Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)

Next message: Jisheng Zhang: "[PATCH] arm: Add runtime constant support for armv7 and !THUMB2_KERNEL"
Previous message: Krzysztof Kozlowski: "Re: [PATCH v10 1/2] dt-bindings: hwmon: add support for MCP998X"
In reply to: syzbot: "Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)"
Next in thread: syzbot: "Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Hillf Danton

Date: Sat Feb 21 2026 - 09:36:52 EST

> Date: Mon, 16 Feb 2026 01:34:34 -0800 [thread overview]
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

#syz test

--- x/drivers/media/dvb-core/dvb_frontend.c
+++ y/drivers/media/dvb-core/dvb_frontend.c
@@ -2911,6 +2911,8 @@ static int dvb_frontend_release(struct i
mb();
}

+ dvb_device_get(dvbdev); // for removing dev
+ dvb_device_get(dvbdev); // for releasing dev
ret = dvb_generic_release(inode, file);

if (dvbdev->users == -1) {
@@ -2931,6 +2933,8 @@ static int dvb_frontend_release(struct i
fe->ops.ts_bus_ctrl(fe, 0);
}

+ dvb_remove_device(dvbdev);
+ dvb_device_put(dvbdev);
dvb_frontend_put(fe);

return ret;
--