diff mbox series

wifi: rt2x00: Fix memory leak when handling surveys

Message ID 20230330215637.4332-1-W_Armin@gmx.de (mailing list archive)
State Accepted
Commit cbef9a83c51dfcb07f77cfa6ac26f53a1ea86f49
Delegated to: Kalle Valo
Headers show
Series wifi: rt2x00: Fix memory leak when handling surveys | expand

Commit Message

Armin Wolf March 30, 2023, 9:56 p.m. UTC
When removing a rt2x00 device, its associated channel surveys
are not freed, causing a memory leak observable with kmemleak:

unreferenced object 0xffff9620f0881a00 (size 512):
  comm "systemd-udevd", pid 2290, jiffies 4294906974 (age 33.768s)
  hex dump (first 32 bytes):
    70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00  pD..............
    00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00  ................
  backtrace:
    [<ffffffffb0ed858b>] __kmalloc+0x4b/0x130
    [<ffffffffc1b0f29b>] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib]
    [<ffffffffc1a9496e>] rt2800usb_probe_hw+0xe/0x60 [rt2800usb]
    [<ffffffffc1ae491a>] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib]
    [<ffffffffc1b3b83e>] rt2x00usb_probe+0x1be/0x980 [rt2x00usb]
    [<ffffffffc05981e2>] usb_probe_interface+0xe2/0x310 [usbcore]
    [<ffffffffb13be2d5>] really_probe+0x1a5/0x410
    [<ffffffffb13be5c8>] __driver_probe_device+0x78/0x180
    [<ffffffffb13be6fe>] driver_probe_device+0x1e/0x90
    [<ffffffffb13be972>] __driver_attach+0xd2/0x1c0
    [<ffffffffb13bbc57>] bus_for_each_dev+0x77/0xd0
    [<ffffffffb13bd2a2>] bus_add_driver+0x112/0x210
    [<ffffffffb13bfc6c>] driver_register+0x5c/0x120
    [<ffffffffc0596ae8>] usb_register_driver+0x88/0x150 [usbcore]
    [<ffffffffb0c011c4>] do_one_initcall+0x44/0x220
    [<ffffffffb0d6134c>] do_init_module+0x4c/0x220

Fix this by freeing the channel surveys on device removal.

Tested with a RT3070 based USB wireless adapter.

Fixes: 5447626910f5 ("rt2x00: save survey for every channel visited")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
---
 drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 1 +
 1 file changed, 1 insertion(+)

--
2.30.2

Comments

Simon Horman March 31, 2023, 3:17 p.m. UTC | #1
On Thu, Mar 30, 2023 at 11:56:37PM +0200, Armin Wolf wrote:
> When removing a rt2x00 device, its associated channel surveys
> are not freed, causing a memory leak observable with kmemleak:
> 
> unreferenced object 0xffff9620f0881a00 (size 512):
>   comm "systemd-udevd", pid 2290, jiffies 4294906974 (age 33.768s)
>   hex dump (first 32 bytes):
>     70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00  pD..............
>     00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffffb0ed858b>] __kmalloc+0x4b/0x130
>     [<ffffffffc1b0f29b>] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib]
>     [<ffffffffc1a9496e>] rt2800usb_probe_hw+0xe/0x60 [rt2800usb]
>     [<ffffffffc1ae491a>] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib]
>     [<ffffffffc1b3b83e>] rt2x00usb_probe+0x1be/0x980 [rt2x00usb]
>     [<ffffffffc05981e2>] usb_probe_interface+0xe2/0x310 [usbcore]
>     [<ffffffffb13be2d5>] really_probe+0x1a5/0x410
>     [<ffffffffb13be5c8>] __driver_probe_device+0x78/0x180
>     [<ffffffffb13be6fe>] driver_probe_device+0x1e/0x90
>     [<ffffffffb13be972>] __driver_attach+0xd2/0x1c0
>     [<ffffffffb13bbc57>] bus_for_each_dev+0x77/0xd0
>     [<ffffffffb13bd2a2>] bus_add_driver+0x112/0x210
>     [<ffffffffb13bfc6c>] driver_register+0x5c/0x120
>     [<ffffffffc0596ae8>] usb_register_driver+0x88/0x150 [usbcore]
>     [<ffffffffb0c011c4>] do_one_initcall+0x44/0x220
>     [<ffffffffb0d6134c>] do_init_module+0x4c/0x220
> 
> Fix this by freeing the channel surveys on device removal.
> 
> Tested with a RT3070 based USB wireless adapter.
> 
> Fixes: 5447626910f5 ("rt2x00: save survey for every channel visited")
> Signed-off-by: Armin Wolf <W_Armin@gmx.de>

Reviewed-by: Simon Horman <simon.horman@corigine.com>
Stanislaw Gruszka April 1, 2023, 10:47 a.m. UTC | #2
On Thu, Mar 30, 2023 at 11:56:37PM +0200, Armin Wolf wrote:
> When removing a rt2x00 device, its associated channel surveys
> are not freed, causing a memory leak observable with kmemleak:
> 
> unreferenced object 0xffff9620f0881a00 (size 512):
>   comm "systemd-udevd", pid 2290, jiffies 4294906974 (age 33.768s)
>   hex dump (first 32 bytes):
>     70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00  pD..............
>     00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffffb0ed858b>] __kmalloc+0x4b/0x130
>     [<ffffffffc1b0f29b>] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib]
>     [<ffffffffc1a9496e>] rt2800usb_probe_hw+0xe/0x60 [rt2800usb]
>     [<ffffffffc1ae491a>] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib]
>     [<ffffffffc1b3b83e>] rt2x00usb_probe+0x1be/0x980 [rt2x00usb]
>     [<ffffffffc05981e2>] usb_probe_interface+0xe2/0x310 [usbcore]
>     [<ffffffffb13be2d5>] really_probe+0x1a5/0x410
>     [<ffffffffb13be5c8>] __driver_probe_device+0x78/0x180
>     [<ffffffffb13be6fe>] driver_probe_device+0x1e/0x90
>     [<ffffffffb13be972>] __driver_attach+0xd2/0x1c0
>     [<ffffffffb13bbc57>] bus_for_each_dev+0x77/0xd0
>     [<ffffffffb13bd2a2>] bus_add_driver+0x112/0x210
>     [<ffffffffb13bfc6c>] driver_register+0x5c/0x120
>     [<ffffffffc0596ae8>] usb_register_driver+0x88/0x150 [usbcore]
>     [<ffffffffb0c011c4>] do_one_initcall+0x44/0x220
>     [<ffffffffb0d6134c>] do_init_module+0x4c/0x220
> 
> Fix this by freeing the channel surveys on device removal.
> 
> Tested with a RT3070 based USB wireless adapter.
> 
> Fixes: 5447626910f5 ("rt2x00: save survey for every channel visited")
> Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Kalle Valo April 3, 2023, 1:44 p.m. UTC | #3
Armin Wolf <W_Armin@gmx.de> wrote:

> When removing a rt2x00 device, its associated channel surveys
> are not freed, causing a memory leak observable with kmemleak:
> 
> unreferenced object 0xffff9620f0881a00 (size 512):
>   comm "systemd-udevd", pid 2290, jiffies 4294906974 (age 33.768s)
>   hex dump (first 32 bytes):
>     70 44 12 00 00 00 00 00 92 8a 00 00 00 00 00 00  pD..............
>     00 00 00 00 00 00 00 00 ab 87 01 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffffb0ed858b>] __kmalloc+0x4b/0x130
>     [<ffffffffc1b0f29b>] rt2800_probe_hw+0xc2b/0x1380 [rt2800lib]
>     [<ffffffffc1a9496e>] rt2800usb_probe_hw+0xe/0x60 [rt2800usb]
>     [<ffffffffc1ae491a>] rt2x00lib_probe_dev+0x21a/0x7d0 [rt2x00lib]
>     [<ffffffffc1b3b83e>] rt2x00usb_probe+0x1be/0x980 [rt2x00usb]
>     [<ffffffffc05981e2>] usb_probe_interface+0xe2/0x310 [usbcore]
>     [<ffffffffb13be2d5>] really_probe+0x1a5/0x410
>     [<ffffffffb13be5c8>] __driver_probe_device+0x78/0x180
>     [<ffffffffb13be6fe>] driver_probe_device+0x1e/0x90
>     [<ffffffffb13be972>] __driver_attach+0xd2/0x1c0
>     [<ffffffffb13bbc57>] bus_for_each_dev+0x77/0xd0
>     [<ffffffffb13bd2a2>] bus_add_driver+0x112/0x210
>     [<ffffffffb13bfc6c>] driver_register+0x5c/0x120
>     [<ffffffffc0596ae8>] usb_register_driver+0x88/0x150 [usbcore]
>     [<ffffffffb0c011c4>] do_one_initcall+0x44/0x220
>     [<ffffffffb0d6134c>] do_init_module+0x4c/0x220
> 
> Fix this by freeing the channel surveys on device removal.
> 
> Tested with a RT3070 based USB wireless adapter.
> 
> Fixes: 5447626910f5 ("rt2x00: save survey for every channel visited")
> Signed-off-by: Armin Wolf <W_Armin@gmx.de>
> Reviewed-by: Simon Horman <simon.horman@corigine.com>
> Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>

Patch applied to wireless-next.git, thanks.

cbef9a83c51d wifi: rt2x00: Fix memory leak when handling surveys
diff mbox series

Patch

diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
index 3a035afcf7f9..9a9cfd0ce402 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
@@ -1091,6 +1091,7 @@  static void rt2x00lib_remove_hw(struct rt2x00_dev *rt2x00dev)
 	}

 	kfree(rt2x00dev->spec.channels_info);
+	kfree(rt2x00dev->chan_survey);
 }

 static const struct ieee80211_tpt_blink rt2x00_tpt_blink[] = {