| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 2 Jan 2020 15:10:14 +0100
From: Paul Menzel <pmenzel@...gen.mpg.de>
To: Greg KH <greg@...ah.com>,
Mika Westerberg <mika.westerberg@...ux.intel.com>
Cc: Mathias Nyman <mathias.nyman@...el.com>, linux-usb@...r.kernel.org,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: BUG: KASAN: use-after-free in
xhci_trb_virt_to_dma.part.24+0x1c/0x80
Dear Linux folks,
On 2018-07-23 13:23, Paul Menzel wrote:
> On 07/20/18 11:54, Greg KH wrote:
>> On Fri, Jul 20, 2018 at 11:44:49AM +0200, Paul Menzel wrote:
>
>>> Using Linux 4.18-rc5+ with kmemleak enabled on a MSI B350M MORTAR (MS-7A37)
>>> with an AMD Ryzen 3 2200G, the memory leak below is suspected.
>>>
>>> ```
>>> $ sudo less /sys/kernel/debug/kmemleak
>>> unreferenced object 0xffff894f8874a2b8 (size 8):
>>> comm "systemd-udevd", pid 119, jiffies 4294893109 (age 908.348s)
>>> hex dump (first 8 bytes):
>>> 34 01 05 00 00 00 00 00 4.......
>>> backtrace:
>>> [<00000000308e4456>] xhci_init+0x81/0x170 [xhci_hcd]
>>> [<00000000269aa18f>] xhci_gen_setup+0x2cb/0x510 [xhci_hcd]
>>> [<000000007b70d85f>] xhci_pci_setup+0x4d/0x120 [xhci_pci]
>>> [<0000000059f49127>] usb_add_hcd+0x2b6/0x800 [usbcore]
>>> [<000000009a16d67c>] usb_hcd_pci_probe+0x1f3/0x460 [usbcore]
>>> [<0000000001295c2e>] xhci_pci_probe+0x27/0x1d7 [xhci_pci]
>>> [<00000000395bd8f9>] local_pci_probe+0x41/0x90
>>> [<00000000a344e362>] pci_device_probe+0x189/0x1a0
>>> [<00000000318999e5>] driver_probe_device+0x2b9/0x460
>>> [<00000000c29d8a55>] __driver_attach+0xdd/0x110
>>> [<00000000975b7f46>] bus_for_each_dev+0x76/0xc0
>>> [<000000006bc40955>] bus_add_driver+0x152/0x230
>>> [<00000000840ed63c>] driver_register+0x6b/0xb0
>>> [<00000000123908c4>] do_one_initcall+0x46/0x1c3
>>> [<00000000ce69c793>] do_init_module+0x5a/0x210
>>> [<0000000091d4aef2>] load_module+0x21c4/0x2410
>>> […]
>>> ```
>>
>> That's really vague. Any chance for a reproducer or some other types of
>> hints as to what you feel the problem is here?
I guess you just have to run your system also with kmemleak, and you will
be notified about similar leaks.
> Unfortunately, not really. I have a SanDisk USB storage medium attached.
On the system there is now an external DVD drive connected over USB Type-C.
> ```
> $ lsusb
> Bus 006 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> Bus 005 Device 002: ID 413c:3012 Dell Computer Corp. Optical Wheel Mouse
> Bus 005 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 004 Device 002: ID 0781:558b SanDisk Corp.
> Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
> Bus 001 Device 002: ID 413c:2105 Dell Computer Corp. Model L100 Keyboard
> Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
> ```
>
> After ten or eleven minutes after boot, systemd-udevd gets triggered
> and causes the kmemleak message.
>
> ```
> [ 82.196740] calling fuse_init+0x0/0x1a6 [fuse] @ 4455
> [ 82.196741] fuse init (API version 7.27)
> [ 82.201779] initcall fuse_init+0x0/0x1a6 [fuse] returned 0 after 4925 usecs
> [ 677.532745] kmemleak: 3 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
> ```
[…]
> Please tell me, if I can provide more information. Sorry for forgetting
> to attach the Linux messages.
I am still getting this with Linux 5.5-rc4, and the commit below
included.
> commit ce91f1a43b37463f517155bdfbd525eb43adbd1a
> Author: Mika Westerberg <mika.westerberg@...ux.intel.com>
> Date: Wed Dec 11 16:20:02 2019 +0200
>
> xhci: Fix memory leak in xhci_add_in_port()
Mika, as you fixed the other leak, any idea, how to continue from the
kmemleak log below?
```
unreferenced object 0xffff8c207a1e1408 (size 8):
comm "systemd-udevd", pid 183, jiffies 4294667978 (age 752.292s)
hex dump (first 8 bytes):
34 01 05 00 00 00 00 00 4.......
backtrace:
[<00000000aea7b46d>] xhci_mem_init+0xcfa/0xec0 [xhci_hcd]
[<00000000417c4e3f>] xhci_init+0x81/0x170 [xhci_hcd]
[<00000000dcdd3292>] xhci_gen_setup+0x26a/0x340 [xhci_hcd]
[<0000000079014433>] xhci_pci_setup+0x4d/0x120 [xhci_pci]
[<000000008f4fc4d1>] usb_add_hcd.cold+0x266/0x74b
[<0000000023fadb59>] usb_hcd_pci_probe+0x216/0x3b1
[<0000000006043143>] xhci_pci_probe+0x29/0x1bc [xhci_pci]
[<000000006e8744e3>] local_pci_probe+0x42/0x80
[<00000000120e570a>] pci_device_probe+0x107/0x1a0
[<0000000074c180e1>] really_probe+0x147/0x3c0
[<000000002d64c344>] driver_probe_device+0xb6/0x100
[<00000000e695e4ae>] device_driver_attach+0x53/0x60
[<00000000b7832c47>] __driver_attach+0x8a/0x150
[<0000000069df77eb>] bus_for_each_dev+0x78/0xc0
[<00000000aa6d98a4>] bus_add_driver+0x14d/0x1f0
[<0000000002c7d24b>] driver_register+0x6c/0xc0
unreferenced object 0xffff8c207a1e1718 (size 8):
comm "systemd-udevd", pid 183, jiffies 4294667978 (age 752.292s)
hex dump (first 8 bytes):
34 01 05 00 00 00 00 00 4.......
backtrace:
[<00000000aea7b46d>] xhci_mem_init+0xcfa/0xec0 [xhci_hcd]
[<00000000417c4e3f>] xhci_init+0x81/0x170 [xhci_hcd]
[<00000000dcdd3292>] xhci_gen_setup+0x26a/0x340 [xhci_hcd]
[<0000000079014433>] xhci_pci_setup+0x4d/0x120 [xhci_pci]
[<000000008f4fc4d1>] usb_add_hcd.cold+0x266/0x74b
[<0000000023fadb59>] usb_hcd_pci_probe+0x216/0x3b1
[<0000000006043143>] xhci_pci_probe+0x29/0x1bc [xhci_pci]
[<000000006e8744e3>] local_pci_probe+0x42/0x80
[<00000000120e570a>] pci_device_probe+0x107/0x1a0
[<0000000074c180e1>] really_probe+0x147/0x3c0
[<000000002d64c344>] driver_probe_device+0xb6/0x100
[<00000000e695e4ae>] device_driver_attach+0x53/0x60
[<00000000b7832c47>] __driver_attach+0x8a/0x150
[<0000000069df77eb>] bus_for_each_dev+0x78/0xc0
[<00000000aa6d98a4>] bus_add_driver+0x14d/0x1f0
[<0000000002c7d24b>] driver_register+0x6c/0xc0
unreferenced object 0xffff8c207a1e1338 (size 8):
comm "systemd-udevd", pid 183, jiffies 4294667978 (age 752.292s)
hex dump (first 8 bytes):
34 01 05 00 00 00 00 00 4.......
backtrace:
[<00000000aea7b46d>] xhci_mem_init+0xcfa/0xec0 [xhci_hcd]
[<00000000417c4e3f>] xhci_init+0x81/0x170 [xhci_hcd]
[<00000000dcdd3292>] xhci_gen_setup+0x26a/0x340 [xhci_hcd]
[<0000000079014433>] xhci_pci_setup+0x4d/0x120 [xhci_pci]
[<000000008f4fc4d1>] usb_add_hcd.cold+0x266/0x74b
[<0000000023fadb59>] usb_hcd_pci_probe+0x216/0x3b1
[<0000000006043143>] xhci_pci_probe+0x29/0x1bc [xhci_pci]
[<000000006e8744e3>] local_pci_probe+0x42/0x80
[<00000000120e570a>] pci_device_probe+0x107/0x1a0
[<0000000074c180e1>] really_probe+0x147/0x3c0
[<000000002d64c344>] driver_probe_device+0xb6/0x100
[<00000000e695e4ae>] device_driver_attach+0x53/0x60
[<00000000b7832c47>] __driver_attach+0x8a/0x150
[<0000000069df77eb>] bus_for_each_dev+0x78/0xc0
[<00000000aa6d98a4>] bus_add_driver+0x14d/0x1f0
[<0000000002c7d24b>] driver_register+0x6c/0xc0
```
Kind regards,
Paul
> [1]: https://bugs.freedesktop.org/show_bug.cgi?id=105684
> "Loading amdgpu hits general protection fault: 0000 [#1] SMP NOPTI"[2]: https://patchwork.kernel.org/patch/11242383/
View attachment "20200101–msi-MS-7A37–linux-5.5.0-rc4-drm-tip-messages-kmemleak.txt" of type "text/plain" (71512 bytes)
Download attachment "smime.p7s" of type "application/pkcs7-signature" (5174 bytes)
Powered by blists - more mailing lists