[syzbot] [usb?] memory leak in hub_event (4)

[syzbot] [usb?] memory leak in hub_event (4)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    dd6c438c3e64 Merge tag 'vfs-7.1-rc1.fixes' of git://git.ke..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15cf7702580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ac5083db84233db3
dashboard link: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
compiler:       gcc (Debian 14.2.0-19) 14.2.0, GNU ld (GNU Binutils for Debian) 2.44
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=13cf7702580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17941c36580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/dea6ab846ab3/disk-dd6c438c.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/acebe380aa03/vmlinux-dd6c438c.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2cdbd012d0d3/bzImage-dd6c438c.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff8881277dc000 (size 2048):
  comm "kworker/0:2", pid 1783, jiffies 4294946784
  hex dump (first 32 bytes):
    ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00  ....1...........
    00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00  ................
  backtrace (crc 20105372):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4574 [inline]
    slab_alloc_node mm/slub.c:4898 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5410
    kmalloc_noprof include/linux/slab.h:950 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    usb_alloc_dev+0x36/0x4e0 drivers/usb/core/usb.c:651
    hub_port_connect drivers/usb/core/hub.c:5470 [inline]
    hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
    port_event drivers/usb/core/hub.c:5871 [inline]
    hub_event+0x14d0/0x2180 drivers/usb/core/hub.c:5953
    process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
    process_scheduled_works kernel/workqueue.c:3385 [inline]
    worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
    kthread+0x14e/0x1a0 kernel/kthread.c:436
    ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888128b06c00 (size 1024):
  comm "kworker/0:2", pid 1783, jiffies 4294946815
  hex dump (first 32 bytes):
    09 02 49 00 02 01 00 10 40 00 00 00 00 00 00 00  ..I.....@.......
    00 00 00 00 00 00 00 00 89 b8 69 09 81 88 ff ff  ..........i.....
  backtrace (crc b43c3ef8):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4574 [inline]
    slab_alloc_node mm/slub.c:4898 [inline]
    __do_kmalloc_node mm/slub.c:5294 [inline]
    __kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
    kmalloc_noprof include/linux/slab.h:954 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    usb_get_configuration+0xeb/0x2110 drivers/usb/core/config.c:940
    usb_enumerate_device drivers/usb/core/hub.c:2527 [inline]
    usb_new_device+0x1b4/0x300 drivers/usb/core/hub.c:2665
    hub_port_connect drivers/usb/core/hub.c:5567 [inline]
    hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
    port_event drivers/usb/core/hub.c:5871 [inline]
    hub_event+0x1723/0x2180 drivers/usb/core/hub.c:5953
    process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
    process_scheduled_works kernel/workqueue.c:3385 [inline]
    worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
    kthread+0x14e/0x1a0 kernel/kthread.c:436
    ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88810c3d5a50 (size 8):
  comm "kworker/0:2", pid 1783, jiffies 4294946815
  hex dump (first 8 bytes):
    80 b8 69 09 81 88 ff ff                          ..i.....
  backtrace (crc 66af3167):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4574 [inline]
    slab_alloc_node mm/slub.c:4898 [inline]
    __do_kmalloc_node mm/slub.c:5294 [inline]
    __kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
    kmalloc_noprof include/linux/slab.h:954 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    usb_get_configuration+0x11d/0x2110 drivers/usb/core/config.c:945
    usb_enumerate_device drivers/usb/core/hub.c:2527 [inline]
    usb_new_device+0x1b4/0x300 drivers/usb/core/hub.c:2665
    hub_port_connect drivers/usb/core/hub.c:5567 [inline]
    hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
    port_event drivers/usb/core/hub.c:5871 [inline]
    hub_event+0x1723/0x2180 drivers/usb/core/hub.c:5953
    process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
    process_scheduled_works kernel/workqueue.c:3385 [inline]
    worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
    kthread+0x14e/0x1a0 kernel/kthread.c:436
    ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff888113c25840 (size 64):
  comm "kworker/0:2", pid 1783, jiffies 4294946817
  hex dump (first 32 bytes):
    01 00 00 00 01 00 00 00 09 04 00 00 00 01 01 30  ...............0
    00 00 00 00 0a 00 00 00 9a b8 69 09 81 88 ff ff  ..........i.....
  backtrace (crc a90fa323):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4574 [inline]
    slab_alloc_node mm/slub.c:4898 [inline]
    __do_kmalloc_node mm/slub.c:5294 [inline]
    __kmalloc_noprof+0x3b7/0x550 mm/slub.c:5307
    kmalloc_noprof include/linux/slab.h:954 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    usb_parse_configuration drivers/usb/core/config.c:826 [inline]
    usb_get_configuration+0x88f/0x2110 drivers/usb/core/config.c:1002
    usb_enumerate_device drivers/usb/core/hub.c:2527 [inline]
    usb_new_device+0x1b4/0x300 drivers/usb/core/hub.c:2665
    hub_port_connect drivers/usb/core/hub.c:5567 [inline]
    hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
    port_event drivers/usb/core/hub.c:5871 [inline]
    hub_event+0x1723/0x2180 drivers/usb/core/hub.c:5953
    process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
    process_scheduled_works kernel/workqueue.c:3385 [inline]
    worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
    kthread+0x14e/0x1a0 kernel/kthread.c:436
    ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

BUG: memory leak
unreferenced object 0xffff88811d54a500 (size 256):
  comm "kworker/0:2", pid 1783, jiffies 4294946821
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 08 a5 54 1d 81 88 ff ff  ..........T.....
    08 a5 54 1d 81 88 ff ff 20 e7 41 83 ff ff ff ff  ..T..... .A.....
  backtrace (crc 85d09f91):
    kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline]
    slab_post_alloc_hook mm/slub.c:4574 [inline]
    slab_alloc_node mm/slub.c:4898 [inline]
    __kmalloc_cache_noprof+0x371/0x480 mm/slub.c:5410
    kmalloc_noprof include/linux/slab.h:950 [inline]
    kzalloc_noprof include/linux/slab.h:1188 [inline]
    device_private_init drivers/base/core.c:3536 [inline]
    device_add+0x73c/0xc70 drivers/base/core.c:3587
    usb_new_device.cold+0x115/0x626 drivers/usb/core/hub.c:2695
    hub_port_connect drivers/usb/core/hub.c:5567 [inline]
    hub_port_connect_change drivers/usb/core/hub.c:5707 [inline]
    port_event drivers/usb/core/hub.c:5871 [inline]
    hub_event+0x1723/0x2180 drivers/usb/core/hub.c:5953
    process_one_work+0x277/0x5b0 kernel/workqueue.c:3302
    process_scheduled_works kernel/workqueue.c:3385 [inline]
    worker_thread+0x255/0x4a0 kernel/workqueue.c:3466
    kthread+0x14e/0x1a0 kernel/kthread.c:436
    ret_from_fork+0x219/0x490 arch/x86/kernel/process.c:158
    ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

connection error: failed to recv *flatrpc.ExecutorMessageRawT: EOF


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Forwarded: [PATCH] usb: core: fix memory leak in usb_new_device() error path

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] usb: core: fix memory leak in usb_new_device() error path
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


When usb_new_device() fails, it jumps to the 'fail' label which calls
pm_runtime_disable() but never balances the earlier
pm_runtime_get_noresume() call made at the top of the function.

This leaves the PM runtime usage count elevated, preventing
usb_put_dev() in hub_port_connect() from dropping the refcount to zero.
As a result, usb_release_dev() never fires and usb_destroy_configuration()
is never called, leaking all memory allocated during enumeration:

  - struct usb_device          (2048 bytes) via usb_alloc_dev()
  - raw config descriptor      (1024 bytes) via usb_get_configuration()
  - config metadata            (   8 bytes) via usb_get_configuration()
  - interface descriptor       (  64 bytes) via usb_parse_configuration()
  - struct device_private      ( 256 bytes) via device_private_init()

Fix this by adding pm_runtime_put_noidle() on the fail path to balance
the pm_runtime_get_noresume() at the top of the function.
pm_runtime_put_noidle() is correct here rather than pm_runtime_put()
because we are in a teardown path and must not trigger autosuspend
scheduling.

Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
Signed-off-by: Deepanshu kartikey <kartikey406@gmail.com>
---
 drivers/usb/core/hub.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 24960ba9caa9..148fadfbc30b 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -2733,6 +2733,7 @@ int usb_new_device(struct usb_device *udev)
 	usb_set_device_state(udev, USB_STATE_NOTATTACHED);
 	pm_runtime_disable(&udev->dev);
 	pm_runtime_set_suspended(&udev->dev);
+	pm_runtime_put_noidle(&udev->dev);
 	return err;
 }
 
-- 
2.43.0

Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


create_card() takes a reference on the USB device with usb_get_dev()
and stores the matching usb_put_dev() in card_free(), which is
installed as the snd_card's ->private_free destructor.

However, ->private_free is only assigned near the end of init_card(),
after several failure points (usb_set_interface(), EP type checks,
usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
timeout). When any of those fail, init_card() returns an error to
snd_probe(), which calls snd_card_free(card). Because ->private_free
is still NULL, card_free() never runs, the usb_get_dev() reference
is not dropped, and the struct usb_device leaks along with its
descriptor allocations and device_private.

syzbot reproduces this with a malformed UAC3 device whose only valid
altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
fails with -EIO and triggers the leak.

Move the ->private_free assignment into create_card(), immediately
after usb_get_dev(), so that every error path reaching snd_card_free()
balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
free_urbs, kfree) already tolerate the partially-initialized state
because the chip private area is zero-initialized by snd_card_new().

Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 sound/usb/caiaq/device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 51177ebfb8c6..f084a0f782ad 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -411,6 +411,7 @@ static int create_card(struct usb_device *usb_dev,
 
 	cdev = caiaqdev(card);
 	cdev->chip.dev = usb_get_dev(usb_dev);
+	card->private_free = card_free;
 	cdev->chip.card = card;
 	cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
 				  le16_to_cpu(usb_dev->descriptor.idProduct));
@@ -500,7 +501,6 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 		       cdev->vendor_name, cdev->product_name, usbpath);
 
 	setup_card(cdev);
-	card->private_free = card_free;
 	return 0;
 
  err_kill_urb:
-- 
2.43.0

Forwarded: [PATCH] usb: core: hub: fix memory leak in hub_port_connect

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] usb: core: hub: fix memory leak in hub_port_connect
Author: souradiptodas6@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
master
diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 24960ba9caa9..2924ce770066 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5405,6 +5405,7 @@ static void hub_port_connect(struct usb_hub *hub, int
port1, u16 portstatus,
                if (hcd->usb_phy && !hdev->parent)
                        usb_phy_notify_disconnect(hcd->usb_phy,
udev->speed);
                usb_disconnect(&port_dev->child);
+               udev = NULL;
        }

        /* We can forget about a "removed" device when there's a physical
@@ -5582,6 +5583,7 @@ static void hub_port_connect(struct usb_hub *hub, int
port1, u16 portstatus,
                        goto loop_disable;

                status = hub_power_remaining(hub);
+               udev = NULL;
                if (status)
                        dev_dbg(hub->intfdev, "%dmA power budget left\n",
status);

@@ -5624,6 +5626,8 @@ static void hub_port_connect(struct usb_hub *hub, int
port1, u16 portstatus,
                if (status != -ENOTCONN && status != -ENODEV)
                        hcd->driver->relinquish_port(hcd, port1);
        }
+       if (udev)
+               usb_put_dev(udev);
 }

 /* Handle physical or logical connection change events.

Forwarded: [PATCH] usb: core: hub: fix memory leak in hub_port_connect

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] usb: core: hub: fix memory leak in hub_port_connect
Author: souradiptodas6@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

---
 drivers/usb/core/hub.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index 24960ba9caa9..2924ce770066 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -5405,6 +5405,7 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
 		if (hcd->usb_phy && !hdev->parent)
 			usb_phy_notify_disconnect(hcd->usb_phy, udev->speed);
 		usb_disconnect(&port_dev->child);
+		udev = NULL;
 	}
 
 	/* We can forget about a "removed" device when there's a physical
@@ -5582,6 +5583,7 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
 			goto loop_disable;
 
 		status = hub_power_remaining(hub);
+		udev = NULL;
 		if (status)
 			dev_dbg(hub->intfdev, "%dmA power budget left\n", status);
 
@@ -5624,6 +5626,8 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
 		if (status != -ENOTCONN && status != -ENODEV)
 			hcd->driver->relinquish_port(hcd, port1);
 	}
+	if (udev)
+    		usb_put_dev(udev);
 }
 
 /* Handle physical or logical connection change events.
-- 
2.52.0

Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master


create_card() takes a reference on the USB device with usb_get_dev()
and stores the matching usb_put_dev() in card_free(), which is
installed as the snd_card's ->private_free destructor.

However, ->private_free is only assigned near the end of init_card(),
after several failure points (usb_set_interface(), EP type checks,
usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
timeout). When any of those fail, init_card() returns an error to
snd_probe(), which calls snd_card_free(card). Because ->private_free
is still NULL, card_free() never runs, the usb_get_dev() reference
is not dropped, and the struct usb_device leaks along with its
descriptor allocations and device_private.

syzbot reproduces this with a malformed UAC3 device whose only valid
altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
fails with -EIO and triggers the leak.

Move the ->private_free assignment into create_card(), immediately
after usb_get_dev(), so that every error path reaching snd_card_free()
balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
free_urbs, kfree) already tolerate the partially-initialized state
because the chip private area is zero-initialized by snd_card_new().

Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 sound/usb/caiaq/device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 51177ebfb8c6..f084a0f782ad 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -411,6 +411,7 @@ static int create_card(struct usb_device *usb_dev,
 
 	cdev = caiaqdev(card);
 	cdev->chip.dev = usb_get_dev(usb_dev);
+	card->private_free = card_free;
 	cdev->chip.card = card;
 	cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
 				  le16_to_cpu(usb_dev->descriptor.idProduct));
@@ -500,7 +501,6 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 		       cdev->vendor_name, cdev->product_name, usbpath);
 
 	setup_card(cdev);
-	card->private_free = card_free;
 	return 0;
 
  err_kill_urb:
-- 
2.43.0

Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure

[syzbot]

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master



create_card() takes a reference on the USB device with usb_get_dev()
and stores the matching usb_put_dev() in card_free(), which is
installed as the snd_card's ->private_free destructor.

However, ->private_free is only assigned near the end of init_card(),
after several failure points (usb_set_interface(), EP type checks,
usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
timeout). When any of those fail, init_card() returns an error to
snd_probe(), which calls snd_card_free(card). Because ->private_free
is still NULL, card_free() never runs, the usb_get_dev() reference
is not dropped, and the struct usb_device leaks along with its
descriptor allocations and device_private.

syzbot reproduces this with a malformed UAC3 device whose only valid
altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
fails with -EIO and triggers the leak.

Move the ->private_free assignment into create_card(), immediately
after usb_get_dev(), so that every error path reaching snd_card_free()
balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
free_urbs, kfree) already tolerate the partially-initialized state
because the chip private area is zero-initialized by snd_card_new().

Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 sound/usb/caiaq/device.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
index 8af0c04041ee..ad9f744b496b 100644
--- a/sound/usb/caiaq/device.c
+++ b/sound/usb/caiaq/device.c
@@ -423,6 +423,7 @@ static int create_card(struct usb_device *usb_dev,
 
 	cdev = caiaqdev(card);
 	cdev->chip.dev = usb_get_dev(usb_dev);
+	card->private_free = card_free;
 	cdev->chip.card = card;
 	cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
 				  le16_to_cpu(usb_dev->descriptor.idProduct));
@@ -511,7 +512,6 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
 	scnprintf(card->longname, sizeof(card->longname), "%s %s (%s)",
 		       cdev->vendor_name, cdev->product_name, usbpath);
 
-	card->private_free = card_free;
 	err = setup_card(cdev);
 	if (err < 0)
 		return err;
-- 
2.43.0

Re: Forwarded: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure

[Hillf Danton]

> Date: Sat, 25 Apr 2026 07:43:17 -0700
> For archival purposes, forwarding an incoming command email to
> linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.
> 
> ***
> 
> Subject: [PATCH] ALSA: caiaq: fix usb_dev refcount leak on probe failure
> Author: kartikey406@gmail.com
> 
Deepanshu, can you please correctly fill your Cc list as required to 
avoid this forwarded message which is a waste of net bandwidth?

> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
> 
> 
> 
> create_card() takes a reference on the USB device with usb_get_dev()
> and stores the matching usb_put_dev() in card_free(), which is
> installed as the snd_card's ->private_free destructor.
> 
> However, ->private_free is only assigned near the end of init_card(),
> after several failure points (usb_set_interface(), EP type checks,
> usb_submit_urb(), the EP1_CMD_GET_DEVICE_INFO exchange, and its
> timeout). When any of those fail, init_card() returns an error to
> snd_probe(), which calls snd_card_free(card). Because ->private_free
> is still NULL, card_free() never runs, the usb_get_dev() reference
> is not dropped, and the struct usb_device leaks along with its
> descriptor allocations and device_private.
> 
> syzbot reproduces this with a malformed UAC3 device whose only valid
> altsetting is 0; init_card()'s usb_set_interface(usb_dev, 0, 1) call
> fails with -EIO and triggers the leak.
> 
> Move the ->private_free assignment into create_card(), immediately
> after usb_get_dev(), so that every error path reaching snd_card_free()
> balances the reference. card_free()'s callees (snd_usb_caiaq_input_free,
> free_urbs, kfree) already tolerate the partially-initialized state
> because the chip private area is zero-initialized by snd_card_new().
> 
> Reported-by: syzbot+2afd7e71155c7e241560@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=2afd7e71155c7e241560
> Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
> ---
>  sound/usb/caiaq/device.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/sound/usb/caiaq/device.c b/sound/usb/caiaq/device.c
> index 8af0c04041ee..ad9f744b496b 100644
> --- a/sound/usb/caiaq/device.c
> +++ b/sound/usb/caiaq/device.c
> @@ -423,6 +423,7 @@ static int create_card(struct usb_device *usb_dev,
>  
>  	cdev = caiaqdev(card);
>  	cdev->chip.dev = usb_get_dev(usb_dev);
> +	card->private_free = card_free;
>  	cdev->chip.card = card;
>  	cdev->chip.usb_id = USB_ID(le16_to_cpu(usb_dev->descriptor.idVendor),
>  				  le16_to_cpu(usb_dev->descriptor.idProduct));
> @@ -511,7 +512,6 @@ static int init_card(struct snd_usb_caiaqdev *cdev)
>  	scnprintf(card->longname, sizeof(card->longname), "%s %s (%s)",
>  		       cdev->vendor_name, cdev->product_name, usbpath);
>  
> -	card->private_free = card_free;
>  	err = setup_card(cdev);
>  	if (err < 0)
>  		return err;
> -- 
> 2.43.0