Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.101' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.713058][ T8422] ==================================================================
[ 68.721428][ T8422] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 68.728403][ T8422] Read of size 8 at addr ffff888020bd1d68 by task syz-executor164/8422
[ 68.736808][ T8422]
[ 68.739126][ T8422] CPU: 0 PID: 8422 Comm: syz-executor164 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[ 68.749182][ T8422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.760368][ T8422] Call Trace:
[ 68.763665][ T8422]  dump_stack+0x107/0x163
[ 68.768129][ T8422]  ? find_uprobe+0x12c/0x150
[ 68.772712][ T8422]  ? find_uprobe+0x12c/0x150
[ 68.777305][ T8422]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 68.784360][ T8422]  ? find_uprobe+0x12c/0x150
[ 68.788961][ T8422]  ? find_uprobe+0x12c/0x150
[ 68.793646][ T8422]  kasan_report.cold+0x7c/0xd8
[ 68.803375][ T8422]  ? find_uprobe+0x12c/0x150
[ 68.807993][ T8422]  find_uprobe+0x12c/0x150
[ 68.812422][ T8422]  uprobe_unregister+0x1e/0x70
[ 68.817293][ T8422]  __probe_event_disable+0x11e/0x240
[ 68.822786][ T8422]  probe_event_disable+0x155/0x1c0
[ 68.827893][ T8422]  trace_uprobe_register+0x45a/0x880
[ 68.833194][ T8422]  ? trace_uprobe_register+0x3ef/0x880
[ 68.838659][ T8422]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 68.844198][ T8422]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 68.850109][ T8422]  perf_uprobe_destroy+0xbb/0x130
[ 68.855139][ T8422]  ? perf_uprobe_init+0x210/0x210
[ 68.860176][ T8422]  _free_event+0x2ee/0x1380
[ 68.864676][ T8422]  perf_event_release_kernel+0xa24/0xe00
[ 68.870323][ T8422]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 68.875909][ T8422]  ? __perf_event_exit_context+0x170/0x170
[ 68.881735][ T8422]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 68.887972][ T8422]  perf_release+0x33/0x40
[ 68.892301][ T8422]  __fput+0x283/0x920
[ 68.896327][ T8422]  ? perf_event_release_kernel+0xe00/0xe00
[ 68.902150][ T8422]  task_work_run+0xdd/0x190
[ 68.906649][ T8422]  do_exit+0xc5c/0x2ae0
[ 68.910806][ T8422]  ? mm_update_next_owner+0x7a0/0x7a0
[ 68.916190][ T8422]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 68.922447][ T8422]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.928873][ T8422]  do_group_exit+0x125/0x310
[ 68.933589][ T8422]  __x64_sys_exit_group+0x3a/0x50
[ 68.938716][ T8422]  do_syscall_64+0x2d/0x70
[ 68.943129][ T8422]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.949037][ T8422] RIP: 0033:0x43ddc9
[ 68.953183][ T8422] Code: Unable to access opcode bytes at RIP 0x43dd9f.
[ 68.960106][ T8422] RSP: 002b:00007ffc6e134708 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 68.968823][ T8422] RAX: ffffffffffffffda RBX: 00000000004af2f0 RCX: 000000000043ddc9
[ 68.976799][ T8422] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 68.984781][ T8422] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
[ 68.992746][ T8422] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004af2f0
[ 69.000723][ T8422] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 69.008713][ T8422]
[ 69.011131][ T8422] Allocated by task 8422:
[ 69.015453][ T8422]  kasan_save_stack+0x1b/0x40
[ 69.020140][ T8422]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[ 69.025957][ T8422]  __uprobe_register+0x19c/0x850
[ 69.030893][ T8422]  probe_event_enable+0x441/0xa00
[ 69.035911][ T8422]  trace_uprobe_register+0x443/0x880
[ 69.041205][ T8422]  perf_trace_event_init+0x549/0xa20
[ 69.046487][ T8422]  perf_uprobe_init+0x16f/0x210
[ 69.051331][ T8422]  perf_uprobe_event_init+0xff/0x1c0
[ 69.056953][ T8422]  perf_try_init_event+0x12a/0x560
[ 69.062081][ T8422]  perf_event_alloc.part.0+0xe3b/0x3960
[ 69.067630][ T8422]  __do_sys_perf_event_open+0x647/0x2e60
[ 69.075010][ T8422]  do_syscall_64+0x2d/0x70
[ 69.079613][ T8422]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.085592][ T8422]
[ 69.087917][ T8422] Freed by task 8422:
[ 69.091894][ T8422]  kasan_save_stack+0x1b/0x40
[ 69.096578][ T8422]  kasan_set_track+0x1c/0x30
[ 69.101170][ T8422]  kasan_set_free_info+0x20/0x30
[ 69.106100][ T8422]  ____kasan_slab_free.part.0+0xe1/0x110
[ 69.111744][ T8422]  slab_free_freelist_hook+0x82/0x1d0
[ 69.117299][ T8422]  kfree+0xe5/0x7b0
[ 69.121092][ T8422]  put_uprobe+0x13b/0x190
[ 69.125412][ T8422]  uprobe_apply+0xfc/0x130
[ 69.130775][ T8422]  trace_uprobe_register+0x5c9/0x880
[ 69.136178][ T8422]  perf_trace_event_init+0x17a/0xa20
[ 69.141537][ T8422]  perf_uprobe_init+0x16f/0x210
[ 69.146378][ T8422]  perf_uprobe_event_init+0xff/0x1c0
[ 69.151675][ T8422]  perf_try_init_event+0x12a/0x560
[ 69.156793][ T8422]  perf_event_alloc.part.0+0xe3b/0x3960
[ 69.162334][ T8422]  __do_sys_perf_event_open+0x647/0x2e60
[ 69.168012][ T8422]  do_syscall_64+0x2d/0x70
[ 69.172428][ T8422]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.178314][ T8422]
[ 69.180713][ T8422] The buggy address belongs to the object at ffff888020bd1c00
[ 69.180713][ T8422]  which belongs to the cache kmalloc-512 of size 512
[ 69.194773][ T8422] The buggy address is located 360 bytes inside of
[ 69.194773][ T8422]  512-byte region [ffff888020bd1c00, ffff888020bd1e00)
[ 69.208059][ T8422] The buggy address belongs to the page:
[ 69.213698][ T8422] page:000000001b03f58a refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20bd0
[ 69.223935][ T8422] head:000000001b03f58a order:1 compound_mapcount:0
[ 69.230862][ T8422] flags: 0xfff00000010200(slab|head)
[ 69.236147][ T8422] raw: 00fff00000010200 0000000000000000 0000000500000001 ffff888010841c80
[ 69.244732][ T8422] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 69.253392][ T8422] page dumped because: kasan: bad access detected
[ 69.259879][ T8422]
[ 69.262209][ T8422] Memory state around the buggy address:
[ 69.267827][ T8422]  ffff888020bd1c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.275875][ T8422]  ffff888020bd1c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.283922][ T8422] >ffff888020bd1d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.291969][ T8422]                                                           ^
[ 69.299418][ T8422]  ffff888020bd1d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.307519][ T8422]  ffff888020bd1e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.315573][ T8422] ==================================================================
[ 69.323727][ T8422] Disabling lock debugging due to kernel taint
[ 69.330035][ T8422] Kernel panic - not syncing: panic_on_warn set ...
[ 69.336888][ T8422] CPU: 0 PID: 8422 Comm: syz-executor164 Tainted: G B 5.11.0-rc6-next-20210205-syzkaller #0
[ 69.348270][ T8422] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.359154][ T8422] Call Trace:
[ 69.362456][ T8422]  dump_stack+0x107/0x163
[ 69.367457][ T8422]  ? find_uprobe+0x90/0x150
[ 69.371956][ T8422]  panic+0x306/0x73d
[ 69.375848][ T8422]  ? __warn_printk+0xf3/0xf3
[ 69.380432][ T8422]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 69.386611][ T8422]  ? trace_hardirqs_on+0x38/0x1c0
[ 69.391630][ T8422]  ? trace_hardirqs_on+0x51/0x1c0
[ 69.396660][ T8422]  ? find_uprobe+0x12c/0x150
[ 69.401272][ T8422]  ? find_uprobe+0x12c/0x150
[ 69.405869][ T8422]  end_report.cold+0x5a/0x5a
[ 69.410455][ T8422]  kasan_report.cold+0x6a/0xd8
[ 69.415217][ T8422]  ? find_uprobe+0x12c/0x150
[ 69.420427][ T8422]  find_uprobe+0x12c/0x150
[ 69.424882][ T8422]  uprobe_unregister+0x1e/0x70
[ 69.429651][ T8422]  __probe_event_disable+0x11e/0x240
[ 69.435077][ T8422]  probe_event_disable+0x155/0x1c0
[ 69.440187][ T8422]  trace_uprobe_register+0x45a/0x880
[ 69.445489][ T8422]  ? trace_uprobe_register+0x3ef/0x880
[ 69.450960][ T8422]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 69.456550][ T8422]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 69.462569][ T8422]  perf_uprobe_destroy+0xbb/0x130
[ 69.467598][ T8422]  ? perf_uprobe_init+0x210/0x210
[ 69.472620][ T8422]  _free_event+0x2ee/0x1380
[ 69.477124][ T8422]  perf_event_release_kernel+0xa24/0xe00
[ 69.482741][ T8422]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 69.488021][ T8422]  ? __perf_event_exit_context+0x170/0x170
[ 69.493816][ T8422]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.500048][ T8422]  perf_release+0x33/0x40
[ 69.504363][ T8422]  __fput+0x283/0x920
[ 69.508336][ T8422]  ? perf_event_release_kernel+0xe00/0xe00
[ 69.514215][ T8422]  task_work_run+0xdd/0x190
[ 69.518709][ T8422]  do_exit+0xc5c/0x2ae0
[ 69.522861][ T8422]  ? mm_update_next_owner+0x7a0/0x7a0
[ 69.528250][ T8422]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.534580][ T8422]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.540845][ T8422]  do_group_exit+0x125/0x310
[ 69.545428][ T8422]  __x64_sys_exit_group+0x3a/0x50
[ 69.550442][ T8422]  do_syscall_64+0x2d/0x70
[ 69.554852][ T8422]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.560737][ T8422] RIP: 0033:0x43ddc9
[ 69.564650][ T8422] Code: Unable to access opcode bytes at RIP 0x43dd9f.
[ 69.571471][ T8422] RSP: 002b:00007ffc6e134708 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.579873][ T8422] RAX: ffffffffffffffda RBX: 00000000004af2f0 RCX: 000000000043ddc9
[ 69.587830][ T8422] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 69.595790][ T8422] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000400488
[ 69.603747][ T8422] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004af2f0
[ 69.611718][ T8422] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 69.620324][ T8422] Kernel Offset: disabled
[ 69.624653][ T8422] Rebooting in 86400 seconds..
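The triage helper below is an added example and not part of the syzkaller report above or of any kernel tooling. It parses a KASAN splat of this shape into the fields that matter for triage and cross-checks what the report says against its own numbers: the faulting address minus the object start must equal the printed offset (0xffff888020bd1d68 - 0xffff888020bd1c00 = 0x168 = 360), and the shadow byte that covers the faulting address (row ffff888020bd1d00, slot 13, since each shadow byte covers 8 bytes) must decode as a freed-object marker for a use-after-free to be the right label. It then strips reporting and allocator frames from each of the three stacks and names the syscall each one ran under. On the report above that yields the point a reviewer wants first: the uprobe object is allocated in `__uprobe_register` and freed in `put_uprobe` (called from `uprobe_apply`) inside the same `perf_event_open` call, and is then dereferenced by `find_uprobe` during `perf_uprobe_destroy` when the event's fd is released at `exit_group`, so a pointer to the kfree'd uprobe survived in the perf event. The `REPORT` string is a constructed, abridged excerpt of the log above; the shadow encodings (0xfa free-track, 0xfb freed, 0xfc slab redzone) are taken from mm/kasan/kasan.h of this kernel generation and are an assumption for other versions; the `INTERNAL` prefix list is a heuristic of this example.

```python
# KASAN report triage helper. Added example, not part of the syzkaller report
# above: parses a splat, cross-checks its arithmetic (access offset, shadow byte
# at the faulting address) and attributes use/alloc/free stacks to syscalls.
import re
from dataclasses import dataclass, field

# Constructed input: an abridged excerpt of the report above, console prefixes kept.
REPORT = """\
[ 68.721428][ T8422] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 68.728403][ T8422] Read of size 8 at addr ffff888020bd1d68 by task syz-executor164/8422
[ 68.760368][ T8422] Call Trace:
[ 68.768129][ T8422]  ? find_uprobe+0x12c/0x150
[ 68.793646][ T8422]  kasan_report.cold+0x7c/0xd8
[ 68.807993][ T8422]  find_uprobe+0x12c/0x150
[ 68.812422][ T8422]  uprobe_unregister+0x1e/0x70
[ 68.933589][ T8422]  __x64_sys_exit_group+0x3a/0x50
[ 68.949037][ T8422] RIP: 0033:0x43ddc9
[ 69.011131][ T8422] Allocated by task 8422:
[ 69.015453][ T8422]  kasan_save_stack+0x1b/0x40
[ 69.025957][ T8422]  __uprobe_register+0x19c/0x850
[ 69.067630][ T8422]  __do_sys_perf_event_open+0x647/0x2e60
[ 69.085592][ T8422]
[ 69.087917][ T8422] Freed by task 8422:
[ 69.091894][ T8422]  kasan_save_stack+0x1b/0x40
[ 69.117299][ T8422]  kfree+0xe5/0x7b0
[ 69.121092][ T8422]  put_uprobe+0x13b/0x190
[ 69.125412][ T8422]  uprobe_apply+0xfc/0x130
[ 69.162334][ T8422]  __do_sys_perf_event_open+0x647/0x2e60
[ 69.180713][ T8422] The buggy address belongs to the object at ffff888020bd1c00
[ 69.194773][ T8422] The buggy address is located 360 bytes inside of
[ 69.283922][ T8422] >ffff888020bd1d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.307519][ T8422]  ffff888020bd1e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

# Slab shadow encodings from mm/kasan/kasan.h (assumed for the 5.9-5.11 kernel
# generation this report comes from); any other value is reported raw.
SHADOW_MEANING = {0x00: "addressable", 0xfa: "KASAN_KMALLOC_FREETRACK",
                  0xfb: "KASAN_KMALLOC_FREE", 0xfc: "KASAN_KMALLOC_REDZONE"}
PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?")
FRAME = re.compile(r"^\??\s*(\S+?)\+0x[0-9a-f]+/0x[0-9a-f]+$")
SHADOW_ROW = re.compile(r"^>?\s*([0-9a-f]{16}):\s+((?:[0-9a-f]{2}\s?){16})$")
# Reporting/allocator machinery (heuristic), skipped when picking the interesting frame.
INTERNAL = ("dump_stack", "print_address_description", "kasan_", "____kasan",
            "__kasan", "end_report", "slab_free", "kfree", "kmalloc", "__kmalloc")

@dataclass
class KasanReport:
    bug_type: str = ""
    bug_func: str = ""
    access: str = ""
    addr: int = 0
    object_start: int = 0
    reported_offset: int = -1
    stacks: dict = field(default_factory=dict)  # "use"|"alloc"|"free" -> [symbol]
    shadow: dict = field(default_factory=dict)  # row start address -> 16 shadow bytes

def parse_kasan(text):
    r, i = KasanReport(), 0
    lines = [PREFIX.sub("", l).rstrip() for l in text.splitlines()]
    while i < len(lines):
        ln = lines[i].strip()
        if m := re.match(r"BUG: KASAN: (\S+) in (\S+?)\+0x", ln):
            r.bug_type, r.bug_func = m.group(1), m.group(2)
        elif m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)", ln):
            r.access, r.addr = f"{m.group(1)} of size {m.group(2)}", int(m.group(3), 16)
        elif m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", ln):
            r.object_start = int(m.group(1), 16)
        elif m := re.match(r"The buggy address is located (\d+) bytes inside of", ln):
            r.reported_offset = int(m.group(1))
        elif m := SHADOW_ROW.match(ln):
            r.shadow[int(m.group(1), 16)] = bytes.fromhex(m.group(2).replace(" ", ""))
        elif ln == "Call Trace:" or re.match(r"(Allocated|Freed) by task \d+:", ln):
            key, frames, i = {"C": "use", "A": "alloc", "F": "free"}[ln[0]], [], i + 1
            while i < len(lines) and (fm := FRAME.match(lines[i].strip())):
                if not lines[i].lstrip().startswith("?"):  # "?" marks a stale stack slot
                    frames.append(fm.group(1))
                i += 1
            r.stacks.setdefault(key, frames)  # panic re-dumps "Call Trace:"; keep the first
            continue
        i += 1
    return r

def shadow_at(r, addr):
    """Shadow byte covering addr: a printed row is 16 bytes, each covering 8 bytes."""
    for start, row in r.shadow.items():
        if start <= addr < start + 16 * 8:
            return row[(addr - start) // 8]
    return None

def triage(r):
    real = lambda fr: next((f for f in fr if not f.startswith(INTERNAL)), None)
    syscall = lambda fr: next((f for f in fr if f.startswith(("__x64_sys_", "__do_sys_"))), None)
    sb = shadow_at(r, r.addr)
    return {
        "bug": f"{r.bug_type} in {r.bug_func} ({r.access})",
        "offset_ok": r.addr - r.object_start == r.reported_offset,
        "shadow": SHADOW_MEANING.get(sb, "unknown" if sb is None else hex(sb)),
        "sites": {k: real(v) for k, v in r.stacks.items()},
        "syscalls": {k: syscall(v) for k, v in r.stacks.items()},
    }

if __name__ == "__main__":
    print(triage(parse_kasan(REPORT)))
```

Run it as a script, or feed the full console log above to `parse_kasan` instead of the excerpt: the second "Call Trace:" printed by the panic path is ignored, and the extra shadow rows decode the 0xfa at ffff888020bd1c00 as the free-track slot at the start of the freed object and the 0xfc row at ffff888020bd1e00 as the redzone after the 512-byte region.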