From patchwork Mon Apr 17 16:03:31 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Larry Finger X-Patchwork-Id: 674489 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 02F0FC77B7A for ; Mon, 17 Apr 2023 16:04:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229982AbjDQQEF (ORCPT ); Mon, 17 Apr 2023 12:04:05 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59668 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229933AbjDQQEE (ORCPT ); Mon, 17 Apr 2023 12:04:04 -0400 Received: from mail-ot1-x331.google.com (mail-ot1-x331.google.com [IPv6:2607:f8b0:4864:20::331]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 22F0F8A74 for ; Mon, 17 Apr 2023 09:03:39 -0700 (PDT) Received: by mail-ot1-x331.google.com with SMTP id k101-20020a9d19ee000000b006a14270bc7eso9967637otk.6 for ; Mon, 17 Apr 2023 09:03:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1681747417; x=1684339417; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:sender:from:to:cc:subject:date:message-id:reply-to; bh=l0crzzW89BIFjvoLdInrsQtw1pgBJPEt/usufoThRT0=; b=YF1z/YdibqD1JtJUFsXdGciAxwBMn8YAVQi7eXRgpR3VF3JrKiYU8OGxwOR2KkMWWu y1atuk7M+94CLWLhMD59M3IvY31jvq6u19XGsnYt530V3B6ADgmA7cnfCaLKvOKhQsh+ y0pvG+JwV8ox0BufhGXuXGrDRjX6s3PiEY+ubtNfGE4RXMSWujDTg0wpiA7IWBbwO3wi 4gfkXF+Wb0ndt4/ccC4wBRfUQuIKeII8aDduVyyv9zXVGCFZsOgl4g2uw7q/5NvLuchk EPa+BxkUPlsoc2BDrV9BY1WHRqIGy6RkkPTrJV2VN9+Ot9fY+ljzKGkyiP/y4wcVnXkz E+WQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1681747417; x=1684339417; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:sender:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=l0crzzW89BIFjvoLdInrsQtw1pgBJPEt/usufoThRT0=; b=bBcCsS7vdfPems3vf8q+TsOy9TwPWhWrAstDZJWfXaMq10d0hYFANJF319o/Fa1kvR GaxRL/3jA6BLjvaEezng811qjhK9b3gVLze3SUByTiELKv2ua96VJJLTsxg+TEre7vVI b+dz1dQG4GyqDGTnpi1wBdbjQEXDbNPv38cRya58JYEvbNmut1kHWfGKPN1AF6/PCfSj HCKMqcd8JCKeMP5df67D729hojm6xatSdMNJI/Lr19RpF98bG2/goEpkJb8FcOnmmYKZ 2kE0fG+FhuPA7ErvDNBU6HTI1L7aZRmu4uGKWfRZGUa9nUoua/IJrHrGqo1bFWi3IhJM foRg== X-Gm-Message-State: AAQBX9e6GfEbh/xThRhALx8V9G+ucB8jkrKB/vBTDTTl6srw1qyR8hxp EJ+PxgzHfCCgrRtAXZHfiiHVSjqOd1k= X-Google-Smtp-Source: AKy350Zw1wc/+/mUNSQzVpVwApcUpAG/je5v2iwrAEVuWzu4wA7Ho7DqW+ZM1QGBOWMlufu8+hZLlQ== X-Received: by 2002:a05:6830:147:b0:69f:a723:bd60 with SMTP id j7-20020a056830014700b0069fa723bd60mr6632215otp.5.1681747417394; Mon, 17 Apr 2023 09:03:37 -0700 (PDT) Received: from localhost.localdomain ([216.130.59.33]) by smtp.gmail.com with ESMTPSA id m9-20020a0568301e6900b0069f8ff38bcbsm4594256otr.16.2023.04.17.09.03.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 17 Apr 2023 09:03:37 -0700 (PDT) Sender: Larry Finger From: Larry Finger To: Kalle Valo Cc: Johannes Berg , linux-wireless@vger.kernel.org, Larry Finger , Sascha Hauer , Ping-Ke Shih Subject: [PATCH v2] wifi: rtw88: Fix memory leak in rtw88_usb Date: Mon, 17 Apr 2023 11:03:31 -0500 Message-Id: <20230417160331.23071-1-Larry.Finger@lwfinger.net> X-Mailer: git-send-email 2.40.0 MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Kmemleak shows the following leak arising from routine in the usb probe routine: unreferenced object 0xffff895cb29bba00 (size 512): comm "(udev-worker)", pid 534, jiffies 4294903932 (age 102751.088s) hex dump (first 32 bytes): 77 30 30 30 00 00 00 00 02 2f 2d 2b 30 00 00 00 w000...../-+0... 02 00 2a 28 00 00 00 00 ff 55 ff ff ff 00 00 00 ..*(.....U...... backtrace: [] kmalloc_trace+0x26/0x90 [] rtw_usb_probe+0x2f1/0x680 [rtw_usb] [] usb_probe_interface+0xdd/0x2e0 [usbcore] [] really_probe+0x18e/0x3d0 [] __driver_probe_device+0x78/0x160 [] driver_probe_device+0x1f/0x90 [] __driver_attach+0xbf/0x1b0 [] bus_for_each_dev+0x70/0xc0 [] bus_add_driver+0x10e/0x210 [] driver_register+0x55/0xf0 [] usb_register_driver+0x88/0x140 [usbcore] [] do_one_initcall+0x43/0x210 [] do_init_module+0x4a/0x200 [] __do_sys_finit_module+0xac/0x120 [] do_syscall_64+0x56/0x80 [] entry_SYSCALL_64_after_hwframe+0x46/0xb0 The leak was verified to be real by unloading the driver, which resulted in a dangling pointer to the allocation. The allocated memory is freed in rtw_usb_intf_deinit(). Signed-off-by: Larry Finger Cc: Sascha Hauer Cc: Ping-Ke Shih Reviewed-by: Ping-Ke Shih --- v2 - Moved the kfree call as suggested by Ping-Ke Shih, --- drivers/net/wireless/realtek/rtw88/usb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c index 68e1b782d199..05c732644361 100644 --- a/drivers/net/wireless/realtek/rtw88/usb.c +++ b/drivers/net/wireless/realtek/rtw88/usb.c @@ -780,6 +780,7 @@ static void rtw_usb_intf_deinit(struct rtw_dev *rtwdev, struct rtw_usb *rtwusb = rtw_get_usb_priv(rtwdev); usb_put_dev(rtwusb->udev); + kfree(rtwusb->usb_data); usb_set_intfdata(intf, NULL); }