[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.158' (ECDSA) to the list of known hosts.
2020/06/19 05:40:43 fuzzer started
2020/06/19 05:40:44 connecting to host at 10.128.0.26:33015
2020/06/19 05:40:44 checking machine...
2020/06/19 05:40:44 checking revisions...
2020/06/19 05:40:44 testing simple program...
syzkaller login: [ 61.802678][ T6823] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 05:40:44 building call list...
[ 62.144762][ T252] tipc: TX() has been purged, node left!
[ 62.686956][ T252] ==================================================================
[ 62.695283][ T252] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 62.703167][ T252] Write of size 1 at addr ffff88809f5c51e4 by task kworker/u4:5/252
[ 62.711126][ T252]
[ 62.713456][ T252] CPU: 1 PID: 252 Comm: kworker/u4:5 Not tainted 5.8.0-rc1-syzkaller #0
[ 62.721788][ T252] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.731843][ T252] Workqueue: netns cleanup_net
[ 62.736600][ T252] Call Trace:
[ 62.739949][ T252] dump_stack+0x18f/0x20d
[ 62.745408][ T252] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.750948][ T252] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.756487][ T252] ? afs_put_call+0xa40/0xa40
[ 62.761161][ T252] print_address_description.constprop.0.cold+0xd3/0x413
[ 62.768204][ T252] ? vprintk_func+0x97/0x1a6
[ 62.772794][ T252] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.778349][ T252] kasan_report.cold+0x1f/0x37
[ 62.783129][ T252] ? rcu_read_lock_held_common+0x51/0xa0
[ 62.789018][ T252] ? afs_wake_up_async_call+0x6aa/0x770
[ 62.794563][ T252] afs_wake_up_async_call+0x6aa/0x770
[ 62.800018][ T252] ? afs_close_socket+0x320/0x320
[ 62.805041][ T252] ? afs_put_call+0xa40/0xa40
[ 62.809716][ T252] rxrpc_notify_socket+0x1db/0x5d0
[ 62.814831][ T252] ? afs_put_call+0xa40/0xa40
[ 62.819508][ T252] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 62.826018][ T252] rxrpc_call_completed+0xca/0xf0
[ 62.831054][ T252] rxrpc_discard_prealloc+0x781/0xab0
[ 62.836432][ T252] ? lock_sock_nested+0x94/0x110
[ 62.841372][ T252] rxrpc_listen+0x147/0x360
[ 62.846307][ T252] afs_close_socket+0x95/0x320
[ 62.851066][ T252] ? afs_purge_servers+0x16d/0x300
[ 62.856189][ T252] ? afs_rx_discard_new_call+0x50/0x50
[ 62.861653][ T252] ? init_wait_var_entry+0x200/0x200
[ 62.866943][ T252] ? rcu_read_lock_held_common+0xa0/0xa0
[ 62.872573][ T252] ? check_preemption_disabled+0x38/0x220
[ 62.878299][ T252] afs_net_exit+0x1bc/0x310
[ 62.882886][ T252] ? afs_net_init+0xe30/0xe30
[ 62.887568][ T252] ops_exit_list.isra.0+0xa8/0x150
[ 62.895024][ T252] cleanup_net+0x511/0xa50
[ 62.899440][ T252] ? unregister_pernet_device+0x70/0x70
[ 62.904992][ T252] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 62.910978][ T252] process_one_work+0x965/0x1690
[ 62.915933][ T252] ? lock_release+0x800/0x800
[ 62.921131][ T252] ? pwq_dec_nr_in_flight+0x310/0x310
[ 62.926593][ T252] ? rwlock_bug.part.0+0x90/0x90
[ 62.931545][ T252] worker_thread+0x96/0xe10
[ 62.936062][ T252] ? process_one_work+0x1690/0x1690
[ 62.941261][ T252] kthread+0x3b5/0x4a0
[ 62.945324][ T252] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.951046][ T252] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 62.956768][ T252] ret_from_fork+0x1f/0x30
[ 62.961278][ T252]
[ 62.963601][ T252] Allocated by task 6823:
[ 62.967927][ T252] save_stack+0x1b/0x40
[ 62.972104][ T252] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 62.978338][ T252] kmem_cache_alloc_trace+0x153/0x7d0
[ 62.983719][ T252] afs_alloc_call+0x55/0x630
[ 62.988304][ T252] afs_charge_preallocation+0xe9/0x2d0
[ 62.993759][ T252] afs_open_socket+0x292/0x360
[ 62.998521][ T252] afs_net_init+0xa6c/0xe30
[ 63.003020][ T252] ops_init+0xaf/0x420
[ 63.007079][ T252] setup_net+0x2de/0x860
[ 63.011313][ T252] copy_net_ns+0x293/0x590
[ 63.015730][ T252] create_new_namespaces+0x3fb/0xb30
[ 63.021013][ T252] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 63.028635][ T252] ksys_unshare+0x43d/0x8e0
[ 63.033147][ T252] __x64_sys_unshare+0x2d/0x40
[ 63.037906][ T252] do_syscall_64+0x60/0xe0
[ 63.042322][ T252] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 63.048236][ T252]
[ 63.050561][ T252] Freed by task 252:
[ 63.054479][ T252] save_stack+0x1b/0x40
[ 63.058662][ T252] __kasan_slab_free+0xf7/0x140
[ 63.063526][ T252] kfree+0x109/0x2b0
[ 63.067429][ T252] afs_put_call+0x585/0xa40
[ 63.071948][ T252] rxrpc_discard_prealloc+0x764/0xab0
[ 63.077407][ T252] rxrpc_listen+0x147/0x360
[ 63.081909][ T252] afs_close_socket+0x95/0x320
[ 63.087716][ T252] afs_net_exit+0x1bc/0x310
[ 63.092214][ T252] ops_exit_list.isra.0+0xa8/0x150
[ 63.097407][ T252] cleanup_net+0x511/0xa50
[ 63.102426][ T252] process_one_work+0x965/0x1690
[ 63.107370][ T252] worker_thread+0x96/0xe10
[ 63.111883][ T252] kthread+0x3b5/0x4a0
[ 63.115946][ T252] ret_from_fork+0x1f/0x30
[ 63.120355][ T252]
[ 63.123202][ T252] The buggy address belongs to the object at ffff88809f5c5000
[ 63.123202][ T252]  which belongs to the cache kmalloc-1k of size 1024
[ 63.137247][ T252] The buggy address is located 484 bytes inside of
[ 63.137247][ T252]  1024-byte region [ffff88809f5c5000, ffff88809f5c5400)
[ 63.150594][ T252] The buggy address belongs to the page:
[ 63.156223][ T252] page:ffffea00027d7140 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 63.165327][ T252] flags: 0xfffe0000000200(slab)
[ 63.170300][ T252] raw: 00fffe0000000200 ffffea00024e5248 ffffea0002a59c48 ffff8880aa000c40
[ 63.178885][ T252] raw: 0000000000000000 ffff88809f5c5000 0000000100000002 0000000000000000
[ 63.187457][ T252] page dumped because: kasan: bad access detected
[ 63.193854][ T252]
[ 63.196192][ T252] Memory state around the buggy address:
[ 63.201828][ T252]  ffff88809f5c5080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.209883][ T252]  ffff88809f5c5100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.217941][ T252] >ffff88809f5c5180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.225989][ T252]                                                        ^
[ 63.233191][ T252]  ffff88809f5c5200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.241245][ T252]  ffff88809f5c5280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.250534][ T252] ==================================================================
[ 63.258589][ T252] Disabling lock debugging due to kernel taint
[ 63.264814][ T252] Kernel panic - not syncing: panic_on_warn set ...
[ 63.271431][ T252] CPU: 1 PID: 252 Comm: kworker/u4:5 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 63.281225][ T252] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.291287][ T252] Workqueue: netns cleanup_net
[ 63.296043][ T252] Call Trace:
[ 63.299335][ T252] dump_stack+0x18f/0x20d
[ 63.303669][ T252] ? afs_wake_up_async_call+0x670/0x770
[ 63.309209][ T252] ? afs_put_call+0xa40/0xa40
[ 63.314927][ T252] panic+0x2e3/0x75c
[ 63.318824][ T252] ? __warn_printk+0xf3/0xf3
[ 63.323413][ T252] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 63.329570][ T252] ? trace_hardirqs_on+0x55/0x220
[ 63.334710][ T252] ? afs_wake_up_async_call+0x6aa/0x770
[ 63.340237][ T252] ? afs_wake_up_async_call+0x6aa/0x770
[ 63.345760][ T252] ? afs_put_call+0xa40/0xa40
[ 63.350428][ T252] end_report+0x4d/0x53
[ 63.354924][ T252] kasan_report.cold+0xd/0x37
[ 63.359606][ T252] ? rcu_read_lock_held_common+0x51/0xa0
[ 63.365237][ T252] ? afs_wake_up_async_call+0x6aa/0x770
[ 63.370793][ T252] afs_wake_up_async_call+0x6aa/0x770
[ 63.376156][ T252] ? afs_close_socket+0x320/0x320
[ 63.381186][ T252] ? afs_put_call+0xa40/0xa40
[ 63.385868][ T252] rxrpc_notify_socket+0x1db/0x5d0
[ 63.390983][ T252] ? afs_put_call+0xa40/0xa40
[ 63.395665][ T252] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 63.402211][ T252] rxrpc_call_completed+0xca/0xf0
[ 63.407224][ T252] rxrpc_discard_prealloc+0x781/0xab0
[ 63.412609][ T252] ? lock_sock_nested+0x94/0x110
[ 63.417553][ T252] rxrpc_listen+0x147/0x360
[ 63.422128][ T252] afs_close_socket+0x95/0x320
[ 63.426881][ T252] ? afs_purge_servers+0x16d/0x300
[ 63.431990][ T252] ? afs_rx_discard_new_call+0x50/0x50
[ 63.437452][ T252] ? init_wait_var_entry+0x200/0x200
[ 63.442753][ T252] ? rcu_read_lock_held_common+0xa0/0xa0
[ 63.448552][ T252] ? check_preemption_disabled+0x38/0x220
[ 63.454260][ T252] afs_net_exit+0x1bc/0x310
[ 63.458745][ T252] ? afs_net_init+0xe30/0xe30
[ 63.463844][ T252] ops_exit_list.isra.0+0xa8/0x150
[ 63.469381][ T252] cleanup_net+0x511/0xa50
[ 63.473798][ T252] ? unregister_pernet_device+0x70/0x70
[ 63.479741][ T252] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 63.485731][ T252] process_one_work+0x965/0x1690
[ 63.490663][ T252] ? lock_release+0x800/0x800
[ 63.495376][ T252] ? pwq_dec_nr_in_flight+0x310/0x310
[ 63.501274][ T252] ? rwlock_bug.part.0+0x90/0x90
[ 63.506222][ T252] worker_thread+0x96/0xe10
[ 63.510747][ T252] ? process_one_work+0x1690/0x1690
[ 63.515939][ T252] kthread+0x3b5/0x4a0
[ 63.520601][ T252] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 63.526316][ T252] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 63.532024][ T252] ret_from_fork+0x1f/0x30
[ 63.537973][ T252] Kernel Offset: disabled
[ 63.542303][ T252] Rebooting in 86400 seconds..