INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.23' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 40.898566] IPVS: ftp: loaded support on port[0] = 21 [ 40.952706] ================================================================== [ 40.960260] BUG: KASAN: use-after-free in uprobe_perf_close+0x3e0/0x570 [ 40.966986] Read of size 4 at addr ffff8801d955264c by task syzkaller474457/4485 [ 40.974490] [ 40.976097] CPU: 0 PID: 4485 Comm: syzkaller474457 Not tainted 4.16.0+ #376 [ 40.983177] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 40.992522] Call Trace: [ 40.995096] dump_stack+0x1a7/0x27d [ 40.998703] ? arch_local_irq_restore+0x53/0x53 [ 41.004130] ? show_regs_print_info+0x18/0x18 [ 41.008604] ? kasan_check_write+0x14/0x20 [ 41.012811] ? uprobe_perf_close+0x3e0/0x570 [ 41.017192] print_address_description+0x73/0x250 [ 41.022006] ? uprobe_perf_close+0x3e0/0x570 [ 41.026401] kasan_report+0x23c/0x360 [ 41.030263] __asan_report_load4_noabort+0x14/0x20 [ 41.035175] uprobe_perf_close+0x3e0/0x570 [ 41.039380] ? trace_hardirqs_off+0x10/0x10 [ 41.043677] ? probes_open+0x180/0x180 [ 41.047538] ? mutex_lock_io_nested+0x16c0/0x16c0 [ 41.052355] ? trace_hardirqs_off+0x10/0x10 [ 41.056663] trace_uprobe_register+0x4cb/0xc00 [ 41.061218] ? probe_event_enable+0xd70/0xd70 [ 41.065689] ? kasan_check_read+0x11/0x20 [ 41.069807] ? rcu_is_watching+0x85/0x130 [ 41.073928] ? rcu_pm_notify+0xc0/0xc0 [ 41.077792] ? perf_event_attach_bpf_prog+0x410/0x410 [ 41.082959] ? perf_uprobe_init+0x220/0x220 [ 41.087257] perf_uprobe_destroy+0x9b/0x130 [ 41.091554] ? perf_uprobe_init+0x220/0x220 [ 41.095852] _free_event+0x3d7/0x11f0 [ 41.099628] ? kasan_check_write+0x14/0x20 [ 41.103837] ? ring_buffer_attach+0x840/0x840 [ 41.108309] ? wait_for_completion+0x770/0x770 [ 41.113703] ? perf_event_release_kernel+0x2c2/0xfe0 [ 41.118782] ? lock_downgrade+0x980/0x980 [ 41.122901] ? lock_release+0xa40/0xa40 [ 41.126847] ? lock_release+0xa40/0xa40 [ 41.130798] ? mark_held_locks+0xaf/0x100 [ 41.134922] ? _raw_spin_unlock_irq+0x27/0x70 [ 41.139390] put_event+0x35/0x40 [ 41.142727] perf_event_release_kernel+0x6e8/0xfe0 [ 41.147631] ? lock_release+0xa40/0xa40 [ 41.151577] ? put_event+0x40/0x40 [ 41.155089] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 41.159643] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 41.164729] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.169727] ? trace_hardirqs_on+0xd/0x10 [ 41.173864] ? debug_object_active_state+0x3a5/0x580 [ 41.178941] ? debug_object_activate+0x404/0x730 [ 41.183677] ? kasan_check_read+0x11/0x20 [ 41.187799] ? rcu_is_watching+0x85/0x130 [ 41.191918] ? rcu_report_exp_cpu_mult+0x480/0x480 [ 41.196822] ? __call_rcu.constprop.69+0x3b7/0xca0 [ 41.201729] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.206718] ? trace_hardirqs_on+0xd/0x10 [ 41.210842] ? locks_remove_file+0x3fa/0x5a0 [ 41.215224] ? fcntl_setlk+0x1140/0x1140 [ 41.219254] ? fsnotify+0x7b3/0x1140 [ 41.222943] ? lock_downgrade+0x980/0x980 [ 41.227077] ? perf_event_release_kernel+0xfe0/0xfe0 [ 41.232149] perf_release+0x37/0x50 [ 41.235748] __fput+0x327/0x7f0 [ 41.239000] ? fput+0x150/0x150 [ 41.242253] ? check_same_owner+0x320/0x320 [ 41.246548] ____fput+0x15/0x20 [ 41.249797] task_work_run+0x1ab/0x280 [ 41.253660] ? task_work_cancel+0x240/0x240 [ 41.257953] ? free_nsproxy+0x18b/0x1f0 [ 41.261900] ? switch_task_namespaces+0xaf/0xc0 [ 41.266544] do_exit+0xa75/0x2700 [ 41.269972] ? mm_update_next_owner+0x960/0x960 [ 41.274613] ? trace_hardirqs_off+0x10/0x10 [ 41.278926] ? find_held_lock+0x35/0x1d0 [ 41.282976] ? try_to_wake_up+0xfc/0x1300 [ 41.287098] ? lock_downgrade+0x980/0x980 [ 41.291222] ? lock_release+0xa40/0xa40 [ 41.295168] ? kasan_check_read+0x11/0x20 [ 41.299286] ? do_raw_spin_unlock+0x9e/0x310 [ 41.303666] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 41.308223] ? kasan_check_write+0x14/0x20 [ 41.312439] ? do_raw_spin_lock+0xc1/0x230 [ 41.316658] ? trace_hardirqs_off+0xd/0x10 [ 41.320866] ? _raw_spin_unlock_irqrestore+0xa6/0xc0 [ 41.325942] ? try_to_wake_up+0xfc/0x1300 [ 41.330063] ? find_held_lock+0x35/0x1d0 [ 41.334098] ? trace_hardirqs_off+0x10/0x10 [ 41.338391] ? lock_downgrade+0x980/0x980 [ 41.342530] ? find_held_lock+0x35/0x1d0 [ 41.346566] ? do_group_exit+0x318/0x400 [ 41.350599] ? lock_downgrade+0x980/0x980 [ 41.354720] ? kick_process+0xd3/0x110 [ 41.358587] ? kasan_check_read+0x11/0x20 [ 41.362715] ? do_raw_spin_unlock+0x9e/0x310 [ 41.367095] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 41.371647] ? force_sig+0x30/0x30 [ 41.375160] ? _raw_spin_unlock_irq+0x27/0x70 [ 41.379637] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.384635] do_group_exit+0x149/0x400 [ 41.388494] ? do_futex+0x22a0/0x22a0 [ 41.392267] ? SyS_exit+0x30/0x30 [ 41.395691] ? SyS_read+0x220/0x220 [ 41.399293] ? do_syscall_64+0xb7/0x940 [ 41.403237] ? do_group_exit+0x400/0x400 [ 41.407268] SyS_exit_group+0x1d/0x20 [ 41.411041] do_syscall_64+0x281/0x940 [ 41.414904] ? vmalloc_sync_all+0x30/0x30 [ 41.419023] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.423751] ? syscall_return_slowpath+0x550/0x550 [ 41.428654] ? syscall_return_slowpath+0x2ac/0x550 [ 41.433555] ? prepare_exit_to_usermode+0x350/0x350 [ 41.438545] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 41.443881] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 41.448696] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 41.453857] RIP: 0033:0x445c89 [ 41.457017] RSP: 002b:00007ffd332827e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 41.464699] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445c89 [ 41.471943] RDX: 0000000000445c89 RSI: 0000000000445c89 RDI: 0000000000000001 [ 41.479186] RBP: 00000000006da018 R08: 0000000000000000 R09: 0000000000406fd0 [ 41.486430] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000406f40 [ 41.493674] R13: 0000000000406fd0 R14: 0000000000000000 R15: 0000000000000000 [ 41.500922] [ 41.502523] Allocated by task 4485: [ 41.506127] save_stack+0x43/0xd0 [ 41.509552] kasan_kmalloc+0xad/0xe0 [ 41.513238] kasan_slab_alloc+0x12/0x20 [ 41.517182] kmem_cache_alloc_node+0x144/0x760 [ 41.521738] copy_process.part.38+0x1ab9/0x6140 [ 41.526375] _do_fork+0x1f7/0xfa0 [ 41.529811] SyS_clone+0x37/0x50 [ 41.533153] do_syscall_64+0x281/0x940 [ 41.537012] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 41.542178] [ 41.543790] Freed by task 0: [ 41.546780] save_stack+0x43/0xd0 [ 41.550205] __kasan_slab_free+0x11a/0x170 [ 41.554410] kasan_slab_free+0xe/0x10 [ 41.558179] kmem_cache_free+0x83/0x2a0 [ 41.562123] free_task+0x155/0x1b0 [ 41.565635] __put_task_struct+0x24b/0x3e0 [ 41.569842] delayed_put_task_struct+0xd8/0x3e0 [ 41.574487] rcu_process_callbacks+0xd6c/0x17b0 [ 41.579135] __do_softirq+0x2d7/0xb85 [ 41.582906] [ 41.584507] The buggy address belongs to the object at ffff8801d9552600 [ 41.584507] which belongs to the cache task_struct of size 6016 [ 41.597219] The buggy address is located 76 bytes inside of [ 41.597219] 6016-byte region [ffff8801d9552600, ffff8801d9553d80) [ 41.609062] The buggy address belongs to the page: [ 41.613964] page:ffffea0007655480 count:1 mapcount:0 mapping:ffff8801d9552600 index:0x0 compound_mapcount: 0 [ 41.623914] flags: 0x2fffc0000008100(slab|head) [ 41.628556] raw: 02fffc0000008100 ffff8801d9552600 0000000000000000 0000000100000001 [ 41.636407] raw: ffffea0007636ba0 ffff8801dad0c248 ffff8801dad46200 0000000000000000 [ 41.644254] page dumped because: kasan: bad access detected [ 41.649931] [ 41.651529] Memory state around the buggy address: [ 41.656427] ffff8801d9552500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.663759] ffff8801d9552580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 41.671091] >ffff8801d9552600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.678421] ^ [ 41.684107] ffff8801d9552680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.691445] ffff8801d9552700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 41.698776] ================================================================== [ 41.706114] Disabling lock debugging due to kernel taint [ 41.711699] Kernel panic - not syncing: panic_on_warn set ... [ 41.711699] [ 41.719041] CPU: 0 PID: 4485 Comm: syzkaller474457 Tainted: G B 4.16.0+ #376 [ 41.727434] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 41.736769] Call Trace: [ 41.739329] dump_stack+0x1a7/0x27d [ 41.742929] ? arch_local_irq_restore+0x53/0x53 [ 41.747569] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 41.752303] ? vsnprintf+0x1ed/0x1900 [ 41.756074] ? uprobe_perf_close+0x3c0/0x570 [ 41.760452] panic+0x1f8/0x42c [ 41.763614] ? refcount_error_report+0x214/0x214 [ 41.768341] ? do_raw_spin_unlock+0x9e/0x310 [ 41.772719] ? do_raw_spin_unlock+0x9e/0x310 [ 41.777098] ? uprobe_perf_close+0x3e0/0x570 [ 41.781480] kasan_end_report+0x50/0x50 [ 41.785429] kasan_report+0x149/0x360 [ 41.789302] __asan_report_load4_noabort+0x14/0x20 [ 41.794203] uprobe_perf_close+0x3e0/0x570 [ 41.798411] ? trace_hardirqs_off+0x10/0x10 [ 41.802703] ? probes_open+0x180/0x180 [ 41.806565] ? mutex_lock_io_nested+0x16c0/0x16c0 [ 41.811384] ? trace_hardirqs_off+0x10/0x10 [ 41.815681] trace_uprobe_register+0x4cb/0xc00 [ 41.820237] ? probe_event_enable+0xd70/0xd70 [ 41.824706] ? kasan_check_read+0x11/0x20 [ 41.828825] ? rcu_is_watching+0x85/0x130 [ 41.832945] ? rcu_pm_notify+0xc0/0xc0 [ 41.836812] ? perf_event_attach_bpf_prog+0x410/0x410 [ 41.842003] ? perf_uprobe_init+0x220/0x220 [ 41.846294] perf_uprobe_destroy+0x9b/0x130 [ 41.850584] ? perf_uprobe_init+0x220/0x220 [ 41.854874] _free_event+0x3d7/0x11f0 [ 41.858644] ? kasan_check_write+0x14/0x20 [ 41.862846] ? ring_buffer_attach+0x840/0x840 [ 41.867311] ? wait_for_completion+0x770/0x770 [ 41.871867] ? perf_event_release_kernel+0x2c2/0xfe0 [ 41.876943] ? lock_downgrade+0x980/0x980 [ 41.881062] ? lock_release+0xa40/0xa40 [ 41.885007] ? lock_release+0xa40/0xa40 [ 41.888954] ? mark_held_locks+0xaf/0x100 [ 41.893078] ? _raw_spin_unlock_irq+0x27/0x70 [ 41.897556] put_event+0x35/0x40 [ 41.900895] perf_event_release_kernel+0x6e8/0xfe0 [ 41.905802] ? lock_release+0xa40/0xa40 [ 41.909744] ? put_event+0x40/0x40 [ 41.913254] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 41.917809] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 41.922881] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.927867] ? trace_hardirqs_on+0xd/0x10 [ 41.931985] ? debug_object_active_state+0x3a5/0x580 [ 41.937057] ? debug_object_activate+0x404/0x730 [ 41.941793] ? kasan_check_read+0x11/0x20 [ 41.945910] ? rcu_is_watching+0x85/0x130 [ 41.950025] ? rcu_report_exp_cpu_mult+0x480/0x480 [ 41.954924] ? __call_rcu.constprop.69+0x3b7/0xca0 [ 41.959820] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 41.964804] ? trace_hardirqs_on+0xd/0x10 [ 41.968923] ? locks_remove_file+0x3fa/0x5a0 [ 41.973298] ? fcntl_setlk+0x1140/0x1140 [ 41.977326] ? fsnotify+0x7b3/0x1140 [ 41.981017] ? lock_downgrade+0x980/0x980 [ 41.985134] ? perf_event_release_kernel+0xfe0/0xfe0 [ 41.990205] perf_release+0x37/0x50 [ 41.993802] __fput+0x327/0x7f0 [ 41.997054] ? fput+0x150/0x150 [ 42.000302] ? check_same_owner+0x320/0x320 [ 42.004595] ____fput+0x15/0x20 [ 42.007846] task_work_run+0x1ab/0x280 [ 42.011703] ? task_work_cancel+0x240/0x240 [ 42.015995] ? free_nsproxy+0x18b/0x1f0 [ 42.019938] ? switch_task_namespaces+0xaf/0xc0 [ 42.024582] do_exit+0xa75/0x2700 [ 42.028011] ? mm_update_next_owner+0x960/0x960 [ 42.032653] ? trace_hardirqs_off+0x10/0x10 [ 42.036948] ? find_held_lock+0x35/0x1d0 [ 42.040987] ? try_to_wake_up+0xfc/0x1300 [ 42.045108] ? lock_downgrade+0x980/0x980 [ 42.049227] ? lock_release+0xa40/0xa40 [ 42.053185] ? kasan_check_read+0x11/0x20 [ 42.057306] ? do_raw_spin_unlock+0x9e/0x310 [ 42.061686] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 42.066240] ? kasan_check_write+0x14/0x20 [ 42.070448] ? do_raw_spin_lock+0xc1/0x230 [ 42.074655] ? trace_hardirqs_off+0xd/0x10 [ 42.078864] ? _raw_spin_unlock_irqrestore+0xa6/0xc0 [ 42.083939] ? try_to_wake_up+0xfc/0x1300 [ 42.088057] ? find_held_lock+0x35/0x1d0 [ 42.092092] ? trace_hardirqs_off+0x10/0x10 [ 42.096392] ? lock_downgrade+0x980/0x980 [ 42.100517] ? find_held_lock+0x35/0x1d0 [ 42.104554] ? do_group_exit+0x318/0x400 [ 42.108584] ? lock_downgrade+0x980/0x980 [ 42.112701] ? kick_process+0xd3/0x110 [ 42.116566] ? kasan_check_read+0x11/0x20 [ 42.120683] ? do_raw_spin_unlock+0x9e/0x310 [ 42.125068] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 42.129619] ? force_sig+0x30/0x30 [ 42.133129] ? _raw_spin_unlock_irq+0x27/0x70 [ 42.137597] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 42.142596] do_group_exit+0x149/0x400 [ 42.146453] ? do_futex+0x22a0/0x22a0 [ 42.150221] ? SyS_exit+0x30/0x30 [ 42.153643] ? SyS_read+0x220/0x220 [ 42.157240] ? do_syscall_64+0xb7/0x940 [ 42.161182] ? do_group_exit+0x400/0x400 [ 42.165211] SyS_exit_group+0x1d/0x20 [ 42.168977] do_syscall_64+0x281/0x940 [ 42.172836] ? vmalloc_sync_all+0x30/0x30 [ 42.176953] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 42.181786] ? syscall_return_slowpath+0x550/0x550 [ 42.186684] ? syscall_return_slowpath+0x2ac/0x550 [ 42.191586] ? prepare_exit_to_usermode+0x350/0x350 [ 42.196573] ? entry_SYSCALL_64_after_hwframe+0x52/0xb7 [ 42.201908] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 42.206725] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 42.211886] RIP: 0033:0x445c89 [ 42.215044] RSP: 002b:00007ffd332827e8 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7 [ 42.222722] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000445c89 [ 42.229963] RDX: 0000000000445c89 RSI: 0000000000445c89 RDI: 0000000000000001 [ 42.237202] RBP: 00000000006da018 R08: 0000000000000000 R09: 0000000000406fd0 [ 42.244441] R10: 0000000000000000 R11: 0000000000000206 R12: 0000000000406f40 [ 42.251679] R13: 0000000000406fd0 R14: 0000000000000000 R15: 0000000000000000 [ 42.259303] Dumping ftrace buffer: [ 42.262813] (ftrace buffer empty) [ 42.266494] Kernel Offset: disabled [ 42.270093] Rebooting in 86400 seconds..