[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.113' (ECDSA) to the list of known hosts.
2020/06/25 21:56:18 fuzzer started
2020/06/25 21:56:18 connecting to host at 10.128.0.26:38883
2020/06/25 21:56:18 checking machine...
2020/06/25 21:56:18 checking revisions...
2020/06/25 21:56:18 testing simple program...
syzkaller login: [ 47.486582][ T6831] IPVS: ftp: loaded support on port[0] = 21
2020/06/25 21:56:18 building call list...
[ 47.806595][ T25] tipc: TX() has been purged, node left!
[ 48.318610][ T25] ==================================================================
[ 48.326840][ T25] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0
[ 48.334823][ T25] Write of size 1 at addr ffff8880820239e4 by task kworker/u4:2/25
[ 48.343398][ T25]
[ 48.345730][ T25] CPU: 0 PID: 25 Comm: kworker/u4:2 Not tainted 5.8.0-rc2-syzkaller #0
[ 48.354217][ T25] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.364282][ T25] Workqueue: netns cleanup_net
[ 48.369167][ T25] Call Trace:
[ 48.372467][ T25] dump_stack+0x1f0/0x31e
[ 48.376887][ T25] print_address_description+0x66/0x5a0
[ 48.382441][ T25] ? vprintk_emit+0x342/0x3c0
[ 48.387173][ T25] ? printk+0x62/0x83
[ 48.391150][ T25] ? vprintk_emit+0x339/0x3c0
[ 48.395828][ T25] kasan_report+0x132/0x1d0
[ 48.400852][ T25] ? afs_wake_up_async_call+0x16f/0x1c0
[ 48.406400][ T25] ? afs_make_call+0x24f0/0x24f0
[ 48.411521][ T25] afs_wake_up_async_call+0x16f/0x1c0
[ 48.416978][ T25] ? afs_make_call+0x24f0/0x24f0
[ 48.421910][ T25] rxrpc_notify_socket+0x1e7/0x4a0
[ 48.427024][ T25] rxrpc_call_completed+0x131/0x210
[ 48.432224][ T25] ? afs_rx_new_call+0x240/0x240
[ 48.437192][ T25] rxrpc_discard_prealloc+0x60d/0x710
[ 48.442570][ T25] rxrpc_listen+0x246/0x370
[ 48.447078][ T25] afs_close_socket+0x57/0x280
[ 48.452018][ T25] ? afs_purge_servers+0x25f/0x2c0
[ 48.457216][ T25] ? init_wait_var_entry+0x150/0x150
[ 48.462692][ T25] afs_net_exit+0x57/0xa0
[ 48.467713][ T25] cleanup_net+0x708/0xba0
[ 48.472154][ T25] process_one_work+0x789/0xfc0
[ 48.477032][ T25] worker_thread+0xaa4/0x1460
[ 48.481736][ T25] kthread+0x37e/0x3a0
[ 48.485808][ T25] ? rcu_lock_release+0x20/0x20
[ 48.490745][ T25] ? kthread_blkcg+0xd0/0xd0
[ 48.495336][ T25] ret_from_fork+0x1f/0x30
[ 48.499763][ T25]
[ 48.502123][ T25] Allocated by task 6831:
[ 48.506539][ T25] __kasan_kmalloc+0x103/0x140
[ 48.511298][ T25] kmem_cache_alloc_trace+0x234/0x300
[ 48.516835][ T25] afs_alloc_call+0x89/0x2f0
[ 48.521417][ T25] afs_charge_preallocation+0xf0/0x2a0
[ 48.527047][ T25] afs_open_socket+0x3c7/0x510
[ 48.531924][ T25] afs_net_init+0x7a0/0x990
[ 48.536422][ T25] ops_init+0x320/0x410
[ 48.540578][ T25] setup_net+0x1cb/0x770
[ 48.544902][ T25] copy_net_ns+0x339/0x540
[ 48.549397][ T25] create_new_namespaces+0x52e/0x9f0
[ 48.554763][ T25] unshare_nsproxy_namespaces+0x123/0x190
[ 48.560658][ T25] ksys_unshare+0x463/0x950
[ 48.565250][ T25] __x64_sys_unshare+0x34/0x40
[ 48.570276][ T25] do_syscall_64+0x73/0xe0
[ 48.574776][ T25] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 48.580657][ T25]
[ 48.582978][ T25] Freed by task 25:
[ 48.586783][ T25] __kasan_slab_free+0x114/0x170
[ 48.591711][ T25] kfree+0x10a/0x220
[ 48.595598][ T25] afs_put_call+0x30e/0x420
[ 48.600102][ T25] rxrpc_discard_prealloc+0x5e2/0x710
[ 48.605821][ T25] rxrpc_listen+0x246/0x370
[ 48.610320][ T25] afs_close_socket+0x57/0x280
[ 48.615082][ T25] afs_net_exit+0x57/0xa0
[ 48.619406][ T25] cleanup_net+0x708/0xba0
[ 48.623830][ T25] process_one_work+0x789/0xfc0
[ 48.628696][ T25] worker_thread+0xaa4/0x1460
[ 48.633388][ T25] kthread+0x37e/0x3a0
[ 48.637464][ T25] ret_from_fork+0x1f/0x30
[ 48.641902][ T25]
[ 48.644231][ T25] The buggy address belongs to the object at ffff888082023800
[ 48.644231][ T25] which belongs to the cache kmalloc-1k of size 1024
[ 48.658293][ T25] The buggy address is located 484 bytes inside of
[ 48.658293][ T25] 1024-byte region [ffff888082023800, ffff888082023c00)
[ 48.671841][ T25] The buggy address belongs to the page:
[ 48.677480][ T25] page:ffffea00020808c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 48.686710][ T25] flags: 0xfffe0000000200(slab)
[ 48.691563][ T25] raw: 00fffe0000000200 ffffea0002080848 ffffea0002080908 ffff8880aa400c40
[ 48.700238][ T25] raw: 0000000000000000 ffff888082023000 0000000100000002 0000000000000000
[ 48.708817][ T25] page dumped because: kasan: bad access detected
[ 48.715223][ T25]
[ 48.717548][ T25] Memory state around the buggy address:
[ 48.723183][ T25] ffff888082023880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.731382][ T25] ffff888082023900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.739467][ T25] >ffff888082023980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.747536][ T25] ^
[ 48.755053][ T25] ffff888082023a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.763122][ T25] ffff888082023a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.771265][ T25] ==================================================================
[ 48.779316][ T25] Disabling lock debugging due to kernel taint
[ 48.785678][ T25] Kernel panic - not syncing: panic_on_warn set ...
[ 48.792270][ T25] CPU: 0 PID: 25 Comm: kworker/u4:2 Tainted: G B 5.8.0-rc2-syzkaller #0
[ 48.802497][ T25] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 48.812555][ T25] Workqueue: netns cleanup_net
[ 48.817537][ T25] Call Trace:
[ 48.821007][ T25] dump_stack+0x1f0/0x31e
[ 48.825853][ T25] panic+0x264/0x7a0
[ 48.829735][ T25] ? trace_hardirqs_on+0x30/0x80
[ 48.835535][ T25] ? _raw_spin_unlock_irqrestore+0xa5/0xd0
[ 48.841340][ T25] kasan_report+0x1c9/0x1d0
[ 48.845931][ T25] ? afs_wake_up_async_call+0x16f/0x1c0
[ 48.851830][ T25] ? afs_make_call+0x24f0/0x24f0
[ 48.857179][ T25] afs_wake_up_async_call+0x16f/0x1c0
[ 48.862657][ T25] ? afs_make_call+0x24f0/0x24f0
[ 48.867617][ T25] rxrpc_notify_socket+0x1e7/0x4a0
[ 48.872852][ T25] rxrpc_call_completed+0x131/0x210
[ 48.878563][ T25] ? afs_rx_new_call+0x240/0x240
[ 48.883492][ T25] rxrpc_discard_prealloc+0x60d/0x710
[ 48.888848][ T25] rxrpc_listen+0x246/0x370
[ 48.893488][ T25] afs_close_socket+0x57/0x280
[ 48.898814][ T25] ? afs_purge_servers+0x25f/0x2c0
[ 48.904070][ T25] ? init_wait_var_entry+0x150/0x150
[ 48.909871][ T25] afs_net_exit+0x57/0xa0
[ 48.914292][ T25] cleanup_net+0x708/0xba0
[ 48.919562][ T25] process_one_work+0x789/0xfc0
[ 48.924667][ T25] worker_thread+0xaa4/0x1460
[ 48.930373][ T25] kthread+0x37e/0x3a0
[ 48.934465][ T25] ? rcu_lock_release+0x20/0x20
[ 48.939484][ T25] ? kthread_blkcg+0xd0/0xd0
[ 48.944241][ T25] ret_from_fork+0x1f/0x30
[ 48.950255][ T25] Kernel Offset: disabled
[ 48.954594][ T25] Rebooting in 86400 seconds..
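A triage helper for the report above, added here as an example (it is not part of the syzbot log, syzkaller, or the kernel sources). It parses the KASAN lines a reviewer reads first, re-derives the stated 484-byte offset from the access address and the object base, decodes the shadow byte at the fault (0xfb is the freed-kmalloc marker in mm/kasan/kasan.h of the v5.8 era), and finds the innermost frame common to the "Freed by" stack and the faulting call trace. SAMPLE is a constructed excerpt of this page's log; the field names and the heuristics are this example's own.

```python
"""Triage helper for a KASAN use-after-free report (added example; not kernel or
syzbot code). It parses the report's key lines, then checks the report's own
arithmetic: the fault's offset inside the slab object, the shadow byte covering
it (0xfb = freed kmalloc memory, per mm/kasan/kasan.h of the v5.8 era) and the
innermost frame shared by the free and use stacks, i.e. the function that freed
the object and later let it be touched. SAMPLE is a constructed excerpt of the
report on this page."""
import re

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s*")  # printk "[ time][ Tpid] " prefix
FRAME = re.compile(r"^(\?\s+)?(\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+$")  # func+0xoff/0xsize
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})$")
SHADOW = {0x00: "addressable", 0xfb: "freed kmalloc object", 0xfc: "kmalloc redzone",
          0xfe: "page redzone", 0xff: "freed page"}
HEX = lambda s: int(s, 16)
FIELDS = [  # (pattern, keys, converters) for the single-line report fields
    (r"BUG: KASAN: ([\w-]+) in (\w+)\+", ("bug", "func"), (str, str)),
    (r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task \S+/(\d+)$",
     ("access", "size", "addr", "pid"), (str.lower, int, HEX, int)),
    (r"The buggy address belongs to the object at ([0-9a-f]+)$", ("obj_base",), (HEX,)),
    (r"which belongs to the cache (\S+) of size (\d+)$", ("cache", "obj_size"), (str, int)),
    (r"The buggy address is located (\d+) bytes inside of$", ("stated_offset",), (int,)),
]

SAMPLE = """\
[   48.326840][   T25] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0
[   48.334823][   T25] Write of size 1 at addr ffff8880820239e4 by task kworker/u4:2/25
[   48.369167][   T25] Call Trace:
[   48.400852][   T25]  ? afs_wake_up_async_call+0x16f/0x1c0
[   48.411521][   T25]  afs_wake_up_async_call+0x16f/0x1c0
[   48.421910][   T25]  rxrpc_notify_socket+0x1e7/0x4a0
[   48.427024][   T25]  rxrpc_call_completed+0x131/0x210
[   48.437192][   T25]  rxrpc_discard_prealloc+0x60d/0x710
[   48.499763][   T25]
[   48.502123][   T25] Allocated by task 6831:
[   48.506539][   T25]  __kasan_kmalloc+0x103/0x140
[   48.516835][   T25]  afs_alloc_call+0x89/0x2f0
[   48.580657][   T25]
[   48.582978][   T25] Freed by task 25:
[   48.586783][   T25]  __kasan_slab_free+0x114/0x170
[   48.595598][   T25]  afs_put_call+0x30e/0x420
[   48.600102][   T25]  rxrpc_discard_prealloc+0x5e2/0x710
[   48.641902][   T25]
[   48.644231][   T25] The buggy address belongs to the object at ffff888082023800
[   48.644231][   T25]  which belongs to the cache kmalloc-1k of size 1024
[   48.658293][   T25] The buggy address is located 484 bytes inside of
[   48.739467][   T25] >ffff888082023980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""


def parse(text):
    """Return the report fields; stacks are lists of (function, return offset)."""
    rep = {"use_stack": [], "alloc_stack": [], "free_stack": [], "shadow": {}}
    stack = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:                         # a blank line ends a stack section
            stack = None
        elif line == "Call Trace:":
            stack = rep["use_stack"]
        elif (m := re.match(r"(Allocated|Freed) by task (\d+):$", line)):
            key = "alloc" if m.group(1) == "Allocated" else "free"
            rep[key + "_pid"], stack = int(m.group(2)), rep[key + "_stack"]
        elif (m := FRAME.match(line)) and stack is not None:
            if not m.group(1):               # "? func" frames are unreliable: skip
                stack.append((m.group(2), HEX(m.group(3))))
        elif (m := SHADOW_ROW.match(line)):  # one shadow byte per 8-byte granule
            rep["shadow"][HEX(m.group(1))] = [HEX(b) for b in m.group(2).split()]
        else:
            for pat, keys, conv in FIELDS:
                if (m := re.match(pat, line)):
                    rep.update(zip(keys, (c(v) for c, v in zip(conv, m.groups()))))
                    break
    return rep


def shadow_at(rep, addr):
    for base, row in rep["shadow"].items():
        if base <= addr < base + 8 * len(row):
            return row[(addr - base) // 8]
    return None


def innermost_shared_frame(rep):
    """(function, free return offset, use return offset) of the innermost common frame."""
    free = dict(rep["free_stack"])
    for fn, use_off in rep["use_stack"]:
        if fn in free:
            return fn, free[fn], use_off
    return None


def triage(rep):
    """Cross-check the report against itself and summarise the reviewer's first questions."""
    off = rep["addr"] - rep["obj_base"]
    sb = shadow_at(rep, rep["addr"])
    shared = innermost_shared_frame(rep)
    return {
        "bug": f"{rep['bug']} {rep['access']} of {rep['size']} byte(s) in {rep['func']}",
        "offset": off, "offset_matches_report": off == rep.get("stated_offset"),
        "inside_object": 0 <= off < rep["obj_size"],
        "shadow": SHADOW.get(sb, None if sb is None else f"0x{sb:02x}"),
        "freed_by_faulting_task": rep.get("free_pid") == rep["pid"],
        "shared_frame": shared,
        # the use's return address lies past the free's within the shared function
        "use_returns_after_free": shared is not None and shared[2] > shared[1],
    }
```

Run against the excerpt, `triage(parse(SAMPLE))` confirms the report's own numbers (0xffff8880820239e4 minus 0xffff888082023800 is 484, inside the 1024-byte kmalloc-1k object, and the granule at the fault is 0xfb) and names rxrpc_discard_prealloc as the shared frame: it freed the afs_call through afs_put_call at +0x5e2 and then touched it through rxrpc_call_completed at +0x60d, on the same kworker, which is exactly the sequence the two stacks in the log show. On a full report the same code also classifies redzone hits (0xfc/0xfe) rather than only freed memory.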