Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.45' (ECDSA) to the list of known hosts.
2020/06/19 07:07:50 fuzzer started
2020/06/19 07:07:50 connecting to host at 10.128.0.26:42669
2020/06/19 07:07:50 checking machine...
2020/06/19 07:07:50 checking revisions...
2020/06/19 07:07:50 testing simple program...
syzkaller login: [ 58.509495][ T6841] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 07:07:51 building call list...
[ 58.895274][ T21] tipc: TX() has been purged, node left!
[ 59.417431][ T21] ==================================================================
[ 59.425649][ T21] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 59.433709][ T21] Write of size 1 at addr ffff88809732b9e4 by task kworker/u4:1/21
[ 59.441583][ T21]
[ 59.443919][ T21] CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 5.8.0-rc1-next-20200618-syzkaller #0
[ 59.453445][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.464000][ T21] Workqueue: netns cleanup_net
[ 59.468782][ T21] Call Trace:
[ 59.472081][ T21] dump_stack+0x18f/0x20d
[ 59.476446][ T21] ? afs_wake_up_async_call+0x6aa/0x770
[ 59.482006][ T21] ? afs_wake_up_async_call+0x6aa/0x770
[ 59.487566][ T21] ? afs_put_call+0xa40/0xa40
[ 59.492244][ T21] print_address_description.constprop.0.cold+0xd3/0x413
[ 59.499268][ T21] ? vprintk_func+0x97/0x1a6
[ 59.503871][ T21] ? afs_wake_up_async_call+0x6aa/0x770
[ 59.509412][ T21] kasan_report.cold+0x1f/0x37
[ 59.514282][ T21] ? rcu_read_lock_held_common+0x71/0xa0
[ 59.521214][ T21] ? afs_wake_up_async_call+0x6aa/0x770
[ 59.526761][ T21] afs_wake_up_async_call+0x6aa/0x770
[ 59.532128][ T21] ? afs_close_socket+0x320/0x320
[ 59.537151][ T21] ? afs_put_call+0xa40/0xa40
[ 59.541826][ T21] rxrpc_notify_socket+0x1db/0x5d0
[ 59.546964][ T21] ? afs_put_call+0xa40/0xa40
[ 59.551662][ T21] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 59.558110][ T21] rxrpc_call_completed+0xca/0xf0
[ 59.563161][ T21] rxrpc_discard_prealloc+0x781/0xab0
[ 59.568641][ T21] ? lock_sock_nested+0x94/0x110
[ 59.573600][ T21] rxrpc_listen+0x147/0x360
[ 59.578135][ T21] afs_close_socket+0x95/0x320
[ 59.582993][ T21] ? afs_purge_servers+0x16d/0x300
[ 59.588107][ T21] ? afs_rx_discard_new_call+0x50/0x50
[ 59.593572][ T21] ? init_wait_var_entry+0x200/0x200
[ 59.598867][ T21] ? rcu_read_lock_held_common+0xa0/0xa0
[ 59.604523][ T21] ? check_preemption_disabled+0x38/0x220
[ 59.610252][ T21] afs_net_exit+0x1bc/0x310
[ 59.614750][ T21] ? afs_net_init+0xe30/0xe30
[ 59.619430][ T21] ops_exit_list.isra.0+0xa8/0x150
[ 59.624726][ T21] cleanup_net+0x511/0xa50
[ 59.629178][ T21] ? unregister_pernet_device+0x70/0x70
[ 59.634730][ T21] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 59.640722][ T21] process_one_work+0x965/0x1690
[ 59.645671][ T21] ? lock_release+0x800/0x800
[ 59.650381][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 59.655758][ T21] ? rwlock_bug.part.0+0x90/0x90
[ 59.660843][ T21] worker_thread+0x96/0xe10
[ 59.665480][ T21] ? process_one_work+0x1690/0x1690
[ 59.670683][ T21] kthread+0x3b5/0x4a0
[ 59.674748][ T21] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 59.680472][ T21] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 59.686216][ T21] ret_from_fork+0x1f/0x30
[ 59.690648][ T21]
[ 59.692968][ T21] Allocated by task 6841:
[ 59.697297][ T21] save_stack+0x1b/0x40
[ 59.701471][ T21] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.707117][ T21] kmem_cache_alloc_trace+0x153/0x7d0
[ 59.712482][ T21] afs_alloc_call+0x55/0x630
[ 59.717155][ T21] afs_charge_preallocation+0xe9/0x2d0
[ 59.722628][ T21] afs_open_socket+0x292/0x360
[ 59.727423][ T21] afs_net_init+0xa6c/0xe30
[ 59.731919][ T21] ops_init+0xaf/0x420
[ 59.735983][ T21] setup_net+0x2de/0x860
[ 59.740218][ T21] copy_net_ns+0x293/0x590
[ 59.744630][ T21] create_new_namespaces+0x3fb/0xb30
[ 59.749909][ T21] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 59.755565][ T21] ksys_unshare+0x445/0x8e0
[ 59.760063][ T21] __x64_sys_unshare+0x2d/0x40
[ 59.764821][ T21] do_syscall_64+0x60/0xe0
[ 59.769233][ T21] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 59.775128][ T21]
[ 59.777450][ T21] Freed by task 21:
[ 59.781280][ T21] save_stack+0x1b/0x40
[ 59.785438][ T21] __kasan_slab_free+0xf7/0x140
[ 59.790281][ T21] kfree+0x109/0x2b0
[ 59.794169][ T21] afs_put_call+0x585/0xa40
[ 59.798666][ T21] rxrpc_discard_prealloc+0x764/0xab0
[ 59.804028][ T21] rxrpc_listen+0x147/0x360
[ 59.808526][ T21] afs_close_socket+0x95/0x320
[ 59.813282][ T21] afs_net_exit+0x1bc/0x310
[ 59.817786][ T21] ops_exit_list.isra.0+0xa8/0x150
[ 59.822895][ T21] cleanup_net+0x511/0xa50
[ 59.827306][ T21] process_one_work+0x965/0x1690
[ 59.832260][ T21] worker_thread+0x96/0xe10
[ 59.836773][ T21] kthread+0x3b5/0x4a0
[ 59.840836][ T21] ret_from_fork+0x1f/0x30
[ 59.845240][ T21]
[ 59.847585][ T21] The buggy address belongs to the object at ffff88809732b800
[ 59.847585][ T21]  which belongs to the cache kmalloc-1k of size 1024
[ 59.862083][ T21] The buggy address is located 484 bytes inside of
[ 59.862083][ T21]  1024-byte region [ffff88809732b800, ffff88809732bc00)
[ 59.876472][ T21] The buggy address belongs to the page:
[ 59.882124][ T21] page:ffffea00025ccac0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 59.891220][ T21] flags: 0xfffe0000000200(slab)
[ 59.896071][ T21] raw: 00fffe0000000200 ffffea00027aab48 ffffea00025e2f88 ffff8880aa000c40
[ 59.904653][ T21] raw: 0000000000000000 ffff88809732b000 0000000100000002 0000000000000000
[ 59.913225][ T21] page dumped because: kasan: bad access detected
[ 59.919627][ T21]
[ 59.921949][ T21] Memory state around the buggy address:
[ 59.927576][ T21]  ffff88809732b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.935631][ T21]  ffff88809732b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.943687][ T21] >ffff88809732b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.951737][ T21]                                                        ^
[ 59.959365][ T21]  ffff88809732ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.967431][ T21]  ffff88809732ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.975487][ T21] ==================================================================
[ 59.983554][ T21] Disabling lock debugging due to kernel taint
[ 59.989803][ T21] Kernel panic - not syncing: panic_on_warn set ...
[ 59.996400][ T21] CPU: 1 PID: 21 Comm: kworker/u4:1 Tainted: G B 5.8.0-rc1-next-20200618-syzkaller #0
[ 60.007236][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.017308][ T21] Workqueue: netns cleanup_net
[ 60.022085][ T21] Call Trace:
[ 60.025380][ T21] dump_stack+0x18f/0x20d
[ 60.029716][ T21] ? afs_wake_up_async_call+0x660/0x770
[ 60.035263][ T21] ? afs_put_call+0xa40/0xa40
[ 60.039945][ T21] panic+0x2e3/0x75c
[ 60.043879][ T21] ? __warn_printk+0xf3/0xf3
[ 60.048559][ T21] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 60.054749][ T21] ? trace_hardirqs_on+0x55/0x220
[ 60.059769][ T21] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.065299][ T21] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.070830][ T21] ? afs_put_call+0xa40/0xa40
[ 60.075502][ T21] end_report+0x4d/0x53
[ 60.080085][ T21] kasan_report.cold+0xd/0x37
[ 60.084766][ T21] ? rcu_read_lock_held_common+0x71/0xa0
[ 60.090556][ T21] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.096221][ T21] afs_wake_up_async_call+0x6aa/0x770
[ 60.101575][ T21] ? afs_close_socket+0x320/0x320
[ 60.106607][ T21] ? afs_put_call+0xa40/0xa40
[ 60.111275][ T21] rxrpc_notify_socket+0x1db/0x5d0
[ 60.116493][ T21] ? afs_put_call+0xa40/0xa40
[ 60.121161][ T21] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 60.127555][ T21] rxrpc_call_completed+0xca/0xf0
[ 60.132654][ T21] rxrpc_discard_prealloc+0x781/0xab0
[ 60.138007][ T21] ? lock_sock_nested+0x94/0x110
[ 60.142932][ T21] rxrpc_listen+0x147/0x360
[ 60.147451][ T21] afs_close_socket+0x95/0x320
[ 60.152420][ T21] ? afs_purge_servers+0x16d/0x300
[ 60.157536][ T21] ? afs_rx_discard_new_call+0x50/0x50
[ 60.162996][ T21] ? init_wait_var_entry+0x200/0x200
[ 60.168374][ T21] ? rcu_read_lock_held_common+0xa0/0xa0
[ 60.173996][ T21] ? check_preemption_disabled+0x38/0x220
[ 60.179729][ T21] afs_net_exit+0x1bc/0x310
[ 60.184225][ T21] ? afs_net_init+0xe30/0xe30
[ 60.188890][ T21] ops_exit_list.isra.0+0xa8/0x150
[ 60.194075][ T21] cleanup_net+0x511/0xa50
[ 60.198487][ T21] ? unregister_pernet_device+0x70/0x70
[ 60.204467][ T21] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 60.210548][ T21] process_one_work+0x965/0x1690
[ 60.215581][ T21] ? lock_release+0x800/0x800
[ 60.220256][ T21] ? pwq_dec_nr_in_flight+0x310/0x310
[ 60.225743][ T21] ? rwlock_bug.part.0+0x90/0x90
[ 60.230661][ T21] worker_thread+0x96/0xe10
[ 60.235320][ T21] ? process_one_work+0x1690/0x1690
[ 60.240502][ T21] kthread+0x3b5/0x4a0
[ 60.244561][ T21] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 60.250397][ T21] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 60.256102][ T21] ret_from_fork+0x1f/0x30
[ 60.261889][ T21] Kernel Offset: disabled
[ 60.266231][ T21] Rebooting in 86400 seconds..