em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
==================================================================
BUG: KASAN: use-after-free in __list_add_valid_or_report+0x6c/0x148 lib/list_debug.c:32
Read of size 8 at addr ffff0000ccc2c250 by task kworker/0:0/9

CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.17.0-rc1-syzkaller-g8f5ae30d69d7 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/30/2025
Workqueue: usb_hub_wq hub_event
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x238 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:482
 kasan_report+0xb0/0x110 mm/kasan/report.c:595
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __list_add_valid_or_report+0x6c/0x148 lib/list_debug.c:32
 __list_add_valid include/linux/list.h:88 [inline]
 __list_add include/linux/list.h:150 [inline]
 list_add_tail include/linux/list.h:183 [inline]
 em28xx_init_extension+0x60/0x1b4 drivers/media/usb/em28xx/em28xx-core.c:1114
 em28xx_init_dev+0x80c/0x1bf4 drivers/media/usb/em28xx/em28xx-cards.c:3679
 em28xx_usb_probe+0x10c4/0x2440 drivers/media/usb/em28xx/em28xx-cards.c:4034
 usb_probe_interface+0x5a4/0xaac drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x3b4/0x944 drivers/base/dd.c:659
 __driver_probe_device+0x180/0x2d4 drivers/base/dd.c:801
 driver_probe_device+0x78/0x330 drivers/base/dd.c:831
 __device_attach_driver+0x290/0x4e0 drivers/base/dd.c:959
 bus_for_each_drv+0x220/0x2b4 drivers/base/bus.c:462
 __device_attach+0x26c/0x388 drivers/base/dd.c:1031
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1080
 bus_probe_device+0x178/0x240 drivers/base/bus.c:537
 device_add+0x71c/0xa60 drivers/base/core.c:3689
 usb_set_configuration+0x1640/0x1bac drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8c/0x144 drivers/usb/core/generic.c:250
 usb_probe_device+0x1a4/0x348 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x3b4/0x944 drivers/base/dd.c:659
 __driver_probe_device+0x180/0x2d4 drivers/base/dd.c:801
 driver_probe_device+0x78/0x330 drivers/base/dd.c:831
 __device_attach_driver+0x290/0x4e0 drivers/base/dd.c:959
 bus_for_each_drv+0x220/0x2b4 drivers/base/bus.c:462
 __device_attach+0x26c/0x388 drivers/base/dd.c:1031
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1080
 bus_probe_device+0x178/0x240 drivers/base/bus.c:537
 device_add+0x71c/0xa60 drivers/base/core.c:3689
 usb_new_device+0x7f0/0x123c drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x211c/0x3c78 drivers/usb/core/hub.c:5952
 process_one_work+0x7e8/0x155c kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3319 [inline]
 worker_thread+0x990/0xed8 kernel/workqueue.c:3400
 kthread+0x5fc/0x75c kernel/kthread.c:463
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0xffff0000ccc2fa80 pfn:0x10cc2c
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffdffc355a608 fffffdffc3dc0b08 0000000000000000
raw: ffff0000ccc2fa80 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000ccc2c100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000ccc2c180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000ccc2c200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff0000ccc2c280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000ccc2c300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 3
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device
usb 1-1: new high-speed USB device number 4 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 16
usb 1-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has an invalid bInterval 56, changing to 7
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 57832, setting to 1024
usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
em28xx 1-1:0.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
em28xx 1-1:0.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 4
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device
usb 1-1: new high-speed USB device number 5 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 16
usb 1-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has an invalid bInterval 56, changing to 7
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 57832, setting to 1024
usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
em28xx 1-1:0.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
em28xx 1-1:0.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 5
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device