[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
2020/06/18 22:59:58 fuzzer started
2020/06/18 22:59:58 connecting to host at 10.128.0.26:43779
2020/06/18 22:59:58 checking machine...
2020/06/18 22:59:58 checking revisions...
2020/06/18 22:59:58 testing simple program...
syzkaller login: [ 44.073804][ T6800] IPVS: ftp: loaded support on port[0] = 21
2020/06/18 22:59:58 building call list...
[ 44.440489][ T7] tipc: TX() has been purged, node left!
[ 44.932113][ T7] ==================================================================
[ 44.940318][ T7] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0
[ 44.948197][ T7] Write of size 1 at addr ffff8880a19d99e4 by task kworker/u4:0/7
[ 44.955979][ T7]
[ 44.958304][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.8.0-rc1-syzkaller #0
[ 44.966446][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.976501][ T7] Workqueue: netns cleanup_net
[ 44.981338][ T7] Call Trace:
[ 44.984640][ T7] dump_stack+0x1f0/0x31e
[ 44.988968][ T7] print_address_description+0x66/0x5a0
[ 44.994502][ T7] ? vprintk_emit+0x342/0x3c0
[ 44.999182][ T7] ? printk+0x62/0x83
[ 45.003257][ T7] ? vprintk_emit+0x339/0x3c0
[ 45.007948][ T7] kasan_report+0x132/0x1d0
[ 45.012454][ T7] ? afs_wake_up_async_call+0x16f/0x1c0
[ 45.018959][ T7] ? afs_make_call+0x24f0/0x24f0
[ 45.023897][ T7] afs_wake_up_async_call+0x16f/0x1c0
[ 45.029264][ T7] ? afs_make_call+0x24f0/0x24f0
[ 45.034190][ T7] rxrpc_notify_socket+0x1e7/0x4a0
[ 45.039295][ T7] rxrpc_call_completed+0x131/0x210
[ 45.044540][ T7] ? afs_rx_new_call+0x240/0x240
[ 45.049493][ T7] rxrpc_discard_prealloc+0x60d/0x710
[ 45.054882][ T7] rxrpc_listen+0x246/0x370
[ 45.059382][ T7] afs_close_socket+0x57/0x280
[ 45.064137][ T7] ? afs_purge_servers+0x21f/0x280
[ 45.069413][ T7] ? init_wait_var_entry+0x150/0x150
[ 45.074694][ T7] afs_net_exit+0x4f/0x90
[ 45.079013][ T7] cleanup_net+0x708/0xba0
[ 45.083425][ T7] process_one_work+0x789/0xfc0
[ 45.088288][ T7] worker_thread+0xaa4/0x1460
[ 45.092990][ T7] kthread+0x37e/0x3a0
[ 45.097048][ T7] ? rcu_lock_release+0x20/0x20
[ 45.101891][ T7] ? kthread_blkcg+0xd0/0xd0
[ 45.106734][ T7] ret_from_fork+0x1f/0x30
[ 45.111235][ T7]
[ 45.113816][ T7] Allocated by task 6800:
[ 45.118139][ T7] __kasan_kmalloc+0x103/0x140
[ 45.122898][ T7] kmem_cache_alloc_trace+0x234/0x300
[ 45.128266][ T7] afs_alloc_call+0x89/0x2f0
[ 45.132851][ T7] afs_charge_preallocation+0xf0/0x2a0
[ 45.138308][ T7] afs_open_socket+0x3c7/0x510
[ 45.143071][ T7] afs_net_init+0x772/0x940
[ 45.147581][ T7] ops_init+0x320/0x410
[ 45.151734][ T7] setup_net+0x1cb/0x770
[ 45.155984][ T7] copy_net_ns+0x339/0x540
[ 45.160407][ T7] create_new_namespaces+0x52e/0x9f0
[ 45.165692][ T7] unshare_nsproxy_namespaces+0x123/0x190
[ 45.171506][ T7] ksys_unshare+0x463/0x950
[ 45.176042][ T7] __x64_sys_unshare+0x34/0x40
[ 45.180803][ T7] do_syscall_64+0x73/0xe0
[ 45.185383][ T7] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 45.191257][ T7]
[ 45.193598][ T7] Freed by task 7:
[ 45.197572][ T7] __kasan_slab_free+0x114/0x170
[ 45.202498][ T7] kfree+0x10a/0x220
[ 45.206376][ T7] afs_put_call+0x30e/0x420
[ 45.210850][ T7] rxrpc_discard_prealloc+0x5e2/0x710
[ 45.216205][ T7] rxrpc_listen+0x246/0x370
[ 45.222259][ T7] afs_close_socket+0x57/0x280
[ 45.226997][ T7] afs_net_exit+0x4f/0x90
[ 45.231310][ T7] cleanup_net+0x708/0xba0
[ 45.235716][ T7] process_one_work+0x789/0xfc0
[ 45.240542][ T7] worker_thread+0xaa4/0x1460
[ 45.245207][ T7] kthread+0x37e/0x3a0
[ 45.249283][ T7] ret_from_fork+0x1f/0x30
[ 45.254026][ T7]
[ 45.256338][ T7] The buggy address belongs to the object at ffff8880a19d9800
[ 45.256338][ T7] which belongs to the cache kmalloc-1k of size 1024
[ 45.270662][ T7] The buggy address is located 484 bytes inside of
[ 45.270662][ T7] 1024-byte region [ffff8880a19d9800, ffff8880a19d9c00)
[ 45.284023][ T7] The buggy address belongs to the page:
[ 45.289641][ T7] page:ffffea0002867640 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 45.298826][ T7] flags: 0xfffe0000000200(slab)
[ 45.303745][ T7] raw: 00fffe0000000200 ffffea0002872108 ffffea00029465c8 ffff8880aa400c40
[ 45.312324][ T7] raw: 0000000000000000 ffff8880a19d9000 0000000100000002 0000000000000000
[ 45.320901][ T7] page dumped because: kasan: bad access detected
[ 45.327390][ T7]
[ 45.329732][ T7] Memory state around the buggy address:
[ 45.336116][ T7]  ffff8880a19d9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.344153][ T7]  ffff8880a19d9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.352288][ T7] >ffff8880a19d9980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.360329][ T7]                                                        ^
[ 45.367770][ T7]  ffff8880a19d9a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.375808][ T7]  ffff8880a19d9a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.383853][ T7] ==================================================================
[ 45.391893][ T7] Disabling lock debugging due to kernel taint
[ 45.398083][ T7] Kernel panic - not syncing: panic_on_warn set ...
[ 45.404660][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 45.414185][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.424243][ T7] Workqueue: netns cleanup_net
[ 45.428986][ T7] Call Trace:
[ 45.432253][ T7] dump_stack+0x1f0/0x31e
[ 45.436556][ T7] panic+0x264/0x7a0
[ 45.440424][ T7] ? trace_hardirqs_on+0x30/0x80
[ 45.445337][ T7] ? _raw_spin_unlock_irqrestore+0xa5/0xd0
[ 45.451135][ T7] kasan_report+0x1c9/0x1d0
[ 45.455617][ T7] ? afs_wake_up_async_call+0x16f/0x1c0
[ 45.461132][ T7] ? afs_make_call+0x24f0/0x24f0
[ 45.466038][ T7] afs_wake_up_async_call+0x16f/0x1c0
[ 45.471382][ T7] ? afs_make_call+0x24f0/0x24f0
[ 45.476310][ T7] rxrpc_notify_socket+0x1e7/0x4a0
[ 45.481395][ T7] rxrpc_call_completed+0x131/0x210
[ 45.486562][ T7] ? afs_rx_new_call+0x240/0x240
[ 45.491469][ T7] rxrpc_discard_prealloc+0x60d/0x710
[ 45.496817][ T7] rxrpc_listen+0x246/0x370
[ 45.501309][ T7] afs_close_socket+0x57/0x280
[ 45.506045][ T7] ? afs_purge_servers+0x21f/0x280
[ 45.511130][ T7] ? init_wait_var_entry+0x150/0x150
[ 45.516466][ T7] afs_net_exit+0x4f/0x90
[ 45.520798][ T7] cleanup_net+0x708/0xba0
[ 45.525542][ T7] process_one_work+0x789/0xfc0
[ 45.530374][ T7] worker_thread+0xaa4/0x1460
[ 45.535048][ T7] kthread+0x37e/0x3a0
[ 45.539096][ T7] ? rcu_lock_release+0x20/0x20
[ 45.543943][ T7] ? kthread_blkcg+0xd0/0xd0
[ 45.548596][ T7] ret_from_fork+0x1f/0x30
[ 45.554183][ T7] Kernel Offset: disabled
[ 45.558498][ T7] Rebooting in 86400 seconds..