[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Load/Save RF Kill Switch Status.
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.120' (ECDSA) to the list of known hosts.
2020/06/25 14:13:20 fuzzer started
2020/06/25 14:13:21 connecting to host at 10.128.0.26:44777
2020/06/25 14:13:21 checking machine...
2020/06/25 14:13:21 checking revisions...
2020/06/25 14:13:21 testing simple program...
syzkaller login: [   62.105754][ T6797] IPVS: ftp: loaded support on port[0] = 21
2020/06/25 14:13:21 building call list...
[   62.458356][   T26] tipc: TX() has been purged, node left!
[   62.980032][   T26] ==================================================================
[   62.990092][   T26] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[   62.999530][   T26] Write of size 1 at addr ffff888090b979e4 by task kworker/u4:2/26
[   63.008815][   T26] 
[   63.011601][   T26] CPU: 0 PID: 26 Comm: kworker/u4:2 Not tainted 5.8.0-rc2-syzkaller #0
[   63.021078][   T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.032420][   T26] Workqueue: netns cleanup_net
[   63.038077][   T26] Call Trace:
[   63.042433][   T26]  dump_stack+0x18f/0x20d
[   63.048063][   T26]  ? afs_wake_up_async_call+0x430/0x4a0
[   63.056154][   T26]  ? afs_wake_up_async_call+0x430/0x4a0
[   63.062661][   T26]  ? afs_put_call+0x440/0x440
[   63.068359][   T26]  print_address_description.constprop.0.cold+0xae/0x436
[   63.077234][   T26]  ? vprintk_func+0x97/0x1a6
[   63.082466][   T26]  ? afs_wake_up_async_call+0x430/0x4a0
[   63.088673][   T26]  kasan_report.cold+0x1f/0x37
[   63.094456][   T26]  ? afs_wake_up_async_call+0x430/0x4a0
[   63.101683][   T26]  afs_wake_up_async_call+0x430/0x4a0
[   63.109155][   T26]  ? afs_close_socket+0x320/0x320
[   63.115130][   T26]  rxrpc_notify_socket+0x1db/0x5d0
[   63.121441][   T26]  ? afs_put_call+0x440/0x440
[   63.126321][   T26]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   63.133849][   T26]  rxrpc_call_completed+0xd0/0xf0
[   63.140988][   T26]  rxrpc_discard_prealloc+0x777/0xab0
[   63.147672][   T26]  ? lock_sock_nested+0x94/0x110
[   63.153509][   T26]  rxrpc_listen+0x11c/0x330
[   63.158673][   T26]  afs_close_socket+0x95/0x320
[   63.164449][   T26]  ? afs_purge_servers+0x181/0x330
[   63.172028][   T26]  ? afs_rx_discard_new_call+0x50/0x50
[   63.179976][   T26]  ? init_wait_var_entry+0x200/0x200
[   63.187430][   T26]  afs_net_exit+0x1c4/0x310
[   63.193474][   T26]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[   63.200234][   T26]  ops_exit_list+0xb0/0x160
[   63.205623][   T26]  cleanup_net+0x4ea/0xa00
[   63.210802][   T26]  ? __schedule+0x887/0x1eb0
[   63.217595][   T26]  ? ops_free_list.part.0+0x3d0/0x3d0
[   63.223632][   T26]  ? check_preemption_disabled+0x38/0x220
[   63.229832][   T26]  process_one_work+0x94c/0x1670
[   63.235862][   T26]  ? lock_release+0x8d0/0x8d0
[   63.242274][   T26]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   63.250455][   T26]  ? rwlock_bug.part.0+0x90/0x90
[   63.256580][   T26]  worker_thread+0x64c/0x1120
[   63.261376][   T26]  ? process_one_work+0x1670/0x1670
[   63.267035][   T26]  kthread+0x3b5/0x4a0
[   63.271912][   T26]  ? __kthread_bind_mask+0xc0/0xc0
[   63.277745][   T26]  ? __kthread_bind_mask+0xc0/0xc0
[   63.284134][   T26]  ret_from_fork+0x1f/0x30
[   63.289101][   T26] 
[   63.291609][   T26] Allocated by task 6797:
[   63.296131][   T26]  save_stack+0x1b/0x40
[   63.301177][   T26]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   63.307346][   T26]  kmem_cache_alloc_trace+0x14f/0x2d0
[   63.313704][   T26]  afs_alloc_call+0x4f/0x360
[   63.319474][   T26]  afs_charge_preallocation+0xe9/0x2d0
[   63.328293][   T26]  afs_open_socket+0x294/0x360
[   63.334261][   T26]  afs_net_init+0xab4/0xe90
[   63.340454][   T26]  ops_init+0xaf/0x470
[   63.345197][   T26]  setup_net+0x2d8/0x850
[   63.349529][   T26]  copy_net_ns+0x2cf/0x5e0
[   63.355948][   T26]  create_new_namespaces+0x3f6/0xb10
[   63.362464][   T26]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   63.370020][   T26]  ksys_unshare+0x36c/0x9a0
[   63.375905][   T26]  __ia32_sys_unshare+0x2c/0x40
[   63.381565][   T26]  do_syscall_32_irqs_on+0x3f/0x60
[   63.388306][   T26]  do_fast_syscall_32+0x7f/0x120
[   63.393973][   T26]  entry_SYSENTER_compat+0x6d/0x7c
[   63.401557][   T26] 
[   63.404471][   T26] Freed by task 26:
[   63.410055][   T26]  save_stack+0x1b/0x40
[   63.414883][   T26]  __kasan_slab_free+0xf5/0x140
[   63.420033][   T26]  kfree+0x103/0x2c0
[   63.425381][   T26]  afs_put_call+0x345/0x440
[   63.431209][   T26]  rxrpc_discard_prealloc+0x75a/0xab0
[   63.439152][   T26]  rxrpc_listen+0x11c/0x330
[   63.444342][   T26]  afs_close_socket+0x95/0x320
[   63.450076][   T26]  afs_net_exit+0x1c4/0x310
[   63.455440][   T26]  ops_exit_list+0xb0/0x160
[   63.460817][   T26]  cleanup_net+0x4ea/0xa00
[   63.465780][   T26]  process_one_work+0x94c/0x1670
[   63.471943][   T26]  worker_thread+0x64c/0x1120
[   63.477949][   T26]  kthread+0x3b5/0x4a0
[   63.482858][   T26]  ret_from_fork+0x1f/0x30
[   63.488539][   T26] 
[   63.491180][   T26] The buggy address belongs to the object at ffff888090b97800
[   63.491180][   T26]  which belongs to the cache kmalloc-1k of size 1024
[   63.506820][   T26] The buggy address is located 484 bytes inside of
[   63.506820][   T26]  1024-byte region [ffff888090b97800, ffff888090b97c00)
[   63.522019][   T26] The buggy address belongs to the page:
[   63.528975][   T26] page:ffffea000242e5c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   63.538519][   T26] flags: 0xfffe0000000200(slab)
[   63.543481][   T26] raw: 00fffe0000000200 ffffea00027d2d08 ffffea000250e888 ffff8880aa000c40
[   63.552527][   T26] raw: 0000000000000000 ffff888090b97000 0000000100000002 0000000000000000
[   63.561488][   T26] page dumped because: kasan: bad access detected
[   63.568604][   T26] 
[   63.571376][   T26] Memory state around the buggy address:
[   63.578024][   T26]  ffff888090b97880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.589211][   T26]  ffff888090b97900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.599545][   T26] >ffff888090b97980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.608804][   T26]                                                        ^
[   63.617048][   T26]  ffff888090b97a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.625449][   T26]  ffff888090b97a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.633808][   T26] ==================================================================
[   63.641962][   T26] Disabling lock debugging due to kernel taint
[   63.648177][   T26] Kernel panic - not syncing: panic_on_warn set ...
[   63.654765][   T26] CPU: 0 PID: 26 Comm: kworker/u4:2 Tainted: G    B             5.8.0-rc2-syzkaller #0
[   63.665204][   T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.676666][   T26] Workqueue: netns cleanup_net
[   63.681691][   T26] Call Trace:
[   63.684988][   T26]  dump_stack+0x18f/0x20d
[   63.689551][   T26]  ? afs_wake_up_async_call+0x340/0x4a0
[   63.695098][   T26]  ? afs_put_call+0x440/0x440
[   63.699819][   T26]  panic+0x2e3/0x75c
[   63.703804][   T26]  ? __warn_printk+0xf3/0xf3
[   63.708634][   T26]  ? afs_wake_up_async_call+0x430/0x4a0
[   63.714274][   T26]  ? trace_hardirqs_on+0x55/0x220
[   63.719393][   T26]  ? afs_wake_up_async_call+0x430/0x4a0
[   63.724939][   T26]  ? afs_wake_up_async_call+0x430/0x4a0
[   63.730521][   T26]  ? afs_put_call+0x440/0x440
[   63.735378][   T26]  end_report+0x4d/0x53
[   63.739547][   T26]  kasan_report.cold+0xd/0x37
[   63.744304][   T26]  ? afs_wake_up_async_call+0x430/0x4a0
[   63.749849][   T26]  afs_wake_up_async_call+0x430/0x4a0
[   63.755227][   T26]  ? afs_close_socket+0x320/0x320
[   63.760272][   T26]  rxrpc_notify_socket+0x1db/0x5d0
[   63.765387][   T26]  ? afs_put_call+0x440/0x440
[   63.770066][   T26]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   63.776482][   T26]  rxrpc_call_completed+0xd0/0xf0
[   63.781574][   T26]  rxrpc_discard_prealloc+0x777/0xab0
[   63.786947][   T26]  ? lock_sock_nested+0x94/0x110
[   63.791907][   T26]  rxrpc_listen+0x11c/0x330
[   63.796415][   T26]  afs_close_socket+0x95/0x320
[   63.801556][   T26]  ? afs_purge_servers+0x181/0x330
[   63.806757][   T26]  ? afs_rx_discard_new_call+0x50/0x50
[   63.812367][   T26]  ? init_wait_var_entry+0x200/0x200
[   63.817980][   T26]  afs_net_exit+0x1c4/0x310
[   63.822696][   T26]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[   63.828331][   T26]  ops_exit_list+0xb0/0x160
[   63.834421][   T26]  cleanup_net+0x4ea/0xa00
[   63.838836][   T26]  ? __schedule+0x887/0x1eb0
[   63.843677][   T26]  ? ops_free_list.part.0+0x3d0/0x3d0
[   63.849060][   T26]  ? check_preemption_disabled+0x38/0x220
[   63.855153][   T26]  process_one_work+0x94c/0x1670
[   63.860282][   T26]  ? lock_release+0x8d0/0x8d0
[   63.865046][   T26]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   63.870528][   T26]  ? rwlock_bug.part.0+0x90/0x90
[   63.875479][   T26]  worker_thread+0x64c/0x1120
[   63.880175][   T26]  ? process_one_work+0x1670/0x1670
[   63.885584][   T26]  kthread+0x3b5/0x4a0
[   63.890698][   T26]  ? __kthread_bind_mask+0xc0/0xc0
[   63.896068][   T26]  ? __kthread_bind_mask+0xc0/0xc0
[   63.901575][   T26]  ret_from_fork+0x1f/0x30
[   63.908023][   T26] Kernel Offset: disabled
[   63.912494][   T26] Rebooting in 86400 seconds..
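The report above carries everything needed for a first triage pass without a vmlinux: the access kind and size, the faulting address, the object it lands in, and the three stacks (use, allocation, free). The helper below is an added example written for this page, not part of syzkaller or the kernel tree; it parses a trimmed copy of the report lines (the console `[ ts][ Tnn]` prefixes are kept so the parser has to strip them), re-derives the 484-byte offset from the raw addresses, checks it against what KASAN printed, and intersects the "Freed by" stack with the faulting stack. Frames marked `?` are left out because the x86 unwinder prints that marker for stale return addresses it found on the stack but could not verify as part of the live call chain. The section names, regexes and the `triage()` output keys are this example's own choices.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the KASAN report in the console log
# above, trimmed to the frames the triage needs; console prefixes kept on purpose.
SAMPLE = """\
[   62.990092][   T26] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[   62.999530][   T26] Write of size 1 at addr ffff888090b979e4 by task kworker/u4:2/26
[   63.032420][   T26] Workqueue: netns cleanup_net
[   63.038077][   T26] Call Trace:
[   63.042433][   T26]  dump_stack+0x18f/0x20d
[   63.088673][   T26]  kasan_report.cold+0x1f/0x37
[   63.101683][   T26]  afs_wake_up_async_call+0x430/0x4a0
[   63.115130][   T26]  rxrpc_notify_socket+0x1db/0x5d0
[   63.121441][   T26]  ? afs_put_call+0x440/0x440
[   63.133849][   T26]  rxrpc_call_completed+0xd0/0xf0
[   63.140988][   T26]  rxrpc_discard_prealloc+0x777/0xab0
[   63.153509][   T26]  rxrpc_listen+0x11c/0x330
[   63.158673][   T26]  afs_close_socket+0x95/0x320
[   63.187430][   T26]  afs_net_exit+0x1c4/0x310
[   63.289101][   T26] 
[   63.291609][   T26] Allocated by task 6797:
[   63.313704][   T26]  afs_alloc_call+0x4f/0x360
[   63.319474][   T26]  afs_charge_preallocation+0xe9/0x2d0
[   63.375905][   T26]  __ia32_sys_unshare+0x2c/0x40
[   63.401557][   T26] 
[   63.404471][   T26] Freed by task 26:
[   63.420033][   T26]  kfree+0x103/0x2c0
[   63.425381][   T26]  afs_put_call+0x345/0x440
[   63.431209][   T26]  rxrpc_discard_prealloc+0x75a/0xab0
[   63.439152][   T26]  rxrpc_listen+0x11c/0x330
[   63.488539][   T26] 
[   63.491180][   T26] The buggy address belongs to the object at ffff888090b97800
[   63.491180][   T26]  which belongs to the cache kmalloc-1k of size 1024
[   63.506820][   T26] The buggy address is located 484 bytes inside of
[   63.506820][   T26]  1024-byte region [ffff888090b97800, ffff888090b97c00)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")          # "[   63.1][   T26] "
BUG = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<where>\S+)")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
                    r"by task (?P<comm>.+)/(?P<pid>\d+)")
OBJ = re.compile(r"belongs to the object at (?P<start>[0-9a-f]+)")
CACHE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
INSIDE = re.compile(r"located (?P<off>\d+) bytes inside of")
REGION = re.compile(r"region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
SECTION = re.compile(r"^(Call Trace:|Allocated by task \d+:|Freed by task \d+:)$")
# Stack frames are indented one space; "? " marks an unverified (stale) address.
FRAME = re.compile(r"^\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
NOISE = ("dump_stack", "kasan_report", "save_stack", "__kasan", "kfree", "kmem_cache")


@dataclass
class KasanReport:
    kind: str = ""
    where: str = ""                 # "symbol+off/len" of the faulting access
    op: str = ""
    size: int = 0
    addr: int = 0
    comm: str = ""
    pid: int = 0
    cache: str = ""
    obj_start: int = 0
    obj_size: int = 0
    reported_off: int = -1
    region: Tuple[int, int] = (0, 0)
    stacks: Dict[str, List[str]] = field(default_factory=dict)   # header -> reliable symbols


def parse(text: str) -> KasanReport:
    """Turn console-prefixed KASAN report lines into a KasanReport."""
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():                      # blank line closes a stack section
            section = None
            continue
        if (m := SECTION.match(line)):
            section = m.group(1)
            r.stacks[section] = []
            continue
        if section and (m := FRAME.match(line)):
            if not m["unreliable"]:
                r.stacks[section].append(m["sym"])
            continue
        if (m := BUG.search(line)):
            r.kind, r.where = m["kind"], m["where"]
        elif (m := ACCESS.search(line)):
            r.op, r.size, r.addr = m["op"], int(m["size"]), int(m["addr"], 16)
            r.comm, r.pid = m["comm"], int(m["pid"])
        elif (m := OBJ.search(line)):
            r.obj_start = int(m["start"], 16)
        elif (m := CACHE.search(line)):
            r.cache, r.obj_size = m["cache"], int(m["size"])
        elif (m := INSIDE.search(line)):
            r.reported_off = int(m["off"])
        elif (m := REGION.search(line)):
            r.region = (int(m["lo"], 16), int(m["hi"], 16))
    return r


def triage(r: KasanReport) -> dict:
    """Cross-check the report's arithmetic and relate the free path to the use path."""
    off = r.addr - r.obj_start
    lo, hi = r.region
    crash = r.stacks.get("Call Trace:", [])
    freed = next((v for k, v in r.stacks.items() if k.startswith("Freed")), [])
    # Frames common to the free stack and the faulting stack (allocator and
    # reporting frames ignored): if any exist, the free happened lower down the
    # same synchronous call chain that then touched the object, not in a racing task.
    shared = [s for s in freed if s in crash and not s.startswith(NOISE)]
    return {
        "offset": off,
        "offset_matches": off == r.reported_off,
        "inside_region": lo <= r.addr < hi and hi - lo == r.obj_size,
        "fault_sym": r.where.split("+")[0],
        "shared_frames": shared,
        "same_path": bool(shared),
    }


if __name__ == "__main__":
    rep = parse(SAMPLE)
    for k, v in triage(rep).items():
        print(f"{k}: {v}")
```

For this report the helper confirms the offset (0xffff888090b979e4 - 0xffff888090b97800 = 484) and finds `rxrpc_discard_prealloc` and `rxrpc_listen` on both the free and the use stack: `afs_put_call` released the preallocated `afs_call` from inside `rxrpc_discard_prealloc` (offset +0x75a), and the same function then completed the call (+0x777) and had `rxrpc_notify_socket` hand it back to `afs_wake_up_async_call`, which wrote one byte into the freed object. Mapping the `symbol+offset` values to source lines still needs the matching `vmlinux`, e.g. `./scripts/faddr2line vmlinux afs_wake_up_async_call+0x430/0x4a0` from the kernel tree.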