* Re: memory leak in hub_event
From: Alan Stern @ 2020-11-23 21:53 UTC (permalink / raw)
To: syzbot, Mauro Carvalho Chehab, Hans Verkuil
Cc: linux-usb, linux-media, syzkaller-bugs
Quick summary: syzbot found a memory leak in the gspca driver,
apparently caused by a reference being taken but not released in a
probe failure pathway.
On Mon, Nov 23, 2020 at 12:48:08PM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> memory leak in usb_set_configuration
>
> BUG: memory leak
> unreferenced object 0xffff8881268a1800 (size 1024):
> comm "kworker/0:2", pid 3644, jiffies 4294944749 (age 12.820s)
> hex dump (first 32 bytes):
> 48 f3 6a 26 81 88 ff ff 48 f3 6a 26 81 88 ff ff H.j&....H.j&....
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace:
> [<0000000089bfe22c>] kmalloc include/linux/slab.h:552 [inline]
> [<0000000089bfe22c>] kzalloc include/linux/slab.h:664 [inline]
> [<0000000089bfe22c>] usb_set_configuration+0x18c/0xb90 drivers/usb/core/message.c:1987
> [<00000000207f81de>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238
> [<000000007aa490e0>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293
Okay, this does seem to pinpoint the problem. gspca_dev_probe2() calls
v4l2_device_register() at the start, but doesn't call
v4l2_device_disconnect() upon failure.
I'm not at all familiar with the design of the v4l2 subsystem. Mauro or
Hans: Is this the right solution?
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4d02da97
Index: usb-devel/drivers/media/usb/gspca/gspca.c
===================================================================
--- usb-devel.orig/drivers/media/usb/gspca/gspca.c
+++ usb-devel/drivers/media/usb/gspca/gspca.c
@@ -1575,6 +1575,7 @@ out:
input_unregister_device(gspca_dev->input_dev);
#endif
v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
+ v4l2_device_disconnect(&gspca_dev->v4l2_dev);
kfree(gspca_dev->usb_buf);
kfree(gspca_dev);
return ret;
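Review bot: the added v4l2_device_disconnect() call is not the symmetric counterpart of the v4l2_device_register() call this cleanup is meant to undo; that counterpart is v4l2_device_unregister(), which calls v4l2_device_disconnect() itself (as Hans points out later in the thread), so `v4l2_device_unregister(&gspca_dev->v4l2_dev);` here keeps register and unregister paired and makes the error path read like the normal teardown. The position is right either way: the call runs after the control handler is freed and before kfree(gspca_dev), which frees the struct that embeds v4l2_dev.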
* Re: memory leak in hub_event
From: syzbot @ 2020-11-23 22:09 UTC (permalink / raw)
To: hverkuil, linux-media, linux-usb, mchehab, stern, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in rxrpc_lookup_local
BUG: memory leak
unreferenced object 0xffff888117ab9900 (size 256):
comm "syz-executor.0", pid 8883, jiffies 4294943811 (age 433.620s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 0a 00 00 00 00 80 cb 17 81 88 ff ff ................
backtrace:
[<000000009003383a>] kmalloc include/linux/slab.h:552 [inline]
[<000000009003383a>] kzalloc include/linux/slab.h:664 [inline]
[<000000009003383a>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
[<000000009003383a>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
[<00000000609410d3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
[<00000000661f73ad>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
[<00000000e3eb5768>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
[<000000002c6bf109>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
[<000000009ce0aa62>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342
[<00000000db8c8dc2>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483
[<00000000b04b70a8>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110
[<000000005dc01eb8>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231
[<00000000422ec6bd>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949
[<0000000042f77bee>] __do_sys_unshare kernel/fork.c:3017 [inline]
[<0000000042f77bee>] __se_sys_unshare kernel/fork.c:3015 [inline]
[<0000000042f77bee>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015
[<00000000e58e69f9>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<000000000a67195e>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
write to /proc/sys/kernel/hung_task_check_interval_secs failed: No such file or directory
write to /proc/sys/kernel/softlockup_all_cpu_backtrace failed: No such file or directory
Tested on:
commit: 4d02da97 Merge tag 'net-5.10-rc5' of git://git.kernel.org/..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=123a6611500000
kernel config: https://syzkaller.appspot.com/x/.config?x=b29e92cdfa2687df
dashboard link: https://syzkaller.appspot.com/bug?extid=44e64397bd81d5e84cba
compiler: gcc (GCC) 10.1.0-syz 20200507
patch: https://syzkaller.appspot.com/x/patch.diff?x=11c4e969500000
* Re: memory leak in hub_event
From: Alan Stern @ 2020-11-23 22:24 UTC (permalink / raw)
To: syzbot; +Cc: hverkuil, linux-media, linux-usb, mchehab, syzkaller-bugs
On Mon, Nov 23, 2020 at 02:09:05PM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> memory leak in rxrpc_lookup_local
>
> BUG: memory leak
> unreferenced object 0xffff888117ab9900 (size 256):
> comm "syz-executor.0", pid 8883, jiffies 4294943811 (age 433.620s)
> hex dump (first 32 bytes):
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 0a 00 00 00 00 80 cb 17 81 88 ff ff ................
> backtrace:
> [<000000009003383a>] kmalloc include/linux/slab.h:552 [inline]
> [<000000009003383a>] kzalloc include/linux/slab.h:664 [inline]
> [<000000009003383a>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
> [<000000009003383a>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
> [<00000000609410d3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
> [<00000000661f73ad>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
> [<00000000e3eb5768>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
> [<000000002c6bf109>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
> [<000000009ce0aa62>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342
> [<00000000db8c8dc2>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483
> [<00000000b04b70a8>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110
> [<000000005dc01eb8>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231
> [<00000000422ec6bd>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949
> [<0000000042f77bee>] __do_sys_unshare kernel/fork.c:3017 [inline]
> [<0000000042f77bee>] __se_sys_unshare kernel/fork.c:3015 [inline]
> [<0000000042f77bee>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015
> [<00000000e58e69f9>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
> [<000000000a67195e>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Okay, that confirms it. This is a completely different memory leak, as
can be seen by comparing the stack trace with the previous one. The
problem with the gspca driver is gone.
Mauro/Hans, what should I do with the patch?
Alan Stern
* Re: memory leak in hub_event
From: Hans Verkuil @ 2020-11-24 11:38 UTC (permalink / raw)
To: Alan Stern, syzbot; +Cc: linux-media, linux-usb, mchehab, syzkaller-bugs
On 23/11/2020 23:24, Alan Stern wrote:
> On Mon, Nov 23, 2020 at 02:09:05PM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> memory leak in rxrpc_lookup_local
>>
>> BUG: memory leak
>> unreferenced object 0xffff888117ab9900 (size 256):
>> comm "syz-executor.0", pid 8883, jiffies 4294943811 (age 433.620s)
>> hex dump (first 32 bytes):
>> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
>> 00 00 00 00 0a 00 00 00 00 80 cb 17 81 88 ff ff ................
>> backtrace:
>> [<000000009003383a>] kmalloc include/linux/slab.h:552 [inline]
>> [<000000009003383a>] kzalloc include/linux/slab.h:664 [inline]
>> [<000000009003383a>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
>> [<000000009003383a>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
>> [<00000000609410d3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
>> [<00000000661f73ad>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
>> [<00000000e3eb5768>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
>> [<000000002c6bf109>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
>> [<000000009ce0aa62>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342
>> [<00000000db8c8dc2>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483
>> [<00000000b04b70a8>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110
>> [<000000005dc01eb8>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231
>> [<00000000422ec6bd>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949
>> [<0000000042f77bee>] __do_sys_unshare kernel/fork.c:3017 [inline]
>> [<0000000042f77bee>] __se_sys_unshare kernel/fork.c:3015 [inline]
>> [<0000000042f77bee>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015
>> [<00000000e58e69f9>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>> [<000000000a67195e>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Okay, that confirms it. This is a completely different memory leak, as
> can be seen by comparing the stack trace with the previous one. The
> problem with the gspca driver is gone.
>
> Mauro/Hans, what should I do with the patch?
Just post it to linux-media and I'll pick it up as gspca maintainer.
Regards,
Hans
* [PATCH] media: gspca: Fix memory leak in probe
From: Alan Stern @ 2020-11-24 16:00 UTC (permalink / raw)
To: Hans Verkuil; +Cc: syzbot, linux-media, linux-usb, mchehab, syzkaller-bugs
The gspca driver leaks memory when a probe fails. gspca_dev_probe2()
calls v4l2_device_register(), which takes a reference to the
underlying device node (in this case, a USB interface). But the
failure pathway neglects to call v4l2_device_disconnect(), the routine
responsible for dropping this reference. Consequently the memory for
the USB interface and its device never gets released.
This patch adds the missing function call.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
---
This doesn't fully fix syzbot's test case, because the test goes on and
encounters another memory leak in a different driver.
[as1949]
drivers/media/usb/gspca/gspca.c | 1 +
1 file changed, 1 insertion(+)
Index: usb-devel/drivers/media/usb/gspca/gspca.c
===================================================================
--- usb-devel.orig/drivers/media/usb/gspca/gspca.c
+++ usb-devel/drivers/media/usb/gspca/gspca.c
@@ -1575,6 +1575,7 @@ out:
input_unregister_device(gspca_dev->input_dev);
#endif
v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
+ v4l2_device_disconnect(&gspca_dev->v4l2_dev);
kfree(gspca_dev->usb_buf);
kfree(gspca_dev);
return ret;
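Review bot: the patch is CC'd to stable but carries no Fixes: tag; one naming the commit that introduced the unbalanced v4l2_device_register() call in gspca_dev_probe2() would let the stable maintainers select the affected kernels without reading this thread. On the added line itself, v4l2_device_unregister() is the counterpart of v4l2_device_register() (it calls v4l2_device_disconnect() internally), and the commit message's phrase "the routine responsible for dropping this reference" should name whichever function is finally used so the text and the diff agree.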
* Re: [PATCH] media: gspca: Fix memory leak in probe
From: Hans Verkuil @ 2020-12-02 8:58 UTC (permalink / raw)
To: Alan Stern; +Cc: syzbot, linux-media, linux-usb, mchehab, syzkaller-bugs
On 24/11/2020 17:00, Alan Stern wrote:
> The gspca driver leaks memory when a probe fails. gspca_dev_probe2()
> calls v4l2_device_register(), which takes a reference to the
> underlying device node (in this case, a USB interface). But the
> failure pathway neglects to call v4l2_device_disconnect(), the routine
> responsible for dropping this reference. Consequently the memory for
> the USB interface and its device never gets released.
>
> This patch adds the missing function call.
>
> Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
> Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com
> CC: <stable@vger.kernel.org>
>
> ---
>
> This doesn't fully fix syzbot's test case, because the test goes on and
> encounters another memory leak in a different driver.
>
>
> [as1949]
>
>
> drivers/media/usb/gspca/gspca.c | 1 +
> 1 file changed, 1 insertion(+)
>
> Index: usb-devel/drivers/media/usb/gspca/gspca.c
> ===================================================================
> --- usb-devel.orig/drivers/media/usb/gspca/gspca.c
> +++ usb-devel/drivers/media/usb/gspca/gspca.c
> @@ -1575,6 +1575,7 @@ out:
> input_unregister_device(gspca_dev->input_dev);
> #endif
> v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
> + v4l2_device_disconnect(&gspca_dev->v4l2_dev);
Close, but no cigar. This should call v4l2_device_unregister(), the
counterpart of video_device_register. This unregister function also
calls v4l2_device_disconnect, but the code makes a lot more sense if
the v4l2_device_register is matched with the v4l2_device_unregister.
Regards,
Hans
> kfree(gspca_dev->usb_buf);
> kfree(gspca_dev);
> return ret;
>
* Re: memory leak in hub_event
From: Alan Stern @ 2020-12-02 16:22 UTC (permalink / raw)
To: syzbot; +Cc: hverkuil, linux-media, linux-usb, mchehab, syzkaller-bugs
> commit: 4d02da97 Merge tag 'net-5.10-rc5' of git://git.kernel.org/..
> git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Hans says to call v4l2_device_unregister rather than
v4l2_device_disconnect. Let's make sure that works.
Alan Stern
#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4d02da97
Index: usb-devel/drivers/media/usb/gspca/gspca.c
===================================================================
--- usb-devel.orig/drivers/media/usb/gspca/gspca.c
+++ usb-devel/drivers/media/usb/gspca/gspca.c
@@ -1575,6 +1575,7 @@ out:
input_unregister_device(gspca_dev->input_dev);
#endif
v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
+ v4l2_device_unregister(&gspca_dev->v4l2_dev);
kfree(gspca_dev->usb_buf);
kfree(gspca_dev);
return ret;
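Review bot: a syzbot "still triggering an issue" verdict on this hunk cannot be read as a failure of the change, because the reproducer goes on to trip the unrelated rxrpc_lookup_local leak in the afs/rxrpc path; the meaningful check is that the usb_set_configuration backtrace from the first report no longer appears, which is what the earlier test run already showed for the v4l2_device_disconnect() variant, so the expected outcome here is the same rxrpc-only report.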
* Re: memory leak in hub_event
From: syzbot @ 2020-12-02 16:37 UTC (permalink / raw)
To: hverkuil, linux-media, linux-usb, mchehab, stern, syzkaller-bugs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in rxrpc_lookup_local
BUG: memory leak
unreferenced object 0xffff88810ae30400 (size 256):
comm "syz-executor.2", pid 8878, jiffies 4294943959 (age 433.730s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 0a 00 00 00 00 40 75 17 81 88 ff ff .........@u.....
backtrace:
[<00000000d78976b4>] kmalloc include/linux/slab.h:552 [inline]
[<00000000d78976b4>] kzalloc include/linux/slab.h:664 [inline]
[<00000000d78976b4>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
[<00000000d78976b4>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
[<000000000f4771f3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
[<00000000a1ca3956>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
[<000000000b4e3083>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
[<0000000057174e11>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
[<000000001ef2d4d2>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342
[<000000000c0943a9>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483
[<000000000134587c>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110
[<00000000ab7ab634>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231
[<000000000a7b8a55>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949
[<000000007378cba1>] __do_sys_unshare kernel/fork.c:3017 [inline]
[<000000007378cba1>] __se_sys_unshare kernel/fork.c:3015 [inline]
[<000000007378cba1>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015
[<000000002e47b3c4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
[<00000000daddea42>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Tested on:
commit: 4d02da97 Merge tag 'net-5.10-rc5' of git://git.kernel.org/..
git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=16754c55500000
kernel config: https://syzkaller.appspot.com/x/.config?x=9e70f46496e4daad
dashboard link: https://syzkaller.appspot.com/bug?extid=44e64397bd81d5e84cba
compiler: gcc (GCC) 10.1.0-syz 20200507
patch: https://syzkaller.appspot.com/x/patch.diff?x=12ca5c73500000
* [PATCH v2] media: gspca: Fix memory leak in probe
From: Alan Stern @ 2020-12-02 17:20 UTC (permalink / raw)
To: Hans Verkuil; +Cc: syzbot, linux-media, linux-usb, mchehab, syzkaller-bugs
The gspca driver leaks memory when a probe fails. gspca_dev_probe2()
calls v4l2_device_register(), which takes a reference to the
underlying device node (in this case, a USB interface). But the
failure pathway neglects to call v4l2_device_unregister(), the routine
responsible for dropping this reference. Consequently the memory for
the USB interface and its device never gets released.
This patch adds the missing function call.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
---
v2: Replace v4l2_device_disconnect() call with v4l2_device_unregister().
[as1949b]
drivers/media/usb/gspca/gspca.c | 1 +
1 file changed, 1 insertion(+)
Index: usb-devel/drivers/media/usb/gspca/gspca.c
===================================================================
--- usb-devel.orig/drivers/media/usb/gspca/gspca.c
+++ usb-devel/drivers/media/usb/gspca/gspca.c
@@ -1575,6 +1575,7 @@ out:
input_unregister_device(gspca_dev->input_dev);
#endif
v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
+ v4l2_device_unregister(&gspca_dev->v4l2_dev);
kfree(gspca_dev->usb_buf);
kfree(gspca_dev);
return ret;
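Review bot: the cleanup under out: is shared by every failure exit in gspca_dev_probe2(), so if any goto out happens before v4l2_device_register() has succeeded, the new v4l2_device_unregister() call runs on a zeroed, never-registered v4l2_dev; that is only safe if v4l2_device_unregister() returns early for an unregistered device, which is worth confirming and worth a sentence in the commit message rather than leaving implicit. Otherwise the placement is correct: the call precedes kfree(gspca_dev), which frees the struct containing v4l2_dev, and a Fixes: tag would still help the stable backport the CC: line requests.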
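A userspace model of the leak the commit message describes and of the register/unregister pairing Hans asked for, added here as an example (it is not kernel code and not Alan's or Hans's): the v4l2_* names are stand-ins for the kernel functions, `probe_failing()` and `leaked_refs()` are hypothetical helpers, and it assumes v4l2_device_unregister() is a no-op for a device that was never registered.

```c
/* Added userspace model of the probe-failure reference leak from the commit
 * message above; the kernel function names are stand-ins, not kernel code.
 * Assumed: register takes a reference on the parent device, disconnect drops
 * it, and unregister is a no-op for a device that was never registered. */
#include <stdio.h>
#include <stdlib.h>

struct device { int refcount; };                              /* stand-in struct device */
struct v4l2_device { struct device *dev; char name[16]; };    /* name empty until registered */
struct gspca_dev { struct v4l2_device v4l2_dev; void *usb_buf; }; /* v4l2_dev embedded */

static void get_device(struct device *d) { d->refcount++; }
static void put_device(struct device *d) { d->refcount--; }

/* Model of v4l2_device_register(): takes the reference that the bug leaks. */
static int v4l2_device_register(struct device *dev, struct v4l2_device *v4l2_dev)
{
	v4l2_dev->dev = dev;
	get_device(dev);
	snprintf(v4l2_dev->name, sizeof v4l2_dev->name, "gspca");
	return 0;
}

/* Model of v4l2_device_disconnect(): drops the reference exactly once. */
static void v4l2_device_disconnect(struct v4l2_device *v4l2_dev)
{
	if (v4l2_dev->dev == NULL)
		return;
	put_device(v4l2_dev->dev);
	v4l2_dev->dev = NULL;
}

/* Model of v4l2_device_unregister(): the counterpart of register. Assumed to
 * return early for a never-registered device, then to disconnect. */
static void v4l2_device_unregister(struct v4l2_device *v4l2_dev)
{
	if (v4l2_dev == NULL || !v4l2_dev->name[0])
		return;
	v4l2_device_disconnect(v4l2_dev);
	v4l2_dev->name[0] = '\0';
}

enum fail_point { FAIL_BEFORE_REGISTER, FAIL_AFTER_REGISTER };

/* Hypothetical model of gspca_dev_probe2()'s failure exits. `fixed` selects
 * whether the shared out: label carries the v2 patch's unregister call. */
static int probe_failing(struct device *intf, enum fail_point where, int fixed)
{
	struct gspca_dev *gspca_dev = calloc(1, sizeof *gspca_dev);
	int ret = -1;

	if (!gspca_dev)
		return ret;
	if (where == FAIL_BEFORE_REGISTER)
		goto out;			/* e.g. an early allocation failure */
	gspca_dev->usb_buf = malloc(64);
	ret = v4l2_device_register(intf, &gspca_dev->v4l2_dev);
	if (ret)
		goto out;
	ret = -2;				/* a later probe step fails */
out:
	if (fixed)
		v4l2_device_unregister(&gspca_dev->v4l2_dev);
	free(gspca_dev->usb_buf);
	free(gspca_dev);			/* frees the embedded v4l2_dev: must be last */
	return ret;
}

/* References left on the interface after a failed probe; anything above zero
 * is the unreleased reference behind the kmemleak report. */
int leaked_refs(enum fail_point where, int fixed)
{
	struct device intf = { .refcount = 0 };

	probe_failing(&intf, where, fixed);
	return intf.refcount;
}

int main(void)
{
	printf("unfixed, fail after register:  %d leaked\n", leaked_refs(FAIL_AFTER_REGISTER, 0));
	printf("fixed,   fail after register:  %d leaked\n", leaked_refs(FAIL_AFTER_REGISTER, 1));
	printf("fixed,   fail before register: %d leaked\n", leaked_refs(FAIL_BEFORE_REGISTER, 1));
	return 0;
}
```

The before-register case is the one the shared out: label forces the fix to handle: the unregister call must tolerate a v4l2_dev that was never registered, or the fix would trade a leak for a crash on the early failure exit.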