[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Started getty on tty2-tty6 if dbus and logind are not available.
[  OK  ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts.
2020/06/19 02:39:07 fuzzer started
2020/06/19 02:39:07 connecting to host at 10.128.0.26:44773
2020/06/19 02:39:07 checking machine...
2020/06/19 02:39:07 checking revisions...
2020/06/19 02:39:07 testing simple program...
syzkaller login: [   62.515996][ T6829] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 02:39:08 building call list...
[   62.869395][ T1088] tipc: TX() has been purged, node left!
[   63.400761][ T1088] ==================================================================
[   63.409688][ T1088] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   63.417604][ T1088] Write of size 1 at addr ffff88809f3151e4 by task kworker/u4:5/1088
[   63.425850][ T1088]
[   63.428286][ T1088] CPU: 1 PID: 1088 Comm: kworker/u4:5 Not tainted 5.8.0-rc1-syzkaller #0
[   63.437052][ T1088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.447311][ T1088] Workqueue: netns cleanup_net
[   63.452081][ T1088] Call Trace:
[   63.455641][ T1088]  dump_stack+0x18f/0x20d
[   63.460163][ T1088]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.465724][ T1088]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.471597][ T1088]  ? afs_put_call+0xa40/0xa40
[   63.476650][ T1088]  print_address_description.constprop.0.cold+0xd3/0x413
[   63.484840][ T1088]  ? vprintk_func+0x97/0x1a6
[   63.489659][ T1088]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.495225][ T1088]  kasan_report.cold+0x1f/0x37
[   63.500185][ T1088]  ? rcu_read_lock_held_common+0x51/0xa0
[   63.505841][ T1088]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.511631][ T1088]  afs_wake_up_async_call+0x6aa/0x770
[   63.517191][ T1088]  ? afs_close_socket+0x320/0x320
[   63.522317][ T1088]  ? afs_put_call+0xa40/0xa40
[   63.527154][ T1088]  rxrpc_notify_socket+0x1db/0x5d0
[   63.532568][ T1088]  ? afs_put_call+0xa40/0xa40
[   63.537523][ T1088]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   63.545612][ T1088]  rxrpc_call_completed+0xca/0xf0
[   63.550862][ T1088]  rxrpc_discard_prealloc+0x781/0xab0
[   63.556349][ T1088]  ? lock_sock_nested+0x94/0x110
[   63.561310][ T1088]  rxrpc_listen+0x147/0x360
[   63.565835][ T1088]  afs_close_socket+0x95/0x320
[   63.570696][ T1088]  ? afs_purge_servers+0x16d/0x300
[   63.576082][ T1088]  ? afs_rx_discard_new_call+0x50/0x50
[   63.582427][ T1088]  ? init_wait_var_entry+0x200/0x200
[   63.587813][ T1088]  ? rcu_read_lock_held_common+0xa0/0xa0
[   63.593606][ T1088]  ? check_preemption_disabled+0x38/0x220
[   63.599850][ T1088]  afs_net_exit+0x1bc/0x310
[   63.606370][ T1088]  ? afs_net_init+0xe30/0xe30
[   63.611063][ T1088]  ops_exit_list.isra.0+0xa8/0x150
[   63.616369][ T1088]  cleanup_net+0x511/0xa50
[   63.621069][ T1088]  ? unregister_pernet_device+0x70/0x70
[   63.626749][ T1088]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   63.633356][ T1088]  process_one_work+0x965/0x1690
[   63.638320][ T1088]  ? lock_release+0x800/0x800
[   63.643274][ T1088]  ? pwq_dec_nr_in_flight+0x310/0x310
[   63.648871][ T1088]  ? rwlock_bug.part.0+0x90/0x90
[   63.654038][ T1088]  worker_thread+0x96/0xe10
[   63.658712][ T1088]  ? process_one_work+0x1690/0x1690
[   63.664771][ T1088]  kthread+0x3b5/0x4a0
[   63.669849][ T1088]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   63.675761][ T1088]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   63.681754][ T1088]  ret_from_fork+0x1f/0x30
[   63.686284][ T1088]
[   63.688716][ T1088] Allocated by task 6829:
[   63.693369][ T1088]  save_stack+0x1b/0x40
[   63.697759][ T1088]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   63.703752][ T1088]  kmem_cache_alloc_trace+0x153/0x7d0
[   63.709230][ T1088]  afs_alloc_call+0x55/0x630
[   63.713991][ T1088]  afs_charge_preallocation+0xe9/0x2d0
[   63.719702][ T1088]  afs_open_socket+0x292/0x360
[   63.724574][ T1088]  afs_net_init+0xa6c/0xe30
[   63.729356][ T1088]  ops_init+0xaf/0x420
[   63.733550][ T1088]  setup_net+0x2de/0x860
[   63.737976][ T1088]  copy_net_ns+0x293/0x590
[   63.742666][ T1088]  create_new_namespaces+0x3fb/0xb30
[   63.748461][ T1088]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   63.754479][ T1088]  ksys_unshare+0x43d/0x8e0
[   63.759298][ T1088]  __x64_sys_unshare+0x2d/0x40
[   63.764071][ T1088]  do_syscall_64+0x60/0xe0
[   63.769097][ T1088]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.775381][ T1088]
[   63.777803][ T1088] Freed by task 1088:
[   63.783371][ T1088]  save_stack+0x1b/0x40
[   63.787869][ T1088]  __kasan_slab_free+0xf7/0x140
[   63.792907][ T1088]  kfree+0x109/0x2b0
[   63.797867][ T1088]  afs_put_call+0x585/0xa40
[   63.802642][ T1088]  rxrpc_discard_prealloc+0x764/0xab0
[   63.808137][ T1088]  rxrpc_listen+0x147/0x360
[   63.812763][ T1088]  afs_close_socket+0x95/0x320
[   63.818685][ T1088]  afs_net_exit+0x1bc/0x310
[   63.823665][ T1088]  ops_exit_list.isra.0+0xa8/0x150
[   63.828803][ T1088]  cleanup_net+0x511/0xa50
[   63.833235][ T1088]  process_one_work+0x965/0x1690
[   63.838452][ T1088]  worker_thread+0x96/0xe10
[   63.843451][ T1088]  kthread+0x3b5/0x4a0
[   63.847792][ T1088]  ret_from_fork+0x1f/0x30
[   63.852578][ T1088]
[   63.855058][ T1088] The buggy address belongs to the object at ffff88809f315000
[   63.855058][ T1088]  which belongs to the cache kmalloc-1k of size 1024
[   63.870418][ T1088] The buggy address is located 484 bytes inside of
[   63.870418][ T1088]  1024-byte region [ffff88809f315000, ffff88809f315400)
[   63.884005][ T1088] The buggy address belongs to the page:
[   63.889827][ T1088] page:ffffea00027cc540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   63.899309][ T1088] flags: 0xfffe0000000200(slab)
[   63.904274][ T1088] raw: 00fffe0000000200 ffffea00028c3dc8 ffffea00028c62c8 ffff8880aa000c40
[   63.913522][ T1088] raw: 0000000000000000 ffff88809f315000 0000000100000002 0000000000000000
[   63.922210][ T1088] page dumped because: kasan: bad access detected
[   63.928713][ T1088]
[   63.931058][ T1088] Memory state around the buggy address:
[   63.936854][ T1088]  ffff88809f315080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.945849][ T1088]  ffff88809f315100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.954046][ T1088] >ffff88809f315180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.962128][ T1088]                                                        ^
[   63.969630][ T1088]  ffff88809f315200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.977962][ T1088]  ffff88809f315280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.988256][ T1088] ==================================================================
[   63.996688][ T1088] Disabling lock debugging due to kernel taint
[   64.003567][ T1088] Kernel panic - not syncing: panic_on_warn set ...
[   64.010695][ T1088] CPU: 1 PID: 1088 Comm: kworker/u4:5 Tainted: G    B             5.8.0-rc1-syzkaller #0
[   64.021255][ T1088] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.033570][ T1088] Workqueue: netns cleanup_net
[   64.038757][ T1088] Call Trace:
[   64.042083][ T1088]  dump_stack+0x18f/0x20d
[   64.047140][ T1088]  ? afs_wake_up_async_call+0x670/0x770
[   64.054022][ T1088]  ? afs_put_call+0xa40/0xa40
[   64.059146][ T1088]  panic+0x2e3/0x75c
[   64.063214][ T1088]  ? __warn_printk+0xf3/0xf3
[   64.068617][ T1088]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   64.075282][ T1088]  ? trace_hardirqs_on+0x55/0x220
[   64.080580][ T1088]  ? afs_wake_up_async_call+0x6aa/0x770
[   64.086477][ T1088]  ? afs_wake_up_async_call+0x6aa/0x770
[   64.092659][ T1088]  ? afs_put_call+0xa40/0xa40
[   64.098616][ T1088]  end_report+0x4d/0x53
[   64.102888][ T1088]  kasan_report.cold+0xd/0x37
[   64.108105][ T1088]  ? rcu_read_lock_held_common+0x51/0xa0
[   64.114570][ T1088]  ? afs_wake_up_async_call+0x6aa/0x770
[   64.121269][ T1088]  afs_wake_up_async_call+0x6aa/0x770
[   64.128515][ T1088]  ? afs_close_socket+0x320/0x320
[   64.134298][ T1088]  ? afs_put_call+0xa40/0xa40
[   64.139344][ T1088]  rxrpc_notify_socket+0x1db/0x5d0
[   64.145875][ T1088]  ? afs_put_call+0xa40/0xa40
[   64.150787][ T1088]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   64.158583][ T1088]  rxrpc_call_completed+0xca/0xf0
[   64.163632][ T1088]  rxrpc_discard_prealloc+0x781/0xab0
[   64.170132][ T1088]  ? lock_sock_nested+0x94/0x110
[   64.176027][ T1088]  rxrpc_listen+0x147/0x360
[   64.180878][ T1088]  afs_close_socket+0x95/0x320
[   64.186938][ T1088]  ? afs_purge_servers+0x16d/0x300
[   64.193749][ T1088]  ? afs_rx_discard_new_call+0x50/0x50
[   64.201058][ T1088]  ? init_wait_var_entry+0x200/0x200
[   64.206632][ T1088]  ? rcu_read_lock_held_common+0xa0/0xa0
[   64.212750][ T1088]  ? check_preemption_disabled+0x38/0x220
[   64.219182][ T1088]  afs_net_exit+0x1bc/0x310
[   64.223719][ T1088]  ? afs_net_init+0xe30/0xe30
[   64.228732][ T1088]  ops_exit_list.isra.0+0xa8/0x150
[   64.234400][ T1088]  cleanup_net+0x511/0xa50
[   64.239480][ T1088]  ? unregister_pernet_device+0x70/0x70
[   64.245157][ T1088]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   64.251331][ T1088]  process_one_work+0x965/0x1690
[   64.256732][ T1088]  ? lock_release+0x800/0x800
[   64.263266][ T1088]  ? pwq_dec_nr_in_flight+0x310/0x310
[   64.269383][ T1088]  ? rwlock_bug.part.0+0x90/0x90
[   64.274336][ T1088]  worker_thread+0x96/0xe10
[   64.279089][ T1088]  ? process_one_work+0x1690/0x1690
[   64.284505][ T1088]  kthread+0x3b5/0x4a0
[   64.288760][ T1088]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   64.294712][ T1088]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   64.301638][ T1088]  ret_from_fork+0x1f/0x30
[   64.308228][ T1088] Kernel Offset: disabled
[   64.313181][ T1088] Rebooting in 86400 seconds..
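The report above carries enough numbers to be cross-checked mechanically before anyone reads fs/afs or net/rxrpc: the faulting address ffff88809f3151e4 minus the object base ffff88809f315000 is 0x1e4 = 484, matching "484 bytes inside of" the 1024-byte kmalloc-1k object; the shadow byte covering that address is fb, which generic KASAN uses for a freed slab object, so the "use-after-free" classification is consistent; and the "Freed by task 1088" stack (afs_put_call under rxrpc_discard_prealloc) belongs to the same kworker that later writes to the object from afs_wake_up_async_call, also under rxrpc_discard_prealloc. The script below is an added triage example, not part of the syzbot report and not syzkaller or kernel code. REPORT is a trimmed excerpt of the console log on this page (intermediate frames dropped); the parser, the field names and the PLUMBING frame filter are hypothetical choices of this example. It needs Python 3.8 or newer for the assignment expressions.

```python
"""KASAN slab-report triage: added example, not part of the syzbot report,
syzkaller or the kernel.  REPORT is a trimmed excerpt of the log above;
the parser and the checks are hypothetical."""
import re

SHADOW_SCALE = 8  # generic KASAN: one shadow byte describes an 8-byte granule
# Shadow byte encodings from mm/kasan/kasan.h (values this example relies on)
SHADOW_LEGEND = {0x00: "addressable", 0xfb: "freed slab object",
                 0xfc: "slab redzone", 0xfe: "kmalloc_large redzone",
                 0xff: "freed page"}
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")  # "[   63.4][ T1088] "
# Allocator/KASAN frames to skip when naming the alloc and free sites (heuristic)
PLUMBING = ("save_stack", "__kasan", "kasan_", "kmem_cache", "kmalloc", "kfree")

REPORT = """\
[   63.409688][ T1088] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   63.417604][ T1088] Write of size 1 at addr ffff88809f3151e4 by task kworker/u4:5/1088
[   63.688716][ T1088] Allocated by task 6829:
[   63.693369][ T1088]  save_stack+0x1b/0x40
[   63.697759][ T1088]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   63.703752][ T1088]  kmem_cache_alloc_trace+0x153/0x7d0
[   63.709230][ T1088]  afs_alloc_call+0x55/0x630
[   63.724574][ T1088]  afs_net_init+0xa6c/0xe30
[   63.759298][ T1088]  __x64_sys_unshare+0x2d/0x40
[   63.775381][ T1088]
[   63.777803][ T1088] Freed by task 1088:
[   63.783371][ T1088]  save_stack+0x1b/0x40
[   63.787869][ T1088]  __kasan_slab_free+0xf7/0x140
[   63.792907][ T1088]  kfree+0x109/0x2b0
[   63.797867][ T1088]  afs_put_call+0x585/0xa40
[   63.802642][ T1088]  rxrpc_discard_prealloc+0x764/0xab0
[   63.852578][ T1088]
[   63.855058][ T1088] The buggy address belongs to the object at ffff88809f315000
[   63.855058][ T1088]  which belongs to the cache kmalloc-1k of size 1024
[   63.945849][ T1088]  ffff88809f315100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.954046][ T1088] >ffff88809f315180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.969630][ T1088]  ffff88809f315200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def parse_kasan(text):
    """Pull the bug line, access, object, alloc/free stacks and shadow rows."""
    r = {"alloc_stack": [], "free_stack": [], "shadow": {}}
    section = None
    for raw in text.splitlines():
        l = PREFIX.sub("", raw.rstrip())          # drop "[ time][ Tpid] "
        if m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+)", l):
            r["bug"], r["func"] = m.group(1), m.group(2).split("+")[0]
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", l):
            r["access"], r["size"] = m.group(1), int(m.group(2))
            r["addr"], r["task"] = int(m.group(3), 16), m.group(4)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", l):
            r["obj"] = int(m.group(1), 16)
        elif m := re.match(r" which belongs to the cache (\S+) of size (\d+)", l):
            r["cache"], r["obj_size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"(Allocated|Freed) by task (\d+):", l):
            section = "alloc_stack" if m.group(1) == "Allocated" else "free_stack"
            r[section.replace("stack", "task")] = int(m.group(2))
        elif m := re.match(r"[ >]([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$", l):
            base = int(m.group(1), 16)            # row covers 16 granules = 128 bytes
            for i, b in enumerate(m.group(2).split()):
                r["shadow"][base + i * SHADOW_SCALE] = int(b, 16)
        elif section and l.startswith(" "):       # frame inside a stack section
            r[section].append(l.strip().split("+")[0])   # keep symbol, drop +off/len
        else:
            section = None                        # blank line or heading ends a stack
    return r


def triage(r):
    """Cross-check the report's own arithmetic and classify the faulting access."""
    f = {"offset": r["addr"] - r["obj"]}         # report says 484
    f["inside_object"] = 0 <= f["offset"] < r["obj_size"]
    granule = r["addr"] & ~(SHADOW_SCALE - 1)     # start of the 8-byte granule
    f["shadow_byte"] = r["shadow"].get(granule)
    f["shadow_meaning"] = SHADOW_LEGEND.get(f["shadow_byte"], "partial/unknown")
    f["consistent_uaf"] = (r["bug"] == "use-after-free"
                           and f["shadow_byte"] == 0xfb and f["inside_object"])
    first = lambda frames: next(x for x in frames if not x.startswith(PLUMBING))
    f["alloc_site"], f["free_site"] = first(r["alloc_stack"]), first(r["free_stack"])
    f["syscall"] = next((x for x in r["alloc_stack"] if x.startswith("__x64_sys_")), None)
    f["freed_by_faulting_task"] = r["free_task"] == int(r["task"].rsplit("/", 1)[1])
    return f


if __name__ == "__main__":
    for key, val in triage(parse_kasan(REPORT)).items():
        print(f"{key:24} {val}")
```

Run stand-alone it prints the offset (484), the shadow byte (0xfb, freed slab object), the allocation site afs_alloc_call reached from __x64_sys_unshare, the free site afs_put_call, and that the free and the faulting write came from the same task; a report where the shadow byte were 00 or the offset fell outside the object would fail the consistency flag and deserve a second look before being filed as a plain use-after-free.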