Extracting prog: 5m31.707239757s Minimizing prog: 6m10.745520027s Simplifying prog options: 0s Extracting C: 1m48.167105505s Simplifying C: 13m49.319237822s extracting reproducer from 1 programs testing a last program of every proc single: executing 1 programs separately with timeout 30s testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0) program did not crash single: failed to extract reproducer single: executing 1 programs separately with timeout 6m0s testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0) program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware single: successfully extracted reproducer found reproducer with 1 syscalls minimizing guilty program testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x5, 0x0, 0x0, 0x0) program did not crash extracting C reproducer testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware simplifying C reproducer testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: general protection fault in uea_upload_pre_firmware a never seen crash title: general protection fault in uea_upload_pre_firmware, ignore testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0) program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware validation run: crashed=true testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0) program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware validation run: crashed=true testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect detailed listing: executing program 0: syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0) program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware validation run: crashed=true reproducing took 34m28.863455304s repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in __intf_to_usbdev include/linux/usb.h:752 [inline] BUG: KASAN: slab-use-after-free in uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598 Read of size 8 at addr ffff88802b0710b8 by task kworker/0:2/1664 CPU: 0 UID: 0 PID: 1664 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Workqueue: events request_firmware_work_func Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 __intf_to_usbdev include/linux/usb.h:752 [inline] uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598 request_firmware_work_func+0xf7/0x2d0 drivers/base/firmware_loader/main.c:1164 process_one_work+0x93a/0x12b0 kernel/workqueue.c:3326 process_scheduled_works kernel/workqueue.c:3409 [inline] worker_thread+0xb05/0x10d0 kernel/workqueue.c:3490 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 5937: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x3d2/0x6b0 mm/slub.c:5515 _kmalloc_noprof include/linux/slab.h:969 [inline] _kzalloc_noprof include/linux/slab.h:1290 [inline] usb_set_configuration+0x3cc/0x2180 drivers/usb/core/message.c:2096 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250 usb_probe_device+0x1c3/0x3b0 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x254/0xae0 drivers/base/dd.c:706 __driver_probe_device+0x1e8/0x360 drivers/base/dd.c:868 driver_probe_device+0x4f/0x240 drivers/base/dd.c:898 __device_attach_driver+0x270/0x410 drivers/base/dd.c:1026 bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500 __device_attach+0x2c7/0x450 drivers/base/dd.c:1098 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1153 bus_probe_device+0x12d/0x220 drivers/base/bus.c:620 device_add+0x7d7/0xb80 drivers/base/core.c:3772 usb_new_device+0x98d/0x1610 drivers/usb/core/hub.c:2695 hub_port_connect drivers/usb/core/hub.c:5567 [inline] hub_port_connect_change drivers/usb/core/hub.c:5707 [inline] port_event drivers/usb/core/hub.c:5871 [inline] hub_event+0x28cf/0x4cf0 drivers/usb/core/hub.c:5953 final repro crashed as (corrupted=false): ================================================================== BUG: KASAN: slab-use-after-free in __intf_to_usbdev include/linux/usb.h:752 [inline] BUG: KASAN: slab-use-after-free in uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598 Read of size 8 at addr ffff88802b0710b8 by task kworker/0:2/1664 CPU: 0 UID: 0 PID: 1664 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)} Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026 Workqueue: events request_firmware_work_func Call Trace: dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description+0x55/0x1e0 mm/kasan/report.c:378 print_report+0x58/0x70 mm/kasan/report.c:482 kasan_report+0x117/0x150 mm/kasan/report.c:595 __intf_to_usbdev include/linux/usb.h:752 [inline] uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598 request_firmware_work_func+0xf7/0x2d0 drivers/base/firmware_loader/main.c:1164 process_one_work+0x93a/0x12b0 kernel/workqueue.c:3326 process_scheduled_works kernel/workqueue.c:3409 [inline] worker_thread+0xb05/0x10d0 kernel/workqueue.c:3490 kthread+0x388/0x470 kernel/kthread.c:436 ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245 Allocated by task 5937: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 poison_kmalloc_redzone mm/kasan/common.c:398 [inline] __kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415 kasan_kmalloc include/linux/kasan.h:263 [inline] __kmalloc_cache_noprof+0x3d2/0x6b0 mm/slub.c:5515 _kmalloc_noprof include/linux/slab.h:969 [inline] _kzalloc_noprof include/linux/slab.h:1290 [inline] usb_set_configuration+0x3cc/0x2180 drivers/usb/core/message.c:2096 usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250 usb_probe_device+0x1c3/0x3b0 drivers/usb/core/driver.c:291 call_driver_probe drivers/base/dd.c:-1 [inline] really_probe+0x254/0xae0 drivers/base/dd.c:706 __driver_probe_device+0x1e8/0x360 drivers/base/dd.c:868 driver_probe_device+0x4f/0x240 drivers/base/dd.c:898 __device_attach_driver+0x270/0x410 drivers/base/dd.c:1026 bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500 __device_attach+0x2c7/0x450 drivers/base/dd.c:1098 device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1153 bus_probe_device+0x12d/0x220 drivers/base/bus.c:620 device_add+0x7d7/0xb80 drivers/base/core.c:3772 usb_new_device+0x98d/0x1610 drivers/usb/core/hub.c:2695 hub_port_connect drivers/usb/core/hub.c:5567 [inline] hub_port_connect_change drivers/usb/core/hub.c:5707 [inline] port_event drivers/usb/core/hub.c:5871 [inline] hub_event+0x28cf/0x4cf0 drivers/usb/core/hub.c:5953