Debian GNU/Linux 9 syzkaller ttyS0 Warning: Permanently added '10.128.10.9' (ECDSA) to the list of known hosts. 2020/06/18 06:14:47 fuzzer started 2020/06/18 06:14:47 connecting to host at 10.128.0.26:43299 2020/06/18 06:14:47 checking machine... 2020/06/18 06:14:47 checking revisions... 2020/06/18 06:14:47 testing simple program... syzkaller login: [ 63.636637][ T6827] IPVS: ftp: loaded support on port[0] = 21 2020/06/18 06:14:48 building call list... [ 64.013468][ T6765] tipc: TX() has been purged, node left! [ 64.526010][ T6765] ================================================================== [ 64.534281][ T6765] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770 [ 64.542178][ T6765] Write of size 1 at addr ffff8880943311e4 by task kworker/u4:5/6765 [ 64.550233][ T6765] [ 64.552662][ T6765] CPU: 1 PID: 6765 Comm: kworker/u4:5 Not tainted 5.8.0-rc1-syzkaller #0 [ 64.561069][ T6765] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 64.571132][ T6765] Workqueue: netns cleanup_net [ 64.575902][ T6765] Call Trace: [ 64.579205][ T6765] dump_stack+0x18f/0x20d [ 64.583548][ T6765] ? afs_wake_up_async_call+0x6aa/0x770 [ 64.590077][ T6765] ? afs_wake_up_async_call+0x6aa/0x770 [ 64.595628][ T6765] ? afs_put_call+0xa40/0xa40 [ 64.600321][ T6765] print_address_description.constprop.0.cold+0xd3/0x413 [ 64.607357][ T6765] ? vprintk_func+0x97/0x1a6 [ 64.611965][ T6765] ? afs_wake_up_async_call+0x6aa/0x770 [ 64.617518][ T6765] kasan_report.cold+0x1f/0x37 [ 64.622296][ T6765] ? rcu_read_lock_held_common+0x51/0xa0 [ 64.627957][ T6765] ? afs_wake_up_async_call+0x6aa/0x770 [ 64.633514][ T6765] afs_wake_up_async_call+0x6aa/0x770 [ 64.638891][ T6765] ? afs_close_socket+0x320/0x320 [ 64.643928][ T6765] ? afs_put_call+0xa40/0xa40 [ 64.648958][ T6765] rxrpc_notify_socket+0x1db/0x5d0 [ 64.654082][ T6765] ? afs_put_call+0xa40/0xa40 [ 64.658822][ T6765] __rxrpc_set_call_completion.part.0+0x172/0x410 [ 64.665276][ T6765] rxrpc_call_completed+0xca/0xf0 [ 64.670319][ T6765] rxrpc_discard_prealloc+0x781/0xab0 [ 64.675711][ T6765] ? lock_sock_nested+0x94/0x110 [ 64.680934][ T6765] rxrpc_listen+0x147/0x360 [ 64.685559][ T6765] afs_close_socket+0x95/0x320 [ 64.690327][ T6765] ? afs_purge_servers+0x16d/0x300 [ 64.695449][ T6765] ? afs_rx_discard_new_call+0x50/0x50 [ 64.700922][ T6765] ? init_wait_var_entry+0x200/0x200 [ 64.706481][ T6765] ? rcu_read_lock_held_common+0xa0/0xa0 [ 64.712119][ T6765] ? check_preemption_disabled+0x38/0x220 [ 64.717849][ T6765] afs_net_exit+0x1bc/0x310 [ 64.722359][ T6765] ? afs_net_init+0xe30/0xe30 [ 64.727053][ T6765] ops_exit_list.isra.0+0xa8/0x150 [ 64.732183][ T6765] cleanup_net+0x511/0xa50 [ 64.736699][ T6765] ? unregister_pernet_device+0x70/0x70 [ 64.742259][ T6765] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 64.748259][ T6765] process_one_work+0x965/0x1690 [ 64.753228][ T6765] ? lock_release+0x800/0x800 [ 64.757910][ T6765] ? pwq_dec_nr_in_flight+0x310/0x310 [ 64.763295][ T6765] ? rwlock_bug.part.0+0x90/0x90 [ 64.769036][ T6765] worker_thread+0x96/0xe10 [ 64.773562][ T6765] ? process_one_work+0x1690/0x1690 [ 64.778867][ T6765] kthread+0x3b5/0x4a0 [ 64.783642][ T6765] ? kthread_mod_delayed_work+0x1a0/0x1a0 [ 64.789380][ T6765] ? kthread_mod_delayed_work+0x1a0/0x1a0 [ 64.795144][ T6765] ret_from_fork+0x1f/0x30 [ 64.799853][ T6765] [ 64.802181][ T6765] Allocated by task 6827: [ 64.806513][ T6765] save_stack+0x1b/0x40 [ 64.810680][ T6765] __kasan_kmalloc.constprop.0+0xbf/0xd0 [ 64.816312][ T6765] kmem_cache_alloc_trace+0x153/0x7d0 [ 64.821718][ T6765] afs_alloc_call+0x55/0x630 [ 64.826311][ T6765] afs_charge_preallocation+0xe9/0x2d0 [ 64.831852][ T6765] afs_open_socket+0x292/0x360 [ 64.836613][ T6765] afs_net_init+0xa6c/0xe30 [ 64.841245][ T6765] ops_init+0xaf/0x420 [ 64.845320][ T6765] setup_net+0x2de/0x860 [ 64.850005][ T6765] copy_net_ns+0x293/0x590 [ 64.854430][ T6765] create_new_namespaces+0x3fb/0xb30 [ 64.859724][ T6765] unshare_nsproxy_namespaces+0xbd/0x1f0 [ 64.865453][ T6765] ksys_unshare+0x43d/0x8e0 [ 64.869974][ T6765] __x64_sys_unshare+0x2d/0x40 [ 64.874743][ T6765] do_syscall_64+0x60/0xe0 [ 64.879166][ T6765] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 64.885050][ T6765] [ 64.887377][ T6765] Freed by task 6765: [ 64.891363][ T6765] save_stack+0x1b/0x40 [ 64.895519][ T6765] __kasan_slab_free+0xf7/0x140 [ 64.900716][ T6765] kfree+0x109/0x2b0 [ 64.904623][ T6765] afs_put_call+0x585/0xa40 [ 64.909134][ T6765] rxrpc_discard_prealloc+0x764/0xab0 [ 64.914506][ T6765] rxrpc_listen+0x147/0x360 [ 64.919009][ T6765] afs_close_socket+0x95/0x320 [ 64.923778][ T6765] afs_net_exit+0x1bc/0x310 [ 64.928410][ T6765] ops_exit_list.isra.0+0xa8/0x150 [ 64.933542][ T6765] cleanup_net+0x511/0xa50 [ 64.937963][ T6765] process_one_work+0x965/0x1690 [ 64.942900][ T6765] worker_thread+0x96/0xe10 [ 64.947404][ T6765] kthread+0x3b5/0x4a0 [ 64.951494][ T6765] ret_from_fork+0x1f/0x30 [ 64.955899][ T6765] [ 64.958234][ T6765] The buggy address belongs to the object at ffff888094331000 [ 64.958234][ T6765] which belongs to the cache kmalloc-1k of size 1024 [ 64.972722][ T6765] The buggy address is located 484 bytes inside of [ 64.972722][ T6765] 1024-byte region [ffff888094331000, ffff888094331400) [ 64.986072][ T6765] The buggy address belongs to the page: [ 64.991709][ T6765] page:ffffea000250cc40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 [ 65.000813][ T6765] flags: 0xfffe0000000200(slab) [ 65.005679][ T6765] raw: 00fffe0000000200 ffffea000250ccc8 ffffea00029f6cc8 ffff8880aa000c40 [ 65.014270][ T6765] raw: 0000000000000000 ffff888094331000 0000000100000002 0000000000000000 [ 65.022863][ T6765] page dumped because: kasan: bad access detected [ 65.029270][ T6765] [ 65.031596][ T6765] Memory state around the buggy address: [ 65.037230][ T6765] ffff888094331080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.045296][ T6765] ffff888094331100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.053623][ T6765] >ffff888094331180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.061681][ T6765] ^ [ 65.069065][ T6765] ffff888094331200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.077145][ T6765] ffff888094331280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 65.085648][ T6765] ================================================================== [ 65.093704][ T6765] Disabling lock debugging due to kernel taint [ 65.099930][ T6765] Kernel panic - not syncing: panic_on_warn set ... [ 65.106535][ T6765] CPU: 1 PID: 6765 Comm: kworker/u4:5 Tainted: G B 5.8.0-rc1-syzkaller #0 [ 65.116338][ T6765] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 65.126409][ T6765] Workqueue: netns cleanup_net [ 65.131167][ T6765] Call Trace: [ 65.134493][ T6765] dump_stack+0x18f/0x20d [ 65.138849][ T6765] ? afs_wake_up_async_call+0x670/0x770 [ 65.144411][ T6765] ? afs_put_call+0xa40/0xa40 [ 65.153611][ T6765] panic+0x2e3/0x75c [ 65.157518][ T6765] ? __warn_printk+0xf3/0xf3 [ 65.162118][ T6765] ? asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 65.168275][ T6765] ? trace_hardirqs_on+0x55/0x220 [ 65.173304][ T6765] ? afs_wake_up_async_call+0x6aa/0x770 [ 65.178854][ T6765] ? afs_wake_up_async_call+0x6aa/0x770 [ 65.184410][ T6765] ? afs_put_call+0xa40/0xa40 [ 65.189096][ T6765] end_report+0x4d/0x53 [ 65.193261][ T6765] kasan_report.cold+0xd/0x37 [ 65.197955][ T6765] ? rcu_read_lock_held_common+0x51/0xa0 [ 65.203591][ T6765] ? afs_wake_up_async_call+0x6aa/0x770 [ 65.209137][ T6765] afs_wake_up_async_call+0x6aa/0x770 [ 65.214505][ T6765] ? afs_close_socket+0x320/0x320 [ 65.219527][ T6765] ? afs_put_call+0xa40/0xa40 [ 65.224208][ T6765] rxrpc_notify_socket+0x1db/0x5d0 [ 65.229320][ T6765] ? afs_put_call+0xa40/0xa40 [ 65.233998][ T6765] __rxrpc_set_call_completion.part.0+0x172/0x410 [ 65.240411][ T6765] rxrpc_call_completed+0xca/0xf0 [ 65.245439][ T6765] rxrpc_discard_prealloc+0x781/0xab0 [ 65.250811][ T6765] ? lock_sock_nested+0x94/0x110 [ 65.255748][ T6765] rxrpc_listen+0x147/0x360 [ 65.260251][ T6765] afs_close_socket+0x95/0x320 [ 65.265015][ T6765] ? afs_purge_servers+0x16d/0x300 [ 65.270135][ T6765] ? afs_rx_discard_new_call+0x50/0x50 [ 65.275590][ T6765] ? init_wait_var_entry+0x200/0x200 [ 65.280871][ T6765] ? rcu_read_lock_held_common+0xa0/0xa0 [ 65.286500][ T6765] ? check_preemption_disabled+0x38/0x220 [ 65.292209][ T6765] afs_net_exit+0x1bc/0x310 [ 65.296710][ T6765] ? afs_net_init+0xe30/0xe30 [ 65.301381][ T6765] ops_exit_list.isra.0+0xa8/0x150 [ 65.306485][ T6765] cleanup_net+0x511/0xa50 [ 65.310893][ T6765] ? unregister_pernet_device+0x70/0x70 [ 65.316435][ T6765] ? rcu_read_lock_any_held.part.0+0x50/0x50 [ 65.322421][ T6765] process_one_work+0x965/0x1690 [ 65.327356][ T6765] ? lock_release+0x800/0x800 [ 65.332024][ T6765] ? pwq_dec_nr_in_flight+0x310/0x310 [ 65.337389][ T6765] ? rwlock_bug.part.0+0x90/0x90 [ 65.342775][ T6765] worker_thread+0x96/0xe10 [ 65.347274][ T6765] ? process_one_work+0x1690/0x1690 [ 65.352463][ T6765] kthread+0x3b5/0x4a0 [ 65.356521][ T6765] ? kthread_mod_delayed_work+0x1a0/0x1a0 [ 65.362242][ T6765] ? kthread_mod_delayed_work+0x1a0/0x1a0 [ 65.367968][ T6765] ret_from_fork+0x1f/0x30 [ 65.373842][ T6765] Kernel Offset: disabled [ 65.378168][ T6765] Rebooting in 86400 seconds..