* [syzbot] [media?] [usb?] WARNING in usb_free_urb

From: syzbot @ 2024-06-02 1:44 UTC
To: linux-kernel, linux-media, linux-usb, mchehab, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    e0cce98fe279 Merge tag 'tpmdd-next-6.10-rc2' of git://git...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15c9b13c980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=238430243a58f702
dashboard link: https://syzkaller.appspot.com/bug?extid=b466336413a1fba398a5
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15f3e2fc980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=157ada62980000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-e0cce98f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/5a8fbe5a0be1/vmlinux-e0cce98f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/1f8ed6b81845/bzImage-e0cce98f.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+b466336413a1fba398a5@syzkaller.appspotmail.com

usb 5-1: Product: syz
usb 5-1: Manufacturer: syz
usb 5-1: SerialNumber: syz
smsusb:smsusb_probe: board id=7, interface number 55
smsusb:smsusb_probe: board id=7, interface number 147
smsusb:smsusb_probe: board id=7, interface number 0
smsusb:siano_media_device_register: media controller created
smsusb:smsusb_start_streaming: smsusb_submit_urb(...) failed
smsusb:smsusb_init_device: smsusb_start_streaming(...) failed
------------[ cut here ]------------
WARNING: CPU: 2 PID: 55 at mm/slub.c:4519 free_large_kmalloc+0xda/0x140 mm/slub.c:4519
Modules linked in:
CPU: 2 PID: 55 Comm: kworker/2:1 Not tainted 6.10.0-rc1-syzkaller-00021-ge0cce98fe279 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Workqueue: usb_hub_wq hub_event
RIP: 0010:free_large_kmalloc+0xda/0x140 mm/slub.c:4519
Code: 56 fb 8b 43 34 85 c0 75 c7 48 c7 c6 90 f0 26 8d 48 89 df e8 e8 08 f1 ff 90 0f 0b 48 89 df 5b 5d 41 5c 41 5d e9 47 a2 e4 ff 90 <0f> 0b 90 80 3d 3c b9 ee 0d 00 74 28 48 8b 74 24 20 48 89 ef e8 bd
RSP: 0018:ffffc90000a76e18 EFLAGS: 00010246
RAX: 00fff00000000000 RBX: ffffea0000c9d880 RCX: ffffffff813e21dc
RDX: ffff88801a924880 RSI: ffff888032762000 RDI: ffffea0000c9d880
RBP: ffff888032762000 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff88801ade0000
R13: ffff88801ac2b000 R14: dffffc0000000000 R15: ffff88801ade00f0
FS:  0000000000000000(0000) GS:ffff88806b200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f66ab5c8388 CR3: 000000002a16a000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 urb_destroy drivers/usb/core/urb.c:25 [inline]
 kref_put include/linux/kref.h:65 [inline]
 usb_free_urb.part.0+0xf8/0x110 drivers/usb/core/urb.c:97
 usb_free_urb+0x1f/0x30 drivers/usb/core/urb.c:96
 smsusb_term_device+0x108/0x1e0 drivers/media/usb/siano/smsusb.c:352
 smsusb_init_device+0xaa2/0xe10 drivers/media/usb/siano/smsusb.c:497
 smsusb_probe+0x5e2/0x10b0 drivers/media/usb/siano/smsusb.c:575
 usb_probe_interface+0x309/0x9d0 drivers/usb/core/driver.c:399
 call_driver_probe drivers/base/dd.c:578 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:656
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:798
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:828
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:956
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1028
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:532
 device_add+0x114b/0x1a70 drivers/base/core.c:3721
 usb_set_configuration+0x10cb/0x1c50 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:254
 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:294
 call_driver_probe drivers/base/dd.c:578 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:656
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:798
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:828
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:956
 bus_for_each_drv+0x157/0x1e0 drivers/base/bus.c:457
 __device_attach+0x1e8/0x4b0 drivers/base/dd.c:1028
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:532
 device_add+0x114b/0x1a70 drivers/base/core.c:3721
 usb_new_device+0xd90/0x1a10 drivers/usb/core/hub.c:2651
 hub_port_connect drivers/usb/core/hub.c:5521 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x2db0/0x4e20 drivers/usb/core/hub.c:5903
 process_one_work+0x9fb/0x1b60 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xf70 kernel/workqueue.c:3393
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [media?] [usb?] WARNING in usb_free_urb

From: Hillf Danton @ 2024-06-02 3:20 UTC
To: syzbot
Cc: linux-kernel, syzkaller-bugs

On Sat, 01 Jun 2024 18:44:29 -0700
> syzbot found the following issue on:
>
> HEAD commit:    e0cce98fe279 Merge tag 'tpmdd-next-6.10-rc2' of git://git...
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=157ada62980000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

--- x/drivers/media/usb/siano/smsusb.c +++ y/drivers/media/usb/siano/smsusb.c @@ -168,7 +168,6 @@ static int smsusb_submit_urb(struct smsu smsusb_onresponse, surb ); - surb->urb->transfer_flags |= URB_FREE_BUFFER; return usb_submit_urb(surb->urb, GFP_ATOMIC); }
--
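Review bot: dropping `surb->urb->transfer_flags |= URB_FREE_BUFFER;` is the right fix, and the hunk would read better with a one-line comment saying why the flag must stay off, plus a Fixes: tag for the commit that added the line and the Reported-by: tag from the report. With the flag set, urb_destroy (drivers/usb/core/urb.c:25 in the trace) kfree()s urb->transfer_buffer when smsusb_term_device drops the URB at smsusb.c:352; the buffer behind that URB is not a kmalloc() object of its own but a slice of the single common buffer that smscore_register_device allocates with one kzalloc() for USB devices and smscore_unregister_device frees, so the free lands on a pointer the slab allocator never handed out, which is what the WARNING in free_large_kmalloc objects to. After this change the buffer has exactly one owner (smscore), which matches the clean syzbot run on this patch.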
* Re: [syzbot] [media?] [usb?] WARNING in usb_free_urb

From: syzbot @ 2024-06-02 3:45 UTC
To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+b466336413a1fba398a5@syzkaller.appspotmail.com

Tested on:

commit:         83814698 Merge tag 'powerpc-6.10-2' of git://git.kerne..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
console output: https://syzkaller.appspot.com/x/log.txt?x=12b77be6980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=238430243a58f702
dashboard link: https://syzkaller.appspot.com/bug?extid=b466336413a1fba398a5
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1209fabc980000

Note: testing is done by a robot and is best-effort only.
* Re: WARNING in usb_free_urb

From: Tetsuo Handa @ 2026-04-17 12:05 UTC
To: syzbot+b466336413a1fba398a5, LKML

#syz test

diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c index 017629e3cf84..10159c07d295 100644 --- a/drivers/media/common/siano/smscoreapi.c +++ b/drivers/media/common/siano/smscoreapi.c @@ -612,8 +612,24 @@ static int smscore_notify_callbacks(struct smscore_device_t *coredev, } static struct -smscore_buffer_t *smscore_createbuffer(u8 *buffer, void *common_buffer, - dma_addr_t common_buffer_phys) +smscore_buffer_t *smscore_create_usb_buffer(int buffer_size) +{ + struct smscore_buffer_t *cb; + + cb = kzalloc_obj(*cb); + if (!cb) + return NULL; + cb->p = kzalloc(buffer_size, GFP_KERNEL); + if (!cb->p) { + kfree(cb); + return NULL; + } + return cb; +} + +static struct +smscore_buffer_t *smscore_create_dma_buffer(u8 *buffer, void *common_buffer, + dma_addr_t common_buffer_phys) { struct smscore_buffer_t *cb; @@ -622,9 +638,8 @@ smscore_buffer_t *smscore_createbuffer(u8 *buffer, void *common_buffer, return NULL; cb->p = buffer; - cb->offset_in_common = buffer - (u8 *) common_buffer; if (common_buffer_phys) - cb->phys = common_buffer_phys + cb->offset_in_common; + cb->phys = common_buffer_phys + (buffer - (u8 *) common_buffer); return cb; }
@@ -684,27 +699,32 @@ int smscore_register_device(struct smsdevice_params_t *params, init_waitqueue_head(&dev->buffer_mng_waitq); /* alloc common buffer */ - dev->common_buffer_size = params->buffer_size * params->num_buffers; - if (params->usb_device) - buffer = kzalloc(dev->common_buffer_size, GFP_KERNEL); - else + if (params->usb_device) { + dev->common_dma_buffer_size = 0; + buffer = NULL; + } else { + dev->common_dma_buffer_size = params->buffer_size * params->num_buffers; buffer = dma_alloc_coherent(params->device, - dev->common_buffer_size, - &dev->common_buffer_phys, + dev->common_dma_buffer_size, + &dev->common_dma_buffer_phys, GFP_KERNEL | dev->gfp_buf_flags); - if (!buffer) { - smscore_unregister_device(dev); - return -ENOMEM; + if (!buffer) { + smscore_unregister_device(dev); + return -ENOMEM; + } } - dev->common_buffer = buffer; + dev->common_dma_buffer = buffer; /* prepare dma buffers */ for (; dev->num_buffers < params->num_buffers; dev->num_buffers++, buffer += params->buffer_size) { struct smscore_buffer_t *cb; - cb = smscore_createbuffer(buffer, dev->common_buffer, - dev->common_buffer_phys); + if (params->usb_device) + cb = smscore_create_usb_buffer(params->buffer_size); + else + cb = smscore_create_dma_buffer(buffer, dev->common_dma_buffer, + dev->common_dma_buffer_phys); if (!cb) { smscore_unregister_device(dev); return -ENOMEM; @@ -1204,6 +1224,8 @@ void smscore_unregister_device(struct smscore_device_t *coredev) while (!list_empty(&coredev->buffers)) { cb = (struct smscore_buffer_t *) coredev->buffers.next; list_del(&cb->entry); + if (coredev->usb_device) + kfree(cb->p); kfree(cb); num_buffers++; } 
@@ -1223,15 +1245,11 @@ void smscore_unregister_device(struct smscore_device_t *coredev) pr_debug("freed %d buffers\n", num_buffers); - if (coredev->common_buffer) { - if (coredev->usb_device) - kfree(coredev->common_buffer); - else - dma_free_coherent(coredev->device, - coredev->common_buffer_size, - coredev->common_buffer, - coredev->common_buffer_phys); - } + if (coredev->common_dma_buffer) + dma_free_coherent(coredev->device, + coredev->common_dma_buffer_size, + coredev->common_dma_buffer, + coredev->common_dma_buffer_phys); kfree(coredev->fw_buf); list_del(&coredev->entry); diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h index d945a2d6d624..a06c8af6eb3a 100644 --- a/drivers/media/common/siano/smscoreapi.h +++ b/drivers/media/common/siano/smscoreapi.h @@ -112,7 +112,6 @@ struct smscore_buffer_t { /* private members, read-only for clients */ void *p; dma_addr_t phys; - unsigned long offset_in_common; }; struct smsdevice_params_t { @@ -154,9 +153,9 @@ struct smscore_device_t { spinlock_t bufferslock; int num_buffers; - void *common_buffer; - int common_buffer_size; - dma_addr_t common_buffer_phys; + void *common_dma_buffer; + int common_dma_buffer_size; + dma_addr_t common_dma_buffer_phys; void *context; struct device *device;
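Review bot: in the new smscore_create_usb_buffer() (hunk @@ -612,8 +612,24 @@), the per-buffer `cb->p = kzalloc(buffer_size, GFP_KERNEL);` gives each USB buffer two owners, and syzbot's run on this patch shows the result: KASAN reports a double-free of the object allocated here (smscoreapi.c:622), freed first by smscore_unregister_device at smscoreapi.c:1228 and again by urb_destroy when smsusb_term_device calls usb_free_urb at smsusb.c:352. The second free comes from the URB_FREE_BUFFER flag that smsusb_submit_urb still sets on the URB carrying cb->p. Pick one owner before splitting the allocation: either stop setting URB_FREE_BUFFER in smsusb_submit_urb (the earlier test patch in this thread did exactly that and passed) and keep the kfree() in smscore, or hand the buffer to the URB and do not free it in smscore; the current combination cannot work.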
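Review bot: in the smscore_register_device() loop (hunk @@ -684,27 +699,32 @@), the `buffer += params->buffer_size` in the for-increment still executes for USB devices even though that branch now assigns `buffer = NULL;` and never uses it; arithmetic on a null pointer is undefined behaviour in C and a trap for the next reader even where the value is never dereferenced. Either advance `buffer` only on the `!params->usb_device` path, or split the loop so the USB branch calls smscore_create_usb_buffer() without touching `buffer` at all.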
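Review bot: the new `if (coredev->usb_device) kfree(cb->p);` in smscore_unregister_device() (hunk @@ -1204,6 +1224,8 @@) runs before the URBs are released: the Freed-by stack in syzbot's reply shows smsusb_term_device calling smscore_unregister_device at smsusb.c:349 and then usb_free_urb at smsusb.c:352, so any URB whose transfer_buffer still points at cb->p is left holding a dangling pointer and, with URB_FREE_BUFFER set, frees it a second time. This loop also only covers buffers that are back on coredev->buffers; please confirm what happens to a buffer that is still attached to an in-flight URB at unregister time, since it would not be on the list. Whichever side ends up owning cb->p, the free should happen exactly once and only after the URBs that reference it are gone.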
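Review bot: with common_dma_buffer, common_dma_buffer_size and common_dma_buffer_phys now left NULL/0 for USB devices (hunk @@ -154,9 +153,9 @@ in smscoreapi.h), a one-line comment on those fields in struct smscore_device_t saying so, and that USB buffers are owned per smscore_buffer_t via cb->p, would keep the next change from reintroducing a USB branch in the free path.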
* Re: [syzbot] [usb?] [media?] WARNING in usb_free_urb

From: syzbot @ 2026-04-17 13:00 UTC
To: linux-kernel, penguin-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: invalid-free in usb_free_urb

smsmdtv:smscore_sendrequest_and_wait: sendrequest returned error -22
smsmdtv:smscore_set_device_mode: mode detect failed -22
smsmdtv:smscore_start_device: set device mode failed , rc -22
smsusb:smsusb_init_device: smscore_start_device(...) failed
==================================================================
BUG: KASAN: double-free in urb_destroy drivers/usb/core/urb.c:25 [inline]
BUG: KASAN: double-free in kref_put include/linux/kref.h:65 [inline]
BUG: KASAN: double-free in usb_free_urb+0xd0/0x120 drivers/usb/core/urb.c:96
Free of addr ffff888031560000 by task kworker/0:3/5873

CPU: 0 UID: 0 PID: 5873 Comm: kworker/0:3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report_invalid_free+0xea/0x110 mm/kasan/report.c:557
 check_slab_allocation mm/kasan/common.c:-1 [inline]
 __kasan_slab_pre_free+0x104/0x120 mm/kasan/common.c:261
 kasan_slab_pre_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:2634 [inline]
 slab_free mm/slub.c:6246 [inline]
 kfree+0x173/0x640 mm/slub.c:6561
 urb_destroy drivers/usb/core/urb.c:25 [inline]
 kref_put include/linux/kref.h:65 [inline]
 usb_free_urb+0xd0/0x120 drivers/usb/core/urb.c:96
 smsusb_term_device+0x1d7/0x3e0 drivers/media/usb/siano/smsusb.c:352
 smsusb_init_device drivers/media/usb/siano/smsusb.c:497 [inline]
 smsusb_probe+0x1aba/0x2280 drivers/media/usb/siano/smsusb.c:575
 usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1081
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3691
 usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2266
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1081
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3691
 usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 5873:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __do_kmalloc_node mm/slub.c:5295 [inline]
 __kmalloc_noprof+0x35c/0x760 mm/slub.c:5307
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 smscore_create_usb_buffer drivers/media/common/siano/smscoreapi.c:622 [inline]
 smscore_register_device+0x721/0x12b0 drivers/media/common/siano/smscoreapi.c:724
 smsusb_init_device drivers/media/usb/siano/smsusb.c:458 [inline]
 smsusb_probe+0x13f7/0x2280 drivers/media/usb/siano/smsusb.c:575
 usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1081
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3691
 usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2266
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1081
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3691
 usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 5873:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 kasan_save_free_info+0x46/0x50 mm/kasan/generic.c:584
 poison_slab_object mm/kasan/common.c:253 [inline]
 __kasan_slab_free+0x5c/0x80 mm/kasan/common.c:285
 kasan_slab_free include/linux/kasan.h:235 [inline]
 slab_free_hook mm/slub.c:2689 [inline]
 slab_free mm/slub.c:6246 [inline]
 kfree+0x1c5/0x640 mm/slub.c:6561
 smscore_unregister_device+0x33e/0x7e0 drivers/media/common/siano/smscoreapi.c:1228
 smsusb_term_device+0x1a7/0x3e0 drivers/media/usb/siano/smsusb.c:349
 smsusb_init_device drivers/media/usb/siano/smsusb.c:497 [inline]
 smsusb_probe+0x1aba/0x2280 drivers/media/usb/siano/smsusb.c:575
 usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1081
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3691
 usb_set_configuration+0x1a87/0x2110 drivers/usb/core/message.c:2266
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c4/0x3b0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1081
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1136
 bus_probe_device+0x12a/0x220 drivers/base/bus.c:613
 device_add+0x7b6/0xb70 drivers/base/core.c:3691
 usb_new_device+0xa08/0x16f0 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x2a1c/0x4f30 drivers/usb/core/hub.c:5953
 process_one_work kernel/workqueue.c:3302 [inline]
 process_scheduled_works+0xb5d/0x1860 kernel/workqueue.c:3385
 worker_thread+0xa53/0xfc0 kernel/workqueue.c:3466
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888031560000
 which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 0 bytes inside of
 8192-byte region [ffff888031560000, ffff888031562000)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888031564000 pfn:0x31560
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff88813fe30280 ffffea0001e6ac10 ffff88813fe2aac8
raw: ffff888031564000 0000000800020001 00000000f5000000 0000000000000000
head: 00fff00000000240 ffff88813fe30280 ffffea0001e6ac10 ffff88813fe2aac8
head: ffff888031564000 0000000800020001 00000000f5000000 0000000000000000
head: 00fff00000000003 fffffffffffffe01 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5873, tgid 5873 (kworker/0:3), ts 124014915400, free_ts 123135935773
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x231/0x280 mm/page_alloc.c:1860
 prep_new_page mm/page_alloc.c:1868 [inline]
 get_page_from_freelist+0x24ba/0x2540 mm/page_alloc.c:3948
 __alloc_frozen_pages_noprof+0x18d/0x380 mm/page_alloc.c:5228
 alloc_slab_page mm/slub.c:3278 [inline]
 allocate_slab+0x77/0x660 mm/slub.c:3467
 new_slab mm/slub.c:3525 [inline]
 refill_objects+0x339/0x3d0 mm/slub.c:7251
 refill_sheaf mm/slub.c:2816 [inline]
 __pcs_replace_empty_main+0x321/0x720 mm/slub.c:4651
 alloc_from_pcs mm/slub.c:4749 [inline]
 slab_alloc_node mm/slub.c:4883 [inline]
 __do_kmalloc_node mm/slub.c:5294 [inline]
 __kmalloc_noprof+0x474/0x760 mm/slub.c:5307
 kmalloc_noprof include/linux/slab.h:954 [inline]
 kzalloc_noprof include/linux/slab.h:1188 [inline]
 smscore_create_usb_buffer drivers/media/common/siano/smscoreapi.c:622 [inline]
 smscore_register_device+0x721/0x12b0 drivers/media/common/siano/smscoreapi.c:724
 smsusb_init_device drivers/media/usb/siano/smsusb.c:458 [inline]
 smsusb_probe+0x13f7/0x2280 drivers/media/usb/siano/smsusb.c:575
 usb_probe_interface+0x659/0xc70 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x267/0xaf0 drivers/base/dd.c:709
 __driver_probe_device+0x18c/0x320 drivers/base/dd.c:851
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:881
 __device_attach_driver+0x279/0x430 drivers/base/dd.c:1009
 bus_for_each_drv+0x258/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c5/0x450 drivers/base/dd.c:1081
page last free pid 6478 tgid 6478 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 __free_pages_prepare mm/page_alloc.c:1404 [inline]
 __free_frozen_pages+0xbc7/0xd30 mm/page_alloc.c:2945
 __slab_free+0x274/0x2c0 mm/slub.c:5608
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x99/0x100 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x148/0x160 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x22/0x80 mm/kasan/common.c:350
 kasan_slab_alloc include/linux/kasan.h:253 [inline]
 slab_post_alloc_hook mm/slub.c:4569 [inline]
 slab_alloc_node mm/slub.c:4898 [inline]
 kmem_cache_alloc_noprof+0x2bc/0x650 mm/slub.c:4905
 vm_area_alloc+0x24/0x140 mm/vma_init.c:32
 __mmap_new_vma mm/vma.c:2547 [inline]
 __mmap_region mm/vma.c:2771 [inline]
 mmap_region+0x11cd/0x2280 mm/vma.c:2856
 do_mmap+0xc39/0x10c0 mm/mmap.c:560
 vm_mmap_pgoff+0x2c9/0x4f0 mm/util.c:581
 ksys_mmap_pgoff+0x51e/0x760 mm/mmap.c:606
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x15f/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88803155ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88803155ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888031560000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff888031560080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888031560100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


Tested on:

commit:         43cfbdda Merge tag 'for-linus-iommufd' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=17169a6a580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8195c5b22e79c2cf
dashboard link: https://syzkaller.appspot.com/bug?extid=b466336413a1fba398a5
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15f641ba580000