[ 83.696392][ T27] audit: type=1800 audit(1580910417.788:26): pid=9669 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 84.563850][ T27] kauditd_printk_skb: 2 callbacks suppressed [ 84.563862][ T27] audit: type=1800 audit(1580910418.668:29): pid=9669 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 84.590897][ T27] audit: type=1800 audit(1580910418.668:30): pid=9669 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.16' (ECDSA) to the list of known hosts. 2020/02/05 13:47:08 fuzzer started 2020/02/05 13:47:10 connecting to host at 10.128.0.26:32999 2020/02/05 13:47:10 checking machine... 2020/02/05 13:47:10 checking revisions... 2020/02/05 13:47:10 testing simple program... syzkaller login: [ 96.545122][ T9839] IPVS: ftp: loaded support on port[0] = 21 2020/02/05 13:47:10 building call list... [ 96.945286][ T220] tipc: TX() has been purged, node left! [ 98.167814][ T9835] can: request_module (can-proto-0) failed. executing program [ 100.129252][ T9835] can: request_module (can-proto-0) failed. [ 100.141342][ T9835] can: request_module (can-proto-0) failed. [ 100.661796][ T9835] ================================================================== [ 100.670096][ T9835] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 [ 100.677910][ T9835] Read of size 8 at addr ffff888091a854a0 by task syz-fuzzer/9835 [ 100.685709][ T9835] [ 100.688028][ T9835] CPU: 1 PID: 9835 Comm: syz-fuzzer Not tainted 5.5.0-next-20200205-syzkaller #0 [ 100.697137][ T9835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 100.707972][ T9835] Call Trace: [ 100.711269][ T9835] dump_stack+0x197/0x210 [ 100.715606][ T9835] ? l2cap_sock_release+0x24c/0x290 [ 100.720812][ T9835] print_address_description.constprop.0.cold+0xd4/0x30b [ 100.727838][ T9835] ? l2cap_sock_release+0x24c/0x290 [ 100.733248][ T9835] ? l2cap_sock_release+0x24c/0x290 [ 100.738596][ T9835] __kasan_report.cold+0x1b/0x32 [ 100.743663][ T9835] ? l2cap_sock_release+0x24c/0x290 [ 100.749469][ T9835] kasan_report+0x12/0x20 [ 100.754174][ T9835] __asan_report_load8_noabort+0x14/0x20 [ 100.760311][ T9835] l2cap_sock_release+0x24c/0x290 [ 100.765515][ T9835] __sock_release+0xce/0x280 [ 100.770127][ T9835] sock_close+0x1e/0x30 [ 100.774307][ T9835] __fput+0x2ff/0x890 [ 100.778301][ T9835] ? __sock_release+0x280/0x280 [ 100.783218][ T9835] ____fput+0x16/0x20 [ 100.787432][ T9835] task_work_run+0x145/0x1c0 [ 100.792035][ T9835] exit_to_usermode_loop+0x316/0x380 [ 100.797356][ T9835] do_syscall_64+0x676/0x790 [ 100.801994][ T9835] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 100.808035][ T9835] RIP: 0033:0x4afb40 [ 100.812208][ T9835] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 100.832048][ T9835] RSP: 002b:000000c000079540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 100.840931][ T9835] RAX: 0000000000000000 RBX: 000000c00002e500 RCX: 00000000004afb40 [ 100.848922][ T9835] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 100.857275][ T9835] RBP: 000000c000079580 R08: 0000000000000000 R09: 0000000000000000 [ 100.865242][ T9835] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cd [ 100.873228][ T9835] R13: 00000000000000cc R14: 0000000000000200 R15: 0000000000000200 [ 100.881303][ T9835] [ 100.883622][ T9835] Allocated by task 9835: [ 100.887993][ T9835] save_stack+0x23/0x90 [ 100.892160][ T9835] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 100.897798][ T9835] kasan_kmalloc+0x9/0x10 [ 100.902150][ T9835] __kmalloc+0x163/0x770 [ 100.906407][ T9835] sk_prot_alloc+0x23a/0x310 [ 100.911566][ T9835] sk_alloc+0x39/0xfd0 [ 100.915655][ T9835] l2cap_sock_alloc.constprop.0+0x37/0x230 [ 100.921824][ T9835] l2cap_sock_create+0x11e/0x1c0 [ 100.926750][ T9835] bt_sock_create+0x16a/0x2d0 [ 100.931433][ T9835] __sock_create+0x3ce/0x730 [ 100.936161][ T9835] __sys_socket+0x103/0x220 [ 100.940858][ T9835] __x64_sys_socket+0x73/0xb0 [ 100.945793][ T9835] do_syscall_64+0xfa/0x790 [ 100.950298][ T9835] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 100.956206][ T9835] [ 100.958564][ T9835] Freed by task 9835: [ 100.962540][ T9835] save_stack+0x23/0x90 [ 100.966815][ T9835] __kasan_slab_free+0x102/0x150 [ 100.971749][ T9835] kasan_slab_free+0xe/0x10 [ 100.976267][ T9835] kfree+0x10a/0x2c0 [ 100.980156][ T9835] __sk_destruct+0x5d8/0x7f0 [ 100.984849][ T9835] sk_destruct+0xd5/0x110 [ 100.989184][ T9835] __sk_free+0xfb/0x3f0 [ 100.993620][ T9835] sk_free+0x83/0xb0 [ 100.997727][ T9835] l2cap_sock_kill+0x160/0x190 [ 101.003120][ T9835] l2cap_sock_release+0x1c3/0x290 [ 101.010557][ T9835] __sock_release+0xce/0x280 [ 101.015412][ T9835] sock_close+0x1e/0x30 [ 101.019861][ T9835] __fput+0x2ff/0x890 [ 101.023884][ T9835] ____fput+0x16/0x20 [ 101.028133][ T9835] task_work_run+0x145/0x1c0 [ 101.032729][ T9835] exit_to_usermode_loop+0x316/0x380 [ 101.038325][ T9835] do_syscall_64+0x676/0x790 [ 101.043113][ T9835] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 101.049112][ T9835] [ 101.051837][ T9835] The buggy address belongs to the object at ffff888091a85000 [ 101.051837][ T9835] which belongs to the cache kmalloc-2k of size 2048 [ 101.066276][ T9835] The buggy address is located 1184 bytes inside of [ 101.066276][ T9835] 2048-byte region [ffff888091a85000, ffff888091a85800) [ 101.080465][ T9835] The buggy address belongs to the page: [ 101.086377][ T9835] page:ffffea000246a140 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 [ 101.095627][ T9835] flags: 0xfffe0000000200(slab) [ 101.101426][ T9835] raw: 00fffe0000000200 ffffea0002882988 ffffea0002578e08 ffff8880aa400e00 [ 101.110637][ T9835] raw: 0000000000000000 ffff888091a85000 0000000100000001 0000000000000000 [ 101.120224][ T9835] page dumped because: kasan: bad access detected [ 101.128838][ T9835] [ 101.131663][ T9835] Memory state around the buggy address: [ 101.137392][ T9835] ffff888091a85380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.146144][ T9835] ffff888091a85400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.154238][ T9835] >ffff888091a85480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.162418][ T9835] ^ [ 101.167744][ T9835] ffff888091a85500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.175791][ T9835] ffff888091a85580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 101.184328][ T9835] ================================================================== [ 101.192469][ T9835] Disabling lock debugging due to kernel taint [ 101.199537][ T9835] Kernel panic - not syncing: panic_on_warn set ... [ 101.206235][ T9835] CPU: 1 PID: 9835 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200205-syzkaller #0 [ 101.217295][ T9835] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 101.227431][ T9835] Call Trace: [ 101.230758][ T9835] dump_stack+0x197/0x210 [ 101.235203][ T9835] panic+0x2e3/0x75c [ 101.239329][ T9835] ? add_taint.cold+0x16/0x16 [ 101.244422][ T9835] ? l2cap_sock_release+0x24c/0x290 [ 101.249957][ T9835] ? preempt_schedule+0x4b/0x60 [ 101.255036][ T9835] ? ___preempt_schedule+0x16/0x18 [ 101.260162][ T9835] ? trace_hardirqs_on+0x5e/0x240 [ 101.265280][ T9835] ? l2cap_sock_release+0x24c/0x290 [ 101.270690][ T9835] end_report+0x47/0x4f [ 101.275563][ T9835] ? l2cap_sock_release+0x24c/0x290 [ 101.281281][ T9835] __kasan_report.cold+0xe/0x32 [ 101.286155][ T9835] ? l2cap_sock_release+0x24c/0x290 [ 101.291460][ T9835] kasan_report+0x12/0x20 [ 101.296717][ T9835] __asan_report_load8_noabort+0x14/0x20 [ 101.302853][ T9835] l2cap_sock_release+0x24c/0x290 [ 101.308610][ T9835] __sock_release+0xce/0x280 [ 101.314162][ T9835] sock_close+0x1e/0x30 [ 101.319095][ T9835] __fput+0x2ff/0x890 [ 101.323362][ T9835] ? __sock_release+0x280/0x280 [ 101.328561][ T9835] ____fput+0x16/0x20 [ 101.333026][ T9835] task_work_run+0x145/0x1c0 [ 101.337798][ T9835] exit_to_usermode_loop+0x316/0x380 [ 101.343217][ T9835] do_syscall_64+0x676/0x790 [ 101.347804][ T9835] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 101.353689][ T9835] RIP: 0033:0x4afb40 [ 101.357673][ T9835] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 101.378112][ T9835] RSP: 002b:000000c000079540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 101.387180][ T9835] RAX: 0000000000000000 RBX: 000000c00002e500 RCX: 00000000004afb40 [ 101.395199][ T9835] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 101.403532][ T9835] RBP: 000000c000079580 R08: 0000000000000000 R09: 0000000000000000 [ 101.411517][ T9835] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cd [ 101.419639][ T9835] R13: 00000000000000cc R14: 0000000000000200 R15: 0000000000000200 [ 101.430592][ T9835] Kernel Offset: disabled [ 101.435272][ T9835] Rebooting in 86400 seconds..