syzbot


KASAN: vmalloc-out-of-bounds Read in kcov_remote_start

Status: upstream: reported on 2025/10/05 04:26
Subsystems: bluetooth usb
Labels: prio:normal
[Documentation on labels]
Reported-by: syzbot+8a173e13208949931dc7@syzkaller.appspotmail.com
Fix commit: kcov: fix data corruption and race conditions on PREEMPT_RT by moving saved remote state to task_struct
Patched on: [ci-upstream-linux-next-kasan-gce-root ci-upstream-rust-kasan-gce], missing on: [ci-qemu-gce-upstream-auto ci-qemu-native-arm64-kvm ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-qemu2-riscv64 ci-snapshot-upstream-root ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-badwrites-root ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce-386-root ci-upstream-kmsan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb]
First crash: 291d, last: 3h33m
✨ AI Jobs (1)
ID Workflow Result Correct Bug Created Started Finished Revision Error
4a93e1b2-5dbe-4aa4-aa4c-12062719945b assessment-security DenialOfService: ❌ Exploitable: ❌ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ❌ RemoteTrigger: ❌ Unprivileged: ❌ UserNamespace: ❌ VMGuestTrigger: ❌ VMHostTrigger: ❌ KASAN: vmalloc-out-of-bounds Read in kcov_remote_start 2026/05/23 06:13 2026/05/23 06:13 2026/05/23 07:07 c69befb30ac10e158cc9d1557b508ee3f0eca1de

			
		
Discussions (10)
Title Replies (including bot) Last reply
[PATCH v6] kcov: fix data corruption and race conditions on PREEMPT_RT by moving saved remote state to task_struct 5 (5) 2026/07/16 09:12
Re: [PATCH v5] kcov: fix data corruption and race conditions on PREEMPT_RT by moving saved remote state to task_struct 2 (2) 2026/07/10 10:43
[syzbot] Monthly bluetooth report (Jul 2026) 0 (1) 2026/07/04 04:32
[PATCH] kcov: fix potential kcov_mode corruption under CONFIG_PREEMPT_RT 5 (5) 2026/05/21 08:38
[syzbot] Monthly usb report (May 2026) 0 (1) 2026/05/02 12:32
[syzbot] Monthly bluetooth report (May 2026) 0 (1) 2026/05/02 12:32
[syzbot] Monthly bluetooth report (Apr 2026) 0 (1) 2026/04/01 07:42
[syzbot] Monthly bluetooth report (Jan 2026) 0 (1) 2026/01/28 22:38
[syzbot] Monthly bluetooth report (Dec 2025) 0 (1) 2025/12/29 08:12
[syzbot] [usb?] KASAN: vmalloc-out-of-bounds Read in kcov_remote_start 0 (1) 2025/10/05 04:26

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in __list_del_entry_valid_or_report+0xb5/0x190 lib/list_debug.c:65
BUG: KASAN: vmalloc-out-of-bounds in __list_del_entry_valid_or_report+0xb5/0x190 lib/list_debug.c:65
Read of size 8 at addr ffffc90006f31008 by task kworker/0:8/18394

CPU: 0 UID: 0 PID: 18394 Comm: kworker/0:8 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __list_del_entry_valid_or_report+0xb5/0x190 lib/list_debug.c:65
 __list_del_entry_valid include/linux/list.h:132 [inline]
 __list_del_entry include/linux/list.h:246 [inline]
 list_del include/linux/list.h:260 [inline]
 kcov_remote_area_get kernel/kcov.c:143 [inline]
 kcov_remote_start+0x295/0x6f0 kernel/kcov.c:930
 kcov_remote_start_usb include/linux/kcov.h:53 [inline]
 hub_event+0x15d/0x4cf0 drivers/usb/core/hub.c:5889
 process_one_work kernel/workqueue.c:3322 [inline]
 process_scheduled_works+0xa8e/0x14e0 kernel/workqueue.c:3405
 worker_thread+0xa47/0xfb0 kernel/workqueue.c:3486
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to a vmalloc virtual mapping
Memory state around the buggy address:
 ffffc90006f30f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90006f30f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90006f31000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                      ^
 ffffc90006f31080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90006f31100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (3307):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2026/07/19 11:56 upstream f2ec6312bf71 72524a66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/18 16:25 upstream 1229e2e57a5c 72524a66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/18 07:12 upstream af5e34a41cd6 72524a66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/18 02:11 upstream af5e34a41cd6 72524a66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/17 06:36 upstream fce2dfa773ce 7f27c57a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/16 14:19 upstream 37e2f878a7a6 8f30cfd7 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/16 06:53 upstream 58717b2a1365 27a8bd60 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/15 20:37 upstream 58717b2a1365 209f0369 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/15 18:26 upstream 58717b2a1365 209f0369 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/15 13:29 upstream 58717b2a1365 209f0369 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/15 08:05 upstream 58717b2a1365 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/15 06:29 upstream 58717b2a1365 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/15 04:58 upstream 58717b2a1365 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/14 18:01 upstream 3b029c035b34 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/14 16:43 upstream 3b029c035b34 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/14 13:25 upstream 3b029c035b34 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/14 09:06 upstream 0f26556c5eee 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/13 22:44 upstream 0f26556c5eee 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/13 05:48 upstream a13c140cc289 d78ea535 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/12 07:25 upstream cab9e339cfbc d78ea535 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/11 19:00 upstream d96fcfe1b7f9 d78ea535 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/05/22 20:33 upstream 45255ea1ca09 e16cf9f3 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/03/09 04:48 upstream 014441d1e4b2 5cb44a80 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2025/10/05 02:43 upstream d104e3d17f7b 49379ee0 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2025/10/01 04:17 upstream 50c19e20ed2e 65a0eece .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/08 03:35 linux-next 5c73cd9f0819 88a4b44c .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-rust-kasan-gce KASAN: vmalloc-out-of-bounds Read in kcov_remote_start
2026/07/19 13:17 upstream f2ec6312bf71 72524a66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in kcov_remote_start
2026/07/18 22:09 upstream 1229e2e57a5c 72524a66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/18 19:33 upstream 1229e2e57a5c 72524a66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in kcov_remote_start
2026/07/18 12:11 upstream af5e34a41cd6 72524a66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/18 11:03 upstream af5e34a41cd6 72524a66 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in kcov_remote_start
2026/07/17 20:29 upstream fce2dfa773ce 7f27c57a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/17 17:26 upstream fce2dfa773ce 7f27c57a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in kcov_remote_start
2026/07/17 10:15 upstream fce2dfa773ce 7f27c57a .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/16 12:48 upstream 37e2f878a7a6 27a8bd60 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/16 04:02 upstream 58717b2a1365 27a8bd60 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/16 02:20 upstream 58717b2a1365 27a8bd60 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in kcov_remote_start
2026/07/15 18:25 upstream 58717b2a1365 209f0369 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in kcov_remote_start
2026/07/15 12:08 upstream 58717b2a1365 209f0369 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in kcov_remote_start
2026/07/15 01:25 upstream 3b029c035b34 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in kcov_remote_start
2026/07/15 00:10 upstream 3b029c035b34 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in kcov_remote_start
2026/07/14 22:49 upstream 3b029c035b34 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/14 14:33 upstream 3b029c035b34 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/14 11:53 upstream 0f26556c5eee 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/14 06:49 upstream 0f26556c5eee 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/14 03:42 upstream 0f26556c5eee 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in kcov_remote_start
2026/07/14 02:10 upstream 0f26556c5eee 2130f682 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in kcov_remote_start
2026/07/13 15:03 upstream a13c140cc289 a870962e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in kcov_remote_start
2026/07/13 12:28 upstream a13c140cc289 a870962e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/13 11:09 upstream a13c140cc289 a870962e .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/12 18:03 upstream 44696aa3a489 d78ea535 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel paging request in kcov_remote_start
2026/07/12 12:17 upstream 44696aa3a489 d78ea535 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: corrupted list in kcov_remote_start
2026/07/11 22:34 upstream cab9e339cfbc d78ea535 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/11 17:31 upstream d96fcfe1b7f9 d78ea535 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce-smack-root BUG: unable to handle kernel NULL pointer dereference in kcov_remote_start
2026/07/08 14:04 linux-next 5c73cd9f0819 ab40da58 .config console log report info [disk image] [vmlinux] [kernel image] ci-upstream-linux-next-kasan-gce-root BUG: unable to handle kernel paging request in kcov_remote_start
* Struck through repros no longer work on HEAD.