[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.183' (ECDSA) to the list of known hosts.
2020/06/19 05:28:30 fuzzer started
2020/06/19 05:28:30 connecting to host at 10.128.0.26:41079
2020/06/19 05:28:30 checking machine...
2020/06/19 05:28:30 checking revisions...
2020/06/19 05:28:30 testing simple program...
syzkaller login: [ 44.360042][ T6778] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 05:28:31 building call list...
[ 44.694131][ T57] tipc: TX() has been purged, node left!
[ 45.235705][ T57] ==================================================================
[ 45.244112][ T57] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0
[ 45.252083][ T57] Write of size 1 at addr ffff8880a18631e4 by task kworker/u4:2/57
[ 45.259980][ T57]
[ 45.262306][ T57] CPU: 1 PID: 57 Comm: kworker/u4:2 Not tainted 5.8.0-rc1-syzkaller #0
[ 45.270524][ T57] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.280571][ T57] Workqueue: netns cleanup_net
[ 45.285317][ T57] Call Trace:
[ 45.288599][ T57]  dump_stack+0x1f0/0x31e
[ 45.292927][ T57]  print_address_description+0x66/0x5a0
[ 45.298460][ T57]  ? vprintk_emit+0x342/0x3c0
[ 45.303822][ T57]  ? printk+0x62/0x83
[ 45.307800][ T57]  ? vprintk_emit+0x339/0x3c0
[ 45.312487][ T57]  kasan_report+0x132/0x1d0
[ 45.317079][ T57]  ? afs_wake_up_async_call+0x16f/0x1c0
[ 45.322616][ T57]  ? afs_make_call+0x24f0/0x24f0
[ 45.327540][ T57]  afs_wake_up_async_call+0x16f/0x1c0
[ 45.332902][ T57]  ? afs_make_call+0x24f0/0x24f0
[ 45.337825][ T57]  rxrpc_notify_socket+0x1e7/0x4a0
[ 45.342932][ T57]  rxrpc_call_completed+0x131/0x210
[ 45.348130][ T57]  ? afs_rx_new_call+0x240/0x240
[ 45.353057][ T57]  rxrpc_discard_prealloc+0x60d/0x710
[ 45.358439][ T57]  rxrpc_listen+0x246/0x370
[ 45.363979][ T57]  afs_close_socket+0x57/0x280
[ 45.368730][ T57]  ? afs_purge_servers+0x21f/0x280
[ 45.373831][ T57]  ? init_wait_var_entry+0x150/0x150
[ 45.379110][ T57]  afs_net_exit+0x4f/0x90
[ 45.383462][ T57]  cleanup_net+0x708/0xba0
[ 45.387904][ T57]  process_one_work+0x789/0xfc0
[ 45.392769][ T57]  worker_thread+0xaa4/0x1460
[ 45.397466][ T57]  kthread+0x37e/0x3a0
[ 45.401536][ T57]  ? rcu_lock_release+0x20/0x20
[ 45.406371][ T57]  ? kthread_blkcg+0xd0/0xd0
[ 45.411061][ T57]  ret_from_fork+0x1f/0x30
[ 45.415487][ T57]
[ 45.417800][ T57] Allocated by task 6778:
[ 45.422117][ T57]  __kasan_kmalloc+0x103/0x140
[ 45.426886][ T57]  kmem_cache_alloc_trace+0x234/0x300
[ 45.432248][ T57]  afs_alloc_call+0x89/0x2f0
[ 45.436830][ T57]  afs_charge_preallocation+0xf0/0x2a0
[ 45.442278][ T57]  afs_open_socket+0x3c7/0x510
[ 45.447040][ T57]  afs_net_init+0x772/0x940
[ 45.451538][ T57]  ops_init+0x320/0x410
[ 45.455686][ T57]  setup_net+0x1cb/0x770
[ 45.459921][ T57]  copy_net_ns+0x339/0x540
[ 45.464333][ T57]  create_new_namespaces+0x52e/0x9f0
[ 45.469612][ T57]  unshare_nsproxy_namespaces+0x123/0x190
[ 45.475332][ T57]  ksys_unshare+0x463/0x950
[ 45.479829][ T57]  __x64_sys_unshare+0x34/0x40
[ 45.484586][ T57]  do_syscall_64+0x73/0xe0
[ 45.488999][ T57]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 45.495316][ T57]
[ 45.497617][ T57] Freed by task 57:
[ 45.501516][ T57]  __kasan_slab_free+0x114/0x170
[ 45.506440][ T57]  kfree+0x10a/0x220
[ 45.510318][ T57]  afs_put_call+0x30e/0x420
[ 45.514815][ T57]  rxrpc_discard_prealloc+0x5e2/0x710
[ 45.520172][ T57]  rxrpc_listen+0x246/0x370
[ 45.524651][ T57]  afs_close_socket+0x57/0x280
[ 45.529388][ T57]  afs_net_exit+0x4f/0x90
[ 45.533693][ T57]  cleanup_net+0x708/0xba0
[ 45.538088][ T57]  process_one_work+0x789/0xfc0
[ 45.542925][ T57]  worker_thread+0xaa4/0x1460
[ 45.547574][ T57]  kthread+0x37e/0x3a0
[ 45.551617][ T57]  ret_from_fork+0x1f/0x30
[ 45.556007][ T57]
[ 45.558330][ T57] The buggy address belongs to the object at ffff8880a1863000
[ 45.558330][ T57]  which belongs to the cache kmalloc-1k of size 1024
[ 45.572378][ T57] The buggy address is located 484 bytes inside of
[ 45.572378][ T57]  1024-byte region [ffff8880a1863000, ffff8880a1863400)
[ 45.585794][ T57] The buggy address belongs to the page:
[ 45.591432][ T57] page:ffffea00028618c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 45.600512][ T57] flags: 0xfffe0000000200(slab)
[ 45.605426][ T57] raw: 00fffe0000000200 ffffea0002865f88 ffffea0002425948 ffff8880aa400c40
[ 45.613983][ T57] raw: 0000000000000000 ffff8880a1863000 0000000100000002 0000000000000000
[ 45.622538][ T57] page dumped because: kasan: bad access detected
[ 45.628930][ T57]
[ 45.631229][ T57] Memory state around the buggy address:
[ 45.636842][ T57]  ffff8880a1863080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.644879][ T57]  ffff8880a1863100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.652917][ T57] >ffff8880a1863180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.660948][ T57]                                                        ^
[ 45.668119][ T57]  ffff8880a1863200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.676153][ T57]  ffff8880a1863280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.684182][ T57] ==================================================================
[ 45.692212][ T57] Disabling lock debugging due to kernel taint
[ 45.698417][ T57] Kernel panic - not syncing: panic_on_warn set ...
[ 45.705007][ T57] CPU: 1 PID: 57 Comm: kworker/u4:2 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 45.714620][ T57] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.724762][ T57] Workqueue: netns cleanup_net
[ 45.729606][ T57] Call Trace:
[ 45.732900][ T57]  dump_stack+0x1f0/0x31e
[ 45.737219][ T57]  panic+0x264/0x7a0
[ 45.741085][ T57]  ? trace_hardirqs_on+0x30/0x80
[ 45.746028][ T57]  ? _raw_spin_unlock_irqrestore+0xa5/0xd0
[ 45.751803][ T57]  kasan_report+0x1c9/0x1d0
[ 45.756296][ T57]  ? afs_wake_up_async_call+0x16f/0x1c0
[ 45.762088][ T57]  ? afs_make_call+0x24f0/0x24f0
[ 45.766999][ T57]  afs_wake_up_async_call+0x16f/0x1c0
[ 45.772372][ T57]  ? afs_make_call+0x24f0/0x24f0
[ 45.777339][ T57]  rxrpc_notify_socket+0x1e7/0x4a0
[ 45.782437][ T57]  rxrpc_call_completed+0x131/0x210
[ 45.787633][ T57]  ? afs_rx_new_call+0x240/0x240
[ 45.792588][ T57]  rxrpc_discard_prealloc+0x60d/0x710
[ 45.797960][ T57]  rxrpc_listen+0x246/0x370
[ 45.802453][ T57]  afs_close_socket+0x57/0x280
[ 45.807216][ T57]  ? afs_purge_servers+0x21f/0x280
[ 45.812642][ T57]  ? init_wait_var_entry+0x150/0x150
[ 45.817952][ T57]  afs_net_exit+0x4f/0x90
[ 45.822290][ T57]  cleanup_net+0x708/0xba0
[ 45.826706][ T57]  process_one_work+0x789/0xfc0
[ 45.831536][ T57]  worker_thread+0xaa4/0x1460
[ 45.836205][ T57]  kthread+0x37e/0x3a0
[ 45.841125][ T57]  ? rcu_lock_release+0x20/0x20
[ 45.846047][ T57]  ? kthread_blkcg+0xd0/0xd0
[ 45.850614][ T57]  ret_from_fork+0x1f/0x30
[ 45.856468][ T57] Kernel Offset: disabled
[ 45.860787][ T57] Rebooting in 86400 seconds..