Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.49' (ECDSA) to the list of known hosts.
2020/07/02 01:14:33 fuzzer started
2020/07/02 01:14:33 connecting to host at 10.128.0.26:40115
2020/07/02 01:14:33 checking machine...
2020/07/02 01:14:33 checking revisions...
2020/07/02 01:14:33 testing simple program...
syzkaller login: [ 59.635692][ T6817] IPVS: ftp: loaded support on port[0] = 21
2020/07/02 01:14:34 building call list...
[ 59.953687][ T2749] tipc: TX() has been purged, node left!
[ 60.465509][ T2749] ==================================================================
[ 60.473854][ T2749] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[ 60.481737][ T2749] Write of size 1 at addr ffff888097b351e4 by task kworker/u4:5/2749
[ 60.489784][ T2749]
[ 60.492114][ T2749] CPU: 1 PID: 2749 Comm: kworker/u4:5 Not tainted 5.8.0-rc1-syzkaller #0
[ 60.500539][ T2749] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.510592][ T2749] Workqueue: netns cleanup_net
[ 60.515342][ T2749] Call Trace:
[ 60.518645][ T2749]  dump_stack+0x18f/0x20d
[ 60.522975][ T2749]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.528515][ T2749]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.534051][ T2749]  ? afs_put_call+0x440/0x440
[ 60.538731][ T2749]  print_address_description.constprop.0.cold+0xae/0x436
[ 60.545757][ T2749]  ? vprintk_func+0x97/0x1a6
[ 60.550366][ T2749]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.555907][ T2749]  kasan_report.cold+0x1f/0x37
[ 60.560670][ T2749]  ? afs_wake_up_async_call+0x430/0x4a0
[ 60.566217][ T2749]  afs_wake_up_async_call+0x430/0x4a0
[ 60.571583][ T2749]  ? afs_close_socket+0x320/0x320
[ 60.576611][ T2749]  rxrpc_notify_socket+0x1db/0x5d0
[ 60.581721][ T2749]  ? afs_put_call+0x440/0x440
[ 60.586396][ T2749]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 60.592811][ T2749]  rxrpc_call_completed+0xd0/0xf0
[ 60.597837][ T2749]  rxrpc_discard_prealloc+0x777/0xab0
[ 60.603205][ T2749]  ? lock_sock_nested+0x94/0x110
[ 60.608146][ T2749]  rxrpc_listen+0x11c/0x330
[ 60.612647][ T2749]  afs_close_socket+0x95/0x320
[ 60.617405][ T2749]  ? afs_purge_servers+0x16d/0x300
[ 60.622536][ T2749]  ? afs_rx_discard_new_call+0x50/0x50
[ 60.628004][ T2749]  ? init_wait_var_entry+0x200/0x200
[ 60.633298][ T2749]  ? check_preemption_disabled+0x38/0x220
[ 60.639022][ T2749]  afs_net_exit+0x1bc/0x310
[ 60.643523][ T2749]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 60.649153][ T2749]  ops_exit_list+0xb0/0x160
[ 60.653656][ T2749]  cleanup_net+0x4ea/0xa00
[ 60.658068][ T2749]  ? __schedule+0x887/0x1eb0
[ 60.662743][ T2749]  ? ops_free_list.part.0+0x3d0/0x3d0
[ 60.668132][ T2749]  ? check_preemption_disabled+0x38/0x220
[ 60.673860][ T2749]  process_one_work+0x94c/0x1670
[ 60.678907][ T2749]  ? lock_release+0x8d0/0x8d0
[ 60.683579][ T2749]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 60.688953][ T2749]  ? rwlock_bug.part.0+0x90/0x90
[ 60.693899][ T2749]  worker_thread+0x64c/0x1120
[ 60.698585][ T2749]  ? __kthread_parkme+0x13f/0x1e0
[ 60.703606][ T2749]  ? process_one_work+0x1670/0x1670
[ 60.708887][ T2749]  kthread+0x3b5/0x4a0
[ 60.712956][ T2749]  ? __kthread_bind_mask+0xc0/0xc0
[ 60.718056][ T2749]  ? __kthread_bind_mask+0xc0/0xc0
[ 60.723167][ T2749]  ret_from_fork+0x1f/0x30
[ 60.727589][ T2749]
[ 60.729910][ T2749] Allocated by task 6817:
[ 60.734322][ T2749]  save_stack+0x1b/0x40
[ 60.738472][ T2749]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[ 60.744106][ T2749]  kmem_cache_alloc_trace+0x14f/0x2d0
[ 60.749470][ T2749]  afs_alloc_call+0x4f/0x360
[ 60.754056][ T2749]  afs_charge_preallocation+0xe9/0x2d0
[ 60.759609][ T2749]  afs_open_socket+0x294/0x360
[ 60.764363][ T2749]  afs_net_init+0xa6c/0xe30
[ 60.768858][ T2749]  ops_init+0xaf/0x470
[ 60.772916][ T2749]  setup_net+0x2d8/0x850
[ 60.777168][ T2749]  copy_net_ns+0x2cf/0x5e0
[ 60.781581][ T2749]  create_new_namespaces+0x3f6/0xb10
[ 60.786963][ T2749]  unshare_nsproxy_namespaces+0xbd/0x1f0
[ 60.792607][ T2749]  ksys_unshare+0x36c/0x9a0
[ 60.797109][ T2749]  __x64_sys_unshare+0x2d/0x40
[ 60.801870][ T2749]  do_syscall_64+0x60/0xe0
[ 60.806287][ T2749]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.812164][ T2749]
[ 60.814485][ T2749] Freed by task 2749:
[ 60.818468][ T2749]  save_stack+0x1b/0x40
[ 60.822617][ T2749]  __kasan_slab_free+0xf5/0x140
[ 60.827460][ T2749]  kfree+0x103/0x2c0
[ 60.831352][ T2749]  afs_put_call+0x345/0x440
[ 60.835851][ T2749]  rxrpc_discard_prealloc+0x75a/0xab0
[ 60.841215][ T2749]  rxrpc_listen+0x11c/0x330
[ 60.845713][ T2749]  afs_close_socket+0x95/0x320
[ 60.850471][ T2749]  afs_net_exit+0x1bc/0x310
[ 60.854970][ T2749]  ops_exit_list+0xb0/0x160
[ 60.859485][ T2749]  cleanup_net+0x4ea/0xa00
[ 60.863897][ T2749]  process_one_work+0x94c/0x1670
[ 60.868826][ T2749]  worker_thread+0x64c/0x1120
[ 60.873494][ T2749]  kthread+0x3b5/0x4a0
[ 60.877559][ T2749]  ret_from_fork+0x1f/0x30
[ 60.881955][ T2749]
[ 60.884278][ T2749] The buggy address belongs to the object at ffff888097b35000
[ 60.884278][ T2749]  which belongs to the cache kmalloc-1k of size 1024
[ 60.898344][ T2749] The buggy address is located 484 bytes inside of
[ 60.898344][ T2749]  1024-byte region [ffff888097b35000, ffff888097b35400)
[ 60.911823][ T2749] The buggy address belongs to the page:
[ 60.917453][ T2749] page:ffffea00025ecd40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 60.926548][ T2749] flags: 0xfffe0000000200(slab)
[ 60.931397][ T2749] raw: 00fffe0000000200 ffffea00029b7648 ffffea00027e6188 ffff8880aa000c40
[ 60.939975][ T2749] raw: 0000000000000000 ffff888097b35000 0000000100000002 0000000000000000
[ 60.948542][ T2749] page dumped because: kasan: bad access detected
[ 60.954959][ T2749]
[ 60.957275][ T2749] Memory state around the buggy address:
[ 60.962899][ T2749]  ffff888097b35080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.971132][ T2749]  ffff888097b35100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.979210][ T2749] >ffff888097b35180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.987258][ T2749]                                                        ^
[ 60.994463][ T2749]  ffff888097b35200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.002521][ T2749]  ffff888097b35280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.010569][ T2749] ==================================================================
[ 61.018615][ T2749] Disabling lock debugging due to kernel taint
[ 61.024818][ T2749] Kernel panic - not syncing: panic_on_warn set ...
[ 61.031400][ T2749] CPU: 1 PID: 2749 Comm: kworker/u4:5 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 61.041196][ T2749] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.054556][ T2749] Workqueue: netns cleanup_net
[ 61.059311][ T2749] Call Trace:
[ 61.062597][ T2749]  dump_stack+0x18f/0x20d
[ 61.066924][ T2749]  ? afs_wake_up_async_call+0x3b0/0x4a0
[ 61.072471][ T2749]  ? afs_put_call+0x440/0x440
[ 61.077146][ T2749]  panic+0x2e3/0x75c
[ 61.081032][ T2749]  ? __warn_printk+0xf3/0xf3
[ 61.085615][ T2749]  ? afs_wake_up_async_call+0x430/0x4a0
[ 61.091158][ T2749]  ? trace_hardirqs_on+0x55/0x220
[ 61.096174][ T2749]  ? afs_wake_up_async_call+0x430/0x4a0
[ 61.101709][ T2749]  ? afs_wake_up_async_call+0x430/0x4a0
[ 61.107242][ T2749]  ? afs_put_call+0x440/0x440
[ 61.111910][ T2749]  end_report+0x4d/0x53
[ 61.116057][ T2749]  kasan_report.cold+0xd/0x37
[ 61.120724][ T2749]  ? afs_wake_up_async_call+0x430/0x4a0
[ 61.126262][ T2749]  afs_wake_up_async_call+0x430/0x4a0
[ 61.131620][ T2749]  ? afs_close_socket+0x320/0x320
[ 61.136741][ T2749]  rxrpc_notify_socket+0x1db/0x5d0
[ 61.141841][ T2749]  ? afs_put_call+0x440/0x440
[ 61.146508][ T2749]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.152910][ T2749]  rxrpc_call_completed+0xd0/0xf0
[ 61.157926][ T2749]  rxrpc_discard_prealloc+0x777/0xab0
[ 61.163286][ T2749]  ? lock_sock_nested+0x94/0x110
[ 61.168215][ T2749]  rxrpc_listen+0x11c/0x330
[ 61.172708][ T2749]  afs_close_socket+0x95/0x320
[ 61.177464][ T2749]  ? afs_purge_servers+0x16d/0x300
[ 61.182568][ T2749]  ? afs_rx_discard_new_call+0x50/0x50
[ 61.193658][ T2749]  ? init_wait_var_entry+0x200/0x200
[ 61.198933][ T2749]  ? check_preemption_disabled+0x38/0x220
[ 61.204639][ T2749]  afs_net_exit+0x1bc/0x310
[ 61.209131][ T2749]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[ 61.214750][ T2749]  ops_exit_list+0xb0/0x160
[ 61.219241][ T2749]  cleanup_net+0x4ea/0xa00
[ 61.223733][ T2749]  ? __schedule+0x887/0x1eb0
[ 61.228314][ T2749]  ? ops_free_list.part.0+0x3d0/0x3d0
[ 61.233674][ T2749]  ? check_preemption_disabled+0x38/0x220
[ 61.239473][ T2749]  process_one_work+0x94c/0x1670
[ 61.244403][ T2749]  ? lock_release+0x8d0/0x8d0
[ 61.249067][ T2749]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[ 61.254429][ T2749]  ? rwlock_bug.part.0+0x90/0x90
[ 61.259361][ T2749]  worker_thread+0x64c/0x1120
[ 61.264032][ T2749]  ? __kthread_parkme+0x13f/0x1e0
[ 61.269045][ T2749]  ? process_one_work+0x1670/0x1670
[ 61.274229][ T2749]  kthread+0x3b5/0x4a0
[ 61.278286][ T2749]  ? __kthread_bind_mask+0xc0/0xc0
[ 61.283388][ T2749]  ? __kthread_bind_mask+0xc0/0xc0
[ 61.288493][ T2749]  ret_from_fork+0x1f/0x30
[ 61.294130][ T2749] Kernel Offset: disabled
[ 61.298444][ T2749] Rebooting in 86400 seconds..