[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.1.51' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 58.228983][ T6799] input: syz0 as /devices/virtual/input/input5
[ 58.242706][ T6799] ==================================================================
[ 58.255530][ T6799] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[ 58.262731][ T6799] Read of size 8 at addr ffff8880a6a94158 by task syz-executor824/6799
[ 58.270973][ T6799]
[ 58.273306][ T6799] CPU: 1 PID: 6799 Comm: syz-executor824 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[ 58.283192][ T6799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.293329][ T6799] Call Trace:
[ 58.296724][ T6799] dump_stack+0x18f/0x20d
[ 58.301041][ T6799] ? __mutex_lock+0x1033/0x13c0
[ 58.305969][ T6799] ? __mutex_lock+0x1033/0x13c0
[ 58.310800][ T6799] print_address_description.constprop.0.cold+0xd3/0x413
[ 58.318421][ T6799] ? cdev_device_del+0x69/0x80
[ 58.323168][ T6799] ? evdev_disconnect+0x3d/0xb0
[ 58.328005][ T6799] ? __input_unregister_device+0x1b0/0x430
[ 58.333800][ T6799] ? input_unregister_device+0xb4/0xf0
[ 58.339335][ T6799] ? uinput_destroy_device+0x1e2/0x240
[ 58.344782][ T6799] ? vprintk_func+0x97/0x1a6
[ 58.349349][ T6799] ? __mutex_lock+0x1033/0x13c0
[ 58.354186][ T6799] kasan_report.cold+0x1f/0x37
[ 58.358943][ T6799] ? __mutex_lock+0x1033/0x13c0
[ 58.363785][ T6799] __mutex_lock+0x1033/0x13c0
[ 58.368450][ T6799] ? evdev_cleanup+0x21/0x190
[ 58.373102][ T6799] ? print_usage_bug+0x240/0x240
[ 58.378034][ T6799] ? trace_hardirqs_off+0x50/0x220
[ 58.383187][ T6799] ? mutex_trylock+0x2c0/0x2c0
[ 58.387935][ T6799] ? mark_held_locks+0x9f/0xe0
[ 58.392740][ T6799] ? kfree+0x1eb/0x2b0
[ 58.396909][ T6799] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 58.402879][ T6799] ? kfree_const+0x51/0x60
[ 58.407368][ T6799] ? evdev_cleanup+0x21/0x190
[ 58.412039][ T6799] evdev_cleanup+0x21/0x190
[ 58.416522][ T6799] evdev_disconnect+0x45/0xb0
[ 58.421190][ T6799] __input_unregister_device+0x1b0/0x430
[ 58.426800][ T6799] input_unregister_device+0xb4/0xf0
[ 58.432078][ T6799] uinput_destroy_device+0x1e2/0x240
[ 58.437341][ T6799] ? uinput_destroy_device+0x240/0x240
[ 58.442789][ T6799] uinput_release+0x37/0x50
[ 58.447268][ T6799] __fput+0x33e/0x880
[ 58.451235][ T6799] task_work_run+0xf4/0x1b0
[ 58.455734][ T6799] do_exit+0xb5e/0x2e10
[ 58.459866][ T6799] ? fsnotify_first_mark+0x191/0x200
[ 58.465576][ T6799] ? debug_smp_processor_id+0x2f/0x185
[ 58.471013][ T6799] ? mm_update_next_owner+0x7a0/0x7a0
[ 58.476391][ T6799] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 58.482364][ T6799] ? vfs_write+0x161/0x5d0
[ 58.486778][ T6799] do_group_exit+0x125/0x340
[ 58.491361][ T6799] __x64_sys_exit_group+0x3a/0x50
[ 58.496465][ T6799] do_syscall_64+0xf6/0x7d0
[ 58.500952][ T6799] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 58.506825][ T6799] RIP: 0033:0x43fa18
[ 58.510705][ T6799] Code: Bad RIP value.
[ 58.514784][ T6799] RSP: 002b:00007ffc70c1c878 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 58.523170][ T6799] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fa18
[ 58.531116][ T6799] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 58.539064][ T6799] RBP: 00000000004bf268 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 58.547025][ T6799] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 58.554973][ T6799] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 58.562939][ T6799]
[ 58.565245][ T6799] Allocated by task 6799:
[ 58.569554][ T6799] save_stack+0x1b/0x40
[ 58.573687][ T6799] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 58.579301][ T6799] kmem_cache_alloc_trace+0x153/0x7d0
[ 58.584673][ T6799] evdev_connect+0x80/0x4d0
[ 58.589506][ T6799] input_attach_handler+0x194/0x200
[ 58.594799][ T6799] input_register_device.cold+0xf5/0x246
[ 58.600418][ T6799] uinput_ioctl_handler.isra.0+0x1210/0x1d80
[ 58.606391][ T6799] ksys_ioctl+0x11a/0x180
[ 58.610801][ T6799] __x64_sys_ioctl+0x6f/0xb0
[ 58.615385][ T6799] do_syscall_64+0xf6/0x7d0
[ 58.619879][ T6799] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 58.625749][ T6799]
[ 58.628051][ T6799] Freed by task 6799:
[ 58.632030][ T6799] save_stack+0x1b/0x40
[ 58.636344][ T6799] __kasan_slab_free+0xf7/0x140
[ 58.641170][ T6799] kfree+0x109/0x2b0
[ 58.645052][ T6799] device_release+0x71/0x200
[ 58.649618][ T6799] kobject_put+0x1c8/0x2f0
[ 58.654010][ T6799] cdev_device_del+0x69/0x80
[ 58.658603][ T6799] evdev_disconnect+0x3d/0xb0
[ 58.663257][ T6799] __input_unregister_device+0x1b0/0x430
[ 58.670340][ T6799] input_unregister_device+0xb4/0xf0
[ 58.676390][ T6799] uinput_destroy_device+0x1e2/0x240
[ 58.681649][ T6799] uinput_release+0x37/0x50
[ 58.686125][ T6799] __fput+0x33e/0x880
[ 58.690082][ T6799] task_work_run+0xf4/0x1b0
[ 58.694624][ T6799] do_exit+0xb5e/0x2e10
[ 58.698770][ T6799] do_group_exit+0x125/0x340
[ 58.703355][ T6799] __x64_sys_exit_group+0x3a/0x50
[ 58.708373][ T6799] do_syscall_64+0xf6/0x7d0
[ 58.712873][ T6799] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 58.718750][ T6799]
[ 58.721064][ T6799] The buggy address belongs to the object at ffff8880a6a94000
[ 58.721064][ T6799] which belongs to the cache kmalloc-2k of size 2048
[ 58.735442][ T6799] The buggy address is located 344 bytes inside of
[ 58.735442][ T6799] 2048-byte region [ffff8880a6a94000, ffff8880a6a94800)
[ 58.749050][ T6799] The buggy address belongs to the page:
[ 58.754955][ T6799] page:ffffea00029aa500 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 58.764174][ T6799] flags: 0xfffe0000000200(slab)
[ 58.769021][ T6799] raw: 00fffe0000000200 ffffea0002554a08 ffffea0002763f88 ffff8880aa000e00
[ 58.777606][ T6799] raw: 0000000000000000 ffff8880a6a94000 0000000100000001 0000000000000000
[ 58.786168][ T6799] page dumped because: kasan: bad access detected
[ 58.792567][ T6799]
[ 58.794869][ T6799] Memory state around the buggy address:
[ 58.800492][ T6799] ffff8880a6a94000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.808529][ T6799] ffff8880a6a94080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.816569][ T6799] >ffff8880a6a94100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.824613][ T6799] ^
[ 58.831547][ T6799] ffff8880a6a94180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.839597][ T6799] ffff8880a6a94200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 58.847630][ T6799] ==================================================================
[ 58.855672][ T6799] Disabling lock debugging due to kernel taint
[ 58.863866][ T6799] Kernel panic - not syncing: panic_on_warn set ...
[ 58.870576][ T6799] CPU: 0 PID: 6799 Comm: syz-executor824 Tainted: G B 5.7.0-rc6-next-20200522-syzkaller #0
[ 58.881841][ T6799] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 58.891907][ T6799] Call Trace:
[ 58.895283][ T6799] dump_stack+0x18f/0x20d
[ 58.899595][ T6799] ? __mutex_lock+0xf50/0x13c0
[ 58.904344][ T6799] panic+0x2e3/0x75c
[ 58.908223][ T6799] ? __warn_printk+0xf3/0xf3
[ 58.912803][ T6799] ? preempt_schedule_common+0x5e/0xc0
[ 58.918230][ T6799] ? __mutex_lock+0x1033/0x13c0
[ 58.923070][ T6799] ? __mutex_lock+0x1033/0x13c0
[ 58.927978][ T6799] ? preempt_schedule_thunk+0x16/0x18
[ 58.933320][ T6799] ? trace_hardirqs_on+0x55/0x230
[ 58.938317][ T6799] ? __mutex_lock+0x1033/0x13c0
[ 58.943139][ T6799] ? __mutex_lock+0x1033/0x13c0
[ 58.948139][ T6799] end_report+0x4d/0x53
[ 58.952374][ T6799] kasan_report.cold+0xd/0x37
[ 58.957045][ T6799] ? __mutex_lock+0x1033/0x13c0
[ 58.961871][ T6799] __mutex_lock+0x1033/0x13c0
[ 58.966958][ T6799] ? evdev_cleanup+0x21/0x190
[ 58.971607][ T6799] ? print_usage_bug+0x240/0x240
[ 58.976534][ T6799] ? trace_hardirqs_off+0x50/0x220
[ 58.981620][ T6799] ? mutex_trylock+0x2c0/0x2c0
[ 58.986356][ T6799] ? mark_held_locks+0x9f/0xe0
[ 58.991100][ T6799] ? kfree+0x1eb/0x2b0
[ 58.998181][ T6799] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 59.004147][ T6799] ? kfree_const+0x51/0x60
[ 59.008625][ T6799] ? evdev_cleanup+0x21/0x190
[ 59.013285][ T6799] evdev_cleanup+0x21/0x190
[ 59.017761][ T6799] evdev_disconnect+0x45/0xb0
[ 59.022414][ T6799] __input_unregister_device+0x1b0/0x430
[ 59.028017][ T6799] input_unregister_device+0xb4/0xf0
[ 59.033276][ T6799] uinput_destroy_device+0x1e2/0x240
[ 59.038533][ T6799] ? uinput_destroy_device+0x240/0x240
[ 59.043999][ T6799] uinput_release+0x37/0x50
[ 59.048477][ T6799] __fput+0x33e/0x880
[ 59.052437][ T6799] task_work_run+0xf4/0x1b0
[ 59.056913][ T6799] do_exit+0xb5e/0x2e10
[ 59.061041][ T6799] ? fsnotify_first_mark+0x191/0x200
[ 59.066300][ T6799] ? debug_smp_processor_id+0x2f/0x185
[ 59.071743][ T6799] ? mm_update_next_owner+0x7a0/0x7a0
[ 59.077100][ T6799] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 59.083074][ T6799] ? vfs_write+0x161/0x5d0
[ 59.087467][ T6799] do_group_exit+0x125/0x340
[ 59.092029][ T6799] __x64_sys_exit_group+0x3a/0x50
[ 59.098119][ T6799] do_syscall_64+0xf6/0x7d0
[ 59.102605][ T6799] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 59.108470][ T6799] RIP: 0033:0x43fa18
[ 59.112347][ T6799] Code: Bad RIP value.
[ 59.116741][ T6799] RSP: 002b:00007ffc70c1c878 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 59.125122][ T6799] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fa18
[ 59.133080][ T6799] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 59.141038][ T6799] RBP: 00000000004bf268 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 59.148987][ T6799] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 59.157468][ T6799] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 59.166791][ T6799] Kernel Offset: disabled
[ 59.171151][ T6799] Rebooting in 86400 seconds..