program:
# syzkaller reproducer (syzlang), with the KASAN report it produced appended after the last call.
# What the attached report supports, and nothing more:
#   * syz_open_dev$dvb_frontend(...) opens a DVB frontend device node. The log shows
#     "dvb_frontend_start: failed to start kthread (-4)" and the faulting syscall is
#     openat (ORIG_RAX 0x101) returning RAX = 0xfffffffffffffffc (-4 = EINTR), i.e. the
#     open failed while the task already had a signal pending (consistent with the
#     kthread creation being interrupted by a fatal signal — not shown directly).
#   * The task then dies (get_signal -> do_group_exit -> do_exit) and the file is put
#     from task_work (__fput -> dvb_frontend_release). Inside that single release call
#     a 256-byte object (allocated by dvb_register_device during vidtv_bridge_probe,
#     presumably the struct dvb_device — confirm) is freed via
#     dvb_generic_release -> kfree at dvb_frontend_release+0x132, and then read
#     (4 bytes at offset 60 of the freed object) at dvb_frontend_release+0x40a.
#     That is the slab-use-after-free: the release path drops the last reference and
#     still dereferences the object afterwards.
#   * The timer_create(...)/timer_settime(...) pair below arms a timer aimed at this
#     thread (@tid=r0); it is presumably the signal source that makes the open fail,
#     but the trace only shows the task taking a fatal signal, so treat this as
#     unconfirmed.
# The 9p mount ("9p: Bad value for 'rfdno'" in the log), the netfilter/nl80211
# traffic, sendmsg$kcm, mprotect and process_mrelease on the reproducer's own pidfd
# do not appear on the crashing path; they are likely fuzzer noise (not confirmed).
# NOTE(review): reproduced as UID 0 on a QEMU guest with the vidtv test bridge driver
# loaded and panic_on_warn set. Whether an unprivileged user can reach this depends on
# the permissions of the DVB frontend device node, which this page does not show.
# Without KASAN the 4-byte read lands in a possibly reallocated kmalloc-256 slot; the
# page gives no basis for claiming anything beyond a UAF read in the release path.
r0 = gettid()
# Signal source (sigevent: signo 0x21, notify field 0x800000000004, target tid r0 —
# exact field meaning depends on the sigevent layout; verify).
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc)) (async)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
fcntl$lock(0xffffffffffffffff, 0x6, &(0x7f0000000040)={0x0, 0x0, 0x60d3, 0x5})
# The open that fails with -EINTR ("failed to start kthread (-4)" in the log); the
# resulting file is released on process exit, which is where the UAF is reported.
syz_open_dev$dvb_frontend(&(0x7f0000000080), 0x0, 0x8000)
syz_open_procfs(0x0, &(0x7f0000000240)='fd/3\x00') (async)
r1 = syz_open_procfs(0x0, &(0x7f0000000240)='fd/3\x00')
r2 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1)
# Rejected by the kernel per the log ("Bad value for 'rfdno'"); not on the crash path.
mount$9p_fd(0x0, &(0x7f0000000100)='.\x00', &(0x7f0000000040), 0x0, &(0x7f0000000080)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) (async)
mount$9p_fd(0x0, &(0x7f0000000100)='.\x00', &(0x7f0000000040), 0x0, &(0x7f0000000080)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}})
mprotect(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0)
socket$nl_netfilter(0x10, 0x3, 0xc) (async)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
# Invalid fd (-1) target; payload is an opaque 0x13c-byte blob. Not on the crash path.
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)=[{0x0}, {&(0x7f0000000580)="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", 0x13c}], 0x2}, 0x0) (async)
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)=[{0x0}, {&(0x7f0000000580)="d4fa0c511aad03aa5ed217677bc41c027d9c830c439c7f821ddd78b6915cb170e7603acf9e433c2903bb6773f4b0130668a1e5b5e08d21d0b69c28ca3455aed65855c86f3d1e5789d26375a0d85eaf5e92e19c9affcf76e7a94e76556d2b104ebf645747fadc91460f4b3c94e1a89b51be4a6aa4c65285f988329a8163b69c51b801500a5bacd0463976e2960e2679ef2feee5e6ce6bb78a51fb0e15820d13e4a5aa9e0742a6f8d677ad28fea356657bb550c8311b682d9003c82267a15aa7334bc53b65b9119a1a7d905c7dd365b85c230bbad0d5d0a79819e112637819d9a187cfdf782c6127d2d4281926ab0e22f7346b616fe28ed0b9f4a0c9fdac6d3a90a9c38b5e31448a45546388c95045bc22fe88c43b82a0a5d3eb61c238a5159ea98db9c00aeef644ae98a8cb8dffff3b7ba14d7971910b559623af8295", 0x13c}], 0x2}, 0x0)
setsockopt$CAN_RAW_RECV_OWN_MSGS(0xffffffffffffffff, 0x65, 0x4, &(0x7f0000000580)=0x1, 0x4)
r4 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8b18, &(0x7f0000000000)={'wlan1\x00'})
# nftables batch over the netfilter netlink socket; opaque blob, not on the crash path.
sendmsg$NFT_BATCH(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000280)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a010200000000000000000100000009ec010073797a30000000002c000000030a010800000000000000010000000900030073797a32000000000900010073797a300000800050000000060a010400000000000000000100000008000b400000000009000100737907000000000028000480240001800b0001007470726f787900001400028008000240000000170800014000000002140000001100010000000000000000000000000a872b1c55a675d3962255c70191c6697283e90ed5448f556ee33d6c27ed"], 0xc4}}, 0x0)
# Arms the timer created above (itimerspec read from 0x40, which earlier calls also
# wrote to).
timer_settime(0x0, 0x1, &(0x7f0000000040), 0x0)
r5 = getpid()
r6 = syz_pidfd_open(r5, 0x0)
# Issued against the reproducer's own pidfd; not present in the crash trace.
process_mrelease(r6, 0x0) (async)
process_mrelease(r6, 0x0)
[ 85.212047][ T5340] 9p: Bad value for 'rfdno' [ 85.216021][ T5337] i2c i2c-1: dvb_frontend_start: failed to start kthread (-4) [ 85.236461][ T5337] ================================================================== [ 85.239852][ T5337] BUG: KASAN: slab-use-after-free in dvb_frontend_release+0x40a/0x4d0 [ 85.243370][ T5337] Read of size 4 at addr ffff888036cea63c by task syz.0.0/5337 [ 85.246622][ T5337] [ 85.247696][ T5337] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.247711][ T5337] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.247718][ T5337] Call Trace: [ 85.247724][ T5337] [ 85.247730][ T5337] dump_stack_lvl+0xe8/0x150 [ 85.247746][ T5337] print_address_description+0x55/0x1e0 [ 85.247759][ T5337] ? dvb_frontend_release+0x40a/0x4d0 [ 85.247771][ T5337] print_report+0x58/0x70 [ 85.247779][ T5337] kasan_report+0x117/0x150 [ 85.247794][ T5337] ? dvb_frontend_release+0x40a/0x4d0 [ 85.247805][ T5337] dvb_frontend_release+0x40a/0x4d0 [ 85.247816][ T5337] ? 
__pfx_dvb_frontend_release+0x10/0x10 [ 85.247827][ T5337] __fput+0x44f/0xa60 [ 85.247840][ T5337] task_work_run+0x1d9/0x270 [ 85.247855][ T5337] ? __pfx_task_work_run+0x10/0x10 [ 85.247867][ T5337] ? do_raw_spin_unlock+0x4d/0x210 [ 85.247884][ T5337] do_exit+0x70f/0x22c0 [ 85.247897][ T5337] ? __kasan_slab_free+0x5c/0x80 [ 85.247909][ T5337] ? kmem_cache_free+0x182/0x650 [ 85.247922][ T5337] ? __pfx_do_exit+0x10/0x10 [ 85.247935][ T5337] ? do_raw_spin_lock+0x12b/0x2f0 [ 85.247950][ T5337] do_group_exit+0x21b/0x2d0 [ 85.247963][ T5337] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.248021][ T5337] get_signal+0x1284/0x1330 [ 85.248036][ T5337] arch_do_signal_or_restart+0xbc/0x840 [ 85.248053][ T5337] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 85.248068][ T5337] ? do_sys_openat2+0x14c/0x200 [ 85.248083][ T5337] exit_to_user_mode_loop+0xa9/0x680 [ 85.248093][ T5337] ? rcu_is_watching+0x15/0xb0 [ 85.248107][ T5337] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.248118][ T5337] do_syscall_64+0x353/0x580 [ 85.248128][ T5337] ? trace_irq_disable+0x3b/0x140 [ 85.248142][ T5337] ? clear_bhb_loop+0x40/0x90 [ 85.248154][ T5337] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.248165][ T5337] RIP: 0033:0x7f0c5675d68e [ 85.248174][ T5337] Code: Unable to access opcode bytes at 0x7f0c5675d664. 
[ 85.248179][ T5337] RSP: 002b:00007f0c576cde88 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 85.248192][ T5337] RAX: fffffffffffffffc RBX: 00007f0c576ce6c0 RCX: 00007f0c5675d68e [ 85.248200][ T5337] RDX: 0000000000000002 RSI: 00007f0c576cdf50 RDI: ffffffffffffff9c [ 85.248207][ T5337] RBP: 00007f0c56832d6f R08: 0000000000000000 R09: 0000000000000000 [ 85.248213][ T5337] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.248219][ T5337] R13: 00007f0c56a16128 R14: 00007f0c56a16090 R15: 00007ffc11b2a0c8 [ 85.248230][ T5337] [ 85.248234][ T5337] [ 85.350207][ T5337] Allocated by task 1: [ 85.351937][ T5337] kasan_save_track+0x3e/0x80 [ 85.353943][ T5337] __kasan_kmalloc+0x93/0xb0 [ 85.355787][ T5337] __kmalloc_cache_noprof+0x31c/0x660 [ 85.358060][ T5337] dvb_register_device+0x2fd/0x21e0 [ 85.360320][ T5337] dvb_register_frontend+0x61b/0x920 [ 85.362829][ T5337] vidtv_bridge_probe+0x9aa/0xf80 [ 85.365110][ T5337] platform_probe+0xf9/0x190 [ 85.367157][ T5337] really_probe+0x267/0xaf0 [ 85.369071][ T5337] __driver_probe_device+0x1ef/0x380 [ 85.371435][ T5337] driver_probe_device+0x4f/0x240 [ 85.373558][ T5337] __driver_attach+0x34c/0x640 [ 85.375581][ T5337] bus_for_each_dev+0x23b/0x2c0 [ 85.377656][ T5337] bus_add_driver+0x345/0x670 [ 85.379576][ T5337] driver_register+0x23a/0x320 [ 85.381590][ T5337] vidtv_bridge_init+0x28/0x50 [ 85.383696][ T5337] do_one_initcall+0x250/0x870 [ 85.385708][ T5337] do_initcall_level+0x104/0x190 [ 85.387837][ T5337] do_initcalls+0x59/0xa0 [ 85.389712][ T5337] kernel_init_freeable+0x2a6/0x3e0 [ 85.391951][ T5337] kernel_init+0x1d/0x1d0 [ 85.393883][ T5337] ret_from_fork+0x514/0xb70 [ 85.395881][ T5337] ret_from_fork_asm+0x1a/0x30 [ 85.397926][ T5337] [ 85.398942][ T5337] Freed by task 5337: [ 85.400632][ T5337] kasan_save_track+0x3e/0x80 [ 85.402790][ T5337] kasan_save_free_info+0x46/0x50 [ 85.405138][ T5337] __kasan_slab_free+0x5c/0x80 [ 85.407370][ T5337] kfree+0x1c5/0x640 [ 85.409044][ T5337] 
dvb_generic_release+0x11d/0x1b0 [ 85.411223][ T5337] dvb_frontend_release+0x132/0x4d0 [ 85.413408][ T5337] __fput+0x44f/0xa60 [ 85.415104][ T5337] task_work_run+0x1d9/0x270 [ 85.417070][ T5337] do_exit+0x70f/0x22c0 [ 85.418911][ T5337] do_group_exit+0x21b/0x2d0 [ 85.420916][ T5337] get_signal+0x1284/0x1330 [ 85.422763][ T5337] arch_do_signal_or_restart+0xbc/0x840 [ 85.425109][ T5337] exit_to_user_mode_loop+0xa9/0x680 [ 85.427397][ T5337] do_syscall_64+0x353/0x580 [ 85.429402][ T5337] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.431934][ T5337] [ 85.433019][ T5337] The buggy address belongs to the object at ffff888036cea600 [ 85.433019][ T5337] which belongs to the cache kmalloc-256 of size 256 [ 85.438841][ T5337] The buggy address is located 60 bytes inside of [ 85.438841][ T5337] freed 256-byte region [ffff888036cea600, ffff888036cea700) [ 85.444581][ T5337] [ 85.445625][ T5337] The buggy address belongs to the physical page: [ 85.448407][ T5337] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36cea [ 85.452059][ T5337] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff) [ 85.454971][ T5337] page_type: f5(slab) [ 85.456570][ T5337] raw: 04fff00000000000 ffff88801ac41b40 dead000000000122 0000000000000000 [ 85.459948][ T5337] raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000 [ 85.463451][ T5337] page dumped because: kasan: bad access detected [ 85.466071][ T5337] page_owner tracks the page as allocated [ 85.468311][ T5337] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 23245531755, free_ts 23176630898 [ 85.475978][ T5337] post_alloc_hook+0x22d/0x280 [ 85.477956][ T5337] get_page_from_freelist+0x2593/0x2610 [ 85.480234][ T5337] __alloc_frozen_pages_noprof+0x18d/0x380 [ 85.482608][ T5337] allocate_slab+0x77/0x660 [ 85.484468][ T5337] refill_objects+0x339/0x3d0 [ 85.486396][ T5337] 
__pcs_replace_empty_main+0x321/0x720 [ 85.488640][ T5337] __kmalloc_cache_noprof+0x392/0x660 [ 85.490934][ T5337] bus_add_driver+0x162/0x670 [ 85.493075][ T5337] driver_register+0x23a/0x320 [ 85.495199][ T5337] usb_register_driver+0x1e4/0x390 [ 85.497330][ T5337] do_one_initcall+0x250/0x870 [ 85.499332][ T5337] do_initcall_level+0x104/0x190 [ 85.501520][ T5337] do_initcalls+0x59/0xa0 [ 85.503432][ T5337] kernel_init_freeable+0x2a6/0x3e0 [ 85.505708][ T5337] kernel_init+0x1d/0x1d0 [ 85.507555][ T5337] ret_from_fork+0x514/0xb70 [ 85.509447][ T5337] page last free pid 1 tgid 1 stack trace: [ 85.511845][ T5337] __free_frozen_pages+0xc1c/0xd30 [ 85.514107][ T5337] __slab_free+0x274/0x2c0 [ 85.516031][ T5337] qlist_free_all+0x99/0x100 [ 85.518041][ T5337] kasan_quarantine_reduce+0x148/0x160 [ 85.520415][ T5337] __kasan_slab_alloc+0x22/0x80 [ 85.522544][ T5337] kmem_cache_alloc_noprof+0x2bc/0x650 [ 85.524808][ T5337] __kernfs_new_node+0xea/0x970 [ 85.526945][ T5337] kernfs_new_node+0x102/0x210 [ 85.529063][ T5337] __kernfs_create_file+0x4b/0x2e0 [ 85.531257][ T5337] sysfs_add_file_mode_ns+0x238/0x300 [ 85.533614][ T5337] sysfs_create_file_ns+0x12b/0x1b0 [ 85.536027][ T5337] usb_register_driver+0x30f/0x390 [ 85.538404][ T5337] do_one_initcall+0x250/0x870 [ 85.540605][ T5337] do_initcall_level+0x104/0x190 [ 85.542880][ T5337] do_initcalls+0x59/0xa0 [ 85.544812][ T5337] kernel_init_freeable+0x2a6/0x3e0 [ 85.547056][ T5337] [ 85.548093][ T5337] Memory state around the buggy address: [ 85.550459][ T5337] ffff888036cea500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.553971][ T5337] ffff888036cea580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.557516][ T5337] >ffff888036cea600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.560712][ T5337] ^ [ 85.563289][ T5337] ffff888036cea680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 85.566583][ T5337] ffff888036cea700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 85.569804][ T5337] 
================================================================== [ 85.597323][ T4660] Bluetooth: hci0: command tx timeout [ 85.600108][ T5337] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 85.603163][ T5337] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full) [ 85.607252][ T5337] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 [ 85.611398][ T5337] Call Trace: [ 85.612809][ T5337] [ 85.614050][ T5337] vpanic+0x56c/0xa60 [ 85.615695][ T5337] ? __pfx_vpanic+0x10/0x10 [ 85.617595][ T5337] ? __pfx___schedule+0x10/0x10 [ 85.619628][ T5337] panic+0xc5/0xd0 [ 85.621364][ T5337] ? __pfx_panic+0x10/0x10 [ 85.623410][ T5337] ? preempt_schedule_common+0x82/0xd0 [ 85.625859][ T5337] ? dvb_frontend_release+0x40a/0x4d0 [ 85.628234][ T5337] check_panic_on_warn+0x89/0xb0 [ 85.630464][ T5337] ? dvb_frontend_release+0x40a/0x4d0 [ 85.632746][ T5337] end_report+0x73/0x170 [ 85.634598][ T5337] ? dvb_frontend_release+0x40a/0x4d0 [ 85.636920][ T5337] kasan_report+0x128/0x150 [ 85.638818][ T5337] ? dvb_frontend_release+0x40a/0x4d0 [ 85.640962][ T5337] dvb_frontend_release+0x40a/0x4d0 [ 85.643072][ T5337] ? __pfx_dvb_frontend_release+0x10/0x10 [ 85.645179][ T5337] __fput+0x44f/0xa60 [ 85.646905][ T5337] task_work_run+0x1d9/0x270 [ 85.648810][ T5337] ? __pfx_task_work_run+0x10/0x10 [ 85.651034][ T5337] ? do_raw_spin_unlock+0x4d/0x210 [ 85.653304][ T5337] do_exit+0x70f/0x22c0 [ 85.655153][ T5337] ? __kasan_slab_free+0x5c/0x80 [ 85.657524][ T5337] ? kmem_cache_free+0x182/0x650 [ 85.659666][ T5337] ? __pfx_do_exit+0x10/0x10 [ 85.661606][ T5337] ? do_raw_spin_lock+0x12b/0x2f0 [ 85.663719][ T5337] do_group_exit+0x21b/0x2d0 [ 85.665707][ T5337] ? _raw_spin_unlock_irq+0x23/0x50 [ 85.667975][ T5337] get_signal+0x1284/0x1330 [ 85.669906][ T5337] arch_do_signal_or_restart+0xbc/0x840 [ 85.672514][ T5337] ? __pfx_arch_do_signal_or_restart+0x10/0x10 [ 85.675884][ T5337] ? 
do_sys_openat2+0x14c/0x200 [ 85.678578][ T5337] exit_to_user_mode_loop+0xa9/0x680 [ 85.681305][ T5337] ? rcu_is_watching+0x15/0xb0 [ 85.683328][ T5337] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.685914][ T5337] do_syscall_64+0x353/0x580 [ 85.687905][ T5337] ? trace_irq_disable+0x3b/0x140 [ 85.690069][ T5337] ? clear_bhb_loop+0x40/0x90 [ 85.692102][ T5337] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 85.694962][ T5337] RIP: 0033:0x7f0c5675d68e [ 85.697138][ T5337] Code: Unable to access opcode bytes at 0x7f0c5675d664. [ 85.700206][ T5337] RSP: 002b:00007f0c576cde88 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 [ 85.703823][ T5337] RAX: fffffffffffffffc RBX: 00007f0c576ce6c0 RCX: 00007f0c5675d68e [ 85.707196][ T5337] RDX: 0000000000000002 RSI: 00007f0c576cdf50 RDI: ffffffffffffff9c [ 85.710586][ T5337] RBP: 00007f0c56832d6f R08: 0000000000000000 R09: 0000000000000000 [ 85.713863][ T5337] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 85.717211][ T5337] R13: 00007f0c56a16128 R14: 00007f0c56a16090 R15: 00007ffc11b2a0c8 [ 85.720662][ T5337] [ 85.722450][ T5337] Kernel Offset: disabled [ 85.724541][ T5337] Rebooting in 86400 seconds..