Netdev List
 help / color / mirror / Atom feed
From: Stanislaw Gruszka <stf_xl@wp.pl>
To: Deepanshu Kartikey <kartikey406@gmail.com>
Cc: castet.matthieu@free.fr, 3chas3@gmail.com,
	gregkh@linuxfoundation.org,
	linux-atm-general@lists.sourceforge.net, netdev@vger.kernel.org,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	syzbot+3d45d763d18796f97412@syzkaller.appspotmail.com,
	Mauricio Faria de Oliveira <mfo@igalia.com>
Subject: Re: [PATCH] usb: atm: ueagle: fix use-after-free in uea_upload_pre_firmware()
Date: Thu, 2 Jul 2026 11:37:07 +0200	[thread overview]
Message-ID: <20260702093707.GA6804@wp.pl> (raw)
In-Reply-To: <20260630041716.97102-1-kartikey406@gmail.com>

Hi, thanks for working at this,

On Tue, Jun 30, 2026 at 09:47:16AM +0530, Deepanshu Kartikey wrote:
> uea_load_firmware() calls request_firmware_nowait() passing a raw
> struct usb_device pointer as context, without holding a reference
> to it.
> 
> If the USB device is disconnected before the firmware workqueue
> fires, the usb_device and its usb_interface objects are freed while
> uea_upload_pre_firmware() is still pending on the workqueue. When
> the callback eventually runs, it accesses the freed memory causing
> a slab-use-after-free:
> 
>   BUG: KASAN: slab-use-after-free in __intf_to_usbdev
>   include/linux/usb.h:752 [inline]
>   BUG: KASAN: slab-use-after-free in uea_upload_pre_firmware+0x8d/0x640
>   drivers/usb/atm/ueagle-atm.c:598
>   Read of size 8 at addr ffff88802b0710b8 by task kworker/0:2/1664
> 
> Fix by calling usb_get_dev() before queuing the firmware request to
> pin the usb_device in memory for the lifetime of the async operation,
> and usb_put_dev() in the callback once it is finished with the
> pointer. On the error path where request_firmware_nowait() itself
> fails, drop the reference immediately since the callback will never
> fire.
> Reported-by: syzbot+3d45d763d18796f97412@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3d45d763d18796f97412

I think the problem is not lack of usb device reference.
request_firmware_nowait() does get_device() and after fw work 
finish - put_device().

I suspect the issue is that syskaller corrupt descriptor such
the below condition:

 else if (usb->config->desc.bNumInterfaces == 1) 

is not met for pre-firmware device.

Adding Mauricio, who has setup for reproducing syskaller bugs on ueagle.
Hopefully he can confirm the diagnostic. If it's correct, we could
either save flag to recognize pre-firmware device, or separate driver
probe/disconnect for pre-firmware and post-firmware, to fix the issue.

Regards
Stanislaw

> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
>  drivers/usb/atm/ueagle-atm.c | 7 +++++--
>  1 file changed, 5 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c
> index d610cdcef7d0..686cc58fb89f 100644
> --- a/drivers/usb/atm/ueagle-atm.c
> +++ b/drivers/usb/atm/ueagle-atm.c
> @@ -663,6 +663,7 @@ static void uea_upload_pre_firmware(const struct firmware *fw_entry,
>  	uea_err(usb, "firmware is corrupted\n");
>  err:
>  	release_firmware(fw_entry);
> +	usb_put_dev(usb);
>  }
>  
>  /*
> @@ -693,12 +694,14 @@ static int uea_load_firmware(struct usb_device *usb, unsigned int ver)
>  		break;
>  	}
>  
> +	usb_get_dev(usb);
>  	ret = request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev,
>  					GFP_KERNEL, usb,
>  					uea_upload_pre_firmware);
> -	if (ret)
> +	if (ret) {
>  		uea_err(usb, "firmware %s is not available\n", fw_name);
> -	else
> +		usb_put_dev(usb);
> +	} else
>  		uea_info(usb, "loading firmware %s\n", fw_name);
>  
>  	return ret;
> -- 
> 2.43.0
> 

      reply	other threads:[~2026-07-02  9:37 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-30  4:17 [PATCH] usb: atm: ueagle: fix use-after-free in uea_upload_pre_firmware() Deepanshu Kartikey
2026-07-02  9:37 ` Stanislaw Gruszka [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702093707.GA6804@wp.pl \
    --to=stf_xl@wp.pl \
    --cc=3chas3@gmail.com \
    --cc=castet.matthieu@free.fr \
    --cc=gregkh@linuxfoundation.org \
    --cc=kartikey406@gmail.com \
    --cc=linux-atm-general@lists.sourceforge.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=mfo@igalia.com \
    --cc=netdev@vger.kernel.org \
    --cc=syzbot+3d45d763d18796f97412@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox