syzbot

BUG: corrupted list in em28xx_init_extension

Status: fixed on 2022/03/08 16:11
Reported-by: syzbot+a6969ef522a36d3344c9@syzkaller.appspotmail.com
Fix commit: 2c98b8a3458d media: em28xx: add missing em28xx_close_extension
First crash: 1042d, last: 497d

Cause bisection: failed (bisect log)
duplicates (3):
Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
BUG: corrupted list in corrupted (3) | C | | | 1 | 893d | 889d | 0/24 | closed as dup on 2020/06/24 12:45
WARNING in em28xx_init_extension | C | | | 4 | 1117d | 1159d | 0/24 | closed as dup on 2020/03/09 15:24
KASAN: use-after-free Read in em28xx_init_extension | C | | | 6 | 459d | 1164d | 0/24 | closed as dup on 2020/03/09 15:23
similar bugs (2):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: use-after-free Read in em28xx_init_extension (2) | C | | | 1 | 91d | 245d | 0/24 | upstream: reported C repro on 2022/03/30 17:36
upstream | KASAN: use-after-free Read in em28xx_init_extension | C | | | 6 | 459d | 1164d | 0/24 | closed as dup on 2020/03/09 15:23
Patch testing requests:
Created | Duration | User | Patch | Repo | Result
2021/07/29 17:38 | 19m | paskripkin@gmail.com | patch | upstream | OK
2021/07/21 12:26 | 38m | paskripkin@gmail.com | patch | upstream | OK
2021/07/06 13:55 | 19m | mudongliangabcd@gmail.com | | upstream | error

Sample crash report:
em28xx 1-1:0.108: Audio interface 108 found (Vendor Class)
em28xx 1-1:0.108: unknown em28xx chip ID (0)
em28xx 1-1:0.108: Config register raw data: 0xfffffffb
em28xx 1-1:0.108: AC97 chip type couldn't be determined
em28xx 1-1:0.108: No AC97 audio processor
list_add corruption. prev->next should be next (ffffffff8d430ee0), but was ffffffff85ca68b8. (prev=ffff88801cdc4250).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:28!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.14.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: usb_hub_wq hub_event
RIP: 0010:__list_add_valid+0xb6/0xc0 lib/list_debug.c:26
Code: 48 c7 c7 a0 79 93 8a 4c 89 e6 4c 89 f1 31 c0 e8 28 b3 5b fd 0f 0b 48 c7 c7 60 7a 93 8a 4c 89 f6 4c 89 e1 31 c0 e8 12 b3 5b fd <0f> 0b 0f 1f 84 00 00 00 00 00 41 57 41 56 41 54 53 49 89 fe 49 bc
RSP: 0018:ffffc90000ca66e8 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffffffff8d430ee8 RCX: de978ae683561100
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff81663b82 R09: ffffed1017389798
R10: ffffed1017389798 R11: 0000000000000000 R12: ffff88801cdc4250
R13: dffffc0000000000 R14: ffffffff8d430ee0 R15: ffff8880149bc250
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fdd3e5a6740 CR3: 000000002c61d000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __list_add include/linux/list.h:67 [inline]
 list_add_tail include/linux/list.h:100 [inline]
 em28xx_init_extension+0x52/0x1d0 drivers/media/usb/em28xx/em28xx-core.c:1123
 em28xx_init_dev+0x8e9/0x2b40 drivers/media/usb/em28xx/em28xx-cards.c:3630
 em28xx_usb_probe+0x15b1/0x2fc0 drivers/media/usb/em28xx/em28xx-cards.c:3979
 usb_probe_interface+0x633/0xb40 drivers/usb/core/driver.c:396
 call_driver_probe+0x96/0x250 drivers/base/dd.c:517
 really_probe+0x223/0x9c0 drivers/base/dd.c:595
 __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
 driver_probe_device+0x50/0x240 drivers/base/dd.c:777
 __device_attach_driver+0x1e1/0x3b0 drivers/base/dd.c:894
 bus_for_each_drv+0x16a/0x1f0 drivers/base/bus.c:427
 __device_attach+0x301/0x560 drivers/base/dd.c:965
 bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:487
 device_add+0x1295/0x1790 drivers/base/core.c:3352
 usb_set_configuration+0x1a86/0x2100 drivers/usb/core/message.c:2170
 usb_generic_driver_probe+0x83/0x140 drivers/usb/core/generic.c:238
 usb_probe_device+0x13a/0x260 drivers/usb/core/driver.c:293
 call_driver_probe+0x96/0x250 drivers/base/dd.c:517
 really_probe+0x223/0x9c0 drivers/base/dd.c:595
 __driver_probe_device+0x1f8/0x3e0 drivers/base/dd.c:747
 driver_probe_device+0x50/0x240 drivers/base/dd.c:777
 __device_attach_driver+0x1e1/0x3b0 drivers/base/dd.c:894
 bus_for_each_drv+0x16a/0x1f0 drivers/base/bus.c:427
 __device_attach+0x301/0x560 drivers/base/dd.c:965
 bus_probe_device+0xb8/0x1f0 drivers/base/bus.c:487
 device_add+0x1295/0x1790 drivers/base/core.c:3352
 usb_new_device+0x108a/0x1940 drivers/usb/core/hub.c:2559
 hub_port_connect+0x1055/0x27a0 drivers/usb/core/hub.c:5300
 hub_port_connect_change+0x5d0/0xbf0 drivers/usb/core/hub.c:5440
 port_event+0xaee/0x1140 drivers/usb/core/hub.c:5586
 hub_event+0x48d/0xd80 drivers/usb/core/hub.c:5668
 process_one_work+0x833/0x10c0 kernel/workqueue.c:2276
 process_scheduled_works kernel/workqueue.c:2338 [inline]
 worker_thread+0xe28/0x1320 kernel/workqueue.c:2424
 kthread+0x453/0x480 kernel/kthread.c:319
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
Modules linked in:
---[ end trace 2992d227907d3a06 ]---
RIP: 0010:__list_add_valid+0xb6/0xc0 lib/list_debug.c:26
Code: 48 c7 c7 a0 79 93 8a 4c 89 e6 4c 89 f1 31 c0 e8 28 b3 5b fd 0f 0b 48 c7 c7 60 7a 93 8a 4c 89 f6 4c 89 e1 31 c0 e8 12 b3 5b fd <0f> 0b 0f 1f 84 00 00 00 00 00 41 57 41 56 41 54 53 49 89 fe 49 bc
RSP: 0018:ffffc90000ca66e8 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffffffff8d430ee8 RCX: de978ae683561100
RDX: 0000000000000000 RSI: 0000000080000000 RDI: 0000000000000000
RBP: dffffc0000000000 R08: ffffffff81663b82 R09: ffffed1017389798
R10: ffffed1017389798 R11: 0000000000000000 R12: ffff88801cdc4250
R13: dffffc0000000000 R14: ffffffff8d430ee0 R15: ffff8880149bc250
FS:  0000000000000000(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9f43406710 CR3: 000000002c61d000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Fix bisection attempts:
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kasan-gce | 2021/06/01 19:44 | upstream | c2131f7e73c9 | 92ead296 | .config | log | report | syz | C | |
ci-upstream-kasan-gce | 2021/05/02 13:18 | upstream | 17ae69aba89d | 92ead296 | .config | log | report | syz | C | |
ci-upstream-kasan-gce | 2021/04/02 12:56 | upstream | 1678e493d530 | 92ead296 | .config | log | report | syz | C | |
* Struck through repros no longer work on HEAD.
Crashes (18):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kasan-gce-smack-root | 2021/07/20 21:25 | upstream | 8cae8cd89f05 | 1b201b48 | .config | log | report | syz | C | | BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce-root | 2021/07/11 10:11 | upstream | 3dbdb38e2869 | 8f5a7b8c | .config | log | report | syz | C | | BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce-smack-root | 2021/06/22 00:32 | upstream | 13311e74253f | aba2b2fb | .config | log | report | syz | C | | BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce-root | 2021/06/13 15:00 | upstream | 8ecfa36cd4db | 1ba81399 | .config | log | report | syz | C | | BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce | 2021/03/02 18:38 | upstream | 7a7fd0de4a98 | 92ead296 | .config | log | report | syz | C | | BUG: corrupted list in em28xx_init_extension
ci-upstream-kasan-gce | 2021/02/08 01:30 | upstream | b75dba7f472c | 2ce644fc | .config | log | report | syz | C | | BUG: corrupted list in em28xx_init_extension
ci-upstream-linux-next-kasan-gce-root | 2021/07/15 18:27 | linux-next | c1a6d08348fc | b9a2f64e | .config | log | report | syz | C | | BUG: corrupted list in em28xx_init_extension
ci2-upstream-usb | 2021/01/10 00:11 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 841081d89d5a | 2c1f2513 | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/12/22 10:27 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 3644e2d2dda7 | 04201c06 | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/07/06 03:13 | https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git usb-testing | 768a07412843 | 22f87567 | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/06/09 06:39 | https://github.com/google/kasan.git usb-fuzzer | 2089c6ed5a17 | 0d60b78a | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/05/29 01:51 | https://github.com/google/kasan.git usb-fuzzer | d19c64b3d097 | d19ed305 | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/05/14 04:52 | https://github.com/google/kasan.git usb-fuzzer | 059e7e0ff26c | a885920d | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/03/06 18:04 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 7fb694ef | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/03/06 14:14 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | 7fb694ef | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/02/29 23:47 | https://github.com/google/kasan.git usb-fuzzer | d6ff8147a51c | c88c7b75 | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/01/23 03:16 | https://github.com/google/kasan.git usb-fuzzer | 4cc301ee04d9 | 3334d684 | .config | log | report | syz | C | |
ci2-upstream-usb | 2020/01/25 01:03 | https://github.com/google/kasan.git usb-fuzzer | cd234325a5f1 | 2e95ab33 | .config | log | report | | | |
* Struck through repros no longer work on HEAD.