INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.10.21' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 43.400719] IPVS: ftp: loaded support on port[0] = 21 [ 43.453736] ================================================================== [ 43.461333] BUG: KASAN: use-after-free in uprobe_perf_close+0x45e/0x5f0 [ 43.468065] Read of size 4 at addr ffff8801acc867a4 by task syzkaller802591/4475 [ 43.475572] [ 43.477181] CPU: 0 PID: 4475 Comm: syzkaller802591 Not tainted 4.16.0+ #3 [ 43.484081] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 43.493414] Call Trace: [ 43.495986] dump_stack+0x1b9/0x294 [ 43.499690] ? dump_stack_print_info.cold.2+0x52/0x52 [ 43.504861] ? printk+0x9e/0xba [ 43.508120] ? kmsg_dump_rewind_nolock+0xe4/0xe4 [ 43.512866] ? kasan_check_write+0x14/0x20 [ 43.517081] print_address_description+0x6c/0x20b [ 43.521990] ? uprobe_perf_close+0x45e/0x5f0 [ 43.526378] kasan_report.cold.7+0x242/0x2fe [ 43.530769] __asan_report_load4_noabort+0x14/0x20 [ 43.535677] uprobe_perf_close+0x45e/0x5f0 [ 43.540413] ? probes_open+0x1a0/0x1a0 [ 43.544278] ? graph_lock+0x170/0x170 [ 43.548063] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 43.553233] trace_uprobe_register+0x355/0xcd0 [ 43.557802] ? uprobe_perf_close+0x5f0/0x5f0 [ 43.562190] ? kasan_check_read+0x11/0x20 [ 43.566317] ? rcu_is_watching+0x85/0x140 [ 43.570442] ? rcu_pm_notify+0xc0/0xc0 [ 43.574306] ? perf_event_attach_bpf_prog+0x3e0/0x3e0 [ 43.579476] ? perf_uprobe_init+0x260/0x260 [ 43.583775] perf_uprobe_destroy+0xa0/0x130 [ 43.588075] ? perf_uprobe_init+0x260/0x260 [ 43.592375] _free_event+0x3ff/0x13b0 [ 43.596154] ? __mutex_unlock_slowpath+0x140/0x8a0 [ 43.601061] ? ring_buffer_attach+0x830/0x830 [ 43.605537] ? lock_downgrade+0x8e0/0x8e0 [ 43.609666] ? mark_held_locks+0xc9/0x160 [ 43.613792] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 43.618358] ? _raw_spin_unlock_irq+0x27/0x70 [ 43.622834] put_event+0x48/0x60 [ 43.626176] perf_event_release_kernel+0x8bd/0xf90 [ 43.631085] ? put_event+0x60/0x60 [ 43.634607] ? kasan_check_read+0x11/0x20 [ 43.638733] ? do_raw_spin_unlock+0x9e/0x2e0 [ 43.643121] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 43.647692] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 43.652774] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 43.657766] ? trace_hardirqs_on+0xd/0x10 [ 43.661893] ? kasan_check_read+0x11/0x20 [ 43.666027] ? rcu_is_watching+0x85/0x140 [ 43.670152] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 43.675320] ? __call_rcu.constprop.68+0x396/0xbb0 [ 43.680285] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 43.685802] ? locks_remove_file+0x3f7/0x5a0 [ 43.690191] ? fcntl_setlk+0x1020/0x1020 [ 43.694244] ? fsnotify+0x415/0x1100 [ 43.697943] ? perf_event_release_kernel+0xf90/0xf90 [ 43.703021] perf_release+0x37/0x50 [ 43.706626] __fput+0x34d/0x890 [ 43.709884] ? fput+0x1a0/0x1a0 [ 43.713143] ? check_same_owner+0x320/0x320 [ 43.717444] ____fput+0x15/0x20 [ 43.720712] task_work_run+0x1e4/0x290 [ 43.724589] ? task_work_cancel+0x240/0x240 [ 43.728890] ? switch_task_namespaces+0xbd/0xd0 [ 43.733538] do_exit+0xf89/0x2730 [ 43.736970] ? graph_lock+0x170/0x170 [ 43.740756] ? mm_update_next_owner+0x980/0x980 [ 43.745404] ? graph_lock+0x170/0x170 [ 43.749197] ? find_held_lock+0x36/0x1c0 [ 43.753241] ? lock_downgrade+0x8e0/0x8e0 [ 43.757367] ? lock_downgrade+0x8e0/0x8e0 [ 43.761498] ? kasan_check_read+0x11/0x20 [ 43.765626] ? do_raw_spin_unlock+0x9e/0x2e0 [ 43.770013] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 43.774581] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 43.779140] ? rcu_read_lock+0x70/0x70 [ 43.783003] ? activate_task+0x123/0x2e0 [ 43.787043] ? trace_hardirqs_off+0xd/0x10 [ 43.791257] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 43.796342] ? try_to_wake_up+0x102/0x1190 [ 43.800563] ? find_held_lock+0x36/0x1c0 [ 43.804607] ? graph_lock+0x170/0x170 [ 43.808396] ? lock_downgrade+0x8e0/0x8e0 [ 43.812541] ? pvclock_read_flags+0x160/0x160 [ 43.817016] ? find_held_lock+0x36/0x1c0 [ 43.821063] ? lock_downgrade+0x8e0/0x8e0 [ 43.825195] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 43.830712] ? kasan_check_read+0x11/0x20 [ 43.834839] ? do_raw_spin_unlock+0x9e/0x2e0 [ 43.839227] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 43.843788] ? force_sig+0x30/0x30 [ 43.847308] ? _raw_spin_unlock_irq+0x27/0x70 [ 43.851783] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 43.856781] do_group_exit+0x16f/0x430 [ 43.860650] ? do_futex+0x27d0/0x27d0 [ 43.864432] ? SyS_exit+0x30/0x30 [ 43.867868] ? do_syscall_64+0xb7/0x9d0 [ 43.871822] ? do_group_exit+0x430/0x430 [ 43.875872] SyS_exit_group+0x1d/0x20 [ 43.879666] do_syscall_64+0x29e/0x9d0 [ 43.883532] ? vmalloc_sync_all+0x30/0x30 [ 43.887658] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 43.892391] ? syscall_return_slowpath+0x5c0/0x5c0 [ 43.897297] ? syscall_return_slowpath+0x30f/0x5c0 [ 43.902206] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 43.907548] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 43.912385] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 43.917567] RIP: 0033:0x445c39 [ 43.920745] RSP: 002b:00007ffc11b5b758 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 43.928430] RAX: ffffffffffffffda RBX: 00000000006dbc20 RCX: 0000000000445c39 [ 43.935675] RDX: 0000000000445c39 RSI: 0000000000000001 RDI: 0000000000000001 [ 43.942922] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 [ 43.950171] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000002 [ 43.957418] R13: 00000000006dbc24 R14: 0000000000000001 R15: 0000000000002710 [ 43.964672] [ 43.966288] Allocated by task 4475: [ 43.969903] save_stack+0x43/0xd0 [ 43.973332] kasan_kmalloc+0xc4/0xe0 [ 43.977020] kasan_slab_alloc+0x12/0x20 [ 43.980975] kmem_cache_alloc_node+0x144/0x780 [ 43.985537] copy_process.part.38+0x16bf/0x6e90 [ 43.990201] _do_fork+0x291/0x12a0 [ 43.993718] SyS_clone+0x37/0x50 [ 43.997065] do_syscall_64+0x29e/0x9d0 [ 44.000934] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 44.006096] [ 44.007699] Freed by task 0: [ 44.010694] save_stack+0x43/0xd0 [ 44.014124] __kasan_slab_free+0x11a/0x170 [ 44.018334] kasan_slab_free+0xe/0x10 [ 44.022123] kmem_cache_free+0x86/0x2d0 [ 44.026072] free_task+0x166/0x1d0 [ 44.029588] __put_task_struct+0x2d2/0x600 [ 44.033802] delayed_put_task_struct+0x367/0x470 [ 44.038546] rcu_process_callbacks+0x941/0x15f0 [ 44.043192] __do_softirq+0x2e0/0xaf5 [ 44.046966] [ 44.048572] The buggy address belongs to the object at ffff8801acc86780 [ 44.048572] which belongs to the cache task_struct of size 5952 [ 44.061293] The buggy address is located 36 bytes inside of [ 44.061293] 5952-byte region [ffff8801acc86780, ffff8801acc87ec0) [ 44.073152] The buggy address belongs to the page: [ 44.078058] page:ffffea0006b32180 count:1 mapcount:0 mapping:ffff8801acc86780 index:0x0 compound_mapcount: 0 [ 44.088004] flags: 0x2fffc0000008100(slab|head) [ 44.092653] raw: 02fffc0000008100 ffff8801acc86780 0000000000000000 0000000100000001 [ 44.100523] raw: ffffea0006b2c220 ffff8801dad0e248 ffff8801dad48200 0000000000000000 [ 44.108378] page dumped because: kasan: bad access detected [ 44.114061] [ 44.115665] Memory state around the buggy address: [ 44.120572] ffff8801acc86680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 44.127917] ffff8801acc86700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 44.135252] >ffff8801acc86780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.142582] ^ [ 44.146966] ffff8801acc86800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.154313] ffff8801acc86880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 44.161659] ================================================================== [ 44.168991] Disabling lock debugging due to kernel taint [ 44.174540] Kernel panic - not syncing: panic_on_warn set ... [ 44.174540] [ 44.181884] CPU: 0 PID: 4475 Comm: syzkaller802591 Tainted: G B 4.16.0+ #3 [ 44.190173] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 44.199505] Call Trace: [ 44.202076] dump_stack+0x1b9/0x294 [ 44.205698] ? dump_stack_print_info.cold.2+0x52/0x52 [ 44.210876] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 44.215612] ? uprobe_perf_close+0x390/0x5f0 [ 44.220011] panic+0x22f/0x4de [ 44.223182] ? add_taint.cold.5+0x16/0x16 [ 44.227309] ? do_raw_spin_unlock+0x9e/0x2e0 [ 44.231695] ? do_raw_spin_unlock+0x9e/0x2e0 [ 44.236082] ? uprobe_perf_close+0x45e/0x5f0 [ 44.240479] kasan_end_report+0x47/0x4f [ 44.244432] kasan_report.cold.7+0x76/0x2fe [ 44.248739] __asan_report_load4_noabort+0x14/0x20 [ 44.253649] uprobe_perf_close+0x45e/0x5f0 [ 44.257872] ? probes_open+0x1a0/0x1a0 [ 44.261735] ? graph_lock+0x170/0x170 [ 44.265516] ? __sanitizer_cov_trace_switch+0x53/0x90 [ 44.270685] trace_uprobe_register+0x355/0xcd0 [ 44.275244] ? uprobe_perf_close+0x5f0/0x5f0 [ 44.279631] ? kasan_check_read+0x11/0x20 [ 44.283754] ? rcu_is_watching+0x85/0x140 [ 44.287880] ? rcu_pm_notify+0xc0/0xc0 [ 44.291742] ? perf_event_attach_bpf_prog+0x3e0/0x3e0 [ 44.296909] ? perf_uprobe_init+0x260/0x260 [ 44.301206] perf_uprobe_destroy+0xa0/0x130 [ 44.305515] ? perf_uprobe_init+0x260/0x260 [ 44.309822] _free_event+0x3ff/0x13b0 [ 44.313603] ? __mutex_unlock_slowpath+0x140/0x8a0 [ 44.318509] ? ring_buffer_attach+0x830/0x830 [ 44.322978] ? lock_downgrade+0x8e0/0x8e0 [ 44.327103] ? mark_held_locks+0xc9/0x160 [ 44.331228] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 44.335785] ? _raw_spin_unlock_irq+0x27/0x70 [ 44.340256] put_event+0x48/0x60 [ 44.343600] perf_event_release_kernel+0x8bd/0xf90 [ 44.348518] ? put_event+0x60/0x60 [ 44.352035] ? kasan_check_read+0x11/0x20 [ 44.356160] ? do_raw_spin_unlock+0x9e/0x2e0 [ 44.360542] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 44.365108] ? _raw_spin_unlock_irqrestore+0x74/0xc0 [ 44.370199] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 44.375190] ? trace_hardirqs_on+0xd/0x10 [ 44.379317] ? kasan_check_read+0x11/0x20 [ 44.383446] ? rcu_is_watching+0x85/0x140 [ 44.387573] ? rcu_bh_force_quiescent_state+0x20/0x20 [ 44.392738] ? __call_rcu.constprop.68+0x396/0xbb0 [ 44.397648] ? __sanitizer_cov_trace_const_cmp8+0x18/0x20 [ 44.403163] ? locks_remove_file+0x3f7/0x5a0 [ 44.407549] ? fcntl_setlk+0x1020/0x1020 [ 44.411588] ? fsnotify+0x415/0x1100 [ 44.415284] ? perf_event_release_kernel+0xf90/0xf90 [ 44.420363] perf_release+0x37/0x50 [ 44.423965] __fput+0x34d/0x890 [ 44.427220] ? fput+0x1a0/0x1a0 [ 44.430478] ? check_same_owner+0x320/0x320 [ 44.434778] ____fput+0x15/0x20 [ 44.438042] task_work_run+0x1e4/0x290 [ 44.441908] ? task_work_cancel+0x240/0x240 [ 44.446226] ? switch_task_namespaces+0xbd/0xd0 [ 44.450872] do_exit+0xf89/0x2730 [ 44.454300] ? graph_lock+0x170/0x170 [ 44.458079] ? mm_update_next_owner+0x980/0x980 [ 44.462721] ? graph_lock+0x170/0x170 [ 44.466500] ? find_held_lock+0x36/0x1c0 [ 44.470539] ? lock_downgrade+0x8e0/0x8e0 [ 44.474749] ? lock_downgrade+0x8e0/0x8e0 [ 44.478874] ? kasan_check_read+0x11/0x20 [ 44.482998] ? do_raw_spin_unlock+0x9e/0x2e0 [ 44.487382] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 44.491940] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 44.496499] ? rcu_read_lock+0x70/0x70 [ 44.500374] ? activate_task+0x123/0x2e0 [ 44.504411] ? trace_hardirqs_off+0xd/0x10 [ 44.508624] ? _raw_spin_unlock_irqrestore+0x63/0xc0 [ 44.513705] ? try_to_wake_up+0x102/0x1190 [ 44.517914] ? find_held_lock+0x36/0x1c0 [ 44.521962] ? graph_lock+0x170/0x170 [ 44.525738] ? lock_downgrade+0x8e0/0x8e0 [ 44.529870] ? pvclock_read_flags+0x160/0x160 [ 44.534345] ? find_held_lock+0x36/0x1c0 [ 44.538386] ? lock_downgrade+0x8e0/0x8e0 [ 44.542513] ? __sanitizer_cov_trace_const_cmp4+0x16/0x20 [ 44.548029] ? kasan_check_read+0x11/0x20 [ 44.552153] ? do_raw_spin_unlock+0x9e/0x2e0 [ 44.556539] ? do_raw_spin_trylock+0x1b0/0x1b0 [ 44.561098] ? force_sig+0x30/0x30 [ 44.564614] ? _raw_spin_unlock_irq+0x27/0x70 [ 44.569083] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 44.574078] do_group_exit+0x16f/0x430 [ 44.577943] ? do_futex+0x27d0/0x27d0 [ 44.581718] ? SyS_exit+0x30/0x30 [ 44.585152] ? do_syscall_64+0xb7/0x9d0 [ 44.589102] ? do_group_exit+0x430/0x430 [ 44.593140] SyS_exit_group+0x1d/0x20 [ 44.596918] do_syscall_64+0x29e/0x9d0 [ 44.600785] ? vmalloc_sync_all+0x30/0x30 [ 44.604921] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 44.609652] ? syscall_return_slowpath+0x5c0/0x5c0 [ 44.614571] ? syscall_return_slowpath+0x30f/0x5c0 [ 44.619491] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 44.624832] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 44.629743] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 44.634908] RIP: 0033:0x445c39 [ 44.638074] RSP: 002b:00007ffc11b5b758 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 44.645758] RAX: ffffffffffffffda RBX: 00000000006dbc20 RCX: 0000000000445c39 [ 44.653005] RDX: 0000000000445c39 RSI: 0000000000000001 RDI: 0000000000000001 [ 44.660247] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 [ 44.667502] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000000002 [ 44.674748] R13: 00000000006dbc24 R14: 0000000000000001 R15: 0000000000002710 [ 44.682394] Dumping ftrace buffer: [ 44.685919] (ftrace buffer empty) [ 44.689605] Kernel Offset: disabled [ 44.693212] Rebooting in 86400 seconds..