[  OK  ] Started Getty on tty4.
[  OK  ] Started Getty on tty3.
[  OK  ] Started Getty on tty2.
[  OK  ] Started Getty on tty1.
[  OK  ] Started Serial Getty on ttyS0.
[  OK  ] Reached target Login Prompts.
[  OK  ] Reached target Multi-User System.
[  OK  ] Reached target Graphical Interface.
         Starting Update UTMP about System Runlevel Changes...
[  OK  ] Started Update UTMP about System Runlevel Changes.
         Starting Load/Save RF Kill Switch Status...
[  OK  ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.4' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   69.078729][ T8412] ==================================================================
[   69.087056][ T8412] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   69.094013][ T8412] Read of size 8 at addr ffff8880171f2168 by task syz-executor748/8412
[   69.102337][ T8412]
[   69.105093][ T8412] CPU: 0 PID: 8412 Comm: syz-executor748 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[   69.115167][ T8412] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.125250][ T8412] Call Trace:
[   69.128528][ T8412]  dump_stack+0x107/0x163
[   69.132888][ T8412]  ? find_uprobe+0x12c/0x150
[   69.137468][ T8412]  ? find_uprobe+0x12c/0x150
[   69.142057][ T8412]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   69.149099][ T8412]  ? find_uprobe+0x12c/0x150
[   69.153684][ T8412]  ? find_uprobe+0x12c/0x150
[   69.158281][ T8412]  kasan_report.cold+0x7c/0xd8
[   69.163153][ T8412]  ? find_uprobe+0x12c/0x150
[   69.167748][ T8412]  find_uprobe+0x12c/0x150
[   69.172193][ T8412]  uprobe_unregister+0x1e/0x70
[   69.176972][ T8412]  __probe_event_disable+0x11e/0x240
[   69.182261][ T8412]  probe_event_disable+0x155/0x1c0
[   69.187654][ T8412]  trace_uprobe_register+0x45a/0x880
[   69.192938][ T8412]  ? trace_uprobe_register+0x3ef/0x880
[   69.198491][ T8412]  ? rcu_read_lock_sched_held+0x3a/0x70
[   69.204042][ T8412]  perf_trace_event_unreg.isra.0+0xac/0x250
[   69.210026][ T8412]  perf_uprobe_destroy+0xbb/0x130
[   69.215501][ T8412]  ? perf_uprobe_init+0x210/0x210
[   69.220544][ T8412]  _free_event+0x2ee/0x1380
[   69.225997][ T8412]  perf_event_release_kernel+0xa24/0xe00
[   69.231638][ T8412]  ? fsnotify_first_mark+0x1f0/0x1f0
[   69.237008][ T8412]  ? __perf_event_exit_context+0x170/0x170
[   69.242827][ T8412]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   69.249103][ T8412]  perf_release+0x33/0x40
[   69.253884][ T8412]  __fput+0x283/0x920
[   69.257875][ T8412]  ? perf_event_release_kernel+0xe00/0xe00
[   69.263687][ T8412]  task_work_run+0xdd/0x190
[   69.268202][ T8412]  do_exit+0xc5c/0x2ae0
[   69.272370][ T8412]  ? mm_update_next_owner+0x7a0/0x7a0
[   69.277849][ T8412]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   69.284121][ T8412]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   69.290368][ T8412]  do_group_exit+0x125/0x310
[   69.295046][ T8412]  __x64_sys_exit_group+0x3a/0x50
[   69.300078][ T8412]  do_syscall_64+0x2d/0x70
[   69.304500][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.310646][ T8412] RIP: 0033:0x43daf9
[   69.314894][ T8412] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   69.321851][ T8412] RSP: 002b:00007ffef8162f38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   69.331323][ T8412] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   69.339283][ T8412] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   69.347786][ T8412] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   69.355777][ T8412] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   69.363830][ T8412] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   69.371832][ T8412]
[   69.374162][ T8412] Allocated by task 8412:
[   69.378799][ T8412]  kasan_save_stack+0x1b/0x40
[   69.383472][ T8412]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[   69.389268][ T8412]  __uprobe_register+0x19c/0x850
[   69.394290][ T8412]  probe_event_enable+0x357/0xa00
[   69.399414][ T8412]  trace_uprobe_register+0x443/0x880
[   69.404691][ T8412]  perf_trace_event_init+0x549/0xa20
[   69.410068][ T8412]  perf_uprobe_init+0x16f/0x210
[   69.415098][ T8412]  perf_uprobe_event_init+0xff/0x1c0
[   69.420636][ T8412]  perf_try_init_event+0x12a/0x560
[   69.425744][ T8412]  perf_event_alloc.part.0+0xe3b/0x3960
[   69.431278][ T8412]  __do_sys_perf_event_open+0x647/0x2e60
[   69.436908][ T8412]  do_syscall_64+0x2d/0x70
[   69.441335][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.447234][ T8412]
[   69.449544][ T8412] Freed by task 8412:
[   69.453516][ T8412]  kasan_save_stack+0x1b/0x40
[   69.458791][ T8412]  kasan_set_track+0x1c/0x30
[   69.463376][ T8412]  kasan_set_free_info+0x20/0x30
[   69.468314][ T8412]  ____kasan_slab_free.part.0+0xe1/0x110
[   69.474556][ T8412]  slab_free_freelist_hook+0x82/0x1d0
[   69.479934][ T8412]  kfree+0xe5/0x7b0
[   69.483877][ T8412]  put_uprobe+0x13b/0x190
[   69.488202][ T8412]  uprobe_apply+0xfc/0x130
[   69.492707][ T8412]  trace_uprobe_register+0x5c9/0x880
[   69.497994][ T8412]  perf_trace_event_init+0x17a/0xa20
[   69.503286][ T8412]  perf_uprobe_init+0x16f/0x210
[   69.508124][ T8412]  perf_uprobe_event_init+0xff/0x1c0
[   69.513481][ T8412]  perf_try_init_event+0x12a/0x560
[   69.518591][ T8412]  perf_event_alloc.part.0+0xe3b/0x3960
[   69.524120][ T8412]  __do_sys_perf_event_open+0x647/0x2e60
[   69.529773][ T8412]  do_syscall_64+0x2d/0x70
[   69.534240][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.540142][ T8412]
[   69.542541][ T8412] The buggy address belongs to the object at ffff8880171f2000
[   69.542541][ T8412]  which belongs to the cache kmalloc-512 of size 512
[   69.556768][ T8412] The buggy address is located 360 bytes inside of
[   69.556768][ T8412]  512-byte region [ffff8880171f2000, ffff8880171f2200)
[   69.570200][ T8412] The buggy address belongs to the page:
[   69.575897][ T8412] page:00000000731d482d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171f2
[   69.586043][ T8412] head:00000000731d482d order:1 compound_mapcount:0
[   69.592614][ T8412] flags: 0xfff00000010200(slab|head)
[   69.597924][ T8412] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[   69.606591][ T8412] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   69.615167][ T8412] page dumped because: kasan: bad access detected
[   69.621662][ T8412]
[   69.623988][ T8412] Memory state around the buggy address:
[   69.629617][ T8412]  ffff8880171f2000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.637671][ T8412]  ffff8880171f2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.646346][ T8412] >ffff8880171f2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.654504][ T8412]                                                           ^
[   69.661959][ T8412]  ffff8880171f2180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   69.670118][ T8412]  ffff8880171f2200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   69.678171][ T8412] ==================================================================
[   69.686245][ T8412] Disabling lock debugging due to kernel taint
[   69.693582][ T8412] Kernel panic - not syncing: panic_on_warn set ...
[   69.700185][ T8412] CPU: 0 PID: 8412 Comm: syz-executor748 Tainted: G    B             5.11.0-rc6-next-20210205-syzkaller #0
[   69.712225][ T8412] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   69.722373][ T8412] Call Trace:
[   69.725659][ T8412]  dump_stack+0x107/0x163
[   69.730031][ T8412]  ? find_uprobe+0x90/0x150
[   69.734542][ T8412]  panic+0x306/0x73d
[   69.738468][ T8412]  ? __warn_printk+0xf3/0xf3
[   69.743047][ T8412]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   69.749505][ T8412]  ? trace_hardirqs_on+0x38/0x1c0
[   69.754520][ T8412]  ? trace_hardirqs_on+0x51/0x1c0
[   69.759533][ T8412]  ? find_uprobe+0x12c/0x150
[   69.764108][ T8412]  ? find_uprobe+0x12c/0x150
[   69.768684][ T8412]  end_report.cold+0x5a/0x5a
[   69.773262][ T8412]  kasan_report.cold+0x6a/0xd8
[   69.778017][ T8412]  ? find_uprobe+0x12c/0x150
[   69.782611][ T8412]  find_uprobe+0x12c/0x150
[   69.787022][ T8412]  uprobe_unregister+0x1e/0x70
[   69.791823][ T8412]  __probe_event_disable+0x11e/0x240
[   69.797102][ T8412]  probe_event_disable+0x155/0x1c0
[   69.802205][ T8412]  trace_uprobe_register+0x45a/0x880
[   69.807493][ T8412]  ? trace_uprobe_register+0x3ef/0x880
[   69.812940][ T8412]  ? rcu_read_lock_sched_held+0x3a/0x70
[   69.818478][ T8412]  perf_trace_event_unreg.isra.0+0xac/0x250
[   69.824363][ T8412]  perf_uprobe_destroy+0xbb/0x130
[   69.829381][ T8412]  ? perf_uprobe_init+0x210/0x210
[   69.834388][ T8412]  _free_event+0x2ee/0x1380
[   69.839064][ T8412]  perf_event_release_kernel+0xa24/0xe00
[   69.844935][ T8412]  ? fsnotify_first_mark+0x1f0/0x1f0
[   69.850212][ T8412]  ? __perf_event_exit_context+0x170/0x170
[   69.856005][ T8412]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   69.862276][ T8412]  perf_release+0x33/0x40
[   69.866625][ T8412]  __fput+0x283/0x920
[   69.870609][ T8412]  ? perf_event_release_kernel+0xe00/0xe00
[   69.876410][ T8412]  task_work_run+0xdd/0x190
[   69.880905][ T8412]  do_exit+0xc5c/0x2ae0
[   69.885064][ T8412]  ? mm_update_next_owner+0x7a0/0x7a0
[   69.890619][ T8412]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   69.896974][ T8412]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   69.903219][ T8412]  do_group_exit+0x125/0x310
[   69.907822][ T8412]  __x64_sys_exit_group+0x3a/0x50
[   69.912852][ T8412]  do_syscall_64+0x2d/0x70
[   69.917283][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   69.923258][ T8412] RIP: 0033:0x43daf9
[   69.927133][ T8412] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   69.933958][ T8412] RSP: 002b:00007ffef8162f38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   69.942545][ T8412] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   69.950528][ T8412] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   69.958510][ T8412] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   69.966525][ T8412] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   69.974495][ T8412] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   69.983045][ T8412] Kernel Offset: disabled
[   69.987371][ T8412] Rebooting in 86400 seconds..
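The log above is a raw syzkaller console capture, and the facts a first-pass triage needs are scattered through it: the bug class and faulting function in the header line, the size and address of the bad access, the reliable (non-"? ") callers above find_uprobe, the allocation and free call sites once the kasan_*/kfree plumbing is skipped (here __uprobe_register and put_uprobe), the slab cache, and whether the reported address really sits at the stated offset inside the stated object. The following Python parser is an added example of my own, not code from this page, from syzkaller or from the kernel; it is not a reproducer and says nothing about the root cause. SAMPLE is a constructed, trimmed excerpt of this page's report, and the PLUMBING regex, the field names and the closing-rule cutoff are my own choices.

```python
import re

# Constructed sample: a trimmed excerpt of the KASAN report on this page (most
# frames elided, printk prefixes kept) so the parser runs offline on real-shaped input.
SAMPLE = """\
[   69.078729][ T8412] ==================================================================
[   69.087056][ T8412] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   69.094013][ T8412] Read of size 8 at addr ffff8880171f2168 by task syz-executor748/8412
[   69.102337][ T8412]
[   69.125250][ T8412] Call Trace:
[   69.128528][ T8412]  dump_stack+0x107/0x163
[   69.132888][ T8412]  ? find_uprobe+0x12c/0x150
[   69.167748][ T8412]  find_uprobe+0x12c/0x150
[   69.172193][ T8412]  uprobe_unregister+0x1e/0x70
[   69.176972][ T8412]  __probe_event_disable+0x11e/0x240
[   69.310646][ T8412] RIP: 0033:0x43daf9
[   69.374162][ T8412] Allocated by task 8412:
[   69.378799][ T8412]  kasan_save_stack+0x1b/0x40
[   69.383472][ T8412]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[   69.389268][ T8412]  __uprobe_register+0x19c/0x850
[   69.449544][ T8412] Freed by task 8412:
[   69.453516][ T8412]  kasan_save_stack+0x1b/0x40
[   69.468314][ T8412]  ____kasan_slab_free.part.0+0xe1/0x110
[   69.479934][ T8412]  kfree+0xe5/0x7b0
[   69.483877][ T8412]  put_uprobe+0x13b/0x190
[   69.540142][ T8412]
[   69.542541][ T8412] The buggy address belongs to the object at ffff8880171f2000
[   69.542541][ T8412]  which belongs to the cache kmalloc-512 of size 512
[   69.556768][ T8412] The buggy address is located 360 bytes inside of
[   69.556768][ T8412]  512-byte region [ffff8880171f2000, ffff8880171f2200)
[   69.678171][ T8412] ==================================================================
"""

PREFIX = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # "[   69.1][ T8412] "
HEADER = re.compile(r"BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)\+0x")
ACCESS = re.compile(r"(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)"
                    r" by task (?P<task>\S+)/(?P<pid>\d+)")
FRAME = re.compile(r"^(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
CACHE = re.compile(r"belongs to the cache (?P<cache>\S+) of size")
OFFSET = re.compile(r"located (?P<offset>\d+) bytes inside of")
REGION = re.compile(r"(?P<size>\d+)-byte region \[(?P<start>[0-9a-f]+), (?P<end>[0-9a-f]+)\)")
# Sanitizer/allocator frames that top every alloc and free stack (my heuristic list);
# the first reliable frame below them is the real call site.
PLUMBING = re.compile(r"^_*(kasan|kfree|kmalloc|kmem_cache|slab_)")


def parse_kasan_report(text):
    """Parse the first KASAN report in a console log; stop at its closing rule."""
    rep = {"kind": None, "func": None, "access": None, "cache": None, "object": {},
           "trace": [], "alloc": [], "free": [], "alloc_task": None, "free_task": None}
    inside, section = False, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if line.startswith("====="):
            if inside:
                break            # the panic trace printed after the report is not part of it
            inside = True
            continue
        if not inside:
            continue
        if m := HEADER.search(line):
            rep["kind"], rep["func"] = m["kind"], m["func"]
        elif m := ACCESS.search(line):
            rep["access"] = {"op": m["op"], "size": int(m["size"]), "addr": int(m["addr"], 16),
                             "task": m["task"], "pid": int(m["pid"])}
        elif line == "Call Trace:":
            section = "trace"
        elif line.startswith(("Allocated by task", "Freed by task")):
            section = "alloc" if line.startswith("Alloc") else "free"
            rep[section + "_task"] = int(line.split()[-1].rstrip(":"))
        elif section and (m := FRAME.match(line)):
            rep[section].append((m["sym"], m["unreliable"] is not None))  # "? " = unreliable
        else:
            section = None       # blank line, RIP:/register dump or object info ends a stack
            if m := CACHE.search(line):
                rep["cache"] = m["cache"]
            for rx in (OFFSET, REGION):
                if m := rx.search(line):
                    rep["object"].update({k: int(v, 16 if k in ("start", "end") else 10)
                                          for k, v in m.groupdict().items()})
    return rep


def call_site(frames):  # first reliable frame below the allocator/KASAN plumbing
    return next((s for s, unreliable in frames if not unreliable and not PLUMBING.match(s)), None)


def triage(rep):  # the facts a first-pass triage of a UAF/OOB report needs
    acc, obj = rep["access"], rep["object"]
    reliable = [s for s, unreliable in rep["trace"] if not unreliable]
    idx = reliable.index(rep["func"]) if rep["func"] in reliable else -1
    consistent = (acc is not None and all(k in obj for k in ("offset", "size", "start", "end"))
                  and acc["addr"] - obj["start"] == obj["offset"]
                  and obj["start"] + obj["size"] == obj["end"])
    return {"kind": rep["kind"], "where": rep["func"],
            "callers": reliable[idx + 1:idx + 4] if idx >= 0 else [],
            "alloc_site": call_site(rep["alloc"]), "free_site": call_site(rep["free"]),
            "same_task": acc is not None and rep["alloc_task"] == rep["free_task"] == acc["pid"],
            "object_consistent": consistent}
```

Run `triage(parse_kasan_report(SAMPLE))` on the full log above and it reports a use-after-free in find_uprobe reached from uprobe_unregister and __probe_event_disable, an object allocated in __uprobe_register and freed in put_uprobe by the same task, in kmalloc-512, with the address 0x168 bytes into the object exactly as the report states. Two design points matter in practice: frames marked "? " are stale stack slots and must not be used as evidence of a call path, and parsing stops at the closing rule, because the "Kernel panic" section that follows repeats the trace through panic() and would otherwise be merged into the access stack.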