Re: [PATCH] net: usb: rtl8150: fix use-after-free in rtl8150_start_xmit()

From: Andrew Lunn

Date: Tue Apr 21 2026 - 08:35:40 EST


On Tue, Apr 21, 2026 at 07:04:12PM +0800, Morduan Zang wrote:
> From: Zhan Jun <zhanjun@xxxxxxxxxxxxx>
>
> syzbot reported a KASAN slab-use-after-free read in rtl8150_start_xmit()
> when accessing skb->len for tx statistics after usb_submit_urb() has
> been called:
>
> BUG: KASAN: slab-use-after-free in rtl8150_start_xmit+0x71f/0x760
> drivers/net/usb/rtl8150.c:712
> Read of size 4 at addr ffff88810eb7a930 by task kworker/0:4/5226
>
> The URB completion handler write_bulk_callback() frees the skb via
> dev_kfree_skb_irq(dev->tx_skb). The URB may complete on another CPU
> in softirq context before usb_submit_urb() returns in the submitter,
> so by the time the submitter reads skb->len the skb has already been
> queued to the per-CPU completion_queue and freed by net_tx_action():
>
> CPU A (xmit)                  CPU B (USB completion softirq)
> ------------                  ------------------------------
> dev->tx_skb = skb;
> usb_submit_urb() --+
>                    |-------> write_bulk_callback()
>                    |           dev_kfree_skb_irq(dev->tx_skb)
>                    |           net_tx_action()
>                    |             napi_skb_cache_put() <-- free
> netdev->stats.tx_bytes |
>   += skb->len;         <-- UAF read
>
> Fix it by caching skb->len before submitting the URB and using the
> cached value when updating the tx_bytes counter. This mirrors the
> fix pattern used by other USB network drivers.
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Reported-by: syzbot+3f46c095ac0ca048cb71@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://lore.kernel.org/all/69e69ee7.050a0220.24bfd3.002b.GAE@xxxxxxxxxx/
> Closes: https://syzkaller.appspot.com/bug?extid=3f46c095ac0ca048cb71
> Signed-off-by: Zhan Jun <zhanjun@xxxxxxxxxxxxx>

Reviewed-by: Andrew Lunn <andrew@xxxxxxx>

For future patches, please could you set the subject line correctly. See

https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html

Andrew
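The ordering problem described in the commit message, as an added illustration that is not part of the patch or the rtl8150 driver: the kernel objects are replaced by hypothetical stand-ins, the fake usb_submit_urb() runs the completion handler synchronously (the worst-case interleaving from the report), and the fake free poisons skb->len instead of freeing it so the stale read is observable. Both the buggy pattern (read skb->len after submit) and the fixed pattern (cache the length before submit) are shown side by side.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the kernel objects; only the fields that matter here. */
struct sk_buff { unsigned int len; };
struct rtl8150 { struct sk_buff *tx_skb; unsigned long tx_bytes; };

/* Fake dev_kfree_skb_irq(): poisons the length instead of freeing so that
 * a stale read is observable rather than undefined behaviour. */
#define SKB_POISON 0xdeadbeefu
static void fake_kfree_skb(struct sk_buff *skb)
{
    skb->len = SKB_POISON;
}

/* Fake write_bulk_callback(): the completion handler frees dev->tx_skb. */
static void write_bulk_callback(struct rtl8150 *dev)
{
    fake_kfree_skb(dev->tx_skb);
    dev->tx_skb = NULL;
}

/* Fake usb_submit_urb() modelling the worst-case ordering from the report:
 * the URB completes on another CPU before submit returns to the caller. */
static int fake_submit_urb(struct rtl8150 *dev)
{
    write_bulk_callback(dev);
    return 0;
}

/* Buggy pattern: skb->len is read after submit, when the skb may be gone. */
static unsigned long xmit_buggy(struct rtl8150 *dev, struct sk_buff *skb)
{
    dev->tx_skb = skb;
    if (fake_submit_urb(dev) == 0)
        dev->tx_bytes += skb->len;   /* the UAF read from the report */
    return dev->tx_bytes;
}

/* Fixed pattern: cache the length while the skb is still ours, then never
 * touch the skb again once usb_submit_urb() has been called. */
static unsigned long xmit_fixed(struct rtl8150 *dev, struct sk_buff *skb)
{
    unsigned int len = skb->len;     /* cached before submission */
    dev->tx_skb = skb;
    if (fake_submit_urb(dev) == 0)
        dev->tx_bytes += len;
    return dev->tx_bytes;
}
```

With a 1500-byte skb the buggy path accounts the poison value, while the fixed path accounts 1500 regardless of when the completion runs.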