Re: [syzbot] memory leak in usb_get_configuration
From: Alan Stern
Date: Sat Mar 12 2022 - 10:25:56 EST
On Sat, Mar 12, 2022 at 06:08:18PM +0300, Pavel Skripkin wrote:
> Hi Alan,
>
> On 3/12/22 00:01, Alan Stern wrote:
> > On Wed, Mar 09, 2022 at 03:54:24PM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
> > > git tree: upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
> > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
> > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+f0fae482604e6d9a87c9@xxxxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > BUG: memory leak
> > > unreferenced object 0xffff88810c0289e0 (size 32):
> > > comm "kworker/1:2", pid 139, jiffies 4294947862 (age 15.910s)
> > > hex dump (first 32 bytes):
> > > 09 02 12 00 01 00 00 00 00 09 04 00 00 00 d0 bb ................
> > > 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 :...............
> > > backtrace:
> > > [<ffffffff82c98127>] kmalloc include/linux/slab.h:586 [inline]
> > > [<ffffffff82c98127>] usb_get_configuration+0x1c7/0x1cd0 drivers/usb/core/config.c:919
> > > [<ffffffff82c863f9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
> > > [<ffffffff82c863f9>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2536
> > > [<ffffffff82c88ea4>] hub_port_connect drivers/usb/core/hub.c:5358 [inline]
> > > [<ffffffff82c88ea4>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
> > > [<ffffffff82c88ea4>] port_event drivers/usb/core/hub.c:5660 [inline]
> > > [<ffffffff82c88ea4>] hub_event+0x1364/0x21a0 drivers/usb/core/hub.c:5742
> > > [<ffffffff8126a41f>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
> > > [<ffffffff8126ad49>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
> > > [<ffffffff81274705>] kthread+0x125/0x160 kernel/kthread.c:377
> > > [<ffffffff810021ef>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
> >
> > The console log shows that this is connected to gspca_dev_probe. Let's
> > see who's calling it...
> >
>
> The execution path is more complicated. I've done some debugging, but no
> luck with root case... Just want to share what I found and maybe it will
> help.
>
> Firsly syzbot connects carl9170 device (usb ids from the log).
> carl9170_usb_probe() calls usb_reset_device() which fails with -19. If I
> remove this usb_reset_device() call then issue is no more reproducible.
>
> Then 2 other probes are called: usbtest and spca501. spca501 calls
> gspca_dev_probe(), but it fails early and I do not suspect this driver.
> usbtest probe function also looks correct, so I do not suspect this driver
> as well.
>
> Looks like the issue either in usb_reset_device() call or somewhere in usb
> internals
Okay, thanks for the information.
Is there any reason for carl9170_usb_probe to do a reset? I can't
imagine why that would be needed. Maybe the simplest solution is just
to remove the reset.
Unfortunately, that won't tell us where the extra reference is coming
from. Here's one thing you could do if you want to continue your
debugging: At the start of the probe routines for carl9170, usbtest, and
spca501, add code to print in the kernel log the reference count value
for the usb_device and usb_interface. Maybe you'll be able to see where
the refcount goes up.
Alan Stern