[syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    59dbb9d81adf Merge tag 'xsa465+xsa466-6.13-tag' of git://g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=142942df980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=c22efbd20f8da769
dashboard link: https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c5dbdd280188/disk-59dbb9d8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/9a6753a4cd2e/vmlinux-59dbb9d8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aa643efa107f/bzImage-59dbb9d8.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in dvb_device_open+0x36a/0x3b0 drivers/media/dvb-core/dvbdev.c:99
Read of size 8 at addr ffff888029e2a018 by task syz.7.923/10944

CPU: 1 UID: 0 PID: 10944 Comm: syz.7.923 Not tainted 6.13.0-rc3-syzkaller-00026-g59dbb9d81adf #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/25/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 dvb_device_open+0x36a/0x3b0 drivers/media/dvb-core/dvbdev.c:99
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6f1f385d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6f2011a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f6f1f576160 RCX: 00007f6f1f385d29
RDX: 0000000000040002 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 00007f6f1f401a20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f6f1f576160 R15: 00007ffccac03e88
 </TASK>

Allocated by task 1:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 dvb_register_device+0x1e2/0x2380 drivers/media/dvb-core/dvbdev.c:475
 dvb_register_frontend+0x5a7/0x880 drivers/media/dvb-core/dvb_frontend.c:3051
 vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:430 [inline]
 vidtv_bridge_probe+0x45e/0xa90 drivers/media/test-drivers/vidtv/vidtv_bridge.c:502
 platform_probe+0xff/0x1f0 drivers/base/platform.c:1404
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __driver_attach+0x283/0x580 drivers/base/dd.c:1216
 bus_for_each_dev+0x13c/0x1d0 drivers/base/bus.c:370
 bus_add_driver+0x2e9/0x690 drivers/base/bus.c:675
 driver_register+0x15c/0x4b0 drivers/base/driver.c:246
 vidtv_bridge_init+0x45/0x80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:592
 do_one_initcall+0x128/0x630 init/main.c:1266
 do_initcall_level init/main.c:1328 [inline]
 do_initcalls init/main.c:1344 [inline]
 do_basic_setup init/main.c:1363 [inline]
 kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
 kernel_init+0x1c/0x2b0 init/main.c:1466
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 10936:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 dvb_free_device drivers/media/dvb-core/dvbdev.c:619 [inline]
 kref_put include/linux/kref.h:65 [inline]
 dvb_device_put.part.0+0x60/0x90 drivers/media/dvb-core/dvbdev.c:632
 dvb_device_put drivers/media/dvb-core/dvbdev.c:631 [inline]
 dvb_device_open+0x2a4/0x3b0 drivers/media/dvb-core/dvbdev.c:113
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888029e2a000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 24 bytes inside of
 freed 256-byte region [ffff888029e2a000, ffff888029e2a100)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29e2a
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801ac41b40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801ac41b40 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 00fff00000000001 ffffea0000a78a81 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 13838120121, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4751
 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xce2/0x1650 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 __kmalloc_cache_noprof+0xf6/0x420 mm/slub.c:4324
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 dvb_register_device+0x1e2/0x2380 drivers/media/dvb-core/dvbdev.c:475
 dvb_register_frontend+0x5a7/0x880 drivers/media/dvb-core/dvb_frontend.c:3051
 vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:430 [inline]
 vidtv_bridge_probe+0x45e/0xa90 drivers/media/test-drivers/vidtv/vidtv_bridge.c:502
 platform_probe+0xff/0x1f0 drivers/base/platform.c:1404
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __driver_attach+0x283/0x580 drivers/base/dd.c:1216
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888029e29f00: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
 ffff888029e29f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888029e2a000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888029e2a080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888029e2a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[syzbot]

syzbot has found a reproducer for the following issue on:

HEAD commit:    595523945be0 Merge tag 'devicetree-fixes-for-6.13-2' of gi..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17237a18580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5e182416a4b418f
dashboard link: https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=144891f8580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12183fc4580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/1051770fb50b/disk-59552394.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/390a709a05b7/vmlinux-59552394.xz
kernel image: https://storage.googleapis.com/syzbot-assets/72a0a455bf23/bzImage-59552394.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in dvb_device_open+0x36a/0x3b0 drivers/media/dvb-core/dvbdev.c:99
Read of size 8 at addr ffff8881476baa18 by task syz-executor353/9116

CPU: 1 UID: 0 PID: 9116 Comm: syz-executor353 Not tainted 6.13.0-rc7-syzkaller-00189-g595523945be0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 dvb_device_open+0x36a/0x3b0 drivers/media/dvb-core/dvbdev.c:99
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbafad2db29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff3ae8be88 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbafad2db29
RDX: 0000000000000001 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 00000000000f4240 R08: 0000000000008000 R09: 0000000000008000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000015edd
R13: 00007fff3ae8beac R14: 00007fff3ae8bec0 R15: 00007fff3ae8beb0
 </TASK>

Allocated by task 1:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 dvb_register_device+0x1e2/0x2380 drivers/media/dvb-core/dvbdev.c:475
 dvb_register_frontend+0x5a7/0x880 drivers/media/dvb-core/dvb_frontend.c:3051
 vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:430 [inline]
 vidtv_bridge_probe+0x45e/0xa90 drivers/media/test-drivers/vidtv/vidtv_bridge.c:502
 platform_probe+0xff/0x1f0 drivers/base/platform.c:1404
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __driver_attach+0x283/0x580 drivers/base/dd.c:1216
 bus_for_each_dev+0x13c/0x1d0 drivers/base/bus.c:370
 bus_add_driver+0x2e9/0x690 drivers/base/bus.c:675
 driver_register+0x15c/0x4b0 drivers/base/driver.c:246
 vidtv_bridge_init+0x45/0x80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:592
 do_one_initcall+0x128/0x630 init/main.c:1266
 do_initcall_level init/main.c:1328 [inline]
 do_initcalls init/main.c:1344 [inline]
 do_basic_setup init/main.c:1363 [inline]
 kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
 kernel_init+0x1c/0x2b0 init/main.c:1466
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 9110:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 dvb_free_device drivers/media/dvb-core/dvbdev.c:619 [inline]
 kref_put include/linux/kref.h:65 [inline]
 dvb_device_put.part.0+0x60/0x90 drivers/media/dvb-core/dvbdev.c:632
 dvb_device_put drivers/media/dvb-core/dvbdev.c:631 [inline]
 dvb_device_open+0x2a4/0x3b0 drivers/media/dvb-core/dvbdev.c:113
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff8881476baa00
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 24 bytes inside of
 freed 256-byte region [ffff8881476baa00, ffff8881476bab00)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1476ba
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801ac41b40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 057ff00000000040 ffff88801ac41b40 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 057ff00000000001 ffffea00051dae81 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 21808544918, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1558
 prep_new_page mm/page_alloc.c:1566 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3476
 __alloc_pages_noprof+0x223/0x25b0 mm/page_alloc.c:4753
 alloc_pages_mpol_noprof+0x2c8/0x620 mm/mempolicy.c:2269
 alloc_slab_page mm/slub.c:2423 [inline]
 allocate_slab mm/slub.c:2589 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2642
 ___slab_alloc+0xce2/0x1650 mm/slub.c:3830
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3920
 __slab_alloc_node mm/slub.c:3995 [inline]
 slab_alloc_node mm/slub.c:4156 [inline]
 __kmalloc_cache_noprof+0xf6/0x420 mm/slub.c:4324
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 bus_add_driver+0x92/0x690 drivers/base/bus.c:659
 driver_register+0x15c/0x4b0 drivers/base/driver.c:246
 usb_register_driver+0x216/0x4d0 drivers/usb/core/driver.c:1078
 do_one_initcall+0x128/0x630 init/main.c:1266
 do_initcall_level init/main.c:1328 [inline]
 do_initcalls init/main.c:1344 [inline]
 do_basic_setup init/main.c:1363 [inline]
 kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
 kernel_init+0x1c/0x2b0 init/main.c:1466
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page_owner free stack trace missing

Memory state around the buggy address:
 ffff8881476ba900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8881476ba980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8881476baa00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8881476baa80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8881476bab00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[Hillf Danton]

On Sat, 18 Jan 2025 11:50:29 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    595523945be0 Merge tag 'devicetree-fixes-for-6.13-2' of gi..
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12183fc4580000

#syz test

--- x/drivers/media/dvb-core/dvbdev.c
+++ y/drivers/media/dvb-core/dvbdev.c
@@ -109,8 +109,10 @@ static int dvb_device_open(struct inode
 			err = file->f_op->open(inode, file);
 		up_read(&minor_rwsem);
 		mutex_unlock(&dvbdev_mutex);
-		if (err)
+		if (err) {
+			WARN(1, "open %pS\n", file->f_op->open);
 			dvb_device_put(dvbdev);
+		}
 		return err;
 	}
 fail:
--

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in dvb_device_open

------------[ cut here ]------------
open dvb_frontend_open+0x0/0x1750 drivers/media/dvb-core/dvb_frontend.c:2428
WARNING: CPU: 0 PID: 6885 at drivers/media/dvb-core/dvbdev.c:113 dvb_device_open+0x2f7/0x420 drivers/media/dvb-core/dvbdev.c:113
Modules linked in:
CPU: 0 UID: 0 PID: 6885 Comm: syz.3.32 Not tainted 6.13.0-rc7-syzkaller-gfda5e3f28400-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
RIP: 0010:dvb_device_open+0x2f7/0x420 drivers/media/dvb-core/dvbdev.c:113
Code: 24 50 49 8d 7c 24 68 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 31 01 00 00 49 8b 74 24 68 48 c7 c7 60 aa 2f 8c e8 4a ea d3 f9 90 <0f> 0b 90 90 48 89 ef e8 9d e8 ff ff e8 48 22 13 fa 89 d8 5b 5d 41
RSP: 0018:ffffc90003357920 EFLAGS: 00010286
RAX: 0000000000000000 RBX: 00000000fffffff0 RCX: ffffffff815a17c9
RDX: ffff88802ffdda00 RSI: ffffffff815a17d6 RDI: 0000000000000001
RBP: ffff888143aec000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802982f400
R13: ffff88802982f400 R14: ffff88802a198808 R15: ffff8880331aa910
FS:  00007f35dfb9e6c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 00000000329e2000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f35ded85d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f35dfb9e038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f35def75fa0 RCX: 00007f35ded85d29
RDX: 0000000000000001 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 00007f35dee01b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f35def75fa0 R15: 00007ffc3f7cc208
 </TASK>


Tested on:

commit:         fda5e3f2 Merge tag 'trace-v6.13-rc7-2' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12d2fa18580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5e182416a4b418f
dashboard link: https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15a962b0580000

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[Edward Adam Davis]

#syz test: https://github.com/ea1davis/linux mdbc/syz

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[Hillf Danton]

On Sat, 18 Jan 2025 11:50:29 -0800
> syzbot has found a reproducer for the following issue on:
> 
> HEAD commit:    595523945be0 Merge tag 'devicetree-fixes-for-6.13-2' of gi..
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12183fc4580000

#syz test

--- x/drivers/media/dvb-core/dvb_frontend.c
+++ y/drivers/media/dvb-core/dvb_frontend.c
@@ -2887,6 +2887,7 @@ err3:
 	mutex_unlock(&fe->dvb->mdev_lock);
 err2:
 #endif
+	dvb_device_get(dvbdev);
 	dvb_generic_release(inode, file);
 err1:
 	if (dvbdev->users == -1 && fe->ops.ts_bus_ctrl)
--

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com
Tested-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com

Tested on:

commit:         20d06ce9 dvb: prevent use of freed dvb device
git tree:       https://github.com/ea1davis/linux mdbc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=16953fc4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[Edward Adam Davis]

#syz test: https://github.com/ea1davis/linux mdbc/syz

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com
Tested-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com

Tested on:

commit:         fda5e3f2 Merge tag 'trace-v6.13-rc7-2' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17133fc4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=f5e182416a4b418f
dashboard link: https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=103562b0580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in dvb_device_open

==================================================================
BUG: KASAN: slab-use-after-free in dvb_device_open+0x405/0x470 drivers/media/dvb-core/dvbdev.c:99
Read of size 8 at addr ffff888143aaf018 by task syz.3.546/8305

CPU: 0 UID: 0 PID: 8305 Comm: syz.3.546 Not tainted 6.12.0-syzkaller-10299-gae5cd00f92cb #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 dvb_device_open+0x405/0x470 drivers/media/dvb-core/dvbdev.c:99
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f9a46d85d29
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f9a47b85038 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f9a46f75fa0 RCX: 00007f9a46d85d29
RDX: 0000000000000001 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 00007f9a46e01b08 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f9a46f75fa0 R15: 00007ffe1e4113f8
 </TASK>

Allocated by task 1:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 dvb_register_device+0x1e2/0x2380 drivers/media/dvb-core/dvbdev.c:479
 dvb_register_frontend+0x5a7/0x880 drivers/media/dvb-core/dvb_frontend.c:3051
 vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:430 [inline]
 vidtv_bridge_probe+0x45e/0xa90 drivers/media/test-drivers/vidtv/vidtv_bridge.c:502
 platform_probe+0xff/0x1f0 drivers/base/platform.c:1404
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __driver_attach+0x283/0x580 drivers/base/dd.c:1216
 bus_for_each_dev+0x13c/0x1d0 drivers/base/bus.c:370
 bus_add_driver+0x2e9/0x690 drivers/base/bus.c:675
 driver_register+0x15c/0x4b0 drivers/base/driver.c:246
 vidtv_bridge_init+0x45/0x80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:592
 do_one_initcall+0x128/0x630 init/main.c:1266
 do_initcall_level init/main.c:1328 [inline]
 do_initcalls init/main.c:1344 [inline]
 do_basic_setup init/main.c:1363 [inline]
 kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
 kernel_init+0x1c/0x2b0 init/main.c:1466
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 8297:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2338 [inline]
 slab_free mm/slub.c:4598 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4746
 dvb_free_device drivers/media/dvb-core/dvbdev.c:623 [inline]
 kref_put include/linux/kref.h:65 [inline]
 dvb_device_put.part.0+0x60/0x90 drivers/media/dvb-core/dvbdev.c:636
 dvb_device_put drivers/media/dvb-core/dvbdev.c:635 [inline]
 dvb_device_open+0x374/0x470 drivers/media/dvb-core/dvbdev.c:117
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888143aaf000
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 24 bytes inside of
 freed 256-byte region [ffff888143aaf000, ffff888143aaf100)

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x143aae
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x57ff00000000040(head|node=1|zone=2|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 057ff00000000040 ffff88801ac41b40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 057ff00000000040 ffff88801ac41b40 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000001f5000000 0000000000000000
head: 057ff00000000001 ffffea00050eab81 ffffffffffffffff 0000000000000000
head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 14768145455, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
 prep_new_page mm/page_alloc.c:1564 [inline]
 get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
 __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4751
 alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
 alloc_slab_page mm/slub.c:2408 [inline]
 allocate_slab mm/slub.c:2574 [inline]
 new_slab+0x2c9/0x410 mm/slub.c:2627
 ___slab_alloc+0xd1d/0x16e0 mm/slub.c:3815
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3905
 __slab_alloc_node mm/slub.c:3980 [inline]
 slab_alloc_node mm/slub.c:4141 [inline]
 __kmalloc_cache_noprof+0xf6/0x420 mm/slub.c:4309
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 bus_add_driver+0x92/0x690 drivers/base/bus.c:659
 driver_register+0x15c/0x4b0 drivers/base/driver.c:246
 usb_register_driver+0x24a/0x500 drivers/usb/core/driver.c:1082
 uvc_init+0x24/0x60 drivers/media/usb/uvc/uvc_driver.c:3170
 do_one_initcall+0x128/0x630 init/main.c:1266
 do_initcall_level init/main.c:1328 [inline]
 do_initcalls init/main.c:1344 [inline]
 do_basic_setup init/main.c:1363 [inline]
 kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
 kernel_init+0x1c/0x2b0 init/main.c:1466
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
page_owner free stack trace missing

Memory state around the buggy address:
 ffff888143aaef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888143aaef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888143aaf000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff888143aaf080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888143aaf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


Tested on:

commit:         ae5cd00f dvb: prevent double free dvb device
git tree:       https://github.com/ea1davis/linux mdbc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=163d91f8580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[Edward Adam Davis]

#syz test: https://github.com/ea1davis/linux mdbc/syz

Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_device_open

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com
Tested-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com

Tested on:

commit:         4f88ca5c media: dvbdev: prevent double put of dvb device
git tree:       https://github.com/ea1davis/linux mdbc/syz
console output: https://syzkaller.appspot.com/x/log.txt?x=12fb3fc4580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e8d97faf7b870c89
dashboard link: https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40

Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.

[PATCH] media: dvbdev: keep dvb device ref balanced in dvb generic release and open

[Edward Adam Davis]

syzbot report a slab-use-after-free Read in dvb_device_open. [1]

The dvb device have been putted by dvb_generic_release() in dvb_frontend_open()
and have been freed in dvb_device_open() by dvb_device_put().

[1]
BUG: KASAN: slab-use-after-free in dvb_device_open+0x36a/0x3b0 drivers/media/dvb-core/dvbdev.c:99
Read of size 8 at addr ffff8881476baa18 by task syz-executor353/9116

CPU: 1 UID: 0 PID: 9116 Comm: syz-executor353 Not tainted 6.13.0-rc7-syzkaller-00189-g595523945be0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xc3/0x620 mm/kasan/report.c:489
 kasan_report+0xd9/0x110 mm/kasan/report.c:602
 dvb_device_open+0x36a/0x3b0 drivers/media/dvb-core/dvbdev.c:99
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fbafad2db29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff3ae8be88 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fbafad2db29
RDX: 0000000000000001 RSI: 0000000020000000 RDI: ffffffffffffff9c
RBP: 00000000000f4240 R08: 0000000000008000 R09: 0000000000008000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000015edd
R13: 00007fff3ae8beac R14: 00007fff3ae8bec0 R15: 00007fff3ae8beb0
 </TASK>

Allocated by task 1:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:377 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:394
 kmalloc_noprof include/linux/slab.h:901 [inline]
 kzalloc_noprof include/linux/slab.h:1037 [inline]
 dvb_register_device+0x1e2/0x2380 drivers/media/dvb-core/dvbdev.c:475
 dvb_register_frontend+0x5a7/0x880 drivers/media/dvb-core/dvb_frontend.c:3051
 vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:430 [inline]
 vidtv_bridge_probe+0x45e/0xa90 drivers/media/test-drivers/vidtv/vidtv_bridge.c:502
 platform_probe+0xff/0x1f0 drivers/base/platform.c:1404
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:658
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:800
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:830
 __driver_attach+0x283/0x580 drivers/base/dd.c:1216
 bus_for_each_dev+0x13c/0x1d0 drivers/base/bus.c:370
 bus_add_driver+0x2e9/0x690 drivers/base/bus.c:675
 driver_register+0x15c/0x4b0 drivers/base/driver.c:246
 vidtv_bridge_init+0x45/0x80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:592
 do_one_initcall+0x128/0x630 init/main.c:1266
 do_initcall_level init/main.c:1328 [inline]
 do_initcalls init/main.c:1344 [inline]
 do_basic_setup init/main.c:1363 [inline]
 kernel_init_freeable+0x58f/0x8b0 init/main.c:1577
 kernel_init+0x1c/0x2b0 init/main.c:1466
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244

Freed by task 9110:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:582
 poison_slab_object mm/kasan/common.c:247 [inline]
 __kasan_slab_free+0x51/0x70 mm/kasan/common.c:264
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2353 [inline]
 slab_free mm/slub.c:4613 [inline]
 kfree+0x14f/0x4b0 mm/slub.c:4761
 dvb_free_device drivers/media/dvb-core/dvbdev.c:619 [inline]
 kref_put include/linux/kref.h:65 [inline]
 dvb_device_put.part.0+0x60/0x90 drivers/media/dvb-core/dvbdev.c:632
 dvb_device_put drivers/media/dvb-core/dvbdev.c:631 [inline]
 dvb_device_open+0x2a4/0x3b0 drivers/media/dvb-core/dvbdev.c:113
 chrdev_open+0x237/0x6a0 fs/char_dev.c:414
 do_dentry_open+0xf59/0x1ea0 fs/open.c:945
 vfs_open+0x82/0x3f0 fs/open.c:1075
 do_open fs/namei.c:3828 [inline]
 path_openat+0x1e6a/0x2d60 fs/namei.c:3987
 do_filp_open+0x20c/0x470 fs/namei.c:4014
 do_sys_openat2+0x17a/0x1e0 fs/open.c:1402
 do_sys_open fs/open.c:1417 [inline]
 __do_sys_openat fs/open.c:1433 [inline]
 __se_sys_openat fs/open.c:1428 [inline]
 __x64_sys_openat+0x175/0x210 fs/open.c:1428
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Reported-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=1eb177ecc3943b883f0a
Tested-by: syzbot+1eb177ecc3943b883f0a@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 drivers/media/dvb-core/dvb_frontend.c | 1 +
 drivers/media/dvb-core/dvbdev.c       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/drivers/media/dvb-core/dvb_frontend.c b/drivers/media/dvb-core/dvb_frontend.c
index a05aa271a1ba..738b63255e5c 100644
--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -2873,6 +2873,7 @@ static int dvb_frontend_open(struct inode *inode, struct file *file)
 
 	if (adapter->mfe_shared)
 		mutex_unlock(&adapter->mfe_lock);
+	dvb_generic_release(inode, file);
 	return ret;
 
 err3:
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index 9df7c213716a..d17f08adf443 100644
--- a/drivers/media/dvb-core/dvbdev.c
+++ b/drivers/media/dvb-core/dvbdev.c
@@ -148,6 +148,7 @@ int dvb_generic_open(struct inode *inode, struct file *file)
 	}
 
 	dvbdev->users--;
+	dvb_device_get(dvbdev);
 	return 0;
 }
 EXPORT_SYMBOL(dvb_generic_open);
-- 
2.47.0