program: r0 = openat$mice(0xffffffffffffff9c, &(0x7f0000000000), 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(0xffffffffffffffff, 0xc04064a0, &(0x7f0000000140)={&(0x7f0000000040)=[0x0], &(0x7f0000000080)=[0x0, 0x0, 0x0, 0x0, 0x0, 0x0], &(0x7f00000000c0)=[0x0, 0x0, 0x0], &(0x7f0000000100)=[0x0], 0x1, 0x6, 0x3, 0x1}) r2 = creat(&(0x7f0000000000)='./file0\x00', 0x0) close_range(r2, 0xffffffffffffffff, 0x0) r3 = syz_open_dev$dri(&(0x7f0000000100), 0x1f, 0x0) r4 = socket$nl_route(0x10, 0x3, 0x0) r5 = socket$nl_route(0x10, 0x3, 0x0) r6 = socket(0x10, 0x3, 0x0) r7 = socket$nl_route(0x10, 0x3, 0x0) ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, &(0x7f0000000040)={'vxcan0\x00', 0x0}) ioctl$ifreq_SIOCGIFINDEX_vcan(r7, 0x8933, &(0x7f0000000080)={'vxcan1\x00', 0x0}) sendmsg$nl_route(r6, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000001c0)=@can_newroute={0x24, 0x18, 0x1, 0x0, 0x25dfdbfe, {0x1d, 0x1, 0x7}, [@CGW_DST_IF={0x8, 0xa, r8}, @CGW_SRC_IF={0x8, 0x9, r9}]}, 0x24}}, 0x0) ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f0000000040)={'vxcan1\x00', 0x0}) ioctl$ifreq_SIOCGIFINDEX_vcan(r5, 0x8933, &(0x7f0000000080)={'vxcan0\x00', 0x0}) sendmsg$nl_route(r5, &(0x7f0000000800)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000000c0)=@can_newroute={0x24, 0x18, 0x1, 0x0, 0x200, {0x1d, 0x1, 0x8}, [@CGW_DST_IF={0x8, 0xa, r10}, @CGW_SRC_IF={0x8, 0x9, r11}]}, 0x24}}, 0x0) sendmsg$nl_route(r4, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f00000000c0)=ANY=[@ANYBLOB="3400000019"], 0x34}}, 0x0) r12 = syz_open_dev$dri(&(0x7f0000000100), 0x1f, 0x0) ioctl$DRM_IOCTL_MODE_GETRESOURCES(r12, 0xc04064a0, &(0x7f0000000140)={0x0, &(0x7f0000000040)=[0x0], 0x0, 0x0, 0x0, 0x1}) r14 = syz_open_dev$dri(&(0x7f0000000100), 0x1f, 0x0) ioctl$DRM_IOCTL_MODE_GETCRTC(r3, 0xc06864a1, &(0x7f00000002c0)={0x0, 0x0, r13, 0x0}) ioctl$DRM_IOCTL_MODE_GETFB2(r14, 0xc06864ce, &(0x7f0000000080)={r15, 0x0, 0x0, 0x0, 0x0, [0x0]}) ioctl$DRM_IOCTL_MODE_ADDFB2(r2, 0xc06864b8, &(0x7f0000002c80)={0x0, 0x101, 0xa, 0x30315559, 0x0, [r16], [], [], [0x4000000000000]}) r17 = seccomp$SECCOMP_SET_MODE_FILTER_LISTENER(0x1, 0x0, &(0x7f00000000c0)={0x1, &(0x7f0000000000)=[{0x6, 0x0, 0xfe, 0x7fff0006}]}) r18 = openat$dma_heap(0xffffffffffffff9c, &(0x7f0000000240), 0xa2003, 0x0) ioctl$DMA_HEAP_IOCTL_ALLOC(r18, 0xc0184800, &(0x7f0000000100)={0x20004, r17}) r20 = syz_open_dev$dri(&(0x7f0000000280), 0x1ff, 0x140) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(r20, 0xc00c642e, &(0x7f00000000c0)={0x0, 0x0, r19}) ioctl$DRM_IOCTL_GEM_FLINK(r20, 0xc00864d2, &(0x7f0000000300)={r21}) ioctl$DRM_IOCTL_PRIME_FD_TO_HANDLE(0xffffffffffffffff, 0xc00c642e, &(0x7f0000000180)={0x0}) ioctl$DRM_IOCTL_MODE_ADDFB2(r0, 0xc06864b8, &(0x7f00000001c0)={r1, 0x4, 0x8, 0x7, 0x2, [r16, 0x0, r21, r22], [0xfff, 0x8, 0x80000000, 0x1], [0x7, 0x8b0, 0xfffffff5, 0x8001], [0x6, 0x7, 0x3ff, 0x9120]}) [ 79.974320][ T5284] Bluetooth: hci0: command tx timeout [ 80.076729][ T5321] netlink: 16 bytes leftover after parsing attributes in process `syz.0.0'. [ 80.093889][ T5320] ------------[ cut here ]------------ [ 80.096442][ T5320] !RB_EMPTY_ROOT(&prime_fpriv->dmabufs) [ 80.096453][ T5320] WARNING: drivers/gpu/drm/drm_prime.c:224 at drm_prime_destroy_file_private+0x4b/0x60, CPU#0: syz.0.0/5320 [ 80.105652][ T5320] Modules linked in: [ 80.107334][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 80.110987][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 80.115317][ T5320] RIP: 0010:drm_prime_destroy_file_private+0x4b/0x60 [ 80.118476][ T5320] Code: 00 fc ff df 80 3c 08 00 74 08 48 89 df e8 2d c9 c6 fc 48 83 3b 00 75 0c e8 72 fd 59 fc 5b e9 cc e4 41 06 cc e8 66 fd 59 fc 90 <0f> 0b 90 5b e9 bc e4 41 06 cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 [ 80.126926][ T5320] RSP: 0018:ffffc90003a2fc40 EFLAGS: 00010293 [ 80.129673][ T5320] RAX: ffffffff856bd3da RBX: ffff8880411853b0 RCX: ffff88803671a500 [ 80.133270][ T5320] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888041185328 [ 80.136771][ T5320] RBP: ffff888041185278 R08: ffffc90003a2fbc7 R09: 1ffff92000745f78 [ 80.140299][ T5320] R10: dffffc0000000000 R11: fffff52000745f79 R12: dffffc0000000000 [ 80.143819][ T5320] R13: dead000000000100 R14: 0000000000000000 R15: ffff888041185288 [ 80.147342][ T5320] FS: 000055556df13540(0000) GS:ffff88808c881000(0000) knlGS:0000000000000000 [ 80.150929][ T5320] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 80.153974][ T5320] CR2: 0000200000002c80 CR3: 0000000043673000 CR4: 0000000000352ef0 [ 80.157706][ T5320] Call Trace: [ 80.159341][ T5320] [ 80.160712][ T5320] drm_file_free+0x7f1/0xa00 [ 80.162967][ T5320] drm_release+0x2de/0x3f0 [ 80.165312][ T5320] ? __pfx_drm_release+0x10/0x10 [ 80.167510][ T5320] __fput+0x44f/0xa60 [ 80.169369][ T5320] task_work_run+0x1d9/0x270 [ 80.171600][ T5320] ? __pfx_task_work_run+0x10/0x10 [ 80.174111][ T5320] exit_to_user_mode_loop+0xf3/0x4d0 [ 80.176479][ T5320] ? rcu_is_watching+0x15/0xb0 [ 80.178878][ T5320] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 80.181468][ T5320] do_syscall_64+0x33e/0xf80 [ 80.183739][ T5320] ? trace_irq_disable+0x3b/0x140 [ 80.186090][ T5320] ? clear_bhb_loop+0x40/0x90 [ 80.188229][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 80.190816][ T5320] RIP: 0033:0x7f4d1299ce59 [ 80.193134][ T5320] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 80.202398][ T5320] RSP: 002b:00007ffd73086488 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 80.205904][ T5320] RAX: 0000000000000000 RBX: 00007ffd73086570 RCX: 00007f4d1299ce59 [ 80.209293][ T5320] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 80.213148][ T5320] RBP: 00000000000137b2 R08: 0000000000000001 R09: 0000000000000000 [ 80.216433][ T5320] R10: 00007f4d127ff02c R11: 0000000000000246 R12: 00007ffd730865b0 [ 80.219750][ T5320] R13: 00007f4d12c15fac R14: 000000000001388a R15: 00007f4d12c15fa0 [ 80.223598][ T5320] [ 80.224867][ T5320] Kernel panic - not syncing: kernel: panic_on_warn set ... [ 80.227540][ T5320] CPU: 0 UID: 0 PID: 5320 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 80.231551][ T5320] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 80.235481][ T5320] Call Trace: [ 80.236920][ T5320] [ 80.238169][ T5320] vpanic+0x56c/0xa60 [ 80.239821][ T5320] ? __pfx__printk+0x10/0x10 [ 80.241736][ T5320] ? __pfx_vpanic+0x10/0x10 [ 80.243612][ T5320] ? is_bpf_text_address+0x292/0x2b0 [ 80.245793][ T5320] ? is_bpf_text_address+0x26/0x2b0 [ 80.248203][ T5320] panic+0xc5/0xd0 [ 80.249871][ T5320] ? __pfx_panic+0x10/0x10 [ 80.251650][ T5320] __warn+0x315/0x4c0 [ 80.253250][ T5320] ? drm_prime_destroy_file_private+0x4b/0x60 [ 80.255887][ T5320] ? drm_prime_destroy_file_private+0x4b/0x60 [ 80.258665][ T5320] __report_bug+0x29a/0x540 [ 80.260772][ T5320] ? rcu_is_watching+0x15/0xb0 [ 80.262902][ T5320] ? drm_prime_destroy_file_private+0x4b/0x60 [ 80.265604][ T5320] ? __pfx___report_bug+0x10/0x10 [ 80.267763][ T5320] ? drm_file_free+0x78a/0xa00 [ 80.269847][ T5320] ? drm_prime_destroy_file_private+0x4b/0x60 [ 80.272800][ T5320] report_bug+0x16a/0x220 [ 80.274683][ T5320] ? drm_prime_destroy_file_private+0x4b/0x60 [ 80.277312][ T5320] ? drm_prime_destroy_file_private+0x4d/0x60 [ 80.279902][ T5320] handle_bug+0x9c/0x200 [ 80.281761][ T5320] exc_invalid_op+0x1a/0x50 [ 80.283743][ T5320] asm_exc_invalid_op+0x1a/0x20 [ 80.285852][ T5320] RIP: 0010:drm_prime_destroy_file_private+0x4b/0x60 [ 80.288542][ T5320] Code: 00 fc ff df 80 3c 08 00 74 08 48 89 df e8 2d c9 c6 fc 48 83 3b 00 75 0c e8 72 fd 59 fc 5b e9 cc e4 41 06 cc e8 66 fd 59 fc 90 <0f> 0b 90 5b e9 bc e4 41 06 cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 [ 80.295937][ T5320] RSP: 0018:ffffc90003a2fc40 EFLAGS: 00010293 [ 80.298781][ T5320] RAX: ffffffff856bd3da RBX: ffff8880411853b0 RCX: ffff88803671a500 [ 80.301927][ T5320] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff888041185328 [ 80.305102][ T5320] RBP: ffff888041185278 R08: ffffc90003a2fbc7 R09: 1ffff92000745f78 [ 80.308338][ T5320] R10: dffffc0000000000 R11: fffff52000745f79 R12: dffffc0000000000 [ 80.311666][ T5320] R13: dead000000000100 R14: 0000000000000000 R15: ffff888041185288 [ 80.314845][ T5320] ? drm_prime_destroy_file_private+0x4a/0x60 [ 80.317108][ T5320] drm_file_free+0x7f1/0xa00 [ 80.318776][ T5320] drm_release+0x2de/0x3f0 [ 80.320402][ T5320] ? __pfx_drm_release+0x10/0x10 [ 80.322195][ T5320] __fput+0x44f/0xa60 [ 80.323787][ T5320] task_work_run+0x1d9/0x270 [ 80.326155][ T5320] ? __pfx_task_work_run+0x10/0x10 [ 80.328427][ T5320] exit_to_user_mode_loop+0xf3/0x4d0 [ 80.330578][ T5320] ? rcu_is_watching+0x15/0xb0 [ 80.332592][ T5320] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 80.334997][ T5320] do_syscall_64+0x33e/0xf80 [ 80.337120][ T5320] ? trace_irq_disable+0x3b/0x140 [ 80.339403][ T5320] ? clear_bhb_loop+0x40/0x90 [ 80.341487][ T5320] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 80.344048][ T5320] RIP: 0033:0x7f4d1299ce59 [ 80.346041][ T5320] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48 [ 80.357554][ T5320] RSP: 002b:00007ffd73086488 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4 [ 80.361042][ T5320] RAX: 0000000000000000 RBX: 00007ffd73086570 RCX: 00007f4d1299ce59 [ 80.364136][ T5320] RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003 [ 80.368068][ T5320] RBP: 00000000000137b2 R08: 0000000000000001 R09: 0000000000000000 [ 80.372453][ T5320] R10: 00007f4d127ff02c R11: 0000000000000246 R12: 00007ffd730865b0 [ 80.376564][ T5320] R13: 00007f4d12c15fac R14: 000000000001388a R15: 00007f4d12c15fa0 [ 80.380975][ T5320] [ 80.383427][ T5320] Kernel Offset: disabled [ 80.385329][ T5320] Rebooting in 86400 seconds..