Starting OpenBSD Secure Shell server...
[ OK ] Started Regular background program processing daemon.
Starting Permit User Sessions...
Starting System Logging Service...
Starting getty on tty2-tty6 if dbus and logind are not available...
[ OK ] Started Permit User Sessions.
[ OK ] Started System Logging Service.
[ OK ] Found device /dev/ttyS0.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
Debian GNU/Linux 9 syzkaller ttyS0
2020/06/25 19:14:31 fuzzer started
2020/06/25 19:14:32 connecting to host at 10.128.0.26:38139
2020/06/25 19:14:32 checking machine...
2020/06/25 19:14:32 checking revisions...
2020/06/25 19:14:32 testing simple program...
syzkaller login: [ 73.925668][ T29] audit: type=1400 audit(1593112472.475:8): avc: denied { execmem } for pid=6995 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 74.014730][ T6996] IPVS: ftp: loaded support on port[0] = 21
2020/06/25 19:14:32 building call list...
[ 74.343561][ T21] tipc: TX() has been purged, node left!
[ 74.856519][ T21] ==================================================================
[ 74.864894][ T21] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[ 74.872791][ T21] Write of size 1 at addr ffff88809e9611e4 by task kworker/u4:1/21
[ 74.880666][ T21]
[ 74.882998][ T21] CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.8.0-rc2-syzkaller #0
[ 74.891238][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.901427][ T21] Workqueue: netns cleanup_net
[ 74.906189][ T21] Call Trace:
[ 74.909486][ T21] dump_stack+0x18f/0x20d
[ 74.913822][ T21] ? afs_wake_up_async_call+0x430/0x4a0
[ 74.919449][ T21] ? afs_wake_up_async_call+0x430/0x4a0
[ 74.924994][ T21] ? afs_put_call+0x440/0x440
[ 74.929672][ T21] print_address_description.constprop.0.cold+0xae/0x436
[ 74.936717][ T21] ? vprintk_func+0x97/0x1a6
[ 74.941328][ T21] ? afs_wake_up_async_call+0x430/0x4a0
[ 74.946880][ T21] kasan_report.cold+0x1f/0x37
[ 74.951650][ T21] ? afs_wake_up_async_call+0x430/0x4a0
[ 74.957198][ T21] afs_wake_up_async_call+0x430/0x4a0
[ 74.962567][ T21] ? afs_close_socket+0x320/0x320
[ 74.967604][ T21] rxrpc_notify_socket+0x1db/0x5d0
[ 74.972804][ T21] ? afs_put_call+0x440/0x440
[ 74.977478][ T21] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 74.983898][ T21] rxrpc_call_completed+0xd0/0xf0
[ 74.988920][ T21] rxrpc_discard_prealloc+0x777/0xab0
[ 74.994291][ T21] ? lock_sock_nested+0x94/0x110
[ 74.999238][ T21] rxrpc_listen+0x11c/0x330
[ 75.003742][ T21] afs_close_socket+0x95/0x320
[ 75.008502][ T21] ? afs_purge_servers+0x181/0x330
[ 75.013610][ T21] ? afs_rx_discard_new_call+0x50/0x50
[ 75.019069][ T21] ? init_wait_var_entry+0x200/0x200
[ 75.024361][ T21] afs_net_exit+0x1c4/0x310
[ 75.028860][ T21] ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 75.034492][ T21] ops_exit_list+0xb0/0x160
[ 75.038997][ T21] cleanup_net+0x4ea/0xa00
[ 75.043410][ T21] ? __schedule+0x887/0x1eb0
[ 75.048020][ T21] ? ops_free_list.part.0+0x3d0/0x3d0
[ 75.053394][ T21] ? check_preemption_disabled+0x38/0x220
[ 75.059133][ T21] process_one_work+0x94c/0x1670
[ 75.064082][ T21] ? lock_release+0x8d0/0x8d0
[ 75.068756][ T21] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 75.074135][ T21] ? rwlock_bug.part.0+0x90/0x90
[ 75.079081][ T21] worker_thread+0x64c/0x1120
[ 75.083767][ T21] ? __kthread_parkme+0x13f/0x1e0
[ 75.088786][ T21] ? process_one_work+0x1670/0x1670
[ 75.093981][ T21] kthread+0x3b5/0x4a0
[ 75.098041][ T21] ? __kthread_bind_mask+0xc0/0xc0
[ 75.103149][ T21] ? __kthread_bind_mask+0xc0/0xc0
[ 75.108263][ T21] ret_from_fork+0x1f/0x30
[ 75.112685][ T21]
[ 75.115006][ T21] Allocated by task 6996:
[ 75.119334][ T21] save_stack+0x1b/0x40
[ 75.123487][ T21] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 75.129113][ T21] kmem_cache_alloc_trace+0x14f/0x2d0
[ 75.134501][ T21] afs_alloc_call+0x4f/0x360
[ 75.139085][ T21] afs_charge_preallocation+0xe9/0x2d0
[ 75.144543][ T21] afs_open_socket+0x294/0x360
[ 75.149298][ T21] afs_net_init+0xab4/0xe90
[ 75.153795][ T21] ops_init+0xaf/0x470
[ 75.157858][ T21] setup_net+0x2d8/0x850
[ 75.162093][ T21] copy_net_ns+0x2cf/0x5e0
[ 75.166512][ T21] create_new_namespaces+0x3f6/0xb10
[ 75.171879][ T21] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 75.178025][ T21] ksys_unshare+0x36c/0x9a0
[ 75.182532][ T21] __x64_sys_unshare+0x2d/0x40
[ 75.187291][ T21] do_syscall_64+0x60/0xe0
[ 75.191708][ T21] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 75.197585][ T21]
[ 75.200001][ T21] Freed by task 21:
[ 75.203811][ T21] save_stack+0x1b/0x40
[ 75.207959][ T21] __kasan_slab_free+0xf5/0x140
[ 75.212801][ T21] kfree+0x103/0x2c0
[ 75.216693][ T21] afs_put_call+0x345/0x440
[ 75.221190][ T21] rxrpc_discard_prealloc+0x75a/0xab0
[ 75.226558][ T21] rxrpc_listen+0x11c/0x330
[ 75.231053][ T21] afs_close_socket+0x95/0x320
[ 75.235807][ T21] afs_net_exit+0x1c4/0x310
[ 75.240305][ T21] ops_exit_list+0xb0/0x160
[ 75.244800][ T21] cleanup_net+0x4ea/0xa00
[ 75.249210][ T21] process_one_work+0x94c/0x1670
[ 75.254211][ T21] worker_thread+0x64c/0x1120
[ 75.258902][ T21] kthread+0x3b5/0x4a0
[ 75.262974][ T21] ret_from_fork+0x1f/0x30
[ 75.267384][ T21]
[ 75.269714][ T21] The buggy address belongs to the object at ffff88809e961000
[ 75.269714][ T21] which belongs to the cache kmalloc-1k of size 1024
[ 75.283855][ T21] The buggy address is located 484 bytes inside of
[ 75.283855][ T21] 1024-byte region [ffff88809e961000, ffff88809e961400)
[ 75.297218][ T21] The buggy address belongs to the page:
[ 75.302877][ T21] page:ffffea00027a5840 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 75.311994][ T21] flags: 0xfffe0000000200(slab)
[ 75.316865][ T21] raw: 00fffe0000000200 ffffea00024b5e08 ffffea00027fcc48 ffff8880aa000c40
[ 75.325466][ T21] raw: 0000000000000000 ffff88809e961000 0000000100000002 0000000000000000
[ 75.334079][ T21] page dumped because: kasan: bad access detected
[ 75.340750][ T21]
[ 75.343102][ T21] Memory state around the buggy address:
[ 75.348723][ T21] ffff88809e961080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.357175][ T21] ffff88809e961100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.365416][ T21] >ffff88809e961180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.373461][ T21] ^
[ 75.380673][ T21] ffff88809e961200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.388737][ T21] ffff88809e961280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.396792][ T21] ==================================================================
[ 75.404861][ T21] Disabling lock debugging due to kernel taint
[ 75.412201][ T21] Kernel panic - not syncing: panic_on_warn set ...
[ 75.418784][ T21] CPU: 0 PID: 21 Comm: kworker/u4:1 Tainted: G B 5.8.0-rc2-syzkaller #0
[ 75.428396][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.438570][ T21] Workqueue: netns cleanup_net
[ 75.444019][ T21] Call Trace:
[ 75.447319][ T21] dump_stack+0x18f/0x20d
[ 75.451648][ T21] ? afs_wake_up_async_call+0x340/0x4a0
[ 75.457203][ T21] ? afs_put_call+0x440/0x440
[ 75.461892][ T21] panic+0x2e3/0x75c
[ 75.465876][ T21] ? __warn_printk+0xf3/0xf3
[ 75.470723][ T21] ? afs_wake_up_async_call+0x430/0x4a0
[ 75.476361][ T21] ? trace_hardirqs_on+0x55/0x220
[ 75.481385][ T21] ? afs_wake_up_async_call+0x430/0x4a0
[ 75.486922][ T21] ? afs_wake_up_async_call+0x430/0x4a0
[ 75.492458][ T21] ? afs_put_call+0x440/0x440
[ 75.497127][ T21] end_report+0x4d/0x53
[ 75.501286][ T21] kasan_report.cold+0xd/0x37
[ 75.505966][ T21] ? afs_wake_up_async_call+0x430/0x4a0
[ 75.511506][ T21] afs_wake_up_async_call+0x430/0x4a0
[ 75.516873][ T21] ? afs_close_socket+0x320/0x320
[ 75.521894][ T21] rxrpc_notify_socket+0x1db/0x5d0
[ 75.527026][ T21] ? afs_put_call+0x440/0x440
[ 75.531698][ T21] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 75.538109][ T21] rxrpc_call_completed+0xd0/0xf0
[ 75.543231][ T21] rxrpc_discard_prealloc+0x777/0xab0
[ 75.548619][ T21] ? lock_sock_nested+0x94/0x110
[ 75.553562][ T21] rxrpc_listen+0x11c/0x330
[ 75.558067][ T21] afs_close_socket+0x95/0x320
[ 75.562834][ T21] ? afs_purge_servers+0x181/0x330
[ 75.567942][ T21] ? afs_rx_discard_new_call+0x50/0x50
[ 75.573520][ T21] ? init_wait_var_entry+0x200/0x200
[ 75.578815][ T21] afs_net_exit+0x1c4/0x310
[ 75.583323][ T21] ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 75.588953][ T21] ops_exit_list+0xb0/0x160
[ 75.593454][ T21] cleanup_net+0x4ea/0xa00
[ 75.597863][ T21] ? __schedule+0x887/0x1eb0
[ 75.602448][ T21] ? ops_free_list.part.0+0x3d0/0x3d0
[ 75.607845][ T21] ? check_preemption_disabled+0x38/0x220
[ 75.613567][ T21] process_one_work+0x94c/0x1670
[ 75.618504][ T21] ? lock_release+0x8d0/0x8d0
[ 75.623348][ T21] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 75.628716][ T21] ? rwlock_bug.part.0+0x90/0x90
[ 75.633655][ T21] worker_thread+0x64c/0x1120
[ 75.638330][ T21] ? __kthread_parkme+0x13f/0x1e0
[ 75.643429][ T21] ? process_one_work+0x1670/0x1670
[ 75.648615][ T21] kthread+0x3b5/0x4a0
[ 75.652671][ T21] ? __kthread_bind_mask+0xc0/0xc0
[ 75.657858][ T21] ? __kthread_bind_mask+0xc0/0xc0
[ 75.662962][ T21] ret_from_fork+0x1f/0x30
[ 75.668828][ T21] Kernel Offset: disabled
[ 75.673152][ T21] Rebooting in 86400 seconds..