[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.141' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 37.197863] ==================================================================
[ 37.205271] BUG: KASAN: use-after-free in __lock_acquire+0x2cb4/0x3ff0
[ 37.211942] Read of size 8 at addr ffff888238ae35d0 by task syz-executor880/8113
[ 37.219466]
[ 37.221082] CPU: 1 PID: 8113 Comm: syz-executor880 Not tainted 4.19.189-syzkaller #0
[ 37.228978] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.238346] Call Trace:
[ 37.240951] dump_stack+0x1fc/0x2ef
[ 37.244570] print_address_description.cold+0x54/0x219
[ 37.249862] kasan_report_error.cold+0x8a/0x1b9
[ 37.254689] ? __lock_acquire+0x2cb4/0x3ff0
[ 37.259034] __asan_report_load8_noabort+0x88/0x90
[ 37.263984] ? __lock_acquire+0x2cb4/0x3ff0
[ 37.268310] __lock_acquire+0x2cb4/0x3ff0
[ 37.272494] ? __lock_acquire+0x6de/0x3ff0
[ 37.276753] ? mark_held_locks+0xf0/0xf0
[ 37.280896] ? mark_held_locks+0xf0/0xf0
[ 37.284969] ? debug_object_activate+0x12f/0x450
[ 37.289745] ? reacquire_held_locks+0xb5/0x430
[ 37.294350] ? release_sock+0x1b/0x1b0
[ 37.298249] ? lock_sock_nested+0xa6/0x110
[ 37.302652] lock_acquire+0x170/0x3c0
[ 37.306447] ? nfc_llcp_sock_unlink+0x1d/0x190
[ 37.311026] ? mark_held_locks+0xa6/0xf0
[ 37.315082] _raw_write_lock+0x2a/0x40
[ 37.318966] ? nfc_llcp_sock_unlink+0x1d/0x190
[ 37.323543] nfc_llcp_sock_unlink+0x1d/0x190
[ 37.328057] llcp_sock_release+0x286/0x520
[ 37.332299] __sock_release+0xcd/0x2a0
[ 37.336190] ? __sock_release+0x2a0/0x2a0
[ 37.340333] sock_close+0x15/0x20
[ 37.343802] __fput+0x2ce/0x890
[ 37.347090] task_work_run+0x148/0x1c0
[ 37.350994] do_exit+0xbf3/0x2be0
[ 37.354468] ? lock_downgrade+0x720/0x720
[ 37.358614] ? mm_update_next_owner+0x650/0x650
[ 37.364508] ? up_read+0x17/0x110
[ 37.367994] ? __do_page_fault+0x180/0xd60
[ 37.375366] do_group_exit+0x125/0x310
[ 37.379291] __x64_sys_exit_group+0x3a/0x50
[ 37.383858] do_syscall_64+0xf9/0x620
[ 37.387700] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.394003] RIP: 0033:0x43db99
[ 37.397495] Code: Bad RIP value.
[ 37.400971] RSP: 002b:00007ffe77888748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 37.408742] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043db99
[ 37.416001] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 37.423261] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
[ 37.430624] R10: 0000000000400488 R11: 0000000000000246 R12: 00000000004ae230
[ 37.438058] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 37.445338]
[ 37.446959] Allocated by task 1:
[ 37.450321] kmem_cache_alloc_trace+0x12f/0x380
[ 37.454988] nfc_llcp_register_device+0x45/0x9b0
[ 37.460786] nfc_register_device+0x6d/0x360
[ 37.465115] nfcsim_device_new+0x333/0x5af
[ 37.469342] nfcsim_init+0x71/0x14d
[ 37.472973] do_one_initcall+0xf1/0x740
[ 37.476962] kernel_init_freeable+0x9a6/0xa98
[ 37.481448] kernel_init+0xd/0x1b6
[ 37.484985] ret_from_fork+0x24/0x30
[ 37.488677]
[ 37.490297] Freed by task 8113:
[ 37.493574] kfree+0xcc/0x210
[ 37.496705] nfc_llcp_local_put+0x155/0x1b0
[ 37.501018] llcp_sock_destruct+0x7b/0x140
[ 37.505248] __sk_destruct+0x4b/0x8a0
[ 37.509056] __sk_free+0x165/0x3b0
[ 37.512596] sk_free+0x3b/0x50
[ 37.515781] llcp_sock_release+0x37a/0x520
[ 37.520008] __sock_release+0xcd/0x2a0
[ 37.523932] sock_close+0x15/0x20
[ 37.527419] __fput+0x2ce/0x890
[ 37.530704] task_work_run+0x148/0x1c0
[ 37.534581] do_exit+0xbf3/0x2be0
[ 37.538025] do_group_exit+0x125/0x310
[ 37.541929] __x64_sys_exit_group+0x3a/0x50
[ 37.546297] do_syscall_64+0xf9/0x620
[ 37.550092] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.555523]
[ 37.557145] The buggy address belongs to the object at ffff888238ae31c0
[ 37.557145]  which belongs to the cache kmalloc-2048 of size 2048
[ 37.569969] The buggy address is located 1040 bytes inside of
[ 37.569969]  2048-byte region [ffff888238ae31c0, ffff888238ae39c0)
[ 37.582017] The buggy address belongs to the page:
[ 37.586950] page:ffffea0008e2b880 count:1 mapcount:0 mapping:ffff88813bff0c40 index:0x0 compound_mapcount: 0
[ 37.596922] flags: 0x57ff00000008100(slab|head)
[ 37.601668] raw: 057ff00000008100 ffffea0008e29a88 ffffea0008e2c288 ffff88813bff0c40
[ 37.609548] raw: 0000000000000000 ffff888238ae20c0 0000000100000003 0000000000000000
[ 37.617517] page dumped because: kasan: bad access detected
[ 37.623212]
[ 37.624816] Memory state around the buggy address:
[ 37.629754]  ffff888238ae3480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.637113]  ffff888238ae3500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.644474] >ffff888238ae3580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.651819] ^
[ 37.657794]  ffff888238ae3600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.665199]  ffff888238ae3680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.674636] ==================================================================
[ 37.682103] Disabling lock debugging due to kernel taint
[ 37.687556] Kernel panic - not syncing: panic_on_warn set ...
[ 37.687556]
[ 37.695693] CPU: 1 PID: 8113 Comm: syz-executor880 Tainted: G B 4.19.189-syzkaller #0
[ 37.705668] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 37.715041] Call Trace:
[ 37.717624] dump_stack+0x1fc/0x2ef
[ 37.721353] panic+0x26a/0x50e
[ 37.724545] ? __warn_printk+0xf3/0xf3
[ 37.728451] ? lock_downgrade+0x720/0x720
[ 37.732702] ? print_shadow_for_address+0xb8/0x114
[ 37.737639] ? trace_hardirqs_off+0x64/0x200
[ 37.742041] kasan_end_report+0x43/0x49
[ 37.746008] kasan_report_error.cold+0xa7/0x1b9
[ 37.750672] ? __lock_acquire+0x2cb4/0x3ff0
[ 37.755025] __asan_report_load8_noabort+0x88/0x90
[ 37.759955] ? __lock_acquire+0x2cb4/0x3ff0
[ 37.764274] __lock_acquire+0x2cb4/0x3ff0
[ 37.768439] ? __lock_acquire+0x6de/0x3ff0
[ 37.772853] ? mark_held_locks+0xf0/0xf0
[ 37.776917] ? mark_held_locks+0xf0/0xf0
[ 37.780984] ? debug_object_activate+0x12f/0x450
[ 37.785839] ? reacquire_held_locks+0xb5/0x430
[ 37.790429] ? release_sock+0x1b/0x1b0
[ 37.794325] ? lock_sock_nested+0xa6/0x110
[ 37.798562] lock_acquire+0x170/0x3c0
[ 37.802367] ? nfc_llcp_sock_unlink+0x1d/0x190
[ 37.806955] ? mark_held_locks+0xa6/0xf0
[ 37.811098] _raw_write_lock+0x2a/0x40
[ 37.815068] ? nfc_llcp_sock_unlink+0x1d/0x190
[ 37.819666] nfc_llcp_sock_unlink+0x1d/0x190
[ 37.824096] llcp_sock_release+0x286/0x520
[ 37.828327] __sock_release+0xcd/0x2a0
[ 37.832208] ? __sock_release+0x2a0/0x2a0
[ 37.836347] sock_close+0x15/0x20
[ 37.839800] __fput+0x2ce/0x890
[ 37.843091] task_work_run+0x148/0x1c0
[ 37.847004] do_exit+0xbf3/0x2be0
[ 37.850456] ? lock_downgrade+0x720/0x720
[ 37.854597] ? mm_update_next_owner+0x650/0x650
[ 37.859270] ? up_read+0x17/0x110
[ 37.862741] ? __do_page_fault+0x180/0xd60
[ 37.866973] do_group_exit+0x125/0x310
[ 37.870862] __x64_sys_exit_group+0x3a/0x50
[ 37.875191] do_syscall_64+0xf9/0x620
[ 37.878992] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[ 37.884182] RIP: 0033:0x43db99
[ 37.887378] Code: Bad RIP value.
[ 37.890739] RSP: 002b:00007ffe77888748 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 37.898443] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043db99
[ 37.906099] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 37.913369] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
[ 37.920643] R10: 0000000000400488 R11: 0000000000000246 R12: 00000000004ae230
[ 37.927918] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 37.935789] Kernel Offset: disabled
[ 37.939427] Rebooting in 86400 seconds..