Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.64' (ECDSA) to the list of known hosts.
2020/06/17 05:01:04 fuzzer started
2020/06/17 05:01:04 connecting to host at 10.128.0.26:46505
2020/06/17 05:01:04 checking machine...
2020/06/17 05:01:04 checking revisions...
2020/06/17 05:01:04 testing simple program...
syzkaller login: [ 60.580191][ T6982] IPVS: ftp: loaded support on port[0] = 21
2020/06/17 05:01:05 building call list...
[ 60.945935][ T313] tipc: TX() has been purged, node left!
[ 61.448270][ T313] ==================================================================
[ 61.456517][ T313] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 61.464409][ T313] Write of size 1 at addr ffff8880a72481e4 by task kworker/u4:7/313
[ 61.472371][ T313]
[ 61.474714][ T313] CPU: 1 PID: 313 Comm: kworker/u4:7 Not tainted 5.8.0-rc1-next-20200617-syzkaller #0
[ 61.484243][ T313] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.494300][ T313] Workqueue: netns cleanup_net
[ 61.499058][ T313] Call Trace:
[ 61.502387][ T313] dump_stack+0x18f/0x20d
[ 61.506719][ T313] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.512284][ T313] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.517822][ T313] ? afs_put_call+0xa40/0xa40
[ 61.522513][ T313] print_address_description.constprop.0.cold+0xd3/0x413
[ 61.529552][ T313] ? vprintk_func+0x97/0x1a6
[ 61.534148][ T313] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.539692][ T313] kasan_report.cold+0x1f/0x37
[ 61.544459][ T313] ? rcu_read_lock_held_common+0x51/0xa0
[ 61.550084][ T313] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.555642][ T313] afs_wake_up_async_call+0x6aa/0x770
[ 61.561009][ T313] ? afs_close_socket+0x320/0x320
[ 61.566035][ T313] ? afs_put_call+0xa40/0xa40
[ 61.570732][ T313] rxrpc_notify_socket+0x1db/0x5d0
[ 61.575852][ T313] ? afs_put_call+0xa40/0xa40
[ 61.580525][ T313] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.586945][ T313] rxrpc_call_completed+0xca/0xf0
[ 61.591972][ T313] rxrpc_discard_prealloc+0x781/0xab0
[ 61.597447][ T313] ? lock_sock_nested+0x94/0x110
[ 61.604870][ T313] rxrpc_listen+0x147/0x360
[ 61.609484][ T313] afs_close_socket+0x95/0x320
[ 61.615673][ T313] ? afs_purge_servers+0x16d/0x300
[ 61.620873][ T313] ? afs_rx_discard_new_call+0x50/0x50
[ 61.626350][ T313] ? init_wait_var_entry+0x200/0x200
[ 61.631927][ T313] ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.638113][ T313] ? check_preemption_disabled+0x38/0x220
[ 61.644444][ T313] afs_net_exit+0x1bc/0x310
[ 61.649640][ T313] ? afs_net_init+0xe30/0xe30
[ 61.654313][ T313] ops_exit_list.isra.0+0xa8/0x150
[ 61.659428][ T313] cleanup_net+0x511/0xa50
[ 61.663861][ T313] ? unregister_pernet_device+0x70/0x70
[ 61.669496][ T313] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.675481][ T313] process_one_work+0x965/0x1690
[ 61.680425][ T313] ? lock_release+0x800/0x800
[ 61.685121][ T313] ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.690509][ T313] ? rwlock_bug.part.0+0x90/0x90
[ 61.695551][ T313] worker_thread+0x96/0xe10
[ 61.700078][ T313] ? process_one_work+0x1690/0x1690
[ 61.705305][ T313] kthread+0x3b5/0x4a0
[ 61.709834][ T313] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.715656][ T313] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.721376][ T313] ret_from_fork+0x1f/0x30
[ 61.725800][ T313]
[ 61.728126][ T313] Allocated by task 6982:
[ 61.732452][ T313] save_stack+0x1b/0x40
[ 61.736692][ T313] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.742445][ T313] kmem_cache_alloc_trace+0x153/0x7d0
[ 61.747812][ T313] afs_alloc_call+0x55/0x630
[ 61.752397][ T313] afs_charge_preallocation+0xe9/0x2d0
[ 61.757850][ T313] afs_open_socket+0x292/0x360
[ 61.762609][ T313] afs_net_init+0xa6c/0xe30
[ 61.767108][ T313] ops_init+0xaf/0x420
[ 61.771173][ T313] setup_net+0x2de/0x860
[ 61.775506][ T313] copy_net_ns+0x293/0x590
[ 61.779937][ T313] create_new_namespaces+0x3fb/0xb30
[ 61.785250][ T313] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 61.791519][ T313] ksys_unshare+0x445/0x8e0
[ 61.796054][ T313] __x64_sys_unshare+0x2d/0x40
[ 61.800815][ T313] do_syscall_64+0x60/0xe0
[ 61.805226][ T313] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.811116][ T313]
[ 61.813457][ T313] Freed by task 313:
[ 61.817360][ T313] save_stack+0x1b/0x40
[ 61.821513][ T313] __kasan_slab_free+0xf7/0x140
[ 61.826369][ T313] kfree+0x109/0x2b0
[ 61.830260][ T313] afs_put_call+0x585/0xa40
[ 61.834774][ T313] rxrpc_discard_prealloc+0x764/0xab0
[ 61.840150][ T313] rxrpc_listen+0x147/0x360
[ 61.844657][ T313] afs_close_socket+0x95/0x320
[ 61.849442][ T313] afs_net_exit+0x1bc/0x310
[ 61.853945][ T313] ops_exit_list.isra.0+0xa8/0x150
[ 61.859051][ T313] cleanup_net+0x511/0xa50
[ 61.863464][ T313] process_one_work+0x965/0x1690
[ 61.868398][ T313] worker_thread+0x96/0xe10
[ 61.872920][ T313] kthread+0x3b5/0x4a0
[ 61.877077][ T313] ret_from_fork+0x1f/0x30
[ 61.881478][ T313]
[ 61.883809][ T313] The buggy address belongs to the object at ffff8880a7248000
[ 61.883809][ T313] which belongs to the cache kmalloc-1k of size 1024
[ 61.899250][ T313] The buggy address is located 484 bytes inside of
[ 61.899250][ T313] 1024-byte region [ffff8880a7248000, ffff8880a7248400)
[ 61.912954][ T313] The buggy address belongs to the page:
[ 61.918585][ T313] page:ffffea00029c9200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 61.927684][ T313] flags: 0xfffe0000000200(slab)
[ 61.932572][ T313] raw: 00fffe0000000200 ffffea00024f5348 ffffea00025bcf08 ffff8880aa000c40
[ 61.941167][ T313] raw: 0000000000000000 ffff8880a7248000 0000000100000002 0000000000000000
[ 61.949751][ T313] page dumped because: kasan: bad access detected
[ 61.957369][ T313]
[ 61.959689][ T313] Memory state around the buggy address:
[ 61.965347][ T313] ffff8880a7248080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.973406][ T313] ffff8880a7248100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.981484][ T313] >ffff8880a7248180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.989640][ T313] ^
[ 61.996830][ T313] ffff8880a7248200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.004888][ T313] ffff8880a7248280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.012941][ T313] ==================================================================
[ 62.020989][ T313] Disabling lock debugging due to kernel taint
[ 62.027194][ T313] Kernel panic - not syncing: panic_on_warn set ...
[ 62.033802][ T313] CPU: 1 PID: 313 Comm: kworker/u4:7 Tainted: G B 5.8.0-rc1-next-20200617-syzkaller #0
[ 62.044713][ T313] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.055200][ T313] Workqueue: netns cleanup_net
[ 62.059949][ T313] Call Trace:
[ 62.063251][ T313] dump_stack+0x18f/0x20d
[ 62.067576][ T313] ? afs_wake_up_async_call+0x5e0/0x770
[ 62.073110][ T313] ? afs_put_call+0xa40/0xa40
[ 62.077778][ T313] panic+0x2e3/0x75c
[ 62.081666][ T313] ? __warn_printk+0xf3/0xf3
[ 62.086246][ T313] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 62.092393][ T313] ? trace_hardirqs_on+0x55/0x220
[ 62.097412][ T313] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.102943][ T313] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.108484][ T313] ? afs_put_call+0xa40/0xa40
[ 62.113158][ T313] end_report+0x4d/0x53
[ 62.117310][ T313] kasan_report.cold+0xd/0x37
[ 62.121982][ T313] ? rcu_read_lock_held_common+0x51/0xa0
[ 62.127608][ T313] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.133150][ T313] afs_wake_up_async_call+0x6aa/0x770
[ 62.138519][ T313] ? afs_close_socket+0x320/0x320
[ 62.144232][ T313] ? afs_put_call+0xa40/0xa40
[ 62.148899][ T313] rxrpc_notify_socket+0x1db/0x5d0
[ 62.154001][ T313] ? afs_put_call+0xa40/0xa40
[ 62.158668][ T313] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 62.165272][ T313] rxrpc_call_completed+0xca/0xf0
[ 62.170310][ T313] rxrpc_discard_prealloc+0x781/0xab0
[ 62.175674][ T313] ? lock_sock_nested+0x94/0x110
[ 62.180715][ T313] rxrpc_listen+0x147/0x360
[ 62.185233][ T313] afs_close_socket+0x95/0x320
[ 62.190006][ T313] ? afs_purge_servers+0x16d/0x300
[ 62.195207][ T313] ? afs_rx_discard_new_call+0x50/0x50
[ 62.200679][ T313] ? init_wait_var_entry+0x200/0x200
[ 62.205968][ T313] ? rcu_read_lock_held_common+0xa0/0xa0
[ 62.211590][ T313] ? check_preemption_disabled+0x38/0x220
[ 62.217321][ T313] afs_net_exit+0x1bc/0x310
[ 62.221817][ T313] ? afs_net_init+0xe30/0xe30
[ 62.226507][ T313] ops_exit_list.isra.0+0xa8/0x150
[ 62.231615][ T313] cleanup_net+0x511/0xa50
[ 62.236114][ T313] ? unregister_pernet_device+0x70/0x70
[ 62.241659][ T313] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 62.248248][ T313] process_one_work+0x965/0x1690
[ 62.253182][ T313] ? lock_release+0x800/0x800
[ 62.258029][ T313] ? pwq_dec_nr_in_flight+0x310/0x310
[ 62.263397][ T313] ? rwlock_bug.part.0+0x90/0x90
[ 62.268332][ T313] worker_thread+0x96/0xe10
[ 62.272855][ T313] ? process_one_work+0x1690/0x1690
[ 62.278045][ T313] kthread+0x3b5/0x4a0
[ 62.282108][ T313] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.287845][ T313] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.293574][ T313] ret_from_fork+0x1f/0x30
[ 62.299386][ T313] Kernel Offset: disabled
[ 62.303749][ T313] Rebooting in 86400 seconds..