Warning: Permanently added '10.128.10.48' (ECDSA) to the list of known hosts. 2020/02/04 05:49:47 fuzzer started 2020/02/04 05:49:49 connecting to host at 10.128.0.26:35645 2020/02/04 05:49:49 checking machine... 2020/02/04 05:49:49 checking revisions... 2020/02/04 05:49:49 testing simple program... syzkaller login: [ 103.069715][T10023] IPVS: ftp: loaded support on port[0] = 21 2020/02/04 05:49:50 building call list... [ 103.437764][ T247] tipc: TX() has been purged, node left! [ 104.700748][T10008] can: request_module (can-proto-0) failed. executing program [ 106.620817][T10008] can: request_module (can-proto-0) failed. [ 106.636366][T10008] can: request_module (can-proto-0) failed. [ 107.225347][T10008] ================================================================== [ 107.235108][T10008] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290 [ 107.242752][T10008] Read of size 8 at addr ffff8880a83fd4a0 by task syz-fuzzer/10008 [ 107.250960][T10008] [ 107.253467][T10008] CPU: 1 PID: 10008 Comm: syz-fuzzer Not tainted 5.5.0-next-20200204-syzkaller #0 [ 107.262651][T10008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 107.272824][T10008] Call Trace: [ 107.276146][T10008] dump_stack+0x197/0x210 [ 107.280632][T10008] ? l2cap_sock_release+0x24c/0x290 [ 107.286279][T10008] print_address_description.constprop.0.cold+0xd4/0x30b [ 107.293581][T10008] ? l2cap_sock_release+0x24c/0x290 [ 107.298782][T10008] ? l2cap_sock_release+0x24c/0x290 [ 107.304055][T10008] __kasan_report.cold+0x1b/0x32 [ 107.309129][T10008] ? l2cap_sock_release+0x24c/0x290 [ 107.314335][T10008] kasan_report+0x12/0x20 [ 107.318680][T10008] __asan_report_load8_noabort+0x14/0x20 [ 107.324427][T10008] l2cap_sock_release+0x24c/0x290 [ 107.329620][T10008] __sock_release+0xce/0x280 [ 107.334740][T10008] sock_close+0x1e/0x30 [ 107.339030][T10008] __fput+0x2ff/0x890 [ 107.343204][T10008] ? __sock_release+0x280/0x280 [ 107.348305][T10008] ____fput+0x16/0x20 [ 107.352291][T10008] task_work_run+0x145/0x1c0 [ 107.357014][T10008] exit_to_usermode_loop+0x316/0x380 [ 107.362465][T10008] do_syscall_64+0x676/0x790 [ 107.367175][T10008] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 107.373066][T10008] RIP: 0033:0x4afb40 [ 107.377025][T10008] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 107.396961][T10008] RSP: 002b:000000c0001e9540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 107.405576][T10008] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40 [ 107.413654][T10008] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 107.421773][T10008] RBP: 000000c0001e9580 R08: 0000000000000000 R09: 0000000000000000 [ 107.429887][T10008] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cb [ 107.437866][T10008] R13: 00000000000000ca R14: 0000000000000200 R15: 0000000000000200 [ 107.446074][T10008] [ 107.448657][T10008] Allocated by task 10008: [ 107.453088][T10008] save_stack+0x23/0x90 [ 107.457379][T10008] __kasan_kmalloc.constprop.0+0xcf/0xe0 [ 107.463015][T10008] kasan_kmalloc+0x9/0x10 [ 107.467327][T10008] __kmalloc+0x163/0x770 [ 107.471570][T10008] sk_prot_alloc+0x23a/0x310 [ 107.476204][T10008] sk_alloc+0x39/0xfd0 [ 107.480322][T10008] l2cap_sock_alloc.constprop.0+0x37/0x230 [ 107.486255][T10008] l2cap_sock_create+0x11e/0x1c0 [ 107.491194][T10008] bt_sock_create+0x16a/0x2d0 [ 107.495872][T10008] __sock_create+0x3ce/0x730 [ 107.500591][T10008] __sys_socket+0x103/0x220 [ 107.505270][T10008] __x64_sys_socket+0x73/0xb0 [ 107.510013][T10008] do_syscall_64+0xfa/0x790 [ 107.514519][T10008] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 107.520390][T10008] [ 107.522710][T10008] Freed by task 10008: [ 107.526775][T10008] save_stack+0x23/0x90 [ 107.530926][T10008] __kasan_slab_free+0x102/0x150 [ 107.535998][T10008] kasan_slab_free+0xe/0x10 [ 107.540653][T10008] kfree+0x10a/0x2c0 [ 107.544552][T10008] __sk_destruct+0x5d8/0x7f0 [ 107.549339][T10008] sk_destruct+0xd5/0x110 [ 107.553675][T10008] __sk_free+0xfb/0x3f0 [ 107.557830][T10008] sk_free+0x83/0xb0 [ 107.561910][T10008] l2cap_sock_kill+0x160/0x190 [ 107.566672][T10008] l2cap_sock_release+0x1c3/0x290 [ 107.571684][T10008] __sock_release+0xce/0x280 [ 107.576395][T10008] sock_close+0x1e/0x30 [ 107.580985][T10008] __fput+0x2ff/0x890 [ 107.585002][T10008] ____fput+0x16/0x20 [ 107.589003][T10008] task_work_run+0x145/0x1c0 [ 107.593643][T10008] exit_to_usermode_loop+0x316/0x380 [ 107.599221][T10008] do_syscall_64+0x676/0x790 [ 107.603986][T10008] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 107.609969][T10008] [ 107.612291][T10008] The buggy address belongs to the object at ffff8880a83fd000 [ 107.612291][T10008] which belongs to the cache kmalloc-2k of size 2048 [ 107.626673][T10008] The buggy address is located 1184 bytes inside of [ 107.626673][T10008] 2048-byte region [ffff8880a83fd000, ffff8880a83fd800) [ 107.640738][T10008] The buggy address belongs to the page: [ 107.646422][T10008] page:ffffea0002a0ff40 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0 [ 107.655772][T10008] flags: 0xfffe0000000200(slab) [ 107.660739][T10008] raw: 00fffe0000000200 ffffea00027da808 ffffea00028de208 ffff8880aa400e00 [ 107.669316][T10008] raw: 0000000000000000 ffff8880a83fd000 0000000100000001 0000000000000000 [ 107.677968][T10008] page dumped because: kasan: bad access detected [ 107.684629][T10008] [ 107.687112][T10008] Memory state around the buggy address: [ 107.692741][T10008] ffff8880a83fd380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 107.701065][T10008] ffff8880a83fd400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 107.709405][T10008] >ffff8880a83fd480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 107.718007][T10008] ^ [ 107.723121][T10008] ffff8880a83fd500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 107.731493][T10008] ffff8880a83fd580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 107.739550][T10008] ================================================================== [ 107.747845][T10008] Disabling lock debugging due to kernel taint [ 107.756063][T10008] Kernel panic - not syncing: panic_on_warn set ... [ 107.762808][T10008] CPU: 1 PID: 10008 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200204-syzkaller #0 [ 107.773617][T10008] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 107.783701][T10008] Call Trace: [ 107.787076][T10008] dump_stack+0x197/0x210 [ 107.791442][T10008] panic+0x2e3/0x75c [ 107.795348][T10008] ? add_taint.cold+0x16/0x16 [ 107.800009][T10008] ? l2cap_sock_release+0x24c/0x290 [ 107.805202][T10008] ? preempt_schedule+0x4b/0x60 [ 107.810137][T10008] ? ___preempt_schedule+0x16/0x18 [ 107.815263][T10008] ? trace_hardirqs_on+0x5e/0x240 [ 107.820419][T10008] ? l2cap_sock_release+0x24c/0x290 [ 107.825637][T10008] end_report+0x47/0x4f [ 107.829957][T10008] ? l2cap_sock_release+0x24c/0x290 [ 107.835154][T10008] __kasan_report.cold+0xe/0x32 [ 107.841571][T10008] ? l2cap_sock_release+0x24c/0x290 [ 107.846825][T10008] kasan_report+0x12/0x20 [ 107.851372][T10008] __asan_report_load8_noabort+0x14/0x20 [ 107.857439][T10008] l2cap_sock_release+0x24c/0x290 [ 107.862939][T10008] __sock_release+0xce/0x280 [ 107.867632][T10008] sock_close+0x1e/0x30 [ 107.871917][T10008] __fput+0x2ff/0x890 [ 107.875899][T10008] ? __sock_release+0x280/0x280 [ 107.880740][T10008] ____fput+0x16/0x20 [ 107.884945][T10008] task_work_run+0x145/0x1c0 [ 107.889539][T10008] exit_to_usermode_loop+0x316/0x380 [ 107.894826][T10008] do_syscall_64+0x676/0x790 [ 107.899486][T10008] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 107.905493][T10008] RIP: 0033:0x4afb40 [ 107.909405][T10008] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30 [ 107.928997][T10008] RSP: 002b:000000c0001e9540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003 [ 107.937419][T10008] RAX: 0000000000000000 RBX: 000000c00002c000 RCX: 00000000004afb40 [ 107.945387][T10008] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 [ 107.953482][T10008] RBP: 000000c0001e9580 R08: 0000000000000000 R09: 0000000000000000 [ 107.966596][T10008] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cb [ 107.974567][T10008] R13: 00000000000000ca R14: 0000000000000200 R15: 0000000000000200 [ 107.984154][T10008] Kernel Offset: disabled [ 107.988536][T10008] Rebooting in 86400 seconds..