syzbot

tool grepper failed: error: failed to run ["git" "grep" "--extended-regexp" "--line-number" "--show-function" "-C1" "--no-color" "->phys ="]: exit status 129
error: unknown switch `>'
usage: git grep [<options>] [-e] <pattern> [<rev>...] [[--] <path>...]

    --[no-]cached         search in index instead of in the work tree
    --no-index            find in contents not managed by git
    --index               opposite of --no-index
    --[no-]untracked      search in both tracked and untracked files
    --[no-]exclude-standard
                          ignore files specified via '.gitignore'
    --[no-]recurse-submodules
                          recursively search in each submodule

    -v, --[no-]invert-match
                          show non-matching lines
    -i, --[no-]ignore-case
                          case insensitive matching
    -w, --[no-]word-regexp
                          match patterns only at word boundaries
    -a, --[no-]text       process binary files as text
    -I                    don't match patterns in binary files
    --[no-]textconv       process binary files with textconv filters
    -r, --[no-]recursive  search in subdirectories (default)
    --max-depth <n>       descend at most <n> levels

    -E, --[no-]extended-regexp
                          use extended POSIX regular expressions
    -G, --[no-]basic-regexp
                          use basic POSIX regular expressions (default)
    -F, --[no-]fixed-strings
                          interpret patterns as fixed strings
    -P, --[no-]perl-regexp
                          use Perl-compatible regular expressions

    -n, --[no-]line-number
                          show line numbers
    --[no-]column         show column number of first match
    -h                    don't show filenames
    -H                    show filenames
    --[no-]full-name      show filenames relative to top directory
    -l, --[no-]files-with-matches
                          show only filenames instead of matching lines
    --[no-]name-only      synonym for --files-with-matches
    -L, --[no-]files-without-match
                          show only the names of files without match
    -z, --[no-]null       print NUL after filenames
    -o, --[no-]only-matching
                          show only matching parts of a line
    -c, --[no-]count      show the number of matches instead of matching lines
    --[no-]color[=<when>] highlight matches
    --[no-]break          print empty line between matches from different files
    --[no-]heading        show filename only once above matches from same file

    -C, --[no-]context <n>
                          show <n> context lines before and after matches
    -B, --before-context <n>
                          show <n> context lines before matches
    -A, --after-context <n>
                          show <n> context lines after matches
    --[no-]threads <n>    use <n> worker threads
    -NUM                  shortcut for -C NUM
    -p, --[no-]show-function
                          show a line with the function name before matches
    -W, --[no-]function-context
                          show the surrounding function

    -f <file>             read patterns from file
    -e <pattern>          match <pattern>
    --and                 combine patterns specified with -e
    --or
    --not
    (
    )
    -q, --[no-]quiet      indicate hit with exit status without output
    --[no-]all-match      show only matches from files that match all patterns

    -O, --[no-]open-files-in-pager[=<pager>]
                          show matching files in the pager
    --[no-]ext-grep       allow calling of grep(1) (ignored by this build)
    -m, --[no-]max-count <n>
                          maximum number of results per file


args: map[Expression:->phys =]

map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/cb24f0835974de80148d21636f6b653d93682021]

map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/937d5996a1bbadcc53e9225f96b2420402480993]

map[Index:codesearch-index]

gemini-3-flash-preview

tool grepper failed: error: failed to run ["git" "grep" "--extended-regexp" "--line-number" "--show-function" "-C1" "--no-color" "->phys ="]: exit status 129
error: unknown switch `>'
usage: git grep [<options>] [-e] <pattern> [<rev>...] [[--] <path>...]

    --[no-]cached         search in index instead of in the work tree
    --no-index            find in contents not managed by git
    --index               opposite of --no-index
    --[no-]untracked      search in both tracked and untracked files
    --[no-]exclude-standard
                          ignore files specified via '.gitignore'
    --[no-]recurse-submodules
                          recursively search in each submodule

    -v, --[no-]invert-match
                          show non-matching lines
    -i, --[no-]ignore-case
                          case insensitive matching
    -w, --[no-]word-regexp
                          match patterns only at word boundaries
    -a, --[no-]text       process binary files as text
    -I                    don't match patterns in binary files
    --[no-]textconv       process binary files with textconv filters
    -r, --[no-]recursive  search in subdirectories (default)
    --max-depth <n>       descend at most <n> levels

    -E, --[no-]extended-regexp
                          use extended POSIX regular expressions
    -G, --[no-]basic-regexp
                          use basic POSIX regular expressions (default)
    -F, --[no-]fixed-strings
                          interpret patterns as fixed strings
    -P, --[no-]perl-regexp
                          use Perl-compatible regular expressions

    -n, --[no-]line-number
                          show line numbers
    --[no-]column         show column number of first match
    -h                    don't show filenames
    -H                    show filenames
    --[no-]full-name      show filenames relative to top directory
    -l, --[no-]files-with-matches
                          show only filenames instead of matching lines
    --[no-]name-only      synonym for --files-with-matches
    -L, --[no-]files-without-match
                          show only the names of files without match
    -z, --[no-]null       print NUL after filenames
    -o, --[no-]only-matching
                          show only matching parts of a line
    -c, --[no-]count      show the number of matches instead of matching lines
    --[no-]color[=<when>] highlight matches
    --[no-]break          print empty line between matches from different files
    --[no-]heading        show filename only once above matches from same file

    -C, --[no-]context <n>
                          show <n> context lines before and after matches
    -B, --before-context <n>
                          show <n> context lines before matches
    -A, --after-context <n>
                          show <n> context lines after matches
    --[no-]threads <n>    use <n> worker threads
    -NUM                  shortcut for -C NUM
    -p, --[no-]show-function
                          show a line with the function name before matches
    -W, --[no-]function-context
                          show the surrounding function

    -f <file>             read patterns from file
    -e <pattern>          match <pattern>
    --and                 combine patterns specified with -e
    --or
    --not
    (
    )
    -q, --[no-]quiet      indicate hit with exit status without output
    --[no-]all-match      show only matches from files that match all patterns

    -O, --[no-]open-files-in-pager[=<pager>]
                          show matching files in the pager
    --[no-]ext-grep       allow calling of grep(1) (ignored by this build)
    -m, --[no-]max-count <n>
                          maximum number of results per file


args: map[Expression:->phys =]

You are an experienced Linux kernel developer tasked with determining if the given kernel bug
report is actionable or not. Actionable means that it contains enough info to root cause
the underlying bug, and that the report is self-consistent and makes sense, rather than
e.g. a one-off nonsensical crash induced by a previous memory corruption.


The bug report is about a use-after-free bug generated by KASAN tool.
It should contain 3 stack traces: the bad memory access stack, the heap block allocation stack,
and the heap block free stack. If the report does not contain 3 stacks, it's not actionable.

All 3 stack traces should be related to the same object type,
and usually be in the same kernel subsystem (at least leaf stack frames).
An example of an actionable and consistent report would be: first access stack relates
to an access to a field of struct Foo, allocation/free stacks relate to allocation/free
of the struct Foo.
In inconsistent/nonsensical reports an access may be to a struct Foo, but allocation
stack allocates a different structure in a different subsystem.
Look for other suspicious signals/inconsistencies that can make this report hard to
debug/understand. 


In the final reply explain why you think the report is self-consistent and actionable,
or why it's inconsistent and/or not actionable.

Use the provided tools to confirm any assumptions, variables/fields being accessed, etc.
In particular, don't make assumptions about the kernel source code,
use codesearch tools to read the actual source code.

Prefer calling several tools at the same time to save round-trips.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

The bug report is:

==================================================================
BUG: KASAN: slab-use-after-free in string_nocheck lib/vsprintf.c:654 [inline]
BUG: KASAN: slab-use-after-free in string+0x231/0x2b0 lib/vsprintf.c:736
Read of size 1 at addr ffff888059a15a20 by task syz.1.395/7511

CPU: 1 UID: 0 PID: 7511 Comm: syz.1.395 Tainted: G             L      syzkaller #0 PREEMPT(full) 
Tainted: [L]=SOFTLOCKUP
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 string_nocheck lib/vsprintf.c:654 [inline]
 string+0x231/0x2b0 lib/vsprintf.c:736
 vsnprintf+0x739/0xee0 lib/vsprintf.c:2947
 seq_vprintf fs/seq_file.c:391 [inline]
 seq_printf+0x178/0x270 fs/seq_file.c:406
 input_devices_seq_show+0x145/0x640 drivers/input/input.c:1099
 seq_read_iter+0x9bb/0xe20 fs/seq_file.c:272
 seq_read+0x369/0x480 fs/seq_file.c:162
 pde_read fs/proc/inode.c:308 [inline]
 proc_reg_read+0x1e9/0x2e0 fs/proc/inode.c:320
 do_loop_readv_writev fs/read_write.c:847 [inline]
 vfs_readv+0x5aa/0x850 fs/read_write.c:1020
 do_preadv fs/read_write.c:1132 [inline]
 __do_sys_preadv fs/read_write.c:1179 [inline]
 __se_sys_preadv fs/read_write.c:1174 [inline]
 __x64_sys_preadv+0x197/0x2a0 fs/read_write.c:1174
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f3fbc58f749
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f3fbd4ec038 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007f3fbc7e5fa0 RCX: 00007f3fbc58f749
RDX: 0000000000000001 RSI: 00002000000015c0 RDI: 0000000000000003
RBP: 00007f3fbc613f91 R08: 0000000000207fff R09: 0000000000000000
R10: 00000000000000f2 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f3fbc7e6038 R14: 00007f3fbc7e5fa0 R15: 00007f3fbc90fa28
 </TASK>

Allocated by task 7472:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5657 [inline]
 __kmalloc_noprof+0x41d/0x800 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 ieee802_11_parse_elems_full+0x152/0x2ab0 net/mac80211/parse.c:1031
 ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2469 [inline]
 ieee80211_inform_bss+0x147/0x1130 net/mac80211/scan.c:79
 rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
 cfg80211_inform_single_bss_data+0xd14/0x1ad0 net/wireless/scan.c:2373
 cfg80211_inform_bss_data+0x203/0x3b40 net/wireless/scan.c:3228
 cfg80211_inform_bss_frame_data+0x3c7/0x710 net/wireless/scan.c:3319
 ieee80211_bss_info_update+0x749/0x9e0 net/mac80211/scan.c:230
 ieee80211_scan_rx+0x593/0xa20 net/mac80211/scan.c:359
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5287 [inline]
 ieee80211_rx_list+0x2485/0x2f90 net/mac80211/rx.c:5544
 ieee80211_rx_napi+0x1a8/0x3d0 net/mac80211/rx.c:5567
 ieee80211_rx include/net/mac80211.h:5216 [inline]
 ieee80211_handle_queued_frames+0xe8/0x1e0 net/mac80211/main.c:452
 tasklet_action_common+0x2da/0x4b0 kernel/softirq.c:925
 handle_softirqs+0x22b/0x7c0 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 ip_mc_clear_src net/ipv4/igmp.c:2253 [inline]
 __ip_mc_dec_group+0x4c7/0x670 net/ipv4/igmp.c:1780
 inetdev_event+0x297/0x15b0 net/ipv4/devinet.c:1641
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
 call_netdevice_notifiers net/core/dev.c:2282 [inline]
 __dev_notify_flags+0x18d/0x2e0 net/core/dev.c:-1
 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9804
 do_setlink+0xc55/0x41c0 net/core/rtnetlink.c:3158
 rtnl_group_changelink net/core/rtnetlink.c:3790 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3944 [inline]
 rtnl_newlink+0x14b0/0x1c90 net/core/rtnetlink.c:4072
 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 ____sys_sendmsg+0x505/0x820 net/socket.c:2592
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Freed by task 7472:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2540 [inline]
 slab_free mm/slub.c:6670 [inline]
 kfree+0x1c0/0x660 mm/slub.c:6878
 ieee80211_inform_bss+0xc4e/0x1130 net/mac80211/scan.c:164
 rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
 cfg80211_inform_single_bss_data+0xd14/0x1ad0 net/wireless/scan.c:2373
 cfg80211_inform_bss_data+0x203/0x3b40 net/wireless/scan.c:3228
 cfg80211_inform_bss_frame_data+0x3c7/0x710 net/wireless/scan.c:3319
 ieee80211_bss_info_update+0x749/0x9e0 net/mac80211/scan.c:230
 ieee80211_scan_rx+0x593/0xa20 net/mac80211/scan.c:359
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5287 [inline]
 ieee80211_rx_list+0x2485/0x2f90 net/mac80211/rx.c:5544
 ieee80211_rx_napi+0x1a8/0x3d0 net/mac80211/rx.c:5567
 ieee80211_rx include/net/mac80211.h:5216 [inline]
 ieee80211_handle_queued_frames+0xe8/0x1e0 net/mac80211/main.c:452
 tasklet_action_common+0x2da/0x4b0 kernel/softirq.c:925
 handle_softirqs+0x22b/0x7c0 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 spin_unlock_bh include/linux/spinlock.h:396 [inline]
 ip_mc_clear_src net/ipv4/igmp.c:2253 [inline]
 __ip_mc_dec_group+0x4c7/0x670 net/ipv4/igmp.c:1780
 inetdev_event+0x297/0x15b0 net/ipv4/devinet.c:1641
 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85
 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline]
 call_netdevice_notifiers net/core/dev.c:2282 [inline]
 __dev_notify_flags+0x18d/0x2e0 net/core/dev.c:-1
 netif_change_flags+0xe8/0x1a0 net/core/dev.c:9804
 do_setlink+0xc55/0x41c0 net/core/rtnetlink.c:3158
 rtnl_group_changelink net/core/rtnetlink.c:3790 [inline]
 __rtnl_newlink net/core/rtnetlink.c:3944 [inline]
 rtnl_newlink+0x14b0/0x1c90 net/core/rtnetlink.c:4072
 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958
 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x21c/0x270 net/socket.c:742
 ____sys_sendmsg+0x505/0x820 net/socket.c:2592
 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0x19b/0x260 net/socket.c:2681
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xec/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The buggy address belongs to the object at ffff888059a15800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 544 bytes inside of
 freed 1024-byte region [ffff888059a15800, ffff888059a15c00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x59a10
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88813ffa6dc0 ffffea0001333000 dead000000000002
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88813ffa6dc0 ffffea0001333000 dead000000000002
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea0001668401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 36, tgid 36 (kworker/u8:2), ts 110548083117, free_ts 39099257608
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x234/0x290 mm/page_alloc.c:1857
 prep_new_page mm/page_alloc.c:1865 [inline]
 get_page_from_freelist+0x24e0/0x2580 mm/page_alloc.c:3915
 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5210
 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2486
 alloc_slab_page mm/slub.c:3075 [inline]
 allocate_slab+0x86/0x3b0 mm/slub.c:3248
 new_slab mm/slub.c:3302 [inline]
 ___slab_alloc+0xe53/0x1820 mm/slub.c:4656
 __slab_alloc+0x65/0x100 mm/slub.c:4779
 __slab_alloc_node mm/slub.c:4855 [inline]
 slab_alloc_node mm/slub.c:5251 [inline]
 __do_kmalloc_node mm/slub.c:5656 [inline]
 __kmalloc_noprof+0x47d/0x800 mm/slub.c:5669
 kmalloc_noprof include/linux/slab.h:961 [inline]
 kzalloc_noprof include/linux/slab.h:1094 [inline]
 ieee802_11_parse_elems_full+0x152/0x2ab0 net/mac80211/parse.c:1031
 ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2469 [inline]
 ieee80211_inform_bss+0x147/0x1130 net/mac80211/scan.c:79
 rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
 cfg80211_inform_single_bss_data+0xd14/0x1ad0 net/wireless/scan.c:2373
 cfg80211_inform_bss_data+0x203/0x3b40 net/wireless/scan.c:3228
 cfg80211_inform_bss_frame_data+0x3c7/0x710 net/wireless/scan.c:3319
 ieee80211_bss_info_update+0x749/0x9e0 net/mac80211/scan.c:230
 ieee80211_scan_rx+0x593/0xa20 net/mac80211/scan.c:359
 __ieee80211_rx_handle_packet net/mac80211/rx.c:5287 [inline]
 ieee80211_rx_list+0x2485/0x2f90 net/mac80211/rx.c:5544
page last free pid 1 tgid 1 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1406 [inline]
 __free_frozen_pages+0xbc8/0xd30 mm/page_alloc.c:2943
 __free_pages mm/page_alloc.c:5329 [inline]
 free_contig_range+0x1bd/0x490 mm/page_alloc.c:7197
 destroy_args+0x69/0x660 mm/debug_vm_pgtable.c:983
 debug_vm_pgtable+0x38f/0x3a0 mm/debug_vm_pgtable.c:1372
 do_one_initcall+0x1f1/0x800 init/main.c:1378
 do_initcall_level+0x104/0x190 init/main.c:1440
 do_initcalls+0x59/0xa0 init/main.c:1456
 kernel_init_freeable+0x2a7/0x3d0 init/main.c:1688
 kernel_init+0x1d/0x1d0 init/main.c:1578
 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246

Memory state around the buggy address:
 ffff888059a15900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888059a15980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888059a15a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff888059a15a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888059a15b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

gemini-3-flash-preview

							input: 9660
							output: 43
							thoughts: 496
						

**KASAN Slab-Use-After-Free Deep Dive**

Okay, so I've got a KASAN slab-use-after-free on my hands. From the access stack trace, it looks like the issue is being triggered in `input_devices_seq_show`, which is reading some data – probably from `/proc/bus/input/devices` or something similar, judging by the context. I can see the call chain winding its way through `vsprintf` in the standard C library.

The access is in `string_nocheck` at `lib/vsprintf.c:654`. I know these `vsprintf` functions can be tricky, so that's a key area to keep in mind.

Now, where did this thing get allocated and freed? The allocation and free stacks point to `mac80211`. Specifically, I'm seeing `ieee802_11_parse_elems_full` as the allocation point. Then, both the allocation and free seem to converge on `ieee80211_inform_bss`, which makes me think there might be a race condition in the wireless stack. And I see that it is all triggered by `rtnetlink_rcv_msg`. Interesting.

So, let me recap: `input_devices_seq_show` – that's input devices – is accessing memory that's being allocated and freed within `mac80211`, wireless network stuff. A bit of a head-scratcher!

Right, I need to check those specific functions. Let's look at `input_devices_seq_show` in `drivers/input/input.c:1099` and then jump to `ieee802_11_parse_elems_full` in `net/mac80211/parse.c:1031`.

The buggy address is `ffff888059a15a20`. The object itself is located at `ffff888059a15800`, with a size of 1024 bytes. The use-after-free is happening at an offset of 544 bytes. It's time to dig into the code and see what data structure is at that offset. I should check `input_devices_seq_show` first.

map[ContextFile:drivers/input/input.c IncludeLines:true Name:input_devices_seq_show]

map[SourceCode:1089:	static int input_devices_seq_show(struct seq_file *seq, void *v)
1090:	{
1091:		struct input_dev *dev = container_of(v, struct input_dev, node);
1092:		const char *path = kobject_get_path(&dev->dev.kobj, GFP_KERNEL);
1093:		struct input_handle *handle;
1094:	
1095:		seq_printf(seq, "I: Bus=%04x Vendor=%04x Product=%04x Version=%04x\n",
1096:			   dev->id.bustype, dev->id.vendor, dev->id.product, dev->id.version);
1097:	
1098:		seq_printf(seq, "N: Name=\"%s\"\n", dev->name ? dev->name : "");
1099:		seq_printf(seq, "P: Phys=%s\n", dev->phys ? dev->phys : "");
1100:		seq_printf(seq, "S: Sysfs=%s\n", path ? path : "");
1101:		seq_printf(seq, "U: Uniq=%s\n", dev->uniq ? dev->uniq : "");
1102:		seq_puts(seq, "H: Handlers=");
1103:	
1104:		list_for_each_entry(handle, &dev->h_list, d_node)
1105:			seq_printf(seq, "%s ", handle->name);
1106:		seq_putc(seq, '\n');
1107:	
1108:		input_seq_print_bitmap(seq, "PROP", dev->propbit, INPUT_PROP_MAX);
1109:	
1110:		input_seq_print_bitmap(seq, "EV", dev->evbit, EV_MAX);
1111:		if (test_bit(EV_KEY, dev->evbit))
1112:			input_seq_print_bitmap(seq, "KEY", dev->keybit, KEY_MAX);
1113:		if (test_bit(EV_REL, dev->evbit))
1114:			input_seq_print_bitmap(seq, "REL", dev->relbit, REL_MAX);
1115:		if (test_bit(EV_ABS, dev->evbit))
1116:			input_seq_print_bitmap(seq, "ABS", dev->absbit, ABS_MAX);
1117:		if (test_bit(EV_MSC, dev->evbit))
1118:			input_seq_print_bitmap(seq, "MSC", dev->mscbit, MSC_MAX);
1119:		if (test_bit(EV_LED, dev->evbit))
1120:			input_seq_print_bitmap(seq, "LED", dev->ledbit, LED_MAX);
1121:		if (test_bit(EV_SND, dev->evbit))
1122:			input_seq_print_bitmap(seq, "SND", dev->sndbit, SND_MAX);
1123:		if (test_bit(EV_FF, dev->evbit))
1124:			input_seq_print_bitmap(seq, "FF", dev->ffbit, FF_MAX);
1125:		if (test_bit(EV_SW, dev->evbit))
1126:			input_seq_print_bitmap(seq, "SW", dev->swbit, SW_MAX);
1127:	
1128:		seq_putc(seq, '\n');
1129:	
1130:		kfree(path);
1131:		return 0;
1132:	}
 SourceFile:drivers/input/input.c]

gemini-3-flash-preview

							input: 11692
							output: 55
							thoughts: 266
						

**Debugging a Kernel Crash**

Okay, so the crash happened at line 1099, specifically during a `seq_printf` call. It looks like it's trying to access `dev->phys`. That's where the problem *appears* to be.

But, hold on a second. The KASAN report throws a wrench into that initial thought. It's a slab-use-after-free in `string_nocheck`, specifically during a `%s` format specifier. That's a key detail! So the issue isn't *just* the access, it's that `dev->phys` points to freed memory. `string_nocheck` is called by `string`, meaning it's trying to *read* the string data pointed to by `dev->phys`.

Now, the real investigation begins. I need to trace this memory back. Where was `dev->phys` allocated and freed? The backtrace points to `ieee802_11_parse_elems_full` in `net/mac80211/parse.c` at line 1031.  I have to check what is allocated in there and where it is freed. This seems to be where the bad memory is being allocated.

map[ContextFile:net/mac80211/parse.c IncludeLines:true Name:ieee802_11_parse_elems_full]

map[SourceCode:1015:	struct ieee802_11_elems *
1016:	ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params)
1017:	{
1018:		struct ieee80211_elems_parse_params sub = {};
1019:		struct ieee80211_elems_parse *elems_parse;
1020:		const struct element *non_inherit = NULL;
1021:		struct ieee802_11_elems *elems;
1022:		size_t scratch_len = 3 * params->len;
1023:		bool multi_link_inner = false;
1024:	
1025:		BUILD_BUG_ON(offsetof(typeof(*elems_parse), elems) != 0);
1026:	
1027:		/* cannot parse for both a specific link and non-transmitted BSS */
1028:		if (WARN_ON(params->link_id >= 0 && params->bss))
1029:			return NULL;
1030:	
1031:		elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
1032:				      GFP_ATOMIC);
1033:		if (!elems_parse)
1034:			return NULL;
1035:	
1036:		elems_parse->scratch_len = scratch_len;
1037:		elems_parse->scratch_pos = elems_parse->scratch;
1038:	
1039:		elems = &elems_parse->elems;
1040:		elems->ie_start = params->start;
1041:		elems->total_len = params->len;
1042:	
1043:		/* set all TPE entries to unlimited (but invalid) */
1044:		ieee80211_clear_tpe(&elems->tpe);
1045:		ieee80211_clear_tpe(&elems->csa_tpe);
1046:	
1047:		/*
1048:		 * If we're looking for a non-transmitted BSS then we cannot at
1049:		 * the same time be looking for a second link as the two can only
1050:		 * appear in the same frame carrying info for different BSSes.
1051:		 *
1052:		 * In any case, we only look for one at a time, as encoded by
1053:		 * the WARN_ON above.
1054:		 */
1055:		if (params->bss) {
1056:			int nontx_len =
1057:				ieee802_11_find_bssid_profile(params->start,
1058:							      params->len,
1059:							      elems, params->bss,
1060:							      elems_parse->scratch_pos);
1061:			sub.start = elems_parse->scratch_pos;
1062:			sub.mode = params->mode;
1063:			sub.len = nontx_len;
1064:			sub.type = params->type;
1065:			sub.link_id = params->link_id;
1066:	
1067:			/* consume the space used for non-transmitted profile */
1068:			elems_parse->scratch_pos += nontx_len;
1069:	
1070:			non_inherit = cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
1071:							     sub.start, nontx_len);
1072:		} else {
1073:			/* must always parse to get elems_parse->ml_basic_elem */
1074:			non_inherit = ieee80211_prep_mle_link_parse(elems_parse, params,
1075:								    &sub);
1076:			multi_link_inner = true;
1077:		}
1078:	
1079:		elems_parse->skip_vendor =
1080:			cfg80211_find_elem(WLAN_EID_VENDOR_SPECIFIC,
1081:					   sub.start, sub.len);
1082:		elems->crc = _ieee802_11_parse_elems_full(params, elems_parse,
1083:							  non_inherit);
1084:	
1085:		/* Override with nontransmitted/per-STA profile if found */
1086:		if (sub.len) {
1087:			elems_parse->multi_link_inner = multi_link_inner;
1088:			elems_parse->skip_vendor = false;
1089:			_ieee802_11_parse_elems_full(&sub, elems_parse, NULL);
1090:		}
1091:	
1092:		ieee80211_mle_defrag_reconf(elems_parse);
1093:	
1094:		ieee80211_mle_defrag_epcs(elems_parse);
1095:	
1096:		if (elems->tim && !elems->parse_error) {
1097:			const struct ieee80211_tim_ie *tim_ie = elems->tim;
1098:	
1099:			elems->dtim_period = tim_ie->dtim_period;
1100:			elems->dtim_count = tim_ie->dtim_count;
1101:		}
1102:	
1103:		/* Override DTIM period and count if needed */
1104:		if (elems->bssid_index &&
1105:		    elems->bssid_index_len >=
1106:		    offsetofend(struct ieee80211_bssid_index, dtim_period))
1107:			elems->dtim_period = elems->bssid_index->dtim_period;
1108:	
1109:		if (elems->bssid_index &&
1110:		    elems->bssid_index_len >=
1111:		    offsetofend(struct ieee80211_bssid_index, dtim_count))
1112:			elems->dtim_count = elems->bssid_index->dtim_count;
1113:	
1114:		return elems;
1115:	}
 SourceFile:net/mac80211/parse.c]

gemini-3-flash-preview

							input: 14045
							output: 52
							thoughts: 178
						

**Allocation and Return of Element Parsing Structure**

Okay, so I'm looking at this code and it's allocating a `struct ieee80211_elems_parse`. Specifically, it's using `kzalloc` to allocate a block of memory sized according to the `struct_size` of `elems_parse`, taking into account `scratch` and `scratch_len` fields. Then it looks like the function returns a pointer to the `elems` member of the allocated structure; specifically, `&elems_parse->elems`. That seems straightforward.

```c
1031:		elems_parse = kzalloc(struct_size(elems_parse, scratch, scratch_len),
1032:				      GFP_ATOMIC);
...
1039:		elems = &elems_parse->elems;
...
1114:		return elems;
```

I see that the memory allocated by the above snippet can be freed by `ieee80211_inform_bss` which is in `net/mac80211/scan.c` at line 164. I should check that code to see how the memory is freed.

map[ContextFile:net/mac80211/scan.c IncludeLines:true Name:ieee80211_inform_bss]

map[SourceCode:  63:	void ieee80211_inform_bss(struct wiphy *wiphy,
  64:				  struct cfg80211_bss *cbss,
  65:				  const struct cfg80211_bss_ies *ies,
  66:				  void *data)
  67:	{
  68:		struct ieee80211_local *local = wiphy_priv(wiphy);
  69:		struct inform_bss_update_data *update_data = data;
  70:		struct ieee80211_bss *bss = (void *)cbss->priv;
  71:		struct ieee80211_rx_status *rx_status;
  72:		struct ieee802_11_elems *elems;
  73:		int clen, srlen;
  74:	
  75:		/* This happens while joining an IBSS */
  76:		if (!update_data)
  77:			return;
  78:	
  79:		elems = ieee802_11_parse_elems(ies->data, ies->len,
  80:					       update_data->beacon ?
  81:						IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_BEACON :
  82:						IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_PROBE_RESP,
  83:					       NULL);
  84:		if (!elems)
  85:			return;
  86:	
  87:		rx_status = update_data->rx_status;
  88:	
  89:		if (update_data->beacon)
  90:			bss->device_ts_beacon = rx_status->device_timestamp;
  91:		else
  92:			bss->device_ts_presp = rx_status->device_timestamp;
  93:	
  94:		if (elems->parse_error) {
  95:			if (update_data->beacon)
  96:				bss->corrupt_data |= IEEE80211_BSS_CORRUPT_BEACON;
  97:			else
  98:				bss->corrupt_data |= IEEE80211_BSS_CORRUPT_PROBE_RESP;
  99:		} else {
 100:			if (update_data->beacon)
 101:				bss->corrupt_data &= ~IEEE80211_BSS_CORRUPT_BEACON;
 102:			else
 103:				bss->corrupt_data &= ~IEEE80211_BSS_CORRUPT_PROBE_RESP;
 104:		}
 105:	
 106:		/* save the ERP value so that it is available at association time */
 107:		if (elems->erp_info && (!elems->parse_error ||
 108:					!(bss->valid_data & IEEE80211_BSS_VALID_ERP))) {
 109:			bss->erp_value = elems->erp_info[0];
 110:			bss->has_erp_value = true;
 111:			if (!elems->parse_error)
 112:				bss->valid_data |= IEEE80211_BSS_VALID_ERP;
 113:		}
 114:	
 115:		/* replace old supported rates if we get new values */
 116:		if (!elems->parse_error ||
 117:		    !(bss->valid_data & IEEE80211_BSS_VALID_RATES)) {
 118:			srlen = 0;
 119:			if (elems->supp_rates) {
 120:				clen = IEEE80211_MAX_SUPP_RATES;
 121:				if (clen > elems->supp_rates_len)
 122:					clen = elems->supp_rates_len;
 123:				memcpy(bss->supp_rates, elems->supp_rates, clen);
 124:				srlen += clen;
 125:			}
 126:			if (elems->ext_supp_rates) {
 127:				clen = IEEE80211_MAX_SUPP_RATES - srlen;
 128:				if (clen > elems->ext_supp_rates_len)
 129:					clen = elems->ext_supp_rates_len;
 130:				memcpy(bss->supp_rates + srlen, elems->ext_supp_rates,
 131:				       clen);
 132:				srlen += clen;
 133:			}
 134:			if (srlen) {
 135:				bss->supp_rates_len = srlen;
 136:				if (!elems->parse_error)
 137:					bss->valid_data |= IEEE80211_BSS_VALID_RATES;
 138:			}
 139:		}
 140:	
 141:		if (!elems->parse_error ||
 142:		    !(bss->valid_data & IEEE80211_BSS_VALID_WMM)) {
 143:			bss->wmm_used = elems->wmm_param || elems->wmm_info;
 144:			bss->uapsd_supported = is_uapsd_supported(elems);
 145:			if (!elems->parse_error)
 146:				bss->valid_data |= IEEE80211_BSS_VALID_WMM;
 147:		}
 148:	
 149:		if (update_data->beacon) {
 150:			struct ieee80211_supported_band *sband =
 151:				local->hw.wiphy->bands[rx_status->band];
 152:			if (!(rx_status->encoding == RX_ENC_HT) &&
 153:			    !(rx_status->encoding == RX_ENC_VHT))
 154:				bss->beacon_rate =
 155:					&sband->bitrates[rx_status->rate_idx];
 156:		}
 157:	
 158:		if (elems->vht_cap_elem)
 159:			bss->vht_cap_info =
 160:				le32_to_cpu(elems->vht_cap_elem->vht_cap_info);
 161:		else
 162:			bss->vht_cap_info = 0;
 163:	
 164:		kfree(elems);
 165:	}
 SourceFile:net/mac80211/scan.c]

gemini-3-flash-preview

							input: 16316
							output: 52
							thoughts: 159
						

**Memory Management Mystery**

Okay, hold on a second. I'm looking at this code and something feels...off. Line 164: `kfree(elems)`. Right, that's freeing memory. But where did `elems` come from? Ah, yes, it was returned by `ieee802_11_parse_elems`, which, in turn, calls `ieee802_11_parse_elems_full`. And *that* function returns `&elems_parse->elems`.

Now, here's where my alarm bells start to ring. `elems_parse` was allocated using `kzalloc`. So, `elems_parse` is the start of the memory block, and `&elems_parse->elems` would be somewhere offset from the start of `elems_parse`. Now we are calling `kfree(elems)`. This means we're freeing the memory starting at the address `elems`. But wait a minute, isn't that *inside* the allocated block of `elems_parse`, and *not* at the beginning? We should be freeing the memory starting at `elems_parse`, not `elems`.

This could be a pretty nasty memory leak or even a double-free situation in the making. Let's dig deeper and inspect the `struct ieee80211_elems_parse` definition to understand its layout.

map[ContextFile:net/mac80211/parse.c IncludeLines:true Name:ieee80211_elems_parse]

map[SourceCode:  37:	struct ieee80211_elems_parse {
  38:		/* must be first for kfree to work */
  39:		struct ieee802_11_elems elems;
  40:	
  41:		/* The basic Multi-Link element in the original elements */
  42:		const struct element *ml_basic_elem;
  43:	
  44:		/* The reconfiguration Multi-Link element in the original elements */
  45:		const struct element *ml_reconf_elem;
  46:	
  47:		/* The EPCS Multi-Link element in the original elements */
  48:		const struct element *ml_epcs_elem;
  49:	
  50:		bool multi_link_inner;
  51:		bool skip_vendor;
  52:	
  53:		/*
  54:		 * scratch buffer that can be used for various element parsing related
  55:		 * tasks, e.g., element de-fragmentation etc.
  56:		 */
  57:		size_t scratch_len;
  58:		u8 *scratch_pos;
  59:		u8 scratch[] __counted_by(scratch_len);
  60:	};
 SourceFile:net/mac80211/parse.c]

gemini-3-flash-preview

							input: 17177
							output: 17
							thoughts: 650
						

**Analyzing a Kernel Memory Access Bug**

Okay, so I'm looking at this crash report, and it's pointing to a memory access violation within the kernel. The error involves `input_devices_seq_show`, which is reading from an address (`ffff888059a15a20`) that appears to be problematic. The object at `ffff888059a15800` is being accessed at an offset of 544 bytes.

The immediate thought is about the layout. I see a `struct ieee802_11_elems elems` declared. Since it is first it should be at offset 0. And if it's the target, `kfree(elems)` should be fine. However, it's immediately jumping out that `input_devices_seq_show` is accessing this region via the `dev->phys` pointer of a `struct input_dev`. That's the first red flag.

The report also mentions that `dev->phys` *seems* to be pointing inside an `ieee80211_elems_parse` object. And that is interesting. That structure has a `scratch` buffer at the end of the struct. The length of this buffer, `scratch_len`, is calculated as `3 * params->len`. This means the size is variable. Looking back at how `ieee802_11_parse_elems_full` allocates this `elems_parse` object, it uses `kzalloc` with `struct_size` to handle the variable-length `scratch` buffer. This is good to check.

The crucial question is how did `dev->phys` get set to point within this temporary object? Usually, `dev->phys` holds a string. So how did a pointer to this parsing buffer end up there?

The report specifies the memory was allocated by task 7472 and freed by the same task, both within `ieee80211_inform_bss`. The access (the read causing the crash) happens in `input_devices_seq_show` from task 7511. So, it looks like a classic use-after-free scenario. This `ieee80211_elems_parse` object is temporary, allocated within `ieee80211_inform_bss` and freed at the end. That structure is used during the parsing of information. Somehow, a pointer to a field inside it has been assigned to `dev->phys` and that means the object has a lifetime that is longer than the parsing process.

So, the next step is to find out where `input_dev->phys` is being set. I'll need to grep the kernel source for `phys =` to trace the assignment and identify where this dangling pointer could have been introduced.

map[Expression:\.phys =]

map[Output:
Full output is too long, showing 500 out of 868 lines.
Use more precise expression if possible.

[arch/mips/cavium-octeon/flash_setup.c=71=static int octeon_flash_probe(struct platform_device *pdev)
 --
 arch/mips/cavium-octeon/flash_setup.c-97-		flash_map.name = "phys_mapped_flash";
 arch/mips/cavium-octeon/flash_setup.c:98:		flash_map.phys = region_cfg.s.base << 16;
 arch/mips/cavium-octeon/flash_setup.c-99-		flash_map.size = 0x1fc00000 - flash_map.phys;
 --
 arch/powerpc/mm/book3s32/mmu.c=260=void __init setbat(int index, unsigned long virt, phys_addr_t phys,
 --
 arch/powerpc/mm/book3s32/mmu.c-296-	bat_addrs[index].limit = virt + ((bl + 1) << 17) - 1;
 arch/powerpc/mm/book3s32/mmu.c:297:	bat_addrs[index].phys = phys;
 arch/powerpc/mm/book3s32/mmu.c-298-}
 --
 arch/powerpc/mm/nohash/e500.c=97=static void settlbcam(int index, unsigned long virt, phys_addr_t phys,
 --
 arch/powerpc/mm/nohash/e500.c-134-	tlbcam_addrs[index].limit = virt + size - 1;
 arch/powerpc/mm/nohash/e500.c:135:	tlbcam_addrs[index].phys = phys;
 arch/powerpc/mm/nohash/e500.c-136-}
 --
 arch/x86/mm/mmio-mod.c=219=static void ioremap_trace_core(resource_size_t offset, unsigned long size,
 --
 arch/x86/mm/mmio-mod.c-225-	struct mmiotrace_map map = {
 arch/x86/mm/mmio-mod.c:226:		.phys = offset,
 arch/x86/mm/mmio-mod.c-227-		.virt = (unsigned long)addr,
 --
 arch/x86/mm/mmio-mod.c-244-		},
 arch/x86/mm/mmio-mod.c:245:		.phys = offset,
 arch/x86/mm/mmio-mod.c-246-		.id = atomic_inc_return(&next_id)
 --
 arch/x86/mm/mmio-mod.c=278=static void iounmap_trace_core(volatile void __iomem *addr)
 --
 arch/x86/mm/mmio-mod.c-280-	struct mmiotrace_map map = {
 arch/x86/mm/mmio-mod.c:281:		.phys = 0,
 arch/x86/mm/mmio-mod.c-282-		.virt = (unsigned long)addr,
 --
 drivers/atm/he.c=770=static int he_init_group(struct he_dev *he_dev, int group)
 --
 drivers/atm/he.c-827-		he_dev->rbpl_base[i].idx =  i << RBP_IDX_OFFSET;
 drivers/atm/he.c:828:		he_dev->rbpl_base[i].phys = mapping + offsetof(struct he_buff, data);
 drivers/atm/he.c-829-	}
 --
 drivers/bus/arm-cci.c=438=static int cci_probe_ports(struct device_node *np)
 --
 drivers/bus/arm-cci.c-482-			ports[i].base = ioremap(res.start, resource_size(&res));
 drivers/bus/arm-cci.c:483:			ports[i].phys = res.start;
 drivers/bus/arm-cci.c-484-		}
 --
 drivers/dma/at_xdmac.c=564=static struct at_xdmac_desc *at_xdmac_alloc_desc(struct dma_chan *chan,
 --
 drivers/dma/at_xdmac.c-575-		desc->tx_dma_desc.tx_submit = at_xdmac_tx_submit;
 drivers/dma/at_xdmac.c:576:		desc->tx_dma_desc.phys = phys;
 drivers/dma/at_xdmac.c-577-	}
 --
 drivers/dma/bcm-sba-raid.c=1463=static int sba_prealloc_channel_resources(struct sba_device *sba)
 --
 drivers/dma/bcm-sba-raid.c-1514-		req->tx.tx_submit = sba_tx_submit;
 drivers/dma/bcm-sba-raid.c:1515:		req->tx.phys = sba->resp_dma_base + i * sba->hw_resp_size;
 drivers/dma/bcm-sba-raid.c-1516-		list_add_tail(&req->node, &sba->reqs_free_list);
 --
 drivers/dma/dw/core.c=78=static struct dw_desc *dwc_desc_get(struct dw_dma_chan *dwc)
 --
 drivers/dma/dw/core.c-92-	desc->txd.flags = DMA_CTRL_ACK;
 drivers/dma/dw/core.c:93:	desc->txd.phys = phys;
 drivers/dma/dw/core.c-94-	return desc;
 --
 drivers/dma/dw/core.c=298=static void dwc_scan_descriptors(struct dw_dma *dw, struct dw_dma_chan *dwc)
 --
 drivers/dma/dw/core.c-367-		/* Check first descriptors addr */
 drivers/dma/dw/core.c:368:		if (desc->txd.phys == DWC_LLP_LOC(llp)) {
 drivers/dma/dw/core.c-369-			spin_unlock_irqrestore(&dwc->lock, flags);
 --
 drivers/dma/fsldma.c=459=static struct fsl_desc_sw *fsl_dma_alloc_descriptor(struct fsldma_chan *chan)
 --
 drivers/dma/fsldma.c-472-	desc->async_tx.tx_submit = fsl_dma_tx_submit;
 drivers/dma/fsldma.c:473:	desc->async_tx.phys = pdesc;
 drivers/dma/fsldma.c-474-
 --
 drivers/dma/fsldma.c=636=static void fsldma_cleanup_descriptors(struct fsldma_chan *chan)
 --
 drivers/dma/fsldma.c-658-		 */
 drivers/dma/fsldma.c:659:		if (desc->async_tx.phys == curr_phys) {
 drivers/dma/fsldma.c-660-			seen_current = 1;
 --
 drivers/dma/ioat/dma.c=337=ioat_alloc_ring_ent(struct dma_chan *chan, int idx, gfp_t flags)
 --
 drivers/dma/ioat/dma.c-361-	desc->hw = hw;
 drivers/dma/ioat/dma.c:362:	desc->txd.phys = phys;
 drivers/dma/ioat/dma.c-363-	return desc;
 --
 drivers/dma/mmp_pdma.c=521=mmp_pdma_alloc_descriptor(struct mmp_pdma_chan *chan)
 --
 drivers/dma/mmp_pdma.c-535-	desc->async_tx.tx_submit = mmp_pdma_tx_submit;
 drivers/dma/mmp_pdma.c:536:	desc->async_tx.phys = pdesc;
 drivers/dma/mmp_pdma.c-537-
 --
 drivers/dma/mv_xor.c=263=static void mv_chan_slot_cleanup(struct mv_xor_chan *mv_chan)
 --
 drivers/dma/mv_xor.c-292-			/* break if we did cleaned the current */
 drivers/dma/mv_xor.c:293:			if (iter->async_tx.phys == current_desc) {
 drivers/dma/mv_xor.c-294-				current_cleaned = 1;
 --
 drivers/dma/mv_xor.c-297-		} else {
 drivers/dma/mv_xor.c:298:			if (iter->async_tx.phys == current_desc) {
 drivers/dma/mv_xor.c-299-				current_cleaned = 0;
 --
 drivers/dma/mv_xor.c=434=static int mv_xor_alloc_chan_resources(struct dma_chan *chan)
 --
 drivers/dma/mv_xor.c-460-		dma_desc = mv_chan->dma_desc_pool;
 drivers/dma/mv_xor.c:461:		slot->async_tx.phys = dma_desc + idx * MV_XOR_SLOT_SIZE;
 drivers/dma/mv_xor.c-462-		slot->idx = idx++;
 --
 drivers/dma/pch_dma.c=421=static struct pch_dma_desc *pdc_alloc_desc(struct dma_chan *chan, gfp_t flags)
 --
 drivers/dma/pch_dma.c-432-		desc->txd.flags = DMA_CTRL_ACK;
 drivers/dma/pch_dma.c:433:		desc->txd.phys = addr;
 drivers/dma/pch_dma.c-434-	}
 --
 drivers/dma/timb_dma.c=322=static struct timb_dma_desc *td_alloc_init_desc(struct timb_dma_chan *td_chan)
 --
 drivers/dma/timb_dma.c-341-
 drivers/dma/timb_dma.c:342:	td_desc->txd.phys = dma_map_single(chan2dmadev(chan),
 drivers/dma/timb_dma.c-343-		td_desc->desc_list, td_desc->desc_list_len, DMA_TO_DEVICE);
 --
 drivers/dma/txx9dmac.c=189=static struct txx9dmac_desc *txx9dmac_desc_alloc(struct txx9dmac_chan *dc,
 --
 drivers/dma/txx9dmac.c-202-	desc->txd.flags = DMA_CTRL_ACK;
 drivers/dma/txx9dmac.c:203:	desc->txd.phys = dma_map_single(chan2parent(&dc->chan), &desc->hwdesc,
 drivers/dma/txx9dmac.c-204-					ddev->descsize, DMA_TO_DEVICE);
 --
 drivers/dma/xgene-dma.c=489=static struct xgene_dma_desc_sw *xgene_dma_alloc_descriptor(
 --
 drivers/dma/xgene-dma.c-501-	INIT_LIST_HEAD(&desc->tx_list);
 drivers/dma/xgene-dma.c:502:	desc->tx.phys = phys;
 drivers/dma/xgene-dma.c-503-	desc->tx.tx_submit = xgene_dma_tx_submit;
 --
 drivers/dma/xilinx/xilinx_dma.c=1114=static int xilinx_dma_alloc_chan_resources(struct dma_chan *dchan)
 --
 drivers/dma/xilinx/xilinx_dma.c-1164-				((i + 1) % XILINX_DMA_NUM_DESCS));
 drivers/dma/xilinx/xilinx_dma.c:1165:			chan->seg_v[i].phys = chan->seg_p +
 drivers/dma/xilinx/xilinx_dma.c-1166-				sizeof(*chan->seg_v) * i;
 --
 drivers/dma/xilinx/xilinx_dma.c-1188-				((i + 1) % XILINX_DMA_NUM_DESCS));
 drivers/dma/xilinx/xilinx_dma.c:1189:			chan->seg_mv[i].phys = chan->seg_p +
 drivers/dma/xilinx/xilinx_dma.c-1190-				sizeof(*chan->seg_mv) * i;
 --
 drivers/dma/xilinx/xilinx_dma.c=2043=xilinx_vdma_dma_prep_interleaved(struct dma_chan *dchan,
 --
 drivers/dma/xilinx/xilinx_dma.c-2109-				   struct xilinx_vdma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2110:	desc->async_tx.phys = segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2111-
 --
 drivers/dma/xilinx/xilinx_dma.c=2130=xilinx_cdma_prep_memcpy(struct dma_chan *dchan, dma_addr_t dma_dst,
 --
 drivers/dma/xilinx/xilinx_dma.c-2164-
 drivers/dma/xilinx/xilinx_dma.c:2165:	desc->async_tx.phys = segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2166-	hw->next_desc = segment->phys;
 --
 drivers/dma/xilinx/xilinx_dma.c=2186=static struct dma_async_tx_descriptor *xilinx_dma_prep_peripheral_dma_vec(
 --
 drivers/dma/xilinx/xilinx_dma.c-2246-	head = list_first_entry(&desc->segments, struct xilinx_axidma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2247:	desc->async_tx.phys = head->phys;
 drivers/dma/xilinx/xilinx_dma.c-2248-
 --
 drivers/dma/xilinx/xilinx_dma.c=2279=static struct dma_async_tx_descriptor *xilinx_dma_prep_slave_sg(
 --
 drivers/dma/xilinx/xilinx_dma.c-2348-				   struct xilinx_axidma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2349:	desc->async_tx.phys = segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2350-
 --
 drivers/dma/xilinx/xilinx_dma.c=2381=static struct dma_async_tx_descriptor *xilinx_dma_prep_dma_cyclic(
 --
 drivers/dma/xilinx/xilinx_dma.c-2451-				   struct xilinx_axidma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2452:	desc->async_tx.phys = head_segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2453-
 --
 drivers/dma/xilinx/xilinx_dma.c=2489=xilinx_mcdma_prep_slave_sg(struct dma_chan *dchan, struct scatterlist *sgl,
 --
 drivers/dma/xilinx/xilinx_dma.c-2555-				   struct xilinx_aximcdma_tx_segment, node);
 drivers/dma/xilinx/xilinx_dma.c:2556:	desc->async_tx.phys = segment->phys;
 drivers/dma/xilinx/xilinx_dma.c-2557-
 --
 drivers/firmware/google/memconsole-coreboot.c=40=static ssize_t memconsole_coreboot_read(char *buf, loff_t pos, size_t count)
 --
 drivers/firmware/google/memconsole-coreboot.c-54-			cursor = 0;
 drivers/firmware/google/memconsole-coreboot.c:55:		seg[0] = (struct seg){.phys = cursor, .len = size - cursor};
 drivers/firmware/google/memconsole-coreboot.c:56:		seg[1] = (struct seg){.phys = 0, .len = cursor};
 drivers/firmware/google/memconsole-coreboot.c-57-	} else {
 drivers/firmware/google/memconsole-coreboot.c:58:		seg[0] = (struct seg){.phys = 0, .len = min(cursor, size)};
 drivers/firmware/google/memconsole-coreboot.c-59-	}
 --
 drivers/firmware/tegra/bpmp-tegra186.c=192=static int tegra186_bpmp_dram_init(struct tegra_bpmp *bpmp)
 --
 drivers/firmware/tegra/bpmp-tegra186.c-214-
 drivers/firmware/tegra/bpmp-tegra186.c:215:	priv->tx.phys = res.start;
 drivers/firmware/tegra/bpmp-tegra186.c:216:	priv->rx.phys = res.start + SZ_4K;
 drivers/firmware/tegra/bpmp-tegra186.c-217-
 --
 drivers/firmware/tegra/ivc.c=646=int tegra_ivc_init(struct tegra_ivc *ivc, struct device *peer, const struct iosys_map *rx,
 --
 drivers/firmware/tegra/ivc.c-672-	if (peer) {
 drivers/firmware/tegra/ivc.c:673:		ivc->rx.phys = dma_map_single(peer, iosys_map_get_vaddr(rx), queue_size,
 drivers/firmware/tegra/ivc.c-674-					      DMA_BIDIRECTIONAL);
 --
 drivers/firmware/tegra/ivc.c-677-
 drivers/firmware/tegra/ivc.c:678:		ivc->tx.phys = dma_map_single(peer, iosys_map_get_vaddr(tx), queue_size,
 drivers/firmware/tegra/ivc.c-679-					      DMA_BIDIRECTIONAL);
 --
 drivers/firmware/tegra/ivc.c-685-	} else {
 drivers/firmware/tegra/ivc.c:686:		ivc->rx.phys = rx_phys;
 drivers/firmware/tegra/ivc.c:687:		ivc->tx.phys = tx_phys;
 drivers/firmware/tegra/ivc.c-688-	}
 --
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c=3335=struct dw_hdmi *dw_hdmi_probe(struct platform_device *pdev,
 --
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c-3535-
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c:3536:		audio.phys = iores->start;
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c-3537-		audio.base = hdmi->regs;
 --
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c-3566-
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c:3567:		audio.phys = iores->start;
 drivers/gpu/drm/bridge/synopsys/dw-hdmi.c-3568-		audio.base = hdmi->regs;
 --
 drivers/gpu/drm/i915/gem/i915_gem_pages.c=23=void __i915_gem_object_set_pages(struct drm_i915_gem_object *obj,
 --
 drivers/gpu/drm/i915/gem/i915_gem_pages.c-51-
 drivers/gpu/drm/i915/gem/i915_gem_pages.c:52:	obj->mm.page_sizes.phys = i915_sg_dma_sizes(pages->sgl);
 drivers/gpu/drm/i915/gem/i915_gem_pages.c-53-	GEM_BUG_ON(!obj->mm.page_sizes.phys);
 --
 drivers/gpu/drm/i915/gem/i915_gem_pages.c=214=__i915_gem_object_unset_pages(struct drm_i915_gem_object *obj)
 --
 drivers/gpu/drm/i915/gem/i915_gem_pages.c-235-	__i915_gem_object_reset_page_iter(obj);
 drivers/gpu/drm/i915/gem/i915_gem_pages.c:236:	obj->mm.page_sizes.phys = obj->mm.page_sizes.sg = 0;
 drivers/gpu/drm/i915/gem/i915_gem_pages.c-237-
 --
 drivers/gpu/drm/tegra/nvdec.c=244=static int nvdec_load_falcon_firmware(struct nvdec *nvdec)
 --
 drivers/gpu/drm/tegra/nvdec.c-292-
 drivers/gpu/drm/tegra/nvdec.c:293:		nvdec->falcon.firmware.phys = phys;
 drivers/gpu/drm/tegra/nvdec.c-294-	}
 --
 drivers/gpu/drm/tegra/nvjpg.c=110=static int nvjpg_load_falcon_firmware(struct nvjpg *nvjpg)
 --
 drivers/gpu/drm/tegra/nvjpg.c-158-
 drivers/gpu/drm/tegra/nvjpg.c:159:		nvjpg->falcon.firmware.phys = phys;
 drivers/gpu/drm/tegra/nvjpg.c-160-	}
 --
 drivers/gpu/drm/tegra/vic.c=210=static int vic_load_firmware(struct vic *vic)
 --
 drivers/gpu/drm/tegra/vic.c-268-
 drivers/gpu/drm/tegra/vic.c:269:		vic->falcon.firmware.phys = phys;
 drivers/gpu/drm/tegra/vic.c-270-	}
 --
 drivers/hwtracing/coresight/coresight-stm.c=828=static int __stm_probe(struct device *dev, struct resource *res)
 --
 drivers/hwtracing/coresight/coresight-stm.c-859-		return ret;
 drivers/hwtracing/coresight/coresight-stm.c:860:	drvdata->chs.phys = ch_res.start;
 drivers/hwtracing/coresight/coresight-stm.c-861-
 --
 drivers/input/misc/pm8941-pwrkey.c=423=static const struct pm8941_data pwrkey_data = {
 --
 drivers/input/misc/pm8941-pwrkey.c-426-	.name = "pm8941_pwrkey",
 drivers/input/misc/pm8941-pwrkey.c:427:	.phys = "pm8941_pwrkey/input0",
 drivers/input/misc/pm8941-pwrkey.c-428-	.supports_ps_hold_poff_config = true,
 --
 drivers/input/misc/pm8941-pwrkey.c=434=static const struct pm8941_data resin_data = {
 --
 drivers/input/misc/pm8941-pwrkey.c-437-	.name = "pm8941_resin",
 drivers/input/misc/pm8941-pwrkey.c:438:	.phys = "pm8941_resin/input0",
 drivers/input/misc/pm8941-pwrkey.c-439-	.supports_ps_hold_poff_config = true,
 --
 drivers/input/misc/pm8941-pwrkey.c=445=static const struct pm8941_data pon_gen3_pwrkey_data = {
 --
 drivers/input/misc/pm8941-pwrkey.c-447-	.name = "pmic_pwrkey",
 drivers/input/misc/pm8941-pwrkey.c:448:	.phys = "pmic_pwrkey/input0",
 drivers/input/misc/pm8941-pwrkey.c-449-	.supports_ps_hold_poff_config = false,
 --
 drivers/input/misc/pm8941-pwrkey.c=455=static const struct pm8941_data pon_gen3_resin_data = {
 --
 drivers/input/misc/pm8941-pwrkey.c-457-	.name = "pmic_resin",
 drivers/input/misc/pm8941-pwrkey.c:458:	.phys = "pmic_resin/input0",
 drivers/input/misc/pm8941-pwrkey.c-459-	.supports_ps_hold_poff_config = false,
 --
 drivers/media/pci/cobalt/cobalt-flash.c=18=static struct map_info cobalt_flash_map = {
 --
 drivers/media/pci/cobalt/cobalt-flash.c-21-	.size =		0x4000000, /* 64MB */
 drivers/media/pci/cobalt/cobalt-flash.c:22:	.phys =		0,         /* offset  */
 drivers/media/pci/cobalt/cobalt-flash.c-23-};
 --
 drivers/media/pci/tw686x/tw686x-video.c=184=static int tw686x_sg_desc_fill(struct tw686x_sg_desc *descs,
 --
 drivers/media/pci/tw686x/tw686x-video.c-208-			entry_len = min_t(unsigned int, entry_len, buf_len);
 drivers/media/pci/tw686x/tw686x-video.c:209:			descs[count].phys = cpu_to_le32(phys);
 drivers/media/pci/tw686x/tw686x-video.c-210-			descs[count++].flags_length =
 --
 drivers/media/platform/amphion/venc.c=1004=static void venc_request_mem_resource(struct vpu_inst *inst,
 --
 drivers/media/platform/amphion/venc.c-1050-	venc->act[0].length = act_frame_size;
 drivers/media/platform/amphion/venc.c:1051:	venc->act[0].phys = inst->act.phys;
 drivers/media/platform/amphion/venc.c-1052-	venc->act[0].virt = inst->act.virt;
 --
 drivers/media/platform/amphion/vpu_core.c=413=int vpu_inst_register(struct vpu_inst *inst)
 --
 drivers/media/platform/amphion/vpu_core.c-450-	if (core->res->act_size) {
 drivers/media/platform/amphion/vpu_core.c:451:		inst->act.phys = core->act.phys + core->res->act_size * inst->id;
 drivers/media/platform/amphion/vpu_core.c-452-		inst->act.virt = core->act.virt + core->res->act_size * inst->id;
 --
 drivers/media/platform/amphion/vpu_core.c=543=static int vpu_core_parse_dt(struct vpu_core *core, struct device_node *np)
 --
 drivers/media/platform/amphion/vpu_core.c-553-
 drivers/media/platform/amphion/vpu_core.c:554:	core->fw.phys = res.start;
 drivers/media/platform/amphion/vpu_core.c-555-	core->fw.length = resource_size(&res);
 --
 drivers/media/platform/amphion/vpu_core.c-562-
 drivers/media/platform/amphion/vpu_core.c:563:	core->rpc.phys = res.start;
 drivers/media/platform/amphion/vpu_core.c-564-	core->rpc.length = resource_size(&res);
 --
 drivers/media/platform/amphion/vpu_core.c-582-
 drivers/media/platform/amphion/vpu_core.c:583:	core->log.phys = core->rpc.phys + core->res->rpc_size;
 drivers/media/platform/amphion/vpu_core.c-584-	core->log.virt = core->rpc.virt + core->res->rpc_size;
 drivers/media/platform/amphion/vpu_core.c-585-	core->log.length = core->res->fwlog_size;
 drivers/media/platform/amphion/vpu_core.c:586:	core->act.phys = core->log.phys + core->log.length;
 drivers/media/platform/amphion/vpu_core.c-587-	core->act.virt = core->log.virt + core->log.length;
 --
 drivers/media/platform/renesas/rcar-vin/rcar-dma.c=963=static void rvin_fill_hw_slot(struct rvin_dev *vin, int slot)
 --
 drivers/media/platform/renesas/rcar-vin/rcar-dma.c-989-
 drivers/media/platform/renesas/rcar-vin/rcar-dma.c:990:	vin->buf_hw[slot].phys = phys_addr;
 drivers/media/platform/renesas/rcar-vin/rcar-dma.c-991-	rvin_set_slot_addr(vin, slot, phys_addr);
 --
 drivers/mtd/maps/amd76xrom.c=104=static int amd76xrom_init_one(struct pci_dev *pdev,
 --
 drivers/mtd/maps/amd76xrom.c-197-		map->map.name = map->map_name;
 drivers/mtd/maps/amd76xrom.c:198:		map->map.phys = map_top;
 drivers/mtd/maps/amd76xrom.c-199-		offset = map_top - window->phys;
 --
 drivers/mtd/maps/amd76xrom.c-255-		map->map.virt = window->virt;
 drivers/mtd/maps/amd76xrom.c:256:		map->map.phys = window->phys;
 drivers/mtd/maps/amd76xrom.c-257-		cfi = map->map.fldrv_priv;
 --
 drivers/mtd/maps/cfi_flagadm.c=91=static int __init init_flagadm(void)
 --
 drivers/mtd/maps/cfi_flagadm.c-95-
 drivers/mtd/maps/cfi_flagadm.c:96:	flagadm_map.phys = FLASH_PHYS_ADDR;
 drivers/mtd/maps/cfi_flagadm.c-97-	flagadm_map.virt = ioremap(FLASH_PHYS_ADDR,
 --
 drivers/mtd/maps/ck804xrom.c=116=static int __init ck804xrom_init_one(struct pci_dev *pdev,
 --
 drivers/mtd/maps/ck804xrom.c-227-		map->map.name = map->map_name;
 drivers/mtd/maps/ck804xrom.c:228:		map->map.phys = map_top;
 drivers/mtd/maps/ck804xrom.c-229-		offset = map_top - window->phys;
 --
 drivers/mtd/maps/ck804xrom.c-285-		map->map.virt = window->virt;
 drivers/mtd/maps/ck804xrom.c:286:		map->map.phys = window->phys;
 drivers/mtd/maps/ck804xrom.c-287-		cfi = map->map.fldrv_priv;
 --
 drivers/mtd/maps/dc21285.c=139=static struct map_info dc21285_map = {
 drivers/mtd/maps/dc21285.c-140-	.name = "DC21285 flash",
 drivers/mtd/maps/dc21285.c:141:	.phys = NO_XIP,
 drivers/mtd/maps/dc21285.c-142-	.size = 16*1024*1024,
 --
 drivers/mtd/maps/esb2rom.c=148=static int __init esb2rom_init_one(struct pci_dev *pdev,
 --
 drivers/mtd/maps/esb2rom.c-287-		map->map.name = map->map_name;
 drivers/mtd/maps/esb2rom.c:288:		map->map.phys = map_top;
 drivers/mtd/maps/esb2rom.c-289-		offset = map_top - window->phys;
 --
 drivers/mtd/maps/esb2rom.c-347-		map->map.virt = window->virt;
 drivers/mtd/maps/esb2rom.c:348:		map->map.phys = window->phys;
 drivers/mtd/maps/esb2rom.c-349-		cfi = map->map.fldrv_priv;
 --
 drivers/mtd/maps/ichxrom.c=90=static int __init ichxrom_init_one(struct pci_dev *pdev,
 --
 drivers/mtd/maps/ichxrom.c-221-		map->map.name = map->map_name;
 drivers/mtd/maps/ichxrom.c:222:		map->map.phys = map_top;
 drivers/mtd/maps/ichxrom.c-223-		offset = map_top - window->phys;
 --
 drivers/mtd/maps/ichxrom.c-282-		map->map.virt = window->virt;
 drivers/mtd/maps/ichxrom.c:283:		map->map.phys = window->phys;
 drivers/mtd/maps/ichxrom.c-284-		cfi = map->map.fldrv_priv;
 --
 drivers/mtd/maps/impa7.c=56=static int __init init_impa7(void)
 --
 drivers/mtd/maps/impa7.c-70-
 drivers/mtd/maps/impa7.c:71:		impa7_map[i].phys = pt[i].addr;
 drivers/mtd/maps/impa7.c-72-		impa7_map[i].virt = ioremap(pt[i].addr, pt[i].size);
 --
 drivers/mtd/maps/l440gx.c=48=static struct map_info l440gx_map = {
 --
 drivers/mtd/maps/l440gx.c-51-	.bankwidth = BUSWIDTH,
 drivers/mtd/maps/l440gx.c:52:	.phys = WINDOW_ADDR,
 drivers/mtd/maps/l440gx.c-53-#if 0
 --
 drivers/mtd/maps/netsc520.c=69=static struct map_info netsc520_map = {
 --
 drivers/mtd/maps/netsc520.c-72-	.bankwidth = 4,
 drivers/mtd/maps/netsc520.c:73:	.phys = WINDOW_ADDR,
 drivers/mtd/maps/netsc520.c-74-};
 --
 drivers/mtd/maps/nettel.c=164=static int __init nettel_init(void)
 --
 drivers/mtd/maps/nettel.c-218-
 drivers/mtd/maps/nettel.c:219:	nettel_amd_map.phys = amdaddr;
 drivers/mtd/maps/nettel.c-220-	nettel_amd_map.virt = ioremap(amdaddr, maxsize);
 --
 drivers/mtd/maps/nettel.c-304-	nettel_intel_map.size = maxsize;
 drivers/mtd/maps/nettel.c:305:	nettel_intel_map.phys = intel0addr;
 drivers/mtd/maps/nettel.c-306-	nettel_intel_map.virt = ioremap(intel0addr, maxsize);
 --
 drivers/mtd/maps/pci.c=77=static const struct map_info mtd_pci_map = {
 drivers/mtd/maps/pci.c:78:	.phys =		NO_XIP,
 drivers/mtd/maps/pci.c-79-	.copy_from =	mtd_pci_copyfrom,
 --
 drivers/mtd/maps/pcmciamtd.c=462=static int pcmciamtd_config(struct pcmcia_device *link)
 --
 drivers/mtd/maps/pcmciamtd.c-474-
 drivers/mtd/maps/pcmciamtd.c:475:	dev->pcmcia_map.phys = NO_XIP;
 drivers/mtd/maps/pcmciamtd.c-476-	dev->pcmcia_map.copy_from = pcmcia_copy_from_remap;
 --
 drivers/mtd/maps/physmap-core.c=328=static int physmap_flash_of_init(struct platform_device *dev)
 --
 drivers/mtd/maps/physmap-core.c-392-		if (map_indirect)
 drivers/mtd/maps/physmap-core.c:393:			info->maps[i].phys = NO_XIP;
 drivers/mtd/maps/physmap-core.c-394-	}
 --
 drivers/mtd/maps/physmap-core.c=446=static int physmap_flash_probe(struct platform_device *dev)
 --
 drivers/mtd/maps/physmap-core.c-518-		if (!info->maps[i].phys)
 drivers/mtd/maps/physmap-core.c:519:			info->maps[i].phys = res->start;
 drivers/mtd/maps/physmap-core.c-520-
 --
 drivers/mtd/maps/plat-ram.c=95=static int platram_probe(struct platform_device *pdev)
 --
 drivers/mtd/maps/plat-ram.c-134-
 drivers/mtd/maps/plat-ram.c:135:	info->map.phys = res->start;
 drivers/mtd/maps/plat-ram.c-136-	info->map.size = resource_size(res);
 --
 drivers/mtd/maps/pxa2xx-flash.c=44=static int pxa2xx_flash_probe(struct platform_device *pdev)
 --
 drivers/mtd/maps/pxa2xx-flash.c-59-	info->map.bankwidth = flash->width;
 drivers/mtd/maps/pxa2xx-flash.c:60:	info->map.phys = res->start;
 drivers/mtd/maps/pxa2xx-flash.c-61-	info->map.size = resource_size(res);
 --
 drivers/mtd/maps/sa1100-flash.c=67=static int sa1100_probe_subdev(struct sa_subdev_info *subdev, struct resource *res)
 --
 drivers/mtd/maps/sa1100-flash.c-101-
 drivers/mtd/maps/sa1100-flash.c:102:	subdev->map.phys = phys;
 drivers/mtd/maps/sa1100-flash.c-103-	subdev->map.size = size;
 --
 drivers/mtd/maps/sbc_gxx.c=154=static struct map_info sbc_gxx_map = {
 drivers/mtd/maps/sbc_gxx.c-155-	.name = "SBC-GXx flash",
 drivers/mtd/maps/sbc_gxx.c:156:	.phys = NO_XIP,
 drivers/mtd/maps/sbc_gxx.c-157-	.size = MAX_SIZE_KiB*1024, /* this must be set to a maximum possible amount
 --
 drivers/mtd/maps/sc520cdp.c=72=static struct map_info sc520cdp_map[] = {
 --
 drivers/mtd/maps/sc520cdp.c-76-		.bankwidth = 4,
 drivers/mtd/maps/sc520cdp.c:77:		.phys = WINDOW_ADDR_0
 drivers/mtd/maps/sc520cdp.c-78-	},
 --
 drivers/mtd/maps/sc520cdp.c-82-		.bankwidth = 4,
 drivers/mtd/maps/sc520cdp.c:83:		.phys = WINDOW_ADDR_1
 drivers/mtd/maps/sc520cdp.c-84-	},
 --
 drivers/mtd/maps/sc520cdp.c-88-		.bankwidth = 1,
 drivers/mtd/maps/sc520cdp.c:89:		.phys = WINDOW_ADDR_2
 drivers/mtd/maps/sc520cdp.c-90-	},
 --
 drivers/mtd/maps/sc520cdp.c=170=static void sc520cdp_setup_par(void)
 --
 drivers/mtd/maps/sc520cdp.c-180-		for(i = 0; i < NUM_FLASH_BANKS; i++)
 drivers/mtd/maps/sc520cdp.c:181:			sc520cdp_map[i].phys = par_table[i].default_address;
 drivers/mtd/maps/sc520cdp.c-182-		return;
 --
 drivers/mtd/maps/sc520cdp.c-205-				par_table[i].default_address);
 drivers/mtd/maps/sc520cdp.c:206:			sc520cdp_map[i].phys = par_table[i].default_address;
 drivers/mtd/maps/sc520cdp.c-207-		}
 --
 drivers/mtd/maps/scb2_flash.c=135=static int scb2_flash_probe(struct pci_dev *dev,
 --
 drivers/mtd/maps/scb2_flash.c-162-
 drivers/mtd/maps/scb2_flash.c:163:	scb2_map.phys = SCB2_ADDR;
 drivers/mtd/maps/scb2_flash.c-164-	scb2_map.virt = scb2_ioaddr;
 --
 drivers/mtd/maps/scx200_docflash.c=76=static int __init init_scx200_docflash(void)
 --
 drivers/mtd/maps/scx200_docflash.c-177-
 drivers/mtd/maps/scx200_docflash.c:178:	scx200_docflash_map.phys = docmem.start;
 drivers/mtd/maps/scx200_docflash.c-179-	scx200_docflash_map.virt = ioremap(docmem.start, scx200_docflash_map.size);
 --
 drivers/mtd/maps/solutionengine.c=36=static int __init init_soleng_maps(void)
 --
 drivers/mtd/maps/solutionengine.c-38-	/* First probe at offset 0 */
 drivers/mtd/maps/solutionengine.c:39:	soleng_flash_map.phys = 0;
 drivers/mtd/maps/solutionengine.c-40-	soleng_flash_map.virt = (void __iomem *)P2SEGADDR(0);
 drivers/mtd/maps/solutionengine.c:41:	soleng_eprom_map.phys = 0x01000000;
 drivers/mtd/maps/solutionengine.c-42-	soleng_eprom_map.virt = (void __iomem *)P1SEGADDR(0x01000000);
 --
 drivers/mtd/maps/solutionengine.c-50-		printk(KERN_NOTICE "Probing for flash chips at 0x01000000:\n");
 drivers/mtd/maps/solutionengine.c:51:		soleng_flash_map.phys = 0x01000000;
 drivers/mtd/maps/solutionengine.c-52-		soleng_flash_map.virt = P2SEGADDR(0x01000000);
 drivers/mtd/maps/solutionengine.c:53:		soleng_eprom_map.phys = 0;
]
]

gemini-3-flash-preview

							input: 30402
							output: 17
							thoughts: 605
						

**Debugging a Dangling Pointer in Input Device's `phys` Field**

Okay, first things first, that broad `grep` for `.phys =` isn't going to cut it. I need to narrow the search to `input_dev`'s `phys` field specifically. I remember that's a `const char *` inside the `input_dev` struct.

Alright, the game plan is to trace how and where `input_dev` is allocated and, crucially, where its `phys` field gets set, particularly within the `mac80211` or `cfg80211` subsystems. Hmm, wait... `mac80211` doesn't usually *directly* create input devices. So, maybe it's some wireless driver acting on its behalf? Let's keep that in mind.

Aha! The allocation and deallocation happening in `ieee80211_inform_bss` have got my attention. That function gets called every time a BSS is discovered during a scan, which is frequent. It's parsing the Information Elements (IEs) of the BSS, and the `ieee80211_elems_parse` object is used to hold the parsed IEs. Those IEs often contain strings.

The pieces are starting to fit. If `dev->phys` is pointing to one of these strings, but the string lives inside the `ieee80211_elems_parse` object, like in its `scratch` buffer, then when that object gets freed, `dev->phys` becomes a dangling pointer!

But... why on earth would an `input_dev`'s `phys` point to a BSS IE? That doesn't seem right.

Wait, it's clear now, `input_devices_seq_show` is dumping *all* input devices. This is it. One of them is showing a `phys` pointer that's pointing to freed memory.

Let me revisit that `input_devices_seq_show` code block:
```c
1099:		seq_printf(seq, "P: Phys=%s\n", dev->phys ? dev->phys : "");
```
Yep, it's reading `dev->phys`. This confirms the problem.

Alright, the memory was freed by `ieee80211_inform_bss`. That means `dev->phys` *was* pointing to something within the `ieee80211_elems_parse` object.

And just to reiterate, `ieee80211_inform_bss` is called on every single BSS discovery. That's a *very* frequent operation during scanning. If somewhere, someone did something like this:
`input_dev->phys = some_pointer_into_ieee80211_elems_parse;`
That's the bug. That's the source of the dangling pointer.

Now, the question is *where*? What driver? Maybe some input device driver that's loosely coupled with wireless, like `applespi`?

Okay, time to get to work. Let's dig into the `input_dev` structure and get precise. Let's search the *whole* kernel, but scoped to `input_dev`, specifically for where `phys` is assigned. Actually, let's search for `->phys =`. That should be revealing.

failed to run ["git" "grep" "--extended-regexp" "--line-number" "--show-function" "-C1" "--no-color" "->phys ="]: exit status 129
error: unknown switch `>'
usage: git grep [<options>] [-e] <pattern> [<rev>...] [[--] <path>...]

    --[no-]cached         search in index instead of in the work tree
    --no-index            find in contents not managed by git
    --index               opposite of --no-index
    --[no-]untracked      search in both tracked and untracked files
    --[no-]exclude-standard
                          ignore files specified via '.gitignore'
    --[no-]recurse-submodules
                          recursively search in each submodule

    -v, --[no-]invert-match
                          show non-matching lines
    -i, --[no-]ignore-case
                          case insensitive matching
    -w, --[no-]word-regexp
                          match patterns only at word boundaries
    -a, --[no-]text       process binary files as text
    -I                    don't match patterns in binary files
    --[no-]textconv       process binary files with textconv filters
    -r, --[no-]recursive  search in subdirectories (default)
    --max-depth <n>       descend at most <n> levels

    -E, --[no-]extended-regexp
                          use extended POSIX regular expressions
    -G, --[no-]basic-regexp
                          use basic POSIX regular expressions (default)
    -F, --[no-]fixed-strings
                          interpret patterns as fixed strings
    -P, --[no-]perl-regexp
                          use Perl-compatible regular expressions

    -n, --[no-]line-number
                          show line numbers
    --[no-]column         show column number of first match
    -h                    don't show filenames
    -H                    show filenames
    --[no-]full-name      show filenames relative to top directory
    -l, --[no-]files-with-matches
                          show only filenames instead of matching lines
    --[no-]name-only      synonym for --files-with-matches
    -L, --[no-]files-without-match
                          show only the names of files without match
    -z, --[no-]null       print NUL after filenames
    -o, --[no-]only-matching
                          show only matching parts of a line
    -c, --[no-]count      show the number of matches instead of matching lines
    --[no-]color[=<when>] highlight matches
    --[no-]break          print empty line between matches from different files
    --[no-]heading        show filename only once above matches from same file

    -C, --[no-]context <n>
                          show <n> context lines before and after matches
    -B, --before-context <n>
                          show <n> context lines before matches
    -A, --after-context <n>
                          show <n> context lines after matches
    --[no-]threads <n>    use <n> worker threads
    -NUM                  shortcut for -C NUM
    -p, --[no-]show-function
                          show a line with the function name before matches
    -W, --[no-]function-context
                          show the surrounding function

    -f <file>             read patterns from file
    -e <pattern>          match <pattern>
    --and                 combine patterns specified with -e
    --or
    --not
    (
    )
    -q, --[no-]quiet      indicate hit with exit status without output
    --[no-]all-match      show only matches from files that match all patterns

    -O, --[no-]open-files-in-pager[=<pager>]
                          show matching files in the pager
    --[no-]ext-grep       allow calling of grep(1) (ignored by this build)
    -m, --[no-]max-count <n>
                          maximum number of results per file

map[Expression:->phys =]

map[Output:]