[ OK ] Started OpenBSD Secure Shell server.
[ OK ] Started Getty on tty2.
[ OK ] Started Serial Getty on ttyS0.
[ OK ] Started Getty on tty1.
[ OK ] Started getty on tty2-tty6 if dbus and logind are not available.

Debian GNU/Linux 9 syzkaller ttyS0

Warning: Permanently added '10.128.0.13' (ECDSA) to the list of known hosts.
executing program
syzkaller login: [ 68.337095][ T8395] ==================================================================
[ 68.345294][ T8395] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[ 68.352236][ T8395] Read of size 8 at addr ffff888011931d68 by task syz-executor482/8395
[ 68.360453][ T8395]
[ 68.362780][ T8395] CPU: 0 PID: 8395 Comm: syz-executor482 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
[ 68.372754][ T8395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 68.382804][ T8395] Call Trace:
[ 68.386068][ T8395]  dump_stack+0x107/0x163
[ 68.390399][ T8395]  ? find_uprobe+0x12c/0x150
[ 68.394973][ T8395]  ? find_uprobe+0x12c/0x150
[ 68.399587][ T8395]  print_address_description.constprop.0.cold+0x5b/0x2f8
[ 68.406602][ T8395]  ? find_uprobe+0x12c/0x150
[ 68.411177][ T8395]  ? find_uprobe+0x12c/0x150
[ 68.415748][ T8395]  kasan_report.cold+0x7c/0xd8
[ 68.420501][ T8395]  ? find_uprobe+0x12c/0x150
[ 68.425075][ T8395]  find_uprobe+0x12c/0x150
[ 68.429476][ T8395]  uprobe_unregister+0x1e/0x70
[ 68.434228][ T8395]  __probe_event_disable+0x11e/0x240
[ 68.439507][ T8395]  probe_event_disable+0x155/0x1c0
[ 68.444620][ T8395]  trace_uprobe_register+0x45a/0x880
[ 68.449901][ T8395]  ? trace_uprobe_register+0x3ef/0x880
[ 68.455345][ T8395]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 68.460877][ T8395]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 68.466765][ T8395]  perf_uprobe_destroy+0xbb/0x130
[ 68.471772][ T8395]  ? perf_uprobe_init+0x210/0x210
[ 68.476800][ T8395]  _free_event+0x2ee/0x1380
[ 68.481290][ T8395]  perf_event_release_kernel+0xa24/0xe00
[ 68.486920][ T8395]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 68.492207][ T8395]  ? __perf_event_exit_context+0x170/0x170
[ 68.498000][ T8395]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 68.504228][ T8395]  perf_release+0x33/0x40
[ 68.508569][ T8395]  __fput+0x283/0x920
[ 68.512536][ T8395]  ? perf_event_release_kernel+0xe00/0xe00
[ 68.518328][ T8395]  task_work_run+0xdd/0x190
[ 68.522832][ T8395]  do_exit+0xc5c/0x2ae0
[ 68.526978][ T8395]  ? mm_update_next_owner+0x7a0/0x7a0
[ 68.532333][ T8395]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 68.538555][ T8395]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 68.544789][ T8395]  do_group_exit+0x125/0x310
[ 68.549378][ T8395]  __x64_sys_exit_group+0x3a/0x50
[ 68.554387][ T8395]  do_syscall_64+0x2d/0x70
[ 68.558789][ T8395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.564669][ T8395] RIP: 0033:0x43daf9
[ 68.568545][ T8395] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 68.575376][ T8395] RSP: 002b:00007ffd56528178 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 68.583836][ T8395] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 68.591840][ T8395] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 68.599819][ T8395] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 68.607817][ T8395] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 68.615808][ T8395] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 68.623821][ T8395]
[ 68.626130][ T8395] Allocated by task 8395:
[ 68.630439][ T8395]  kasan_save_stack+0x1b/0x40
[ 68.635102][ T8395]  ____kasan_kmalloc.constprop.0+0xa0/0xd0
[ 68.640893][ T8395]  __uprobe_register+0x19c/0x850
[ 68.645814][ T8395]  probe_event_enable+0x441/0xa00
[ 68.650823][ T8395]  trace_uprobe_register+0x443/0x880
[ 68.656092][ T8395]  perf_trace_event_init+0x549/0xa20
[ 68.661357][ T8395]  perf_uprobe_init+0x16f/0x210
[ 68.666186][ T8395]  perf_uprobe_event_init+0xff/0x1c0
[ 68.671453][ T8395]  perf_try_init_event+0x12a/0x560
[ 68.676546][ T8395]  perf_event_alloc.part.0+0xe3b/0x3960
[ 68.682073][ T8395]  __do_sys_perf_event_open+0x647/0x2e60
[ 68.687686][ T8395]  do_syscall_64+0x2d/0x70
[ 68.692085][ T8395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.697960][ T8395]
[ 68.700270][ T8395] Freed by task 8395:
[ 68.704278][ T8395]  kasan_save_stack+0x1b/0x40
[ 68.708938][ T8395]  kasan_set_track+0x1c/0x30
[ 68.713507][ T8395]  kasan_set_free_info+0x20/0x30
[ 68.718435][ T8395]  ____kasan_slab_free.part.0+0xe1/0x110
[ 68.724046][ T8395]  slab_free_freelist_hook+0x82/0x1d0
[ 68.729411][ T8395]  kfree+0xe5/0x7b0
[ 68.733210][ T8395]  put_uprobe+0x13b/0x190
[ 68.737523][ T8395]  uprobe_apply+0xfc/0x130
[ 68.741921][ T8395]  trace_uprobe_register+0x5c9/0x880
[ 68.747202][ T8395]  perf_trace_event_init+0x17a/0xa20
[ 68.752472][ T8395]  perf_uprobe_init+0x16f/0x210
[ 68.757305][ T8395]  perf_uprobe_event_init+0xff/0x1c0
[ 68.762580][ T8395]  perf_try_init_event+0x12a/0x560
[ 68.767682][ T8395]  perf_event_alloc.part.0+0xe3b/0x3960
[ 68.773254][ T8395]  __do_sys_perf_event_open+0x647/0x2e60
[ 68.778885][ T8395]  do_syscall_64+0x2d/0x70
[ 68.783284][ T8395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.789161][ T8395]
[ 68.791500][ T8395] Last potentially related work creation:
[ 68.797193][ T8395]  kasan_save_stack+0x1b/0x40
[ 68.801853][ T8395]  kasan_record_aux_stack+0xe5/0x110
[ 68.807121][ T8395]  kvfree_call_rcu+0x74/0x8c0
[ 68.811783][ T8395]  timerfd_release+0x105/0x290
[ 68.816529][ T8395]  __fput+0x283/0x920
[ 68.820495][ T8395]  task_work_run+0xdd/0x190
[ 68.824999][ T8395]  exit_to_user_mode_prepare+0x249/0x250
[ 68.830631][ T8395]  syscall_exit_to_user_mode+0x19/0x50
[ 68.836076][ T8395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 68.841954][ T8395]
[ 68.844272][ T8395] The buggy address belongs to the object at ffff888011931c00
[ 68.844272][ T8395]  which belongs to the cache kmalloc-512 of size 512
[ 68.858302][ T8395] The buggy address is located 360 bytes inside of
[ 68.858302][ T8395]  512-byte region [ffff888011931c00, ffff888011931e00)
[ 68.871558][ T8395] The buggy address belongs to the page:
[ 68.877167][ T8395] page:000000000e96c112 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11930
[ 68.887296][ T8395] head:000000000e96c112 order:1 compound_mapcount:0
[ 68.893869][ T8395] flags: 0xfff00000010200(slab|head)
[ 68.899151][ T8395] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010841c80
[ 68.907718][ T8395] raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
[ 68.916279][ T8395] page dumped because: kasan: bad access detected
[ 68.922670][ T8395]
[ 68.924996][ T8395] Memory state around the buggy address:
[ 68.930602][ T8395]  ffff888011931c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.938643][ T8395]  ffff888011931c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.946693][ T8395] >ffff888011931d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.954732][ T8395]                                                           ^
[ 68.962165][ T8395]  ffff888011931d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 68.970206][ T8395]  ffff888011931e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.978244][ T8395] ==================================================================
[ 68.986293][ T8395] Disabling lock debugging due to kernel taint
[ 68.992710][ T8395] Kernel panic - not syncing: panic_on_warn set ...
[ 68.999294][ T8395] CPU: 0 PID: 8395 Comm: syz-executor482 Tainted: G B 5.11.0-rc6-next-20210205-syzkaller #0
[ 69.010664][ T8395] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 69.020722][ T8395] Call Trace:
[ 69.023996][ T8395]  dump_stack+0x107/0x163
[ 69.028310][ T8395]  ? find_uprobe+0x90/0x150
[ 69.032795][ T8395]  panic+0x306/0x73d
[ 69.036671][ T8395]  ? __warn_printk+0xf3/0xf3
[ 69.041241][ T8395]  ? asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 69.047400][ T8395]  ? trace_hardirqs_on+0x38/0x1c0
[ 69.052416][ T8395]  ? trace_hardirqs_on+0x51/0x1c0
[ 69.057419][ T8395]  ? find_uprobe+0x12c/0x150
[ 69.061989][ T8395]  ? find_uprobe+0x12c/0x150
[ 69.066556][ T8395]  end_report.cold+0x5a/0x5a
[ 69.071124][ T8395]  kasan_report.cold+0x6a/0xd8
[ 69.075868][ T8395]  ? find_uprobe+0x12c/0x150
[ 69.080456][ T8395]  find_uprobe+0x12c/0x150
[ 69.084865][ T8395]  uprobe_unregister+0x1e/0x70
[ 69.089610][ T8395]  __probe_event_disable+0x11e/0x240
[ 69.094876][ T8395]  probe_event_disable+0x155/0x1c0
[ 69.099966][ T8395]  trace_uprobe_register+0x45a/0x880
[ 69.105230][ T8395]  ? trace_uprobe_register+0x3ef/0x880
[ 69.110671][ T8395]  ? rcu_read_lock_sched_held+0x3a/0x70
[ 69.116224][ T8395]  perf_trace_event_unreg.isra.0+0xac/0x250
[ 69.122096][ T8395]  perf_uprobe_destroy+0xbb/0x130
[ 69.127099][ T8395]  ? perf_uprobe_init+0x210/0x210
[ 69.132113][ T8395]  _free_event+0x2ee/0x1380
[ 69.136595][ T8395]  perf_event_release_kernel+0xa24/0xe00
[ 69.142206][ T8395]  ? fsnotify_first_mark+0x1f0/0x1f0
[ 69.147484][ T8395]  ? __perf_event_exit_context+0x170/0x170
[ 69.153271][ T8395]  ? __sanitizer_cov_trace_const_cmp2+0x22/0x80
[ 69.159497][ T8395]  perf_release+0x33/0x40
[ 69.163805][ T8395]  __fput+0x283/0x920
[ 69.167767][ T8395]  ? perf_event_release_kernel+0xe00/0xe00
[ 69.173562][ T8395]  task_work_run+0xdd/0x190
[ 69.178045][ T8395]  do_exit+0xc5c/0x2ae0
[ 69.182189][ T8395]  ? mm_update_next_owner+0x7a0/0x7a0
[ 69.187539][ T8395]  ? __sanitizer_cov_trace_const_cmp1+0x22/0x80
[ 69.193760][ T8395]  ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70
[ 69.199981][ T8395]  do_group_exit+0x125/0x310
[ 69.204562][ T8395]  __x64_sys_exit_group+0x3a/0x50
[ 69.209565][ T8395]  do_syscall_64+0x2d/0x70
[ 69.213975][ T8395]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 69.219851][ T8395] RIP: 0033:0x43daf9
[ 69.223719][ T8395] Code: Unable to access opcode bytes at RIP 0x43dacf.
[ 69.230536][ T8395] RSP: 002b:00007ffd56528178 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 69.238937][ T8395] RAX: ffffffffffffffda RBX: 00000000004ae230 RCX: 000000000043daf9
[ 69.246887][ T8395] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 69.254852][ T8395] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
[ 69.262803][ T8395] R10: 00000000ffffffff R11: 0000000000000246 R12: 00000000004ae230
[ 69.270750][ T8395] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 69.279421][ T8395] Kernel Offset: disabled
[ 69.283733][ T8395] Rebooting in 86400 seconds..
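Triage helper for the report above, added here as an example; it is not part of syzkaller or the kernel. It parses a KASAN slab report the way a first-pass triage script would: it pulls out the bug class and faulting function, the access (read/write, size, address, task), the allocation, free and use stacks with the `?` unwinder guesses dropped, and the object geometry, then recomputes the offset inside the object from the raw addresses as a cross-check on what KASAN printed. The `SAMPLE` string is constructed by copying lines from the console log above and trimming the stacks; the noise-frame list and the section names are the script's own assumptions about the report layout.

```python
"""Triage helper for KASAN slab reports: extract the access, the three stacks and
the object geometry, then re-derive the reported offset from the raw addresses.
Added for this page; not part of syzkaller or the kernel."""
import re

# Constructed sample: lines copied from the console log above, trimmed to the
# parts the parser consumes. Timestamp and task prefixes are kept as printed.
SAMPLE = """\
[   68.345294][ T8395] BUG: KASAN: use-after-free in find_uprobe+0x12c/0x150
[   68.352236][ T8395] Read of size 8 at addr ffff888011931d68 by task syz-executor482/8395
[   68.360453][ T8395]
[   68.382804][ T8395] Call Trace:
[   68.386068][ T8395]  dump_stack+0x107/0x163
[   68.390399][ T8395]  ? find_uprobe+0x12c/0x150
[   68.420501][ T8395]  kasan_report.cold+0x7c/0xd8
[   68.425075][ T8395]  find_uprobe+0x12c/0x150
[   68.429476][ T8395]  uprobe_unregister+0x1e/0x70
[   68.444620][ T8395]  trace_uprobe_register+0x45a/0x880
[   68.466765][ T8395]  perf_uprobe_destroy+0xbb/0x130
[   68.549378][ T8395]  __x64_sys_exit_group+0x3a/0x50
[   68.564669][ T8395] RIP: 0033:0x43daf9
[   68.623821][ T8395]
[   68.626130][ T8395] Allocated by task 8395:
[   68.630439][ T8395]  kasan_save_stack+0x1b/0x40
[   68.640893][ T8395]  __uprobe_register+0x19c/0x850
[   68.645814][ T8395]  probe_event_enable+0x441/0xa00
[   68.682073][ T8395]  __do_sys_perf_event_open+0x647/0x2e60
[   68.697960][ T8395]
[   68.700270][ T8395] Freed by task 8395:
[   68.704278][ T8395]  kasan_save_stack+0x1b/0x40
[   68.729411][ T8395]  kfree+0xe5/0x7b0
[   68.733210][ T8395]  put_uprobe+0x13b/0x190
[   68.737523][ T8395]  uprobe_apply+0xfc/0x130
[   68.773254][ T8395]  __do_sys_perf_event_open+0x647/0x2e60
[   68.789161][ T8395]
[   68.844272][ T8395] The buggy address belongs to the object at ffff888011931c00
[   68.844272][ T8395]  which belongs to the cache kmalloc-512 of size 512
[   68.858302][ T8395] The buggy address is located 360 bytes inside of
[   68.858302][ T8395]  512-byte region [ffff888011931c00, ffff888011931e00)
"""

PREFIX = re.compile(r"^\[\s*[\d.]+\]\[\s*T\d+\]\s?(.*)$")        # "[ ts][ Tpid] " console prefix
FRAME = re.compile(r"^(\?\s+)?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")  # "func+0xoff/0xsize", optional "? "
SECTIONS = (("Call Trace:", "trace"), ("Allocated by task", "alloc"),
            ("Freed by task", "free"), ("Last potentially related work creation:", "aux"))
# Frames that are KASAN/slab bookkeeping rather than the code that owns the object (assumed list).
NOISE = ("kasan_", "____kasan_", "kfree", "slab_free", "dump_stack", "print_address")


def parse_kasan_report(text):
    rep = {"stacks": {}}
    section = None
    for raw in text.splitlines():
        m = PREFIX.match(raw)
        line = (m.group(1) if m else raw).strip()
        if (m := re.match(r"BUG: KASAN: (\S+) in ([\w.]+)\+0x", line)):
            rep["bug"], rep["site"] = m.group(1), m.group(2)
        elif (m := re.match(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)/(\d+)", line)):
            rep.update(op=m.group(1), size=int(m.group(2)), addr=int(m.group(3), 16),
                       task=m.group(4), pid=int(m.group(5)))
        elif (m := re.match(r"The buggy address belongs to the object at ([0-9a-f]+)", line)):
            rep["object"] = int(m.group(1), 16)
        elif (m := re.match(r"which belongs to the cache (\S+) of size (\d+)", line)):
            rep["cache"], rep["object_size"] = m.group(1), int(m.group(2))
        elif (m := re.match(r"The buggy address is located (\d+) bytes inside of", line)):
            rep["reported_offset"] = int(m.group(1))
        elif any(line.startswith(h) for h, _ in SECTIONS):
            section = next(k for h, k in SECTIONS if line.startswith(h))
            rep["stacks"][section] = []
        elif section and (line == "" or line.startswith("RIP:")):
            section = None  # a blank line or the register dump ends a stack
        elif section and (m := FRAME.match(line)) and not m.group(1):
            rep["stacks"][section].append(m.group(2))  # "? " frames are unwinder guesses; dropped
    return rep


def offset_in_object(rep):
    """Offset of the faulting address inside the slab object, from the raw addresses."""
    return rep["addr"] - rep["object"]


def offset_is_consistent(rep):
    """Cross-check: the recomputed offset matches what KASAN printed and the access stays in the object."""
    off = offset_in_object(rep)
    return off == rep["reported_offset"] and 0 <= off and off + rep["size"] <= rep["object_size"]


def uaf_lifecycle(rep):
    """First non-bookkeeping frame of each stack: who allocated, freed and then touched the object."""
    return {key: next((f for f in frames if not f.startswith(NOISE)), None)
            for key, frames in rep["stacks"].items()}


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE)
    print(r["bug"], "in", r["site"], "|", r["op"], r["size"], "bytes at +%d of %s"
          % (offset_in_object(r), r["cache"]), "| consistent:", offset_is_consistent(r))
    print(uaf_lifecycle(r))
```

On the log above the script confirms the arithmetic (0xffff888011931d68 minus 0xffff888011931c00 is 0x168, the 360 bytes KASAN printed, and the 8-byte read stays inside the 512-byte kmalloc-512 object) and reduces the three stacks to one story for a single task: the uprobe object was allocated in `__uprobe_register` during `perf_event_open`, freed through `put_uprobe` from `uprobe_apply` before that same `perf_event_open` returned, and then read again in `find_uprobe` when the event's destroy callback ran at process exit. The "Last potentially related work creation" stack (`timerfd_release` into `kvfree_call_rcu`) is KASAN's record of an earlier RCU-deferred free in that memory and is reported separately from the free stack; the script keeps it as `aux` without treating it as part of the bug path.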