INIT: Entering runlevel: 2 [info] Using makefile-style concurrent boot in runlevel 2. [....] Starting enhanced syslogd: rsyslogd[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting periodic command scheduler: cron[?25l[?1c7[ ok 8[?25h[?0c. [....] Starting OpenBSD Secure Shell server: sshd[?25l[?1c7[ ok 8[?25h[?0c. Debian GNU/Linux 7 syzkaller ttyS0 Warning: Permanently added '10.128.0.44' (ECDSA) to the list of known hosts. executing program syzkaller login: [ 29.579271] IPVS: ftp: loaded support on port[0] = 21 [ 29.629894] ================================================================== [ 29.637334] BUG: KASAN: use-after-free in uprobe_perf_close+0x3e0/0x570 [ 29.644062] Read of size 4 at addr ffff8801d96ec44c by task syzkaller137233/4515 [ 29.651564] [ 29.653170] CPU: 0 PID: 4515 Comm: syzkaller137233 Not tainted 4.16.0+ #286 [ 29.660241] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 29.669567] Call Trace: [ 29.672131] dump_stack+0x1a7/0x27d [ 29.675732] ? arch_local_irq_restore+0x53/0x53 [ 29.680372] ? show_regs_print_info+0x18/0x18 [ 29.684843] ? kasan_check_write+0x14/0x20 [ 29.689053] ? uprobe_perf_close+0x3e0/0x570 [ 29.693437] print_address_description+0x73/0x250 [ 29.698255] ? uprobe_perf_close+0x3e0/0x570 [ 29.702644] kasan_report+0x23c/0x360 [ 29.706421] __asan_report_load4_noabort+0x14/0x20 [ 29.711321] uprobe_perf_close+0x3e0/0x570 [ 29.715529] ? trace_hardirqs_off+0x10/0x10 [ 29.719822] ? probes_open+0x180/0x180 [ 29.723686] ? mutex_lock_io_nested+0x16c0/0x16c0 [ 29.728600] ? trace_hardirqs_off+0x10/0x10 [ 29.732905] trace_uprobe_register+0x4cb/0xc00 [ 29.737459] ? probe_event_enable+0xd70/0xd70 [ 29.741932] ? kasan_check_read+0x11/0x20 [ 29.746051] ? rcu_is_watching+0x85/0x130 [ 29.750171] ? rcu_pm_notify+0xc0/0xc0 [ 29.754816] ? perf_event_attach_bpf_prog+0x410/0x410 [ 29.759983] ? perf_uprobe_init+0x220/0x220 [ 29.764280] perf_uprobe_destroy+0x9b/0x130 [ 29.768574] ? perf_uprobe_init+0x220/0x220 [ 29.772869] _free_event+0x3d7/0x11f0 [ 29.776641] ? kasan_check_write+0x14/0x20 [ 29.780850] ? ring_buffer_attach+0x840/0x840 [ 29.785318] ? wait_for_completion+0x770/0x770 [ 29.789872] ? perf_event_release_kernel+0x2c2/0xfe0 [ 29.794949] ? lock_downgrade+0x980/0x980 [ 29.799068] ? lock_release+0xa40/0xa40 [ 29.803021] ? lock_release+0xa40/0xa40 [ 29.806972] ? mark_held_locks+0xaf/0x100 [ 29.811092] ? _raw_spin_unlock_irq+0x27/0x70 [ 29.815562] put_event+0x35/0x40 [ 29.818901] perf_event_release_kernel+0x6e8/0xfe0 [ 29.823806] ? lock_release+0xa40/0xa40 [ 29.827755] ? put_event+0x40/0x40 [ 29.831269] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 29.835829] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 29.840909] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.845898] ? trace_hardirqs_on+0xd/0x10 [ 29.850028] ? debug_object_active_state+0x3a5/0x580 [ 29.855107] ? debug_object_activate+0x404/0x730 [ 29.859840] ? kasan_check_read+0x11/0x20 [ 29.863961] ? rcu_is_watching+0x85/0x130 [ 29.868082] ? rcu_report_exp_cpu_mult+0x480/0x480 [ 29.872984] ? __call_rcu.constprop.69+0x3b7/0xca0 [ 29.877889] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 29.882879] ? trace_hardirqs_on+0xd/0x10 [ 29.887001] ? locks_remove_file+0x3fa/0x5a0 [ 29.891391] ? fcntl_setlk+0x1140/0x1140 [ 29.895433] ? fsnotify+0x7b3/0x1140 [ 29.899136] ? lock_downgrade+0x980/0x980 [ 29.903259] ? perf_event_release_kernel+0xfe0/0xfe0 [ 29.908333] perf_release+0x37/0x50 [ 29.911934] __fput+0x327/0x7f0 [ 29.915196] ? fput+0x150/0x150 [ 29.918450] ? check_same_owner+0x320/0x320 [ 29.922749] ____fput+0x15/0x20 [ 29.926002] task_work_run+0x1ab/0x280 [ 29.929870] ? task_work_cancel+0x240/0x240 [ 29.934169] ? free_nsproxy+0x18b/0x1f0 [ 29.938118] ? switch_task_namespaces+0xaf/0xc0 [ 29.942774] do_exit+0xa75/0x2700 [ 29.946206] ? mm_update_next_owner+0x960/0x960 [ 29.950846] ? trace_hardirqs_off+0x10/0x10 [ 29.955147] ? find_held_lock+0x35/0x1d0 [ 29.959188] ? try_to_wake_up+0xfc/0x1300 [ 29.963308] ? lock_downgrade+0x980/0x980 [ 29.967427] ? lock_release+0xa40/0xa40 [ 29.971372] ? kasan_check_read+0x11/0x20 [ 29.975493] ? do_raw_spin_unlock+0x9e/0x310 [ 29.979872] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 29.984427] ? kasan_check_write+0x14/0x20 [ 29.988632] ? do_raw_spin_lock+0xc1/0x230 [ 29.992839] ? trace_hardirqs_off+0xd/0x10 [ 29.997052] ? _raw_spin_unlock_irqrestore+0xa6/0xc0 [ 30.002129] ? try_to_wake_up+0xfc/0x1300 [ 30.006249] ? find_held_lock+0x35/0x1d0 [ 30.010286] ? trace_hardirqs_off+0x10/0x10 [ 30.014583] ? lock_downgrade+0x980/0x980 [ 30.018707] ? find_held_lock+0x35/0x1d0 [ 30.022742] ? do_group_exit+0x318/0x400 [ 30.026775] ? lock_downgrade+0x980/0x980 [ 30.030894] ? kick_process+0xd3/0x110 [ 30.034758] ? kasan_check_read+0x11/0x20 [ 30.038878] ? do_raw_spin_unlock+0x9e/0x310 [ 30.043262] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 30.047819] ? force_sig+0x30/0x30 [ 30.051332] ? _raw_spin_unlock_irq+0x27/0x70 [ 30.055800] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.060789] do_group_exit+0x149/0x400 [ 30.064651] ? compat_SyS_get_robust_list+0x300/0x300 [ 30.069812] ? SyS_exit+0x30/0x30 [ 30.073241] ? do_fast_syscall_32+0x156/0xf9f [ 30.077707] ? do_group_exit+0x400/0x400 [ 30.081740] SyS_exit_group+0x1d/0x20 [ 30.085527] do_fast_syscall_32+0x3ec/0xf9f [ 30.089822] ? do_int80_syscall_32+0x9c0/0x9c0 [ 30.094377] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.099105] ? do_syscall_64+0x940/0x940 [ 30.103138] ? syscall_return_slowpath+0x2ac/0x550 [ 30.108044] ? prepare_exit_to_usermode+0x350/0x350 [ 30.113038] ? sysret32_from_system_call+0x5/0x3c [ 30.117858] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.122677] entry_SYSENTER_compat+0x70/0x7f [ 30.127059] RIP: 0023:0xf7f08c99 [ 30.130398] RSP: 002b:00000000ff807c7c EFLAGS: 00000282 ORIG_RAX: 00000000000000fc [ 30.138078] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000000000 [ 30.145319] RDX: 000000008574d900 RSI: 0000000000000004 RDI: 0000000000000001 [ 30.152559] RBP: 00000000080c7269 R08: 0000000000000000 R09: 0000000000000000 [ 30.159801] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 30.167043] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 30.174295] [ 30.175898] Allocated by task 4515: [ 30.179499] save_stack+0x43/0xd0 [ 30.182925] kasan_kmalloc+0xad/0xe0 [ 30.186611] kasan_slab_alloc+0x12/0x20 [ 30.190554] kmem_cache_alloc_node+0x144/0x760 [ 30.195108] copy_process.part.38+0x1ab9/0x6140 [ 30.199745] _do_fork+0x1f7/0xfa0 [ 30.203170] SyS_clone+0x37/0x50 [ 30.206510] compat_SyS_x86_clone+0x35/0x40 [ 30.210802] do_int80_syscall_32+0x2ad/0x9c0 [ 30.215184] entry_INT80_compat+0x6e/0x78 [ 30.219298] [ 30.220897] Freed by task 0: [ 30.223891] save_stack+0x43/0xd0 [ 30.227314] __kasan_slab_free+0x11a/0x170 [ 30.231519] kasan_slab_free+0xe/0x10 [ 30.235289] kmem_cache_free+0x83/0x2a0 [ 30.239236] free_task+0x155/0x1b0 [ 30.242746] __put_task_struct+0x24b/0x3e0 [ 30.246955] delayed_put_task_struct+0xd8/0x3e0 [ 30.251596] rcu_process_callbacks+0xd6c/0x17b0 [ 30.256236] __do_softirq+0x2d7/0xb85 [ 30.260004] [ 30.261611] The buggy address belongs to the object at ffff8801d96ec400 [ 30.261611] which belongs to the cache task_struct of size 6016 [ 30.274336] The buggy address is located 76 bytes inside of [ 30.274336] 6016-byte region [ffff8801d96ec400, ffff8801d96edb80) [ 30.286178] The buggy address belongs to the page: [ 30.291079] page:ffffea000765bb00 count:1 mapcount:0 mapping:ffff8801d96ec400 index:0x0 compound_mapcount: 0 [ 30.301022] flags: 0x2fffc0000008100(slab|head) [ 30.305665] raw: 02fffc0000008100 ffff8801d96ec400 0000000000000000 0000000100000001 [ 30.313527] raw: ffffea0006ad1e20 ffffea0006aedda0 ffff8801dad46200 0000000000000000 [ 30.321376] page dumped because: kasan: bad access detected [ 30.327055] [ 30.328653] Memory state around the buggy address: [ 30.333552] ffff8801d96ec300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.340882] ffff8801d96ec380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 30.348214] >ffff8801d96ec400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.355543] ^ [ 30.361224] ffff8801d96ec480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.368554] ffff8801d96ec500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 30.375885] ================================================================== [ 30.383214] Disabling lock debugging due to kernel taint [ 30.388727] Kernel panic - not syncing: panic_on_warn set ... [ 30.388727] [ 30.396084] CPU: 0 PID: 4515 Comm: syzkaller137233 Tainted: G B 4.16.0+ #286 [ 30.404466] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 30.413791] Call Trace: [ 30.416353] dump_stack+0x1a7/0x27d [ 30.419956] ? arch_local_irq_restore+0x53/0x53 [ 30.424596] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.429325] ? vsnprintf+0x1ed/0x1900 [ 30.433101] ? uprobe_perf_close+0x3c0/0x570 [ 30.437484] panic+0x1f8/0x42c [ 30.440646] ? refcount_error_report+0x214/0x214 [ 30.445374] ? do_raw_spin_unlock+0x9e/0x310 [ 30.449751] ? do_raw_spin_unlock+0x9e/0x310 [ 30.454133] ? uprobe_perf_close+0x3e0/0x570 [ 30.458511] kasan_end_report+0x50/0x50 [ 30.462455] kasan_report+0x149/0x360 [ 30.466226] __asan_report_load4_noabort+0x14/0x20 [ 30.471131] uprobe_perf_close+0x3e0/0x570 [ 30.475349] ? trace_hardirqs_off+0x10/0x10 [ 30.479641] ? probes_open+0x180/0x180 [ 30.483498] ? mutex_lock_io_nested+0x16c0/0x16c0 [ 30.488309] ? trace_hardirqs_off+0x10/0x10 [ 30.492603] trace_uprobe_register+0x4cb/0xc00 [ 30.497166] ? probe_event_enable+0xd70/0xd70 [ 30.501631] ? kasan_check_read+0x11/0x20 [ 30.505753] ? rcu_is_watching+0x85/0x130 [ 30.509873] ? rcu_pm_notify+0xc0/0xc0 [ 30.513733] ? perf_event_attach_bpf_prog+0x410/0x410 [ 30.518897] ? perf_uprobe_init+0x220/0x220 [ 30.523188] perf_uprobe_destroy+0x9b/0x130 [ 30.527478] ? perf_uprobe_init+0x220/0x220 [ 30.531770] _free_event+0x3d7/0x11f0 [ 30.535543] ? kasan_check_write+0x14/0x20 [ 30.539749] ? ring_buffer_attach+0x840/0x840 [ 30.544215] ? wait_for_completion+0x770/0x770 [ 30.548767] ? perf_event_release_kernel+0x2c2/0xfe0 [ 30.553856] ? lock_downgrade+0x980/0x980 [ 30.557974] ? lock_release+0xa40/0xa40 [ 30.561919] ? lock_release+0xa40/0xa40 [ 30.565864] ? mark_held_locks+0xaf/0x100 [ 30.569982] ? _raw_spin_unlock_irq+0x27/0x70 [ 30.574458] put_event+0x35/0x40 [ 30.577793] perf_event_release_kernel+0x6e8/0xfe0 [ 30.582699] ? lock_release+0xa40/0xa40 [ 30.586643] ? put_event+0x40/0x40 [ 30.590154] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 30.594707] ? _raw_spin_unlock_irqrestore+0x31/0xc0 [ 30.599783] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.604770] ? trace_hardirqs_on+0xd/0x10 [ 30.608907] ? debug_object_active_state+0x3a5/0x580 [ 30.613988] ? debug_object_activate+0x404/0x730 [ 30.618725] ? kasan_check_read+0x11/0x20 [ 30.622853] ? rcu_is_watching+0x85/0x130 [ 30.626972] ? rcu_report_exp_cpu_mult+0x480/0x480 [ 30.631877] ? __call_rcu.constprop.69+0x3b7/0xca0 [ 30.636778] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.641765] ? trace_hardirqs_on+0xd/0x10 [ 30.645883] ? locks_remove_file+0x3fa/0x5a0 [ 30.650260] ? fcntl_setlk+0x1140/0x1140 [ 30.654292] ? fsnotify+0x7b3/0x1140 [ 30.657984] ? lock_downgrade+0x980/0x980 [ 30.662124] ? perf_event_release_kernel+0xfe0/0xfe0 [ 30.667198] perf_release+0x37/0x50 [ 30.670803] __fput+0x327/0x7f0 [ 30.674061] ? fput+0x150/0x150 [ 30.677312] ? check_same_owner+0x320/0x320 [ 30.681607] ____fput+0x15/0x20 [ 30.684857] task_work_run+0x1ab/0x280 [ 30.688714] ? task_work_cancel+0x240/0x240 [ 30.693022] ? free_nsproxy+0x18b/0x1f0 [ 30.696969] ? switch_task_namespaces+0xaf/0xc0 [ 30.701611] do_exit+0xa75/0x2700 [ 30.705040] ? mm_update_next_owner+0x960/0x960 [ 30.709689] ? trace_hardirqs_off+0x10/0x10 [ 30.713986] ? find_held_lock+0x35/0x1d0 [ 30.718027] ? try_to_wake_up+0xfc/0x1300 [ 30.722150] ? lock_downgrade+0x980/0x980 [ 30.726273] ? lock_release+0xa40/0xa40 [ 30.730223] ? kasan_check_read+0x11/0x20 [ 30.734343] ? do_raw_spin_unlock+0x9e/0x310 [ 30.738722] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 30.743276] ? kasan_check_write+0x14/0x20 [ 30.747482] ? do_raw_spin_lock+0xc1/0x230 [ 30.751690] ? trace_hardirqs_off+0xd/0x10 [ 30.755911] ? _raw_spin_unlock_irqrestore+0xa6/0xc0 [ 30.760985] ? try_to_wake_up+0xfc/0x1300 [ 30.765106] ? find_held_lock+0x35/0x1d0 [ 30.769139] ? trace_hardirqs_off+0x10/0x10 [ 30.773433] ? lock_downgrade+0x980/0x980 [ 30.777989] ? find_held_lock+0x35/0x1d0 [ 30.782032] ? do_group_exit+0x318/0x400 [ 30.786067] ? lock_downgrade+0x980/0x980 [ 30.790186] ? kick_process+0xd3/0x110 [ 30.794047] ? kasan_check_read+0x11/0x20 [ 30.798165] ? do_raw_spin_unlock+0x9e/0x310 [ 30.802546] ? do_raw_spin_trylock+0x1a0/0x1a0 [ 30.807101] ? force_sig+0x30/0x30 [ 30.810612] ? _raw_spin_unlock_irq+0x27/0x70 [ 30.815079] ? trace_hardirqs_on_caller+0x421/0x5c0 [ 30.820070] do_group_exit+0x149/0x400 [ 30.823930] ? compat_SyS_get_robust_list+0x300/0x300 [ 30.829093] ? SyS_exit+0x30/0x30 [ 30.832518] ? do_fast_syscall_32+0x156/0xf9f [ 30.836983] ? do_group_exit+0x400/0x400 [ 30.841021] SyS_exit_group+0x1d/0x20 [ 30.844794] do_fast_syscall_32+0x3ec/0xf9f [ 30.849103] ? do_int80_syscall_32+0x9c0/0x9c0 [ 30.853653] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 30.858380] ? do_syscall_64+0x940/0x940 [ 30.862411] ? syscall_return_slowpath+0x2ac/0x550 [ 30.867311] ? prepare_exit_to_usermode+0x350/0x350 [ 30.872299] ? sysret32_from_system_call+0x5/0x3c [ 30.877116] ? trace_hardirqs_off_thunk+0x1a/0x1c [ 30.881929] entry_SYSENTER_compat+0x70/0x7f [ 30.886308] RIP: 0023:0xf7f08c99 [ 30.889643] RSP: 002b:00000000ff807c7c EFLAGS: 00000282 ORIG_RAX: 00000000000000fc [ 30.897321] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000000000 [ 30.904564] RDX: 000000008574d900 RSI: 0000000000000004 RDI: 0000000000000001 [ 30.911803] RBP: 00000000080c7269 R08: 0000000000000000 R09: 0000000000000000 [ 30.919045] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 [ 30.926285] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 30.933971] Dumping ftrace buffer: [ 30.937482] (ftrace buffer empty) [ 30.941162] Kernel Offset: disabled [ 30.944761] Rebooting in 86400 seconds..