Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp1614738pxp; Sat, 12 Mar 2022 16:01:48 -0800 (PST) X-Google-Smtp-Source: ABdhPJwfmjdgVv1f7s8t85w212+6DiYHB6NvHC8PEblk4xl1QE5/LEzC6M0B5J6A7PO8+uxnP4xy X-Received: by 2002:a17:906:1b4e:b0:6da:d7ed:f3e0 with SMTP id p14-20020a1709061b4e00b006dad7edf3e0mr14177295ejg.721.1647129708460; Sat, 12 Mar 2022 16:01:48 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1647129708; cv=none; d=google.com; s=arc-20160816; b=vIVWRZW2O0aY8FxsJwtFftGrJydoRBApkl1E4nQz6UpxRQRAxnW/tshvt7MmzxFEFW U74uwe3d9IlSxduymELFR6QDrtxgC9Zs0iez0TgMgxB0QSF6sYWiqyvxTrvM/zwt33aT FK2CeiAnfMDw5sfqdxOxOk4Uhkd6LV9Wh8xUH+xVihoOqLkg/BS8adyQwV9bKYketC3F KY9nw/s0SdiF3ntlvisRr/Gk5syScb//zukWpDbuiCtEIOc5hzruSHgt99O9XA/2TvOT 2rJwebDQgZGMCLj8XTvgz0l5wvsiKxID1JaUroL6N93GTAetjsdbT67ME+B3om9cAkSv HI2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date; bh=VwKjFUZ+Q7IgPUKN3M/XUyE+qH1TWfjHFJYqpneW3iQ=; b=Lzg7YRwjF71YB/lRZEWkUmwXaQ+fIKw2Dfst7pJwt6NWarNXauOIOtR1Yfg/M3GPwT 5g5vFa7XdzIG7tIzwBbBHSHTrotwri/ycDQJVVaZnRdHaNcFpdTn9igdFZOQhYLAIVph 9G08rYG5RDXPVkxW9w8DxLJPHKuQS52n5yLsnk5zQxQFCOnaSlk/nu4sznFa0UONxT8y M8gRtj1zepaYWBg56xa7dqGp/sjkzsK01wd1kNXOstn9+oyf0D/Wu0xjrzwUGSdyx6Ae Pu2uXpuFdsFYv0InqyS42Mz+gziOOUvkLPzCsPuxRd0cDsfuRNqZpHdWUlheafBa9pfE mc5A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id r7-20020aa7cb87000000b00412d5ff5f19si6746635edt.436.2022.03.12.16.01.17; Sat, 12 Mar 2022 16:01:48 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230232AbiCLP07 (ORCPT + 99 others); Sat, 12 Mar 2022 10:26:59 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:54008 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231791AbiCLP06 (ORCPT ); Sat, 12 Mar 2022 10:26:58 -0500 Received: from netrider.rowland.org (netrider.rowland.org [192.131.102.5]) by lindbergh.monkeyblade.net (Postfix) with SMTP id DA5855C35A for ; Sat, 12 Mar 2022 07:25:52 -0800 (PST) Received: (qmail 1618232 invoked by uid 1000); 12 Mar 2022 10:25:52 -0500 Date: Sat, 12 Mar 2022 10:25:52 -0500 From: Alan Stern To: Pavel Skripkin Cc: syzbot , gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, pavel.hofman@ivitera.com, rob@robgreener.com, syzkaller-bugs@googlegroups.com Subject: Re: [syzbot] memory leak in usb_get_configuration Message-ID: References: <000000000000351b8605d9d1d1bf@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,SPF_HELO_PASS,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Mar 12, 2022 at 06:08:18PM +0300, Pavel Skripkin wrote: > Hi Alan, > > On 3/12/22 00:01, Alan Stern wrote: > > On Wed, Mar 09, 2022 at 03:54:24PM -0800, syzbot wrote: > > > Hello, > > > > > > syzbot found the following issue on: > > > > > > HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew) > > > git tree: upstream > > > console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32 > > > dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9 > > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2 > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000 > > > > > > IMPORTANT: if you fix the issue, please add the following tag to the commit: > > > Reported-by: syzbot+f0fae482604e6d9a87c9@syzkaller.appspotmail.com > > > > > > BUG: memory leak > > > unreferenced object 0xffff88810c0289e0 (size 32): > > > comm "kworker/1:2", pid 139, jiffies 4294947862 (age 15.910s) > > > hex dump (first 32 bytes): > > > 09 02 12 00 01 00 00 00 00 09 04 00 00 00 d0 bb ................ > > > 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :............... > > > backtrace: > > > [] kmalloc include/linux/slab.h:586 [inline] > > > [] usb_get_configuration+0x1c7/0x1cd0 drivers/usb/core/config.c:919 > > > [] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline] > > > [] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536 > > > [] hub_port_connect drivers/usb/core/hub.c:5358 [inline] > > > [] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline] > > > [] port_event drivers/usb/core/hub.c:5660 [inline] > > > [] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742 > > > [] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307 > > > [] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454 > > > [] kthread+0x125/0x160 kernel/kthread.c:377 > > > [] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295 > > > > The console log shows that this is connected to gspca_dev_probe. Let's > > see who's calling it... > > > > The execution path is more complicated. I've done some debugging, but no > luck with root case... Just want to share what I found and maybe it will > help. > > Firsly syzbot connects carl9170 device (usb ids from the log). > carl9170_usb_probe() calls usb_reset_device() which fails with -19. If I > remove this usb_reset_device() call then issue is no more reproducible. > > Then 2 other probes are called: usbtest and spca501. spca501 calls > gspca_dev_probe(), but it fails early and I do not suspect this driver. > usbtest probe function also looks correct, so I do not suspect this driver > as well. > > Looks like the issue either in usb_reset_device() call or somewhere in usb > internals Okay, thanks for the information. Is there any reason for carl9170_usb_probe to do a reset? I can't imagine why that would be needed. Maybe the simplest solution is just to remove the reset. Unfortunately, that won't tell us where the extra reference is coming from. Here's one thing you could do if you want to continue your debugging: At the start of the probe routines for carl9170, usbtest, and spca501, add code to print in the kernel log the reference count value for the usb_device and usb_interface. Maybe you'll be able to see where the refcount goes up. Alan Stern