lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <20260109031429.1472804-1-zilin@seu.edu.cn>
Date: Fri,  9 Jan 2026 03:14:29 +0000
From: Zilin Guan <zilin@....edu.cn>
To: gregkh@...uxfoundation.org
Cc: jianhao.xu@....edu.cn,
	linux-kernel@...r.kernel.org,
	linux-usb@...r.kernel.org,
	mathias.nyman@...el.com,
	stable@...r.kernel.org,
	zilin@....edu.cn
Subject: Re: [PATCH v2] usb: xhci: Fix memory leak in xhci_disable_slot()

On Thu, Jan 08, 2026 at 04:28:42PM +0100, Greg KH wrote:
> On Thu, Jan 08, 2026 at 02:11:08PM +0000, Zilin Guan wrote:
> > xhci_alloc_command() allocates a command structure and, when the
> > second argument is true, also allocates a completion structure.
> > Currently, the error handling path in xhci_disable_slot() only frees
> > the command structure using kfree(), causing the completion structure
> > to leak.
> > 
> > Use xhci_free_command() instead of kfree(). xhci_free_command() correctly
> > frees both the command structure and the associated completion structure.
> > Since the command structure is allocated with zero-initialization,
> > command->in_ctx is NULL and will not be erroneously freed by
> > xhci_free_command().
> > 
> > This bug was found using an experimental static analysis tool we are
> > developing. The tool is based on the LLVM framework and is specifically
> > designed to detect memory management issues. It is currently under
> > active development and not yet publicly available, but we plan to
> > open-source it after our research is published.
> > 
> > The analysis was performed on Linux kernel v6.13-rc1.
> 
> That is a very old kernel version, from December 2024, please redo this
> to verify it is relevent to todays tree.
> 
> thanks,
> 
> greg k-h

Sorry for the confusion caused by our description. While the static 
analysis was indeed performed on v6.13-rc1, we have manually verified 
that the bug still exists in the latest mainline kernel before submitting
the patch.

I will clarify this distinction in the v3 patch and update the version 
information.

Thanks,
Zilin Guan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ