[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.53' (ECDSA) to the list of known hosts.
2020/06/19 17:44:32 fuzzer started
2020/06/19 17:44:32 connecting to host at 10.128.0.26:41943
2020/06/19 17:44:32 checking machine...
2020/06/19 17:44:32 checking revisions...
2020/06/19 17:44:32 testing simple program...
syzkaller login: [ 56.777743][ T6815] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 17:44:32 building call list...
[ 57.123515][ T145] tipc: TX() has been purged, node left!
[ 57.625741][ T145] ==================================================================
[ 57.634107][ T145] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 57.641995][ T145] Write of size 1 at addr ffff8880a60a59e4 by task kworker/u4:3/145
[ 57.650746][ T145]
[ 57.653144][ T145] CPU: 1 PID: 145 Comm: kworker/u4:3 Not tainted 5.8.0-rc1-next-20200618-syzkaller #0
[ 57.662682][ T145] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.672741][ T145] Workqueue: netns cleanup_net
[ 57.677508][ T145] Call Trace:
[ 57.680818][ T145]  dump_stack+0x18f/0x20d
[ 57.685154][ T145]  ? afs_wake_up_async_call+0x6aa/0x770
[ 57.690693][ T145]  ? afs_wake_up_async_call+0x6aa/0x770
[ 57.696233][ T145]  ? afs_put_call+0xa40/0xa40
[ 57.700928][ T145]  print_address_description.constprop.0.cold+0xd3/0x413
[ 57.707950][ T145]  ? vprintk_func+0x97/0x1a6
[ 57.712540][ T145]  ? afs_wake_up_async_call+0x6aa/0x770
[ 57.718078][ T145]  kasan_report.cold+0x1f/0x37
[ 57.723014][ T145]  ? rcu_read_lock_held_common+0x71/0xa0
[ 57.728751][ T145]  ? afs_wake_up_async_call+0x6aa/0x770
[ 57.734303][ T145]  afs_wake_up_async_call+0x6aa/0x770
[ 57.739785][ T145]  ? afs_close_socket+0x320/0x320
[ 57.744840][ T145]  ? afs_put_call+0xa40/0xa40
[ 57.749874][ T145]  rxrpc_notify_socket+0x1db/0x5d0
[ 57.754988][ T145]  ? afs_put_call+0xa40/0xa40
[ 57.759667][ T145]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 57.766079][ T145]  rxrpc_call_completed+0xca/0xf0
[ 57.771221][ T145]  rxrpc_discard_prealloc+0x781/0xab0
[ 57.776678][ T145]  ? lock_sock_nested+0x94/0x110
[ 57.781616][ T145]  rxrpc_listen+0x147/0x360
[ 57.786119][ T145]  afs_close_socket+0x95/0x320
[ 57.790875][ T145]  ? afs_purge_servers+0x16d/0x300
[ 57.796140][ T145]  ? afs_rx_discard_new_call+0x50/0x50
[ 57.802193][ T145]  ? init_wait_var_entry+0x200/0x200
[ 57.807475][ T145]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 57.813189][ T145]  ? check_preemption_disabled+0x38/0x220
[ 57.818910][ T145]  afs_net_exit+0x1bc/0x310
[ 57.823593][ T145]  ? afs_net_init+0xe30/0xe30
[ 57.828267][ T145]  ops_exit_list.isra.0+0xa8/0x150
[ 57.833381][ T145]  cleanup_net+0x511/0xa50
[ 57.837818][ T145]  ? unregister_pernet_device+0x70/0x70
[ 57.843361][ T145]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 57.849348][ T145]  process_one_work+0x965/0x1690
[ 57.854324][ T145]  ? lock_release+0x800/0x800
[ 57.859097][ T145]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 57.865386][ T145]  ? rwlock_bug.part.0+0x90/0x90
[ 57.870345][ T145]  worker_thread+0x96/0xe10
[ 57.874865][ T145]  ? process_one_work+0x1690/0x1690
[ 57.880092][ T145]  kthread+0x3b5/0x4a0
[ 57.884201][ T145]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 57.889919][ T145]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 57.895749][ T145]  ret_from_fork+0x1f/0x30
[ 57.900171][ T145]
[ 57.902496][ T145] Allocated by task 6815:
[ 57.906824][ T145]  save_stack+0x1b/0x40
[ 57.910972][ T145]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 57.916603][ T145]  kmem_cache_alloc_trace+0x153/0x7d0
[ 57.922066][ T145]  afs_alloc_call+0x55/0x630
[ 57.926798][ T145]  afs_charge_preallocation+0xe9/0x2d0
[ 57.932342][ T145]  afs_open_socket+0x292/0x360
[ 57.937103][ T145]  afs_net_init+0xa6c/0xe30
[ 57.941603][ T145]  ops_init+0xaf/0x420
[ 57.945669][ T145]  setup_net+0x2de/0x860
[ 57.949994][ T145]  copy_net_ns+0x293/0x590
[ 57.954408][ T145]  create_new_namespaces+0x3fb/0xb30
[ 57.959705][ T145]  unshare_nsproxy_namespaces+0xbd/0x1f0
[ 57.965333][ T145]  ksys_unshare+0x445/0x8e0
[ 57.969849][ T145]  __x64_sys_unshare+0x2d/0x40
[ 57.975302][ T145]  do_syscall_64+0x60/0xe0
[ 57.979800][ T145]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 57.985676][ T145]
[ 57.987995][ T145] Freed by task 145:
[ 57.991906][ T145]  save_stack+0x1b/0x40
[ 57.996070][ T145]  __kasan_slab_free+0xf7/0x140
[ 58.000999][ T145]  kfree+0x109/0x2b0
[ 58.004890][ T145]  afs_put_call+0x585/0xa40
[ 58.009660][ T145]  rxrpc_discard_prealloc+0x764/0xab0
[ 58.015021][ T145]  rxrpc_listen+0x147/0x360
[ 58.019521][ T145]  afs_close_socket+0x95/0x320
[ 58.024276][ T145]  afs_net_exit+0x1bc/0x310
[ 58.028796][ T145]  ops_exit_list.isra.0+0xa8/0x150
[ 58.033907][ T145]  cleanup_net+0x511/0xa50
[ 58.038315][ T145]  process_one_work+0x965/0x1690
[ 58.043360][ T145]  worker_thread+0x96/0xe10
[ 58.047854][ T145]  kthread+0x3b5/0x4a0
[ 58.051931][ T145]  ret_from_fork+0x1f/0x30
[ 58.056332][ T145]
[ 58.058655][ T145] The buggy address belongs to the object at ffff8880a60a5800
[ 58.058655][ T145]  which belongs to the cache kmalloc-1k of size 1024
[ 58.072711][ T145] The buggy address is located 484 bytes inside of
[ 58.072711][ T145]  1024-byte region [ffff8880a60a5800, ffff8880a60a5c00)
[ 58.086067][ T145] The buggy address belongs to the page:
[ 58.091709][ T145] page:ffffea0002982940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 58.100827][ T145] flags: 0xfffe0000000200(slab)
[ 58.105677][ T145] raw: 00fffe0000000200 ffffea00027c5408 ffffea000274b408 ffff8880aa000c40
[ 58.114258][ T145] raw: 0000000000000000 ffff8880a60a5000 0000000100000002 0000000000000000
[ 58.122840][ T145] page dumped because: kasan: bad access detected
[ 58.129245][ T145]
[ 58.131568][ T145] Memory state around the buggy address:
[ 58.137530][ T145]  ffff8880a60a5880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.145597][ T145]  ffff8880a60a5900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.153752][ T145] >ffff8880a60a5980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.161804][ T145]                                                        ^
[ 58.168990][ T145]  ffff8880a60a5a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.177217][ T145]  ffff8880a60a5a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.185273][ T145] ==================================================================
[ 58.193323][ T145] Disabling lock debugging due to kernel taint
[ 58.199529][ T145] Kernel panic - not syncing: panic_on_warn set ...
[ 58.206113][ T145] CPU: 1 PID: 145 Comm: kworker/u4:3 Tainted: G    B             5.8.0-rc1-next-20200618-syzkaller #0
[ 58.217034][ T145] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.227131][ T145] Workqueue: netns cleanup_net
[ 58.231890][ T145] Call Trace:
[ 58.235182][ T145]  dump_stack+0x18f/0x20d
[ 58.239537][ T145]  ? afs_wake_up_async_call+0x660/0x770
[ 58.245084][ T145]  ? afs_put_call+0xa40/0xa40
[ 58.249761][ T145]  panic+0x2e3/0x75c
[ 58.253678][ T145]  ? __warn_printk+0xf3/0xf3
[ 58.258260][ T145]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 58.264432][ T145]  ? trace_hardirqs_on+0x55/0x220
[ 58.269540][ T145]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.275072][ T145]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.280605][ T145]  ? afs_put_call+0xa40/0xa40
[ 58.285284][ T145]  end_report+0x4d/0x53
[ 58.289524][ T145]  kasan_report.cold+0xd/0x37
[ 58.294205][ T145]  ? rcu_read_lock_held_common+0x71/0xa0
[ 58.300012][ T145]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.305548][ T145]  afs_wake_up_async_call+0x6aa/0x770
[ 58.310918][ T145]  ? afs_close_socket+0x320/0x320
[ 58.315950][ T145]  ? afs_put_call+0xa40/0xa40
[ 58.320614][ T145]  rxrpc_notify_socket+0x1db/0x5d0
[ 58.325747][ T145]  ? afs_put_call+0xa40/0xa40
[ 58.330420][ T145]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 58.336841][ T145]  rxrpc_call_completed+0xca/0xf0
[ 58.341971][ T145]  rxrpc_discard_prealloc+0x781/0xab0
[ 58.347451][ T145]  ? lock_sock_nested+0x94/0x110
[ 58.352404][ T145]  rxrpc_listen+0x147/0x360
[ 58.356910][ T145]  afs_close_socket+0x95/0x320
[ 58.361673][ T145]  ? afs_purge_servers+0x16d/0x300
[ 58.366785][ T145]  ? afs_rx_discard_new_call+0x50/0x50
[ 58.372264][ T145]  ? init_wait_var_entry+0x200/0x200
[ 58.377565][ T145]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 58.383199][ T145]  ? check_preemption_disabled+0x38/0x220
[ 58.388920][ T145]  afs_net_exit+0x1bc/0x310
[ 58.393445][ T145]  ? afs_net_init+0xe30/0xe30
[ 58.398128][ T145]  ops_exit_list.isra.0+0xa8/0x150
[ 58.403334][ T145]  cleanup_net+0x511/0xa50
[ 58.407746][ T145]  ? unregister_pernet_device+0x70/0x70
[ 58.413296][ T145]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 58.419288][ T145]  process_one_work+0x965/0x1690
[ 58.424221][ T145]  ? lock_release+0x800/0x800
[ 58.428892][ T145]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 58.434261][ T145]  ? rwlock_bug.part.0+0x90/0x90
[ 58.439173][ T145]  worker_thread+0x96/0xe10
[ 58.444352][ T145]  ? process_one_work+0x1690/0x1690
[ 58.449541][ T145]  kthread+0x3b5/0x4a0
[ 58.453601][ T145]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.459294][ T145]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.465004][ T145]  ret_from_fork+0x1f/0x30
[ 58.470786][ T145] Kernel Offset: disabled
[ 58.475104][ T145] Rebooting in 86400 seconds..
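The report above has the standard KASAN layout: a header naming the bug class and the faulting function, the access line (kind, size, address, task), the current stack, the allocation and free stacks for the object, and then the slab cache, the offset inside the object and the shadow bytes around it. The script below is an added example for triaging such reports; it is not part of syzkaller or the kernel tree. It parses that layout into a record and cross-checks the pieces: that the "located N bytes inside of" offset agrees with the access address minus the region start, that the access lies inside the object, which subsystem frame allocated and freed the object once the allocator and KASAN plumbing is skipped, and whether the freeing task is the same task that later touched the memory. Its input is an excerpt of the report above with the long middle of each stack cut out; every value in it is one the kernel printed. The helper names (parse_kasan, first_subsystem_frame, triage) and the PLUMBING prefix list are this example's own choices.

```python
"""Parse a KASAN report from a kernel console log into a triage record.
Added example; not part of syzkaller or the kernel."""
import re
from dataclasses import dataclass, field

# Constructed input: an excerpt of the report above with the middle of each
# stack removed. The values are the ones the kernel printed, not new data.
SAMPLE = """\
[   57.625741][  T145] ==================================================================
[   57.634107][  T145] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   57.641995][  T145] Write of size 1 at addr ffff8880a60a59e4 by task kworker/u4:3/145
[   57.650746][  T145]
[   57.653144][  T145] CPU: 1 PID: 145 Comm: kworker/u4:3 Not tainted 5.8.0-rc1-next-20200618-syzkaller #0
[   57.672741][  T145] Workqueue: netns cleanup_net
[   57.677508][  T145] Call Trace:
[   57.680818][  T145]  dump_stack+0x18f/0x20d
[   57.734303][  T145]  afs_wake_up_async_call+0x6aa/0x770
[   57.749874][  T145]  rxrpc_notify_socket+0x1db/0x5d0
[   57.771221][  T145]  rxrpc_discard_prealloc+0x781/0xab0
[   57.900171][  T145]
[   57.902496][  T145] Allocated by task 6815:
[   57.906824][  T145]  save_stack+0x1b/0x40
[   57.910972][  T145]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   57.916603][  T145]  kmem_cache_alloc_trace+0x153/0x7d0
[   57.922066][  T145]  afs_alloc_call+0x55/0x630
[   57.926798][  T145]  afs_charge_preallocation+0xe9/0x2d0
[   57.985676][  T145]
[   57.987995][  T145] Freed by task 145:
[   57.991906][  T145]  save_stack+0x1b/0x40
[   57.996070][  T145]  __kasan_slab_free+0xf7/0x140
[   58.000999][  T145]  kfree+0x109/0x2b0
[   58.004890][  T145]  afs_put_call+0x585/0xa40
[   58.009660][  T145]  rxrpc_discard_prealloc+0x764/0xab0
[   58.056332][  T145]
[   58.058655][  T145] The buggy address belongs to the object at ffff8880a60a5800
[   58.058655][  T145]  which belongs to the cache kmalloc-1k of size 1024
[   58.072711][  T145] The buggy address is located 484 bytes inside of
[   58.072711][  T145]  1024-byte region [ffff8880a60a5800, ffff8880a60a5c00)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[TC]\d+\]\s?")   # "[   57.63][  T145] "
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                    r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
ALLOC = re.compile(r"Allocated by task (?P<pid>\d+):")
FREED = re.compile(r"Freed by task (?P<pid>\d+):")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET = re.compile(r"located (?P<off>\d+) bytes inside of")
REGION = re.compile(r"-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
FRAME = re.compile(r"^(?:\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Allocator/KASAN frames that top every alloc and free stack (assumed list);
# skipping them exposes the subsystem call that really allocated or freed.
PLUMBING = ("save_stack", "__kasan_", "kasan_", "kmem_cache_", "kmalloc",
            "__kmalloc", "kfree", "slab_free")


@dataclass
class KasanReport:
    kind: str = ""            # e.g. use-after-free, slab-out-of-bounds
    func: str = ""            # function that performed the bad access
    access: str = ""          # Read or Write
    size: int = 0
    addr: int = 0
    task: str = ""            # comm/pid of the accessing task
    alloc_pid: int = 0
    free_pid: int = 0
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    cache: str = ""
    object_size: int = 0
    offset: int = 0           # "located N bytes inside of"
    region_start: int = 0


def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    section = None            # list currently collecting stack frames, if any
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            section = None    # an empty console line closes the current stack
            continue
        if (m := HEADER.search(line)):
            r.kind, r.func = m["kind"], m["func"]
        elif (m := ACCESS.search(line)):
            r.access, r.size = m["rw"], int(m["size"])
            r.addr, r.task = int(m["addr"], 16), m["task"]
        elif (m := ALLOC.search(line)):
            r.alloc_pid, section = int(m["pid"]), r.alloc_stack
        elif (m := FREED.search(line)):
            r.free_pid, section = int(m["pid"]), r.free_stack
        elif (m := CACHE.search(line)):
            r.cache, r.object_size = m["cache"], int(m["size"])
        elif (m := OFFSET.search(line)):
            r.offset = int(m["off"])
        elif (m := REGION.search(line)):
            r.region_start = int(m["start"], 16)
        elif section is not None and (m := FRAME.match(line)):
            section.append(m["sym"])
    return r


def first_subsystem_frame(stack: list) -> str:
    """First frame that is not allocator/KASAN plumbing: the real alloc/free site."""
    return next((s for s in stack if not s.startswith(PLUMBING)), "")


def offset_consistent(r: KasanReport) -> bool:
    """The printed offset must equal access address minus region start."""
    return bool(r.region_start) and r.addr - r.region_start == r.offset


def access_in_object(r: KasanReport) -> bool:
    return 0 <= r.offset and r.offset + r.size <= r.object_size


def freed_and_used_by_same_task(r: KasanReport) -> bool:
    """True when the task that freed the object is the one that touched it afterwards."""
    return r.task.rsplit("/", 1)[-1] == str(r.free_pid)


def triage(r: KasanReport) -> str:
    race = "same task frees then uses" if freed_and_used_by_same_task(r) else "cross-task"
    return (f"{r.kind}: {r.access} of {r.size} byte(s) at +{r.offset} in {r.cache} "
            f"object, in {r.func}; alloc pid {r.alloc_pid} at "
            f"{first_subsystem_frame(r.alloc_stack)}, free pid {r.free_pid} at "
            f"{first_subsystem_frame(r.free_stack)}, use by {r.task} ({race})")


if __name__ == "__main__":
    print(triage(parse_kasan(SAMPLE)))
```

Run on this report, the record says what a human reads off the stacks: the object is an afs call allocated by afs_alloc_call during afs_charge_preallocation (netns setup, task 6815 in unshare), freed by afs_put_call under rxrpc_discard_prealloc during netns teardown, and then written one byte at offset 484 by afs_wake_up_async_call. The free and the use are both on worker 145 inside the same rxrpc_discard_prealloc call, so this is an ordering bug on one path (the preallocated call is dropped, then completed and the afs notification fires into the freed object), not a race between two threads; the offset check passes (0xffff8880a60a59e4 - 0xffff8880a60a5800 = 484), which is worth confirming on any report before trusting the rest of it.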