Warning: Permanently added '10.128.10.40' (ECDSA) to the list of known hosts.
2020/06/18 08:40:42 fuzzer started
2020/06/18 08:40:43 connecting to host at 10.128.0.26:41081
2020/06/18 08:40:43 checking machine...
2020/06/18 08:40:43 checking revisions...
2020/06/18 08:40:43 testing simple program...
syzkaller login: [ 56.934131][ T6807] IPVS: ftp: loaded support on port[0] = 21
2020/06/18 08:40:43 building call list...
[ 57.241251][ T55] tipc: TX() has been purged, node left!
[ 57.753220][ T55] ==================================================================
[ 57.761561][ T55] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 57.769885][ T55] Write of size 1 at addr ffff8880a6bd29e4 by task kworker/u4:2/55
[ 57.778052][ T55]
[ 57.780386][ T55] CPU: 0 PID: 55 Comm: kworker/u4:2 Not tainted 5.8.0-rc1-next-20200618-syzkaller #0
[ 57.790470][ T55] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.800708][ T55] Workqueue: netns cleanup_net
[ 57.805484][ T55] Call Trace:
[ 57.808861][ T55] dump_stack+0x18f/0x20d
[ 57.813198][ T55] ? afs_wake_up_async_call+0x6aa/0x770
[ 57.818770][ T55] ? afs_wake_up_async_call+0x6aa/0x770
[ 57.824405][ T55] ? afs_put_call+0xa40/0xa40
[ 57.832036][ T55] print_address_description.constprop.0.cold+0xd3/0x413
[ 57.839892][ T55] ? vprintk_func+0x97/0x1a6
[ 57.844488][ T55] ? afs_wake_up_async_call+0x6aa/0x770
[ 57.851509][ T55] kasan_report.cold+0x1f/0x37
[ 57.856320][ T55] ? rcu_read_lock_held_common+0x71/0xa0
[ 57.861960][ T55] ? afs_wake_up_async_call+0x6aa/0x770
[ 57.867515][ T55] afs_wake_up_async_call+0x6aa/0x770
[ 57.872907][ T55] ? afs_close_socket+0x320/0x320
[ 57.878199][ T55] ? afs_put_call+0xa40/0xa40
[ 57.883039][ T55] rxrpc_notify_socket+0x1db/0x5d0
[ 57.888170][ T55] ? afs_put_call+0xa40/0xa40
[ 57.892927][ T55] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 57.899428][ T55] rxrpc_call_completed+0xca/0xf0
[ 57.904457][ T55] rxrpc_discard_prealloc+0x781/0xab0
[ 57.909827][ T55] ? lock_sock_nested+0x94/0x110
[ 57.914766][ T55] rxrpc_listen+0x147/0x360
[ 57.919706][ T55] afs_close_socket+0x95/0x320
[ 57.924477][ T55] ? afs_purge_servers+0x16d/0x300
[ 57.929588][ T55] ? afs_rx_discard_new_call+0x50/0x50
[ 57.935065][ T55] ? init_wait_var_entry+0x200/0x200
[ 57.940436][ T55] ? rcu_read_lock_held_common+0xa0/0xa0
[ 57.946065][ T55] ? check_preemption_disabled+0x38/0x220
[ 57.952136][ T55] afs_net_exit+0x1bc/0x310
[ 57.956637][ T55] ? afs_net_init+0xe30/0xe30
[ 57.961311][ T55] ops_exit_list.isra.0+0xa8/0x150
[ 57.966511][ T55] cleanup_net+0x511/0xa50
[ 57.970926][ T55] ? unregister_pernet_device+0x70/0x70
[ 57.976473][ T55] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 57.982634][ T55] process_one_work+0x965/0x1690
[ 57.987578][ T55] ? lock_release+0x800/0x800
[ 57.992255][ T55] ? pwq_dec_nr_in_flight+0x310/0x310
[ 57.997660][ T55] ? rwlock_bug.part.0+0x90/0x90
[ 58.002616][ T55] worker_thread+0x96/0xe10
[ 58.007144][ T55] ? process_one_work+0x1690/0x1690
[ 58.012357][ T55] kthread+0x3b5/0x4a0
[ 58.016436][ T55] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.022156][ T55] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.027875][ T55] ret_from_fork+0x1f/0x30
[ 58.032438][ T55]
[ 58.035020][ T55] Allocated by task 6807:
[ 58.039359][ T55] save_stack+0x1b/0x40
[ 58.043520][ T55] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.049272][ T55] kmem_cache_alloc_trace+0x153/0x7d0
[ 58.054644][ T55] afs_alloc_call+0x55/0x630
[ 58.059263][ T55] afs_charge_preallocation+0xe9/0x2d0
[ 58.064734][ T55] afs_open_socket+0x292/0x360
[ 58.069488][ T55] afs_net_init+0xa6c/0xe30
[ 58.074004][ T55] ops_init+0xaf/0x420
[ 58.078941][ T55] setup_net+0x2de/0x860
[ 58.083180][ T55] copy_net_ns+0x293/0x590
[ 58.087597][ T55] create_new_namespaces+0x3fb/0xb30
[ 58.092880][ T55] unshare_nsproxy_namespaces+0xbd/0x1f0
[ 58.098517][ T55] ksys_unshare+0x445/0x8e0
[ 58.103018][ T55] __x64_sys_unshare+0x2d/0x40
[ 58.107780][ T55] do_syscall_64+0x60/0xe0
[ 58.112202][ T55] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 58.118086][ T55]
[ 58.120403][ T55] Freed by task 55:
[ 58.124239][ T55] save_stack+0x1b/0x40
[ 58.128422][ T55] __kasan_slab_free+0xf7/0x140
[ 58.133266][ T55] kfree+0x109/0x2b0
[ 58.137153][ T55] afs_put_call+0x585/0xa40
[ 58.141656][ T55] rxrpc_discard_prealloc+0x764/0xab0
[ 58.147020][ T55] rxrpc_listen+0x147/0x360
[ 58.151518][ T55] afs_close_socket+0x95/0x320
[ 58.156362][ T55] afs_net_exit+0x1bc/0x310
[ 58.160873][ T55] ops_exit_list.isra.0+0xa8/0x150
[ 58.166072][ T55] cleanup_net+0x511/0xa50
[ 58.170506][ T55] process_one_work+0x965/0x1690
[ 58.175440][ T55] worker_thread+0x96/0xe10
[ 58.179937][ T55] kthread+0x3b5/0x4a0
[ 58.184000][ T55] ret_from_fork+0x1f/0x30
[ 58.188401][ T55]
[ 58.190741][ T55] The buggy address belongs to the object at ffff8880a6bd2800
[ 58.190741][ T55] which belongs to the cache kmalloc-1k of size 1024
[ 58.204796][ T55] The buggy address is located 484 bytes inside of
[ 58.204796][ T55] 1024-byte region [ffff8880a6bd2800, ffff8880a6bd2c00)
[ 58.218165][ T55] The buggy address belongs to the page:
[ 58.223796][ T55] page:ffffea00029af480 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 58.232898][ T55] flags: 0xfffe0000000200(slab)
[ 58.237744][ T55] raw: 00fffe0000000200 ffffea0002986308 ffffea00025b0e08 ffff8880aa000c40
[ 58.246450][ T55] raw: 0000000000000000 ffff8880a6bd2000 0000000100000002 0000000000000000
[ 58.255021][ T55] page dumped because: kasan: bad access detected
[ 58.261419][ T55]
[ 58.263736][ T55] Memory state around the buggy address:
[ 58.269377][ T55] ffff8880a6bd2880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.277435][ T55] ffff8880a6bd2900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.285494][ T55] >ffff8880a6bd2980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.293651][ T55] ^
[ 58.300874][ T55] ffff8880a6bd2a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.309037][ T55] ffff8880a6bd2a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.317089][ T55] ==================================================================
[ 58.325140][ T55] Disabling lock debugging due to kernel taint
[ 58.331847][ T55] Kernel panic - not syncing: panic_on_warn set ...
[ 58.338429][ T55] CPU: 0 PID: 55 Comm: kworker/u4:2 Tainted: G B 5.8.0-rc1-next-20200618-syzkaller #0
[ 58.349253][ T55] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.359391][ T55] Workqueue: netns cleanup_net
[ 58.364139][ T55] Call Trace:
[ 58.367422][ T55] dump_stack+0x18f/0x20d
[ 58.372180][ T55] ? afs_wake_up_async_call+0x660/0x770
[ 58.377886][ T55] ? afs_put_call+0xa40/0xa40
[ 58.382549][ T55] panic+0x2e3/0x75c
[ 58.386432][ T55] ? __warn_printk+0xf3/0xf3
[ 58.391013][ T55] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 58.397330][ T55] ? trace_hardirqs_on+0x55/0x220
[ 58.402377][ T55] ? afs_wake_up_async_call+0x6aa/0x770
[ 58.407908][ T55] ? afs_wake_up_async_call+0x6aa/0x770
[ 58.413443][ T55] ? afs_put_call+0xa40/0xa40
[ 58.418132][ T55] end_report+0x4d/0x53
[ 58.422296][ T55] kasan_report.cold+0xd/0x37
[ 58.427148][ T55] ? rcu_read_lock_held_common+0x71/0xa0
[ 58.432775][ T55] ? afs_wake_up_async_call+0x6aa/0x770
[ 58.438314][ T55] afs_wake_up_async_call+0x6aa/0x770
[ 58.443700][ T55] ? afs_close_socket+0x320/0x320
[ 58.448719][ T55] ? afs_put_call+0xa40/0xa40
[ 58.453385][ T55] rxrpc_notify_socket+0x1db/0x5d0
[ 58.458486][ T55] ? afs_put_call+0xa40/0xa40
[ 58.463150][ T55] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 58.469576][ T55] rxrpc_call_completed+0xca/0xf0
[ 58.474594][ T55] rxrpc_discard_prealloc+0x781/0xab0
[ 58.480248][ T55] ? lock_sock_nested+0x94/0x110
[ 58.485184][ T55] rxrpc_listen+0x147/0x360
[ 58.489684][ T55] afs_close_socket+0x95/0x320
[ 58.494441][ T55] ? afs_purge_servers+0x16d/0x300
[ 58.499542][ T55] ? afs_rx_discard_new_call+0x50/0x50
[ 58.504993][ T55] ? init_wait_var_entry+0x200/0x200
[ 58.510528][ T55] ? rcu_read_lock_held_common+0xa0/0xa0
[ 58.516237][ T55] ? check_preemption_disabled+0x38/0x220
[ 58.522044][ T55] afs_net_exit+0x1bc/0x310
[ 58.526535][ T55] ? afs_net_init+0xe30/0xe30
[ 58.531288][ T55] ops_exit_list.isra.0+0xa8/0x150
[ 58.536399][ T55] cleanup_net+0x511/0xa50
[ 58.540806][ T55] ? unregister_pernet_device+0x70/0x70
[ 58.546349][ T55] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 58.552449][ T55] process_one_work+0x965/0x1690
[ 58.557383][ T55] ? lock_release+0x800/0x800
[ 58.562079][ T55] ? pwq_dec_nr_in_flight+0x310/0x310
[ 58.567447][ T55] ? rwlock_bug.part.0+0x90/0x90
[ 58.572384][ T55] worker_thread+0x96/0xe10
[ 58.576882][ T55] ? process_one_work+0x1690/0x1690
[ 58.582259][ T55] kthread+0x3b5/0x4a0
[ 58.586322][ T55] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.592033][ T55] ? kthread_mod_delayed_work+0x1a0/0x1a0
[ 58.597752][ T55] ret_from_fork+0x1f/0x30
[ 58.603664][ T55] Kernel Offset: disabled
[ 58.608024][ T55] Rebooting in 86400 seconds..