bisecting cause commit starting from f5b6eb1e018203913dfefcf6fa988649ad11ad6e building syzkaller on 500c23397f34dde583da6d31f9d9fd21cae289f8 testing commit f5b6eb1e018203913dfefcf6fa988649ad11ad6e with gcc (GCC) 10.2.1 20210217 kernel signature: bd32f4f832aea60df7b9fe31bfd032281157c30ce17747e586f2950611c107ec all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 with gcc (GCC) 10.2.1 20210217 kernel signature: d440b4cda7d2ab4e7a9fb717e84bf516b6131e0226170a2accac2a704eba3a26 all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: 765cd1540c326c0950c950fbd0fec8db62a5661f5639cb7fd27d9b0db4d90c60 all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 with gcc (GCC) 10.2.1 20210217 kernel signature: df7feb4d91f8944dbc6f04c6ce0d62cee0e23c247a3d664c8d09e4380a1d4db4 all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe testing release v5.9 testing commit bbf5c979011a099af5dc76498918ed7df445635b with gcc (GCC) 10.2.1 20210217 kernel signature: 729377365c17b92d66ed1bdf532053d69e13d473b5ea80ef6b5eacb7eb88528b all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe testing release v5.8 testing commit bcf876870b95592b52519ed4aafcf9d95999bc9c with gcc (GCC) 8.4.1 20210217 kernel signature: fe4cf10963fe22623041f7dd2621a870da3a6c1c0337ee4720a2074a1ed96570 all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe testing release v5.7 testing commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 with gcc (GCC) 8.4.1 20210217 kernel signature: 2c6056a2dfdd16b432db0590dcf44d9466ab6d94a2975fdc54052aff1a1c3cf4 all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe testing release v5.6 testing commit 7111951b8d4973bda27ff663f2cf18b663d15b48 with gcc (GCC) 8.4.1 20210217 kernel signature: 3e55c7c138041a575a7239b7dc3aeb1b6aecc1db234951c50f555812908a4b2a all runs: OK # git bisect start 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 7111951b8d4973bda27ff663f2cf18b663d15b48 Bisecting: 7542 revisions left to test after this (roughly 13 steps) [50a5de895dbe5df947b3a695777db5b2c313e065] Merge tag 'for-linus-hmm' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma testing commit 50a5de895dbe5df947b3a695777db5b2c313e065 with gcc (GCC) 8.4.1 20210217 kernel signature: d5f4d81b23e95f18faadcc720741b77c66489cbf2e05f8b28565d2c7c51e5314 all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe # git bisect bad 50a5de895dbe5df947b3a695777db5b2c313e065 Bisecting: 4204 revisions left to test after this (roughly 12 steps) [56a451b780676bc1cdac011735fe2869fa2e9abf] Merge tag 'ntb-5.7' of git://github.com/jonmason/ntb testing commit 56a451b780676bc1cdac011735fe2869fa2e9abf with gcc (GCC) 8.4.1 20210217 kernel signature: ffc7280f4a3b228a71843faed3b4a8aa6b49e90b816029334bd8c797a4900326 all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe # git bisect bad 56a451b780676bc1cdac011735fe2869fa2e9abf Bisecting: 1643 revisions left to test after this (roughly 11 steps) [49835c15a55225e9b3ff9cc9317135b334ea2d49] Merge tag 'pm-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm testing commit 49835c15a55225e9b3ff9cc9317135b334ea2d49 with gcc (GCC) 8.4.1 20210217 kernel signature: 41978dd5cf4c767d835e0096ff02ffd103ca1c2ba755b57377469bc7633a4cba all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe # git bisect bad 49835c15a55225e9b3ff9cc9317135b334ea2d49 Bisecting: 934 revisions left to test after this (roughly 10 steps) [063d1942247668eb0bb800aef5afbbef337344be] Merge tag 'media/v5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media testing commit 063d1942247668eb0bb800aef5afbbef337344be with gcc (GCC) 8.4.1 20210217 kernel signature: 8842be13eb075fe52153fa6d4225ac715e0368d5f881b8296dbff0e4addb8615 all runs: OK # git bisect good 063d1942247668eb0bb800aef5afbbef337344be Bisecting: 516 revisions left to test after this (roughly 9 steps) [e681bb287f40e7a9dbcb04cef80fd87a2511ab86] staging: vt6656: Use DIV_ROUND_UP macro instead of specific code testing commit e681bb287f40e7a9dbcb04cef80fd87a2511ab86 with gcc (GCC) 8.4.1 20210217 kernel signature: 90af3d910531ae36759570bae4e6d753dd13d94af578637a48f7d19fc3ed0763 all runs: OK # git bisect good e681bb287f40e7a9dbcb04cef80fd87a2511ab86 Bisecting: 266 revisions left to test after this (roughly 8 steps) [db34c5ffee649e2c4c870d1031a996398a187cf5] Merge tag 'usb-5.7-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb testing commit db34c5ffee649e2c4c870d1031a996398a187cf5 with gcc (GCC) 8.4.1 20210217 kernel signature: bd792a50b39787300292b272dd53b9bb7cda0abb488087a5e202b39cf4fe16cd all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe # git bisect bad db34c5ffee649e2c4c870d1031a996398a187cf5 Bisecting: 121 revisions left to test after this (roughly 7 steps) [a8ab3e76297ea85d92f4ee0833bd469816a13ccf] Merge tag 'usb-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-next testing commit a8ab3e76297ea85d92f4ee0833bd469816a13ccf with gcc (GCC) 8.4.1 20210217 kernel signature: 6bfc6704aa5ef96c66331c73890cfeb9c96160ddf15e5b5b22b29a6a2ad20f71 all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe # git bisect bad a8ab3e76297ea85d92f4ee0833bd469816a13ccf Bisecting: 63 revisions left to test after this (roughly 6 steps) [d1c6a769cdf466053ae211789f2b0671c8a72331] usb: typec: mux: Allow the mux handles to be requested with fwnode testing commit d1c6a769cdf466053ae211789f2b0671c8a72331 with gcc (GCC) 8.4.1 20210217 kernel signature: d774fd58598d66d625069c71623dbeccd9b4c9535b2cbc6adf0726771c7bfbec all runs: OK # git bisect good d1c6a769cdf466053ae211789f2b0671c8a72331 Bisecting: 31 revisions left to test after this (roughly 5 steps) [eeead847487f726fa177d0f4060c4f0816ad9cd9] usb: gadget: amd5536udc: fix spelling mistake "reserverd" -> "reserved" testing commit eeead847487f726fa177d0f4060c4f0816ad9cd9 with gcc (GCC) 8.4.1 20210217 kernel signature: 58bbaaca7abf76c642414e779af97819c304f91a61386f384840d0d6451d897e run #0: crashed: KASAN: slab-out-of-bounds Write in betop_probe run #1: crashed: KASAN: slab-out-of-bounds Write in betop_probe run #2: crashed: KASAN: slab-out-of-bounds Write in betop_probe run #3: crashed: KASAN: slab-out-of-bounds Write in betop_probe run #4: crashed: KASAN: slab-out-of-bounds Write in betop_probe run #5: crashed: KASAN: slab-out-of-bounds Write in betop_probe run #6: crashed: KASAN: slab-out-of-bounds Write in betop_probe run #7: crashed: KASAN: slab-out-of-bounds Write in betop_probe run #8: crashed: KASAN: slab-out-of-bounds Write in betop_probe run #9: boot failed: can't ssh into the instance # git bisect bad eeead847487f726fa177d0f4060c4f0816ad9cd9 Bisecting: 15 revisions left to test after this (roughly 4 steps) [3d157c28d2289edf0439e8308e8de3a06acaaf0e] doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in park mode testing commit 3d157c28d2289edf0439e8308e8de3a06acaaf0e with gcc (GCC) 8.4.1 20210217 kernel signature: 1d62b86df0e93a136a36493170c35899654afa0a4f635f6d9c559933d5c49120 all runs: OK # git bisect good 3d157c28d2289edf0439e8308e8de3a06acaaf0e Bisecting: 7 revisions left to test after this (roughly 3 steps) [0227cc84c44417a29c8102e41db8ec2c11ebc6b2] usb: dwc3: core: don't do suspend for device mode if already suspended testing commit 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 with gcc (GCC) 8.4.1 20210217 kernel signature: e69142b9cda635a2873d5f48e1e8aad2274f0dfa1e42f4b39a38df5b7301c780 all runs: OK # git bisect good 0227cc84c44417a29c8102e41db8ec2c11ebc6b2 Bisecting: 3 revisions left to test after this (roughly 2 steps) [95b18f28979e12539cc02f6ec4e2c776e8551f39] dt-bindings: usb: dwc2: add compatible property for rk3328 usb testing commit 95b18f28979e12539cc02f6ec4e2c776e8551f39 with gcc (GCC) 8.4.1 20210217 kernel signature: 50a371809a5019b3804b6bf3b90802be70a1ac20b93ab74b98695528049b0c5b all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe # git bisect bad 95b18f28979e12539cc02f6ec4e2c776e8551f39 Bisecting: 1 revision left to test after this (roughly 1 step) [1a0808cb9e417170ed6ab97254cf319dc3e3c310] usb: dwc2: Implement set_selfpowered() testing commit 1a0808cb9e417170ed6ab97254cf319dc3e3c310 with gcc (GCC) 8.4.1 20210217 kernel signature: e69142b9cda635a2873d5f48e1e8aad2274f0dfa1e42f4b39a38df5b7301c780 all runs: OK # git bisect good 1a0808cb9e417170ed6ab97254cf319dc3e3c310 Bisecting: 0 revisions left to test after this (roughly 0 steps) [f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10] usb: gadget: add raw-gadget interface testing commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 with gcc (GCC) 8.4.1 20210217 kernel signature: 50a371809a5019b3804b6bf3b90802be70a1ac20b93ab74b98695528049b0c5b all runs: crashed: KASAN: slab-out-of-bounds Write in betop_probe # git bisect bad f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 is the first bad commit commit f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 Author: Andrey Konovalov Date: Mon Feb 24 17:13:03 2020 +0100 usb: gadget: add raw-gadget interface USB Raw Gadget is a kernel module that provides a userspace interface for the USB Gadget subsystem. Essentially it allows to emulate USB devices from userspace. Enabled with CONFIG_USB_RAW_GADGET. Raw Gadget is currently a strictly debugging feature and shouldn't be used in production. Raw Gadget is similar to GadgetFS, but provides a more low-level and direct access to the USB Gadget layer for the userspace. The key differences are: 1. Every USB request is passed to the userspace to get a response, while GadgetFS responds to some USB requests internally based on the provided descriptors. However note, that the UDC driver might respond to some requests on its own and never forward them to the Gadget layer. 2. GadgetFS performs some sanity checks on the provided USB descriptors, while Raw Gadget allows you to provide arbitrary data as responses to USB requests. 3. Raw Gadget provides a way to select a UDC device/driver to bind to, while GadgetFS currently binds to the first available UDC. 4. Raw Gadget uses predictable endpoint names (handles) across different UDCs (as long as UDCs have enough endpoints of each required transfer type). 5. Raw Gadget has ioctl-based interface instead of a filesystem-based one. Reviewed-by: Greg Kroah-Hartman Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi Documentation/usb/index.rst | 1 + Documentation/usb/raw-gadget.rst | 61 ++ drivers/usb/gadget/legacy/Kconfig | 11 + drivers/usb/gadget/legacy/Makefile | 1 + drivers/usb/gadget/legacy/raw_gadget.c | 1078 ++++++++++++++++++++++++++++++++ include/uapi/linux/usb/raw_gadget.h | 167 +++++ 6 files changed, 1319 insertions(+) create mode 100644 Documentation/usb/raw-gadget.rst create mode 100644 drivers/usb/gadget/legacy/raw_gadget.c create mode 100644 include/uapi/linux/usb/raw_gadget.h culprit signature: 50a371809a5019b3804b6bf3b90802be70a1ac20b93ab74b98695528049b0c5b parent signature: e69142b9cda635a2873d5f48e1e8aad2274f0dfa1e42f4b39a38df5b7301c780 revisions tested: 22, total time: 4h47m9.333743283s (build: 2h46m57.599427577s, test: 1h57m10.256587163s) first bad commit: f2c2e717642c66f7fe7e5dd69b2e8ff5849f4d10 usb: gadget: add raw-gadget interface recipients (to): ["andreyknvl@google.com" "balbi@kernel.org" "gregkh@linuxfoundation.org"] recipients (cc): [] crash: KASAN: slab-out-of-bounds Write in betop_probe betop 0003:11C0:5506.0001: hidraw0: USB HID v0.00 Device [HID 11c0:5506] on usb-dummy_hcd.1-1/input0 ================================================================== BUG: KASAN: slab-out-of-bounds in set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline] BUG: KASAN: slab-out-of-bounds in betopff_init drivers/hid/hid-betopff.c:99 [inline] BUG: KASAN: slab-out-of-bounds in betop_probe+0x2f0/0x690 drivers/hid/hid-betopff.c:134 Write of size 8 at addr ffff8880a440e5c0 by task kworker/1:5/3490 CPU: 1 PID: 3490 Comm: kworker/1:5 Not tainted 5.6.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x96/0xe0 lib/dump_stack.c:118 print_address_description.constprop.4.cold.6+0x9/0x373 mm/kasan/report.c:374 __kasan_report.cold.7+0x7a/0x92 mm/kasan/report.c:506 kasan_report+0xe/0x20 mm/kasan/common.c:641 check_memory_region_inline mm/kasan/generic.c:185 [inline] check_memory_region+0x144/0x1c0 mm/kasan/generic.c:192 set_bit include/asm-generic/bitops/instrumented-atomic.h:28 [inline] betopff_init drivers/hid/hid-betopff.c:99 [inline] betop_probe+0x2f0/0x690 drivers/hid/hid-betopff.c:134 hid_device_probe+0x274/0x360 drivers/hid/hid-core.c:2263 really_probe+0x20b/0xb00 drivers/base/dd.c:551 driver_probe_device+0x259/0x370 drivers/base/dd.c:724 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10f7/0x1920 drivers/base/core.c:2500 hid_add_device+0x2da/0x940 drivers/hid/hid-core.c:2419 usbhid_probe+0x9b7/0xec0 drivers/hid/usbhid/hid-core.c:1386 usb_probe_interface+0x277/0x840 drivers/usb/core/driver.c:361 really_probe+0x20b/0xb00 drivers/base/dd.c:551 driver_probe_device+0x259/0x370 drivers/base/dd.c:724 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10f7/0x1920 drivers/base/core.c:2500 usb_set_configuration+0xc81/0x1940 drivers/usb/core/message.c:2023 generic_probe+0x61/0x8a drivers/usb/core/generic.c:210 really_probe+0x20b/0xb00 drivers/base/dd.c:551 driver_probe_device+0x259/0x370 drivers/base/dd.c:724 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10f7/0x1920 drivers/base/core.c:2500 usb_new_device+0x866/0x14e0 drivers/usb/core/hub.c:2548 hub_port_connect drivers/usb/core/hub.c:5195 [inline] hub_port_connect_change drivers/usb/core/hub.c:5335 [inline] port_event drivers/usb/core/hub.c:5481 [inline] hub_event+0x1079/0x3240 drivers/usb/core/hub.c:5563 process_one_work+0x8ff/0x1690 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 3490: save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:515 [inline] __kasan_kmalloc.constprop.15+0xc1/0xd0 mm/kasan/common.c:488 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] hidraw_connect+0x49/0x510 drivers/hid/hidraw.c:521 hid_connect+0x502/0xa50 drivers/hid/hid-core.c:1939 hid_hw_start+0x75/0x100 drivers/hid/hid-core.c:2035 betop_probe+0x8f/0x690 drivers/hid/hid-betopff.c:128 hid_device_probe+0x274/0x360 drivers/hid/hid-core.c:2263 really_probe+0x20b/0xb00 drivers/base/dd.c:551 driver_probe_device+0x259/0x370 drivers/base/dd.c:724 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10f7/0x1920 drivers/base/core.c:2500 hid_add_device+0x2da/0x940 drivers/hid/hid-core.c:2419 usbhid_probe+0x9b7/0xec0 drivers/hid/usbhid/hid-core.c:1386 usb_probe_interface+0x277/0x840 drivers/usb/core/driver.c:361 really_probe+0x20b/0xb00 drivers/base/dd.c:551 driver_probe_device+0x259/0x370 drivers/base/dd.c:724 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10f7/0x1920 drivers/base/core.c:2500 usb_set_configuration+0xc81/0x1940 drivers/usb/core/message.c:2023 generic_probe+0x61/0x8a drivers/usb/core/generic.c:210 really_probe+0x20b/0xb00 drivers/base/dd.c:551 driver_probe_device+0x259/0x370 drivers/base/dd.c:724 bus_for_each_drv+0x118/0x1b0 drivers/base/bus.c:431 __device_attach+0x1be/0x2e0 drivers/base/dd.c:897 bus_probe_device+0x19e/0x250 drivers/base/bus.c:491 device_add+0x10f7/0x1920 drivers/base/core.c:2500 usb_new_device+0x866/0x14e0 drivers/usb/core/hub.c:2548 hub_port_connect drivers/usb/core/hub.c:5195 [inline] hub_port_connect_change drivers/usb/core/hub.c:5335 [inline] port_event drivers/usb/core/hub.c:5481 [inline] hub_event+0x1079/0x3240 drivers/usb/core/hub.c:5563 process_one_work+0x8ff/0x1690 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Freed by task 10: save_stack+0x19/0x80 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:337 [inline] __kasan_slab_free+0x124/0x170 mm/kasan/common.c:476 slab_free_hook mm/slub.c:1444 [inline] slab_free_freelist_hook+0x53/0x140 mm/slub.c:1477 slab_free mm/slub.c:3024 [inline] kfree+0xd6/0x3c0 mm/slub.c:3976 security_cred_free+0xa2/0x100 security/security.c:1580 put_cred_rcu+0xe6/0x430 kernel/cred.c:114 rcu_do_batch kernel/rcu/tree.c:2186 [inline] rcu_core+0x9c6/0x10b0 kernel/rcu/tree.c:2410 __do_softirq+0x24a/0xa97 kernel/softirq.c:292 The buggy address belongs to the object at ffff8880a440e500 which belongs to the cache kmalloc-192 of size 192 The buggy address is located 0 bytes to the right of 192-byte region [ffff8880a440e500, ffff8880a440e5c0) The buggy address belongs to the page: page:ffffea0002910380 refcount:1 mapcount:0 mapping:ffff8880b5802a00 index:0x0 flags: 0xfff00000000200(slab) raw: 00fff00000000200 ffffea0002c71800 0000000900000009 ffff8880b5802a00 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x12cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY) set_page_owner include/linux/page_owner.h:31 [inline] post_alloc_hook mm/page_alloc.c:2151 [inline] prep_new_page+0x12f/0x240 mm/page_alloc.c:2157 get_page_from_freelist+0xfc1/0x40f0 mm/page_alloc.c:3684 __alloc_pages_nodemask+0x29c/0x830 mm/page_alloc.c:4731 __alloc_pages include/linux/gfp.h:496 [inline] alloc_page_interleave+0xf/0x1a0 mm/mempolicy.c:2077 alloc_pages include/linux/gfp.h:532 [inline] alloc_slab_page+0xd5/0x4e0 mm/slub.c:1515 allocate_slab mm/slub.c:1660 [inline] new_slab+0x84/0x440 mm/slub.c:1726 new_slab_objects mm/slub.c:2477 [inline] ___slab_alloc+0x485/0x730 mm/slub.c:2628 __slab_alloc.isra.46+0x74/0xe0 mm/slub.c:2668 slab_alloc_node mm/slub.c:2742 [inline] slab_alloc mm/slub.c:2786 [inline] kmem_cache_alloc_trace+0x163/0x1b0 mm/slub.c:2803 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] call_usermodehelper_setup+0x93/0x340 kernel/umh.c:386 kobject_uevent_env+0xbe2/0x1220 lib/kobject_uevent.c:613 kset_register+0x2b/0x40 lib/kobject.c:867 __class_register+0x1ed/0x440 drivers/base/class.c:188 __class_create+0xb6/0x110 drivers/base/class.c:242 comedi_init+0xc9/0x1de drivers/staging/comedi/comedi_fops.c:3023 do_one_initcall+0xc3/0x520 init/main.c:1152 page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1163 [inline] free_pcp_prepare+0x3e8/0x500 mm/page_alloc.c:1198 free_unref_page_prepare mm/page_alloc.c:3011 [inline] free_unref_page+0xc/0x70 mm/page_alloc.c:3060 __vunmap+0x4db/0x860 mm/vmalloc.c:2315 free_work+0x48/0x60 mm/vmalloc.c:66 process_one_work+0x8ff/0x1690 kernel/workqueue.c:2264 worker_thread+0x82/0xb50 kernel/workqueue.c:2410 kthread+0x31d/0x3e0 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Memory state around the buggy address: ffff8880a440e480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ffff8880a440e500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8880a440e580: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ^ ffff8880a440e600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8880a440e680: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc ==================================================================