Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.15.209' (ECDSA) to the list of known hosts.
2020/06/19 04:22:43 fuzzer started
2020/06/19 04:22:43 connecting to host at 10.128.0.26:36169
2020/06/19 04:22:43 checking machine...
2020/06/19 04:22:43 checking revisions...
2020/06/19 04:22:43 testing simple program...
syzkaller login: [ 60.102150][ T6817] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 04:22:43 building call list...
[ 60.475348][ T344] tipc: TX() has been purged, node left!
[ 60.977935][ T344] ==================================================================
[ 60.986162][ T344] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 60.994049][ T344] Write of size 1 at addr ffff8880822d49e4 by task kworker/u4:4/344
[ 61.002034][ T344]
[ 61.004382][ T344] CPU: 0 PID: 344 Comm: kworker/u4:4 Not tainted 5.8.0-rc1-syzkaller #0
[ 61.012692][ T344] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.022748][ T344] Workqueue: netns cleanup_net
[ 61.027502][ T344] Call Trace:
[ 61.030789][ T344] dump_stack+0x18f/0x20d
[ 61.035116][ T344] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.040656][ T344] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.046204][ T344] ? afs_put_call+0xa40/0xa40
[ 61.050879][ T344] print_address_description.constprop.0.cold+0xd3/0x413
[ 61.057987][ T344] ? vprintk_func+0x97/0x1a6
[ 61.062579][ T344] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.068134][ T344] kasan_report.cold+0x1f/0x37
[ 61.072898][ T344] ? rcu_read_lock_held_common+0x51/0xa0
[ 61.078523][ T344] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.084074][ T344] afs_wake_up_async_call+0x6aa/0x770
[ 61.089444][ T344] ? afs_close_socket+0x320/0x320
[ 61.094472][ T344] ? afs_put_call+0xa40/0xa40
[ 61.099148][ T344] rxrpc_notify_socket+0x1db/0x5d0
[ 61.104258][ T344] ? afs_put_call+0xa40/0xa40
[ 61.108937][ T344] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.115351][ T344] rxrpc_call_completed+0xca/0xf0
[ 61.120376][ T344] rxrpc_discard_prealloc+0x781/0xab0
[ 61.125751][ T344] ? lock_sock_nested+0x94/0x110
[ 61.130692][ T344] rxrpc_listen+0x147/0x360
[ 61.135196][ T344] afs_close_socket+0x95/0x320
[ 61.139967][ T344] ? afs_purge_servers+0x16d/0x300
[ 61.145074][ T344] ? afs_rx_discard_new_call+0x50/0x50
[ 61.150549][ T344] ? init_wait_var_entry+0x200/0x200
[ 61.155837][ T344] ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.161464][ T344] ? check_preemption_disabled+0x38/0x220
[ 61.167183][ T344] afs_net_exit+0x1bc/0x310
[ 61.171765][ T344] ? afs_net_init+0xe30/0xe30
[ 61.176456][ T344] ops_exit_list.isra.0+0xa8/0x150
[ 61.181569][ T344] cleanup_net+0x511/0xa50
[ 61.185986][ T344] ? unregister_pernet_device+0x70/0x70
[ 61.191532][ T344] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.197517][ T344] process_one_work+0x965/0x1690
[ 61.202464][ T344] ? lock_release+0x800/0x800
[ 61.207138][ T344] ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.212600][ T344] ? rwlock_bug.part.0+0x90/0x90
[ 61.217549][ T344] worker_thread+0x96/0xe10
[ 61.222062][ T344] ? process_one_work+0x1690/0x1690
[ 61.227258][ T344] kthread+0x3b5/0x4a0
[ 61.231324][ T344] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.237036][ T344] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.242756][ T344] ret_from_fork+0x1f/0x30
[ 61.247179][ T344]
[ 61.249501][ T344] Allocated by task 6817:
[ 61.253823][ T344] save_stack+0x1b/0x40
[ 61.257974][ T344] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.263611][ T344] kmem_cache_alloc_trace+0x153/0x7d0
[ 61.268974][ T344] afs_alloc_call+0x55/0x630
[ 61.273562][ T344] afs_charge_preallocation+0xe9/0x2d0
[ 61.279010][ T344] afs_open_socket+0x292/0x360
[ 61.283776][ T344] afs_net_init+0xa6c/0xe30
[ 61.288280][ T344] ops_init+0xaf/0x420
[ 61.292361][ T344] setup_net+0x2de/0x860
[ 61.297044][ T344] copy_net_ns+0x293/0x590
[ 61.301466][ T344] create_new_namespaces+0x3fb/0xb30
[ 61.306754][ T344] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 61.312380][ T344] ksys_unshare+0x43d/0x8e0
[ 61.316879][ T344] __x64_sys_unshare+0x2d/0x40
[ 61.321635][ T344] do_syscall_64+0x60/0xe0
[ 61.326046][ T344] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 61.331920][ T344]
[ 61.334239][ T344] Freed by task 344:
[ 61.338140][ T344] save_stack+0x1b/0x40
[ 61.342292][ T344] __kasan_slab_free+0xf7/0x140
[ 61.347202][ T344] kfree+0x109/0x2b0
[ 61.351088][ T344] afs_put_call+0x585/0xa40
[ 61.355586][ T344] rxrpc_discard_prealloc+0x764/0xab0
[ 61.360949][ T344] rxrpc_listen+0x147/0x360
[ 61.365445][ T344] afs_close_socket+0x95/0x320
[ 61.370207][ T344] afs_net_exit+0x1bc/0x310
[ 61.374711][ T344] ops_exit_list.isra.0+0xa8/0x150
[ 61.379815][ T344] cleanup_net+0x511/0xa50
[ 61.384227][ T344] process_one_work+0x965/0x1690
[ 61.389167][ T344] worker_thread+0x96/0xe10
[ 61.393672][ T344] kthread+0x3b5/0x4a0
[ 61.397742][ T344] ret_from_fork+0x1f/0x30
[ 61.402142][ T344]
[ 61.404467][ T344] The buggy address belongs to the object at ffff8880822d4800
[ 61.404467][ T344] which belongs to the cache kmalloc-1k of size 1024
[ 61.418520][ T344] The buggy address is located 484 bytes inside of
[ 61.418520][ T344] 1024-byte region [ffff8880822d4800, ffff8880822d4c00)
[ 61.431875][ T344] The buggy address belongs to the page:
[ 61.437510][ T344] page:ffffea000208b500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 61.446609][ T344] flags: 0xfffe0000000200(slab)
[ 61.451465][ T344] raw: 00fffe0000000200 ffffea000208b488 ffffea000208b588 ffff8880aa000c40
[ 61.460051][ T344] raw: 0000000000000000 ffff8880822d4000 0000000100000002 0000000000000000
[ 61.468624][ T344] page dumped because: kasan: bad access detected
[ 61.475033][ T344]
[ 61.477349][ T344] Memory state around the buggy address:
[ 61.482973][ T344] ffff8880822d4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.491026][ T344] ffff8880822d4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.499098][ T344] >ffff8880822d4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.507147][ T344] ^
[ 61.514344][ T344] ffff8880822d4a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.522406][ T344] ffff8880822d4a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.530553][ T344] ==================================================================
[ 61.538606][ T344] Disabling lock debugging due to kernel taint
[ 61.544821][ T344] Kernel panic - not syncing: panic_on_warn set ...
[ 61.551401][ T344] CPU: 0 PID: 344 Comm: kworker/u4:4 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 61.561100][ T344] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.571154][ T344] Workqueue: netns cleanup_net
[ 61.575921][ T344] Call Trace:
[ 61.579205][ T344] dump_stack+0x18f/0x20d
[ 61.583530][ T344] ? afs_wake_up_async_call+0x670/0x770
[ 61.589067][ T344] ? afs_put_call+0xa40/0xa40
[ 61.593738][ T344] panic+0x2e3/0x75c
[ 61.597631][ T344] ? __warn_printk+0xf3/0xf3
[ 61.602222][ T344] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 61.608368][ T344] ? trace_hardirqs_on+0x55/0x220
[ 61.613385][ T344] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.618921][ T344] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.624453][ T344] ? afs_put_call+0xa40/0xa40
[ 61.629120][ T344] end_report+0x4d/0x53
[ 61.633266][ T344] kasan_report.cold+0xd/0x37
[ 61.637940][ T344] ? rcu_read_lock_held_common+0x51/0xa0
[ 61.643562][ T344] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.649360][ T344] afs_wake_up_async_call+0x6aa/0x770
[ 61.654722][ T344] ? afs_close_socket+0x320/0x320
[ 61.659734][ T344] ? afs_put_call+0xa40/0xa40
[ 61.664401][ T344] rxrpc_notify_socket+0x1db/0x5d0
[ 61.669512][ T344] ? afs_put_call+0xa40/0xa40
[ 61.674187][ T344] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.680604][ T344] rxrpc_call_completed+0xca/0xf0
[ 61.685639][ T344] rxrpc_discard_prealloc+0x781/0xab0
[ 61.691006][ T344] ? lock_sock_nested+0x94/0x110
[ 61.695943][ T344] rxrpc_listen+0x147/0x360
[ 61.700441][ T344] afs_close_socket+0x95/0x320
[ 61.705194][ T344] ? afs_purge_servers+0x16d/0x300
[ 61.710297][ T344] ? afs_rx_discard_new_call+0x50/0x50
[ 61.715758][ T344] ? init_wait_var_entry+0x200/0x200
[ 61.721052][ T344] ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.726677][ T344] ? check_preemption_disabled+0x38/0x220
[ 61.732386][ T344] afs_net_exit+0x1bc/0x310
[ 61.736878][ T344] ? afs_net_init+0xe30/0xe30
[ 61.741547][ T344] ops_exit_list.isra.0+0xa8/0x150
[ 61.746650][ T344] cleanup_net+0x511/0xa50
[ 61.751060][ T344] ? unregister_pernet_device+0x70/0x70
[ 61.756598][ T344] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.762570][ T344] process_one_work+0x965/0x1690
[ 61.767524][ T344] ? lock_release+0x800/0x800
[ 61.772190][ T344] ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.777552][ T344] ? rwlock_bug.part.0+0x90/0x90
[ 61.782483][ T344] worker_thread+0x96/0xe10
[ 61.786980][ T344] ? process_one_work+0x1690/0x1690
[ 61.792174][ T344] kthread+0x3b5/0x4a0
[ 61.796233][ T344] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.801944][ T344] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.807657][ T344] ret_from_fork+0x1f/0x30
[ 61.813458][ T344] Kernel Offset: disabled
[ 61.817806][ T344] Rebooting in 86400 seconds..