| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Aug 2019 18:37:06 +0200
From: Marcel Holtmann <marcel@...tmann.org>
To: Claire Chang <tientzu@...omium.org>
Cc: Johan Hedberg <johan.hedberg@...il.com>, johan@...nel.org,
linux-bluetooth@...r.kernel.org, linux-kernel@...r.kernel.org,
bgodavar@...eaurora.org, hemantg@...eaurora.org,
rjliao@...eaurora.org
Subject: Re: [PATCH] Bluetooth: btqca: release_firmware after
qca_inject_cmd_complete_event
Hi Claire,
> commit 32646db8cc28 ("Bluetooth: btqca: inject command complete event
> during fw download") added qca_inject_cmd_complete_event() for certain
> qualcomm chips. However, qca_download_firmware() will return without
> calling release_firmware() in this case.
>
> This leads to a memory leak like the following found by kmemleak:
>
> unreferenced object 0xfffffff3868a5880 (size 128):
> comm "kworker/u17:5", pid 347, jiffies 4294676481 (age 312.157s)
> hex dump (first 32 bytes):
> ac fd 00 00 00 00 00 00 00 d0 7e 17 80 ff ff ff ..........~.....
> 00 00 00 00 00 00 00 00 00 59 8a 86 f3 ff ff ff .........Y......
> backtrace:
> [<00000000978ce31d>] kmem_cache_alloc_trace+0x194/0x298
> [<000000006ea0398c>] _request_firmware+0x74/0x4e4
> [<000000004da31ca0>] request_firmware+0x44/0x64
> [<0000000094572996>] qca_download_firmware+0x74/0x6e4 [btqca]
> [<00000000b24d615a>] qca_uart_setup+0xc0/0x2b0 [btqca]
> [<00000000364a6d5a>] qca_setup+0x204/0x570 [hci_uart]
> [<000000006be1a544>] hci_uart_setup+0xa8/0x148 [hci_uart]
> [<00000000d64c0f4f>] hci_dev_do_open+0x144/0x530 [bluetooth]
> [<00000000f69f5110>] hci_power_on+0x84/0x288 [bluetooth]
> [<00000000d4151583>] process_one_work+0x210/0x420
> [<000000003cf3dcfb>] worker_thread+0x2c4/0x3e4
> [<000000007ccaf055>] kthread+0x124/0x134
> [<00000000bef1f723>] ret_from_fork+0x10/0x18
> [<00000000c36ee3dd>] 0xffffffffffffffff
> unreferenced object 0xfffffff37b16de00 (size 128):
> comm "kworker/u17:5", pid 347, jiffies 4294676873 (age 311.766s)
> hex dump (first 32 bytes):
> da 07 00 00 00 00 00 00 00 50 ff 0b 80 ff ff ff .........P......
> 00 00 00 00 00 00 00 00 00 dd 16 7b f3 ff ff ff ...........{....
> backtrace:
> [<00000000978ce31d>] kmem_cache_alloc_trace+0x194/0x298
> [<000000006ea0398c>] _request_firmware+0x74/0x4e4
> [<000000004da31ca0>] request_firmware+0x44/0x64
> [<0000000094572996>] qca_download_firmware+0x74/0x6e4 [btqca]
> [<000000000cde20a9>] qca_uart_setup+0x144/0x2b0 [btqca]
> [<00000000364a6d5a>] qca_setup+0x204/0x570 [hci_uart]
> [<000000006be1a544>] hci_uart_setup+0xa8/0x148 [hci_uart]
> [<00000000d64c0f4f>] hci_dev_do_open+0x144/0x530 [bluetooth]
> [<00000000f69f5110>] hci_power_on+0x84/0x288 [bluetooth]
> [<00000000d4151583>] process_one_work+0x210/0x420
> [<000000003cf3dcfb>] worker_thread+0x2c4/0x3e4
> [<000000007ccaf055>] kthread+0x124/0x134
> [<00000000bef1f723>] ret_from_fork+0x10/0x18
> [<00000000c36ee3dd>] 0xffffffffffffffff
>
> Make sure release_firmware() is called aftre
> qca_inject_cmd_complete_event() to avoid the memory leak.
>
> Fixes: 32646db8cc28 ("Bluetooth: btqca: inject command complete event during fw download")
> Signed-off-by: Claire Chang <tientzu@...omium.org>
> ---
> drivers/bluetooth/btqca.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
patch has been applied to bluetooth-stable tree.
Regards
Marcel
Powered by blists - more mailing lists