From: syzbot <syzbot+9a3c54f52bd1edbd975f@syzkaller.appspotmail.com>
To: halves@igalia.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups (2)
Date: Thu, 12 Mar 2026 04:52:02 -0700 [thread overview]
Message-ID: <69b2a8e2.a00a0220.94e15.0023.GAE@google.com> (raw)
In-Reply-To: <DH0RNNST0EFG.2Z52WZH6PSBB0@igalia.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups
==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
BUG: KASAN: slab-use-after-free in atomic_inc include/linux/atomic/atomic-instrumented.h:435 [inline]
BUG: KASAN: slab-use-after-free in usb_anchor_suspend_wakeups+0x28/0x50 drivers/usb/core/urb.c:909
Write of size 4 at addr ffff8880368169d0 by task ktimers/1/29
CPU: 1 UID: 0 PID: 29 Comm: ktimers/1 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/27/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xba/0x230 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:-1 [inline]
kasan_check_range+0x264/0x2c0 mm/kasan/generic.c:200
instrument_atomic_read_write include/linux/instrumented.h:112 [inline]
atomic_inc include/linux/atomic/atomic-instrumented.h:435 [inline]
usb_anchor_suspend_wakeups+0x28/0x50 drivers/usb/core/urb.c:909
__usb_hcd_giveback_urb+0x264/0x5e0 drivers/usb/core/hcd.c:1644
dummy_timer+0x8a6/0x4710 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1785 [inline]
__hrtimer_run_queues+0x55f/0xda0 kernel/time/hrtimer.c:1849
hrtimer_run_softirq+0x192/0x5d0 kernel/time/hrtimer.c:1866
handle_softirqs+0x1de/0x6f0 kernel/softirq.c:622
__do_softirq kernel/softirq.c:656 [inline]
run_ktimerd+0x69/0x100 kernel/softirq.c:1138
smpboot_thread_fn+0x541/0xa50 kernel/smpboot.c:160
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6693:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3a6/0x690 mm/slub.c:5383
kmalloc_noprof include/linux/slab.h:950 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
usbtmc_open+0x9c/0x910 drivers/usb/class/usbtmc.c:175
usb_open+0x159/0x1e0 drivers/usb/core/file.c:47
chrdev_open+0x4d0/0x5f0 fs/char_dev.c:411
do_dentry_open+0x83d/0x13e0 fs/open.c:949
vfs_open+0x3b/0x350 fs/open.c:1081
do_open fs/namei.c:4671 [inline]
path_openat+0x2e43/0x38a0 fs/namei.c:4830
do_file_open+0x23e/0x4a0 fs/namei.c:4859
do_sys_openat2+0x113/0x200 fs/open.c:1366
do_sys_open fs/open.c:1372 [inline]
__do_sys_openat fs/open.c:1388 [inline]
__se_sys_openat fs/open.c:1383 [inline]
__x64_sys_openat+0x138/0x170 fs/open.c:1383
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Freed by task 6693:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2692 [inline]
slab_free mm/slub.c:6168 [inline]
kfree+0x1c1/0x6c0 mm/slub.c:6486
usbtmc_release+0x249/0x280 drivers/usb/class/usbtmc.c:261
__fput+0x461/0xa90 fs/file_table.c:469
task_work_run+0x1d9/0x270 kernel/task_work.c:233
resume_user_mode_work include/linux/resume_user_mode.h:50 [inline]
__exit_to_user_mode_loop kernel/entry/common.c:67 [inline]
exit_to_user_mode_loop+0xed/0x480 kernel/entry/common.c:98
__exit_to_user_mode_prepare include/linux/irq-entry-common.h:226 [inline]
syscall_exit_to_user_mode_prepare include/linux/irq-entry-common.h:256 [inline]
syscall_exit_to_user_mode include/linux/entry-common.h:325 [inline]
do_syscall_64+0x32d/0xf80 arch/x86/entry/syscall_64.c:100
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff888036816800
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 464 bytes inside of
freed 1024-byte region [ffff888036816800, ffff888036816c00)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888036813000 pfn:0x36810
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0x80000000000240(workingset|head|node=0|zone=1)
page_type: f5(slab)
raw: 0080000000000240 ffff88813fe1cdc0 ffffea0000e04010 ffffea0000a7b210
raw: ffff888036813000 000000080010000d 00000000f5000000 0000000000000000
head: 0080000000000240 ffff88813fe1cdc0 ffffea0000e04010 ffffea0000a7b210
head: ffff888036813000 000000080010000d 00000000f5000000 0000000000000000
head: 0080000000000003 ffffea0000da0401 00000000ffffffff 00000000ffffffff
head: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 29, tgid 29 (ktimers/1), ts 86459514796, free_ts 86289503176
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1889
prep_new_page mm/page_alloc.c:1897 [inline]
get_page_from_freelist+0x28bb/0x2950 mm/page_alloc.c:3962
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5250
alloc_slab_page mm/slub.c:3296 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3485
new_slab mm/slub.c:3543 [inline]
refill_objects+0x334/0x3c0 mm/slub.c:7178
__pcs_replace_empty_main+0x371/0x5c0 mm/slub.c:-1
alloc_from_pcs mm/slub.c:4720 [inline]
slab_alloc_node mm/slub.c:4854 [inline]
__do_kmalloc_node mm/slub.c:5262 [inline]
__kmalloc_noprof+0x530/0x7b0 mm/slub.c:5275
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
ieee802_11_parse_elems_full+0x159/0x2ab0 net/mac80211/parse.c:1051
ieee802_11_parse_elems net/mac80211/ieee80211_i.h:2480 [inline]
ieee80211_inform_bss+0x161/0x1160 net/mac80211/scan.c:79
rdev_inform_bss net/wireless/rdev-ops.h:418 [inline]
cfg80211_inform_single_bss_data+0xd2f/0x1bd0 net/wireless/scan.c:2372
cfg80211_inform_bss_data+0x266/0x3c40 net/wireless/scan.c:3226
cfg80211_inform_bss_frame_data+0x3c7/0x760 net/wireless/scan.c:3317
ieee80211_bss_info_update+0x794/0xa40 net/mac80211/scan.c:230
ieee80211_scan_rx+0x552/0xa40 net/mac80211/scan.c:364
__ieee80211_rx_handle_packet net/mac80211/rx.c:5305 [inline]
ieee80211_rx_list+0x29fe/0x3740 net/mac80211/rx.c:5588
ieee80211_rx_napi+0x1b1/0x3e0 net/mac80211/rx.c:5611
page last free pid 5878 tgid 5878 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1433 [inline]
__free_frozen_pages+0xfe3/0x1170 mm/page_alloc.c:2978
__slab_free+0x24f/0x2a0 mm/slub.c:5576
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x97/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4542 [inline]
slab_alloc_node mm/slub.c:4869 [inline]
kmem_cache_alloc_noprof+0x33b/0x680 mm/slub.c:4876
alloc_filename fs/namei.c:142 [inline]
do_getname+0x2e/0x250 fs/namei.c:182
getname include/linux/fs.h:2512 [inline]
class_filename_constructor include/linux/fs.h:2539 [inline]
__do_sys_chroot fs/open.c:595 [inline]
__se_sys_chroot+0x8d/0x3f0 fs/open.c:590
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888036816880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888036816900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888036816980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888036816a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888036816a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 80234b5a Merge tag 'rproc-v7.0-fixes' of git://git.ker..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=129ccd52580000
kernel config: https://syzkaller.appspot.com/x/.config?x=5b33ceebbe3e9ed3
dashboard link: https://syzkaller.appspot.com/bug?extid=9a3c54f52bd1edbd975f
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Note: no patches were applied.
next parent reply other threads:[~2026-03-12 11:52 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <DH0RNNST0EFG.2Z52WZH6PSBB0@igalia.com>
2026-03-12 11:52 ` syzbot [this message]
[not found] <DH0SAUDQWB1S.3A4ZGVEXE6PGV@igalia.com>
2026-03-12 12:23 ` [syzbot] [usb?] KASAN: slab-use-after-free Write in usb_anchor_suspend_wakeups (2) syzbot
[not found] <48d56857-fd66-44fd-8bd1-f5af7771c1adn@googlegroups.com>
2026-03-11 21:23 ` syzbot
2024-04-01 16:50 syzbot
2024-04-01 23:01 ` Hillf Danton
2024-04-02 3:52 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69b2a8e2.a00a0220.94e15.0023.GAE@google.com \
--to=syzbot+9a3c54f52bd1edbd975f@syzkaller.appspotmail.com \
--cc=halves@igalia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.