program: r0 = openat$iommufd(0xffffffffffffff9c, &(0x7f0000000000), 0x0, 0x0) ioctl$IOMMU_IOAS_ALLOC(r0, 0x3b81, &(0x7f00000003c0)={0xc, 0x0, 0x0}) ioctl$IOMMU_TEST_OP_CREATE_ACCESS(r0, 0x3ba0, &(0x7f0000000340)={0x48, 0x5, r1, 0x0, 0xffffffffffffffff, 0x1}) openat$iommufd(0xffffffffffffff9c, &(0x7f0000000040), 0x101400, 0x0) socket$l2tp6(0xa, 0x2, 0x73) socket$nl_generic(0x10, 0x3, 0x10) openat$binfmt_format(0xffffffffffffff9c, &(0x7f0000000080)='/proc/sys/fs/binfmt_misc/syz1\x00', 0x2, 0x0) socket$kcm(0x10, 0x400000002, 0x0) socket$key(0xf, 0x3, 0x2) syz_usb_connect$cdc_ecm(0x3, 0x4d, &(0x7f0000001240)=ANY=[@ANYBLOB="12010000020000102505a1a44000010203010902"], 0x0) openat$fuse(0xffffffffffffff9c, &(0x7f00000000c0), 0x42, 0x0) syz_open_procfs(0x0, &(0x7f0000000080)='ns\x00') userfaultfd(0x801) syz_open_dev$sndctrl(&(0x7f0000000240), 0x0, 0x2a8600) openat$audio(0xffffffffffffff9c, &(0x7f00000000c0), 0x88602, 0x0) r2 = syz_open_dev$dri(&(0x7f0000000380), 0x2, 0x0) ioctl$DRM_IOCTL_SET_CLIENT_CAP(r2, 0x4010640d, &(0x7f0000000000)={0x3, 0x2}) ioctl$DRM_IOCTL_MODE_GETPLANERESOURCES(r2, 0xc01064b5, &(0x7f0000000140)={&(0x7f0000000100)=[0x0], 0x40000012}) socket(0x10, 0x3, 0x0) socket$nl_generic(0x10, 0x3, 0x10) socket$inet_udplite(0x2, 0x2, 0x88) socketpair$unix(0x1, 0x2, 0x0, &(0x7f0000000200)) ioctl$DRM_IOCTL_MODE_ATOMIC(r2, 0xc03864bc, &(0x7f0000000180)={0x201, 0x1, &(0x7f0000000540)=[r3], &(0x7f0000000500)=[0x1], &(0x7f0000000200), &(0x7f0000000580), 0x0, 0x7f}) [ 148.610077][ T4670] Bluetooth: hci0: command tx timeout [ 148.909650][ T57] usb 5-1: new high-speed USB device number 2 using dummy_hcd [ 149.061537][ T57] usb 5-1: Using ep0 maxpacket: 16 [ 149.067878][ T57] usb 5-1: config 0 has no interfaces? [ 149.088105][ T57] usb 5-1: New USB device found, idVendor=0525, idProduct=a4a1, bcdDevice= 0.40 [ 149.092407][ T57] usb 5-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 149.103098][ T57] usb 5-1: Product: syz [ 149.105758][ T57] usb 5-1: Manufacturer: syz [ 149.122057][ T57] usb 5-1: SerialNumber: syz [ 149.127862][ T57] usb 5-1: config 0 descriptor?? [ 149.340407][ T5339] UDPLite: UDP-Lite is deprecated and scheduled to be removed in 2025, please contact the netdev mailing list [ 149.366038][ T3588] usb 5-1: USB disconnect, device number 2 [ 149.396245][ T4629] ================================================================== [ 149.399486][ T4629] BUG: KASAN: slab-use-after-free in drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 149.412643][ T4629] Read of size 1 at addr ffff888043945409 by task kworker/u4:10/4629 [ 149.415745][ T4629] [ 149.416711][ T4629] CPU: 0 UID: 0 PID: 4629 Comm: kworker/u4:10 Not tainted 6.15.0-rc1-syzkaller #0 PREEMPT(full) [ 149.416726][ T4629] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 149.416740][ T4629] Workqueue: events_unbound commit_work [ 149.416763][ T4629] Call Trace: [ 149.416770][ T4629] [ 149.416775][ T4629] dump_stack_lvl+0x241/0x360 [ 149.416793][ T4629] ? __pfx_dump_stack_lvl+0x10/0x10 [ 149.416805][ T4629] ? __virt_addr_valid+0x183/0x530 [ 149.416818][ T4629] ? rcu_is_watching+0x15/0xb0 [ 149.416829][ T4629] ? __virt_addr_valid+0x183/0x530 [ 149.416840][ T4629] ? lock_release+0x4e/0x3e0 [ 149.416850][ T4629] ? __virt_addr_valid+0x183/0x530 [ 149.416861][ T4629] ? __virt_addr_valid+0x183/0x530 [ 149.416873][ T4629] print_report+0x16e/0x5b0 [ 149.416884][ T4629] ? __virt_addr_valid+0x183/0x530 [ 149.416896][ T4629] ? __virt_addr_valid+0x183/0x530 [ 149.416907][ T4629] ? __virt_addr_valid+0x45f/0x530 [ 149.416918][ T4629] ? __phys_addr+0xba/0x170 [ 149.416930][ T4629] ? drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 149.416943][ T4629] kasan_report+0x143/0x180 [ 149.416955][ T4629] ? drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 149.416969][ T4629] drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 149.416983][ T4629] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 149.417053][ T4629] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 149.417063][ T4629] ? __pfx_drm_atomic_helper_wait_for_vblanks+0x10/0x10 [ 149.417077][ T4629] ? drm_atomic_helper_commit_hw_done+0x3f9/0x430 [ 149.417091][ T4629] drm_atomic_helper_commit_tail+0x314/0x510 [ 149.417105][ T4629] commit_tail+0x2c4/0x3d0 [ 149.417139][ T4629] ? process_scheduled_works+0x9cb/0x18e0 [ 149.417152][ T4629] process_scheduled_works+0xac3/0x18e0 [ 149.417169][ T4629] ? __pfx_process_scheduled_works+0x10/0x10 [ 149.417181][ T4629] ? assign_work+0x367/0x3d0 [ 149.417191][ T4629] worker_thread+0x870/0xd50 [ 149.417204][ T4629] ? __kthread_parkme+0x1a8/0x200 [ 149.417216][ T4629] ? __pfx_worker_thread+0x10/0x10 [ 149.417227][ T4629] kthread+0x7b7/0x940 [ 149.417241][ T4629] ? __pfx_worker_thread+0x10/0x10 [ 149.417251][ T4629] ? __pfx_kthread+0x10/0x10 [ 149.417263][ T4629] ? __pfx_kthread+0x10/0x10 [ 149.417275][ T4629] ? __pfx_kthread+0x10/0x10 [ 149.417286][ T4629] ? __pfx_kthread+0x10/0x10 [ 149.417298][ T4629] ? _raw_spin_unlock_irq+0x23/0x50 [ 149.417306][ T4629] ? lockdep_hardirqs_on+0x9d/0x150 [ 149.417316][ T4629] ? __pfx_kthread+0x10/0x10 [ 149.417327][ T4629] ret_from_fork+0x4b/0x80 [ 149.417337][ T4629] ? __pfx_kthread+0x10/0x10 [ 149.417347][ T4629] ret_from_fork_asm+0x1a/0x30 [ 149.417359][ T4629] [ 149.417362][ T4629] [ 149.676184][ T4629] Allocated by task 5339: [ 149.679724][ T4629] kasan_save_track+0x3f/0x80 [ 149.682643][ T4629] __kasan_kmalloc+0x9d/0xb0 [ 149.691473][ T4629] __kmalloc_cache_noprof+0x236/0x370 [ 149.693385][ T4629] drm_atomic_helper_crtc_duplicate_state+0x72/0xb0 [ 149.695725][ T4629] drm_atomic_get_crtc_state+0x182/0x410 [ 149.701450][ T4629] drm_atomic_get_plane_state+0x44e/0x510 [ 149.710389][ T4629] drm_atomic_set_property+0x281/0x3240 [ 149.713158][ T4629] drm_mode_atomic_ioctl+0x7f0/0x1420 [ 149.715730][ T4629] drm_ioctl_kernel+0x34e/0x450 [ 149.720330][ T4629] drm_ioctl+0x687/0xbb0 [ 149.721964][ T4629] __se_sys_ioctl+0xf1/0x160 [ 149.731884][ T4629] do_syscall_64+0xf3/0x230 [ 149.734161][ T4629] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 149.736874][ T4629] [ 149.737839][ T4629] Freed by task 5338: [ 149.750137][ T4629] kasan_save_track+0x3f/0x80 [ 149.752778][ T4629] kasan_save_free_info+0x40/0x50 [ 149.757555][ T4629] __kasan_slab_free+0x59/0x70 [ 149.761997][ T4629] kfree+0x198/0x430 [ 149.763948][ T4629] drm_atomic_state_default_clear+0x3bd/0xb80 [ 149.770807][ T4629] __drm_atomic_state_free+0xb8/0x210 [ 149.773786][ T4629] drm_client_modeset_commit_atomic+0x727/0x7d0 [ 149.777323][ T4629] drm_client_modeset_commit_locked+0xe0/0x520 [ 149.780885][ T4629] drm_client_modeset_commit+0x4a/0x70 [ 149.786630][ T4629] __drm_fb_helper_restore_fbdev_mode_unlocked+0xbd/0x200 [ 149.791451][ T4629] drm_fbdev_client_restore+0x34/0x40 [ 149.794869][ T4629] drm_client_dev_restore+0x132/0x270 [ 149.799050][ T4629] drm_release+0x335/0x410 [ 149.802730][ T4629] __fput+0x3e9/0x9f0 [ 149.805621][ T4629] task_work_run+0x251/0x310 [ 149.807978][ T4629] syscall_exit_to_user_mode+0x13f/0x340 [ 149.810470][ T4629] do_syscall_64+0x100/0x230 [ 149.812338][ T4629] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 149.815267][ T4629] [ 149.816552][ T4629] The buggy address belongs to the object at ffff888043945400 [ 149.816552][ T4629] which belongs to the cache kmalloc-512 of size 512 [ 149.828542][ T4629] The buggy address is located 9 bytes inside of [ 149.828542][ T4629] freed 512-byte region [ffff888043945400, ffff888043945600) [ 149.838587][ T4629] [ 149.839996][ T4629] The buggy address belongs to the physical page: [ 149.843546][ T4629] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43944 [ 149.848499][ T4629] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 [ 149.856935][ T4629] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff) [ 149.866924][ T4629] page_type: f5(slab) [ 149.871157][ T4629] raw: 04fff00000000040 ffff88801b041c80 dead000000000122 0000000000000000 [ 149.878018][ T4629] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 149.883484][ T4629] head: 04fff00000000040 ffff88801b041c80 dead000000000122 0000000000000000 [ 149.890633][ T4629] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000 [ 149.896009][ T4629] head: 04fff00000000001 ffffea00010e5101 00000000ffffffff 00000000ffffffff [ 149.900046][ T4629] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002 [ 149.905872][ T4629] page dumped because: kasan: bad access detected [ 149.909508][ T4629] page_owner tracks the page as allocated [ 149.912855][ T4629] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5323, tgid 5323 (udevd), ts 149165511422, free_ts 146267261596 [ 149.923956][ T4629] post_alloc_hook+0x1f4/0x240 [ 149.927083][ T4629] get_page_from_freelist+0x352b/0x36c0 [ 149.930866][ T4629] __alloc_frozen_pages_noprof+0x211/0x5b0 [ 149.934496][ T4629] alloc_pages_mpol+0x339/0x690 [ 149.937341][ T4629] allocate_slab+0x8f/0x3a0 [ 149.939956][ T4629] ___slab_alloc+0xc3b/0x1500 [ 149.942586][ T4629] __slab_alloc+0x58/0xa0 [ 149.945163][ T4629] __kmalloc_cache_noprof+0x26a/0x370 [ 149.948287][ T4629] kernfs_fop_open+0x3a3/0xdf0 [ 149.952189][ T4629] do_dentry_open+0xdec/0x1960 [ 149.955356][ T4629] vfs_open+0x3b/0x370 [ 149.958276][ T4629] path_openat+0x2caf/0x35d0 [ 149.961428][ T4629] do_filp_open+0x284/0x4e0 [ 149.963713][ T4629] do_sys_openat2+0x12b/0x1d0 [ 149.965923][ T4629] __x64_sys_openat+0x249/0x2a0 [ 149.968350][ T4629] do_syscall_64+0xf3/0x230 [ 149.970967][ T4629] page last free pid 4730 tgid 4730 stack trace: [ 149.974544][ T4629] __free_frozen_pages+0xde8/0x10a0 [ 149.989612][ T4629] __slab_free+0x2c6/0x390 [ 149.992710][ T4629] qlist_free_all+0x9a/0x140 [ 149.994561][ T4629] kasan_quarantine_reduce+0x14f/0x170 [ 150.005542][ T4629] __kasan_slab_alloc+0x23/0x80 [ 150.008254][ T4629] kmem_cache_alloc_noprof+0x1e1/0x390 [ 150.017905][ T4629] getname_flags+0xb6/0x530 [ 150.024744][ T4629] do_sys_openat2+0xbf/0x1d0 [ 150.029721][ T4629] __x64_sys_openat+0x249/0x2a0 [ 150.034672][ T4629] do_syscall_64+0xf3/0x230 [ 150.040957][ T4629] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 150.051734][ T4629] [ 150.056869][ T4629] Memory state around the buggy address: [ 150.065322][ T4629] ffff888043945300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 150.071337][ T4629] ffff888043945380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 150.074362][ T4629] >ffff888043945400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 150.083909][ T4629] ^ [ 150.085781][ T4629] ffff888043945480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 150.099502][ T4629] ffff888043945500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 150.114529][ T4629] ================================================================== [ 150.292574][ T1310] ieee802154 phy0 wpan0: encryption failed: -22 [ 150.295179][ T1310] ieee802154 phy1 wpan1: encryption failed: -22 [ 150.354053][ T4629] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 150.357981][ T4629] CPU: 0 UID: 0 PID: 4629 Comm: kworker/u4:10 Not tainted 6.15.0-rc1-syzkaller #0 PREEMPT(full) [ 150.381075][ T4629] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 150.386129][ T4629] Workqueue: events_unbound commit_work [ 150.388894][ T4629] Call Trace: [ 150.400632][ T4629] [ 150.402030][ T4629] dump_stack_lvl+0x241/0x360 [ 150.403992][ T4629] ? __pfx_dump_stack_lvl+0x10/0x10 [ 150.406379][ T4629] ? __pfx__printk+0x10/0x10 [ 150.408312][ T4629] ? vscnprintf+0x5d/0x90 [ 150.420317][ T4629] panic+0x349/0x880 [ 150.422140][ T4629] ? check_panic_on_warn+0x21/0xb0 [ 150.424834][ T4629] ? __pfx_panic+0x10/0x10 [ 150.426950][ T4629] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 150.441366][ T4629] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 150.444624][ T4629] ? print_report+0x519/0x5b0 [ 150.447006][ T4629] check_panic_on_warn+0x86/0xb0 [ 150.451051][ T4629] ? drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 150.463277][ T4629] end_report+0x77/0x160 [ 150.465294][ T4629] kasan_report+0x154/0x180 [ 150.467440][ T4629] ? drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 150.472378][ T4629] drm_atomic_helper_wait_for_vblanks+0x30b/0x910 [ 150.475423][ T4629] ? _raw_spin_unlock_irqrestore+0x134/0x140 [ 150.478528][ T4629] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 150.491643][ T4629] ? __pfx_drm_atomic_helper_wait_for_vblanks+0x10/0x10 [ 150.494471][ T4629] ? drm_atomic_helper_commit_hw_done+0x3f9/0x430 [ 150.497105][ T4629] drm_atomic_helper_commit_tail+0x314/0x510 [ 150.499589][ T4629] commit_tail+0x2c4/0x3d0 [ 150.511773][ T4629] ? process_scheduled_works+0x9cb/0x18e0 [ 150.514138][ T4629] process_scheduled_works+0xac3/0x18e0 [ 150.516495][ T4629] ? __pfx_process_scheduled_works+0x10/0x10 [ 150.519005][ T4629] ? assign_work+0x367/0x3d0 [ 150.522920][ T4629] worker_thread+0x870/0xd50 [ 150.525681][ T4629] ? __kthread_parkme+0x1a8/0x200 [ 150.529298][ T4629] ? __pfx_worker_thread+0x10/0x10 [ 150.532067][ T4629] kthread+0x7b7/0x940 [ 150.533771][ T4629] ? __pfx_worker_thread+0x10/0x10 [ 150.536029][ T4629] ? __pfx_kthread+0x10/0x10 [ 150.540203][ T4629] ? __pfx_kthread+0x10/0x10 [ 150.542583][ T4629] ? __pfx_kthread+0x10/0x10 [ 150.545009][ T4629] ? __pfx_kthread+0x10/0x10 [ 150.547476][ T4629] ? _raw_spin_unlock_irq+0x23/0x50 [ 150.550361][ T4629] ? lockdep_hardirqs_on+0x9d/0x150 [ 150.553837][ T4629] ? __pfx_kthread+0x10/0x10 [ 150.556337][ T4629] ret_from_fork+0x4b/0x80 [ 150.562283][ T4629] ? __pfx_kthread+0x10/0x10 [ 150.565858][ T4629] ret_from_fork_asm+0x1a/0x30 [ 150.569948][ T4629] [ 150.575300][ T4629] Kernel Offset: disabled [ 150.579037][ T4629] Rebooting in 86400 seconds..