Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.41' (ECDSA) to the list of known hosts.
2020/07/03 21:22:48 fuzzer started
2020/07/03 21:22:49 connecting to host at 10.128.0.26:41053
2020/07/03 21:22:49 checking machine...
2020/07/03 21:22:49 checking revisions...
2020/07/03 21:22:49 testing simple program...
syzkaller login: [ 59.061771][ T6822] IPVS: ftp: loaded support on port[0] = 21
2020/07/03 21:22:49 building call list...
[ 59.374221][ T2485] tipc: TX() has been purged, node left!
[ 59.916381][ T2485] ==================================================================
[ 59.924629][ T2485] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[ 59.932519][ T2485] Write of size 1 at addr ffff88809fd2e9e4 by task kworker/u4:4/2485
[ 59.940566][ T2485]
[ 59.942895][ T2485] CPU: 0 PID: 2485 Comm: kworker/u4:4 Not tainted 5.8.0-rc1-syzkaller #0
[ 59.951301][ T2485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.961363][ T2485] Workqueue: netns cleanup_net
[ 59.966118][ T2485] Call Trace:
[ 59.969408][ T2485]  dump_stack+0x18f/0x20d
[ 59.973744][ T2485]  ? afs_wake_up_async_call+0x430/0x4a0
[ 59.979285][ T2485]  ? afs_wake_up_async_call+0x430/0x4a0
[ 59.984824][ T2485]  ? afs_put_call+0x440/0x440
[ 59.989499][ T2485]  print_address_description.constprop.0.cold+0xae/0x436
[ 59.996527][ T2485]  ? vprintk_func+0x97/0x1a6
[ 60.001117][ T2485]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.006661][ T2485]  kasan_report.cold+0x1f/0x37
[ 60.011441][ T2485]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.016987][ T2485]  afs_wake_up_async_call+0x430/0x4a0
[ 60.022356][ T2485]  ? afs_close_socket+0x320/0x320
[ 60.027380][ T2485]  rxrpc_notify_socket+0x1db/0x5d0
[ 60.032490][ T2485]  ? afs_put_call+0x440/0x440
[ 60.037194][ T2485]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 60.043613][ T2485]  rxrpc_call_completed+0xd0/0xf0
[ 60.048649][ T2485]  rxrpc_discard_prealloc+0x777/0xab0
[ 60.054018][ T2485]  ? lock_sock_nested+0x94/0x110
[ 60.058956][ T2485]  rxrpc_listen+0x11c/0x330
[ 60.063469][ T2485]  afs_close_socket+0x95/0x320
[ 60.068227][ T2485]  ? afs_purge_servers+0x16d/0x300
[ 60.073336][ T2485]  ? afs_rx_discard_new_call+0x50/0x50
[ 60.078794][ T2485]  ? init_wait_var_entry+0x200/0x200
[ 60.084085][ T2485]  ? check_preemption_disabled+0x38/0x220
[ 60.089809][ T2485]  afs_net_exit+0x1bc/0x310
[ 60.094306][ T2485]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 60.099933][ T2485]  ops_exit_list+0xb0/0x160
[ 60.104439][ T2485]  cleanup_net+0x4ea/0xa00
[ 60.108853][ T2485]  ? __schedule+0x887/0x1eb0
[ 60.113442][ T2485]  ? ops_free_list.part.0+0x3d0/0x3d0
[ 60.118814][ T2485]  ? check_preemption_disabled+0x38/0x220
[ 60.124537][ T2485]  process_one_work+0x94c/0x1670
[ 60.129483][ T2485]  ? lock_release+0x8d0/0x8d0
[ 60.134157][ T2485]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 60.139533][ T2485]  ? rwlock_bug.part.0+0x90/0x90
[ 60.144508][ T2485]  worker_thread+0x64c/0x1120
[ 60.149198][ T2485]  ? process_one_work+0x1670/0x1670
[ 60.154393][ T2485]  kthread+0x3b5/0x4a0
[ 60.158458][ T2485]  ? __kthread_bind_mask+0xc0/0xc0
[ 60.163564][ T2485]  ? __kthread_bind_mask+0xc0/0xc0
[ 60.168673][ T2485]  ret_from_fork+0x1f/0x30
[ 60.173098][ T2485]
[ 60.175421][ T2485] Allocated by task 6822:
[ 60.179746][ T2485]  save_stack+0x1b/0x40
[ 60.183898][ T2485]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 60.189525][ T2485]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 60.194891][ T2485]  afs_alloc_call+0x4f/0x360
[ 60.199474][ T2485]  afs_charge_preallocation+0xe9/0x2d0
[ 60.204924][ T2485]  afs_open_socket+0x294/0x360
[ 60.209680][ T2485]  afs_net_init+0xa6c/0xe30
[ 60.214176][ T2485]  ops_init+0xaf/0x470
[ 60.218237][ T2485]  setup_net+0x2d8/0x850
[ 60.222474][ T2485]  copy_net_ns+0x2cf/0x5e0
[ 60.226884][ T2485]  create_new_namespaces+0x3f6/0xb10
[ 60.232164][ T2485]  unshare_nsproxy_namespaces+0xbd/0x1f0
[ 60.237799][ T2485]  ksys_unshare+0x36c/0x9a0
[ 60.242305][ T2485]  __x64_sys_unshare+0x2d/0x40
[ 60.247076][ T2485]  do_syscall_64+0x60/0xe0
[ 60.251502][ T2485]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.257382][ T2485]
[ 60.259707][ T2485] Freed by task 2485:
[ 60.263687][ T2485]  save_stack+0x1b/0x40
[ 60.267856][ T2485]  __kasan_slab_free+0xf5/0x140
[ 60.272701][ T2485]  kfree+0x103/0x2c0
[ 60.276591][ T2485]  afs_put_call+0x345/0x440
[ 60.281087][ T2485]  rxrpc_discard_prealloc+0x75a/0xab0
[ 60.286454][ T2485]  rxrpc_listen+0x11c/0x330
[ 60.290951][ T2485]  afs_close_socket+0x95/0x320
[ 60.295707][ T2485]  afs_net_exit+0x1bc/0x310
[ 60.300210][ T2485]  ops_exit_list+0xb0/0x160
[ 60.304709][ T2485]  cleanup_net+0x4ea/0xa00
[ 60.309118][ T2485]  process_one_work+0x94c/0x1670
[ 60.314052][ T2485]  worker_thread+0x64c/0x1120
[ 60.318718][ T2485]  kthread+0x3b5/0x4a0
[ 60.322779][ T2485]  ret_from_fork+0x1f/0x30
[ 60.327179][ T2485]
[ 60.329503][ T2485] The buggy address belongs to the object at ffff88809fd2e800
[ 60.329503][ T2485]  which belongs to the cache kmalloc-1k of size 1024
[ 60.343550][ T2485] The buggy address is located 484 bytes inside of
[ 60.343550][ T2485]  1024-byte region [ffff88809fd2e800, ffff88809fd2ec00)
[ 60.356892][ T2485] The buggy address belongs to the page:
[ 60.362518][ T2485] page:ffffea00027f4b80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 60.371612][ T2485] flags: 0xfffe0000000200(slab)
[ 60.376460][ T2485] raw: 00fffe0000000200 ffffea0002809548 ffffea0002a4b648 ffff8880aa000c40
[ 60.385040][ T2485] raw: 0000000000000000 ffff88809fd2e000 0000000100000002 0000000000000000
[ 60.393614][ T2485] page dumped because: kasan: bad access detected
[ 60.400011][ T2485]
[ 60.402328][ T2485] Memory state around the buggy address:
[ 60.407950][ T2485]  ffff88809fd2e880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.416004][ T2485]  ffff88809fd2e900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.424056][ T2485] >ffff88809fd2e980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.432103][ T2485]                                                        ^
[ 60.439289][ T2485]  ffff88809fd2ea00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.447344][ T2485]  ffff88809fd2ea80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.455394][ T2485] ==================================================================
[ 60.463441][ T2485] Disabling lock debugging due to kernel taint
[ 60.469643][ T2485] Kernel panic - not syncing: panic_on_warn set ...
[ 60.476228][ T2485] CPU: 0 PID: 2485 Comm: kworker/u4:4 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 60.486012][ T2485] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.496065][ T2485] Workqueue: netns cleanup_net
[ 60.500814][ T2485] Call Trace:
[ 60.504098][ T2485]  dump_stack+0x18f/0x20d
[ 60.508426][ T2485]  ? afs_wake_up_async_call+0x3b0/0x4a0
[ 60.514060][ T2485]  ? afs_put_call+0x440/0x440
[ 60.518730][ T2485]  panic+0x2e3/0x75c
[ 60.522630][ T2485]  ? __warn_printk+0xf3/0xf3
[ 60.527217][ T2485]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.532748][ T2485]  ? trace_hardirqs_on+0x55/0x220
[ 60.537755][ T2485]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.543279][ T2485]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.548810][ T2485]  ? afs_put_call+0x440/0x440
[ 60.553477][ T2485]  end_report+0x4d/0x53
[ 60.557799][ T2485]  kasan_report.cold+0xd/0x37
[ 60.562501][ T2485]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.568029][ T2485]  afs_wake_up_async_call+0x430/0x4a0
[ 60.573384][ T2485]  ? afs_close_socket+0x320/0x320
[ 60.578396][ T2485]  rxrpc_notify_socket+0x1db/0x5d0
[ 60.583487][ T2485]  ? afs_put_call+0x440/0x440
[ 60.588145][ T2485]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 60.594537][ T2485]  rxrpc_call_completed+0xd0/0xf0
[ 60.599544][ T2485]  rxrpc_discard_prealloc+0x777/0xab0
[ 60.604896][ T2485]  ? lock_sock_nested+0x94/0x110
[ 60.609810][ T2485]  rxrpc_listen+0x11c/0x330
[ 60.614299][ T2485]  afs_close_socket+0x95/0x320
[ 60.619041][ T2485]  ? afs_purge_servers+0x16d/0x300
[ 60.624141][ T2485]  ? afs_rx_discard_new_call+0x50/0x50
[ 60.629582][ T2485]  ? init_wait_var_entry+0x200/0x200
[ 60.634844][ T2485]  ? check_preemption_disabled+0x38/0x220
[ 60.640543][ T2485]  afs_net_exit+0x1bc/0x310
[ 60.645029][ T2485]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 60.650633][ T2485]  ops_exit_list+0xb0/0x160
[ 60.655119][ T2485]  cleanup_net+0x4ea/0xa00
[ 60.659576][ T2485]  ? __schedule+0x887/0x1eb0
[ 60.664156][ T2485]  ? ops_free_list.part.0+0x3d0/0x3d0
[ 60.669519][ T2485]  ? check_preemption_disabled+0x38/0x220
[ 60.675266][ T2485]  process_one_work+0x94c/0x1670
[ 60.680194][ T2485]  ? lock_release+0x8d0/0x8d0
[ 60.684904][ T2485]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 60.690268][ T2485]  ? rwlock_bug.part.0+0x90/0x90
[ 60.695199][ T2485]  worker_thread+0x64c/0x1120
[ 60.699859][ T2485]  ? process_one_work+0x1670/0x1670
[ 60.705041][ T2485]  kthread+0x3b5/0x4a0
[ 60.709093][ T2485]  ? __kthread_bind_mask+0xc0/0xc0
[ 60.714179][ T2485]  ? __kthread_bind_mask+0xc0/0xc0
[ 60.719709][ T2485]  ret_from_fork+0x1f/0x30
[ 60.725522][ T2485] Kernel Offset: disabled
[ 60.729842][ T2485] Rebooting in 86400 seconds..