program: socket$inet_dccp(0x2, 0x6, 0x0) r0 = syz_open_dev$video(&(0x7f0000000000), 0x485, 0x0) r1 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_CREATE(r1, &(0x7f0000000040)={0x0, 0x0, &(0x7f00000044c0)={&(0x7f0000000180)={0x4c, 0x2, 0x6, 0x101, 0x0, 0x0, {}, [@IPSET_ATTR_FAMILY={0x5, 0x5, 0xa}, @IPSET_ATTR_PROTOCOL={0x5}, @IPSET_ATTR_REVISION={0x5, 0x4, 0x3}, @IPSET_ATTR_SETNAME={0x9, 0x2, 'syz1\x00'}, @IPSET_ATTR_TYPENAME={0x11, 0x3, 'hash:net,net\x00'}]}, 0x4c}, 0x1, 0x0, 0x0, 0x4040000}, 0x0) sendmsg$IPSET_CMD_TEST(r1, &(0x7f0000000300)={0x0, 0x0, &(0x7f0000000140)={&(0x7f00000000c0)=ANY=[@ANYBLOB="640000000906010800000000000000000600000505000100070000003c0007801800148014000240fc0000000000000000000000000000011800018014000240ff01000000000000000000000000000105000300070000000900020073797a31"], 0x64}}, 0x4800) r2 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPSET_CMD_FLUSH(r2, &(0x7f00000002c0)={0x0, 0x0, &(0x7f00000000c0)={&(0x7f0000000080)={0x1c, 0x4, 0x6, 0x201, 0x0, 0x0, {0x5, 0x0, 0x7}, [@IPSET_ATTR_PROTOCOL={0x5}]}, 0x1c}, 0x1, 0x0, 0x0, 0x45}, 0x20040080) r3 = syz_open_dev$vbi(&(0x7f0000000040), 0x0, 0x2) ioctl$VIDIOC_S_INPUT(r3, 0xc0045627, &(0x7f00000001c0)=0x2) r4 = syz_open_dev$vim2m(&(0x7f00000002c0), 0x2000000f5, 0x2) ioctl$vim2m_VIDIOC_S_CTRL(r4, 0xc008561c, &(0x7f0000000e80)={0xf0f020}) ioctl$VIDIOC_S_SELECTION(r0, 0xc040565f, &(0x7f0000000080)={0x9}) r5 = socket$inet_udp(0x2, 0x2, 0x0) r6 = socket$inet_udp(0x2, 0x2, 0x0) readv(r4, &(0x7f0000000580)=[{&(0x7f00000000c0)=""/42, 0x2a}, {&(0x7f0000000200)=""/191, 0xbf}, {&(0x7f0000000300)=""/180, 0xb4}, {&(0x7f0000000180)=""/9, 0x9}, {&(0x7f0000000480)=""/220, 0xdc}], 0x5) ioctl$sock_ipv4_tunnel_SIOCADDTUNNEL(r5, 0x89f1, &(0x7f0000000440)={'sit0\x00', &(0x7f0000000400)={'syztnl0\x00', 0x0, 0x0, 0x0, 0x0, 0x0, {{0x5, 0x4, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @loopback, @empty}}}}) close_range(0xffffffffffffffff, 0xffffffffffffffff, 0x0) ioctl$sock_ipv4_tunnel_SIOCGETTUNNEL(r5, 0x89f5, &(0x7f00000001c0)={'syztnl0\x00', &(0x7f0000000140)={'erspan0\x00', r7, 0x0, 0x0, 0x0, 0x0, {{0x5, 0x4, 0x0, 0x0, 0x14, 0x0, 0x0, 0x0, 0x0, 0x0, @dev={0xac, 0x14, 0x14, 0xd}, @multicast2}}}}) r8 = socket$nl_netfilter(0x10, 0x3, 0xc) sendmsg$IPCTNL_MSG_EXP_NEW(r8, &(0x7f0000000080)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000240)={0xbc, 0x0, 0x2, 0x401, 0x0, 0x0, {0xa}, [@CTA_EXPECT_MASK={0x3c, 0x3, 0x0, 0x1, [@CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}, @CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x28, 0x3, @remote}, {0x14, 0x4, @empty}}}]}, @CTA_EXPECT_TUPLE={0x3c, 0x2, 0x0, 0x1, [@CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @private0}, {0x14, 0x4, @mcast2}}}, @CTA_TUPLE_PROTO={0xc, 0x2, 0x0, 0x1, {0x5}}]}, @CTA_EXPECT_MASTER={0x30, 0x1, 0x0, 0x1, [@CTA_TUPLE_IP={0x2c, 0x1, 0x0, 0x1, @ipv6={{0x14, 0x3, @mcast2}, {0x14, 0x4, @dev}}}]}]}, 0xbc}}, 0x0) ioctl$sock_ipv4_tunnel_SIOCDELTUNNEL(r6, 0x89f2, &(0x7f0000000100)={'syztnl0\x00', &(0x7f0000000000)={'tunl0\x00', 0x0, 0x0, 0x0, 0x0, 0x0, {{0x5, 0x4, 0x0, 0x4, 0x14, 0xfffe, 0x0, 0x0, 0x0, 0x0, @remote, @empty}}}}) [ 79.460299][ T4669] Bluetooth: hci0: command tx timeout [ 79.463887][ T1310] ieee802154 phy0 wpan0: encryption failed: -22 [ 79.466342][ T1310] ieee802154 phy1 wpan1: encryption failed: -22 [ 79.640878][ T5326] ================================================================== [ 79.644136][ T5326] BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_buffer+0x1a12/0x5ca0 [ 79.647514][ T5326] Write of size 1440 at addr ffffc9000d33fda0 by task vivid-000-vid-c/5326 [ 79.650708][ T5326] [ 79.651654][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: vivid-000-vid-c Not tainted 6.14.0-rc7-syzkaller-00050-gfc444ada1310 #0 [ 79.651664][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 79.651669][ T5326] Call Trace: [ 79.651674][ T5326] [ 79.651678][ T5326] dump_stack_lvl+0x241/0x360 [ 79.651689][ T5326] ? __pfx_dump_stack_lvl+0x10/0x10 [ 79.651696][ T5326] ? __pfx__printk+0x10/0x10 [ 79.651705][ T5326] ? _printk+0xd5/0x120 [ 79.651715][ T5326] print_report+0x16e/0x5b0 [ 79.651729][ T5326] ? __virt_addr_valid+0xbd/0x530 [ 79.651739][ T5326] ? tpg_fill_plane_buffer+0x1a12/0x5ca0 [ 79.651747][ T5326] kasan_report+0x143/0x180 [ 79.651755][ T5326] ? tpg_fill_plane_buffer+0x1a12/0x5ca0 [ 79.651763][ T5326] kasan_check_range+0x282/0x290 [ 79.651771][ T5326] ? tpg_fill_plane_buffer+0x1a12/0x5ca0 [ 79.651778][ T5326] __asan_memcpy+0x40/0x70 [ 79.651784][ T5326] tpg_fill_plane_buffer+0x1a12/0x5ca0 [ 79.651800][ T5326] vivid_thread_vid_cap_tick+0xfbc/0x6090 [ 79.651820][ T5326] ? __pfx_vivid_thread_vid_cap_tick+0x10/0x10 [ 79.651835][ T5326] vivid_thread_vid_cap+0x8aa/0xf30 [ 79.651850][ T5326] ? __pfx_vivid_thread_vid_cap+0x10/0x10 [ 79.651862][ T5326] kthread+0x7a9/0x920 [ 79.651876][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.651890][ T5326] ? __pfx_vivid_thread_vid_cap+0x10/0x10 [ 79.651902][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.651912][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.651921][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.651930][ T5326] ? _raw_spin_unlock_irq+0x23/0x50 [ 79.651938][ T5326] ? lockdep_hardirqs_on+0x99/0x150 [ 79.651946][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.651955][ T5326] ret_from_fork+0x4b/0x80 [ 79.651964][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.651973][ T5326] ret_from_fork_asm+0x1a/0x30 [ 79.651983][ T5326] [ 79.651985][ T5326] [ 79.718960][ T5326] The buggy address belongs to the virtual mapping at [ 79.718960][ T5326] [ffffc9000d329000, ffffc9000d341000) created by: [ 79.718960][ T5326] vb2_vmalloc_alloc+0xf2/0x340 [ 79.726050][ T5326] [ 79.727040][ T5326] The buggy address belongs to the physical page: [ 79.729513][ T5326] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888040cbff50 pfn:0x40cbf [ 79.733363][ T5326] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 79.736100][ T5326] raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000 [ 79.739474][ T5326] raw: ffff888040cbff50 0000000000000000 00000001ffffffff 0000000000000000 [ 79.742685][ T5326] page dumped because: kasan: bad access detected [ 79.745107][ T5326] page_owner tracks the page as allocated [ 79.747333][ T5326] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2dc2(GFP_KERNEL|__GFP_HIGHMEM|__GFP_NOWARN|__GFP_ZERO), pid 5324, tgid 5323 (syz.0.0), ts 79575080385, free_ts 67637774486 [ 79.755556][ T5326] post_alloc_hook+0x1f4/0x240 [ 79.757680][ T5326] get_page_from_freelist+0x365c/0x37a0 [ 79.759823][ T5326] __alloc_frozen_pages_noprof+0x292/0x710 [ 79.762063][ T5326] alloc_pages_mpol+0x311/0x660 [ 79.763945][ T5326] alloc_pages_noprof+0x121/0x190 [ 79.766039][ T5326] __vmalloc_node_range_noprof+0x9c6/0x1380 [ 79.768555][ T5326] vmalloc_user_noprof+0x74/0x80 [ 79.770481][ T5326] vb2_vmalloc_alloc+0xf2/0x340 [ 79.772408][ T5326] __vb2_queue_alloc+0xa0b/0x16f0 [ 79.774319][ T5326] vb2_core_reqbufs+0xd2e/0x17c0 [ 79.776246][ T5326] __vb2_init_fileio+0x319/0xf90 [ 79.778216][ T5326] __vb2_perform_fileio+0x31a/0x17b0 [ 79.780255][ T5326] vb2_fop_read+0x247/0x330 [ 79.782196][ T5326] v4l2_read+0x1a4/0x2c0 [ 79.783705][ T5326] vfs_readv+0x6bc/0xa80 [ 79.785193][ T5326] do_readv+0x1b6/0x360 [ 79.786947][ T5326] page last free pid 5307 tgid 5307 stack trace: [ 79.789401][ T5326] free_frozen_pages+0xe0d/0x10e0 [ 79.791348][ T5326] __slab_free+0x2c2/0x380 [ 79.793118][ T5326] qlist_free_all+0x9a/0x140 [ 79.794842][ T5326] kasan_quarantine_reduce+0x14f/0x170 [ 79.796889][ T5326] __kasan_slab_alloc+0x23/0x80 [ 79.798809][ T5326] kmem_cache_alloc_node_noprof+0x1d9/0x380 [ 79.801137][ T5326] __alloc_skb+0x1c3/0x440 [ 79.802870][ T5326] netlink_sendmsg+0x634/0xcb0 [ 79.804776][ T5326] __sock_sendmsg+0x221/0x270 [ 79.806716][ T5326] __sys_sendto+0x363/0x4c0 [ 79.808527][ T5326] __x64_sys_sendto+0xde/0x100 [ 79.810357][ T5326] do_syscall_64+0xf3/0x230 [ 79.812135][ T5326] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 79.814488][ T5326] [ 79.815474][ T5326] Memory state around the buggy address: [ 79.817674][ T5326] ffffc9000d33ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 79.820658][ T5326] ffffc9000d33ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 79.823821][ T5326] >ffffc9000d340000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 79.826981][ T5326] ^ [ 79.828629][ T5326] ffffc9000d340080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 79.831776][ T5326] ffffc9000d340100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 [ 79.834967][ T5326] ================================================================== [ 79.854568][ T5326] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 79.857497][ T5326] CPU: 0 UID: 0 PID: 5326 Comm: vivid-000-vid-c Not tainted 6.14.0-rc7-syzkaller-00050-gfc444ada1310 #0 [ 79.861733][ T5326] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 79.865836][ T5326] Call Trace: [ 79.867319][ T5326] [ 79.868408][ T5326] dump_stack_lvl+0x241/0x360 [ 79.870157][ T5326] ? __pfx_dump_stack_lvl+0x10/0x10 [ 79.872129][ T5326] ? __pfx__printk+0x10/0x10 [ 79.873892][ T5326] ? lockdep_hardirqs_on_prepare+0x43d/0x780 [ 79.876178][ T5326] ? vscnprintf+0x5d/0x90 [ 79.877919][ T5326] panic+0x349/0x880 [ 79.879412][ T5326] ? check_panic_on_warn+0x21/0xb0 [ 79.881332][ T5326] ? __pfx_panic+0x10/0x10 [ 79.883131][ T5326] ? _raw_spin_unlock_irqrestore+0x130/0x140 [ 79.885460][ T5326] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 79.888258][ T5326] check_panic_on_warn+0x86/0xb0 [ 79.890259][ T5326] ? tpg_fill_plane_buffer+0x1a12/0x5ca0 [ 79.892622][ T5326] end_report+0x77/0x160 [ 79.894323][ T5326] kasan_report+0x154/0x180 [ 79.896078][ T5326] ? tpg_fill_plane_buffer+0x1a12/0x5ca0 [ 79.898353][ T5326] kasan_check_range+0x282/0x290 [ 79.900229][ T5326] ? tpg_fill_plane_buffer+0x1a12/0x5ca0 [ 79.902377][ T5326] __asan_memcpy+0x40/0x70 [ 79.904088][ T5326] tpg_fill_plane_buffer+0x1a12/0x5ca0 [ 79.906275][ T5326] vivid_thread_vid_cap_tick+0xfbc/0x6090 [ 79.908466][ T5326] ? __pfx_vivid_thread_vid_cap_tick+0x10/0x10 [ 79.910790][ T5326] vivid_thread_vid_cap+0x8aa/0xf30 [ 79.912844][ T5326] ? __pfx_vivid_thread_vid_cap+0x10/0x10 [ 79.915189][ T5326] kthread+0x7a9/0x920 [ 79.917010][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.918837][ T5326] ? __pfx_vivid_thread_vid_cap+0x10/0x10 [ 79.921056][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.922817][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.924665][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.926466][ T5326] ? _raw_spin_unlock_irq+0x23/0x50 [ 79.928471][ T5326] ? lockdep_hardirqs_on+0x99/0x150 [ 79.930498][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.932284][ T5326] ret_from_fork+0x4b/0x80 [ 79.933970][ T5326] ? __pfx_kthread+0x10/0x10 [ 79.935688][ T5326] ret_from_fork_asm+0x1a/0x30 [ 79.937583][ T5326] [ 79.939053][ T5326] Kernel Offset: disabled [ 79.940763][ T5326] Rebooting in 86400 seconds..