* memory leak in usbtest_probe
@ 2020-06-02 20:36 Kyungtae Kim
2020-06-03 7:19 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Kyungtae Kim @ 2020-06-02 20:36 UTC (permalink / raw)
To: Greg KH; +Cc: USB list, LKML, syzkaller, Dave Tian
We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
of syzkaller)
The buf of an usbtest_dev instance (dev->buf) allocated in
usbtest_probe() leaked.
The usbtest_dev instance holding the buf is attached to a
corresponding device instance
through usb_set_intfdata().
But later, the usbtest_dev instance seems to be freed without
deallocating its buf field ahead.
kernel config: https://kt0755.github.io/etc/config_v5.6.11
==================================================================
BUG: memory leak
unreferenced object 0xffff888055046e00 (size 256):
comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
hex dump (first 32 bytes):
00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....
f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......
backtrace:
[<00000000d121dccf>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
[<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
[<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
[<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
[<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
[<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
[<000000005c3c3381>] usbtest_probe+0x286/0x19d0
drivers/usb/misc/usbtest.c:2790
[<000000001cec6910>] usb_probe_interface+0x2bd/0x870
drivers/usb/core/driver.c:361
[<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
[<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
[<000000003ef66004>] __device_attach_driver+0x1b6/0x240
drivers/base/dd.c:831
[<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
[<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
[<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
[<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
[<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
[<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
drivers/usb/core/message.c:2030
[<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
[<0000000098ade0f1>] usb_probe_device+0x90/0xd0
drivers/usb/core/driver.c:266
[<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
[<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
==================================================================
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: memory leak in usbtest_probe
2020-06-02 20:36 memory leak in usbtest_probe Kyungtae Kim
@ 2020-06-03 7:19 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2020-06-03 7:19 UTC (permalink / raw)
To: Kyungtae Kim; +Cc: USB list, LKML, syzkaller, Dave Tian
On Tue, Jun 02, 2020 at 04:36:22PM -0400, Kyungtae Kim wrote:
> We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
> of syzkaller)
>
> The buf of an usbtest_dev instance (dev->buf) allocated in
> usbtest_probe() leaked.
>
> The usbtest_dev instance holding the buf is attached to a
> corresponding device instance
> through usb_set_intfdata().
> But later, the usbtest_dev instance seems to be freed without
> deallocating its buf field ahead.
>
> kernel config: https://kt0755.github.io/etc/config_v5.6.11
>
> ==================================================================
> BUG: memory leak
> unreferenced object 0xffff888055046e00 (size 256):
> comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
> hex dump (first 32 bytes):
> 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....
> f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......
> backtrace:
> [<00000000d121dccf>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:43 [inline]
> [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
> [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
> [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
> [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
> [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
> [<000000005c3c3381>] usbtest_probe+0x286/0x19d0
> drivers/usb/misc/usbtest.c:2790
> [<000000001cec6910>] usb_probe_interface+0x2bd/0x870
> drivers/usb/core/driver.c:361
> [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
> [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
> [<000000003ef66004>] __device_attach_driver+0x1b6/0x240
> drivers/base/dd.c:831
> [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
> [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
> [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
> [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
> [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
> [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
> drivers/usb/core/message.c:2030
> [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
> [<0000000098ade0f1>] usb_probe_device+0x90/0xd0
> drivers/usb/core/driver.c:266
> [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
> [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
> ==================================================================
Can you send a patch to fix this so that you get full credit for
finding, and fixing the issue?
thanks,
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-06-03 7:19 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-06-02 20:36 memory leak in usbtest_probe Kyungtae Kim
2020-06-03 7:19 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).