Warning: Permanently added '10.128.0.209' (ECDSA) to the list of known hosts.
2020/02/03 03:43:59 fuzzer started
2020/02/03 03:44:01 connecting to host at 10.128.0.26:34317
2020/02/03 03:44:01 checking machine...
2020/02/03 03:44:01 checking revisions...
2020/02/03 03:44:01 testing simple program...
syzkaller login: [ 102.286518][ T9846] IPVS: ftp: loaded support on port[0] = 21
2020/02/03 03:44:01 building call list...
[ 102.672878][ T21] tipc: TX() has been purged, node left!
[ 103.895038][ T9828] can: request_module (can-proto-0) failed.
executing program
[ 105.715995][ T9828] can: request_module (can-proto-0) failed.
[ 105.728631][ T9828] can: request_module (can-proto-0) failed.
[ 106.289871][ T9828] ==================================================================
[ 106.298670][ T9828] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290
[ 106.306355][ T9828] Read of size 8 at addr ffff88809a0d34a0 by task syz-fuzzer/9828
[ 106.314560][ T9828]
[ 106.316896][ T9828] CPU: 0 PID: 9828 Comm: syz-fuzzer Not tainted 5.5.0-next-20200203-syzkaller #0
[ 106.326001][ T9828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 106.336262][ T9828] Call Trace:
[ 106.339559][ T9828] dump_stack+0x197/0x210
[ 106.343905][ T9828] ? l2cap_sock_release+0x24c/0x290
[ 106.349143][ T9828] print_address_description.constprop.0.cold+0xd4/0x30b
[ 106.356290][ T9828] ? l2cap_sock_release+0x24c/0x290
[ 106.361502][ T9828] ? l2cap_sock_release+0x24c/0x290
[ 106.366913][ T9828] __kasan_report.cold+0x1b/0x32
[ 106.371982][ T9828] ? l2cap_sock_release+0x24c/0x290
[ 106.377902][ T9828] kasan_report+0x12/0x20
[ 106.382246][ T9828] __asan_report_load8_noabort+0x14/0x20
[ 106.387994][ T9828] l2cap_sock_release+0x24c/0x290
[ 106.393030][ T9828] __sock_release+0xce/0x280
[ 106.397879][ T9828] sock_close+0x1e/0x30
[ 106.402128][ T9828] __fput+0x2ff/0x890
[ 106.406128][ T9828] ? __sock_release+0x280/0x280
[ 106.410999][ T9828] ____fput+0x16/0x20
[ 106.415224][ T9828] task_work_run+0x145/0x1c0
[ 106.419842][ T9828] exit_to_usermode_loop+0x316/0x380
[ 106.425205][ T9828] do_syscall_64+0x676/0x790
[ 106.429817][ T9828] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.435827][ T9828] RIP: 0033:0x4afb40
[ 106.439720][ T9828] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 106.459558][ T9828] RSP: 002b:000000c0001ad540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 106.468026][ T9828] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40
[ 106.476146][ T9828] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 106.484336][ T9828] RBP: 000000c0001ad580 R08: 0000000000000000 R09: 0000000000000000
[ 106.492420][ T9828] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc
[ 106.500522][ T9828] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200
[ 106.508514][ T9828]
[ 106.510834][ T9828] Allocated by task 9828:
[ 106.515151][ T9828] save_stack+0x23/0x90
[ 106.519464][ T9828] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 106.525094][ T9828] kasan_kmalloc+0x9/0x10
[ 106.529458][ T9828] __kmalloc+0x163/0x770
[ 106.533696][ T9828] sk_prot_alloc+0x23a/0x310
[ 106.538505][ T9828] sk_alloc+0x39/0xfd0
[ 106.542571][ T9828] l2cap_sock_alloc.constprop.0+0x37/0x230
[ 106.548395][ T9828] l2cap_sock_create+0x11e/0x1c0
[ 106.553379][ T9828] bt_sock_create+0x16a/0x2d0
[ 106.558267][ T9828] __sock_create+0x3ce/0x730
[ 106.562846][ T9828] __sys_socket+0x103/0x220
[ 106.567349][ T9828] __x64_sys_socket+0x73/0xb0
[ 106.572130][ T9828] do_syscall_64+0xfa/0x790
[ 106.576637][ T9828] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.582693][ T9828]
[ 106.585222][ T9828] Freed by task 9828:
[ 106.589199][ T9828] save_stack+0x23/0x90
[ 106.593385][ T9828] __kasan_slab_free+0x102/0x150
[ 106.598320][ T9828] kasan_slab_free+0xe/0x10
[ 106.602813][ T9828] kfree+0x10a/0x2c0
[ 106.606704][ T9828] __sk_destruct+0x5d8/0x7f0
[ 106.611280][ T9828] sk_destruct+0xd5/0x110
[ 106.615841][ T9828] __sk_free+0xfb/0x3f0
[ 106.619982][ T9828] sk_free+0x83/0xb0
[ 106.623866][ T9828] l2cap_sock_kill+0x160/0x190
[ 106.628609][ T9828] l2cap_sock_release+0x1c3/0x290
[ 106.633729][ T9828] __sock_release+0xce/0x280
[ 106.638325][ T9828] sock_close+0x1e/0x30
[ 106.642472][ T9828] __fput+0x2ff/0x890
[ 106.646502][ T9828] ____fput+0x16/0x20
[ 106.650474][ T9828] task_work_run+0x145/0x1c0
[ 106.655182][ T9828] exit_to_usermode_loop+0x316/0x380
[ 106.660564][ T9828] do_syscall_64+0x676/0x790
[ 106.665314][ T9828] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.671307][ T9828]
[ 106.673632][ T9828] The buggy address belongs to the object at ffff88809a0d3000
[ 106.673632][ T9828] which belongs to the cache kmalloc-2k of size 2048
[ 106.688096][ T9828] The buggy address is located 1184 bytes inside of
[ 106.688096][ T9828] 2048-byte region [ffff88809a0d3000, ffff88809a0d3800)
[ 106.701531][ T9828] The buggy address belongs to the page:
[ 106.707155][ T9828] page:ffffea00026834c0 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 106.716257][ T9828] flags: 0xfffe0000000200(slab)
[ 106.721171][ T9828] raw: 00fffe0000000200 ffffea0002a69948 ffffea000214acc8 ffff8880aa400e00
[ 106.729805][ T9828] raw: 0000000000000000 ffff88809a0d3000 0000000100000001 0000000000000000
[ 106.738393][ T9828] page dumped because: kasan: bad access detected
[ 106.744798][ T9828]
[ 106.747114][ T9828] Memory state around the buggy address:
[ 106.752918][ T9828] ffff88809a0d3380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.761330][ T9828] ffff88809a0d3400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.769478][ T9828] >ffff88809a0d3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.777594][ T9828] ^
[ 106.782766][ T9828] ffff88809a0d3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.791034][ T9828] ffff88809a0d3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 106.799089][ T9828] ==================================================================
[ 106.807145][ T9828] Disabling lock debugging due to kernel taint
[ 106.814076][ T9828] Kernel panic - not syncing: panic_on_warn set ...
[ 106.820830][ T9828] CPU: 0 PID: 9828 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200203-syzkaller #0
[ 106.831311][ T9828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 106.841481][ T9828] Call Trace:
[ 106.844894][ T9828] dump_stack+0x197/0x210
[ 106.849228][ T9828] panic+0x2e3/0x75c
[ 106.853222][ T9828] ? add_taint.cold+0x16/0x16
[ 106.858027][ T9828] ? l2cap_sock_release+0x24c/0x290
[ 106.863222][ T9828] ? preempt_schedule+0x4b/0x60
[ 106.868151][ T9828] ? ___preempt_schedule+0x16/0x18
[ 106.873315][ T9828] ? trace_hardirqs_on+0x5e/0x240
[ 106.878330][ T9828] ? l2cap_sock_release+0x24c/0x290
[ 106.883531][ T9828] end_report+0x47/0x4f
[ 106.887720][ T9828] ? l2cap_sock_release+0x24c/0x290
[ 106.892917][ T9828] __kasan_report.cold+0xe/0x32
[ 106.897778][ T9828] ? l2cap_sock_release+0x24c/0x290
[ 106.903212][ T9828] kasan_report+0x12/0x20
[ 106.907531][ T9828] __asan_report_load8_noabort+0x14/0x20
[ 106.913175][ T9828] l2cap_sock_release+0x24c/0x290
[ 106.918258][ T9828] __sock_release+0xce/0x280
[ 106.922846][ T9828] sock_close+0x1e/0x30
[ 106.926985][ T9828] __fput+0x2ff/0x890
[ 106.930970][ T9828] ? __sock_release+0x280/0x280
[ 106.935921][ T9828] ____fput+0x16/0x20
[ 106.939982][ T9828] task_work_run+0x145/0x1c0
[ 106.944584][ T9828] exit_to_usermode_loop+0x316/0x380
[ 106.950006][ T9828] do_syscall_64+0x676/0x790
[ 106.954598][ T9828] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 106.960477][ T9828] RIP: 0033:0x4afb40
[ 106.964433][ T9828] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 106.984133][ T9828] RSP: 002b:000000c0001ad540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 106.992543][ T9828] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40
[ 107.000522][ T9828] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 107.008589][ T9828] RBP: 000000c0001ad580 R08: 0000000000000000 R09: 0000000000000000
[ 107.016670][ T9828] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc
[ 107.024638][ T9828] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200
[ 107.034297][ T9828] Kernel Offset: disabled
[ 107.038805][ T9828] Rebooting in 86400 seconds..