[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.223' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 56.352769][ T6789] input: syz1 as /devices/virtual/input/input5
[ 56.366558][ T6789] ==================================================================
[ 56.374771][ T6789] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[ 56.381969][ T6789] Read of size 8 at addr ffff8880a6935158 by task syz-executor132/6789
[ 56.390199][ T6789]
[ 56.392537][ T6789] CPU: 0 PID: 6789 Comm: syz-executor132 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[ 56.402429][ T6789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 56.412490][ T6789] Call Trace:
[ 56.415781][ T6789]  dump_stack+0x18f/0x20d
[ 56.420093][ T6789]  ? __mutex_lock+0x1033/0x13c0
[ 56.424922][ T6789]  ? __mutex_lock+0x1033/0x13c0
[ 56.429754][ T6789]  print_address_description.constprop.0.cold+0xd3/0x413
[ 56.436776][ T6789]  ? cdev_device_del+0x69/0x80
[ 56.441516][ T6789]  ? evdev_disconnect+0x3d/0xb0
[ 56.446367][ T6789]  ? __input_unregister_device+0x1b0/0x430
[ 56.452150][ T6789]  ? input_unregister_device+0xb4/0xf0
[ 56.457602][ T6789]  ? uinput_destroy_device+0x1e2/0x240
[ 56.463038][ T6789]  ? vprintk_func+0x97/0x1a6
[ 56.467607][ T6789]  ? __mutex_lock+0x1033/0x13c0
[ 56.472452][ T6789]  kasan_report.cold+0x1f/0x37
[ 56.477192][ T6789]  ? __mutex_lock+0x1033/0x13c0
[ 56.482054][ T6789]  __mutex_lock+0x1033/0x13c0
[ 56.486732][ T6789]  ? evdev_cleanup+0x21/0x190
[ 56.491410][ T6789]  ? print_usage_bug+0x240/0x240
[ 56.496327][ T6789]  ? trace_hardirqs_off+0x50/0x220
[ 56.501414][ T6789]  ? mutex_trylock+0x2c0/0x2c0
[ 56.506155][ T6789]  ? mark_held_locks+0x9f/0xe0
[ 56.510906][ T6789]  ? kfree+0x1eb/0x2b0
[ 56.515044][ T6789]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 56.521033][ T6789]  ? kfree_const+0x51/0x60
[ 56.525442][ T6789]  ? evdev_cleanup+0x21/0x190
[ 56.530097][ T6789]  evdev_cleanup+0x21/0x190
[ 56.534583][ T6789]  evdev_disconnect+0x45/0xb0
[ 56.539242][ T6789]  __input_unregister_device+0x1b0/0x430
[ 56.544965][ T6789]  input_unregister_device+0xb4/0xf0
[ 56.550238][ T6789]  uinput_destroy_device+0x1e2/0x240
[ 56.555529][ T6789]  ? uinput_destroy_device+0x240/0x240
[ 56.560971][ T6789]  uinput_release+0x37/0x50
[ 56.565476][ T6789]  __fput+0x33e/0x880
[ 56.569439][ T6789]  task_work_run+0xf4/0x1b0
[ 56.573929][ T6789]  do_exit+0xb5e/0x2e10
[ 56.578081][ T6789]  ? debug_smp_processor_id+0x2f/0x185
[ 56.583605][ T6789]  ? mm_update_next_owner+0x7a0/0x7a0
[ 56.588974][ T6789]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 56.594935][ T6789]  do_group_exit+0x125/0x340
[ 56.599519][ T6789]  __x64_sys_exit_group+0x3a/0x50
[ 56.604524][ T6789]  do_syscall_64+0xf6/0x7d0
[ 56.609010][ T6789]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 56.614891][ T6789] RIP: 0033:0x43eee8
[ 56.618774][ T6789] Code: Bad RIP value.
[ 56.622822][ T6789] RSP: 002b:00007ffcbcab9d78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 56.631315][ T6789] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043eee8
[ 56.639788][ T6789] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 56.647760][ T6789] RBP: 00000000004be728 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 56.655737][ T6789] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 56.663685][ T6789] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 56.671670][ T6789]
[ 56.673977][ T6789] Allocated by task 6789:
[ 56.678301][ T6789]  save_stack+0x1b/0x40
[ 56.682468][ T6789]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 56.688170][ T6789]  kmem_cache_alloc_trace+0x153/0x7d0
[ 56.693525][ T6789]  evdev_connect+0x80/0x4d0
[ 56.698015][ T6789]  input_attach_handler+0x194/0x200
[ 56.703192][ T6789]  input_register_device.cold+0xf5/0x246
[ 56.708820][ T6789]  uinput_ioctl_handler.isra.0+0x1210/0x1d80
[ 56.714834][ T6789]  ksys_ioctl+0x11a/0x180
[ 56.719148][ T6789]  __x64_sys_ioctl+0x6f/0xb0
[ 56.723723][ T6789]  do_syscall_64+0xf6/0x7d0
[ 56.728229][ T6789]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 56.734101][ T6789]
[ 56.736412][ T6789] Freed by task 6789:
[ 56.740376][ T6789]  save_stack+0x1b/0x40
[ 56.744526][ T6789]  __kasan_slab_free+0xf7/0x140
[ 56.749370][ T6789]  kfree+0x109/0x2b0
[ 56.753246][ T6789]  device_release+0x71/0x200
[ 56.757834][ T6789]  kobject_put+0x1c8/0x2f0
[ 56.762244][ T6789]  cdev_device_del+0x69/0x80
[ 56.766814][ T6789]  evdev_disconnect+0x3d/0xb0
[ 56.771469][ T6789]  __input_unregister_device+0x1b0/0x430
[ 56.777109][ T6789]  input_unregister_device+0xb4/0xf0
[ 56.782426][ T6789]  uinput_destroy_device+0x1e2/0x240
[ 56.787700][ T6789]  uinput_release+0x37/0x50
[ 56.792199][ T6789]  __fput+0x33e/0x880
[ 56.796175][ T6789]  task_work_run+0xf4/0x1b0
[ 56.800656][ T6789]  do_exit+0xb5e/0x2e10
[ 56.804788][ T6789]  do_group_exit+0x125/0x340
[ 56.809361][ T6789]  __x64_sys_exit_group+0x3a/0x50
[ 56.814382][ T6789]  do_syscall_64+0xf6/0x7d0
[ 56.818864][ T6789]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 56.824729][ T6789]
[ 56.827050][ T6789] The buggy address belongs to the object at ffff8880a6935000
[ 56.827050][ T6789]  which belongs to the cache kmalloc-2k of size 2048
[ 56.841095][ T6789] The buggy address is located 344 bytes inside of
[ 56.841095][ T6789]  2048-byte region [ffff8880a6935000, ffff8880a6935800)
[ 56.854484][ T6789] The buggy address belongs to the page:
[ 56.860117][ T6789] page:ffffea00029a4d40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 56.869220][ T6789] flags: 0xfffe0000000200(slab)
[ 56.874059][ T6789] raw: 00fffe0000000200 ffffea00029ae488 ffffea00029a4bc8 ffff8880aa000e00
[ 56.882783][ T6789] raw: 0000000000000000 ffff8880a6935000 0000000100000001 0000000000000000
[ 56.891459][ T6789] page dumped because: kasan: bad access detected
[ 56.897846][ T6789]
[ 56.900172][ T6789] Memory state around the buggy address:
[ 56.905790][ T6789]  ffff8880a6935000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.914004][ T6789]  ffff8880a6935080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.923098][ T6789] >ffff8880a6935100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.931133][ T6789]                                                     ^
[ 56.938041][ T6789]  ffff8880a6935180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.946086][ T6789]  ffff8880a6935200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 56.954118][ T6789] ==================================================================
[ 56.962150][ T6789] Disabling lock debugging due to kernel taint
[ 56.980336][ T6789] Kernel panic - not syncing: panic_on_warn set ...
[ 56.986932][ T6789] CPU: 0 PID: 6789 Comm: syz-executor132 Tainted: G    B             5.7.0-rc6-next-20200522-syzkaller #0
[ 56.998207][ T6789] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 57.008250][ T6789] Call Trace:
[ 57.011539][ T6789]  dump_stack+0x18f/0x20d
[ 57.015858][ T6789]  ? __mutex_lock+0xf50/0x13c0
[ 57.020602][ T6789]  panic+0x2e3/0x75c
[ 57.024486][ T6789]  ? __warn_printk+0xf3/0xf3
[ 57.029067][ T6789]  ? preempt_schedule_common+0x5e/0xc0
[ 57.034512][ T6789]  ? __mutex_lock+0x1033/0x13c0
[ 57.039339][ T6789]  ? __mutex_lock+0x1033/0x13c0
[ 57.044231][ T6789]  ? preempt_schedule_thunk+0x16/0x18
[ 57.049593][ T6789]  ? trace_hardirqs_on+0x55/0x230
[ 57.054788][ T6789]  ? __mutex_lock+0x1033/0x13c0
[ 57.059611][ T6789]  ? __mutex_lock+0x1033/0x13c0
[ 57.064452][ T6789]  end_report+0x4d/0x53
[ 57.068583][ T6789]  kasan_report.cold+0xd/0x37
[ 57.073235][ T6789]  ? __mutex_lock+0x1033/0x13c0
[ 57.078057][ T6789]  __mutex_lock+0x1033/0x13c0
[ 57.082713][ T6789]  ? evdev_cleanup+0x21/0x190
[ 57.087362][ T6789]  ? print_usage_bug+0x240/0x240
[ 57.092287][ T6789]  ? trace_hardirqs_off+0x50/0x220
[ 57.097806][ T6789]  ? mutex_trylock+0x2c0/0x2c0
[ 57.102563][ T6789]  ? mark_held_locks+0x9f/0xe0
[ 57.107300][ T6789]  ? kfree+0x1eb/0x2b0
[ 57.111342][ T6789]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 57.117297][ T6789]  ? kfree_const+0x51/0x60
[ 57.121693][ T6789]  ? evdev_cleanup+0x21/0x190
[ 57.126342][ T6789]  evdev_cleanup+0x21/0x190
[ 57.130828][ T6789]  evdev_disconnect+0x45/0xb0
[ 57.135499][ T6789]  __input_unregister_device+0x1b0/0x430
[ 57.141122][ T6789]  input_unregister_device+0xb4/0xf0
[ 57.146382][ T6789]  uinput_destroy_device+0x1e2/0x240
[ 57.151643][ T6789]  ? uinput_destroy_device+0x240/0x240
[ 57.157098][ T6789]  uinput_release+0x37/0x50
[ 57.161576][ T6789]  __fput+0x33e/0x880
[ 57.165551][ T6789]  task_work_run+0xf4/0x1b0
[ 57.170034][ T6789]  do_exit+0xb5e/0x2e10
[ 57.174185][ T6789]  ? debug_smp_processor_id+0x2f/0x185
[ 57.179618][ T6789]  ? mm_update_next_owner+0x7a0/0x7a0
[ 57.184965][ T6789]  ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 57.190934][ T6789]  do_group_exit+0x125/0x340
[ 57.195499][ T6789]  __x64_sys_exit_group+0x3a/0x50
[ 57.200497][ T6789]  do_syscall_64+0xf6/0x7d0
[ 57.204974][ T6789]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 57.210838][ T6789] RIP: 0033:0x43eee8
[ 57.214713][ T6789] Code: Bad RIP value.
[ 57.218765][ T6789] RSP: 002b:00007ffcbcab9d78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 57.227162][ T6789] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043eee8
[ 57.235109][ T6789] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 57.243072][ T6789] RBP: 00000000004be728 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 57.251140][ T6789] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 57.259098][ T6789] R13: 00000000006d0180 R14: 0000000000000000 R15: 0000000000000000
[ 57.268383][ T6789] Kernel Offset: disabled
[ 57.272704][ T6789] Rebooting in 86400 seconds..
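Reading the report above mechanically. What follows is an added example, not part of the syzkaller output or of the kernel tree: a small Python triage script that parses a KASAN report into the facts worth checking first (bug class, faulting frame, which call path allocated and freed the object, which frame touched it afterwards, whether the reported offset and region are self-consistent, and what the shadow byte at the faulting address says). SAMPLE is a trimmed copy of the lines above, embedded so the script runs offline. The shadow-byte values are those from mm/kasan/kasan.h; the list of "plumbing" frames and the "innermost frame shared by the free stack and the use stack" heuristic are this script's own assumptions, not anything the report states.

```python
"""Triage a KASAN report from a serial console log (added example, see lead-in)."""
import re

# Constructed sample: a trimmed copy of the report above, with the console
# "[ time][ Tpid]" prefix kept so the parser has to strip it.
SAMPLE = """\
[   56.374771][ T6789] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[   56.381969][ T6789] Read of size 8 at addr ffff8880a6935158 by task syz-executor132/6789
[   56.390199][ T6789]
[   56.412490][ T6789] Call Trace:
[   56.415781][ T6789]  dump_stack+0x18f/0x20d
[   56.420093][ T6789]  ? __mutex_lock+0x1033/0x13c0
[   56.482054][ T6789]  __mutex_lock+0x1033/0x13c0
[   56.530097][ T6789]  evdev_cleanup+0x21/0x190
[   56.534583][ T6789]  evdev_disconnect+0x45/0xb0
[   56.671670][ T6789]
[   56.673977][ T6789] Allocated by task 6789:
[   56.678301][ T6789]  save_stack+0x1b/0x40
[   56.682468][ T6789]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   56.688170][ T6789]  kmem_cache_alloc_trace+0x153/0x7d0
[   56.693525][ T6789]  evdev_connect+0x80/0x4d0
[   56.734101][ T6789]
[   56.736412][ T6789] Freed by task 6789:
[   56.740376][ T6789]  save_stack+0x1b/0x40
[   56.744526][ T6789]  __kasan_slab_free+0xf7/0x140
[   56.749370][ T6789]  kfree+0x109/0x2b0
[   56.753246][ T6789]  device_release+0x71/0x200
[   56.762244][ T6789]  cdev_device_del+0x69/0x80
[   56.766814][ T6789]  evdev_disconnect+0x3d/0xb0
[   56.824729][ T6789]
[   56.827050][ T6789] The buggy address belongs to the object at ffff8880a6935000
[   56.827050][ T6789]  which belongs to the cache kmalloc-2k of size 2048
[   56.841095][ T6789] The buggy address is located 344 bytes inside of
[   56.841095][ T6789]  2048-byte region [ffff8880a6935000, ffff8880a6935800)
[   56.914004][ T6789]  ffff8880a6935080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   56.923098][ T6789] >ffff8880a6935100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]")
FRAME = re.compile(r"^(\?\s+)?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2} ?){16})$")
# Shadow byte values from mm/kasan/kasan.h; one shadow byte covers 8 bytes of memory.
SHADOW_MEANING = {0x00: "accessible", 0xfb: "freed slab object (KASAN_KMALLOC_FREE)",
                  0xfc: "kmalloc redzone", 0xfe: "page redzone", 0xff: "freed page"}
# Allocator/KASAN frames at the top of each stack, not the driver under test (heuristic).
PLUMBING = ("save_stack", "__kasan_", "kmem_cache_", "kfree", "dump_stack", "kasan_report")

def parse_kasan(text):
    """Extract the header, the call/allocated/freed stacks, object geometry and shadow rows."""
    rep = {"stacks": {}, "shadow": {}}
    section = None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:                                  # a blank line closes the current stack
            section = None
        elif (m := re.match(r"BUG: KASAN: (\S+) in (\S+?)\+0x", line)):
            rep["bug_type"], rep["fault_func"] = m.groups()
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", line)):
            rep["access"], rep["size"], rep["addr"] = m[1], int(m[2]), int(m[3], 16)
        elif line.startswith(("Call Trace:", "Allocated by task", "Freed by task")):
            section = line.split()[0].lower()         # "call", "allocated" or "freed"
        elif (m := re.search(r"object at ([0-9a-f]+)$", line)):
            rep["object_base"] = int(m[1], 16)
        elif (m := re.search(r"cache (\S+) of size (\d+)", line)):
            rep["cache"] = m[1]
        elif (m := re.search(r"located (\d+) bytes inside", line)):
            rep["stated_offset"] = int(m[1])
        elif (m := re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", line)):
            rep["region"] = (int(m[1], 16), int(m[2], 16))
        elif (m := SHADOW_ROW.match(line)):
            rep["shadow"][int(m[1], 16)] = [int(b, 16) for b in m[2].split()]
        elif section and (m := FRAME.match(line)) and not m[1]:   # "?" frames are unreliable
            rep["stacks"].setdefault(section, []).append(m[2])
    return rep

def first_driver_frame(frames):
    return next((f for f in frames if not f.startswith(PLUMBING)), None)

def triage(rep):
    """Derive the facts a triager checks: who allocated, who freed, who touched it afterwards."""
    use, free, alloc = (rep["stacks"].get(k, []) for k in ("call", "freed", "allocated"))
    addr, (lo, hi) = rep["addr"], rep["region"]
    row = rep["shadow"].get(addr & ~0x7f)             # one printed row = 16 shadow bytes = 128 bytes
    shadow = row[(addr & 0x7f) >> 3] if row else None
    idx = use.index(rep["fault_func"]) if rep["fault_func"] in use else -1
    shared = [f for f in free if f in use]            # frames common to the freeing and the using stack
    return {
        "offset": addr - rep["object_base"],
        "offset_matches_report": addr - rep["object_base"] == rep["stated_offset"],
        "access_inside_object": lo <= addr and addr + rep["size"] <= hi,
        "allocated_in": first_driver_frame(alloc),
        "freed_in": first_driver_frame(free),
        "used_from": use[idx + 1] if 0 <= idx < len(use) - 1 else None,
        "diverges_in": shared[0] if shared else None,  # innermost frame that both freed and then used it
        "shadow_byte": shadow,
        "shadow_meaning": SHADOW_MEANING.get(shadow, "partial/other"),
    }
```

Run against this report, `triage(parse_kasan(SAMPLE))` gives offset 344 (matching the "344 bytes inside" line), an 8-byte read that lies entirely inside the kmalloc-2k object, allocation in evdev_connect, free in device_release (reached through cdev_device_del), use from evdev_cleanup, and evdev_disconnect as the innermost frame on both stacks; the shadow byte at the address is 0xfb, i.e. the whole object had already been returned to the slab. All of that is visible in the raw log, but the script makes the check repeatable across many reports and refuses to be misled by the "?" frames, which are stale stack slots rather than real callers.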