Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.10' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 69.568985][ T36] audit: type=1804 audit(1612772164.264:2): pid=8429 uid=0 auid=4294967295 ses=4294967295 subj==unconfined op=invalid_pcr cause=open_writers comm="syz-executor146" name="/root/bus" dev="sda1" ino=14153 res=1 errno=0
[ 69.593464][ T8429] ==================================================================
[ 69.602262][ T8429] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 69.609258][ T8429] Read of size 8 at addr ffff8880118a7968 by task syz-executor146/8429
[ 69.617550][ T8429]
[ 69.619873][ T8429] CPU: 0 PID: 8429 Comm: syz-executor146 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[ 69.630199][ T8429] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.640264][ T8429] Call Trace:
[ 69.643557][ T8429]  dump_stack+0x107/0x163
[ 69.647926][ T8429]  ? find_uprobe+0x12c/0x150
[ 69.652533][ T8429]  ? find_uprobe+0x12c/0x150
[ 69.657217][ T8429]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 69.664266][ T8429]  ? find_uprobe+0x12c/0x150
[ 69.668876][ T8429]  ? find_uprobe+0x12c/0x150
[ 69.673472][ T8429]  kasan_report.cold+0x7c/0xd8
[ 69.678269][ T8429]  ? find_uprobe+0x12c/0x150
[ 69.682864][ T8429]  find_uprobe+0x12c/0x150
[ 69.687292][ T8429]  uprobe_unregister+0x1e/0x70
[ 69.692061][ T8429]  __probe_event_disable+0x11e/0x240
[ 69.697372][ T8429]  probe_event_disable+0x155/0x1c0
[ 69.702502][ T8429]  trace_uprobe_register+0x45a/0x880
[ 69.707804][ T8429]  ? trace_uprobe_register+0x3ef/0x880
[ 69.713289][ T8429]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 69.718846][ T8429]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 69.724769][ T8429]  perf_uprobe_destroy+0xbb/0x130
[ 69.729810][ T8429]  ? perf_uprobe_init+0x210/0x210
[ 69.734844][ T8429]  _free_event+0x2ee/0x1380
[ 69.739366][ T8429]  perf_event_release_kernel+0xa24/0xe00
[ 69.745026][ T8429]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 69.750343][ T8429]  ? __perf_event_exit_context+0x170/0x170
[ 69.756187][ T8429]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.762467][ T8429]  perf_release+0x33/0x40
[ 69.766808][ T8429]  __fput+0x283/0x920
[ 69.770794][ T8429]  ? perf_event_release_kernel+0xe00/0xe00
[ 69.776618][ T8429]  task_work_run+0xdd/0x190
[ 69.782535][ T8429]  do_exit+0xc5c/0x2ae0
[ 69.786710][ T8429]  ? mm_update_next_owner+0x7a0/0x7a0
[ 69.792092][ T8429]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.798487][ T8429]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.804801][ T8429]  do_group_exit+0x125/0x310
[ 69.809507][ T8429]  __x64_sys_exit_group+0x3a/0x50
[ 69.814588][ T8429]  do_syscall_64+0x2d/0x70
[ 69.819177][ T8429]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.825201][ T8429] RIP: 0033:0x43db29
[ 69.829117][ T8429] Code: Unable to access opcode bytes at RIP 0x43daff.
[ 69.836754][ T8429] RSP: 002b:00007fff072b9b98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.845190][ T8429] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043db29
[ 69.853176][ T8429] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 69.861421][ T8429] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 69.869396][ T8429] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 69.877549][ T8429] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 69.885636][ T8429]
[ 69.888047][ T8429] Allocated by task 8429:
[ 69.892424][ T8429]  kasan_save_stack+0x1b/0x40
[ 69.897125][ T8429]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[ 69.902947][ T8429]  __uprobe_register+0x19c/0x850
[ 69.907927][ T8429]  probe_event_enable+0x357/0xa00
[ 69.912985][ T8429]  trace_uprobe_register+0x443/0x880
[ 69.918301][ T8429]  perf_trace_event_init+0x549/0xa20
[ 69.923604][ T8429]  perf_uprobe_init+0x16f/0x210
[ 69.928483][ T8429]  perf_uprobe_event_init+0xff/0x1c0
[ 69.933786][ T8429]  perf_try_init_event+0x12a/0x560
[ 69.938937][ T8429]  perf_event_alloc.part.0+0xe3b/0x3960
[ 69.944495][ T8429]  __do_sys_perf_event_open+0x647/0x2e60
[ 69.950303][ T8429]  do_syscall_64+0x2d/0x70
[ 69.954750][ T8429]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.960675][ T8429]
[ 69.963015][ T8429] Freed by task 8429:
[ 69.967046][ T8429]  kasan_save_stack+0x1b/0x40
[ 69.971739][ T8429]  kasan_set_track+0x1c/0x30
[ 69.976380][ T8429]  kasan_set_free_info+0x20/0x30
[ 69.981380][ T8429]  ____kasan_slab_free.part.0+0xe1/0x110
[ 69.987043][ T8429]  slab_free_freelist_hook+0x82/0x1d0
[ 69.992447][ T8429]  kfree+0xe5/0x7b0
[ 69.996274][ T8429]  put_uprobe+0x13b/0x190
[ 70.000625][ T8429]  uprobe_apply+0xfc/0x130
[ 70.005050][ T8429]  trace_uprobe_register+0x5c9/0x880
[ 70.010356][ T8429]  perf_trace_event_init+0x17a/0xa20
[ 70.015647][ T8429]  perf_uprobe_init+0x16f/0x210
[ 70.020517][ T8429]  perf_uprobe_event_init+0xff/0x1c0
[ 70.025813][ T8429]  perf_try_init_event+0x12a/0x560
[ 70.030935][ T8429]  perf_event_alloc.part.0+0xe3b/0x3960
[ 70.036505][ T8429]  __do_sys_perf_event_open+0x647/0x2e60
[ 70.042145][ T8429]  do_syscall_64+0x2d/0x70
[ 70.046571][ T8429]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.052488][ T8429]
[ 70.054826][ T8429] The buggy address belongs to the object at ffff8880118a7800
[ 70.054826][ T8429]  which belongs to the cache kmalloc-512 of size 512
[ 70.068909][ T8429] The buggy address is located 360 bytes inside of
[ 70.068909][ T8429]  512-byte region [ffff8880118a7800, ffff8880118a7a00)
[ 70.082223][ T8429] The buggy address belongs to the page:
[ 70.087873][ T8429] page:000000006bc4fa56 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x118a6
[ 70.098074][ T8429] head:000000006bc4fa56 order:1 compound_mapcount:0
[ 70.104673][ T8429] flags: 0xfff00000010200(slab|head)
[ 70.109984][ T8429] raw: 00fff00000010200 ffffea000085d000 0000000200000002 ffff888010841c80
[ 70.118587][ T8429] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 70.127181][ T8429] page dumped because: kasan: bad access detected
[ 70.133611][ T8429]
[ 70.135950][ T8429] Memory state around the buggy address:
[ 70.141608][ T8429]  ffff8880118a7800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.149680][ T8429]  ffff8880118a7880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.157744][ T8429] >ffff8880118a7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.165829][ T8429]                                                           ^
[ 70.173327][ T8429]  ffff8880118a7980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 70.181403][ T8429]  ffff8880118a7a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 70.189476][ T8429] ==================================================================
[ 70.197581][ T8429] Disabling lock debugging due to kernel taint
[ 70.203920][ T8429] Kernel panic - not syncing: panic_on_warn set ...
[ 70.210537][ T8429] CPU: 0 PID: 8429 Comm: syz-executor146 Tainted: G B 5.11.0-rc6-next-20210205-syzkaller #0
[ 70.221955][ T8429] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 70.232032][ T8429] Call Trace:
[ 70.235325][ T8429]  dump_stack+0x107/0x163
[ 70.239734][ T8429]  ? find_uprobe+0x90/0x150
[ 70.244255][ T8429]  panic+0x306/0x73d
[ 70.248464][ T8429]  ? __warn_printk+0xf3/0xf3
[ 70.253060][ T8429]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 70.259233][ T8429]  ? trace_hardirqs_on+0x38/0x1c0
[ 70.264279][ T8429]  ? trace_hardirqs_on+0x51/0x1c0
[ 70.269317][ T8429]  ? find_uprobe+0x12c/0x150
[ 70.274009][ T8429]  ? find_uprobe+0x12c/0x150
[ 70.278602][ T8429]  end_report.cold+0x5a/0x5a
[ 70.283290][ T8429]  kasan_report.cold+0x6a/0xd8
[ 70.288082][ T8429]  ? find_uprobe+0x12c/0x150
[ 70.292842][ T8429]  find_uprobe+0x12c/0x150
[ 70.297279][ T8429]  uprobe_unregister+0x1e/0x70
[ 70.302064][ T8429]  __probe_event_disable+0x11e/0x240
[ 70.307380][ T8429]  probe_event_disable+0x155/0x1c0
[ 70.312515][ T8429]  trace_uprobe_register+0x45a/0x880
[ 70.317815][ T8429]  ? trace_uprobe_register+0x3ef/0x880
[ 70.323464][ T8429]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 70.329042][ T8429]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 70.334954][ T8429]  perf_uprobe_destroy+0xbb/0x130
[ 70.339992][ T8429]  ? perf_uprobe_init+0x210/0x210
[ 70.345030][ T8429]  _free_event+0x2ee/0x1380
[ 70.349553][ T8429]  perf_event_release_kernel+0xa24/0xe00
[ 70.355197][ T8429]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 70.360484][ T8429]  ? __perf_event_exit_context+0x170/0x170
[ 70.366298][ T8429]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 70.372539][ T8429]  perf_release+0x33/0x40
[ 70.377239][ T8429]  __fput+0x283/0x920
[ 70.381232][ T8429]  ? perf_event_release_kernel+0xe00/0xe00
[ 70.387038][ T8429]  task_work_run+0xdd/0x190
[ 70.391554][ T8429]  do_exit+0xc5c/0x2ae0
[ 70.395727][ T8429]  ? mm_update_next_owner+0x7a0/0x7a0
[ 70.401112][ T8429]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 70.407358][ T8429]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 70.413616][ T8429]  do_group_exit+0x125/0x310
[ 70.418216][ T8429]  __x64_sys_exit_group+0x3a/0x50
[ 70.423439][ T8429]  do_syscall_64+0x2d/0x70
[ 70.428026][ T8429]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.433947][ T8429] RIP: 0033:0x43db29
[ 70.437839][ T8429] Code: Unable to access opcode bytes at RIP 0x43daff.
[ 70.444684][ T8429] RSP: 002b:00007fff072b9b98 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 70.453111][ T8429] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043db29
[ 70.461209][ T8429] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 70.470501][ T8429] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 70.478648][ T8429] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 70.486729][ T8429] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 70.495315][ T8429] Kernel Offset: disabled
[ 70.499666][ T8429] Rebooting in 86400 seconds..