Extracting prog: 3m59.748282224s
Minimizing prog: 18m34.388133661s
Simplifying prog options: 4m41.136241991s
Extracting C: 29.353500043s
Simplifying C: 0s

extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s

testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, &(0x7f00000005c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b000100000000090400000190f19c000905f3ede8e9384088477da5163aeacac5aef6b35899848f884763144ec6a2aeada635e54cdc8fb569daf4797849ac735823c41a718ab016b0c1ec7613250780", @ANYRESHEX=0x0, @ANYRESDEC=0x0, @ANYRESHEX, @ANYRES32, @ANYRES8=0x0], 0x0)
program did not crash
program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 6m0s

testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, &(0x7f00000005c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b000100000000090400000190f19c000905f3ede8e9384088477da5163aeacac5aef6b35899848f884763144ec6a2aeada635e54cdc8fb569daf4797849ac735823c41a718ab016b0c1ec7613250780", @ANYRESHEX=0x0, @ANYRESDEC=0x0, @ANYRESHEX, @ANYRES32, @ANYRES8=0x0], 0x0)
program crashed: KASAN: slab-use-after-free Read in em28xx_init_extension
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program

testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, 0x0, 0x0)
program did not crash

testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, &(0x7f00000005c0)=ANY=[], 0x0)
program did not crash

testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, &(0x7f00000005c0)=ANY=[@ANYBLOB, @ANYRESHEX=0x0, @ANYRESDEC=0x0, @ANYRESHEX, @ANYRES32, @ANYRES8=0x0], 0x0)
program did not crash
extracting C reproducer

testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
a never seen crash title: BUG: corrupted list in em28xx_init_extension, ignore
simplifying guilty program options

testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, &(0x7f00000005c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b000100000000090400000190f19c000905f3ede8e9384088477da5163aeacac5aef6b35899848f884763144ec6a2aeada635e54cdc8fb569daf4797849ac735823c41a718ab016b0c1ec7613250780", @ANYRESHEX=0x0, @ANYRESDEC=0x0, @ANYRESHEX, @ANYRES32, @ANYRES8=0x0], 0x0)
program crashed: KASAN: slab-use-after-free Read in em28xx_init_extension
extracting C reproducer

testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: BUG: corrupted list in em28xx_init_extension
a never seen crash title: BUG: corrupted list in em28xx_init_extension, ignore

testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, &(0x7f00000005c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b000100000000090400000190f19c000905f3ede8e9384088477da5163aeacac5aef6b35899848f884763144ec6a2aeada635e54cdc8fb569daf4797849ac735823c41a718ab016b0c1ec7613250780", @ANYRESHEX=0x0, @ANYRESDEC=0x0, @ANYRESHEX, @ANYRES32, @ANYRES8=0x0], 0x0)
program crashed: BUG: corrupted list in em28xx_init_extension
a never seen crash title: BUG: corrupted list in em28xx_init_extension, ignore

testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, &(0x7f00000005c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b000100000000090400000190f19c000905f3ede8e9384088477da5163aeacac5aef6b35899848f884763144ec6a2aeada635e54cdc8fb569daf4797849ac735823c41a718ab016b0c1ec7613250780", @ANYRESHEX=0x0, @ANYRESDEC=0x0, @ANYRESHEX, @ANYRES32, @ANYRES8=0x0], 0x0)
program crashed: KASAN: use-after-free Read in em28xx_init_extension
validation run: crashed=true

testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, &(0x7f00000005c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b000100000000090400000190f19c000905f3ede8e9384088477da5163aeacac5aef6b35899848f884763144ec6a2aeada635e54cdc8fb569daf4797849ac735823c41a718ab016b0c1ec7613250780", @ANYRESHEX=0x0, @ANYRESDEC=0x0, @ANYRESHEX, @ANYRES32, @ANYRES8=0x0], 0x0)
program crashed: BUG: corrupted list in em28xx_init_extension
validation run: crashed=true

testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:5 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x2d, &(0x7f00000005c0)=ANY=[@ANYBLOB="9f01000083667d1040206502d14e0102030109021b000100000000090400000190f19c000905f3ede8e9384088477da5163aeacac5aef6b35899848f884763144ec6a2aeada635e54cdc8fb569daf4797849ac735823c41a718ab016b0c1ec7613250780", @ANYRESHEX=0x0, @ANYRESDEC=0x0, @ANYRESHEX, @ANYRES32, @ANYRES8=0x0], 0x0)
program crashed: KASAN: use-after-free Read in em28xx_init_extension
validation run: crashed=true

reproducing took 31m36.452319892s

repro crashed as (corrupted=false):
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
==================================================================
BUG: KASAN: use-after-free in __list_add_valid_or_report+0x6c/0x148 lib/list_debug.c:32
Read of size 8 at addr ffff0000c72ec250 by task kworker/1:5/6746

CPU: 1 UID: 0 PID: 6746 Comm: kworker/1:5 Not tainted 6.16.0-rc7-syzkaller-g82af5ea7c611 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: usb_hub_wq hub_event
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x220 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:480
 kasan_report+0xb0/0x110 mm/kasan/report.c:593
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __list_add_valid_or_report+0x6c/0x148 lib/list_debug.c:32
 __list_add_valid include/linux/list.h:88 [inline]
 __list_add include/linux/list.h:150 [inline]
 list_add_tail include/linux/list.h:183 [inline]
 em28xx_init_extension+0x60/0x1b4 drivers/media/usb/em28xx/em28xx-core.c:1114
 em28xx_init_dev+0x80c/0x1bf4 drivers/media/usb/em28xx/em28xx-cards.c:3679
 em28xx_usb_probe+0x10c4/0x2440 drivers/media/usb/em28xx/em28xx-cards.c:4034
 usb_probe_interface+0x584/0xa44 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x394/0x910 drivers/base/dd.c:657
 __driver_probe_device+0x180/0x2d4 drivers/base/dd.c:799
 driver_probe_device+0x78/0x330 drivers/base/dd.c:829
 __device_attach_driver+0x290/0x4e0 drivers/base/dd.c:957
 bus_for_each_drv+0x220/0x2b4 drivers/base/bus.c:462
 __device_attach+0x26c/0x388 drivers/base/dd.c:1029
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1078
 bus_probe_device+0x178/0x240 drivers/base/bus.c:537
 device_add+0x71c/0xa60 drivers/base/core.c:3692
 usb_set_configuration+0x1640/0x1bac drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8c/0x144 drivers/usb/core/generic.c:250
 usb_probe_device+0x1a4/0x348 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x394/0x910 drivers/base/dd.c:657
 __driver_probe_device+0x180/0x2d4 drivers/base/dd.c:799
 driver_probe_device+0x78/0x330 drivers/base/dd.c:829
 __device_attach_driver+0x290/0x4e0 drivers/base/dd.c:957
 bus_for_each_drv+0x220/0x2b4 drivers/base/bus.c:462
 __device_attach+0x26c/0x388 drivers/base/dd.c:1029
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1078
 bus_probe_device+0x178/0x240 drivers/base/bus.c:537
 device_add+0x71c/0xa60 drivers/base/core.c:3692
 usb_new_device+0x7f0/0x1220 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x211c/0x3c78 drivers/usb/core/hub.c:5952
 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x990/0xed8 kernel/workqueue.c:3402
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1072ec
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffdffc373b608 fffffdffc3dfd408 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000c72ec100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000c72ec180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000c72ec200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff0000c72ec280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000c72ec300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 3
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device
usb 1-1: new high-speed USB device number 4 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 16
usb 1-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has an invalid bInterval 56, changing to 7
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 57832, setting to 1024
usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
em28xx 1-1:0.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
em28xx 1-1:0.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 4
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device
usb 1-1: new high-speed USB device number 5 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 16
usb 1-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has an invalid bInterval 56, changing to 7
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 57832, setting to 1024
usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
em28xx 1-1:0.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
em28xx 1-1:0.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 5
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device
usb 1-1: new high-speed USB device number 7 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 16
usb 1-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has an invalid bInterval 56, changing to 7
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 57832, setting to 1024
usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
em28xx 1-1:0.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
em28xx 1-1:0.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 7
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device

final repro crashed as (corrupted=false):
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
==================================================================
BUG: KASAN: use-after-free in __list_add_valid_or_report+0x6c/0x148 lib/list_debug.c:32
Read of size 8 at addr ffff0000c72ec250 by task kworker/1:5/6746

CPU: 1 UID: 0 PID: 6746 Comm: kworker/1:5 Not tainted 6.16.0-rc7-syzkaller-g82af5ea7c611 #0 PREEMPT
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/07/2025
Workqueue: usb_hub_wq hub_event
Call trace:
 show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:499 (C)
 __dump_stack+0x30/0x40 lib/dump_stack.c:94
 dump_stack_lvl+0xd8/0x12c lib/dump_stack.c:120
 print_address_description+0xa8/0x220 mm/kasan/report.c:378
 print_report+0x68/0x84 mm/kasan/report.c:480
 kasan_report+0xb0/0x110 mm/kasan/report.c:593
 __asan_report_load8_noabort+0x20/0x2c mm/kasan/report_generic.c:381
 __list_add_valid_or_report+0x6c/0x148 lib/list_debug.c:32
 __list_add_valid include/linux/list.h:88 [inline]
 __list_add include/linux/list.h:150 [inline]
 list_add_tail include/linux/list.h:183 [inline]
 em28xx_init_extension+0x60/0x1b4 drivers/media/usb/em28xx/em28xx-core.c:1114
 em28xx_init_dev+0x80c/0x1bf4 drivers/media/usb/em28xx/em28xx-cards.c:3679
 em28xx_usb_probe+0x10c4/0x2440 drivers/media/usb/em28xx/em28xx-cards.c:4034
 usb_probe_interface+0x584/0xa44 drivers/usb/core/driver.c:396
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x394/0x910 drivers/base/dd.c:657
 __driver_probe_device+0x180/0x2d4 drivers/base/dd.c:799
 driver_probe_device+0x78/0x330 drivers/base/dd.c:829
 __device_attach_driver+0x290/0x4e0 drivers/base/dd.c:957
 bus_for_each_drv+0x220/0x2b4 drivers/base/bus.c:462
 __device_attach+0x26c/0x388 drivers/base/dd.c:1029
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1078
 bus_probe_device+0x178/0x240 drivers/base/bus.c:537
 device_add+0x71c/0xa60 drivers/base/core.c:3692
 usb_set_configuration+0x1640/0x1bac drivers/usb/core/message.c:2210
 usb_generic_driver_probe+0x8c/0x144 drivers/usb/core/generic.c:250
 usb_probe_device+0x1a4/0x348 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x394/0x910 drivers/base/dd.c:657
 __driver_probe_device+0x180/0x2d4 drivers/base/dd.c:799
 driver_probe_device+0x78/0x330 drivers/base/dd.c:829
 __device_attach_driver+0x290/0x4e0 drivers/base/dd.c:957
 bus_for_each_drv+0x220/0x2b4 drivers/base/bus.c:462
 __device_attach+0x26c/0x388 drivers/base/dd.c:1029
 device_initial_probe+0x24/0x34 drivers/base/dd.c:1078
 bus_probe_device+0x178/0x240 drivers/base/bus.c:537
 device_add+0x71c/0xa60 drivers/base/core.c:3692
 usb_new_device+0x7f0/0x1220 drivers/usb/core/hub.c:2694
 hub_port_connect drivers/usb/core/hub.c:5566 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5706 [inline]
 port_event drivers/usb/core/hub.c:5870 [inline]
 hub_event+0x211c/0x3c78 drivers/usb/core/hub.c:5952
 process_one_work+0x7e8/0x155c kernel/workqueue.c:3238
 process_scheduled_works kernel/workqueue.c:3321 [inline]
 worker_thread+0x990/0xed8 kernel/workqueue.c:3402
 kthread+0x5fc/0x75c kernel/kthread.c:464
 ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:844

The buggy address belongs to the physical page:
page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1072ec
flags: 0x5ffc00000000000(node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000000000 fffffdffc373b608 fffffdffc3dfd408 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff0000c72ec100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000c72ec180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff0000c72ec200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
 ffff0000c72ec280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff0000c72ec300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 3
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device
usb 1-1: new high-speed USB device number 4 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 16
usb 1-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has an invalid bInterval 56, changing to 7
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 57832, setting to 1024
usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
em28xx 1-1:0.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
em28xx 1-1:0.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 4
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device
usb 1-1: new high-speed USB device number 5 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 16
usb 1-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has an invalid bInterval 56, changing to 7
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 57832, setting to 1024
usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
em28xx 1-1:0.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
em28xx 1-1:0.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 5
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device
usb 1-1: new high-speed USB device number 7 using dummy_hcd
usb 1-1: Using ep0 maxpacket: 16
usb 1-1: config 0 interface 0 altsetting 0 has an endpoint descriptor with address 0xF3, changing to 0x83
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has an invalid bInterval 56, changing to 7
usb 1-1: config 0 interface 0 altsetting 0 endpoint 0x83 has invalid maxpacket 57832, setting to 1024
usb 1-1: New USB device found, idVendor=2040, idProduct=0265, bcdDevice=4e.d1
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: Product: syz
usb 1-1: Manufacturer: syz
usb 1-1: SerialNumber: syz
usb 1-1: config 0 descriptor??
em28xx 1-1:0.0: New device syz syz @ 480 Mbps (2040:0265, interface 0, class 0)
em28xx 1-1:0.0: Audio interface 0 found (Vendor Class)
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
em28xx 1-1:0.0: We currently don't support analog TV or stream capture on dual tuners.
em28xx 1-1:0.0: unknown em28xx chip ID (0)
em28xx 1-1:0.0: Config register raw data: 0xfffffffb
em28xx 1-1:0.0: AC97 chip type couldn't be determined
em28xx 1-1:0.0: No AC97 audio processor
usb 1-1: USB disconnect, device number 7
em28xx 1-1:0.0: Disconnecting em28xx #1
em28xx 1-1:0.0: Disconnecting em28xx
em28xx 1-1:0.0: Freeing device
em28xx 1-1:0.0: Freeing device