program:
sendmsg$nl_route(0xffffffffffffffff, &(0x7f00000006c0)={0x0, 0x0, 0x0}, 0x0)
syz_init_net_socket$nl_generic(0x10, 0x3, 0x10)
syz_open_dev$dri(&(0x7f0000000000), 0xb, 0x0)
r0 = syz_open_dev$dri(&(0x7f0000000000), 0x2, 0x0)
ioctl$DRM_IOCTL_MODE_GETRESOURCES(r0, 0xc04064a0, &(0x7f0000000300)={0x0, &(0x7f0000000240)=[0x0], 0x0, 0x0, 0x0, 0x1})
ioctl$DRM_IOCTL_MODE_GETCRTC(r0, 0xc06864a1, &(0x7f00000000c0)={0x0, 0x0, r1, 0x0})
ioctl$DRM_IOCTL_MODE_DIRTYFB(r0, 0xc01864b1, &(0x7f0000000080)={r2, 0x2, 0x6, 0x0, &(0x7f0000000040)})
ioctl$DRM_IOCTL_MODE_PAGE_FLIP(r0, 0xc01864b0, &(0x7f0000000040)={r1, r2, 0x0, 0x0, 0x20})

[ 85.213222][ T5337] Bluetooth: hci0: command tx timeout
[ 85.304787][ T13] ==================================================================
[ 85.308048][ T13] BUG: KASAN: slab-use-after-free in drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 85.312009][ T13] Read of size 1 at addr ffff8880401a9809 by task kworker/u4:1/13
[ 85.315587][ T13]
[ 85.316681][ T13] CPU: 0 UID: 0 PID: 13 Comm: kworker/u4:1 Not tainted syzkaller #0 PREEMPT(full)
[ 85.316696][ T13] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
[ 85.316704][ T13] Workqueue: events_unbound commit_work
[ 85.316724][ T13] Call Trace:
[ 85.316731][ T13]
[ 85.316736][ T13] dump_stack_lvl+0x189/0x250
[ 85.316751][ T13] ? __kasan_check_byte+0x12/0x40
[ 85.316765][ T13] ? __pfx_dump_stack_lvl+0x10/0x10
[ 85.316777][ T13] ? lock_release+0x4b/0x3e0
[ 85.316792][ T13] ? __virt_addr_valid+0x4a5/0x5c0
[ 85.316807][ T13] print_report+0xca/0x240
[ 85.316817][ T13] ? drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 85.316830][ T13] kasan_report+0x118/0x150
[ 85.316841][ T13] ? preempt_schedule+0xae/0xc0
[ 85.316896][ T13] ? drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 85.316909][ T13] drm_atomic_helper_wait_for_vblanks+0x367/0x980
[ 85.316923][ T13] ? __pfx__raw_spin_unlock_irqrestore+0x10/0x10
[ 85.316937][ T13] ? __pfx_drm_atomic_helper_wait_for_vblanks+0x10/0x10
[ 85.316949][ T13] ? complete_all+0x11c/0x330
[ 85.316961][ T13] ? drm_atomic_helper_commit_hw_done+0x3da/0x410
[ 85.316976][ T13] drm_atomic_helper_commit_tail+0x302/0x520
[ 85.316990][ T13] commit_tail+0x29a/0x3a0
[ 85.317003][ T13] ? process_scheduled_works+0x9ef/0x17b0
[ 85.317013][ T13] process_scheduled_works+0xae1/0x17b0
[ 85.317028][ T13] ? __pfx_process_scheduled_works+0x10/0x10
[ 85.317041][ T13] worker_thread+0x8a0/0xda0
[ 85.317058][ T13] kthread+0x70e/0x8a0
[ 85.317070][ T13] ? __pfx_worker_thread+0x10/0x10
[ 85.317079][ T13] ? __pfx_kthread+0x10/0x10
[ 85.317091][ T13] ? _raw_spin_unlock_irq+0x23/0x50
[ 85.317103][ T13] ? lockdep_hardirqs_on+0x9c/0x150
[ 85.317117][ T13] ? __pfx_kthread+0x10/0x10
[ 85.317129][ T13] ret_from_fork+0x3fc/0x770
[ 85.317140][ T13] ? __pfx_ret_from_fork+0x10/0x10
[ 85.317152][ T13] ? __pfx_kthread+0x10/0x10
[ 85.317163][ T13] ret_from_fork_asm+0x1a/0x30
[ 85.317176][ T13]
[ 85.317179][ T13]
[ 85.401388][ T13] Allocated by task 5362:
[ 85.403111][ T13] kasan_save_track+0x3e/0x80
[ 85.405200][ T13] __kasan_kmalloc+0x93/0xb0
[ 85.407199][ T13] __kmalloc_cache_noprof+0x230/0x3d0
[ 85.409461][ T13] drm_atomic_helper_crtc_duplicate_state+0x72/0xb0
[ 85.412196][ T13] drm_atomic_get_crtc_state+0x19a/0x460
[ 85.414599][ T13] page_flip_common+0x56/0x2a0
[ 85.416625][ T13] drm_atomic_helper_page_flip+0xa5/0x160
[ 85.419006][ T13] drm_mode_page_flip_ioctl+0xc6d/0x11d0
[ 85.421339][ T13] drm_ioctl_kernel+0x2cf/0x390
[ 85.423371][ T13] drm_ioctl+0x67f/0xb10
[ 85.425139][ T13] __se_sys_ioctl+0xfc/0x170
[ 85.427058][ T13] do_syscall_64+0xfa/0x3b0
[ 85.428957][ T13] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.431485][ T13]
[ 85.432561][ T13] Freed by task 5361:
[ 85.434217][ T13] kasan_save_track+0x3e/0x80
[ 85.436272][ T13] kasan_save_free_info+0x46/0x50
[ 85.438462][ T13] __kasan_slab_free+0x5b/0x80
[ 85.440583][ T13] kfree+0x18e/0x440
[ 85.442336][ T13] drm_atomic_state_default_clear+0x41f/0xbe0
[ 85.444978][ T13] __drm_atomic_state_free+0xaf/0x210
[ 85.447337][ T13] drm_client_modeset_commit_atomic+0x6ac/0x760
[ 85.450024][ T13] drm_client_modeset_commit_locked+0xcb/0x4d0
[ 85.452706][ T13] drm_client_modeset_commit+0x4a/0x70
[ 85.455096][ T13] drm_fb_helper_lastclose+0xa4/0x1c0
[ 85.457338][ T13] drm_fbdev_client_restore+0x34/0x40
[ 85.459700][ T13] drm_client_dev_restore+0x13c/0x270
[ 85.461936][ T13] drm_release+0x318/0x3f0
[ 85.463766][ T13] __fput+0x449/0xa70
[ 85.465467][ T13] task_work_run+0x1d1/0x260
[ 85.467447][ T13] exit_to_user_mode_loop+0xec/0x110
[ 85.469709][ T13] do_syscall_64+0x2bd/0x3b0
[ 85.471710][ T13] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.474240][ T13]
[ 85.475259][ T13] The buggy address belongs to the object at ffff8880401a9800
[ 85.475259][ T13] which belongs to the cache kmalloc-512 of size 512
[ 85.481039][ T13] The buggy address is located 9 bytes inside of
[ 85.481039][ T13] freed 512-byte region [ffff8880401a9800, ffff8880401a9a00)
[ 85.486601][ T13]
[ 85.487638][ T13] The buggy address belongs to the physical page:
[ 85.490242][ T13] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x401a8
[ 85.493939][ T13] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 85.497555][ T13] flags: 0x4fff00000000040(head|node=1|zone=1|lastcpupid=0x7ff)
[ 85.500840][ T13] page_type: f5(slab)
[ 85.502592][ T13] raw: 04fff00000000040 ffff88801a441c80 dead000000000100 dead000000000122
[ 85.506288][ T13] raw: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 85.509897][ T13] head: 04fff00000000040 ffff88801a441c80 dead000000000100 dead000000000122
[ 85.513690][ T13] head: 0000000000000000 0000000000080008 00000000f5000000 0000000000000000
[ 85.517227][ T13] head: 04fff00000000001 ffffea0001006a01 00000000ffffffff 00000000ffffffff
[ 85.520683][ T13] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 85.524244][ T13] page dumped because: kasan: bad access detected
[ 85.527043][ T13] page_owner tracks the page as allocated
[ 85.529520][ T13] page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1360, tgid 1360 (kworker/0:3), ts 79806508287, free_ts 64294075929
[ 85.537904][ T13] post_alloc_hook+0x240/0x2a0
[ 85.539729][ T13] get_page_from_freelist+0x21e4/0x22c0
[ 85.542023][ T13] __alloc_frozen_pages_noprof+0x181/0x370
[ 85.544531][ T13] alloc_pages_mpol+0x232/0x4a0
[ 85.546777][ T13] allocate_slab+0x8a/0x370
[ 85.548761][ T13] ___slab_alloc+0xbeb/0x1420
[ 85.550908][ T13] __kmalloc_cache_noprof+0x296/0x3d0
[ 85.553068][ T13] drm_atomic_helper_setup_commit+0x1c9/0x1370
[ 85.555764][ T13] drm_atomic_helper_commit+0x6a/0xb10
[ 85.558073][ T13] drm_atomic_commit+0x262/0x2c0
[ 85.560126][ T13] drm_atomic_helper_dirtyfb+0xd7b/0xee0
[ 85.562354][ T13] drm_fbdev_shmem_helper_fb_dirty+0x160/0x2f0
[ 85.564708][ T13] drm_fb_helper_damage_work+0x224/0x710
[ 85.566967][ T13] process_scheduled_works+0xae1/0x17b0
[ 85.569220][ T13] worker_thread+0x8a0/0xda0
[ 85.571133][ T13] kthread+0x70e/0x8a0
[ 85.572936][ T13] page last free pid 5259 tgid 5259 stack trace:
[ 85.575649][ T13] __free_frozen_pages+0xbc4/0xd30
[ 85.577864][ T13] __put_partials+0x156/0x1a0
[ 85.579806][ T13] put_cpu_partial+0x17c/0x250
[ 85.581825][ T13] __slab_free+0x2d5/0x3c0
[ 85.583756][ T13] qlist_free_all+0x97/0x140
[ 85.585766][ T13] kasan_quarantine_reduce+0x148/0x160
[ 85.588071][ T13] __kasan_slab_alloc+0x22/0x80
[ 85.590048][ T13] kmem_cache_alloc_noprof+0x1c1/0x3c0
[ 85.592434][ T13] vm_area_alloc+0x24/0x140
[ 85.594418][ T13] mmap_region+0xdc7/0x20c0
[ 85.596463][ T13] do_mmap+0xc45/0x10d0
[ 85.598281][ T13] vm_mmap_pgoff+0x2a6/0x4d0
[ 85.600215][ T13] ksys_mmap_pgoff+0x51f/0x760
[ 85.601974][ T13] do_syscall_64+0xfa/0x3b0
[ 85.604124][ T13] entry_SYSCALL_64_after_hwframe+0x77/0x7f
[ 85.606689][ T13]
[ 85.607727][ T13] Memory state around the buggy address:
[ 85.610178][ T13] ffff8880401a9700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 85.613657][ T13] ffff8880401a9780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 85.617160][ T13] >ffff8880401a9800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.620689][ T13] ^
[ 85.622606][ T13] ffff8880401a9880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.625811][ T13] ffff8880401a9900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.628795][ T13] ==================================================================
[ 85.632308][ C0] vkms_vblank_simulate: vblank timer overrun