Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.82' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 67.530864][ T8411] ==================================================================
[ 67.539222][ T8411] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 67.546174][ T8411] Read of size 8 at addr ffff888017f05d68 by task syz-executor109/8411
[ 67.554396][ T8411]
[ 67.556706][ T8411] CPU: 1 PID: 8411 Comm: syz-executor109 Not tainted 5.11.0-rc6-next-20210204-syzkaller #0
[ 67.566837][ T8411] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 67.576875][ T8411] Call Trace:
[ 67.580142][ T8411] dump_stack+0x107/0x163
[ 67.584485][ T8411] ? find_uprobe+0x12c/0x150
[ 67.589064][ T8411] ? find_uprobe+0x12c/0x150
[ 67.593665][ T8411] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 67.600691][ T8411] ? find_uprobe+0x12c/0x150
[ 67.605269][ T8411] ? find_uprobe+0x12c/0x150
[ 67.609843][ T8411] kasan_report.cold+0x7c/0xd8
[ 67.614591][ T8411] ? find_uprobe+0x12c/0x150
[ 67.619165][ T8411] find_uprobe+0x12c/0x150
[ 67.623573][ T8411] uprobe_unregister+0x1e/0x70
[ 67.628350][ T8411] __probe_event_disable+0x11e/0x240
[ 67.633670][ T8411] probe_event_disable+0x155/0x1c0
[ 67.638771][ T8411] trace_uprobe_register+0x45a/0x880
[ 67.644056][ T8411] ? trace_uprobe_register+0x3ef/0x880
[ 67.649513][ T8411] ? rcu_read_lock_sched_held+0x3a/0x70
[ 67.655047][ T8411] perf_trace_event_unreg.isra.0+0xac/0x250
[ 67.660931][ T8411] perf_uprobe_destroy+0xbb/0x130
[ 67.665943][ T8411] ? perf_uprobe_init+0x210/0x210
[ 67.671043][ T8411] _free_event+0x2ee/0x1380
[ 67.675552][ T8411] perf_event_release_kernel+0xa24/0xe00
[ 67.681187][ T8411] ? fsnotify_first_mark+0x1f0/0x1f0
[ 67.686476][ T8411] ? __perf_event_exit_context+0x170/0x170
[ 67.692369][ T8411] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 67.698600][ T8411] perf_release+0x33/0x40
[ 67.702958][ T8411] __fput+0x283/0x920
[ 67.706938][ T8411] ? perf_event_release_kernel+0xe00/0xe00
[ 67.712736][ T8411] task_work_run+0xdd/0x190
[ 67.717231][ T8411] do_exit+0xc5c/0x2ae0
[ 67.721412][ T8411] ? mm_update_next_owner+0x7a0/0x7a0
[ 67.726825][ T8411] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 67.733086][ T8411] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 67.739322][ T8411] do_group_exit+0x125/0x310
[ 67.743912][ T8411] __x64_sys_exit_group+0x3a/0x50
[ 67.748935][ T8411] do_syscall_64+0x2d/0x70
[ 67.753343][ T8411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.759224][ T8411] RIP: 0033:0x43daf9
[ 67.763114][ T8411] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 67.769950][ T8411] RSP: 002b:00007ffd1d03f8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 67.778436][ T8411] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 67.786396][ T8411] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 67.794350][ T8411] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 67.802304][ T8411] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 67.810261][ T8411] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 67.818252][ T8411]
[ 67.820576][ T8411] Allocated by task 8411:
[ 67.824884][ T8411] kasan_save_stack+0x1b/0x40
[ 67.829563][ T8411] ____kasan_kmalloc.constprop.0+0xa0/0xd0
[ 67.835362][ T8411] __uprobe_register+0x19c/0x850
[ 67.840300][ T8411] probe_event_enable+0x357/0xa00
[ 67.845322][ T8411] trace_uprobe_register+0x443/0x880
[ 67.850601][ T8411] perf_trace_event_init+0x549/0xa20
[ 67.855870][ T8411] perf_uprobe_init+0x16f/0x210
[ 67.860703][ T8411] perf_uprobe_event_init+0xff/0x1c0
[ 67.865973][ T8411] perf_try_init_event+0x12a/0x560
[ 67.871081][ T8411] perf_event_alloc.part.0+0xe3b/0x3960
[ 67.876624][ T8411] __do_sys_perf_event_open+0x647/0x2e60
[ 67.882242][ T8411] do_syscall_64+0x2d/0x70
[ 67.886644][ T8411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.892534][ T8411]
[ 67.894850][ T8411] Freed by task 8411:
[ 67.898820][ T8411] kasan_save_stack+0x1b/0x40
[ 67.903493][ T8411] kasan_set_track+0x1c/0x30
[ 67.908066][ T8411] kasan_set_free_info+0x20/0x30
[ 67.912987][ T8411] ____kasan_slab_free.part.0+0xe1/0x110
[ 67.918602][ T8411] slab_free_freelist_hook+0x82/0x1d0
[ 67.923973][ T8411] kfree+0xe5/0x7b0
[ 67.927765][ T8411] put_uprobe+0x13b/0x190
[ 67.932091][ T8411] uprobe_apply+0xfc/0x130
[ 67.936505][ T8411] trace_uprobe_register+0x5c9/0x880
[ 67.941776][ T8411] perf_trace_event_init+0x17a/0xa20
[ 67.947069][ T8411] perf_uprobe_init+0x16f/0x210
[ 67.951903][ T8411] perf_uprobe_event_init+0xff/0x1c0
[ 67.957179][ T8411] perf_try_init_event+0x12a/0x560
[ 67.962290][ T8411] perf_event_alloc.part.0+0xe3b/0x3960
[ 67.967820][ T8411] __do_sys_perf_event_open+0x647/0x2e60
[ 67.973450][ T8411] do_syscall_64+0x2d/0x70
[ 67.977853][ T8411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 67.983735][ T8411]
[ 67.986043][ T8411] The buggy address belongs to the object at ffff888017f05c00
[ 67.986043][ T8411]  which belongs to the cache kmalloc-512 of size 512
[ 68.000076][ T8411] The buggy address is located 360 bytes inside of
[ 68.000076][ T8411]  512-byte region [ffff888017f05c00, ffff888017f05e00)
[ 68.013343][ T8411] The buggy address belongs to the page:
[ 68.018968][ T8411] page:00000000b82340ef refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17f04
[ 68.029113][ T8411] head:00000000b82340ef order:1 compound_mapcount:0
[ 68.035694][ T8411] flags: 0xfff00000010200(slab|head)
[ 68.040969][ T8411] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[ 68.049537][ T8411] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 68.058097][ T8411] page dumped because: kasan: bad access detected
[ 68.064496][ T8411]
[ 68.066804][ T8411] Memory state around the buggy address:
[ 68.072417][ T8411]  ffff888017f05c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.080472][ T8411]  ffff888017f05c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.088515][ T8411] >ffff888017f05d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.096566][ T8411]                                                           ^
[ 68.104014][ T8411]  ffff888017f05d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.112058][ T8411]  ffff888017f05e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.120100][ T8411] ==================================================================
[ 68.128149][ T8411] Disabling lock debugging due to kernel taint
[ 68.134434][ T8411] Kernel panic - not syncing: panic_on_warn set ...
[ 68.141031][ T8411] CPU: 1 PID: 8411 Comm: syz-executor109 Tainted: G B 5.11.0-rc6-next-20210204-syzkaller #0
[ 68.152404][ T8411] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.162464][ T8411] Call Trace:
[ 68.165746][ T8411] dump_stack+0x107/0x163
[ 68.170093][ T8411] ? find_uprobe+0x100/0x150
[ 68.174681][ T8411] panic+0x306/0x73d
[ 68.178563][ T8411] ? __warn_printk+0xf3/0xf3
[ 68.183147][ T8411] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 68.189296][ T8411] ? trace_hardirqs_on+0x38/0x1c0
[ 68.194318][ T8411] ? trace_hardirqs_on+0x51/0x1c0
[ 68.199326][ T8411] ? find_uprobe+0x12c/0x150
[ 68.203911][ T8411] ? find_uprobe+0x12c/0x150
[ 68.208485][ T8411] end_report.cold+0x5a/0x5a
[ 68.213058][ T8411] kasan_report.cold+0x6a/0xd8
[ 68.217804][ T8411] ? find_uprobe+0x12c/0x150
[ 68.222375][ T8411] find_uprobe+0x12c/0x150
[ 68.226775][ T8411] uprobe_unregister+0x1e/0x70
[ 68.231586][ T8411] __probe_event_disable+0x11e/0x240
[ 68.236859][ T8411] probe_event_disable+0x155/0x1c0
[ 68.241966][ T8411] trace_uprobe_register+0x45a/0x880
[ 68.247234][ T8411] ? trace_uprobe_register+0x3ef/0x880
[ 68.252675][ T8411] ? rcu_read_lock_sched_held+0x3a/0x70
[ 68.258201][ T8411] perf_trace_event_unreg.isra.0+0xac/0x250
[ 68.264095][ T8411] perf_uprobe_destroy+0xbb/0x130
[ 68.269110][ T8411] ? perf_uprobe_init+0x210/0x210
[ 68.274127][ T8411] _free_event+0x2ee/0x1380
[ 68.278646][ T8411] perf_event_release_kernel+0xa24/0xe00
[ 68.284265][ T8411] ? fsnotify_first_mark+0x1f0/0x1f0
[ 68.289548][ T8411] ? __perf_event_exit_context+0x170/0x170
[ 68.295344][ T8411] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 68.301584][ T8411] perf_release+0x33/0x40
[ 68.305909][ T8411] __fput+0x283/0x920
[ 68.309885][ T8411] ? perf_event_release_kernel+0xe00/0xe00
[ 68.315673][ T8411] task_work_run+0xdd/0x190
[ 68.320172][ T8411] do_exit+0xc5c/0x2ae0
[ 68.324320][ T8411] ? mm_update_next_owner+0x7a0/0x7a0
[ 68.329687][ T8411] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 68.335911][ T8411] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.342139][ T8411] do_group_exit+0x125/0x310
[ 68.346713][ T8411] __x64_sys_exit_group+0x3a/0x50
[ 68.351740][ T8411] do_syscall_64+0x2d/0x70
[ 68.356151][ T8411] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.362030][ T8411] RIP: 0033:0x43daf9
[ 68.365902][ T8411] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 68.372721][ T8411] RSP: 002b:00007ffd1d03f8e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 68.381154][ T8411] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 68.389105][ T8411] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 68.397055][ T8411] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 68.405016][ T8411] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 68.413587][ T8411] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 68.422015][ T8411] Kernel Offset: disabled
[ 68.426331][ T8411] Rebooting in 86400 seconds..