[[0;32m  OK  [0m] Reached target Login Prompts.
[[0;32m  OK  [0m] Reached target Multi-User System.
[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.42' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   77.641133][ T8396] ------------[ cut here ]------------
[   77.644680][ T8398] ==================================================================
[   77.647048][ T8396] refcount_t: underflow; use-after-free.
[   77.655262][ T8398] BUG: KASAN: use-after-free in __lock_acquire+0x3e6f/0x54c0
[   77.655322][ T8398] Read of size 8 at addr ffff88801a918468 by task syz-executor481/8398
[   77.655339][ T8398] 
[   77.655346][ T8398] CPU: 0 PID: 8398 Comm: syz-executor481 Not tainted 5.12.0-rc7-syzkaller #0
[   77.655365][ T8398] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.655377][ T8398] Call Trace:
[   77.655385][ T8398]  dump_stack+0x141/0x1d7
[   77.655415][ T8398]  ? __lock_acquire+0x3e6f/0x54c0
[   77.655434][ T8398]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   77.655457][ T8398]  ? __lock_acquire+0x3e6f/0x54c0
[   77.655476][ T8398]  ? __lock_acquire+0x3e6f/0x54c0
[   77.655495][ T8398]  kasan_report.cold+0x7c/0xd8
[   77.655514][ T8398]  ? __lock_acquire+0x15d0/0x54c0
[   77.655534][ T8398]  ? __lock_acquire+0x3e6f/0x54c0
[   77.655555][ T8398]  __lock_acquire+0x3e6f/0x54c0
[   77.655578][ T8398]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   77.655602][ T8398]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   77.655622][ T8398]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   77.655648][ T8398]  lock_acquire+0x1ab/0x740
[   77.655668][ T8398]  ? nfc_llcp_sock_unlink+0x1d/0x1c0
[   77.655692][ T8398]  ? lock_release+0x720/0x720
[   77.655713][ T8398]  ? llcp_sock_release+0x1df/0x580
[   77.655737][ T8398]  ? mark_held_locks+0x9f/0xe0
[   77.655770][ T8398]  _raw_write_lock+0x2a/0x40
[   77.655792][ T8398]  ? nfc_llcp_sock_unlink+0x1d/0x1c0
[   77.655816][ T8398]  nfc_llcp_sock_unlink+0x1d/0x1c0
[   77.655839][ T8398]  llcp_sock_release+0x286/0x580
[   77.655865][ T8398]  __sock_release+0xcd/0x280
[   77.655887][ T8398]  sock_close+0x18/0x20
[   77.655906][ T8398]  __fput+0x288/0x920
[   77.655925][ T8398]  ? __sock_release+0x280/0x280
[   77.655947][ T8398]  task_work_run+0xdd/0x1a0
[   77.655973][ T8398]  do_exit+0xbfc/0x2a60
[   77.656009][ T8398]  ? find_held_lock+0x2d/0x110
[   77.656032][ T8398]  ? mm_update_next_owner+0x7a0/0x7a0
[   77.656058][ T8398]  ? get_signal+0x337/0x2150
[   77.656076][ T8398]  ? lock_downgrade+0x6e0/0x6e0
[   77.656102][ T8398]  do_group_exit+0x125/0x310
[   77.656128][ T8398]  get_signal+0x47f/0x2150
[   77.656151][ T8398]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   77.656177][ T8398]  arch_do_signal_or_restart+0x2a8/0x1eb0
[   77.656212][ T8398]  ? copy_siginfo_to_user32+0xa0/0xa0
[   77.656239][ T8398]  ? __context_tracking_exit+0xb8/0xe0
[   77.656263][ T8398]  ? lock_downgrade+0x6e0/0x6e0
[   77.656288][ T8398]  ? __x64_sys_recvmmsg+0x1bf/0x260
[   77.687380][ T8396] WARNING: CPU: 1 PID: 8396 at lib/refcount.c:28 refcount_warn_saturate+0x1d1/0x1e0
[   77.688692][ T8398]  exit_to_user_mode_prepare+0x148/0x250
[   77.688726][ T8398]  syscall_exit_to_user_mode+0x19/0x60
[   77.688752][ T8398]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   77.688787][ T8398] RIP: 0033:0x43fd79
[   77.688804][ T8398] Code: Unable to access opcode bytes at RIP 0x43fd4f.
[   77.688814][ T8398] RSP: 002b:00007ffd67894878 EFLAGS: 00000246
[   77.708944][ T8396] Modules linked in:
[   77.712052][ T8398]  ORIG_RAX: 000000000000012b
[   77.712066][ T8398] RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
[   77.712081][ T8398] RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
[   77.712096][ T8398] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[   77.712110][ T8398] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
[   77.712124][ T8398] R13: 0000000000000000 R14: 00007ffd678948a0 R15: 00007ffd67894890
[   77.712149][ T8398] 
[   77.724454][ T8396] 
[   77.729226][ T8398] Allocated by task 1:
[   77.729241][ T8398]  kasan_save_stack+0x1b/0x40
[   77.729268][ T8398]  __kasan_kmalloc+0x99/0xc0
[   77.729288][ T8398]  nfc_llcp_register_device+0x45/0x9d0
[   77.729315][ T8398]  nfc_register_device+0x6d/0x360
[   77.729333][ T8398]  nfcsim_device_new+0x345/0x5c1
[   77.729356][ T8398]  nfcsim_init+0x71/0x14d
[   77.729374][ T8398]  do_one_initcall+0x103/0x650
[   77.729395][ T8398]  kernel_init_freeable+0x63e/0x6c2
[   77.729414][ T8398]  kernel_init+0xd/0x1b8
[   77.741213][ T8396] CPU: 1 PID: 8396 Comm: syz-executor481 Not tainted 5.12.0-rc7-syzkaller #0
[   77.744528][ T8398]  ret_from_fork+0x1f/0x30
[   77.744561][ T8398] 
[   77.744566][ T8398] Freed by task 8395:
[   77.744576][ T8398]  kasan_save_stack+0x1b/0x40
[   77.744600][ T8398]  kasan_set_track+0x1c/0x30
[   77.744619][ T8398]  kasan_set_free_info+0x20/0x30
[   77.754706][ T8396] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.755456][ T8398]  __kasan_slab_free+0xf5/0x130
[   77.755488][ T8398]  slab_free_freelist_hook+0x92/0x210
[   77.755509][ T8398]  kfree+0xe5/0x7f0
[   77.755527][ T8398]  nfc_llcp_local_put+0x194/0x200
[   77.765522][ T8396] RIP: 0010:refcount_warn_saturate+0x1d1/0x1e0
[   77.767513][ T8398]  llcp_sock_destruct+0x81/0x150
[   77.767544][ T8398]  __sk_destruct+0x4b/0x900
[   77.767565][ T8398]  sk_destruct+0xbd/0xe0
[   77.767583][ T8398]  __sk_free+0xef/0x3d0
[   77.767599][ T8398]  sk_free+0x78/0xa0
[   77.767615][ T8398]  llcp_sock_release+0x3c9/0x580
[   77.767638][ T8398]  __sock_release+0xcd/0x280
[   77.767658][ T8398]  sock_close+0x18/0x20
[   77.767676][ T8398]  __fput+0x288/0x920
[   77.777852][ T8396] Code: e9 db fe ff ff 48 89 df e8 4c de ee fd e9 8a fe ff ff e8 e2 b4 aa fd 48 c7 c7 c0 ed c1 89 c6 05 bc 94 e8 09 01 e8 f8 46 ff 04 <0f> 0b e9 af fe ff ff 0f 1f 84 00 00 00 00 00 41 56 41 55 41 54 55
[   77.782268][ T8398]  task_work_run+0xdd/0x1a0
[   77.782301][ T8398]  do_exit+0xbfc/0x2a60
[   77.782325][ T8398]  do_group_exit+0x125/0x310
[   77.782349][ T8398]  get_signal+0x47f/0x2150
[   77.782367][ T8398]  arch_do_signal_or_restart+0x2a8/0x1eb0
[   77.791356][ T8396] RSP: 0018:ffffc9000166f958 EFLAGS: 00010282
[   77.792242][ T8398]  exit_to_user_mode_prepare+0x148/0x250
[   77.797108][ T8396] 
[   77.802133][ T8398]  syscall_exit_to_user_mode+0x19/0x60
[   77.802169][ T8398]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   77.802200][ T8398] 
[   77.802205][ T8398] The buggy address belongs to the object at ffff88801a918000
[   77.802205][ T8398]  which belongs to the cache kmalloc-2k of size 2048
[   77.802222][ T8398] The buggy address is located 1128 bytes inside of
[   77.802222][ T8398]  2048-byte region [ffff88801a918000, ffff88801a918800)
[   77.802242][ T8398] The buggy address belongs to the page:
[   77.802251][ T8398] page:ffffea00006a4600 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1a918
[   77.802275][ T8398] head:ffffea00006a4600 order:3 compound_mapcount:0 compound_pincount:0
[   77.802292][ T8398] flags: 0xfff00000010200(slab|head)
[   77.802320][ T8398] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010842000
[   77.802339][ T8398] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   77.817905][ T8396] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[   77.821215][ T8398] page dumped because: kasan: bad access detected
[   77.821228][ T8398] 
[   77.821232][ T8398] Memory state around the buggy address:
[   77.821244][ T8398]  ffff88801a918300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.821259][ T8398]  ffff88801a918380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.821274][ T8398] >ffff88801a918400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.821285][ T8398]                                                           ^
[   77.821297][ T8398]  ffff88801a918480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.833242][ T8396] RDX: ffff88801e2454c0 RSI: ffffffff815c5205 RDI: fffff520002cdf1d
[   77.834717][ T8398]  ffff88801a918500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   77.834731][ T8398] ==================================================================
[   77.834738][ T8398] Disabling lock debugging due to kernel taint
[   77.834746][ T8398] Kernel panic - not syncing: panic_on_warn set ...
[   77.834757][ T8398] CPU: 0 PID: 8398 Comm: syz-executor481 Tainted: G    B             5.12.0-rc7-syzkaller #0
[   77.843922][ T8396] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
[   77.849196][ T8398] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.849211][ T8398] Call Trace:
[   77.849221][ T8398]  dump_stack+0x141/0x1d7
[   77.849247][ T8398]  panic+0x306/0x73d
[   77.849269][ T8398]  ? __warn_printk+0xf3/0xf3
[   77.849292][ T8398]  ? __lock_acquire+0x3e6f/0x54c0
[   77.856613][ T8396] R10: ffffffff815bdf9e R11: 0000000000000000 R12: 0000000000000000
[   77.858735][ T8398]  ? __lock_acquire+0x3e6f/0x54c0
[   77.858766][ T8398]  ? __lock_acquire+0x3e6f/0x54c0
[   77.858790][ T8398]  end_report.cold+0x5a/0x5a
[   77.858811][ T8398]  kasan_report.cold+0x6a/0xd8
[   77.866062][ T8396] R13: ffff88801a918018 R14: ffff88801a918000 R15: ffff88802f649490
[   77.867814][ T8398]  ? __lock_acquire+0x15d0/0x54c0
[   77.867847][ T8398]  ? __lock_acquire+0x3e6f/0x54c0
[   77.867869][ T8398]  __lock_acquire+0x3e6f/0x54c0
[   77.867894][ T8398]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   77.876943][ T8396] FS:  0000000000000000(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
[   77.879870][ T8398]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   77.879907][ T8398]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   77.879934][ T8398]  lock_acquire+0x1ab/0x740
[   77.879958][ T8398]  ? nfc_llcp_sock_unlink+0x1d/0x1c0
[   77.887990][ T8396] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   77.891513][ T8398]  ? lock_release+0x720/0x720
[   77.891556][ T8398]  ? llcp_sock_release+0x1df/0x580
[   77.891585][ T8398]  ? mark_held_locks+0x9f/0xe0
[   77.891608][ T8398]  _raw_write_lock+0x2a/0x40
[   77.900021][ T8396] CR2: 00007fdf9027b000 CR3: 0000000020fdb000 CR4: 00000000001506e0
[   77.901644][ T8398]  ? nfc_llcp_sock_unlink+0x1d/0x1c0
[   77.901685][ T8398]  nfc_llcp_sock_unlink+0x1d/0x1c0
[   77.913394][ T8396] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   77.916785][ T8398]  llcp_sock_release+0x286/0x580
[   77.916824][ T8398]  __sock_release+0xcd/0x280
[   77.916847][ T8398]  sock_close+0x18/0x20
[   77.924706][ T8396] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   77.928355][ T8398]  __fput+0x288/0x920
[   77.928384][ T8398]  ? __sock_release+0x280/0x280
[   77.928408][ T8398]  task_work_run+0xdd/0x1a0
[   77.928434][ T8398]  do_exit+0xbfc/0x2a60
[   77.934831][ T8396] Call Trace:
[   77.939273][ T8398]  ? find_held_lock+0x2d/0x110
[   77.939307][ T8398]  ? mm_update_next_owner+0x7a0/0x7a0
[   77.939334][ T8398]  ? get_signal+0x337/0x2150
[   77.939353][ T8398]  ? lock_downgrade+0x6e0/0x6e0
[   77.939377][ T8398]  do_group_exit+0x125/0x310
[   77.948108][ T8396]  nfc_llcp_local_put+0x1ab/0x200
[   77.949325][ T8398]  get_signal+0x47f/0x2150
[   77.949356][ T8398]  ? lockdep_hardirqs_on_prepare+0x400/0x400
[   77.954163][ T8396]  llcp_sock_destruct+0x81/0x150
[   77.962015][ T8398]  arch_do_signal_or_restart+0x2a8/0x1eb0
[   77.962061][ T8398]  ? copy_siginfo_to_user32+0xa0/0xa0
[   77.962085][ T8398]  ? __context_tracking_exit+0xb8/0xe0
[   77.962109][ T8398]  ? lock_downgrade+0x6e0/0x6e0
[   77.962133][ T8398]  ? __x64_sys_recvmmsg+0x1bf/0x260
[   77.974150][ T8396]  ? nfc_llcp_sock_free+0x220/0x220
[   77.978511][ T8398]  exit_to_user_mode_prepare+0x148/0x250
[   77.978550][ T8398]  syscall_exit_to_user_mode+0x19/0x60
[   77.978575][ T8398]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   77.978601][ T8398] RIP: 0033:0x43fd79
[   77.978617][ T8398] Code: Unable to access opcode bytes at RIP 0x43fd4f.
[   77.978625][ T8398] RSP: 002b:00007ffd67894878 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[   77.978648][ T8398] RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
[   77.990055][ T8396]  __sk_destruct+0x4b/0x900
[   77.994642][ T8398] RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
[   77.994665][ T8398] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[   77.994676][ T8398] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
[   77.994689][ T8398] R13: 0000000000000000 R14: 00007ffd678948a0 R15: 00007ffd67894890
[   77.997534][ T8398] Kernel Offset: disabled
[   78.814825][ T8398] Rebooting in 86400 seconds..