Re: KASAN: use-after-free Read in service_outstanding_interrupt
Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: KASAN: use-after-free Read in service_outstanding_interrupt == BUG: KASAN: use-after-free in usb_submit_urb+0x1210/0x1560 drivers/usb/core/urb.c:383 Read of size 4 at addr 888113e9f018 by task syz-executor.0/7799 CPU: 1 PID: 7799 Comm: syz-executor.0 Not tainted 5.10.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 usb_submit_urb+0x1210/0x1560 drivers/usb/core/urb.c:383 service_outstanding_interrupt.part.0+0x5f/0xa0 drivers/usb/class/cdc-wdm.c:470 service_outstanding_interrupt drivers/usb/class/cdc-wdm.c:465 [inline] wdm_read+0x9a0/0xbd0 drivers/usb/class/cdc-wdm.c:583 vfs_read+0x1b5/0x570 fs/read_write.c:494 ksys_read+0x12d/0x250 fs/read_write.c:634 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45e149 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7fcce8099c68 EFLAGS: 0246 ORIG_RAX: RAX: ffda RBX: 0003 RCX: 0045e149 RDX: 1000 RSI: 20001000 RDI: 0004 RBP: 0119c068 R08: R09: R10: R11: 0246 R12: 0119c034 R13: 7fffc13967df R14: 7fcce809a9c0 R15: 0119c034 Allocated by task 17: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:682 [inline] usb_alloc_dev+0x51/0xef0 drivers/usb/core/usb.c:582 hub_port_connect drivers/usb/core/hub.c:5129 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0x1def/0x42d0 drivers/usb/core/hub.c:5591 process_one_work+0x98d/0x15c0 kernel/workqueue.c:2275 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 kthread+0x38c/0x460 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 Freed by task 2183: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:352 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577 slab_free mm/slub.c:3140 [inline] kfree+0xdb/0x3a0 mm/slub.c:4122 device_release+0x9f/0x240 drivers/base/core.c:1962 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1c8/0x540 lib/kobject.c:753 put_device+0x1b/0x30 drivers/base/core.c:3190 hub_port_connect drivers/usb/core/hub.c:5074 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0x1c8a/0x42d0 drivers/usb/core/hub.c:5591 process_one_work+0x98d/0x15c0 kernel/workqueue.c:2275 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 kthread+0x38c/0x460 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 Last potentially related work creation: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_record_aux_stack+0xc0/0xf0 mm/kasan/generic.c:343 insert_work+0x48/0x370 kernel/workqueue.c:1331 __queue_work+0x5c3/0xf60 kernel/workqueue.c:1497 queue_work_on+0xc7/0xd0 kernel/workqueue.c:1524 kref_put include/linux/kref.h:65 [inline] tty_kref_put drivers/tty/tty_io.c:1493 [inline] release_tty+0x4e9/0x610 drivers/tty/tty_io.c:1530 tty_release_struct+0xb4/0xe0 drivers/tty/tty_io.c:1629 tty_release+0xc70/0x1210 drivers/tty/tty_io.c:1789 __fput+0x288/0x920 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:168 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:174 [inline] exit_to_user_mode_prepare+0x186/0x190 kernel/entry/common.c:201 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x19/0x50 kernel/entry/common.c:302 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at 888113e9f000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 24 bytes inside of 2048-byte region [888113e9f000, 888113e9f800) The buggy address belongs to the page: page:e5a7bd64 refcount:1 mapcount:0 map
Re: KASAN: use-after-free Read in service_outstanding_interrupt
Am Donnerstag, den 17.12.2020, 19:21 -0800 schrieb syzbot: > syzbot has found a reproducer for the following issue on: > > HEAD commit:5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of g.. > git tree: > https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing > console output: https://syzkaller.appspot.com/x/log.txt?x=12c5b62350 > kernel config: https://syzkaller.appspot.com/x/.config?x=5cea7506b7139727 > dashboard link: https://syzkaller.appspot.com/bug?extid=9e04e2df4a32fb661daf > compiler: gcc (GCC) 10.1.0-syz 20200507 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175adf0750 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1672680f50 > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > Reported-by: syzbot+9e04e2df4a32fb661...@syzkaller.appspotmail.com #syz test: https://github.com/google/kasan.git 5e60366d >From f51e3c5a202f3abc805edd64b21a68d29dd9d60e Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Mon, 4 Jan 2021 17:26:33 +0100 Subject: [PATCH] cdc-wdm: poison URBs upon disconnect We have a chicken and egg issue between interrupt and work. This should break the cycle. Signed-off-by: Oliver Neukum --- drivers/usb/class/cdc-wdm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/class/cdc-wdm.c b/drivers/usb/class/cdc-wdm.c index 02d0cfd23bb2..14eddda35280 100644 --- a/drivers/usb/class/cdc-wdm.c +++ b/drivers/usb/class/cdc-wdm.c @@ -324,9 +324,9 @@ static void wdm_int_callback(struct urb *urb) static void kill_urbs(struct wdm_device *desc) { /* the order here is essential */ - usb_kill_urb(desc->command); - usb_kill_urb(desc->validity); - usb_kill_urb(desc->response); + usb_poison_urb(desc->command); + usb_poison_urb(desc->validity); + usb_poison_urb(desc->response); } static void free_urbs(struct wdm_device *desc) -- 2.26.2
Re: KASAN: use-after-free Read in service_outstanding_interrupt
On Fri, Dec 18, 2020 at 06:01:34PM +0800, Hillf Danton wrote: > On Fri, 18 Dec 2020 09:28:16 +0100 Greg KH wrote: > >On Fri, Dec 18, 2020 at 04:21:13PM +0800, Hillf Danton wrote: > >> On Thu, 17 Dec 2020 19:21:10 -0800 > >> > syzbot has found a reproducer for the following issue on: > >> > > >> > HEAD commit:5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of > >> > g.. > >> > git tree: > >> > https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git > >> > usb-testing > >> > console output: https://syzkaller.appspot.com/x/log.txt?x=12c5b62350 > >> > kernel config: > >> > https://syzkaller.appspot.com/x/.config?x=5cea7506b7139727 > >> > dashboard link: > >> > https://syzkaller.appspot.com/bug?extid=9e04e2df4a32fb661daf > >> > compiler: gcc (GCC) 10.1.0-syz 20200507 > >> > syz repro: > >> > https://syzkaller.appspot.com/x/repro.syz?x=175adf0750 > >> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1672680f50 > >> > > >> > IMPORTANT: if you fix the issue, please add the following tag to the > >> > commit: > >> > Reported-by: syzbot+9e04e2df4a32fb661...@syzkaller.appspotmail.com > >> > > >> > == > >> > BUG: KASAN: use-after-free in usb_submit_urb+0x1210/0x1560 > >> > drivers/usb/core/urb.c:383 > >> > Read of size 4 at addr 888101d21018 by task syz-executor166/4405 > >> > > >> > CPU: 0 PID: 4405 Comm: syz-executor166 Not tainted 5.10.0-syzkaller #0 > >> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > >> > Google 01/01/2011 > >> > Call Trace: > >> > __dump_stack lib/dump_stack.c:79 [inline] > >> > dump_stack+0x107/0x163 lib/dump_stack.c:120 > >> > print_address_description.constprop.0.cold+0xae/0x4c8 > >> > mm/kasan/report.c:385 > >> > __kasan_report mm/kasan/report.c:545 [inline] > >> > kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 > >> > usb_submit_urb+0x1210/0x1560 drivers/usb/core/urb.c:383 > >> > service_outstanding_interrupt.part.0+0x5f/0xa0 > >> > drivers/usb/class/cdc-wdm.c:470 > >> > service_outstanding_interrupt drivers/usb/class/cdc-wdm.c:465 [inline] > >> > wdm_read+0x9a0/0xbd0 drivers/usb/class/cdc-wdm.c:583 > >> > vfs_read+0x1b5/0x570 fs/read_write.c:494 > >> > ksys_read+0x12d/0x250 fs/read_write.c:634 > >> > do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46 > >> > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > >> > RIP: 0033:0x44b529 > >> > Code: e8 bc b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 > >> > f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 > >> > f0 ff ff 0f 83 8b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00 > >> > RSP: 002b:7f2dfcb6ed98 EFLAGS: 0246 ORIG_RAX: > >> > RAX: ffda RBX: 006dcc38 RCX: 0044b529 > >> > RDX: 1000 RSI: 20001000 RDI: 0004 > >> > RBP: 006dcc30 R08: R09: > >> > R10: R11: 0246 R12: 006dcc3c > >> > R13: 0142006002090100 R14: 04010040a4157d25 R15: 40020112 > >> > > >> > Allocated by task 2632: > >> > kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 > >> > kasan_set_track mm/kasan/common.c:56 [inline] > >> > __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461 > >> > kmalloc include/linux/slab.h:552 [inline] > >> > kzalloc include/linux/slab.h:682 [inline] > >> > usb_alloc_dev+0x51/0xef0 drivers/usb/core/usb.c:582 > >> > hub_port_connect drivers/usb/core/hub.c:5129 [inline] > >> > hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] > >> > port_event drivers/usb/core/hub.c:5509 [inline] > >> > hub_event+0x1def/0x42d0 drivers/usb/core/hub.c:5591 > >> > process_one_work+0x98d/0x15c0 kernel/workqueue.c:2275 > >> > worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 > >> > kthread+0x38c/0x460 kernel/kthread.c:292 > >> > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 > >> > > >> > Freed by task 2181: > >> > kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 > >> > kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 > >> > kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:352 > >> > __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422 > >> > slab_free_hook mm/slub.c:1544 [inline] > >> > slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577 > >> > slab_free mm/slub.c:3140 [inline] > >> > kfree+0xdb/0x3a0 mm/slub.c:4122 > >> > device_release+0x9f/0x240 drivers/base/core.c:1962 > >> > kobject_cleanup lib/kobject.c:705 [inline] > >> > kobject_release lib/kobject.c:736 [inline] > >> > kref_put include/linux/kref.h:65 [inline] > >> > kobject_put+0x1c8/0x540 lib/kobject.c:753 > >> > put_device+0x1b/0x30 drivers/base/core.c:3190 > >> > hub_port_connect drivers/usb/core/hub.c:5074 [inline] > >> > hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] > >> > port_event drivers/usb/core/hub.c:5509 [inline] > >> > hub_event+0x1c8a/0x42d0 drivers/usb/core/hub.c:55
Re: KASAN: use-after-free Read in service_outstanding_interrupt
On Fri, Dec 18, 2020 at 04:21:13PM +0800, Hillf Danton wrote: > On Thu, 17 Dec 2020 19:21:10 -0800 > > syzbot has found a reproducer for the following issue on: > > > > HEAD commit:5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of g.. > > git tree: > > https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing > > console output: https://syzkaller.appspot.com/x/log.txt?x=12c5b62350 > > kernel config: https://syzkaller.appspot.com/x/.config?x=5cea7506b7139727 > > dashboard link: https://syzkaller.appspot.com/bug?extid=9e04e2df4a32fb661daf > > compiler: gcc (GCC) 10.1.0-syz 20200507 > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175adf0750 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1672680f50 > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > Reported-by: syzbot+9e04e2df4a32fb661...@syzkaller.appspotmail.com > > > > == > > BUG: KASAN: use-after-free in usb_submit_urb+0x1210/0x1560 > > drivers/usb/core/urb.c:383 > > Read of size 4 at addr 888101d21018 by task syz-executor166/4405 > > > > CPU: 0 PID: 4405 Comm: syz-executor166 Not tainted 5.10.0-syzkaller #0 > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS > > Google 01/01/2011 > > Call Trace: > > __dump_stack lib/dump_stack.c:79 [inline] > > dump_stack+0x107/0x163 lib/dump_stack.c:120 > > print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385 > > __kasan_report mm/kasan/report.c:545 [inline] > > kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 > > usb_submit_urb+0x1210/0x1560 drivers/usb/core/urb.c:383 > > service_outstanding_interrupt.part.0+0x5f/0xa0 > > drivers/usb/class/cdc-wdm.c:470 > > service_outstanding_interrupt drivers/usb/class/cdc-wdm.c:465 [inline] > > wdm_read+0x9a0/0xbd0 drivers/usb/class/cdc-wdm.c:583 > > vfs_read+0x1b5/0x570 fs/read_write.c:494 > > ksys_read+0x12d/0x250 fs/read_write.c:634 > > do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46 > > entry_SYSCALL_64_after_hwframe+0x44/0xa9 > > RIP: 0033:0x44b529 > > Code: e8 bc b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 > > 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff > > ff 0f 83 8b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00 > > RSP: 002b:7f2dfcb6ed98 EFLAGS: 0246 ORIG_RAX: > > RAX: ffda RBX: 006dcc38 RCX: 0044b529 > > RDX: 1000 RSI: 20001000 RDI: 0004 > > RBP: 006dcc30 R08: R09: > > R10: R11: 0246 R12: 006dcc3c > > R13: 0142006002090100 R14: 04010040a4157d25 R15: 40020112 > > > > Allocated by task 2632: > > kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 > > kasan_set_track mm/kasan/common.c:56 [inline] > > __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461 > > kmalloc include/linux/slab.h:552 [inline] > > kzalloc include/linux/slab.h:682 [inline] > > usb_alloc_dev+0x51/0xef0 drivers/usb/core/usb.c:582 > > hub_port_connect drivers/usb/core/hub.c:5129 [inline] > > hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] > > port_event drivers/usb/core/hub.c:5509 [inline] > > hub_event+0x1def/0x42d0 drivers/usb/core/hub.c:5591 > > process_one_work+0x98d/0x15c0 kernel/workqueue.c:2275 > > worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 > > kthread+0x38c/0x460 kernel/kthread.c:292 > > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 > > > > Freed by task 2181: > > kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 > > kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 > > kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:352 > > __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422 > > slab_free_hook mm/slub.c:1544 [inline] > > slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577 > > slab_free mm/slub.c:3140 [inline] > > kfree+0xdb/0x3a0 mm/slub.c:4122 > > device_release+0x9f/0x240 drivers/base/core.c:1962 > > kobject_cleanup lib/kobject.c:705 [inline] > > kobject_release lib/kobject.c:736 [inline] > > kref_put include/linux/kref.h:65 [inline] > > kobject_put+0x1c8/0x540 lib/kobject.c:753 > > put_device+0x1b/0x30 drivers/base/core.c:3190 > > hub_port_connect drivers/usb/core/hub.c:5074 [inline] > > hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] > > port_event drivers/usb/core/hub.c:5509 [inline] > > hub_event+0x1c8a/0x42d0 drivers/usb/core/hub.c:5591 > > process_one_work+0x98d/0x15c0 kernel/workqueue.c:2275 > > worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 > > kthread+0x38c/0x460 kernel/kthread.c:292 > > ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 > > > > The buggy address belongs to the object at 888101d21000 > > which belongs to the cache kmalloc-2k of size 2048 > > The buggy address is located 24 bytes inside of > > 2048-byte region [8
Re: KASAN: use-after-free Read in service_outstanding_interrupt
syzbot has found a reproducer for the following issue on: HEAD commit:5e60366d Merge tag 'fallthrough-fixes-clang-5.11-rc1' of g.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing console output: https://syzkaller.appspot.com/x/log.txt?x=12c5b62350 kernel config: https://syzkaller.appspot.com/x/.config?x=5cea7506b7139727 dashboard link: https://syzkaller.appspot.com/bug?extid=9e04e2df4a32fb661daf compiler: gcc (GCC) 10.1.0-syz 20200507 syz repro: https://syzkaller.appspot.com/x/repro.syz?x=175adf0750 C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1672680f50 IMPORTANT: if you fix the issue, please add the following tag to the commit: Reported-by: syzbot+9e04e2df4a32fb661...@syzkaller.appspotmail.com == BUG: KASAN: use-after-free in usb_submit_urb+0x1210/0x1560 drivers/usb/core/urb.c:383 Read of size 4 at addr 888101d21018 by task syz-executor166/4405 CPU: 0 PID: 4405 Comm: syz-executor166 Not tainted 5.10.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385 __kasan_report mm/kasan/report.c:545 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562 usb_submit_urb+0x1210/0x1560 drivers/usb/core/urb.c:383 service_outstanding_interrupt.part.0+0x5f/0xa0 drivers/usb/class/cdc-wdm.c:470 service_outstanding_interrupt drivers/usb/class/cdc-wdm.c:465 [inline] wdm_read+0x9a0/0xbd0 drivers/usb/class/cdc-wdm.c:583 vfs_read+0x1b5/0x570 fs/read_write.c:494 ksys_read+0x12d/0x250 fs/read_write.c:634 do_syscall_64+0x2d/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x44b529 Code: e8 bc b4 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 8b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:7f2dfcb6ed98 EFLAGS: 0246 ORIG_RAX: RAX: ffda RBX: 006dcc38 RCX: 0044b529 RDX: 1000 RSI: 20001000 RDI: 0004 RBP: 006dcc30 R08: R09: R10: R11: 0246 R12: 006dcc3c R13: 0142006002090100 R14: 04010040a4157d25 R15: 40020112 Allocated by task 2632: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461 kmalloc include/linux/slab.h:552 [inline] kzalloc include/linux/slab.h:682 [inline] usb_alloc_dev+0x51/0xef0 drivers/usb/core/usb.c:582 hub_port_connect drivers/usb/core/hub.c:5129 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0x1def/0x42d0 drivers/usb/core/hub.c:5591 process_one_work+0x98d/0x15c0 kernel/workqueue.c:2275 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 kthread+0x38c/0x460 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 Freed by task 2181: kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:352 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422 slab_free_hook mm/slub.c:1544 [inline] slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577 slab_free mm/slub.c:3140 [inline] kfree+0xdb/0x3a0 mm/slub.c:4122 device_release+0x9f/0x240 drivers/base/core.c:1962 kobject_cleanup lib/kobject.c:705 [inline] kobject_release lib/kobject.c:736 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1c8/0x540 lib/kobject.c:753 put_device+0x1b/0x30 drivers/base/core.c:3190 hub_port_connect drivers/usb/core/hub.c:5074 [inline] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] port_event drivers/usb/core/hub.c:5509 [inline] hub_event+0x1c8a/0x42d0 drivers/usb/core/hub.c:5591 process_one_work+0x98d/0x15c0 kernel/workqueue.c:2275 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 kthread+0x38c/0x460 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 The buggy address belongs to the object at 888101d21000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 24 bytes inside of 2048-byte region [888101d21000, 888101d21800) The buggy address belongs to the page: page:19761127 refcount:1 mapcount:0 mapping: index:0x0 pfn:0x101d20 head:19761127 order:3 compound_mapcount:0 compound_pincount:0 flags: 0x2010200(slab|head) raw: 02010200 dead0100 dead0122 888100042000 raw: 80080008 0001 page dumped because: kasan: bad access detected Memory s