[BUG] list_add corruption in em28xx_init_extension (em28xx driver) on 6.14.0-rc4

Dear Maintainers,

When using our customized Syzkaller to fuzz the latest Linux kernel, the
following crash was triggered.

Kernel commit: v6.14-rc4 (Commits on Feb 24, 2025)
Kernel Config : https://github.com/Strforexc/LinuxKernelbug/blob/main/.config
Kernel Log: attachment
reproduce: attachment

I’ve encountered a kernel BUG in the em28xx USB media driver on Linux
6.14.0-rc4, involving a linked list corruption. Here are the details:
The kernel reports a list_add corruption followed by a BUG at
lib/list_debug.c:32 in __list_add_valid_or_report. The issue occurs
during em28xx_init_extension when adding a device to em28xx_devlist,
crashing the kernel with an invalid opcode exception.
The crash occurs in em28xx_init_extension at
list_add_tail(&dev->devlist, &em28xx_devlist). The list corruption
suggests prev->next was overwritten or dev is invalid.

Possible Causes:
1. Race Condition: Rapid USB connect/disconnect events (e.g., usb 9-1:
USB disconnect) may race with request_module_async, freeing dev before
list_add_tail completes, despite em28xx_devlist_mutex.
2. Memory Corruption: The unexpected prev->next value
(ffffffff81868a07) indicates potential overwrite, possibly from a
use-after-free or concurrent access.


Our knowledge of the kernel is somewhat limited, and we'd appreciate
it if you could determine if there is such an issue. If this issue
doesn't have an impact, please ignore it ☺.
If you fix this issue, please add the following tag to the commit:
Reported-by: Zhizhuo Tang <strforexctzzchange@xxxxxxxxxxx>, Jianzhou
Zhao <xnxc22xnxc22@xxxxxx>, Haoran Liu <cherest_san@xxxxxxx>

list_add corruption. prev->next should be next (ffffffff8fbc78e0), but
was ffffffff81868a07. (prev=ffff8880129e8250).
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:32!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 UID: 0 PID: 11210 Comm: kworker/0:3 Not tainted 6.14.0-rc4 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: events request_module_async
RIP: 0010:__list_add_valid_or_report+0x13b/0x1a0 lib/list_debug.c:32
Code: 00 00 00 00 fc ff df 48 89 f2 48 c1 ea 03 80 3c 02 00 75 5a 48
8b 16 48 89 f1 48 c7 c7 20 1c f2 8b 4c 89 e6 e8 16 68 d3 fc 90 <0f> 0b
48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 a0 1c f2 8b e8 fe 67 d3
RSP: 0018:ffffc90010987bf0 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffff88807c89dad8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8880129e8250 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8fbc78e0
R13: ffff88807c89c250 R14: ffffffff8fbc78e8 R15: ffff88801b494000
FS:  0000000000000000(0000) GS:ffff88802b600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7f08a12000 CR3: 000000007473e000 CR4: 00000000000006f0
DR0: 0700000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
Call Trace:
 <TASK>
 __list_add_valid include/linux/list.h:88 [inline]
 __list_add include/linux/list.h:150 [inline]
 list_add_tail include/linux/list.h:183 [inline]
 em28xx_init_extension+0x48/0x200 drivers/media/usb/em28xx/em28xx-core.c:1114
 request_module_async+0x61/0x70 drivers/media/usb/em28xx/em28xx-cards.c:3457
 process_one_work+0x109d/0x18c0 kernel/workqueue.c:3236
 process_scheduled_works kernel/workqueue.c:3317 [inline]
 worker_thread+0x677/0xe90 kernel/workqueue.c:3398
 kthread+0x3b3/0x760 kernel/kthread.c:464
 ret_from_fork+0x48/0x80 arch/x86/kernel/process.c:148
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_add_valid_or_report+0x13b/0x1a0 lib/list_debug.c:32
Code: 00 00 00 00 fc ff df 48 89 f2 48 c1 ea 03 80 3c 02 00 75 5a 48
8b 16 48 89 f1 48 c7 c7 20 1c f2 8b 4c 89 e6 e8 16 68 d3 fc 90 <0f> 0b
48 89 f2 4c 89 e1 4c 89 ee 48 c7 c7 a0 1c f2 8b e8 fe 67 d3
RSP: 0018:ffffc90010987bf0 EFLAGS: 00010246
RAX: 0000000000000075 RBX: ffff88807c89dad8 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff8880129e8250 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8fbc78e0
R13: ffff88807c89c250 R14: ffffffff8fbc78e8 R15: ffff88801b494000
FS:  0000000000000000(0000) GS:ffff88802b600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f27f023e78 CR3: 000000004da88000 CR4: 00000000000006f0
DR0: 0700000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600

Thanks,
Zhizhuo Tang

Attachment: repro.cprog
Description: Binary data

Attachment: repro.log
Description: Binary data

Attachment: log0
Description: Binary data
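The message the report quotes ("prev->next should be next ..., but was ...") comes from the CONFIG_DEBUG_LIST check in lib/list_debug.c that runs before every list_add()/list_add_tail(). The following is an added example, not code from the report or from the em28xx driver: a user-space model of that check on a minimal list_head, with one scenario where two device entries are linked normally and one where the tail entry's forward pointer has been modified (standing in for the freed or reused struct the report suspects) before the next list_add_tail(). The struct name fake_dev, the function names and the scenarios are constructed for illustration.

```c
/* Added example, not code from the report or the em28xx driver: a user-space
 * model of the kernel's list_add() debug check (lib/list_debug.c), showing
 * what "prev->next should be next, but was ..." means and why a stale
 * element makes the next list_add_tail() fail. All names are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct list_head {
	struct list_head *next, *prev;
};

static void init_list_head(struct list_head *head)
{
	head->next = head;
	head->prev = head;
}

/* Mirrors the pointer consistency checks in __list_add_valid_or_report():
 * the two neighbours must still point at each other, and the new entry must
 * not already be one of them. Returns false (instead of BUG()) on corruption. */
static bool list_add_valid(struct list_head *new, struct list_head *prev,
			   struct list_head *next)
{
	if (next->prev != prev) {
		fprintf(stderr, "list_add corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",
			(void *)prev, (void *)next->prev, (void *)next);
		return false;
	}
	if (prev->next != next) {
		fprintf(stderr, "list_add corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
			(void *)next, (void *)prev->next, (void *)prev);
		return false;
	}
	if (new == prev || new == next) {
		fprintf(stderr, "list_add double add: new=%p, prev=%p, next=%p.\n",
			(void *)new, (void *)prev, (void *)next);
		return false;
	}
	return true;
}

/* list_add_tail() with the debug check in front, as CONFIG_DEBUG_LIST does. */
static bool list_add_tail_checked(struct list_head *new, struct list_head *head)
{
	struct list_head *prev = head->prev;
	struct list_head *next = head;

	if (!list_add_valid(new, prev, next))
		return false;
	next->prev = new;
	new->next = next;
	new->prev = prev;
	prev->next = new;
	return true;
}

/* Constructed stand-in for a per-device struct carrying its devlist link;
 * only the embedded list_head matters here. */
struct fake_dev {
	int id;
	struct list_head devlist;
};

/* Two devices registered in order: both list_add_tail() calls succeed.
 * Returns the number of entries that were linked (expected: 2). */
int scenario_clean(void)
{
	struct list_head devlist;
	struct fake_dev a = { .id = 1 }, b = { .id = 2 };
	int added = 0;

	init_list_head(&devlist);
	added += list_add_tail_checked(&a.devlist, &devlist);
	added += list_add_tail_checked(&b.devlist, &devlist);
	return added;
}

/* The failure mode the report suspects: the tail entry's memory is modified
 * (here its next pointer is clobbered, standing in for a freed or reused
 * struct) before the next device is linked. The check rejects the add
 * instead of silently linking through the bad pointer. Returns false. */
bool scenario_corrupted(void)
{
	struct list_head devlist;
	struct fake_dev a = { .id = 1 }, b = { .id = 2 };
	char garbage[sizeof(struct list_head)] = { 0 };

	init_list_head(&devlist);
	list_add_tail_checked(&a.devlist, &devlist);
	/* simulate the overwrite: a's forward link no longer points at the head */
	a.devlist.next = (struct list_head *)garbage;
	return list_add_tail_checked(&b.devlist, &devlist);
}

int main(void)
{
	printf("clean: %d entries linked\n", scenario_clean());
	printf("corrupted: add %s\n", scenario_corrupted() ? "succeeded" : "rejected");
	return 0;
}
```

The check can only report that prev->next disagrees with the list head; it cannot say why. In the report the bad value (ffffffff81868a07) is a kernel text address rather than a heap pointer, which is why the submitters' guesses centre on a freed or overwritten dev rather than a simple ordering bug.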

