em28xx 5-1:0.254: Registering V4L2 extension
i2c i2c-2: Invalid 7-bit I2C address 0x00
tuner: 2-0061: Tuner -1 found with type(s) Radio TV.
xc2028 2-0061: creating new instance
xc2028 2-0061: type set to XCeive xc2028/xc3028 tuner
em28xx 5-1:0.254: Config register raw data: 0xffffffed
em28xx 5-1:0.254: AC97 chip type couldn't be determined
em28xx 5-1:0.254: No AC97 audio processor
em28xx 5-1:0.254: Registered radio device as radio32
usb 5-1: Decoder not found
em28xx 5-1:0.254: failed to create media graph
em28xx 5-1:0.254: V4L2 device radio32 deregistered
em28xx 5-1:0.254: V4L2 device video71 deregistered
xc2028 2-0061: destroying instance
em28xx 5-1:0.254: Registering input extension
usb 5-1:0.254: Direct firmware load for xc3028-v27.fw failed with error -2
usb 5-1:0.254: Falling back to sysfs fallback for: xc3028-v27.fw
kobject_add_internal failed for firmware (error: -2 parent: 5-1:0.254)
firmware xc3028-v27.fw: fw_load_sysfs_fallback: device_register failed
==================================================================
BUG: KASAN: use-after-free in load_firmware_cb+0x269/0x290 drivers/media/tuners/tuner-xc2028.c:1364
Read of size 8 at addr ffff8880247b7318 by task kworker/0:3/3680
CPU: 0 PID: 3680 Comm: kworker/0:3 Not tainted 5.17.0-rc7-syzkaller-00235-gaad611a868d1 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue: events request_firmware_work_func
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
load_firmware_cb+0x269/0x290 drivers/media/tuners/tuner-xc2028.c:1364
request_firmware_work_func+0x12c/0x230 drivers/base/firmware_loader/main.c:1022
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
Allocated by task 3680:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
kasan_kmalloc include/linux/kasan.h:270 [inline]
kmem_cache_alloc_trace+0x1ea/0x4a0 mm/slab.c:3567
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:714 [inline]
tuner_probe+0xa4/0x1180 drivers/media/v4l2-core/tuner-core.c:638
i2c_device_probe+0xa0c/0xb90 drivers/i2c/i2c-core-base.c:563
call_driver_probe drivers/base/dd.c:517 [inline]
really_probe+0x245/0xcc0 drivers/base/dd.c:596
__driver_probe_device+0x338/0x4d0 drivers/base/dd.c:755
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:785
__device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:902
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x228/0x4a0 drivers/base/dd.c:973
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
device_add+0xb83/0x1e20 drivers/base/core.c:3405
i2c_new_client_device+0x67b/0xb60 drivers/i2c/i2c-core-base.c:969
v4l2_i2c_new_subdev_board+0xaf/0x2c0 drivers/media/v4l2-core/v4l2-i2c.c:80
v4l2_i2c_new_subdev+0x102/0x170 drivers/media/v4l2-core/v4l2-i2c.c:135
em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2627 [inline]
em28xx_v4l2_init.cold+0x9cb/0x32a7 drivers/media/usb/em28xx/em28xx-video.c:2520
em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1126
request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3415
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Freed by task 3680:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:236 [inline]
__cache_free mm/slab.c:3437 [inline]
kfree+0xf8/0x2b0 mm/slab.c:3794
tuner_remove+0x198/0x200 drivers/media/v4l2-core/tuner-core.c:791
i2c_device_remove+0x7b/0x240 drivers/i2c/i2c-core-base.c:606
__device_release_driver+0x3bd/0x760 drivers/base/dd.c:1207
device_release_driver_internal drivers/base/dd.c:1242 [inline]
device_release_driver+0x26/0x40 drivers/base/dd.c:1265
bus_remove_device+0x2eb/0x5a0 drivers/base/bus.c:529
device_del+0x4f3/0xc80 drivers/base/core.c:3592
device_unregister+0x1f/0xc0 drivers/base/core.c:3624
i2c_unregister_device+0x38/0x40 include/linux/err.h:41
v4l2_i2c_subdev_unregister+0xa2/0xc0 drivers/media/v4l2-core/v4l2-i2c.c:28
v4l2_device_unregister drivers/media/v4l2-core/v4l2-device.c:102 [inline]
v4l2_device_unregister+0x20d/0x2e0 drivers/media/v4l2-core/v4l2-device.c:88
em28xx_v4l2_init drivers/media/usb/em28xx/em28xx-video.c:2908 [inline]
em28xx_v4l2_init.cold+0xd26/0x32a7 drivers/media/usb/em28xx/em28xx-video.c:2520
em28xx_init_extension+0x12f/0x1f0 drivers/media/usb/em28xx/em28xx-core.c:1126
request_module_async+0x5d/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3415
process_one_work+0x9ac/0x1650 kernel/workqueue.c:2307
worker_thread+0x657/0x1110 kernel/workqueue.c:2454
kthread+0x2e9/0x3a0 kernel/kthread.c:377
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
The buggy address belongs to the object at ffff8880247b7000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 792 bytes inside of
2048-byte region [ffff8880247b7000, ffff8880247b7800)
The buggy address belongs to the page:
page:ffffea000091edc0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x247b7
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea000098d148 ffffea000060fa88 ffff888010c40800
raw: 0000000000000000 ffff8880247b7000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x2420c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_COMP|__GFP_THISNODE), pid 3680, ts 59156936101, free_ts 59136567746
prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389
__alloc_pages_node include/linux/gfp.h:572 [inline]
kmem_getpages mm/slab.c:1378 [inline]
cache_grow_begin+0x75/0x390 mm/slab.c:2584
cache_alloc_refill+0x27f/0x380 mm/slab.c:2957
____cache_alloc mm/slab.c:3040 [inline]
____cache_alloc mm/slab.c:3023 [inline]
__do_cache_alloc mm/slab.c:3267 [inline]
slab_alloc mm/slab.c:3308 [inline]
kmem_cache_alloc_trace+0x380/0x4a0 mm/slab.c:3565
kmalloc include/linux/slab.h:581 [inline]
kzalloc include/linux/slab.h:714 [inline]
tuner_probe+0xa4/0x1180 drivers/media/v4l2-core/tuner-core.c:638
i2c_device_probe+0xa0c/0xb90 drivers/i2c/i2c-core-base.c:563
call_driver_probe drivers/base/dd.c:517 [inline]
really_probe+0x245/0xcc0 drivers/base/dd.c:596
__driver_probe_device+0x338/0x4d0 drivers/base/dd.c:755
driver_probe_device+0x4c/0x1a0 drivers/base/dd.c:785
__device_attach_driver+0x20b/0x2f0 drivers/base/dd.c:902
bus_for_each_drv+0x15f/0x1e0 drivers/base/bus.c:427
__device_attach+0x228/0x4a0 drivers/base/dd.c:973
bus_probe_device+0x1e4/0x290 drivers/base/bus.c:487
device_add+0xb83/0x1e20 drivers/base/core.c:3405
i2c_new_client_device+0x67b/0xb60 drivers/i2c/i2c-core-base.c:969
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1352 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404
free_unref_page_prepare mm/page_alloc.c:3325 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3404
slab_destroy mm/slab.c:1630 [inline]
slabs_destroy+0x89/0xc0 mm/slab.c:1650
cache_flusharray mm/slab.c:3410 [inline]
___cache_free+0x303/0x600 mm/slab.c:3472
qlink_free mm/kasan/quarantine.c:157 [inline]
qlist_free_all+0x50/0x1a0 mm/kasan/quarantine.c:176
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283
__kasan_slab_alloc+0x97/0xb0 mm/kasan/common.c:446
kasan_slab_alloc include/linux/kasan.h:260 [inline]
slab_post_alloc_hook mm/slab.h:732 [inline]
slab_alloc mm/slab.c:3315 [inline]
kmem_cache_alloc+0x265/0x560 mm/slab.c:3499
getname_flags.part.0+0x50/0x4f0 fs/namei.c:138
getname_flags+0x9a/0xe0 include/linux/audit.h:323
user_path_at_empty+0x2b/0x60 fs/namei.c:2850
user_path_at include/linux/namei.h:57 [inline]
vfs_statx+0x142/0x390 fs/stat.c:221
vfs_fstatat fs/stat.c:243 [inline]
__do_sys_newfstatat+0x96/0x120 fs/stat.c:412
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
Memory state around the buggy address:
ffff8880247b7200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880247b7280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880247b7300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880247b7380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880247b7400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================