[ 97.716173][ T27] audit: type=1800 audit(1580795392.998:27): pid=9809 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0
[ 97.752425][ T27] audit: type=1800 audit(1580795392.998:28): pid=9809 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="ssh" dev="sda1" ino=2417 res=0
[ ok ] Starting periodic command scheduler: cron.
[ ok ] Starting OpenBSD Secure Shell server: sshd.
[ 98.469942][ T27] audit: type=1800 audit(1580795393.798:29): pid=9809 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0
[ 98.491130][ T27] audit: type=1800 audit(1580795393.798:30): pid=9809 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0

Debian GNU/Linux 7 syzkaller ttyS0

Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
2020/02/04 05:50:02 fuzzer started
2020/02/04 05:50:03 connecting to host at 10.128.0.26:39439
2020/02/04 05:50:03 checking machine...
2020/02/04 05:50:03 checking revisions...
2020/02/04 05:50:03 testing simple program...
syzkaller login: [ 108.795065][ T9978] IPVS: ftp: loaded support on port[0] = 21
2020/02/04 05:50:04 building call list...
[ 109.174690][ T87] tipc: TX() has been purged, node left!
[ 110.388302][ T9963] can: request_module (can-proto-0) failed.
executing program
[ 112.300362][ T9963] can: request_module (can-proto-0) failed.
[ 112.312995][ T9963] can: request_module (can-proto-0) failed.
[ 112.832158][ T9963] ==================================================================
[ 112.840655][ T9963] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290
[ 112.848198][ T9963] Read of size 8 at addr ffff88809dce34a0 by task syz-fuzzer/9963
[ 112.856055][ T9963]
[ 112.858443][ T9963] CPU: 0 PID: 9963 Comm: syz-fuzzer Not tainted 5.5.0-next-20200204-syzkaller #0
[ 112.867559][ T9963] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 112.877614][ T9963] Call Trace:
[ 112.880923][ T9963]  dump_stack+0x197/0x210
[ 112.885258][ T9963]  ? l2cap_sock_release+0x24c/0x290
[ 112.890477][ T9963]  print_address_description.constprop.0.cold+0xd4/0x30b
[ 112.897510][ T9963]  ? l2cap_sock_release+0x24c/0x290
[ 112.902806][ T9963]  ? l2cap_sock_release+0x24c/0x290
[ 112.908008][ T9963]  __kasan_report.cold+0x1b/0x32
[ 112.913239][ T9963]  ? l2cap_sock_release+0x24c/0x290
[ 112.918698][ T9963]  kasan_report+0x12/0x20
[ 112.923113][ T9963]  __asan_report_load8_noabort+0x14/0x20
[ 112.928776][ T9963]  l2cap_sock_release+0x24c/0x290
[ 112.933802][ T9963]  __sock_release+0xce/0x280
[ 112.938410][ T9963]  sock_close+0x1e/0x30
[ 112.942604][ T9963]  __fput+0x2ff/0x890
[ 112.946610][ T9963]  ? __sock_release+0x280/0x280
[ 112.951854][ T9963]  ____fput+0x16/0x20
[ 112.955849][ T9963]  task_work_run+0x145/0x1c0
[ 112.960461][ T9963]  exit_to_usermode_loop+0x316/0x380
[ 112.965788][ T9963]  do_syscall_64+0x676/0x790
[ 112.970474][ T9963]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 112.976388][ T9963] RIP: 0033:0x4afb40
[ 112.980383][ T9963] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 113.000130][ T9963] RSP: 002b:000000c0001e5540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 113.008699][ T9963] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40
[ 113.016766][ T9963] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 113.024871][ T9963] RBP: 000000c0001e5580 R08: 0000000000000000 R09: 0000000000000000
[ 113.033043][ T9963] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc
[ 113.041074][ T9963] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200
[ 113.049296][ T9963]
[ 113.051634][ T9963] Allocated by task 9963:
[ 113.056013][ T9963]  save_stack+0x23/0x90
[ 113.060314][ T9963]  __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 113.066067][ T9963]  kasan_kmalloc+0x9/0x10
[ 113.070387][ T9963]  __kmalloc+0x163/0x770
[ 113.074759][ T9963]  sk_prot_alloc+0x23a/0x310
[ 113.079339][ T9963]  sk_alloc+0x39/0xfd0
[ 113.083509][ T9963]  l2cap_sock_alloc.constprop.0+0x37/0x230
[ 113.089329][ T9963]  l2cap_sock_create+0x11e/0x1c0
[ 113.094278][ T9963]  bt_sock_create+0x16a/0x2d0
[ 113.099135][ T9963]  __sock_create+0x3ce/0x730
[ 113.103866][ T9963]  __sys_socket+0x103/0x220
[ 113.108379][ T9963]  __x64_sys_socket+0x73/0xb0
[ 113.113185][ T9963]  do_syscall_64+0xfa/0x790
[ 113.117705][ T9963]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 113.123588][ T9963]
[ 113.125908][ T9963] Freed by task 9963:
[ 113.129894][ T9963]  save_stack+0x23/0x90
[ 113.134085][ T9963]  __kasan_slab_free+0x102/0x150
[ 113.139086][ T9963]  kasan_slab_free+0xe/0x10
[ 113.143699][ T9963]  kfree+0x10a/0x2c0
[ 113.147686][ T9963]  __sk_destruct+0x5d8/0x7f0
[ 113.152405][ T9963]  sk_destruct+0xd5/0x110
[ 113.156867][ T9963]  __sk_free+0xfb/0x3f0
[ 113.161052][ T9963]  sk_free+0x83/0xb0
[ 113.165049][ T9963]  l2cap_sock_kill+0x160/0x190
[ 113.169809][ T9963]  l2cap_sock_release+0x1c3/0x290
[ 113.175036][ T9963]  __sock_release+0xce/0x280
[ 113.179624][ T9963]  sock_close+0x1e/0x30
[ 113.183778][ T9963]  __fput+0x2ff/0x890
[ 113.187811][ T9963]  ____fput+0x16/0x20
[ 113.191796][ T9963]  task_work_run+0x145/0x1c0
[ 113.196521][ T9963]  exit_to_usermode_loop+0x316/0x380
[ 113.201815][ T9963]  do_syscall_64+0x676/0x790
[ 113.206408][ T9963]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 113.212280][ T9963]
[ 113.214596][ T9963] The buggy address belongs to the object at ffff88809dce3000
[ 113.214596][ T9963]  which belongs to the cache kmalloc-2k of size 2048
[ 113.228649][ T9963] The buggy address is located 1184 bytes inside of
[ 113.228649][ T9963]  2048-byte region [ffff88809dce3000, ffff88809dce3800)
[ 113.242144][ T9963] The buggy address belongs to the page:
[ 113.247786][ T9963] page:ffffea00027738c0 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 113.256898][ T9963] flags: 0xfffe0000000200(slab)
[ 113.261747][ T9963] raw: 00fffe0000000200 ffffea00027cfb08 ffffea0002682e48 ffff8880aa400e00
[ 113.270324][ T9963] raw: 0000000000000000 ffff88809dce3000 0000000100000001 0000000000000000
[ 113.278909][ T9963] page dumped because: kasan: bad access detected
[ 113.285303][ T9963]
[ 113.287622][ T9963] Memory state around the buggy address:
[ 113.293255][ T9963]  ffff88809dce3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 113.301310][ T9963]  ffff88809dce3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 113.309372][ T9963] >ffff88809dce3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 113.317488][ T9963]                                ^
[ 113.322605][ T9963]  ffff88809dce3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 113.330660][ T9963]  ffff88809dce3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 113.338710][ T9963] ==================================================================
[ 113.347207][ T9963] Disabling lock debugging due to kernel taint
[ 113.353830][ T9963] Kernel panic - not syncing: panic_on_warn set ...
[ 113.360570][ T9963] CPU: 0 PID: 9963 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200204-syzkaller #0
[ 113.371161][ T9963] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 113.381219][ T9963] Call Trace:
[ 113.384505][ T9963]  dump_stack+0x197/0x210
[ 113.388907][ T9963]  panic+0x2e3/0x75c
[ 113.392802][ T9963]  ? add_taint.cold+0x16/0x16
[ 113.397473][ T9963]  ? l2cap_sock_release+0x24c/0x290
[ 113.402860][ T9963]  ? preempt_schedule+0x4b/0x60
[ 113.407698][ T9963]  ? ___preempt_schedule+0x16/0x18
[ 113.412826][ T9963]  ? trace_hardirqs_on+0x5e/0x240
[ 113.417853][ T9963]  ? l2cap_sock_release+0x24c/0x290
[ 113.423246][ T9963]  end_report+0x47/0x4f
[ 113.427439][ T9963]  ? l2cap_sock_release+0x24c/0x290
[ 113.432645][ T9963]  __kasan_report.cold+0xe/0x32
[ 113.437500][ T9963]  ? l2cap_sock_release+0x24c/0x290
[ 113.442755][ T9963]  kasan_report+0x12/0x20
[ 113.447100][ T9963]  __asan_report_load8_noabort+0x14/0x20
[ 113.452790][ T9963]  l2cap_sock_release+0x24c/0x290
[ 113.458077][ T9963]  __sock_release+0xce/0x280
[ 113.462683][ T9963]  sock_close+0x1e/0x30
[ 113.466828][ T9963]  __fput+0x2ff/0x890
[ 113.470819][ T9963]  ? __sock_release+0x280/0x280
[ 113.475669][ T9963]  ____fput+0x16/0x20
[ 113.479656][ T9963]  task_work_run+0x145/0x1c0
[ 113.484261][ T9963]  exit_to_usermode_loop+0x316/0x380
[ 113.489665][ T9963]  do_syscall_64+0x676/0x790
[ 113.494246][ T9963]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 113.500172][ T9963] RIP: 0033:0x4afb40
[ 113.504063][ T9963] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 113.523795][ T9963] RSP: 002b:000000c0001e5540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 113.532206][ T9963] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40
[ 113.540175][ T9963] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 113.548141][ T9963] RBP: 000000c0001e5580 R08: 0000000000000000 R09: 0000000000000000
[ 113.556108][ T9963] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc
[ 113.564207][ T9963] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200
[ 113.573714][ T9963] Kernel Offset: disabled
[ 113.578062][ T9963] Rebooting in 86400 seconds..