lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210427152928.0871e17a@gmail.com>
Date:   Tue, 27 Apr 2021 15:29:28 +0300
From:   Pavel Skripkin <paskripkin@...il.com>
To:     Atul Gopinathan <atulgopinathan@...il.com>,
        Greg KH <gregkh@...uxfoundation.org>
Cc:     brookebasile@...il.com, ath9k-devel@....qualcomm.com,
        davem@...emloft.net, kuba@...nel.org, kvalo@...eaurora.org,
        linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org,
        syzbot+89bd486af9427a9fc605@...kaller.appspotmail.com,
        syzkaller-bugs@...glegroups.com
Subject: Re: Memory leak in ath9k_hif_usb_dealloc_tx_urbs()

On Tue, 27 Apr 2021 15:04:29 +0300
Pavel Skripkin <paskripkin@...il.com> wrote:

> Hi!
> 
> On Tue, 2021-04-27 at 17:05 +0530, Atul Gopinathan wrote:
> > On Wed, Mar 31, 2021 at 08:28:15AM +0200, Greg KH wrote:
> > > On Tue, Mar 30, 2021 at 10:36:52PM +0300, Pavel Skripkin wrote:
> > > > Hi!
> > > > 
> > > > I did some debugging on this
> > > > https://syzkaller.appspot.com/bug?id=3ea507fb3c47426497b52bd82b8ef0dd5b6cc7ee
> > > > and, I believe, I recognized the problem. The problem appears in
> > > > case of
> > > > ath9k_htc_hw_init() fail. In case of this fail all tx_buf->urb
> > > > krefs will be
> > > > initialized to 1, but in free function:
> > > > 
> > > > static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb
> > > > *hif_dev)
> > > > 
> > > > ....
> > > > 
> > > > static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb
> > > > *hif_dev)
> > > > {
> > > >     ...
> > > >         list_for_each_entry_safe(tx_buf, tx_buf_tmp,
> > > >                                  &hif_dev->tx.tx_buf, list) {
> > > >                 usb_get_urb(tx_buf->urb);
> > > >                 ...
> > > >                 usb_free_urb(tx_buf->urb);
> > > >                 ...
> > > >                 }
> > > > 
> > > > Krefs are incremented and then decremented, that means urbs
> > > > won't be freed.
> > > > I found your patch and I can't properly understand why You added
> > > > usb_get_urb(tx_buf->urb).
> > > > Can You explain please, I believe this will help me or somebody
> > > > to fix this ussue :)
> > > 
> > > I think almost everyone who has looked into this has given up due
> > > to the
> > > mess of twisty-passages here with almost no real-world benefits
> > > for unwinding them :)
> > 
> > Just wanted to confirm, what is the status of this bug then, as in
> > is it
> > invalid (not sure if that's the correct word)? I happened to stumble
> > across the same syzkaller bug report Pavel posted above, in the
> > morning.
> > Saw that there has been no patch tests/fixes on this yet according
> > to syzkaller. Spent a couple of hours going through it before
> > sending a test patch to syzbot which returned an "OK" (and the
> > patch is exactly what Pavel pointed out, I simply removed the
> > `usb_get_urb()`). Before sending anything to the mailing list, I
> > made sure to search all the relavant networking lists to see if
> > this topic had been brought up (learnt
> > to do this from my preious mistakes of sending already accepted
> > patches) and
> > luckily I found this.
> > 
> > Syzbot has had 380 crashes caused by this bug, with the latest being
> > today. So I wanted to confirm what should be done be about this
> > bug. 
> > 
> 
> I saw on dashboard, that Dmitry tested latest upstream commit and
> syzbot returned "OK", but usb_get_urb(tx_buf->urb); is still there.
> 

I am sorry, I clicked wrong link on dashboard :( My bad.

I believe, You can test your patch on this
https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf.

usb_get_urb(tx_buf->urb) was introduced in patch related to this bug

> I think, this usb_get_urb prevents race condition, but I'm not sure
> about it, that's why I sent an email to patch author. As You can see,
> he has not responded yet :)
> 
> > Thank you!
> > Atul
> 
> With regards,
> Pavel Skripkin
> 
> 



With regards,
Pavel Skripkin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ