linux-bluetooth.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb()
@ 2021-10-13 16:22 mark-yw.chen
  2021-10-13 16:32 ` Marcel Holtmann
  2021-10-13 17:26 ` bluez.test.bot
  0 siblings, 2 replies; 3+ messages in thread
From: mark-yw.chen @ 2021-10-13 16:22 UTC (permalink / raw)
  To: marcel, johan.hedberg
  Cc: mark-yw.chen, will-cy.lee, linux-bluetooth, linux-mediatek, linux-kernel

From: Mark-YW.Chen <mark-yw.chen@mediatek.com>

Driver should free `usb->setup_packet` to avoid the leak.

$ cat /sys/kernel/debug/kmemleak
unreferenced object 0xffffffa564a58080 (size 128):
    backtrace:
        [<000000007eb8dd70>] kmem_cache_alloc_trace+0x22c/0x384
        [<000000008a44191d>] btusb_mtk_hci_wmt_sync+0x1ec/0x994
    [btusb]
        [<00000000ca7189a3>] btusb_mtk_setup+0x6b8/0x13cc
    [btusb]
        [<00000000c6105069>] hci_dev_do_open+0x290/0x974
    [bluetooth]
        [<00000000a583f8b8>] hci_power_on+0xdc/0x3cc [bluetooth]
        [<000000005d80e687>] process_one_work+0x514/0xc80
        [<00000000f4d57637>] worker_thread+0x818/0xd0c
        [<00000000dc7bdb55>] kthread+0x2f8/0x3b8
        [<00000000f9999513>] ret_from_fork+0x10/0x30

Signed-off-by: Mark-YW.Chen <mark-yw.chen@mediatek.com>
---
 drivers/bluetooth/btusb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 75c83768c257..1bfcbcabc7d3 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2265,6 +2265,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
 		skb = bt_skb_alloc(HCI_WMT_MAX_EVENT_SIZE, GFP_ATOMIC);
 		if (!skb) {
 			hdev->stat.err_rx++;
+			kfree(urb->setup_packet);
 			return;
 		}
 
@@ -2285,6 +2286,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
 			data->evt_skb = skb_clone(skb, GFP_ATOMIC);
 			if (!data->evt_skb) {
 				kfree_skb(skb);
+				kfree(urb->setup_packet);
 				return;
 			}
 		}
@@ -2293,6 +2295,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
 		if (err < 0) {
 			kfree_skb(data->evt_skb);
 			data->evt_skb = NULL;
+			kfree(urb->setup_packet);
 			return;
 		}
 
@@ -2303,6 +2306,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
 			wake_up_bit(&data->flags,
 				    BTUSB_TX_WAIT_VND_EVT);
 		}
+		kfree(urb->setup_packet);
 		return;
 	} else if (urb->status == -ENOENT) {
 		/* Avoid suspend failed when usb_kill_urb */
@@ -2323,6 +2327,7 @@ static void btusb_mtk_wmt_recv(struct urb *urb)
 	usb_anchor_urb(urb, &data->ctrl_anchor);
 	err = usb_submit_urb(urb, GFP_ATOMIC);
 	if (err < 0) {
+		kfree(urb->setup_packet);
 		/* -EPERM: urb is being killed;
 		 * -ENODEV: device got disconnected
 		 */
-- 
2.18.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb()
  2021-10-13 16:22 [PATCH] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() mark-yw.chen
@ 2021-10-13 16:32 ` Marcel Holtmann
  2021-10-13 17:26 ` bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: Marcel Holtmann @ 2021-10-13 16:32 UTC (permalink / raw)
  To: mark-yw.chen
  Cc: Johan Hedberg, will-cy.lee, linux-bluetooth, linux-mediatek,
	linux-kernel

Hi Mark,

> Driver should free `usb->setup_packet` to avoid the leak.
> 
> $ cat /sys/kernel/debug/kmemleak
> unreferenced object 0xffffffa564a58080 (size 128):
>    backtrace:
>        [<000000007eb8dd70>] kmem_cache_alloc_trace+0x22c/0x384
>        [<000000008a44191d>] btusb_mtk_hci_wmt_sync+0x1ec/0x994
>    [btusb]
>        [<00000000ca7189a3>] btusb_mtk_setup+0x6b8/0x13cc
>    [btusb]
>        [<00000000c6105069>] hci_dev_do_open+0x290/0x974
>    [bluetooth]
>        [<00000000a583f8b8>] hci_power_on+0xdc/0x3cc [bluetooth]
>        [<000000005d80e687>] process_one_work+0x514/0xc80
>        [<00000000f4d57637>] worker_thread+0x818/0xd0c
>        [<00000000dc7bdb55>] kthread+0x2f8/0x3b8
>        [<00000000f9999513>] ret_from_fork+0x10/0x30
> 
> Signed-off-by: Mark-YW.Chen <mark-yw.chen@mediatek.com>
> ---
> drivers/bluetooth/btusb.c | 5 +++++
> 1 file changed, 5 insertions(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel


^ permalink raw reply	[flat|nested] 3+ messages in thread
* RE: Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb()
  2021-10-13 16:22 [PATCH] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() mark-yw.chen
  2021-10-13 16:32 ` Marcel Holtmann
@ 2021-10-13 17:26 ` bluez.test.bot
  1 sibling, 0 replies; 3+ messages in thread
From: bluez.test.bot @ 2021-10-13 17:26 UTC (permalink / raw)
  To: linux-bluetooth, Mark-YW.Chen

[-- Attachment #1: Type: text/plain, Size: 935 bytes --]

This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
This is a CI test results with your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=562869

---Test result---

Test Summary:
CheckPatch                    PASS      1.77 seconds
GitLint                       PASS      0.89 seconds
BuildKernel                   PASS      612.21 seconds
TestRunner: Setup             PASS      403.02 seconds
TestRunner: l2cap-tester      PASS      8.63 seconds
TestRunner: bnep-tester       PASS      4.94 seconds
TestRunner: mgmt-tester       PASS      84.39 seconds
TestRunner: rfcomm-tester     PASS      5.74 seconds
TestRunner: sco-tester        PASS      6.24 seconds
TestRunner: smp-tester        PASS      6.06 seconds
TestRunner: userchan-tester   PASS      5.21 seconds



---
Regards,
Linux Bluetooth


[-- Attachment #2: l2cap-tester.log --]
[-- Type: application/octet-stream, Size: 44357 bytes --]

[-- Attachment #3: bnep-tester.log --]
[-- Type: application/octet-stream, Size: 3564 bytes --]

[-- Attachment #4: mgmt-tester.log --]
[-- Type: application/octet-stream, Size: 646011 bytes --]

[-- Attachment #5: rfcomm-tester.log --]
[-- Type: application/octet-stream, Size: 11684 bytes --]

[-- Attachment #6: sco-tester.log --]
[-- Type: application/octet-stream, Size: 13924 bytes --]

[-- Attachment #7: smp-tester.log --]
[-- Type: application/octet-stream, Size: 11829 bytes --]

[-- Attachment #8: userchan-tester.log --]
[-- Type: application/octet-stream, Size: 6370 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-10-13 17:26 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-10-13 16:22 [PATCH] Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() mark-yw.chen
2021-10-13 16:32 ` Marcel Holtmann
2021-10-13 17:26 ` bluez.test.bot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).