Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.51' (ECDSA) to the list of known hosts.
2020/06/25 15:39:27 fuzzer started
2020/06/25 15:39:27 connecting to host at 10.128.0.26:42541
2020/06/25 15:39:27 checking machine...
2020/06/25 15:39:27 checking revisions...
2020/06/25 15:39:27 testing simple program...
syzkaller login: [   61.049184][ T6947] IPVS: ftp: loaded support on port[0] = 21
2020/06/25 15:39:28 building call list...
[   61.405684][   T21] tipc: TX() has been purged, node left!
[   61.908002][   T21] ==================================================================
[   61.916367][   T21] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x430/0x4a0
[   61.924423][   T21] Write of size 1 at addr ffff88809f1451e4 by task kworker/u4:1/21
[   61.932302][   T21] 
[   61.934632][   T21] CPU: 1 PID: 21 Comm: kworker/u4:1 Not tainted 5.8.0-rc2-syzkaller #0
[   61.942858][   T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.953276][   T21] Workqueue: netns cleanup_net
[   61.958154][   T21] Call Trace:
[   61.961450][   T21]  dump_stack+0x18f/0x20d
[   61.965786][   T21]  ? afs_wake_up_async_call+0x430/0x4a0
[   61.971336][   T21]  ? afs_wake_up_async_call+0x430/0x4a0
[   61.976878][   T21]  ? afs_put_call+0x440/0x440
[   61.981565][   T21]  print_address_description.constprop.0.cold+0xae/0x436
[   61.988598][   T21]  ? vprintk_func+0x97/0x1a6
[   61.993807][   T21]  ? afs_wake_up_async_call+0x430/0x4a0
[   61.999348][   T21]  kasan_report.cold+0x1f/0x37
[   62.004117][   T21]  ? afs_wake_up_async_call+0x430/0x4a0
[   62.009667][   T21]  afs_wake_up_async_call+0x430/0x4a0
[   62.015047][   T21]  ? afs_close_socket+0x320/0x320
[   62.020075][   T21]  rxrpc_notify_socket+0x1db/0x5d0
[   62.025191][   T21]  ? afs_put_call+0x440/0x440
[   62.029880][   T21]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   62.036305][   T21]  rxrpc_call_completed+0xd0/0xf0
[   62.041335][   T21]  rxrpc_discard_prealloc+0x777/0xab0
[   62.046713][   T21]  ? lock_sock_nested+0x94/0x110
[   62.051749][   T21]  rxrpc_listen+0x11c/0x330
[   62.056257][   T21]  afs_close_socket+0x95/0x320
[   62.061024][   T21]  ? afs_purge_servers+0x181/0x330
[   62.066143][   T21]  ? afs_rx_discard_new_call+0x50/0x50
[   62.071605][   T21]  ? init_wait_var_entry+0x200/0x200
[   62.077463][   T21]  afs_net_exit+0x1c4/0x310
[   62.081965][   T21]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[   62.087595][   T21]  ops_exit_list+0xb0/0x160
[   62.092104][   T21]  cleanup_net+0x4ea/0xa00
[   62.096660][   T21]  ? __schedule+0x887/0x1eb0
[   62.101396][   T21]  ? ops_free_list.part.0+0x3d0/0x3d0
[   62.106777][   T21]  ? check_preemption_disabled+0x38/0x220
[   62.112552][   T21]  process_one_work+0x94c/0x1670
[   62.117644][   T21]  ? lock_release+0x8d0/0x8d0
[   62.122505][   T21]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   62.127890][   T21]  ? rwlock_bug.part.0+0x90/0x90
[   62.132849][   T21]  worker_thread+0x64c/0x1120
[   62.138001][   T21]  ? process_one_work+0x1670/0x1670
[   62.143216][   T21]  kthread+0x3b5/0x4a0
[   62.147285][   T21]  ? __kthread_bind_mask+0xc0/0xc0
[   62.152693][   T21]  ? __kthread_bind_mask+0xc0/0xc0
[   62.157988][   T21]  ret_from_fork+0x1f/0x30
[   62.162416][   T21] 
[   62.164798][   T21] Allocated by task 6947:
[   62.169127][   T21]  save_stack+0x1b/0x40
[   62.173288][   T21]  __kasan_kmalloc.constprop.0+0xc2/0xd0
[   62.179047][   T21]  kmem_cache_alloc_trace+0x14f/0x2d0
[   62.184429][   T21]  afs_alloc_call+0x4f/0x360
[   62.189485][   T21]  afs_charge_preallocation+0xe9/0x2d0
[   62.194941][   T21]  afs_open_socket+0x294/0x360
[   62.200569][   T21]  afs_net_init+0xab4/0xe90
[   62.205072][   T21]  ops_init+0xaf/0x470
[   62.209230][   T21]  setup_net+0x2d8/0x850
[   62.213470][   T21]  copy_net_ns+0x2cf/0x5e0
[   62.217884][   T21]  create_new_namespaces+0x3f6/0xb10
[   62.223166][   T21]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   62.228793][   T21]  ksys_unshare+0x36c/0x9a0
[   62.233330][   T21]  __ia32_sys_unshare+0x2c/0x40
[   62.238180][   T21]  do_syscall_32_irqs_on+0x3f/0x60
[   62.243376][   T21]  do_fast_syscall_32+0x7f/0x120
[   62.248315][   T21]  entry_SYSENTER_compat+0x6d/0x7c
[   62.253503][   T21] 
[   62.255839][   T21] Freed by task 21:
[   62.259647][   T21]  save_stack+0x1b/0x40
[   62.263826][   T21]  __kasan_slab_free+0xf5/0x140
[   62.268764][   T21]  kfree+0x103/0x2c0
[   62.272655][   T21]  afs_put_call+0x345/0x440
[   62.277156][   T21]  rxrpc_discard_prealloc+0x75a/0xab0
[   62.282786][   T21]  rxrpc_listen+0x11c/0x330
[   62.287286][   T21]  afs_close_socket+0x95/0x320
[   62.292045][   T21]  afs_net_exit+0x1c4/0x310
[   62.296545][   T21]  ops_exit_list+0xb0/0x160
[   62.301046][   T21]  cleanup_net+0x4ea/0xa00
[   62.305460][   T21]  process_one_work+0x94c/0x1670
[   62.310452][   T21]  worker_thread+0x64c/0x1120
[   62.315143][   T21]  kthread+0x3b5/0x4a0
[   62.319310][   T21]  ret_from_fork+0x1f/0x30
[   62.323868][   T21] 
[   62.326202][   T21] The buggy address belongs to the object at ffff88809f145000
[   62.326202][   T21]  which belongs to the cache kmalloc-1k of size 1024
[   62.340344][   T21] The buggy address is located 484 bytes inside of
[   62.340344][   T21]  1024-byte region [ffff88809f145000, ffff88809f145400)
[   62.353704][   T21] The buggy address belongs to the page:
[   62.359534][   T21] page:ffffea00027c5140 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   62.368687][   T21] flags: 0xfffe0000000200(slab)
[   62.373548][   T21] raw: 00fffe0000000200 ffffea000242cbc8 ffffea0002a3bb48 ffff8880aa000c40
[   62.384139][   T21] raw: 0000000000000000 ffff88809f145000 0000000100000002 0000000000000000
[   62.392719][   T21] page dumped because: kasan: bad access detected
[   62.399121][   T21] 
[   62.401438][   T21] Memory state around the buggy address:
[   62.407070][   T21]  ffff88809f145080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.415141][   T21]  ffff88809f145100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.423202][   T21] >ffff88809f145180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.431254][   T21]                                                        ^
[   62.438445][   T21]  ffff88809f145200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.446507][   T21]  ffff88809f145280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.454561][   T21] ==================================================================
[   62.462611][   T21] Disabling lock debugging due to kernel taint
[   62.468921][   T21] Kernel panic - not syncing: panic_on_warn set ...
[   62.475504][   T21] CPU: 1 PID: 21 Comm: kworker/u4:1 Tainted: G    B             5.8.0-rc2-syzkaller #0
[   62.485115][   T21] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.495166][   T21] Workqueue: netns cleanup_net
[   62.499914][   T21] Call Trace:
[   62.503204][   T21]  dump_stack+0x18f/0x20d
[   62.507527][   T21]  ? afs_wake_up_async_call+0x340/0x4a0
[   62.513058][   T21]  ? afs_put_call+0x440/0x440
[   62.517721][   T21]  panic+0x2e3/0x75c
[   62.521609][   T21]  ? __warn_printk+0xf3/0xf3
[   62.526292][   T21]  ? afs_wake_up_async_call+0x430/0x4a0
[   62.531832][   T21]  ? trace_hardirqs_on+0x55/0x220
[   62.536854][   T21]  ? afs_wake_up_async_call+0x430/0x4a0
[   62.542402][   T21]  ? afs_wake_up_async_call+0x430/0x4a0
[   62.547941][   T21]  ? afs_put_call+0x440/0x440
[   62.552612][   T21]  end_report+0x4d/0x53
[   62.557226][   T21]  kasan_report.cold+0xd/0x37
[   62.564509][   T21]  ? afs_wake_up_async_call+0x430/0x4a0
[   62.570056][   T21]  afs_wake_up_async_call+0x430/0x4a0
[   62.575424][   T21]  ? afs_close_socket+0x320/0x320
[   62.580440][   T21]  rxrpc_notify_socket+0x1db/0x5d0
[   62.585556][   T21]  ? afs_put_call+0x440/0x440
[   62.590237][   T21]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   62.596647][   T21]  rxrpc_call_completed+0xd0/0xf0
[   62.601662][   T21]  rxrpc_discard_prealloc+0x777/0xab0
[   62.607020][   T21]  ? lock_sock_nested+0x94/0x110
[   62.611950][   T21]  rxrpc_listen+0x11c/0x330
[   62.616442][   T21]  afs_close_socket+0x95/0x320
[   62.621194][   T21]  ? afs_purge_servers+0x181/0x330
[   62.626294][   T21]  ? afs_rx_discard_new_call+0x50/0x50
[   62.631746][   T21]  ? init_wait_var_entry+0x200/0x200
[   62.637025][   T21]  afs_net_exit+0x1c4/0x310
[   62.641517][   T21]  ? __bpf_trace_afs_cb_miss+0x100/0x100
[   62.647137][   T21]  ops_exit_list+0xb0/0x160
[   62.651638][   T21]  cleanup_net+0x4ea/0xa00
[   62.656046][   T21]  ? __schedule+0x887/0x1eb0
[   62.660631][   T21]  ? ops_free_list.part.0+0x3d0/0x3d0
[   62.666520][   T21]  ? check_preemption_disabled+0x38/0x220
[   62.672231][   T21]  process_one_work+0x94c/0x1670
[   62.677161][   T21]  ? lock_release+0x8d0/0x8d0
[   62.681830][   T21]  ? pwq_dec_nr_in_flight+0x2d0/0x2d0
[   62.687218][   T21]  ? rwlock_bug.part.0+0x90/0x90
[   62.692154][   T21]  worker_thread+0x64c/0x1120
[   62.696829][   T21]  ? process_one_work+0x1670/0x1670
[   62.702042][   T21]  kthread+0x3b5/0x4a0
[   62.706145][   T21]  ? __kthread_bind_mask+0xc0/0xc0
[   62.711255][   T21]  ? __kthread_bind_mask+0xc0/0xc0
[   62.716362][   T21]  ret_from_fork+0x1f/0x30
[   62.722219][   T21] Kernel Offset: disabled
[   62.726659][   T21] Rebooting in 86400 seconds..
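The "Freed by" and "Call Trace" stacks above are the same worker on the same path: rxrpc_discard_prealloc at +0x75a calls afs_put_call, which kfree()s the 1024-byte afs_call, and the same function at +0x777 then calls rxrpc_call_completed, whose notification path (rxrpc_notify_socket -> afs_wake_up_async_call) writes one byte at offset 484 of the object just freed. The following user-space C model is added here as an illustration; it is not code from the report, from rxrpc or from afs, and all names in it are invented. It reproduces that lifecycle ordering (drop the user's last reference, then deliver the completion notification) with a KASAN-style shadow table standing in for the allocator poisoning, and contrasts it with delivering the final notification while the reference is still held. It does not claim to be the upstream fix.

```c
/*
 * Constructed model of the ordering bug in the trace above. Not kernel
 * code: struct call, put_call(), call_completed() and the shadow table
 * are invented stand-ins for afs_call, afs_put_call(),
 * rxrpc_call_completed() and KASAN's shadow memory.
 */
#include <stdio.h>
#include <stdlib.h>

#define MAX_CALLS 8

struct call {
    int refcount;
    unsigned char state;   /* the byte the wake-up hook writes */
    int id;                /* index into the shadow table */
};

/* 1 = live, 0 = freed (poisoned). Freed objects are quarantined rather
 * than released immediately so the bad write is reported instead of
 * touching memory that has actually been freed. */
static int shadow[MAX_CALLS];
static struct call *quarantine[MAX_CALLS];
static int uaf_detected;

static struct call *alloc_call(int id) {
    struct call *c = calloc(1, sizeof(*c));
    if (!c) abort();
    c->refcount = 1;
    c->id = id;
    shadow[id] = 1;
    return c;
}

/* Stand-in for afs_put_call(): last reference gone -> object is dead. */
static void put_call(struct call *c) {
    if (--c->refcount == 0) {
        shadow[c->id] = 0;          /* poison, as __kasan_slab_free does */
        quarantine[c->id] = c;      /* deferred free */
    }
}

static void quarantine_flush(void) {
    for (int i = 0; i < MAX_CALLS; i++) {
        free(quarantine[i]);
        quarantine[i] = NULL;
    }
}

/* Stand-in for afs_wake_up_async_call(): a one-byte write into the call. */
static void wake_up_async_call(struct call *c) {
    if (!shadow[c->id]) {           /* KASAN would report here */
        uaf_detected++;
        return;
    }
    c->state = 1;
}

/* Stand-in for rxrpc_call_completed() -> rxrpc_notify_socket(). */
static void call_completed(struct call *c) {
    wake_up_async_call(c);
}

/* Order seen in the trace: put (+0x75a) before completed (+0x777). */
static void discard_prealloc_buggy(struct call *c) {
    put_call(c);
    call_completed(c);
}

/* Notify while the reference is still held, then drop it. */
static void discard_prealloc_fixed(struct call *c) {
    call_completed(c);
    put_call(c);
}

/* Runs one discard sequence; returns the number of UAF writes caught. */
static int run(void (*discard)(struct call *)) {
    uaf_detected = 0;
    struct call *c = alloc_call(0);
    discard(c);
    quarantine_flush();
    return uaf_detected;
}

int run_buggy(void) { return run(discard_prealloc_buggy); }
int run_fixed(void) { return run(discard_prealloc_fixed); }

int main(void) {
    printf("buggy order: %d use-after-free write(s) caught\n", run_buggy());
    printf("fixed order: %d use-after-free write(s) caught\n", run_fixed());
    return 0;
}
```

The model only captures the ordering visible in the two stacks; in the kernel the afs_call is freed for real, so the write lands in slab memory that may already have been reallocated, which is why the report is a kernel panic under panic_on_warn rather than a benign stray byte.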