Warning: Permanently added '10.128.10.8' (ECDSA) to the list of known hosts.
2020/06/15 09:07:38 fuzzer started
2020/06/15 09:07:38 connecting to host at 10.128.0.26:34145
2020/06/15 09:07:38 checking machine...
2020/06/15 09:07:38 checking revisions...
2020/06/15 09:07:38 testing simple program...
syzkaller login: [ 59.910422][ T6812] IPVS: ftp: loaded support on port[0] = 21
2020/06/15 09:07:39 building call list...
[ 60.341652][ T233] tipc: TX() has been purged, node left!
[ 60.864136][ T233] ==================================================================
[ 60.872451][ T233] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 60.880423][ T233] Write of size 1 at addr ffff88809791f9e4 by task kworker/u4:3/233
[ 60.888393][ T233]
[ 60.890738][ T233] CPU: 0 PID: 233 Comm: kworker/u4:3 Not tainted 5.8.0-rc1-next-20200615-syzkaller #0
[ 60.900264][ T233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.910406][ T233] Workqueue: netns cleanup_net
[ 60.915158][ T233] Call Trace:
[ 60.918543][ T233] dump_stack+0x18f/0x20d
[ 60.922873][ T233] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.928572][ T233] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.934112][ T233] ? afs_put_call+0xa40/0xa40
[ 60.938789][ T233] print_address_description.constprop.0.cold+0xd3/0x413
[ 60.945816][ T233] ? vprintk_func+0x97/0x1a6
[ 60.950409][ T233] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.956273][ T233] kasan_report.cold+0x1f/0x37
[ 60.961048][ T233] ? rcu_read_lock_held_common+0x71/0xa0
[ 60.966863][ T233] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.972419][ T233] afs_wake_up_async_call+0x6aa/0x770
[ 60.977874][ T233] ? afs_close_socket+0x320/0x320
[ 60.982901][ T233] ? afs_put_call+0xa40/0xa40
[ 60.987575][ T233] rxrpc_notify_socket+0x1db/0x5d0
[ 60.992689][ T233] ? afs_put_call+0xa40/0xa40
[ 60.997484][ T233] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.003895][ T233] rxrpc_call_completed+0xca/0xf0
[ 61.008920][ T233] rxrpc_discard_prealloc+0x781/0xab0
[ 61.014441][ T233] ? lock_sock_nested+0x94/0x110
[ 61.019471][ T233] rxrpc_listen+0x147/0x360
[ 61.024196][ T233] afs_close_socket+0x95/0x320
[ 61.029049][ T233] ? afs_purge_servers+0x16d/0x300
[ 61.034166][ T233] ? afs_rx_discard_new_call+0x50/0x50
[ 61.039719][ T233] ? init_wait_var_entry+0x200/0x200
[ 61.045184][ T233] ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.050835][ T233] ? check_preemption_disabled+0x38/0x220
[ 61.056699][ T233] afs_net_exit+0x1bc/0x310
[ 61.061203][ T233] ? afs_net_init+0xe30/0xe30
[ 61.066308][ T233] ops_exit_list.isra.0+0xa8/0x150
[ 61.071506][ T233] cleanup_net+0x511/0xa50
[ 61.075930][ T233] ? unregister_pernet_device+0x70/0x70
[ 61.081574][ T233] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.087575][ T233] process_one_work+0x965/0x1690
[ 61.092530][ T233] ? lock_release+0x800/0x800
[ 61.097211][ T233] ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.102590][ T233] ? rwlock_bug.part.0+0x90/0x90
[ 61.107545][ T233] worker_thread+0x96/0xe10
[ 61.112064][ T233] ? process_one_work+0x1690/0x1690
[ 61.117266][ T233] kthread+0x3b5/0x4a0
[ 61.121336][ T233] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.127152][ T233] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.133001][ T233] ret_from_fork+0x1f/0x30
[ 61.137486][ T233]
[ 61.139829][ T233] Allocated by task 6812:
[ 61.144173][ T233] save_stack+0x1b/0x40
[ 61.148326][ T233] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.153957][ T233] kmem_cache_alloc_trace+0x153/0x7d0
[ 61.159332][ T233] afs_alloc_call+0x55/0x630
[ 61.163917][ T233] afs_charge_preallocation+0xe9/0x2d0
[ 61.169484][ T233] afs_open_socket+0x292/0x360
[ 61.174329][ T233] afs_net_init+0xa6c/0xe30
[ 61.178842][ T233] ops_init+0xaf/0x420
[ 61.182905][ T233] setup_net+0x2de/0x860
[ 61.187153][ T233] copy_net_ns+0x293/0x590
[ 61.191568][ T233] create_new_namespaces+0x3fb/0xb30
[ 61.196858][ T233] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 61.202602][ T233] ksys_unshare+0x43d/0x8e0
[ 61.207106][ T233] __x64_sys_unshare+0x2d/0x40
[ 61.211963][ T233] do_syscall_64+0x60/0xe0
[ 61.216375][ T233] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.222276][ T233]
[ 61.224601][ T233] Freed by task 233:
[ 61.228504][ T233] save_stack+0x1b/0x40
[ 61.232671][ T233] __kasan_slab_free+0xf7/0x140
[ 61.237520][ T233] kfree+0x109/0x2b0
[ 61.241415][ T233] afs_put_call+0x585/0xa40
[ 61.246010][ T233] rxrpc_discard_prealloc+0x764/0xab0
[ 61.251559][ T233] rxrpc_listen+0x147/0x360
[ 61.256162][ T233] afs_close_socket+0x95/0x320
[ 61.261119][ T233] afs_net_exit+0x1bc/0x310
[ 61.265743][ T233] ops_exit_list.isra.0+0xa8/0x150
[ 61.270971][ T233] cleanup_net+0x511/0xa50
[ 61.275574][ T233] process_one_work+0x965/0x1690
[ 61.280686][ T233] worker_thread+0x96/0xe10
[ 61.285188][ T233] kthread+0x3b5/0x4a0
[ 61.289258][ T233] ret_from_fork+0x1f/0x30
[ 61.293663][ T233]
[ 61.295993][ T233] The buggy address belongs to the object at ffff88809791f800
[ 61.295993][ T233]  which belongs to the cache kmalloc-1k of size 1024
[ 61.310220][ T233] The buggy address is located 484 bytes inside of
[ 61.310220][ T233]  1024-byte region [ffff88809791f800, ffff88809791fc00)
[ 61.323574][ T233] The buggy address belongs to the page:
[ 61.329212][ T233] page:ffffea00025e47c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 61.338576][ T233] flags: 0xfffe0000000200(slab)
[ 61.343446][ T233] raw: 00fffe0000000200 ffffea0002526188 ffffea00028034c8 ffff8880aa000c40
[ 61.352031][ T233] raw: 0000000000000000 ffff88809791f000 0000000100000002 0000000000000000
[ 61.360627][ T233] page dumped because: kasan: bad access detected
[ 61.367032][ T233]
[ 61.369360][ T233] Memory state around the buggy address:
[ 61.374987][ T233]  ffff88809791f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.383045][ T233]  ffff88809791f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.391109][ T233] >ffff88809791f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.399287][ T233]                                                        ^
[ 61.406479][ T233]  ffff88809791fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.414641][ T233]  ffff88809791fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.423055][ T233] ==================================================================
[ 61.431112][ T233] Disabling lock debugging due to kernel taint
[ 61.437337][ T233] Kernel panic - not syncing: panic_on_warn set ...
[ 61.444119][ T233] CPU: 0 PID: 233 Comm: kworker/u4:3 Tainted: G B 5.8.0-rc1-next-20200615-syzkaller #0
[ 61.455046][ T233] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.465198][ T233] Workqueue: netns cleanup_net
[ 61.469962][ T233] Call Trace:
[ 61.473258][ T233] dump_stack+0x18f/0x20d
[ 61.477778][ T233] ? afs_wake_up_async_call+0x660/0x770
[ 61.483757][ T233] ? afs_put_call+0xa40/0xa40
[ 61.488438][ T233] panic+0x2e3/0x75c
[ 61.492420][ T233] ? __warn_printk+0xf3/0xf3
[ 61.497010][ T233] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 61.503256][ T233] ? trace_hardirqs_on+0x55/0x220
[ 61.508580][ T233] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.514224][ T233] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.519892][ T233] ? afs_put_call+0xa40/0xa40
[ 61.524971][ T233] end_report+0x4d/0x53
[ 61.529230][ T233] kasan_report.cold+0xd/0x37
[ 61.534011][ T233] ? rcu_read_lock_held_common+0x71/0xa0
[ 61.539669][ T233] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.545387][ T233] afs_wake_up_async_call+0x6aa/0x770
[ 61.550756][ T233] ? afs_close_socket+0x320/0x320
[ 61.555898][ T233] ? afs_put_call+0xa40/0xa40
[ 61.560690][ T233] rxrpc_notify_socket+0x1db/0x5d0
[ 61.565795][ T233] ? afs_put_call+0xa40/0xa40
[ 61.570573][ T233] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.577175][ T233] rxrpc_call_completed+0xca/0xf0
[ 61.582246][ T233] rxrpc_discard_prealloc+0x781/0xab0
[ 61.587610][ T233] ? lock_sock_nested+0x94/0x110
[ 61.592694][ T233] rxrpc_listen+0x147/0x360
[ 61.597324][ T233] afs_close_socket+0x95/0x320
[ 61.602082][ T233] ? afs_purge_servers+0x16d/0x300
[ 61.607188][ T233] ? afs_rx_discard_new_call+0x50/0x50
[ 61.612638][ T233] ? init_wait_var_entry+0x200/0x200
[ 61.617909][ T233] ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.623624][ T233] ? check_preemption_disabled+0x38/0x220
[ 61.629325][ T233] afs_net_exit+0x1bc/0x310
[ 61.633909][ T233] ? afs_net_init+0xe30/0xe30
[ 61.638571][ T233] ops_exit_list.isra.0+0xa8/0x150
[ 61.643677][ T233] cleanup_net+0x511/0xa50
[ 61.648087][ T233] ? unregister_pernet_device+0x70/0x70
[ 61.653632][ T233] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.659616][ T233] process_one_work+0x965/0x1690
[ 61.664542][ T233] ? lock_release+0x800/0x800
[ 61.669219][ T233] ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.674580][ T233] ? rwlock_bug.part.0+0x90/0x90
[ 61.679510][ T233] worker_thread+0x96/0xe10
[ 61.684001][ T233] ? process_one_work+0x1690/0x1690
[ 61.689191][ T233] kthread+0x3b5/0x4a0
[ 61.693252][ T233] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.698956][ T233] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.704660][ T233] ret_from_fork+0x1f/0x30
[ 61.710816][ T233] Kernel Offset: disabled
[ 61.715133][ T233] Rebooting in 86400 seconds..
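The first thing to do with a report like the one above is to read the three stacks against each other: where the object was allocated, where it was freed, and where it was touched afterwards. The script below is an added triage helper, not code from syzbot, syzkaller or the kernel. It strips the dmesg prefixes, parses the KASAN sections, recomputes the offset and region arithmetic that KASAN prints, and finds the point where the faulting stack and the "Freed by" stack meet. The embedded sample is a constructed subset of the report lines above; everything else (the function names, the PLUMBING list of allocator and sanitizer frames to skip) is an assumption of this example. It needs Python 3.8 or later.

```python
"""Triage helper for a KASAN report like the one above. Added example, not
syzbot/syzkaller code: it strips the dmesg prefixes, parses the report into
sections, cross-checks the numbers KASAN prints and relates the free to the use."""
import re
from collections import namedtuple

Frame = namedtuple("Frame", "func off size unreliable")   # unreliable = "? " frame
PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")      # "[ 61.003895][ T233] "
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x([0-9a-f]+)/0x([0-9a-f]+)$")
# Allocator and sanitizer plumbing that tops every "Allocated by"/"Freed by" stack
# (assumed list for this example; extend it for other allocators).
PLUMBING = ("save_stack", "__kasan_", "kasan_", "kmem_cache_", "__kmalloc", "kmalloc", "kfree")

# Constructed sample: a subset of the report lines from the log above.
SAMPLE_REPORT = """\
[ 60.872451][ T233] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 60.880423][ T233] Write of size 1 at addr ffff88809791f9e4 by task kworker/u4:3/233
[ 60.888393][ T233]
[ 60.915158][ T233] Call Trace:
[ 60.922873][ T233] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.972419][ T233] afs_wake_up_async_call+0x6aa/0x770
[ 60.987575][ T233] rxrpc_notify_socket+0x1db/0x5d0
[ 61.003895][ T233] rxrpc_call_completed+0xca/0xf0
[ 61.008920][ T233] rxrpc_discard_prealloc+0x781/0xab0
[ 61.019471][ T233] rxrpc_listen+0x147/0x360
[ 61.024196][ T233] afs_close_socket+0x95/0x320
[ 61.137486][ T233]
[ 61.139829][ T233] Allocated by task 6812:
[ 61.144173][ T233] save_stack+0x1b/0x40
[ 61.148326][ T233] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.153957][ T233] kmem_cache_alloc_trace+0x153/0x7d0
[ 61.159332][ T233] afs_alloc_call+0x55/0x630
[ 61.174329][ T233] afs_net_init+0xa6c/0xe30
[ 61.202602][ T233] ksys_unshare+0x43d/0x8e0
[ 61.222276][ T233]
[ 61.224601][ T233] Freed by task 233:
[ 61.228504][ T233] save_stack+0x1b/0x40
[ 61.232671][ T233] __kasan_slab_free+0xf7/0x140
[ 61.237520][ T233] kfree+0x109/0x2b0
[ 61.241415][ T233] afs_put_call+0x585/0xa40
[ 61.246010][ T233] rxrpc_discard_prealloc+0x764/0xab0
[ 61.251559][ T233] rxrpc_listen+0x147/0x360
[ 61.256162][ T233] afs_close_socket+0x95/0x320
[ 61.293663][ T233]
[ 61.295993][ T233] The buggy address belongs to the object at ffff88809791f800
[ 61.295993][ T233]  which belongs to the cache kmalloc-1k of size 1024
[ 61.310220][ T233] The buggy address is located 484 bytes inside of
[ 61.310220][ T233]  1024-byte region [ffff88809791f800, ffff88809791fc00)
"""


def parse_frame(s):
    m = FRAME.match(s.strip())
    return Frame(m[2], int(m[3], 16), int(m[4], 16), bool(m[1])) if m else None


def parse_kasan_report(text):
    """Return the header, the three stacks and the object/region info as a dict."""
    r, section = {"trace": [], "alloc_stack": [], "free_stack": []}, None
    for raw in text.splitlines():
        s = PREFIX.sub("", raw).strip()
        if not s:                                     # a blank line ends a stack
            section = None
        elif (m := re.match(r"BUG: KASAN: ([\w-]+) in (\S+)", s)):
            r["bug"], r["site"] = m[1], parse_frame(m[2])
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)$", s)):
            r.update(access=m[1], size=int(m[2]), addr=int(m[3], 16), task=m[4], pid=int(m[5]))
        elif s == "Call Trace:":
            section = "trace"
        elif (m := re.match(r"(Allocated|Freed) by task (\d+):", s)):
            section = "alloc_stack" if m[1] == "Allocated" else "free_stack"
            r[section.split("_")[0] + "_pid"] = int(m[2])
        elif (m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s)):
            r["obj_base"] = int(m[1], 16)
        elif (m := re.match(r"which belongs to the cache (\S+) of size (\d+)", s)):
            r.update(cache=m[1], cache_size=int(m[2]))
        elif (m := re.match(r"The buggy address is located (\d+) bytes (inside|to the \w+) of", s)):
            r.update(stated_offset=int(m[1]), where=m[2])
        elif (m := re.match(r"\d+-byte region \[([0-9a-f]+), ([0-9a-f]+)\)", s)):
            r["region"] = (int(m[1], 16), int(m[2], 16))
        elif section and (f := parse_frame(s)):
            r[section].append(f)
    return r


def owner(stack):
    """First frame under the allocator/KASAN plumbing: the code that did the alloc or free."""
    return next(f for f in stack if not f.func.startswith(PLUMBING))


def triage(r):
    """Cross-check KASAN's arithmetic and relate the free to the faulting access."""
    lo, hi = r["region"]
    offset = r["addr"] - r["obj_base"]
    freed_at = {f.func: f for f in r["free_stack"]}
    # Walk the faulting stack (reliable frames only) outward from the fault site until
    # it meets a function that is also on the free stack: that call chain released
    # the object and then went on touching it.
    join = next(((u, freed_at[u.func]) for u in r["trace"]
                 if not u.unreliable and u.func in freed_at), None)
    return {
        "offset": offset,
        "offset_matches_report": r["where"] == "inside" and offset == r["stated_offset"],
        "addr_in_region": lo <= r["addr"] < hi and hi - lo == r["cache_size"],
        "same_task_free_and_use": r["free_pid"] == r["pid"],
        "alloc_owner": owner(r["alloc_stack"]).func,
        "free_owner": owner(r["free_stack"]).func,
        "join": (join[0].func, join[1].off, join[0].off) if join else None,
    }
```

Run on the sample, triage() reports an offset of 484 bytes into a 1024-byte kmalloc-1k object, matching what KASAN printed; the object was allocated by afs_alloc_call in task 6812 (the unshare() path through afs_net_init) and freed by afs_put_call in task 233; and the two stacks join at rxrpc_discard_prealloc, freed at +0x764 and used at +0x781. Both the free and the faulting write come from the same kworker on the same netns cleanup path, so the report describes a stale pointer used later in one pass of rxrpc_discard_prealloc during afs_close_socket, not a race between two threads. That distinction decides what reproducer and what fix to look for.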