From: Mauricio Faria de Oliveira
Date: Fri, 15 May 2026 20:52:16 -0300
Subject: [PATCH] usb: atm: ueagle-atm: use synchronous request_firmware()
X-Mailing-List: linux-kernel@vger.kernel.org
Message-Id: <20260515-ueagle-atm_req-fw-sync-v1-1-406ca3939e2a@igalia.com>
X-Change-ID: 20260515-ueagle-atm_req-fw-sync-204761fa0809
To: Matthieu CASTET, Stanislaw Gruszka, Greg Kroah-Hartman
Cc: kernel-dev@igalia.com, linux-atm-general@lists.sourceforge.net,
 linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
 syzbot+ce1e5a1b4e086b43e56d@syzkaller.appspotmail.com,
 syzbot+306212936b13e520679d@syzkaller.appspotmail.com,
 Mauricio Faria de Oliveira

ueagle-atm uses the asynchronous request_firmware_nowait() in .probe(),
but does not wait for its completion, not even in .disconnect(); so, if
the device is unplugged meanwhile, its teardown runs concurrently with
that.

Even though this inconsistency is worth addressing on its own, it has
also triggered several bug reports in syzbot over the years (some
auto-closed) where the firmware sysfs fallback mechanism
(CONFIG_FW_LOADER_USER_HELPER) creates a firmware subdirectory in the
device directory during its removal, which might hit unexpected
conditions in kernfs, apparently, depending at which point the add and
remove operations raced. (See links.)

The pattern is:

    usb ?-?: Direct firmware load for ueagle-atm/eagle?.fw failed with error -2
    usb ?-?: Falling back to sysfs fallback for: ueagle-atm/eagle?.fw

    Call trace:
    ...
    kernfs_create_dir_ns
    sysfs_create_dir_ns
    create_dir
    kobject_add_internal
    kobject_add_varg
    kobject_add
    class_dir_create_and_add
    get_device_parent
    device_add
    fw_load_sysfs_fallback
    fw_load_from_user_helper
    firmware_fallback_sysfs
    _request_firmware
    request_firmware_work_func
    ...

While the kernfs side is being looked at, the ueagle-atm side can be
fixed by converting .probe() to the synchronous request_firmware(),
which blocks the device directory removal until it is finished,
preventing such errors.

This has been tested with a synthetic reproducer to check the error path
and with a USB gadget (virtual device) to check the firmware upload path.
(The latter was written by AI/Claude; no other code/text in this commit.)

Links (year first reported):
2025 https://syzbot.org/bug?extid=ce1e5a1b4e086b43e56d
2025 https://syzbot.org/bug?extid=9af8471255ac36e34fd4
2024 https://syzbot.org/bug?extid=306212936b13e520679d
2022 https://syzbot.org/bug?extid=782984d6f1701b526edb
2021 https://syzbot.org/bug?id=f3f221579f4ef7e9691281f3c6f56c05f83e8490
2021 https://syzbot.org/bug?id=84d86f0d71394829df6fc53daf6642c045983881
2021 https://syzbot.org/bug?id=3302dc1c0e2b9c94f2e8edb404eabc9267bc6f90

Reported-by: syzbot+ce1e5a1b4e086b43e56d@syzkaller.appspotmail.com
Closes: https://syzbot.org/bug?extid=ce1e5a1b4e086b43e56d
Reported-by: syzbot+306212936b13e520679d@syzkaller.appspotmail.com
Closes: https://syzbot.org/bug?extid=306212936b13e520679d
Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
Assisted-by: Claude:claude-sonnet-4.6 # test USB gadget
Signed-off-by: Mauricio Faria de Oliveira
---
Testing:
=======

Firmware upload path:
--------------------

This has been tested with a USB gadget (virtual device) written by Claude [1].
It ACKs the firmware upload commands, so the driver considers that successful:

    [ 296.997194] usb 1-1: [ueagle-atm] firmware uploaded

Log (blocks separated for clarity):

    # echo 'file drivers/base/firmware_loader/* +p' >/sys/kernel/debug/dynamic_debug/control
    # insmod ueagle_gadget.ko
    [ 294.840943] ueagle_gadget gadget.0: [ueagle-gadget] bound: VID=0x1039 PID=0x2101 bcdDev=0x2581
    [ 294.841341] [ueagle-gadget] registered (VID=0x1039 PID=0x2101)

    [ 295.066627] usb 1-1: new full-speed USB device number 4 using dummy_hcd
    [ 295.222302] usb 1-1: New USB device found, idVendor=1039, idProduct=2101, bcdDevice=25.81
    [ 295.222315] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
    [ 295.227343] ueagle_gadget gadget.0: [ueagle-gadget] SET_CONFIGURATION 1
    [ 295.228029] usb 1-1: [ueagle-atm] ADSL device founded vid (0X1039) pid (0X2101) Rev (0X2581): Eagle I

    [ 295.343162] usb 1-1: reset full-speed USB device number 4 using dummy_hcd
    [ 295.482615] ueagle_gadget gadget.0: [ueagle-gadget] SET_CONFIGURATION 1

    [ 295.482682] usb 1-1: [ueagle-atm] pre-firmware device, uploading firmware
    [ 295.482723] firmware_class: __allocate_fw_priv: fw-ueagle-atm/eagleI.fw fw_priv=00000000470f8800
    [ 295.482839] usb 1-1: loading /lib/firmware/updates/7.1.0-rc2-next-20260508-dirty/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 295.482900] usb 1-1: loading /lib/firmware/updates/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 295.482960] usb 1-1: loading /lib/firmware/7.1.0-rc2-next-20260508-dirty/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 295.483037] usb 1-1: Loading firmware from /lib/firmware/ueagle-atm/eagleI.fw
    [ 295.483040] usb 1-1: direct-loading ueagle-atm/eagleI.fw
    [ 295.483065] firmware_class: fw_set_page_data: fw-ueagle-atm/eagleI.fw fw_priv=00000000470f8800 data=00000000c4ccb93b size=10981

    [ 295.483186] usb 1-1: Loaded FW: ueagle-atm/eagleI.fw, sha256: 8c5047be3b02ed4a8b98c22ed03c010afae1782f6056d8bf2f32bbdde834a74a
    [ 295.483191] usb 1-1: [ueagle-atm] loading firmware ueagle-atm/eagleI.fw
    [ 295.487856] ueagle_gadget gadget.0: [ueagle-gadget] LOAD_INTERNAL addr=0x7f92 (F8051_USBCS reset), len=1
    [ 296.997153] ueagle_gadget gadget.0: [ueagle-gadget] LOAD_INTERNAL addr=0x7f92 (F8051_USBCS reset), len=1
    [ 296.997194] usb 1-1: [ueagle-atm] firmware uploaded
    [ 296.997199] firmware_class: __free_fw_priv: fw-ueagle-atm/eagleI.fw fw_priv=00000000470f8800 data=00000000c4ccb93b size=10981

    # rmmod ueagle_gadget
    [ 362.899931] ueagle_gadget gadget.0: [ueagle-gadget] disconnected
    [ 362.899947] ueagle_gadget gadget.0: [ueagle-gadget] unbound
    [ 362.978201] [ueagle-gadget] unregistered
    [ 363.080344] usb 1-1: USB disconnect, device number 4
    [ 363.085192] firmware_class: fw_name_devm_release: fw_name-ueagle-atm/eagleI.fw devm-0000000037b7f4fe released

Error path:
----------

This has been tested with a synthetic reproducer [2]:

    # echo 'file drivers/base/firmware_loader/* +p' >/sys/kernel/debug/dynamic_debug/control
    # echo 'file drivers/usb/atm/ueagle-atm.c +p' >/sys/kernel/debug/dynamic_debug/control
    # echo 2 >/sys/module/ueagle_atm/parameters/debug

    # mv /lib/firmware/ueagle-atm/eagleI.fw \
         /lib/firmware/ueagle-atm/eagleI.fw.NOT-FOUND

    # cat ueagle-atm.syzlang
    syz_usb_connect(0x3, 0x2d, &(0x7f00000002c0)=ANY=[@ANYBLOB="12011003faff82083910012181250102030109021b00028c4400600904"], &(0x7f0000000240)={0x0, 0x0, 0x0, 0x0})

    # ./syz-execprog -procs=1 -enable='' ueagle-atm.syzlang

Modified:

    .probe() fails with -ETIMEDOUT from the firmware load timeout of 60 seconds per
    struct firmware_fallback_config fw_fallback_config = { .loading_timeout = 60, }

    [ 176.023944] usb 1-1: new high-speed USB device number 2 using dummy_hcd
    ...
    [ 176.158744] usb 1-1: New USB device found, idVendor=1039, idProduct=2101, bcdDevice=25.81
    ...
    [ 176.363215] usb 1-1: [ueagle-atm vdbg] entering uea_probe
    [ 176.363221] usb 1-1: [ueagle-atm] ADSL device founded vid (0X1039) pid (0X2101) Rev (0X2581): Eagle I
    [ 177.113140] usb 1-1: [ueagle-atm vdbg] entering uea_load_firmware
    [ 177.113156] usb 1-1: [ueagle-atm] pre-firmware device, uploading firmware

    [ 177.113194] firmware_class: __allocate_fw_priv: fw-ueagle-atm/eagleI.fw fw_priv=000000005bf63c12
    [ 177.113404] usb 1-1: loading /lib/firmware/updates/7.1.0-rc2-next-20260508-dirty/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 177.113617] usb 1-1: loading /lib/firmware/updates/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 177.113775] usb 1-1: loading /lib/firmware/7.1.0-rc2-next-20260508-dirty/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 177.113905] usb 1-1: loading /lib/firmware/ueagle-atm/eagleI.fw failed for no such file or directory.

    [ 177.113926] usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
    [ 177.113934] usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw

    [ 177.114706] test kernfs_activate(): sleep 3s
    [ 180.125483] test kernfs_activate(): slept 3s
    [ 180.126005] firmware ueagle-atm!eagleI.fw: firmware: requesting ueagle-atm/eagleI.fw
    [ 242.849608] test __kernfs_remove(): done

    [ 242.849648] firmware_class: __free_fw_priv: fw-ueagle-atm/eagleI.fw fw_priv=000000005bf63c12 data=0000000000000000 size=0
    [ 242.849670] usb 1-1: [UEAGLE-ATM] firmware ueagle-atm/eagleI.fw is not available
    [ 242.849674] usb 1-1: [ueagle-atm vdbg] leaving uea_load_firmware
    [ 242.849681] ueagle-atm 1-1:140.0: probe with driver ueagle-atm failed with error -110
    [ 242.854626] usb 1-1: USB disconnect, device number 2

Original:

    [ 184.103791] usb 1-1: new high-speed USB device number 2 using dummy_hcd
    ...
    [ 184.390454] usb 1-1: New USB device found, idVendor=1039, idProduct=2101, bcdDevice=25.81
    ...
    [ 184.770574] usb 1-1: [ueagle-atm vdbg] entering uea_probe
    [ 184.770582] usb 1-1: [ueagle-atm] ADSL device founded vid (0X1039) pid (0X2101) Rev (0X2581): Eagle I
    [ 185.526950] usb 1-1: [ueagle-atm vdbg] entering uea_load_firmware
    [ 185.526967] usb 1-1: [ueagle-atm] pre-firmware device, uploading firmware

    [ 185.527004] usb 1-1: [ueagle-atm] loading firmware ueagle-atm/eagleI.fw
    [ 185.530762] usb 1-1: [ueagle-atm vdbg] leaving uea_load_firmware

    [ 185.535543] firmware_class: __allocate_fw_priv: fw-ueagle-atm/eagleI.fw fw_priv=00000000e8499bd6
    [ 185.535677] usb 1-1: loading /lib/firmware/updates/7.1.0-rc2-next-20260508-dirty/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 185.535743] usb 1-1: loading /lib/firmware/updates/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 185.535820] usb 1-1: loading /lib/firmware/7.1.0-rc2-next-20260508-dirty/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 185.535886] usb 1-1: loading /lib/firmware/ueagle-atm/eagleI.fw failed for no such file or directory.
    [ 185.535898] usb 1-1: Direct firmware load for ueagle-atm/eagleI.fw failed with error -2
    [ 185.535906] usb 1-1: Falling back to sysfs fallback for: ueagle-atm/eagleI.fw
    [ 185.535994] test kernfs_activate(): sleep 3s
    [ 185.542397] usb 1-1: USB disconnect, device number 2
    [ 185.560753] usb 1-1: [ueagle-atm vdbg] entering uea_disconnect
    [ 185.560766] usb 1-1: [ueagle-atm vdbg] leaving uea_disconnect
    [ 185.584851] test __kernfs_remove(): done
    [ 188.566069] test kernfs_activate(): slept 3s
    [ 188.566086] ==================================================================
    [ 188.566092] BUG: KASAN: slab-use-after-free in kernfs_root+0x68/0x80
    [ 188.566110] Read of size 8 at addr ffff88800b387a30 by task kworker/0:1/11
    [ 188.566119]
    [ 188.566127] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 7.1.0-rc2-next-20260508-dirty #92 PREEMPT_{RT,(lazy)}
    [ 188.566139] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
    [ 188.566146] Workqueue: events request_firmware_work_func
    [ 188.566162] Call Trace:
    [ 188.566171]
    [ 188.566177]  dump_stack_lvl+0x64/0x80
    [ 188.566192]  print_report+0xce/0x620
    [ 188.566213]  kasan_report+0xce/0x100
    [ 188.566229]  kernfs_root+0x68/0x80
    [ 188.566236]  kernfs_next_descendant_post+0x1b/0x270
    [ 188.566245]  kernfs_activate+0x79/0x110
    [ 188.566253]  kernfs_add_one+0x267/0x3d0
    [ 188.566262]  kernfs_create_dir_ns+0xcc/0x140
    [ 188.566507]  sysfs_create_dir_ns+0x130/0x280
    [ 188.566556]  kobject_add_internal+0x21b/0x9c0
    [ 188.566564]  kobject_add+0x13a/0x200
    [ 188.566601]  device_add+0x21e/0x1540
    [ 188.566632]  firmware_fallback_sysfs+0x232/0x980
    [ 188.566642]  _request_firmware+0xa53/0x1100
    [ 188.566691]  request_firmware_work_func+0xeb/0x360
    [ 188.566709]  process_one_work+0x610/0x1150
    [ 188.566741]  worker_thread+0x50d/0xd60
    [ 188.566771]  kthread+0x318/0x400
    [ 188.566790]  ret_from_fork+0x447/0x6a0
    [ 188.566853]  ret_from_fork_asm+0x1a/0x30
    [ 188.566866]
    [ 188.566869]
    [ 188.566871] Allocated by task 11:
    [ 188.566876]  kasan_save_stack+0x33/0x60
    [ 188.566884]  kasan_save_track+0x14/0x30
    [ 188.566891]  __kasan_slab_alloc+0x6e/0x70
    [ 188.566898]  kmem_cache_alloc_noprof+0x1a5/0x4d0
    [ 188.566907]  __kernfs_new_node+0xce/0x950
    [ 188.566913]  kernfs_new_node+0xeb/0x170
    [ 188.566920]  kernfs_create_dir_ns+0x2b/0x140
    [ 188.566927]  sysfs_create_dir_ns+0x130/0x280
    [ 188.566935]  kobject_add_internal+0x21b/0x9c0
    [ 188.566941]  kobject_add+0x13a/0x200
    [ 188.566947]  device_add+0x21e/0x1540
    [ 188.566956]  firmware_fallback_sysfs+0x232/0x980
    [ 188.566963]  _request_firmware+0xa53/0x1100
    [ 188.566969]  request_firmware_work_func+0xeb/0x360
    [ 188.566976]  process_one_work+0x610/0x1150
    [ 188.566985]  worker_thread+0x50d/0xd60
    [ 188.566993]  kthread+0x318/0x400
    [ 188.567001]  ret_from_fork+0x447/0x6a0
    [ 188.567007]  ret_from_fork_asm+0x1a/0x30
    [ 188.567015]
    [ 188.567016] Freed by task 20:
    [ 188.567021]  kasan_save_stack+0x33/0x60
    [ 188.567027]  kasan_save_track+0x14/0x30
    [ 188.567032]  kasan_save_free_info+0x3b/0x60
    [ 188.567040]  __kasan_slab_free+0x43/0x70
    [ 188.567046]  kmem_cache_free+0xc3/0x510
    [ 188.567055]  rcu_core+0x5d1/0x1a50
    [ 188.567063]  rcu_cpu_kthread+0x148/0x6f0
    [ 188.567070]  smpboot_thread_fn+0x347/0x8e0
    [ 188.567080]  kthread+0x318/0x400
    [ 188.567087]  ret_from_fork+0x447/0x6a0
    [ 188.567093]  ret_from_fork_asm+0x1a/0x30
    [ 188.567101]
    [ 188.567103] Last potentially related work creation:
    [ 188.567107]  kasan_save_stack+0x33/0x60
    [ 188.567113]  kasan_record_aux_stack+0x8c/0xa0
    [ 188.567121]  __call_rcu_common.constprop.0+0x76/0xa20
    [ 188.567129]  kernfs_put.part.0+0x1aa/0x540
    [ 188.567135]  __kernfs_remove.part.0+0x3f2/0x820
    [ 188.567142]  kernfs_remove+0x9e/0xd0
    [ 188.567149]  __kobject_del+0xc3/0x340
    [ 188.567158]  kobject_del+0x35/0x50
    [ 188.567163]  device_del+0x5ef/0x960
    [ 188.567170]  usb_disconnect+0x504/0x970
    [ 188.567181]  hub_event+0x2898/0x4670
    [ 188.567187]  process_one_work+0x610/0x1150
    [ 188.567196]  worker_thread+0x50d/0xd60
    [ 188.567204]  kthread+0x318/0x400
    [ 188.567212]  ret_from_fork+0x447/0x6a0
    [ 188.567217]  ret_from_fork_asm+0x1a/0x30
    [ 188.567225]
    [ 188.567227] The buggy address belongs to the object at ffff88800b387a28
    [ 188.567227]  which belongs to the cache kernfs_node_cache of size 136
    [ 188.567235] The buggy address is located 8 bytes inside of
    [ 188.567235]  freed 136-byte region [ffff88800b387a28, ffff88800b387ab0)
    [ 188.567243]
    [ 188.567245] The buggy address belongs to the physical page:
    [ 188.567251] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xb387
    [ 188.567259] flags: 0x100000000000000(node=0|zone=1)
    [ 188.567267] page_type: f5(slab)
    [ 188.567277] raw: 0100000000000000 ffff888006ead640 dead000000000100 dead000000000122
    [ 188.567284] raw: 0000000000000000 0000000000140014 00000000f5000000 0000000000000000
    [ 188.567288] page dumped because: kasan: bad access detected
    [ 188.567291]
    [ 188.567293] Memory state around the buggy address:
    [ 188.567297]  ffff88800b387900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [ 188.567302]  ffff88800b387980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    [ 188.567308] >ffff88800b387a00: fc fc fc fc fc fa fb fb fb fb fb fb fb fb fb fb
    [ 188.567311]                                      ^
    [ 188.567316]  ffff88800b387a80: fb fb fb fb fb fb fc fc fc fc fc fc fc fc 00 00
    [ 188.567320]  ffff88800b387b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
    [ 188.567324] ==================================================================
    [ 188.568915] Disabling lock debugging due to kernel taint

References:

[1] https://gist.github.com/mfoliveira/c6b77fbae3d8083be6944477aedbc5d2
[2]
https://gist.github.com/mfoliveira/cd1d78561e2db80dd87103e835e3ebec --- drivers/usb/atm/ueagle-atm.c | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/drivers/usb/atm/ueagle-atm.c b/drivers/usb/atm/ueagle-atm.c index f3ae72feb5bfc313ccfa1ab6a9bb40fcd8f5800a..8f8c63f613cccb7cce29bff62af= e82587776f6b5 100644 --- a/drivers/usb/atm/ueagle-atm.c +++ b/drivers/usb/atm/ueagle-atm.c @@ -597,20 +597,15 @@ static int uea_send_modem_cmd(struct usb_device *usb, return (ret =3D=3D size) ? 0 : -EIO; } =20 -static void uea_upload_pre_firmware(const struct firmware *fw_entry, - void *context) +static int uea_upload_pre_firmware(const struct firmware *fw_entry, + struct usb_device *usb) { - struct usb_device *usb =3D context; const u8 *pfw; u8 value; u32 crc =3D 0; int ret, size; =20 uea_enters(usb); - if (!fw_entry) { - uea_err(usb, "firmware is not available\n"); - goto err; - } =20 pfw =3D fw_entry->data; size =3D fw_entry->size; @@ -668,9 +663,11 @@ static void uea_upload_pre_firmware(const struct firmw= are *fw_entry, =20 err_fw_corrupted: uea_err(usb, "firmware is corrupted\n"); + ret =3D -EINVAL; err: release_firmware(fw_entry); uea_leaves(usb); + return ret; } =20 /* @@ -680,6 +677,7 @@ static int uea_load_firmware(struct usb_device *usb, un= signed int ver) { int ret; char *fw_name =3D EAGLE_FIRMWARE; + const struct firmware *firmware; =20 uea_enters(usb); uea_info(usb, "pre-firmware device, uploading firmware\n"); 
@@ -702,13 +700,13 @@ static int uea_load_firmware(struct usb_device *usb, = unsigned int ver) break; } =20 - ret =3D request_firmware_nowait(THIS_MODULE, 1, fw_name, &usb->dev, - GFP_KERNEL, usb, - uea_upload_pre_firmware); - if (ret) + ret =3D request_firmware(&firmware, fw_name, &usb->dev); + if (ret) { uea_err(usb, "firmware %s is not available\n", fw_name); - else + } else { uea_info(usb, "loading firmware %s\n", fw_name); + ret =3D uea_upload_pre_firmware(firmware, usb); + } =20 uea_leaves(usb); return ret; --- base-commit: e98d21c170b01ddef366f023bbfcf6b31509fa83 change-id: 20260515-ueagle-atm_req-fw-sync-204761fa0809 Best regards, --=20 Mauricio Faria de Oliveira
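Review bot: in the first hunk (uea_upload_pre_firmware(), @@ -597,20), the `!fw_entry` check goes away but the function still ends in release_firmware(fw_entry), so it now consumes a reference that uea_load_firmware() obtained with request_firmware(). Acquire and release end up in different functions with nothing saying so. Either add a short comment above uea_upload_pre_firmware() stating that it releases fw_entry on every path, or move release_firmware() into uea_load_firmware() right after the call so the caller owns the firmware for its whole lifetime.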
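Review bot: in the second hunk (@@ -668,9), `return ret;` sits under the shared `err:` label and is the only return added to the now-int function, yet only the `err_fw_corrupted:` path gets an explicit value (`ret = -EINVAL;`). Please confirm that every `goto err` outside the visible context leaves a negative errno in `ret` and that the success path leaves 0 there; the context line `return (ret == size) ? 0 : -EIO;` in uea_send_modem_cmd() suggests it does when `ret` comes from that helper, but a positive byte count from any other call would be returned to .probe() as is. Since the label is now also the normal exit, renaming it to `out:` would make that clearer.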
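Review bot: in the last hunk (uea_load_firmware(), @@ -702,13), request_firmware() keeps .probe() blocked for as long as the sysfs fallback waits: the "Modified" log enters uea_load_firmware at 177.113 and probe fails with -110 at 242.849. The changelog presents the blocking only as what holds off the device directory removal; it should also state this added probe latency when the firmware file is missing, and say whether request_firmware_direct() was considered and why the fallback is kept.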