[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.63' (ECDSA) to the list of known hosts.
2020/06/19 03:36:17 fuzzer started
2020/06/19 03:36:18 connecting to host at 10.128.0.26:37331
2020/06/19 03:36:18 checking machine...
2020/06/19 03:36:18 checking revisions...
2020/06/19 03:36:18 testing simple program...
syzkaller login: [ 55.203002][ T6986] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 03:36:18 building call list...
[ 55.545564][ T577] tipc: TX() has been purged, node left!
[ 56.077679][ T577] ==================================================================
[ 56.085898][ T577] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 56.093783][ T577] Write of size 1 at addr ffff8880a96701e4 by task kworker/u4:4/577
[ 56.101837][ T577]
[ 56.104204][ T577] CPU: 1 PID: 577 Comm: kworker/u4:4 Not tainted 5.8.0-rc1-next-20200618-syzkaller #0
[ 56.114242][ T577] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.124301][ T577] Workqueue: netns cleanup_net
[ 56.129143][ T577] Call Trace:
[ 56.132433][ T577] dump_stack+0x18f/0x20d
[ 56.136762][ T577] ? afs_wake_up_async_call+0x6aa/0x770
[ 56.142311][ T577] ? afs_wake_up_async_call+0x6aa/0x770
[ 56.147850][ T577] ? afs_put_call+0xa40/0xa40
[ 56.152529][ T577] print_address_description.constprop.0.cold+0xd3/0x413
[ 56.159574][ T577] ? vprintk_func+0x97/0x1a6
[ 56.164168][ T577] ? afs_wake_up_async_call+0x6aa/0x770
[ 56.169711][ T577] kasan_report.cold+0x1f/0x37
[ 56.174565][ T577] ? rcu_read_lock_held_common+0x71/0xa0
[ 56.180278][ T577] ? afs_wake_up_async_call+0x6aa/0x770
[ 56.186258][ T577] afs_wake_up_async_call+0x6aa/0x770
[ 56.191623][ T577] ? afs_close_socket+0x320/0x320
[ 56.196645][ T577] ? afs_put_call+0xa40/0xa40
[ 56.201317][ T577] rxrpc_notify_socket+0x1db/0x5d0
[ 56.206451][ T577] ? afs_put_call+0xa40/0xa40
[ 56.211317][ T577] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 56.217744][ T577] rxrpc_call_completed+0xca/0xf0
[ 56.222951][ T577] rxrpc_discard_prealloc+0x781/0xab0
[ 56.228325][ T577] ? lock_sock_nested+0x94/0x110
[ 56.233443][ T577] rxrpc_listen+0x147/0x360
[ 56.237952][ T577] afs_close_socket+0x95/0x320
[ 56.242717][ T577] ? afs_purge_servers+0x16d/0x300
[ 56.248776][ T577] ? afs_rx_discard_new_call+0x50/0x50
[ 56.255104][ T577] ? init_wait_var_entry+0x200/0x200
[ 56.260929][ T577] ? rcu_read_lock_held_common+0xa0/0xa0
[ 56.266560][ T577] ? check_preemption_disabled+0x38/0x220
[ 56.272305][ T577] afs_net_exit+0x1bc/0x310
[ 56.276844][ T577] ? afs_net_init+0xe30/0xe30
[ 56.281517][ T577] ops_exit_list.isra.0+0xa8/0x150
[ 56.287589][ T577] cleanup_net+0x511/0xa50
[ 56.292112][ T577] ? unregister_pernet_device+0x70/0x70
[ 56.297766][ T577] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 56.303770][ T577] process_one_work+0x965/0x1690
[ 56.309017][ T577] ? lock_release+0x800/0x800
[ 56.313715][ T577] ? pwq_dec_nr_in_flight+0x310/0x310
[ 56.319136][ T577] ? rwlock_bug.part.0+0x90/0x90
[ 56.324537][ T577] worker_thread+0x96/0xe10
[ 56.329076][ T577] ? process_one_work+0x1690/0x1690
[ 56.334322][ T577] kthread+0x3b5/0x4a0
[ 56.338405][ T577] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 56.344471][ T577] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 56.350197][ T577] ret_from_fork+0x1f/0x30
[ 56.354622][ T577]
[ 56.356952][ T577] Allocated by task 6986:
[ 56.361319][ T577] save_stack+0x1b/0x40
[ 56.365904][ T577] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 56.371618][ T577] kmem_cache_alloc_trace+0x153/0x7d0
[ 56.376987][ T577] afs_alloc_call+0x55/0x630
[ 56.381748][ T577] afs_charge_preallocation+0xe9/0x2d0
[ 56.387200][ T577] afs_open_socket+0x292/0x360
[ 56.391977][ T577] afs_net_init+0xa6c/0xe30
[ 56.396758][ T577] ops_init+0xaf/0x420
[ 56.400824][ T577] setup_net+0x2de/0x860
[ 56.405060][ T577] copy_net_ns+0x293/0x590
[ 56.409475][ T577] create_new_namespaces+0x3fb/0xb30
[ 56.414758][ T577] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 56.420473][ T577] ksys_unshare+0x445/0x8e0
[ 56.424980][ T577] __x64_sys_unshare+0x2d/0x40
[ 56.429745][ T577] do_syscall_64+0x60/0xe0
[ 56.434158][ T577] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 56.440035][ T577]
[ 56.442355][ T577] Freed by task 577:
[ 56.446251][ T577] save_stack+0x1b/0x40
[ 56.450401][ T577] __kasan_slab_free+0xf7/0x140
[ 56.455273][ T577] kfree+0x109/0x2b0
[ 56.459183][ T577] afs_put_call+0x585/0xa40
[ 56.463679][ T577] rxrpc_discard_prealloc+0x764/0xab0
[ 56.469043][ T577] rxrpc_listen+0x147/0x360
[ 56.473545][ T577] afs_close_socket+0x95/0x320
[ 56.478344][ T577] afs_net_exit+0x1bc/0x310
[ 56.482843][ T577] ops_exit_list.isra.0+0xa8/0x150
[ 56.487958][ T577] cleanup_net+0x511/0xa50
[ 56.492415][ T577] process_one_work+0x965/0x1690
[ 56.497436][ T577] worker_thread+0x96/0xe10
[ 56.502025][ T577] kthread+0x3b5/0x4a0
[ 56.506096][ T577] ret_from_fork+0x1f/0x30
[ 56.510508][ T577]
[ 56.512859][ T577] The buggy address belongs to the object at ffff8880a9670000
[ 56.512859][ T577] which belongs to the cache kmalloc-1k of size 1024
[ 56.526994][ T577] The buggy address is located 484 bytes inside of
[ 56.526994][ T577] 1024-byte region [ffff8880a9670000, ffff8880a9670400)
[ 56.540629][ T577] The buggy address belongs to the page:
[ 56.546258][ T577] page:ffffea0002a59c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880a9670800
[ 56.556682][ T577] flags: 0xfffe0000000200(slab)
[ 56.561540][ T577] raw: 00fffe0000000200 ffffea000280f288 ffffea000280bd08 ffff8880aa000c40
[ 56.570141][ T577] raw: ffff8880a9670800 ffff8880a9670000 0000000100000001 0000000000000000
[ 56.578742][ T577] page dumped because: kasan: bad access detected
[ 56.585740][ T577]
[ 56.588151][ T577] Memory state around the buggy address:
[ 56.593779][ T577] ffff8880a9670080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.601924][ T577] ffff8880a9670100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.609981][ T577] >ffff8880a9670180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.618034][ T577] ^
[ 56.625430][ T577] ffff8880a9670200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.633484][ T577] ffff8880a9670280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.641535][ T577] ==================================================================
[ 56.649583][ T577] Disabling lock debugging due to kernel taint
[ 56.655862][ T577] Kernel panic - not syncing: panic_on_warn set ...
[ 56.662441][ T577] CPU: 1 PID: 577 Comm: kworker/u4:4 Tainted: G B 5.8.0-rc1-next-20200618-syzkaller #0
[ 56.673353][ T577] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.683413][ T577] Workqueue: netns cleanup_net
[ 56.688162][ T577] Call Trace:
[ 56.691448][ T577] dump_stack+0x18f/0x20d
[ 56.695774][ T577] ? afs_wake_up_async_call+0x660/0x770
[ 56.701310][ T577] ? afs_put_call+0xa40/0xa40
[ 56.705975][ T577] panic+0x2e3/0x75c
[ 56.709880][ T577] ? __warn_printk+0xf3/0xf3
[ 56.714464][ T577] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 56.721046][ T577] ? trace_hardirqs_on+0x55/0x220
[ 56.726096][ T577] ? afs_wake_up_async_call+0x6aa/0x770
[ 56.731631][ T577] ? afs_wake_up_async_call+0x6aa/0x770
[ 56.737185][ T577] ? afs_put_call+0xa40/0xa40
[ 56.741855][ T577] end_report+0x4d/0x53
[ 56.746002][ T577] kasan_report.cold+0xd/0x37
[ 56.750717][ T577] ? rcu_read_lock_held_common+0x71/0xa0
[ 56.756472][ T577] ? afs_wake_up_async_call+0x6aa/0x770
[ 56.762122][ T577] afs_wake_up_async_call+0x6aa/0x770
[ 56.767491][ T577] ? afs_close_socket+0x320/0x320
[ 56.772519][ T577] ? afs_put_call+0xa40/0xa40
[ 56.777191][ T577] rxrpc_notify_socket+0x1db/0x5d0
[ 56.782325][ T577] ? afs_put_call+0xa40/0xa40
[ 56.787428][ T577] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 56.793855][ T577] rxrpc_call_completed+0xca/0xf0
[ 56.798873][ T577] rxrpc_discard_prealloc+0x781/0xab0
[ 56.804265][ T577] ? lock_sock_nested+0x94/0x110
[ 56.809198][ T577] rxrpc_listen+0x147/0x360
[ 56.813694][ T577] afs_close_socket+0x95/0x320
[ 56.818447][ T577] ? afs_purge_servers+0x16d/0x300
[ 56.823561][ T577] ? afs_rx_discard_new_call+0x50/0x50
[ 56.829019][ T577] ? init_wait_var_entry+0x200/0x200
[ 56.834476][ T577] ? rcu_read_lock_held_common+0xa0/0xa0
[ 56.840190][ T577] ? check_preemption_disabled+0x38/0x220
[ 56.846695][ T577] afs_net_exit+0x1bc/0x310
[ 56.851191][ T577] ? afs_net_init+0xe30/0xe30
[ 56.855885][ T577] ops_exit_list.isra.0+0xa8/0x150
[ 56.860995][ T577] cleanup_net+0x511/0xa50
[ 56.865407][ T577] ? unregister_pernet_device+0x70/0x70
[ 56.870950][ T577] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 56.877027][ T577] process_one_work+0x965/0x1690
[ 56.881962][ T577] ? lock_release+0x800/0x800
[ 56.886743][ T577] ? pwq_dec_nr_in_flight+0x310/0x310
[ 56.892111][ T577] ? rwlock_bug.part.0+0x90/0x90
[ 56.897050][ T577] worker_thread+0x96/0xe10
[ 56.901586][ T577] ? process_one_work+0x1690/0x1690
[ 56.906782][ T577] kthread+0x3b5/0x4a0
[ 56.911041][ T577] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 56.916848][ T577] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 56.922566][ T577] ret_from_fork+0x1f/0x30
[ 56.928431][ T577] Kernel Offset: disabled
[ 56.932746][ T577] Rebooting in 86400 seconds..