syzbot

KASAN: use-after-free Read in em28xx_close_extension (2)

Status: upstream: reported C repro on 2024/09/19 15:00
Subsystems: usb media
Reported-by: syzbot+a11c46f37ee083a73deb@syzkaller.appspotmail.com
First crash: 284d, last: 5d16h
Cause bisection: failed (error log, bisect log)
  
Discussions (4)
Title Replies (including bot) Last reply
[syzbot] Monthly media report (Jun 2025) 0 (1) 2025/06/24 13:52
[syzbot] Monthly media report (Feb 2025) 0 (1) 2025/02/19 12:35
[syzbot] Monthly media report (Dec 2024) 0 (1) 2024/12/19 18:40
[syzbot] [media?] KASAN: use-after-free Read in em28xx_close_extension (2) 2 (5) 2024/09/20 23:19
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in em28xx_close_extension usb media C done done 20 1242d 1443d 0/29 auto-obsoleted due to no activity on 2022/09/30 12:26
Last patch testing requests (11)
Created Duration User Patch Repo Result
2025/06/21 16:33 11m retest repro upstream report log
2025/06/21 16:33 11m retest repro upstream report log
2025/06/21 16:33 12m retest repro upstream report log
2025/05/26 10:35 17m retest repro upstream report log
2025/05/26 10:35 17m retest repro upstream report log
2025/04/29 03:24 11m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2025/02/17 15:18 27m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2024/12/09 14:55 9m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2024/09/29 18:55 8m retest repro https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log
2024/09/20 23:00 17m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing OK log
2024/09/20 11:28 13m hdanton@sina.com patch https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing report log

Sample crash report:
usb 8-1: USB disconnect, device number 2
em28xx 8-1:0.0: Disconnecting em28xx #5
em28xx 8-1:0.0: Disconnecting em28xx
==================================================================
BUG: KASAN: use-after-free in __list_del_entry_valid_or_report+0x1d4/0x200 lib/list_debug.c:62
Read of size 8 at addr ffff888034bc4250 by task kworker/0:1/10

CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Not tainted 6.15.0-syzkaller-13655-gbdc7f8c5adad #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:94 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:408 [inline]
 print_report+0xcd/0x680 mm/kasan/report.c:521
 kasan_report+0xe0/0x110 mm/kasan/report.c:634
 __list_del_entry_valid_or_report+0x1d4/0x200 lib/list_debug.c:62
 __list_del_entry_valid include/linux/list.h:124 [inline]
 __list_del_entry include/linux/list.h:215 [inline]
 list_del include/linux/list.h:229 [inline]
 em28xx_close_extension+0x10b/0x2b0 drivers/media/usb/em28xx/em28xx-core.c:1137
 em28xx_usb_disconnect+0x19d/0x610 drivers/media/usb/em28xx/em28xx-cards.c:4197
 usb_unbind_interface+0x1da/0x9a0 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:569 [inline]
 device_remove+0x125/0x170 drivers/base/dd.c:561
 __device_release_driver drivers/base/dd.c:1272 [inline]
 device_release_driver_internal+0x44b/0x620 drivers/base/dd.c:1295
 bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
 device_del+0x396/0x9f0 drivers/base/core.c:3881
 usb_disable_device+0x355/0x7d0 drivers/usb/core/message.c:1418
 usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2316
 hub_port_connect drivers/usb/core/hub.c:5375 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
 port_event drivers/usb/core/hub.c:5835 [inline]
 hub_event+0x1c57/0x4fa0 drivers/usb/core/hub.c:5917
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c5/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff888034bc7a80 pfn:0x34bc4
flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000000 ffffea0001144608 ffffea0000a38208 0000000000000000
raw: ffff888034bc7a80 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 2, migratetype Unmovable, gfp_mask 0x40cc0(GFP_KERNEL|__GFP_COMP), pid 6007, tgid 6007 (kworker/2:4), ts 49041146747, free_ts 49461643565
 set_page_owner include/linux/page_owner.h:32 [inline]
 post_alloc_hook+0x1c0/0x230 mm/page_alloc.c:1704
 prep_new_page mm/page_alloc.c:1712 [inline]
 get_page_from_freelist+0x1321/0x3890 mm/page_alloc.c:3669
 __alloc_frozen_pages_noprof+0x261/0x23f0 mm/page_alloc.c:4959
 __alloc_pages_noprof+0xb/0x1b0 mm/page_alloc.c:4993
 __alloc_pages_node_noprof include/linux/gfp.h:284 [inline]
 alloc_pages_node_noprof include/linux/gfp.h:311 [inline]
 ___kmalloc_large_node+0x84/0x1e0 mm/slub.c:4272
 __kmalloc_large_node_noprof+0x1c/0x70 mm/slub.c:4300
 __do_kmalloc_node mm/slub.c:4316 [inline]
 __kmalloc_node_track_caller_noprof.cold+0x5/0x5e mm/slub.c:4347
 kmemdup_noprof+0x29/0x60 mm/util.c:137
 kmemdup_noprof include/linux/fortify-string.h:765 [inline]
 em28xx_duplicate_dev drivers/media/usb/em28xx/em28xx-cards.c:3732 [inline]
 em28xx_usb_probe+0x16dc/0x3770 drivers/media/usb/em28xx/em28xx-cards.c:4082
 usb_probe_interface+0x303/0x9c0 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:579 [inline]
 really_probe+0x23e/0xa90 drivers/base/dd.c:657
 __driver_probe_device+0x1de/0x440 drivers/base/dd.c:799
 driver_probe_device+0x4c/0x1b0 drivers/base/dd.c:829
 __device_attach_driver+0x1df/0x310 drivers/base/dd.c:957
 bus_for_each_drv+0x156/0x1e0 drivers/base/bus.c:462
 __device_attach+0x1e4/0x4b0 drivers/base/dd.c:1029
page last free pid 6007 tgid 6007 stack trace:
 reset_page_owner include/linux/page_owner.h:25 [inline]
 free_pages_prepare mm/page_alloc.c:1248 [inline]
 __free_frozen_pages+0x7fe/0x1180 mm/page_alloc.c:2706
 __folio_put+0x329/0x450 mm/swap.c:112
 em28xx_free_device drivers/media/usb/em28xx/em28xx-cards.c:3566 [inline]
 kref_put include/linux/kref.h:65 [inline]
 em28xx_usb_disconnect+0x4e0/0x610 drivers/media/usb/em28xx/em28xx-cards.c:4204
 usb_unbind_interface+0x1da/0x9a0 drivers/usb/core/driver.c:458
 device_remove drivers/base/dd.c:569 [inline]
 device_remove+0x125/0x170 drivers/base/dd.c:561
 __device_release_driver drivers/base/dd.c:1272 [inline]
 device_release_driver_internal+0x44b/0x620 drivers/base/dd.c:1295
 bus_remove_device+0x22f/0x420 drivers/base/bus.c:579
 device_del+0x396/0x9f0 drivers/base/core.c:3881
 usb_disable_device+0x355/0x7d0 drivers/usb/core/message.c:1418
 usb_disconnect+0x2e1/0x920 drivers/usb/core/hub.c:2316
 hub_port_connect drivers/usb/core/hub.c:5375 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5675 [inline]
 port_event drivers/usb/core/hub.c:5835 [inline]
 hub_event+0x1c57/0x4fa0 drivers/usb/core/hub.c:5917
 process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x6c8/0xf10 kernel/workqueue.c:3402
 kthread+0x3c5/0x780 kernel/kthread.c:464
 ret_from_fork+0x5d4/0x6f0 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

Memory state around the buggy address:
 ffff888034bc4100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888034bc4180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888034bc4200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff888034bc4280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888034bc4300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (9):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2025/06/07 15:41 upstream bdc7f8c5adad 4826c28e .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: use-after-free Read in em28xx_close_extension
2025/06/07 12:07 upstream bdc7f8c5adad 4826c28e .config console log report syz / log C [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream KASAN: use-after-free Read in em28xx_close_extension
2025/05/12 06:44 upstream cd802e7e5f1e 77908e5f .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce BUG: corrupted list in em28xx_close_extension
2024/09/15 18:22 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 68d4209158f4 08d8a733 .config console log report syz / log C [disk image] [vmlinux] [kernel image] ci2-upstream-usb BUG: corrupted list in em28xx_close_extension
2025/05/12 05:53 upstream cd802e7e5f1e 77908e5f .config console log report syz / log [disk image] [vmlinux] [kernel image] ci-upstream-kasan-gce BUG: corrupted list in em28xx_close_extension
2025/06/07 16:15 upstream bdc7f8c5adad 4826c28e .config console log report syz / log [disk image (non-bootable)] [vmlinux] [kernel image] ci-qemu-upstream BUG: corrupted list in em28xx_close_extension
2024/11/15 02:00 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing d6fa15bbcf96 a8c99394 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb KASAN: use-after-free Read in em28xx_close_extension
2024/09/15 15:01 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 68d4209158f4 08d8a733 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb KASAN: use-after-free Read in em28xx_close_extension
2024/09/15 14:57 https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing 68d4209158f4 08d8a733 .config console log report info [disk image] [vmlinux] [kernel image] ci2-upstream-usb KASAN: use-after-free Read in em28xx_close_extension