Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.10.51' (ECDSA) to the list of known hosts. 2020/06/19 04:16:01 fuzzer started 2020/06/19 04:16:01 connecting to host at 10.128.0.26:45101 2020/06/19 04:16:01 checking machine... 2020/06/19 04:16:01 checking revisions... 2020/06/19 04:16:01 testing simple program... syzkaller login: [ 63.008103][ T6845] IPVS: ftp: loaded support on port[0] = 21 2020/06/19 04:16:01 building call list... [ 63.325300][ T21] tipc: TX() has been purged, node left! [ 63.826766][ T21] ================================================================== [ 63.835043][ T21] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770 [ 63.843218][ T21] Write of size 1 at addr ffff8880a60909e4 by task kworker/u4:1/21 [ 63.851095][ T21] [ 63.853439][ T21] CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 5.8.0-rc1-syzkaller #0 [ 63.861678][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 63.871742][ T21] Workqueue: netns cleanup_net [ 63.876516][ T21] Call Trace: [ 63.879821][ T21] dump_stack+0x18f/0x20d [ 63.884181][ T21] ? afs_wake_up_async_call+0x6aa/0x770 [ 63.889729][ T21] ? afs_wake_up_async_call+0x6aa/0x770 [ 63.895286][ T21] ? afs_put_call+0xa40/0xa40 [ 63.899967][ T21] print_address_description.constprop.0.cold+0xd3/0x413 [ 63.907025][ T21] ? vprintk_func+0x97/0x1a6 [ 63.911641][ T21] ? afs_wake_up_async_call+0x6aa/0x770 [ 63.917206][ T21] kasan_report.cold+0x1f/0x37 [ 63.921972][ T21] ? rcu_read_lock_held_common+0x51/0xa0 [ 63.927599][ T21] ? afs_wake_up_async_call+0x6aa/0x770 [ 63.933144][ T21] afs_wake_up_async_call+0x6aa/0x770 [ 63.938521][ T21] ? afs_close_socket+0x320/0x320 [ 63.943552][ T21] ? afs_put_call+0xa40/0xa40 [ 63.948242][ T21] rxrpc_notify_socket+0x1db/0x5d0 [ 63.953357][ T21] ? afs_put_call+0xa40/0xa40 [ 63.958054][ T21] __rxrpc_set_call_completion.part.0+0x172/0x410 [ 63.964576][ T21] rxrpc_call_completed+0xca/0xf0 [ 63.969612][ T21] rxrpc_discard_prealloc+0x781/0xab0 [ 63.974990][ T21] ? lock_sock_nested+0x94/0x110 [ 63.979939][ T21] rxrpc_listen+0x147/0x360 [ 63.984445][ T21] afs_close_socket+0x95/0x320 [ 63.989211][ T21] ? afs_purge_servers+0x16d/0x300 [ 63.994359][ T21] ? afs_rx_discard_new_call+0x50/0x50 [ 63.999845][ T21] ? init_wait_var_entry+0x200/0x200 [ 64.005139][ T21] ? rcu_read_lock_held_common+0xa0/0xa0 [ 64.010793][ T21] ? check_preemption_disabled+0x38/0x220 [ 64.017072][ T21] afs_net_exit+0x1bc/0x310 [ 64.021589][ T21] ? afs_net_init+0xe30/0xe30 [ 64.026261][ T21] ops_exit_list.isra.0+0xa8/0x150 [ 64.031376][ T21] cleanup_net+0x511/0xa50 [ 64.035795][ T21] ? unregister_pernet_device+0x70/0x70 [ 64.041356][ T21] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 64.047347][ T21] process_one_work+0x965/0x1690 [ 64.052338][ T21] ? lock_release+0x800/0x800 [ 64.057336][ T21] ? pwq_dec_nr_in_flight+0x310/0x310 [ 64.062728][ T21] ? rwlock_bug.part.0+0x90/0x90 [ 64.067689][ T21] worker_thread+0x96/0xe10 [ 64.072213][ T21] ? process_one_work+0x1690/0x1690 [ 64.077413][ T21] kthread+0x3b5/0x4a0 [ 64.081480][ T21] ? kthread_mod_delayed_work+0x1a0/0x1a0 [ 64.087195][ T21] ? kthread_mod_delayed_work+0x1a0/0x1a0 [ 64.092984][ T21] ret_from_fork+0x1f/0x30 [ 64.097435][ T21] [ 64.099764][ T21] Allocated by task 6845: [ 64.104127][ T21] save_stack+0x1b/0x40 [ 64.108288][ T21] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 64.113937][ T21] kmem_cache_alloc_trace+0x153/0x7d0 [ 64.119305][ T21] afs_alloc_call+0x55/0x630 [ 64.123893][ T21] afs_charge_preallocation+0xe9/0x2d0 [ 64.129636][ T21] afs_open_socket+0x292/0x360 [ 64.134510][ T21] afs_net_init+0xa6c/0xe30 [ 64.139009][ T21] ops_init+0xaf/0x420 [ 64.143091][ T21] setup_net+0x2de/0x860 [ 64.147444][ T21] copy_net_ns+0x293/0x590 [ 64.151860][ T21] create_new_namespaces+0x3fb/0xb30 [ 64.157246][ T21] unshare_nsproxy_namespaces+0xbd/0x1f0 [ 64.162884][ T21] ksys_unshare+0x43d/0x8e0 [ 64.167411][ T21] __x64_sys_unshare+0x2d/0x40 [ 64.172207][ T21] do_syscall_64+0x60/0xe0 [ 64.176628][ T21] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 64.182627][ T21] [ 64.184962][ T21] Freed by task 21: [ 64.188773][ T21] save_stack+0x1b/0x40 [ 64.192929][ T21] __kasan_slab_free+0xf7/0x140 [ 64.197773][ T21] kfree+0x109/0x2b0 [ 64.201666][ T21] afs_put_call+0x585/0xa40 [ 64.206167][ T21] rxrpc_discard_prealloc+0x764/0xab0 [ 64.211544][ T21] rxrpc_listen+0x147/0x360 [ 64.216043][ T21] afs_close_socket+0x95/0x320 [ 64.220802][ T21] afs_net_exit+0x1bc/0x310 [ 64.225308][ T21] ops_exit_list.isra.0+0xa8/0x150 [ 64.230443][ T21] cleanup_net+0x511/0xa50 [ 64.234869][ T21] process_one_work+0x965/0x1690 [ 64.239812][ T21] worker_thread+0x96/0xe10 [ 64.244309][ T21] kthread+0x3b5/0x4a0 [ 64.248375][ T21] ret_from_fork+0x1f/0x30 [ 64.252796][ T21] [ 64.255122][ T21] The buggy address belongs to the object at ffff8880a6090800 [ 64.255122][ T21] which belongs to the cache kmalloc-1k of size 1024 [ 64.269170][ T21] The buggy address is located 484 bytes inside of [ 64.269170][ T21] 1024-byte region [ffff8880a6090800, ffff8880a6090c00) [ 64.282525][ T21] The buggy address belongs to the page: [ 64.288157][ T21] page:ffffea0002982400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 [ 64.297275][ T21] flags: 0xfffe0000000200(slab) [ 64.302158][ T21] raw: 00fffe0000000200 ffffea000269c108 ffffea00027d8648 ffff8880aa000c40 [ 64.311281][ T21] raw: 0000000000000000 ffff8880a6090000 0000000100000002 0000000000000000 [ 64.319887][ T21] page dumped because: kasan: bad access detected [ 64.326320][ T21] [ 64.328666][ T21] Memory state around the buggy address: [ 64.334302][ T21] ffff8880a6090880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.342365][ T21] ffff8880a6090900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.350642][ T21] >ffff8880a6090980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.358935][ T21] ^ [ 64.366261][ T21] ffff8880a6090a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.374341][ T21] ffff8880a6090a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 64.382420][ T21] ================================================================== [ 64.390484][ T21] Disabling lock debugging due to kernel taint [ 64.396698][ T21] Kernel panic - not syncing: panic_on_warn set ... [ 64.403485][ T21] CPU: 1 PID: 21 Comm: kworker/u4:1 Tainted: G B 5.8.0-rc1-syzkaller #0 [ 64.413193][ T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 64.423256][ T21] Workqueue: netns cleanup_net [ 64.428020][ T21] Call Trace: [ 64.431380][ T21] dump_stack+0x18f/0x20d [ 64.435899][ T21] ? afs_wake_up_async_call+0x680/0x770 [ 64.441476][ T21] ? afs_put_call+0xa40/0xa40 [ 64.446329][ T21] panic+0x2e3/0x75c [ 64.450227][ T21] ? __warn_printk+0xf3/0xf3 [ 64.455194][ T21] ? asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 64.461487][ T21] ? trace_hardirqs_on+0x55/0x220 [ 64.466800][ T21] ? afs_wake_up_async_call+0x6aa/0x770 [ 64.472349][ T21] ? afs_wake_up_async_call+0x6aa/0x770 [ 64.477896][ T21] ? afs_put_call+0xa40/0xa40 [ 64.483135][ T21] end_report+0x4d/0x53 [ 64.487282][ T21] kasan_report.cold+0xd/0x37 [ 64.491988][ T21] ? rcu_read_lock_held_common+0x51/0xa0 [ 64.497609][ T21] ? afs_wake_up_async_call+0x6aa/0x770 [ 64.503157][ T21] afs_wake_up_async_call+0x6aa/0x770 [ 64.508528][ T21] ? afs_close_socket+0x320/0x320 [ 64.513541][ T21] ? afs_put_call+0xa40/0xa40 [ 64.518225][ T21] rxrpc_notify_socket+0x1db/0x5d0 [ 64.523385][ T21] ? afs_put_call+0xa40/0xa40 [ 64.528105][ T21] __rxrpc_set_call_completion.part.0+0x172/0x410 [ 64.534602][ T21] rxrpc_call_completed+0xca/0xf0 [ 64.539656][ T21] rxrpc_discard_prealloc+0x781/0xab0 [ 64.545145][ T21] ? lock_sock_nested+0x94/0x110 [ 64.550192][ T21] rxrpc_listen+0x147/0x360 [ 64.554698][ T21] afs_close_socket+0x95/0x320 [ 64.559482][ T21] ? afs_purge_servers+0x16d/0x300 [ 64.564622][ T21] ? afs_rx_discard_new_call+0x50/0x50 [ 64.570129][ T21] ? init_wait_var_entry+0x200/0x200 [ 64.575426][ T21] ? rcu_read_lock_held_common+0xa0/0xa0 [ 64.581074][ T21] ? check_preemption_disabled+0x38/0x220 [ 64.587143][ T21] afs_net_exit+0x1bc/0x310 [ 64.591636][ T21] ? afs_net_init+0xe30/0xe30 [ 64.596497][ T21] ops_exit_list.isra.0+0xa8/0x150 [ 64.601666][ T21] cleanup_net+0x511/0xa50 [ 64.606173][ T21] ? unregister_pernet_device+0x70/0x70 [ 64.612316][ T21] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 64.618551][ T21] process_one_work+0x965/0x1690 [ 64.623485][ T21] ? lock_release+0x800/0x800 [ 64.628155][ T21] ? pwq_dec_nr_in_flight+0x310/0x310 [ 64.633515][ T21] ? rwlock_bug.part.0+0x90/0x90 [ 64.638464][ T21] worker_thread+0x96/0xe10 [ 64.643074][ T21] ? process_one_work+0x1690/0x1690 [ 64.648272][ T21] kthread+0x3b5/0x4a0 [ 64.652326][ T21] ? kthread_mod_delayed_work+0x1a0/0x1a0 [ 64.658134][ T21] ? kthread_mod_delayed_work+0x1a0/0x1a0 [ 64.663964][ T21] ret_from_fork+0x1f/0x30 [ 64.669896][ T21] Kernel Offset: disabled [ 64.674258][ T21] Rebooting in 86400 seconds..