From: "Vlastimil Babka (SUSE)" <vbabka@kernel.org>
To: sanan.hasanou@gmail.com, vbabka@suse.cz,
akpm@linux-foundation.org, cl@gentwo.org, rientjes@google.com,
roman.gushchin@linux.dev, harry.yoo@oracle.com,
linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com, contact@pgazz.com,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-usb@vger.kernel.org,
Mauro Carvalho Chehab <mchehab@kernel.org>,
linux-media@vger.kernel.org
Subject: Re: WARNING in usb_free_urb
Date: Mon, 29 Jun 2026 08:27:48 +0200
Message-ID: <85cf5045-b52b-4aaa-a038-ca1b856b55f9@kernel.org>
In-Reply-To: <6a3eeead.7fb353d3.354599.b0b0@mx.google.com>
On 6/26/26 23:27, sanan.hasanou@gmail.com wrote:
> Good day, dear maintainers,
>
> We found a bug using a modified version of syzkaller.
Subject says "usb_free_urb" but you only CC'd slab maintainers, where slab
is most likely a victim here of e.g. double kfree() or a kfree() of an
otherwise broken pointer.
Ccing USB and EM28XX maintainers. But they can feel free to ignore this per
the next point.
> Kernel Branch: 7.0-rc1
Why use such a version for fuzzing? rc1 will have many bugs that are already
fixed in 7.0 final. And it's not even latest, 7.1 was released 2 weeks ago too.
> Kernel Config: <https://drive.google.com/open?id=1zJHAs5GUroGFBkxAlzfDaWAd_NVPZTfJ>
> Unfortunately, we don't have any reproducer for this bug yet.
> Thank you!
>
> Best regards,
> Sanan Hasanov
>
> 179683 pages reserved
> 0 pages cma reserved
> Memory cgroup min protection 0kB -- low protection 0kB
> ------------[ cut here ]------------
> !PageLargeKmalloc(page)
> WARNING: mm/slub.c:6352 at free_large_kmalloc+0xb3/0x160 mm/slub.c:6352, CPU#1: kworker/1:4/12317
A kfree() was attempted on a pointer that's neither from a slab page nor a
large kmalloc page. Might be double free or corrupted.
> Modules linked in:
> CPU: 1 UID: 0 PID: 12317 Comm: kworker/1:4 Tainted: G L 7.0.0-rc1 #1 PREEMPT(full)
> Tainted: [L]=SOFTLOCKUP
> Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> Workqueue: events request_module_async
> RIP: 0010:free_large_kmalloc+0xb3/0x160 mm/slub.c:6352
> Code: 25 00 00 00 ff 3d 00 00 00 f8 0f 85 a6 00 00 00 c7 43 30 ff ff ff ff 48 89 df 44 89 f6 e8 45 d9 fc ff 5b 41 5e 41 5f 5d c3 90 <0f> 0b 90 48 89 df 48 c7 c6 b7 4c 72 8d e8 cb e8 08 ff eb e4 90 0f
> RSP: 0018:ffffc900028e76f8 EFLAGS: 00010287
> RAX: 00000000f0000000 RBX: ffffea00019a5c00 RCX: ffff888067550001
> RDX: 0000000000000000 RSI: ffff888066970000 RDI: ffffea00019a5c00
> RBP: ffffc900028e7710 R08: ffff888049c40603 R09: 1ffff110093880c0
> R10: dffffc0000000000 R11: ffffed10093880c1 R12: ffff888066970000
> R13: ffffffff870bc0f1 R14: 0000000000000000 R15: dffffc0000000000
> FS: 0000000000000000(0000) GS:ffff8880ef136000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fba7e4bf008 CR3: 000000005776b000 CR4: 00000000000006f0
> Call Trace:
> <TASK>
> kfree+0xae/0x630 mm/slub.c:6437
> urb_destroy drivers/usb/core/urb.c:25 [inline]
static void urb_destroy(struct kref *kref)
{
	struct urb *urb = to_urb(kref);

	if (urb->transfer_flags & URB_FREE_BUFFER)
		kfree(urb->transfer_buffer);	<--- this one

	kfree(urb);
}
> kref_put include/linux/kref.h:65 [inline]
> usb_free_urb+0xd1/0x120 drivers/usb/core/urb.c:96
USB layer itself is likely also not the root cause.
> em28xx_uninit_usb_xfer+0x165/0x310 drivers/media/usb/em28xx/em28xx-core.c:833
> em28xx_alloc_urbs+0xf2a/0x1130 drivers/media/usb/em28xx/em28xx-core.c:-1
> em28xx_dvb_init+0x2b0/0x4a20 drivers/media/usb/em28xx/em28xx-dvb.c:-1
> em28xx_init_extension+0x121/0x1d0 drivers/media/usb/em28xx/em28xx-core.c:1117
So it might be this driver doing something wrong?
> request_module_async+0x5e/0x80 drivers/media/usb/em28xx/em28xx-cards.c:3457
> process_one_work kernel/workqueue.c:3275 [inline]
> process_scheduled_works+0xae1/0x1800 kernel/workqueue.c:3358
> worker_thread+0xa0f/0xf70 kernel/workqueue.c:3439
> kthread+0x37d/0x470 kernel/kthread.c:467
> ret_from_fork+0x507/0xb90 arch/x86/kernel/process.c:158
> ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:245
> </TASK>
>
> <<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
>
> Modules linked in:
> CPU: 1 UID: 0 PID: 12317 Comm: kworker/1:4 Tainted: G L 7.0.0-rc1 #1 PREEMPT(full)
> Tainted: [L]=SOFTLOCKUP
> Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> Workqueue: events request_module_async
> RIP: 0010:free_large_kmalloc+0xb3/0x160
> Code: 25 00 00 00 ff 3d 00 00 00 f8 0f 85 a6 00 00 00 c7 43 30 ff ff ff ff 48 89 df 44 89 f6 e8 45 d9 fc ff 5b 41 5e 41 5f 5d c3 90 <0f> 0b 90 48 89 df 48 c7 c6 b7 4c 72 8d e8 cb e8 08 ff eb e4 90 0f
> RSP: 0018:ffffc900028e76f8 EFLAGS: 00010287
> RAX: 00000000f0000000 RBX: ffffea00019a5c00 RCX: ffff888067550001
> RDX: 0000000000000000 RSI: ffff888066970000 RDI: ffffea00019a5c00
> RBP: ffffc900028e7710 R08: ffff888049c40603 R09: 1ffff110093880c0
> R10: dffffc0000000000 R11: ffffed10093880c1 R12: ffff888066970000
> R13: ffffffff870bc0f1 R14: 0000000000000000 R15: dffffc0000000000
> FS: 0000000000000000(0000) GS:ffff8880ef136000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007fba7e4bf008 CR3: 000000005776b000 CR4: 00000000000006f0
> Call Trace:
> <TASK>
> kfree+0xae/0x630
> usb_free_urb+0xd1/0x120
> em28xx_uninit_usb_xfer+0x165/0x310
> em28xx_alloc_urbs+0xf2a/0x1130
> em28xx_dvb_init+0x2b0/0x4a20
> em28xx_init_extension+0x121/0x1d0
> request_module_async+0x5e/0x80
> process_scheduled_works+0xae1/0x1800
> worker_thread+0xa0f/0xf70
> kthread+0x37d/0x470
> ret_from_fork+0x507/0xb90
> ret_from_fork_asm+0x11/0x20
> </TASK>
> Kernel panic - not syncing: kernel: panic_on_warn set ...
> CPU: 1 UID: 0 PID: 12317 Comm: kworker/1:4 Tainted: G L 7.0.0-rc1 #1 PREEMPT(full)
> Tainted: [L]=SOFTLOCKUP
> Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> Workqueue: events request_module_async
> Call Trace:
> <TASK>
> __dump_stack+0x21/0x30
> dump_stack_lvl+0x2b/0x150
> dump_stack+0x19/0x20
> vpanic+0x53e/0xa20
> panic+0xb9/0xc0
> __warn+0x320/0x500
> __report_bug+0x28d/0x500
> report_bug+0x175/0x220
> handle_bug+0x9c/0x200
> exc_invalid_op+0x1f/0x50
> asm_exc_invalid_op+0x1f/0x30
> RIP: 0010:free_large_kmalloc+0xb3/0x160
> Code: 25 00 00 00 ff 3d 00 00 00 f8 0f 85 a6 00 00 00 c7 43 30 ff ff ff ff 48 89 df 44 89 f6 e8 45 d9 fc ff 5b 41 5e 41 5f 5d c3 90 <0f> 0b 90 48 89 df 48 c7 c6 b7 4c 72 8d e8 cb e8 08 ff eb e4 90 0f
> RSP: 0018:ffffc900028e76f8 EFLAGS: 00010287
> RAX: 00000000f0000000 RBX: ffffea00019a5c00 RCX: ffff888067550001
> RDX: 0000000000000000 RSI: ffff888066970000 RDI: ffffea00019a5c00
> RBP: ffffc900028e7710 R08: ffff888049c40603 R09: 1ffff110093880c0
> R10: dffffc0000000000 R11: ffffed10093880c1 R12: ffff888066970000
> R13: ffffffff870bc0f1 R14: 0000000000000000 R15: dffffc0000000000
> kfree+0xae/0x630
> usb_free_urb+0xd1/0x120
> em28xx_uninit_usb_xfer+0x165/0x310
> em28xx_alloc_urbs+0xf2a/0x1130
> em28xx_dvb_init+0x2b0/0x4a20
> em28xx_init_extension+0x121/0x1d0
> request_module_async+0x5e/0x80
> process_scheduled_works+0xae1/0x1800
> worker_thread+0xa0f/0xf70
> kthread+0x37d/0x470
> ret_from_fork+0x507/0xb90
> ret_from_fork_asm+0x11/0x20
> </TASK>
> Kernel Offset: disabled
> Rebooting in 86400 seconds..
>
> <<<<<<<<<<<<<<< tail report >>>>>>>>>>>>>>>
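The ownership rule behind the kfree(urb->transfer_buffer) line quoted above is easy to get wrong on a driver's error path: URB_FREE_BUFFER hands the buffer to the URB, so a driver that also frees it itself produces exactly the kind of kfree() of an already-freed pointer described in this reply. The following is an added userspace C model, not kernel code and not a claim about where the em28xx bug actually is. The "allocator" is a small table that flags a free of any pointer it does not currently own, standing in for the mm/slub.c sanity check; the URB structure, flag value and function names are this model's own.

```c
/* Constructed model of the URB_FREE_BUFFER ownership rule that
 * urb_destroy() relies on. Not kernel code: model_kfree() flags a free
 * of any pointer it does not own, the way the slab warning above does. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define URB_FREE_BUFFER 0x0100   /* flag value used by this model */
#define MAX_LIVE 64

static void *live[MAX_LIVE];     /* pointers currently owned by the allocator */
static int warn_count;           /* frees of unowned pointers (model of the WARN) */

static void *model_kmalloc(size_t size)
{
    void *p = malloc(size);
    if (!p)
        return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) {
            live[i] = p;
            return p;
        }
    }
    free(p);
    return NULL;
}

/* Returns false and counts a warning if p is not a live allocation
 * (double free or a pointer the allocator never handed out). */
static bool model_kfree(void *p)
{
    if (!p)
        return true;             /* kfree(NULL) is a no-op */
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) {
            live[i] = NULL;
            free(p);
            return true;
        }
    }
    warn_count++;
    return false;
}

int live_allocations(void)
{
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++)
        n += live[i] != NULL;
    return n;
}

struct urb {
    int refcount;
    unsigned transfer_flags;
    void *transfer_buffer;
};

static struct urb *usb_alloc_urb_model(void)
{
    struct urb *urb = model_kmalloc(sizeof(*urb));
    if (urb) {
        urb->refcount = 1;
        urb->transfer_flags = 0;
        urb->transfer_buffer = NULL;
    }
    return urb;
}

/* Mirrors the quoted urb_destroy(): the buffer is freed only when the
 * URB owns it, then the URB itself is freed. */
static void urb_destroy_model(struct urb *urb)
{
    if (urb->transfer_flags & URB_FREE_BUFFER)
        model_kfree(urb->transfer_buffer);
    model_kfree(urb);
}

static void usb_free_urb_model(struct urb *urb)
{
    if (urb && --urb->refcount == 0)
        urb_destroy_model(urb);
}

/* Error path where the driver both hands the buffer to the URB via
 * URB_FREE_BUFFER and frees it itself: the second free is flagged. */
int scenario_double_owner(void)
{
    int before = warn_count;
    struct urb *urb = usb_alloc_urb_model();
    urb->transfer_buffer = model_kmalloc(4096);
    urb->transfer_flags |= URB_FREE_BUFFER;
    model_kfree(urb->transfer_buffer);   /* driver cleanup... */
    usb_free_urb_model(urb);             /* ...and urb_destroy frees it again */
    return warn_count - before;          /* returns 1 */
}

/* Correct pattern: exactly one owner. A driver that frees the buffer
 * itself first takes ownership back by clearing the flag. */
int scenario_single_owner(void)
{
    int before = warn_count;
    struct urb *urb = usb_alloc_urb_model();
    urb->transfer_buffer = model_kmalloc(4096);
    urb->transfer_flags |= URB_FREE_BUFFER;
    urb->transfer_flags &= ~URB_FREE_BUFFER;
    model_kfree(urb->transfer_buffer);
    urb->transfer_buffer = NULL;
    usb_free_urb_model(urb);
    return warn_count - before;          /* returns 0 */
}

int main(void)
{
    printf("double owner: %d warning(s)\n", scenario_double_owner());
    printf("single owner: %d warning(s)\n", scenario_single_owner());
    printf("leaked allocations: %d\n", live_allocations());
    return 0;
}
```

The same check can be pointed at any cleanup path that frees a transfer buffer: if the buffer is freed explicitly, URB_FREE_BUFFER must not also be set, and vice versa.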
Thread overview: 6+ messages
2026-06-26 21:27 WARNING in usb_free_urb sanan.hasanou
2026-06-29 6:27 ` Vlastimil Babka (SUSE) [this message]
2026-06-29 7:20 ` Michal Pecio
2026-06-29 7:28 ` Michal Pecio
2026-06-29 7:31 ` Vlastimil Babka (SUSE)
2026-06-29 7:40 ` Hans Verkuil