Re: memory leak in usb_copy_descriptors
From: Greg KH
Date: Sun May 31 2020 - 02:40:08 EST
On Sat, May 30, 2020 at 06:25:02PM +0000, Kyungtae Kim wrote:
> We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
> of syzkaller)
>
> kernel config: https://kt0755.github.io/etc/config_v5.6.11
>
> A USB descriptor held by fs_descriotors in usb_function leaked.
>
> ==================================================================
> BUG: memory leak
> unreferenced object 0xffff888058b7a700 (size 64):
> comm "syz-executor.0", pid 2473, jiffies 4294942614 (age 3131.830s)
> hex dump (first 32 bytes):
> 20 a7 b7 58 80 88 ff ff 29 a7 b7 58 80 88 ff ff ..X....)..X....
> 30 a7 b7 58 80 88 ff ff 00 00 00 00 00 00 00 00 0..X............
> backtrace:
> [<000000008820290b>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
> [<000000008820290b>] slab_post_alloc_hook mm/slab.h:586 [inline]
> [<000000008820290b>] slab_alloc_node mm/slub.c:2786 [inline]
> [<000000008820290b>] slab_alloc mm/slub.c:2794 [inline]
> [<000000008820290b>] __kmalloc+0x144/0x310 mm/slub.c:3837
> [<0000000069f64afa>] kmalloc include/linux/slab.h:560 [inline]
> [<0000000069f64afa>] usb_copy_descriptors+0xcb/0x270 drivers/usb/gadget/config.c:135
> [<000000004a667526>] usb_assign_descriptors+0x9f/0x310 drivers/usb/gadget/config.c:168
> [<0000000001ee4653>] loopback_bind+0x188/0x280 drivers/usb/gadget/function/f_loopback.c:209
> [<0000000067b9c558>] usb_add_function+0x1f0/0x6c0 drivers/usb/gadget/composite.c:279
> [<0000000084caf39b>] configfs_composite_bind+0x9d3/0x1110 drivers/usb/gadget/configfs.c:1397
> [<0000000065d7065c>] udc_bind_to_driver+0x1c6/0x530 drivers/usb/gadget/udc/core.c:1358
> [<00000000fe783078>] usb_gadget_probe_driver+0x42a/0x4e0 drivers/usb/gadget/udc/core.c:1421
> [<0000000063f1f5c5>] gadget_dev_desc_UDC_store+0x158/0x200 drivers/usb/gadget/configfs.c:282
> [<00000000fb18ff7c>] flush_write_buffer fs/configfs/file.c:251 [inline]
> [<00000000fb18ff7c>] configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
> [<0000000085920ac6>] __vfs_write+0x85/0x110 fs/read_write.c:494
> [<0000000052812ae5>] vfs_write+0x1cd/0x510 fs/read_write.c:558
> [<00000000334feaef>] ksys_write+0x18a/0x220 fs/read_write.c:611
> [<00000000db0255b5>] __do_sys_write fs/read_write.c:623 [inline]
> [<00000000db0255b5>] __se_sys_write fs/read_write.c:620 [inline]
> [<00000000db0255b5>] __x64_sys_write+0x73/0xb0 fs/read_write.c:620
> [<0000000012ddffe1>] do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
> [<000000008496dc30>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> ==================================================================
Great, can you send a patch fixing this please so you can get the proper
credit for finding and fixing the issue?
thanks,
greg k-h