Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
2020/06/14 21:43:38 fuzzer started
2020/06/14 21:43:38 connecting to host at 10.128.0.26:46535
2020/06/14 21:43:38 checking machine...
2020/06/14 21:43:38 checking revisions...
2020/06/14 21:43:39 testing simple program...
syzkaller login: [ 57.729218][ T6821] IPVS: ftp: loaded support on port[0] = 21
2020/06/14 21:43:39 building call list...
[ 58.036840][ T334] tipc: TX() has been purged, node left!
[ 58.528892][ T334] ==================================================================
[ 58.537289][ T334] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 58.545173][ T334] Write of size 1 at addr ffff8880827451e4 by task kworker/u4:4/334
[ 58.553155][ T334]
[ 58.555503][ T334] CPU: 0 PID: 334 Comm: kworker/u4:4 Not tainted 5.7.0-next-20200614-syzkaller #0
[ 58.564704][ T334] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.574760][ T334] Workqueue: netns cleanup_net
[ 58.579513][ T334] Call Trace:
[ 58.582806][ T334]  dump_stack+0x18f/0x20d
[ 58.587136][ T334]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.592682][ T334]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.598224][ T334]  ? afs_put_call+0xa40/0xa40
[ 58.602898][ T334]  print_address_description.constprop.0.cold+0xd3/0x413
[ 58.610061][ T334]  ? vprintk_func+0x97/0x1a6
[ 58.614656][ T334]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.620211][ T334]  kasan_report.cold+0x1f/0x37
[ 58.624977][ T334]  ? rcu_read_lock_held_common+0x41/0xa0
[ 58.630619][ T334]  ? afs_wake_up_async_call+0x6aa/0x770
[ 58.636179][ T334]  afs_wake_up_async_call+0x6aa/0x770
[ 58.641549][ T334]  ? afs_close_socket+0x320/0x320
[ 58.646572][ T334]  ? afs_put_call+0xa40/0xa40
[ 58.651330][ T334]  rxrpc_notify_socket+0x1db/0x5d0
[ 58.656440][ T334]  ? afs_put_call+0xa40/0xa40
[ 58.661108][ T334]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 58.667528][ T334]  rxrpc_call_completed+0xca/0xf0
[ 58.672564][ T334]  rxrpc_discard_prealloc+0x781/0xab0
[ 58.677935][ T334]  ? lock_sock_nested+0x94/0x110
[ 58.682870][ T334]  rxrpc_listen+0x147/0x360
[ 58.687382][ T334]  afs_close_socket+0x95/0x320
[ 58.692141][ T334]  ? afs_purge_servers+0x16d/0x300
[ 58.697251][ T334]  ? afs_rx_discard_new_call+0x50/0x50
[ 58.702712][ T334]  ? init_wait_var_entry+0x200/0x200
[ 58.707997][ T334]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 58.713621][ T334]  ? check_preemption_disabled+0x38/0x220
[ 58.719370][ T334]  afs_net_exit+0x1bc/0x310
[ 58.723868][ T334]  ? afs_net_init+0xe30/0xe30
[ 58.728564][ T334]  ops_exit_list.isra.0+0xa8/0x150
[ 58.733676][ T334]  cleanup_net+0x511/0xa50
[ 58.738096][ T334]  ? unregister_pernet_device+0x70/0x70
[ 58.743641][ T334]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 58.749622][ T334]  process_one_work+0x965/0x1690
[ 58.754654][ T334]  ? lock_release+0x800/0x800
[ 58.759354][ T334]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 58.764727][ T334]  ? rwlock_bug.part.0+0x90/0x90
[ 58.769695][ T334]  worker_thread+0x96/0xe10
[ 58.774210][ T334]  ? process_one_work+0x1690/0x1690
[ 58.779414][ T334]  kthread+0x3b5/0x4a0
[ 58.783519][ T334]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.789280][ T334]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.795002][ T334]  ret_from_fork+0x1f/0x30
[ 58.799443][ T334]
[ 58.801764][ T334] Allocated by task 6821:
[ 58.806103][ T334]  save_stack+0x1b/0x40
[ 58.810948][ T334]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.816573][ T334]  kmem_cache_alloc_trace+0x153/0x7d0
[ 58.821936][ T334]  afs_alloc_call+0x55/0x630
[ 58.826524][ T334]  afs_charge_preallocation+0xe9/0x2d0
[ 58.831994][ T334]  afs_open_socket+0x292/0x360
[ 58.836764][ T334]  afs_net_init+0xa6c/0xe30
[ 58.841269][ T334]  ops_init+0xaf/0x420
[ 58.845386][ T334]  setup_net+0x2de/0x860
[ 58.849683][ T334]  copy_net_ns+0x293/0x590
[ 58.854281][ T334]  create_new_namespaces+0x3fb/0xb30
[ 58.859597][ T334]  unshare_nsproxy_namespaces+0xbd/0x1f0
[ 58.865278][ T334]  ksys_unshare+0x43d/0x8e0
[ 58.869780][ T334]  __x64_sys_unshare+0x2d/0x40
[ 58.874716][ T334]  do_syscall_64+0x60/0xe0
[ 58.879135][ T334]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.885031][ T334]
[ 58.887789][ T334] Freed by task 334:
[ 58.891685][ T334]  save_stack+0x1b/0x40
[ 58.895835][ T334]  __kasan_slab_free+0xf7/0x140
[ 58.900676][ T334]  kfree+0x109/0x2b0
[ 58.904586][ T334]  afs_put_call+0x585/0xa40
[ 58.909123][ T334]  rxrpc_discard_prealloc+0x764/0xab0
[ 58.914523][ T334]  rxrpc_listen+0x147/0x360
[ 58.919027][ T334]  afs_close_socket+0x95/0x320
[ 58.923785][ T334]  afs_net_exit+0x1bc/0x310
[ 58.928660][ T334]  ops_exit_list.isra.0+0xa8/0x150
[ 58.933767][ T334]  cleanup_net+0x511/0xa50
[ 58.938180][ T334]  process_one_work+0x965/0x1690
[ 58.943112][ T334]  worker_thread+0x96/0xe10
[ 58.947625][ T334]  kthread+0x3b5/0x4a0
[ 58.951784][ T334]  ret_from_fork+0x1f/0x30
[ 58.956267][ T334]
[ 58.958594][ T334] The buggy address belongs to the object at ffff888082745000
[ 58.958594][ T334]  which belongs to the cache kmalloc-1k of size 1024
[ 58.972653][ T334] The buggy address is located 484 bytes inside of
[ 58.972653][ T334]  1024-byte region [ffff888082745000, ffff888082745400)
[ 58.986112][ T334] The buggy address belongs to the page:
[ 58.991745][ T334] page:ffffea000209d140 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 59.000841][ T334] flags: 0xfffe0000000200(slab)
[ 59.005692][ T334] raw: 00fffe0000000200 ffffea000209d088 ffffea000209d188 ffff8880aa000c40
[ 59.014366][ T334] raw: 0000000000000000 ffff888082745000 0000000100000002 0000000000000000
[ 59.022956][ T334] page dumped because: kasan: bad access detected
[ 59.029462][ T334]
[ 59.031794][ T334] Memory state around the buggy address:
[ 59.037421][ T334]  ffff888082745080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.045478][ T334]  ffff888082745100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.053539][ T334] >ffff888082745180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.061589][ T334]                                                        ^
[ 59.068874][ T334]  ffff888082745200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.076942][ T334]  ffff888082745280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 59.084992][ T334] ==================================================================
[ 59.093051][ T334] Disabling lock debugging due to kernel taint
[ 59.099345][ T334] Kernel panic - not syncing: panic_on_warn set ...
[ 59.105927][ T334] CPU: 0 PID: 334 Comm: kworker/u4:4 Tainted: G    B             5.7.0-next-20200614-syzkaller #0
[ 59.116502][ T334] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.126572][ T334] Workqueue: netns cleanup_net
[ 59.131317][ T334] Call Trace:
[ 59.134601][ T334]  dump_stack+0x18f/0x20d
[ 59.138924][ T334]  ? afs_wake_up_async_call+0x5e0/0x770
[ 59.144456][ T334]  ? afs_put_call+0xa40/0xa40
[ 59.149148][ T334]  panic+0x2e3/0x75c
[ 59.153041][ T334]  ? __warn_printk+0xf3/0xf3
[ 59.157618][ T334]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 59.163782][ T334]  ? trace_hardirqs_on+0x55/0x220
[ 59.168801][ T334]  ? afs_wake_up_async_call+0x6aa/0x770
[ 59.174340][ T334]  ? afs_wake_up_async_call+0x6aa/0x770
[ 59.179875][ T334]  ? afs_put_call+0xa40/0xa40
[ 59.184552][ T334]  end_report+0x4d/0x53
[ 59.188704][ T334]  kasan_report.cold+0xd/0x37
[ 59.193378][ T334]  ? rcu_read_lock_held_common+0x41/0xa0
[ 59.199011][ T334]  ? afs_wake_up_async_call+0x6aa/0x770
[ 59.204557][ T334]  afs_wake_up_async_call+0x6aa/0x770
[ 59.209921][ T334]  ? afs_close_socket+0x320/0x320
[ 59.214938][ T334]  ? afs_put_call+0xa40/0xa40
[ 59.219615][ T334]  rxrpc_notify_socket+0x1db/0x5d0
[ 59.224731][ T334]  ? afs_put_call+0xa40/0xa40
[ 59.229420][ T334]  __rxrpc_set_call_completion.part.0+0x172/0x410
[ 59.236007][ T334]  rxrpc_call_completed+0xca/0xf0
[ 59.241032][ T334]  rxrpc_discard_prealloc+0x781/0xab0
[ 59.246402][ T334]  ? lock_sock_nested+0x94/0x110
[ 59.251336][ T334]  rxrpc_listen+0x147/0x360
[ 59.255834][ T334]  afs_close_socket+0x95/0x320
[ 59.260603][ T334]  ? afs_purge_servers+0x16d/0x300
[ 59.265704][ T334]  ? afs_rx_discard_new_call+0x50/0x50
[ 59.271158][ T334]  ? init_wait_var_entry+0x200/0x200
[ 59.276435][ T334]  ? rcu_read_lock_held_common+0xa0/0xa0
[ 59.282066][ T334]  ? check_preemption_disabled+0x38/0x220
[ 59.287775][ T334]  afs_net_exit+0x1bc/0x310
[ 59.292264][ T334]  ? afs_net_init+0xe30/0xe30
[ 59.296928][ T334]  ops_exit_list.isra.0+0xa8/0x150
[ 59.302027][ T334]  cleanup_net+0x511/0xa50
[ 59.306435][ T334]  ? unregister_pernet_device+0x70/0x70
[ 59.311976][ T334]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 59.317950][ T334]  process_one_work+0x965/0x1690
[ 59.322878][ T334]  ? lock_release+0x800/0x800
[ 59.327574][ T334]  ? pwq_dec_nr_in_flight+0x310/0x310
[ 59.332942][ T334]  ? rwlock_bug.part.0+0x90/0x90
[ 59.337876][ T334]  worker_thread+0x96/0xe10
[ 59.342372][ T334]  ? process_one_work+0x1690/0x1690
[ 59.347556][ T334]  kthread+0x3b5/0x4a0
[ 59.351611][ T334]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 59.357318][ T334]  ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 59.363041][ T334]  ret_from_fork+0x1f/0x30
[ 59.368797][ T334] Kernel Offset: disabled
[ 59.373110][ T334] Rebooting in 86400 seconds..