[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.136' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 73.364345][ T8387] ==================================================================
[ 73.372560][ T8387] BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0
[ 73.380039][ T8387] Read of size 8 at addr ffff888144790468 by task syz-executor259/8387
[ 73.385295][ T8386] ------------[ cut here ]------------
[ 73.388264][ T8387]
[ 73.388271][ T8387] CPU: 0 PID: 8387 Comm: syz-executor259 Not tainted 5.12.0-rc7-syzkaller #0
[ 73.388296][ T8387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.388309][ T8387] Call Trace:
[ 73.388317][ T8387] dump_stack+0x141/0x1d7
[ 73.396901][ T8386] refcount_t: underflow; use-after-free.
[ 73.405029][ T8387] ? __lock_acquire+0x3e6f/0x54c0
[ 73.405061][ T8387] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 73.405090][ T8387] ? __lock_acquire+0x3e6f/0x54c0
[ 73.405112][ T8387] ? __lock_acquire+0x3e6f/0x54c0
[ 73.405133][ T8387] kasan_report.cold+0x7c/0xd8
[ 73.405152][ T8387] ? __lock_acquire+0x16b0/0x54c0
[ 73.405176][ T8387] ? __lock_acquire+0x3e6f/0x54c0
[ 73.405197][ T8387] __lock_acquire+0x3e6f/0x54c0
[ 73.405220][ T8387] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.405242][ T8387] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.405262][ T8387] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.405288][ T8387] lock_acquire+0x1ab/0x740
[ 73.405307][ T8387] ? nfc_llcp_sock_unlink+0x1d/0x1c0
[ 73.405332][ T8387] ? lock_release+0x720/0x720
[ 73.405352][ T8387] ? llcp_sock_release+0x1df/0x580
[ 73.405376][ T8387] ? mark_held_locks+0x9f/0xe0
[ 73.405398][ T8387] _raw_write_lock+0x2a/0x40
[ 73.405418][ T8387] ? nfc_llcp_sock_unlink+0x1d/0x1c0
[ 73.405438][ T8387] nfc_llcp_sock_unlink+0x1d/0x1c0
[ 73.405460][ T8387] llcp_sock_release+0x286/0x580
[ 73.405490][ T8387] __sock_release+0xcd/0x280
[ 73.405513][ T8387] sock_close+0x18/0x20
[ 73.405533][ T8387] __fput+0x288/0x920
[ 73.405556][ T8387] ? __sock_release+0x280/0x280
[ 73.405581][ T8387] task_work_run+0xdd/0x1a0
[ 73.405607][ T8387] do_exit+0xbfc/0x2a60
[ 73.405635][ T8387] ? find_held_lock+0x2d/0x110
[ 73.405657][ T8387] ? mm_update_next_owner+0x7a0/0x7a0
[ 73.405685][ T8387] ? get_signal+0x337/0x2150
[ 73.405705][ T8387] ? lock_downgrade+0x6e0/0x6e0
[ 73.405731][ T8387] do_group_exit+0x125/0x310
[ 73.405755][ T8387] get_signal+0x47f/0x2150
[ 73.417987][ T8386] WARNING: CPU: 1 PID: 8386 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0
[ 73.419095][ T8387] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.419129][ T8387] arch_do_signal_or_restart+0x2a8/0x1eb0
[ 73.419166][ T8387] ? copy_siginfo_to_user32+0xa0/0xa0
[ 73.424087][ T8386] Modules linked in:
[ 73.429104][ T8387] ? __context_tracking_exit+0xb8/0xe0
[ 73.429137][ T8387] ? lock_downgrade+0x6e0/0x6e0
[ 73.429166][ T8387] ? __x64_sys_recvmmsg+0x1bf/0x260
[ 73.429195][ T8387] exit_to_user_mode_prepare+0x148/0x250
[ 73.434825][ T8386]
[ 73.441219][ T8387] syscall_exit_to_user_mode+0x19/0x60
[ 73.441250][ T8387] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.441278][ T8387] RIP: 0033:0x43fd79
[ 73.441294][ T8387] Code: Unable to access opcode bytes at RIP 0x43fd4f.
[ 73.441304][ T8387] RSP: 002b:00007ffe40e4ce78 EFLAGS: 00000246
[ 73.446831][ T8386] CPU: 1 PID: 8386 Comm: syz-executor259 Not tainted 5.12.0-rc7-syzkaller #0
[ 73.451328][ T8387] ORIG_RAX: 000000000000012b
[ 73.451338][ T8387] RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
[ 73.451353][ T8387] RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
[ 73.451368][ T8387] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 73.451382][ T8387] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
[ 73.451397][ T8387] R13: 0000000000000000 R14: 00007ffe40e4cea0 R15: 00007ffe40e4ce90
[ 73.451421][ T8387]
[ 73.456874][ T8386] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.461162][ T8387] Allocated by task 1:
[ 73.461173][ T8387] kasan_save_stack+0x1b/0x40
[ 73.461199][ T8387] __kasan_kmalloc+0x99/0xc0
[ 73.461220][ T8387] nfc_llcp_register_device+0x45/0x9d0
[ 73.461246][ T8387] nfc_register_device+0x6d/0x360
[ 73.466897][ T8386] RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0
[ 73.474657][ T8387] nfcsim_device_new+0x345/0x5c1
[ 73.474684][ T8387] nfcsim_init+0x71/0x14d
[ 73.474704][ T8387] do_one_initcall+0x103/0x650
[ 73.474727][ T8387] kernel_init_freeable+0x63e/0x6c2
[ 73.474749][ T8387] kernel_init+0xd/0x1b8
[ 73.474768][ T8387] ret_from_fork+0x1f/0x30
[ 73.474788][ T8387]
[ 73.474792][ T8387] Freed by task 8385:
[ 73.481354][ T8386] Code: e9 db fe ff ff 48 89 df e8 bc de ee fd e9 8a fe ff ff e8 a2 23 ab fd 48 c7 c7 80 db c1 89 c6 05 5e 25 e8 09 01 e8 98 7a f9 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
[ 73.486712][ T8387] kasan_save_stack+0x1b/0x40
[ 73.486737][ T8387] kasan_set_track+0x1c/0x30
[ 73.486757][ T8387] kasan_set_free_info+0x20/0x30
[ 73.486781][ T8387] __kasan_slab_free+0xf5/0x130
[ 73.486807][ T8387] slab_free_freelist_hook+0x92/0x210
[ 73.486833][ T8387] kfree+0xe5/0x7f0
[ 73.493344][ T8386] RSP: 0018:ffffc9000165f958 EFLAGS: 00010282
[ 73.497381][ T8387] nfc_llcp_local_put+0x194/0x200
[ 73.497414][ T8387] llcp_sock_destruct+0x81/0x150
[ 73.497435][ T8387] __sk_destruct+0x4b/0x900
[ 73.497455][ T8387] sk_destruct+0xbd/0xe0
[ 73.497475][ T8387] __sk_free+0xef/0x3d0
[ 73.497496][ T8387] sk_free+0x78/0xa0
[ 73.497515][ T8387] llcp_sock_release+0x3c9/0x580
[ 73.497537][ T8387] __sock_release+0xcd/0x280
[ 73.505378][ T8386]
[ 73.507478][ T8387] sock_close+0x18/0x20
[ 73.507507][ T8387] __fput+0x288/0x920
[ 73.507533][ T8387] task_work_run+0xdd/0x1a0
[ 73.507557][ T8387] do_exit+0xbfc/0x2a60
[ 73.512845][ T8386] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 73.518281][ T8387] do_group_exit+0x125/0x310
[ 73.518307][ T8387] get_signal+0x47f/0x2150
[ 73.518323][ T8387] arch_do_signal_or_restart+0x2a8/0x1eb0
[ 73.518349][ T8387] exit_to_user_mode_prepare+0x148/0x250
[ 73.518374][ T8387] syscall_exit_to_user_mode+0x19/0x60
[ 73.518398][ T8387] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.526282][ T8386] RDX: ffff88801fe6d4c0 RSI: ffffffff815c4d25 RDI: fffff520002cbf1d
[ 73.528268][ T8387]
[ 73.528274][ T8387] The buggy address belongs to the object at ffff888144790000
[ 73.528274][ T8387] which belongs to the cache kmalloc-2k of size 2048
[ 73.528292][ T8387] The buggy address is located 1128 bytes inside of
[ 73.528292][ T8387] 2048-byte region [ffff888144790000, ffff888144790800)
[ 73.528314][ T8387] The buggy address belongs to the page:
[ 73.528322][ T8387] page:ffffea000511e400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x144790
[ 73.528345][ T8387] head:ffffea000511e400 order:3 compound_mapcount:0 compound_pincount:0
[ 73.535577][ T8386] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 73.538376][ T8387] flags: 0x57ff00000010200(slab|head)
[ 73.538409][ T8387] raw: 057ff00000010200 dead000000000100 dead000000000122 ffff888010442000
[ 73.538430][ T8387] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 73.538442][ T8387] page dumped because: kasan: bad access detected
[ 73.538451][ T8387]
[ 73.538454][ T8387] Memory state around the buggy address:
[ 73.538465][ T8387] ffff888144790300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.538480][ T8387] ffff888144790380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.538495][ T8387] >ffff888144790400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.543266][ T8386] R10: ffffffff815bdabe R11: 0000000000000000 R12: 0000000000000000
[ 73.547221][ T8387] ^
[ 73.547237][ T8387] ffff888144790480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.547250][ T8387] ffff888144790500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.547261][ T8387] ==================================================================
[ 73.547267][ T8387] Disabling lock debugging due to kernel taint
[ 73.547274][ T8387] Kernel panic - not syncing: panic_on_warn set ...
[ 73.547284][ T8387] CPU: 0 PID: 8387 Comm: syz-executor259 Tainted: G B 5.12.0-rc7-syzkaller #0
[ 73.547308][ T8387] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.547320][ T8387] Call Trace:
[ 73.554712][ T8386] R13: ffff888144790018 R14: ffff888144790000 R15: ffff88802db9d1a0
[ 73.556104][ T8387] dump_stack+0x141/0x1d7
[ 73.556138][ T8387] panic+0x306/0x73d
[ 73.560707][ T8386] FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 73.564767][ T8387] ? __warn_printk+0xf3/0xf3
[ 73.564798][ T8387] ? __lock_acquire+0x3e6f/0x54c0
[ 73.564821][ T8387] ? __lock_acquire+0x3e6f/0x54c0
[ 73.570029][ T8386] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 73.575521][ T8387] ? __lock_acquire+0x3e6f/0x54c0
[ 73.575551][ T8387] end_report.cold+0x5a/0x5a
[ 73.575570][ T8387] kasan_report.cold+0x6a/0xd8
[ 73.575590][ T8387] ? __lock_acquire+0x16b0/0x54c0
[ 73.580518][ T8386] CR2: 00007ffe40e4ce58 CR3: 000000002684d000 CR4: 00000000001506e0
[ 73.584990][ T8387] ? __lock_acquire+0x3e6f/0x54c0
[ 73.585018][ T8387] __lock_acquire+0x3e6f/0x54c0
[ 73.585042][ T8387] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.589958][ T8386] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 73.594023][ T8387] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.594053][ T8387] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.594080][ T8387] lock_acquire+0x1ab/0x740
[ 73.603763][ T8386] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 73.609423][ T8387] ? nfc_llcp_sock_unlink+0x1d/0x1c0
[ 73.609454][ T8387] ? lock_release+0x720/0x720
[ 73.615468][ T8386] Call Trace:
[ 73.620530][ T8387] ? llcp_sock_release+0x1df/0x580
[ 73.620562][ T8387] ? mark_held_locks+0x9f/0xe0
[ 73.624706][ T8386] nfc_llcp_local_put+0x1ab/0x200
[ 73.629869][ T8387] _raw_write_lock+0x2a/0x40
[ 73.629896][ T8387] ? nfc_llcp_sock_unlink+0x1d/0x1c0
[ 73.635269][ T8386] llcp_sock_destruct+0x81/0x150
[ 73.639941][ T8387] nfc_llcp_sock_unlink+0x1d/0x1c0
[ 73.639969][ T8387] llcp_sock_release+0x286/0x580
[ 73.645894][ T8386] ? nfc_llcp_sock_free+0x220/0x220
[ 73.647898][ T8387] __sock_release+0xcd/0x280
[ 73.647927][ T8387] sock_close+0x18/0x20
[ 73.653445][ T8386] __sk_destruct+0x4b/0x900
[ 73.659230][ T8387] __fput+0x288/0x920
[ 73.659257][ T8387] ? __sock_release+0x280/0x280
[ 73.659284][ T8387] task_work_run+0xdd/0x1a0
[ 73.664065][ T8386] sk_destruct+0xbd/0xe0
[ 73.669981][ T8387] do_exit+0xbfc/0x2a60
[ 73.670012][ T8387] ? find_held_lock+0x2d/0x110
[ 73.676364][ T8386] __sk_free+0xef/0x3d0
[ 73.684793][ T8387] ? mm_update_next_owner+0x7a0/0x7a0
[ 73.684824][ T8387] ? get_signal+0x337/0x2150
[ 73.684842][ T8387] ? lock_downgrade+0x6e0/0x6e0
[ 73.689799][ T8386] sk_free+0x78/0xa0
[ 73.697475][ T8387] do_group_exit+0x125/0x310
[ 73.697506][ T8387] get_signal+0x47f/0x2150
[ 73.697527][ T8387] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 73.705876][ T8386] llcp_sock_release+0x3c9/0x580
[ 73.713455][ T8387] arch_do_signal_or_restart+0x2a8/0x1eb0
[ 73.713489][ T8387] ? copy_siginfo_to_user32+0xa0/0xa0
[ 73.721859][ T8386] __sock_release+0xcd/0x280
[ 73.729403][ T8387] ? __context_tracking_exit+0xb8/0xe0
[ 73.729431][ T8387] ? lock_downgrade+0x6e0/0x6e0
[ 73.729454][ T8387] ? __x64_sys_recvmmsg+0x1bf/0x260
[ 73.732086][ T8386] sock_close+0x18/0x20
[ 73.741831][ T8387] exit_to_user_mode_prepare+0x148/0x250
[ 73.741860][ T8387] syscall_exit_to_user_mode+0x19/0x60
[ 73.741883][ T8387] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 73.746287][ T8386] __fput+0x288/0x920
[ 73.750583][ T8387] RIP: 0033:0x43fd79
[ 73.750601][ T8387] Code: Unable to access opcode bytes at RIP 0x43fd4f.
[ 73.750610][ T8387] RSP: 002b:00007ffe40e4ce78 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[ 73.755578][ T8386] ? __sock_release+0x280/0x280
[ 73.760711][ T8387] RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
[ 73.760727][ T8387] RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
[ 73.760741][ T8387] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 73.766108][ T8386] task_work_run+0xdd/0x1a0
[ 73.771958][ T8387] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
[ 73.771973][ T8387] R13: 0000000000000000 R14: 00007ffe40e4cea0 R15: 00007ffe40e4ce90
[ 73.777545][ T8387] Kernel Offset: disabled
[ 74.551148][ T8387] Rebooting in 86400 seconds..