[�[0;32m OK �[0m] Reached target Login Prompts.
[�[0;32m OK �[0m] Reached target Multi-User System.
[�[0;32m OK �[0m] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[�[0;32m OK �[0m] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.75' (ECDSA) to the list of known hosts.
2020/06/14 18:57:25 fuzzer started
2020/06/14 18:57:25 connecting to host at 10.128.0.26:35561
2020/06/14 18:57:25 checking machine...
2020/06/14 18:57:25 checking revisions...
2020/06/14 18:57:25 testing simple program...
syzkaller login: [ 57.032540][ T6814] IPVS: ftp: loaded support on port[0] = 21
2020/06/14 18:57:25 building call list...
[ 57.343287][ T7] tipc: TX() has been purged, node left!
[ 57.845397][ T7] ==================================================================
[ 57.853608][ T7] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 57.861492][ T7] Write of size 1 at addr ffff8880942389e4 by task kworker/u4:0/7
[ 57.869277][ T7]
[ 57.871601][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.7.0-next-20200614-syzkaller #0
[ 57.880603][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.890654][ T7] Workqueue: netns cleanup_net
[ 57.895404][ T7] Call Trace:
[ 57.898691][ T7] dump_stack+0x18f/0x20d
[ 57.903036][ T7] ? afs_wake_up_async_call+0x6aa/0x770
[ 57.908572][ T7] ? afs_wake_up_async_call+0x6aa/0x770
[ 57.914110][ T7] ? afs_put_call+0xa40/0xa40
[ 57.918781][ T7] print_address_description.constprop.0.cold+0xd3/0x413
[ 57.925803][ T7] ? vprintk_func+0x97/0x1a6
[ 57.930391][ T7] ? afs_wake_up_async_call+0x6aa/0x770
[ 57.935928][ T7] kasan_report.cold+0x1f/0x37
[ 57.940698][ T7] ? rcu_read_lock_held_common+0x41/0xa0
[ 57.946322][ T7] ? afs_wake_up_async_call+0x6aa/0x770
[ 57.951863][ T7] afs_wake_up_async_call+0x6aa/0x770
[ 57.957228][ T7] ? afs_close_socket+0x320/0x320
[ 57.962248][ T7] ? afs_put_call+0xa40/0xa40
[ 57.966913][ T7] rxrpc_notify_socket+0x1db/0x5d0
[ 57.972023][ T7] ? afs_put_call+0xa40/0xa40
[ 57.976690][ T7] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 57.983101][ T7] rxrpc_call_completed+0xca/0xf0
[ 57.988126][ T7] rxrpc_discard_prealloc+0x781/0xab0
[ 57.993494][ T7] ? lock_sock_nested+0x94/0x110
[ 57.998427][ T7] rxrpc_listen+0x147/0x360
[ 58.002928][ T7] afs_close_socket+0x95/0x320
[ 58.007683][ T7] ? afs_purge_servers+0x16d/0x300
[ 58.012792][ T7] ? afs_rx_discard_new_call+0x50/0x50
[ 58.018253][ T7] ? init_wait_var_entry+0x200/0x200
[ 58.023536][ T7] ? rcu_read_lock_held_common+0xa0/0xa0
[ 58.029159][ T7] ? check_preemption_disabled+0x38/0x220
[ 58.034881][ T7] afs_net_exit+0x1bc/0x310
[ 58.039374][ T7] ? afs_net_init+0xe30/0xe30
[ 58.044053][ T7] ops_exit_list.isra.0+0xa8/0x150
[ 58.049162][ T7] cleanup_net+0x511/0xa50
[ 58.053580][ T7] ? unregister_pernet_device+0x70/0x70
[ 58.059122][ T7] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 58.065104][ T7] process_one_work+0x965/0x1690
[ 58.070045][ T7] ? lock_release+0x800/0x800
[ 58.074741][ T7] ? pwq_dec_nr_in_flight+0x310/0x310
[ 58.080110][ T7] ? rwlock_bug.part.0+0x90/0x90
[ 58.085054][ T7] worker_thread+0x96/0xe10
[ 58.089578][ T7] ? process_one_work+0x1690/0x1690
[ 58.094790][ T7] kthread+0x3b5/0x4a0
[ 58.098857][ T7] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.104574][ T7] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.110306][ T7] ret_from_fork+0x1f/0x30
[ 58.114730][ T7]
[ 58.117054][ T7] Allocated by task 6814:
[ 58.121377][ T7] save_stack+0x1b/0x40
[ 58.125526][ T7] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.131151][ T7] kmem_cache_alloc_trace+0x153/0x7d0
[ 58.136518][ T7] afs_alloc_call+0x55/0x630
[ 58.141102][ T7] afs_charge_preallocation+0xe9/0x2d0
[ 58.146551][ T7] afs_open_socket+0x292/0x360
[ 58.151309][ T7] afs_net_init+0xa6c/0xe30
[ 58.155806][ T7] ops_init+0xaf/0x420
[ 58.159874][ T7] setup_net+0x2de/0x860
[ 58.164121][ T7] copy_net_ns+0x293/0x590
[ 58.168552][ T7] create_new_namespaces+0x3fb/0xb30
[ 58.173835][ T7] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 58.179459][ T7] ksys_unshare+0x43d/0x8e0
[ 58.183953][ T7] __x64_sys_unshare+0x2d/0x40
[ 58.188706][ T7] do_syscall_64+0x60/0xe0
[ 58.193115][ T7] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.198986][ T7]
[ 58.201303][ T7] Freed by task 7:
[ 58.205018][ T7] save_stack+0x1b/0x40
[ 58.209165][ T7] __kasan_slab_free+0xf7/0x140
[ 58.214003][ T7] kfree+0x109/0x2b0
[ 58.217890][ T7] afs_put_call+0x585/0xa40
[ 58.222384][ T7] rxrpc_discard_prealloc+0x764/0xab0
[ 58.227744][ T7] rxrpc_listen+0x147/0x360
[ 58.232241][ T7] afs_close_socket+0x95/0x320
[ 58.237011][ T7] afs_net_exit+0x1bc/0x310
[ 58.241512][ T7] ops_exit_list.isra.0+0xa8/0x150
[ 58.246614][ T7] cleanup_net+0x511/0xa50
[ 58.251023][ T7] process_one_work+0x965/0x1690
[ 58.255953][ T7] worker_thread+0x96/0xe10
[ 58.260446][ T7] kthread+0x3b5/0x4a0
[ 58.264509][ T7] ret_from_fork+0x1f/0x30
[ 58.268910][ T7]
[ 58.271233][ T7] The buggy address belongs to the object at ffff888094238800
[ 58.271233][ T7] which belongs to the cache kmalloc-1k of size 1024
[ 58.285276][ T7] The buggy address is located 484 bytes inside of
[ 58.285276][ T7] 1024-byte region [ffff888094238800, ffff888094238c00)
[ 58.298615][ T7] The buggy address belongs to the page:
[ 58.304241][ T7] page:ffffea0002508e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 58.313334][ T7] flags: 0xfffe0000000200(slab)
[ 58.318309][ T7] raw: 00fffe0000000200 ffffea0002a59c88 ffffea000299e508 ffff8880aa000c40
[ 58.326891][ T7] raw: 0000000000000000 ffff888094238000 0000000100000002 0000000000000000
[ 58.335461][ T7] page dumped because: kasan: bad access detected
[ 58.341864][ T7]
[ 58.344181][ T7] Memory state around the buggy address:
[ 58.349803][ T7] ffff888094238880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.357858][ T7] ffff888094238900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.365912][ T7] >ffff888094238980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.373966][ T7] ^
[ 58.381149][ T7] ffff888094238a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.389201][ T7] ffff888094238a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.397245][ T7] ==================================================================
[ 58.405290][ T7] Disabling lock debugging due to kernel taint
[ 58.411499][ T7] Kernel panic - not syncing: panic_on_warn set ...
[ 58.418082][ T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Tainted: G B 5.7.0-next-20200614-syzkaller #0
[ 58.428481][ T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.438542][ T7] Workqueue: netns cleanup_net
[ 58.443296][ T7] Call Trace:
[ 58.446579][ T7] dump_stack+0x18f/0x20d
[ 58.450907][ T7] ? afs_wake_up_async_call+0x5e0/0x770
[ 58.456447][ T7] ? afs_put_call+0xa40/0xa40
[ 58.461119][ T7] panic+0x2e3/0x75c
[ 58.465012][ T7] ? __warn_printk+0xf3/0xf3
[ 58.469605][ T7] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 58.475748][ T7] ? trace_hardirqs_on+0x55/0x220
[ 58.480758][ T7] ? afs_wake_up_async_call+0x6aa/0x770
[ 58.486279][ T7] ? afs_wake_up_async_call+0x6aa/0x770
[ 58.491812][ T7] ? afs_put_call+0xa40/0xa40
[ 58.496475][ T7] end_report+0x4d/0x53
[ 58.500613][ T7] kasan_report.cold+0xd/0x37
[ 58.505271][ T7] ? rcu_read_lock_held_common+0x41/0xa0
[ 58.510910][ T7] ? afs_wake_up_async_call+0x6aa/0x770
[ 58.516454][ T7] afs_wake_up_async_call+0x6aa/0x770
[ 58.521827][ T7] ? afs_close_socket+0x320/0x320
[ 58.526836][ T7] ? afs_put_call+0xa40/0xa40
[ 58.531501][ T7] rxrpc_notify_socket+0x1db/0x5d0
[ 58.536705][ T7] ? afs_put_call+0xa40/0xa40
[ 58.541380][ T7] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 58.547777][ T7] rxrpc_call_completed+0xca/0xf0
[ 58.552817][ T7] rxrpc_discard_prealloc+0x781/0xab0
[ 58.558173][ T7] ? lock_sock_nested+0x94/0x110
[ 58.563086][ T7] rxrpc_listen+0x147/0x360
[ 58.567570][ T7] afs_close_socket+0x95/0x320
[ 58.572321][ T7] ? afs_purge_servers+0x16d/0x300
[ 58.577413][ T7] ? afs_rx_discard_new_call+0x50/0x50
[ 58.582855][ T7] ? init_wait_var_entry+0x200/0x200
[ 58.588141][ T7] ? rcu_read_lock_held_common+0xa0/0xa0
[ 58.593841][ T7] ? check_preemption_disabled+0x38/0x220
[ 58.599542][ T7] afs_net_exit+0x1bc/0x310
[ 58.604023][ T7] ? afs_net_init+0xe30/0xe30
[ 58.608682][ T7] ops_exit_list.isra.0+0xa8/0x150
[ 58.613778][ T7] cleanup_net+0x511/0xa50
[ 58.618168][ T7] ? unregister_pernet_device+0x70/0x70
[ 58.623697][ T7] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 58.629664][ T7] process_one_work+0x965/0x1690
[ 58.635541][ T7] ? lock_release+0x800/0x800
[ 58.640206][ T7] ? pwq_dec_nr_in_flight+0x310/0x310
[ 58.645596][ T7] ? rwlock_bug.part.0+0x90/0x90
[ 58.650529][ T7] worker_thread+0x96/0xe10
[ 58.655011][ T7] ? process_one_work+0x1690/0x1690
[ 58.660191][ T7] kthread+0x3b5/0x4a0
[ 58.664245][ T7] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.669984][ T7] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.675687][ T7] ret_from_fork+0x1f/0x30
[ 58.681382][ T7] Kernel Offset: disabled
[ 58.685703][ T7] Rebooting in 86400 seconds..