Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.1.52' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   73.184561][ T8422] ==================================================================
[   73.192680][ T8422] BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0
[   73.200102][ T8422] Read of size 8 at addr ffff888144614468 by task syz-executor242/8422
[   73.208448][ T8422] 
[   73.210782][ T8422] CPU: 0 PID: 8422 Comm: syz-executor242 Not tainted 5.12.0-rc4-syzkaller #0
[   73.219556][ T8422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   73.229713][ T8422] Call Trace:
[   73.233016][ T8422]  dump_stack+0x141/0x1d7
[   73.237415][ T8422]  ? __lock_acquire+0x3e6f/0x54c0
[   73.242474][ T8422]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   73.249532][ T8422]  ? __lock_acquire+0x3e6f/0x54c0
[   73.254578][ T8422]  ? __lock_acquire+0x3e6f/0x54c0
[   73.259622][ T8422]  kasan_report.cold+0x7c/0xd8
[   73.264415][ T8422]  ? __lock_acquire+0x16b0/0x54c0
[   73.269454][ T8422]  ? __lock_acquire+0x3e6f/0x54c0
[   73.274496][ T8422]  __lock_acquire+0x3e6f/0x54c0
[   73.279363][ T8422]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   73.285351][ T8422]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   73.291320][ T8422]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   73.297303][ T8422]  lock_acquire+0x1ab/0x740
[   73.301809][ T8422]  ? nfc_llcp_sock_unlink+0x1d/0x1c0
[   73.307105][ T8422]  ? lock_release+0x720/0x720
[   73.311803][ T8422]  ? llcp_sock_release+0x1df/0x580
[   73.316919][ T8422]  ? mark_held_locks+0x9f/0xe0
[   73.321670][ T8422]  _raw_write_lock+0x2a/0x40
[   73.326247][ T8422]  ? nfc_llcp_sock_unlink+0x1d/0x1c0
[   73.331523][ T8422]  nfc_llcp_sock_unlink+0x1d/0x1c0
[   73.336632][ T8422]  llcp_sock_release+0x286/0x580
[   73.341580][ T8422]  __sock_release+0xcd/0x280
[   73.346182][ T8422]  sock_close+0x18/0x20
[   73.350340][ T8422]  __fput+0x288/0x920
[   73.354315][ T8422]  ? __sock_release+0x280/0x280
[   73.359175][ T8422]  task_work_run+0xdd/0x1a0
[   73.363675][ T8422]  do_exit+0xbfc/0x2a60
[   73.367827][ T8422]  ? mm_update_next_owner+0x7a0/0x7a0
[   73.373193][ T8422]  ? lock_downgrade+0x6e0/0x6e0
[   73.378042][ T8422]  do_group_exit+0x125/0x310
[   73.382642][ T8422]  __x64_sys_exit_group+0x3a/0x50
[   73.387665][ T8422]  do_syscall_64+0x2d/0x70
[   73.392084][ T8422]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   73.398000][ T8422] RIP: 0033:0x43db99
[   73.401889][ T8422] Code: Unable to access opcode bytes at RIP 0x43db6f.
[   73.408731][ T8422] RSP: 002b:00007ffdd4d753e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   73.417139][ T8422] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043db99
[   73.425119][ T8422] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   73.433145][ T8422] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
[   73.441117][ T8422] R10: 0000000000400488 R11: 0000000000000246 R12: 00000000004ae230
[   73.449094][ T8422] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   73.457090][ T8422] 
[   73.459420][ T8422] Allocated by task 1:
[   73.463478][ T8422]  kasan_save_stack+0x1b/0x40
[   73.468146][ T8422]  __kasan_kmalloc+0x99/0xc0
[   73.472738][ T8422]  nfc_llcp_register_device+0x45/0x9d0
[   73.478201][ T8422]  nfc_register_device+0x6d/0x360
[   73.483221][ T8422]  nfcsim_device_new+0x345/0x5c1
[   73.488148][ T8422]  nfcsim_init+0x71/0x14d
[   73.492479][ T8422]  do_one_initcall+0x103/0x650
[   73.497234][ T8422]  kernel_init_freeable+0x63e/0x6c2
[   73.502429][ T8422]  kernel_init+0xd/0x1b8
[   73.506681][ T8422]  ret_from_fork+0x1f/0x30
[   73.511087][ T8422] 
[   73.513417][ T8422] Freed by task 8422:
[   73.517377][ T8422]  kasan_save_stack+0x1b/0x40
[   73.522046][ T8422]  kasan_set_track+0x1c/0x30
[   73.526636][ T8422]  kasan_set_free_info+0x20/0x30
[   73.531567][ T8422]  __kasan_slab_free+0xf5/0x130
[   73.536413][ T8422]  slab_free_freelist_hook+0x92/0x210
[   73.541797][ T8422]  kfree+0xe5/0x7f0
[   73.545611][ T8422]  nfc_llcp_local_put+0x194/0x200
[   73.550637][ T8422]  llcp_sock_destruct+0x81/0x150
[   73.555587][ T8422]  __sk_destruct+0x4b/0x900
[   73.560085][ T8422]  sk_destruct+0xbd/0xe0
[   73.564349][ T8422]  __sk_free+0xef/0x3d0
[   73.568492][ T8422]  sk_free+0x78/0xa0
[   73.572370][ T8422]  llcp_sock_release+0x3c9/0x580
[   73.577307][ T8422]  __sock_release+0xcd/0x280
[   73.581900][ T8422]  sock_close+0x18/0x20
[   73.586050][ T8422]  __fput+0x288/0x920
[   73.590033][ T8422]  task_work_run+0xdd/0x1a0
[   73.594525][ T8422]  do_exit+0xbfc/0x2a60
[   73.598672][ T8422]  do_group_exit+0x125/0x310
[   73.603266][ T8422]  __x64_sys_exit_group+0x3a/0x50
[   73.608298][ T8422]  do_syscall_64+0x2d/0x70
[   73.612708][ T8422]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   73.618602][ T8422] 
[   73.620911][ T8422] The buggy address belongs to the object at ffff888144614000
[   73.620911][ T8422]  which belongs to the cache kmalloc-2k of size 2048
[   73.634947][ T8422] The buggy address is located 1128 bytes inside of
[   73.634947][ T8422]  2048-byte region [ffff888144614000, ffff888144614800)
[   73.648404][ T8422] The buggy address belongs to the page:
[   73.654022][ T8422] page:ffffea0005118400 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888144616000 pfn:0x144610
[   73.665913][ T8422] head:ffffea0005118400 order:3 compound_mapcount:0 compound_pincount:0
[   73.674263][ T8422] flags: 0x57ff00000010200(slab|head)
[   73.679648][ T8422] raw: 057ff00000010200 ffffea00050f2008 ffffea00050f1e08 ffff888010842000
[   73.688228][ T8422] raw: ffff888144616000 0000000000080006 00000001ffffffff 0000000000000000
[   73.696797][ T8422] page dumped because: kasan: bad access detected
[   73.703205][ T8422] 
[   73.705526][ T8422] Memory state around the buggy address:
[   73.711143][ T8422]  ffff888144614300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.719211][ T8422]  ffff888144614380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.727322][ T8422] >ffff888144614400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.735384][ T8422]                                                           ^
[   73.742845][ T8422]  ffff888144614480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.750913][ T8422]  ffff888144614500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.758971][ T8422] ==================================================================
[   73.767026][ T8422] Disabling lock debugging due to kernel taint
[   73.773164][ T8422] Kernel panic - not syncing: panic_on_warn set ...
[   73.779738][ T8422] CPU: 0 PID: 8422 Comm: syz-executor242 Tainted: G    B             5.12.0-rc4-syzkaller #0
[   73.789880][ T8422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   73.799939][ T8422] Call Trace:
[   73.803218][ T8422]  dump_stack+0x141/0x1d7
[   73.807552][ T8422]  panic+0x306/0x73d
[   73.811447][ T8422]  ? __warn_printk+0xf3/0xf3
[   73.816038][ T8422]  ? __lock_acquire+0x3e6f/0x54c0
[   73.821137][ T8422]  ? __lock_acquire+0x3e6f/0x54c0
[   73.826194][ T8422]  ? __lock_acquire+0x3e6f/0x54c0
[   73.831224][ T8422]  end_report.cold+0x5a/0x5a
[   73.835815][ T8422]  kasan_report.cold+0x6a/0xd8
[   73.840588][ T8422]  ? __lock_acquire+0x16b0/0x54c0
[   73.845602][ T8422]  ? __lock_acquire+0x3e6f/0x54c0
[   73.850623][ T8422]  __lock_acquire+0x3e6f/0x54c0
[   73.855470][ T8422]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   73.861451][ T8422]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   73.867427][ T8422]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   73.873414][ T8422]  lock_acquire+0x1ab/0x740
[   73.877948][ T8422]  ? nfc_llcp_sock_unlink+0x1d/0x1c0
[   73.883226][ T8422]  ? lock_release+0x720/0x720
[   73.887908][ T8422]  ? llcp_sock_release+0x1df/0x580
[   73.893069][ T8422]  ? mark_held_locks+0x9f/0xe0
[   73.897854][ T8422]  _raw_write_lock+0x2a/0x40
[   73.902570][ T8422]  ? nfc_llcp_sock_unlink+0x1d/0x1c0
[   73.907864][ T8422]  nfc_llcp_sock_unlink+0x1d/0x1c0
[   73.913014][ T8422]  llcp_sock_release+0x286/0x580
[   73.917945][ T8422]  __sock_release+0xcd/0x280
[   73.922545][ T8422]  sock_close+0x18/0x20
[   73.926686][ T8422]  __fput+0x288/0x920
[   73.930665][ T8422]  ? __sock_release+0x280/0x280
[   73.935498][ T8422]  task_work_run+0xdd/0x1a0
[   73.939991][ T8422]  do_exit+0xbfc/0x2a60
[   73.944155][ T8422]  ? mm_update_next_owner+0x7a0/0x7a0
[   73.949531][ T8422]  ? lock_downgrade+0x6e0/0x6e0
[   73.954369][ T8422]  do_group_exit+0x125/0x310
[   73.958965][ T8422]  __x64_sys_exit_group+0x3a/0x50
[   73.963980][ T8422]  do_syscall_64+0x2d/0x70
[   73.968397][ T8422]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   73.974284][ T8422] RIP: 0033:0x43db99
[   73.978163][ T8422] Code: Unable to access opcode bytes at RIP 0x43db6f.
[   73.985093][ T8422] RSP: 002b:00007ffdd4d753e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   73.993506][ T8422] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043db99
[   74.001476][ T8422] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   74.009442][ T8422] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
[   74.017417][ T8422] R10: 0000000000400488 R11: 0000000000000246 R12: 00000000004ae230
[   74.025381][ T8422] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   74.033893][ T8422] Kernel Offset: disabled
[   74.038240][ T8422] Rebooting in 86400 seconds..
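Reading the three stacks together: the object in kmalloc-2k was allocated once, by task 1, when nfcsim registered its device at boot (nfc_llcp_register_device). Its last reference was dropped by the exiting syz-executor242 process from a socket destructor (llcp_sock_release -> sk_free -> llcp_sock_destruct -> nfc_llcp_local_put -> kfree) while closing one LLCP socket, and the crash is the same process closing another LLCP socket, whose llcp_sock_release -> nfc_llcp_sock_unlink takes a write lock that lives 1128 bytes inside the freed object. In other words the per-device object's reference count was lower than the number of sockets still pointing at it, so one socket's put freed it out from under the other. The C model below is an added illustration and not kernel code: `struct local` and `struct sock` are stand-ins for the per-device object and an LLCP socket, kfree() is modelled by a `freed` flag so the use-after-free can be counted instead of crashing, and `sock_bind()` with `take_ref` false/true is a hypothetical unbalanced versus balanced get/put pairing that reproduces the sequence in the report.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model of the lifetime problem the KASAN report shows.
 * Not kernel code: "local" stands in for the per-device object allocated by
 * nfc_llcp_register_device() and released by nfc_llcp_local_put(); "sock"
 * stands in for an LLCP socket that keeps a pointer to it.
 */

struct local {
    int refcount;   /* the registered device holds one reference itself */
    bool freed;     /* models kfree(): set once the count reaches zero */
    int nsockets;   /* models the socket list guarded by a lock inside local */
    int uaf_hits;   /* accesses after "free"; KASAN would report the first one */
};

struct sock {
    struct local *local;
};

static void local_get(struct local *l) { l->refcount++; }

static void local_put(struct local *l)
{
    if (l->freed) { l->uaf_hits++; return; }  /* touching freed memory */
    if (--l->refcount == 0)
        l->freed = true;                      /* kfree(local) in the kernel */
}

/* nfc_llcp_sock_unlink(): takes the sockets lock, which lives inside local */
static void sock_unlink(struct sock *sk)
{
    struct local *l = sk->local;
    if (l->freed) { l->uaf_hits++; return; }  /* the reported use-after-free */
    l->nsockets--;
}

/* llcp_sock_destruct(): drops the reference the socket is assumed to hold */
static void sock_destruct(struct sock *sk)
{
    local_put(sk->local);
    sk->local = NULL;
}

/* llcp_sock_release(): unlink first, then sk_free() runs the destructor */
static void sock_release(struct sock *sk)
{
    sock_unlink(sk);
    sock_destruct(sk);
}

/*
 * Hypothetical bind. With take_ref == false the socket stores the pointer
 * without a matching local_get(), so the put in its destructor is unbalanced
 * and the device's own reference is what gets dropped. With take_ref == true
 * every stored pointer is backed by a reference.
 */
static void sock_bind(struct sock *sk, struct local *l, bool take_ref)
{
    if (take_ref)
        local_get(l);
    sk->local = l;
    l->nsockets++;
}

/* Replays the report: one device object, two sockets, both closed at exit. */
static void run(bool take_ref, struct local *dev)
{
    struct sock a = { 0 }, b = { 0 };

    *dev = (struct local){ .refcount = 1 };   /* allocated once at boot */
    sock_bind(&a, dev, take_ref);
    sock_bind(&b, dev, take_ref);
    sock_release(&a);   /* "Freed by" stack: destruct -> put -> kfree */
    sock_release(&b);   /* crash stack: unlink -> write_lock on freed memory */
}

/* Number of accesses to the object after it was freed (0 when correct). */
int uaf_hits(bool take_ref)
{
    struct local dev;
    run(take_ref, &dev);
    return dev.uaf_hits;
}

/* References still held by the device after both sockets are gone. */
int refs_left(bool take_ref)
{
    struct local dev;
    run(take_ref, &dev);
    return dev.refcount;
}

int main(void)
{
    printf("unbalanced put: %d use(s) after free, %d ref(s) left\n",
           uaf_hits(false), refs_left(false));
    printf("balanced get/put: %d use(s) after free, %d ref(s) left\n",
           uaf_hits(true), refs_left(true));
    return 0;
}
```

In the unbalanced run the second socket trips twice: once in the unlink (the access KASAN flagged here) and again in its own destructor's put, which the real kernel never reached because panic_on_warn was set. The invariant the balanced run keeps is the one to check when reviewing a fix in this area: every place that stores a pointer to the per-device object must hold a reference for exactly as long as that pointer can still be dereferenced, including on the close and error paths.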