| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20210330193652.10642-1-paskripkin@gmail.com>
Date: Tue, 30 Mar 2021 22:36:52 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: brookebasile@...il.com
Cc: ath9k-devel@....qualcomm.com, davem@...emloft.net,
gregkh@...uxfoundation.org, kuba@...nel.org, kvalo@...eaurora.org,
linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org,
syzbot+89bd486af9427a9fc605@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com
Subject: Memory leak in ath9k_hif_usb_dealloc_tx_urbs()
Hi!
I did some debugging on this
https://syzkaller.appspot.com/bug?id=3ea507fb3c47426497b52bd82b8ef0dd5b6cc7ee
and, I believe, I recognized the problem. The problem appears in case of
ath9k_htc_hw_init() fail. In case of this fail all tx_buf->urb krefs will be
initialized to 1, but in free function:
static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
....
static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
{
...
list_for_each_entry_safe(tx_buf, tx_buf_tmp,
&hif_dev->tx.tx_buf, list) {
usb_get_urb(tx_buf->urb);
...
usb_free_urb(tx_buf->urb);
...
}
Krefs are incremented and then decremented, that means urbs won't be freed.
I found your patch and I can't properly understand why You added usb_get_urb(tx_buf->urb).
Can You explain please, I believe this will help me or somebody to fix this ussue :)
With regards,
Pavel Skripkin
Powered by blists - more mailing lists