Warning: Permanently added '10.128.1.37' (ECDSA) to the list of known hosts.
2020/06/15 12:53:17 fuzzer started
2020/06/15 12:53:17 connecting to host at 10.128.0.26:35383
2020/06/15 12:53:17 checking machine...
2020/06/15 12:53:17 checking revisions...
2020/06/15 12:53:17 testing simple program...
syzkaller login: [   60.574826][ T6820] IPVS: ftp: loaded support on port[0] = 21
2020/06/15 12:53:18 building call list...
[   60.900787][ T3517] tipc: TX() has been purged, node left!
[   61.403040][ T3517] ==================================================================
[   61.412252][ T3517] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   61.420157][ T3517] Write of size 1 at addr ffff88808112f9e4 by task kworker/u4:5/3517
[   61.428291][ T3517] 
[   61.430628][ T3517] CPU: 1 PID: 3517 Comm: kworker/u4:5 Not tainted 5.8.0-rc1-next-20200615-syzkaller #0
[   61.440243][ T3517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.450296][ T3517] Workqueue: netns cleanup_net
[   61.455051][ T3517] Call Trace:
[   61.458343][ T3517]  dump_stack+0x18f/0x20d
[   61.462853][ T3517]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.468410][ T3517]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.474213][ T3517]  ? afs_put_call+0xa40/0xa40
[   61.478889][ T3517]  print_address_description.constprop.0.cold+0xd3/0x413
[   61.485936][ T3517]  ? vprintk_func+0x97/0x1a6
[   61.490528][ T3517]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.496155][ T3517]  kasan_report.cold+0x1f/0x37
[   61.500920][ T3517]  ? rcu_read_lock_held_common+0x71/0xa0
[   61.506552][ T3517]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.512100][ T3517]  afs_wake_up_async_call+0x6aa/0x770
[   61.517470][ T3517]  ? afs_close_socket+0x320/0x320
[   61.522494][ T3517]  ? afs_put_call+0xa40/0xa40
[   61.527166][ T3517]  rxrpc_notify_socket+0x1db/0x5d0
[   61.532282][ T3517]  ? afs_put_call+0xa40/0xa40
[   61.536994][ T3517]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   61.543415][ T3517]  rxrpc_call_completed+0xca/0xf0
[   61.548446][ T3517]  rxrpc_discard_prealloc+0x781/0xab0
[   61.553824][ T3517]  ? lock_sock_nested+0x94/0x110
[   61.558765][ T3517]  rxrpc_listen+0x147/0x360
[   61.563623][ T3517]  afs_close_socket+0x95/0x320
[   61.568382][ T3517]  ? afs_purge_servers+0x16d/0x300
[   61.573495][ T3517]  ? afs_rx_discard_new_call+0x50/0x50
[   61.578955][ T3517]  ? init_wait_var_entry+0x200/0x200
[   61.584243][ T3517]  ? rcu_read_lock_held_common+0xa0/0xa0
[   61.589873][ T3517]  ? check_preemption_disabled+0x38/0x220
[   61.595594][ T3517]  afs_net_exit+0x1bc/0x310
[   61.600114][ T3517]  ? afs_net_init+0xe30/0xe30
[   61.604790][ T3517]  ops_exit_list.isra.0+0xa8/0x150
[   61.609910][ T3517]  cleanup_net+0x511/0xa50
[   61.614331][ T3517]  ? unregister_pernet_device+0x70/0x70
[   61.619966][ T3517]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   61.625955][ T3517]  process_one_work+0x965/0x1690
[   61.630902][ T3517]  ? lock_release+0x800/0x800
[   61.635578][ T3517]  ? pwq_dec_nr_in_flight+0x310/0x310
[   61.640952][ T3517]  ? rwlock_bug.part.0+0x90/0x90
[   61.645900][ T3517]  worker_thread+0x96/0xe10
[   61.650414][ T3517]  ? process_one_work+0x1690/0x1690
[   61.655621][ T3517]  kthread+0x3b5/0x4a0
[   61.659687][ T3517]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   61.665403][ T3517]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   61.671138][ T3517]  ret_from_fork+0x1f/0x30
[   61.675568][ T3517] 
[   61.678078][ T3517] Allocated by task 6820:
[   61.682410][ T3517]  save_stack+0x1b/0x40
[   61.686564][ T3517]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   61.692196][ T3517]  kmem_cache_alloc_trace+0x153/0x7d0
[   61.697568][ T3517]  afs_alloc_call+0x55/0x630
[   61.702251][ T3517]  afs_charge_preallocation+0xe9/0x2d0
[   61.708051][ T3517]  afs_open_socket+0x292/0x360
[   61.712824][ T3517]  afs_net_init+0xa6c/0xe30
[   61.717326][ T3517]  ops_init+0xaf/0x420
[   61.721392][ T3517]  setup_net+0x2de/0x860
[   61.725815][ T3517]  copy_net_ns+0x293/0x590
[   61.730230][ T3517]  create_new_namespaces+0x3fb/0xb30
[   61.735515][ T3517]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   61.741146][ T3517]  ksys_unshare+0x43d/0x8e0
[   61.745662][ T3517]  __x64_sys_unshare+0x2d/0x40
[   61.750420][ T3517]  do_syscall_64+0x60/0xe0
[   61.754832][ T3517]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   61.760731][ T3517] 
[   61.763051][ T3517] Freed by task 3517:
[   61.767040][ T3517]  save_stack+0x1b/0x40
[   61.772584][ T3517]  __kasan_slab_free+0xf7/0x140
[   61.777434][ T3517]  kfree+0x109/0x2b0
[   61.781327][ T3517]  afs_put_call+0x585/0xa40
[   61.785826][ T3517]  rxrpc_discard_prealloc+0x764/0xab0
[   61.791190][ T3517]  rxrpc_listen+0x147/0x360
[   61.795689][ T3517]  afs_close_socket+0x95/0x320
[   61.800448][ T3517]  afs_net_exit+0x1bc/0x310
[   61.804966][ T3517]  ops_exit_list.isra.0+0xa8/0x150
[   61.810095][ T3517]  cleanup_net+0x511/0xa50
[   61.814524][ T3517]  process_one_work+0x965/0x1690
[   61.819474][ T3517]  worker_thread+0x96/0xe10
[   61.823972][ T3517]  kthread+0x3b5/0x4a0
[   61.828039][ T3517]  ret_from_fork+0x1f/0x30
[   61.832465][ T3517] 
[   61.834790][ T3517] The buggy address belongs to the object at ffff88808112f800
[   61.834790][ T3517]  which belongs to the cache kmalloc-1k of size 1024
[   61.848859][ T3517] The buggy address is located 484 bytes inside of
[   61.848859][ T3517]  1024-byte region [ffff88808112f800, ffff88808112fc00)
[   61.862212][ T3517] The buggy address belongs to the page:
[   61.867851][ T3517] page:ffffea0002044bc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   61.877080][ T3517] flags: 0xfffe0000000200(slab)
[   61.881930][ T3517] raw: 00fffe0000000200 ffffea0002044b88 ffffea0002044c48 ffff8880aa000c40
[   61.890506][ T3517] raw: 0000000000000000 ffff88808112f000 0000000100000002 0000000000000000
[   61.899079][ T3517] page dumped because: kasan: bad access detected
[   61.905514][ T3517] 
[   61.907835][ T3517] Memory state around the buggy address:
[   61.913571][ T3517]  ffff88808112f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.921712][ T3517]  ffff88808112f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.929776][ T3517] >ffff88808112f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.937832][ T3517]                                                        ^
[   61.945040][ T3517]  ffff88808112fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.953106][ T3517]  ffff88808112fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   61.961184][ T3517] ==================================================================
[   61.969331][ T3517] Disabling lock debugging due to kernel taint
[   61.975511][ T3517] Kernel panic - not syncing: panic_on_warn set ...
[   61.982092][ T3517] CPU: 1 PID: 3517 Comm: kworker/u4:5 Tainted: G    B             5.8.0-rc1-next-20200615-syzkaller #0
[   61.993202][ T3517] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.003257][ T3517] Workqueue: netns cleanup_net
[   62.008010][ T3517] Call Trace:
[   62.011300][ T3517]  dump_stack+0x18f/0x20d
[   62.015626][ T3517]  ? afs_wake_up_async_call+0x660/0x770
[   62.021196][ T3517]  ? afs_put_call+0xa40/0xa40
[   62.025881][ T3517]  panic+0x2e3/0x75c
[   62.029769][ T3517]  ? __warn_printk+0xf3/0xf3
[   62.034350][ T3517]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   62.040499][ T3517]  ? trace_hardirqs_on+0x55/0x220
[   62.045551][ T3517]  ? afs_wake_up_async_call+0x6aa/0x770
[   62.051089][ T3517]  ? afs_wake_up_async_call+0x6aa/0x770
[   62.056625][ T3517]  ? afs_put_call+0xa40/0xa40
[   62.061294][ T3517]  end_report+0x4d/0x53
[   62.065441][ T3517]  kasan_report.cold+0xd/0x37
[   62.070133][ T3517]  ? rcu_read_lock_held_common+0x71/0xa0
[   62.075756][ T3517]  ? afs_wake_up_async_call+0x6aa/0x770
[   62.081297][ T3517]  afs_wake_up_async_call+0x6aa/0x770
[   62.086659][ T3517]  ? afs_close_socket+0x320/0x320
[   62.091682][ T3517]  ? afs_put_call+0xa40/0xa40
[   62.096347][ T3517]  rxrpc_notify_socket+0x1db/0x5d0
[   62.101472][ T3517]  ? afs_put_call+0xa40/0xa40
[   62.106140][ T3517]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   62.112667][ T3517]  rxrpc_call_completed+0xca/0xf0
[   62.117688][ T3517]  rxrpc_discard_prealloc+0x781/0xab0
[   62.123076][ T3517]  ? lock_sock_nested+0x94/0x110
[   62.128004][ T3517]  rxrpc_listen+0x147/0x360
[   62.132506][ T3517]  afs_close_socket+0x95/0x320
[   62.137268][ T3517]  ? afs_purge_servers+0x16d/0x300
[   62.142375][ T3517]  ? afs_rx_discard_new_call+0x50/0x50
[   62.147826][ T3517]  ? init_wait_var_entry+0x200/0x200
[   62.153107][ T3517]  ? rcu_read_lock_held_common+0xa0/0xa0
[   62.158729][ T3517]  ? check_preemption_disabled+0x38/0x220
[   62.164442][ T3517]  afs_net_exit+0x1bc/0x310
[   62.168938][ T3517]  ? afs_net_init+0xe30/0xe30
[   62.173606][ T3517]  ops_exit_list.isra.0+0xa8/0x150
[   62.178709][ T3517]  cleanup_net+0x511/0xa50
[   62.183121][ T3517]  ? unregister_pernet_device+0x70/0x70
[   62.188664][ T3517]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   62.194636][ T3517]  process_one_work+0x965/0x1690
[   62.199571][ T3517]  ? lock_release+0x800/0x800
[   62.204239][ T3517]  ? pwq_dec_nr_in_flight+0x310/0x310
[   62.209603][ T3517]  ? rwlock_bug.part.0+0x90/0x90
[   62.214536][ T3517]  worker_thread+0x96/0xe10
[   62.219041][ T3517]  ? process_one_work+0x1690/0x1690
[   62.224317][ T3517]  kthread+0x3b5/0x4a0
[   62.228379][ T3517]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   62.234096][ T3517]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   62.239810][ T3517]  ret_from_fork+0x1f/0x30
[   62.245531][ T3517] Kernel Offset: disabled
[   62.249851][ T3517] Rebooting in 86400 seconds..