[ 85.712884][ T27] audit: type=1800 audit(1580910430.192:25): pid=9857 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 86.848347][ T27] kauditd_printk_skb: 3 callbacks suppressed [ 86.848359][ T27] audit: type=1800 audit(1580910431.332:29): pid=9857 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 86.876205][ T27] audit: type=1800 audit(1580910431.332:30): pid=9857 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.174' (ECDSA) to the list of known hosts. 2020/02/05 13:47:18 fuzzer started 2020/02/05 13:47:20 connecting to host at 10.128.0.26:36721 2020/02/05 13:47:20 checking machine... 2020/02/05 13:47:20 checking revisions... 2020/02/05 13:47:20 testing simple program... syzkaller login: [ 95.983132][T10025] IPVS: ftp: loaded support on port[0] = 21 2020/02/05 13:47:20 building call list... [ 96.354014][ T185] tipc: TX() has been purged, node left! [ 97.679047][T10009] can: request_module (can-proto-0) failed. executing program [ 99.557712][T10009] can: request_module (can-proto-0) failed. [ 99.570588][T10009] can: request_module (can-proto-0) failed. [ 100.121431][T10009] ================================================================== [ 100.129989][T10009] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 [ 100.137721][T10009] Read of size 8 at addr ffff88809eaa34a0 by task syz-fuzzer/10009 [ 100.145604][T10009] [ 100.148004][T10009] CPU: 0 PID: 10009 Comm: syz-fuzzer Not tainted 5.5.0-next-20200205-syzkaller #0 [ 100.157188][T10009] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 100.167295][T10009] Call Trace: [ 100.170790][T10009] dump_stack+0x197/0x210 [ 100.175123][T10009] ? l2cap_sock_release+0x24c/0x290 [ 100.180324][T10009] print_address_description.constprop.0.cold+0xd4/0x30b [ 100.187458][T10009] ? l2cap_sock_release+0x24c/0x290 [ 100.193000][T10009] ? l2cap_sock_release+0x24c/0x290 [ 100.198280][T10009] __kasan_report.cold+0x1b/0x32 [ 100.203225][T10009] ? l2cap_sock_release+0x24c/0x290 [ 100.208430][T10009] kasan_report+0x12/0x20 [ 100.212767][T10009] __asan_report_load8_noabort+0x14/0x20 [ 100.219012][T10009] l2cap_sock_release+0x24c/0x290 [ 100.224121][T10009] __sock_release+0xce/0x280 [ 100.228706][T10009] sock_close+0x1e/0x30 [ 100.232850][T10009] __fput+0x2ff/0x890 [ 100.236970][T10009] ? __sock_release+0x280/0x280 [ 100.241876][T10009] ____fput+0x16/0x20 [ 100.245864][T10009] task_work_run+0x145/0x1c0 [ 100.250524][T10009] exit_to_usermode_loop+0x316/0x380 [ 100.256191][T10009] do_syscall_64+0x676/0x790 [ 100.260794][T10009] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 100.266712][T10009] RIP: 0033:0x4afb40 [ 100.270594][T10009] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 100.290207][T10009] RSP: 002b:000000c0001ed540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 100.298741][T10009] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40 [ 100.306720][T10009] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 100.314709][T10009] RBP: 000000c0001ed580 R08: 0000000000000000 R09: 0000000000000000 [ 100.322698][T10009] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc [ 100.330664][T10009] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200 [ 100.338647][T10009] [ 100.340964][T10009] Allocated by task 10009: [ 100.345395][T10009] save_stack+0x23/0x90 [ 100.349559][T10009] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 100.356317][T10009] kasan_kmalloc+0x9/0x10 [ 100.360642][T10009] __kmalloc+0x163/0x770 [ 100.364986][T10009] sk_prot_alloc+0x23a/0x310 [ 100.369564][T10009] sk_alloc+0x39/0xfd0 [ 100.373727][T10009] l2cap_sock_alloc.constprop.0+0x37/0x230 [ 100.379521][T10009] l2cap_sock_create+0x11e/0x1c0 [ 100.384561][T10009] bt_sock_create+0x16a/0x2d0 [ 100.389234][T10009] __sock_create+0x3ce/0x730 [ 100.393839][T10009] __sys_socket+0x103/0x220 [ 100.398393][T10009] __x64_sys_socket+0x73/0xb0 [ 100.403081][T10009] do_syscall_64+0xfa/0x790 [ 100.407669][T10009] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 100.413654][T10009] [ 100.415976][T10009] Freed by task 10009: [ 100.420056][T10009] save_stack+0x23/0x90 [ 100.424215][T10009] __kasan_slab_free+0x102/0x150 [ 100.429140][T10009] kasan_slab_free+0xe/0x10 [ 100.433692][T10009] kfree+0x10a/0x2c0 [ 100.437970][T10009] __sk_destruct+0x5d8/0x7f0 [ 100.442547][T10009] sk_destruct+0xd5/0x110 [ 100.446978][T10009] __sk_free+0xfb/0x3f0 [ 100.451139][T10009] sk_free+0x83/0xb0 [ 100.455030][T10009] l2cap_sock_kill+0x160/0x190 [ 100.459811][T10009] l2cap_sock_release+0x1c3/0x290 [ 100.464899][T10009] __sock_release+0xce/0x280 [ 100.469497][T10009] sock_close+0x1e/0x30 [ 100.473642][T10009] __fput+0x2ff/0x890 [ 100.477747][T10009] ____fput+0x16/0x20 [ 100.481728][T10009] task_work_run+0x145/0x1c0 [ 100.486336][T10009] exit_to_usermode_loop+0x316/0x380 [ 100.491624][T10009] do_syscall_64+0x676/0x790 [ 100.496452][T10009] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 100.502457][T10009] [ 100.504780][T10009] The buggy address belongs to the object at ffff88809eaa3000 [ 100.504780][T10009] which belongs to the cache kmalloc-2k of size 2048 [ 100.519166][T10009] The buggy address is located 1184 bytes inside of [ 100.519166][T10009] 2048-byte region [ffff88809eaa3000, ffff88809eaa3800) [ 100.532926][T10009] The buggy address belongs to the page: [ 100.539038][T10009] page:ffffea00027aa8c0 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 [ 100.548297][T10009] flags: 0xfffe0000000200(slab) [ 100.553284][T10009] raw: 00fffe0000000200 ffffea00028121c8 ffffea00025315c8 ffff8880aa400e00 [ 100.562128][T10009] raw: 0000000000000000 ffff88809eaa3000 0000000100000001 0000000000000000 [ 100.572328][T10009] page dumped because: kasan: bad access detected [ 100.578734][T10009] [ 100.581046][T10009] Memory state around the buggy address: [ 100.586769][T10009] ffff88809eaa3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 100.594992][T10009] ffff88809eaa3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 100.603045][T10009] >ffff88809eaa3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 100.611095][T10009] ^ [ 100.616258][T10009] ffff88809eaa3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 100.624502][T10009] ffff88809eaa3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 100.632560][T10009] ================================================================== [ 100.640693][T10009] Disabling lock debugging due to kernel taint [ 100.647358][T10009] Kernel panic - not syncing: panic_on_warn set ... [ 100.654162][T10009] CPU: 0 PID: 10009 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200205-syzkaller #0 [ 100.664758][T10009] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 100.674809][T10009] Call Trace: [ 100.678103][T10009] dump_stack+0x197/0x210 [ 100.682433][T10009] panic+0x2e3/0x75c [ 100.686320][T10009] ? add_taint.cold+0x16/0x16 [ 100.691014][T10009] ? l2cap_sock_release+0x24c/0x290 [ 100.696227][T10009] ? preempt_schedule+0x4b/0x60 [ 100.701076][T10009] ? ___preempt_schedule+0x16/0x18 [ 100.706275][T10009] ? trace_hardirqs_on+0x5e/0x240 [ 100.711376][T10009] ? l2cap_sock_release+0x24c/0x290 [ 100.716848][T10009] end_report+0x47/0x4f [ 100.720990][T10009] ? l2cap_sock_release+0x24c/0x290 [ 100.726240][T10009] __kasan_report.cold+0xe/0x32 [ 100.731089][T10009] ? l2cap_sock_release+0x24c/0x290 [ 100.736294][T10009] kasan_report+0x12/0x20 [ 100.740621][T10009] __asan_report_load8_noabort+0x14/0x20 [ 100.746340][T10009] l2cap_sock_release+0x24c/0x290 [ 100.751383][T10009] __sock_release+0xce/0x280 [ 100.756063][T10009] sock_close+0x1e/0x30 [ 100.760329][T10009] __fput+0x2ff/0x890 [ 100.764342][T10009] ? __sock_release+0x280/0x280 [ 100.769183][T10009] ____fput+0x16/0x20 [ 100.773164][T10009] task_work_run+0x145/0x1c0 [ 100.777779][T10009] exit_to_usermode_loop+0x316/0x380 [ 100.783076][T10009] do_syscall_64+0x676/0x790 [ 100.787669][T10009] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 100.793688][T10009] RIP: 0033:0x4afb40 [ 100.797617][T10009] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 100.817292][T10009] RSP: 002b:000000c0001ed540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 100.825703][T10009] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40 [ 100.833667][T10009] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 100.841627][T10009] RBP: 000000c0001ed580 R08: 0000000000000000 R09: 0000000000000000 [ 100.849588][T10009] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc [ 100.857551][T10009] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200 [ 100.867452][T10009] Kernel Offset: disabled [ 100.871808][T10009] Rebooting in 86400 seconds..