athn(4) hostap: mem leak

athn(4) hostap: mem leak

Benjamin Baier
Hi

There is a leak of *arg in
dev/usb/if_athn_usb.c:athn_usb_newauth() line 1263
since Rev. 1.49
Because athn_usb_do_async() memcpy's the argument anyway.

Found with llvm/scan-build.

Instead of adding free(arg) I opted to make this function
more like the other ones which call athn_usb_do_async.

Only compile tested... looking for tests.

Greetings Ben

Index: if_athn_usb.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_athn_usb.c,v
retrieving revision 1.51
diff -u -p -r1.51 if_athn_usb.c
--- if_athn_usb.c 6 Sep 2018 11:50:54 -0000 1.51
+++ if_athn_usb.c 29 Nov 2018 18:33:40 -0000
@@ -1231,7 +1231,7 @@ athn_usb_newauth(struct ieee80211com *ic
  struct ifnet *ifp = &ic->ic_if;
  struct athn_node *an = (struct athn_node *)ni;
  int nsta;
- struct athn_usb_newauth_cb_arg *arg;
+ struct athn_usb_newauth_cb_arg arg;
 
  if (ic->ic_opmode != IEEE80211_M_HOSTAP)
  return 0;
@@ -1254,12 +1254,9 @@ athn_usb_newauth(struct ieee80211com *ic
  * In a process context, try to add this node to the
  * firmware table and confirm the AUTH request.
  */
- arg = malloc(sizeof(*arg), M_DEVBUF, M_NOWAIT);
- if (arg == NULL)
- return ENOMEM;
- arg->ni = ieee80211_ref_node(ni);
- arg->seq = seq;
- athn_usb_do_async(usc, athn_usb_newauth_cb, arg, sizeof(*arg));
+ arg.ni = ieee80211_ref_node(ni);
+ arg.seq = seq;
+ athn_usb_do_async(usc, athn_usb_newauth_cb, &arg, sizeof(arg));
  return EBUSY;
 #else
  return 0;
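Review bot: The new call passes &arg, the address of a stack local, to athn_usb_do_async(), which is only safe if the callee copies sizeof(arg) bytes before this function returns EBUSY. The patch leaves athn_usb_newauth_cb() untouched, so check whether the callback still frees the pointer it receives; with a stack-sourced argument it must not. A short comment at the call stating that the argument is copied would keep the next reader from reintroducing the malloc().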


Re: athn(4) hostap: mem leak

Stefan Sperling-5
On Fri, Nov 30, 2018 at 01:49:56PM +0100, Benjamin Baier wrote:

> Hi
>
> There is a leak of *arg in
> dev/usb/if_athn_usb.c:athn_usb_newauth() line 1263
> since Rev. 1.49
> Because athn_usb_do_async() memcpy's the argument anyway.
>
> Found with llvm/scan-build.
>
> Instead of adding free(arg) I opted to make this function
> more like the other ones which call athn_usb_do_async.
>
> Only compile tested... looking for tests.
>
> Greetings Ben

Looks good to me. I would appreciate someone else testing this, too.

>
> Index: if_athn_usb.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/usb/if_athn_usb.c,v
> retrieving revision 1.51
> diff -u -p -r1.51 if_athn_usb.c
> --- if_athn_usb.c 6 Sep 2018 11:50:54 -0000 1.51
> +++ if_athn_usb.c 29 Nov 2018 18:33:40 -0000
> @@ -1231,7 +1231,7 @@ athn_usb_newauth(struct ieee80211com *ic
>   struct ifnet *ifp = &ic->ic_if;
>   struct athn_node *an = (struct athn_node *)ni;
>   int nsta;
> - struct athn_usb_newauth_cb_arg *arg;
> + struct athn_usb_newauth_cb_arg arg;
>  
>   if (ic->ic_opmode != IEEE80211_M_HOSTAP)
>   return 0;
> @@ -1254,12 +1254,9 @@ athn_usb_newauth(struct ieee80211com *ic
>   * In a process context, try to add this node to the
>   * firmware table and confirm the AUTH request.
>   */
> - arg = malloc(sizeof(*arg), M_DEVBUF, M_NOWAIT);
> - if (arg == NULL)
> - return ENOMEM;
> - arg->ni = ieee80211_ref_node(ni);
> - arg->seq = seq;
> - athn_usb_do_async(usc, athn_usb_newauth_cb, arg, sizeof(*arg));
> + arg.ni = ieee80211_ref_node(ni);
> + arg.seq = seq;
> + athn_usb_do_async(usc, athn_usb_newauth_cb, &arg, sizeof(arg));
>   return EBUSY;
>  #else
>   return 0;
>


Re: athn(4) hostap: mem leak

Alexandre Ratchov-2
In reply to this post by Benjamin Baier
On Fri, Nov 30, 2018 at 01:49:56PM +0100, Benjamin Baier wrote:

> Hi
>
> There is a leak of *arg in
> dev/usb/if_athn_usb.c:athn_usb_newauth() line 1263
> since Rev. 1.49
> Because athn_usb_do_async() memcpy's the argument anyway.
>
> Found with llvm/scan-build.
>
> Instead of adding free(arg) I opted to make this function
> more like the other ones which call athn_usb_do_async.
>

Hi,

AFAICS, athn_usb_do_async() will schedule a call to
athn_usb_newauth_cb(), which will use arg after the function has
returned. The arg memory location must stay valid after return from
athn_usb_newauth(). So we can neither use free() nor a local variable.

The athn_usb_newauth_cb() callback calls free(), so there's no memory
leak unless the callback is cancelled. I don't know if it can be
cancelled, I see no code doing so.

> Only compile tested... looking for tests.
>
> Greetings Ben
>
> Index: if_athn_usb.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/usb/if_athn_usb.c,v
> retrieving revision 1.51
> diff -u -p -r1.51 if_athn_usb.c
> --- if_athn_usb.c 6 Sep 2018 11:50:54 -0000 1.51
> +++ if_athn_usb.c 29 Nov 2018 18:33:40 -0000
> @@ -1231,7 +1231,7 @@ athn_usb_newauth(struct ieee80211com *ic
>   struct ifnet *ifp = &ic->ic_if;
>   struct athn_node *an = (struct athn_node *)ni;
>   int nsta;
> - struct athn_usb_newauth_cb_arg *arg;
> + struct athn_usb_newauth_cb_arg arg;
>  
>   if (ic->ic_opmode != IEEE80211_M_HOSTAP)
>   return 0;
> @@ -1254,12 +1254,9 @@ athn_usb_newauth(struct ieee80211com *ic
>   * In a process context, try to add this node to the
>   * firmware table and confirm the AUTH request.
>   */
> - arg = malloc(sizeof(*arg), M_DEVBUF, M_NOWAIT);
> - if (arg == NULL)
> - return ENOMEM;
> - arg->ni = ieee80211_ref_node(ni);
> - arg->seq = seq;
> - athn_usb_do_async(usc, athn_usb_newauth_cb, arg, sizeof(*arg));
> + arg.ni = ieee80211_ref_node(ni);
> + arg.seq = seq;
> + athn_usb_do_async(usc, athn_usb_newauth_cb, &arg, sizeof(arg));
>   return EBUSY;
>  #else
>   return 0;
>


Re: athn(4) hostap: mem leak

Benjamin Baier
On Fri, 30 Nov 2018 16:55:42 +0100
Alexandre Ratchov <[hidden email]> wrote:

> On Fri, Nov 30, 2018 at 01:49:56PM +0100, Benjamin Baier wrote:
> > Hi
> >
> > There is a leak of *arg in
> > dev/usb/if_athn_usb.c:athn_usb_newauth() line 1263
> > since Rev. 1.49
> > Because athn_usb_do_async() memcpy's the argument anyway.
> >
> > Found with llvm/scan-build.
> >
> > Instead of adding free(arg) I opted to make this function
> > more like the other ones which call athn_usb_do_async.
> >  
>
> Hi,
>
> AFAICS, athn_usb_do_async() will schedule a call to
> athn_usb_newauth_cb(), which will use arg after the function has
> returned. The arg memory location must stay valid after return from
> athn_usb_newauth(). So we can neither use free() nor a local variable.

athn_usb_do_async() takes care of that by memcpy-ing arg to cmd->data
before calling usb_add_task().

Other calls to athn_usb_do_async() do use local variables.
if_athn_usb.c:1032:athn_usb_do_async(usc, athn_usb_newstate_cb, &cmd, sizeof(cmd));
if_athn_usb.c:1317:athn_usb_do_async(usc, athn_usb_ampdu_tx_start_cb, &cmd, sizeof(cmd));
if_athn_usb.c:1641:athn_usb_do_async(usc, athn_usb_set_key_cb, &cmd, sizeof(cmd));
if_athn_usb.c:1673:athn_usb_do_async(usc, athn_usb_delete_key_cb, &cmd, sizeof(cmd));

> The athn_usb_newauth_cb() callback calls free(), so there's no memory
> leak unless the callback is cancelled. I don't know if it can be
> cancelled, I see no code doing so.
>
> > Only compile tested... looking for tests.
> >
> > Greetings Ben
> >
> > Index: if_athn_usb.c
> > ===================================================================
> > RCS file: /cvs/src/sys/dev/usb/if_athn_usb.c,v
> > retrieving revision 1.51
> > diff -u -p -r1.51 if_athn_usb.c
> > --- if_athn_usb.c 6 Sep 2018 11:50:54 -0000 1.51
> > +++ if_athn_usb.c 29 Nov 2018 18:33:40 -0000
> > @@ -1231,7 +1231,7 @@ athn_usb_newauth(struct ieee80211com *ic
> >   struct ifnet *ifp = &ic->ic_if;
> >   struct athn_node *an = (struct athn_node *)ni;
> >   int nsta;
> > - struct athn_usb_newauth_cb_arg *arg;
> > + struct athn_usb_newauth_cb_arg arg;
> >  
> >   if (ic->ic_opmode != IEEE80211_M_HOSTAP)
> >   return 0;
> > @@ -1254,12 +1254,9 @@ athn_usb_newauth(struct ieee80211com *ic
> >   * In a process context, try to add this node to the
> >   * firmware table and confirm the AUTH request.
> >   */
> > - arg = malloc(sizeof(*arg), M_DEVBUF, M_NOWAIT);
> > - if (arg == NULL)
> > - return ENOMEM;
> > - arg->ni = ieee80211_ref_node(ni);
> > - arg->seq = seq;
> > - athn_usb_do_async(usc, athn_usb_newauth_cb, arg, sizeof(*arg));
> > + arg.ni = ieee80211_ref_node(ni);
> > + arg.seq = seq;
> > + athn_usb_do_async(usc, athn_usb_newauth_cb, &arg, sizeof(arg));
> >   return EBUSY;
> >  #else
> >   return 0;
> >  
>


Re: athn(4) hostap: mem leak

Alexandre Ratchov-2
On Sat, Dec 01, 2018 at 10:14:38AM +0100, Benjamin Baier wrote:

> On Fri, 30 Nov 2018 16:55:42 +0100
> Alexandre Ratchov <[hidden email]> wrote:
>
> > On Fri, Nov 30, 2018 at 01:49:56PM +0100, Benjamin Baier wrote:
> > > Hi
> > >
> > > There is a leak of *arg in
> > > dev/usb/if_athn_usb.c:athn_usb_newauth() line 1263
> > > since Rev. 1.49
> > > Because athn_usb_do_async() memcpy's the argument anyway.
> > >
> > > Found with llvm/scan-build.
> > >
> > > Instead of adding free(arg) I opted to make this function
> > > more like the other ones which call athn_usb_do_async.
> > >  
> >
> > Hi,
> >
> > AFAICS, athn_usb_do_async() will schedule a call to
> > athn_usb_newauth_cb(), which will use arg after the function has
> > returned. The arg memory location must stay valid after return from
> > athn_usb_newauth(). So we can neither use free() nor a local variable.
>
> athn_usb_do_async() takes care of that by memcpy-ing arg to cmd->data
> before calling usb_add_task().
>
> Other calls to athn_usb_do_async() do use local variables.
> if_athn_usb.c:1032:athn_usb_do_async(usc, athn_usb_newstate_cb, &cmd, sizeof(cmd));
> if_athn_usb.c:1317:athn_usb_do_async(usc, athn_usb_ampdu_tx_start_cb, &cmd, sizeof(cmd));
> if_athn_usb.c:1641:athn_usb_do_async(usc, athn_usb_set_key_cb, &cmd, sizeof(cmd));
> if_athn_usb.c:1673:athn_usb_do_async(usc, athn_usb_delete_key_cb, &cmd, sizeof(cmd));
>

You're right, I missed the memcpy() call, sorry.

Your diff is correct.
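
The ownership rule the messages above settle on (athn_usb_do_async() copies its argument before the task runs, so a stack local is safe and a heap block handed to it is never seen again by the callback), shown as an added userland model. This is not OpenBSD code and not part of any message in the thread; the ring, model_do_async() and every other name are hypothetical stand-ins.

```c
/* Userland model of a copy-on-enqueue ring; all names hypothetical, not OpenBSD code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define RING_COUNT 4
#define DATA_MAX   32
struct model_cmd {
	void (*cb)(void *);
	uint8_t data[DATA_MAX];	/* queue-owned copy of the caller's argument */
};
struct newauth_arg { int node_id; uint16_t seq; };
static struct model_cmd ring[RING_COUNT];
static int cur, next, queued;
static int live_allocs, last_node_id;	/* unfreed heap blocks; node the callback saw */
static uint16_t last_seq;

/* Copies len bytes of arg into a ring slot and queues the callback. */
static int model_do_async(void (*cb)(void *), const void *arg, size_t len)
{
	if (len > DATA_MAX || queued == RING_COUNT)
		return -1;
	ring[cur].cb = cb;
	memcpy(ring[cur].data, arg, len);
	cur = (cur + 1) % RING_COUNT;
	queued++;
	return 0;
}

/* Runs the queued callbacks later, handing each one the ring's copy. */
static void model_run_tasks(void)
{
	for (; queued > 0; queued--) {
		ring[next].cb(ring[next].data);
		next = (next + 1) % RING_COUNT;
	}
}

/* arg points into the ring, not at a heap block, so it must not be freed. */
static void newauth_cb(void *arg)
{
	struct newauth_arg a;
	memcpy(&a, arg, sizeof(a));
	last_node_id = a.node_id;
	last_seq = a.seq;
}

/* Patched pattern: a local is enough because the ring keeps its own copy. */
static int enqueue_from_stack(int node_id, uint16_t seq)
{
	struct newauth_arg arg = { node_id, seq };
	int rc = model_do_async(newauth_cb, &arg, sizeof(arg));
	memset(&arg, 0, sizeof(arg));	/* the local dies, the copy does not */
	return rc;
}

/* Pre-patch pattern: the block is copied too; returned only so the demo can count it. */
static struct newauth_arg *enqueue_from_heap(int node_id, uint16_t seq)
{
	struct newauth_arg *arg = malloc(sizeof(*arg));
	if (arg == NULL)
		return NULL;
	live_allocs++;
	arg->node_id = node_id;
	arg->seq = seq;
	model_do_async(newauth_cb, arg, sizeof(*arg));
	return arg;	/* the callback never receives this pointer */
}

int main(void)
{
	struct newauth_arg *p = enqueue_from_heap(9, 3);	/* pre-patch caller */
	int rc = enqueue_from_stack(7, 2);			/* patched caller */
	model_run_tasks();
	printf("last node=%d seq=%u, unfreed heap blocks=%d\n", last_node_id, (unsigned)last_seq, live_allocs);
	free(p);
	return rc;
}
```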


Re: athn(4) hostap: mem leak

Martin Pieuchot
In reply to this post by Benjamin Baier
On 30/11/18(Fri) 13:49, Benjamin Baier wrote:

> Hi
>
> There is a leak of *arg in
> dev/usb/if_athn_usb.c:athn_usb_newauth() line 1263
> since Rev. 1.49
> Because athn_usb_do_async() memcpy's the argument anyway.
>
> Found with llvm/scan-build.
>
> Instead of adding free(arg) I opted to make this function
> more like the other ones which call athn_usb_do_async.
>
> Only compile tested... looking for tests.

You should also remove the free(arg...) in athn_usb_newauth_cb().

> Index: if_athn_usb.c
> ===================================================================
> RCS file: /cvs/src/sys/dev/usb/if_athn_usb.c,v
> retrieving revision 1.51
> diff -u -p -r1.51 if_athn_usb.c
> --- if_athn_usb.c 6 Sep 2018 11:50:54 -0000 1.51
> +++ if_athn_usb.c 29 Nov 2018 18:33:40 -0000
> @@ -1231,7 +1231,7 @@ athn_usb_newauth(struct ieee80211com *ic
>   struct ifnet *ifp = &ic->ic_if;
>   struct athn_node *an = (struct athn_node *)ni;
>   int nsta;
> - struct athn_usb_newauth_cb_arg *arg;
> + struct athn_usb_newauth_cb_arg arg;
>  
>   if (ic->ic_opmode != IEEE80211_M_HOSTAP)
>   return 0;
> @@ -1254,12 +1254,9 @@ athn_usb_newauth(struct ieee80211com *ic
>   * In a process context, try to add this node to the
>   * firmware table and confirm the AUTH request.
>   */
> - arg = malloc(sizeof(*arg), M_DEVBUF, M_NOWAIT);
> - if (arg == NULL)
> - return ENOMEM;
> - arg->ni = ieee80211_ref_node(ni);
> - arg->seq = seq;
> - athn_usb_do_async(usc, athn_usb_newauth_cb, arg, sizeof(*arg));
> + arg.ni = ieee80211_ref_node(ni);
> + arg.seq = seq;
> + athn_usb_do_async(usc, athn_usb_newauth_cb, &arg, sizeof(arg));
>   return EBUSY;
>  #else
>   return 0;
>


Re: athn(4) hostap: mem leak

Benjamin Baier
On Sat, 1 Dec 2018 15:48:13 -0200
Martin Pieuchot <[hidden email]> wrote:

> On 30/11/18(Fri) 13:49, Benjamin Baier wrote:
> > Hi
> >
> > There is a leak of *arg in
> > dev/usb/if_athn_usb.c:athn_usb_newauth() line 1263
> > since Rev. 1.49
> > Because athn_usb_do_async() memcpy's the argument anyway.
> >
> > Found with llvm/scan-build.
> >
> > Instead of adding free(arg) I opted to make this function
> > more like the other ones which call athn_usb_do_async.
> >
> > Only compile tested... looking for tests.  
>
> You should also remove the free(arg...) in athn_usb_newauth_cb().
Indeed, new patch attached.

Index: if_athn_usb.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_athn_usb.c,v
retrieving revision 1.51
diff -u -p -r1.51 if_athn_usb.c
--- if_athn_usb.c 6 Sep 2018 11:50:54 -0000 1.51
+++ if_athn_usb.c 2 Dec 2018 09:09:29 -0000
@@ -1202,8 +1202,6 @@ athn_usb_newauth_cb(struct athn_usb_soft
  struct athn_node *an = (struct athn_node *)ni;
  int s, error = 0;
 
- free(arg, M_DEVBUF, sizeof(*arg));
-
  if (ic->ic_state != IEEE80211_S_RUN)
  return;
 
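Review bot: With the free() gone, the early return on ic->ic_state != IEEE80211_S_RUN in the context lines right below it leaves the callback with no visible cleanup. The node reference that athn_usb_newauth() takes with ieee80211_ref_node(ni) before queueing is not released anywhere in these lines; confirm it is dropped on this path, or release it before the return.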
@@ -1231,7 +1229,7 @@ athn_usb_newauth(struct ieee80211com *ic
  struct ifnet *ifp = &ic->ic_if;
  struct athn_node *an = (struct athn_node *)ni;
  int nsta;
- struct athn_usb_newauth_cb_arg *arg;
+ struct athn_usb_newauth_cb_arg arg;
 
  if (ic->ic_opmode != IEEE80211_M_HOSTAP)
  return 0;
@@ -1254,12 +1252,9 @@ athn_usb_newauth(struct ieee80211com *ic
  * In a process context, try to add this node to the
  * firmware table and confirm the AUTH request.
  */
- arg = malloc(sizeof(*arg), M_DEVBUF, M_NOWAIT);
- if (arg == NULL)
- return ENOMEM;
- arg->ni = ieee80211_ref_node(ni);
- arg->seq = seq;
- athn_usb_do_async(usc, athn_usb_newauth_cb, arg, sizeof(*arg));
+ arg.ni = ieee80211_ref_node(ni);
+ arg.seq = seq;
+ athn_usb_do_async(usc, athn_usb_newauth_cb, &arg, sizeof(arg));
  return EBUSY;
 #else
  return 0;
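Review bot: Nothing at the new athn_usb_do_async() call checks whether the command was actually queued, and the function returns EBUSY regardless. If queueing can fail, the reference taken by ieee80211_ref_node(ni) two lines earlier is never released and the AUTH request is never confirmed; take the reference only after a successful queue, or undo it on failure. The removed ENOMEM return also means this path no longer reports any failure to its caller, which is worth stating in the commit message.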


Re: athn(4) hostap: mem leak

Benjamin Baier
Finally got a usb athn device. I can confirm that this codepath is hit
in hostap mode and the device still works with the patch.

athn0 at uhub4 port 2 configuration 1 interface 0 "ATHEROS USB2.0 WLAN" rev 2.00/1.08 addr 3
athn0: AR9271 rev 1 (1T1R), ROM rev 13, address c4:e9:84:dc:27:11

Full dmesg below.

On Sun, 2 Dec 2018 10:15:44 +0100
Benjamin Baier <[hidden email]> wrote:

> On Sat, 1 Dec 2018 15:48:13 -0200
> Martin Pieuchot <[hidden email]> wrote:
>
> > On 30/11/18(Fri) 13:49, Benjamin Baier wrote:  
> > > Hi
> > >
> > > There is a leak of *arg in
> > > dev/usb/if_athn_usb.c:athn_usb_newauth() line 1263
> > > since Rev. 1.49
> > > Because athn_usb_do_async() memcpy's the argument anyway.
> > >
> > > Found with llvm/scan-build.
> > >
> > > Instead of adding free(arg) I opted to make this function
> > > more like the other ones which call athn_usb_do_async.
> > >
> > > Only compile tested... looking for tests.    
> >
> > You should also remove the free(arg...) in athn_usb_newauth_cb().  
> Indeed, new patch attached.


Index: if_athn_usb.c
===================================================================
RCS file: /cvs/src/sys/dev/usb/if_athn_usb.c,v
retrieving revision 1.51
diff -u -p -r1.51 if_athn_usb.c
--- if_athn_usb.c 6 Sep 2018 11:50:54 -0000 1.51
+++ if_athn_usb.c 2 Dec 2018 09:09:29 -0000
@@ -1202,8 +1202,6 @@ athn_usb_newauth_cb(struct athn_usb_soft
  struct athn_node *an = (struct athn_node *)ni;
  int s, error = 0;
 
- free(arg, M_DEVBUF, sizeof(*arg));
-
  if (ic->ic_state != IEEE80211_S_RUN)
  return;
 
@@ -1231,7 +1229,7 @@ athn_usb_newauth(struct ieee80211com *ic
  struct ifnet *ifp = &ic->ic_if;
  struct athn_node *an = (struct athn_node *)ni;
  int nsta;
- struct athn_usb_newauth_cb_arg *arg;
+ struct athn_usb_newauth_cb_arg arg;
 
  if (ic->ic_opmode != IEEE80211_M_HOSTAP)
  return 0;
@@ -1254,12 +1252,9 @@ athn_usb_newauth(struct ieee80211com *ic
  * In a process context, try to add this node to the
  * firmware table and confirm the AUTH request.
  */
- arg = malloc(sizeof(*arg), M_DEVBUF, M_NOWAIT);
- if (arg == NULL)
- return ENOMEM;
- arg->ni = ieee80211_ref_node(ni);
- arg->seq = seq;
- athn_usb_do_async(usc, athn_usb_newauth_cb, arg, sizeof(*arg));
+ arg.ni = ieee80211_ref_node(ni);
+ arg.seq = seq;
+ athn_usb_do_async(usc, athn_usb_newauth_cb, &arg, sizeof(arg));
  return EBUSY;
 #else
  return 0;




Re: athn(4) hostap: mem leak

Stefan Sperling-5
On Wed, Dec 05, 2018 at 07:55:07PM +0100, Benjamin Baier wrote:
> Finally got a usb athn device. I can confirm that this codepath is hit
> in hostap mode and the device still works with the patch.
>
> athn0 at uhub4 port 2 configuration 1 interface 0 "ATHEROS USB2.0 WLAN" rev 2.00/1.08 addr 3
> athn0: AR9271 rev 1 (1T1R), ROM rev 13, address c4:e9:84:dc:27:11
>
> Full dmesg below.

Committed, thanks!