Extracting prog: 5m31.707239757s
Minimizing prog: 6m10.745520027s
Simplifying prog options: 0s
Extracting C: 1m48.167105505s
Simplifying C: 13m49.319237822s
extracting reproducer from 1 programs
testing a last program of every proc
single: executing 1 programs separately with timeout 30s
testing program (duration=30s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0)
program did not crash
single: failed to extract reproducer
single: executing 1 programs separately with timeout 6m0s
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0)
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
single: successfully extracted reproducer
found reproducer with 1 syscalls
minimizing guilty program
testing program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x0, 0x0, 0x0)
program did not crash
extracting C reproducer
testing compiled C program (duration=6m0s, {Threaded:true Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
simplifying C reproducer
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:4 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox:none SandboxArg:0 Leak:false NetInjection:true NetDevices:true NetReset:true Cgroups:true BinfmtMisc:true CloseFDs:true KCSAN:false DevlinkPCI:false NicVF:false USB:true VhciInjection:true Wifi:true IEEE802154:true Sysctl:true Swap:true UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:false Sysctl:true Swap:false UseTmpDir:true HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: general protection fault in uea_upload_pre_firmware
a never seen crash title: general protection fault in uea_upload_pre_firmware, ignore
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:true Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:true Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
testing compiled C program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0)
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0)
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
validation run: crashed=true
testing program (duration=6m0s, {Threaded:false Repeat:true RepeatTimes:0 Procs:1 Slowdown:1 Sandbox: SandboxArg:0 Leak:false NetInjection:false NetDevices:false NetReset:false Cgroups:false BinfmtMisc:false CloseFDs:false KCSAN:false DevlinkPCI:false NicVF:false USB:false VhciInjection:false Wifi:false IEEE802154:true Sysctl:false Swap:false UseTmpDir:false HandleSegv:false Trace:false CallComments:true LegacyOptions:{Collide:false Fault:false FaultCall:0 FaultNth:0}}): syz_usb_connect
detailed listing:
executing program 0:
syz_usb_connect(0x5, 0x40, &(0x7f0000000940)={{0x12, 0x1, 0x200, 0x63, 0xf8, 0xab, 0x20, 0xbaf, 0xfa, 0x1e65, 0x1, 0x2, 0x3, 0x1, [{{0x9, 0x2, 0x2e, 0x2, 0x4, 0x2, 0xd0, 0xc1, "", [{{0x9, 0x4, 0xa0, 0x0, 0x0, 0xad, 0x9d, 0xe7, 0x0, [@hid_hid={0x9, 0x21, 0x5, 0x0, 0x1, {0x22, 0x8eb}}, @uac_control={{0xa, 0x24, 0x1, 0xe, 0xa}}]}}, {{0x9, 0x4, 0xe8, 0x9, 0x0, 0x9, 0x97, 0xe, 0xa}}]}}]}}, 0x0)
program crashed: KASAN: slab-use-after-free Read in uea_upload_pre_firmware
validation run: crashed=true
reproducing took 34m28.863455304s
repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in __intf_to_usbdev include/linux/usb.h:752 [inline]
BUG: KASAN: slab-use-after-free in uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598
Read of size 8 at addr ffff88802b0710b8 by task kworker/0:2/1664
CPU: 0 UID: 0 PID: 1664 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: events request_firmware_work_func
Call Trace:
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
__intf_to_usbdev include/linux/usb.h:752 [inline]
uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598
request_firmware_work_func+0xf7/0x2d0 drivers/base/firmware_loader/main.c:1164
process_one_work+0x93a/0x12b0 kernel/workqueue.c:3326
process_scheduled_works kernel/workqueue.c:3409 [inline]
worker_thread+0xb05/0x10d0 kernel/workqueue.c:3490
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Allocated by task 5937:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3d2/0x6b0 mm/slub.c:5515
_kmalloc_noprof include/linux/slab.h:969 [inline]
_kzalloc_noprof include/linux/slab.h:1290 [inline]
usb_set_configuration+0x3cc/0x2180 drivers/usb/core/message.c:2096
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c3/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x254/0xae0 drivers/base/dd.c:706
__driver_probe_device+0x1e8/0x360 drivers/base/dd.c:868
driver_probe_device+0x4f/0x240 drivers/base/dd.c:898
__device_attach_driver+0x270/0x410 drivers/base/dd.c:1026
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c7/0x450 drivers/base/dd.c:1098
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1153
bus_probe_device+0x12d/0x220 drivers/base/bus.c:620
device_add+0x7d7/0xb80 drivers/base/core.c:3772
usb_new_device+0x98d/0x1610 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x28cf/0x4cf0 drivers/usb/core/hub.c:5953
final repro crashed as (corrupted=false):
==================================================================
BUG: KASAN: slab-use-after-free in __intf_to_usbdev include/linux/usb.h:752 [inline]
BUG: KASAN: slab-use-after-free in uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598
Read of size 8 at addr ffff88802b0710b8 by task kworker/0:2/1664
CPU: 0 UID: 0 PID: 1664 Comm: kworker/0:2 Not tainted syzkaller #0 PREEMPT_{RT,(full)}
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 05/09/2026
Workqueue: events request_firmware_work_func
Call Trace:
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description+0x55/0x1e0 mm/kasan/report.c:378
print_report+0x58/0x70 mm/kasan/report.c:482
kasan_report+0x117/0x150 mm/kasan/report.c:595
__intf_to_usbdev include/linux/usb.h:752 [inline]
uea_upload_pre_firmware+0x8d/0x640 drivers/usb/atm/ueagle-atm.c:598
request_firmware_work_func+0xf7/0x2d0 drivers/base/firmware_loader/main.c:1164
process_one_work+0x93a/0x12b0 kernel/workqueue.c:3326
process_scheduled_works kernel/workqueue.c:3409 [inline]
worker_thread+0xb05/0x10d0 kernel/workqueue.c:3490
kthread+0x388/0x470 kernel/kthread.c:436
ret_from_fork+0x514/0xb70 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
Allocated by task 5937:
kasan_save_stack mm/kasan/common.c:57 [inline]
kasan_save_track+0x3e/0x80 mm/kasan/common.c:78
poison_kmalloc_redzone mm/kasan/common.c:398 [inline]
__kasan_kmalloc+0x93/0xb0 mm/kasan/common.c:415
kasan_kmalloc include/linux/kasan.h:263 [inline]
__kmalloc_cache_noprof+0x3d2/0x6b0 mm/slub.c:5515
_kmalloc_noprof include/linux/slab.h:969 [inline]
_kzalloc_noprof include/linux/slab.h:1290 [inline]
usb_set_configuration+0x3cc/0x2180 drivers/usb/core/message.c:2096
usb_generic_driver_probe+0x8d/0x150 drivers/usb/core/generic.c:250
usb_probe_device+0x1c3/0x3b0 drivers/usb/core/driver.c:291
call_driver_probe drivers/base/dd.c:-1 [inline]
really_probe+0x254/0xae0 drivers/base/dd.c:706
__driver_probe_device+0x1e8/0x360 drivers/base/dd.c:868
driver_probe_device+0x4f/0x240 drivers/base/dd.c:898
__device_attach_driver+0x270/0x410 drivers/base/dd.c:1026
bus_for_each_drv+0x25b/0x2f0 drivers/base/bus.c:500
__device_attach+0x2c7/0x450 drivers/base/dd.c:1098
device_initial_probe+0xa1/0xd0 drivers/base/dd.c:1153
bus_probe_device+0x12d/0x220 drivers/base/bus.c:620
device_add+0x7d7/0xb80 drivers/base/core.c:3772
usb_new_device+0x98d/0x1610 drivers/usb/core/hub.c:2695
hub_port_connect drivers/usb/core/hub.c:5567 [inline]
hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
port_event drivers/usb/core/hub.c:5871 [inline]
hub_event+0x28cf/0x4cf0 drivers/usb/core/hub.c:5953