./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1291123900 <...> [ 28.712769][ T3181] 8021q: adding VLAN 0 to HW filter on device bond0 [ 28.731920][ T3181] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller syzkaller login: [ 40.033360][ T27] kauditd_printk_skb: 37 callbacks suppressed [ 40.033376][ T27] audit: type=1400 audit(1659931052.929:73): avc: denied { transition } for pid=3389 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [ 40.062321][ T27] audit: type=1400 audit(1659931052.939:74): avc: denied { write } for pid=3389 comm="sh" path="pipe:[28117]" dev="pipefs" ino=28117 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1 Warning: Permanently added '10.128.0.74' (ECDSA) to the list of known hosts. execve("./syz-executor1291123900", ["./syz-executor1291123900"], 0x7ffdad11ae50 /* 10 vars */) = 0 brk(NULL) = 0x555556b8c000 brk(0x555556b8cc40) = 0x555556b8cc40 arch_prctl(ARCH_SET_FS, 0x555556b8c300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1291123900", 4096) = 28 brk(0x555556badc40) = 0x555556badc40 brk(0x555556bae000) = 0x555556bae000 mprotect(0x7f1e06c34000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556b8c5d0) = 3603 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556b8c5d0) = 3604 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556b8c5d0) = 3605 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556b8c5d0) = 3606 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556b8c5d0) = 3607 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556b8c5d0) = 3608 ./strace-static-x86_64: Process 3608 attached [pid 3608] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3607 attached [pid 3607] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3608] <... clone resumed>, child_tidptr=0x555556b8c5d0) = 3609 [pid 3607] <... clone resumed>, child_tidptr=0x555556b8c5d0) = 3610 ./strace-static-x86_64: Process 3606 attached [pid 3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555556b8c5d0) = 3611 ./strace-static-x86_64: Process 3609 attached ./strace-static-x86_64: Process 3611 attached ./strace-static-x86_64: Process 3610 attached [pid 3611] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3609] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3611] <... prctl resumed>) = 0 ./strace-static-x86_64: Process 3603 attached [pid 3609] <... prctl resumed>) = 0 [pid 3611] setpgid(0, 0 [pid 3609] setpgid(0, 0 [pid 3611] <... setpgid resumed>) = 0 ./strace-static-x86_64: Process 3605 attached ./strace-static-x86_64: Process 3604 attached [pid 3610] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3609] <... setpgid resumed>) = 0 [pid 3603] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3610] <... prctl resumed>) = 0 [pid 3610] setpgid(0, 0) = 0 [pid 3610] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3611] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3610] <... openat resumed>) = 3 [pid 3609] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3604] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3612 attached [pid 3611] <... openat resumed>) = 3 [pid 3610] write(3, "1000", 4 [pid 3609] <... openat resumed>) = 3 [pid 3605] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3610] <... write resumed>) = 4 [pid 3610] close(3) = 0 [pid 3610] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3611] write(3, "1000", 4 [pid 3610] <... openat resumed>) = 3 [pid 3609] write(3, "1000", 4 [pid 3610] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3611] <... write resumed>) = 4 [pid 3610] <... ioctl resumed>, 0x20000080) = 0 [pid 3609] <... write resumed>) = 4 [pid 3604] <... clone resumed>, child_tidptr=0x555556b8c5d0) = 3613 [pid 3611] close(3 [pid 3610] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3609] close(3./strace-static-x86_64: Process 3613 attached [pid 3612] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3611] <... close resumed>) = 0 [pid 3610] <... openat resumed>) = 4 [pid 3609] <... close resumed>) = 0 [pid 3610] write(4, "6", 1) = 1 [ 51.036997][ T27] audit: type=1400 audit(1659931063.929:75): avc: denied { execmem } for pid=3602 comm="syz-executor129" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1 [pid 3613] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3612] <... prctl resumed>) = 0 [pid 3611] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3610] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000 [pid 3609] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3603] <... clone resumed>, child_tidptr=0x555556b8c5d0) = 3612 [pid 3612] setpgid(0, 0 [pid 3611] <... openat resumed>) = 3 [pid 3609] <... openat resumed>) = 3 [pid 3605] <... clone resumed>, child_tidptr=0x555556b8c5d0) = 3614 [pid 3613] <... prctl resumed>) = 0 [pid 3612] <... setpgid resumed>) = 0 [pid 3611] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3609] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3613] setpgid(0, 0 [pid 3612] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3611] <... ioctl resumed>, 0x20000080) = 0 [pid 3609] <... ioctl resumed>, 0x20000080) = 0 [pid 3613] <... setpgid resumed>) = 0 [pid 3612] <... openat resumed>) = 3 [pid 3611] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3609] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3613] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3612] write(3, "1000", 4 [pid 3611] <... openat resumed>) = 4 [pid 3609] <... openat resumed>) = 4 [pid 3613] <... openat resumed>) = 3 [pid 3612] <... write resumed>) = 4 [pid 3611] write(4, "6", 1 [pid 3609] write(4, "6", 1 [pid 3613] write(3, "1000", 4 [pid 3612] close(3 [pid 3611] <... write resumed>) = 1 [pid 3609] <... write resumed>) = 1 [pid 3613] <... write resumed>) = 4 [pid 3612] <... close resumed>) = 0 [pid 3611] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000 [pid 3609] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000./strace-static-x86_64: Process 3614 attached [pid 3613] close(3 [pid 3612] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3611] <... mmap resumed>) = -1 ENOMEM (Cannot allocate memory) [ 51.094587][ T27] audit: type=1400 audit(1659931063.989:76): avc: denied { read } for pid=3610 comm="syz-executor129" name="card0" dev="devtmpfs" ino=624 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 51.118419][ T27] audit: type=1400 audit(1659931063.989:77): avc: denied { open } for pid=3610 comm="syz-executor129" path="/dev/dri/card0" dev="devtmpfs" ino=624 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [pid 3610] <... mmap resumed>) = -1 EACCES (Permission denied) [pid 3609] <... mmap resumed>) = -1 EINVAL (Invalid argument) [pid 3614] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3613] <... close resumed>) = 0 [pid 3612] <... openat resumed>) = 3 [pid 3611] exit_group(0 [pid 3610] exit_group(0 [pid 3613] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [ 51.121510][ T3609] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 51.150800][ T27] audit: type=1400 audit(1659931063.989:78): avc: denied { ioctl } for pid=3610 comm="syz-executor129" path="/dev/dri/card0" dev="devtmpfs" ino=624 ioctlcmd=0x64b2 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 51.156849][ T3611] ================================================================== [ 51.176836][ T27] audit: type=1400 audit(1659931064.019:79): avc: denied { map } for pid=3610 comm="syz-executor129" path="/dev/dri/card0" dev="devtmpfs" ino=624 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:dri_device_t tclass=chr_file permissive=1 [ 51.184204][ T3611] BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xf2/0x110 [ 51.184255][ T3611] Read of size 8 at addr ffff888074a1f9e8 by task syz-executor129/3611 [ 51.184272][ T3611] [ 51.184278][ T3611] CPU: 0 PID: 3611 Comm: syz-executor129 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0 [ 51.184300][ T3611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 51.184314][ T3611] Call Trace: [ 51.184320][ T3611] [ 51.184327][ T3611] dump_stack_lvl+0xcd/0x134 [ 51.223522][ T3614] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 51.224685][ T3611] print_address_description.constprop.0.cold+0xeb/0x467 [ 51.241714][ T3616] Huh VM_FAULT_OOM leaked out to the #PF handler. Retrying PF [ 51.247193][ T3611] ? drm_gem_object_release_handle+0xf2/0x110 [ 51.247228][ T3611] kasan_report.cold+0xf4/0x1c6 [ 51.247253][ T3611] ? drm_gem_object_release_handle+0xf2/0x110 [ 51.296893][ T3611] ? drm_gem_object_handle_put_unlocked+0x390/0x390 [ 51.303499][ T3611] drm_gem_object_release_handle+0xf2/0x110 [ 51.309396][ T3611] ? drm_gem_object_handle_put_unlocked+0x390/0x390 [ 51.315985][ T3611] idr_for_each+0x113/0x220 [ 51.320486][ T3611] ? idr_find+0x50/0x50 [ 51.324638][ T3611] ? _raw_spin_unlock_irqrestore+0x50/0x70 [ 51.330442][ T3611] drm_gem_release+0x22/0x30 [ 51.335042][ T3611] drm_file_free.part.0+0x805/0xb80 [ 51.340237][ T3611] ? fsnotify+0x1680/0x1680 [ 51.344822][ T3611] drm_close_helper.isra.0+0x17d/0x1f0 [ 51.350280][ T3611] drm_release+0x1e6/0x530 [ 51.354707][ T3611] __fput+0x277/0x9d0 [ 51.358684][ T3611] ? drm_release_noglobal+0x180/0x180 [ 51.364054][ T3611] task_work_run+0xdd/0x1a0 [ 51.368568][ T3611] do_exit+0xade/0x29d0 [ 51.372735][ T3611] ? mm_update_next_owner+0x7a0/0x7a0 [ 51.378113][ T3611] ? _raw_spin_unlock_irq+0x1f/0x40 [ 51.383324][ T3611] ? _raw_spin_unlock_irq+0x1f/0x40 [ 51.388528][ T3611] do_group_exit+0xd2/0x2f0 [ 51.393047][ T3611] __x64_sys_exit_group+0x3a/0x50 [ 51.398077][ T3611] do_syscall_64+0x35/0xb0 [ 51.402498][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.408480][ T3611] RIP: 0033:0x7f1e06bc6429 [ 51.412900][ T3611] Code: Unable to access opcode bytes at RIP 0x7f1e06bc63ff. [ 51.420280][ T3611] RSP: 002b:00007ffdb4428a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 51.428693][ T3611] RAX: ffffffffffffffda RBX: 00007f1e06c3a3f0 RCX: 00007f1e06bc6429 [ 51.436663][ T3611] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 51.444731][ T3611] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100004000 [ 51.452695][ T3611] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f1e06c3a3f0 [ 51.460658][ T3611] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 51.468625][ T3611] [ 51.471636][ T3611] [ 51.473962][ T3611] Allocated by task 3611: [ 51.478275][ T3611] kasan_save_stack+0x1e/0x40 [ 51.482948][ T3611] __kasan_kmalloc+0xa6/0xd0 [ 51.487529][ T3611] kmem_cache_alloc_trace+0x1ed/0x4b0 [ 51.492898][ T3611] vgem_gem_create_object+0x38/0xb0 [ 51.498095][ T3611] __drm_gem_shmem_create+0x80/0x480 [ 51.503371][ T3611] drm_gem_shmem_dumb_create+0x13c/0x380 [ 51.508996][ T3611] drm_mode_create_dumb+0x26c/0x2f0 [ 51.514199][ T3611] drm_ioctl_kernel+0x27d/0x4e0 [ 51.519055][ T3611] drm_ioctl+0x51e/0x9d0 [ 51.523293][ T3611] __x64_sys_ioctl+0x193/0x200 [ 51.528051][ T3611] do_syscall_64+0x35/0xb0 [ 51.532475][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.538375][ T3611] [ 51.540694][ T3611] Freed by task 3611: [ 51.544671][ T3611] kasan_save_stack+0x1e/0x40 [ 51.549355][ T3611] kasan_set_track+0x21/0x30 [ 51.553946][ T3611] kasan_set_free_info+0x20/0x30 [ 51.558885][ T3611] ____kasan_slab_free+0x13d/0x180 [ 51.563995][ T3611] kfree+0x173/0x390 [ 51.567888][ T3611] drm_gem_mmap+0x4fc/0x770 [ 51.572396][ T3611] mmap_region+0xbe7/0x1460 [ 51.576890][ T3611] do_mmap+0x863/0xfa0 [ 51.580953][ T3611] vm_mmap_pgoff+0x1b7/0x290 [ 51.585541][ T3611] ksys_mmap_pgoff+0x40d/0x5a0 [ 51.590299][ T3611] do_syscall_64+0x35/0xb0 [ 51.594726][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.600624][ T3611] [ 51.602942][ T3611] The buggy address belongs to the object at ffff888074a1f800 [ 51.602942][ T3611] which belongs to the cache kmalloc-1k of size 1024 [ 51.616990][ T3611] The buggy address is located 488 bytes inside of [ 51.616990][ T3611] 1024-byte region [ffff888074a1f800, ffff888074a1fc00) [ 51.630371][ T3611] [ 51.632688][ T3611] The buggy address belongs to the physical page: [ 51.639088][ T3611] page:ffffea0001d287c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74a1f [ 51.649234][ T3611] flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) [ 51.656784][ T3611] raw: 00fff00000000200 ffffea0001d28588 ffffea0001d28788 ffff888011840700 [ 51.665358][ T3611] raw: 0000000000000000 ffff888074a1f000 0000000100000002 0000000000000000 [ 51.673930][ T3611] page dumped because: kasan: bad access detected [ 51.680323][ T3611] page_owner tracks the page as allocated [ 51.686022][ T3611] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 3611, tgid 3611 (syz-executor129), ts 51104467083, free_ts 44924454378 [ 51.706333][ T3611] get_page_from_freelist+0x1298/0x3b80 [ 51.711878][ T3611] __alloc_pages+0x1c7/0x510 [ 51.716461][ T3611] cache_grow_begin+0x75/0x350 [ 51.721216][ T3611] cache_alloc_refill+0x27f/0x380 [ 51.726248][ T3611] kmem_cache_alloc_trace+0x38c/0x4b0 [ 51.731627][ T3611] vgem_gem_create_object+0x38/0xb0 [ 51.736840][ T3611] __drm_gem_shmem_create+0x80/0x480 [ 51.742120][ T3611] drm_gem_shmem_dumb_create+0x13c/0x380 [ 51.747753][ T3611] drm_mode_create_dumb+0x26c/0x2f0 [ 51.752954][ T3611] drm_ioctl_kernel+0x27d/0x4e0 [ 51.757801][ T3611] drm_ioctl+0x51e/0x9d0 [ 51.762033][ T3611] __x64_sys_ioctl+0x193/0x200 [ 51.766788][ T3611] do_syscall_64+0x35/0xb0 [ 51.771200][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.777086][ T3611] page last free stack trace: [ 51.781747][ T3611] free_pcp_prepare+0x549/0xd20 [ 51.786602][ T3611] free_unref_page+0x19/0x6a0 [ 51.791279][ T3611] __put_page+0x145/0x280 [ 51.795613][ T3611] anon_pipe_buf_release+0x367/0x4b0 [ 51.800903][ T3611] pipe_read+0x610/0x1100 [ 51.805228][ T3611] new_sync_read+0x489/0x560 [ 51.809810][ T3611] vfs_read+0x492/0x5d0 [ 51.813957][ T3611] ksys_read+0x1e8/0x250 [ 51.818196][ T3611] do_syscall_64+0x35/0xb0 [ 51.822613][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 51.828505][ T3611] [ 51.830815][ T3611] Memory state around the buggy address: [ 51.836431][ T3611] ffff888074a1f880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [pid 3612] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3611] <... exit_group resumed>) = ? [pid 3614] <... prctl resumed>) = 0 [pid 3613] <... openat resumed>) = 3 [pid 3612] <... ioctl resumed>, 0x20000080) = 0 [pid 3610] <... exit_group resumed>) = ? [pid 3609] exit_group(0 [pid 3614] setpgid(0, 0 [pid 3610] +++ exited with 0 +++ [pid 3609] <... exit_group resumed>) = ? [pid 3614] <... setpgid resumed>) = 0 [pid 3609] +++ exited with 0 +++ [pid 3614] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3607] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3610, si_uid=0, si_status=0, si_utime=0, si_stime=0} --- [pid 3614] <... openat resumed>) = 3 [pid 3608] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3609, si_uid=0, si_status=0, si_utime=0, si_stime=3} --- [pid 3607] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3614] write(3, "1000", 4 [pid 3608] restart_syscall(<... resuming interrupted clone ...> [pid 3614] <... write resumed>) = 4 [pid 3608] <... restart_syscall resumed>) = 0 [pid 3607] <... clone resumed>, child_tidptr=0x555556b8c5d0) = 3615 [pid 3614] close(3) = 0 [pid 3614] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY [pid 3608] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3614] <... openat resumed>) = 3 [pid 3614] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB [pid 3608] <... clone resumed>, child_tidptr=0x555556b8c5d0) = 3616 [pid 3614] <... ioctl resumed>, 0x20000080) = 0 [pid 3614] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 3614] write(4, "6", 1) = 1 [pid 3614] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000) = -1 EACCES (Permission denied) [pid 3614] exit_group(0) = ? [pid 3614] +++ exited with 0 +++ ./strace-static-x86_64: Process 3616 attached [pid 3616] prctl(PR_SET_PDEATHSIG, SIGKILL) = 0 [pid 3616] setpgid(0, 0) = 0 [pid 3616] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3616] write(3, "1000", 4) = 4 [pid 3616] close(3) = 0 [pid 3616] openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY) = 3 [pid 3616] ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB, 0x20000080) = 0 [pid 3616] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4 [pid 3616] write(4, "6", 1) = 1 [pid 3616] mmap(0x20ffc000, 12288, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100004000) = -1 EACCES (Permission denied) [pid 3616] exit_group(0) = ? [pid 3616] +++ exited with 0 +++ [pid 3608] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3616, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- [pid 3608] restart_syscall(<... resuming interrupted clone ...>) = 0 [pid 3608] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3612] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3605] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3614, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- [ 51.844488][ T3611] ffff888074a1f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.852536][ T3611] >ffff888074a1f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.860582][ T3611] ^ [ 51.868022][ T3611] ffff888074a1fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.876073][ T3611] ffff888074a1fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 51.884131][ T3611] ================================================================== [ 51.894511][ T3611] Kernel panic - not syncing: panic_on_warn set ... [ 51.901113][ T3611] CPU: 1 PID: 3611 Comm: syz-executor129 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0 [ 51.911256][ T3611] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 51.921299][ T3611] Call Trace: [ 51.924567][ T3611] [ 51.927492][ T3611] dump_stack_lvl+0xcd/0x134 [ 51.932083][ T3611] panic+0x2d7/0x636 [ 51.935969][ T3611] ? panic_print_sys_info.part.0+0x10b/0x10b [ 51.941942][ T3611] ? preempt_schedule_common+0x59/0xc0 [ 51.947397][ T3611] ? drm_gem_object_release_handle+0xf2/0x110 [ 51.953463][ T3611] ? preempt_schedule_thunk+0x16/0x18 [ 51.958835][ T3611] ? drm_gem_object_release_handle+0xf2/0x110 [ 51.964904][ T3611] end_report.part.0+0x3f/0x7c [ 51.969664][ T3611] kasan_report.cold+0x93/0x1c6 [ 51.974510][ T3611] ? drm_gem_object_release_handle+0xf2/0x110 [ 51.980573][ T3611] ? drm_gem_object_handle_put_unlocked+0x390/0x390 [ 51.987161][ T3611] drm_gem_object_release_handle+0xf2/0x110 [ 51.993057][ T3611] ? drm_gem_object_handle_put_unlocked+0x390/0x390 [ 51.999644][ T3611] idr_for_each+0x113/0x220 [ 52.004144][ T3611] ? idr_find+0x50/0x50 [ 52.008293][ T3611] ? _raw_spin_unlock_irqrestore+0x50/0x70 [ 52.014098][ T3611] drm_gem_release+0x22/0x30 [ 52.018687][ T3611] drm_file_free.part.0+0x805/0xb80 [ 52.023887][ T3611] ? fsnotify+0x1680/0x1680 [ 52.028386][ T3611] drm_close_helper.isra.0+0x17d/0x1f0 [ 52.033844][ T3611] drm_release+0x1e6/0x530 [ 52.038260][ T3611] __fput+0x277/0x9d0 [ 52.042253][ T3611] ? drm_release_noglobal+0x180/0x180 [ 52.047619][ T3611] task_work_run+0xdd/0x1a0 [ 52.052120][ T3611] do_exit+0xade/0x29d0 [ 52.056272][ T3611] ? mm_update_next_owner+0x7a0/0x7a0 [ 52.061641][ T3611] ? _raw_spin_unlock_irq+0x1f/0x40 [ 52.066832][ T3611] ? _raw_spin_unlock_irq+0x1f/0x40 [ 52.072027][ T3611] do_group_exit+0xd2/0x2f0 [ 52.076531][ T3611] __x64_sys_exit_group+0x3a/0x50 [ 52.081552][ T3611] do_syscall_64+0x35/0xb0 [ 52.085965][ T3611] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 52.091852][ T3611] RIP: 0033:0x7f1e06bc6429 [ 52.096263][ T3611] Code: Unable to access opcode bytes at RIP 0x7f1e06bc63ff. [ 52.103612][ T3611] RSP: 002b:00007ffdb4428a88 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 52.112015][ T3611] RAX: ffffffffffffffda RBX: 00007f1e06c3a3f0 RCX: 00007f1e06bc6429 [ 52.119996][ T3611] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 52.127970][ T3611] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100004000 [ 52.135948][ T3611] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f1e06c3a3f0 [ 52.143915][ T3611] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 52.151887][ T3611] [ 52.155044][ T3611] Kernel Offset: disabled [ 52.159359][ T3611] Rebooting in 86400 seconds..