em28xx 5-1:0.254: Registering V4L2 extension
i2c i2c-2: Invalid 7-bit I2C address 0x00
tuner: 2-0061: Tuner -1 found with type(s) Radio TV.
xc2028 2-0061: creating new instance
xc2028 2-0061: type set to XCeive xc2028/xc3028 tuner
em28xx 5-1:0.254: Config register raw data: 0xffffffed
em28xx 5-1:0.254: AC97 chip type couldn't be determined
em28xx 5-1:0.254: No AC97 audio processor
em28xx 5-1:0.254: Registered radio device as radio32
usb 5-1: Decoder not found
em28xx 5-1:0.254: failed to create media graph
em28xx 5-1:0.254: V4L2 device radio32 deregistered
em28xx 5-1:0.254: V4L2 device video71 deregistered
xc2028 2-0061: destroying instance
em28xx 5-1:0.254: Registering input extension
usb 5-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
usb 5-1:0.254: Falling back to sysfs fallback for: xc3028-v27.fw
kobject_add_internal failed for firmware (error: -2 parent: 5-1:0.254)
firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0x269/0x290 drivers/media/tuners/xc2028.c:1364
Read of size 8 at addr ffff8880231c2318 by task kworker/0:0/6

CPU: 0 PID: 6 Comm: kworker/0:0 Not tainted 5.17.0-syzkaller-10734-gcb7cbaae7fd9 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: events request_firmware_work_func
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xeb/0x467 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 load_firmware_cb+0x269/0x290 drivers/media/tuners/xc2028.c:1364
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1022
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Allocated by task 6:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:234 [inline]
 kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3582
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 tuner_probe+0xa4/0x1180 drivers/media/v4l2-core/tuner-core.c:638
 i2c_device_probe+0xa0c/0xb90 drivers/i2c/i2c-core-base.c:563
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x245/0xcc0 drivers/base/dd.c:596
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:755
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:785
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:902
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:973
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xb83/0x1e20 drivers/base/core.c:3405
 i2c_new_client_device+0x67b/0xb60 drivers/i2c/i2c-core-base.c:969
 v4l2_i2c_new_subdev_board+0xaf/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:80
 v4l2_i2c_new_subdev+0x102/0x170 drivers/media/v4l2-core/v4l2-i2c.c:135
 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2627 [inline]
 em28xx_v4l2_init.cold+0x9cb/0x329c drivers/media/usb/em28xx/em28xx-video.c:2520
 em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1126
 request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3415
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 6:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0x13d/0x180 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:200 [inline]
 __cache_free mm/slab.c:3438 [inline]
 kfree+0xfb/0x2c0 mm/slab.c:3809
 tuner_remove+0x198/0x200 drivers/media/v4l2-core/tuner-core.c:791
 i2c_device_remove+0x7b/0x240 drivers/i2c/i2c-core-base.c:606
 __device_release_driver+0x3bd/0x760 drivers/base/dd.c:1207
 device_release_driver_internal drivers/base/dd.c:1242 [inline]
 device_release_driver+0x26/0x40 drivers/base/dd.c:1265
 bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:529
 device_del+0x4f3/0xc80 drivers/base/core.c:3592
 device_unregister+0x1f/0xc0 drivers/base/core.c:3624
 i2c_unregister_device+0x38/0x40 include/linux/err.h:41
 v4l2_i2c_subdev_unregister+0xa2/0xc0 drivers/media/v4l2-core/v4l2-i2c.c:28
 v4l2_device_unregister drivers/media/v4l2-core/v4l2-device.c:102 [inline]
 v4l2_device_unregister+0x20d/0x2e0 drivers/media/v4l2-core/v4l2-device.c:88
 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2908 [inline]
 em28xx_v4l2_init.cold+0xd26/0x329c drivers/media/usb/em28xx/em28xx-video.c:2520
 em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1126
 request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3415
 process_one_work+0x996/0x1610 kernel/workqueue.c:2289
 worker_thread+0x665/0x1080 kernel/workqueue.c:2436
 kthread+0x2e9/0x3a0 kernel/kthread.c:376
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The buggy address belongs to the object at ffff8880231c2000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 792 bytes inside of
 2048-byte region [ffff8880231c2000, ffff8880231c2800)

The buggy address belongs to the physical page:
page:ffffea00008c7080 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x231c2
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000054a8c8 ffffea000087ccc8 ffff888010c40800
raw: 0000000000000000 ffff8880231c2000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 6, tgid 6 (kworker/0:0), ts 50536143903, free_ts 48667167805
 prep_new_page mm/page_alloc.c:2438 [inline]
 get_page_from_freelist+0xba2/0x3df0 mm/page_alloc.c:4179
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5405
 __alloc_pages_node include/linux/gfp.h:589 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x350 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 __do_cache_alloc mm/slab.c:3267 [inline]
 slab_alloc mm/slab.c:3309 [inline]
 kmem_cache_alloc_trace+0x380/0x4a0 mm/slab.c:3580
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 tuner_probe+0xa4/0x1180 drivers/media/v4l2-core/tuner-core.c:638
 i2c_device_probe+0xa0c/0xb90 drivers/i2c/i2c-core-base.c:563
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x245/0xcc0 drivers/base/dd.c:596
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:755
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:785
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:902
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:973
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xb83/0x1e20 drivers/base/core.c:3405
 i2c_new_client_device+0x67b/0xb60 drivers/i2c/i2c-core-base.c:969
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1353 [inline]
 free_pcp_prepare+0x549/0xd20 mm/page_alloc.c:1403
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3420
 rcu_do_batch kernel/rcu/tree.c:2535 [inline]
 rcu_core+0x7b1/0x1880 kernel/rcu/tree.c:2786
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558

Memory state around the buggy address:
 ffff8880231c2200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880231c2280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880231c2300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff8880231c2380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880231c2400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
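What the three stacks above say, read together: the tuner private data is kzalloc'd in tuner_probe while em28xx_v4l2_init registers the I2C subdevice; the same task then hits an error in em28xx_v4l2_init ("Decoder not found", "failed to create media graph"), tears the V4L2 device down, and tuner_remove kfree()s that object; the xc3028-v27.fw request that tuner_probe had already queued asynchronously completes later on the firmware workqueue, and load_firmware_cb dereferences the freed object (every shadow byte in the dump is fb, KASAN's freed-slab marker). The lifetime rule this breaks is that a deferred callback must never outlive the object it was handed. The program below is an added illustration of that rule in plain userland C; it is not the xc2028 or tuner-core code and does not show the fix the kernel actually took. All names in it (xc_priv, fw_work, priv_get/priv_put, demo_vulnerable, demo_fixed) are invented, the "slab" is a static buffer poisoned with 0xfb on free so the stale read stays defined behaviour in the model, and the single-slot workqueue stands in for request_firmware_nowait()'s deferred callback.

```c
/* Added illustration of the probe/remove vs. deferred-callback lifetime
 * bug in the report above. Not driver code; every identifier is made up. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LIVE_MAGIC   0x5847433Au  /* constructed marker for a live object */
#define FREED_POISON 0xfb         /* KASAN paints freed slab bytes 0xfb, as in the dump */

struct xc_priv {
    uint32_t magic;
    int      refs;   /* used only by the fixed variant */
};

/* One "slab object" in static storage: a stale read is observable here
 * instead of being undefined behaviour on a real freed allocation. */
static struct xc_priv slab_obj;
static int free_count;

static struct xc_priv *priv_alloc(void) {
    memset(&slab_obj, 0, sizeof slab_obj);      /* kzalloc() */
    slab_obj.magic = LIVE_MAGIC;
    return &slab_obj;
}

static void priv_free(struct xc_priv *p) {
    memset(p, FREED_POISON, sizeof *p);         /* kfree() plus KASAN poison */
    free_count++;
}

/* Single-slot workqueue standing in for the firmware loader's deferred callback. */
struct fw_work { void (*fn)(struct xc_priv *); struct xc_priv *ctx; int pending; };
static struct fw_work wq;

static void queue_fw_work(void (*fn)(struct xc_priv *), struct xc_priv *ctx) {
    wq.fn = fn; wq.ctx = ctx; wq.pending = 1;
}
static void run_workqueue(void) {
    if (wq.pending) { wq.pending = 0; wq.fn(wq.ctx); }
}

static uint32_t last_cb_magic;

/* Vulnerable shape: the callback trusts the pointer it was queued with. */
static void load_firmware_cb_vuln(struct xc_priv *priv) {
    last_cb_magic = priv->magic;                /* reads whatever the slab holds now */
}

/* Returns 1 when the callback observed freed (poisoned) memory. */
int demo_vulnerable(void) {
    struct xc_priv *priv = priv_alloc();        /* tuner_probe() */
    queue_fw_work(load_firmware_cb_vuln, priv); /* async firmware request */
    priv_free(priv);                            /* tuner_remove() on the init error path */
    run_workqueue();                            /* kworker runs the callback afterwards */
    return last_cb_magic == 0xfbfbfbfbu;
}

/* Fixed shape: the queued work owns a reference, the object dies on last put. */
static void priv_get(struct xc_priv *p) { p->refs++; }
static void priv_put(struct xc_priv *p) { if (--p->refs == 0) priv_free(p); }

static void load_firmware_cb_fixed(struct xc_priv *priv) {
    last_cb_magic = priv->magic;                /* still live: this work holds a ref */
    priv_put(priv);                             /* drop the work's reference */
}

/* Returns 1 when the callback saw live memory and the object was freed exactly once. */
int demo_fixed(void) {
    free_count = 0;
    struct xc_priv *priv = priv_alloc();
    priv_get(priv);                             /* probe's own reference */
    priv_get(priv);                             /* reference handed to the deferred work */
    queue_fw_work(load_firmware_cb_fixed, priv);
    priv_put(priv);                             /* remove drops only probe's reference */
    run_workqueue();                            /* callback runs on live memory, then frees */
    return last_cb_magic == LIVE_MAGIC && free_count == 1;
}

int main(void) {
    printf("vulnerable: callback read poisoned memory = %d\n", demo_vulnerable());
    printf("fixed:      callback read live memory, one free = %d\n", demo_fixed());
    return 0;
}
```

The refcount shape is the relevant one here because a request_firmware_nowait() callback cannot be cancelled once queued, so remove() cannot simply wait it out; it has to leave the memory alive until the callback has dropped its reference. Keeping the memory valid is only half of it: in a real driver the callback must also re-check, under the driver's lock, that the device has not been removed before it touches hardware, since a live struct does not mean a live device.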