Re: memory leak in usb_copy_descriptors

Greg KH <gregkh@xxxxxxxxxxxxxxxxxxx> · Sun, 31 May 2020 08:39:47 +0200

On Sat, May 30, 2020 at 06:25:02PM +0000, Kyungtae Kim wrote:
> We report a bug (in linux-5.6.11) found by FuzzUSB (a modified version
> of syzkaller)
> 
> kernel config: https://kt0755.github.io/etc/config_v5.6.11
> 
> A USB descriptor held by fs_descriotors in usb_function leaked.
> 
> ==================================================================
> BUG: memory leak
> unreferenced object 0xffff888058b7a700 (size 64):
>   comm "syz-executor.0", pid 2473, jiffies 4294942614 (age 3131.830s)
>   hex dump (first 32 bytes):
>     20 a7 b7 58 80 88 ff ff 29 a7 b7 58 80 88 ff ff   ..X....)..X....
>     30 a7 b7 58 80 88 ff ff 00 00 00 00 00 00 00 00  0..X............
>   backtrace:
>     [<000000008820290b>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
>     [<000000008820290b>] slab_post_alloc_hook mm/slab.h:586 [inline]
>     [<000000008820290b>] slab_alloc_node mm/slub.c:2786 [inline]
>     [<000000008820290b>] slab_alloc mm/slub.c:2794 [inline]
>     [<000000008820290b>] __kmalloc+0x144/0x310 mm/slub.c:3837
>     [<0000000069f64afa>] kmalloc include/linux/slab.h:560 [inline]
>     [<0000000069f64afa>] usb_copy_descriptors+0xcb/0x270 drivers/usb/gadget/config.c:135
>     [<000000004a667526>] usb_assign_descriptors+0x9f/0x310 drivers/usb/gadget/config.c:168
>     [<0000000001ee4653>] loopback_bind+0x188/0x280 drivers/usb/gadget/function/f_loopback.c:209
>     [<0000000067b9c558>] usb_add_function+0x1f0/0x6c0 drivers/usb/gadget/composite.c:279
>     [<0000000084caf39b>] configfs_composite_bind+0x9d3/0x1110 drivers/usb/gadget/configfs.c:1397
>     [<0000000065d7065c>] udc_bind_to_driver+0x1c6/0x530 drivers/usb/gadget/udc/core.c:1358
>     [<00000000fe783078>] usb_gadget_probe_driver+0x42a/0x4e0 drivers/usb/gadget/udc/core.c:1421
>     [<0000000063f1f5c5>] gadget_dev_desc_UDC_store+0x158/0x200 drivers/usb/gadget/configfs.c:282
>     [<00000000fb18ff7c>] flush_write_buffer fs/configfs/file.c:251 [inline]
>     [<00000000fb18ff7c>] configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283
>     [<0000000085920ac6>] __vfs_write+0x85/0x110 fs/read_write.c:494
>     [<0000000052812ae5>] vfs_write+0x1cd/0x510 fs/read_write.c:558
>     [<00000000334feaef>] ksys_write+0x18a/0x220 fs/read_write.c:611
>     [<00000000db0255b5>] __do_sys_write fs/read_write.c:623 [inline]
>     [<00000000db0255b5>] __se_sys_write fs/read_write.c:620 [inline]
>     [<00000000db0255b5>] __x64_sys_write+0x73/0xb0 fs/read_write.c:620
>     [<0000000012ddffe1>] do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294
>     [<000000008496dc30>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> ==================================================================

Great, can you send a patch fixing this please so you can get the proper
credit for finding and fixing the issue?

thanks,

greg k-h