* Re: memory leak in hub_event [not found] ` <000000000000cc9e3405b4cc4ff8@google.com> @ 2020-11-23 21:53 ` Alan Stern 2020-11-23 22:09 ` syzbot 0 siblings, 1 reply; 9+ messages in thread From: Alan Stern @ 2020-11-23 21:53 UTC (permalink / raw) To: syzbot, Mauro Carvalho Chehab, Hans Verkuil Cc: linux-usb, linux-media, syzkaller-bugs Quick summary: syzbot found a memory leak in the gspca driver, apparently caused by a reference being taken but not released in a probe failure pathway. On Mon, Nov 23, 2020 at 12:48:08PM -0800, syzbot wrote: > Hello, > > syzbot has tested the proposed patch but the reproducer is still triggering an issue: > memory leak in usb_set_configuration > > BUG: memory leak > unreferenced object 0xffff8881268a1800 (size 1024): > comm "kworker/0:2", pid 3644, jiffies 4294944749 (age 12.820s) > hex dump (first 32 bytes): > 48 f3 6a 26 81 88 ff ff 48 f3 6a 26 81 88 ff ff H.j&....H.j&.... > 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [<0000000089bfe22c>] kmalloc include/linux/slab.h:552 [inline] > [<0000000089bfe22c>] kzalloc include/linux/slab.h:664 [inline] > [<0000000089bfe22c>] usb_set_configuration+0x18c/0xb90 drivers/usb/core/message.c:1987 > [<00000000207f81de>] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 > [<000000007aa490e0>] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 Okay, this does seem to pinpoint the problem. gspca_dev_probe2() calls v4l2_device_register() at the start, but doesn't call v4l2_device_disconnect() upon failure. I'm not at all familiar with the design of the v4l2 subsystem. Mauro or Hans: Is this the right solution? Alan Stern #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4d02da97 Index: usb-devel/drivers/media/usb/gspca/gspca.c =================================================================== --- usb-devel.orig/drivers/media/usb/gspca/gspca.c +++ usb-devel/drivers/media/usb/gspca/gspca.c 
@@ -1575,6 +1575,7 @@ out: input_unregister_device(gspca_dev->input_dev); #endif v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler); + v4l2_device_disconnect(&gspca_dev->v4l2_dev); kfree(gspca_dev->usb_buf); kfree(gspca_dev); return ret; ^ permalink raw reply [flat|nested] 9+ messages in thread
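Review bot: the added v4l2_device_disconnect() line sits under the shared `out:` label, so it runs on every failure exit, yet the hunk shows only the tail of that path. Confirm that no `goto out` is taken before v4l2_device_register() has succeeded, or that the teardown call is safe on a v4l2_dev that was never registered; otherwise the fix could trade a leaked reference for an unbalanced put.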
* Re: memory leak in hub_event 2020-11-23 21:53 ` memory leak in hub_event Alan Stern @ 2020-11-23 22:09 ` syzbot 2020-11-23 22:24 ` Alan Stern 2020-12-02 16:22 ` memory leak in hub_event Alan Stern 0 siblings, 2 replies; 9+ messages in thread From: syzbot @ 2020-11-23 22:09 UTC (permalink / raw) To: hverkuil, linux-media, linux-usb, mchehab, stern, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: memory leak in rxrpc_lookup_local BUG: memory leak unreferenced object 0xffff888117ab9900 (size 256): comm "syz-executor.0", pid 8883, jiffies 4294943811 (age 433.620s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 0a 00 00 00 00 80 cb 17 81 88 ff ff ................ backtrace: [<000000009003383a>] kmalloc include/linux/slab.h:552 [inline] [<000000009003383a>] kzalloc include/linux/slab.h:664 [inline] [<000000009003383a>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] [<000000009003383a>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 [<00000000609410d3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 [<00000000661f73ad>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 [<00000000e3eb5768>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 [<000000002c6bf109>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 [<000000009ce0aa62>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342 [<00000000db8c8dc2>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483 [<00000000b04b70a8>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110 [<000000005dc01eb8>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231 [<00000000422ec6bd>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949 [<0000000042f77bee>] __do_sys_unshare kernel/fork.c:3017 [inline] [<0000000042f77bee>] __se_sys_unshare kernel/fork.c:3015 [inline] [<0000000042f77bee>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015 [<00000000e58e69f9>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 
[<000000000a67195e>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff888117d40d00 (size 256): comm "syz-executor.1", pid 8884, jiffies 4294943812 (age 433.610s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 0a 00 00 00 00 c0 ac 17 81 88 ff ff ................ backtrace: [<000000009003383a>] kmalloc include/linux/slab.h:552 [inline] [<000000009003383a>] kzalloc include/linux/slab.h:664 [inline] [<000000009003383a>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] [<000000009003383a>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 [<00000000609410d3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 [<00000000661f73ad>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 [<00000000e3eb5768>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 [<000000002c6bf109>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 [<000000009ce0aa62>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342 [<00000000db8c8dc2>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483 [<00000000b04b70a8>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110 [<000000005dc01eb8>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231 [<00000000422ec6bd>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949 [<0000000042f77bee>] __do_sys_unshare kernel/fork.c:3017 [inline] [<0000000042f77bee>] __se_sys_unshare kernel/fork.c:3015 [inline] [<0000000042f77bee>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015 [<00000000e58e69f9>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<000000000a67195e>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff888118236900 (size 256): comm "syz-executor.2", pid 8894, jiffies 4294943830 (age 433.430s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 0a 00 00 00 00 00 34 18 81 88 ff ff ..........4..... 
backtrace: [<000000009003383a>] kmalloc include/linux/slab.h:552 [inline] [<000000009003383a>] kzalloc include/linux/slab.h:664 [inline] [<000000009003383a>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] [<000000009003383a>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 [<00000000609410d3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 [<00000000661f73ad>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 [<00000000e3eb5768>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 [<000000002c6bf109>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 [<000000009ce0aa62>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342 [<00000000db8c8dc2>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483 [<00000000b04b70a8>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110 [<000000005dc01eb8>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231 [<00000000422ec6bd>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949 [<0000000042f77bee>] __do_sys_unshare kernel/fork.c:3017 [inline] [<0000000042f77bee>] __se_sys_unshare kernel/fork.c:3015 [inline] [<0000000042f77bee>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015 [<00000000e58e69f9>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<000000000a67195e>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff8881170d5400 (size 256): comm "syz-executor.3", pid 8888, jiffies 4294943833 (age 433.400s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 0a 00 00 00 00 40 35 18 81 88 ff ff .........@5..... 
backtrace: [<000000009003383a>] kmalloc include/linux/slab.h:552 [inline] [<000000009003383a>] kzalloc include/linux/slab.h:664 [inline] [<000000009003383a>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] [<000000009003383a>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 [<00000000609410d3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 [<00000000661f73ad>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 [<00000000e3eb5768>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 [<000000002c6bf109>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 [<000000009ce0aa62>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342 [<00000000db8c8dc2>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483 [<00000000b04b70a8>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110 [<000000005dc01eb8>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231 [<00000000422ec6bd>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949 [<0000000042f77bee>] __do_sys_unshare kernel/fork.c:3017 [inline] [<0000000042f77bee>] __se_sys_unshare kernel/fork.c:3015 [inline] [<0000000042f77bee>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015 [<00000000e58e69f9>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<000000000a67195e>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 write to /proc/sys/kernel/hung_task_check_interval_secs failed: No such file or directory write to /proc/sys/kernel/softlockup_all_cpu_backtrace failed: No such file or directory Tested on: commit: 4d02da97 Merge tag 'net-5.10-rc5' of git://git.kernel.org/.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git console output: https://syzkaller.appspot.com/x/log.txt?x=123a6611500000 kernel config: https://syzkaller.appspot.com/x/.config?x=b29e92cdfa2687df dashboard link: https://syzkaller.appspot.com/bug?extid=44e64397bd81d5e84cba compiler: gcc (GCC) 10.1.0-syz 20200507 patch: https://syzkaller.appspot.com/x/patch.diff?x=11c4e969500000 ^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: memory leak in hub_event
  2020-11-23 22:09 ` syzbot
@ 2020-11-23 22:24 ` Alan Stern
  2020-11-24 11:38 ` Hans Verkuil
  2020-12-02 16:22 ` memory leak in hub_event Alan Stern
  1 sibling, 1 reply; 9+ messages in thread
From: Alan Stern @ 2020-11-23 22:24 UTC (permalink / raw)
To: syzbot; +Cc: hverkuil, linux-media, linux-usb, mchehab, syzkaller-bugs

On Mon, Nov 23, 2020 at 02:09:05PM -0800, syzbot wrote:
> Hello,
>
> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
> memory leak in rxrpc_lookup_local
>
> BUG: memory leak
> unreferenced object 0xffff888117ab9900 (size 256):
>   comm "syz-executor.0", pid 8883, jiffies 4294943811 (age 433.620s)
>   hex dump (first 32 bytes):
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>     00 00 00 00 0a 00 00 00 00 80 cb 17 81 88 ff ff  ................
>   backtrace:
>     [<000000009003383a>] kmalloc include/linux/slab.h:552 [inline]
>     [<000000009003383a>] kzalloc include/linux/slab.h:664 [inline]
>     [<000000009003383a>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
>     [<000000009003383a>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
>     [<00000000609410d3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
>     [<00000000661f73ad>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
>     [<00000000e3eb5768>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
>     [<000000002c6bf109>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
>     [<000000009ce0aa62>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342
>     [<00000000db8c8dc2>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483
>     [<00000000b04b70a8>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110
>     [<000000005dc01eb8>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231
>     [<00000000422ec6bd>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949
>     [<0000000042f77bee>] __do_sys_unshare kernel/fork.c:3017 [inline]
>     [<0000000042f77bee>] __se_sys_unshare kernel/fork.c:3015 [inline]
>     [<0000000042f77bee>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015
>     [<00000000e58e69f9>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>     [<000000000a67195e>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Okay, that confirms it. This is a completely different memory leak, as
can be seen by comparing the stack trace with the previous one. The
problem with the gspca driver is gone.

Mauro/Hans, what should I do with the patch?

Alan Stern

^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: memory leak in hub_event
  2020-11-23 22:24 ` Alan Stern
@ 2020-11-24 11:38 ` Hans Verkuil
  2020-11-24 16:00 ` [PATCH] media: gspca: Fix memory leak in probe Alan Stern
  0 siblings, 1 reply; 9+ messages in thread
From: Hans Verkuil @ 2020-11-24 11:38 UTC (permalink / raw)
To: Alan Stern, syzbot; +Cc: linux-media, linux-usb, mchehab, syzkaller-bugs

On 23/11/2020 23:24, Alan Stern wrote:
> On Mon, Nov 23, 2020 at 02:09:05PM -0800, syzbot wrote:
>> Hello,
>>
>> syzbot has tested the proposed patch but the reproducer is still triggering an issue:
>> memory leak in rxrpc_lookup_local
>>
>> BUG: memory leak
>> unreferenced object 0xffff888117ab9900 (size 256):
>>   comm "syz-executor.0", pid 8883, jiffies 4294943811 (age 433.620s)
>>   hex dump (first 32 bytes):
>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>     00 00 00 00 0a 00 00 00 00 80 cb 17 81 88 ff ff  ................
>>   backtrace:
>>     [<000000009003383a>] kmalloc include/linux/slab.h:552 [inline]
>>     [<000000009003383a>] kzalloc include/linux/slab.h:664 [inline]
>>     [<000000009003383a>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline]
>>     [<000000009003383a>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244
>>     [<00000000609410d3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149
>>     [<00000000661f73ad>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64
>>     [<00000000e3eb5768>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126
>>     [<000000002c6bf109>] ops_init+0x4e/0x190 net/core/net_namespace.c:152
>>     [<000000009ce0aa62>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342
>>     [<00000000db8c8dc2>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483
>>     [<00000000b04b70a8>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110
>>     [<000000005dc01eb8>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231
>>     [<00000000422ec6bd>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949
>>     [<0000000042f77bee>] __do_sys_unshare kernel/fork.c:3017 [inline]
>>     [<0000000042f77bee>] __se_sys_unshare kernel/fork.c:3015 [inline]
>>     [<0000000042f77bee>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015
>>     [<00000000e58e69f9>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
>>     [<000000000a67195e>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> Okay, that confirms it. This is a completely different memory leak, as
> can be seen by comparing the stack trace with the previous one. The
> problem with the gspca driver is gone.
>
> Mauro/Hans, what should I do with the patch?

Just post it to linux-media and I'll pick it up as gspca maintainer.

Regards,

Hans

^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH] media: gspca: Fix memory leak in probe 2020-11-24 11:38 ` Hans Verkuil @ 2020-11-24 16:00 ` Alan Stern 2020-12-02 8:58 ` Hans Verkuil 0 siblings, 1 reply; 9+ messages in thread From: Alan Stern @ 2020-11-24 16:00 UTC (permalink / raw) To: Hans Verkuil; +Cc: syzbot, linux-media, linux-usb, mchehab, syzkaller-bugs The gspca driver leaks memory when a probe fails. gspca_dev_probe2() calls v4l2_device_register(), which takes a reference to the underlying device node (in this case, a USB interface). But the failure pathway neglects to call v4l2_device_disconnect(), the routine responsible for dropping this reference. Consequently the memory for the USB interface and its device never gets released. This patch adds the missing function call. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com CC: <stable@vger.kernel.org> --- This doesn't fully fix syzbot's test case, because the test goes on and encounters another memory leak in a different driver. [as1949] drivers/media/usb/gspca/gspca.c | 1 + 1 file changed, 1 insertion(+) Index: usb-devel/drivers/media/usb/gspca/gspca.c =================================================================== --- usb-devel.orig/drivers/media/usb/gspca/gspca.c +++ usb-devel/drivers/media/usb/gspca/gspca.c @@ -1575,6 +1575,7 @@ out: input_unregister_device(gspca_dev->input_dev); #endif v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler); + v4l2_device_disconnect(&gspca_dev->v4l2_dev); kfree(gspca_dev->usb_buf); kfree(gspca_dev); return ret; ^ permalink raw reply [flat|nested] 9+ messages in thread
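Review bot: the teardown added in the `out:` path, v4l2_device_disconnect(), is not the named counterpart of the v4l2_device_register() call that the changelog cites as taking the reference. Pairing the registration with v4l2_device_unregister() would keep the error path symmetric with the setup, so a reader does not need to know which inner helper drops the reference; the changelog sentence naming the responsible routine would need the same update.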
* Re: [PATCH] media: gspca: Fix memory leak in probe 2020-11-24 16:00 ` [PATCH] media: gspca: Fix memory leak in probe Alan Stern @ 2020-12-02 8:58 ` Hans Verkuil 2020-12-02 17:20 ` [PATCH v2] " Alan Stern 0 siblings, 1 reply; 9+ messages in thread From: Hans Verkuil @ 2020-12-02 8:58 UTC (permalink / raw) To: Alan Stern; +Cc: syzbot, linux-media, linux-usb, mchehab, syzkaller-bugs On 24/11/2020 17:00, Alan Stern wrote: > The gspca driver leaks memory when a probe fails. gspca_dev_probe2() > calls v4l2_device_register(), which takes a reference to the > underlying device node (in this case, a USB interface). But the > failure pathway neglects to call v4l2_device_disconnect(), the routine > responsible for dropping this reference. Consequently the memory for > the USB interface and its device never gets released. > > This patch adds the missing function call. > > Signed-off-by: Alan Stern <stern@rowland.harvard.edu> > Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com > CC: <stable@vger.kernel.org> > > --- > > This doesn't fully fix syzbot's test case, because the test goes on and > encounters another memory leak in a different driver. > > > [as1949] > > > drivers/media/usb/gspca/gspca.c | 1 + > 1 file changed, 1 insertion(+) > > Index: usb-devel/drivers/media/usb/gspca/gspca.c > =================================================================== > --- usb-devel.orig/drivers/media/usb/gspca/gspca.c > +++ usb-devel/drivers/media/usb/gspca/gspca.c 
> @@ -1575,6 +1575,7 @@ out: > input_unregister_device(gspca_dev->input_dev); > #endif > v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler); > + v4l2_device_disconnect(&gspca_dev->v4l2_dev); Close, but no cigar. This should call v4l2_device_unregister(), the counterpart of video_device_register. This unregister function also calls v4l2_device_disconnect, but the code makes a lot more sense if the v4l2_device_register is matched with the v4l2_device_unregister. Regards, Hans > kfree(gspca_dev->usb_buf); > kfree(gspca_dev); > return ret; > ^ permalink raw reply [flat|nested] 9+ messages in thread
* [PATCH v2] media: gspca: Fix memory leak in probe 2020-12-02 8:58 ` Hans Verkuil @ 2020-12-02 17:20 ` Alan Stern 0 siblings, 0 replies; 9+ messages in thread From: Alan Stern @ 2020-12-02 17:20 UTC (permalink / raw) To: Hans Verkuil; +Cc: syzbot, linux-media, linux-usb, mchehab, syzkaller-bugs The gspca driver leaks memory when a probe fails. gspca_dev_probe2() calls v4l2_device_register(), which takes a reference to the underlying device node (in this case, a USB interface). But the failure pathway neglects to call v4l2_device_unregister(), the routine responsible for dropping this reference. Consequently the memory for the USB interface and its device never gets released. This patch adds the missing function call. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com CC: <stable@vger.kernel.org> --- v2: Replace v4l2_device_disconnect() call with v4l2_device_unregister(). [as1949b] drivers/media/usb/gspca/gspca.c | 1 + 1 file changed, 1 insertion(+) Index: usb-devel/drivers/media/usb/gspca/gspca.c =================================================================== --- usb-devel.orig/drivers/media/usb/gspca/gspca.c +++ usb-devel/drivers/media/usb/gspca/gspca.c @@ -1575,6 +1575,7 @@ out: input_unregister_device(gspca_dev->input_dev); #endif v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler); + v4l2_device_unregister(&gspca_dev->v4l2_dev); kfree(gspca_dev->usb_buf); kfree(gspca_dev); return ret; ^ permalink raw reply [flat|nested] 9+ messages in thread
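Review bot: the changelog carries `CC: <stable@vger.kernel.org>` but no Fixes: tag, so nothing tells the stable maintainers how far back the one-line change after v4l2_ctrl_handler_free() applies. Suggest adding a Fixes: line naming the commit that introduced the v4l2_device_register() call without a matching unregister in the `out:` path, or a version range on the stable CC line.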
* Re: memory leak in hub_event 2020-11-23 22:09 ` syzbot 2020-11-23 22:24 ` Alan Stern @ 2020-12-02 16:22 ` Alan Stern 2020-12-02 16:37 ` syzbot 1 sibling, 1 reply; 9+ messages in thread From: Alan Stern @ 2020-12-02 16:22 UTC (permalink / raw) To: syzbot; +Cc: hverkuil, linux-media, linux-usb, mchehab, syzkaller-bugs > commit: 4d02da97 Merge tag 'net-5.10-rc5' of git://git.kernel.org/.. > git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Hans says to call v4l2_device_unregister rather than v4l2_device_disconnect. Let's make sure that works. Alan Stern #syz test: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 4d02da97 Index: usb-devel/drivers/media/usb/gspca/gspca.c =================================================================== --- usb-devel.orig/drivers/media/usb/gspca/gspca.c +++ usb-devel/drivers/media/usb/gspca/gspca.c @@ -1575,6 +1575,7 @@ out: input_unregister_device(gspca_dev->input_dev); #endif v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler); + v4l2_device_unregister(&gspca_dev->v4l2_dev); kfree(gspca_dev->usb_buf); kfree(gspca_dev); return ret; ^ permalink raw reply [flat|nested] 9+ messages in thread
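The leak described in the patch changelog, modelled in userspace C as an added example (not code from this thread or from the kernel): registration pins the parent device, and a shared `out:` label either omits or includes the matching unregister. All `model_*` and `parent_*` names are hypothetical, and the no-op behaviour of `model_disconnect()` on a device that was never registered is an assumption of the model.

```c
/* Userspace model of the probe-failure reference leak discussed above.
 * Added example: every name is hypothetical, none of this is kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct model_parent {            /* stands in for the USB interface's device */
    int refcount;
};

struct model_v4l2 {              /* stands in for the driver's v4l2 device */
    struct model_parent *dev;    /* NULL until registered */
};

static void parent_get(struct model_parent *p) { p->refcount++; }
static void parent_put(struct model_parent *p) { p->refcount--; }

/* Registration pins the parent, as the changelog describes. */
static int model_register(struct model_parent *p, struct model_v4l2 *v)
{
    parent_get(p);
    v->dev = p;
    return 0;
}

/* Drops the reference taken at registration. Assumption of this model:
 * it does nothing when no registration happened. */
static void model_disconnect(struct model_v4l2 *v)
{
    if (!v->dev)
        return;
    parent_put(v->dev);
    v->dev = NULL;
}

/* Counterpart of model_register(); it includes the disconnect step. */
static void model_unregister(struct model_v4l2 *v)
{
    model_disconnect(v);
}

enum fail_stage { FAIL_BEFORE_REGISTER, FAIL_AFTER_REGISTER };

/* A probe that always fails and funnels every exit through one label. */
static int model_probe(struct model_parent *intf, enum fail_stage stage, int fixed)
{
    struct model_v4l2 *v = calloc(1, sizeof(*v));
    int ret = -1;

    if (!v)
        return ret;
    if (stage == FAIL_BEFORE_REGISTER)
        goto out;
    ret = model_register(intf, v);
    if (ret)
        goto out;
    ret = -1;                    /* a later probe step fails */
out:
    if (fixed)
        model_unregister(v);     /* the call the patch adds */
    free(v);
    return ret;
}

/* Run one failed probe, then drop the bus's own reference (unplug).
 * Returns the references still pinning the parent; 0 means it can be freed. */
static int refs_left_after_unplug(enum fail_stage stage, int fixed)
{
    struct model_parent intf = { .refcount = 1 };

    (void)model_probe(&intf, stage, fixed);
    parent_put(&intf);
    return intf.refcount;
}

int main(void)
{
    printf("unfixed, fail after register:  %d\n",
           refs_left_after_unplug(FAIL_AFTER_REGISTER, 0));
    printf("fixed,   fail after register:  %d\n",
           refs_left_after_unplug(FAIL_AFTER_REGISTER, 1));
    printf("fixed,   fail before register: %d\n",
           refs_left_after_unplug(FAIL_BEFORE_REGISTER, 1));
    return 0;
}
```

A non-zero result corresponds to the "unreferenced object" that kmemleak reports: the parent can never be freed because one reference has no owner left to drop it.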
* Re: memory leak in hub_event 2020-12-02 16:22 ` memory leak in hub_event Alan Stern @ 2020-12-02 16:37 ` syzbot 0 siblings, 0 replies; 9+ messages in thread From: syzbot @ 2020-12-02 16:37 UTC (permalink / raw) To: hverkuil, linux-media, linux-usb, mchehab, stern, syzkaller-bugs Hello, syzbot has tested the proposed patch but the reproducer is still triggering an issue: memory leak in rxrpc_lookup_local BUG: memory leak unreferenced object 0xffff88810ae30400 (size 256): comm "syz-executor.2", pid 8878, jiffies 4294943959 (age 433.730s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 0a 00 00 00 00 40 75 17 81 88 ff ff .........@u..... backtrace: [<00000000d78976b4>] kmalloc include/linux/slab.h:552 [inline] [<00000000d78976b4>] kzalloc include/linux/slab.h:664 [inline] [<00000000d78976b4>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] [<00000000d78976b4>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 [<000000000f4771f3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 [<00000000a1ca3956>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 [<000000000b4e3083>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 [<0000000057174e11>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 [<000000001ef2d4d2>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342 [<000000000c0943a9>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483 [<000000000134587c>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110 [<00000000ab7ab634>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231 [<000000000a7b8a55>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949 [<000000007378cba1>] __do_sys_unshare kernel/fork.c:3017 [inline] [<000000007378cba1>] __se_sys_unshare kernel/fork.c:3015 [inline] [<000000007378cba1>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015 [<000000002e47b3c4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000daddea42>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced 
object 0xffff888117639d00 (size 256): comm "syz-executor.0", pid 8872, jiffies 4294943961 (age 433.710s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 0a 00 00 00 00 40 7a 17 81 88 ff ff .........@z..... backtrace: [<00000000d78976b4>] kmalloc include/linux/slab.h:552 [inline] [<00000000d78976b4>] kzalloc include/linux/slab.h:664 [inline] [<00000000d78976b4>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] [<00000000d78976b4>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 [<000000000f4771f3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 [<00000000a1ca3956>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 [<000000000b4e3083>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 [<0000000057174e11>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 [<000000001ef2d4d2>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342 [<000000000c0943a9>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483 [<000000000134587c>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110 [<00000000ab7ab634>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231 [<000000000a7b8a55>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949 [<000000007378cba1>] __do_sys_unshare kernel/fork.c:3017 [inline] [<000000007378cba1>] __se_sys_unshare kernel/fork.c:3015 [inline] [<000000007378cba1>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015 [<000000002e47b3c4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000daddea42>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff888117a9cb00 (size 256): comm "syz-executor.7", pid 8882, jiffies 4294943964 (age 433.680s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 0a 00 00 00 00 80 8b 17 81 88 ff ff ................ 
backtrace: [<00000000d78976b4>] kmalloc include/linux/slab.h:552 [inline] [<00000000d78976b4>] kzalloc include/linux/slab.h:664 [inline] [<00000000d78976b4>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] [<00000000d78976b4>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 [<000000000f4771f3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 [<00000000a1ca3956>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 [<000000000b4e3083>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 [<0000000057174e11>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 [<000000001ef2d4d2>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342 [<000000000c0943a9>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483 [<000000000134587c>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110 [<00000000ab7ab634>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231 [<000000000a7b8a55>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949 [<000000007378cba1>] __do_sys_unshare kernel/fork.c:3017 [inline] [<000000007378cba1>] __se_sys_unshare kernel/fork.c:3015 [inline] [<000000007378cba1>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015 [<000000002e47b3c4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000daddea42>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 BUG: memory leak unreferenced object 0xffff88810c9b9700 (size 256): comm "syz-executor.5", pid 8881, jiffies 4294943965 (age 433.670s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 0a 00 00 00 00 c0 b4 0c 81 88 ff ff ................ 
backtrace: [<00000000d78976b4>] kmalloc include/linux/slab.h:552 [inline] [<00000000d78976b4>] kzalloc include/linux/slab.h:664 [inline] [<00000000d78976b4>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] [<00000000d78976b4>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 [<000000000f4771f3>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 [<00000000a1ca3956>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 [<000000000b4e3083>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 [<0000000057174e11>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 [<000000001ef2d4d2>] setup_net+0xdb/0x2d0 net/core/net_namespace.c:342 [<000000000c0943a9>] copy_net_ns+0x14b/0x320 net/core/net_namespace.c:483 [<000000000134587c>] create_new_namespaces+0x199/0x4e0 kernel/nsproxy.c:110 [<00000000ab7ab634>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:231 [<000000000a7b8a55>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2949 [<000000007378cba1>] __do_sys_unshare kernel/fork.c:3017 [inline] [<000000007378cba1>] __se_sys_unshare kernel/fork.c:3015 [inline] [<000000007378cba1>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3015 [<000000002e47b3c4>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000daddea42>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Tested on: commit: 4d02da97 Merge tag 'net-5.10-rc5' of git://git.kernel.org/.. git tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git console output: https://syzkaller.appspot.com/x/log.txt?x=16754c55500000 kernel config: https://syzkaller.appspot.com/x/.config?x=9e70f46496e4daad dashboard link: https://syzkaller.appspot.com/bug?extid=44e64397bd81d5e84cba compiler: gcc (GCC) 10.1.0-syz 20200507 patch: https://syzkaller.appspot.com/x/patch.diff?x=12ca5c73500000 ^ permalink raw reply [flat|nested] 9+ messages in thread