Warning: Permanently added '10.128.1.54' (ECDSA) to the list of known hosts.
2020/06/19 08:27:54 fuzzer started
2020/06/19 08:27:54 connecting to host at 10.128.0.26:41019
2020/06/19 08:27:54 checking machine...
2020/06/19 08:27:54 checking revisions...
2020/06/19 08:27:54 testing simple program...
syzkaller login: [   60.724200][ T6818] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 08:27:55 building call list...
[   61.102390][ T6635] tipc: TX() has been purged, node left!
[   61.604709][ T6635] ==================================================================
[   61.613132][ T6635] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   61.621021][ T6635] Write of size 1 at addr ffff8880a2bff1e4 by task kworker/u4:10/6635
[   61.629162][ T6635]
[   61.631493][ T6635] CPU: 0 PID: 6635 Comm: kworker/u4:10 Not tainted 5.8.0-rc1-syzkaller #0
[   61.639980][ T6635] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.650039][ T6635] Workqueue: netns cleanup_net
[   61.654800][ T6635] Call Trace:
[   61.658098][ T6635]  dump_stack+0x18f/0x20d
[   61.662452][ T6635]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.668233][ T6635]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.673787][ T6635]  ? afs_put_call+0xa40/0xa40
[   61.678484][ T6635]  print_address_description.constprop.0.cold+0xd3/0x413
[   61.685627][ T6635]  ? vprintk_func+0x97/0x1a6
[   61.691104][ T6635]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.696741][ T6635]  kasan_report.cold+0x1f/0x37
[   61.702464][ T6635]  ? rcu_read_lock_held_common+0x51/0xa0
[   61.708093][ T6635]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.713646][ T6635]  afs_wake_up_async_call+0x6aa/0x770
[   61.719015][ T6635]  ? afs_close_socket+0x320/0x320
[   61.724743][ T6635]  ? afs_put_call+0xa40/0xa40
[   61.729438][ T6635]  rxrpc_notify_socket+0x1db/0x5d0
[   61.734554][ T6635]  ? afs_put_call+0xa40/0xa40
[   61.739229][ T6635]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   61.745666][ T6635]  rxrpc_call_completed+0xca/0xf0
[   61.750708][ T6635]  rxrpc_discard_prealloc+0x781/0xab0
[   61.756087][ T6635]  ? lock_sock_nested+0x94/0x110
[   61.761051][ T6635]  rxrpc_listen+0x147/0x360
[   61.770331][ T6635]  afs_close_socket+0x95/0x320
[   61.775584][ T6635]  ? afs_purge_servers+0x16d/0x300
[   61.780878][ T6635]  ? afs_rx_discard_new_call+0x50/0x50
[   61.786346][ T6635]  ? init_wait_var_entry+0x200/0x200
[   61.791660][ T6635]  ? rcu_read_lock_held_common+0xa0/0xa0
[   61.797309][ T6635]  ? check_preemption_disabled+0x38/0x220
[   61.803193][ T6635]  afs_net_exit+0x1bc/0x310
[   61.807702][ T6635]  ? afs_net_init+0xe30/0xe30
[   61.812380][ T6635]  ops_exit_list.isra.0+0xa8/0x150
[   61.817509][ T6635]  cleanup_net+0x511/0xa50
[   61.821928][ T6635]  ? unregister_pernet_device+0x70/0x70
[   61.827475][ T6635]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   61.833465][ T6635]  process_one_work+0x965/0x1690
[   61.838417][ T6635]  ? lock_release+0x800/0x800
[   61.843109][ T6635]  ? pwq_dec_nr_in_flight+0x310/0x310
[   61.848501][ T6635]  ? rwlock_bug.part.0+0x90/0x90
[   61.853449][ T6635]  worker_thread+0x96/0xe10
[   61.857966][ T6635]  ? process_one_work+0x1690/0x1690
[   61.863166][ T6635]  kthread+0x3b5/0x4a0
[   61.867237][ T6635]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   61.872951][ T6635]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   61.878760][ T6635]  ret_from_fork+0x1f/0x30
[   61.883182][ T6635]
[   61.885510][ T6635] Allocated by task 6818:
[   61.889867][ T6635]  save_stack+0x1b/0x40
[   61.894021][ T6635]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   61.899653][ T6635]  kmem_cache_alloc_trace+0x153/0x7d0
[   61.905017][ T6635]  afs_alloc_call+0x55/0x630
[   61.909612][ T6635]  afs_charge_preallocation+0xe9/0x2d0
[   61.915066][ T6635]  afs_open_socket+0x292/0x360
[   61.919823][ T6635]  afs_net_init+0xa6c/0xe30
[   61.924321][ T6635]  ops_init+0xaf/0x420
[   61.928388][ T6635]  setup_net+0x2de/0x860
[   61.932642][ T6635]  copy_net_ns+0x293/0x590
[   61.937268][ T6635]  create_new_namespaces+0x3fb/0xb30
[   61.942565][ T6635]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   61.948227][ T6635]  ksys_unshare+0x43d/0x8e0
[   61.952732][ T6635]  __x64_sys_unshare+0x2d/0x40
[   61.957492][ T6635]  do_syscall_64+0x60/0xe0
[   61.961903][ T6635]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   61.967799][ T6635]
[   61.970125][ T6635] Freed by task 6635:
[   61.974118][ T6635]  save_stack+0x1b/0x40
[   61.978271][ T6635]  __kasan_slab_free+0xf7/0x140
[   61.983113][ T6635]  kfree+0x109/0x2b0
[   61.987001][ T6635]  afs_put_call+0x585/0xa40
[   61.991507][ T6635]  rxrpc_discard_prealloc+0x764/0xab0
[   61.996873][ T6635]  rxrpc_listen+0x147/0x360
[   62.001371][ T6635]  afs_close_socket+0x95/0x320
[   62.006144][ T6635]  afs_net_exit+0x1bc/0x310
[   62.010663][ T6635]  ops_exit_list.isra.0+0xa8/0x150
[   62.015781][ T6635]  cleanup_net+0x511/0xa50
[   62.020209][ T6635]  process_one_work+0x965/0x1690
[   62.025354][ T6635]  worker_thread+0x96/0xe10
[   62.029872][ T6635]  kthread+0x3b5/0x4a0
[   62.033989][ T6635]  ret_from_fork+0x1f/0x30
[   62.038572][ T6635]
[   62.040915][ T6635] The buggy address belongs to the object at ffff8880a2bff000
[   62.040915][ T6635]  which belongs to the cache kmalloc-1k of size 1024
[   62.054976][ T6635] The buggy address is located 484 bytes inside of
[   62.054976][ T6635]  1024-byte region [ffff8880a2bff000, ffff8880a2bff400)
[   62.069099][ T6635] The buggy address belongs to the page:
[   62.074741][ T6635] page:ffffea00028affc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   62.083856][ T6635] flags: 0xfffe0000000200(slab)
[   62.088725][ T6635] raw: 00fffe0000000200 ffffea00029d6988 ffffea00029dbd48 ffff8880aa000c40
[   62.097614][ T6635] raw: 0000000000000000 ffff8880a2bff000 0000000100000002 0000000000000000
[   62.106195][ T6635] page dumped because: kasan: bad access detected
[   62.112601][ T6635]
[   62.114928][ T6635] Memory state around the buggy address:
[   62.120560][ T6635]  ffff8880a2bff080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.128624][ T6635]  ffff8880a2bff100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.136689][ T6635] >ffff8880a2bff180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.144769][ T6635]                                                        ^
[   62.152663][ T6635]  ffff8880a2bff200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.160756][ T6635]  ffff8880a2bff280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.168838][ T6635] ==================================================================
[   62.176896][ T6635] Disabling lock debugging due to kernel taint
[   62.183364][ T6635] Kernel panic - not syncing: panic_on_warn set ...
[   62.189948][ T6635] CPU: 0 PID: 6635 Comm: kworker/u4:10 Tainted: G    B             5.8.0-rc1-syzkaller #0
[   62.199820][ T6635] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.209876][ T6635] Workqueue: netns cleanup_net
[   62.214626][ T6635] Call Trace:
[   62.217915][ T6635]  dump_stack+0x18f/0x20d
[   62.222244][ T6635]  ? afs_wake_up_async_call+0x670/0x770
[   62.228127][ T6635]  ? afs_put_call+0xa40/0xa40
[   62.232798][ T6635]  panic+0x2e3/0x75c
[   62.236695][ T6635]  ? __warn_printk+0xf3/0xf3
[   62.241280][ T6635]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   62.247431][ T6635]  ? trace_hardirqs_on+0x55/0x220
[   62.252449][ T6635]  ? afs_wake_up_async_call+0x6aa/0x770
[   62.257992][ T6635]  ? afs_wake_up_async_call+0x6aa/0x770
[   62.263545][ T6635]  ? afs_put_call+0xa40/0xa40
[   62.268219][ T6635]  end_report+0x4d/0x53
[   62.272370][ T6635]  kasan_report.cold+0xd/0x37
[   62.277044][ T6635]  ? rcu_read_lock_held_common+0x51/0xa0
[   62.282672][ T6635]  ? afs_wake_up_async_call+0x6aa/0x770
[   62.288219][ T6635]  afs_wake_up_async_call+0x6aa/0x770
[   62.293589][ T6635]  ? afs_close_socket+0x320/0x320
[   62.298608][ T6635]  ? afs_put_call+0xa40/0xa40
[   62.303289][ T6635]  rxrpc_notify_socket+0x1db/0x5d0
[   62.308395][ T6635]  ? afs_put_call+0xa40/0xa40
[   62.313124][ T6635]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   62.319549][ T6635]  rxrpc_call_completed+0xca/0xf0
[   62.324749][ T6635]  rxrpc_discard_prealloc+0x781/0xab0
[   62.330391][ T6635]  ? lock_sock_nested+0x94/0x110
[   62.335327][ T6635]  rxrpc_listen+0x147/0x360
[   62.339824][ T6635]  afs_close_socket+0x95/0x320
[   62.344843][ T6635]  ? afs_purge_servers+0x16d/0x300
[   62.349948][ T6635]  ? afs_rx_discard_new_call+0x50/0x50
[   62.355420][ T6635]  ? init_wait_var_entry+0x200/0x200
[   62.360986][ T6635]  ? rcu_read_lock_held_common+0xa0/0xa0
[   62.366614][ T6635]  ? check_preemption_disabled+0x38/0x220
[   62.372847][ T6635]  afs_net_exit+0x1bc/0x310
[   62.377345][ T6635]  ? afs_net_init+0xe30/0xe30
[   62.382127][ T6635]  ops_exit_list.isra.0+0xa8/0x150
[   62.388011][ T6635]  cleanup_net+0x511/0xa50
[   62.392506][ T6635]  ? unregister_pernet_device+0x70/0x70
[   62.398143][ T6635]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   62.404121][ T6635]  process_one_work+0x965/0x1690
[   62.409061][ T6635]  ? lock_release+0x800/0x800
[   62.413731][ T6635]  ? pwq_dec_nr_in_flight+0x310/0x310
[   62.419102][ T6635]  ? rwlock_bug.part.0+0x90/0x90
[   62.424127][ T6635]  worker_thread+0x96/0xe10
[   62.428640][ T6635]  ? process_one_work+0x1690/0x1690
[   62.433832][ T6635]  kthread+0x3b5/0x4a0
[   62.437898][ T6635]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   62.443967][ T6635]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   62.449691][ T6635]  ret_from_fork+0x1f/0x30
[   62.455593][ T6635] Kernel Offset: disabled
[   62.460027][ T6635] Rebooting in 86400 seconds..