Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)

From: Hillf Danton

Date: Sun Feb 22 2026 - 07:15:42 EST


> Date: Mon, 16 Feb 2026 01:34:34 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

#syz test

--- x/drivers/media/dvb-core/dvb_frontend.c
+++ y/drivers/media/dvb-core/dvb_frontend.c
@@ -3072,12 +3072,15 @@ EXPORT_SYMBOL(dvb_register_frontend);
int dvb_unregister_frontend(struct dvb_frontend *fe)
{
struct dvb_frontend_private *fepriv = fe->frontend_priv;
+ struct dvb_device *dvbdev;

dev_dbg(fe->dvb->device, "%s:\n", __func__);

mutex_lock(&frontend_mutex);
dvb_frontend_stop(fe);
- dvb_remove_device(fepriv->dvbdev);
+ dvbdev = fepriv->dvbdev;
+ fepriv->dvbdev = NULL;
+ dvb_unregister_device(dvbdev);

/* fe is invalid now */
mutex_unlock(&frontend_mutex);
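
Review bot: the new `fepriv->dvbdev = NULL;` in dvb_unregister_frontend() leaves every later reader of fepriv->dvbdev looking at NULL, and this hunk adds no NULL check on any such reader. The report names dvb_frontend_release as the faulting function, so if that path or the final free path still dereferences or puts fepriv->dvbdev, it needs to tolerate NULL, and it needs to take frontend_mutex (or otherwise order itself against this store) for the NULL to be seen reliably. Separately, replacing `dvb_remove_device(fepriv->dvbdev);` with `dvb_unregister_device(dvbdev);` changes which call tears the device down, which is a lifetime change rather than a rename; please say in the changelog which reference is now dropped here and which path no longer drops it, so a double put or a leak can be ruled out from the description. The existing comment "fe is invalid now" sits right after the changed lines and should be rechecked against the new behaviour.
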
--