[ OK ] Started Getty on tty4.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.50' (ECDSA) to the list of known hosts.
2020/06/26 01:55:22 fuzzer started
2020/06/26 01:55:23 connecting to host at 10.128.0.26:40245
2020/06/26 01:55:23 checking machine...
2020/06/26 01:55:23 checking revisions...
2020/06/26 01:55:23 testing simple program...
syzkaller login: [ 61.058847][ T6842] IPVS: ftp: loaded support on port[0] = 21
2020/06/26 01:55:23 building call list...
[ 61.397567][ T178] tipc: TX() has been purged, node left!
[ 61.889882][ T178] ==================================================================
[ 61.899835][ T178] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[ 61.908980][ T178] Write of size 1 at addr ffff888092f951e4 by task kworker/u4:4/178
[ 61.917751][ T178]
[ 61.920380][ T178] CPU: 0 PID: 178 Comm: kworker/u4:4 Not tainted 5.8.0-rc1-syzkaller #0
[ 61.930275][ T178] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.941999][ T178] Workqueue: netns cleanup_net
[ 61.946964][ T178] Call Trace:
[ 61.950377][ T178]  dump_stack+0x18f/0x20d
[ 61.955519][ T178]  ? afs_wake_up_async_call+0x430/0x4a0
[ 61.962891][ T178]  ? afs_wake_up_async_call+0x430/0x4a0
[ 61.969119][ T178]  ? afs_put_call+0x440/0x440
[ 61.974299][ T178]  print_address_description.constprop.0.cold+0xae/0x436
[ 61.983009][ T178]  ? vprintk_func+0x97/0x1a6
[ 61.987642][ T178]  ? afs_wake_up_async_call+0x430/0x4a0
[ 61.994381][ T178]  kasan_report.cold+0x1f/0x37
[ 61.999710][ T178]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.006082][ T178]  afs_wake_up_async_call+0x430/0x4a0
[ 62.011698][ T178]  ? afs_close_socket+0x320/0x320
[ 62.018125][ T178]  rxrpc_notify_socket+0x1db/0x5d0
[ 62.023430][ T178]  ? afs_put_call+0x440/0x440
[ 62.031354][ T178]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 62.038943][ T178]  rxrpc_call_completed+0xd0/0xf0
[ 62.044985][ T178]  rxrpc_discard_prealloc+0x777/0xab0
[ 62.051351][ T178]  ? lock_sock_nested+0x94/0x110
[ 62.056773][ T178]  rxrpc_listen+0x11c/0x330
[ 62.061716][ T178]  afs_close_socket+0x95/0x320
[ 62.067291][ T178]  ? afs_purge_servers+0x16d/0x300
[ 62.072591][ T178]  ? afs_rx_discard_new_call+0x50/0x50
[ 62.078153][ T178]  ? init_wait_var_entry+0x200/0x200
[ 62.084418][ T178]  ? check_preemption_disabled+0x38/0x220
[ 62.090638][ T178]  afs_net_exit+0x1bc/0x310
[ 62.095286][ T178]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 62.101278][ T178]  ops_exit_list+0xb0/0x160
[ 62.106572][ T178]  cleanup_net+0x4ea/0xa00
[ 62.111201][ T178]  ? __schedule+0x887/0x1eb0
[ 62.116070][ T178]  ? ops_free_list.part.0+0x3d0/0x3d0
[ 62.122198][ T178]  ? check_preemption_disabled+0x38/0x220
[ 62.128625][ T178]  process_one_work+0x94c/0x1670
[ 62.134536][ T178]  ? lock_release+0x8d0/0x8d0
[ 62.139961][ T178]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 62.147706][ T178]  ? rwlock_bug.part.0+0x90/0x90
[ 62.153864][ T178]  worker_thread+0x64c/0x1120
[ 62.159838][ T178]  ? process_one_work+0x1670/0x1670
[ 62.165530][ T178]  kthread+0x3b5/0x4a0
[ 62.171367][ T178]  ? __kthread_bind_mask+0xc0/0xc0
[ 62.177195][ T178]  ? __kthread_bind_mask+0xc0/0xc0
[ 62.183191][ T178]  ret_from_fork+0x1f/0x30
[ 62.188308][ T178]
[ 62.190936][ T178] Allocated by task 6842:
[ 62.196627][ T178]  save_stack+0x1b/0x40
[ 62.201605][ T178]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 62.208649][ T178]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 62.215370][ T178]  afs_alloc_call+0x4f/0x360
[ 62.220515][ T178]  afs_charge_preallocation+0xe9/0x2d0
[ 62.227230][ T178]  afs_open_socket+0x294/0x360
[ 62.233517][ T178]  afs_net_init+0xa6c/0xe30
[ 62.239517][ T178]  ops_init+0xaf/0x470
[ 62.244145][ T178]  setup_net+0x2d8/0x850
[ 62.248568][ T178]  copy_net_ns+0x2cf/0x5e0
[ 62.254098][ T178]  create_new_namespaces+0x3f6/0xb10
[ 62.260309][ T178]  unshare_nsproxy_namespaces+0xbd/0x1f0
[ 62.266848][ T178]  ksys_unshare+0x36c/0x9a0
[ 62.271577][ T178]  __x64_sys_unshare+0x2d/0x40
[ 62.277079][ T178]  do_syscall_64+0x60/0xe0
[ 62.281873][ T178]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.288062][ T178]
[ 62.290976][ T178] Freed by task 178:
[ 62.296462][ T178]  save_stack+0x1b/0x40
[ 62.301384][ T178]  __kasan_slab_free+0xf5/0x140
[ 62.306557][ T178]  kfree+0x103/0x2c0
[ 62.310994][ T178]  afs_put_call+0x345/0x440
[ 62.316235][ T178]  rxrpc_discard_prealloc+0x75a/0xab0
[ 62.322331][ T178]  rxrpc_listen+0x11c/0x330
[ 62.328057][ T178]  afs_close_socket+0x95/0x320
[ 62.333840][ T178]  afs_net_exit+0x1bc/0x310
[ 62.338788][ T178]  ops_exit_list+0xb0/0x160
[ 62.344266][ T178]  cleanup_net+0x4ea/0xa00
[ 62.350166][ T178]  process_one_work+0x94c/0x1670
[ 62.357089][ T178]  worker_thread+0x64c/0x1120
[ 62.362345][ T178]  kthread+0x3b5/0x4a0
[ 62.367798][ T178]  ret_from_fork+0x1f/0x30
[ 62.379949][ T178]
[ 62.383501][ T178] The buggy address belongs to the object at ffff888092f95000
[ 62.383501][ T178]  which belongs to the cache kmalloc-1k of size 1024
[ 62.400910][ T178] The buggy address is located 484 bytes inside of
[ 62.400910][ T178]  1024-byte region [ffff888092f95000, ffff888092f95400)
[ 62.415498][ T178] The buggy address belongs to the page:
[ 62.421653][ T178] page:ffffea00024be540 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 62.432496][ T178] flags: 0xfffe0000000200(slab)
[ 62.438304][ T178] raw: 00fffe0000000200 ffffea00025be748 ffffea00029d0e48 ffff8880aa000c40
[ 62.448658][ T178] raw: 0000000000000000 ffff888092f95000 0000000100000002 0000000000000000
[ 62.458100][ T178] page dumped because: kasan: bad access detected
[ 62.464925][ T178]
[ 62.467534][ T178] Memory state around the buggy address:
[ 62.474145][ T178]  ffff888092f95080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.482932][ T178]  ffff888092f95100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.492454][ T178] >ffff888092f95180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.501559][ T178]                                                        ^
[ 62.509187][ T178]  ffff888092f95200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.517352][ T178]  ffff888092f95280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.525813][ T178] ==================================================================
[ 62.534699][ T178] Disabling lock debugging due to kernel taint
[ 62.540991][ T178] Kernel panic - not syncing: panic_on_warn set ...
[ 62.547603][ T178] CPU: 0 PID: 178 Comm: kworker/u4:4 Tainted: G    B   5.8.0-rc1-syzkaller #0
[ 62.557657][ T178] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.568028][ T178] Workqueue: netns cleanup_net
[ 62.573122][ T178] Call Trace:
[ 62.576436][ T178]  dump_stack+0x18f/0x20d
[ 62.580779][ T178]  ? afs_wake_up_async_call+0x400/0x4a0
[ 62.586565][ T178]  ? afs_put_call+0x440/0x440
[ 62.591241][ T178]  panic+0x2e3/0x75c
[ 62.595598][ T178]  ? __warn_printk+0xf3/0xf3
[ 62.600199][ T178]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.605926][ T178]  ? trace_hardirqs_on+0x55/0x220
[ 62.611343][ T178]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.617095][ T178]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.622643][ T178]  ? afs_put_call+0x440/0x440
[ 62.627411][ T178]  end_report+0x4d/0x53
[ 62.631813][ T178]  kasan_report.cold+0xd/0x37
[ 62.636494][ T178]  ? afs_wake_up_async_call+0x430/0x4a0
[ 62.642211][ T178]  afs_wake_up_async_call+0x430/0x4a0
[ 62.647707][ T178]  ? afs_close_socket+0x320/0x320
[ 62.652735][ T178]  rxrpc_notify_socket+0x1db/0x5d0
[ 62.657845][ T178]  ? afs_put_call+0x440/0x440
[ 62.662527][ T178]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 62.668946][ T178]  rxrpc_call_completed+0xd0/0xf0
[ 62.673980][ T178]  rxrpc_discard_prealloc+0x777/0xab0
[ 62.679351][ T178]  ? lock_sock_nested+0x94/0x110
[ 62.684296][ T178]  rxrpc_listen+0x11c/0x330
[ 62.688919][ T178]  afs_close_socket+0x95/0x320
[ 62.693699][ T178]  ? afs_purge_servers+0x16d/0x300
[ 62.699004][ T178]  ? afs_rx_discard_new_call+0x50/0x50
[ 62.705595][ T178]  ? init_wait_var_entry+0x200/0x200
[ 62.710885][ T178]  ? check_preemption_disabled+0x38/0x220
[ 62.716907][ T178]  afs_net_exit+0x1bc/0x310
[ 62.721500][ T178]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 62.727133][ T178]  ops_exit_list+0xb0/0x160
[ 62.731634][ T178]  cleanup_net+0x4ea/0xa00
[ 62.736061][ T178]  ? __schedule+0x887/0x1eb0
[ 62.740654][ T178]  ? ops_free_list.part.0+0x3d0/0x3d0
[ 62.746035][ T178]  ? check_preemption_disabled+0x38/0x220
[ 62.751761][ T178]  process_one_work+0x94c/0x1670
[ 62.756700][ T178]  ? lock_release+0x8d0/0x8d0
[ 62.761374][ T178]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 62.766743][ T178]  ? rwlock_bug.part.0+0x90/0x90
[ 62.771694][ T178]  worker_thread+0x64c/0x1120
[ 62.776405][ T178]  ? process_one_work+0x1670/0x1670
[ 62.781600][ T178]  kthread+0x3b5/0x4a0
[ 62.785705][ T178]  ? __kthread_bind_mask+0xc0/0xc0
[ 62.790935][ T178]  ? __kthread_bind_mask+0xc0/0xc0
[ 62.796219][ T178]  ret_from_fork+0x1f/0x30
[ 62.802256][ T178] Kernel Offset: disabled
[ 62.806752][ T178] Rebooting in 86400 seconds..