[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.46' (ECDSA) to the list of known hosts.
2020/06/17 04:31:14 fuzzer started
2020/06/17 04:31:14 connecting to host at 10.128.0.26:42663
2020/06/17 04:31:14 checking machine...
2020/06/17 04:31:14 checking revisions...
2020/06/17 04:31:14 testing simple program...
syzkaller login: [ 60.174091][ T6867] IPVS: ftp: loaded support on port[0] = 21
2020/06/17 04:31:14 building call list...
[ 60.491398][ T109] tipc: TX() has been purged, node left!
[ 61.023591][ T109] ==================================================================
[ 61.031827][ T109] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 61.039721][ T109] Write of size 1 at addr ffff88809a5b79e4 by task kworker/u4:3/109
[ 61.047684][ T109]
[ 61.050042][ T109] CPU: 1 PID: 109 Comm: kworker/u4:3 Not tainted 5.8.0-rc1-syzkaller #0
[ 61.058525][ T109] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.068615][ T109] Workqueue: netns cleanup_net
[ 61.073391][ T109] Call Trace:
[ 61.076686][ T109]  dump_stack+0x18f/0x20d
[ 61.081111][ T109]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.086672][ T109]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.092238][ T109]  ? afs_put_call+0xa40/0xa40
[ 61.096925][ T109]  print_address_description.constprop.0.cold+0xd3/0x413
[ 61.103961][ T109]  ? vprintk_func+0x97/0x1a6
[ 61.108836][ T109]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.114592][ T109]  kasan_report.cold+0x1f/0x37
[ 61.119377][ T109]  ? rcu_read_lock_held_common+0x51/0xa0
[ 61.125157][ T109]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.130729][ T109]  afs_wake_up_async_call+0x6aa/0x770
[ 61.136105][ T109]  ? afs_close_socket+0x320/0x320
[ 61.141132][ T109]  ? afs_put_call+0xa40/0xa40
[ 61.146158][ T109]  rxrpc_notify_socket+0x1db/0x5d0
[ 61.151287][ T109]  ? afs_put_call+0xa40/0xa40
[ 61.156846][ T109]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.163275][ T109]  rxrpc_call_completed+0xca/0xf0
[ 61.168307][ T109]  rxrpc_discard_prealloc+0x781/0xab0
[ 61.173707][ T109]  ? lock_sock_nested+0x94/0x110
[ 61.179140][ T109]  rxrpc_listen+0x147/0x360
[ 61.183658][ T109]  afs_close_socket+0x95/0x320
[ 61.188430][ T109]  ? afs_purge_servers+0x16d/0x300
[ 61.193540][ T109]  ? afs_rx_discard_new_call+0x50/0x50
[ 61.199461][ T109]  ? init_wait_var_entry+0x200/0x200
[ 61.205039][ T109]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.210677][ T109]  ? check_preemption_disabled+0x38/0x220
[ 61.216447][ T109]  afs_net_exit+0x1bc/0x310
[ 61.220950][ T109]  ? afs_net_init+0xe30/0xe30
[ 61.225716][ T109]  ops_exit_list.isra.0+0xa8/0x150
[ 61.230845][ T109]  cleanup_net+0x511/0xa50
[ 61.235272][ T109]  ? unregister_pernet_device+0x70/0x70
[ 61.241018][ T109]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.247704][ T109]  process_one_work+0x965/0x1690
[ 61.252766][ T109]  ? lock_release+0x800/0x800
[ 61.257444][ T109]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.262823][ T109]  ? rwlock_bug.part.0+0x90/0x90
[ 61.267780][ T109]  worker_thread+0x96/0xe10
[ 61.272309][ T109]  ? process_one_work+0x1690/0x1690
[ 61.277502][ T109]  kthread+0x3b5/0x4a0
[ 61.281597][ T109]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.287570][ T109]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.293314][ T109]  ret_from_fork+0x1f/0x30
[ 61.297741][ T109]
[ 61.300165][ T109] Allocated by task 6867:
[ 61.304580][ T109]  save_stack+0x1b/0x40
[ 61.308733][ T109]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.314365][ T109]  kmem_cache_alloc_trace+0x153/0x7d0
[ 61.320080][ T109]  afs_alloc_call+0x55/0x630
[ 61.324680][ T109]  afs_charge_preallocation+0xe9/0x2d0
[ 61.330136][ T109]  afs_open_socket+0x292/0x360
[ 61.334982][ T109]  afs_net_init+0xa6c/0xe30
[ 61.339481][ T109]  ops_init+0xaf/0x420
[ 61.343537][ T109]  setup_net+0x2de/0x860
[ 61.347775][ T109]  copy_net_ns+0x293/0x590
[ 61.352197][ T109]  create_new_namespaces+0x3fb/0xb30
[ 61.357478][ T109]  unshare_nsproxy_namespaces+0xbd/0x1f0
[ 61.363112][ T109]  ksys_unshare+0x43d/0x8e0
[ 61.367616][ T109]  __x64_sys_unshare+0x2d/0x40
[ 61.372373][ T109]  do_syscall_64+0x60/0xe0
[ 61.376789][ T109]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.382767][ T109]
[ 61.385378][ T109] Freed by task 109:
[ 61.389410][ T109]  save_stack+0x1b/0x40
[ 61.393562][ T109]  __kasan_slab_free+0xf7/0x140
[ 61.398416][ T109]  kfree+0x109/0x2b0
[ 61.402308][ T109]  afs_put_call+0x585/0xa40
[ 61.406895][ T109]  rxrpc_discard_prealloc+0x764/0xab0
[ 61.412262][ T109]  rxrpc_listen+0x147/0x360
[ 61.416761][ T109]  afs_close_socket+0x95/0x320
[ 61.421537][ T109]  afs_net_exit+0x1bc/0x310
[ 61.426051][ T109]  ops_exit_list.isra.0+0xa8/0x150
[ 61.431158][ T109]  cleanup_net+0x511/0xa50
[ 61.435662][ T109]  process_one_work+0x965/0x1690
[ 61.440602][ T109]  worker_thread+0x96/0xe10
[ 61.445187][ T109]  kthread+0x3b5/0x4a0
[ 61.449272][ T109]  ret_from_fork+0x1f/0x30
[ 61.453671][ T109]
[ 61.456064][ T109] The buggy address belongs to the object at ffff88809a5b7800
[ 61.456064][ T109]  which belongs to the cache kmalloc-1k of size 1024
[ 61.470110][ T109] The buggy address is located 484 bytes inside of
[ 61.470110][ T109]  1024-byte region [ffff88809a5b7800, ffff88809a5b7c00)
[ 61.483644][ T109] The buggy address belongs to the page:
[ 61.489388][ T109] page:ffffea0002696dc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 61.499138][ T109] flags: 0xfffe0000000200(slab)
[ 61.503997][ T109] raw: 00fffe0000000200 ffffea0002877288 ffffea0002a390c8 ffff8880aa000c40
[ 61.512589][ T109] raw: 0000000000000000 ffff88809a5b7000 0000000100000002 0000000000000000
[ 61.521290][ T109] page dumped because: kasan: bad access detected
[ 61.528646][ T109]
[ 61.530963][ T109] Memory state around the buggy address:
[ 61.536587][ T109]  ffff88809a5b7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.544650][ T109]  ffff88809a5b7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.553055][ T109] >ffff88809a5b7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.561194][ T109]                                                        ^
[ 61.568382][ T109]  ffff88809a5b7a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.576439][ T109]  ffff88809a5b7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.584586][ T109] ==================================================================
[ 61.592643][ T109] Disabling lock debugging due to kernel taint
[ 61.598846][ T109] Kernel panic - not syncing: panic_on_warn set ...
[ 61.605519][ T109] CPU: 1 PID: 109 Comm: kworker/u4:3 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 61.615226][ T109] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.625380][ T109] Workqueue: netns cleanup_net
[ 61.630134][ T109] Call Trace:
[ 61.633442][ T109]  dump_stack+0x18f/0x20d
[ 61.637775][ T109]  ? afs_wake_up_async_call+0x670/0x770
[ 61.643342][ T109]  ? afs_put_call+0xa40/0xa40
[ 61.648024][ T109]  panic+0x2e3/0x75c
[ 61.652166][ T109]  ? __warn_printk+0xf3/0xf3
[ 61.656757][ T109]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 61.662902][ T109]  ? trace_hardirqs_on+0x55/0x220
[ 61.667925][ T109]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.673464][ T109]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.679019][ T109]  ? afs_put_call+0xa40/0xa40
[ 61.683686][ T109]  end_report+0x4d/0x53
[ 61.687921][ T109]  kasan_report.cold+0xd/0x37
[ 61.692584][ T109]  ? rcu_read_lock_held_common+0x51/0xa0
[ 61.698210][ T109]  ? afs_wake_up_async_call+0x6aa/0x770
[ 61.703759][ T109]  afs_wake_up_async_call+0x6aa/0x770
[ 61.709112][ T109]  ? afs_close_socket+0x320/0x320
[ 61.714125][ T109]  ? afs_put_call+0xa40/0xa40
[ 61.718793][ T109]  rxrpc_notify_socket+0x1db/0x5d0
[ 61.723900][ T109]  ? afs_put_call+0xa40/0xa40
[ 61.728585][ T109]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.735006][ T109]  rxrpc_call_completed+0xca/0xf0
[ 61.740133][ T109]  rxrpc_discard_prealloc+0x781/0xab0
[ 61.745496][ T109]  ? lock_sock_nested+0x94/0x110
[ 61.750414][ T109]  rxrpc_listen+0x147/0x360
[ 61.754907][ T109]  afs_close_socket+0x95/0x320
[ 61.759659][ T109]  ? afs_purge_servers+0x16d/0x300
[ 61.764754][ T109]  ? afs_rx_discard_new_call+0x50/0x50
[ 61.770286][ T109]  ? init_wait_var_entry+0x200/0x200
[ 61.775666][ T109]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.781388][ T109]  ? check_preemption_disabled+0x38/0x220
[ 61.787091][ T109]  afs_net_exit+0x1bc/0x310
[ 61.791590][ T109]  ? afs_net_init+0xe30/0xe30
[ 61.796287][ T109]  ops_exit_list.isra.0+0xa8/0x150
[ 61.801400][ T109]  cleanup_net+0x511/0xa50
[ 61.805812][ T109]  ? unregister_pernet_device+0x70/0x70
[ 61.811355][ T109]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.817325][ T109]  process_one_work+0x965/0x1690
[ 61.822272][ T109]  ? lock_release+0x800/0x800
[ 61.826965][ T109]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.832764][ T109]  ? rwlock_bug.part.0+0x90/0x90
[ 61.838251][ T109]  worker_thread+0x96/0xe10
[ 61.842744][ T109]  ? process_one_work+0x1690/0x1690
[ 61.847932][ T109]  kthread+0x3b5/0x4a0
[ 61.851999][ T109]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.857766][ T109]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.863544][ T109]  ret_from_fork+0x1f/0x30
[ 61.869576][ T109] Kernel Offset: disabled
[ 61.873909][ T109] Rebooting in 86400 seconds..