Message ID | 20210514110317.2041580-1-mudongliangabcd@gmail.com (mailing list archive) |
---|---|
State | Superseded |
Series | misc/uss720: fix memory leak in uss720_probe |
On Fri, May 14, 2021 at 07:03:17PM +0800, Dongliang Mu wrote:
> uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. > Fix this by decreasing the refcount of usbdev by usb_put_dev. > > BUG: memory leak > unreferenced object 0xffff888101113800 (size 2048): > comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s) > hex dump (first 32 bytes): > ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1........... > 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................ > backtrace: > [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline] > [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline] > [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582 > [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline] > [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] > [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline] > [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 > [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275 > [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421 > [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292 > [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 > > Reported-by: syzbot+636c58f40a86b4a879e7@syzkaller.appspotmail.com > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > --- > drivers/usb/misc/uss720.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c > index b5d661644263..748139d26263 100644 > --- a/drivers/usb/misc/uss720.c > +++ b/drivers/usb/misc/uss720.c > @@ -736,6 +736,7 @@ static int uss720_probe(struct usb_interface *intf, > parport_announce_port(pp); > > usb_set_intfdata(intf, pp); > + usb_put_dev(usbdev); > return 0; > > probe_abort: > -- > 2.25.1

Nice catch!
On Fri, May 14, 2021 at 7:14 PM Greg KH <gregkh@linuxfoundation.org> wrote: > > On Fri, May 14, 2021 at 07:03:17PM +0800, Dongliang Mu wrote: > > uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. > > Fix this by decreasing the refcount of usbdev by usb_put_dev. > > > > BUG: memory leak > > unreferenced object 0xffff888101113800 (size 2048): > > comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s) > > hex dump (first 32 bytes): > > ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1........... > > 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................ > > backtrace: > > [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline] > > [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline] > > [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582 > > [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline] > > [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] > > [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline] > > [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 > > [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275 > > [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421 > > [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292 > > [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 > > > > Reported-by: syzbot+636c58f40a86b4a879e7@syzkaller.appspotmail.com > > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > > --- > > drivers/usb/misc/uss720.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c > > index b5d661644263..748139d26263 100644 > > --- a/drivers/usb/misc/uss720.c > > +++ b/drivers/usb/misc/uss720.c 
> > @@ -736,6 +736,7 @@ static int uss720_probe(struct usb_interface *intf, > > parport_announce_port(pp); > > > > usb_set_intfdata(intf, pp); > > + usb_put_dev(usbdev); > > return 0; > > > > probe_abort: > > -- > > 2.25.1
>
> Nice catch!

Thanks.

This should be a bug fix. From the document, "Fixes" tag is needed for bug fixes. How do I quickly get this bug-inducing commit? Any suggestion here?
On Fri, May 14, 2021 at 07:48:57PM +0800, 慕冬亮 wrote: > On Fri, May 14, 2021 at 7:14 PM Greg KH <gregkh@linuxfoundation.org> wrote: > > > > On Fri, May 14, 2021 at 07:03:17PM +0800, Dongliang Mu wrote: > > > uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. > > > Fix this by decreasing the refcount of usbdev by usb_put_dev. > > > > > > BUG: memory leak > > > unreferenced object 0xffff888101113800 (size 2048): > > > comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s) > > > hex dump (first 32 bytes): > > > ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1........... > > > 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................ > > > backtrace: > > > [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline] > > > [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline] > > > [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582 > > > [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline] > > > [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] > > > [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline] > > > [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 > > > [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275 > > > [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421 > > > [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292 > > > [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 > > > > > > Reported-by: syzbot+636c58f40a86b4a879e7@syzkaller.appspotmail.com > > > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > > > --- > > > drivers/usb/misc/uss720.c | 1 + > > > 1 file changed, 1 insertion(+) > > > > > > diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c > > > index b5d661644263..748139d26263 100644 > > > --- a/drivers/usb/misc/uss720.c > > > +++ b/drivers/usb/misc/uss720.c 
> > > @@ -736,6 +736,7 @@ static int uss720_probe(struct usb_interface *intf, > > > parport_announce_port(pp); > > > > > > usb_set_intfdata(intf, pp); > > > + usb_put_dev(usbdev); > > > return 0; > > > > > > probe_abort: > > > -- > > > 2.25.1
> >
> > Nice catch!
>
> Thanks.
>
> This should be a bug fix. From the document, "Fixes" tag is needed for bug fixes.

It would be good, yes, please resend with that added.

> How do I quickly get this bug-inducing commit? Any suggestion here?

look at the log for this one file to find where the offending change happened. Try `git log -p drivers/usb/misc/uss720.c`

thanks,

greg k-h
On Fri, May 14, 2021 at 7:52 PM Greg KH <gregkh@linuxfoundation.org> wrote: > > On Fri, May 14, 2021 at 07:48:57PM +0800, 慕冬亮 wrote: > > On Fri, May 14, 2021 at 7:14 PM Greg KH <gregkh@linuxfoundation.org> wrote: > > > > > > On Fri, May 14, 2021 at 07:03:17PM +0800, Dongliang Mu wrote: > > > > uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. > > > > Fix this by decreasing the refcount of usbdev by usb_put_dev. > > > > > > > > BUG: memory leak > > > > unreferenced object 0xffff888101113800 (size 2048): > > > > comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s) > > > > hex dump (first 32 bytes): > > > > ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1........... > > > > 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................ > > > > backtrace: > > > > [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline] > > > > [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline] > > > > [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582 > > > > [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline] > > > > [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] > > > > [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline] > > > > [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 > > > > [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275 > > > > [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421 > > > > [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292 > > > > [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 > > > > > > > > Reported-by: syzbot+636c58f40a86b4a879e7@syzkaller.appspotmail.com > > > > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> > > > > --- > > > > drivers/usb/misc/uss720.c | 1 + > > > > 1 file changed, 1 insertion(+) 
> > > > > > > > diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c > > > > index b5d661644263..748139d26263 100644 > > > > --- a/drivers/usb/misc/uss720.c > > > > +++ b/drivers/usb/misc/uss720.c > > > > @@ -736,6 +736,7 @@ static int uss720_probe(struct usb_interface *intf, > > > > parport_announce_port(pp); > > > > > > > > usb_set_intfdata(intf, pp); > > > > + usb_put_dev(usbdev); > > > > return 0; > > > > > > > > probe_abort: > > > > -- > > > > 2.25.1
> > >
> > > Nice catch!
> >
> > Thanks.
> >
> > This should be a bug fix. From the document, "Fixes" tag is needed for bug fixes.
>
> It would be good, yes, please resend with that added.

Sure. I will resend the patch.

> > How do I quickly get this bug-inducing commit? Any suggestion here?
>
> look at the log for this one file to find where the offending change happened. Try `git log -p drivers/usb/misc/uss720.c`

0f36163d3abefbda1b21a330b3fdf3c2dc076d94 [PATCH] usb: fix uss720 schedule with interrupts off

@@ -536,93 +682,91 @@ static struct parport_operations parport_uss720_ops = static int uss720_probe(struct usb_interface *intf, const struct usb_device_id *id) { - struct usb_device *usbdev = interface_to_usbdev(intf); + struct usb_device *usbdev = usb_get_dev(interface_to_usbdev(intf));

Then the code only decreases the refcount at failure sites.

> thanks,
>
> greg k-h
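The thread's question is how to find the bug-inducing commit for a `Fixes:` tag, and the suggestion is to read `git log -p` for the one file. As an added example (not part of the thread or of the kernel tree), the script below narrows that search with git's `-S` pickaxe option and formats the tag; the toy repository, its commit subjects and the helper names `find_introducing_commit` and `fixes_tag` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find the commit that introduced a string in one file and
# format a kernel-style "Fixes:" tag for it. The repository built below is a
# constructed toy history, not the kernel tree.

# Print the hash of the oldest commit that changed the number of occurrences
# of string $2 in file $1 (git's "pickaxe" search, -S).
find_introducing_commit() {
    git log --reverse --format=%H -S"$2" -- "$1" | head -n 1
}

# Print: Fixes: <12-character hash> ("<subject line>")
fixes_tag() {
    git log -1 --abbrev=12 --format='Fixes: %h ("%s")' "$1"
}

# Constructed history: three commits touching a single file.
demo_repo=$(mktemp -d)
cd "$demo_repo" || exit 1
git init -q .
git config user.name "Example Dev"
git config user.email "dev@example.invalid"
mkdir -p drivers/usb/misc
f=drivers/usb/misc/uss720.c

# 1) probe without a reference being taken
printf 'usbdev = interface_to_usbdev(intf);\n' > "$f"
git add "$f" && git commit -q -m "usb: add toy probe"

# 2) the change that starts taking a reference (the one we want to find)
printf 'usbdev = usb_get_dev(interface_to_usbdev(intf));\n' > "$f"
git commit -q -am "usb: take a device reference in probe"
expected=$(git rev-parse HEAD)

# 3) a later, unrelated edit that must not be reported
printf '/* unrelated cleanup */\n' >> "$f"
git commit -q -am "usb: tidy comments"

found=$(find_introducing_commit "$f" 'usb_get_dev(')
tag=$(fixes_tag "$found")
echo "$tag"
```

The pickaxe search only narrows the candidates; the reported commit still has to be read with `git show` to confirm that it is where the get and put became unbalanced.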
diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c index b5d661644263..748139d26263 100644 --- a/drivers/usb/misc/uss720.c +++ b/drivers/usb/misc/uss720.c @@ -736,6 +736,7 @@ static int uss720_probe(struct usb_interface *intf, parport_announce_port(pp); usb_set_intfdata(intf, pp); + usb_put_dev(usbdev); return 0; probe_abort:
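Review bot: Dropping the reference with usb_put_dev(usbdev) just before return 0 is only correct if nothing keeps using usbdev after a successful probe, and the hunk does not show that. If the pointer stays reachable through the driver's private data until disconnect, the reference needs to be held for that long and released in the teardown path instead, otherwise the stored pointer is no longer backed by a count. Please state in the commit message where the matching put for the success path is expected to happen, and add the Fixes: tag for 0f36163d3abefbda1b21a330b3fdf3c2dc076d94 that was requested in the thread.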
uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. Fix this by decreasing the refcount of usbdev by usb_put_dev. BUG: memory leak unreferenced object 0xffff888101113800 (size 2048): comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s) hex dump (first 32 bytes): ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1........... 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................ backtrace: [<ffffffff82b8e822>] kmalloc include/linux/slab.h:554 [inline] [<ffffffff82b8e822>] kzalloc include/linux/slab.h:684 [inline] [<ffffffff82b8e822>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582 [<ffffffff82b98441>] hub_port_connect drivers/usb/core/hub.c:5129 [inline] [<ffffffff82b98441>] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] [<ffffffff82b98441>] port_event drivers/usb/core/hub.c:5509 [inline] [<ffffffff82b98441>] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 [<ffffffff81259229>] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275 [<ffffffff81259b19>] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421 [<ffffffff81261228>] kthread+0x178/0x1b0 kernel/kthread.c:292 [<ffffffff8100227f>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Reported-by: syzbot+636c58f40a86b4a879e7@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> --- drivers/usb/misc/uss720.c | 1 + 1 file changed, 1 insertion(+)