Starting Load/Save RF Kill Switch Status...
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.33' (ECDSA) to the list of known hosts.
2020/06/19 05:23:11 fuzzer started
2020/06/19 05:23:11 connecting to host at 10.128.0.26:36097
2020/06/19 05:23:11 checking machine...
2020/06/19 05:23:11 checking revisions...
2020/06/19 05:23:11 testing simple program...
syzkaller login: [ 59.689228][ T6819] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 05:23:12 building call list...
[ 60.019719][ T74] tipc: TX() has been purged, node left!
[ 60.533933][ T74] ==================================================================
[ 60.542660][ T74] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 60.550754][ T74] Write of size 1 at addr ffff88809ee651e4 by task kworker/u4:3/74
[ 60.558652][ T74]
[ 60.561051][ T74] CPU: 0 PID: 74 Comm: kworker/u4:3 Not tainted 5.8.0-rc1-syzkaller #0
[ 60.569467][ T74] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.579756][ T74] Workqueue: netns cleanup_net
[ 60.584534][ T74] Call Trace:
[ 60.587862][ T74] dump_stack+0x18f/0x20d
[ 60.592298][ T74] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.597885][ T74] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.603431][ T74] ? afs_put_call+0xa40/0xa40
[ 60.608108][ T74] print_address_description.constprop.0.cold+0xd3/0x413
[ 60.615140][ T74] ? vprintk_func+0x97/0x1a6
[ 60.619738][ T74] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.625282][ T74] kasan_report.cold+0x1f/0x37
[ 60.630047][ T74] ? rcu_read_lock_held_common+0x51/0xa0
[ 60.635674][ T74] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.641219][ T74] afs_wake_up_async_call+0x6aa/0x770
[ 60.646583][ T74] ? afs_close_socket+0x320/0x320
[ 60.651609][ T74] ? afs_put_call+0xa40/0xa40
[ 60.656285][ T74] rxrpc_notify_socket+0x1db/0x5d0
[ 60.662028][ T74] ? afs_put_call+0xa40/0xa40
[ 60.666709][ T74] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 60.673126][ T74] rxrpc_call_completed+0xca/0xf0
[ 60.678158][ T74] rxrpc_discard_prealloc+0x781/0xab0
[ 60.683531][ T74] ? lock_sock_nested+0x94/0x110
[ 60.688484][ T74] rxrpc_listen+0x147/0x360
[ 60.692997][ T74] afs_close_socket+0x95/0x320
[ 60.697758][ T74] ? afs_purge_servers+0x16d/0x300
[ 60.702875][ T74] ? afs_rx_discard_new_call+0x50/0x50
[ 60.708780][ T74] ? init_wait_var_entry+0x200/0x200
[ 60.714067][ T74] ? rcu_read_lock_held_common+0xa0/0xa0
[ 60.719791][ T74] ? check_preemption_disabled+0x38/0x220
[ 60.725510][ T74] afs_net_exit+0x1bc/0x310
[ 60.730189][ T74] ? afs_net_init+0xe30/0xe30
[ 60.734863][ T74] ops_exit_list.isra.0+0xa8/0x150
[ 60.739974][ T74] cleanup_net+0x511/0xa50
[ 60.744399][ T74] ? unregister_pernet_device+0x70/0x70
[ 60.749946][ T74] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 60.755929][ T74] process_one_work+0x965/0x1690
[ 60.760875][ T74] ? lock_release+0x800/0x800
[ 60.765548][ T74] ? pwq_dec_nr_in_flight+0x310/0x310
[ 60.770928][ T74] ? rwlock_bug.part.0+0x90/0x90
[ 60.775889][ T74] worker_thread+0x96/0xe10
[ 60.780413][ T74] ? process_one_work+0x1690/0x1690
[ 60.785615][ T74] kthread+0x3b5/0x4a0
[ 60.789683][ T74] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 60.795487][ T74] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 60.801213][ T74] ret_from_fork+0x1f/0x30
[ 60.805638][ T74]
[ 60.807962][ T74] Allocated by task 6819:
[ 60.812305][ T74] save_stack+0x1b/0x40
[ 60.816463][ T74] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 60.822090][ T74] kmem_cache_alloc_trace+0x153/0x7d0
[ 60.827457][ T74] afs_alloc_call+0x55/0x630
[ 60.832050][ T74] afs_charge_preallocation+0xe9/0x2d0
[ 60.837501][ T74] afs_open_socket+0x292/0x360
[ 60.842282][ T74] afs_net_init+0xa6c/0xe30
[ 60.846785][ T74] ops_init+0xaf/0x420
[ 60.850851][ T74] setup_net+0x2de/0x860
[ 60.855083][ T74] copy_net_ns+0x293/0x590
[ 60.859497][ T74] create_new_namespaces+0x3fb/0xb30
[ 60.864782][ T74] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 60.870414][ T74] ksys_unshare+0x43d/0x8e0
[ 60.875149][ T74] __x64_sys_unshare+0x2d/0x40
[ 60.879912][ T74] do_syscall_64+0x60/0xe0
[ 60.884330][ T74] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.890209][ T74]
[ 60.892534][ T74] Freed by task 74:
[ 60.896366][ T74] save_stack+0x1b/0x40
[ 60.902777][ T74] __kasan_slab_free+0xf7/0x140
[ 60.907621][ T74] kfree+0x109/0x2b0
[ 60.911506][ T74] afs_put_call+0x585/0xa40
[ 60.916015][ T74] rxrpc_discard_prealloc+0x764/0xab0
[ 60.921552][ T74] rxrpc_listen+0x147/0x360
[ 60.926050][ T74] afs_close_socket+0x95/0x320
[ 60.930806][ T74] afs_net_exit+0x1bc/0x310
[ 60.935305][ T74] ops_exit_list.isra.0+0xa8/0x150
[ 60.940425][ T74] cleanup_net+0x511/0xa50
[ 60.944838][ T74] process_one_work+0x965/0x1690
[ 60.949771][ T74] worker_thread+0x96/0xe10
[ 60.954266][ T74] kthread+0x3b5/0x4a0
[ 60.958331][ T74] ret_from_fork+0x1f/0x30
[ 60.962737][ T74]
[ 60.965153][ T74] The buggy address belongs to the object at ffff88809ee65000
[ 60.965153][ T74] which belongs to the cache kmalloc-1k of size 1024
[ 60.979303][ T74] The buggy address is located 484 bytes inside of
[ 60.979303][ T74] 1024-byte region [ffff88809ee65000, ffff88809ee65400)
[ 60.992746][ T74] The buggy address belongs to the page:
[ 60.998373][ T74] page:ffffea00027b9940 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 61.007465][ T74] flags: 0xfffe0000000200(slab)
[ 61.012332][ T74] raw: 00fffe0000000200 ffffea00026eb208 ffffea00029a8e88 ffff8880aa000c40
[ 61.020927][ T74] raw: 0000000000000000 ffff88809ee65000 0000000100000002 0000000000000000
[ 61.029502][ T74] page dumped because: kasan: bad access detected
[ 61.035904][ T74]
[ 61.038221][ T74] Memory state around the buggy address:
[ 61.043845][ T74] ffff88809ee65080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.051928][ T74] ffff88809ee65100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.060070][ T74] >ffff88809ee65180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.068125][ T74] ^
[ 61.075322][ T74] ffff88809ee65200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.083465][ T74] ffff88809ee65280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.091516][ T74] ==================================================================
[ 61.099580][ T74] Disabling lock debugging due to kernel taint
[ 61.105772][ T74] Kernel panic - not syncing: panic_on_warn set ...
[ 61.112355][ T74] CPU: 0 PID: 74 Comm: kworker/u4:3 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 61.121961][ T74] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.132011][ T74] Workqueue: netns cleanup_net
[ 61.136787][ T74] Call Trace:
[ 61.140083][ T74] dump_stack+0x18f/0x20d
[ 61.144412][ T74] ? afs_wake_up_async_call+0x680/0x770
[ 61.149960][ T74] ? afs_put_call+0xa40/0xa40
[ 61.154632][ T74] panic+0x2e3/0x75c
[ 61.158520][ T74] ? __warn_printk+0xf3/0xf3
[ 61.163109][ T74] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 61.169262][ T74] ? trace_hardirqs_on+0x55/0x220
[ 61.174279][ T74] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.179814][ T74] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.185351][ T74] ? afs_put_call+0xa40/0xa40
[ 61.190020][ T74] end_report+0x4d/0x53
[ 61.194169][ T74] kasan_report.cold+0xd/0x37
[ 61.198841][ T74] ? rcu_read_lock_held_common+0x51/0xa0
[ 61.204467][ T74] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.210005][ T74] afs_wake_up_async_call+0x6aa/0x770
[ 61.215376][ T74] ? afs_close_socket+0x320/0x320
[ 61.220390][ T74] ? afs_put_call+0xa40/0xa40
[ 61.225060][ T74] rxrpc_notify_socket+0x1db/0x5d0
[ 61.230161][ T74] ? afs_put_call+0xa40/0xa40
[ 61.234830][ T74] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.241240][ T74] rxrpc_call_completed+0xca/0xf0
[ 61.246258][ T74] rxrpc_discard_prealloc+0x781/0xab0
[ 61.251622][ T74] ? lock_sock_nested+0x94/0x110
[ 61.256552][ T74] rxrpc_listen+0x147/0x360
[ 61.261046][ T74] afs_close_socket+0x95/0x320
[ 61.265796][ T74] ? afs_purge_servers+0x16d/0x300
[ 61.270897][ T74] ? afs_rx_discard_new_call+0x50/0x50
[ 61.276354][ T74] ? init_wait_var_entry+0x200/0x200
[ 61.281721][ T74] ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.287355][ T74] ? check_preemption_disabled+0x38/0x220
[ 61.293073][ T74] afs_net_exit+0x1bc/0x310
[ 61.297570][ T74] ? afs_net_init+0xe30/0xe30
[ 61.302328][ T74] ops_exit_list.isra.0+0xa8/0x150
[ 61.307434][ T74] cleanup_net+0x511/0xa50
[ 61.311849][ T74] ? unregister_pernet_device+0x70/0x70
[ 61.317391][ T74] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.323368][ T74] process_one_work+0x965/0x1690
[ 61.328307][ T74] ? lock_release+0x800/0x800
[ 61.332977][ T74] ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.338338][ T74] ? rwlock_bug.part.0+0x90/0x90
[ 61.343366][ T74] worker_thread+0x96/0xe10
[ 61.347867][ T74] ? process_one_work+0x1690/0x1690
[ 61.353058][ T74] kthread+0x3b5/0x4a0
[ 61.357126][ T74] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.362835][ T74] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.368546][ T74] ret_from_fork+0x1f/0x30
[ 61.374254][ T74] Kernel Offset: disabled
[ 61.378570][ T74] Rebooting in 86400 seconds..