* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
[not found] <CAD9jT-fYG58jR7baSm-1pFaJPO5Fp+sYv+s3YZUjTdUZST9syw@mail.gmail.com>
From: syzbot @ 2026-02-20 7:18 UTC
To: linux-kernel, syzkaller-bugs, ttt978615

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in dvb_device_open

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in refcount_read include/linux/refcount.h:170 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add_not_zero include/linux/refcount.h:176 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc_not_zero include/linux/refcount.h:317 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc_not_zero include/linux/refcount.h:335 [inline]
BUG: KASAN: slab-use-after-free in kref_get_unless_zero include/linux/kref.h:133 [inline]
BUG: KASAN: slab-use-after-free in dvb_device_open+0x117/0x590 drivers/media/dvb-core/dvbdev.c:99
Read of size 4 at addr ffff88802bb50010 by task syz.0.19/6537

CPU: 1 UID: 0 PID: 6537 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
refcount_read include/linux/refcount.h:170 [inline]
__refcount_add_not_zero include/linux/refcount.h:176 [inline]
__refcount_inc_not_zero include/linux/refcount.h:317 [inline]
refcount_inc_not_zero include/linux/refcount.h:335 [inline]
kref_get_unless_zero include/linux/kref.h:133 [inline]
dvb_device_open+0x117/0x590 drivers/media/dvb-core/dvbdev.c:99
chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
do_dentry_open+0x83d/0x13e0 fs/open.c:949
vfs_open+0x3b/0x350 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x2e3d/0x38a0 fs/namei.c:4830
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8a3bbbc84e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f8a3b25db28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f8a3b25e6c0 RCX: 00007f8a3bbbc84e
RDX: 0000000000000400 RSI: 00007f8a3b25dc00 RDI: ffffffffffffff9c
RBP: 00007f8a3b25dc00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
R13: 00007f8a3be76038 R14: 00007f8a3be75fa0 R15: 00007ffd6024f3a8
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:477
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3053
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x348/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6534:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2670 [inline]
slab_free mm/slub.c:6082 [inline]
kfree+0x1c1/0x690 mm/slub.c:6399
dvb_frontend_release+0x3de/0x500 drivers/media/dvb-core/dvb_frontend.c:2935
__fput+0x45e/0xa80 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
get_signal+0x11c3/0x1310 kernel/signal.c:2807
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802bb50000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 16 bytes inside of
freed 512-byte region [ffff88802bb50000, ffff88802bb50200)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2bb50
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffea0000aed401 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 14383756285, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3950
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5245
alloc_slab_page mm/slub.c:3238 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3411
new_slab mm/slub.c:3469 [inline]
refill_objects+0x334/0x3c0 mm/slub.c:7091
refill_sheaf mm/slub.c:2787 [inline]
__pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4536
alloc_from_pcs mm/slub.c:4639 [inline]
slab_alloc_node mm/slub.c:4773 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5292
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
device_private_init drivers/base/core.c:3534 [inline]
device_add+0xbe/0xb80 drivers/base/core.c:3585
platform_device_add+0x46a/0x800 drivers/base/platform.c:757
vidtv_bridge_init+0x12/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:594
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
page_owner free stack trace missing

Memory state around the buggy address:
ffff88802bb4ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88802bb4ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802bb50000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802bb50080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802bb50100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Tested on:
commit: c22e26bd Merge tag 'landlock-7.0-rc1' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16c73c02580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f7195a580000
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
[not found] <CAD9jT-dJThQYbDcOTQxp-QiZ-msAfteita6bJcexzU4gZio0GA@mail.gmail.com>
From: syzbot @ 2026-02-19 19:12 UTC
To: linux-kernel, syzkaller-bugs, ttt978615

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in dvb_device_open

==================================================================
BUG: KASAN: slab-use-after-free in dvb_device_open+0xc4/0x360 drivers/media/dvb-core/dvbdev.c:99
Read of size 8 at addr ffff88802b430818 by task syz.0.19/6566

CPU: 1 UID: 0 PID: 6566 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
dvb_device_open+0xc4/0x360 drivers/media/dvb-core/dvbdev.c:99
chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
do_dentry_open+0x83d/0x13e0 fs/open.c:949
vfs_open+0x3b/0x350 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x2e3d/0x38a0 fs/namei.c:4830
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6a5c68c84e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f6a5bd25b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f6a5bd266c0 RCX: 00007f6a5c68c84e
RDX: 0000000000000400 RSI: 00007f6a5bd25c00 RDI: ffffffffffffff9c
RBP: 00007f6a5bd25c00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
R13: 00007f6a5c946038 R14: 00007f6a5c945fa0 R15: 00007ffc29cccd18
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3053
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x348/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6559:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2670 [inline]
slab_free mm/slub.c:6082 [inline]
kfree+0x1c1/0x690 mm/slub.c:6399
dvb_frontend_release+0x3de/0x500 drivers/media/dvb-core/dvb_frontend.c:2935
__fput+0x45e/0xa80 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b430800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
freed 512-byte region [ffff88802b430800, ffff88802b430a00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b430
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffea0000ad0c01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 14672887637, free_ts 14671573424
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3950
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5245
alloc_slab_page mm/slub.c:3238 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3411
new_slab mm/slub.c:3469 [inline]
refill_objects+0x334/0x3c0 mm/slub.c:7091
refill_sheaf mm/slub.c:2787 [inline]
__pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4536
alloc_from_pcs mm/slub.c:4639 [inline]
slab_alloc_node mm/slub.c:4773 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5292
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3053
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_frozen_pages+0xfd0/0x1160 mm/page_alloc.c:2973
stack_depot_save_flags+0x40e/0x810 lib/stackdepot.c:735
kasan_save_stack mm/kasan/common.c:58 [inline]
kasan_save_track+0x4f/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
kobject_uevent_env+0x28f/0x9e0 lib/kobject_uevent.c:540
device_add+0x557/0xb80 drivers/base/core.c:3670
i2c_new_client_device+0xa1f/0x1160 drivers/i2c/i2c-core-base.c:1019
dvb_module_probe+0x1c7/0x310 drivers/media/dvb-core/dvbdev.c:1042
vidtv_bridge_probe_tuner drivers/media/test-drivers/vidtv/vidtv_bridge.c:405 [inline]
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:432 [inline]
vidtv_bridge_probe+0x93b/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383

Memory state around the buggy address:
ffff88802b430700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802b430780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b430800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802b430880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802b430900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Tested on:
commit: c22e26bd Merge tag 'landlock-7.0-rc1' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12ebf652580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1733495a580000
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
[not found] <CAD9jT-cVX1GVH30EAGvQkbxsDRyuSug1Zcz8Fi-NVbecB6OLnw@mail.gmail.com>
From: syzbot @ 2026-02-19 18:45 UTC
To: linux-kernel, syzkaller-bugs, ttt978615

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file drivers/media/dvb-core/dvb_frontend.c
patch: **** unexpected end of file in patch

Tested on:
commit: c22e26bd Merge tag 'landlock-7.0-rc1' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler:
patch: https://syzkaller.appspot.com/x/patch.diff?x=13b541e6580000
* [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
From: syzbot @ 2026-02-14 12:34 UTC
To: linux-kernel, linux-media, mchehab, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: cd7a5651db26 alpha: add missing address argument in call t..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1103415a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6d9e410399043c26
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6546859ef2b7/disk-cd7a5651.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f2e4c96e79f7/vmlinux-cd7a5651.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7e21013889c0/bzImage-cd7a5651.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae466a728017ec940b41@syzkaller.appspotmail.com
==================================================================
BUG: KASAN: slab-use-after-free in dvb_frontend_release+0x40a/0x4d0 drivers/media/dvb-core/dvb_frontend.c:2916
Read of size 4 at addr ffff88802b33a43c by task syz.0.10208/29088
CPU: 1 UID: 0 PID: 29088 Comm: syz.0.10208 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
dvb_frontend_release+0x40a/0x4d0 drivers/media/dvb-core/dvb_frontend.c:2916
__fput+0x44f/0xa70 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2310 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0a9c79bc0b
Code: Unable to access opcode bytes at 0x7f0a9c79bbe1.
RSP: 002b:00007f0a9d607f00 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: fffffffffffffffc RBX: 0000000000000006 RCX: 00007f0a9c79bc0b
RDX: 00007f0a9d608fd0 RSI: 0000000080085502 RDI: 0000000000000006
RBP: 00007f0a9d608fd0 R08: 0000000000000001 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000080085502
R13: 0000000800000000 R14: 0000000000000000 R15: 00007f0a9c85076a
</TASK>
Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
dvb_register_frontend+0x649/0x950 drivers/media/dvb-core/dvb_frontend.c:3051
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x3e7/0x710 drivers/base/dd.c:1227
bus_for_each_dev+0x23b/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x345/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x840 init/main.c:1382
do_initcall_level+0x104/0x190 init/main.c:1444
do_initcalls+0x59/0xa0 init/main.c:1460
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
kernel_init+0x1d/0x1d0 init/main.c:1582
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 29088:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2670 [inline]
slab_free mm/slub.c:6082 [inline]
kfree+0x1c1/0x610 mm/slub.c:6399
dvb_free_device drivers/media/dvb-core/dvbdev.c:619 [inline]
kref_put include/linux/kref.h:65 [inline]
dvb_device_put drivers/media/dvb-core/dvbdev.c:632 [inline]
dvb_generic_release+0x11d/0x1b0 drivers/media/dvb-core/dvbdev.c:169
dvb_frontend_release+0x132/0x4d0 drivers/media/dvb-core/dvb_frontend.c:2914
__fput+0x44f/0xa70 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2310 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88802b33a400
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 60 bytes inside of
freed 256-byte region [ffff88802b33a400, ffff88802b33a500)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b33a
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fe9db40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fe9db40 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000001 ffffea0000acce81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 13065394638, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1883
prep_new_page mm/page_alloc.c:1891 [inline]
get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3956
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5244
alloc_slab_page mm/slub.c:3238 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3411
new_slab mm/slub.c:3469 [inline]
refill_objects+0x331/0x3c0 mm/slub.c:7091
refill_sheaf mm/slub.c:2787 [inline]
__pcs_replace_empty_main+0x2b9/0x620 mm/slub.c:4536
alloc_from_pcs mm/slub.c:4639 [inline]
slab_alloc_node mm/slub.c:4773 [inline]
__kmalloc_cache_noprof+0x392/0x660 mm/slub.c:5292
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
bus_add_driver+0x162/0x670 drivers/base/bus.c:699
driver_register+0x23a/0x320 drivers/base/driver.c:249
usb_register_driver+0x1e4/0x390 drivers/usb/core/driver.c:1078
do_one_initcall+0x250/0x840 init/main.c:1382
do_initcall_level+0x104/0x190 init/main.c:1444
do_initcalls+0x59/0xa0 init/main.c:1460
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
kernel_init+0x1d/0x1d0 init/main.c:1582
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
page_owner free stack trace missing
Memory state around the buggy address:
ffff88802b33a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802b33a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b33a400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802b33a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802b33a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
From: syzbot @ 2026-02-16 9:34 UTC
To: linux-kernel, linux-media, mchehab, syzkaller-bugs

syzbot has found a reproducer for the following issue on:
HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b33c549157ca/disk-c22e26bd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/34c7ded19553/vmlinux-c22e26bd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/66faec2158ed/bzImage-c22e26bd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae466a728017ec940b41@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in dvb_frontend_release+0x410/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2916
Read of size 4 at addr ffff88802b75b83c by task syz.0.18/5958

CPU: 1 UID: 0 PID: 5958 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
dvb_frontend_release+0x410/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2916
__fput+0x45e/0xa80 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
get_signal+0x11c3/0x1310 kernel/signal.c:2807
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc97690bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffed13b68c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffed13b69b0 RCX: 00007fc97690bf79
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000195a3 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b2d420000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc976b85fac R14: 00007fc976b85fa8 R15: 00007fc976b85fa0
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3051
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x348/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 5958:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2670 [inline]
slab_free mm/slub.c:6082 [inline]
kfree+0x1c1/0x690 mm/slub.c:6399
dvb_free_device drivers/media/dvb-core/dvbdev.c:619 [inline]
kref_put include/linux/kref.h:65 [inline]
dvb_device_put drivers/media/dvb-core/dvbdev.c:632 [inline]
dvb_generic_release+0x123/0x1c0 drivers/media/dvb-core/dvbdev.c:169
dvb_frontend_release+0x138/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2914
__fput+0x45e/0xa80 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
get_signal+0x11c3/0x1310 kernel/signal.c:2807
arch_do_signal_or_restart+0xbc/0x830
arch/x86/kernel/signal.c:337 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline] exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline] syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline] syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline] do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100 entry_SYSCALL_64_after_hwframe+0x77/0x7f The buggy address belongs to the object at ffff88802b75b800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 60 bytes inside of freed 512-byte region [ffff88802b75b800, ffff88802b75ba00) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b758 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0x80000000000040(head|node=0|zone=1) page_type: f5(slab) raw: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 head: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122 head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 head: 0080000000000002 ffffea0000add601 00000000ffffffff 00000000ffffffff head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 14639760172, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884 prep_new_page mm/page_alloc.c:1892 [inline] get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3950 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5245 alloc_slab_page mm/slub.c:3238 [inline] 
allocate_slab+0x77/0x660 mm/slub.c:3411 new_slab mm/slub.c:3469 [inline] refill_objects+0x334/0x3c0 mm/slub.c:7091 refill_sheaf mm/slub.c:2787 [inline] __pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4536 alloc_from_pcs mm/slub.c:4639 [inline] slab_alloc_node mm/slub.c:4773 [inline] __kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5292 kmalloc_noprof include/linux/slab.h:962 [inline] kzalloc_noprof include/linux/slab.h:1204 [inline] set_kthread_struct+0xbb/0x340 kernel/kthread.c:125 copy_process+0x128c/0x3d00 kernel/fork.c:2152 kernel_clone+0x249/0x7f0 kernel/fork.c:2654 kernel_thread+0x13f/0x1b0 kernel/fork.c:2715 create_kthread kernel/kthread.c:490 [inline] kthreadd+0x4ec/0x6e0 kernel/kthread.c:849 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 page_owner free stack trace missing Memory state around the buggy address: ffff88802b75b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88802b75b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88802b75b800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802b75b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802b75b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== --- If you want syzbot to run the reproducer, reply with: #syz test: git://repo/address.git branch-or-commit-hash If you attach or paste a git patch, syzbot will apply it before testing. ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3) 2026-02-16 9:34 ` syzbot @ 2026-02-21 13:40 ` Hillf Danton 2026-02-21 13:58 ` syzbot 2026-02-21 14:35 ` Hillf Danton ` (3 subsequent siblings) 4 siblings, 1 reply; 15+ messages in thread From: Hillf Danton @ 2026-02-21 13:40 UTC (permalink / raw) To: syzbot; +Cc: linux-kernel, syzkaller-bugs > Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview] > syzbot has found a reproducer for the following issue on: > > HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e > dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41 > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000 #syz test --- x/drivers/media/dvb-core/dvb_frontend.c +++ y/drivers/media/dvb-core/dvb_frontend.c @@ -2911,6 +2911,7 @@ static int dvb_frontend_release(struct i mb(); } + dvb_device_get(dvbdev); ret = dvb_generic_release(inode, file); if (dvbdev->users == -1) { @@ -2930,6 +2931,7 @@ static int dvb_frontend_release(struct i if (fe->ops.ts_bus_ctrl) fe->ops.ts_bus_ctrl(fe, 0); } + dvb_device_put(dvbdev); dvb_frontend_put(fe); -- ^ permalink raw reply [flat|nested] 15+ messages in thread
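Review bot: the dvb_device_get()/dvb_device_put() pair added around the `dvbdev->users == -1` check at dvb_frontend.c:2916 is balanced, so it does not change which reference is the last one; it only moves the final drop from inside dvb_generic_release() to the new dvb_device_put() at the end of the function. The original report shows the object being freed from dvb_generic_release() (dvbdev.c:169, via dvb_device_put) while this function still reads it, so keeping it alive across the check silences that read, but the retest shows the same dvb_device now freed at dvb_frontend.c:2934 (the added put) and dereferenced in dvb_device_open() at dvbdev.c:99 by a later open, i.e. the close of a frontend file is still the point at which a device that can still be opened reaches refcount zero. The fix therefore belongs where the missing reference is (the path that is expected to hold the device while it remains openable), not in the release ordering; if the extra get is kept anyway, add a comment stating that dvb_generic_release() may drop the last reference, since nothing in the function says why the pinning is needed.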
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
  2026-02-21 13:40 ` Hillf Danton
@ 2026-02-21 13:58   ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2026-02-21 13:58 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in dvb_device_open

==================================================================
BUG: KASAN: slab-use-after-free in dvb_device_open+0xc4/0x360 drivers/media/dvb-core/dvbdev.c:99
Read of size 8 at addr ffff88802b6da418 by task syz.0.19/6637

CPU: 1 UID: 0 PID: 6637 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 dvb_device_open+0xc4/0x360 drivers/media/dvb-core/dvbdev.c:99
 chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
 do_dentry_open+0x83d/0x13e0 fs/open.c:949
 vfs_open+0x3b/0x350 fs/open.c:1081
 do_open fs/namei.c:4671 [inline]
 path_openat+0x2e43/0x38a0 fs/namei.c:4830
 do_file_open+0x23e/0x4a0 fs/namei.c:4859
 do_sys_openat2+0x113/0x200 fs/open.c:1366
 do_sys_open fs/open.c:1372 [inline]
 __do_sys_openat fs/open.c:1388 [inline]
 __se_sys_openat fs/open.c:1383 [inline]
 __x64_sys_openat+0x138/0x170 fs/open.c:1383
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0b55cdc84e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f0b5537db28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f0b5537e6c0 RCX: 00007f0b55cdc84e
RDX: 0000000000000400 RSI: 00007f0b5537dc00 RDI: ffffffffffffff9c
RBP: 00007f0b5537dc00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
R13: 00007f0b55f96038 R14: 00007f0b55f95fa0 R15: 00007ffc62e6c1b8
 </TASK>

Allocated by task 1:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5339
 kmalloc_noprof include/linux/slab.h:962 [inline]
 kzalloc_noprof include/linux/slab.h:1204 [inline]
 dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
 dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3053
 vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
 vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
 platform_probe+0xf9/0x190 drivers/base/platform.c:1446
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:661
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
 __driver_attach+0x3e7/0x710 drivers/base/dd.c:1227
 bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
 bus_add_driver+0x348/0x670 drivers/base/bus.c:715
 driver_register+0x23a/0x320 drivers/base/driver.c:249
 vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
 do_one_initcall+0x250/0x8d0 init/main.c:1382
 do_initcall_level+0x104/0x190 init/main.c:1444
 do_initcalls+0x59/0xa0 init/main.c:1460
 kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
 kernel_init+0x1d/0x1d0 init/main.c:1582
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6634:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2687 [inline]
 slab_free mm/slub.c:6124 [inline]
 kfree+0x1c1/0x6c0 mm/slub.c:6442
 dvb_frontend_release+0x3de/0x500 drivers/media/dvb-core/dvb_frontend.c:2934
 __fput+0x461/0xa90 fs/file_table.c:469
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b6da400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
 freed 512-byte region [ffff88802b6da400, ffff88802b6da600)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b6d8
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe1cc80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe1cc80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffea0000adb601 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 13477098013, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3255 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3444
 new_slab mm/slub.c:3502 [inline]
 refill_objects+0x334/0x3c0 mm/slub.c:7134
 refill_sheaf mm/slub.c:2804 [inline]
 __pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4578
 alloc_from_pcs mm/slub.c:4681 [inline]
 slab_alloc_node mm/slub.c:4815 [inline]
 __kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5334
 kmalloc_noprof include/linux/slab.h:962 [inline]
 kzalloc_noprof include/linux/slab.h:1204 [inline]
 bus_add_driver+0x165/0x670 drivers/base/bus.c:699
 driver_register+0x23a/0x320 drivers/base/driver.c:249
 usb_register_driver+0x1e4/0x390 drivers/usb/core/driver.c:1078
 do_one_initcall+0x250/0x8d0 init/main.c:1382
 do_initcall_level+0x104/0x190 init/main.c:1444
 do_initcalls+0x59/0xa0 init/main.c:1460
 kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
 kernel_init+0x1d/0x1d0 init/main.c:1582
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88802b6da300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802b6da380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b6da400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88802b6da480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b6da500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         d79526b8 Merge tag 'spi-fix-v7.0-merge-window' of git:..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14195722580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4b084d82ac8e0fbd
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=178a0006580000

^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3) 2026-02-16 9:34 ` syzbot 2026-02-21 13:40 ` Hillf Danton @ 2026-02-21 14:35 ` Hillf Danton 2026-02-21 14:53 ` syzbot 2026-02-21 21:57 ` Hillf Danton ` (2 subsequent siblings) 4 siblings, 1 reply; 15+ messages in thread From: Hillf Danton @ 2026-02-21 14:35 UTC (permalink / raw) To: syzbot; +Cc: linux-kernel, syzkaller-bugs > Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview] > syzbot has found a reproducer for the following issue on: > > HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e > dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41 > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000 #syz test --- x/drivers/media/dvb-core/dvb_frontend.c +++ y/drivers/media/dvb-core/dvb_frontend.c @@ -2911,6 +2911,8 @@ static int dvb_frontend_release(struct i mb(); } + dvb_device_get(dvbdev); // for removing dev + dvb_device_get(dvbdev); // for releasing dev ret = dvb_generic_release(inode, file); if (dvbdev->users == -1) { @@ -2931,6 +2933,8 @@ static int dvb_frontend_release(struct i fe->ops.ts_bus_ctrl(fe, 0); } + dvb_remove_device(dvbdev); + dvb_device_put(dvbdev); dvb_frontend_put(fe); return ret; -- ^ permalink raw reply [flat|nested] 15+ messages in thread
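Review bot: calling dvb_remove_device() from dvb_frontend_release() unlinks the device on every close of the frontend node, and the retest shows the consequence directly: `list_del corruption, ffff88802b938400->next is LIST_POISON1` in dvb_remove_device() at dvbdev.c:611, which is the poison value a previous list_del() leaves behind, so the same dvb_device is being removed a second time (by the next close, or by the owner's own teardown). Removing a registered device is the job of the driver's unregister path, not of a file release; drop the dvb_remove_device() call and the "for removing dev" reference that goes with it. The accounting is off as well: two dvb_device_get() calls are matched by a single dvb_device_put() in this hunk, so unless dvb_remove_device() consumes a reference (nothing here shows that it does) every close now leaks one, which would keep the object alive by accident rather than fix the lifetime. Style: kernel code uses /* */ comments, and the `//` comments here will be flagged by checkpatch.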
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
  2026-02-21 14:35 ` Hillf Danton
@ 2026-02-21 14:53   ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2026-02-21 14:53 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in dvb_remove_device

non-paged memory list_del corruption, ffff88802b938400->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6584 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__list_del_entry_valid_or_report+0x10e/0x190 lib/list_debug.c:56
Code: a0 47 a6 8b 48 89 de e8 20 01 80 fc 90 0f 0b 4c 89 e7 e8 b5 c4 61 fd 48 c7 c7 00 48 a6 8b 48 89 de 4c 89 e2 e8 03 01 80 fc 90 <0f> 0b 4c 89 e7 e8 98 c4 61 fd 48 c7 c7 60 48 a6 8b 48 89 de 4c 89
RSP: 0018:ffffc90003b6fa88 EFLAGS: 00010246
RAX: 000000000000004e RBX: ffff88802b938400 RCX: 70c5d03fc278f600
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed1017124923 R12: dead000000000100
R13: dffffc0000000000 R14: dead000000000100 R15: dead000000000122
FS:  000055556ef5d500(0000) GS:ffff888126442000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f467ca4efeb CR3: 0000000025052000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:223 [inline]
 list_del include/linux/list.h:237 [inline]
 dvb_remove_device+0x131/0x280 drivers/media/dvb-core/dvbdev.c:611
 dvb_frontend_release+0x3e6/0x510 drivers/media/dvb-core/dvb_frontend.c:2936
 __fput+0x461/0xa90 fs/file_table.c:469
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 get_signal+0x11c3/0x1310 kernel/signal.c:2807
 arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
 __exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
 exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe67637bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7f8caa78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffc7f8cab60 RCX: 00007fe67637bf79
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000023360 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b30020000 R11: 0000000000000246 R12: 00007ffc7f8caba0
R13: 00007fe6765f5fac R14: 00000000000233c3 R15: 00007fe6765f5fa0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x10e/0x190 lib/list_debug.c:56
Code: a0 47 a6 8b 48 89 de e8 20 01 80 fc 90 0f 0b 4c 89 e7 e8 b5 c4 61 fd 48 c7 c7 00 48 a6 8b 48 89 de 4c 89 e2 e8 03 01 80 fc 90 <0f> 0b 4c 89 e7 e8 98 c4 61 fd 48 c7 c7 60 48 a6 8b 48 89 de 4c 89
RSP: 0018:ffffc90003b6fa88 EFLAGS: 00010246
RAX: 000000000000004e RBX: ffff88802b938400 RCX: 70c5d03fc278f600
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed1017124923 R12: dead000000000100
R13: dffffc0000000000 R14: dead000000000100 R15: dead000000000122
FS:  000055556ef5d500(0000) GS:ffff888126442000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f467ca4efeb CR3: 0000000025052000 CR4: 00000000003526f0


Tested on:

commit:         d79526b8 Merge tag 'spi-fix-v7.0-merge-window' of git:..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=143a8152580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4b084d82ac8e0fbd
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1572f95a580000

^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3) 2026-02-16 9:34 ` syzbot 2026-02-21 13:40 ` Hillf Danton 2026-02-21 14:35 ` Hillf Danton @ 2026-02-21 21:57 ` Hillf Danton 2026-02-21 22:23 ` syzbot 2026-02-22 12:15 ` Hillf Danton 2026-02-23 4:06 ` Hillf Danton 4 siblings, 1 reply; 15+ messages in thread From: Hillf Danton @ 2026-02-21 21:57 UTC (permalink / raw) To: syzbot; +Cc: linux-kernel, syzkaller-bugs > Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview] > syzbot has found a reproducer for the following issue on: > > HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e > dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41 > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000 #syz test --- x/drivers/media/dvb-core/dvb_frontend.c +++ y/drivers/media/dvb-core/dvb_frontend.c @@ -2836,6 +2836,7 @@ static int dvb_frontend_open(struct inod if ((ret = dvb_generic_open(inode, file)) < 0) goto err1; + dvb_device_get(dvbdev); if ((file->f_flags & O_ACCMODE) != O_RDONLY) { /* normal tune mode when opened R/W */ -- ^ permalink raw reply [flat|nested] 15+ messages in thread
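Review bot: the dvb_device_get() added after dvb_generic_open() succeeds has no matching dvb_device_put() anywhere in this patch, so every successful open leaks a reference and the dvb_device is never freed at all; that hides the use-after-free in dvb_frontend_release() instead of fixing it. If the intent is for the open file to pin dvbdev until dvb_frontend_release() has finished looking at it, add the put in dvb_frontend_release() after the last use of dvbdev (after the `dvbdev->users == -1` block), and also drop the reference on every error exit of dvb_frontend_open() that comes after this point, since the function already unwinds through labels such as err1. Note also that this submission was never actually exercised: the syzbot run below died during early boot on a WARNING in apply_wqattrs_prepare() (kernel/workqueue.c:5373) under panic_on_warn, which has nothing to do with dvb-core, so a retest on a tree where that warning is resolved is still needed.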
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
  2026-02-21 21:57 ` Hillf Danton
@ 2026-02-21 22:23   ` syzbot
  0 siblings, 0 replies; 15+ messages in thread
From: syzbot @ 2026-02-21 22:23 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[early boot console output (ACPI tables, CPU topology, memory zones, kernel command line, SLUB and page_owner setup, unhashed-pointer notice) omitted]
[    1.374121][    T0] Kernel/User page tables isolation: enabled
[    1.376324][    T0] Dynamic Preempt: full
[    1.377426][    T0] ------------[ cut here ]------------
[    1.377431][    T0] overflows_flex_counter_type(typeof(*ctx), pwq_tbl, __count)
[    1.377435][    T0] WARNING: kernel/workqueue.c:5373 at apply_wqattrs_prepare+0xa5/0x1f0, CPU#0: swapper/0/0
[    1.377461][    T0] Modules linked in:
[    1.377470][    T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
[    1.377481][    T0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[    1.377488][    T0] RIP: 0010:apply_wqattrs_prepare+0xa5/0x1f0
[    1.377507][    T0] Code: d8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 2b 01 00 00 8b 1b bf 05 00 00 00 89 de e8 55 2b 35 00 83 fb 06 0f 83 ce 00 00 00 90 <0f> 0b 90 48 c7 c0 60 61 5e 8d 48 c1 e8 03 42 80 3c 38 00 74 0c 48
[    1.377516][    T0] RSP: 0000:ffffffff8d807bf8 EFLAGS: 00010097
[    1.377524][    T0] RAX: ffffffff818e73bb RBX: 0000000000000000 RCX: ffffffff8d902f00
[    1.377531][    T0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[    1.377537][    T0] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[    1.377543][    T0] R10: dffffc0000000000 R11: fffffbfff1e912b7 R12: ffff88813fe749c8
[    1.377550][    T0] R13: dffffc0000000000 R14: 0000000000000000 R15: dffffc0000000000
[    1.377562][    T0] FS:  0000000000000000(0000) GS:ffff888126592000(0000) knlGS:0000000000000000
[    1.377572][    T0] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    1.377579][    T0] CR2: ffff88823ffff000 CR3: 000000000d9ba000 CR4: 00000000000000b0
[    1.377588][    T0] Call Trace:
[    1.377593][    T0]  <TASK>
[    1.377599][    T0]  __alloc_workqueue+0xfbe/0x1e70
[    1.377617][    T0]  alloc_workqueue_noprof+0xe3/0x210
[    1.377629][    T0]  ? is_dynamic_key+0xd6/0x1c0
[    1.377644][    T0]  ? __pfx_alloc_workqueue_noprof+0x10/0x10
[    1.377657][    T0]  ? __kmalloc_cache_noprof+0x3a6/0x690
[    1.377670][    T0]  ? workqueue_init_early+0x89b/0xcf0
[    1.377687][    T0]  workqueue_init_early+0xaac/0xcf0
[    1.377700][    T0]  ? __cpuhp_setup_state+0x46/0x60
[    1.377717][    T0]  ? __pfx_workqueue_init_early+0x10/0x10
[    1.377733][    T0]  ? register_trace_event+0x3f7/0x4b0
[    1.377749][    T0]  start_kernel+0x189/0x3d0
[    1.377760][    T0]  x86_64_start_reservations+0x24/0x30
[    1.377773][    T0]  x86_64_start_kernel+0x143/0x1c0
[    1.377786][    T0]  common_startup_64+0x13e/0x147
[    1.377804][    T0]  </TASK>
[    1.377810][    T0] Kernel panic - not syncing: kernel: panic_on_warn set ...
[    1.377816][    T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
[    1.377827][    T0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[    1.377833][    T0] Call Trace:
[    1.377837][    T0]  <TASK>
[    1.377840][    T0]  vpanic+0x56c/0xa60
[    1.377856][    T0]  ? __pfx__printk+0x10/0x10
[    1.377868][    T0]  ? __pfx_vpanic+0x10/0x10
[    1.377881][    T0]  ? is_bpf_text_address+0x292/0x2b0
[    1.377894][    T0]  ? is_bpf_text_address+0x26/0x2b0
[    1.377914][    T0]  panic+0xc5/0xd0
[    1.377928][    T0]  ? __pfx_panic+0x10/0x10
[    1.377947][    T0]  ? common_startup_64+0x13e/0x147
[    1.377959][    T0]  __warn+0x315/0x4f0
[    1.377973][    T0]  ? apply_wqattrs_prepare+0xa5/0x1f0
[    1.377987][    T0]  ? apply_wqattrs_prepare+0xa5/0x1f0
[    1.378000][    T0]  __report_bug+0x29a/0x540
[    1.378020][    T0]  ? apply_wqattrs_prepare+0xa5/0x1f0
[    1.378033][    T0]  ? __pfx___report_bug+0x10/0x10
[    1.378049][    T0]  ? do_raw_spin_unlock+0xf6/0x210
[    1.378064][    T0]  ? _raw_spin_unlock_irqrestore+0x4c/0x80
[    1.378074][    T0]  ? rt_mutex_slowunlock+0x1cb/0x300
[    1.378088][    T0]  ? __pfx_rt_mutex_slowunlock+0x10/0x10
[    1.378102][    T0]  ? apply_wqattrs_prepare+0xa5/0x1f0
[    1.378115][    T0]  report_bug+0x16a/0x220
[    1.378130][    T0]  ? apply_wqattrs_prepare+0xa5/0x1f0
[    1.378142][    T0]  ? apply_wqattrs_prepare+0xa7/0x1f0
[    1.378155][    T0]  handle_bug+0x98/0x200
[    1.378168][    T0]  exc_invalid_op+0x1a/0x50
[    1.378179][    T0]  asm_exc_invalid_op+0x1a/0x20
[    1.378190][    T0] RIP: 0010:apply_wqattrs_prepare+0xa5/0x1f0
[    1.378203][    T0] Code: d8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 2b 01 00 00 8b 1b bf 05 00 00 00 89 de e8 55 2b 35 00 83 fb 06 0f 83 ce 00 00 00 90 <0f> 0b 90 48 c7 c0 60 61 5e 8d 48 c1 e8 03 42 80 3c 38 00 74 0c 48
[    1.378211][    T0] RSP: 0000:ffffffff8d807bf8 EFLAGS: 00010097
[    1.378219][    T0] RAX: ffffffff818e73bb RBX: 0000000000000000 RCX: ffffffff8d902f00
[    1.378226][    T0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[    1.378231][    T0] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[    1.378237][    T0] R10: dffffc0000000000 R11: fffffbfff1e912b7 R12: ffff88813fe749c8
[    1.378244][    T0] R13: dffffc0000000000 R14: 0000000000000000 R15: dffffc0000000000
[    1.378254][    T0]  ? apply_wqattrs_prepare+0x9b/0x1f0
[    1.378270][    T0]  ? apply_wqattrs_prepare+0x9b/0x1f0
[    1.378284][    T0]  __alloc_workqueue+0xfbe/0x1e70
[    1.378300][    T0]  alloc_workqueue_noprof+0xe3/0x210
[    1.378312][    T0]  ? is_dynamic_key+0xd6/0x1c0
[    1.378326][    T0]  ? __pfx_alloc_workqueue_noprof+0x10/0x10
[    1.378339][    T0]  ? __kmalloc_cache_noprof+0x3a6/0x690
[    1.378351][    T0]  ?
workqueue_init_early+0x89b/0xcf0 [ 1.378367][ T0] workqueue_init_early+0xaac/0xcf0 [ 1.378380][ T0] ? __cpuhp_setup_state+0x46/0x60 [ 1.378396][ T0] ? __pfx_workqueue_init_early+0x10/0x10 [ 1.378412][ T0] ? register_trace_event+0x3f7/0x4b0 [ 1.378426][ T0] start_kernel+0x189/0x3d0 [ 1.378436][ T0] x86_64_start_reservations+0x24/0x30 [ 1.378449][ T0] x86_64_start_kernel+0x143/0x1c0 [ 1.378462][ T0] common_startup_64+0x13e/0x147 [ 1.378479][ T0] </TASK> syzkaller build log: go env (err=<nil>) AR='ar' CC='gcc' CGO_CFLAGS='-O2 -g' CGO_CPPFLAGS='' CGO_CXXFLAGS='-O2 -g' CGO_ENABLED='1' CGO_FFLAGS='-O2 -g' CGO_LDFLAGS='-O2 -g' CXX='g++' GCCGO='gccgo' GO111MODULE='auto' GOAMD64='v1' GOARCH='amd64' GOAUTH='netrc' GOBIN='' GOCACHE='/syzkaller/.cache/go-build' GOCACHEPROG='' GODEBUG='' GOENV='/syzkaller/.config/go/env' GOEXE='' GOEXPERIMENT='' GOFIPS140='off' GOFLAGS='' GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build634184225=/tmp/go-build -gno-record-gcc-switches' GOHOSTARCH='amd64' GOHOSTOS='linux' GOINSECURE='' GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod' GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod' GONOPROXY='' GONOSUMDB='' GOOS='linux' GOPATH='/syzkaller/jobs-2/linux/gopath' GOPRIVATE='' GOPROXY='https://proxy.golang.org,direct' GOROOT='/usr/local/go' GOSUMDB='sum.golang.org' GOTELEMETRY='local' GOTELEMETRYDIR='/syzkaller/.config/go/telemetry' GOTMPDIR='' GOTOOLCHAIN='auto' GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64' GOVCS='' GOVERSION='go1.24.4' GOWORK='' PKG_CONFIG='pkg-config' git status (err=<nil>) HEAD detached at 1e62d19825 nothing to commit, working tree clean tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env go list -f '{{.Stale}}' -ldflags="-s -w -X 
github.com/google/syzkaller/prog.GitRevision=1e62d1982527c3b4e18df04d61f2560fa1f434cc -X github.com/google/syzkaller/prog.gitRevisionDate=20260213-152336" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=1e62d1982527c3b4e18df04d61f2560fa1f434cc -X github.com/google/syzkaller/prog.gitRevisionDate=20260213-152336" ./sys/syz-sysgen make .descriptions tput: No value for $TERM and no -T specified tput: No value for $TERM and no -T specified Makefile:31: run command via tools/syz-env for best compatibility, see: Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env bin/syz-sysgen touch .descriptions GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=1e62d1982527c3b4e18df04d61f2560fa1f434cc -X github.com/google/syzkaller/prog.gitRevisionDate=20260213-152336" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog mkdir -p ./bin/linux_amd64 g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \ -m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. 
-Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \ -DHOSTGOOS_linux=1 -DGIT_REVISION=\"1e62d1982527c3b4e18df04d61f2560fa1f434cc\" /usr/bin/ld: /tmp/ccZjc2ZB.o: in function `Connection::Connect(char const*, char const*)': executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking ./tools/check-syzos.sh 2>/dev/null Error text is too large and was truncated, full error text is at: https://syzkaller.appspot.com/x/error.txt?x=17938152580000 Tested on: commit: 8934827d Merge tag 'kmalloc_obj-treewide-v7.0-rc1' of .. git tree: upstream kernel config: https://syzkaller.appspot.com/x/.config?x=5ca447d428dc7079 dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41 compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 patch: https://syzkaller.appspot.com/x/patch.diff?x=114b7c02580000 ^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3) 2026-02-16 9:34 ` syzbot ` (2 preceding siblings ...) 2026-02-21 21:57 ` Hillf Danton @ 2026-02-22 12:15 ` Hillf Danton 2026-02-22 12:46 ` syzbot 2026-02-23 4:06 ` Hillf Danton 4 siblings, 1 reply; 15+ messages in thread From: Hillf Danton @ 2026-02-22 12:15 UTC (permalink / raw) To: syzbot; +Cc: linux-kernel, syzkaller-bugs > Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview] > syzbot has found a reproducer for the following issue on: > > HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e > dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41 > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000 #syz test --- x/drivers/media/dvb-core/dvb_frontend.c +++ y/drivers/media/dvb-core/dvb_frontend.c @@ -3072,12 +3072,15 @@ EXPORT_SYMBOL(dvb_register_frontend); int dvb_unregister_frontend(struct dvb_frontend *fe) { struct dvb_frontend_private *fepriv = fe->frontend_priv; + struct dvb_device *dvbdev; dev_dbg(fe->dvb->device, "%s:\n", __func__); mutex_lock(&frontend_mutex); dvb_frontend_stop(fe); - dvb_remove_device(fepriv->dvbdev); + dvbdev = fepriv->dvbdev; + fepriv->dvbdev = NULL; + dvb_unregister_device(dvbdev); /* fe is invalid now */ mutex_unlock(&frontend_mutex); -- ^ permalink raw reply [flat|nested] 15+ messages in thread
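Review bot: dropping the registration reference here (dvb_unregister_device() in place of dvb_remove_device()) is only safe if every other path that can still reach this dvb_device, in particular a file that is already open on it, holds a reference of its own; nothing in the hunk establishes that, so when an open file is the last holder its release will put the final reference and any access to the device after that put runs on freed memory. Either take a reference per open file and drop it at the very end of the frontend release path, or reorder that path so no field of dvbdev is read after its put. Saving the pointer into the new `dvbdev` local and clearing `fepriv->dvbdev` under frontend_mutex before the call is fine, but the unchanged `/* fe is invalid now */` comment should also say that fepriv->dvbdev is NULL from here on and which later consumer that protects, since a #syz test patch carries no commit message to explain it.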
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
From: syzbot @ 2026-02-22 12:46 UTC
To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in dvb_frontend_release

==================================================================
BUG: KASAN: slab-use-after-free in dvb_frontend_release+0x410/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2916
Read of size 4 at addr ffff88802b9c543c by task syz.0.19/6629

CPU: 1 UID: 0 PID: 6629 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engi[ 145.718954][ T6629] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xba/0x230 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 dvb_frontend_release+0x410/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2916
 __fput+0x461/0xa90 fs/file_table.c:469
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5097f2bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe9efc5af8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffe9efc5be0 RCX: 00007f5097f2bf79
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000023863 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b33620000 R11: 0000000000000246 R12: 00007ffe9efc5c20
R13: 00007f50981a5fac R14: 00000000000238a9 R15: 00007f50981a5fa0
 </TASK>

Allocated by task 1:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5339
 kmalloc_noprof include/linux/slab.h:962 [inline]
 kzalloc_noprof include/linux/slab.h:1200 [inline]
 dvb_register_device+0x2fd/0x21e0 drivers/media/dvb-core/dvbdev.c:472
 dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3051
 vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
 vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
 platform_probe+0xf9/0x190 drivers/base/platform.c:1446
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:661
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
 __driver_attach+0x3e7/0x710 drivers/base/dd.c:1227
 bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
 bus_add_driver+0x348/0x670 drivers/base/bus.c:715
 driver_register+0x23a/0x320 drivers/base/driver.c:249
 vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
 do_one_initcall+0x250/0x8d0 init/main.c:1382
 do_initcall_level+0x104/0x190 init/main.c:1444
 do_initcalls+0x59/0xa0 init/main.c:1460
 kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
 kernel_init+0x1d/0x1d0 init/main.c:1582
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6629:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2687 [inline]
 slab_free mm/slub.c:6124 [inline]
 kfree+0x1c1/0x6c0 mm/slub.c:6442
 dvb_free_device drivers/media/dvb-core/dvbdev.c:616 [inline]
 kref_put include/linux/kref.h:65 [inline]
 dvb_device_put drivers/media/dvb-core/dvbdev.c:629 [inline]
 dvb_generic_release+0x123/0x1c0 drivers/media/dvb-core/dvbdev.c:169
 dvb_frontend_release+0x138/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2914
 __fput+0x461/0xa90 fs/file_table.c:469
 task_work_run+0x1d9/0x270 kernel/task_work.c:233
 resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
 __exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
 exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
 __exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
 syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
 syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
 do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b9c5400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 60 bytes inside of
 freed 512-byte region [ffff88802b9c5400, ffff88802b9c5600)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9c4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe17c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe17c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffea0000ae7101 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 13901801393, free_ts 0
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
 prep_new_page mm/page_alloc.c:1897 [inline]
 get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
 alloc_slab_page mm/slub.c:3255 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3444
 new_slab mm/slub.c:3502 [inline]
 refill_objects+0x334/0x3c0 mm/slub.c:7134
 refill_sheaf mm/slub.c:2804 [inline]
 __pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4578
 alloc_from_pcs mm/slub.c:4681 [inline]
 slab_alloc_node mm/slub.c:4815 [inline]
 __kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5334
 kmalloc_noprof include/linux/slab.h:962 [inline]
 kzalloc_noprof include/linux/slab.h:1200 [inline]
 bus_add_driver+0x165/0x670 drivers/base/bus.c:699
 driver_register+0x23a/0x320 drivers/base/driver.c:249
 usb_register_driver+0x1e4/0x390 drivers/usb/core/driver.c:1078
 do_one_initcall+0x250/0x8d0 init/main.c:1382
 do_initcall_level+0x104/0x190 init/main.c:1444
 do_initcalls+0x59/0xa0 init/main.c:1460
 kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
 kernel_init+0x1d/0x1d0 init/main.c:1582
 ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
page_owner free stack trace missing

Memory state around the buggy address:
 ffff88802b9c5300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88802b9c5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b9c5400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff88802b9c5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802b9c5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Tested on:

commit: 32a92f8c Convert more 'alloc_obj' cases to default GFP..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=178a055a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5ca447d428dc7079
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=14cadd94580000
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3) 2026-02-16 9:34 ` syzbot ` (3 preceding siblings ...) 2026-02-22 12:15 ` Hillf Danton @ 2026-02-23 4:06 ` Hillf Danton 2026-02-23 5:26 ` syzbot 4 siblings, 1 reply; 15+ messages in thread From: Hillf Danton @ 2026-02-23 4:06 UTC (permalink / raw) To: syzbot; +Cc: linux-kernel, syzkaller-bugs > Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview] > syzbot has found a reproducer for the following issue on: > > HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker.. > git tree: upstream > console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e > dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41 > compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000 #syz test --- x/drivers/media/dvb-core/dvb_frontend.c +++ y/drivers/media/dvb-core/dvb_frontend.c @@ -2836,6 +2836,7 @@ static int dvb_frontend_open(struct inod if ((ret = dvb_generic_open(inode, file)) < 0) goto err1; + dvb_device_get(dvbdev); if ((file->f_flags & O_ACCMODE) != O_RDONLY) { /* normal tune mode when opened R/W */ @@ -3077,7 +3078,8 @@ int dvb_unregister_frontend(struct dvb_f mutex_lock(&frontend_mutex); dvb_frontend_stop(fe); - dvb_remove_device(fepriv->dvbdev); + dvb_unregister_device(fepriv->dvbdev); + fepriv->dvbdev = NULL; /* fe is invalid now */ mutex_unlock(&frontend_mutex); -- ^ permalink raw reply [flat|nested] 15+ messages in thread
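Review bot: the `dvb_device_get(dvbdev)` added after `dvb_generic_open()` in dvb_frontend_open() has no matching dvb_device_put() anywhere in this patch, so unless the put lands in a hunk not shown here every successful open leaks one reference and the device is never freed once it has been opened. The put belongs in dvb_frontend_release() after its last access to dvbdev, and every error path of dvb_frontend_open() that can be taken after this line must drop the extra reference as well (the `goto err1` just above shows the function unwinds through error labels). A reproducer that no longer trips KASAN cannot tell a correct lifetime from an object that is simply never released.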
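Review bot: in the dvb_unregister_frontend() hunk the store `fepriv->dvbdev = NULL` now follows the dvb_unregister_device() call instead of preceding it as in the earlier attempt; both orders are equivalent while frontend_mutex is held, but the intent is still undocumented. Extend the `/* fe is invalid now */` comment to say that the registration reference has been dropped and that fepriv->dvbdev is NULL from here on, so that whatever later teardown reads fepriv->dvbdev is visibly expected to cope with NULL rather than with a pointer whose reference is gone.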
* Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)
From: syzbot @ 2026-02-23 5:26 UTC
To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ae466a728017ec940b41@syzkaller.appspotmail.com
Tested-by: syzbot+ae466a728017ec940b41@syzkaller.appspotmail.com

Tested on:

commit: 6de23f81 Linux 7.0-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10953722580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4322f17fa28ade5f
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=157cc152580000

Note: testing is done by a robot and is best-effort only.
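The two test results above differ only in where the last reference to the dvb_device is dropped relative to the release path's final read of it. The following user-space model is an added illustration written for this page, not kernel code and not part of the thread: model_device stands in for struct dvb_device, model_get/model_put for dvb_device_get/dvb_device_put, and a "freed" flag replaces the allocator so that an access after the final put is counted instead of corrupting memory. The sequence it drives (register, open, unregister while the file is still open, close) is the one the reproducer's allocation and free stacks describe; that the 4-byte read in dvb_frontend_release is of a "users" field with -1 meaning "no opener" is an assumption for the model, as is the simplified bookkeeping.

```c
/*
 * Constructed model of the reference ordering discussed in the thread.
 * Not kernel code; names mirror the kernel ones only for readability.
 */
#include <stdio.h>
#include <string.h>

struct model_device {
	int refs;   /* stands in for the kref */
	int users;  /* stands in for dvbdev->users; -1 assumed to mean "no opener" */
	int freed;  /* set instead of returning the memory to the allocator */
	int uaf;    /* number of accesses that happened after the "free" */
};

static void model_free(struct model_device *d)
{
	d->freed = 1;
}

/* Like kref_get(): touching a freed object is itself a use-after-free. */
static void model_get(struct model_device *d)
{
	if (d->freed)
		d->uaf++;
	d->refs++;
}

static void model_put(struct model_device *d)
{
	if (d->freed) {
		d->uaf++;
		return;
	}
	if (--d->refs == 0)
		model_free(d);
}

/* Models the read the report attributes to dvb_frontend_release(). */
static int model_read_users(struct model_device *d)
{
	if (d->freed) {
		d->uaf++;
		return 0;
	}
	return d->users;
}

/* Registration owns one reference, as the allocation stack's dvb_register_device() does. */
static void model_register(struct model_device *d)
{
	memset(d, 0, sizeof(*d));
	d->refs = 1;
	d->users = -1;
}

/* open(): the generic layer takes a reference; the fixed variant takes a second
 * one that belongs to the frontend's own release path (the second patch's get). */
static void model_open(struct model_device *d, int fixed)
{
	model_get(d);
	d->users--;
	if (fixed)
		model_get(d);
}

/* Device removal drops the registration reference, like dvb_unregister_device(). */
static void model_unregister(struct model_device *d)
{
	model_put(d);
}

/* close(): generic release puts its reference and bumps users, then the frontend
 * release inspects users. Buggy ordering: that read follows the final put.
 * Fixed ordering: the open-time reference keeps the object alive until the
 * frontend is done, and is dropped last. */
static int model_release(struct model_device *d, int fixed)
{
	int last_user;

	d->users++;
	model_put(d);                           /* dvb_generic_release() */
	last_user = model_read_users(d) == -1;  /* the read at dvb_frontend.c:2916 */
	if (fixed)
		model_put(d);                       /* matching put for the open-time get */
	return last_user;
}

/* Register, open, unregister while open, close: the reproducer's sequence.
 * Returns the number of use-after-free accesses; *freed_out reports whether
 * the object was eventually released at all (a leak would leave it 0). */
static int run_scenario(int fixed, int *freed_out)
{
	struct model_device dev;

	model_register(&dev);
	model_open(&dev, fixed);
	model_unregister(&dev);
	model_release(&dev, fixed);
	*freed_out = dev.freed;
	return dev.uaf;
}

int main(void)
{
	int freed, uaf;

	uaf = run_scenario(0, &freed);
	printf("buggy ordering: %d use-after-free access(es), freed=%d\n", uaf, freed);
	uaf = run_scenario(1, &freed);
	printf("fixed ordering: %d use-after-free access(es), freed=%d\n", uaf, freed);
	return 0;
}
```

The buggy run reports one access after the free and the fixed run none, while both still free the object exactly once; the second check is the one worth keeping when reviewing a fix of this shape, because a get without a matching put also makes KASAN go quiet.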
Thread overview: 15+ messages
[not found] <CAD9jT-fYG58jR7baSm-1pFaJPO5Fp+sYv+s3YZUjTdUZST9syw@mail.gmail.com>
2026-02-20 7:18 ` [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3) syzbot
[not found] <CAD9jT-dJThQYbDcOTQxp-QiZ-msAfteita6bJcexzU4gZio0GA@mail.gmail.com>
2026-02-19 19:12 ` syzbot
[not found] <CAD9jT-cVX1GVH30EAGvQkbxsDRyuSug1Zcz8Fi-NVbecB6OLnw@mail.gmail.com>
2026-02-19 18:45 ` syzbot
2026-02-14 12:34 syzbot
2026-02-16 9:34 ` syzbot
2026-02-21 13:40 ` Hillf Danton
2026-02-21 13:58 ` syzbot
2026-02-21 14:35 ` Hillf Danton
2026-02-21 14:53 ` syzbot
2026-02-21 21:57 ` Hillf Danton
2026-02-21 22:23 ` syzbot
2026-02-22 12:15 ` Hillf Danton
2026-02-22 12:46 ` syzbot
2026-02-23 4:06 ` Hillf Danton
2026-02-23 5:26 ` syzbot