Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)

From: syzbot

Date: Sat Feb 21 2026 - 17:23:14 EST


Hello,

syzbot tried to test the proposed patch but the build/boot failed:

_SRC_OVR (bus 0 bus_irq 10 global_irq 10 high level)
[ 0.324084][ T0] ACPI: INT_SRC_OVR (bus 0 bus_irq 11 global_irq 11 high level)
[ 0.324103][ T0] ACPI: Using ACPI (MADT) for SMP configuration information
[ 0.324118][ T0] CPU topo: Max. logical packages: 1
[ 0.324122][ T0] CPU topo: Max. logical dies: 1
[ 0.324126][ T0] CPU topo: Max. dies per package: 1
[ 0.324137][ T0] CPU topo: Max. threads per core: 2
[ 0.324142][ T0] CPU topo: Num. cores per package: 1
[ 0.324146][ T0] CPU topo: Num. threads per package: 2
[ 0.324150][ T0] CPU topo: Allowing 2 present CPUs plus 0 hotplug CPUs
[ 0.324260][ T0] PM: hibernation: Registered nosave memory: [mem 0x00000000-0x00000fff]
[ 0.324270][ T0] PM: hibernation: Registered nosave memory: [mem 0x0009f000-0x000fffff]
[ 0.324278][ T0] PM: hibernation: Registered nosave memory: [mem 0xbfffd000-0xffffffff]
[ 0.324303][ T0] [gap 0xc0000000-0xfffbbfff] available for PCI devices
[ 0.324309][ T0] Booting paravirtualized kernel on KVM
[ 0.324320][ T0] clocksource: refined-jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[ 0.457957][ T0] Zone ranges:
[ 0.457966][ T0] DMA [mem 0x0000000000001000-0x0000000000ffffff]
[ 0.457977][ T0] DMA32 [mem 0x0000000001000000-0x00000000ffffffff]
[ 0.457985][ T0] Normal [mem 0x0000000100000000-0x000000023fffffff]
[ 0.457993][ T0] Device empty
[ 0.457998][ T0] Movable zone start for each node
[ 0.458001][ T0] Early memory node ranges
[ 0.458005][ T0] node 0: [mem 0x0000000000001000-0x000000000009efff]
[ 0.458011][ T0] node 0: [mem 0x0000000000100000-0x00000000bfffcfff]
[ 0.458019][ T0] node 0: [mem 0x0000000100000000-0x0000000140000fff]
[ 0.458025][ T0] node 1: [mem 0x0000000140001000-0x000000023fffffff]
[ 0.458034][ T0] Initmem setup node 0 [mem 0x0000000000001000-0x0000000140000fff]
[ 0.458049][ T0] Initmem setup node 1 [mem 0x0000000140001000-0x000000023fffffff]
[ 0.458095][ T0] On node 0, zone DMA: 1 pages in unavailable ranges
[ 0.458339][ T0] On node 0, zone DMA: 97 pages in unavailable ranges
[ 0.520754][ T0] On node 0, zone Normal: 3 pages in unavailable ranges
[ 0.583334][ T0] setup_percpu: NR_CPUS:8 nr_cpumask_bits:2 nr_cpu_ids:2 nr_node_ids:2
[ 0.584030][ T0] percpu: Embedded 72 pages/cpu s254408 r8192 d32312 u1048576
[ 0.584054][ T0] pcpu-alloc: s254408 r8192 d32312 u1048576 alloc=1*2097152
[ 0.584066][ T0] pcpu-alloc: [0] 0 1
[ 0.584177][ T0] kvm-guest: PV spinlocks enabled
[ 0.584186][ T0] PV qspinlock hash table entries: 256 (order: 0, 4096 bytes, linear)
[ 0.584203][ T0] Kernel command line: earlyprintk=serial net.ifnames=0 sysctl.kernel.hung_task_all_cpu_backtrace=1 ima_policy=tcb nf-conntrack-ftp.ports=20000 nf-conntrack-tftp.ports=20000 nf-conntrack-sip.ports=20000 nf-conntrack-irc.ports=20000 nf-conntrack-sane.ports=20000 binder.debug_mask=0 rcupdate.rcu_expedited=1 rcupdate.rcu_cpu_stall_cputime=1 no_hash_pointers page_owner=on sysctl.vm.nr_hugepages=4 sysctl.vm.nr_overcommit_hugepages=4 secretmem.enable=1 sysctl.max_rcu_stall_to_panic=1 msr.allow_writes=off coredump_filter=0xffff root=/dev/sda console=ttyS0 vsyscall=native numa=fake=2 kvm-intel.nested=1 spec_store_bypass_disable=prctl nopcid vivid.n_devs=64 vivid.multiplanar=1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2,1,2 netrom.nr_ndevs=32 rose.rose_ndevs=32 smp.csd_lock_timeout=100000 watchdog_thresh=55 workqueue.watchdog_thresh=140 sysctl.net.core.netdev_unregister_timeout_secs=140 dummy_hcd.num=32 max_loop=32 nbds_max=32 \
[ 0.584229][ T0] Kernel command line: comedi.comedi_num_legacy_minors=4 panic_on_warn=1 BOOT_IMAGE=/boot/bzImage root=/dev/sda1 console=ttyS0
[ 0.588483][ T0] Unknown kernel command line parameters "nbds_max=32", will be passed to user space.
[ 0.588544][ T0] random: crng init done
[ 0.588547][ T0] printk: log buffer data + meta data: 262144 + 917504 = 1179648 bytes
[ 0.588761][ T0] software IO TLB: area num 2.
[ 0.616645][ T0] Fallback order for Node 0: 0 1
[ 0.616664][ T0] Fallback order for Node 1: 1 0
[ 0.616678][ T0] Built 2 zonelists, mobility grouping on. Total pages: 2097051
[ 0.616685][ T0] Policy zone: Normal
[ 0.617377][ T0] mem auto-init: stack:all(zero), heap alloc:on, heap free:off
[ 0.617385][ T0] stackdepot: allocating hash table via alloc_large_system_hash
[ 0.617395][ T0] stackdepot hash table entries: 1048576 (order: 12, 16777216 bytes, linear)
[ 0.622068][ T0] stackdepot: allocating space for 8192 stack pools via memblock
[ 1.210344][ T0] **********************************************************
[ 1.210354][ T0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 1.210358][ T0] ** **
[ 1.210362][ T0] ** This system shows unhashed kernel memory addresses **
[ 1.210365][ T0] ** via the console, logs, and other interfaces. This **
[ 1.210369][ T0] ** might reduce the security of your system. **
[ 1.210373][ T0] ** **
[ 1.210376][ T0] ** If you see this message and you are not debugging **
[ 1.210380][ T0] ** the kernel, report this immediately to your system **
[ 1.210384][ T0] ** administrator! **
[ 1.210387][ T0] ** **
[ 1.210391][ T0] ** Use hash_pointers=always to force this mode off **
[ 1.210395][ T0] ** **
[ 1.210398][ T0] ** NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE NOTICE **
[ 1.210402][ T0] **********************************************************
[ 1.213877][ T0] SLUB: HWalign=64, Order=0-3, MinObjects=0, CPUs=2, Nodes=2
[ 1.344641][ T0] allocated 167772160 bytes of page_ext
[ 1.344682][ T0] Node 0, zone DMA: page owner found early allocated 0 pages
[ 1.358368][ T0] Node 0, zone DMA32: page owner found early allocated 21120 pages
[ 1.362689][ T0] Node 0, zone Normal: page owner found early allocated 130 pages
[ 1.373648][ T0] Node 1, zone Normal: page owner found early allocated 19848 pages
serialport: Connected to syzkaller.us-central1-c.ci-upstream-kasan-gce-smack-root-test-job-parallel-0 port 1 (session ID: 27e7da33582c2a1f5960f3e4d1e08a357e0ae697147fe044510b0304e2ed012c, active connections: 1).
[ 1.374121][ T0] Kernel/User page tables isolation: enabled
[ 1.376324][ T0] Dynamic Preempt: full
[ 1.377426][ T0] ------------[ cut here ]------------
[ 1.377431][ T0] overflows_flex_counter_type(typeof(*ctx), pwq_tbl, __count)
[ 1.377435][ T0] WARNING: kernel/workqueue.c:5373 at apply_wqattrs_prepare+0xa5/0x1f0, CPU#0: swapper/0/0
[ 1.377461][ T0] Modules linked in:
[ 1.377470][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
[ 1.377481][ T0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 1.377488][ T0] RIP: 0010:apply_wqattrs_prepare+0xa5/0x1f0
[ 1.377507][ T0] Code: d8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 2b 01 00 00 8b 1b bf 05 00 00 00 89 de e8 55 2b 35 00 83 fb 06 0f 83 ce 00 00 00 90 <0f> 0b 90 48 c7 c0 60 61 5e 8d 48 c1 e8 03 42 80 3c 38 00 74 0c 48
[ 1.377516][ T0] RSP: 0000:ffffffff8d807bf8 EFLAGS: 00010097
[ 1.377524][ T0] RAX: ffffffff818e73bb RBX: 0000000000000000 RCX: ffffffff8d902f00
[ 1.377531][ T0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 1.377537][ T0] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 1.377543][ T0] R10: dffffc0000000000 R11: fffffbfff1e912b7 R12: ffff88813fe749c8
[ 1.377550][ T0] R13: dffffc0000000000 R14: 0000000000000000 R15: dffffc0000000000
[ 1.377562][ T0] FS: 0000000000000000(0000) GS:ffff888126592000(0000) knlGS:0000000000000000
[ 1.377572][ T0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1.377579][ T0] CR2: ffff88823ffff000 CR3: 000000000d9ba000 CR4: 00000000000000b0
[ 1.377588][ T0] Call Trace:
[ 1.377593][ T0] <TASK>
[ 1.377599][ T0] __alloc_workqueue+0xfbe/0x1e70
[ 1.377617][ T0] alloc_workqueue_noprof+0xe3/0x210
[ 1.377629][ T0] ? is_dynamic_key+0xd6/0x1c0
[ 1.377644][ T0] ? __pfx_alloc_workqueue_noprof+0x10/0x10
[ 1.377657][ T0] ? __kmalloc_cache_noprof+0x3a6/0x690
[ 1.377670][ T0] ? workqueue_init_early+0x89b/0xcf0
[ 1.377687][ T0] workqueue_init_early+0xaac/0xcf0
[ 1.377700][ T0] ? __cpuhp_setup_state+0x46/0x60
[ 1.377717][ T0] ? __pfx_workqueue_init_early+0x10/0x10
[ 1.377733][ T0] ? register_trace_event+0x3f7/0x4b0
[ 1.377749][ T0] start_kernel+0x189/0x3d0
[ 1.377760][ T0] x86_64_start_reservations+0x24/0x30
[ 1.377773][ T0] x86_64_start_kernel+0x143/0x1c0
[ 1.377786][ T0] common_startup_64+0x13e/0x147
[ 1.377804][ T0] </TASK>
[ 1.377810][ T0] Kernel panic - not syncing: kernel: panic_on_warn set ...
[ 1.377816][ T0] CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
[ 1.377827][ T0] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
[ 1.377833][ T0] Call Trace:
[ 1.377837][ T0] <TASK>
[ 1.377840][ T0] vpanic+0x56c/0xa60
[ 1.377856][ T0] ? __pfx__printk+0x10/0x10
[ 1.377868][ T0] ? __pfx_vpanic+0x10/0x10
[ 1.377881][ T0] ? is_bpf_text_address+0x292/0x2b0
[ 1.377894][ T0] ? is_bpf_text_address+0x26/0x2b0
[ 1.377914][ T0] panic+0xc5/0xd0
[ 1.377928][ T0] ? __pfx_panic+0x10/0x10
[ 1.377947][ T0] ? common_startup_64+0x13e/0x147
[ 1.377959][ T0] __warn+0x315/0x4f0
[ 1.377973][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.377987][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378000][ T0] __report_bug+0x29a/0x540
[ 1.378020][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378033][ T0] ? __pfx___report_bug+0x10/0x10
[ 1.378049][ T0] ? do_raw_spin_unlock+0xf6/0x210
[ 1.378064][ T0] ? _raw_spin_unlock_irqrestore+0x4c/0x80
[ 1.378074][ T0] ? rt_mutex_slowunlock+0x1cb/0x300
[ 1.378088][ T0] ? __pfx_rt_mutex_slowunlock+0x10/0x10
[ 1.378102][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378115][ T0] report_bug+0x16a/0x220
[ 1.378130][ T0] ? apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378142][ T0] ? apply_wqattrs_prepare+0xa7/0x1f0
[ 1.378155][ T0] handle_bug+0x98/0x200
[ 1.378168][ T0] exc_invalid_op+0x1a/0x50
[ 1.378179][ T0] asm_exc_invalid_op+0x1a/0x20
[ 1.378190][ T0] RIP: 0010:apply_wqattrs_prepare+0xa5/0x1f0
[ 1.378203][ T0] Code: d8 48 c1 e8 03 42 0f b6 04 38 84 c0 0f 85 2b 01 00 00 8b 1b bf 05 00 00 00 89 de e8 55 2b 35 00 83 fb 06 0f 83 ce 00 00 00 90 <0f> 0b 90 48 c7 c0 60 61 5e 8d 48 c1 e8 03 42 80 3c 38 00 74 0c 48
[ 1.378211][ T0] RSP: 0000:ffffffff8d807bf8 EFLAGS: 00010097
[ 1.378219][ T0] RAX: ffffffff818e73bb RBX: 0000000000000000 RCX: ffffffff8d902f00
[ 1.378226][ T0] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005
[ 1.378231][ T0] RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
[ 1.378237][ T0] R10: dffffc0000000000 R11: fffffbfff1e912b7 R12: ffff88813fe749c8
[ 1.378244][ T0] R13: dffffc0000000000 R14: 0000000000000000 R15: dffffc0000000000
[ 1.378254][ T0] ? apply_wqattrs_prepare+0x9b/0x1f0
[ 1.378270][ T0] ? apply_wqattrs_prepare+0x9b/0x1f0
[ 1.378284][ T0] __alloc_workqueue+0xfbe/0x1e70
[ 1.378300][ T0] alloc_workqueue_noprof+0xe3/0x210
[ 1.378312][ T0] ? is_dynamic_key+0xd6/0x1c0
[ 1.378326][ T0] ? __pfx_alloc_workqueue_noprof+0x10/0x10
[ 1.378339][ T0] ? __kmalloc_cache_noprof+0x3a6/0x690
[ 1.378351][ T0] ? workqueue_init_early+0x89b/0xcf0
[ 1.378367][ T0] workqueue_init_early+0xaac/0xcf0
[ 1.378380][ T0] ? __cpuhp_setup_state+0x46/0x60
[ 1.378396][ T0] ? __pfx_workqueue_init_early+0x10/0x10
[ 1.378412][ T0] ? register_trace_event+0x3f7/0x4b0
[ 1.378426][ T0] start_kernel+0x189/0x3d0
[ 1.378436][ T0] x86_64_start_reservations+0x24/0x30
[ 1.378449][ T0] x86_64_start_kernel+0x143/0x1c0
[ 1.378462][ T0] common_startup_64+0x13e/0x147
[ 1.378479][ T0] </TASK>


syzkaller build log:
go env (err=<nil>)
AR='ar'
CC='gcc'
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_ENABLED='1'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
CXX='g++'
GCCGO='gccgo'
GO111MODULE='auto'
GOAMD64='v1'
GOARCH='amd64'
GOAUTH='netrc'
GOBIN=''
GOCACHE='/syzkaller/.cache/go-build'
GOCACHEPROG=''
GODEBUG=''
GOENV='/syzkaller/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFIPS140='off'
GOFLAGS=''
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build634184225=/tmp/go-build -gno-record-gcc-switches'
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMOD='/syzkaller/jobs-2/linux/gopath/src/github.com/google/syzkaller/go.mod'
GOMODCACHE='/syzkaller/jobs-2/linux/gopath/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/syzkaller/jobs-2/linux/gopath'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTELEMETRY='local'
GOTELEMETRYDIR='/syzkaller/.config/go/telemetry'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.24.4'
GOWORK=''
PKG_CONFIG='pkg-config'

git status (err=<nil>)
HEAD detached at 1e62d19825
nothing to commit, working tree clean


tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=1e62d1982527c3b4e18df04d61f2560fa1f434cc -X github.com/google/syzkaller/prog.gitRevisionDate=20260213-152336" ./sys/syz-sysgen | grep -q false || go install -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=1e62d1982527c3b4e18df04d61f2560fa1f434cc -X github.com/google/syzkaller/prog.gitRevisionDate=20260213-152336" ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:31: run command via tools/syz-env for best compatibility, see:
Makefile:32: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w -X github.com/google/syzkaller/prog.GitRevision=1e62d1982527c3b4e18df04d61f2560fa1f434cc -X github.com/google/syzkaller/prog.gitRevisionDate=20260213-152336" -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
mkdir -p ./bin/linux_amd64
g++ -o ./bin/linux_amd64/syz-executor executor/executor.cc \
-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -Wno-unused-but-set-variable -Wno-unused-command-line-argument -static-pie -std=c++17 -I. -Iexecutor/_include -DGOOS_linux=1 -DGOARCH_amd64=1 \
-DHOSTGOOS_linux=1 -DGIT_REVISION=\"1e62d1982527c3b4e18df04d61f2560fa1f434cc\"
/usr/bin/ld: /tmp/ccZjc2ZB.o: in function `Connection::Connect(char const*, char const*)':
executor.cc:(.text._ZN10Connection7ConnectEPKcS1_[_ZN10Connection7ConnectEPKcS1_]+0x386): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
./tools/check-syzos.sh 2>/dev/null


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=17938152580000


Tested on:

commit: 8934827d Merge tag 'kmalloc_obj-treewide-v7.0-rc1' of ..
git tree: upstream
kernel config: https://syzkaller.appspot.com/x/.config?x=5ca447d428dc7079
dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=114b7c02580000