[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.231' (ECDSA) to the list of known hosts.
2020/06/17 22:11:13 fuzzer started
2020/06/17 22:11:13 connecting to host at 10.128.0.26:33057
2020/06/17 22:11:13 checking machine...
2020/06/17 22:11:13 checking revisions...
2020/06/17 22:11:13 testing simple program...
syzkaller login: [ 61.997287][ T6856] IPVS: ftp: loaded support on port[0] = 21
2020/06/17 22:11:14 building call list...
[ 62.345213][ T139] tipc: TX() has been purged, node left!
[ 62.867392][ T139] ==================================================================
[ 62.875848][ T139] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 62.883945][ T139] Write of size 1 at addr ffff888091a939e4 by task kworker/u4:3/139
[ 62.891938][ T139]
[ 62.894273][ T139] CPU: 1 PID: 139 Comm: kworker/u4:3 Not tainted 5.8.0-rc1-syzkaller #0
[ 62.902589][ T139] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.912675][ T139] Workqueue: netns cleanup_net
[ 62.917430][ T139] Call Trace:
[ 62.920723][ T139] dump_stack+0x18f/0x20d
[ 62.925079][ T139] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.930652][ T139] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.936202][ T139] ? afs_put_call+0xa40/0xa40
[ 62.940972][ T139] print_address_description.constprop.0.cold+0xd3/0x413
[ 62.948004][ T139] ? vprintk_func+0x97/0x1a6
[ 62.952605][ T139] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.958150][ T139] kasan_report.cold+0x1f/0x37
[ 62.962917][ T139] ? rcu_read_lock_held_common+0x51/0xa0
[ 62.968575][ T139] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.974139][ T139] afs_wake_up_async_call+0x6aa/0x770
[ 62.979527][ T139] ? afs_close_socket+0x320/0x320
[ 62.984564][ T139] ? afs_put_call+0xa40/0xa40
[ 62.989275][ T139] rxrpc_notify_socket+0x1db/0x5d0
[ 62.994392][ T139] ? afs_put_call+0xa40/0xa40
[ 62.999070][ T139] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 63.005489][ T139] rxrpc_call_completed+0xca/0xf0
[ 63.010518][ T139] rxrpc_discard_prealloc+0x781/0xab0
[ 63.015895][ T139] ? lock_sock_nested+0x94/0x110
[ 63.020837][ T139] rxrpc_listen+0x147/0x360
[ 63.025343][ T139] afs_close_socket+0x95/0x320
[ 63.030107][ T139] ? afs_purge_servers+0x16d/0x300
[ 63.035267][ T139] ? afs_rx_discard_new_call+0x50/0x50
[ 63.040738][ T139] ? init_wait_var_entry+0x200/0x200
[ 63.046073][ T139] ? rcu_read_lock_held_common+0xa0/0xa0
[ 63.051714][ T139] ? check_preemption_disabled+0x38/0x220
[ 63.057525][ T139] afs_net_exit+0x1bc/0x310
[ 63.062028][ T139] ? afs_net_init+0xe30/0xe30
[ 63.067658][ T139] ops_exit_list.isra.0+0xa8/0x150
[ 63.072866][ T139] cleanup_net+0x511/0xa50
[ 63.077292][ T139] ? unregister_pernet_device+0x70/0x70
[ 63.083018][ T139] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 63.089015][ T139] process_one_work+0x965/0x1690
[ 63.093965][ T139] ? lock_release+0x800/0x800
[ 63.098645][ T139] ? pwq_dec_nr_in_flight+0x310/0x310
[ 63.104045][ T139] ? rwlock_bug.part.0+0x90/0x90
[ 63.109082][ T139] worker_thread+0x96/0xe10
[ 63.113626][ T139] ? process_one_work+0x1690/0x1690
[ 63.118831][ T139] kthread+0x3b5/0x4a0
[ 63.122909][ T139] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 63.128636][ T139] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 63.134625][ T139] ret_from_fork+0x1f/0x30
[ 63.139167][ T139]
[ 63.141526][ T139] Allocated by task 6856:
[ 63.146730][ T139] save_stack+0x1b/0x40
[ 63.150902][ T139] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 63.156531][ T139] kmem_cache_alloc_trace+0x153/0x7d0
[ 63.161897][ T139] afs_alloc_call+0x55/0x630
[ 63.166481][ T139] afs_charge_preallocation+0xe9/0x2d0
[ 63.171942][ T139] afs_open_socket+0x292/0x360
[ 63.176854][ T139] afs_net_init+0xa6c/0xe30
[ 63.182227][ T139] ops_init+0xaf/0x420
[ 63.186297][ T139] setup_net+0x2de/0x860
[ 63.190538][ T139] copy_net_ns+0x293/0x590
[ 63.194957][ T139] create_new_namespaces+0x3fb/0xb30
[ 63.200330][ T139] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 63.205961][ T139] ksys_unshare+0x43d/0x8e0
[ 63.210478][ T139] __x64_sys_unshare+0x2d/0x40
[ 63.215239][ T139] do_syscall_64+0x60/0xe0
[ 63.220261][ T139] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.226147][ T139]
[ 63.228559][ T139] Freed by task 139:
[ 63.232458][ T139] save_stack+0x1b/0x40
[ 63.236629][ T139] __kasan_slab_free+0xf7/0x140
[ 63.241488][ T139] kfree+0x109/0x2b0
[ 63.245390][ T139] afs_put_call+0x585/0xa40
[ 63.249920][ T139] rxrpc_discard_prealloc+0x764/0xab0
[ 63.255347][ T139] rxrpc_listen+0x147/0x360
[ 63.259859][ T139] afs_close_socket+0x95/0x320
[ 63.264645][ T139] afs_net_exit+0x1bc/0x310
[ 63.269140][ T139] ops_exit_list.isra.0+0xa8/0x150
[ 63.274255][ T139] cleanup_net+0x511/0xa50
[ 63.278684][ T139] process_one_work+0x965/0x1690
[ 63.283622][ T139] worker_thread+0x96/0xe10
[ 63.288120][ T139] kthread+0x3b5/0x4a0
[ 63.292189][ T139] ret_from_fork+0x1f/0x30
[ 63.296593][ T139]
[ 63.298918][ T139] The buggy address belongs to the object at ffff888091a93800
[ 63.298918][ T139]  which belongs to the cache kmalloc-1k of size 1024
[ 63.312965][ T139] The buggy address is located 484 bytes inside of
[ 63.312965][ T139]  1024-byte region [ffff888091a93800, ffff888091a93c00)
[ 63.326309][ T139] The buggy address belongs to the page:
[ 63.331940][ T139] page:ffffea000246a4c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 63.341038][ T139] flags: 0xfffe0000000200(slab)
[ 63.345893][ T139] raw: 00fffe0000000200 ffffea0002a42808 ffffea0002474fc8 ffff8880aa000c40
[ 63.354743][ T139] raw: 0000000000000000 ffff888091a93000 0000000100000002 0000000000000000
[ 63.363315][ T139] page dumped because: kasan: bad access detected
[ 63.369808][ T139]
[ 63.372125][ T139] Memory state around the buggy address:
[ 63.377795][ T139]  ffff888091a93880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.385864][ T139]  ffff888091a93900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.394009][ T139] >ffff888091a93980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.402066][ T139]                                                        ^
[ 63.409276][ T139]  ffff888091a93a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.417606][ T139]  ffff888091a93a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.425656][ T139] ==================================================================
[ 63.433704][ T139] Disabling lock debugging due to kernel taint
[ 63.439931][ T139] Kernel panic - not syncing: panic_on_warn set ...
[ 63.446530][ T139] CPU: 1 PID: 139 Comm: kworker/u4:3 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 63.456238][ T139] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.466558][ T139] Workqueue: netns cleanup_net
[ 63.471316][ T139] Call Trace:
[ 63.474601][ T139] dump_stack+0x18f/0x20d
[ 63.479030][ T139] ? afs_wake_up_async_call+0x680/0x770
[ 63.484604][ T139] ? afs_put_call+0xa40/0xa40
[ 63.489281][ T139] panic+0x2e3/0x75c
[ 63.493179][ T139] ? __warn_printk+0xf3/0xf3
[ 63.497772][ T139] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 63.503927][ T139] ? trace_hardirqs_on+0x55/0x220
[ 63.508955][ T139] ? afs_wake_up_async_call+0x6aa/0x770
[ 63.514504][ T139] ? afs_wake_up_async_call+0x6aa/0x770
[ 63.520144][ T139] ? afs_put_call+0xa40/0xa40
[ 63.524880][ T139] end_report+0x4d/0x53
[ 63.529029][ T139] kasan_report.cold+0xd/0x37
[ 63.533716][ T139] ? rcu_read_lock_held_common+0x51/0xa0
[ 63.539480][ T139] ? afs_wake_up_async_call+0x6aa/0x770
[ 63.545028][ T139] afs_wake_up_async_call+0x6aa/0x770
[ 63.550403][ T139] ? afs_close_socket+0x320/0x320
[ 63.555544][ T139] ? afs_put_call+0xa40/0xa40
[ 63.560224][ T139] rxrpc_notify_socket+0x1db/0x5d0
[ 63.565526][ T139] ? afs_put_call+0xa40/0xa40
[ 63.570212][ T139] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 63.576684][ T139] rxrpc_call_completed+0xca/0xf0
[ 63.582140][ T139] rxrpc_discard_prealloc+0x781/0xab0
[ 63.587524][ T139] ? lock_sock_nested+0x94/0x110
[ 63.592459][ T139] rxrpc_listen+0x147/0x360
[ 63.596954][ T139] afs_close_socket+0x95/0x320
[ 63.601738][ T139] ? afs_purge_servers+0x16d/0x300
[ 63.606843][ T139] ? afs_rx_discard_new_call+0x50/0x50
[ 63.612290][ T139] ? init_wait_var_entry+0x200/0x200
[ 63.617583][ T139] ? rcu_read_lock_held_common+0xa0/0xa0
[ 63.623505][ T139] ? check_preemption_disabled+0x38/0x220
[ 63.629214][ T139] afs_net_exit+0x1bc/0x310
[ 63.633706][ T139] ? afs_net_init+0xe30/0xe30
[ 63.638378][ T139] ops_exit_list.isra.0+0xa8/0x150
[ 63.643485][ T139] cleanup_net+0x511/0xa50
[ 63.647894][ T139] ? unregister_pernet_device+0x70/0x70
[ 63.653440][ T139] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 63.659412][ T139] process_one_work+0x965/0x1690
[ 63.664429][ T139] ? lock_release+0x800/0x800
[ 63.669100][ T139] ? pwq_dec_nr_in_flight+0x310/0x310
[ 63.674459][ T139] ? rwlock_bug.part.0+0x90/0x90
[ 63.679383][ T139] worker_thread+0x96/0xe10
[ 63.683878][ T139] ? process_one_work+0x1690/0x1690
[ 63.689081][ T139] kthread+0x3b5/0x4a0
[ 63.693137][ T139] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 63.698840][ T139] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 63.704568][ T139] ret_from_fork+0x1f/0x30
[ 63.710456][ T139] Kernel Offset: disabled
[ 63.715036][ T139] Rebooting in 86400 seconds..