[syzbot] memory leak in hub_event (2)

23 views

Skip to first unread message

syzbot

unread,

Mar 15, 2021, 12:38:15 AM3/15/21

to a.da...@linutronix.de, ba...@kernel.org, big...@linutronix.de, gre...@linuxfoundation.org, linux-...@vger.kernel.org, linu...@vger.kernel.org, st...@rowland.harvard.edu, syzkall...@googlegroups.com, tg...@linutronix.de

Hello,

syzbot found the following issue on:

HEAD commit: 05a59d79 Merge git://git.kernel.org:/pub/scm/linux/kernel/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=164e6ba2d00000
kernel config: https://syzkaller.appspot.com/x/.config?x=796675cee501159f
dashboard link: https://syzkaller.appspot.com/bug?extid=636c58f40a86b4a879e7
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=111849ecd00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16037376d00000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+636c58...@syzkaller.appspotmail.com

BUG: memory leak
unreferenced object 0xffff888109985800 (size 2048):
comm "kworker/1:1", pid 35, jiffies 4294966369 (age 27.230s)
hex dump (first 32 bytes):
ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1...........
00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................
backtrace:
[<000000004dfe56d1>] kmalloc include/linux/slab.h:554 [inline]
[<000000004dfe56d1>] kzalloc include/linux/slab.h:684 [inline]
[<000000004dfe56d1>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582
[<00000000d2920859>] hub_port_connect drivers/usb/core/hub.c:5129 [inline]
[<00000000d2920859>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<00000000d2920859>] port_event drivers/usb/core/hub.c:5509 [inline]
[<00000000d2920859>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591
[<0000000099d99129>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<00000000a83d9aee>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<00000000aaaf0fda>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<00000000d2888c70>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff88810cec9900 (size 32):
comm "kworker/1:1", pid 35, jiffies 4294966421 (age 26.710s)
hex dump (first 32 bytes):
00 65 d0 10 81 88 ff ff 00 00 00 00 00 00 00 00 .e..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000008a69447c>] kmalloc include/linux/slab.h:559 [inline]
[<000000008a69447c>] kzalloc include/linux/slab.h:684 [inline]
[<000000008a69447c>] usb_get_configuration+0xce/0x1dd0 drivers/usb/core/config.c:887
[<00000000a636fc1f>] usb_enumerate_device drivers/usb/core/hub.c:2388 [inline]
[<00000000a636fc1f>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2524
[<0000000024685ce9>] hub_port_connect drivers/usb/core/hub.c:5223 [inline]
[<0000000024685ce9>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<0000000024685ce9>] port_event drivers/usb/core/hub.c:5509 [inline]
[<0000000024685ce9>] hub_event+0x142e/0x20c0 drivers/usb/core/hub.c:5591
[<0000000099d99129>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<00000000a83d9aee>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<00000000aaaf0fda>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<00000000d2888c70>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff88810b1b75c0 (size 32):
comm "kworker/1:1", pid 35, jiffies 4294966448 (age 26.440s)
hex dump (first 32 bytes):
73 79 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 syz.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000007889c4a2>] kmalloc include/linux/slab.h:559 [inline]
[<000000007889c4a2>] usb_cache_string+0x8a/0xf0 drivers/usb/core/message.c:1025
[<00000000c372c0b9>] usb_enumerate_device drivers/usb/core/hub.c:2398 [inline]
[<00000000c372c0b9>] usb_new_device+0x98/0x2e0 drivers/usb/core/hub.c:2524
[<0000000024685ce9>] hub_port_connect drivers/usb/core/hub.c:5223 [inline]
[<0000000024685ce9>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<0000000024685ce9>] port_event drivers/usb/core/hub.c:5509 [inline]
[<0000000024685ce9>] hub_event+0x142e/0x20c0 drivers/usb/core/hub.c:5591
[<0000000099d99129>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<00000000a83d9aee>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<00000000aaaf0fda>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<00000000d2888c70>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff88810cec9800 (size 32):
comm "kworker/1:1", pid 35, jiffies 4294966452 (age 26.400s)
hex dump (first 32 bytes):
73 79 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 syz.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000007889c4a2>] kmalloc include/linux/slab.h:559 [inline]
[<000000007889c4a2>] usb_cache_string+0x8a/0xf0 drivers/usb/core/message.c:1025
[<00000000b8074d2b>] usb_enumerate_device drivers/usb/core/hub.c:2399 [inline]
[<00000000b8074d2b>] usb_new_device+0xae/0x2e0 drivers/usb/core/hub.c:2524
[<0000000024685ce9>] hub_port_connect drivers/usb/core/hub.c:5223 [inline]
[<0000000024685ce9>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<0000000024685ce9>] port_event drivers/usb/core/hub.c:5509 [inline]
[<0000000024685ce9>] hub_event+0x142e/0x20c0 drivers/usb/core/hub.c:5591
[<0000000099d99129>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<00000000a83d9aee>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<00000000aaaf0fda>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<00000000d2888c70>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff88810cec9140 (size 32):
comm "kworker/1:1", pid 35, jiffies 4294966456 (age 26.360s)
hex dump (first 32 bytes):
73 79 7a 00 00 00 00 00 00 00 00 00 00 00 00 00 syz.............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000007889c4a2>] kmalloc include/linux/slab.h:559 [inline]
[<000000007889c4a2>] usb_cache_string+0x8a/0xf0 drivers/usb/core/message.c:1025
[<000000002dd0377f>] usb_enumerate_device drivers/usb/core/hub.c:2401 [inline]
[<000000002dd0377f>] usb_new_device+0xc4/0x2e0 drivers/usb/core/hub.c:2524
[<0000000024685ce9>] hub_port_connect drivers/usb/core/hub.c:5223 [inline]
[<0000000024685ce9>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<0000000024685ce9>] port_event drivers/usb/core/hub.c:5509 [inline]
[<0000000024685ce9>] hub_event+0x142e/0x20c0 drivers/usb/core/hub.c:5591
[<0000000099d99129>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<00000000a83d9aee>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<00000000aaaf0fda>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<00000000d2888c70>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff8881101a8800 (size 256):
comm "kworker/1:1", pid 35, jiffies 4294966459 (age 26.330s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 08 88 1a 10 81 88 ff ff ................
08 88 1a 10 81 88 ff ff 30 23 5e 82 ff ff ff ff ........0#^.....
backtrace:
[<000000002a4ba0cb>] kmalloc include/linux/slab.h:554 [inline]
[<000000002a4ba0cb>] kzalloc include/linux/slab.h:684 [inline]
[<000000002a4ba0cb>] device_private_init drivers/base/core.c:3084 [inline]
[<000000002a4ba0cb>] device_add+0x811/0xc40 drivers/base/core.c:3134
[<00000000440fa047>] usb_new_device.cold+0x16a/0x582 drivers/usb/core/hub.c:2555
[<0000000024685ce9>] hub_port_connect drivers/usb/core/hub.c:5223 [inline]
[<0000000024685ce9>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<0000000024685ce9>] port_event drivers/usb/core/hub.c:5509 [inline]
[<0000000024685ce9>] hub_event+0x142e/0x20c0 drivers/usb/core/hub.c:5591
[<0000000099d99129>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<00000000a83d9aee>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<00000000aaaf0fda>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<00000000d2888c70>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

syzbot

unread,

Mar 22, 2021, 8:33:05 AM3/22/21

to alaaemadh...@gmail.com, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in hub_event

BUG: memory leak
unreferenced object 0xffff8881250c6800 (size 2048):
comm "kworker/1:7", pid 10515, jiffies 4294946774 (age 15.650s)

hex dump (first 32 bytes):
ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1...........
00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................
backtrace:

[<ffffffff82b8eb12>] kmalloc include/linux/slab.h:554 [inline]
[<ffffffff82b8eb12>] kzalloc include/linux/slab.h:684 [inline]
[<ffffffff82b8eb12>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582
[<ffffffff82b98731>] hub_port_connect drivers/usb/core/hub.c:5129 [inline]
[<ffffffff82b98731>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<ffffffff82b98731>] port_event drivers/usb/core/hub.c:5509 [inline]
[<ffffffff82b98731>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591
[<ffffffff812597b9>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<ffffffff8125a0a9>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<ffffffff812617d8>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff888125310bc0 (size 32):
comm "kworker/1:7", pid 10515, jiffies 4294946774 (age 15.650s)

hex dump (first 32 bytes):

33 2d 31 00 00 00 00 00 00 00 00 00 00 00 00 00 3-1.............

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:

[<ffffffff8223286c>] kvasprintf+0x6c/0xf0 lib/kasprintf.c:25
[<ffffffff82232948>] kvasprintf_const+0x58/0x110 lib/kasprintf.c:49
[<ffffffff822f277b>] kobject_set_name_vargs+0x3b/0xe0 lib/kobject.c:289
[<ffffffff825eaaa3>] dev_set_name+0x63/0x90 drivers/base/core.c:3028
[<ffffffff82b8ecce>] usb_alloc_dev+0x1ee/0x450 drivers/usb/core/usb.c:650
[<ffffffff82b98731>] hub_port_connect drivers/usb/core/hub.c:5129 [inline]
[<ffffffff82b98731>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<ffffffff82b98731>] port_event drivers/usb/core/hub.c:5509 [inline]
[<ffffffff82b98731>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591
[<ffffffff812597b9>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<ffffffff8125a0a9>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<ffffffff812617d8>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff888127288400 (size 1024):
comm "kworker/1:7", pid 10515, jiffies 4294946823 (age 15.160s)

hex dump (first 32 bytes):

09 02 48 00 01 00 00 00 00 00 00 00 00 00 00 00 ..H.............

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:

[<ffffffff82ba780c>] kmalloc include/linux/slab.h:559 [inline]
[<ffffffff82ba780c>] kzalloc include/linux/slab.h:684 [inline]
[<ffffffff82ba780c>] usb_get_configuration+0x9c/0x1dd0 drivers/usb/core/config.c:882
[<ffffffff82b95f79>] usb_enumerate_device drivers/usb/core/hub.c:2388 [inline]
[<ffffffff82b95f79>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2524
[<ffffffff82b989ee>] hub_port_connect drivers/usb/core/hub.c:5223 [inline]
[<ffffffff82b989ee>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<ffffffff82b989ee>] port_event drivers/usb/core/hub.c:5509 [inline]
[<ffffffff82b989ee>] hub_event+0x142e/0x20c0 drivers/usb/core/hub.c:5591
[<ffffffff812597b9>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<ffffffff8125a0a9>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<ffffffff812617d8>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff888125310be0 (size 32):
comm "kworker/1:7", pid 10515, jiffies 4294946823 (age 15.160s)

hex dump (first 32 bytes):

80 b6 74 24 81 88 ff ff 00 00 00 00 00 00 00 00 ..t$............

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:

[<ffffffff82ba783e>] kmalloc include/linux/slab.h:559 [inline]
[<ffffffff82ba783e>] kzalloc include/linux/slab.h:684 [inline]
[<ffffffff82ba783e>] usb_get_configuration+0xce/0x1dd0 drivers/usb/core/config.c:887
[<ffffffff82b95f79>] usb_enumerate_device drivers/usb/core/hub.c:2388 [inline]
[<ffffffff82b95f79>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2524
[<ffffffff82b989ee>] hub_port_connect drivers/usb/core/hub.c:5223 [inline]
[<ffffffff82b989ee>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<ffffffff82b989ee>] port_event drivers/usb/core/hub.c:5509 [inline]
[<ffffffff82b989ee>] hub_event+0x142e/0x20c0 drivers/usb/core/hub.c:5591
[<ffffffff812597b9>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<ffffffff8125a0a9>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<ffffffff812617d8>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff8881285d7880 (size 128):
comm "kworker/1:7", pid 10515, jiffies 4294946867 (age 14.720s)

hex dump (first 32 bytes):

03 00 00 00 01 00 00 00 09 04 7d 00 03 1d 5a bf ..........}...Z.
00 00 00 00 00 00 00 00 92 b6 74 24 81 88 ff ff ..........t$....
backtrace:
[<ffffffff82ba7f55>] kmalloc include/linux/slab.h:559 [inline]
[<ffffffff82ba7f55>] kzalloc include/linux/slab.h:684 [inline]
[<ffffffff82ba7f55>] usb_parse_configuration drivers/usb/core/config.c:772 [inline]
[<ffffffff82ba7f55>] usb_get_configuration+0x7e5/0x1dd0 drivers/usb/core/config.c:944
[<ffffffff82b95f79>] usb_enumerate_device drivers/usb/core/hub.c:2388 [inline]
[<ffffffff82b95f79>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2524
[<ffffffff82b989ee>] hub_port_connect drivers/usb/core/hub.c:5223 [inline]
[<ffffffff82b989ee>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<ffffffff82b989ee>] port_event drivers/usb/core/hub.c:5509 [inline]
[<ffffffff82b989ee>] hub_event+0x142e/0x20c0 drivers/usb/core/hub.c:5591
[<ffffffff812597b9>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<ffffffff8125a0a9>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<ffffffff812617d8>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

BUG: memory leak
unreferenced object 0xffff8881284e2880 (size 96):
comm "kworker/1:7", pid 10515, jiffies 4294946892 (age 14.470s)

hex dump (first 32 bytes):

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:

[<ffffffff82ba82ef>] kmalloc include/linux/slab.h:559 [inline]
[<ffffffff82ba82ef>] kzalloc include/linux/slab.h:684 [inline]
[<ffffffff82ba82ef>] usb_parse_interface drivers/usb/core/config.c:571 [inline]
[<ffffffff82ba82ef>] usb_parse_configuration drivers/usb/core/config.c:795 [inline]
[<ffffffff82ba82ef>] usb_get_configuration+0xb7f/0x1dd0 drivers/usb/core/config.c:944
[<ffffffff82b95f79>] usb_enumerate_device drivers/usb/core/hub.c:2388 [inline]
[<ffffffff82b95f79>] usb_new_device+0x1a9/0x2e0 drivers/usb/core/hub.c:2524
[<ffffffff82b989ee>] hub_port_connect drivers/usb/core/hub.c:5223 [inline]
[<ffffffff82b989ee>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<ffffffff82b989ee>] port_event drivers/usb/core/hub.c:5509 [inline]
[<ffffffff82b989ee>] hub_event+0x142e/0x20c0 drivers/usb/core/hub.c:5591
[<ffffffff812597b9>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<ffffffff8125a0a9>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<ffffffff812617d8>] kthread+0x178/0x1b0 kernel/kthread.c:292
[<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Tested on:

commit: 0d02ec6b Linux 5.12-rc4
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=123da73ad00000
kernel config: https://syzkaller.appspot.com/x/.config?x=4363b65b34bdbff8
dashboard link: https://syzkaller.appspot.com/bug?extid=636c58f40a86b4a879e7
compiler:

syzbot

unread,

Mar 25, 2021, 6:43:04 PM3/25/21

to alaaemadh...@gmail.com, syzkall...@googlegroups.com

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
memory leak in hub_event

BUG: memory leak

unreferenced object 0xffff88810e77d800 (size 2048):
comm "kworker/1:5", pid 10456, jiffies 4294945576 (age 16.470s)

hex dump (first 32 bytes):
ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1...........
00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................
backtrace:

[<ffffffff82b8f5c2>] kmalloc include/linux/slab.h:554 [inline]
[<ffffffff82b8f5c2>] kzalloc include/linux/slab.h:684 [inline]
[<ffffffff82b8f5c2>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582
[<ffffffff82b991e1>] hub_port_connect drivers/usb/core/hub.c:5129 [inline]
[<ffffffff82b991e1>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline]
[<ffffffff82b991e1>] port_event drivers/usb/core/hub.c:5509 [inline]
[<ffffffff82b991e1>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591
[<ffffffff81259839>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275
[<ffffffff8125a129>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421
[<ffffffff81261858>] kthread+0x178/0x1b0 kernel/kthread.c:292