program: socket$nl_generic(0x10, 0x3, 0x10) socketpair$unix(0x1, 0x3, 0x0, &(0x7f0000000080)={0xffffffffffffffff, 0xffffffffffffffff}) sendmsg$RDMA_NLDEV_CMD_SYS_SET(0xffffffffffffffff, 0x0, 0x40844) connect$unix(r0, &(0x7f000057eff8)=@abs, 0x6e) sendmmsg$unix(r1, &(0x7f00000bd000), 0x318, 0x0) recvmmsg(r0, &(0x7f00000000c0), 0x10106, 0x2, 0x0) prctl$PR_SCHED_CORE(0x3e, 0x1, 0x0, 0x2, 0x0) sched_setattr(0x0, 0x0, 0x0) madvise(&(0x7f0000a93000/0x4000)=nil, 0x4000, 0x80000000e) mlock(&(0x7f0000000000/0x800000)=nil, 0x800000) mkdirat$cgroup_root(0xffffffffffffff9c, &(0x7f0000000000)='./cgroup.cpu/syz0\x00', 0x1ff) r2 = syz_open_dev$dri(&(0x7f0000000180), 0x78, 0x802) ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r2, 0xc02064b2, &(0x7f0000000040)={0x7, 0x6576, 0x3}) mmap(&(0x7f0000001000/0x4000)=nil, 0x4000, 0x4, 0x11, r2, 0x100000000) [ 85.501240][ T4672] Bluetooth: hci0: command tx timeout [ 85.542051][ T5333] ================================================================== [ 85.545408][ T5333] BUG: KASAN: slab-out-of-bounds in change_page_attr_set_clr+0x625/0xfc0 [ 85.549001][ T5333] Read of size 8 at addr ffff88801fc6ff88 by task syz.0.0/5333 [ 85.552132][ T5333] [ 85.553115][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.553125][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.553130][ T5333] Call Trace: [ 85.553135][ T5333] [ 85.553139][ T5333] dump_stack_lvl+0x189/0x250 [ 85.553150][ T5333] ? __kasan_check_byte+0x12/0x40 [ 85.553193][ T5333] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.553200][ T5333] ? lock_release+0x4b/0x3e0 [ 85.553212][ T5333] ? __virt_addr_valid+0x4a5/0x5c0 [ 85.553224][ T5333] print_report+0xca/0x240 [ 85.553236][ T5333] ? change_page_attr_set_clr+0x625/0xfc0 [ 85.553248][ T5333] kasan_report+0x118/0x150 [ 85.553260][ T5333] ? change_page_attr_set_clr+0x625/0xfc0 [ 85.553272][ T5333] change_page_attr_set_clr+0x625/0xfc0 [ 85.553282][ T5333] ? __pfx_change_page_attr_set_clr+0x10/0x10 [ 85.553290][ T5333] ? __pfx_pagerange_is_ram_callback+0x10/0x10 [ 85.553299][ T5333] ? memtype_reserve+0x874/0xb30 [ 85.553311][ T5333] ? __pfx___ww_mutex_lock+0x10/0x10 [ 85.553353][ T5333] _set_pages_array+0x145/0x270 [ 85.553367][ T5333] drm_gem_shmem_get_pages_locked+0x2d0/0x440 [ 85.553379][ T5333] ? __pfx_drm_gem_shmem_get_pages_locked+0x10/0x10 [ 85.553392][ T5333] ? ww_mutex_lock+0x3f/0x1c0 [ 85.553403][ T5333] drm_gem_shmem_mmap+0x193/0x460 [ 85.553416][ T5333] drm_gem_mmap_obj+0x18a/0x4e0 [ 85.553428][ T5333] drm_gem_mmap+0x384/0x640 [ 85.553439][ T5333] ? __pfx_drm_gem_mmap+0x10/0x10 [ 85.553451][ T5333] ? __mas_set_range+0x12f/0x3c0 [ 85.553465][ T5333] mmap_region+0x18b4/0x2110 [ 85.553475][ T5333] ? __pfx_mmap_region+0x10/0x10 [ 85.553498][ T5333] ? __pfx_arch_get_unmapped_area_topdown+0x10/0x10 [ 85.553516][ T5333] ? bpf_lsm_mmap_addr+0x9/0x20 [ 85.553527][ T5333] ? security_mmap_addr+0x71/0x270 [ 85.553541][ T5333] ? shmem_mapping+0xd/0x50 [ 85.553554][ T5333] ? memfd_check_seals_mmap+0xc5/0x200 [ 85.553568][ T5333] do_mmap+0xc45/0x10d0 [ 85.553583][ T5333] ? __pfx_do_mmap+0x10/0x10 [ 85.553591][ T5333] ? down_write_killable+0x178/0x230 [ 85.553599][ T5333] ? __pfx_down_write_killable+0x10/0x10 [ 85.553606][ T5333] ? common_file_perm+0x1b5/0x230 [ 85.553618][ T5333] vm_mmap_pgoff+0x2a6/0x4d0 [ 85.553629][ T5333] ? __pfx_vm_mmap_pgoff+0x10/0x10 [ 85.553637][ T5333] ? __fget_files+0x2a/0x420 [ 85.553645][ T5333] ? __fget_files+0x2a/0x420 [ 85.553655][ T5333] ? __fget_files+0x2a/0x420 [ 85.553665][ T5333] ksys_mmap_pgoff+0x51f/0x760 [ 85.553681][ T5333] do_syscall_64+0xfa/0xfa0 [ 85.553690][ T5333] ? lockdep_hardirqs_on+0x9c/0x150 [ 85.553715][ T5333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.553726][ T5333] ? clear_bhb_loop+0x60/0xb0 [ 85.553737][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.553750][ T5333] RIP: 0033:0x7f5f1e18efc9 [ 85.553763][ T5333] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 85.553772][ T5333] RSP: 002b:00007f5f1ef68038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 85.553785][ T5333] RAX: ffffffffffffffda RBX: 00007f5f1e3e6180 RCX: 00007f5f1e18efc9 [ 85.553793][ T5333] RDX: 0000000000000004 RSI: 0000000000004000 RDI: 0000200000001000 [ 85.553800][ T5333] RBP: 00007f5f1e211f91 R08: 0000000000000006 R09: 0000000100000000 [ 85.553806][ T5333] R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000000 [ 85.553813][ T5333] R13: 00007f5f1e3e6218 R14: 00007f5f1e3e6180 R15: 00007ffcdf4961d8 [ 85.553824][ T5333] [ 85.553828][ T5333] [ 85.693772][ T5333] Allocated by task 5333: [ 85.695662][ T5333] kasan_save_track+0x3e/0x80 [ 85.697644][ T5333] __kasan_kmalloc+0x93/0xb0 [ 85.699676][ T5333] __kvmalloc_node_noprof+0x5cd/0x910 [ 85.701828][ T5333] drm_gem_get_pages+0x166/0xa20 [ 85.703939][ T5333] drm_gem_shmem_get_pages_locked+0x201/0x440 [ 85.706526][ T5333] drm_gem_shmem_mmap+0x193/0x460 [ 85.708578][ T5333] drm_gem_mmap_obj+0x18a/0x4e0 [ 85.710700][ T5333] drm_gem_mmap+0x384/0x640 [ 85.712609][ T5333] mmap_region+0x18b4/0x2110 [ 85.714657][ T5333] do_mmap+0xc45/0x10d0 [ 85.716480][ T5333] vm_mmap_pgoff+0x2a6/0x4d0 [ 85.718497][ T5333] ksys_mmap_pgoff+0x51f/0x760 [ 85.720570][ T5333] do_syscall_64+0xfa/0xfa0 [ 85.722446][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.724840][ T5333] [ 85.725898][ T5333] The buggy address belongs to the object at ffff88801fc6ff00 [ 85.725898][ T5333] which belongs to the cache kmalloc-192 of size 192 [ 85.731662][ T5333] The buggy address is located 0 bytes to the right of [ 85.731662][ T5333] allocated 136-byte region [ffff88801fc6ff00, ffff88801fc6ff88) [ 85.737726][ T5333] [ 85.738782][ T5333] The buggy address belongs to the physical page: [ 85.741409][ T5333] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1fc6f [ 85.744913][ T5333] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 85.748011][ T5333] page_type: f5(slab) [ 85.749804][ T5333] raw: 00fff00000000000 ffff88801a4413c0 dead000000000100 dead000000000122 [ 85.753470][ T5333] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 85.757016][ T5333] page dumped because: kasan: bad access detected [ 85.759731][ T5333] page_owner tracks the page as allocated [ 85.761973][ T5333] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5306, tgid 5306 (syz-executor), ts 83394387633, free_ts 83393944428 [ 85.769747][ T5333] post_alloc_hook+0x240/0x2a0 [ 85.771739][ T5333] get_page_from_freelist+0x2365/0x2440 [ 85.773895][ T5333] __alloc_frozen_pages_noprof+0x181/0x370 [ 85.777230][ T5333] allocate_slab+0x71/0x3a0 [ 85.779245][ T5333] ___slab_alloc+0xe94/0x18a0 [ 85.781244][ T5333] __slab_alloc+0x65/0x100 [ 85.783154][ T5333] __kmalloc_node_noprof+0x5cc/0x800 [ 85.785434][ T5333] alloc_slab_obj_exts+0x3d/0xc0 [ 85.787536][ T5333] __memcg_slab_post_alloc_hook+0x31d/0x7d0 [ 85.790028][ T5333] kmem_cache_alloc_noprof+0x417/0x6e0 [ 85.792425][ T5333] copy_signal+0x50/0x650 [ 85.794336][ T5333] copy_process+0x16a6/0x3c00 [ 85.796422][ T5333] kernel_clone+0x21e/0x840 [ 85.798353][ T5333] __x64_sys_clone+0x18b/0x1e0 [ 85.800380][ T5333] do_syscall_64+0xfa/0xfa0 [ 85.802373][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.804900][ T5333] page last free pid 5306 tgid 5306 stack trace: [ 85.807638][ T5333] __free_frozen_pages+0xbc4/0xd30 [ 85.809832][ T5333] vfree+0x25a/0x400 [ 85.811466][ T5333] __do_replace+0x827/0x980 [ 85.813496][ T5333] do_ip6t_set_ctl+0xa16/0xce0 [ 85.815600][ T5333] nf_setsockopt+0x26f/0x290 [ 85.817573][ T5333] do_sock_setsockopt+0x25a/0x3e0 [ 85.819681][ T5333] __x64_sys_setsockopt+0x18b/0x220 [ 85.821844][ T5333] do_syscall_64+0xfa/0xfa0 [ 85.823747][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.826205][ T5333] [ 85.827174][ T5333] Memory state around the buggy address: [ 85.829345][ T5333] ffff88801fc6fe80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 85.832381][ T5333] ffff88801fc6ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.835350][ T5333] >ffff88801fc6ff80: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.838462][ T5333] ^ [ 85.840331][ T5333] ffff88801fc70000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.843695][ T5333] ffff88801fc70080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 85.847220][ T5333] ================================================================== [ 85.943060][ T5333] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 85.946197][ T5333] CPU: 0 UID: 0 PID: 5333 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.949851][ T5333] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 85.954282][ T5333] Call Trace: [ 85.955734][ T5333] [ 85.957053][ T5333] dump_stack_lvl+0x99/0x250 [ 85.958911][ T5333] ? __asan_memcpy+0x40/0x70 [ 85.960885][ T5333] ? __pfx_dump_stack_lvl+0x10/0x10 [ 85.962922][ T5333] ? __pfx__printk+0x10/0x10 [ 85.964800][ T5333] vpanic+0x237/0x6d0 [ 85.966518][ T5333] ? __pfx_vpanic+0x10/0x10 [ 85.968365][ T5333] ? preempt_schedule+0xae/0xc0 [ 85.970448][ T5333] ? __pfx_preempt_schedule+0x10/0x10 [ 85.972635][ T5333] panic+0xb9/0xc0 [ 85.974228][ T5333] ? __pfx_panic+0x10/0x10 [ 85.976160][ T5333] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 85.978625][ T5333] ? change_page_attr_set_clr+0x625/0xfc0 [ 85.980920][ T5333] check_panic_on_warn+0x89/0xb0 [ 85.983051][ T5333] ? change_page_attr_set_clr+0x625/0xfc0 [ 85.985437][ T5333] end_report+0x78/0x160 [ 85.987401][ T5333] kasan_report+0x129/0x150 [ 85.989378][ T5333] ? change_page_attr_set_clr+0x625/0xfc0 [ 85.991779][ T5333] change_page_attr_set_clr+0x625/0xfc0 [ 85.994105][ T5333] ? __pfx_change_page_attr_set_clr+0x10/0x10 [ 85.996680][ T5333] ? __pfx_pagerange_is_ram_callback+0x10/0x10 [ 85.999318][ T5333] ? memtype_reserve+0x874/0xb30 [ 86.001363][ T5333] ? __pfx___ww_mutex_lock+0x10/0x10 [ 86.003671][ T5333] _set_pages_array+0x145/0x270 [ 86.005665][ T5333] drm_gem_shmem_get_pages_locked+0x2d0/0x440 [ 86.008027][ T5333] ? __pfx_drm_gem_shmem_get_pages_locked+0x10/0x10 [ 86.010822][ T5333] ? ww_mutex_lock+0x3f/0x1c0 [ 86.012798][ T5333] drm_gem_shmem_mmap+0x193/0x460 [ 86.014974][ T5333] drm_gem_mmap_obj+0x18a/0x4e0 [ 86.017022][ T5333] drm_gem_mmap+0x384/0x640 [ 86.018919][ T5333] ? __pfx_drm_gem_mmap+0x10/0x10 [ 86.021080][ T5333] ? __mas_set_range+0x12f/0x3c0 [ 86.023210][ T5333] mmap_region+0x18b4/0x2110 [ 86.025119][ T5333] ? __pfx_mmap_region+0x10/0x10 [ 86.027249][ T5333] ? __pfx_arch_get_unmapped_area_topdown+0x10/0x10 [ 86.029880][ T5333] ? bpf_lsm_mmap_addr+0x9/0x20 [ 86.031889][ T5333] ? security_mmap_addr+0x71/0x270 [ 86.034145][ T5333] ? shmem_mapping+0xd/0x50 [ 86.036161][ T5333] ? memfd_check_seals_mmap+0xc5/0x200 [ 86.038569][ T5333] do_mmap+0xc45/0x10d0 [ 86.040407][ T5333] ? __pfx_do_mmap+0x10/0x10 [ 86.042218][ T5333] ? down_write_killable+0x178/0x230 [ 86.044402][ T5333] ? __pfx_down_write_killable+0x10/0x10 [ 86.046708][ T5333] ? common_file_perm+0x1b5/0x230 [ 86.048899][ T5333] vm_mmap_pgoff+0x2a6/0x4d0 [ 86.050910][ T5333] ? __pfx_vm_mmap_pgoff+0x10/0x10 [ 86.053133][ T5333] ? __fget_files+0x2a/0x420 [ 86.055175][ T5333] ? __fget_files+0x2a/0x420 [ 86.057187][ T5333] ? __fget_files+0x2a/0x420 [ 86.059175][ T5333] ksys_mmap_pgoff+0x51f/0x760 [ 86.061229][ T5333] do_syscall_64+0xfa/0xfa0 [ 86.063289][ T5333] ? lockdep_hardirqs_on+0x9c/0x150 [ 86.065466][ T5333] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.068192][ T5333] ? clear_bhb_loop+0x60/0xb0 [ 86.070341][ T5333] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 86.072936][ T5333] RIP: 0033:0x7f5f1e18efc9 [ 86.074949][ T5333] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 86.082828][ T5333] RSP: 002b:00007f5f1ef68038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009 [ 86.086025][ T5333] RAX: ffffffffffffffda RBX: 00007f5f1e3e6180 RCX: 00007f5f1e18efc9 [ 86.089268][ T5333] RDX: 0000000000000004 RSI: 0000000000004000 RDI: 0000200000001000 [ 86.092642][ T5333] RBP: 00007f5f1e211f91 R08: 0000000000000006 R09: 0000000100000000 [ 86.096172][ T5333] R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000000 [ 86.099760][ T5333] R13: 00007f5f1e3e6218 R14: 00007f5f1e3e6180 R15: 00007ffcdf4961d8 [ 86.103278][ T5333] [ 86.105049][ T5333] Kernel Offset: disabled [ 86.107089][ T5333] Rebooting in 86400 seconds..