[BUG] media: siano: WARNING in free_large_kmalloc from smsusb_term_device

[Shuangpeng Bai]

Hi,

I hit the following report while testing current upstream kernel:

WARNING in free_large_kmalloc from smsusb_term_device

I reproduced this on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The issue was reproduced with a Siano USB DVB raw gadget.

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/8e2dbdcbfc6362c50e18028dc5ecb810

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>

[  122.434215][  T776] WARNING: mm/slub.c:6476 at free_large_kmalloc+0x96/0xf0, CPU#0: kworker/0:2/776
[  122.434930][  T776] Modules linked in:
[  122.436062][  T776] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  122.436866][  T776] Workqueue: usb_hub_wq hub_event
[  122.437246][  T776] RIP: 0010:free_large_kmalloc (mm/slub.c:6491)
[  122.437623][  T776] Code: 8b 43 30 83 f8 ff 74 13 25 00 00 00 ff 3d 00 00 00 f8 75 55 c7 43 30 ff ff ff ff 48 89 df 44 89 f6 5b 41 5e 5d e9 ba f9 fc ff <0f> 0b 48 89 df 48 c7 c6 b0 ee 9c 8c 5b 41 5e 5d e9 45 df f0 ff 0f
[  122.438900][  T776] RSP: 0000:ffff88810cb373c0 EFLAGS: 00010206
[  122.439409][  T776] RAX: 00000000ff000000 RBX: ffffea00048cf880 RCX: 0000000000000028
[  122.440124][  T776] RDX: 0000000000000001 RSI: ffff8881233e2000 RDI: ffffea00048cf880
[  122.440674][  T776] RBP: ffff8881233e2000 R08: ffff8881187e4f03 R09: 1ffff110230fc9e0
[  122.441228][  T776] R10: dffffc0000000000 R11: ffffed10230fc9e1 R12: ffff888170006800
[  122.441817][  T776] R13: ffffffff90eec020 R14: 0000000000000000 R15: ffffffff86bdeb1c
[  122.442384][  T776] FS:  0000000000000000(0000) GS:ffff8882c5d34000(0000) knlGS:0000000000000000
[  122.443011][  T776] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  122.443485][  T776] CR2: 0000563ae7328600 CR3: 0000000169f46000 CR4: 00000000000006f0
[  122.444038][  T776] Call Trace:
[  122.444289][  T776]  <TASK>
[  122.444498][  T776]  kfree (mm/slub.c:6561)
[  122.445204][  T776]  usb_free_urb (drivers/usb/core/urb.c:25 include/linux/kref.h:65 drivers/usb/core/urb.c:96)
[  122.445513][  T776]  smsusb_term_device (drivers/media/usb/siano/smsusb.c:352)
[  122.445872][  T776]  usb_unbind_interface (drivers/usb/core/driver.c:458)
[  122.446999][  T776]  device_release_driver_internal (drivers/base/dd.c:621 drivers/base/dd.c:1352 drivers/base/dd.c:1375)
[  122.447444][  T776]  bus_remove_device (drivers/base/bus.c:657)
[  122.448591][  T776]  device_del (drivers/base/core.c:3895)
[  122.449952][  T776]  usb_disable_device (drivers/usb/core/message.c:1478)
[  122.450311][  T776]  usb_disconnect (drivers/usb/core/hub.c:2315)
[  122.450636][  T776]  hub_event (drivers/usb/core/hub.c:5407 drivers/usb/core/hub.c:5707 drivers/usb/core/hub.c:5871 drivers/usb/core/hub.c:5953)
[  122.453252][  T776]  process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[  122.453653][  T776]  worker_thread (kernel/workqueue.c:3478)
[  122.454355][  T776]  kthread (kernel/kthread.c:436)
[  122.455464][  T776]  ret_from_fork (arch/x86/kernel/process.c:158)
[  122.456865][  T776]  ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[  122.457222][  T776]  </TASK>
[  122.457452][  T776] Kernel panic - not syncing: kernel: panic_on_warn set ...
[  122.458826][  T776] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[  122.459672][  T776] Workqueue: usb_hub_wq hub_event
[  122.460034][  T776] Call Trace:
[  122.460284][  T776]  <TASK>
[  122.460501][  T776]  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[  122.460838][  T776]  vpanic (kernel/panic.c:650)
[  122.462244][  T776]  panic (kernel/panic.c:787)
[  122.463524][  T776]  __report_bug (lib/bug.c:246)
[  122.467504][  T776]  report_bug (lib/bug.c:278)
[  122.468548][  T776]  handle_bug (arch/x86/kernel/traps.c:436)
[  122.468865][  T776]  exc_invalid_op (arch/x86/kernel/traps.c:490)
[  122.469198][  T776]  asm_exc_invalid_op (arch/x86/include/asm/idtentry.h:616)
[  122.469558][  T776] RIP: 0010:free_large_kmalloc (mm/slub.c:6491)
[  122.469951][  T776] Code: 8b 43 30 83 f8 ff 74 13 25 00 00 00 ff 3d 00 00 00 f8 75 55 c7 43 30 ff ff ff ff 48 89 df 44 89 f6 5b 41 5e 5d e9 ba f9 fc ff <0f> 0b 48 89 df 48 c7 c6 b0 ee 9c 8c 5b 41 5e 5d e9 45 df f0 ff 0f
[  122.471301][  T776] RSP: 0000:ffff88810cb373c0 EFLAGS: 00010206
[  122.471724][  T776] RAX: 00000000ff000000 RBX: ffffea00048cf880 RCX: 0000000000000028
[  122.472283][  T776] RDX: 0000000000000001 RSI: ffff8881233e2000 RDI: ffffea00048cf880
[  122.472849][  T776] RBP: ffff8881233e2000 R08: ffff8881187e4f03 R09: 1ffff110230fc9e0
[  122.473431][  T776] R10: dffffc0000000000 R11: ffffed10230fc9e1 R12: ffff888170006800
[  122.474003][  T776] R13: ffffffff90eec020 R14: 0000000000000000 R15: ffffffff86bdeb1c
[  122.474904][  T776]  kfree (mm/slub.c:6561)
[  122.475616][  T776]  usb_free_urb (drivers/usb/core/urb.c:25 include/linux/kref.h:65 drivers/usb/core/urb.c:96)
[  122.475927][  T776]  smsusb_term_device (drivers/media/usb/siano/smsusb.c:352)
[  122.476283][  T776]  usb_unbind_interface (drivers/usb/core/driver.c:458)


Best,
Shuangpeng