program: r0 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$IOMMU_IOAS_ALLOC(r0, 0x3b81, &(0x7f00000003c0)={0xc, 0x0, 0x0}) ioctl$IOMMU_TEST_OP_CREATE_ACCESS(r0, 0x3ba0, &(0x7f0000000340)={0x48, 0x5, r1, 0x0, 0xffffffffffffffff, 0x1}) openat$iommufd(0xffffffffffffff9c, &(0x7f0000000040), 0x101400, 0x0) socket$l2tp6(0xa, 0x2, 0x73) socket$nl_generic(0x10, 0x3, 0x10) openat$binfmt_format(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/fs/binfmt_misc/syz1\x00', 0x2, 0x0) socket$kcm(0x10, 0x400000002, 0x0) socket$key(0xf, 0x3, 0x2) syz_usb_connect$cdc_ecm(0x3, 0x4d, &(0x7f0000001240)=ANY=[@ANYBLOB="12010000020000102505a1a44000010203010902"], 0x0) openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0) syz_open_procfs(0x0, &(0x7f0000000080)='ns\x00') userfaultfd(0x801) syz_open_dev$sndctrl(&(0x7f0000000240), 0x0, 0x2a8600) openat$audio(0xffffffffffffff9c, &(0x7f00000000c0), 0x88602, 0x0) r2 = syz_open_dev$dri(&(0x7f0000000380), 0x2, 0x0) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r2, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r2, 0xc01064b5, &(0x7f0000000140)={&(0x7f0000000100)=[0x0], 0x40000012}) socket(0x10, 0x3, 0x0) socket$nl_generic(0x10, 0x3, 0x10) socket$inet_udplite(0x2, 0x2, 0x88) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)) ioctl$DRM_IOCTL_MODE_ATOMIC(r2, 0xc03864bc, &(0x7f0000000180)={0x201, 0x1, &(0x7f0000000540)=[r3], &(0x7f0000000500)=[0x1], &(0x7f0000000200), &(0x7f0000000580), 0x0, 0x7f}) r4 = memfd_create(&(0x7f0000000a00)='\xa3\x9fn\xb4dR\x04i5\x02\xac\xce\xe1\x88\x9d[@8\xd7\xce\x1f 9I\x7f\x15\x1d\x93=\xb5\xe7\\\'L\xe6\xd2\x8e\xbc)JtTDq\x81\xcf\x81\xba\xe51\xf5 \xc8\x10>\xc9\\\x85\x17L\xbf\xcf\x91\xdfM\xf3\x02^T*\x00\x02\xb9~B\x9f\xacl\x1d3\x06o\xf8\x16H\xaa*\x02\xf7\xfb\x06\xf1\x83\x92\xa8\xc2\xcb\xae\xb0\xb4\x93\xb8\x04\xf1\x99\xc2yY+\xd9y\x8a\xd5b\xe8\"q\x1b0)\xccm\xacz\xc1\xadd\x9b6a\xf3\xdds\xbb\x88\xff\b\x85\xb3s\x00\x0e\xbcfvi\x85\xfc.|\xd4h\xec\x82o\x8e\x93\x11\xc1\xd4\xae\x05\x17=\xd9R\xd0\xd4\x90\xcf\x9b\xdc\xaeV\x88\x94\x9f\xe3\xefqi\xed\xa8w\xbe\xd0\xd0-tBl\x9e+\xd3\xed\xce\x9f\x83\x86\xf9\x12\x16Ts\x80\x13]C\xfb\xf7\x1a\x00\x00\x00\x00\x00\x00\x00k\xae\xcb\x1a.\xc2\x8f\xd1x4]PZ\x9e\xd5Y\xf0L\xa4\xbc\x84\xf6\x04L\xff0\x8b\\*\xf9,\xb6\r\x97\xedy\xe0\x8a\xe2\x8ck\xc6S\xc3g\xb9\x1a\xf8\x8f \x9d\x00u7\xd8\'\xf1E\xa4(Q\x80Fy\xb5\xe4q\xc9\xff \xd8\x9d\xad\x11\xf8m\xd3\xbc\x9e\x10D\x7f!\xca\x0ev\x15h$\x01\xdd\xe5\xce\xf8*\xb3\x01\x85\a\xe4qv&\x9c\xac\x9aN~o\xe5\x89\xd5\a\x9f\f\x1f\xc2e/\x8d\x1e\n\xd0_\xbd!^\xa46\xb8j\xc0x\n\xdb\xe1\xa3\xd6\xae;\r\x92@\xa5I\x88Z1F\xf0\x1at\t\xd0\x8a\x04m\x06\xf3BL\xffS\x9eY\xf4\xb0U \xf8\xd00\x88y\xebX\x92\xd5\xbb\xa1h7\xf3\xe0\x0f\xbd\x02\xe4\n\xf9\xb1\x87\x8aM\xfeG\xb2L\xbd\x92-\xcd\x1f\xf4\xe1,\xb7G|\xec\"\xa2\xab\xf6\x84\xe0\xcf1\x9aYb\xf5\x88\xa8\x83.\xe9\xd6\xc6p\xa7o\x86%\xc6-\xdb', 0x3) execveat(r4, &(0x7f0000000000)='\x00', 0x0, 0x0, 0x1000) r5 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) r6 = creat(&(0x7f0000000080)='./file0\x00', 0x70) close(r6) r7 = ioctl$KVM_CREATE_VM(r5, 0xae01, 0x0) ioctl$KVM_CREATE_VCPU(r7, 0xae41, 0x0) [ 67.791421][ T5309] Bluetooth: hci0: command tx timeout [ 68.171032][ T5316] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 68.321180][ T5316] usb 5-1: Using ep0 maxpacket: 16 [ 68.328325][ T5316] usb 5-1: config 0 has no interfaces? [ 68.348826][ T5316] usb 5-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 68.353563][ T5316] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 68.368165][ T5316] usb 5-1: Product: syz [ 68.376118][ T5316] usb 5-1: Manufacturer: syz [ 68.387424][ T5316] usb 5-1: SerialNumber: syz [ 68.426720][ T5316] usb 5-1: config 0 descriptor?? [ 68.639052][ T5324] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 68.689128][ T5324] process 'syz.0.0' launched '/dev/fd/23' with NULL argv: empty string added [ 68.736687][ T1038] ================================================================== [ 68.740120][ T1038] BUG: KASAN: slab-use-after-free in drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 68.759372][ T1038] Read of size 1 at addr ffff888044072009 by task kworker/u4:7/1038 [ 68.762978][ T1038] [ 68.764069][ T1038] CPU: 0 UID: 0 PID: 1038 Comm: kworker/u4:7 Not tainted 6.15.0-rc1-syzkaller #0 PREEMPT(full) [ 68.764085][ T1038] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 68.764094][ T1038] Workqueue: events_unbound commit_work [ 68.764117][ T1038] Call Trace: [ 68.764125][ T1038] [ 68.764130][ T1038] dump_stack_lvl+0x241/0x360 [ 68.764149][ T1038] ? __pfx_dump_stack_lvl+0x10/0x10 [ 68.764163][ T1038] ? __virt_addr_valid+0x183/0x530 [ 68.764177][ T1038] ? rcu_is_watching+0x15/0xb0 [ 68.764190][ T1038] ? __virt_addr_valid+0x183/0x530 [ 68.764202][ T1038] ? lock_release+0x4e/0x3e0 [ 68.764213][ T1038] ? __virt_addr_valid+0x183/0x530 [ 68.764226][ T1038] ? __virt_addr_valid+0x183/0x530 [ 68.764239][ T1038] print_report+0x16e/0x5b0 [ 68.764253][ T1038] ? __virt_addr_valid+0x183/0x530 [ 68.764265][ T1038] ? __virt_addr_valid+0x183/0x530 [ 68.764278][ T1038] ? __virt_addr_valid+0x45f/0x530 [ 68.764291][ T1038] ? __phys_addr+0xba/0x170 [ 68.764305][ T1038] ? drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 68.764318][ T1038] kasan_report+0x143/0x180 [ 68.764329][ T1038] ? drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 68.764343][ T1038] drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 68.764356][ T1038] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 68.764417][ T1038] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 68.764428][ T1038] ? __pfx_drm_atomic_helper_wait_for_vblanks+0x10/0x10 [ 68.764443][ T1038] ? drm_atomic_helper_commit_hw_done+0x3f9/0x430 [ 68.764458][ T1038] drm_atomic_helper_commit_tail+0x314/0x510 [ 68.764472][ T1038] commit_tail+0x2c4/0x3d0 [ 68.764485][ T1038] ? process_scheduled_works+0x9cb/0x18e0 [ 68.764497][ T1038] process_scheduled_works+0xac3/0x18e0 [ 68.764513][ T1038] ? __pfx_process_scheduled_works+0x10/0x10 [ 68.764524][ T1038] ? assign_work+0x367/0x3d0 [ 68.764535][ T1038] worker_thread+0x870/0xd50 [ 68.764551][ T1038] ? __kthread_parkme+0x1a8/0x200 [ 68.764565][ T1038] ? __pfx_worker_thread+0x10/0x10 [ 68.764576][ T1038] kthread+0x7b7/0x940 [ 68.764590][ T1038] ? __pfx_worker_thread+0x10/0x10 [ 68.764601][ T1038] ? __pfx_kthread+0x10/0x10 [ 68.764621][ T1038] ? __pfx_kthread+0x10/0x10 [ 68.764632][ T1038] ? __pfx_kthread+0x10/0x10 [ 68.764642][ T1038] ? __pfx_kthread+0x10/0x10 [ 68.764653][ T1038] ? _raw_spin_unlock_irq+0x23/0x50 [ 68.764661][ T1038] ? lockdep_hardirqs_on+0x9d/0x150 [ 68.764671][ T1038] ? __pfx_kthread+0x10/0x10 [ 68.764682][ T1038] ret_from_fork+0x4b/0x80 [ 68.764692][ T1038] ? __pfx_kthread+0x10/0x10 [ 68.764704][ T1038] ret_from_fork_asm+0x1a/0x30 [ 68.764716][ T1038] [ 68.764720][ T1038] [ 69.023295][ T1038] Allocated by task 5324: [ 69.026799][ T1038] kasan_save_track+0x3f/0x80 [ 69.036571][ T1038] __kasan_kmalloc+0x9d/0xb0 [ 69.039184][ T1038] __kmalloc_cache_noprof+0x236/0x370 [ 69.041788][ T1038] drm_atomic_helper_crtc_duplicate_state+0x72/0xb0 [ 69.048173][ T1038] drm_atomic_get_crtc_state+0x182/0x410 [ 69.055881][ T1038] drm_atomic_get_plane_state+0x44e/0x510 [ 69.066057][ T1038] drm_atomic_set_property+0x281/0x3240 [ 69.070781][ T1038] drm_mode_atomic_ioctl+0x7f0/0x1420 [ 69.073128][ T1038] drm_ioctl_kernel+0x34e/0x450 [ 69.090645][ T1038] drm_ioctl+0x687/0xbb0 [ 69.092321][ T1038] __se_sys_ioctl+0xf1/0x160 [ 69.094114][ T1038] do_syscall_64+0xf3/0x230 [ 69.096028][ T1038] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.098291][ T1038] [ 69.099203][ T1038] Freed by task 5316: [ 69.100628][ T1038] kasan_save_track+0x3f/0x80 [ 69.102805][ T1038] kasan_save_free_info+0x40/0x50 [ 69.104585][ T1038] __kasan_slab_free+0x59/0x70 [ 69.119721][ T1038] kfree+0x198/0x430 [ 69.121514][ T1038] drm_atomic_state_default_clear+0x3bd/0xb80 [ 69.124242][ T1038] __drm_atomic_state_free+0xb8/0x210 [ 69.126481][ T1038] drm_atomic_helper_dirtyfb+0xde9/0xe90 [ 69.129000][ T1038] drm_fbdev_shmem_helper_fb_dirty+0x151/0x2e0 [ 69.135422][ T1038] drm_fb_helper_damage_work+0x26c/0x910 [ 69.137574][ T1038] process_scheduled_works+0xac3/0x18e0 [ 69.147645][ T1038] worker_thread+0x870/0xd50 [ 69.151017][ T1038] kthread+0x7b7/0x940 [ 69.152958][ T1038] ret_from_fork+0x4b/0x80 [ 69.156694][ T1038] ret_from_fork_asm+0x1a/0x30 [ 69.167084][ T1038] [ 69.167997][ T1038] The buggy address belongs to the object at ffff888044072000 [ 69.167997][ T1038] which belongs to the cache kmalloc-512 of size 512 [ 69.173705][ T1038] The buggy address is located 9 bytes inside of [ 69.173705][ T1038] freed 512-byte region [ffff888044072000, ffff888044072200) [ 69.189552][ T1038] [ 69.190619][ T1038] The buggy address belongs to the physical page: [ 69.193460][ T1038] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x44072 [ 69.212288][ T1038] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 69.215647][ T1038] anon flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 69.218748][ T1038] page_type: f5(slab) [ 69.220454][ T1038] raw: 04fff00000000040 ffff88801b041c80 0000000000000000 dead000000000001 [ 69.224176][ T1038] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 69.237831][ T1038] head: 04fff00000000040 ffff88801b041c80 0000000000000000 dead000000000001 [ 69.241250][ T1038] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 69.244667][ T1038] head: 04fff00000000001 ffffea0001101c81 00000000ffffffff 00000000ffffffff [ 69.248064][ T1038] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 69.251508][ T1038] page dumped because: kasan: bad access detected [ 69.272394][ T1038] page_owner tracks the page as allocated [ 69.274568][ T1038] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 4816, tgid 4816 (kworker/0:3), ts 46101071793, free_ts 45025142752 [ 69.283188][ T1038] post_alloc_hook+0x1f4/0x240 [ 69.286844][ T1038] get_page_from_freelist+0x352b/0x36c0 [ 69.296504][ T1038] __alloc_frozen_pages_noprof+0x211/0x5b0 [ 69.299521][ T1038] alloc_pages_mpol+0x339/0x690 [ 69.301410][ T1038] allocate_slab+0x8f/0x3a0 [ 69.306382][ T1038] ___slab_alloc+0xc3b/0x1500 [ 69.308279][ T1038] __slab_alloc+0x58/0xa0 [ 69.310079][ T1038] __kmalloc_cache_noprof+0x26a/0x370 [ 69.321483][ T1038] drm_atomic_helper_setup_commit+0x1d5/0x1490 [ 69.327049][ T1038] drm_atomic_helper_commit+0x62/0xa00 [ 69.329258][ T1038] drm_atomic_commit+0x296/0x2f0 [ 69.331329][ T1038] drm_atomic_helper_dirtyfb+0xd34/0xe90 [ 69.333790][ T1038] drm_fbdev_shmem_helper_fb_dirty+0x151/0x2e0 [ 69.352764][ T1038] drm_fb_helper_damage_work+0x26c/0x910 [ 69.355536][ T1038] process_scheduled_works+0xac3/0x18e0 [ 69.358491][ T1038] worker_thread+0x870/0xd50 [ 69.360322][ T1038] page last free pid 5145 tgid 5145 stack trace: [ 69.367399][ T1038] __free_frozen_pages+0xde8/0x10a0 [ 69.376151][ T1038] __put_partials+0x160/0x1c0 [ 69.378653][ T1038] put_cpu_partial+0x17e/0x250 [ 69.380706][ T1038] __slab_free+0x294/0x390 [ 69.387687][ T1038] qlist_free_all+0x9a/0x140 [ 69.390271][ T1038] kasan_quarantine_reduce+0x14f/0x170 [ 69.392496][ T1038] __kasan_slab_alloc+0x23/0x80 [ 69.394542][ T1038] kmem_cache_alloc_noprof+0x1e1/0x390 [ 69.404058][ T1038] getname_flags+0xb6/0x530 [ 69.410400][ T1038] do_sys_openat2+0xbf/0x1d0 [ 69.419786][ T1038] __x64_sys_openat+0x249/0x2a0 [ 69.421710][ T1038] do_syscall_64+0xf3/0x230 [ 69.423708][ T1038] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 69.430728][ T1038] [ 69.431886][ T1038] Memory state around the buggy address: [ 69.439726][ T1038] ffff888044071f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 69.443007][ T1038] ffff888044071f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 69.450395][ T1038] >ffff888044072000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 69.455973][ T1038] ^ [ 69.457678][ T1038] ffff888044072080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 69.470966][ T1038] ffff888044072100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 69.481048][ T1038] ================================================================== [ 69.666928][ T5316] usb 5-1: USB disconnect, device number 2 [ 69.701080][ T1038] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 69.716955][ T1038] CPU: 0 UID: 0 PID: 1038 Comm: kworker/u4:7 Not tainted 6.15.0-rc1-syzkaller #0 PREEMPT(full) [ 69.741194][ T1038] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 69.773424][ T1038] Workqueue: events_unbound commit_work [ 69.788758][ T1038] Call Trace: [ 69.790067][ T1038] [ 69.791798][ T1038] dump_stack_lvl+0x241/0x360 [ 69.794497][ T1038] ? __pfx_dump_stack_lvl+0x10/0x10 [ 69.808540][ T1038] ? __pfx__printk+0x10/0x10 [ 69.826476][ T1038] ? vscnprintf+0x5d/0x90 [ 69.828501][ T1038] panic+0x349/0x880 [ 69.830170][ T1038] ? check_panic_on_warn+0x21/0xb0 [ 69.832165][ T1038] ? __pfx_panic+0x10/0x10 [ 69.833935][ T1038] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 69.837203][ T1038] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 69.840838][ T1038] ? print_report+0x519/0x5b0 [ 69.846578][ T1038] check_panic_on_warn+0x86/0xb0 [ 69.849761][ T1038] ? drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 69.854222][ T1038] end_report+0x77/0x160 [ 69.858054][ T1038] kasan_report+0x154/0x180 [ 69.860527][ T1038] ? drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 69.864072][ T1038] drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 69.869765][ T1038] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 69.879751][ T1038] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 69.889101][ T1038] ? __pfx_drm_atomic_helper_wait_for_vblanks+0x10/0x10 [ 69.893862][ T1038] ? drm_atomic_helper_commit_hw_done+0x3f9/0x430 [ 69.897545][ T1038] drm_atomic_helper_commit_tail+0x314/0x510 [ 69.900004][ T1038] commit_tail+0x2c4/0x3d0 [ 69.901729][ T1038] ? process_scheduled_works+0x9cb/0x18e0 [ 69.906638][ T1038] process_scheduled_works+0xac3/0x18e0 [ 69.924921][ T1038] ? __pfx_process_scheduled_works+0x10/0x10 [ 69.944173][ T1038] ? assign_work+0x367/0x3d0 [ 69.949602][ T1038] worker_thread+0x870/0xd50 [ 69.951403][ T1038] ? __kthread_parkme+0x1a8/0x200 [ 69.956119][ T1038] ? __pfx_worker_thread+0x10/0x10 [ 69.958352][ T1038] kthread+0x7b7/0x940 [ 69.960042][ T1038] ? __pfx_worker_thread+0x10/0x10 [ 69.962165][ T1038] ? __pfx_kthread+0x10/0x10 [ 69.974368][ T1038] ? __pfx_kthread+0x10/0x10 [ 69.976531][ T1038] ? __pfx_kthread+0x10/0x10 [ 69.980772][ T1038] ? __pfx_kthread+0x10/0x10 [ 69.983510][ T1038] ? _raw_spin_unlock_irq+0x23/0x50 [ 69.986021][ T1038] ? lockdep_hardirqs_on+0x9d/0x150 [ 69.989838][ T1038] ? __pfx_kthread+0x10/0x10 [ 69.992281][ T1038] ret_from_fork+0x4b/0x80 [ 69.994623][ T1038] ? __pfx_kthread+0x10/0x10 [ 69.996483][ T1038] ret_from_fork_asm+0x1a/0x30 [ 69.998463][ T1038] [ 70.000772][ T1038] Kernel Offset: disabled [ 70.002467][ T1038] Rebooting in 86400 seconds..