From: Catalin Marinas <catalin.marinas@arm.com>
To: Johannes Berg <johannes@sipsolutions.net>,
linux-wireless@vger.kernel.org
Cc: linux-kernel <linux-kernel@vger.kernel.org>
Subject: Possible memory leak in net/wireless/scan.c
Date: Tue, 07 Jul 2009 18:04:29 +0100 [thread overview]
Message-ID: <1246986269.9451.105.camel@pc1117.cambridge.arm.com> (raw)
Hi,
I'm investigating several kmemleak reports like the one below (it could
as well be a false positive but it needs more digging):
unreferenced object 0xc338af70 (size 256):
comm "softirq", pid 0, jiffies 4294903018
backtrace:
[<c01e0c3a>] create_object+0xfa/0x250
[<c01e1e7d>] kmemleak_alloc+0x5d/0x70
[<c01db2d5>] __kmalloc+0x115/0x1f0
[<f826395b>] cfg80211_inform_bss_frame+0x5b/0x170 [cfg80211]
[<f8fa82de>] ieee80211_bss_info_update+0x3e/0x1b0 [mac80211]
[<f8fa85c5>] ieee80211_scan_rx+0x165/0x1a0 [mac80211]
[<f8fb58dc>] ieee80211_invoke_rx_handlers+0x1cc/0x21d0 [mac80211]
[<f8fb50c2>] __ieee80211_rx_handle_packet+0x2d2/0x5f0 [mac80211]
[<f8fb7c8b>] __ieee80211_rx+0x3ab/0x670 [mac80211]
[<f8fa469e>] ieee80211_tasklet_handler+0xfe/0x120 [mac80211]
[<c0143b13>] tasklet_action+0x63/0xe0
[<c0144142>] __do_softirq+0xc2/0x1a0
[<c0144285>] do_softirq+0x65/0x70
[<c01443d5>] irq_exit+0x65/0x90
[<c0104a6f>] do_IRQ+0x4f/0xc0
[<c010376e>] common_interrupt+0x2e/0x40
The reported object seems to be the struct cfg80211_internal_bss *res
allocated in cfg80211_inform_bss_frame(). This object is passed to
cfg80211_bss_update(). What looks a bit suspicious to me is that if an
object is found in the rb tree, this function calls kref_get() on it in
the "if (found)" block and one more time before return. Should it only
call kref_get(&found->ref) once:
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index e95b638..f8e71b3 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -366,7 +366,6 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev,
found = rb_find_bss(dev, res);
if (found) {
- kref_get(&found->ref);
found->pub.beacon_interval = res->pub.beacon_interval;
found->pub.tsf = res->pub.tsf;
found->pub.signal = res->pub.signal;
I'll try this later today to see if it fixes the leak. If that's not
correct, I'll post more information about the content of the reported
object (in general, it shouldn't be on any valid list or rb tree since
kmemleak can't find it).
Thanks.
--
Catalin
next reply other threads:[~2009-07-07 17:04 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-07-07 17:04 Catalin Marinas [this message]
2009-07-07 17:12 ` Possible memory leak in net/wireless/scan.c Johannes Berg
2009-07-07 21:29 ` Catalin Marinas
2009-07-07 21:47 ` Johannes Berg
2009-07-08 3:06 ` Johannes Berg
2009-07-08 8:46 ` Catalin Marinas
2009-07-08 10:24 ` Johannes Berg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1246986269.9451.105.camel@pc1117.cambridge.arm.com \
--to=catalin.marinas@arm.com \
--cc=johannes@sipsolutions.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox