lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <c7ad4630-5659-4e06-9f4b-3fa7ec2c9472@linux.intel.com>
Date: Thu, 29 Jan 2026 13:38:26 +0200
From: Mathias Nyman <mathias.nyman@...ux.intel.com>
To: Michal Pecio <michal.pecio@...il.com>, Zilin Guan <zilin@....edu.cn>
Cc: mathias.nyman@...el.com, gregkh@...uxfoundation.org,
 linux-usb@...r.kernel.org, linux-kernel@...r.kernel.org,
 jianhao.xu@....edu.cn, stable@...r.kernel.org
Subject: Re: [PATCH v3] usb: xhci: Fix memory leak in xhci_disable_slot()

On 1/29/26 10:56, Michal Pecio wrote:
> On Fri,  9 Jan 2026 04:54:10 +0000, Zilin Guan wrote:
>> xhci_alloc_command() allocates a command structure and, when the
>> second argument is true, also allocates a completion structure.
>> Currently, the error handling path in xhci_disable_slot() only frees
>> the command structure using kfree(), causing the completion structure
>> to leak.
>>
>> Use xhci_free_command() instead of kfree(). xhci_free_command()
>> correctly frees both the command structure and the associated
>> completion structure. Since the command structure is allocated with
>> zero-initialization, command->in_ctx is NULL and will not be
>> erroneously freed by xhci_free_command().
>>
>> This bug was found using an experimental static analysis tool we are
>> developing. The tool is based on the LLVM framework and is
>> specifically designed to detect memory management issues. It is
>> currently under active development and not yet publicly available,
>> but we plan to open-source it after our research is published.
>>
>> The bug was originally detected on v6.13-rc1 using our static analysis
>> tool, and we have verified that the issue persists in the latest
>> mainline kernel.
>>
>> We performed build testing on x86_64 with allyesconfig using
>> GCC=11.4.0. Since triggering these error paths in xhci_disable_slot()
>> requires specific hardware conditions or abnormal state, we were
>> unable to construct a test case to reliably trigger these specific
>> error paths at runtime.
>>
>> Fixes: 7faac1953ed1 ("xhci: avoid race between disable slot command
>> and host runtime suspend") CC: stable@...r.kernel.org
>> Signed-off-by: Zilin Guan <zilin@....edu.cn>
> 
> This looks like correct fix to an actual bug, but it seems that it has
> been missed? I see it neither in usb-next nor usb-linus or mainline.
> 
> The leak is still there, even if arguably a small and rare one.

Thanks for the reminder.
We are so late in the cycle now that I'll send it after rc1

Thanks
Mathias

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ