program: syz_open_dev$dvb_frontend(&(0x7f0000000080), 0x0, 0x0) r0 = syz_open_procfs(0x0, &(0x7f0000000000)='fd/3\x00') syz_kvm_setup_syzos_vm$x86(r0, &(0x7f0000c00000/0x400000)=nil) syz_open_dev$dvb_frontend(&(0x7f0000000080), 0x0, 0x0) (async) syz_open_procfs(0x0, &(0x7f0000000000)='fd/3\x00') (async) syz_kvm_setup_syzos_vm$x86(r0, &(0x7f0000c00000/0x400000)=nil) (async) [ 103.539135][ T4657] Bluetooth: hci0: command tx timeout [ 103.634388][ T5331] i2c i2c-1: dvb_frontend_start: failed to start kthread (-4) [ 103.657572][ T5332] ================================================================== [ 103.660916][ T5332] BUG: KASAN: slab-use-after-free in dvb_frontend_release+0x40a/0x4d0 [ 103.664360][ T5332] Read of size 4 at addr ffff888033a7b23c by task syz.0.0/5332 [ 103.667546][ T5332] [ 103.668614][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 103.668629][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 103.668636][ T5332] Call Trace: [ 103.668643][ T5332] [ 103.668648][ T5332] dump_stack_lvl+0xe8/0x150 [ 103.668665][ T5332] print_address_description+0x55/0x1e0 [ 103.668678][ T5332] ? dvb_frontend_release+0x40a/0x4d0 [ 103.668691][ T5332] print_report+0x58/0x70 [ 103.668701][ T5332] kasan_report+0x117/0x150 [ 103.668716][ T5332] ? dvb_frontend_release+0x40a/0x4d0 [ 103.668730][ T5332] dvb_frontend_release+0x40a/0x4d0 [ 103.668749][ T5332] ? __pfx_dvb_frontend_release+0x10/0x10 [ 103.668762][ T5332] __fput+0x44f/0xa60 [ 103.668776][ T5332] task_work_run+0x1d9/0x270 [ 103.668792][ T5332] ? __pfx_task_work_run+0x10/0x10 [ 103.668807][ T5332] ? do_raw_spin_unlock+0x4d/0x210 [ 103.668825][ T5332] do_exit+0x70f/0x22c0 [ 103.668839][ T5332] ? __kasan_slab_free+0x5c/0x80 [ 103.668852][ T5332] ? kmem_cache_free+0x182/0x650 [ 103.668868][ T5332] ? __pfx_do_exit+0x10/0x10 [ 103.668882][ T5332] ? do_raw_spin_lock+0x12b/0x2f0 [ 103.668899][ T5332] do_group_exit+0x21b/0x2d0 [ 103.668913][ T5332] ? _raw_spin_unlock_irq+0x23/0x50 [ 103.668975][ T5332] get_signal+0x1284/0x1330 [ 103.669018][ T5332] arch_do_signal_or_restart+0xbc/0x840 [ 103.669037][ T5332] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 103.669052][ T5332] ? do_sys_openat2+0x14c/0x200 [ 103.669068][ T5332] exit_to_user_mode_loop+0xa9/0x680 [ 103.669078][ T5332] ? rcu_is_watching+0x15/0xb0 [ 103.669091][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.669103][ T5332] do_syscall_64+0x353/0x580 [ 103.669114][ T5332] ? trace_irq_disable+0x3b/0x140 [ 103.669130][ T5332] ? clear_bhb_loop+0x40/0x90 [ 103.669142][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.669153][ T5332] RIP: 0033:0x7fe244b5d68e [ 103.669165][ T5332] Code: Unable to access opcode bytes at 0x7fe244b5d664. [ 103.669171][ T5332] RSP: 002b:00007fe245b1aae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 103.669184][ T5332] RAX: 0000000000000005 RBX: 00007fe245b1b6c0 RCX: 00007fe244b5d68e [ 103.669192][ T5332] RDX: 0000000000000000 RSI: 00007fe245b1abc0 RDI: ffffffffffffff9c [ 103.669199][ T5332] RBP: 00007fe245b1abc0 R08: 0000000000000000 R09: 0000000000000000 [ 103.669206][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd [ 103.669213][ T5332] R13: 00007fe244e16128 R14: 00007fe244e16090 R15: 00007ffd434d5f18 [ 103.669225][ T5332] [ 103.669229][ T5332] [ 103.773650][ T5332] Allocated by task 1: [ 103.777961][ T5332] kasan_save_track+0x3e/0x80 [ 103.780016][ T5332] __kasan_kmalloc+0x93/0xb0 [ 103.781909][ T5332] __kmalloc_cache_noprof+0x31c/0x660 [ 103.784055][ T5332] dvb_register_device+0x2fd/0x21e0 [ 103.786261][ T5332] dvb_register_frontend+0x61b/0x920 [ 103.788540][ T5332] vidtv_bridge_probe+0x9aa/0xf80 [ 103.790704][ T5332] platform_probe+0xf9/0x190 [ 103.792656][ T5332] really_probe+0x267/0xaf0 [ 103.794626][ T5332] __driver_probe_device+0x1ef/0x380 [ 103.796781][ T5332] driver_probe_device+0x4f/0x240 [ 103.798882][ T5332] __driver_attach+0x34c/0x640 [ 103.800967][ T5332] bus_for_each_dev+0x23b/0x2c0 [ 103.803025][ T5332] bus_add_driver+0x345/0x670 [ 103.805035][ T5332] driver_register+0x23a/0x320 [ 103.806999][ T5332] vidtv_bridge_init+0x28/0x50 [ 103.808964][ T5332] do_one_initcall+0x250/0x870 [ 103.811265][ T5332] do_initcall_level+0x104/0x190 [ 103.813561][ T5332] do_initcalls+0x59/0xa0 [ 103.815388][ T5332] kernel_init_freeable+0x2a6/0x3e0 [ 103.817464][ T5332] kernel_init+0x1d/0x1d0 [ 103.819308][ T5332] ret_from_fork+0x514/0xb70 [ 103.821371][ T5332] ret_from_fork_asm+0x1a/0x30 [ 103.823474][ T5332] [ 103.824553][ T5332] Freed by task 5332: [ 103.826323][ T5332] kasan_save_track+0x3e/0x80 [ 103.828333][ T5332] kasan_save_free_info+0x46/0x50 [ 103.830491][ T5332] __kasan_slab_free+0x5c/0x80 [ 103.832541][ T5332] kfree+0x1c5/0x640 [ 103.834161][ T5332] dvb_generic_release+0x11d/0x1b0 [ 103.836355][ T5332] dvb_frontend_release+0x132/0x4d0 [ 103.838545][ T5332] __fput+0x44f/0xa60 [ 103.840143][ T5332] task_work_run+0x1d9/0x270 [ 103.842096][ T5332] do_exit+0x70f/0x22c0 [ 103.843885][ T5332] do_group_exit+0x21b/0x2d0 [ 103.845800][ T5332] get_signal+0x1284/0x1330 [ 103.847667][ T5332] arch_do_signal_or_restart+0xbc/0x840 [ 103.850059][ T5332] exit_to_user_mode_loop+0xa9/0x680 [ 103.852409][ T5332] do_syscall_64+0x353/0x580 [ 103.854432][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 103.856963][ T5332] [ 103.858056][ T5332] The buggy address belongs to the object at ffff888033a7b200 [ 103.858056][ T5332] which belongs to the cache kmalloc-256 of size 256 [ 103.863708][ T5332] The buggy address is located 60 bytes inside of [ 103.863708][ T5332] freed 256-byte region [ffff888033a7b200, ffff888033a7b300) [ 103.869132][ T5332] [ 103.870173][ T5332] The buggy address belongs to the physical page: [ 103.873066][ T5332] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x33a7b [ 103.876628][ T5332] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 103.879608][ T5332] page_type: f5(slab) [ 103.881272][ T5332] raw: 04fff00000000000 ffff88801ac41b40 dead000000000100 dead000000000122 [ 103.884627][ T5332] raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000 [ 103.887990][ T5332] page dumped because: kasan: bad access detected [ 103.890343][ T5332] page_owner tracks the page as allocated [ 103.892528][ T5332] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 26631617488, free_ts 26543095782 [ 103.900410][ T5332] post_alloc_hook+0x22d/0x280 [ 103.902466][ T5332] get_page_from_freelist+0x2593/0x2610 [ 103.904621][ T5332] __alloc_frozen_pages_noprof+0x18d/0x380 [ 103.907078][ T5332] allocate_slab+0x77/0x660 [ 103.909041][ T5332] refill_objects+0x339/0x3d0 [ 103.911000][ T5332] __pcs_replace_empty_main+0x321/0x720 [ 103.913508][ T5332] __kmalloc_cache_noprof+0x392/0x660 [ 103.915756][ T5332] bus_add_driver+0x162/0x670 [ 103.917644][ T5332] driver_register+0x23a/0x320 [ 103.919609][ T5332] i2c_register_driver+0xbb/0x1a0 [ 103.921825][ T5332] do_one_initcall+0x250/0x870 [ 103.923854][ T5332] do_initcall_level+0x104/0x190 [ 103.925912][ T5332] do_initcalls+0x59/0xa0 [ 103.927691][ T5332] kernel_init_freeable+0x2a6/0x3e0 [ 103.929880][ T5332] kernel_init+0x1d/0x1d0 [ 103.931795][ T5332] ret_from_fork+0x514/0xb70 [ 103.934143][ T5332] page last free pid 9 tgid 9 stack trace: [ 103.937265][ T5332] __free_frozen_pages+0xc1c/0xd30 [ 103.939657][ T5332] __slab_free+0x274/0x2c0 [ 103.941590][ T5332] qlist_free_all+0x99/0x100 [ 103.943621][ T5332] kasan_quarantine_reduce+0x148/0x160 [ 103.945936][ T5332] __kasan_slab_alloc+0x22/0x80 [ 103.947953][ T5332] __kmalloc_cache_noprof+0x2ba/0x660 [ 103.950095][ T5332] drm_atomic_state_alloc+0xa9/0x100 [ 103.952347][ T5332] drm_atomic_helper_dirtyfb+0x129/0xf80 [ 103.954796][ T5332] drm_fbdev_shmem_helper_fb_dirty+0x160/0x2d0 [ 103.957432][ T5332] drm_fb_helper_damage_work+0x2b3/0x750 [ 103.959858][ T5332] process_scheduled_works+0xb5d/0x1860 [ 103.962257][ T5332] worker_thread+0xa53/0xfc0 [ 103.964270][ T5332] kthread+0x389/0x470 [ 103.966100][ T5332] ret_from_fork+0x514/0xb70 [ 103.968112][ T5332] ret_from_fork_asm+0x1a/0x30 [ 103.970073][ T5332] [ 103.971075][ T5332] Memory state around the buggy address: [ 103.973450][ T5332] ffff888033a7b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 103.976701][ T5332] ffff888033a7b180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 103.980729][ T5332] >ffff888033a7b200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.984160][ T5332] ^ [ 103.986596][ T5332] ffff888033a7b280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 103.989624][ T5332] ffff888033a7b300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 103.992868][ T5332] ================================================================== [ 104.087083][ T5332] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 104.090078][ T5332] CPU: 0 UID: 0 PID: 5332 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 104.093842][ T5332] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 104.097821][ T5332] Call Trace: [ 104.099127][ T5332] [ 104.100316][ T5332] vpanic+0x56c/0xa60 [ 104.102151][ T5332] ? __pfx_vpanic+0x10/0x10 [ 104.103966][ T5332] ? __pfx___schedule+0x10/0x10 [ 104.106007][ T5332] panic+0xc5/0xd0 [ 104.107447][ T5332] ? __pfx_panic+0x10/0x10 [ 104.109178][ T5332] ? preempt_schedule_common+0x82/0xd0 [ 104.111361][ T5332] ? dvb_frontend_release+0x40a/0x4d0 [ 104.113579][ T5332] check_panic_on_warn+0x89/0xb0 [ 104.115586][ T5332] ? dvb_frontend_release+0x40a/0x4d0 [ 104.117696][ T5332] end_report+0x73/0x170 [ 104.119362][ T5332] ? dvb_frontend_release+0x40a/0x4d0 [ 104.121543][ T5332] kasan_report+0x128/0x150 [ 104.123427][ T5332] ? dvb_frontend_release+0x40a/0x4d0 [ 104.125616][ T5332] dvb_frontend_release+0x40a/0x4d0 [ 104.127785][ T5332] ? __pfx_dvb_frontend_release+0x10/0x10 [ 104.130212][ T5332] __fput+0x44f/0xa60 [ 104.131978][ T5332] task_work_run+0x1d9/0x270 [ 104.133946][ T5332] ? __pfx_task_work_run+0x10/0x10 [ 104.136012][ T5332] ? do_raw_spin_unlock+0x4d/0x210 [ 104.138038][ T5332] do_exit+0x70f/0x22c0 [ 104.139747][ T5332] ? __kasan_slab_free+0x5c/0x80 [ 104.141850][ T5332] ? kmem_cache_free+0x182/0x650 [ 104.143917][ T5332] ? __pfx_do_exit+0x10/0x10 [ 104.145850][ T5332] ? do_raw_spin_lock+0x12b/0x2f0 [ 104.147977][ T5332] do_group_exit+0x21b/0x2d0 [ 104.149915][ T5332] ? _raw_spin_unlock_irq+0x23/0x50 [ 104.152139][ T5332] get_signal+0x1284/0x1330 [ 104.154151][ T5332] arch_do_signal_or_restart+0xbc/0x840 [ 104.156460][ T5332] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 104.158907][ T5332] ? do_sys_openat2+0x14c/0x200 [ 104.160960][ T5332] exit_to_user_mode_loop+0xa9/0x680 [ 104.163090][ T5332] ? rcu_is_watching+0x15/0xb0 [ 104.165106][ T5332] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 104.167601][ T5332] do_syscall_64+0x353/0x580 [ 104.169571][ T5332] ? trace_irq_disable+0x3b/0x140 [ 104.171721][ T5332] ? clear_bhb_loop+0x40/0x90 [ 104.173689][ T5332] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 104.176567][ T5332] RIP: 0033:0x7fe244b5d68e [ 104.178801][ T5332] Code: Unable to access opcode bytes at 0x7fe244b5d664. [ 104.181596][ T5332] RSP: 002b:00007fe245b1aae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 104.185035][ T5332] RAX: 0000000000000005 RBX: 00007fe245b1b6c0 RCX: 00007fe244b5d68e [ 104.188203][ T5332] RDX: 0000000000000000 RSI: 00007fe245b1abc0 RDI: ffffffffffffff9c [ 104.191547][ T5332] RBP: 00007fe245b1abc0 R08: 0000000000000000 R09: 0000000000000000 [ 104.194881][ T5332] R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd [ 104.198237][ T5332] R13: 00007fe244e16128 R14: 00007fe244e16090 R15: 00007ffd434d5f18 [ 104.201525][ T5332] [ 104.203224][ T5332] Kernel Offset: disabled [ 104.205054][ T5332] Rebooting in 86400 seconds..