Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.187' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 59.770866][ T6823] input: syz0 as /devices/virtual/input/input5
[ 59.784312][ T6823] ==================================================================
[ 59.793951][ T6823] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[ 59.802220][ T6823] Read of size 8 at addr ffff8880947b6158 by task syz-executor306/6823
[ 59.810651][ T6823]
[ 59.813290][ T6823] CPU: 1 PID: 6823 Comm: syz-executor306 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[ 59.824774][ T6823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.835825][ T6823] Call Trace:
[ 59.840983][ T6823] dump_stack+0x18f/0x20d
[ 59.845825][ T6823] ? __mutex_lock+0x1033/0x13c0
[ 59.851115][ T6823] ? __mutex_lock+0x1033/0x13c0
[ 59.855979][ T6823] print_address_description.constprop.0.cold+0xd3/0x413
[ 59.863098][ T6823] ? cdev_device_del+0x69/0x80
[ 59.868397][ T6823] ? evdev_disconnect+0x3d/0xb0
[ 59.873751][ T6823] ? __input_unregister_device+0x1b0/0x430
[ 59.880497][ T6823] ? input_unregister_device+0xb4/0xf0
[ 59.886185][ T6823] ? uinput_destroy_device+0x1e2/0x240
[ 59.892338][ T6823] ? vprintk_func+0x97/0x1a6
[ 59.897665][ T6823] ? __mutex_lock+0x1033/0x13c0
[ 59.902900][ T6823] kasan_report.cold+0x1f/0x37
[ 59.908682][ T6823] ? __mutex_lock+0x1033/0x13c0
[ 59.914082][ T6823] __mutex_lock+0x1033/0x13c0
[ 59.919004][ T6823] ? evdev_cleanup+0x21/0x190
[ 59.923883][ T6823] ? print_usage_bug+0x240/0x240
[ 59.929030][ T6823] ? trace_hardirqs_off+0x50/0x220
[ 59.934134][ T6823] ? mutex_trylock+0x2c0/0x2c0
[ 59.939096][ T6823] ? mark_held_locks+0x9f/0xe0
[ 59.944367][ T6823] ? kfree+0x1eb/0x2b0
[ 59.948639][ T6823] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 59.956669][ T6823] ? kfree_const+0x51/0x60
[ 59.961850][ T6823] ? evdev_cleanup+0x21/0x190
[ 59.966821][ T6823] evdev_cleanup+0x21/0x190
[ 59.971507][ T6823] evdev_disconnect+0x45/0xb0
[ 59.976577][ T6823] __input_unregister_device+0x1b0/0x430
[ 59.982244][ T6823] input_unregister_device+0xb4/0xf0
[ 59.987981][ T6823] uinput_destroy_device+0x1e2/0x240
[ 59.993744][ T6823] ? uinput_destroy_device+0x240/0x240
[ 59.999830][ T6823] uinput_release+0x37/0x50
[ 60.004387][ T6823] __fput+0x33e/0x880
[ 60.008459][ T6823] task_work_run+0xf4/0x1b0
[ 60.012950][ T6823] do_exit+0xb5e/0x2e10
[ 60.017415][ T6823] ? fsnotify_first_mark+0x191/0x200
[ 60.023315][ T6823] ? debug_smp_processor_id+0x2f/0x185
[ 60.029911][ T6823] ? mm_update_next_owner+0x7a0/0x7a0
[ 60.035323][ T6823] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 60.041384][ T6823] ? vfs_write+0x161/0x5d0
[ 60.045788][ T6823] do_group_exit+0x125/0x340
[ 60.050374][ T6823] __x64_sys_exit_group+0x3a/0x50
[ 60.055473][ T6823] do_syscall_64+0xf6/0x7d0
[ 60.060048][ T6823] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.066029][ T6823] RIP: 0033:0x43fa38
[ 60.069915][ T6823] Code: Bad RIP value.
[ 60.073974][ T6823] RSP: 002b:00007fff5f38c988 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 60.082459][ T6823] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fa38
[ 60.090424][ T6823] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 60.098598][ T6823] RBP: 00000000004bf288 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 60.106785][ T6823] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 60.114916][ T6823] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 60.122982][ T6823]
[ 60.125288][ T6823] Allocated by task 6823:
[ 60.129621][ T6823] save_stack+0x1b/0x40
[ 60.133814][ T6823] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 60.140452][ T6823] kmem_cache_alloc_trace+0x153/0x7d0
[ 60.146629][ T6823] evdev_connect+0x80/0x4d0
[ 60.151205][ T6823] input_attach_handler+0x194/0x200
[ 60.156535][ T6823] input_register_device.cold+0xf5/0x246
[ 60.162376][ T6823] uinput_ioctl_handler.isra.0+0x1210/0x1d80
[ 60.168544][ T6823] ksys_ioctl+0x11a/0x180
[ 60.172852][ T6823] __x64_sys_ioctl+0x6f/0xb0
[ 60.177517][ T6823] do_syscall_64+0xf6/0x7d0
[ 60.181997][ T6823] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.187873][ T6823]
[ 60.190177][ T6823] Freed by task 6823:
[ 60.194149][ T6823] save_stack+0x1b/0x40
[ 60.198298][ T6823] __kasan_slab_free+0xf7/0x140
[ 60.203585][ T6823] kfree+0x109/0x2b0
[ 60.207480][ T6823] device_release+0x71/0x200
[ 60.212054][ T6823] kobject_put+0x1c8/0x2f0
[ 60.216523][ T6823] cdev_device_del+0x69/0x80
[ 60.221127][ T6823] evdev_disconnect+0x3d/0xb0
[ 60.225807][ T6823] __input_unregister_device+0x1b0/0x430
[ 60.231427][ T6823] input_unregister_device+0xb4/0xf0
[ 60.236713][ T6823] uinput_destroy_device+0x1e2/0x240
[ 60.242000][ T6823] uinput_release+0x37/0x50
[ 60.246578][ T6823] __fput+0x33e/0x880
[ 60.250550][ T6823] task_work_run+0xf4/0x1b0
[ 60.255080][ T6823] do_exit+0xb5e/0x2e10
[ 60.259243][ T6823] do_group_exit+0x125/0x340
[ 60.263818][ T6823] __x64_sys_exit_group+0x3a/0x50
[ 60.269043][ T6823] do_syscall_64+0xf6/0x7d0
[ 60.273680][ T6823] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.279764][ T6823]
[ 60.282082][ T6823] The buggy address belongs to the object at ffff8880947b6000
[ 60.282082][ T6823]  which belongs to the cache kmalloc-2k of size 2048
[ 60.296408][ T6823] The buggy address is located 344 bytes inside of
[ 60.296408][ T6823]  2048-byte region [ffff8880947b6000, ffff8880947b6800)
[ 60.310121][ T6823] The buggy address belongs to the page:
[ 60.315744][ T6823] page:ffffea000251ed80 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 60.325094][ T6823] flags: 0xfffe0000000200(slab)
[ 60.329987][ T6823] raw: 00fffe0000000200 ffffea00027ed048 ffff8880aa001950 ffff8880aa000e00
[ 60.338823][ T6823] raw: 0000000000000000 ffff8880947b6000 0000000100000001 0000000000000000
[ 60.347611][ T6823] page dumped because: kasan: bad access detected
[ 60.354014][ T6823]
[ 60.356405][ T6823] Memory state around the buggy address:
[ 60.362142][ T6823]  ffff8880947b6000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.372066][ T6823]  ffff8880947b6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.384157][ T6823] >ffff8880947b6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.393491][ T6823]                                                     ^
[ 60.401747][ T6823]  ffff8880947b6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.410089][ T6823]  ffff8880947b6200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.419491][ T6823] ==================================================================
[ 60.428865][ T6823] Disabling lock debugging due to kernel taint
[ 60.436678][ T6823] Kernel panic - not syncing: panic_on_warn set ...
[ 60.443499][ T6823] CPU: 1 PID: 6823 Comm: syz-executor306 Tainted: G B 5.7.0-rc6-next-20200522-syzkaller #0
[ 60.455193][ T6823] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.466442][ T6823] Call Trace:
[ 60.469827][ T6823] dump_stack+0x18f/0x20d
[ 60.475062][ T6823] ? __mutex_lock+0xf50/0x13c0
[ 60.480743][ T6823] panic+0x2e3/0x75c
[ 60.485057][ T6823] ? __warn_printk+0xf3/0xf3
[ 60.489655][ T6823] ? preempt_schedule_common+0x5e/0xc0
[ 60.495359][ T6823] ? __mutex_lock+0x1033/0x13c0
[ 60.500457][ T6823] ? __mutex_lock+0x1033/0x13c0
[ 60.505666][ T6823] ? preempt_schedule_thunk+0x16/0x18
[ 60.511042][ T6823] ? trace_hardirqs_on+0x55/0x230
[ 60.516323][ T6823] ? __mutex_lock+0x1033/0x13c0
[ 60.521261][ T6823] ? __mutex_lock+0x1033/0x13c0
[ 60.526375][ T6823] end_report+0x4d/0x53
[ 60.530799][ T6823] kasan_report.cold+0xd/0x37
[ 60.535755][ T6823] ? __mutex_lock+0x1033/0x13c0
[ 60.541878][ T6823] __mutex_lock+0x1033/0x13c0
[ 60.546900][ T6823] ? evdev_cleanup+0x21/0x190
[ 60.552527][ T6823] ? print_usage_bug+0x240/0x240
[ 60.558144][ T6823] ? trace_hardirqs_off+0x50/0x220
[ 60.563772][ T6823] ? mutex_trylock+0x2c0/0x2c0
[ 60.568696][ T6823] ? mark_held_locks+0x9f/0xe0
[ 60.573455][ T6823] ? kfree+0x1eb/0x2b0
[ 60.577705][ T6823] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 60.584033][ T6823] ? kfree_const+0x51/0x60
[ 60.588790][ T6823] ? evdev_cleanup+0x21/0x190
[ 60.593542][ T6823] evdev_cleanup+0x21/0x190
[ 60.598151][ T6823] evdev_disconnect+0x45/0xb0
[ 60.603102][ T6823] __input_unregister_device+0x1b0/0x430
[ 60.609087][ T6823] input_unregister_device+0xb4/0xf0
[ 60.615401][ T6823] uinput_destroy_device+0x1e2/0x240
[ 60.620836][ T6823] ? uinput_destroy_device+0x240/0x240
[ 60.626997][ T6823] uinput_release+0x37/0x50
[ 60.631970][ T6823] __fput+0x33e/0x880
[ 60.636630][ T6823] task_work_run+0xf4/0x1b0
[ 60.641252][ T6823] do_exit+0xb5e/0x2e10
[ 60.645692][ T6823] ? fsnotify_first_mark+0x191/0x200
[ 60.652290][ T6823] ? debug_smp_processor_id+0x2f/0x185
[ 60.657911][ T6823] ? mm_update_next_owner+0x7a0/0x7a0
[ 60.664399][ T6823] ? rcu_read_lock_any_held.part.0+0x50/0x50
[ 60.671486][ T6823] ? vfs_write+0x161/0x5d0
[ 60.676012][ T6823] do_group_exit+0x125/0x340
[ 60.680877][ T6823] __x64_sys_exit_group+0x3a/0x50
[ 60.686396][ T6823] do_syscall_64+0xf6/0x7d0
[ 60.691771][ T6823] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.698022][ T6823] RIP: 0033:0x43fa38
[ 60.702904][ T6823] Code: Bad RIP value.
[ 60.707159][ T6823] RSP: 002b:00007fff5f38c988 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 60.716041][ T6823] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fa38
[ 60.724408][ T6823] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 60.732786][ T6823] RBP: 00000000004bf288 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 60.741027][ T6823] R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
[ 60.750800][ T6823] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 60.760606][ T6823] Kernel Offset: disabled
[ 60.765961][ T6823] Rebooting in 86400 seconds..