[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
2020/06/25 14:36:29 fuzzer started
2020/06/25 14:36:29 connecting to host at 10.128.0.26:37117
2020/06/25 14:36:29 checking machine...
2020/06/25 14:36:29 checking revisions...
2020/06/25 14:36:29 testing simple program...
syzkaller login: [ 42.880154][ T6801] IPVS: ftp: loaded support on port[0] = 21
2020/06/25 14:36:29 building call list...
[ 43.132064][ T668] tipc: TX() has been purged, node left!
[ 43.673571][ T668] ==================================================================
[ 43.681879][ T668] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0
[ 43.689775][ T668] Write of size 1 at addr ffff88808c3471e4 by task kworker/u4:5/668
[ 43.697759][ T668]
[ 43.700103][ T668] CPU: 1 PID: 668 Comm: kworker/u4:5 Not tainted 5.8.0-rc2-syzkaller #0
[ 43.708500][ T668] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.719245][ T668] Workqueue: netns cleanup_net
[ 43.723995][ T668] Call Trace:
[ 43.727277][ T668] dump_stack+0x1f0/0x31e
[ 43.731617][ T668] print_address_description+0x66/0x5a0
[ 43.737167][ T668] ? vprintk_emit+0x342/0x3c0
[ 43.741843][ T668] ? printk+0x62/0x83
[ 43.745820][ T668] ? vprintk_emit+0x339/0x3c0
[ 43.750629][ T668] kasan_report+0x132/0x1d0
[ 43.755142][ T668] ? afs_wake_up_async_call+0x16f/0x1c0
[ 43.760684][ T668] ? afs_make_call+0x24f0/0x24f0
[ 43.765784][ T668] afs_wake_up_async_call+0x16f/0x1c0
[ 43.771576][ T668] ? afs_make_call+0x24f0/0x24f0
[ 43.776499][ T668] rxrpc_notify_socket+0x1e7/0x4a0
[ 43.781607][ T668] rxrpc_call_completed+0x131/0x210
[ 43.786793][ T668] ? afs_rx_new_call+0x240/0x240
[ 43.791730][ T668] rxrpc_discard_prealloc+0x60d/0x710
[ 43.797187][ T668] rxrpc_listen+0x246/0x370
[ 43.801683][ T668] afs_close_socket+0x57/0x280
[ 43.806436][ T668] ? afs_purge_servers+0x25f/0x2c0
[ 43.811647][ T668] ? init_wait_var_entry+0x150/0x150
[ 43.816951][ T668] afs_net_exit+0x57/0xa0
[ 43.821326][ T668] cleanup_net+0x708/0xba0
[ 43.825747][ T668] process_one_work+0x789/0xfc0
[ 43.831569][ T668] worker_thread+0xaa4/0x1460
[ 43.836277][ T668] kthread+0x37e/0x3a0
[ 43.840337][ T668] ? rcu_lock_release+0x20/0x20
[ 43.845174][ T668] ? kthread_blkcg+0xd0/0xd0
[ 43.849931][ T668] ret_from_fork+0x1f/0x30
[ 43.854347][ T668]
[ 43.856665][ T668] Allocated by task 6801:
[ 43.860978][ T668] __kasan_kmalloc+0x103/0x140
[ 43.865725][ T668] kmem_cache_alloc_trace+0x234/0x300
[ 43.871081][ T668] afs_alloc_call+0x89/0x2f0
[ 43.875668][ T668] afs_charge_preallocation+0xf0/0x2a0
[ 43.881117][ T668] afs_open_socket+0x3c7/0x510
[ 43.885870][ T668] afs_net_init+0x7a0/0x990
[ 43.890801][ T668] ops_init+0x320/0x410
[ 43.894950][ T668] setup_net+0x1cb/0x770
[ 43.899180][ T668] copy_net_ns+0x339/0x540
[ 43.903583][ T668] create_new_namespaces+0x52e/0x9f0
[ 43.908852][ T668] unshare_nsproxy_namespaces+0x123/0x190
[ 43.914563][ T668] ksys_unshare+0x463/0x950
[ 43.919050][ T668] __x64_sys_unshare+0x34/0x40
[ 43.923796][ T668] do_syscall_64+0x73/0xe0
[ 43.928289][ T668] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 43.934190][ T668]
[ 43.936513][ T668] Freed by task 668:
[ 43.940392][ T668] __kasan_slab_free+0x114/0x170
[ 43.945319][ T668] kfree+0x10a/0x220
[ 43.949206][ T668] afs_put_call+0x30e/0x420
[ 43.953696][ T668] rxrpc_discard_prealloc+0x5e2/0x710
[ 43.959078][ T668] rxrpc_listen+0x246/0x370
[ 43.963586][ T668] afs_close_socket+0x57/0x280
[ 43.968336][ T668] afs_net_exit+0x57/0xa0
[ 43.972661][ T668] cleanup_net+0x708/0xba0
[ 43.977066][ T668] process_one_work+0x789/0xfc0
[ 43.981905][ T668] worker_thread+0xaa4/0x1460
[ 43.986567][ T668] kthread+0x37e/0x3a0
[ 43.990623][ T668] ret_from_fork+0x1f/0x30
[ 43.995022][ T668]
[ 43.997373][ T668] The buggy address belongs to the object at ffff88808c347000
[ 43.997373][ T668] which belongs to the cache kmalloc-1k of size 1024
[ 44.011418][ T668] The buggy address is located 484 bytes inside of
[ 44.011418][ T668] 1024-byte region [ffff88808c347000, ffff88808c347400)
[ 44.024764][ T668] The buggy address belongs to the page:
[ 44.030395][ T668] page:ffffea000230d1c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 44.039493][ T668] flags: 0xfffe0000000200(slab)
[ 44.044341][ T668] raw: 00fffe0000000200 ffffea00025a2c88 ffffea00025ba3c8 ffff8880aa400c40
[ 44.052919][ T668] raw: 0000000000000000 ffff88808c347000 0000000100000002 0000000000000000
[ 44.061578][ T668] page dumped because: kasan: bad access detected
[ 44.067974][ T668]
[ 44.070294][ T668] Memory state around the buggy address:
[ 44.076095][ T668] ffff88808c347080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.084160][ T668] ffff88808c347100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.092223][ T668] >ffff88808c347180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.101411][ T668] ^
[ 44.108776][ T668] ffff88808c347200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.116841][ T668] ffff88808c347280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.124882][ T668] ==================================================================
[ 44.132928][ T668] Disabling lock debugging due to kernel taint
[ 44.139184][ T668] Kernel panic - not syncing: panic_on_warn set ...
[ 44.145764][ T668] CPU: 1 PID: 668 Comm: kworker/u4:5 Tainted: G B 5.8.0-rc2-syzkaller #0
[ 44.155464][ T668] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.165521][ T668] Workqueue: netns cleanup_net
[ 44.170429][ T668] Call Trace:
[ 44.173689][ T668] dump_stack+0x1f0/0x31e
[ 44.177988][ T668] panic+0x264/0x7a0
[ 44.181854][ T668] ? trace_hardirqs_on+0x30/0x80
[ 44.187280][ T668] ? _raw_spin_unlock_irqrestore+0xa5/0xd0
[ 44.193070][ T668] kasan_report+0x1c9/0x1d0
[ 44.197541][ T668] ? afs_wake_up_async_call+0x16f/0x1c0
[ 44.203054][ T668] ? afs_make_call+0x24f0/0x24f0
[ 44.207971][ T668] afs_wake_up_async_call+0x16f/0x1c0
[ 44.213317][ T668] ? afs_make_call+0x24f0/0x24f0
[ 44.218249][ T668] rxrpc_notify_socket+0x1e7/0x4a0
[ 44.223329][ T668] rxrpc_call_completed+0x131/0x210
[ 44.228494][ T668] ? afs_rx_new_call+0x240/0x240
[ 44.233423][ T668] rxrpc_discard_prealloc+0x60d/0x710
[ 44.238793][ T668] rxrpc_listen+0x246/0x370
[ 44.243273][ T668] afs_close_socket+0x57/0x280
[ 44.248007][ T668] ? afs_purge_servers+0x25f/0x2c0
[ 44.253096][ T668] ? init_wait_var_entry+0x150/0x150
[ 44.258366][ T668] afs_net_exit+0x57/0xa0
[ 44.262677][ T668] cleanup_net+0x708/0xba0
[ 44.267069][ T668] process_one_work+0x789/0xfc0
[ 44.271895][ T668] worker_thread+0xaa4/0x1460
[ 44.276555][ T668] kthread+0x37e/0x3a0
[ 44.280608][ T668] ? rcu_lock_release+0x20/0x20
[ 44.285431][ T668] ? kthread_blkcg+0xd0/0xd0
[ 44.290002][ T668] ret_from_fork+0x1f/0x30
[ 44.295714][ T668] Kernel Offset: disabled
[ 44.300028][ T668] Rebooting in 86400 seconds..