------------[ cut here ]------------
sysfs group 'power' not found for kobject 'xc3028-v27.fw'
WARNING: CPU: 0 PID: 5078 at fs/sysfs/group.c:280 sysfs_remove_group+0x174/0x288 fs/sysfs/group.c:278
Modules linked in:
CPU: 0 PID: 5078 Comm: kworker/0:14 Not tainted 6.1.111-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: events request_firmware_work_func
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : sysfs_remove_group+0x174/0x288 fs/sysfs/group.c:278
lr : sysfs_remove_group+0x174/0x288 fs/sysfs/group.c:278
sp : ffff8000243176a0
x29: ffff8000243176a0 x28: 1fffe0001a32b37d x27: dfff800000000000
x26: ffff800024317760 x25: 1fffe00018686a0a x24: 1ffff00002659dcc
x23: dfff800000000000 x22: ffff0000c3435068 x21: ffff0000c3435008
x20: ffff0000c411bbc8 x19: ffff8000132cee40 x18: ffff800024316aa0
x17: 0000000000000000 x16: ffff800012297edc x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000ff0100 x10: 0000000000000000 x9 : 9d1731c535a03c00
x8 : 9d1731c535a03c00 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff800024316f98 x4 : ffff800015ab2d80 x3 : ffff80000858e5e8
x2 : 0000000000000001 x1 : 0000000100000000 x0 : 0000000000000000
Call trace:
 sysfs_remove_group+0x174/0x288 fs/sysfs/group.c:278
 dpm_sysfs_remove+0xa4/0xd4 drivers/base/power/sysfs.c:837
 device_del+0x268/0x9bc drivers/base/core.c:3857
 fw_load_sysfs_fallback drivers/base/firmware_loader/fallback.c:120 [inline]
 fw_load_from_user_helper drivers/base/firmware_loader/fallback.c:158 [inline]
 firmware_fallback_sysfs+0x5c4/0x8b8 drivers/base/firmware_loader/fallback.c:234
 _request_firmware+0xccc/0xf4c drivers/base/firmware_loader/main.c:856
 request_firmware_work_func+0xfc/0x214 drivers/base/firmware_loader/main.c:1105
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
irq event stamp: 21556
hardirqs last enabled at (21555): [] __up_console_sem+0xb4/0x100 kernel/printk/printk.c:261
hardirqs last disabled at (21556): [] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:405
softirqs last enabled at (21442): [] softirq_handle_end kernel/softirq.c:414 [inline]
softirqs last enabled at (21442): [] handle_softirqs+0xb84/0xd58 kernel/softirq.c:599
softirqs last disabled at (21347): [] __do_softirq+0x14/0x20 kernel/softirq.c:605
---[ end trace 0000000000000000 ]---
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0xbc/0x1638 drivers/media/tuners/xc2028.c:1372
Read of size 8 at addr ffff0000c3437318 by task kworker/0:14/5078

CPU: 0 PID: 5078 Comm: kworker/0:14 Tainted: G W 6.1.111-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: events request_firmware_work_func
Call trace:
 dump_backtrace+0x1c8/0x1f4 arch/arm64/kernel/stacktrace.c:158
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:165
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
 print_address_description mm/kasan/report.c:284 [inline]
 print_report+0x174/0x4c0 mm/kasan/report.c:395
 kasan_report+0xd4/0x130 mm/kasan/report.c:495
 __asan_report_load8_noabort+0x2c/0x38 mm/kasan/report_generic.c:351
 load_firmware_cb+0xbc/0x1638 drivers/media/tuners/xc2028.c:1372
 request_firmware_work_func+0x150/0x214 drivers/base/firmware_loader/main.c:1107
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Allocated by task 4423:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_alloc_info+0x24/0x30 mm/kasan/generic.c:505
 ____kasan_kmalloc mm/kasan/common.c:374 [inline]
 __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:383
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:936 [inline]
 __kmalloc_node_track_caller+0xd0/0x1c0 mm/slab_common.c:956
 kmalloc_reserve net/core/skbuff.c:446 [inline]
 pskb_expand_head+0x188/0x10ac net/core/skbuff.c:1848
 netlink_trim+0x160/0x204 net/netlink/af_netlink.c:1308
 netlink_broadcast+0x70/0xff4 net/netlink/af_netlink.c:1502
 nlmsg_multicast include/net/netlink.h:1071 [inline]
 nlmsg_notify+0xf4/0x1d0 net/netlink/af_netlink.c:2550
 rtnl_notify net/core/rtnetlink.c:767 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:3958 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:3973 [inline]
 rtmsg_ifinfo+0xe8/0x128 net/core/rtnetlink.c:3979
 dev_close_many+0x244/0x468 net/core/dev.c:1569
 unregister_netdevice_many+0x3fc/0x175c net/core/dev.c:10856
 default_device_exit_batch+0x9f4/0xa70 net/core/dev.c:11395
 ops_exit_list net/core/net_namespace.c:177 [inline]
 cleanup_net+0x5dc/0x994 net/core/net_namespace.c:604
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

Freed by task 4423:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x80 mm/kasan/common.c:52
 kasan_save_free_info+0x38/0x5c mm/kasan/generic.c:516
 ____kasan_slab_free+0x144/0x1c0 mm/kasan/common.c:236
 __kasan_slab_free+0x18/0x28 mm/kasan/common.c:244
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1724 [inline]
 slab_free_freelist_hook mm/slub.c:1750 [inline]
 slab_free mm/slub.c:3661 [inline]
 __kmem_cache_free+0x2c0/0x4b4 mm/slub.c:3674
 kfree+0xcc/0x1b8 mm/slab_common.c:988
 skb_free_head net/core/skbuff.c:762 [inline]
 skb_release_data+0x488/0x6b0 net/core/skbuff.c:791
 skb_release_all net/core/skbuff.c:856 [inline]
 __kfree_skb net/core/skbuff.c:870 [inline]
 consume_skb+0xa0/0x178 net/core/skbuff.c:1035
 netlink_broadcast+0xe70/0xff4 net/netlink/af_netlink.c:1523
 nlmsg_multicast include/net/netlink.h:1071 [inline]
 nlmsg_notify+0xf4/0x1d0 net/netlink/af_netlink.c:2550
 rtnl_notify net/core/rtnetlink.c:767 [inline]
 rtmsg_ifinfo_send net/core/rtnetlink.c:3958 [inline]
 rtmsg_ifinfo_event net/core/rtnetlink.c:3973 [inline]
 rtmsg_ifinfo+0xe8/0x128 net/core/rtnetlink.c:3979
 dev_close_many+0x244/0x468 net/core/dev.c:1569
 unregister_netdevice_many+0x3fc/0x175c net/core/dev.c:10856
 default_device_exit_batch+0x9f4/0xa70 net/core/dev.c:11395
 ops_exit_list net/core/net_namespace.c:177 [inline]
 cleanup_net+0x5dc/0x994 net/core/net_namespace.c:604
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864

The buggy address belongs to the object at ffff0000c3437000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 792 bytes inside of
 2048-byte region [ffff0000c3437000, ffff0000c3437800)

The buggy address belongs to the physical page:
page:000000004d0f429f refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x103430
head:000000004d0f429f order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 dead000000000100 dead000000000122 ffff0000c0002900
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000c3437200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000c3437280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff0000c3437300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                            ^
 ffff0000c3437380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff0000c3437400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Unable to handle kernel paging request at virtual address 0000c05180000005
Mem abort info:
  ESR = 0x0000000096000004
  EC = 0x25: DABT (current EL), IL = 32 bits
  SET = 0, FnV = 0
  EA = 0, S1PTW = 0
  FSC = 0x04: level 0 translation fault
Data abort info:
  ISV = 0, ISS = 0x00000004
  CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp=000000012953e000
[0000c05180000005] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 5078 Comm: kworker/0:14 Tainted: G B W 6.1.111-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: events request_firmware_work_func
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : load_firmware_cb+0x1a8/0x1638 drivers/media/tuners/xc2028.c:1376
lr : load_firmware_cb+0xdc/0x1638 drivers/media/tuners/xc2028.c:1374
sp : ffff8000243178c0
x29: ffff800024317a20 x28: 000a028c00000001 x27: ffff700004862f30
x26: 0000000000000000 x25: 1ffff00004862f54 x24: 1fffe00018686e63
x23: ffff800024317980 x22: dfff800000000000 x21: ffff0000f14be360
x20: dfff800000000000 x19: ffff0000c3437318 x18: 1fffe0003679f176
x17: 0000000000000000 x16: ffff8000121e5fc0 x15: 0000000000000000
x14: 00000000ffffffff x13: 0000000000000001 x12: 0000000000000001
x11: 0000000000ff0100 x10: 0000000000000000 x9 : ffff80000e5f0388
x8 : 0001405180000005 x7 : 0000000000000001 x6 : 0000000000000001
x5 : ffff8000243170d8 x4 : ffff800015ab2d80 x3 : ffff8000081ae3ec
x2 : 0000000000000001 x1 : 0000000000000000 x0 : 000a028c00000029
Call trace:
 load_firmware_cb+0x1a8/0x1638 drivers/media/tuners/xc2028.c:1376
 request_firmware_work_func+0x150/0x214 drivers/base/firmware_loader/main.c:1107
 process_one_work+0x7ac/0x1404 kernel/workqueue.c:2292
 worker_thread+0x8e4/0xfec kernel/workqueue.c:2439
 kthread+0x250/0x2d8 kernel/kthread.c:376
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:864
Code: 9100a380 d2d00016 d343fc08 f2fbfff6 (38746908)
---[ end trace 0000000000000000 ]---
----------------
Code disassembly (best guess):
   0: 9100a380 add x0, x28, #0x28
   4: d2d00016 mov x22, #0x800000000000 // #140737488355328
   8: d343fc08 lsr x8, x0, #3
   c: f2fbfff6 movk x22, #0xdfff, lsl #48
* 10: 38746908 ldrb w8, [x8, x20] <-- trapping instruction