./strace-static-x86_64 -e \!wait4,clock_nanosleep,nanosleep -s 100 -x -f ./syz-executor3156480762
<...>
Warning: Permanently added '10.128.10.38' (ECDSA) to the list of known hosts.
execve("./syz-executor3156480762", ["./syz-executor3156480762"], 0x7ffc2a238de0 /* 10 vars */) = 0
brk(NULL) = 0x555555df0000
brk(0x555555df0c40) = 0x555555df0c40
arch_prctl(ARCH_SET_FS, 0x555555df0300) = 0
uname({sysname="Linux", nodename="syzkaller", ...}) = 0
readlink("/proc/self/exe", "/root/syz-executor3156480762", 4096) = 28
brk(0x555555e11c40) = 0x555555e11c40
brk(0x555555e12000) = 0x555555e12000
mprotect(0x7f8d1ceff000, 16384, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
openat(AT_FDCWD, "/sys/kernel/debug/failslab/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_futex/ignore-private", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-highmem", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/ignore-gfp-wait", O_WRONLY|O_CLOEXEC) = 3
write(3, "N", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/sys/kernel/debug/fail_page_alloc/min-order", O_WRONLY|O_CLOEXEC) = 3
write(3, "0", 1) = 1
close(3) = 0
openat(AT_FDCWD, "/dev/dri/card0", O_RDONLY) = 3
ioctl(3, DRM_IOCTL_MODE_CREATE_DUMB, 0x20000080) = 0
openat(AT_FDCWD, "/proc/thread-self/fail-nth", O_RDWR) = 4
write(4, "4", 1) = 1
mmap(0x20ffc000, 12328, PROT_NONE, MAP_PRIVATE|MAP_FIXED, 3, 0x100000000) = -1 ENOMEM (Cannot allocate memory)
exit_group(0) = ?
syzkaller login: [ 36.502100][ T3612] ==================================================================
[ 36.510205][ T3612] BUG: KASAN: use-after-free in drm_gem_object_release_handle+0xa1/0xb0
[ 36.518554][ T3612] Read of size 8 at addr ffff88802087a1e8 by task syz-executor315/3612
[ 36.526777][ T3612]
[ 36.529085][ T3612] CPU: 0 PID: 3612 Comm: syz-executor315 Not tainted 6.0.0-syzkaller-07994-ge8bc52cb8df8 #0
[ 36.539130][ T3612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 36.549170][ T3612] Call Trace:
[ 36.552448][ T3612]
[ 36.555368][ T3612] dump_stack_lvl+0xcd/0x134
[ 36.559954][ T3612] print_report.cold+0x2ba/0x719
[ 36.564914][ T3612] ? drm_gem_object_release_handle+0xa1/0xb0
[ 36.570907][ T3612] kasan_report+0xb1/0x1e0
[ 36.575328][ T3612] ? drm_gem_object_release_handle+0xa1/0xb0
[ 36.581302][ T3612] drm_gem_object_release_handle+0xa1/0xb0
[ 36.587100][ T3612] ? drm_gem_object_handle_put_unlocked+0x390/0x390
[ 36.593675][ T3612] idr_for_each+0x113/0x220
[ 36.598181][ T3612] ? idr_find+0x50/0x50
[ 36.602325][ T3612] ? rwlock_bug.part.0+0x90/0x90
[ 36.607250][ T3612] ? wait_for_completion_io_timeout+0x20/0x20
[ 36.613312][ T3612] drm_gem_release+0x22/0x30
[ 36.617895][ T3612] drm_file_free+0x7bb/0xb90
[ 36.622489][ T3612] ? drm_close_helper.isra.0+0x16b/0x1e0
[ 36.628126][ T3612] drm_release+0x1a6/0x4d0
[ 36.632622][ T3612] __fput+0x27c/0xa90
[ 36.636610][ T3612] ? drm_lastclose+0xe0/0xe0
[ 36.641196][ T3612] task_work_run+0xdd/0x1a0
[ 36.645710][ T3612] do_exit+0xad5/0x29b0
[ 36.649870][ T3612] ? mm_update_next_owner+0x7a0/0x7a0
[ 36.655241][ T3612] do_group_exit+0xd2/0x2f0
[ 36.659739][ T3612] __x64_sys_exit_group+0x3a/0x50
[ 36.664762][ T3612] do_syscall_64+0x35/0xb0
[ 36.669171][ T3612] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 36.675059][ T3612] RIP: 0033:0x7f8d1ce919e9
[ 36.679458][ T3612] Code: Unable to access opcode bytes at 0x7f8d1ce919bf.
[ 36.686457][ T3612] RSP: 002b:00007ffd54d314e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 36.694863][ T3612] RAX: ffffffffffffffda RBX: 00007f8d1cf053f0 RCX: 00007f8d1ce919e9
[ 36.702822][ T3612] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 36.710778][ T3612] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000
[ 36.718734][ T3612] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f8d1cf053f0
[ 36.726692][ T3612] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 36.734681][ T3612]
[ 36.737685][ T3612]
[ 36.739997][ T3612] Allocated by task 3612:
[ 36.744317][ T3612] kasan_save_stack+0x1e/0x40
[ 36.748987][ T3612] __kasan_kmalloc+0xa9/0xd0
[ 36.753565][ T3612] vgem_gem_create_object+0x38/0xb0
[ 36.758757][ T3612] __drm_gem_shmem_create+0x80/0x480
[ 36.764034][ T3612] drm_gem_shmem_dumb_create+0x13c/0x380
[ 36.769656][ T3612] drm_mode_create_dumb+0x26c/0x2f0
[ 36.774846][ T3612] drm_ioctl_kernel+0x27d/0x4e0
[ 36.779682][ T3612] drm_ioctl+0x3e2/0xa30
[ 36.783998][ T3612] __x64_sys_ioctl+0x193/0x200
[ 36.788751][ T3612] do_syscall_64+0x35/0xb0
[ 36.793158][ T3612] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 36.799039][ T3612]
[ 36.801346][ T3612] Freed by task 3612:
[ 36.805307][ T3612] kasan_save_stack+0x1e/0x40
[ 36.809974][ T3612] kasan_set_track+0x21/0x30
[ 36.814565][ T3612] kasan_set_free_info+0x20/0x30
[ 36.819581][ T3612] ____kasan_slab_free+0x166/0x1c0
[ 36.825027][ T3612] slab_free_freelist_hook+0x8b/0x1c0
[ 36.830383][ T3612] kfree+0xe2/0x580
[ 36.834176][ T3612] drm_gem_mmap+0x4fc/0x770
[ 36.838663][ T3612] mmap_region+0xbff/0x1460
[ 36.843159][ T3612] do_mmap+0x863/0xfa0
[ 36.847212][ T3612] vm_mmap_pgoff+0x1ab/0x270
[ 36.851788][ T3612] ksys_mmap_pgoff+0x41b/0x5a0
[ 36.856540][ T3612] do_syscall_64+0x35/0xb0
[ 36.860946][ T3612] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 36.866826][ T3612]
[ 36.869139][ T3612] The buggy address belongs to the object at ffff88802087a000
[ 36.869139][ T3612] which belongs to the cache kmalloc-1k of size 1024
[ 36.883176][ T3612] The buggy address is located 488 bytes inside of
[ 36.883176][ T3612] 1024-byte region [ffff88802087a000, ffff88802087a400)
[ 36.896523][ T3612]
[ 36.898833][ T3612] The buggy address belongs to the physical page:
[ 36.905226][ T3612] page:ffffea0000821e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x20878
[ 36.915359][ T3612] head:ffffea0000821e00 order:3 compound_mapcount:0 compound_pincount:0
[ 36.923671][ T3612] flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
[ 36.931638][ T3612] raw: 00fff00000010200 0000000000000000 dead000000000001 ffff888011841dc0
[ 36.940215][ T3612] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[ 36.948780][ T3612] page dumped because: kasan: bad access detected
[ 36.955170][ T3612] page_owner tracks the page as allocated
[ 36.960865][ T3612] page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 3201, tgid 3201 (dhcpcd-run-hook), ts 20744794384, free_ts 20738415897
[ 36.981776][ T3612] get_page_from_freelist+0x109b/0x2ce0
[ 36.987319][ T3612] __alloc_pages+0x1c7/0x510
[ 36.991905][ T3612] alloc_pages+0x1a6/0x270
[ 36.996311][ T3612] allocate_slab+0x27e/0x3d0
[ 37.000890][ T3612] ___slab_alloc+0x84f/0xe80
[ 37.005466][ T3612] __slab_alloc.constprop.0+0x4d/0xa0
[ 37.010829][ T3612] __kmalloc+0x32b/0x340
[ 37.015062][ T3612] tomoyo_init_log+0x128a/0x1ed0
[ 37.020075][ T3612] tomoyo_supervisor+0x350/0xf10
[ 37.025009][ T3612] tomoyo_env_perm+0x17f/0x1f0
[ 37.029761][ T3612] tomoyo_find_next_domain+0x13ce/0x1f80
[ 37.035382][ T3612] tomoyo_bprm_check_security+0x121/0x1a0
[ 37.041099][ T3612] security_bprm_check+0x45/0xa0
[ 37.046032][ T3612] bprm_execve+0x732/0x1960
[ 37.050527][ T3612] do_execveat_common+0x727/0x890
[ 37.055541][ T3612] __x64_sys_execve+0x8f/0xc0
[ 37.060209][ T3612] page last free stack trace:
[ 37.064864][ T3612] free_pcp_prepare+0x5e4/0xd20
[ 37.069706][ T3612] free_unref_page+0x19/0x4d0
[ 37.074375][ T3612] __unfreeze_partials+0x17c/0x1a0
[ 37.079474][ T3612] qlist_free_all+0x6a/0x170
[ 37.084058][ T3612] kasan_quarantine_reduce+0x180/0x200
[ 37.089513][ T3612] __kasan_slab_alloc+0xa2/0xc0
[ 37.094390][ T3612] kmem_cache_alloc_lru+0x376/0x720
[ 37.099594][ T3612] __d_alloc+0x32/0x980
[ 37.103739][ T3612] d_alloc_cursor+0x3b/0xd0
[ 37.108233][ T3612] dcache_dir_open+0x33/0x90
[ 37.112818][ T3612] do_dentry_open+0x6cc/0x13f0
[ 37.117578][ T3612] path_openat+0x1c92/0x28f0
[ 37.122162][ T3612] do_filp_open+0x1b6/0x400
[ 37.126662][ T3612] do_sys_openat2+0x16d/0x4c0
[ 37.131324][ T3612] __x64_sys_openat+0x13f/0x1f0
[ 37.136160][ T3612] do_syscall_64+0x35/0xb0
[ 37.140573][ T3612]
[ 37.142886][ T3612] Memory state around the buggy address:
[ 37.148507][ T3612] ffff88802087a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.156579][ T3612] ffff88802087a100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.164624][ T3612] >ffff88802087a180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.172670][ T3612] ^
[ 37.180114][ T3612] ffff88802087a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.188163][ T3612] ffff88802087a280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 37.196293][ T3612] ==================================================================
[ 37.205137][ T3612] Kernel panic - not syncing: panic_on_warn set ...
[ 37.211743][ T3612] CPU: 1 PID: 3612 Comm: syz-executor315 Not tainted 6.0.0-syzkaller-07994-ge8bc52cb8df8 #0
[ 37.221811][ T3612] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
[ 37.231868][ T3612] Call Trace:
[ 37.235240][ T3612]
[ 37.238172][ T3612] dump_stack_lvl+0xcd/0x134
[ 37.242774][ T3612] panic+0x2c8/0x622
[ 37.246683][ T3612] ? panic_print_sys_info.part.0+0x10b/0x10b
[ 37.252759][ T3612] ? preempt_schedule_common+0x59/0xc0
[ 37.258261][ T3612] ? preempt_schedule_thunk+0x16/0x18
[ 37.263667][ T3612] ? drm_gem_object_release_handle+0xa1/0xb0
[ 37.269658][ T3612] end_report.part.0+0x3f/0x7c
[ 37.274457][ T3612] kasan_report.cold+0xa/0xf
[ 37.279152][ T3612] ? drm_gem_object_release_handle+0xa1/0xb0
[ 37.285150][ T3612] drm_gem_object_release_handle+0xa1/0xb0
[ 37.290965][ T3612] ? drm_gem_object_handle_put_unlocked+0x390/0x390
[ 37.297562][ T3612] idr_for_each+0x113/0x220
[ 37.302085][ T3612] ? idr_find+0x50/0x50
[ 37.306252][ T3612] ? rwlock_bug.part.0+0x90/0x90
[ 37.311203][ T3612] ? wait_for_completion_io_timeout+0x20/0x20
[ 37.317315][ T3612] drm_gem_release+0x22/0x30
[ 37.321916][ T3612] drm_file_free+0x7bb/0xb90
[ 37.326516][ T3612] ? drm_close_helper.isra.0+0x16b/0x1e0
[ 37.332158][ T3612] drm_release+0x1a6/0x4d0
[ 37.336680][ T3612] __fput+0x27c/0xa90
[ 37.340673][ T3612] ? drm_lastclose+0xe0/0xe0
[ 37.345272][ T3612] task_work_run+0xdd/0x1a0
[ 37.349790][ T3612] do_exit+0xad5/0x29b0
[ 37.353969][ T3612] ? mm_update_next_owner+0x7a0/0x7a0
[ 37.359365][ T3612] do_group_exit+0xd2/0x2f0
[ 37.363886][ T3612] __x64_sys_exit_group+0x3a/0x50
[ 37.368933][ T3612] do_syscall_64+0x35/0xb0
[ 37.373360][ T3612] entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 37.379265][ T3612] RIP: 0033:0x7f8d1ce919e9
[ 37.383684][ T3612] Code: Unable to access opcode bytes at 0x7f8d1ce919bf.
[ 37.390785][ T3612] RSP: 002b:00007ffd54d314e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
[ 37.399210][ T3612] RAX: ffffffffffffffda RBX: 00007f8d1cf053f0 RCX: 00007f8d1ce919e9
[ 37.407193][ T3612] RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
[ 37.415256][ T3612] RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000100000000
[ 37.423231][ T3612] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f8d1cf053f0
[ 37.431203][ T3612] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 37.439184][ T3612]
[ 37.442257][ T3612] Kernel Offset: disabled
[ 37.446591][ T3612] Rebooting in 86400 seconds..