BUG: unable to handle kernel NULL pointer dereference in afs_unuse_cell

BUG: kernel NULL pointer dereference, address: 000000000000009c
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 122fff067 P4D 122fff067 PUD 122f6e067 PMD 0
Oops: 0000 [#1] SMP
CPU: 1 PID: 1442 Comm: kworker/u4:19 Not tainted 5.10.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
RIP: 0010:afs_unuse_cell+0x67/0x780 fs/afs/cell.c:592
Code: 4d 8b 6f 08 45 8b a7 88 0c 00 00 41 8b 87 90 0c 00 00 89 45 d4 e8 69 09 96 fd 49 8d 9e 9c 00 00 00 4d 85 ed 0f 85 30 04 00 00 <41> 8b 86 9c 00 00 00 89 45 8c 48 89 df e8 47 ee 15 fe 8b 18 8b 0a
RSP: 0018:ffff88810667ba38 EFLAGS: 00010246
RAX: ffffffff8428ee07 RBX: 000000000000009c RCX: ffff88810715be00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888128c89400
RBP: ffff88810667bac0 R08: ffffea000000000f R09: ffff88813fffa000
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810715c810
FS: 0000000000000000(0000) GS:ffff88813fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000009c CR3: 000000012758d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 afs_cell_purge+0xfb/0x5e0 fs/afs/cell.c:951
 afs_net_exit+0xc6/0x180 fs/afs/main.c:156
 ops_exit_list net/core/net_namespace.c:187 [inline]
 cleanup_net+0xd73/0x1af0 net/core/net_namespace.c:604
 process_one_work+0x121c/0x1fc0 kernel/workqueue.c:2272
 worker_thread+0x10cc/0x2740 kernel/workqueue.c:2418
 kthread+0x51c/0x560 kernel/kthread.c:292
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
Modules linked in:
CR2: 000000000000009c
---[ end trace b036e0bb03a52e43 ]---
RIP: 0010:afs_unuse_cell+0x67/0x780 fs/afs/cell.c:592
Code: 4d 8b 6f 08 45 8b a7 88 0c 00 00 41 8b 87 90 0c 00 00 89 45 d4 e8 69 09 96 fd 49 8d 9e 9c 00 00 00 4d 85 ed 0f 85 30 04 00 00 <41> 8b 86 9c 00 00 00 89 45 8c 48 89 df e8 47 ee 15 fe 8b 18 8b 0a
RSP: 0018:ffff88810667ba38 EFLAGS: 00010246
RAX: ffffffff8428ee07 RBX: 000000000000009c RCX: ffff88810715be00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888128c89400
RBP: ffff88810667bac0 R08: ffffea000000000f R09: ffff88813fffa000
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810715c810
FS: 0000000000000000(0000) GS:ffff88813fd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000009c CR3: 000000012758d000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Warning: Permanently added '10.128.0.235' (ECDSA) to the list of known hosts.
[ OK ] Listening on Load/Save RF Kill Switch Status /dev/rfkill Watch.
[ OK ] Started Getty on tty6.
[ OK ] Started Getty on tty5.
[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty2.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

2020/11/13 00:04:32 fuzzer started
2020/11/13 00:04:32 connecting to host at 10.128.0.26:34469
2020/11/13 00:04:32 checking machine...
2020/11/13 00:04:32 checking revisions...
2020/11/13 00:04:33 testing simple program...
executing program
syzkaller login: [ 175.076525][ T27] audit: type=1400 audit(1605225878.604:8): avc: denied { execmem } for pid=8504 comm="syz-executor.0" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
[ 175.245855][ T27] audit: type=1400 audit(1605225878.774:9): avc: denied { sys_admin } for pid=8504 comm="syz-executor.0" capability=21 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=cap_userns permissive=1
[ 175.278237][ T8505] IPVS: ftp: loaded support on port[0] = 21
[ 175.356277][ T27] audit: type=1400 audit(1605225878.884:10): avc: denied { sys_chroot } for pid=8505 comm="syz-executor.0" capability=18 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=cap_userns permissive=1
executing program
2020/11/13 00:04:39 building call list...
[ 176.421606][ T1442] BUG: kernel NULL pointer dereference, address: 000000000000009c
[ 176.429524][ T1442] #PF: supervisor read access in kernel mode
[ 176.435572][ T1442] #PF: error_code(0x0000) - not-present page
[ 176.441696][ T1442] PGD 122fff067 P4D 122fff067 PUD 122f6e067 PMD 0
[ 176.448435][ T1442] Oops: 0000 [#1] SMP
[ 176.452514][ T1442] CPU: 1 PID: 1442 Comm: kworker/u4:19 Not tainted 5.10.0-rc1-syzkaller #0
[ 176.461291][ T1442] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 176.471467][ T1442] Workqueue: netns cleanup_net
[ 176.476378][ T1442] RIP: 0010:afs_unuse_cell+0x67/0x780
[ 176.481865][ T1442] Code: 4d 8b 6f 08 45 8b a7 88 0c 00 00 41 8b 87 90 0c 00 00 89 45 d4 e8 69 09 96 fd 49 8d 9e 9c 00 00 00 4d 85 ed 0f 85 30 04 00 00 <41> 8b 86 9c 00 00 00 89 45 8c 48 89 df e8 47 ee 15 fe 8b 18 8b 0a
[ 176.501654][ T1442] RSP: 0018:ffff88810667ba38 EFLAGS: 00010246
[ 176.507833][ T1442] RAX: ffffffff8428ee07 RBX: 000000000000009c RCX: ffff88810715be00
[ 176.515892][ T1442] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888128c89400
[ 176.523958][ T1442] RBP: ffff88810667bac0 R08: ffffea000000000f R09: ffff88813fffa000
[ 176.532007][ T1442] R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
[ 176.540061][ T1442] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810715c810
[ 176.548571][ T1442] FS: 0000000000000000(0000) GS:ffff88813fd00000(0000) knlGS:0000000000000000
[ 176.557599][ T1442] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 176.564304][ T1442] CR2: 000000000000009c CR3: 000000012758d000 CR4: 00000000001506e0
[ 176.572368][ T1442] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 176.580437][ T1442] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 176.588486][ T1442] Call Trace:
[ 176.591890][ T1442] ? up_write+0x62/0x220
[ 176.596254][ T1442] afs_cell_purge+0xfb/0x5e0
[ 176.601084][ T1442] ? del_timer_sync+0x131/0x1f0
[ 176.606067][ T1442] ? afs_fs_probe_cleanup+0x111/0x140
[ 176.611558][ T1442] afs_net_exit+0xc6/0x180
[ 176.616082][ T1442] ? afs_net_init+0xe90/0xe90
[ 176.620864][ T1442] cleanup_net+0xd73/0x1af0
[ 176.625485][ T1442] ? ops_init+0x7d0/0x7d0
[ 176.629948][ T1442] process_one_work+0x121c/0x1fc0
[ 176.635126][ T1442] worker_thread+0x10cc/0x2740
[ 176.640022][ T1442] ? kmsan_get_metadata+0x116/0x180
[ 176.645347][ T1442] kthread+0x51c/0x560
[ 176.649533][ T1442] ? process_one_work+0x1fc0/0x1fc0
[ 176.654850][ T1442] ? kthread_blkcg+0x110/0x110
[ 176.659723][ T1442] ret_from_fork+0x1f/0x30
[ 176.664205][ T1442] Modules linked in:
[ 176.668192][ T1442] CR2: 000000000000009c
[ 176.672441][ T1442] ---[ end trace b036e0bb03a52e43 ]---
[ 176.678003][ T1442] RIP: 0010:afs_unuse_cell+0x67/0x780
[ 176.683513][ T1442] Code: 4d 8b 6f 08 45 8b a7 88 0c 00 00 41 8b 87 90 0c 00 00 89 45 d4 e8 69 09 96 fd 49 8d 9e 9c 00 00 00 4d 85 ed 0f 85 30 04 00 00 <41> 8b 86 9c 00 00 00 89 45 8c 48 89 df e8 47 ee 15 fe 8b 18 8b 0a
[ 176.703222][ T1442] RSP: 0018:ffff88810667ba38 EFLAGS: 00010246
[ 176.709412][ T1442] RAX: ffffffff8428ee07 RBX: 000000000000009c RCX: ffff88810715be00
[ 176.717477][ T1442] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888128c89400
[ 176.725979][ T1442] RBP: ffff88810667bac0 R08: ffffea000000000f R09: ffff88813fffa000
[ 176.734036][ T1442] R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
[ 176.742092][ T1442] R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810715c810
[ 176.750162][ T1442] FS: 0000000000000000(0000) GS:ffff88813fd00000(0000) knlGS:0000000000000000
[ 176.759176][ T1442] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 176.765843][ T1442] CR2: 000000000000009c CR3: 000000012758d000 CR4: 00000000001506e0
[ 176.773899][ T1442] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 176.781958][ T1442] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 176.790003][ T1442] Kernel panic - not syncing: Fatal exception
[ 176.797316][ T1442] Kernel Offset: disabled
[ 176.801686][ T1442] Rebooting in 86400 seconds..
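Reading the report: the bytes marked "<41> 8b 86 9c 00 00 00" in the Code: line decode to mov eax, [r14+0x9c]. R14 is 0 in the register dump and RBX already holds 0x9c (loaded by the lea just before the branch), so the fault is a 4-byte read from offset 0x9c of a NULL struct pointer, reached from the "netns cleanup_net" workqueue through afs_net_exit -> afs_cell_purge -> afs_unuse_cell. The audit lines show syz-executor exercising capability checks inside a user namespace (tclass=cap_userns), so the trigger is namespace teardown rather than a direct AFS mount operation. The script below is an added triage helper, not part of the syzbot report or of the kernel tree: it parses the Oops header lines above (copied verbatim into SAMPLE_OOPS), decodes the faulting instruction for the plain "mov reg, [base+disp]" and "mov [base+disp], reg" encodings (opcodes 8b/89; SIB and RIP-relative forms are deliberately rejected), and checks that the computed effective address agrees with CR2 and with the address the #PF handler reported. The decoder and the consistency check are my own code and assume an x86-64 Oops in the format shown here.

```python
"""Added triage helper for an x86-64 kernel Oops (not syzbot or kernel code).

Decodes the instruction marked <..> in the Code: line for the plain
mov reg,[base+disp] / mov [base+disp],reg forms and checks that the
register dump is consistent with a NULL-base dereference.
"""
import re
import struct

GPR = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
       "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]

# Header lines copied from the afs_unuse_cell report above.
SAMPLE_OOPS = """\
BUG: kernel NULL pointer dereference, address: 000000000000009c
#PF: supervisor read access in kernel mode
RIP: 0010:afs_unuse_cell+0x67/0x780 fs/afs/cell.c:592
Code: 4d 8b 6f 08 45 8b a7 88 0c 00 00 41 8b 87 90 0c 00 00 89 45 d4 e8 69 09 96 fd 49 8d 9e 9c 00 00 00 4d 85 ed 0f 85 30 04 00 00 <41> 8b 86 9c 00 00 00 89 45 8c 48 89 df e8 47 ee 15 fe 8b 18 8b 0a
RSP: 0018:ffff88810667ba38 EFLAGS: 00010246
RAX: ffffffff8428ee07 RBX: 000000000000009c RCX: ffff88810715be00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888128c89400
RBP: ffff88810667bac0 R08: ffffea000000000f R09: ffff88813fffa000
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88810715c810
CR2: 000000000000009c CR3: 000000012758d000 CR4: 00000000001506e0
"""


def parse_oops(text):
    """Return fault address, RIP symbol, Code: bytes, faulting-byte index and registers."""
    m = re.search(r"address: ([0-9a-f]+)", text)
    fault_addr = int(m.group(1), 16) if m else None
    m = re.search(r"RIP: [0-9a-f]{4}:(\S+)", text)
    rip = m.group(1) if m else None
    m = re.search(r"Code: (.*)", text)
    tokens = m.group(1).split() if m else []
    code = [int(t.strip("<>"), 16) for t in tokens]
    fault_idx = next((i for i, t in enumerate(tokens) if t.startswith("<")), None)
    regs = {}
    # RSP carries a "0018:" segment prefix; R08..R15 are zero padded.
    for m in re.finditer(r"\b(R[A-DS-Z][A-Z]|R[0-9]{2}|CR[0-4]):\s*(?:[0-9a-f]{4}:)?([0-9a-f]{16})\b", text):
        name = m.group(1).lower()
        if name[1:].isdigit():
            name = "r%d" % int(name[1:])
        regs[name] = int(m.group(2), 16)
    return {"fault_addr": fault_addr, "rip": rip, "code": code,
            "fault_idx": fault_idx, "regs": regs}


def reg_str(idx, width):
    """Intel-syntax register name for the 32- or 64-bit operand."""
    name = GPR[idx]
    if width == 8:
        return name
    return name + "d" if idx >= 8 else "e" + name[1:]


def decode_mov_mem(code, start):
    """Decode opcode 8b/89 with an optional REX prefix at code[start].
    Only [base+disp] addressing is handled; SIB and RIP-relative raise."""
    i, rex = start, 0
    if 0x40 <= code[i] <= 0x4F:
        rex, i = code[i], i + 1
    op, i = code[i], i + 1
    if op not in (0x8B, 0x89):
        raise ValueError("opcode 0x%02x not handled" % op)
    modrm, i = code[i], i + 1
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod == 3:
        raise ValueError("register-direct form, no memory operand")
    if rm == 4:
        raise ValueError("SIB addressing not handled")
    if mod == 0 and rm == 5:
        raise ValueError("RIP-relative addressing not handled")
    reg += 8 if rex & 4 else 0   # REX.R extends the reg field
    rm += 8 if rex & 1 else 0    # REX.B extends the base register
    if mod == 1:
        disp, i = struct.unpack("<b", bytes(code[i:i + 1]))[0], i + 1
    elif mod == 2:
        disp, i = struct.unpack("<i", bytes(code[i:i + 4]))[0], i + 4
    else:
        disp = 0
    width = 8 if rex & 8 else 4  # REX.W selects the 64-bit operand
    return {"base": GPR[rm], "reg": reg_str(reg, width), "disp": disp,
            "load": op == 0x8B, "width": width, "length": i - start}


def check_null_deref(oops):
    """Compute the effective address of the faulting access and compare it
    with CR2 and the #PF-reported address; flag a zero base register."""
    ins = decode_mov_mem(oops["code"], oops["fault_idx"])
    base_val = oops["regs"][ins["base"]]
    ea = (base_val + ins["disp"]) & 0xFFFFFFFFFFFFFFFF
    mem = "[%s%s0x%x]" % (ins["base"], "+" if ins["disp"] >= 0 else "-", abs(ins["disp"]))
    insn = "mov %s, %s" % ((ins["reg"], mem) if ins["load"] else (mem, ins["reg"]))
    return {"rip": oops["rip"], "insn": insn, "base": ins["base"],
            "base_value": base_val, "effective_addr": ea,
            "matches_cr2": ea == oops["regs"].get("cr2"),
            "matches_fault_addr": ea == oops["fault_addr"],
            "null_base": base_val == 0}


if __name__ == "__main__":
    for k, v in check_null_deref(parse_oops(SAMPLE_OOPS)).items():
        print("%-18s %s" % (k, hex(v) if type(v) is int else v))
```

For this report the three checks agree (effective address 0x9c, CR2 0x9c, fault address 0x9c, base register r14 == 0), which is the confirmation wanted before treating an Oops as a plain NULL dereference rather than a wild pointer that happened to land in the first page. When the decoder raises, the faulting instruction uses a form outside its scope and the Code: bytes should be fed to a real disassembler instead.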