Re: [BUG] KASAN: slab-use-after-free Read in xhci_hub_control
From: Alan Stern
Date: Thu Jul 17 2025 - 22:05:31 EST
On Thu, Jul 17, 2025 at 08:24:17PM +0800, cen zhang wrote:
> Hi maintainers,
>
> I've encountered a kernel crash in the xhci driver, which was found by
> Syzkaller on kernel version 6.16.0-rc6 (commit 155a3c003e55).
>
> The KASAN report points to a slab-use-after-free read within
> xhci_hub_control. What we find puzzling is that the free operation
> occurred in a completely different module, as indicated by the free
> stack trace.
>
> We suspect this might not be a false positive, but rather a complex
> bug whose root cause is not a simple UAF within the same driver. We've
> tried to trace how this could happen but are struggling to understand
> the connection.
>
> Could you possibly offer your expertise and help us understand if this
> is a known issue or a new bug? Any insight you could provide would be
> immensely helpful.
My initial guess is that you're experiencing pointer corruption. Such
bugs are notoriously difficult to locate and pin down.
Alan Stern
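To make the diagnosis above concrete, here is an added example (not code from this thread, from syzkaller, or from the xhci driver) that models the symptom in the report: a use-after-free read in one module whose free stack belongs to a completely different module, produced by a third module corrupting a pointer. The slab allocator, the KASAN-style read check and the three "modules" (net, storage, hub) are hypothetical simulations invented for the example; the struct layout and function names are assumptions, not anything from the kernel.

```c
/*
 * Added example: toy model of how pointer corruption yields a
 * "slab-use-after-free read" whose free stack lies in an unrelated module.
 * Not code from the LKML thread or from drivers/usb/host/xhci*.c; the
 * allocator, the "KASAN" check and the "modules" are all simulated.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS 4
#define SLOT_WORDS 8

/* Simulated slab: each slot remembers who freed it, the way a real
 * KASAN report remembers the free stack. */
struct slot {
    long long mem[SLOT_WORDS];   /* 64 bytes, suitably aligned */
    int in_use;
    const char *freed_by;
};
static struct slot pool[POOL_SLOTS];

static void *toy_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].freed_by = NULL;
            memset(pool[i].mem, 0, sizeof pool[i].mem);
            return pool[i].mem;
        }
    }
    return NULL;
}

static void toy_free(void *p, const char *who)
{
    for (int i = 0; i < POOL_SLOTS; i++) {
        if ((void *)pool[i].mem == p) {
            pool[i].in_use = 0;
            pool[i].freed_by = who;   /* recorded "free stack" */
        }
    }
}

/* Simulated KASAN read check: returns the freeing site if the address
 * lies inside a freed slot, NULL if the access is clean. */
static const char *toy_kasan_check_read(const void *p)
{
    const unsigned char *a = p;
    for (int i = 0; i < POOL_SLOTS; i++) {
        const unsigned char *lo = (const unsigned char *)pool[i].mem;
        if (!pool[i].in_use && a >= lo && a < lo + sizeof pool[i].mem)
            return pool[i].freed_by;
    }
    return NULL;
}

/* Module C, the victim ("hub"): an object whose port_status pointer is
 * dereferenced by something in the role of xhci_hub_control. */
struct hub {
    int *scratch[2];    /* small array that module B indexes */
    int *port_status;   /* sits directly after scratch[] in memory */
};

/* Runs the scenario with module B writing to scratch[scratch_index] and
 * returns what the simulated KASAN reports for the hub's read:
 * NULL when clean, otherwise the name of the site that freed the memory. */
static const char *run_scenario(int scratch_index)
{
    int live_status = 1;
    struct hub hub = { { NULL, NULL }, &live_status };

    /* Module A ("net"): allocates a buffer, lends it out, frees it. */
    int *netbuf = toy_alloc();
    int *stale = netbuf;                  /* module B kept a copy */
    toy_free(netbuf, "net_rx_free");      /* the free stack will say "net" */

    /* Module B ("storage"): stores its stale pointer at scratch[index].
     * With index 2 the write lands on hub.port_status: pointer corruption.
     * memcpy within the hub object keeps the out-of-bounds index well-defined C. */
    size_t off = (size_t)scratch_index * sizeof(int *);
    if (off + sizeof stale > sizeof hub)
        return "write outside hub";
    memcpy((unsigned char *)&hub + off, &stale, sizeof stale);

    /* Module C ("hub"): never touched netbuf, yet its read now hits memory
     * that module A freed, so the report blames a free in another module. */
    return toy_kasan_check_read(hub.port_status);
}

int main(void)
{
    const char *r = run_scenario(2);
    printf("clean run: %s\n", run_scenario(1) ? "UAF" : "ok");
    printf("buggy run: %s\n", r ? r : "ok");
    return 0;
}
```

The point of the model is the third step: the reader (module C) is correct, the freer (module A) is correct, and the only bug is a stray write in module B that neither stack trace mentions. That is why the free stack in such reports can sit in an unrelated subsystem, and why the useful question is "who last wrote to the pointer that was dereferenced" rather than "who freed this object".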