program:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_CREATE(r0, &(0x7f0000000040)={0x0, 0x0, &(0x7f0000000080)={&(0x7f00000000c0)={0x48, 0x2, 0x6, 0x5, 0x0, 0x0, {}, [@IPSET_ATTR_REVISION={0x5}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_FAMILY={0x5}, @IPSET_ATTR_PROTOCOL={0x5, 0x1, 0x6}, @IPSET_ATTR_TYPENAME={0xd, 0x3, 'hash:mac\x00'}]}, 0x48}}, 0x0)
socket$nl_netfilter(0x10, 0x3, 0xc) (async)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$IPSET_CMD_TEST(r1, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000000000)={0x2c, 0xb, 0x6, 0x5, 0x0, 0x0, {}, [@IPSET_ATTR_SETNAME={0x9, 0x2, 'syz0\x00'}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_DATA={0x4}]}, 0x2c}}, 0x0)
socket$inet_dccp(0x2, 0x6, 0x0)
syz_open_dev$video(&(0x7f0000000000), 0x485, 0x0) (async)
r2 = syz_open_dev$video(&(0x7f0000000000), 0x485, 0x0)
syz_open_dev$vbi(&(0x7f0000000040), 0x0, 0x2) (async)
r3 = syz_open_dev$vbi(&(0x7f0000000040), 0x0, 0x2)
ioctl$VIDIOC_S_INPUT(r3, 0xc0045627, &(0x7f00000001c0)=0x2)
r4 = syz_open_dev$vim2m(&(0x7f00000002c0), 0x2000000f5, 0x2)
ioctl$vim2m_VIDIOC_S_CTRL(r4, 0xc008561c, &(0x7f0000000e80)={0xf0f020})
ioctl$VIDIOC_S_SELECTION(r2, 0xc040565f, &(0x7f0000000080)={0x9})
syz_open_dev$vim2m(&(0x7f0000000000), 0x9, 0x2) (async)
syz_open_dev$vim2m(&(0x7f0000000000), 0x9, 0x2)
socket$rxrpc(0x21, 0x2, 0xa)
syz_open_dev$video(&(0x7f0000000040), 0xa7, 0x0)
r5 = syz_open_dev$dri(&(0x7f0000000340), 0x2, 0xc8d03)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0xd, 0x4, &(0x7f0000000040)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0x79, 0x11, 0xd8}, [@ldst={0x4}], {0x95, 0x0, 0x74}}, &(0x7f0000003ff6)='GPL\x00', 0x2, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sock_ops, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48) (async)
bpf$PROG_LOAD(0x5, &(0x7f000000e000)={0xd, 0x4, &(0x7f0000000040)=@framed={{0xffffffb4, 0x0, 0x0, 0x0, 0x0, 0x79, 0x11, 0xd8}, [@ldst={0x4}], {0x95, 0x0, 0x74}}, &(0x7f0000003ff6)='GPL\x00', 0x2, 0xfd90, &(0x7f000000cf3d)=""/195, 0x0, 0x0, '\x00', 0x0, @sock_ops, 0xffffffffffffffff, 0x8, 0x0, 0x0, 0x10, 0x0, 0x0, 0x0, 0xffffffffffffffff, 0x0, 0x0, 0x0, 0x10, 0x0, @void, @value}, 0x48)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r5, 0xc00864bf, &(0x7f0000000000)) (async)
ioctl$DRM_IOCTL_SYNCOBJ_CREATE(r5, 0xc00864bf, &(0x7f0000000000)={<r6=>0x0})
sched_setscheduler(0x0, 0x1, &(0x7f0000000300)=0x7) (async)
sched_setscheduler(0x0, 0x1, &(0x7f0000000300)=0x7)
r7 = add_key$keyring(&(0x7f0000000000), &(0x7f0000000040)={'syz', 0x1}, 0x0, 0x0, 0xfffffffffffffffb)
keyctl$describe(0x1d, r7, &(0x7f0000000300)=""/182, 0xb6)
ioctl$DRM_IOCTL_SYNCOBJ_TIMELINE_SIGNAL(r5, 0xc01864cd, &(0x7f0000000180)={&(0x7f0000000080)=[r6], 0x0, 0x1})
ioctl$DRM_IOCTL_SYNCOBJ_HANDLE_TO_FD_SYNC_FILE(r5, 0xc01064c1, &(0x7f00000002c0)={r6})
pselect6(0x40, &(0x7f0000000000)={0xfc}, 0x0, 0x0, 0x0, 0x0) (async)
pselect6(0x40, &(0x7f0000000000)={0xfc}, 0x0, 0x0, 0x0, 0x0)
syz_emit_ethernet(0x82, &(0x7f0000000000)=ANY=[], 0x0)

[ 81.027099][ T1311] ieee802154 phy0 wpan0: encryption failed: -22
[ 81.030215][ T4665] Bluetooth: hci0: command tx timeout
[ 81.034631][ T1311] ieee802154 phy1 wpan1: encryption failed: -22
[ 81.206809][ T5329] ==================================================================
[ 81.210180][ T5329] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a12/0x5ca0
[ 81.213792][ T5329] Write of size 1440 at addr ffffc9000d217da0 by task vivid-000-vid-c/5329
[ 81.217179][ T5329]
[ 81.218194][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: vivid-000-vid-c Not tainted 6.14.0-rc6-syzkaller-00003-g4d872d51bc9d #0
[ 81.218207][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 81.218214][ T5329] Call Trace:
[ 81.218222][ T5329] <TASK>
[ 81.218229][ T5329] dump_stack_lvl+0x241/0x360
[ 81.218247][ T5329] ? __pfx_dump_stack_lvl+0x10/0x10
[ 81.218258][ T5329] ? __pfx__printk+0x10/0x10
[ 81.218267][ T5329] ? _printk+0xd5/0x120
[ 81.218276][ T5329] print_report+0x16e/0x5b0
[ 81.218290][ T5329] ? __virt_addr_valid+0xbd/0x530
[ 81.218301][ T5329] ? tpg_fill_plane_buffer+0x1a12/0x5ca0
[ 81.218314][ T5329] kasan_report+0x143/0x180
[ 81.218327][ T5329] ? tpg_fill_plane_buffer+0x1a12/0x5ca0
[ 81.218339][ T5329] kasan_check_range+0x282/0x290
[ 81.218351][ T5329] ? tpg_fill_plane_buffer+0x1a12/0x5ca0
[ 81.218363][ T5329] __asan_memcpy+0x40/0x70
[ 81.218373][ T5329] tpg_fill_plane_buffer+0x1a12/0x5ca0
[ 81.218397][ T5329] vivid_thread_vid_cap_tick+0xfbc/0x6090
[ 81.218423][ T5329] ? __pfx_vivid_thread_vid_cap_tick+0x10/0x10
[ 81.218442][ T5329] vivid_thread_vid_cap+0x8aa/0xf30
[ 81.218458][ T5329] ? __pfx_vivid_thread_vid_cap+0x10/0x10
[ 81.218468][ T5329] kthread+0x7a9/0x920
[ 81.218482][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.218495][ T5329] ? __pfx_vivid_thread_vid_cap+0x10/0x10
[ 81.218507][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.218520][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.218533][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.218545][ T5329] ? _raw_spin_unlock_irq+0x23/0x50
[ 81.218559][ T5329] ? lockdep_hardirqs_on+0x99/0x150
[ 81.218573][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.218587][ T5329] ret_from_fork+0x4b/0x80
[ 81.218599][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.218609][ T5329] ret_from_fork_asm+0x1a/0x30
[ 81.218623][ T5329] </TASK>
[ 81.218626][ T5329]
[ 81.290580][ T5329] The buggy address belongs to the virtual mapping at
[ 81.290580][ T5329] [ffffc9000d201000, ffffc9000d219000) created by:
[ 81.290580][ T5329] vb2_vmalloc_alloc+0xf2/0x340
[ 81.297631][ T5329]
[ 81.298774][ T5329] The buggy address belongs to the physical page:
[ 81.301323][ T5329] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff8880365a3e00 pfn:0x365a3
[ 81.305383][ T5329] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 81.308199][ T5329] raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
[ 81.311707][ T5329] raw: ffff8880365a3e00 0000000000000000 00000001ffffffff 0000000000000000
[ 81.315017][ T5329] page dumped because: kasan: bad access detected
[ 81.317538][ T5329] page_owner tracks the page as allocated
[ 81.319793][ T5329] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5327, tgid 5325 (syz.0.0), ts 81140776812, free_ts 68786357609
[ 81.327267][ T5329] post_alloc_hook+0x1f4/0x240
[ 81.329214][ T5329] get_page_from_freelist+0x365c/0x37a0
[ 81.331434][ T5329] __alloc_frozen_pages_noprof+0x292/0x710
[ 81.333782][ T5329] alloc_pages_mpol+0x311/0x660
[ 81.335662][ T5329] alloc_pages_noprof+0x121/0x190
[ 81.337741][ T5329] __vmalloc_node_range_noprof+0x9c6/0x1380
[ 81.340164][ T5329] vmalloc_user_noprof+0x74/0x80
[ 81.342253][ T5329] vb2_vmalloc_alloc+0xf2/0x340
[ 81.344211][ T5329] __vb2_queue_alloc+0xa0b/0x16f0
[ 81.346263][ T5329] vb2_core_reqbufs+0xd2e/0x17c0
[ 81.348362][ T5329] __vb2_init_fileio+0x319/0xf90
[ 81.350337][ T5329] vb2_core_poll+0x45a/0x7a0
[ 81.352205][ T5329] vb2_fop_poll+0x170/0x360
[ 81.354190][ T5329] v4l2_poll+0x140/0x2b0
[ 81.356061][ T5329] do_select+0x1198/0x1d60
[ 81.357973][ T5329] core_sys_select+0x843/0xa40
[ 81.359904][ T5329] page last free pid 5306 tgid 5306 stack trace:
[ 81.362460][ T5329] free_frozen_pages+0xe0d/0x10e0
[ 81.364495][ T5329] __slab_free+0x2c2/0x380
[ 81.366294][ T5329] qlist_free_all+0x9a/0x140
[ 81.368263][ T5329] kasan_quarantine_reduce+0x14f/0x170
[ 81.370515][ T5329] __kasan_slab_alloc+0x23/0x80
[ 81.372454][ T5329] kmem_cache_alloc_noprof+0x1d9/0x380
[ 81.374631][ T5329] getname_flags+0xb7/0x540
[ 81.376484][ T5329] do_sys_openat2+0xd2/0x1d0
[ 81.378611][ T5329] __x64_sys_openat+0x247/0x2a0
[ 81.380612][ T5329] do_syscall_64+0xf3/0x230
[ 81.382450][ T5329] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 81.384799][ T5329]
[ 81.385802][ T5329] Memory state around the buggy address:
[ 81.387996][ T5329] ffffc9000d217f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 81.391222][ T5329] ffffc9000d217f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 81.394646][ T5329] >ffffc9000d218000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 81.397945][ T5329] ^
[ 81.399499][ T5329] ffffc9000d218080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 81.402447][ T5329] ffffc9000d218100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
[ 81.405723][ T5329] ==================================================================
[ 81.417821][ T5329] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 81.420794][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: vivid-000-vid-c Not tainted 6.14.0-rc6-syzkaller-00003-g4d872d51bc9d #0
[ 81.424982][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 81.429027][ T5329] Call Trace:
[ 81.430339][ T5329] <TASK>
[ 81.431565][ T5329] dump_stack_lvl+0x241/0x360
[ 81.433560][ T5329] ? __pfx_dump_stack_lvl+0x10/0x10
[ 81.436018][ T5329] ? __pfx__printk+0x10/0x10
[ 81.438155][ T5329] ? lockdep_hardirqs_on_prepare+0x43d/0x780
[ 81.440571][ T5329] ? vscnprintf+0x5d/0x90
[ 81.442450][ T5329] panic+0x349/0x880
[ 81.444328][ T5329] ? check_panic_on_warn+0x21/0xb0
[ 81.446797][ T5329] ? __pfx_panic+0x10/0x10
[ 81.448591][ T5329] ? _raw_spin_unlock_irqrestore+0x130/0x140
[ 81.450932][ T5329] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 81.453303][ T5329] check_panic_on_warn+0x86/0xb0
[ 81.455503][ T5329] ? tpg_fill_plane_buffer+0x1a12/0x5ca0
[ 81.457887][ T5329] end_report+0x77/0x160
[ 81.459471][ T5329] kasan_report+0x154/0x180
[ 81.461309][ T5329] ? tpg_fill_plane_buffer+0x1a12/0x5ca0
[ 81.463563][ T5329] kasan_check_range+0x282/0x290
[ 81.466036][ T5329] ? tpg_fill_plane_buffer+0x1a12/0x5ca0
[ 81.468930][ T5329] __asan_memcpy+0x40/0x70
[ 81.470885][ T5329] tpg_fill_plane_buffer+0x1a12/0x5ca0
[ 81.473062][ T5329] vivid_thread_vid_cap_tick+0xfbc/0x6090
[ 81.475320][ T5329] ? __pfx_vivid_thread_vid_cap_tick+0x10/0x10
[ 81.477467][ T5329] vivid_thread_vid_cap+0x8aa/0xf30
[ 81.479403][ T5329] ? __pfx_vivid_thread_vid_cap+0x10/0x10
[ 81.481897][ T5329] kthread+0x7a9/0x920
[ 81.483605][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.485515][ T5329] ? __pfx_vivid_thread_vid_cap+0x10/0x10
[ 81.487842][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.489701][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.491442][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.493302][ T5329] ? _raw_spin_unlock_irq+0x23/0x50
[ 81.495340][ T5329] ? lockdep_hardirqs_on+0x99/0x150
[ 81.497606][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.499534][ T5329] ret_from_fork+0x4b/0x80
[ 81.501264][ T5329] ? __pfx_kthread+0x10/0x10
[ 81.503115][ T5329] ret_from_fork_asm+0x1a/0x30
[ 81.504962][ T5329] </TASK>
[ 81.506477][ T5329] Kernel Offset: disabled
[ 81.508296][ T5329] Rebooting in 86400 seconds..