[[0;32m  OK  [0m] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
         Starting Load/Save RF Kill Switch Status...
[[0;32m  OK  [0m] Started Load/Save RF Kill Switch Status.
[[0;32m  OK  [0m] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.43' (ECDSA) to the list of known hosts.
executing program
executing program
executing program
executing program
executing program
executing program
executing program
syzkaller login: [   36.164529] ==================================================================
[   36.171974] BUG: KASAN: use-after-free in __lock_acquire+0x2c57/0x3f20
[   36.178659] Read of size 8 at addr ffff8880ae5b0d60 by task syz-executor402/7985
[   36.186174] 
[   36.187781] CPU: 0 PID: 7985 Comm: syz-executor402 Not tainted 4.14.232-syzkaller #0
[   36.195639] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.204965] Call Trace:
[   36.207546]  dump_stack+0x1b2/0x281
[   36.211149]  print_address_description.cold+0x54/0x1d3
[   36.216402]  kasan_report_error.cold+0x8a/0x191
[   36.221046]  ? __lock_acquire+0x2c57/0x3f20
[   36.225355]  __asan_report_load8_noabort+0x68/0x70
[   36.230277]  ? __lock_acquire+0x2c57/0x3f20
[   36.234574]  __lock_acquire+0x2c57/0x3f20
[   36.238696]  ? __lock_acquire+0x5fc/0x3f20
[   36.242921]  ? trace_hardirqs_on+0x10/0x10
[   36.247138]  ? trace_hardirqs_on+0x10/0x10
[   36.251348]  ? trace_hardirqs_on+0x10/0x10
[   36.255559]  ? reacquire_held_locks+0xb5/0x3f0
[   36.260126]  ? release_sock+0x1b/0x1b0
[   36.263988]  ? lock_sock_nested+0x98/0x100
[   36.268220]  lock_acquire+0x170/0x3f0
[   36.272053]  ? nfc_llcp_sock_unlink+0x1d/0x170
[   36.276616]  _raw_write_lock+0x2a/0x40
[   36.280479]  ? nfc_llcp_sock_unlink+0x1d/0x170
[   36.285051]  nfc_llcp_sock_unlink+0x1d/0x170
[   36.289444]  llcp_sock_release+0x235/0x4c0
[   36.293679]  __sock_release+0xcd/0x2b0
[   36.297545]  ? __sock_release+0x2b0/0x2b0
[   36.301671]  sock_close+0x15/0x20
[   36.305123]  __fput+0x25f/0x7a0
[   36.308380]  task_work_run+0x11f/0x190
[   36.312240]  do_exit+0xa44/0x2850
[   36.315666]  ? ___sys_sendmsg+0x800/0x800
[   36.319801]  ? mm_update_next_owner+0x5b0/0x5b0
[   36.324466]  ? get_signal+0x323/0x1ca0
[   36.328349]  ? lock_acquire+0x170/0x3f0
[   36.332312]  ? lock_downgrade+0x740/0x740
[   36.336439]  do_group_exit+0x100/0x2e0
[   36.340324]  get_signal+0x38d/0x1ca0
[   36.344015]  do_signal+0x7c/0x1550
[   36.347533]  ? SyS_recvmsg+0x40/0x40
[   36.351223]  ? setup_sigcontext+0x820/0x820
[   36.355530]  ? llcp_sock_listen+0x181/0x230
[   36.359830]  ? llcp_sock_listen+0x181/0x230
[   36.364125]  ? __local_bh_enable_ip+0xc1/0x170
[   36.368698]  ? llcp_sock_listen+0x181/0x230
[   36.373012]  ? exit_to_usermode_loop+0x41/0x200
[   36.377667]  exit_to_usermode_loop+0x160/0x200
[   36.382225]  do_syscall_64+0x4a3/0x640
[   36.386106]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   36.391282] RIP: 0033:0x43fd79
[   36.394456] RSP: 002b:00007ffcc1aaf498 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[   36.402150] RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
[   36.409416] RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
[   36.416664] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[   36.423908] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
[   36.431166] R13: 0000000000000000 R14: 00007ffcc1aaf4c0 R15: 00007ffcc1aaf4b0
[   36.438424] 
[   36.440029] Allocated by task 1:
[   36.443413]  kasan_kmalloc+0xeb/0x160
[   36.447193]  kmem_cache_alloc_trace+0x131/0x3d0
[   36.451841]  nfc_llcp_register_device+0x43/0xa50
[   36.456586]  nfc_register_device+0x63/0x330
[   36.460907]  nfcsim_device_new+0x372/0x5c2
[   36.465148]  nfcsim_init+0x71/0x12a
[   36.468751]  do_one_initcall+0x88/0x210
[   36.472698]  kernel_init_freeable+0x553/0x614
[   36.477168]  kernel_init+0xd/0x165
[   36.480700]  ret_from_fork+0x24/0x30
[   36.484384] 
[   36.485987] Freed by task 7984:
[   36.489254]  kasan_slab_free+0xc3/0x1a0
[   36.493207]  kfree+0xc9/0x250
[   36.496285]  nfc_llcp_local_put+0x13c/0x190
[   36.500577]  llcp_sock_destruct+0x69/0x120
[   36.504786]  __sk_destruct+0x49/0x760
[   36.508577]  __sk_free+0xd9/0x2d0
[   36.512003]  sk_free+0x2b/0x40
[   36.515168]  llcp_sock_release+0x31b/0x4c0
[   36.519376]  __sock_release+0xcd/0x2b0
[   36.523236]  sock_close+0x15/0x20
[   36.526663]  __fput+0x25f/0x7a0
[   36.529933]  task_work_run+0x11f/0x190
[   36.533793]  do_exit+0xa44/0x2850
[   36.537222]  do_group_exit+0x100/0x2e0
[   36.541097]  get_signal+0x38d/0x1ca0
[   36.544786]  do_signal+0x7c/0x1550
[   36.548336]  exit_to_usermode_loop+0x160/0x200
[   36.552889]  do_syscall_64+0x4a3/0x640
[   36.556752]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   36.561912] 
[   36.563515] The buggy address belongs to the object at ffff8880ae5b0940
[   36.563515]  which belongs to the cache kmalloc-2048 of size 2048
[   36.576323] The buggy address is located 1056 bytes inside of
[   36.576323]  2048-byte region [ffff8880ae5b0940, ffff8880ae5b1140)
[   36.588345] The buggy address belongs to the page:
[   36.593246] page:ffffea0002b96c00 count:1 mapcount:0 mapping:ffff8880ae5b00c0 index:0x0 compound_mapcount: 0
[   36.603190] flags: 0xfff00000008100(slab|head)
[   36.607751] raw: 00fff00000008100 ffff8880ae5b00c0 0000000000000000 0000000100000003
[   36.615607] raw: ffffea0002b96ba0 ffffea0002b98220 ffff88813fe80c40 0000000000000000
[   36.623459] page dumped because: kasan: bad access detected
[   36.629145] 
[   36.630783] Memory state around the buggy address:
[   36.635692]  ffff8880ae5b0c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.643035]  ffff8880ae5b0c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.650372] >ffff8880ae5b0d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.657719]                                                        ^
[   36.664194]  ffff8880ae5b0d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.671541]  ffff8880ae5b0e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   36.678872] ==================================================================
[   36.686204] Disabling lock debugging due to kernel taint
[   36.691623] Kernel panic - not syncing: panic_on_warn set ...
[   36.691623] 
[   36.698963] CPU: 0 PID: 7985 Comm: syz-executor402 Tainted: G    B           4.14.232-syzkaller #0
[   36.708043] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   36.717372] Call Trace:
[   36.719936]  dump_stack+0x1b2/0x281
[   36.723540]  panic+0x1f9/0x42d
[   36.726706]  ? add_taint.cold+0x16/0x16
[   36.730657]  ? lock_downgrade+0x740/0x740
[   36.734784]  kasan_end_report+0x43/0x49
[   36.738741]  kasan_report_error.cold+0xa7/0x191
[   36.743395]  ? __lock_acquire+0x2c57/0x3f20
[   36.747691]  __asan_report_load8_noabort+0x68/0x70
[   36.752595]  ? __lock_acquire+0x2c57/0x3f20
[   36.756892]  __lock_acquire+0x2c57/0x3f20
[   36.761026]  ? __lock_acquire+0x5fc/0x3f20
[   36.765246]  ? trace_hardirqs_on+0x10/0x10
[   36.769457]  ? trace_hardirqs_on+0x10/0x10
[   36.773664]  ? trace_hardirqs_on+0x10/0x10
[   36.777873]  ? reacquire_held_locks+0xb5/0x3f0
[   36.782430]  ? release_sock+0x1b/0x1b0
[   36.786289]  ? lock_sock_nested+0x98/0x100
[   36.790497]  lock_acquire+0x170/0x3f0
[   36.794272]  ? nfc_llcp_sock_unlink+0x1d/0x170
[   36.798870]  _raw_write_lock+0x2a/0x40
[   36.802732]  ? nfc_llcp_sock_unlink+0x1d/0x170
[   36.807290]  nfc_llcp_sock_unlink+0x1d/0x170
[   36.811733]  llcp_sock_release+0x235/0x4c0
[   36.815990]  __sock_release+0xcd/0x2b0
[   36.819904]  ? __sock_release+0x2b0/0x2b0
[   36.824029]  sock_close+0x15/0x20
[   36.827461]  __fput+0x25f/0x7a0
[   36.830761]  task_work_run+0x11f/0x190
[   36.834624]  do_exit+0xa44/0x2850
[   36.838051]  ? ___sys_sendmsg+0x800/0x800
[   36.842186]  ? mm_update_next_owner+0x5b0/0x5b0
[   36.846874]  ? get_signal+0x323/0x1ca0
[   36.850746]  ? lock_acquire+0x170/0x3f0
[   36.854692]  ? lock_downgrade+0x740/0x740
[   36.858869]  do_group_exit+0x100/0x2e0
[   36.862794]  get_signal+0x38d/0x1ca0
[   36.866495]  do_signal+0x7c/0x1550
[   36.870054]  ? SyS_recvmsg+0x40/0x40
[   36.873747]  ? setup_sigcontext+0x820/0x820
[   36.878048]  ? llcp_sock_listen+0x181/0x230
[   36.882348]  ? llcp_sock_listen+0x181/0x230
[   36.886660]  ? __local_bh_enable_ip+0xc1/0x170
[   36.891216]  ? llcp_sock_listen+0x181/0x230
[   36.895511]  ? exit_to_usermode_loop+0x41/0x200
[   36.900167]  exit_to_usermode_loop+0x160/0x200
[   36.904731]  do_syscall_64+0x4a3/0x640
[   36.908601]  entry_SYSCALL_64_after_hwframe+0x46/0xbb
[   36.913762] RIP: 0033:0x43fd79
[   36.916940] RSP: 002b:00007ffcc1aaf498 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
[   36.924620] RAX: fffffffffffffe00 RBX: 00000000000f4240 RCX: 000000000043fd79
[   36.931863] RDX: 0000000000000001 RSI: 00000000200032c0 RDI: 0000000000000003
[   36.939113] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001
[   36.946359] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000403550
[   36.954398] R13: 0000000000000000 R14: 00007ffcc1aaf4c0 R15: 00007ffcc1aaf4b0
[   36.961698] Kernel Offset: disabled
[   36.965392] Rebooting in 86400 seconds..