Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.239' (ECDSA) to the list of known hosts.
2020/06/15 19:43:20 fuzzer started
2020/06/15 19:43:21 connecting to host at 10.128.0.26:43501
2020/06/15 19:43:21 checking machine...
2020/06/15 19:43:21 checking revisions...
2020/06/15 19:43:21 testing simple program...
syzkaller login: [ 59.579426][ T6887] IPVS: ftp: loaded support on port[0] = 21
2020/06/15 19:43:21 building call list...
[ 59.882231][ T24] tipc: TX() has been purged, node left!
[ 60.434018][ T24] ==================================================================
[ 60.442268][ T24] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 60.450155][ T24] Write of size 1 at addr ffff888081c849e4 by task kworker/u4:2/24
[ 60.458029][ T24]
[ 60.460363][ T24] CPU: 1 PID: 24 Comm: kworker/u4:2 Not tainted 5.8.0-rc1-next-20200615-syzkaller #0
[ 60.469808][ T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.479885][ T24] Workqueue: netns cleanup_net
[ 60.484639][ T24] Call Trace:
[ 60.487932][ T24] dump_stack+0x18f/0x20d
[ 60.492264][ T24] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.497838][ T24] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.503381][ T24] ? afs_put_call+0xa40/0xa40
[ 60.508062][ T24] print_address_description.constprop.0.cold+0xd3/0x413
[ 60.515092][ T24] ? vprintk_func+0x97/0x1a6
[ 60.519685][ T24] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.525228][ T24] kasan_report.cold+0x1f/0x37
[ 60.529998][ T24] ? rcu_read_lock_held_common+0x71/0xa0
[ 60.535628][ T24] ? afs_wake_up_async_call+0x6aa/0x770
[ 60.541189][ T24] afs_wake_up_async_call+0x6aa/0x770
[ 60.546566][ T24] ? afs_close_socket+0x320/0x320
[ 60.551594][ T24] ? afs_put_call+0xa40/0xa40
[ 60.556268][ T24] rxrpc_notify_socket+0x1db/0x5d0
[ 60.561484][ T24] ? afs_put_call+0xa40/0xa40
[ 60.566166][ T24] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 60.572585][ T24] rxrpc_call_completed+0xca/0xf0
[ 60.577618][ T24] rxrpc_discard_prealloc+0x781/0xab0
[ 60.583004][ T24] ? lock_sock_nested+0x94/0x110
[ 60.587948][ T24] rxrpc_listen+0x147/0x360
[ 60.592459][ T24] afs_close_socket+0x95/0x320
[ 60.597225][ T24] ? afs_purge_servers+0x16d/0x300
[ 60.602340][ T24] ? afs_rx_discard_new_call+0x50/0x50
[ 60.607805][ T24] ? init_wait_var_entry+0x200/0x200
[ 60.613098][ T24] ? rcu_read_lock_held_common+0xa0/0xa0
[ 60.618735][ T24] ? check_preemption_disabled+0x38/0x220
[ 60.624462][ T24] afs_net_exit+0x1bc/0x310
[ 60.628966][ T24] ? afs_net_init+0xe30/0xe30
[ 60.633643][ T24] ops_exit_list.isra.0+0xa8/0x150
[ 60.638767][ T24] cleanup_net+0x511/0xa50
[ 60.643195][ T24] ? unregister_pernet_device+0x70/0x70
[ 60.648753][ T24] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 60.654746][ T24] process_one_work+0x965/0x1690
[ 60.659696][ T24] ? lock_release+0x800/0x800
[ 60.664383][ T24] ? pwq_dec_nr_in_flight+0x310/0x310
[ 60.669762][ T24] ? rwlock_bug.part.0+0x90/0x90
[ 60.674711][ T24] worker_thread+0x96/0xe10
[ 60.679235][ T24] ? process_one_work+0x1690/0x1690
[ 60.684440][ T24] kthread+0x3b5/0x4a0
[ 60.688507][ T24] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 60.694226][ T24] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 60.699951][ T24] ret_from_fork+0x1f/0x30
[ 60.704378][ T24]
[ 60.706704][ T24] Allocated by task 6887:
[ 60.711040][ T24] save_stack+0x1b/0x40
[ 60.715199][ T24] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 60.720829][ T24] kmem_cache_alloc_trace+0x153/0x7d0
[ 60.726200][ T24] afs_alloc_call+0x55/0x630
[ 60.730790][ T24] afs_charge_preallocation+0xe9/0x2d0
[ 60.736247][ T24] afs_open_socket+0x292/0x360
[ 60.741008][ T24] afs_net_init+0xa6c/0xe30
[ 60.745508][ T24] ops_init+0xaf/0x420
[ 60.749575][ T24] setup_net+0x2de/0x860
[ 60.753839][ T24] copy_net_ns+0x293/0x590
[ 60.758259][ T24] create_new_namespaces+0x3fb/0xb30
[ 60.763542][ T24] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 60.769170][ T24] ksys_unshare+0x43d/0x8e0
[ 60.773694][ T24] __x64_sys_unshare+0x2d/0x40
[ 60.778459][ T24] do_syscall_64+0x60/0xe0
[ 60.782874][ T24] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 60.788754][ T24]
[ 60.791076][ T24] Freed by task 24:
[ 60.794883][ T24] save_stack+0x1b/0x40
[ 60.799038][ T24] __kasan_slab_free+0xf7/0x140
[ 60.803881][ T24] kfree+0x109/0x2b0
[ 60.807792][ T24] afs_put_call+0x585/0xa40
[ 60.812292][ T24] rxrpc_discard_prealloc+0x764/0xab0
[ 60.817672][ T24] rxrpc_listen+0x147/0x360
[ 60.822178][ T24] afs_close_socket+0x95/0x320
[ 60.826937][ T24] afs_net_exit+0x1bc/0x310
[ 60.831438][ T24] ops_exit_list.isra.0+0xa8/0x150
[ 60.836543][ T24] cleanup_net+0x511/0xa50
[ 60.840961][ T24] process_one_work+0x965/0x1690
[ 60.845896][ T24] worker_thread+0x96/0xe10
[ 60.850398][ T24] kthread+0x3b5/0x4a0
[ 60.854483][ T24] ret_from_fork+0x1f/0x30
[ 60.858891][ T24]
[ 60.861217][ T24] The buggy address belongs to the object at ffff888081c84800
[ 60.861217][ T24] which belongs to the cache kmalloc-1k of size 1024
[ 60.875266][ T24] The buggy address is located 484 bytes inside of
[ 60.875266][ T24] 1024-byte region [ffff888081c84800, ffff888081c84c00)
[ 60.888614][ T24] The buggy address belongs to the page:
[ 60.894248][ T24] page:ffffea0002072100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 60.903351][ T24] flags: 0xfffe0000000200(slab)
[ 60.908209][ T24] raw: 00fffe0000000200 ffffea0002072088 ffffea0002072148 ffff8880aa000c40
[ 60.916795][ T24] raw: 0000000000000000 ffff888081c84000 0000000100000002 0000000000000000
[ 60.925369][ T24] page dumped because: kasan: bad access detected
[ 60.931771][ T24]
[ 60.934205][ T24] Memory state around the buggy address:
[ 60.939834][ T24] ffff888081c84880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.947915][ T24] ffff888081c84900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.955976][ T24] >ffff888081c84980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.964028][ T24] ^
[ 60.971221][ T24] ffff888081c84a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.979282][ T24] ffff888081c84a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.987333][ T24] ==================================================================
[ 60.995382][ T24] Disabling lock debugging due to kernel taint
[ 61.001585][ T24] Kernel panic - not syncing: panic_on_warn set ...
[ 61.008169][ T24] CPU: 1 PID: 24 Comm: kworker/u4:2 Tainted: G B 5.8.0-rc1-next-20200615-syzkaller #0
[ 61.019009][ T24] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.029067][ T24] Workqueue: netns cleanup_net
[ 61.033821][ T24] Call Trace:
[ 61.037107][ T24] dump_stack+0x18f/0x20d
[ 61.041442][ T24] ? afs_wake_up_async_call+0x660/0x770
[ 61.047012][ T24] ? afs_put_call+0xa40/0xa40
[ 61.051713][ T24] panic+0x2e3/0x75c
[ 61.055610][ T24] ? __warn_printk+0xf3/0xf3
[ 61.060226][ T24] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 61.066385][ T24] ? trace_hardirqs_on+0x55/0x220
[ 61.071525][ T24] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.077071][ T24] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.082619][ T24] ? afs_put_call+0xa40/0xa40
[ 61.087299][ T24] end_report+0x4d/0x53
[ 61.091457][ T24] kasan_report.cold+0xd/0x37
[ 61.096138][ T24] ? rcu_read_lock_held_common+0x71/0xa0
[ 61.101798][ T24] ? afs_wake_up_async_call+0x6aa/0x770
[ 61.107344][ T24] afs_wake_up_async_call+0x6aa/0x770
[ 61.112717][ T24] ? afs_close_socket+0x320/0x320
[ 61.117741][ T24] ? afs_put_call+0xa40/0xa40
[ 61.122414][ T24] rxrpc_notify_socket+0x1db/0x5d0
[ 61.127519][ T24] ? afs_put_call+0xa40/0xa40
[ 61.132188][ T24] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 61.138602][ T24] rxrpc_call_completed+0xca/0xf0
[ 61.143625][ T24] rxrpc_discard_prealloc+0x781/0xab0
[ 61.148991][ T24] ? lock_sock_nested+0x94/0x110
[ 61.153924][ T24] rxrpc_listen+0x147/0x360
[ 61.158427][ T24] afs_close_socket+0x95/0x320
[ 61.163193][ T24] ? afs_purge_servers+0x16d/0x300
[ 61.168303][ T24] ? afs_rx_discard_new_call+0x50/0x50
[ 61.173758][ T24] ? init_wait_var_entry+0x200/0x200
[ 61.179039][ T24] ? rcu_read_lock_held_common+0xa0/0xa0
[ 61.184662][ T24] ? check_preemption_disabled+0x38/0x220
[ 61.190380][ T24] afs_net_exit+0x1bc/0x310
[ 61.199739][ T24] ? afs_net_init+0xe30/0xe30
[ 61.204411][ T24] ops_exit_list.isra.0+0xa8/0x150
[ 61.209516][ T24] cleanup_net+0x511/0xa50
[ 61.213928][ T24] ? unregister_pernet_device+0x70/0x70
[ 61.219469][ T24] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 61.225444][ T24] process_one_work+0x965/0x1690
[ 61.230379][ T24] ? lock_release+0x800/0x800
[ 61.235158][ T24] ? pwq_dec_nr_in_flight+0x310/0x310
[ 61.240525][ T24] ? rwlock_bug.part.0+0x90/0x90
[ 61.245461][ T24] worker_thread+0x96/0xe10
[ 61.249962][ T24] ? process_one_work+0x1690/0x1690
[ 61.255153][ T24] kthread+0x3b5/0x4a0
[ 61.259214][ T24] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.264923][ T24] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 61.270636][ T24] ret_from_fork+0x1f/0x30
[ 61.276256][ T24] Kernel Offset: disabled
[ 61.280574][ T24] Rebooting in 86400 seconds..