[  OK  ] Started Getty on tty4.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.2' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   71.651970][ T8432] ==================================================================
[   71.660361][ T8432] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   71.667320][ T8432] Read of size 8 at addr ffff888020abe568 by task syz-executor395/8432
[   71.675720][ T8432]
[   71.678041][ T8432] CPU: 1 PID: 8432 Comm: syz-executor395 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[   71.688001][ T8432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   71.698178][ T8432] Call Trace:
[   71.701518][ T8432]  dump_stack+0x107/0x163
[   71.705986][ T8432]  ? find_uprobe+0x12c/0x150
[   71.710577][ T8432]  ? find_uprobe+0x12c/0x150
[   71.715158][ T8432]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   71.722177][ T8432]  ? find_uprobe+0x12c/0x150
[   71.726759][ T8432]  ? find_uprobe+0x12c/0x150
[   71.731344][ T8432]  kasan_report.cold+0x7c/0xd8
[   71.736102][ T8432]  ? find_uprobe+0x12c/0x150
[   71.740692][ T8432]  find_uprobe+0x12c/0x150
[   71.745102][ T8432]  uprobe_unregister+0x1e/0x70
[   71.749927][ T8432]  __probe_event_disable+0x11e/0x240
[   71.755285][ T8432]  probe_event_disable+0x155/0x1c0
[   71.760399][ T8432]  trace_uprobe_register+0x45a/0x880
[   71.765728][ T8432]  ? trace_uprobe_register+0x3ef/0x880
[   71.771177][ T8432]  ? rcu_read_lock_sched_held+0x3a/0x70
[   71.776716][ T8432]  perf_trace_event_unreg.isra.0+0xac/0x250
[   71.782668][ T8432]  perf_uprobe_destroy+0xbb/0x130
[   71.787682][ T8432]  ? perf_uprobe_init+0x210/0x210
[   71.792748][ T8432]  _free_event+0x2ee/0x1380
[   71.797247][ T8432]  perf_event_release_kernel+0xa24/0xe00
[   71.802870][ T8432]  ? fsnotify_first_mark+0x1f0/0x1f0
[   71.808152][ T8432]  ? __perf_event_exit_context+0x170/0x170
[   71.813969][ T8432]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   71.820204][ T8432]  perf_release+0x33/0x40
[   71.824526][ T8432]  __fput+0x283/0x920
[   71.828515][ T8432]  ? perf_event_release_kernel+0xe00/0xe00
[   71.834340][ T8432]  task_work_run+0xdd/0x190
[   71.838846][ T8432]  do_exit+0xc5c/0x2ae0
[   71.842998][ T8432]  ? mm_update_next_owner+0x7a0/0x7a0
[   71.848361][ T8432]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   71.854588][ T8432]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   71.860825][ T8432]  do_group_exit+0x125/0x310
[   71.865494][ T8432]  __x64_sys_exit_group+0x3a/0x50
[   71.870523][ T8432]  do_syscall_64+0x2d/0x70
[   71.874941][ T8432]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   71.880823][ T8432] RIP: 0033:0x43daf9
[   71.884701][ T8432] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   71.891525][ T8432] RSP: 002b:00007fff5409c138 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   71.899932][ T8432] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   71.907891][ T8432] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   71.915862][ T8432] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   71.923836][ T8432] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   71.931804][ T8432] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   71.939780][ T8432]
[   71.942100][ T8432] Allocated by task 8432:
[   71.946411][ T8432]  kasan_save_stack+0x1b/0x40
[   71.952218][ T8432]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[   71.958028][ T8432]  __uprobe_register+0x19c/0x850
[   71.962969][ T8432]  probe_event_enable+0x441/0xa00
[   71.967997][ T8432]  trace_uprobe_register+0x443/0x880
[   71.973276][ T8432]  perf_trace_event_init+0x549/0xa20
[   71.978553][ T8432]  perf_uprobe_init+0x16f/0x210
[   71.983403][ T8432]  perf_uprobe_event_init+0xff/0x1c0
[   71.988768][ T8432]  perf_try_init_event+0x12a/0x560
[   71.993870][ T8432]  perf_event_alloc.part.0+0xe3b/0x3960
[   71.999412][ T8432]  __do_sys_perf_event_open+0x647/0x2e60
[   72.005042][ T8432]  do_syscall_64+0x2d/0x70
[   72.009447][ T8432]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.015335][ T8432]
[   72.017644][ T8432] Freed by task 8432:
[   72.021613][ T8432]  kasan_save_stack+0x1b/0x40
[   72.026291][ T8432]  kasan_set_track+0x1c/0x30
[   72.030868][ T8432]  kasan_set_free_info+0x20/0x30
[   72.035793][ T8432]  ____kasan_slab_free.part.0+0xe1/0x110
[   72.041413][ T8432]  slab_free_freelist_hook+0x82/0x1d0
[   72.046780][ T8432]  kfree+0xe5/0x7b0
[   72.050577][ T8432]  put_uprobe+0x13b/0x190
[   72.054908][ T8432]  uprobe_apply+0xfc/0x130
[   72.059310][ T8432]  trace_uprobe_register+0x5c9/0x880
[   72.065725][ T8432]  perf_trace_event_init+0x17a/0xa20
[   72.071002][ T8432]  perf_uprobe_init+0x16f/0x210
[   72.075844][ T8432]  perf_uprobe_event_init+0xff/0x1c0
[   72.081129][ T8432]  perf_try_init_event+0x12a/0x560
[   72.086234][ T8432]  perf_event_alloc.part.0+0xe3b/0x3960
[   72.091781][ T8432]  __do_sys_perf_event_open+0x647/0x2e60
[   72.097400][ T8432]  do_syscall_64+0x2d/0x70
[   72.101804][ T8432]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.107700][ T8432]
[   72.110036][ T8432] The buggy address belongs to the object at ffff888020abe400
[   72.110036][ T8432]  which belongs to the cache kmalloc-512 of size 512
[   72.124069][ T8432] The buggy address is located 360 bytes inside of
[   72.124069][ T8432]  512-byte region [ffff888020abe400, ffff888020abe600)
[   72.137349][ T8432] The buggy address belongs to the page:
[   72.142974][ T8432] page:000000004ad39401 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20abe
[   72.153122][ T8432] head:000000004ad39401 order:1 compound_mapcount:0
[   72.159693][ T8432] flags: 0xfff00000010200(slab|head)
[   72.164969][ T8432] raw: 00fff00000010200 0000000000000000 0000000100000001 ffff888010841c80
[   72.173561][ T8432] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   72.182126][ T8432] page dumped because: kasan: bad access detected
[   72.188519][ T8432]
[   72.190825][ T8432] Memory state around the buggy address:
[   72.196442][ T8432]  ffff888020abe400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.204674][ T8432]  ffff888020abe480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.212739][ T8432] >ffff888020abe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.220810][ T8432]                                                           ^
[   72.228270][ T8432]  ffff888020abe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   72.236491][ T8432]  ffff888020abe600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   72.244536][ T8432] ==================================================================
[   72.252579][ T8432] Disabling lock debugging due to kernel taint
[   72.258891][ T8432] Kernel panic - not syncing: panic_on_warn set ...
[   72.265464][ T8432] CPU: 1 PID: 8432 Comm: syz-executor395 Tainted: G    B             5.11.0-rc6-next-20210205-syzkaller #0
[   72.277071][ T8432] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   72.287130][ T8432] Call Trace:
[   72.290414][ T8432]  dump_stack+0x107/0x163
[   72.294736][ T8432]  ? find_uprobe+0x90/0x150
[   72.299272][ T8432]  panic+0x306/0x73d
[   72.303248][ T8432]  ? __warn_printk+0xf3/0xf3
[   72.308089][ T8432]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   72.314327][ T8432]  ? trace_hardirqs_on+0x38/0x1c0
[   72.319335][ T8432]  ? trace_hardirqs_on+0x51/0x1c0
[   72.324343][ T8432]  ? find_uprobe+0x12c/0x150
[   72.328931][ T8432]  ? find_uprobe+0x12c/0x150
[   72.333506][ T8432]  end_report.cold+0x5a/0x5a
[   72.338082][ T8432]  kasan_report.cold+0x6a/0xd8
[   72.343558][ T8432]  ? find_uprobe+0x12c/0x150
[   72.348137][ T8432]  find_uprobe+0x12c/0x150
[   72.353162][ T8432]  uprobe_unregister+0x1e/0x70
[   72.357925][ T8432]  __probe_event_disable+0x11e/0x240
[   72.363243][ T8432]  probe_event_disable+0x155/0x1c0
[   72.368357][ T8432]  trace_uprobe_register+0x45a/0x880
[   72.373628][ T8432]  ? trace_uprobe_register+0x3ef/0x880
[   72.379088][ T8432]  ? rcu_read_lock_sched_held+0x3a/0x70
[   72.385245][ T8432]  perf_trace_event_unreg.isra.0+0xac/0x250
[   72.391166][ T8432]  perf_uprobe_destroy+0xbb/0x130
[   72.396203][ T8432]  ? perf_uprobe_init+0x210/0x210
[   72.401213][ T8432]  _free_event+0x2ee/0x1380
[   72.405707][ T8432]  perf_event_release_kernel+0xa24/0xe00
[   72.411347][ T8432]  ? fsnotify_first_mark+0x1f0/0x1f0
[   72.416638][ T8432]  ? __perf_event_exit_context+0x170/0x170
[   72.422440][ T8432]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   72.428668][ T8432]  perf_release+0x33/0x40
[   72.433014][ T8432]  __fput+0x283/0x920
[   72.437021][ T8432]  ? perf_event_release_kernel+0xe00/0xe00
[   72.442922][ T8432]  task_work_run+0xdd/0x190
[   72.447432][ T8432]  do_exit+0xc5c/0x2ae0
[   72.451597][ T8432]  ? mm_update_next_owner+0x7a0/0x7a0
[   72.456959][ T8432]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   72.463189][ T8432]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   72.469430][ T8432]  do_group_exit+0x125/0x310
[   72.474038][ T8432]  __x64_sys_exit_group+0x3a/0x50
[   72.479063][ T8432]  do_syscall_64+0x2d/0x70
[   72.485017][ T8432]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   72.490916][ T8432] RIP: 0033:0x43daf9
[   72.494817][ T8432] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   72.501824][ T8432] RSP: 002b:00007fff5409c138 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   72.510225][ T8432] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   72.518195][ T8432] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   72.526162][ T8432] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   72.534116][ T8432] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   72.542071][ T8432] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   72.550793][ T8432] Kernel Offset: disabled
[   72.555206][ T8432] Rebooting in 86400 seconds..