From: Deepanshu Kartikey <kartikey406@gmail.com>
To: castet.matthieu@free.fr, stf_xl@wp.pl, 3chas3@gmail.com,
	gregkh@linuxfoundation.org
Cc: linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	Deepanshu Kartikey <kartikey406@gmail.com>,
	syzbot+3d45d763d18796f97412@syzkaller.appspotmail.com
Subject: [PATCH] usb: atm: ueagle: fix use-after-free in uea_upload_pre_firmware()
Date: Tue, 30 Jun 2026 09:47:16 +0530
Message-ID: <20260630041716.97102-1-kartikey406@gmail.com>

uea_load_firmware() calls request_firmware_nowait() passing a raw
struct usb_device pointer as context, without holding a reference
to it.

If the USB device is disconnected before the firmware workqueue
fires, the usb_device and its usb_interface objects are freed while
uea_upload_pre_firmware() is still pending on the workqueue. When
the callback eventually runs, it accesses the freed memory causing
a slab-use-after-free:

  BUG: KASAN: slab-use-after-free in __intf_to_usbdev
  include/linux/usb.h:752 [inline]
  BUG: KASAN: slab-use-after-free in uea_upload_pre_firmware+0x8d/0x640
  drivers/usb/atm/ueagle-atm.c:598
  Read of size 8 at addr ffff88802b0710b8 by task kworker/0:2/1664

Fix by calling usb_get_dev() before queuing the firmware request to
pin the usb_device in memory for the lifetime of the async operation,
and usb_put_dev() in the callback once it is finished with the
pointer. On the error path where request_firmware_nowait() itself
fails, drop the reference immediately since the callback will never
fire.

Reported-by: syzbot+3d45d763d18796f97412@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3d45d763d18796f97412
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 drivers/usb/atm/ueagle-atm.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c
index d610cdcef7d0..686cc58fb89f 100644
--- a/drivers/usb/atm/ueagle-atm.c
+++ b/drivers/usb/atm/ueagle-atm.c
@@ -663,6 +663,7 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry,
 	uea_err(usb, "firmware is corrupted\n");
 err:
 	release_firmware(fw_entry);
+	usb_put_dev(usb);
 }
 
 /*
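Review bot: the usb_put_dev(usb) added after release_firmware() only balances the reference taken in uea_load_firmware() if every exit of uea_upload_pre_firmware() reaches the err: label, including the path where request_firmware_nowait() invokes the callback with fw_entry == NULL after a failed lookup and the path after a successful upload; a return anywhere above this label would now leak the reference and keep the usb_device pinned indefinitely. Please state in the changelog that all paths fall through to err:, or move the put to an unconditional final statement of the function. The placement itself is right: it comes after release_firmware() and after the last uea_err(usb, ...) above the label, so nothing dereferences usb once the reference may be dropped.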
@@ -693,12 +694,14 @@ static int uea_load_firmware(struct usb_device *usb, unsigned int ver)
 		break;
 	}
 
+	usb_get_dev(usb);
 	ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
 					GFP_KERNEL, usb,
 					uea_upload_pre_firmware);
-	if (ret)
+	if (ret) {
 		uea_err(usb, "firmware %s is not available\n", fw_name);
-	else
+		usb_put_dev(usb);
+	} else
 		uea_info(usb, "loading firmware %s\n", fw_name);
 
 	return ret;
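Review bot: the conditional now has braces on the if branch but not on the else (`} else` followed by a bare uea_info() line); per Documentation/process/coding-style.rst, when one branch of an if/else needs braces both branches get them, so this should read `} else {` ... `}`. The reference handling is otherwise sound: request_firmware_nowait() does not invoke the callback when it returns an error, so the usb_put_dev() in the failure branch cannot double-put against the callback's own usb_put_dev(). One point the changelog should address: the KASAN report quoted above points at __intf_to_usbdev(), i.e. a usb_interface dereference, and a reference on the usb_device does not keep its usb_interface children allocated across disconnect, so it is worth explaining why pinning the usb_device alone covers that access.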
-- 
2.43.0

