Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
MIME-Version: 1.0
References: <CAEAjamthOsn9JfL1K-sGUmTUJ-1GV6eCnn3baLNnG_MnUk12ow@mail.gmail.com>
In-Reply-To: <CAEAjamthOsn9JfL1K-sGUmTUJ-1GV6eCnn3baLNnG_MnUk12ow@mail.gmail.com>
From:   Kyungtae Kim <kt0755@gmail.com>
Date:   Tue, 27 Oct 2020 11:50:25 -0400
Message-ID: <CAEAjams+ztDnt80M37ivQtGSUS1y6_zs-o0BoLDrTfBGAt+8ow@mail.gmail.com>
Subject: Re: memory leak in u_audio_start_playback
To:     Felipe Balbi <balbi@kernel.org>,
        Greg KH <gregkh@linuxfoundation.org>
Cc:     USB list <linux-usb@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        syzkaller <syzkaller@googlegroups.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

On Sun, Oct 25, 2020 at 3:32 PM Kyungtae Kim <kt0755@gmail.com> wrote:
>
> We report a bug (in linux-5.8.13) found by FuzzUSB (a modified version
> of syzkaller).
>
> An instance of struct usb_request allocated in f_audio_set_alt() leaked.
>
> ==================================================================
> BUG: memory leak
> unreferenced object 0xffff888053df0e00 (size 128):
>   comm "softirq", pid 0, jiffies 4294940573 (age 17.540s)
>   hex dump (first 32 bytes):
>     00 0e df 53 80 88 ff ff 00 0e df 53 80 88 ff ff  ...S.......S....
>     00 82 df 53 80 88 ff ff c0 00 00 00 00 00 00 00  ...S............
>   backtrace:
>     [<000000000694647e>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>     [<000000000694647e>] slab_post_alloc_hook mm/slab.h:588 [inline]
>     [<000000000694647e>] slab_alloc_node mm/slub.c:2824 [inline]
>     [<000000000694647e>] slab_alloc mm/slub.c:2832 [inline]
>     [<000000000694647e>] kmem_cache_alloc_trace+0x15c/0x310 mm/slub.c:2849
>     [<00000000d7d91433>] kmalloc include/linux/slab.h:555 [inline]
>     [<00000000d7d91433>] kzalloc include/linux/slab.h:669 [inline]
>     [<00000000d7d91433>] dummy_alloc_request+0x83/0x120 drivers/usb/gadget/udc/dummy_hcd.c:663
>     [<000000006e043557>] usb_ep_alloc_request+0x23/0x170 drivers/usb/gadget/udc/core.c:178
>     [<00000000fb13871b>] u_audio_start_playback+0x224/0x3c0 drivers/usb/gadget/function/u_audio.c:449
>     [<0000000017cb1f54>] f_audio_set_alt+0x8e/0x170 drivers/usb/gadget/function/f_uac1.c:463
>     [<0000000063ba610c>] composite_setup+0x62e/0x2690 drivers/usb/gadget/composite.c:1793
>     [<00000000e86333ed>] configfs_composite_setup+0xa5/0xd0 drivers/usb/gadget/configfs.c:1457
>     [<00000000f9a524ea>] dummy_timer+0x5a7/0x1460 drivers/usb/gadget/udc/dummy_hcd.c:1899
>     [<00000000182f2904>] call_timer_fn+0xdd/0x3a0 kernel/time/timer.c:1416
>     [<000000000d926b91>] expire_timers kernel/time/timer.c:1461 [inline]
>     [<000000000d926b91>] __run_timers kernel/time/timer.c:1792 [inline]
>     [<000000000d926b91>] run_timer_softirq+0x286/0x670 kernel/time/timer.c:1805
>     [<000000008902fa26>] __do_softirq+0xfa/0x684 kernel/softirq.c:292
>     [<000000003597f960>] asm_call_on_stack+0xf/0x20 arch/x86/entry/entry_64.S:711
>     [<000000005c5a9a83>] __run_on_irqstack arch/x86/include/asm/irq_stack.h:22 [inline]
>     [<000000005c5a9a83>] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:48 [inline]
>     [<000000005c5a9a83>] do_softirq_own_stack+0x8b/0xb0 arch/x86/kernel/irq_64.c:77
>     [<00000000590d59e5>] invoke_softirq kernel/softirq.c:387 [inline]
>     [<00000000590d59e5>] __irq_exit_rcu kernel/softirq.c:417 [inline]
>     [<00000000590d59e5>] irq_exit_rcu+0xb5/0xf0 kernel/softirq.c:429
>     [<00000000689d4053>] sysvec_apic_timer_interrupt+0x83/0xf0 arch/x86/kernel/apic/apic.c:1091
>     [<00000000f2e90960>] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:585
> ==================================================================
>
> Regards,
> Kyungtae Kim