| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 27 Apr 2021 15:29:28 +0300
From: Pavel Skripkin <paskripkin@...il.com>
To: Atul Gopinathan <atulgopinathan@...il.com>,
Greg KH <gregkh@...uxfoundation.org>
Cc: brookebasile@...il.com, ath9k-devel@....qualcomm.com,
davem@...emloft.net, kuba@...nel.org, kvalo@...eaurora.org,
linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org,
syzbot+89bd486af9427a9fc605@...kaller.appspotmail.com,
syzkaller-bugs@...glegroups.com
Subject: Re: Memory leak in ath9k_hif_usb_dealloc_tx_urbs()
On Tue, 27 Apr 2021 15:04:29 +0300
Pavel Skripkin <paskripkin@...il.com> wrote:
> Hi!
>
> On Tue, 2021-04-27 at 17:05 +0530, Atul Gopinathan wrote:
> > On Wed, Mar 31, 2021 at 08:28:15AM +0200, Greg KH wrote:
> > > On Tue, Mar 30, 2021 at 10:36:52PM +0300, Pavel Skripkin wrote:
> > > > Hi!
> > > >
> > > > I did some debugging on this
> > > > https://syzkaller.appspot.com/bug?id=3ea507fb3c47426497b52bd82b8ef0dd5b6cc7ee
> > > > and, I believe, I recognized the problem. The problem appears in
> > > > case of
> > > > ath9k_htc_hw_init() fail. In case of this fail all tx_buf->urb
> > > > krefs will be
> > > > initialized to 1, but in free function:
> > > >
> > > > static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb
> > > > *hif_dev)
> > > >
> > > > ....
> > > >
> > > > static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb
> > > > *hif_dev)
> > > > {
> > > > ...
> > > > list_for_each_entry_safe(tx_buf, tx_buf_tmp,
> > > > &hif_dev->tx.tx_buf, list) {
> > > > usb_get_urb(tx_buf->urb);
> > > > ...
> > > > usb_free_urb(tx_buf->urb);
> > > > ...
> > > > }
> > > >
> > > > Krefs are incremented and then decremented, that means urbs
> > > > won't be freed.
> > > > I found your patch and I can't properly understand why You added
> > > > usb_get_urb(tx_buf->urb).
> > > > Can You explain please, I believe this will help me or somebody
> > > > to fix this ussue :)
> > >
> > > I think almost everyone who has looked into this has given up due
> > > to the
> > > mess of twisty-passages here with almost no real-world benefits
> > > for unwinding them :)
> >
> > Just wanted to confirm, what is the status of this bug then, as in
> > is it
> > invalid (not sure if that's the correct word)? I happened to stumble
> > across the same syzkaller bug report Pavel posted above, in the
> > morning.
> > Saw that there has been no patch tests/fixes on this yet according
> > to syzkaller. Spent a couple of hours going through it before
> > sending a test patch to syzbot which returned an "OK" (and the
> > patch is exactly what Pavel pointed out, I simply removed the
> > `usb_get_urb()`). Before sending anything to the mailing list, I
> > made sure to search all the relavant networking lists to see if
> > this topic had been brought up (learnt
> > to do this from my preious mistakes of sending already accepted
> > patches) and
> > luckily I found this.
> >
> > Syzbot has had 380 crashes caused by this bug, with the latest being
> > today. So I wanted to confirm what should be done be about this
> > bug.
> >
>
> I saw on dashboard, that Dmitry tested latest upstream commit and
> syzbot returned "OK", but usb_get_urb(tx_buf->urb); is still there.
>
I am sorry, I clicked wrong link on dashboard :( My bad.
I believe, You can test your patch on this
https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf.
usb_get_urb(tx_buf->urb) was introduced in patch related to this bug
> I think, this usb_get_urb prevents race condition, but I'm not sure
> about it, that's why I sent an email to patch author. As You can see,
> he has not responded yet :)
>
> > Thank you!
> > Atul
>
> With regards,
> Pavel Skripkin
>
>
With regards,
Pavel Skripkin
Powered by blists - more mailing lists