Vamshi K Sthambamkadi b9afcdcddf Bluetooth: btusb: fix memory leak on suspend and resume ... [ Upstream commit 5ff20cbe67 ] kmemleak report: unreferenced object 0xffff9b1127f00500 (size 208): comm "kworker/u17:2", pid 500, jiffies 4294937470 (age 580.136s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 60 ed 05 11 9b ff ff 00 00 00 00 00 00 00 00 .`.............. backtrace: [<000000006ab3fd59>] kmem_cache_alloc_node+0x17a/0x480 [<0000000051a5f6f9>] __alloc_skb+0x5b/0x1d0 [<0000000037e2d252>] hci_prepare_cmd+0x32/0xc0 [bluetooth] [<0000000010b586d5>] hci_req_add_ev+0x84/0xe0 [bluetooth] [<00000000d2deb520>] hci_req_clear_event_filter+0x42/0x70 [bluetooth] [<00000000f864bd8c>] hci_req_prepare_suspend+0x84/0x470 [bluetooth] [<000000001deb2cc4>] hci_prepare_suspend+0x31/0x40 [bluetooth] [<000000002677dd79>] process_one_work+0x209/0x3b0 [<00000000aaa62b07>] worker_thread+0x34/0x400 [<00000000826d176c>] kthread+0x126/0x140 [<000000002305e558>] ret_from_fork+0x22/0x30 unreferenced object 0xffff9b1125c6ee00 (size 512): comm "kworker/u17:2", pid 500, jiffies 4294937470 (age 580.136s) hex dump (first 32 bytes): 04 00 00 00 0d 00 00 00 05 0c 01 00 11 9b ff ff ................ 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................ backtrace: [<000000009f07c0cc>] slab_post_alloc_hook+0x59/0x270 [<0000000049431dc2>] __kmalloc_node_track_caller+0x15f/0x330 [<00000000027a42f6>] __kmalloc_reserve.isra.70+0x31/0x90 [<00000000e8e3e76a>] __alloc_skb+0x87/0x1d0 [<0000000037e2d252>] hci_prepare_cmd+0x32/0xc0 [bluetooth] [<0000000010b586d5>] hci_req_add_ev+0x84/0xe0 [bluetooth] [<00000000d2deb520>] hci_req_clear_event_filter+0x42/0x70 [bluetooth] [<00000000f864bd8c>] hci_req_prepare_suspend+0x84/0x470 [bluetooth] [<000000001deb2cc4>] hci_prepare_suspend+0x31/0x40 [bluetooth] [<000000002677dd79>] process_one_work+0x209/0x3b0 [<00000000aaa62b07>] worker_thread+0x34/0x400 [<00000000826d176c>] kthread+0x126/0x140 [<000000002305e558>] ret_from_fork+0x22/0x30 unreferenced object 0xffff9b112b395788 (size 8): comm "kworker/u17:2", pid 500, jiffies 4294937470 (age 580.136s) hex dump (first 8 bytes): 20 00 00 00 00 00 04 00 ....... backtrace: [<0000000052dc28d2>] kmem_cache_alloc_trace+0x15e/0x460 [<0000000046147591>] alloc_ctrl_urb+0x52/0xe0 [btusb] [<00000000a2ed3e9e>] btusb_send_frame+0x91/0x100 [btusb] [<000000001e66030e>] hci_send_frame+0x7e/0xf0 [bluetooth] [<00000000bf6b7269>] hci_cmd_work+0xc5/0x130 [bluetooth] [<000000002677dd79>] process_one_work+0x209/0x3b0 [<00000000aaa62b07>] worker_thread+0x34/0x400 [<00000000826d176c>] kthread+0x126/0x140 [<000000002305e558>] ret_from_fork+0x22/0x30 In pm sleep-resume context, while the btusb device rebinds, it enters hci_unregister_dev(), whilst there is a possibility of hdev receiving PM_POST_SUSPEND suspend_notifier event, leading to generation of msg frames. When hci_unregister_dev() completes, i.e. hdev context is destroyed/freed, those intermittently sent msg frames cause memory leak. BUG details: Below is stack trace of thread that enters hci_unregister_dev(), marks the hdev flag HCI_UNREGISTER to 1, and then goes onto to wait on notifier lock - refer unregister_pm_notifier(). hci_unregister_dev+0xa5/0x320 [bluetoot] btusb_disconnect+0x68/0x150 [btusb] usb_unbind_interface+0x77/0x250 ? kernfs_remove_by_name_ns+0x75/0xa0 device_release_driver_internal+0xfe/0x1 device_release_driver+0x12/0x20 bus_remove_device+0xe1/0x150 device_del+0x192/0x3e0 ? usb_remove_ep_devs+0x1f/0x30 usb_disable_device+0x92/0x1b0 usb_disconnect+0xc2/0x270 hub_event+0x9f6/0x15d0 ? rpm_idle+0x23/0x360 ? rpm_idle+0x26b/0x360 process_one_work+0x209/0x3b0 worker_thread+0x34/0x400 ? process_one_work+0x3b0/0x3b0 kthread+0x126/0x140 ? kthread_park+0x90/0x90 ret_from_fork+0x22/0x30 Below is stack trace of thread executing hci_suspend_notifier() which processes the PM_POST_SUSPEND event, while the unbinding thread is waiting on lock. hci_suspend_notifier.cold.39+0x5/0x2b [bluetooth] blocking_notifier_call_chain+0x69/0x90 pm_notifier_call_chain+0x1a/0x20 pm_suspend.cold.9+0x334/0x352 state_store+0x84/0xf0 kobj_attr_store+0x12/0x20 sysfs_kf_write+0x3b/0x40 kernfs_fop_write+0xda/0x1c0 vfs_write+0xbb/0x250 ksys_write+0x61/0xe0 __x64_sys_write+0x1a/0x20 do_syscall_64+0x37/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fix hci_suspend_notifer(), not to act on events when flag HCI_UNREGISTER is set. Signed-off-by: Vamshi K Sthambamkadi <vamshi.k.sthambamkadi@gmail.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2021-03-07 12:34:09 +01:00
..
bnep	net: make ->{get,set}sockopt in proto_ops optional	2020-07-19 18:16:41 -07:00
cmtp	net: make ->{get,set}sockopt in proto_ops optional	2020-07-19 18:16:41 -07:00
hidp	net: make ->{get,set}sockopt in proto_ops optional	2020-07-19 18:16:41 -07:00
rfcomm	Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next	2020-07-31 15:11:52 -07:00
6lowpan.c	Bluetooth: add a mutex lock to avoid UAF in do_enale_set	2020-06-23 14:30:07 +02:00
a2mp.c	Bluetooth: drop HCI device reference before return	2021-03-04 11:37:25 +01:00
a2mp.h	Bluetooth: Replace zero-length array with flexible-array member	2020-02-28 08:30:02 +01:00
af_bluetooth.c	Bluetooth: Add support for BT_PKT_STATUS CMSG data for SCO connections	2020-06-12 15:08:49 +02:00
amp.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284	2019-06-05 17:36:37 +02:00
amp.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 284	2019-06-05 17:36:37 +02:00
ecdh_helper.c	mm, treewide: rename kzfree() to kfree_sensitive()	2020-08-07 11:33:22 -07:00
ecdh_helper.h	Bluetooth: let the crypto subsystem generate the ecc privkey	2017-10-06 20:35:47 +02:00
hci_conn.c	net: bluetooth: delete duplicated words	2020-09-18 14:12:43 -07:00
hci_core.c	Bluetooth: btusb: fix memory leak on suspend and resume	2021-03-07 12:34:09 +01:00
hci_debugfs.c	Bluetooth: debugfs option to unset MITM flag	2020-04-07 18:32:21 +02:00
hci_debugfs.h
hci_event.c	Bluetooth: Fix null pointer dereference in hci_event_packet()	2020-12-30 11:53:05 +01:00
hci_request.c	Bluetooth: Fix: LL PRivacy BLE device fails to connect	2020-12-30 11:53:05 +01:00
hci_request.h	Bluetooth: Enable/Disable address resolution during le create conn	2020-07-30 09:34:43 +02:00
hci_sock.c	Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next	2020-07-31 15:11:52 -07:00
hci_sysfs.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2017-11-04 09:26:51 +09:00
Kconfig	Bluetooth: Disable High Speed by default	2020-09-25 20:21:55 +02:00
l2cap_core.c	Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel	2020-09-25 20:21:55 +02:00
l2cap_sock.c	Bluetooth: L2CAP: Fix calling sk_filter on non-socket based channel	2020-09-25 20:21:55 +02:00
leds.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500	2019-06-19 17:09:55 +02:00
leds.h	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500	2019-06-19 17:09:55 +02:00
lib.c	Bluetooth: Introduce debug feature when dynamic debug is disabled	2020-05-11 12:16:27 +02:00
Makefile	Bluetooth: implement read/set default system parameters mgmt	2020-06-12 21:41:07 +02:00
mgmt_config.c	Bluetooth: Adding a configurable autoconnect timeout	2020-07-07 17:37:03 +02:00
mgmt_config.h	Bluetooth: mgmt: Add commands for runtime configuration	2020-06-18 13:11:03 +03:00
mgmt_util.c
mgmt_util.h
mgmt.c	Bluetooth: MGMT: Fix not checking if BT_HS is enabled	2020-09-25 20:21:55 +02:00
msft.c	Bluetooth: Replace zero-length array with flexible-array member	2020-10-29 17:22:59 -05:00
msft.h	Bluetooth: Add handler of MGMT_OP_READ_ADV_MONITOR_FEATURES	2020-06-18 13:11:21 +03:00
sco.c	Bluetooth: sco: Fix crash when using BT_SNDMTU/BT_RCVMTU option	2020-12-30 11:53:40 +01:00
selftest.c	Bluetooth: Remove CRYPTO_ALG_INTERNAL flag	2020-07-31 16:42:04 +03:00
selftest.h
smp.c	mm, treewide: rename kzfree() to kfree_sensitive()	2020-08-07 11:33:22 -07:00
smp.h	Bluetooth: SMP: fix crash in unpairing	2018-09-26 12:39:32 +03:00