The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
removal") patched a UAF issue caused by the error timer.
However, because the error timer kill added in this patch occurs after the
endpoint delete, a race condition to UAF still occurs, albeit rarely.
Therefore, to prevent this, the error timer must be killed before freeing
the heap memory.
Cc: <stable@vger.kernel.org>
Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
---
sound/usb/midi.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sound/usb/midi.c b/sound/usb/midi.c
index acb3bf92857c..8d15f1caa92b 100644
--- a/sound/usb/midi.c
+++ b/sound/usb/midi.c
@@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
{
int i;
+ timer_shutdown_sync(&umidi->error_timer);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
if (ep->out)
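Review bot: moving timer_shutdown_sync() ahead of the endpoint deletes orders only the error timer against the frees; it does nothing for URBs that are still in flight when snd_usbmidi_free() runs, and their completion handler can still dereference the endpoints after `snd_usbmidi_in_endpoint_delete(ep->in)` further down. The commit message should say which path reaches snd_usbmidi_free() with URBs still live: the syzbot test later in this thread shows the UAF persisting in snd_usbmidi_in_urb_complete(), with the free arriving via snd_card_free() called from usb_audio_probe(), which is exactly the gap Takashi's follow-up closes by invoking snd_usbmidi_disconnect() from snd_usbmidi_free().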
@@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
snd_usbmidi_in_endpoint_delete(ep->in);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
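Review bot: removing the call here leaves the shutdown at the top of the function as the only guard, which is sound only because timer_shutdown_sync() (unlike timer_delete_sync()) also turns any later re-arm attempt into a no-op, so a mod_timer() triggered while the endpoints are torn down cannot bring the timer back before kfree(umidi). That property is what justifies the move and deserves a sentence in the commit message, since the Fixes: commit placed the call after mutex_destroy().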
--
On Sat, 27 Sep 2025 06:41:06 +0200,
Jeongjun Park wrote:
> 
> The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
> removal") patched a UAF issue caused by the error timer.
> 
> However, because the error timer kill added in this patch occurs after the
> endpoint delete, a race condition to UAF still occurs, albeit rarely.
> 
> Therefore, to prevent this, the error timer must be killed before freeing
> the heap memory.
> 
> Cc: <stable@vger.kernel.org>
> Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
> Signed-off-by: Jeongjun Park <aha310510@gmail.com>

I suppose it's a fix for the recent syzbot reports?
https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com
https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com

I had the very same fix in mind, as posted in
https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de
so I'll happily apply if that's the case (and it was verified to work).

I'm just back from vacation and trying to catch up things.

thanks,

Takashi

> ---
> sound/usb/midi.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/sound/usb/midi.c b/sound/usb/midi.c
> index acb3bf92857c..8d15f1caa92b 100644
> --- a/sound/usb/midi.c
> +++ b/sound/usb/midi.c
> @@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> {
> int i;
> 
> + timer_shutdown_sync(&umidi->error_timer);
> +
> for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
> struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
> if (ep->out)
> @@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi)
> snd_usbmidi_in_endpoint_delete(ep->in);
> }
> mutex_destroy(&umidi->mutex);
> - timer_shutdown_sync(&umidi->error_timer);
> kfree(umidi);
> }
> 
> --
On Sat, 27 Sep 2025 10:01:37 +0200 Takashi Iwai wrote:
>On Sat, 27 Sep 2025 06:41:06 +0200 Jeongjun Park wrote:
>>
>> The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at
>> removal") patched a UAF issue caused by the error timer.
>>
>> However, because the error timer kill added in this patch occurs after the
>> endpoint delete, a race condition to UAF still occurs, albeit rarely.
>>
>> Therefore, to prevent this, the error timer must be killed before freeing
>> the heap memory.
>>
>> Cc: <stable@vger.kernel.org>
>> Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal")
>> Signed-off-by: Jeongjun Park <aha310510@gmail.com>
>
> I suppose it's a fix for the recent syzbot reports?
> https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com
> https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com

#syz test upstream master

--- x/sound/usb/midi.c
+++ y/sound/usb/midi.c
@@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_
{
int i;

+ timer_shutdown_sync(&umidi->error_timer);
+
for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) {
struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i];
if (ep->out)
@@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_
snd_usbmidi_in_endpoint_delete(ep->in);
}
mutex_destroy(&umidi->mutex);
- timer_shutdown_sync(&umidi->error_timer);
kfree(umidi);
}
--
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete

==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866

CPU: 1 UID: 0 PID: 5866 Comm: kworker/1:3 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
 __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
 dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:lock_acquire+0x62/0x350 kernel/locking/lockdep.c:5872
Code: f9 3e 12 83 f8 07 0f 87 bc 02 00 00 89 c0 48 0f a3 05 c2 d8 13 0f 0f 82 74 02 00 00 8b 35 5a 0a 14 0f 85 f6 0f 85 8d 00 00 00 <48> 8b 44 24 30 65 48 2b 05 19 f9 3e 12 0f 85 c7 02 00 00 48 83 c4
RSP: 0018:ffffc9000213f6a8 EFLAGS: 00000206
RAX: 0000000000000046 RBX: ffffffff8e5c16a0 RCX: 000000004089a3e6
RDX: 0000000000000000 RSI: ffffffff8de2c268 RDI: ffffffff8c163a00
RBP: 0000000000000002 R08: b04c8ca6f5f73b8b R09: 0000000000000000
R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
 rcu_read_lock include/linux/rcupdate.h:841 [inline]
 class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
 kernfs_root+0x34/0x2a0 fs/kernfs/kernfs-internal.h:75
 __kernfs_remove+0x302/0x8a0 fs/kernfs/dir.c:1519
 kernfs_remove_by_name_ns+0x68/0x110 fs/kernfs/dir.c:1717
 kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
 remove_files+0x96/0x1c0 fs/sysfs/group.c:28
 sysfs_remove_group+0x8b/0x180 fs/sysfs/group.c:322
 sysfs_remove_groups fs/sysfs/group.c:346 [inline]
 sysfs_remove_groups+0x60/0xa0 fs/sysfs/group.c:338
 device_remove_groups drivers/base/core.c:2843 [inline]
 device_remove_attrs+0x192/0x290 drivers/base/core.c:2973
 device_del+0x38e/0x9f0 drivers/base/core.c:3877
 usb_disconnect+0x5bf/0x9c0 drivers/usb/core/hub.c:2375
 hub_port_connect drivers/usb/core/hub.c:5406 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x1c81/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 9:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1342
 snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2364
 __snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2647
 snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
 snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
 usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 9:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2422 [inline]
 slab_free mm/slub.c:4695 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4894
 snd_usbmidi_free sound/usb/midi.c:1532 [inline]
 snd_usbmidi_rawmidi_free+0xbd/0x130 sound/usb/midi.c:1592
 snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
 snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
 snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
 __snd_device_free+0x1a7/0x410 sound/core/device.c:76
 snd_device_free_all+0xf3/0x220 sound/core/device.c:233
 snd_card_do_free sound/core/init.c:587 [inline]
 release_card_device+0x77/0x1d0 sound/core/init.c:153
 device_release+0xa4/0x240 drivers/base/core.c:2565
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e7/0x5a0 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3797
 snd_card_free_when_closed sound/core/init.c:618 [inline]
 snd_card_free_when_closed sound/core/init.c:612 [inline]
 snd_card_free+0x11a/0x190 sound/core/init.c:650
 usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff888074717800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 323 bytes inside of
 freed 512-byte region [ffff888074717800, ffff888074717a00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74714
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b841c80 dead000000000100 dead000000000122
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b841c80 dead000000000100 dead000000000122
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001d1c501 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10, tgid 10 (kworker/0:1), ts 289964868636, free_ts 191685793183
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2492 [inline]
 allocate_slab mm/slub.c:2660 [inline]
 new_slab+0x247/0x330 mm/slub.c:2714
 ___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
 __slab_alloc_node mm/slub.c:4067 [inline]
 slab_alloc_node mm/slub.c:4228 [inline]
 __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4402
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 device_private_init drivers/base/core.c:3534 [inline]
 device_add+0xccc/0x1aa0 drivers/base/core.c:3585
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
page last free pid 6777 tgid 6777 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4191 [inline]
 slab_alloc_node mm/slub.c:4240 [inline]
 kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4247
 getname_flags.part.0+0x4c/0x550 fs/namei.c:146
 getname_flags+0x93/0xf0 include/linux/audit.h:322
 do_readlinkat+0xb4/0x3a0 fs/stat.c:575
 __do_sys_readlink fs/stat.c:613 [inline]
 __se_sys_readlink fs/stat.c:610 [inline]
 __x64_sys_readlink+0x78/0xc0 fs/stat.c:610
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff888074717800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888074717880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888074717900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff888074717980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888074717a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
----------------
Code disassembly (best guess):
   0:   f9                      stc
   1:   3e 12 83 f8 07 0f 87    ds adc -0x78f0f808(%rbx),%al
   8:   bc 02 00 00 89          mov    $0x89000002,%esp
   d:   c0 48 0f a3             rorb   $0xa3,0xf(%rax)
  11:   05 c2 d8 13 0f          add    $0xf13d8c2,%eax
  16:   0f 82 74 02 00 00       jb     0x290
  1c:   8b 35 5a 0a 14 0f       mov    0xf140a5a(%rip),%esi        # 0xf140a7c
  22:   85 f6                   test   %esi,%esi
  24:   0f 85 8d 00 00 00       jne    0xb7
* 2a:   48 8b 44 24 30          mov    0x30(%rsp),%rax <-- trapping instruction
  2f:   65 48 2b 05 19 f9 3e    sub    %gs:0x123ef919(%rip),%rax        # 0x123ef950
  36:   12
  37:   0f 85 c7 02 00 00       jne    0x304
  3d:   48                      rex.W
  3e:   83                      .byte 0x83
  3f:   c4                      .byte 0xc4


Tested on:

commit:         fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13bb3d34580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17773142580000
syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
> Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866
>

Wow, the UAF bug still occurs?

But... this UAF seems to be a problem with how midi handles urb rather
than a problem with my patch.

Is there something wrong with the way snd_usbmidi_in_urb_complete() is
implemented?

> CPU: 1 UID: 0 PID: 5866 Comm: kworker/1:3 Not tainted syzkaller #0 PREEMPT(full)
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
> Workqueue: usb_hub_wq hub_event
> Call Trace:
>  <IRQ>
>  __dump_stack lib/dump_stack.c:94 [inline]
>  dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
>  print_address_description mm/kasan/report.c:378 [inline]
>  print_report+0xcd/0x630 mm/kasan/report.c:482
>  kasan_report+0xe0/0x110 mm/kasan/report.c:595
>  snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251
>  __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
>  usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
>  dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
>  __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
>  __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
>  hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
>  handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
>  __do_softirq kernel/softirq.c:613 [inline]
>  invoke_softirq kernel/softirq.c:453 [inline]
>  __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
>  irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
>  instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
>  sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
>  </IRQ>
>  <TASK>
>  asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
> RIP: 0010:lock_acquire+0x62/0x350 kernel/locking/lockdep.c:5872
> Code: f9 3e 12 83 f8 07 0f 87 bc 02 00 00 89 c0 48 0f a3 05 c2 d8 13 0f 0f 82 74 02 00 00 8b 35 5a 0a 14 0f 85 f6 0f 85 8d 00 00 00 <48> 8b 44 24 30 65 48 2b 05 19 f9 3e 12 0f 85 c7 02 00 00 48 83 c4
> RSP: 0018:ffffc9000213f6a8 EFLAGS: 00000206
> RAX: 0000000000000046 RBX: ffffffff8e5c16a0 RCX: 000000004089a3e6
> RDX: 0000000000000000 RSI: ffffffff8de2c268 RDI: ffffffff8c163a00
> RBP: 0000000000000002 R08: b04c8ca6f5f73b8b R09: 0000000000000000
> R10: 0000000000000004 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
>  rcu_lock_acquire include/linux/rcupdate.h:331 [inline]
>  rcu_read_lock include/linux/rcupdate.h:841 [inline]
>  class_rcu_constructor include/linux/rcupdate.h:1155 [inline]
>  kernfs_root+0x34/0x2a0 fs/kernfs/kernfs-internal.h:75
>  __kernfs_remove+0x302/0x8a0 fs/kernfs/dir.c:1519
>  kernfs_remove_by_name_ns+0x68/0x110 fs/kernfs/dir.c:1717
>  kernfs_remove_by_name include/linux/kernfs.h:633 [inline]
>  remove_files+0x96/0x1c0 fs/sysfs/group.c:28
>  sysfs_remove_group+0x8b/0x180 fs/sysfs/group.c:322
>  sysfs_remove_groups fs/sysfs/group.c:346 [inline]
>  sysfs_remove_groups+0x60/0xa0 fs/sysfs/group.c:338
>  device_remove_groups drivers/base/core.c:2843 [inline]
>  device_remove_attrs+0x192/0x290 drivers/base/core.c:2973
>  device_del+0x38e/0x9f0 drivers/base/core.c:3877
>  usb_disconnect+0x5bf/0x9c0 drivers/usb/core/hub.c:2375
>  hub_port_connect drivers/usb/core/hub.c:5406 [inline]
>  hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
>  port_event drivers/usb/core/hub.c:5870 [inline]
>  hub_event+0x1c81/0x4fe0 drivers/usb/core/hub.c:5952
>  process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
>  process_scheduled_works kernel/workqueue.c:3319 [inline]
>  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
>  kthread+0x3c5/0x780 kernel/kthread.c:463
>  ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>  </TASK>
>
> Allocated by task 9:
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>  kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>  poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
>  __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
>  kmalloc_noprof include/linux/slab.h:905 [inline]
>  kzalloc_noprof include/linux/slab.h:1039 [inline]
>  snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1342
>  snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2364
>  __snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2647
>  snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
>  snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
>  usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
>  usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
>  call_driver_probe drivers/base/dd.c:581 [inline]
>  really_probe+0x241/0xa90 drivers/base/dd.c:659
>  __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
>  driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
>  __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
>  bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
>  __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
>  bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
>  device_add+0x1148/0x1aa0 drivers/base/core.c:3689
>  usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
>  usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
>  usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
>  call_driver_probe drivers/base/dd.c:581 [inline]
>  really_probe+0x241/0xa90 drivers/base/dd.c:659
>  __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
>  driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
>  __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
>  bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
>  __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
>  bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
>  device_add+0x1148/0x1aa0 drivers/base/core.c:3689
>  usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
>  hub_port_connect drivers/usb/core/hub.c:5566 [inline]
>  hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
>  port_event drivers/usb/core/hub.c:5870 [inline]
>  hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
>  process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
>  process_scheduled_works kernel/workqueue.c:3319 [inline]
>  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
>  kthread+0x3c5/0x780 kernel/kthread.c:463
>  ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>
> Freed by task 9:
>  kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
>  kasan_save_track+0x14/0x30 mm/kasan/common.c:68
>  kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
>  poison_slab_object mm/kasan/common.c:243 [inline]
>  __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
>  kasan_slab_free include/linux/kasan.h:233 [inline]
>  slab_free_hook mm/slub.c:2422 [inline]
>  slab_free mm/slub.c:4695 [inline]
>  kfree+0x2b4/0x4d0 mm/slub.c:4894
>  snd_usbmidi_free sound/usb/midi.c:1532 [inline]
>  snd_usbmidi_rawmidi_free+0xbd/0x130 sound/usb/midi.c:1592
>  snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
>  snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
>  snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
>  __snd_device_free+0x1a7/0x410 sound/core/device.c:76
>  snd_device_free_all+0xf3/0x220 sound/core/device.c:233
>  snd_card_do_free sound/core/init.c:587 [inline]
>  release_card_device+0x77/0x1d0 sound/core/init.c:153
>  device_release+0xa4/0x240 drivers/base/core.c:2565
>  kobject_cleanup lib/kobject.c:689 [inline]
>  kobject_release lib/kobject.c:720 [inline]
>  kref_put include/linux/kref.h:65 [inline]
>  kobject_put+0x1e7/0x5a0 lib/kobject.c:737
>  put_device+0x1f/0x30 drivers/base/core.c:3797
>  snd_card_free_when_closed sound/core/init.c:618 [inline]
>  snd_card_free_when_closed sound/core/init.c:612 [inline]
>  snd_card_free+0x11a/0x190 sound/core/init.c:650
>  usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
>  usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
>  call_driver_probe drivers/base/dd.c:581 [inline]
>  really_probe+0x241/0xa90 drivers/base/dd.c:659
>  __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
>  driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
>  __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
>  bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
>  __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
>  bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
>  device_add+0x1148/0x1aa0 drivers/base/core.c:3689
>  usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
>  usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
>  usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
>  call_driver_probe drivers/base/dd.c:581 [inline]
>  really_probe+0x241/0xa90 drivers/base/dd.c:659
>  __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
>  driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
>  __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
>  bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
>  __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
>  bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
>  device_add+0x1148/0x1aa0 drivers/base/core.c:3689
>  usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
>  hub_port_connect drivers/usb/core/hub.c:5566 [inline]
>  hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
>  port_event drivers/usb/core/hub.c:5870 [inline]
>  hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
>  process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
>  process_scheduled_works kernel/workqueue.c:3319 [inline]
>  worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
>  kthread+0x3c5/0x780 kernel/kthread.c:463
>  ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
>  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
>
> The buggy address belongs to the object at ffff888074717800
>  which belongs to the cache kmalloc-512 of size 512
> The buggy address is located 323 bytes inside of
>  freed 512-byte region [ffff888074717800, ffff888074717a00)
>
> The buggy address belongs to the physical page:
> page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74714
> head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
> page_type: f5(slab)
> raw: 00fff00000000040 ffff88801b841c80 dead000000000100 dead000000000122
> raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
> head: 00fff00000000040 ffff88801b841c80 dead000000000100 dead000000000122
> head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
> head: 00fff00000000002 ffffea0001d1c501 00000000ffffffff 00000000ffffffff
> head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
> page dumped because: kasan: bad access detected
> page_owner tracks the page as allocated
> page last allocated via order 2, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 10, tgid 10 (kworker/0:1), ts 289964868636, free_ts 191685793183
>  set_page_owner include/linux/page_owner.h:32 [inline]
>  post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
>  prep_new_page mm/page_alloc.c:1859 [inline]
>  get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
>  __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
>  alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
>  alloc_slab_page mm/slub.c:2492 [inline]
>  allocate_slab mm/slub.c:2660 [inline]
>  new_slab+0x247/0x330 mm/slub.c:2714
>  ___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
>  __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
>  __slab_alloc_node mm/slub.c:4067 [inline]
>  slab_alloc_node mm/slub.c:4228 [inline]
>  __kmalloc_cache_noprof+0xfb/0x3e0 mm/slub.c:4402
>  kmalloc_noprof include/linux/slab.h:905 [inline]
>  kzalloc_noprof include/linux/slab.h:1039 [inline]
>  device_private_init drivers/base/core.c:3534 [inline]
>  device_add+0xccc/0x1aa0 drivers/base/core.c:3585
>  usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
>  usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
>  usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
>  call_driver_probe drivers/base/dd.c:581 [inline]
>  really_probe+0x241/0xa90 drivers/base/dd.c:659
>  __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
>  driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
>  __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
> page last free pid 6777 tgid 6777 stack trace:
>  reset_page_owner include/linux/page_owner.h:25 [inline]
>  free_pages_prepare mm/page_alloc.c:1395 [inline]
>  __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
>  qlink_free mm/kasan/quarantine.c:163 [inline]
>  qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
>  kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
>  __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
>  kasan_slab_alloc include/linux/kasan.h:250 [inline]
>  slab_post_alloc_hook mm/slub.c:4191 [inline]
>  slab_alloc_node mm/slub.c:4240 [inline]
>  kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4247
>  getname_flags.part.0+0x4c/0x550 fs/namei.c:146
>  getname_flags+0x93/0xf0 include/linux/audit.h:322
>  do_readlinkat+0xb4/0x3a0 fs/stat.c:575
>  __do_sys_readlink fs/stat.c:613 [inline]
>  __se_sys_readlink fs/stat.c:610 [inline]
>  __x64_sys_readlink+0x78/0xc0 fs/stat.c:610
>  do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
>  do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
>  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>
> Memory state around the buggy address:
>  ffff888074717800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff888074717880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888074717900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                            ^
>  ffff888074717980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff888074717a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
> ----------------
> Code disassembly (best guess):
>    0:   f9                      stc
>    1:   3e 12 83 f8 07 0f 87    ds adc -0x78f0f808(%rbx),%al
>    8:   bc 02 00 00 89          mov    $0x89000002,%esp
>    d:   c0 48 0f a3             rorb   $0xa3,0xf(%rax)
>   11:   05 c2 d8 13 0f          add    $0xf13d8c2,%eax
>   16:   0f 82 74 02 00 00       jb     0x290
>   1c:   8b 35 5a 0a 14 0f       mov    0xf140a5a(%rip),%esi        # 0xf140a7c
>   22:   85 f6                   test   %esi,%esi
>   24:   0f 85 8d 00 00 00       jne    0xb7
> * 2a:   48 8b 44 24 30          mov    0x30(%rsp),%rax <-- trapping instruction
>   2f:   65 48 2b 05 19 f9 3e    sub    %gs:0x123ef919(%rip),%rax        # 0x123ef950
>   36:   12
>   37:   0f 85 c7 02 00 00       jne    0x304
>   3d:   48                      rex.W
>   3e:   83                      .byte 0x83
>   3f:   c4                      .byte 0xc4
>
>
> Tested on:
>
> commit:         fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13bb3d34580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
> dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
> compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> patch:          https://syzkaller.appspot.com/x/patch.diff?x=17773142580000
>
On Sat, 27 Sep 2025 12:36:07 +0200, Jeongjun Park wrote: > > syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote: > > > > Hello, > > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete > > > > ================================================================== > > BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251 > > Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866 > > > > Wow, the UAF bug still occurs? > > But... this UAF seems to be a problem with how midi handles urb rather > than a problem with my patch. > > Is there something wrong with the way snd_usbmidi_in_urb_complete() is > implemented? This can be rather a missing kill-and-cleanup in the code path. So the patch like below. Could you check whether this works for you instead of your fix, too? timer_shutdown_sync() is already called in snd_usbmidi_disconnect(), and the call in snd_usbmidi_free() should be superfluous after this change. thanks, Takashi --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i; + if (!umidi->disconnected) + snd_usbmidi_disconnect(&umidi->list); + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; if (ep->out)
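Review bot: the hunk adds the snd_usbmidi_disconnect() call at the top of snd_usbmidi_free() but leaves timer_shutdown_sync(&umidi->error_timer) and the per-endpoint snd_usbmidi_out_endpoint_delete()/snd_usbmidi_in_endpoint_delete() calls in place after it, even though the accompanying text says the timer shutdown in snd_usbmidi_free() becomes superfluous once disconnect runs here; either drop it in the same hunk or say in the changelog that it is kept on purpose as a no-op for the already-disconnected case. It is also worth spelling out which caller the `if (!umidi->disconnected)` guard is for: in the syzbot trace in this thread the kfree() comes from the usb_audio_probe() error path via snd_card_free(), where the USB disconnect callback never ran and umidi->disconnected is still false, so the kill-and-cleanup that snd_usbmidi_disconnect() performs was skipped entirely on that path. Finally, the in-endpoint delete that still follows the new call should be checked against what snd_usbmidi_disconnect() already does to ep->in, so the same URB is not killed and freed twice.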
Hi, Takashi Iwai <tiwai@suse.de> wrote: > > On Sat, 27 Sep 2025 12:36:07 +0200, > Jeongjun Park wrote: > > > > syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote: > > > > > > Hello, > > > > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > > > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete > > > > > > ================================================================== > > > BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251 > > > Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866 > > > > > > > Wow, the UAF bug still occurs? > > > > But... this UAF seems to be a problem with how midi handles urb rather > > than a problem with my patch. > > > > Is there something wrong with the way snd_usbmidi_in_urb_complete() is > > implemented? > > This can be rather a missing kill-and-cleanup in the code path. > So the patch like below. > > Could you check whether this works for you instead of your fix, too? > timer_shutdown_sync() is already called in snd_usbmidi_disconnect(), > and the call in snd_usbmidi_free() should be superfluous after this > change. > Since both my tests and syzbot tests did not cause any bugs when applying this patch, I think the root cause of this vulnerability is the missing kill error_timer + urb. So, I think it would be okay to patch it this way, but in addition, since most of the endpoint delete-related code that existed in snd_usbmidi_free() is now done in snd_usbmidi_disconnect(), I think it would be appropriate to modify it to only perform kfree(ep->out) as in this patch below. --- sound/usb/midi.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/sound/usb/midi.c b/sound/usb/midi.c index acb3bf92857c..97e7e7662b12 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c 
@@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i; + if (!umidi->disconnected) + snd_usbmidi_disconnect(&umidi->list); + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; - if (ep->out) - snd_usbmidi_out_endpoint_delete(ep->out); - if (ep->in) - snd_usbmidi_in_endpoint_delete(ep->in); + kfree(ep->out); } mutex_destroy(&umidi->mutex); - timer_shutdown_sync(&umidi->error_timer); kfree(umidi); } -- > > thanks, > > Takashi > > --- a/sound/usb/midi.c > +++ b/sound/usb/midi.c > @@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) > { > int i; > > + if (!umidi->disconnected) > + snd_usbmidi_disconnect(&umidi->list); > + > for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { > struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; > if (ep->out) Regards, Jeongjun Park
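Review bot: in the snd_usbmidi_free() hunk the endpoint loop now does only `kfree(ep->out);` and no longer touches ep->in at all, so the change relies on snd_usbmidi_disconnect() having already freed ep->in and having torn down everything in the out endpoint except the struct itself; that dependency is only implied by the reply text ("most of the endpoint delete-related code ... is now done in snd_usbmidi_disconnect()") and should be stated in the commit message, because a reader of the loop alone will ask where ep->in is freed and why ep->out alone survives disconnect. Dropping the `if (ep->out)` guard is fine since kfree(NULL) is a no-op. The posted diff carries no changelog, Fixes:, or Signed-off-by: line; since syzbot verified this version, a Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com tag and the dashboard link from the syzbot report belong in the final submission so the fix is traceable to the reproducer.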
On Sat, 27 Sep 2025 17:41:09 +0200, Jeongjun Park wrote: > > Hi, > > Takashi Iwai <tiwai@suse.de> wrote: > > > > On Sat, 27 Sep 2025 12:36:07 +0200, > > Jeongjun Park wrote: > > > > > > syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote: > > > > > > > > Hello, > > > > > > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > > > > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete > > > > > > > > ================================================================== > > > > BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251 > > > > Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866 > > > > > > > > > > Wow, the UAF bug still occurs? > > > > > > But... this UAF seems to be a problem with how midi handles urb rather > > > than a problem with my patch. > > > > > > Is there something wrong with the way snd_usbmidi_in_urb_complete() is > > > implemented? > > > > This can be rather a missing kill-and-cleanup in the code path. > > So the patch like below. > > > > Could you check whether this works for you instead of your fix, too? > > timer_shutdown_sync() is already called in snd_usbmidi_disconnect(), > > and the call in snd_usbmidi_free() should be superfluous after this > > change. > > > > Since both my tests and syzbot tests did not cause any bugs when applying > this patch, I think the root cause of this vulnerability is the missing > kill error_timer + urb. > > So, I think it would be okay to patch it this way, but in addition, since > most of the endpoint delete-related code that existed in > snd_usbmidi_free() is now done in snd_usbmidi_disconnect(), > I think it would be appropriate to modify it to only perform > kfree(ep->out) as in this patch below. Yes, it makes sense. thanks, Takashi > --- > sound/usb/midi.c | 9 ++++----- > 1 file changed, 4 insertions(+), 5 deletions(-) 
> > diff --git a/sound/usb/midi.c b/sound/usb/midi.c > index acb3bf92857c..97e7e7662b12 100644 > --- a/sound/usb/midi.c > +++ b/sound/usb/midi.c > @@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) > { > int i; > > + if (!umidi->disconnected) > + snd_usbmidi_disconnect(&umidi->list); > + > for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { > struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; > - if (ep->out) > - snd_usbmidi_out_endpoint_delete(ep->out); > - if (ep->in) > - snd_usbmidi_in_endpoint_delete(ep->in); > + kfree(ep->out); > } > mutex_destroy(&umidi->mutex); > - timer_shutdown_sync(&umidi->error_timer); > kfree(umidi); > } > > -- > > > > > thanks, > > > > Takashi > > > > --- a/sound/usb/midi.c > > +++ b/sound/usb/midi.c > > @@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) > > { > > int i; > > > > + if (!umidi->disconnected) > > + snd_usbmidi_disconnect(&umidi->list); > > + > > for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { > > struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; > > if (ep->out) > > Regards, > Jeongjun Park
Hi, Takashi Iwai <tiwai@suse.de> wrote: > > On Sat, 27 Sep 2025 12:36:07 +0200, > Jeongjun Park wrote: > > > > syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote: > > > > > > Hello, > > > > > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > > > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete > > > > > > ================================================================== > > > BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x389/0x3c0 sound/usb/midi.c:251 > > > Write of size 1 at addr ffff888074717943 by task kworker/1:3/5866 > > > > > > > Wow, the UAF bug still occurs? > > > > But... this UAF seems to be a problem with how midi handles urb rather > > than a problem with my patch. > > > > Is there something wrong with the way snd_usbmidi_in_urb_complete() is > > implemented? > > This can be rather a missing kill-and-cleanup in the code path. > So the patch like below. > > Could you check whether this works for you instead of your fix, too? > timer_shutdown_sync() is already called in snd_usbmidi_disconnect(), > and the call in snd_usbmidi_free() should be superfluous after this > change. > I'm not an expert on the usbmidi driver, but based on my analysis so far, I think this patch is the most appropriate. And I tested it with the PoC I have, and no UAF occurred. If the syzbot test doesn't produce any bugs, I think it would be a good idea to apply this patch. > > thanks, > > Takashi > > --- a/sound/usb/midi.c > +++ b/sound/usb/midi.c > @@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) > { > int i; > > + if (!umidi->disconnected) > + snd_usbmidi_disconnect(&umidi->list); > + > for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { > struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; > if (ep->out) Regards, Jeongjun Park
On Sat, 27 Sep 2025 12:03:03 +0200, syzbot wrote: > > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > KASAN: slab-use-after-free Write in snd_usbmidi_in_urb_complete OK, so another fix is needed in addition. Let's try the below. #syz test upstream master --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -240,6 +240,9 @@ static void snd_usbmidi_in_urb_complete(struct urb *urb) { struct snd_usb_midi_in_endpoint *ep = urb->context; + if (ep->umidi->disconnected) + return; + if (urb->status == 0) { dump_urb("received", urb->transfer_buffer, urb->actual_length); ep->umidi->usb_protocol_ops->input(ep, urb->transfer_buffer, @@ -275,6 +278,10 @@ static void snd_usbmidi_out_urb_complete(struct urb *urb) wake_up(&ep->drain_wait); } spin_unlock_irqrestore(&ep->buffer_lock, flags); + + if (ep->umidi->disconnected) + return; + if (urb->status < 0) { int err = snd_usbmidi_urb_error(urb); if (err < 0) { @@ -1522,6 +1529,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i; + timer_shutdown_sync(&umidi->error_timer); + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; if (ep->out) @@ -1530,7 +1539,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) snd_usbmidi_in_endpoint_delete(ep->in); } mutex_destroy(&umidi->mutex); - timer_shutdown_sync(&umidi->error_timer); kfree(umidi); }
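Review bot: the early return added at the top of snd_usbmidi_in_urb_complete() dereferences ep and then ep->umidi before anything establishes that either object is still alive, so it cannot guard against the very objects it reads being freed; a flag stored inside the object whose lifetime is in question is not a lifetime guard. The syzbot reply to this patch shows exactly that: a read of size 8 at offset 0 of a freed 512-byte object allocated in snd_usbmidi_in_endpoint_create() (the ep->umidi load) and a read of size 1 at offset 560 of a freed 1024-byte object allocated in __snd_usbmidi_create() (the umidi->disconnected load), both at sound/usb/midi.c:243, which is this new line. The completion handler has to be prevented from running at all, i.e. the URB must be killed (usb_kill_urb() or the driver's existing endpoint kill path) before the endpoint and umidi structures are freed, rather than filtered after the fact. The same objection applies to the `if (ep->umidi->disconnected)` check added in the snd_usbmidi_out_urb_complete() hunk, which also reads ep->umidi after the spinlock has been dropped.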
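Review bot: moving `timer_shutdown_sync(&umidi->error_timer);` ahead of the endpoint delete loop in snd_usbmidi_free() closes the window in which the timer callback could touch an endpoint that has already been freed, but the free path still has the URB completions to deal with: the syzbot result that follows shows snd_usbmidi_in_urb_complete() running after the kfree() in snd_usbmidi_free(), reached through the usb_audio_probe() error path via snd_card_free(). On that path snd_usbmidi_disconnect() was never called, so whatever URB kill and cleanup it performs is skipped; the free path needs the same teardown, which is what the later proposal in this thread (calling snd_usbmidi_disconnect(&umidi->list) from snd_usbmidi_free() when umidi->disconnected is not yet set) provides. The hunk's changelog should also state why the timer shutdown must precede the endpoint deletion, since the ordering is the whole point of the move.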
Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
KASAN: slab-use-after-free Read in snd_usbmidi_in_urb_complete

==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x368/0x410 sound/usb/midi.c:243
Read of size 8 at addr ffff88805ccd6800 by task kworker/1:1/43

CPU: 1 UID: 0 PID: 43 Comm: kworker/1:1 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 snd_usbmidi_in_urb_complete+0x368/0x410 sound/usb/midi.c:243
 __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
 dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227
Code: 00 e8 a2 d3 28 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 20 e8 20 00 48 85 db 0f 85 55 01 00 00 e8 a2 ec 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 77 5f 86
RSP: 0018:ffffc90000b37428 EFLAGS: 00000293
RAX: ffffffff8f2f1658 RBX: 0000000000000000 RCX: ffffffff819aad70
RDX: ffff88801eab5a00 RSI: ffffffff819aad7e RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8f2f1658
R13: ffffffff8f2f1600 R14: ffffc90000b374b8 R15: dffffc0000000000
 __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
 console_unlock+0xd8/0x210 kernel/printk/printk.c:3325
 vprintk_emit+0x418/0x6d0 kernel/printk/printk.c:2450
 dev_vprintk_emit drivers/base/core.c:4914 [inline]
 dev_printk_emit+0xfa/0x140 drivers/base/core.c:4925
 __dev_printk+0xf5/0x270 drivers/base/core.c:4937
 _dev_info+0xe4/0x120 drivers/base/core.c:4983
 announce_device drivers/usb/core/hub.c:2407 [inline]
 usb_new_device+0x7d6/0x1a60 drivers/usb/core/hub.c:2675
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6486:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1349
 snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2371
 __snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2654
 snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
 snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
 usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6486:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2422 [inline]
 slab_free mm/slub.c:4695 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4894
 snd_usbmidi_free sound/usb/midi.c:1539 [inline]
 snd_usbmidi_rawmidi_free+0xbd/0x130 sound/usb/midi.c:1599
 snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
 snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
 snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
 __snd_device_free+0x1a7/0x410 sound/core/device.c:76
 snd_device_free_all+0xf3/0x220 sound/core/device.c:233
 snd_card_do_free sound/core/init.c:587 [inline]
 release_card_device+0x77/0x1d0 sound/core/init.c:153
 device_release+0xa4/0x240 drivers/base/core.c:2565
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e7/0x5a0 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3797
 snd_card_free_when_closed sound/core/init.c:618 [inline]
 snd_card_free_when_closed sound/core/init.c:612 [inline]
 snd_card_free+0x11a/0x190 sound/core/init.c:650
 usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff88805ccd6800
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 0 bytes inside of
 freed 512-byte region [ffff88805ccd6800, ffff88805ccd6a00)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ccd4
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b841c80 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b841c80 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0001733501 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6287, tgid 6287 (syz-executor), ts 181369771590, free_ts 181363057805
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2492 [inline]
 allocate_slab mm/slub.c:2660 [inline]
 new_slab+0x247/0x330 mm/slub.c:2714
 ___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
 __slab_alloc_node mm/slub.c:4067 [inline]
 slab_alloc_node mm/slub.c:4228 [inline]
 __do_kmalloc_node mm/slub.c:4375 [inline]
 __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 fib6_info_alloc+0x40/0x160 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x14c/0x870 net/ipv6/route.c:3811
 ip6_route_add.part.0+0x22/0x1d0 net/ipv6/route.c:3940
 ip6_route_add+0x45/0x60 net/ipv6/route.c:3937
 addrconf_prefix_route+0x2fd/0x510 net/ipv6/addrconf.c:2488
 fixup_permanent_addr net/ipv6/addrconf.c:3598 [inline]
 addrconf_permanent_addr net/ipv6/addrconf.c:3622 [inline]
 addrconf_notify+0x12c6/0x19e0 net/ipv6/addrconf.c:3694
 notifier_call_chain+0xbc/0x410 kernel/notifier.c:85
 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2229
page last free pid 5524 tgid 5524 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
 skb_kfree_head net/core/skbuff.c:1047 [inline]
 skb_free_head+0x114/0x210 net/core/skbuff.c:1059
 skb_release_data+0x795/0x9e0 net/core/skbuff.c:1086
 skb_release_all net/core/skbuff.c:1151 [inline]
 __kfree_skb net/core/skbuff.c:1165 [inline]
 consume_skb net/core/skbuff.c:1397 [inline]
 consume_skb+0xbf/0x100 net/core/skbuff.c:1391
 __unix_dgram_recvmsg+0x779/0xc30 net/unix/af_unix.c:2683
 unix_dgram_recvmsg net/unix/af_unix.c:2700 [inline]
 unix_seqpacket_recvmsg+0x11c/0x170 net/unix/af_unix.c:2567
 sock_recvmsg_nosec net/socket.c:1065 [inline]
 sock_recvmsg+0x1f9/0x250 net/socket.c:1087
 sock_read_iter+0x2b9/0x3b0 net/socket.c:1157
 do_iter_readv_writev+0x743/0x9e0 fs/read_write.c:825
 vfs_readv+0x4cb/0x8b0 fs/read_write.c:1018
 do_readv+0x28c/0x340 fs/read_write.c:1080
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88805ccd6700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88805ccd6780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88805ccd6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff88805ccd6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805ccd6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x351/0x410 sound/usb/midi.c:243
Read of size 1 at addr ffff88802378d230 by task kworker/1:1/43

CPU: 1 UID: 0 PID: 43 Comm: kworker/1:1 Tainted: G B syzkaller #0 PREEMPT(full)
Tainted: [B]=BAD_PAGE
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Workqueue: usb_hub_wq hub_event
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 snd_usbmidi_in_urb_complete+0x351/0x410 sound/usb/midi.c:243
 __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661
 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745
 dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995
 __run_hrtimer kernel/time/hrtimer.c:1761 [inline]
 __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825
 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227
Code: 00 e8 a2 d3 28 00 9c 5b 81 e3 00 02 00 00 31 ff 48 89 de e8 20 e8 20 00 48 85 db 0f 85 55 01 00 00 e8 a2 ec 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 77 5f 86
RSP: 0018:ffffc90000b37428 EFLAGS: 00000293
RAX: ffffffff8f2f1658 RBX: 0000000000000000 RCX: ffffffff819aad70
RDX: ffff88801eab5a00 RSI: ffffffff819aad7e RDI: 0000000000000007
RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8f2f1658
R13: ffffffff8f2f1600 R14: ffffc90000b374b8 R15: dffffc0000000000
 __console_flush_and_unlock kernel/printk/printk.c:3285 [inline]
 console_unlock+0xd8/0x210 kernel/printk/printk.c:3325
 vprintk_emit+0x418/0x6d0 kernel/printk/printk.c:2450
 dev_vprintk_emit drivers/base/core.c:4914 [inline]
 dev_printk_emit+0xfa/0x140 drivers/base/core.c:4925
 __dev_printk+0xf5/0x270 drivers/base/core.c:4937
 _dev_info+0xe4/0x120 drivers/base/core.c:4983
 announce_device drivers/usb/core/hub.c:2407 [inline]
 usb_new_device+0x7d6/0x1a60 drivers/usb/core/hub.c:2675
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 6486:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 __snd_usbmidi_create+0xe4/0x1e90 sound/usb/midi.c:2534
 snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
 snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
 usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Freed by task 6486:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2422 [inline]
 slab_free mm/slub.c:4695 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4894
 snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
 snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
 snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
 __snd_device_free+0x1a7/0x410 sound/core/device.c:76
 snd_device_free_all+0xf3/0x220 sound/core/device.c:233
 snd_card_do_free sound/core/init.c:587 [inline]
 release_card_device+0x77/0x1d0 sound/core/init.c:153
 device_release+0xa4/0x240 drivers/base/core.c:2565
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e7/0x5a0 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3797
 snd_card_free_when_closed sound/core/init.c:618 [inline]
 snd_card_free_when_closed sound/core/init.c:612 [inline]
 snd_card_free+0x11a/0x190 sound/core/init.c:650
 usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c5/0x780 kernel/kthread.c:463
 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

The buggy address belongs to the object at ffff88802378d000
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 560 bytes inside of
 freed 1024-byte region [ffff88802378d000, ffff88802378d400)

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x23788
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b841dc0 dead000000000100 dead000000000122
raw: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b841dc0 dead000000000100 dead000000000122
head: 0000000000000000 0000000080100010 00000000f5000000 0000000000000000
head: 00fff00000000003 ffffea00008de201 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000008
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5602, tgid 5602 (start-stop-daem), ts 71829928370, free_ts 71793603330
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2492 [inline]
 allocate_slab mm/slub.c:2660 [inline]
 new_slab+0x247/0x330 mm/slub.c:2714
 ___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
 __slab_alloc_node mm/slub.c:4067 [inline]
 slab_alloc_node mm/slub.c:4228 [inline]
 __do_kmalloc_node mm/slub.c:4375 [inline]
 __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 tomoyo_init_log+0x1385/0x2140 security/tomoyo/audit.c:275
 tomoyo_supervisor+0x302/0x13b0 security/tomoyo/common.c:2198
 tomoyo_audit_env_log security/tomoyo/environ.c:36 [inline]
 tomoyo_env_perm+0x191/0x200 security/tomoyo/environ.c:63
 tomoyo_environ security/tomoyo/domain.c:672 [inline]
 tomoyo_find_next_domain+0xec2/0x20b0 security/tomoyo/domain.c:888
 tomoyo_bprm_check_security security/tomoyo/tomoyo.c:102 [inline]
 tomoyo_bprm_check_security+0x12e/0x1d0 security/tomoyo/tomoyo.c:92
 security_bprm_check+0x1b9/0x1e0 security/security.c:1302
 search_binary_handler fs/exec.c:1660 [inline]
 exec_binprm fs/exec.c:1702 [inline]
 bprm_execve fs/exec.c:1754 [inline]
 bprm_execve+0x81a/0x1640 fs/exec.c:1730
 do_execveat_common.isra.0+0x4a5/0x610 fs/exec.c:1860
page last free pid 5600 tgid 5600 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4191 [inline]
 slab_alloc_node mm/slub.c:4240 [inline]
 kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4247
 vm_area_alloc+0x1f/0x160 mm/vma_init.c:31
 __mmap_new_vma mm/vma.c:2461 [inline]
 __mmap_region+0xf90/0x27b0 mm/vma.c:2669
 mmap_region+0x1ab/0x3f0 mm/vma.c:2739
 do_mmap+0xa3e/0x1210 mm/mmap.c:558
 vm_mmap_pgoff+0x29e/0x470 mm/util.c:580
 ksys_mmap_pgoff+0x32c/0x5c0 mm/mmap.c:604
 __do_sys_mmap arch/x86/kernel/sys_x86_64.c:89 [inline]
 __se_sys_mmap arch/x86/kernel/sys_x86_64.c:82 [inline]
 __x64_sys_mmap+0x125/0x190 arch/x86/kernel/sys_x86_64.c:82
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Memory state around the buggy address:
 ffff88802378d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802378d180: fb fb fb
fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88802378d200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88802378d280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88802378d300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== ================================================================== BUG: KASAN: slab-use-after-free in snd_usbmidi_in_urb_complete+0x3e1/0x410 sound/usb/midi.c:254 Write of size 1 at addr ffff88805ccd6943 by task kworker/1:1/43 CPU: 1 UID: 0 PID: 43 Comm: kworker/1:1 Tainted: G B syzkaller #0 PREEMPT(full) Tainted: [B]=BAD_PAGE Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025 Workqueue: usb_hub_wq hub_event Call Trace: <IRQ> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 snd_usbmidi_in_urb_complete+0x3e1/0x410 sound/usb/midi.c:254 __usb_hcd_giveback_urb+0x38b/0x610 drivers/usb/core/hcd.c:1661 usb_hcd_giveback_urb+0x39b/0x450 drivers/usb/core/hcd.c:1745 dummy_timer+0x1814/0x3a30 drivers/usb/gadget/udc/dummy_hcd.c:1995 __run_hrtimer kernel/time/hrtimer.c:1761 [inline] __hrtimer_run_queues+0x202/0xad0 kernel/time/hrtimer.c:1825 hrtimer_run_softirq+0x17d/0x350 kernel/time/hrtimer.c:1842 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579 __do_softirq kernel/softirq.c:613 [inline] invoke_softirq kernel/softirq.c:453 [inline] __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline] sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050 </IRQ> <TASK> asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702 RIP: 0010:console_flush_all+0x9a2/0xc60 kernel/printk/printk.c:3227 Code: 00 e8 a2 d3 28 00 9c 5b 
81 e3 00 02 00 00 31 ff 48 89 de e8 20 e8 20 00 48 85 db 0f 85 55 01 00 00 e8 a2 ec 20 00 fb 4c 89 e0 <48> c1 e8 03 42 80 3c 38 00 0f 84 11 ff ff ff 4c 89 e7 e8 77 5f 86 RSP: 0018:ffffc90000b37428 EFLAGS: 00000293 RAX: ffffffff8f2f1658 RBX: 0000000000000000 RCX: ffffffff819aad70 RDX: ffff88801eab5a00 RSI: ffffffff819aad7e RDI: 0000000000000007 RBP: 0000000000000001 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8f2f1658 R13: ffffffff8f2f1600 R14: ffffc90000b374b8 R15: dffffc0000000000 __console_flush_and_unlock kernel/printk/printk.c:3285 [inline] console_unlock+0xd8/0x210 kernel/printk/printk.c:3325 vprintk_emit+0x418/0x6d0 kernel/printk/printk.c:2450 dev_vprintk_emit drivers/base/core.c:4914 [inline] dev_printk_emit+0xfa/0x140 drivers/base/core.c:4925 __dev_printk+0xf5/0x270 drivers/base/core.c:4937 _dev_info+0xe4/0x120 drivers/base/core.c:4983 announce_device drivers/usb/core/hub.c:2407 [inline] usb_new_device+0x7d6/0x1a60 drivers/usb/core/hub.c:2675 hub_port_connect drivers/usb/core/hub.c:5566 [inline] hub_port_connect_change drivers/usb/core/hub.c:5706 [inline] port_event drivers/usb/core/hub.c:5870 [inline] hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 </TASK> Allocated by task 6486: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:388 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405 kmalloc_noprof include/linux/slab.h:905 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1349 snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 
sound/usb/midi.c:2371 __snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2654 snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178 snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541 usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:581 [inline] really_probe+0x241/0xa90 drivers/base/dd.c:659 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1aa0 drivers/base/core.c:3689 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:581 [inline] really_probe+0x241/0xa90 drivers/base/dd.c:659 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1aa0 drivers/base/core.c:3689 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694 hub_port_connect drivers/usb/core/hub.c:5566 [inline] hub_port_connect_change drivers/usb/core/hub.c:5706 [inline] port_event drivers/usb/core/hub.c:5870 [inline] hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 
arch/x86/entry/entry_64.S:245 Freed by task 6486: kasan_save_stack+0x33/0x60 mm/kasan/common.c:47 kasan_save_track+0x14/0x30 mm/kasan/common.c:68 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576 poison_slab_object mm/kasan/common.c:243 [inline] __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275 kasan_slab_free include/linux/kasan.h:233 [inline] slab_free_hook mm/slub.c:2422 [inline] slab_free mm/slub.c:4695 [inline] kfree+0x2b4/0x4d0 mm/slub.c:4894 snd_usbmidi_free sound/usb/midi.c:1539 [inline] snd_usbmidi_rawmidi_free+0xbd/0x130 sound/usb/midi.c:1599 snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934 snd_rawmidi_free sound/core/rawmidi.c:1923 [inline] snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945 __snd_device_free+0x1a7/0x410 sound/core/device.c:76 snd_device_free_all+0xf3/0x220 sound/core/device.c:233 snd_card_do_free sound/core/init.c:587 [inline] release_card_device+0x77/0x1d0 sound/core/init.c:153 device_release+0xa4/0x240 drivers/base/core.c:2565 kobject_cleanup lib/kobject.c:689 [inline] kobject_release lib/kobject.c:720 [inline] kref_put include/linux/kref.h:65 [inline] kobject_put+0x1e7/0x5a0 lib/kobject.c:737 put_device+0x1f/0x30 drivers/base/core.c:3797 snd_card_free_when_closed sound/core/init.c:618 [inline] snd_card_free_when_closed sound/core/init.c:612 [inline] snd_card_free+0x11a/0x190 sound/core/init.c:650 usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396 call_driver_probe drivers/base/dd.c:581 [inline] really_probe+0x241/0xa90 drivers/base/dd.c:659 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1aa0 drivers/base/core.c:3689 usb_set_configuration+0x1187/0x1e20 
drivers/usb/core/message.c:2210 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250 usb_probe_device+0xef/0x3e0 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:581 [inline] really_probe+0x241/0xa90 drivers/base/dd.c:659 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537 device_add+0x1148/0x1aa0 drivers/base/core.c:3689 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694 hub_port_connect drivers/usb/core/hub.c:5566 [inline] hub_port_connect_change drivers/usb/core/hub.c:5706 [inline] port_event drivers/usb/core/hub.c:5870 [inline] hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3236 process_scheduled_works kernel/workqueue.c:3319 [inline] worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400 kthread+0x3c5/0x780 kernel/kthread.c:463 ret_from_fork+0x56d/0x730 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 The buggy address belongs to the object at ffff88805ccd6800 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 323 bytes inside of freed 512-byte region [ffff88805ccd6800, ffff88805ccd6a00) The buggy address belongs to the physical page: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ccd4 head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0 anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff) page_type: f5(slab) raw: 00fff00000000040 ffff88801b841c80 0000000000000000 dead000000000001 raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000 head: 00fff00000000040 ffff88801b841c80 0000000000000000 dead000000000001 head: 0000000000000000 0000000000100010 00000000f5000000 
0000000000000000 head: 00fff00000000002 ffffea0001733501 00000000ffffffff 00000000ffffffff head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 6287, tgid 6287 (syz-executor), ts 181369771590, free_ts 181363057805 set_page_owner include/linux/page_owner.h:32 [inline] post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851 prep_new_page mm/page_alloc.c:1859 [inline] get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416 alloc_slab_page mm/slub.c:2492 [inline] allocate_slab mm/slub.c:2660 [inline] new_slab+0x247/0x330 mm/slub.c:2714 ___slab_alloc+0xcf2/0x1750 mm/slub.c:3901 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992 __slab_alloc_node mm/slub.c:4067 [inline] slab_alloc_node mm/slub.c:4228 [inline] __do_kmalloc_node mm/slub.c:4375 [inline] __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388 kmalloc_noprof include/linux/slab.h:909 [inline] kzalloc_noprof include/linux/slab.h:1039 [inline] fib6_info_alloc+0x40/0x160 net/ipv6/ip6_fib.c:155 ip6_route_info_create+0x14c/0x870 net/ipv6/route.c:3811 ip6_route_add.part.0+0x22/0x1d0 net/ipv6/route.c:3940 ip6_route_add+0x45/0x60 net/ipv6/route.c:3937 addrconf_prefix_route+0x2fd/0x510 net/ipv6/addrconf.c:2488 fixup_permanent_addr net/ipv6/addrconf.c:3598 [inline] addrconf_permanent_addr net/ipv6/addrconf.c:3622 [inline] addrconf_notify+0x12c6/0x19e0 net/ipv6/addrconf.c:3694 notifier_call_chain+0xbc/0x410 kernel/notifier.c:85 call_netdevice_notifiers_info+0xbe/0x140 net/core/dev.c:2229 page last free pid 5524 tgid 5524 stack trace: reset_page_owner include/linux/page_owner.h:25 [inline] free_pages_prepare mm/page_alloc.c:1395 [inline] __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895 
skb_kfree_head net/core/skbuff.c:1047 [inline] skb_free_head+0x114/0x210 net/core/skbuff.c:1059 skb_release_data+0x795/0x9e0 net/core/skbuff.c:1086 skb_release_all net/core/skbuff.c:1151 [inline] __kfree_skb net/core/skbuff.c:1165 [inline] consume_skb net/core/skbuff.c:1397 [inline] consume_skb+0xbf/0x100 net/core/skbuff.c:1391 __unix_dgram_recvmsg+0x779/0xc30 net/unix/af_unix.c:2683 unix_dgram_recvmsg net/unix/af_unix.c:2700 [inline] unix_seqpacket_recvmsg+0x11c/0x170 net/unix/af_unix.c:2567 sock_recvmsg_nosec net/socket.c:1065 [inline] sock_recvmsg+0x1f9/0x250 net/socket.c:1087 sock_read_iter+0x2b9/0x3b0 net/socket.c:1157 do_iter_readv_writev+0x743/0x9e0 fs/read_write.c:825 vfs_readv+0x4cb/0x8b0 fs/read_write.c:1018 do_readv+0x28c/0x340 fs/read_write.c:1080 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Memory state around the buggy address: ffff88805ccd6800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88805ccd6880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff88805ccd6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88805ccd6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88805ccd6a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== ---------------- Code disassembly (best guess): 0: 00 e8 add %ch,%al 2: a2 d3 28 00 9c 5b 81 movabs %al,0xe3815b9c0028d3 9: e3 00 b: 02 00 add (%rax),%al d: 00 31 add %dh,(%rcx) f: ff 48 89 decl -0x77(%rax) 12: de e8 fsubrp %st,%st(0) 14: 20 e8 and %ch,%al 16: 20 00 and %al,(%rax) 18: 48 85 db test %rbx,%rbx 1b: 0f 85 55 01 00 00 jne 0x176 21: e8 a2 ec 20 00 call 0x20ecc8 26: fb sti 27: 4c 89 e0 mov %r12,%rax * 2a: 48 c1 e8 03 shr $0x3,%rax <-- trapping instruction 2e: 42 80 3c 38 00 cmpb $0x0,(%rax,%r15,1) 33: 0f 84 11 ff ff ff je 0xffffff4a 39: 4c 89 e7 mov %r12,%rdi 3c: e8 .byte 0xe8 3d: 77 5f ja 0x9e 3f: 86 .byte 0x86 Tested 
on: commit: fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:.. git tree: upstream console output: https://syzkaller.appspot.com/x/log.txt?x=102f3d34580000 kernel config: https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9 dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947 compiler: gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40 patch: https://syzkaller.appspot.com/x/patch.diff?x=175302e2580000
On Sat, 27 Sep 2025 12:55:01 +0200, syzbot wrote: > > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > KASAN: slab-use-after-free Read in snd_usbmidi_in_urb_complete Another try. #syz test upstream master --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1522,6 +1522,9 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i; + if (!umidi->disconnected) + snd_usbmidi_disconnect(&umidi->list); + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; if (ep->out)
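Review bot: the guard `if (!umidi->disconnected) snd_usbmidi_disconnect(&umidi->list);` at the top of snd_usbmidi_free() targets the path in the KASAN "Freed by" trace above, where the free is reached from snd_card_free() inside usb_audio_probe() (sound/usb/card.c:1034), i.e. a probe failure on which the USB disconnect callback presumably never ran, so nothing quiesced the in-flight URBs and the error timer before the endpoints were deleted. Two points should be stated in the code: umidi->disconnected is read here without any lock, which is only safe if the flag can no longer change once the free path runs, and the existing snd_usbmidi_*_endpoint_delete() calls and the trailing timer_shutdown_sync(), both untouched by this hunk, now run on endpoints that snd_usbmidi_disconnect() has already torn down, so a comment should say what state disconnect leaves ep->in and ep->out in. This "#syz test" request carries no changelog; the final submission should explain in the commit message why running the disconnect path from free is preferred over merely moving the timer shutdown ahead of the endpoint deletes as the original patch does.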
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Tested-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com

Tested on:

commit:         fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12cc82e2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=124c5f12580000

Note: testing is done by a robot and is best-effort only.
syzbot <syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com> wrote: > > Hello, > > syzbot has tested the proposed patch and the reproducer did not trigger any issue: > > Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com > Tested-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com > > Tested on: > #syz test upstream master --- sound/usb/midi.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/sound/usb/midi.c b/sound/usb/midi.c index acb3bf92857c..97e7e7662b12 100644 --- a/sound/usb/midi.c +++ b/sound/usb/midi.c @@ -1522,15 +1522,14 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) { int i; + if (!umidi->disconnected) + snd_usbmidi_disconnect(&umidi->list); + for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; - if (ep->out) - snd_usbmidi_out_endpoint_delete(ep->out); - if (ep->in) - snd_usbmidi_in_endpoint_delete(ep->in); + kfree(ep->out); } mutex_destroy(&umidi->mutex); - timer_shutdown_sync(&umidi->error_timer); kfree(umidi); } --
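Review bot: dropping the `if (ep->in) snd_usbmidi_in_endpoint_delete(ep->in);` pair and replacing `snd_usbmidi_out_endpoint_delete(ep->out)` with a bare `kfree(ep->out)` is correct only if snd_usbmidi_disconnect(), which the new guard now guarantees has run, has already freed the in-endpoint objects (and cleared ep->in, otherwise they leak), released the out-endpoint URBs and buffers, and stopped the error timer that the removed `timer_shutdown_sync(&umidi->error_timer)` line used to handle. None of that is visible in this hunk, so a reader of snd_usbmidi_free() cannot tell why ep->in is never freed here or why kfree() alone suffices for ep->out; add a comment above the loop stating that invariant, noting that kfree(NULL) is a no-op and so covers endpoints that were never created. The diffstat of 4 insertions and 5 deletions matches the +/- lines shown.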
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com
Tested-by: syzbot+f02665daa2abeef4a947@syzkaller.appspotmail.com

Tested on:

commit:         fec734e8 Merge tag 'riscv-for-linus-v6.17-rc8' of git:..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=16295f12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=927198eca77e75d9
dashboard link: https://syzkaller.appspot.com/bug?extid=f02665daa2abeef4a947
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=169eb142580000

Note: testing is done by a robot and is best-effort only.
Hi, Takashi Iwai <tiwai@suse.de> wrote: > > On Sat, 27 Sep 2025 06:41:06 +0200, > Jeongjun Park wrote: > > > > The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at > > removal") patched a UAF issue caused by the error timer. > > > > However, because the error timer kill added in this patch occurs after the > > endpoint delete, a race condition to UAF still occurs, albeit rarely. > > > > Therefore, to prevent this, the error timer must be killed before freeing > > the heap memory. > > > > Cc: <stable@vger.kernel.org> > > Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") > > Signed-off-by: Jeongjun Park <aha310510@gmail.com> > > I suppose it's a fix for the recent syzbot reports? > https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com > https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com > Oh, I didn't know it was already reported on syzbot. > I had the very same fix in mind, as posted in > https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de > so I'll happily apply if that's the case (and it was verified to > work). I'm just back from vacation and trying to catch up things. > Although it's difficult to disclose right now, I have already completed writing a PoC that triggers a UAF due to the error timer in a slightly different way than the backtrace reported to syzbot, and I have confirmed that no bugs occur when testing this patch through this PoC. > > thanks, > > Takashi > > > --- > > sound/usb/midi.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/sound/usb/midi.c b/sound/usb/midi.c > > index acb3bf92857c..8d15f1caa92b 100644 > > --- a/sound/usb/midi.c > > +++ b/sound/usb/midi.c > > @@ -1522,6 +1522,8 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) > > { > > int i; > > > > + timer_shutdown_sync(&umidi->error_timer); > > + > > for (i = 0; i < MIDI_MAX_ENDPOINTS; ++i) { > > struct snd_usb_midi_endpoint *ep = &umidi->endpoints[i]; > > if (ep->out) 
> > @@ -1530,7 +1532,6 @@ static void snd_usbmidi_free(struct snd_usb_midi *umidi) > > snd_usbmidi_in_endpoint_delete(ep->in); > > } > > mutex_destroy(&umidi->mutex); > > - timer_shutdown_sync(&umidi->error_timer); > > kfree(umidi); > > } > > > > -- Regards, Jeongjun Park
On Sat, 27 Sep 2025 10:48:02 +0200, Jeongjun Park wrote: > > Hi, > > Takashi Iwai <tiwai@suse.de> wrote: > > > > On Sat, 27 Sep 2025 06:41:06 +0200, > > Jeongjun Park wrote: > > > > > > The previous commit 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at > > > removal") patched a UAF issue caused by the error timer. > > > > > > However, because the error timer kill added in this patch occurs after the > > > endpoint delete, a race condition to UAF still occurs, albeit rarely. > > > > > > Therefore, to prevent this, the error timer must be killed before freeing > > > the heap memory. > > > > > > Cc: <stable@vger.kernel.org> > > > Fixes: 0718a78f6a9f ("ALSA: usb-audio: Kill timer properly at removal") > > > Signed-off-by: Jeongjun Park <aha310510@gmail.com> > > > > I suppose it's a fix for the recent syzbot reports? > > https://lore.kernel.org/68d17f44.050a0220.13cd81.05b7.GAE@google.com > > https://lore.kernel.org/68d38327.a70a0220.1b52b.02be.GAE@google.com > > > > Oh, I didn't know it was already reported on syzbot. > > > I had the very same fix in mind, as posted in > > https://lore.kernel.org/87plbhn16a.wl-tiwai@suse.de > > so I'll happily apply if that's the case (and it was verified to > > work). I'm just back from vacation and trying to catch up things. > > > > Although it's difficult to disclose right now, I have already completed > writing a PoC that triggers a UAF due to the error timer in a slightly > different way than the backtrace reported to syzbot, and I have confirmed > that no bugs occur when testing this patch through this PoC. OK, so this sounds like a coincidence, but it's very likely the same issue, so I'm going to put mark those syzbot reports. thanks, Takashi
© 2016 - 2025 Red Hat, Inc.