[  OK  ] Started Getty on tty4.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.211' (ECDSA) to the list of known hosts.
2020/06/19 04:22:33 fuzzer started
2020/06/19 04:22:33 connecting to host at 10.128.0.26:44637
2020/06/19 04:22:33 checking machine...
2020/06/19 04:22:33 checking revisions...
2020/06/19 04:22:33 testing simple program...
syzkaller login: [   59.126857][ T6821] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 04:22:34 building call list...
[   59.485942][  T185] tipc: TX() has been purged, node left!
[   60.008312][  T185] ==================================================================
[   60.019158][  T185] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   60.027130][  T185] Write of size 1 at addr ffff8880a4a869e4 by task kworker/u4:4/185
[   60.035109][  T185]
[   60.037527][  T185] CPU: 0 PID: 185 Comm: kworker/u4:4 Not tainted 5.8.0-rc1-syzkaller #0
[   60.045840][  T185] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.057148][  T185] Workqueue: netns cleanup_net
[   60.061918][  T185] Call Trace:
[   60.065234][  T185]  dump_stack+0x18f/0x20d
[   60.069596][  T185]  ? afs_wake_up_async_call+0x6aa/0x770
[   60.081511][  T185]  ? afs_wake_up_async_call+0x6aa/0x770
[   60.087060][  T185]  ? afs_put_call+0xa40/0xa40
[   60.091739][  T185]  print_address_description.constprop.0.cold+0xd3/0x413
[   60.099254][  T185]  ? vprintk_func+0x97/0x1a6
[   60.104198][  T185]  ? afs_wake_up_async_call+0x6aa/0x770
[   60.110003][  T185]  kasan_report.cold+0x1f/0x37
[   60.114774][  T185]  ? rcu_read_lock_held_common+0x51/0xa0
[   60.121020][  T185]  ? afs_wake_up_async_call+0x6aa/0x770
[   60.126572][  T185]  afs_wake_up_async_call+0x6aa/0x770
[   60.132047][  T185]  ? afs_close_socket+0x320/0x320
[   60.137080][  T185]  ? afs_put_call+0xa40/0xa40
[   60.141756][  T185]  rxrpc_notify_socket+0x1db/0x5d0
[   60.147073][  T185]  ? afs_put_call+0xa40/0xa40
[   60.151756][  T185]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   60.158352][  T185]  rxrpc_call_completed+0xca/0xf0
[   60.163468][  T185]  rxrpc_discard_prealloc+0x781/0xab0
[   60.168985][  T185]  ? lock_sock_nested+0x94/0x110
[   60.173939][  T185]  rxrpc_listen+0x147/0x360
[   60.178471][  T185]  afs_close_socket+0x95/0x320
[   60.183232][  T185]  ? afs_purge_servers+0x16d/0x300
[   60.188348][  T185]  ? afs_rx_discard_new_call+0x50/0x50
[   60.194159][  T185]  ? init_wait_var_entry+0x200/0x200
[   60.199447][  T185]  ? rcu_read_lock_held_common+0xa0/0xa0
[   60.205079][  T185]  ? check_preemption_disabled+0x38/0x220
[   60.210820][  T185]  afs_net_exit+0x1bc/0x310
[   60.215347][  T185]  ? afs_net_init+0xe30/0xe30
[   60.220026][  T185]  ops_exit_list.isra.0+0xa8/0x150
[   60.225326][  T185]  cleanup_net+0x511/0xa50
[   60.230293][  T185]  ? unregister_pernet_device+0x70/0x70
[   60.235851][  T185]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   60.241840][  T185]  process_one_work+0x965/0x1690
[   60.246809][  T185]  ? lock_release+0x800/0x800
[   60.251485][  T185]  ? pwq_dec_nr_in_flight+0x310/0x310
[   60.257041][  T185]  ? rwlock_bug.part.0+0x90/0x90
[   60.261996][  T185]  worker_thread+0x96/0xe10
[   60.266513][  T185]  ? process_one_work+0x1690/0x1690
[   60.271721][  T185]  kthread+0x3b5/0x4a0
[   60.275791][  T185]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   60.281508][  T185]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   60.287250][  T185]  ret_from_fork+0x1f/0x30
[   60.291795][  T185]
[   60.294117][  T185] Allocated by task 6821:
[   60.298445][  T185]  save_stack+0x1b/0x40
[   60.302598][  T185]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   60.308226][  T185]  kmem_cache_alloc_trace+0x153/0x7d0
[   60.313717][  T185]  afs_alloc_call+0x55/0x630
[   60.319092][  T185]  afs_charge_preallocation+0xe9/0x2d0
[   60.325088][  T185]  afs_open_socket+0x292/0x360
[   60.330395][  T185]  afs_net_init+0xa6c/0xe30
[   60.334895][  T185]  ops_init+0xaf/0x420
[   60.339458][  T185]  setup_net+0x2de/0x860
[   60.343718][  T185]  copy_net_ns+0x293/0x590
[   60.348673][  T185]  create_new_namespaces+0x3fb/0xb30
[   60.354056][  T185]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   60.359704][  T185]  ksys_unshare+0x43d/0x8e0
[   60.364226][  T185]  __x64_sys_unshare+0x2d/0x40
[   60.368988][  T185]  do_syscall_64+0x60/0xe0
[   60.373413][  T185]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   60.380089][  T185]
[   60.382430][  T185] Freed by task 185:
[   60.386775][  T185]  save_stack+0x1b/0x40
[   60.390930][  T185]  __kasan_slab_free+0xf7/0x140
[   60.395985][  T185]  kfree+0x109/0x2b0
[   60.399881][  T185]  afs_put_call+0x585/0xa40
[   60.404387][  T185]  rxrpc_discard_prealloc+0x764/0xab0
[   60.409768][  T185]  rxrpc_listen+0x147/0x360
[   60.414369][  T185]  afs_close_socket+0x95/0x320
[   60.419127][  T185]  afs_net_exit+0x1bc/0x310
[   60.423720][  T185]  ops_exit_list.isra.0+0xa8/0x150
[   60.428913][  T185]  cleanup_net+0x511/0xa50
[   60.433330][  T185]  process_one_work+0x965/0x1690
[   60.438268][  T185]  worker_thread+0x96/0xe10
[   60.442764][  T185]  kthread+0x3b5/0x4a0
[   60.446839][  T185]  ret_from_fork+0x1f/0x30
[   60.451251][  T185]
[   60.453577][  T185] The buggy address belongs to the object at ffff8880a4a86800
[   60.453577][  T185]  which belongs to the cache kmalloc-1k of size 1024
[   60.467806][  T185] The buggy address is located 484 bytes inside of
[   60.467806][  T185]  1024-byte region [ffff8880a4a86800, ffff8880a4a86c00)
[   60.481328][  T185] The buggy address belongs to the page:
[   60.486977][  T185] page:ffffea000292a180 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   60.496077][  T185] flags: 0xfffe0000000200(slab)
[   60.500937][  T185] raw: 00fffe0000000200 ffffea00027d4508 ffffea000280a248 ffff8880aa000c40
[   60.509713][  T185] raw: 0000000000000000 ffff8880a4a86000 0000000100000002 0000000000000000
[   60.518376][  T185] page dumped because: kasan: bad access detected
[   60.525473][  T185]
[   60.527882][  T185] Memory state around the buggy address:
[   60.533511][  T185]  ffff8880a4a86880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.541574][  T185]  ffff8880a4a86900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.549634][  T185] >ffff8880a4a86980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.557689][  T185]                                                        ^
[   60.564880][  T185]  ffff8880a4a86a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.572944][  T185]  ffff8880a4a86a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.580997][  T185] ==================================================================
[   60.589051][  T185] Disabling lock debugging due to kernel taint
[   60.595409][  T185] Kernel panic - not syncing: panic_on_warn set ...
[   60.601994][  T185] CPU: 0 PID: 185 Comm: kworker/u4:4 Tainted: G    B             5.8.0-rc1-syzkaller #0
[   60.611691][  T185] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.621744][  T185] Workqueue: netns cleanup_net
[   60.626513][  T185] Call Trace:
[   60.629806][  T185]  dump_stack+0x18f/0x20d
[   60.634143][  T185]  ? afs_wake_up_async_call+0x670/0x770
[   60.639675][  T185]  ? afs_put_call+0xa40/0xa40
[   60.644360][  T185]  panic+0x2e3/0x75c
[   60.648252][  T185]  ? __warn_printk+0xf3/0xf3
[   60.652833][  T185]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   60.658980][  T185]  ? trace_hardirqs_on+0x55/0x220
[   60.663996][  T185]  ? afs_wake_up_async_call+0x6aa/0x770
[   60.669529][  T185]  ? afs_wake_up_async_call+0x6aa/0x770
[   60.675062][  T185]  ? afs_put_call+0xa40/0xa40
[   60.679749][  T185]  end_report+0x4d/0x53
[   60.683912][  T185]  kasan_report.cold+0xd/0x37
[   60.688598][  T185]  ? rcu_read_lock_held_common+0x51/0xa0
[   60.694225][  T185]  ? afs_wake_up_async_call+0x6aa/0x770
[   60.699767][  T185]  afs_wake_up_async_call+0x6aa/0x770
[   60.705134][  T185]  ? afs_close_socket+0x320/0x320
[   60.710154][  T185]  ? afs_put_call+0xa40/0xa40
[   60.714823][  T185]  rxrpc_notify_socket+0x1db/0x5d0
[   60.719984][  T185]  ? afs_put_call+0xa40/0xa40
[   60.724654][  T185]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   60.731060][  T185]  rxrpc_call_completed+0xca/0xf0
[   60.736078][  T185]  rxrpc_discard_prealloc+0x781/0xab0
[   60.741460][  T185]  ? lock_sock_nested+0x94/0x110
[   60.746397][  T185]  rxrpc_listen+0x147/0x360
[   60.750894][  T185]  afs_close_socket+0x95/0x320
[   60.755649][  T185]  ? afs_purge_servers+0x16d/0x300
[   60.760755][  T185]  ? afs_rx_discard_new_call+0x50/0x50
[   60.766209][  T185]  ? init_wait_var_entry+0x200/0x200
[   60.771505][  T185]  ? rcu_read_lock_held_common+0xa0/0xa0
[   60.777163][  T185]  ? check_preemption_disabled+0x38/0x220
[   60.782888][  T185]  afs_net_exit+0x1bc/0x310
[   60.787405][  T185]  ? afs_net_init+0xe30/0xe30
[   60.792075][  T185]  ops_exit_list.isra.0+0xa8/0x150
[   60.797177][  T185]  cleanup_net+0x511/0xa50
[   60.801603][  T185]  ? unregister_pernet_device+0x70/0x70
[   60.807168][  T185]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   60.813141][  T185]  process_one_work+0x965/0x1690
[   60.818337][  T185]  ? lock_release+0x800/0x800
[   60.823013][  T185]  ? pwq_dec_nr_in_flight+0x310/0x310
[   60.828477][  T185]  ? rwlock_bug.part.0+0x90/0x90
[   60.833409][  T185]  worker_thread+0x96/0xe10
[   60.837913][  T185]  ? process_one_work+0x1690/0x1690
[   60.843128][  T185]  kthread+0x3b5/0x4a0
[   60.847210][  T185]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   60.852919][  T185]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   60.858637][  T185]  ret_from_fork+0x1f/0x30
[   60.864385][  T185] Kernel Offset: disabled
[   60.868768][  T185] Rebooting in 86400 seconds..
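The report above carries everything needed for first-pass triage of the use-after-free: the access stack, the "Allocated by" and "Freed by" stacks, the object's cache and the offset of the write inside it, and the shadow row KASAN marks with ">". The script below is an added example (not part of the syzbot report, and not syzkaller code) that pulls those fields out of a report in this layout and answers the questions a triager asks first: which subsystem function allocated the object and which freed it, whether the free and the bad access happened on the same task and share a call path, and what the shadow byte at the faulting address says. SAMPLE_LOG is a constructed excerpt that copies a subset of the lines printed above; the function names, the PLUMBING set and the shadow-byte table are this example's own, and the regexes assume the generic-KASAN report format of v5.8-era kernels.

```python
"""KASAN report triage: an added example, not code from the syzbot report
above or from syzkaller.  SAMPLE_LOG is a constructed excerpt that copies a
subset of the report's lines; every function name is this example's own, and
the regexes assume the generic-KASAN report layout of v5.8-era kernels."""
import re

SAMPLE_LOG = """\
[   60.019158][  T185] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   60.027130][  T185] Write of size 1 at addr ffff8880a4a869e4 by task kworker/u4:4/185
[   60.061918][  T185] Call Trace:
[   60.069596][  T185]  ? afs_wake_up_async_call+0x6aa/0x770
[   60.126572][  T185]  afs_wake_up_async_call+0x6aa/0x770
[   60.141756][  T185]  rxrpc_notify_socket+0x1db/0x5d0
[   60.163468][  T185]  rxrpc_discard_prealloc+0x781/0xab0
[   60.173939][  T185]  rxrpc_listen+0x147/0x360
[   60.291795][  T185]
[   60.294117][  T185] Allocated by task 6821:
[   60.298445][  T185]  save_stack+0x1b/0x40
[   60.302598][  T185]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   60.308226][  T185]  kmem_cache_alloc_trace+0x153/0x7d0
[   60.313717][  T185]  afs_alloc_call+0x55/0x630
[   60.380089][  T185]
[   60.382430][  T185] Freed by task 185:
[   60.386775][  T185]  save_stack+0x1b/0x40
[   60.390930][  T185]  __kasan_slab_free+0xf7/0x140
[   60.395985][  T185]  kfree+0x109/0x2b0
[   60.399881][  T185]  afs_put_call+0x585/0xa40
[   60.404387][  T185]  rxrpc_discard_prealloc+0x764/0xab0
[   60.451251][  T185]
[   60.453577][  T185] The buggy address belongs to the object at ffff8880a4a86800
[   60.467806][  T185] The buggy address is located 484 bytes inside of
[   60.549634][  T185] >ffff8880a4a86980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # "[   60.019158][  T185] "
FRAME = re.compile(r"^\s*(?P<q>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?\s?(?P<row>[0-9a-f]{16}): (?P<bytes>[0-9a-f]{2}(?: [0-9a-f]{2})*)$")
# Allocator and KASAN plumbing that sits above the subsystem frame a triager cares about.
PLUMBING = {"save_stack", "__kasan_kmalloc", "__kasan_slab_free", "kfree",
            "kmem_cache_alloc_trace", "kmem_cache_free"}
# Shadow byte values from mm/kasan/kasan.h (generic KASAN, v5.8); one byte per 8-byte granule.
SHADOW_MEANING = {0x00: "accessible", 0xfb: "freed slab object",
                  0xfc: "slab redzone", 0xfe: "page redzone", 0xff: "freed page"}

def parse_kasan_report(text):
    """Collect the triage-relevant fields; '? ' frames are unwinder guesses and are skipped."""
    r = {"stacks": {"access": [], "alloc": [], "free": []}, "tasks": {}, "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if not line:                      # a blank line ends the current stack section
            section = None
        elif m := re.search(r"BUG: KASAN: ([\w-]+) in ([\w.]+)\+0x", line):
            r["kind"], r["in_func"] = m.group(1), m.group(2).split(".")[0]
        elif m := re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)", line):
            r["op"], r["size"] = m.group(1), int(m.group(2))
            r["addr"], r["tasks"]["access"] = int(m.group(3), 16), int(m.group(4))
        elif line.startswith("Call Trace:"):
            section = "access"
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", line):
            section = "alloc" if m.group(1) == "Allocated" else "free"
            r["tasks"][section] = int(m.group(2))
        elif m := re.search(r"belongs to the object at ([0-9a-f]+)", line):
            r["obj_addr"] = int(m.group(1), 16)
        elif m := re.search(r"located (\d+) bytes inside of", line):
            r["reported_offset"] = int(m.group(1))
        elif m := SHADOW_ROW.match(line):
            r["shadow"][int(m.group("row"), 16)] = [int(b, 16) for b in m.group("bytes").split()]
        elif section and (m := FRAME.match(line)) and not m.group("q"):
            r["stacks"][section].append(m.group("sym").split(".")[0])  # drop .constprop/.isra suffixes
    return r

def shadow_state(r):
    """Decode the shadow byte covering the faulting address from the 'Memory state' rows."""
    for row, vals in r["shadow"].items():
        if row <= r["addr"] < row + 8 * len(vals):
            b = vals[(r["addr"] - row) // 8]
            return SHADOW_MEANING.get(b, "0x%02x" % b)
    return None

def triage(r):
    """Who allocated, who freed, whether free and access share a task and a call path."""
    access = set(r["stacks"]["access"])
    shared = [f for f in r["stacks"]["free"] if f in access]   # innermost common frame first
    offset = r["addr"] - r["obj_addr"]
    return {
        "bug": "%s %s of %d byte(s) in %s" % (r["kind"], r["op"].lower(), r["size"], r["in_func"]),
        "offset_in_object": offset,
        "offset_consistent": offset == r["reported_offset"],
        "allocated_in": next((f for f in r["stacks"]["alloc"] if f not in PLUMBING), None),
        "freed_in": next((f for f in r["stacks"]["free"] if f not in PLUMBING), None),
        "freed_by_accessing_task": r["tasks"].get("free") == r["tasks"].get("access"),
        "freed_under": shared[0] if shared else None,
        "shadow_at_addr": shadow_state(r),
    }

if __name__ == "__main__":
    for key, value in triage(parse_kasan_report(SAMPLE_LOG)).items():
        print("%-24s %s" % (key, value))
```

On this report the output says the afs_call was allocated in afs_alloc_call, freed in afs_put_call by the same kworker that then wrote to it, and that the free and the write both sit under rxrpc_discard_prealloc: the object is released and then completed (which notifies the socket) within one synchronous call chain, not lost to a race between two tasks. The shadow byte 0xfb at the address confirms KASAN's "use-after-free" classification independently of the stacks. Two caveats apply to any report in this format: "Freed by" only records the most recent free of that slab slot, and the "? " frames in the access stack are stale stack contents, which is why the parser drops them.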