| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/07/05 | upstream (ToT) | a79a588fc176 | C | [report] WARNING in usb_free_urb |
syzbot |
sign-in | mailing list | source | docs |
| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/07/05 | upstream (ToT) | a79a588fc176 | C | [report] WARNING in usb_free_urb |
================================================================== BUG: KASAN: slab-use-after-free in __lock_acquire+0xff/0x7c80 kernel/locking/lockdep.c:5005 Read of size 8 at addr ffff8880604a1098 by task kworker/1:1/27 CPU: 1 PID: 27 Comm: kworker/1:1 Not tainted 6.6.95-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: events do_submit_urb Call Trace: <TASK> dump_stack_lvl+0x16c/0x230 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:364 [inline] print_report+0xac/0x230 mm/kasan/report.c:475 kasan_report+0x117/0x150 mm/kasan/report.c:588 __lock_acquire+0xff/0x7c80 kernel/locking/lockdep.c:5005 lock_acquire+0x197/0x410 kernel/locking/lockdep.c:5754 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0xa8/0xf0 kernel/locking/spinlock.c:162 get_entry drivers/media/common/siano/smscoreapi.c:1633 [inline] smscore_getbuffer+0xa9/0x440 drivers/media/common/siano/smscoreapi.c:1646 smsusb_submit_urb drivers/media/usb/siano/smsusb.c:155 [inline] do_submit_urb+0x98/0x360 drivers/media/usb/siano/smsusb.c:75 process_one_work kernel/workqueue.c:2634 [inline] process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792 kthread+0x2fa/0x390 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 </TASK> Allocated by task 5814: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4e/0x70 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:374 [inline] __kasan_kmalloc+0x8f/0xa0 mm/kasan/common.c:383 kmalloc include/linux/slab.h:600 [inline] kzalloc include/linux/slab.h:721 [inline] smscore_register_device+0x63/0x10f0 drivers/media/common/siano/smscoreapi.c:650 smsusb_init_device drivers/media/usb/siano/smsusb.c:455 [inline] smsusb_probe+0x1362/0x1da0 drivers/media/usb/siano/smsusb.c:569 usb_probe_interface+0x5a4/0xb00 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x25b/0xb40 drivers/base/dd.c:658 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:800 driver_probe_device+0x4f/0x420 drivers/base/dd.c:830 __device_attach_driver+0x2ca/0x520 drivers/base/dd.c:958 bus_for_each_drv+0x24b/0x2d0 drivers/base/bus.c:459 __device_attach+0x2b5/0x400 drivers/base/dd.c:1030 bus_probe_device+0x180/0x260 drivers/base/bus.c:534 device_add+0x85b/0xc20 drivers/base/core.c:3683 usb_set_configuration+0x1a79/0x20c0 drivers/usb/core/message.c:2207 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:238 usb_probe_device+0x13d/0x280 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x25b/0xb40 drivers/base/dd.c:658 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:800 driver_probe_device+0x4f/0x420 drivers/base/dd.c:830 __device_attach_driver+0x2ca/0x520 drivers/base/dd.c:958 bus_for_each_drv+0x24b/0x2d0 drivers/base/bus.c:459 __device_attach+0x2b5/0x400 drivers/base/dd.c:1030 bus_probe_device+0x180/0x260 drivers/base/bus.c:534 device_add+0x85b/0xc20 drivers/base/core.c:3683 usb_new_device+0xa31/0x1630 drivers/usb/core/hub.c:2632 hub_port_connect drivers/usb/core/hub.c:5501 [inline] hub_port_connect_change drivers/usb/core/hub.c:5641 [inline] port_event drivers/usb/core/hub.c:5801 [inline] hub_event+0x2957/0x49c0 drivers/usb/core/hub.c:5883 process_one_work kernel/workqueue.c:2634 [inline] process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792 kthread+0x2fa/0x390 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 Freed by task 5814: kasan_save_stack mm/kasan/common.c:45 [inline] kasan_set_track+0x4e/0x70 mm/kasan/common.c:52 kasan_save_free_info+0x2e/0x50 mm/kasan/generic.c:522 ____kasan_slab_free+0x126/0x1e0 mm/kasan/common.c:236 kasan_slab_free include/linux/kasan.h:164 [inline] slab_free_hook mm/slub.c:1806 [inline] slab_free_freelist_hook+0x130/0x1b0 mm/slub.c:1832 slab_free mm/slub.c:3816 [inline] __kmem_cache_free+0xba/0x1f0 mm/slub.c:3829 smscore_unregister_device+0x603/0x6e0 drivers/media/common/siano/smscoreapi.c:1242 smsusb_term_device+0x18f/0x220 drivers/media/usb/siano/smsusb.c:349 smsusb_init_device drivers/media/usb/siano/smsusb.c:491 [inline] smsusb_probe+0x1708/0x1da0 drivers/media/usb/siano/smsusb.c:569 usb_probe_interface+0x5a4/0xb00 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x25b/0xb40 drivers/base/dd.c:658 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:800 driver_probe_device+0x4f/0x420 drivers/base/dd.c:830 __device_attach_driver+0x2ca/0x520 drivers/base/dd.c:958 bus_for_each_drv+0x24b/0x2d0 drivers/base/bus.c:459 __device_attach+0x2b5/0x400 drivers/base/dd.c:1030 bus_probe_device+0x180/0x260 drivers/base/bus.c:534 device_add+0x85b/0xc20 drivers/base/core.c:3683 usb_set_configuration+0x1a79/0x20c0 drivers/usb/core/message.c:2207 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:238 usb_probe_device+0x13d/0x280 drivers/usb/core/driver.c:293 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x25b/0xb40 drivers/base/dd.c:658 __driver_probe_device+0x18c/0x330 drivers/base/dd.c:800 driver_probe_device+0x4f/0x420 drivers/base/dd.c:830 __device_attach_driver+0x2ca/0x520 drivers/base/dd.c:958 bus_for_each_drv+0x24b/0x2d0 drivers/base/bus.c:459 __device_attach+0x2b5/0x400 drivers/base/dd.c:1030 bus_probe_device+0x180/0x260 drivers/base/bus.c:534 device_add+0x85b/0xc20 drivers/base/core.c:3683 usb_new_device+0xa31/0x1630 drivers/usb/core/hub.c:2632 hub_port_connect drivers/usb/core/hub.c:5501 [inline] hub_port_connect_change drivers/usb/core/hub.c:5641 [inline] port_event drivers/usb/core/hub.c:5801 [inline] hub_event+0x2957/0x49c0 drivers/usb/core/hub.c:5883 process_one_work kernel/workqueue.c:2634 [inline] process_scheduled_works+0xa45/0x15b0 kernel/workqueue.c:2711 worker_thread+0xa55/0xfc0 kernel/workqueue.c:2792 kthread+0x2fa/0x390 kernel/kthread.c:388 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 The buggy address belongs to the object at ffff8880604a1000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 152 bytes inside of freed 2048-byte region [ffff8880604a1000, ffff8880604a1800) The buggy address belongs to the physical page: page:ffffea0001812800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x604a0 head:ffffea0001812800 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0 flags: 0xfff00000000840(slab|head|node=0|zone=1|lastcpupid=0x7ff) page_type: 0xffffffff() raw: 00fff00000000840 ffff888017842000 dead000000000100 dead000000000122 raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0x1d20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC|__GFP_HARDWALL), pid 5878, tgid 5878 (syz-executor), ts 98632945023, free_ts 27987823938 set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook+0x1cd/0x210 mm/page_alloc.c:1554 prep_new_page mm/page_alloc.c:1561 [inline] get_page_from_freelist+0x195c/0x19f0 mm/page_alloc.c:3191 __alloc_pages+0x1e3/0x460 mm/page_alloc.c:4457 alloc_slab_page+0x5d/0x170 mm/slub.c:1876 allocate_slab mm/slub.c:2023 [inline] new_slab+0x87/0x2e0 mm/slub.c:2076 ___slab_alloc+0xc6d/0x12f0 mm/slub.c:3230 __slab_alloc mm/slub.c:3329 [inline] __slab_alloc_node mm/slub.c:3382 [inline] slab_alloc_node mm/slub.c:3475 [inline] __kmem_cache_alloc_node+0x1a2/0x260 mm/slub.c:3524 __do_kmalloc_node mm/slab_common.c:1006 [inline] __kmalloc_node+0xa4/0x230 mm/slab_common.c:1014 kmalloc_node include/linux/slab.h:620 [inline] kzalloc_node include/linux/slab.h:732 [inline] qdisc_alloc+0x94/0xa50 net/sched/sch_generic.c:948 qdisc_create_dflt+0x63/0x430 net/sched/sch_generic.c:1009 attach_one_default_qdisc net/sched/sch_generic.c:1173 [inline] netdev_for_each_tx_queue include/linux/netdevice.h:2520 [inline] attach_default_qdiscs net/sched/sch_generic.c:1191 [inline] dev_activate+0x397/0x11a0 net/sched/sch_generic.c:1250 __dev_open+0x338/0x430 net/core/dev.c:1515 __dev_change_flags+0x20e/0x6a0 net/core/dev.c:8673 dev_change_flags+0x88/0x1a0 net/core/dev.c:8745 do_setlink+0xc74/0x3fb0 net/core/rtnetlink.c:2905 __rtnl_newlink net/core/rtnetlink.c:3703 [inline] rtnl_newlink+0x175b/0x2020 net/core/rtnetlink.c:3750 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1154 [inline] free_unref_page_prepare+0x7ce/0x8e0 mm/page_alloc.c:2336 free_unref_page+0x32/0x2e0 mm/page_alloc.c:2429 free_contig_range+0xa1/0x160 mm/page_alloc.c:6369 destroy_args+0x87/0x770 mm/debug_vm_pgtable.c:1015 debug_vm_pgtable+0x3cc/0x410 mm/debug_vm_pgtable.c:1395 do_one_initcall+0x1fd/0x750 init/main.c:1238 do_initcall_level+0x137/0x1f0 init/main.c:1300 do_initcalls+0x69/0xd0 init/main.c:1316 kernel_init_freeable+0x3d2/0x570 init/main.c:1553 kernel_init+0x1d/0x1c0 init/main.c:1443 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:152 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:293 Memory state around the buggy address: ffff8880604a0f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880604a1000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880604a1080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880604a1100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880604a1180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/07/03 01:35 | linux-6.6.y | 3f5b4c104b7d | bc80e4f0 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | |
| 2025/07/02 22:54 | linux-6.6.y | 3f5b4c104b7d | bc80e4f0 | .config | console log | report | syz / log | C | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | |
| 2025/08/19 13:38 | linux-6.6.y | bb9c90ab9c5a | 254a27c1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/08/06 22:38 | linux-6.6.y | 3a8ababb8b6a | 9a42d6b1 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/08/02 00:31 | linux-6.6.y | 3a8ababb8b6a | 7368264b | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/08/01 09:52 | linux-6.6.y | 3a8ababb8b6a | 0c075d67 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/18 20:48 | linux-6.6.y | d96eb99e2f0e | 7117feec | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/16 07:44 | linux-6.6.y | 9247f4e6573a | 124ec9cc | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/14 16:55 | linux-6.6.y | 9247f4e6573a | d8fc7335 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/14 16:54 | linux-6.6.y | 9247f4e6573a | d8fc7335 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/10 16:33 | linux-6.6.y | 59a2de10b81a | 956bd956 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/10 02:47 | linux-6.6.y | a5df3a702b2c | 956bd956 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/06 11:01 | linux-6.6.y | a5df3a702b2c | 4f67c4ae | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/05 06:58 | linux-6.6.y | 3f5b4c104b7d | 4f67c4ae | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/04 00:19 | linux-6.6.y | 3f5b4c104b7d | 76ad128c | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/03 04:11 | linux-6.6.y | 3f5b4c104b7d | 115ceea7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/02 00:14 | linux-6.6.y | 3f5b4c104b7d | 091a06cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer | ||
| 2025/07/02 00:08 | linux-6.6.y | 3f5b4c104b7d | 091a06cd | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-linux-6-6-kasan | KASAN: slab-use-after-free Read in smscore_getbuffer |