[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
       Starting Load/Save RF Kill Switch Status...
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.151' (ECDSA) to the list of known hosts.
2020/06/19 08:14:55 fuzzer started
2020/06/19 08:14:55 connecting to host at 10.128.0.26:40865
2020/06/19 08:14:55 checking machine...
2020/06/19 08:14:55 checking revisions...
2020/06/19 08:14:55 testing simple program...
syzkaller login: [ 57.484363][ T6833] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 08:14:56 building call list...
[ 57.845386][ T321] tipc: TX() has been purged, node left!
[ 58.377524][ T321] ==================================================================
[ 58.385760][ T321] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 58.393646][ T321] Write of size 1 at addr ffff8880956d09e4 by task kworker/u4:5/321
[ 58.401703][ T321]
[ 58.404032][ T321] CPU: 0 PID: 321 Comm: kworker/u4:5 Not tainted 5.8.0-rc1-next-20200618-syzkaller #0
[ 58.413574][ T321] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.423633][ T321] Workqueue: netns cleanup_net
[ 58.428472][ T321] Call Trace:
[ 58.431773][ T321]  dump_stack+0x18f/0x20d
[ 58.436122][ T321]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.441698][ T321]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.447238][ T321]  ? afs_put_call+0xa40/0xa40
[ 58.451915][ T321]  print_address_description.constprop.0.cold+0xd3/0x413
[ 58.458951][ T321]  ? vprintk_func+0x97/0x1a6
[ 58.463566][ T321]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.469108][ T321]  kasan_report.cold+0x1f/0x37
[ 58.473872][ T321]  ? rcu_read_lock_held_common+0x71/0xa0
[ 58.479499][ T321]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.485045][ T321]  afs_wake_up_async_call+0x6aa/0x770
[ 58.490414][ T321]  ? afs_close_socket+0x320/0x320
[ 58.495440][ T321]  ? afs_put_call+0xa40/0xa40
[ 58.500128][ T321]  rxrpc_notify_socket+0x1db/0x5d0
[ 58.505335][ T321]  ? afs_put_call+0xa40/0xa40
[ 58.510008][ T321]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 58.516418][ T321]  rxrpc_call_completed+0xca/0xf0
[ 58.521443][ T321]  rxrpc_discard_prealloc+0x781/0xab0
[ 58.526815][ T321]  ? lock_sock_nested+0x94/0x110
[ 58.531753][ T321]  rxrpc_listen+0x147/0x360
[ 58.536906][ T321]  afs_close_socket+0x95/0x320
[ 58.541799][ T321]  ? afs_purge_servers+0x16d/0x300
[ 58.546938][ T321]  ? afs_rx_discard_new_call+0x50/0x50
[ 58.552419][ T321]  ? init_wait_var_entry+0x200/0x200
[ 58.557720][ T321]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 58.563348][ T321]  ? check_preemption_disabled+0x38/0x220
[ 58.569128][ T321]  afs_net_exit+0x1bc/0x310
[ 58.573669][ T321]  ? afs_net_init+0xe30/0xe30
[ 58.578378][ T321]  ops_exit_list.isra.0+0xa8/0x150
[ 58.583546][ T321]  cleanup_net+0x511/0xa50
[ 58.587991][ T321]  ? unregister_pernet_device+0x70/0x70
[ 58.593562][ T321]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 58.599588][ T321]  process_one_work+0x965/0x1690
[ 58.604548][ T321]  ? lock_release+0x800/0x800
[ 58.609234][ T321]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 58.614624][ T321]  ? rwlock_bug.part.0+0x90/0x90
[ 58.619755][ T321]  worker_thread+0x96/0xe10
[ 58.624486][ T321]  ? process_one_work+0x1690/0x1690
[ 58.629700][ T321]  kthread+0x3b5/0x4a0
[ 58.633770][ T321]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.639488][ T321]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.645556][ T321]  ret_from_fork+0x1f/0x30
[ 58.649980][ T321]
[ 58.652301][ T321] Allocated by task 6833:
[ 58.656639][ T321]  save_stack+0x1b/0x40
[ 58.660810][ T321]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.666439][ T321]  kmem_cache_alloc_trace+0x153/0x7d0
[ 58.671898][ T321]  afs_alloc_call+0x55/0x630
[ 58.676500][ T321]  afs_charge_preallocation+0xe9/0x2d0
[ 58.681959][ T321]  afs_open_socket+0x292/0x360
[ 58.686721][ T321]  afs_net_init+0xa6c/0xe30
[ 58.691669][ T321]  ops_init+0xaf/0x420
[ 58.695827][ T321]  setup_net+0x2de/0x860
[ 58.700069][ T321]  copy_net_ns+0x293/0x590
[ 58.704483][ T321]  create_new_namespaces+0x3fb/0xb30
[ 58.709845][ T321]  unshare_nsproxy_namespaces+0xbd/0x1f0
[ 58.715471][ T321]  ksys_unshare+0x445/0x8e0
[ 58.720054][ T321]  __x64_sys_unshare+0x2d/0x40
[ 58.724810][ T321]  do_syscall_64+0x60/0xe0
[ 58.729219][ T321]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.735117][ T321]
[ 58.737443][ T321] Freed by task 321:
[ 58.741332][ T321]  save_stack+0x1b/0x40
[ 58.745567][ T321]  __kasan_slab_free+0xf7/0x140
[ 58.750414][ T321]  kfree+0x109/0x2b0
[ 58.754303][ T321]  afs_put_call+0x585/0xa40
[ 58.758800][ T321]  rxrpc_discard_prealloc+0x764/0xab0
[ 58.764161][ T321]  rxrpc_listen+0x147/0x360
[ 58.768668][ T321]  afs_close_socket+0x95/0x320
[ 58.773423][ T321]  afs_net_exit+0x1bc/0x310
[ 58.777929][ T321]  ops_exit_list.isra.0+0xa8/0x150
[ 58.783055][ T321]  cleanup_net+0x511/0xa50
[ 58.787473][ T321]  process_one_work+0x965/0x1690
[ 58.792425][ T321]  worker_thread+0x96/0xe10
[ 58.797362][ T321]  kthread+0x3b5/0x4a0
[ 58.801453][ T321]  ret_from_fork+0x1f/0x30
[ 58.805894][ T321]
[ 58.808223][ T321] The buggy address belongs to the object at ffff8880956d0800
[ 58.808223][ T321]  which belongs to the cache kmalloc-1k of size 1024
[ 58.822281][ T321] The buggy address is located 484 bytes inside of
[ 58.822281][ T321]  1024-byte region [ffff8880956d0800, ffff8880956d0c00)
[ 58.835726][ T321] The buggy address belongs to the page:
[ 58.841361][ T321] page:ffffea000255b400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 58.850459][ T321] flags: 0xfffe0000000200(slab)
[ 58.855309][ T321] raw: 00fffe0000000200 ffffea000256efc8 ffffea000250e908 ffff8880aa000c40
[ 58.863891][ T321] raw: 0000000000000000 ffff8880956d0000 0000000100000002 0000000000000000
[ 58.872475][ T321] page dumped because: kasan: bad access detected
[ 58.878883][ T321]
[ 58.881209][ T321] Memory state around the buggy address:
[ 58.887007][ T321]  ffff8880956d0880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.895062][ T321]  ffff8880956d0900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.903394][ T321] >ffff8880956d0980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.911469][ T321]                                                        ^
[ 58.918661][ T321]  ffff8880956d0a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.926808][ T321]  ffff8880956d0a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.934854][ T321] ==================================================================
[ 58.943253][ T321] Disabling lock debugging due to kernel taint
[ 58.949482][ T321] Kernel panic - not syncing: panic_on_warn set ...
[ 58.956066][ T321] CPU: 0 PID: 321 Comm: kworker/u4:5 Tainted: G B 5.8.0-rc1-next-20200618-syzkaller #0
[ 58.966989][ T321] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.977085][ T321] Workqueue: netns cleanup_net
[ 58.981848][ T321] Call Trace:
[ 58.985147][ T321]  dump_stack+0x18f/0x20d
[ 58.989492][ T321]  ? afs_wake_up_async_call+0x660/0x770
[ 58.995034][ T321]  ? afs_put_call+0xa40/0xa40
[ 58.999711][ T321]  panic+0x2e3/0x75c
[ 59.003613][ T321]  ? __warn_printk+0xf3/0xf3
[ 59.008204][ T321]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 59.014353][ T321]  ? trace_hardirqs_on+0x55/0x220
[ 59.019805][ T321]  ? afs_wake_up_async_call+0x6aa/0x770
[ 59.025513][ T321]  ? afs_wake_up_async_call+0x6aa/0x770
[ 59.031135][ T321]  ? afs_put_call+0xa40/0xa40
[ 59.035812][ T321]  end_report+0x4d/0x53
[ 59.039963][ T321]  kasan_report.cold+0xd/0x37
[ 59.044645][ T321]  ? rcu_read_lock_held_common+0x71/0xa0
[ 59.050285][ T321]  ? afs_wake_up_async_call+0x6aa/0x770
[ 59.055834][ T321]  afs_wake_up_async_call+0x6aa/0x770
[ 59.061400][ T321]  ? afs_close_socket+0x320/0x320
[ 59.066442][ T321]  ? afs_put_call+0xa40/0xa40
[ 59.071225][ T321]  rxrpc_notify_socket+0x1db/0x5d0
[ 59.077218][ T321]  ? afs_put_call+0xa40/0xa40
[ 59.082137][ T321]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 59.089107][ T321]  rxrpc_call_completed+0xca/0xf0
[ 59.094137][ T321]  rxrpc_discard_prealloc+0x781/0xab0
[ 59.099497][ T321]  ? lock_sock_nested+0x94/0x110
[ 59.104416][ T321]  rxrpc_listen+0x147/0x360
[ 59.108966][ T321]  afs_close_socket+0x95/0x320
[ 59.114118][ T321]  ? afs_purge_servers+0x16d/0x300
[ 59.119402][ T321]  ? afs_rx_discard_new_call+0x50/0x50
[ 59.125080][ T321]  ? init_wait_var_entry+0x200/0x200
[ 59.130716][ T321]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 59.136462][ T321]  ? check_preemption_disabled+0x38/0x220
[ 59.142217][ T321]  afs_net_exit+0x1bc/0x310
[ 59.146851][ T321]  ? afs_net_init+0xe30/0xe30
[ 59.151540][ T321]  ops_exit_list.isra.0+0xa8/0x150
[ 59.156678][ T321]  cleanup_net+0x511/0xa50
[ 59.161134][ T321]  ? unregister_pernet_device+0x70/0x70
[ 59.166780][ T321]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 59.172778][ T321]  process_one_work+0x965/0x1690
[ 59.177723][ T321]  ? lock_release+0x800/0x800
[ 59.182390][ T321]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 59.187895][ T321]  ? rwlock_bug.part.0+0x90/0x90
[ 59.192848][ T321]  worker_thread+0x96/0xe10
[ 59.197351][ T321]  ? process_one_work+0x1690/0x1690
[ 59.202550][ T321]  kthread+0x3b5/0x4a0
[ 59.206598][ T321]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 59.212301][ T321]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 59.218019][ T321]  ret_from_fork+0x1f/0x30
[ 59.223993][ T321] Kernel Offset: disabled
[ 59.228324][ T321] Rebooting in 86400 seconds..