[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.10.57' (ECDSA) to the list of known hosts.
2020/06/25 14:57:57 fuzzer started
2020/06/25 14:57:57 connecting to host at 10.128.0.26:44835
2020/06/25 14:57:57 checking machine...
2020/06/25 14:57:57 checking revisions...
2020/06/25 14:57:57 testing simple program...
syzkaller login: [ 60.763523][ T6828] IPVS: ftp: loaded support on port[0] = 21
2020/06/25 14:57:58 building call list...
[ 61.060617][ T6762] tipc: TX() has been purged, node left!
[ 61.621481][ T6762] ==================================================================
[ 61.629906][ T6762] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[ 61.638146][ T6762] Write of size 1 at addr ffff8880a8b479e4 by task kworker/u4:5/6762
[ 61.646373][ T6762]
[ 61.648794][ T6762] CPU: 1 PID: 6762 Comm: kworker/u4:5 Not tainted 5.8.0-rc1-syzkaller #0
[ 61.657194][ T6762] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.667257][ T6762] Workqueue: netns cleanup_net
[ 61.672013][ T6762] Call Trace:
[ 61.675523][ T6762] dump_stack+0x18f/0x20d
[ 61.679857][ T6762] ? afs_wake_up_async_call+0x430/0x4a0
[ 61.686008][ T6762] ? afs_wake_up_async_call+0x430/0x4a0
[ 61.692678][ T6762] ? afs_put_call+0x440/0x440
[ 61.697617][ T6762] print_address_description.constprop.0.cold+0xae/0x436
[ 61.704650][ T6762] ? vprintk_func+0x97/0x1a6
[ 61.709258][ T6762] ? afs_wake_up_async_call+0x430/0x4a0
[ 61.715583][ T6762] kasan_report.cold+0x1f/0x37
[ 61.720351][ T6762] ? afs_wake_up_async_call+0x430/0x4a0
[ 61.725900][ T6762] afs_wake_up_async_call+0x430/0x4a0
[ 61.731538][ T6762] ? afs_close_socket+0x320/0x320
[ 61.736658][ T6762] rxrpc_notify_socket+0x1db/0x5d0
[ 61.741783][ T6762] ? afs_put_call+0x440/0x440
[ 61.746547][ T6762] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.752974][ T6762] rxrpc_call_completed+0xd0/0xf0
[ 61.758461][ T6762] rxrpc_discard_prealloc+0x777/0xab0
[ 61.763847][ T6762] ? lock_sock_nested+0x94/0x110
[ 61.768805][ T6762] rxrpc_listen+0x11c/0x330
[ 61.774033][ T6762] afs_close_socket+0x95/0x320
[ 61.778805][ T6762] ? afs_purge_servers+0x16d/0x300
[ 61.783918][ T6762] ? afs_rx_discard_new_call+0x50/0x50
[ 61.789468][ T6762] ? init_wait_var_entry+0x200/0x200
[ 61.794761][ T6762] ? check_preemption_disabled+0x38/0x220
[ 61.800491][ T6762] afs_net_exit+0x1bc/0x310
[ 61.805427][ T6762] ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 61.811237][ T6762] ops_exit_list+0xb0/0x160
[ 61.815840][ T6762] cleanup_net+0x4ea/0xa00
[ 61.820563][ T6762] ? __schedule+0x887/0x1eb0
[ 61.825186][ T6762] ? ops_free_list.part.0+0x3d0/0x3d0
[ 61.830654][ T6762] ? check_preemption_disabled+0x38/0x220
[ 61.836386][ T6762] process_one_work+0x94c/0x1670
[ 61.841339][ T6762] ? lock_release+0x8d0/0x8d0
[ 61.846024][ T6762] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 61.851402][ T6762] ? rwlock_bug.part.0+0x90/0x90
[ 61.856439][ T6762] worker_thread+0x64c/0x1120
[ 61.861216][ T6762] ? __kthread_parkme+0x13f/0x1e0
[ 61.866259][ T6762] ? process_one_work+0x1670/0x1670
[ 61.871632][ T6762] kthread+0x3b5/0x4a0
[ 61.875795][ T6762] ? __kthread_bind_mask+0xc0/0xc0
[ 61.881256][ T6762] ? __kthread_bind_mask+0xc0/0xc0
[ 61.886634][ T6762] ret_from_fork+0x1f/0x30
[ 61.891123][ T6762]
[ 61.893451][ T6762] Allocated by task 6828:
[ 61.897782][ T6762] save_stack+0x1b/0x40
[ 61.901935][ T6762] __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 61.907562][ T6762] kmem_cache_alloc_trace+0x14f/0x2d0
[ 61.913017][ T6762] afs_alloc_call+0x4f/0x360
[ 61.917632][ T6762] afs_charge_preallocation+0xe9/0x2d0
[ 61.923198][ T6762] afs_open_socket+0x294/0x360
[ 61.927967][ T6762] afs_net_init+0xa6c/0xe30
[ 61.932471][ T6762] ops_init+0xaf/0x470
[ 61.936715][ T6762] setup_net+0x2d8/0x850
[ 61.941066][ T6762] copy_net_ns+0x2cf/0x5e0
[ 61.945681][ T6762] create_new_namespaces+0x3f6/0xb10
[ 61.950971][ T6762] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 61.956601][ T6762] ksys_unshare+0x36c/0x9a0
[ 61.961460][ T6762] __x64_sys_unshare+0x2d/0x40
[ 61.966322][ T6762] do_syscall_64+0x60/0xe0
[ 61.970737][ T6762] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.976614][ T6762]
[ 61.978941][ T6762] Freed by task 6762:
[ 61.983442][ T6762] save_stack+0x1b/0x40
[ 61.987769][ T6762] __kasan_slab_free+0xf5/0x140
[ 61.993313][ T6762] kfree+0x103/0x2c0
[ 61.997204][ T6762] afs_put_call+0x345/0x440
[ 62.001795][ T6762] rxrpc_discard_prealloc+0x75a/0xab0
[ 62.007348][ T6762] rxrpc_listen+0x11c/0x330
[ 62.011849][ T6762] afs_close_socket+0x95/0x320
[ 62.016698][ T6762] afs_net_exit+0x1bc/0x310
[ 62.021195][ T6762] ops_exit_list+0xb0/0x160
[ 62.025729][ T6762] cleanup_net+0x4ea/0xa00
[ 62.030314][ T6762] process_one_work+0x94c/0x1670
[ 62.035254][ T6762] worker_thread+0x64c/0x1120
[ 62.040973][ T6762] kthread+0x3b5/0x4a0
[ 62.045105][ T6762] ret_from_fork+0x1f/0x30
[ 62.049507][ T6762]
[ 62.051932][ T6762] The buggy address belongs to the object at ffff8880a8b47800
[ 62.051932][ T6762] which belongs to the cache kmalloc-1k of size 1024
[ 62.066165][ T6762] The buggy address is located 484 bytes inside of
[ 62.066165][ T6762] 1024-byte region [ffff8880a8b47800, ffff8880a8b47c00)
[ 62.079719][ T6762] The buggy address belongs to the page:
[ 62.085361][ T6762] page:ffffea0002a2d1c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 62.094589][ T6762] flags: 0xfffe0000000200(slab)
[ 62.100395][ T6762] raw: 00fffe0000000200 ffffea0002a28d88 ffffea0002991008 ffff8880aa000c40
[ 62.110138][ T6762] raw: 0000000000000000 ffff8880a8b47000 0000000100000002 0000000000000000
[ 62.119154][ T6762] page dumped because: kasan: bad access detected
[ 62.125651][ T6762]
[ 62.127989][ T6762] Memory state around the buggy address:
[ 62.136868][ T6762] ffff8880a8b47880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.145025][ T6762] ffff8880a8b47900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.153524][ T6762] >ffff8880a8b47980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.162063][ T6762] ^
[ 62.170038][ T6762] ffff8880a8b47a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.178809][ T6762] ffff8880a8b47a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 62.187729][ T6762] ==================================================================
[ 62.197119][ T6762] Disabling lock debugging due to kernel taint
[ 62.203731][ T6762] Kernel panic - not syncing: panic_on_warn set ...
[ 62.210511][ T6762] CPU: 1 PID: 6762 Comm: kworker/u4:5 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 62.220911][ T6762] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 62.231509][ T6762] Workqueue: netns cleanup_net
[ 62.236456][ T6762] Call Trace:
[ 62.239749][ T6762] dump_stack+0x18f/0x20d
[ 62.244165][ T6762] ? afs_wake_up_async_call+0x370/0x4a0
[ 62.249721][ T6762] ? afs_put_call+0x440/0x440
[ 62.254424][ T6762] panic+0x2e3/0x75c
[ 62.258334][ T6762] ? __warn_printk+0xf3/0xf3
[ 62.262938][ T6762] ? afs_wake_up_async_call+0x430/0x4a0
[ 62.268665][ T6762] ? trace_hardirqs_on+0x55/0x220
[ 62.273790][ T6762] ? afs_wake_up_async_call+0x430/0x4a0
[ 62.279425][ T6762] ? afs_wake_up_async_call+0x430/0x4a0
[ 62.284980][ T6762] ? afs_put_call+0x440/0x440
[ 62.289790][ T6762] end_report+0x4d/0x53
[ 62.294026][ T6762] kasan_report.cold+0xd/0x37
[ 62.298709][ T6762] ? afs_wake_up_async_call+0x430/0x4a0
[ 62.304521][ T6762] afs_wake_up_async_call+0x430/0x4a0
[ 62.310098][ T6762] ? afs_close_socket+0x320/0x320
[ 62.315378][ T6762] rxrpc_notify_socket+0x1db/0x5d0
[ 62.320501][ T6762] ? afs_put_call+0x440/0x440
[ 62.325174][ T6762] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 62.331677][ T6762] rxrpc_call_completed+0xd0/0xf0
[ 62.336700][ T6762] rxrpc_discard_prealloc+0x777/0xab0
[ 62.342263][ T6762] ? lock_sock_nested+0x94/0x110
[ 62.347226][ T6762] rxrpc_listen+0x11c/0x330
[ 62.352683][ T6762] afs_close_socket+0x95/0x320
[ 62.357534][ T6762] ? afs_purge_servers+0x16d/0x300
[ 62.362659][ T6762] ? afs_rx_discard_new_call+0x50/0x50
[ 62.368172][ T6762] ? init_wait_var_entry+0x200/0x200
[ 62.373580][ T6762] ? check_preemption_disabled+0x38/0x220
[ 62.379563][ T6762] afs_net_exit+0x1bc/0x310
[ 62.384092][ T6762] ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 62.390421][ T6762] ops_exit_list+0xb0/0x160
[ 62.395023][ T6762] cleanup_net+0x4ea/0xa00
[ 62.400303][ T6762] ? __schedule+0x887/0x1eb0
[ 62.405070][ T6762] ? ops_free_list.part.0+0x3d0/0x3d0
[ 62.410534][ T6762] ? check_preemption_disabled+0x38/0x220
[ 62.416251][ T6762] process_one_work+0x94c/0x1670
[ 62.421416][ T6762] ? lock_release+0x8d0/0x8d0
[ 62.426343][ T6762] ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 62.431720][ T6762] ? rwlock_bug.part.0+0x90/0x90
[ 62.436654][ T6762] worker_thread+0x64c/0x1120
[ 62.441333][ T6762] ? __kthread_parkme+0x13f/0x1e0
[ 62.446381][ T6762] ? process_one_work+0x1670/0x1670
[ 62.451757][ T6762] kthread+0x3b5/0x4a0
[ 62.456000][ T6762] ? __kthread_bind_mask+0xc0/0xc0
[ 62.461193][ T6762] ? __kthread_bind_mask+0xc0/0xc0
[ 62.466447][ T6762] ret_from_fork+0x1f/0x30
[ 62.472904][ T6762] Kernel Offset: disabled
[ 62.477223][ T6762] Rebooting in 86400 seconds..