[ ok ] Starting enhanced syslogd: rsyslogd.
[ 89.816386][ T28] audit: type=1800 audit(1580795386.258:25): pid=9603 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0
[ 89.836652][ T28] audit: type=1800 audit(1580795386.258:26): pid=9603 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0
[ 89.890557][ T28] audit: type=1800 audit(1580795386.258:27): pid=9603 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
Debian GNU/Linux 7 syzkaller ttyS0
Warning: Permanently added '10.128.10.46' (ECDSA) to the list of known hosts.
2020/02/04 05:49:57 fuzzer started
syzkaller login: [ 101.913187][ T9764] cc1 (9764) used greatest stack depth: 22776 bytes left
2020/02/04 05:49:59 connecting to host at 10.128.0.26:37733
2020/02/04 05:49:59 checking machine...
2020/02/04 05:49:59 checking revisions...
2020/02/04 05:49:59 testing simple program...
[ 103.106962][ T9773] IPVS: ftp: loaded support on port[0] = 21
2020/02/04 05:49:59 building call list...
[ 103.455940][ T3986] tipc: TX() has been purged, node left!
[ 104.718081][ T9759] can: request_module (can-proto-0) failed.
executing program
[ 106.738907][ T9759] can: request_module (can-proto-0) failed.
[ 106.750975][ T9759] can: request_module (can-proto-0) failed.
[ 107.243141][ T9759] ==================================================================
[ 107.251364][ T9759] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290
[ 107.259009][ T9759] Read of size 8 at addr ffff8880850894a0 by task syz-fuzzer/9759
[ 107.266794][ T9759]
[ 107.269177][ T9759] CPU: 0 PID: 9759 Comm: syz-fuzzer Not tainted 5.5.0-next-20200204-syzkaller #0
[ 107.278292][ T9759] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 107.288346][ T9759] Call Trace:
[ 107.291639][ T9759]  dump_stack+0x197/0x210
[ 107.295972][ T9759]  ? l2cap_sock_release+0x24c/0x290
[ 107.301167][ T9759]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 107.308182][ T9759]  ? l2cap_sock_release+0x24c/0x290
[ 107.313386][ T9759]  ? l2cap_sock_release+0x24c/0x290
[ 107.318578][ T9759]  __kasan_report.cold+0x1b/0x32
[ 107.323548][ T9759]  ? l2cap_sock_release+0x24c/0x290
[ 107.328783][ T9759]  kasan_report+0x12/0x20
[ 107.333093][ T9759]  __asan_report_load8_noabort+0x14/0x20
[ 107.338827][ T9759]  l2cap_sock_release+0x24c/0x290
[ 107.343893][ T9759]  __sock_release+0xce/0x280
[ 107.348479][ T9759]  sock_close+0x1e/0x30
[ 107.352636][ T9759]  __fput+0x2ff/0x890
[ 107.356654][ T9759]  ? __sock_release+0x280/0x280
[ 107.361574][ T9759]  ____fput+0x16/0x20
[ 107.365548][ T9759]  task_work_run+0x145/0x1c0
[ 107.370277][ T9759]  exit_to_usermode_loop+0x316/0x380
[ 107.375606][ T9759]  do_syscall_64+0x676/0x790
[ 107.380456][ T9759]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 107.386332][ T9759] RIP: 0033:0x4afb40
[ 107.390237][ T9759] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 107.409920][ T9759] RSP: 002b:000000c0001e7540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 107.418335][ T9759] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40
[ 107.426357][ T9759] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 107.434358][ T9759] RBP: 000000c0001e7580 R08: 0000000000000000 R09: 0000000000000000
[ 107.443318][ T9759] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cb
[ 107.451298][ T9759] R13: 00000000000000ca R14: 0000000000000200 R15: 0000000000000200
[ 107.459279][ T9759]
[ 107.461593][ T9759] Allocated by task 9759:
[ 107.465911][ T9759]  save_stack+0x23/0x90
[ 107.470047][ T9759]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 107.475677][ T9759]  kasan_kmalloc+0x9/0x10
[ 107.480004][ T9759]  __kmalloc+0x163/0x770
[ 107.484277][ T9759]  sk_prot_alloc+0x23a/0x310
[ 107.488859][ T9759]  sk_alloc+0x39/0xfd0
[ 107.492912][ T9759]  l2cap_sock_alloc.constprop.0+0x37/0x230
[ 107.498714][ T9759]  l2cap_sock_create+0x11e/0x1c0
[ 107.503694][ T9759]  bt_sock_create+0x16a/0x2d0
[ 107.508436][ T9759]  __sock_create+0x3ce/0x730
[ 107.513052][ T9759]  __sys_socket+0x103/0x220
[ 107.517545][ T9759]  __x64_sys_socket+0x73/0xb0
[ 107.522222][ T9759]  do_syscall_64+0xfa/0x790
[ 107.526734][ T9759]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 107.532906][ T9759]
[ 107.535246][ T9759] Freed by task 9759:
[ 107.539211][ T9759]  save_stack+0x23/0x90
[ 107.543362][ T9759]  __kasan_slab_free+0x102/0x150
[ 107.548283][ T9759]  kasan_slab_free+0xe/0x10
[ 107.552780][ T9759]  kfree+0x10a/0x2c0
[ 107.556665][ T9759]  __sk_destruct+0x5d8/0x7f0
[ 107.561237][ T9759]  sk_destruct+0xd5/0x110
[ 107.565556][ T9759]  __sk_free+0xfb/0x3f0
[ 107.569706][ T9759]  sk_free+0x83/0xb0
[ 107.573581][ T9759]  l2cap_sock_kill+0x160/0x190
[ 107.578324][ T9759]  l2cap_sock_release+0x1c3/0x290
[ 107.583334][ T9759]  __sock_release+0xce/0x280
[ 107.587911][ T9759]  sock_close+0x1e/0x30
[ 107.592048][ T9759]  __fput+0x2ff/0x890
[ 107.596041][ T9759]  ____fput+0x16/0x20
[ 107.600013][ T9759]  task_work_run+0x145/0x1c0
[ 107.604606][ T9759]  exit_to_usermode_loop+0x316/0x380
[ 107.609894][ T9759]  do_syscall_64+0x676/0x790
[ 107.614479][ T9759]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 107.620382][ T9759]
[ 107.622708][ T9759] The buggy address belongs to the object at ffff888085089000
[ 107.622708][ T9759]  which belongs to the cache kmalloc-2k of size 2048
[ 107.636907][ T9759] The buggy address is located 1184 bytes inside of
[ 107.636907][ T9759]  2048-byte region [ffff888085089000, ffff888085089800)
[ 107.650461][ T9759] The buggy address belongs to the page:
[ 107.656084][ T9759] page:ffffea0002142240 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 107.665187][ T9759] flags: 0xfffe0000000200(slab)
[ 107.670024][ T9759] raw: 00fffe0000000200 ffffea00021422c8 ffffea0002142208 ffff8880aa400e00
[ 107.678607][ T9759] raw: 0000000000000000 ffff888085089000 0000000100000001 0000000000000000
[ 107.687265][ T9759] page dumped because: kasan: bad access detected
[ 107.693669][ T9759]
[ 107.695989][ T9759] Memory state around the buggy address:
[ 107.701613][ T9759]  ffff888085089380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.709672][ T9759]  ffff888085089400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.717725][ T9759] >ffff888085089480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.725771][ T9759]                                ^
[ 107.731313][ T9759]  ffff888085089500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.739381][ T9759]  ffff888085089580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 107.747470][ T9759] ==================================================================
[ 107.755516][ T9759] Disabling lock debugging due to kernel taint
[ 107.762220][ T9759] Kernel panic - not syncing: panic_on_warn set ...
[ 107.768817][ T9759] CPU: 0 PID: 9759 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200204-syzkaller #0
[ 107.779296][ T9759] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 107.789337][ T9759] Call Trace:
[ 107.792616][ T9759]  dump_stack+0x197/0x210
[ 107.796945][ T9759]  panic+0x2e3/0x75c
[ 107.800880][ T9759]  ? add_taint.cold+0x16/0x16
[ 107.805551][ T9759]  ? l2cap_sock_release+0x24c/0x290
[ 107.810773][ T9759]  ? preempt_schedule+0x4b/0x60
[ 107.815622][ T9759]  ? ___preempt_schedule+0x16/0x18
[ 107.820723][ T9759]  ? trace_hardirqs_on+0x5e/0x240
[ 107.825764][ T9759]  ? l2cap_sock_release+0x24c/0x290
[ 107.830964][ T9759]  end_report+0x47/0x4f
[ 107.835143][ T9759]  ? l2cap_sock_release+0x24c/0x290
[ 107.840360][ T9759]  __kasan_report.cold+0xe/0x32
[ 107.845198][ T9759]  ? l2cap_sock_release+0x24c/0x290
[ 107.850392][ T9759]  kasan_report+0x12/0x20
[ 107.854716][ T9759]  __asan_report_load8_noabort+0x14/0x20
[ 107.860355][ T9759]  l2cap_sock_release+0x24c/0x290
[ 107.865376][ T9759]  __sock_release+0xce/0x280
[ 107.869959][ T9759]  sock_close+0x1e/0x30
[ 107.874102][ T9759]  __fput+0x2ff/0x890
[ 107.878078][ T9759]  ? __sock_release+0x280/0x280
[ 107.882927][ T9759]  ____fput+0x16/0x20
[ 107.886890][ T9759]  task_work_run+0x145/0x1c0
[ 107.891494][ T9759]  exit_to_usermode_loop+0x316/0x380
[ 107.896772][ T9759]  do_syscall_64+0x676/0x790
[ 107.901404][ T9759]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 107.907277][ T9759] RIP: 0033:0x4afb40
[ 107.911161][ T9759] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 107.930769][ T9759] RSP: 002b:000000c0001e7540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 107.939523][ T9759] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40
[ 107.947601][ T9759] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 107.955567][ T9759] RBP: 000000c0001e7580 R08: 0000000000000000 R09: 0000000000000000
[ 107.963528][ T9759] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cb
[ 107.971492][ T9759] R13: 00000000000000ca R14: 0000000000000200 R15: 0000000000000200
[ 107.980914][ T9759] Kernel Offset: disabled
[ 107.985236][ T9759] Rebooting in 86400 seconds..