program: socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000300)={0xffffffffffffffff}) r1 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10) r2 = syz_genetlink_get_family_id$nbd(&(0x7f0000000040), 0xffffffffffffffff) sendmsg$NBD_CMD_CONNECT(r1, &(0x7f0000000200)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f0000000100)={0x38, r2, 0x1, 0x70bd2d, 0x25dfdbfb, {}, [@NBD_ATTR_BACKEND_IDENTIFIER={0x5, 0xa, '\x00'}, @NBD_ATTR_SOCKETS={0x10, 0x7, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, {0x8, 0x1, r0}}]}, @NBD_ATTR_SIZE_BYTES={0xc}]}, 0x38}, 0x1, 0x0, 0x0, 0x4000000}, 0x4000050) (fail_nth: 43) [ 68.597314][ T4668] Bluetooth: hci0: command tx timeout [ 68.685677][ T5322] FAULT_INJECTION: forcing a failure. [ 68.685677][ T5322] name failslab, interval 1, probability 0, space 0, times 1 [ 68.696233][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted 6.15.0-rc1-syzkaller-00288-ge618ee89561b #0 PREEMPT(full) [ 68.696252][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.696258][ T5322] Call Trace: [ 68.696264][ T5322] [ 68.696269][ T5322] dump_stack_lvl+0x241/0x360 [ 68.696372][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.696387][ T5322] ? __pfx__printk+0x10/0x10 [ 68.696404][ T5322] ? __pfx___might_resched+0x10/0x10 [ 68.696420][ T5322] should_fail_ex+0x424/0x570 [ 68.696459][ T5322] should_failslab+0xac/0x100 [ 68.696476][ T5322] kmem_cache_alloc_noprof+0x78/0x390 [ 68.696490][ T5322] ? __kernfs_new_node+0xdf/0x890 [ 68.696500][ T5322] ? stack_depot_save_flags+0x43f/0x940 [ 68.696513][ T5322] __kernfs_new_node+0xdf/0x890 [ 68.696525][ T5322] ? __lock_acquire+0xad5/0xd80 [ 68.696539][ T5322] ? __pfx___kernfs_new_node+0x10/0x10 [ 68.696555][ T5322] ? kernfs_root+0x1c/0x230 [ 68.696567][ T5322] ? kernfs_root+0x1c/0x230 [ 68.696579][ T5322] kernfs_new_node+0x114/0x220 [ 68.696593][ T5322] __kernfs_create_file+0x49/0x2e0 [ 68.696609][ T5322] sysfs_add_file_mode_ns+0x24a/0x310 [ 68.696636][ T5322] sysfs_create_file_ns+0x197/0x2c0 [ 68.696653][ T5322] ? __pfx_sysfs_create_file_ns+0x10/0x10 [ 68.696668][ T5322] ? __asan_memcpy+0x40/0x70 [ 68.696680][ T5322] ? device_create_file+0xf2/0x1c0 [ 68.696695][ T5322] nbd_genl_connect+0x1711/0x1c90 [ 68.696719][ T5322] ? __pfx_nbd_genl_connect+0x10/0x10 [ 68.696742][ T5322] ? __nla_parse+0x40/0x60 [ 68.696758][ T5322] ? genl_family_rcv_msg_attrs_parse+0x1d4/0x290 [ 68.696806][ T5322] genl_rcv_msg+0xb38/0xf00 [ 68.696824][ T5322] ? __pfx_genl_rcv_msg+0x10/0x10 [ 68.696834][ T5322] ? stack_trace_save+0x11a/0x1d0 [ 68.696851][ T5322] ? __pfx_stack_trace_save+0x10/0x10 [ 68.696867][ T5322] ? stack_depot_save_flags+0x44/0x940 [ 68.696876][ T5322] ? stack_trace_snprint+0x31/0xf0 [ 68.696898][ T5322] ? __lock_acquire+0xad5/0xd80 [ 68.696909][ T5322] ? __pfx_nbd_genl_connect+0x10/0x10 [ 68.696933][ T5322] netlink_rcv_skb+0x208/0x480 [ 68.696949][ T5322] ? __pfx_genl_rcv_msg+0x10/0x10 [ 68.696961][ T5322] ? __pfx_netlink_rcv_skb+0x10/0x10 [ 68.696989][ T5322] ? netlink_deliver_tap+0x2e/0x1b0 [ 68.697007][ T5322] genl_rcv+0x28/0x40 [ 68.697017][ T5322] netlink_unicast+0x7f8/0x9a0 [ 68.697037][ T5322] ? __pfx_netlink_unicast+0x10/0x10 [ 68.697051][ T5322] ? skb_put+0x114/0x1f0 [ 68.697065][ T5322] netlink_sendmsg+0x8c3/0xcd0 [ 68.697089][ T5322] ? __pfx_netlink_sendmsg+0x10/0x10 [ 68.697107][ T5322] ? aa_sock_msg_perm+0x91/0x160 [ 68.697126][ T5322] ? __pfx_netlink_sendmsg+0x10/0x10 [ 68.697138][ T5322] __sock_sendmsg+0x221/0x270 [ 68.697155][ T5322] ____sys_sendmsg+0x523/0x860 [ 68.697173][ T5322] ? __pfx_____sys_sendmsg+0x10/0x10 [ 68.697182][ T5322] ? __fget_files+0x2a/0x420 [ 68.697194][ T5322] ? __fget_files+0x2a/0x420 [ 68.697210][ T5322] __sys_sendmsg+0x271/0x360 [ 68.697226][ T5322] ? __pfx___sys_sendmsg+0x10/0x10 [ 68.697291][ T5322] ? do_syscall_64+0xb6/0x230 [ 68.697306][ T5322] do_syscall_64+0xf3/0x230 [ 68.697319][ T5322] ? clear_bhb_loop+0x45/0xa0 [ 68.697332][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 68.697342][ T5322] RIP: 0033:0x7fd33d18d169 [ 68.697353][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 68.697361][ T5322] RSP: 002b:00007fd33e0ce038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 68.697374][ T5322] RAX: ffffffffffffffda RBX: 00007fd33d3a5fa0 RCX: 00007fd33d18d169 [ 68.697382][ T5322] RDX: 0000000004000050 RSI: 0000200000000200 RDI: 0000000000000006 [ 68.697389][ T5322] RBP: 00007fd33e0ce090 R08: 0000000000000000 R09: 0000000000000000 [ 68.697395][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000002 [ 68.697401][ T5322] R13: 0000000000000000 R14: 00007fd33d3a5fa0 R15: 00007ffdb31acc08 [ 68.697418][ T5322] [ 68.697516][ T5322] block nbd0: device_create_file failed for backend! [ 68.862000][ T4668] block nbd0: Receive control failed (result -32) [ 68.866871][ T4668] block nbd0: shutting down sockets [ 68.884000][ T4668] ================================================================== [ 68.887141][ T4668] BUG: KASAN: slab-use-after-free in recv_work+0x228a/0x25d0 [ 68.890002][ T4668] Write of size 4 at addr ffff888033975078 by task kworker/u5:1/4668 [ 68.893095][ T4668] [ 68.894044][ T4668] CPU: 0 UID: 0 PID: 4668 Comm: kworker/u5:1 Not tainted 6.15.0-rc1-syzkaller-00288-ge618ee89561b #0 PREEMPT(full) [ 68.894054][ T4668] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.894060][ T4668] Workqueue: nbd0-recv recv_work [ 68.894071][ T4668] Call Trace: [ 68.894076][ T4668] [ 68.894079][ T4668] dump_stack_lvl+0x241/0x360 [ 68.894091][ T4668] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.894100][ T4668] ? rcu_is_watching+0x15/0xb0 [ 68.894109][ T4668] ? __virt_addr_valid+0x183/0x530 [ 68.894119][ T4668] ? lock_release+0x4e/0x3e0 [ 68.894126][ T4668] ? __virt_addr_valid+0x183/0x530 [ 68.894135][ T4668] ? __virt_addr_valid+0x183/0x530 [ 68.894144][ T4668] print_report+0x16e/0x5b0 [ 68.894154][ T4668] ? __virt_addr_valid+0x183/0x530 [ 68.894166][ T4668] ? __virt_addr_valid+0x183/0x530 [ 68.894178][ T4668] ? __virt_addr_valid+0x45f/0x530 [ 68.894210][ T4668] ? __phys_addr+0xba/0x170 [ 68.894221][ T4668] ? recv_work+0x228a/0x25d0 [ 68.894227][ T4668] kasan_report+0x143/0x180 [ 68.894240][ T4668] ? recv_work+0x228a/0x25d0 [ 68.894251][ T4668] kasan_check_range+0x28f/0x2a0 [ 68.894264][ T4668] recv_work+0x228a/0x25d0 [ 68.894276][ T4668] ? stack_trace_save+0x11a/0x1d0 [ 68.894291][ T4668] ? __pfx_recv_work+0x10/0x10 [ 68.894300][ T4668] ? lockdep_unlock+0x8d/0x120 [ 68.894308][ T4668] ? validate_chain+0x8a7/0x24e0 [ 68.894331][ T4668] ? process_scheduled_works+0x9cb/0x18e0 [ 68.894342][ T4668] process_scheduled_works+0xac3/0x18e0 [ 68.894356][ T4668] ? __pfx_process_scheduled_works+0x10/0x10 [ 68.894368][ T4668] ? assign_work+0x367/0x3d0 [ 68.894379][ T4668] worker_thread+0x870/0xd50 [ 68.894393][ T4668] ? __kthread_parkme+0x1a8/0x200 [ 68.894406][ T4668] ? __pfx_worker_thread+0x10/0x10 [ 68.894422][ T4668] kthread+0x7b7/0x940 [ 68.894431][ T4668] ? __pfx_worker_thread+0x10/0x10 [ 68.894439][ T4668] ? __pfx_kthread+0x10/0x10 [ 68.894447][ T4668] ? __pfx_kthread+0x10/0x10 [ 68.894455][ T4668] ? __pfx_kthread+0x10/0x10 [ 68.894464][ T4668] ? __pfx_kthread+0x10/0x10 [ 68.894472][ T4668] ? _raw_spin_unlock_irq+0x23/0x50 [ 68.894479][ T4668] ? lockdep_hardirqs_on+0x9d/0x150 [ 68.894487][ T4668] ? __pfx_kthread+0x10/0x10 [ 68.894496][ T4668] ret_from_fork+0x4b/0x80 [ 68.894503][ T4668] ? __pfx_kthread+0x10/0x10 [ 68.894511][ T4668] ret_from_fork_asm+0x1a/0x30 [ 68.894520][ T4668] [ 68.894523][ T4668] [ 68.986216][ T4668] Allocated by task 5322: [ 68.987865][ T4668] kasan_save_track+0x3f/0x80 [ 68.989697][ T4668] __kasan_kmalloc+0x9d/0xb0 [ 68.991567][ T4668] __kmalloc_cache_noprof+0x236/0x370 [ 68.993761][ T4668] nbd_alloc_and_init_config+0x88/0x260 [ 68.995898][ T4668] nbd_genl_connect+0xcbc/0x1c90 [ 68.997811][ T4668] genl_rcv_msg+0xb38/0xf00 [ 68.999531][ T4668] netlink_rcv_skb+0x208/0x480 [ 69.001383][ T4668] genl_rcv+0x28/0x40 [ 69.002779][ T4668] netlink_unicast+0x7f8/0x9a0 [ 69.004601][ T4668] netlink_sendmsg+0x8c3/0xcd0 [ 69.006292][ T4668] __sock_sendmsg+0x221/0x270 [ 69.008121][ T4668] ____sys_sendmsg+0x523/0x860 [ 69.009960][ T4668] __sys_sendmsg+0x271/0x360 [ 69.011708][ T4668] do_syscall_64+0xf3/0x230 [ 69.013502][ T4668] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.015885][ T4668] [ 69.016854][ T4668] Freed by task 4668: [ 69.018424][ T4668] kasan_save_track+0x3f/0x80 [ 69.020356][ T4668] kasan_save_free_info+0x40/0x50 [ 69.022232][ T4668] __kasan_slab_free+0x59/0x70 [ 69.024079][ T4668] kfree+0x198/0x430 [ 69.025615][ T4668] nbd_config_put+0x67d/0x7e0 [ 69.027552][ T4668] recv_work+0x2274/0x25d0 [ 69.029391][ T4668] process_scheduled_works+0xac3/0x18e0 [ 69.031505][ T4668] worker_thread+0x870/0xd50 [ 69.033337][ T4668] kthread+0x7b7/0x940 [ 69.034893][ T4668] ret_from_fork+0x4b/0x80 [ 69.036711][ T4668] ret_from_fork_asm+0x1a/0x30 [ 69.038669][ T4668] [ 69.039648][ T4668] The buggy address belongs to the object at ffff888033975000 [ 69.039648][ T4668] which belongs to the cache kmalloc-256 of size 256 [ 69.045216][ T4668] The buggy address is located 120 bytes inside of [ 69.045216][ T4668] freed 256-byte region [ffff888033975000, ffff888033975100) [ 69.050371][ T4668] [ 69.051318][ T4668] The buggy address belongs to the physical page: [ 69.053750][ T4668] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33975 [ 69.057195][ T4668] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 69.059964][ T4668] page_type: f5(slab) [ 69.061521][ T4668] raw: 04fff00000000000 ffff88801b041b40 ffffea000101d500 dead000000000006 [ 69.064986][ T4668] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 69.068297][ T4668] page dumped because: kasan: bad access detected [ 69.070794][ T4668] page_owner tracks the page as allocated [ 69.072998][ T4668] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 22502935749, free_ts 22490123078 [ 69.079923][ T4668] post_alloc_hook+0x1f4/0x240 [ 69.081793][ T4668] get_page_from_freelist+0x352b/0x36c0 [ 69.083943][ T4668] __alloc_frozen_pages_noprof+0x211/0x5b0 [ 69.086544][ T4668] alloc_pages_mpol+0x339/0x690 [ 69.088586][ T4668] allocate_slab+0x8f/0x3a0 [ 69.090445][ T4668] ___slab_alloc+0xc3b/0x1500 [ 69.092313][ T4668] __slab_alloc+0x58/0xa0 [ 69.094001][ T4668] __kmalloc_node_track_caller_noprof+0x2ef/0x4d0 [ 69.096543][ T4668] krealloc_noprof+0x10f/0x300 [ 69.098369][ T4668] add_sysfs_param+0xca/0x840 [ 69.100339][ T4668] kernel_add_sysfs_param+0xb4/0x130 [ 69.102471][ T4668] param_sysfs_builtin+0x1dd/0x2a0 [ 69.104515][ T4668] param_sysfs_builtin_init+0x31/0x40 [ 69.106694][ T4668] do_one_initcall+0x24a/0x940 [ 69.108811][ T4668] do_initcall_level+0x157/0x210 [ 69.111186][ T4668] do_initcalls+0x71/0xd0 [ 69.112957][ T4668] page last free pid 1 tgid 1 stack trace: [ 69.115301][ T4668] __free_frozen_pages+0xde8/0x10a0 [ 69.117433][ T4668] __put_partials+0x160/0x1c0 [ 69.119334][ T4668] put_cpu_partial+0x17e/0x250 [ 69.121301][ T4668] __slab_free+0x294/0x390 [ 69.123123][ T4668] qlist_free_all+0x9a/0x140 [ 69.124917][ T4668] kasan_quarantine_reduce+0x14f/0x170 [ 69.127112][ T4668] __kasan_krealloc+0x20/0x150 [ 69.129047][ T4668] krealloc_noprof+0x198/0x300 [ 69.130946][ T4668] add_sysfs_param+0xca/0x840 [ 69.132640][ T4668] kernel_add_sysfs_param+0xb4/0x130 [ 69.134904][ T4668] param_sysfs_builtin+0x1dd/0x2a0 [ 69.137308][ T4668] param_sysfs_builtin_init+0x31/0x40 [ 69.139439][ T4668] do_one_initcall+0x24a/0x940 [ 69.141237][ T4668] do_initcall_level+0x157/0x210 [ 69.143188][ T4668] do_initcalls+0x71/0xd0 [ 69.144894][ T4668] kernel_init_freeable+0x432/0x5d0 [ 69.146960][ T4668] [ 69.147861][ T4668] Memory state around the buggy address: [ 69.149958][ T4668] ffff888033974f00: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 69.152660][ T4668] ffff888033974f80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc [ 69.155481][ T4668] >ffff888033975000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 69.158203][ T4668] ^ [ 69.161167][ T4668] ffff888033975080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 69.163991][ T4668] ffff888033975100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 69.166864][ T4668] ================================================================== [ 69.181567][ T4668] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 69.184323][ T4668] CPU: 0 UID: 0 PID: 4668 Comm: kworker/u5:1 Not tainted 6.15.0-rc1-syzkaller-00288-ge618ee89561b #0 PREEMPT(full) [ 69.188809][ T4668] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.192636][ T4668] Workqueue: nbd0-recv recv_work [ 69.194539][ T4668] Call Trace: [ 69.195822][ T4668] [ 69.196954][ T4668] dump_stack_lvl+0x241/0x360 [ 69.198766][ T4668] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.200718][ T4668] ? __pfx__printk+0x10/0x10 [ 69.202515][ T4668] ? vscnprintf+0x5d/0x90 [ 69.204211][ T4668] panic+0x349/0x880 [ 69.205604][ T4668] ? check_panic_on_warn+0x21/0xb0 [ 69.207421][ T4668] ? __pfx_panic+0x10/0x10 [ 69.209325][ T4668] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 69.211639][ T4668] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 69.214115][ T4668] ? print_report+0x519/0x5b0 [ 69.215883][ T4668] check_panic_on_warn+0x86/0xb0 [ 69.217761][ T4668] ? recv_work+0x228a/0x25d0 [ 69.219637][ T4668] end_report+0x77/0x160 [ 69.221363][ T4668] kasan_report+0x154/0x180 [ 69.223047][ T4668] ? recv_work+0x228a/0x25d0 [ 69.224664][ T4668] kasan_check_range+0x28f/0x2a0 [ 69.226568][ T4668] recv_work+0x228a/0x25d0 [ 69.228467][ T4668] ? stack_trace_save+0x11a/0x1d0 [ 69.234828][ T4668] ? __pfx_recv_work+0x10/0x10 [ 69.236949][ T4668] ? lockdep_unlock+0x8d/0x120 [ 69.238723][ T4668] ? validate_chain+0x8a7/0x24e0 [ 69.240662][ T4668] ? process_scheduled_works+0x9cb/0x18e0 [ 69.242904][ T4668] process_scheduled_works+0xac3/0x18e0 [ 69.245112][ T4668] ? __pfx_process_scheduled_works+0x10/0x10 [ 69.247382][ T4668] ? assign_work+0x367/0x3d0 [ 69.249185][ T4668] worker_thread+0x870/0xd50 [ 69.251024][ T4668] ? __kthread_parkme+0x1a8/0x200 [ 69.252997][ T4668] ? __pfx_worker_thread+0x10/0x10 [ 69.254972][ T4668] kthread+0x7b7/0x940 [ 69.256558][ T4668] ? __pfx_worker_thread+0x10/0x10 [ 69.258556][ T4668] ? __pfx_kthread+0x10/0x10 [ 69.260375][ T4668] ? __pfx_kthread+0x10/0x10 [ 69.262215][ T4668] ? __pfx_kthread+0x10/0x10 [ 69.264106][ T4668] ? __pfx_kthread+0x10/0x10 [ 69.265945][ T4668] ? _raw_spin_unlock_irq+0x23/0x50 [ 69.267918][ T4668] ? lockdep_hardirqs_on+0x9d/0x150 [ 69.269922][ T4668] ? __pfx_kthread+0x10/0x10 [ 69.271721][ T4668] ret_from_fork+0x4b/0x80 [ 69.273521][ T4668] ? __pfx_kthread+0x10/0x10 [ 69.275397][ T4668] ret_from_fork_asm+0x1a/0x30 [ 69.277130][ T4668] [ 69.278651][ T4668] Kernel Offset: disabled [ 69.280515][ T4668] Rebooting in 86400 seconds..