Warning: Permanently added '10.128.0.166' (ECDSA) to the list of known hosts.
2020/06/19 18:15:43 fuzzer started
2020/06/19 18:15:43 connecting to host at 10.128.0.26:38035
2020/06/19 18:15:43 checking machine...
2020/06/19 18:15:43 checking revisions...
2020/06/19 18:15:43 testing simple program...
syzkaller login: [ 44.331050][ T6800] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 18:15:44 building call list...
[ 44.642383][ T410] tipc: TX() has been purged, node left!
[ 45.164314][ T410] ==================================================================
[ 45.172527][ T410] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0
[ 45.180406][ T410] Write of size 1 at addr ffff8880a1c969e4 by task kworker/u4:9/410
[ 45.188402][ T410]
[ 45.190725][ T410] CPU: 1 PID: 410 Comm: kworker/u4:9 Not tainted 5.8.0-rc1-syzkaller #0
[ 45.199226][ T410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.209365][ T410] Workqueue: netns cleanup_net
[ 45.214174][ T410] Call Trace:
[ 45.217465][ T410]  dump_stack+0x1f0/0x31e
[ 45.221789][ T410]  print_address_description+0x66/0x5a0
[ 45.227498][ T410]  ? vprintk_emit+0x342/0x3c0
[ 45.233039][ T410]  ? printk+0x62/0x83
[ 45.237029][ T410]  ? vprintk_emit+0x339/0x3c0
[ 45.241700][ T410]  kasan_report+0x132/0x1d0
[ 45.246282][ T410]  ? afs_wake_up_async_call+0x16f/0x1c0
[ 45.251941][ T410]  ? afs_make_call+0x24f0/0x24f0
[ 45.256883][ T410]  afs_wake_up_async_call+0x16f/0x1c0
[ 45.262294][ T410]  ? afs_make_call+0x24f0/0x24f0
[ 45.267226][ T410]  rxrpc_notify_socket+0x1e7/0x4a0
[ 45.272338][ T410]  rxrpc_call_completed+0x131/0x210
[ 45.277703][ T410]  ? afs_rx_new_call+0x240/0x240
[ 45.282725][ T410]  rxrpc_discard_prealloc+0x60d/0x710
[ 45.288132][ T410]  rxrpc_listen+0x246/0x370
[ 45.292630][ T410]  afs_close_socket+0x57/0x280
[ 45.297384][ T410]  ? afs_purge_servers+0x21f/0x280
[ 45.302489][ T410]  ? init_wait_var_entry+0x150/0x150
[ 45.307779][ T410]  afs_net_exit+0x4f/0x90
[ 45.312098][ T410]  cleanup_net+0x708/0xba0
[ 45.316599][ T410]  process_one_work+0x789/0xfc0
[ 45.321572][ T410]  worker_thread+0xaa4/0x1460
[ 45.326268][ T410]  kthread+0x37e/0x3a0
[ 45.330325][ T410]  ? rcu_lock_release+0x20/0x20
[ 45.335166][ T410]  ? kthread_blkcg+0xd0/0xd0
[ 45.339838][ T410]  ret_from_fork+0x1f/0x30
[ 45.344272][ T410]
[ 45.346601][ T410] Allocated by task 6800:
[ 45.350921][ T410]  __kasan_kmalloc+0x103/0x140
[ 45.355697][ T410]  kmem_cache_alloc_trace+0x234/0x300
[ 45.361061][ T410]  afs_alloc_call+0x89/0x2f0
[ 45.365639][ T410]  afs_charge_preallocation+0xf0/0x2a0
[ 45.371084][ T410]  afs_open_socket+0x3c7/0x510
[ 45.375857][ T410]  afs_net_init+0x772/0x940
[ 45.380522][ T410]  ops_init+0x320/0x410
[ 45.384676][ T410]  setup_net+0x1cb/0x770
[ 45.388913][ T410]  copy_net_ns+0x339/0x540
[ 45.393346][ T410]  create_new_namespaces+0x52e/0x9f0
[ 45.398626][ T410]  unshare_nsproxy_namespaces+0x123/0x190
[ 45.404377][ T410]  ksys_unshare+0x463/0x950
[ 45.408923][ T410]  __x64_sys_unshare+0x34/0x40
[ 45.413690][ T410]  do_syscall_64+0x73/0xe0
[ 45.418109][ T410]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 45.423993][ T410]
[ 45.426326][ T410] Freed by task 410:
[ 45.430225][ T410]  __kasan_slab_free+0x114/0x170
[ 45.435162][ T410]  kfree+0x10a/0x220
[ 45.439058][ T410]  afs_put_call+0x30e/0x420
[ 45.443564][ T410]  rxrpc_discard_prealloc+0x5e2/0x710
[ 45.448937][ T410]  rxrpc_listen+0x246/0x370
[ 45.453631][ T410]  afs_close_socket+0x57/0x280
[ 45.458447][ T410]  afs_net_exit+0x4f/0x90
[ 45.462893][ T410]  cleanup_net+0x708/0xba0
[ 45.467294][ T410]  process_one_work+0x789/0xfc0
[ 45.472270][ T410]  worker_thread+0xaa4/0x1460
[ 45.477013][ T410]  kthread+0x37e/0x3a0
[ 45.481127][ T410]  ret_from_fork+0x1f/0x30
[ 45.485544][ T410]
[ 45.487904][ T410] The buggy address belongs to the object at ffff8880a1c96800
[ 45.487904][ T410]  which belongs to the cache kmalloc-1k of size 1024
[ 45.501954][ T410] The buggy address is located 484 bytes inside of
[ 45.501954][ T410]  1024-byte region [ffff8880a1c96800, ffff8880a1c96c00)
[ 45.516330][ T410] The buggy address belongs to the page:
[ 45.521942][ T410] page:ffffea0002872580 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 45.531026][ T410] flags: 0xfffe0000000200(slab)
[ 45.535888][ T410] raw: 00fffe0000000200 ffffea00029c7148 ffffea000250cc08 ffff8880aa400c40
[ 45.544456][ T410] raw: 0000000000000000 ffff8880a1c96000 0000000100000002 0000000000000000
[ 45.553643][ T410] page dumped because: kasan: bad access detected
[ 45.560125][ T410]
[ 45.562441][ T410] Memory state around the buggy address:
[ 45.568146][ T410]  ffff8880a1c96880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.576354][ T410]  ffff8880a1c96900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.584409][ T410] >ffff8880a1c96980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.592458][ T410]                                                        ^
[ 45.599643][ T410]  ffff8880a1c96a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.608415][ T410]  ffff8880a1c96a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 45.616457][ T410] ==================================================================
[ 45.624494][ T410] Disabling lock debugging due to kernel taint
[ 45.630699][ T410] Kernel panic - not syncing: panic_on_warn set ...
[ 45.637458][ T410] CPU: 1 PID: 410 Comm: kworker/u4:9 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 45.647161][ T410] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 45.657495][ T410] Workqueue: netns cleanup_net
[ 45.662251][ T410] Call Trace:
[ 45.665576][ T410]  dump_stack+0x1f0/0x31e
[ 45.669999][ T410]  panic+0x264/0x7a0
[ 45.673888][ T410]  ? trace_hardirqs_on+0x30/0x80
[ 45.678821][ T410]  ? _raw_spin_unlock_irqrestore+0xa5/0xd0
[ 45.684605][ T410]  kasan_report+0x1c9/0x1d0
[ 45.689103][ T410]  ? afs_wake_up_async_call+0x16f/0x1c0
[ 45.694633][ T410]  ? afs_make_call+0x24f0/0x24f0
[ 45.699664][ T410]  afs_wake_up_async_call+0x16f/0x1c0
[ 45.705024][ T410]  ? afs_make_call+0x24f0/0x24f0
[ 45.709940][ T410]  rxrpc_notify_socket+0x1e7/0x4a0
[ 45.715049][ T410]  rxrpc_call_completed+0x131/0x210
[ 45.720218][ T410]  ? afs_rx_new_call+0x240/0x240
[ 45.725233][ T410]  rxrpc_discard_prealloc+0x60d/0x710
[ 45.730604][ T410]  rxrpc_listen+0x246/0x370
[ 45.735099][ T410]  afs_close_socket+0x57/0x280
[ 45.739850][ T410]  ? afs_purge_servers+0x21f/0x280
[ 45.744955][ T410]  ? init_wait_var_entry+0x150/0x150
[ 45.750408][ T410]  afs_net_exit+0x4f/0x90
[ 45.754730][ T410]  cleanup_net+0x708/0xba0
[ 45.759127][ T410]  process_one_work+0x789/0xfc0
[ 45.763974][ T410]  worker_thread+0xaa4/0x1460
[ 45.768629][ T410]  kthread+0x37e/0x3a0
[ 45.772694][ T410]  ? rcu_lock_release+0x20/0x20
[ 45.777525][ T410]  ? kthread_blkcg+0xd0/0xd0
[ 45.782108][ T410]  ret_from_fork+0x1f/0x30
[ 45.788705][ T410] Kernel Offset: disabled
[ 45.793029][ T410] Rebooting in 86400 seconds..
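The report above is what syzbot hands a triager: a KASAN header, the faulting access, three stacks (crash, allocation, free) and the slab object lines. The helper below is an added example, not part of the syzkaller console log or of any syzkaller tooling; it parses that console format into structured fields and derives the checks a triager otherwise does by hand. The sample input is an excerpt of the report above with some frames dropped for brevity; regex names, the `NOISE` frame list and the field names are this example's own choices.

```python
"""Triage helper for KASAN reports in syzkaller console-log format (added example)."""
import re
from dataclasses import dataclass, field

# Constructed input: excerpt of the report above, console prefixes kept, some frames dropped.
SAMPLE = """\
[ 45.172527][ T410] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0
[ 45.180406][ T410] Write of size 1 at addr ffff8880a1c969e4 by task kworker/u4:9/410
[ 45.188402][ T410]
[ 45.190725][ T410] CPU: 1 PID: 410 Comm: kworker/u4:9 Not tainted 5.8.0-rc1-syzkaller #0
[ 45.209365][ T410] Workqueue: netns cleanup_net
[ 45.214174][ T410] Call Trace:
[ 45.217465][ T410]  dump_stack+0x1f0/0x31e
[ 45.241700][ T410]  kasan_report+0x132/0x1d0
[ 45.246282][ T410]  ? afs_wake_up_async_call+0x16f/0x1c0
[ 45.251941][ T410]  ? afs_make_call+0x24f0/0x24f0
[ 45.256883][ T410]  afs_wake_up_async_call+0x16f/0x1c0
[ 45.267226][ T410]  rxrpc_notify_socket+0x1e7/0x4a0
[ 45.272338][ T410]  rxrpc_call_completed+0x131/0x210
[ 45.282725][ T410]  rxrpc_discard_prealloc+0x60d/0x710
[ 45.288132][ T410]  rxrpc_listen+0x246/0x370
[ 45.292630][ T410]  afs_close_socket+0x57/0x280
[ 45.307779][ T410]  afs_net_exit+0x4f/0x90
[ 45.312098][ T410]  cleanup_net+0x708/0xba0
[ 45.344272][ T410]
[ 45.346601][ T410] Allocated by task 6800:
[ 45.350921][ T410]  __kasan_kmalloc+0x103/0x140
[ 45.355697][ T410]  kmem_cache_alloc_trace+0x234/0x300
[ 45.361061][ T410]  afs_alloc_call+0x89/0x2f0
[ 45.365639][ T410]  afs_charge_preallocation+0xf0/0x2a0
[ 45.371084][ T410]  afs_open_socket+0x3c7/0x510
[ 45.375857][ T410]  afs_net_init+0x772/0x940
[ 45.404377][ T410]  ksys_unshare+0x463/0x950
[ 45.423993][ T410]
[ 45.426326][ T410] Freed by task 410:
[ 45.430225][ T410]  __kasan_slab_free+0x114/0x170
[ 45.435162][ T410]  kfree+0x10a/0x220
[ 45.439058][ T410]  afs_put_call+0x30e/0x420
[ 45.443564][ T410]  rxrpc_discard_prealloc+0x5e2/0x710
[ 45.448937][ T410]  rxrpc_listen+0x246/0x370
[ 45.453631][ T410]  afs_close_socket+0x57/0x280
[ 45.458447][ T410]  afs_net_exit+0x4f/0x90
[ 45.462893][ T410]  cleanup_net+0x708/0xba0
[ 45.485544][ T410]
[ 45.487904][ T410] The buggy address belongs to the object at ffff8880a1c96800
[ 45.487904][ T410]  which belongs to the cache kmalloc-1k of size 1024
[ 45.501954][ T410] The buggy address is located 484 bytes inside of
[ 45.501954][ T410]  1024-byte region [ffff8880a1c96800, ffff8880a1c96c00)
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")          # "[ 45.17][ T410] "
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS = re.compile(r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
REGION = re.compile(r"\d+-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
# Sanitizer/allocator plumbing that appears at the top of every stack; not the buggy subsystem.
NOISE = ("dump_stack", "print_address", "kasan_", "__kasan", "kfree", "kmem_cache_", "kmalloc")


@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    region: tuple = ()
    stacks: dict = field(default_factory=dict)  # "crash" | "alloc" | "free" -> [symbol, ...]


def parse_kasan(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            continue
        m = HEADER.search(line)
        if m:
            r.kind, r.func = m["kind"], m["func"]
            continue
        m = ACCESS.search(line)
        if m:
            r.access, r.size, r.addr, r.task = m["rw"], int(m["size"]), int(m["addr"], 16), m["task"]
            continue
        m = REGION.search(line)
        if m:
            r.region = (int(m["start"], 16), int(m["end"], 16))
            continue
        if line == "Call Trace:":
            section = "crash"
            continue
        if line.startswith("Allocated by task"):
            section = "alloc"
            continue
        if line.startswith("Freed by task"):
            section = "free"
            continue
        m = FRAME.match(line)
        if section and m:
            if not m["unreliable"]:  # "? sym" frames are unwinder guesses; drop them
                r.stacks.setdefault(section, []).append(m["sym"])
            continue
        section = None  # any other line ends the current stack
    return r


def first_subsystem_frame(stack):
    """First frame that is not sanitizer/allocator plumbing (None if the stack is empty)."""
    return next((s for s in stack if not s.startswith(NOISE)), None)


def summarize(r: KasanReport) -> dict:
    start, end = r.region if r.region else (0, 0)
    free, crash = r.stacks.get("free", []), r.stacks.get("crash", [])
    return {
        "bug": f"{r.kind} {r.access.lower()} of {r.size} byte(s) in {r.func}",
        "in_region": start <= r.addr < end,
        "offset": r.addr - start if r.region else None,
        "crash_site": first_subsystem_frame(crash),
        "alloc_site": first_subsystem_frame(r.stacks.get("alloc", [])),
        "free_site": first_subsystem_frame(free),
        # Frames shared by the free and crash stacks: a non-empty overlap means the free and
        # the later use happen under the same caller (here rxrpc_discard_prealloc).
        "free_and_crash_overlap": sorted(set(free) & set(crash)),
    }


if __name__ == "__main__":
    for k, v in summarize(parse_kasan(SAMPLE)).items():
        print(f"{k:>24}: {v}")
```

On this report the summary confirms what the raw text shows: the write lands 484 bytes into a live-looking kmalloc-1k object, the object is allocated by afs_alloc_call on the unshare() path (afs_net_init) and freed by afs_put_call, and the free and the use share the rxrpc_discard_prealloc, rxrpc_listen, afs_close_socket, afs_net_exit and cleanup_net frames, so the object is released and then touched again inside one rxrpc_discard_prealloc call during netns teardown rather than by a second context.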