From: Greg KH <gregkh@linuxfoundation.org>
To: cen zhang <zzzccc427@gmail.com>
Cc: mathias.nyman@intel.com, linux-kernel@vger.kernel.org,
baijiaju1990@gmail.com, zhenghaoran154@gmail.com,
r33s3n6@gmail.com, linux-usb@vger.kernel.org,
gality365@gmail.com
Subject: Re: [BUG] KASAN: slab-use-after-free Read in xhci_hub_control
Date: Thu, 17 Jul 2025 16:37:39 +0200
Message-ID: <2025071748-unlovely-citadel-3dc8@gregkh>
In-Reply-To: <CAFRLqsUZTDm0KAfX_qziTrn6E3+sRksF5ormxhHConqTKWvHBQ@mail.gmail.com>

On Thu, Jul 17, 2025 at 08:24:17PM +0800, cen zhang wrote:
> Hi maintainers,
>
> I've encountered a kernel crash in the xhci driver, which was found by
> Syzkaller on kernel version 6.16.0-rc6 (commit 155a3c003e55).
>
> The KASAN report points to a slab-use-after-free read within
> xhci_hub_control. What we find puzzling is that the free operation
> occurred in a completely different module, as indicated by the free
> stack trace.
>
> We suspect this might not be a false positive, but rather a complex
> bug whose root cause is not a simple UAF within the same driver. We've
> tried to trace how this could happen but are struggling to understand
> the connection.
>
> Could you possibly offer your expertise and help us understand if this
> is a known issue or a new bug? Any insight you could provide would be
> immensely helpful.
>
> The full crash log and a C reproducer are attached. Please let me know
> if any further information is needed.
>
> The full KASAN crash report is attached. Below is the C reproducer.

You are talking to a specific USB hub in your system, I guess an xhci
root hub?  Or one that is external?  Can you clean up your reproducer to
be readable so we can try to run it locally with any USB hub as the
option?

thanks,

greg k-h
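The following is an added example for readers of this thread, not code from the report or from the xhci driver. It shows the shape Greg asks for: a short, readable program that takes the hub's usbfs device node on the command line instead of hard-coding one, and talks to it with the standard hub-class control requests that the hub driver forwards to the host controller's hub_control for a root hub. It only issues the read-only GetHubDescriptor and GetPortStatus requests; the reporter's actual request sequence is not on this page, and nothing here is meant to trigger the reported bug. The device path, the 1 s timeout and the 64-byte descriptor buffer are assumptions of the example.

```c
/*
 * Added example (not from the thread): a hub-control probe parameterized by
 * the hub's usbfs node. Read-only requests only; it is not the reproducer.
 *
 * Build: cc -Wall -O2 -o hubprobe hubprobe.c
 * Run:   sudo ./hubprobe /dev/bus/usb/001/001   (device 1 on a bus is its root hub)
 */
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/usbdevice_fs.h>
#include <linux/usb/ch9.h>
#include <linux/usb/ch11.h>

/* wPortStatus is the first little-endian 16-bit word of a GetPortStatus reply. */
static uint16_t port_status_word(const uint8_t buf[4])
{
	return (uint16_t)(buf[0] | (buf[1] << 8));
}

/* wPortChange is the second little-endian 16-bit word of the same reply. */
static uint16_t port_change_word(const uint8_t buf[4])
{
	return (uint16_t)(buf[2] | (buf[3] << 8));
}

/* bNbrPorts is byte 2 of both the USB 2.0 (0x29) and SuperSpeed (0x2a) hub
 * descriptors. Returns -1 if the buffer does not look like a hub descriptor. */
static int hub_port_count(const uint8_t *desc, size_t len)
{
	if (len < 3 || (desc[1] != USB_DT_HUB && desc[1] != USB_DT_SS_HUB))
		return -1;
	return desc[2];
}

/* One synchronous control transfer through usbfs; returns bytes moved or -1. */
static int hub_control(int fd, uint8_t reqtype, uint8_t req, uint16_t value,
		       uint16_t index, void *data, uint16_t len)
{
	struct usbdevfs_ctrltransfer ctrl = {
		.bRequestType = reqtype,
		.bRequest = req,
		.wValue = value,
		.wIndex = index,
		.wLength = len,
		.timeout = 1000,	/* milliseconds; an assumption of the example */
		.data = data,
	};
	return ioctl(fd, USBDEVFS_CONTROL, &ctrl);
}

int main(int argc, char **argv)
{
	uint8_t desc[64], st[4];
	int fd, n, nports;

	if (argc != 2) {
		fprintf(stderr, "usage: %s /dev/bus/usb/BBB/DDD\n", argv[0]);
		return 2;
	}
	fd = open(argv[1], O_RDWR);
	if (fd < 0) {
		perror(argv[1]);
		return 1;
	}

	/* GetHubDescriptor: a USB 2 hub answers type 0x29; an xHCI USB 3 root hub
	 * rejects that and wants USB_DT_SS_HUB (0x2a), so try both. */
	n = hub_control(fd, USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_DEVICE,
			USB_REQ_GET_DESCRIPTOR, USB_DT_HUB << 8, 0, desc, sizeof desc);
	if (n < 0)
		n = hub_control(fd, USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_DEVICE,
				USB_REQ_GET_DESCRIPTOR, USB_DT_SS_HUB << 8, 0, desc, sizeof desc);
	nports = n < 0 ? -1 : hub_port_count(desc, (size_t)n);
	if (nports < 0) {
		fprintf(stderr, "%s: not a hub, or GetHubDescriptor failed\n", argv[1]);
		close(fd);
		return 1;
	}
	printf("%s: hub descriptor type 0x%02x, %d ports\n", argv[1], desc[1], nports);

	/* GetPortStatus for each port; port numbers are 1-based in wIndex. */
	for (int port = 1; port <= nports; port++) {
		n = hub_control(fd, USB_DIR_IN | USB_TYPE_CLASS | USB_RECIP_OTHER,
				USB_REQ_GET_STATUS, 0, (uint16_t)port, st, sizeof st);
		if (n != 4) {
			printf("port %d: GetPortStatus failed (%d)\n", port, n);
			continue;
		}
		printf("port %d: wPortStatus=0x%04x wPortChange=0x%04x%s\n", port,
		       port_status_word(st), port_change_word(st),
		       (port_status_word(st) & USB_PORT_STAT_CONNECTION) ? " [connected]" : "");
	}
	close(fd);
	return 0;
}
```

Opening the node needs permission on /dev/bus/usb (normally root). Device-recipient and other-recipient class requests pass usbfs's recipient check without claiming an interface, which is why the probe can talk to a root hub that the hub driver already owns; interface-recipient requests would need USBDEVFS_CLAIMINTERFACE first.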

Thread overview:
2025-07-17 12:24 [BUG] KASAN: slab-use-after-free Read in xhci_hub_control cen zhang
2025-07-17 14:37 ` Greg KH [this message]
2025-07-18 2:05 ` Alan Stern
2025-07-18 2:40 ` cen zhang
2025-07-18 13:30 ` Alan Stern