program:
perf_event_open$cgroup(&(0x7f0000000380)={0x4, 0x80, 0x6, 0xe, 0x4, 0xc4, 0x0, 0x1, 0x3600, 0xe, 0x1, 0x1, 0x1, 0x0, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x0, 0x0, 0x2, 0x1, 0x0, 0x1, 0x1, 0x0, 0x1, 0x1, 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1, 0x0, 0x0, 0x0, 0x1, 0x1, 0x0, 0x80, 0x1, @perf_bp={0x0, 0x4}, 0x640, 0x5, 0x7, 0x0, 0x1ff, 0x1, 0x3, 0x0, 0x5, 0x0, 0x4}, 0xffffffffffffffff, 0xe, 0xffffffffffffffff, 0xa) (async)
futex(&(0x7f0000000040), 0x5, 0x0, 0x0, &(0x7f0000000140), 0x35000000)
r0 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94)
bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r0}, 0x10) (async, rerun: 32)
syz_open_dev$dvb_frontend(&(0x7f00000002c0), 0x0, 0x2) (rerun: 32)
syz_init_net_socket$nl_rdma(0x10, 0x3, 0x10) (async)
r1 = socket$nl_netfilter(0x10, 0x3, 0xc)
sendmsg$NFT_BATCH(r1, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000880)=ANY=[@ANYBLOB="1400000010000100000000f203cab5efcd00000000000000000a20000000000a03000000000000000000070000000900010073797a30000000e1fb1e260ae86b278b8f4d5735005c000000090a010400000000000000000700000008000a40000000000900020073797a31000000000900010073797a30000000000800054000000021200011800e000100636f6e6e6c696d69740000000c00028008000140fffffff73c0000000c0a01010000000000000000070000000900020073797a31000000000900010073797a3000000000100003800c0000800800034000000002140000001000010000000000000000000084000a"], 0xe0}}, 0x0) (async)
r2 = socket$packet(0x11, 0x3, 0x300) (async)
socketpair(0x1, 0x100000005, 0x0, &(0x7f0000000000)={<r3=>0xffffffffffffffff})
getpeername$packet(r3, &(0x7f0000000000)={0x11, 0x0, <r4=>0x0, 0x1, 0x0, 0x6, @dev}, &(0x7f0000000040)=0x14)
sendmmsg(r2, &(0x7f0000000440)=[{{&(0x7f0000000500)=@xdp={0x2c, 0xdd85, r4}, 0x80, &(0x7f00000004c0)=[{&(0x7f0000000180)='O', 0x1}], 0x1, 0x0, 0x0, 0x2f00}}], 0x1, 0x20000084) (async)
sendmsg$IPCTNL_MSG_EXP_NEW(0xffffffffffffffff, &(0x7f0000000500)={0x0, 0x0, &(0x7f00000004c0)={0x0, 0xa4}, 0x1, 0x0, 0x0, 0x8004}, 0x0)
sendmsg$IPCTNL_MSG_EXP_NEW(0xffffffffffffffff, &(0x7f0000000540)={&(0x7f0000000300)={0x10, 0x0, 0x0, 0x2481000}, 0xc, &(0x7f0000000480)={&(0x7f0000000400)={0x30, 0x0, 0x2, 0x801, 0x0, 0x0, {0x7, 0x0, 0x2}, [@CTA_EXPECT_NAT={0x1c, 0xa, 0x0, 0x1, [@CTA_EXPECT_NAT_DIR, @CTA_EXPECT_NAT_TUPLE={0x14, 0x2, 0x0, 0x1, [@CTA_TUPLE_ZONE={0x6}, @CTA_TUPLE_ZONE={0xffffffffffffff31, 0x3, 0x1, 0x0, 0x3}]}]}]}, 0x30}, 0x1, 0x0, 0x0, 0x40010}, 0x4008000) (async)
r5 = socket(0x10, 0x803, 0x0)
sendto(r5, &(0x7f0000000740)="120000001200e7ef007b00000000000000a1", 0x12, 0x0, 0x0, 0x0)
getsockopt$inet_sctp_SCTP_INITMSG(r5, 0x84, 0x2, &(0x7f0000000080), &(0x7f0000000340)=0x8)
recvmmsg(r5, &(0x7f00000037c0)=[{{&(0x7f00000004c0)=@ethernet={0x0, @random}, 0x80, &(0x7f0000000380)=[{&(0x7f0000000140)=""/100, 0x64}, {&(0x7f0000000280)=""/85, 0x55}, {&(0x7f0000000fc0)=""/4096, 0x1000}, {&(0x7f0000000a00)=""/106, 0x6a}, {&(0x7f0000000980)=""/73, 0x49}, {&(0x7f0000000200)=""/77, 0x4d}, {&(0x7f00000007c0)=""/141, 0x8d}, {&(0x7f00000001c0)=""/10, 0xa}], 0x8, &(0x7f0000000600)=""/191, 0xbf}, 0x5}], 0x1, 0x2000, &(0x7f0000003700)={0x77359400})

[   88.878962][ T5295] Bluetooth: hci0: command tx timeout
[   89.171586][ T5319] ==================================================================
[   89.175150][ T5319] BUG: KASAN: slab-use-after-free in dvb_device_open+0xc4/0x350
[   89.179065][ T5319] Read of size 8 at addr ffff888033a17418 by task syz.0.0/5319
[   89.182462][ T5319] 
[   89.183590][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   89.183603][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   89.183609][ T5319] Call Trace:
[   89.183616][ T5319]  <TASK>
[   89.183622][ T5319]  dump_stack_lvl+0xe8/0x150
[   89.183640][ T5319]  print_report+0xba/0x230
[   89.183652][ T5319]  ? dvb_device_open+0xc4/0x350
[   89.183662][ T5319]  kasan_report+0x117/0x150
[   89.183678][ T5319]  ? dvb_device_open+0xc4/0x350
[   89.183688][ T5319]  dvb_device_open+0xc4/0x350
[   89.183697][ T5319]  ? do_raw_spin_unlock+0x4d/0x210
[   89.183708][ T5319]  chrdev_open+0x4cd/0x5e0
[   89.183724][ T5319]  ? __pfx_chrdev_open+0x10/0x10
[   89.183737][ T5319]  ? fsnotify_open_perm_and_set_mode+0x135/0x6d0
[   89.183752][ T5319]  ? __pfx_chrdev_open+0x10/0x10
[   89.183765][ T5319]  do_dentry_open+0x785/0x14e0
[   89.183778][ T5319]  vfs_open+0x3b/0x340
[   89.183787][ T5319]  ? path_openat+0x2df0/0x3860
[   89.183800][ T5319]  path_openat+0x2e08/0x3860
[   89.183815][ T5319]  ? __pfx_stack_trace_save+0x10/0x10
[   89.183826][ T5319]  ? stack_depot_save_flags+0x33/0x810
[   89.183840][ T5319]  ? __pfx_path_openat+0x10/0x10
[   89.183852][ T5319]  ? __x64_sys_openat+0x138/0x170
[   89.183862][ T5319]  ? do_syscall_64+0x14d/0xf80
[   89.183919][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.183931][ T5319]  ? __lock_acquire+0x6b5/0x2cf0
[   89.183945][ T5319]  do_file_open+0x23e/0x4a0
[   89.183958][ T5319]  ? __pfx_do_file_open+0x10/0x10
[   89.183975][ T5319]  ? _raw_spin_unlock+0x28/0x50
[   89.183989][ T5319]  ? alloc_fd+0x64b/0x6c0
[   89.184001][ T5319]  do_sys_openat2+0x113/0x200
[   89.184012][ T5319]  ? __pfx_do_sys_openat2+0x10/0x10
[   89.184023][ T5319]  ? __task_pid_nr_ns+0x28/0x490
[   89.184040][ T5319]  __x64_sys_openat+0x138/0x170
[   89.184051][ T5319]  do_syscall_64+0x14d/0xf80
[   89.184061][ T5319]  ? trace_irq_disable+0x3b/0x150
[   89.184073][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.184084][ T5319]  ? clear_bhb_loop+0x40/0x90
[   89.184094][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.184104][ T5319] RIP: 0033:0x7f4fb835c84e
[   89.184115][ T5319] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[   89.184123][ T5319] RSP: 002b:00007f4fb924db28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   89.184135][ T5319] RAX: ffffffffffffffda RBX: 00007f4fb924e6c0 RCX: 00007f4fb835c84e
[   89.184142][ T5319] RDX: 0000000000000002 RSI: 00007f4fb924dc00 RDI: ffffffffffffff9c
[   89.184149][ T5319] RBP: 00007f4fb924dc00 R08: 0000000000000000 R09: 0000000000000000
[   89.184155][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
[   89.184161][ T5319] R13: 00007f4fb8616038 R14: 00007f4fb8615fa0 R15: 00007ffcff3b51b8
[   89.184172][ T5319]  </TASK>
[   89.184175][ T5319] 
[   89.300211][ T5319] Allocated by task 1:
[   89.301964][ T5319]  kasan_save_track+0x3e/0x80
[   89.303907][ T5319]  __kasan_kmalloc+0x93/0xb0
[   89.305829][ T5319]  __kmalloc_cache_noprof+0x31c/0x660
[   89.308027][ T5319]  dvb_register_device+0x2fd/0x2210
[   89.310139][ T5319]  dvb_register_frontend+0x649/0x950
[   89.312254][ T5319]  vidtv_bridge_probe+0x9aa/0xf80
[   89.314288][ T5319]  platform_probe+0xf9/0x190
[   89.316195][ T5319]  really_probe+0x267/0xaf0
[   89.318033][ T5319]  __driver_probe_device+0x18c/0x320
[   89.320140][ T5319]  driver_probe_device+0x4f/0x240
[   89.322001][ T5319]  __driver_attach+0x3e7/0x710
[   89.323948][ T5319]  bus_for_each_dev+0x23b/0x2c0
[   89.325929][ T5319]  bus_add_driver+0x345/0x670
[   89.328040][ T5319]  driver_register+0x23a/0x320
[   89.330193][ T5319]  vidtv_bridge_init+0x28/0x50
[   89.332301][ T5319]  do_one_initcall+0x250/0x8d0
[   89.334371][ T5319]  do_initcall_level+0x104/0x190
[   89.336551][ T5319]  do_initcalls+0x59/0xa0
[   89.338400][ T5319]  kernel_init_freeable+0x2a6/0x3e0
[   89.340617][ T5319]  kernel_init+0x1d/0x1d0
[   89.342260][ T5319]  ret_from_fork+0x51e/0xb90
[   89.343924][ T5319]  ret_from_fork_asm+0x1a/0x30
[   89.345816][ T5319] 
[   89.346799][ T5319] Freed by task 5319:
[   89.348448][ T5319]  kasan_save_track+0x3e/0x80
[   89.350174][ T5319]  kasan_save_free_info+0x46/0x50
[   89.352096][ T5319]  __kasan_slab_free+0x5c/0x80
[   89.353979][ T5319]  kfree+0x1c1/0x630
[   89.355568][ T5319]  dvb_device_open+0x2cd/0x350
[   89.357528][ T5319]  chrdev_open+0x4cd/0x5e0
[   89.359517][ T5319]  do_dentry_open+0x785/0x14e0
[   89.361558][ T5319]  vfs_open+0x3b/0x340
[   89.363399][ T5319]  path_openat+0x2e08/0x3860
[   89.365406][ T5319]  do_file_open+0x23e/0x4a0
[   89.367390][ T5319]  do_sys_openat2+0x113/0x200
[   89.369414][ T5319]  __x64_sys_openat+0x138/0x170
[   89.371620][ T5319]  do_syscall_64+0x14d/0xf80
[   89.373742][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.376351][ T5319] 
[   89.377461][ T5319] The buggy address belongs to the object at ffff888033a17400
[   89.377461][ T5319]  which belongs to the cache kmalloc-256 of size 256
[   89.383534][ T5319] The buggy address is located 24 bytes inside of
[   89.383534][ T5319]  freed 256-byte region [ffff888033a17400, ffff888033a17500)
[   89.388872][ T5319] 
[   89.389808][ T5319] The buggy address belongs to the physical page:
[   89.392189][ T5319] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33a17
[   89.395507][ T5319] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[   89.398295][ T5319] page_type: f5(slab)
[   89.399896][ T5319] raw: 04fff00000000000 ffff88801a841b40 dead000000000100 dead000000000122
[   89.403216][ T5319] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[   89.406805][ T5319] page dumped because: kasan: bad access detected
[   89.409575][ T5319] page_owner tracks the page as allocated
[   89.411962][ T5319] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 21756332351, free_ts 21730749886
[   89.420207][ T5319]  post_alloc_hook+0x231/0x280
[   89.422201][ T5319]  get_page_from_freelist+0x24dc/0x2580
[   89.424273][ T5319]  __alloc_frozen_pages_noprof+0x18d/0x380
[   89.426266][ T5319]  allocate_slab+0x77/0x660
[   89.427825][ T5319]  refill_objects+0x331/0x3c0
[   89.429448][ T5319]  __pcs_replace_empty_main+0x2b9/0x620
[   89.431616][ T5319]  __kmalloc_cache_noprof+0x392/0x660
[   89.433701][ T5319]  bus_add_driver+0x162/0x670
[   89.435563][ T5319]  driver_register+0x23a/0x320
[   89.437615][ T5319]  vidtv_bridge_init+0x28/0x50
[   89.439721][ T5319]  do_one_initcall+0x250/0x8d0
[   89.441691][ T5319]  do_initcall_level+0x104/0x190
[   89.443846][ T5319]  do_initcalls+0x59/0xa0
[   89.445684][ T5319]  kernel_init_freeable+0x2a6/0x3e0
[   89.448050][ T5319]  kernel_init+0x1d/0x1d0
[   89.449949][ T5319]  ret_from_fork+0x51e/0xb90
[   89.452045][ T5319] page last free pid 1351 tgid 1351 stack trace:
[   89.455384][ T5319]  __free_frozen_pages+0xc00/0xd90
[   89.457902][ T5319]  vfree+0x25a/0x400
[   89.459809][ T5319]  delayed_vfree_work+0x55/0x80
[   89.461926][ T5319]  process_scheduled_works+0xb02/0x1830
[   89.464307][ T5319]  worker_thread+0xa50/0xfc0
[   89.466372][ T5319]  kthread+0x388/0x470
[   89.468340][ T5319]  ret_from_fork+0x51e/0xb90
[   89.470453][ T5319]  ret_from_fork_asm+0x1a/0x30
[   89.472423][ T5319] 
[   89.473381][ T5319] Memory state around the buggy address:
[   89.475782][ T5319]  ffff888033a17300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   89.479744][ T5319]  ffff888033a17380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   89.483253][ T5319] >ffff888033a17400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   89.486748][ T5319]                             ^
[   89.488848][ T5319]  ffff888033a17480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[   89.492081][ T5319]  ffff888033a17500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   89.495564][ T5319] ==================================================================
[   89.541302][ T5319] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[   89.543754][ T5319] CPU: 0 UID: 0 PID: 5319 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) 
[   89.546781][ T5319] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[   89.550696][ T5319] Call Trace:
[   89.552143][ T5319]  <TASK>
[   89.553475][ T5319]  vpanic+0x56c/0xa60
[   89.555300][ T5319]  ? __pfx_vpanic+0x10/0x10
[   89.557266][ T5319]  ? __pfx___schedule+0x10/0x10
[   89.559403][ T5319]  panic+0xc5/0xd0
[   89.561087][ T5319]  ? __pfx_panic+0x10/0x10
[   89.562819][ T5319]  ? preempt_schedule_thunk+0x16/0x30
[   89.565092][ T5319]  ? dvb_device_open+0xc4/0x350
[   89.567249][ T5319]  check_panic_on_warn+0x89/0xb0
[   89.569808][ T5319]  ? dvb_device_open+0xc4/0x350
[   89.571945][ T5319]  end_report+0x73/0x180
[   89.573720][ T5319]  ? dvb_device_open+0xc4/0x350
[   89.575694][ T5319]  kasan_report+0x128/0x150
[   89.577538][ T5319]  ? dvb_device_open+0xc4/0x350
[   89.579575][ T5319]  dvb_device_open+0xc4/0x350
[   89.581679][ T5319]  ? do_raw_spin_unlock+0x4d/0x210
[   89.583922][ T5319]  chrdev_open+0x4cd/0x5e0
[   89.585842][ T5319]  ? __pfx_chrdev_open+0x10/0x10
[   89.587996][ T5319]  ? fsnotify_open_perm_and_set_mode+0x135/0x6d0
[   89.591063][ T5319]  ? __pfx_chrdev_open+0x10/0x10
[   89.593579][ T5319]  do_dentry_open+0x785/0x14e0
[   89.595494][ T5319]  vfs_open+0x3b/0x340
[   89.597285][ T5319]  ? path_openat+0x2df0/0x3860
[   89.599429][ T5319]  path_openat+0x2e08/0x3860
[   89.601505][ T5319]  ? __pfx_stack_trace_save+0x10/0x10
[   89.604028][ T5319]  ? stack_depot_save_flags+0x33/0x810
[   89.606771][ T5319]  ? __pfx_path_openat+0x10/0x10
[   89.609057][ T5319]  ? __x64_sys_openat+0x138/0x170
[   89.611304][ T5319]  ? do_syscall_64+0x14d/0xf80
[   89.615438][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.618045][ T5319]  ? __lock_acquire+0x6b5/0x2cf0
[   89.620302][ T5319]  do_file_open+0x23e/0x4a0
[   89.622363][ T5319]  ? __pfx_do_file_open+0x10/0x10
[   89.624639][ T5319]  ? _raw_spin_unlock+0x28/0x50
[   89.626834][ T5319]  ? alloc_fd+0x64b/0x6c0
[   89.628798][ T5319]  do_sys_openat2+0x113/0x200
[   89.630929][ T5319]  ? __pfx_do_sys_openat2+0x10/0x10
[   89.633197][ T5319]  ? __task_pid_nr_ns+0x28/0x490
[   89.635246][ T5319]  __x64_sys_openat+0x138/0x170
[   89.637213][ T5319]  do_syscall_64+0x14d/0xf80
[   89.639130][ T5319]  ? trace_irq_disable+0x3b/0x150
[   89.641111][ T5319]  ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.643542][ T5319]  ? clear_bhb_loop+0x40/0x90
[   89.645330][ T5319]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
[   89.647716][ T5319] RIP: 0033:0x7f4fb835c84e
[   89.649717][ T5319] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
[   89.657042][ T5319] RSP: 002b:00007f4fb924db28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[   89.660609][ T5319] RAX: ffffffffffffffda RBX: 00007f4fb924e6c0 RCX: 00007f4fb835c84e
[   89.664093][ T5319] RDX: 0000000000000002 RSI: 00007f4fb924dc00 RDI: ffffffffffffff9c
[   89.667460][ T5319] RBP: 00007f4fb924dc00 R08: 0000000000000000 R09: 0000000000000000
[   89.670896][ T5319] R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
[   89.674122][ T5319] R13: 00007f4fb8616038 R14: 00007f4fb8615fa0 R15: 00007ffcff3b51b8
[   89.677365][ T5319]  </TASK>
[   89.681706][ T5319] Kernel Offset: disabled
[   89.683515][ T5319] Rebooting in 86400 seconds..