program:
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nbd(&(0x7f0000000240), 0xffffffffffffffff)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000280)={0xffffffffffffffff})
sendmsg$NBD_CMD_CONNECT(r0, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000000)={&(0x7f0000000300)={0x30, r1, 0x1, 0x70bd25, 0x25dfdbfb, {}, [@NBD_ATTR_SOCKETS={0x10, 0x7, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, {0x8, 0x1, r2}}]}, @NBD_ATTR_SIZE_BYTES={0xc, 0x2, 0x5}]}, 0x30}, 0x1, 0x0, 0x0, 0x4010}, 0x40040)
r3 = syz_open_dev$ndb(&(0x7f0000000040), 0x0, 0x0)
ioctl$NBD_CLEAR_SOCK(r3, 0xab04)

[ 86.720699][ T9] cfg80211: failed to load regulatory.db
[ 86.793622][ T5308] Bluetooth: hci0: command tx timeout
[ 86.840280][ T5332] block nbd0: shutting down sockets
[ 86.847397][ T5308] ==================================================================
[ 86.851008][ T5308] BUG: KASAN: slab-use-after-free in recv_work+0x215e/0x24f0
[ 86.854306][ T5308] Write of size 4 at addr ffff88800b5c7a78 by task kworker/u5:2/5308
[ 86.857744][ T5308]
[ 86.858923][ T5308] CPU: 0 UID: 0 PID: 5308 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 86.858938][ T5308] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 86.858946][ T5308] Workqueue: nbd0-recv recv_work
[ 86.858964][ T5308] Call Trace:
[ 86.858971][ T5308]
[ 86.858976][ T5308] dump_stack_lvl+0x189/0x250
[ 86.858989][ T5308] ? rcu_is_watching+0x15/0xb0
[ 86.859000][ T5308] ? __kasan_check_byte+0x12/0x40
[ 86.859055][ T5308] ? __pfx_dump_stack_lvl+0x10/0x10
[ 86.859064][ T5308] ? rcu_is_watching+0x15/0xb0
[ 86.859074][ T5308] ? lock_release+0x4b/0x3e0
[ 86.859085][ T5308] ? __virt_addr_valid+0x1c8/0x5c0
[ 86.859099][ T5308] ? __virt_addr_valid+0x4a5/0x5c0
[ 86.859111][ T5308] print_report+0xca/0x240
[ 86.859123][ T5308] ? recv_work+0x215e/0x24f0
[ 86.859133][ T5308] kasan_report+0x118/0x150
[ 86.859146][ T5308] ? recv_work+0x215e/0x24f0
[ 86.859157][ T5308] kasan_check_range+0x2b0/0x2c0
[ 86.859171][ T5308] recv_work+0x215e/0x24f0
[ 86.859181][ T5308] ? arch_stack_walk+0x11c/0x150
[ 86.859194][ T5308] ? stack_trace_save+0x9c/0xe0
[ 86.859209][ T5308] ? __pfx_recv_work+0x10/0x10
[ 86.859221][ T5308] ? lockdep_unlock+0x89/0x120
[ 86.859234][ T5308] ? validate_chain+0x897/0x2140
[ 86.859254][ T5308] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.859297][ T5308] ? process_scheduled_works+0x9ef/0x17b0
[ 86.859307][ T5308] ? process_scheduled_works+0x9ef/0x17b0
[ 86.859318][ T5308] process_scheduled_works+0xae1/0x17b0
[ 86.859334][ T5308] ? __pfx_process_scheduled_works+0x10/0x10
[ 86.859348][ T5308] worker_thread+0x8a0/0xda0
[ 86.859359][ T5308] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 86.859371][ T5308] ? __kthread_parkme+0x7b/0x200
[ 86.859384][ T5308] kthread+0x711/0x8a0
[ 86.859396][ T5308] ? __pfx_worker_thread+0x10/0x10
[ 86.859406][ T5308] ? __pfx_kthread+0x10/0x10
[ 86.859418][ T5308] ? _raw_spin_unlock_irq+0x23/0x50
[ 86.859426][ T5308] ? lockdep_hardirqs_on+0x9c/0x150
[ 86.859436][ T5308] ? __pfx_kthread+0x10/0x10
[ 86.859448][ T5308] ret_from_fork+0x4bc/0x870
[ 86.859459][ T5308] ? __pfx_ret_from_fork+0x10/0x10
[ 86.859469][ T5308] ? __pfx_kthread+0x10/0x10
[ 86.859481][ T5308] ret_from_fork_asm+0x1a/0x30
[ 86.859496][ T5308]
[ 86.859500][ T5308]
[ 86.953430][ T5308] Allocated by task 5331:
[ 86.955327][ T5308] kasan_save_track+0x3e/0x80
[ 86.957450][ T5308] __kasan_kmalloc+0x93/0xb0
[ 86.959483][ T5308] __kmalloc_cache_noprof+0x3d5/0x6f0
[ 86.961737][ T5308] nbd_alloc_and_init_config+0x88/0x260
[ 86.964072][ T5308] nbd_genl_connect+0x9d7/0x18f0
[ 86.966244][ T5308] genl_family_rcv_msg_doit+0x215/0x300
[ 86.968639][ T5308] genl_rcv_msg+0x60e/0x790
[ 86.970676][ T5308] netlink_rcv_skb+0x208/0x470
[ 86.972854][ T5308] genl_rcv+0x28/0x40
[ 86.974628][ T5308] netlink_unicast+0x82f/0x9e0
[ 86.976789][ T5308] netlink_sendmsg+0x805/0xb30
[ 86.978855][ T5308] __sock_sendmsg+0x21c/0x270
[ 86.980780][ T5308] ____sys_sendmsg+0x505/0x830
[ 86.982651][ T5308] ___sys_sendmsg+0x21f/0x2a0
[ 86.984409][ T5308] __x64_sys_sendmsg+0x19b/0x260
[ 86.986355][ T5308] do_syscall_64+0xfa/0xfa0
[ 86.988098][ T5308] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 86.990585][ T5308]
[ 86.991717][ T5308] Freed by task 5308:
[ 86.993494][ T5308] kasan_save_track+0x3e/0x80
[ 86.995558][ T5308] __kasan_save_free_info+0x46/0x50
[ 86.997800][ T5308] __kasan_slab_free+0x5c/0x80
[ 86.999894][ T5308] kfree+0x19a/0x6d0
[ 87.001671][ T5308] nbd_config_put+0x642/0x790
[ 87.003736][ T5308] recv_work+0x2148/0x24f0
[ 87.005737][ T5308] process_scheduled_works+0xae1/0x17b0
[ 87.007999][ T5308] worker_thread+0x8a0/0xda0
[ 87.010189][ T5308] kthread+0x711/0x8a0
[ 87.012026][ T5308] ret_from_fork+0x4bc/0x870
[ 87.014002][ T5308] ret_from_fork_asm+0x1a/0x30
[ 87.015999][ T5308]
[ 87.017105][ T5308] The buggy address belongs to the object at ffff88800b5c7a00
[ 87.017105][ T5308] which belongs to the cache kmalloc-256 of size 256
[ 87.023188][ T5308] The buggy address is located 120 bytes inside of
[ 87.023188][ T5308] freed 256-byte region [ffff88800b5c7a00, ffff88800b5c7b00)
[ 87.029202][ T5308]
[ 87.030265][ T5308] The buggy address belongs to the physical page:
[ 87.033156][ T5308] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb5c7
[ 87.036943][ T5308] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 87.039845][ T5308] page_type: f5(slab)
[ 87.041720][ T5308] raw: 00fff00000000000 ffff88801a441b40 dead000000000100 dead000000000122
[ 87.045522][ T5308] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 87.049493][ T5308] page dumped because: kasan: bad access detected
[ 87.052513][ T5308] page_owner tracks the page as allocated
[ 87.055063][ T5308] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 4719, tgid 4719 (udevd), ts 84765823033, free_ts 42600834818
[ 87.063871][ T5308] post_alloc_hook+0x240/0x2a0
[ 87.065990][ T5308] get_page_from_freelist+0x2365/0x2440
[ 87.068492][ T5308] __alloc_frozen_pages_noprof+0x181/0x370
[ 87.071112][ T5308] allocate_slab+0x71/0x3a0
[ 87.073172][ T5308] ___slab_alloc+0xe94/0x1920
[ 87.075262][ T5308] __slab_alloc+0x65/0x100
[ 87.077236][ T5308] __kmalloc_node_noprof+0x5cc/0x800
[ 87.079554][ T5308] allocate_slab+0x179/0x3a0
[ 87.081848][ T5308] ___slab_alloc+0xe94/0x1920
[ 87.083969][ T5308] __slab_alloc+0x65/0x100
[ 87.085962][ T5308] kmem_cache_alloc_lru_noprof+0x3ef/0x6d0
[ 87.088466][ T5308] alloc_inode+0xb8/0x1b0
[ 87.090362][ T5308] iget_locked+0x106/0x580
[ 87.092211][ T5308] kernfs_get_inode+0x4f/0x780
[ 87.094222][ T5308] kernfs_iop_lookup+0x1f6/0x320
[ 87.096399][ T5308] __lookup_slow+0x294/0x3d0
[ 87.098556][ T5308] page last free pid 29 tgid 29 stack trace:
[ 87.101222][ T5308] __free_frozen_pages+0xbc4/0xd30
[ 87.103438][ T5308] __folio_put+0x21b/0x2c0
[ 87.105318][ T5308] migrate_pages_batch+0x22a3/0x35e0
[ 87.107631][ T5308] migrate_pages+0x1bcc/0x2930
[ 87.109794][ T5308] compact_zone+0x23e1/0x4ab0
[ 87.111865][ T5308] compact_node+0x1d2/0x280
[ 87.114243][ T5308] kcompactd+0xbc8/0x1290
[ 87.116700][ T5308] kthread+0x711/0x8a0
[ 87.118908][ T5308] ret_from_fork+0x4bc/0x870
[ 87.121628][ T5308] ret_from_fork_asm+0x1a/0x30
[ 87.124338][ T5308]
[ 87.125637][ T5308] Memory state around the buggy address:
[ 87.128574][ T5308] ffff88800b5c7900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.132296][ T5308] ffff88800b5c7980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.135776][ T5308] >ffff88800b5c7a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.139197][ T5308] ^
[ 87.142886][ T5308] ffff88800b5c7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 87.146654][ T5308] ffff88800b5c7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 87.150752][ T5308] ==================================================================
[ 87.174505][ T5308] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 87.177780][ T5308] CPU: 0 UID: 0 PID: 5308 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full)
[ 87.181854][ T5308] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 87.186486][ T5308] Workqueue: nbd0-recv recv_work
[ 87.188680][ T5308] Call Trace:
[ 87.190205][ T5308]
[ 87.191531][ T5308] dump_stack_lvl+0x99/0x250
[ 87.193597][ T5308] ? __asan_memcpy+0x40/0x70
[ 87.195633][ T5308] ? __pfx_dump_stack_lvl+0x10/0x10
[ 87.197901][ T5308] ? __pfx__printk+0x10/0x10
[ 87.200024][ T5308] vpanic+0x237/0x6d0
[ 87.201810][ T5308] ? __pfx_vpanic+0x10/0x10
[ 87.203725][ T5308] ? preempt_schedule+0xae/0xc0
[ 87.206676][ T5308] ? __pfx_preempt_schedule+0x10/0x10
[ 87.208960][ T5308] panic+0xb9/0xc0
[ 87.210876][ T5308] ? __pfx_panic+0x10/0x10
[ 87.212911][ T5308] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 87.215256][ T5308] ? recv_work+0x215e/0x24f0
[ 87.217077][ T5308] check_panic_on_warn+0x89/0xb0
[ 87.219279][ T5308] ? recv_work+0x215e/0x24f0
[ 87.221771][ T5308] end_report+0x78/0x160
[ 87.223752][ T5308] kasan_report+0x129/0x150
[ 87.225597][ T5308] ? recv_work+0x215e/0x24f0
[ 87.227436][ T5308] kasan_check_range+0x2b0/0x2c0
[ 87.229451][ T5308] recv_work+0x215e/0x24f0
[ 87.231321][ T5308] ? arch_stack_walk+0x11c/0x150
[ 87.233465][ T5308] ? stack_trace_save+0x9c/0xe0
[ 87.235521][ T5308] ? __pfx_recv_work+0x10/0x10
[ 87.237563][ T5308] ? lockdep_unlock+0x89/0x120
[ 87.239735][ T5308] ? validate_chain+0x897/0x2140
[ 87.241895][ T5308] ? _raw_spin_unlock_irq+0x23/0x50
[ 87.244131][ T5308] ? process_scheduled_works+0x9ef/0x17b0
[ 87.246537][ T5308] ? process_scheduled_works+0x9ef/0x17b0
[ 87.249081][ T5308] process_scheduled_works+0xae1/0x17b0
[ 87.251494][ T5308] ? __pfx_process_scheduled_works+0x10/0x10
[ 87.254059][ T5308] worker_thread+0x8a0/0xda0
[ 87.256058][ T5308] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 87.258830][ T5308] ? __kthread_parkme+0x7b/0x200
[ 87.261267][ T5308] kthread+0x711/0x8a0
[ 87.262976][ T5308] ? __pfx_worker_thread+0x10/0x10
[ 87.265247][ T5308] ? __pfx_kthread+0x10/0x10
[ 87.267296][ T5308] ? _raw_spin_unlock_irq+0x23/0x50
[ 87.269646][ T5308] ? lockdep_hardirqs_on+0x9c/0x150
[ 87.271979][ T5308] ? __pfx_kthread+0x10/0x10
[ 87.274014][ T5308] ret_from_fork+0x4bc/0x870
[ 87.276020][ T5308] ? __pfx_ret_from_fork+0x10/0x10
[ 87.278273][ T5308] ? __pfx_kthread+0x10/0x10
[ 87.280370][ T5308] ret_from_fork_asm+0x1a/0x30
[ 87.282324][ T5308]
[ 87.283831][ T5308] Kernel Offset: disabled
[ 87.285579][ T5308] Rebooting in 86400 seconds..