[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.178' (ECDSA) to the list of known hosts.
2020/06/19 04:02:01 fuzzer started
2020/06/19 04:02:01 connecting to host at 10.128.0.26:34787
2020/06/19 04:02:01 checking machine...
2020/06/19 04:02:01 checking revisions...
2020/06/19 04:02:01 testing simple program...
syzkaller login: [   68.250762][ T6827] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 04:02:02 building call list...
[   68.610591][   T76] tipc: TX() has been purged, node left!
[   69.132912][   T76] ==================================================================
[   69.142522][   T76] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   69.151262][   T76] Write of size 1 at addr ffff88809fa179e4 by task kworker/u4:3/76
[   69.160101][   T76] 
[   69.162697][   T76] CPU: 1 PID: 76 Comm: kworker/u4:3 Not tainted 5.8.0-rc1-syzkaller #0
[   69.171238][   T76] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.182349][   T76] Workqueue: netns cleanup_net
[   69.187120][   T76] Call Trace:
[   69.190427][   T76]  dump_stack+0x18f/0x20d
[   69.195225][   T76]  ? afs_wake_up_async_call+0x6aa/0x770
[   69.201338][   T76]  ? afs_wake_up_async_call+0x6aa/0x770
[   69.207843][   T76]  ? afs_put_call+0xa40/0xa40
[   69.212655][   T76]  print_address_description.constprop.0.cold+0xd3/0x413
[   69.219875][   T76]  ? vprintk_func+0x97/0x1a6
[   69.224572][   T76]  ? afs_wake_up_async_call+0x6aa/0x770
[   69.230570][   T76]  kasan_report.cold+0x1f/0x37
[   69.236739][   T76]  ? rcu_read_lock_held_common+0x51/0xa0
[   69.242728][   T76]  ? afs_wake_up_async_call+0x6aa/0x770
[   69.248279][   T76]  afs_wake_up_async_call+0x6aa/0x770
[   69.254975][   T76]  ? afs_close_socket+0x320/0x320
[   69.260007][   T76]  ? afs_put_call+0xa40/0xa40
[   69.264702][   T76]  rxrpc_notify_socket+0x1db/0x5d0
[   69.270853][   T76]  ? afs_put_call+0xa40/0xa40
[   69.275616][   T76]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   69.282842][   T76]  rxrpc_call_completed+0xca/0xf0
[   69.288787][   T76]  rxrpc_discard_prealloc+0x781/0xab0
[   69.294892][   T76]  ? lock_sock_nested+0x94/0x110
[   69.300013][   T76]  rxrpc_listen+0x147/0x360
[   69.304523][   T76]  afs_close_socket+0x95/0x320
[   69.309578][   T76]  ? afs_purge_servers+0x16d/0x300
[   69.314693][   T76]  ? afs_rx_discard_new_call+0x50/0x50
[   69.320532][   T76]  ? init_wait_var_entry+0x200/0x200
[   69.326379][   T76]  ? rcu_read_lock_held_common+0xa0/0xa0
[   69.333972][   T76]  ? check_preemption_disabled+0x38/0x220
[   69.339982][   T76]  afs_net_exit+0x1bc/0x310
[   69.344489][   T76]  ? afs_net_init+0xe30/0xe30
[   69.349731][   T76]  ops_exit_list.isra.0+0xa8/0x150
[   69.355650][   T76]  cleanup_net+0x511/0xa50
[   69.361080][   T76]  ? unregister_pernet_device+0x70/0x70
[   69.367548][   T76]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   69.373568][   T76]  process_one_work+0x965/0x1690
[   69.378534][   T76]  ? lock_release+0x800/0x800
[   69.383227][   T76]  ? pwq_dec_nr_in_flight+0x310/0x310
[   69.388604][   T76]  ? rwlock_bug.part.0+0x90/0x90
[   69.393639][   T76]  worker_thread+0x96/0xe10
[   69.398273][   T76]  ? process_one_work+0x1690/0x1690
[   69.404125][   T76]  kthread+0x3b5/0x4a0
[   69.408818][   T76]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   69.414533][   T76]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   69.420693][   T76]  ret_from_fork+0x1f/0x30
[   69.425117][   T76] 
[   69.427442][   T76] Allocated by task 6827:
[   69.431878][   T76]  save_stack+0x1b/0x40
[   69.436032][   T76]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   69.441662][   T76]  kmem_cache_alloc_trace+0x153/0x7d0
[   69.447481][   T76]  afs_alloc_call+0x55/0x630
[   69.452156][   T76]  afs_charge_preallocation+0xe9/0x2d0
[   69.458134][   T76]  afs_open_socket+0x292/0x360
[   69.462892][   T76]  afs_net_init+0xa6c/0xe30
[   69.467656][   T76]  ops_init+0xaf/0x420
[   69.472247][   T76]  setup_net+0x2de/0x860
[   69.476588][   T76]  copy_net_ns+0x293/0x590
[   69.481488][   T76]  create_new_namespaces+0x3fb/0xb30
[   69.486799][   T76]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   69.492528][   T76]  ksys_unshare+0x43d/0x8e0
[   69.497087][   T76]  __x64_sys_unshare+0x2d/0x40
[   69.501861][   T76]  do_syscall_64+0x60/0xe0
[   69.506287][   T76]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.512484][   T76] 
[   69.514830][   T76] Freed by task 76:
[   69.518640][   T76]  save_stack+0x1b/0x40
[   69.522817][   T76]  __kasan_slab_free+0xf7/0x140
[   69.528121][   T76]  kfree+0x109/0x2b0
[   69.532012][   T76]  afs_put_call+0x585/0xa40
[   69.536540][   T76]  rxrpc_discard_prealloc+0x764/0xab0
[   69.541938][   T76]  rxrpc_listen+0x147/0x360
[   69.546637][   T76]  afs_close_socket+0x95/0x320
[   69.552185][   T76]  afs_net_exit+0x1bc/0x310
[   69.556712][   T76]  ops_exit_list.isra.0+0xa8/0x150
[   69.561911][   T76]  cleanup_net+0x511/0xa50
[   69.566333][   T76]  process_one_work+0x965/0x1690
[   69.571289][   T76]  worker_thread+0x96/0xe10
[   69.575905][   T76]  kthread+0x3b5/0x4a0
[   69.580060][   T76]  ret_from_fork+0x1f/0x30
[   69.584466][   T76] 
[   69.586795][   T76] The buggy address belongs to the object at ffff88809fa17800
[   69.586795][   T76]  which belongs to the cache kmalloc-1k of size 1024
[   69.602117][   T76] The buggy address is located 484 bytes inside of
[   69.602117][   T76]  1024-byte region [ffff88809fa17800, ffff88809fa17c00)
[   69.617251][   T76] The buggy address belongs to the page:
[   69.622888][   T76] page:ffffea00027e85c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   69.632001][   T76] flags: 0xfffe0000000200(slab)
[   69.636974][   T76] raw: 00fffe0000000200 ffffea00024274c8 ffffea00027cf848 ffff8880aa000c40
[   69.645794][   T76] raw: 0000000000000000 ffff88809fa17000 0000000100000002 0000000000000000
[   69.654774][   T76] page dumped because: kasan: bad access detected
[   69.661360][   T76] 
[   69.663800][   T76] Memory state around the buggy address:
[   69.670137][   T76]  ffff88809fa17880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.679557][   T76]  ffff88809fa17900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.690583][   T76] >ffff88809fa17980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.698753][   T76]                                                       ^
[   69.707425][   T76]  ffff88809fa17a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.715896][   T76]  ffff88809fa17a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.729070][   T76] ==================================================================
[   69.737739][   T76] Disabling lock debugging due to kernel taint
[   69.744201][   T76] Kernel panic - not syncing: panic_on_warn set ...
[   69.751775][   T76] CPU: 1 PID: 76 Comm: kworker/u4:3 Tainted: G    B             5.8.0-rc1-syzkaller #0
[   69.761662][   T76] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.771888][   T76] Workqueue: netns cleanup_net
[   69.776655][   T76] Call Trace:
[   69.780091][   T76]  dump_stack+0x18f/0x20d
[   69.784438][   T76]  ? afs_wake_up_async_call+0x670/0x770
[   69.789972][   T76]  ? afs_put_call+0xa40/0xa40
[   69.794665][   T76]  panic+0x2e3/0x75c
[   69.798563][   T76]  ? __warn_printk+0xf3/0xf3
[   69.803150][   T76]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   69.809301][   T76]  ? trace_hardirqs_on+0x55/0x220
[   69.815017][   T76]  ? afs_wake_up_async_call+0x6aa/0x770
[   69.820575][   T76]  ? afs_wake_up_async_call+0x6aa/0x770
[   69.826156][   T76]  ? afs_put_call+0xa40/0xa40
[   69.830835][   T76]  end_report+0x4d/0x53
[   69.834985][   T76]  kasan_report.cold+0xd/0x37
[   69.839923][   T76]  ? rcu_read_lock_held_common+0x51/0xa0
[   69.846509][   T76]  ? afs_wake_up_async_call+0x6aa/0x770
[   69.852413][   T76]  afs_wake_up_async_call+0x6aa/0x770
[   69.858852][   T76]  ? afs_close_socket+0x320/0x320
[   69.863872][   T76]  ? afs_put_call+0xa40/0xa40
[   69.868545][   T76]  rxrpc_notify_socket+0x1db/0x5d0
[   69.873656][   T76]  ? afs_put_call+0xa40/0xa40
[   69.878330][   T76]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   69.884748][   T76]  rxrpc_call_completed+0xca/0xf0
[   69.889786][   T76]  rxrpc_discard_prealloc+0x781/0xab0
[   69.895164][   T76]  ? lock_sock_nested+0x94/0x110
[   69.900097][   T76]  rxrpc_listen+0x147/0x360
[   69.904597][   T76]  afs_close_socket+0x95/0x320
[   69.909369][   T76]  ? afs_purge_servers+0x16d/0x300
[   69.914475][   T76]  ? afs_rx_discard_new_call+0x50/0x50
[   69.919927][   T76]  ? init_wait_var_entry+0x200/0x200
[   69.925238][   T76]  ? rcu_read_lock_held_common+0xa0/0xa0
[   69.931477][   T76]  ? check_preemption_disabled+0x38/0x220
[   69.937291][   T76]  afs_net_exit+0x1bc/0x310
[   69.942057][   T76]  ? afs_net_init+0xe30/0xe30
[   69.947470][   T76]  ops_exit_list.isra.0+0xa8/0x150
[   69.953098][   T76]  cleanup_net+0x511/0xa50
[   69.957507][   T76]  ? unregister_pernet_device+0x70/0x70
[   69.963399][   T76]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   69.969385][   T76]  process_one_work+0x965/0x1690
[   69.974431][   T76]  ? lock_release+0x800/0x800
[   69.979107][   T76]  ? pwq_dec_nr_in_flight+0x310/0x310
[   69.984485][   T76]  ? rwlock_bug.part.0+0x90/0x90
[   69.989627][   T76]  worker_thread+0x96/0xe10
[   69.994169][   T76]  ? process_one_work+0x1690/0x1690
[   69.999374][   T76]  kthread+0x3b5/0x4a0
[   70.003532][   T76]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   70.009790][   T76]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   70.015514][   T76]  ret_from_fork+0x1f/0x30
[   70.021499][   T76] Kernel Offset: disabled
[   70.025848][   T76] Rebooting in 86400 seconds..