Warning: Permanently added '10.128.1.9' (ECDSA) to the list of known hosts. [ 66.832176][ T5870] FAULT_INJECTION: forcing a failure. [ 66.832176][ T5870] name failslab, interval 1, probability 0, space 0, times 1 [ 66.845064][ T5870] CPU: 1 PID: 5870 Comm: syz-executor655 Not tainted 5.14.0-rc3-syzkaller #0 [ 66.853969][ T5870] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 66.864086][ T5870] Call Trace: [ 66.867347][ T5870] dump_stack_lvl+0x57/0x7d [ 66.871827][ T5870] should_fail.cold+0x5/0xa [ 66.876300][ T5870] ? drm_gem_get_pages+0x120/0x4e0 [ 66.881376][ T5870] should_failslab+0x5/0x10 [ 66.885846][ T5870] __kmalloc_node+0x75/0x380 [ 66.890410][ T5870] drm_gem_get_pages+0x120/0x4e0 [ 66.895314][ T5870] ? __mutex_lock+0x5bf/0x10a0 [ 66.900050][ T5870] ? drm_gem_dma_resv_wait+0x1a0/0x1a0 [ 66.905488][ T5870] ? mutex_lock_io_nested+0xf00/0xf00 [ 66.911022][ T5870] ? find_held_lock+0x2d/0x110 [ 66.915770][ T5870] ? drm_vma_node_is_allowed+0xa8/0xe0 [ 66.921240][ T5870] ? lock_downgrade+0x6e0/0x6e0 [ 66.926183][ T5870] drm_gem_shmem_get_pages+0xa2/0x1f0 [ 66.931632][ T5870] drm_gem_shmem_mmap+0xda/0x260 [ 66.936542][ T5870] drm_gem_mmap_obj+0x165/0x320 [ 66.941366][ T5870] drm_gem_mmap+0x349/0x4e0 [ 66.945860][ T5870] ? drm_gem_fence_array_add_implicit+0x540/0x540 [ 66.952613][ T5870] ? kmem_cache_alloc+0x371/0x4a0 [ 66.957624][ T5870] mmap_region+0xa3c/0x14e0 [ 66.962122][ T5870] ? get_unmapped_area+0x1e7/0x2e0 [ 66.967247][ T5870] do_mmap+0x5d3/0xfc0 [ 66.971295][ T5870] ? security_mmap_file+0xc3/0x160 [ 66.976382][ T5870] vm_mmap_pgoff+0x163/0x210 [ 66.980948][ T5870] ? randomize_stack_top+0xd0/0xd0 [ 66.986032][ T5870] ? __fget_files+0x194/0x2e0 [ 66.990684][ T5870] ksys_mmap_pgoff+0x3be/0x5f0 [ 66.995419][ T5870] ? mlock_future_check+0xf0/0xf0 [ 67.000416][ T5870] ? syscall_enter_from_user_mode+0x21/0x70 [ 67.006301][ T5870] do_syscall_64+0x35/0xb0 [ 67.010693][ T5870] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 67.016557][ T5870] RIP: 0033:0x7f5cbd976ce9 [ 67.020970][ T5870] Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 67.040730][ T5870] RSP: 002b:00007ffdf4ae0908 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 67.049131][ T5870] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f5cbd976ce9 [ 67.057166][ T5870] RDX: 0000000000000000 RSI: 0000000000003000 RDI: 0000000020ffc000 [ 67.065303][ T5870] RBP: 00007ffdf4ae0920 R08: 0000000000000003 R09: 0000000100000000 [ 67.073340][ T5870] R10: 0000000000000012 R11: 0000000000000246 R12: 0000000000000004 [ 67.081292][ T5870] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 67.095293][ T5870] ================================================================== [ 67.103659][ T5870] BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xd1/0xf0 [ 67.111984][ T5870] Read of size 8 at addr ffff88801d68fa28 by task syz-executor655/5870 [ 67.120224][ T5870] [ 67.122549][ T5870] CPU: 0 PID: 5870 Comm: syz-executor655 Not tainted 5.14.0-rc3-syzkaller #0 [ 67.131755][ T5870] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 67.141806][ T5870] Call Trace: [ 67.145094][ T5870] dump_stack_lvl+0x57/0x7d [ 67.149682][ T5870] print_address_description.constprop.0.cold+0x6c/0x309 [ 67.156747][ T5870] ? drm_gem_object_release_handle+0xd1/0xf0 [ 67.163265][ T5870] ? drm_gem_object_release_handle+0xd1/0xf0 [ 67.169337][ T5870] kasan_report.cold+0x83/0xdf [ 67.174104][ T5870] ? drm_gem_object_release_handle+0xd1/0xf0 [ 67.180179][ T5870] drm_gem_object_release_handle+0xd1/0xf0 [ 67.186162][ T5870] ? drm_gem_object_handle_put_unlocked+0x2a0/0x2a0 [ 67.192925][ T5870] idr_for_each+0xf5/0x1d0 [ 67.197537][ T5870] ? idr_find+0x50/0x50 [ 67.202131][ T5870] ? lockdep_hardirqs_on_prepare+0x17b/0x400 [ 67.208371][ T5870] drm_gem_release+0x17/0x20 [ 67.212956][ T5870] drm_file_free.part.0+0x7a1/0xb60 [ 67.218165][ T5870] ? drm_close_helper.isra.0+0x153/0x1d0 [ 67.223974][ T5870] drm_release+0x1bb/0x4b0 [ 67.228412][ T5870] __fput+0x209/0x870 [ 67.232490][ T5870] task_work_run+0xc0/0x160 [ 67.237090][ T5870] do_exit+0x9fe/0x24e0 [ 67.241334][ T5870] ? lock_downgrade+0x6e0/0x6e0 [ 67.246190][ T5870] ? mm_update_next_owner+0x6d0/0x6d0 [ 67.251662][ T5870] do_group_exit+0xe7/0x290 [ 67.256168][ T5870] __x64_sys_exit_group+0x35/0x40 [ 67.261283][ T5870] do_syscall_64+0x35/0xb0 [ 67.266173][ T5870] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 67.273376][ T5870] RIP: 0033:0x7f5cbd9759e9 [ 67.277883][ T5870] Code: Unable to access opcode bytes at RIP 0x7f5cbd9759bf. [ 67.285247][ T5870] RSP: 002b:00007ffdf4ae08f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 67.293833][ T5870] RAX: ffffffffffffffda RBX: 00007f5cbd9e93f0 RCX: 00007f5cbd9759e9 [ 67.301898][ T5870] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 67.309873][ T5870] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000 [ 67.317870][ T5870] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f5cbd9e93f0 [ 67.325928][ T5870] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 67.334000][ T5870] [ 67.336420][ T5870] Allocated by task 5870: [ 67.340831][ T5870] kasan_save_stack+0x1b/0x40 [ 67.345509][ T5870] __kasan_kmalloc+0x9b/0xd0 [ 67.350196][ T5870] vgem_gem_create_object+0x35/0x90 [ 67.355498][ T5870] __drm_gem_shmem_create+0x72/0x3e0 [ 67.360974][ T5870] drm_gem_shmem_create_with_handle+0x19/0x90 [ 67.367331][ T5870] drm_gem_shmem_dumb_create+0x131/0x270 [ 67.373002][ T5870] drm_ioctl_kernel+0x1c9/0x260 [ 67.378210][ T5870] drm_ioctl+0x444/0x8f0 [ 67.382615][ T5870] __x64_sys_ioctl+0x11f/0x190 [ 67.387636][ T5870] do_syscall_64+0x35/0xb0 [ 67.392192][ T5870] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 67.398260][ T5870] [ 67.400589][ T5870] Freed by task 5870: [ 67.404561][ T5870] kasan_save_stack+0x1b/0x40 [ 67.409240][ T5870] kasan_set_track+0x1c/0x30 [ 67.413921][ T5870] kasan_set_free_info+0x20/0x30 [ 67.418869][ T5870] __kasan_slab_free+0xfb/0x130 [ 67.423721][ T5870] slab_free_freelist_hook+0xdf/0x240 [ 67.429101][ T5870] kfree+0xeb/0x650 [ 67.432913][ T5870] drm_gem_mmap+0x3be/0x4e0 [ 67.437420][ T5870] mmap_region+0xa3c/0x14e0 [ 67.442097][ T5870] do_mmap+0x5d3/0xfc0 [ 67.446438][ T5870] vm_mmap_pgoff+0x163/0x210 [ 67.451027][ T5870] ksys_mmap_pgoff+0x3be/0x5f0 [ 67.455796][ T5870] do_syscall_64+0x35/0xb0 [ 67.460213][ T5870] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 67.466198][ T5870] [ 67.468526][ T5870] The buggy address belongs to the object at ffff88801d68f800 [ 67.468526][ T5870] which belongs to the cache kmalloc-1k of size 1024 [ 67.483110][ T5870] The buggy address is located 552 bytes inside of [ 67.483110][ T5870] 1024-byte region [ffff88801d68f800, ffff88801d68fc00) [ 67.496470][ T5870] The buggy address belongs to the page: [ 67.502181][ T5870] page:ffffea000075a200 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d688 [ 67.512333][ T5870] head:ffffea000075a200 order:3 compound_mapcount:0 compound_pincount:0 [ 67.521061][ T5870] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) [ 67.529058][ T5870] raw: 00fff00000010200 dead000000000100 dead000000000122 ffff88800fc41dc0 [ 67.537641][ T5870] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 [ 67.546396][ T5870] page dumped because: kasan: bad access detected [ 67.552894][ T5870] page_owner tracks the page as allocated [ 67.558615][ T5870] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, ts 5555902984, free_ts 0 [ 67.576665][ T5870] get_page_from_freelist+0xa6f/0x2f50 [ 67.582130][ T5870] __alloc_pages+0x1b2/0x500 [ 67.586716][ T5870] alloc_page_interleave+0xf/0x1c0 [ 67.591828][ T5870] allocate_slab+0x32e/0x4b0 [ 67.596445][ T5870] ___slab_alloc+0x4ba/0x820 [ 67.601127][ T5870] __slab_alloc.constprop.0+0xa7/0xf0 [ 67.606498][ T5870] __kmalloc_node_track_caller+0x2e3/0x360 [ 67.612399][ T5870] drmm_kmalloc+0x7e/0x1f0 [ 67.616819][ T5870] __drmm_universal_plane_alloc+0x141/0x260 [ 67.623062][ T5870] vkms_plane_init+0x64/0xc0 [ 67.627754][ T5870] vkms_output_init+0x27/0x440 [ 67.632536][ T5870] vkms_init+0x4bb/0x54c [ 67.636782][ T5870] do_one_initcall+0xbe/0x440 [ 67.641471][ T5870] kernel_init_freeable+0x5b2/0x60c [ 67.646856][ T5870] kernel_init+0x14/0x120 [ 67.651276][ T5870] ret_from_fork+0x1f/0x30 [ 67.655697][ T5870] page_owner free stack trace missing [ 67.661062][ T5870] [ 67.663386][ T5870] Memory state around the buggy address: [ 67.669008][ T5870] ffff88801d68f900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.677523][ T5870] ffff88801d68f980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.685584][ T5870] >ffff88801d68fa00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.693727][ T5870] ^ [ 67.699276][ T5870] ffff88801d68fa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.707467][ T5870] ffff88801d68fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 67.715611][ T5870] ================================================================== [ 67.723795][ T5870] Disabling lock debugging due to kernel taint [ 67.731012][ T5870] Kernel panic - not syncing: panic_on_warn set ... [ 67.737708][ T5870] CPU: 0 PID: 5870 Comm: syz-executor655 Tainted: G B 5.14.0-rc3-syzkaller #0 [ 67.748333][ T5870] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 67.758457][ T5870] Call Trace: [ 67.761812][ T5870] dump_stack_lvl+0x57/0x7d [ 67.766381][ T5870] panic+0x256/0x4eb [ 67.770252][ T5870] ? __warn_printk+0xee/0xee [ 67.774825][ T5870] ? preempt_schedule_common+0x59/0xc0 [ 67.780259][ T5870] ? drm_gem_object_release_handle+0xd1/0xf0 [ 67.786299][ T5870] ? preempt_schedule_thunk+0x16/0x18 [ 67.791652][ T5870] ? drm_gem_object_release_handle+0xd1/0xf0 [ 67.797602][ T5870] ? drm_gem_object_release_handle+0xd1/0xf0 [ 67.803728][ T5870] end_report.cold+0x5a/0x5a [ 67.808295][ T5870] kasan_report.cold+0x71/0xdf [ 67.813033][ T5870] ? drm_gem_object_release_handle+0xd1/0xf0 [ 67.819071][ T5870] drm_gem_object_release_handle+0xd1/0xf0 [ 67.824942][ T5870] ? drm_gem_object_handle_put_unlocked+0x2a0/0x2a0 [ 67.831686][ T5870] idr_for_each+0xf5/0x1d0 [ 67.836081][ T5870] ? idr_find+0x50/0x50 [ 67.840232][ T5870] ? lockdep_hardirqs_on_prepare+0x17b/0x400 [ 67.846204][ T5870] drm_gem_release+0x17/0x20 [ 67.850784][ T5870] drm_file_free.part.0+0x7a1/0xb60 [ 67.856234][ T5870] ? drm_close_helper.isra.0+0x153/0x1d0 [ 67.861846][ T5870] drm_release+0x1bb/0x4b0 [ 67.866235][ T5870] __fput+0x209/0x870 [ 67.870199][ T5870] task_work_run+0xc0/0x160 [ 67.874958][ T5870] do_exit+0x9fe/0x24e0 [ 67.879090][ T5870] ? lock_downgrade+0x6e0/0x6e0 [ 67.883916][ T5870] ? mm_update_next_owner+0x6d0/0x6d0 [ 67.889260][ T5870] do_group_exit+0xe7/0x290 [ 67.893822][ T5870] __x64_sys_exit_group+0x35/0x40 [ 67.898817][ T5870] do_syscall_64+0x35/0xb0 [ 67.903221][ T5870] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 67.909107][ T5870] RIP: 0033:0x7f5cbd9759e9 [ 67.913502][ T5870] Code: Unable to access opcode bytes at RIP 0x7f5cbd9759bf. [ 67.920844][ T5870] RSP: 002b:00007ffdf4ae08f8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 67.929358][ T5870] RAX: ffffffffffffffda RBX: 00007f5cbd9e93f0 RCX: 00007f5cbd9759e9 [ 67.937318][ T5870] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 67.945283][ T5870] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000 [ 67.953229][ T5870] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f5cbd9e93f0 [ 67.961369][ T5870] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 67.969829][ T5870] Kernel Offset: disabled [ 67.974225][ T5870] Rebooting in 86400 seconds..