BUG: KASAN: use-after-free in afs_wake_up_async_call


butt3rflyh4ck

Jun 15, 2020, 11:30:09 PM6/15/20
to syzkaller
Hi, I run the latest syzkaller and Linux kernel (v5.8.0-rc1), but
the system always crashes:
==================================================================
[ 55.179022][ T2134] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[ 55.179856][ T2134] Write of size 1 at addr ffff88804cc3d1e4 by task kworker/u4:5/2134
[ 55.180702][ T2134]
[ 55.180962][ T2134] CPU: 1 PID: 2134 Comm: kworker/u4:5 Not tainted 5.8.0-rc1+ #6
[ 55.181763][ T2134] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 55.182790][ T2134] Workqueue: netns cleanup_net
[ 55.183291][ T2134] Call Trace:
[ 55.183644][ T2134] dump_stack+0x18f/0x20d
[ 55.184107][ T2134] ? afs_wake_up_async_call+0x6aa/0x770
[ 55.184694][ T2134] ? afs_wake_up_async_call+0x6aa/0x770
[ 55.185284][ T2134] ? afs_put_call+0xa40/0xa40
[ 55.185781][ T2134] print_address_description.constprop.0.cold+0xd3/0x445
[ 55.186525][ T2134] ? vprintk_func+0x97/0x1a6
[ 55.187016][ T2134] ? afs_wake_up_async_call+0x6aa/0x770
[ 55.187602][ T2134] kasan_report.cold+0x1f/0x37
[ 55.188110][ T2134] ? rcu_read_lock_held_common+0x61/0xa0
[ 55.188707][ T2134] ? afs_wake_up_async_call+0x6aa/0x770
[ 55.189300][ T2134] afs_wake_up_async_call+0x6aa/0x770
[ 55.189853][ T2134] ? afs_close_socket+0x320/0x320
[ 55.190379][ T2134] ? afs_put_call+0xa40/0xa40
[ 55.190876][ T2134] rxrpc_notify_socket+0x1db/0x5d0
[ 55.191421][ T2134] ? afs_put_call+0xa40/0xa40
[ 55.191918][ T2134] __rxrpc_set_call_completion.part.0+0x172/0x410
[ 55.192596][ T2134] rxrpc_call_completed+0xca/0xf0
[ 55.193137][ T2134] rxrpc_discard_prealloc+0x781/0xab0
[ 55.193707][ T2134] ? lock_sock_nested+0x94/0x110
[ 55.194233][ T2134] rxrpc_listen+0x147/0x360
[ 55.194715][ T2134] afs_close_socket+0x95/0x320
[ 55.195222][ T2134] ? afs_purge_servers+0x16d/0x300
[ 55.195770][ T2134] ? afs_rx_discard_new_call+0x50/0x50
[ 55.196353][ T2134] ? init_wait_var_entry+0x200/0x200
[ 55.196921][ T2134] ? rcu_read_lock_held_common+0xa0/0xa0
[ 55.197522][ T2134] ? check_preemption_disabled+0x38/0x220
[ 55.198131][ T2134] afs_net_exit+0x1bc/0x310
[ 55.198608][ T2134] ? afs_net_init+0xe30/0xe30
[ 55.199105][ T2134] ops_exit_list.isra.0+0xa8/0x150
[ 55.199650][ T2134] cleanup_net+0x511/0xa50
[ 55.200123][ T2134] ? unregister_pernet_device+0x70/0x70
[ 55.200715][ T2134] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 55.201357][ T2134] process_one_work+0x965/0x1690
[ 55.201887][ T2134] ? lock_release+0x800/0x800
[ 55.202386][ T2134] ? pwq_dec_nr_in_flight+0x310/0x310
[ 55.202960][ T2134] ? rwlock_bug.part.0+0x90/0x90
[ 55.203491][ T2134] worker_thread+0x96/0xe10
[ 55.203977][ T2134] ? process_one_work+0x1690/0x1690
[ 55.204531][ T2134] kthread+0x378/0x4a0
[ 55.204969][ T2134] ? kthread_create_on_node+0xf0/0xf0
[ 55.205537][ T2134] ? kthread_create_on_node+0xf0/0xf0
[ 55.206108][ T2134] ret_from_fork+0x1f/0x30

The crash has been reported, and nobody has fixed it. Is it a bug?
How do I bypass this bug?

thanks,
butt3rflyh4ck.
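As an added example (not from the poster and not syzkaller's own code), a small parser that turns a KASAN report like the one above into the fields a triager needs: bug kind, access type and size, faulting task, the reliable call-trace frames (the `?` entries are unwinder guesses and are dropped), and a syzkaller-style dedup title. The function names are my own; the sample input is a constructed subset of the trace above, rejoined onto the single lines printk emits.

```python
import re

# Constructed sample: a subset of the report quoted above, rejoined onto the single
# lines printk emits (the mail client wrapped them in the post).
SAMPLE = """\
[   55.179022][ T2134] BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770
[   55.179856][ T2134] Write of size 1 at addr ffff88804cc3d1e4 by task kworker/u4:5/2134
[   55.183291][ T2134] Call Trace:
[   55.183644][ T2134]  dump_stack+0x18f/0x20d
[   55.184107][ T2134]  ? afs_wake_up_async_call+0x6aa/0x770
[   55.187602][ T2134]  kasan_report.cold+0x1f/0x37
[   55.189300][ T2134]  afs_wake_up_async_call+0x6aa/0x770
[   55.190876][ T2134]  rxrpc_notify_socket+0x1db/0x5d0
[   55.198131][ T2134]  afs_net_exit+0x1bc/0x310
"""

PREFIX = r"^\[\s*[\d.]+\]\[\s*T\d+\]\s*"            # "[ 55.17..][ T2134] " printk prefix
SYM = r"(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+"    # symbol+offset/size
BUG_RE = re.compile(PREFIX + r"BUG: KASAN: (?P<kind>[\w-]+) in " + SYM)
ACCESS_RE = re.compile(PREFIX + r"(?P<op>Read|Write) of size (?P<size>\d+) at addr "
                       r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME_RE = re.compile(PREFIX + r"(?P<guess>\? )?" + SYM + r"$")
# Frames that belong to the reporting machinery, not to the faulting code path.
REPORT_FRAMES = ("dump_stack", "print_address_description", "kasan_report")

def parse_kasan_report(text):
    """Return the header fields and the reliable frames of a KASAN report as a dict."""
    rep, in_trace = None, False
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            rep = {"kind": m["kind"], "func": m["sym"], "frames": []}
        elif rep and (m := ACCESS_RE.match(line)):
            rep.update(op=m["op"], size=int(m["size"]), addr=m["addr"], task=m["task"])
        elif rep and line.endswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)) and not m["guess"]:
            rep["frames"].append(m["sym"])   # "? " entries are unverified by the unwinder
    return rep

def guilty_frame(rep):
    """Innermost reliable frame outside the KASAN plumbing: where the bad access ran."""
    return next(f for f in rep["frames"] if not f.startswith(REPORT_FRAMES))

def title(rep):
    """One-line title in the form syzkaller uses to deduplicate crashes across runs."""
    return f"KASAN: {rep['kind']} {rep['op']} in {guilty_frame(rep)}"
```

Feeding a full run's console log through this gives a stable title per crash, so repeated hits of the same bug (as in the report above) are recognised as one issue rather than many.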

Eric Biggers

Jun 15, 2020, 11:39:54 PM6/15/20
to butt3rflyh4ck, syzkaller
Yes this is a kernel bug. It was reported at
https://groups.google.com/forum/#!msg/syzkaller-bugs/1Z4Sn5KhBWI/3EG8ktCPBQAJ.
Presumably it's blocking upstream testing at the moment.

Most bugs are dependent on specific kernel config options, which can be disabled
to make the bugs unreachable. But why bother finding bugs if not to fix them?

You can help by helping to fix this bug. For example, bisect to find which
commit introduced the bug, and let the appropriate people / mailing lists know
what you found. And if possible, send a patch to fix the bug.

- Eric