Warning: Permanently added '10.128.10.11' (ECDSA) to the list of known hosts.
2020/02/05 02:33:37 fuzzer started
2020/02/05 02:33:39 connecting to host at 10.128.0.26:44877
2020/02/05 02:33:39 checking machine...
2020/02/05 02:33:39 checking revisions...
2020/02/05 02:33:39 testing simple program...
syzkaller login: [  114.724830][ T9870] IPVS: ftp: loaded support on port[0] = 21
2020/02/05 02:33:39 building call list...
[  115.087961][  T307] tipc: TX() has been purged, node left!
[  116.290659][ T9855] can: request_module (can-proto-0) failed.
executing program
[  118.331490][ T9855] can: request_module (can-proto-0) failed.
[  118.343901][ T9855] can: request_module (can-proto-0) failed.
[  118.825842][ T9855] ==================================================================
[  118.834377][ T9855] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290
[  118.841910][ T9855] Read of size 8 at addr ffff8880a82504a0 by task syz-fuzzer/9855
[  118.849832][ T9855] 
[  118.852150][ T9855] CPU: 0 PID: 9855 Comm: syz-fuzzer Not tainted 5.5.0-next-20200205-syzkaller #0
[  118.861353][ T9855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  118.871417][ T9855] Call Trace:
[  118.874722][ T9855]  dump_stack+0x197/0x210
[  118.879296][ T9855]  ? l2cap_sock_release+0x24c/0x290
[  118.884674][ T9855]  print_address_description.constprop.0.cold+0xd4/0x30b
[  118.891730][ T9855]  ? l2cap_sock_release+0x24c/0x290
[  118.896928][ T9855]  ? l2cap_sock_release+0x24c/0x290
[  118.902125][ T9855]  __kasan_report.cold+0x1b/0x32
[  118.907066][ T9855]  ? l2cap_sock_release+0x24c/0x290
[  118.912262][ T9855]  kasan_report+0x12/0x20
[  118.916582][ T9855]  __asan_report_load8_noabort+0x14/0x20
[  118.922216][ T9855]  l2cap_sock_release+0x24c/0x290
[  118.927251][ T9855]  __sock_release+0xce/0x280
[  118.931830][ T9855]  sock_close+0x1e/0x30
[  118.936108][ T9855]  __fput+0x2ff/0x890
[  118.940091][ T9855]  ? __sock_release+0x280/0x280
[  118.944943][ T9855]  ____fput+0x16/0x20
[  118.948917][ T9855]  task_work_run+0x145/0x1c0
[  118.953512][ T9855]  exit_to_usermode_loop+0x316/0x380
[  118.958784][ T9855]  do_syscall_64+0x676/0x790
[  118.963497][ T9855]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  118.969401][ T9855] RIP: 0033:0x4afb40
[  118.973283][ T9855] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[  118.993498][ T9855] RSP: 002b:000000c0001f5540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[  119.001900][ T9855] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40
[  119.010013][ T9855] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[  119.017972][ T9855] RBP: 000000c0001f5580 R08: 0000000000000000 R09: 0000000000000000
[  119.026079][ T9855] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cd
[  119.034051][ T9855] R13: 00000000000000cc R14: 0000000000000200 R15: 0000000000000200
[  119.042204][ T9855] 
[  119.044625][ T9855] Allocated by task 9855:
[  119.049047][ T9855]  save_stack+0x23/0x90
[  119.053208][ T9855]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[  119.059120][ T9855]  kasan_kmalloc+0x9/0x10
[  119.063435][ T9855]  __kmalloc+0x163/0x770
[  119.067663][ T9855]  sk_prot_alloc+0x23a/0x310
[  119.072243][ T9855]  sk_alloc+0x39/0xfd0
[  119.076412][ T9855]  l2cap_sock_alloc.constprop.0+0x37/0x230
[  119.082217][ T9855]  l2cap_sock_create+0x11e/0x1c0
[  119.087241][ T9855]  bt_sock_create+0x16a/0x2d0
[  119.091900][ T9855]  __sock_create+0x3ce/0x730
[  119.096478][ T9855]  __sys_socket+0x103/0x220
[  119.100967][ T9855]  __x64_sys_socket+0x73/0xb0
[  119.106587][ T9855]  do_syscall_64+0xfa/0x790
[  119.111118][ T9855]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  119.117525][ T9855] 
[  119.119839][ T9855] Freed by task 9855:
[  119.123815][ T9855]  save_stack+0x23/0x90
[  119.127963][ T9855]  __kasan_slab_free+0x102/0x150
[  119.132903][ T9855]  kasan_slab_free+0xe/0x10
[  119.137510][ T9855]  kfree+0x10a/0x2c0
[  119.141483][ T9855]  __sk_destruct+0x5d8/0x7f0
[  119.146062][ T9855]  sk_destruct+0xd5/0x110
[  119.150485][ T9855]  __sk_free+0xfb/0x3f0
[  119.154779][ T9855]  sk_free+0x83/0xb0
[  119.158662][ T9855]  l2cap_sock_kill+0x160/0x190
[  119.163475][ T9855]  l2cap_sock_release+0x1c3/0x290
[  119.168491][ T9855]  __sock_release+0xce/0x280
[  119.173066][ T9855]  sock_close+0x1e/0x30
[  119.177257][ T9855]  __fput+0x2ff/0x890
[  119.181489][ T9855]  ____fput+0x16/0x20
[  119.185475][ T9855]  task_work_run+0x145/0x1c0
[  119.190171][ T9855]  exit_to_usermode_loop+0x316/0x380
[  119.195554][ T9855]  do_syscall_64+0x676/0x790
[  119.200139][ T9855]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  119.206055][ T9855] 
[  119.208375][ T9855] The buggy address belongs to the object at ffff8880a8250000
[  119.208375][ T9855]  which belongs to the cache kmalloc-2k of size 2048
[  119.222419][ T9855] The buggy address is located 1184 bytes inside of
[  119.222419][ T9855]  2048-byte region [ffff8880a8250000, ffff8880a8250800)
[  119.235940][ T9855] The buggy address belongs to the page:
[  119.241608][ T9855] page:ffffea0002a09400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[  119.250705][ T9855] flags: 0xfffe0000000200(slab)
[  119.255538][ T9855] raw: 00fffe0000000200 ffffea00026ce508 ffffea00024b5908 ffff8880aa400e00
[  119.264219][ T9855] raw: 0000000000000000 ffff8880a8250000 0000000100000001 0000000000000000
[  119.273112][ T9855] page dumped because: kasan: bad access detected
[  119.279699][ T9855] 
[  119.282008][ T9855] Memory state around the buggy address:
[  119.288161][ T9855]  ffff8880a8250380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  119.296205][ T9855]  ffff8880a8250400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  119.304245][ T9855] >ffff8880a8250480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  119.312318][ T9855]                                ^
[  119.317434][ T9855]  ffff8880a8250500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  119.326091][ T9855]  ffff8880a8250580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[  119.334141][ T9855] ==================================================================
[  119.342205][ T9855] Disabling lock debugging due to kernel taint
[  119.348721][ T9855] Kernel panic - not syncing: panic_on_warn set ...
[  119.355400][ T9855] CPU: 0 PID: 9855 Comm: syz-fuzzer Tainted: G    B             5.5.0-next-20200205-syzkaller #0
[  119.365933][ T9855] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[  119.375978][ T9855] Call Trace:
[  119.379265][ T9855]  dump_stack+0x197/0x210
[  119.383584][ T9855]  panic+0x2e3/0x75c
[  119.387474][ T9855]  ? add_taint.cold+0x16/0x16
[  119.392148][ T9855]  ? l2cap_sock_release+0x24c/0x290
[  119.397861][ T9855]  ? preempt_schedule+0x4b/0x60
[  119.402815][ T9855]  ? ___preempt_schedule+0x16/0x18
[  119.408001][ T9855]  ? trace_hardirqs_on+0x5e/0x240
[  119.413135][ T9855]  ? l2cap_sock_release+0x24c/0x290
[  119.418497][ T9855]  end_report+0x47/0x4f
[  119.422836][ T9855]  ? l2cap_sock_release+0x24c/0x290
[  119.428024][ T9855]  __kasan_report.cold+0xe/0x32
[  119.433028][ T9855]  ? l2cap_sock_release+0x24c/0x290
[  119.438213][ T9855]  kasan_report+0x12/0x20
[  119.442691][ T9855]  __asan_report_load8_noabort+0x14/0x20
[  119.448369][ T9855]  l2cap_sock_release+0x24c/0x290
[  119.453491][ T9855]  __sock_release+0xce/0x280
[  119.458207][ T9855]  sock_close+0x1e/0x30
[  119.462344][ T9855]  __fput+0x2ff/0x890
[  119.466327][ T9855]  ? __sock_release+0x280/0x280
[  119.471170][ T9855]  ____fput+0x16/0x20
[  119.475224][ T9855]  task_work_run+0x145/0x1c0
[  119.479799][ T9855]  exit_to_usermode_loop+0x316/0x380
[  119.485078][ T9855]  do_syscall_64+0x676/0x790
[  119.489799][ T9855]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  119.495675][ T9855] RIP: 0033:0x4afb40
[  119.499554][ T9855] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[  119.519393][ T9855] RSP: 002b:000000c0001f5540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[  119.528082][ T9855] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40
[  119.536042][ T9855] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[  119.544104][ T9855] RBP: 000000c0001f5580 R08: 0000000000000000 R09: 0000000000000000
[  119.552063][ T9855] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cd
[  119.560023][ T9855] R13: 00000000000000cc R14: 0000000000000200 R15: 0000000000000200
[  119.569834][ T9855] Kernel Offset: disabled
[  119.574449][ T9855] Rebooting in 86400 seconds..