Warning: Permanently added '10.128.10.22' (ECDSA) to the list of known hosts.
2020/02/03 03:44:01 fuzzer started
2020/02/03 03:44:03 connecting to host at 10.128.0.26:38143
2020/02/03 03:44:03 checking machine...
2020/02/03 03:44:03 checking revisions...
2020/02/03 03:44:03 testing simple program...
syzkaller login: [ 110.601978][ T9769] IPVS: ftp: loaded support on port[0] = 21
2020/02/03 03:44:03 building call list...
[ 110.940837][ T21] tipc: TX() has been purged, node left!
[ 112.163620][ T9751] can: request_module (can-proto-0) failed.
executing program
[ 113.993620][ T9751] can: request_module (can-proto-0) failed.
[ 114.006140][ T9751] can: request_module (can-proto-0) failed.
[ 114.527969][ T9751] ==================================================================
[ 114.536307][ T9751] BUG: KASAN: use-after-free in l2cap_sock_release+0x24c/0x290
[ 114.543863][ T9751] Read of size 8 at addr ffff8880944904a0 by task syz-fuzzer/9751
[ 114.551704][ T9751]
[ 114.554022][ T9751] CPU: 0 PID: 9751 Comm: syz-fuzzer Not tainted 5.5.0-next-20200203-syzkaller #0
[ 114.563252][ T9751] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 114.573307][ T9751] Call Trace:
[ 114.576591][ T9751] dump_stack+0x197/0x210
[ 114.580907][ T9751] ? l2cap_sock_release+0x24c/0x290
[ 114.586106][ T9751] print_address_description.constprop.0.cold+0xd4/0x30b
[ 114.593126][ T9751] ? l2cap_sock_release+0x24c/0x290
[ 114.598318][ T9751] ? l2cap_sock_release+0x24c/0x290
[ 114.603519][ T9751] __kasan_report.cold+0x1b/0x32
[ 114.608464][ T9751] ? l2cap_sock_release+0x24c/0x290
[ 114.613764][ T9751] kasan_report+0x12/0x20
[ 114.618190][ T9751] __asan_report_load8_noabort+0x14/0x20
[ 114.623819][ T9751] l2cap_sock_release+0x24c/0x290
[ 114.628843][ T9751] __sock_release+0xce/0x280
[ 114.633428][ T9751] sock_close+0x1e/0x30
[ 114.637593][ T9751] __fput+0x2ff/0x890
[ 114.641569][ T9751] ? __sock_release+0x280/0x280
[ 114.646415][ T9751] ____fput+0x16/0x20
[ 114.650512][ T9751] task_work_run+0x145/0x1c0
[ 114.655144][ T9751] exit_to_usermode_loop+0x316/0x380
[ 114.660433][ T9751] do_syscall_64+0x676/0x790
[ 114.665036][ T9751] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 114.670938][ T9751] RIP: 0033:0x4afb40
[ 114.674858][ T9751] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 114.694461][ T9751] RSP: 002b:000000c00020b540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 114.702905][ T9751] RAX: 0000000000000000 RBX: 000000c00002e500 RCX: 00000000004afb40
[ 114.710870][ T9751] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 114.718847][ T9751] RBP: 000000c00020b580 R08: 0000000000000000 R09: 0000000000000000
[ 114.726813][ T9751] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc
[ 114.734769][ T9751] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200
[ 114.742748][ T9751]
[ 114.745063][ T9751] Allocated by task 9751:
[ 114.749422][ T9751] save_stack+0x23/0x90
[ 114.753570][ T9751] __kasan_kmalloc.constprop.0+0xcf/0xe0
[ 114.759186][ T9751] kasan_kmalloc+0x9/0x10
[ 114.763495][ T9751] __kmalloc+0x163/0x770
[ 114.767835][ T9751] sk_prot_alloc+0x23a/0x310
[ 114.772404][ T9751] sk_alloc+0x39/0xfd0
[ 114.776454][ T9751] l2cap_sock_alloc.constprop.0+0x37/0x230
[ 114.782251][ T9751] l2cap_sock_create+0x11e/0x1c0
[ 114.787217][ T9751] bt_sock_create+0x16a/0x2d0
[ 114.791878][ T9751] __sock_create+0x3ce/0x730
[ 114.796482][ T9751] __sys_socket+0x103/0x220
[ 114.800972][ T9751] __x64_sys_socket+0x73/0xb0
[ 114.805647][ T9751] do_syscall_64+0xfa/0x790
[ 114.810146][ T9751] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 114.816021][ T9751]
[ 114.818340][ T9751] Freed by task 9751:
[ 114.822311][ T9751] save_stack+0x23/0x90
[ 114.826455][ T9751] __kasan_slab_free+0x102/0x150
[ 114.831381][ T9751] kasan_slab_free+0xe/0x10
[ 114.835869][ T9751] kfree+0x10a/0x2c0
[ 114.839753][ T9751] __sk_destruct+0x5d8/0x7f0
[ 114.844337][ T9751] sk_destruct+0xd5/0x110
[ 114.848646][ T9751] __sk_free+0xfb/0x3f0
[ 114.852789][ T9751] sk_free+0x83/0xb0
[ 114.856665][ T9751] l2cap_sock_kill+0x160/0x190
[ 114.861442][ T9751] l2cap_sock_release+0x1c3/0x290
[ 114.866460][ T9751] __sock_release+0xce/0x280
[ 114.871087][ T9751] sock_close+0x1e/0x30
[ 114.875339][ T9751] __fput+0x2ff/0x890
[ 114.879314][ T9751] ____fput+0x16/0x20
[ 114.883429][ T9751] task_work_run+0x145/0x1c0
[ 114.888005][ T9751] exit_to_usermode_loop+0x316/0x380
[ 114.893326][ T9751] do_syscall_64+0x676/0x790
[ 114.897949][ T9751] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 114.903833][ T9751]
[ 114.906144][ T9751] The buggy address belongs to the object at ffff888094490000
[ 114.906144][ T9751] which belongs to the cache kmalloc-2k of size 2048
[ 114.920228][ T9751] The buggy address is located 1184 bytes inside of
[ 114.920228][ T9751] 2048-byte region [ffff888094490000, ffff888094490800)
[ 114.933704][ T9751] The buggy address belongs to the page:
[ 114.939339][ T9751] page:ffffea0002512400 refcount:1 mapcount:0 mapping:ffff8880aa400e00 index:0x0
[ 114.948439][ T9751] flags: 0xfffe0000000200(slab)
[ 114.953307][ T9751] raw: 00fffe0000000200 ffffea00025123c8 ffffea00021bf608 ffff8880aa400e00
[ 114.961902][ T9751] raw: 0000000000000000 ffff888094490000 0000000100000001 0000000000000000
[ 114.970482][ T9751] page dumped because: kasan: bad access detected
[ 114.976882][ T9751]
[ 114.979215][ T9751] Memory state around the buggy address:
[ 114.984823][ T9751] ffff888094490380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 114.992948][ T9751] ffff888094490400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.000993][ T9751] >ffff888094490480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.009027][ T9751] ^
[ 115.014127][ T9751] ffff888094490500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.022176][ T9751] ffff888094490580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 115.030210][ T9751] ==================================================================
[ 115.038246][ T9751] Disabling lock debugging due to kernel taint
[ 115.045200][ T9751] Kernel panic - not syncing: panic_on_warn set ...
[ 115.051806][ T9751] CPU: 0 PID: 9751 Comm: syz-fuzzer Tainted: G B 5.5.0-next-20200203-syzkaller #0
[ 115.062293][ T9751] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 115.072378][ T9751] Call Trace:
[ 115.075655][ T9751] dump_stack+0x197/0x210
[ 115.079966][ T9751] panic+0x2e3/0x75c
[ 115.083887][ T9751] ? add_taint.cold+0x16/0x16
[ 115.088587][ T9751] ? l2cap_sock_release+0x24c/0x290
[ 115.093791][ T9751] ? preempt_schedule+0x4b/0x60
[ 115.098624][ T9751] ? ___preempt_schedule+0x16/0x18
[ 115.103714][ T9751] ? trace_hardirqs_on+0x5e/0x240
[ 115.108715][ T9751] ? l2cap_sock_release+0x24c/0x290
[ 115.113888][ T9751] end_report+0x47/0x4f
[ 115.118019][ T9751] ? l2cap_sock_release+0x24c/0x290
[ 115.123194][ T9751] __kasan_report.cold+0xe/0x32
[ 115.128033][ T9751] ? l2cap_sock_release+0x24c/0x290
[ 115.133207][ T9751] kasan_report+0x12/0x20
[ 115.137510][ T9751] __asan_report_load8_noabort+0x14/0x20
[ 115.143134][ T9751] l2cap_sock_release+0x24c/0x290
[ 115.148139][ T9751] __sock_release+0xce/0x280
[ 115.152709][ T9751] sock_close+0x1e/0x30
[ 115.156843][ T9751] __fput+0x2ff/0x890
[ 115.160800][ T9751] ? __sock_release+0x280/0x280
[ 115.165626][ T9751] ____fput+0x16/0x20
[ 115.169584][ T9751] task_work_run+0x145/0x1c0
[ 115.174157][ T9751] exit_to_usermode_loop+0x316/0x380
[ 115.179418][ T9751] do_syscall_64+0x676/0x790
[ 115.183998][ T9751] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 115.189863][ T9751] RIP: 0033:0x4afb40
[ 115.193737][ T9751] Code: 8b 7c 24 10 48 8b 74 24 18 48 8b 54 24 20 49 c7 c2 00 00 00 00 49 c7 c0 00 00 00 00 49 c7 c1 00 00 00 00 48 8b 44 24 08 0f 05 <48> 3d 01 f0 ff ff 76 20 48 c7 44 24 28 ff ff ff ff 48 c7 44 24 30
[ 115.213315][ T9751] RSP: 002b:000000c00020b540 EFLAGS: 00000202 ORIG_RAX: 0000000000000003
[ 115.221721][ T9751] RAX: 0000000000000000 RBX: 000000c00002e500 RCX: 00000000004afb40
[ 115.229666][ T9751] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
[ 115.237614][ T9751] RBP: 000000c00020b580 R08: 0000000000000000 R09: 0000000000000000
[ 115.245571][ T9751] R10: 0000000000000000 R11: 0000000000000202 R12: 00000000000000cc
[ 115.253529][ T9751] R13: 00000000000000cb R14: 0000000000000200 R15: 0000000000000200
[ 115.262642][ T9751] Kernel Offset: disabled
[ 115.266969][ T9751] Rebooting in 86400 seconds..