
Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb()

Message ID 20211013162204.13919-1-mark-yw.chen@mediatek.com (mailing list archive)
State Accepted

Checks

Context Check Description
tedd_an/checkpatch success Checkpatch PASS
tedd_an/gitlint success Gitlint PASS
tedd_an/buildkernel success Build Kernel PASS
tedd_an/testrunnersetup success Test Runner Setup PASS
tedd_an/testrunnerl2cap-tester success Total: 40, Passed: 40 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnerbnep-tester success Total: 1, Passed: 1 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnermgmt-tester success Total: 468, Passed: 468 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnerrfcomm-tester success Total: 9, Passed: 9 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnersco-tester success Total: 12, Passed: 12 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunnersmp-tester success Total: 8, Passed: 8 (100.0%), Failed: 0, Not Run: 0
tedd_an/testrunneruserchan-tester success Total: 4, Passed: 4 (100.0%), Failed: 0, Not Run: 0

Commit Message

Mark-YW Chen (陳揚文) Oct. 13, 2021, 4:22 p.m. UTC
From: Mark-YW.Chen <mark-yw.chen@mediatek.com>

The driver should free `urb->setup_packet` to avoid the leak.

$ cat /sys/kernel/debug/kmemleak
unreferenced object 0xffffffa564a58080 (size 128):
    backtrace:
        [<000000007eb8dd70>] kmem_cache_alloc_trace+0x22c/0x384
        [<000000008a44191d>] btusb_mtk_hci_wmt_sync+0x1ec/0x994
    [btusb]
        [<00000000ca7189a3>] btusb_mtk_setup+0x6b8/0x13cc
    [btusb]
        [<00000000c6105069>] hci_dev_do_open+0x290/0x974
    [bluetooth]
        [<00000000a583f8b8>] hci_power_on+0xdc/0x3cc [bluetooth]
        [<000000005d80e687>] process_one_work+0x514/0xc80
        [<00000000f4d57637>] worker_thread+0x818/0xd0c
        [<00000000dc7bdb55>] kthread+0x2f8/0x3b8
        [<00000000f9999513>] ret_from_fork+0x10/0x30

Signed-off-by: Mark-YW.Chen <mark-yw.chen@mediatek.com>
---
 drivers/bluetooth/btusb.c | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Marcel Holtmann Oct. 13, 2021, 4:32 p.m. UTC | #1
Hi Mark,

> Driver should free `usb->setup_packet` to avoid the leak.
> 
> $ cat /sys/kernel/debug/kmemleak
> unreferenced object 0xffffffa564a58080 (size 128):
>    backtrace:
>        [<000000007eb8dd70>] kmem_cache_alloc_trace+0x22c/0x384
>        [<000000008a44191d>] btusb_mtk_hci_wmt_sync+0x1ec/0x994
>    [btusb]
>        [<00000000ca7189a3>] btusb_mtk_setup+0x6b8/0x13cc
>    [btusb]
>        [<00000000c6105069>] hci_dev_do_open+0x290/0x974
>    [bluetooth]
>        [<00000000a583f8b8>] hci_power_on+0xdc/0x3cc [bluetooth]
>        [<000000005d80e687>] process_one_work+0x514/0xc80
>        [<00000000f4d57637>] worker_thread+0x818/0xd0c
>        [<00000000dc7bdb55>] kthread+0x2f8/0x3b8
>        [<00000000f9999513>] ret_from_fork+0x10/0x30
> 
> Signed-off-by: Mark-YW.Chen <mark-yw.chen@mediatek.com>
> ---
> drivers/bluetooth/btusb.c | 5 +++++
> 1 file changed, 5 insertions(+)

patch has been applied to bluetooth-next tree.

Regards

Marcel
bluez.test.bot@gmail.com Oct. 13, 2021, 5:26 p.m. UTC | #2
This is automated email and please do not reply to this email!

Dear submitter,

Thank you for submitting the patches to the linux bluetooth mailing list.
These are the CI test results for your patch series:
PW Link:https://patchwork.kernel.org/project/bluetooth/list/?series=562869

---Test result---

Test Summary:
CheckPatch                    PASS      1.77 seconds
GitLint                       PASS      0.89 seconds
BuildKernel                   PASS      612.21 seconds
TestRunner: Setup             PASS      403.02 seconds
TestRunner: l2cap-tester      PASS      8.63 seconds
TestRunner: bnep-tester       PASS      4.94 seconds
TestRunner: mgmt-tester       PASS      84.39 seconds
TestRunner: rfcomm-tester     PASS      5.74 seconds
TestRunner: sco-tester        PASS      6.24 seconds
TestRunner: smp-tester        PASS      6.06 seconds
TestRunner: userchan-tester   PASS      5.21 seconds



---
Regards,
Linux Bluetooth

Patch

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 75c83768c257..1bfcbcabc7d3 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2265,6 +2265,7 @@  static void btusb_mtk_wmt_recv(struct urb *urb)
 		skb = bt_skb_alloc(HCI_WMT_MAX_EVENT_SIZE, GFP_ATOMIC);
 		if (!skb) {
 			hdev->stat.err_rx++;
+			kfree(urb->setup_packet);
 			return;
 		}
 
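Review bot: The same `kfree(urb->setup_packet);` is now repeated before each of the four `return` statements in the success branch (this hunk and the ones at -2285, -2293 and -2303), so any exit path added later will silently reintroduce the leak. A single exit would be more robust: replace each early `return;` with `goto free_setup;` and end the branch with `free_setup: kfree(urb->setup_packet); return;`. btusb_mtk_wmt_recv() begins and ends outside these hunks, so the label placement needs checking against the full function.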
@@ -2285,6 +2286,7 @@  static void btusb_mtk_wmt_recv(struct urb *urb)
 			data->evt_skb = skb_clone(skb, GFP_ATOMIC);
 			if (!data->evt_skb) {
 				kfree_skb(skb);
+				kfree(urb->setup_packet);
 				return;
 			}
 		}
@@ -2293,6 +2295,7 @@  static void btusb_mtk_wmt_recv(struct urb *urb)
 		if (err < 0) {
 			kfree_skb(data->evt_skb);
 			data->evt_skb = NULL;
+			kfree(urb->setup_packet);
 			return;
 		}
 
@@ -2303,6 +2306,7 @@  static void btusb_mtk_wmt_recv(struct urb *urb)
 			wake_up_bit(&data->flags,
 				    BTUSB_TX_WAIT_VND_EVT);
 		}
+		kfree(urb->setup_packet);
 		return;
 	} else if (urb->status == -ENOENT) {
 		/* Avoid suspend failed when usb_kill_urb */
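Review bot: The `urb->status == -ENOENT` branch that opens at the end of this hunk gets no matching `kfree(urb->setup_packet);`. Its body lies outside the hunk, but if it simply returns, the setup packet presumably still leaks whenever the URB is killed (the comment there mentions usb_kill_urb). If nothing else owns the buffer on that path, add `kfree(urb->setup_packet);` before that branch's return, or state in a comment who frees it on cancellation.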
@@ -2323,6 +2327,7 @@  static void btusb_mtk_wmt_recv(struct urb *urb)
 	usb_anchor_urb(urb, &data->ctrl_anchor);
 	err = usb_submit_urb(urb, GFP_ATOMIC);
 	if (err < 0) {
+		kfree(urb->setup_packet);
 		/* -EPERM: urb is being killed;
 		 * -ENODEV: device got disconnected
 		 */
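Review bot: After the `kfree(urb->setup_packet);` added at the top of the `err < 0` block, the URB keeps the stale pointer while it is still on `data->ctrl_anchor` from the `usb_anchor_urb()` call two lines earlier. Nothing visible here reads the pointer again, but clearing it turns any later second free into a harmless kfree(NULL): `kfree(urb->setup_packet); urb->setup_packet = NULL;`. The same hardening would apply to the other kfree() calls this patch adds. The rest of the block, including any unanchoring, is outside the hunk.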