./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor4050888800 <...> DUID 00:04:ab:86:5b:51:31:5e:ac:a3:74:55:84:ab:cd:90:ff:3d forked to background, child pid 3188 [ 28.941661][ T3189] 8021q: adding VLAN 0 to HW filter on device bond0 [ 28.950242][ T3189] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.10.1' (ECDSA) to the list of known hosts. execve("./syz-executor4050888800", ["./syz-executor4050888800"], 0x7fffb95d30d0 /* 10 vars */) = 0 brk(NULL) = 0x555557510000 brk(0x555557510c40) = 0x555557510c40 arch_prctl(ARCH_SET_FS, 0x555557510300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor4050888800", 4096) = 28 brk(0x555557531c40) = 0x555557531c40 brk(0x555557532000) = 0x555557532000 mprotect(0x7f8e2c2f9000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY) = 3 ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB, 0x20000080) = 0 mmap(0x20ffc000, 12328, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100000000) = 0x20ffc000 exit_group(0) = ? syzkaller login: [ 51.265053][ T3609] ================================================================== [ 51.265063][ T3609] BUG: KASAN: vmalloc-out-of-bounds in check_move_unevictable_pages+0x3f6/0x440 [ 51.265085][ T3609] Write of size 8 at addr ffffc90002d20008 by task syz-executor405/3609 [ 51.265098][ T3609] [ 51.265101][ T3609] CPU: 0 PID: 3609 Comm: syz-executor405 Not tainted 5.19.0-rc1-next-20220607-syzkaller #0 [ 51.265116][ T3609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.265124][ T3609] Call Trace: [ 51.265128][ T3609] [ 51.265133][ T3609] dump_stack_lvl+0xcd/0x134 [ 51.265165][ T3609] print_address_description.constprop.0.cold+0xf/0x495 [ 51.265189][ T3609] ? check_move_unevictable_pages+0x3f6/0x440 [ 51.265202][ T3609] kasan_report.cold+0xf4/0x1c6 [ 51.265222][ T3609] ? pat_enabled+0x1/0x10 [ 51.265236][ T3609] ? check_move_unevictable_pages+0x3f6/0x440 [ 51.265251][ T3609] check_move_unevictable_pages+0x3f6/0x440 [ 51.265265][ T3609] ? check_move_unevictable_folios+0x1590/0x1590 [ 51.265279][ T3609] ? __change_page_attr_set_clr+0x1/0x1ec0 [ 51.265295][ T3609] ? pat_pagerange_is_ram+0xa8/0x140 [ 51.265310][ T3609] ? memtype_seq_stop+0x20/0x20 [ 51.265325][ T3609] ? cpa_flush+0x310/0x440 [ 51.265339][ T3609] drm_gem_put_pages+0x29f/0x3f0 [ 51.265355][ T3609] ? drm_gem_vm_open+0xc0/0xc0 [ 51.265366][ T3609] ? set_pages_array_wb+0x183/0x240 [ 51.265387][ T3609] drm_gem_shmem_put_pages_locked+0x13e/0x230 [ 51.265402][ T3609] ? drm_gem_shmem_object_get_sg_table+0x100/0x100 [ 51.265418][ T3609] drm_gem_shmem_vm_close+0x45/0x70 [ 51.265433][ T3609] remove_vma+0x81/0x130 [ 51.265446][ T3609] exit_mmap+0x2a1/0x750 [ 51.265461][ T3609] ? __ia32_sys_remap_file_pages+0x150/0x150 [ 51.265487][ T3609] __mmput+0x128/0x4c0 [ 51.265502][ T3609] mmput+0x5c/0x70 [ 51.265515][ T3609] do_exit+0xa18/0x2a00 [ 51.265535][ T3609] ? lock_downgrade+0x6e0/0x6e0 [ 51.265557][ T3609] ? mm_update_next_owner+0x7b0/0x7b0 [ 51.265578][ T3609] ? _raw_spin_unlock_irq+0x1f/0x40 [ 51.265599][ T3609] ? _raw_spin_unlock_irq+0x1f/0x40 [ 51.265620][ T3609] do_group_exit+0xd2/0x2f0 [ 51.265641][ T3609] __x64_sys_exit_group+0x3a/0x50 [ 51.265661][ T3609] do_syscall_64+0x35/0xb0 [ 51.265677][ T3609] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 51.265699][ T3609] RIP: 0033:0x7f8e2c28b299 [ 51.265710][ T3609] Code: Unable to access opcode bytes at RIP 0x7f8e2c28b26f. [ 51.265715][ T3609] RSP: 002b:00007ffe02c318d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 51.265730][ T3609] RAX: ffffffffffffffda RBX: 00007f8e2c2ff270 RCX: 00007f8e2c28b299 [ 51.265740][ T3609] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 51.265748][ T3609] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000 [ 51.265757][ T3609] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f8e2c2ff270 [ 51.265765][ T3609] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 51.265778][ T3609] [ 51.265782][ T3609] [ 51.265787][ T3609] The buggy address belongs to the virtual mapping at [ 51.265787][ T3609] [ffffc90002d18000, ffffc90002d21000) created by: [ 51.265787][ T3609] kernel_clone+0xe7/0xab0 [ 51.265807][ T3609] [ 51.265810][ T3609] Memory state around the buggy address: [ 51.265816][ T3609] ffffc90002d1ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 51.265825][ T3609] ffffc90002d1ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 51.265833][ T3609] >ffffc90002d20000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.265839][ T3609] ^ [ 51.265845][ T3609] ffffc90002d20080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.265853][ T3609] ffffc90002d20100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 51.265859][ T3609] ================================================================== [ 51.265865][ T3609] Kernel panic - not syncing: panic_on_warn set ... [ 51.634060][ T3609] CPU: 0 PID: 3609 Comm: syz-executor405 Not tainted 5.19.0-rc1-next-20220607-syzkaller #0 [ 51.644028][ T3609] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 [ 51.654074][ T3609] Call Trace: [ 51.657343][ T3609] [ 51.660261][ T3609] dump_stack_lvl+0xcd/0x134 [ 51.664939][ T3609] panic+0x2d7/0x636 [ 51.668827][ T3609] ? panic_print_sys_info.part.0+0x10b/0x10b [ 51.674808][ T3609] ? mark_held_locks+0x9f/0xe0 [ 51.679569][ T3609] ? check_move_unevictable_pages+0x3f6/0x440 [ 51.685625][ T3609] ? check_move_unevictable_pages+0x3f6/0x440 [ 51.691684][ T3609] end_report.part.0+0x3f/0x7c [ 51.696445][ T3609] kasan_report.cold+0x93/0x1c6 [ 51.701295][ T3609] ? pat_enabled+0x1/0x10 [ 51.705615][ T3609] ? check_move_unevictable_pages+0x3f6/0x440 [ 51.711691][ T3609] check_move_unevictable_pages+0x3f6/0x440 [ 51.717595][ T3609] ? check_move_unevictable_folios+0x1590/0x1590 [ 51.723929][ T3609] ? __change_page_attr_set_clr+0x1/0x1ec0 [ 51.729737][ T3609] ? pat_pagerange_is_ram+0xa8/0x140 [ 51.735021][ T3609] ? memtype_seq_stop+0x20/0x20 [ 51.739882][ T3609] ? cpa_flush+0x310/0x440 [ 51.744323][ T3609] drm_gem_put_pages+0x29f/0x3f0 [ 51.749258][ T3609] ? drm_gem_vm_open+0xc0/0xc0 [ 51.754011][ T3609] ? set_pages_array_wb+0x183/0x240 [ 51.759303][ T3609] drm_gem_shmem_put_pages_locked+0x13e/0x230 [ 51.765394][ T3609] ? drm_gem_shmem_object_get_sg_table+0x100/0x100 [ 51.771903][ T3609] drm_gem_shmem_vm_close+0x45/0x70 [ 51.777107][ T3609] remove_vma+0x81/0x130 [ 51.781358][ T3609] exit_mmap+0x2a1/0x750 [ 51.785591][ T3609] ? __ia32_sys_remap_file_pages+0x150/0x150 [ 51.791571][ T3609] __mmput+0x128/0x4c0 [ 51.795635][ T3609] mmput+0x5c/0x70 [ 51.799349][ T3609] do_exit+0xa18/0x2a00 [ 51.803503][ T3609] ? lock_downgrade+0x6e0/0x6e0 [ 51.808352][ T3609] ? mm_update_next_owner+0x7b0/0x7b0 [ 51.813718][ T3609] ? _raw_spin_unlock_irq+0x1f/0x40 [ 51.818924][ T3609] ? _raw_spin_unlock_irq+0x1f/0x40 [ 51.824204][ T3609] do_group_exit+0xd2/0x2f0 [ 51.828726][ T3609] __x64_sys_exit_group+0x3a/0x50 [ 51.833784][ T3609] do_syscall_64+0x35/0xb0 [ 51.838204][ T3609] entry_SYSCALL_64_after_hwframe+0x46/0xb0 [ 51.844103][ T3609] RIP: 0033:0x7f8e2c28b299 [ 51.848510][ T3609] Code: Unable to access opcode bytes at RIP 0x7f8e2c28b26f. [ 51.855856][ T3609] RSP: 002b:00007ffe02c318d8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 [ 51.864265][ T3609] RAX: ffffffffffffffda RBX: 00007f8e2c2ff270 RCX: 00007f8e2c28b299 [ 51.872234][ T3609] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000 [ 51.880195][ T3609] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000 [ 51.888156][ T3609] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f8e2c2ff270 [ 51.896114][ T3609] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001 [ 51.904079][ T3609] [ 51.907249][ T3609] Kernel Offset: disabled [ 51.911583][ T3609] Rebooting in 86400 seconds..