* [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
From: syzbot @ 2025-08-16 3:07 UTC (permalink / raw)
To: gregkh, linux-kernel, linux-usb, syzkaller-bugs
Hello,
syzbot found the following issue on:
HEAD commit: 931e46dcbc7e Add linux-next specific files for 20250814
git tree: linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=11ef65a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=bb7fbecfa2364d1c
dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a99842580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17108da2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/68e3ffeee4c1/disk-931e46dc.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3cc40de4a0c3/vmlinux-931e46dc.xz
kernel image: https://storage.googleapis.com/syzbot-assets/aed3e4f6a518/bzImage-931e46dc.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
usbtmc 1-1:16.0: invalid notification: 33
usbtmc 1-1:16.0: invalid notification: 36
usbtmc 1-1:16.0: invalid notification: 8
==================================================================
BUG: KASAN: slab-out-of-bounds in usbtmc_interrupt+0x4c7/0x690 drivers/usb/class/usbtmc.c:2313
Read of size 1 at addr ffff8880291a69a1 by task swapper/1/0
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
usbtmc_interrupt+0x4c7/0x690 drivers/usb/class/usbtmc.c:2313
__usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1661
dummy_timer+0x862/0x4550 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
handle_softirqs+0x286/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:82
Code: 53 e8 02 00 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 1a 25 00 f3 0f 1e fa fb f4 <c3> cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90000197de0 EFLAGS: 000002c6
RAX: 01516c1b89febd00 RBX: ffffffff8196d368 RCX: 01516c1b89febd00
RDX: 0000000000000001 RSI: ffffffff8c04d960 RDI: ffffffff8196d368
RBP: ffffc90000197f20 R08: ffff8880b8732f9b R09: 1ffff110170e65f3
R10: dffffc0000000000 R11: ffffed10170e65f4 R12: ffffffff8fe4db30
R13: 0000000000000001 R14: 0000000000000001 R15: 1ffff11003a55b40
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x13/0x20 arch/x86/kernel/process.c:757
default_idle_call+0x74/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:190 [inline]
do_idle+0x1e8/0x510 kernel/sched/idle.c:330
cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:428
start_secondary+0x101/0x110 arch/x86/kernel/smpboot.c:315
common_startup_64+0x13e/0x147
</TASK>
Allocated by task 44:
kasan_save_stack mm/kasan/common.c:56 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:77
poison_kmalloc_redzone mm/kasan/common.c:397 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:913 [inline]
usbtmc_probe+0xa3a/0x1a60 drivers/usb/class/usbtmc.c:2456
usb_probe_interface+0x665/0xc30 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9e0 drivers/base/dd.c:659
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26a/0x9e0 drivers/base/dd.c:659
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2958/0x4a20 drivers/usb/core/hub.c:5952
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x711/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff8880291a69a0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
allocated 1-byte region [ffff8880291a69a0, ffff8880291a69a1)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x291a6
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801a841500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 16852153284, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_node_track_caller_noprof+0x2f8/0x4e0 mm/slub.c:4384
__kmemdup_nul mm/util.c:64 [inline]
kstrdup+0x42/0x100 mm/util.c:84
__kernfs_new_node+0x9c/0x7e0 fs/kernfs/dir.c:633
kernfs_new_node+0x102/0x210 fs/kernfs/dir.c:713
kernfs_create_dir_ns+0x44/0x130 fs/kernfs/dir.c:1083
sysfs_create_dir_ns+0x123/0x280 fs/sysfs/dir.c:59
create_dir lib/kobject.c:73 [inline]
kobject_add_internal+0x59f/0xb40 lib/kobject.c:240
kobject_add_varg lib/kobject.c:374 [inline]
kobject_add+0x155/0x220 lib/kobject.c:426
device_add+0x408/0xb50 drivers/base/core.c:3627
usb_create_ep_devs+0x12c/0x230 drivers/usb/core/endpoint.c:170
page_owner free stack trace missing
Memory state around the buggy address:
ffff8880291a6880: 04 fc fc fc 04 fc fc fc 06 fc fc fc 04 fc fc fc
ffff8880291a6900: 06 fc fc fc 06 fc fc fc fa fc fc fc fa fc fc fc
>ffff8880291a6980: fa fc fc fc 01 fc fc fc 00 fc fc fc 00 fc fc fc
^
ffff8880291a6a00: 00 fc fc fc 06 fc fc fc 06 fc fc fc 06 fc fc fc
ffff8880291a6a80: 07 fc fc fc 06 fc fc fc 06 fc fc fc 06 fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 53 push %rbx
1: e8 02 00 cc cc call 0xcccc0008
6: cc int3
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: f3 0f 1e fa endbr64
1b: 66 90 xchg %ax,%ax
1d: 0f 00 2d 33 1a 25 00 verw 0x251a33(%rip) # 0x251a57
24: f3 0f 1e fa endbr64
28: fb sti
29: f4 hlt
* 2a: c3 ret <-- trapping instruction
2b: cc int3
2c: cc int3
2d: cc int3
2e: cc int3
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: cc int3
35: cc int3
36: cc int3
37: 90 nop
38: 90 nop
39: 90 nop
3a: 90 nop
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
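The report above boils down to one number: KASAN flags a 1-byte read at usbtmc.c:2313 that lands 0 bytes past a 1-byte region allocated in usbtmc_probe() (usbtmc.c:2456), that is, the interrupt completion handler reads a second notification byte from a buffer that was only ever one byte long. The following is an added example, not code from the syzbot report, the usbtmc driver, or any patch in this thread: a stand-alone C model of a USB488 interrupt-IN notification handler that bounds every index against both the allocated buffer and the length the controller actually delivered, together with a probe-time check that refuses an interrupt endpoint too small to carry a whole notification. The two-byte bNotify1/bNotify2 layout, 0x81 for SRQ and 0x80|bTag for READ_STATUS_BYTE responses, follow the USBTMC-USB488 notification format; the struct and function names, and the probe-time wMaxPacketSize check, are this example's own assumptions, not the driver's.

```c
/*
 * Added example: a model of a bounded USB488 interrupt-IN notification
 * handler. Not the usbtmc driver's code; names are this example's own.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* A USB488 interrupt-IN notification is always two bytes: bNotify1, bNotify2. */
#define USB488_NOTIFY_LEN   2
#define USB488_SRQ_NOTIFY   0x81   /* bNotify1 for a service request */
#define USB488_TAG_MASK     0x7f   /* bNotify1 = 0x80 | bTag for READ_STATUS_BYTE replies */

enum notify_kind {
	NOTIFY_SHORT,     /* fewer bytes than a notification: byte 1 is never touched */
	NOTIFY_INVALID,   /* bNotify1 below 0x81: not a recognised notification */
	NOTIFY_SRQ,       /* service request, status byte in bNotify2 */
	NOTIFY_STATUS,    /* READ_STATUS_BYTE response for tag, status byte in bNotify2 */
};

struct notify {
	enum notify_kind kind;
	uint8_t tag;     /* meaningful for NOTIFY_STATUS only */
	uint8_t status;  /* meaningful for NOTIFY_SRQ and NOTIFY_STATUS only */
};

/*
 * Probe-time check (assumed design, not the driver's): if the transfer buffer
 * is sized from the endpoint's wMaxPacketSize, an endpoint that cannot carry
 * a whole notification is refused, so the buffer can never be smaller than
 * what the completion handler reads.
 */
bool iin_endpoint_acceptable(uint16_t wMaxPacketSize)
{
	return wMaxPacketSize >= USB488_NOTIFY_LEN;
}

/*
 * Completion-handler model. buf_len is the allocated size of the transfer
 * buffer, actual_len the byte count the host controller reported for this
 * completion. Both bound every index before it is used.
 */
struct notify parse_usb488_notification(const uint8_t *buf, size_t buf_len,
					size_t actual_len)
{
	struct notify n = { .kind = NOTIFY_SHORT, .tag = 0, .status = 0 };
	size_t avail = actual_len < buf_len ? actual_len : buf_len;

	if (avail < USB488_NOTIFY_LEN)
		return n;  /* 1-byte packet or 1-byte buffer: never index byte 1 */

	if (buf[0] == USB488_SRQ_NOTIFY) {
		n.kind = NOTIFY_SRQ;
		n.status = buf[1];
	} else if (buf[0] > USB488_SRQ_NOTIFY) {
		n.kind = NOTIFY_STATUS;
		n.tag = buf[0] & USB488_TAG_MASK;
		n.status = buf[1];
	} else {
		n.kind = NOTIFY_INVALID;  /* e.g. the 33, 36, 8 seen in the report */
	}
	return n;
}

int main(void)
{
	/* Constructed packets for the demo, not captured from a device. */
	const uint8_t srq[] = { 0x81, 0x40 };  /* SRQ, status byte 0x40 */
	const uint8_t stb[] = { 0x85, 0x10 };  /* READ_STATUS_BYTE reply, tag 5 */
	const uint8_t one[] = { 0x85 };        /* 1-byte packet from a 1-byte endpoint */
	struct notify n;

	n = parse_usb488_notification(srq, sizeof srq, sizeof srq);
	printf("srq: kind=%d status=0x%02x\n", n.kind, n.status);
	n = parse_usb488_notification(stb, sizeof stb, sizeof stb);
	printf("stb: kind=%d tag=%u status=0x%02x\n", n.kind, n.tag, n.status);
	n = parse_usb488_notification(one, sizeof one, sizeof one);
	printf("1-byte packet: kind=%d (short, byte 1 not read)\n", n.kind);
	printf("wMaxPacketSize=1 acceptable: %s\n",
	       iin_endpoint_acceptable(1) ? "yes" : "no");
	return 0;
}
```

The design point is that the handler trusts neither the descriptor-derived buffer size nor the completion length on its own: a gadget under the attacker's control (here, syzkaller's dummy_hcd) chooses both the endpoint's wMaxPacketSize and the bytes it returns, so the bound has to be the minimum of what was allocated and what arrived, and the probe-time check keeps the allocation from being too small in the first place.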
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
From: Hillf Danton @ 2025-08-16 5:18 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Fri, 15 Aug 2025 20:07:34 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 931e46dcbc7e Add linux-next specific files for 20250814
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11ef65a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bb7fbecfa2364d1c
> dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a99842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17108da2580000
#syz test
--- x/drivers/usb/class/usbtmc.c
+++ y/drivers/usb/class/usbtmc.c
@@ -2365,6 +2365,7 @@ static void usbtmc_free_int(struct usbtm
if (!data->iin_ep_present || !data->iin_urb)
return;
usb_kill_urb(data->iin_urb);
+ usb_kill_urb(data->iin_urb);
kfree(data->iin_buffer);
data->iin_buffer = NULL;
usb_free_urb(data->iin_urb);
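Review bot: the second usb_kill_urb() added to usbtmc_free_int() is a no-op for this report. usb_kill_urb() is synchronous: it returns only after the completion handler has finished, and any usb_submit_urb() the handler issues while the kill is in progress fails, so calling it twice changes nothing the handler can observe. The report is not a lifetime problem anyway: the 1-byte read at usbtmc.c:2313 lands 0 bytes past a 1-byte region that usbtmc_probe() allocated at usbtmc.c:2456, so usbtmc_interrupt() is indexing beyond a buffer that was allocated too small for what it reads. The fix has to bound that access (check the allocated size or urb->actual_length before reading a second byte, or refuse to bind an interrupt-in endpoint that cannot carry a whole notification), not kill the URB again.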
--
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
From: syzbot @ 2025-08-16 5:43 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
fs/smb/server/transport_rdma.h:64:61: error: expected expression
Tested on:
commit: 1357b264 Add linux-next specific files for 20250815
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=bb7fbecfa2364d1c
dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=1249bdbc580000
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
From: Hillf Danton @ 2025-08-17 2:08 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Fri, 15 Aug 2025 20:07:34 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 931e46dcbc7e Add linux-next specific files for 20250814
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11ef65a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bb7fbecfa2364d1c
> dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a99842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17108da2580000
#syz test
--- x/drivers/usb/class/usbtmc.c
+++ y/drivers/usb/class/usbtmc.c
@@ -2365,6 +2365,7 @@ static void usbtmc_free_int(struct usbtm
if (!data->iin_ep_present || !data->iin_urb)
return;
usb_kill_urb(data->iin_urb);
+ usb_kill_urb(data->iin_urb);
kfree(data->iin_buffer);
data->iin_buffer = NULL;
usb_free_urb(data->iin_urb);
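Review bot: this is the same usbtmc_free_int() hunk as the 2025-08-16 5:18 submission, resent unchanged, and the earlier attempt did not fail because of this hunk: the build broke on fs/smb/server/transport_rdma.h:64:61 ("expected expression") in linux-next, so the retest will hit the same error unless that header is repaired in the same #syz test. On the substance, a duplicated usb_kill_urb() still does not touch the out-of-bounds read, which is a 1-byte read immediately past a 1-byte allocation from usbtmc_probe(), not a use of a freed or in-flight buffer.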
--
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
From: syzbot @ 2025-08-17 2:33 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot tried to test the proposed patch but the build/boot failed:
fs/smb/server/transport_rdma.h:64:61: error: expected expression
Tested on:
commit: 1357b264 Add linux-next specific files for 20250815
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=bb7fbecfa2364d1c
dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=1233b3a2580000
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
From: Hillf Danton @ 2025-08-17 2:49 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Fri, 15 Aug 2025 20:07:34 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 931e46dcbc7e Add linux-next specific files for 20250814
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11ef65a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bb7fbecfa2364d1c
> dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a99842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17108da2580000
#syz test
--- x/drivers/usb/class/usbtmc.c
+++ y/drivers/usb/class/usbtmc.c
@@ -2365,6 +2365,7 @@ static void usbtmc_free_int(struct usbtm
if (!data->iin_ep_present || !data->iin_urb)
return;
usb_kill_urb(data->iin_urb);
+ usb_kill_urb(data->iin_urb);
kfree(data->iin_buffer);
data->iin_buffer = NULL;
usb_free_urb(data->iin_urb);
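Review bot: the usbtmc_free_int() hunk is unchanged from the two earlier submissions and the same objection stands: the first usb_kill_urb() already waits for usbtmc_interrupt() to finish, so the second is redundant, and the access KASAN flags is an index past the end of a 1-byte iin buffer, which killing the URB cannot prevent. The retest result below confirms it: with this patch applied the reproducer still reports the same 1-byte read at usbtmc.c:2313 past a 1-byte region.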
--- x/fs/smb/server/transport_rdma.h
+++ y/fs/smb/server/transport_rdma.h
@@ -61,7 +61,7 @@ void init_smbd_max_io_size(unsigned int
unsigned int get_smbd_max_read_write_size(void);
#else
static inline int ksmbd_rdma_init(void) { return 0; }
-static inline void ksmbd_rdma_stop_listening(void) { return };
+static inline void ksmbd_rdma_stop_listening(void) { }
static inline void ksmbd_rdma_destroy(void) { return; }
static inline bool ksmbd_rdma_capable_netdev(struct net_device *netdev) { return false; }
static inline void init_smbd_max_io_size(unsigned int sz) { }
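Review bot: this hunk is a correct build fix: in `static inline void ksmbd_rdma_stop_listening(void) { return };` the semicolon sits after the closing brace and `return` has no terminator of its own, which is exactly what the "expected expression" error at transport_rdma.h:64:61 points at, and `{ }` is the conventional form for an empty static inline stub (the neighbouring `ksmbd_rdma_destroy` uses `{ return; }`, either is fine). It is unrelated to the usbtmc report, though; it is only here so linux-next builds for the test, and it belongs in a separate patch to the ksmbd maintainers rather than riding along in a usbtmc change.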
--
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
From: syzbot @ 2025-08-17 3:19 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in usbtmc_interrupt
usbtmc 1-1:16.0: invalid notification: 73
usbtmc 1-1:16.0: invalid notification: 33
usbtmc 1-1:16.0: invalid notification: 36
usbtmc 1-1:16.0: invalid notification: 8
==================================================================
BUG: KASAN: slab-out-of-bounds in usbtmc_interrupt+0x4c7/0x690 drivers/usb/class/usbtmc.c:2313
Read of size 1 at addr ffff88801eac7cc1 by task kworker/u9:2/5912
CPU: 1 UID: 0 PID: 5912 Comm: kworker/u9:2 Not tainted 6.17.0-rc1-next-20250815-syzkaller-g1357b2649c02-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: hci0 hci_cmd_timeout
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
usbtmc_interrupt+0x4c7/0x690 drivers/usb/class/usbtmc.c:2313
__usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1661
dummy_timer+0x862/0x4550 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x529/0xc60 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x7f7/0xc40 kernel/printk/printk.c:3227
Code: 48 21 c3 0f 85 e9 01 00 00 e8 35 43 1f 00 48 8b 5c 24 20 4d 85 f6 75 07 e8 26 43 1f 00 eb 06 e8 1f 43 1f 00 fb 48 8b 44 24 28 <42> 80 3c 20 00 74 08 48 89 df e8 fa c0 82 00 48 8b 1b 48 8b 44 24
RSP: 0018:ffffc90004047500 EFLAGS: 00000293
RAX: 1ffffffff1db912f RBX: ffffffff8edc8978 RCX: ffff88802edc9e00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90004047650 R08: ffffffff8fe4e137 R09: 1ffffffff1fc9c26
R10: dffffc0000000000 R11: fffffbfff1fc9c27 R12: dffffc0000000000
R13: 0000000000000001 R14: 0000000000000200 R15: ffffffff8edc8920
__console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
console_unlock+0xc4/0x270 kernel/printk/printk.c:3325
vprintk_emit+0x5b7/0x7a0 kernel/printk/printk.c:2450
_printk+0xcf/0x120 kernel/printk/printk.c:2475
bt_err+0x10b/0x160 net/bluetooth/lib.c:296
hci_cmd_timeout+0xff/0x1e0 net/bluetooth/hci_core.c:1473
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 5979:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:913 [inline]
usbtmc_probe+0xa3a/0x1a60 drivers/usb/class/usbtmc.c:2457
usb_probe_interface+0x665/0xc30 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9e0 drivers/base/dd.c:659
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9e0 drivers/base/dd.c:659
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2958/0x4a20 drivers/usb/core/hub.c:5952
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88801eac7cc0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
allocated 1-byte region [ffff88801eac7cc0, ffff88801eac7cc1)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eac7
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801a841500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 2652454751, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:913 [inline]
kzalloc_noprof include/linux/slab.h:1043 [inline]
lsm_blob_alloc security/security.c:690 [inline]
lsm_superblock_alloc security/security.c:901 [inline]
security_sb_alloc+0x48/0x330 security/security.c:1448
alloc_super+0x20c/0x970 fs/super.c:347
sget_fc+0x329/0xa40 fs/super.c:761
vfs_get_super fs/super.c:1320 [inline]
get_tree_single+0x2f/0x150 fs/super.c:1352
vfs_get_tree+0x8f/0x2b0 fs/super.c:1752
fc_mount fs/namespace.c:1250 [inline]
vfs_kern_mount+0xbe/0x160 fs/namespace.c:1289
simple_pin_fs+0xe1/0x160 fs/libfs.c:1082
securityfs_create_dentry+0x1bf/0x4d0 security/inode.c:123
securityfs_create_file security/inode.c:206 [inline]
securityfs_init+0xae/0xc0 security/inode.c:346
page_owner free stack trace missing
Memory state around the buggy address:
ffff88801eac7b80: 06 fc fc fc fa fc fc fc 00 fc fc fc 06 fc fc fc
ffff88801eac7c00: 06 fc fc fc 00 fc fc fc 06 fc fc fc 00 fc fc fc
>ffff88801eac7c80: 00 fc fc fc 00 fc fc fc 01 fc fc fc 06 fc fc fc
^
ffff88801eac7d00: 00 fc fc fc 06 fc fc fc 00 fc fc fc 00 fc fc fc
ffff88801eac7d80: fa fc fc fc 06 fc fc fc fa fc fc fc 06 fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 48 21 c3 and %rax,%rbx
3: 0f 85 e9 01 00 00 jne 0x1f2
9: e8 35 43 1f 00 call 0x1f4343
e: 48 8b 5c 24 20 mov 0x20(%rsp),%rbx
13: 4d 85 f6 test %r14,%r14
16: 75 07 jne 0x1f
18: e8 26 43 1f 00 call 0x1f4343
1d: eb 06 jmp 0x25
1f: e8 1f 43 1f 00 call 0x1f4343
24: fb sti
25: 48 8b 44 24 28 mov 0x28(%rsp),%rax
* 2a: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) <-- trapping instruction
2f: 74 08 je 0x39
31: 48 89 df mov %rbx,%rdi
34: e8 fa c0 82 00 call 0x82c133
39: 48 8b 1b mov (%rbx),%rbx
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 44 rex.R
3f: 24 .byte 0x24
Tested on:
commit: 1357b264 Add linux-next specific files for 20250815
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=17e70ba2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6401f805169ac8b0
dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=107b4442580000
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
From: Hillf Danton @ 2025-08-17 4:11 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Fri, 15 Aug 2025 20:07:34 -0700
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 931e46dcbc7e Add linux-next specific files for 20250814
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11ef65a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bb7fbecfa2364d1c
> dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a99842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17108da2580000
#syz test
--- x/fs/smb/server/transport_rdma.h
+++ y/fs/smb/server/transport_rdma.h
@@ -61,7 +61,7 @@ void init_smbd_max_io_size(unsigned int
unsigned int get_smbd_max_read_write_size(void);
#else
static inline int ksmbd_rdma_init(void) { return 0; }
-static inline void ksmbd_rdma_stop_listening(void) { return };
+static inline void ksmbd_rdma_stop_listening(void) { }
static inline void ksmbd_rdma_destroy(void) { return; }
static inline bool ksmbd_rdma_capable_netdev(struct net_device *netdev) { return false; }
static inline void init_smbd_max_io_size(unsigned int sz) { }
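Review bot: same build-only fix for transport_rdma.h as in the 2025-08-17 2:49 submission; fine for getting the tree to compile under #syz test, but it is not part of the usbtmc change and should not land with it.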
--- x/drivers/usb/class/usbtmc.c
+++ y/drivers/usb/class/usbtmc.c
@@ -107,6 +107,7 @@ struct usbtmc_device_data {
struct usbtmc_dev_capabilities capabilities;
struct kref kref;
struct mutex io_mutex; /* only one i/o function running at a time */
+ atomic_t inflight, deinit;
wait_queue_head_t waitq;
struct fasync_struct *fasync;
spinlock_t dev_lock; /* lock for file_list */
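Review bot: the new `atomic_t inflight, deinit;` fields carry no comment, unlike every neighbouring member (`io_mutex`, `dev_lock` each say what they protect), and nothing in the diff initialises them, which only works if the containing struct is zero-allocated. `deinit` is only ever incremented and tested for non-zero, so it is a flag rather than a count; a `bool` set under the existing locking, or at least `atomic_set(&data->deinit, 1)`, would say what is meant. Also, a reader of the struct has no way to know that `inflight` is meant to track only the interrupt-in URB; the name should say so.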
@@ -2352,19 +2353,29 @@ static void usbtmc_interrupt(struct urb
default:
/* urb terminated, clean up */
dev_dbg(dev, "urb terminated, status: %d\n", status);
+ atomic_dec(&data->inflight);
return;
}
exit:
+ if (atomic_read(&data->deinit)) {
+ atomic_dec(&data->inflight);
+ return;
+ }
rv = usb_submit_urb(urb, GFP_ATOMIC);
- if (rv)
+ if (rv) {
+ atomic_dec(&data->inflight);
dev_err(dev, "usb_submit_urb failed: %d\n", rv);
+ }
}
static void usbtmc_free_int(struct usbtmc_device_data *data)
{
if (!data->iin_ep_present || !data->iin_urb)
return;
+ atomic_inc(&data->deinit);
usb_kill_urb(data->iin_urb);
+ while (atomic_read(&data->inflight))
+ schedule_timeout_idle(1);
kfree(data->iin_buffer);
data->iin_buffer = NULL;
usb_free_urb(data->iin_urb);
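Review bot: the `while (atomic_read(&data->inflight)) schedule_timeout_idle(1);` loop after usb_kill_urb() duplicates what usb_kill_urb() already guarantees: it returns only once the completion handler has finished, and a usb_submit_urb() issued by the handler while the kill is in progress fails, so `inflight` cannot still be non-zero at that point and the `deinit` test at `exit:` is equally redundant. The loop is also unbounded, so any completion path that forgets its `atomic_dec(&data->inflight)` turns disconnect into a hang rather than a warning; if a wait is wanted at all it should be a completion or a bounded one. More importantly, this is a lifetime fix for a bounds bug: the retest below still reports a 1-byte read at usbtmc.c:2314 that lands 0 bytes past a 1-byte region allocated in usbtmc_probe() (usbtmc.c:2467). The check belongs on the allocated buffer length or urb->actual_length before the second byte is read, or on the interrupt-in endpoint size at probe time.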
@@ -2467,8 +2478,10 @@ static int usbtmc_probe(struct usb_inter
usbtmc_interrupt,
data, data->iin_interval);
+ atomic_inc(&data->inflight);
retcode = usb_submit_urb(data->iin_urb, GFP_KERNEL);
if (retcode) {
+ atomic_dec(&data->inflight);
dev_err(&intf->dev, "Failed to submit iin_urb\n");
goto error_register;
}
--
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
From: syzbot @ 2025-08-17 4:33 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in usbtmc_interrupt
usbtmc 1-1:16.0: invalid notification: 33
usbtmc 1-1:16.0: invalid notification: 36
usbtmc 1-1:16.0: invalid notification: 8
==================================================================
BUG: KASAN: slab-out-of-bounds in usbtmc_interrupt+0x560/0x720 drivers/usb/class/usbtmc.c:2314
Read of size 1 at addr ffff888028fb8ae1 by task kworker/1:0/24
CPU: 1 UID: 0 PID: 24 Comm: kworker/1:0 Not tainted 6.17.0-rc1-next-20250815-syzkaller-g1357b2649c02-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Workqueue: events nsim_fib_event_work
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
usbtmc_interrupt+0x560/0x720 drivers/usb/class/usbtmc.c:2314
__usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1661
dummy_timer+0x862/0x4550 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x529/0xc60 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:rhashtable_insert_fast+0x1c/0xf70 include/linux/rhashtable.h:831
Code: 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48 81 ec 20 01 00 00 <48> 89 74 24 30 49 89 fc 65 48 8b 05 54 a5 c3 0b 48 89 84 24 00 01
RSP: 0018:ffffc900001e7560 EFLAGS: 00000286
RAX: 0000000000000000 RBX: ffff888022357068 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff888145eb4e20 RDI: ffff888022357068
RBP: ffffc900001e76a8 R08: 0001000000000000 R09: 00200000001c0000
R10: 0000000000000003 R11: 0000000000000000 R12: ffff888022357000
R13: ffff888142fcb690 R14: ffffc900001e7840 R15: dffffc0000000000
nsim_fib6_rt_add drivers/net/netdevsim/fib.c:686 [inline]
nsim_fib6_rt_insert drivers/net/netdevsim/fib.c:759 [inline]
nsim_fib6_event drivers/net/netdevsim/fib.c:856 [inline]
nsim_fib_event drivers/net/netdevsim/fib.c:889 [inline]
nsim_fib_event_work+0x2319/0x3180 drivers/net/netdevsim/fib.c:1493
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 981:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:913 [inline]
usbtmc_probe+0xa3a/0x1ad0 drivers/usb/class/usbtmc.c:2467
usb_probe_interface+0x665/0xc30 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9e0 drivers/base/dd.c:659
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9e0 drivers/base/dd.c:659
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2958/0x4a20 drivers/usb/core/hub.c:5952
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888028fb8ae0
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
allocated 1-byte region [ffff888028fb8ae0, ffff888028fb8ae1)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x28fb8
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801a841500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000800080 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1213, tgid 1213 (kworker/0:2), ts 9601359196, free_ts 9100050588
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
__kmalloc_cache_noprof+0x296/0x3d0 mm/slub.c:4391
kmalloc_noprof include/linux/slab.h:909 [inline]
usb_control_msg+0x73/0x3e0 drivers/usb/core/message.c:144
get_port_status drivers/usb/core/hub.c:611 [inline]
hub_ext_port_status+0x116/0x820 drivers/usb/core/hub.c:628
usb_hub_port_status drivers/usb/core/hub.c:678 [inline]
hub_activate+0x77d/0x1a70 drivers/usb/core/hub.c:1189
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
page last free pid 1213 tgid 1213 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
vfree+0x25a/0x400 mm/vmalloc.c:3434
delayed_vfree_work+0x55/0x80 mm/vmalloc.c:3353
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff888028fb8980: 04 fc fc fc 06 fc fc fc fa fc fc fc 06 fc fc fc
ffff888028fb8a00: 06 fc fc fc 06 fc fc fc 06 fc fc fc fa fc fc fc
>ffff888028fb8a80: 00 fc fc fc 00 fc fc fc 00 fc fc fc 01 fc fc fc
^
ffff888028fb8b00: 00 fc fc fc 00 fc fc fc 00 fc fc fc 00 fc fc fc
ffff888028fb8b80: 00 fc fc fc 00 fc fc fc 00 fc fc fc 00 fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: f3 0f 1e fa endbr64
12: 55 push %rbp
13: 48 89 e5 mov %rsp,%rbp
16: 41 57 push %r15
18: 41 56 push %r14
1a: 41 55 push %r13
1c: 41 54 push %r12
1e: 53 push %rbx
1f: 48 83 e4 e0 and $0xffffffffffffffe0,%rsp
23: 48 81 ec 20 01 00 00 sub $0x120,%rsp
* 2a: 48 89 74 24 30 mov %rsi,0x30(%rsp) <-- trapping instruction
2f: 49 89 fc mov %rdi,%r12
32: 65 48 8b 05 54 a5 c3 mov %gs:0xbc3a554(%rip),%rax # 0xbc3a58e
39: 0b
3a: 48 rex.W
3b: 89 .byte 0x89
3c: 84 24 00 test %ah,(%rax,%rax,1)
3f: 01 .byte 0x1
Tested on:
commit: 1357b264 Add linux-next specific files for 20250815
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12ff0ba2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6401f805169ac8b0
dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=1419baf0580000
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
2025-08-16 3:07 [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt syzbot
` (3 preceding siblings ...)
2025-08-17 4:11 ` Hillf Danton
@ 2025-08-17 5:00 ` Hillf Danton
2025-08-17 5:30 ` syzbot
2025-08-17 6:07 ` Hillf Danton
5 siblings, 1 reply; 13+ messages in thread
From: Hillf Danton @ 2025-08-17 5:00 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Fri, 15 Aug 2025 20:07:34 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 931e46dcbc7e Add linux-next specific files for 20250814
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11ef65a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bb7fbecfa2364d1c
> dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a99842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17108da2580000
#syz test
--- x/fs/smb/server/transport_rdma.h
+++ y/fs/smb/server/transport_rdma.h
@@ -61,7 +61,7 @@ void init_smbd_max_io_size(unsigned int
unsigned int get_smbd_max_read_write_size(void);
#else
static inline int ksmbd_rdma_init(void) { return 0; }
-static inline void ksmbd_rdma_stop_listening(void) { return };
+static inline void ksmbd_rdma_stop_listening(void) { }
static inline void ksmbd_rdma_destroy(void) { return; }
static inline bool ksmbd_rdma_capable_netdev(struct net_device *netdev) { return false; }
static inline void init_smbd_max_io_size(unsigned int sz) { }
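Review bot: this transport_rdma.h hunk is unrelated to the usbtmc report; it repairs a stray semicolon in the `!CONFIG_SMB_SERVER_SMBDIRECT` stub (`{ return };` becomes `{ }`) so the linux-next tree under test builds at all. It should be sent as its own patch, or at least called out in the message, so it is not mistaken for part of the usbtmc fix when the test result is read.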
--- x/drivers/usb/class/usbtmc.c
+++ y/drivers/usb/class/usbtmc.c
@@ -107,6 +107,7 @@ struct usbtmc_device_data {
struct usbtmc_dev_capabilities capabilities;
struct kref kref;
struct mutex io_mutex; /* only one i/o function running at a time */
+ atomic_t inflight, deinit;
wait_queue_head_t waitq;
struct fasync_struct *fasync;
spinlock_t dev_lock; /* lock for file_list */
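Review bot: the two new `atomic_t` fields are added with no initializer anywhere in the patch, so they are only correct if `struct usbtmc_device_data` is zero-allocated, which this hunk does not show; an explicit `atomic_set(&data->inflight, 0); atomic_set(&data->deinit, 0);` next to the existing kref/mutex initialisation would make that invariant visible. Every neighbouring field carries a comment; `inflight` (submitted iin_urb not yet completed) and `deinit` (one-way teardown flag) deserve the same.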
@@ -2352,19 +2353,29 @@ static void usbtmc_interrupt(struct urb
default:
/* urb terminated, clean up */
dev_dbg(dev, "urb terminated, status: %d\n", status);
+ atomic_dec(&data->inflight);
return;
}
exit:
+ if (atomic_read(&data->deinit)) {
+ atomic_dec(&data->inflight);
+ return;
+ }
rv = usb_submit_urb(urb, GFP_ATOMIC);
- if (rv)
+ if (rv) {
+ atomic_dec(&data->inflight);
dev_err(dev, "usb_submit_urb failed: %d\n", rv);
+ }
}
static void usbtmc_free_int(struct usbtmc_device_data *data)
{
if (!data->iin_ep_present || !data->iin_urb)
return;
+ atomic_inc(&data->deinit);
usb_kill_urb(data->iin_urb);
+ while (atomic_read(&data->inflight))
+ schedule_timeout_idle(1);
kfree(data->iin_buffer);
data->iin_buffer = NULL;
usb_free_urb(data->iin_urb);
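Review bot: the `while (atomic_read(&data->inflight)) schedule_timeout_idle(1);` loop after `usb_kill_urb()` is either redundant or unbounded: `usb_kill_urb()` already returns only once the completion handler has finished and guarantees the URB cannot be resubmitted, so `inflight` should be zero by then, and if a decrement path was missed the loop spins forever with no timeout or warning. More importantly, nothing in this hunk changes what `usbtmc_interrupt` reads from `iin_buffer`, while the report above shows a 1-byte read at usbtmc.c:2314 landing 0 bytes past a 1-byte region allocated in `usbtmc_probe` at usbtmc.c:2467, which points at buffer sizing rather than a teardown race; syzbot's retest of this patch reports the same line.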
@@ -2467,8 +2478,10 @@ static int usbtmc_probe(struct usb_inter
usbtmc_interrupt,
data, data->iin_interval);
+ atomic_inc(&data->inflight);
retcode = usb_submit_urb(data->iin_urb, GFP_KERNEL);
if (retcode) {
+ atomic_dec(&data->inflight);
dev_err(&intf->dev, "Failed to submit iin_urb\n");
goto error_register;
}
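Review bot: the increment before `usb_submit_urb()` and the decrement on its failure path are paired correctly, but the hunk leaves `error_register` and the later unwind of `usbtmc_probe` untouched: if any step after a successful submit fails, the unwind must reach `usbtmc_free_int()` (which now waits on `inflight`) or the counter is left at 1. Whether that holds is not visible here and should be confirmed before this lands.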
@@ -2555,10 +2568,14 @@ static int usbtmc_resume(struct usb_inte
struct usbtmc_device_data *data = usb_get_intfdata(intf);
int retcode = 0;
- if (data->iin_ep_present && data->iin_urb)
+ if (data->iin_ep_present && data->iin_urb) {
+ atomic_inc(&data->inflight);
retcode = usb_submit_urb(data->iin_urb, GFP_KERNEL);
- if (retcode)
- dev_err(&intf->dev, "Failed to submit iin_urb\n");
+ if (retcode) {
+ atomic_dec(&data->inflight);
+ dev_err(&intf->dev, "Failed to submit iin_urb\n");
+ }
+ }
return retcode;
}
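Review bot: `deinit` is set in `usbtmc_free_int()` and never cleared, so the accounting added here is consistent only if `usbtmc_resume()` can never run on the same device data after `usbtmc_free_int()`; if it can, the resubmitted URB's first completion takes the `deinit` branch, decrements `inflight`, and the interrupt pipe goes quiet with no error logged. Either state that assumption in the patch description or reset the flag wherever the URB is legitimately resubmitted.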
--
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
2025-08-17 5:00 ` Hillf Danton
@ 2025-08-17 5:30 ` syzbot
0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-08-17 5:30 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-out-of-bounds Read in usbtmc_interrupt
usbtmc 1-1:16.0: invalid notification: 73
usbtmc 1-1:16.0: invalid notification: 33
usbtmc 1-1:16.0: invalid notification: 36
usbtmc 1-1:16.0: invalid notification: 8
==================================================================
BUG: KASAN: slab-out-of-bounds in usbtmc_interrupt+0x560/0x720 drivers/usb/class/usbtmc.c:2314
Read of size 1 at addr ffff8880328ca261 by task swapper/1/0
CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.17.0-rc1-next-20250815-syzkaller-g1357b2649c02-dirty #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025
Call Trace:
<IRQ>
dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
usbtmc_interrupt+0x560/0x720 drivers/usb/class/usbtmc.c:2314
__usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1661
dummy_timer+0x862/0x4550 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x529/0xc60 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842
handle_softirqs+0x283/0x870 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:82
Code: d3 e7 02 00 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 ea 24 00 f3 0f 1e fa fb f4 <c3> cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc90000197de0 EFLAGS: 000002c6
RAX: 9a4dc4a4e698df00 RBX: ffffffff8196d418 RCX: 9a4dc4a4e698df00
RDX: 0000000000000001 RSI: ffffffff8c04da60 RDI: ffffffff8196d418
RBP: ffffc90000197f20 R08: ffff8880b8732f9b R09: 1ffff110170e65f3
R10: dffffc0000000000 R11: ffffed10170e65f4 R12: ffffffff8fe4e130
R13: 0000000000000001 R14: 0000000000000001 R15: 1ffff11003ad8b40
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x13/0x20 arch/x86/kernel/process.c:757
default_idle_call+0x74/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:190 [inline]
do_idle+0x1e8/0x510 kernel/sched/idle.c:330
cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:428
start_secondary+0x101/0x110 arch/x86/kernel/smpboot.c:315
common_startup_64+0x13e/0x147
</TASK>
Allocated by task 921:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4365 [inline]
__kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:913 [inline]
usbtmc_probe+0xa3a/0x1ad0 drivers/usb/class/usbtmc.c:2467
usb_probe_interface+0x665/0xc30 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9e0 drivers/base/dd.c:659
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x26d/0x9e0 drivers/base/dd.c:659
__driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801
driver_probe_device+0x4f/0x430 drivers/base/dd.c:831
__device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959
bus_for_each_drv+0x24e/0x2e0 drivers/base/bus.c:462
__device_attach+0x2b8/0x400 drivers/base/dd.c:1031
bus_probe_device+0x185/0x260 drivers/base/bus.c:537
device_add+0x7b6/0xb50 drivers/base/core.c:3689
usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2958/0x4a20 drivers/usb/core/hub.c:5952
process_one_work kernel/workqueue.c:3236 [inline]
process_scheduled_works+0xade/0x17b0 kernel/workqueue.c:3319
worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400
kthread+0x70e/0x8a0 kernel/kthread.c:463
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff8880328ca260
which belongs to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes to the right of
allocated 1-byte region [ffff8880328ca260, ffff8880328ca261)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x328ca
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801a841500 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 5215, tgid 5215 (init), ts 19330584896, free_ts 18340276944
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148
alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2487 [inline]
allocate_slab+0x8a/0x370 mm/slub.c:2655
new_slab mm/slub.c:2709 [inline]
___slab_alloc+0xbeb/0x1410 mm/slub.c:3891
__slab_alloc mm/slub.c:3981 [inline]
__slab_alloc_node mm/slub.c:4056 [inline]
slab_alloc_node mm/slub.c:4217 [inline]
__do_kmalloc_node mm/slub.c:4364 [inline]
__kmalloc_noprof+0x305/0x4f0 mm/slub.c:4377
kmalloc_noprof include/linux/slab.h:913 [inline]
kzalloc_noprof include/linux/slab.h:1043 [inline]
ima_write_template_field_data+0x47/0x490 security/integrity/ima/ima_template_lib.c:55
ima_eventname_init_common+0x1e0/0x240 security/integrity/ima/ima_template_lib.c:522
ima_alloc_init_template+0x30d/0x6f0 security/integrity/ima/ima_api.c:70
ima_store_measurement+0x1b7/0x640 security/integrity/ima/ima_api.c:376
process_measurement+0x11eb/0x1a40 security/integrity/ima/ima_main.c:413
ima_bprm_check+0xfd/0x200 security/integrity/ima/ima_main.c:580
security_bprm_check+0xd9/0x270 security/security.c:1341
search_binary_handler fs/exec.c:1660 [inline]
exec_binprm fs/exec.c:1702 [inline]
bprm_execve+0x8ee/0x1450 fs/exec.c:1754
do_execveat_common+0x510/0x6a0 fs/exec.c:1860
page last free pid 1 tgid 1 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0xbc4/0xd30 mm/page_alloc.c:2895
kasan_depopulate_vmalloc_pte+0x74/0xa0 mm/kasan/shadow.c:472
apply_to_pte_range mm/memory.c:3143 [inline]
apply_to_pmd_range mm/memory.c:3187 [inline]
apply_to_pud_range mm/memory.c:3223 [inline]
apply_to_p4d_range mm/memory.c:3259 [inline]
__apply_to_page_range+0xb92/0x1380 mm/memory.c:3295
kasan_release_vmalloc+0xa2/0xd0 mm/kasan/shadow.c:593
kasan_release_vmalloc_node mm/vmalloc.c:2249 [inline]
purge_vmap_node+0x214/0x8f0 mm/vmalloc.c:2266
__purge_vmap_area_lazy+0x7a4/0xb40 mm/vmalloc.c:2356
_vm_unmap_aliases+0x70f/0x7b0 mm/vmalloc.c:2951
change_page_attr_set_clr+0x305/0xeb0 arch/x86/mm/pat/set_memory.c:2088
change_page_attr_set arch/x86/mm/pat/set_memory.c:2129 [inline]
set_memory_nx+0xd6/0x110 arch/x86/mm/pat/set_memory.c:2318
free_init_pages arch/x86/mm/init.c:933 [inline]
free_kernel_image_pages+0x85/0x100 arch/x86/mm/init.c:952
kernel_init+0x31/0x1d0 init/main.c:1490
ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
ffff8880328ca100: fa fc fc fc fa fc fc fc 06 fc fc fc 06 fc fc fc
ffff8880328ca180: 00 fc fc fc fa fc fc fc fa fc fc fc 00 fc fc fc
>ffff8880328ca200: fa fc fc fc 00 fc fc fc fa fc fc fc 01 fc fc fc
^
ffff8880328ca280: fa fc fc fc fa fc fc fc fa fc fc fc fa fc fc fc
ffff8880328ca300: fa fc fc fc fa fc fc fc 04 fc fc fc fa fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: d3 e7 shl %cl,%edi
2: 02 00 add (%rax),%al
4: cc int3
5: cc int3
6: cc int3
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: 90 nop
d: 90 nop
e: 90 nop
f: 90 nop
10: 90 nop
11: 90 nop
12: 90 nop
13: 90 nop
14: 90 nop
15: 90 nop
16: 90 nop
17: f3 0f 1e fa endbr64
1b: 66 90 xchg %ax,%ax
1d: 0f 00 2d 33 ea 24 00 verw 0x24ea33(%rip) # 0x24ea57
24: f3 0f 1e fa endbr64
28: fb sti
29: f4 hlt
* 2a: c3 ret <-- trapping instruction
2b: cc int3
2c: cc int3
2d: cc int3
2e: cc int3
2f: cc int3
30: cc int3
31: cc int3
32: cc int3
33: cc int3
34: cc int3
35: cc int3
36: cc int3
37: 90 nop
38: 90 nop
39: 90 nop
3a: 90 nop
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop
Tested on:
commit: 1357b264 Add linux-next specific files for 20250815
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=12aa73a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6401f805169ac8b0
dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=10a2e234580000
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
2025-08-16 3:07 [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt syzbot
` (4 preceding siblings ...)
2025-08-17 5:00 ` Hillf Danton
@ 2025-08-17 6:07 ` Hillf Danton
2025-08-17 6:56 ` syzbot
5 siblings, 1 reply; 13+ messages in thread
From: Hillf Danton @ 2025-08-17 6:07 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Fri, 15 Aug 2025 20:07:34 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 931e46dcbc7e Add linux-next specific files for 20250814
> git tree: linux-next
> console+strace: https://syzkaller.appspot.com/x/log.txt?x=11ef65a2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=bb7fbecfa2364d1c
> dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
> compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14a99842580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=17108da2580000
#syz test
--- x/fs/smb/server/transport_rdma.h
+++ y/fs/smb/server/transport_rdma.h
@@ -61,7 +61,7 @@ void init_smbd_max_io_size(unsigned int
unsigned int get_smbd_max_read_write_size(void);
#else
static inline int ksmbd_rdma_init(void) { return 0; }
-static inline void ksmbd_rdma_stop_listening(void) { return };
+static inline void ksmbd_rdma_stop_listening(void) { }
static inline void ksmbd_rdma_destroy(void) { return; }
static inline bool ksmbd_rdma_capable_netdev(struct net_device *netdev) { return false; }
static inline void init_smbd_max_io_size(unsigned int sz) { }
--- x/drivers/usb/class/usbtmc.c
+++ y/drivers/usb/class/usbtmc.c
@@ -2453,7 +2453,7 @@ static int usbtmc_probe(struct usb_inter
kref_get(&data->kref);
/* allocate buffer for interrupt in */
- data->iin_buffer = kmalloc(data->iin_wMaxPacketSize,
+ data->iin_buffer = kzalloc(max(256, data->iin_wMaxPacketSize),
GFP_KERNEL);
if (!data->iin_buffer) {
retcode = -ENOMEM;
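Review bot: `kzalloc(max(256, data->iin_wMaxPacketSize), GFP_KERNEL)` makes the KASAN report disappear (syzbot's retest below passes) by over-allocating, not by bounding the read: the earlier reports show `usbtmc_interrupt` at usbtmc.c:2314 reading the byte at offset 1 of an `iin_buffer` whose 1-byte size came straight from the device-supplied `wMaxPacketSize`, and the `invalid notification` lines show the handler consuming whatever the device sends. The check belongs at the consumer: `usbtmc_interrupt` should compare `urb->actual_length` against the number of bytes it indexes before reading past offset 0, and/or `usbtmc_probe` should reject an interrupt-IN endpoint whose `wMaxPacketSize` is smaller than the notification header the driver expects. If the 256 stays, it wants a named constant with a comment on where the value comes from.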
--
* Re: [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt
2025-08-17 6:07 ` Hillf Danton
@ 2025-08-17 6:56 ` syzbot
0 siblings, 0 replies; 13+ messages in thread
From: syzbot @ 2025-08-17 6:56 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
Tested-by: syzbot+abbfd103085885cf16a2@syzkaller.appspotmail.com
Tested on:
commit: 1357b264 Add linux-next specific files for 20250815
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=171173a2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=6401f805169ac8b0
dashboard link: https://syzkaller.appspot.com/bug?extid=abbfd103085885cf16a2
compiler: Debian clang version 20.1.7 (++20250616065708+6146a88f6049-1~exp1~20250616065826.132), Debian LLD 20.1.7
patch: https://syzkaller.appspot.com/x/patch.diff?x=108cc442580000
Note: testing is done by a robot and is best-effort only.
Thread overview: 13+ messages
2025-08-16 3:07 [syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt syzbot
2025-08-16 5:18 ` Hillf Danton
2025-08-16 5:43 ` syzbot
2025-08-17 2:08 ` Hillf Danton
2025-08-17 2:33 ` syzbot
2025-08-17 2:49 ` Hillf Danton
2025-08-17 3:19 ` syzbot
2025-08-17 4:11 ` Hillf Danton
2025-08-17 4:33 ` syzbot
2025-08-17 5:00 ` Hillf Danton
2025-08-17 5:30 ` syzbot
2025-08-17 6:07 ` Hillf Danton
2025-08-17 6:56 ` syzbot