[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.119' (ECDSA) to the list of known hosts.
2020/06/25 18:25:13 fuzzer started
2020/06/25 18:25:13 connecting to host at 10.128.0.26:32875
2020/06/25 18:25:13 checking machine...
2020/06/25 18:25:13 checking revisions...
2020/06/25 18:25:13 testing simple program...
syzkaller login: [ 61.531469][ T6813] IPVS: ftp: loaded support on port[0] = 21
2020/06/25 18:25:14 building call list...
[ 61.841408][ T6762] tipc: TX() has been purged, node left!
[ 62.353432][ T6762] ==================================================================
[ 62.361666][ T6762] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[ 62.369553][ T6762] Write of size 1 at addr ffff88809f1719e4 by task kworker/u4:7/6762
[ 62.377600][ T6762]
[ 62.379929][ T6762] CPU: 1 PID: 6762 Comm: kworker/u4:7 Not tainted 5.8.0-rc2-syzkaller #0
[ 62.389108][ T6762] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.400130][ T6762] Workqueue: netns cleanup_net
[ 62.404894][ T6762] Call Trace:
[ 62.408191][ T6762]  dump_stack+0x18f/0x20d
[ 62.412705][ T6762]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.418251][ T6762]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.423791][ T6762]  ? afs_put_call+0x440/0x440
[ 62.428641][ T6762]  print_address_description.constprop.0.cold+0xae/0x436
[ 62.435668][ T6762]  ? vprintk_func+0x97/0x1a6
[ 62.440258][ T6762]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.445799][ T6762]  kasan_report.cold+0x1f/0x37
[ 62.450580][ T6762]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.456996][ T6762]  afs_wake_up_async_call+0x430/0x4a0
[ 62.462363][ T6762]  ? afs_close_socket+0x320/0x320
[ 62.467390][ T6762]  rxrpc_notify_socket+0x1db/0x5d0
[ 62.472499][ T6762]  ? afs_put_call+0x440/0x440
[ 62.477171][ T6762]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 62.483582][ T6762]  rxrpc_call_completed+0xd0/0xf0
[ 62.488619][ T6762]  rxrpc_discard_prealloc+0x777/0xab0
[ 62.493993][ T6762]  ? lock_sock_nested+0x94/0x110
[ 62.498930][ T6762]  rxrpc_listen+0x11c/0x330
[ 62.503433][ T6762]  afs_close_socket+0x95/0x320
[ 62.508190][ T6762]  ? afs_purge_servers+0x181/0x330
[ 62.513300][ T6762]  ? afs_rx_discard_new_call+0x50/0x50
[ 62.518762][ T6762]  ? init_wait_var_entry+0x200/0x200
[ 62.524058][ T6762]  afs_net_exit+0x1c4/0x310
[ 62.528573][ T6762]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 62.534216][ T6762]  ops_exit_list+0xb0/0x160
[ 62.538821][ T6762]  cleanup_net+0x4ea/0xa00
[ 62.543240][ T6762]  ? __schedule+0x887/0x1eb0
[ 62.547838][ T6762]  ? ops_free_list.part.0+0x3d0/0x3d0
[ 62.553213][ T6762]  ? check_preemption_disabled+0x38/0x220
[ 62.558935][ T6762]  process_one_work+0x94c/0x1670
[ 62.563901][ T6762]  ? lock_release+0x8d0/0x8d0
[ 62.568592][ T6762]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 62.573976][ T6762]  ? rwlock_bug.part.0+0x90/0x90
[ 62.578940][ T6762]  worker_thread+0x64c/0x1120
[ 62.583647][ T6762]  ? __kthread_parkme+0x13f/0x1e0
[ 62.588680][ T6762]  ? process_one_work+0x1670/0x1670
[ 62.593877][ T6762]  kthread+0x3b5/0x4a0
[ 62.597941][ T6762]  ? __kthread_bind_mask+0xc0/0xc0
[ 62.603050][ T6762]  ? __kthread_bind_mask+0xc0/0xc0
[ 62.608166][ T6762]  ret_from_fork+0x1f/0x30
[ 62.612589][ T6762]
[ 62.614917][ T6762] Allocated by task 6813:
[ 62.619248][ T6762]  save_stack+0x1b/0x40
[ 62.623399][ T6762]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 62.629043][ T6762]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 62.634773][ T6762]  afs_alloc_call+0x4f/0x360
[ 62.639363][ T6762]  afs_charge_preallocation+0xe9/0x2d0
[ 62.644976][ T6762]  afs_open_socket+0x294/0x360
[ 62.649738][ T6762]  afs_net_init+0xab4/0xe90
[ 62.654238][ T6762]  ops_init+0xaf/0x470
[ 62.658299][ T6762]  setup_net+0x2d8/0x850
[ 62.662533][ T6762]  copy_net_ns+0x2cf/0x5e0
[ 62.666944][ T6762]  create_new_namespaces+0x3f6/0xb10
[ 62.672225][ T6762]  unshare_nsproxy_namespaces+0xbd/0x1f0
[ 62.677852][ T6762]  ksys_unshare+0x36c/0x9a0
[ 62.682350][ T6762]  __x64_sys_unshare+0x2d/0x40
[ 62.687123][ T6762]  do_syscall_64+0x60/0xe0
[ 62.691626][ T6762]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.697501][ T6762]
[ 62.699820][ T6762] Freed by task 6762:
[ 62.703798][ T6762]  save_stack+0x1b/0x40
[ 62.707946][ T6762]  __kasan_slab_free+0xf5/0x140
[ 62.712786][ T6762]  kfree+0x103/0x2c0
[ 62.716674][ T6762]  afs_put_call+0x345/0x440
[ 62.721191][ T6762]  rxrpc_discard_prealloc+0x75a/0xab0
[ 62.726554][ T6762]  rxrpc_listen+0x11c/0x330
[ 62.731050][ T6762]  afs_close_socket+0x95/0x320
[ 62.735803][ T6762]  afs_net_exit+0x1c4/0x310
[ 62.740584][ T6762]  ops_exit_list+0xb0/0x160
[ 62.745078][ T6762]  cleanup_net+0x4ea/0xa00
[ 62.749489][ T6762]  process_one_work+0x94c/0x1670
[ 62.754514][ T6762]  worker_thread+0x64c/0x1120
[ 62.759183][ T6762]  kthread+0x3b5/0x4a0
[ 62.763249][ T6762]  ret_from_fork+0x1f/0x30
[ 62.767648][ T6762]
[ 62.769970][ T6762] The buggy address belongs to the object at ffff88809f171800
[ 62.769970][ T6762]  which belongs to the cache kmalloc-1k of size 1024
[ 62.784099][ T6762] The buggy address is located 484 bytes inside of
[ 62.784099][ T6762]  1024-byte region [ffff88809f171800, ffff88809f171c00)
[ 62.797713][ T6762] The buggy address belongs to the page:
[ 62.803359][ T6762] page:ffffea00027c5c40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 62.812473][ T6762] flags: 0xfffe0000000200(slab)
[ 62.817335][ T6762] raw: 00fffe0000000200 ffffea0002a4c208 ffffea00025cfd08 ffff8880aa000c40
[ 62.825938][ T6762] raw: 0000000000000000 ffff88809f171000 0000000100000002 0000000000000000
[ 62.834515][ T6762] page dumped because: kasan: bad access detected
[ 62.840926][ T6762]
[ 62.843243][ T6762] Memory state around the buggy address:
[ 62.848879][ T6762]  ffff88809f171880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.856941][ T6762]  ffff88809f171900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.864997][ T6762] >ffff88809f171980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.873137][ T6762]                                                        ^
[ 62.880326][ T6762]  ffff88809f171a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.888727][ T6762]  ffff88809f171a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.896777][ T6762] ==================================================================
[ 62.904823][ T6762] Disabling lock debugging due to kernel taint
[ 62.911036][ T6762] Kernel panic - not syncing: panic_on_warn set ...
[ 62.917631][ T6762] CPU: 1 PID: 6762 Comm: kworker/u4:7 Tainted: G B 5.8.0-rc2-syzkaller #0
[ 62.927424][ T6762] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.937741][ T6762] Workqueue: netns cleanup_net
[ 62.942499][ T6762] Call Trace:
[ 62.945786][ T6762]  dump_stack+0x18f/0x20d
[ 62.950143][ T6762]  ? afs_wake_up_async_call+0x340/0x4a0
[ 62.955682][ T6762]  ? afs_put_call+0x440/0x440
[ 62.960360][ T6762]  panic+0x2e3/0x75c
[ 62.964258][ T6762]  ? __warn_printk+0xf3/0xf3
[ 62.968852][ T6762]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.974394][ T6762]  ? trace_hardirqs_on+0x55/0x220
[ 62.979409][ T6762]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.984948][ T6762]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.990479][ T6762]  ? afs_put_call+0x440/0x440
[ 62.995147][ T6762]  end_report+0x4d/0x53
[ 62.999299][ T6762]  kasan_report.cold+0xd/0x37
[ 63.003967][ T6762]  ? afs_wake_up_async_call+0x430/0x4a0
[ 63.009508][ T6762]  afs_wake_up_async_call+0x430/0x4a0
[ 63.014869][ T6762]  ? afs_close_socket+0x320/0x320
[ 63.019891][ T6762]  rxrpc_notify_socket+0x1db/0x5d0
[ 63.024991][ T6762]  ? afs_put_call+0x440/0x440
[ 63.029833][ T6762]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 63.036328][ T6762]  rxrpc_call_completed+0xd0/0xf0
[ 63.041354][ T6762]  rxrpc_discard_prealloc+0x777/0xab0
[ 63.046721][ T6762]  ? lock_sock_nested+0x94/0x110
[ 63.051650][ T6762]  rxrpc_listen+0x11c/0x330
[ 63.056145][ T6762]  afs_close_socket+0x95/0x320
[ 63.060898][ T6762]  ? afs_purge_servers+0x181/0x330
[ 63.066037][ T6762]  ? afs_rx_discard_new_call+0x50/0x50
[ 63.071487][ T6762]  ? init_wait_var_entry+0x200/0x200
[ 63.076766][ T6762]  afs_net_exit+0x1c4/0x310
[ 63.081263][ T6762]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 63.086977][ T6762]  ops_exit_list+0xb0/0x160
[ 63.091472][ T6762]  cleanup_net+0x4ea/0xa00
[ 63.095885][ T6762]  ? __schedule+0x887/0x1eb0
[ 63.100465][ T6762]  ? ops_free_list.part.0+0x3d0/0x3d0
[ 63.105832][ T6762]  ? check_preemption_disabled+0x38/0x220
[ 63.111552][ T6762]  process_one_work+0x94c/0x1670
[ 63.116482][ T6762]  ? lock_release+0x8d0/0x8d0
[ 63.121148][ T6762]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 63.126513][ T6762]  ? rwlock_bug.part.0+0x90/0x90
[ 63.131451][ T6762]  worker_thread+0x64c/0x1120
[ 63.136123][ T6762]  ? __kthread_parkme+0x13f/0x1e0
[ 63.141397][ T6762]  ? process_one_work+0x1670/0x1670
[ 63.146583][ T6762]  kthread+0x3b5/0x4a0
[ 63.150640][ T6762]  ? __kthread_bind_mask+0xc0/0xc0
[ 63.155740][ T6762]  ? __kthread_bind_mask+0xc0/0xc0
[ 63.160847][ T6762]  ret_from_fork+0x1f/0x30
[ 63.166709][ T6762] Kernel Offset: disabled
[ 63.171153][ T6762] Rebooting in 86400 seconds..