program:
r0 = openat$kvm(0xffffffffffffff9c, &(0x7f0000000200), 0x0, 0x0)
r1 = ioctl$KVM_CREATE_VM(r0, 0xae01, 0x0)
r2 = ioctl$KVM_CREATE_VCPU(r1, 0xae41, 0x0)
ioctl$KVM_SET_USER_MEMORY_REGION(r1, 0x4020ae46, &(0x7f0000000180)={0x0, 0x0, 0x0, 0x2000, &(0x7f0000000000/0x2000)=nil})
r3 = syz_open_dev$dri(&(0x7f0000000000), 0x0, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r3, 0xc02064b2, &(0x7f0000000040)={0x7, 0x6576, 0x3})
mmap(&(0x7f0000001000/0x4000)=nil, 0x4000, 0x4, 0x11, r3, 0x100000000)
ioctl$KVM_SET_REGS(r2, 0x4090ae82, &(0x7f00000003c0)={[0x60000000004, 0x1000000000, 0x5, 0x41, 0x2000000, 0x0, 0xe, 0x0, 0xa1d, 0x68ff, 0x5, 0x0, 0x3, 0x2], 0x10000})
ioctl$KVM_RUN(r2, 0xae80, 0x0)

[   86.160667][ T5329] ==================================================================
[   86.164153][ T5329] BUG: KASAN: slab-out-of-bounds in change_page_attr_set_clr+0x625/0xfc0
[   86.167635][ T5329] Read of size 8 at addr ffff888032e52688 by task syz.0.0/5329
[   86.170892][ T5329] 
[   86.172055][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.172070][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.172083][ T5329] Call Trace:
[   86.172090][ T5329]  <TASK>
[   86.172096][ T5329]  dump_stack_lvl+0x189/0x250
[   86.172113][ T5329]  ? __kasan_check_byte+0x12/0x40
[   86.172162][ T5329]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.172173][ T5329]  ? lock_release+0x4b/0x3e0
[   86.172188][ T5329]  ? __virt_addr_valid+0x4a5/0x5c0
[   86.172200][ T5329]  print_report+0xca/0x240
[   86.172213][ T5329]  ? change_page_attr_set_clr+0x625/0xfc0
[   86.172227][ T5329]  kasan_report+0x118/0x150
[   86.172239][ T5329]  ? change_page_attr_set_clr+0x625/0xfc0
[   86.172253][ T5329]  change_page_attr_set_clr+0x625/0xfc0
[   86.172266][ T5329]  ? __pfx_change_page_attr_set_clr+0x10/0x10
[   86.172279][ T5329]  ? __pfx_pagerange_is_ram_callback+0x10/0x10
[   86.172291][ T5329]  ? memtype_reserve+0x874/0xb30
[   86.172305][ T5329]  ? __pfx___ww_mutex_lock+0x10/0x10
[   86.172356][ T5329]  _set_pages_array+0x145/0x270
[   86.172372][ T5329]  drm_gem_shmem_get_pages_locked+0x2d0/0x440
[   86.172388][ T5329]  ? __pfx_drm_gem_shmem_get_pages_locked+0x10/0x10
[   86.172407][ T5329]  ? ww_mutex_lock+0x3f/0x1c0
[   86.172418][ T5329]  drm_gem_shmem_mmap+0x193/0x460
[   86.172436][ T5329]  drm_gem_mmap_obj+0x18a/0x4e0
[   86.172449][ T5329]  drm_gem_mmap+0x384/0x640
[   86.172461][ T5329]  ? __pfx_drm_gem_mmap+0x10/0x10
[   86.172472][ T5329]  ? __mas_set_range+0x12f/0x3c0
[   86.172489][ T5329]  mmap_region+0x18b4/0x2110
[   86.172507][ T5329]  ? __pfx_mmap_region+0x10/0x10
[   86.172521][ T5329]  ? __schedule+0x17ae/0x4cc0
[   86.172538][ T5329]  ? rcu_read_lock_sched_held+0x89/0x100
[   86.172554][ T5329]  ? __pfx_rcu_read_lock_sched_held+0x10/0x10
[   86.172585][ T5329]  ? __pfx_arch_get_unmapped_area_topdown+0x10/0x10
[   86.172607][ T5329]  ? bpf_lsm_mmap_addr+0x9/0x20
[   86.172622][ T5329]  ? security_mmap_addr+0x71/0x270
[   86.172638][ T5329]  ? shmem_mapping+0xd/0x50
[   86.172652][ T5329]  ? memfd_check_seals_mmap+0xc5/0x200
[   86.172668][ T5329]  do_mmap+0xc45/0x10d0
[   86.172684][ T5329]  ? __pfx_do_mmap+0x10/0x10
[   86.172697][ T5329]  ? down_write_killable+0x178/0x230
[   86.172710][ T5329]  ? __pfx_down_write_killable+0x10/0x10
[   86.172722][ T5329]  ? common_file_perm+0x1b5/0x230
[   86.172741][ T5329]  vm_mmap_pgoff+0x2a6/0x4d0
[   86.172757][ T5329]  ? __pfx_vm_mmap_pgoff+0x10/0x10
[   86.172773][ T5329]  ? __fget_files+0x2a/0x420
[   86.172784][ T5329]  ? __fget_files+0x2a/0x420
[   86.172794][ T5329]  ? __fget_files+0x2a/0x420
[   86.172805][ T5329]  ksys_mmap_pgoff+0x51f/0x760
[   86.172822][ T5329]  do_syscall_64+0xfa/0xfa0
[   86.172833][ T5329]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.172850][ T5329]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.172862][ T5329]  ? clear_bhb_loop+0x60/0xb0
[   86.172873][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.172885][ T5329] RIP: 0033:0x7f728e98efc9
[   86.172897][ T5329] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.172906][ T5329] RSP: 002b:00007f728f85f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[   86.172918][ T5329] RAX: ffffffffffffffda RBX: 00007f728ebe5fa0 RCX: 00007f728e98efc9
[   86.172927][ T5329] RDX: 0000000000000004 RSI: 0000000000004000 RDI: 0000200000001000
[   86.172934][ T5329] RBP: 00007f728ea11f91 R08: 0000000000000006 R09: 0000000100000000
[   86.172944][ T5329] R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000000
[   86.172951][ T5329] R13: 00007f728ebe6038 R14: 00007f728ebe5fa0 R15: 00007ffcdff497a8
[   86.172964][ T5329]  </TASK>
[   86.172968][ T5329] 
[   86.321965][ T5329] Allocated by task 5329:
[   86.323823][ T5329]  kasan_save_track+0x3e/0x80
[   86.325823][ T5329]  __kasan_kmalloc+0x93/0xb0
[   86.327750][ T5329]  __kvmalloc_node_noprof+0x5cd/0x910
[   86.329841][ T5329]  drm_gem_get_pages+0x166/0xa20
[   86.332003][ T5329]  drm_gem_shmem_get_pages_locked+0x201/0x440
[   86.334681][ T5329]  drm_gem_shmem_mmap+0x193/0x460
[   86.336644][ T5329]  drm_gem_mmap_obj+0x18a/0x4e0
[   86.338675][ T5329]  drm_gem_mmap+0x384/0x640
[   86.340492][ T5329]  mmap_region+0x18b4/0x2110
[   86.342247][ T5329]  do_mmap+0xc45/0x10d0
[   86.344216][ T5329]  vm_mmap_pgoff+0x2a6/0x4d0
[   86.346233][ T5329]  ksys_mmap_pgoff+0x51f/0x760
[   86.348412][ T5329]  do_syscall_64+0xfa/0xfa0
[   86.350441][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.353088][ T5329] 
[   86.354172][ T5329] The buggy address belongs to the object at ffff888032e52600
[   86.354172][ T5329]  which belongs to the cache kmalloc-192 of size 192
[   86.359809][ T5329] The buggy address is located 0 bytes to the right of
[   86.359809][ T5329]  allocated 136-byte region [ffff888032e52600, ffff888032e52688)
[   86.365598][ T5329] 
[   86.366620][ T5329] The buggy address belongs to the physical page:
[   86.369336][ T5329] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x32e52
[   86.373084][ T5329] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   86.376210][ T5329] page_type: f5(slab)
[   86.378012][ T5329] raw: 04fff00000000000 ffff88801a4413c0 ffffea0000c13840 dead000000000004
[   86.381720][ T5329] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
[   86.385462][ T5329] page dumped because: kasan: bad access detected
[   86.388257][ T5329] page_owner tracks the page as allocated
[   86.390803][ T5329] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 10602294750, free_ts 10526036432
[   86.398933][ T5329]  post_alloc_hook+0x240/0x2a0
[   86.401159][ T5329]  get_page_from_freelist+0x2365/0x2440
[   86.403726][ T5329]  __alloc_frozen_pages_noprof+0x181/0x370
[   86.406259][ T5329]  alloc_pages_mpol+0x232/0x4a0
[   86.408423][ T5329]  allocate_slab+0x96/0x3a0
[   86.410528][ T5329]  ___slab_alloc+0xe94/0x18a0
[   86.412702][ T5329]  __slab_alloc+0x65/0x100
[   86.414727][ T5329]  __kmalloc_cache_noprof+0x411/0x6f0
[   86.416920][ T5329]  virtio_gpu_plane_duplicate_state+0x72/0xb0
[   86.419494][ T5329]  drm_atomic_get_plane_state+0x25d/0x5a0
[   86.421795][ T5329]  drm_client_modeset_commit_atomic+0x1e7/0x760
[   86.424490][ T5329]  drm_client_modeset_commit_locked+0xcb/0x4d0
[   86.427274][ T5329]  drm_fb_helper_pan_display+0x3e7/0xbd0
[   86.429807][ T5329]  fb_pan_display+0x39e/0x680
[   86.431921][ T5329]  bit_update_start+0x4d/0x1e0
[   86.434053][ T5329]  fbcon_switch+0x14f7/0x1f90
[   86.436163][ T5329] page last free pid 9 tgid 9 stack trace:
[   86.438713][ T5329]  __free_frozen_pages+0xbc4/0xd30
[   86.440851][ T5329]  __slab_free+0x2e7/0x390
[   86.442698][ T5329]  qlist_free_all+0x97/0x140
[   86.444719][ T5329]  kasan_quarantine_reduce+0x148/0x160
[   86.446907][ T5329]  __kasan_slab_alloc+0x22/0x80
[   86.448922][ T5329]  __kmalloc_cache_noprof+0x36f/0x6f0
[   86.451129][ T5329]  drm_atomic_state_alloc+0xa9/0x100
[   86.453401][ T5329]  drm_atomic_helper_dirtyfb+0xed/0xee0
[   86.455888][ T5329]  drm_fbdev_shmem_helper_fb_dirty+0x160/0x2f0
[   86.458631][ T5329]  drm_fb_helper_damage_work+0x224/0x710
[   86.461188][ T5329]  process_scheduled_works+0xae1/0x17b0
[   86.463690][ T5329]  worker_thread+0x8a0/0xda0
[   86.465657][ T5329]  kthread+0x711/0x8a0
[   86.467417][ T5329]  ret_from_fork+0x4bc/0x870
[   86.469452][ T5329]  ret_from_fork_asm+0x1a/0x30
[   86.471685][ T5329] 
[   86.472815][ T5329] Memory state around the buggy address:
[   86.475358][ T5329]  ffff888032e52580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[   86.478918][ T5329]  ffff888032e52600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   86.482453][ T5329] >ffff888032e52680: 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   86.486020][ T5329]                       ^
[   86.488031][ T5329]  ffff888032e52700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   86.491696][ T5329]  ffff888032e52780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
[   86.495318][ T5329] ==================================================================
[   86.503128][ T5307] Bluetooth: hci0: command tx timeout
[   86.527702][ T5329] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   86.530663][ T5329] CPU: 0 UID: 0 PID: 5329 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   86.534638][ T5329] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   86.539374][ T5329] Call Trace:
[   86.540948][ T5329]  <TASK>
[   86.542261][ T5329]  dump_stack_lvl+0x99/0x250
[   86.544383][ T5329]  ? __asan_memcpy+0x40/0x70
[   86.546473][ T5329]  ? __pfx_dump_stack_lvl+0x10/0x10
[   86.548828][ T5329]  ? __pfx__printk+0x10/0x10
[   86.550900][ T5329]  vpanic+0x237/0x6d0
[   86.552744][ T5329]  ? __pfx_vpanic+0x10/0x10
[   86.554764][ T5329]  ? preempt_schedule+0xae/0xc0
[   86.556877][ T5329]  ? __pfx_preempt_schedule+0x10/0x10
[   86.559167][ T5329]  panic+0xb9/0xc0
[   86.560905][ T5329]  ? __pfx_panic+0x10/0x10
[   86.562909][ T5329]  ? _raw_spin_unlock_irqrestore+0xfd/0x110
[   86.565573][ T5329]  ? change_page_attr_set_clr+0x625/0xfc0
[   86.568148][ T5329]  check_panic_on_warn+0x89/0xb0
[   86.570340][ T5329]  ? change_page_attr_set_clr+0x625/0xfc0
[   86.572889][ T5329]  end_report+0x78/0x160
[   86.574863][ T5329]  kasan_report+0x129/0x150
[   86.576929][ T5329]  ? change_page_attr_set_clr+0x625/0xfc0
[   86.579460][ T5329]  change_page_attr_set_clr+0x625/0xfc0
[   86.581852][ T5329]  ? __pfx_change_page_attr_set_clr+0x10/0x10
[   86.584382][ T5329]  ? __pfx_pagerange_is_ram_callback+0x10/0x10
[   86.586946][ T5329]  ? memtype_reserve+0x874/0xb30
[   86.589169][ T5329]  ? __pfx___ww_mutex_lock+0x10/0x10
[   86.591558][ T5329]  _set_pages_array+0x145/0x270
[   86.593781][ T5329]  drm_gem_shmem_get_pages_locked+0x2d0/0x440
[   86.596502][ T5329]  ? __pfx_drm_gem_shmem_get_pages_locked+0x10/0x10
[   86.599334][ T5329]  ? ww_mutex_lock+0x3f/0x1c0
[   86.601440][ T5329]  drm_gem_shmem_mmap+0x193/0x460
[   86.603689][ T5329]  drm_gem_mmap_obj+0x18a/0x4e0
[   86.605836][ T5329]  drm_gem_mmap+0x384/0x640
[   86.607794][ T5329]  ? __pfx_drm_gem_mmap+0x10/0x10
[   86.610007][ T5329]  ? __mas_set_range+0x12f/0x3c0
[   86.612085][ T5329]  mmap_region+0x18b4/0x2110
[   86.614152][ T5329]  ? __pfx_mmap_region+0x10/0x10
[   86.616401][ T5329]  ? __schedule+0x17ae/0x4cc0
[   86.618534][ T5329]  ? rcu_read_lock_sched_held+0x89/0x100
[   86.620913][ T5329]  ? __pfx_rcu_read_lock_sched_held+0x10/0x10
[   86.623634][ T5329]  ? __pfx_arch_get_unmapped_area_topdown+0x10/0x10
[   86.626529][ T5329]  ? bpf_lsm_mmap_addr+0x9/0x20
[   86.628650][ T5329]  ? security_mmap_addr+0x71/0x270
[   86.630797][ T5329]  ? shmem_mapping+0xd/0x50
[   86.632757][ T5329]  ? memfd_check_seals_mmap+0xc5/0x200
[   86.635048][ T5329]  do_mmap+0xc45/0x10d0
[   86.636836][ T5329]  ? __pfx_do_mmap+0x10/0x10
[   86.638833][ T5329]  ? down_write_killable+0x178/0x230
[   86.641189][ T5329]  ? __pfx_down_write_killable+0x10/0x10
[   86.643580][ T5329]  ? common_file_perm+0x1b5/0x230
[   86.645730][ T5329]  vm_mmap_pgoff+0x2a6/0x4d0
[   86.647777][ T5329]  ? __pfx_vm_mmap_pgoff+0x10/0x10
[   86.649979][ T5329]  ? __fget_files+0x2a/0x420
[   86.651967][ T5329]  ? __fget_files+0x2a/0x420
[   86.653947][ T5329]  ? __fget_files+0x2a/0x420
[   86.656116][ T5329]  ksys_mmap_pgoff+0x51f/0x760
[   86.658263][ T5329]  do_syscall_64+0xfa/0xfa0
[   86.660335][ T5329]  ? lockdep_hardirqs_on+0x9c/0x150
[   86.662529][ T5329]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.665018][ T5329]  ? clear_bhb_loop+0x60/0xb0
[   86.666954][ T5329]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   86.669367][ T5329] RIP: 0033:0x7f728e98efc9
[   86.671242][ T5329] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   86.679327][ T5329] RSP: 002b:00007f728f85f038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[   86.683093][ T5329] RAX: ffffffffffffffda RBX: 00007f728ebe5fa0 RCX: 00007f728e98efc9
[   86.686632][ T5329] RDX: 0000000000000004 RSI: 0000000000004000 RDI: 0000200000001000
[   86.690140][ T5329] RBP: 00007f728ea11f91 R08: 0000000000000006 R09: 0000000100000000
[   86.693658][ T5329] R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000000
[   86.697163][ T5329] R13: 00007f728ebe6038 R14: 00007f728ebe5fa0 R15: 00007ffcdff497a8
[   86.700677][ T5329]  </TASK>
[   86.702426][ T5329] Kernel Offset: disabled
[   86.704402][ T5329] Rebooting in 86400 seconds..