[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.146' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   59.945293][ T6828] input: syz1 as /devices/virtual/input/input5
[   59.959766][ T6828] ==================================================================
[   59.968181][ T6828] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[   59.975406][ T6828] Read of size 8 at addr ffff88809d9cb158 by task syz-executor276/6828
[   59.983800][ T6828]
[   59.986141][ T6828] CPU: 1 PID: 6828 Comm: syz-executor276 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[   59.996037][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.006138][ T6828] Call Trace:
[   60.009442][ T6828]  dump_stack+0x18f/0x20d
[   60.013880][ T6828]  ? __mutex_lock+0x1033/0x13c0
[   60.018716][ T6828]  ? __mutex_lock+0x1033/0x13c0
[   60.023556][ T6828]  print_address_description.constprop.0.cold+0xd3/0x413
[   60.030571][ T6828]  ? cdev_device_del+0x69/0x80
[   60.035466][ T6828]  ? evdev_disconnect+0x3d/0xb0
[   60.040323][ T6828]  ? __input_unregister_device+0x1b0/0x430
[   60.046109][ T6828]  ? input_unregister_device+0xb4/0xf0
[   60.051558][ T6828]  ? uinput_destroy_device+0x1e2/0x240
[   60.057007][ T6828]  ? vprintk_func+0x97/0x1a6
[   60.061586][ T6828]  ? __mutex_lock+0x1033/0x13c0
[   60.066420][ T6828]  kasan_report.cold+0x1f/0x37
[   60.071336][ T6828]  ? __mutex_lock+0x1033/0x13c0
[   60.076201][ T6828]  __mutex_lock+0x1033/0x13c0
[   60.080871][ T6828]  ? evdev_cleanup+0x21/0x190
[   60.085713][ T6828]  ? print_usage_bug+0x240/0x240
[   60.090665][ T6828]  ? trace_hardirqs_off+0x50/0x220
[   60.096142][ T6828]  ? mutex_trylock+0x2c0/0x2c0
[   60.100898][ T6828]  ? mark_held_locks+0x9f/0xe0
[   60.105878][ T6828]  ? kfree+0x1eb/0x2b0
[   60.109952][ T6828]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   60.116030][ T6828]  ? kfree_const+0x51/0x60
[   60.120442][ T6828]  ? evdev_cleanup+0x21/0x190
[   60.125184][ T6828]  evdev_cleanup+0x21/0x190
[   60.129670][ T6828]  evdev_disconnect+0x45/0xb0
[   60.134441][ T6828]  __input_unregister_device+0x1b0/0x430
[   60.140676][ T6828]  input_unregister_device+0xb4/0xf0
[   60.146190][ T6828]  uinput_destroy_device+0x1e2/0x240
[   60.151664][ T6828]  ? uinput_destroy_device+0x240/0x240
[   60.157510][ T6828]  uinput_release+0x37/0x50
[   60.162140][ T6828]  __fput+0x33e/0x880
[   60.166248][ T6828]  task_work_run+0xf4/0x1b0
[   60.171113][ T6828]  do_exit+0xb5e/0x2e10
[   60.175651][ T6828]  ? fsnotify_first_mark+0x191/0x200
[   60.180952][ T6828]  ? uinput_dev_upload_effect+0x1e0/0x1e0
[   60.186772][ T6828]  ? mm_update_next_owner+0x7a0/0x7a0
[   60.192209][ T6828]  ? vfs_write+0x161/0x5d0
[   60.196635][ T6828]  do_group_exit+0x125/0x340
[   60.201300][ T6828]  __x64_sys_exit_group+0x3a/0x50
[   60.206475][ T6828]  do_syscall_64+0xf6/0x7d0
[   60.210974][ T6828]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   60.216872][ T6828] RIP: 0033:0x43f9e8
[   60.220769][ T6828] Code: Bad RIP value.
[   60.225138][ T6828] RSP: 002b:00007ffd4f39a028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   60.233535][ T6828] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f9e8
[   60.241750][ T6828] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   60.249698][ T6828] RBP: 00000000004bf228 R08: 00000000000000e7 R09: ffffffffffffffd0
[   60.257663][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   60.265713][ T6828] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   60.273690][ T6828]
[   60.276009][ T6828] Allocated by task 6828:
[   60.280491][ T6828]  save_stack+0x1b/0x40
[   60.284646][ T6828]  __kasan_kmalloc.constprop.0+0xbf/0xd0
[   60.290274][ T6828]  kmem_cache_alloc_trace+0x153/0x7d0
[   60.295636][ T6828]  evdev_connect+0x80/0x4d0
[   60.300215][ T6828]  input_attach_handler+0x194/0x200
[   60.305397][ T6828]  input_register_device.cold+0xf5/0x246
[   60.311109][ T6828]  uinput_ioctl_handler.isra.0+0x1210/0x1d80
[   60.317155][ T6828]  ksys_ioctl+0x11a/0x180
[   60.321591][ T6828]  __x64_sys_ioctl+0x6f/0xb0
[   60.326815][ T6828]  do_syscall_64+0xf6/0x7d0
[   60.331595][ T6828]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   60.337751][ T6828]
[   60.340079][ T6828] Freed by task 6828:
[   60.344199][ T6828]  save_stack+0x1b/0x40
[   60.348364][ T6828]  __kasan_slab_free+0xf7/0x140
[   60.353561][ T6828]  kfree+0x109/0x2b0
[   60.357448][ T6828]  device_release+0x71/0x200
[   60.362016][ T6828]  kobject_put+0x1c8/0x2f0
[   60.366991][ T6828]  cdev_device_del+0x69/0x80
[   60.371719][ T6828]  evdev_disconnect+0x3d/0xb0
[   60.376384][ T6828]  __input_unregister_device+0x1b0/0x430
[   60.382126][ T6828]  input_unregister_device+0xb4/0xf0
[   60.387523][ T6828]  uinput_destroy_device+0x1e2/0x240
[   60.392793][ T6828]  uinput_release+0x37/0x50
[   60.397306][ T6828]  __fput+0x33e/0x880
[   60.401278][ T6828]  task_work_run+0xf4/0x1b0
[   60.405782][ T6828]  do_exit+0xb5e/0x2e10
[   60.409926][ T6828]  do_group_exit+0x125/0x340
[   60.414507][ T6828]  __x64_sys_exit_group+0x3a/0x50
[   60.419510][ T6828]  do_syscall_64+0xf6/0x7d0
[   60.424024][ T6828]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   60.429897][ T6828]
[   60.432281][ T6828] The buggy address belongs to the object at ffff88809d9cb000
[   60.432281][ T6828]  which belongs to the cache kmalloc-2k of size 2048
[   60.447140][ T6828] The buggy address is located 344 bytes inside of
[   60.447140][ T6828]  2048-byte region [ffff88809d9cb000, ffff88809d9cb800)
[   60.460585][ T6828] The buggy address belongs to the page:
[   60.466209][ T6828] page:ffffea00027672c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[   60.475443][ T6828] flags: 0xfffe0000000200(slab)
[   60.480672][ T6828] raw: 00fffe0000000200 ffffea0002a43588 ffffea0002804248 ffff8880aa000e00
[   60.489691][ T6828] raw: 0000000000000000 ffff88809d9cb000 0000000100000001 0000000000000000
[   60.498257][ T6828] page dumped because: kasan: bad access detected
[   60.505268][ T6828]
[   60.507602][ T6828] Memory state around the buggy address:
[   60.513431][ T6828]  ffff88809d9cb000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.521477][ T6828]  ffff88809d9cb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.529979][ T6828] >ffff88809d9cb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.538814][ T6828]                                                     ^
[   60.545839][ T6828]  ffff88809d9cb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.553922][ T6828]  ffff88809d9cb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   60.562047][ T6828] ==================================================================
[   60.570094][ T6828] Disabling lock debugging due to kernel taint
[   60.588369][ T6828] Kernel panic - not syncing: panic_on_warn set ...
[   60.595067][ T6828] CPU: 1 PID: 6828 Comm: syz-executor276 Tainted: G    B             5.7.0-rc6-next-20200522-syzkaller #0
[   60.606978][ T6828] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   60.617013][ T6828] Call Trace:
[   60.620289][ T6828]  dump_stack+0x18f/0x20d
[   60.624713][ T6828]  ? __mutex_lock+0xf50/0x13c0
[   60.629478][ T6828]  panic+0x2e3/0x75c
[   60.633360][ T6828]  ? __warn_printk+0xf3/0xf3
[   60.637930][ T6828]  ? preempt_schedule_common+0x5e/0xc0
[   60.643556][ T6828]  ? __mutex_lock+0x1033/0x13c0
[   60.648416][ T6828]  ? __mutex_lock+0x1033/0x13c0
[   60.653263][ T6828]  ? preempt_schedule_thunk+0x16/0x18
[   60.658706][ T6828]  ? trace_hardirqs_on+0x55/0x230
[   60.663718][ T6828]  ? __mutex_lock+0x1033/0x13c0
[   60.668553][ T6828]  ? __mutex_lock+0x1033/0x13c0
[   60.673468][ T6828]  end_report+0x4d/0x53
[   60.677626][ T6828]  kasan_report.cold+0xd/0x37
[   60.682730][ T6828]  ? __mutex_lock+0x1033/0x13c0
[   60.687559][ T6828]  __mutex_lock+0x1033/0x13c0
[   60.692247][ T6828]  ? evdev_cleanup+0x21/0x190
[   60.696900][ T6828]  ? print_usage_bug+0x240/0x240
[   60.701827][ T6828]  ? trace_hardirqs_off+0x50/0x220
[   60.707117][ T6828]  ? mutex_trylock+0x2c0/0x2c0
[   60.711871][ T6828]  ? mark_held_locks+0x9f/0xe0
[   60.716708][ T6828]  ? kfree+0x1eb/0x2b0
[   60.720769][ T6828]  ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[   60.726740][ T6828]  ? kfree_const+0x51/0x60
[   60.731134][ T6828]  ? evdev_cleanup+0x21/0x190
[   60.735786][ T6828]  evdev_cleanup+0x21/0x190
[   60.740278][ T6828]  evdev_disconnect+0x45/0xb0
[   60.744955][ T6828]  __input_unregister_device+0x1b0/0x430
[   60.750579][ T6828]  input_unregister_device+0xb4/0xf0
[   60.755855][ T6828]  uinput_destroy_device+0x1e2/0x240
[   60.761132][ T6828]  ? uinput_destroy_device+0x240/0x240
[   60.766562][ T6828]  uinput_release+0x37/0x50
[   60.771182][ T6828]  __fput+0x33e/0x880
[   60.775164][ T6828]  task_work_run+0xf4/0x1b0
[   60.779660][ T6828]  do_exit+0xb5e/0x2e10
[   60.783809][ T6828]  ? fsnotify_first_mark+0x191/0x200
[   60.789084][ T6828]  ? uinput_dev_upload_effect+0x1e0/0x1e0
[   60.794972][ T6828]  ? mm_update_next_owner+0x7a0/0x7a0
[   60.800855][ T6828]  ? vfs_write+0x161/0x5d0
[   60.805255][ T6828]  do_group_exit+0x125/0x340
[   60.809871][ T6828]  __x64_sys_exit_group+0x3a/0x50
[   60.814873][ T6828]  do_syscall_64+0xf6/0x7d0
[   60.819355][ T6828]  entry_SYSCALL_64_after_hwframe+0x49/0xb3
[   60.825220][ T6828] RIP: 0033:0x43f9e8
[   60.829105][ T6828] Code: Bad RIP value.
[   60.833143][ T6828] RSP: 002b:00007ffd4f39a028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   60.841526][ T6828] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f9e8
[   60.849471][ T6828] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[   60.857417][ T6828] RBP: 00000000004bf228 R08: 00000000000000e7 R09: ffffffffffffffd0
[   60.865362][ T6828] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[   60.873309][ T6828] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[   60.882556][ T6828] Kernel Offset: disabled
[   60.886892][ T6828] Rebooting in 86400 seconds..