Warning: Permanently added '10.128.0.51' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [ 75.435191][ T8409] ------------[ cut here ]------------
[ 75.444552][ T8411] ==================================================================
[ 75.452654][ T8411] BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0
[ 75.460084][ T8411] Read of size 8 at addr ffff888143c4d468 by task syz-executor431/8411
[ 75.468425][ T8411]
[ 75.470942][ T8411] CPU: 0 PID: 8411 Comm: syz-executor431 Not tainted 5.12.0-rc6-syzkaller #0
executing program
executing program
executing program
executing program
executing program
executing program
executing program
[ 75.479984][ T8411] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.490179][ T8411] Call Trace:
[ 75.493897][ T8411] dump_stack+0x141/0x1d7
[ 75.498363][ T8411] ? __lock_acquire+0x3e6f/0x54c0
[ 75.503682][ T8411] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 75.511806][ T8411] ? __lock_acquire+0x3e6f/0x54c0
[ 75.517124][ T8411] ? __lock_acquire+0x3e6f/0x54c0
[ 75.522182][ T8411] kasan_report.cold+0x7c/0xd8
[ 75.526975][ T8411] ? __lock_acquire+0x16b0/0x54c0
[ 75.532036][ T8411] ? __lock_acquire+0x3e6f/0x54c0
[ 75.537093][ T8411] __lock_acquire+0x3e6f/0x54c0
[ 75.540272][ T8409] refcount_t: underflow; use-after-free.
[ 75.542067][ T8411] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 75.542108][ T8411] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 75.542133][ T8411] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 75.551516][ T8409] WARNING: CPU: 1 PID: 8409 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0
[ 75.554036][ T8411] lock_acquire+0x1ab/0x740
[ 75.554066][ T8411] ? nfc_llcp_sock_unlink+0x1d/0x1c0
[ 75.554095][ T8411] ? lock_release+0x720/0x720
[ 75.565448][ T8409] Modules linked in:
[ 75.566303][ T8411] ? llcp_sock_release+0x1df/0x580
[ 75.566343][ T8411] ? mark_held_locks+0x9f/0xe0
[ 75.566371][ T8411] _raw_write_lock+0x2a/0x40
[ 75.582134][ T8409]
[ 75.585843][ T8411] ? nfc_llcp_sock_unlink+0x1d/0x1c0
[ 75.585878][ T8411] nfc_llcp_sock_unlink+0x1d/0x1c0
[ 75.585906][ T8411] llcp_sock_release+0x286/0x580
[ 75.596114][ T8409] CPU: 1 PID: 8409 Comm: syz-executor431 Not tainted 5.12.0-rc6-syzkaller #0
[ 75.599779][ T8411] __sock_release+0xcd/0x280
[ 75.599814][ T8411] sock_close+0x18/0x20
[ 75.599838][ T8411] __fput+0x288/0x920
[ 75.605545][ T8409] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.609291][ T8411] ? __sock_release+0x280/0x280
[ 75.609327][ T8411] task_work_run+0xdd/0x1a0
[ 75.613900][ T8409] RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0
[ 75.617117][ T8411] do_exit+0xbfc/0x2a60
[ 75.617153][ T8411] ? mm_update_next_owner+0x7a0/0x7a0
[ 75.626761][ T8409] Code: e9 db fe ff ff 48 89 df e8 5c e0 ee fd e9 8a fe ff ff e8 92 2f ab fd 48 c7 c7 c0 d8 c1 89 c6 05 9d 26 e8 09 01 e8 9b 86 f9 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
[ 75.627726][ T8411] ? lock_downgrade+0x6e0/0x6e0
[ 75.627769][ T8411] do_group_exit+0x125/0x310
[ 75.643148][ T8409] RSP: 0018:ffffc9000191fb98 EFLAGS: 00010286
[ 75.646457][ T8411] __x64_sys_exit_group+0x3a/0x50
[ 75.646491][ T8411] do_syscall_64+0x2d/0x70
[ 75.646521][ T8411] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.650952][ T8409]
[ 75.661193][ T8411] RIP: 0033:0x43e989
[ 75.661213][ T8411] Code: Unable to access opcode bytes at RIP 0x43e95f.
[ 75.661223][ T8411] RSP: 002b:00007ffe312efd18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 75.661246][ T8411] RAX: ffffffffffffffda RBX: 00000000004b02f0 RCX: 000000000043e989
[ 75.661260][ T8411] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 75.661274][ T8411] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 75.661288][ T8411] R10: 0000000000080800 R11: 0000000000000246 R12: 00000000004b02f0
[ 75.661302][ T8411] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 75.661324][ T8411]
[ 75.661329][ T8411] Allocated by task 1:
[ 75.666740][ T8409] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 75.671128][ T8411] kasan_save_stack+0x1b/0x40
[ 75.671155][ T8411] __kasan_kmalloc+0x99/0xc0
[ 75.671175][ T8411] nfc_llcp_register_device+0x45/0x9d0
[ 75.671199][ T8411] nfc_register_device+0x6d/0x360
[ 75.671219][ T8411] nfcsim_device_new+0x345/0x5c1
[ 75.671241][ T8411] nfcsim_init+0x71/0x14d
[ 75.671260][ T8411] do_one_initcall+0x103/0x650
[ 75.678189][ T8409] RDX: ffff888017eb54c0 RSI: ffffffff815c4d15 RDI: fffff52000323f65
[ 75.681987][ T8411] kernel_init_freeable+0x63e/0x6c2
[ 75.682013][ T8411] kernel_init+0xd/0x1b8
[ 75.682035][ T8411] ret_from_fork+0x1f/0x30
[ 75.682055][ T8411]
[ 75.682060][ T8411] Freed by task 8408:
[ 75.682070][ T8411] kasan_save_stack+0x1b/0x40
[ 75.682091][ T8411] kasan_set_track+0x1c/0x30
[ 75.682110][ T8411] kasan_set_free_info+0x20/0x30
[ 75.682131][ T8411] __kasan_slab_free+0xf5/0x130
[ 75.682149][ T8411] slab_free_freelist_hook+0x92/0x210
[ 75.682176][ T8411] kfree+0xe5/0x7f0
[ 75.700681][ T8409] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[ 75.708819][ T8411] nfc_llcp_local_put+0x194/0x200
[ 75.708854][ T8411] llcp_sock_destruct+0x81/0x150
[ 75.708877][ T8411] __sk_destruct+0x4b/0x900
[ 75.708900][ T8411] sk_destruct+0xbd/0xe0
[ 75.708919][ T8411] __sk_free+0xef/0x3d0
[ 75.725249][ T8409] R10: ffffffff815bdaae R11: 0000000000000000 R12: 0000000000000000
[ 75.725754][ T8411] sk_free+0x78/0xa0
[ 75.738999][ T8409] R13: ffff888143c4d018 R14: ffff888143c4d000 R15: ffff88802fad4000
[ 75.741677][ T8411] llcp_sock_release+0x3c9/0x580
[ 75.741710][ T8411] __sock_release+0xcd/0x280
[ 75.741733][ T8411] sock_close+0x18/0x20
[ 75.741753][ T8411] __fput+0x288/0x920
[ 75.741776][ T8411] task_work_run+0xdd/0x1a0
[ 75.741798][ T8411] do_exit+0xbfc/0x2a60
[ 75.741821][ T8411] do_group_exit+0x125/0x310
[ 75.741845][ T8411] __x64_sys_exit_group+0x3a/0x50
[ 75.747773][ T8409] FS: 0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[ 75.748228][ T8411] do_syscall_64+0x2d/0x70
[ 75.765775][ T8409] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 75.772581][ T8411] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.772616][ T8411]
[ 75.772621][ T8411] The buggy address belongs to the object at ffff888143c4d000
[ 75.772621][ T8411] which belongs to the cache kmalloc-2k of size 2048
[ 75.772638][ T8411] The buggy address is located 1128 bytes inside of
[ 75.772638][ T8411] 2048-byte region [ffff888143c4d000, ffff888143c4d800)
[ 75.772657][ T8411] The buggy address belongs to the page:
[ 75.772666][ T8411] page:ffffea00050f1200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143c48
[ 75.772687][ T8411] head:ffffea00050f1200 order:3 compound_mapcount:0 compound_pincount:0
[ 75.772703][ T8411] flags: 0x57ff00000010200(slab|head)
[ 75.772729][ T8411] raw: 057ff00000010200 dead000000000100 dead000000000122 ffff888010442000
[ 75.788234][ T8409] CR2: 00007f710e7b8000 CR3: 0000000013474000 CR4: 00000000001506e0
[ 75.788897][ T8411] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 75.788912][ T8411] page dumped because: kasan: bad access detected
[ 75.788921][ T8411]
[ 75.788925][ T8411] Memory state around the buggy address:
[ 75.788936][ T8411] ffff888143c4d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.788951][ T8411] ffff888143c4d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.801123][ T8409] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 75.805391][ T8411] >ffff888143c4d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.805404][ T8411] ^
[ 75.805416][ T8411] ffff888143c4d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.805432][ T8411] ffff888143c4d500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 75.805444][ T8411] ==================================================================
[ 75.805451][ T8411] Disabling lock debugging due to kernel taint
[ 75.808013][ T8409] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 75.812041][ T8411] Kernel panic - not syncing: panic_on_warn set ...
[ 75.812052][ T8411] CPU: 0 PID: 8411 Comm: syz-executor431 Tainted: G B 5.12.0-rc6-syzkaller #0
[ 75.812073][ T8411] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 75.812085][ T8411] Call Trace:
[ 75.812094][ T8411] dump_stack+0x141/0x1d7
[ 75.812124][ T8411] panic+0x306/0x73d
[ 75.825503][ T8409] Call Trace:
[ 75.830106][ T8411] ? __warn_printk+0xf3/0xf3
[ 75.830137][ T8411] ? __lock_acquire+0x3e6f/0x54c0
[ 75.837116][ T8409] nfc_llcp_local_put+0x1ab/0x200
[ 75.840996][ T8411] ? __lock_acquire+0x3e6f/0x54c0
[ 75.841028][ T8411] ? __lock_acquire+0x3e6f/0x54c0
[ 75.841049][ T8411] end_report.cold+0x5a/0x5a
[ 75.841069][ T8411] kasan_report.cold+0x6a/0xd8
[ 75.841089][ T8411] ? __lock_acquire+0x16b0/0x54c0
[ 75.848383][ T8409] llcp_sock_destruct+0x81/0x150
[ 75.850773][ T8411] ? __lock_acquire+0x3e6f/0x54c0
[ 75.850802][ T8411] __lock_acquire+0x3e6f/0x54c0
[ 75.850826][ T8411] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 75.850852][ T8411] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 75.857456][ T8409] ? nfc_llcp_sock_free+0x220/0x220
[ 75.864274][ T8411] ? lockdep_hardirqs_on_prepare+0x400/0x400
[ 75.864307][ T8411] lock_acquire+0x1ab/0x740
[ 75.864329][ T8411] ? nfc_llcp_sock_unlink+0x1d/0x1c0
[ 75.864353][ T8411] ? lock_release+0x720/0x720
[ 75.871552][ T8409] __sk_destruct+0x4b/0x900
[ 75.874120][ T8411] ? llcp_sock_release+0x1df/0x580
[ 75.874152][ T8411] ? mark_held_locks+0x9f/0xe0
[ 75.878712][ T8409] sk_destruct+0xbd/0xe0
[ 75.881004][ T8411] _raw_write_lock+0x2a/0x40
[ 75.881029][ T8411] ? nfc_llcp_sock_unlink+0x1d/0x1c0
[ 75.881052][ T8411] nfc_llcp_sock_unlink+0x1d/0x1c0
[ 75.887939][ T8409] __sk_free+0xef/0x3d0
[ 75.890306][ T8411] llcp_sock_release+0x286/0x580
[ 75.890337][ T8411] __sock_release+0xcd/0x280
[ 75.890362][ T8411] sock_close+0x18/0x20
[ 75.890383][ T8411] __fput+0x288/0x920
[ 75.890407][ T8411] ? __sock_release+0x280/0x280
[ 75.897066][ T8409] sk_free+0x78/0xa0
[ 75.901929][ T8411] task_work_run+0xdd/0x1a0
[ 75.901968][ T8411] do_exit+0xbfc/0x2a60
[ 75.901997][ T8411] ? mm_update_next_owner+0x7a0/0x7a0
[ 75.902021][ T8411] ? lock_downgrade+0x6e0/0x6e0
[ 75.909389][ T8409] llcp_sock_release+0x3c9/0x580
[ 75.915191][ T8411] do_group_exit+0x125/0x310
[ 75.915222][ T8411] __x64_sys_exit_group+0x3a/0x50
[ 75.915249][ T8411] do_syscall_64+0x2d/0x70
[ 75.915274][ T8411] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 75.921323][ T8409] __sock_release+0xcd/0x280
[ 75.927875][ T8411] RIP: 0033:0x43e989
[ 75.927901][ T8411] Code: Unable to access opcode bytes at RIP 0x43e95f.
[ 75.927910][ T8411] RSP: 002b:00007ffe312efd18 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 75.927932][ T8411] RAX: ffffffffffffffda RBX: 00000000004b02f0 RCX: 000000000043e989
[ 75.935255][ T8409] sock_close+0x18/0x20
[ 75.938319][ T8411] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 75.938336][ T8411] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000001
[ 75.938350][ T8411] R10: 0000000000080800 R11: 0000000000000246 R12: 00000000004b02f0
[ 75.938364][ T8411] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 75.944704][ T8409] __fput+0x288/0x920
[ 75.948954][ T8411] Kernel Offset: disabled
[ 76.562546][ T8411] Rebooting in 86400 seconds..