Subject: Re: Memory leak in btusb
From: Marcel Holtmann
To: Larry Finger
Cc: "Gustavo F. Padovan", Johan Hedberg, Linux Bluetooth mailing list
Date: Sat, 6 Jun 2015 18:37:41 +0200
In-Reply-To: <55638D99.5000704@lwfinger.net>

Hi Larry,

> While using kmemleak to check for memory leaks in a wireless driver, I noticed the following stack traceback for a leak in btusb:
>
> [] __alloc_skb+0x7e/0x2b0
> [] btusb_recv_intr+0x136/0x180 [btusb]
> [] btusb_intr_complete+0xb8/0x150 [btusb]
> [] __usb_hcd_giveback_urb+0x72/0x120
>
> To eliminate a false positive, I unloaded the driver and got the following for the virtual address:
>
> [] __alloc_skb+0x7e/0x2b0
> [] 0xffffffffa06029d6
> [] 0xffffffffa0602ad8
> [] __usb_hcd_giveback_urb+0x72/0x120

if this is really an alloc_skb from btusb_recv_intr, then it is the HCI event reassembly handling. Meaning this is data->evt_skb since that is the only one that is ever allocated there. All the SKBs allocated in that function are consumed by the core or later on freed by btusb_free_frags.

Is this some rare case on suspend/resume where we forget to free the frags when we get disconnected and re-enumerate via probe?

When the core consumes this SKB via hci_recv_frame it really consumes it. If for some reason this function returns an error, it still frees the SKB. So for all intents and purposes it could even be void.

So I need some more info on what is causing this memory leak. The one in the Intel setup routine was obvious. If that does not fix it, then this is not obvious. You might need to check which alloc_skb this really is. As I said, if it is the one in btusb_recv_intr, then it is the data->evt_skb that is leaking in some corner case.

Regards

Marcel
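The ownership rule Marcel describes (an event buffer allocated in the interrupt path is owned by the driver until either the core consumes it, error or not, or the teardown path frees the leftover fragment) is easy to get wrong and easy to model. The following is an added userspace model written for this page, not btusb or any other kernel code: `struct skb` stands in for `sk_buff`, `core_recv_frame` stands in for `hci_recv_frame`, `model_recv_intr` and `model_free_frags` are hypothetical stand-ins for `btusb_recv_intr` and `btusb_free_frags`, and the two-byte HCI event header (event code, parameter length) is the only protocol detail assumed. The sample URB payloads are constructed. The `live_skbs` counter plays the role kmemleak plays in Larry's report: whatever is still counted after teardown is the leak.

```c
/* Userspace model of HCI event reassembly and SKB ownership.
 * Constructed example for this page; none of it is kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HCI_EVENT_HDR_SIZE 2   /* event code (1 byte) + parameter length (1 byte) */

struct skb {                   /* stand-in for struct sk_buff */
    uint8_t *data;
    size_t len;
    size_t cap;
};

struct btusb_model {           /* stand-in for the driver's private data */
    struct skb *evt_skb;       /* partially reassembled event, driver-owned */
    int live_skbs;             /* SKBs allocated and not yet freed (leak detector) */
    int delivered;             /* complete events accepted by the core */
    int core_errors;           /* events the core rejected (SKB freed anyway) */
};

static struct skb *skb_alloc(struct btusb_model *m, size_t cap)
{
    struct skb *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    s->data = malloc(cap);
    if (!s->data) { free(s); return NULL; }
    s->cap = cap;
    m->live_skbs++;
    return s;
}

static void skb_free(struct btusb_model *m, struct skb *s)
{
    if (!s) return;
    free(s->data);
    free(s);
    m->live_skbs--;
}

/* Stand-in for hci_recv_frame(): consumes the SKB on success AND on error,
 * so the caller must never touch it again and never needs to free it. */
static int core_recv_frame(struct btusb_model *m, struct skb *s)
{
    int ret = 0;
    if (s->len < HCI_EVENT_HDR_SIZE || s->data[0] == 0x00) {
        m->core_errors++;          /* constructed rejection rule: event code 0 is invalid */
        ret = -1;
    } else {
        m->delivered++;
    }
    skb_free(m, s);                /* ownership has transferred: freed either way */
    return ret;
}

/* Stand-in for btusb_recv_intr(): reassemble events that may be split
 * across interrupt URB completions. Returns -1 only on allocation failure. */
static int model_recv_intr(struct btusb_model *m, const uint8_t *buf, size_t count)
{
    while (count) {
        size_t want, n;

        if (!m->evt_skb) {         /* the only allocation in this path */
            m->evt_skb = skb_alloc(m, HCI_EVENT_HDR_SIZE + 255);
            if (!m->evt_skb) return -1;
        }

        if (m->evt_skb->len < HCI_EVENT_HDR_SIZE)
            want = HCI_EVENT_HDR_SIZE - m->evt_skb->len;        /* finish the header first */
        else
            want = HCI_EVENT_HDR_SIZE + m->evt_skb->data[1] - m->evt_skb->len;

        n = want < count ? want : count;
        memcpy(m->evt_skb->data + m->evt_skb->len, buf, n);
        m->evt_skb->len += n;
        buf += n;
        count -= n;

        if (m->evt_skb->len >= HCI_EVENT_HDR_SIZE &&
            m->evt_skb->len == HCI_EVENT_HDR_SIZE + (size_t)m->evt_skb->data[1]) {
            core_recv_frame(m, m->evt_skb);   /* core owns and frees it now */
            m->evt_skb = NULL;
        }
    }
    return 0;
}

/* Stand-in for btusb_free_frags(): the disconnect/teardown path must drop a
 * half-assembled event, because nothing else will ever complete or free it. */
static void model_free_frags(struct btusb_model *m)
{
    skb_free(m, m->evt_skb);
    m->evt_skb = NULL;
}

struct result { int delivered; int core_errors; int live_skbs; };

/* Constructed traffic: a Command Complete event (0x0e, 4 params) split over
 * two URBs, followed by the first three bytes of another event (plen 5) that
 * never completes. Then tear down with or without freeing the fragment. */
static struct result run_scenario(int teardown_frees_frags)
{
    static const uint8_t urb1[] = { 0x0e, 0x04, 0x01 };
    static const uint8_t urb2[] = { 0x03, 0x0c, 0x00, 0x13, 0x05, 0xaa };
    struct btusb_model m = { 0 };
    struct result r;

    model_recv_intr(&m, urb1, sizeof urb1);
    model_recv_intr(&m, urb2, sizeof urb2);
    if (teardown_frees_frags)
        model_free_frags(&m);
    r.delivered = m.delivered;
    r.core_errors = m.core_errors;
    r.live_skbs = m.live_skbs;     /* 1 here is exactly what kmemleak would report */
    model_free_frags(&m);          /* keep the model process itself clean */
    return r;
}

/* The core rejecting an event still frees it: nothing for the driver to do. */
static struct result run_rejected_event(void)
{
    static const uint8_t urb[] = { 0x00, 0x01, 0xff };
    struct btusb_model m = { 0 };
    struct result r;

    model_recv_intr(&m, urb, sizeof urb);
    r.delivered = m.delivered;
    r.core_errors = m.core_errors;
    r.live_skbs = m.live_skbs;
    return r;
}

int main(void)
{
    struct result a = run_scenario(1), b = run_scenario(0), c = run_rejected_event();
    printf("teardown frees frags:  delivered=%d live=%d\n", a.delivered, a.live_skbs);
    printf("teardown skips frags:  delivered=%d live=%d\n", b.delivered, b.live_skbs);
    printf("core rejects event:    errors=%d live=%d\n", c.core_errors, c.live_skbs);
    return 0;
}
```

The point the model makes is the one in the reply: the interrupt path allocates exactly one buffer, every completed event leaves the driver's hands inside `core_recv_frame` regardless of its return value, and the only buffer that can outlive the driver is the partial one, which is why the teardown path (and any re-probe after a disconnect or resume) is where to look for a missing free.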