[....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [ 88.294111][ T26] audit: type=1800 audit(1580869983.621:25): pid=9639 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="cron" dev="sda1" ino=2414 res=0 [ 88.314035][ T26] audit: type=1800 audit(1580869983.621:26): pid=9639 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="mcstrans" dev="sda1" ino=2457 res=0 [ 88.336272][ T26] audit: type=1800 audit(1580869983.621:27): pid=9639 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=collect_data cause=failed(directio) comm="startpar" name="restorecond" dev="sda1" ino=2436 res=0 [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.33' (ECDSA) to the list of known hosts. 2020/02/05 02:33:14 fuzzer started 2020/02/05 02:33:16 connecting to host at 10.128.0.26:41143 2020/02/05 02:33:16 checking machine... 2020/02/05 02:33:16 checking revisions... 2020/02/05 02:33:16 testing simple program... syzkaller login: [ 101.455480][ T9808] IPVS: ftp: loaded support on port[0] = 21 2020/02/05 02:33:16 building call list... [ 101.850138][ T78] tipc: TX() has been purged, node left! [ 103.001894][ T9794] can: request_module (can-proto-0) failed. executing program [ 104.953716][ T9794] can: request_module (can-proto-0) failed. [ 104.966085][ T9794] can: request_module (can-proto-0) failed. [ 105.487365][ T9794] ================================================================== [ 105.495570][ T9794] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 [ 105.503100][ T9794] Read of size 8 at addr ffff88808e4a54a0 by task syz-fuzzer/9794 [ 105.510882][ T9794] [ 105.513207][ T9794] CPU: 1 PID: 9794 Comm: syz-fuzzer Not tainted 5.5.0-next-20200205-syzkaller #0 [ 105.522296][ T9794] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 105.532449][ T9794] Call Trace: [ 105.535744][ T9794] dump_stack+0x197/0x210 [ 105.540074][ T9794] ? l2cap_sock_release+0x24c/0x290 [ 105.545266][ T9794] print_address_description.constprop.0.cold+0xd4/0x30b [ 105.552286][ T9794] ? l2cap_sock_release+0x24c/0x290 [ 105.557507][ T9794] ? l2cap_sock_release+0x24c/0x290 [ 105.563201][ T9794] __kasan_report.cold+0x1b/0x32 [ 105.568143][ T9794] ? l2cap_sock_release+0x24c/0x290 [ 105.573345][ T9794] kasan_report+0x12/0x20 [ 105.577667][ T9794] __asan_report_load8_noabort+0x14/0x20 [ 105.583296][ T9794] l2cap_sock_release+0x24c/0x290 [ 105.588325][ T9794] __sock_release+0xce/0x280 [ 105.593437][ T9794] sock_close+0x1e/0x30 [ 105.597763][ T9794] __fput+0x2ff/0x890 [ 105.601744][ T9794] ? __sock_release+0x280/0x280 [ 105.606684][ T9794] ____fput+0x16/0x20 [ 105.610674][ T9794] task_work_run+0x145/0x1c0 [ 105.615261][ T9794] exit_to_usermode_loop+0x316/0x380 [ 105.620541][ T9794] do_syscall_64+0x676/0x790 [ 105.625143][ T9794] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 105.631023][ T9794] RIP: 0033:0x4afb40 [ 105.634917][ T9794] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 105.654518][ T9794] RSP: 002b:000000c00008d540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 105.662927][ T9794] RAX: 0000000000000000 RBX: 000000c00002e500 RCX: 00000000004afb40 [ 105.670906][ T9794] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 105.678872][ T9794] RBP: 000000c00008d580 R08: 0000000000000000 R09: 0000000000000000 [ 105.686948][ T9794] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc [ 105.694912][ T9794] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200 [ 105.702890][ T9794] [ 105.705210][ T9794] Allocated by task 9794: [ 105.709534][ T9794] save_stack+0x23/0x90 [ 105.713685][ T9794] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 105.719340][ T9794] kasan_kmalloc+0x9/0x10 [ 105.723917][ T9794] __kmalloc+0x163/0x770 [ 105.728151][ T9794] sk_prot_alloc+0x23a/0x310 [ 105.732730][ T9794] sk_alloc+0x39/0xfd0 [ 105.736792][ T9794] l2cap_sock_alloc.constprop.0+0x37/0x230 [ 105.742586][ T9794] l2cap_sock_create+0x11e/0x1c0 [ 105.747513][ T9794] bt_sock_create+0x16a/0x2d0 [ 105.752178][ T9794] __sock_create+0x3ce/0x730 [ 105.756775][ T9794] __sys_socket+0x103/0x220 [ 105.761273][ T9794] __x64_sys_socket+0x73/0xb0 [ 105.766046][ T9794] do_syscall_64+0xfa/0x790 [ 105.770541][ T9794] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 105.776420][ T9794] [ 105.778772][ T9794] Freed by task 9794: [ 105.782745][ T9794] save_stack+0x23/0x90 [ 105.787005][ T9794] __kasan_slab_free+0x102/0x150 [ 105.791928][ T9794] kasan_slab_free+0xe/0x10 [ 105.796418][ T9794] kfree+0x10a/0x2c0 [ 105.800304][ T9794] __sk_destruct+0x5d8/0x7f0 [ 105.804878][ T9794] sk_destruct+0xd5/0x110 [ 105.809725][ T9794] __sk_free+0xfb/0x3f0 [ 105.813873][ T9794] sk_free+0x83/0xb0 [ 105.817765][ T9794] l2cap_sock_kill+0x160/0x190 [ 105.822863][ T9794] l2cap_sock_release+0x1c3/0x290 [ 105.827876][ T9794] __sock_release+0xce/0x280 [ 105.832453][ T9794] sock_close+0x1e/0x30 [ 105.836649][ T9794] __fput+0x2ff/0x890 [ 105.840616][ T9794] ____fput+0x16/0x20 [ 105.844935][ T9794] task_work_run+0x145/0x1c0 [ 105.849519][ T9794] exit_to_usermode_loop+0x316/0x380 [ 105.854842][ T9794] do_syscall_64+0x676/0x790 [ 105.859427][ T9794] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 105.865310][ T9794] [ 105.867636][ T9794] The buggy address belongs to the object at ffff88808e4a5000 [ 105.867636][ T9794] which belongs to the cache kmalloc-2k of size 2048 [ 105.881784][ T9794] The buggy address is located 1184 bytes inside of [ 105.881784][ T9794] 2048-byte region [ffff88808e4a5000, ffff88808e4a5800) [ 105.895325][ T9794] The buggy address belongs to the page: [ 105.901038][ T9794] page:ffffea0002392940 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 [ 105.910139][ T9794] flags: 0xfffe0000000200(slab) [ 105.915257][ T9794] raw: 00fffe0000000200 ffffea0002341208 ffffea000261fe88 ffff8880aa400e00 [ 105.923940][ T9794] raw: 0000000000000000 ffff88808e4a5000 0000000100000001 0000000000000000 [ 105.932511][ T9794] page dumped because: kasan: bad access detected [ 105.938972][ T9794] [ 105.941317][ T9794] Memory state around the buggy address: [ 105.946969][ T9794] ffff88808e4a5380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.955023][ T9794] ffff88808e4a5400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.963074][ T9794] >ffff88808e4a5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.971130][ T9794] ^ [ 105.976602][ T9794] ffff88808e4a5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.984659][ T9794] ffff88808e4a5580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 105.992807][ T9794] ================================================================== [ 106.000861][ T9794] Disabling lock debugging due to kernel taint [ 106.008070][ T9794] Kernel panic - not syncing: panic_on_warn set ... [ 106.014790][ T9794] CPU: 1 PID: 9794 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200205-syzkaller #0 [ 106.025390][ T9794] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 106.035486][ T9794] Call Trace: [ 106.038779][ T9794] dump_stack+0x197/0x210 [ 106.043108][ T9794] panic+0x2e3/0x75c [ 106.046999][ T9794] ? add_taint.cold+0x16/0x16 [ 106.051669][ T9794] ? l2cap_sock_release+0x24c/0x290 [ 106.056901][ T9794] ? preempt_schedule+0x4b/0x60 [ 106.061850][ T9794] ? ___preempt_schedule+0x16/0x18 [ 106.066984][ T9794] ? trace_hardirqs_on+0x5e/0x240 [ 106.072000][ T9794] ? l2cap_sock_release+0x24c/0x290 [ 106.077230][ T9794] end_report+0x47/0x4f [ 106.081412][ T9794] ? l2cap_sock_release+0x24c/0x290 [ 106.086604][ T9794] __kasan_report.cold+0xe/0x32 [ 106.091452][ T9794] ? l2cap_sock_release+0x24c/0x290 [ 106.096690][ T9794] kasan_report+0x12/0x20 [ 106.101017][ T9794] __asan_report_load8_noabort+0x14/0x20 [ 106.106684][ T9794] l2cap_sock_release+0x24c/0x290 [ 106.111743][ T9794] __sock_release+0xce/0x280 [ 106.116327][ T9794] sock_close+0x1e/0x30 [ 106.120468][ T9794] __fput+0x2ff/0x890 [ 106.124641][ T9794] ? __sock_release+0x280/0x280 [ 106.129589][ T9794] ____fput+0x16/0x20 [ 106.133563][ T9794] task_work_run+0x145/0x1c0 [ 106.138147][ T9794] exit_to_usermode_loop+0x316/0x380 [ 106.143423][ T9794] do_syscall_64+0x676/0x790 [ 106.148180][ T9794] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 106.154058][ T9794] RIP: 0033:0x4afb40 [ 106.157943][ T9794] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 106.177811][ T9794] RSP: 002b:000000c00008d540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 106.186275][ T9794] RAX: 0000000000000000 RBX: 000000c00002e500 RCX: 00000000004afb40 [ 106.194262][ T9794] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 106.202225][ T9794] RBP: 000000c00008d580 R08: 0000000000000000 R09: 0000000000000000 [ 106.210184][ T9794] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc [ 106.218147][ T9794] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200 [ 106.227604][ T9794] Kernel Offset: disabled [ 106.232029][ T9794] Rebooting in 86400 seconds..