Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.233' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 69.169926][ T8412] ==================================================================
[ 69.178480][ T8412] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 69.185541][ T8412] Read of size 8 at addr ffff888021c26568 by task syz-executor132/8412
[ 69.193875][ T8412]
[ 69.196201][ T8412] CPU: 1 PID: 8412 Comm: syz-executor132 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[ 69.206176][ T8412] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.216345][ T8412] Call Trace:
[ 69.219635][ T8412]  dump_stack+0x107/0x163
[ 69.223983][ T8412]  ? find_uprobe+0x12c/0x150
[ 69.228577][ T8412]  ? find_uprobe+0x12c/0x150
[ 69.233166][ T8412]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 69.240196][ T8412]  ? find_uprobe+0x12c/0x150
[ 69.244784][ T8412]  ? find_uprobe+0x12c/0x150
[ 69.249378][ T8412]  kasan_report.cold+0x7c/0xd8
[ 69.254149][ T8412]  ? find_uprobe+0x12c/0x150
[ 69.258744][ T8412]  find_uprobe+0x12c/0x150
[ 69.263164][ T8412]  uprobe_unregister+0x1e/0x70
[ 69.267940][ T8412]  __probe_event_disable+0x11e/0x240
[ 69.273234][ T8412]  probe_event_disable+0x155/0x1c0
[ 69.278339][ T8412]  trace_uprobe_register+0x45a/0x880
[ 69.283789][ T8412]  ? trace_uprobe_register+0x3ef/0x880
[ 69.289249][ T8412]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 69.294886][ T8412]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 69.300788][ T8412]  perf_uprobe_destroy+0xbb/0x130
[ 69.305815][ T8412]  ? perf_uprobe_init+0x210/0x210
[ 69.310841][ T8412]  _free_event+0x2ee/0x1380
[ 69.315352][ T8412]  perf_event_release_kernel+0xa24/0xe00
[ 69.321059][ T8412]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 69.326351][ T8412]  ? __perf_event_exit_context+0x170/0x170
[ 69.332178][ T8412]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.338440][ T8412]  perf_release+0x33/0x40
[ 69.342769][ T8412]  __fput+0x283/0x920
[ 69.346743][ T8412]  ? perf_event_release_kernel+0xe00/0xe00
[ 69.352637][ T8412]  task_work_run+0xdd/0x190
[ 69.357162][ T8412]  do_exit+0xc5c/0x2ae0
[ 69.361330][ T8412]  ? mm_update_next_owner+0x7a0/0x7a0
[ 69.366806][ T8412]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.373131][ T8412]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.379384][ T8412]  do_group_exit+0x125/0x310
[ 69.383984][ T8412]  __x64_sys_exit_group+0x3a/0x50
[ 69.389136][ T8412]  do_syscall_64+0x2d/0x70
[ 69.393579][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.399468][ T8412] RIP: 0033:0x43ddc9
[ 69.403375][ T8412] Code: Unable to access opcode bytes at RIP 0x43dd9f.
[ 69.410222][ T8412] RSP: 002b:00007ffcfae66c38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.418640][ T8412] RAX: ffffffffffffffda RBX: 00000000004af2f0 RCX: 000000000043ddc9
[ 69.426872][ T8412] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 69.434848][ T8412] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
[ 69.442826][ T8412] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004af2f0
[ 69.450800][ T8412] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 69.458807][ T8412]
[ 69.461137][ T8412] Allocated by task 8412:
[ 69.465581][ T8412]  kasan_save_stack+0x1b/0x40
[ 69.470541][ T8412]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[ 69.476360][ T8412]  __uprobe_register+0x19c/0x850
[ 69.481325][ T8412]  probe_event_enable+0x441/0xa00
[ 69.486351][ T8412]  trace_uprobe_register+0x443/0x880
[ 69.491664][ T8412]  perf_trace_event_init+0x549/0xa20
[ 69.496938][ T8412]  perf_uprobe_init+0x16f/0x210
[ 69.501779][ T8412]  perf_uprobe_event_init+0xff/0x1c0
[ 69.507163][ T8412]  perf_try_init_event+0x12a/0x560
[ 69.512283][ T8412]  perf_event_alloc.part.0+0xe3b/0x3960
[ 69.517831][ T8412]  __do_sys_perf_event_open+0x647/0x2e60
[ 69.523469][ T8412]  do_syscall_64+0x2d/0x70
[ 69.527990][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.533965][ T8412]
[ 69.536293][ T8412] Freed by task 8412:
[ 69.540274][ T8412]  kasan_save_stack+0x1b/0x40
[ 69.544961][ T8412]  kasan_set_track+0x1c/0x30
[ 69.549573][ T8412]  kasan_set_free_info+0x20/0x30
[ 69.554519][ T8412]  ____kasan_slab_free.part.0+0xe1/0x110
[ 69.560157][ T8412]  slab_free_freelist_hook+0x82/0x1d0
[ 69.565779][ T8412]  kfree+0xe5/0x7b0
[ 69.569600][ T8412]  put_uprobe+0x13b/0x190
[ 69.573971][ T8412]  uprobe_apply+0xfc/0x130
[ 69.578405][ T8412]  trace_uprobe_register+0x5c9/0x880
[ 69.583727][ T8412]  perf_trace_event_init+0x17a/0xa20
[ 69.589136][ T8412]  perf_uprobe_init+0x16f/0x210
[ 69.594001][ T8412]  perf_uprobe_event_init+0xff/0x1c0
[ 69.599276][ T8412]  perf_try_init_event+0x12a/0x560
[ 69.604484][ T8412]  perf_event_alloc.part.0+0xe3b/0x3960
[ 69.610035][ T8412]  __do_sys_perf_event_open+0x647/0x2e60
[ 69.615679][ T8412]  do_syscall_64+0x2d/0x70
[ 69.620113][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.626015][ T8412]
[ 69.628331][ T8412] The buggy address belongs to the object at ffff888021c26400
[ 69.628331][ T8412]  which belongs to the cache kmalloc-512 of size 512
[ 69.642556][ T8412] The buggy address is located 360 bytes inside of
[ 69.642556][ T8412]  512-byte region [ffff888021c26400, ffff888021c26600)
[ 69.655842][ T8412] The buggy address belongs to the page:
[ 69.661477][ T8412] page:0000000027f41f45 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21c26
[ 69.671632][ T8412] head:0000000027f41f45 order:1 compound_mapcount:0
[ 69.678219][ T8412] flags: 0xfff00000010200(slab|head)
[ 69.683674][ T8412] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[ 69.693084][ T8412] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 69.701675][ T8412] page dumped because: kasan: bad access detected
[ 69.708091][ T8412]
[ 69.710490][ T8412] Memory state around the buggy address:
[ 69.716122][ T8412]  ffff888021c26400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.724172][ T8412]  ffff888021c26480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.732225][ T8412] >ffff888021c26500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.740272][ T8412]                                                           ^
[ 69.747728][ T8412]  ffff888021c26580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.755786][ T8412]  ffff888021c26600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.763829][ T8412] ==================================================================
[ 69.771871][ T8412] Disabling lock debugging due to kernel taint
[ 69.778224][ T8412] Kernel panic - not syncing: panic_on_warn set ...
[ 69.784822][ T8412] CPU: 1 PID: 8412 Comm: syz-executor132 Tainted: G    B             5.11.0-rc6-next-20210205-syzkaller #0
[ 69.796301][ T8412] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.806360][ T8412] Call Trace:
[ 69.809659][ T8412]  dump_stack+0x107/0x163
[ 69.813996][ T8412]  ? find_uprobe+0x90/0x150
[ 69.818483][ T8412]  panic+0x306/0x73d
[ 69.822364][ T8412]  ? __warn_printk+0xf3/0xf3
[ 69.826935][ T8412]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 69.833076][ T8412]  ? trace_hardirqs_on+0x38/0x1c0
[ 69.838103][ T8412]  ? trace_hardirqs_on+0x51/0x1c0
[ 69.843125][ T8412]  ? find_uprobe+0x12c/0x150
[ 69.847710][ T8412]  ? find_uprobe+0x12c/0x150
[ 69.852305][ T8412]  end_report.cold+0x5a/0x5a
[ 69.856893][ T8412]  kasan_report.cold+0x6a/0xd8
[ 69.861670][ T8412]  ? find_uprobe+0x12c/0x150
[ 69.866245][ T8412]  find_uprobe+0x12c/0x150
[ 69.870645][ T8412]  uprobe_unregister+0x1e/0x70
[ 69.875406][ T8412]  __probe_event_disable+0x11e/0x240
[ 69.880688][ T8412]  probe_event_disable+0x155/0x1c0
[ 69.885784][ T8412]  trace_uprobe_register+0x45a/0x880
[ 69.891067][ T8412]  ? trace_uprobe_register+0x3ef/0x880
[ 69.896520][ T8412]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 69.902049][ T8412]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 69.907924][ T8412]  perf_uprobe_destroy+0xbb/0x130
[ 69.912941][ T8412]  ? perf_uprobe_init+0x210/0x210
[ 69.917958][ T8412]  _free_event+0x2ee/0x1380
[ 69.922442][ T8412]  perf_event_release_kernel+0xa24/0xe00
[ 69.928060][ T8412]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 69.933340][ T8412]  ? __perf_event_exit_context+0x170/0x170
[ 69.939146][ T8412]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.945380][ T8412]  perf_release+0x33/0x40
[ 69.949708][ T8412]  __fput+0x283/0x920
[ 69.953693][ T8412]  ? perf_event_release_kernel+0xe00/0xe00
[ 69.959491][ T8412]  task_work_run+0xdd/0x190
[ 69.963980][ T8412]  do_exit+0xc5c/0x2ae0
[ 69.968137][ T8412]  ? mm_update_next_owner+0x7a0/0x7a0
[ 69.973491][ T8412]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.979719][ T8412]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.985949][ T8412]  do_group_exit+0x125/0x310
[ 69.990539][ T8412]  __x64_sys_exit_group+0x3a/0x50
[ 69.995554][ T8412]  do_syscall_64+0x2d/0x70
[ 69.999987][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 70.005868][ T8412] RIP: 0033:0x43ddc9
[ 70.009763][ T8412] Code: Unable to access opcode bytes at RIP 0x43dd9f.
[ 70.016595][ T8412] RSP: 002b:00007ffcfae66c38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 70.024986][ T8412] RAX: ffffffffffffffda RBX: 00000000004af2f0 RCX: 000000000043ddc9
[ 70.034444][ T8412] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 70.042412][ T8412] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
[ 70.050366][ T8412] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004af2f0
[ 70.058331][ T8412] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 70.066815][ T8412] Kernel Offset: disabled
[ 70.071144][ T8412] Rebooting in 86400 seconds..