Warning: Permanently added '10.128.15.193' (ECDSA) to the list of known hosts.
2020/06/19 06:47:55 fuzzer started
2020/06/19 06:47:55 connecting to host at 10.128.0.26:44523
2020/06/19 06:47:55 checking machine...
2020/06/19 06:47:55 checking revisions...
2020/06/19 06:47:55 testing simple program...
syzkaller login: [ 42.173374][ T6906] IPVS: ftp: loaded support on port[0] = 21
2020/06/19 06:47:56 building call list...
[ 42.510792][ T26] tipc: TX() has been purged, node left!
[ 43.003061][ T26] ==================================================================
[ 43.011287][ T26] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0
[ 43.019168][ T26] Write of size 1 at addr ffff88809a2a79e4 by task kworker/u4:2/26
[ 43.027043][ T26]
[ 43.029373][ T26] CPU: 1 PID: 26 Comm: kworker/u4:2 Not tainted 5.8.0-rc1-syzkaller #0
[ 43.037598][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.047648][ T26] Workqueue: netns cleanup_net
[ 43.052400][ T26] Call Trace:
[ 43.055684][ T26] dump_stack+0x1f0/0x31e
[ 43.060008][ T26] print_address_description+0x66/0x5a0
[ 43.065554][ T26] ? vprintk_emit+0x342/0x3c0
[ 43.070261][ T26] ? printk+0x62/0x83
[ 43.074235][ T26] ? vprintk_emit+0x339/0x3c0
[ 43.078913][ T26] kasan_report+0x132/0x1d0
[ 43.083414][ T26] ? afs_wake_up_async_call+0x16f/0x1c0
[ 43.091743][ T26] ? afs_make_call+0x24f0/0x24f0
[ 43.096674][ T26] afs_wake_up_async_call+0x16f/0x1c0
[ 43.102045][ T26] ? afs_make_call+0x24f0/0x24f0
[ 43.106973][ T26] rxrpc_notify_socket+0x1e7/0x4a0
[ 43.112094][ T26] rxrpc_call_completed+0x131/0x210
[ 43.117364][ T26] ? afs_rx_new_call+0x240/0x240
[ 43.122293][ T26] rxrpc_discard_prealloc+0x60d/0x710
[ 43.127664][ T26] rxrpc_listen+0x246/0x370
[ 43.132162][ T26] afs_close_socket+0x57/0x280
[ 43.136914][ T26] ? afs_purge_servers+0x21f/0x280
[ 43.142032][ T26] ? init_wait_var_entry+0x150/0x150
[ 43.148271][ T26] afs_net_exit+0x4f/0x90
[ 43.152628][ T26] cleanup_net+0x708/0xba0
[ 43.157053][ T26] process_one_work+0x789/0xfc0
[ 43.162090][ T26] worker_thread+0xaa4/0x1460
[ 43.166793][ T26] kthread+0x37e/0x3a0
[ 43.170852][ T26] ? rcu_lock_release+0x20/0x20
[ 43.175689][ T26] ? kthread_blkcg+0xd0/0xd0
[ 43.180297][ T26] ret_from_fork+0x1f/0x30
[ 43.184727][ T26]
[ 43.187057][ T26] Allocated by task 6906:
[ 43.191421][ T26] __kasan_kmalloc+0x103/0x140
[ 43.196268][ T26] kmem_cache_alloc_trace+0x234/0x300
[ 43.201633][ T26] afs_alloc_call+0x89/0x2f0
[ 43.206215][ T26] afs_charge_preallocation+0xf0/0x2a0
[ 43.211662][ T26] afs_open_socket+0x3c7/0x510
[ 43.216412][ T26] afs_net_init+0x772/0x940
[ 43.220909][ T26] ops_init+0x320/0x410
[ 43.225055][ T26] setup_net+0x1cb/0x770
[ 43.229288][ T26] copy_net_ns+0x339/0x540
[ 43.233709][ T26] create_new_namespaces+0x52e/0x9f0
[ 43.238992][ T26] unshare_nsproxy_namespaces+0x123/0x190
[ 43.244707][ T26] ksys_unshare+0x463/0x950
[ 43.249202][ T26] __x64_sys_unshare+0x34/0x40
[ 43.253970][ T26] do_syscall_64+0x73/0xe0
[ 43.258383][ T26] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 43.264299][ T26]
[ 43.266618][ T26] Freed by task 26:
[ 43.270421][ T26] __kasan_slab_free+0x114/0x170
[ 43.275348][ T26] kfree+0x10a/0x220
[ 43.279392][ T26] afs_put_call+0x30e/0x420
[ 43.284017][ T26] rxrpc_discard_prealloc+0x5e2/0x710
[ 43.289386][ T26] rxrpc_listen+0x246/0x370
[ 43.293882][ T26] afs_close_socket+0x57/0x280
[ 43.298639][ T26] afs_net_exit+0x4f/0x90
[ 43.302961][ T26] cleanup_net+0x708/0xba0
[ 43.307369][ T26] process_one_work+0x789/0xfc0
[ 43.312208][ T26] worker_thread+0xaa4/0x1460
[ 43.316899][ T26] kthread+0x37e/0x3a0
[ 43.321051][ T26] ret_from_fork+0x1f/0x30
[ 43.325457][ T26]
[ 43.327814][ T26] The buggy address belongs to the object at ffff88809a2a7800
[ 43.327814][ T26] which belongs to the cache kmalloc-1k of size 1024
[ 43.341864][ T26] The buggy address is located 484 bytes inside of
[ 43.341864][ T26] 1024-byte region [ffff88809a2a7800, ffff88809a2a7c00)
[ 43.355407][ T26] The buggy address belongs to the page:
[ 43.361057][ T26] page:ffffea000268a9c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 43.370248][ T26] flags: 0xfffe0000000200(slab)
[ 43.375099][ T26] raw: 00fffe0000000200 ffffea00028d2988 ffffea00029a18c8 ffff8880aa400c40
[ 43.383684][ T26] raw: 0000000000000000 ffff88809a2a7000 0000000100000002 0000000000000000
[ 43.392265][ T26] page dumped because: kasan: bad access detected
[ 43.398782][ T26]
[ 43.401102][ T26] Memory state around the buggy address:
[ 43.406706][ T26] ffff88809a2a7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.414785][ T26] ffff88809a2a7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.423007][ T26] >ffff88809a2a7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.431239][ T26] ^
[ 43.438419][ T26] ffff88809a2a7a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.446457][ T26] ffff88809a2a7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 43.454588][ T26] ==================================================================
[ 43.462637][ T26] Disabling lock debugging due to kernel taint
[ 43.468839][ T26] Kernel panic - not syncing: panic_on_warn set ...
[ 43.475456][ T26] CPU: 1 PID: 26 Comm: kworker/u4:2 Tainted: G B 5.8.0-rc1-syzkaller #0
[ 43.485711][ T26] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.495759][ T26] Workqueue: netns cleanup_net
[ 43.500494][ T26] Call Trace:
[ 43.503842][ T26] dump_stack+0x1f0/0x31e
[ 43.508141][ T26] panic+0x264/0x7a0
[ 43.512006][ T26] ? trace_hardirqs_on+0x30/0x80
[ 43.517019][ T26] ? _raw_spin_unlock_irqrestore+0xa5/0xd0
[ 43.522806][ T26] kasan_report+0x1c9/0x1d0
[ 43.527276][ T26] ? afs_wake_up_async_call+0x16f/0x1c0
[ 43.532799][ T26] ? afs_make_call+0x24f0/0x24f0
[ 43.537716][ T26] afs_wake_up_async_call+0x16f/0x1c0
[ 43.543058][ T26] ? afs_make_call+0x24f0/0x24f0
[ 43.547961][ T26] rxrpc_notify_socket+0x1e7/0x4a0
[ 43.553042][ T26] rxrpc_call_completed+0x131/0x210
[ 43.558208][ T26] ? afs_rx_new_call+0x240/0x240
[ 43.563117][ T26] rxrpc_discard_prealloc+0x60d/0x710
[ 43.568457][ T26] rxrpc_listen+0x246/0x370
[ 43.572931][ T26] afs_close_socket+0x57/0x280
[ 43.577748][ T26] ? afs_purge_servers+0x21f/0x280
[ 43.583192][ T26] ? init_wait_var_entry+0x150/0x150
[ 43.588447][ T26] afs_net_exit+0x4f/0x90
[ 43.592745][ T26] cleanup_net+0x708/0xba0
[ 43.597139][ T26] process_one_work+0x789/0xfc0
[ 43.601963][ T26] worker_thread+0xaa4/0x1460
[ 43.606623][ T26] kthread+0x37e/0x3a0
[ 43.610659][ T26] ? rcu_lock_release+0x20/0x20
[ 43.615486][ T26] ? kthread_blkcg+0xd0/0xd0
[ 43.620044][ T26] ret_from_fork+0x1f/0x30
[ 43.625068][ T26] Kernel Offset: disabled
[ 43.629377][ T26] Rebooting in 86400 seconds..