Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.59' (ECDSA) to the list of known hosts.
2020/06/25 16:07:38 fuzzer started
2020/06/25 16:07:39 connecting to host at 10.128.0.26:39129
2020/06/25 16:07:39 checking machine...
2020/06/25 16:07:39 checking revisions...
2020/06/25 16:07:39 testing simple program...
syzkaller login: [   65.898480][ T6806] IPVS: ftp: loaded support on port[0] = 21
2020/06/25 16:07:39 building call list...
[   66.307459][    T7] tipc: TX() has been purged, node left!
[   66.809238][    T7] ==================================================================
[   66.817648][    T7] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[   66.825558][    T7] Write of size 1 at addr ffff8880817c19e4 by task kworker/u4:0/7
[   66.833360][    T7] 
[   66.835701][    T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Not tainted 5.8.0-rc1-syzkaller #0
[   66.844701][    T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   66.855111][    T7] Workqueue: netns cleanup_net
[   66.859889][    T7] Call Trace:
[   66.863572][    T7]  dump_stack+0x18f/0x20d
[   66.867940][    T7]  ? afs_wake_up_async_call+0x430/0x4a0
[   66.873528][    T7]  ? afs_wake_up_async_call+0x430/0x4a0
[   66.879438][    T7]  ? afs_put_call+0x440/0x440
[   66.884372][    T7]  print_address_description.constprop.0.cold+0xae/0x436
[   66.891444][    T7]  ? vprintk_func+0x97/0x1a6
[   66.896340][    T7]  ? afs_wake_up_async_call+0x430/0x4a0
[   66.902386][    T7]  kasan_report.cold+0x1f/0x37
[   66.907285][    T7]  ? afs_wake_up_async_call+0x430/0x4a0
[   66.913288][    T7]  afs_wake_up_async_call+0x430/0x4a0
[   66.918922][    T7]  ? afs_close_socket+0x320/0x320
[   66.924422][    T7]  rxrpc_notify_socket+0x1db/0x5d0
[   66.929709][    T7]  ? afs_put_call+0x440/0x440
[   66.934404][    T7]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   66.941538][    T7]  rxrpc_call_completed+0xd0/0xf0
[   66.947333][    T7]  rxrpc_discard_prealloc+0x777/0xab0
[   66.953015][    T7]  ? lock_sock_nested+0x94/0x110
[   66.958334][    T7]  rxrpc_listen+0x11c/0x330
[   66.963146][    T7]  afs_close_socket+0x95/0x320
[   66.968724][    T7]  ? afs_purge_servers+0x16d/0x300
[   66.974155][    T7]  ? afs_rx_discard_new_call+0x50/0x50
[   66.979643][    T7]  ? init_wait_var_entry+0x200/0x200
[   66.985493][    T7]  ? check_preemption_disabled+0x38/0x220
[   66.991237][    T7]  afs_net_exit+0x1bc/0x310
[   66.995752][    T7]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[   67.001525][    T7]  ops_exit_list+0xb0/0x160
[   67.006064][    T7]  cleanup_net+0x4ea/0xa00
[   67.010756][    T7]  ? __schedule+0x887/0x1eb0
[   67.015728][    T7]  ? ops_free_list.part.0+0x3d0/0x3d0
[   67.021403][    T7]  ? check_preemption_disabled+0x38/0x220
[   67.027325][    T7]  process_one_work+0x94c/0x1670
[   67.032394][    T7]  ? lock_release+0x8d0/0x8d0
[   67.037086][    T7]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   67.042638][    T7]  ? rwlock_bug.part.0+0x90/0x90
[   67.047605][    T7]  worker_thread+0x64c/0x1120
[   67.053126][    T7]  ? process_one_work+0x1670/0x1670
[   67.058360][    T7]  kthread+0x3b5/0x4a0
[   67.062769][    T7]  ? __kthread_bind_mask+0xc0/0xc0
[   67.068315][    T7]  ? __kthread_bind_mask+0xc0/0xc0
[   67.073477][    T7]  ret_from_fork+0x1f/0x30
[   67.078475][    T7] 
[   67.080906][    T7] Allocated by task 6806:
[   67.085255][    T7]  save_stack+0x1b/0x40
[   67.089435][    T7]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   67.095075][    T7]  kmem_cache_alloc_trace+0x14f/0x2d0
[   67.100458][    T7]  afs_alloc_call+0x4f/0x360
[   67.105390][    T7]  afs_charge_preallocation+0xe9/0x2d0
[   67.111038][    T7]  afs_open_socket+0x294/0x360
[   67.115960][    T7]  afs_net_init+0xa6c/0xe30
[   67.120663][    T7]  ops_init+0xaf/0x470
[   67.124773][    T7]  setup_net+0x2d8/0x850
[   67.129295][    T7]  copy_net_ns+0x2cf/0x5e0
[   67.133728][    T7]  create_new_namespaces+0x3f6/0xb10
[   67.139022][    T7]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   67.145059][    T7]  ksys_unshare+0x36c/0x9a0
[   67.149573][    T7]  __x64_sys_unshare+0x2d/0x40
[   67.154495][    T7]  do_syscall_64+0x60/0xe0
[   67.159132][    T7]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   67.165033][    T7] 
[   67.167399][    T7] Freed by task 7:
[   67.171132][    T7]  save_stack+0x1b/0x40
[   67.175649][    T7]  __kasan_slab_free+0xf5/0x140
[   67.180802][    T7]  kfree+0x103/0x2c0
[   67.184855][    T7]  afs_put_call+0x345/0x440
[   67.189611][    T7]  rxrpc_discard_prealloc+0x75a/0xab0
[   67.195000][    T7]  rxrpc_listen+0x11c/0x330
[   67.199624][    T7]  afs_close_socket+0x95/0x320
[   67.204392][    T7]  afs_net_exit+0x1bc/0x310
[   67.208997][    T7]  ops_exit_list+0xb0/0x160
[   67.213822][    T7]  cleanup_net+0x4ea/0xa00
[   67.218337][    T7]  process_one_work+0x94c/0x1670
[   67.223397][    T7]  worker_thread+0x64c/0x1120
[   67.228084][    T7]  kthread+0x3b5/0x4a0
[   67.232161][    T7]  ret_from_fork+0x1f/0x30
[   67.236681][    T7] 
[   67.239020][    T7] The buggy address belongs to the object at ffff8880817c1800
[   67.239020][    T7]  which belongs to the cache kmalloc-1k of size 1024
[   67.253722][    T7] The buggy address is located 484 bytes inside of
[   67.253722][    T7]  1024-byte region [ffff8880817c1800, ffff8880817c1c00)
[   67.267421][    T7] The buggy address belongs to the page:
[   67.273645][    T7] page:ffffea000205f040 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   67.283193][    T7] flags: 0xfffe0000000200(slab)
[   67.288082][    T7] raw: 00fffe0000000200 ffffea000205efc8 ffffea000205f088 ffff8880aa000c40
[   67.297297][    T7] raw: 0000000000000000 ffff8880817c1000 0000000100000002 0000000000000000
[   67.306291][    T7] page dumped because: kasan: bad access detected
[   67.313460][    T7] 
[   67.315811][    T7] Memory state around the buggy address:
[   67.321588][    T7]  ffff8880817c1880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.329882][    T7]  ffff8880817c1900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.338073][    T7] >ffff8880817c1980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.346698][    T7]                                                        ^
[   67.354047][    T7]  ffff8880817c1a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.362159][    T7]  ffff8880817c1a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   67.370824][    T7] ==================================================================
[   67.379818][    T7] Disabling lock debugging due to kernel taint
[   67.386992][    T7] Kernel panic - not syncing: panic_on_warn set ...
[   67.394422][    T7] CPU: 1 PID: 7 Comm: kworker/u4:0 Tainted: G    B             5.8.0-rc1-syzkaller #0
[   67.405131][    T7] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   67.415925][    T7] Workqueue: netns cleanup_net
[   67.420801][    T7] Call Trace:
[   67.424128][    T7]  dump_stack+0x18f/0x20d
[   67.428784][    T7]  ? afs_wake_up_async_call+0x370/0x4a0
[   67.434448][    T7]  ? afs_put_call+0x440/0x440
[   67.439152][    T7]  panic+0x2e3/0x75c
[   67.443665][    T7]  ? __warn_printk+0xf3/0xf3
[   67.448605][    T7]  ? afs_wake_up_async_call+0x430/0x4a0
[   67.454194][    T7]  ? trace_hardirqs_on+0x55/0x220
[   67.459426][    T7]  ? afs_wake_up_async_call+0x430/0x4a0
[   67.465130][    T7]  ? afs_wake_up_async_call+0x430/0x4a0
[   67.471392][    T7]  ? afs_put_call+0x440/0x440
[   67.476307][    T7]  end_report+0x4d/0x53
[   67.480820][    T7]  kasan_report.cold+0xd/0x37
[   67.486115][    T7]  ? afs_wake_up_async_call+0x430/0x4a0
[   67.492536][    T7]  afs_wake_up_async_call+0x430/0x4a0
[   67.498272][    T7]  ? afs_close_socket+0x320/0x320
[   67.503489][    T7]  rxrpc_notify_socket+0x1db/0x5d0
[   67.509006][    T7]  ? afs_put_call+0x440/0x440
[   67.513698][    T7]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   67.521339][    T7]  rxrpc_call_completed+0xd0/0xf0
[   67.526374][    T7]  rxrpc_discard_prealloc+0x777/0xab0
[   67.531924][    T7]  ? lock_sock_nested+0x94/0x110
[   67.537193][    T7]  rxrpc_listen+0x11c/0x330
[   67.541826][    T7]  afs_close_socket+0x95/0x320
[   67.547045][    T7]  ? afs_purge_servers+0x16d/0x300
[   67.552253][    T7]  ? afs_rx_discard_new_call+0x50/0x50
[   67.557722][    T7]  ? init_wait_var_entry+0x200/0x200
[   67.563018][    T7]  ? check_preemption_disabled+0x38/0x220
[   67.568745][    T7]  afs_net_exit+0x1bc/0x310
[   67.573469][    T7]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[   67.579107][    T7]  ops_exit_list+0xb0/0x160
[   67.583760][    T7]  cleanup_net+0x4ea/0xa00
[   67.590633][    T7]  ? __schedule+0x887/0x1eb0
[   67.595699][    T7]  ? ops_free_list.part.0+0x3d0/0x3d0
[   67.601226][    T7]  ? check_preemption_disabled+0x38/0x220
[   67.607249][    T7]  process_one_work+0x94c/0x1670
[   67.612215][    T7]  ? lock_release+0x8d0/0x8d0
[   67.616897][    T7]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   67.622280][    T7]  ? rwlock_bug.part.0+0x90/0x90
[   67.627412][    T7]  worker_thread+0x64c/0x1120
[   67.632274][    T7]  ? process_one_work+0x1670/0x1670
[   67.637479][    T7]  kthread+0x3b5/0x4a0
[   67.641557][    T7]  ? __kthread_bind_mask+0xc0/0xc0
[   67.646681][    T7]  ? __kthread_bind_mask+0xc0/0xc0
[   67.651969][    T7]  ret_from_fork+0x1f/0x30
[   67.658776][    T7] Kernel Offset: disabled
[   67.663282][    T7] Rebooting in 86400 seconds..
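The report above, fed to a small triage parser. This is an added example, not part of the syzkaller log and not syzkaller's own pkg/report tooling; it works on a constructed excerpt of this report (timestamp and task prefixes stripped, memory-state dump and panic trace dropped), extracts the bug kind, the access, the slab object and the allocation, free and use stacks with instrumentation frames and speculative "?" frames filtered out, and then finds the innermost frame the free stack and the use stack share:

```python
"""KASAN report triage: pull out the fields a triager looks at first.

Added example, not part of the syzkaller log above and not syzkaller's own
pkg/report code. SAMPLE_REPORT is a constructed excerpt of that log with the
"[ ts][ Tn]" prefixes, the memory-state dump and the panic trace removed.
"""
import re

SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
Write of size 1 at addr ffff8880817c19e4 by task kworker/u4:0/7
Call Trace:
 dump_stack+0x18f/0x20d
 kasan_report.cold+0x1f/0x37
 afs_wake_up_async_call+0x430/0x4a0
 rxrpc_notify_socket+0x1db/0x5d0
 __rxrpc_set_call_completion.part.0+0x172/0x410
 rxrpc_call_completed+0xd0/0xf0
 rxrpc_discard_prealloc+0x777/0xab0
 ? lock_sock_nested+0x94/0x110
 rxrpc_listen+0x11c/0x330
 afs_close_socket+0x95/0x320
 afs_net_exit+0x1bc/0x310

Allocated by task 6806:
 save_stack+0x1b/0x40
 afs_alloc_call+0x4f/0x360
 afs_charge_preallocation+0xe9/0x2d0
 afs_open_socket+0x294/0x360
 afs_net_init+0xa6c/0xe30
 copy_net_ns+0x2cf/0x5e0
 ksys_unshare+0x36c/0x9a0

Freed by task 7:
 save_stack+0x1b/0x40
 kfree+0x103/0x2c0
 afs_put_call+0x345/0x440
 rxrpc_discard_prealloc+0x75a/0xab0
 rxrpc_listen+0x11c/0x330
 afs_close_socket+0x95/0x320
 afs_net_exit+0x1bc/0x310

The buggy address belongs to the object at ffff8880817c1800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 484 bytes inside of
 1024-byte region [ffff8880817c1800, ffff8880817c1c00)
"""

HEADER_RE = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>\w+)\+0x")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
OFFSET_RE = re.compile(r"located (\d+) bytes inside of")
FRAME_RE = re.compile(r"^\s*(\?\s+)?(?P<sym>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x[0-9a-f]+\s*$")

# Instrumentation and reporting frames that say nothing about the bug itself.
NOISE = {"dump_stack", "print_address_description", "kasan_report", "save_stack",
         "__kasan_kmalloc", "__kasan_slab_free", "kmem_cache_alloc_trace", "kfree"}


def parse_kasan_report(text):
    """Return header fields plus 'use', 'alloc' and 'free' stacks as (symbol, offset)."""
    info = {"use": [], "alloc": [], "free": []}
    section = None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            info["kind"], info["func"] = m["kind"], m["func"]
        elif m := ACCESS_RE.search(line):
            info["op"], info["size"] = m[1].lower(), int(m[2])
            info["addr"], info["task"] = int(m[3], 16), m[4]
        elif m := CACHE_RE.search(line):
            info["cache"], info["objsize"] = m[1], int(m[2])
        elif m := OFFSET_RE.search(line):
            info["offset"] = int(m[1])
        elif line.startswith("Call Trace:"):
            section = "use" if not info["use"] else None  # only the first trace
        elif line.startswith("Allocated by task"):
            section = "alloc"
        elif line.startswith("Freed by task"):
            section = "free"
        elif not line.strip():
            section = None
        elif section and (m := FRAME_RE.match(line)) and not m[1]:  # skip "? " frames
            sym = m["sym"].split(".")[0]  # drop .constprop/.part/.cold suffixes
            if sym not in NOISE:
                info[section].append((sym, int(m["off"], 16)))
    return info


def lifetime_split(info):
    """Innermost frame shared by the free and use stacks, with both return offsets.

    For a use-after-free this names the function that released the object and
    then, directly or through callees, touched it again; a smaller free offset
    means the free precedes the use in that function's code.
    """
    use_offs = dict(info["use"])
    for sym, free_off in info["free"]:
        if sym in use_offs:
            return sym, free_off, use_offs[sym]
    return None
```

On this report the shared frame is rxrpc_discard_prealloc, reached at +0x75a for the free (through afs_put_call) and at +0x777 for the use (through rxrpc_call_completed, __rxrpc_set_call_completion, rxrpc_notify_socket and afs_wake_up_async_call), which is the first place a reviewer would read; the 484-byte offset inside the kmalloc-1k object locates the field being written.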