syzbot

tipc: TX() has been purged, node left!
==================================================================
BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0 fs/afs/rxrpc.c:707
Write of size 1 at addr ffff8880820239e4 by task kworker/u4:2/25

CPU: 0 PID: 25 Comm: kworker/u4:2 Not tainted 5.8.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1f0/0x31e lib/dump_stack.c:118
 print_address_description+0x66/0x5a0 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 afs_wake_up_async_call+0x16f/0x1c0 fs/afs/rxrpc.c:707
 rxrpc_notify_socket+0x1e7/0x4a0 net/rxrpc/recvmsg.c:40
 __rxrpc_set_call_completion net/rxrpc/recvmsg.c:76 [inline]
 __rxrpc_call_completed net/rxrpc/recvmsg.c:102 [inline]
 rxrpc_call_completed+0x131/0x210 net/rxrpc/recvmsg.c:111
 rxrpc_discard_prealloc+0x60d/0x710 net/rxrpc/call_accept.c:233
 rxrpc_listen+0x246/0x370 net/rxrpc/af_rxrpc.c:245
 afs_close_socket+0x57/0x280 fs/afs/rxrpc.c:110
 afs_net_exit+0x57/0xa0 fs/afs/main.c:158
 ops_exit_list net/core/net_namespace.c:186 [inline]
 cleanup_net+0x708/0xba0 net/core/net_namespace.c:603
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

Allocated by task 6831:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494
 kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551
 kmalloc include/linux/slab.h:555 [inline]
 kzalloc include/linux/slab.h:669 [inline]
 afs_alloc_call+0x89/0x2f0 fs/afs/rxrpc.c:141
 afs_charge_preallocation+0xf0/0x2a0 fs/afs/rxrpc.c:757
 afs_open_socket+0x3c7/0x510 fs/afs/rxrpc.c:92
 afs_net_init+0x7a0/0x990 fs/afs/main.c:126
 ops_init+0x320/0x410 net/core/net_namespace.c:151
 setup_net+0x1cb/0x770 net/core/net_namespace.c:341
 copy_net_ns+0x339/0x540 net/core/net_namespace.c:482
 create_new_namespaces+0x52e/0x9f0 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x123/0x190 kernel/nsproxy.c:231
 ksys_unshare+0x463/0x950 kernel/fork.c:2983
 __do_sys_unshare kernel/fork.c:3051 [inline]
 __se_sys_unshare kernel/fork.c:3049 [inline]
 __x64_sys_unshare+0x34/0x40 kernel/fork.c:3049
 do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:359
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 25:
 save_stack mm/kasan/common.c:48 [inline]
 set_track mm/kasan/common.c:56 [inline]
 kasan_set_free_info mm/kasan/common.c:316 [inline]
 __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455
 __cache_free mm/slab.c:3426 [inline]
 kfree+0x10a/0x220 mm/slab.c:3757
 afs_put_call+0x30e/0x420 fs/afs/rxrpc.c:190
 rxrpc_discard_prealloc+0x5e2/0x710 net/rxrpc/call_accept.c:230
 rxrpc_listen+0x246/0x370 net/rxrpc/af_rxrpc.c:245
 afs_close_socket+0x57/0x280 fs/afs/rxrpc.c:110
 afs_net_exit+0x57/0xa0 fs/afs/main.c:158
 ops_exit_list net/core/net_namespace.c:186 [inline]
 cleanup_net+0x708/0xba0 net/core/net_namespace.c:603
 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269
 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415
 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293

The buggy address belongs to the object at ffff888082023800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 484 bytes inside of
 1024-byte region [ffff888082023800, ffff888082023c00)
The buggy address belongs to the page:
page:ffffea00020808c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002080848 ffffea0002080908 ffff8880aa400c40
raw: 0000000000000000 ffff888082023000 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888082023880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888082023900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888082023980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff888082023a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888082023a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================