[ OK ] Started Getty on tty3.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 60.310934][ T6811] input: syz1 as /devices/virtual/input/input5
[ 60.324870][ T6811] ==================================================================
[ 60.333102][ T6811] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[ 60.340301][ T6811] Read of size 8 at addr ffff8880a6462158 by task syz-executor848/6811
[ 60.348534][ T6811]
[ 60.350868][ T6811] CPU: 1 PID: 6811 Comm: syz-executor848 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[ 60.360750][ T6811] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.370808][ T6811] Call Trace:
[ 60.374104][ T6811]  dump_stack+0x18f/0x20d
[ 60.378486][ T6811]  ? __mutex_lock+0x1033/0x13c0
[ 60.383348][ T6811]  ? __mutex_lock+0x1033/0x13c0
[ 60.388264][ T6811]  print_address_description.constprop.0.cold+0xd3/0x413
[ 60.395292][ T6811]  ? cdev_device_del+0x69/0x80
[ 60.400038][ T6811]  ? evdev_disconnect+0x3d/0xb0
[ 60.404864][ T6811]  ? __input_unregister_device+0x1b0/0x430
[ 60.410646][ T6811]  ? input_unregister_device+0xb4/0xf0
[ 60.416177][ T6811]  ? uinput_destroy_device+0x1e2/0x240
[ 60.421626][ T6811]  ? vprintk_func+0x97/0x1a6
[ 60.426205][ T6811]  ? __mutex_lock+0x1033/0x13c0
[ 60.431129][ T6811]  kasan_report.cold+0x1f/0x37
[ 60.435869][ T6811]  ? __mutex_lock+0x1033/0x13c0
[ 60.440696][ T6811]  __mutex_lock+0x1033/0x13c0
[ 60.445361][ T6811]  ? evdev_cleanup+0x21/0x190
[ 60.450017][ T6811]  ? print_usage_bug+0x240/0x240
[ 60.454930][ T6811]  ? trace_hardirqs_off+0x50/0x220
[ 60.460019][ T6811]  ? mutex_trylock+0x2c0/0x2c0
[ 60.464762][ T6811]  ? mark_held_locks+0x9f/0xe0
[ 60.469506][ T6811]  ? kfree+0x1eb/0x2b0
[ 60.473562][ T6811]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 60.479538][ T6811]  ? kfree_const+0x51/0x60
[ 60.484106][ T6811]  ? evdev_cleanup+0x21/0x190
[ 60.488794][ T6811]  evdev_cleanup+0x21/0x190
[ 60.493289][ T6811]  evdev_disconnect+0x45/0xb0
[ 60.497946][ T6811]  __input_unregister_device+0x1b0/0x430
[ 60.503563][ T6811]  input_unregister_device+0xb4/0xf0
[ 60.508824][ T6811]  uinput_destroy_device+0x1e2/0x240
[ 60.514094][ T6811]  ? uinput_destroy_device+0x240/0x240
[ 60.519544][ T6811]  uinput_release+0x37/0x50
[ 60.524043][ T6811]  __fput+0x33e/0x880
[ 60.528016][ T6811]  task_work_run+0xf4/0x1b0
[ 60.532520][ T6811]  do_exit+0xb5e/0x2e10
[ 60.536663][ T6811]  ? fsnotify_first_mark+0x191/0x200
[ 60.541943][ T6811]  ? uinput_dev_upload_effect+0x1e0/0x1e0
[ 60.547638][ T6811]  ? mm_update_next_owner+0x7a0/0x7a0
[ 60.552986][ T6811]  ? vfs_write+0x161/0x5d0
[ 60.557396][ T6811]  do_group_exit+0x125/0x340
[ 60.561967][ T6811]  __x64_sys_exit_group+0x3a/0x50
[ 60.566979][ T6811]  do_syscall_64+0xf6/0x7d0
[ 60.571463][ T6811]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.577330][ T6811] RIP: 0033:0x43f9e8
[ 60.581223][ T6811] Code: Bad RIP value.
[ 60.585260][ T6811] RSP: 002b:00007ffcb993b758 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 60.593647][ T6811] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f9e8
[ 60.601630][ T6811] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 60.609599][ T6811] RBP: 00000000004bf228 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 60.617599][ T6811] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 60.625590][ T6811] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 60.633572][ T6811]
[ 60.635890][ T6811] Allocated by task 6811:
[ 60.640551][ T6811]  save_stack+0x1b/0x40
[ 60.644680][ T6811]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 60.650321][ T6811]  kmem_cache_alloc_trace+0x153/0x7d0
[ 60.655755][ T6811]  evdev_connect+0x80/0x4d0
[ 60.660234][ T6811]  input_attach_handler+0x194/0x200
[ 60.665425][ T6811]  input_register_device.cold+0xf5/0x246
[ 60.671036][ T6811]  uinput_ioctl_handler.isra.0+0x1210/0x1d80
[ 60.676994][ T6811]  ksys_ioctl+0x11a/0x180
[ 60.681298][ T6811]  __x64_sys_ioctl+0x6f/0xb0
[ 60.685874][ T6811]  do_syscall_64+0xf6/0x7d0
[ 60.690353][ T6811]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.696223][ T6811]
[ 60.698530][ T6811] Freed by task 6811:
[ 60.702497][ T6811]  save_stack+0x1b/0x40
[ 60.706636][ T6811]  __kasan_slab_free+0xf7/0x140
[ 60.711510][ T6811]  kfree+0x109/0x2b0
[ 60.715426][ T6811]  device_release+0x71/0x200
[ 60.720004][ T6811]  kobject_put+0x1c8/0x2f0
[ 60.724428][ T6811]  cdev_device_del+0x69/0x80
[ 60.729018][ T6811]  evdev_disconnect+0x3d/0xb0
[ 60.733759][ T6811]  __input_unregister_device+0x1b0/0x430
[ 60.739365][ T6811]  input_unregister_device+0xb4/0xf0
[ 60.744642][ T6811]  uinput_destroy_device+0x1e2/0x240
[ 60.749919][ T6811]  uinput_release+0x37/0x50
[ 60.754415][ T6811]  __fput+0x33e/0x880
[ 60.758375][ T6811]  task_work_run+0xf4/0x1b0
[ 60.762877][ T6811]  do_exit+0xb5e/0x2e10
[ 60.767016][ T6811]  do_group_exit+0x125/0x340
[ 60.771594][ T6811]  __x64_sys_exit_group+0x3a/0x50
[ 60.776592][ T6811]  do_syscall_64+0xf6/0x7d0
[ 60.781071][ T6811]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.786932][ T6811]
[ 60.789238][ T6811] The buggy address belongs to the object at ffff8880a6462000
[ 60.789238][ T6811]  which belongs to the cache kmalloc-2k of size 2048
[ 60.803274][ T6811] The buggy address is located 344 bytes inside of
[ 60.803274][ T6811]  2048-byte region [ffff8880a6462000, ffff8880a6462800)
[ 60.816633][ T6811] The buggy address belongs to the page:
[ 60.822273][ T6811] page:ffffea0002991880 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 60.831351][ T6811] flags: 0xfffe0000000200(slab)
[ 60.836179][ T6811] raw: 00fffe0000000200 ffffea0002991588 ffffea00029918c8 ffff8880aa000e00
[ 60.844739][ T6811] raw: 0000000000000000 ffff8880a6462000 0000000100000001 0000000000000000
[ 60.853315][ T6811] page dumped because: kasan: bad access detected
[ 60.859698][ T6811]
[ 60.861999][ T6811] Memory state around the buggy address:
[ 60.867616][ T6811]  ffff8880a6462000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.875653][ T6811]  ffff8880a6462080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.883701][ T6811] >ffff8880a6462100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.891734][ T6811]                                                     ^
[ 60.898640][ T6811]  ffff8880a6462180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.906674][ T6811]  ffff8880a6462200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.914707][ T6811] ==================================================================
[ 60.922753][ T6811] Disabling lock debugging due to kernel taint
[ 60.929697][ T6811] Kernel panic - not syncing: panic_on_warn set ...
[ 60.936319][ T6811] CPU: 1 PID: 6811 Comm: syz-executor848 Tainted: G B 5.7.0-rc6-next-20200522-syzkaller #0
[ 60.947583][ T6811] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.957660][ T6811] Call Trace:
[ 60.960945][ T6811]  dump_stack+0x18f/0x20d
[ 60.965247][ T6811]  ? __mutex_lock+0xf50/0x13c0
[ 60.969994][ T6811]  panic+0x2e3/0x75c
[ 60.973861][ T6811]  ? __warn_printk+0xf3/0xf3
[ 60.978422][ T6811]  ? preempt_schedule_common+0x5e/0xc0
[ 60.983854][ T6811]  ? __mutex_lock+0x1033/0x13c0
[ 60.988688][ T6811]  ? __mutex_lock+0x1033/0x13c0
[ 60.993527][ T6811]  ? preempt_schedule_thunk+0x16/0x18
[ 60.998872][ T6811]  ? trace_hardirqs_on+0x55/0x230
[ 61.003869][ T6811]  ? __mutex_lock+0x1033/0x13c0
[ 61.008690][ T6811]  ? __mutex_lock+0x1033/0x13c0
[ 61.013514][ T6811]  end_report+0x4d/0x53
[ 61.017643][ T6811]  kasan_report.cold+0xd/0x37
[ 61.022293][ T6811]  ? __mutex_lock+0x1033/0x13c0
[ 61.027112][ T6811]  __mutex_lock+0x1033/0x13c0
[ 61.031763][ T6811]  ? evdev_cleanup+0x21/0x190
[ 61.036421][ T6811]  ? print_usage_bug+0x240/0x240
[ 61.041347][ T6811]  ? trace_hardirqs_off+0x50/0x220
[ 61.046425][ T6811]  ? mutex_trylock+0x2c0/0x2c0
[ 61.051175][ T6811]  ? mark_held_locks+0x9f/0xe0
[ 61.055921][ T6811]  ? kfree+0x1eb/0x2b0
[ 61.059984][ T6811]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 61.065934][ T6811]  ? kfree_const+0x51/0x60
[ 61.070322][ T6811]  ? evdev_cleanup+0x21/0x190
[ 61.074991][ T6811]  evdev_cleanup+0x21/0x190
[ 61.079481][ T6811]  evdev_disconnect+0x45/0xb0
[ 61.084143][ T6811]  __input_unregister_device+0x1b0/0x430
[ 61.090967][ T6811]  input_unregister_device+0xb4/0xf0
[ 61.096221][ T6811]  uinput_destroy_device+0x1e2/0x240
[ 61.101480][ T6811]  ? uinput_destroy_device+0x240/0x240
[ 61.106910][ T6811]  uinput_release+0x37/0x50
[ 61.111386][ T6811]  __fput+0x33e/0x880
[ 61.115343][ T6811]  task_work_run+0xf4/0x1b0
[ 61.119830][ T6811]  do_exit+0xb5e/0x2e10
[ 61.123987][ T6811]  ? fsnotify_first_mark+0x191/0x200
[ 61.130476][ T6811]  ? uinput_dev_upload_effect+0x1e0/0x1e0
[ 61.136181][ T6811]  ? mm_update_next_owner+0x7a0/0x7a0
[ 61.141534][ T6811]  ? vfs_write+0x161/0x5d0
[ 61.145950][ T6811]  do_group_exit+0x125/0x340
[ 61.150520][ T6811]  __x64_sys_exit_group+0x3a/0x50
[ 61.155530][ T6811]  do_syscall_64+0xf6/0x7d0
[ 61.160012][ T6811]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 61.165875][ T6811] RIP: 0033:0x43f9e8
[ 61.169776][ T6811] Code: Bad RIP value.
[ 61.173813][ T6811] RSP: 002b:00007ffcb993b758 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 61.182204][ T6811] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f9e8
[ 61.190173][ T6811] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 61.198138][ T6811] RBP: 00000000004bf228 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 61.206090][ T6811] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 61.214045][ T6811] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 61.223363][ T6811] Kernel Offset: disabled
[ 61.227674][ T6811] Rebooting in 86400 seconds..