Linux-USB Archive on lore.kernel.org
 help / color / Atom feed
From: Paul Menzel <pmenzel@molgen.mpg.de>
To: Mathias Nyman <mathias.nyman@linux.intel.com>,
	Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: Greg KH <greg@kroah.com>, Mathias Nyman <mathias.nyman@intel.com>,
	linux-usb@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>
Subject: Re: BUG: KASAN: use-after-free in xhci_trb_virt_to_dma.part.24+0x1c/0x80
Date: Tue, 7 Jan 2020 16:35:05 +0100
Message-ID: <84369435-d355-0462-98ab-91bb1c5d3871@molgen.mpg.de> (raw)
In-Reply-To: <81c6f906-3f5a-729d-f3b4-1ac6ac607c05@linux.intel.com>

[-- Attachment #1: Type: text/plain, Size: 3659 bytes --]

Dear Mathias, dear Mika,


On 2020-01-07 13:09, Mathias Nyman wrote:
> On 3.1.2020 13.04, Mika Westerberg wrote:
>> On Thu, Jan 02, 2020 at 03:10:14PM +0100, Paul Menzel wrote:
>>> Mika, as you fixed the other leak, any idea, how to continue from the
>>> kmemleak log below?
>>>
>>> ```
>>> unreferenced object 0xffff8c207a1e1408 (size 8):
>>>    comm "systemd-udevd", pid 183, jiffies 4294667978 (age 752.292s)
>>>    hex dump (first 8 bytes):
>>>      34 01 05 00 00 00 00 00                          4.......
>>>    backtrace:
>>>      [<00000000aea7b46d>] xhci_mem_init+0xcfa/0xec0 [xhci_hcd]
>>
>> There are probably better ways for doing this but you can use objdump
>> for example:
>>
>>    $ objdump -l --prefix-addresses -j .text --disassemble=xhci_mem_init drivers/usb/host/xhci-hcd.ko
>>
>> then find the offset xhci_mem_init+0xcfa. It should show you the line
>> numbers as well if you have compiled your kernel with debug info. This
>> should be close to the line that allocated the memory that was leaked.

Thank you. I actually remembered `script/f2addr2line`.

    $ scripts/faddr2line drivers/usb/host/xhci-hcd.o xhci_mem_init+0xcfa
    xhci_mem_init+0xcfa/0xec0:
    xhci_add_in_port at /mnt/drivers/usb/host/xhci-mem.c:2161
    (inlined by) xhci_setup_port_arrays at /mnt/drivers/usb/host/xhci-mem.c:2309
    (inlined by) xhci_mem_init at /mnt/drivers/usb/host/xhci-mem.c:2538

> Paul, it possible that your xhci controller has several
> supported protocol extended capabilities for usb 3 ports, each
> with their own custom protocol speed ID table.
> 
> xhci driver assumes there is only one custome PSI table per roothub,
> and we will end up allocating the second PSI table on top of the first,
> leaking the first.
> 
> Could you boot with xhci dynamic debug enabled, and show dmesg after boot, add:
> xhci_hcd.dyndbg=+p
> to you kernel cmdline.
> 
> Or as an alternative, show output of:
> 
> sudo cat /sys/kernel/debug/usb/xhci/*/reg-ext-protocol*

`/sys/kernel/debug/` cannot be read by unprivileged users, so the wildcard does
not work with `sudo`.

```
$ sudo ls /sys/kernel/debug/usb/xhci
0000:12:00.0  0000:26:00.3  0000:26:00.4
# cat /sys/kernel/debug/usb/xhci/*/reg-ext-protocol*
EXTCAP_REVISION = 0x03100802
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x00000201
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_REVISION = 0x03000802
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x00000203
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_REVISION = 0x02000802
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x00190a05
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_REVISION = 0x02000402
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x00180401
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_REVISION = 0x03100802
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x10000105
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_MANTISSA1 = 0x00050134
EXTCAP_REVISION = 0x03100802
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x10000106
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_MANTISSA1 = 0x00050134
EXTCAP_REVISION = 0x03100802
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x10000107
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_MANTISSA1 = 0x00050134
EXTCAP_REVISION = 0x03100802
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x10000108
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_MANTISSA1 = 0x00050134
EXTCAP_REVISION = 0x02000402
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x00180101
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_REVISION = 0x03100802
EXTCAP_NAME = 0x20425355
EXTCAP_PORTINFO = 0x10000102
EXTCAP_PORTTYPE = 0x00000000
EXTCAP_MANTISSA1 = 0x00050134
```


Kind regards,

Paul


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 5174 bytes --]

  reply index

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <95b4bdb2-962f-561e-ac14-79cd44395915@molgen.mpg.de>
     [not found] ` <20180720095410.GA11904@kroah.com>
     [not found]   ` <107dbdd1-4e45-836f-7f8f-85bc63374e4f@molgen.mpg.de>
2020-01-02 14:10     ` Paul Menzel
2020-01-03 11:04       ` Mika Westerberg
2020-01-07 12:09         ` Mathias Nyman
2020-01-07 15:35           ` Paul Menzel [this message]
2020-01-08  9:34             ` Mathias Nyman
2020-01-08 15:17               ` [RFT PATCH] xhci: Fix memory leak when caching protocol extended capability PSI tables Mathias Nyman
2020-01-08 15:40                 ` Greg KH
2020-01-08 15:56                   ` Mathias Nyman
     [not found]                 ` <CGME20200211105613eucas1p27cac4202c4287a5967b2ed988779d523@eucas1p2.samsung.com>
2020-02-11 10:56                   ` Marek Szyprowski
2020-02-11 12:23                     ` Greg KH
2020-02-11 12:29                       ` Mathias Nyman
2020-02-11 14:08                         ` Mathias Nyman
2020-02-11 15:01                           ` [RFT PATCH v2] " Mathias Nyman
2020-02-11 15:12                             ` Marek Szyprowski
2020-02-11 16:13                               ` Greg KH
2020-02-12  9:01                                 ` Mathias Nyman
2020-02-12 17:51                                   ` Greg KH
2020-02-13 13:33                             ` Jon Hunter
2020-02-14  7:47                               ` Mathias Nyman
2020-02-14  8:35                                 ` Jon Hunter
2020-01-09  8:53         ` BUG: KASAN: use-after-free in xhci_trb_virt_to_dma.part.24+0x1c/0x80 Felipe Balbi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=84369435-d355-0462-98ab-91bb1c5d3871@molgen.mpg.de \
    --to=pmenzel@molgen.mpg.de \
    --cc=greg@kroah.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=mathias.nyman@intel.com \
    --cc=mathias.nyman@linux.intel.com \
    --cc=mika.westerberg@linux.intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-USB Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-usb/0 linux-usb/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-usb linux-usb/ https://lore.kernel.org/linux-usb \
		linux-usb@vger.kernel.org
	public-inbox-index linux-usb

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-usb


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git