[ 72.170347][ T27] audit: type=1800 audit(1580910407.177:26): pid=9956 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 73.237901][ T27] kauditd_printk_skb: 2 callbacks suppressed [ 73.237916][ T27] audit: type=1800 audit(1580910408.267:29): pid=9956 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 73.267949][ T27] audit: type=1800 audit(1580910408.297:30): pid=9956 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.3' (ECDSA) to the list of known hosts. 2020/02/05 13:46:55 fuzzer started 2020/02/05 13:46:57 connecting to host at 10.128.0.26:38699 2020/02/05 13:46:57 checking machine... 2020/02/05 13:46:57 checking revisions... 2020/02/05 13:46:57 testing simple program... syzkaller login: [ 82.350959][T10123] IPVS: ftp: loaded support on port[0] = 21 2020/02/05 13:46:57 building call list... [ 82.706386][ T88] tipc: TX() has been purged, node left! [ 84.050302][T10112] can: request_module (can-proto-0) failed. executing program [ 85.792253][T10112] can: request_module (can-proto-0) failed. [ 85.805694][T10112] can: request_module (can-proto-0) failed. [ 86.335582][T10112] ================================================================== [ 86.346602][T10112] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 [ 86.354937][T10112] Read of size 8 at addr ffff8880a9a744a0 by task syz-fuzzer/10112 [ 86.363480][T10112] [ 86.366409][T10112] CPU: 1 PID: 10112 Comm: syz-fuzzer Not tainted 5.5.0-next-20200205-syzkaller #0 [ 86.377218][T10112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 86.387922][T10112] Call Trace: [ 86.392051][T10112] dump_stack+0x197/0x210 [ 86.396707][T10112] ? l2cap_sock_release+0x24c/0x290 [ 86.402197][T10112] print_address_description.constprop.0.cold+0xd4/0x30b [ 86.410074][T10112] ? l2cap_sock_release+0x24c/0x290 [ 86.415834][T10112] ? l2cap_sock_release+0x24c/0x290 [ 86.421797][T10112] __kasan_report.cold+0x1b/0x32 [ 86.427376][T10112] ? l2cap_sock_release+0x24c/0x290 [ 86.432883][T10112] kasan_report+0x12/0x20 [ 86.437592][T10112] __asan_report_load8_noabort+0x14/0x20 [ 86.443580][T10112] l2cap_sock_release+0x24c/0x290 [ 86.448858][T10112] __sock_release+0xce/0x280 [ 86.454185][T10112] sock_close+0x1e/0x30 [ 86.459367][T10112] __fput+0x2ff/0x890 [ 86.464364][T10112] ? __sock_release+0x280/0x280 [ 86.469445][T10112] ____fput+0x16/0x20 [ 86.474817][T10112] task_work_run+0x145/0x1c0 [ 86.479950][T10112] exit_to_usermode_loop+0x316/0x380 [ 86.485997][T10112] do_syscall_64+0x676/0x790 [ 86.491241][T10112] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 86.497860][T10112] RIP: 0033:0x4afb40 [ 86.502084][T10112] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 86.523224][T10112] RSP: 002b:000000c0001ed540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 86.531974][T10112] RAX: 0000000000000000 RBX: 000000c00002e500 RCX: 00000000004afb40 [ 86.540119][T10112] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 86.548569][T10112] RBP: 000000c0001ed580 R08: 0000000000000000 R09: 0000000000000000 [ 86.557269][T10112] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc [ 86.565787][T10112] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200 [ 86.574511][T10112] [ 86.577082][T10112] Allocated by task 10112: [ 86.582084][T10112] save_stack+0x23/0x90 [ 86.586784][T10112] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 86.592895][T10112] kasan_kmalloc+0x9/0x10 [ 86.598249][T10112] __kmalloc+0x163/0x770 [ 86.602642][T10112] sk_prot_alloc+0x23a/0x310 [ 86.607707][T10112] sk_alloc+0x39/0xfd0 [ 86.612174][T10112] l2cap_sock_alloc.constprop.0+0x37/0x230 [ 86.618337][T10112] l2cap_sock_create+0x11e/0x1c0 [ 86.623687][T10112] bt_sock_create+0x16a/0x2d0 [ 86.628845][T10112] __sock_create+0x3ce/0x730 [ 86.633585][T10112] __sys_socket+0x103/0x220 [ 86.638471][T10112] __x64_sys_socket+0x73/0xb0 [ 86.643645][T10112] do_syscall_64+0xfa/0x790 [ 86.648668][T10112] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 86.654569][T10112] [ 86.656903][T10112] Freed by task 10112: [ 86.661385][T10112] save_stack+0x23/0x90 [ 86.665669][T10112] __kasan_slab_free+0x102/0x150 [ 86.671116][T10112] kasan_slab_free+0xe/0x10 [ 86.675900][T10112] kfree+0x10a/0x2c0 [ 86.679817][T10112] __sk_destruct+0x5d8/0x7f0 [ 86.684605][T10112] sk_destruct+0xd5/0x110 [ 86.689461][T10112] __sk_free+0xfb/0x3f0 [ 86.693641][T10112] sk_free+0x83/0xb0 [ 86.698018][T10112] l2cap_sock_kill+0x160/0x190 [ 86.703009][T10112] l2cap_sock_release+0x1c3/0x290 [ 86.708344][T10112] __sock_release+0xce/0x280 [ 86.713398][T10112] sock_close+0x1e/0x30 [ 86.717802][T10112] __fput+0x2ff/0x890 [ 86.722078][T10112] ____fput+0x16/0x20 [ 86.726471][T10112] task_work_run+0x145/0x1c0 [ 86.731300][T10112] exit_to_usermode_loop+0x316/0x380 [ 86.736845][T10112] do_syscall_64+0x676/0x790 [ 86.741863][T10112] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 86.747892][T10112] [ 86.750298][T10112] The buggy address belongs to the object at ffff8880a9a74000 [ 86.750298][T10112] which belongs to the cache kmalloc-2k of size 2048 [ 86.765274][T10112] The buggy address is located 1184 bytes inside of [ 86.765274][T10112] 2048-byte region [ffff8880a9a74000, ffff8880a9a74800) [ 86.779655][T10112] The buggy address belongs to the page: [ 86.785595][T10112] page:ffffea0002a69d00 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 [ 86.795105][T10112] flags: 0xfffe0000000200(slab) [ 86.800061][T10112] raw: 00fffe0000000200 ffffea0002a69cc8 ffffea0002a69dc8 ffff8880aa400e00 [ 86.808810][T10112] raw: 0000000000000000 ffff8880a9a74000 0000000100000001 0000000000000000 [ 86.817665][T10112] page dumped because: kasan: bad access detected [ 86.824754][T10112] [ 86.827440][T10112] Memory state around the buggy address: [ 86.833285][T10112] ffff8880a9a74380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.842098][T10112] ffff8880a9a74400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.851248][T10112] >ffff8880a9a74480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.859872][T10112] ^ [ 86.865539][T10112] ffff8880a9a74500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.874221][T10112] ffff8880a9a74580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 86.883059][T10112] ================================================================== [ 86.891352][T10112] Disabling lock debugging due to kernel taint [ 86.898272][T10112] Kernel panic - not syncing: panic_on_warn set ... [ 86.905035][T10112] CPU: 1 PID: 10112 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200205-syzkaller #0 [ 86.916353][T10112] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 86.927320][T10112] Call Trace: [ 86.931012][T10112] dump_stack+0x197/0x210 [ 86.935549][T10112] panic+0x2e3/0x75c [ 86.939677][T10112] ? add_taint.cold+0x16/0x16 [ 86.944422][T10112] ? l2cap_sock_release+0x24c/0x290 [ 86.949625][T10112] ? preempt_schedule+0x4b/0x60 [ 86.954815][T10112] ? ___preempt_schedule+0x16/0x18 [ 86.960189][T10112] ? trace_hardirqs_on+0x5e/0x240 [ 86.965504][T10112] ? l2cap_sock_release+0x24c/0x290 [ 86.970718][T10112] end_report+0x47/0x4f [ 86.975048][T10112] ? l2cap_sock_release+0x24c/0x290 [ 86.980501][T10112] __kasan_report.cold+0xe/0x32 [ 86.985359][T10112] ? l2cap_sock_release+0x24c/0x290 [ 86.991117][T10112] kasan_report+0x12/0x20 [ 86.995638][T10112] __asan_report_load8_noabort+0x14/0x20 [ 87.001933][T10112] l2cap_sock_release+0x24c/0x290 [ 87.007083][T10112] __sock_release+0xce/0x280 [ 87.011857][T10112] sock_close+0x1e/0x30 [ 87.016029][T10112] __fput+0x2ff/0x890 [ 87.020800][T10112] ? __sock_release+0x280/0x280 [ 87.026106][T10112] ____fput+0x16/0x20 [ 87.030345][T10112] task_work_run+0x145/0x1c0 [ 87.035605][T10112] exit_to_usermode_loop+0x316/0x380 [ 87.041387][T10112] do_syscall_64+0x676/0x790 [ 87.046106][T10112] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 87.052742][T10112] RIP: 0033:0x4afb40 [ 87.056757][T10112] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 87.076809][T10112] RSP: 002b:000000c0001ed540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 87.085667][T10112] RAX: 0000000000000000 RBX: 000000c00002e500 RCX: 00000000004afb40 [ 87.094099][T10112] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 87.103961][T10112] RBP: 000000c0001ed580 R08: 0000000000000000 R09: 0000000000000000 [ 87.113158][T10112] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc [ 87.122419][T10112] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200 [ 87.134286][T10112] Kernel Offset: disabled [ 87.138886][T10112] Rebooting in 86400 seconds..