[ 246.490308][ T8977] ==================================================================
[ 246.491108][ T8977] BUG: KASAN: out-of-bounds in digitv_ctrl_msg+0x200/0x270
[ 246.491793][ T8977] Read of size 18446744073709551615 at addr ffffc9000238fbd1 by task syz-executor.4/8977
[ 246.492853][ T8977] 
[ 246.493096][ T8977] CPU: 0 PID: 8977 Comm: syz-executor.4 Not tainted 6.0.0-rc4+ #20
[ 246.493829][ T8977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 246.494760][ T8977] Call Trace:
[ 246.495087][ T8977] 
[ 246.495380][ T8977]  dump_stack_lvl+0xcd/0x134
[ 246.495845][ T8977]  ? digitv_ctrl_msg+0x200/0x270
[ 246.496329][ T8977]  print_report.cold+0x18a/0x66d
[ 246.496829][ T8977]  ? digitv_ctrl_msg+0x200/0x270
[ 246.497315][ T8977]  kasan_report+0x8a/0x1b0
[ 246.497766][ T8977]  ? digitv_ctrl_msg+0x200/0x270
[ 246.498285][ T8977]  kasan_check_range+0x13b/0x190
[ 246.500822][ T8977]  memcpy+0x20/0x60
[ 246.505671][ T8977]  digitv_ctrl_msg+0x200/0x270
[ 246.506519][ T8977]  digitv_i2c_xfer+0x241/0x3b0
[ 246.507046][ T8977]  __i2c_transfer+0x4c2/0x16a0
[ 246.507617][ T8977]  i2c_smbus_xfer_emulated+0x1be/0xf00
[ 246.508177][ T8977]  ? i2c_smbus_try_get_dmabuf+0x130/0x130
[ 246.508974][ T8977]  ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 246.509737][ T8977]  ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 246.510486][ T8977]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 246.512132][ T8977]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 246.512725][ T8977]  __i2c_smbus_xfer+0x504/0x10b0
[ 246.513252][ T8977]  i2c_smbus_xfer+0x100/0x380
[ 246.513770][ T8977]  i2cdev_ioctl_smbus+0x496/0x830
[ 246.514310][ T8977]  ? i2cdev_release+0xb0/0xb0
[ 246.514767][ T8977]  i2cdev_ioctl+0x3cc/0x7b0
[ 246.515261][ T8977]  ? i2cdev_ioctl_rdwr.isra.0+0x6a0/0x6a0
[ 246.515810][ T8977]  ? __fget_files+0x26b/0x430
[ 246.516283][ T8977]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 246.516808][ T8977]  ? i2cdev_ioctl_rdwr.isra.0+0x6a0/0x6a0
[ 246.517369][ T8977]  __x64_sys_ioctl+0x193/0x200
[ 246.517838][ T8977]  do_syscall_64+0x35/0x80
[ 246.518364][ T8977]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 246.519015][ T8977] RIP: 0033:0x7fcf784a80fd
[ 246.520981][ T8977] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 246.523100][ T8977] RSP: 002b:00007fcf78bf8bf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 246.523763][ T8977] RAX: ffffffffffffffda RBX: 00007fcf7859c340 RCX: 00007fcf784a80fd
[ 246.524400][ T8977] RDX: 00000000200003c0 RSI: 0000000000000720 RDI: 0000000000000003
[ 246.524996][ T8977] RBP: 00007fcf7850b606 R08: 0000000000000000 R09: 0000000000000000
[ 246.525600][ T8977] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 246.526264][ T8977] R13: 00007ffeabc59d2f R14: 00007ffeabc59ed0 R15: 00007fcf78bf8d80
[ 246.527196][ T8977] 
[ 246.527532][ T8977] 
[ 246.527794][ T8977] The buggy address belongs to stack of task syz-executor.4/8977
[ 246.528559][ T8977]  and is located at offset 177 in frame:
[ 246.529182][ T8977]  i2c_smbus_xfer_emulated+0x0/0xf00
[ 246.529733][ T8977] 
[ 246.529983][ T8977] This frame has 3 objects:
[ 246.530456][ T8977]  [32, 64) 'msg'
[ 246.530475][ T8977]  [96, 130) 'msgbuf1'
[ 246.530852][ T8977]  [176, 211) 'msgbuf0'
[ 246.531133][ T2954] Bluetooth: hci4: command 0x0419 tx timeout
[ 246.531256][ T8977] 
[ 246.531265][ T8977] The buggy address belongs to the virtual mapping at
[ 246.531265][ T8977]  [ffffc90002388000, ffffc90002391000) created by:
[ 246.531265][ T8977]  kernel_clone+0xe7/0x1040
[ 246.533817][ T8977] 
[ 246.534066][ T8977] The buggy address belongs to the physical page:
[ 246.537004][ T8977] page:ffffea000165d400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x59750
[ 246.539164][ T8977] memcg:ffff88801ed70d02
[ 246.539620][ T8977] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 246.540386][ T8977] raw: 04fff00000000000 0000000000000000 dead000000000122 0000000000000000
[ 246.541250][ T8977] raw: 0000000000000000 0000000000000000 00000001ffffffff ffff88801ed70d02
[ 246.542139][ T8977] page dumped because: kasan: bad access detected
[ 246.542797][ T8977] page_owner tracks the page as allocated
[ 246.543385][ T8977] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x102dc2(GFP_HIGHUSER|__GFP_NOWARN|__GFP_ZERO), pid 62, tgid 62 (kworker/u6:2), ts 245371815797, free_ts 242367217728
[ 246.545707][ T8977]  prep_new_page+0x2c6/0x350
[ 246.546295][ T8977]  get_page_from_freelist+0xae9/0x3a80
[ 246.546881][ T8977]  __alloc_pages+0x321/0x710
[ 246.547378][ T8977]  alloc_pages+0x117/0x2f0
[ 246.547856][ T8977]  __vmalloc_node_range+0xb2c/0x1320
[ 246.548417][ T8977]  copy_process+0x4608/0x6f80
[ 246.548998][ T8977]  kernel_clone+0xe7/0x1040
[ 246.549515][ T8977]  user_mode_thread+0xad/0xe0
[ 246.550095][ T8977]  call_usermodehelper_exec_work+0xcc/0x180
[ 246.551982][ T8977]  process_one_work+0x9c7/0x1650
[ 246.552597][ T8977]  worker_thread+0x623/0x1070
[ 246.553181][ T8977]  kthread+0x2e9/0x3a0
[ 246.553652][ T8977]  ret_from_fork+0x1f/0x30
[ 246.554433][ T8977] page last free stack trace:
[ 246.555612][ T8977]  free_pcp_prepare+0x5ab/0xd00
[ 246.556805][ T8977]  free_unref_page+0x19/0x410
[ 246.557729][ T8977]  kasan_depopulate_vmalloc_pte+0x5c/0x70
[ 246.559807][ T8977]  __apply_to_page_range+0x66e/0xf50
[ 246.562692][ T8977]  kasan_release_vmalloc+0xa2/0xb0
[ 246.563513][ T8977]  __purge_vmap_area_lazy+0x880/0x1c10
[ 246.564064][ T8977]  drain_vmap_area_work+0x52/0xe0
[ 246.564574][ T8977]  process_one_work+0x9c7/0x1650
[ 246.565086][ T8977]  worker_thread+0x623/0x1070
[ 246.565582][ T8977]  kthread+0x2e9/0x3a0
[ 246.566008][ T8977]  ret_from_fork+0x1f/0x30
[ 246.566487][ T8977] 
[ 246.566784][ T8977] Memory state around the buggy address:
[ 246.567284][ T8977]  ffffc9000238fa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 246.568064][ T8977]  ffffc9000238fb00: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2
[ 246.569090][ T8977] >ffffc9000238fb80: 00 00 00 00 02 f2 f2 f2 f2 f2 00 00 00 00 03 f3
[ 246.569879][ T8977]                                                  ^
[ 246.570560][ T8977]  ffffc9000238fc00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[ 246.571333][ T8977]  ffffc9000238fc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 246.572104][ T8977] ==================================================================
[ 246.593251][ T8977] Kernel panic - not syncing: panic_on_warn set ...
[ 246.594169][ T8977] CPU: 0 PID: 8977 Comm: syz-executor.4 Not tainted 6.0.0-rc4+ #20
[ 246.595215][ T8977] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 246.596549][ T8977] Call Trace:
[ 246.597012][ T8977] 
[ 246.597440][ T8977]  dump_stack_lvl+0xcd/0x134
[ 246.600065][ T8977]  panic+0x2d7/0x636
[ 246.602328][ T8977]  ? panic_print_sys_info.part.0+0x10b/0x10b
[ 246.603885][ T8977]  ? preempt_schedule_common+0x5e/0xc0
[ 246.604695][ T8977]  ? digitv_ctrl_msg+0x200/0x270
[ 246.605371][ T8977]  ? preempt_schedule_thunk+0x16/0x18
[ 246.606138][ T8977]  ? digitv_ctrl_msg+0x200/0x270
[ 246.606846][ T8977]  end_report.part.0+0x3f/0x7c
[ 246.607482][ T8977]  kasan_report.cold+0x8/0x12
[ 246.608103][ T8977]  ? digitv_ctrl_msg+0x200/0x270
[ 246.608712][ T8977]  kasan_check_range+0x13b/0x190
[ 246.609356][ T8977]  memcpy+0x20/0x60
[ 246.609769][ T8977]  digitv_ctrl_msg+0x200/0x270
[ 246.610326][ T8977]  digitv_i2c_xfer+0x241/0x3b0
[ 246.610846][ T8977]  __i2c_transfer+0x4c2/0x16a0
[ 246.611439][ T8977]  i2c_smbus_xfer_emulated+0x1be/0xf00
[ 246.612022][ T8977]  ? i2c_smbus_try_get_dmabuf+0x130/0x130
[ 246.612626][ T8977]  ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 246.613262][ T8977]  ? _raw_spin_unlock_irqrestore+0x50/0x70
[ 246.615254][ T8977]  ? rcu_read_lock_sched_held+0x9c/0xd0
[ 246.616448][ T8977]  ? rcu_read_lock_bh_held+0xb0/0xb0
[ 246.617241][ T8977]  __i2c_smbus_xfer+0x504/0x10b0
[ 246.618001][ T8977]  i2c_smbus_xfer+0x100/0x380
[ 246.618861][ T8977]  i2cdev_ioctl_smbus+0x496/0x830
[ 246.620869][ T8977]  ? i2cdev_release+0xb0/0xb0
[ 246.621573][ T8977]  i2cdev_ioctl+0x3cc/0x7b0
[ 246.625249][ T8977]  ? i2cdev_ioctl_rdwr.isra.0+0x6a0/0x6a0
[ 246.625939][ T8977]  ? __fget_files+0x26b/0x430
[ 246.626586][ T8977]  ? __sanitizer_cov_trace_pc+0x1a/0x40
[ 246.627247][ T8977]  ? i2cdev_ioctl_rdwr.isra.0+0x6a0/0x6a0
[ 246.627956][ T8977]  __x64_sys_ioctl+0x193/0x200
[ 246.628532][ T8977]  do_syscall_64+0x35/0x80
[ 246.629090][ T8977]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[ 246.629729][ T8977] RIP: 0033:0x7fcf784a80fd
[ 246.630294][ T8977] Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
[ 246.632203][ T8977] RSP: 002b:00007fcf78bf8bf8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 246.633053][ T8977] RAX: ffffffffffffffda RBX: 00007fcf7859c340 RCX: 00007fcf784a80fd
[ 246.633927][ T8977] RDX: 00000000200003c0 RSI: 0000000000000720 RDI: 0000000000000003
[ 246.634850][ T8977] RBP: 00007fcf7850b606 R08: 0000000000000000 R09: 0000000000000000
[ 246.635989][ T8977] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 246.636781][ T8977] R13: 00007ffeabc59d2f R14: 00007ffeabc59ed0 R15: 00007fcf78bf8d80
[ 246.637590][ T8977] 
[ 246.637997][ T8977] Kernel Offset: disabled
[ 246.638600][ T8977] Rebooting in 86400 seconds..
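Reading the report: the access size 18446744073709551615 is (size_t)-1, i.e. a signed length of -1 handed to memcpy() in digitv_ctrl_msg, and offset 177 in the i2c_smbus_xfer_emulated frame is one byte past the start of msgbuf0 [176, 211). Whether that read is really out of bounds, and where it first leaves the object, can be checked against the shadow rows the report prints. The program below is an added example, not code from the report or from the kernel: it embeds the five "Memory state" rows, the access address and size, and the "offset 177" figure copied from the report, and decodes them with the generic KASAN shadow encoding (one shadow byte per 8-byte granule; 00 = fully addressable, 1..7 = that many leading bytes addressable, f1/f2/f3 = stack left/middle/right redzone). Names such as first_poisoned and addressable_run are this example's own.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define KASAN_GRANULE 8          /* one shadow byte covers 8 bytes of memory   */
#define KASAN_STACK_LEFT  0xf1   /* stack redzone markers, as printed by KASAN */
#define KASAN_STACK_MID   0xf2
#define KASAN_STACK_RIGHT 0xf3

/* "Memory state around the buggy address" copied from the report above:
 * five rows of 16 shadow bytes, each row describing 128 bytes of stack. */
#define SHADOW_BASE 0xffffc9000238fa80ULL
static const uint8_t SHADOW[] = {
    /* ffffc9000238fa80 */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    /* ffffc9000238fb00 */
    0x00,0x00,0x00,0x00,0xf1,0xf1,0xf1,0xf1,0x00,0x00,0x00,0x00,0xf2,0xf2,0xf2,0xf2,
    /* ffffc9000238fb80: the row holding the reported address */
    0x00,0x00,0x00,0x00,0x02,0xf2,0xf2,0xf2,0xf2,0xf2,0x00,0x00,0x00,0x00,0x03,0xf3,
    /* ffffc9000238fc00 */
    0xf3,0xf3,0xf3,0xf3,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    /* ffffc9000238fc80 */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};
#define SHADOW_END  (SHADOW_BASE + sizeof(SHADOW) * KASAN_GRANULE)

/* Taken verbatim from the report header and the frame description. */
#define ACCESS_ADDR 0xffffc9000238fbd1ULL
#define ACCESS_SIZE 18446744073709551615ULL        /* == (size_t)-1            */
#define FRAME_START (ACCESS_ADDR - 177)            /* "offset 177 in frame"    */

/* Shadow byte covering addr; only valid for addresses inside the rows above. */
static uint8_t shadow_at(uint64_t addr)
{
    return SHADOW[(addr - SHADOW_BASE) / KASAN_GRANULE];
}

/* Is one byte addressable?  Bytes outside the rows we have are treated as
 * poisoned, so a huge length terminates instead of walking off the table. */
static bool byte_addressable(uint64_t addr)
{
    if (addr < SHADOW_BASE || addr >= SHADOW_END)
        return false;
    uint8_t s = shadow_at(addr);
    if (s == 0)
        return true;                               /* whole granule valid      */
    if (s < KASAN_GRANULE)
        return (addr % KASAN_GRANULE) < s;         /* partial granule          */
    return false;                                  /* redzone or other poison  */
}

/* First non-addressable byte in [addr, addr + size), or 0 if none: the
 * decision kasan_check_range() makes for the memcpy() in the trace. */
static uint64_t first_poisoned(uint64_t addr, size_t size)
{
    for (size_t i = 0; i < size; i++)
        if (!byte_addressable(addr + i))
            return addr + i;
    return 0;
}

/* Length of the addressable run from addr: at the start of a stack object
 * this recovers the object size the shadow encodes. */
static size_t addressable_run(uint64_t addr)
{
    size_t n = 0;
    while (byte_addressable(addr + n))
        n++;
    return n;
}

int main(void)
{
    uint64_t bad = first_poisoned(ACCESS_ADDR, ACCESS_SIZE);
    printf("read of %llu bytes at %#llx: first poisoned byte %#llx, "
           "frame offset %llu, shadow %#04x\n",
           (unsigned long long)ACCESS_SIZE, (unsigned long long)ACCESS_ADDR,
           (unsigned long long)bad, (unsigned long long)(bad - FRAME_START),
           shadow_at(bad));
    /* Object sizes recovered from the shadow, to compare with the frame list. */
    printf("msg:     %zu bytes\n", addressable_run(FRAME_START + 32));
    printf("msgbuf1: %zu bytes\n", addressable_run(FRAME_START + 96));
    printf("msgbuf0: %zu bytes\n", addressable_run(FRAME_START + 176));
    return 0;
}
```

The decoded sizes (32, 34 and 35 bytes) match the frame listing exactly, and the first poisoned byte of the reported read lands at frame offset 211, the end of msgbuf0, in the 03 granule before the f3 right redzone. Running the same decoder with a small, sane length (for example 4 bytes from the same address) reports no poisoned byte, which is the practitioner's check that the bug is in the length, not the base pointer.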
VM DIAGNOSIS: 23:53:22 Registers:
info registers vcpu 0
RAX=000000000000005d RBX=0000000000000000 RCX=0000000000000000 RDX=00000000000003f8
RSI=ffff88801d0c9d40 RDI=ffffffff916c1f40 RBP=ffffffff916c1f00 RSP=ffffc9000238f2f8
R8 =ffffffff84624951 R9 =000000000000001f R10=0000000000000001 R11=ffffed100322e046
R12=0000000000000000 R13=000000000000005d R14=0000000000000000 R15=0000000000000010
RIP=ffffffff8462497b RFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 00007fcf78bf9700 00000000 00000000
GS =0000 ffff88802cc00000 00000000 00000000
LDT=0000 fffffe0000000000 00000000 00000000
TR =0040 fffffe0000003000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000001000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=00007fcf7859d060 CR3=000000002b29f000 CR4=00350ef0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001f80
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=ffffffffffff00000000000000000000 XMM01=23232323232323232323232323232323
XMM02=ffffffffffffffffffffffffffffffff XMM03=00000000000000000000000000000000
XMM04=ffffffffffff00000000000000000000 XMM05=00000000000000000000000000001000
XMM06=0000000000000000000000524f525245 XMM07=00000000000000000000000000000000
XMM08=000000000000000000524f5252450040 XMM09=00000000000000000000000000000000
XMM10=00000000000000000000000000000000 XMM11=00000000000000000000000000000000
XMM12=00000000000000000000000000000000 XMM13=00000000000000000000000000000000
XMM14=00000000000000000000000000000000 XMM15=00000000000000000000000000000000
info registers vcpu 1
RAX=0000000000000000 RBX=0000000000000063 RCX=ffff888019d80000 RDX=0000000000000000
RSI=ffff888019d80000 RDI=0000000000000002 RBP=ffffc9000229f940 RSP=ffffc9000229f818
R8 =ffffffff842156c3 R9 =0000000000000012 R10=0000000000000001 R11=ffffed1009676b1e
R12=ffffffff89d22d21 R13=ffffffff89d22d20 R14=1ffff92000453f08 R15=0000000000000063
RIP=ffffffff817ae7c0 RFL=00000282 [--S----] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 0000000000000000 00000000 00000000
CS =0010 0000000000000000 ffffffff 00a09b00 DPL=0 CS64 [-RA]
SS =0018 0000000000000000 ffffffff 00c09300 DPL=0 DS [-WA]
DS =0000 0000000000000000 00000000 00000000
FS =0000 000000c0004dc490 00000000 00000000
GS =0000 ffff88807ec00000 00000000 00000000
LDT=0000 fffffe0000000000 00000000 00000000
TR =0040 fffffe000004a000 00004087 00008b00 DPL=0 TSS64-busy
GDT=     fffffe0000048000 0000007f
IDT=     fffffe0000000000 00000fff
CR0=80050033 CR2=000000c0024ee000 CR3=000000004b0b3000 CR4=00350ee0
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000d01
FCW=037f FSW=0000 [ST=0] FTW=00 MXCSR=00001fa0
FPR0=0000000000000000 0000 FPR1=0000000000000000 0000
FPR2=0000000000000000 0000 FPR3=0000000000000000 0000
FPR4=0000000000000000 0000 FPR5=0000000000000000 0000
FPR6=0000000000000000 0000 FPR7=0000000000000000 0000
XMM00=0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a XMM01=797320202022207475706e6920646574
XMM02=363639322d64766564752d646d657473 XMM03=2031332e2e64205d3130305b20202020
XMM04=7062203a3634343932352e3634322020 XMM05=203a6b746e6972705f65636172745f66
XMM06=6c6966203a544958452045424f52504b XMM07=66202c34706f6f6c203d20656d616e65
XMM08=656c6966203a544958452045424f5250 XMM09=7566202c34706f6f6c203d20656d616e
XMM10=2f34706f6f6c203d2068746170206c6c XMM11=65642f6c6175747269762f6b636f6c62
XMM12=66203d2072646461202c2f7365636976 XMM13=2c303239366264393866666666666666
XMM14=706d65203d20656d616e207264646120 XMM15=00000000000000000000000000000000