==================================================================
BUG: KASAN: slab-use-after-free in dvb_device_open+0xd4/0x370 drivers/media/dvb-core/dvbdev.c:99
Read of size 8 at addr ffff0000d1253818 by task syz.4.21/6774

CPU: 0 UID: 0 PID: 6774 Comm: syz.4.21 Not tainted syzkaller #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 dvb_device_open+0xd4/0x370 drivers/media/dvb-core/dvbdev.c:99
 chrdev_open+0x1b0/0x4b0 fs/char_dev.c:414
 do_dentry_open+0x68c/0x1154 fs/open.c:962
 vfs_open+0x44/0x2d4 fs/open.c:1094
 do_open fs/namei.c:4628 [inline]
 path_openat+0x2890/0x3114 fs/namei.c:4787
 do_filp_open+0x18c/0x36c fs/namei.c:4814
 do_sys_openat2+0x11c/0x1f0 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __arm64_sys_openat+0x120/0x158 fs/open.c:1447
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

Allocated by task 1:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:78
 kasan_save_alloc_info+0x44/0x54 mm/kasan/generic.c:570
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x9c/0xb4 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x3b8/0x698 mm/slub.c:5776
 kmalloc_noprof include/linux/slab.h:957 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 dvb_register_device+0x1a0/0x17d4 drivers/media/dvb-core/dvbdev.c:475
 dvb_register_frontend+0x47c/0x708 drivers/media/dvb-core/dvb_frontend.c:3051
 vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
 vidtv_bridge_probe+0x968/0xde8 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
 platform_probe+0xfc/0x198 drivers/base/platform.c:1446
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x3b4/0xa00 drivers/base/dd.c:659
 __driver_probe_device+0x180/0x2f8 drivers/base/dd.c:801
 driver_probe_device+0x6c/0x1a4 drivers/base/dd.c:831
 __driver_attach+0x2d4/0x564 drivers/base/dd.c:1225
 bus_for_each_dev+0x204/0x290 drivers/base/bus.c:383
 driver_attach+0x4c/0x5c drivers/base/dd.c:1243
 bus_add_driver+0x2e4/0x5ec drivers/base/bus.c:715
 driver_register+0x220/0x30c drivers/base/driver.c:249
 __platform_driver_register+0x6c/0x80 drivers/base/platform.c:908
 vidtv_bridge_init+0x34/0x5c drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
 do_one_initcall+0x248/0x9b4 init/main.c:1378
 do_initcall_level+0x128/0x1c4 init/main.c:1440
 do_initcalls+0x70/0xd0 init/main.c:1456
 do_basic_setup+0x78/0x8c init/main.c:1475
 kernel_init_freeable+0x268/0x39c init/main.c:1688
 kernel_init+0x24/0x1dc init/main.c:1578
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

Freed by task 6764:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x40/0x78 mm/kasan/common.c:78
 kasan_save_free_info+0x58/0x70 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x74/0xa4 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6670 [inline]
 kfree+0x1c4/0x5fc mm/slub.c:6878
 dvb_free_device drivers/media/dvb-core/dvbdev.c:619 [inline]
 kref_put include/linux/kref.h:65 [inline]
 dvb_device_put drivers/media/dvb-core/dvbdev.c:632 [inline]
 dvb_device_open+0x2bc/0x370 drivers/media/dvb-core/dvbdev.c:113
 chrdev_open+0x1b0/0x4b0 fs/char_dev.c:414
 do_dentry_open+0x68c/0x1154 fs/open.c:962
 vfs_open+0x44/0x2d4 fs/open.c:1094
 do_open fs/namei.c:4628 [inline]
 path_openat+0x2890/0x3114 fs/namei.c:4787
 do_filp_open+0x18c/0x36c fs/namei.c:4814
 do_sys_openat2+0x11c/0x1f0 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __arm64_sys_openat+0x120/0x158 fs/open.c:1447
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596

The buggy address belongs to the object at ffff0000d1253800
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 24 bytes inside of
 freed 256-byte region [ffff0000d1253800, ffff0000d1253900)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x111252
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 05ffc00000000040 ffff0000c0001b40 fffffdffc3449d80 dead000000000006
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 05ffc00000000040 ffff0000c0001b40 fffffdffc3449d80 dead000000000006
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 05ffc00000000001 fffffdffc3449481 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000d1253700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff0000d1253780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff0000d1253800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000d1253880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000d1253900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
------------[ cut here ]------------
refcount_t: addition on 0; use-after-free.
WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25, CPU#1: syz.4.21/6774
Modules linked in:
CPU: 1 UID: 0 PID: 6774 Comm: syz.4.21 Tainted: G B syzkaller #0 PREEMPT
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/03/2025
pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
pc : refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
lr : refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25
sp : ffff8000a40575a0
x29: ffff8000a40575a0 x28: ffff0000cfbcd008 x27: 1ffff0001480aec4
x26: dfff800000000000 x25: 1fffe00019f79a01 x24: 0000000000000000
x23: ffff0000d04e7c00 x22: ffff0000d1253810 x21: ffff0000d05c3540
x20: ffff0000d1253810 x19: ffff800092e87000 x18: 1fffe00033781890
x17: ffff80008f86e000 x16: ffff800082e5e68c x15: 0000000000000001
x14: 1ffff0001480adec x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000080000 x10: 0000000000016aee x9 : 73b20ce386479c00
x8 : 73b20ce386479c00 x7 : 0000000000000001 x6 : ffff8000805761f8
x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000002
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
 refcount_warn_saturate+0x134/0x1f8 lib/refcount.c:25 (P)
 __refcount_add include/linux/refcount.h:-1 [inline]
 __refcount_inc include/linux/refcount.h:366 [inline]
 refcount_inc include/linux/refcount.h:383 [inline]
 kref_get include/linux/kref.h:45 [inline]
 dvb_device_get drivers/media/dvb-core/dvbdev.c:624 [inline]
 dvb_device_open+0x308/0x370 drivers/media/dvb-core/dvbdev.c:106
 chrdev_open+0x1b0/0x4b0 fs/char_dev.c:414
 do_dentry_open+0x68c/0x1154 fs/open.c:962
 vfs_open+0x44/0x2d4 fs/open.c:1094
 do_open fs/namei.c:4628 [inline]
 path_openat+0x2890/0x3114 fs/namei.c:4787
 do_filp_open+0x18c/0x36c fs/namei.c:4814
 do_sys_openat2+0x11c/0x1f0 fs/open.c:1430
 do_sys_open fs/open.c:1436 [inline]
 __do_sys_openat fs/open.c:1452 [inline]
 __se_sys_openat fs/open.c:1447 [inline]
 __arm64_sys_openat+0x120/0x158 fs/open.c:1447
 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
 invoke_syscall+0x98/0x254 arch/arm64/kernel/syscall.c:49
 el0_svc_common+0xe8/0x23c arch/arm64/kernel/syscall.c:132
 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
 el0_svc+0x5c/0x26c arch/arm64/kernel/entry-common.c:724
 el0t_64_sync_handler+0x84/0x12c arch/arm64/kernel/entry-common.c:743
 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:596
irq event stamp: 101
hardirqs last enabled at (101): [] raw_spin_rq_unlock_irq kernel/sched/sched.h:1570 [inline]
hardirqs last enabled at (101): [] finish_lock_switch+0xb0/0x1c0 kernel/sched/core.c:4995
hardirqs last disabled at (100): [] __schedule+0x2f8/0x2a7c kernel/sched/core.c:6747
softirqs last enabled at (74): [] local_bh_enable+0x10/0x34 include/linux/bottom_half.h:32
softirqs last disabled at (72): [] local_bh_disable+0x10/0x34 include/linux/bottom_half.h:19
---[ end trace 0000000000000000 ]---
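What the two stacks above record, in order: the dvb_device was allocated by dvb_register_device() (task 1), its last reference was dropped by dvb_device_put() inside one open() (task 6764, dvbdev.c:113) while the device stayed reachable, and the next open() (task 6774) first read the freed object (dvbdev.c:99, the KASAN report) and then called kref_get() on a zeroed count (dvbdev.c:106, the "addition on 0; use-after-free" warning). The following is an added, user-space model of that sequence written for this page; it is not dvb-core source. The kref_get()/kref_put() arithmetic follows the kernel's refcount_t rules (warn and saturate rather than wrap), but the device struct, the registration list, model_open() and its double-put error path are hypothetical stand-ins, and release() only sets a flag instead of calling free() so the later access is observable rather than undefined behaviour.

```c
/* Added example: user-space model of the kref/refcount_t lifecycle behind a
 * "slab-use-after-free" followed by "refcount_t: addition on 0".  Hypothetical
 * code, not drivers/media/dvb-core/dvbdev.c. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Same value as include/linux/refcount.h: INT_MIN / 2. */
#define REFCOUNT_SATURATED (INT_MIN / 2)

enum refcount_warn { REFCOUNT_NONE = 0, REFCOUNT_ADD_UAF, REFCOUNT_ADD_OVF, REFCOUNT_SUB_UAF };

struct kref { int refs; };

/* What refcount_warn_saturate() last reported (the kernel WARNs here). */
static enum refcount_warn last_warning = REFCOUNT_NONE;

static void refcount_warn_saturate(struct kref *k, enum refcount_warn w)
{
	k->refs = REFCOUNT_SATURATED;   /* pin the count so later get/put no longer matter */
	last_warning = w;
	fprintf(stderr, "refcount_t: %s\n",
		w == REFCOUNT_ADD_UAF ? "addition on 0; use-after-free." :
		w == REFCOUNT_ADD_OVF ? "saturated; leaking memory." :
					"underflow; use-after-free.");
}

/* kref_get(): fetch-and-add; an old value of 0 means the object was already released. */
static void kref_get(struct kref *k)
{
	int old = k->refs++;
	if (old == 0)
		refcount_warn_saturate(k, REFCOUNT_ADD_UAF);
	else if (old < 0)
		refcount_warn_saturate(k, REFCOUNT_ADD_OVF);
}

/* kref_put(): fetch-and-sub; 1 -> 0 runs release(); dropping below 0 is an underflow. */
static int kref_put(struct kref *k, void (*release)(struct kref *))
{
	int old = k->refs--;
	if (old == 1) {
		release(k);
		return 1;
	}
	if (old <= 0)
		refcount_warn_saturate(k, REFCOUNT_SUB_UAF);
	return 0;
}

/* Hypothetical kref-managed device kept on a registration list, the way a
 * registered dvb_device stays reachable for later open() calls. */
struct model_device {
	struct kref ref;        /* first member, so the kref pointer is the device pointer */
	int minor;
	bool freed;             /* stands in for kfree(): set by release(), never cleared */
	struct model_device *next;
};

static struct model_device *device_list;
static int release_calls;

static void model_release(struct kref *k)
{
	struct model_device *dev = (struct model_device *)k;
	dev->freed = true;      /* kernel: kfree(); KASAN poisons the slab object */
	release_calls++;
	/* The device is deliberately left on device_list: a freed object that
	 * the next open() can still look up is exactly the reported condition. */
}

static struct model_device *model_register(int minor)
{
	struct model_device *dev = calloc(1, sizeof(*dev));
	if (!dev)
		abort();
	dev->ref.refs = 1;      /* kref_init(): the registration's own reference */
	dev->minor = minor;
	dev->next = device_list;
	device_list = dev;
	return dev;
}

/* Models a chardev open: look the device up, touch it, take a reference.
 * On the error path it drops puts_on_error references: 1 balances the
 * kref_get() above it, 2 is the bug (it also drops the registration's ref).
 * Returns 0 on success, -1 on the error path or on a detected UAF. */
static int model_open(int minor, bool fail, int puts_on_error)
{
	struct model_device *dev;
	int i;

	for (dev = device_list; dev; dev = dev->next)
		if (dev->minor == minor)
			break;
	if (!dev)
		return -1;
	if (dev->freed)         /* kernel: KASAN reports the read of the freed object here */
		fprintf(stderr, "KASAN-like: read of freed device minor=%d\n", minor);
	kref_get(&dev->ref);    /* kernel: dvb_device_get() */
	if (last_warning == REFCOUNT_ADD_UAF)
		return -1;
	if (fail) {
		for (i = 0; i < puts_on_error; i++)
			kref_put(&dev->ref, model_release);   /* kernel: dvb_device_put() */
		return -1;
	}
	return 0;
}

struct scenario_result {
	int first_open;         /* return value of the open that takes the error path */
	int second_open;        /* return value of the next open of the same minor */
	int release_calls;      /* how many times release() ran */
	int warning;            /* last refcount_warn_saturate() type, REFCOUNT_NONE if none */
	int final_refs;         /* refcount value afterwards */
};

/* Registration, one failing open, then a second open: the report's sequence. */
static struct scenario_result run_scenario(int puts_on_error)
{
	struct scenario_result r;
	struct model_device *dev;

	device_list = NULL;
	release_calls = 0;
	last_warning = REFCOUNT_NONE;

	dev = model_register(3);                            /* "task 1": refs = 1 */
	r.first_open = model_open(3, true, puts_on_error);  /* "task 6764": failing open */
	r.second_open = model_open(3, false, 0);            /* "task 6774": next open */
	r.release_calls = release_calls;
	r.warning = last_warning;
	r.final_refs = dev->ref.refs;
	device_list = NULL;
	free(dev);              /* real free, now that nothing will touch it again */
	return r;
}

int main(void)
{
	struct scenario_result ok = run_scenario(1), bug = run_scenario(2);

	printf("balanced put:  release=%d warning=%d refs=%d\n",
	       ok.release_calls, ok.warning, ok.final_refs);
	printf("double put:    release=%d warning=%d refs=%d (INT_MIN/2 = saturated)\n",
	       bug.release_calls, bug.warning, bug.final_refs);
	return 0;
}
```

With a balanced error path the registration's reference survives and the second open succeeds; with the double put, release() runs while the device is still on the list, the second open touches the freed object (KASAN's report in the kernel) and kref_get() sees a count of 0, which is what the "addition on 0" warning above means. When triaging a report like this one, the question to settle against the real source is which caller dropped a reference it did not own, since kref_get() on a freed object is only the detector, not the cause.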