program:
r0 = syz_open_dev$vim2m(&(0x7f0000000000), 0x0, 0x2)
ioctl$vim2m_VIDIOC_REQBUFS(r0, 0xc0145608, &(0x7f00000000c0)={0x10002, 0x1, 0x1})
r1 = gettid()
openat$vimc0(0xffffffffffffff9c, &(0x7f0000000080), 0x2, 0x0)
timer_create(0x7, &(0x7f0000533fa0)={0x0, 0x21, 0x800000000004, @tid=r1}, &(0x7f0000bbdffc)=<r2=>0x0)
r3 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r4 = syz_genetlink_get_family_id$nbd(&(0x7f0000000240), 0xffffffffffffffff)
socketpair$nbd(0x1, 0x1, 0x0, &(0x7f0000000280)={<r5=>0xffffffffffffffff})
fanotify_init(0x200, 0x0)
setxattr$trusted_overlay_upper(0x0, 0x0, 0x0, 0x835, 0x0)
setxattr$trusted_overlay_upper(0x0, 0x0, 0x0, 0x835, 0x0)
bpf$PROG_LOAD(0x5, 0x0, 0x0)
syz_emit_vhci(&(0x7f0000000140)=ANY=[@ANYBLOB="040e0109220c"], 0x7)
socket$nl_route(0x10, 0x3, 0x0)
sendmsg$NBD_CMD_CONNECT(r3, &(0x7f00000003c0)={0x0, 0x0, &(0x7f0000000380)={&(0x7f0000000300)={0x30, r4, 0x1, 0x70bd25, 0x25dfdbfd, {}, [@NBD_ATTR_SOCKETS={0x10, 0x7, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, {0x8, 0x1, r5}}]}, @NBD_ATTR_SIZE_BYTES={0xc, 0x2, 0x5}]}, 0x30}, 0x1, 0x0, 0x0, 0x4010}, 0x40040)
r6 = syz_open_dev$ndb(&(0x7f0000000200), 0x0, 0x80000)
ioctl$NBD_CLEAR_SOCK(r6, 0xab04)
r7 = syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
r8 = syz_genetlink_get_family_id$nbd(&(0x7f0000000040), 0xffffffffffffffff)
sendmsg$NBD_CMD_RECONFIGURE(r7, &(0x7f00000002c0)={0x0, 0x0, &(0x7f0000000140)={&(0x7f0000000400)={0x2c, r8, 0x981, 0xfffffffe, 0x0, {}, [@NBD_ATTR_INDEX={0x8, 0x1, 0x0}, @NBD_ATTR_SOCKETS={0x10, 0x7, 0x0, 0x1, [{0xc, 0x1, 0x0, 0x1, {0x8, 0x1, r5}}]}]}, 0x2c}, 0x1, 0x0, 0x0, 0x2008810}, 0x0)
timer_settime(r2, 0x0, &(0x7f0000000340)={{0x0, 0x989680}, {0x0, 0x989680}}, 0x0)
openat(0xffffffffffffff9c, &(0x7f0000000080)='./file0\x00', 0x441, 0x0)
[ 75.184685][ T5302] Bluetooth: hci0: command tx timeout [ 75.459341][ T5327] block nbd0: shutting down sockets [ 76.136131][ T5302] ================================================================== [ 76.139705][ T5302] BUG: KASAN: 
slab-use-after-free in recv_work+0x1b1a/0x1c10 [ 76.142976][ T5302] Write of size 4 at addr ffff88803dc6b078 by task kworker/u5:2/5302 [ 76.146309][ T5302] [ 76.147308][ T5302] CPU: 0 UID: 0 PID: 5302 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 76.147322][ T5302] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.147331][ T5302] Workqueue: nbd0-recv recv_work [ 76.147346][ T5302] Call Trace: [ 76.147355][ T5302] [ 76.147360][ T5302] dump_stack_lvl+0x189/0x250 [ 76.147376][ T5302] ? rcu_is_watching+0x15/0xb0 [ 76.147388][ T5302] ? __kasan_check_byte+0x12/0x40 [ 76.147402][ T5302] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.147414][ T5302] ? rcu_is_watching+0x15/0xb0 [ 76.147425][ T5302] ? lock_release+0x4b/0x3e0 [ 76.147435][ T5302] ? __virt_addr_valid+0x1c8/0x5c0 [ 76.147449][ T5302] ? __virt_addr_valid+0x4a5/0x5c0 [ 76.147462][ T5302] print_report+0xca/0x240 [ 76.147475][ T5302] ? recv_work+0x1b1a/0x1c10 [ 76.147483][ T5302] kasan_report+0x118/0x150 [ 76.147497][ T5302] ? recv_work+0x1b1a/0x1c10 [ 76.147508][ T5302] kasan_check_range+0x2b0/0x2c0 [ 76.147522][ T5302] recv_work+0x1b1a/0x1c10 [ 76.147532][ T5302] ? lockdep_unlock+0x89/0x120 [ 76.147550][ T5302] ? __pfx_recv_work+0x10/0x10 [ 76.147560][ T5302] ? __lock_acquire+0xab9/0xd20 [ 76.147573][ T5302] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.147631][ T5302] ? process_scheduled_works+0x9ef/0x17b0 [ 76.147643][ T5302] ? process_scheduled_works+0x9ef/0x17b0 [ 76.147654][ T5302] process_scheduled_works+0xae1/0x17b0 [ 76.147670][ T5302] ? __pfx_process_scheduled_works+0x10/0x10 [ 76.147692][ T5302] worker_thread+0x8a0/0xda0 [ 76.147703][ T5302] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 76.147717][ T5302] ? __kthread_parkme+0x7b/0x200 [ 76.147731][ T5302] kthread+0x711/0x8a0 [ 76.147746][ T5302] ? __pfx_worker_thread+0x10/0x10 [ 76.147757][ T5302] ? __pfx_kthread+0x10/0x10 [ 76.147770][ T5302] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.147782][ T5302] ? 
lockdep_hardirqs_on+0x9c/0x150 [ 76.147794][ T5302] ? __pfx_kthread+0x10/0x10 [ 76.147807][ T5302] ret_from_fork+0x4bc/0x870 [ 76.147819][ T5302] ? __pfx_ret_from_fork+0x10/0x10 [ 76.147831][ T5302] ? __pfx_kthread+0x10/0x10 [ 76.147843][ T5302] ret_from_fork_asm+0x1a/0x30 [ 76.147856][ T5302] [ 76.147860][ T5302] [ 76.241557][ T5302] Allocated by task 5326: [ 76.243369][ T5302] kasan_save_track+0x3e/0x80 [ 76.245376][ T5302] __kasan_kmalloc+0x93/0xb0 [ 76.247237][ T5302] __kmalloc_cache_noprof+0x3d5/0x6f0 [ 76.249653][ T5302] nbd_alloc_and_init_config+0x88/0x260 [ 76.252134][ T5302] nbd_genl_connect+0x9d7/0x18f0 [ 76.254349][ T5302] genl_family_rcv_msg_doit+0x215/0x300 [ 76.256282][ T5302] genl_rcv_msg+0x60e/0x790 [ 76.257864][ T5302] netlink_rcv_skb+0x208/0x470 [ 76.259390][ T5302] genl_rcv+0x28/0x40 [ 76.260635][ T5302] netlink_unicast+0x82f/0x9e0 [ 76.262145][ T5302] netlink_sendmsg+0x805/0xb30 [ 76.263673][ T5302] __sock_sendmsg+0x21c/0x270 [ 76.265694][ T5302] ____sys_sendmsg+0x505/0x830 [ 76.267728][ T5302] ___sys_sendmsg+0x21f/0x2a0 [ 76.269752][ T5302] __x64_sys_sendmsg+0x19b/0x260 [ 76.271974][ T5302] do_syscall_64+0xfa/0xfa0 [ 76.274002][ T5302] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 76.276351][ T5302] [ 76.277363][ T5302] Freed by task 5302: [ 76.279138][ T5302] kasan_save_track+0x3e/0x80 [ 76.281430][ T5302] __kasan_save_free_info+0x46/0x50 [ 76.283596][ T5302] __kasan_slab_free+0x5c/0x80 [ 76.285471][ T5302] kfree+0x19a/0x6d0 [ 76.287117][ T5302] nbd_config_put+0x642/0x790 [ 76.289181][ T5302] recv_work+0x1b04/0x1c10 [ 76.291058][ T5302] process_scheduled_works+0xae1/0x17b0 [ 76.293268][ T5302] worker_thread+0x8a0/0xda0 [ 76.295198][ T5302] kthread+0x711/0x8a0 [ 76.296944][ T5302] ret_from_fork+0x4bc/0x870 [ 76.298926][ T5302] ret_from_fork_asm+0x1a/0x30 [ 76.300893][ T5302] [ 76.301890][ T5302] The buggy address belongs to the object at ffff88803dc6b000 [ 76.301890][ T5302] which belongs to the cache kmalloc-256 of size 256 [ 76.307719][ T5302] 
The buggy address is located 120 bytes inside of [ 76.307719][ T5302] freed 256-byte region [ffff88803dc6b000, ffff88803dc6b100) [ 76.313416][ T5302] [ 76.314468][ T5302] The buggy address belongs to the physical page: [ 76.317181][ T5302] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88803dc6bc00 pfn:0x3dc6b [ 76.321520][ T5302] flags: 0x4fff00000000200(workingset|node=1|zone=1|lastcpupid=0x7ff) [ 76.325045][ T5302] page_type: f5(slab) [ 76.326831][ T5302] raw: 04fff00000000200 ffff88801a041b40 ffffea0000d42a10 ffff888030400708 [ 76.330389][ T5302] raw: ffff88803dc6bc00 0000000000080006 00000000f5000000 0000000000000000 [ 76.333882][ T5302] page dumped because: kasan: bad access detected [ 76.336646][ T5302] page_owner tracks the page as allocated [ 76.339073][ T5302] page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 21533481260, free_ts 0 [ 76.346476][ T5302] post_alloc_hook+0x234/0x290 [ 76.348596][ T5302] get_page_from_freelist+0x2365/0x2440 [ 76.351010][ T5302] __alloc_frozen_pages_noprof+0x181/0x370 [ 76.353557][ T5302] alloc_pages_mpol+0x232/0x4a0 [ 76.355799][ T5302] allocate_slab+0x96/0x350 [ 76.357879][ T5302] ___slab_alloc+0xf56/0x1990 [ 76.360030][ T5302] __slab_alloc+0x65/0x100 [ 76.362081][ T5302] __kvmalloc_node_noprof+0x6ba/0x910 [ 76.364550][ T5302] v4l2_ctrl_new+0x9d5/0x1790 [ 76.366673][ T5302] v4l2_ctrl_new_custom+0x57c/0x7b0 [ 76.368924][ T5302] vivid_create_controls+0x50b/0x3a60 [ 76.371295][ T5302] vivid_probe+0x41bf/0x7180 [ 76.373378][ T5302] platform_probe+0xf9/0x190 [ 76.375464][ T5302] really_probe+0x26d/0x9e0 [ 76.377416][ T5302] __driver_probe_device+0x18c/0x2f0 [ 76.379770][ T5302] driver_probe_device+0x4f/0x430 [ 76.381860][ T5302] page_owner free stack trace missing [ 76.384052][ T5302] [ 76.385056][ T5302] Memory state around the buggy address: [ 76.387483][ T5302] ffff88803dc6af00: fb fb fb fb fb fb fb fb fb 
fb fb fb fb fc fc fc [ 76.390882][ T5302] ffff88803dc6af80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.394251][ T5302] >ffff88803dc6b000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.397607][ T5302] ^ [ 76.401009][ T5302] ffff88803dc6b080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 76.404321][ T5302] ffff88803dc6b100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 76.407849][ T5302] ================================================================== [ 76.488922][ T5302] Kernel panic - not syncing: KASAN: panic_on_warn set ... [ 76.492072][ T5302] CPU: 0 UID: 0 PID: 5302 Comm: kworker/u5:2 Not tainted syzkaller #0 PREEMPT(full) [ 76.495981][ T5302] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 [ 76.500416][ T5302] Workqueue: nbd0-recv recv_work [ 76.502742][ T5302] Call Trace: [ 76.504173][ T5302] [ 76.505530][ T5302] dump_stack_lvl+0x99/0x250 [ 76.507572][ T5302] ? __asan_memcpy+0x40/0x70 [ 76.509590][ T5302] ? __pfx_dump_stack_lvl+0x10/0x10 [ 76.511869][ T5302] ? __pfx__printk+0x10/0x10 [ 76.513839][ T5302] vpanic+0x237/0x6d0 [ 76.515600][ T5302] ? __pfx_vpanic+0x10/0x10 [ 76.517600][ T5302] ? preempt_schedule+0xae/0xc0 [ 76.519737][ T5302] ? __pfx_preempt_schedule+0x10/0x10 [ 76.522059][ T5302] panic+0xb9/0xc0 [ 76.523672][ T5302] ? __pfx_panic+0x10/0x10 [ 76.525637][ T5302] ? _raw_spin_unlock_irqrestore+0xfd/0x110 [ 76.528210][ T5302] ? recv_work+0x1b1a/0x1c10 [ 76.530233][ T5302] check_panic_on_warn+0x89/0xb0 [ 76.532408][ T5302] ? recv_work+0x1b1a/0x1c10 [ 76.534437][ T5302] end_report+0x78/0x160 [ 76.536254][ T5302] kasan_report+0x129/0x150 [ 76.538181][ T5302] ? recv_work+0x1b1a/0x1c10 [ 76.540155][ T5302] kasan_check_range+0x2b0/0x2c0 [ 76.542275][ T5302] recv_work+0x1b1a/0x1c10 [ 76.544136][ T5302] ? lockdep_unlock+0x89/0x120 [ 76.546194][ T5302] ? __pfx_recv_work+0x10/0x10 [ 76.548169][ T5302] ? __lock_acquire+0xab9/0xd20 [ 76.550281][ T5302] ? 
_raw_spin_unlock_irq+0x23/0x50 [ 76.552566][ T5302] ? process_scheduled_works+0x9ef/0x17b0 [ 76.555082][ T5302] ? process_scheduled_works+0x9ef/0x17b0 [ 76.557570][ T5302] process_scheduled_works+0xae1/0x17b0 [ 76.560005][ T5302] ? __pfx_process_scheduled_works+0x10/0x10 [ 76.562570][ T5302] worker_thread+0x8a0/0xda0 [ 76.564591][ T5302] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10 [ 76.567708][ T5302] ? __kthread_parkme+0x7b/0x200 [ 76.570229][ T5302] kthread+0x711/0x8a0 [ 76.572235][ T5302] ? __pfx_worker_thread+0x10/0x10 [ 76.574609][ T5302] ? __pfx_kthread+0x10/0x10 [ 76.576563][ T5302] ? _raw_spin_unlock_irq+0x23/0x50 [ 76.578747][ T5302] ? lockdep_hardirqs_on+0x9c/0x150 [ 76.580945][ T5302] ? __pfx_kthread+0x10/0x10 [ 76.583000][ T5302] ret_from_fork+0x4bc/0x870 [ 76.585130][ T5302] ? __pfx_ret_from_fork+0x10/0x10 [ 76.587248][ T5302] ? __pfx_kthread+0x10/0x10 [ 76.589184][ T5302] ret_from_fork_asm+0x1a/0x30 [ 76.591239][ T5302] [ 76.592907][ T5302] Kernel Offset: disabled [ 76.594652][ T5302] Rebooting in 86400 seconds..