Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.227' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   72.616885][ T8395] ==================================================================
[   72.625358][ T8395] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   72.632393][ T8395] Read of size 8 at addr ffff8880215b8168 by task syz-executor179/8395
[   72.640815][ T8395]
[   72.643126][ T8395] CPU: 1 PID: 8395 Comm: syz-executor179 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[   72.653433][ T8395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.663476][ T8395] Call Trace:
[   72.666869][ T8395]  dump_stack+0x107/0x163
[   72.671310][ T8395]  ? find_uprobe+0x12c/0x150
[   72.677742][ T8395]  ? find_uprobe+0x12c/0x150
[   72.682495][ T8395]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   72.692338][ T8395]  ? find_uprobe+0x12c/0x150
[   72.697014][ T8395]  ? find_uprobe+0x12c/0x150
[   72.701620][ T8395]  kasan_report.cold+0x7c/0xd8
[   72.706385][ T8395]  ? find_uprobe+0x12c/0x150
[   72.710987][ T8395]  find_uprobe+0x12c/0x150
[   72.715400][ T8395]  uprobe_unregister+0x1e/0x70
[   72.721203][ T8395]  __probe_event_disable+0x11e/0x240
[   72.726746][ T8395]  probe_event_disable+0x155/0x1c0
[   72.731861][ T8395]  trace_uprobe_register+0x45a/0x880
[   72.737138][ T8395]  ? trace_uprobe_register+0x3ef/0x880
[   72.742587][ T8395]  ? rcu_read_lock_sched_held+0x3a/0x70
[   72.748212][ T8395]  perf_trace_event_unreg.isra.0+0xac/0x250
[   72.754466][ T8395]  perf_uprobe_destroy+0xbb/0x130
[   72.759592][ T8395]  ? perf_uprobe_init+0x210/0x210
[   72.765582][ T8395]  _free_event+0x2ee/0x1380
[   72.770242][ T8395]  perf_event_release_kernel+0xa24/0xe00
[   72.775879][ T8395]  ? fsnotify_first_mark+0x1f0/0x1f0
[   72.781193][ T8395]  ? __perf_event_exit_context+0x170/0x170
[   72.787011][ T8395]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   72.793289][ T8395]  perf_release+0x33/0x40
[   72.797622][ T8395]  __fput+0x283/0x920
[   72.801684][ T8395]  ? perf_event_release_kernel+0xe00/0xe00
[   72.807484][ T8395]  task_work_run+0xdd/0x190
[   72.811982][ T8395]  do_exit+0xc5c/0x2ae0
[   72.816221][ T8395]  ? mm_update_next_owner+0x7a0/0x7a0
[   72.821584][ T8395]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   72.827814][ T8395]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   72.834670][ T8395]  do_group_exit+0x125/0x310
[   72.839253][ T8395]  __x64_sys_exit_group+0x3a/0x50
[   72.844440][ T8395]  do_syscall_64+0x2d/0x70
[   72.848854][ T8395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.854736][ T8395] RIP: 0033:0x43daf9
[   72.858746][ T8395] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   72.865586][ T8395] RSP: 002b:00007ffcf50e6928 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   72.874001][ T8395] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   72.881959][ T8395] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   72.889925][ T8395] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   72.897883][ T8395] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   72.905976][ T8395] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   72.913951][ T8395]
[   72.916282][ T8395] Allocated by task 8395:
[   72.920603][ T8395]  kasan_save_stack+0x1b/0x40
[   72.925464][ T8395]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[   72.931261][ T8395]  __uprobe_register+0x19c/0x850
[   72.936196][ T8395]  probe_event_enable+0x357/0xa00
[   72.941256][ T8395]  trace_uprobe_register+0x443/0x880
[   72.946543][ T8395]  perf_trace_event_init+0x549/0xa20
[   72.951813][ T8395]  perf_uprobe_init+0x16f/0x210
[   72.956648][ T8395]  perf_uprobe_event_init+0xff/0x1c0
[   72.961917][ T8395]  perf_try_init_event+0x12a/0x560
[   72.967026][ T8395]  perf_event_alloc.part.0+0xe3b/0x3960
[   72.972656][ T8395]  __do_sys_perf_event_open+0x647/0x2e60
[   72.978291][ T8395]  do_syscall_64+0x2d/0x70
[   72.982801][ T8395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.988944][ T8395]
[   72.991374][ T8395] Freed by task 8395:
[   72.995479][ T8395]  kasan_save_stack+0x1b/0x40
[   73.000230][ T8395]  kasan_set_track+0x1c/0x30
[   73.004910][ T8395]  kasan_set_free_info+0x20/0x30
[   73.009847][ T8395]  ____kasan_slab_free.part.0+0xe1/0x110
[   73.015492][ T8395]  slab_free_freelist_hook+0x82/0x1d0
[   73.020860][ T8395]  kfree+0xe5/0x7b0
[   73.025033][ T8395]  put_uprobe+0x13b/0x190
[   73.029367][ T8395]  uprobe_apply+0xfc/0x130
[   73.033802][ T8395]  trace_uprobe_register+0x5c9/0x880
[   73.039085][ T8395]  perf_trace_event_init+0x17a/0xa20
[   73.044381][ T8395]  perf_uprobe_init+0x16f/0x210
[   73.049254][ T8395]  perf_uprobe_event_init+0xff/0x1c0
[   73.054527][ T8395]  perf_try_init_event+0x12a/0x560
[   73.059623][ T8395]  perf_event_alloc.part.0+0xe3b/0x3960
[   73.065154][ T8395]  __do_sys_perf_event_open+0x647/0x2e60
[   73.070773][ T8395]  do_syscall_64+0x2d/0x70
[   73.075346][ T8395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   73.081264][ T8395]
[   73.083577][ T8395] The buggy address belongs to the object at ffff8880215b8000
[   73.083577][ T8395]  which belongs to the cache kmalloc-512 of size 512
[   73.097713][ T8395] The buggy address is located 360 bytes inside of
[   73.097713][ T8395]  512-byte region [ffff8880215b8000, ffff8880215b8200)
[   73.111239][ T8395] The buggy address belongs to the page:
[   73.116856][ T8395] page:000000006f4e943c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x215b8
[   73.127000][ T8395] head:000000006f4e943c order:1 compound_mapcount:0
[   73.133572][ T8395] flags: 0xfff00000010200(slab|head)
[   73.138942][ T8395] raw: 00fff00000010200 0000000000000000 0000000500000001 ffff888010841c80
[   73.147628][ T8395] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   73.156192][ T8395] page dumped because: kasan: bad access detected
[   73.162672][ T8395]
[   73.164996][ T8395] Memory state around the buggy address:
[   73.170625][ T8395]  ffff8880215b8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.178672][ T8395]  ffff8880215b8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.186968][ T8395] >ffff8880215b8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.195017][ T8395]                                                           ^
[   73.202457][ T8395]  ffff8880215b8180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   73.210521][ T8395]  ffff8880215b8200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   73.218564][ T8395] ==================================================================
[   73.226820][ T8395] Disabling lock debugging due to kernel taint
[   73.233522][ T8395] Kernel panic - not syncing: panic_on_warn set ...
[   73.240133][ T8395] CPU: 1 PID: 8395 Comm: syz-executor179 Tainted: G    B             5.11.0-rc6-next-20210205-syzkaller #0
[   73.251519][ T8395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   73.261576][ T8395] Call Trace:
[   73.264847][ T8395]  dump_stack+0x107/0x163
[   73.269182][ T8395]  ? find_uprobe+0x90/0x150
[   73.273865][ T8395]  panic+0x306/0x73d
[   73.279850][ T8395]  ? __warn_printk+0xf3/0xf3
[   73.284554][ T8395]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   73.290785][ T8395]  ? trace_hardirqs_on+0x38/0x1c0
[   73.296129][ T8395]  ? trace_hardirqs_on+0x51/0x1c0
[   73.301155][ T8395]  ? find_uprobe+0x12c/0x150
[   73.305779][ T8395]  ? find_uprobe+0x12c/0x150
[   73.310372][ T8395]  end_report.cold+0x5a/0x5a
[   73.315036][ T8395]  kasan_report.cold+0x6a/0xd8
[   73.320080][ T8395]  ? find_uprobe+0x12c/0x150
[   73.324656][ T8395]  find_uprobe+0x12c/0x150
[   73.329146][ T8395]  uprobe_unregister+0x1e/0x70
[   73.333907][ T8395]  __probe_event_disable+0x11e/0x240
[   73.339265][ T8395]  probe_event_disable+0x155/0x1c0
[   73.344374][ T8395]  trace_uprobe_register+0x45a/0x880
[   73.349644][ T8395]  ? trace_uprobe_register+0x3ef/0x880
[   73.355085][ T8395]  ? rcu_read_lock_sched_held+0x3a/0x70
[   73.360614][ T8395]  perf_trace_event_unreg.isra.0+0xac/0x250
[   73.366492][ T8395]  perf_uprobe_destroy+0xbb/0x130
[   73.371500][ T8395]  ? perf_uprobe_init+0x210/0x210
[   73.376523][ T8395]  _free_event+0x2ee/0x1380
[   73.381010][ T8395]  perf_event_release_kernel+0xa24/0xe00
[   73.386630][ T8395]  ? fsnotify_first_mark+0x1f0/0x1f0
[   73.391919][ T8395]  ? __perf_event_exit_context+0x170/0x170
[   73.397818][ T8395]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   73.404045][ T8395]  perf_release+0x33/0x40
[   73.408357][ T8395]  __fput+0x283/0x920
[   73.412325][ T8395]  ? perf_event_release_kernel+0xe00/0xe00
[   73.418134][ T8395]  task_work_run+0xdd/0x190
[   73.422626][ T8395]  do_exit+0xc5c/0x2ae0
[   73.426769][ T8395]  ? mm_update_next_owner+0x7a0/0x7a0
[   73.432126][ T8395]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   73.438360][ T8395]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   73.444799][ T8395]  do_group_exit+0x125/0x310
[   73.449408][ T8395]  __x64_sys_exit_group+0x3a/0x50
[   73.454551][ T8395]  do_syscall_64+0x2d/0x70
[   73.460995][ T8395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   73.466972][ T8395] RIP: 0033:0x43daf9
[   73.470848][ T8395] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   73.477671][ T8395] RSP: 002b:00007ffcf50e6928 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   73.486211][ T8395] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   73.494302][ T8395] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   73.502269][ T8395] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   73.510400][ T8395] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   73.518486][ T8395] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   73.527537][ T8395] Kernel Offset: disabled
[   73.531977][ T8395] Rebooting in 86400 seconds..