[ OK ] Started Getty on tty4.
[ OK ] Started Getty on tty3.
[ OK ] Started Getty on tty2.
[ OK ] Started Getty on tty1.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Reached target Login Prompts.
[ OK ] Reached target Multi-User System.
[ OK ] Reached target Graphical Interface.
Starting Update UTMP about System Runlevel Changes...
[ OK ] Started Update UTMP about System Runlevel Changes.
Starting Load/Save RF Kill Switch Status...
[ OK ] Started Load/Save RF Kill Switch Status.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.15.204' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.940035][ T8406] ==================================================================
[ 68.949318][ T8406] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 68.957384][ T8406] Read of size 8 at addr ffff88802668a568 by task syz-executor191/8406
[ 68.965924][ T8406]
[ 68.968621][ T8406] CPU: 0 PID: 8406 Comm: syz-executor191 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[ 68.978853][ T8406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.989757][ T8406] Call Trace:
[ 68.993190][ T8406] dump_stack+0x107/0x163
[ 68.997544][ T8406] ? find_uprobe+0x12c/0x150
[ 69.002412][ T8406] ? find_uprobe+0x12c/0x150
[ 69.007568][ T8406] print_address_description.constprop.0.cold+0x5b/0x2f8
[ 69.014831][ T8406] ? find_uprobe+0x12c/0x150
[ 69.019440][ T8406] ? find_uprobe+0x12c/0x150
[ 69.024344][ T8406] kasan_report.cold+0x7c/0xd8
[ 69.029118][ T8406] ? find_uprobe+0x12c/0x150
[ 69.033995][ T8406] find_uprobe+0x12c/0x150
[ 69.038668][ T8406] uprobe_unregister+0x1e/0x70
[ 69.043439][ T8406] __probe_event_disable+0x11e/0x240
[ 69.048784][ T8406] probe_event_disable+0x155/0x1c0
[ 69.054120][ T8406] trace_uprobe_register+0x45a/0x880
[ 69.059795][ T8406] ? trace_uprobe_register+0x3ef/0x880
[ 69.065994][ T8406] ? rcu_read_lock_sched_held+0x3a/0x70
[ 69.071754][ T8406] perf_trace_event_unreg.isra.0+0xac/0x250
[ 69.078304][ T8406] perf_uprobe_destroy+0xbb/0x130
[ 69.083434][ T8406] ? perf_uprobe_init+0x210/0x210
[ 69.088600][ T8406] _free_event+0x2ee/0x1380
[ 69.093853][ T8406] perf_event_release_kernel+0xa24/0xe00
[ 69.100394][ T8406] ? fsnotify_first_mark+0x1f0/0x1f0
[ 69.105731][ T8406] ? __perf_event_exit_context+0x170/0x170
[ 69.111739][ T8406] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.118153][ T8406] perf_release+0x33/0x40
[ 69.122674][ T8406] __fput+0x283/0x920
[ 69.126857][ T8406] ? perf_event_release_kernel+0xe00/0xe00
[ 69.132935][ T8406] task_work_run+0xdd/0x190
[ 69.137816][ T8406] do_exit+0xc5c/0x2ae0
[ 69.142403][ T8406] ? mm_update_next_owner+0x7a0/0x7a0
[ 69.148050][ T8406] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.155255][ T8406] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.161699][ T8406] do_group_exit+0x125/0x310
[ 69.166303][ T8406] __x64_sys_exit_group+0x3a/0x50
[ 69.171482][ T8406] do_syscall_64+0x2d/0x70
[ 69.177210][ T8406] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.183781][ T8406] RIP: 0033:0x43daf9
[ 69.187773][ T8406] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 69.194748][ T8406] RSP: 002b:00007ffc43c99948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.203655][ T8406] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 69.212710][ T8406] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 69.221744][ T8406] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 69.230604][ T8406] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 69.239673][ T8406] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 69.247954][ T8406]
[ 69.250493][ T8406] Allocated by task 8406:
[ 69.254882][ T8406] kasan_save_stack+0x1b/0x40
[ 69.259962][ T8406] ____kasan_kmalloc.constprop.0+0xa0/0xd0
[ 69.266171][ T8406] __uprobe_register+0x19c/0x850
[ 69.271380][ T8406] probe_event_enable+0x357/0xa00
[ 69.276708][ T8406] trace_uprobe_register+0x443/0x880
[ 69.282623][ T8406] perf_trace_event_init+0x549/0xa20
[ 69.288985][ T8406] perf_uprobe_init+0x16f/0x210
[ 69.294613][ T8406] perf_uprobe_event_init+0xff/0x1c0
[ 69.300866][ T8406] perf_try_init_event+0x12a/0x560
[ 69.306154][ T8406] perf_event_alloc.part.0+0xe3b/0x3960
[ 69.312553][ T8406] __do_sys_perf_event_open+0x647/0x2e60
[ 69.318364][ T8406] do_syscall_64+0x2d/0x70
[ 69.323067][ T8406] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.329222][ T8406]
[ 69.331548][ T8406] Freed by task 8406:
[ 69.336878][ T8406] kasan_save_stack+0x1b/0x40
[ 69.342434][ T8406] kasan_set_track+0x1c/0x30
[ 69.347651][ T8406] kasan_set_free_info+0x20/0x30
[ 69.353073][ T8406] ____kasan_slab_free.part.0+0xe1/0x110
[ 69.359903][ T8406] slab_free_freelist_hook+0x82/0x1d0
[ 69.365842][ T8406] kfree+0xe5/0x7b0
[ 69.370013][ T8406] put_uprobe+0x13b/0x190
[ 69.375564][ T8406] uprobe_apply+0xfc/0x130
[ 69.381114][ T8406] trace_uprobe_register+0x5c9/0x880
[ 69.387025][ T8406] perf_trace_event_init+0x17a/0xa20
[ 69.393421][ T8406] perf_uprobe_init+0x16f/0x210
[ 69.399155][ T8406] perf_uprobe_event_init+0xff/0x1c0
[ 69.405359][ T8406] perf_try_init_event+0x12a/0x560
[ 69.411677][ T8406] perf_event_alloc.part.0+0xe3b/0x3960
[ 69.418442][ T8406] __do_sys_perf_event_open+0x647/0x2e60
[ 69.424865][ T8406] do_syscall_64+0x2d/0x70
[ 69.430641][ T8406] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.438116][ T8406]
[ 69.440451][ T8406] The buggy address belongs to the object at ffff88802668a400
[ 69.440451][ T8406] which belongs to the cache kmalloc-512 of size 512
[ 69.456071][ T8406] The buggy address is located 360 bytes inside of
[ 69.456071][ T8406] 512-byte region [ffff88802668a400, ffff88802668a600)
[ 69.470083][ T8406] The buggy address belongs to the page:
[ 69.476306][ T8406] page:00000000a60f45fb refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2668a
[ 69.486986][ T8406] head:00000000a60f45fb order:1 compound_mapcount:0
[ 69.494645][ T8406] flags: 0xfff00000010200(slab|head)
[ 69.500360][ T8406] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[ 69.510478][ T8406] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 69.519513][ T8406] page dumped because: kasan: bad access detected
[ 69.525930][ T8406]
[ 69.528260][ T8406] Memory state around the buggy address:
[ 69.534163][ T8406]  ffff88802668a400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.542292][ T8406]  ffff88802668a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.551049][ T8406] >ffff88802668a500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.560632][ T8406]                                                           ^
[ 69.568905][ T8406]  ffff88802668a580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 69.577647][ T8406]  ffff88802668a600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 69.588883][ T8406] ==================================================================
[ 69.597611][ T8406] Disabling lock debugging due to kernel taint
[ 69.605537][ T8406] Kernel panic - not syncing: panic_on_warn set ...
[ 69.612783][ T8406] CPU: 0 PID: 8406 Comm: syz-executor191 Tainted: G B 5.11.0-rc6-next-20210205-syzkaller #0
[ 69.625009][ T8406] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.636314][ T8406] Call Trace:
[ 69.639884][ T8406] dump_stack+0x107/0x163
[ 69.644621][ T8406] ? find_uprobe+0x90/0x150
[ 69.649339][ T8406] panic+0x306/0x73d
[ 69.653764][ T8406] ? __warn_printk+0xf3/0xf3
[ 69.658741][ T8406] ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 69.665220][ T8406] ? trace_hardirqs_on+0x38/0x1c0
[ 69.670279][ T8406] ? trace_hardirqs_on+0x51/0x1c0
[ 69.675477][ T8406] ? find_uprobe+0x12c/0x150
[ 69.680222][ T8406] ? find_uprobe+0x12c/0x150
[ 69.684913][ T8406] end_report.cold+0x5a/0x5a
[ 69.689715][ T8406] kasan_report.cold+0x6a/0xd8
[ 69.694629][ T8406] ? find_uprobe+0x12c/0x150
[ 69.699467][ T8406] find_uprobe+0x12c/0x150
[ 69.704176][ T8406] uprobe_unregister+0x1e/0x70
[ 69.708972][ T8406] __probe_event_disable+0x11e/0x240
[ 69.714667][ T8406] probe_event_disable+0x155/0x1c0
[ 69.720124][ T8406] trace_uprobe_register+0x45a/0x880
[ 69.725599][ T8406] ? trace_uprobe_register+0x3ef/0x880
[ 69.731190][ T8406] ? rcu_read_lock_sched_held+0x3a/0x70
[ 69.736991][ T8406] perf_trace_event_unreg.isra.0+0xac/0x250
[ 69.743163][ T8406] perf_uprobe_destroy+0xbb/0x130
[ 69.748349][ T8406] ? perf_uprobe_init+0x210/0x210
[ 69.753528][ T8406] _free_event+0x2ee/0x1380
[ 69.758687][ T8406] perf_event_release_kernel+0xa24/0xe00
[ 69.764470][ T8406] ? fsnotify_first_mark+0x1f0/0x1f0
[ 69.770347][ T8406] ? __perf_event_exit_context+0x170/0x170
[ 69.776608][ T8406] ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.783163][ T8406] perf_release+0x33/0x40
[ 69.787849][ T8406] __fput+0x283/0x920
[ 69.791842][ T8406] ? perf_event_release_kernel+0xe00/0xe00
[ 69.797762][ T8406] task_work_run+0xdd/0x190
[ 69.802358][ T8406] do_exit+0xc5c/0x2ae0
[ 69.806577][ T8406] ? mm_update_next_owner+0x7a0/0x7a0
[ 69.813069][ T8406] ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.819494][ T8406] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.826314][ T8406] do_group_exit+0x125/0x310
[ 69.830962][ T8406] __x64_sys_exit_group+0x3a/0x50
[ 69.836078][ T8406] do_syscall_64+0x2d/0x70
[ 69.841012][ T8406] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.847176][ T8406] RIP: 0033:0x43daf9
[ 69.851220][ T8406] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 69.858142][ T8406] RSP: 002b:00007ffc43c99948 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.866922][ T8406] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 69.875401][ T8406] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 69.883786][ T8406] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 69.892735][ T8406] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 69.901393][ T8406] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 69.912638][ T8406] Kernel Offset: disabled
[ 69.917457][ T8406] Rebooting in 86400 seconds..