==================================================================
BUG: KASAN: slab-use-after-free in instrument_atomic_read include/linux/instrumented.h:68 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
BUG: KASAN: slab-use-after-free in snd_usbmidi_error_timer+0x1fd/0x410 sound/usb/midi.c:355
Read of size 4 at addr ffff888029f04c10 by task udevd/5227
CPU: 1 UID: 0 PID: 5227 Comm: udevd Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x100/0x1b0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:68 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:32 [inline]
snd_usbmidi_error_timer+0x1fd/0x410 sound/usb/midi.c:355
call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers+0x6ef/0x960 kernel/time/timer.c:2372
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_release+0x183/0x2f0 kernel/locking/lockdep.c:5893
Code: 0f c1 05 f8 3d 3f 12 83 f8 01 0f 85 1d 01 00 00 9c 58 f6 c4 02 0f 85 08 01 00 00 41 f7 c5 00 02 00 00 74 01 fb 48 8b 44 24 10 <65> 48 2b 05 0d fc 3e 12 0f 85 58 01 00 00 48 83 c4 18 5b 41 5c 41
RSP: 0018:ffffc90003bef930 EFLAGS: 00000206
RAX: 3e0f3f8c25dfe600 RBX: ffffffff8e5c15a0 RCX: ffffc90003bef93c
RDX: 0000000000000000 RSI: ffffffff8de2c018 RDI: ffffffff8c163a00
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff823ac8dc
R13: 0000000000000202 R14: ffff888075e6bc00 R15: 0000000000000001
rcu_lock_release include/linux/rcupdate.h:341 [inline]
rcu_read_unlock include/linux/rcupdate.h:871 [inline]
__d_lookup+0x261/0x4a0 fs/dcache.c:2413
lookup_fast+0x17c/0x610 fs/namei.c:1766
walk_component+0x5b/0x5b0 fs/namei.c:2125
link_path_walk+0x627/0xe20 fs/namei.c:2497
path_openat+0x1b0/0x2cb0 fs/namei.c:4042
do_filp_open+0x20b/0x470 fs/namei.c:4073
do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f244daa7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc53d21dc0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f244e162880 RCX: 00007f244daa7407
RDX: 0000000000080000 RSI: 00007ffc53d21f40 RDI: ffffffffffffff9c
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00005564ffa1d7f5
R13: 00005564ffa1d7f5 R14: 0000000000000001 R15: 0000000000000000
Allocated by task 5960:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4376 [inline]
__kmalloc_noprof+0x223/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
usb_alloc_urb+0x66/0xa0 drivers/usb/core/urb.c:75
snd_usbmidi_in_endpoint_create+0xf2/0xa70 sound/usb/midi.c:1348
snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2363
__snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2646
snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 5960:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4894
urb_destroy drivers/usb/core/urb.c:27 [inline]
kref_put include/linux/kref.h:65 [inline]
usb_free_urb.part.0+0x9c/0x100 drivers/usb/core/urb.c:97
usb_free_urb+0x1f/0x30 drivers/usb/core/urb.c:96
free_urb_and_buffer sound/usb/midi.c:1309 [inline]
snd_usbmidi_in_endpoint_delete+0x114/0x220 sound/usb/midi.c:1322
snd_usbmidi_free sound/usb/midi.c:1530 [inline]
snd_usbmidi_rawmidi_free+0xb3/0x130 sound/usb/midi.c:1591
snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
__snd_device_free+0x1a7/0x410 sound/core/device.c:76
snd_device_free_all+0xf3/0x220 sound/core/device.c:233
snd_card_do_free sound/core/init.c:587 [inline]
release_card_device+0x77/0x1d0 sound/core/init.c:153
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3797
snd_card_free_when_closed sound/core/init.c:618 [inline]
snd_card_free_when_closed sound/core/init.c:612 [inline]
snd_card_free+0x11a/0x190 sound/core/init.c:650
usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888029f04c00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
freed 192-byte region [ffff888029f04c00, ffff888029f04cc0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29f04
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801b8413c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 24093831214, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2492 [inline]
allocate_slab mm/slub.c:2660 [inline]
new_slab+0x247/0x330 mm/slub.c:2714
___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
__slab_alloc_node mm/slub.c:4067 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
__do_kmalloc_node mm/slub.c:4375 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
usb_alloc_urb+0x66/0xa0 drivers/usb/core/urb.c:75
usb_internal_control_msg drivers/usb/core/message.c:96 [inline]
usb_control_msg+0x1d3/0x4a0 drivers/usb/core/message.c:154
usb_get_string+0xab/0x1a0 drivers/usb/core/message.c:844
usb_string_sub+0x107/0x390 drivers/usb/core/message.c:883
usb_string+0x307/0x670 drivers/usb/core/message.c:988
usb_cache_string+0x80/0x150 drivers/usb/core/message.c:1030
usb_enumerate_device drivers/usb/core/hub.c:2539 [inline]
usb_new_device+0x238/0x1a60 drivers/usb/core/hub.c:2664
register_root_hub+0x299/0x730 drivers/usb/core/hcd.c:994
page_owner free stack trace missing
Memory state around the buggy address:
ffff888029f04b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888029f04b80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888029f04c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888029f04c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888029f04d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: slab-use-after-free in arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
BUG: KASAN: slab-use-after-free in raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
BUG: KASAN: slab-use-after-free in atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
BUG: KASAN: slab-use-after-free in snd_usbmidi_error_timer+0x367/0x410 sound/usb/midi.c:355
Read of size 4 at addr ffff888029f04c10 by task udevd/5227
CPU: 1 UID: 0 PID: 5227 Comm: udevd Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
arch_atomic_read arch/x86/include/asm/atomic.h:23 [inline]
raw_atomic_read include/linux/atomic/atomic-arch-fallback.h:457 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:33 [inline]
snd_usbmidi_error_timer+0x367/0x410 sound/usb/midi.c:355
call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers+0x6ef/0x960 kernel/time/timer.c:2372
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_release+0x183/0x2f0 kernel/locking/lockdep.c:5893
Code: 0f c1 05 f8 3d 3f 12 83 f8 01 0f 85 1d 01 00 00 9c 58 f6 c4 02 0f 85 08 01 00 00 41 f7 c5 00 02 00 00 74 01 fb 48 8b 44 24 10 <65> 48 2b 05 0d fc 3e 12 0f 85 58 01 00 00 48 83 c4 18 5b 41 5c 41
RSP: 0018:ffffc90003bef930 EFLAGS: 00000206
RAX: 3e0f3f8c25dfe600 RBX: ffffffff8e5c15a0 RCX: ffffc90003bef93c
RDX: 0000000000000000 RSI: ffffffff8de2c018 RDI: ffffffff8c163a00
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff823ac8dc
R13: 0000000000000202 R14: ffff888075e6bc00 R15: 0000000000000001
rcu_lock_release include/linux/rcupdate.h:341 [inline]
rcu_read_unlock include/linux/rcupdate.h:871 [inline]
__d_lookup+0x261/0x4a0 fs/dcache.c:2413
lookup_fast+0x17c/0x610 fs/namei.c:1766
walk_component+0x5b/0x5b0 fs/namei.c:2125
link_path_walk+0x627/0xe20 fs/namei.c:2497
path_openat+0x1b0/0x2cb0 fs/namei.c:4042
do_filp_open+0x20b/0x470 fs/namei.c:4073
do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f244daa7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc53d21dc0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f244e162880 RCX: 00007f244daa7407
RDX: 0000000000080000 RSI: 00007ffc53d21f40 RDI: ffffffffffffff9c
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00005564ffa1d7f5
R13: 00005564ffa1d7f5 R14: 0000000000000001 R15: 0000000000000000
Allocated by task 5960:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4376 [inline]
__kmalloc_noprof+0x223/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
usb_alloc_urb+0x66/0xa0 drivers/usb/core/urb.c:75
snd_usbmidi_in_endpoint_create+0xf2/0xa70 sound/usb/midi.c:1348
snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2363
__snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2646
snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 5960:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4894
urb_destroy drivers/usb/core/urb.c:27 [inline]
kref_put include/linux/kref.h:65 [inline]
usb_free_urb.part.0+0x9c/0x100 drivers/usb/core/urb.c:97
usb_free_urb+0x1f/0x30 drivers/usb/core/urb.c:96
free_urb_and_buffer sound/usb/midi.c:1309 [inline]
snd_usbmidi_in_endpoint_delete+0x114/0x220 sound/usb/midi.c:1322
snd_usbmidi_free sound/usb/midi.c:1530 [inline]
snd_usbmidi_rawmidi_free+0xb3/0x130 sound/usb/midi.c:1591
snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
__snd_device_free+0x1a7/0x410 sound/core/device.c:76
snd_device_free_all+0xf3/0x220 sound/core/device.c:233
snd_card_do_free sound/core/init.c:587 [inline]
release_card_device+0x77/0x1d0 sound/core/init.c:153
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3797
snd_card_free_when_closed sound/core/init.c:618 [inline]
snd_card_free_when_closed sound/core/init.c:612 [inline]
snd_card_free+0x11a/0x190 sound/core/init.c:650
usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888029f04c00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 16 bytes inside of
freed 192-byte region [ffff888029f04c00, ffff888029f04cc0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29f04
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801b8413c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 24093831214, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2492 [inline]
allocate_slab mm/slub.c:2660 [inline]
new_slab+0x247/0x330 mm/slub.c:2714
___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
__slab_alloc_node mm/slub.c:4067 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
__do_kmalloc_node mm/slub.c:4375 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
usb_alloc_urb+0x66/0xa0 drivers/usb/core/urb.c:75
usb_internal_control_msg drivers/usb/core/message.c:96 [inline]
usb_control_msg+0x1d3/0x4a0 drivers/usb/core/message.c:154
usb_get_string+0xab/0x1a0 drivers/usb/core/message.c:844
usb_string_sub+0x107/0x390 drivers/usb/core/message.c:883
usb_string+0x307/0x670 drivers/usb/core/message.c:988
usb_cache_string+0x80/0x150 drivers/usb/core/message.c:1030
usb_enumerate_device drivers/usb/core/hub.c:2539 [inline]
usb_new_device+0x238/0x1a60 drivers/usb/core/hub.c:2664
register_root_hub+0x299/0x730 drivers/usb/core/hcd.c:994
page_owner free stack trace missing
Memory state around the buggy address:
ffff888029f04b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888029f04b80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888029f04c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888029f04c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888029f04d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_error_timer+0x3e9/0x410 sound/usb/midi.c:357
Write of size 8 at addr ffff888029f04c40 by task udevd/5227
CPU: 1 UID: 0 PID: 5227 Comm: udevd Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xcd/0x630 mm/kasan/report.c:482
kasan_report+0xe0/0x110 mm/kasan/report.c:595
snd_usbmidi_error_timer+0x3e9/0x410 sound/usb/midi.c:357
call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747
expire_timers kernel/time/timer.c:1798 [inline]
__run_timers+0x6ef/0x960 kernel/time/timer.c:2372
__run_timer_base kernel/time/timer.c:2384 [inline]
__run_timer_base kernel/time/timer.c:2376 [inline]
run_timer_base+0x114/0x190 kernel/time/timer.c:2393
run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
__do_softirq kernel/softirq.c:613 [inline]
invoke_softirq kernel/softirq.c:453 [inline]
__irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_release+0x183/0x2f0 kernel/locking/lockdep.c:5893
Code: 0f c1 05 f8 3d 3f 12 83 f8 01 0f 85 1d 01 00 00 9c 58 f6 c4 02 0f 85 08 01 00 00 41 f7 c5 00 02 00 00 74 01 fb 48 8b 44 24 10 <65> 48 2b 05 0d fc 3e 12 0f 85 58 01 00 00 48 83 c4 18 5b 41 5c 41
RSP: 0018:ffffc90003bef930 EFLAGS: 00000206
RAX: 3e0f3f8c25dfe600 RBX: ffffffff8e5c15a0 RCX: ffffc90003bef93c
RDX: 0000000000000000 RSI: ffffffff8de2c018 RDI: ffffffff8c163a00
RBP: dffffc0000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff823ac8dc
R13: 0000000000000202 R14: ffff888075e6bc00 R15: 0000000000000001
rcu_lock_release include/linux/rcupdate.h:341 [inline]
rcu_read_unlock include/linux/rcupdate.h:871 [inline]
__d_lookup+0x261/0x4a0 fs/dcache.c:2413
lookup_fast+0x17c/0x610 fs/namei.c:1766
walk_component+0x5b/0x5b0 fs/namei.c:2125
link_path_walk+0x627/0xe20 fs/namei.c:2497
path_openat+0x1b0/0x2cb0 fs/namei.c:4042
do_filp_open+0x20b/0x470 fs/namei.c:4073
do_sys_openat2+0x11b/0x1d0 fs/open.c:1435
do_sys_open fs/open.c:1450 [inline]
__do_sys_openat fs/open.c:1466 [inline]
__se_sys_openat fs/open.c:1461 [inline]
__x64_sys_openat+0x174/0x210 fs/open.c:1461
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f244daa7407
Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
RSP: 002b:00007ffc53d21dc0 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 00007f244e162880 RCX: 00007f244daa7407
RDX: 0000000000080000 RSI: 00007ffc53d21f40 RDI: ffffffffffffff9c
RBP: 0000000000000008 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000202 R12: 00005564ffa1d7f5
R13: 00005564ffa1d7f5 R14: 0000000000000001 R15: 0000000000000000
Allocated by task 5960:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
__kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
kasan_kmalloc include/linux/kasan.h:260 [inline]
__do_kmalloc_node mm/slub.c:4376 [inline]
__kmalloc_noprof+0x223/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
usb_alloc_urb+0x66/0xa0 drivers/usb/core/urb.c:75
snd_usbmidi_in_endpoint_create+0xf2/0xa70 sound/usb/midi.c:1348
snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2363
__snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2646
snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 5960:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
poison_slab_object mm/kasan/common.c:243 [inline]
__kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
kasan_slab_free include/linux/kasan.h:233 [inline]
slab_free_hook mm/slub.c:2422 [inline]
slab_free mm/slub.c:4695 [inline]
kfree+0x2b4/0x4d0 mm/slub.c:4894
urb_destroy drivers/usb/core/urb.c:27 [inline]
kref_put include/linux/kref.h:65 [inline]
usb_free_urb.part.0+0x9c/0x100 drivers/usb/core/urb.c:97
usb_free_urb+0x1f/0x30 drivers/usb/core/urb.c:96
free_urb_and_buffer sound/usb/midi.c:1309 [inline]
snd_usbmidi_in_endpoint_delete+0x114/0x220 sound/usb/midi.c:1322
snd_usbmidi_free sound/usb/midi.c:1530 [inline]
snd_usbmidi_rawmidi_free+0xb3/0x130 sound/usb/midi.c:1591
snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
__snd_device_free+0x1a7/0x410 sound/core/device.c:76
snd_device_free_all+0xf3/0x220 sound/core/device.c:233
snd_card_do_free sound/core/init.c:587 [inline]
release_card_device+0x77/0x1d0 sound/core/init.c:153
device_release+0xa4/0x240 drivers/base/core.c:2565
kobject_cleanup lib/kobject.c:689 [inline]
kobject_release lib/kobject.c:720 [inline]
kref_put include/linux/kref.h:65 [inline]
kobject_put+0x1e7/0x5a0 lib/kobject.c:737
put_device+0x1f/0x30 drivers/base/core.c:3797
snd_card_free_when_closed sound/core/init.c:618 [inline]
snd_card_free_when_closed sound/core/init.c:612 [inline]
snd_card_free+0x11a/0x190 sound/core/init.c:650
usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:581 [inline]
really_probe+0x241/0xa90 drivers/base/dd.c:659
__driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
__device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
__device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
device_add+0x1148/0x1aa0 drivers/base/core.c:3689
usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
hub_port_connect drivers/usb/core/hub.c:5566 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
port_event drivers/usb/core/hub.c:5870 [inline]
hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c5/0x780 kernel/kthread.c:463
ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff888029f04c00
which belongs to the cache kmalloc-192 of size 192
The buggy address is located 64 bytes inside of
freed 192-byte region [ffff888029f04c00, ffff888029f04cc0)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x29f04
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000000 ffff88801b8413c0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52c00(GFP_NOIO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 1, tgid 1 (swapper/0), ts 24093831214, free_ts 0
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
prep_new_page mm/page_alloc.c:1859 [inline]
get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
__alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
alloc_slab_page mm/slub.c:2492 [inline]
allocate_slab mm/slub.c:2660 [inline]
new_slab+0x247/0x330 mm/slub.c:2714
___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
__slab_alloc_node mm/slub.c:4067 [inline]
slab_alloc_node mm/slub.c:4228 [inline]
__do_kmalloc_node mm/slub.c:4375 [inline]
__kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
kmalloc_noprof include/linux/slab.h:909 [inline]
usb_alloc_urb+0x66/0xa0 drivers/usb/core/urb.c:75
usb_internal_control_msg drivers/usb/core/message.c:96 [inline]
usb_control_msg+0x1d3/0x4a0 drivers/usb/core/message.c:154
usb_get_string+0xab/0x1a0 drivers/usb/core/message.c:844
usb_string_sub+0x107/0x390 drivers/usb/core/message.c:883
usb_string+0x307/0x670 drivers/usb/core/message.c:988
usb_cache_string+0x80/0x150 drivers/usb/core/message.c:1030
usb_enumerate_device drivers/usb/core/hub.c:2539 [inline]
usb_new_device+0x238/0x1a60 drivers/usb/core/hub.c:2664
register_root_hub+0x299/0x730 drivers/usb/core/hcd.c:994
page_owner free stack trace missing
Memory state around the buggy address:
ffff888029f04b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888029f04b80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888029f04c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff888029f04c80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888029f04d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================
----------------
Code disassembly (best guess):
0: 0f c1 05 f8 3d 3f 12 xadd %eax,0x123f3df8(%rip) # 0x123f3dff
7: 83 f8 01 cmp $0x1,%eax
a: 0f 85 1d 01 00 00 jne 0x12d
10: 9c pushf
11: 58 pop %rax
12: f6 c4 02 test $0x2,%ah
15: 0f 85 08 01 00 00 jne 0x123
1b: 41 f7 c5 00 02 00 00 test $0x200,%r13d
22: 74 01 je 0x25
24: fb sti
25: 48 8b 44 24 10 mov 0x10(%rsp),%rax
* 2a: 65 48 2b 05 0d fc 3e sub %gs:0x123efc0d(%rip),%rax # 0x123efc3f <-- trapping instruction
31: 12
32: 0f 85 58 01 00 00 jne 0x190
38: 48 83 c4 18 add $0x18,%rsp
3c: 5b pop %rbx
3d: 41 5c pop %r12
3f: 41 rex.B