INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.28' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 27.764598] IPVS: ftp: loaded support on port[0] = 21 [ 27.819803] ================================================================== [ 27.827237] BUG: KASAN: use-after-free in uprobe_perf_close+0x3e0/0x570 [ 27.833968] Read of size 4 at addr ffff8801ac62830c by task syzkaller523193/4490 [ 27.841476] [ 27.843079] CPU: 1 PID: 4490 Comm: syzkaller523193 Not tainted 4.16.0+ #11 [ 27.850059] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 27.859384] Call Trace: [ 27.861950] dump_stack+0x1a7/0x27d [ 27.865556] ? arch_local_irq_restore+0x53/0x53 [ 27.870202] ? show_regs_print_info+0x18/0x18 [ 27.874674] ? kasan_check_write+0x14/0x20 [ 27.878884] ? uprobe_perf_close+0x3e0/0x570 [ 27.883269] print_address_description+0x73/0x250 [ 27.888091] ? uprobe_perf_close+0x3e0/0x570 [ 27.892474] kasan_report+0x23c/0x360 [ 27.896250] __asan_report_load4_noabort+0x14/0x20 [ 27.901148] uprobe_perf_close+0x3e0/0x570 [ 27.905353] ? probes_open+0x180/0x180 [ 27.909210] ? mutex_lock_io_nested+0x16c0/0x16c0 [ 27.914031] ? trace_hardirqs_off+0x10/0x10 [ 27.918326] trace_uprobe_register+0x4cb/0xc00 [ 27.922878] ? probe_event_enable+0xd70/0xd70 [ 27.927344] ? kasan_check_read+0x11/0x20 [ 27.931469] ? rcu_is_watching+0x85/0x130 [ 27.935593] ? rcu_pm_notify+0xc0/0xc0 [ 27.939451] ? perf_event_attach_bpf_prog+0x410/0x410 [ 27.944616] ? perf_uprobe_init+0x220/0x220 [ 27.948931] perf_uprobe_destroy+0x9b/0x130 [ 27.953227] ? perf_uprobe_init+0x220/0x220 [ 27.957521] _free_event+0x3d7/0x11f0 [ 27.961292] ? kasan_check_write+0x14/0x20 [ 27.965498] ? ring_buffer_attach+0x840/0x840 [ 27.969973] ? wait_for_completion+0x770/0x770 [ 27.974962] ? perf_event_release_kernel+0x2c2/0xfe0 [ 27.980039] ? lock_downgrade+0x980/0x980 [ 27.984159] ? lock_release+0xa40/0xa40 [ 27.988111] ? lock_release+0xa40/0xa40 [ 27.992064] ? mark_held_locks+0xaf/0x100 [ 27.996191] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.000661] put_event+0x35/0x40 [ 28.004000] perf_event_release_kernel+0x6e8/0xfe0 [ 28.008916] ? lock_release+0xa40/0xa40 [ 28.012869] ? put_event+0x40/0x40 [ 28.016381] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 28.020941] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 28.026022] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.031016] ? trace_hardirqs_on+0xd/0x10 [ 28.035142] ? debug_object_active_state+0x3a5/0x580 [ 28.040214] ? debug_object_activate+0x404/0x730 [ 28.044950] ? kasan_check_read+0x11/0x20 [ 28.049069] ? rcu_is_watching+0x85/0x130 [ 28.053212] ? rcu_report_exp_cpu_mult+0x480/0x480 [ 28.058115] ? __call_rcu.constprop.69+0x3b7/0xca0 [ 28.063024] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.068017] ? trace_hardirqs_on+0xd/0x10 [ 28.072145] ? locks_remove_file+0x3fa/0x5a0 [ 28.076529] ? fcntl_setlk+0x1140/0x1140 [ 28.080562] ? fsnotify+0x7b3/0x1140 [ 28.084250] ? lock_downgrade+0x980/0x980 [ 28.088369] ? perf_event_release_kernel+0xfe0/0xfe0 [ 28.093441] perf_release+0x37/0x50 [ 28.097042] __fput+0x327/0x7f0 [ 28.100294] ? fput+0x150/0x150 [ 28.103552] ? check_same_owner+0x320/0x320 [ 28.107851] ____fput+0x15/0x20 [ 28.111100] task_work_run+0x1ab/0x280 [ 28.114962] ? task_work_cancel+0x240/0x240 [ 28.119267] ? free_nsproxy+0x18b/0x1f0 [ 28.123211] ? switch_task_namespaces+0xaf/0xc0 [ 28.127853] do_exit+0xa75/0x2700 [ 28.131279] ? mm_update_next_owner+0x960/0x960 [ 28.135925] ? trace_hardirqs_off+0x10/0x10 [ 28.140225] ? find_held_lock+0x35/0x1d0 [ 28.144259] ? try_to_wake_up+0xfc/0x1300 [ 28.148377] ? lock_downgrade+0x980/0x980 [ 28.152498] ? lock_release+0xa40/0xa40 [ 28.156445] ? kasan_check_read+0x11/0x20 [ 28.160563] ? do_raw_spin_unlock+0x9e/0x310 [ 28.164949] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 28.169503] ? kasan_check_write+0x14/0x20 [ 28.173706] ? do_raw_spin_lock+0xc1/0x230 [ 28.177911] ? trace_hardirqs_off+0xd/0x10 [ 28.182118] ? _raw_spin_unlock_irqrestore+0xa6/0xc0 [ 28.187191] ? try_to_wake_up+0xfc/0x1300 [ 28.191308] ? find_held_lock+0x35/0x1d0 [ 28.195346] ? trace_hardirqs_off+0x10/0x10 [ 28.199638] ? lock_downgrade+0x980/0x980 [ 28.203763] ? find_held_lock+0x35/0x1d0 [ 28.207798] ? do_group_exit+0x318/0x400 [ 28.211830] ? lock_downgrade+0x980/0x980 [ 28.215957] ? kick_process+0xd3/0x110 [ 28.219822] ? kasan_check_read+0x11/0x20 [ 28.223940] ? do_raw_spin_unlock+0x9e/0x310 [ 28.228320] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 28.232875] ? force_sig+0x30/0x30 [ 28.236385] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.240851] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.245839] do_group_exit+0x149/0x400 [ 28.249701] ? do_futex+0x22a0/0x22a0 [ 28.253471] ? SyS_exit+0x30/0x30 [ 28.256897] ? SyS_read+0x220/0x220 [ 28.260498] ? do_syscall_64+0xb7/0x940 [ 28.264444] ? do_group_exit+0x400/0x400 [ 28.268476] SyS_exit_group+0x1d/0x20 [ 28.272246] do_syscall_64+0x281/0x940 [ 28.276104] ? vmalloc_sync_all+0x30/0x30 [ 28.280221] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.284949] ? syscall_return_slowpath+0x550/0x550 [ 28.289848] ? syscall_return_slowpath+0x2ac/0x550 [ 28.294748] ? prepare_exit_to_usermode+0x350/0x350 [ 28.299741] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 28.305084] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 28.309903] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 28.315065] RIP: 0033:0x445c89 [ 28.318226] RSP: 002b:00007ffe7c691e08 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 28.325925] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445c89 [ 28.333166] RDX: 0000000000445c89 RSI: 0000000000445c89 RDI: 0000000000000001 [ 28.340417] RBP: 00000000006da018 R08: 0000000000000000 R09: 0000000000406fd0 [ 28.347657] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000406f40 [ 28.354905] R13: 0000000000406fd0 R14: 0000000000000000 R15: 0000000000000000 [ 28.362157] [ 28.363758] Allocated by task 4490: [ 28.367362] save_stack+0x43/0xd0 [ 28.370785] kasan_kmalloc+0xad/0xe0 [ 28.374467] kasan_slab_alloc+0x12/0x20 [ 28.378414] kmem_cache_alloc_node+0x144/0x760 [ 28.382968] copy_process.part.38+0x1ab9/0x6140 [ 28.387606] _do_fork+0x1f7/0xfa0 [ 28.391032] SyS_clone+0x37/0x50 [ 28.394368] do_syscall_64+0x281/0x940 [ 28.398225] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 28.403389] [ 28.404988] Freed by task 0: [ 28.407980] save_stack+0x43/0xd0 [ 28.411403] __kasan_slab_free+0x11a/0x170 [ 28.415609] kasan_slab_free+0xe/0x10 [ 28.419381] kmem_cache_free+0x83/0x2a0 [ 28.423327] free_task+0x155/0x1b0 [ 28.426838] __put_task_struct+0x24b/0x3e0 [ 28.431042] delayed_put_task_struct+0xd8/0x3e0 [ 28.435682] rcu_process_callbacks+0xd6c/0x17b0 [ 28.440319] __do_softirq+0x2d7/0xb85 [ 28.444085] [ 28.445688] The buggy address belongs to the object at ffff8801ac6282c0 [ 28.445688] which belongs to the cache task_struct of size 6016 [ 28.458413] The buggy address is located 76 bytes inside of [ 28.458413] 6016-byte region [ffff8801ac6282c0, ffff8801ac629a40) [ 28.470257] The buggy address belongs to the page: [ 28.475161] page:ffffea0006b18a00 count:1 mapcount:0 mapping:ffff8801ac6282c0 index:0x0 compound_mapcount: 0 [ 28.485107] flags: 0x2fffc0000008100(slab|head) [ 28.489750] raw: 02fffc0000008100 ffff8801ac6282c0 0000000000000000 0000000100000001 [ 28.497603] raw: ffffea0006ae0c20 ffff8801dad0c248 ffff8801dad46200 0000000000000000 [ 28.505459] page dumped because: kasan: bad access detected [ 28.511146] [ 28.512746] Memory state around the buggy address: [ 28.517643] ffff8801ac628200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 28.524972] ffff8801ac628280: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 28.532299] >ffff8801ac628300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.539628] ^ [ 28.543222] ffff8801ac628380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.550556] ffff8801ac628400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 28.557883] ================================================================== [ 28.565209] Disabling lock debugging due to kernel taint [ 28.570737] Kernel panic - not syncing: panic_on_warn set ... [ 28.570737] [ 28.578084] CPU: 1 PID: 4490 Comm: syzkaller523193 Tainted: G B 4.16.0+ #11 [ 28.586367] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 28.595688] Call Trace: [ 28.598248] dump_stack+0x1a7/0x27d [ 28.601846] ? arch_local_irq_restore+0x53/0x53 [ 28.606487] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 28.611211] ? vsnprintf+0x1ed/0x1900 [ 28.614982] ? uprobe_perf_close+0x3c0/0x570 [ 28.619358] panic+0x1f8/0x42c [ 28.622519] ? refcount_error_report+0x214/0x214 [ 28.627243] ? do_raw_spin_unlock+0x9e/0x310 [ 28.631619] ? do_raw_spin_unlock+0x9e/0x310 [ 28.635994] ? uprobe_perf_close+0x3e0/0x570 [ 28.640376] kasan_end_report+0x50/0x50 [ 28.644324] kasan_report+0x149/0x360 [ 28.648095] __asan_report_load4_noabort+0x14/0x20 [ 28.652991] uprobe_perf_close+0x3e0/0x570 [ 28.657198] ? probes_open+0x180/0x180 [ 28.661054] ? mutex_lock_io_nested+0x16c0/0x16c0 [ 28.665867] ? trace_hardirqs_off+0x10/0x10 [ 28.670165] trace_uprobe_register+0x4cb/0xc00 [ 28.674714] ? probe_event_enable+0xd70/0xd70 [ 28.679181] ? kasan_check_read+0x11/0x20 [ 28.683299] ? rcu_is_watching+0x85/0x130 [ 28.687422] ? rcu_pm_notify+0xc0/0xc0 [ 28.691280] ? perf_event_attach_bpf_prog+0x410/0x410 [ 28.696441] ? perf_uprobe_init+0x220/0x220 [ 28.700733] perf_uprobe_destroy+0x9b/0x130 [ 28.705028] ? perf_uprobe_init+0x220/0x220 [ 28.709321] _free_event+0x3d7/0x11f0 [ 28.713090] ? kasan_check_write+0x14/0x20 [ 28.717293] ? ring_buffer_attach+0x840/0x840 [ 28.721755] ? wait_for_completion+0x770/0x770 [ 28.726306] ? perf_event_release_kernel+0x2c2/0xfe0 [ 28.731380] ? lock_downgrade+0x980/0x980 [ 28.735499] ? lock_release+0xa40/0xa40 [ 28.739444] ? lock_release+0xa40/0xa40 [ 28.743386] ? mark_held_locks+0xaf/0x100 [ 28.747507] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.751989] put_event+0x35/0x40 [ 28.755328] perf_event_release_kernel+0x6e8/0xfe0 [ 28.760227] ? lock_release+0xa40/0xa40 [ 28.764172] ? put_event+0x40/0x40 [ 28.767679] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 28.772229] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 28.777299] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.782282] ? trace_hardirqs_on+0xd/0x10 [ 28.786405] ? debug_object_active_state+0x3a5/0x580 [ 28.791475] ? debug_object_activate+0x404/0x730 [ 28.796202] ? kasan_check_read+0x11/0x20 [ 28.800318] ? rcu_is_watching+0x85/0x130 [ 28.804436] ? rcu_report_exp_cpu_mult+0x480/0x480 [ 28.809333] ? __call_rcu.constprop.69+0x3b7/0xca0 [ 28.814236] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.819222] ? trace_hardirqs_on+0xd/0x10 [ 28.823342] ? locks_remove_file+0x3fa/0x5a0 [ 28.827721] ? fcntl_setlk+0x1140/0x1140 [ 28.831751] ? fsnotify+0x7b3/0x1140 [ 28.835438] ? lock_downgrade+0x980/0x980 [ 28.839555] ? perf_event_release_kernel+0xfe0/0xfe0 [ 28.844625] perf_release+0x37/0x50 [ 28.848220] __fput+0x327/0x7f0 [ 28.851469] ? fput+0x150/0x150 [ 28.854717] ? check_same_owner+0x320/0x320 [ 28.859012] ____fput+0x15/0x20 [ 28.862263] task_work_run+0x1ab/0x280 [ 28.866120] ? task_work_cancel+0x240/0x240 [ 28.870426] ? free_nsproxy+0x18b/0x1f0 [ 28.874372] ? switch_task_namespaces+0xaf/0xc0 [ 28.879020] do_exit+0xa75/0x2700 [ 28.882452] ? mm_update_next_owner+0x960/0x960 [ 28.887090] ? trace_hardirqs_off+0x10/0x10 [ 28.891385] ? find_held_lock+0x35/0x1d0 [ 28.895417] ? try_to_wake_up+0xfc/0x1300 [ 28.899533] ? lock_downgrade+0x980/0x980 [ 28.903648] ? lock_release+0xa40/0xa40 [ 28.907593] ? kasan_check_read+0x11/0x20 [ 28.911710] ? do_raw_spin_unlock+0x9e/0x310 [ 28.916091] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 28.920641] ? kasan_check_write+0x14/0x20 [ 28.924842] ? do_raw_spin_lock+0xc1/0x230 [ 28.929051] ? trace_hardirqs_off+0xd/0x10 [ 28.933253] ? _raw_spin_unlock_irqrestore+0xa6/0xc0 [ 28.938324] ? try_to_wake_up+0xfc/0x1300 [ 28.942449] ? find_held_lock+0x35/0x1d0 [ 28.946480] ? trace_hardirqs_off+0x10/0x10 [ 28.950773] ? lock_downgrade+0x980/0x980 [ 28.955067] ? find_held_lock+0x35/0x1d0 [ 28.959098] ? do_group_exit+0x318/0x400 [ 28.963125] ? lock_downgrade+0x980/0x980 [ 28.967241] ? kick_process+0xd3/0x110 [ 28.971097] ? kasan_check_read+0x11/0x20 [ 28.975212] ? do_raw_spin_unlock+0x9e/0x310 [ 28.979589] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 28.984139] ? force_sig+0x30/0x30 [ 28.987647] ? _raw_spin_unlock_irq+0x27/0x70 [ 28.992110] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 28.997097] do_group_exit+0x149/0x400 [ 29.000955] ? do_futex+0x22a0/0x22a0 [ 29.004724] ? SyS_exit+0x30/0x30 [ 29.008145] ? SyS_read+0x220/0x220 [ 29.011741] ? do_syscall_64+0xb7/0x940 [ 29.015689] ? do_group_exit+0x400/0x400 [ 29.019719] SyS_exit_group+0x1d/0x20 [ 29.023487] do_syscall_64+0x281/0x940 [ 29.027345] ? vmalloc_sync_all+0x30/0x30 [ 29.031468] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 29.036193] ? syscall_return_slowpath+0x550/0x550 [ 29.041092] ? syscall_return_slowpath+0x2ac/0x550 [ 29.045990] ? prepare_exit_to_usermode+0x350/0x350 [ 29.050974] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 29.056304] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 29.061119] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 29.066278] RIP: 0033:0x445c89 [ 29.069436] RSP: 002b:00007ffe7c691e08 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 [ 29.077112] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445c89 [ 29.084352] RDX: 0000000000445c89 RSI: 0000000000445c89 RDI: 0000000000000001 [ 29.091591] RBP: 00000000006da018 R08: 0000000000000000 R09: 0000000000406fd0 [ 29.098836] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000406f40 [ 29.106077] R13: 0000000000406fd0 R14: 0000000000000000 R15: 0000000000000000 [ 29.113750] Dumping ftrace buffer: [ 29.117259] (ftrace buffer empty) [ 29.120939] Kernel Offset: disabled [ 29.124534] Rebooting in 86400 seconds..