==================================================================
BUG: KASAN: use-after-free in perf_output_read_group kernel/events/core.c:5883 [inline]
BUG: KASAN: use-after-free in perf_output_read+0xee6/0x1050 kernel/events/core.c:5918
Read of size 8 at addr ffff8881d3b98a60 by task syz-executor436/16526

CPU: 1 PID: 16526 Comm: syz-executor436 Not tainted 4.14.155-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe5/0x154 lib/dump_stack.c:58
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 perf_output_read_group kernel/events/core.c:5883 [inline]
 perf_output_read+0xee6/0x1050 kernel/events/core.c:5918
 perf_output_sample+0xcea/0x1700 kernel/events/core.c:5960
 __perf_event_output kernel/events/core.c:6270 [inline]
 perf_event_output_backward+0x10b/0x220 kernel/events/core.c:6291
 __perf_event_overflow+0x12d/0x340 kernel/events/core.c:7541
 perf_swevent_overflow+0x7a/0xf0 kernel/events/core.c:7617
 perf_swevent_event+0x19c/0x270 kernel/events/core.c:7650
 do_perf_sw_event kernel/events/core.c:7758 [inline]
 ___perf_sw_event+0x2a4/0x4a0 kernel/events/core.c:7789
 __perf_sw_event+0x42/0x80 kernel/events/core.c:7801
 perf_sw_event include/linux/perf_event.h:1051 [inline]
 __do_page_fault+0x7b8/0xbb0 arch/x86/mm/fault.c:1461
 page_fault+0x42/0x50 arch/x86/entry/entry_64.S:1122
RIP: 4af788:0x4af6f8
RSP: 6dcc68:00000000006dcc60 EFLAGS: 006dcc6c

Allocated by task 9982:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 rb_alloc+0x7b/0x4a0 kernel/events/ring_buffer.c:750
 perf_mmap+0xcc1/0x1480 kernel/events/core.c:5468
 call_mmap include/linux/fs.h:1803 [inline]
 mmap_region+0x7d9/0xfb0 mm/mmap.c:1736
 do_mmap+0x548/0xb80 mm/mmap.c:1512
 do_mmap_pgoff include/linux/mm.h:2215 [inline]
 vm_mmap_pgoff+0x177/0x1c0 mm/util.c:333
 SYSC_mmap_pgoff mm/mmap.c:1564 [inline]
 SyS_mmap_pgoff+0xf4/0x1b0 mm/mmap.c:1520
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 10013:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kfree+0x108/0x3a0 mm/slub.c:3976
 __rcu_reclaim kernel/rcu/rcu.h:195 [inline]
 rcu_do_batch kernel/rcu/tree.c:2699 [inline]
 invoke_rcu_callbacks kernel/rcu/tree.c:2962 [inline]
 __rcu_process_callbacks kernel/rcu/tree.c:2929 [inline]
 rcu_process_callbacks+0x59f/0xf60 kernel/rcu/tree.c:2946
 __do_softirq+0x234/0x9ec kernel/softirq.c:288

The buggy address belongs to the object at ffff8881d3b98a00
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 96 bytes inside of
 512-byte region [ffff8881d3b98a00, ffff8881d3b98c00)
The buggy address belongs to the page:
page:ffffea00074ee600 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000010200(slab|head)
raw: 4000000000010200 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea0007438880 0000000700000007 ffff8881da802c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d3b98900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881d3b98980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881d3b98a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff8881d3b98a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881d3b98b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================