Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1755319AbdFLP7w (ORCPT <rfc822;w@1wt.eu>);
        Mon, 12 Jun 2017 11:59:52 -0400
Received: from mail-wr0-f196.google.com ([209.85.128.196]:33919 "EHLO
        mail-wr0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752099AbdFLP7t (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 12 Jun 2017 11:59:49 -0400
Date: Mon, 12 Jun 2017 17:59:45 +0200
From: Tomas Hlavacek <tmshlvck@gmail.com>
Subject: rtl8723bs memory leak
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Message-Id: <1497283185.13388.0@smtp.gmail.com>
X-Mailer: geary/master~gd84fe3c1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 2255
Lines: 58

Hello!

It seems that we have discovered a memory leak in the rtl8723bs driver. 
The problem is that when the SDIO read fails in sd_recv_rxfifo() (in 
drivers/staging/rtl8723bs/hal/sdio_ops.c, l1016) the function simply 
returns NULL, but the dequeued recvbuf is never returned to the 
precvpriv->free_recv_buf_queue.

After several SDIO read failures it would bleed off the recvbuf queue 
and it would subsequently stop processing packets while producing 
endless flow of messages like this:

[   49.618639] RTL8723BS: ERROR sd_recv_rxfifo: alloc recvbuf FAIL!
[   49.624340] RTL8723BS: ERROR precvbuf is Null for 8 times because 
alloc memory failed
[   49.641654] RTL8723BS: ERROR sd_recv_rxfifo: alloc recvbuf FAIL!
[   49.648015] RTL8723BS: ERROR precvbuf is Null for 9 times because 
alloc memory failed
[   49.665105] RTL8723BS: ERROR sd_recv_rxfifo: alloc recvbuf FAIL!
[   49.671474] RTL8723BS: ERROR precvbuf is Null for 10 times because 
alloc memory failed
[   49.679394] RTL8723BS: ERROR exit because alloc memory failed more 
than 10 times
...

A possible fix might look like the following (however, this is only my 
testing hot-fix to make the driver work and I have to admit that I do 
not fully understand the whole thing - that's why I am not posting a 
patch at this point):

diff --git a/drivers/staging/rtl8723bs/hal/sdio_ops.c 
b/drivers/staging/rtl8723bs/hal/sdio_ops.c
index 6285b72faa9a..ad65cd74c3c8 100644
--- a/drivers/staging/rtl8723bs/hal/sdio_ops.c
+++ b/drivers/staging/rtl8723bs/hal/sdio_ops.c
@@ -1008,6 +1008,7 @@ static struct recv_buf *sd_recv_rxfifo(struct 
adapter *padapter, u32 size)
 		}

 		if (precvbuf->pskb == NULL) {
+			rtw_enqueue_recvbuf(precvbuf, &precvpriv->free_recv_buf_queue);
 			DBG_871X("%s: alloc_skb fail! read =%d\n", __func__, readsize);
 			return NULL;
 		}
@@ -1017,6 +1018,7 @@ static struct recv_buf *sd_recv_rxfifo(struct 
adapter *padapter, u32 size)
 	preadbuf = precvbuf->pskb->data;
 	ret = sdio_read_port(&padapter->iopriv.intf, WLAN_RX0FF_DEVICE_ID, 
readsize, preadbuf);
 	if (ret == _FAIL) {
+		rtw_enqueue_recvbuf(precvbuf, &precvpriv->free_recv_buf_queue);
 		RT_TRACE(_module_hci_ops_os_c_, _drv_err_, ("%s: read port FAIL!\n", 
__func__));
 		return NULL;
 	}

Cheers,
Tomas