program: r0 = syz_open_dev$vbi(&(0x7f0000000080), 0x1, 0x2) syz_mount_image$ext4(&(0x7f00000004c0)='ext4\x00', &(0x7f0000000500)='./file0\x00', 0x1000410, &(0x7f0000000100)={[{@grpid}, {@grpquota}]}, 0x4, 0x4eb, &(0x7f0000000540)="$eJzs3c9vVFsdAPDvnXZoKQMFZaFGBRFFQ5j+ABqCC2GjMYTESFy5gNoOTdMZpum0SCuLsnRvIokr/RPcuTBh5cKdO925wYUJKnkv9CVvMS/3zqUd2g7te7Qd6Hw+ye2955xhvufMcM6Ze2B6AuhZZyNiNSKORMS9iBjO85P8iButI33cq5ePp9ZePp5Kotm8878kK0/zou3PpI7lzzkYET/7ccQvk61xG8src5PVamUhT48s1uZHGssrl2YLec74xNjE6LXLV8f3rK1nan968aPZWz//y5+/8fzvq9//dVqt0m+OZ2Xt7dhLraYXo9SW1x8Rt/YjWJf0539/+PCkve1LEXEu6//D0Ze9mwDAYdZsDkdzuD0NABx26f1/KZJCOV8LKEWhUC631vBOx1ChWm8sXhyuLz2YjmwN62QUC/dnq5XRfK3wZBSTND2WXW+kxzelL0fEqYj47cDRLF2eqlenu/nBBwB62LFN8//HA635HwA45Aa7XQEA4MCZ/wGg95j/AaD3fI7537cDAeCQcP8PAL3H/A8AvWfH+f/JwdQDADgQP719Oz2aa/nvv55+uLz0g9LDS9OVxly5tjRVnqovzJdn6vWZaqU81Wzu9HzVen1+7Mp6srG8crdWX3qweHe2NjlTuVsp7nN7AICdnTrz7J9JRKxeP5od0baXg7kaDrdCtysAdE1ftysAdI3v80Dv2sU9vmUAOOS22aL3DR3/i9BTm7/Ch+rCV63/Q6+y/g+964ut//9wz+sBHDzr/9C7ms3Env8A0GOs8QPv9O//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0KNK2ZEUytle4Kvpz0K5HHE8Ik5GMbk/W62MRsSJiPjHQHEgTY91u9IAwDsq/CfJ9/+6MHy+tLn0SPLJQHaOiF/9/s7vHk0uLi6Mpfn/X89ffJrnjx/pRgMAgHY3tma15un83HYj/+rl46nXx0FW8cXN1uaiady1/GiV9Ed/dh6MYkQMfZTk6Zb080rfHsRffRIRX9lo/6O2CKVsDaS18+nm+Gns4/sQf+P13xy/8Eb8QlaWnovZa/HlPagL9JpnN1vjZN730i6W979CnM3O2/f/wWyEenevx7+1LeNfYX3869sSP8n6/Nn19Ntr8uLKX3+yJbM53Cp7EvG1/u3iJ+vxkw7j7/ldtvFfX//muU5lzT9EXIjt47fUsmF2ZLE2P9JYXrk0W5ucqcxUHoyPT4xNjF67fHV8JFujbv3823Yx/nv94olO8dP2D3WIP7hD+7+zy/b/8dN7v/jWW+J/79vbv/+n3xI/nRO/u8v4k0M3Om7fncaf7tD+nd7/i7uM//zfK9O7fCgAcAAayytzk9VqZWGHi/Sz5k6PcfFhXsRqxHtQDRfv1UW3RyZgv210+m7XBAAAAAAAAAAAAAAA6KSxvDI3EPv7daJutxEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIDD67MAAAD//w/PzvM=") r1 = io_uring_setup(0x178e, &(0x7f00000000c0)={0x0, 0x52c1, 0x0, 0x0, 0x10}) r2 = socket$nl_generic(0x10, 0x3, 0x10) sendmsg$nl_route_sched(0xffffffffffffffff, &(0x7f0000001200)={0x0, 0x0, &(0x7f0000000000)={&(0x7f00000002c0)=@newqdisc={0x30, 0x24, 0x4ee4e6a52ff56541, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, {}, {0xffff, 0xffff}}, [@qdisc_kind_options=@q_fq={{0x7}, {0x4}}]}, 0x30}}, 0x0) r3 = socket$nl_generic(0x10, 0x3, 0x10) r4 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000000), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r3, 0x8933, &(0x7f0000000700)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r3, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000280)=ANY=[@ANYBLOB="1c0000d185206edf7205c7c95ab5054c638df836270c0b8164c42a8bd9483f8d6fd40f92340785", @ANYRES16=r4, @ANYBLOB="050000000000000000000600000008000300", @ANYRES32=r5, @ANYBLOB], 0x1c}, 0x1, 0x0, 0x0, 0x4}, 0x0) r6 = socket$inet_tcp(0x2, 0x1, 0x0) setsockopt$IPT_SO_SET_REPLACE(r6, 0x0, 0x40, &(0x7f00000008c0)=@raw={'raw\x00', 0x8, 0x3, 0x270, 0x128, 0x43, 0xa0, 0x128, 0x98, 0x1d8, 0x178, 0x178, 0x1d8, 0x178, 0x49, 0x0, {[{{@ip={@loopback, @initdev={0xac, 0x1e, 0x0, 0x0}, 0xffffff00, 0xffffffff, 'veth0_vlan\x00', 'bond0\x00', {0xff}, {}, 0x0, 0x2}, 0x12a, 0x108, 0x128, 0x0, {0x0, 0x7a010000}, [@common=@unspec=@rateest={{0x68}, {'macvlan1\x00', 'geneve1\x00', 0x32, 0x3, 0x1, 0x5, 0x4000000, 0x7, {0x3}, {0x1}}}, @common=@addrtype={{0x30}, {0x1}}]}, @unspec=@TRACE={0x20}}, {{@uncond, 0x0, 0x70, 0xb0}, @common=@inet=@LOG={0x40, 'LOG\x00', 0x0, {0x3, 0x1, "7a7d0d9452729a5afa3851200a44a3d28da04828d1768c081f126a6bc527"}}}], {{'\x00', 0x0, 0x70, 0x98}, {0x28, '\x00', 0x4}}}}, 0x2d0) sendmsg$NL80211_CMD_TRIGGER_SCAN(r3, &(0x7f0000000340)={0x0, 0x0, &(0x7f0000000300)={&(0x7f0000000240)=ANY=[@ANYBLOB=' \x00\x00\x00', @ANYRES16=r4, @ANYBLOB="0500000000000000000021"], 0x20}, 0x1, 0x0, 0x0, 0x20000000}, 0x0) add_key$fscrypt_provisioning(0x0, 0x0, &(0x7f0000000140)={0x2, 0xfeffff, @c}, 0x29, 0xffffffffffffffff) syz_80211_inject_frame(&(0x7f0000000300)=@device_b, &(0x7f0000000100)=ANY=[@ANYBLOB="50000000080211000001080211000000080211000000000000000000000000000100010000060202020202020101822d1a00080800000000000000800900e7000b0000000003bb080000030400ff00ff01"], 0x54) r7 = socket$nl_generic(0x10, 0x3, 0x10) r8 = syz_genetlink_get_family_id$nl80211(&(0x7f0000000080), 0xffffffffffffffff) ioctl$sock_SIOCGIFINDEX_80211(r7, 0x8933, &(0x7f00000000c0)={'wlan1\x00', 0x0}) sendmsg$NL80211_CMD_SET_INTERFACE(r7, &(0x7f0000000100)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000180)={0x24, r8, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r9}, @void}}, [@NL80211_ATTR_IFTYPE={0x8, 0x5, 0x2}]}, 0x24}}, 0x0) sendmsg$NL80211_CMD_CONNECT(r7, &(0x7f00000001c0)={0x0, 0x0, &(0x7f0000000200)={&(0x7f0000000240)={0x28, r8, 0x5, 0x0, 0x0, {{}, {@val={0x8, 0x3, r9}, @void}}, [@NL80211_ATTR_SSID={0xa, 0x34, @default_ap_ssid}]}, 0x28}, 0x1, 0x0, 0x0, 0x800}, 0x0) sendmsg$nl_generic(r2, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000002c0)=ANY=[@ANYBLOB="3400000040000701fcffffff00000100017c0000040042800c0001800600060065580000100002800c00038008"], 0x34}, 0x1, 0x0, 0x0, 0x4048011}, 0xc000) syz_usb_connect(0x2, 0x2d, &(0x7f0000000a00)=ANY=[@ANYBLOB="120100000c9768405e0483020b9901e4020109021b000100000000090400fb015c291d000905"], 0x0) r10 = syz_open_dev$audion(&(0x7f0000000000), 0x3, 0x1) write$P9_RVERSION(r10, &(0x7f0000000640)=ANY=[@ANYBLOB='\x00\b\x009P2000.L'], 0x5ce) write$sequencer(r10, &(0x7f0000000040)=[@e={0xff, 0xc, 0xd, 0xb, @SEQ_NOTEON=@special, 0xf7, 0xf0, 0xc}], 0x8) close_range(r1, 0xffffffffffffffff, 0x0) ioctl$VIDIOC_SUBDEV_ENUM_DV_TIMINGS(r0, 0xc0945662, &(0x7f0000000100)={0x1000, 0x0, '\x00', {0x0, @reserved}}) sendmsg$NL80211_CMD_NOTIFY_RADAR(r3, &(0x7f0000000c80)={&(0x7f0000000bc0)={0x10, 0x0, 0x0, 0x4000000}, 0xc, &(0x7f0000000c40)={&(0x7f0000000c00)={0x40, r4, 0x10, 0x70bd27, 0x25dfdbff, {{}, {@val={0x8, 0x3, r5}, @val={0xc, 0x99, {0x7, 0x52}}}}, [@NL80211_ATTR_CENTER_FREQ1={0x8, 0xa0, 0x47}, @NL80211_ATTR_WIPHY_EDMG_CHANNELS={0x5, 0x118, 0x25}, @NL80211_ATTR_CENTER_FREQ2={0x8, 0xa1, 0x7ff}]}, 0x40}, 0x1, 0x0, 0x0, 0x40}, 0x8080) sendmsg$IPCTNL_MSG_TIMEOUT_DELETE(r0, &(0x7f0000000480)={&(0x7f0000000380)={0x10, 0x0, 0x0, 0x2000}, 0xc, &(0x7f0000000440)={&(0x7f00000003c0)={0x7c, 0x2, 0x8, 0x301, 0x0, 0x0, {0x2, 0x0, 0x7}, [@CTA_TIMEOUT_DATA={0x44, 0x4, 0x0, 0x1, @tcp=[@CTA_TIMEOUT_TCP_CLOSE={0x8, 0x8, 0x1, 0x0, 0x16c8072d}, @CTA_TIMEOUT_TCP_CLOSE={0x8, 0x8, 0x1, 0x0, 0x10c}, @CTA_TIMEOUT_TCP_RETRANS={0x8, 0xa, 0x1, 0x0, 0x5}, @CTA_TIMEOUT_TCP_RETRANS={0x8, 0xa, 0x1, 0x0, 0x9}, @CTA_TIMEOUT_TCP_UNACK={0x8, 0xb, 0x1, 0x0, 0x3}, @CTA_TIMEOUT_TCP_RETRANS={0x8, 0xa, 0x1, 0x0, 0xffffffff}, @CTA_TIMEOUT_TCP_TIME_WAIT={0x8, 0x7, 0x1, 0x0, 0x2bbd}, @CTA_TIMEOUT_TCP_ESTABLISHED={0x8, 0x3, 0x1, 0x0, 0x7}]}, @CTA_TIMEOUT_L3PROTO={0x6, 0x2, 0x1, 0x0, 0x60}, @CTA_TIMEOUT_L4PROTO={0x5, 0x3, 0x84}, @CTA_TIMEOUT_L3PROTO={0x6, 0x2, 0x1, 0x0, 0x10}, @CTA_TIMEOUT_NAME={0x9, 0x1, 'syz0\x00'}]}, 0x7c}, 0x1, 0x0, 0x0, 0x80}, 0x804) [ 75.684249][ T5301] Bluetooth: hci0: command tx timeout [ 75.743683][ T5322] loop0: detected capacity change from 0 to 512 [ 75.804210][ T5322] EXT4-fs (loop0): mounted filesystem 00000000-0000-0000-0000-000000000000 r/w without journal. Quota mode: writeback. [ 75.809607][ T5322] ext4 filesystem being mounted at /0/file0 supports timestamps until 2038-01-19 (0x7fffffff) [ 75.824275][ T5322] netlink: 12 bytes leftover after parsing attributes in process `syz.0.0'. [ 75.829769][ T5322] mac80211_hwsim: wmediumd released netlink socket, switching to perfect channel medium [ 76.085015][ T5320] usb 5-1: new full-speed USB device number 2 using dummy_hcd [ 76.236520][ T5320] usb 5-1: config 0 interface 0 altsetting 251 has an endpoint descriptor with address 0xFF, changing to 0x8F [ 76.241675][ T5320] usb 5-1: config 0 interface 0 has no altsetting 0 [ 76.247205][ T5320] usb 5-1: New USB device found, idVendor=045e, idProduct=0283, bcdDevice=99.0b [ 76.251041][ T5320] usb 5-1: New USB device strings: Mfr=1, Product=228, SerialNumber=2 [ 76.254863][ T5320] usb 5-1: Product: syz [ 76.256851][ T5320] usb 5-1: Manufacturer: syz [ 76.258867][ T5320] usb 5-1: SerialNumber: syz [ 76.272435][ T5320] usb 5-1: config 0 descriptor?? [ 76.285934][ T5320] usb 5-1: selecting invalid altsetting 0 [ 76.400828][ T1313] ieee802154 phy0 wpan0: encryption failed: -22 [ 76.409879][ T1313] ieee802154 phy1 wpan1: encryption failed: -22 [ 76.484960][ T5322] ================================================================== [ 76.488472][ T5322] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460 [ 76.491658][ T5322] Write of size 264 at addr ffff888011a9d700 by task syz.0.0/5322 [ 76.494864][ T5322] [ 76.495860][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.495875][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.495883][ T5322] Call Trace: [ 76.495892][ T5322] [ 76.495897][ T5322] dump_stack_lvl+0x189/0x250 [ 76.495918][ T5322] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.495935][ T5322] ? rcu_is_watching+0x15/0xb0 [ 76.495949][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.495963][ T5322] ? rcu_is_watching+0x15/0xb0 [ 76.495972][ T5322] ? lock_release+0x4b/0x3e0 [ 76.495977][ T5322] ? _raw_spin_lock_irqsave+0xb3/0xf0 [ 76.495986][ T5322] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.495994][ T5322] ? __virt_addr_valid+0x4a5/0x5c0 [ 76.496003][ T5322] print_report+0xca/0x240 [ 76.496011][ T5322] ? copy_to_urb+0x261/0x460 [ 76.496017][ T5322] kasan_report+0x118/0x150 [ 76.496029][ T5322] ? copy_to_urb+0x261/0x460 [ 76.496036][ T5322] kasan_check_range+0x2b0/0x2c0 [ 76.496047][ T5322] ? copy_to_urb+0x261/0x460 [ 76.496052][ T5322] __asan_memcpy+0x40/0x70 [ 76.496060][ T5322] copy_to_urb+0x261/0x460 [ 76.496068][ T5322] prepare_playback_urb+0x953/0x13d0 [ 76.496086][ T5322] ? __pfx_prepare_playback_urb+0x10/0x10 [ 76.496100][ T5322] ? is_bpf_text_address+0x26/0x2b0 [ 76.496111][ T5322] ? rcu_is_watching+0x15/0xb0 [ 76.496120][ T5322] ? __kasan_check_byte+0x12/0x40 [ 76.496133][ T5322] ? __bfs+0x154/0x2a0 [ 76.496142][ T5322] ? __pfx_hlock_conflict+0x10/0x10 [ 76.496155][ T5322] ? __pfx_prepare_playback_urb+0x10/0x10 [ 76.496169][ T5322] prepare_outbound_urb+0x377/0xc50 [ 76.496179][ T5322] ? check_path+0x21/0x40 [ 76.496189][ T5322] ? _copy_from_iter+0xc3d/0x1790 [ 76.496246][ T5322] ? __asan_memcpy+0x40/0x70 [ 76.496259][ T5322] ? __pfx_prepare_outbound_urb+0x10/0x10 [ 76.496271][ T5322] ? snd_usb_endpoint_start_quirk+0x1f7/0x320 [ 76.496285][ T5322] snd_usb_endpoint_start+0x4d8/0x14a0 [ 76.496300][ T5322] ? __pfx_snd_usb_endpoint_start+0x10/0x10 [ 76.496312][ T5322] ? do_raw_spin_lock+0x121/0x290 [ 76.496328][ T5322] start_endpoints+0xa1/0x280 [ 76.496341][ T5322] ? snd_usb_substream_playback_trigger+0x3ce/0x7a0 [ 76.496356][ T5322] snd_usb_substream_playback_trigger+0x3e0/0x7a0 [ 76.496372][ T5322] snd_pcm_do_start+0xb7/0x180 [ 76.496385][ T5322] snd_pcm_action+0xe7/0x240 [ 76.496396][ T5322] __snd_pcm_lib_xfer+0x1762/0x1ce0 [ 76.496411][ T5322] ? __pfx_interleaved_copy+0x10/0x10 [ 76.496423][ T5322] ? __pfx_default_write_copy+0x10/0x10 [ 76.496438][ T5322] ? __pfx___snd_pcm_lib_xfer+0x10/0x10 [ 76.496454][ T5322] snd_pcm_oss_write3+0x1bc/0x320 [ 76.496468][ T5322] snd_pcm_plug_write_transfer+0x2cb/0x4c0 [ 76.496484][ T5322] ? __pfx_snd_pcm_plug_write_transfer+0x10/0x10 [ 76.496499][ T5322] ? snd_pcm_plug_client_channels_buf+0x490/0x640 [ 76.496510][ T5322] snd_pcm_oss_write+0xb9c/0x1190 [ 76.496519][ T5322] ? __pfx_snd_pcm_oss_write+0x10/0x10 [ 76.496527][ T5322] ? bpf_lsm_file_permission+0x9/0x20 [ 76.496532][ T5322] ? security_file_permission+0x75/0x290 [ 76.496539][ T5322] ? rw_verify_area+0x255/0x4d0 [ 76.496546][ T5322] ? __lock_acquire+0xab9/0xd20 [ 76.496552][ T5322] ? __pfx_snd_pcm_oss_write+0x10/0x10 [ 76.496559][ T5322] vfs_write+0x27e/0xb30 [ 76.496567][ T5322] ? __pfx_vfs_write+0x10/0x10 [ 76.496575][ T5322] ? __fget_files+0x2a/0x420 [ 76.496584][ T5322] ? __fget_files+0x2a/0x420 [ 76.496591][ T5322] ? __fget_files+0x3a0/0x420 [ 76.496599][ T5322] ? __fget_files+0x2a/0x420 [ 76.496609][ T5322] ksys_write+0x145/0x250 [ 76.496616][ T5322] ? __pfx_ksys_write+0x10/0x10 [ 76.496624][ T5322] ? do_syscall_64+0xbe/0xfa0 [ 76.496638][ T5322] do_syscall_64+0xfa/0xfa0 [ 76.496661][ T5322] ? lockdep_hardirqs_on+0x9c/0x150 [ 76.496681][ T5322] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.496691][ T5322] ? clear_bhb_loop+0x60/0xb0 [ 76.496706][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.496717][ T5322] RIP: 0033:0x7f858fb8f749 [ 76.496765][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 76.496777][ T5322] RSP: 002b:00007f8590a32038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 76.496791][ T5322] RAX: ffffffffffffffda RBX: 00007f858fde5fa0 RCX: 00007f858fb8f749 [ 76.496800][ T5322] RDX: 00000000000005ce RSI: 0000200000000640 RDI: 000000000000000b [ 76.496808][ T5322] RBP: 00007f858fc13f91 R08: 0000000000000000 R09: 0000000000000000 [ 76.496815][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 76.496821][ T5322] R13: 00007f858fde6038 R14: 00007f858fde5fa0 R15: 00007fff50686ad8 [ 76.496836][ T5322] [ 76.496839][ T5322] [ 76.684479][ T5322] Allocated by task 5322: [ 76.686255][ T5322] kasan_save_track+0x3e/0x80 [ 76.688187][ T5322] __kasan_kmalloc+0x93/0xb0 [ 76.690079][ T5322] __kmalloc_noprof+0x411/0x7f0 [ 76.692129][ T5322] snd_usb_endpoint_set_params+0x1749/0x2e70 [ 76.694734][ T5322] snd_usb_hw_params+0xb12/0x1280 [ 76.696905][ T5322] snd_pcm_hw_params+0x89d/0x1d30 [ 76.699196][ T5322] snd_pcm_oss_change_params_locked+0x21cb/0x3e40 [ 76.701979][ T5322] snd_pcm_oss_write+0x2fb/0x1190 [ 76.704195][ T5322] vfs_write+0x27e/0xb30 [ 76.706169][ T5322] ksys_write+0x145/0x250 [ 76.708102][ T5322] do_syscall_64+0xfa/0xfa0 [ 76.710175][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.712655][ T5322] [ 76.713686][ T5322] The buggy address belongs to the object at ffff888011a9d700 [ 76.713686][ T5322] which belongs to the cache kmalloc-192 of size 192 [ 76.719528][ T5322] The buggy address is located 0 bytes inside of [ 76.719528][ T5322] allocated 192-byte region [ffff888011a9d700, ffff888011a9d7c0) [ 76.726647][ T5322] [ 76.727931][ T5322] The buggy address belongs to the physical page: [ 76.730861][ T5322] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11a9d [ 76.734797][ T5322] flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) [ 76.738377][ T5322] page_type: f5(slab) [ 76.740576][ T5322] raw: 00fff00000000000 ffff88801a0413c0 dead000000000122 0000000000000000 [ 76.745121][ T5322] raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000 [ 76.749730][ T5322] page dumped because: kasan: bad access detected [ 76.753036][ T5322] page_owner tracks the page as allocated [ 76.755999][ T5322] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x252800(GFP_NOWAIT|__GFP_NORETRY|__GFP_COMP|__GFP_THISNODE), pid 5299, tgid 5299 (udevd), ts 76275791634, free_ts 75853862659 [ 76.765269][ T5322] post_alloc_hook+0x234/0x290 [ 76.767251][ T5322] get_page_from_freelist+0x2365/0x2440 [ 76.769577][ T5322] __alloc_pages_slowpath+0x30b/0xcf0 [ 76.771955][ T5322] __alloc_frozen_pages_noprof+0x319/0x370 [ 76.774393][ T5322] allocate_slab+0x71/0x350 [ 76.776224][ T5322] ___slab_alloc+0xf56/0x1990 [ 76.778074][ T5322] __slab_alloc+0x65/0x100 [ 76.779811][ T5322] __kmalloc_node_noprof+0x5cc/0x800 [ 76.781742][ T5322] alloc_slab_obj_exts+0x3e/0x100 [ 76.783898][ T5322] allocate_slab+0x152/0x350 [ 76.785608][ T5322] ___slab_alloc+0xf56/0x1990 [ 76.787336][ T5322] __slab_alloc+0x65/0x100 [ 76.789022][ T5322] kmem_cache_alloc_lru_noprof+0x3ef/0x6d0 [ 76.791162][ T5322] __d_alloc+0x36/0x7a0 [ 76.792699][ T5322] d_alloc_parallel+0xe1/0x1610 [ 76.794467][ T5322] path_openat+0xa3b/0x3830 [ 76.796120][ T5322] page last free pid 4720 tgid 4720 stack trace: [ 76.798516][ T5322] __free_frozen_pages+0xbc4/0xd30 [ 76.800548][ T5322] __slab_free+0x2e7/0x390 [ 76.802292][ T5322] qlist_free_all+0x97/0x140 [ 76.803804][ T5322] kasan_quarantine_reduce+0x148/0x160 [ 76.805567][ T5322] __kasan_slab_alloc+0x22/0x80 [ 76.807153][ T5322] __kmalloc_cache_noprof+0x36f/0x6f0 [ 76.809145][ T5322] kernfs_fop_open+0x397/0xca0 [ 76.811055][ T5322] do_dentry_open+0x953/0x13f0 [ 76.812897][ T5322] vfs_open+0x3b/0x340 [ 76.814219][ T5322] path_openat+0x2ee5/0x3830 [ 76.815782][ T5322] do_filp_open+0x1fa/0x410 [ 76.817775][ T5322] do_sys_openat2+0x121/0x1c0 [ 76.819768][ T5322] __x64_sys_openat+0x138/0x170 [ 76.821752][ T5322] do_syscall_64+0xfa/0xfa0 [ 76.823410][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.825789][ T5322] [ 76.826797][ T5322] Memory state around the buggy address: [ 76.829140][ T5322] ffff888011a9d680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc [ 76.832228][ T5322] ffff888011a9d700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 76.835634][ T5322] >ffff888011a9d780: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 76.839109][ T5322] ^ [ 76.841723][ T5322] ffff888011a9d800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 76.844959][ T5322] ffff888011a9d880: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc [ 76.848275][ T5322] ================================================================== [ 76.851580][ T5322] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.855021][ T5322] CPU: 0 UID: 0 PID: 5322 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 76.859154][ T5322] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.863648][ T5322] Call Trace: [ 76.865169][ T5322] [ 76.866512][ T5322] dump_stack_lvl+0x99/0x250 [ 76.868710][ T5322] ? __asan_memcpy+0x40/0x70 [ 76.871281][ T5322] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.873649][ T5322] ? __pfx__printk+0x10/0x10 [ 76.875712][ T5322] vpanic+0x237/0x6d0 [ 76.877508][ T5322] ? __pfx_vpanic+0x10/0x10 [ 76.879493][ T5322] panic+0xb9/0xc0 [ 76.881232][ T5322] ? __pfx_panic+0x10/0x10 [ 76.883141][ T5322] ? _raw_spin_unlock_irqrestore+0xad/0x110 [ 76.885664][ T5322] ? is_module_address+0x17/0xf0 [ 76.887838][ T5322] ? copy_to_urb+0x261/0x460 [ 76.889749][ T5322] check_panic_on_warn+0x89/0xb0 [ 76.891847][ T5322] ? copy_to_urb+0x261/0x460 [ 76.893767][ T5322] end_report+0x78/0x160 [ 76.895600][ T5322] kasan_report+0x129/0x150 [ 76.897511][ T5322] ? copy_to_urb+0x261/0x460 [ 76.899452][ T5322] kasan_check_range+0x2b0/0x2c0 [ 76.901538][ T5322] ? copy_to_urb+0x261/0x460 [ 76.903543][ T5322] __asan_memcpy+0x40/0x70 [ 76.905464][ T5322] copy_to_urb+0x261/0x460 [ 76.907083][ T5322] prepare_playback_urb+0x953/0x13d0 [ 76.909303][ T5322] ? __pfx_prepare_playback_urb+0x10/0x10 [ 76.911618][ T5322] ? is_bpf_text_address+0x26/0x2b0 [ 76.913655][ T5322] ? rcu_is_watching+0x15/0xb0 [ 76.915320][ T5322] ? __kasan_check_byte+0x12/0x40 [ 76.917119][ T5322] ? __bfs+0x154/0x2a0 [ 76.918663][ T5322] ? __pfx_hlock_conflict+0x10/0x10 [ 76.920564][ T5322] ? __pfx_prepare_playback_urb+0x10/0x10 [ 76.922974][ T5322] prepare_outbound_urb+0x377/0xc50 [ 76.924966][ T5322] ? check_path+0x21/0x40 [ 76.926587][ T5322] ? _copy_from_iter+0xc3d/0x1790 [ 76.928671][ T5322] ? __asan_memcpy+0x40/0x70 [ 76.930813][ T5322] ? __pfx_prepare_outbound_urb+0x10/0x10 [ 76.933217][ T5322] ? snd_usb_endpoint_start_quirk+0x1f7/0x320 [ 76.935625][ T5322] snd_usb_endpoint_start+0x4d8/0x14a0 [ 76.937886][ T5322] ? __pfx_snd_usb_endpoint_start+0x10/0x10 [ 76.940770][ T5322] ? do_raw_spin_lock+0x121/0x290 [ 76.942974][ T5322] start_endpoints+0xa1/0x280 [ 76.945042][ T5322] ? snd_usb_substream_playback_trigger+0x3ce/0x7a0 [ 76.947708][ T5322] snd_usb_substream_playback_trigger+0x3e0/0x7a0 [ 76.950178][ T5322] snd_pcm_do_start+0xb7/0x180 [ 76.952050][ T5322] snd_pcm_action+0xe7/0x240 [ 76.954083][ T5322] __snd_pcm_lib_xfer+0x1762/0x1ce0 [ 76.956384][ T5322] ? __pfx_interleaved_copy+0x10/0x10 [ 76.958706][ T5322] ? __pfx_default_write_copy+0x10/0x10 [ 76.961644][ T5322] ? __pfx___snd_pcm_lib_xfer+0x10/0x10 [ 76.963891][ T5322] snd_pcm_oss_write3+0x1bc/0x320 [ 76.966023][ T5322] snd_pcm_plug_write_transfer+0x2cb/0x4c0 [ 76.968619][ T5322] ? __pfx_snd_pcm_plug_write_transfer+0x10/0x10 [ 76.971253][ T5322] ? snd_pcm_plug_client_channels_buf+0x490/0x640 [ 76.973944][ T5322] snd_pcm_oss_write+0xb9c/0x1190 [ 76.976075][ T5322] ? __pfx_snd_pcm_oss_write+0x10/0x10 [ 76.978351][ T5322] ? bpf_lsm_file_permission+0x9/0x20 [ 76.980875][ T5322] ? security_file_permission+0x75/0x290 [ 76.983259][ T5322] ? rw_verify_area+0x255/0x4d0 [ 76.985513][ T5322] ? __lock_acquire+0xab9/0xd20 [ 76.987627][ T5322] ? __pfx_snd_pcm_oss_write+0x10/0x10 [ 76.990020][ T5322] vfs_write+0x27e/0xb30 [ 76.991756][ T5322] ? __pfx_vfs_write+0x10/0x10 [ 76.993796][ T5322] ? __fget_files+0x2a/0x420 [ 76.995612][ T5322] ? __fget_files+0x2a/0x420 [ 76.997666][ T5322] ? __fget_files+0x3a0/0x420 [ 76.999796][ T5322] ? __fget_files+0x2a/0x420 [ 77.001935][ T5322] ksys_write+0x145/0x250 [ 77.003830][ T5322] ? __pfx_ksys_write+0x10/0x10 [ 77.006015][ T5322] ? do_syscall_64+0xbe/0xfa0 [ 77.008056][ T5322] do_syscall_64+0xfa/0xfa0 [ 77.009959][ T5322] ? lockdep_hardirqs_on+0x9c/0x150 [ 77.012233][ T5322] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.014879][ T5322] ? clear_bhb_loop+0x60/0xb0 [ 77.016909][ T5322] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 77.019404][ T5322] RIP: 0033:0x7f858fb8f749 [ 77.021269][ T5322] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 [ 77.029189][ T5322] RSP: 002b:00007f8590a32038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 77.032640][ T5322] RAX: ffffffffffffffda RBX: 00007f858fde5fa0 RCX: 00007f858fb8f749 [ 77.035912][ T5322] RDX: 00000000000005ce RSI: 0000200000000640 RDI: 000000000000000b [ 77.039465][ T5322] RBP: 00007f858fc13f91 R08: 0000000000000000 R09: 0000000000000000 [ 77.042718][ T5322] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 77.046064][ T5322] R13: 00007f858fde6038 R14: 00007f858fde5fa0 R15: 00007fff50686ad8 [ 77.049343][ T5322] [ 77.050950][ T5322] Kernel Offset: disabled [ 77.052753][ T5322] Rebooting in 86400 seconds..