Date: Mon, 1 May 2023 15:16:45 -0400
From: Alan Stern
To: syzbot
Cc: gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, rafael@kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [usb?] memory leak in class_create

On Mon, May 01, 2023 at 09:53:45AM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: 22b8cc3e78f5 Merge tag 'x86_mm_for_6.4' of git://git.kerne..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=16fc7958280000
> kernel config: https://syzkaller.appspot.com/x/.config?x=5046ebeca744dd40
> dashboard link: https://syzkaller.appspot.com/bug?extid=e7afd76ad060fa0d2605
> compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1599a2b4280000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14eb395fc80000
>
> Downloadable assets:
> disk image: https://storage.googleapis.com/syzbot-assets/3ad2088c196b/disk-22b8cc3e.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/61919a5b89c6/vmlinux-22b8cc3e.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/a7adb5503ac8/bzImage-22b8cc3e.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+e7afd76ad060fa0d2605@syzkaller.appspotmail.com
>
> BUG: memory leak
> unreferenced object 0xffff88810af67080 (size 96):
>   comm "kworker/0:2", pid 4402, jiffies 4294950769 (age 14.190s)
>   hex dump (first 32 bytes):
>     bf 03 9b 85 ff ff ff ff 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [] kmalloc_trace+0x24/0x90 mm/slab_common.c:1057
>     [] kmalloc include/linux/slab.h:559 [inline]
>     [] kzalloc include/linux/slab.h:680 [inline]
>     [] class_create+0x25/0x90 drivers/base/class.c:261
>     [] init_usb_class drivers/usb/core/file.c:91 [inline]
>     [] usb_register_dev+0x290/0x3d0 drivers/usb/core/file.c:179
>     [] usblp_probe+0x4e4/0x750 drivers/usb/class/usblp.c:1208
>     [] usb_probe_interface+0x179/0x3c0 drivers/usb/core/driver.c:396
>     [] call_driver_probe drivers/base/dd.c:579 [inline]
>     [] really_probe+0x12d/0x430 drivers/base/dd.c:658
>     [] __driver_probe_device+0xc1/0x1a0 drivers/base/dd.c:800
>     [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:830
>     [] __device_attach_driver+0xfb/0x150 drivers/base/dd.c:958
>     [] bus_for_each_drv+0xc1/0x110 drivers/base/bus.c:457
>     [] __device_attach+0x102/0x2a0 drivers/base/dd.c:1030
>     [] bus_probe_device+0xca/0xd0 drivers/base/bus.c:532
>     [] device_add+0x993/0xc60 drivers/base/core.c:3625
>     [] usb_set_configuration+0x9a9/0xc90 drivers/usb/core/message.c:2211
>     [] usb_generic_driver_probe+0xa1/0x100 drivers/usb/core/generic.c:238
>     [] usb_probe_device+0x60/0x140 drivers/usb/core/driver.c:293

There is definitely a memory leak in usb_register_dev()'s error pathways -- it doesn't call destroy_usb_class() -- but I don't think that is the cause of this bug.

Let's try some diagnostics.

Alan Stern

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ 22b8cc3e78f5

Index: usb-devel/drivers/usb/core/file.c =================================================================== --- usb-devel.orig/drivers/usb/core/file.c +++ usb-devel/drivers/usb/core/file.c 
@@ -209,6 +209,8 @@ int usb_register_dev(struct usb_interfac retval = PTR_ERR(intf->usb_dev); } up_write(&minor_rwsem); + dev_info(&intf->dev, "Post class create: refcount %d\n", + atomic_read(&usb_class->kref.refcount.refs)); return retval; } EXPORT_SYMBOL_GPL(usb_register_dev); @@ -242,6 +244,8 @@ void usb_deregister_dev(struct usb_inter intf->usb_dev = NULL; intf->minor = -1; + dev_info(&intf->dev, "Pre class destroy: refcount %d\n", + atomic_read(&usb_class->kref.refcount.refs)); destroy_usb_class(); } EXPORT_SYMBOL_GPL(usb_deregister_dev);
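
Review bot: in the usb_register_dev() hunk, the dev_info() sits after up_write(&minor_rwsem) on the common exit, so it also fires on the branch that sets retval = PTR_ERR(intf->usb_dev), where the "Post class create" label no longer says whether registration succeeded. Include retval in the message so traces from failed and successful probes can be told apart. The read also reaches through usb_class->kref.refcount.refs by hand; kref_read(&usb_class->kref) with %u gives the same value without depending on the kref layout.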
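
Review bot: in the usb_deregister_dev() hunk, usb_class is dereferenced unconditionally right before destroy_usb_class(), and nothing in the visible context holds a lock or a reference across the read. If another interface can be deregistered concurrently, the final put can free the object between the two callers, and the diagnostic itself becomes a read of freed memory. For a throwaway syzbot test that may be acceptable, but the print is safer inside destroy_usb_class() next to the put, or at least guarded by a check that usb_class is non-NULL.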