tipc: TX() has been purged, node left! ================================================================== BUG: KASAN: use-after-free in afs_wake_up_async_call+0x16f/0x1c0 fs/afs/rxrpc.c:707 Write of size 1 at addr ffff8880a18631e4 by task kworker/u4:2/57 CPU: 1 PID: 57 Comm: kworker/u4:2 Not tainted 5.8.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1f0/0x31e lib/dump_stack.c:118 print_address_description+0x66/0x5a0 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report+0x132/0x1d0 mm/kasan/report.c:530 afs_wake_up_async_call+0x16f/0x1c0 fs/afs/rxrpc.c:707 rxrpc_notify_socket+0x1e7/0x4a0 net/rxrpc/recvmsg.c:40 __rxrpc_set_call_completion net/rxrpc/recvmsg.c:76 [inline] __rxrpc_call_completed net/rxrpc/recvmsg.c:102 [inline] rxrpc_call_completed+0x131/0x210 net/rxrpc/recvmsg.c:111 rxrpc_discard_prealloc+0x60d/0x710 net/rxrpc/call_accept.c:233 rxrpc_listen+0x246/0x370 net/rxrpc/af_rxrpc.c:245 afs_close_socket+0x57/0x280 fs/afs/rxrpc.c:110 afs_net_exit+0x4f/0x90 fs/afs/main.c:155 ops_exit_list net/core/net_namespace.c:186 [inline] cleanup_net+0x708/0xba0 net/core/net_namespace.c:603 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 Allocated by task 6778: save_stack mm/kasan/common.c:48 [inline] set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc+0x103/0x140 mm/kasan/common.c:494 kmem_cache_alloc_trace+0x234/0x300 mm/slab.c:3551 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] afs_alloc_call+0x89/0x2f0 fs/afs/rxrpc.c:141 afs_charge_preallocation+0xf0/0x2a0 fs/afs/rxrpc.c:757 afs_open_socket+0x3c7/0x510 fs/afs/rxrpc.c:92 afs_net_init+0x772/0x940 fs/afs/main.c:125 ops_init+0x320/0x410 net/core/net_namespace.c:151 setup_net+0x1cb/0x770 net/core/net_namespace.c:341 copy_net_ns+0x339/0x540 net/core/net_namespace.c:482 create_new_namespaces+0x52e/0x9f0 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0x123/0x190 kernel/nsproxy.c:231 ksys_unshare+0x463/0x950 kernel/fork.c:2983 __do_sys_unshare kernel/fork.c:3051 [inline] __se_sys_unshare kernel/fork.c:3049 [inline] __x64_sys_unshare+0x34/0x40 kernel/fork.c:3049 do_syscall_64+0x73/0xe0 arch/x86/entry/common.c:359 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 57: save_stack mm/kasan/common.c:48 [inline] set_track mm/kasan/common.c:56 [inline] kasan_set_free_info mm/kasan/common.c:316 [inline] __kasan_slab_free+0x114/0x170 mm/kasan/common.c:455 __cache_free mm/slab.c:3426 [inline] kfree+0x10a/0x220 mm/slab.c:3757 afs_put_call+0x30e/0x420 fs/afs/rxrpc.c:190 rxrpc_discard_prealloc+0x5e2/0x710 net/rxrpc/call_accept.c:230 rxrpc_listen+0x246/0x370 net/rxrpc/af_rxrpc.c:245 afs_close_socket+0x57/0x280 fs/afs/rxrpc.c:110 afs_net_exit+0x4f/0x90 fs/afs/main.c:155 ops_exit_list net/core/net_namespace.c:186 [inline] cleanup_net+0x708/0xba0 net/core/net_namespace.c:603 process_one_work+0x789/0xfc0 kernel/workqueue.c:2269 worker_thread+0xaa4/0x1460 kernel/workqueue.c:2415 kthread+0x37e/0x3a0 drivers/block/aoe/aoecmd.c:1234 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 The buggy address belongs to the object at ffff8880a1863000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 484 bytes inside of 1024-byte region [ffff8880a1863000, ffff8880a1863400) The buggy address belongs to the page: page:ffffea00028618c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002865f88 ffffea0002425948 ffff8880aa400c40 raw: 0000000000000000 ffff8880a1863000 0000000100000002 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a1863080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a1863100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880a1863180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a1863200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880a1863280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================