diff mbox series

[SRU,oem-5.6] usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect

Message ID 20200916175129.392300-1-cascardo@canonical.com
State New
Headers show
Series [SRU,oem-5.6] usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect | expand

Commit Message

Thadeu Lima de Souza Cascardo Sept. 16, 2020, 5:51 p.m. UTC
From: Zqiang <qiang.zhang@windriver.com>

BUG: memory leak
unreferenced object 0xffff888055046e00 (size 256):
  comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
  hex dump (first 32 bytes):
    00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff  .p.U......Z.....
    f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff  ..x.....7.......
  backtrace:
    [<00000000d121dccf>] kmemleak_alloc_recursive
include/linux/kmemleak.h:43 [inline]
    [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
    [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
    [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
    [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
    [<000000005c3c3381>] usbtest_probe+0x286/0x19d0
drivers/usb/misc/usbtest.c:2790
    [<000000001cec6910>] usb_probe_interface+0x2bd/0x870
drivers/usb/core/driver.c:361
    [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
    [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
    [<000000003ef66004>] __device_attach_driver+0x1b6/0x240
drivers/base/dd.c:831
    [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
    [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
    [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
    [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
    [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
    [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
drivers/usb/core/message.c:2030
    [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
    [<0000000098ade0f1>] usb_probe_device+0x90/0xd0
drivers/usb/core/driver.c:266
    [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
    [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Kyungtae Kim <kt0755@gmail.com>
Signed-off-by: Zqiang <qiang.zhang@windriver.com>
Link: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 28ebeb8db77035e058a510ce9bd17c2b9a009dba)
CVE-2020-15393
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 drivers/usb/misc/usbtest.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Stefan Bader Sept. 17, 2020, 7:40 a.m. UTC | #1
On 16.09.20 19:51, Thadeu Lima de Souza Cascardo wrote:
> From: Zqiang <qiang.zhang@windriver.com>
> 
> BUG: memory leak
> unreferenced object 0xffff888055046e00 (size 256):
>   comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
>   hex dump (first 32 bytes):
>     00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff  .p.U......Z.....
>     f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff  ..x.....7.......
>   backtrace:
>     [<00000000d121dccf>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:43 [inline]
>     [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
>     [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
>     [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
>     [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
>     [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
>     [<000000005c3c3381>] usbtest_probe+0x286/0x19d0
> drivers/usb/misc/usbtest.c:2790
>     [<000000001cec6910>] usb_probe_interface+0x2bd/0x870
> drivers/usb/core/driver.c:361
>     [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
>     [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
>     [<000000003ef66004>] __device_attach_driver+0x1b6/0x240
> drivers/base/dd.c:831
>     [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
>     [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
>     [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
>     [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
>     [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
>     [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
> drivers/usb/core/message.c:2030
>     [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
>     [<0000000098ade0f1>] usb_probe_device+0x90/0xd0
> drivers/usb/core/driver.c:266
>     [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
>     [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
> 
> Acked-by: Alan Stern <stern@rowland.harvard.edu>
> Reported-by: Kyungtae Kim <kt0755@gmail.com>
> Signed-off-by: Zqiang <qiang.zhang@windriver.com>
> Link: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> (cherry picked from commit 28ebeb8db77035e058a510ce9bd17c2b9a009dba)
> CVE-2020-15393
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  drivers/usb/misc/usbtest.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
> index 98ada1a3425c..bae88893ee8e 100644
> --- a/drivers/usb/misc/usbtest.c
> +++ b/drivers/usb/misc/usbtest.c
> @@ -2873,6 +2873,7 @@ static void usbtest_disconnect(struct usb_interface *intf)
>  
>  	usb_set_intfdata(intf, NULL);
>  	dev_dbg(&intf->dev, "disconnect\n");
> +	kfree(dev->buf);
>  	kfree(dev);
>  }
>  
>
Colin King Sept. 17, 2020, 8:27 a.m. UTC | #2
On 16/09/2020 18:51, Thadeu Lima de Souza Cascardo wrote:
> From: Zqiang <qiang.zhang@windriver.com>
> 
> BUG: memory leak
> unreferenced object 0xffff888055046e00 (size 256):
>   comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
>   hex dump (first 32 bytes):
>     00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff  .p.U......Z.....
>     f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff  ..x.....7.......
>   backtrace:
>     [<00000000d121dccf>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:43 [inline]
>     [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
>     [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
>     [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
>     [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
>     [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
>     [<000000005c3c3381>] usbtest_probe+0x286/0x19d0
> drivers/usb/misc/usbtest.c:2790
>     [<000000001cec6910>] usb_probe_interface+0x2bd/0x870
> drivers/usb/core/driver.c:361
>     [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
>     [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
>     [<000000003ef66004>] __device_attach_driver+0x1b6/0x240
> drivers/base/dd.c:831
>     [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
>     [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
>     [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
>     [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
>     [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
>     [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
> drivers/usb/core/message.c:2030
>     [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
>     [<0000000098ade0f1>] usb_probe_device+0x90/0xd0
> drivers/usb/core/driver.c:266
>     [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
>     [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
> 
> Acked-by: Alan Stern <stern@rowland.harvard.edu>
> Reported-by: Kyungtae Kim <kt0755@gmail.com>
> Signed-off-by: Zqiang <qiang.zhang@windriver.com>
> Link: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> (cherry picked from commit 28ebeb8db77035e058a510ce9bd17c2b9a009dba)
> CVE-2020-15393
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>  drivers/usb/misc/usbtest.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
> index 98ada1a3425c..bae88893ee8e 100644
> --- a/drivers/usb/misc/usbtest.c
> +++ b/drivers/usb/misc/usbtest.c
> @@ -2873,6 +2873,7 @@ static void usbtest_disconnect(struct usb_interface *intf)
>  
>  	usb_set_intfdata(intf, NULL);
>  	dev_dbg(&intf->dev, "disconnect\n");
> +	kfree(dev->buf);
>  	kfree(dev);
>  }
>  
> 

Clean cherry pick.

Acked-by: Colin Ian King <colin.king@canonical.com>
Timo Aaltonen Sept. 22, 2020, 12:02 p.m. UTC | #3
On 16.9.2020 20.51, Thadeu Lima de Souza Cascardo wrote:
> From: Zqiang <qiang.zhang@windriver.com>
> 
> BUG: memory leak
> unreferenced object 0xffff888055046e00 (size 256):
>   comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
>   hex dump (first 32 bytes):
>     00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff  .p.U......Z.....
>     f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff  ..x.....7.......
>   backtrace:
>     [<00000000d121dccf>] kmemleak_alloc_recursive
> include/linux/kmemleak.h:43 [inline]
>     [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
>     [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
>     [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
>     [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
>     [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
>     [<000000005c3c3381>] usbtest_probe+0x286/0x19d0
> drivers/usb/misc/usbtest.c:2790
>     [<000000001cec6910>] usb_probe_interface+0x2bd/0x870
> drivers/usb/core/driver.c:361
>     [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
>     [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
>     [<000000003ef66004>] __device_attach_driver+0x1b6/0x240
> drivers/base/dd.c:831
>     [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
>     [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
>     [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
>     [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
>     [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
>     [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
> drivers/usb/core/message.c:2030
>     [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
>     [<0000000098ade0f1>] usb_probe_device+0x90/0xd0
> drivers/usb/core/driver.c:266
>     [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
>     [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
> 
> Acked-by: Alan Stern <stern@rowland.harvard.edu>
> Reported-by: Kyungtae Kim <kt0755@gmail.com>
> Signed-off-by: Zqiang <qiang.zhang@windriver.com>
> Link: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> (cherry picked from commit 28ebeb8db77035e058a510ce9bd17c2b9a009dba)
> CVE-2020-15393
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>  drivers/usb/misc/usbtest.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
> index 98ada1a3425c..bae88893ee8e 100644
> --- a/drivers/usb/misc/usbtest.c
> +++ b/drivers/usb/misc/usbtest.c
> @@ -2873,6 +2873,7 @@ static void usbtest_disconnect(struct usb_interface *intf)
>  
>  	usb_set_intfdata(intf, NULL);
>  	dev_dbg(&intf->dev, "disconnect\n");
> +	kfree(dev->buf);
>  	kfree(dev);
>  }
>  
> 

applied to oem-5.6, thanks
diff mbox series

Patch

diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
index 98ada1a3425c..bae88893ee8e 100644
--- a/drivers/usb/misc/usbtest.c
+++ b/drivers/usb/misc/usbtest.c
@@ -2873,6 +2873,7 @@  static void usbtest_disconnect(struct usb_interface *intf)
 
 	usb_set_intfdata(intf, NULL);
 	dev_dbg(&intf->dev, "disconnect\n");
+	kfree(dev->buf);
 	kfree(dev);
 }