syzbot

 sign-in | mailing list | source | docs
🐞 Open [1227]
Subsystems
🐞 Fixed [5639]
🐞 Invalid [13738]
Missing Backports [100]
Kernel Health Bugs/Month Bug Lifetimes Fuzzing Crashes
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: use-after-free Read in em28xx_close_extension (2)

Status: upstream: reported C repro on 2024/09/19 15:00
Subsystems: media
[Documentation on labels]
Reported-by: syzbot+a11c46f37ee083a73deb@syzkaller.appspotmail.com
First crash: 5d09h, last: 5d06h
Discussions (1)
Title Replies (including bot) Last reply
[syzbot] [media?] KASAN: use-after-free Read in em28xx_close_extension (2) 2 (5) 2024/09/20 23:19
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in em28xx_close_extension usb media C done done 20 962d 1164d 0/28 auto-obsoleted due to no activity on 2022/09/30 12:26
Last patch testing requests (2)
Created Duration User Patch Repo Result
2024/09/20 23:00 17m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing OK log
2024/09/20 11:28 13m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log

Sample crash report:
list_del corruption. next->prev should be ffff888112424250, but was 0000000000000000. (next=ffff888112acc250)
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:65!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 42 Comm: kworker/0:2 Not tainted 6.11.0-rc7-syzkaller-00152-g68d4209158f4 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_del_entry_valid_or_report+0x141/0x1c0 lib/list_debug.c:65
Code: e1 fe 90 0f 0b 48 89 c2 48 c7 c7 a0 9e 46 87 e8 05 b1 e1 fe 90 0f 0b 48 89 d1 48 c7 c7 20 9f 46 87 48 89 c2 e8 f0 b0 e1 fe 90 <0f> 0b 48 89 34 24 e8 d4 2e 57 ff 48 8b 34 24 e9 d5 fe ff ff 48 89
RSP: 0018:ffffc900004d76f0 EFLAGS: 00010282
RAX: 000000000000006d RBX: ffffffff89df37a0 RCX: ffffffff813560b9
RDX: 0000000000000000 RSI: ffffffff8135f4f6 RDI: 0000000000000005
RBP: ffff888112424250 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000
R13: ffff888112424000 R14: ffffffff89e0d908 R15: ffff888121f0c000
FS:  0000000000000000(0000) GS:ffff8881f5800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055853d6842e0 CR3: 0000000111614000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del include/linux/list.h:229 [inline]
 em28xx_close_extension+0x10e/0x2b0 drivers/media/usb/em28xx/em28xx-core.c:1137
 em28xx_usb_disconnect+0x19d/0x610 drivers/media/usb/em28xx/em28xx-cards.c:4197
 usb_unbind_interface+0x1e8/0x970 drivers/usb/core/driver.c:461
 device_remove drivers/base/dd.c:568 [inline]
 device_remove+0x122/0x170 drivers/base/dd.c:560
 __device_release_driver drivers/base/dd.c:1272 [inline]
 device_release_driver_internal+0x44a/0x610 drivers/base/dd.c:1295
 bus_remove_device+0x22f/0x420 drivers/base/bus.c:574
 device_del+0x396/0x9f0 drivers/base/core.c:3871
 usb_disable_device+0x36c/0x7f0 drivers/usb/core/message.c:1418
 usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2304
 hub_port_connect drivers/usb/core/hub.c:5361 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5661 [inline]
 port_event drivers/usb/core/hub.c:5821 [inline]
 hub_event+0x1bed/0x4f40 drivers/usb/core/hub.c:5903
 process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
 process_scheduled_works kernel/workqueue.c:3312 [inline]
 worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
 kthread+0x2c1/0x3a0 kernel/kthread.c:389
 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid_or_report+0x141/0x1c0 lib/list_debug.c:65
Code: e1 fe 90 0f 0b 48 89 c2 48 c7 c7 a0 9e 46 87 e8 05 b1 e1 fe 90 0f 0b 48 89 d1 48 c7 c7 20 9f 46 87 48 89 c2 e8 f0 b0 e1 fe 90 <0f> 0b 48 89 34 24 e8 d4 2e 57 ff 48 8b 34 24 e9 d5 fe ff ff 48 89
RSP: 0018:ffffc900004d76f0 EFLAGS: 00010282
RAX: 000000000000006d RBX: ffffffff89df37a0 RCX: ffffffff813560b9
RDX: 0000000000000000 RSI: ffffffff8135f4f6 RDI: 0000000000000005
RBP: ffff888112424250 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: dffffc0000000000
R13: ffff888112424000 R14: ffffffff89e0d908 R15: ffff888121f0c000
FS:  0000000000000000(0000) GS:ffff8881f5800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055853d6842e0 CR3: 0000000111614000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (3):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2024/09/15 18:22 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 68d4209158f4 08d8a733 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-upstream-usb BUG: corrupted list in em28xx_close_extension
2024/09/15 15:01 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 68d4209158f4 08d8a733 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb KASAN: use-after-free Read in em28xx_close_extension
2024/09/15 14:57 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 68d4209158f4 08d8a733 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb KASAN: use-after-free Read in em28xx_close_extension
* Struck through repros no longer work on HEAD.