[BUG] KASAN: slab-use-after-free in au0828_dvb_register

From: Shuangpeng

Date: Thu May 28 2026 - 20:19:25 EST


Hi Kernel Maintainers,

We hit the following KASAN report while testing the current upstream kernel:

KASAN: slab-use-after-free in au0828_dvb_register

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/c31163f8ef234ba4fe85038c2f97f9cc

I’m happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>


[ 141.481576][ T48] ==================================================================
[ 141.482348][ T48] BUG: KASAN: slab-use-after-free in au0828_dvb_register (drivers/media/usb/au0828/au0828-dvb.c:636)
[ 141.483148][ T48] Read of size 8 at addr ffff888171d4a118 by task kworker/1:1/48
[ 141.483903][ T48]
[ 141.484144][ T48] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.34
[ 141.484148][ T48] Workqueue: usb_hub_wq hub_event
[ 141.484154][ T48] Call Trace:
[ 141.484157][ T48] <TASK>
[ 141.484159][ T48] dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[ 141.484164][ T48] print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[ 141.484177][ T48] kasan_report (mm/kasan/report.c:595)
[ 141.484183][ T48] au0828_dvb_register (drivers/media/usb/au0828/au0828-dvb.c:636)
[ 141.484190][ T48] au0828_usb_probe (drivers/media/usb/au0828/au0828-core.c:733)
[ 141.484193][ T48] usb_probe_interface (drivers/usb/core/driver.c:396)
[ 141.484198][ T48] really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[ 141.484204][ T48] __driver_probe_device (drivers/base/dd.c:871)
[ 141.484207][ T48] driver_probe_device (drivers/base/dd.c:901)
[ 141.484211][ T48] __device_attach_driver (drivers/base/dd.c:1029)
[ 141.484217][ T48] bus_for_each_drv (drivers/base/bus.c:500)
[ 141.484264][ T48] __device_attach (drivers/base/dd.c:1101)
[ 141.484289][ T48] device_initial_probe (drivers/base/dd.c:1156)
[ 141.484292][ T48] bus_probe_device (drivers/base/bus.c:613)
[ 141.484296][ T48] device_add (drivers/base/core.c:3706)
[ 141.484299][ T48] usb_set_configuration (drivers/usb/core/message.c:2268)
[ 141.484303][ T48] usb_generic_driver_probe (drivers/usb/core/generic.c:250)
[ 141.484308][ T48] usb_probe_device (drivers/usb/core/driver.c:291)
[ 141.484311][ T48] really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[ 141.484315][ T48] __driver_probe_device (drivers/base/dd.c:871)
[ 141.484318][ T48] driver_probe_device (drivers/base/dd.c:901)
[ 141.484321][ T48] __device_attach_driver (drivers/base/dd.c:1029)
[ 141.484328][ T48] bus_for_each_drv (drivers/base/bus.c:500)
[ 141.484346][ T48] __device_attach (drivers/base/dd.c:1101)
[ 141.484367][ T48] device_initial_probe (drivers/base/dd.c:1156)
[ 141.484370][ T48] bus_probe_device (drivers/base/bus.c:613)
[ 141.484374][ T48] device_add (drivers/base/core.c:3706)
[ 141.484376][ T48] usb_new_device (drivers/usb/core/hub.c:2695)
[ 141.484386][ T48] hub_event (drivers/usb/core/hub.c:5567 drivers/usb/core/hub.c:5707 drivers/usb/core/hub.c:5871 drivers/usb/core/hub.c:5953)
[ 141.484406][ T48] process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[ 141.484412][ T48] worker_thread (kernel/workqueue.c:3478)
[ 141.484420][ T48] kthread (kernel/kthread.c:436)
[ 141.484431][ T48] ret_from_fork (arch/x86/kernel/process.c:158)
[ 141.484445][ T48] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[ 141.484450][ T48] </TASK>
[ 141.484451][ T48]
[ 141.523531][ T48] Freed by task 48 on cpu 1 at 141.481575s:
[ 141.524120][ T48] kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[ 141.524594][ T48] kasan_save_free_info (mm/kasan/generic.c:584)
[ 141.525089][ T48] __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[ 141.525570][ T48] kfree (./include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[ 141.525957][ T48] au8522_release_state (drivers/media/dvb-frontends/au8522_common.c:124)
[ 141.526467][ T48] dvb_frontend_put (drivers/media/dvb-core/dvb_frontend.c:3093 drivers/media/dvb-core/dvb_frontend.c:141 drivers/media/dvb-core/dvb_frontend.c:166)
[ 141.526957][ T48] au0828_dvb_register (drivers/media/usb/au0828/au0828-dvb.c:518 drivers/media/usb/au0828/au0828-dvb.c:634)
[ 141.527469][ T48] au0828_usb_probe (drivers/media/usb/au0828/au0828-core.c:733)
[ 141.527952][ T48] usb_probe_interface (drivers/usb/core/driver.c:396)
[ 141.528455][ T48] really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[ 141.528908][ T48] __driver_probe_device (drivers/base/dd.c:871)
[ 141.529426][ T48] driver_probe_device (drivers/base/dd.c:901)
[ 141.529932][ T48] __device_attach_driver (drivers/base/dd.c:1029)
[ 141.530459][ T48] bus_for_each_drv (drivers/base/bus.c:500)
[ 141.530949][ T48] __device_attach (drivers/base/dd.c:1101)
[ 141.531419][ T48] device_initial_probe (drivers/base/dd.c:1156)
[ 141.531923][ T48] bus_probe_device (drivers/base/bus.c:613)
[ 141.532404][ T48] device_add (drivers/base/core.c:3706)
[ 141.532840][ T48] usb_set_configuration (drivers/usb/core/message.c:2268)
[ 141.533373][ T48] usb_generic_driver_probe (drivers/usb/core/generic.c:250)
[ 141.533907][ T48] usb_probe_device (drivers/usb/core/driver.c:291)
[ 141.534377][ T48] really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[ 141.534833][ T48] __driver_probe_device (drivers/base/dd.c:871)
[ 141.535352][ T48] driver_probe_device (drivers/base/dd.c:901)
[ 141.535856][ T48] __device_attach_driver (drivers/base/dd.c:1029)
[ 141.536384][ T48] bus_for_each_drv (drivers/base/bus.c:500)
[ 141.536869][ T48] __device_attach (drivers/base/dd.c:1101)
[ 141.537340][ T48] device_initial_probe (drivers/base/dd.c:1156)
[ 141.537839][ T48] bus_probe_device (drivers/base/bus.c:613)
[ 141.538320][ T48] device_add (drivers/base/core.c:3706)
[ 141.538753][ T48] usb_new_device (drivers/usb/core/hub.c:2695)
[ 141.539226][ T48] hub_event (drivers/usb/core/hub.c:5567 drivers/usb/core/hub.c:5707 drivers/usb/core/hub.c:5871 drivers/usb/core/hub.c:5953)
[ 141.539672][ T48] process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[ 141.540205][ T48] worker_thread (kernel/workqueue.c:3478)
[ 141.540666][ T48] kthread (kernel/kthread.c:436)
[ 141.541069][ T48] ret_from_fork (arch/x86/kernel/process.c:158)
[ 141.541524][ T48] ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[ 141.541999][ T48]
[ 141.542236][ T48] The buggy address belongs to the object at ffff888171d4a000
[ 141.542236][ T48] which belongs to the cache kmalloc-4k of size 4096
[ 141.543602][ T48] The buggy address is located 280 bytes inside of
[ 141.543602][ T48] freed 4096-byte region [ffff888171d4a000, ffff888171d4b000)
Best,
Shuangpeng
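The shape the two stacks above describe, modelled in userspace as an added example (editor-added illustration, not the reporter's reproducer and not the driver's code): a release callback run from the last reference drop frees the state object that owns the frontend, and the registration path then reads through a pointer into that object, an 8-byte read 280 bytes into a 4096-byte block as in the report. The struct names, the field layout, DEMOD_ID and the toy KASAN-like tracker are assumptions made for the example; the kernel's real types and line 636 in au0828-dvb.c may differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Toy KASAN-style tracker (constructed for this example, not kernel code):
 * freed blocks are quarantined and marked dead rather than returned to the
 * allocator, so a later access can be reported instead of going silent. */
#define MAX_TRACKED 8
struct block { uint8_t *base; size_t size; bool live; };
static struct block tracked[MAX_TRACKED];
static int ntracked;
static void *tracked_alloc(size_t size)
{
    uint8_t *p = calloc(1, size);
    if (!p || ntracked == MAX_TRACKED)
        abort();
    tracked[ntracked++] = (struct block){ p, size, true };
    return p;
}
static void tracked_free(void *p)
{
    for (int i = 0; i < ntracked; i++)
        if (tracked[i].base == p)
            tracked[i].live = false;   /* quarantine: memory kept, marked dead */
}
/* Offset of [p, p+len) inside a freed block, or -1 if the access is fine
 * (the "located N bytes inside of freed region" line of the report). */
static long uaf_offset(const void *p, size_t len)
{
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < ntracked; i++) {
        uintptr_t b = (uintptr_t)tracked[i].base;
        if (!tracked[i].live && a >= b && a + len <= b + tracked[i].size)
            return (long)(a - b);
    }
    return -1;
}

/* Objects modelled on the report: a 4096-byte demod state with the frontend
 * embedded at its start and an 8-byte field 280 bytes in.  Names and layout
 * are assumptions for illustration, not the driver's real structs. */
struct frontend;
struct frontend_ops { void (*release)(struct frontend *fe); };
struct frontend {
    struct frontend_ops ops;
    void *demodulator_priv;   /* points back at the owning state */
    int refcount;
};
struct demod_state {
    struct frontend frontend;
    uint8_t pad[280 - sizeof(struct frontend)];
    uint64_t id;              /* the 8-byte read at offset 280 */
    uint8_t rest[4096 - 280 - sizeof(uint64_t)];
};
#define DEMOD_ID 0xA0A8522ULL   /* arbitrary marker value, assumed */

/* Like au8522_release_state in the freed-by stack: frees the whole state,
 * and with it the embedded frontend. */
static void demod_release(struct frontend *fe)
{
    tracked_free(fe->demodulator_priv);
}
static struct frontend *demod_attach(void)
{
    struct demod_state *st = tracked_alloc(sizeof(*st));
    st->id = DEMOD_ID;
    st->frontend.ops.release = demod_release;
    st->frontend.demodulator_priv = st;
    st->frontend.refcount = 1;
    return &st->frontend;
}
/* Like dvb_frontend_put: dropping the last reference runs ops.release. */
static void frontend_put(struct frontend *fe)
{
    if (--fe->refcount == 0 && fe->ops.release)
        fe->ops.release(fe);
}

/* Buggy ordering: drop the reference, then read through the stale pointer.
 * Returns the offset KASAN would report, or -1 (and the value) if clean. */
static long register_buggy(struct frontend *fe, uint64_t *out)
{
    struct demod_state *st = fe->demodulator_priv;
    frontend_put(fe);                 /* frees st, and fe inside it */
    long off = uaf_offset(&st->id, sizeof(st->id));
    if (off >= 0)
        return off;
    *out = st->id;
    return -1;
}
/* Fixed ordering: read what is needed while the reference is still held,
 * then drop it and never touch fe or st again. */
static long register_fixed(struct frontend *fe, uint64_t *out)
{
    struct demod_state *st = fe->demodulator_priv;
    *out = st->id;
    frontend_put(fe);
    return -1;
}
```

register_buggy returns 280 for the ordering the report shows (read of size 8, 280 bytes inside the freed 4096-byte region), register_fixed returns -1 with the value read safely. Swap tracked_free for a real free() and build with `-fsanitize=address`, and the buggy path aborts with ASan's heap-use-after-free report, the userspace analogue of this KASAN splat.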