lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20160820071504.GA9663@t440s.P-661HNU-F1>
Date:   Sat, 20 Aug 2016 10:15:04 +0300
From:   Johan Hedberg <johan.hedberg@...il.com>
To:     Marcel Holtmann <marcel@...tmann.org>
Cc:     Larry Finger <Larry.Finger@...inger.net>,
        "Gustavo F. Padovan" <gustavo@...ovan.org>,
        Linux Bluetooth mailing list 
        <linux-bluetooth@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: Memory (skb) leak in kernel 4.8-rc2

Hi Marcel,

On Sat, Aug 20, 2016, Marcel Holtmann wrote:
> > I am seeing two skb leaks in the BT sub-system for kernel 4.8-rc2. I
> > only recently re-enabled kmemleak, but I do not think I saw these
> > leaks in 4.7.
> > 
> > The first leak is at btusb_recv_intr+0x12b/0x170 [btusb]. This
> > address refers to the call to bt_skb_alloc() in routine
> > btusb_recv_intr().
> 
> do you have a backtrace for this one? Also which hardware is this?
> 
> > The second leak is at hci_event_packet+0xb8/0x30b0 [bluetooth]. The
> > backtrace for this address is
> > 
> > 0x13d38 is in hci_event_packet (net/bluetooth/hci_event.c:5254).
> > 5249             * various handlers may modify the original one through
> > 5250             * skb_pull() calls, etc.
> > 5251             */
> > 5252            if (req_complete_skb || event == HCI_EV_CMD_STATUS ||
> > 5253                event == HCI_EV_CMD_COMPLETE)
> > 5254                    orig_skb = skb_clone(skb, GFP_KERNEL);
> > 5255
> > 5256            skb_pull(skb, HCI_EVENT_HDR_SIZE);
> > 5257
> > 5258            switch (event) {
> > 
> > I am unable to unload module bluetooth to verify that the second
> > leak is not a false positive; however, the one in btusb is a real
> > memory leak.
> 
> I can not see a leak. Maybe Johan has an idea.

Unfortunately I don't have any ideas either - there is no exit path from
hci_event_packet() after orig_skb has been allocated that would not
result in kfree_skb(orig_skb) being called first.

Johan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ