[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Started getty on tty2-tty6 if dbus and logind are not available.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.199' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 63.418336][ T6824] input: syz0 as /devices/virtual/input/input5
[ 63.431053][ T6824] ==================================================================
[ 63.439401][ T6824] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[ 63.446605][ T6824] Read of size 8 at addr ffff8880a722d158 by task syz-executor905/6824
[ 63.454963][ T6824]
[ 63.457386][ T6824] CPU: 0 PID: 6824 Comm: syz-executor905 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[ 63.467268][ T6824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 63.477497][ T6824] Call Trace:
[ 63.480895][ T6824]  dump_stack+0x18f/0x20d
[ 63.485227][ T6824]  ? __mutex_lock+0x1033/0x13c0
[ 63.490453][ T6824]  ? __mutex_lock+0x1033/0x13c0
[ 63.495408][ T6824]  print_address_description.constprop.0.cold+0xd3/0x413
[ 63.502425][ T6824]  ? cdev_device_del+0x69/0x80
[ 63.507195][ T6824]  ? evdev_disconnect+0x3d/0xb0
[ 63.512178][ T6824]  ? __input_unregister_device+0x1b0/0x430
[ 63.517982][ T6824]  ? input_unregister_device+0xb4/0xf0
[ 63.523446][ T6824]  ? uinput_destroy_device+0x1e2/0x240
[ 63.528899][ T6824]  ? vprintk_func+0x97/0x1a6
[ 63.533477][ T6824]  ? __mutex_lock+0x1033/0x13c0
[ 63.538329][ T6824]  kasan_report.cold+0x1f/0x37
[ 63.543079][ T6824]  ? __mutex_lock+0x1033/0x13c0
[ 63.547927][ T6824]  __mutex_lock+0x1033/0x13c0
[ 63.552603][ T6824]  ? evdev_cleanup+0x21/0x190
[ 63.557256][ T6824]  ? print_usage_bug+0x240/0x240
[ 63.562172][ T6824]  ? trace_hardirqs_off+0x50/0x220
[ 63.567260][ T6824]  ? mutex_trylock+0x2c0/0x2c0
[ 63.572005][ T6824]  ? mark_held_locks+0x9f/0xe0
[ 63.576759][ T6824]  ? kfree+0x1eb/0x2b0
[ 63.580807][ T6824]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 63.586803][ T6824]  ? kfree_const+0x51/0x60
[ 63.591219][ T6824]  ? evdev_cleanup+0x21/0x190
[ 63.596500][ T6824]  evdev_cleanup+0x21/0x190
[ 63.601618][ T6824]  evdev_disconnect+0x45/0xb0
[ 63.606278][ T6824]  __input_unregister_device+0x1b0/0x430
[ 63.612944][ T6824]  input_unregister_device+0xb4/0xf0
[ 63.618214][ T6824]  uinput_destroy_device+0x1e2/0x240
[ 63.623496][ T6824]  ? uinput_destroy_device+0x240/0x240
[ 63.628931][ T6824]  uinput_release+0x37/0x50
[ 63.633423][ T6824]  __fput+0x33e/0x880
[ 63.637412][ T6824]  task_work_run+0xf4/0x1b0
[ 63.641993][ T6824]  do_exit+0xb5e/0x2e10
[ 63.646129][ T6824]  ? debug_smp_processor_id+0x2f/0x185
[ 63.651677][ T6824]  ? mm_update_next_owner+0x7a0/0x7a0
[ 63.657042][ T6824]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 63.663023][ T6824]  do_group_exit+0x125/0x340
[ 63.667607][ T6824]  __x64_sys_exit_group+0x3a/0x50
[ 63.672630][ T6824]  do_syscall_64+0xf6/0x7d0
[ 63.677121][ T6824]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 63.682994][ T6824] RIP: 0033:0x43eee8
[ 63.686874][ T6824] Code: Bad RIP value.
[ 63.690928][ T6824] RSP: 002b:00007ffed19c4318 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 63.699313][ T6824] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043eee8
[ 63.707610][ T6824] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 63.715572][ T6824] RBP: 00000000004be728 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 63.723525][ T6824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 63.731478][ T6824] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 63.739542][ T6824]
[ 63.741869][ T6824] Allocated by task 6824:
[ 63.746235][ T6824]  save_stack+0x1b/0x40
[ 63.750821][ T6824]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 63.756442][ T6824]  kmem_cache_alloc_trace+0x153/0x7d0
[ 63.762146][ T6824]  evdev_connect+0x80/0x4d0
[ 63.766630][ T6824]  input_attach_handler+0x194/0x200
[ 63.771802][ T6824]  input_register_device.cold+0xf5/0x246
[ 63.777429][ T6824]  uinput_ioctl_handler.isra.0+0x1210/0x1d80
[ 63.783395][ T6824]  ksys_ioctl+0x11a/0x180
[ 63.787710][ T6824]  __x64_sys_ioctl+0x6f/0xb0
[ 63.792276][ T6824]  do_syscall_64+0xf6/0x7d0
[ 63.796755][ T6824]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 63.802617][ T6824]
[ 63.804939][ T6824] Freed by task 6824:
[ 63.808926][ T6824]  save_stack+0x1b/0x40
[ 63.813092][ T6824]  __kasan_slab_free+0xf7/0x140
[ 63.817952][ T6824]  kfree+0x109/0x2b0
[ 63.821849][ T6824]  device_release+0x71/0x200
[ 63.826444][ T6824]  kobject_put+0x1c8/0x2f0
[ 63.830951][ T6824]  cdev_device_del+0x69/0x80
[ 63.835546][ T6824]  evdev_disconnect+0x3d/0xb0
[ 63.840246][ T6824]  __input_unregister_device+0x1b0/0x430
[ 63.846706][ T6824]  input_unregister_device+0xb4/0xf0
[ 63.852064][ T6824]  uinput_destroy_device+0x1e2/0x240
[ 63.857367][ T6824]  uinput_release+0x37/0x50
[ 63.861861][ T6824]  __fput+0x33e/0x880
[ 63.865817][ T6824]  task_work_run+0xf4/0x1b0
[ 63.870312][ T6824]  do_exit+0xb5e/0x2e10
[ 63.874441][ T6824]  do_group_exit+0x125/0x340
[ 63.879001][ T6824]  __x64_sys_exit_group+0x3a/0x50
[ 63.884003][ T6824]  do_syscall_64+0xf6/0x7d0
[ 63.888494][ T6824]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 63.894372][ T6824]
[ 63.896784][ T6824] The buggy address belongs to the object at ffff8880a722d000
[ 63.896784][ T6824]  which belongs to the cache kmalloc-2k of size 2048
[ 63.910823][ T6824] The buggy address is located 344 bytes inside of
[ 63.910823][ T6824]  2048-byte region [ffff8880a722d000, ffff8880a722d800)
[ 63.924159][ T6824] The buggy address belongs to the page:
[ 63.929791][ T6824] page:ffffea00029c8b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 63.939100][ T6824] flags: 0xfffe0000000200(slab)
[ 63.943950][ T6824] raw: 00fffe0000000200 ffffea00029cb988 ffffea00025aa188 ffff8880aa000e00
[ 63.952609][ T6824] raw: 0000000000000000 ffff8880a722d000 0000000100000001 0000000000000000
[ 63.961563][ T6824] page dumped because: kasan: bad access detected
[ 63.968057][ T6824]
[ 63.970723][ T6824] Memory state around the buggy address:
[ 63.976722][ T6824]  ffff8880a722d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.987021][ T6824]  ffff8880a722d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 63.998869][ T6824] >ffff8880a722d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.008075][ T6824]                                                     ^
[ 64.015605][ T6824]  ffff8880a722d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.024454][ T6824]  ffff8880a722d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 64.033529][ T6824] ==================================================================
[ 64.044200][ T6824] Disabling lock debugging due to kernel taint
[ 64.051098][ T6824] Kernel panic - not syncing: panic_on_warn set ...
[ 64.059273][ T6824] CPU: 0 PID: 6824 Comm: syz-executor905 Tainted: G    B             5.7.0-rc6-next-20200522-syzkaller #0
[ 64.070716][ T6824] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 64.082430][ T6824] Call Trace:
[ 64.085831][ T6824]  dump_stack+0x18f/0x20d
[ 64.091140][ T6824]  ? __mutex_lock+0xf50/0x13c0
[ 64.096433][ T6824]  panic+0x2e3/0x75c
[ 64.100956][ T6824]  ? __warn_printk+0xf3/0xf3
[ 64.105973][ T6824]  ? preempt_schedule_common+0x5e/0xc0
[ 64.111783][ T6824]  ? __mutex_lock+0x1033/0x13c0
[ 64.116758][ T6824]  ? __mutex_lock+0x1033/0x13c0
[ 64.121880][ T6824]  ? preempt_schedule_thunk+0x16/0x18
[ 64.128537][ T6824]  ? trace_hardirqs_on+0x55/0x230
[ 64.134062][ T6824]  ? __mutex_lock+0x1033/0x13c0
[ 64.139119][ T6824]  ? __mutex_lock+0x1033/0x13c0
[ 64.144069][ T6824]  end_report+0x4d/0x53
[ 64.148227][ T6824]  kasan_report.cold+0xd/0x37
[ 64.153111][ T6824]  ? __mutex_lock+0x1033/0x13c0
[ 64.158601][ T6824]  __mutex_lock+0x1033/0x13c0
[ 64.163402][ T6824]  ? evdev_cleanup+0x21/0x190
[ 64.168283][ T6824]  ? print_usage_bug+0x240/0x240
[ 64.175101][ T6824]  ? trace_hardirqs_off+0x50/0x220
[ 64.181496][ T6824]  ? mutex_trylock+0x2c0/0x2c0
[ 64.186604][ T6824]  ? mark_held_locks+0x9f/0xe0
[ 64.192109][ T6824]  ? kfree+0x1eb/0x2b0
[ 64.197070][ T6824]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 64.203064][ T6824]  ? kfree_const+0x51/0x60
[ 64.208213][ T6824]  ? evdev_cleanup+0x21/0x190
[ 64.213697][ T6824]  evdev_cleanup+0x21/0x190
[ 64.218638][ T6824]  evdev_disconnect+0x45/0xb0
[ 64.223322][ T6824]  __input_unregister_device+0x1b0/0x430
[ 64.229445][ T6824]  input_unregister_device+0xb4/0xf0
[ 64.234777][ T6824]  uinput_destroy_device+0x1e2/0x240
[ 64.240778][ T6824]  ? uinput_destroy_device+0x240/0x240
[ 64.246439][ T6824]  uinput_release+0x37/0x50
[ 64.251188][ T6824]  __fput+0x33e/0x880
[ 64.255190][ T6824]  task_work_run+0xf4/0x1b0
[ 64.259868][ T6824]  do_exit+0xb5e/0x2e10
[ 64.264009][ T6824]  ? debug_smp_processor_id+0x2f/0x185
[ 64.269650][ T6824]  ? mm_update_next_owner+0x7a0/0x7a0
[ 64.275386][ T6824]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 64.282385][ T6824]  do_group_exit+0x125/0x340
[ 64.287990][ T6824]  __x64_sys_exit_group+0x3a/0x50
[ 64.293610][ T6824]  do_syscall_64+0xf6/0x7d0
[ 64.298522][ T6824]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 64.304694][ T6824] RIP: 0033:0x43eee8
[ 64.308595][ T6824] Code: Bad RIP value.
[ 64.312643][ T6824] RSP: 002b:00007ffed19c4318 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 64.322687][ T6824] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043eee8
[ 64.330925][ T6824] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 64.339504][ T6824] RBP: 00000000004be728 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 64.348783][ T6824] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 64.360800][ T6824] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 64.370457][ T6824] Kernel Offset: disabled
[ 64.374782][ T6824] Rebooting in 86400 seconds..
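What the report shows, read from the two stacks: the object is the 2048-byte evdev allocation made in evdev_connect(); its last reference is dropped inside cdev_device_del() (return address evdev_disconnect+0x3d, "Freed by"), and only afterwards does evdev_cleanup() (evdev_disconnect+0x45) call mutex_lock() on a mutex that lives 344 bytes into that freed object. KASAN catches the read because the slab is poisoned (the fb shadow bytes). Whether the kernel's root cause was the order of those two calls or a reference dropped too early somewhere else is not decidable from this log alone; check the fix commit before drawing that conclusion. The following is an added userspace model of the ordering bug, not the kernel's evdev code or its fix; the struct, the tracking allocator and every function name in it are hypothetical. It poisons and quarantines released objects the way KASAN does, so the bad ordering is detected deterministically instead of being undefined behaviour:

```c
/* Added example: userspace model of "drop the last reference, then lock the
 * object's mutex". Not kernel code; all names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

#define LIVE_MAGIC 0x45564456   /* "EVDV" */
#define FREED_POISON 0xfb       /* mirrors KASAN's freed-slab shadow byte */

/* Stand-in for a refcounted device struct that embeds its own mutex. */
struct model_evdev {
    int refcount;
    int mutex_locked;
    int magic;
};

/* Tracking allocator: released objects are quarantined and poisoned rather
 * than handed back to malloc, so a later access can be detected reliably. */
enum { MAX_TRACKED = 64 };
static struct model_evdev *quarantine[MAX_TRACKED];
static size_t quarantined;

struct model_evdev *model_alloc(void)
{
    struct model_evdev *d = calloc(1, sizeof *d);
    if (!d)
        abort();
    d->refcount = 1;            /* the registration's reference */
    d->magic = LIVE_MAGIC;
    return d;
}

static void model_free(struct model_evdev *d)
{
    if (quarantined == MAX_TRACKED)
        abort();                /* keep every freed object addressable */
    d->magic = FREED_POISON;
    quarantine[quarantined++] = d;
}

static bool model_is_freed(const struct model_evdev *d)
{
    for (size_t i = 0; i < quarantined; i++)
        if (quarantine[i] == d)
            return true;
    return false;
}

static void model_get(struct model_evdev *d) { d->refcount++; }

/* Models kobject_put(): the last put releases the object. */
static void model_put(struct model_evdev *d)
{
    if (--d->refcount == 0)
        model_free(d);
}

/* Models mutex_lock(&evdev->mutex); returns false instead of touching a
 * released object, which is the condition KASAN reported above. */
static bool model_mutex_lock(struct model_evdev *d)
{
    if (model_is_freed(d) || d->magic != LIVE_MAGIC)
        return false;
    d->mutex_locked = 1;
    return true;
}

static void model_mutex_unlock(struct model_evdev *d) { d->mutex_locked = 0; }

/* Models evdev_cleanup(): take the device mutex, detach clients, unlock. */
static bool model_cleanup(struct model_evdev *d)
{
    if (!model_mutex_lock(d))
        return false;
    model_mutex_unlock(d);
    return true;
}

/* The ordering in the report: the del step drops the last reference before
 * cleanup locks the mutex. Returns true when a use-after-free is detected. */
bool disconnect_free_then_cleanup(struct model_evdev *d)
{
    model_put(d);                 /* cdev_device_del analogue: object released */
    return !model_cleanup(d);     /* evdev_cleanup analogue: lock on freed memory */
}

/* Hardened teardown: pin the object with our own reference for as long as we
 * still touch it, and drop that reference last. Returns true on a UAF
 * (expected: false). */
bool disconnect_with_own_ref(struct model_evdev *d)
{
    model_get(d);                 /* our reference for the duration of teardown */
    model_put(d);                 /* the del step's put: object stays live */
    bool uaf = !model_cleanup(d); /* lock succeeds, object is still valid */
    model_put(d);                 /* last reference: released here, after use */
    return uaf;
}
```

The general rule the model encodes: in a kobject/kref-style lifetime scheme, any code that still dereferences the object after calling a function that may drop the last reference must hold a reference of its own across that call. A lockdep-clean trace does not help here; only a sanitizer (KASAN, or a poisoning allocator like the one above) or a refcount audit finds it.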