[ 50.139554][ T3596] FAULT_INJECTION: forcing a failure.
[ 50.139554][ T3596] name failslab, interval 1, probability 0, space 0, times 1
[ 50.152555][ T3596] CPU: 1 PID: 3596 Comm: syz-executor763 Not tainted 5.16.0-rc5-syzkaller #0
[ 50.161301][ T3596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.171341][ T3596] Call Trace:
[ 50.174601][ T3596] <TASK>
[ 50.177591][ T3596] dump_stack_lvl+0xcd/0x134
[ 50.182184][ T3596] should_fail.cold+0x5/0xa
[ 50.186681][ T3596] ? kvmalloc_node+0x61/0x120
[ 50.191340][ T3596] should_failslab+0x5/0x10
[ 50.195826][ T3596] __kmalloc_node+0x75/0x390
[ 50.200408][ T3596] kvmalloc_node+0x61/0x120
[ 50.205023][ T3596] drm_gem_get_pages+0x14f/0x5d0
[ 50.209963][ T3596] ? drm_gem_shmem_get_pages+0x56/0x250
[ 50.215503][ T3596] ? drm_gem_dma_resv_wait+0x220/0x220
[ 50.220948][ T3596] ? mutex_lock_io_nested+0x1150/0x1150
[ 50.226485][ T3596] ? drm_vma_node_is_allowed+0xc4/0x100
[ 50.232023][ T3596] ? lock_downgrade+0x6e0/0x6e0
[ 50.236872][ T3596] drm_gem_shmem_get_pages+0xd6/0x250
[ 50.242326][ T3596] ? drm_gem_shmem_dumb_create+0x290/0x290
[ 50.248121][ T3596] drm_gem_shmem_mmap+0x137/0x2e0
[ 50.253144][ T3596] ? drm_gem_shmem_dumb_create+0x290/0x290
[ 50.258936][ T3596] drm_gem_mmap_obj+0x1b6/0x3e0
[ 50.263777][ T3596] drm_gem_mmap+0x419/0x680
[ 50.268266][ T3596] ? drm_gem_fence_array_add_implicit+0x150/0x150
[ 50.274668][ T3596] ? kmem_cache_alloc+0x2ec/0x3a0
[ 50.279686][ T3596] mmap_region+0xd8c/0x1650
[ 50.284183][ T3596] do_mmap+0x869/0xfb0
[ 50.288244][ T3596] vm_mmap_pgoff+0x1b7/0x290
[ 50.292819][ T3596] ? randomize_stack_top+0x100/0x100
[ 50.298090][ T3596] ? __fget_files+0x28c/0x470
[ 50.302763][ T3596] ksys_mmap_pgoff+0x40d/0x5a0
[ 50.307519][ T3596] do_syscall_64+0x35/0xb0
[ 50.311927][ T3596] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.317808][ T3596] RIP: 0033:0x7fe01452dcf9
[ 50.322205][ T3596] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
[ 50.341798][ T3596] RSP: 002b:00007ffcee35e4c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 50.350201][ T3596] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe01452dcf9
[ 50.358160][ T3596] RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffc000
[ 50.366129][ T3596] RBP: 00007ffcee35e4e0 R08: 0000000000000003 R09: 0000000100000000
[ 50.374082][ T3596] R10: 0000000000000012 R11: 0000000000000246 R12: 0000000000000004
[ 50.382042][ T3596] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 50.390010][ T3596] </TASK>
[ 50.398413][ T3596] ==================================================================
[ 50.406568][ T3596] BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xf2/0x110
[ 50.414971][ T3596] Read of size 8 at addr ffff888078de9228 by task syz-executor763/3596
[ 50.423188][ T3596]
[ 50.425497][ T3596] CPU: 0 PID: 3596 Comm: syz-executor763 Not tainted 5.16.0-rc5-syzkaller #0
[ 50.434236][ T3596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 50.444275][ T3596] Call Trace:
[ 50.447540][ T3596] <TASK>
[ 50.450454][ T3596] dump_stack_lvl+0xcd/0x134
[ 50.455032][ T3596] print_address_description.constprop.0.cold+0x8d/0x320
[ 50.462044][ T3596] ? drm_gem_object_release_handle+0xf2/0x110
[ 50.468099][ T3596] ? drm_gem_object_release_handle+0xf2/0x110
[ 50.474155][ T3596] kasan_report.cold+0x83/0xdf
[ 50.478907][ T3596] ? drm_gem_object_release_handle+0xf2/0x110
[ 50.484981][ T3596] ? drm_gem_object_handle_put_unlocked+0x320/0x320
[ 50.491638][ T3596] drm_gem_object_release_handle+0xf2/0x110
[ 50.497523][ T3596] ? drm_gem_object_handle_put_unlocked+0x320/0x320
[ 50.504116][ T3596] idr_for_each+0x113/0x220
[ 50.508709][ T3596] ? idr_find+0x50/0x50
[ 50.512874][ T3596] drm_gem_release+0x22/0x30
[ 50.517461][ T3596] drm_file_free.part.0+0x805/0xb80
[ 50.522663][ T3596] ? fsnotify+0x12b0/0x12b0
[ 50.527168][ T3596] drm_close_helper.isra.0+0x17d/0x1f0
[ 50.532631][ T3596] drm_release+0x1e6/0x530
[ 50.537048][ T3596] __fput+0x286/0x9f0
[ 50.541023][ T3596] ? drm_release_noglobal+0x180/0x180
[ 50.546405][ T3596] task_work_run+0xdd/0x1a0
[ 50.551000][ T3596] do_exit+0xc14/0x2b40
[ 50.555158][ T3596] ? lock_downgrade+0x6e0/0x6e0
[ 50.560007][ T3596] ? lock_downgrade+0x6e0/0x6e0
[ 50.564858][ T3596] ? mm_update_next_owner+0x7a0/0x7a0
[ 50.570239][ T3596] do_group_exit+0x125/0x310
[ 50.574828][ T3596] __x64_sys_exit_group+0x3a/0x50
[ 50.579852][ T3596] do_syscall_64+0x35/0xb0
[ 50.584278][ T3596] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.590171][ T3596] RIP: 0033:0x7fe01452c9f9
[ 50.594579][ T3596] Code: Unable to access opcode bytes at RIP 0x7fe01452c9cf.
[ 50.601928][ T3596] RSP: 002b:00007ffcee35e4b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 50.610348][ T3596] RAX: ffffffffffffffda RBX: 00007fe0145a03f0 RCX: 00007fe01452c9f9
[ 50.618314][ T3596] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 50.626275][ T3596] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000
[ 50.634240][ T3596] R10: 0000000000000012 R11: 0000000000000246 R12: 00007fe0145a03f0
[ 50.642269][ T3596] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 50.650364][ T3596] </TASK>
[ 50.653389][ T3596]
[ 50.655709][ T3596] Allocated by task 3596:
[ 50.660027][ T3596] kasan_save_stack+0x1e/0x50
[ 50.664704][ T3596] __kasan_kmalloc+0xa9/0xd0
[ 50.669290][ T3596] vgem_gem_create_object+0x38/0xa0
[ 50.674490][ T3596] __drm_gem_shmem_create+0x80/0x470
[ 50.679770][ T3596] drm_gem_shmem_create_with_handle+0x26/0x100
[ 50.685931][ T3596] drm_gem_shmem_dumb_create+0x13f/0x290
[ 50.691558][ T3596] drm_mode_create_dumb+0x26c/0x2f0
[ 50.696755][ T3596] drm_ioctl_kernel+0x27d/0x4e0
[ 50.701603][ T3596] drm_ioctl+0x51e/0x9d0
[ 50.705838][ T3596] __x64_sys_ioctl+0x193/0x200
[ 50.710599][ T3596] do_syscall_64+0x35/0xb0
[ 50.715013][ T3596] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.720902][ T3596]
[ 50.723214][ T3596] Freed by task 3596:
[ 50.727180][ T3596] kasan_save_stack+0x1e/0x50
[ 50.731859][ T3596] kasan_set_track+0x21/0x30
[ 50.736444][ T3596] kasan_set_free_info+0x20/0x30
[ 50.741381][ T3596] __kasan_slab_free+0xff/0x130
[ 50.746224][ T3596] slab_free_freelist_hook+0x8b/0x1c0
[ 50.751588][ T3596] kfree+0xf6/0x560
[ 50.755387][ T3596] drm_gem_object_free+0x58/0x80
[ 50.760332][ T3596] drm_gem_mmap+0x4aa/0x680
[ 50.764832][ T3596] mmap_region+0xd8c/0x1650
[ 50.769335][ T3596] do_mmap+0x869/0xfb0
[ 50.773399][ T3596] vm_mmap_pgoff+0x1b7/0x290
[ 50.777984][ T3596] ksys_mmap_pgoff+0x40d/0x5a0
[ 50.782744][ T3596] do_syscall_64+0x35/0xb0
[ 50.787164][ T3596] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 50.793054][ T3596]
[ 50.795364][ T3596] The buggy address belongs to the object at ffff888078de9000
[ 50.795364][ T3596] which belongs to the cache kmalloc-1k of size 1024
[ 50.809411][ T3596] The buggy address is located 552 bytes inside of
[ 50.809411][ T3596] 1024-byte region [ffff888078de9000, ffff888078de9400)
[ 50.822761][ T3596] The buggy address belongs to the page:
[ 50.828377][ T3596] page:ffffea0001e37a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78de8
[ 50.838520][ T3596] head:ffffea0001e37a00 order:3 compound_mapcount:0 compound_pincount:0
[ 50.846832][ T3596] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 50.854809][ T3596] raw: 00fff00000010200 0000000000000000 dead000000000122 ffff888010c41dc0
[ 50.863384][ T3596] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[ 50.871950][ T3596] page dumped because: kasan: bad access detected
[ 50.878346][ T3596] page_owner tracks the page as allocated
[ 50.884044][ T3596] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3594, ts 50106996374, free_ts 50054496628
[ 50.903141][ T3596] get_page_from_freelist+0xa72/0x2f50
[ 50.908607][ T3596] __alloc_pages+0x1b2/0x500
[ 50.913190][ T3596] alloc_pages+0x1a7/0x300
[ 50.917601][ T3596] new_slab+0x32d/0x4a0
[ 50.921747][ T3596] ___slab_alloc+0x918/0xfe0
[ 50.926329][ T3596] __slab_alloc.constprop.0+0x4d/0xa0
[ 50.931696][ T3596] __kmalloc_node_track_caller+0x2cb/0x360
[ 50.937497][ T3596] __alloc_skb+0xde/0x340
[ 50.941823][ T3596] tcp_stream_alloc_skb+0x66/0x910
[ 50.946923][ T3596] tcp_sendmsg_locked+0xaba/0x3040
[ 50.952042][ T3596] tcp_sendmsg+0x2b/0x40
[ 50.956276][ T3596] inet_sendmsg+0x99/0xe0
[ 50.960602][ T3596] sock_sendmsg+0xcf/0x120
[ 50.965013][ T3596] sock_write_iter+0x289/0x3c0
[ 50.969772][ T3596] new_sync_write+0x429/0x660
[ 50.974446][ T3596] vfs_write+0x7cd/0xae0
[ 50.978683][ T3596] page last free stack trace:
[ 50.983338][ T3596] free_pcp_prepare+0x374/0x870
[ 50.988186][ T3596] free_unref_page+0x19/0x690
[ 50.992859][ T3596] __put_page+0x27a/0x470
[ 50.997181][ T3596] do_exit+0x204f/0x2b40
[ 51.001417][ T3596] do_group_exit+0x125/0x310
[ 51.006003][ T3596] __x64_sys_exit_group+0x3a/0x50
[ 51.011022][ T3596] do_syscall_64+0x35/0xb0
[ 51.015435][ T3596] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 51.021325][ T3596]
[ 51.023634][ T3596] Memory state around the buggy address:
[ 51.029250][ T3596] ffff888078de9100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.037306][ T3596] ffff888078de9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.045359][ T3596] >ffff888078de9200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.053408][ T3596] ^
[ 51.058763][ T3596] ffff888078de9280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.066816][ T3596] ffff888078de9300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 51.074866][ T3596] ==================================================================
[ 51.082912][ T3596] Disabling lock debugging due to kernel taint
[ 51.090019][ T3596] Kernel panic - not syncing: panic_on_warn set ...
[ 51.096605][ T3596] CPU: 0 PID: 3596 Comm: syz-executor763 Tainted: G B 5.16.0-rc5-syzkaller #0
[ 51.106744][ T3596] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 51.116788][ T3596] Call Trace:
[ 51.120054][ T3596] <TASK>
[ 51.122973][ T3596] dump_stack_lvl+0xcd/0x134
[ 51.127561][ T3596] panic+0x2b0/0x6dd
[ 51.131453][ T3596] ? __warn_printk+0xf3/0xf3
[ 51.136042][ T3596] ? preempt_schedule_common+0x59/0xc0
[ 51.141492][ T3596] ? drm_gem_object_release_handle+0xf2/0x110
[ 51.147554][ T3596] ? preempt_schedule_thunk+0x16/0x18
[ 51.152923][ T3596] ? trace_hardirqs_on+0x38/0x1c0
[ 51.157956][ T3596] ? trace_hardirqs_on+0x51/0x1c0
[ 51.162977][ T3596] ? drm_gem_object_release_handle+0xf2/0x110
[ 51.169038][ T3596] ? drm_gem_object_release_handle+0xf2/0x110
[ 51.175102][ T3596] end_report.cold+0x63/0x6f
[ 51.179688][ T3596] kasan_report.cold+0x71/0xdf
[ 51.184450][ T3596] ? drm_gem_object_release_handle+0xf2/0x110
[ 51.190514][ T3596] ? drm_gem_object_handle_put_unlocked+0x320/0x320
[ 51.197099][ T3596] drm_gem_object_release_handle+0xf2/0x110
[ 51.202992][ T3596] ? drm_gem_object_handle_put_unlocked+0x320/0x320
[ 51.209577][ T3596] idr_for_each+0x113/0x220
[ 51.214080][ T3596] ? idr_find+0x50/0x50
[ 51.218233][ T3596] drm_gem_release+0x22/0x30
[ 51.222825][ T3596] drm_file_free.part.0+0x805/0xb80
[ 51.228020][ T3596] ? fsnotify+0x12b0/0x12b0
[ 51.232512][ T3596] drm_close_helper.isra.0+0x17d/0x1f0
[ 51.237967][ T3596] drm_release+0x1e6/0x530
[ 51.242378][ T3596] __fput+0x286/0x9f0
[ 51.246350][ T3596] ? drm_release_noglobal+0x180/0x180
[ 51.251716][ T3596] task_work_run+0xdd/0x1a0
[ 51.256215][ T3596] do_exit+0xc14/0x2b40
[ 51.260374][ T3596] ? lock_downgrade+0x6e0/0x6e0
[ 51.265216][ T3596] ? lock_downgrade+0x6e0/0x6e0
[ 51.270063][ T3596] ? mm_update_next_owner+0x7a0/0x7a0
[ 51.275434][ T3596] do_group_exit+0x125/0x310
[ 51.280021][ T3596] __x64_sys_exit_group+0x3a/0x50
[ 51.285039][ T3596] do_syscall_64+0x35/0xb0
[ 51.289455][ T3596] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 51.295343][ T3596] RIP: 0033:0x7fe01452c9f9
[ 51.299751][ T3596] Code: Unable to access opcode bytes at RIP 0x7fe01452c9cf.
[ 51.307105][ T3596] RSP: 002b:00007ffcee35e4b8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 51.315860][ T3596] RAX: ffffffffffffffda RBX: 00007fe0145a03f0 RCX: 00007fe01452c9f9
[ 51.323826][ T3596] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 51.331783][ T3596] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000
[ 51.339742][ T3596] R10: 0000000000000012 R11: 0000000000000246 R12: 00007fe0145a03f0
[ 51.347708][ T3596] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 51.355691][ T3596] </TASK>
[ 51.358764][ T3596] Kernel Offset: disabled
[ 51.363076][ T3596] Rebooting in 86400 seconds..
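Triage helper for the report above, added here as an example; it is not part of the syzkaller log, nor syzkaller's or the kernel's own tooling. It parses the KASAN section of a console log (the `[ ts][ Tpid]` prefix on every line, the `BUG: KASAN:` header, the `Read/Write of size N` line, the `Call Trace:` / `Allocated by task` / `Freed by task` stacks, and the slab cache and offset lines), drops the `? ` frames that the unwinder marks as unreliable, and names the first frame in each stack that is not instrumentation plumbing. The `INFRA_PREFIXES` skip list is an assumption chosen for this triage, and `SAMPLE` is a constructed excerpt of this log trimmed to a few frames per stack.

```python
"""Pull the triage-relevant facts out of a KASAN report in a syzkaller console log."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

PREFIX_RE = re.compile(r"^\[\s*\d+\.\d+\]\[\s*T\d+\]\s?")  # "[   50.13][ T3596] " console prefix
HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[a-z-]+) in (?P<func>[\w.]+)\+0x")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
FRAME_RE = re.compile(r"^(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size \d+")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
# Assumed list of KASAN/SLUB/dump_stack plumbing symbols skipped when naming the culprit frame.
INFRA_PREFIXES = ("kasan_", "__kasan_", "dump_stack", "print_address", "slab_free",
                  "kfree", "kmem_cache", "__kmalloc", "kvmalloc", "should_fail")


@dataclass
class KasanReport:
    kind: str                    # e.g. "use-after-free"
    func: str                    # function named in the BUG header
    op: str = ""
    size: int = 0
    addr: int = 0
    task: str = ""
    cache: str = ""
    offset: int = -1
    access_stack: List[str] = field(default_factory=list)
    alloc_stack: List[str] = field(default_factory=list)
    free_stack: List[str] = field(default_factory=list)


def parse_kasan(log: str) -> Optional[KasanReport]:
    """Return the first KASAN report in the log, or None if there is none."""
    report, current = None, None
    for raw in log.splitlines():
        line = PREFIX_RE.sub("", raw).strip()
        if report is None:
            if m := HEADER_RE.match(line):
                report = KasanReport(kind=m["kind"], func=m["func"])
            continue
        if line.startswith("====="):
            break                          # closing rule of the report
        if m := ACCESS_RE.match(line):
            report.op, report.size = m["op"], int(m["size"])
            report.addr, report.task = int(m["addr"], 16), m["task"]
        elif line == "Call Trace:":
            current = report.access_stack
        elif line.startswith("Allocated by task"):
            current = report.alloc_stack
        elif line.startswith("Freed by task"):
            current = report.free_stack
        elif m := CACHE_RE.search(line):
            report.cache = m["cache"]
        elif m := OFFSET_RE.search(line):
            report.offset = int(m["off"])
        elif line == "":
            current = None                 # a blank line ends a stack section
        elif current is not None and not line.startswith("? "):   # "? sym" = unreliable slot
            if fm := FRAME_RE.match(line):
                current.append(fm["sym"])
    return report


def first_code_frame(stack: List[str]) -> str:
    """First frame that is not instrumentation plumbing, or '' if there is none."""
    return next((s for s in stack if not s.startswith(INFRA_PREFIXES)), "")


def summary(r: KasanReport) -> str:
    return (f"{r.kind}: {r.op} of size {r.size} in {first_code_frame(r.access_stack)} "
            f"(cache {r.cache}, offset {r.offset}); allocated in "
            f"{first_code_frame(r.alloc_stack)}, freed in {first_code_frame(r.free_stack)}")


# Constructed excerpt of the report above, trimmed to a few frames per stack.
SAMPLE = """\
[   50.406568][ T3596] BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xf2/0x110
[   50.414971][ T3596] Read of size 8 at addr ffff888078de9228 by task syz-executor763/3596
[   50.444275][ T3596] Call Trace:
[   50.447540][ T3596]  <TASK>
[   50.450454][ T3596]  dump_stack_lvl+0xcd/0x134
[   50.484981][ T3596]  ? drm_gem_object_handle_put_unlocked+0x320/0x320
[   50.474155][ T3596]  kasan_report.cold+0x83/0xdf
[   50.491638][ T3596]  drm_gem_object_release_handle+0xf2/0x110
[   50.504116][ T3596]  idr_for_each+0x113/0x220
[   50.653389][ T3596]
[   50.655709][ T3596] Allocated by task 3596:
[   50.660027][ T3596]  kasan_save_stack+0x1e/0x50
[   50.669290][ T3596]  vgem_gem_create_object+0x38/0xa0
[   50.720902][ T3596]
[   50.723214][ T3596] Freed by task 3596:
[   50.727180][ T3596]  kasan_save_stack+0x1e/0x50
[   50.751588][ T3596]  kfree+0xf6/0x560
[   50.755387][ T3596]  drm_gem_object_free+0x58/0x80
[   50.793054][ T3596]
[   50.795364][ T3596]  which belongs to the cache kmalloc-1k of size 1024
[   50.809411][ T3596] The buggy address is located 552 bytes inside of
[   51.074866][ T3596] ==================================================================
"""

if __name__ == "__main__":
    print(summary(parse_kasan(SAMPLE)))
```

Run against the full console log it stops at the first closing `====` rule, so the panic backtrace that follows (a second `Call Trace:` for the same PID) is not mixed into the access stack; the FAULT_INJECTION trace before the header is ignored for the same reason. The three culprit frames it names for this log are the object's creation in `vgem_gem_create_object` (the dumb-buffer ioctl), its free under `drm_gem_mmap` after the injected `kvmalloc_node` failure, and the later read in `drm_gem_object_release_handle` when the file's handle table is torn down at exit.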