./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1255957189 <...> Warning: Permanently added '10.128.0.103' (ECDSA) to the list of known hosts. execve("./syz-executor1255957189", ["./syz-executor1255957189"], 0x7ffd9b9ad030 /* 10 vars */) = 0 brk(NULL) = 0x555556e86000 brk(0x555556e86c40) = 0x555556e86c40 arch_prctl(ARCH_SET_FS, 0x555556e86300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1255957189", 4096) = 28 brk(0x555556ea7c40) = 0x555556ea7c40 brk(0x555556ea8000) = 0x555556ea8000 mprotect(0x7f6f8a755000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3610 attached , child_tidptr=0x555556e865d0) = 3610 [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3610] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3611 attached [pid 3609] <... clone resumed>, child_tidptr=0x555556e865d0) = 3611 [pid 3610] <... clone resumed>, child_tidptr=0x555556e865d0) = 3612 [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3612 attached , child_tidptr=0x555556e865d0) = 3613 [pid 3612] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3611] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3612] <... prctl resumed>) = 0 [pid 3612] setpgid(0, 0) = 0 [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3612] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3609] <... clone resumed>, child_tidptr=0x555556e865d0) = 3614 [pid 3612] <... openat resumed>) = 3 [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3615 attached ./strace-static-x86_64: Process 3614 attached ./strace-static-x86_64: Process 3613 attached [pid 3612] write(3, "1000", 4) = 4 [pid 3612] close(3) = 0 [pid 3612] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY./strace-static-x86_64: Process 3616 attached [pid 3613] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3612] <... openat resumed>) = 3 [pid 3611] <... clone resumed>, child_tidptr=0x555556e865d0) = 3615 [pid 3612] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3609] <... clone resumed>, child_tidptr=0x555556e865d0) = 3616 [pid 3612] <... ioctl resumed>, 0x20000080) = 0 [pid 3612] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3616] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3615] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3613] <... clone resumed>, child_tidptr=0x555556e865d0) = 3617 [pid 3612] <... openat resumed>) = 4 [pid 3612] write(4, "6", 1) = 1 [pid 3609] <... clone resumed>, child_tidptr=0x555556e865d0) = 3618 [pid 3614] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3612] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000) = -1 EINVAL (Invalid argument) ./strace-static-x86_64: Process 3620 attached [pid 3615] <... prctl resumed>) = 0 [pid 3612] exit_group(0 [pid 3616] <... clone resumed>, child_tidptr=0x555556e865d0) = 3620 [pid 3615] setpgid(0, 0 [pid 3614] <... clone resumed>, child_tidptr=0x555556e865d0) = 3619 [pid 3612] <... exit_group resumed>) = ? ./strace-static-x86_64: Process 3619 attached ./strace-static-x86_64: Process 3618 attached ./strace-static-x86_64: Process 3617 attached [pid 3620] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3615] <... setpgid resumed>) = 0 [pid 3620] <... prctl resumed>) = 0 [pid 3617] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3615] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3612] +++ exited with 0 +++ [pid 3620] setpgid(0, 0 [pid 3617] <... prctl resumed>) = 0 [pid 3615] <... openat resumed>) = 3 [pid 3620] <... setpgid resumed>) = 0 [pid 3618] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3617] setpgid(0, 0 [pid 3615] write(3, "1000", 4./strace-static-x86_64: Process 3621 attached [pid 3620] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3617] <... setpgid resumed>) = 0 [pid 3615] <... write resumed>) = 4 [pid 3620] <... openat resumed>) = 3 [pid 3618] <... clone resumed>, child_tidptr=0x555556e865d0) = 3621 [pid 3617] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3615] close(3 [pid 3620] write(3, "1000", 4 [pid 3617] <... openat resumed>) = 3 [pid 3615] <... close resumed>) = 0 [pid 3620] <... write resumed>) = 4 [pid 3617] write(3, "1000", 4 [pid 3615] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3620] close(3 [pid 3619] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3617] <... write resumed>) = 4 [pid 3615] <... openat resumed>) = 3 [pid 3620] <... close resumed>) = 0 [pid 3619] <... prctl resumed>) = 0 [pid 3617] close(3 [pid 3615] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3620] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3619] setpgid(0, 0 [pid 3617] <... close resumed>) = 0 [pid 3615] <... ioctl resumed>, 0x20000080) = 0 [pid 3620] <... openat resumed>) = 3 [pid 3619] <... setpgid resumed>) = 0 [pid 3617] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3615] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3620] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3619] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3617] <... openat resumed>) = 3 [pid 3615] <... openat resumed>) = 4 [pid 3620] <... ioctl resumed>, 0x20000080) = 0 [pid 3619] <... openat resumed>) = 3 [pid 3617] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3615] write(4, "6", 1 [pid 3620] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3619] write(3, "1000", 4 [pid 3617] <... ioctl resumed>, 0x20000080) = 0 [pid 3615] <... write resumed>) = 1 [pid 3620] <... openat resumed>) = 4 [pid 3619] <... write resumed>) = 4 [pid 3617] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3615] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000 [pid 3620] write(4, "6", 1 [pid 3619] close(3 [pid 3617] <... openat resumed>) = 4 [pid 3615] <... mmap resumed>) = -1 EACCES (Permission denied) [pid 3620] <... write resumed>) = 1 [pid 3619] <... close resumed>) = 0 [pid 3617] write(4, "6", 1 [pid 3615] exit_group(0 [pid 3620] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000 [pid 3619] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3617] <... write resumed>) = 1 [pid 3615] <... exit_group resumed>) = ? [pid 3620] <... mmap resumed>) = -1 ENOMEM (Cannot allocate memory) [pid 3619] <... openat resumed>) = 3 [pid 3617] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000 [pid 3615] +++ exited with 0 +++ [pid 3620] exit_group(0 [pid 3619] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3617] <... mmap resumed>) = -1 ENOMEM (Cannot allocate memory) [pid 3610] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3612, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 3620] <... exit_group resumed>) = ? syzkaller login: [ 38.401853][ T3612] FAULT_INJECTION: forcing a failure. [ 38.401853][ T3612] name fail_page_alloc, interval 1, probability 0, space 0, times 1 [ 38.401853][ T3612] FAULT_INJECTION: forcing a failure. [ 38.401853][ T3612] name fail_page_alloc, interval 1, probability 0, space 0, times 1 [ 38.401880][ T3612] CPU: 1 PID: 3612 Comm: syz-executor125 Not tainted 5.18.0-syzkaller-04943-g7e062cda7d90 #0 [ 38.401901][ T3612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.401911][ T3612] Call Trace: [ 38.401916][ T3612] [ 38.401922][ T3612] dump_stack_lvl+0xcd/0x134 [ 38.401969][ T3612] should_fail.cold+0x5/0xa [ 38.401991][ T3612] prepare_alloc_pages+0x17b/0x570 [ 38.402011][ T3612] ? mark_lock.part.0+0xee/0x1910 [ 38.402038][ T3612] __alloc_pages+0x12f/0x500 [ 38.402057][ T3612] ? __alloc_pages_slowpath.constprop.0+0x20e0/0x20e0 [ 38.402094][ T3612] alloc_pages_vma+0xf9/0x770 [ 38.402121][ T3612] wp_page_copy+0x1b6/0x1b00 [ 38.402147][ T3612] ? validate_page_before_insert+0x670/0x670 [ 38.402168][ T3612] ? lock_downgrade+0x6e0/0x6e0 [ 38.402189][ T3612] ? __sanitizer_cov_trace_cmp8+0x1d/0x70 [ 38.402208][ T3612] ? vm_normal_page+0x146/0x2a0 [ 38.402242][ T3612] do_wp_page+0x3db/0x2030 [ 38.402267][ T3612] __handle_mm_fault+0x1dc8/0x4150 [ 38.402295][ T3612] ? vm_iomap_memory+0x190/0x190 [ 38.402342][ T3612] handle_mm_fault+0x1c8/0x790 [ 38.402367][ T3612] do_user_addr_fault+0x489/0x11c0 [ 38.402397][ T3612] exc_page_fault+0x9e/0x180 [ 38.402423][ T3612] asm_exc_page_fault+0x27/0x30 [ 38.402442][ T3612] RIP: 0033:0x7f6f8a6acf25 [ 38.402457][ T3612] Code: 0a 00 00 74 08 84 c9 0f 85 46 02 00 00 45 31 e4 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 ba 01 00 00 00 85 c0 0f 85 d5 01 00 00 <0f> b1 15 1c ef 0a 00 4c 8b 33 4d 85 f6 75 3b e9 72 01 00 00 0f 1f [ 38.402474][ T3612] RSP: 002b:00007ffc86505a40 EFLAGS: 00010246 [ 38.402490][ T3612] RAX: 0000000000000000 RBX: 00007f6f8a759140 RCX: 0000000000000001 [ 38.402502][ T3612] RDX: 0000000000000001 RSI: 00007f6f8a759140 RDI: 0000000000000000 [ 38.402514][ T3612] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000100004000 [ 38.402525][ T3612] R10: 0000000000000012 R11: 0000000000000246 R12: 0000000000000000 [ 38.402536][ T3612] R13: 0000000000000001 R14: 00007ffc86505ad0 R15: 00007ffc86505ac0 [ 38.402562][ T3612] [ 38.402738][ T3612] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 38.419422][ T3615] FAULT_INJECTION: forcing a failure. [ 38.419422][ T3615] name fail_page_alloc, interval 1, probability 0, space 0, times 0 [ 38.419443][ T3615] CPU: 0 PID: 3615 Comm: syz-executor125 Not tainted 5.18.0-syzkaller-04943-g7e062cda7d90 #0 [ 38.419460][ T3615] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.419469][ T3615] Call Trace: [ 38.419473][ T3615] [ 38.419479][ T3615] dump_stack_lvl+0xcd/0x134 [ 38.419498][ T3615] should_fail.cold+0x5/0xa [ 38.419516][ T3615] prepare_alloc_pages+0x17b/0x570 [ 38.419533][ T3615] ? mark_lock.part.0+0xee/0x1910 [ 38.419555][ T3615] __alloc_pages+0x12f/0x500 [ 38.419571][ T3615] ? __alloc_pages_slowpath.constprop.0+0x20e0/0x20e0 [ 38.419602][ T3615] alloc_pages_vma+0xf9/0x770 [ 38.419624][ T3615] wp_page_copy+0x1b6/0x1b00 [ 38.419645][ T3615] ? validate_page_before_insert+0x670/0x670 [ 38.419663][ T3615] ? lock_downgrade+0x6e0/0x6e0 [ 38.419681][ T3615] ? __sanitizer_cov_trace_cmp8+0x1d/0x70 [ 38.419697][ T3615] ? vm_normal_page+0x146/0x2a0 [ 38.419722][ T3615] do_wp_page+0x3db/0x2030 [ 38.419743][ T3615] __handle_mm_fault+0x1dc8/0x4150 [ 38.419766][ T3615] ? vm_iomap_memory+0x190/0x190 [ 38.419799][ T3615] handle_mm_fault+0x1c8/0x790 [ 38.419819][ T3615] do_user_addr_fault+0x489/0x11c0 [ 38.419850][ T3615] exc_page_fault+0x9e/0x180 [ 38.419871][ T3615] asm_exc_page_fault+0x27/0x30 [ 38.419887][ T3615] RIP: 0033:0x7f6f8a6acf25 [ 38.419900][ T3615] Code: 0a 00 00 74 08 84 c9 0f 85 46 02 00 00 45 31 e4 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 ba 01 00 00 00 85 c0 0f 85 d5 01 00 00 <0f> b1 15 1c ef 0a 00 4c 8b 33 4d 85 f6 75 3b e9 72 01 00 00 0f 1f [ 38.419914][ T3615] RSP: 002b:00007ffc86505a40 EFLAGS: 00010246 [ 38.419928][ T3615] RAX: 0000000000000000 RBX: 00007f6f8a759140 RCX: 0000000000000001 [ 38.419938][ T3615] RDX: 0000000000000001 RSI: 00007f6f8a759140 RDI: 0000000000000000 [ 38.419948][ T3615] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000100004000 [ 38.419957][ T3615] R10: 0000000000000012 R11: 0000000000000246 R12: 0000000000000000 [ 38.419967][ T3615] R13: 0000000000000001 R14: 00007ffc86505ad0 R15: 00007ffc86505ac0 [ 38.419988][ T3615] [ 38.419995][ T3615] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 38.421218][ T3620] FAULT_INJECTION: forcing a failure. [ 38.421218][ T3620] name failslab, interval 1, probability 0, space 0, times 1 [ 38.421237][ T3620] CPU: 0 PID: 3620 Comm: syz-executor125 Not tainted 5.18.0-syzkaller-04943-g7e062cda7d90 #0 [ 38.421254][ T3620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.421263][ T3620] Call Trace: [ 38.421266][ T3620] [ 38.421272][ T3620] dump_stack_lvl+0xcd/0x134 [ 38.421291][ T3620] should_fail.cold+0x5/0xa [ 38.421308][ T3620] ? kvmalloc_node+0x3e/0x190 [ 38.421324][ T3620] should_failslab+0x5/0x10 [ 38.421340][ T3620] __kmalloc_node+0x75/0x390 [ 38.421362][ T3620] kvmalloc_node+0x3e/0x190 [ 38.421379][ T3620] drm_gem_get_pages+0x14e/0x590 [ 38.421399][ T3620] ? lockdep_hardirqs_on_prepare+0x400/0x400 [ 38.421419][ T3620] ? drm_gem_shmem_get_pages+0x56/0x250 [ 38.421439][ T3620] ? drm_gem_object_lookup+0xc0/0xc0 [ 38.421457][ T3620] ? mutex_lock_io_nested+0x1190/0x1190 [ 38.421478][ T3620] ? find_held_lock+0x2d/0x110 [ 38.421499][ T3620] ? drm_vma_node_is_allowed+0xc4/0x100 [ 38.421517][ T3620] ? lock_downgrade+0x6e0/0x6e0 [ 38.421540][ T3620] drm_gem_shmem_get_pages+0xd6/0x250 [ 38.421559][ T3620] ? drm_gem_shmem_mmap+0x2b0/0x2b0 [ 38.421578][ T3620] drm_gem_shmem_mmap+0x137/0x2b0 [ 38.421597][ T3620] ? drm_gem_shmem_mmap+0x2b0/0x2b0 [ 38.421615][ T3620] drm_gem_mmap_obj+0x1b8/0x450 [ 38.421634][ T3620] drm_gem_mmap+0x419/0x770 [ 38.421653][ T3620] ? drm_gem_lock_reservations+0xe00/0xe00 [ 38.421671][ T3620] ? kmem_cache_alloc+0x2ef/0x3b0 [ 38.421694][ T3620] mmap_region+0xba5/0x14a0 [ 38.421718][ T3620] ? vm_munmap+0x20/0x20 [ 38.421737][ T3620] ? cap_mmap_addr+0x50/0x300 [ 38.421757][ T3620] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 38.421777][ T3620] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 38.421794][ T3620] ? get_unmapped_area+0x2ae/0x3d0 [ 38.421816][ T3620] do_mmap+0x863/0xfa0 [ 38.421846][ T3620] vm_mmap_pgoff+0x1b7/0x290 [ 38.421867][ T3620] ? randomize_page+0xb0/0xb0 [ 38.421885][ T3620] ? __fget_files+0x286/0x470 [ 38.421909][ T3620] ksys_mmap_pgoff+0x40d/0x5a0 [ 38.421932][ T3620] do_syscall_64+0x35/0xb0 [ 38.421949][ T3620] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 38.421966][ T3620] RIP: 0033:0x7f6f8a6e8799 [ 38.421979][ T3620] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 38.421993][ T3620] RSP: 002b:00007ffc86505a88 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 38.422008][ T3620] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f6f8a6e8799 [ 38.422019][ T3620] RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffc000 [ 38.422029][ T3620] RBP: 00007ffc86505ab0 R08: 0000000000000003 R09: 0000000100004000 [ 38.422039][ T3620] R10: 0000000000000012 R11: 0000000000000246 R12: 0000000000000004 [ 38.422048][ T3620] R13: 0000000000000000 R14: 00007ffc86505ad0 R15: 00007ffc86505ac0 [ 38.422070][ T3620] [ 38.424458][ T3617] FAULT_INJECTION: forcing a failure. [ 38.424458][ T3617] name failslab, interval 1, probability 0, space 0, times 0 [ 38.424479][ T3617] CPU: 0 PID: 3617 Comm: syz-executor125 Not tainted 5.18.0-syzkaller-04943-g7e062cda7d90 #0 [ 38.424498][ T3617] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.424508][ T3617] Call Trace: [ 38.424512][ T3617] [ 38.424518][ T3617] dump_stack_lvl+0xcd/0x134 [ 38.424540][ T3617] should_fail.cold+0x5/0xa [ 38.424559][ T3617] ? vm_area_alloc+0x1c/0x110 [ 38.424579][ T3617] should_failslab+0x5/0x10 [ 38.424598][ T3617] kmem_cache_alloc+0x5e/0x3b0 [ 38.424618][ T3617] vm_area_alloc+0x1c/0x110 [ 38.424635][ T3617] mmap_region+0x96e/0x14a0 [ 38.424663][ T3617] ? vm_munmap+0x20/0x20 [ 38.424685][ T3617] ? cap_mmap_addr+0x50/0x300 [ 38.424708][ T3617] ? __sanitizer_cov_trace_const_cmp4+0x1c/0x70 [ 38.424731][ T3617] ? __sanitizer_cov_trace_const_cmp8+0x1d/0x70 [ 38.424751][ T3617] ? get_unmapped_area+0x2ae/0x3d0 [ 38.424778][ T3617] do_mmap+0x863/0xfa0 [ 38.424807][ T3617] vm_mmap_pgoff+0x1b7/0x290 [ 38.424841][ T3617] ? randomize_page+0xb0/0xb0 [ 38.424865][ T3617] ? __fget_files+0x286/0x470 [ 38.424892][ T3617] ksys_mmap_pgoff+0x40d/0x5a0 [ 38.424920][ T3617] do_syscall_64+0x35/0xb0 [ 38.424940][ T3617] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 38.424959][ T3617] RIP: 0033:0x7f6f8a6e8799 [ 38.424974][ T3617] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 38.424989][ T3617] RSP: 002b:00007ffc86505a88 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 38.425006][ T3617] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f6f8a6e8799 [ 38.425019][ T3617] RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffc000 [ 38.425029][ T3617] RBP: 00007ffc86505ab0 R08: 0000000000000003 R09: 0000000100004000 [ 38.425041][ T3617] R10: 0000000000000012 R11: 0000000000000246 R12: 0000000000000004 [ 38.425052][ T3617] R13: 0000000000000000 R14: 00007ffc86505ad0 R15: 00007ffc86505ac0 [ 38.425076][ T3617] [ 38.427777][ T3620] ================================================================== [ 38.427785][ T3620] BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xf2/0x110 [ 38.427809][ T3620] Read of size 8 at addr ffff88801f4aaa28 by task syz-executor125/3620 [ 38.427831][ T3620] [ 38.427835][ T3620] CPU: 0 PID: 3620 Comm: syz-executor125 Not tainted 5.18.0-syzkaller-04943-g7e062cda7d90 #0 [ 38.427854][ T3620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.427864][ T3620] Call Trace: [ 38.427868][ T3620] [ 38.427874][ T3620] dump_stack_lvl+0xcd/0x134 [ 38.427895][ T3620] print_address_description.constprop.0.cold+0xeb/0x495 [ 38.427920][ T3620] ? drm_gem_object_release_handle+0xf2/0x110 [ 38.427940][ T3620] kasan_report.cold+0xf4/0x1c6 [ 38.427960][ T3620] ? drm_gem_object_release_handle+0xf2/0x110 [ 38.427982][ T3620] ? drm_gem_object_handle_put_unlocked+0x390/0x390 [ 38.428004][ T3620] drm_gem_object_release_handle+0xf2/0x110 [ 38.428026][ T3620] ? drm_gem_object_handle_put_unlocked+0x390/0x390 [ 38.428048][ T3620] idr_for_each+0x113/0x220 [ 38.428069][ T3620] ? idr_find+0x50/0x50 [ 38.428091][ T3620] drm_gem_release+0x22/0x30 [ 38.428111][ T3620] drm_file_free.part.0+0x805/0xb80 [ 38.428132][ T3620] ? fsnotify+0x13d0/0x13d0 [ 38.428153][ T3620] drm_close_helper.isra.0+0x17d/0x1f0 [ 38.428175][ T3620] drm_release+0x1e6/0x530 [ 38.428195][ T3620] __fput+0x277/0x9d0 [ 38.428216][ T3620] ? drm_release_noglobal+0x180/0x180 [ 38.428237][ T3620] task_work_run+0xdd/0x1a0 [ 38.428261][ T3620] do_exit+0xaff/0x2a00 [ 38.428283][ T3620] ? lock_downgrade+0x6e0/0x6e0 [ 38.428306][ T3620] ? mm_update_next_owner+0x7a0/0x7a0 [ 38.428329][ T3620] ? _raw_spin_unlock_irq+0x1f/0x40 [ 38.428349][ T3620] do_group_exit+0xd2/0x2f0 [ 38.428372][ T3620] __x64_sys_exit_group+0x3a/0x50 [ 38.428394][ T3620] do_syscall_64+0x35/0xb0 [ 38.428414][ T3620] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 38.428433][ T3620] RIP: 0033:0x7f6f8a6e7429 [ 38.428447][ T3620] Code: Unable to access opcode bytes at RIP 0x7f6f8a6e73ff. [ 38.428455][ T3620] RSP: 002b:00007ffc86505a38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 38.428474][ T3620] RAX: ffffffffffffffda RBX: 00007f6f8a75b3f0 RCX: 00007f6f8a6e7429 [ 38.428489][ T3620] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 38.428503][ T3620] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100004000 [ 38.428515][ T3620] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f6f8a75b3f0 [ 38.428527][ T3620] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 38.428544][ T3620] [ 38.428549][ T3620] [ 38.428552][ T3620] Allocated by task 3620: [ 38.428560][ T3620] kasan_save_stack+0x1e/0x40 [ 38.428580][ T3620] __kasan_kmalloc+0xa9/0xd0 [ 38.428599][ T3620] vgem_gem_create_object+0x38/0xb0 [ 38.428620][ T3620] __drm_gem_shmem_create+0x80/0x480 [ 38.428640][ T3620] drm_gem_shmem_dumb_create+0x13c/0x380 [ 38.428661][ T3620] drm_mode_create_dumb+0x26c/0x2f0 [ 38.428681][ T3620] drm_ioctl_kernel+0x27d/0x4e0 [ 38.428699][ T3620] drm_ioctl+0x51e/0x9d0 [ 38.428716][ T3620] __x64_sys_ioctl+0x193/0x200 [ 38.428733][ T3620] do_syscall_64+0x35/0xb0 [ 38.428750][ T3620] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 38.428769][ T3620] [ 38.428772][ T3620] Freed by task 3620: [ 38.428779][ T3620] kasan_save_stack+0x1e/0x40 [ 38.428798][ T3620] kasan_set_track+0x21/0x30 [ 38.428817][ T3620] kasan_set_free_info+0x20/0x30 [ 38.428840][ T3620] ____kasan_slab_free+0x166/0x1a0 [ 38.428858][ T3620] slab_free_freelist_hook+0x8b/0x1c0 [ 38.428877][ T3620] kfree+0xd6/0x4d0 [ 38.428893][ T3620] drm_gem_mmap+0x4fc/0x770 [ 38.428910][ T3620] mmap_region+0xba5/0x14a0 [ 38.428930][ T3620] do_mmap+0x863/0xfa0 [ 38.428949][ T3620] vm_mmap_pgoff+0x1b7/0x290 [ 38.428966][ T3620] ksys_mmap_pgoff+0x40d/0x5a0 [ 38.428987][ T3620] do_syscall_64+0x35/0xb0 [ 38.429005][ T3620] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 38.429023][ T3620] [ 38.429026][ T3620] The buggy address belongs to the object at ffff88801f4aa800 [ 38.429026][ T3620] which belongs to the cache kmalloc-1k of size 1024 [ 38.429040][ T3620] The buggy address is located 552 bytes inside of [ 38.429040][ T3620] 1024-byte region [ffff88801f4aa800, ffff88801f4aac00) [ 38.429057][ T3620] [ 38.429060][ T3620] The buggy address belongs to the physical page: [ 38.429066][ T3620] page:ffffea00007d2a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1f4a8 [ 38.429085][ T3620] head:ffffea00007d2a00 order:3 compound_mapcount:0 compound_pincount:0 [ 38.429099][ T3620] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 38.429124][ T3620] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c41dc0 [ 38.429141][ T3620] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 [ 38.429151][ T3620] page dumped because: kasan: bad access detected [ 38.429157][ T3620] page_owner tracks the page as allocated [ 38.429162][ T3620] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3604, tgid 3604 (sshd), ts 38405291747, free_ts 38352867406 [ 38.429196][ T3620] get_page_from_freelist+0xba2/0x3e00 [ 38.429214][ T3620] __alloc_pages+0x1b2/0x500 [ 38.429229][ T3620] alloc_pages+0x1aa/0x310 [ 38.429248][ T3620] allocate_slab+0x26c/0x3c0 [ 38.429265][ T3620] ___slab_alloc+0x985/0xd90 [ 38.429283][ T3620] __slab_alloc.constprop.0+0x4d/0xa0 [ 38.429302][ T3620] __kmalloc_node_track_caller+0x2cb/0x360 [ 38.429322][ T3620] __alloc_skb+0xde/0x340 [ 38.429337][ T3620] tcp_stream_alloc_skb+0x66/0x900 [ 38.429354][ T3620] tcp_sendmsg_locked+0xad1/0x2fc0 [ 38.429370][ T3620] tcp_sendmsg+0x2b/0x40 [ 38.429384][ T3620] inet_sendmsg+0x99/0xe0 [ 38.429401][ T3620] sock_sendmsg+0xcf/0x120 [ 38.429416][ T3620] sock_write_iter+0x284/0x3c0 [ 38.429431][ T3620] new_sync_write+0x38a/0x560 [ 38.429448][ T3620] vfs_write+0x7c0/0xac0 [ 38.429465][ T3620] page last free stack trace: [ 38.429470][ T3620] free_pcp_prepare+0x549/0xd20 [ 38.429490][ T3620] free_unref_page+0x19/0x6a0 [ 38.429505][ T3620] __unfreeze_partials+0x17c/0x1a0 [ 38.429523][ T3620] qlist_free_all+0x6a/0x170 [ 38.429540][ T3620] kasan_quarantine_reduce+0x180/0x200 [ 38.429560][ T3620] __kasan_slab_alloc+0xa2/0xc0 [ 38.429580][ T3620] __kmalloc+0x200/0x350 [ 38.429596][ T3620] tomoyo_supervisor+0xce6/0xf00 [ 38.429616][ T3620] tomoyo_execute_permission+0x37f/0x4a0 [ 38.429633][ T3620] tomoyo_find_next_domain+0x348/0x1f80 [ 38.429655][ T3620] tomoyo_bprm_check_security+0x121/0x1a0 [ 38.429674][ T3620] security_bprm_check+0x45/0xa0 [ 38.429690][ T3620] bprm_execve+0x732/0x1970 [ 38.429707][ T3620] do_execveat_common+0x727/0x890 [ 38.429726][ T3620] __x64_sys_execve+0x8f/0xc0 [ 38.429743][ T3620] do_syscall_64+0x35/0xb0 [ 38.429761][ T3620] [ 38.429764][ T3620] Memory state around the buggy address: [ 38.429772][ T3620] ffff88801f4aa900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.429784][ T3620] ffff88801f4aa980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.429796][ T3620] >ffff88801f4aaa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.429805][ T3620] ^ [ 38.429814][ T3620] ffff88801f4aaa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.429834][ T3620] ffff88801f4aab00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 38.429843][ T3620] ================================================================== [ 38.429850][ T3620] Kernel panic - not syncing: panic_on_warn set ... [ 38.429859][ T3620] CPU: 0 PID: 3620 Comm: syz-executor125 Not tainted 5.18.0-syzkaller-04943-g7e062cda7d90 #0 [ 38.429879][ T3620] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 38.429889][ T3620] Call Trace: [ 38.429894][ T3620] [ 38.429900][ T3620] dump_stack_lvl+0xcd/0x134 [ 38.429921][ T3620] panic+0x2d7/0x636 [ 38.429939][ T3620] ? panic_print_sys_info.part.0+0x10b/0x10b [ 38.429963][ T3620] ? drm_gem_object_release_handle+0xf2/0x110 [ 38.429987][ T3620] ? drm_gem_object_release_handle+0xf2/0x110 [ 38.430009][ T3620] end_report.part.0+0x3f/0x7c [ 38.430029][ T3620] kasan_report.cold+0x93/0x1c6 [ 38.430050][ T3620] ? drm_gem_object_release_handle+0xf2/0x110 [ 38.430072][ T3620] ? drm_gem_object_handle_put_unlocked+0x390/0x390 [ 38.430095][ T3620] drm_gem_object_release_handle+0xf2/0x110 [ 38.430117][ T3620] ? drm_gem_object_handle_put_unlocked+0x390/0x390 [ 38.430140][ T3620] idr_for_each+0x113/0x220 [ 38.430160][ T3620] ? idr_find+0x50/0x50 [ 38.430184][ T3620] drm_gem_release+0x22/0x30 [ 38.430204][ T3620] drm_file_free.part.0+0x805/0xb80 [ 38.430225][ T3620] ? fsnotify+0x13d0/0x13d0 [ 38.430247][ T3620] drm_close_helper.isra.0+0x17d/0x1f0 [ 38.430269][ T3620] drm_release+0x1e6/0x530 [ 38.430288][ T3620] __fput+0x277/0x9d0 [ 38.430308][ T3620] ? drm_release_noglobal+0x180/0x180 [ 38.430328][ T3620] task_work_run+0xdd/0x1a0 [ 38.430350][ T3620] do_exit+0xaff/0x2a00 [ 38.430372][ T3620] ? lock_downgrade+0x6e0/0x6e0 [ 38.430396][ T3620] ? mm_update_next_owner+0x7a0/0x7a0 [ 38.430420][ T3620] ? _raw_spin_unlock_irq+0x1f/0x40 [ 38.430440][ T3620] do_group_exit+0xd2/0x2f0 [ 38.430464][ T3620] __x64_sys_exit_group+0x3a/0x50 [ 38.430491][ T3620] do_syscall_64+0x35/0xb0 [ 38.430516][ T3620] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 38.430536][ T3620] RIP: 0033:0x7f6f8a6e7429 [ 38.430549][ T3620] Code: Unable to access opcode bytes at RIP 0x7f6f8a6e73ff. [ 38.430557][ T3620] RSP: 002b:00007ffc86505a38 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 38.430576][ T3620] RAX: ffffffffffffffda RBX: 00007f6f8a75b3f0 RCX: 00007f6f8a6e7429 [ 38.430590][ T3620] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 38.430602][ T3620] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100004000 [ 38.430614][ T3620] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f6f8a75b3f0 [ 38.430626][ T3620] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 38.430643][ T3620] [ 38.431549][ T3620] Kernel Offset: disabled