lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <1497283185.13388.0@smtp.gmail.com>
Date:   Mon, 12 Jun 2017 17:59:45 +0200
From:   Tomas Hlavacek <tmshlvck@...il.com>
To:     linux-kernel@...r.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: rtl8723bs memory leak

Hello!

It seems that we have discovered a memory leak in the rtl8723bs driver. 
The problem is that when the SDIO read fails in sd_recv_rxfifo() (in 
drivers/staging/rtl8723bs/hal/sdio_ops.c, l1016) the function simply 
returns NULL, but the dequeued recvbuf is never returned to the 
precvpriv->free_recv_buf_queue.

After several SDIO read failures it would bleed off the recvbuf queue 
and it would subsequently stop processing packets while producing 
endless flow of messages like this:

[   49.618639] RTL8723BS: ERROR sd_recv_rxfifo: alloc recvbuf FAIL!
[   49.624340] RTL8723BS: ERROR precvbuf is Null for 8 times because 
alloc memory failed
[   49.641654] RTL8723BS: ERROR sd_recv_rxfifo: alloc recvbuf FAIL!
[   49.648015] RTL8723BS: ERROR precvbuf is Null for 9 times because 
alloc memory failed
[   49.665105] RTL8723BS: ERROR sd_recv_rxfifo: alloc recvbuf FAIL!
[   49.671474] RTL8723BS: ERROR precvbuf is Null for 10 times because 
alloc memory failed
[   49.679394] RTL8723BS: ERROR exit because alloc memory failed more 
than 10 times
...

A possible fix might look like the following (however, this is only my 
testing hot-fix to make the driver work and I have to admit that I do 
not fully understand the whole thing - that's why I am not posting a 
patch at this point):

diff --git a/drivers/staging/rtl8723bs/hal/sdio_ops.c 
b/drivers/staging/rtl8723bs/hal/sdio_ops.c
index 6285b72faa9a..ad65cd74c3c8 100644
--- a/drivers/staging/rtl8723bs/hal/sdio_ops.c
+++ b/drivers/staging/rtl8723bs/hal/sdio_ops.c
@@ -1008,6 +1008,7 @@ static struct recv_buf *sd_recv_rxfifo(struct 
adapter *padapter, u32 size)
 		}

 		if (precvbuf->pskb == NULL) {
+			rtw_enqueue_recvbuf(precvbuf, &precvpriv->free_recv_buf_queue);
 			DBG_871X("%s: alloc_skb fail! read =%d\n", __func__, readsize);
 			return NULL;
 		}
@@ -1017,6 +1018,7 @@ static struct recv_buf *sd_recv_rxfifo(struct 
adapter *padapter, u32 size)
 	preadbuf = precvbuf->pskb->data;
 	ret = sdio_read_port(&padapter->iopriv.intf, WLAN_RX0FF_DEVICE_ID, 
readsize, preadbuf);
 	if (ret == _FAIL) {
+		rtw_enqueue_recvbuf(precvbuf, &precvpriv->free_recv_buf_queue);
 		RT_TRACE(_module_hci_ops_os_c_, _drv_err_, ("%s: read port FAIL!\n", 
__func__));
 		return NULL;
 	}

Cheers,
Tomas

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ