bisecting cause commit starting from 4641b32307b3b54397652a71f852bb0bafb0820d building syzkaller on 9d751681c8ca1ef150e96f3c1e18bdcaab99c9b9 testing commit 4641b32307b3b54397652a71f852bb0bafb0820d with gcc (GCC) 10.2.1 20210217 kernel signature: 9006d44e814b9a5cf29156665e2dcc58382319ca34a954d6832b7755362b3aa2 all runs: crashed: KASAN: use-after-free Read in usb_audio_disconnect testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b with gcc (GCC) 10.2.1 20210217 kernel signature: cb49576180cef3c3f396d23d955e24a28438e757206b58782fa9dc3bff6e2a20 all runs: OK # git bisect start 4641b32307b3b54397652a71f852bb0bafb0820d f40ddce88593482919761f74910f42f4b84c004b Bisecting: 6735 revisions left to test after this (roughly 13 steps) [d99676af540c2dc829999928fb81c58c80a1dce4] Merge tag 'drm-next-2021-02-19' of git://anongit.freedesktop.org/drm/drm testing commit d99676af540c2dc829999928fb81c58c80a1dce4 with gcc (GCC) 10.2.1 20210217 kernel signature: c787ee7a46cc50d85cd3132f41391013f48ec8abd027c25336c39d019e42dd3f all runs: OK # git bisect good d99676af540c2dc829999928fb81c58c80a1dce4 Bisecting: 3415 revisions left to test after this (roughly 12 steps) [cf64c2a905e0dabcc473ca70baf275fb3a61fac4] Merge branch 'work.sparc32' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs testing commit cf64c2a905e0dabcc473ca70baf275fb3a61fac4 with gcc (GCC) 10.2.1 20210217 kernel signature: 6652efb1bf2f019703b469dae034aa7529b2f8e8b55274afb6040bb227c67a33 all runs: OK # git bisect good cf64c2a905e0dabcc473ca70baf275fb3a61fac4 Bisecting: 1705 revisions left to test after this (roughly 11 steps) [6593fe0bdf0e135377b2f641dc8d2bfb0ff8c47c] Merge remote-tracking branch 'sh/for-next' testing commit 6593fe0bdf0e135377b2f641dc8d2bfb0ff8c47c with gcc (GCC) 10.2.1 20210217 kernel signature: 816434e248e131f6e556bf486f67532612f6718bc504267f51dab5969e8dd2e3 all runs: crashed: KASAN: use-after-free Read in usb_audio_disconnect # git bisect bad 6593fe0bdf0e135377b2f641dc8d2bfb0ff8c47c Bisecting: 846 revisions left to test after this (roughly 10 steps) [efba6d3a7c4bb59f0750609fae0f9644d82304b6] Merge tag 'for-5.12/io_uring-2021-02-25' of git://git.kernel.dk/linux-block testing commit efba6d3a7c4bb59f0750609fae0f9644d82304b6 with gcc (GCC) 10.2.1 20210217 kernel signature: 1baf330dfda12c869a05d934dbd2235e4503f8400663a28403180819cfca2323 all runs: OK # git bisect good efba6d3a7c4bb59f0750609fae0f9644d82304b6 Bisecting: 420 revisions left to test after this (roughly 9 steps) [a7d41aa4973ec5a996103a48a83509ca3213b2d7] Merge remote-tracking branch 'rdma-fixes/for-rc' testing commit a7d41aa4973ec5a996103a48a83509ca3213b2d7 with gcc (GCC) 10.2.1 20210217 kernel signature: afdca662d8ac4f2667186535321622d1475475210d0155404dd569ddade8e628 all runs: OK # git bisect good a7d41aa4973ec5a996103a48a83509ca3213b2d7 Bisecting: 235 revisions left to test after this (roughly 8 steps) [0c79911f52ab8d5f915c0b14de742a28997bfbd6] Merge remote-tracking branch 'arm/for-next' testing commit 0c79911f52ab8d5f915c0b14de742a28997bfbd6 with gcc (GCC) 10.2.1 20210217 kernel signature: 816434e248e131f6e556bf486f67532612f6718bc504267f51dab5969e8dd2e3 all runs: crashed: KASAN: use-after-free Read in usb_audio_disconnect # git bisect bad 0c79911f52ab8d5f915c0b14de742a28997bfbd6 Bisecting: 93 revisions left to test after this (roughly 7 steps) [014618b4977eee9dfd068c502be009b7fe2ab40a] Merge remote-tracking branch 'char-misc.current/char-misc-linus' testing commit 014618b4977eee9dfd068c502be009b7fe2ab40a with gcc (GCC) 10.2.1 20210217 kernel signature: 837321f6a0b28e882fcc4c1c456e08a84594e816b2590b6c205c00bd44687819 all runs: crashed: KASAN: use-after-free Read in usb_audio_disconnect # git bisect bad 014618b4977eee9dfd068c502be009b7fe2ab40a Bisecting: 47 revisions left to test after this (roughly 6 steps) [4de6eeea1deb07877e0626bbe432ce315f022c91] Merge remote-tracking branch 'pci-current/for-linus' testing commit 4de6eeea1deb07877e0626bbe432ce315f022c91 with gcc (GCC) 10.2.1 20210217 kernel signature: b21a5ca91064484edbb6611467a30180224c7c3e13392b9c141745be2e16834c all runs: crashed: KASAN: use-after-free Read in usb_audio_disconnect # git bisect bad 4de6eeea1deb07877e0626bbe432ce315f022c91 Bisecting: 22 revisions left to test after this (roughly 5 steps) [e57c62bd692c7d7bf0d6ec3bddcad22579fd69ca] Merge remote-tracking branch 'asoc/for-5.12' into asoc-linus testing commit e57c62bd692c7d7bf0d6ec3bddcad22579fd69ca with gcc (GCC) 10.2.1 20210217 kernel signature: 36ce4d7712300023e6ac415f6703855a27a18a893c92d30a3e9e4f9dfc886654 all runs: OK # git bisect good e57c62bd692c7d7bf0d6ec3bddcad22579fd69ca Bisecting: 8 revisions left to test after this (roughly 4 steps) [102be08a780749d9e3f09a730d2036d5ff2b6612] Merge remote-tracking branch 'regulator-fixes/for-linus' testing commit 102be08a780749d9e3f09a730d2036d5ff2b6612 with gcc (GCC) 10.2.1 20210217 kernel signature: b21a5ca91064484edbb6611467a30180224c7c3e13392b9c141745be2e16834c all runs: crashed: KASAN: use-after-free Read in usb_audio_disconnect # git bisect bad 102be08a780749d9e3f09a730d2036d5ff2b6612 Bisecting: 6 revisions left to test after this (roughly 3 steps) [605d450fc75dd10d28e4b9f377d85883b0f25f53] Merge remote-tracking branch 'sound-asoc-fixes/for-linus' testing commit 605d450fc75dd10d28e4b9f377d85883b0f25f53 with gcc (GCC) 10.2.1 20210217 kernel signature: b21a5ca91064484edbb6611467a30180224c7c3e13392b9c141745be2e16834c all runs: crashed: KASAN: use-after-free Read in usb_audio_disconnect # git bisect bad 605d450fc75dd10d28e4b9f377d85883b0f25f53 Bisecting: 3 revisions left to test after this (roughly 2 steps) [a14a6219996ee6f6e858d83b11affc7907633687] ALSA: hda: ignore invalid NHLT table testing commit a14a6219996ee6f6e858d83b11affc7907633687 with gcc (GCC) 10.2.1 20210217 kernel signature: 4c30f109f2332df86be4f5702b405fa786e965a6af6e8852977194a3d0672778 all runs: crashed: KASAN: use-after-free Read in usb_audio_disconnect # git bisect bad a14a6219996ee6f6e858d83b11affc7907633687 Bisecting: 0 revisions left to test after this (roughly 1 step) [9799110825dba087c2bdce886977cf84dada2005] ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend() testing commit 9799110825dba087c2bdce886977cf84dada2005 with gcc (GCC) 10.2.1 20210217 kernel signature: d19e9db878bf0b364b493a3a892a9823e56fcf77dc5f353486ed758ee2dac665 all runs: crashed: KASAN: use-after-free Read in usb_audio_disconnect # git bisect bad 9799110825dba087c2bdce886977cf84dada2005 Bisecting: 0 revisions left to test after this (roughly 0 steps) [fc7c5c208eb7bc2df3a9f4234f14eca250001cb6] ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk testing commit fc7c5c208eb7bc2df3a9f4234f14eca250001cb6 with gcc (GCC) 10.2.1 20210217 kernel signature: 709f47ad24bb30bec7c16d3f5bb539d41c9657a6970bfb398c32b4eef26b8ae1 all runs: OK # git bisect good fc7c5c208eb7bc2df3a9f4234f14eca250001cb6 9799110825dba087c2bdce886977cf84dada2005 is the first bad commit commit 9799110825dba087c2bdce886977cf84dada2005 Author: Kai-Heng Feng Date: Thu Mar 4 12:34:16 2021 +0800 ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend() Rear audio on Lenovo ThinkStation P620 stops working after commit 1965c4364bdd ("ALSA: usb-audio: Disable autosuspend for Lenovo ThinkStation P620"): [ 6.013526] usbcore: registered new interface driver snd-usb-audio [ 6.023064] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x100, wIndex = 0x0, type = 1 [ 6.023083] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x202, wIndex = 0x0, type = 4 [ 6.023090] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x100, wIndex = 0x0, type = 1 [ 6.023098] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x202, wIndex = 0x0, type = 4 [ 6.023103] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x100, wIndex = 0x0, type = 1 [ 6.023110] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x202, wIndex = 0x0, type = 4 [ 6.045846] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x100, wIndex = 0x0, type = 1 [ 6.045866] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x202, wIndex = 0x0, type = 4 [ 6.045877] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x100, wIndex = 0x0, type = 1 [ 6.045886] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x202, wIndex = 0x0, type = 4 [ 6.045894] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x100, wIndex = 0x0, type = 1 [ 6.045908] usb 3-6: cannot get ctl value: req = 0x81, wValue = 0x202, wIndex = 0x0, type = 4 I overlooked the issue because when I was working on the said commit, only the front audio is tested. Apology for that. Changing supports_autosuspend in driver is too late for disabling autosuspend, because it was already used by USB probe routine, so it can break the balance on the following code that depends on supports_autosuspend. Fix it by using usb_disable_autosuspend() helper, and balance the suspend count in disconnect callback. Fixes: 1965c4364bdd ("ALSA: usb-audio: Disable autosuspend for Lenovo ThinkStation P620") Signed-off-by: Kai-Heng Feng Cc: Link: https://lore.kernel.org/r/20210304043419.287191-1-kai.heng.feng@canonical.com Signed-off-by: Takashi Iwai sound/usb/card.c | 5 +++++ sound/usb/quirks.c | 2 +- sound/usb/usbaudio.h | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) culprit signature: d19e9db878bf0b364b493a3a892a9823e56fcf77dc5f353486ed758ee2dac665 parent signature: 709f47ad24bb30bec7c16d3f5bb539d41c9657a6970bfb398c32b4eef26b8ae1 revisions tested: 16, total time: 3h14m51.160345571s (build: 1h39m43.759062949s, test: 1h33m49.458056997s) first bad commit: 9799110825dba087c2bdce886977cf84dada2005 ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend() recipients (to): ["alsa-devel@alsa-project.org" "kai.heng.feng@canonical.com" "perex@perex.cz" "tiwai@suse.com" "tiwai@suse.de"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: KASAN: use-after-free Read in usb_audio_disconnect usb 4-1: USB disconnect, device number 2 ================================================================== BUG: KASAN: use-after-free in usb_audio_disconnect+0x673/0x720 sound/usb/card.c:918 Read of size 2 at addr ffff88802ac68f24 by task kworker/1:1/26 CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 5.12.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: usb_hub_wq hub_event Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x93/0xc2 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 usb_audio_disconnect+0x673/0x720 sound/usb/card.c:918 usb_unbind_interface+0x183/0x7e0 drivers/usb/core/driver.c:458 __device_release_driver+0x32f/0x660 drivers/base/dd.c:1156 device_release_driver_internal drivers/base/dd.c:1187 [inline] device_release_driver+0x21/0x30 drivers/base/dd.c:1210 bus_remove_device+0x298/0x550 drivers/base/bus.c:533 device_del+0x494/0xc10 drivers/base/core.c:3421 usb_disable_device+0x29c/0x660 drivers/usb/core/message.c:1413 usb_disconnect.cold+0x20c/0x681 drivers/usb/core/hub.c:2218 hub_port_connect drivers/usb/core/hub.c:5074 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0xb22/0x36b0 drivers/usb/core/hub.c:5591 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Allocated by task 26: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:46 [inline] set_alloc_info mm/kasan/common.c:427 [inline] ____kasan_kmalloc mm/kasan/common.c:506 [inline] ____kasan_kmalloc mm/kasan/common.c:465 [inline] __kasan_kmalloc+0x99/0xc0 mm/kasan/common.c:515 kmalloc include/linux/slab.h:559 [inline] kzalloc include/linux/slab.h:684 [inline] snd_card_new+0xac/0xba0 sound/core/init.c:176 snd_usb_audio_create sound/usb/card.c:588 [inline] usb_audio_probe+0x1104/0x2930 sound/usb/card.c:755 usb_probe_interface+0x274/0x6a0 drivers/usb/core/driver.c:396 really_probe+0x1fd/0xc60 drivers/base/dd.c:554 driver_probe_device+0x1ed/0x380 drivers/base/dd.c:740 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:431 __device_attach+0x1db/0x400 drivers/base/dd.c:914 bus_probe_device+0x19d/0x250 drivers/base/bus.c:491 device_add+0x9eb/0x1ad0 drivers/base/core.c:3242 usb_set_configuration+0x9fc/0x1750 drivers/usb/core/message.c:2164 usb_generic_driver_probe+0x74/0xa0 drivers/usb/core/generic.c:238 usb_probe_device+0x98/0x240 drivers/usb/core/driver.c:293 really_probe+0x1fd/0xc60 drivers/base/dd.c:554 driver_probe_device+0x1ed/0x380 drivers/base/dd.c:740 bus_for_each_drv+0x11e/0x1a0 drivers/base/bus.c:431 __device_attach+0x1db/0x400 drivers/base/dd.c:914 bus_probe_device+0x19d/0x250 drivers/base/bus.c:491 device_add+0x9eb/0x1ad0 drivers/base/core.c:3242 usb_new_device.cold+0x69a/0xee1 drivers/usb/core/hub.c:2555 hub_port_connect drivers/usb/core/hub.c:5223 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0x10a3/0x36b0 drivers/usb/core/hub.c:5591 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Freed by task 26: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357 ____kasan_slab_free mm/kasan/common.c:360 [inline] ____kasan_slab_free mm/kasan/common.c:325 [inline] __kasan_slab_free+0xf5/0x130 mm/kasan/common.c:367 kasan_slab_free include/linux/kasan.h:199 [inline] slab_free_hook mm/slub.c:1562 [inline] slab_free_freelist_hook+0x72/0x1b0 mm/slub.c:1600 slab_free mm/slub.c:3161 [inline] kfree+0xe5/0x7b0 mm/slub.c:4213 device_release+0x93/0x200 drivers/base/core.c:2108 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x139/0x410 lib/kobject.c:753 snd_card_free_when_closed+0x21/0x30 sound/core/init.c:518 usb_audio_disconnect+0x271/0x720 sound/usb/card.c:913 usb_unbind_interface+0x183/0x7e0 drivers/usb/core/driver.c:458 __device_release_driver+0x32f/0x660 drivers/base/dd.c:1156 device_release_driver_internal drivers/base/dd.c:1187 [inline] device_release_driver+0x21/0x30 drivers/base/dd.c:1210 bus_remove_device+0x298/0x550 drivers/base/bus.c:533 device_del+0x494/0xc10 drivers/base/core.c:3421 usb_disable_device+0x29c/0x660 drivers/usb/core/message.c:1413 usb_disconnect.cold+0x20c/0x681 drivers/usb/core/hub.c:2218 hub_port_connect drivers/usb/core/hub.c:5074 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0xb22/0x36b0 drivers/usb/core/hub.c:5591 process_one_work+0x84c/0x13b0 kernel/workqueue.c:2275 worker_thread+0x598/0xf80 kernel/workqueue.c:2421 kthread+0x36f/0x450 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 The buggy address belongs to the object at ffff88802ac68000 which belongs to the cache kmalloc-8k of size 8192 The buggy address is located 3876 bytes inside of 8192-byte region [ffff88802ac68000, ffff88802ac6a000) The buggy address belongs to the page: page:00000000258ce114 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2ac68 head:00000000258ce114 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head) raw: 00fff00000010200 0000000000000000 0000000100000001 ffff88800ec42280 raw: 0000000000000000 0000000000020002 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88802ac68e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802ac68e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802ac68f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802ac68f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802ac69000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================