==================================================================
BUG: KFENCE: use-after-free read in find_node_in_range kernel/events/uprobes.c:1271 [inline]
BUG: KFENCE: use-after-free read in build_probe_list kernel/events/uprobes.c:1305 [inline]
BUG: KFENCE: use-after-free read in uprobe_mmap+0x307/0x1080 kernel/events/uprobes.c:1382

Use-after-free read at 0xffff88823bd50168 (in kfence-#167):
 find_node_in_range kernel/events/uprobes.c:1271 [inline]
 build_probe_list kernel/events/uprobes.c:1305 [inline]
 uprobe_mmap+0x307/0x1080 kernel/events/uprobes.c:1382
 mmap_region+0x56c/0x1730 mm/mmap.c:1881
 do_mmap+0xcff/0x11d0 mm/mmap.c:1580
 vm_mmap_pgoff+0x1b7/0x290 mm/util.c:519
 ksys_mmap_pgoff+0x49c/0x620 mm/mmap.c:1631
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

kfence-#167 [0xffff88823bd50000-0xffff88823bd501a7, size=424, cache=kmalloc-512] allocated by task 24640:
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:686 [inline]
 alloc_uprobe kernel/events/uprobes.c:731 [inline]
 __uprobe_register+0x19c/0x850 kernel/events/uprobes.c:1167
 trace_uprobe_enable kernel/trace/trace_uprobe.c:1060 [inline]
 probe_event_enable+0x357/0xa00 kernel/trace/trace_uprobe.c:1129
 trace_uprobe_register+0x443/0x880 kernel/trace/trace_uprobe.c:1456
 perf_trace_event_reg kernel/trace/trace_event_perf.c:129 [inline]
 perf_trace_event_init+0x549/0xa20 kernel/trace/trace_event_perf.c:204
 perf_uprobe_init+0x16f/0x210 kernel/trace/trace_event_perf.c:336
 perf_uprobe_event_init+0xff/0x1c0 kernel/events/core.c:9721
 perf_try_init_event+0x12a/0x560 kernel/events/core.c:11038
 perf_init_event kernel/events/core.c:11090 [inline]
 perf_event_alloc.part.0+0xe3b/0x3960 kernel/events/core.c:11370
 perf_event_alloc kernel/events/core.c:11749 [inline]
 __do_sys_perf_event_open+0x647/0x2e60 kernel/events/core.c:11847
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

freed by task 24640:
 put_uprobe kernel/events/uprobes.c:612 [inline]
 put_uprobe+0x13b/0x190 kernel/events/uprobes.c:601
 uprobe_apply+0xfc/0x130 kernel/events/uprobes.c:1231
 uprobe_perf_open kernel/trace/trace_uprobe.c:1311 [inline]
 trace_uprobe_register+0x5c9/0x880 kernel/trace/trace_uprobe.c:1463
 perf_trace_event_open kernel/trace/trace_event_perf.c:186 [inline]
 perf_trace_event_init kernel/trace/trace_event_perf.c:208 [inline]
 perf_trace_event_init+0x17a/0xa20 kernel/trace/trace_event_perf.c:195
 perf_uprobe_init+0x16f/0x210 kernel/trace/trace_event_perf.c:336
 perf_uprobe_event_init+0xff/0x1c0 kernel/events/core.c:9721
 perf_try_init_event+0x12a/0x560 kernel/events/core.c:11038
 perf_init_event kernel/events/core.c:11090 [inline]
 perf_event_alloc.part.0+0xe3b/0x3960 kernel/events/core.c:11370
 perf_event_alloc kernel/events/core.c:11749 [inline]
 __do_sys_perf_event_open+0x647/0x2e60 kernel/events/core.c:11847
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

CPU: 1 PID: 24640 Comm: syz-executor.5 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:find_node_in_range kernel/events/uprobes.c:1271 [inline]
RIP: 0010:build_probe_list kernel/events/uprobes.c:1305 [inline]
RIP: 0010:uprobe_mmap+0x307/0x1080 kernel/events/uprobes.c:1382
Code: 6d 10 e8 2c b3 de ff 48 85 ed 74 61 e8 22 b3 de ff 48 8d bd 68 01 00 00 48 89 f8 48 c1 e8 03 42 80 3c 20 00 0f 85 af 0a 00 00 <48> 8b 9d 68 01 00 00 49 39 dd 72 ad e8 f8 b2 de ff 49 39 dd 0f 86
RSP: 0018:ffffc90001f3fb98 EFLAGS: 00010246
RAX: 1ffff110477aa02d RBX: 0000000000009fff RCX: ffffc9000ac82000
RDX: 0000000000040000 RSI: ffffffff819439be RDI: ffff88823bd50168
RBP: ffff88823bd50000 R08: 0000000000000001 R09: 0000000000000003
R10: fffff520003e7f65 R11: 1ffffffff1f1112b R12: dffffc0000000000
R13: ffff88807a6f2138 R14: ffffc90001f3fc10 R15: 0000000000009fff
FS:  00007ffa39762700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff88823bd50168 CR3: 000000001b3b2000 CR4: 00000000001506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 mmap_region+0x56c/0x1730 mm/mmap.c:1881
 do_mmap+0xcff/0x11d0 mm/mmap.c:1580
 vm_mmap_pgoff+0x1b7/0x290 mm/util.c:519
 ksys_mmap_pgoff+0x49c/0x620 mm/mmap.c:1631
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x465b09
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffa39762188 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 0000000000465b09
RDX: 0000000000000000 RSI: 000000000000a000 RDI: 0000000020001000
RBP: 00000000004b069f R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000012 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffdba7a739f R14: 00007ffa39762300 R15: 0000000000022000
==================================================================