program:
# syzkaller reproducer program in its serialized (syzlang) form, as run by syzbot.
# A line marked "(async)" is issued on a worker thread without waiting for its
# result; the identical unmarked line right after it is the same call issued
# again synchronously. Resource ids rN are the return values of earlier calls.
#
# What the kernel log below shows for this run (task syz.0.0, pid 5337):
#   - the open of the DVB frontend fails in dvb_frontend_start with
#     "failed to start kthread (-4)", i.e. -EINTR, and the interrupted syscall
#     in the register dump is openat (ORIG_RAX 0x101, RAX = -4);
#   - the task then leaves via get_signal() -> do_group_exit() -> do_exit(),
#     where the deferred fput of that frontend file runs dvb_frontend_release;
#   - dvb_frontend_release+0x132 calls dvb_generic_release, which kfree()s the
#     256-byte object allocated by dvb_register_device (kmalloc-256), and
#     dvb_frontend_release+0x40a then reads 4 bytes at offset 60 inside that
#     freed object -> KASAN slab-use-after-free, followed by a panic because
#     panic_on_warn is set.
# This listing has not been minimized: several calls use fd -1 and simply fail,
# so treat the annotations on which calls matter as a reading of the log, not
# as a proven minimal trigger.

# r0 = id of the calling thread; used as the sigevent target below.
r0 = gettid()
# POSIX timer on clock 0x0 (CLOCK_REALTIME). sigev_notify 0x800000000004 has
# low bits 0x4 = SIGEV_THREAD_ID, so expiry sends signal 0x21 to thread r0.
# The timer id is stored at 0x7f0000bbdffc but is never read back by name.
# Presumably this timer is the source of the pending signal that makes the
# kthread creation and the openat return -EINTR; the log does not print the
# signal number, so this is inferred rather than proven.
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc)) (async)
timer_create(0x0, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r0}, &(0x7f0000bbdffc))
# fd -1 (0xffffffffffffffff): fails with EBADF. Its only lasting effect is that
# the struct flock bytes are written to 0x7f0000000040, a buffer reused below.
fcntl$lock(0xffffffffffffffff, 0x6, &(0x7f0000000040)={0x0, 0x0, 0x60d3, 0x5})
# Opens a DVB frontend device node with flags 0x8000. Per the log this is the
# open that fails with -4 in dvb_frontend_start, and it is the release of this
# file at process exit that reports the use-after-free.
syz_open_dev$dvb_frontend(&(0x7f0000000080), 0x0, 0x8000)
# Opens procfs entry 'fd/3' (pid argument 0x0; presumably resolved under
# /proc/self -- confirm against the syzkaller helper). r1 is used as rfdno below.
syz_open_procfs(0x0, &(0x7f0000000240)='fd/3\x00') (async)
r1 = syz_open_procfs(0x0, &(0x7f0000000240)='fd/3\x00')
# NFC LLCP socket (family 0x27, type 0x3, proto 0x1); used as wfdno below.
r2 = syz_init_net_socket$nfc_llcp(0x27, 0x3, 0x1)
# 9p mount over fds (trans=fd, rfdno=r1, wfdno=r2) onto '.'. The log line
# "9p: Bad value for 'rfdno'" shows this is rejected; it does not look related
# to the DVB crash. Note the mount type string is written to 0x7f0000000040.
mount$9p_fd(0x0, &(0x7f0000000100)='.\x00', &(0x7f0000000040), 0x0, &(0x7f0000000080)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}}) (async)
mount$9p_fd(0x0, &(0x7f0000000100)='.\x00', &(0x7f0000000040), 0x0, &(0x7f0000000080)={'trans=fd,', {'rfdno', 0x3d, r1}, 0x2c, {'wfdno', 0x3d, r2}})
# Drops all permissions (prot 0x0) on a 0x4000-byte range; nothing below
# references that range, so this is likely fuzzer residue.
mprotect(&(0x7f0000ff9000/0x4000)=nil, 0x4000, 0x0)
# Netlink socket for netfilter (family 0x10, proto 0xc); r3 is used for the
# nftables batch below.
socket$nl_netfilter(0x10, 0x3, 0xc) (async)
r3 = socket$nl_netfilter(0x10, 0x3, 0xc)
# fd -1: fails with EBADF regardless of the 0x13c-byte payload at
# 0x7f0000000580. Fuzzer residue.
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)=[{0x0}, {&(0x7f0000000580)="d4fa0c511aad03aa5ed217677bc41c027d9c830c439c7f821ddd78b6915cb170e7603acf9e433c2903bb6773f4b0130668a1e5b5e08d21d0b69c28ca3455aed65855c86f3d1e5789d26375a0d85eaf5e92e19c9affcf76e7a94e76556d2b104ebf645747fadc91460f4b3c94e1a89b51be4a6aa4c65285f988329a8163b69c51b801500a5bacd0463976e2960e2679ef2feee5e6ce6bb78a51fb0e15820d13e4a5aa9e0742a6f8d677ad28fea356657bb550c8311b682d9003c82267a15aa7334bc53b65b9119a1a7d905c7dd365b85c230bbad0d5d0a79819e112637819d9a187cfdf782c6127d2d4281926ab0e22f7346b616fe28ed0b9f4a0c9fdac6d3a90a9c38b5e31448a45546388c95045bc22fe88c43b82a0a5d3eb61c238a5159ea98db9c00aeef644ae98a8cb8dffff3b7ba14d7971910b559623af8295", 0x13c}], 0x2}, 0x0) (async)
sendmsg$kcm(0xffffffffffffffff, &(0x7f0000000180)={0x0, 0x0, &(0x7f0000000000)=[{0x0}, {&(0x7f0000000580)="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", 0x13c}], 0x2}, 0x0)
# fd -1: fails with EBADF. Fuzzer residue.
setsockopt$CAN_RAW_RECV_OWN_MSGS(0xffffffffffffffff, 0x65, 0x4, &(0x7f0000000580)=0x1, 0x4)
# Generic netlink socket; only used for the ifindex lookup of 'wlan1'.
r4 = socket$nl_generic(0x10, 0x3, 0x10)
ioctl$sock_SIOCGIFINDEX_80211(r4, 0x8b18, &(0x7f0000000000)={'wlan1\x00'})
# nftables batch (0xc4 bytes of raw netlink messages) on r3. No netfilter
# frames appear in the log, so this does not look related to the crash.
sendmsg$NFT_BATCH(r3, &(0x7f00000000c0)={0x0, 0x0, &(0x7f0000000040)={&(0x7f0000000280)=ANY=[@ANYBLOB="140000001000010000000000000000000000000a20000000000a010200000000000000000100000009ec010073797a30000000002c000000030a010800000000000000010000000900030073797a32000000000900010073797a300000800050000000060a010400000000000000000100000008000b400000000009000100737907000000000028000480240001800b0001007470726f787900001400028008000240000000170800014000000002140000001100010000000000000000000000000a872b1c55a675d3962255c70191c6697283e90ed5448f556ee33d6c27ed"], 0xc4}}, 0x0)
# Arms timer id 0x0 (a literal, not the id stored by timer_create; Linux hands
# out ids starting at 0, so this presumably is that timer -- confirm) with
# flags 0x1 = TIMER_ABSTIME. The itimerspec is read from 0x7f0000000040, which
# fcntl$lock and the 9p mount type string wrote to earlier, so its actual
# values are whatever was last stored there and cannot be read off this listing.
timer_settime(0x0, 0x1, &(0x7f0000000040), 0x0)
# pidfd for our own pid, then process_mrelease on it. The target is not
# exiting at this point, so this likely fails with EINVAL; these calls race
# with the timer signal and do not appear in the crash call trace.
r5 = getpid()
r6 = syz_pidfd_open(r5, 0x0)
process_mrelease(r6, 0x0) (async)
process_mrelease(r6, 0x0)
[ 85.212047][ T5340] 9p: Bad value for 'rfdno'
[ 85.216021][ T5337] i2c i2c-1: dvb_frontend_start: failed to start kthread (-4)
[ 85.236461][ T5337] ==================================================================
[ 85.239852][ T5337] BUG: KASAN: slab-use-after-free in dvb_frontend_release+0x40a/0x4d0
[ 85.243370][ T5337] Read of size 4 at addr ffff888036cea63c by task syz.0.0/5337
[ 85.246622][ T5337]
[ 85.247696][ T5337] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 85.247711][ T5337] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 85.247718][ T5337] Call Trace:
[ 85.247724][ T5337]
[ 85.247730][ T5337] dump_stack_lvl+0xe8/0x150
[ 85.247746][ T5337] print_address_description+0x55/0x1e0
[ 85.247759][ T5337] ? dvb_frontend_release+0x40a/0x4d0
[ 85.247771][ T5337] print_report+0x58/0x70
[ 85.247779][ T5337] kasan_report+0x117/0x150
[ 85.247794][ T5337] ? dvb_frontend_release+0x40a/0x4d0
[ 85.247805][ T5337] dvb_frontend_release+0x40a/0x4d0
[ 85.247816][ T5337] ? __pfx_dvb_frontend_release+0x10/0x10
[ 85.247827][ T5337] __fput+0x44f/0xa60
[ 85.247840][ T5337] task_work_run+0x1d9/0x270
[ 85.247855][ T5337] ? __pfx_task_work_run+0x10/0x10
[ 85.247867][ T5337] ? do_raw_spin_unlock+0x4d/0x210
[ 85.247884][ T5337] do_exit+0x70f/0x22c0
[ 85.247897][ T5337] ? __kasan_slab_free+0x5c/0x80
[ 85.247909][ T5337] ? kmem_cache_free+0x182/0x650
[ 85.247922][ T5337] ? __pfx_do_exit+0x10/0x10
[ 85.247935][ T5337] ? do_raw_spin_lock+0x12b/0x2f0
[ 85.247950][ T5337] do_group_exit+0x21b/0x2d0
[ 85.247963][ T5337] ? _raw_spin_unlock_irq+0x23/0x50
[ 85.248021][ T5337] get_signal+0x1284/0x1330
[ 85.248036][ T5337] arch_do_signal_or_restart+0xbc/0x840
[ 85.248053][ T5337] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 85.248068][ T5337] ? do_sys_openat2+0x14c/0x200
[ 85.248083][ T5337] exit_to_user_mode_loop+0xa9/0x680
[ 85.248093][ T5337] ? rcu_is_watching+0x15/0xb0
[ 85.248107][ T5337] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.248118][ T5337] do_syscall_64+0x353/0x580
[ 85.248128][ T5337] ? trace_irq_disable+0x3b/0x140
[ 85.248142][ T5337] ? clear_bhb_loop+0x40/0x90
[ 85.248154][ T5337] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.248165][ T5337] RIP: 0033:0x7f0c5675d68e
[ 85.248174][ T5337] Code: Unable to access opcode bytes at 0x7f0c5675d664.
[ 85.248179][ T5337] RSP: 002b:00007f0c576cde88 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 85.248192][ T5337] RAX: fffffffffffffffc RBX: 00007f0c576ce6c0 RCX: 00007f0c5675d68e
[ 85.248200][ T5337] RDX: 0000000000000002 RSI: 00007f0c576cdf50 RDI: ffffffffffffff9c
[ 85.248207][ T5337] RBP: 00007f0c56832d6f R08: 0000000000000000 R09: 0000000000000000
[ 85.248213][ T5337] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.248219][ T5337] R13: 00007f0c56a16128 R14: 00007f0c56a16090 R15: 00007ffc11b2a0c8
[ 85.248230][ T5337]
[ 85.248234][ T5337]
[ 85.350207][ T5337] Allocated by task 1:
[ 85.351937][ T5337] kasan_save_track+0x3e/0x80
[ 85.353943][ T5337] __kasan_kmalloc+0x93/0xb0
[ 85.355787][ T5337] __kmalloc_cache_noprof+0x31c/0x660
[ 85.358060][ T5337] dvb_register_device+0x2fd/0x21e0
[ 85.360320][ T5337] dvb_register_frontend+0x61b/0x920
[ 85.362829][ T5337] vidtv_bridge_probe+0x9aa/0xf80
[ 85.365110][ T5337] platform_probe+0xf9/0x190
[ 85.367157][ T5337] really_probe+0x267/0xaf0
[ 85.369071][ T5337] __driver_probe_device+0x1ef/0x380
[ 85.371435][ T5337] driver_probe_device+0x4f/0x240
[ 85.373558][ T5337] __driver_attach+0x34c/0x640
[ 85.375581][ T5337] bus_for_each_dev+0x23b/0x2c0
[ 85.377656][ T5337] bus_add_driver+0x345/0x670
[ 85.379576][ T5337] driver_register+0x23a/0x320
[ 85.381590][ T5337] vidtv_bridge_init+0x28/0x50
[ 85.383696][ T5337] do_one_initcall+0x250/0x870
[ 85.385708][ T5337] do_initcall_level+0x104/0x190
[ 85.387837][ T5337] do_initcalls+0x59/0xa0
[ 85.389712][ T5337] kernel_init_freeable+0x2a6/0x3e0
[ 85.391951][ T5337] kernel_init+0x1d/0x1d0
[ 85.393883][ T5337] ret_from_fork+0x514/0xb70
[ 85.395881][ T5337] ret_from_fork_asm+0x1a/0x30
[ 85.397926][ T5337]
[ 85.398942][ T5337] Freed by task 5337:
[ 85.400632][ T5337] kasan_save_track+0x3e/0x80
[ 85.402790][ T5337] kasan_save_free_info+0x46/0x50
[ 85.405138][ T5337] __kasan_slab_free+0x5c/0x80
[ 85.407370][ T5337] kfree+0x1c5/0x640
[ 85.409044][ T5337] dvb_generic_release+0x11d/0x1b0
[ 85.411223][ T5337] dvb_frontend_release+0x132/0x4d0
[ 85.413408][ T5337] __fput+0x44f/0xa60
[ 85.415104][ T5337] task_work_run+0x1d9/0x270
[ 85.417070][ T5337] do_exit+0x70f/0x22c0
[ 85.418911][ T5337] do_group_exit+0x21b/0x2d0
[ 85.420916][ T5337] get_signal+0x1284/0x1330
[ 85.422763][ T5337] arch_do_signal_or_restart+0xbc/0x840
[ 85.425109][ T5337] exit_to_user_mode_loop+0xa9/0x680
[ 85.427397][ T5337] do_syscall_64+0x353/0x580
[ 85.429402][ T5337] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.431934][ T5337]
[ 85.433019][ T5337] The buggy address belongs to the object at ffff888036cea600
[ 85.433019][ T5337] which belongs to the cache kmalloc-256 of size 256
[ 85.438841][ T5337] The buggy address is located 60 bytes inside of
[ 85.438841][ T5337] freed 256-byte region [ffff888036cea600, ffff888036cea700)
[ 85.444581][ T5337]
[ 85.445625][ T5337] The buggy address belongs to the physical page:
[ 85.448407][ T5337] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x36cea
[ 85.452059][ T5337] flags: 0x4fff00000000000(node=1|zone=1|lastcpupid=0x7ff)
[ 85.454971][ T5337] page_type: f5(slab)
[ 85.456570][ T5337] raw: 04fff00000000000 ffff88801ac41b40 dead000000000122 0000000000000000
[ 85.459948][ T5337] raw: 0000000000000000 0000000800080008 00000000f5000000 0000000000000000
[ 85.463451][ T5337] page dumped because: kasan: bad access detected
[ 85.466071][ T5337] page_owner tracks the page as allocated
[ 85.468311][ T5337] page last allocated via order 0, migratetype Unmovable, gfp_mask 0xd2cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 23245531755, free_ts 23176630898
[ 85.475978][ T5337] post_alloc_hook+0x22d/0x280
[ 85.477956][ T5337] get_page_from_freelist+0x2593/0x2610
[ 85.480234][ T5337] __alloc_frozen_pages_noprof+0x18d/0x380
[ 85.482608][ T5337] allocate_slab+0x77/0x660
[ 85.484468][ T5337] refill_objects+0x339/0x3d0
[ 85.486396][ T5337] __pcs_replace_empty_main+0x321/0x720
[ 85.488640][ T5337] __kmalloc_cache_noprof+0x392/0x660
[ 85.490934][ T5337] bus_add_driver+0x162/0x670
[ 85.493075][ T5337] driver_register+0x23a/0x320
[ 85.495199][ T5337] usb_register_driver+0x1e4/0x390
[ 85.497330][ T5337] do_one_initcall+0x250/0x870
[ 85.499332][ T5337] do_initcall_level+0x104/0x190
[ 85.501520][ T5337] do_initcalls+0x59/0xa0
[ 85.503432][ T5337] kernel_init_freeable+0x2a6/0x3e0
[ 85.505708][ T5337] kernel_init+0x1d/0x1d0
[ 85.507555][ T5337] ret_from_fork+0x514/0xb70
[ 85.509447][ T5337] page last free pid 1 tgid 1 stack trace:
[ 85.511845][ T5337] __free_frozen_pages+0xc1c/0xd30
[ 85.514107][ T5337] __slab_free+0x274/0x2c0
[ 85.516031][ T5337] qlist_free_all+0x99/0x100
[ 85.518041][ T5337] kasan_quarantine_reduce+0x148/0x160
[ 85.520415][ T5337] __kasan_slab_alloc+0x22/0x80
[ 85.522544][ T5337] kmem_cache_alloc_noprof+0x2bc/0x650
[ 85.524808][ T5337] __kernfs_new_node+0xea/0x970
[ 85.526945][ T5337] kernfs_new_node+0x102/0x210
[ 85.529063][ T5337] __kernfs_create_file+0x4b/0x2e0
[ 85.531257][ T5337] sysfs_add_file_mode_ns+0x238/0x300
[ 85.533614][ T5337] sysfs_create_file_ns+0x12b/0x1b0
[ 85.536027][ T5337] usb_register_driver+0x30f/0x390
[ 85.538404][ T5337] do_one_initcall+0x250/0x870
[ 85.540605][ T5337] do_initcall_level+0x104/0x190
[ 85.542880][ T5337] do_initcalls+0x59/0xa0
[ 85.544812][ T5337] kernel_init_freeable+0x2a6/0x3e0
[ 85.547056][ T5337]
[ 85.548093][ T5337] Memory state around the buggy address:
[ 85.550459][ T5337] ffff888036cea500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 85.553971][ T5337] ffff888036cea580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 85.557516][ T5337] >ffff888036cea600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.560712][ T5337] ^
[ 85.563289][ T5337] ffff888036cea680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.566583][ T5337] ffff888036cea700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 85.569804][ T5337] ==================================================================
[ 85.597323][ T4660] Bluetooth: hci0: command tx timeout
[ 85.600108][ T5337] Kernel panic - not syncing: KASAN: panic_on_warn set ...
[ 85.603163][ T5337] CPU: 0 UID: 0 PID: 5337 Comm: syz.0.0 Not tainted syzkaller #0 PREEMPT(full)
[ 85.607252][ T5337] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 85.611398][ T5337] Call Trace:
[ 85.612809][ T5337]
[ 85.614050][ T5337] vpanic+0x56c/0xa60
[ 85.615695][ T5337] ? __pfx_vpanic+0x10/0x10
[ 85.617595][ T5337] ? __pfx___schedule+0x10/0x10
[ 85.619628][ T5337] panic+0xc5/0xd0
[ 85.621364][ T5337] ? __pfx_panic+0x10/0x10
[ 85.623410][ T5337] ? preempt_schedule_common+0x82/0xd0
[ 85.625859][ T5337] ? dvb_frontend_release+0x40a/0x4d0
[ 85.628234][ T5337] check_panic_on_warn+0x89/0xb0
[ 85.630464][ T5337] ? dvb_frontend_release+0x40a/0x4d0
[ 85.632746][ T5337] end_report+0x73/0x170
[ 85.634598][ T5337] ? dvb_frontend_release+0x40a/0x4d0
[ 85.636920][ T5337] kasan_report+0x128/0x150
[ 85.638818][ T5337] ? dvb_frontend_release+0x40a/0x4d0
[ 85.640962][ T5337] dvb_frontend_release+0x40a/0x4d0
[ 85.643072][ T5337] ? __pfx_dvb_frontend_release+0x10/0x10
[ 85.645179][ T5337] __fput+0x44f/0xa60
[ 85.646905][ T5337] task_work_run+0x1d9/0x270
[ 85.648810][ T5337] ? __pfx_task_work_run+0x10/0x10
[ 85.651034][ T5337] ? do_raw_spin_unlock+0x4d/0x210
[ 85.653304][ T5337] do_exit+0x70f/0x22c0
[ 85.655153][ T5337] ? __kasan_slab_free+0x5c/0x80
[ 85.657524][ T5337] ? kmem_cache_free+0x182/0x650
[ 85.659666][ T5337] ? __pfx_do_exit+0x10/0x10
[ 85.661606][ T5337] ? do_raw_spin_lock+0x12b/0x2f0
[ 85.663719][ T5337] do_group_exit+0x21b/0x2d0
[ 85.665707][ T5337] ? _raw_spin_unlock_irq+0x23/0x50
[ 85.667975][ T5337] get_signal+0x1284/0x1330
[ 85.669906][ T5337] arch_do_signal_or_restart+0xbc/0x840
[ 85.672514][ T5337] ? __pfx_arch_do_signal_or_restart+0x10/0x10
[ 85.675884][ T5337] ? do_sys_openat2+0x14c/0x200
[ 85.678578][ T5337] exit_to_user_mode_loop+0xa9/0x680
[ 85.681305][ T5337] ? rcu_is_watching+0x15/0xb0
[ 85.683328][ T5337] ? entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.685914][ T5337] do_syscall_64+0x353/0x580
[ 85.687905][ T5337] ? trace_irq_disable+0x3b/0x140
[ 85.690069][ T5337] ? clear_bhb_loop+0x40/0x90
[ 85.692102][ T5337] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.694962][ T5337] RIP: 0033:0x7f0c5675d68e
[ 85.697138][ T5337] Code: Unable to access opcode bytes at 0x7f0c5675d664.
[ 85.700206][ T5337] RSP: 002b:00007f0c576cde88 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
[ 85.703823][ T5337] RAX: fffffffffffffffc RBX: 00007f0c576ce6c0 RCX: 00007f0c5675d68e
[ 85.707196][ T5337] RDX: 0000000000000002 RSI: 00007f0c576cdf50 RDI: ffffffffffffff9c
[ 85.710586][ T5337] RBP: 00007f0c56832d6f R08: 0000000000000000 R09: 0000000000000000
[ 85.713863][ T5337] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 85.717211][ T5337] R13: 00007f0c56a16128 R14: 00007f0c56a16090 R15: 00007ffc11b2a0c8
[ 85.720662][ T5337]
[ 85.722450][ T5337] Kernel Offset: disabled
[ 85.724541][ T5337] Rebooting in 86400 seconds..