Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.80' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   70.174810][ T8397] ==================================================================
[   70.183026][ T8397] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   70.189970][ T8397] Read of size 8 at addr ffff8880230e6168 by task syz-executor660/8397
[   70.198212][ T8397] 
[   70.200520][ T8397] CPU: 1 PID: 8397 Comm: syz-executor660 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[   70.210493][ T8397] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.220542][ T8397] Call Trace:
[   70.223810][ T8397]  dump_stack+0x107/0x163
[   70.228145][ T8397]  ? find_uprobe+0x12c/0x150
[   70.232727][ T8397]  ? find_uprobe+0x12c/0x150
[   70.237303][ T8397]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   70.244333][ T8397]  ? find_uprobe+0x12c/0x150
[   70.248912][ T8397]  ? find_uprobe+0x12c/0x150
[   70.253503][ T8397]  kasan_report.cold+0x7c/0xd8
[   70.258256][ T8397]  ? find_uprobe+0x12c/0x150
[   70.262834][ T8397]  find_uprobe+0x12c/0x150
[   70.267236][ T8397]  uprobe_unregister+0x1e/0x70
[   70.271987][ T8397]  __probe_event_disable+0x11e/0x240
[   70.277262][ T8397]  probe_event_disable+0x155/0x1c0
[   70.282463][ T8397]  trace_uprobe_register+0x45a/0x880
[   70.287754][ T8397]  ? trace_uprobe_register+0x3ef/0x880
[   70.293224][ T8397]  ? rcu_read_lock_sched_held+0x3a/0x70
[   70.299973][ T8397]  perf_trace_event_unreg.isra.0+0xac/0x250
[   70.305854][ T8397]  perf_uprobe_destroy+0xbb/0x130
[   70.310862][ T8397]  ? perf_uprobe_init+0x210/0x210
[   70.315887][ T8397]  _free_event+0x2ee/0x1380
[   70.320378][ T8397]  perf_event_release_kernel+0xa24/0xe00
[   70.325996][ T8397]  ? fsnotify_first_mark+0x1f0/0x1f0
[   70.331270][ T8397]  ? __perf_event_exit_context+0x170/0x170
[   70.337067][ T8397]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   70.343296][ T8397]  perf_release+0x33/0x40
[   70.347609][ T8397]  __fput+0x283/0x920
[   70.351601][ T8397]  ? perf_event_release_kernel+0xe00/0xe00
[   70.357401][ T8397]  task_work_run+0xdd/0x190
[   70.361895][ T8397]  do_exit+0xc5c/0x2ae0
[   70.366043][ T8397]  ? mm_update_next_owner+0x7a0/0x7a0
[   70.371400][ T8397]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   70.377628][ T8397]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   70.383887][ T8397]  do_group_exit+0x125/0x310
[   70.388468][ T8397]  __x64_sys_exit_group+0x3a/0x50
[   70.393487][ T8397]  do_syscall_64+0x2d/0x70
[   70.397909][ T8397]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.403789][ T8397] RIP: 0033:0x43daf9
[   70.407713][ T8397] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   70.414550][ T8397] RSP: 002b:00007fff4e8375d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   70.422948][ T8397] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   70.430903][ T8397] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   70.438872][ T8397] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   70.446842][ T8397] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   70.454796][ T8397] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   70.462764][ T8397] 
[   70.465072][ T8397] Allocated by task 8397:
[   70.469378][ T8397]  kasan_save_stack+0x1b/0x40
[   70.474057][ T8397]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[   70.479851][ T8397]  __uprobe_register+0x19c/0x850
[   70.484788][ T8397]  probe_event_enable+0x357/0xa00
[   70.489804][ T8397]  trace_uprobe_register+0x443/0x880
[   70.495081][ T8397]  perf_trace_event_init+0x549/0xa20
[   70.500354][ T8397]  perf_uprobe_init+0x16f/0x210
[   70.505193][ T8397]  perf_uprobe_event_init+0xff/0x1c0
[   70.510465][ T8397]  perf_try_init_event+0x12a/0x560
[   70.515569][ T8397]  perf_event_alloc.part.0+0xe3b/0x3960
[   70.521100][ T8397]  __do_sys_perf_event_open+0x647/0x2e60
[   70.526717][ T8397]  do_syscall_64+0x2d/0x70
[   70.531119][ T8397]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.536997][ T8397] 
[   70.539303][ T8397] Freed by task 8397:
[   70.543267][ T8397]  kasan_save_stack+0x1b/0x40
[   70.547928][ T8397]  kasan_set_track+0x1c/0x30
[   70.552502][ T8397]  kasan_set_free_info+0x20/0x30
[   70.557423][ T8397]  ____kasan_slab_free.part.0+0xe1/0x110
[   70.563036][ T8397]  slab_free_freelist_hook+0x82/0x1d0
[   70.568410][ T8397]  kfree+0xe5/0x7b0
[   70.572222][ T8397]  put_uprobe+0x13b/0x190
[   70.576534][ T8397]  uprobe_apply+0xfc/0x130
[   70.580954][ T8397]  trace_uprobe_register+0x5c9/0x880
[   70.586226][ T8397]  perf_trace_event_init+0x17a/0xa20
[   70.591494][ T8397]  perf_uprobe_init+0x16f/0x210
[   70.596331][ T8397]  perf_uprobe_event_init+0xff/0x1c0
[   70.601597][ T8397]  perf_try_init_event+0x12a/0x560
[   70.606690][ T8397]  perf_event_alloc.part.0+0xe3b/0x3960
[   70.612237][ T8397]  __do_sys_perf_event_open+0x647/0x2e60
[   70.617857][ T8397]  do_syscall_64+0x2d/0x70
[   70.622258][ T8397]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   70.628136][ T8397] 
[   70.630441][ T8397] The buggy address belongs to the object at ffff8880230e6000
[   70.630441][ T8397]  which belongs to the cache kmalloc-512 of size 512
[   70.644487][ T8397] The buggy address is located 360 bytes inside of
[   70.644487][ T8397]  512-byte region [ffff8880230e6000, ffff8880230e6200)
[   70.657770][ T8397] The buggy address belongs to the page:
[   70.663384][ T8397] page:00000000d2be3b84 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x230e6
[   70.673519][ T8397] head:00000000d2be3b84 order:1 compound_mapcount:0
[   70.680098][ T8397] flags: 0xfff00000010200(slab|head)
[   70.685436][ T8397] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[   70.694013][ T8397] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   70.702581][ T8397] page dumped because: kasan: bad access detected
[   70.708975][ T8397] 
[   70.711282][ T8397] Memory state around the buggy address:
[   70.716891][ T8397]  ffff8880230e6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.724996][ T8397]  ffff8880230e6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.733063][ T8397] >ffff8880230e6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.741119][ T8397]                                                          ^
[   70.748557][ T8397]  ffff8880230e6180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   70.756614][ T8397]  ffff8880230e6200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   70.764655][ T8397] ==================================================================
[   70.772698][ T8397] Disabling lock debugging due to kernel taint
[   70.779114][ T8397] Kernel panic - not syncing: panic_on_warn set ...
[   70.785713][ T8397] CPU: 1 PID: 8397 Comm: syz-executor660 Tainted: G    B             5.11.0-rc6-next-20210205-syzkaller #0
[   70.797088][ T8397] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   70.807164][ T8397] Call Trace:
[   70.810425][ T8397]  dump_stack+0x107/0x163
[   70.814739][ T8397]  ? find_uprobe+0x90/0x150
[   70.819224][ T8397]  panic+0x306/0x73d
[   70.823121][ T8397]  ? __warn_printk+0xf3/0xf3
[   70.827691][ T8397]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   70.833829][ T8397]  ? trace_hardirqs_on+0x38/0x1c0
[   70.838835][ T8397]  ? trace_hardirqs_on+0x51/0x1c0
[   70.843855][ T8397]  ? find_uprobe+0x12c/0x150
[   70.848425][ T8397]  ? find_uprobe+0x12c/0x150
[   70.852996][ T8397]  end_report.cold+0x5a/0x5a
[   70.857572][ T8397]  kasan_report.cold+0x6a/0xd8
[   70.862331][ T8397]  ? find_uprobe+0x12c/0x150
[   70.866902][ T8397]  find_uprobe+0x12c/0x150
[   70.871300][ T8397]  uprobe_unregister+0x1e/0x70
[   70.876048][ T8397]  __probe_event_disable+0x11e/0x240
[   70.881315][ T8397]  probe_event_disable+0x155/0x1c0
[   70.886413][ T8397]  trace_uprobe_register+0x45a/0x880
[   70.891681][ T8397]  ? trace_uprobe_register+0x3ef/0x880
[   70.897135][ T8397]  ? rcu_read_lock_sched_held+0x3a/0x70
[   70.902663][ T8397]  perf_trace_event_unreg.isra.0+0xac/0x250
[   70.908537][ T8397]  perf_uprobe_destroy+0xbb/0x130
[   70.913541][ T8397]  ? perf_uprobe_init+0x210/0x210
[   70.918545][ T8397]  _free_event+0x2ee/0x1380
[   70.923029][ T8397]  perf_event_release_kernel+0xa24/0xe00
[   70.928640][ T8397]  ? fsnotify_first_mark+0x1f0/0x1f0
[   70.933907][ T8397]  ? __perf_event_exit_context+0x170/0x170
[   70.939693][ T8397]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   70.945916][ T8397]  perf_release+0x33/0x40
[   70.950225][ T8397]  __fput+0x283/0x920
[   70.954187][ T8397]  ? perf_event_release_kernel+0xe00/0xe00
[   70.959973][ T8397]  task_work_run+0xdd/0x190
[   70.964457][ T8397]  do_exit+0xc5c/0x2ae0
[   70.968595][ T8397]  ? mm_update_next_owner+0x7a0/0x7a0
[   70.973949][ T8397]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   70.980170][ T8397]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   70.986396][ T8397]  do_group_exit+0x125/0x310
[   70.990965][ T8397]  __x64_sys_exit_group+0x3a/0x50
[   70.995987][ T8397]  do_syscall_64+0x2d/0x70
[   71.000391][ T8397]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   71.006282][ T8397] RIP: 0033:0x43daf9
[   71.010154][ T8397] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   71.016973][ T8397] RSP: 002b:00007fff4e8375d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   71.025361][ T8397] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   71.033314][ T8397] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   71.041263][ T8397] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   71.049211][ T8397] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   71.057160][ T8397] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   71.065742][ T8397] Kernel Offset: disabled
[   71.070067][ T8397] Rebooting in 86400 seconds..