[syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)


syzbot

Feb 14, 2026, 7:34:38 AM
to linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
Hello,

syzbot found the following issue on:

HEAD commit: cd7a5651db26 alpha: add missing address argument in call t..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1103415a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6d9e410399043c26
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8

Unfortunately, I don't have any reproducer for this issue yet.

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/6546859ef2b7/disk-cd7a5651.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/f2e4c96e79f7/vmlinux-cd7a5651.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7e21013889c0/bzImage-cd7a5651.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae466a...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in dvb_frontend_release+0x40a/0x4d0 drivers/media/dvb-core/dvb_frontend.c:2916
Read of size 4 at addr ffff88802b33a43c by task syz.0.10208/29088

CPU: 1 UID: 0 PID: 29088 Comm: syz.0.10208 Tainted: G L syzkaller #0 PREEMPT(full)
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/24/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
dvb_frontend_release+0x40a/0x4d0 drivers/media/dvb-core/dvb_frontend.c:2916
__fput+0x44f/0xa70 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2310 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0a9c79bc0b
Code: Unable to access opcode bytes at 0x7f0a9c79bbe1.
RSP: 002b:00007f0a9d607f00 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: fffffffffffffffc RBX: 0000000000000006 RCX: 00007f0a9c79bc0b
RDX: 00007f0a9d608fd0 RSI: 0000000080085502 RDI: 0000000000000006
RBP: 00007f0a9d608fd0 R08: 0000000000000001 R09: 00000000ffffffff
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000080085502
R13: 0000000800000000 R14: 0000000000000000 R15: 00007f0a9c85076a
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x31c/0x660 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
dvb_register_frontend+0x649/0x950 drivers/media/dvb-core/dvb_frontend.c:3051
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x3e7/0x710 drivers/base/dd.c:1227
bus_for_each_dev+0x23b/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x345/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x840 init/main.c:1382
do_initcall_level+0x104/0x190 init/main.c:1444
do_initcalls+0x59/0xa0 init/main.c:1460
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
kernel_init+0x1d/0x1d0 init/main.c:1582
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 29088:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2670 [inline]
slab_free mm/slub.c:6082 [inline]
kfree+0x1c1/0x610 mm/slub.c:6399
dvb_free_device drivers/media/dvb-core/dvbdev.c:619 [inline]
kref_put include/linux/kref.h:65 [inline]
dvb_device_put drivers/media/dvb-core/dvbdev.c:632 [inline]
dvb_generic_release+0x11d/0x1b0 drivers/media/dvb-core/dvbdev.c:169
dvb_frontend_release+0x132/0x4d0 drivers/media/dvb-core/dvb_frontend.c:2914
__fput+0x44f/0xa70 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
exit_task_work include/linux/task_work.h:40 [inline]
do_exit+0x69b/0x2310 kernel/exit.c:971
do_group_exit+0x21b/0x2d0 kernel/exit.c:1112
get_signal+0x1284/0x1330 kernel/signal.c:3034
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b33a400
which belongs to the cache kmalloc-256 of size 256
The buggy address is located 60 bytes inside of
freed 256-byte region [ffff88802b33a400, ffff88802b33a500)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b33a
head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813fe9db40 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813fe9db40 dead000000000122 0000000000000000
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000001 ffffea0000acce81 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 13065394638, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1883
prep_new_page mm/page_alloc.c:1891 [inline]
get_page_from_freelist+0x24dc/0x2580 mm/page_alloc.c:3956
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5244
alloc_slab_page mm/slub.c:3238 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3411
new_slab mm/slub.c:3469 [inline]
refill_objects+0x331/0x3c0 mm/slub.c:7091
refill_sheaf mm/slub.c:2787 [inline]
__pcs_replace_empty_main+0x2b9/0x620 mm/slub.c:4536
alloc_from_pcs mm/slub.c:4639 [inline]
slab_alloc_node mm/slub.c:4773 [inline]
__kmalloc_cache_noprof+0x392/0x660 mm/slub.c:5292
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
bus_add_driver+0x162/0x670 drivers/base/bus.c:699
driver_register+0x23a/0x320 drivers/base/driver.c:249
usb_register_driver+0x1e4/0x390 drivers/usb/core/driver.c:1078
do_one_initcall+0x250/0x840 init/main.c:1382
do_initcall_level+0x104/0x190 init/main.c:1444
do_initcalls+0x59/0xa0 init/main.c:1460
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
kernel_init+0x1d/0x1d0 init/main.c:1582
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
page_owner free stack trace missing

Memory state around the buggy address:
ffff88802b33a300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802b33a380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b33a400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802b33a480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802b33a500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want to overwrite the report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

syzbot

Feb 16, 2026, 4:34:37 AM
to linux-...@vger.kernel.org, linux...@vger.kernel.org, mch...@kernel.org, syzkall...@googlegroups.com
syzbot has found a reproducer for the following issue on:

HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/b33c549157ca/disk-c22e26bd.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/34c7ded19553/vmlinux-c22e26bd.xz
kernel image: https://storage.googleapis.com/syzbot-assets/66faec2158ed/bzImage-c22e26bd.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+ae466a...@syzkaller.appspotmail.com

==================================================================
BUG: KASAN: slab-use-after-free in dvb_frontend_release+0x410/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2916
Read of size 4 at addr ffff88802b75b83c by task syz.0.18/5958

CPU: 1 UID: 0 PID: 5958 Comm: syz.0.18 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
dvb_frontend_release+0x410/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2916
__fput+0x45e/0xa80 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
get_signal+0x11c3/0x1310 kernel/signal.c:2807
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fc97690bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffed13b68c8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffed13b69b0 RCX: 00007fc97690bf79
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 00000000000195a3 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b2d420000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fc976b85fac R14: 00007fc976b85fa8 R15: 00007fc976b85fa0
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3051
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x348/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 5958:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2670 [inline]
slab_free mm/slub.c:6082 [inline]
kfree+0x1c1/0x690 mm/slub.c:6399
dvb_free_device drivers/media/dvb-core/dvbdev.c:619 [inline]
kref_put include/linux/kref.h:65 [inline]
dvb_device_put drivers/media/dvb-core/dvbdev.c:632 [inline]
dvb_generic_release+0x123/0x1c0 drivers/media/dvb-core/dvbdev.c:169
dvb_frontend_release+0x138/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2914
__fput+0x45e/0xa80 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
get_signal+0x11c3/0x1310 kernel/signal.c:2807
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b75b800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 60 bytes inside of
freed 512-byte region [ffff88802b75b800, ffff88802b75ba00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b758
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffea0000add601 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 14639760172, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3950
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5245
alloc_slab_page mm/slub.c:3238 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3411
new_slab mm/slub.c:3469 [inline]
refill_objects+0x334/0x3c0 mm/slub.c:7091
refill_sheaf mm/slub.c:2787 [inline]
__pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4536
alloc_from_pcs mm/slub.c:4639 [inline]
slab_alloc_node mm/slub.c:4773 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5292
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
set_kthread_struct+0xbb/0x340 kernel/kthread.c:125
copy_process+0x128c/0x3d00 kernel/fork.c:2152
kernel_clone+0x249/0x7f0 kernel/fork.c:2654
kernel_thread+0x13f/0x1b0 kernel/fork.c:2715
create_kthread kernel/kthread.c:490 [inline]
kthreadd+0x4ec/0x6e0 kernel/kthread.c:849
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page_owner free stack trace missing

Memory state around the buggy address:
ffff88802b75b700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802b75b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b75b800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802b75b880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802b75b900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

syzbot

Feb 19, 2026, 1:45:07 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com, ttt9...@gmail.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

failed to apply patch:
checking file drivers/media/dvb-core/dvb_frontend.c
patch: **** unexpected end of file in patch



Tested on:

commit: c22e26bd Merge tag 'landlock-7.0-rc1' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
patch: https://syzkaller.appspot.com/x/patch.diff?x=13b541e6580000

syzbot

Feb 19, 2026, 2:12:05 PM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com, ttt9...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in dvb_device_open

==================================================================
BUG: KASAN: slab-use-after-free in dvb_device_open+0xc4/0x360 drivers/media/dvb-core/dvbdev.c:99
Read of size 8 at addr ffff88802b430818 by task syz.0.19/6566

CPU: 1 UID: 0 PID: 6566 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
dvb_device_open+0xc4/0x360 drivers/media/dvb-core/dvbdev.c:99
chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
do_dentry_open+0x83d/0x13e0 fs/open.c:949
vfs_open+0x3b/0x350 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x2e3d/0x38a0 fs/namei.c:4830
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f6a5c68c84e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f6a5bd25b28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f6a5bd266c0 RCX: 00007f6a5c68c84e
RDX: 0000000000000400 RSI: 00007f6a5bd25c00 RDI: ffffffffffffff9c
RBP: 00007f6a5bd25c00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
R13: 00007f6a5c946038 R14: 00007f6a5c945fa0 R15: 00007ffc29cccd18
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3053
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x348/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6559:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2670 [inline]
slab_free mm/slub.c:6082 [inline]
kfree+0x1c1/0x690 mm/slub.c:6399
dvb_frontend_release+0x3de/0x500 drivers/media/dvb-core/dvb_frontend.c:2935
__fput+0x45e/0xa80 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b430800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
freed 512-byte region [ffff88802b430800, ffff88802b430a00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b430
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffea0000ad0c01 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 14672887637, free_ts 14671573424
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3950
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5245
alloc_slab_page mm/slub.c:3238 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3411
new_slab mm/slub.c:3469 [inline]
refill_objects+0x334/0x3c0 mm/slub.c:7091
refill_sheaf mm/slub.c:2787 [inline]
__pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4536
alloc_from_pcs mm/slub.c:4639 [inline]
slab_alloc_node mm/slub.c:4773 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5292
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3053
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_frozen_pages+0xfd0/0x1160 mm/page_alloc.c:2973
stack_depot_save_flags+0x40e/0x810 lib/stackdepot.c:735
kasan_save_stack mm/kasan/common.c:58 [inline]
kasan_save_track+0x4f/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
kobject_uevent_env+0x28f/0x9e0 lib/kobject_uevent.c:540
device_add+0x557/0xb80 drivers/base/core.c:3670
i2c_new_client_device+0xa1f/0x1160 drivers/i2c/i2c-core-base.c:1019
dvb_module_probe+0x1c7/0x310 drivers/media/dvb-core/dvbdev.c:1042
vidtv_bridge_probe_tuner drivers/media/test-drivers/vidtv/vidtv_bridge.c:405 [inline]
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:432 [inline]
vidtv_bridge_probe+0x93b/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383

Memory state around the buggy address:
ffff88802b430700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802b430780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b430800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802b430880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802b430900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: c22e26bd Merge tag 'landlock-7.0-rc1' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12ebf652580000
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1733495a580000

syzbot

Feb 20, 2026, 2:18:04 AM
to linux-...@vger.kernel.org, syzkall...@googlegroups.com, ttt9...@gmail.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in dvb_device_open

==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in refcount_read include/linux/refcount.h:170 [inline]
BUG: KASAN: slab-use-after-free in __refcount_add_not_zero include/linux/refcount.h:176 [inline]
BUG: KASAN: slab-use-after-free in __refcount_inc_not_zero include/linux/refcount.h:317 [inline]
BUG: KASAN: slab-use-after-free in refcount_inc_not_zero include/linux/refcount.h:335 [inline]
BUG: KASAN: slab-use-after-free in kref_get_unless_zero include/linux/kref.h:133 [inline]
BUG: KASAN: slab-use-after-free in dvb_device_open+0x117/0x590 drivers/media/dvb-core/dvbdev.c:99
Read of size 4 at addr ffff88802bb50010 by task syz.0.19/6537

CPU: 1 UID: 0 PID: 6537 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
refcount_read include/linux/refcount.h:170 [inline]
__refcount_add_not_zero include/linux/refcount.h:176 [inline]
__refcount_inc_not_zero include/linux/refcount.h:317 [inline]
refcount_inc_not_zero include/linux/refcount.h:335 [inline]
kref_get_unless_zero include/linux/kref.h:133 [inline]
dvb_device_open+0x117/0x590 drivers/media/dvb-core/dvbdev.c:99
chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
do_dentry_open+0x83d/0x13e0 fs/open.c:949
vfs_open+0x3b/0x350 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x2e3d/0x38a0 fs/namei.c:4830
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f8a3bbbc84e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f8a3b25db28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f8a3b25e6c0 RCX: 00007f8a3bbbc84e
RDX: 0000000000000400 RSI: 00007f8a3b25dc00 RDI: ffffffffffffff9c
RBP: 00007f8a3b25dc00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
R13: 00007f8a3be76038 R14: 00007f8a3be75fa0 R15: 00007ffd6024f3a8
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5297
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:477
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3053
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x349/0x640 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x348/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6534:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2670 [inline]
slab_free mm/slub.c:6082 [inline]
kfree+0x1c1/0x690 mm/slub.c:6399
dvb_frontend_release+0x3de/0x500 drivers/media/dvb-core/dvb_frontend.c:2935
__fput+0x45e/0xa80 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
get_signal+0x11c3/0x1310 kernel/signal.c:2807
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802bb50000
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 16 bytes inside of
freed 512-byte region [ffff88802bb50000, ffff88802bb50200)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2bb50
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe0dc80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffea0000aed401 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 14383756285, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x228/0x280 mm/page_alloc.c:1884
prep_new_page mm/page_alloc.c:1892 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3950
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5245
alloc_slab_page mm/slub.c:3238 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3411
new_slab mm/slub.c:3469 [inline]
refill_objects+0x334/0x3c0 mm/slub.c:7091
refill_sheaf mm/slub.c:2787 [inline]
__pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4536
alloc_from_pcs mm/slub.c:4639 [inline]
slab_alloc_node mm/slub.c:4773 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5292
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
device_private_init drivers/base/core.c:3534 [inline]
device_add+0xbe/0xb80 drivers/base/core.c:3585
platform_device_add+0x46a/0x800 drivers/base/platform.c:757
vidtv_bridge_init+0x12/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:594
do_one_initcall+0x250/0x840 init/main.c:1378
do_initcall_level+0x104/0x190 init/main.c:1440
do_initcalls+0x59/0xa0 init/main.c:1456
kernel_init_freeable+0x2a6/0x3d0 init/main.c:1688
kernel_init+0x1d/0x1d0 init/main.c:1578
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
page_owner free stack trace missing

Memory state around the buggy address:
ffff88802bb4ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88802bb4ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802bb50000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802bb50080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802bb50100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: c22e26bd Merge tag 'landlock-7.0-rc1' of git://git.ker..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16c73c02580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f7195a580000

Paletka

Feb 20, 2026, 2:33:44 AM
to syzbot+ae466a...@syzkaller.appspotmail.com, syzkall...@googlegroups.com
#syz test upstream c22e26bd0906e9c8325462993f01adb16b8ea2c0
0001-KASAN-slab-use-after-free-Read-in-dvb_frontend_relea.patch


--- a/drivers/media/dvb-core/dvb_frontend.c
+++ b/drivers/media/dvb-core/dvb_frontend.c
@@ -2911,6 +2911,7 @@ static int dvb_frontend_release(struct inode *inode, struct file *file)
                mb();
        }
 
+       dvb_device_get(dvbdev);
        ret = dvb_generic_release(inode, file);
 
        if (dvbdev->users == -1) {
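Review bot: the reference taken here only defers the kfree; it does not close the race the report describes. dvb_device_get(dvbdev) before dvb_generic_release() keeps dvbdev alive until the matching put at the end of this function, but the faulting read in the report is kref_get_unless_zero() in dvb_device_open() (dvbdev.c:99), which runs in another task and locates the dvbdev before that task holds any reference. Moving the free from one point inside dvb_frontend_release() to another leaves that lookup unsynchronised with the final put, so the same read-after-free stays possible. The lookup-and-get in dvb_device_open() needs to be serialised against the last put (a lock held over both, or unlinking the device before its final reference is dropped) rather than relying on a temporary reference held by the closing task.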
@@ -2931,6 +2932,7 @@ static int dvb_frontend_release(struct inode *inode, struct file *file)
                        fe->ops.ts_bus_ctrl(fe, 0);
        }
 
+       dvb_device_put(dvbdev);
        dvb_frontend_put(fe);
 
        return ret;
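Review bot: this put is where the deferred free now happens, still on the close path and still with nothing stopping a concurrent open, so it merely moves the kfree that the report shows at dvb_frontend.c:2935 to this line. The placement itself is consistent: it comes after the last dereference of dvbdev in the `dvbdev->users == -1` block and before dvb_frontend_put(fe), which is correct for the pair. If the intent is only to keep dvbdev valid across that block, a one-line comment next to the dvb_device_get() saying so would make the lifetime rule explicit for the next reader.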

Hillf Danton

Feb 21, 2026, 8:40:28 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

#syz test

--- x/drivers/media/dvb-core/dvb_frontend.c
+++ y/drivers/media/dvb-core/dvb_frontend.c
@@ -2911,6 +2911,7 @@ static int dvb_frontend_release(struct i
mb();
}

+ dvb_device_get(dvbdev);
ret = dvb_generic_release(inode, file);

if (dvbdev->users == -1) {
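Review bot: this is the same change as the earlier patch in the thread (a dvb_device_get() before dvb_generic_release() paired with a put at the end of the function) and has the same gap: the read KASAN flags is kref_get_unless_zero() in dvb_device_open() (dvbdev.c:99) in a different task, executed before that task owns any reference, so an extra reference held by the closing task only postpones the kfree until the put below. syzbot's result for this patch further down the page (still slab-use-after-free in dvb_device_open) matches that. The fix needs to protect the lookup in dvb_device_open() against the final put, not extend the object's lifetime inside release.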
@@ -2930,6 +2931,7 @@ static int dvb_frontend_release(struct i
if (fe->ops.ts_bus_ctrl)
fe->ops.ts_bus_ctrl(fe, 0);
}
+ dvb_device_put(dvbdev);

dvb_frontend_put(fe);

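Review bot: the dvb_device_put(dvbdev) sits directly after the closing brace of the `dvbdev->users == -1` block and before dvb_frontend_put(fe), so every dereference of dvbdev in this function is covered by the reference taken at the top; that ordering is fine. The reference it drops is the same temporary one, however, so the object can still be freed on this line while another task is inside dvb_device_open(). Since the request carries no description beyond `#syz test`, a comment at the get stating what the temporary reference is meant to protect would help whoever picks this up.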
--

syzbot

Feb 21, 2026, 8:58:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in dvb_device_open

==================================================================
BUG: KASAN: slab-use-after-free in dvb_device_open+0xc4/0x360 drivers/media/dvb-core/dvbdev.c:99
Read of size 8 at addr ffff88802b6da418 by task syz.0.19/6637

CPU: 1 UID: 0 PID: 6637 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
dvb_device_open+0xc4/0x360 drivers/media/dvb-core/dvbdev.c:99
chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
do_dentry_open+0x83d/0x13e0 fs/open.c:949
vfs_open+0x3b/0x350 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x2e43/0x38a0 fs/namei.c:4830
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f0b55cdc84e
Code: 08 0f 85 a5 a8 ff ff 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 80 00 00 00 00 48 83 ec 08
RSP: 002b:00007f0b5537db28 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f0b5537e6c0 RCX: 00007f0b55cdc84e
RDX: 0000000000000400 RSI: 00007f0b5537dc00 RDI: ffffffffffffff9c
RBP: 00007f0b5537dc00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: cccccccccccccccd
R13: 00007f0b55f96038 R14: 00007f0b55f95fa0 R15: 00007ffc62e6c1b8
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5339
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
dvb_register_device+0x2fd/0x2210 drivers/media/dvb-core/dvbdev.c:475
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3053
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x3e7/0x710 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x348/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x8d0 init/main.c:1382
do_initcall_level+0x104/0x190 init/main.c:1444
do_initcalls+0x59/0xa0 init/main.c:1460
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
kernel_init+0x1d/0x1d0 init/main.c:1582
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6634:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2687 [inline]
slab_free mm/slub.c:6124 [inline]
kfree+0x1c1/0x6c0 mm/slub.c:6442
dvb_frontend_release+0x3de/0x500 drivers/media/dvb-core/dvb_frontend.c:2934
__fput+0x461/0xa90 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b6da400
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
freed 512-byte region [ffff88802b6da400, ffff88802b6da600)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b6d8
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe1cc80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe1cc80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffea0000adb601 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 13477098013, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
alloc_slab_page mm/slub.c:3255 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3444
new_slab mm/slub.c:3502 [inline]
refill_objects+0x334/0x3c0 mm/slub.c:7134
refill_sheaf mm/slub.c:2804 [inline]
__pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4578
alloc_from_pcs mm/slub.c:4681 [inline]
slab_alloc_node mm/slub.c:4815 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5334
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1204 [inline]
bus_add_driver+0x165/0x670 drivers/base/bus.c:699
driver_register+0x23a/0x320 drivers/base/driver.c:249
usb_register_driver+0x1e4/0x390 drivers/usb/core/driver.c:1078
do_one_initcall+0x250/0x8d0 init/main.c:1382
do_initcall_level+0x104/0x190 init/main.c:1444
do_initcalls+0x59/0xa0 init/main.c:1460
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
kernel_init+0x1d/0x1d0 init/main.c:1582
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
page_owner free stack trace missing

Memory state around the buggy address:
ffff88802b6da300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802b6da380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b6da400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802b6da480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802b6da500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: d79526b8 Merge tag 'spi-fix-v7.0-merge-window' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14195722580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4b084d82ac8e0fbd
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=178a0006580000

Hillf Danton

Feb 21, 2026, 9:36:06 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

#syz test

--- x/drivers/media/dvb-core/dvb_frontend.c
+++ y/drivers/media/dvb-core/dvb_frontend.c
@@ -2911,6 +2911,8 @@ static int dvb_frontend_release(struct i
mb();
}

+ dvb_device_get(dvbdev); // for removing dev
+ dvb_device_get(dvbdev); // for releasing dev
ret = dvb_generic_release(inode, file);

if (dvbdev->users == -1) {
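Review bot: two references are taken back to back with comments naming different consumers, but only one explicit drop is visible in the patch. The `// for removing dev` comment implies dvb_remove_device() consumes a reference and `// for releasing dev` pairs with the dvb_device_put() added below; if dvb_remove_device() does not drop one, this leaks a reference on every close and dvbdev is never freed. Either way the pairing should be spelled out. Also, `//` comments are not kernel style for this file; use `/* ... */`.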
@@ -2931,6 +2933,8 @@ static int dvb_frontend_release(struct i
fe->ops.ts_bus_ctrl(fe, 0);
}

+ dvb_remove_device(dvbdev);
+ dvb_device_put(dvbdev);
dvb_frontend_put(fe);

return ret;
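Review bot: calling dvb_remove_device(dvbdev) from every dvb_frontend_release() is a logic problem: removal is one-time teardown owned by the driver's unregister path, while release runs once per open file. On a second close, or on a close after the driver has already unregistered the device, list_del() runs on an entry that is already unlinked, which is exactly the `list_del corruption, ->next is LIST_POISON1` crash in dvb_remove_device() that syzbot reports for this patch further down the page. The use-after-free should be addressed by ordering the final dvb_device_put() against the lookup in dvb_device_open(), not by unregistering the device from the file release path.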
--

syzbot

Feb 21, 2026, 9:53:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
BUG: corrupted list in dvb_remove_device

non-paged memory
list_del corruption, ffff88802b938400->next is LIST_POISON1 (dead000000000100)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:58!
Oops: invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 1 UID: 0 PID: 6584 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__list_del_entry_valid_or_report+0x10e/0x190 lib/list_debug.c:56
Code: a0 47 a6 8b 48 89 de e8 20 01 80 fc 90 0f 0b 4c 89 e7 e8 b5 c4 61 fd 48 c7 c7 00 48 a6 8b 48 89 de 4c 89 e2 e8 03 01 80 fc 90 <0f> 0b 4c 89 e7 e8 98 c4 61 fd 48 c7 c7 60 48 a6 8b 48 89 de 4c 89
RSP: 0018:ffffc90003b6fa88 EFLAGS: 00010246
RAX: 000000000000004e RBX: ffff88802b938400 RCX: 70c5d03fc278f600
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed1017124923 R12: dead000000000100
R13: dffffc0000000000 R14: dead000000000100 R15: dead000000000122
FS: 000055556ef5d500(0000) GS:ffff888126442000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f467ca4efeb CR3: 0000000025052000 CR4: 00000000003526f0
Call Trace:
<TASK>
__list_del_entry_valid include/linux/list.h:132 [inline]
__list_del_entry include/linux/list.h:223 [inline]
list_del include/linux/list.h:237 [inline]
dvb_remove_device+0x131/0x280 drivers/media/dvb-core/dvbdev.c:611
dvb_frontend_release+0x3e6/0x510 drivers/media/dvb-core/dvb_frontend.c:2936
__fput+0x461/0xa90 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
get_signal+0x11c3/0x1310 kernel/signal.c:2807
arch_do_signal_or_restart+0xbc/0x830 arch/x86/kernel/signal.c:337
__exit_to_user_mode_loop kernel/entry/common.c:64 [inline]
exit_to_user_mode_loop+0x86/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fe67637bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc7f8caa78 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffc7f8cab60 RCX: 00007fe67637bf79
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000023360 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b30020000 R11: 0000000000000246 R12: 00007ffc7f8caba0
R13: 00007fe6765f5fac R14: 00000000000233c3 R15: 00007fe6765f5fa0
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x10e/0x190 lib/list_debug.c:56
Code: a0 47 a6 8b 48 89 de e8 20 01 80 fc 90 0f 0b 4c 89 e7 e8 b5 c4 61 fd 48 c7 c7 00 48 a6 8b 48 89 de 4c 89 e2 e8 03 01 80 fc 90 <0f> 0b 4c 89 e7 e8 98 c4 61 fd 48 c7 c7 60 48 a6 8b 48 89 de 4c 89
RSP: 0018:ffffc90003b6fa88 EFLAGS: 00010246
RAX: 000000000000004e RBX: ffff88802b938400 RCX: 70c5d03fc278f600
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: ffffed1017124923 R12: dead000000000100
R13: dffffc0000000000 R14: dead000000000100 R15: dead000000000122
FS: 000055556ef5d500(0000) GS:ffff888126442000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f467ca4efeb CR3: 0000000025052000 CR4: 00000000003526f0


Tested on:

commit: d79526b8 Merge tag 'spi-fix-v7.0-merge-window' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=143a8152580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4b084d82ac8e0fbd
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=1572f95a580000

Hillf Danton

Feb 21, 2026, 4:57:34 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

#syz test

--- x/drivers/media/dvb-core/dvb_frontend.c
+++ y/drivers/media/dvb-core/dvb_frontend.c
@@ -2836,6 +2836,7 @@ static int dvb_frontend_open(struct inod

if ((ret = dvb_generic_open(inode, file)) < 0)
goto err1;
+ dvb_device_get(dvbdev);

if ((file->f_flags & O_ACCMODE) != O_RDONLY) {
/* normal tune mode when opened R/W */
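Review bot: the dvb_device_get() added after dvb_generic_open() has no matching dvb_device_put() anywhere in this patch, so every successful open leaks a reference and dvbdev is never freed. It also cannot address the reported race: the faulting kref_get_unless_zero() in dvb_device_open() (dvbdev.c:99) is reached from chrdev_open(), as the call trace in the report shows, before the frontend's own open and therefore before this line runs, so taking another reference here is too late. Note as well that syzbot could not evaluate this patch: the build/boot failed on an unrelated workqueue warning (`overflows_flex_counter_type(...)` at kernel/workqueue.c:5373 with panic_on_warn set), so the absence of a KASAN report for it says nothing about whether it helps.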
--

syzbot

Feb 21, 2026, 5:23:06 PM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot tried to test the proposed patch but the build/boot failed:

_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[ 0.324084][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[ 0.324103][ T0] ACPI: Using ACPI (MADT) for SMP configuration information
[ 0.324118][ T0] CPU topo: Max. logical packages: 1
[ 0.324122][ T0] CPU topo: Max. logical dies: 1
[ 0.324126][ T0] CPU topo: Max. dies per package: 1
[ 0.324137][ T0] CPU topo: Max. threads per core: 2
[ 0.324142][ T0] CPU topo: Num. cores per package: 1
[ 0.324146][ T0] CPU topo: Num. threads per package: 2
[ 0.324150][ T0] CPU topo: Allowing 2 present CPUs plus 0 hotplug CPUs
[ 0.324260][ T0] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[ 0.324270][ T0] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x000fffff]
[ 0.324278][ T0] PM: hibernation: Registered nosave memory: [mem 0xbfffd000-0xffffffff]
[ 0.324303][ T0] [gap 0xc0000000-0xfffbbfff] available for PCI devices
[ 0.324309][ T0] Booting paravirtualized kernel on KVM
[ 0.324320][ T0] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.457957][ T0] Zone ranges:
[ 0.457966][ T0] DMA [mem 0x0000000000001000-0x0000000000ffffff]
[ 0.457977][ T0] DMA32 [mem 0x0000000001000000-0x00000000ffffffff]
[ 0.457985][ T0] Normal [mem 0x0000000100000000-0x000000023fffffff]
[ 0.457993][ T0] Device empty
[ 0.457998][ T0] Movable zone start for each node
[ 0.458001][ T0] Early memory node ranges
[ 0.458005][ T0] node 0: [mem 0x0000000000001000-0x000000000009efff]
[ 0.458011][ T0] node 0: [mem 0x0000000000100000-0x00000000bfffcfff]
[ 0.458019][ T0] node 0: [mem 0x0000000100000000-0x0000000140000fff]
[ 0.458025][ T0] node 1: [mem 0x0000000140001000-0x000000023fffffff]
[ 0.458034][ T0] Initmem setup node 0 [mem 0x0000000000001000-0x0000000140000fff]
[ 0.458049][ T0] Initmem setup node 1 [mem 0x0000000140001000-0x000000023fffffff]
[ 0.458095][ T0] On node 0, zone DMA: 1 pages in unavailable ranges
[ 0.458339][ T0] On node 0, zone DMA: 97 pages in unavailable ranges
[ 0.520754][ T0] On node 0, zone Normal: 3 pages in unavailable ranges
[ 0.583334][ T0] setup_percpu: NR_CPUS:8 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:2
[ 0.584030][ T0] percpu: Embedded 72 pages/cpu s254408 r8192 d32312 u1048576
[ 0.584054][ T0] pcpu-alloc: s254408 r8192 d32312 u1048576 alloc=1*2097152
[ 0.584066][ T0] pcpu-alloc: [0] 0 1
[ 0.584177][ T0] kvm-guest: PV spinlocks enabled
[ 0.584186][ T0] PV qspinlock hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.584203][ T0] Kernel command line: earlyprintk=serial net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 binder.debug_mask=0 rcupdate.rcu_expedited=1 rcupdate.rcu_cpu_stall_cputime=1 no_hash_pointers page_owner=on sysctl.vm.nr_hugepages=4 sysctl.vm.nr_overcommit_hugepages=4 secretmem.enable=1 sysctl.max_rcu_stall_to_panic=1 msr.allow_writes=off coredump_filter=0xffff root=/dev/sda console=ttyS0 vsyscall=native numa=fake=2 kvm-intel.nested=1 spec_store_bypass_disable=prctl nopcid vivid.n_devs=64 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=32 rose.rose_ndevs=32 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=32 max_loop=32 nbds_max=32 \
[ 0.584229][ T0] Kernel command line: comedi.comedi_num_legacy_minors=4 panic_on_warn=1 BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[ 0.588483][ T0] Unknown kernel command line parameters "nbds_max=32", will be passed to user space.
[ 0.588544][ T0] random: crng init done
[ 0.588547][ T0] printk: log buffer data + meta data: 262144 + 917504 = 1179648 bytes
[ 0.588761][ T0] software IO TLB: area num 2.
[ 0.616645][ T0] Fallback order for Node 0: 0 1
[ 0.616664][ T0] Fallback order for Node 1: 1 0
[ 0.616678][ T0] Built 2 zonelists, mobility grouping on. Total pages: 2097051
[ 0.616685][ T0] Policy zone: Normal
[ 0.617377][ T0] mem auto-init: stack:all(zero), heap alloc:on, heap free:off
[ 0.617385][ T0] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.617395][ T0] stackdepot hash table entries: 1048576 (order: 12, 16777216 bytes, linear)
[ 0.622068][ T0] stackdepot: allocating space for 8192 stack pools via memblock
[ 1.210344][ T0] **********************************************************
[ 1.210354][ T0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 1.210358][ T0] ** **
[ 1.210362][ T0] ** This system shows unhashed kernel memory addresses **
[ 1.210365][ T0] ** via the console, logs, and other interfaces. This **
[ 1.210369][ T0] ** might reduce the security of your system. **
[ 1.210373][ T0] ** **
[ 1.210376][ T0] ** If you see this message and you are not debugging **
[ 1.210380][ T0] ** the kernel, report this immediately to your system **
[ 1.210384][ T0] ** administrator! **
[ 1.210387][ T0] ** **
[ 1.210391][ T0] ** Use hash_pointers=always to force this mode off **
[ 1.210395][ T0] ** **
[ 1.210398][ T0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 1.210402][ T0] **********************************************************
[ 1.213877][ T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[ 1.344641][ T0] allocated 167772160 bytes of page_ext
[ 1.344682][ T0] Node 0, zone DMA: page owner found early allocated 0 pages
[ 1.358368][ T0] Node 0, zone DMA32: page owner found early allocated 21120 pages
[ 1.362689][ T0] Node 0, zone Normal: page owner found early allocated 130 pages
[ 1.373648][ T0] Node 1, zone Normal: page owner found early allocated 19848 pages
serialport: Connected to syzkaller.us-central1-c.ci-upstream-kasan-gce-smack-root-test-job-parallel-0 port 1 (session ID: 27e7da33582c2a1f5960f3e4d1e08a357e0ae697147fe044510b0304e2ed012c, active connections: 1).
[ 1.374121][ T0] Kernel/User page tables isolation: enabled
[ 1.376324][ T0] Dynamic Preempt: full
[ 1.377426][ T0] ------------[ cut here ]------------
[ 1.377431][ T0] overflows_flex_counter_type(typeof(*ctx), pwq_tbl, __count)
[ 1.377435][ T0] WARNING: kernel/workqueue.c:5373 at apply_wqattrs_prepare+0xa5/0x1f0, CPU#0: swapper/0/0
[ 1.377461][ T0] Modules linked in:
[ 1.377470][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
[ 1.377481][ T0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 1.377488][ T0] RIP: 0010:apply_wqattrs_prepare+0xa5/0x1f0
[ 1.377507][ T0] Code: d8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 2b 01 00 00 8b 1b bf 05 00 00 00 89 de e8 55 2b 35 00 83 fb 06 0f 83 ce 00 00 00 90 <0f> 0b 90 48 c7 c0 60 61 5e 8d 48 c1 e8 03 42 80 3c 38 00 74 0c 48
[ 1.377516][ T0] RSP: 0000:ffffffff8d807bf8 EFLAGS: 00010097
[ 1.377524][ T0] RAX: ffffffff818e73bb RBX: 0000000000000000 RCX: ffffffff8d902f00
[ 1.377531][ T0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 1.377537][ T0] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 1.377543][ T0] R10: dffffc0000000000 R11: fffffbfff1e912b7 R12: ffff88813fe749c8
[ 1.377550][ T0] R13: dffffc0000000000 R14: 0000000000000000 R15: dffffc0000000000
[ 1.377562][ T0] FS: 0000000000000000(0000) GS:ffff888126592000(0000) knlGS:0000000000000000
[ 1.377572][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.377579][ T0] CR2: ffff88823ffff000 CR3: 000000000d9ba000 CR4: 00000000000000b0
[ 1.377588][ T0] Call Trace:
[ 1.377593][ T0] <TASK>
[ 1.377599][ T0] __alloc_workqueue+0xfbe/0x1e70
[ 1.377617][ T0] alloc_workqueue_noprof+0xe3/0x210
[ 1.377629][ T0] ? is_dynamic_key+0xd6/0x1c0
[ 1.377644][ T0] ? __pfx_alloc_workqueue_noprof+0x10/0x10
[ 1.377657][ T0] ? __kmalloc_cache_noprof+0x3a6/0x690
[ 1.377670][ T0] ? workqueue_init_early+0x89b/0xcf0
[ 1.377687][ T0] workqueue_init_early+0xaac/0xcf0
[ 1.377700][ T0] ? __cpuhp_setup_state+0x46/0x60
[ 1.377717][ T0] ? __pfx_workqueue_init_early+0x10/0x10
[ 1.377733][ T0] ? register_trace_event+0x3f7/0x4b0
[ 1.377749][ T0] start_kernel+0x189/0x3d0
[ 1.377760][ T0] x86_64_start_reservations+0x24/0x30
[ 1.377773][ T0] x86_64_start_kernel+0x143/0x1c0
[ 1.377786][ T0] common_startup_64+0x13e/0x147
[ 1.377804][ T0] </TASK>
[ 1.377810][ T0] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 1.377816][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
[ 1.377827][ T0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 1.377833][ T0] Call Trace:
[ 1.377837][ T0] <TASK>
[ 1.377840][ T0] vpanic+0x56c/0xa60
[ 1.377856][ T0] ? __pfx__printk+0x10/0x10
[ 1.377868][ T0] ? __pfx_vpanic+0x10/0x10
[ 1.377881][ T0] ? is_bpf_text_address+0x292/0x2b0
[ 1.377894][ T0] ? is_bpf_text_address+0x26/0x2b0
[ 1.377914][ T0] panic+0xc5/0xd0
[ 1.377928][ T0] ? __pfx_panic+0x10/0x10
[ 1.377947][ T0] ? common_startup_64+0x13e/0x147
[ 1.377959][ T0] __warn+0x315/0x4f0
[ 1.377973][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.377987][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378000][ T0] __report_bug+0x29a/0x540
[ 1.378020][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378033][ T0] ? __pfx___report_bug+0x10/0x10
[ 1.378049][ T0] ? do_raw_spin_unlock+0xf6/0x210
[ 1.378064][ T0] ? _raw_spin_unlock_irqrestore+0x4c/0x80
[ 1.378074][ T0] ? rt_mutex_slowunlock+0x1cb/0x300
[ 1.378088][ T0] ? __pfx_rt_mutex_slowunlock+0x10/0x10
[ 1.378102][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378115][ T0] report_bug+0x16a/0x220
[ 1.378130][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378142][ T0] ? apply_wqattrs_prepare+0xa7/0x1f0
[ 1.378155][ T0] handle_bug+0x98/0x200
[ 1.378168][ T0] exc_invalid_op+0x1a/0x50
[ 1.378179][ T0] asm_exc_invalid_op+0x1a/0x20
[ 1.378190][ T0] RIP: 0010:apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378203][ T0] Code: d8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 2b 01 00 00 8b 1b bf 05 00 00 00 89 de e8 55 2b 35 00 83 fb 06 0f 83 ce 00 00 00 90 <0f> 0b 90 48 c7 c0 60 61 5e 8d 48 c1 e8 03 42 80 3c 38 00 74 0c 48
[ 1.378211][ T0] RSP: 0000:ffffffff8d807bf8 EFLAGS: 00010097
[ 1.378219][ T0] RAX: ffffffff818e73bb RBX: 0000000000000000 RCX: ffffffff8d902f00
[ 1.378226][ T0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 1.378231][ T0] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 1.378237][ T0] R10: dffffc0000000000 R11: fffffbfff1e912b7 R12: ffff88813fe749c8
[ 1.378244][ T0] R13: dffffc0000000000 R14: 0000000000000000 R15: dffffc0000000000
[ 1.378254][ T0] ? apply_wqattrs_prepare+0x9b/0x1f0
[ 1.378270][ T0] ? apply_wqattrs_prepare+0x9b/0x1f0
[ 1.378284][ T0] __alloc_workqueue+0xfbe/0x1e70
[ 1.378300][ T0] alloc_workqueue_noprof+0xe3/0x210
[ 1.378312][ T0] ? is_dynamic_key+0xd6/0x1c0
[ 1.378326][ T0] ? __pfx_alloc_workqueue_noprof+0x10/0x10
[ 1.378339][ T0] ? __kmalloc_cache_noprof+0x3a6/0x690
[ 1.378351][ T0] ? workqueue_init_early+0x89b/0xcf0
[ 1.378367][ T0] workqueue_init_early+0xaac/0xcf0
[ 1.378380][ T0] ? __cpuhp_setup_state+0x46/0x60
[ 1.378396][ T0] ? __pfx_workqueue_init_early+0x10/0x10
[ 1.378412][ T0] ? register_trace_event+0x3f7/0x4b0
[ 1.378426][ T0] start_kernel+0x189/0x3d0
[ 1.378436][ T0] x86_64_start_reservations+0x24/0x30
[ 1.378449][ T0] x86_64_start_kernel+0x143/0x1c0
[ 1.378462][ T0] common_startup_64+0x13e/0x147
[ 1.378479][ T0] </TASK>


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build634184225=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 1e62d19825
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=1e62d1982527c3b4e18df04d61f2560fa1f434cc -X github.com/google/syzkaller/prog.gitRevisionDate=20260213-152336" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=1e62d1982527c3b4e18df04d61f2560fa1f434cc -X github.com/google/syzkaller/prog.gitRevisionDate=20260213-152336" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=1e62d1982527c3b4e18df04d61f2560fa1f434cc -X github.com/google/syzkaller/prog.gitRevisionDate=20260213-152336" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"1e62d1982527c3b4e18df04d61f2560fa1f434cc\"
/usr/bin/ld: /tmp/ccZjc2ZB.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=17938152580000


Tested on:

commit: 8934827d Merge tag 'kmalloc_obj-treewide-v7.0-rc1' of ..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=5ca447d428dc7079
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=114b7c02580000

Hillf Danton

Feb 22, 2026, 7:15:33 AM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

#syz test

--- x/drivers/media/dvb-core/dvb_frontend.c
+++ y/drivers/media/dvb-core/dvb_frontend.c
@@ -3072,12 +3072,15 @@ EXPORT_SYMBOL(dvb_register_frontend);
int dvb_unregister_frontend(struct dvb_frontend *fe)
{
struct dvb_frontend_private *fepriv = fe->frontend_priv;
+ struct dvb_device *dvbdev;

dev_dbg(fe->dvb->device, "%s:\n", __func__);

mutex_lock(&frontend_mutex);
dvb_frontend_stop(fe);
- dvb_remove_device(fepriv->dvbdev);
+ dvbdev = fepriv->dvbdev;
+ fepriv->dvbdev = NULL;
+ dvb_unregister_device(dvbdev);

/* fe is invalid now */
mutex_unlock(&frontend_mutex);
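Review bot: clearing fepriv->dvbdev before dvb_unregister_device() does not reach the access that faults. The syzbot run on this patch (below in the thread) shows the object freed by dvb_device_put() inside dvb_generic_release(), called from dvb_frontend_release() at dvb_frontend.c:2914, and then read by dvb_frontend_release() at line 2916; that is the file release path, not dvb_unregister_frontend(), and dvb_frontend_release() is working from its own dvbdev pointer, so a NULL in fepriv->dvbdev is never seen there. The release path needs to hold a reference until its last access to dvbdev, or stop touching dvbdev after dvb_generic_release() returns. Separately, dvb_unregister_device() also drops the device's reference where dvb_remove_device() did not, which changes who does the final put; a comment on the "/* fe is invalid now */" line stating the new ownership rule would help.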
--

syzbot

Feb 22, 2026, 7:46:04 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in dvb_frontend_release

==================================================================
BUG: KASAN: slab-use-after-free in dvb_frontend_release+0x410/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2916
Read of size 4 at addr ffff88802b9c543c by task syz.0.19/6629

CPU: 1 UID: 0 PID: 6629 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
dvb_frontend_release+0x410/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2916
__fput+0x461/0xa90 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f5097f2bf79
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffe9efc5af8 EFLAGS: 00000246 ORIG_RAX: 00000000000001b4
RAX: 0000000000000000 RBX: 00007ffe9efc5be0 RCX: 00007f5097f2bf79
RDX: 0000000000000000 RSI: 000000000000001e RDI: 0000000000000003
RBP: 0000000000023863 R08: 0000000000000001 R09: 0000000000000000
R10: 0000001b33620000 R11: 0000000000000246 R12: 00007ffe9efc5c20
R13: 00007f50981a5fac R14: 00000000000238a9 R15: 00007f50981a5fa0
</TASK>

Allocated by task 1:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5339
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1200 [inline]
dvb_register_device+0x2fd/0x21e0 drivers/media/dvb-core/dvbdev.c:472
dvb_register_frontend+0x665/0x970 drivers/media/dvb-core/dvb_frontend.c:3051
vidtv_bridge_dvb_init drivers/media/test-drivers/vidtv/vidtv_bridge.c:436 [inline]
vidtv_bridge_probe+0x9aa/0xf80 drivers/media/test-drivers/vidtv/vidtv_bridge.c:508
platform_probe+0xf9/0x190 drivers/base/platform.c:1446
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:661
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:803
driver_probe_device+0x4f/0x240 drivers/base/dd.c:833
__driver_attach+0x3e7/0x710 drivers/base/dd.c:1227
bus_for_each_dev+0x23e/0x2c0 drivers/base/bus.c:383
bus_add_driver+0x348/0x670 drivers/base/bus.c:715
driver_register+0x23a/0x320 drivers/base/driver.c:249
vidtv_bridge_init+0x28/0x50 drivers/media/test-drivers/vidtv/vidtv_bridge.c:598
do_one_initcall+0x250/0x8d0 init/main.c:1382
do_initcall_level+0x104/0x190 init/main.c:1444
do_initcalls+0x59/0xa0 init/main.c:1460
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
kernel_init+0x1d/0x1d0 init/main.c:1582
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6629:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2687 [inline]
slab_free mm/slub.c:6124 [inline]
kfree+0x1c1/0x6c0 mm/slub.c:6442
dvb_free_device drivers/media/dvb-core/dvbdev.c:616 [inline]
kref_put include/linux/kref.h:65 [inline]
dvb_device_put drivers/media/dvb-core/dvbdev.c:629 [inline]
dvb_generic_release+0x123/0x1c0 drivers/media/dvb-core/dvbdev.c:169
dvb_frontend_release+0x138/0x4e0 drivers/media/dvb-core/dvb_frontend.c:2914
__fput+0x461/0xa90 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff88802b9c5400
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 60 bytes inside of
freed 512-byte region [ffff88802b9c5400, ffff88802b9c5600)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2b9c4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000040(head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000040 ffff88813fe17c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000040 ffff88813fe17c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 0080000000000002 ffffea0000ae7101 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 1, tgid 1 (swapper/0), ts 13901801393, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
alloc_slab_page mm/slub.c:3255 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3444
new_slab mm/slub.c:3502 [inline]
refill_objects+0x334/0x3c0 mm/slub.c:7134
refill_sheaf mm/slub.c:2804 [inline]
__pcs_replace_empty_main+0x328/0x5f0 mm/slub.c:4578
alloc_from_pcs mm/slub.c:4681 [inline]
slab_alloc_node mm/slub.c:4815 [inline]
__kmalloc_cache_noprof+0x44e/0x690 mm/slub.c:5334
kmalloc_noprof include/linux/slab.h:962 [inline]
kzalloc_noprof include/linux/slab.h:1200 [inline]
bus_add_driver+0x165/0x670 drivers/base/bus.c:699
driver_register+0x23a/0x320 drivers/base/driver.c:249
usb_register_driver+0x1e4/0x390 drivers/usb/core/driver.c:1078
do_one_initcall+0x250/0x8d0 init/main.c:1382
do_initcall_level+0x104/0x190 init/main.c:1444
do_initcalls+0x59/0xa0 init/main.c:1460
kernel_init_freeable+0x2a6/0x3e0 init/main.c:1692
kernel_init+0x1d/0x1d0 init/main.c:1582
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
page_owner free stack trace missing

Memory state around the buggy address:
ffff88802b9c5300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88802b9c5380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88802b9c5400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802b9c5480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802b9c5500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit: 32a92f8c Convert more 'alloc_obj' cases to default GFP..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=178a055a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5ca447d428dc7079
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=14cadd94580000
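
The report above pins the bug to an ordering problem in the file-release path: dvb_generic_release() drops what turns out to be the last reference to the dvb_device (dvb_device_put -> kref_put -> dvb_free_device -> kfree, at dvb_frontend.c:2914), and dvb_frontend_release() reads the object two lines later, at :2916. The following user-space model is added here as an illustration; it is not code from this thread, from the patch author, or from the kernel. It reproduces that ordering with a kref-like counter and a quarantined "free" so the stale read is reported instead of corrupting memory. Every identifier in it (model_dev, scenario, frontend_release_buggy and so on) is invented for the example, and the accounting it assumes, one reference for registration plus one per open file, is the example's model of how the real object is kept alive, not a statement about the kernel's code.

```c
/*
 * Added example, not code from this thread or from the kernel: a user-space model
 * of the release-ordering bug in the KASAN report above. It assumes the dvb_device
 * is kept alive by one reference for registration plus one per open file (dropped
 * by the generic release). The buggy release drops the file's reference and then
 * reads the object; the fixed one keeps an extra open-time reference until after
 * its last access. All identifiers below are invented for the example.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>

#define REL_USE_AFTER_FREE (-1)

struct model_dev {
    int refcount;   /* stands in for the kref in dvb_device */
    int users;      /* stands in for dvb_device.users, read by the release path */
    bool freed;     /* set by the last put; memory is kept, like a KASAN quarantine */
};

static struct model_dev *model_register(void)
{
    struct model_dev *d = calloc(1, sizeof(*d));
    assert(d != NULL);
    d->refcount = 1;         /* the registration reference */
    return d;
}

static void model_get(struct model_dev *d)
{
    assert(!d->freed);       /* a get on a freed object is a bug in its own right */
    d->refcount++;
}

static void model_put(struct model_dev *d)
{
    assert(!d->freed);
    if (--d->refcount == 0)
        d->freed = true;     /* the kfree in the report */
}

/* The read at dvb_frontend.c:2916 in the report; reports staleness instead of faulting. */
static int model_read_users(const struct model_dev *d)
{
    return d->freed ? REL_USE_AFTER_FREE : d->users;
}

/* Open path: the file takes its own reference and bumps the user count. */
static void model_open(struct model_dev *d)
{
    model_get(d);
    d->users++;
}

/* dvb_generic_release(): drop the user count, then the file's reference. */
static void model_generic_release(struct model_dev *d)
{
    d->users--;
    model_put(d);
}

/* Buggy ordering from the report: generic release first, touch the device after. */
static int frontend_release_buggy(struct model_dev *d)
{
    model_generic_release(d);       /* may have dropped the last reference */
    return model_read_users(d);     /* stale if it did */
}

/* Fixed ordering: the extra open-time reference is dropped only after the last access. */
static int frontend_release_fixed(struct model_dev *d)
{
    int users;
    model_generic_release(d);       /* drops the file's reference; the extra one is still held */
    users = model_read_users(d);
    model_put(d);                   /* balances the extra get taken at open */
    return users;
}

/* Run one scenario and return what the release path read. "patched" takes the extra
 * reference at open (the dvb_device_get() of the second patch); "unregister_first"
 * drops the registration reference before the close, as the reproducer does. */
static int scenario(bool patched, bool unregister_first)
{
    struct model_dev *d = model_register();
    int r;

    model_open(d);
    if (patched)
        model_get(d);
    if (unregister_first)
        model_put(d);               /* dvb_unregister_device() dropping the registration reference */
    r = patched ? frontend_release_fixed(d) : frontend_release_buggy(d);
    if (!unregister_first)
        model_put(d);               /* unregistering after the close never hits a freed object */
    free(d);                        /* give the model's quarantined memory back */
    return r;
}
```

scenario(false, true) returns the use-after-free marker, scenario(false, false) returns 0: the buggy ordering is only observable when the device was unregistered before the close, which is the sequence the reproducer drives and why the same code runs fine in normal operation. scenario(true, true) returns 0. The fix is not the extra get by itself but the placement of the matching put after the last access in the release path; a get without that put would simply leak the object.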

Hillf Danton

Feb 22, 2026, 11:06:24 PM
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

#syz test

--- x/drivers/media/dvb-core/dvb_frontend.c
+++ y/drivers/media/dvb-core/dvb_frontend.c
@@ -2836,6 +2836,7 @@ static int dvb_frontend_open(struct inod

if ((ret = dvb_generic_open(inode, file)) < 0)
goto err1;
+ dvb_device_get(dvbdev);

if ((file->f_flags & O_ACCMODE) != O_RDONLY) {
/* normal tune mode when opened R/W */
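Review bot: the new dvb_device_get(dvbdev) has no matching dvb_device_put() anywhere in the patch as quoted, so either the put lives in a part of dvb_frontend_release() that is not shown in this mail, or every open now leaks a reference and the dvb_device is never freed. Please show the put; it belongs after the last access to dvbdev in dvb_frontend_release(), that is after dvb_generic_release() returns, since the report places the previous final put inside that call (dvb_frontend.c:2914) and the stale read two lines later (:2916). The error paths that follow this line in dvb_frontend_open() also need to drop the new reference if the open fails after it is taken; the hunk does not show them. syzbot's clean run on this patch shows the reproducer no longer triggers, not that the reference is balanced.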
@@ -3077,7 +3078,8 @@ int dvb_unregister_frontend(struct dvb_f

mutex_lock(&frontend_mutex);
dvb_frontend_stop(fe);
- dvb_remove_device(fepriv->dvbdev);
+ dvb_unregister_device(fepriv->dvbdev);
+ fepriv->dvbdev = NULL;
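Review bot: the hunk is cut off in this mail after "+ fepriv->dvbdev = NULL;" (the header announces 7 old and 8 new lines, six are shown), so the trailing context and whatever follows in dvb_unregister_frontend() cannot be reviewed here. On the visible lines: dvb_unregister_device() drops the device's reference where dvb_remove_device() did not, so from this call on the dvb_device survives only through references held by open files, and clearing fepriv->dvbdev afterwards is correct only if every remaining reader of fepriv->dvbdev tolerates NULL; a one-line comment here saying that the release path now does the final put would make the ownership rule explicit. The earlier attempt, which changed only this function, still crashed under syzbot, so the open-side reference in the first hunk is what changes the outcome, not this hunk on its own.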

syzbot

Feb 23, 2026, 12:26:05 AM
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+ae466a...@syzkaller.appspotmail.com
Tested-by: syzbot+ae466a...@syzkaller.appspotmail.com

Tested on:

commit: 6de23f81 Linux 7.0-rc1
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10953722580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4322f17fa28ade5f
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=157cc152580000

Note: testing is done by a robot and is best-effort only.