syzbot
UBSAN: array-index-out-of-bounds in steelseries_remove

Status: premoderation: reported on 2026/06/08 15:56
Reported-by: syzbot+aa2517aaa552688c27e8@syzkaller.appspotmail.com
First crash: 7d06h, last: 7d06h

Sample crash report:
steelseries 0003:1038:1410.001C: unknown main item tag 0x0
steelseries 0003:1038:1410.001C: hidraw0: USB HID vff.7f Device [HID 1038:1410] on usb-dummy_hcd.4-1/input0
steelseries 0003:1038:1410.001C: implement() called with too large value 64 (n: 0)! (kworker/1:1)
usb 5-1: USB disconnect, device number 63
------------[ cut here ]------------
UBSAN: array-index-out-of-bounds in kernel/locking/qspinlock.c:131:9
index 1790 is out of range for type 'unsigned long[8]'
CPU: 1 UID: 0 PID: 45 Comm: kworker/1:1 Not tainted syzkaller #0 a1c00a42264c961a6d41d2b1b5aa50459b7aff2e
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack+0x21/0x30 lib/dump_stack.c:94
 dump_stack_lvl+0x140/0x1c0 lib/dump_stack.c:120
 dump_stack+0x19/0x20 lib/dump_stack.c:129
 ubsan_epilogue+0xe/0x40 lib/ubsan.c:231
 __ubsan_handle_out_of_bounds+0xe8/0xf0 lib/ubsan.c:429
 decode_tail kernel/locking/qspinlock.c:131 [inline]
 __pv_queued_spin_lock_slowpath+0xbfa/0xe90 kernel/locking/qspinlock.c:468
 pv_queued_spin_lock_slowpath arch/x86/include/asm/paravirt.h:584 [inline]
 queued_spin_lock_slowpath arch/x86/include/asm/qspinlock.h:51 [inline]
 queued_spin_lock include/asm-generic/qspinlock.h:114 [inline]
 do_raw_spin_lock include/linux/spinlock.h:187 [inline]
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:111 [inline]
 _raw_spin_lock_irqsave+0x153/0x160 kernel/locking/spinlock.c:162
 steelseries_remove+0x85/0x180 drivers/hid/hid-steelseries.c:564
 hid_device_remove+0x288/0x3f0 drivers/hid/hid-core.c:-1
 device_remove drivers/base/dd.c:567 [inline]
 __device_release_driver drivers/base/dd.c:1272 [inline]
 device_release_driver_internal+0x45f/0x790 drivers/base/dd.c:1295
 device_release_driver+0x1d/0x30 drivers/base/dd.c:1318
 bus_remove_device+0x359/0x380 drivers/base/bus.c:576
 device_del+0x581/0xd00 drivers/base/core.c:3881
 hid_remove_device drivers/hid/hid-core.c:2943 [inline]
 hid_destroy_device+0x6e/0x110 drivers/hid/hid-core.c:2963
 usbhid_disconnect+0xa3/0xc0 drivers/hid/usbhid/hid-core.c:1477
 usb_unbind_interface+0x2a7/0xa30 drivers/usb/core/driver.c:462
 device_remove drivers/base/dd.c:569 [inline]
 __device_release_driver drivers/base/dd.c:1272 [inline]
 device_release_driver_internal+0x4c2/0x790 drivers/base/dd.c:1295
 device_release_driver+0x1d/0x30 drivers/base/dd.c:1318
 bus_remove_device+0x359/0x380 drivers/base/bus.c:576
 device_del+0x581/0xd00 drivers/base/core.c:3881
 usb_disable_device+0x3af/0x770 drivers/usb/core/message.c:1476
 usb_disconnect+0x322/0x930 drivers/usb/core/hub.c:2353
 hub_port_connect drivers/usb/core/hub.c:5414 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5714 [inline]
 port_event drivers/usb/core/hub.c:5878 [inline]
 hub_event+0x1c7a/0x4700 drivers/usb/core/hub.c:5960
 process_one_work kernel/workqueue.c:3261 [inline]
 process_scheduled_works+0x7d4/0x1020 kernel/workqueue.c:3342
 worker_thread+0xc51/0x1370 kernel/workqueue.c:3423
 kthread+0x2c9/0x370 kernel/kthread.c:389
 ret_from_fork+0x67/0xa0 arch/x86/kernel/process.c:153
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
---[ end trace ]---

Crashes (1):
  Time:       2026/06/08 15:55
  Kernel:     android16-6.12
  Commit:     b31795d3d788
  Syzkaller:  656e94c6
  Config:     .config
  Log:        console log
  Report:     report
  VM info:    info
  Assets:     [disk image] [vmlinux] [kernel image]
  Manager:    ci2-android-6-12-rust
  Title:      UBSAN: array-index-out-of-bounds in steelseries_remove