[ 88.607938][ T27] audit: type=1800 audit(1580869992.186:26): pid=9569 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. [ 89.357046][ T27] kauditd_printk_skb: 2 callbacks suppressed [ 89.357058][ T27] audit: type=1800 audit(1580869992.966:29): pid=9569 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rc.local" dev="sda1" ino=2432 res=0 [ 89.386393][ T27] audit: type=1800 audit(1580869992.966:30): pid=9569 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="rmnologin" dev="sda1" ino=2423 res=0 Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts. 2020/02/05 02:33:22 fuzzer started 2020/02/05 02:33:23 connecting to host at 10.128.0.26:36203 2020/02/05 02:33:23 checking machine... 2020/02/05 02:33:23 checking revisions... 2020/02/05 02:33:23 testing simple program... syzkaller login: [ 100.337604][ T9738] IPVS: ftp: loaded support on port[0] = 21 2020/02/05 02:33:24 building call list... [ 100.749007][ T130] tipc: TX() has been purged, node left! [ 102.012845][ T9743] can: request_module (can-proto-0) failed. executing program [ 103.933283][ T9743] can: request_module (can-proto-0) failed. [ 103.945781][ T9743] can: request_module (can-proto-0) failed. [ 104.446948][ T9743] ================================================================== [ 104.455217][ T9743] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 [ 104.462877][ T9743] Read of size 8 at addr ffff888091e774a0 by task syz-fuzzer/9743 [ 104.470797][ T9743] [ 104.473134][ T9743] CPU: 0 PID: 9743 Comm: syz-fuzzer Not tainted 5.5.0-next-20200205-syzkaller #0 [ 104.482225][ T9743] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 104.493080][ T9743] Call Trace: [ 104.496431][ T9743] dump_stack+0x197/0x210 [ 104.500825][ T9743] ? l2cap_sock_release+0x24c/0x290 [ 104.506166][ T9743] print_address_description.constprop.0.cold+0xd4/0x30b [ 104.513194][ T9743] ? l2cap_sock_release+0x24c/0x290 [ 104.518510][ T9743] ? l2cap_sock_release+0x24c/0x290 [ 104.523716][ T9743] __kasan_report.cold+0x1b/0x32 [ 104.528655][ T9743] ? l2cap_sock_release+0x24c/0x290 [ 104.533903][ T9743] kasan_report+0x12/0x20 [ 104.538259][ T9743] __asan_report_load8_noabort+0x14/0x20 [ 104.543895][ T9743] l2cap_sock_release+0x24c/0x290 [ 104.548953][ T9743] __sock_release+0xce/0x280 [ 104.553554][ T9743] sock_close+0x1e/0x30 [ 104.557815][ T9743] __fput+0x2ff/0x890 [ 104.561959][ T9743] ? __sock_release+0x280/0x280 [ 104.566805][ T9743] ____fput+0x16/0x20 [ 104.570777][ T9743] task_work_run+0x145/0x1c0 [ 104.575477][ T9743] exit_to_usermode_loop+0x316/0x380 [ 104.580768][ T9743] do_syscall_64+0x676/0x790 [ 104.585355][ T9743] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 104.591239][ T9743] RIP: 0033:0x4afb40 [ 104.595127][ T9743] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 104.615037][ T9743] RSP: 002b:000000c00020b540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 104.623593][ T9743] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40 [ 104.631606][ T9743] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 104.639571][ T9743] RBP: 000000c00020b580 R08: 0000000000000000 R09: 0000000000000000 [ 104.647684][ T9743] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cb [ 104.655778][ T9743] R13: 00000000000000ca R14: 0000000000000200 R15: 0000000000000200 [ 104.664032][ T9743] [ 104.666392][ T9743] Allocated by task 9743: [ 104.670841][ T9743] save_stack+0x23/0x90 [ 104.675174][ T9743] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 104.680811][ T9743] kasan_kmalloc+0x9/0x10 [ 104.685238][ T9743] __kmalloc+0x163/0x770 [ 104.689603][ T9743] sk_prot_alloc+0x23a/0x310 [ 104.694200][ T9743] sk_alloc+0x39/0xfd0 [ 104.698275][ T9743] l2cap_sock_alloc.constprop.0+0x37/0x230 [ 104.704084][ T9743] l2cap_sock_create+0x11e/0x1c0 [ 104.709010][ T9743] bt_sock_create+0x16a/0x2d0 [ 104.713689][ T9743] __sock_create+0x3ce/0x730 [ 104.719065][ T9743] __sys_socket+0x103/0x220 [ 104.723706][ T9743] __x64_sys_socket+0x73/0xb0 [ 104.728567][ T9743] do_syscall_64+0xfa/0x790 [ 104.733257][ T9743] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 104.739203][ T9743] [ 104.741536][ T9743] Freed by task 9743: [ 104.745524][ T9743] save_stack+0x23/0x90 [ 104.749676][ T9743] __kasan_slab_free+0x102/0x150 [ 104.754608][ T9743] kasan_slab_free+0xe/0x10 [ 104.759088][ T9743] kfree+0x10a/0x2c0 [ 104.762975][ T9743] __sk_destruct+0x5d8/0x7f0 [ 104.767593][ T9743] sk_destruct+0xd5/0x110 [ 104.772061][ T9743] __sk_free+0xfb/0x3f0 [ 104.776949][ T9743] sk_free+0x83/0xb0 [ 104.780842][ T9743] l2cap_sock_kill+0x160/0x190 [ 104.785591][ T9743] l2cap_sock_release+0x1c3/0x290 [ 104.790597][ T9743] __sock_release+0xce/0x280 [ 104.795178][ T9743] sock_close+0x1e/0x30 [ 104.799335][ T9743] __fput+0x2ff/0x890 [ 104.803445][ T9743] ____fput+0x16/0x20 [ 104.807412][ T9743] task_work_run+0x145/0x1c0 [ 104.811987][ T9743] exit_to_usermode_loop+0x316/0x380 [ 104.817459][ T9743] do_syscall_64+0x676/0x790 [ 104.822204][ T9743] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 104.828073][ T9743] [ 104.830470][ T9743] The buggy address belongs to the object at ffff888091e77000 [ 104.830470][ T9743] which belongs to the cache kmalloc-2k of size 2048 [ 104.844968][ T9743] The buggy address is located 1184 bytes inside of [ 104.844968][ T9743] 2048-byte region [ffff888091e77000, ffff888091e77800) [ 104.858476][ T9743] The buggy address belongs to the page: [ 104.864108][ T9743] page:ffffea0002479dc0 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 [ 104.873260][ T9743] flags: 0xfffe0000000200(slab) [ 104.878114][ T9743] raw: 00fffe0000000200 ffffea0002843508 ffffea000260c588 ffff8880aa400e00 [ 104.886698][ T9743] raw: 0000000000000000 ffff888091e77000 0000000100000001 0000000000000000 [ 104.895264][ T9743] page dumped because: kasan: bad access detected [ 104.901679][ T9743] [ 104.903996][ T9743] Memory state around the buggy address: [ 104.909618][ T9743] ffff888091e77380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 104.917677][ T9743] ffff888091e77400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 104.925736][ T9743] >ffff888091e77480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 104.934001][ T9743] ^ [ 104.939212][ T9743] ffff888091e77500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 104.947395][ T9743] ffff888091e77580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 104.955470][ T9743] ================================================================== [ 104.963569][ T9743] Disabling lock debugging due to kernel taint [ 104.970662][ T9743] Kernel panic - not syncing: panic_on_warn set ... [ 104.977291][ T9743] CPU: 0 PID: 9743 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200205-syzkaller #0 [ 104.987772][ T9743] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 104.997968][ T9743] Call Trace: [ 105.001305][ T9743] dump_stack+0x197/0x210 [ 105.005652][ T9743] panic+0x2e3/0x75c [ 105.009835][ T9743] ? add_taint.cold+0x16/0x16 [ 105.014614][ T9743] ? l2cap_sock_release+0x24c/0x290 [ 105.019797][ T9743] ? preempt_schedule+0x4b/0x60 [ 105.024725][ T9743] ? ___preempt_schedule+0x16/0x18 [ 105.030428][ T9743] ? trace_hardirqs_on+0x5e/0x240 [ 105.036840][ T9743] ? l2cap_sock_release+0x24c/0x290 [ 105.042039][ T9743] end_report+0x47/0x4f [ 105.046227][ T9743] ? l2cap_sock_release+0x24c/0x290 [ 105.051419][ T9743] __kasan_report.cold+0xe/0x32 [ 105.056268][ T9743] ? l2cap_sock_release+0x24c/0x290 [ 105.061450][ T9743] kasan_report+0x12/0x20 [ 105.065780][ T9743] __asan_report_load8_noabort+0x14/0x20 [ 105.071588][ T9743] l2cap_sock_release+0x24c/0x290 [ 105.076767][ T9743] __sock_release+0xce/0x280 [ 105.081356][ T9743] sock_close+0x1e/0x30 [ 105.085516][ T9743] __fput+0x2ff/0x890 [ 105.089496][ T9743] ? __sock_release+0x280/0x280 [ 105.094469][ T9743] ____fput+0x16/0x20 [ 105.098453][ T9743] task_work_run+0x145/0x1c0 [ 105.103298][ T9743] exit_to_usermode_loop+0x316/0x380 [ 105.108630][ T9743] do_syscall_64+0x676/0x790 [ 105.113223][ T9743] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 105.119104][ T9743] RIP: 0033:0x4afb40 [ 105.122997][ T9743] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 105.142940][ T9743] RSP: 002b:000000c00020b540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 105.151691][ T9743] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40 [ 105.159650][ T9743] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 105.167701][ T9743] RBP: 000000c00020b580 R08: 0000000000000000 R09: 0000000000000000 [ 105.175787][ T9743] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cb [ 105.183771][ T9743] R13: 00000000000000ca R14: 0000000000000200 R15: 0000000000000200 [ 105.193440][ T9743] Kernel Offset: disabled [ 105.197780][ T9743] Rebooting in 86400 seconds..