program:
r0 = syz_open_dev$dri(&(0x7f0000000000), 0x0, 0x0)
ioctl$DRM_IOCTL_MODE_CREATE_DUMB(r0, 0xc02064b2, &(0x7f0000000040)={0x3, 0x6576, 0xd})
mmap(&(0x7f0000001000/0x4000)=nil, 0x4000, 0x4, 0x11, r0, 0x100000000)
r1 = openat$cgroup_ro(0xffffffffffffff9c, &(0x7f0000000040)='blkio.bfq.io_service_bytes_recursive\x00', 0x275a, 0x0)
mmap(&(0x7f0000000000/0xb36000)=nil, 0xb36000, 0x3, 0x28012, r1, 0x0)
[ 68.099460][ T5322] ==================================================================
[ 68.107839][ T5322] BUG: KASAN: slab-out-of-bounds in change_page_attr_set_clr+0x625/0xfc0
[ 68.112496][ T5322] Read of size 8 at addr ffff888012359cf8 by task syz.0.0/5322
[ 68.115737][ T5322]
[ 68.116838][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 68.116855][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.116863][ T5322] Call Trace:
[ 68.116870][ T5322]
[ 68.116878][ T5322] dump_stack_lvl+0x189/0x250
[ 68.116894][ T5322] ? __kasan_check_byte+0x12/0x40
[ 68.116947][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.116960][ T5322] ? lock_release+0x4b/0x3e0
[ 68.116978][ T5322] ? __virt_addr_valid+0x4a5/0x5c0
[ 68.116992][ T5322] print_report+0xca/0x240
[ 68.117007][ T5322] ? change_page_attr_set_clr+0x625/0xfc0
[ 68.117022][ T5322] kasan_report+0x118/0x150
[ 68.117035][ T5322] ? change_page_attr_set_clr+0x625/0xfc0
[ 68.117051][ T5322] change_page_attr_set_clr+0x625/0xfc0
[ 68.117068][ T5322] ? __pfx_change_page_attr_set_clr+0x10/0x10
[ 68.117082][ T5322] ? __pfx_pagerange_is_ram_callback+0x10/0x10
[ 68.117095][ T5322] ? memtype_reserve+0x874/0xb30
[ 68.117111][ T5322] ? __pfx___ww_mutex_lock+0x10/0x10
[ 68.117151][ T5322] _set_pages_array+0x145/0x270
[ 68.117168][ T5322] drm_gem_shmem_get_pages_locked+0x2d0/0x440
[ 68.117188][ T5322] ? __pfx_drm_gem_shmem_get_pages_locked+0x10/0x10
[ 68.117208][ T5322] ? ww_mutex_lock+0x3f/0x1c0
[ 68.117222][ T5322] drm_gem_shmem_mmap+0x193/0x460
[ 68.117240][ T5322] drm_gem_mmap_obj+0x18a/0x4e0
[ 68.117260][ T5322] drm_gem_mmap+0x384/0x640
[ 68.117274][ T5322] ? __pfx_drm_gem_mmap+0x10/0x10
[ 68.117286][ T5322] ? __mas_set_range+0x12f/0x3c0
[ 68.117303][ T5322] mmap_region+0x18b4/0x2110
[ 68.117322][ T5322] ? __pfx_mmap_region+0x10/0x10
[ 68.117353][ T5322] ? __pfx_arch_get_unmapped_area_topdown+0x10/0x10
[ 68.117373][ T5322] ? bpf_lsm_mmap_addr+0x9/0x20
[ 68.117388][ T5322] ? security_mmap_addr+0x71/0x270
[ 68.117403][ T5322] ? shmem_mapping+0xd/0x50
[ 68.117417][ T5322] ? memfd_check_seals_mmap+0xc5/0x200
[ 68.117433][ T5322] do_mmap+0xc45/0x10d0
[ 68.117451][ T5322] ? __pfx_do_mmap+0x10/0x10
[ 68.117466][ T5322] ? down_write_killable+0x178/0x230
[ 68.117481][ T5322] ? __pfx_down_write_killable+0x10/0x10
[ 68.117493][ T5322] ? common_file_perm+0x1b5/0x230
[ 68.117512][ T5322] vm_mmap_pgoff+0x2a6/0x4d0
[ 68.117528][ T5322] ? __pfx_vm_mmap_pgoff+0x10/0x10
[ 68.117543][ T5322] ? __fget_files+0x2a/0x420
[ 68.117556][ T5322] ? __fget_files+0x2a/0x420
[ 68.117568][ T5322] ? __fget_files+0x2a/0x420
[ 68.117580][ T5322] ksys_mmap_pgoff+0x51f/0x760
[ 68.117598][ T5322] do_syscall_64+0xfa/0xfa0
[ 68.117609][ T5322] ? lockdep_hardirqs_on+0x9c/0x150
[ 68.117626][ T5322] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.117637][ T5322] ? clear_bhb_loop+0x60/0xb0
[ 68.117649][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.117660][ T5322] RIP: 0033:0x7f047b58eec9
[ 68.117671][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 68.117680][ T5322] RSP: 002b:00007f047c397038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 68.117693][ T5322] RAX: ffffffffffffffda RBX: 00007f047b7e5fa0 RCX: 00007f047b58eec9
[ 68.117701][ T5322] RDX: 0000000000000004 RSI: 0000000000004000 RDI: 0000200000001000
[ 68.117710][ T5322] RBP: 00007f047b611f91 R08: 0000000000000003 R09: 0000000100000000
[ 68.117718][ T5322] R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000000
[ 68.117724][ T5322] R13: 00007f047b7e6038 R14: 00007f047b7e5fa0 R15: 00007ffc3218a828
[ 68.117736][ T5322]
[ 68.117740][ T5322]
[ 68.266443][ T5322] Allocated by task 5322:
[ 68.268279][ T5322] kasan_save_track+0x3e/0x80
[ 68.270307][ T5322] __kasan_kmalloc+0x93/0xb0
[ 68.272294][ T5322] __kvmalloc_node_noprof+0x5cd/0x910
[ 68.274620][ T5322] drm_gem_get_pages+0x166/0xa20
[ 68.276695][ T5322] drm_gem_shmem_get_pages_locked+0x201/0x440
[ 68.279039][ T5322] drm_gem_shmem_mmap+0x193/0x460
[ 68.281025][ T5322] drm_gem_mmap_obj+0x18a/0x4e0
[ 68.283137][ T5322] drm_gem_mmap+0x384/0x640
[ 68.285070][ T5322] mmap_region+0x18b4/0x2110
[ 68.287041][ T5322] do_mmap+0xc45/0x10d0
[ 68.288859][ T5322] vm_mmap_pgoff+0x2a6/0x4d0
[ 68.290898][ T5322] ksys_mmap_pgoff+0x51f/0x760
[ 68.292983][ T5322] do_syscall_64+0xfa/0xfa0
[ 68.294950][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.297419][ T5322]
[ 68.298458][ T5322] The buggy address belongs to the object at ffff888012359c00
[ 68.298458][ T5322] which belongs to the cache kmalloc-256 of size 256
[ 68.304154][ T5322] The buggy address is located 0 bytes to the right of
[ 68.304154][ T5322] allocated 248-byte region [ffff888012359c00, ffff888012359cf8)
[ 68.309865][ T5322]
[ 68.310823][ T5322] The buggy address belongs to the physical page:
[ 68.313553][ T5322] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x12359
[ 68.317244][ T5322] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
[ 68.320406][ T5322] page_type: f5(slab)
[ 68.322133][ T5322] raw: 00fff00000000000 ffff88801a441b40 dead000000000100 dead000000000122
[ 68.325579][ T5322] raw: 0000000000000000 0000000080080008 00000000f5000000 0000000000000000
[ 68.329001][ T5322] page dumped because: kasan: bad access detected
[ 68.331919][ T5322] page_owner tracks the page as allocated
[ 68.334395][ T5322] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5300, tgid 5300 (syz-executor), ts 66899219642, free_ts 66890151140
[ 68.342345][ T5322] post_alloc_hook+0x240/0x2a0
[ 68.344207][ T5322] get_page_from_freelist+0x2365/0x2440
[ 68.346311][ T5322] __alloc_pages_slowpath+0x30b/0xcf0
[ 68.348433][ T5322] __alloc_frozen_pages_noprof+0x319/0x370
[ 68.350685][ T5322] allocate_slab+0x71/0x3a0
[ 68.352492][ T5322] ___slab_alloc+0xe94/0x18a0
[ 68.354302][ T5322] __slab_alloc+0x65/0x100
[ 68.356066][ T5322] __kmalloc_node_noprof+0x5cc/0x800
[ 68.358433][ T5322] alloc_slab_obj_exts+0x3d/0xc0
[ 68.360567][ T5322] __memcg_slab_post_alloc_hook+0x31d/0x7d0
[ 68.363047][ T5322] __kvmalloc_node_noprof+0x6d8/0x910
[ 68.365302][ T5322] nf_hook_entries_grow+0x281/0x720
[ 68.367530][ T5322] __nf_register_net_hook+0x2c9/0x930
[ 68.369838][ T5322] nf_register_net_hook+0xb2/0x190
[ 68.372074][ T5322] nf_register_net_hooks+0x44/0x1b0
[ 68.374314][ T5322] ebt_register_table+0xd05/0x10e0
[ 68.376318][ T5322] page last free pid 15 tgid 15 stack trace:
[ 68.378626][ T5322] __free_frozen_pages+0xbc4/0xd30
[ 68.380629][ T5322] rcu_core+0xcab/0x1770
[ 68.382272][ T5322] handle_softirqs+0x286/0x870
[ 68.384130][ T5322] run_ksoftirqd+0x9b/0x100
[ 68.386075][ T5322] smpboot_thread_fn+0x542/0xa60
[ 68.388211][ T5322] kthread+0x711/0x8a0
[ 68.389980][ T5322] ret_from_fork+0x4bc/0x870
[ 68.391941][ T5322] ret_from_fork_asm+0x1a/0x30
[ 68.394023][ T5322]
[ 68.395084][ T5322] Memory state around the buggy address:
[ 68.397465][ T5322] ffff888012359b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.400880][ T5322] ffff888012359c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 68.404289][ T5322] >ffff888012359c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 68.407658][ T5322] ^
[ 68.411014][ T5322] ffff888012359d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.414422][ T5322] ffff888012359d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 68.417812][ T5322] ==================================================================
[ 68.430393][ T5302] Bluetooth: hci0: command tx timeout
[ 68.458668][ T5322] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 68.461983][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 68.465972][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 68.470861][ T5322] Call Trace:
[ 68.472201][ T5322]
[ 68.473387][ T5322] dump_stack_lvl+0x99/0x250
[ 68.475144][ T5322] ? __asan_memcpy+0x40/0x70
[ 68.476929][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10
[ 68.478874][ T5322] ? __pfx__printk+0x10/0x10
[ 68.480872][ T5322] vpanic+0x237/0x6d0
[ 68.482524][ T5322] ? __pfx_vpanic+0x10/0x10
[ 68.484332][ T5322] ? preempt_schedule+0xae/0xc0
[ 68.486274][ T5322] ? __pfx_preempt_schedule+0x10/0x10
[ 68.488423][ T5322] panic+0xb9/0xc0
[ 68.490341][ T5322] ? __pfx_panic+0x10/0x10
[ 68.492410][ T5322] ? _raw_spin_unlock_irqrestore+0xfd/0x110
[ 68.495088][ T5322] ? change_page_attr_set_clr+0x625/0xfc0
[ 68.497788][ T5322] check_panic_on_warn+0x89/0xb0
[ 68.500044][ T5322] ? change_page_attr_set_clr+0x625/0xfc0
[ 68.502637][ T5322] end_report+0x78/0x160
[ 68.504540][ T5322] kasan_report+0x129/0x150
[ 68.506588][ T5322] ? change_page_attr_set_clr+0x625/0xfc0
[ 68.509217][ T5322] change_page_attr_set_clr+0x625/0xfc0
[ 68.511724][ T5322] ? __pfx_change_page_attr_set_clr+0x10/0x10
[ 68.514454][ T5322] ? __pfx_pagerange_is_ram_callback+0x10/0x10
[ 68.517186][ T5322] ? memtype_reserve+0x874/0xb30
[ 68.519541][ T5322] ? __pfx___ww_mutex_lock+0x10/0x10
[ 68.521919][ T5322] _set_pages_array+0x145/0x270
[ 68.523930][ T5322] drm_gem_shmem_get_pages_locked+0x2d0/0x440
[ 68.526427][ T5322] ? __pfx_drm_gem_shmem_get_pages_locked+0x10/0x10
[ 68.529079][ T5322] ? ww_mutex_lock+0x3f/0x1c0
[ 68.531229][ T5322] drm_gem_shmem_mmap+0x193/0x460
[ 68.533509][ T5322] drm_gem_mmap_obj+0x18a/0x4e0
[ 68.535644][ T5322] drm_gem_mmap+0x384/0x640
[ 68.537638][ T5322] ? __pfx_drm_gem_mmap+0x10/0x10
[ 68.539833][ T5322] ? __mas_set_range+0x12f/0x3c0
[ 68.541997][ T5322] mmap_region+0x18b4/0x2110
[ 68.544045][ T5322] ? __pfx_mmap_region+0x10/0x10
[ 68.546197][ T5322] ? __pfx_arch_get_unmapped_area_topdown+0x10/0x10
[ 68.549051][ T5322] ? bpf_lsm_mmap_addr+0x9/0x20
[ 68.551335][ T5322] ? security_mmap_addr+0x71/0x270
[ 68.553710][ T5322] ? shmem_mapping+0xd/0x50
[ 68.555807][ T5322] ? memfd_check_seals_mmap+0xc5/0x200
[ 68.558263][ T5322] do_mmap+0xc45/0x10d0
[ 68.560229][ T5322] ? __pfx_do_mmap+0x10/0x10
[ 68.562840][ T5322] ? down_write_killable+0x178/0x230
[ 68.565268][ T5322] ? __pfx_down_write_killable+0x10/0x10
[ 68.567720][ T5322] ? common_file_perm+0x1b5/0x230
[ 68.569950][ T5322] vm_mmap_pgoff+0x2a6/0x4d0
[ 68.572114][ T5322] ? __pfx_vm_mmap_pgoff+0x10/0x10
[ 68.574353][ T5322] ? __fget_files+0x2a/0x420
[ 68.576437][ T5322] ? __fget_files+0x2a/0x420
[ 68.578532][ T5322] ? __fget_files+0x2a/0x420
[ 68.580679][ T5322] ksys_mmap_pgoff+0x51f/0x760
[ 68.582700][ T5322] do_syscall_64+0xfa/0xfa0
[ 68.584637][ T5322] ? lockdep_hardirqs_on+0x9c/0x150
[ 68.586821][ T5322] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.589586][ T5322] ? clear_bhb_loop+0x60/0xb0
[ 68.591727][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 68.594433][ T5322] RIP: 0033:0x7f047b58eec9
[ 68.596460][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[ 68.604783][ T5322] RSP: 002b:00007f047c397038 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 68.608328][ T5322] RAX: ffffffffffffffda RBX: 00007f047b7e5fa0 RCX: 00007f047b58eec9
[ 68.611492][ T5322] RDX: 0000000000000004 RSI: 0000000000004000 RDI: 0000200000001000
[ 68.614741][ T5322] RBP: 00007f047b611f91 R08: 0000000000000003 R09: 0000000100000000
[ 68.617898][ T5322] R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000000000
[ 68.621138][ T5322] R13: 00007f047b7e6038 R14: 00007f047b7e5fa0 R15: 00007ffc3218a828
[ 68.624476][ T5322]
[ 68.626202][ T5322] Kernel Offset: disabled
[ 68.628074][ T5322] Rebooting in 86400 seconds..