./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor1278644618 <...> forked to background, child pid 3178 no interfaces have a carrier [ 22.605485][ T3179] 8021q: adding VLAN 0 to HW filter on device bond0 [ 22.615520][ T3179] eql: remember to turn off Van-Jacobson compression on your slave devices Starting sshd: OK syzkaller Warning: Permanently added '10.128.0.213' (ECDSA) to the list of known hosts. execve("./syz-executor1278644618", ["./syz-executor1278644618"], 0x7ffe0242b030 /* 10 vars */) = 0 brk(NULL) = 0x555555e5f000 brk(0x555555e5fc40) = 0x555555e5fc40 arch_prctl(ARCH_SET_FS, 0x555555e5f300) = 0 uname({sysname="Linux", nodename="syzkaller", ...}) = 0 readlink("/proc/self/exe", "/root/syz-executor1278644618", 4096) = 28 brk(0x555555e80c40) = 0x555555e80c40 brk(0x555555e81000) = 0x555555e81000 mprotect(0x7f1d8ec0e000, 16384, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000 mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000 mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000 openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3 write(3, "N", 1) = 1 close(3) = 0 openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3 write(3, "0", 1) = 1 close(3) = 0 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x555555e5f5d0) = 3601 ./strace-static-x86_64: Process 3601 attached [pid 3600] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3601] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3602 attached ./strace-static-x86_64: Process 3603 attached [pid 3600] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3602 [pid 3600] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD./strace-static-x86_64: Process 3604 attached [pid 3603] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3602] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3600] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3604 [pid 3603] <... prctl resumed>) = 0 ./strace-static-x86_64: Process 3605 attached [pid 3600] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3604] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3603] setpgid(0, 0 [pid 3601] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3603 ./strace-static-x86_64: Process 3607 attached ./strace-static-x86_64: Process 3606 attached [pid 3605] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3603] <... setpgid resumed>) = 0 [pid 3602] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3605 [pid 3600] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3606 [pid 3607] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3606] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3605] <... prctl resumed>) = 0 [pid 3604] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3607 [pid 3603] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC./strace-static-x86_64: Process 3608 attached [pid 3600] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3607] <... prctl resumed>) = 0 ./strace-static-x86_64: Process 3609 attached [pid 3608] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3607] setpgid(0, 0 [pid 3606] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3608 [pid 3605] setpgid(0, 0 [pid 3603] <... openat resumed>) = 3 [pid 3600] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3609 [pid 3609] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3608] <... prctl resumed>) = 0 [pid 3607] <... setpgid resumed>) = 0 ./strace-static-x86_64: Process 3610 attached [pid 3600] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3608] setpgid(0, 0 [pid 3607] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3605] <... setpgid resumed>) = 0 [pid 3603] write(3, "1000", 4./strace-static-x86_64: Process 3611 attached [pid 3610] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3609] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3610 [pid 3608] <... setpgid resumed>) = 0 [pid 3607] <... openat resumed>) = 3 [pid 3600] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3611 [pid 3611] clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD [pid 3610] <... prctl resumed>) = 0 [pid 3608] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3607] write(3, "1000", 4 [pid 3605] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3603] <... write resumed>) = 4 [pid 3610] setpgid(0, 0 [pid 3608] <... openat resumed>) = 3 [pid 3607] <... write resumed>) = 4 [pid 3605] <... openat resumed>) = 3 [pid 3603] close(3./strace-static-x86_64: Process 3612 attached [pid 3610] <... setpgid resumed>) = 0 [pid 3608] write(3, "1000", 4 [pid 3607] close(3 [pid 3605] write(3, "1000", 4 [pid 3603] <... close resumed>) = 0 [pid 3612] prctl(PR_SET_PDEATHSIG, SIGKILL [pid 3611] <... clone resumed>, child_tidptr=0x555555e5f5d0) = 3612 [pid 3610] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC [pid 3608] <... write resumed>) = 4 [pid 3607] <... close resumed>) = 0 [pid 3605] <... write resumed>) = 4 [pid 3603] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR [pid 3610] <... openat resumed>) = 3 [pid 3608] close(3 [pid 3607] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR [pid 3605] close(3 [pid 3608] <... close resumed>) = 0 [pid 3610] write(3, "1000", 4 [pid 3605] <... close resumed>) = 0 [pid 3603] <... openat resumed>) = 3 [pid 3610] <... write resumed>) = 4 [pid 3608] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR [pid 3607] <... openat resumed>) = 3 [pid 3605] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR [pid 3603] ioctl(3, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=27, height=5, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3612] <... prctl resumed>) = 0 [pid 3610] close(3 [pid 3608] <... openat resumed>) = 3 [pid 3607] ioctl(3, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=27, height=5, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3605] <... openat resumed>) = 3 [pid 3605] ioctl(3, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=27, height=5, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3610] <... close resumed>) = 0 [pid 3610] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR [pid 3608] ioctl(3, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=27, height=5, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3610] <... openat resumed>) = 3 [pid 3612] setpgid(0, 0) = 0 [pid 3610] ioctl(3, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=27, height=5, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3612] openat(AT_FDCWD, "/proc/self/oom_score_adj", O_WRONLY|O_CLOEXEC) = 3 [pid 3612] write(3, "1000", 4) = 4 [pid 3612] close(3) = 0 [pid 3612] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR) = 3 [pid 3612] ioctl(3, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=27, height=5, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3603] <... ioctl resumed>) = 0 [pid 3603] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR) = 4 [pid 3603] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 5 [pid 3603] write(5, "7", 1) = 1 [pid 3603] ioctl(4, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=1, height=27, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3605] <... ioctl resumed>) = 0 [pid 3605] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR) = 4 [pid 3605] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 5 [pid 3605] write(5, "7", 1) = 1 [pid 3605] ioctl(4, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=1, height=27, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3607] <... ioctl resumed>) = 0 [pid 3607] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR) = 4 [pid 3607] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 5 [pid 3607] write(5, "7", 1) = 1 [pid 3607] ioctl(4, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=1, height=27, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3608] <... ioctl resumed>) = 0 [pid 3608] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR) = 4 [pid 3608] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 5 [pid 3608] write(5, "7", 1) = 1 [pid 3608] ioctl(4, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=1, height=27, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3610] <... ioctl resumed>) = 0 [pid 3610] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR) = 4 [pid 3610] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 5 [pid 3610] write(5, "7", 1) = 1 [pid 3610] ioctl(4, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=1, height=27, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} [pid 3603] <... ioctl resumed>) = 0 [pid 3612] <... ioctl resumed>) = 0 [pid 3603] exit_group(0 [pid 3612] openat(AT_FDCWD, "/dev/char/4:1", O_RDWR [pid 3603] <... exit_group resumed>) = ? [pid 3603] +++ exited with 0 +++ [pid 3612] <... openat resumed>) = 4 [pid 3612] openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR [pid 3601] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=3603, si_uid=0, si_status=0, si_utime=0, si_stime=1} --- [pid 3612] <... openat resumed>) = 5 [pid 3601] restart_syscall(<... resuming interrupted clone ...> [pid 3612] write(5, "7", 1 [pid 3601] <... restart_syscall resumed>) = 0 [pid 3612] <... write resumed>) = 1 [pid 3612] ioctl(4, KDFONTOP, {op=KD_FONT_OP_SET, flags=0, width=1, height=27, charcount=512, data="\x0d\xe4\x73\x70\x56\x3e\xd4\x50\xe7\x4f\xba\x9e\xe1\x79\xc0\xc3\xe9\xad\xc8\x5c\xaf\x8b\x84\x72\x24\x62\xad\x15\x24\xc6\x6b\xfb\x8e\x45\xba\x6e\x38\x74\xc6\x5b\x82\x9b\x1f\x1a\x23\x5b\xd3\xb1\x48\xfb\x05\x15\xce\xe6\x7c\xda\xf9\xae\xae\x59\x5c\x1e\x8e\xa1\xa6\x1d\x94\x24\x98\x1d\x3f\x26\xe4\x69\x9a\x20\x6b\xcd\xd0\xf8\xf5\x37\x45\x66\x88\xf3\xcd\xfc\x70\x45\xda\x32\x84\x2f\x9b\x8e\x41\x12\x7e\xd9"...} syzkaller login: [ 39.793776][ T3605] ================================================================== [ 39.793784][ T3605] BUG: KASAN: vmalloc-out-of-bounds in sys_imageblit+0x1ed0/0x2240 [ 39.793821][ T3605] Write of size 4 at addr ffffc90004521000 by task syz-executor127/3605 [ 39.793831][ T3605] [ 39.793834][ T3605] CPU: 0 PID: 3605 Comm: syz-executor127 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0 [ 39.793847][ T3605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 39.793854][ T3605] Call Trace: [ 39.793858][ T3605] [ 39.793862][ T3605] dump_stack_lvl+0xcd/0x134 [ 39.793877][ T3605] print_address_description.constprop.0.cold+0xf/0x495 [ 39.793892][ T3605] ? sys_imageblit+0x1ed0/0x2240 [ 39.793904][ T3605] kasan_report.cold+0xf4/0x1c6 [ 39.793919][ T3605] ? sys_imageblit+0x1ed0/0x2240 [ 39.793932][ T3605] sys_imageblit+0x1ed0/0x2240 [ 39.793948][ T3605] ? sys_copyarea+0x1fa0/0x1fa0 [ 39.793961][ T3605] ? find_held_lock+0x2d/0x110 [ 39.793975][ T3605] ? fb_pad_unaligned_buffer+0x3ef/0x4a0 [ 39.793990][ T3605] drm_fbdev_fb_imageblit+0x15c/0x350 [ 39.794006][ T3605] bit_putcs+0x6e1/0xd20 [ 39.794020][ T3605] ? bit_clear+0x4f0/0x4f0 [ 39.794033][ T3605] ? fb_get_color_depth+0x11a/0x240 [ 39.794046][ T3605] ? __sanitizer_cov_trace_switch+0x50/0x90 [ 39.794060][ T3605] ? bit_clear+0x4f0/0x4f0 [ 39.794072][ T3605] fbcon_putcs+0x314/0x3e0 [ 39.794084][ T3605] do_update_region+0x399/0x630 [ 39.794099][ T3605] ? con_get_trans_old+0x2a0/0x2a0 [ 39.794112][ T3605] ? fb_get_color_depth+0x11a/0x240 [ 39.794126][ T3605] ? fbcon_set_palette+0x3f4/0x590 [ 39.794137][ T3605] ? var_to_display+0x7f0/0x7f0 [ 39.794149][ T3605] redraw_screen+0x61f/0x740 [ 39.794159][ T3605] ? free_unref_page+0x32d/0x6a0 [ 39.794171][ T3605] ? insert_char+0x3e0/0x3e0 [ 39.794183][ T3605] fbcon_do_set_font+0x5eb/0x6f0 [ 39.794196][ T3605] fbcon_set_font+0x89d/0xab0 [ 39.794208][ T3605] ? fbcon_set_def_font+0x320/0x320 [ 39.794219][ T3605] con_font_op+0x73a/0xc90 [ 39.794231][ T3605] ? con_write+0x40/0x40 [ 39.794245][ T3605] vt_ioctl+0x1efa/0x2b20 [ 39.794256][ T3605] ? vt_waitactive+0x350/0x350 [ 39.794269][ T3605] ? tomoyo_path_number_perm+0x24e/0x590 [ 39.794284][ T3605] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 39.794298][ T3605] ? __sanitizer_cov_trace_switch+0x50/0x90 [ 39.794311][ T3605] ? vt_waitactive+0x350/0x350 [ 39.794323][ T3605] tty_ioctl+0xbbd/0x15e0 [ 39.794335][ T3605] ? tty_fasync+0x390/0x390 [ 39.794346][ T3605] ? find_held_lock+0x2d/0x110 [ 39.794359][ T3605] ? ptrace_notify+0xfa/0x140 [ 39.794370][ T3605] ? lock_downgrade+0x6e0/0x6e0 [ 39.794382][ T3605] ? _raw_spin_unlock_irq+0x1f/0x40 [ 39.794395][ T3605] ? bpf_lsm_file_ioctl+0x5/0x10 [ 39.794408][ T3605] ? tty_fasync+0x390/0x390 [ 39.794419][ T3605] __x64_sys_ioctl+0x193/0x200 [ 39.794433][ T3605] do_syscall_64+0x35/0xb0 [ 39.794446][ T3605] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 39.794458][ T3605] RIP: 0033:0x7f1d8eba0239 [ 39.794468][ T3605] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 39.794479][ T3605] RSP: 002b:00007ffcf66ac9a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 39.794492][ T3605] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1d8eba0239 [ 39.794500][ T3605] RDX: 0000000020000040 RSI: 0000000000004b72 RDI: 0000000000000004 [ 39.794507][ T3605] RBP: 00007ffcf66ac9c0 R08: 0000000000000001 R09: 0000000000000000 [ 39.794514][ T3605] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005 [ 39.794520][ T3605] R13: 0000000000000000 R14: 00007ffcf66ac9e0 R15: 00007ffcf66ac9d0 [ 39.794531][ T3605] [ 39.794534][ T3605] [ 39.794538][ T3605] The buggy address belongs to the virtual mapping at [ 39.794538][ T3605] [ffffc90004221000, ffffc90004522000) created by: [ 39.794538][ T3605] drm_gem_shmem_vmap+0x3d7/0x5a0 [ 39.794555][ T3605] [ 39.794558][ T3605] Memory state around the buggy address: [ 39.794563][ T3605] ffffc90004520f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 39.794571][ T3605] ffffc90004520f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 39.794578][ T3605] >ffffc90004521000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 39.794583][ T3605] ^ [ 39.794588][ T3605] ffffc90004521080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 39.794595][ T3605] ffffc90004521100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 39.794601][ T3605] ================================================================== [ 39.794606][ T3605] Kernel panic - not syncing: panic_on_warn set ... [ 39.794610][ T3605] CPU: 0 PID: 3605 Comm: syz-executor127 Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0 [ 39.794621][ T3605] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022 [ 39.794627][ T3605] Call Trace: [ 39.794629][ T3605] [ 39.794633][ T3605] dump_stack_lvl+0xcd/0x134 [ 39.794644][ T3605] panic+0x2d7/0x636 [ 39.794654][ T3605] ? panic_print_sys_info.part.0+0x10b/0x10b [ 39.794666][ T3605] ? mark_held_locks+0x9f/0xe0 [ 39.794676][ T3605] ? sys_imageblit+0x1ed0/0x2240 [ 39.794689][ T3605] ? sys_imageblit+0x1ed0/0x2240 [ 39.794701][ T3605] end_report.part.0+0x3f/0x7c [ 39.794711][ T3605] kasan_report.cold+0x93/0x1c6 [ 39.794722][ T3605] ? sys_imageblit+0x1ed0/0x2240 [ 39.794734][ T3605] sys_imageblit+0x1ed0/0x2240 [ 39.794750][ T3605] ? sys_copyarea+0x1fa0/0x1fa0 [ 39.794762][ T3605] ? find_held_lock+0x2d/0x110 [ 39.794774][ T3605] ? fb_pad_unaligned_buffer+0x3ef/0x4a0 [ 39.794789][ T3605] drm_fbdev_fb_imageblit+0x15c/0x350 [ 39.794802][ T3605] bit_putcs+0x6e1/0xd20 [ 39.794816][ T3605] ? bit_clear+0x4f0/0x4f0 [ 39.794828][ T3605] ? fb_get_color_depth+0x11a/0x240 [ 39.794841][ T3605] ? __sanitizer_cov_trace_switch+0x50/0x90 [ 39.794853][ T3605] ? bit_clear+0x4f0/0x4f0 [ 39.794864][ T3605] fbcon_putcs+0x314/0x3e0 [ 39.794876][ T3605] do_update_region+0x399/0x630 [ 39.794891][ T3605] ? con_get_trans_old+0x2a0/0x2a0 [ 39.794903][ T3605] ? fb_get_color_depth+0x11a/0x240 [ 39.794920][ T3605] ? fbcon_set_palette+0x3f4/0x590 [ 39.794931][ T3605] ? var_to_display+0x7f0/0x7f0 [ 39.794942][ T3605] redraw_screen+0x61f/0x740 [ 39.794952][ T3605] ? free_unref_page+0x32d/0x6a0 [ 39.794963][ T3605] ? insert_char+0x3e0/0x3e0 [ 39.794974][ T3605] fbcon_do_set_font+0x5eb/0x6f0 [ 39.794986][ T3605] fbcon_set_font+0x89d/0xab0 [ 39.794998][ T3605] ? fbcon_set_def_font+0x320/0x320 [ 39.795009][ T3605] con_font_op+0x73a/0xc90 [ 39.795020][ T3605] ? con_write+0x40/0x40 [ 39.795033][ T3605] vt_ioctl+0x1efa/0x2b20 [ 39.795044][ T3605] ? vt_waitactive+0x350/0x350 [ 39.795056][ T3605] ? tomoyo_path_number_perm+0x24e/0x590 [ 39.795070][ T3605] ? tomoyo_execute_permission+0x4a0/0x4a0 [ 39.795084][ T3605] ? __sanitizer_cov_trace_switch+0x50/0x90 [ 39.795097][ T3605] ? vt_waitactive+0x350/0x350 [ 39.795108][ T3605] tty_ioctl+0xbbd/0x15e0 [ 39.795118][ T3605] ? tty_fasync+0x390/0x390 [ 39.795129][ T3605] ? find_held_lock+0x2d/0x110 [ 39.795142][ T3605] ? ptrace_notify+0xfa/0x140 [ 39.795152][ T3605] ? lock_downgrade+0x6e0/0x6e0 [ 39.795163][ T3605] ? _raw_spin_unlock_irq+0x1f/0x40 [ 39.795174][ T3605] ? bpf_lsm_file_ioctl+0x5/0x10 [ 39.795187][ T3605] ? tty_fasync+0x390/0x390 [ 39.795197][ T3605] __x64_sys_ioctl+0x193/0x200 [ 39.795209][ T3605] do_syscall_64+0x35/0xb0 [ 39.795221][ T3605] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 39.795233][ T3605] RIP: 0033:0x7f1d8eba0239 [ 39.795241][ T3605] Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 [ 39.795251][ T3605] RSP: 002b:00007ffcf66ac9a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 [ 39.795261][ T3605] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007f1d8eba0239 [ 39.795268][ T3605] RDX: 0000000020000040 RSI: 0000000000004b72 RDI: 0000000000000004 [ 39.795274][ T3605] RBP: 00007ffcf66ac9c0 R08: 0000000000000001 R09: 0000000000000000 [ 39.795281][ T3605] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000005 [ 39.795287][ T3605] R13: 0000000000000000 R14: 00007ffcf66ac9e0 R15: 00007ffcf66ac9d0 [ 39.795297][ T3605] [ 39.795860][ T3605] Kernel Offset: disabled