[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.43' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 36.164529] ==================================================================
[ 36.171974] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[ 36.178659] Read of size 8 at addr ffff8880ae5b0d60 by task syz-executor402/7985
[ 36.186174]
[ 36.187781] CPU: 0 PID: 7985 Comm: syz-executor402 Not tainted 4.14.232-syzkaller #0
[ 36.195639] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.204965] Call Trace:
[ 36.207546] dump_stack+0x1b2/0x281
[ 36.211149] print_address_description.cold+0x54/0x1d3
[ 36.216402] kasan_report_error.cold+0x8a/0x191
[ 36.221046] ? __lock_acquire+0x2c57/0x3f20
[ 36.225355] __asan_report_load8_noabort+0x68/0x70
[ 36.230277] ? __lock_acquire+0x2c57/0x3f20
[ 36.234574] __lock_acquire+0x2c57/0x3f20
[ 36.238696] ? __lock_acquire+0x5fc/0x3f20
[ 36.242921] ? trace_hardirqs_on+0x10/0x10
[ 36.247138] ? trace_hardirqs_on+0x10/0x10
[ 36.251348] ? trace_hardirqs_on+0x10/0x10
[ 36.255559] ? reacquire_held_locks+0xb5/0x3f0
[ 36.260126] ? release_sock+0x1b/0x1b0
[ 36.263988] ? lock_sock_nested+0x98/0x100
[ 36.268220] lock_acquire+0x170/0x3f0
[ 36.272053] ? nfc_llcp_sock_unlink+0x1d/0x170
[ 36.276616] _raw_write_lock+0x2a/0x40
[ 36.280479] ? nfc_llcp_sock_unlink+0x1d/0x170
[ 36.285051] nfc_llcp_sock_unlink+0x1d/0x170
[ 36.289444] llcp_sock_release+0x235/0x4c0
[ 36.293679] __sock_release+0xcd/0x2b0
[ 36.297545] ? __sock_release+0x2b0/0x2b0
[ 36.301671] sock_close+0x15/0x20
[ 36.305123] __fput+0x25f/0x7a0
[ 36.308380] task_work_run+0x11f/0x190
[ 36.312240] do_exit+0xa44/0x2850
[ 36.315666] ? ___sys_sendmsg+0x800/0x800
[ 36.319801] ? mm_update_next_owner+0x5b0/0x5b0
[ 36.324466] ? get_signal+0x323/0x1ca0
[ 36.328349] ? lock_acquire+0x170/0x3f0
[ 36.332312] ? lock_downgrade+0x740/0x740
[ 36.336439] do_group_exit+0x100/0x2e0
[ 36.340324] get_signal+0x38d/0x1ca0
[ 36.344015] do_signal+0x7c/0x1550
[ 36.347533] ? SyS_recvmsg+0x40/0x40
[ 36.351223] ? setup_sigcontext+0x820/0x820
[ 36.355530] ? llcp_sock_listen+0x181/0x230
[ 36.359830] ? llcp_sock_listen+0x181/0x230
[ 36.364125] ? __local_bh_enable_ip+0xc1/0x170
[ 36.368698] ? llcp_sock_listen+0x181/0x230
[ 36.373012] ? exit_to_usermode_loop+0x41/0x200
[ 36.377667] exit_to_usermode_loop+0x160/0x200
[ 36.382225] do_syscall_64+0x4a3/0x640
[ 36.386106] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.391282] RIP: 0033:0x43fd79
[ 36.394456] RSP: 002b:00007ffcc1aaf498 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[ 36.402150] RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
[ 36.409416] RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
[ 36.416664] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 36.423908] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
[ 36.431166] R13: 0000000000000000 R14: 00007ffcc1aaf4c0 R15: 00007ffcc1aaf4b0
[ 36.438424]
[ 36.440029] Allocated by task 1:
[ 36.443413] kasan_kmalloc+0xeb/0x160
[ 36.447193] kmem_cache_alloc_trace+0x131/0x3d0
[ 36.451841] nfc_llcp_register_device+0x43/0xa50
[ 36.456586] nfc_register_device+0x63/0x330
[ 36.460907] nfcsim_device_new+0x372/0x5c2
[ 36.465148] nfcsim_init+0x71/0x12a
[ 36.468751] do_one_initcall+0x88/0x210
[ 36.472698] kernel_init_freeable+0x553/0x614
[ 36.477168] kernel_init+0xd/0x165
[ 36.480700] ret_from_fork+0x24/0x30
[ 36.484384]
[ 36.485987] Freed by task 7984:
[ 36.489254] kasan_slab_free+0xc3/0x1a0
[ 36.493207] kfree+0xc9/0x250
[ 36.496285] nfc_llcp_local_put+0x13c/0x190
[ 36.500577] llcp_sock_destruct+0x69/0x120
[ 36.504786] __sk_destruct+0x49/0x760
[ 36.508577] __sk_free+0xd9/0x2d0
[ 36.512003] sk_free+0x2b/0x40
[ 36.515168] llcp_sock_release+0x31b/0x4c0
[ 36.519376] __sock_release+0xcd/0x2b0
[ 36.523236] sock_close+0x15/0x20
[ 36.526663] __fput+0x25f/0x7a0
[ 36.529933] task_work_run+0x11f/0x190
[ 36.533793] do_exit+0xa44/0x2850
[ 36.537222] do_group_exit+0x100/0x2e0
[ 36.541097] get_signal+0x38d/0x1ca0
[ 36.544786] do_signal+0x7c/0x1550
[ 36.548336] exit_to_usermode_loop+0x160/0x200
[ 36.552889] do_syscall_64+0x4a3/0x640
[ 36.556752] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.561912]
[ 36.563515] The buggy address belongs to the object at ffff8880ae5b0940
[ 36.563515] which belongs to the cache kmalloc-2048 of size 2048
[ 36.576323] The buggy address is located 1056 bytes inside of
[ 36.576323] 2048-byte region [ffff8880ae5b0940, ffff8880ae5b1140)
[ 36.588345] The buggy address belongs to the page:
[ 36.593246] page:ffffea0002b96c00 count:1 mapcount:0 mapping:ffff8880ae5b00c0 index:0x0 compound_mapcount: 0
[ 36.603190] flags: 0xfff00000008100(slab|head)
[ 36.607751] raw: 00fff00000008100 ffff8880ae5b00c0 0000000000000000 0000000100000003
[ 36.615607] raw: ffffea0002b96ba0 ffffea0002b98220 ffff88813fe80c40 0000000000000000
[ 36.623459] page dumped because: kasan: bad access detected
[ 36.629145]
[ 36.630783] Memory state around the buggy address:
[ 36.635692] ffff8880ae5b0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.643035] ffff8880ae5b0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.650372] >ffff8880ae5b0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.657719]                                                        ^
[ 36.664194] ffff8880ae5b0d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.671541] ffff8880ae5b0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 36.678872] ==================================================================
[ 36.686204] Disabling lock debugging due to kernel taint
[ 36.691623] Kernel panic - not syncing: panic_on_warn set ...
[ 36.691623]
[ 36.698963] CPU: 0 PID: 7985 Comm: syz-executor402 Tainted: G B 4.14.232-syzkaller #0
[ 36.708043] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 36.717372] Call Trace:
[ 36.719936] dump_stack+0x1b2/0x281
[ 36.723540] panic+0x1f9/0x42d
[ 36.726706] ? add_taint.cold+0x16/0x16
[ 36.730657] ? lock_downgrade+0x740/0x740
[ 36.734784] kasan_end_report+0x43/0x49
[ 36.738741] kasan_report_error.cold+0xa7/0x191
[ 36.743395] ? __lock_acquire+0x2c57/0x3f20
[ 36.747691] __asan_report_load8_noabort+0x68/0x70
[ 36.752595] ? __lock_acquire+0x2c57/0x3f20
[ 36.756892] __lock_acquire+0x2c57/0x3f20
[ 36.761026] ? __lock_acquire+0x5fc/0x3f20
[ 36.765246] ? trace_hardirqs_on+0x10/0x10
[ 36.769457] ? trace_hardirqs_on+0x10/0x10
[ 36.773664] ? trace_hardirqs_on+0x10/0x10
[ 36.777873] ? reacquire_held_locks+0xb5/0x3f0
[ 36.782430] ? release_sock+0x1b/0x1b0
[ 36.786289] ? lock_sock_nested+0x98/0x100
[ 36.790497] lock_acquire+0x170/0x3f0
[ 36.794272] ? nfc_llcp_sock_unlink+0x1d/0x170
[ 36.798870] _raw_write_lock+0x2a/0x40
[ 36.802732] ? nfc_llcp_sock_unlink+0x1d/0x170
[ 36.807290] nfc_llcp_sock_unlink+0x1d/0x170
[ 36.811733] llcp_sock_release+0x235/0x4c0
[ 36.815990] __sock_release+0xcd/0x2b0
[ 36.819904] ? __sock_release+0x2b0/0x2b0
[ 36.824029] sock_close+0x15/0x20
[ 36.827461] __fput+0x25f/0x7a0
[ 36.830761] task_work_run+0x11f/0x190
[ 36.834624] do_exit+0xa44/0x2850
[ 36.838051] ? ___sys_sendmsg+0x800/0x800
[ 36.842186] ? mm_update_next_owner+0x5b0/0x5b0
[ 36.846874] ? get_signal+0x323/0x1ca0
[ 36.850746] ? lock_acquire+0x170/0x3f0
[ 36.854692] ? lock_downgrade+0x740/0x740
[ 36.858869] do_group_exit+0x100/0x2e0
[ 36.862794] get_signal+0x38d/0x1ca0
[ 36.866495] do_signal+0x7c/0x1550
[ 36.870054] ? SyS_recvmsg+0x40/0x40
[ 36.873747] ? setup_sigcontext+0x820/0x820
[ 36.878048] ? llcp_sock_listen+0x181/0x230
[ 36.882348] ? llcp_sock_listen+0x181/0x230
[ 36.886660] ? __local_bh_enable_ip+0xc1/0x170
[ 36.891216] ? llcp_sock_listen+0x181/0x230
[ 36.895511] ? exit_to_usermode_loop+0x41/0x200
[ 36.900167] exit_to_usermode_loop+0x160/0x200
[ 36.904731] do_syscall_64+0x4a3/0x640
[ 36.908601] entry_SYSCALL_64_after_hwframe+0x46/0xbb
[ 36.913762] RIP: 0033:0x43fd79
[ 36.916940] RSP: 002b:00007ffcc1aaf498 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[ 36.924620] RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
[ 36.931863] RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
[ 36.939113] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[ 36.946359] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
[ 36.954398] R13: 0000000000000000 R14: 00007ffcc1aaf4c0 R15: 00007ffcc1aaf4b0
[ 36.961698] Kernel Offset: disabled
[ 36.965392] Rebooting in 86400 seconds..
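Triage of a report like the one above is mostly mechanical: strip the printk timestamps, identify the bug class and the faulting access, find the first non-infrastructure frame in each of the three stacks (use, allocation, free), decode the shadow byte at the faulting address, and sanity-check the offset KASAN printed against the one computed from the addresses. The helper below is an added example, not part of the syzbot report and not a syzkaller or kernel tool. It assumes the generic-KASAN report layout printed by 4.x-era kernels (the sample is a trimmed copy of the report above), the shadow values from mm/kasan/kasan.h of that era (0xfb = freed slab object, 0xfc = slab redzone, 0xfe = page redzone, 0xff = free page; newer kernels renamed some constants), and a heuristic prefix list for frames that belong to the reporting, allocator and lockdep machinery rather than to the subsystem that owns the bug. Frames marked "?" are skipped because they are stale stack slots, and only the first "Call Trace:" is taken as the use stack, since panic_on_warn prints a second one for the panic itself. On this report it yields: the kmalloc-2048 object was allocated in nfc_llcp_register_device, freed by task 7984 in nfc_llcp_local_put (from llcp_sock_destruct), and then read by task 7985 in nfc_llcp_sock_unlink while taking a write lock, i.e. a lifetime race between two socket release paths rather than a misuse inside one call chain.

```python
"""Triage helper for a generic-KASAN console report: strips printk timestamps, extracts the
bug class, the faulting access, the use/alloc/free stacks and the shadow byte at the faulting
address, and cross-checks the printed object offset.  Added example, not a kernel tool."""
import re

# Constructed input: a trimmed copy of the report on this page.
SAMPLE = """\
[   36.171974] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[   36.178659] Read of size 8 at addr ffff8880ae5b0d60 by task syz-executor402/7985
[   36.204965] Call Trace:
[   36.207546]  dump_stack+0x1b2/0x281
[   36.221046]  ? __lock_acquire+0x2c57/0x3f20
[   36.225355]  __asan_report_load8_noabort+0x68/0x70
[   36.234574]  __lock_acquire+0x2c57/0x3f20
[   36.276616]  _raw_write_lock+0x2a/0x40
[   36.285051]  nfc_llcp_sock_unlink+0x1d/0x170
[   36.289444]  llcp_sock_release+0x235/0x4c0
[   36.440029] Allocated by task 1:
[   36.443413]  kasan_kmalloc+0xeb/0x160
[   36.447193]  kmem_cache_alloc_trace+0x131/0x3d0
[   36.451841]  nfc_llcp_register_device+0x43/0xa50
[   36.485987] Freed by task 7984:
[   36.489254]  kasan_slab_free+0xc3/0x1a0
[   36.493207]  kfree+0xc9/0x250
[   36.496285]  nfc_llcp_local_put+0x13c/0x190
[   36.563515] The buggy address belongs to the object at ffff8880ae5b0940
[   36.563515]  which belongs to the cache kmalloc-2048 of size 2048
[   36.576323] The buggy address is located 1056 bytes inside of
[   36.643035]  ffff8880ae5b0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.650372] >ffff8880ae5b0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

TS_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
SECTION_RE = re.compile(r"^(Call Trace|Allocated by task (?P<apid>\d+)|Freed by task (?P<fpid>\d+)):")
FRAME_RE = re.compile(r"^\s*(?P<stale>\? )?(?P<sym>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+\s*$")
SHADOW_RE = re.compile(r"^\s*>?\s*(?P<base>[0-9a-f]{16}):\s*(?P<bytes>(?:[0-9a-f]{2}\s*){16})$")
HEX = lambda s: int(s, 16)
FIELDS = [  # (regex, per-group converter); named groups land in the result dict
    (re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x"), {}),
    (re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)"),
     {"size": int, "addr": HEX, "pid": int}),
    (re.compile(r"belongs to the object at (?P<obj_base>[0-9a-f]+)"), {"obj_base": HEX}),
    (re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<obj_size>\d+)"), {"obj_size": int}),
    (re.compile(r"located (?P<printed_offset>\d+) bytes inside of"), {"printed_offset": int}),
]
# Heuristic: reporting, allocator and lockdep frames are never where the bug lives.
INFRA = ("dump_stack", "print_address_description", "kasan_", "__asan_", "kmem_cache_",
         "kfree", "kmalloc", "__kmalloc", "lock_acquire", "__lock_acquire", "_raw_")
# Generic-KASAN shadow values (mm/kasan/kasan.h, 4.x era; newer kernels renamed some).
SHADOW_LEGEND = {0x00: "addressable", 0xfb: "freed slab object", 0xfc: "slab redzone",
                 0xfe: "page redzone", 0xff: "free page"}

def blame(stack):  # first frame that is not reporting/allocator/lock boilerplate
    return next((s for s in stack if not s.startswith(INFRA)), None)

def shadow_byte(lines, addr):  # shadow value covering addr: 1 byte per 8 bytes, 16 per row
    for line in lines:
        m = SHADOW_RE.match(line)
        if m and int(m["base"], 16) <= addr < int(m["base"], 16) + 128:
            return int(m["bytes"].split()[(addr - int(m["base"], 16)) // 8], 16)
    return None

def parse_kasan(text):
    lines = [TS_RE.sub("", l).rstrip() for l in text.splitlines()]
    r = {"stacks": {"access": [], "alloc": [], "free": []}, "alloc_pid": None, "free_pid": None}
    section = None
    for line in lines:
        hdr = SECTION_RE.match(line.strip())
        if hdr:
            if hdr["apid"]:
                section, r["alloc_pid"] = "alloc", int(hdr["apid"])
            elif hdr["fpid"]:
                section, r["free_pid"] = "free", int(hdr["fpid"])
            else:  # only the first Call Trace is the use stack; panic_on_warn prints another
                section = None if r["stacks"]["access"] else "access"
            continue
        fr = FRAME_RE.match(line)
        if fr and section:
            if not fr["stale"]:  # "? sym" slots are unreliable leftovers on the stack
                r["stacks"][section].append(fr["sym"])
            continue
        section = None  # any non-frame line ends the current stack block
        for pat, conv in FIELDS:
            m = pat.search(line)
            if m:
                r.update({k: conv.get(k, str)(v) for k, v in m.groupdict().items()})
    r["computed_offset"] = r["addr"] - r["obj_base"]
    r["offset_consistent"] = r["computed_offset"] == r.get("printed_offset")
    r["blame"] = {name: blame(stack) for name, stack in r["stacks"].items()}
    r["shadow"] = shadow_byte(lines, r["addr"])
    r["shadow_meaning"] = SHADOW_LEGEND.get(r["shadow"], "partial/other")
    # free in one task, use in another: a lifetime race between two call chains
    r["cross_task"] = r["free_pid"] is not None and r["free_pid"] != r["pid"]
    return r

def summarize(r):
    shadow = "?" if r["shadow"] is None else f"{r['shadow']:#04x}"
    return (f"{r['kind']}: {r['op']} of {r['size']} bytes at +{r['computed_offset']} into a {r['cache']} "
            f"object (shadow {shadow}: {r['shadow_meaning']}); alloc {r['blame']['alloc']} pid {r['alloc_pid']}, "
            f"free {r['blame']['free']} pid {r['free_pid']}, use {r['blame']['access']} pid {r['pid']}; "
            f"cross-task={r['cross_task']} offset-consistent={r['offset_consistent']}")

if __name__ == "__main__":
    print(summarize(parse_kasan(SAMPLE)))
```

Feed it the console log verbatim (timestamps included); the prefix list in INFRA is the part to tune per subsystem, and the shadow legend should be checked against the kasan.h of the kernel that produced the report.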