* [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
@ 2025-09-22 16:54 syzbot
2025-09-23 0:48 ` Hillf Danton
2025-09-23 7:39 ` Hillf Danton
0 siblings, 2 replies; 22+ messages in thread
From: syzbot @ 2025-09-22 16:54 UTC (permalink / raw)
To: clemens, linux-kernel, linux-sound, linux-usb, perex,
syzkaller-bugs, tiwai
Hello,
syzbot found the following issue on:
HEAD commit: 3b08f56fbbb9 Merge tag 'x86-urgent-2025-09-20' of git://gi..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=176950e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14006712580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e950e2580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/459cbf9146bd/disk-3b08f56f.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/6836a598801b/vmlinux-3b08f56f.xz
kernel image: https://storage.googleapis.com/syzbot-assets/92e1bc34a72e/bzImage-3b08f56f.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Oops: general protection fault, probably for non-canonical address 0xdffffc0000000011: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000088-0x000000000000008f]
CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
RIP: 0010:snd_usbmidi_do_output+0x22d/0x570 sound/usb/midi.c:310
Code: f8 48 c1 e8 03 42 80 3c 28 00 0f 85 14 03 00 00 89 d8 48 c1 e0 04 4c 8b 64 05 08 49 8d 84 24 88 00 00 00 48 89 c2 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e ad 02 00 00 48 8b 74 24
RSP: 0018:ffffc90000007b80 EFLAGS: 00010016
RAX: 0000000000000088 RBX: 0000000000000000 RCX: ffffffff894338b8
RDX: 0000000000000011 RSI: ffffffff894338c6 RDI: ffff88805e0fc008
RBP: ffff88805e0fc000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffed100bc1f80f R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8881246b3000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32d63fff CR3: 000000007e1d5000 CR4: 0000000000350ef0
Call Trace:
<IRQ>
snd_usbmidi_error_timer+0x119/0x410 sound/usb/midi.c:362
call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers+0x6ef/0x960 kernel/time/timer.c:2372
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:pv_native_safe_halt+0xf/0x20 arch/x86/kernel/paravirt.c:82
Code: 1d 63 02 e9 9e 5a 7d f5 0f 1f 00 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d d3 16 17 00 fb f4 <e9> 77 5a 7d f5 66 2e 0f 1f 84 00 00 00 00 00 66 90 90 90 90 90 90
RSP: 0018:ffffffff8e207e08 EFLAGS: 000002c2
RAX: 00000000000ab2b9 RBX: 0000000000000000 RCX: ffffffff8b92fb49
RDX: 0000000000000000 RSI: ffffffff8de5156d RDI: ffffffff8c163a00
RBP: fffffbfff1c52ef8 R08: 0000000000000001 R09: ffffed1017086655
R10: ffff8880b84332ab R11: 0000000000000000 R12: 0000000000000000
R13: ffffffff8e2977c0 R14: ffffffff90abad90 R15: 0000000000000000
arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline]
default_idle+0x13/0x20 arch/x86/kernel/process.c:757
default_idle_call+0x6d/0xb0 kernel/sched/idle.c:122
cpuidle_idle_call kernel/sched/idle.c:190 [inline]
do_idle+0x391/0x510 kernel/sched/idle.c:330
cpu_startup_entry+0x4f/0x60 kernel/sched/idle.c:428
rest_init+0x16b/0x2b0 init/main.c:744
start_kernel+0x3ee/0x4d0 init/main.c:1097
x86_64_start_reservations+0x18/0x30 arch/x86/kernel/head64.c:307
x86_64_start_kernel+0x130/0x190 arch/x86/kernel/head64.c:288
common_startup_64+0x13e/0x148
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:snd_usbmidi_do_output+0x22d/0x570 sound/usb/midi.c:310
Code: f8 48 c1 e8 03 42 80 3c 28 00 0f 85 14 03 00 00 89 d8 48 c1 e0 04 4c 8b 64 05 08 49 8d 84 24 88 00 00 00 48 89 c2 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e ad 02 00 00 48 8b 74 24
RSP: 0018:ffffc90000007b80 EFLAGS: 00010016
RAX: 0000000000000088 RBX: 0000000000000000 RCX: ffffffff894338b8
RDX: 0000000000000011 RSI: ffffffff894338c6 RDI: ffff88805e0fc008
RBP: ffff88805e0fc000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffed100bc1f80f R15: 0000000000000001
FS: 0000000000000000(0000) GS:ffff8881246b3000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32d63fff CR3: 000000007e1d5000 CR4: 0000000000350ef0
----------------
Code disassembly (best guess):
0: f8 clc
1: 48 c1 e8 03 shr $0x3,%rax
5: 42 80 3c 28 00 cmpb $0x0,(%rax,%r13,1)
a: 0f 85 14 03 00 00 jne 0x324
10: 89 d8 mov %ebx,%eax
12: 48 c1 e0 04 shl $0x4,%rax
16: 4c 8b 64 05 08 mov 0x8(%rbp,%rax,1),%r12
1b: 49 8d 84 24 88 00 00 lea 0x88(%r12),%rax
22: 00
23: 48 89 c2 mov %rax,%rdx
26: 48 c1 ea 03 shr $0x3,%rdx
* 2a: 42 0f b6 14 2a movzbl (%rdx,%r13,1),%edx <-- trapping instruction
2f: 84 d2 test %dl,%dl
31: 74 09 je 0x3c
33: 80 fa 03 cmp $0x3,%dl
36: 0f 8e ad 02 00 00 jle 0x2e9
3c: 48 rex.W
3d: 8b .byte 0x8b
3e: 74 24 je 0x64
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-22 16:54 syzbot
@ 2025-09-23 0:48 ` Hillf Danton
2025-09-23 2:22 ` syzbot
2025-09-23 7:39 ` Hillf Danton
1 sibling, 1 reply; 22+ messages in thread
From: Hillf Danton @ 2025-09-23 0:48 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Mon, 22 Sep 2025 09:54:28 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 3b08f56fbbb9 Merge tag 'x86-urgent-2025-09-20' of git://gi..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=176950e2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
> dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14006712580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e950e2580000
#syz test upstream master
--- x/sound/usb/midi.c
+++ y/sound/usb/midi.c
@@ -307,6 +307,8 @@ static void snd_usbmidi_do_output(struct
for (;;) {
if (!(ep->active_urbs & (1 << urb_index))) {
urb = ep->urbs[urb_index].urb;
+ if (!urb)
+ goto next;
urb->transfer_buffer_length = 0;
ep->umidi->usb_protocol_ops->output(ep, urb);
if (urb->transfer_buffer_length == 0)
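Review bot: the `if (!urb) goto next;` check only sidesteps the NULL dereference in the original report (RIP in snd_usbmidi_do_output at midi.c:310, KASAN null-ptr-deref in the 0x88-0x8f range, i.e. a field of a NULL urb); it does nothing about the underlying ordering problem, which is that `snd_usbmidi_error_timer` can still run after the endpoint has been torn down, so a use-after-free on `ep` itself remains reachable along the same timer path. Consider shutting down the error timer before the URBs are freed rather than teaching the output loop to tolerate half-cleared slots.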
@@ -319,6 +321,7 @@ static void snd_usbmidi_do_output(struct
break;
ep->active_urbs |= 1 << urb_index;
}
+ next:
if (++urb_index >= OUTPUT_URBS)
urb_index = 0;
if (urb_index == ep->next_urb)
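Review bot: the `next:` label sits between the closing brace and the index advance, so a skipped slot still counts towards the `urb_index == ep->next_urb` termination check and the loop cannot spin forever; a one-line comment on the label saying why `ep->urbs[urb_index].urb` can be NULL here (the endpoint is being cleared concurrently) would help the next reader, since the rest of the function assumes every slot is populated.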
@@ -1396,13 +1399,19 @@ static int snd_usbmidi_in_endpoint_creat
static void snd_usbmidi_out_endpoint_clear(struct snd_usb_midi_out_endpoint *ep)
{
unsigned int i;
+ unsigned long flags;
+ spin_lock_irqsave(&ep->buffer_lock, flags);
for (i = 0; i < OUTPUT_URBS; ++i)
if (ep->urbs[i].urb) {
- free_urb_and_buffer(ep->umidi, ep->urbs[i].urb,
- ep->max_transfer);
+ struct urb *urb = ep->urbs[i].urb;
+
ep->urbs[i].urb = NULL;
+ spin_unlock_irqrestore(&ep->buffer_lock, flags);
+ free_urb_and_buffer(ep->umidi, urb, ep->max_transfer);
+ spin_lock_irqsave(&ep->buffer_lock, flags);
}
+ spin_unlock_irqrestore(&ep->buffer_lock, flags);
}
static void snd_usbmidi_out_endpoint_delete(struct snd_usb_midi_out_endpoint *ep)
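Review bot: dropping `buffer_lock` around every `free_urb_and_buffer()` call and retaking it reopens the window this hunk is meant to close: between the unlock and the re-lock the timer can run `snd_usbmidi_do_output()` and observe a partially cleared `urbs[]` array, which is exactly what the NULL check in the first hunk then has to absorb. If `free_urb_and_buffer()` must not run with the spinlock held, a cleaner pattern is to NULL all `OUTPUT_URBS` slots under one lock/unlock pair, collect the pointers into a local array, and free them after the lock is released. Also note that syzbot's retest of this patch (next message in the thread) still hits a slab-use-after-free in `snd_usbmidi_in_urb_complete`, which none of these three hunks touch.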
--
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-23 0:48 ` Hillf Danton
@ 2025-09-23 2:22 ` syzbot
0 siblings, 0 replies; 22+ messages in thread
From: syzbot @ 2025-09-23 2:22 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
Write of size 1 at addr ffff88805cb67943 by task kworker/u8:7/1159
CPU: 1 UID: 0 PID: 1159 Comm: kworker/u8:7 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: netns cleanup_net
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
__usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227
Code: 00 e8 b2 d3 28 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 30 e8 20 00 48 85 db 0f 85 55 01 00 00 e8 b2 ec 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 67 5f 86
RSP: 0018:ffffc900038ff550 EFLAGS: 00000293
RAX: ffffffff8f2f1698 RBX: 0000000000000000 RCX: ffffffff819ab010
RDX: ffff888028051e00 RSI: ffffffff819ab01e RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 615f6e616d746162 R12: ffffffff8f2f1698
R13: ffffffff8f2f1640 R14: ffffc900038ff5e0 R15: dffffc0000000000
__console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
console_unlock+0xd8/0x210 kernel/printk/printk.c:3325
vprintk_emit+0x418/0x6d0 kernel/printk/printk.c:2450
_printk+0xc7/0x100 kernel/printk/printk.c:2475
batadv_hardif_disable_interface+0x2b2/0xe70 net/batman-adv/hard-interface.c:826
batadv_meshif_destroy_netlink+0x79/0x150 net/batman-adv/mesh-interface.c:1106
default_device_exit_batch+0x769/0xaf0 net/core/dev.c:12728
ops_exit_list net/core/net_namespace.c:204 [inline]
ops_undo_list+0x363/0xab0 net/core/net_namespace.c:251
cleanup_net+0x408/0x890 net/core/net_namespace.c:682
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6562:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1345
snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2372
__snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2655
snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 6562:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4894
snd_usbmidi_free sound/usb/midi.c:1539 [inline]
snd_usbmidi_rawmidi_free+0xb3/0x130 sound/usb/midi.c:1600
snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
__snd_device_free+0x1a7/0x410 sound/core/device.c:76
snd_device_free_all+0xf3/0x220 sound/core/device.c:233
snd_card_do_free sound/core/init.c:587 [inline]
release_card_device+0x77/0x1d0 sound/core/init.c:153
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3797
snd_card_free_when_closed sound/core/init.c:618 [inline]
snd_card_free_when_closed sound/core/init.c:612 [inline]
snd_card_free+0x11a/0x190 sound/core/init.c:650
usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88805cb67800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 323 bytes inside of
freed 512-byte region [ffff88805cb67800, ffff88805cb67a00)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff88805cb65400 pfn:0x5cb64
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000240(workingset|head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000240 ffff88801b841c80 ffffea0001cc1910 ffffea0000c27910
raw: ffff88805cb65400 000000000010000a 00000000f5000000 0000000000000000
head: 00fff00000000240 ffff88801b841c80 ffffea0001cc1910 ffffea0000c27910
head: ffff88805cb65400 000000000010000a 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea000172d901 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 6539, tgid 6539 (kworker/1:8), ts 490477154046, free_ts 189435416717
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2492 [inline]
allocate_slab mm/slub.c:2660 [inline]
new_slab+0x247/0x330 mm/slub.c:2714
___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
__slab_alloc_node mm/slub.c:4067 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
__kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4402
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
device_private_init drivers/base/core.c:3534 [inline]
device_add+0xccc/0x1aa0 drivers/base/core.c:3585
snd_register_device+0x328/0x4d0 sound/core/sound.c:278
snd_ctl_dev_register+0x77/0x1b0 sound/core/control.c:2296
__snd_device_register sound/core/device.c:149 [inline]
snd_device_register_all+0x10f/0x1b0 sound/core/device.c:197
snd_card_register+0x106/0x7c0 sound/core/init.c:893
try_to_register_card+0x1d7/0x370 sound/usb/card.c:856
usb_audio_probe+0xe96/0x3cf0 sound/usb/card.c:1025
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
page last free pid 6554 tgid 6553 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4191 [inline]
slab_alloc_node mm/slub.c:4240 [inline]
__kmalloc_cache_noprof+0x1f1/0x3e0 mm/slub.c:4402
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
dev_new drivers/usb/gadget/legacy/raw_gadget.c:192 [inline]
raw_open+0x8b/0x500 drivers/usb/gadget/legacy/raw_gadget.c:434
misc_open+0x35d/0x420 drivers/char/misc.c:161
chrdev_open+0x234/0x6a0 fs/char_dev.c:414
do_dentry_open+0x982/0x1530 fs/open.c:965
vfs_open+0x82/0x3f0 fs/open.c:1095
do_open fs/namei.c:3887 [inline]
path_openat+0x1de4/0x2cb0 fs/namei.c:4046
do_filp_open+0x20b/0x470 fs/namei.c:4073
do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88805cb67800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805cb67880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805cb67900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805cb67980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805cb67a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 00 e8 add %ch,%al
2: b2 d3 mov $0xd3,%dl
4: 28 00 sub %al,(%rax)
6: 9c pushf
7: 5b pop %rbx
8: 81 e3 00 02 00 00 and $0x200,%ebx
e: 31 ff xor %edi,%edi
10: 48 89 de mov %rbx,%rsi
13: e8 30 e8 20 00 call 0x20e848
18: 48 85 db test %rbx,%rbx
1b: 0f 85 55 01 00 00 jne 0x176
21: e8 b2 ec 20 00 call 0x20ecd8
26: fb sti
27: 4c 89 e0 mov %r12,%rax
* 2a: 48 c1 e8 03 shr $0x3,%rax <-- trapping instruction
2e: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
33: 0f 84 11 ff ff ff je 0xffffff4a
39: 4c 89 e7 mov %r12,%rdi
3c: e8 .byte 0xe8
3d: 67 5f addr32 pop %rdi
3f: 86 .byte 0x86
Tested on:
commit: cec1e6e5 Merge tag 'sched_ext-for-6.17-rc7-fixes' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=176338e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=12fad712580000
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-22 16:54 syzbot
2025-09-23 0:48 ` Hillf Danton
@ 2025-09-23 7:39 ` Hillf Danton
2025-09-23 9:48 ` syzbot
1 sibling, 1 reply; 22+ messages in thread
From: Hillf Danton @ 2025-09-23 7:39 UTC (permalink / raw)
To: syzbot; +Cc: linux-kernel, syzkaller-bugs
> Date: Mon, 22 Sep 2025 09:54:28 -0700 [thread overview]
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 3b08f56fbbb9 Merge tag 'x86-urgent-2025-09-20' of git://gi..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=176950e2580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
> dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14006712580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14e950e2580000
#syz test upstream master
--- x/sound/usb/midi.c
+++ y/sound/usb/midi.c
@@ -307,6 +307,8 @@ static void snd_usbmidi_do_output(struct
for (;;) {
if (!(ep->active_urbs & (1 << urb_index))) {
urb = ep->urbs[urb_index].urb;
+ if (!urb)
+ goto next;
urb->transfer_buffer_length = 0;
ep->umidi->usb_protocol_ops->output(ep, urb);
if (urb->transfer_buffer_length == 0)
@@ -319,6 +321,7 @@ static void snd_usbmidi_do_output(struct
break;
ep->active_urbs |= 1 << urb_index;
}
+ next:
if (++urb_index >= OUTPUT_URBS)
urb_index = 0;
if (urb_index == ep->next_urb)
@@ -1396,13 +1399,19 @@ static int snd_usbmidi_in_endpoint_creat
static void snd_usbmidi_out_endpoint_clear(struct snd_usb_midi_out_endpoint *ep)
{
unsigned int i;
+ unsigned long flags;
+ spin_lock_irqsave(&ep->buffer_lock, flags);
for (i = 0; i < OUTPUT_URBS; ++i)
if (ep->urbs[i].urb) {
- free_urb_and_buffer(ep->umidi, ep->urbs[i].urb,
- ep->max_transfer);
+ struct urb *urb = ep->urbs[i].urb;
+
ep->urbs[i].urb = NULL;
+ spin_unlock_irqrestore(&ep->buffer_lock, flags);
+ free_urb_and_buffer(ep->umidi, urb, ep->max_transfer);
+ spin_lock_irqsave(&ep->buffer_lock, flags);
}
+ spin_unlock_irqrestore(&ep->buffer_lock, flags);
}
static void snd_usbmidi_out_endpoint_delete(struct snd_usb_midi_out_endpoint *ep)
@@ -1522,15 +1531,23 @@ static void snd_usbmidi_free(struct snd_
{
int i;
+ timer_shutdown_sync(&umidi->error_timer);
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
- if (ep->out)
+ int j;
+
+ if (ep->out) {
+ for (j = 0; j < OUTPUT_URBS; ++j)
+ usb_kill_urb(ep->out->urbs[j].urb);
snd_usbmidi_out_endpoint_delete(ep->out);
- if (ep->in)
+ }
+ if (ep->in) {
+ for (j = 0; j < INPUT_URBS; ++j)
+ usb_kill_urb(ep->in->urbs[j]);
snd_usbmidi_in_endpoint_delete(ep->in);
+ }
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
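Review bot: `usb_kill_urb()` is invoked on every `ep->out->urbs[j].urb` and `ep->in->urbs[j]` without a NULL check; that is safe because usb_kill_urb() returns early for a NULL urb, but a short comment would spare reviewers the lookup. Moving `timer_shutdown_sync()` to the top of the function is the essential part of this hunk: it waits for a running `snd_usbmidi_error_timer` and prevents re-arming before any endpoint is deleted, which addresses the original null-ptr-deref, and the usb_kill_urb() loops make sure no in-flight completion (the `snd_usbmidi_in_urb_complete` UAF from the first retest) can land on an endpoint after it is freed. With this in place the NULL check and the lock juggling in the first three hunks are belt-and-braces, so the changelog should say which change is the actual fix. syzbot's retest of this version (next message) reports no issue.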
--
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-23 7:39 ` Hillf Danton
@ 2025-09-23 9:48 ` syzbot
0 siblings, 0 replies; 22+ messages in thread
From: syzbot @ 2025-09-23 9:48 UTC (permalink / raw)
To: hdanton, linux-kernel, syzkaller-bugs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Tested-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Tested on:
commit: cec1e6e5 Merge tag 'sched_ext-for-6.17-rc7-fixes' of g..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=116b04e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=13f34142580000
Note: testing is done by a robot and is best-effort only.
* [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
@ 2025-09-27 4:41 Jeongjun Park
2025-09-27 8:01 ` Takashi Iwai
0 siblings, 1 reply; 22+ messages in thread
From: Jeongjun Park @ 2025-09-27 4:41 UTC (permalink / raw)
To: clemens, perex, tiwai; +Cc: linux-sound, linux-kernel, stable, Jeongjun Park
The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.
Therefore, to prevent this, the error timer must be killed before freeing
the heap memory.
Cc: <stable@vger.kernel.org>
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
sound/usb/midi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index acb3bf92857c..8d15f1caa92b 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ timer_shutdown_sync(&umidi->error_timer);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
if (ep->out)
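Review bot: this is the same reordering that Hillf Danton's tested patch earlier in the thread applies in its last hunk, and syzbot's retest of that version passed; `timer_shutdown_sync()` both waits for a running callback and prevents re-arming, so after this line `snd_usbmidi_error_timer` can no longer call `snd_usbmidi_do_output()` on endpoints that `snd_usbmidi_out_endpoint_delete()` is about to free. Unlike the tested patch, this one adds no `usb_kill_urb()` loops, so the changelog should state where in-flight URB completions (the `snd_usbmidi_in_urb_complete` UAF from the first retest) are already quiesced, e.g. on the disconnect path, to show that the timer move alone is sufficient.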
@@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
snd_usbmidi_in_endpoint_delete(ep->in);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
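Review bot: the removal here is the complementary half of the move and is correct as is; the only thing worth confirming is that nothing between `mutex_destroy()` and `kfree()` can re-arm the timer, and since timer_shutdown_sync() marks the timer as shut down, a late mod_timer() from a completion would be refused rather than reviving the callback.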
--
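As an added illustration, not code from this thread or from the ALSA driver, the following userspace C model shows the teardown ordering the commit message above describes. All names in it (`struct midi`, `timer_arm`, `model_free`, `teardown_timer_last`, and so on) are constructed for the model and are not kernel APIs. It stands in for KASAN by recording freed objects instead of touching freed memory, and demonstrates that a timer callback firing between endpoint deletion and timer shutdown reaches a freed object, while the patched order (shutdown first) turns the same late firing into a no-op and refuses any later re-arm.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define OUTPUT_URBS 7
#define MAX_FREED 16

/* Stand-in for KASAN's freed-object tracking (constructed for this model):
 * model_free() records a pointer rather than releasing it, so a later access
 * can be flagged without dereferencing freed memory. */
static const void *freed_objs[MAX_FREED];
static int n_freed;

static void model_free(const void *p)
{
	if (n_freed < MAX_FREED)
		freed_objs[n_freed++] = p;
}

static bool model_is_freed(const void *p)
{
	for (int i = 0; i < n_freed; i++)
		if (freed_objs[i] == p)
			return true;
	return false;
}

struct urb { int transfer_buffer_length; };
struct out_endpoint { struct urb *urbs[OUTPUT_URBS]; };

/* Model of the driver object: one output endpoint plus the error timer. */
struct midi {
	struct out_endpoint *out;
	bool timer_pending;   /* armed, will run on the next timer_fire() */
	bool timer_shutdown;  /* timer_shutdown_sync() ran: no fire, no re-arm */
	int bad_accesses;     /* callback runs that touched a freed endpoint */
};

/* Model of mod_timer(): like the kernel's, it refuses to re-arm after shutdown. */
static bool timer_arm(struct midi *umidi)
{
	if (umidi->timer_shutdown)
		return false;
	umidi->timer_pending = true;
	return true;
}

/* Model of timer_shutdown_sync(): cancels a pending run and blocks re-arming. */
static void timer_shutdown_sync(struct midi *umidi)
{
	umidi->timer_pending = false;
	umidi->timer_shutdown = true;
}

/* The callback: walks the endpoint's URBs as snd_usbmidi_do_output() would. */
static void error_timer_fn(struct midi *umidi)
{
	struct out_endpoint *ep = umidi->out;

	if (model_is_freed(ep)) {	/* what KASAN would report as a UAF */
		umidi->bad_accesses++;
		return;
	}
	for (int i = 0; i < OUTPUT_URBS; i++)
		if (ep->urbs[i])
			ep->urbs[i]->transfer_buffer_length = 0;
}

/* The timer softirq: runs the callback only if the timer is armed. */
static void timer_fire(struct midi *umidi)
{
	if (!umidi->timer_pending)
		return;
	umidi->timer_pending = false;
	error_timer_fn(umidi);
}

static struct midi *midi_create(void)
{
	struct midi *umidi = calloc(1, sizeof(*umidi));

	umidi->out = calloc(1, sizeof(*umidi->out));
	for (int i = 0; i < OUTPUT_URBS; i++)
		umidi->out->urbs[i] = calloc(1, sizeof(struct urb));
	return umidi;
}

/* Endpoint delete: URBs really go away, the endpoint is marked freed. */
static void out_endpoint_delete(struct out_endpoint *ep)
{
	for (int i = 0; i < OUTPUT_URBS; i++) {
		free(ep->urbs[i]);
		ep->urbs[i] = NULL;
	}
	model_free(ep);
}

static void midi_destroy(struct midi *umidi)
{
	free(umidi->out);
	free(umidi);
}

/* Pre-patch order: endpoint deleted first, timer shut down last.
 * fire_between models the timer softirq running inside that window. */
static int teardown_timer_last(bool fire_between)
{
	struct midi *umidi = midi_create();
	int bad;

	n_freed = 0;
	timer_arm(umidi);
	out_endpoint_delete(umidi->out);
	if (fire_between)
		timer_fire(umidi);
	timer_shutdown_sync(umidi);
	bad = umidi->bad_accesses;
	midi_destroy(umidi);
	return bad;
}

/* Patched order: timer shut down before any endpoint is deleted. */
static int teardown_timer_first(bool fire_between)
{
	struct midi *umidi = midi_create();
	int bad;

	n_freed = 0;
	timer_arm(umidi);
	timer_shutdown_sync(umidi);
	if (fire_between)
		timer_fire(umidi);	/* nothing pending: ignored */
	out_endpoint_delete(umidi->out);
	bad = umidi->bad_accesses;
	midi_destroy(umidi);
	return bad;
}

/* A late re-arm (e.g. from a completion) after shutdown must be refused. */
static bool rearm_refused_after_shutdown(void)
{
	struct midi *umidi = midi_create();
	bool armed;

	timer_shutdown_sync(umidi);
	armed = timer_arm(umidi);
	out_endpoint_delete(umidi->out);
	midi_destroy(umidi);
	return !armed;
}

int main(void)
{
	printf("timer last, fires in window: %d bad access(es)\n", teardown_timer_last(true));
	printf("timer first, fires in window: %d bad access(es)\n", teardown_timer_first(true));
	printf("re-arm after shutdown refused: %s\n", rearm_refused_after_shutdown() ? "yes" : "no");
	return 0;
}
```

The model is single-threaded on purpose: the "race" is reduced to an explicit `timer_fire()` call placed where the softirq would run, which makes the outcome deterministic and shows that the fix is a matter of ordering rather than locking.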
* Re: [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
2025-09-27 4:41 [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Jeongjun Park
@ 2025-09-27 8:01 ` Takashi Iwai
2025-09-27 8:48 ` Jeongjun Park
2025-09-27 9:19 ` Hillf Danton
0 siblings, 2 replies; 22+ messages in thread
From: Takashi Iwai @ 2025-09-27 8:01 UTC (permalink / raw)
To: Jeongjun Park; +Cc: clemens, perex, tiwai, linux-sound, linux-kernel, stable
On Sat, 27 Sep 2025 06:41:06 +0200,
Jeongjun Park wrote:
>
> The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
> removal") patched a UAF issue caused by the error timer.
>
> However, because the error timer kill added in this patch occurs after the
> endpoint delete, a race condition to UAF still occurs, albeit rarely.
>
> Therefore, to prevent this, the error timer must be killed before freeing
> the heap memory.
>
> Cc: <stable@vger.kernel.org>
> Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
I suppose it's a fix for the recent syzbot reports?
https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com
https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com
I had the very same fix in mind, as posted in
https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de
so I'll happily apply if that's the case (and it was verified to
work). I'm just back from vacation and trying to catch up things.
thanks,
Takashi
> ---
> sound/usb/midi.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/sound/usb/midi.c b/sound/usb/midi.c
> index acb3bf92857c..8d15f1caa92b 100644
> --- a/sound/usb/midi.c
> +++ b/sound/usb/midi.c
> @@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> {
> int i;
>
> + timer_shutdown_sync(&umidi->error_timer);
> +
> for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
> struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
> if (ep->out)
> @@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> snd_usbmidi_in_endpoint_delete(ep->in);
> }
> mutex_destroy(&umidi->mutex);
> - timer_shutdown_sync(&umidi->error_timer);
> kfree(umidi);
> }
>
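Review bot: Removing this line means the diff only applies to trees that already carry 0718a78f6a9f, which the Fixes: tag expresses correctly; that is the right scope for the Cc: stable request, since a tree without that commit has no timer_shutdown_sync() call here to move, and a stable maintainer should not try to apply this hunk elsewhere.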
> --
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
2025-09-27 8:01 ` Takashi Iwai
@ 2025-09-27 8:48 ` Jeongjun Park
2025-09-27 9:39 ` Takashi Iwai
2025-09-27 9:19 ` Hillf Danton
1 sibling, 1 reply; 22+ messages in thread
From: Jeongjun Park @ 2025-09-27 8:48 UTC (permalink / raw)
To: Takashi Iwai; +Cc: clemens, perex, tiwai, linux-sound, linux-kernel, stable
Hi,
Takashi Iwai <tiwai@suse.de> wrote:
>
> On Sat, 27 Sep 2025 06:41:06 +0200,
> Jeongjun Park wrote:
> >
> > The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
> > removal") patched a UAF issue caused by the error timer.
> >
> > However, because the error timer kill added in this patch occurs after the
> > endpoint delete, a race condition to UAF still occurs, albeit rarely.
> >
> > Therefore, to prevent this, the error timer must be killed before freeing
> > the heap memory.
> >
> > Cc: <stable@vger.kernel.org>
> > Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
> > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>
> I suppose it's a fix for the recent syzbot reports?
> https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com
> https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com
>
Oh, I didn't know it was already reported on syzbot.
> I had the very same fix in mind, as posted in
> https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de
> so I'll happily apply if that's the case (and it was verified to
> work). I'm just back from vacation and trying to catch up things.
>
Although it's difficult to disclose right now, I have already completed
writing a PoC that triggers a UAF due to the error timer in a slightly
different way than the backtrace reported to syzbot, and I have confirmed
that no bugs occur when testing this patch through this PoC.
>
> thanks,
>
> Takashi
>
> > ---
> > sound/usb/midi.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/sound/usb/midi.c b/sound/usb/midi.c
> > index acb3bf92857c..8d15f1caa92b 100644
> > --- a/sound/usb/midi.c
> > +++ b/sound/usb/midi.c
> > @@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> > {
> > int i;
> >
> > + timer_shutdown_sync(&umidi->error_timer);
> > +
> > for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
> > struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
> > if (ep->out)
> > @@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> > snd_usbmidi_in_endpoint_delete(ep->in);
> > }
> > mutex_destroy(&umidi->mutex);
> > - timer_shutdown_sync(&umidi->error_timer);
> > kfree(umidi);
> > }
> >
> > --
Regards,
Jeongjun Park
* Re: [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
2025-09-27 8:01 ` Takashi Iwai
2025-09-27 8:48 ` Jeongjun Park
@ 2025-09-27 9:19 ` Hillf Danton
2025-09-27 10:03 ` [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output syzbot
1 sibling, 1 reply; 22+ messages in thread
From: Hillf Danton @ 2025-09-27 9:19 UTC (permalink / raw)
To: syzbot
Cc: Takashi Iwai, Jeongjun Park, clemens, perex, syzkaller-bugs,
linux-sound, linux-kernel
On Sat, 27 Sep 2025 10:01:37 +0200 Takashi Iwai wrote:
>On Sat, 27 Sep 2025 06:41:06 +0200 Jeongjun Park wrote:
>>
>> The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
>> removal") patched a UAF issue caused by the error timer.
>>
>> However, because the error timer kill added in this patch occurs after the
>> endpoint delete, a race condition to UAF still occurs, albeit rarely.
>>
>> Therefore, to prevent this, the error timer must be killed before freeing
>> the heap memory.
>>
>> Cc: <stable@vger.kernel.org>
>> Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
>> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>
> I suppose it's a fix for the recent syzbot reports?
> https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com
> https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com
#syz test upstream master
--- x/sound/usb/midi.c
+++ y/sound/usb/midi.c
@@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_
{
int i;
+ timer_shutdown_sync(&umidi->error_timer);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
if (ep->out)
@@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_
snd_usbmidi_in_endpoint_delete(ep->in);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
--
* Re: [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free
2025-09-27 8:48 ` Jeongjun Park
@ 2025-09-27 9:39 ` Takashi Iwai
0 siblings, 0 replies; 22+ messages in thread
From: Takashi Iwai @ 2025-09-27 9:39 UTC (permalink / raw)
To: Jeongjun Park
Cc: Takashi Iwai, clemens, perex, tiwai, linux-sound, linux-kernel,
stable
On Sat, 27 Sep 2025 10:48:02 +0200,
Jeongjun Park wrote:
>
> Hi,
>
> Takashi Iwai <tiwai@suse.de> wrote:
> >
> > On Sat, 27 Sep 2025 06:41:06 +0200,
> > Jeongjun Park wrote:
> > >
> > > The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
> > > removal") patched a UAF issue caused by the error timer.
> > >
> > > However, because the error timer kill added in this patch occurs after the
> > > endpoint delete, a race condition to UAF still occurs, albeit rarely.
> > >
> > > Therefore, to prevent this, the error timer must be killed before freeing
> > > the heap memory.
> > >
> > > Cc: <stable@vger.kernel.org>
> > > Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
> > > Signed-off-by: Jeongjun Park <aha310510@gmail.com>
> >
> > I suppose it's a fix for the recent syzbot reports?
> > https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com
> > https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com
> >
>
> Oh, I didn't know it was already reported on syzbot.
>
> > I had the very same fix in mind, as posted in
> > https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de
> > so I'll happily apply if that's the case (and it was verified to
> > work). I'm just back from vacation and trying to catch up things.
> >
>
> Although it's difficult to disclose right now, I have already completed
> writing a PoC that triggers a UAF due to the error timer in a slightly
> different way than the backtrace reported to syzbot, and I have confirmed
> that no bugs occur when testing this patch through this PoC.
OK, so this sounds like a coincidence, but it's very likely the same
issue, so I'm going to mark those syzbot reports.
thanks,
Takashi
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 9:19 ` Hillf Danton
@ 2025-09-27 10:03 ` syzbot
2025-09-27 10:29 ` Takashi Iwai
2025-09-27 10:36 ` Jeongjun Park
0 siblings, 2 replies; 22+ messages in thread
From: syzbot @ 2025-09-27 10:03 UTC (permalink / raw)
To: aha310510, clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866
CPU: 1 UID: 0 PID: 5866 Comm: kworker/1:3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
__usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x62/0x350 kernel/locking/lockdep.c:5872
Code: f9 3e 12 83 f8 07 0f 87 bc 02 00 00 89 c0 48 0f a3 05 c2 d8 13 0f 0f 82 74 02 00 00 8b 35 5a 0a 14 0f 85 f6 0f 85 8d 00 00 00 <48> 8b 44 24 30 65 48 2b 05 19 f9 3e 12 0f 85 c7 02 00 00 48 83 c4
RSP: 0018:ffffc9000213f6a8 EFLAGS: 00000206
RAX: 0000000000000046 RBX: ffffffff8e5c16a0 RCX: 000000004089a3e6
RDX: 0000000000000000 RSI: ffffffff8de2c268 RDI: ffffffff8c163a00
RBP: 0000000000000002 R08: b04c8ca6f5f73b8b R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
rcu_read_lock include/linux/rcupdate.h:841 [inline]
class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
kernfs_root+0x34/0x2a0 fs/kernfs/kernfs-internal.h:75
__kernfs_remove+0x302/0x8a0 fs/kernfs/dir.c:1519
kernfs_remove_by_name_ns+0x68/0x110 fs/kernfs/dir.c:1717
kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
remove_files+0x96/0x1c0 fs/sysfs/group.c:28
sysfs_remove_group+0x8b/0x180 fs/sysfs/group.c:322
sysfs_remove_groups fs/sysfs/group.c:346 [inline]
sysfs_remove_groups+0x60/0xa0 fs/sysfs/group.c:338
device_remove_groups drivers/base/core.c:2843 [inline]
device_remove_attrs+0x192/0x290 drivers/base/core.c:2973
device_del+0x38e/0x9f0 drivers/base/core.c:3877
usb_disconnect+0x5bf/0x9c0 drivers/usb/core/hub.c:2375
hub_port_connect drivers/usb/core/hub.c:5406 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x1c81/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 9:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1342
snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2364
__snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2647
snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 9:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4894
snd_usbmidi_free sound/usb/midi.c:1532 [inline]
snd_usbmidi_rawmidi_free+0xbd/0x130 sound/usb/midi.c:1592
snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
__snd_device_free+0x1a7/0x410 sound/core/device.c:76
snd_device_free_all+0xf3/0x220 sound/core/device.c:233
snd_card_do_free sound/core/init.c:587 [inline]
release_card_device+0x77/0x1d0 sound/core/init.c:153
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3797
snd_card_free_when_closed sound/core/init.c:618 [inline]
snd_card_free_when_closed sound/core/init.c:612 [inline]
snd_card_free+0x11a/0x190 sound/core/init.c:650
usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888074717800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 323 bytes inside of
freed 512-byte region [ffff888074717800, ffff888074717a00)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74714
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b841c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b841c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001d1c501 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10, tgid 10 (kworker/0:1), ts 289964868636, free_ts 191685793183
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2492 [inline]
allocate_slab mm/slub.c:2660 [inline]
new_slab+0x247/0x330 mm/slub.c:2714
___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
__slab_alloc_node mm/slub.c:4067 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
__kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4402
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
device_private_init drivers/base/core.c:3534 [inline]
device_add+0xccc/0x1aa0 drivers/base/core.c:3585
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
page last free pid 6777 tgid 6777 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4191 [inline]
slab_alloc_node mm/slub.c:4240 [inline]
kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4247
getname_flags.part.0+0x4c/0x550 fs/namei.c:146
getname_flags+0x93/0xf0 include/linux/audit.h:322
do_readlinkat+0xb4/0x3a0 fs/stat.c:575
__do_sys_readlink fs/stat.c:613 [inline]
__se_sys_readlink fs/stat.c:610 [inline]
__x64_sys_readlink+0x78/0xc0 fs/stat.c:610
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff888074717800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888074717880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888074717900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888074717980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888074717a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: f9 stc
1: 3e 12 83 f8 07 0f 87 ds adc -0x78f0f808(%rbx),%al
8: bc 02 00 00 89 mov $0x89000002,%esp
d: c0 48 0f a3 rorb $0xa3,0xf(%rax)
11: 05 c2 d8 13 0f add $0xf13d8c2,%eax
16: 0f 82 74 02 00 00 jb 0x290
1c: 8b 35 5a 0a 14 0f mov 0xf140a5a(%rip),%esi # 0xf140a7c
22: 85 f6 test %esi,%esi
24: 0f 85 8d 00 00 00 jne 0xb7
* 2a: 48 8b 44 24 30 mov 0x30(%rsp),%rax <-- trapping instruction
2f: 65 48 2b 05 19 f9 3e sub %gs:0x123ef919(%rip),%rax # 0x123ef950
36: 12
37: 0f 85 c7 02 00 00 jne 0x304
3d: 48 rex.W
3e: 83 .byte 0x83
3f: c4 .byte 0xc4
Tested on:
commit: fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13bb3d34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=17773142580000
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 10:03 ` [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output syzbot
@ 2025-09-27 10:29 ` Takashi Iwai
2025-09-27 10:55 ` syzbot
2025-09-27 10:36 ` Jeongjun Park
1 sibling, 1 reply; 22+ messages in thread
From: Takashi Iwai @ 2025-09-27 10:29 UTC (permalink / raw)
To: syzbot
Cc: aha310510, clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
On Sat, 27 Sep 2025 12:03:03 +0200,
syzbot wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
OK, so another fix is needed in addition.
Let's try the below.
#syz test upstream master
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -240,6 +240,9 @@ static void snd_usbmidi_in_urb_complete(struct urb *urb)
{
struct snd_usb_midi_in_endpoint *ep = urb->context;
+ if (ep->umidi->disconnected)
+ return;
+
if (urb->status == 0) {
dump_urb("received", urb->transfer_buffer, urb->actual_length);
ep->umidi->usb_protocol_ops->input(ep, urb->transfer_buffer,
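Review bot: The guard reads ep->umidi->disconnected through ep, but the KASAN report this is meant to address says the freed object is the one allocated in snd_usbmidi_in_endpoint_create(), i.e. ep itself (the write at sound/usb/midi.c:251 lands 323 bytes into a freed 512-byte region), so whenever the race it targets occurs the check is itself a read of freed memory. A flag inside an object cannot gate access to that object; the completion has to be made impossible to run before ep is freed (kill the URBs with usb_kill_urb() before snd_usbmidi_in_endpoint_delete() releases them, or hold a reference across the completion). Separately, the Freed-by stack shows the free coming from usb_audio_probe() -> snd_card_free() (sound/usb/card.c:1034), a probe-failure teardown rather than a disconnect, so it is not established here that umidi->disconnected is ever set on that path; if it is not, the early return never fires for this reproducer.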
@@ -275,6 +278,10 @@ static void snd_usbmidi_out_urb_complete(struct urb *urb)
wake_up(&ep->drain_wait);
}
spin_unlock_irqrestore(&ep->buffer_lock, flags);
+
+ if (ep->umidi->disconnected)
+ return;
+
if (urb->status < 0) {
int err = snd_usbmidi_urb_error(urb);
if (err < 0) {
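Review bot: The disconnected test sits after the spin_unlock_irqrestore(&ep->buffer_lock, flags) and wake_up(&ep->drain_wait) visible in the leading context, so by the time it runs the handler has already taken a lock that lives inside ep; if ep can be freed under this completion the guard comes too late to protect that earlier access, and the same objection as for the in-path applies, since it dereferences ep->umidi from the object whose lifetime is in question. If the check is kept at all it belongs before the lock is taken, and it still does not replace quiescing the out-URBs before the endpoint is freed.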
@@ -1522,6 +1529,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ timer_shutdown_sync(&umidi->error_timer);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
if (ep->out)
@@ -1530,7 +1539,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
snd_usbmidi_in_endpoint_delete(ep->in);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
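The ordering argument in Jeongjun Park's commit message above and the disconnected guard Takashi proposes for the URB completion handlers can both be checked against a small userspace model. This is an added example, not code from sound/usb/midi.c, from either patch, or from anyone in the thread: the timer, the URB completion and kfree() are replaced by explicit bookkeeping so the race window is deterministic, and the struct and function names (umidi, in_endpoint, error_timer_fn, softirq_runs_here, run_teardown) are assumptions that only loosely mirror the driver. It counts accesses to already-released objects for three teardown orders: the pre-patch order, the patched order (timer shutdown first), and an order in which the in-URBs are also killed before the endpoints are freed.

```c
/* Added model of the snd_usbmidi_free() ordering race; not kernel code. The
 * timer and the URB completion are pending events fired where a softirq could
 * preempt teardown; "free" only marks an object so later accesses can be
 * counted. Names loosely mirror sound/usb/midi.c and are assumptions. */
#include <stdbool.h>
#include <string.h>

#define MIDI_MAX_ENDPOINTS 2

struct umidi;
struct in_endpoint  { struct umidi *umidi; bool released; };
struct out_endpoint { bool released; };
struct endpoint     { struct in_endpoint *in; struct out_endpoint *out; };

struct umidi {
    struct endpoint endpoints[MIDI_MAX_ENDPOINTS];
    bool timer_armed;                      /* error_timer has a pending expiry */
    bool timer_shut_down;                  /* timer_shutdown_sync() has run */
    bool disconnected;
    bool urb_pending[MIDI_MAX_ENDPOINTS];  /* host-controller side: URBs it still owns */
    int touches_after_free;                /* detector: accesses to released objects */
};

/* Stand-in for snd_usbmidi_error_timer(): touches every out endpoint. */
static void error_timer_fn(struct umidi *u)
{
    for (int i = 0; i < MIDI_MAX_ENDPOINTS; i++) {
        struct out_endpoint *out = u->endpoints[i].out;
        if (out && out->released)          /* the snd_usbmidi_do_output() crash */
            u->touches_after_free++;
    }
}

/* Stand-in for snd_usbmidi_in_urb_complete() with a "disconnected" guard. */
static void in_urb_complete(struct in_endpoint *ep)
{
    /* Testing a flag means reading ep; if ep is gone, that read is the UAF. */
    if (ep->released) { ep->umidi->touches_after_free++; return; }
    if (ep->umidi->disconnected)
        return;
    ep->umidi->timer_armed = true;         /* error handling re-arms the timer */
}

/* Deliver whatever a softirq could run at this instant. */
static void softirq_runs_here(struct umidi *u)
{
    if (u->timer_armed && !u->timer_shut_down) {
        u->timer_armed = false;
        error_timer_fn(u);
    }
    for (int i = 0; i < MIDI_MAX_ENDPOINTS; i++)
        if (u->urb_pending[i] && u->endpoints[i].in) {
            u->urb_pending[i] = false;
            in_urb_complete(u->endpoints[i].in);
        }
}

/* Pending expiry cancelled, and re-arming is a no-op from now on. */
static void timer_shutdown_sync(struct umidi *u)
{
    u->timer_armed = false; u->timer_shut_down = true;
}

static void delete_endpoints(struct umidi *u)
{
    for (int i = 0; i < MIDI_MAX_ENDPOINTS; i++) {
        if (u->endpoints[i].out) u->endpoints[i].out->released = true;
        if (u->endpoints[i].in)  u->endpoints[i].in->released = true;
    }
}

enum order { BEFORE_PATCH, PATCHED, QUIESCED };

/* One teardown order on a fresh device (one endpoint pair, armed error timer,
 * one in-URB still owned by the HCD); returns accesses to freed objects. */
int run_teardown(enum order order, bool disconnected)
{
    struct umidi u = { 0 }; struct in_endpoint in = { .umidi = &u }; struct out_endpoint out = { 0 };
    u.endpoints[0].in = &in; u.endpoints[0].out = &out;
    u.timer_armed = true; u.urb_pending[0] = true; u.disconnected = disconnected;

    switch (order) {
    case BEFORE_PATCH:                     /* endpoints freed, then timer stopped */
        delete_endpoints(&u);
        softirq_runs_here(&u);             /* the window the commit message names */
        timer_shutdown_sync(&u);
        break;
    case PATCHED:                          /* timer first: timer path closed, URB path open */
        timer_shutdown_sync(&u);
        delete_endpoints(&u);
        softirq_runs_here(&u);
        break;
    case QUIESCED:                         /* every async source stopped before freeing */
        timer_shutdown_sync(&u);
        memset(u.urb_pending, 0, sizeof(u.urb_pending));  /* usb_kill_urb() stand-in */
        delete_endpoints(&u);
        softirq_runs_here(&u);
        break;
    }
    return u.touches_after_free;
}
```

Under this model the pre-patch order touches freed memory twice (timer and completion), the patched order reduces that to one (the completion, whether or not `disconnected` is set, because the guard has to read the endpoint before it can consult the flag), and only quiescing every asynchronous source before the endpoint memory goes away gets to zero. That is the same shape as the syzbot result above: the reorder removed the snd_usbmidi_do_output() crash and left snd_usbmidi_in_urb_complete() standing.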
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 10:03 ` [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output syzbot
2025-09-27 10:29 ` Takashi Iwai
@ 2025-09-27 10:36 ` Jeongjun Park
2025-09-27 11:52 ` Takashi Iwai
1 sibling, 1 reply; 22+ messages in thread
From: Jeongjun Park @ 2025-09-27 10:36 UTC (permalink / raw)
To: syzbot
Cc: clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
> Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866
>
Wow, the UAF bug still occurs?
But... this UAF seems to be a problem with how midi handles urb rather
than a problem with my patch.
Is there something wrong with the way snd_usbmidi_in_urb_complete() is
implemented?
> CPU: 1 UID: 0 PID: 5866 Comm: kworker/1:3 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> <IRQ>
> __dump_stack lib/dump_stack.c:94 [inline]
> dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
> print_address_description mm/kasan/report.c:378 [inline]
> print_report+0xcd/0x630 mm/kasan/report.c:482
> kasan_report+0xe0/0x110 mm/kasan/report.c:595
> snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
> __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
> usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
> dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
> __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
> __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
> hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
> handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
> __do_softirq kernel/softirq.c:613 [inline]
> invoke_softirq kernel/softirq.c:453 [inline]
> __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
> irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
> instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
> sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
> </IRQ>
> <TASK>
> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
> RIP: 0010:lock_acquire+0x62/0x350 kernel/locking/lockdep.c:5872
> Code: f9 3e 12 83 f8 07 0f 87 bc 02 00 00 89 c0 48 0f a3 05 c2 d8 13 0f 0f 82 74 02 00 00 8b 35 5a 0a 14 0f 85 f6 0f 85 8d 00 00 00 <48> 8b 44 24 30 65 48 2b 05 19 f9 3e 12 0f 85 c7 02 00 00 48 83 c4
> RSP: 0018:ffffc9000213f6a8 EFLAGS: 00000206
> RAX: 0000000000000046 RBX: ffffffff8e5c16a0 RCX: 000000004089a3e6
> RDX: 0000000000000000 RSI: ffffffff8de2c268 RDI: ffffffff8c163a00
> RBP: 0000000000000002 R08: b04c8ca6f5f73b8b R09: 0000000000000000
> R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
> rcu_read_lock include/linux/rcupdate.h:841 [inline]
> class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
> kernfs_root+0x34/0x2a0 fs/kernfs/kernfs-internal.h:75
> __kernfs_remove+0x302/0x8a0 fs/kernfs/dir.c:1519
> kernfs_remove_by_name_ns+0x68/0x110 fs/kernfs/dir.c:1717
> kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
> remove_files+0x96/0x1c0 fs/sysfs/group.c:28
> sysfs_remove_group+0x8b/0x180 fs/sysfs/group.c:322
> sysfs_remove_groups fs/sysfs/group.c:346 [inline]
> sysfs_remove_groups+0x60/0xa0 fs/sysfs/group.c:338
> device_remove_groups drivers/base/core.c:2843 [inline]
> device_remove_attrs+0x192/0x290 drivers/base/core.c:2973
> device_del+0x38e/0x9f0 drivers/base/core.c:3877
> usb_disconnect+0x5bf/0x9c0 drivers/usb/core/hub.c:2375
> hub_port_connect drivers/usb/core/hub.c:5406 [inline]
> hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
> port_event drivers/usb/core/hub.c:5870 [inline]
> hub_event+0x1c81/0x4fe0 drivers/usb/core/hub.c:5952
> process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
> process_scheduled_works kernel/workqueue.c:3319 [inline]
> worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
> kthread+0x3c5/0x780 kernel/kthread.c:463
> ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
> </TASK>
>
> Allocated by task 9:
> kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
> kasan_save_track+0x14/0x30 mm/kasan/common.c:68
> poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
> __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
> kmalloc_noprof include/linux/slab.h:905 [inline]
> kzalloc_noprof include/linux/slab.h:1039 [inline]
> snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1342
> snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2364
> __snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2647
> snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
> snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
> usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
> usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
> call_driver_probe drivers/base/dd.c:581 [inline]
> really_probe+0x241/0xa90 drivers/base/dd.c:659
> __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
> driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
> __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
> bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
> __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
> bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
> device_add+0x1148/0x1aa0 drivers/base/core.c:3689
> usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
> usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
> usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
> call_driver_probe drivers/base/dd.c:581 [inline]
> really_probe+0x241/0xa90 drivers/base/dd.c:659
> __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
> driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
> __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
> bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
> __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
> bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
> device_add+0x1148/0x1aa0 drivers/base/core.c:3689
> usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
> hub_port_connect drivers/usb/core/hub.c:5566 [inline]
> hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
> port_event drivers/usb/core/hub.c:5870 [inline]
> hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
> process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
> process_scheduled_works kernel/workqueue.c:3319 [inline]
> worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
> kthread+0x3c5/0x780 kernel/kthread.c:463
> ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>
> Freed by task 9:
> kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
> kasan_save_track+0x14/0x30 mm/kasan/common.c:68
> kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
> poison_slab_object mm/kasan/common.c:243 [inline]
> __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
> kasan_slab_free include/linux/kasan.h:233 [inline]
> slab_free_hook mm/slub.c:2422 [inline]
> slab_free mm/slub.c:4695 [inline]
> kfree+0x2b4/0x4d0 mm/slub.c:4894
> snd_usbmidi_free sound/usb/midi.c:1532 [inline]
> snd_usbmidi_rawmidi_free+0xbd/0x130 sound/usb/midi.c:1592
> snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
> snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
> snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
> __snd_device_free+0x1a7/0x410 sound/core/device.c:76
> snd_device_free_all+0xf3/0x220 sound/core/device.c:233
> snd_card_do_free sound/core/init.c:587 [inline]
> release_card_device+0x77/0x1d0 sound/core/init.c:153
> device_release+0xa4/0x240 drivers/base/core.c:2565
> kobject_cleanup lib/kobject.c:689 [inline]
> kobject_release lib/kobject.c:720 [inline]
> kref_put include/linux/kref.h:65 [inline]
> kobject_put+0x1e7/0x5a0 lib/kobject.c:737
> put_device+0x1f/0x30 drivers/base/core.c:3797
> snd_card_free_when_closed sound/core/init.c:618 [inline]
> snd_card_free_when_closed sound/core/init.c:612 [inline]
> snd_card_free+0x11a/0x190 sound/core/init.c:650
> usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
> usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
> call_driver_probe drivers/base/dd.c:581 [inline]
> really_probe+0x241/0xa90 drivers/base/dd.c:659
> __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
> driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
> __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
> bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
> __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
> bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
> device_add+0x1148/0x1aa0 drivers/base/core.c:3689
> usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
> usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
> usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
> call_driver_probe drivers/base/dd.c:581 [inline]
> really_probe+0x241/0xa90 drivers/base/dd.c:659
> __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
> driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
> __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
> bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
> __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
> bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
> device_add+0x1148/0x1aa0 drivers/base/core.c:3689
> usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
> hub_port_connect drivers/usb/core/hub.c:5566 [inline]
> hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
> port_event drivers/usb/core/hub.c:5870 [inline]
> hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
> process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
> process_scheduled_works kernel/workqueue.c:3319 [inline]
> worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
> kthread+0x3c5/0x780 kernel/kthread.c:463
> ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
> ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>
> The buggy address belongs to the object at ffff888074717800
> which belongs to the cache kmalloc-512 of size 512
> The buggy address is located 323 bytes inside of
> freed 512-byte region [ffff888074717800, ffff888074717a00)
>
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74714
> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: f5(slab)
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10, tgid 10 (kworker/0:1), ts 289964868636, free_ts 191685793183
> set_page_owner include/linux/page_owner.h:32 [inline]
> post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
> prep_new_page mm/page_alloc.c:1859 [inline]
> get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
> __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
> alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
> alloc_slab_page mm/slub.c:2492 [inline]
> allocate_slab mm/slub.c:2660 [inline]
> new_slab+0x247/0x330 mm/slub.c:2714
> ___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
> __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
> __slab_alloc_node mm/slub.c:4067 [inline]
> slab_alloc_node mm/slub.c:4228 [inline]
> __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4402
> kmalloc_noprof include/linux/slab.h:905 [inline]
> kzalloc_noprof include/linux/slab.h:1039 [inline]
> device_private_init drivers/base/core.c:3534 [inline]
> device_add+0xccc/0x1aa0 drivers/base/core.c:3585
> usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
> usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
> usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
> call_driver_probe drivers/base/dd.c:581 [inline]
> really_probe+0x241/0xa90 drivers/base/dd.c:659
> __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
> driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
> __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
> page last free pid 6777 tgid 6777 stack trace:
> reset_page_owner include/linux/page_owner.h:25 [inline]
> free_pages_prepare mm/page_alloc.c:1395 [inline]
> __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
> qlink_free mm/kasan/quarantine.c:163 [inline]
> qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
> kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
> __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
> kasan_slab_alloc include/linux/kasan.h:250 [inline]
> slab_post_alloc_hook mm/slub.c:4191 [inline]
> slab_alloc_node mm/slub.c:4240 [inline]
> kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4247
> getname_flags.part.0+0x4c/0x550 fs/namei.c:146
> getname_flags+0x93/0xf0 include/linux/audit.h:322
> do_readlinkat+0xb4/0x3a0 fs/stat.c:575
> __do_sys_readlink fs/stat.c:613 [inline]
> __se_sys_readlink fs/stat.c:610 [inline]
> __x64_sys_readlink+0x78/0xc0 fs/stat.c:610
> do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
> do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Memory state around the buggy address:
> ==================================================================
> ----------------
> Code disassembly (best guess):
>
>
> Tested on:
>
> commit: fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13bb3d34580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
> dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
> compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> patch: https://syzkaller.appspot.com/x/patch.diff?x=17773142580000
>
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
From: syzbot @ 2025-09-27 10:55 UTC (permalink / raw)
To: aha310510, clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in snd_usbmidi_in_urb_complete
==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x368/0x410 sound/usb/midi.c:243
Read of size 8 at addr ffff88805ccd6800 by task kworker/1:1/43
CPU: 1 UID: 0 PID: 43 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
snd_usbmidi_in_urb_complete+0x368/0x410 sound/usb/midi.c:243
__usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227
Code: 00 e8 a2 d3 28 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 20 e8 20 00 48 85 db 0f 85 55 01 00 00 e8 a2 ec 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 77 5f 86
RSP: 0018:ffffc90000b37428 EFLAGS: 00000293
RAX: ffffffff8f2f1658 RBX: 0000000000000000 RCX: ffffffff819aad70
RDX: ffff88801eab5a00 RSI: ffffffff819aad7e RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8f2f1658
R13: ffffffff8f2f1600 R14: ffffc90000b374b8 R15: dffffc0000000000
__console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
console_unlock+0xd8/0x210 kernel/printk/printk.c:3325
vprintk_emit+0x418/0x6d0 kernel/printk/printk.c:2450
dev_vprintk_emit drivers/base/core.c:4914 [inline]
dev_printk_emit+0xfa/0x140 drivers/base/core.c:4925
__dev_printk+0xf5/0x270 drivers/base/core.c:4937
_dev_info+0xe4/0x120 drivers/base/core.c:4983
announce_device drivers/usb/core/hub.c:2407 [inline]
usb_new_device+0x7d6/0x1a60 drivers/usb/core/hub.c:2675
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6486:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1349
snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2371
__snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2654
snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 6486:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4894
snd_usbmidi_free sound/usb/midi.c:1539 [inline]
snd_usbmidi_rawmidi_free+0xbd/0x130 sound/usb/midi.c:1599
snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
__snd_device_free+0x1a7/0x410 sound/core/device.c:76
snd_device_free_all+0xf3/0x220 sound/core/device.c:233
snd_card_do_free sound/core/init.c:587 [inline]
release_card_device+0x77/0x1d0 sound/core/init.c:153
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3797
snd_card_free_when_closed sound/core/init.c:618 [inline]
snd_card_free_when_closed sound/core/init.c:612 [inline]
snd_card_free+0x11a/0x190 sound/core/init.c:650
usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88805ccd6800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
freed 512-byte region [ffff88805ccd6800, ffff88805ccd6a00)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ccd4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6287, tgid 6287 (syz-executor), ts 181369771590, free_ts 181363057805
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2492 [inline]
allocate_slab mm/slub.c:2660 [inline]
new_slab+0x247/0x330 mm/slub.c:2714
___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
__slab_alloc_node mm/slub.c:4067 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
__do_kmalloc_node mm/slub.c:4375 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
fib6_info_alloc+0x40/0x160 net/ipv6/ip6_fib.c:155
ip6_route_info_create+0x14c/0x870 net/ipv6/route.c:3811
ip6_route_add.part.0+0x22/0x1d0 net/ipv6/route.c:3940
ip6_route_add+0x45/0x60 net/ipv6/route.c:3937
addrconf_prefix_route+0x2fd/0x510 net/ipv6/addrconf.c:2488
fixup_permanent_addr net/ipv6/addrconf.c:3598 [inline]
addrconf_permanent_addr net/ipv6/addrconf.c:3622 [inline]
addrconf_notify+0x12c6/0x19e0 net/ipv6/addrconf.c:3694
notifier_call_chain+0xbc/0x410 kernel/notifier.c:85
call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2229
page last free pid 5524 tgid 5524 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
skb_kfree_head net/core/skbuff.c:1047 [inline]
skb_free_head+0x114/0x210 net/core/skbuff.c:1059
skb_release_data+0x795/0x9e0 net/core/skbuff.c:1086
skb_release_all net/core/skbuff.c:1151 [inline]
__kfree_skb net/core/skbuff.c:1165 [inline]
consume_skb net/core/skbuff.c:1397 [inline]
consume_skb+0xbf/0x100 net/core/skbuff.c:1391
__unix_dgram_recvmsg+0x779/0xc30 net/unix/af_unix.c:2683
unix_dgram_recvmsg net/unix/af_unix.c:2700 [inline]
unix_seqpacket_recvmsg+0x11c/0x170 net/unix/af_unix.c:2567
sock_recvmsg_nosec net/socket.c:1065 [inline]
sock_recvmsg+0x1f9/0x250 net/socket.c:1087
sock_read_iter+0x2b9/0x3b0 net/socket.c:1157
do_iter_readv_writev+0x743/0x9e0 fs/read_write.c:825
vfs_readv+0x4cb/0x8b0 fs/read_write.c:1018
do_readv+0x28c/0x340 fs/read_write.c:1080
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
==================================================================
==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x351/0x410 sound/usb/midi.c:243
Read of size 1 at addr ffff88802378d230 by task kworker/1:1/43
CPU: 1 UID: 0 PID: 43 Comm: kworker/1:1 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
snd_usbmidi_in_urb_complete+0x351/0x410 sound/usb/midi.c:243
__usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227
Code: 00 e8 a2 d3 28 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 20 e8 20 00 48 85 db 0f 85 55 01 00 00 e8 a2 ec 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 77 5f 86
RSP: 0018:ffffc90000b37428 EFLAGS: 00000293
RAX: ffffffff8f2f1658 RBX: 0000000000000000 RCX: ffffffff819aad70
RDX: ffff88801eab5a00 RSI: ffffffff819aad7e RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8f2f1658
R13: ffffffff8f2f1600 R14: ffffc90000b374b8 R15: dffffc0000000000
__console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
console_unlock+0xd8/0x210 kernel/printk/printk.c:3325
vprintk_emit+0x418/0x6d0 kernel/printk/printk.c:2450
dev_vprintk_emit drivers/base/core.c:4914 [inline]
dev_printk_emit+0xfa/0x140 drivers/base/core.c:4925
__dev_printk+0xf5/0x270 drivers/base/core.c:4937
_dev_info+0xe4/0x120 drivers/base/core.c:4983
announce_device drivers/usb/core/hub.c:2407 [inline]
usb_new_device+0x7d6/0x1a60 drivers/usb/core/hub.c:2675
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6486:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
__snd_usbmidi_create+0xe4/0x1e90 sound/usb/midi.c:2534
snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 6486:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4894
snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
__snd_device_free+0x1a7/0x410 sound/core/device.c:76
snd_device_free_all+0xf3/0x220 sound/core/device.c:233
snd_card_do_free sound/core/init.c:587 [inline]
release_card_device+0x77/0x1d0 sound/core/init.c:153
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3797
snd_card_free_when_closed sound/core/init.c:618 [inline]
snd_card_free_when_closed sound/core/init.c:612 [inline]
snd_card_free+0x11a/0x190 sound/core/init.c:650
usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88802378d000
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 560 bytes inside of
freed 1024-byte region [ffff88802378d000, ffff88802378d400)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23788
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5602, tgid 5602 (start-stop-daem), ts 71829928370, free_ts 71793603330
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2492 [inline]
allocate_slab mm/slub.c:2660 [inline]
new_slab+0x247/0x330 mm/slub.c:2714
___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
__slab_alloc_node mm/slub.c:4067 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
__do_kmalloc_node mm/slub.c:4375 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
tomoyo_init_log+0x1385/0x2140 security/tomoyo/audit.c:275
tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198
tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63
tomoyo_environ security/tomoyo/domain.c:672 [inline]
tomoyo_find_next_domain+0xec2/0x20b0 security/tomoyo/domain.c:888
tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
tomoyo_bprm_check_security+0x12e/0x1d0 security/tomoyo/tomoyo.c:92
security_bprm_check+0x1b9/0x1e0 security/security.c:1302
search_binary_handler fs/exec.c:1660 [inline]
exec_binprm fs/exec.c:1702 [inline]
bprm_execve fs/exec.c:1754 [inline]
bprm_execve+0x81a/0x1640 fs/exec.c:1730
do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1860
page last free pid 5600 tgid 5600 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
kasan_slab_alloc include/linux/kasan.h:250 [inline]
slab_post_alloc_hook mm/slub.c:4191 [inline]
slab_alloc_node mm/slub.c:4240 [inline]
kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4247
vm_area_alloc+0x1f/0x160 mm/vma_init.c:31
__mmap_new_vma mm/vma.c:2461 [inline]
__mmap_region+0xf90/0x27b0 mm/vma.c:2669
mmap_region+0x1ab/0x3f0 mm/vma.c:2739
do_mmap+0xa3e/0x1210 mm/mmap.c:558
vm_mmap_pgoff+0x29e/0x470 mm/util.c:580
ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:604
__do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
__se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
__x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88802378d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802378d180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802378d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88802378d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88802378d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x3e1/0x410 sound/usb/midi.c:254
Write of size 1 at addr ffff88805ccd6943 by task kworker/1:1/43
CPU: 1 UID: 0 PID: 43 Comm: kworker/1:1 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
snd_usbmidi_in_urb_complete+0x3e1/0x410 sound/usb/midi.c:254
__usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
__run_hrtimer kernel/time/hrtimer.c:1761 [inline]
__hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
</IRQ>
<TASK>
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227
Code: 00 e8 a2 d3 28 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 20 e8 20 00 48 85 db 0f 85 55 01 00 00 e8 a2 ec 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 77 5f 86
RSP: 0018:ffffc90000b37428 EFLAGS: 00000293
RAX: ffffffff8f2f1658 RBX: 0000000000000000 RCX: ffffffff819aad70
RDX: ffff88801eab5a00 RSI: ffffffff819aad7e RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8f2f1658
R13: ffffffff8f2f1600 R14: ffffc90000b374b8 R15: dffffc0000000000
__console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
console_unlock+0xd8/0x210 kernel/printk/printk.c:3325
vprintk_emit+0x418/0x6d0 kernel/printk/printk.c:2450
dev_vprintk_emit drivers/base/core.c:4914 [inline]
dev_printk_emit+0xfa/0x140 drivers/base/core.c:4925
__dev_printk+0xf5/0x270 drivers/base/core.c:4937
_dev_info+0xe4/0x120 drivers/base/core.c:4983
announce_device drivers/usb/core/hub.c:2407 [inline]
usb_new_device+0x7d6/0x1a60 drivers/usb/core/hub.c:2675
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Allocated by task 6486:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kmalloc_noprof include/linux/slab.h:905 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1349
snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2371
__snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2654
snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 6486:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4894
snd_usbmidi_free sound/usb/midi.c:1539 [inline]
snd_usbmidi_rawmidi_free+0xbd/0x130 sound/usb/midi.c:1599
snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
__snd_device_free+0x1a7/0x410 sound/core/device.c:76
snd_device_free_all+0xf3/0x220 sound/core/device.c:233
snd_card_do_free sound/core/init.c:587 [inline]
release_card_device+0x77/0x1d0 sound/core/init.c:153
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3797
snd_card_free_when_closed sound/core/init.c:618 [inline]
snd_card_free_when_closed sound/core/init.c:612 [inline]
snd_card_free+0x11a/0x190 sound/core/init.c:650
usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff88805ccd6800
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 323 bytes inside of
freed 512-byte region [ffff88805ccd6800, ffff88805ccd6a00)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ccd4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b841c80 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b841c80 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001733501 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6287, tgid 6287 (syz-executor), ts 181369771590, free_ts 181363057805
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2492 [inline]
allocate_slab mm/slub.c:2660 [inline]
new_slab+0x247/0x330 mm/slub.c:2714
___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
__slab_alloc_node mm/slub.c:4067 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
__do_kmalloc_node mm/slub.c:4375 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
kzalloc_noprof include/linux/slab.h:1039 [inline]
fib6_info_alloc+0x40/0x160 net/ipv6/ip6_fib.c:155
ip6_route_info_create+0x14c/0x870 net/ipv6/route.c:3811
ip6_route_add.part.0+0x22/0x1d0 net/ipv6/route.c:3940
ip6_route_add+0x45/0x60 net/ipv6/route.c:3937
addrconf_prefix_route+0x2fd/0x510 net/ipv6/addrconf.c:2488
fixup_permanent_addr net/ipv6/addrconf.c:3598 [inline]
addrconf_permanent_addr net/ipv6/addrconf.c:3622 [inline]
addrconf_notify+0x12c6/0x19e0 net/ipv6/addrconf.c:3694
notifier_call_chain+0xbc/0x410 kernel/notifier.c:85
call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2229
page last free pid 5524 tgid 5524 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1395 [inline]
__free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
skb_kfree_head net/core/skbuff.c:1047 [inline]
skb_free_head+0x114/0x210 net/core/skbuff.c:1059
skb_release_data+0x795/0x9e0 net/core/skbuff.c:1086
skb_release_all net/core/skbuff.c:1151 [inline]
__kfree_skb net/core/skbuff.c:1165 [inline]
consume_skb net/core/skbuff.c:1397 [inline]
consume_skb+0xbf/0x100 net/core/skbuff.c:1391
__unix_dgram_recvmsg+0x779/0xc30 net/unix/af_unix.c:2683
unix_dgram_recvmsg net/unix/af_unix.c:2700 [inline]
unix_seqpacket_recvmsg+0x11c/0x170 net/unix/af_unix.c:2567
sock_recvmsg_nosec net/socket.c:1065 [inline]
sock_recvmsg+0x1f9/0x250 net/socket.c:1087
sock_read_iter+0x2b9/0x3b0 net/socket.c:1157
do_iter_readv_writev+0x743/0x9e0 fs/read_write.c:825
vfs_readv+0x4cb/0x8b0 fs/read_write.c:1018
do_readv+0x28c/0x340 fs/read_write.c:1080
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff88805ccd6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805ccd6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805ccd6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805ccd6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805ccd6a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
0: 00 e8 add %ch,%al
2: a2 d3 28 00 9c 5b 81 movabs %al,0xe3815b9c0028d3
9: e3 00
b: 02 00 add (%rax),%al
d: 00 31 add %dh,(%rcx)
f: ff 48 89 decl -0x77(%rax)
12: de e8 fsubrp %st,%st(0)
14: 20 e8 and %ch,%al
16: 20 00 and %al,(%rax)
18: 48 85 db test %rbx,%rbx
1b: 0f 85 55 01 00 00 jne 0x176
21: e8 a2 ec 20 00 call 0x20ecc8
26: fb sti
27: 4c 89 e0 mov %r12,%rax
* 2a: 48 c1 e8 03 shr $0x3,%rax <-- trapping instruction
2e: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1)
33: 0f 84 11 ff ff ff je 0xffffff4a
39: 4c 89 e7 mov %r12,%rdi
3c: e8 .byte 0xe8
3d: 77 5f ja 0x9e
3f: 86 .byte 0x86
Tested on:
commit: fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=102f3d34580000
kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=175302e2580000
^ permalink raw reply [flat|nested] 22+ messages in thread
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 10:36 ` Jeongjun Park
@ 2025-09-27 11:52 ` Takashi Iwai
2025-09-27 12:15 ` Jeongjun Park
2025-09-27 15:41 ` Jeongjun Park
0 siblings, 2 replies; 22+ messages in thread
From: Takashi Iwai @ 2025-09-27 11:52 UTC (permalink / raw)
To: Jeongjun Park
Cc: syzbot, clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
On Sat, 27 Sep 2025 12:36:07 +0200,
Jeongjun Park wrote:
>
> syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
> >
> > ==================================================================
> > BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
> > Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866
> >
>
> Wow, the UAF bug still occurs?
>
> But... this UAF seems to be a problem with how midi handles urb rather
> than a problem with my patch.
>
> Is there something wrong with the way snd_usbmidi_in_urb_complete() is
> implemented?
This can be rather a missing kill-and-cleanup in the code path.
So the patch like below.
Could you check whether this works for you instead of your fix, too?
timer_shutdown_sync() is already called in snd_usbmidi_disconnect(),
and the call in snd_usbmidi_free() should be superfluous after this
change.
thanks,
Takashi
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ if (!umidi->disconnected)
+ snd_usbmidi_disconnect(&umidi->list);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
if (ep->out)
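Review bot: the loop that follows this hunk still runs the per-endpoint delete helpers (the `if (ep->out)` context line, and snd_usbmidi_in_endpoint_delete(ep->in) further down in this function) on endpoints that the snd_usbmidi_disconnect() call added here has just torn down, and the cover text says the timer_shutdown_sync() later in snd_usbmidi_free() becomes superfluous; drop those now-redundant calls in the same patch, or state why running them a second time after the disconnect path is safe. The new `if (!umidi->disconnected)` also reads the flag without umidi->mutex; that is fine only because snd_usbmidi_free() runs from the card's final release (snd_card_free -> release_card_device -> snd_rawmidi_dev_free in the reported free stack), after any concurrent disconnect has completed, which deserves a one-line comment above the check.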
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 10:55 ` syzbot
@ 2025-09-27 11:53 ` Takashi Iwai
2025-09-27 14:30 ` syzbot
0 siblings, 1 reply; 22+ messages in thread
From: Takashi Iwai @ 2025-09-27 11:53 UTC (permalink / raw)
To: syzbot
Cc: aha310510, clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
On Sat, 27 Sep 2025 12:55:01 +0200,
syzbot wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-use-after-free Read in snd_usbmidi_in_urb_complete
Another try.
#syz test upstream master
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ if (!umidi->disconnected)
+ snd_usbmidi_disconnect(&umidi->list);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
if (ep->out)
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 11:52 ` Takashi Iwai
@ 2025-09-27 12:15 ` Jeongjun Park
2025-09-27 15:41 ` Jeongjun Park
1 sibling, 0 replies; 22+ messages in thread
From: Jeongjun Park @ 2025-09-27 12:15 UTC (permalink / raw)
To: Takashi Iwai
Cc: syzbot, clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs
Hi,
Takashi Iwai <tiwai@suse.de> wrote:
>
> On Sat, 27 Sep 2025 12:36:07 +0200,
> Jeongjun Park wrote:
> >
> > syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
> > >
> > > ==================================================================
> > > BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
> > > Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866
> > >
> >
> > Wow, the UAF bug still occurs?
> >
> > But... this UAF seems to be a problem with how midi handles urb rather
> > than a problem with my patch.
> >
> > Is there something wrong with the way snd_usbmidi_in_urb_complete() is
> > implemented?
>
> This can be rather a missing kill-and-cleanup in the code path.
> So the patch like below.
>
> Could you check whether this works for you instead of your fix, too?
> timer_shutdown_sync() is already called in snd_usbmidi_disconnect(),
> and the call in snd_usbmidi_free() should be superfluous after this
> change.
>
I'm not an expert on the usbmidi driver, but based on my analysis so far,
I think this patch is the most appropriate.
And I tested it with the PoC I have, and no UAF occurred. If the syzbot
test doesn't produce any bugs, I think it would be a good idea to apply
this patch.
>
> thanks,
>
> Takashi
>
> --- a/sound/usb/midi.c
> +++ b/sound/usb/midi.c
> @@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> {
> int i;
>
> + if (!umidi->disconnected)
> + snd_usbmidi_disconnect(&umidi->list);
> +
> for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
> struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
> if (ep->out)
Regards,
Jeongjun Park
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 11:53 ` Takashi Iwai
@ 2025-09-27 14:30 ` syzbot
2025-09-27 15:50 ` Jeongjun Park
0 siblings, 1 reply; 22+ messages in thread
From: syzbot @ 2025-09-27 14:30 UTC (permalink / raw)
To: aha310510, clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Tested-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Tested on:
commit: fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12cc82e2580000
kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=124c5f12580000
Note: testing is done by a robot and is best-effort only.
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 11:52 ` Takashi Iwai
2025-09-27 12:15 ` Jeongjun Park
@ 2025-09-27 15:41 ` Jeongjun Park
2025-09-27 16:07 ` Takashi Iwai
1 sibling, 1 reply; 22+ messages in thread
From: Jeongjun Park @ 2025-09-27 15:41 UTC (permalink / raw)
To: tiwai
Cc: aha310510, clemens, hdanton, linux-kernel, linux-sound, perex,
syzbot+f02665daa2abeef4a947, syzkaller-bugs
Hi,
Takashi Iwai <tiwai@suse.de> wrote:
>
> On Sat, 27 Sep 2025 12:36:07 +0200,
> Jeongjun Park wrote:
> >
> > syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote:
> > >
> > > Hello,
> > >
> > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
> > >
> > > ==================================================================
> > > BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
> > > Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866
> > >
> >
> > Wow, the UAF bug still occurs?
> >
> > But... this UAF seems to be a problem with how midi handles urb rather
> > than a problem with my patch.
> >
> > Is there something wrong with the way snd_usbmidi_in_urb_complete() is
> > implemented?
>
> This can be rather a missing kill-and-cleanup in the code path.
> So the patch like below.
>
> Could you check whether this works for you instead of your fix, too?
> timer_shutdown_sync() is already called in snd_usbmidi_disconnect(),
> and the call in snd_usbmidi_free() should be superfluous after this
> change.
>
Since both my tests and syzbot tests did not cause any bugs when applying
this patch, I think the root cause of this vulnerability is the missing
kill error_timer + urb.
So, I think it would be okay to patch it this way, but in addition, since
most of the endpoint delete-related code that existed in
snd_usbmidi_free() is now done in snd_usbmidi_disconnect(),
I think it would be appropriate to modify it to only perform
kfree(ep->out) as in this patch below.
---
sound/usb/midi.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index acb3bf92857c..97e7e7662b12 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ if (!umidi->disconnected)
+ snd_usbmidi_disconnect(&umidi->list);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
- if (ep->out)
- snd_usbmidi_out_endpoint_delete(ep->out);
- if (ep->in)
- snd_usbmidi_in_endpoint_delete(ep->in);
+ kfree(ep->out);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
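Review bot: after this hunk snd_usbmidi_free() never frees ep->in, whereas the removed lines called snd_usbmidi_in_endpoint_delete(ep->in) and the report's free stack shows that was where the in-endpoint used to be released (snd_usbmidi_free sound/usb/midi.c:1539); that is correct only if snd_usbmidi_disconnect() now deletes ep->in and clears it, and only clears the URBs of ep->out without freeing the struct, which is why a bare kfree(ep->out) is all that remains. None of that dependency is visible in the diff, so add a comment above the loop, e.g. `/* in-endpoints and all URBs are released in snd_usbmidi_disconnect(); only the out-endpoint struct is left */`, and spell it out in the commit message, which is missing from this posting. Removing timer_shutdown_sync() here is fine given the earlier cover text that snd_usbmidi_disconnect() already calls it and the new early call guarantees it has run before this point.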
--
>
> thanks,
>
> Takashi
>
> --- a/sound/usb/midi.c
> +++ b/sound/usb/midi.c
> @@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> {
> int i;
>
> + if (!umidi->disconnected)
> + snd_usbmidi_disconnect(&umidi->list);
> +
> for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
> struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
> if (ep->out)
Regards,
Jeongjun Park
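The teardown order both posters converge on above (mark the device disconnected, kill the URBs and the error timer synchronously, and only then free the endpoint structures) as a small added model in C. This is not code from the thread or from sound/usb/midi.c: the struct and function names (midi_in_ep, kill_urb, ep_disconnect, scenario, ...) are this example's own, the host-controller completion queue and the KASAN-like live-object set are simulations, and the URB payloads are constructed. scenario(false) replays the pre-patch order, freeing with completions still queued, and counts four completions landing on a freed endpoint; scenario(true) applies the disconnect-first order and counts none.

```c
/* Added example, not code from the thread or from sound/usb/midi.c: a
 * single-threaded model of the teardown order the thread settles on.  A fake
 * host-controller queue gives completed URBs back to a handler that writes into
 * its endpoint via urb->context, as snd_usbmidi_in_urb_complete() does.  A
 * live-object set stands in for KASAN.  All names here are hypothetical. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define MAX_URBS 4
#define MAX_PENDING 16

struct urb { struct midi_in_ep *ep; int bytes; };   /* ep plays urb->context */
struct midi_in_ep {
	bool disconnected;
	unsigned char last_byte;
	struct urb urbs[MAX_URBS];
};

static struct urb *pending[MAX_PENDING];   /* URBs the HCD will give back */
static size_t npending;
static struct midi_in_ep *live[8];         /* objects KASAN considers allocated */
static size_t nlive;
static int uaf_detected;

static bool is_live(const struct midi_in_ep *ep)
{
	for (size_t i = 0; i < nlive; i++)
		if (live[i] == ep) return true;
	return false;
}

/* usb_kill_urb() analogue: synchronous unlink, u cannot complete afterwards. */
static void kill_urb(struct urb *u)
{
	for (size_t i = 0; i < npending; i++)
		if (pending[i] == u) {
			pending[i] = pending[--npending];  /* order is irrelevant here */
			return;
		}
}

/* Modelled on snd_usbmidi_in_urb_complete(): touch the endpoint, resubmit. */
static void in_urb_complete(struct urb *u)
{
	struct midi_in_ep *ep = u->ep;
	if (!is_live(ep)) {        /* KASAN would report slab-use-after-free here */
		uaf_detected++;
		return;
	}
	ep->last_byte = (unsigned char)u->bytes;
	if (!ep->disconnected)
		pending[npending++] = u;
}

/* Deliver one batch of completions; resubmissions wait for the next batch. */
static void run_completions(void)
{
	struct urb *batch[MAX_PENDING];
	size_t n = npending;
	memcpy(batch, pending, n * sizeof *batch);
	npending = 0;
	for (size_t i = 0; i < n; i++)
		in_urb_complete(batch[i]);
}

/* The order the thread's patch enforces: disconnect before freeing. */
static void ep_disconnect(struct midi_in_ep *ep)
{
	ep->disconnected = true;           /* handler stops resubmitting */
	for (int i = 0; i < MAX_URBS; i++)
		kill_urb(&ep->urbs[i]);        /* nothing in flight can reach ep now */
}

/* kfree() stand-in: the object leaves the live set; memory is reused later. */
static void ep_free(struct midi_in_ep *ep, bool disconnect_first)
{
	if (disconnect_first && !ep->disconnected)
		ep_disconnect(ep);
	for (size_t i = 0; i < nlive; i++)
		if (live[i] == ep) live[i] = live[--nlive];
}

/* One hot-unplug scenario; returns how many completions hit freed memory. */
int scenario(bool disconnect_first)
{
	struct midi_in_ep *ep = calloc(1, sizeof *ep);
	npending = nlive = 0; uaf_detected = 0;
	live[nlive++] = ep;
	for (int i = 0; i < MAX_URBS; i++) {
		ep->urbs[i].ep = ep;
		ep->urbs[i].bytes = 0x90 + i;  /* constructed payload */
		pending[npending++] = &ep->urbs[i];
	}
	run_completions();                 /* device traffic: 4 complete, 4 resubmit */
	ep_free(ep, disconnect_first);
	run_completions();                 /* HCD gives back what is still queued */
	int bad = uaf_detected;
	free(ep);                          /* real release, once the queue is idle */
	return bad;
}
```

The model is deliberately single-threaded. In the report the free runs from the hub worker (hub_event -> usb_audio_probe -> snd_card_free) while the completion runs in softirq context, so in the real driver the kill step has to be synchronous: usb_kill_urb() and timer_shutdown_sync() wait for a handler that is already running to return, which a bare flag cannot do.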
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 14:30 ` syzbot
@ 2025-09-27 15:50 ` Jeongjun Park
2025-09-27 16:17 ` syzbot
0 siblings, 1 reply; 22+ messages in thread
From: Jeongjun Park @ 2025-09-27 15:50 UTC (permalink / raw)
To: syzbot+f02665daa2abeef4a947
Cc: aha310510, clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch and the reproducer did not trigger any issue:
>
> Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
> Tested-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
>
> Tested on:
>
#syz test upstream master
---
sound/usb/midi.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index acb3bf92857c..97e7e7662b12 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ if (!umidi->disconnected)
+ snd_usbmidi_disconnect(&umidi->list);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
- if (ep->out)
- snd_usbmidi_out_endpoint_delete(ep->out);
- if (ep->in)
- snd_usbmidi_in_endpoint_delete(ep->in);
+ kfree(ep->out);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
--
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 15:41 ` Jeongjun Park
@ 2025-09-27 16:07 ` Takashi Iwai
0 siblings, 0 replies; 22+ messages in thread
From: Takashi Iwai @ 2025-09-27 16:07 UTC (permalink / raw)
To: Jeongjun Park
Cc: tiwai, clemens, hdanton, linux-kernel, linux-sound, perex,
syzbot+f02665daa2abeef4a947, syzkaller-bugs
On Sat, 27 Sep 2025 17:41:09 +0200,
Jeongjun Park wrote:
>
> Hi,
>
> Takashi Iwai <tiwai@suse.de> wrote:
> >
> > On Sat, 27 Sep 2025 12:36:07 +0200,
> > Jeongjun Park wrote:
> > >
> > > syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote:
> > > >
> > > > Hello,
> > > >
> > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> > > > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
> > > >
> > > > ==================================================================
> > > > BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
> > > > Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866
> > > >
> > >
> > > Wow, the UAF bug still occurs?
> > >
> > > But... this UAF seems to be a problem with how midi handles urb rather
> > > than a problem with my patch.
> > >
> > > Is there something wrong with the way snd_usbmidi_in_urb_complete() is
> > > implemented?
> >
> > This can be rather a missing kill-and-cleanup in the code path.
> > So the patch like below.
> >
> > Could you check whether this works for you instead of your fix, too?
> > timer_shutdown_sync() is already called in snd_usbmidi_disconnect(),
> > and the call in snd_usbmidi_free() should be superfluous after this
> > change.
> >
>
> Since both my tests and syzbot tests did not cause any bugs when applying
> this patch, I think the root cause of this vulnerability is the missing
> kill error_timer + urb.
>
> So, I think it would be okay to patch it this way, but in addition, since
> most of the endpoint delete-related code that existed in
> snd_usbmidi_free() is now done in snd_usbmidi_disconnect(),
> I think it would be appropriate to modify it to only perform
> kfree(ep->out) as in this patch below.
Yes, it makes sense.
thanks,
Takashi
> ---
> sound/usb/midi.c | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/sound/usb/midi.c b/sound/usb/midi.c
> index acb3bf92857c..97e7e7662b12 100644
> --- a/sound/usb/midi.c
> +++ b/sound/usb/midi.c
> @@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> {
> int i;
>
> + if (!umidi->disconnected)
> + snd_usbmidi_disconnect(&umidi->list);
> +
> for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
> struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
> - if (ep->out)
> - snd_usbmidi_out_endpoint_delete(ep->out);
> - if (ep->in)
> - snd_usbmidi_in_endpoint_delete(ep->in);
> + kfree(ep->out);
> }
> mutex_destroy(&umidi->mutex);
> - timer_shutdown_sync(&umidi->error_timer);
> kfree(umidi);
> }
>
> --
>
> >
> > thanks,
> >
> > Takashi
> >
> > --- a/sound/usb/midi.c
> > +++ b/sound/usb/midi.c
> > @@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> > {
> > int i;
> >
> > + if (!umidi->disconnected)
> > + snd_usbmidi_disconnect(&umidi->list);
> > +
> > for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
> > struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
> > if (ep->out)
>
> Regards,
> Jeongjun Park
* Re: [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output
2025-09-27 15:50 ` Jeongjun Park
@ 2025-09-27 16:17 ` syzbot
0 siblings, 0 replies; 22+ messages in thread
From: syzbot @ 2025-09-27 16:17 UTC (permalink / raw)
To: aha310510, clemens, hdanton, linux-kernel, linux-sound, perex,
syzkaller-bugs, tiwai
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Tested-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Tested on:
commit: fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16295f12580000
kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=169eb142580000
Note: testing is done by a robot and is best-effort only.
end of thread, other threads:[~2025-09-27 16:17 UTC | newest]
Thread overview: 22+ messages
2025-09-27 4:41 [PATCH] ALSA: usb-audio: fix race condition to UAF in snd_usbmidi_free Jeongjun Park
2025-09-27 8:01 ` Takashi Iwai
2025-09-27 8:48 ` Jeongjun Park
2025-09-27 9:39 ` Takashi Iwai
2025-09-27 9:19 ` Hillf Danton
2025-09-27 10:03 ` [syzbot] [sound?] [usb?] general protection fault in snd_usbmidi_do_output syzbot
2025-09-27 10:29 ` Takashi Iwai
2025-09-27 10:55 ` syzbot
2025-09-27 11:53 ` Takashi Iwai
2025-09-27 14:30 ` syzbot
2025-09-27 15:50 ` Jeongjun Park
2025-09-27 16:17 ` syzbot
2025-09-27 10:36 ` Jeongjun Park
2025-09-27 11:52 ` Takashi Iwai
2025-09-27 12:15 ` Jeongjun Park
2025-09-27 15:41 ` Jeongjun Park
2025-09-27 16:07 ` Takashi Iwai
-- strict thread matches above, loose matches on Subject: below --
2025-09-22 16:54 syzbot
2025-09-23 0:48 ` Hillf Danton
2025-09-23 2:22 ` syzbot
2025-09-23 7:39 ` Hillf Danton
2025-09-23 9:48 ` syzbot