Warning: Permanently added '10.128.10.5' (ECDSA) to the list of known hosts.
2020/06/25 21:56:14 fuzzer started
2020/06/25 21:56:14 connecting to host at 10.128.0.26:38367
2020/06/25 21:56:14 checking machine...
2020/06/25 21:56:14 checking revisions...
2020/06/25 21:56:14 testing simple program...
syzkaller login: [ 43.049377][ T6797] IPVS: ftp: loaded support on port[0] = 21
2020/06/25 21:56:15 building call list...
[ 43.355904][ T1039] tipc: TX() has been purged, node left!
[ 43.848674][ T1039] ==================================================================
[ 43.856884][ T1039] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0
[ 43.864786][ T1039] Write of size 1 at addr ffff8880a3b7b1e4 by task kworker/u4:5/1039
[ 43.872831][ T1039]
[ 43.875152][ T1039] CPU: 1 PID: 1039 Comm: kworker/u4:5 Not tainted 5.8.0-rc2-syzkaller #0
[ 43.883553][ T1039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 43.893604][ T1039] Workqueue: netns cleanup_net
[ 43.898351][ T1039] Call Trace:
[ 43.901634][ T1039]  dump_stack+0x1f0/0x31e
[ 43.906045][ T1039]  print_address_description+0x66/0x5a0
[ 43.911577][ T1039]  ? vprintk_emit+0x342/0x3c0
[ 43.916253][ T1039]  ? printk+0x62/0x83
[ 43.920224][ T1039]  ? vprintk_emit+0x339/0x3c0
[ 43.924902][ T1039]  kasan_report+0x132/0x1d0
[ 43.929398][ T1039]  ? afs_wake_up_async_call+0x16f/0x1c0
[ 43.934936][ T1039]  ? afs_make_call+0x24f0/0x24f0
[ 43.939859][ T1039]  afs_wake_up_async_call+0x16f/0x1c0
[ 43.945226][ T1039]  ? afs_make_call+0x24f0/0x24f0
[ 43.950156][ T1039]  rxrpc_notify_socket+0x1e7/0x4a0
[ 43.955347][ T1039]  rxrpc_call_completed+0x131/0x210
[ 43.960559][ T1039]  ? afs_rx_new_call+0x240/0x240
[ 43.965486][ T1039]  rxrpc_discard_prealloc+0x60d/0x710
[ 43.970854][ T1039]  rxrpc_listen+0x246/0x370
[ 43.975358][ T1039]  afs_close_socket+0x57/0x280
[ 43.980123][ T1039]  ? afs_purge_servers+0x25f/0x2c0
[ 43.985231][ T1039]  ? init_wait_var_entry+0x150/0x150
[ 43.990519][ T1039]  afs_net_exit+0x57/0xa0
[ 43.994845][ T1039]  cleanup_net+0x708/0xba0
[ 43.999264][ T1039]  process_one_work+0x789/0xfc0
[ 44.004134][ T1039]  worker_thread+0xaa4/0x1460
[ 44.008834][ T1039]  kthread+0x37e/0x3a0
[ 44.012891][ T1039]  ? rcu_lock_release+0x20/0x20
[ 44.017738][ T1039]  ? kthread_blkcg+0xd0/0xd0
[ 44.022317][ T1039]  ret_from_fork+0x1f/0x30
[ 44.026733][ T1039]
[ 44.029136][ T1039] Allocated by task 6797:
[ 44.033452][ T1039]  __kasan_kmalloc+0x103/0x140
[ 44.038358][ T1039]  kmem_cache_alloc_trace+0x234/0x300
[ 44.043726][ T1039]  afs_alloc_call+0x89/0x2f0
[ 44.048309][ T1039]  afs_charge_preallocation+0xf0/0x2a0
[ 44.053755][ T1039]  afs_open_socket+0x3c7/0x510
[ 44.058516][ T1039]  afs_net_init+0x7a0/0x990
[ 44.063014][ T1039]  ops_init+0x320/0x410
[ 44.067159][ T1039]  setup_net+0x1cb/0x770
[ 44.071391][ T1039]  copy_net_ns+0x339/0x540
[ 44.075993][ T1039]  create_new_namespaces+0x52e/0x9f0
[ 44.081262][ T1039]  unshare_nsproxy_namespaces+0x123/0x190
[ 44.086982][ T1039]  ksys_unshare+0x463/0x950
[ 44.091482][ T1039]  __x64_sys_unshare+0x34/0x40
[ 44.096243][ T1039]  do_syscall_64+0x73/0xe0
[ 44.101602][ T1039]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 44.107473][ T1039]
[ 44.109797][ T1039] Freed by task 1039:
[ 44.113783][ T1039]  __kasan_slab_free+0x114/0x170
[ 44.118718][ T1039]  kfree+0x10a/0x220
[ 44.122603][ T1039]  afs_put_call+0x30e/0x420
[ 44.127096][ T1039]  rxrpc_discard_prealloc+0x5e2/0x710
[ 44.132631][ T1039]  rxrpc_listen+0x246/0x370
[ 44.137124][ T1039]  afs_close_socket+0x57/0x280
[ 44.141871][ T1039]  afs_net_exit+0x57/0xa0
[ 44.146197][ T1039]  cleanup_net+0x708/0xba0
[ 44.150609][ T1039]  process_one_work+0x789/0xfc0
[ 44.155445][ T1039]  worker_thread+0xaa4/0x1460
[ 44.160112][ T1039]  kthread+0x37e/0x3a0
[ 44.164173][ T1039]  ret_from_fork+0x1f/0x30
[ 44.168572][ T1039]
[ 44.170894][ T1039] The buggy address belongs to the object at ffff8880a3b7b000
[ 44.170894][ T1039]  which belongs to the cache kmalloc-1k of size 1024
[ 44.185063][ T1039] The buggy address is located 484 bytes inside of
[ 44.185063][ T1039]  1024-byte region [ffff8880a3b7b000, ffff8880a3b7b400)
[ 44.198415][ T1039] The buggy address belongs to the page:
[ 44.204046][ T1039] page:ffffea00028edec0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 44.213149][ T1039] flags: 0xfffe0000000200(slab)
[ 44.218009][ T1039] raw: 00fffe0000000200 ffffea0002a6f788 ffffea0002809848 ffff8880aa400c40
[ 44.226601][ T1039] raw: 0000000000000000 ffff8880a3b7b000 0000000100000002 0000000000000000
[ 44.235176][ T1039] page dumped because: kasan: bad access detected
[ 44.241579][ T1039]
[ 44.243908][ T1039] Memory state around the buggy address:
[ 44.249537][ T1039]  ffff8880a3b7b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.257588][ T1039]  ffff8880a3b7b100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.265627][ T1039] >ffff8880a3b7b180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.273657][ T1039]                                                                 ^
[ 44.280825][ T1039]  ffff8880a3b7b200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.288909][ T1039]  ffff8880a3b7b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 44.296947][ T1039] ==================================================================
[ 44.304977][ T1039] Disabling lock debugging due to kernel taint
[ 44.311159][ T1039] Kernel panic - not syncing: panic_on_warn set ...
[ 44.317744][ T1039] CPU: 1 PID: 1039 Comm: kworker/u4:5 Tainted: G    B             5.8.0-rc2-syzkaller #0
[ 44.327526][ T1039] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 44.337568][ T1039] Workqueue: netns cleanup_net
[ 44.342300][ T1039] Call Trace:
[ 44.345563][ T1039]  dump_stack+0x1f0/0x31e
[ 44.349865][ T1039]  panic+0x264/0x7a0
[ 44.353726][ T1039]  ? trace_hardirqs_on+0x30/0x80
[ 44.358657][ T1039]  ? _raw_spin_unlock_irqrestore+0xa5/0xd0
[ 44.364429][ T1039]  kasan_report+0x1c9/0x1d0
[ 44.368913][ T1039]  ? afs_wake_up_async_call+0x16f/0x1c0
[ 44.374484][ T1039]  ? afs_make_call+0x24f0/0x24f0
[ 44.379397][ T1039]  afs_wake_up_async_call+0x16f/0x1c0
[ 44.384980][ T1039]  ? afs_make_call+0x24f0/0x24f0
[ 44.389905][ T1039]  rxrpc_notify_socket+0x1e7/0x4a0
[ 44.395174][ T1039]  rxrpc_call_completed+0x131/0x210
[ 44.400356][ T1039]  ? afs_rx_new_call+0x240/0x240
[ 44.405274][ T1039]  rxrpc_discard_prealloc+0x60d/0x710
[ 44.410632][ T1039]  rxrpc_listen+0x246/0x370
[ 44.415151][ T1039]  afs_close_socket+0x57/0x280
[ 44.419903][ T1039]  ? afs_purge_servers+0x25f/0x2c0
[ 44.424983][ T1039]  ? init_wait_var_entry+0x150/0x150
[ 44.430238][ T1039]  afs_net_exit+0x57/0xa0
[ 44.434538][ T1039]  cleanup_net+0x708/0xba0
[ 44.438928][ T1039]  process_one_work+0x789/0xfc0
[ 44.443862][ T1039]  worker_thread+0xaa4/0x1460
[ 44.448602][ T1039]  kthread+0x37e/0x3a0
[ 44.452641][ T1039]  ? rcu_lock_release+0x20/0x20
[ 44.457464][ T1039]  ? kthread_blkcg+0xd0/0xd0
[ 44.462044][ T1039]  ret_from_fork+0x1f/0x30
[ 44.467876][ T1039] Kernel Offset: disabled
[ 44.472198][ T1039] Rebooting in 86400 seconds..