[syzbot] [sound?] [usb?] WARNING: ODEBUG bug in snd_rawmidi_free

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, linux-sound@vger.kernel.org,
	 linux-usb@vger.kernel.org, perex@perex.cz,
	syzkaller-bugs@googlegroups.com,  tiwai@suse.com
Subject: [syzbot] [sound?] [usb?] WARNING: ODEBUG bug in snd_rawmidi_free
Date: Thu, 08 May 2025 01:52:39 -0700	[thread overview]
Message-ID: <681c70d7.050a0220.a19a9.00c6.GAE@google.com> (raw)

Hello,

syzbot found the following issue on:

HEAD commit:    2a239ffbebb5 Merge tag 'sound-6.15-rc5' of git://git.kerne..
git tree:       upstream
console+strace: https://syzkaller.appspot.com/x/log.txt?x=15045b68580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=a9a25b7a36123454
dashboard link: https://syzkaller.appspot.com/bug?extid=d8f72178ab6783a7daea
compiler:       Debian clang version 20.1.2 (++20250402124445+58df0ef89dd6-1~exp1~20250402004600.97), Debian LLD 20.1.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15cfd8d4580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=126c1a70580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/3398c42fd2ef/disk-2a239ffb.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a3e276dc6661/vmlinux-2a239ffb.xz
kernel image: https://storage.googleapis.com/syzbot-assets/f0c67a315802/bzImage-2a239ffb.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com

------------[ cut here ]------------
ODEBUG: free active (active state 0) object: ffff888027cf0040 object type: timer_list hint: snd_usbmidi_error_timer+0x0/0x660 sound/usb/midi.c:2343
WARNING: CPU: 0 PID: 10 at lib/debugobjects.c:615 debug_print_object+0x16b/0x1e0 lib/debugobjects.c:612
Modules linked in:

CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-rc4-syzkaller-00291-g2a239ffbebb5 #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/29/2025
Workqueue: usb_hub_wq hub_event

RIP: 0010:debug_print_object+0x16b/0x1e0 lib/debugobjects.c:612
Code: 4c 89 ff e8 47 42 63 fd 4d 8b 0f 48 c7 c7 c0 db c1 8b 48 8b 34 24 4c 89 ea 89 e9 4d 89 f0 41 54 e8 aa a9 c5 fc 48 83 c4 08 90 <0f> 0b 90 90 ff 05 57 95 c0 0a 48 83 c4 08 5b 41 5c 41 5d 41 5e 41
RSP: 0018:ffffc900000f6990 EFLAGS: 00010296

RAX: 847b0a2dc845ef00 RBX: dffffc0000000000 RCX: ffff88801b681e00
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000002
RBP: 0000000000000000 R08: ffffc900000f6667 R09: 1ffff9200001eccc
R10: dffffc0000000000 R11: fffff5200001eccd R12: ffffffff892410d0
R13: ffffffff8bc1dd40 R14: ffff888027cf0040 R15: ffffffff8b6cc2e0
FS:  0000000000000000(0000) GS:ffff8881260cb000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff286001b8 CR3: 00000000316c4000 CR4: 00000000003526f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __debug_check_no_obj_freed lib/debugobjects.c:1099 [inline]
 debug_check_no_obj_freed+0x3a2/0x470 lib/debugobjects.c:1129
 slab_free_hook mm/slub.c:2311 [inline]
 slab_free mm/slub.c:4642 [inline]
 kfree+0x117/0x440 mm/slub.c:4841
 snd_rawmidi_free+0x3bc/0x410 sound/core/rawmidi.c:1934
 snd_rawmidi_dev_free+0x38/0x50 sound/core/rawmidi.c:1945
 __snd_device_free+0x1d2/0x2e0 sound/core/device.c:76
 snd_device_free_all+0xcf/0x180 sound/core/device.c:233
 snd_card_do_free sound/core/init.c:587 [inline]
 release_card_device+0x75/0x1b0 sound/core/init.c:153
 device_release+0x99/0x1c0 drivers/base/core.c:-1
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x228/0x480 lib/kobject.c:737
 snd_card_free_when_closed sound/core/init.c:618 [inline]
 snd_card_free+0x110/0x190 sound/core/init.c:650
 usb_audio_probe+0x18ea/0x1dc0 sound/usb/card.c:940
 usb_probe_interface+0x641/0xbc0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x26a/0x9a0 drivers/base/dd.c:657
 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:799
 driver_probe_device+0x4f/0x430 drivers/base/dd.c:829
 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:957
 bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
 __device_attach+0x2b8/0x400 drivers/base/dd.c:1029
 bus_probe_device+0x185/0x260 drivers/base/bus.c:537
 device_add+0x7b6/0xb50 drivers/base/core.c:3692
 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c1/0x390 drivers/usb/core/driver.c:291


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

next             reply	other threads:[~2025-05-08  8:52 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-08  8:52 syzbot [this message]
     [not found] <20250508214743.1795-1-hdanton@sina.com>
2025-05-09  7:10 ` [syzbot] [sound?] [usb?] WARNING: ODEBUG bug in snd_rawmidi_free syzbot
     [not found] <20250509103741.1822-1-hdanton@sina.com>
2025-05-09 12:04 ` syzbot
     [not found] <20250509124246.1843-1-hdanton@sina.com>
2025-05-09 13:22 ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=681c70d7.050a0220.a19a9.00c6.GAE@google.com \
    --to=syzbot+d8f72178ab6783a7daea@syzkaller.appspotmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-sound@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=perex@perex.cz \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tiwai@suse.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.