Re: [syzbot] [usb?] memory leak in hub_event (4)

From: Alan Stern

Date: Mon Apr 27 2026 - 10:19:19 EST

On Mon, Apr 27, 2026 at 01:40:02PM +0200, Oliver Neukum wrote:
> On 25.04.26 04:12, syzbot wrote:
>
> #syz test: git://repo/address.git dd6c438c3e64

> From 001175f4d2e1c2ceac98b4af2521fc4d0253d0c8 Mon Sep 17 00:00:00 2001
> From: Oliver Neukum <oneukum@xxxxxxxx>
> Date: Mon, 27 Apr 2026 13:35:38 +0200
> Subject: [PATCH] usb: core: fix memory of error case in usb_get_configuration
>
> Prior allocations need to be reversed if subsequent
> allocations fail.
>
> Fixes: dd2057e544dc9 ("USB: core: drop OOM message")
> Signed-off-by: Oliver Neukum <oneukum@xxxxxxxx>
> Reported-by: syzbot+2afd7e71155c7e241560@xxxxxxxxxxxxxxxxxxxxxxxxx
> ---
> drivers/usb/core/config.c | 13 +++++++++++--
> 1 file changed, 11 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 417140b012bb..67475ff81641 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -944,11 +944,11 @@ int usb_get_configuration(struct usb_device *dev)
> length = ncfg * sizeof(char *);
> dev->rawdescriptors = kzalloc(length, GFP_KERNEL);
> if (!dev->rawdescriptors)
> - return -ENOMEM;
> + goto bailout2;
>
> desc = kmalloc(USB_DT_CONFIG_SIZE, GFP_KERNEL);
> if (!desc)
> - return -ENOMEM;
> + goto bailout;
>
> for (cfgno = 0; cfgno < ncfg; cfgno++) {
> /* We grab just the first descriptor so we know how long
> @@ -1012,6 +1012,15 @@ int usb_get_configuration(struct usb_device *dev)
> dev->descriptor.bNumConfigurations = cfgno;
>
> return result;
> +
> +bailout:
> + kfree(dev->rawdescriptors);
> + dev->rawdescriptors = NULL;
> +bailout2:
> + kfree(dev->config);
> + dev->config = NULL;
> +
> + return -ENOMEM;
> }

This is not needed. dev->rawdescriptors and dev->config are deallocated
in usb_destroy_configuration(), which gets called when the usb_device
structure is released.

The memory leak must have a different cause.

Alan Stern