[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 81.847609][ T26] audit: type=1800 audit(1580701421.910:25): pid=9589 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 81.871911][ T26] audit: type=1800 audit(1580701421.920:26): pid=9589 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 81.925960][ T26] audit: type=1800 audit(1580701421.920:27): pid=9589 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.2' (ECDSA) to the list of known hosts. 2020/02/03 03:43:53 fuzzer started 2020/02/03 03:43:55 connecting to host at 10.128.0.26:34603 2020/02/03 03:43:55 checking machine... 2020/02/03 03:43:55 checking revisions... 2020/02/03 03:43:55 testing simple program... syzkaller login: [ 95.626063][ T9757] IPVS: ftp: loaded support on port[0] = 21 2020/02/03 03:43:55 building call list... [ 95.951176][ T76] tipc: TX() has been purged, node left! [ 97.194961][ T9753] can: request_module (can-proto-0) failed. executing program [ 98.952512][ T9753] can: request_module (can-proto-0) failed. [ 98.964289][ T9753] can: request_module (can-proto-0) failed. [ 99.428038][ T9753] ================================================================== [ 99.436244][ T9753] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 [ 99.443780][ T9753] Read of size 8 at addr ffff8880956794a0 by task syz-fuzzer/9753 [ 99.451597][ T9753] [ 99.453907][ T9753] CPU: 0 PID: 9753 Comm: syz-fuzzer Not tainted 5.5.0-next-20200203-syzkaller #0 [ 99.462990][ T9753] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 99.473027][ T9753] Call Trace: [ 99.476302][ T9753] dump_stack+0x197/0x210 [ 99.480661][ T9753] ? l2cap_sock_release+0x24c/0x290 [ 99.485845][ T9753] print_address_description.constprop.0.cold+0xd4/0x30b [ 99.492889][ T9753] ? l2cap_sock_release+0x24c/0x290 [ 99.498097][ T9753] ? l2cap_sock_release+0x24c/0x290 [ 99.503286][ T9753] __kasan_report.cold+0x1b/0x32 [ 99.508207][ T9753] ? l2cap_sock_release+0x24c/0x290 [ 99.513393][ T9753] kasan_report+0x12/0x20 [ 99.517874][ T9753] __asan_report_load8_noabort+0x14/0x20 [ 99.523517][ T9753] l2cap_sock_release+0x24c/0x290 [ 99.528540][ T9753] __sock_release+0xce/0x280 [ 99.533123][ T9753] sock_close+0x1e/0x30 [ 99.537274][ T9753] __fput+0x2ff/0x890 [ 99.541242][ T9753] ? __sock_release+0x280/0x280 [ 99.546076][ T9753] ____fput+0x16/0x20 [ 99.550051][ T9753] task_work_run+0x145/0x1c0 [ 99.554635][ T9753] exit_to_usermode_loop+0x316/0x380 [ 99.559914][ T9753] do_syscall_64+0x676/0x790 [ 99.564502][ T9753] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 99.570384][ T9753] RIP: 0033:0x4afb40 [ 99.574315][ T9753] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 99.593908][ T9753] RSP: 002b:000000c0001e7540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 99.602310][ T9753] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40 [ 99.610328][ T9753] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 99.618286][ T9753] RBP: 000000c0001e7580 R08: 0000000000000000 R09: 0000000000000000 [ 99.626244][ T9753] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000ca [ 99.634247][ T9753] R13: 00000000000000c9 R14: 0000000000000200 R15: 0000000000000200 [ 99.642223][ T9753] [ 99.644540][ T9753] Allocated by task 9753: [ 99.648851][ T9753] save_stack+0x23/0x90 [ 99.652986][ T9753] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 99.658657][ T9753] kasan_kmalloc+0x9/0x10 [ 99.662963][ T9753] __kmalloc+0x163/0x770 [ 99.667193][ T9753] sk_prot_alloc+0x23a/0x310 [ 99.671773][ T9753] sk_alloc+0x39/0xfd0 [ 99.675823][ T9753] l2cap_sock_alloc.constprop.0+0x37/0x230 [ 99.681611][ T9753] l2cap_sock_create+0x11e/0x1c0 [ 99.686526][ T9753] bt_sock_create+0x16a/0x2d0 [ 99.691224][ T9753] __sock_create+0x3ce/0x730 [ 99.695795][ T9753] __sys_socket+0x103/0x220 [ 99.700277][ T9753] __x64_sys_socket+0x73/0xb0 [ 99.704939][ T9753] do_syscall_64+0xfa/0x790 [ 99.709422][ T9753] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 99.715286][ T9753] [ 99.717600][ T9753] Freed by task 9753: [ 99.721564][ T9753] save_stack+0x23/0x90 [ 99.725699][ T9753] __kasan_slab_free+0x102/0x150 [ 99.730612][ T9753] kasan_slab_free+0xe/0x10 [ 99.735089][ T9753] kfree+0x10a/0x2c0 [ 99.738960][ T9753] __sk_destruct+0x5d8/0x7f0 [ 99.743537][ T9753] sk_destruct+0xd5/0x110 [ 99.747845][ T9753] __sk_free+0xfb/0x3f0 [ 99.751984][ T9753] sk_free+0x83/0xb0 [ 99.755855][ T9753] l2cap_sock_kill+0x160/0x190 [ 99.760592][ T9753] l2cap_sock_release+0x1c3/0x290 [ 99.765592][ T9753] __sock_release+0xce/0x280 [ 99.770285][ T9753] sock_close+0x1e/0x30 [ 99.774453][ T9753] __fput+0x2ff/0x890 [ 99.778416][ T9753] ____fput+0x16/0x20 [ 99.782373][ T9753] task_work_run+0x145/0x1c0 [ 99.786989][ T9753] exit_to_usermode_loop+0x316/0x380 [ 99.792291][ T9753] do_syscall_64+0x676/0x790 [ 99.796882][ T9753] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 99.802785][ T9753] [ 99.805093][ T9753] The buggy address belongs to the object at ffff888095679000 [ 99.805093][ T9753] which belongs to the cache kmalloc-2k of size 2048 [ 99.819123][ T9753] The buggy address is located 1184 bytes inside of [ 99.819123][ T9753] 2048-byte region [ffff888095679000, ffff888095679800) [ 99.832548][ T9753] The buggy address belongs to the page: [ 99.838164][ T9753] page:ffffea0002559e40 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 [ 99.847242][ T9753] flags: 0xfffe0000000200(slab) [ 99.852082][ T9753] raw: 00fffe0000000200 ffffea0002a978c8 ffffea00025cd688 ffff8880aa400e00 [ 99.860648][ T9753] raw: 0000000000000000 ffff888095679000 0000000100000001 0000000000000000 [ 99.869205][ T9753] page dumped because: kasan: bad access detected [ 99.875630][ T9753] [ 99.877943][ T9753] Memory state around the buggy address: [ 99.883595][ T9753] ffff888095679380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.891644][ T9753] ffff888095679400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.899685][ T9753] >ffff888095679480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.907827][ T9753] ^ [ 99.913067][ T9753] ffff888095679500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.921115][ T9753] ffff888095679580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 99.929148][ T9753] ================================================================== [ 99.937185][ T9753] Disabling lock debugging due to kernel taint [ 99.944052][ T9753] Kernel panic - not syncing: panic_on_warn set ... [ 99.950642][ T9753] CPU: 0 PID: 9753 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200203-syzkaller #0 [ 99.961111][ T9753] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 99.971144][ T9753] Call Trace: [ 99.974425][ T9753] dump_stack+0x197/0x210 [ 99.978739][ T9753] panic+0x2e3/0x75c [ 99.982757][ T9753] ? add_taint.cold+0x16/0x16 [ 99.987417][ T9753] ? l2cap_sock_release+0x24c/0x290 [ 99.992600][ T9753] ? preempt_schedule+0x4b/0x60 [ 99.997428][ T9753] ? ___preempt_schedule+0x16/0x18 [ 100.002523][ T9753] ? trace_hardirqs_on+0x5e/0x240 [ 100.007526][ T9753] ? l2cap_sock_release+0x24c/0x290 [ 100.012707][ T9753] end_report+0x47/0x4f [ 100.016846][ T9753] ? l2cap_sock_release+0x24c/0x290 [ 100.022025][ T9753] __kasan_report.cold+0xe/0x32 [ 100.026850][ T9753] ? l2cap_sock_release+0x24c/0x290 [ 100.032979][ T9753] kasan_report+0x12/0x20 [ 100.037286][ T9753] __asan_report_load8_noabort+0x14/0x20 [ 100.042894][ T9753] l2cap_sock_release+0x24c/0x290 [ 100.047898][ T9753] __sock_release+0xce/0x280 [ 100.052465][ T9753] sock_close+0x1e/0x30 [ 100.056639][ T9753] __fput+0x2ff/0x890 [ 100.060596][ T9753] ? __sock_release+0x280/0x280 [ 100.065428][ T9753] ____fput+0x16/0x20 [ 100.069387][ T9753] task_work_run+0x145/0x1c0 [ 100.073957][ T9753] exit_to_usermode_loop+0x316/0x380 [ 100.079220][ T9753] do_syscall_64+0x676/0x790 [ 100.083792][ T9753] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 100.089659][ T9753] RIP: 0033:0x4afb40 [ 100.093574][ T9753] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 100.113202][ T9753] RSP: 002b:000000c0001e7540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 100.121602][ T9753] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40 [ 100.129551][ T9753] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 100.137498][ T9753] RBP: 000000c0001e7580 R08: 0000000000000000 R09: 0000000000000000 [ 100.145450][ T9753] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000ca [ 100.153400][ T9753] R13: 00000000000000c9 R14: 0000000000000200 R15: 0000000000000200 [ 100.162649][ T9753] Kernel Offset: disabled [ 100.166965][ T9753] Rebooting in 86400 seconds..