[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Update UTMP about System Runlevel Changes.
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 61.086795][ T6796] input: syz0 as /devices/virtual/input/input5
[ 61.100002][ T6796] ==================================================================
[ 61.108326][ T6796] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[ 61.115620][ T6796] Read of size 8 at addr ffff8880a8492158 by task syz-executor234/6796
[ 61.123854][ T6796]
[ 61.126195][ T6796] CPU: 1 PID: 6796 Comm: syz-executor234 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[ 61.136252][ T6796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.146320][ T6796] Call Trace:
[ 61.149620][ T6796]  dump_stack+0x18f/0x20d
[ 61.153986][ T6796]  ? __mutex_lock+0x1033/0x13c0
[ 61.158864][ T6796]  ? __mutex_lock+0x1033/0x13c0
[ 61.163698][ T6796]  print_address_description.constprop.0.cold+0xd3/0x413
[ 61.170707][ T6796]  ? cdev_device_del+0x69/0x80
[ 61.175458][ T6796]  ? evdev_disconnect+0x3d/0xb0
[ 61.180323][ T6796]  ? __input_unregister_device+0x1b0/0x430
[ 61.186151][ T6796]  ? input_unregister_device+0xb4/0xf0
[ 61.191594][ T6796]  ? uinput_destroy_device+0x1e2/0x240
[ 61.197041][ T6796]  ? vprintk_func+0x97/0x1a6
[ 61.201621][ T6796]  ? __mutex_lock+0x1033/0x13c0
[ 61.206449][ T6796]  kasan_report.cold+0x1f/0x37
[ 61.211292][ T6796]  ? __mutex_lock+0x1033/0x13c0
[ 61.216126][ T6796]  __mutex_lock+0x1033/0x13c0
[ 61.220783][ T6796]  ? evdev_cleanup+0x21/0x190
[ 61.225434][ T6796]  ? print_usage_bug+0x240/0x240
[ 61.230547][ T6796]  ? trace_hardirqs_off+0x50/0x220
[ 61.238153][ T6796]  ? mutex_trylock+0x2c0/0x2c0
[ 61.243000][ T6796]  ? mark_held_locks+0x9f/0xe0
[ 61.247742][ T6796]  ? kfree+0x1eb/0x2b0
[ 61.251880][ T6796]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 61.258024][ T6796]  ? kfree_const+0x51/0x60
[ 61.262431][ T6796]  ? evdev_cleanup+0x21/0x190
[ 61.267094][ T6796]  evdev_cleanup+0x21/0x190
[ 61.271599][ T6796]  evdev_disconnect+0x45/0xb0
[ 61.276462][ T6796]  __input_unregister_device+0x1b0/0x430
[ 61.282122][ T6796]  input_unregister_device+0xb4/0xf0
[ 61.287706][ T6796]  uinput_destroy_device+0x1e2/0x240
[ 61.293865][ T6796]  ? uinput_destroy_device+0x240/0x240
[ 61.299678][ T6796]  uinput_release+0x37/0x50
[ 61.304548][ T6796]  __fput+0x33e/0x880
[ 61.308532][ T6796]  task_work_run+0xf4/0x1b0
[ 61.313184][ T6796]  do_exit+0xb5e/0x2e10
[ 61.317341][ T6796]  ? fsnotify_first_mark+0x191/0x200
[ 61.322638][ T6796]  ? uinput_dev_upload_effect+0x1e0/0x1e0
[ 61.328449][ T6796]  ? mm_update_next_owner+0x7a0/0x7a0
[ 61.333918][ T6796]  ? vfs_write+0x161/0x5d0
[ 61.338436][ T6796]  do_group_exit+0x125/0x340
[ 61.343189][ T6796]  __x64_sys_exit_group+0x3a/0x50
[ 61.348193][ T6796]  do_syscall_64+0xf6/0x7d0
[ 61.352679][ T6796]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 61.358562][ T6796] RIP: 0033:0x43fa18
[ 61.362478][ T6796] Code: Bad RIP value.
[ 61.366634][ T6796] RSP: 002b:00007fff61e9c9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 61.375051][ T6796] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fa18
[ 61.383240][ T6796] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 61.391317][ T6796] RBP: 00000000004bf268 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 61.399282][ T6796] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 61.410338][ T6796] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 61.418404][ T6796]
[ 61.420731][ T6796] Allocated by task 6796:
[ 61.425042][ T6796]  save_stack+0x1b/0x40
[ 61.429402][ T6796]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 61.435145][ T6796]  kmem_cache_alloc_trace+0x153/0x7d0
[ 61.441274][ T6796]  evdev_connect+0x80/0x4d0
[ 61.446319][ T6796]  input_attach_handler+0x194/0x200
[ 61.451801][ T6796]  input_register_device.cold+0xf5/0x246
[ 61.457434][ T6796]  uinput_ioctl_handler.isra.0+0x1210/0x1d80
[ 61.463401][ T6796]  ksys_ioctl+0x11a/0x180
[ 61.467735][ T6796]  __x64_sys_ioctl+0x6f/0xb0
[ 61.472499][ T6796]  do_syscall_64+0xf6/0x7d0
[ 61.476996][ T6796]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 61.483060][ T6796]
[ 61.485375][ T6796] Freed by task 6796:
[ 61.489353][ T6796]  save_stack+0x1b/0x40
[ 61.493599][ T6796]  __kasan_slab_free+0xf7/0x140
[ 61.498446][ T6796]  kfree+0x109/0x2b0
[ 61.502335][ T6796]  device_release+0x71/0x200
[ 61.506924][ T6796]  kobject_put+0x1c8/0x2f0
[ 61.511454][ T6796]  cdev_device_del+0x69/0x80
[ 61.516893][ T6796]  evdev_disconnect+0x3d/0xb0
[ 61.522347][ T6796]  __input_unregister_device+0x1b0/0x430
[ 61.529578][ T6796]  input_unregister_device+0xb4/0xf0
[ 61.535713][ T6796]  uinput_destroy_device+0x1e2/0x240
[ 61.541204][ T6796]  uinput_release+0x37/0x50
[ 61.545914][ T6796]  __fput+0x33e/0x880
[ 61.549946][ T6796]  task_work_run+0xf4/0x1b0
[ 61.554590][ T6796]  do_exit+0xb5e/0x2e10
[ 61.558864][ T6796]  do_group_exit+0x125/0x340
[ 61.563456][ T6796]  __x64_sys_exit_group+0x3a/0x50
[ 61.568483][ T6796]  do_syscall_64+0xf6/0x7d0
[ 61.573075][ T6796]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 61.578966][ T6796]
[ 61.581279][ T6796] The buggy address belongs to the object at ffff8880a8492000
[ 61.581279][ T6796]  which belongs to the cache kmalloc-2k of size 2048
[ 61.595571][ T6796] The buggy address is located 344 bytes inside of
[ 61.595571][ T6796]  2048-byte region [ffff8880a8492000, ffff8880a8492800)
[ 61.608954][ T6796] The buggy address belongs to the page:
[ 61.614567][ T6796] page:ffffea0002a12480 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 61.623655][ T6796] flags: 0xfffe0000000200(slab)
[ 61.628605][ T6796] raw: 00fffe0000000200 ffffea00024dc988 ffff8880aa001950 ffff8880aa000e00
[ 61.637300][ T6796] raw: 0000000000000000 ffff8880a8492000 0000000100000001 0000000000000000
[ 61.645995][ T6796] page dumped because: kasan: bad access detected
[ 61.652413][ T6796]
[ 61.654730][ T6796] Memory state around the buggy address:
[ 61.660510][ T6796]  ffff8880a8492000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.668560][ T6796]  ffff8880a8492080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.676628][ T6796] >ffff8880a8492100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.685090][ T6796]                                                     ^
[ 61.692616][ T6796]  ffff8880a8492180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.700858][ T6796]  ffff8880a8492200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 61.708950][ T6796] ==================================================================
[ 61.717096][ T6796] Disabling lock debugging due to kernel taint
[ 61.724411][ T6796] Kernel panic - not syncing: panic_on_warn set ...
[ 61.731046][ T6796] CPU: 0 PID: 6796 Comm: syz-executor234 Tainted: G    B             5.7.0-rc6-next-20200522-syzkaller #0
[ 61.742594][ T6796] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 61.752951][ T6796] Call Trace:
[ 61.756551][ T6796]  dump_stack+0x18f/0x20d
[ 61.761034][ T6796]  ? __mutex_lock+0xf50/0x13c0
[ 61.765792][ T6796]  panic+0x2e3/0x75c
[ 61.769800][ T6796]  ? __warn_printk+0xf3/0xf3
[ 61.774574][ T6796]  ? preempt_schedule_common+0x5e/0xc0
[ 61.780149][ T6796]  ? __mutex_lock+0x1033/0x13c0
[ 61.785885][ T6796]  ? __mutex_lock+0x1033/0x13c0
[ 61.791209][ T6796]  ? preempt_schedule_thunk+0x16/0x18
[ 61.796718][ T6796]  ? trace_hardirqs_on+0x55/0x230
[ 61.802265][ T6796]  ? __mutex_lock+0x1033/0x13c0
[ 61.807247][ T6796]  ? __mutex_lock+0x1033/0x13c0
[ 61.812116][ T6796]  end_report+0x4d/0x53
[ 61.816421][ T6796]  kasan_report.cold+0xd/0x37
[ 61.821223][ T6796]  ? __mutex_lock+0x1033/0x13c0
[ 61.826158][ T6796]  __mutex_lock+0x1033/0x13c0
[ 61.830923][ T6796]  ? evdev_cleanup+0x21/0x190
[ 61.835872][ T6796]  ? print_usage_bug+0x240/0x240
[ 61.841528][ T6796]  ? trace_hardirqs_off+0x50/0x220
[ 61.846942][ T6796]  ? mutex_trylock+0x2c0/0x2c0
[ 61.852474][ T6796]  ? mark_held_locks+0x9f/0xe0
[ 61.857349][ T6796]  ? kfree+0x1eb/0x2b0
[ 61.862780][ T6796]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 61.868855][ T6796]  ? kfree_const+0x51/0x60
[ 61.873423][ T6796]  ? evdev_cleanup+0x21/0x190
[ 61.878310][ T6796]  evdev_cleanup+0x21/0x190
[ 61.882822][ T6796]  evdev_disconnect+0x45/0xb0
[ 61.887704][ T6796]  __input_unregister_device+0x1b0/0x430
[ 61.893362][ T6796]  input_unregister_device+0xb4/0xf0
[ 61.898652][ T6796]  uinput_destroy_device+0x1e2/0x240
[ 61.903934][ T6796]  ? uinput_destroy_device+0x240/0x240
[ 61.909383][ T6796]  uinput_release+0x37/0x50
[ 61.913975][ T6796]  __fput+0x33e/0x880
[ 61.918063][ T6796]  task_work_run+0xf4/0x1b0
[ 61.922673][ T6796]  do_exit+0xb5e/0x2e10
[ 61.926816][ T6796]  ? fsnotify_first_mark+0x191/0x200
[ 61.932305][ T6796]  ? uinput_dev_upload_effect+0x1e0/0x1e0
[ 61.938369][ T6796]  ? mm_update_next_owner+0x7a0/0x7a0
[ 61.943902][ T6796]  ? vfs_write+0x161/0x5d0
[ 61.948740][ T6796]  do_group_exit+0x125/0x340
[ 61.953523][ T6796]  __x64_sys_exit_group+0x3a/0x50
[ 61.958565][ T6796]  do_syscall_64+0xf6/0x7d0
[ 61.963143][ T6796]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 61.969024][ T6796] RIP: 0033:0x43fa18
[ 61.972904][ T6796] Code: Bad RIP value.
[ 61.976981][ T6796] RSP: 002b:00007fff61e9c9a8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 61.986440][ T6796] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fa18
[ 61.994442][ T6796] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 62.002743][ T6796] RBP: 00000000004bf268 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 62.010711][ T6796] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 62.018681][ T6796] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 62.028232][ T6796] Kernel Offset: disabled
[ 62.033174][ T6796] Rebooting in 86400 seconds..