Memory leaks in cfg80211 and mac80211

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Larry Finger <Larry.Finger@lwfinger.net>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless <linux-wireless@vger.kernel.org>
Subject: Memory leaks in cfg80211 and mac80211
Date: Tue, 05 Mar 2013 15:08:12 -0600	[thread overview]
Message-ID: <51365EBC.9080602@lwfinger.net> (raw)

Johannes,

While monitoring the latest rtlwifi drivers for memory leaks, I found the 
following two in cfg80211 and mac80211:

unreferenced object 0xffff8800b2479100 (size 256):
   comm "softirq", pid 0, jiffies 4295010840 (age 324.612s)
   hex dump (first 32 bytes):
     00 91 47 b2 00 88 ff ff 00 91 47 b2 00 88 ff ff  ..G.......G.....
     10 91 47 b2 00 88 ff ff 10 91 47 b2 00 88 ff ff  ..G.......G.....
   backtrace:
     [<ffffffff81455f41>] kmemleak_alloc+0x21/0x50
     [<ffffffff811485c0>] __kmalloc+0x130/0x2c0
     [<ffffffffa04ee6e8>] cfg80211_bss_update+0x148/0x870 [cfg80211]
     [<ffffffffa04eef62>] cfg80211_inform_bss_frame+0x152/0x410 [cfg80211]
     [<ffffffffa0658d65>] ieee80211_bss_info_update+0x55/0x300 [mac80211]
     [<ffffffffa065912d>] ieee80211_scan_rx+0x11d/0x280 [mac80211]
     [<ffffffffa067b8ed>] ieee80211_rx+0xcdd/0xda0 [mac80211]
     [<ffffffffa064d4e3>] ieee80211_tasklet_handler+0xc3/0x320 [mac80211]

and

unreferenced object 0xffff880079a33e00 (size 512):
   comm "softirq", pid 0, jiffies 4295010891 (age 324.412s)
   hex dump (first 32 bytes):
     83 41 93 fe 49 02 00 00 00 00 3e 00 00 00 00 00  .A..I.....>.....
     00 00 00 00 00 00 00 00 e4 00 00 00 00 08 6c 77  ..............lw
   backtrace:
     [<ffffffff81455f41>] kmemleak_alloc+0x21/0x50
     [<ffffffff811485c0>] __kmalloc+0x130/0x2c0
     [<ffffffffa04eeed2>] cfg80211_inform_bss_frame+0xc2/0x410 [cfg80211]
     [<ffffffffa0658d65>] ieee80211_bss_info_update+0x55/0x300 [mac80211]
     [<ffffffffa065912d>] ieee80211_scan_rx+0x11d/0x280 [mac80211]
     [<ffffffffa067b8ed>] ieee80211_rx+0xcdd/0xda0 [mac80211]
     [<ffffffffa064d4e3>] ieee80211_tasklet_handler+0xc3/0x320 [mac80211]
     [<ffffffff8104aa58>] tasklet_action+0x78/0x100

The first one is cleared when the module is unloaded, and is false. It is fixed 
with the following patch:

Index: wireless-testing-new/net/wireless/scan.c
===================================================================
--- wireless-testing-new.orig/net/wireless/scan.c
+++ wireless-testing-new/net/wireless/scan.c
@@ -10,6 +10,7 @@
  #include <linux/wireless.h>
  #include <linux/nl80211.h>
  #include <linux/etherdevice.h>
+#include <linux/kmemleak.h>
  #include <net/arp.h>
  #include <net/cfg80211.h>
  #include <net/cfg80211-wext.h>
@@ -782,6 +783,7 @@ cfg80211_bss_update(struct cfg80211_regi
                                 kfree_rcu(ies, rcu_head);
                         goto drop;
                 }
+               kmemleak_not_leak(new);
                 memcpy(new, tmp, sizeof(*new));
                 new->refcount = 1;
                 INIT_LIST_HEAD(&new->hidden_list);

The second leak is real and happens at line 954 of net/wireless/scan.c:

         ies = kmalloc(sizeof(*ies) + ielen, gfp);
         if (!ies)
                 return NULL;

As the memory allocated to ies is still used when the routine exits, I'm not 
sure where to look for the missing free. Any suggestions?

Thanks,

Larry

next             reply	other threads:[~2013-03-05 21:08 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-03-05 21:08 Larry Finger [this message]
2013-03-06  9:31 ` Memory leaks in cfg80211 and mac80211 Johannes Berg
2013-03-06 16:17   ` Larry Finger
2013-03-06 23:53   ` Larry Finger
2013-03-07 11:50     ` Johannes Berg
2013-03-07 16:00       ` Larry Finger

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=51365EBC.9080602@lwfinger.net \
    --to=larry.finger@lwfinger.net \
    --cc=johannes@sipsolutions.net \
    --cc=linux-wireless@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).