program: pipe2$9p(&(0x7f0000000040)={0xffffffffffffffff, 0xffffffffffffffff}, 0x4080) write$P9_RSYMLINK(r0, &(0x7f0000000100)={0x14, 0x11, 0x2, {0xf1c01cc2b87c0344, 0x1}}, 0x14) r1 = bpf$BPF_PROG_RAW_TRACEPOINT_LOAD(0x5, &(0x7f0000000180)={0x11, 0x5, &(0x7f0000000280)=ANY=[@ANYBLOB="1801000021000000000000004cc311ec8500000075000000a70000000800000095"], &(0x7f0000000100)='GPL\x00', 0x0, 0x0, 0x0, 0x0, 0x0, '\x00', 0x0, 0x2}, 0x94) bpf$BPF_RAW_TRACEPOINT_OPEN(0x11, &(0x7f0000000540)={&(0x7f0000000000)='kfree\x00', r1}, 0x10) (async, rerun: 32) syz_open_dev$dvb_frontend(&(0x7f00000002c0), 0x0, 0x2) (async, rerun: 32) sendmsg$nl_generic(0xffffffffffffffff, &(0x7f0000000000)={0x0, 0x0, &(0x7f0000000180)={&(0x7f00000002c0)=ANY=[], 0x34}, 0x1, 0x0, 0x0, 0x4048011}, 0xc000) r2 = openat$ptmx(0xffffffffffffff9c, &(0x7f0000000080), 0x60081, 0x0) ioctl$TIOCSETD(r2, 0x5423, &(0x7f0000000200)=0x16) (async) mprotect(&(0x7f0000ffe000/0x1000)=nil, 0x1000, 0x1) (async) ioctl$TIOCSTI(r2, 0x5412, &(0x7f00000000c0)=0x3b) ioctl$TIOCSTI(r2, 0x5412, &(0x7f00000001c0)=0x3) (async) ioctl$TIOCSTI(r2, 0x5412, &(0x7f0000000140)=0xb) r3 = syz_open_dev$dvb_demux(&(0x7f0000000080), 0x0, 0x20000) ioctl$DVB_DEMUX_DMX_SET_PES_FILTER(r3, 0x40146f2c, &(0x7f0000000040)={0x0, 0x0, 0x0, 0x5, 0x4}) mprotect(&(0x7f0000000000/0x800000)=nil, 0x800000, 0x1) ioctl$DVB_DEMUX_DMX_REMOVE_PID(r3, 0x40026f34, &(0x7f0000000100)=0x9) (async) ioctl$DVB_DEMUX_DMX_SET_PES_FILTER(r3, 0x40146f2c, &(0x7f0000000000)={0x8, 0x0, 0x2, 0x8}) r4 = socket$nl_route(0x10, 0x3, 0x0) (async, rerun: 64) r5 = socket(0x10, 0x803, 0x0) (rerun: 64) bind$netlink(r5, &(0x7f0000000100)={0x10, 0x0, 0x25dfdbfd, 0x400}, 0xc) (async) getsockname$packet(r5, &(0x7f0000000600)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f0000000080)=0x14) sendmsg$nl_route(r4, &(0x7f00000006c0)={0x0, 0x0, &(0x7f00000001c0)={&(0x7f00000003c0)=ANY=[@ANYBLOB="4400000010000d042abd70f8ffffffffffffff00", @ANYRES32=r6, @ANYBLOB="01000000000000002400128009000100626f6e640000000014000280050001000400000005000e0003"], 0x44}, 0x1, 0x0, 0x0, 0x40040}, 0x0) (async) r7 = socket$nl_route(0x10, 0x3, 0x0) r8 = socket(0x1, 0x803, 0x0) getsockname$packet(r8, &(0x7f0000000100)={0x11, 0x0, 0x0, 0x1, 0x0, 0x6, @broadcast}, &(0x7f00000002c0)=0x14) sendmsg$nl_route(r7, &(0x7f0000000240)={0x0, 0x0, &(0x7f0000000180)={&(0x7f0000001400)=@newlink={0x3c, 0x10, 0x401, 0x0, 0x0, {0x0, 0x0, 0x0, 0x0, 0x0, 0x440}, [@IFLA_LINKINFO={0x14, 0x12, 0x0, 0x1, @veth={{0x9}, {0x4, 0x2, 0x0, 0x1, @void}}}, @IFLA_MASTER={0x8, 0xa, r9}]}, 0x3c}}, 0x0) ioctl$TIOCSTI(r2, 0x5412, &(0x7f0000000180)=0x7) [ 117.498551][ T4667] Bluetooth: hci0: command tx timeout [ 117.601869][ T5331] ================================================================== [ 117.605520][ T5331] BUG: KASAN: slab-use-after-free in dvb_device_open+0xc4/0x350 [ 117.610112][ T5331] Read of size 8 at addr ffff8880330bfe18 by task syz.0.0/5331 [ 117.613872][ T5331] [ 117.614966][ T5331] CPU: 0 UID: 0 PID: 5331 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 117.614981][ T5331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 117.614988][ T5331] Call Trace: [ 117.614995][ T5331] [ 117.615001][ T5331] dump_stack_lvl+0xe8/0x150 [ 117.615022][ T5331] print_report+0xba/0x230 [ 117.615036][ T5331] ? dvb_device_open+0xc4/0x350 [ 117.615050][ T5331] kasan_report+0x117/0x150 [ 117.615063][ T5331] ? dvb_device_open+0xc4/0x350 [ 117.615077][ T5331] dvb_device_open+0xc4/0x350 [ 117.615088][ T5331] ? do_raw_spin_unlock+0x4d/0x210 [ 117.615102][ T5331] chrdev_open+0x4cd/0x5e0 [ 117.615115][ T5331] ? __pfx_chrdev_open+0x10/0x10 [ 117.615126][ T5331] ? fsnotify_open_perm_and_set_mode+0x135/0x6d0 [ 117.615143][ T5331] ? __pfx_chrdev_open+0x10/0x10 [ 117.615152][ T5331] do_dentry_open+0x785/0x14e0 [ 117.615170][ T5331] vfs_open+0x3b/0x340 [ 117.615181][ T5331] ? path_openat+0x2df0/0x3860 [ 117.615191][ T5331] path_openat+0x2e08/0x3860 [ 117.615204][ T5331] ? __pfx_stack_trace_save+0x10/0x10 [ 117.615217][ T5331] ? stack_depot_save_flags+0x33/0x810 [ 117.615237][ T5331] ? __pfx_path_openat+0x10/0x10 [ 117.615245][ T5331] ? __x64_sys_openat+0x138/0x170 [ 117.615257][ T5331] ? do_syscall_64+0x14d/0xf80 [ 117.615321][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 117.615341][ T5331] ? __lock_acquire+0x6b5/0x2cf0 [ 117.615361][ T5331] do_file_open+0x23e/0x4a0 [ 117.615372][ T5331] ? __pfx_do_file_open+0x10/0x10 [ 117.615387][ T5331] ? _raw_spin_unlock+0x28/0x50 [ 117.615396][ T5331] ? alloc_fd+0x64b/0x6c0 [ 117.615411][ T5331] do_sys_openat2+0x113/0x200 [ 117.615424][ T5331] ? __pfx_do_sys_openat2+0x10/0x10 [ 117.615438][ T5331] ? __task_pid_nr_ns+0x28/0x470 [ 117.615450][ T5331] __x64_sys_openat+0x138/0x170 [ 117.615465][ T5331] do_syscall_64+0x14d/0xf80 [ 117.615476][ T5331] ? trace_irq_disable+0x3b/0x150 [ 117.615486][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 117.615496][ T5331] ? clear_bhb_loop+0x40/0x90 [ 117.615506][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 117.615514][ T5331] RIP: 0033:0x7f39a015cfce [ 117.615523][ T5331] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 [ 117.615529][ T5331] RSP: 002b:00007f399c5cbae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 117.615538][ T5331] RAX: ffffffffffffffda RBX: 00007f399c5cc6c0 RCX: 00007f39a015cfce [ 117.615546][ T5331] RDX: 0000000000000002 RSI: 00007f399c5cbbc0 RDI: ffffffffffffff9c [ 117.615553][ T5331] RBP: 00007f399c5cbbc0 R08: 0000000000000000 R09: 0000000000000000 [ 117.615560][ T5331] R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd [ 117.615566][ T5331] R13: 00007f39a0416128 R14: 00007f39a0416090 R15: 00007fff23c06768 [ 117.615578][ T5331] [ 117.615582][ T5331] [ 117.754877][ T5331] Allocated by task 1: [ 117.757142][ T5331] kasan_save_track+0x3e/0x80 [ 117.759525][ T5331] __kasan_kmalloc+0x93/0xb0 [ 117.761589][ T5331] __kmalloc_cache_noprof+0x31c/0x660 [ 117.764411][ T5331] dvb_register_device+0x2fd/0x21e0 [ 117.767488][ T5331] dvb_register_frontend+0x649/0x950 [ 117.770308][ T5331] vidtv_bridge_probe+0x9aa/0xf80 [ 117.772684][ T5331] platform_probe+0xf9/0x190 [ 117.774910][ T5331] really_probe+0x267/0xaf0 [ 117.777064][ T5331] __driver_probe_device+0x18c/0x320 [ 117.779593][ T5331] driver_probe_device+0x4f/0x240 [ 117.781961][ T5331] __driver_attach+0x34c/0x640 [ 117.784362][ T5331] bus_for_each_dev+0x23b/0x2c0 [ 117.786915][ T5331] bus_add_driver+0x345/0x670 [ 117.789167][ T5331] driver_register+0x23a/0x320 [ 117.791466][ T5331] vidtv_bridge_init+0x28/0x50 [ 117.793764][ T5331] do_one_initcall+0x250/0x8d0 [ 117.796198][ T5331] do_initcall_level+0x104/0x190 [ 117.799364][ T5331] do_initcalls+0x59/0xa0 [ 117.801600][ T5331] kernel_init_freeable+0x2a6/0x3e0 [ 117.803766][ T5331] kernel_init+0x1d/0x1d0 [ 117.805521][ T5331] ret_from_fork+0x51e/0xb90 [ 117.807505][ T5331] ret_from_fork_asm+0x1a/0x30 [ 117.809785][ T5331] [ 117.811334][ T5331] Freed by task 5331: [ 117.813870][ T5331] kasan_save_track+0x3e/0x80 [ 117.816084][ T5331] kasan_save_free_info+0x46/0x50 [ 117.818208][ T5331] __kasan_slab_free+0x5c/0x80 [ 117.820369][ T5331] kfree+0x1c1/0x630 [ 117.822159][ T5331] dvb_device_open+0x2cd/0x350 [ 117.824261][ T5331] chrdev_open+0x4cd/0x5e0 [ 117.826396][ T5331] do_dentry_open+0x785/0x14e0 [ 117.828501][ T5331] vfs_open+0x3b/0x340 [ 117.830159][ T5331] path_openat+0x2e08/0x3860 [ 117.832288][ T5331] do_file_open+0x23e/0x4a0 [ 117.834807][ T5331] do_sys_openat2+0x113/0x200 [ 117.837415][ T5331] __x64_sys_openat+0x138/0x170 [ 117.840076][ T5331] do_syscall_64+0x14d/0xf80 [ 117.842260][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 117.844936][ T5331] [ 117.846071][ T5331] The buggy address belongs to the object at ffff8880330bfe00 [ 117.846071][ T5331] which belongs to the cache kmalloc-256 of size 256 [ 117.853267][ T5331] The buggy address is located 24 bytes inside of [ 117.853267][ T5331] freed 256-byte region [ffff8880330bfe00, ffff8880330bff00) [ 117.859830][ T5331] [ 117.860946][ T5331] The buggy address belongs to the physical page: [ 117.863948][ T5331] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x330bf [ 117.867645][ T5331] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 117.871197][ T5331] page_type: f5(slab) [ 117.873628][ T5331] raw: 04fff00000000000 ffff88801ac41b40 dead000000000100 dead000000000122 [ 117.877854][ T5331] raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000 [ 117.882409][ T5331] page dumped because: kasan: bad access detected [ 117.886021][ T5331] page_owner tracks the page as allocated [ 117.888893][ T5331] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 16427285438, free_ts 16426890531 [ 117.898058][ T5331] post_alloc_hook+0x231/0x280 [ 117.900469][ T5331] get_page_from_freelist+0x24dc/0x2580 [ 117.903787][ T5331] __alloc_frozen_pages_noprof+0x18d/0x380 [ 117.907087][ T5331] allocate_slab+0x77/0x660 [ 117.909116][ T5331] refill_objects+0x331/0x3c0 [ 117.911611][ T5331] __pcs_replace_empty_main+0x2e6/0x730 [ 117.914668][ T5331] __kmalloc_cache_noprof+0x392/0x660 [ 117.917773][ T5331] bus_add_driver+0x162/0x670 [ 117.920595][ T5331] driver_register+0x23a/0x320 [ 117.923826][ T5331] phy_driver_register+0x198/0x300 [ 117.927013][ T5331] phy_drivers_register+0x3f/0xd0 [ 117.929415][ T5331] do_one_initcall+0x250/0x8d0 [ 117.931655][ T5331] do_initcall_level+0x104/0x190 [ 117.934010][ T5331] do_initcalls+0x59/0xa0 [ 117.936048][ T5331] kernel_init_freeable+0x2a6/0x3e0 [ 117.938705][ T5331] kernel_init+0x1d/0x1d0 [ 117.941373][ T5331] page last free pid 1042 tgid 1042 stack trace: [ 117.944476][ T5331] __free_frozen_pages+0xc2b/0xdb0 [ 117.946708][ T5331] __kasan_populate_vmalloc+0x1b2/0x1d0 [ 117.948995][ T5331] alloc_vmap_area+0xd73/0x14b0 [ 117.951427][ T5331] __get_vm_area_node+0x1f8/0x300 [ 117.954250][ T5331] __vmalloc_node_range_noprof+0x372/0x1730 [ 117.956678][ T5331] __vmalloc_node_noprof+0xc2/0x100 [ 117.958889][ T5331] dup_task_struct+0x275/0x9a0 [ 117.960971][ T5331] copy_process+0x508/0x3cd0 [ 117.963138][ T5331] kernel_clone+0x248/0x8e0 [ 117.965716][ T5331] user_mode_thread+0x110/0x180 [ 117.968455][ T5331] call_usermodehelper_exec_work+0x5c/0x230 [ 117.971475][ T5331] process_scheduled_works+0xb6e/0x18c0 [ 117.974034][ T5331] worker_thread+0xa53/0xfc0 [ 117.976197][ T5331] kthread+0x388/0x470 [ 117.978073][ T5331] ret_from_fork+0x51e/0xb90 [ 117.980229][ T5331] ret_from_fork_asm+0x1a/0x30 [ 117.982437][ T5331] [ 117.983564][ T5331] Memory state around the buggy address: [ 117.986378][ T5331] ffff8880330bfd00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 117.990459][ T5331] ffff8880330bfd80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 117.994168][ T5331] >ffff8880330bfe00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 117.997825][ T5331] ^ [ 118.000382][ T5331] ffff8880330bfe80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 118.006476][ T5331] ffff8880330bff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 118.010959][ T5331] ================================================================== [ 118.137130][ T5331] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 118.140455][ T5331] CPU: 0 UID: 0 PID: 5331 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 118.144785][ T5331] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 118.150461][ T5331] Call Trace: [ 118.152312][ T5331] [ 118.153612][ T5331] vpanic+0x56c/0xa60 [ 118.155444][ T5331] ? __pfx_vpanic+0x10/0x10 [ 118.157522][ T5331] ? __pfx___schedule+0x10/0x10 [ 118.159629][ T5331] panic+0xc5/0xd0 [ 118.161137][ T5331] ? __pfx_panic+0x10/0x10 [ 118.162908][ T5331] ? preempt_schedule_thunk+0x16/0x30 [ 118.165331][ T5331] ? dvb_device_open+0xc4/0x350 [ 118.168117][ T5331] check_panic_on_warn+0x89/0xb0 [ 118.170947][ T5331] ? dvb_device_open+0xc4/0x350 [ 118.173626][ T5331] end_report+0x73/0x180 [ 118.175535][ T5331] ? dvb_device_open+0xc4/0x350 [ 118.177704][ T5331] kasan_report+0x128/0x150 [ 118.179852][ T5331] ? dvb_device_open+0xc4/0x350 [ 118.182179][ T5331] dvb_device_open+0xc4/0x350 [ 118.184253][ T5331] ? do_raw_spin_unlock+0x4d/0x210 [ 118.186634][ T5331] chrdev_open+0x4cd/0x5e0 [ 118.188727][ T5331] ? __pfx_chrdev_open+0x10/0x10 [ 118.191495][ T5331] ? fsnotify_open_perm_and_set_mode+0x135/0x6d0 [ 118.194659][ T5331] ? __pfx_chrdev_open+0x10/0x10 [ 118.196849][ T5331] do_dentry_open+0x785/0x14e0 [ 118.198772][ T5331] vfs_open+0x3b/0x340 [ 118.200367][ T5331] ? path_openat+0x2df0/0x3860 [ 118.202388][ T5331] path_openat+0x2e08/0x3860 [ 118.204416][ T5331] ? __pfx_stack_trace_save+0x10/0x10 [ 118.206971][ T5331] ? stack_depot_save_flags+0x33/0x810 [ 118.209631][ T5331] ? __pfx_path_openat+0x10/0x10 [ 118.212118][ T5331] ? __x64_sys_openat+0x138/0x170 [ 118.214530][ T5331] ? do_syscall_64+0x14d/0xf80 [ 118.216760][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.219653][ T5331] ? __lock_acquire+0x6b5/0x2cf0 [ 118.222090][ T5331] do_file_open+0x23e/0x4a0 [ 118.224340][ T5331] ? __pfx_do_file_open+0x10/0x10 [ 118.226902][ T5331] ? _raw_spin_unlock+0x28/0x50 [ 118.229268][ T5331] ? alloc_fd+0x64b/0x6c0 [ 118.231293][ T5331] do_sys_openat2+0x113/0x200 [ 118.233436][ T5331] ? __pfx_do_sys_openat2+0x10/0x10 [ 118.236122][ T5331] ? __task_pid_nr_ns+0x28/0x470 [ 118.238978][ T5331] __x64_sys_openat+0x138/0x170 [ 118.241752][ T5331] do_syscall_64+0x14d/0xf80 [ 118.244162][ T5331] ? trace_irq_disable+0x3b/0x150 [ 118.246366][ T5331] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.249003][ T5331] ? clear_bhb_loop+0x40/0x90 [ 118.250981][ T5331] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 118.253682][ T5331] RIP: 0033:0x7f39a015cfce [ 118.255685][ T5331] Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08 [ 118.265508][ T5331] RSP: 002b:00007f399c5cbae8 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 118.269062][ T5331] RAX: ffffffffffffffda RBX: 00007f399c5cc6c0 RCX: 00007f39a015cfce [ 118.272496][ T5331] RDX: 0000000000000002 RSI: 00007f399c5cbbc0 RDI: ffffffffffffff9c [ 118.277478][ T5331] RBP: 00007f399c5cbbc0 R08: 0000000000000000 R09: 0000000000000000 [ 118.281922][ T5331] R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd [ 118.285556][ T5331] R13: 00007f39a0416128 R14: 00007f39a0416090 R15: 00007fff23c06768 [ 118.289058][ T5331] [ 118.290881][ T5331] Kernel Offset: disabled [ 118.292829][ T5331] Rebooting in 86400 seconds..