kobject_add_internal failed for firmware (error: -2 parent: 5-1:0.254) firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed ================================================================== BUG: KASAN: use-after-free in load_firmware_cb+0x269/0x290 drivers/media/tuners/xc2028.c:1364 Read of size 8 at addr ffff888021c28318 by task kworker/1:5/3700 CPU: 1 PID: 3700 Comm: kworker/1:5 Not tainted 6.0.0-rc3-syzkaller-00792-gdcf8e5633e2e #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 Workqueue: events request_firmware_work_func Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold+0x2ba/0x6e9 mm/kasan/report.c:433 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495 load_firmware_cb+0x269/0x290 drivers/media/tuners/xc2028.c:1364 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1107 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 Allocated by task 3700: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:437 [inline] ____kasan_kmalloc mm/kasan/common.c:516 [inline] ____kasan_kmalloc mm/kasan/common.c:475 [inline] __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:525 kasan_kmalloc include/linux/kasan.h:234 [inline] kmem_cache_alloc_trace+0x25a/0x460 mm/slab.c:3559 kmalloc include/linux/slab.h:600 [inline] kzalloc include/linux/slab.h:733 [inline] tuner_probe+0xa4/0x1180 drivers/media/v4l2-core/tuner-core.c:638 i2c_device_probe+0xa1b/0xba0 drivers/i2c/i2c-core-base.c:563 call_driver_probe drivers/base/dd.c:530 [inline] really_probe+0x249/0xb90 drivers/base/dd.c:609 __driver_probe_device+0x1df/0x4d0 drivers/base/dd.c:748 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:778 __device_attach_driver+0x206/0x2e0 drivers/base/dd.c:901 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427 __device_attach+0x1e4/0x530 drivers/base/dd.c:973 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487 device_add+0xbd5/0x1e90 drivers/base/core.c:3517 i2c_new_client_device+0x61d/0xb00 drivers/i2c/i2c-core-base.c:969 v4l2_i2c_new_subdev_board+0xaf/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:80 v4l2_i2c_new_subdev+0x102/0x170 drivers/media/v4l2-core/v4l2-i2c.c:135 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2617 [inline] em28xx_v4l2_init.cold+0x9cb/0x3268 drivers/media/usb/em28xx/em28xx-video.c:2510 em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1116 request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3405 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 Freed by task 3700: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:367 [inline] ____kasan_slab_free+0x13d/0x1a0 mm/kasan/common.c:329 kasan_slab_free include/linux/kasan.h:200 [inline] __cache_free mm/slab.c:3418 [inline] kfree+0x173/0x390 mm/slab.c:3786 tuner_remove+0x198/0x200 drivers/media/v4l2-core/tuner-core.c:791 i2c_device_remove+0x76/0x250 drivers/i2c/i2c-core-base.c:606 device_remove+0xc8/0x170 drivers/base/dd.c:518 __device_release_driver drivers/base/dd.c:1209 [inline] device_release_driver_internal+0x4a1/0x700 drivers/base/dd.c:1235 bus_remove_device+0x2e3/0x590 drivers/base/bus.c:529 device_del+0x4f3/0xc80 drivers/base/core.c:3704 device_unregister+0x1a/0xc0 drivers/base/core.c:3736 i2c_unregister_device+0x38/0x40 include/linux/err.h:41 v4l2_i2c_subdev_unregister+0xa2/0xc0 drivers/media/v4l2-core/v4l2-i2c.c:28 v4l2_device_unregister drivers/media/v4l2-core/v4l2-device.c:102 [inline] v4l2_device_unregister+0x20d/0x2e0 drivers/media/v4l2-core/v4l2-device.c:88 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2898 [inline] em28xx_v4l2_init.cold+0xca7/0x3268 drivers/media/usb/em28xx/em28xx-video.c:2510 em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1116 request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3405 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 The buggy address belongs to the object at ffff888021c28000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 792 bytes inside of 2048-byte region [ffff888021c28000, ffff888021c28800) The buggy address belongs to the physical page: page:ffffea0000870a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x21c28 flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000200 ffffea000087a848 ffffea000052d508 ffff888010c40800 raw: 0000000000000000 ffff888021c28000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2c2220(__GFP_HIGH|__GFP_ATOMIC|__GFP_NOWARN|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 2673, tgid 2673 (kworker/3:2), ts 66713261328, free_ts 65903756468 prep_new_page mm/page_alloc.c:2532 [inline] get_page_from_freelist+0x109b/0x2ce0 mm/page_alloc.c:4283 __alloc_pages_slowpath.constprop.0+0x2d7/0x2240 mm/page_alloc.c:5058 __alloc_pages+0x43d/0x510 mm/page_alloc.c:5528 __alloc_pages_node include/linux/gfp.h:243 [inline] kmem_getpages mm/slab.c:1363 [inline] cache_grow_begin+0x75/0x360 mm/slab.c:2569 cache_alloc_refill+0x27f/0x380 mm/slab.c:2942 ____cache_alloc mm/slab.c:3018 [inline] ____cache_alloc mm/slab.c:3001 [inline] slab_alloc_node mm/slab.c:3220 [inline] kmem_cache_alloc_node_trace+0x50a/0x570 mm/slab.c:3601 __do_kmalloc_node mm/slab.c:3623 [inline] __kmalloc_node_track_caller+0x38/0x60 mm/slab.c:3638 kmalloc_reserve net/core/skbuff.c:358 [inline] __alloc_skb+0xd9/0x2f0 net/core/skbuff.c:430 alloc_skb include/linux/skbuff.h:1257 [inline] nlmsg_new include/net/netlink.h:953 [inline] inet6_ifinfo_notify+0x72/0x150 net/ipv6/addrconf.c:6043 addrconf_notify+0x49b/0x1b90 net/ipv6/addrconf.c:3653 notifier_call_chain+0xb5/0x200 kernel/notifier.c:87 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1945 netdev_state_change net/core/dev.c:1334 [inline] netdev_state_change+0x100/0x130 net/core/dev.c:1327 linkwatch_do_dev+0x10e/0x150 net/core/link_watch.c:168 __linkwatch_run_queue+0x23f/0x6a0 net/core/link_watch.c:221 linkwatch_event+0x4a/0x60 net/core/link_watch.c:264 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1449 [inline] free_pcp_prepare+0x5e4/0xd20 mm/page_alloc.c:1499 free_unref_page_prepare mm/page_alloc.c:3380 [inline] free_unref_page+0x19/0x4d0 mm/page_alloc.c:3476 slab_destroy mm/slab.c:1615 [inline] drain_freelist.isra.0+0xc6/0x130 mm/slab.c:2207 cache_reap+0x1b9/0x2e0 mm/slab.c:4017 process_one_work+0x991/0x1610 kernel/workqueue.c:2289 worker_thread+0x665/0x1080 kernel/workqueue.c:2436 kthread+0x2e4/0x3a0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 Memory state around the buggy address: ffff888021c28200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888021c28280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff888021c28300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888021c28380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888021c28400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================