./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor314292024
<...>
Warning: Permanently added '10.128.0.68' (ECDSA) to the list of known hosts.
execve("./syz-executor314292024", ["./syz-executor314292024"], 0x7ffdc11c5690 /* 10 vars */) = 0
brk(NULL) = 0x5555571c3000
brk(0x5555571c3c40) = 0x5555571c3c40
arch_prctl(ARCH_SET_FS, 0x5555571c3300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor314292024", 4096) = 27
brk(0x5555571e4c40) = 0x5555571e4c40
brk(0x5555571e5000) = 0x5555571e5000
mprotect(0x7f54cab4e000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3614 attached
, child_tidptr=0x5555571c35d0) = 3614
[pid 3614] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0
[pid 3614] setpgid(0, 0) = 0
[pid 3614] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3
[pid 3614] write(3, "1000", 4) = 4
[pid 3614] close(3) = 0
[pid 3614] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY) = 3
[pid 3614] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB, 0x20000040) = 0
[pid 3614] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4
[pid 3614] write(4, "5", 1) = 1
[pid 3614] mmap(0x20ffc000, 12328, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100000000) = -1 ENOMEM (Cannot allocate memory)
[pid 3614] exit_group(0) = ?
syzkaller login: [ 47.430255][ T3614] ==================================================================
[ 47.438372][ T3614] BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xa1/0xb0
[ 47.446701][ T3614] Read of size 8 at addr ffff8880744409e8 by task syz-executor314/3614
[ 47.454953][ T3614]
[ 47.457277][ T3614] CPU: 1 PID: 3614 Comm: syz-executor314 Not tainted 6.0.0-rc3-syzkaller-00031-gc5e4d5e99162 #0
[ 47.467689][ T3614] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 47.477740][ T3614] Call Trace:
[ 47.481009][ T3614]
[ 47.483930][ T3614] dump_stack_lvl+0xcd/0x134
[ 47.488523][ T3614] print_report.cold+0x2ba/0x719
[ 47.493473][ T3614] ? drm_gem_object_release_handle+0xa1/0xb0
[ 47.499447][ T3614] kasan_report+0xb1/0x1e0
[ 47.503853][ T3614] ? drm_gem_object_release_handle+0xa1/0xb0
[ 47.509841][ T3614] drm_gem_object_release_handle+0xa1/0xb0
[ 47.515638][ T3614] ? drm_gem_object_handle_put_unlocked+0x390/0x390
[ 47.522224][ T3614] idr_for_each+0x113/0x220
[ 47.526747][ T3614] ? idr_find+0x50/0x50
[ 47.530926][ T3614] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 47.536746][ T3614] drm_gem_release+0x22/0x30
[ 47.541353][ T3614] drm_file_free.part.0+0x805/0xb80
[ 47.546556][ T3614] ? fsnotify+0x1680/0x1680
[ 47.551069][ T3614] drm_close_helper.isra.0+0x17d/0x1f0
[ 47.556545][ T3614] drm_release+0x1e6/0x530
[ 47.560967][ T3614] __fput+0x277/0x9d0
[ 47.564951][ T3614] ? drm_release_noglobal+0x180/0x180
[ 47.570327][ T3614] task_work_run+0xdd/0x1a0
[ 47.574834][ T3614] do_exit+0xad5/0x29b0
[ 47.578995][ T3614] ? mm_update_next_owner+0x7a0/0x7a0
[ 47.584368][ T3614] ? _raw_spin_unlock_irq+0x1f/0x40
[ 47.589567][ T3614] ? _raw_spin_unlock_irq+0x1f/0x40
[ 47.594781][ T3614] do_group_exit+0xd2/0x2f0
[ 47.599286][ T3614] __x64_sys_exit_group+0x3a/0x50
[ 47.604312][ T3614] do_syscall_64+0x35/0xb0
[ 47.608730][ T3614] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 47.614632][ T3614] RIP: 0033:0x7f54caae0349
[ 47.619044][ T3614] Code: Unable to access opcode bytes at RIP 0x7f54caae031f.
[ 47.626399][ T3614] RSP: 002b:00007ffc991f77d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 47.634817][ T3614] RAX: ffffffffffffffda RBX: 00007f54cab543f0 RCX: 00007f54caae0349
[ 47.642798][ T3614] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 47.650803][ T3614] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000
[ 47.658776][ T3614] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f54cab543f0
[ 47.666744][ T3614] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 47.674734][ T3614]
[ 47.677776][ T3614]
[ 47.680104][ T3614] Allocated by task 3614:
[ 47.684421][ T3614] kasan_save_stack+0x1e/0x40
[ 47.689098][ T3614] __kasan_kmalloc+0xa9/0xd0
[ 47.693687][ T3614] vgem_gem_create_object+0x38/0xb0
[ 47.698887][ T3614] __drm_gem_shmem_create+0x80/0x480
[ 47.704264][ T3614] drm_gem_shmem_dumb_create+0x13c/0x380
[ 47.709912][ T3614] drm_mode_create_dumb+0x26c/0x2f0
[ 47.715111][ T3614] drm_ioctl_kernel+0x27d/0x4e0
[ 47.719964][ T3614] drm_ioctl+0x51e/0x9d0
[ 47.724208][ T3614] __x64_sys_ioctl+0x193/0x200
[ 47.728972][ T3614] do_syscall_64+0x35/0xb0
[ 47.733386][ T3614] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 47.739287][ T3614]
[ 47.741607][ T3614] Freed by task 3614:
[ 47.745584][ T3614] kasan_save_stack+0x1e/0x40
[ 47.750274][ T3614] kasan_set_track+0x21/0x30
[ 47.754870][ T3614] kasan_set_free_info+0x20/0x30
[ 47.759814][ T3614] ____kasan_slab_free+0x166/0x1c0
[ 47.764927][ T3614] slab_free_freelist_hook+0x8b/0x1c0
[ 47.770296][ T3614] kfree+0xe2/0x580
[ 47.774101][ T3614] drm_gem_mmap+0x4fc/0x770
[ 47.778615][ T3614] mmap_region+0xbff/0x1460
[ 47.783132][ T3614] do_mmap+0x863/0xfa0
[ 47.787213][ T3614] vm_mmap_pgoff+0x1ab/0x270
[ 47.791804][ T3614] ksys_mmap_pgoff+0x41b/0x5a0
[ 47.796565][ T3614] do_syscall_64+0x35/0xb0
[ 47.800982][ T3614] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 47.806878][ T3614]
[ 47.809191][ T3614] The buggy address belongs to the object at ffff888074440800
[ 47.809191][ T3614] which belongs to the cache kmalloc-1k of size 1024
[ 47.823239][ T3614] The buggy address is located 488 bytes inside of
[ 47.823239][ T3614] 1024-byte region [ffff888074440800, ffff888074440c00)
[ 47.836606][ T3614]
[ 47.838921][ T3614] The buggy address belongs to the physical page:
[ 47.845318][ T3614] page:ffffea0001d11000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74440
[ 47.855477][ T3614] head:ffffea0001d11000 order:3 compound_mapcount:0 compound_pincount:0
[ 47.863802][ T3614] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 47.871792][ T3614] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888011841dc0
[ 47.880377][ T3614] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 47.888962][ T3614] page dumped because: kasan: bad access detected
[ 47.895380][ T3614] page_owner tracks the page as allocated
[ 47.901099][ T3614] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3608, tgid 3608 (sshd), ts 47420089282, free_ts 47415741853
[ 47.921775][ T3614] get_page_from_freelist+0x109b/0x2ce0
[ 47.927335][ T3614] __alloc_pages+0x1c7/0x510
[ 47.931927][ T3614] alloc_pages+0x1a6/0x270
[ 47.936346][ T3614] allocate_slab+0x27e/0x3d0
[ 47.940933][ T3614] ___slab_alloc+0x7f1/0xe10
[ 47.945520][ T3614] __slab_alloc.constprop.0+0x4d/0xa0
[ 47.950890][ T3614] __kmalloc_node_track_caller+0x2f2/0x380
[ 47.956694][ T3614] __alloc_skb+0xd9/0x2f0
[ 47.961022][ T3614] tcp_stream_alloc_skb+0x38/0x580
[ 47.966134][ T3614] tcp_sendmsg_locked+0xc36/0x2f80
[ 47.971245][ T3614] tcp_sendmsg+0x2b/0x40
[ 47.975503][ T3614] inet_sendmsg+0x99/0xe0
[ 47.979854][ T3614] sock_sendmsg+0xcf/0x120
[ 47.984283][ T3614] sock_write_iter+0x291/0x3d0
[ 47.989054][ T3614] vfs_write+0x9e9/0xdd0
[ 47.993301][ T3614] ksys_write+0x1e8/0x250
[ 47.997646][ T3614] page last free stack trace:
[ 48.002306][ T3614] free_pcp_prepare+0x5e4/0xd20
[ 48.007162][ T3614] free_unref_page+0x19/0x4d0
[ 48.011842][ T3614] __folio_put+0x105/0x130
[ 48.016280][ T3614] put_page+0x21b/0x280
[ 48.020439][ T3614] page_to_skb+0x9e9/0xc10
[ 48.024856][ T3614] receive_buf+0xe0a/0x5560
[ 48.029363][ T3614] virtnet_poll+0x708/0x1310
[ 48.033957][ T3614] __napi_poll+0xb3/0x6d0
[ 48.038284][ T3614] net_rx_action+0x9c1/0xd90
[ 48.042872][ T3614] __do_softirq+0x1d3/0x9c6
[ 48.047375][ T3614]
[ 48.049691][ T3614] Memory state around the buggy address:
[ 48.055312][ T3614] ffff888074440880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.063372][ T3614] ffff888074440900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.071428][ T3614] >ffff888074440980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.079479][ T3614] ^
[ 48.086923][ T3614] ffff888074440a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.094992][ T3614] ffff888074440a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 48.103156][ T3614] ==================================================================
[ 48.112066][ T3614] Kernel panic - not syncing: panic_on_warn set ...
[ 48.118661][ T3614] CPU: 1 PID: 3614 Comm: syz-executor314 Not tainted 6.0.0-rc3-syzkaller-00031-gc5e4d5e99162 #0
[ 48.129073][ T3614] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
[ 48.139123][ T3614] Call Trace:
[ 48.142400][ T3614]
[ 48.145326][ T3614] dump_stack_lvl+0xcd/0x134
[ 48.149926][ T3614] panic+0x2c8/0x627
[ 48.153827][ T3614] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 48.159812][ T3614] ? preempt_schedule_common+0x59/0xc0
[ 48.165275][ T3614] ? preempt_schedule_thunk+0x16/0x18
[ 48.170654][ T3614] ? drm_gem_object_release_handle+0xa1/0xb0
[ 48.176636][ T3614] end_report.part.0+0x3f/0x7c
[ 48.181404][ T3614] kasan_report.cold+0xa/0xf
[ 48.185998][ T3614] ? drm_gem_object_release_handle+0xa1/0xb0
[ 48.191982][ T3614] drm_gem_object_release_handle+0xa1/0xb0
[ 48.197793][ T3614] ? drm_gem_object_handle_put_unlocked+0x390/0x390
[ 48.204388][ T3614] idr_for_each+0x113/0x220
[ 48.208899][ T3614] ? idr_find+0x50/0x50
[ 48.213064][ T3614] ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 48.218879][ T3614] drm_gem_release+0x22/0x30
[ 48.223474][ T3614] drm_file_free.part.0+0x805/0xb80
[ 48.228676][ T3614] ? fsnotify+0x1680/0x1680
[ 48.233185][ T3614] drm_close_helper.isra.0+0x17d/0x1f0
[ 48.238662][ T3614] drm_release+0x1e6/0x530
[ 48.243083][ T3614] __fput+0x277/0x9d0
[ 48.247068][ T3614] ? drm_release_noglobal+0x180/0x180
[ 48.252463][ T3614] task_work_run+0xdd/0x1a0
[ 48.256970][ T3614] do_exit+0xad5/0x29b0
[ 48.261128][ T3614] ? mm_update_next_owner+0x7a0/0x7a0
[ 48.266501][ T3614] ? _raw_spin_unlock_irq+0x1f/0x40
[ 48.271699][ T3614] ? _raw_spin_unlock_irq+0x1f/0x40
[ 48.276909][ T3614] do_group_exit+0xd2/0x2f0
[ 48.281414][ T3614] __x64_sys_exit_group+0x3a/0x50
[ 48.286441][ T3614] do_syscall_64+0x35/0xb0
[ 48.290863][ T3614] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 48.296760][ T3614] RIP: 0033:0x7f54caae0349
[ 48.301174][ T3614] Code: Unable to access opcode bytes at RIP 0x7f54caae031f.
[ 48.308533][ T3614] RSP: 002b:00007ffc991f77d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 48.316960][ T3614] RAX: ffffffffffffffda RBX: 00007f54cab543f0 RCX: 00007f54caae0349
[ 48.324931][ T3614] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 48.332897][ T3614] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000
[ 48.340866][ T3614] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f54cab543f0
[ 48.348837][ T3614] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 48.356814][ T3614]
[ 48.360021][ T3614] Kernel Offset: disabled
[ 48.364339][ T3614] Rebooting in 86400 seconds..