kobject_add_internal failed for firmware (error: -2 parent: 5-1:0.254)
firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0x269/0x290 drivers/media/tuners/tuner-xc2028.c:1364
Read of size 8 at addr ffff88801c96d318 by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.17.0-rc7-syzkaller-00235-gaad611a868d1 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: events request_firmware_work_func
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
 load_firmware_cb+0x269/0x290 drivers/media/tuners/tuner-xc2028.c:1364
 request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1022
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 worker_thread+0x657/0x1110 kernel/workqueue.c:2454
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
 </TASK>

Allocated by task 5:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:45 [inline]
 set_alloc_info mm/kasan/common.c:436 [inline]
 ____kasan_kmalloc mm/kasan/common.c:515 [inline]
 ____kasan_kmalloc mm/kasan/common.c:474 [inline]
 __kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
 kasan_kmalloc include/linux/kasan.h:270 [inline]
 kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3567
 kmalloc include/linux/slab.h:581 [inline]
 kzalloc include/linux/slab.h:714 [inline]
 tuner_probe+0xa4/0x1180 drivers/media/v4l2-core/tuner-core.c:638
 i2c_device_probe+0xa0c/0xb90 drivers/i2c/i2c-core-base.c:563
 call_driver_probe drivers/base/dd.c:517 [inline]
 really_probe+0x245/0xcc0 drivers/base/dd.c:596
 __driver_probe_device+0x338/0x4d0 drivers/base/dd.c:755
 driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:785
 __device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:902
 bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
 __device_attach+0x228/0x4a0 drivers/base/dd.c:973
 bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
 device_add+0xb83/0x1e20 drivers/base/core.c:3405
 i2c_new_client_device+0x67b/0xb60 drivers/i2c/i2c-core-base.c:969
 v4l2_i2c_new_subdev_board+0xaf/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:80
 v4l2_i2c_new_subdev+0x102/0x170 drivers/media/v4l2-core/v4l2-i2c.c:135
 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2627 [inline]
 em28xx_v4l2_init.cold+0x9cb/0x32a7 drivers/media/usb/em28xx/em28xx-video.c:2520
 em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1126
 request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3415
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 process_scheduled_works kernel/workqueue.c:2370 [inline]
 worker_thread+0x7e2/0x1110 kernel/workqueue.c:2459
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Freed by task 5:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 kasan_set_track+0x21/0x30 mm/kasan/common.c:45
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
 ____kasan_slab_free mm/kasan/common.c:366 [inline]
 ____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
 kasan_slab_free include/linux/kasan.h:236 [inline]
 __cache_free mm/slab.c:3437 [inline]
 kfree+0xf8/0x2b0 mm/slab.c:3794
 tuner_remove+0x198/0x200 drivers/media/v4l2-core/tuner-core.c:791
 i2c_device_remove+0x7b/0x240 drivers/i2c/i2c-core-base.c:606
 __device_release_driver+0x3bd/0x760 drivers/base/dd.c:1207
 device_release_driver_internal drivers/base/dd.c:1242 [inline]
 device_release_driver+0x26/0x40 drivers/base/dd.c:1265
 bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:529
 device_del+0x4f3/0xc80 drivers/base/core.c:3592
 device_unregister+0x1f/0xc0 drivers/base/core.c:3624
 i2c_unregister_device+0x38/0x40 include/linux/err.h:41
 v4l2_i2c_subdev_unregister+0xa2/0xc0 drivers/media/v4l2-core/v4l2-i2c.c:28
 v4l2_device_unregister drivers/media/v4l2-core/v4l2-device.c:102 [inline]
 v4l2_device_unregister+0x20d/0x2e0 drivers/media/v4l2-core/v4l2-device.c:88
 em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2908 [inline]
 em28xx_v4l2_init.cold+0xd26/0x32a7 drivers/media/usb/em28xx/em28xx-video.c:2520
 em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1126
 request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3415
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
 process_scheduled_works kernel/workqueue.c:2370 [inline]
 worker_thread+0x7e2/0x1110 kernel/workqueue.c:2459
 kthread+0x2e9/0x3a0 kernel/kthread.c:377
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
 __kasan_record_aux_stack+0x7e/0x90 mm/kasan/generic.c:348
 __call_rcu kernel/rcu/tree.c:3026 [inline]
 call_rcu+0xb1/0x740 kernel/rcu/tree.c:3106
 netlink_release+0xf08/0x1db0 net/netlink/af_netlink.c:813
 __sock_release+0xcd/0x280 net/socket.c:650
 sock_close+0x18/0x20 net/socket.c:1318
 __fput+0x286/0x9f0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:164
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:175 [inline]
 exit_to_user_mode_prepare+0x27e/0x290 kernel/entry/common.c:207
 __syscall_exit_to_user_mode_work kernel/entry/common.c:289 [inline]
 syscall_exit_to_user_mode+0x19/0x60 kernel/entry/common.c:300
 do_syscall_64+0x42/0xb0 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88801c96d000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 792 bytes inside of
 2048-byte region [ffff88801c96d000, ffff88801c96d800)
The buggy address belongs to the page:
page:ffffea0000725b40 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c96d
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea00004ee108 ffffea0000714a08 ffff888010c40800
raw: 0000000000000000 ffff88801c96d000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_THISNODE), pid 968, ts 36293287433, free_ts 36268103858
 prep_new_page mm/page_alloc.c:2434 [inline]
 get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
 __alloc_pages_node include/linux/gfp.h:572 [inline]
 kmem_getpages mm/slab.c:1378 [inline]
 cache_grow_begin+0x75/0x390 mm/slab.c:2584
 cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
 ____cache_alloc mm/slab.c:3040 [inline]
 ____cache_alloc mm/slab.c:3023 [inline]
 slab_alloc_node mm/slab.c:3241 [inline]
 kmem_cache_alloc_node_trace+0x49c/0x5b0 mm/slab.c:3609
 __do_kmalloc_node mm/slab.c:3631 [inline]
 __kmalloc_node_track_caller+0x38/0x60 mm/slab.c:3646
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 pskb_expand_head+0x15e/0x1060 net/core/skbuff.c:1699
 netlink_trim+0x1ea/0x240 net/netlink/af_netlink.c:1299
 netlink_broadcast+0x5b/0xd50 net/netlink/af_netlink.c:1495
 nlmsg_multicast include/net/netlink.h:1033 [inline]
 nlmsg_notify+0x8f/0x280 net/netlink/af_netlink.c:2537
 rtnl_notify net/core/rtnetlink.c:730 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:3857 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:3872 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:3860 [inline]
 rtmsg_ifinfo+0xf0/0x120 net/core/rtnetlink.c:3878
 netdev_state_change net/core/dev.c:1311 [inline]
 netdev_state_change+0x114/0x130 net/core/dev.c:1302
 linkwatch_do_dev+0x10e/0x150 net/core/link_watch.c:167
 __linkwatch_run_queue+0x243/0x6b0 net/core/link_watch.c:220
 linkwatch_event+0x4a/0x60 net/core/link_watch.c:263
 process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1352 [inline]
 free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
 free_unref_page_prepare mm/page_alloc.c:3325 [inline]
 free_unref_page+0x19/0x690 mm/page_alloc.c:3404
 __put_single_page mm/swap.c:99 [inline]
 __put_page+0x13d/0x1e0 mm/swap.c:130
 folio_put include/linux/mm.h:1199 [inline]
 put_page include/linux/mm.h:1237 [inline]
 free_page_and_swap_cache+0x1f2/0x270 mm/swap_state.c:305
 __tlb_remove_table arch/x86/include/asm/tlb.h:37 [inline]
 __tlb_remove_table_free mm/mmu_gather.c:102 [inline]
 tlb_remove_table_rcu+0x85/0xe0 mm/mmu_gather.c:157
 rcu_do_batch kernel/rcu/tree.c:2527 [inline]
 rcu_core+0x7b1/0x1820 kernel/rcu/tree.c:2778
 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558

Memory state around the buggy address:
 ffff88801c96d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801c96d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88801c96d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff88801c96d380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88801c96d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================