lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Z8iFeEWq16pNQdMa@pluto>
Date: Wed, 5 Mar 2025 17:10:16 +0000
From: Cristian Marussi <cristian.marussi@....com>
To: Alice Ryhl <aliceryhl@...gle.com>
Cc: Sudeep Holla <sudeep.holla@....com>,
	Cristian Marussi <cristian.marussi@....com>,
	linux-arm-kernel@...ts.infradead.org, arm-scmi@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [Bug report] Memory leak in scmi_device_create

On Wed, Mar 05, 2025 at 11:59:58AM +0000, Alice Ryhl wrote:
> Dear SYSTEM CONTROL & POWER/MANAGEMENT INTERFACE (SCPI/SCMI) Message
> Protocol drivers maintainers,
> 
> I flashed a v6.13-rc3 kernel onto a Rock5B board and noticed the
> following output in my terminal:
> 
> [  687.694465] kmemleak: 4 new suspected memory leaks (see /sys/kernel/debug/kmemleak)
> 
> It seems that there is a memory leak for devices created with
> scmi_device_create.
> 
`
Hi Alice,

thanks for this report.

> This was with a kernel running v6.13-rc3, but as far as I can tell, no
> relevant changes have landed since v6.13-rc3. My tree *does* include
> commit 295416091e44 ("firmware: arm_scmi: Fix slab-use-after-free in
> scmi_bus_notifier()"). I've only seen this kmemleak report once, so it's
> not happening consistently.
> 
> See below for the full kmemleak report.
> 
> Alice
> 
> $ sudo cat /sys/kernel/debug/kmemleak
> unreferenced object 0xffffff8106c86000 (size 2048):
>   comm "swapper/0", pid 1, jiffies 4294893094
>   hex dump (first 32 bytes):
>     02 00 00 00 10 00 00 00 c0 01 bc 03 81 ff ff ff  ................
>     60 67 ba 03 81 ff ff ff 18 60 c8 06 81 ff ff ff  `g.......`......
>   backtrace (crc feae9680):
>     [<00000000197aa008>] kmemleak_alloc+0x34/0xa0
>     [<0000000056fe02c9>] __kmalloc_cache_noprof+0x1e0/0x450
>     [<00000000a8b3dfe1>] __scmi_device_create+0xb4/0x2b4
>     [<000000008714917b>] scmi_device_create+0x40/0x194
>     [<000000001818f3cf>] scmi_chan_setup+0x144/0x3b8
>     [<00000000970bad38>] scmi_probe+0x584/0xa78
>     [<000000002600d2fd>] platform_probe+0xbc/0xf0
>     [<00000000f6f556b4>] really_probe+0x1b8/0x520
>     [<00000000eed93d59>] __driver_probe_device+0xe0/0x1d8
>     [<00000000d613b754>] driver_probe_device+0x6c/0x208
>     [<00000000187a9170>] __driver_attach+0x168/0x328
>     [<00000000e3ff1834>] bus_for_each_dev+0x14c/0x178
>     [<00000000984a3176>] driver_attach+0x34/0x44
>     [<00000000fc35bf2a>] bus_add_driver+0x1bc/0x358
>     [<00000000747fce19>] driver_register+0xc0/0x1a0
>     [<0000000081cb8754>] __platform_driver_register+0x40/0x50
> unreferenced object 0xffffff8103bc01c0 (size 32):

I could not reproduce on my setup, even though I run a system with
all the existent SCMI protocols (and related drivers) enabled (and
so a lot of device creations) and a downstream test driver that causes
even more SCMI devices to be created/destroyed at load/unload.

Coming down the path from scmi_chan_setup(), it seems something around
transport devices creation, but it is not obvious to me where the leak
could hide....

...any particular setup on your side ? ...using LKMs, loading/unloading,
any usage pattern that could help me reproduce ?

Thanks,
Cristian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ