[BUG] KASAN: slab-use-after-free in __list_del_entry_valid_or_report from media/go7007

[Shuangpeng Bai]

Hi Kernel Maintainers,

I hit the following report while testing current upstream kernel:

KASAN: slab-use-after-free in __list_del_entry_valid_or_report from media/go7007

on commit: e8c2f9fdadee7cbc75134dc463c1e0d856d6e5c7 (May 25 2026)

The reproducer and .config files are here.
https://gist.github.com/shuangpengbai/12e07f377ad7e3dec1c62335b155f08f

I'm happy to test debug patches or provide additional information.

Reported-by: Shuangpeng Bai <shuangpeng.kernel@xxxxxxxxx>

[39245.125984][ T8682] BUG: KASAN: slab-use-after-free in __list_del_entry_valid_or_report (lib/list_debug.c:65)
[39245.127242][ T8682] Read of size 8 at addr ffff8881678a1210 by task kworker/1:1/8682
[39245.128368][ T8682]
[39245.128732][ T8682] Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[39245.128737][ T8682] Workqueue: usb_hub_wq hub_event
[39245.128749][ T8682] Call Trace:
[39245.128754][ T8682]  <TASK>
[39245.128757][ T8682]  dump_stack_lvl (lib/dump_stack.c:94 lib/dump_stack.c:120)
[39245.128765][ T8682]  print_report (mm/kasan/report.c:378 mm/kasan/report.c:482)
[39245.128788][ T8682]  kasan_report (mm/kasan/report.c:595)
[39245.128801][ T8682]  __list_del_entry_valid_or_report (lib/list_debug.c:65)
[39245.128807][ T8682]  device_pm_remove (include/linux/list.h:132 include/linux/list.h:246 include/linux/list.h:318 drivers/base/power/main.c:174)
[39245.128834][ T8682]  device_del (drivers/base/core.c:3896)
[39245.128860][ T8682]  usb_disable_device (drivers/usb/core/message.c:1478)
[39245.128869][ T8682]  usb_disconnect (drivers/input/misc/yealink.c:421)
[39245.128877][ T8682]  hub_event (drivers/usb/core/hub.c:5407 drivers/usb/core/hub.c:5707 drivers/usb/core/hub.c:5871 drivers/usb/core/hub.c:5953)
[39245.128917][ T8682]  process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[39245.128929][ T8682]  worker_thread (kernel/workqueue.c:3478)
[39245.128942][ T8682]  kthread (kernel/kthread.c:436)
[39245.128957][ T8682]  ret_from_fork (kernel/process.c:158)
[39245.129320][ T8682]  ret_from_fork_asm (arch/x86/entry/entry_64.S:245)
[39245.129329][ T8682]  </TASK>
[39245.129331][ T8682]
[39245.156185][ T8682] Freed by task 8682 on cpu 1 at 39245.017827s:
[39245.157077][ T8682]  kasan_save_track (mm/kasan/common.c:57 mm/kasan/common.c:78)
[39245.157769][ T8682]  kasan_save_free_info (mm/kasan/generic.c:584)
[39245.158483][ T8682]  __kasan_slab_free (mm/kasan/common.c:253 mm/kasan/common.c:285)
[39245.159149][ T8682]  kfree (include/linux/kasan.h:235 mm/slub.c:2689 mm/slub.c:6251 mm/slub.c:6566)
[39245.159724][ T8682]  go7007_usb_probe (drivers/media/usb/go7007/go7007-usb.c:1324)
[39245.160455][ T8682]  usb_probe_interface (drivers/usb/core/driver.c:396)
[39245.161203][ T8682]  really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[39245.161840][ T8682]  __driver_probe_device (drivers/base/dd.c:871)
[39245.162605][ T8682]  driver_probe_device (drivers/base/dd.c:901)
[39245.163311][ T8682]  __device_attach_driver (drivers/base/dd.c:1029)
[39245.164060][ T8682]  bus_for_each_drv (drivers/base/bus.c:500)
[39245.164733][ T8682]  __device_attach (drivers/base/dd.c:1101)
[39245.165405][ T8682]  device_initial_probe (drivers/base/dd.c:1156)
[39245.166086][ T8682]  bus_probe_device (drivers/base/bus.c:613)
[39245.166754][ T8682]  device_add (drivers/base/core.c:3706)
[39245.167358][ T8682]  usb_set_configuration (drivers/usb/core/message.c:2268)
[39245.168129][ T8682]  usb_generic_driver_probe (drivers/usb/core/generic.c:250)
[39245.168861][ T8682]  usb_probe_device (drivers/usb/core/driver.c:291)
[39245.169503][ T8682]  really_probe (drivers/base/dd.c:? drivers/base/dd.c:709)
[39245.170123][ T8682]  __driver_probe_device (drivers/base/dd.c:871)
[39245.170841][ T8682]  driver_probe_device (drivers/base/dd.c:901)
[39245.171539][ T8682]  __device_attach_driver (drivers/base/dd.c:1029)
[39245.172277][ T8682]  bus_for_each_drv (drivers/base/bus.c:500)
[39245.172959][ T8682]  __device_attach (drivers/base/dd.c:1101)
[39245.173663][ T8682]  device_initial_probe (drivers/base/dd.c:1156)
[39245.174377][ T8682]  bus_probe_device (drivers/base/bus.c:613)
[39245.175054][ T8682]  device_add (drivers/base/core.c:3706)
[39245.175672][ T8682]  usb_new_device (drivers/usb/core/hub.c:2695)
[39245.176363][ T8682]  hub_event (drivers/usb/core/hub.c:5567 drivers/usb/core/hub.c:5707 drivers/usb/core/hub.c:5871 drivers/usb/core/hub.c:5953)
[39245.176996][ T8682]  process_scheduled_works (kernel/workqueue.c:3314 kernel/workqueue.c:3397)
[39245.177761][ T8682]  worker_thread (kernel/workqueue.c:3478)
[39245.178421][ T8682]  kthread (kernel/kthread.c:436)
[39245.178989][ T8682]  ret_from_fork (kernel/process.c:158)
[39245.179645][ T8682]  ret_from_fork_asm (arch/x86/entry/entry_64.S:245)


Best,
Shuangpeng