Subject: Re: BUG: KASAN: use-after-free in xhci_trb_virt_to_dma.part.24+0x1c/0x80
From: Mathias Nyman
To: Paul Menzel, Mika Westerberg
Cc: Greg KH, Mathias Nyman, linux-usb@vger.kernel.org, LKML
Date: Wed, 8 Jan 2020 11:34:22 +0200
Message-ID: <572bea6f-06d4-938a-802e-93386acf59d9@linux.intel.com>
In-Reply-To: <84369435-d355-0462-98ab-91bb1c5d3871@molgen.mpg.de>
X-Mailing-List: linux-kernel@vger.kernel.org

On 7.1.2020 17.35, Paul Menzel wrote:
> Dear Mathias, dear Mika,
>
>
> On 2020-01-07 13:09, Mathias Nyman wrote:
>> On 3.1.2020 13.04, Mika Westerberg wrote:
>>> On Thu, Jan 02, 2020 at 03:10:14PM +0100, Paul Menzel wrote:
>>>> Mika, as you fixed the other leak, any idea, how to continue from the
>>>> kmemleak log below?
>>>>
>>>> ```
>>>> unreferenced object 0xffff8c207a1e1408 (size 8):
>>>>    comm "systemd-udevd", pid 183, jiffies 4294667978 (age 752.292s)
>>>>    hex dump (first 8 bytes):
>>>>      34 01 05 00 00 00 00 00                          4.......
>>>>    backtrace:
>>>>      [<00000000aea7b46d>] xhci_mem_init+0xcfa/0xec0 [xhci_hcd]
>>>
>>> There are probably better ways for doing this but you can use objdump
>>> for example:
>>>
>>>    $ objdump -l --prefix-addresses -j .text --disassemble=xhci_mem_init drivers/usb/host/xhci-hcd.ko
>>>
>>> then find the offset xhci_mem_init+0xcfa. It should show you the line
>>> numbers as well if you have compiled your kernel with debug info. This
>>> should be close to the line that allocated the memory that was leaked.
>
> Thank you. I actually remembered `script/f2addr2line`.
>
> $ scripts/faddr2line drivers/usb/host/xhci-hcd.o xhci_mem_init+0xcfa
> xhci_mem_init+0xcfa/0xec0:
> xhci_add_in_port at /mnt/drivers/usb/host/xhci-mem.c:2161
> (inlined by) xhci_setup_port_arrays at /mnt/drivers/usb/host/xhci-mem.c:2309
> (inlined by) xhci_mem_init at /mnt/drivers/usb/host/xhci-mem.c:2538
>
>> Paul, it is possible that your xhci controller has several
>> supported protocol extended capabilities for usb 3 ports, each
>> with their own custom protocol speed ID table.
>>
>> xhci driver assumes there is only one custom PSI table per roothub,
>> and we will end up allocating the second PSI table on top of the first,
>> leaking the first.
>>
>> Could you boot with xhci dynamic debug enabled, and show dmesg after boot, add:
>> xhci_hcd.dyndbg=+p
>> to your kernel cmdline.
>>
>> Or as an alternative, show output of:
>>
>> sudo cat /sys/kernel/debug/usb/xhci/*/reg-ext-protocol*
>
> `/sys/kernel/debug/` cannot be read by unprivileged users, so the wildcard does
> not work with `sudo`.
>
> ```
> $ sudo ls /sys/kernel/debug/usb/xhci
> 0000:12:00.0  0000:26:00.3  0000:26:00.4
> # cat /sys/kernel/debug/usb/xhci/*/reg-ext-protocol*

problematic xhci:

capability for first four USB 2 ports
> EXTCAP_REVISION = 0x02000402
> EXTCAP_NAME = 0x20425355
> EXTCAP_PORTINFO = 0x00180401
> EXTCAP_PORTTYPE = 0x00000000

capability for one USB 3.1 port (5th port)
> EXTCAP_REVISION = 0x03100802
> EXTCAP_NAME = 0x20425355
> EXTCAP_PORTINFO = 0x10000105
> EXTCAP_PORTTYPE = 0x00000000
> EXTCAP_MANTISSA1 = 0x00050134

capability for one USB 3.1 port (6th port)
> EXTCAP_REVISION = 0x03100802
> EXTCAP_NAME = 0x20425355
> EXTCAP_PORTINFO = 0x10000106
> EXTCAP_PORTTYPE = 0x00000000
> EXTCAP_MANTISSA1 = 0x00050134

capability for one USB 3.1 port (7th port)
> EXTCAP_REVISION = 0x03100802
> EXTCAP_NAME = 0x20425355
> EXTCAP_PORTINFO = 0x10000107
> EXTCAP_PORTTYPE = 0x00000000
> EXTCAP_MANTISSA1 = 0x00050134

capability for one USB 3.1 port (8th port)
> EXTCAP_REVISION = 0x03100802
> EXTCAP_NAME = 0x20425355
> EXTCAP_PORTINFO = 0x10000108
> EXTCAP_PORTTYPE = 0x00000000
> EXTCAP_MANTISSA1 = 0x00050134

It has eight ports. The last four of them are USB 3.1 ports.
It has a very odd setup where each 3.1 port has its own supported protocol
capability with a custom PSI, but all the PSIs are similar, telling the port
only supports a 5Gbps speed.

We leak all the custom PSI tables for USB 3.1 ports except the last, these would be the
EXTCAP_MANTISSA1 = 0x00050134, which is the same as the hex dump of the unreferenced object
you posted earlier (considering byte order):

hex dump (first 8 bytes):
  34 01 05 00 00 00 00 00                          4.......

I'm working on a patch for this.

-Mathias
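
Added example, not part of the mail above and not code from the xhci driver: a small C program that decodes the quoted capability dwords, counts how many custom PSI tables would be overwritten when only one table pointer is kept per roothub, and checks the PSI dword against the kmemleak hex dump. The function names are hypothetical, and selecting the roothub by major revision is an assumption of this sketch.

```c
#include <stdint.h>
#include <stdio.h>
/* Capability dwords copied from the reg-ext-protocol dump quoted above. */
static const struct ext_proto { uint32_t revision, portinfo, psi; } caps[] = {
    { 0x02000402, 0x00180401, 0x00000000 }, /* USB 2 ports, no PSI dword */
    { 0x03100802, 0x10000105, 0x00050134 },
    { 0x03100802, 0x10000106, 0x00050134 },
    { 0x03100802, 0x10000107, 0x00050134 },
    { 0x03100802, 0x10000108, 0x00050134 },
};
#define NCAPS (sizeof(caps) / sizeof(caps[0]))

/* Field positions from the xHCI Supported Protocol Capability layout. */
static unsigned major_rev(uint32_t r)    { return (r >> 24) & 0xff; }
static unsigned port_off(uint32_t p)     { return p & 0xff; }
static unsigned psic(uint32_t p)         { return (p >> 28) & 0x0f; }
static unsigned psi_exp(uint32_t d)      { return (d >> 4) & 0x3; } /* 3 = Gb/s */
static unsigned psi_mantissa(uint32_t d) { return (d >> 16) & 0xffff; }

/* Assumption: one PSI-table pointer per roothub, roothub chosen by major
 * revision. Every table after the first overwrites (leaks) its predecessor. */
static unsigned tables_leaked(unsigned major)
{
    unsigned tables = 0;
    for (size_t i = 0; i < NCAPS; i++)
        if (major_rev(caps[i].revision) == major && psic(caps[i].portinfo))
            tables++;
    return tables ? tables - 1 : 0;
}

/* Does the PSI dword, stored little-endian, match the kmemleak hex dump? */
static int psi_matches_dump(uint32_t psi, const uint8_t *dump)
{
    for (int i = 0; i < 4; i++)
        if (dump[i] != ((psi >> (8 * i)) & 0xff))
            return 0;
    return 1;
}

int main(void)
{
    static const uint8_t dump[8] = { 0x34, 0x01, 0x05, 0x00 }; /* from the log */
    for (size_t i = 0; i < NCAPS; i++)
        printf("USB %u, first port %u, PSIC=%u\n", major_rev(caps[i].revision),
               port_off(caps[i].portinfo), psic(caps[i].portinfo));
    printf("leaked=%u dump_match=%d speed=%u*10^%u bit/s\n", tables_leaked(3),
           psi_matches_dump(caps[1].psi, dump), psi_mantissa(caps[1].psi),
           3 * psi_exp(caps[1].psi));
    return 0;
}
```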