[ OK ] Started Getty on tty4. [ OK ] Started Getty on tty1. [ OK ] Started Serial Getty on ttyS0. [ OK ] Started Getty on tty3. [ OK ] Started Getty on tty2. [ OK ] Reached target Login Prompts. [ OK ] Reached target Multi-User System. [ OK ] Reached target Graphical Interface. Starting Update UTMP about System Runlevel Changes... [ OK ] Started Update UTMP about System Runlevel Changes. Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.0.34' (ECDSA) to the list of known hosts. 2020/06/25 18:42:19 fuzzer started 2020/06/25 18:42:20 connecting to host at 10.128.0.26:41159 2020/06/25 18:42:20 checking machine... 2020/06/25 18:42:20 checking revisions... 2020/06/25 18:42:20 testing simple program... syzkaller login: [ 61.464724][ T7003] IPVS: ftp: loaded support on port[0] = 21 2020/06/25 18:42:20 building call list... [ 61.815711][ T7] tipc: TX() has been purged, node left! [ 62.297715][ T7] ================================================================== [ 62.309004][ T7] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0 [ 62.316895][ T7] Write of size 1 at addr ffff88809ea9b9e4 by task kworker/u4:0/7 [ 62.324683][ T7] [ 62.327102][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.8.0-rc1-syzkaller #0 [ 62.335241][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 62.345413][ T7] Workqueue: netns cleanup_net [ 62.350168][ T7] Call Trace: [ 62.353468][ T7] dump_stack+0x18f/0x20d [ 62.357798][ T7] ? afs_wake_up_async_call+0x430/0x4a0 [ 62.363347][ T7] ? afs_wake_up_async_call+0x430/0x4a0 [ 62.368975][ T7] ? afs_put_call+0x440/0x440 [ 62.373719][ T7] print_address_description.constprop.0.cold+0xae/0x436 [ 62.380841][ T7] ? vprintk_func+0x97/0x1a6 [ 62.385433][ T7] ? afs_wake_up_async_call+0x430/0x4a0 [ 62.390986][ T7] kasan_report.cold+0x1f/0x37 [ 62.395756][ T7] ? afs_wake_up_async_call+0x430/0x4a0 [ 62.401388][ T7] afs_wake_up_async_call+0x430/0x4a0 [ 62.406759][ T7] ? afs_close_socket+0x320/0x320 [ 62.411784][ T7] rxrpc_notify_socket+0x1db/0x5d0 [ 62.416898][ T7] ? afs_put_call+0x440/0x440 [ 62.421577][ T7] __rxrpc_set_call_completion.part.0+0x172/0x410 [ 62.427996][ T7] rxrpc_call_completed+0xd0/0xf0 [ 62.433480][ T7] rxrpc_discard_prealloc+0x777/0xab0 [ 62.438849][ T7] ? lock_sock_nested+0x94/0x110 [ 62.443798][ T7] rxrpc_listen+0x11c/0x330 [ 62.448304][ T7] afs_close_socket+0x95/0x320 [ 62.453152][ T7] ? afs_purge_servers+0x16d/0x300 [ 62.458267][ T7] ? afs_rx_discard_new_call+0x50/0x50 [ 62.463727][ T7] ? init_wait_var_entry+0x200/0x200 [ 62.469020][ T7] ? check_preemption_disabled+0x38/0x220 [ 62.474833][ T7] afs_net_exit+0x1bc/0x310 [ 62.479334][ T7] ? __bpf_trace_afs_cb_miss+0x100/0x100 [ 62.484970][ T7] ops_exit_list+0xb0/0x160 [ 62.489482][ T7] cleanup_net+0x4ea/0xa00 [ 62.493894][ T7] ? __schedule+0x887/0x1eb0 [ 62.498484][ T7] ? ops_free_list.part.0+0x3d0/0x3d0 [ 62.503854][ T7] ? check_preemption_disabled+0x38/0x220 [ 62.509579][ T7] process_one_work+0x94c/0x1670 [ 62.514549][ T7] ? lock_release+0x8d0/0x8d0 [ 62.519225][ T7] ? pwq_dec_nr_in_flight+0x2d0/0x2d0 [ 62.524602][ T7] ? rwlock_bug.part.0+0x90/0x90 [ 62.529560][ T7] worker_thread+0x64c/0x1120 [ 62.534251][ T7] ? process_one_work+0x1670/0x1670 [ 62.539533][ T7] kthread+0x3b5/0x4a0 [ 62.543597][ T7] ? __kthread_bind_mask+0xc0/0xc0 [ 62.548709][ T7] ? __kthread_bind_mask+0xc0/0xc0 [ 62.553827][ T7] ret_from_fork+0x1f/0x30 [ 62.558250][ T7] [ 62.560571][ T7] Allocated by task 7003: [ 62.564898][ T7] save_stack+0x1b/0x40 [ 62.569053][ T7] __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 62.574683][ T7] kmem_cache_alloc_trace+0x14f/0x2d0 [ 62.580049][ T7] afs_alloc_call+0x4f/0x360 [ 62.584633][ T7] afs_charge_preallocation+0xe9/0x2d0 [ 62.590086][ T7] afs_open_socket+0x294/0x360 [ 62.594842][ T7] afs_net_init+0xa6c/0xe30 [ 62.599340][ T7] ops_init+0xaf/0x470 [ 62.603402][ T7] setup_net+0x2d8/0x850 [ 62.607637][ T7] copy_net_ns+0x2cf/0x5e0 [ 62.612221][ T7] create_new_namespaces+0x3f6/0xb10 [ 62.617500][ T7] unshare_nsproxy_namespaces+0xbd/0x1f0 [ 62.623125][ T7] ksys_unshare+0x36c/0x9a0 [ 62.627623][ T7] __x64_sys_unshare+0x2d/0x40 [ 62.632383][ T7] do_syscall_64+0x60/0xe0 [ 62.636796][ T7] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 62.642673][ T7] [ 62.644997][ T7] Freed by task 7: [ 62.648715][ T7] save_stack+0x1b/0x40 [ 62.652952][ T7] __kasan_slab_free+0xf5/0x140 [ 62.657900][ T7] kfree+0x103/0x2c0 [ 62.661802][ T7] afs_put_call+0x345/0x440 [ 62.666321][ T7] rxrpc_discard_prealloc+0x75a/0xab0 [ 62.671703][ T7] rxrpc_listen+0x11c/0x330 [ 62.676211][ T7] afs_close_socket+0x95/0x320 [ 62.680970][ T7] afs_net_exit+0x1bc/0x310 [ 62.685471][ T7] ops_exit_list+0xb0/0x160 [ 62.689967][ T7] cleanup_net+0x4ea/0xa00 [ 62.694385][ T7] process_one_work+0x94c/0x1670 [ 62.699319][ T7] worker_thread+0x64c/0x1120 [ 62.704015][ T7] kthread+0x3b5/0x4a0 [ 62.708081][ T7] ret_from_fork+0x1f/0x30 [ 62.712481][ T7] [ 62.714807][ T7] The buggy address belongs to the object at ffff88809ea9b800 [ 62.714807][ T7] which belongs to the cache kmalloc-1k of size 1024 [ 62.728853][ T7] The buggy address is located 484 bytes inside of [ 62.728853][ T7] 1024-byte region [ffff88809ea9b800, ffff88809ea9bc00) [ 62.742198][ T7] The buggy address belongs to the page: [ 62.747827][ T7] page:ffffea00027aa6c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 [ 62.756922][ T7] flags: 0xfffe0000000200(slab) [ 62.761773][ T7] raw: 00fffe0000000200 ffffea0002779008 ffffea000280d488 ffff8880aa000c40 [ 62.770359][ T7] raw: 0000000000000000 ffff88809ea9b000 0000000100000002 0000000000000000 [ 62.778932][ T7] page dumped because: kasan: bad access detected [ 62.785332][ T7] [ 62.787649][ T7] Memory state around the buggy address: [ 62.793740][ T7] ffff88809ea9b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 62.801795][ T7] ffff88809ea9b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 62.809851][ T7] >ffff88809ea9b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 62.817902][ T7] ^ [ 62.825091][ T7] ffff88809ea9ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 62.833150][ T7] ffff88809ea9ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 62.841203][ T7] ================================================================== [ 62.849252][ T7] Disabling lock debugging due to kernel taint [ 62.855453][ T7] Kernel panic - not syncing: panic_on_warn set ... [ 62.862035][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Tainted: G B 5.8.0-rc1-syzkaller #0 [ 62.871578][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 62.881641][ T7] Workqueue: netns cleanup_net [ 62.886396][ T7] Call Trace: [ 62.889697][ T7] dump_stack+0x18f/0x20d [ 62.894034][ T7] ? afs_wake_up_async_call+0x400/0x4a0 [ 62.899586][ T7] ? afs_put_call+0x440/0x440 [ 62.904267][ T7] panic+0x2e3/0x75c [ 62.908173][ T7] ? __warn_printk+0xf3/0xf3 [ 62.912762][ T7] ? afs_wake_up_async_call+0x430/0x4a0 [ 62.918317][ T7] ? trace_hardirqs_on+0x55/0x220 [ 62.923340][ T7] ? afs_wake_up_async_call+0x430/0x4a0 [ 62.928875][ T7] ? afs_wake_up_async_call+0x430/0x4a0 [ 62.934419][ T7] ? afs_put_call+0x440/0x440 [ 62.939697][ T7] end_report+0x4d/0x53 [ 62.943860][ T7] kasan_report.cold+0xd/0x37 [ 62.948620][ T7] ? afs_wake_up_async_call+0x430/0x4a0 [ 62.954245][ T7] afs_wake_up_async_call+0x430/0x4a0 [ 62.959619][ T7] ? afs_close_socket+0x320/0x320 [ 62.964733][ T7] rxrpc_notify_socket+0x1db/0x5d0 [ 62.969930][ T7] ? afs_put_call+0x440/0x440 [ 62.974607][ T7] __rxrpc_set_call_completion.part.0+0x172/0x410 [ 62.981039][ T7] rxrpc_call_completed+0xd0/0xf0 [ 62.986062][ T7] rxrpc_discard_prealloc+0x777/0xab0 [ 62.991516][ T7] ? lock_sock_nested+0x94/0x110 [ 62.996448][ T7] rxrpc_listen+0x11c/0x330 [ 63.000944][ T7] afs_close_socket+0x95/0x320 [ 63.005738][ T7] ? afs_purge_servers+0x16d/0x300 [ 63.010841][ T7] ? afs_rx_discard_new_call+0x50/0x50 [ 63.016299][ T7] ? init_wait_var_entry+0x200/0x200 [ 63.021592][ T7] ? check_preemption_disabled+0x38/0x220 [ 63.027320][ T7] afs_net_exit+0x1bc/0x310 [ 63.031820][ T7] ? __bpf_trace_afs_cb_miss+0x100/0x100 [ 63.037544][ T7] ops_exit_list+0xb0/0x160 [ 63.042038][ T7] cleanup_net+0x4ea/0xa00 [ 63.046450][ T7] ? __schedule+0x887/0x1eb0 [ 63.051065][ T7] ? ops_free_list.part.0+0x3d0/0x3d0 [ 63.056434][ T7] ? check_preemption_disabled+0x38/0x220 [ 63.062149][ T7] process_one_work+0x94c/0x1670 [ 63.067103][ T7] ? lock_release+0x8d0/0x8d0 [ 63.071775][ T7] ? pwq_dec_nr_in_flight+0x2d0/0x2d0 [ 63.077151][ T7] ? rwlock_bug.part.0+0x90/0x90 [ 63.082108][ T7] worker_thread+0x64c/0x1120 [ 63.086784][ T7] ? process_one_work+0x1670/0x1670 [ 63.091980][ T7] kthread+0x3b5/0x4a0 [ 63.096041][ T7] ? __kthread_bind_mask+0xc0/0xc0 [ 63.101139][ T7] ? __kthread_bind_mask+0xc0/0xc0 [ 63.106253][ T7] ret_from_fork+0x1f/0x30 [ 63.112238][ T7] Kernel Offset: disabled [ 63.116554][ T7] Rebooting in 86400 seconds..