rc rc0: IR event FIFO is full!
rc rc0: IR event FIFO is full!
rc rc0: IR event FIFO is full!
rc rc0: IR event FIFO is full!
==================================================================
BUG: KASAN: slab-use-after-free in ir_raw_event_store_with_filter+0x4f9/0x590 drivers/media/rc/rc-ir-raw.c:178
Read of size 4 at addr ffff88810bb3d0d8 by task udevd/9449

CPU: 1 PID: 9449 Comm: udevd Not tainted 6.5.0-rc3-syzkaller-00067-gba0b3af70630 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2023
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd9/0x1b0 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:364 [inline]
 print_report+0xc4/0x620 mm/kasan/report.c:475
 kasan_report+0xda/0x110 mm/kasan/report.c:588
 ir_raw_event_store_with_filter+0x4f9/0x590 drivers/media/rc/rc-ir-raw.c:178
 sz_push+0x97/0x1d0 drivers/media/rc/streamzap.c:104
 sz_push_full_pulse drivers/media/rc/streamzap.c:115 [inline]
 sz_push_half_pulse drivers/media/rc/streamzap.c:121 [inline]
 streamzap_callback+0x536/0x7e0 drivers/media/rc/streamzap.c:189
 __usb_hcd_giveback_urb+0x359/0x5c0 drivers/usb/core/hcd.c:1671
 usb_hcd_giveback_urb+0x389/0x430 drivers/usb/core/hcd.c:1754
 dummy_timer+0x1415/0x35f0 drivers/usb/gadget/udc/dummy_hcd.c:1987
 call_timer_fn+0x1a0/0x580 kernel/time/timer.c:1700
 expire_timers kernel/time/timer.c:1751 [inline]
 __run_timers+0x764/0xb10 kernel/time/timer.c:2022
 run_timer_softirq+0x58/0xd0 kernel/time/timer.c:2035
 __do_softirq+0x20b/0x94e kernel/softirq.c:553
 invoke_softirq kernel/softirq.c:427 [inline]
 __irq_exit_rcu kernel/softirq.c:632 [inline]
 irq_exit_rcu+0xa7/0x110 kernel/softirq.c:644
 sysvec_apic_timer_interrupt+0x8e/0xb0 arch/x86/kernel/apic/apic.c:1109
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:645
RIP: 0010:stack_trace_consume_entry+0x96/0x160 kernel/stacktrace.c:89
Code: 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 90 00 00 00 8b 43 0c <85> c0 75 53 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 80
RSP: 0018:ffffc9000278f5e0 EFLAGS: 00000246
RAX: 0000000000000000 RBX: ffffc9000278f6c0 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff819dfb80 RDI: ffffc9000278f6cc
RBP: 000000000000000a R08: ffffc9000278f634 R09: ffffffff898d8a62
R10: ffffc9000278f600 R11: 0000000000009df3 R12: ffffffff813a4fb0
R13: ffffc9000278f6c0 R14: 0000000000000000 R15: ffff88811ba53a00
 arch_stack_walk+0x7f/0xf0 arch/x86/kernel/stacktrace.c:27
 stack_trace_save+0x96/0xd0 kernel/stacktrace.c:122
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x87/0x90 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:196 [inline]
 __do_kmalloc_node mm/slab_common.c:985 [inline]
 __kmalloc+0x5d/0x100 mm/slab_common.c:998
 kmalloc include/linux/slab.h:586 [inline]
 kzalloc include/linux/slab.h:703 [inline]
 tomoyo_encode2+0x100/0x3d0 security/tomoyo/realpath.c:45
 tomoyo_encode+0x29/0x50 security/tomoyo/realpath.c:80
 tomoyo_realpath_from_path+0x196/0x710 security/tomoyo/realpath.c:283
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x271/0x450 security/tomoyo/file.c:822
 security_inode_getattr+0xf1/0x150 security/security.c:2114
 vfs_getattr fs/stat.c:167 [inline]
 vfs_statx+0x180/0x430 fs/stat.c:242
 vfs_fstatat+0x90/0xb0 fs/stat.c:276
 __do_sys_newfstatat+0x98/0x110 fs/stat.c:446
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f788b8105f4
Code: 64 c7 00 09 00 00 00 83 c8 ff c3 48 89 f2 b9 00 01 00 00 48 89 fe bf 9c ff ff ff e9 00 00 00 00 41 89 ca b8 06 01 00 00 0f 05 <45> 31 c0 3d 00 f0 ff ff 76 10 48 8b 15 03 a8 0d 00 f7 d8 41 83 c8
RSP: 002b:00007ffe632e3488 EFLAGS: 00000202 ORIG_RAX: 0000000000000106
RAX: ffffffffffffffda RBX: 000055b9c0bc7550 RCX: 00007f788b8105f4
RDX: 00007ffe632e3498 RSI: 00007ffe632e3528 RDI: 00000000ffffff9c
RBP: 000055b9bfdc0df3 R08: 000055b9bfdc0df3 R09: 0000000000000000
R10: 0000000000000100 R11: 0000000000000202 R12: 0000000000000000
R13: 000055b9c0bc7640 R14: 00007ffe632e3528 R15: 000055b9bfdc0a04
 </TASK>

Allocated by task 5505:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0x87/0x90 mm/kasan/common.c:383
 kmalloc include/linux/slab.h:582 [inline]
 kzalloc include/linux/slab.h:703 [inline]
 ir_raw_event_prepare+0x5a/0x320 drivers/media/rc/rc-ir-raw.c:617
 rc_register_device+0x1517/0x1bd0 drivers/media/rc/rc-main.c:1921
 streamzap_init_rc_dev drivers/media/rc/streamzap.c:249 [inline]
 streamzap_probe+0x805/0x1090 drivers/media/rc/streamzap.c:331
 usb_probe_interface+0x307/0x930 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:798
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:828
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:956
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1028
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3625
 usb_set_configuration+0x10cb/0x1c40 drivers/usb/core/message.c:2212
 usb_generic_driver_probe+0xca/0x130 drivers/usb/core/generic.c:238
 usb_probe_device+0xda/0x2c0 drivers/usb/core/driver.c:293
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x234/0xc90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x4b0 drivers/base/dd.c:798
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:828
 __device_attach_driver+0x1d4/0x300 drivers/base/dd.c:956
 bus_for_each_drv+0x157/0x1d0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1028
 bus_probe_device+0x17c/0x1c0 drivers/base/bus.c:532
 device_add+0x11f1/0x1b40 drivers/base/core.c:3625
 usb_new_device+0xd80/0x1960 drivers/usb/core/hub.c:2613
 hub_port_connect drivers/usb/core/hub.c:5445 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5589 [inline]
 port_event drivers/usb/core/hub.c:5749 [inline]
 hub_event+0x30fd/0x5330 drivers/usb/core/hub.c:5831
 process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597
 worker_thread+0x687/0x1110 kernel/workqueue.c:2748
 kthread+0x33a/0x430 kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:296

Freed by task 9:
 kasan_save_stack+0x33/0x50 mm/kasan/common.c:45
 kasan_set_track+0x25/0x30 mm/kasan/common.c:52
 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:522
 ____kasan_slab_free mm/kasan/common.c:236 [inline]
 ____kasan_slab_free+0x13f/0x190 mm/kasan/common.c:200
 kasan_slab_free include/linux/kasan.h:162 [inline]
 slab_free_hook mm/slub.c:1792 [inline]
 slab_free_freelist_hook mm/slub.c:1818 [inline]
 slab_free mm/slub.c:3801 [inline]
 __kmem_cache_free+0xff/0x340 mm/slub.c:3814
 ir_raw_event_free drivers/media/rc/rc-ir-raw.c:653 [inline]
 ir_raw_event_free drivers/media/rc/rc-ir-raw.c:648 [inline]
 ir_raw_event_unregister+0x2e3/0x400 drivers/media/rc/rc-ir-raw.c:676
 rc_unregister_device+0x35c/0x410 drivers/media/rc/rc-main.c:2022
 streamzap_disconnect+0xa6/0x1f0 drivers/media/rc/streamzap.c:388
 usb_unbind_interface+0x1dd/0x8d0 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:569 [inline]
 device_remove+0x11f/0x170 drivers/base/dd.c:561
 __device_release_driver drivers/base/dd.c:1270 [inline]
 device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1293
 bus_remove_device+0x22c/0x420 drivers/base/bus.c:574
 device_del+0x39a/0xa40 drivers/base/core.c:3814
 usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1421
 usb_disconnect+0x2e1/0x890 drivers/usb/core/hub.c:2276
 hub_port_connect drivers/usb/core/hub.c:5284 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5589 [inline]
 port_event drivers/usb/core/hub.c:5749 [inline]
 hub_event+0x2221/0x5330 drivers/usb/core/hub.c:5831
 process_one_work+0xaa2/0x16f0 kernel/workqueue.c:2597
 worker_thread+0x687/0x1110 kernel/workqueue.c:2748
 kthread+0x33a/0x430 kernel/kthread.c:389
 ret_from_fork+0x2c/0x70 arch/x86/kernel/process.c:145
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:296

The buggy address belongs to the object at ffff88810bb3c000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 4312 bytes inside of
 freed 8192-byte region [ffff88810bb3c000, ffff88810bb3e000)

The buggy address belongs to the physical page:
page:ffffea00042ece00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10bb38
head:ffffea00042ece00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x200000000010200(slab|head|node=0|zone=2)
page_type: 0xffffffff()
raw: 0200000000010200 ffff888100042280 ffffea00047d9000 dead000000000002
raw: 0000000000000000 0000000080020002 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 9401092942, free_ts 0
 set_page_owner include/linux/page_owner.h:31 [inline]
 post_alloc_hook+0x2d2/0x350 mm/page_alloc.c:1570
 prep_new_page mm/page_alloc.c:1577 [inline]
 get_page_from_freelist+0x10e1/0x2fd0 mm/page_alloc.c:3221
 __alloc_pages+0x1d0/0x4a0 mm/page_alloc.c:4477
 alloc_page_interleave+0x1e/0x230 mm/mempolicy.c:2112
 alloc_pages+0x22a/0x270 mm/mempolicy.c:2274
 alloc_slab_page mm/slub.c:1862 [inline]
 allocate_slab+0x24e/0x380 mm/slub.c:2009
 new_slab mm/slub.c:2062 [inline]
 ___slab_alloc+0x8bc/0x1570 mm/slub.c:3215
 __slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3314
 __slab_alloc_node mm/slub.c:3367 [inline]
 slab_alloc_node mm/slub.c:3460 [inline]
 __kmem_cache_alloc_node+0x132/0x310 mm/slub.c:3509
 __do_kmalloc_node mm/slab_common.c:984 [inline]
 __kmalloc+0x4c/0x100 mm/slab_common.c:998
 kmalloc_array include/linux/slab.h:619 [inline]
 kcalloc include/linux/slab.h:650 [inline]
 cache_create_net+0xa0/0x220 net/sunrpc/cache.c:1749
 rsc_cache_create_net net/sunrpc/auth_gss/svcauth_gss.c:2065 [inline]
 gss_svc_init_net+0x69/0x660 net/sunrpc/auth_gss/svcauth_gss.c:2093
 ops_init+0xb9/0x650 net/core/net_namespace.c:136
 __register_pernet_operations net/core/net_namespace.c:1165 [inline]
 register_pernet_operations+0x34b/0x820 net/core/net_namespace.c:1234
 register_pernet_subsys+0x28/0x40 net/core/net_namespace.c:1275
 init_rpcsec_gss+0x58/0xb0 net/sunrpc/auth_gss/auth_gss.c:2261
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88810bb3cf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810bb3d000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88810bb3d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                    ^
 ffff88810bb3d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88810bb3d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess), 6 bytes skipped:
   0:	df 48 89             	fisttps -0x77(%rax)
   3:	fa                   	cli
   4:	48 c1 ea 03          	shr    $0x3,%rdx
   8:	0f b6 14 02          	movzbl (%rdx,%rax,1),%edx
   c:	48 89 f8             	mov    %rdi,%rax
   f:	83 e0 07             	and    $0x7,%eax
  12:	83 c0 03             	add    $0x3,%eax
  15:	38 d0                	cmp    %dl,%al
  17:	7c 08                	jl     0x21
  19:	84 d2                	test   %dl,%dl
  1b:	0f 85 90 00 00 00    	jne    0xb1
  21:	8b 43 0c             	mov    0xc(%rbx),%eax
* 24:	85 c0                	test   %eax,%eax <-- trapping instruction
  26:	75 53                	jne    0x7b
  28:	48 b8 00 00 00 00 00 	movabs $0xdffffc0000000000,%rax
  2f:	fc ff df
  32:	48 89 da             	mov    %rbx,%rdx
  35:	48 c1 ea 03          	shr    $0x3,%rdx
  39:	80                   	.byte 0x80