2022-03-10 10:08:19

by syzbot

Subject: [syzbot] memory leak in usb_get_configuration

Hello,

syzbot found the following issue on:

HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]

BUG: memory leak
unreferenced object 0xffff88810c0289e0 (size 32):
comm "kworker/1:2", pid 139, jiffies 4294947862 (age 15.910s)
hex dump (first 32 bytes):
09 02 12 00 01 00 00 00 00 09 04 00 00 00 d0 bb ................
3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :...............
backtrace:
[<ffffffff82c98127>] kmalloc include/linux/slab.h:586 [inline]
[<ffffffff82c98127>] usb_get_configuration+0x1c7/0x1cd0 drivers/usb/core/config.c:919
[<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
[<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
[<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
[<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
[<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
[<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
[<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
[<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
[<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
[<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

BUG: memory leak
unreferenced object 0xffff88810a600f40 (size 64):
comm "kworker/1:2", pid 139, jiffies 4294947866 (age 15.870s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 09 04 00 00 00 d0 bb 3a ...............:
00 00 00 00 00 00 00 00 f2 89 02 0c 81 88 ff ff ................
backtrace:
[<ffffffff82c9871d>] kmalloc include/linux/slab.h:586 [inline]
[<ffffffff82c9871d>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff82c9871d>] usb_parse_configuration drivers/usb/core/config.c:772 [inline]
[<ffffffff82c9871d>] usb_get_configuration+0x7bd/0x1cd0 drivers/usb/core/config.c:944
[<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
[<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
[<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
[<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
[<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
[<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
[<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
[<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
[<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
[<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295



---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches


2022-03-10 13:00:09

by Oliver Neukum

Subject: Re: [syzbot] memory leak in usb_get_configuration


On 10.03.22 00:54, syzbot wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
> kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
> dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0014404f9c18

 


Attachments:
0001-USB-hub-fix-memory-leak-on-failure-of-usb_get_config.patch (1.36 kB)

2022-03-10 16:01:10

by syzbot

Subject: Re: [syzbot] memory leak in usb_get_configuration

>
> On 10.03.22 00:54, syzbot wrote:
>
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
>> dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: [email protected]
>>
> #syz test: upstream 0014404f9c18

"upstream" does not look like a valid git repo address.

>
>  

2022-03-10 16:49:36

by Oliver Neukum

Subject: Re: [syzbot] memory leak in usb_get_configuration


On 10.03.22 00:54, syzbot wrote:

> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
> kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
> dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
#syz test: upstream 0014404f9c18

 


Attachments:
0001-USB-hub-fix-memory-leak-on-failure-of-usb_get_config.patch (1.36 kB)

2022-03-10 21:31:38

by syzbot

Subject: Re: [syzbot] memory leak in usb_get_configuration

Hello,

syzbot tried to test the proposed patch but the build/boot failed:

[ 5.628888][ T1] BUG: kernel NULL pointer dereference, address: 0000000000000004
[ 5.630204][ T1] #PF: supervisor read access in kernel mode
[ 5.631138][ T1] #PF: error_code(0x0000) - not-present page
[ 5.632065][ T1] PGD 0 P4D 0
[ 5.632713][ T1] Oops: 0000 [#1] PREEMPT SMP
[ 5.633380][ T1] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc6-syzkaller-00242-g0014404f9c18-dirty #0
[ 5.635094][ T1] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 5.636772][ T1] RIP: 0010:usb_choose_configuration.part.0+0x1d0/0x4c0
[ 5.637898][ T1] Code: bf 6b fe 41 39 ed 0f 8e ae 01 00 00 49 83 c4 01 83 c5 01 48 81 c3 a8 02 00 00 48 8d 83 58 fd ff ff 48 89 04 24 e8 e0 ba 6b fe <44> 0f b6 bb 5c fd ff ff 31 ff 44 89 fe e8 9e c0 6b fe 45 84 ff 0f
[ 5.638381][ T1] RSP: 0000:ffffc90000e737d8 EFLAGS: 00010293
[ 5.638381][ T1] RAX: 0000000000000000 RBX: 00000000000002a8 RCX: 0000000000000000
[ 5.638381][ T1] RDX: ffff88810121e040 RSI: ffffffff82ca46e0 RDI: 0000000000000003
[ 5.638381][ T1] RBP: 0000000000000001 R08: 0000000000000004 R09: 0000000000000000
[ 5.638381][ T1] R10: ffffffff82ca4562 R11: 0000000000000000 R12: 0000000000000000
[ 5.638381][ T1] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 5.638381][ T1] FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
[ 5.638381][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.638381][ T1] CR2: 0000000000000004 CR3: 0000000005a29000 CR4: 00000000003506e0
[ 5.638381][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 5.638381][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 5.638381][ T1] Call Trace:
[ 5.638381][ T1] <TASK>
[ 5.638381][ T1] ? kernfs_create_link+0xb5/0xf0
[ 5.638381][ T1] usb_generic_driver_probe+0x52/0xc0
[ 5.638381][ T1] usb_probe_device+0x5c/0x140
[ 5.638381][ T1] ? unbind_marked_interfaces.isra.0+0xb0/0xb0
[ 5.638381][ T1] really_probe.part.0+0xe7/0x380
[ 5.638381][ T1] __driver_probe_device+0x10c/0x1e0
[ 5.638381][ T1] driver_probe_device+0x2a/0x120
[ 5.638381][ T1] __device_attach_driver+0xf6/0x140
[ 5.638381][ T1] ? driver_allows_async_probing+0x90/0x90
[ 5.638381][ T1] bus_for_each_drv+0xb7/0x100
[ 5.638381][ T1] __device_attach+0x122/0x260
[ 5.638381][ T1] bus_probe_device+0xc6/0xe0
[ 5.638381][ T1] device_add+0x5fb/0xdf0
[ 5.638381][ T1] ? _raw_spin_unlock_irqrestore+0x24/0x40
[ 5.638381][ T1] ? add_device_randomness+0xa8/0x2c0
[ 5.638381][ T1] usb_new_device.cold+0x10f/0x58e
[ 5.638381][ T1] usb_add_hcd.cold+0x651/0x8ec
[ 5.638381][ T1] dummy_hcd_probe+0xee/0x1d5
[ 5.638381][ T1] ? dummy_hcd_suspend.cold+0x20/0x20
[ 5.638381][ T1] platform_probe+0x81/0x120
[ 5.638381][ T1] ? platform_remove+0x50/0x50
[ 5.638381][ T1] really_probe.part.0+0xe7/0x380
[ 5.638381][ T1] __driver_probe_device+0x10c/0x1e0
[ 5.638381][ T1] driver_probe_device+0x2a/0x120
[ 5.638381][ T1] __device_attach_driver+0xf6/0x140
[ 5.638381][ T1] ? driver_allows_async_probing+0x90/0x90
[ 5.638381][ T1] bus_for_each_drv+0xb7/0x100
[ 5.638381][ T1] __device_attach+0x122/0x260
[ 5.638381][ T1] bus_probe_device+0xc6/0xe0
[ 5.638381][ T1] device_add+0x5fb/0xdf0
[ 5.638381][ T1] ? dev_set_name+0x63/0x90
[ 5.638381][ T1] platform_device_add+0x1d7/0x320
[ 5.638381][ T1] init+0x323/0x5ef
[ 5.638381][ T1] ? usb_udc_init+0x78/0x78
[ 5.638381][ T1] do_one_initcall+0x63/0x2e0
[ 5.638381][ T1] kernel_init_freeable+0x255/0x2cf
[ 5.638381][ T1] ? rest_init+0xd0/0xd0
[ 5.638381][ T1] kernel_init+0x1a/0x1c0
[ 5.638381][ T1] ? rest_init+0xd0/0xd0
[ 5.638381][ T1] ret_from_fork+0x1f/0x30
[ 5.638381][ T1] </TASK>
[ 5.638381][ T1] Modules linked in:
[ 5.638381][ T1] CR2: 0000000000000004
[ 5.638381][ T1] ---[ end trace 0000000000000000 ]---
[ 5.638381][ T1] RIP: 0010:usb_choose_configuration.part.0+0x1d0/0x4c0
[ 5.638381][ T1] Code: bf 6b fe 41 39 ed 0f 8e ae 01 00 00 49 83 c4 01 83 c5 01 48 81 c3 a8 02 00 00 48 8d 83 58 fd ff ff 48 89 04 24 e8 e0 ba 6b fe <44> 0f b6 bb 5c fd ff ff 31 ff 44 89 fe e8 9e c0 6b fe 45 84 ff 0f
[ 5.638381][ T1] RSP: 0000:ffffc90000e737d8 EFLAGS: 00010293
[ 5.638381][ T1] RAX: 0000000000000000 RBX: 00000000000002a8 RCX: 0000000000000000
[ 5.638381][ T1] RDX: ffff88810121e040 RSI: ffffffff82ca46e0 RDI: 0000000000000003
[ 5.638381][ T1] RBP: 0000000000000001 R08: 0000000000000004 R09: 0000000000000000
[ 5.638381][ T1] R10: ffffffff82ca4562 R11: 0000000000000000 R12: 0000000000000000
[ 5.638381][ T1] R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
[ 5.638381][ T1] FS: 0000000000000000(0000) GS:ffff88813bd00000(0000) knlGS:0000000000000000
[ 5.638381][ T1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 5.638381][ T1] CR2: 0000000000000004 CR3: 0000000005a29000 CR4: 00000000003506e0
[ 5.638381][ T1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 5.638381][ T1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 5.638381][ T1] Kernel panic - not syncing: Fatal exception
[ 5.638381][ T1] Kernel Offset: disabled
[ 5.638381][ T1] Rebooting in 86400 seconds..


Error text is too large and was truncated, full error text is at:
https://syzkaller.appspot.com/x/error.txt?x=125ae129700000


Tested on:

commit: 0014404f Merge branch 'akpm' (patches from Andrew)
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10e87036700000

2022-03-11 22:47:56

by Alan Stern

Subject: Re: [syzbot] memory leak in usb_get_configuration

On Thu, Mar 10, 2022 at 10:51:42AM +0100, Oliver Neukum wrote:
>
> On 10.03.22 00:54, syzbot wrote:
>
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
> > dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: [email protected]
> >
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0014404f9c18
>
> ?

> From 785609ab0d95c753dc31267b3c4da585c16e0274 Mon Sep 17 00:00:00 2001
> From: Oliver Neukum <[email protected]>
> Date: Thu, 10 Mar 2022 10:40:36 +0100
> Subject: [PATCH] USB: hub: fix memory leak on failure of usb_get_config
>
> kfree()s on the error path need to be added.

No, they don't. The config and rawdescriptors buffers get freed later
on in usb_destroy_configuration().

This problem is something else. Probably whatever driver is calling
gspca_probe() (see the console log) is taking a reference to the
usb_device or usb_interface and then failing to release that reference
on its error path.

Alan Stern

> Signed-off-by: Oliver Neukum <[email protected]>
> ---
> drivers/usb/core/config.c | 17 +++++++++++++----
> 1 file changed, 13 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 48bc8a4814ac..548ce5ca6847 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -885,12 +885,16 @@ int usb_get_configuration(struct usb_device *dev)
>
> length = ncfg * sizeof(char *);
> dev->rawdescriptors = kzalloc(length, GFP_KERNEL);
> - if (!dev->rawdescriptors)
> - return -ENOMEM;
> + if (!dev->rawdescriptors) {
> + result = -ENOMEM;
> + goto err2;
> + }
>
> desc = kmalloc(USB_DT_CONFIG_SIZE, GFP_KERNEL);
> - if (!desc)
> - return -ENOMEM;
> + if (!desc) {
> + result = -ENOMEM;
> + goto err2;
> + }
>
> for (cfgno = 0; cfgno < ncfg; cfgno++) {
> /* We grab just the first descriptor so we know how long
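Review bot: the two -ENOMEM returns turned into `goto err2` here now free dev->rawdescriptors and dev->config, but as Alan points out above those buffers are released later by usb_destroy_configuration(), so this hunk does not touch the reported leak. kmemleak's backtraces name where the objects were allocated (config.c:919 and config.c:944), not the path on which their owner was lost, so these allocation-failure exits are not implicated by the report; if the hunk is kept, the commit message should explain why the existing late cleanup is insufficient.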
> @@ -952,6 +956,11 @@ int usb_get_configuration(struct usb_device *dev)
> err:
> kfree(desc);
> dev->descriptor.bNumConfigurations = cfgno;
> +err2:
> + kfree(dev->rawdescriptors);
> + kfree(dev->config);
> + dev->rawdescriptors = NULL;
> + dev->config = NULL;
>
> return result;
> }
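Review bot: the new `err2:` block is entered by fallthrough from `err:`, so the unconditional kfree() and NULL-ing of dev->config and dev->rawdescriptors run on every exit through `err:`, including any exit where `result` is not an error, right after the line above has set dev->descriptor.bNumConfigurations to cfgno. That leaves a device with bNumConfigurations > 0 and dev->config == NULL, which is exactly what usb_choose_configuration() walks next and matches the NULL pointer dereference in usb_choose_configuration.part.0 that syzbot hit while booting the patched kernel (root hub probe under dummy_hcd). If the frees stay, guard them with `if (result < 0)` and reset bNumConfigurations to 0 in the same branch so the device is left consistent.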
> --
> 2.34.1
>
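Decoding the two kmemleak hex dumps from the report above, as an added triage example (written for this edit, not code from the thread or the kernel tree): the 32-byte object decodes as a raw configuration descriptor (config.c:919) and the 64-byte one as a struct usb_interface_cache (config.c:772) whose kref is still 1 and whose `extra` pointer lands in the raw buffer exactly at wTotalLength, which fits Alan's point that both are owned by structures usb_destroy_configuration() releases later, so a leak of both means an owner reference was never dropped. The field offsets for usb_interface_cache are the x86_64 layout assumed by this example's author, not something stated in the thread.

```python
"""Decode the two leaked objects from the kmemleak report in this thread.

Added triage example, not code from the thread or the kernel tree. Field
offsets for the 64-byte object are the ASSUMED x86_64 layout of struct
usb_interface_cache: num_altsetting @0, kref @4, altsetting[0].desc @8,
extralen @20, extra @24 (see parse_interface_cache).
"""
import re
import struct

# Input: the two "unreferenced object" blocks copied verbatim from the report.
KMEMLEAK_REPORT = """
BUG: memory leak
unreferenced object 0xffff88810c0289e0 (size 32):
comm "kworker/1:2", pid 139, jiffies 4294947862 (age 15.910s)
hex dump (first 32 bytes):
09 02 12 00 01 00 00 00 00 09 04 00 00 00 d0 bb ................
3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :...............

BUG: memory leak
unreferenced object 0xffff88810a600f40 (size 64):
comm "kworker/1:2", pid 139, jiffies 4294947866 (age 15.870s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 09 04 00 00 00 d0 bb 3a ...............:
00 00 00 00 00 00 00 00 f2 89 02 0c 81 88 ff ff ................
"""

USB_DT_CONFIG = 0x02
USB_DT_INTERFACE = 0x04
_OBJ_RE = re.compile(r"unreferenced object 0x([0-9a-f]+) \(size (\d+)\)")
_HEX_RE = re.compile(r"^\s*((?:[0-9a-f]{2} ){15}[0-9a-f]{2}) ", re.M)


def parse_kmemleak(text):
    """Split a kmemleak log into (address, size, dumped_bytes) tuples."""
    objs = []
    for chunk in text.split("BUG: memory leak"):
        m = _OBJ_RE.search(chunk)
        if not m:
            continue
        dumped = bytes(int(tok, 16)
                       for line in _HEX_RE.findall(chunk) for tok in line.split())
        objs.append((int(m.group(1), 16), int(m.group(2)), dumped))
    return objs


def parse_descriptors(buf):
    """Walk standard USB descriptors (bLength, bDescriptorType, ...) in buf.
    A configuration descriptor bounds the walk at its wTotalLength."""
    out, off, end = [], 0, len(buf)
    while off + 2 <= end:
        blen, btype = buf[off], buf[off + 1]
        if blen < 2 or off + blen > end:
            break  # zero padding or a truncated descriptor ends the chain
        d = {"bLength": blen, "bDescriptorType": btype}
        if btype == USB_DT_CONFIG and blen >= 9:
            (d["wTotalLength"], d["bNumInterfaces"], d["bConfigurationValue"],
             d["iConfiguration"], d["bmAttributes"],
             d["bMaxPower"]) = struct.unpack_from("<HBBBBB", buf, off + 2)
            end = min(end, off + d["wTotalLength"])
        elif btype == USB_DT_INTERFACE and blen >= 9:
            (d["bInterfaceNumber"], d["bAlternateSetting"], d["bNumEndpoints"],
             d["bInterfaceClass"], d["bInterfaceSubClass"], d["bInterfaceProtocol"],
             d["iInterface"]) = struct.unpack_from("<7B", buf, off + 2)
        out.append(d)
        off += blen
    return out


def parse_interface_cache(buf):
    """Decode the head of a leaked struct usb_interface_cache (assumed layout)."""
    if len(buf) < 32:
        raise ValueError("need the first 32 bytes of the object")
    num_altsetting, refcount = struct.unpack_from("<II", buf, 0)  # kref.refcount @4
    (extralen,) = struct.unpack_from("<i", buf, 20)
    (extra,) = struct.unpack_from("<Q", buf, 24)  # unsigned char *extra
    desc = parse_descriptors(buf[8:17])  # altsetting[0].desc, 9 bytes
    return {"num_altsetting": num_altsetting, "kref": refcount,
            "desc": desc[0] if desc else None, "extralen": extralen, "extra": extra}


def triage(report=KMEMLEAK_REPORT):
    """Relate the two objects: an interface cache whose refcount is still held
    and whose `extra` pointer lands inside the leaked raw descriptor buffer."""
    objs = parse_kmemleak(report)
    raw = next(o for o in objs if o[1] == 32)
    cache = next(o for o in objs if o[1] == 64)
    descs = parse_descriptors(raw[2])
    ic = parse_interface_cache(cache[2])
    extra_off = ic["extra"] - raw[0]
    return {"raw_addr": raw[0], "descriptors": descs, "intf_cache": ic,
            "extra_offset": extra_off,
            "extra_points_into_raw": 0 <= extra_off <= raw[1],
            "extra_at_wTotalLength": bool(descs) and extra_off == descs[0].get("wTotalLength")}


if __name__ == "__main__":
    print(triage())
```

Fed the dumps from syzbot's later test result instead (objects 0xffff8881128c0320 and 0xffff888108eeb640), the same decoding yields the same 0x12 offset between the interface cache's `extra` pointer and the raw buffer.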

2022-03-11 23:40:36

by Alan Stern

Subject: Re: [syzbot] memory leak in usb_get_configuration

On Wed, Mar 09, 2022 at 03:54:24PM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
> kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
> dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: [email protected]
>
> BUG: memory leak
> unreferenced object 0xffff88810c0289e0 (size 32):
> comm "kworker/1:2", pid 139, jiffies 4294947862 (age 15.910s)
> hex dump (first 32 bytes):
> 09 02 12 00 01 00 00 00 00 09 04 00 00 00 d0 bb ................
> 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :...............
> backtrace:
> [<ffffffff82c98127>] kmalloc include/linux/slab.h:586 [inline]
> [<ffffffff82c98127>] usb_get_configuration+0x1c7/0x1cd0 drivers/usb/core/config.c:919
> [<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
> [<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
> [<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
> [<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
> [<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
> [<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
> [<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
> [<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
> [<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
> [<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

The console log shows that this is connected to gspca_dev_probe. Let's
see who's calling it...

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 0014404f9c18

Index: usb-devel/drivers/media/usb/gspca/gspca.c
===================================================================
--- usb-devel.orig/drivers/media/usb/gspca/gspca.c
+++ usb-devel/drivers/media/usb/gspca/gspca.c
@@ -1599,6 +1599,7 @@ int gspca_dev_probe(struct usb_interface
if (dev->descriptor.bNumConfigurations != 1) {
pr_err("%04x:%04x too many config\n",
id->idVendor, id->idProduct);
+ dump_stack();
return -ENODEV;
}
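Review bot: dump_stack() here is diagnosis only: it does not change the -ENODEV return, so a #syz test run with it applied is expected to still report the leak (as syzbot's follow-up shows) and its value is the call chain it prints into the console log, which identifies the gspca subdriver that reached this check. Not for merging as is; if the trace is wanted for longer than one test run, a WARN_ONCE() keyed on this condition would avoid repeating the dump on every probe of a multi-configuration device.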

2022-03-11 23:45:33

by syzbot

Subject: Re: [syzbot] memory leak in usb_get_configuration

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in usb_get_configuration

BUG: memory leak
unreferenced object 0xffff8881128c0320 (size 32):
comm "kworker/1:1", pid 25, jiffies 4294943657 (age 15.110s)
hex dump (first 32 bytes):
09 02 12 00 01 00 00 00 00 09 04 00 00 00 d0 bb ................
3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :...............
backtrace:
[<ffffffff82c98127>] kmalloc include/linux/slab.h:586 [inline]
[<ffffffff82c98127>] usb_get_configuration+0x1c7/0x1cd0 drivers/usb/core/config.c:919
[<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
[<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
[<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
[<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
[<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
[<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
[<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
[<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
[<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
[<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

BUG: memory leak
unreferenced object 0xffff888108eeb640 (size 64):
comm "kworker/1:1", pid 25, jiffies 4294943661 (age 15.080s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 09 04 00 00 00 d0 bb 3a ...............:
00 00 00 00 00 00 00 00 32 03 8c 12 81 88 ff ff ........2.......
backtrace:
[<ffffffff82c9871d>] kmalloc include/linux/slab.h:586 [inline]
[<ffffffff82c9871d>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff82c9871d>] usb_parse_configuration drivers/usb/core/config.c:772 [inline]
[<ffffffff82c9871d>] usb_get_configuration+0x7bd/0x1cd0 drivers/usb/core/config.c:944
[<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
[<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
[<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
[<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
[<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
[<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
[<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
[<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
[<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
[<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

BUG: memory leak
unreferenced object 0xffff888112a7bf00 (size 64):
comm "kworker/1:2", pid 1569, jiffies 4294944314 (age 8.550s)
hex dump (first 32 bytes):
01 00 00 00 01 00 00 00 09 04 00 00 00 d0 bb 3a ...............:
00 00 00 00 00 00 00 00 52 66 72 12 81 88 ff ff ........Rfr.....
backtrace:
[<ffffffff82c9871d>] kmalloc include/linux/slab.h:586 [inline]
[<ffffffff82c9871d>] kzalloc include/linux/slab.h:714 [inline]
[<ffffffff82c9871d>] usb_parse_configuration drivers/usb/core/config.c:772 [inline]
[<ffffffff82c9871d>] usb_get_configuration+0x7bd/0x1cd0 drivers/usb/core/config.c:944
[<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
[<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
[<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
[<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
[<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
[<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
[<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
[<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
[<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
[<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295

Tested on:

commit: 0014404f Merge branch 'akpm' (patches from Andrew)
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
console output: https://syzkaller.appspot.com/x/log.txt?x=155954d9700000
kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1005e709700000
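
Decoding the two leaked objects from their hex dumps is worth doing before chasing refcounts. The 32-byte object allocated at config.c:919 is the raw configuration descriptor the device returned: a 9-byte configuration descriptor (bDescriptorType 0x02, wTotalLength 0x0012 = 18, bNumInterfaces 1) followed by one 9-byte interface descriptor (bDescriptorType 0x04, bNumEndpoints 0, class/subclass/protocol 0xd0/0xbb/0x3a). The 64-byte object kzalloc'ed at config.c:772 starts with 01 00 00 00 01 00 00 00 and then the same interface descriptor, which is consistent with a struct usb_interface_cache (num_altsetting 1, a kref count of 1, then altsetting[0].desc); that identification is an inference from the layout, not something the report states. Both buffers belong to the device's parsed configuration and are normally released together with the usb_device, which fits the undropped-reference hypothesis discussed later in the thread. The following is an added example, not code from the thread or from the kernel: a userspace walk over such a raw descriptor buffer that applies the same kind of bLength/wTotalLength bounds checks usb_parse_configuration() applies to device-supplied bytes. The sample input is taken from the report's hex dump; the overlong variant and all names are constructed for illustration.

```c
/* Added example (not from the thread or the kernel): a userspace walk over
 * a raw USB configuration descriptor applying the bLength/wTotalLength checks
 * usb_parse_configuration() does before trusting device-supplied bytes. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define USB_DT_CONFIG         0x02
#define USB_DT_INTERFACE      0x04
#define USB_DT_CONFIG_SIZE    9
#define USB_DT_INTERFACE_SIZE 9

struct cfg_summary {
    uint16_t total_length;    /* wTotalLength claimed by the config header */
    uint8_t  num_interfaces;  /* bNumInterfaces claimed by the header */
    int      interfaces_seen; /* interface descriptors actually walked */
    uint8_t  if_class, if_subclass, if_protocol; /* of the first interface */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of descriptors walked, or a negative value when the
 * buffer is malformed. The walk is bounded by the bytes actually held, never
 * by what wTotalLength or a bLength field claims: a device can lie about both. */
int parse_config(const uint8_t *buf, size_t len, struct cfg_summary *out)
{
    memset(out, 0, sizeof(*out));
    if (len < USB_DT_CONFIG_SIZE || buf[0] < USB_DT_CONFIG_SIZE ||
        buf[1] != USB_DT_CONFIG)
        return -1;                          /* no usable config header */
    out->total_length   = le16(buf + 2);
    out->num_interfaces = buf[4];

    size_t limit = out->total_length < len ? out->total_length : len;
    size_t off   = buf[0];
    int ndesc = 1;
    while (off < limit) {
        size_t  remain = limit - off;
        uint8_t blen   = buf[off];
        if (remain < 2 || blen < 2)
            return -2;                      /* runt descriptor header */
        if (blen > remain)
            return -3;                      /* descriptor overruns the buffer */
        if (buf[off + 1] == USB_DT_INTERFACE) {
            if (blen < USB_DT_INTERFACE_SIZE)
                return -4;                  /* too short to be an interface */
            if (out->interfaces_seen++ == 0) {
                out->if_class    = buf[off + 5];
                out->if_subclass = buf[off + 6];
                out->if_protocol = buf[off + 7];
            }
        }                                   /* other descriptor types are skipped */
        off += blen;
        ndesc++;
    }
    return ndesc;
}

/* First 18 bytes of the leaked 32-byte object (config.c:919), as dumped. */
const uint8_t leaked_rawdesc[18] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x09, 0x04, 0x00, 0x00, 0x00, 0xd0, 0xbb, 0x3a, 0x00,
};
/* Constructed: same header, but the interface descriptor claims 32 bytes. */
const uint8_t overlong_desc[18] = {
    0x09, 0x02, 0x12, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x20, 0x04, 0x00, 0x00, 0x00, 0xd0, 0xbb, 0x3a, 0x00,
};

struct cfg_summary leaked_summary;       /* filled by parse_leaked_sample() */

int parse_leaked_sample(void)
{
    return parse_config(leaked_rawdesc, sizeof(leaked_rawdesc), &leaked_summary);
}

int main(void)
{
    struct cfg_summary s;
    int n = parse_leaked_sample();
    printf("descriptors=%d wTotalLength=%u bNumInterfaces=%u seen=%d class=%02x/%02x/%02x\n",
           n, leaked_summary.total_length, leaked_summary.num_interfaces,
           leaked_summary.interfaces_seen, leaked_summary.if_class,
           leaked_summary.if_subclass, leaked_summary.if_protocol);
    printf("overlong descriptor -> %d\n", parse_config(overlong_desc, sizeof(overlong_desc), &s));
    return 0;
}
```

Build with `cc -std=c99 -Wall -o usbdesc usbdesc.c && ./usbdesc`. The bound is `min(wTotalLength, bytes held)` rather than `wTotalLength` alone because the whole point of the kernel's two-step fetch (9-byte header first, then wTotalLength bytes) is that the second transfer may come back short or with a descriptor whose bLength runs past the end; the `-3` path is the case a fuzzed or hostile device triggers.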

2022-03-12 23:54:32

by Pavel Skripkin

[permalink] [raw]
Subject: Re: [syzbot] memory leak in usb_get_configuration

Hi Alan,

On 3/12/22 00:01, Alan Stern wrote:
> On Wed, Mar 09, 2022 at 03:54:24PM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
>> git tree: upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
>> kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
>> dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
>> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
>> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
>>
>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> Reported-by: [email protected]
>>
>> BUG: memory leak
>> unreferenced object 0xffff88810c0289e0 (size 32):
>> comm "kworker/1:2", pid 139, jiffies 4294947862 (age 15.910s)
>> hex dump (first 32 bytes):
>> 09 02 12 00 01 00 00 00 00 09 04 00 00 00 d0 bb ................
>> 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :...............
>> backtrace:
>> [<ffffffff82c98127>] kmalloc include/linux/slab.h:586 [inline]
>> [<ffffffff82c98127>] usb_get_configuration+0x1c7/0x1cd0 drivers/usb/core/config.c:919
>> [<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
>> [<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
>> [<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
>> [<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
>> [<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
>> [<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
>> [<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
>> [<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
>> [<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
>> [<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
>
> The console log shows that this is connected to gspca_dev_probe. Let's
> see who's calling it...
>

The execution path is more complicated. I've done some debugging, but no
luck with the root cause... Just want to share what I found; maybe it will
help.

Firstly, syzbot connects a carl9170 device (USB IDs from the log).
carl9170_usb_probe() calls usb_reset_device(), which fails with -19. If I
remove this usb_reset_device() call, the issue is no longer reproducible.

Then 2 other probes are called: usbtest and spca501. spca501 calls
gspca_dev_probe(), but it fails early, and I do not suspect this driver.
The usbtest probe function also looks correct, so I do not suspect this
driver either.

Looks like the issue is either in the usb_reset_device() call or somewhere
in USB internals.

With regards,
Pavel Skripkin

2022-03-13 00:01:48

by Alan Stern

[permalink] [raw]
Subject: Re: [syzbot] memory leak in usb_get_configuration

On Sat, Mar 12, 2022 at 06:08:18PM +0300, Pavel Skripkin wrote:
> Hi Alan,
>
> On 3/12/22 00:01, Alan Stern wrote:
> > On Wed, Mar 09, 2022 at 03:54:24PM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
> > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: [email protected]
> > >
> > > BUG: memory leak
> > > unreferenced object 0xffff88810c0289e0 (size 32):
> > > comm "kworker/1:2", pid 139, jiffies 4294947862 (age 15.910s)
> > > hex dump (first 32 bytes):
> > > 09 02 12 00 01 00 00 00 00 09 04 00 00 00 d0 bb ................
> > > 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :...............
> > > backtrace:
> > > [<ffffffff82c98127>] kmalloc include/linux/slab.h:586 [inline]
> > > [<ffffffff82c98127>] usb_get_configuration+0x1c7/0x1cd0 drivers/usb/core/config.c:919
> > > [<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
> > > [<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
> > > [<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
> > > [<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
> > > [<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
> > > [<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
> > > [<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
> > > [<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
> > > [<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
> > > [<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> >
> > The console log shows that this is connected to gspca_dev_probe. Let's
> > see who's calling it...
> >
>
> The execution path is more complicated. I've done some debugging, but no
> luck with the root cause... Just want to share what I found; maybe it will
> help.
>
> Firstly, syzbot connects a carl9170 device (USB IDs from the log).
> carl9170_usb_probe() calls usb_reset_device(), which fails with -19. If I
> remove this usb_reset_device() call, the issue is no longer reproducible.
>
> Then 2 other probes are called: usbtest and spca501. spca501 calls
> gspca_dev_probe(), but it fails early, and I do not suspect this driver.
> The usbtest probe function also looks correct, so I do not suspect this
> driver either.
>
> Looks like the issue is either in the usb_reset_device() call or somewhere
> in USB internals.

Okay, thanks for the information.

Is there any reason for carl9170_usb_probe to do a reset? I can't
imagine why that would be needed. Maybe the simplest solution is just
to remove the reset.

Unfortunately, that won't tell us where the extra reference is coming
from. Here's one thing you could do if you want to continue your
debugging: At the start of the probe routines for carl9170, usbtest, and
spca501, add code to print in the kernel log the reference count value
for the usb_device and usb_interface. Maybe you'll be able to see where
the refcount goes up.

Alan Stern

2022-03-14 08:00:39

by Pavel Skripkin

[permalink] [raw]
Subject: Re: [syzbot] memory leak in usb_get_configuration

Hi Alan,

On 3/12/22 18:25, Alan Stern wrote:
> On Sat, Mar 12, 2022 at 06:08:18PM +0300, Pavel Skripkin wrote:
>> Hi Alan,
>>
>> On 3/12/22 00:01, Alan Stern wrote:
>> > On Wed, Mar 09, 2022 at 03:54:24PM -0800, syzbot wrote:
>> > > Hello,
>> > >
>> > > syzbot found the following issue on:
>> > >
>> > > HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
>> > > git tree: upstream
>> > > console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
>> > > kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
>> > > dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
>> > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
>> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
>> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
>> > >
>> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
>> > > Reported-by: [email protected]
>> > >
>> > > BUG: memory leak
>> > > unreferenced object 0xffff88810c0289e0 (size 32):
>> > > comm "kworker/1:2", pid 139, jiffies 4294947862 (age 15.910s)
>> > > hex dump (first 32 bytes):
>> > > 09 02 12 00 01 00 00 00 00 09 04 00 00 00 d0 bb ................
>> > > 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :...............
>> > > backtrace:
>> > > [<ffffffff82c98127>] kmalloc include/linux/slab.h:586 [inline]
>> > > [<ffffffff82c98127>] usb_get_configuration+0x1c7/0x1cd0 drivers/usb/core/config.c:919
>> > > [<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
>> > > [<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
>> > > [<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
>> > > [<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
>> > > [<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
>> > > [<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
>> > > [<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
>> > > [<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
>> > > [<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
>> > > [<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
>> >
>> > The console log shows that this is connected to gspca_dev_probe. Let's
>> > see who's calling it...
>> >
>>
>> The execution path is more complicated. I've done some debugging, but no
>> luck with the root cause... Just want to share what I found; maybe it will
>> help.
>>
>> Firstly, syzbot connects a carl9170 device (USB IDs from the log).
>> carl9170_usb_probe() calls usb_reset_device(), which fails with -19. If I
>> remove this usb_reset_device() call, the issue is no longer reproducible.
>>
>> Then 2 other probes are called: usbtest and spca501. spca501 calls
>> gspca_dev_probe(), but it fails early, and I do not suspect this driver.
>> The usbtest probe function also looks correct, so I do not suspect this
>> driver either.
>>
>> Looks like the issue is either in the usb_reset_device() call or somewhere
>> in USB internals.
>
> Okay, thanks for the information.
>
> Is there any reason for carl9170_usb_probe to do a reset? I can't
> imagine why that would be needed. Maybe the simplest solution is just
> to remove the reset.
>

Can't say. The code was added 12 years ago.

> Unfortunately, that won't tell us where the extra reference is coming
> from. Here's one thing you could do if you want to continue your
> debugging: At the start of the probe routines for carl9170, usbtest, and
> spca501, add code to print in the kernel log the reference count value
> for the usb_device and usb_interface. Maybe you'll be able to see where
> the refcount goes up.
>

Unfortunately, the refcount for dev and inf stays the same at the beginning
of each probe function:

6 for dev
3 for inf

With regards,
Pavel Skripkin

2022-03-14 09:28:50

by Alan Stern

[permalink] [raw]
Subject: Re: [syzbot] memory leak in usb_get_configuration

On Sat, Mar 12, 2022 at 06:45:08PM +0300, Pavel Skripkin wrote:
> > Unfortunately, that won't tell us where the extra reference is coming
> > from. Here's one thing you could do if you want to continue your
> > debugging: At the start of the probe routines for carl9170, usbtest, and
> > spca501, add code to print in the kernel log the reference count value
> > for the usb_device and usb_interface. Maybe you'll be able to see where
> > the refcount goes up.
> >
>
> Unfortunately, the refcount for dev and inf stays the same at the beginning
> of each probe function:
>
> 6 for dev
> 3 for inf

Can you find out how those numbers compare with the values for actual
working USB devices?

Also, can you see what the device's refcount is just before the
device_add() call in usb_new_device() and just before the put_device()
call at the end of usb_disconnect() (both in drivers/usb/core/hub.c)?

If they are all consistent with each other, then my guess that something is
failing to drop a reference is probably wrong.

Alan Stern