syzbot


KASAN: slab-use-after-free Read in uea_upload_pre_firmware

Status: upstream: reported C repro on 2026/06/29 21:09
Subsystems: usb
Labels: prio:high
Reported-by: syzbot+3d45d763d18796f97412@syzkaller.appspotmail.com
First crash: 4d09h, last: 16h03m
Cause bisection: failed (error log, bisect log)
  
✨ AI Jobs (1)
ID | Workflow | Result | Correct | Bug | Created | Started | Finished | Revision | Error
9d38f252-24e9-4e37-b716-7ef69df4e036 | assessment-security | DenialOfService: ✅ Exploitable: ✅ FilesystemTrigger: ❌ NetworkTrigger: ❌ PeripheralTrigger: ✅ RemoteTrigger: ❌ Unprivileged: ❌ UserNamespace: ❌ VMGuestTrigger: ❌ VMHostTrigger: ✅ | | KASAN: slab-use-after-free Read in uea_upload_pre_firmware | 2026/06/29 00:02 | 2026/06/29 00:02 | 2026/06/29 00:40 | fb92f11c4789d9647a75c09c983dbee5c8488ccf |

Discussions (2)
Title | Replies (including bot) | Last reply
[PATCH] usb: atm: ueagle: fix use-after-free in uea_upload_pre_firmware() | 1 (1) | 2026/06/30 04:17
[syzbot] [usb?] KASAN: slab-use-after-free Read in uea_upload_pre_firmware | 0 (2) | 2026/06/30 00:31

Last patch testing requests (1)
Created | Duration | User | Patch | Repo | Result
2026/06/30 00:31 | 2h00m | kartikey406@gmail.com | patch | linux-next | error

Sample crash report:
==================================================================
BUG: KASAN: slab-use-after-free in __intf_to_usbdev include/linux/usb.h:752 [inline]
BUG: KASAN: slab-use-after-free in uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598
Read of size 8 at addr ffff88802b0710b8 by task kworker/0:2/1664

CPU: 0 UID: 0 PID: 1664 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)} 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: events request_firmware_work_func

Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description+0x55/0x1e0 mm/kasan/report.c:378
 print_report+0x58/0x70 mm/kasan/report.c:482
 kasan_report+0x117/0x150 mm/kasan/report.c:595
 __intf_to_usbdev include/linux/usb.h:752 [inline]
 uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598
 request_firmware_work_func+0xf7/0x2d0 drivers/base/firmware_loader/main.c:1164
 process_one_work+0x93a/0x12b0 kernel/workqueue.c:3326
 process_scheduled_works kernel/workqueue.c:3409 [inline]
 worker_thread+0xb05/0x10d0 kernel/workqueue.c:3490
 kthread+0x388/0x470 kernel/kthread.c:436
 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
 </TASK>

Allocated by task 5937:
 kasan_save_stack mm/kasan/common.c:57 [inline]
 kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
 poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
 __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
 kasan_kmalloc include/linux/kasan.h:263 [inline]
 __kmalloc_cache_noprof+0x3d2/0x6b0 mm/slub.c:5515
 _kmalloc_noprof include/linux/slab.h:969 [inline]
 _kzalloc_noprof include/linux/slab.h:1290 [inline]
 usb_set_configuration+0x3cc/0x2180 drivers/usb/core/message.c:2096
 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
 usb_probe_device+0x1c3/0x3b0 drivers/usb/core/driver.c:291
 call_driver_probe drivers/base/dd.c:-1 [inline]
 really_probe+0x254/0xae0 drivers/base/dd.c:706
 __driver_probe_device+0x1e8/0x360 drivers/base/dd.c:868
 driver_probe_device+0x4f/0x240 drivers/base/dd.c:898
 __device_attach_driver+0x270/0x410 drivers/base/dd.c:1026
 bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
 __device_attach+0x2c7/0x450 drivers/base/dd.c:1098
 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1153
 bus_probe_device+0x12d/0x220 drivers/base/bus.c:620
 device_add+0x7d7/0xb80 drivers/base/core.c:3772
 usb_new_device+0x98d/0x1610 drivers/usb/core/hub.c:2695
 hub_port_connect drivers/usb/core/hub.c:5567 [inline]
 hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
 port_event drivers/usb/core/hub.c:5871 [inline]
 hub_event+0x28cf/0x4cf0 drivers/usb/core/hub.c:5953

Crashes (5):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2026/06/29 02:49 | linux-next | 3d5670d672ae | fb92f11c | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci-upstream-rust-kasan-gce | KASAN: slab-use-after-free Read in uea_upload_pre_firmware
2026/06/29 01:58 | linux-next | 3d5670d672ae | fb92f11c | .config | console log | report | syz / log | C | | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in uea_upload_pre_firmware
2026/06/30 22:49 | linux-next | 7de6ae9e1220 | 00e8b0fd | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-rust-kasan-gce | KASAN: slab-use-after-free Read in uea_upload_pre_firmware
2026/06/28 21:02 | linux-next | 3d5670d672ae | fb92f11c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-linux-next-kasan-gce-root | KASAN: slab-use-after-free Read in uea_upload_pre_firmware
2026/06/27 05:51 | linux-next | 3d5670d672ae | fb92f11c | .config | console log | report | | | info | [disk image] [vmlinux] [kernel image] | ci-upstream-rust-kasan-gce | KASAN: slab-use-after-free Read in uea_upload_pre_firmware
* Struck through repros no longer work on HEAD.