Forwarded: [PATCH] usb: core: fix memory leak in usb_new_device() error path

All of lore.kernel.org
 help / color / mirror / Atom feed

From: syzbot <syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] usb: core: fix memory leak in usb_new_device() error path
Date: Fri, 24 Apr 2026 23:36:37 -0700	[thread overview]
Message-ID: <69ec60f5.a00a0220.1901e8.0004.GAE@google.com> (raw)
In-Reply-To: <69ec231a.a00a0220.7773.000c.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] usb: core: fix memory leak in usb_new_device() error path
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When usb_new_device() fails, it jumps to the 'fail' label which calls
pm_runtime_disable() but never balances the earlier
pm_runtime_get_noresume() call made at the top of the function.

This leaves the PM runtime usage count elevated, preventing
usb_put_dev() in hub_port_connect() from dropping the refcount to zero.
As a result, usb_release_dev() never fires and usb_destroy_configuration()
is never called, leaking all memory allocated during enumeration:

  - struct usb_device          (2048 bytes) via usb_alloc_dev()
  - raw config descriptor      (1024 bytes) via usb_get_configuration()
  - config metadata            (   8 bytes) via usb_get_configuration()
  - interface descriptor       (  64 bytes) via usb_parse_configuration()
  - struct device_private      ( 256 bytes) via device_private_init()

Fix this by adding pm_runtime_put_noidle() on the fail path to balance
the pm_runtime_get_noresume() at the top of the function.
pm_runtime_put_noidle() is correct here rather than pm_runtime_put()
because we are in a teardown path and must not trigger autosuspend
scheduling.

Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
Signed-off-by: Deepanshu kartikey <kartikey406@gmail.com>
---
 drivers/usb/core/hub.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 24960ba9caa9..148fadfbc30b 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2733,6 +2733,7 @@ int usb_new_device(struct usb_device *udev)
 	usb_set_device_state(udev, USB_STATE_NOTATTACHED);
 	pm_runtime_disable(&udev->dev);
 	pm_runtime_set_suspended(&udev->dev);
+	pm_runtime_put_noidle(&udev->dev);
 	return err;
 }

-- 
2.43.0

next prev parent reply	other threads:[~2026-04-25  6:36 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-25  2:12 [syzbot] [usb?] memory leak in hub_event (4) syzbot
2026-04-25  6:36 ` syzbot [this message]
2026-04-25  7:52 ` Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure syzbot
2026-04-25  8:58 ` Forwarded: [PATCH] usb: core: hub: fix memory leak in hub_port_connect syzbot
2026-04-25  9:36 ` syzbot
2026-04-25 12:54 ` Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure syzbot
2026-04-25 14:43 ` syzbot
2026-04-26  2:33   ` Hillf Danton
2026-04-27 11:40 ` [syzbot] [usb?] memory leak in hub_event (4) Oliver Neukum
2026-04-27 12:37   ` syzbot
2026-04-27 14:19   ` Alan Stern
2026-04-28 11:33     ` Oliver Neukum
2026-04-28 15:12       ` Alan Stern
2026-04-29 10:42 ` [PATCH] usb: core: hcd: fix possible deadlock in rh control transfers Oliver Neukum
2026-04-29 19:04   ` Alan Stern
2026-04-29 19:13     ` Oliver Neukum
2026-04-29 19:18       ` Alan Stern
2026-04-29 10:45 ` [PATCH] sound: usb: caiaq: fix reference leak in probe error Oliver Neukum
2026-04-29 10:53   ` Takashi Iwai
2026-04-29 11:05     ` Oliver Neukum
2026-04-29 19:42   ` kernel test robot
2026-04-30  5:33   ` kernel test robot
2026-04-30 11:02   ` kernel test robot

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:24960ba9caa dfblob:148fadfbc30 )
 OR (
bs:"usb: core: fix memory leak in usb_new_device() error path" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=69ec60f5.a00a0220.1901e8.0004.GAE@google.com \
    --to=syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.