==================================================================
BUG: KASAN: slab-use-after-free in snd_usbmidi_error_timer+0x359/0x410 sound/usb/midi.c:355
Read of size 8 at addr ffff8880ad713410 by task modprobe/23705
CPU: 0 UID: 0 PID: 23705 Comm: modprobe Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/18/2025
Call Trace:
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xcd/0x630 mm/kasan/report.c:482
 kasan_report+0xe0/0x110 mm/kasan/report.c:595
 snd_usbmidi_error_timer+0x359/0x410 sound/usb/midi.c:355
 call_timer_fn+0x19a/0x620 kernel/time/timer.c:1747
 expire_timers kernel/time/timer.c:1798 [inline]
 __run_timers+0x6ef/0x960 kernel/time/timer.c:2372
 __run_timer_base kernel/time/timer.c:2384 [inline]
 __run_timer_base kernel/time/timer.c:2376 [inline]
 run_timer_base+0x114/0x190 kernel/time/timer.c:2393
 run_timer_softirq+0x1a/0x40 kernel/time/timer.c:2403
 handle_softirqs+0x219/0x8e0 kernel/softirq.c:579
 __do_softirq kernel/softirq.c:613 [inline]
 invoke_softirq kernel/softirq.c:453 [inline]
 __irq_exit_rcu+0x109/0x170 kernel/softirq.c:680
 irq_exit_rcu+0x9/0x30 kernel/softirq.c:696
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1050 [inline]
 sysvec_apic_timer_interrupt+0xa4/0xc0 arch/x86/kernel/apic/apic.c:1050
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:152 [inline]
RIP: 0010:_raw_spin_unlock_irqrestore+0x31/0x80 kernel/locking/spinlock.c:194
Code: f5 53 48 8b 74 24 10 48 89 fb 48 83 c7 18 e8 66 2c 00 f6 48 89 df e8 4e 80 00 f6 f7 c5 00 02 00 00 75 23 9c 58 f6 c4 02 75 37 <bf> 01 00 00 00 e8 75 81 f0 f5 65 8b 05 9e 4c 3f 08 85 c0 74 16 5b
RSP: 0018:ffffc900058f75a0 EFLAGS: 00000246
RAX: 0000000000000006 RBX: ffffffff9afd0e08 RCX: ffffffff81c380af
RDX: 0000000000000000 RSI: ffffffff8de52fc1 RDI: ffffffff8c163380
RBP: 0000000000000202 R08: 0000000000000001 R09: 0000000000000001
R10: ffffffff90ab7697 R11: 0000000000000000 R12: 0000000000000001
R13: ffffffff9afd0e08 R14: 0000000000000188 R15: 0000000000000001
 spin_unlock_irqrestore include/linux/spinlock.h:406 [inline]
 avc_reclaim_node security/selinux/avc.c:488 [inline]
 avc_alloc_node+0x420/0x6a0 security/selinux/avc.c:507
 avc_insert security/selinux/avc.c:618 [inline]
 avc_compute_av+0x100/0x7f0 security/selinux/avc.c:993
 avc_perm_nonode+0xab/0x180 security/selinux/avc.c:1117
 avc_has_perm_noaudit+0x2de/0x3b0 security/selinux/avc.c:1160
 avc_has_perm+0xbe/0x1f0 security/selinux/avc.c:1195
 file_has_perm+0x1c8/0x350 security/selinux/hooks.c:1760
 file_map_prot_check+0x24e/0x360 security/selinux/hooks.c:3949
 selinux_mmap_file+0x143/0x1b0 security/selinux/hooks.c:3985
 security_mmap_file+0x82a/0x990 security/security.c:3012
 vm_mmap_pgoff+0xec/0x470 mm/util.c:574
 vm_mmap+0x8e/0xc0 mm/util.c:616
 elf_map fs/binfmt_elf.c:384 [inline]
 elf_load+0x36d/0x780 fs/binfmt_elf.c:407
 load_elf_interp fs/binfmt_elf.c:674 [inline]
 load_elf_binary+0x37a6/0x4fe0 fs/binfmt_elf.c:1239
 search_binary_handler fs/exec.c:1670 [inline]
 exec_binprm fs/exec.c:1702 [inline]
 bprm_execve fs/exec.c:1754 [inline]
 bprm_execve+0x8be/0x1640 fs/exec.c:1730
 kernel_execve+0x2ef/0x3b0 fs/exec.c:1920
 call_usermodehelper_exec_async+0x255/0x4c0 kernel/umh.c:109
 ret_from_fork+0x56a/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Allocated by task 21777:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 poison_kmalloc_redzone mm/kasan/common.c:388 [inline]
 __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:405
 kmalloc_noprof include/linux/slab.h:905 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 snd_usbmidi_in_endpoint_create+0x8c/0xa70 sound/usb/midi.c:1342
 snd_usbmidi_create_endpoints_midiman+0x4c4/0xaf0 sound/usb/midi.c:2363
 __snd_usbmidi_create+0x14a4/0x1e90 sound/usb/midi.c:2646
 snd_usb_midi_v2_create+0x1ad/0x42d0 sound/usb/midi2.c:1178
 snd_usb_create_quirk+0xad/0x140 sound/usb/quirks.c:541
 usb_audio_probe+0x7f7/0x3cf0 sound/usb/card.c:976
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:463
 ret_from_fork+0x56a/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Freed by task 21777:
 kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
 kasan_save_track+0x14/0x30 mm/kasan/common.c:68
 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:576
 poison_slab_object mm/kasan/common.c:243 [inline]
 __kasan_slab_free+0x60/0x70 mm/kasan/common.c:275
 kasan_slab_free include/linux/kasan.h:233 [inline]
 slab_free_hook mm/slub.c:2422 [inline]
 slab_free mm/slub.c:4695 [inline]
 kfree+0x2b4/0x4d0 mm/slub.c:4894
 snd_usbmidi_free sound/usb/midi.c:1530 [inline]
 snd_usbmidi_rawmidi_free+0xb3/0x130 sound/usb/midi.c:1591
 snd_rawmidi_free.part.0+0x398/0x560 sound/core/rawmidi.c:1934
 snd_rawmidi_free sound/core/rawmidi.c:1923 [inline]
 snd_rawmidi_dev_free+0x3e/0x60 sound/core/rawmidi.c:1945
 __snd_device_free+0x1a4/0x410 sound/core/device.c:76
 snd_device_free_all+0xf3/0x220 sound/core/device.c:233
 snd_card_do_free sound/core/init.c:587 [inline]
 release_card_device+0x77/0x1d0 sound/core/init.c:153
 device_release+0xa4/0x240 drivers/base/core.c:2565
 kobject_cleanup lib/kobject.c:689 [inline]
 kobject_release lib/kobject.c:720 [inline]
 kref_put include/linux/kref.h:65 [inline]
 kobject_put+0x1e7/0x5a0 lib/kobject.c:737
 put_device+0x1f/0x30 drivers/base/core.c:3797
 snd_card_free_when_closed sound/core/init.c:618 [inline]
 snd_card_free_when_closed sound/core/init.c:612 [inline]
 snd_card_free+0x11a/0x190 sound/core/init.c:650
 usb_audio_probe+0x1507/0x3cf0 sound/usb/card.c:1034
 usb_probe_interface+0x303/0xa40 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_set_configuration+0x1187/0x1e20 drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0xb1/0x110 drivers/usb/core/generic.c:250
 usb_probe_device+0xec/0x3e0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:581 [inline]
 really_probe+0x241/0xa90 drivers/base/dd.c:659
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:801
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:831
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:959
 bus_for_each_drv+0x159/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1031
 bus_probe_device+0x17f/0x1c0 drivers/base/bus.c:537
 device_add+0x1148/0x1aa0 drivers/base/core.c:3689
 usb_new_device+0xd07/0x1a60 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x2f34/0x4fe0 drivers/usb/core/hub.c:5952
 process_one_work+0x9cc/0x1b70 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
 kthread+0x3c2/0x780 kernel/kthread.c:463
 ret_from_fork+0x56a/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
The buggy address belongs to the object at ffff8880ad713400
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 16 bytes inside of
 freed 512-byte region [ffff8880ad713400, ffff8880ad713600)
The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xad710
head: order:2 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
anon flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801b841c80 0000000000000000 dead000000000001
raw: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000040 ffff88801b841c80 0000000000000000 dead000000000001
head: 0000000000000000 0000000000100010 00000000f5000000 0000000000000000
head: 00fff00000000002 ffffea0002b5c401 00000000ffffffff 00000000ffffffff
head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000004
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52820(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 8011, tgid 8011 (kworker/u8:14), ts 497590305548, free_ts 491381013875
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1851
 prep_new_page mm/page_alloc.c:1859 [inline]
 get_page_from_freelist+0x132b/0x38e0 mm/page_alloc.c:3858
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:5148
 alloc_pages_mpol+0x1fb/0x550 mm/mempolicy.c:2416
 alloc_slab_page mm/slub.c:2492 [inline]
 allocate_slab mm/slub.c:2660 [inline]
 new_slab+0x247/0x330 mm/slub.c:2714
 ___slab_alloc+0xcf2/0x1750 mm/slub.c:3901
 __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3992
 __slab_alloc_node mm/slub.c:4067 [inline]
 slab_alloc_node mm/slub.c:4228 [inline]
 __do_kmalloc_node mm/slub.c:4375 [inline]
 __kmalloc_noprof+0x2f2/0x510 mm/slub.c:4388
 kmalloc_noprof include/linux/slab.h:909 [inline]
 kzalloc_noprof include/linux/slab.h:1039 [inline]
 fib6_info_alloc+0x40/0x160 net/ipv6/ip6_fib.c:155
 ip6_route_info_create+0x14c/0x870 net/ipv6/route.c:3811
 ip6_route_add.part.0+0x22/0x1d0 net/ipv6/route.c:3940
 ip6_route_add+0x45/0x60 net/ipv6/route.c:3937
 addrconf_prefix_route+0x2fd/0x510 net/ipv6/addrconf.c:2488
 addrconf_add_linklocal+0x329/0x500 net/ipv6/addrconf.c:3313
 addrconf_addr_gen+0x364/0x3b0 net/ipv6/addrconf.c:3442
 addrconf_dev_config net/ipv6/addrconf.c:3489 [inline]
 addrconf_init_auto_addrs+0x2ba/0x810 net/ipv6/addrconf.c:3567
page last free pid 5186 tgid 5186 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1395 [inline]
 __free_frozen_pages+0x7d5/0x10f0 mm/page_alloc.c:2895
 discard_slab mm/slub.c:2758 [inline]
 __put_partials+0x165/0x1c0 mm/slub.c:3223
 qlink_free mm/kasan/quarantine.c:163 [inline]
 qlist_free_all+0x4d/0x120 mm/kasan/quarantine.c:179
 kasan_quarantine_reduce+0x195/0x1e0 mm/kasan/quarantine.c:286
 __kasan_slab_alloc+0x69/0x90 mm/kasan/common.c:340
 kasan_slab_alloc include/linux/kasan.h:250 [inline]
 slab_post_alloc_hook mm/slub.c:4191 [inline]
 slab_alloc_node mm/slub.c:4240 [inline]
 kmem_cache_alloc_noprof+0x1cb/0x3b0 mm/slub.c:4247
 alloc_buffer_head+0x21/0x160 fs/buffer.c:3025
 folio_alloc_buffers+0x2b5/0x6c0 fs/buffer.c:935
 grow_dev_folio fs/buffer.c:1075 [inline]
 grow_buffers fs/buffer.c:1116 [inline]
 __getblk_slow+0x1f4/0x560 fs/buffer.c:1134
 bdev_getblk+0xd4/0xe0 fs/buffer.c:1461
 __getblk include/linux/buffer_head.h:380 [inline]
 jbd2_journal_get_descriptor_buffer+0x176/0x4c0 fs/jbd2/journal.c:976
 jbd2_journal_commit_transaction+0x2102/0x68f0 fs/jbd2/commit.c:610
 kjournald2+0x1f4/0x760 fs/jbd2/journal.c:201
 kthread+0x3c2/0x780 kernel/kthread.c:463
 ret_from_fork+0x56a/0x730 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Memory state around the buggy address:
 ffff8880ad713300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880ad713380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880ad713400: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff8880ad713480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880ad713500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
----------------
Code disassembly (best guess):
   0:   f5                      cmc
   1:   53                      push   %rbx
   2:   48 8b 74 24 10          mov    0x10(%rsp),%rsi
   7:   48 89 fb                mov    %rdi,%rbx
   a:   48 83 c7 18             add    $0x18,%rdi
   e:   e8 66 2c 00 f6          call   0xf6002c79
  13:   48 89 df                mov    %rbx,%rdi
  16:   e8 4e 80 00 f6          call   0xf6008069
  1b:   f7 c5 00 02 00 00       test   $0x200,%ebp
  21:   75 23                   jne    0x46
  23:   9c                      pushf
  24:   58                      pop    %rax
  25:   f6 c4 02                test   $0x2,%ah
  28:   75 37                   jne    0x61
* 2a:   bf 01 00 00 00          mov    $0x1,%edi <-- trapping instruction
  2f:   e8 75 81 f0 f5          call   0xf5f081a9
  34:   65 8b 05 9e 4c 3f 08    mov    %gs:0x83f4c9e(%rip),%eax        # 0x83f4cd9
  3b:   85 c0                   test   %eax,%eax
  3d:   74 16                   je     0x55
  3f:   5b                      pop    %rbx