[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
2020/06/19 03:48:47 fuzzer started
2020/06/19 03:48:47 connecting to host at 10.128.0.26:41481
2020/06/19 03:48:47 checking machine...
2020/06/19 03:48:47 checking revisions...
2020/06/19 03:48:47 testing simple program...
syzkaller login: [ 60.940846][ T6830] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 03:48:47 building call list...
[ 61.222721][ T175] tipc: TX() has been purged, node left!
[ 61.763436][ T175] ==================================================================
[ 61.771811][ T175] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 61.781698][ T175] Write of size 1 at addr ffff8880926a61e4 by task kworker/u4:5/175
[ 61.789675][ T175]
[ 61.792006][ T175] CPU: 1 PID: 175 Comm: kworker/u4:5 Not tainted 5.8.0-rc1-syzkaller #0
[ 61.800342][ T175] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.810404][ T175] Workqueue: netns cleanup_net
[ 61.815427][ T175] Call Trace:
[ 61.818816][ T175]  dump_stack+0x18f/0x20d
[ 61.823180][ T175]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.828898][ T175]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.834444][ T175]  ? afs_put_call+0xa40/0xa40
[ 61.841033][ T175]  print_address_description.constprop.0.cold+0xd3/0x413
[ 61.848161][ T175]  ? vprintk_func+0x97/0x1a6
[ 61.852756][ T175]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.858309][ T175]  kasan_report.cold+0x1f/0x37
[ 61.863074][ T175]  ? rcu_read_lock_held_common+0x51/0xa0
[ 61.868724][ T175]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.874268][ T175]  afs_wake_up_async_call+0x6aa/0x770
[ 61.879817][ T175]  ? afs_close_socket+0x320/0x320
[ 61.885020][ T175]  ? afs_put_call+0xa40/0xa40
[ 61.889693][ T175]  rxrpc_notify_socket+0x1db/0x5d0
[ 61.894806][ T175]  ? afs_put_call+0xa40/0xa40
[ 61.899826][ T175]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.906346][ T175]  rxrpc_call_completed+0xca/0xf0
[ 61.911470][ T175]  rxrpc_discard_prealloc+0x781/0xab0
[ 61.916853][ T175]  ? lock_sock_nested+0x94/0x110
[ 61.921798][ T175]  rxrpc_listen+0x147/0x360
[ 61.926300][ T175]  afs_close_socket+0x95/0x320
[ 61.931146][ T175]  ? afs_purge_servers+0x16d/0x300
[ 61.936255][ T175]  ? afs_rx_discard_new_call+0x50/0x50
[ 61.941717][ T175]  ? init_wait_var_entry+0x200/0x200
[ 61.947011][ T175]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.952814][ T175]  ? check_preemption_disabled+0x38/0x220
[ 61.958537][ T175]  afs_net_exit+0x1bc/0x310
[ 61.963343][ T175]  ? afs_net_init+0xe30/0xe30
[ 61.968024][ T175]  ops_exit_list.isra.0+0xa8/0x150
[ 61.973222][ T175]  cleanup_net+0x511/0xa50
[ 61.977637][ T175]  ? unregister_pernet_device+0x70/0x70
[ 61.983238][ T175]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.989227][ T175]  process_one_work+0x965/0x1690
[ 61.994199][ T175]  ? lock_release+0x800/0x800
[ 61.998875][ T175]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 62.004252][ T175]  ? rwlock_bug.part.0+0x90/0x90
[ 62.009200][ T175]  worker_thread+0x96/0xe10
[ 62.013723][ T175]  ? process_one_work+0x1690/0x1690
[ 62.019130][ T175]  kthread+0x3b5/0x4a0
[ 62.023198][ T175]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.029466][ T175]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.035288][ T175]  ret_from_fork+0x1f/0x30
[ 62.039710][ T175]
[ 62.042074][ T175] Allocated by task 6830:
[ 62.046499][ T175]  save_stack+0x1b/0x40
[ 62.050650][ T175]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.056274][ T175]  kmem_cache_alloc_trace+0x153/0x7d0
[ 62.061651][ T175]  afs_alloc_call+0x55/0x630
[ 62.066258][ T175]  afs_charge_preallocation+0xe9/0x2d0
[ 62.071708][ T175]  afs_open_socket+0x292/0x360
[ 62.076463][ T175]  afs_net_init+0xa6c/0xe30
[ 62.080970][ T175]  ops_init+0xaf/0x420
[ 62.085185][ T175]  setup_net+0x2de/0x860
[ 62.089690][ T175]  copy_net_ns+0x293/0x590
[ 62.094194][ T175]  create_new_namespaces+0x3fb/0xb30
[ 62.099480][ T175]  unshare_nsproxy_namespaces+0xbd/0x1f0
[ 62.105109][ T175]  ksys_unshare+0x43d/0x8e0
[ 62.109604][ T175]  __x64_sys_unshare+0x2d/0x40
[ 62.114361][ T175]  do_syscall_64+0x60/0xe0
[ 62.118904][ T175]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 62.124906][ T175]
[ 62.127690][ T175] Freed by task 175:
[ 62.131587][ T175]  save_stack+0x1b/0x40
[ 62.135738][ T175]  __kasan_slab_free+0xf7/0x140
[ 62.140582][ T175]  kfree+0x109/0x2b0
[ 62.144559][ T175]  afs_put_call+0x585/0xa40
[ 62.149221][ T175]  rxrpc_discard_prealloc+0x764/0xab0
[ 62.154863][ T175]  rxrpc_listen+0x147/0x360
[ 62.159458][ T175]  afs_close_socket+0x95/0x320
[ 62.164219][ T175]  afs_net_exit+0x1bc/0x310
[ 62.168716][ T175]  ops_exit_list.isra.0+0xa8/0x150
[ 62.173821][ T175]  cleanup_net+0x511/0xa50
[ 62.178415][ T175]  process_one_work+0x965/0x1690
[ 62.183355][ T175]  worker_thread+0x96/0xe10
[ 62.187861][ T175]  kthread+0x3b5/0x4a0
[ 62.192025][ T175]  ret_from_fork+0x1f/0x30
[ 62.196430][ T175]
[ 62.198753][ T175] The buggy address belongs to the object at ffff8880926a6000
[ 62.198753][ T175]  which belongs to the cache kmalloc-1k of size 1024
[ 62.212897][ T175] The buggy address is located 484 bytes inside of
[ 62.212897][ T175]  1024-byte region [ffff8880926a6000, ffff8880926a6400)
[ 62.226336][ T175] The buggy address belongs to the page:
[ 62.231986][ T175] page:ffffea000249a980 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 62.241086][ T175] flags: 0xfffe0000000200(slab)
[ 62.246033][ T175] raw: 00fffe0000000200 ffffea0002451848 ffffea0002381048 ffff8880aa000c40
[ 62.254764][ T175] raw: 0000000000000000 ffff8880926a6000 0000000100000002 0000000000000000
[ 62.264125][ T175] page dumped because: kasan: bad access detected
[ 62.270543][ T175]
[ 62.272878][ T175] Memory state around the buggy address:
[ 62.278510][ T175]  ffff8880926a6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.286705][ T175]  ffff8880926a6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.294771][ T175] >ffff8880926a6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.302914][ T175]                                                        ^
[ 62.310205][ T175]  ffff8880926a6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.318263][ T175]  ffff8880926a6280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.326592][ T175] ==================================================================
[ 62.334698][ T175] Disabling lock debugging due to kernel taint
[ 62.340942][ T175] Kernel panic - not syncing: panic_on_warn set ...
[ 62.347533][ T175] CPU: 1 PID: 175 Comm: kworker/u4:5 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 62.357594][ T175] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.367828][ T175] Workqueue: netns cleanup_net
[ 62.372645][ T175] Call Trace:
[ 62.375938][ T175]  dump_stack+0x18f/0x20d
[ 62.380271][ T175]  ? afs_wake_up_async_call+0x670/0x770
[ 62.385981][ T175]  ? afs_put_call+0xa40/0xa40
[ 62.390664][ T175]  panic+0x2e3/0x75c
[ 62.394562][ T175]  ? __warn_printk+0xf3/0xf3
[ 62.399255][ T175]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 62.405442][ T175]  ? trace_hardirqs_on+0x55/0x220
[ 62.410470][ T175]  ? afs_wake_up_async_call+0x6aa/0x770
[ 62.416018][ T175]  ? afs_wake_up_async_call+0x6aa/0x770
[ 62.421558][ T175]  ? afs_put_call+0xa40/0xa40
[ 62.426314][ T175]  end_report+0x4d/0x53
[ 62.430465][ T175]  kasan_report.cold+0xd/0x37
[ 62.435137][ T175]  ? rcu_read_lock_held_common+0x51/0xa0
[ 62.440766][ T175]  ? afs_wake_up_async_call+0x6aa/0x770
[ 62.446307][ T175]  afs_wake_up_async_call+0x6aa/0x770
[ 62.451670][ T175]  ? afs_close_socket+0x320/0x320
[ 62.456786][ T175]  ? afs_put_call+0xa40/0xa40
[ 62.461486][ T175]  rxrpc_notify_socket+0x1db/0x5d0
[ 62.466603][ T175]  ? afs_put_call+0xa40/0xa40
[ 62.471475][ T175]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 62.477882][ T175]  rxrpc_call_completed+0xca/0xf0
[ 62.482902][ T175]  rxrpc_discard_prealloc+0x781/0xab0
[ 62.488282][ T175]  ? lock_sock_nested+0x94/0x110
[ 62.493214][ T175]  rxrpc_listen+0x147/0x360
[ 62.497885][ T175]  afs_close_socket+0x95/0x320
[ 62.502648][ T175]  ? afs_purge_servers+0x16d/0x300
[ 62.507780][ T175]  ? afs_rx_discard_new_call+0x50/0x50
[ 62.513250][ T175]  ? init_wait_var_entry+0x200/0x200
[ 62.518529][ T175]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 62.524161][ T175]  ? check_preemption_disabled+0x38/0x220
[ 62.530052][ T175]  afs_net_exit+0x1bc/0x310
[ 62.534562][ T175]  ? afs_net_init+0xe30/0xe30
[ 62.539229][ T175]  ops_exit_list.isra.0+0xa8/0x150
[ 62.544336][ T175]  cleanup_net+0x511/0xa50
[ 62.548745][ T175]  ? unregister_pernet_device+0x70/0x70
[ 62.554284][ T175]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 62.560257][ T175]  process_one_work+0x965/0x1690
[ 62.565210][ T175]  ? lock_release+0x800/0x800
[ 62.569883][ T175]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 62.575248][ T175]  ? rwlock_bug.part.0+0x90/0x90
[ 62.580179][ T175]  worker_thread+0x96/0xe10
[ 62.584682][ T175]  ? process_one_work+0x1690/0x1690
[ 62.589885][ T175]  kthread+0x3b5/0x4a0
[ 62.593957][ T175]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.602101][ T175]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.607843][ T175]  ret_from_fork+0x1f/0x30
[ 62.614202][ T175] Kernel Offset: disabled
[ 62.618715][ T175] Rebooting in 86400 seconds..
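Triage helper for the KASAN report above, added here as an example; it is not syzkaller, syzbot or kernel code. It strips the console prefix, pulls out the bug type, the faulting access, the three stacks (dropping the `? sym` frames, which are unverified addresses found by scanning the stack rather than a real unwind) and the shadow-memory rows, then cross-checks the report against itself: the access address minus the object start must equal the stated "484 bytes inside", the address must sit inside the kmalloc-1k object, and the shadow byte covering it must be 0xfb, which is what generic KASAN writes over a freed slab object. The sample input is a subset of the console lines on this page; the `INFRA` list of allocator and report-printing frames to skip when naming a culprit, and the shadow-value table, are this example's own assumptions.

```python
import re

# Subset of the console lines from the report on this page; the "[ts][Tnnn]" prefix is what
# the kernel printed. Blank separator lines were dropped to keep the sample short.
SAMPLE_REPORT = """\
[   61.763436][  T175] ==================================================================
[   61.771811][  T175] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   61.781698][  T175] Write of size 1 at addr ffff8880926a61e4 by task kworker/u4:5/175
[   61.815427][  T175] Call Trace:
[   61.818816][  T175]  dump_stack+0x18f/0x20d
[   61.823180][  T175]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.841033][  T175]  print_address_description.constprop.0.cold+0xd3/0x413
[   61.858309][  T175]  kasan_report.cold+0x1f/0x37
[   61.874268][  T175]  afs_wake_up_async_call+0x6aa/0x770
[   61.889693][  T175]  rxrpc_notify_socket+0x1db/0x5d0
[   61.958537][  T175]  afs_net_exit+0x1bc/0x310
[   62.042074][  T175] Allocated by task 6830:
[   62.046499][  T175]  save_stack+0x1b/0x40
[   62.050650][  T175]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   62.056274][  T175]  kmem_cache_alloc_trace+0x153/0x7d0
[   62.061651][  T175]  afs_alloc_call+0x55/0x630
[   62.076463][  T175]  afs_net_init+0xa6c/0xe30
[   62.127690][  T175] Freed by task 175:
[   62.131587][  T175]  save_stack+0x1b/0x40
[   62.135738][  T175]  __kasan_slab_free+0xf7/0x140
[   62.140582][  T175]  kfree+0x109/0x2b0
[   62.144559][  T175]  afs_put_call+0x585/0xa40
[   62.198753][  T175] The buggy address belongs to the object at ffff8880926a6000
[   62.198753][  T175]  which belongs to the cache kmalloc-1k of size 1024
[   62.212897][  T175] The buggy address is located 484 bytes inside of
[   62.272878][  T175] Memory state around the buggy address:
[   62.286705][  T175]  ffff8880926a6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.294771][  T175] >ffff8880926a6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.302914][  T175]                                                        ^
[   62.310205][  T175]  ffff8880926a6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.326592][  T175] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")                 # "[   61.76][  T175] "
FRAME = re.compile(r"^\s*(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")   # " ? sym+0xoff/0xsize"
SHADOW_ROW = re.compile(r"^\s*(>)?\s*([0-9a-f]{16}):\s+((?:[0-9a-f]{2}\s*)+)$")

# Generic KASAN shadow values (mm/kasan/kasan.h); 0x00 means the whole 8-byte granule is live.
SHADOW_MEANING = {0x00: "addressable", 0xFA: "global redzone", 0xFB: "freed slab object",
                  0xFC: "slab redzone", 0xFE: "page redzone", 0xFF: "freed page"}
# Assumed list of allocator/report-printing frames that never are the culprit.
INFRA = {"dump_stack", "print_address_description", "kasan_report", "end_report", "save_stack",
         "__kasan_kmalloc", "kmem_cache_alloc_trace", "__kmalloc", "__kasan_slab_free", "kfree"}


def parse_kasan_report(text):
    """Return a dict with the header fields, the reliable frames per stack and the shadow rows."""
    r, section = {"stacks": {}, "shadow": {}}, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).rstrip()
        if m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line):
            r["bug_type"], r["crash_func"] = m[1], m[2].split(".")[0]   # drop .cold/.isra suffixes
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (.+)", line):
            r["access"], r["size"], r["addr"], r["task"] = m[1], int(m[2]), int(m[3], 16), m[4]
        elif m := re.match(r"(Call Trace|Allocated by task \d+|Freed by task \d+):", line):
            section = {"Call": "access", "Allocated": "alloc", "Freed": "free"}[m[1].split()[0]]
            r["stacks"][section] = []
        elif m := FRAME.match(line):
            if section and not m[1]:            # "? sym" is a scanned-stack guess, not a real frame
                r["stacks"][section].append(m[2].split(".")[0])
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r["object_start"], section = int(m[1], 16), None
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r["cache"], r["object_size"] = m[1], int(m[2])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r["claimed_offset"] = int(m[1])
        elif m := SHADOW_ROW.match(line):
            r["shadow"][int(m[2], 16)] = [int(b, 16) for b in m[3].split()]
    return r


def shadow_byte_for(r, addr):
    """Shadow byte covering addr: each dumped row spans 128 bytes, one shadow byte per 8-byte granule."""
    row = addr & ~0x7F
    return r["shadow"][row][(addr - row) // 8] if row in r["shadow"] else None


def triage(r):
    """Cross-check the report against itself and name the first non-infrastructure frame per stack."""
    sb = shadow_byte_for(r, r["addr"])
    return {
        "offset_consistent": r["addr"] - r["object_start"] == r["claimed_offset"],
        "in_object": r["object_start"] <= r["addr"] < r["object_start"] + r["object_size"],
        "shadow": "not in dump" if sb is None else SHADOW_MEANING.get(sb, f"0x{sb:02x}"),
        # a use-after-free must land on freed-object shadow; anything else means a mis-parse
        "shadow_matches_bug": (r["bug_type"] == "use-after-free") == (sb == 0xFB),
        "culprits": {name: next((f for f in frames if f not in INFRA), None)
                     for name, frames in r["stacks"].items()},
    }


if __name__ == "__main__":
    rep = parse_kasan_report(SAMPLE_REPORT)
    print(rep["bug_type"], rep["access"], rep["size"], hex(rep["addr"]), triage(rep))
```

For this report the arithmetic checks out: 0xffff8880926a61e4 - 0xffff8880926a6000 = 0x1e4 = 484, the address lies in the 1024-byte kmalloc-1k object, and the marked shadow row's 13th byte is 0xfb, so the three facts the report states agree with each other. The culprit picks are afs_wake_up_async_call (access), afs_alloc_call (allocation, under afs_net_init during unshare) and afs_put_call (free, under afs_net_exit on the cleanup_net workqueue), which is the same triple a human reader would pull out of the full log above.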