Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp286443ybg; Wed, 3 Jun 2020 00:23:54 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzmE3T0Vx8IRpKhxW9CzO2brfoinhegcZXWxiUqDnrC8hMbnpQIPLI+FA1cEOFs9+K+TeLe X-Received: by 2002:a17:906:90c1:: with SMTP id v1mr26156521ejw.322.1591169034491; Wed, 03 Jun 2020 00:23:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591169034; cv=none; d=google.com; s=arc-20160816; b=ABouxH6Z1sy3hnCh+o7JjvkiF46MxAsqFmo91kSa7jTlS8vi6INs4zSqt0IFahFLLb OkM9/KeyNEHHaFFy7pz5dXPU/o56pmSFAN8xLvCpkI7QxA6yjhYhxBie5jZexm7XFk2r wRX5LdfzHjZlKKUIvTVqMPKybHRzecf1O5aLSrJzWkTbnsjdyGbwqz9MpGWxqLp5bhQV mXw063AC5Lm/Ja9ke9C3mdiQzEqPEkaeXTIBTBHviQ25fLF0uuH5r+iM/iAbN2KMN7/5 zvvItDQbutaeO2Whpj/wtmGt8mlIS8gmzQstPegThfoNh7+QkR/Nw3QwrbECUS9A4fbW wpJg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=R03pAbSSsUad1g76G17XILrCiyxCcIt7lNxzq88a/iU=; b=BIe0fe7hTXZtwnz16FQiv11gv6eznE6/Bd2rSLdcbrLHAq82LxUjDv/BGsJ6rM0pFv noQ/Vp7XU0Ud78ry0NRg0YQPI90k8WoW4Yy7CM2xOsIFB17EAmH2SNGbHczHUzyJW+Nn 3jFFwIaYH5s9MCJiCNSKJayVubUakouehJlW88+0Yq2Lkns3exIkPPzICgQdXbipC+8T 2n7+Bh5bJPW+/x6a52geo9ulN3ny3wwn8i0+W8dFpk5Ba2OHoJO5Kj8nDSMwzbUuNLve eI0AQ0XhA4TzdyZ76GubeVXc6/jvdBKgmVscZp3nGXcMty7cFKUKwacnxXhOz0SBvmjW gxPw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ftnFtIcK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q12si724687edc.303.2020.06.03.00.23.31; Wed, 03 Jun 2020 00:23:54 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=ftnFtIcK; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726154AbgFCHTK (ORCPT + 99 others); Wed, 3 Jun 2020 03:19:10 -0400 Received: from mail.kernel.org ([198.145.29.99]:58958 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725275AbgFCHTJ (ORCPT ); Wed, 3 Jun 2020 03:19:09 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 65114207D3; Wed, 3 Jun 2020 07:19:08 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1591168748; bh=mSICe9XPh8wNHseU/SsQKI1JdtwOoz/Og30hbCOZdrI=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=ftnFtIcK2o9TqiwntWRMZs0H1IHQVOwL4+vSbzTdsPxVYvkM8othvyN0XYHdAbd+Z qM0vjNV/BSCCB5hqJpg48gDCW6zOdutw2vaeFAvKGOvnrdyyBYBrS1RKJwu1y4RgCU FqEbDZkfL9EsD6MQGiZUjqbMwepLUIYAmG2u6+G4= Date: Wed, 3 Jun 2020 09:19:06 +0200 From: Greg KH To: Kyungtae Kim Cc: USB list , LKML , syzkaller , Dave Tian Subject: Re: memory leak in usbtest_probe Message-ID: <20200603071906.GC612108@kroah.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jun 02, 2020 at 04:36:22PM -0400, Kyungtae Kim wrote: > We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version > of syzkaller) > > The buf of an usbtest_dev instance (dev->buf) allocated in > usbtest_probe() leaked. > > The usbtest_dev instance holding the buf is attached to a > corresponding device instance > through usb_set_intfdata(). > But later, the usbtest_dev instance seems to be freed without > deallocating its buf field ahead. > > kernel config: https://kt0755.github.io/etc/config_v5.6.11 > > ================================================================== > BUG: memory leak > unreferenced object 0xffff888055046e00 (size 256): > comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s) > hex dump (first 32 bytes): > 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z..... > f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7....... > backtrace: > [<00000000d121dccf>] kmemleak_alloc_recursive > include/linux/kmemleak.h:43 [inline] > [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline] > [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline] > [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline] > [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811 > [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline] > [<000000005c3c3381>] usbtest_probe+0x286/0x19d0 > drivers/usb/misc/usbtest.c:2790 > [<000000001cec6910>] usb_probe_interface+0x2bd/0x870 > drivers/usb/core/driver.c:361 > [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551 > [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724 > [<000000003ef66004>] __device_attach_driver+0x1b6/0x240 > drivers/base/dd.c:831 > [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431 > [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897 > [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944 > [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491 > [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504 > [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0 > drivers/usb/core/message.c:2030 > [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210 > [<0000000098ade0f1>] usb_probe_device+0x90/0xd0 > drivers/usb/core/driver.c:266 > [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551 > [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724 > ================================================================== Can you send a patch to fix this so that you get full credit for finding, and fixing the issue? thanks, greg k-h