program:
r0 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r0, &(0x7f00000000c0)={0x0, 0xffffff9e, &(0x7f0000000000)={&(0x7f00000009c0)={{0x14}, [@NFT_MSG_NEWTABLE={0x20, 0x0, 0xa, 0x101, 0x0, 0x0, {0x1}, [@NFTA_TABLE_NAME={0x9, 0x1, 'syz0\x00'}]}, @NFT_MSG_NEWSET={0x3c, 0x9, 0xa, 0x401, 0x0, 0x18000000, {0x1}, [@NFTA_SET_ID={0x8}, @NFTA_SET_NAME={0x9, 0x2, 'syz2\x00'}, @NFTA_SET_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_KEY_LEN={0x8, 0x5, 0x1, 0x0, 0x8}]}, @NFT_MSG_NEWSETELEM={0x74, 0xc, 0xa, 0x301, 0x0, 0x0, {0x1}, [@NFTA_SET_ELEM_LIST_SET_ID={0x8}, @NFTA_SET_ELEM_LIST_TABLE={0x9, 0x1, 'syz0\x00'}, @NFTA_SET_ELEM_LIST_ELEMENTS={0x38, 0x3, 0x0, 0x1, [{0x34, 0x0, 0x0, 0x1, [@NFTA_SET_ELEM_KEY={0x4}, @NFTA_SET_ELEM_EXPRESSIONS={0x4, 0x6, 0x0, 0x1, [{0x28, 0x7, 0x0, 0x1, @counter={{0xc}, @val={0x4}}}, {0x14, 0x1, 0x0, 0x1, @counter={{0xc}, @val={0x480}}}]}]}]}]}], {0x14, 0x10}}, 0xe4}}, 0x0)
syz_usb_connect(0x3, 0x2d, &(0x7f0000000100)=ANY=[@ANYBLOB="120100000c9768405e0483020b9901e4020109021b000100000000090400fb015c291d00090509", @ANYRES8=0x0, @ANYRES16=r0, @ANYRESOCT=r0, @ANYRESDEC=r0, @ANYRES16, @ANYRES32=r0], 0x0)
r1 = syz_open_dev$audion(&(0x7f0000000040), 0x7b, 0x801)
write$P9_RVERSION(r1, &(0x7f0000000000)=ANY=[@ANYBLOB="1500000065ffdd85421b955c4e7eb0627038896e0000000008003950323030302e4c"], 0x5ce) (async)
write$P9_RVERSION(r1, &(0x7f0000000000)=ANY=[@ANYBLOB="1500000065ffdd85421b955c4e7eb0627038896e0000000008003950323030302e4c"], 0x5ce)

[   75.907120][ T5299] Bluetooth: hci0: command tx timeout
[   76.320540][ T1313] ieee802154 phy0 wpan0: encryption failed: -22
[   76.323585][ T1313] ieee802154 phy1 wpan1: encryption failed: -22
[   76.435747][ T5313] usb 5-1: new high-speed USB device number 2 using dummy_hcd
[   76.598404][ T5313] usb 5-1: config 0 interface 0 has no altsetting 0
[   76.604786][ T5313] usb 5-1: New USB device found, idVendor=045e, idProduct=0283, bcdDevice=99.0b
[   76.609624][ T5313] usb 5-1: New USB device strings: Mfr=1, Product=228, SerialNumber=2
[   76.614012][ T5313] usb 5-1: Product: syz
[   76.616734][ T5313] usb 5-1: Manufacturer: syz
[   76.618745][ T5313] usb 5-1: SerialNumber: syz
[   76.631804][ T5313] usb 5-1: config 0 descriptor??
[   76.653261][ T5313] usb 5-1: selecting invalid altsetting 0
[   76.844950][ T5321] ==================================================================
[   76.848350][ T5321] BUG: KASAN: slab-out-of-bounds in copy_to_urb+0x261/0x460
[   76.851710][ T5321] Write of size 192 at addr ffff88803687e900 by task syz.0.0/5321
[   76.854960][ T5321] 
[   76.856009][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   76.856086][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   76.856093][ T5321] Call Trace:
[   76.856101][ T5321]  <TASK>
[   76.856107][ T5321]  dump_stack_lvl+0x189/0x250
[   76.856128][ T5321]  ? __virt_addr_valid+0x1c8/0x5c0
[   76.856144][ T5321]  ? rcu_is_watching+0x15/0xb0
[   76.856157][ T5321]  ? __pfx_dump_stack_lvl+0x10/0x10
[   76.856170][ T5321]  ? rcu_is_watching+0x15/0xb0
[   76.856181][ T5321]  ? lock_release+0x4b/0x3e0
[   76.856192][ T5321]  ? _raw_spin_lock_irqsave+0xb3/0xf0
[   76.856206][ T5321]  ? __virt_addr_valid+0x1c8/0x5c0
[   76.856219][ T5321]  ? __virt_addr_valid+0x4a5/0x5c0
[   76.856233][ T5321]  print_report+0xca/0x240
[   76.856246][ T5321]  ? copy_to_urb+0x261/0x460
[   76.856261][ T5321]  kasan_report+0x118/0x150
[   76.856276][ T5321]  ? copy_to_urb+0x261/0x460
[   76.856292][ T5321]  kasan_check_range+0x2b0/0x2c0
[   76.856306][ T5321]  ? copy_to_urb+0x261/0x460
[   76.856334][ T5321]  __asan_memcpy+0x40/0x70
[   76.856345][ T5321]  copy_to_urb+0x261/0x460
[   76.856367][ T5321]  prepare_playback_urb+0x953/0x13d0
[   76.856394][ T5321]  ? __pfx_prepare_playback_urb+0x10/0x10
[   76.856408][ T5321]  ? is_bpf_text_address+0x26/0x2b0
[   76.856419][ T5321]  ? rcu_is_watching+0x15/0xb0
[   76.856429][ T5321]  ? __kasan_check_byte+0x12/0x40
[   76.856443][ T5321]  ? __bfs+0x154/0x2a0
[   76.856453][ T5321]  ? __pfx_hlock_conflict+0x10/0x10
[   76.856465][ T5321]  ? __pfx_prepare_playback_urb+0x10/0x10
[   76.856480][ T5321]  prepare_outbound_urb+0x377/0xc50
[   76.856492][ T5321]  ? check_path+0x21/0x40
[   76.856504][ T5321]  ? _copy_from_iter+0xc3d/0x1790
[   76.856621][ T5321]  ? __asan_memcpy+0x40/0x70
[   76.856637][ T5321]  ? __pfx_prepare_outbound_urb+0x10/0x10
[   76.856650][ T5321]  ? snd_usb_endpoint_start_quirk+0x1f7/0x320
[   76.856672][ T5321]  snd_usb_endpoint_start+0x4d8/0x14a0
[   76.856687][ T5321]  ? __pfx_snd_usb_endpoint_start+0x10/0x10
[   76.856699][ T5321]  ? do_raw_spin_lock+0x121/0x290
[   76.856715][ T5321]  start_endpoints+0xa1/0x280
[   76.856730][ T5321]  ? snd_usb_substream_playback_trigger+0x3ce/0x7a0
[   76.856747][ T5321]  snd_usb_substream_playback_trigger+0x3e0/0x7a0
[   76.856764][ T5321]  snd_pcm_do_start+0xb7/0x180
[   76.856779][ T5321]  snd_pcm_action+0xe7/0x240
[   76.856794][ T5321]  __snd_pcm_lib_xfer+0x1762/0x1ce0
[   76.856810][ T5321]  ? __pfx_interleaved_copy+0x10/0x10
[   76.856824][ T5321]  ? __pfx_default_write_copy+0x10/0x10
[   76.856839][ T5321]  ? __pfx___snd_pcm_lib_xfer+0x10/0x10
[   76.856854][ T5321]  snd_pcm_oss_write3+0x1bc/0x320
[   76.856873][ T5321]  snd_pcm_plug_write_transfer+0x2cb/0x4c0
[   76.856895][ T5321]  ? __pfx_snd_pcm_plug_write_transfer+0x10/0x10
[   76.856913][ T5321]  ? snd_pcm_plug_client_channels_buf+0x490/0x640
[   76.856933][ T5321]  snd_pcm_oss_write+0xb9c/0x1190
[   76.856950][ T5321]  ? __pfx_snd_pcm_oss_write+0x10/0x10
[   76.856962][ T5321]  ? bpf_lsm_file_permission+0x9/0x20
[   76.856972][ T5321]  ? security_file_permission+0x75/0x290
[   76.856983][ T5321]  ? rw_verify_area+0x255/0x4d0
[   76.856999][ T5321]  ? __lock_acquire+0xab9/0xd20
[   76.857008][ T5321]  ? __pfx_snd_pcm_oss_write+0x10/0x10
[   76.857024][ T5321]  vfs_write+0x27e/0xb30
[   76.857039][ T5321]  ? __pfx_vfs_write+0x10/0x10
[   76.857052][ T5321]  ? __fget_files+0x2a/0x420
[   76.857070][ T5321]  ? __fget_files+0x2a/0x420
[   76.857082][ T5321]  ? __fget_files+0x3a0/0x420
[   76.857095][ T5321]  ? __fget_files+0x2a/0x420
[   76.857111][ T5321]  ksys_write+0x145/0x250
[   76.857124][ T5321]  ? __pfx_ksys_write+0x10/0x10
[   76.857136][ T5321]  ? do_syscall_64+0xbe/0xfa0
[   76.857151][ T5321]  do_syscall_64+0xfa/0xfa0
[   76.857163][ T5321]  ? lockdep_hardirqs_on+0x9c/0x150
[   76.857177][ T5321]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.857188][ T5321]  ? clear_bhb_loop+0x60/0xb0
[   76.857201][ T5321]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   76.857212][ T5321] RIP: 0033:0x7f510898f6c9
[   76.857223][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   76.857232][ T5321] RSP: 002b:00007f51098d3038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   76.857246][ T5321] RAX: ffffffffffffffda RBX: 00007f5108be6090 RCX: 00007f510898f6c9
[   76.857254][ T5321] RDX: 00000000000005ce RSI: 0000200000000000 RDI: 0000000000000005
[   76.857261][ T5321] RBP: 00007f5108a11f91 R08: 0000000000000000 R09: 0000000000000000
[   76.857267][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   76.857273][ T5321] R13: 00007f5108be6128 R14: 00007f5108be6090 R15: 00007fff9b5e8a68
[   76.857284][ T5321]  </TASK>
[   76.857289][ T5321] 
[   77.053598][ T5321] Allocated by task 5321:
[   77.055379][ T5321]  kasan_save_track+0x3e/0x80
[   77.057306][ T5321]  __kasan_kmalloc+0x93/0xb0
[   77.059257][ T5321]  __kmalloc_noprof+0x411/0x7f0
[   77.061291][ T5321]  snd_usb_endpoint_set_params+0x1610/0x29a0
[   77.063812][ T5321]  snd_usb_hw_params+0xb12/0x1280
[   77.065914][ T5321]  snd_pcm_hw_params+0x89d/0x1d30
[   77.068048][ T5321]  snd_pcm_oss_change_params_locked+0x21cb/0x3e40
[   77.070822][ T5321]  snd_pcm_oss_write+0x2fb/0x1190
[   77.073131][ T5321]  vfs_write+0x27e/0xb30
[   77.075245][ T5321]  ksys_write+0x145/0x250
[   77.077585][ T5321]  do_syscall_64+0xfa/0xfa0
[   77.079784][ T5321]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.082551][ T5321] 
[   77.083519][ T5321] The buggy address belongs to the object at ffff88803687e900
[   77.083519][ T5321]  which belongs to the cache kmalloc-192 of size 192
[   77.089015][ T5321] The buggy address is located 0 bytes inside of
[   77.089015][ T5321]  allocated 144-byte region [ffff88803687e900, ffff88803687e990)
[   77.094685][ T5321] 
[   77.095655][ T5321] The buggy address belongs to the physical page:
[   77.098125][ T5321] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x3687e
[   77.101781][ T5321] anon flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   77.104947][ T5321] page_type: f5(slab)
[   77.106776][ T5321] raw: 04fff00000000000 ffff88801a0413c0 0000000000000000 dead000000000001
[   77.110873][ T5321] raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
[   77.115233][ T5321] page dumped because: kasan: bad access detected
[   77.117950][ T5321] page_owner tracks the page as allocated
[   77.120471][ T5321] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 16818658796, free_ts 0
[   77.127768][ T5321]  post_alloc_hook+0x240/0x2a0
[   77.130050][ T5321]  get_page_from_freelist+0x2365/0x2440
[   77.133180][ T5321]  __alloc_frozen_pages_noprof+0x181/0x370
[   77.136213][ T5321]  alloc_pages_mpol+0x232/0x4a0
[   77.138541][ T5321]  allocate_slab+0x96/0x350
[   77.140477][ T5321]  ___slab_alloc+0xe94/0x18a0
[   77.142499][ T5321]  __slab_alloc+0x65/0x100
[   77.144326][ T5321]  __kmalloc_noprof+0x471/0x7f0
[   77.146371][ T5321]  usb_alloc_urb+0x46/0x150
[   77.148279][ T5321]  usb_control_msg+0x118/0x3e0
[   77.150316][ T5321]  usb_get_status+0xe7/0x2a0
[   77.152250][ T5321]  hub_probe+0x1e37/0x37f0
[   77.154165][ T5321]  usb_probe_interface+0x668/0xc30
[   77.156287][ T5321]  really_probe+0x26d/0x9e0
[   77.158323][ T5321]  __driver_probe_device+0x18c/0x2f0
[   77.160573][ T5321]  driver_probe_device+0x4f/0x430
[   77.162740][ T5321] page_owner free stack trace missing
[   77.165026][ T5321] 
[   77.166090][ T5321] Memory state around the buggy address:
[   77.168426][ T5321]  ffff88803687e880: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.171818][ T5321]  ffff88803687e900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   77.175177][ T5321] >ffff88803687e980: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.178806][ T5321]                          ^
[   77.181288][ T5321]  ffff88803687ea00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   77.184923][ T5321]  ffff88803687ea80: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   77.188274][ T5321] ==================================================================
[   77.191678][ T5321] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   77.194668][ T5321] CPU: 0 UID: 0 PID: 5321 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   77.198489][ T5321] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[   77.203097][ T5321] Call Trace:
[   77.204482][ T5321]  <TASK>
[   77.205764][ T5321]  dump_stack_lvl+0x99/0x250
[   77.207685][ T5321]  ? __asan_memcpy+0x40/0x70
[   77.209626][ T5321]  ? __pfx_dump_stack_lvl+0x10/0x10
[   77.211977][ T5321]  ? __pfx__printk+0x10/0x10
[   77.213969][ T5321]  vpanic+0x237/0x6d0
[   77.215817][ T5321]  ? __pfx_vpanic+0x10/0x10
[   77.217869][ T5321]  panic+0xb9/0xc0
[   77.219566][ T5321]  ? __pfx_panic+0x10/0x10
[   77.221749][ T5321]  ? _raw_spin_unlock_irqrestore+0xad/0x110
[   77.224464][ T5321]  ? is_module_address+0x17/0xf0
[   77.226584][ T5321]  ? copy_to_urb+0x261/0x460
[   77.228627][ T5321]  check_panic_on_warn+0x89/0xb0
[   77.230890][ T5321]  ? copy_to_urb+0x261/0x460
[   77.233126][ T5321]  end_report+0x78/0x160
[   77.235201][ T5321]  kasan_report+0x129/0x150
[   77.237608][ T5321]  ? copy_to_urb+0x261/0x460
[   77.239717][ T5321]  kasan_check_range+0x2b0/0x2c0
[   77.242155][ T5321]  ? copy_to_urb+0x261/0x460
[   77.244522][ T5321]  __asan_memcpy+0x40/0x70
[   77.246746][ T5321]  copy_to_urb+0x261/0x460
[   77.249042][ T5321]  prepare_playback_urb+0x953/0x13d0
[   77.251356][ T5321]  ? __pfx_prepare_playback_urb+0x10/0x10
[   77.253907][ T5321]  ? is_bpf_text_address+0x26/0x2b0
[   77.256115][ T5321]  ? rcu_is_watching+0x15/0xb0
[   77.258204][ T5321]  ? __kasan_check_byte+0x12/0x40
[   77.260446][ T5321]  ? __bfs+0x154/0x2a0
[   77.262311][ T5321]  ? __pfx_hlock_conflict+0x10/0x10
[   77.264607][ T5321]  ? __pfx_prepare_playback_urb+0x10/0x10
[   77.267162][ T5321]  prepare_outbound_urb+0x377/0xc50
[   77.269412][ T5321]  ? check_path+0x21/0x40
[   77.271334][ T5321]  ? _copy_from_iter+0xc3d/0x1790
[   77.273948][ T5321]  ? __asan_memcpy+0x40/0x70
[   77.276637][ T5321]  ? __pfx_prepare_outbound_urb+0x10/0x10
[   77.279359][ T5321]  ? snd_usb_endpoint_start_quirk+0x1f7/0x320
[   77.282098][ T5321]  snd_usb_endpoint_start+0x4d8/0x14a0
[   77.284606][ T5321]  ? __pfx_snd_usb_endpoint_start+0x10/0x10
[   77.287482][ T5321]  ? do_raw_spin_lock+0x121/0x290
[   77.289903][ T5321]  start_endpoints+0xa1/0x280
[   77.292024][ T5321]  ? snd_usb_substream_playback_trigger+0x3ce/0x7a0
[   77.294892][ T5321]  snd_usb_substream_playback_trigger+0x3e0/0x7a0
[   77.297687][ T5321]  snd_pcm_do_start+0xb7/0x180
[   77.299803][ T5321]  snd_pcm_action+0xe7/0x240
[   77.301793][ T5321]  __snd_pcm_lib_xfer+0x1762/0x1ce0
[   77.304052][ T5321]  ? __pfx_interleaved_copy+0x10/0x10
[   77.306296][ T5321]  ? __pfx_default_write_copy+0x10/0x10
[   77.308502][ T5321]  ? __pfx___snd_pcm_lib_xfer+0x10/0x10
[   77.310740][ T5321]  snd_pcm_oss_write3+0x1bc/0x320
[   77.312928][ T5321]  snd_pcm_plug_write_transfer+0x2cb/0x4c0
[   77.315699][ T5321]  ? __pfx_snd_pcm_plug_write_transfer+0x10/0x10
[   77.318440][ T5321]  ? snd_pcm_plug_client_channels_buf+0x490/0x640
[   77.321144][ T5321]  snd_pcm_oss_write+0xb9c/0x1190
[   77.323483][ T5321]  ? __pfx_snd_pcm_oss_write+0x10/0x10
[   77.325863][ T5321]  ? bpf_lsm_file_permission+0x9/0x20
[   77.328183][ T5321]  ? security_file_permission+0x75/0x290
[   77.330581][ T5321]  ? rw_verify_area+0x255/0x4d0
[   77.333065][ T5321]  ? __lock_acquire+0xab9/0xd20
[   77.335749][ T5321]  ? __pfx_snd_pcm_oss_write+0x10/0x10
[   77.338158][ T5321]  vfs_write+0x27e/0xb30
[   77.339821][ T5321]  ? __pfx_vfs_write+0x10/0x10
[   77.341719][ T5321]  ? __fget_files+0x2a/0x420
[   77.343619][ T5321]  ? __fget_files+0x2a/0x420
[   77.345545][ T5321]  ? __fget_files+0x3a0/0x420
[   77.347821][ T5321]  ? __fget_files+0x2a/0x420
[   77.350242][ T5321]  ksys_write+0x145/0x250
[   77.352199][ T5321]  ? __pfx_ksys_write+0x10/0x10
[   77.354155][ T5321]  ? do_syscall_64+0xbe/0xfa0
[   77.356243][ T5321]  do_syscall_64+0xfa/0xfa0
[   77.358305][ T5321]  ? lockdep_hardirqs_on+0x9c/0x150
[   77.360552][ T5321]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.363223][ T5321]  ? clear_bhb_loop+0x60/0xb0
[   77.365441][ T5321]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   77.368033][ T5321] RIP: 0033:0x7f510898f6c9
[   77.370008][ T5321] Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
[   77.378311][ T5321] RSP: 002b:00007f51098d3038 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   77.382438][ T5321] RAX: ffffffffffffffda RBX: 00007f5108be6090 RCX: 00007f510898f6c9
[   77.386874][ T5321] RDX: 00000000000005ce RSI: 0000200000000000 RDI: 0000000000000005
[   77.390800][ T5321] RBP: 00007f5108a11f91 R08: 0000000000000000 R09: 0000000000000000
[   77.394227][ T5321] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[   77.397718][ T5321] R13: 00007f5108be6128 R14: 00007f5108be6090 R15: 00007fff9b5e8a68
[   77.401305][ T5321]  </TASK>
[   77.403079][ T5321] Kernel Offset: disabled
[   77.404931][ T5321] Rebooting in 86400 seconds..