[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.
[ OK ] Started OpenBSD Secure Shell server.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.6' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 69.097467][ T8377] ==================================================================
[ 69.106040][ T8377] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 69.113953][ T8377] Read of size 8 at addr ffff888024ff4968 by task syz-executor618/8377
[ 69.122256][ T8377]
[ 69.124592][ T8377] CPU: 1 PID: 8377 Comm: syz-executor618 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[ 69.134555][ T8377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.144721][ T8377] Call Trace:
[ 69.148005][ T8377]  dump_stack+0x107/0x163
[ 69.152358][ T8377]  ? find_uprobe+0x12c/0x150
[ 69.156954][ T8377]  ? find_uprobe+0x12c/0x150
[ 69.161533][ T8377]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 69.168561][ T8377]  ? find_uprobe+0x12c/0x150
[ 69.173143][ T8377]  ? find_uprobe+0x12c/0x150
[ 69.177899][ T8377]  kasan_report.cold+0x7c/0xd8
[ 69.182664][ T8377]  ? find_uprobe+0x12c/0x150
[ 69.187260][ T8377]  find_uprobe+0x12c/0x150
[ 69.193183][ T8377]  uprobe_unregister+0x1e/0x70
[ 69.197939][ T8377]  __probe_event_disable+0x11e/0x240
[ 69.203231][ T8377]  probe_event_disable+0x155/0x1c0
[ 69.208350][ T8377]  trace_uprobe_register+0x45a/0x880
[ 69.213653][ T8377]  ? trace_uprobe_register+0x3ef/0x880
[ 69.219116][ T8377]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 69.224665][ T8377]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 69.230551][ T8377]  perf_uprobe_destroy+0xbb/0x130
[ 69.235582][ T8377]  ? perf_uprobe_init+0x210/0x210
[ 69.240595][ T8377]  _free_event+0x2ee/0x1380
[ 69.245108][ T8377]  perf_event_release_kernel+0xa24/0xe00
[ 69.250749][ T8377]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 69.256035][ T8377]  ? __perf_event_exit_context+0x170/0x170
[ 69.261861][ T8377]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.268373][ T8377]  perf_release+0x33/0x40
[ 69.272706][ T8377]  __fput+0x283/0x920
[ 69.276703][ T8377]  ? perf_event_release_kernel+0xe00/0xe00
[ 69.282521][ T8377]  task_work_run+0xdd/0x190
[ 69.287022][ T8377]  do_exit+0xc5c/0x2ae0
[ 69.291180][ T8377]  ? mm_update_next_owner+0x7a0/0x7a0
[ 69.296550][ T8377]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.302875][ T8377]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.309127][ T8377]  do_group_exit+0x125/0x310
[ 69.313730][ T8377]  __x64_sys_exit_group+0x3a/0x50
[ 69.318754][ T8377]  do_syscall_64+0x2d/0x70
[ 69.323185][ T8377]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.329081][ T8377] RIP: 0033:0x43daf9
[ 69.332963][ T8377] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 69.340452][ T8377] RSP: 002b:00007ffe10cfd028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.348857][ T8377] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 69.356853][ T8377] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 69.364858][ T8377] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 69.372922][ T8377] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 69.381016][ T8377] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 69.389431][ T8377]
[ 69.391744][ T8377] Allocated by task 8377:
[ 69.396052][ T8377]  kasan_save_stack+0x1b/0x40
[ 69.400726][ T8377]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[ 69.407922][ T8377]  __uprobe_register+0x19c/0x850
[ 69.413489][ T8377]  probe_event_enable+0x357/0xa00
[ 69.418515][ T8377]  trace_uprobe_register+0x443/0x880
[ 69.423805][ T8377]  perf_trace_event_init+0x549/0xa20
[ 69.429261][ T8377]  perf_uprobe_init+0x16f/0x210
[ 69.434114][ T8377]  perf_uprobe_event_init+0xff/0x1c0
[ 69.439404][ T8377]  perf_try_init_event+0x12a/0x560
[ 69.444504][ T8377]  perf_event_alloc.part.0+0xe3b/0x3960
[ 69.450163][ T8377]  __do_sys_perf_event_open+0x647/0x2e60
[ 69.455825][ T8377]  do_syscall_64+0x2d/0x70
[ 69.460257][ T8377]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.466226][ T8377]
[ 69.468557][ T8377] Freed by task 8377:
[ 69.472521][ T8377]  kasan_save_stack+0x1b/0x40
[ 69.477188][ T8377]  kasan_set_track+0x1c/0x30
[ 69.481769][ T8377]  kasan_set_free_info+0x20/0x30
[ 69.486700][ T8377]  ____kasan_slab_free.part.0+0xe1/0x110
[ 69.492337][ T8377]  slab_free_freelist_hook+0x82/0x1d0
[ 69.497707][ T8377]  kfree+0xe5/0x7b0
[ 69.501507][ T8377]  put_uprobe+0x13b/0x190
[ 69.505833][ T8377]  uprobe_apply+0xfc/0x130
[ 69.510338][ T8377]  trace_uprobe_register+0x5c9/0x880
[ 69.515646][ T8377]  perf_trace_event_init+0x17a/0xa20
[ 69.520943][ T8377]  perf_uprobe_init+0x16f/0x210
[ 69.525786][ T8377]  perf_uprobe_event_init+0xff/0x1c0
[ 69.531062][ T8377]  perf_try_init_event+0x12a/0x560
[ 69.536157][ T8377]  perf_event_alloc.part.0+0xe3b/0x3960
[ 69.541732][ T8377]  __do_sys_perf_event_open+0x647/0x2e60
[ 69.547383][ T8377]  do_syscall_64+0x2d/0x70
[ 69.551794][ T8377]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.557789][ T8377]
[ 69.560115][ T8377] The buggy address belongs to the object at ffff888024ff4800
[ 69.560115][ T8377]  which belongs to the cache kmalloc-512 of size 512
[ 69.574357][ T8377] The buggy address is located 360 bytes inside of
[ 69.574357][ T8377]  512-byte region [ffff888024ff4800, ffff888024ff4a00)
[ 69.587843][ T8377] The buggy address belongs to the page:
[ 69.593851][ T8377] page:00000000feb700c4 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24ff4
[ 69.604167][ T8377] head:00000000feb700c4 order:1 compound_mapcount:0
[ 69.610757][ T8377] flags: 0xfff00000010200(slab|head)
[ 69.616060][ T8377] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[ 69.625117][ T8377] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[ 69.633705][ T8377] page dumped because: kasan: bad access detected
[ 69.640125][ T8377]
[ 69.642454][ T8377] Memory state around the buggy address:
[ 69.648079][ T8377]  ffff888024ff4800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.656147][ T8377]  ffff888024ff4880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.664359][ T8377] >ffff888024ff4900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.672417][ T8377]                                                           ^
[ 69.680791][ T8377]  ffff888024ff4980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.688841][ T8377]  ffff888024ff4a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.697028][ T8377] ==================================================================
[ 69.705162][ T8377] Disabling lock debugging due to kernel taint
[ 69.711568][ T8377] Kernel panic - not syncing: panic_on_warn set ...
[ 69.718156][ T8377] CPU: 1 PID: 8377 Comm: syz-executor618 Tainted: G B 5.11.0-rc6-next-20210205-syzkaller #0
[ 69.733231][ T8377] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.743405][ T8377] Call Trace:
[ 69.746673][ T8377]  dump_stack+0x107/0x163
[ 69.751007][ T8377]  ? find_uprobe+0x90/0x150
[ 69.755515][ T8377]  panic+0x306/0x73d
[ 69.764269][ T8377]  ? __warn_printk+0xf3/0xf3
[ 69.768865][ T8377]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 69.775186][ T8377]  ? trace_hardirqs_on+0x38/0x1c0
[ 69.780551][ T8377]  ? trace_hardirqs_on+0x51/0x1c0
[ 69.785562][ T8377]  ? find_uprobe+0x12c/0x150
[ 69.790253][ T8377]  ? find_uprobe+0x12c/0x150
[ 69.794851][ T8377]  end_report.cold+0x5a/0x5a
[ 69.799436][ T8377]  kasan_report.cold+0x6a/0xd8
[ 69.804411][ T8377]  ? find_uprobe+0x12c/0x150
[ 69.809015][ T8377]  find_uprobe+0x12c/0x150
[ 69.813416][ T8377]  uprobe_unregister+0x1e/0x70
[ 69.818175][ T8377]  __probe_event_disable+0x11e/0x240
[ 69.823815][ T8377]  probe_event_disable+0x155/0x1c0
[ 69.828923][ T8377]  trace_uprobe_register+0x45a/0x880
[ 69.834198][ T8377]  ? trace_uprobe_register+0x3ef/0x880
[ 69.839829][ T8377]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 69.845471][ T8377]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 69.851610][ T8377]  perf_uprobe_destroy+0xbb/0x130
[ 69.856716][ T8377]  ? perf_uprobe_init+0x210/0x210
[ 69.861774][ T8377]  _free_event+0x2ee/0x1380
[ 69.866280][ T8377]  perf_event_release_kernel+0xa24/0xe00
[ 69.871898][ T8377]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 69.877180][ T8377]  ? __perf_event_exit_context+0x170/0x170
[ 69.882978][ T8377]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.889222][ T8377]  perf_release+0x33/0x40
[ 69.893535][ T8377]  __fput+0x283/0x920
[ 69.897545][ T8377]  ? perf_event_release_kernel+0xe00/0xe00
[ 69.903335][ T8377]  task_work_run+0xdd/0x190
[ 69.908408][ T8377]  do_exit+0xc5c/0x2ae0
[ 69.912749][ T8377]  ? mm_update_next_owner+0x7a0/0x7a0
[ 69.918216][ T8377]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.924454][ T8377]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.930792][ T8377]  do_group_exit+0x125/0x310
[ 69.935637][ T8377]  __x64_sys_exit_group+0x3a/0x50
[ 69.940710][ T8377]  do_syscall_64+0x2d/0x70
[ 69.945113][ T8377]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.950996][ T8377] RIP: 0033:0x43daf9
[ 69.954883][ T8377] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 69.961796][ T8377] RSP: 002b:00007ffe10cfd028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.970719][ T8377] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 69.979208][ T8377] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 69.987777][ T8377] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 69.995834][ T8377] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 70.003831][ T8377] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 70.012528][ T8377] Kernel Offset: disabled
[ 70.017012][ T8377] Rebooting in 86400 seconds..