Warning: Permanently added '10.128.0.85' (ECDSA) to the list of known hosts.
2020/07/01 23:15:10 fuzzer started
2020/07/01 23:15:11 connecting to host at 10.128.0.26:33949
2020/07/01 23:15:11 checking machine...
2020/07/01 23:15:11 checking revisions...
2020/07/01 23:15:11 testing simple program...
syzkaller login: [   60.759660][ T6809] IPVS: ftp: loaded support on port[0] = 21
2020/07/01 23:15:11 building call list...
[   61.062659][  T414] tipc: TX() has been purged, node left!
[   61.564514][  T414] ==================================================================
[   61.572767][  T414] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[   61.580661][  T414] Write of size 1 at addr ffff88809af1a1e4 by task kworker/u4:4/414
[   61.588634][  T414] 
[   61.591860][  T414] CPU: 1 PID: 414 Comm: kworker/u4:4 Not tainted 5.8.0-rc1-syzkaller #0
[   61.600173][  T414] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.610416][  T414] Workqueue: netns cleanup_net
[   61.615168][  T414] Call Trace:
[   61.618458][  T414]  dump_stack+0x18f/0x20d
[   61.622884][  T414]  ? afs_wake_up_async_call+0x430/0x4a0
[   61.628429][  T414]  ? afs_wake_up_async_call+0x430/0x4a0
[   61.633968][  T414]  ? afs_put_call+0x440/0x440
[   61.638640][  T414]  print_address_description.constprop.0.cold+0xae/0x436
[   61.645675][  T414]  ? vprintk_func+0x97/0x1a6
[   61.650271][  T414]  ? afs_wake_up_async_call+0x430/0x4a0
[   61.655812][  T414]  kasan_report.cold+0x1f/0x37
[   61.660577][  T414]  ? afs_wake_up_async_call+0x430/0x4a0
[   61.666131][  T414]  afs_wake_up_async_call+0x430/0x4a0
[   61.671498][  T414]  ? afs_close_socket+0x320/0x320
[   61.676529][  T414]  rxrpc_notify_socket+0x1db/0x5d0
[   61.681654][  T414]  ? afs_put_call+0x440/0x440
[   61.686420][  T414]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   61.692962][  T414]  rxrpc_call_completed+0xd0/0xf0
[   61.698163][  T414]  rxrpc_discard_prealloc+0x777/0xab0
[   61.703647][  T414]  ? lock_sock_nested+0x94/0x110
[   61.708599][  T414]  rxrpc_listen+0x11c/0x330
[   61.713543][  T414]  afs_close_socket+0x95/0x320
[   61.718310][  T414]  ? afs_purge_servers+0x16d/0x300
[   61.723431][  T414]  ? afs_rx_discard_new_call+0x50/0x50
[   61.729670][  T414]  ? init_wait_var_entry+0x200/0x200
[   61.735574][  T414]  ? check_preemption_disabled+0x38/0x220
[   61.741317][  T414]  afs_net_exit+0x1bc/0x310
[   61.745820][  T414]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[   61.751556][  T414]  ops_exit_list+0xb0/0x160
[   61.756060][  T414]  cleanup_net+0x4ea/0xa00
[   61.760471][  T414]  ? __schedule+0x887/0x1eb0
[   61.765071][  T414]  ? ops_free_list.part.0+0x3d0/0x3d0
[   61.770445][  T414]  ? check_preemption_disabled+0x38/0x220
[   61.776169][  T414]  process_one_work+0x94c/0x1670
[   61.781461][  T414]  ? lock_release+0x8d0/0x8d0
[   61.786155][  T414]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   61.791529][  T414]  ? rwlock_bug.part.0+0x90/0x90
[   61.796560][  T414]  worker_thread+0x64c/0x1120
[   61.801249][  T414]  ? process_one_work+0x1670/0x1670
[   61.806529][  T414]  kthread+0x3b5/0x4a0
[   61.810770][  T414]  ? __kthread_bind_mask+0xc0/0xc0
[   61.815877][  T414]  ? __kthread_bind_mask+0xc0/0xc0
[   61.820996][  T414]  ret_from_fork+0x1f/0x30
[   61.825423][  T414] 
[   61.827744][  T414] Allocated by task 6809:
[   61.832074][  T414]  save_stack+0x1b/0x40
[   61.836233][  T414]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   61.841872][  T414]  kmem_cache_alloc_trace+0x14f/0x2d0
[   61.847338][  T414]  afs_alloc_call+0x4f/0x360
[   61.852030][  T414]  afs_charge_preallocation+0xe9/0x2d0
[   61.857480][  T414]  afs_open_socket+0x294/0x360
[   61.862234][  T414]  afs_net_init+0xa6c/0xe30
[   61.866740][  T414]  ops_init+0xaf/0x470
[   61.870799][  T414]  setup_net+0x2d8/0x850
[   61.875032][  T414]  copy_net_ns+0x2cf/0x5e0
[   61.879452][  T414]  create_new_namespaces+0x3f6/0xb10
[   61.884729][  T414]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   61.890351][  T414]  ksys_unshare+0x36c/0x9a0
[   61.894850][  T414]  __x64_sys_unshare+0x2d/0x40
[   61.899623][  T414]  do_syscall_64+0x60/0xe0
[   61.904034][  T414]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   61.909915][  T414] 
[   61.912234][  T414] Freed by task 414:
[   61.916123][  T414]  save_stack+0x1b/0x40
[   61.920274][  T414]  __kasan_slab_free+0xf5/0x140
[   61.925118][  T414]  kfree+0x103/0x2c0
[   61.929094][  T414]  afs_put_call+0x345/0x440
[   61.933589][  T414]  rxrpc_discard_prealloc+0x75a/0xab0
[   61.939309][  T414]  rxrpc_listen+0x11c/0x330
[   61.943903][  T414]  afs_close_socket+0x95/0x320
[   61.948665][  T414]  afs_net_exit+0x1bc/0x310
[   61.953162][  T414]  ops_exit_list+0xb0/0x160
[   61.957682][  T414]  cleanup_net+0x4ea/0xa00
[   61.962100][  T414]  process_one_work+0x94c/0x1670
[   61.967466][  T414]  worker_thread+0x64c/0x1120
[   61.972137][  T414]  kthread+0x3b5/0x4a0
[   61.977072][  T414]  ret_from_fork+0x1f/0x30
[   61.981560][  T414] 
[   61.983886][  T414] The buggy address belongs to the object at ffff88809af1a000
[   61.983886][  T414]  which belongs to the cache kmalloc-1k of size 1024
[   61.998040][  T414] The buggy address is located 484 bytes inside of
[   61.998040][  T414]  1024-byte region [ffff88809af1a000, ffff88809af1a400)
[   62.011395][  T414] The buggy address belongs to the page:
[   62.017251][  T414] page:ffffea00026bc680 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   62.026507][  T414] flags: 0xfffe0000000200(slab)
[   62.031728][  T414] raw: 00fffe0000000200 ffffea00029b9908 ffffea0002806a48 ffff8880aa000c40
[   62.040326][  T414] raw: 0000000000000000 ffff88809af1a000 0000000100000002 0000000000000000
[   62.049026][  T414] page dumped because: kasan: bad access detected
[   62.055549][  T414] 
[   62.057872][  T414] Memory state around the buggy address:
[   62.063509][  T414]  ffff88809af1a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.071577][  T414]  ffff88809af1a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.079638][  T414] >ffff88809af1a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.088210][  T414]                                                        ^
[   62.095403][  T414]  ffff88809af1a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.103491][  T414]  ffff88809af1a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.111553][  T414] ==================================================================
[   62.119603][  T414] Disabling lock debugging due to kernel taint
[   62.125797][  T414] Kernel panic - not syncing: panic_on_warn set ...
[   62.132387][  T414] CPU: 1 PID: 414 Comm: kworker/u4:4 Tainted: G    B             5.8.0-rc1-syzkaller #0
[   62.142098][  T414] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.152156][  T414] Workqueue: netns cleanup_net
[   62.156915][  T414] Call Trace:
[   62.160208][  T414]  dump_stack+0x18f/0x20d
[   62.164548][  T414]  ? afs_wake_up_async_call+0x3b0/0x4a0
[   62.170105][  T414]  ? afs_put_call+0x440/0x440
[   62.174925][  T414]  panic+0x2e3/0x75c
[   62.178835][  T414]  ? __warn_printk+0xf3/0xf3
[   62.184055][  T414]  ? afs_wake_up_async_call+0x430/0x4a0
[   62.189604][  T414]  ? trace_hardirqs_on+0x55/0x220
[   62.194636][  T414]  ? afs_wake_up_async_call+0x430/0x4a0
[   62.200301][  T414]  ? afs_wake_up_async_call+0x430/0x4a0
[   62.205871][  T414]  ? afs_put_call+0x440/0x440
[   62.210536][  T414]  end_report+0x4d/0x53
[   62.214791][  T414]  kasan_report.cold+0xd/0x37
[   62.219463][  T414]  ? afs_wake_up_async_call+0x430/0x4a0
[   62.225018][  T414]  afs_wake_up_async_call+0x430/0x4a0
[   62.230402][  T414]  ? afs_close_socket+0x320/0x320
[   62.235432][  T414]  rxrpc_notify_socket+0x1db/0x5d0
[   62.240565][  T414]  ? afs_put_call+0x440/0x440
[   62.245677][  T414]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   62.252101][  T414]  rxrpc_call_completed+0xd0/0xf0
[   62.257124][  T414]  rxrpc_discard_prealloc+0x777/0xab0
[   62.262502][  T414]  ? lock_sock_nested+0x94/0x110
[   62.267438][  T414]  rxrpc_listen+0x11c/0x330
[   62.271939][  T414]  afs_close_socket+0x95/0x320
[   62.276693][  T414]  ? afs_purge_servers+0x16d/0x300
[   62.281881][  T414]  ? afs_rx_discard_new_call+0x50/0x50
[   62.287330][  T414]  ? init_wait_var_entry+0x200/0x200
[   62.292609][  T414]  ? check_preemption_disabled+0x38/0x220
[   62.298323][  T414]  afs_net_exit+0x1bc/0x310
[   62.302828][  T414]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[   62.309002][  T414]  ops_exit_list+0xb0/0x160
[   62.313781][  T414]  cleanup_net+0x4ea/0xa00
[   62.318192][  T414]  ? __schedule+0x887/0x1eb0
[   62.323053][  T414]  ? ops_free_list.part.0+0x3d0/0x3d0
[   62.328434][  T414]  ? check_preemption_disabled+0x38/0x220
[   62.334271][  T414]  process_one_work+0x94c/0x1670
[   62.339400][  T414]  ? lock_release+0x8d0/0x8d0
[   62.344069][  T414]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   62.349434][  T414]  ? rwlock_bug.part.0+0x90/0x90
[   62.354369][  T414]  worker_thread+0x64c/0x1120
[   62.359067][  T414]  ? process_one_work+0x1670/0x1670
[   62.364259][  T414]  kthread+0x3b5/0x4a0
[   62.368324][  T414]  ? __kthread_bind_mask+0xc0/0xc0
[   62.373456][  T414]  ? __kthread_bind_mask+0xc0/0xc0
[   62.378565][  T414]  ret_from_fork+0x1f/0x30
[   62.385400][  T414] Kernel Offset: disabled
[   62.389719][  T414] Rebooting in 86400 seconds..
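The report above is a raw KASAN use-after-free log. Before triaging one of these it is worth pulling the structured facts out of it (bug class, faulting function, access width, allocating and freeing call sites, slab cache, offset into the object) and cross-checking that the numbers agree: object base plus reported offset must equal the faulting address, and the alloc/free stacks should name the subsystem frame just below the allocator plumbing. The Python below is an added example, not part of the syzbot log and not syzkaller or kernel tooling; it runs over a subset of this page's own lines (copied verbatim, embedded inline so it works offline). The PLUMBING list of allocator/KASAN frames to skip, the KasanReport field names and the summarize() wording are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field

# Sample input: a subset of the KASAN report lines on this page, copied
# verbatim and embedded here so the parser runs offline.
SAMPLE_REPORT = """\
[   61.572767][  T414] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[   61.580661][  T414] Write of size 1 at addr ffff88809af1a1e4 by task kworker/u4:4/414
[   61.588634][  T414]
[   61.615168][  T414] Call Trace:
[   61.666131][  T414]  afs_wake_up_async_call+0x430/0x4a0
[   61.825423][  T414]
[   61.827744][  T414] Allocated by task 6809:
[   61.832074][  T414]  save_stack+0x1b/0x40
[   61.836233][  T414]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   61.841872][  T414]  kmem_cache_alloc_trace+0x14f/0x2d0
[   61.847338][  T414]  afs_alloc_call+0x4f/0x360
[   61.852030][  T414]  afs_charge_preallocation+0xe9/0x2d0
[   61.862234][  T414]  afs_net_init+0xa6c/0xe30
[   61.894850][  T414]  ksys_unshare+0x36c/0x9a0
[   61.909915][  T414]
[   61.912234][  T414] Freed by task 414:
[   61.916123][  T414]  save_stack+0x1b/0x40
[   61.920274][  T414]  __kasan_slab_free+0xf5/0x140
[   61.925118][  T414]  kfree+0x103/0x2c0
[   61.929094][  T414]  afs_put_call+0x345/0x440
[   61.933589][  T414]  rxrpc_discard_prealloc+0x75a/0xab0
[   61.948665][  T414]  afs_net_exit+0x1bc/0x310
[   61.981560][  T414]
[   61.983886][  T414] The buggy address belongs to the object at ffff88809af1a000
[   61.983886][  T414]  which belongs to the cache kmalloc-1k of size 1024
[   61.998040][  T414] The buggy address is located 484 bytes inside of
[   61.998040][  T414]  1024-byte region [ffff88809af1a000, ffff88809af1a400)
"""

# printk prefix with CONFIG_PRINTK_CALLER: "[   61.572767][  T414] "
PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*[TC]\d+\] ?")
# One stack frame: optional "? " (unreliable frame), symbol, +off/size
FRAME = re.compile(r"^\s*(\?\s+)?(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
# Assumed list of allocator/KASAN frames that top every alloc/free stack.
PLUMBING = ("save_stack", "__kasan", "kasan_", "kmem_cache", "kmalloc",
            "__kmalloc", "kfree", "slab_free")


@dataclass
class KasanReport:
    bug: str = ""        # e.g. "use-after-free"
    func: str = ""       # function that performed the bad access
    access: str = ""     # "Read" or "Write"
    size: int = 0
    addr: int = 0
    alloc_task: int = 0
    free_task: int = 0
    alloc_stack: list = field(default_factory=list)
    free_stack: list = field(default_factory=list)
    obj_base: int = 0
    cache: str = ""
    obj_size: int = 0
    offset: int = 0

    def consistent(self) -> bool:
        """Object base + reported offset must equal the faulting address."""
        return self.obj_base + self.offset == self.addr


def first_owner_frame(stack):
    """First frame belonging to the subsystem rather than allocator/KASAN glue."""
    for fn in stack:
        if not fn.startswith(PLUMBING):
            return fn
    return None


def parse_kasan(text: str) -> KasanReport:
    r = KasanReport()
    section = None  # None | "alloc" | "free"; a blank line closes a section
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        if not line.strip():
            section = None
            continue
        if m := re.match(r"BUG: KASAN: ([\w-]+) in ([^\s+]+)", line):
            r.bug, r.func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line):
            r.access, r.size, r.addr = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := re.match(r"Allocated by task (\d+):", line):
            r.alloc_task, section = int(m.group(1)), "alloc"
        elif m := re.match(r"Freed by task (\d+):", line):
            r.free_task, section = int(m.group(1)), "free"
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line):
            r.obj_base = int(m.group(1), 16)
        elif m := re.match(r"\s*which belongs to the cache (\S+) of size (\d+)", line):
            r.cache, r.obj_size = m.group(1), int(m.group(2))
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", line):
            r.offset = int(m.group(1))
        elif section and (m := FRAME.match(line)):
            (r.alloc_stack if section == "alloc" else r.free_stack).append(m.group(2))
    return r


def summarize(text: str) -> str:
    """One-line triage summary, including the address consistency check."""
    r = parse_kasan(text)
    return (f"{r.bug} {r.access.lower()} of {r.size} byte(s) in {r.func}, "
            f"{r.offset}/{r.obj_size} bytes into a {r.cache} object "
            f"allocated by {first_owner_frame(r.alloc_stack)} (task {r.alloc_task}), "
            f"freed by {first_owner_frame(r.free_stack)} (task {r.free_task}); "
            f"address check {'ok' if r.consistent() else 'MISMATCH'}")


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

For this report the summary reads: a use-after-free write of 1 byte in afs_wake_up_async_call, 484 bytes into a kmalloc-1k object allocated by afs_alloc_call under ksys_unshare (task 6809) and freed by afs_put_call from afs_net_exit (task 414), with the address check passing (0xffff88809af1a000 + 484 = 0xffff88809af1a1e4). The allocating and freeing frames are what to read next in the source; the parser only tells you where to look.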