Warning: Permanently added '10.128.10.15' (ECDSA) to the list of known hosts.
executing program
[ 59.534946][ T6832] input: syz1 as /devices/virtual/input/input5
[ 59.548081][ T6832] ==================================================================
[ 59.556305][ T6832] BUG: KASAN: use-after-free in __mutex_lock+0x1033/0x13c0
[ 59.563509][ T6832] Read of size 8 at addr ffff8880a6ba9158 by task syz-executor852/6832
[ 59.571748][ T6832]
[ 59.574088][ T6832] CPU: 1 PID: 6832 Comm: syz-executor852 Not tainted 5.7.0-rc6-next-20200522-syzkaller #0
[ 59.583971][ T6832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 59.594035][ T6832] Call Trace:
[ 59.597332][ T6832] dump_stack+0x18f/0x20d
[ 59.601664][ T6832] ? __mutex_lock+0x1033/0x13c0
[ 59.606564][ T6832] ? __mutex_lock+0x1033/0x13c0
[ 59.611401][ T6832] print_address_description.constprop.0.cold+0xd3/0x413
[ 59.618409][ T6832] ? cdev_device_del+0x69/0x80
[ 59.623217][ T6832] ? evdev_disconnect+0x3d/0xb0
[ 59.628049][ T6832] ? __input_unregister_device+0x1b0/0x430
[ 59.633872][ T6832] ? input_unregister_device+0xb4/0xf0
[ 59.639311][ T6832] ? uinput_destroy_device+0x1e2/0x240
[ 59.644758][ T6832] ? vprintk_func+0x97/0x1a6
[ 59.649384][ T6832] ? __mutex_lock+0x1033/0x13c0
[ 59.654250][ T6832] kasan_report.cold+0x1f/0x37
[ 59.659011][ T6832] ? __mutex_lock+0x1033/0x13c0
[ 59.663850][ T6832] __mutex_lock+0x1033/0x13c0
[ 59.668544][ T6832] ? evdev_cleanup+0x21/0x190
[ 59.673201][ T6832] ? print_usage_bug+0x240/0x240
[ 59.678138][ T6832] ? trace_hardirqs_off+0x50/0x220
[ 59.683228][ T6832] ? mutex_trylock+0x2c0/0x2c0
[ 59.687974][ T6832] ? mark_held_locks+0x9f/0xe0
[ 59.692715][ T6832] ? kfree+0x1eb/0x2b0
[ 59.696781][ T6832] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 59.702744][ T6832] ? kfree_const+0x51/0x60
[ 59.707143][ T6832] ? evdev_cleanup+0x21/0x190
[ 59.711814][ T6832] evdev_cleanup+0x21/0x190
[ 59.716296][ T6832] evdev_disconnect+0x45/0xb0
[ 59.720952][ T6832] __input_unregister_device+0x1b0/0x430
[ 59.726577][ T6832] input_unregister_device+0xb4/0xf0
[ 59.731849][ T6832] uinput_destroy_device+0x1e2/0x240
[ 59.737126][ T6832] ? uinput_destroy_device+0x240/0x240
[ 59.742576][ T6832] uinput_release+0x37/0x50
[ 59.747058][ T6832] __fput+0x33e/0x880
[ 59.751018][ T6832] task_work_run+0xf4/0x1b0
[ 59.755501][ T6832] do_exit+0xb5e/0x2e10
[ 59.759650][ T6832] ? fsnotify_first_mark+0x191/0x200
[ 59.764916][ T6832] ? uinput_dev_upload_effect+0x1e0/0x1e0
[ 59.770613][ T6832] ? mm_update_next_owner+0x7a0/0x7a0
[ 59.775959][ T6832] ? vfs_write+0x161/0x5d0
[ 59.780356][ T6832] do_group_exit+0x125/0x340
[ 59.784921][ T6832] __x64_sys_exit_group+0x3a/0x50
[ 59.789920][ T6832] do_syscall_64+0xf6/0x7d0
[ 59.794401][ T6832] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 59.800268][ T6832] RIP: 0033:0x43f9f8
[ 59.804163][ T6832] Code: Bad RIP value.
[ 59.808267][ T6832] RSP: 002b:00007ffcc3a587b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 59.816667][ T6832] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f9f8
[ 59.824637][ T6832] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 59.832592][ T6832] RBP: 00000000004bf248 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 59.840541][ T6832] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 59.848489][ T6832] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 59.856455][ T6832]
[ 59.858763][ T6832] Allocated by task 6832:
[ 59.863071][ T6832] save_stack+0x1b/0x40
[ 59.867206][ T6832] __kasan_kmalloc.constprop.0+0xbf/0xd0
[ 59.872829][ T6832] kmem_cache_alloc_trace+0x153/0x7d0
[ 59.878177][ T6832] evdev_connect+0x80/0x4d0
[ 59.882653][ T6832] input_attach_handler+0x194/0x200
[ 59.887828][ T6832] input_register_device.cold+0xf5/0x246
[ 59.893434][ T6832] uinput_ioctl_handler.isra.0+0x1210/0x1d80
[ 59.899397][ T6832] ksys_ioctl+0x11a/0x180
[ 59.903715][ T6832] __x64_sys_ioctl+0x6f/0xb0
[ 59.908298][ T6832] do_syscall_64+0xf6/0x7d0
[ 59.912782][ T6832] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 59.918642][ T6832]
[ 59.920964][ T6832] Freed by task 6832:
[ 59.924921][ T6832] save_stack+0x1b/0x40
[ 59.929051][ T6832] __kasan_slab_free+0xf7/0x140
[ 59.933880][ T6832] kfree+0x109/0x2b0
[ 59.937750][ T6832] device_release+0x71/0x200
[ 59.942313][ T6832] kobject_put+0x1c8/0x2f0
[ 59.946703][ T6832] cdev_device_del+0x69/0x80
[ 59.951269][ T6832] evdev_disconnect+0x3d/0xb0
[ 59.955919][ T6832] __input_unregister_device+0x1b0/0x430
[ 59.961540][ T6832] input_unregister_device+0xb4/0xf0
[ 59.966817][ T6832] uinput_destroy_device+0x1e2/0x240
[ 59.972077][ T6832] uinput_release+0x37/0x50
[ 59.976562][ T6832] __fput+0x33e/0x880
[ 59.980525][ T6832] task_work_run+0xf4/0x1b0
[ 59.985002][ T6832] do_exit+0xb5e/0x2e10
[ 59.989136][ T6832] do_group_exit+0x125/0x340
[ 59.993713][ T6832] __x64_sys_exit_group+0x3a/0x50
[ 59.998728][ T6832] do_syscall_64+0xf6/0x7d0
[ 60.003222][ T6832] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.009084][ T6832]
[ 60.011390][ T6832] The buggy address belongs to the object at ffff8880a6ba9000
[ 60.011390][ T6832] which belongs to the cache kmalloc-2k of size 2048
[ 60.025423][ T6832] The buggy address is located 344 bytes inside of
[ 60.025423][ T6832] 2048-byte region [ffff8880a6ba9000, ffff8880a6ba9800)
[ 60.038751][ T6832] The buggy address belongs to the page:
[ 60.044361][ T6832] page:ffffea00029aea40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
[ 60.053443][ T6832] flags: 0xfffe0000000200(slab)
[ 60.058293][ T6832] raw: 00fffe0000000200 ffffea00029aea88 ffffea00029aea08 ffff8880aa000e00
[ 60.066859][ T6832] raw: 0000000000000000 ffff8880a6ba9000 0000000100000001 0000000000000000
[ 60.075414][ T6832] page dumped because: kasan: bad access detected
[ 60.081810][ T6832]
[ 60.084126][ T6832] Memory state around the buggy address:
[ 60.089736][ T6832] ffff8880a6ba9000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.097786][ T6832] ffff8880a6ba9080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.105819][ T6832] >ffff8880a6ba9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.113852][ T6832] ^
[ 60.120762][ T6832] ffff8880a6ba9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.128814][ T6832] ffff8880a6ba9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 60.136848][ T6832] ==================================================================
[ 60.144892][ T6832] Disabling lock debugging due to kernel taint
[ 60.152065][ T6832] Kernel panic - not syncing: panic_on_warn set ...
[ 60.158668][ T6832] CPU: 0 PID: 6832 Comm: syz-executor852 Tainted: G B 5.7.0-rc6-next-20200522-syzkaller #0
[ 60.169937][ T6832] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 60.180007][ T6832] Call Trace:
[ 60.183290][ T6832] dump_stack+0x18f/0x20d
[ 60.187671][ T6832] ? __mutex_lock+0xf50/0x13c0
[ 60.192412][ T6832] panic+0x2e3/0x75c
[ 60.196285][ T6832] ? __warn_printk+0xf3/0xf3
[ 60.200852][ T6832] ? preempt_schedule_common+0x5e/0xc0
[ 60.206292][ T6832] ? __mutex_lock+0x1033/0x13c0
[ 60.211116][ T6832] ? __mutex_lock+0x1033/0x13c0
[ 60.215995][ T6832] ? preempt_schedule_thunk+0x16/0x18
[ 60.221493][ T6832] ? trace_hardirqs_on+0x55/0x230
[ 60.226512][ T6832] ? __mutex_lock+0x1033/0x13c0
[ 60.231362][ T6832] ? __mutex_lock+0x1033/0x13c0
[ 60.236198][ T6832] end_report+0x4d/0x53
[ 60.240332][ T6832] kasan_report.cold+0xd/0x37
[ 60.244985][ T6832] ? __mutex_lock+0x1033/0x13c0
[ 60.249810][ T6832] __mutex_lock+0x1033/0x13c0
[ 60.254462][ T6832] ? evdev_cleanup+0x21/0x190
[ 60.259114][ T6832] ? print_usage_bug+0x240/0x240
[ 60.264068][ T6832] ? trace_hardirqs_off+0x50/0x220
[ 60.269153][ T6832] ? mutex_trylock+0x2c0/0x2c0
[ 60.273889][ T6832] ? mark_held_locks+0x9f/0xe0
[ 60.278638][ T6832] ? kfree+0x1eb/0x2b0
[ 60.282711][ T6832] ? lockdep_hardirqs_on_prepare+0x3a2/0x590
[ 60.288676][ T6832] ? kfree_const+0x51/0x60
[ 60.293073][ T6832] ? evdev_cleanup+0x21/0x190
[ 60.297740][ T6832] evdev_cleanup+0x21/0x190
[ 60.302232][ T6832] evdev_disconnect+0x45/0xb0
[ 60.306901][ T6832] __input_unregister_device+0x1b0/0x430
[ 60.312509][ T6832] input_unregister_device+0xb4/0xf0
[ 60.317769][ T6832] uinput_destroy_device+0x1e2/0x240
[ 60.323031][ T6832] ? uinput_destroy_device+0x240/0x240
[ 60.328475][ T6832] uinput_release+0x37/0x50
[ 60.332961][ T6832] __fput+0x33e/0x880
[ 60.336925][ T6832] task_work_run+0xf4/0x1b0
[ 60.341448][ T6832] do_exit+0xb5e/0x2e10
[ 60.345580][ T6832] ? fsnotify_first_mark+0x191/0x200
[ 60.350841][ T6832] ? uinput_dev_upload_effect+0x1e0/0x1e0
[ 60.356534][ T6832] ? mm_update_next_owner+0x7a0/0x7a0
[ 60.362011][ T6832] ? vfs_write+0x161/0x5d0
[ 60.366403][ T6832] do_group_exit+0x125/0x340
[ 60.370969][ T6832] __x64_sys_exit_group+0x3a/0x50
[ 60.375969][ T6832] do_syscall_64+0xf6/0x7d0
[ 60.380450][ T6832] entry_SYSCALL_64_after_hwframe+0x49/0xb3
[ 60.386330][ T6832] RIP: 0033:0x43f9f8
[ 60.390214][ T6832] Code: Bad RIP value.
[ 60.394251][ T6832] RSP: 002b:00007ffcc3a587b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 60.402649][ T6832] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043f9f8
[ 60.410595][ T6832] RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
[ 60.418539][ T6832] RBP: 00000000004bf248 R08: 00000000000000e7 R09: ffffffffffffffd0
[ 60.426501][ T6832] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 60.434444][ T6832] R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
[ 60.443793][ T6832] Kernel Offset: disabled
[ 60.448128][ T6832] Rebooting in 86400 seconds..