From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Deepanshu Kartikey <kartikey406@gmail.com>
Cc: castet.matthieu@free.fr, 3chas3@gmail.com,
gregkh@linuxfoundation.org,
linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
syzbot+3d45d763d18796f97412@syzkaller.appspotmail.com,
Mauricio Faria de Oliveira <mfo@igalia.com>
Subject: Re: [PATCH] usb: atm: ueagle: fix use-after-free in uea_upload_pre_firmware()
Date: Thu, 2 Jul 2026 11:37:07 +0200
Message-ID: <20260702093707.GA6804@wp.pl>
In-Reply-To: <20260630041716.97102-1-kartikey406@gmail.com>
Hi, thanks for working at this,
On Tue, Jun 30, 2026 at 09:47:16AM +0530, Deepanshu Kartikey wrote:
> uea_load_firmware() calls request_firmware_nowait() passing a raw
> struct usb_device pointer as context, without holding a reference
> to it.
>
> If the USB device is disconnected before the firmware workqueue
> fires, the usb_device and its usb_interface objects are freed while
> uea_upload_pre_firmware() is still pending on the workqueue. When
> the callback eventually runs, it accesses the freed memory causing
> a slab-use-after-free:
>
> BUG: KASAN: slab-use-after-free in __intf_to_usbdev
> include/linux/usb.h:752 [inline]
> BUG: KASAN: slab-use-after-free in uea_upload_pre_firmware+0x8d/0x640
> drivers/usb/atm/ueagle-atm.c:598
> Read of size 8 at addr ffff88802b0710b8 by task kworker/0:2/1664
>
> Fix by calling usb_get_dev() before queuing the firmware request to
> pin the usb_device in memory for the lifetime of the async operation,
> and usb_put_dev() in the callback once it is finished with the
> pointer. On the error path where request_firmware_nowait() itself
> fails, drop the reference immediately since the callback will never
> fire.
> Reported-by: syzbot+3d45d763d18796f97412@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3d45d763d18796f97412
I think the problem is not a lack of a usb device reference.
request_firmware_nowait() does get_device() and, after the fw work
finishes, put_device().
I suspect the issue is that syzkaller corrupts the descriptor such
that the below condition:
else if (usb->config->desc.bNumInterfaces == 1)
is not met for the pre-firmware device.
Adding Mauricio, who has a setup for reproducing syzkaller bugs on ueagle.
Hopefully he can confirm the diagnosis. If it's correct, we could
either save a flag to recognize the pre-firmware device, or separate driver
probe/disconnect for pre-firmware and post-firmware, to fix the issue.
Regards
Stanislaw
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
> drivers/usb/atm/ueagle-atm.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c
> index d610cdcef7d0..686cc58fb89f 100644
> --- a/drivers/usb/atm/ueagle-atm.c
> +++ b/drivers/usb/atm/ueagle-atm.c
> @@ -663,6 +663,7 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry,
> uea_err(usb, "firmware is corrupted\n");
> err:
> release_firmware(fw_entry);
> + usb_put_dev(usb);
> }
>
> /*
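Review bot: the usb_put_dev() added under the err: label only drops the new reference on paths that reach that label; any earlier return in uea_upload_pre_firmware() above this point (not visible in the hunk) would leak it, so confirm every exit of the callback falls through to err:. Separately, as the reply above points out, request_firmware_nowait() already takes get_device() on the &usb->dev it is handed and releases it when the work finishes, so this extra reference does not extend the usb_device lifetime, and it pins only the usb_device, not the usb_interface that __intf_to_usbdev in the quoted KASAN trace dereferences.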
> @@ -693,12 +694,14 @@ static int uea_load_firmware(struct usb_device *usb, unsigned int ver)
> break;
> }
>
> + usb_get_dev(usb);
> ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
> GFP_KERNEL, usb,
> uea_upload_pre_firmware);
> - if (ret)
> + if (ret) {
> uea_err(usb, "firmware %s is not available\n", fw_name);
> - else
> + usb_put_dev(usb);
> + } else
> uea_info(usb, "loading firmware %s\n", fw_name);
>
> return ret;
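Review bot: kernel coding style asks for braces on both arms once one arm needs them, so the `} else` branch should be braced as well: `} else {` / `uea_info(usb, "loading firmware %s\n", fw_name);` / `}`. The ordering is otherwise correct: usb_get_dev() is taken before request_firmware_nowait() can schedule the callback, and the failure branch drops it because the callback will never run; whether the reference is needed at all depends on the diagnosis discussed in the reply.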
> --
> 2.43.0
>