Debian GNU/Linux 9 syzkaller ttyS0
Warning: Permanently added '10.128.0.43' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 73.652621][ T8412] ==================================================================
[ 73.661594][ T8412] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 73.669193][ T8412] Read of size 8 at addr ffff888011b4f968 by task syz-executor999/8412
[ 73.677587][ T8412]
[ 73.680131][ T8412] CPU: 0 PID: 8412 Comm: syz-executor999 Not tainted 5.11.0-rc6-next-20210204-syzkaller #0
[ 73.690732][ T8412] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 73.701095][ T8412] Call Trace:
[ 73.704793][ T8412]  dump_stack+0x107/0x163
[ 73.709157][ T8412]  ? find_uprobe+0x12c/0x150
[ 73.713935][ T8412]  ? find_uprobe+0x12c/0x150
[ 73.718621][ T8412]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 73.726105][ T8412]  ? find_uprobe+0x12c/0x150
[ 73.730883][ T8412]  ? find_uprobe+0x12c/0x150
[ 73.736498][ T8412]  kasan_report.cold+0x7c/0xd8
[ 73.741289][ T8412]  ? find_uprobe+0x12c/0x150
[ 73.746075][ T8412]  find_uprobe+0x12c/0x150
[ 73.750885][ T8412]  uprobe_unregister+0x1e/0x70
[ 73.756266][ T8412]  __probe_event_disable+0x11e/0x240
[ 73.762168][ T8412]  probe_event_disable+0x155/0x1c0
[ 73.767851][ T8412]  trace_uprobe_register+0x45a/0x880
[ 73.773849][ T8412]  ? trace_uprobe_register+0x3ef/0x880
[ 73.780321][ T8412]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 73.786433][ T8412]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 73.793680][ T8412]  perf_uprobe_destroy+0xbb/0x130
[ 73.799320][ T8412]  ? perf_uprobe_init+0x210/0x210
[ 73.804672][ T8412]  _free_event+0x2ee/0x1380
[ 73.809263][ T8412]  perf_event_release_kernel+0xa24/0xe00
[ 73.814912][ T8412]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 73.820206][ T8412]  ? __perf_event_exit_context+0x170/0x170
[ 73.826392][ T8412]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 73.833173][ T8412]  perf_release+0x33/0x40
[ 73.837746][ T8412]  __fput+0x283/0x920
[ 73.841854][ T8412]  ? perf_event_release_kernel+0xe00/0xe00
[ 73.847821][ T8412]  task_work_run+0xdd/0x190
[ 73.852374][ T8412]  do_exit+0xc5c/0x2ae0
[ 73.856773][ T8412]  ? mm_update_next_owner+0x7a0/0x7a0
[ 73.862294][ T8412]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 73.868744][ T8412]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 73.875105][ T8412]  do_group_exit+0x125/0x310
[ 73.879801][ T8412]  __x64_sys_exit_group+0x3a/0x50
[ 73.885054][ T8412]  do_syscall_64+0x2d/0x70
[ 73.889654][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 73.895569][ T8412] RIP: 0033:0x43daf9
[ 73.899468][ T8412] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 73.906599][ T8412] RSP: 002b:00007ffe7b514028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 73.915428][ T8412] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 73.923845][ T8412] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 73.931996][ T8412] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 73.940063][ T8412] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 73.948163][ T8412] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 73.956538][ T8412]
[ 73.958872][ T8412] Allocated by task 8412:
[ 73.963540][ T8412]  kasan_save_stack+0x1b/0x40
[ 73.968396][ T8412]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[ 73.974728][ T8412]  __uprobe_register+0x19c/0x850
[ 73.979757][ T8412]  probe_event_enable+0x441/0xa00
[ 73.985006][ T8412]  trace_uprobe_register+0x443/0x880
[ 73.990291][ T8412]  perf_trace_event_init+0x549/0xa20
[ 73.995810][ T8412]  perf_uprobe_init+0x16f/0x210
[ 74.001278][ T8412]  perf_uprobe_event_init+0xff/0x1c0
[ 74.006755][ T8412]  perf_try_init_event+0x12a/0x560
[ 74.011967][ T8412]  perf_event_alloc.part.0+0xe3b/0x3960
[ 74.017898][ T8412]  __do_sys_perf_event_open+0x647/0x2e60
[ 74.023543][ T8412]  do_syscall_64+0x2d/0x70
[ 74.028270][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.034432][ T8412]
[ 74.037228][ T8412] Freed by task 8412:
[ 74.041641][ T8412]  kasan_save_stack+0x1b/0x40
[ 74.046746][ T8412]  kasan_set_track+0x1c/0x30
[ 74.051574][ T8412]  kasan_set_free_info+0x20/0x30
[ 74.057112][ T8412]  ____kasan_slab_free.part.0+0xe1/0x110
[ 74.063112][ T8412]  slab_free_freelist_hook+0x82/0x1d0
[ 74.068823][ T8412]  kfree+0xe5/0x7b0
[ 74.072633][ T8412]  put_uprobe+0x13b/0x190
[ 74.076965][ T8412]  uprobe_apply+0xfc/0x130
[ 74.081752][ T8412]  trace_uprobe_register+0x5c9/0x880
[ 74.087082][ T8412]  perf_trace_event_init+0x17a/0xa20
[ 74.092752][ T8412]  perf_uprobe_init+0x16f/0x210
[ 74.097794][ T8412]  perf_uprobe_event_init+0xff/0x1c0
[ 74.103594][ T8412]  perf_try_init_event+0x12a/0x560
[ 74.109071][ T8412]  perf_event_alloc.part.0+0xe3b/0x3960
[ 74.114746][ T8412]  __do_sys_perf_event_open+0x647/0x2e60
[ 74.120479][ T8412]  do_syscall_64+0x2d/0x70
[ 74.125246][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.131600][ T8412]
[ 74.134073][ T8412] The buggy address belongs to the object at ffff888011b4f800
[ 74.134073][ T8412]  which belongs to the cache kmalloc-512 of size 512
[ 74.150280][ T8412] The buggy address is located 360 bytes inside of
[ 74.150280][ T8412]  512-byte region [ffff888011b4f800, ffff888011b4fa00)
[ 74.163899][ T8412] The buggy address belongs to the page:
[ 74.170283][ T8412] page:00000000017f7bba refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11b4e
[ 74.180532][ T8412] head:00000000017f7bba order:1 compound_mapcount:0
[ 74.187342][ T8412] flags: 0xfff00000010200(slab|head)
[ 74.192720][ T8412] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[ 74.201392][ T8412] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 74.210508][ T8412] page dumped because: kasan: bad access detected
[ 74.216989][ T8412]
[ 74.219315][ T8412] Memory state around the buggy address:
[ 74.225061][ T8412]  ffff888011b4f800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.233134][ T8412]  ffff888011b4f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.241293][ T8412] >ffff888011b4f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.249368][ T8412]                                                           ^
[ 74.257066][ T8412]  ffff888011b4f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 74.265963][ T8412]  ffff888011b4fa00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 74.274301][ T8412] ==================================================================
[ 74.282450][ T8412] Disabling lock debugging due to kernel taint
[ 74.289344][ T8412] Kernel panic - not syncing: panic_on_warn set ...
[ 74.296350][ T8412] CPU: 0 PID: 8412 Comm: syz-executor999 Tainted: G B 5.11.0-rc6-next-20210204-syzkaller #0
[ 74.307992][ T8412] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 74.318448][ T8412] Call Trace:
[ 74.322053][ T8412]  dump_stack+0x107/0x163
[ 74.326484][ T8412]  ? find_uprobe+0x100/0x150
[ 74.331456][ T8412]  panic+0x306/0x73d
[ 74.335360][ T8412]  ? __warn_printk+0xf3/0xf3
[ 74.339940][ T8412]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 74.346145][ T8412]  ? trace_hardirqs_on+0x38/0x1c0
[ 74.351163][ T8412]  ? trace_hardirqs_on+0x51/0x1c0
[ 74.356265][ T8412]  ? find_uprobe+0x12c/0x150
[ 74.361108][ T8412]  ? find_uprobe+0x12c/0x150
[ 74.365993][ T8412]  end_report.cold+0x5a/0x5a
[ 74.371121][ T8412]  kasan_report.cold+0x6a/0xd8
[ 74.375999][ T8412]  ? find_uprobe+0x12c/0x150
[ 74.380702][ T8412]  find_uprobe+0x12c/0x150
[ 74.385892][ T8412]  uprobe_unregister+0x1e/0x70
[ 74.390661][ T8412]  __probe_event_disable+0x11e/0x240
[ 74.396028][ T8412]  probe_event_disable+0x155/0x1c0
[ 74.401134][ T8412]  trace_uprobe_register+0x45a/0x880
[ 74.406717][ T8412]  ? trace_uprobe_register+0x3ef/0x880
[ 74.412326][ T8412]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 74.417865][ T8412]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 74.424033][ T8412]  perf_uprobe_destroy+0xbb/0x130
[ 74.429330][ T8412]  ? perf_uprobe_init+0x210/0x210
[ 74.434660][ T8412]  _free_event+0x2ee/0x1380
[ 74.439162][ T8412]  perf_event_release_kernel+0xa24/0xe00
[ 74.445190][ T8412]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 74.450581][ T8412]  ? __perf_event_exit_context+0x170/0x170
[ 74.456495][ T8412]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 74.462759][ T8412]  perf_release+0x33/0x40
[ 74.467201][ T8412]  __fput+0x283/0x920
[ 74.471287][ T8412]  ? perf_event_release_kernel+0xe00/0xe00
[ 74.477455][ T8412]  task_work_run+0xdd/0x190
[ 74.484570][ T8412]  do_exit+0xc5c/0x2ae0
[ 74.489057][ T8412]  ? mm_update_next_owner+0x7a0/0x7a0
[ 74.494767][ T8412]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 74.501493][ T8412]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 74.508095][ T8412]  do_group_exit+0x125/0x310
[ 74.512780][ T8412]  __x64_sys_exit_group+0x3a/0x50
[ 74.517803][ T8412]  do_syscall_64+0x2d/0x70
[ 74.522431][ T8412]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 74.529286][ T8412] RIP: 0033:0x43daf9
[ 74.533272][ T8412] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 74.540131][ T8412] RSP: 002b:00007ffe7b514028 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 74.549114][ T8412] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 74.557770][ T8412] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 74.566003][ T8412] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 74.574053][ T8412] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 74.582391][ T8412] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 74.592061][ T8412] Kernel Offset: disabled
[ 74.597124][ T8412] Rebooting in 86400 seconds..