[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.157' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   64.100494][ T6799] input: syz0 as /devices/virtual/input/input5
[   64.113680][ T6799] ==================================================================
[   64.122711][ T6799] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[   64.129916][ T6799] Read of size 8 at addr ffff8880a257f158 by task syz-executor351/6799
[   64.138153][ T6799]
[   64.140491][ T6799] CPU: 1 PID: 6799 Comm: syz-executor351 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[   64.150374][ T6799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.160815][ T6799] Call Trace:
[   64.164114][ T6799]  dump_stack+0x18f/0x20d
[   64.168445][ T6799]  ? __mutex_lock+0x1033/0x13c0
[   64.173443][ T6799]  ? __mutex_lock+0x1033/0x13c0
[   64.178298][ T6799]  print_address_description.constprop.0.cold+0xd3/0x413
[   64.185305][ T6799]  ? cdev_device_del+0x69/0x80
[   64.190061][ T6799]  ? evdev_disconnect+0x3d/0xb0
[   64.194906][ T6799]  ? __input_unregister_device+0x1b0/0x430
[   64.200708][ T6799]  ? input_unregister_device+0xb4/0xf0
[   64.206171][ T6799]  ? uinput_destroy_device+0x1e2/0x240
[   64.211637][ T6799]  ? vprintk_func+0x97/0x1a6
[   64.216325][ T6799]  ? __mutex_lock+0x1033/0x13c0
[   64.221737][ T6799]  kasan_report.cold+0x1f/0x37
[   64.226513][ T6799]  ? __mutex_lock+0x1033/0x13c0
[   64.231348][ T6799]  __mutex_lock+0x1033/0x13c0
[   64.236453][ T6799]  ? evdev_cleanup+0x21/0x190
[   64.241122][ T6799]  ? print_usage_bug+0x240/0x240
[   64.246184][ T6799]  ? trace_hardirqs_off+0x50/0x220
[   64.251402][ T6799]  ? mutex_trylock+0x2c0/0x2c0
[   64.256150][ T6799]  ? mark_held_locks+0x9f/0xe0
[   64.261117][ T6799]  ? kfree+0x1eb/0x2b0
[   64.265188][ T6799]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   64.271171][ T6799]  ? kfree_const+0x51/0x60
[   64.275684][ T6799]  ? evdev_cleanup+0x21/0x190
[   64.280355][ T6799]  evdev_cleanup+0x21/0x190
[   64.284864][ T6799]  evdev_disconnect+0x45/0xb0
[   64.289572][ T6799]  __input_unregister_device+0x1b0/0x430
[   64.295216][ T6799]  input_unregister_device+0xb4/0xf0
[   64.300496][ T6799]  uinput_destroy_device+0x1e2/0x240
[   64.305764][ T6799]  ? uinput_destroy_device+0x240/0x240
[   64.311221][ T6799]  uinput_release+0x37/0x50
[   64.315735][ T6799]  __fput+0x33e/0x880
[   64.319705][ T6799]  task_work_run+0xf4/0x1b0
[   64.324191][ T6799]  do_exit+0xb5e/0x2e10
[   64.328678][ T6799]  ? fsnotify_first_mark+0x191/0x200
[   64.333945][ T6799]  ? debug_smp_processor_id+0x2f/0x185
[   64.339404][ T6799]  ? mm_update_next_owner+0x7a0/0x7a0
[   64.344804][ T6799]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   64.350801][ T6799]  ? vfs_write+0x161/0x5d0
[   64.355341][ T6799]  do_group_exit+0x125/0x340
[   64.359957][ T6799]  __x64_sys_exit_group+0x3a/0x50
[   64.365071][ T6799]  do_syscall_64+0xf6/0x7d0
[   64.369756][ T6799]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   64.376256][ T6799] RIP: 0033:0x43fa18
[   64.380144][ T6799] Code: Bad RIP value.
[   64.384193][ T6799] RSP: 002b:00007fffdf178b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   64.392854][ T6799] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fa18
[   64.401085][ T6799] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   64.409043][ T6799] RBP: 00000000004bf268 R08: 00000000000000e7 R09: ffffffffffffffd0
[   64.417137][ T6799] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   64.425119][ T6799] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   64.433110][ T6799]
[   64.435425][ T6799] Allocated by task 6799:
[   64.439746][ T6799]  save_stack+0x1b/0x40
[   64.443909][ T6799]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   64.449657][ T6799]  kmem_cache_alloc_trace+0x153/0x7d0
[   64.455022][ T6799]  evdev_connect+0x80/0x4d0
[   64.459533][ T6799]  input_attach_handler+0x194/0x200
[   64.464725][ T6799]  input_register_device.cold+0xf5/0x246
[   64.470355][ T6799]  uinput_ioctl_handler.isra.0+0x1210/0x1d80
[   64.476670][ T6799]  ksys_ioctl+0x11a/0x180
[   64.480999][ T6799]  __x64_sys_ioctl+0x6f/0xb0
[   64.485564][ T6799]  do_syscall_64+0xf6/0x7d0
[   64.490069][ T6799]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   64.495931][ T6799]
[   64.498237][ T6799] Freed by task 6799:
[   64.502197][ T6799]  save_stack+0x1b/0x40
[   64.506330][ T6799]  __kasan_slab_free+0xf7/0x140
[   64.511177][ T6799]  kfree+0x109/0x2b0
[   64.515071][ T6799]  device_release+0x71/0x200
[   64.519658][ T6799]  kobject_put+0x1c8/0x2f0
[   64.524423][ T6799]  cdev_device_del+0x69/0x80
[   64.529085][ T6799]  evdev_disconnect+0x3d/0xb0
[   64.533756][ T6799]  __input_unregister_device+0x1b0/0x430
[   64.539485][ T6799]  input_unregister_device+0xb4/0xf0
[   64.544866][ T6799]  uinput_destroy_device+0x1e2/0x240
[   64.550155][ T6799]  uinput_release+0x37/0x50
[   64.554657][ T6799]  __fput+0x33e/0x880
[   64.558636][ T6799]  task_work_run+0xf4/0x1b0
[   64.564090][ T6799]  do_exit+0xb5e/0x2e10
[   64.568489][ T6799]  do_group_exit+0x125/0x340
[   64.573327][ T6799]  __x64_sys_exit_group+0x3a/0x50
[   64.578795][ T6799]  do_syscall_64+0xf6/0x7d0
[   64.583548][ T6799]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   64.589417][ T6799]
[   64.592186][ T6799] The buggy address belongs to the object at ffff8880a257f000
[   64.592186][ T6799]  which belongs to the cache kmalloc-2k of size 2048
[   64.606225][ T6799] The buggy address is located 344 bytes inside of
[   64.606225][ T6799]  2048-byte region [ffff8880a257f000, ffff8880a257f800)
[   64.619940][ T6799] The buggy address belongs to the page:
[   64.625571][ T6799] page:ffffea0002895fc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   64.634676][ T6799] flags: 0xfffe0000000200(slab)
[   64.639534][ T6799] raw: 00fffe0000000200 ffffea0002438208 ffff8880aa001950 ffff8880aa000e00
[   64.648123][ T6799] raw: 0000000000000000 ffff8880a257f000 0000000100000001 0000000000000000
[   64.656814][ T6799] page dumped because: kasan: bad access detected
[   64.663311][ T6799]
[   64.665793][ T6799] Memory state around the buggy address:
[   64.671673][ T6799]  ffff8880a257f000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.679880][ T6799]  ffff8880a257f080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.687963][ T6799] >ffff8880a257f100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.696033][ T6799]                                                     ^
[   64.702960][ T6799]  ffff8880a257f180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.711020][ T6799]  ffff8880a257f200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   64.719077][ T6799] ==================================================================
[   64.727121][ T6799] Disabling lock debugging due to kernel taint
[   64.735133][ T6799] Kernel panic - not syncing: panic_on_warn set ...
[   64.741748][ T6799] CPU: 0 PID: 6799 Comm: syz-executor351 Tainted: G    B             5.7.0-rc6-next-20200522-syzkaller #0
[   64.753112][ T6799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   64.763170][ T6799] Call Trace:
[   64.766476][ T6799]  dump_stack+0x18f/0x20d
[   64.770785][ T6799]  ? __mutex_lock+0xf50/0x13c0
[   64.775525][ T6799]  panic+0x2e3/0x75c
[   64.779416][ T6799]  ? __warn_printk+0xf3/0xf3
[   64.784071][ T6799]  ? preempt_schedule_common+0x5e/0xc0
[   64.789519][ T6799]  ? __mutex_lock+0x1033/0x13c0
[   64.794371][ T6799]  ? __mutex_lock+0x1033/0x13c0
[   64.799217][ T6799]  ? preempt_schedule_thunk+0x16/0x18
[   64.804745][ T6799]  ? trace_hardirqs_on+0x55/0x230
[   64.809969][ T6799]  ? __mutex_lock+0x1033/0x13c0
[   64.814832][ T6799]  ? __mutex_lock+0x1033/0x13c0
[   64.819785][ T6799]  end_report+0x4d/0x53
[   64.823970][ T6799]  kasan_report.cold+0xd/0x37
[   64.828644][ T6799]  ? __mutex_lock+0x1033/0x13c0
[   64.833962][ T6799]  __mutex_lock+0x1033/0x13c0
[   64.838634][ T6799]  ? evdev_cleanup+0x21/0x190
[   64.843311][ T6799]  ? print_usage_bug+0x240/0x240
[   64.848907][ T6799]  ? trace_hardirqs_off+0x50/0x220
[   64.854002][ T6799]  ? mutex_trylock+0x2c0/0x2c0
[   64.858899][ T6799]  ? mark_held_locks+0x9f/0xe0
[   64.863754][ T6799]  ? kfree+0x1eb/0x2b0
[   64.867927][ T6799]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   64.873903][ T6799]  ? kfree_const+0x51/0x60
[   64.878326][ T6799]  ? evdev_cleanup+0x21/0x190
[   64.882980][ T6799]  evdev_cleanup+0x21/0x190
[   64.887476][ T6799]  evdev_disconnect+0x45/0xb0
[   64.892130][ T6799]  __input_unregister_device+0x1b0/0x430
[   64.897749][ T6799]  input_unregister_device+0xb4/0xf0
[   64.903041][ T6799]  uinput_destroy_device+0x1e2/0x240
[   64.908305][ T6799]  ? uinput_destroy_device+0x240/0x240
[   64.913854][ T6799]  uinput_release+0x37/0x50
[   64.918384][ T6799]  __fput+0x33e/0x880
[   64.922349][ T6799]  task_work_run+0xf4/0x1b0
[   64.926865][ T6799]  do_exit+0xb5e/0x2e10
[   64.931006][ T6799]  ? fsnotify_first_mark+0x191/0x200
[   64.936288][ T6799]  ? debug_smp_processor_id+0x2f/0x185
[   64.941727][ T6799]  ? mm_update_next_owner+0x7a0/0x7a0
[   64.947257][ T6799]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[   64.953223][ T6799]  ? vfs_write+0x161/0x5d0
[   64.957627][ T6799]  do_group_exit+0x125/0x340
[   64.962460][ T6799]  __x64_sys_exit_group+0x3a/0x50
[   64.967475][ T6799]  do_syscall_64+0xf6/0x7d0
[   64.972328][ T6799]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   64.978367][ T6799] RIP: 0033:0x43fa18
[   64.982309][ T6799] Code: Bad RIP value.
[   64.986381][ T6799] RSP: 002b:00007fffdf178b68 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   64.994874][ T6799] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fa18
[   65.002854][ T6799] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   65.010816][ T6799] RBP: 00000000004bf268 R08: 00000000000000e7 R09: ffffffffffffffd0
[   65.021738][ T6799] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[   65.029690][ T6799] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   65.039150][ T6799] Kernel Offset: disabled
[   65.044037][ T6799] Rebooting in 86400 seconds..