From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Zqiang <qiang.zhang@windriver.com>,
syzbot+bd38200f53df6259e6bf@syzkaller.appspotmail.com,
Felipe Balbi <balbi@kernel.org>, Sasha Levin <sashal@kernel.org>,
linux-usb@vger.kernel.org
Subject: [PATCH AUTOSEL 5.9 08/55] usb: raw-gadget: fix memory leak in gadget_setup
Date: Mon, 9 Nov 2020 22:52:31 -0500
Message-ID: <20201110035318.423757-8-sashal@kernel.org>
In-Reply-To: <20201110035318.423757-1-sashal@kernel.org>
From: Zqiang <qiang.zhang@windriver.com>
[ Upstream commit 129aa9734559a17990ee933351c7b6956f1dba62 ]
When fetching 'event' from the event queue, after copying its
contents to user space, the memory space pointed to by the
'event' pointer needs to be freed.
BUG: memory leak
unreferenced object 0xffff888110622660 (size 32):
comm "softirq", pid 0, jiffies 4294941981 (age 12.480s)
hex dump (first 32 bytes):
02 00 00 00 08 00 00 00 80 06 00 01 00 00 40 00 ..............@.
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000efd29abd>] kmalloc include/linux/slab.h:554 [inline]
[<00000000efd29abd>] raw_event_queue_add drivers/usb/gadget/legacy/raw_gadget.c:66 [inline]
[<00000000efd29abd>] raw_queue_event drivers/usb/gadget/legacy/raw_gadget.c:225 [inline]
[<00000000efd29abd>] gadget_setup+0xf6/0x220 drivers/usb/gadget/legacy/raw_gadget.c:343
[<00000000952c4a46>] dummy_timer+0xb9f/0x14c0 drivers/usb/gadget/udc/dummy_hcd.c:1899
[<0000000074ac2c54>] call_timer_fn+0x38/0x200 kernel/time/timer.c:1415
[<00000000560a3a79>] expire_timers kernel/time/timer.c:1460 [inline]
[<00000000560a3a79>] __run_timers.part.0+0x319/0x400 kernel/time/timer.c:1757
[<000000009d9503d0>] __run_timers kernel/time/timer.c:1738 [inline]
[<000000009d9503d0>] run_timer_softirq+0x3d/0x80 kernel/time/timer.c:1770
[<000000009df27c89>] __do_softirq+0xcc/0x2c2 kernel/softirq.c:298
[<000000007a3f1a47>] asm_call_irq_on_stack+0xf/0x20
[<000000004a62cc2e>] __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
[<000000004a62cc2e>] run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
[<000000004a62cc2e>] do_softirq_own_stack+0x32/0x40 arch/x86/kernel/irq_64.c:77
[<00000000b0086800>] invoke_softirq kernel/softirq.c:393 [inline]
[<00000000b0086800>] __irq_exit_rcu kernel/softirq.c:423 [inline]
[<00000000b0086800>] irq_exit_rcu+0x91/0xc0 kernel/softirq.c:435
[<00000000175f9523>] sysvec_apic_timer_interrupt+0x36/0x80 arch/x86/kernel/apic/apic.c:1091
[<00000000a348e847>] asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:631
[<0000000060661100>] native_safe_halt arch/x86/include/asm/irqflags.h:60 [inline]
[<0000000060661100>] arch_safe_halt arch/x86/include/asm/irqflags.h:103 [inline]
[<0000000060661100>] acpi_safe_halt drivers/acpi/processor_idle.c:111 [inline]
[<0000000060661100>] acpi_idle_do_entry+0xc3/0xd0 drivers/acpi/processor_idle.c:517
[<000000003f413b99>] acpi_idle_enter+0x128/0x1f0 drivers/acpi/processor_idle.c:648
[<00000000f5e5afb8>] cpuidle_enter_state+0xc9/0x650 drivers/cpuidle/cpuidle.c:237
[<00000000d50d51fc>] cpuidle_enter+0x29/0x40 drivers/cpuidle/cpuidle.c:351
[<00000000d674baed>] call_cpuidle kernel/sched/idle.c:132 [inline]
[<00000000d674baed>] cpuidle_idle_call kernel/sched/idle.c:213 [inline]
[<00000000d674baed>] do_idle+0x1c8/0x250 kernel/sched/idle.c:273
Reported-by: syzbot+bd38200f53df6259e6bf@syzkaller.appspotmail.com
Signed-off-by: Zqiang <qiang.zhang@windriver.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/usb/gadget/legacy/raw_gadget.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index e01e366d89cd5..062dfac303996 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -564,9 +564,12 @@ static int raw_ioctl_event_fetch(struct raw_dev *dev, unsigned long value)
return -ENODEV;
}
length = min(arg.length, event->length);
- if (copy_to_user((void __user *)value, event, sizeof(*event) + length))
+ if (copy_to_user((void __user *)value, event, sizeof(*event) + length)) {
+ kfree(event);
return -EFAULT;
+ }
+ kfree(event);
return 0;
}
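Review bot: kfree(event) is now duplicated on the -EFAULT branch and on the success path, which is easy to get wrong the next time a return is added between them; a single exit that computes the result first keeps ownership of event in one place, e.g. `ret = copy_to_user((void __user *)value, event, sizeof(*event) + length) ? -EFAULT : 0;` followed by `kfree(event);` and `return ret;`. Both forms are correct here because event is not used after the copy, so this is a style point rather than a defect in the fix.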
--
2.27.0