Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.24' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [   77.459764][ T8409] ==================================================================
[   77.469662][ T8409] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   77.477332][ T8409] Read of size 8 at addr ffff888017cb7568 by task syz-executor998/8409
[   77.487663][ T8409]
[   77.490090][ T8409] CPU: 1 PID: 8409 Comm: syz-executor998 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[   77.501716][ T8409] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   77.512350][ T8409] Call Trace:
[   77.516036][ T8409]  dump_stack+0x107/0x163
[   77.520835][ T8409]  ? find_uprobe+0x12c/0x150
[   77.525709][ T8409]  ? find_uprobe+0x12c/0x150
[   77.530322][ T8409]  print_address_description.constprop.0.cold+0x5b/0x2f8
[   77.539184][ T8409]  ? find_uprobe+0x12c/0x150
[   77.544913][ T8409]  ? find_uprobe+0x12c/0x150
[   77.550961][ T8409]  kasan_report.cold+0x7c/0xd8
[   77.556380][ T8409]  ? find_uprobe+0x12c/0x150
[   77.561474][ T8409]  find_uprobe+0x12c/0x150
[   77.566445][ T8409]  uprobe_unregister+0x1e/0x70
[   77.571978][ T8409]  __probe_event_disable+0x11e/0x240
[   77.577925][ T8409]  probe_event_disable+0x155/0x1c0
[   77.583327][ T8409]  trace_uprobe_register+0x45a/0x880
[   77.589020][ T8409]  ? trace_uprobe_register+0x3ef/0x880
[   77.594815][ T8409]  ? rcu_read_lock_sched_held+0x3a/0x70
[   77.600764][ T8409]  perf_trace_event_unreg.isra.0+0xac/0x250
[   77.607941][ T8409]  perf_uprobe_destroy+0xbb/0x130
[   77.614216][ T8409]  ? perf_uprobe_init+0x210/0x210
[   77.621435][ T8409]  _free_event+0x2ee/0x1380
[   77.628005][ T8409]  perf_event_release_kernel+0xa24/0xe00
[   77.635197][ T8409]  ? fsnotify_first_mark+0x1f0/0x1f0
[   77.642340][ T8409]  ? __perf_event_exit_context+0x170/0x170
[   77.649672][ T8409]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   77.658407][ T8409]  perf_release+0x33/0x40
[   77.664593][ T8409]  __fput+0x283/0x920
[   77.669397][ T8409]  ? perf_event_release_kernel+0xe00/0xe00
[   77.677271][ T8409]  task_work_run+0xdd/0x190
[   77.682848][ T8409]  do_exit+0xc5c/0x2ae0
[   77.687583][ T8409]  ? mm_update_next_owner+0x7a0/0x7a0
[   77.693333][ T8409]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   77.700130][ T8409]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   77.707360][ T8409]  do_group_exit+0x125/0x310
[   77.712728][ T8409]  __x64_sys_exit_group+0x3a/0x50
[   77.718903][ T8409]  do_syscall_64+0x2d/0x70
[   77.723884][ T8409]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   77.731194][ T8409] RIP: 0033:0x43daf9
[   77.735326][ T8409] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   77.743161][ T8409] RSP: 002b:00007ffd2ca44d78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   77.752541][ T8409] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   77.761174][ T8409] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   77.770880][ T8409] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   77.780837][ T8409] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   77.789880][ T8409] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   77.798425][ T8409]
[   77.801119][ T8409] Allocated by task 8409:
[   77.806635][ T8409]  kasan_save_stack+0x1b/0x40
[   77.812349][ T8409]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[   77.819130][ T8409]  __uprobe_register+0x19c/0x850
[   77.824518][ T8409]  probe_event_enable+0x357/0xa00
[   77.830382][ T8409]  trace_uprobe_register+0x443/0x880
[   77.836495][ T8409]  perf_trace_event_init+0x549/0xa20
[   77.842773][ T8409]  perf_uprobe_init+0x16f/0x210
[   77.848127][ T8409]  perf_uprobe_event_init+0xff/0x1c0
[   77.853736][ T8409]  perf_try_init_event+0x12a/0x560
[   77.858947][ T8409]  perf_event_alloc.part.0+0xe3b/0x3960
[   77.865150][ T8409]  __do_sys_perf_event_open+0x647/0x2e60
[   77.872035][ T8409]  do_syscall_64+0x2d/0x70
[   77.877700][ T8409]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   77.885031][ T8409]
[   77.887501][ T8409] Freed by task 8409:
[   77.892052][ T8409]  kasan_save_stack+0x1b/0x40
[   77.898168][ T8409]  kasan_set_track+0x1c/0x30
[   77.903753][ T8409]  kasan_set_free_info+0x20/0x30
[   77.909020][ T8409]  ____kasan_slab_free.part.0+0xe1/0x110
[   77.915030][ T8409]  slab_free_freelist_hook+0x82/0x1d0
[   77.921248][ T8409]  kfree+0xe5/0x7b0
[   77.925842][ T8409]  put_uprobe+0x13b/0x190
[   77.930655][ T8409]  uprobe_apply+0xfc/0x130
[   77.935336][ T8409]  trace_uprobe_register+0x5c9/0x880
[   77.941121][ T8409]  perf_trace_event_init+0x17a/0xa20
[   77.946808][ T8409]  perf_uprobe_init+0x16f/0x210
[   77.952306][ T8409]  perf_uprobe_event_init+0xff/0x1c0
[   77.958640][ T8409]  perf_try_init_event+0x12a/0x560
[   77.964803][ T8409]  perf_event_alloc.part.0+0xe3b/0x3960
[   77.971003][ T8409]  __do_sys_perf_event_open+0x647/0x2e60
[   77.978782][ T8409]  do_syscall_64+0x2d/0x70
[   77.983415][ T8409]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   77.990543][ T8409]
[   77.993172][ T8409] The buggy address belongs to the object at ffff888017cb7400
[   77.993172][ T8409]  which belongs to the cache kmalloc-512 of size 512
[   78.008924][ T8409] The buggy address is located 360 bytes inside of
[   78.008924][ T8409]  512-byte region [ffff888017cb7400, ffff888017cb7600)
[   78.024416][ T8409] The buggy address belongs to the page:
[   78.030514][ T8409] page:0000000025ece71d refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x17cb6
[   78.041606][ T8409] head:0000000025ece71d order:1 compound_mapcount:0
[   78.049050][ T8409] flags: 0xfff00000010200(slab|head)
[   78.054979][ T8409] raw: 00fff00000010200 0000000000000000 0000000700000001 ffff888010841c80
[   78.064815][ T8409] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[   78.080836][ T8409] page dumped because: kasan: bad access detected
[   78.088248][ T8409]
[   78.091272][ T8409] Memory state around the buggy address:
[   78.097808][ T8409]  ffff888017cb7400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.107624][ T8409]  ffff888017cb7480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.117271][ T8409] >ffff888017cb7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.127123][ T8409]                                             ^
[   78.136832][ T8409]  ffff888017cb7580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   78.145807][ T8409]  ffff888017cb7600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   78.155743][ T8409] ==================================================================
[   78.164627][ T8409] Disabling lock debugging due to kernel taint
[   78.172281][ T8409] Kernel panic - not syncing: panic_on_warn set ...
[   78.179352][ T8409] CPU: 1 PID: 8409 Comm: syz-executor998 Tainted: G    B             5.11.0-rc6-next-20210205-syzkaller #0
[   78.191514][ T8409] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[   78.201942][ T8409] Call Trace:
[   78.205417][ T8409]  dump_stack+0x107/0x163
[   78.211875][ T8409]  ? find_uprobe+0x90/0x150
[   78.220941][ T8409]  panic+0x306/0x73d
[   78.226565][ T8409]  ? __warn_printk+0xf3/0xf3
[   78.233004][ T8409]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[   78.240737][ T8409]  ? trace_hardirqs_on+0x38/0x1c0
[   78.246227][ T8409]  ? trace_hardirqs_on+0x51/0x1c0
[   78.251702][ T8409]  ? find_uprobe+0x12c/0x150
[   78.256972][ T8409]  ? find_uprobe+0x12c/0x150
[   78.261750][ T8409]  end_report.cold+0x5a/0x5a
[   78.266847][ T8409]  kasan_report.cold+0x6a/0xd8
[   78.271622][ T8409]  ? find_uprobe+0x12c/0x150
[   78.276411][ T8409]  find_uprobe+0x12c/0x150
[   78.281074][ T8409]  uprobe_unregister+0x1e/0x70
[   78.286400][ T8409]  __probe_event_disable+0x11e/0x240
[   78.291915][ T8409]  probe_event_disable+0x155/0x1c0
[   78.297957][ T8409]  trace_uprobe_register+0x45a/0x880
[   78.303647][ T8409]  ? trace_uprobe_register+0x3ef/0x880
[   78.310344][ T8409]  ? rcu_read_lock_sched_held+0x3a/0x70
[   78.316316][ T8409]  perf_trace_event_unreg.isra.0+0xac/0x250
[   78.322597][ T8409]  perf_uprobe_destroy+0xbb/0x130
[   78.327912][ T8409]  ? perf_uprobe_init+0x210/0x210
[   78.333556][ T8409]  _free_event+0x2ee/0x1380
[   78.338251][ T8409]  perf_event_release_kernel+0xa24/0xe00
[   78.344497][ T8409]  ? fsnotify_first_mark+0x1f0/0x1f0
[   78.350285][ T8409]  ? __perf_event_exit_context+0x170/0x170
[   78.356606][ T8409]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[   78.363538][ T8409]  perf_release+0x33/0x40
[   78.369519][ T8409]  __fput+0x283/0x920
[   78.375370][ T8409]  ? perf_event_release_kernel+0xe00/0xe00
[   78.382250][ T8409]  task_work_run+0xdd/0x190
[   78.388221][ T8409]  do_exit+0xc5c/0x2ae0
[   78.393340][ T8409]  ? mm_update_next_owner+0x7a0/0x7a0
[   78.399938][ T8409]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[   78.406553][ T8409]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[   78.414413][ T8409]  do_group_exit+0x125/0x310
[   78.419126][ T8409]  __x64_sys_exit_group+0x3a/0x50
[   78.424352][ T8409]  do_syscall_64+0x2d/0x70
[   78.428871][ T8409]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   78.435510][ T8409] RIP: 0033:0x43daf9
[   78.439978][ T8409] Code: Unable to access opcode bytes at RIP 0x43dacf.
[   78.446830][ T8409] RSP: 002b:00007ffd2ca44d78 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[   78.456701][ T8409] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[   78.465742][ T8409] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[   78.474475][ T8409] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[   78.483028][ T8409] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[   78.492159][ T8409] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[   78.500993][ T8409] Kernel Offset: disabled
[   78.505720][ T8409] Rebooting in 86400 seconds..
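The report above carries the three stacks a triager needs (where the object was allocated, where it was freed, where it was touched afterwards) plus the object and shadow-memory details that say how far into the object the access landed. The script below is an added example, not part of the syzkaller report and not kernel or syzkaller tooling: it parses those pieces out of the console log and reduces them to one line. It assumes the `[ time][ Tpid]` console prefix format seen above and the generic-KASAN poison values from mm/kasan/kasan.h as of v5.11 (the kernel in the report); the embedded REPORT is a trimmed copy of the log above, constructed here as sample input.

```python
import re

# Sample input: a trimmed copy of the report above (console prefixes kept,
# most frames dropped), constructed here so the script runs offline.
REPORT = """\
[   77.469662][ T8409] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   77.477332][ T8409] Read of size 8 at addr ffff888017cb7568 by task syz-executor998/8409
[   77.512350][ T8409] Call Trace:
[   77.556380][ T8409]  ? find_uprobe+0x12c/0x150
[   77.561474][ T8409]  find_uprobe+0x12c/0x150
[   77.566445][ T8409]  uprobe_unregister+0x1e/0x70
[   77.712728][ T8409]  __x64_sys_exit_group+0x3a/0x50
[   77.731194][ T8409] RIP: 0033:0x43daf9
[   77.801119][ T8409] Allocated by task 8409:
[   77.812349][ T8409]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[   77.819130][ T8409]  __uprobe_register+0x19c/0x850
[   77.865150][ T8409]  __do_sys_perf_event_open+0x647/0x2e60
[   77.887501][ T8409] Freed by task 8409:
[   77.909020][ T8409]  ____kasan_slab_free.part.0+0xe1/0x110
[   77.921248][ T8409]  kfree+0xe5/0x7b0
[   77.925842][ T8409]  put_uprobe+0x13b/0x190
[   77.930655][ T8409]  uprobe_apply+0xfc/0x130
[   77.971003][ T8409]  __do_sys_perf_event_open+0x647/0x2e60
[   77.993172][ T8409] The buggy address belongs to the object at ffff888017cb7400
[   77.993172][ T8409]  which belongs to the cache kmalloc-512 of size 512
[   78.117271][ T8409] >ffff888017cb7500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")          # "[   77.46][ T8409] "
BUG = re.compile(r"BUG: KASAN: (\S+) in (\S+?)\+0x")
ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)")
OBJECT = re.compile(r"object at ([0-9a-f]+)")
CACHE = re.compile(r"cache (\S+) of size (\d+)")
ROW = re.compile(r"^>([0-9a-f]+): ((?:[0-9a-f]{2} ?){16})$")  # the '>'-marked shadow row
# Generic-KASAN poison values, as defined in mm/kasan/kasan.h for v5.11.
LEGEND = {0xfa: "freed object, free-track slot (KASAN_KMALLOC_FREETRACK)",
          0xfb: "freed object (KASAN_KMALLOC_FREE)",
          0xfc: "kmalloc redzone (KASAN_KMALLOC_REDZONE)"}
# Sanitizer/allocator frames that sit above the code actually responsible.
NOISE = ("kasan_", "slab_free", "kfree", "dump_stack", "print_address", "end_report")

def frames(lines, header):
    """Frames under a 'Call Trace:'/'Allocated by'/'Freed by' header: frame lines
    are indented one space, '? ' guesses are dropped, first non-indented line ends it."""
    out, active = [], False
    for ln in lines:
        if not active:
            active = ln.startswith(header)
        elif not ln.startswith(" "):
            break
        elif not ln.lstrip().startswith("? "):
            out.append(ln.strip().split("+0x")[0])
    return out

def first_real(stack):
    return next(f for f in stack if not f.lstrip("_").startswith(NOISE))

def syscall_of(stack):
    return next((f for f in stack if "_sys_" in f), None)

def shadow_state(lines, addr):
    """Decode the shadow byte covering addr: one shadow byte per 8 bytes of memory."""
    for ln in lines:
        m = ROW.match(ln.strip())
        if not m:
            continue
        idx = (addr - int(m.group(1), 16)) // 8
        if 0 <= idx < 16:
            v = int(m.group(2).split()[idx], 16)
            if v < 8:
                return "addressable" if v == 0 else f"first {v} bytes addressable"
            return LEGEND.get(v, f"poison 0x{v:02x}")
    return "shadow row not found"

def triage(report):
    lines = [PREFIX.sub("", l).rstrip() for l in report.splitlines()]
    text = "\n".join(lines)
    kind, func = BUG.search(text).groups()
    op, size, addr, task = ACCESS.search(text).groups()
    addr, base = int(addr, 16), int(OBJECT.search(text).group(1), 16)
    cache, objsize = CACHE.search(text).groups()
    use, alloc, free = (frames(lines, h) for h in ("Call Trace:", "Allocated by", "Freed by"))
    return {"kind": kind, "use_site": func, "op": op, "size": int(size), "task": task,
            "cache": cache, "offset": addr - base, "inside_object": base <= addr < base + int(objsize),
            "use_top": first_real(use), "alloc_site": first_real(alloc), "free_site": first_real(free),
            "use_syscall": syscall_of(use), "alloc_syscall": syscall_of(alloc),
            "free_syscall": syscall_of(free), "shadow": shadow_state(lines, addr)}

def summarize(t):
    return (f"{t['kind']}: {t['op']} of {t['size']} bytes, {t['offset']} bytes into a {t['cache']} "
            f"object, in {t['use_site']} under {t['use_syscall']}; allocated by {t['alloc_site']} and "
            f"freed by {t['free_site']}, both under {t['free_syscall']}; shadow: {t['shadow']}")

if __name__ == "__main__":
    print(summarize(triage(REPORT)))
```

For this crash the one-liner says what the raw log says at length: the object (allocated in __uprobe_register, kmalloc-512) was freed by put_uprobe inside uprobe_apply during the same perf_event_open() call that allocated it, and was read again 360 bytes in, from find_uprobe via uprobe_unregister, when the perf fd was released on exit_group. The shadow byte 0xfb confirms the region is freed rather than a redzone or a stale pointer into a live neighbour. The remaining step, which the log cannot do for you, is to map offset 360 to a member of the struct behind the allocation with `pahole -C <struct> vmlinux` on the same build and to read trace_uprobe_register at the two offsets (0x443 enable path, 0x45a disable path) in that build's disassembly.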