On Fri, Feb 11, 2022 at 08:50:37PM -0500, Alan Stern wrote:
> Syzbot identified a refcount leak in the hid-elo driver:
>
> BUG: memory leak
> unreferenced object 0xffff88810d49e800 (size 2048):
> comm "kworker/1:1", pid 25, jiffies 4294954629 (age 16.460s)
> hex dump (first 32 bytes):
> ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1...........
> 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................
> backtrace:
> [<ffffffff82c87a62>] kmalloc include/linux/slab.h:581 [inline]
> [<ffffffff82c87a62>] kzalloc include/linux/slab.h:715 [inline]
> [<ffffffff82c87a62>] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582
> [<ffffffff82c91a47>] hub_port_connect drivers/usb/core/hub.c:5260 [inline]
> [<ffffffff82c91a47>] hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
> [<ffffffff82c91a47>] port_event drivers/usb/core/hub.c:5660 [inline]
> [<ffffffff82c91a47>] hub_event+0x1097/0x21a0 drivers/usb/core/hub.c:5742
> [<ffffffff8126c3ef>] process_one_work+0x2bf/0x600 kernel/workqueue.c:2307
> [<ffffffff8126ccd9>] worker_thread+0x59/0x5b0 kernel/workqueue.c:2454
> [<ffffffff81276765>] kthread+0x125/0x160 kernel/kthread.c:377
> [<ffffffff810022ff>] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
>
> Not shown in the bug report but present in the console log:
>
> [ 182.014764][ T3257] elo 0003:04E7:0030.0006: item fetching failed at offset 0/1
> [ 182.022255][ T3257] elo 0003:04E7:0030.0006: parse failed
> [ 182.027904][ T3257] elo: probe of 0003:04E7:0030.0006 failed with error -22
> [ 182.214767][ T3257] usb 1-1: USB disconnect, device number 7
> [ 188.090199][ T3604] kmemleak: 3 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
> BUG: memory leak
>
> which points to hid-elo as the buggy driver.
>
> The leak is caused by elo_probe() failing to release the reference it
> holds to the struct usb_device in its failure pathway. In the end the
> driver doesn't need to take this reference at all, because the
> elo_priv structure is always deallocated synchronously when the driver
> unbinds from the interface.
>
> Therefore this patch fixes the reference leak by not taking the
> reference in the first place.
>
> Reported-and-tested-by: syzbot+8caaaec4e7a55d75e243@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> CC: <stable@xxxxxxxxxxxxxxx>
>
Alan, this bug was fixed a different way in 817b8b9c5396 ("HID: elo: fix
memory leak in elo_probe") so now the two fixes lead to a use after
free. Your patch is more elegant so we should revert 817b8b9c5396.
regards,
dan carpenter
