KASAN: slab-out-of-bounds Read in usbtmc

Title	Replies (including bot)	Last reply
[syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt	6 (13)	2025/08/17 06:56

Title

Replies (including bot)

Last reply

[syzbot] [usb?] KASAN: slab-out-of-bounds Read in usbtmc_interrupt

6 (13)

2025/08/17 06:56


Created	Duration	User	Patch	Repo	Result
2025/08/28 16:06	20m	retest repro		linux-next	error
2025/08/17 06:07	23m	hdanton@sina.com	patch	linux-next	OK log
2025/08/17 05:01	20m	hdanton@sina.com	patch	linux-next	report log
2025/08/17 04:12	17m	hdanton@sina.com	patch	linux-next	report log
2025/08/17 02:49	21m	hdanton@sina.com	patch	linux-next	report log
2025/08/17 02:08	8m	hdanton@sina.com	patch	linux-next	error
2025/08/16 05:18	9m	hdanton@sina.com	patch	linux-next	error

usbtmc 1-1:16.0: invalid notification: 33 usbtmc 1-1:16.0: invalid notification: 36 usbtmc 1-1:16.0: invalid notification: 8 ================================================================== BUG: KASAN: slab-out-of-bounds in usbtmc_interrupt+0x4c7/0x690 drivers/usb/class/usbtmc.c:2313 Read of size 1 at addr ffff8880291a69a1 by task swapper/1/0 CPU: 1 UID: 0 PID: 0 Comm: swapper/1 Not tainted 6.17.0-rc1-next-20250814-syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 Call Trace: <IRQ> dump_stack_lvl+0x189/0x250 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 usbtmc_interrupt+0x4c7/0x690 drivers/usb/class/usbtmc.c:2313 __usb_hcd_giveback_urb+0x376/0x540 drivers/usb/core/hcd.c:1661 dummy_timer+0x862/0x4550 drivers/usb/gadget/udc/dummy_hcd.c:1995 __run_hrtimer kernel/time/hrtimer.c:1761 [inline] __hrtimer_run_queues+0x52c/0xc60 kernel/time/hrtimer.c:1825 hrtimer_run_softirq+0x187/0x2b0 kernel/time/hrtimer.c:1842 handle_softirqs+0x286/0x870 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0xca/0x1f0 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1050 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:pv_native_safe_halt+0x13/0x20 arch/x86/kernel/paravirt.c:82 Code: 53 e8 02 00 cc cc cc 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 66 90 0f 00 2d 33 1a 25 00 f3 0f 1e fa fb f4 <c3> cc cc cc cc cc cc cc cc cc cc cc cc 90 90 90 90 90 90 90 90 90 RSP: 0018:ffffc90000197de0 EFLAGS: 000002c6 RAX: 01516c1b89febd00 RBX: ffffffff8196d368 RCX: 01516c1b89febd00 RDX: 0000000000000001 RSI: ffffffff8c04d960 RDI: ffffffff8196d368 RBP: ffffc90000197f20 R08: ffff8880b8732f9b R09: 1ffff110170e65f3 R10: dffffc0000000000 R11: ffffed10170e65f4 R12: ffffffff8fe4db30 R13: 0000000000000001 R14: 0000000000000001 R15: 1ffff11003a55b40 arch_safe_halt arch/x86/include/asm/paravirt.h:107 [inline] default_idle+0x13/0x20 arch/x86/kernel/process.c:757 default_idle_call+0x74/0xb0 kernel/sched/idle.c:122 cpuidle_idle_call kernel/sched/idle.c:190 [inline] do_idle+0x1e8/0x510 kernel/sched/idle.c:330 cpu_startup_entry+0x44/0x60 kernel/sched/idle.c:428 start_secondary+0x101/0x110 arch/x86/kernel/smpboot.c:315 common_startup_64+0x13e/0x147 </TASK> Allocated by task 44: kasan_save_stack mm/kasan/common.c:56 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:414 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4365 [inline] __kmalloc_noprof+0x27a/0x4f0 mm/slub.c:4377 kmalloc_noprof include/linux/slab.h:913 [inline] usbtmc_probe+0xa3a/0x1a60 drivers/usb/class/usbtmc.c:2456 usb_probe_interface+0x665/0xc30 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x26a/0x9e0 drivers/base/dd.c:659 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031 bus_probe_device+0x185/0x260 drivers/base/bus.c:537 device_add+0x7b6/0xb50 drivers/base/core.c:3689 usb_set_configuration+0x1a87/0x20e0 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250 usb_probe_device+0x1c4/0x390 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x26a/0x9e0 drivers/base/dd.c:659 __driver_probe_device+0x18c/0x2f0 drivers/base/dd.c:801 driver_probe_device+0x4f/0x430 drivers/base/dd.c:831 __device_attach_driver+0x2ce/0x530 drivers/base/dd.c:959 bus_for_each_drv+0x251/0x2e0 drivers/base/bus.c:462 __device_attach+0x2b8/0x400 drivers/base/dd.c:1031 bus_probe_device+0x185/0x260 drivers/base/bus.c:537 device_add+0x7b6/0xb50 drivers/base/core.c:3689 usb_new_device+0xa39/0x16f0 drivers/usb/core/hub.c:2694 hub_port_connect drivers/usb/core/hub.c:5566 [inline] hub_port_connect_change drivers/usb/core/hub.c:5706 [inline] port_event drivers/usb/core/hub.c:5870 [inline] hub_event+0x2958/0x4a20 drivers/usb/core/hub.c:5952 process_one_work kernel/workqueue.c:3236 [inline] process_scheduled_works+0xae1/0x17b0 kernel/workqueue.c:3319 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3400 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x3f9/0x770 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff8880291a69a0 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 0 bytes to the right of allocated 1-byte region [ffff8880291a69a0, ffff8880291a69a1) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x291a6 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000000 ffff88801a841500 dead000000000100 dead000000000122 raw: 0000000000000000 0000000080800080 00000000f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 16852153284, free_ts 0 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x240/0x2a0 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x21e4/0x22c0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x181/0x370 mm/page_alloc.c:5148 alloc_pages_mpol+0x232/0x4a0 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:2487 [inline] allocate_slab+0x8a/0x370 mm/slub.c:2655 new_slab mm/slub.c:2709 [inline] ___slab_alloc+0xbeb/0x1410 mm/slub.c:3891 __slab_alloc mm/slub.c:3981 [inline] __slab_alloc_node mm/slub.c:4056 [inline] slab_alloc_node mm/slub.c:4217 [inline] __do_kmalloc_node mm/slub.c:4364 [inline] __kmalloc_node_track_caller_noprof+0x2f8/0x4e0 mm/slub.c:4384 __kmemdup_nul mm/util.c:64 [inline] kstrdup+0x42/0x100 mm/util.c:84 __kernfs_new_node+0x9c/0x7e0 fs/kernfs/dir.c:633 kernfs_new_node+0x102/0x210 fs/kernfs/dir.c:713 kernfs_create_dir_ns+0x44/0x130 fs/kernfs/dir.c:1083 sysfs_create_dir_ns+0x123/0x280 fs/sysfs/dir.c:59 create_dir lib/kobject.c:73 [inline] kobject_add_internal+0x59f/0xb40 lib/kobject.c:240 kobject_add_varg lib/kobject.c:374 [inline] kobject_add+0x155/0x220 lib/kobject.c:426 device_add+0x408/0xb50 drivers/base/core.c:3627 usb_create_ep_devs+0x12c/0x230 drivers/usb/core/endpoint.c:170 page_owner free stack trace missing Memory state around the buggy address: ffff8880291a6880: 04 fc fc fc 04 fc fc fc 06 fc fc fc 04 fc fc fc ffff8880291a6900: 06 fc fc fc 06 fc fc fc fa fc fc fc fa fc fc fc >ffff8880291a6980: fa fc fc fc 01 fc fc fc 00 fc fc fc 00 fc fc fc ^ ffff8880291a6a00: 00 fc fc fc 06 fc fc fc 06 fc fc fc 06 fc fc fc ffff8880291a6a80: 07 fc fc fc 06 fc fc fc 06 fc fc fc 06 fc fc fc ================================================================== ---------------- Code disassembly (best guess): 0: 53 push %rbx 1: e8 02 00 cc cc call 0xcccc0008 6: cc int3 7: 90 nop 8: 90 nop 9: 90 nop a: 90 nop b: 90 nop c: 90 nop d: 90 nop e: 90 nop f: 90 nop 10: 90 nop 11: 90 nop 12: 90 nop 13: 90 nop 14: 90 nop 15: 90 nop 16: 90 nop 17: f3 0f 1e fa endbr64 1b: 66 90 xchg %ax,%ax 1d: 0f 00 2d 33 1a 25 00 verw 0x251a33(%rip) # 0x251a57 24: f3 0f 1e fa endbr64 28: fb sti 29: f4 hlt * 2a: c3 ret <-- trapping instruction 2b: cc int3 2c: cc int3 2d: cc int3 2e: cc int3 2f: cc int3 30: cc int3 31: cc int3 32: cc int3 33: cc int3 34: cc int3 35: cc int3 36: cc int3 37: 90 nop 38: 90 nop 39: 90 nop 3a: 90 nop 3b: 90 nop 3c: 90 nop 3d: 90 nop 3e: 90 nop 3f: 90 nop

Crashes (4):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2025/08/14 16:05	linux-next	931e46dcbc7e	dcc075fb	.config	strace log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci-upstream-rust-kasan-gce	KASAN: slab-out-of-bounds Read in usbtmc_interrupt
2025/08/14 12:35	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	c0485e864a2e	22ec1469	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-upstream-usb	KASAN: slab-out-of-bounds Read in usbtmc_interrupt
2025/08/14 11:30	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	c0485e864a2e	22ec1469	.config	console log	report	syz / log	C		[disk image] [vmlinux] [kernel image]	ci2-upstream-usb	KASAN: slab-out-of-bounds Read in usbtmc_interrupt
2025/08/14 10:25	https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing	c0485e864a2e	22ec1469	.config	console log	report			info	[disk image] [vmlinux] [kernel image]	ci2-upstream-usb	KASAN: slab-out-of-bounds Read in usbtmc_interrupt

Crashes (4):

Assets (help?)