Warning: Permanently added '10.128.1.54' (ECDSA) to the list of known hosts.
2020/06/16 17:32:01 fuzzer started
2020/06/16 17:32:01 connecting to host at 10.128.0.26:43573
2020/06/16 17:32:01 checking machine...
2020/06/16 17:32:01 checking revisions...
2020/06/16 17:32:02 testing simple program...
syzkaller login: [   60.849889][ T6843] IPVS: ftp: loaded support on port[0] = 21
2020/06/16 17:32:02 building call list...
[   61.271359][ T6771] tipc: TX() has been purged, node left!
[   61.833281][ T6771] ==================================================================
[   61.841556][ T6771] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   61.849443][ T6771] Write of size 1 at addr ffff8880a2e739e4 by task kworker/u4:6/6771
[   61.857508][ T6771]
[   61.859841][ T6771] CPU: 1 PID: 6771 Comm: kworker/u4:6 Not tainted 5.8.0-rc1-next-20200616-syzkaller #0
[   61.869470][ T6771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   61.879536][ T6771] Workqueue: netns cleanup_net
[   61.884289][ T6771] Call Trace:
[   61.887847][ T6771]  dump_stack+0x18f/0x20d
[   61.892180][ T6771]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.897724][ T6771]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.903527][ T6771]  ? afs_put_call+0xa40/0xa40
[   61.908210][ T6771]  print_address_description.constprop.0.cold+0xd3/0x413
[   61.915249][ T6771]  ? vprintk_func+0x97/0x1a6
[   61.919848][ T6771]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.925390][ T6771]  kasan_report.cold+0x1f/0x37
[   61.930165][ T6771]  ? rcu_read_lock_held_common+0x71/0xa0
[   61.935794][ T6771]  ? afs_wake_up_async_call+0x6aa/0x770
[   61.941350][ T6771]  afs_wake_up_async_call+0x6aa/0x770
[   61.946718][ T6771]  ? afs_close_socket+0x320/0x320
[   61.951737][ T6771]  ? afs_put_call+0xa40/0xa40
[   61.956421][ T6771]  rxrpc_notify_socket+0x1db/0x5d0
[   61.961573][ T6771]  ? afs_put_call+0xa40/0xa40
[   61.966275][ T6771]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   61.972694][ T6771]  rxrpc_call_completed+0xca/0xf0
[   61.977744][ T6771]  rxrpc_discard_prealloc+0x781/0xab0
[   61.983118][ T6771]  ? lock_sock_nested+0x94/0x110
[   61.988057][ T6771]  rxrpc_listen+0x147/0x360
[   61.992560][ T6771]  afs_close_socket+0x95/0x320
[   61.997319][ T6771]  ? afs_purge_servers+0x16d/0x300
[   62.002431][ T6771]  ? afs_rx_discard_new_call+0x50/0x50
[   62.007905][ T6771]  ? init_wait_var_entry+0x200/0x200
[   62.013193][ T6771]  ? rcu_read_lock_held_common+0xa0/0xa0
[   62.018823][ T6771]  ? check_preemption_disabled+0x38/0x220
[   62.024546][ T6771]  afs_net_exit+0x1bc/0x310
[   62.029043][ T6771]  ? afs_net_init+0xe30/0xe30
[   62.033737][ T6771]  ops_exit_list.isra.0+0xa8/0x150
[   62.038849][ T6771]  cleanup_net+0x511/0xa50
[   62.043273][ T6771]  ? unregister_pernet_device+0x70/0x70
[   62.048819][ T6771]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   62.054802][ T6771]  process_one_work+0x965/0x1690
[   62.059751][ T6771]  ? lock_release+0x800/0x800
[   62.064428][ T6771]  ? pwq_dec_nr_in_flight+0x310/0x310
[   62.069802][ T6771]  ? rwlock_bug.part.0+0x90/0x90
[   62.074921][ T6771]  worker_thread+0x96/0xe10
[   62.079437][ T6771]  ? process_one_work+0x1690/0x1690
[   62.084633][ T6771]  kthread+0x3b5/0x4a0
[   62.088699][ T6771]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   62.094413][ T6771]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   62.100143][ T6771]  ret_from_fork+0x1f/0x30
[   62.104567][ T6771]
[   62.106895][ T6771] Allocated by task 6843:
[   62.111235][ T6771]  save_stack+0x1b/0x40
[   62.115391][ T6771]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   62.121016][ T6771]  kmem_cache_alloc_trace+0x153/0x7d0
[   62.126383][ T6771]  afs_alloc_call+0x55/0x630
[   62.130976][ T6771]  afs_charge_preallocation+0xe9/0x2d0
[   62.136956][ T6771]  afs_open_socket+0x292/0x360
[   62.141725][ T6771]  afs_net_init+0xa6c/0xe30
[   62.146226][ T6771]  ops_init+0xaf/0x420
[   62.150289][ T6771]  setup_net+0x2de/0x860
[   62.154526][ T6771]  copy_net_ns+0x293/0x590
[   62.158939][ T6771]  create_new_namespaces+0x3fb/0xb30
[   62.164227][ T6771]  unshare_nsproxy_namespaces+0xbd/0x1f0
[   62.169892][ T6771]  ksys_unshare+0x43d/0x8e0
[   62.174404][ T6771]  __x64_sys_unshare+0x2d/0x40
[   62.179169][ T6771]  do_syscall_64+0x60/0xe0
[   62.183582][ T6771]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   62.189460][ T6771]
[   62.191781][ T6771] Freed by task 6771:
[   62.195758][ T6771]  save_stack+0x1b/0x40
[   62.199909][ T6771]  __kasan_slab_free+0xf7/0x140
[   62.204754][ T6771]  kfree+0x109/0x2b0
[   62.208645][ T6771]  afs_put_call+0x585/0xa40
[   62.213150][ T6771]  rxrpc_discard_prealloc+0x764/0xab0
[   62.218536][ T6771]  rxrpc_listen+0x147/0x360
[   62.223307][ T6771]  afs_close_socket+0x95/0x320
[   62.228066][ T6771]  afs_net_exit+0x1bc/0x310
[   62.232579][ T6771]  ops_exit_list.isra.0+0xa8/0x150
[   62.237681][ T6771]  cleanup_net+0x511/0xa50
[   62.242095][ T6771]  process_one_work+0x965/0x1690
[   62.247040][ T6771]  worker_thread+0x96/0xe10
[   62.251538][ T6771]  kthread+0x3b5/0x4a0
[   62.255602][ T6771]  ret_from_fork+0x1f/0x30
[   62.260016][ T6771]
[   62.262341][ T6771] The buggy address belongs to the object at ffff8880a2e73800
[   62.262341][ T6771]  which belongs to the cache kmalloc-1k of size 1024
[   62.276392][ T6771] The buggy address is located 484 bytes inside of
[   62.276392][ T6771]  1024-byte region [ffff8880a2e73800, ffff8880a2e73c00)
[   62.289760][ T6771] The buggy address belongs to the page:
[   62.295388][ T6771] page:ffffea00028b9cc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   62.304490][ T6771] flags: 0xfffe0000000200(slab)
[   62.309342][ T6771] raw: 00fffe0000000200 ffffea00029ec8c8 ffffea00029fcd08 ffff8880aa000c40
[   62.317924][ T6771] raw: 0000000000000000 ffff8880a2e73000 0000000100000002 0000000000000000
[   62.326494][ T6771] page dumped because: kasan: bad access detected
[   62.332890][ T6771]
[   62.335212][ T6771] Memory state around the buggy address:
[   62.340848][ T6771]  ffff8880a2e73880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.348903][ T6771]  ffff8880a2e73900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.356962][ T6771] >ffff8880a2e73980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.365537][ T6771]                                                        ^
[   62.372750][ T6771]  ffff8880a2e73a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.380808][ T6771]  ffff8880a2e73a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   62.388964][ T6771] ==================================================================
[   62.398667][ T6771] Disabling lock debugging due to kernel taint
[   62.404885][ T6771] Kernel panic - not syncing: panic_on_warn set ...
[   62.411568][ T6771] CPU: 1 PID: 6771 Comm: kworker/u4:6 Tainted: G    B             5.8.0-rc1-next-20200616-syzkaller #0
[   62.422665][ T6771] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   62.432734][ T6771] Workqueue: netns cleanup_net
[   62.437495][ T6771] Call Trace:
[   62.440789][ T6771]  dump_stack+0x18f/0x20d
[   62.445123][ T6771]  ? afs_wake_up_async_call+0x600/0x770
[   62.450677][ T6771]  ? afs_put_call+0xa40/0xa40
[   62.455358][ T6771]  panic+0x2e3/0x75c
[   62.459256][ T6771]  ? __warn_printk+0xf3/0xf3
[   62.463849][ T6771]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   62.470006][ T6771]  ? trace_hardirqs_on+0x55/0x220
[   62.475019][ T6771]  ? afs_wake_up_async_call+0x6aa/0x770
[   62.480562][ T6771]  ? afs_wake_up_async_call+0x6aa/0x770
[   62.486130][ T6771]  ? afs_put_call+0xa40/0xa40
[   62.490803][ T6771]  end_report+0x4d/0x53
[   62.494990][ T6771]  kasan_report.cold+0xd/0x37
[   62.499674][ T6771]  ? rcu_read_lock_held_common+0x71/0xa0
[   62.505307][ T6771]  ? afs_wake_up_async_call+0x6aa/0x770
[   62.510837][ T6771]  afs_wake_up_async_call+0x6aa/0x770
[   62.516229][ T6771]  ? afs_close_socket+0x320/0x320
[   62.521265][ T6771]  ? afs_put_call+0xa40/0xa40
[   62.525929][ T6771]  rxrpc_notify_socket+0x1db/0x5d0
[   62.531039][ T6771]  ? afs_put_call+0xa40/0xa40
[   62.535702][ T6771]  __rxrpc_set_call_completion.part.0+0x172/0x410
[   62.542102][ T6771]  rxrpc_call_completed+0xca/0xf0
[   62.547126][ T6771]  rxrpc_discard_prealloc+0x781/0xab0
[   62.552478][ T6771]  ? lock_sock_nested+0x94/0x110
[   62.557496][ T6771]  rxrpc_listen+0x147/0x360
[   62.562038][ T6771]  afs_close_socket+0x95/0x320
[   62.566884][ T6771]  ? afs_purge_servers+0x16d/0x300
[   62.572063][ T6771]  ? afs_rx_discard_new_call+0x50/0x50
[   62.577505][ T6771]  ? init_wait_var_entry+0x200/0x200
[   62.582779][ T6771]  ? rcu_read_lock_held_common+0xa0/0xa0
[   62.588401][ T6771]  ? check_preemption_disabled+0x38/0x220
[   62.594116][ T6771]  afs_net_exit+0x1bc/0x310
[   62.598605][ T6771]  ? afs_net_init+0xe30/0xe30
[   62.603291][ T6771]  ops_exit_list.isra.0+0xa8/0x150
[   62.608392][ T6771]  cleanup_net+0x511/0xa50
[   62.613017][ T6771]  ? unregister_pernet_device+0x70/0x70
[   62.618612][ T6771]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   62.624616][ T6771]  process_one_work+0x965/0x1690
[   62.633290][ T6771]  ? lock_release+0x800/0x800
[   62.637971][ T6771]  ? pwq_dec_nr_in_flight+0x310/0x310
[   62.643334][ T6771]  ? rwlock_bug.part.0+0x90/0x90
[   62.648597][ T6771]  worker_thread+0x96/0xe10
[   62.653092][ T6771]  ? process_one_work+0x1690/0x1690
[   62.658270][ T6771]  kthread+0x3b5/0x4a0
[   62.662352][ T6771]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   62.668092][ T6771]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[   62.673817][ T6771]  ret_from_fork+0x1f/0x30
[   62.679259][ T6771] Kernel Offset: disabled
[   62.683590][ T6771] Rebooting in 86400 seconds..
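Added triage example (not part of the syzbot log, syzkaller or the kernel): a small parser that turns a KASAN report like the one above into structured fields and answers the first questions a triager asks: does the faulting address really sit where KASAN says inside the slab object (ffff8880a2e739e4 - ffff8880a2e73800 = 484), did the same task free and then touch the object, and which frames appear in both the faulting trace and the "Freed by" stack. The REPORT string is a constructed, abridged copy of the report above; the field and function names are this example's own.

```python
"""Triage helper for a KASAN report like the one above (added example; not code
from the syzbot page, syzkaller or the kernel). It parses the report, re-derives
the faulting offset inside the slab object from the two printed addresses, and
intersects the faulting call trace with the "Freed by" stack to find the frames
that both freed the object and later touched it. REPORT is a constructed,
abridged copy of the report above with most frames cut."""
import re
from dataclasses import dataclass, field
from typing import List

REPORT = """\
[   61.841556][ T6771] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   61.849443][ T6771] Write of size 1 at addr ffff8880a2e739e4 by task kworker/u4:6/6771
[   61.884289][ T6771] Call Trace:
[   61.941350][ T6771]  afs_wake_up_async_call+0x6aa/0x770
[   61.946718][ T6771]  ? afs_close_socket+0x320/0x320
[   61.972694][ T6771]  rxrpc_call_completed+0xca/0xf0
[   61.977744][ T6771]  rxrpc_discard_prealloc+0x781/0xab0
[   61.988057][ T6771]  rxrpc_listen+0x147/0x360
[   62.104567][ T6771]
[   62.106895][ T6771] Allocated by task 6843:
[   62.126383][ T6771]  afs_alloc_call+0x55/0x630
[   62.189460][ T6771]
[   62.191781][ T6771] Freed by task 6771:
[   62.208645][ T6771]  afs_put_call+0x585/0xa40
[   62.213150][ T6771]  rxrpc_discard_prealloc+0x764/0xab0
[   62.218536][ T6771]  rxrpc_listen+0x147/0x360
[   62.260016][ T6771]
[   62.262341][ T6771] The buggy address belongs to the object at ffff8880a2e73800
[   62.262341][ T6771]  which belongs to the cache kmalloc-1k of size 1024
[   62.276392][ T6771] The buggy address is located 484 bytes inside of
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\] ?")  # "[   61.84...][ T6771] "
FRAME = re.compile(r"^\s*(?P<guess>\?\s+)?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

@dataclass
class KasanReport:
    bug: str = ""
    site: str = ""
    access: str = ""
    addr: int = 0
    task: str = ""
    obj_base: int = 0
    obj_size: int = 0
    claimed_offset: int = -1
    free_pid: str = ""
    trace: List[str] = field(default_factory=list)  # '?' (guessed) frames dropped
    alloc: List[str] = field(default_factory=list)
    free: List[str] = field(default_factory=list)

def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw)
        s = line.strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+)", s):
            r.bug, r.site = m[1], m[2]
        elif m := re.match(r"(Read|Write) of size \d+ at addr ([0-9a-f]+) by task (\S+)", s):
            r.access, r.addr, r.task = m[1], int(m[2], 16), m[3]
        elif s == "Call Trace:":
            section = r.trace
        elif s.startswith("Allocated by task"):
            section = r.alloc
        elif m := re.match(r"Freed by task (\d+):", s):
            r.free_pid, section = m[1], r.free
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", s):
            r.obj_base = int(m[1], 16)
        elif m := re.match(r"which belongs to the cache \S+ of size (\d+)", s):
            r.obj_size = int(m[1])
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", s):
            r.claimed_offset = int(m[1])
        elif (m := FRAME.match(line)) and section is not None:
            if not m["guess"]:  # keep only frames the unwinder is sure of
                section.append(m["sym"])
        elif s == "":
            section = None  # a blank line closes a stack
    return r

def object_offset(r: KasanReport) -> int:
    # Offset of the faulting address inside the slab object, from the addresses alone.
    return r.addr - r.obj_base

def offset_consistent(r: KasanReport) -> bool:
    # The derived offset lies inside the object and equals the number KASAN printed.
    off = object_offset(r)
    return 0 <= off < r.obj_size and off == r.claimed_offset

def shared_frames(r: KasanReport) -> List[str]:
    # Frames in both the faulting trace and the free stack, innermost first; with a
    # matching pid this means the free and the use happened on one call path.
    freed = set(r.free)
    return [f for f in r.trace if f in freed]

def freed_by_faulting_task(r: KasanReport) -> bool:
    # pid after the last '/' in "by task name/pid" versus the "Freed by task" pid
    return r.task.rsplit("/", 1)[-1] == r.free_pid

if __name__ == "__main__":
    rep = parse_kasan(REPORT)
    print(rep.bug, rep.site, f"+{object_offset(rep)}", offset_consistent(rep))
    print("freed by faulting task:", freed_by_faulting_task(rep), shared_frames(rep))
```

On the report above this yields offset 484 (consistent with KASAN's own line), the same pid 6771 on both the free and the faulting access, and rxrpc_discard_prealloc and rxrpc_listen in both stacks, which is the shape of a free-then-use on a single teardown path rather than a cross-thread race. Frames the unwinder marks with "?" are deliberately excluded because they are guesses from stale stack slots and would inflate the intersection.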