[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
       Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.10.45' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 73.287507][ T8372] ==================================================================
[ 73.295829][ T8372] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 73.302771][ T8372] Read of size 8 at addr ffff8880208c8d68 by task syz-executor694/8372
[ 73.310990][ T8372]
[ 73.313300][ T8372] CPU: 1 PID: 8372 Comm: syz-executor694 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[ 73.323254][ T8372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.336799][ T8372] Call Trace:
[ 73.340105][ T8372]  dump_stack+0x107/0x163
[ 73.344434][ T8372]  ? find_uprobe+0x12c/0x150
[ 73.349025][ T8372]  ? find_uprobe+0x12c/0x150
[ 73.353600][ T8372]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 73.360619][ T8372]  ? find_uprobe+0x12c/0x150
[ 73.365193][ T8372]  ? find_uprobe+0x12c/0x150
[ 73.369766][ T8372]  kasan_report.cold+0x7c/0xd8
[ 73.374531][ T8372]  ? find_uprobe+0x12c/0x150
[ 73.379108][ T8372]  find_uprobe+0x12c/0x150
[ 73.383512][ T8372]  uprobe_unregister+0x1e/0x70
[ 73.388262][ T8372]  __probe_event_disable+0x11e/0x240
[ 73.393537][ T8372]  probe_event_disable+0x155/0x1c0
[ 73.398646][ T8372]  trace_uprobe_register+0x45a/0x880
[ 73.403919][ T8372]  ? trace_uprobe_register+0x3ef/0x880
[ 73.409364][ T8372]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 73.414897][ T8372]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 73.420784][ T8372]  perf_uprobe_destroy+0xbb/0x130
[ 73.425810][ T8372]  ? perf_uprobe_init+0x210/0x210
[ 73.430820][ T8372]  _free_event+0x2ee/0x1380
[ 73.435312][ T8372]  perf_event_release_kernel+0xa24/0xe00
[ 73.440947][ T8372]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 73.446234][ T8372]  ? __perf_event_exit_context+0x170/0x170
[ 73.452051][ T8372]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 73.458280][ T8372]  perf_release+0x33/0x40
[ 73.462594][ T8372]  __fput+0x283/0x920
[ 73.466567][ T8372]  ? perf_event_release_kernel+0xe00/0xe00
[ 73.472372][ T8372]  task_work_run+0xdd/0x190
[ 73.476880][ T8372]  do_exit+0xc5c/0x2ae0
[ 73.481026][ T8372]  ? mm_update_next_owner+0x7a0/0x7a0
[ 73.486382][ T8372]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 73.492609][ T8372]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.498842][ T8372]  do_group_exit+0x125/0x310
[ 73.503420][ T8372]  __x64_sys_exit_group+0x3a/0x50
[ 73.508443][ T8372]  do_syscall_64+0x2d/0x70
[ 73.512858][ T8372]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.518739][ T8372] RIP: 0033:0x43db09
[ 73.522623][ T8372] Code: Unable to access opcode bytes at RIP 0x43dadf.
[ 73.529445][ T8372] RSP: 002b:00007fff07e37728 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 73.537841][ T8372] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043db09
[ 73.545797][ T8372] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 73.553751][ T8372] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 73.561704][ T8372] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 73.569656][ T8372] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 73.577636][ T8372]
[ 73.579957][ T8372] Allocated by task 8372:
[ 73.584262][ T8372]  kasan_save_stack+0x1b/0x40
[ 73.588927][ T8372]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[ 73.594713][ T8372]  __uprobe_register+0x19c/0x850
[ 73.599649][ T8372]  probe_event_enable+0x441/0xa00
[ 73.604669][ T8372]  trace_uprobe_register+0x443/0x880
[ 73.609972][ T8372]  perf_trace_event_init+0x549/0xa20
[ 73.615255][ T8372]  perf_uprobe_init+0x16f/0x210
[ 73.620088][ T8372]  perf_uprobe_event_init+0xff/0x1c0
[ 73.625354][ T8372]  perf_try_init_event+0x12a/0x560
[ 73.630447][ T8372]  perf_event_alloc.part.0+0xe3b/0x3960
[ 73.635977][ T8372]  __do_sys_perf_event_open+0x647/0x2e60
[ 73.641597][ T8372]  do_syscall_64+0x2d/0x70
[ 73.645996][ T8372]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.651887][ T8372]
[ 73.654191][ T8372] Freed by task 8372:
[ 73.658147][ T8372]  kasan_save_stack+0x1b/0x40
[ 73.662824][ T8372]  kasan_set_track+0x1c/0x30
[ 73.667397][ T8372]  kasan_set_free_info+0x20/0x30
[ 73.672316][ T8372]  ____kasan_slab_free.part.0+0xe1/0x110
[ 73.677932][ T8372]  slab_free_freelist_hook+0x82/0x1d0
[ 73.683287][ T8372]  kfree+0xe5/0x7b0
[ 73.687095][ T8372]  put_uprobe+0x13b/0x190
[ 73.691406][ T8372]  uprobe_apply+0xfc/0x130
[ 73.695808][ T8372]  trace_uprobe_register+0x5c9/0x880
[ 73.701075][ T8372]  perf_trace_event_init+0x17a/0xa20
[ 73.706356][ T8372]  perf_uprobe_init+0x16f/0x210
[ 73.711193][ T8372]  perf_uprobe_event_init+0xff/0x1c0
[ 73.716458][ T8372]  perf_try_init_event+0x12a/0x560
[ 73.721558][ T8372]  perf_event_alloc.part.0+0xe3b/0x3960
[ 73.727096][ T8372]  __do_sys_perf_event_open+0x647/0x2e60
[ 73.732707][ T8372]  do_syscall_64+0x2d/0x70
[ 73.737119][ T8372]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.743014][ T8372]
[ 73.745319][ T8372] The buggy address belongs to the object at ffff8880208c8c00
[ 73.745319][ T8372]  which belongs to the cache kmalloc-512 of size 512
[ 73.759354][ T8372] The buggy address is located 360 bytes inside of
[ 73.759354][ T8372]  512-byte region [ffff8880208c8c00, ffff8880208c8e00)
[ 73.772615][ T8372] The buggy address belongs to the page:
[ 73.778228][ T8372] page:0000000015ee0178 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x208c8
[ 73.788362][ T8372] head:0000000015ee0178 order:1 compound_mapcount:0
[ 73.794946][ T8372] flags: 0xfff00000010200(slab|head)
[ 73.800223][ T8372] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[ 73.808789][ T8372] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 73.817352][ T8372] page dumped because: kasan: bad access detected
[ 73.823744][ T8372]
[ 73.826063][ T8372] Memory state around the buggy address:
[ 73.831796][ T8372]  ffff8880208c8c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.839887][ T8372]  ffff8880208c8c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.848064][ T8372] >ffff8880208c8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.856122][ T8372]                                                           ^
[ 73.863562][ T8372]  ffff8880208c8d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 73.871611][ T8372]  ffff8880208c8e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 73.879653][ T8372] ==================================================================
[ 73.887691][ T8372] Disabling lock debugging due to kernel taint
[ 73.893972][ T8372] Kernel panic - not syncing: panic_on_warn set ...
[ 73.900565][ T8372] CPU: 1 PID: 8372 Comm: syz-executor694 Tainted: G B 5.11.0-rc6-next-20210205-syzkaller #0
[ 73.911945][ T8372] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.922002][ T8372] Call Trace:
[ 73.925265][ T8372]  dump_stack+0x107/0x163
[ 73.929591][ T8372]  ? find_uprobe+0x90/0x150
[ 73.934076][ T8372]  panic+0x306/0x73d
[ 73.937968][ T8372]  ? __warn_printk+0xf3/0xf3
[ 73.942633][ T8372]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 73.948777][ T8372]  ? trace_hardirqs_on+0x38/0x1c0
[ 73.953782][ T8372]  ? trace_hardirqs_on+0x51/0x1c0
[ 73.958786][ T8372]  ? find_uprobe+0x12c/0x150
[ 73.963354][ T8372]  ? find_uprobe+0x12c/0x150
[ 73.967924][ T8372]  end_report.cold+0x5a/0x5a
[ 73.972496][ T8372]  kasan_report.cold+0x6a/0xd8
[ 73.977241][ T8372]  ? find_uprobe+0x12c/0x150
[ 73.981831][ T8372]  find_uprobe+0x12c/0x150
[ 73.986232][ T8372]  uprobe_unregister+0x1e/0x70
[ 73.990981][ T8372]  __probe_event_disable+0x11e/0x240
[ 73.996251][ T8372]  probe_event_disable+0x155/0x1c0
[ 74.001344][ T8372]  trace_uprobe_register+0x45a/0x880
[ 74.006611][ T8372]  ? trace_uprobe_register+0x3ef/0x880
[ 74.012048][ T8372]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 74.017588][ T8372]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 74.023472][ T8372]  perf_uprobe_destroy+0xbb/0x130
[ 74.028583][ T8372]  ? perf_uprobe_init+0x210/0x210
[ 74.033605][ T8372]  _free_event+0x2ee/0x1380
[ 74.038092][ T8372]  perf_event_release_kernel+0xa24/0xe00
[ 74.043703][ T8372]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 74.048982][ T8372]  ? __perf_event_exit_context+0x170/0x170
[ 74.054767][ T8372]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 74.061079][ T8372]  perf_release+0x33/0x40
[ 74.065397][ T8372]  __fput+0x283/0x920
[ 74.069457][ T8372]  ? perf_event_release_kernel+0xe00/0xe00
[ 74.075244][ T8372]  task_work_run+0xdd/0x190
[ 74.079746][ T8372]  do_exit+0xc5c/0x2ae0
[ 74.083885][ T8372]  ? mm_update_next_owner+0x7a0/0x7a0
[ 74.089250][ T8372]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 74.095470][ T8372]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.101709][ T8372]  do_group_exit+0x125/0x310
[ 74.106281][ T8372]  __x64_sys_exit_group+0x3a/0x50
[ 74.111298][ T8372]  do_syscall_64+0x2d/0x70
[ 74.115691][ T8372]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.121564][ T8372] RIP: 0033:0x43db09
[ 74.125439][ T8372] Code: Unable to access opcode bytes at RIP 0x43dadf.
[ 74.132271][ T8372] RSP: 002b:00007fff07e37728 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 74.140665][ T8372] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043db09
[ 74.148626][ T8372] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 74.156582][ T8372] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 74.164545][ T8372] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 74.172503][ T8372] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 74.181206][ T8372] Kernel Offset: disabled
[ 74.185516][ T8372] Rebooting in 86400 seconds..
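Added example, not part of the syzkaller report above and not kernel code: a Python triage script that parses a generic-KASAN report of the shape printed above and pulls out what decides how the bug should be read. It reports the first subsystem frame on the access, allocation and free stacks (here find_uprobe, __uprobe_register and put_uprobe), whether one task allocated, freed and then used the object (it did: task 8372 on all three, so this is a lifecycle bug on one code path rather than a race), the offset of the faulting address inside the kmalloc-512 object (360 bytes, matching the "located 360 bytes inside" line), and the meaning of the shadow byte under the access. SAMPLE_REPORT is an excerpt copied from the report above with most frames trimmed; the NOISE prefix list, the shadow-value table (generic KASAN, mm/kasan/kasan.h) and the 128-byte alignment of shadow rows are assumptions about the reporter's format that the log itself does not state.

```python
import re
from dataclasses import dataclass, field

# Added example, not part of the syzkaller report and not kernel code. The
# excerpt below is copied from the report above (frames trimmed); the "? "
# frame is kept so that the filtering of unreliable frames is visible.
SAMPLE_REPORT = """\
[ 73.295829][ T8372] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 73.302771][ T8372] Read of size 8 at addr ffff8880208c8d68 by task syz-executor694/8372
[ 73.336799][ T8372] Call Trace:
[ 73.344434][ T8372]  ? find_uprobe+0x12c/0x150
[ 73.369766][ T8372]  kasan_report.cold+0x7c/0xd8
[ 73.379108][ T8372]  find_uprobe+0x12c/0x150
[ 73.420784][ T8372]  perf_uprobe_destroy+0xbb/0x130
[ 73.577636][ T8372]
[ 73.579957][ T8372] Allocated by task 8372:
[ 73.584262][ T8372]  kasan_save_stack+0x1b/0x40
[ 73.594713][ T8372]  __uprobe_register+0x19c/0x850
[ 73.654191][ T8372] Freed by task 8372:
[ 73.658147][ T8372]  kasan_save_stack+0x1b/0x40
[ 73.683287][ T8372]  kfree+0xe5/0x7b0
[ 73.687095][ T8372]  put_uprobe+0x13b/0x190
[ 73.745319][ T8372] The buggy address belongs to the object at ffff8880208c8c00
[ 73.745319][ T8372]  which belongs to the cache kmalloc-512 of size 512
[ 73.848064][ T8372] >ffff8880208c8d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]")
BUG = re.compile(r"^BUG: KASAN: (\S+) in ")
ACCESS = re.compile(r"^(?:Read|Write) of size \d+ at addr ([0-9a-f]+) by task \S+/(\d+)")
SECTION = re.compile(r"^(Call Trace|Allocated|Freed)(?: by task (\d+))?:$")
OBJECT = re.compile(r"^The buggy address belongs to the object at ([0-9a-f]+)")
CACHE = re.compile(r"^which belongs to the cache (\S+) of size (\d+)")
SHADOW = re.compile(r"^>?([0-9a-f]{16}): ((?:[0-9a-f]{2}\s?){16})$")
FRAME = re.compile(r"^(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")

@dataclass
class KasanReport:
    bug: str = ""
    addr: int = 0
    pid: int = 0                   # task that performed the bad access
    object_base: int = 0
    object_size: int = 0
    cache: str = ""
    stacks: dict = field(default_factory=dict)     # section name -> reliable frames
    track_pid: dict = field(default_factory=dict)  # "Allocated"/"Freed" -> task id
    shadow: dict = field(default_factory=dict)     # 128-byte row base -> 16 bytes

def parse_kasan_report(text):
    r, stack = KasanReport(), None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if not line:
            stack = None                            # blank line closes a stack section
        elif (m := BUG.match(line)):
            r.bug = m.group(1)
        elif (m := ACCESS.match(line)):
            r.addr, r.pid = int(m.group(1), 16), int(m.group(2))
        elif (m := SECTION.match(line)):
            stack = r.stacks[m.group(1)] = []
            if m.group(2):
                r.track_pid[m.group(1)] = int(m.group(2))
        elif (m := OBJECT.match(line)):
            r.object_base = int(m.group(1), 16)
        elif (m := CACHE.match(line)):
            r.cache, r.object_size = m.group(1), int(m.group(2))
        elif (m := SHADOW.match(line)):
            r.shadow[int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
        elif stack is not None and (m := FRAME.match(line)) and not m.group(1):
            stack.append(m.group(2))                # "? " frames are stale slots: skipped
    return r

# Reporter and allocator plumbing that sits on top of every KASAN stack (assumed list).
NOISE = ("kasan_", "____kasan", "__kasan", "kfree", "kmalloc", "__kmalloc",
         "kmem_cache", "slab_free", "dump_stack", "print_address", "end_report")

def first_owner_frame(r, section):
    """First frame of a section that belongs to the subsystem, not to KASAN/slab."""
    return next((f for f in r.stacks.get(section, []) if not f.startswith(NOISE)), None)

def shadow_byte(r, addr):
    """One shadow byte covers an 8-byte granule; the report prints 128-byte rows."""
    row = r.shadow.get(addr & ~0x7f)
    return None if row is None else row[(addr & 0x7f) // 8]

# Generic-KASAN shadow values (mm/kasan/kasan.h); 1..7 = that many valid leading bytes.
SHADOW_MEANING = {0x00: "accessible", 0xfa: "freed object, free-track granule",
                  0xfb: "freed slab object", 0xfc: "kmalloc redzone", 0xff: "freed page"}

def triage(r):
    off, sb = r.addr - r.object_base, shadow_byte(r, r.addr)
    return {
        "bug": f"{r.bug} in {first_owner_frame(r, 'Call Trace')}, offset {off} into {r.cache}",
        "allocated_in": first_owner_frame(r, "Allocated"),
        "freed_in": first_owner_frame(r, "Freed"),
        # alloc, free and use all by one task: a lifecycle bug on one path, not a race
        "single_task_lifecycle": set(r.track_pid.values()) == {r.pid},
        "shadow": "not in report" if sb is None else SHADOW_MEANING.get(
            sb, f"{sb} leading bytes valid" if 1 <= sb <= 7 else f"unknown {sb:#04x}"),
    }
```

Feed the whole console text to parse_kasan_report() for a full report; the "? " frames are dropped because the unwinder marks them as unreliable, and a report whose Allocated and Freed task ids differ from the accessing task flips single_task_lifecycle to False, which is the first hint of a race rather than an error-path reference-count mistake.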