| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/06/30 | lts (merge base) | e0e2f7824338 | C | [report] KASAN: slab-out-of-bounds Read in mon_bin_event |
| 2025/06/30 | upstream (ToT) | d0b3b7b22dfa | C | [report] KASAN: slab-out-of-bounds Read in mon_bin_event |
syzbot |
sign-in | mailing list | source | docs |
| Date | Name | Commit | Repro | Result |
|---|---|---|---|---|
| 2025/06/30 | lts (merge base) | e0e2f7824338 | C | [report] KASAN: slab-out-of-bounds Read in mon_bin_event |
| 2025/06/30 | upstream (ToT) | d0b3b7b22dfa | C | [report] KASAN: slab-out-of-bounds Read in mon_bin_event |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: slab-out-of-bounds Read in mon_bin_event usb | C | 2 | 1d17h | 1d08h | 0/29 | upstream: reported C repro on 2025/07/02 17:42 | ||
| android-5-15 | KASAN: slab-out-of-bounds Read in mon_bin_event | 1 | 3d08h | 3d08h | 0/2 | premoderation: reported on 2025/06/30 17:27 | |||
| android-5-10 | KASAN: slab-out-of-bounds Read in mon_bin_event | C | 15 | 1d17h | 2d07h | 0/2 | upstream: reported C repro on 2025/07/01 18:26 |
usb 1-1: config 0 descriptor?? microsoft 0003:045E:07DA.0001: unknown main item tag 0x0 microsoft 0003:045E:07DA.0001: ignoring exceeding usage max ================================================================== BUG: KASAN: slab-out-of-bounds in mon_copy_to_buff drivers/usb/mon/mon_bin.c:252 [inline] BUG: KASAN: slab-out-of-bounds in mon_bin_get_data drivers/usb/mon/mon_bin.c:420 [inline] BUG: KASAN: slab-out-of-bounds in mon_bin_event+0x12c1/0x23e0 drivers/usb/mon/mon_bin.c:606 Read of size 832 at addr ffff88811e4be481 by task kworker/0:1/10 CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.12.30-syzkaller-g648383294760 #0 93f95243d2c671158253b6b51cea62df3148036e Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025 Workqueue: usb_hub_wq hub_event Call Trace: <TASK> __dump_stack+0x21/0x30 lib/dump_stack.c:94 dump_stack_lvl+0x10c/0x190 lib/dump_stack.c:120 print_address_description+0x71/0x220 mm/kasan/report.c:377 print_report+0x4a/0x70 mm/kasan/report.c:488 kasan_report+0x163/0x1a0 mm/kasan/report.c:601 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x299/0x2a0 mm/kasan/generic.c:189 __asan_memcpy+0x31/0x80 mm/kasan/shadow.c:105 mon_copy_to_buff drivers/usb/mon/mon_bin.c:252 [inline] mon_bin_get_data drivers/usb/mon/mon_bin.c:420 [inline] mon_bin_event+0x12c1/0x23e0 drivers/usb/mon/mon_bin.c:606 mon_bin_submit+0x2b/0x40 drivers/usb/mon/mon_bin.c:626 mon_bus_submit drivers/usb/mon/mon_main.c:89 [inline] mon_submit+0x1b9/0x230 drivers/usb/mon/mon_main.c:100 usbmon_urb_submit include/linux/usb/hcd.h:740 [inline] usb_hcd_submit_urb+0x12d/0x1a20 drivers/usb/core/hcd.c:1518 usb_submit_urb+0x111b/0x1800 drivers/usb/core/urb.c:581 usb_start_wait_urb+0x11b/0x2f0 drivers/usb/core/message.c:59 usb_internal_control_msg drivers/usb/core/message.c:103 [inline] usb_control_msg+0x25a/0x490 drivers/usb/core/message.c:154 usbhid_set_raw_report drivers/hid/usbhid/hid-core.c:928 [inline] usbhid_raw_request+0x457/0x590 drivers/hid/usbhid/hid-core.c:1296 __hid_request+0x1e8/0x410 drivers/hid/hid-core.c:1979 hidinput_change_resolution_multipliers drivers/hid/hid-input.c:1950 [inline] hidinput_connect+0x241b/0x3340 drivers/hid/hid-input.c:2327 hid_connect+0x49a/0x1a20 drivers/hid/hid-core.c:2236 hid_hw_start+0xcb/0x160 drivers/hid/hid-core.c:2351 ms_probe+0x194/0x460 drivers/hid/hid-microsoft.c:391 __hid_device_probe drivers/hid/hid-core.c:2702 [inline] hid_device_probe+0x2c4/0x5d0 drivers/hid/hid-core.c:2739 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x2d3/0x890 drivers/base/dd.c:657 __driver_probe_device+0x198/0x280 drivers/base/dd.c:799 driver_probe_device+0x54/0x3f0 drivers/base/dd.c:829 __device_attach_driver+0x2f1/0x4b0 drivers/base/dd.c:957 bus_for_each_drv+0x260/0x2f0 drivers/base/bus.c:459 __device_attach+0x2bd/0x3a0 drivers/base/dd.c:1029 device_initial_probe+0x1e/0x30 drivers/base/dd.c:1078 bus_probe_device+0x18b/0x270 drivers/base/bus.c:534 device_add+0x80c/0xc00 drivers/base/core.c:3692 hid_add_device+0x39b/0x560 drivers/hid/hid-core.c:2885 usbhid_probe+0xde3/0x12b0 drivers/hid/usbhid/hid-core.c:1432 usb_probe_interface+0x696/0xc00 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x2d3/0x890 drivers/base/dd.c:657 __driver_probe_device+0x198/0x280 drivers/base/dd.c:799 driver_probe_device+0x54/0x3f0 drivers/base/dd.c:829 __device_attach_driver+0x2f1/0x4b0 drivers/base/dd.c:957 bus_for_each_drv+0x260/0x2f0 drivers/base/bus.c:459 __device_attach+0x2bd/0x3a0 drivers/base/dd.c:1029 device_initial_probe+0x1e/0x30 drivers/base/dd.c:1078 bus_probe_device+0x18b/0x270 drivers/base/bus.c:534 device_add+0x80c/0xc00 drivers/base/core.c:3692 usb_set_configuration+0x1ad4/0x20b0 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0x95/0x160 drivers/usb/core/generic.c:254 usb_probe_device+0x1d4/0x380 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x2d3/0x890 drivers/base/dd.c:657 __driver_probe_device+0x198/0x280 drivers/base/dd.c:799 driver_probe_device+0x54/0x3f0 drivers/base/dd.c:829 __device_attach_driver+0x2f1/0x4b0 drivers/base/dd.c:957 bus_for_each_drv+0x260/0x2f0 drivers/base/bus.c:459 __device_attach+0x2bd/0x3a0 drivers/base/dd.c:1029 device_initial_probe+0x1e/0x30 drivers/base/dd.c:1078 bus_probe_device+0x18b/0x270 drivers/base/bus.c:534 device_add+0x80c/0xc00 drivers/base/core.c:3692 usb_new_device+0x9ed/0x1590 drivers/usb/core/hub.c:2662 hub_port_connect drivers/usb/core/hub.c:5533 [inline] hub_port_connect_change drivers/usb/core/hub.c:5673 [inline] port_event drivers/usb/core/hub.c:5833 [inline] hub_event+0x265b/0x41a0 drivers/usb/core/hub.c:5915 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0x7d2/0x1020 kernel/workqueue.c:3319 worker_thread+0xc58/0x1250 kernel/workqueue.c:3400 kthread+0x2ca/0x370 kernel/kthread.c:389 ret_from_fork+0x64/0xa0 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Allocated by task 10: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:565 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x96/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4347 [inline] __kmalloc_noprof+0x1b1/0x450 mm/slub.c:4359 kmalloc_noprof include/linux/slab.h:885 [inline] kzalloc_noprof include/linux/slab.h:1017 [inline] hid_alloc_report_buf drivers/hid/hid-core.c:1880 [inline] __hid_request+0xa9/0x410 drivers/hid/hid-core.c:1970 hidinput_change_resolution_multipliers drivers/hid/hid-input.c:1950 [inline] hidinput_connect+0x241b/0x3340 drivers/hid/hid-input.c:2327 hid_connect+0x49a/0x1a20 drivers/hid/hid-core.c:2236 hid_hw_start+0xcb/0x160 drivers/hid/hid-core.c:2351 ms_probe+0x194/0x460 drivers/hid/hid-microsoft.c:391 __hid_device_probe drivers/hid/hid-core.c:2702 [inline] hid_device_probe+0x2c4/0x5d0 drivers/hid/hid-core.c:2739 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x2d3/0x890 drivers/base/dd.c:657 __driver_probe_device+0x198/0x280 drivers/base/dd.c:799 driver_probe_device+0x54/0x3f0 drivers/base/dd.c:829 __device_attach_driver+0x2f1/0x4b0 drivers/base/dd.c:957 bus_for_each_drv+0x260/0x2f0 drivers/base/bus.c:459 __device_attach+0x2bd/0x3a0 drivers/base/dd.c:1029 device_initial_probe+0x1e/0x30 drivers/base/dd.c:1078 bus_probe_device+0x18b/0x270 drivers/base/bus.c:534 device_add+0x80c/0xc00 drivers/base/core.c:3692 hid_add_device+0x39b/0x560 drivers/hid/hid-core.c:2885 usbhid_probe+0xde3/0x12b0 drivers/hid/usbhid/hid-core.c:1432 usb_probe_interface+0x696/0xc00 drivers/usb/core/driver.c:399 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x2d3/0x890 drivers/base/dd.c:657 __driver_probe_device+0x198/0x280 drivers/base/dd.c:799 driver_probe_device+0x54/0x3f0 drivers/base/dd.c:829 __device_attach_driver+0x2f1/0x4b0 drivers/base/dd.c:957 bus_for_each_drv+0x260/0x2f0 drivers/base/bus.c:459 __device_attach+0x2bd/0x3a0 drivers/base/dd.c:1029 device_initial_probe+0x1e/0x30 drivers/base/dd.c:1078 bus_probe_device+0x18b/0x270 drivers/base/bus.c:534 device_add+0x80c/0xc00 drivers/base/core.c:3692 usb_set_configuration+0x1ad4/0x20b0 drivers/usb/core/message.c:2210 usb_generic_driver_probe+0x95/0x160 drivers/usb/core/generic.c:254 usb_probe_device+0x1d4/0x380 drivers/usb/core/driver.c:294 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x2d3/0x890 drivers/base/dd.c:657 __driver_probe_device+0x198/0x280 drivers/base/dd.c:799 driver_probe_device+0x54/0x3f0 drivers/base/dd.c:829 __device_attach_driver+0x2f1/0x4b0 drivers/base/dd.c:957 bus_for_each_drv+0x260/0x2f0 drivers/base/bus.c:459 __device_attach+0x2bd/0x3a0 drivers/base/dd.c:1029 device_initial_probe+0x1e/0x30 drivers/base/dd.c:1078 bus_probe_device+0x18b/0x270 drivers/base/bus.c:534 device_add+0x80c/0xc00 drivers/base/core.c:3692 usb_new_device+0x9ed/0x1590 drivers/usb/core/hub.c:2662 hub_port_connect drivers/usb/core/hub.c:5533 [inline] hub_port_connect_change drivers/usb/core/hub.c:5673 [inline] port_event drivers/usb/core/hub.c:5833 [inline] hub_event+0x265b/0x41a0 drivers/usb/core/hub.c:5915 process_one_work kernel/workqueue.c:3238 [inline] process_scheduled_works+0x7d2/0x1020 kernel/workqueue.c:3319 worker_thread+0xc58/0x1250 kernel/workqueue.c:3400 kthread+0x2ca/0x370 kernel/kthread.c:389 ret_from_fork+0x64/0xa0 arch/x86/kernel/process.c:153 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 The buggy address belongs to the object at ffff88811e4be480 which belongs to the cache kmalloc-8 of size 8 The buggy address is located 1 bytes inside of allocated 7-byte region [ffff88811e4be480, ffff88811e4be487) The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11e4be flags: 0x4000000000000000(zone=1) page_type: f5(slab) raw: 4000000000000000 ffff888100041500 dead000000000122 0000000000000000 raw: 0000000000000000 0000000080800080 00000001f5000000 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 0, migratetype Unmovable, gfp_mask 0x52cc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 145, tgid 145 (dhcpcd), ts 7524742718, free_ts 0 set_page_owner include/linux/page_owner.h:35 [inline] post_alloc_hook+0x3b9/0x3f0 mm/page_alloc.c:1795 prep_new_page+0x1c/0x120 mm/page_alloc.c:1803 get_page_from_freelist+0x46bb/0x4750 mm/page_alloc.c:3854 __alloc_pages_noprof+0x30d/0x6c0 mm/page_alloc.c:5186 alloc_slab_page+0x6b/0x1f0 mm/slub.c:-1 allocate_slab+0x69/0x440 mm/slub.c:2655 new_slab mm/slub.c:2709 [inline] ___slab_alloc+0x59a/0x8b0 mm/slub.c:3897 __slab_alloc mm/slub.c:3987 [inline] __slab_alloc_node mm/slub.c:4040 [inline] slab_alloc_node mm/slub.c:4201 [inline] __do_kmalloc_node mm/slub.c:4346 [inline] __kmalloc_node_noprof+0x23e/0x450 mm/slub.c:4353 kmalloc_node_noprof include/linux/slab.h:908 [inline] __vmalloc_area_node mm/vmalloc.c:3652 [inline] __vmalloc_node_range_noprof+0x544/0x1420 mm/vmalloc.c:3856 __vmalloc_node_noprof mm/vmalloc.c:3927 [inline] __vmalloc_noprof+0xfe/0x1d0 mm/vmalloc.c:3941 bpf_prog_alloc_no_stats+0x67/0x7a0 kernel/bpf/core.c:113 bpf_prog_alloc+0x44/0x230 kernel/bpf/core.c:155 bpf_prog_create_from_user+0xac/0x2c0 net/core/filter.c:1436 seccomp_prepare_filter kernel/seccomp.c:693 [inline] seccomp_prepare_user_filter kernel/seccomp.c:730 [inline] seccomp_set_mode_filter kernel/seccomp.c:1965 [inline] do_seccomp+0x7bd/0xee0 kernel/seccomp.c:2085 prctl_set_seccomp+0x50/0x80 kernel/seccomp.c:2138 __do_sys_prctl kernel/sys.c:2558 [inline] __se_sys_prctl+0x2e4/0x1460 kernel/sys.c:2476 page_owner free stack trace missing Memory state around the buggy address: ffff88811e4be380: fa fc fc fc fa fc fc fc 04 fc fc fc fc fc fc fc ffff88811e4be400: fa fc fc fc 04 fc fc fc fc fc fc fc fc fc fc fc >ffff88811e4be480: 07 fc fc fc fc fc fc fc fa fc fc fc fa fc fc fc ^ ffff88811e4be500: fa fc fc fc fa fc fc fc fc fc fc fc fc fc fc fc
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2025/07/01 19:27 | android16-6.12 | 648383294760 | 091a06cd | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event | |
| 2025/06/30 23:22 | android16-6.12 | 668635cd345a | 6e83b42d | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event | |
| 2025/06/30 15:51 | android16-6.12 | 1493f0937f6d | fc9d8ee5 | .config | strace log | report | syz / log | C | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event | |
| 2025/06/30 20:44 | android16-6.12 | 668635cd345a | 6e83b42d | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event | ||
| 2025/06/30 20:14 | android16-6.12 | 668635cd345a | 6e83b42d | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event | ||
| 2025/06/30 15:10 | android16-6.12 | 1493f0937f6d | fc9d8ee5 | .config | console log | report | syz / log | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event | ||
| 2025/07/03 16:10 | android16-6.12 | 06ca12d7d229 | 115ceea7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event | ||
| 2025/07/03 10:42 | android16-6.12 | 06ca12d7d229 | 115ceea7 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event | ||
| 2025/06/30 03:23 | android16-6.12 | 68f4f0b0690a | fc9d8ee5 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event | ||
| 2025/06/29 20:20 | android16-6.12 | 68f4f0b0690a | fc9d8ee5 | .config | console log | report | info | [disk image] [vmlinux] [kernel image] | ci2-android-6-12-rust | KASAN: slab-out-of-bounds Read in mon_bin_event |