lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <20210111104927.2561-1-minhquangbui99@gmail.com>
Date:   Mon, 11 Jan 2021 10:49:27 +0000
From:   Bui Quang Minh <minhquangbui99@...il.com>
To:     linux-usb@...r.kernel.org
Cc:     a.darwish@...utronix.de, bigeasy@...utronix.de,
        gregkh@...uxfoundation.org, linux-kernel@...r.kernel.org,
        minhquangbui99@...il.com, stern@...land.harvard.edu,
        syzkaller-bugs@...glegroups.com, tglx@...utronix.de
Subject: [PATCH v2] can: mcba_usb: Fix memory leak when cancelling urb

In mcba_usb_read_bulk_callback(), when we don't resubmit or fails to
resubmit the urb, we need to deallocate the transfer buffer that is
allocated in mcba_usb_start().

Reported-by: syzbot+57281c762a3922e14dfe@...kaller.appspotmail.com
Signed-off-by: Bui Quang Minh <minhquangbui99@...il.com>
---
v1: add memory leak fix when not resubmitting urb
v2: add memory leak fix when failing to resubmit urb

 drivers/net/can/usb/mcba_usb.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
index df54eb7d4b36..30236e640116 100644
--- a/drivers/net/can/usb/mcba_usb.c
+++ b/drivers/net/can/usb/mcba_usb.c
@@ -584,6 +584,8 @@ static void mcba_usb_read_bulk_callback(struct urb *urb)
 	case -EPIPE:
 	case -EPROTO:
 	case -ESHUTDOWN:
+		usb_free_coherent(urb->dev, urb->transfer_buffer_length,
+				  urb->transfer_buffer, urb->transfer_dma);
 		return;
 
 	default:
@@ -615,11 +617,14 @@ static void mcba_usb_read_bulk_callback(struct urb *urb)
 
 	retval = usb_submit_urb(urb, GFP_ATOMIC);
 
-	if (retval == -ENODEV)
-		netif_device_detach(netdev);
-	else if (retval)
+	if (retval < 0) {
 		netdev_err(netdev, "failed resubmitting read bulk urb: %d\n",
 			   retval);
+		usb_free_coherent(urb->dev, urb->transfer_buffer_length,
+				  urb->transfer_buffer, urb->transfer_dma);
+		if (retval == -ENODEV)
+			netif_device_detach(netdev);
+	}
 }
 
 /* Start USB device */
-- 
2.17.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ