Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
2020/06/19 00:05:22 fuzzer started
2020/06/19 00:05:22 connecting to host at 10.128.0.26:45991
2020/06/19 00:05:22 checking machine...
2020/06/19 00:05:22 checking revisions...
2020/06/19 00:05:22 testing simple program...
syzkaller login: [   62.405308][ T6795] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 00:05:23 building call list...
[   62.724450][  T165] tipc: TX() has been purged, node left!
[   63.296322][  T165] ==================================================================
[   63.305357][  T165] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   63.313363][  T165] Write of size 1 at addr ffff888096c7c1e4 by task kworker/u4:4/165
[   63.321503][  T165]
[   63.323836][  T165] CPU: 1 PID: 165 Comm: kworker/u4:4 Not tainted 5.8.0-rc1-syzkaller #0
[   63.333034][  T165] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.343517][  T165] Workqueue: netns cleanup_net
[   63.348287][  T165] Call Trace:
[   63.351580][  T165]  dump_stack+0x18f/0x20d
[   63.355913][  T165]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.361471][  T165]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.367532][  T165]  ? afs_put_call+0xa40/0xa40
[   63.372218][  T165]  print_address_description.constprop.0.cold+0xd3/0x413
[   63.379261][  T165]  ? vprintk_func+0x97/0x1a6
[   63.383857][  T165]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.389502][  T165]  kasan_report.cold+0x1f/0x37
[   63.394290][  T165]  ? rcu_read_lock_held_common+0x51/0xa0
[   63.400254][  T165]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.406012][  T165]  afs_wake_up_async_call+0x6aa/0x770
[   63.411511][  T165]  ? afs_close_socket+0x320/0x320
[   63.417068][  T165]  ? afs_put_call+0xa40/0xa40
[   63.421742][  T165]  rxrpc_notify_socket+0x1db/0x5d0
[   63.426878][  T165]  ? afs_put_call+0xa40/0xa40
[   63.431557][  T165]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   63.437991][  T165]  rxrpc_call_completed+0xca/0xf0
[   63.443020][  T165]  rxrpc_discard_prealloc+0x781/0xab0
[   63.448460][  T165]  ? lock_sock_nested+0x94/0x110
[   63.453402][  T165]  rxrpc_listen+0x147/0x360
[   63.457908][  T165]  afs_close_socket+0x95/0x320
[   63.462769][  T165]  ? afs_purge_servers+0x16d/0x300
[   63.469017][  T165]  ? afs_rx_discard_new_call+0x50/0x50
[   63.474489][  T165]  ? init_wait_var_entry+0x200/0x200
[   63.479797][  T165]  ? rcu_read_lock_held_common+0xa0/0xa0
[   63.485518][  T165]  ? check_preemption_disabled+0x38/0x220
[   63.491243][  T165]  afs_net_exit+0x1bc/0x310
[   63.495743][  T165]  ? afs_net_init+0xe30/0xe30
[   63.501632][  T165]  ops_exit_list.isra.0+0xa8/0x150
[   63.506747][  T165]  cleanup_net+0x511/0xa50
[   63.511170][  T165]  ? unregister_pernet_device+0x70/0x70
[   63.516809][  T165]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   63.522962][  T165]  process_one_work+0x965/0x1690
[   63.528317][  T165]  ? lock_release+0x800/0x800
[   63.532996][  T165]  ? pwq_dec_nr_in_flight+0x310/0x310
[   63.538377][  T165]  ? rwlock_bug.part.0+0x90/0x90
[   63.543526][  T165]  worker_thread+0x96/0xe10
[   63.548154][  T165]  ? process_one_work+0x1690/0x1690
[   63.553458][  T165]  kthread+0x3b5/0x4a0
[   63.557528][  T165]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   63.564275][  T165]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   63.570005][  T165]  ret_from_fork+0x1f/0x30
[   63.574573][  T165]
[   63.576918][  T165] Allocated by task 6795:
[   63.581350][  T165]  save_stack+0x1b/0x40
[   63.585525][  T165]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   63.591171][  T165]  kmem_cache_alloc_trace+0x153/0x7d0
[   63.596626][  T165]  afs_alloc_call+0x55/0x630
[   63.601232][  T165]  afs_charge_preallocation+0xe9/0x2d0
[   63.606687][  T165]  afs_open_socket+0x292/0x360
[   63.611445][  T165]  afs_net_init+0xa6c/0xe30
[   63.616117][  T165]  ops_init+0xaf/0x420
[   63.620273][  T165]  setup_net+0x2de/0x860
[   63.624540][  T165]  copy_net_ns+0x293/0x590
[   63.629486][  T165]  create_new_namespaces+0x3fb/0xb30
[   63.634779][  T165]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   63.640516][  T165]  ksys_unshare+0x43d/0x8e0
[   63.645019][  T165]  __x64_sys_unshare+0x2d/0x40
[   63.649777][  T165]  do_syscall_64+0x60/0xe0
[   63.654198][  T165]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   63.660183][  T165]
[   63.662548][  T165] Freed by task 165:
[   63.666442][  T165]  save_stack+0x1b/0x40
[   63.670592][  T165]  __kasan_slab_free+0xf7/0x140
[   63.675437][  T165]  kfree+0x109/0x2b0
[   63.679331][  T165]  afs_put_call+0x585/0xa40
[   63.683834][  T165]  rxrpc_discard_prealloc+0x764/0xab0
[   63.689206][  T165]  rxrpc_listen+0x147/0x360
[   63.693808][  T165]  afs_close_socket+0x95/0x320
[   63.698562][  T165]  afs_net_exit+0x1bc/0x310
[   63.703060][  T165]  ops_exit_list.isra.0+0xa8/0x150
[   63.708171][  T165]  cleanup_net+0x511/0xa50
[   63.712851][  T165]  process_one_work+0x965/0x1690
[   63.717790][  T165]  worker_thread+0x96/0xe10
[   63.722292][  T165]  kthread+0x3b5/0x4a0
[   63.726355][  T165]  ret_from_fork+0x1f/0x30
[   63.730757][  T165]
[   63.733087][  T165] The buggy address belongs to the object at ffff888096c7c000
[   63.733087][  T165]  which belongs to the cache kmalloc-1k of size 1024
[   63.747670][  T165] The buggy address is located 484 bytes inside of
[   63.747670][  T165]  1024-byte region [ffff888096c7c000, ffff888096c7c400)
[   63.761345][  T165] The buggy address belongs to the page:
[   63.767083][  T165] page:ffffea00025b1f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   63.776181][  T165] flags: 0xfffe0000000200(slab)
[   63.781051][  T165] raw: 00fffe0000000200 ffffea00027b34c8 ffffea00029bf188 ffff8880aa000c40
[   63.789826][  T165] raw: 0000000000000000 ffff888096c7c000 0000000100000002 0000000000000000
[   63.798683][  T165] page dumped because: kasan: bad access detected
[   63.805087][  T165]
[   63.807409][  T165] Memory state around the buggy address:
[   63.813038][  T165]  ffff888096c7c080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.821106][  T165]  ffff888096c7c100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.829172][  T165] >ffff888096c7c180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.837224][  T165]                                                        ^
[   63.844507][  T165]  ffff888096c7c200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.852593][  T165]  ffff888096c7c280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   63.860658][  T165] ==================================================================
[   63.868717][  T165] Disabling lock debugging due to kernel taint
[   63.874939][  T165] Kernel panic - not syncing: panic_on_warn set ...
[   63.881550][  T165] CPU: 1 PID: 165 Comm: kworker/u4:4 Tainted: G    B             5.8.0-rc1-syzkaller #0
[   63.891252][  T165] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   63.901308][  T165] Workqueue: netns cleanup_net
[   63.906066][  T165] Call Trace:
[   63.909438][  T165]  dump_stack+0x18f/0x20d
[   63.913756][  T165]  ? afs_wake_up_async_call+0x680/0x770
[   63.919477][  T165]  ? afs_put_call+0xa40/0xa40
[   63.924166][  T165]  panic+0x2e3/0x75c
[   63.928066][  T165]  ? __warn_printk+0xf3/0xf3
[   63.932664][  T165]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   63.939098][  T165]  ? trace_hardirqs_on+0x55/0x220
[   63.944155][  T165]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.949879][  T165]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.955415][  T165]  ? afs_put_call+0xa40/0xa40
[   63.960266][  T165]  end_report+0x4d/0x53
[   63.964535][  T165]  kasan_report.cold+0xd/0x37
[   63.969328][  T165]  ? rcu_read_lock_held_common+0x51/0xa0
[   63.975060][  T165]  ? afs_wake_up_async_call+0x6aa/0x770
[   63.980860][  T165]  afs_wake_up_async_call+0x6aa/0x770
[   63.986316][  T165]  ? afs_close_socket+0x320/0x320
[   63.991341][  T165]  ? afs_put_call+0xa40/0xa40
[   63.996027][  T165]  rxrpc_notify_socket+0x1db/0x5d0
[   64.001483][  T165]  ? afs_put_call+0xa40/0xa40
[   64.006416][  T165]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   64.013159][  T165]  rxrpc_call_completed+0xca/0xf0
[   64.018268][  T165]  rxrpc_discard_prealloc+0x781/0xab0
[   64.023710][  T165]  ? lock_sock_nested+0x94/0x110
[   64.028645][  T165]  rxrpc_listen+0x147/0x360
[   64.034009][  T165]  afs_close_socket+0x95/0x320
[   64.038767][  T165]  ? afs_purge_servers+0x16d/0x300
[   64.044220][  T165]  ? afs_rx_discard_new_call+0x50/0x50
[   64.049672][  T165]  ? init_wait_var_entry+0x200/0x200
[   64.054965][  T165]  ? rcu_read_lock_held_common+0xa0/0xa0
[   64.060679][  T165]  ? check_preemption_disabled+0x38/0x220
[   64.066393][  T165]  afs_net_exit+0x1bc/0x310
[   64.070910][  T165]  ? afs_net_init+0xe30/0xe30
[   64.075583][  T165]  ops_exit_list.isra.0+0xa8/0x150
[   64.080691][  T165]  cleanup_net+0x511/0xa50
[   64.085279][  T165]  ? unregister_pernet_device+0x70/0x70
[   64.090825][  T165]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   64.096933][  T165]  process_one_work+0x965/0x1690
[   64.101899][  T165]  ? lock_release+0x800/0x800
[   64.106586][  T165]  ? pwq_dec_nr_in_flight+0x310/0x310
[   64.112039][  T165]  ? rwlock_bug.part.0+0x90/0x90
[   64.117060][  T165]  worker_thread+0x96/0xe10
[   64.121562][  T165]  ? process_one_work+0x1690/0x1690
[   64.126754][  T165]  kthread+0x3b5/0x4a0
[   64.130816][  T165]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   64.136700][  T165]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   64.142438][  T165]  ret_from_fork+0x1f/0x30
[   64.148689][  T165] Kernel Offset: disabled
[   64.153032][  T165] Rebooting in 86400 seconds..