Re: [syzbot] [media?] KASAN: slab-use-after-free Read in dvb_frontend_release (3)

From: Hillf Danton

Date: Sun Feb 22 2026 - 23:07:17 EST


> Date: Mon, 16 Feb 2026 01:34:34 -0800
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: c22e26bd0906 Merge tag 'landlock-7.0-rc1' of git://git.ker..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16bcf6e6580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=6428d17febdfb14e
> dashboard link: https://syzkaller.appspot.com/bug?extid=ae466a728017ec940b41
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15ce3652580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1121515a580000

#syz test

--- x/drivers/media/dvb-core/dvb_frontend.c
+++ y/drivers/media/dvb-core/dvb_frontend.c
@@ -2836,6 +2836,7 @@ static int dvb_frontend_open(struct inod

if ((ret = dvb_generic_open(inode, file)) < 0)
goto err1;
+ dvb_device_get(dvbdev);

if ((file->f_flags & O_ACCMODE) != O_RDONLY) {
/* normal tune mode when opened R/W */
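Review bot: the reference taken by dvb_device_get(dvbdev) right after dvb_generic_open() succeeds has no matching release anywhere in this patch. Neither hunk adds a dvb_device_put(), so please either name the existing put that balances it, both in the release path and on the error paths of dvb_frontend_open() that follow this point, or add one. If no put balances it, each open would leave a reference behind. A one-line comment at the call saying what the extra reference protects against would also help.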
@@ -3077,7 +3078,8 @@ int dvb_unregister_frontend(struct dvb_f

mutex_lock(&frontend_mutex);
dvb_frontend_stop(fe);
- dvb_remove_device(fepriv->dvbdev);
+ dvb_unregister_device(fepriv->dvbdev);
+ fepriv->dvbdev = NULL;

/* fe is invalid now */
mutex_unlock(&frontend_mutex);
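Review bot: after `fepriv->dvbdev = NULL;` any code that still dereferences fepriv->dvbdev following unregister will hit a NULL pointer rather than a stale one, and this patch updates no such reader. Please check the remaining users of fepriv->dvbdev for a NULL test made under frontend_mutex, which is the lock held around the store here. The switch from dvb_remove_device() to dvb_unregister_device() is also unexplained; a sentence in the changelog on why it is needed at this point and how it pairs with the dvb_device_get() added in dvb_frontend_open() would make the refcounting reviewable.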
--