From: syzbot <syzbot+b466336413a1fba398a5@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, penguin-kernel@i-love.sakura.ne.jp,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] [media?] WARNING in usb_free_urb
Date: Fri, 17 Apr 2026 06:00:02 -0700
Message-ID: <69e22ed2.050a0220.1de265.0021.GAE@google.com>
In-Reply-To: <d104e4e6-24ff-4e02-b16b-4b5fc9a91221@I-love.SAKURA.ne.jp>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: invalid-free in usb_free_urb
smsmdtv:smscore_sendrequest_and_wait: sendrequest returned error -22
smsmdtv:smscore_set_device_mode: mode detect failed -22
smsmdtv:smscore_start_device: set device mode failed , rc -22
smsusb:smsusb_init_device: smscore_start_device(...) failed
==================================================================
BUG: KASAN: double-free in urb_destroy drivers/usb/core/urb.c:25 [inline]
BUG: KASAN: double-free in kref_put include/linux/kref.h:65 [inline]
BUG: KASAN: double-free in usb_free_urb+0xd0/0x120 drivers/usb/core/urb.c:96
Free of addr ffff888031560000 by task kworker/0:3/5873
CPU: 0 UID: 0 PID: 5873 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: usb_hub_wq hub_event
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report_invalid_free+0xea/0x110 mm/kasan/report.c:557
check_slab_allocation mm/kasan/common.c:-1 [inline]
__kasan_slab_pre_free+0x104/0x120 mm/kasan/common.c:261
kasan_slab_pre_free include/linux/kasan.h:199 [inline]
slab_free_hook mm/slub.c:2634 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x173/0x640 mm/slub.c:6561
urb_destroy drivers/usb/core/urb.c:25 [inline]
kref_put include/linux/kref.h:65 [inline]
usb_free_urb+0xd0/0x120 drivers/usb/core/urb.c:96
smsusb_term_device+0x1d7/0x3e0 drivers/media/usb/siano/smsusb.c:352
smsusb_init_device drivers/media/usb/siano/smsusb.c:497 [inline]
smsusb_probe+0x1aba/0x2280 drivers/media/usb/siano/smsusb.c:575
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1081
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7b6/0xb70 drivers/base/core.c:3691
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2266
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1081
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7b6/0xb70 drivers/base/core.c:3691
usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5873:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__do_kmalloc_node mm/slub.c:5295 [inline]
__kmalloc_noprof+0x35c/0x760 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
smscore_create_usb_buffer drivers/media/common/siano/smscoreapi.c:622 [inline]
smscore_register_device+0x721/0x12b0 drivers/media/common/siano/smscoreapi.c:724
smsusb_init_device drivers/media/usb/siano/smsusb.c:458 [inline]
smsusb_probe+0x13f7/0x2280 drivers/media/usb/siano/smsusb.c:575
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1081
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7b6/0xb70 drivers/base/core.c:3691
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2266
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1081
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7b6/0xb70 drivers/base/core.c:3691
usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 5873:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
poison_slab_object mm/kasan/common.c:253 [inline]
__kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:2689 [inline]
slab_free mm/slub.c:6246 [inline]
kfree+0x1c5/0x640 mm/slub.c:6561
smscore_unregister_device+0x33e/0x7e0 drivers/media/common/siano/smscoreapi.c:1228
smsusb_term_device+0x1a7/0x3e0 drivers/media/usb/siano/smsusb.c:349
smsusb_init_device drivers/media/usb/siano/smsusb.c:497 [inline]
smsusb_probe+0x1aba/0x2280 drivers/media/usb/siano/smsusb.c:575
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1081
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7b6/0xb70 drivers/base/core.c:3691
usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2266
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1081
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
device_add+0x7b6/0xb70 drivers/base/core.c:3691
usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
process_one_work kernel/workqueue.c:3302 [inline]
process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888031560000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 0 bytes inside of
8192-byte region [ffff888031560000, ffff888031562000)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031564000 pfn:0x31560
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff88813fe30280 ffffea0001e6ac10 ffff88813fe2aac8
raw: ffff888031564000 0000000800020001 00000000f5000000 0000000000000000
head: 00fff00000000240 ffff88813fe30280 ffffea0001e6ac10 ffff88813fe2aac8
head: ffff888031564000 0000000800020001 00000000f5000000 0000000000000000
head: 00fff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5873, tgid 5873 (kworker/0:3), ts 124014915400, free_ts 123135935773
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x231/0x280 mm/page_alloc.c:1860
prep_new_page mm/page_alloc.c:1868 [inline]
get_page_from_freelist+0x24ba/0x2540 mm/page_alloc.c:3948
__alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5228
alloc_slab_page mm/slub.c:3278 [inline]
allocate_slab+0x77/0x660 mm/slub.c:3467
new_slab mm/slub.c:3525 [inline]
refill_objects+0x339/0x3d0 mm/slub.c:7251
refill_sheaf mm/slub.c:2816 [inline]
__pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
alloc_from_pcs mm/slub.c:4749 [inline]
slab_alloc_node mm/slub.c:4883 [inline]
__do_kmalloc_node mm/slub.c:5294 [inline]
__kmalloc_noprof+0x474/0x760 mm/slub.c:5307
kmalloc_noprof include/linux/slab.h:954 [inline]
kzalloc_noprof include/linux/slab.h:1188 [inline]
smscore_create_usb_buffer drivers/media/common/siano/smscoreapi.c:622 [inline]
smscore_register_device+0x721/0x12b0 drivers/media/common/siano/smscoreapi.c:724
smsusb_init_device drivers/media/usb/siano/smsusb.c:458 [inline]
smsusb_probe+0x13f7/0x2280 drivers/media/usb/siano/smsusb.c:575
usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x267/0xaf0 drivers/base/dd.c:709
__driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
__device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c5/0x450 drivers/base/dd.c:1081
page last free pid 6478 tgid 6478 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
__free_pages_prepare mm/page_alloc.c:1404 [inline]
__free_frozen_pages+0xbc7/0xd30 mm/page_alloc.c:2945
__slab_free+0x274/0x2c0 mm/slub.c:5608
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
kasan_slab_alloc include/linux/kasan.h:253 [inline]
slab_post_alloc_hook mm/slub.c:4569 [inline]
slab_alloc_node mm/slub.c:4898 [inline]
kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4905
vm_area_alloc+0x24/0x140 mm/vma_init.c:32
__mmap_new_vma mm/vma.c:2547 [inline]
__mmap_region mm/vma.c:2771 [inline]
mmap_region+0x11cd/0x2280 mm/vma.c:2856
do_mmap+0xc39/0x10c0 mm/mmap.c:560
vm_mmap_pgoff+0x2c9/0x4f0 mm/util.c:581
ksys_mmap_pgoff+0x51e/0x760 mm/mmap.c:606
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88803155ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88803155ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888031560000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888031560080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888031560100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Tested on:
commit: 43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17169a6a580000
kernel config: https://syzkaller.appspot.com/x/.config?x=8195c5b22e79c2cf
dashboard link: https://syzkaller.appspot.com/bug?extid=b466336413a1fba398a5
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f641ba580000
Thread overview: 5+ messages
2024-06-02 1:44 [syzbot] [media?] [usb?] WARNING in usb_free_urb syzbot
2024-06-02 3:20 ` Hillf Danton
2024-06-02 3:45 ` syzbot
2026-04-17 12:05 ` Tetsuo Handa
2026-04-17 13:00 ` syzbot [this message]