program:
r0 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$nbd(&(0x7f0000000240), 0xffffffffffffffff)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000280)={0xffffffffffffffff})
sendmsg$NBD_CMD_CONNECT(r0, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000300)={0x30, r1, 0x1, 0x70bd25, 0x25dfdbfd, {}, [@NBD_ATTR_SOCKETS={0x10, 0x7, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, {0x8, 0x1, r2}}]}, @NBD_ATTR_SIZE_BYTES={0xc, 0x2, 0x5}]}, 0x30}, 0x1, 0x0, 0x0, 0x4010}, 0x40040)
r3 = syz_open_dev$ndb(&(0x7f0000000000), 0x0, 0x2880)
ioctl$NBD_CLEAR_SOCK(r3, 0xab04)

[   84.931514][ T4674] Bluetooth: hci0: command tx timeout
[   85.052407][ T5330] block nbd0: shutting down sockets
[   85.080927][ T4674] ==================================================================
[   85.084502][ T4674] BUG: KASAN: slab-use-after-free in recv_work+0x215e/0x24f0
[   85.087812][ T4674] Write of size 4 at addr ffff888052872c78 by task kworker/u5:1/4674
[   85.091566][ T4674]
[   85.092630][ T4674] CPU: 0 UID: 0 PID: 4674 Comm: kworker/u5:1 Not tainted 6.16.0-rc2-syzkaller-00378-gb67ec639010f #0 PREEMPT(full)
[   85.092646][ T4674] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   85.092653][ T4674] Workqueue: nbd0-recv recv_work
[   85.092669][ T4674] Call Trace:
[   85.092678][ T4674]
[   85.092684][ T4674]  dump_stack_lvl+0x189/0x250
[   85.092702][ T4674]  ? __virt_addr_valid+0x1c8/0x5c0
[   85.092712][ T4674]  ? rcu_is_watching+0x15/0xb0
[   85.092725][ T4674]  ? __pfx_dump_stack_lvl+0x10/0x10
[   85.092738][ T4674]  ? rcu_is_watching+0x15/0xb0
[   85.092750][ T4674]  ? lock_release+0x4b/0x3e0
[   85.092764][ T4674]  ? __virt_addr_valid+0x1c8/0x5c0
[   85.092773][ T4674]  ? __virt_addr_valid+0x4a5/0x5c0
[   85.092810][ T4674]  print_report+0xd2/0x2b0
[   85.092824][ T4674]  ? recv_work+0x215e/0x24f0
[   85.092832][ T4674]  kasan_report+0x118/0x150
[   85.092843][ T4674]  ? recv_work+0x215e/0x24f0
[   85.092853][ T4674]  kasan_check_range+0x2b0/0x2c0
[   85.092864][ T4674]  recv_work+0x215e/0x24f0
[   85.092871][ T4674]  ? arch_stack_walk+0x11c/0x150
[   85.092883][ T4674]  ? stack_trace_save+0x9c/0xe0
[   85.092897][ T4674]  ? __pfx_recv_work+0x10/0x10
[   85.092905][ T4674]  ? lockdep_unlock+0x89/0x120
[   85.092916][ T4674]  ? validate_chain+0x897/0x2140
[   85.092936][ T4674]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.092997][ T4674]  ? process_scheduled_works+0x9ef/0x17b0
[   85.093010][ T4674]  ? process_scheduled_works+0x9ef/0x17b0
[   85.093024][ T4674]  process_scheduled_works+0xae1/0x17b0
[   85.093044][ T4674]  ? __pfx_process_scheduled_works+0x10/0x10
[   85.093062][ T4674]  worker_thread+0x8a0/0xda0
[   85.093077][ T4674]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   85.093093][ T4674]  ? __kthread_parkme+0x7b/0x200
[   85.093105][ T4674]  kthread+0x70e/0x8a0
[   85.093116][ T4674]  ? __pfx_worker_thread+0x10/0x10
[   85.093130][ T4674]  ? __pfx_kthread+0x10/0x10
[   85.093141][ T4674]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.093154][ T4674]  ? lockdep_hardirqs_on+0x9c/0x150
[   85.093167][ T4674]  ? __pfx_kthread+0x10/0x10
[   85.093179][ T4674]  ret_from_fork+0x3fc/0x770
[   85.093193][ T4674]  ? __pfx_ret_from_fork+0x10/0x10
[   85.093206][ T4674]  ? __pfx_kthread+0x10/0x10
[   85.093216][ T4674]  ret_from_fork_asm+0x1a/0x30
[   85.093230][ T4674]
[   85.093233][ T4674]
[   85.190691][ T4674] Allocated by task 5329:
[   85.192542][ T4674]  kasan_save_track+0x3e/0x80
[   85.194625][ T4674]  __kasan_kmalloc+0x93/0xb0
[   85.196713][ T4674]  __kmalloc_cache_noprof+0x230/0x3d0
[   85.199013][ T4674]  nbd_alloc_and_init_config+0x88/0x260
[   85.201493][ T4674]  nbd_genl_connect+0x9dd/0x1930
[   85.203734][ T4674]  genl_family_rcv_msg_doit+0x215/0x300
[   85.206178][ T4674]  genl_rcv_msg+0x60e/0x790
[   85.208130][ T4674]  netlink_rcv_skb+0x208/0x470
[   85.210289][ T4674]  genl_rcv+0x28/0x40
[   85.212091][ T4674]  netlink_unicast+0x75b/0x8d0
[   85.214462][ T4674]  netlink_sendmsg+0x805/0xb30
[   85.216800][ T4674]  __sock_sendmsg+0x21c/0x270
[   85.218812][ T4674]  ____sys_sendmsg+0x505/0x830
[   85.220649][ T4674]  ___sys_sendmsg+0x21f/0x2a0
[   85.222711][ T4674]  __x64_sys_sendmsg+0x19b/0x260
[   85.224911][ T4674]  do_syscall_64+0xfa/0x3b0
[   85.226902][ T4674]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   85.229516][ T4674]
[   85.230618][ T4674] Freed by task 4674:
[   85.232448][ T4674]  kasan_save_track+0x3e/0x80
[   85.234702][ T4674]  kasan_save_free_info+0x46/0x50
[   85.237081][ T4674]  __kasan_slab_free+0x62/0x70
[   85.239125][ T4674]  kfree+0x18e/0x440
[   85.240843][ T4674]  nbd_config_put+0x642/0x790
[   85.242814][ T4674]  recv_work+0x2148/0x24f0
[   85.244627][ T4674]  process_scheduled_works+0xae1/0x17b0
[   85.246959][ T4674]  worker_thread+0x8a0/0xda0
[   85.248938][ T4674]  kthread+0x70e/0x8a0
[   85.250672][ T4674]  ret_from_fork+0x3fc/0x770
[   85.252598][ T4674]  ret_from_fork_asm+0x1a/0x30
[   85.254606][ T4674]
[   85.255638][ T4674] The buggy address belongs to the object at ffff888052872c00
[   85.255638][ T4674]  which belongs to the cache kmalloc-256 of size 256
[   85.261960][ T4674] The buggy address is located 120 bytes inside of
[   85.261960][ T4674]  freed 256-byte region [ffff888052872c00, ffff888052872d00)
[   85.267956][ T4674]
[   85.269104][ T4674] The buggy address belongs to the physical page:
[   85.271972][ T4674] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x52872
[   85.275799][ T4674] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   85.279101][ T4674] page_type: f5(slab)
[   85.281093][ T4674] raw: 04fff00000000000 ffff88801a441b40 dead000000000122 0000000000000000
[   85.284833][ T4674] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[   85.288556][ T4674] page dumped because: kasan: bad access detected
[   85.291264][ T4674] page_owner tracks the page as allocated
[   85.293723][ T4674] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5306, tgid 5306 (syz-executor), ts 82998637295, free_ts 0
[   85.301388][ T4674]  post_alloc_hook+0x240/0x2a0
[   85.303508][ T4674]  get_page_from_freelist+0x21e4/0x22c0
[   85.305898][ T4674]  __alloc_frozen_pages_noprof+0x181/0x370
[   85.308382][ T4674]  alloc_pages_mpol+0x232/0x4a0
[   85.310593][ T4674]  allocate_slab+0x8a/0x3b0
[   85.312610][ T4674]  ___slab_alloc+0xbfc/0x1480
[   85.314792][ T4674]  __kmalloc_node_track_caller_noprof+0x2f8/0x4e0
[   85.317553][ T4674]  kmemdup_array+0x3f/0x80
[   85.319654][ T4674]  arpt_register_table+0x367/0x6b0
[   85.322022][ T4674]  arptable_filter_table_init+0x41/0x70
[   85.324322][ T4674]  xt_find_table_lock+0x30c/0x3e0
[   85.326794][ T4674]  xt_request_find_table_lock+0x26/0x100
[   85.329334][ T4674]  do_arpt_get_ctl+0x68b/0x1010
[   85.331461][ T4674]  nf_getsockopt+0x26e/0x290
[   85.333525][ T4674]  ip_getsockopt+0x1c4/0x220
[   85.335528][ T4674]  do_sock_getsockopt+0x360/0x650
[   85.337708][ T4674] page_owner free stack trace missing
[   85.340040][ T4674]
[   85.341109][ T4674] Memory state around the buggy address:
[   85.343601][ T4674]  ffff888052872b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.347215][ T4674]  ffff888052872b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.350554][ T4674] >ffff888052872c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.353792][ T4674]                                                                 ^
[   85.356833][ T4674]  ffff888052872c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   85.360198][ T4674]  ffff888052872d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   85.363365][ T4674] ==================================================================
[   85.388071][ T4674] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   85.391151][ T4674] CPU: 0 UID: 0 PID: 4674 Comm: kworker/u5:1 Not tainted 6.16.0-rc2-syzkaller-00378-gb67ec639010f #0 PREEMPT(full)
[   85.395821][ T4674] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   85.400105][ T4674] Workqueue: nbd0-recv recv_work
[   85.402244][ T4674] Call Trace:
[   85.403875][ T4674]
[   85.405308][ T4674]  dump_stack_lvl+0x99/0x250
[   85.407390][ T4674]  ? __asan_memcpy+0x40/0x70
[   85.409455][ T4674]  ? __pfx_dump_stack_lvl+0x10/0x10
[   85.411730][ T4674]  ? __pfx__printk+0x10/0x10
[   85.413657][ T4674]  panic+0x2db/0x790
[   85.415258][ T4674]  ? __pfx_panic+0x10/0x10
[   85.417254][ T4674]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   85.419884][ T4674]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   85.422724][ T4674]  ? print_memory_metadata+0x314/0x400
[   85.425003][ T4674]  ? recv_work+0x215e/0x24f0
[   85.426992][ T4674]  check_panic_on_warn+0x89/0xb0
[   85.429259][ T4674]  ? recv_work+0x215e/0x24f0
[   85.431292][ T4674]  end_report+0x78/0x160
[   85.433167][ T4674]  kasan_report+0x129/0x150
[   85.435076][ T4674]  ? recv_work+0x215e/0x24f0
[   85.437007][ T4674]  kasan_check_range+0x2b0/0x2c0
[   85.439312][ T4674]  recv_work+0x215e/0x24f0
[   85.441350][ T4674]  ? arch_stack_walk+0x11c/0x150
[   85.443595][ T4674]  ? stack_trace_save+0x9c/0xe0
[   85.445799][ T4674]  ? __pfx_recv_work+0x10/0x10
[   85.447934][ T4674]  ? lockdep_unlock+0x89/0x120
[   85.450168][ T4674]  ? validate_chain+0x897/0x2140
[   85.452434][ T4674]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.454898][ T4674]  ? process_scheduled_works+0x9ef/0x17b0
[   85.457722][ T4674]  ? process_scheduled_works+0x9ef/0x17b0
[   85.460339][ T4674]  process_scheduled_works+0xae1/0x17b0
[   85.462835][ T4674]  ? __pfx_process_scheduled_works+0x10/0x10
[   85.465521][ T4674]  worker_thread+0x8a0/0xda0
[   85.467564][ T4674]  ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[   85.470489][ T4674]  ? __kthread_parkme+0x7b/0x200
[   85.472770][ T4674]  kthread+0x70e/0x8a0
[   85.474822][ T4674]  ? __pfx_worker_thread+0x10/0x10
[   85.477239][ T4674]  ? __pfx_kthread+0x10/0x10
[   85.479299][ T4674]  ? _raw_spin_unlock_irq+0x23/0x50
[   85.481612][ T4674]  ? lockdep_hardirqs_on+0x9c/0x150
[   85.483855][ T4674]  ? __pfx_kthread+0x10/0x10
[   85.485919][ T4674]  ret_from_fork+0x3fc/0x770
[   85.487927][ T4674]  ? __pfx_ret_from_fork+0x10/0x10
[   85.490219][ T4674]  ? __pfx_kthread+0x10/0x10
[   85.492289][ T4674]  ret_from_fork_asm+0x1a/0x30
[   85.494456][ T4674]
[   85.496128][ T4674] Kernel Offset: disabled
[   85.498081][ T4674] Rebooting in 86400 seconds..