[PATCH] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure

[PATCH] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure

[Deepakkumar Karn]

  In async_set_registers(), when usb_submit_urb() fails, the allocated
  async_req structure and URB are not freed, causing a memory leak.

  The completion callback async_set_reg_cb() is responsible for freeing
  these allocations, but it is only called after the URB is successfully
  submitted and completes (successfully or with error). If submission
  fails, the callback never runs and the memory is leaked.

  Fix this by freeing both the URB and the request structure in the error
  path when usb_submit_urb() fails.

Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
---
 drivers/net/usb/rtl8150.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index 278e6cb6f4d9..e40b0669d9f4 100644
--- a/drivers/net/usb/rtl8150.c
+++ b/drivers/net/usb/rtl8150.c
@@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
 		if (res == -ENODEV)
 			netif_device_detach(dev->netdev);
 		dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
+		kfree(req);
+		usb_free_urb(async_urb);
 	}
 	return res;
 }
-- 
2.52.0

Re: [PATCH] net: usb: rtl8150: fix memory leak on usb_submit_urb() failure

[Petko Manolov]

On 25-12-16 20:43:05, Deepakkumar Karn wrote:
>   In async_set_registers(), when usb_submit_urb() fails, the allocated
>   async_req structure and URB are not freed, causing a memory leak.
> 
>   The completion callback async_set_reg_cb() is responsible for freeing
>   these allocations, but it is only called after the URB is successfully
>   submitted and completes (successfully or with error). If submission
>   fails, the callback never runs and the memory is leaked.
> 
>   Fix this by freeing both the URB and the request structure in the error
>   path when usb_submit_urb() fails.
> 
> Reported-by: syzbot+8dd915c7cb0490fc8c52@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=8dd915c7cb0490fc8c52
> Fixes: 4d12997a9bb3 ("drivers: net: usb: rtl8150: concurrent URB bugfix")
> Signed-off-by: Deepakkumar Karn <dkarn@redhat.com>
> ---
>  drivers/net/usb/rtl8150.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
> index 278e6cb6f4d9..e40b0669d9f4 100644
> --- a/drivers/net/usb/rtl8150.c
> +++ b/drivers/net/usb/rtl8150.c
> @@ -211,6 +211,8 @@ static int async_set_registers(rtl8150_t *dev, u16 indx, u16 size, u16 reg)
>  		if (res == -ENODEV)
>  			netif_device_detach(dev->netdev);
>  		dev_err(&dev->udev->dev, "%s failed with %d\n", __func__, res);
> +		kfree(req);
> +		usb_free_urb(async_urb);
>  	}
>  	return res;
>  }
> -- 
> 2.52.0


ACK.

Nice catch.  This bug has been lurking for a very long time... :)


cheers,
Petko