./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor2811026875 <...> DUID 00:04:d9:3a:76:1c:b4:63:be:bc:0b:c2:08:9c:83:36:98:31 forked to background, child pid 3188 [ 24.756236][ T3189] 8021q: adding VLAN 0 to HW filter on device bond0 [ 24.769225][ T3189] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.10.33' (ECDSA) to the list of known hosts. execve("./syz-executor2811026875", ["./syz-executor2811026875"], 0x7ffdb1fe3c40 /* 10 vars */) = 0 brk(NULL) = 0x555555b06000 brk(0x555555b06c40) = 0x555555b06c40 arch_prctl(ARCH_SET_FS, 0x555555b06300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor2811026875", 4096) = 28 brk(0x555555b27c40) = 0x555555b27c40 brk(0x555555b28000) = 0x555555b28000 mprotect(0x7f70a4a86000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555b065d0) = 3610 ./strace-static-x86_64: Process 3610 attached [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555b065d0) = 3611 [pid 3610] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3611 attached [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555b065d0) = 3612 [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3610] <... clone resumed>, child_tidptr=0x555555b065d0) = 3613 [pid 3609] <... clone resumed>, child_tidptr=0x555555b065d0) = 3614 [pid 3611] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555b065d0) = 3615 [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3611] <... clone resumed>, child_tidptr=0x555555b065d0) = 3616 ./strace-static-x86_64: Process 3613 attached [pid 3613] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3609] <... clone resumed>, child_tidptr=0x555555b065d0) = 3617 [pid 3613] <... prctl resumed>) = 0 [pid 3613] setpgid(0, 0) = 0 [pid 3613] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC./strace-static-x86_64: Process 3612 attached ) = 3 [pid 3613] write(3, "1000", 4) = 4 [pid 3613] close(3) = 0 [pid 3613] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3612] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3616 attached ./strace-static-x86_64: Process 3615 attached [pid 3613] <... openat resumed>) = 3 [pid 3615] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3613] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB, 0x20000080) = 0 ./strace-static-x86_64: Process 3617 attached [pid 3617] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3613] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 3612] <... clone resumed>, child_tidptr=0x555555b065d0) = 3619 ./strace-static-x86_64: Process 3614 attached [pid 3615] <... clone resumed>, child_tidptr=0x555555b065d0) = 3618 [pid 3613] write(4, "6", 1) = 1 [pid 3613] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000 [pid 3617] <... clone resumed>, child_tidptr=0x555555b065d0) = 3620 [pid 3613] <... mmap resumed>) = -1 EINVAL (Invalid argument) ./strace-static-x86_64: Process 3620 attached ./strace-static-x86_64: Process 3619 attached ./strace-static-x86_64: Process 3618 attached [pid 3616] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3614] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3616] <... prctl resumed>) = 0 [pid 3613] exit_group(0) = ? [pid 3616] setpgid(0, 0 [pid 3614] <... clone resumed>, child_tidptr=0x555555b065d0) = 3621 [pid 3616] <... setpgid resumed>) = 0 [pid 3616] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3616] write(3, "1000", 4) = 4 [pid 3616] close(3 [pid 3619] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3616] <... close resumed>) = 0 [pid 3616] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY) = 3 [pid 3616] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB, 0x20000080) = 0 [pid 3613] +++ exited with 0 +++ [pid 3616] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3610] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3613, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- ./strace-static-x86_64: Process 3621 attached [pid 3610] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 3610] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3621] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3621] setpgid(0, 0 [pid 3610] <... clone resumed>, child_tidptr=0x555555b065d0) = 3622 [pid 3616] <... openat resumed>) = 4 [pid 3621] <... setpgid resumed>) = 0 [pid 3616] write(4, "6", 1 [pid 3621] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3621] write(3, "1000", 4) = 4 [pid 3619] <... prctl resumed>) = 0 [pid 3616] <... write resumed>) = 1 ./strace-static-x86_64: Process 3622 attached [pid 3621] close(3 [pid 3619] setpgid(0, 0 [pid 3616] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000 [pid 3619] <... setpgid resumed>) = 0 [pid 3622] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3621] <... close resumed>) = 0 [pid 3619] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3616] <... mmap resumed>) = -1 EINVAL (Invalid argument) [pid 3622] <... prctl resumed>) = 0 [pid 3621] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3622] setpgid(0, 0 [pid 3621] <... openat resumed>) = 3 [pid 3622] <... setpgid resumed>) = 0 [pid 3621] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3622] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3621] <... ioctl resumed>, 0x20000080) = 0 [pid 3622] <... openat resumed>) = 3 [pid 3621] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3622] write(3, "1000", 4 [pid 3621] <... openat resumed>) = 4 [pid 3622] <... write resumed>) = 4 [pid 3621] write(4, "6", 1 [pid 3622] close(3 [pid 3621] <... write resumed>) = 1 [pid 3622] <... close resumed>) = 0 [pid 3621] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000 [pid 3622] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3621] <... mmap resumed>) = -1 ENOMEM (Cannot allocate memory) [pid 3622] <... openat resumed>) = 3 [pid 3621] exit_group(0 [pid 3622] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3621] <... exit_group resumed>) = ? syzkaller login: [ 42.749549][ T3613] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 42.776476][ T3616] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 42.783981][ T3621] ================================================================== [pid 3622] <... ioctl resumed>, 0x20000080) = 0 [pid 3620] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3619] <... openat resumed>) = 3 [pid 3618] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3616] exit_group(0 [pid 3620] <... prctl resumed>) = 0 [pid 3619] write(3, "1000", 4 [pid 3618] <... prctl resumed>) = 0 [pid 3616] <... exit_group resumed>) = ? [pid 3620] setpgid(0, 0 [pid 3619] <... write resumed>) = 4 [pid 3618] setpgid(0, 0 [pid 3616] +++ exited with 0 +++ [pid 3620] <... setpgid resumed>) = 0 [pid 3619] close(3 [pid 3618] <... setpgid resumed>) = 0 [pid 3620] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3619] <... close resumed>) = 0 [pid 3618] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3611] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3616, si_uid=0, si_status=0, si_utime=0, si_stime=2} --- [pid 3620] <... openat resumed>) = 3 [pid 3619] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3618] <... openat resumed>) = 3 [pid 3611] restart_syscall(<... resuming interrupted clone ...> [pid 3620] write(3, "1000", 4 [pid 3619] <... openat resumed>) = 3 [pid 3618] write(3, "1000", 4 [pid 3611] <... restart_syscall resumed>) = 0 [pid 3620] <... write resumed>) = 4 [pid 3619] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3618] <... write resumed>) = 4 [pid 3620] close(3 [pid 3619] <... ioctl resumed>, 0x20000080) = 0 [pid 3618] close(3 [pid 3620] <... close resumed>) = 0 [pid 3619] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3618] <... close resumed>) = 0 [pid 3611] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3620] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3619] <... openat resumed>) = 4 [pid 3618] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3620] <... openat resumed>) = 3 [pid 3619] write(4, "6", 1 [pid 3618] <... openat resumed>) = 3 [pid 3611] <... clone resumed>, child_tidptr=0x555555b065d0) = 3623 [pid 3620] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3619] <... write resumed>) = 1 [pid 3618] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3620] <... ioctl resumed>, 0x20000080) = 0 [pid 3619] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000 [pid 3618] <... ioctl resumed>, 0x20000080) = 0 [ 42.783992][ T3621] BUG: KASAN: use-after-free in drm_gem_object_release_handle+0x3b/0xf0 [ 42.784035][ T3621] Read of size 8 at addr ffff88807d0331e8 by task syz-executor281/3621 [ 42.784048][ T3621] [ 42.784053][ T3621] CPU: 0 PID: 3621 Comm: syz-executor281 Not tainted 5.19.0-rc5-syzkaller-00233-gb1c428b6c368 #0 [ 42.821447][ T3621] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 [ 42.831511][ T3621] Call Trace: [ 42.834813][ T3621] [ 42.838026][ T3621] dump_stack_lvl+0x1e3/0x2cb [ 42.840624][ T3619] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [pid 3620] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3619] <... mmap resumed>) = -1 EACCES (Permission denied) [ 42.842728][ T3621] ? bfq_pos_tree_add_move+0x436/0x436 [ 42.842753][ T3621] ? __wake_up_klogd+0xcd/0x100 [ 42.842770][ T3621] ? panic+0x76e/0x76e [ 42.864532][ T3621] ? _printk+0xcf/0x10f [ 42.868703][ T3621] print_address_description+0x65/0x4b0 [ 42.874254][ T3621] print_report+0xf4/0x210 [ 42.878660][ T3621] ? trace_lock_release+0x7a/0x190 [ 42.883769][ T3621] ? drm_gem_object_release_handle+0x3b/0xf0 [ 42.889738][ T3621] kasan_report+0xfb/0x130 [ 42.894146][ T3621] ? drm_gem_object_release_handle+0x3b/0xf0 [ 42.900114][ T3621] drm_gem_object_release_handle+0x3b/0xf0 [ 42.905905][ T3621] idr_for_each+0x1f8/0x2e0 [ 42.910397][ T3621] ? drm_gem_handle_delete+0x180/0x180 [ 42.915840][ T3621] ? idr_find+0x60/0x60 [ 42.919982][ T3621] ? _raw_spin_unlock+0x40/0x40 [ 42.924817][ T3621] drm_gem_release+0x21/0x30 [ 42.929391][ T3621] drm_file_free+0x6ac/0x920 [ 42.933984][ T3621] drm_release+0x33e/0x5c0 [ 42.938390][ T3621] ? drm_lastclose+0xa0/0xa0 [ 42.942979][ T3621] __fput+0x3b9/0x820 [ 42.946953][ T3621] task_work_run+0x146/0x1c0 [ 42.951533][ T3621] do_exit+0x547/0x1ed0 [ 42.955677][ T3621] ? _raw_spin_unlock_irq+0x2a/0x40 [ 42.960868][ T3621] ? mm_update_next_owner+0x6d0/0x6d0 [ 42.966222][ T3621] ? lockdep_hardirqs_on_prepare+0x448/0x7b0 [ 42.972187][ T3621] ? print_irqtrace_events+0x220/0x220 [ 42.977634][ T3621] ? vtime_user_exit+0x2b2/0x3e0 [ 42.982558][ T3621] ? vtime_user_enter+0x1ea/0x2d0 [ 42.987655][ T3621] do_group_exit+0x23b/0x2f0 [ 42.992231][ T3621] __x64_sys_exit_group+0x3b/0x40 [ 42.997237][ T3621] do_syscall_64+0x2b/0x70 [ 43.001640][ T3621] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 43.007517][ T3621] RIP: 0033:0x7f70a4a18429 [ 43.011916][ T3621] Code: Unable to access opcode bytes at RIP 0x7f70a4a183ff. [ 43.019261][ T3621] RSP: 002b:00007ffe1a6055e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 43.027660][ T3621] RAX: ffffffffffffffda RBX: 00007f70a4a8c3f0 RCX: 00007f70a4a18429 [ 43.035620][ T3621] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 43.043580][ T3621] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100004000 [ 43.051539][ T3621] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f70a4a8c3f0 [ 43.059496][ T3621] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 43.067472][ T3621] [ 43.070478][ T3621] [ 43.072785][ T3621] Allocated by task 3621: [ 43.077095][ T3621] ____kasan_kmalloc+0xdc/0x110 [ 43.081932][ T3621] kmem_cache_alloc_trace+0x94/0x310 [ 43.087201][ T3621] vgem_gem_create_object+0x46/0xa0 [ 43.092385][ T3621] __drm_gem_shmem_create+0x7c/0x310 [ 43.097655][ T3621] drm_gem_shmem_dumb_create+0x243/0x420 [ 43.103270][ T3621] drm_ioctl_kernel+0x33e/0x4f0 [ 43.108101][ T3621] drm_ioctl+0x626/0xa10 [ 43.112339][ T3621] __se_sys_ioctl+0xfb/0x170 [ 43.116916][ T3621] do_syscall_64+0x2b/0x70 [ 43.121320][ T3621] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 43.127196][ T3621] [ 43.129503][ T3621] Freed by task 3621: [ 43.133478][ T3621] kasan_set_track+0x4c/0x70 [ 43.138066][ T3621] kasan_set_free_info+0x1f/0x40 [ 43.142990][ T3621] ____kasan_slab_free+0xd8/0x110 [ 43.148001][ T3621] slab_free_freelist_hook+0x12e/0x1a0 [ 43.153442][ T3621] kfree+0xc6/0x210 [ 43.157232][ T3621] drm_gem_mmap+0x4c9/0x760 [ 43.161717][ T3621] mmap_region+0x10da/0x16e0 [ 43.166290][ T3621] do_mmap+0x7a7/0xdf0 [ 43.170341][ T3621] vm_mmap_pgoff+0x1e5/0x2f0 [ 43.174926][ T3621] ksys_mmap_pgoff+0x48c/0x6d0 [ 43.179672][ T3621] do_syscall_64+0x2b/0x70 [ 43.184089][ T3621] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 43.189991][ T3621] [ 43.192307][ T3621] The buggy address belongs to the object at ffff88807d033000 [ 43.192307][ T3621] which belongs to the cache kmalloc-1k of size 1024 [ 43.206354][ T3621] The buggy address is located 488 bytes inside of [ 43.206354][ T3621] 1024-byte region [ffff88807d033000, ffff88807d033400) [ 43.219696][ T3621] [ 43.222005][ T3621] The buggy address belongs to the physical page: [ 43.228397][ T3621] page:ffffea0001f40c00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7d030 [ 43.238532][ T3621] head:ffffea0001f40c00 order:3 compound_mapcount:0 compound_pincount:0 [ 43.246837][ T3621] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 43.254815][ T3621] raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011c41dc0 [ 43.263391][ T3621] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 43.271951][ T3621] page dumped because: kasan: bad access detected [ 43.278346][ T3621] page_owner tracks the page as allocated [ 43.284038][ T3621] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3030, tgid 3030 (udevd), ts 16843186170, free_ts 16840239297 [ 43.304769][ T3621] get_page_from_freelist+0x72b/0x7a0 [ 43.310134][ T3621] __alloc_pages+0x259/0x560 [ 43.314712][ T3621] alloc_slab_page+0x70/0xf0 [ 43.319298][ T3621] allocate_slab+0x5e/0x520 [ 43.323789][ T3621] ___slab_alloc+0x42e/0xce0 [ 43.328364][ T3621] __kmalloc+0x2ba/0x370 [ 43.332588][ T3621] load_elf_phdrs+0x158/0x260 [ 43.337253][ T3621] load_elf_binary+0xadf/0x27d0 [ 43.342089][ T3621] bprm_execve+0x8dc/0x1590 [ 43.346575][ T3621] do_execveat_common+0x59b/0x750 [ 43.351581][ T3621] __x64_sys_execve+0x8e/0xa0 [ 43.356252][ T3621] do_syscall_64+0x2b/0x70 [ 43.360660][ T3621] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 43.366551][ T3621] page last free stack trace: [ 43.371205][ T3621] free_pcp_prepare+0x812/0x900 [ 43.376038][ T3621] free_unref_page+0x7d/0x390 [ 43.380700][ T3621] __unfreeze_partials+0x1ab/0x200 [ 43.385796][ T3621] put_cpu_partial+0x116/0x180 [ 43.390543][ T3621] ___cache_free+0x118/0x1a0 [ 43.395117][ T3621] qlist_free_all+0x2b/0x70 [ 43.399603][ T3621] kasan_quarantine_reduce+0x169/0x180 [ 43.405047][ T3621] __kasan_slab_alloc+0x2f/0xe0 [ 43.409880][ T3621] kmem_cache_alloc+0x199/0x2f0 [ 43.414710][ T3621] vm_area_alloc+0x20/0xe0 [ 43.419109][ T3621] mmap_region+0xb46/0x16e0 [ 43.423600][ T3621] do_mmap+0x7a7/0xdf0 [ 43.427655][ T3621] vm_mmap_pgoff+0x1e5/0x2f0 [ 43.432227][ T3621] ksys_mmap_pgoff+0x48c/0x6d0 [ 43.436973][ T3621] do_syscall_64+0x2b/0x70 [ 43.441373][ T3621] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 43.447252][ T3621] [ 43.449558][ T3621] Memory state around the buggy address: [ 43.455168][ T3621] ffff88807d033080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.463213][ T3621] ffff88807d033100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.471254][ T3621] >ffff88807d033180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.479293][ T3621] ^ [ 43.486729][ T3621] ffff88807d033200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 43.494771][ T3621] ffff88807d033280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [pid 3618] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3622] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3620] <... openat resumed>) = 4 [pid 3619] exit_group(0 [pid 3618] <... openat resumed>) = 4 [pid 3622] <... openat resumed>) = 4 [pid 3622] write(4, "6", 1) = 1 [pid 3622] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000) = -1 ENOMEM (Cannot allocate memory) [ 43.502811][ T3621] ================================================================== [ 43.522460][ T3621] Kernel panic - not syncing: panic_on_warn set ... [ 43.527515][ T3622] general protection fault, probably for non-canonical address 0xfb3ffc2ea0000352: 0000 [#1] PREEMPT SMP KASAN [ 43.527535][ T3622] KASAN: maybe wild-memory-access in range [0xda00017500001a90-0xda00017500001a97] [ 43.527547][ T3622] CPU: 0 PID: 3622 Comm: syz-executor281 Not tainted 5.19.0-rc5-syzkaller-00233-gb1c428b6c368 #0 [ 43.527563][ T3622] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 [ 43.527572][ T3622] RIP: 0010:__lock_acquire+0x6a/0x1f80 [ 43.527592][ T3622] Code: ff df 8a 04 10 84 c0 0f 85 60 16 00 00 83 3d c0 0d 9c 0c 00 0f 84 10 15 00 00 83 3d 0f 03 37 0b 00 74 2c 4c 89 e8 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 ef e8 88 6d 72 00 48 ba 00 00 00 00 00 fc [ 43.527604][ T3622] RSP: 0018:ffffc9000326f6a8 EFLAGS: 00010803 [ 43.527618][ T3622] RAX: 1b40002ea0000352 RBX: 0000000000000000 RCX: 0000000000000000 [ 43.527629][ T3622] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: da00017500001a96 [ 43.527639][ T3622] RBP: ffff888079f83b00 R08: 0000000000000001 R09: 0000000000000000 [ 43.527648][ T3622] R10: fffffbfff1c073ce R11: 1ffffffff1c073cd R12: 0000000000000000 [ 43.527658][ T3622] R13: da00017500001a96 R14: 0000000000000000 R15: 0000000000000000 [ 43.527667][ T3622] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 43.527680][ T3622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 43.527691][ T3622] CR2: 00007f70a4a8d290 CR3: 000000000c88e000 CR4: 00000000003506f0 [ 43.527705][ T3622] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 43.527713][ T3622] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 43.527723][ T3622] Call Trace: [ 43.527727][ T3622] [ 43.527732][ T3622] ? __bpf_trace_rcu_stall_warning+0x10/0x10 [ 43.527749][ T3622] ? __stack_depot_save+0x33/0x490 [ 43.527767][ T3622] lock_acquire+0x1a7/0x400 [ 43.527781][ T3622] ? drm_gem_object_handle_put_unlocked+0x88/0x350 [ 43.527802][ T3622] ? read_lock_is_recursive+0x10/0x10 [ 43.527819][ T3622] ? __might_sleep+0xc0/0xc0 [ 43.527838][ T3622] ? drm_gem_object_release_handle+0xd5/0xf0 [ 43.527857][ T3622] __mutex_lock_common+0x1de/0x26c0 [ 43.527874][ T3622] ? drm_gem_object_handle_put_unlocked+0x88/0x350 [ 43.527893][ T3622] ? trace_lock_release+0x7a/0x190 [ 43.527909][ T3622] ? drm_gem_object_handle_put_unlocked+0x88/0x350 [ 43.527927][ T3622] ? mutex_lock_io_nested+0x60/0x60 [ 43.527944][ T3622] ? __lock_acquire+0x1f80/0x1f80 [ 43.527962][ T3622] mutex_lock_nested+0x17/0x20 [ 43.527977][ T3622] drm_gem_object_handle_put_unlocked+0x88/0x350 [ 43.527996][ T3622] drm_gem_object_release_handle+0xdd/0xf0 [ 43.528013][ T3622] idr_for_each+0x1f8/0x2e0 [ 43.528030][ T3622] ? drm_gem_handle_delete+0x180/0x180 [ 43.528047][ T3622] ? idr_find+0x60/0x60 [ 43.528062][ T3622] ? _raw_spin_unlock+0x40/0x40 [ 43.528078][ T3622] drm_gem_release+0x21/0x30 [ 43.528091][ T3622] drm_file_free+0x6ac/0x920 [ 43.528111][ T3622] drm_release+0x33e/0x5c0 [ 43.528129][ T3622] ? drm_lastclose+0xa0/0xa0 [ 43.528143][ T3622] __fput+0x3b9/0x820 [ 43.528161][ T3622] task_work_run+0x146/0x1c0 [ 43.528179][ T3622] do_exit+0x547/0x1ed0 [ 43.528193][ T3622] ? _raw_spin_unlock_irq+0x2a/0x40 [ 43.528208][ T3622] ? mm_update_next_owner+0x6d0/0x6d0 [ 43.528221][ T3622] ? lockdep_hardirqs_on_prepare+0x448/0x7b0 [ 43.528237][ T3622] ? print_irqtrace_events+0x220/0x220 [ 43.528251][ T3622] ? vtime_user_exit+0x2b2/0x3e0 [ 43.528267][ T3622] ? vtime_user_enter+0x1ea/0x2d0 [ 43.528284][ T3622] do_group_exit+0x23b/0x2f0 [ 43.528307][ T3622] __x64_sys_exit_group+0x3b/0x40 [ 43.528322][ T3622] do_syscall_64+0x2b/0x70 [ 43.528338][ T3622] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 43.528352][ T3622] RIP: 0033:0x7f70a4a18429 [ 43.528364][ T3622] Code: Unable to access opcode bytes at RIP 0x7f70a4a183ff. [ 43.528371][ T3622] RSP: 002b:00007ffe1a6055e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 43.528386][ T3622] RAX: ffffffffffffffda RBX: 00007f70a4a8c3f0 RCX: 00007f70a4a18429 [ 43.528397][ T3622] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 43.528406][ T3622] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100004000 [ 43.528416][ T3622] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f70a4a8c3f0 [ 43.528426][ T3622] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 43.528441][ T3622] [ 43.528445][ T3622] Modules linked in: [ 43.528455][ T3622] ---[ end trace 0000000000000000 ]--- [ 43.528461][ T3622] RIP: 0010:__lock_acquire+0x6a/0x1f80 [ 43.528476][ T3622] Code: ff df 8a 04 10 84 c0 0f 85 60 16 00 00 83 3d c0 0d 9c 0c 00 0f 84 10 15 00 00 83 3d 0f 03 37 0b 00 74 2c 4c 89 e8 48 c1 e8 03 <80> 3c 10 00 74 12 4c 89 ef e8 88 6d 72 00 48 ba 00 00 00 00 00 fc [ 43.528488][ T3622] RSP: 0018:ffffc9000326f6a8 EFLAGS: 00010803 [ 43.528500][ T3622] RAX: 1b40002ea0000352 RBX: 0000000000000000 RCX: 0000000000000000 [ 43.528509][ T3622] RDX: dffffc0000000000 RSI: 0000000000000000 RDI: da00017500001a96 [ 43.528519][ T3622] RBP: ffff888079f83b00 R08: 0000000000000001 R09: 0000000000000000 [ 43.528529][ T3622] R10: fffffbfff1c073ce R11: 1ffffffff1c073cd R12: 0000000000000000 [ 43.528539][ T3622] R13: da00017500001a96 R14: 0000000000000000 R15: 0000000000000000 [ 43.528548][ T3622] FS: 0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000 [ 43.528561][ T3622] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 43.528571][ T3622] CR2: 00007f70a4a8d290 CR3: 000000000c88e000 CR4: 00000000003506f0 [ 43.528584][ T3622] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 43.528593][ T3622] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 45.169696][ T3621] Shutting down cpus with NMI [ 45.174555][ T3621] Kernel Offset: disabled [ 45.178870][ T3621] Rebooting in 86400 seconds..