Debian Bug report logs - #367790
linux-wlan-ng-source: Setting USB adapter to monitor mode triggers memory leak in kernel

Package: linux-wlan-ng-source; Maintainer for linux-wlan-ng-source is Tormod Volden <debian.tormod@gmail.com>;

Reported by: Frédéric Brière <orphaned-bug@fbriere.net>

Date: Thu, 18 May 2006 02:48:05 UTC

Severity: important

Found in version linux-wlan-ng-source/0.2.4+svn20060414-3


Report forwarded to debian-bugs-dist@lists.debian.org, Victor Seva <linuxmaniac@torreviejawireless.org>:
Bug#367790; Package linux-wlan-ng-source. Full text and rfc822 format available.

Acknowledgement sent to Frederic Briere <fbriere@fbriere.net>:
New Bug report received and forwarded. Copy sent to Victor Seva <linuxmaniac@torreviejawireless.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Frederic Briere <fbriere@fbriere.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: linux-wlan-ng-source: Setting USB adapter to monitor mode triggers memory leak in kernel
Date: Wed, 17 May 2006 22:35:59 -0400
Package: linux-wlan-ng-source
Version: 0.2.4+svn20060414-3
Severity: critical
Justification: breaks the whole system

[I'm setting this to severity: critical because it has the potential to
bring the kernel to a grinding halt.]


My apologies for raising the RC bug count. :)

I'm currently using a Syntax USB-400 802.11b adaptor built around the
prism2 chipset.  (These used to be somewhat popular when eCost was
almost giving them away.)  I've had it for nearly two years, but only
used it very sporadically; it worked fine as far as I could tell.

Recently, I've been using this dongle in monitor mode with kismet.  I
noticed that all the while that kismet was running, the kernel was
slowly growing in size.  This growth would appear to pause when kismet
was stopped, but the memory thus allocated cannot be reclaimed, even
when unloading the prism2_usb and p80211 modules (or any other
unloadable module for that matter).

If kismet is left running, the kernel will keep bloating up, eventually
swapping stuff out and siccing its oom-killer on other processes, until
it completely runs out of memory and goes bonkers.  (Hence the
severity.)


A few precisions:

* The memory leak is obvious when running kismet, but I cannot swear
  that it does not occur otherwise.  Maybe it's not the monitor mode as
  much as the high level of traffic that results from it.

* As I pointed out, I only used this adaptor sporadically before, so I
  couldn't say whether this is a recent bug or an old one.

* Even going into runlevel 1 and unloading every module that allows
  itself to be unloaded (this includes all of the prism2 and USB
  modules) does not free the reserved memory.


I'm attaching my current .config file, in case that helps.  (The modules
themselves were compiled with their vanilla config.)


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-1-toroia
Locale: LANG=en_CA, LC_CTYPE=en_CA (charmap=ISO-8859-1)

Versions of packages linux-wlan-ng-source depends on:
ii  debhelper                     5.0.35     helper programs for debian/rules
ii  module-assistant              0.10.4     tool to make module package creati

linux-wlan-ng-source recommends no packages.

-- no debconf information
[config-2.6.16-1-toroia (text/plain, attachment)]
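
When kernel memory keeps growing as in the report above and is not released on module unload, comparing two `/proc/slabinfo` snapshots taken some minutes apart shows which slab cache is accumulating objects. The following is an added example, not part of the bug log or of linux-wlan-ng; the snapshot contents, cache figures and the 1 MiB threshold are constructed for illustration.

```python
import sys

# Constructed /proc/slabinfo snapshots (version 2.1 layout). Cache names and
# counts are illustrative only, not measurements from the reporter's machine.
HEADER = (
    "slabinfo - version: 2.1\n"
    "# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab>"
    " : tunables <limit> <batchcount> <sharedfactor>"
    " : slabdata <active_slabs> <num_slabs> <sharedavail>\n"
)
BEFORE = HEADER + (
    "skbuff_head_cache   320   340  192 20 1 : tunables 120 60 0 : slabdata  17  17 0\n"
    "size-2048           150   152 2048  2 1 : tunables  24 12 0 : slabdata  76  76 0\n"
    "dentry_cache       9000  9019  136 29 1 : tunables 120 60 0 : slabdata 311 311 0\n"
)
AFTER = HEADER + (
    "skbuff_head_cache 48320 48340  192 20 1 : tunables 120 60 0 : slabdata 2417 2417 0\n"
    "size-2048         24150 24150 2048  2 1 : tunables  24 12 0 : slabdata 12075 12075 0\n"
    "dentry_cache       8950  9019  136 29 1 : tunables 120 60 0 : slabdata 311 311 0\n"
)


def parse_slabinfo(text):
    """Map cache name -> bytes held by active objects (active_objs * objsize)."""
    usage = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("slabinfo", "#")):
            continue
        fields = line.split(":", 1)[0].split()
        if len(fields) < 4:
            continue  # malformed or truncated line
        usage[fields[0]] = int(fields[1]) * int(fields[3])
    return usage


def rank_growth(before, after, min_bytes=1 << 20):
    """Return [(cache, delta_bytes)] for caches that grew by at least min_bytes."""
    deltas = {name: size - before.get(name, 0) for name, size in after.items()}
    grown = [(n, d) for n, d in deltas.items() if d >= min_bytes]
    return sorted(grown, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    # With two saved snapshot files as arguments, compare those; reading
    # /proc/slabinfo to produce them normally requires root.
    if len(sys.argv) == 3:
        texts = [open(path).read() for path in sys.argv[1:3]]
    else:
        texts = [BEFORE, AFTER]
    for name, delta in rank_growth(*map(parse_slabinfo, texts)):
        print(f"{name:24s} +{delta / 1024:.0f} KiB")
```

A cache that keeps climbing across successive snapshots while the capture tool runs, and stays flat but never shrinks once it stops, matches the behaviour described in the report.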

Message sent on to Frederic Briere <fbriere@fbriere.net>:
Bug#367790. Full text and rfc822 format available.

Message #8 received at 367790-submitter@bugs.debian.org (full text, mbox):

From: Christian Aichinger <Greek0@gmx.net>
To: 367790-submitter@bugs.debian.org
Subject: Re: linux-wlan-ng-source: Setting USB adapter to monitor mode triggers memory leak in kernel
Date: Sat, 10 Jun 2006 20:54:13 +0200
On Wed, May 17, 2006 at 10:35:59PM -0400, Frederic Briere wrote:
> [I'm setting this to severity: critical because it has the potential to
> bring the kernel to a grinding halt.]

Well, but it can only be done by root, and only by enabling monitor
mode for some longer time. It seems to be one of the "don't do that
then"-bugs.

> Recently, I've been using this dongle in monitor mode with kismet.  I
> noticed that all the while that kismet was running, the kernel was
> slowly growing in size.  This growth would appear to pause when kismet
> was stopped, but the memory thus allocated cannot be reclaimed, even
> when unloading the prism2_usb and p80211 modules (or any other
> unloadable module for that matter).
[...]
> A few precisions:
> 
> * The memory leak is obvious when running kismet, but I cannot swear
>   that it does not occur otherwise.  Maybe it's not the monitor mode as
>   much as the high level of traffic that results from it.
> 
> * As I pointed out, I only used this adaptor sporadically before, so I
>   couldn't say whether this is a recent bug or an old one.
> 
> * Even going into runlevel 1 and unloading every module that allows
>   itself to be unloaded (this includes all of the prism2 and USB
>   modules) does not free the reserved memory.

Thanks for the detailed report!

I think I've found a leak in the -usb monitor code. If I get this
right it leaks a few bytes on every received packet, since it copies
the device name, but doesn't free the string again.

The leak is in prism2/driver/hfa384x_usb.c, line 4359, msg->devname
isn't freed again AFAICS.

I've attached a patch that removes that strcpy and just uses
wlandev->name directly. Could you apply that patch and see if it
fixes the leak?

I'm not sure that just dropping the strcpy is entirely safe. It
could be possible that wlandev is freed (and ->name with it), while
it's still referenced by msg->devname. That'd probably cause an
oops.

So long story short, it'd be great if you could test this out, also
check if module unloading, bringing the interface up/down,
enabling/disabling monitor mode several times, ...

I'd probably save important stuff and sync before trying it though
:)

HTH,
Christian Aichinger
[linux-wlan-ng_367790_memleak-fix.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Message sent on to Frederic Briere <fbriere@fbriere.net>:
Bug#367790. Full text and rfc822 format available.

Message #11 received at 367790-submitter@bugs.debian.org (full text, mbox):

From: Christian Aichinger <Greek0@gmx.net>
To: 367790-submitter@bugs.debian.org
Subject: Re: linux-wlan-ng-source: Setting USB adapter to monitor mode triggers memory leak in kernel
Date: Sun, 11 Jun 2006 11:50:56 +0200
On Sat, Jun 10, 2006 at 08:54:13PM +0200, Christian Aichinger wrote:
> I think I've found a leak in the -usb monitor code. If I get this
> right it leaks a few bytes on every received packet, since it copies
> the device name, but doesn't free the string again.

Urgh, scratch that. It doesn't work, and afaics it doesn't even leak
memory.

I should have probably slept more before looking into this ;). I'll
take a look again later today or tomorrow.

Sorry,
Christian Aichinger
[signature.asc (application/pgp-signature, inline)]

Tags added: moreinfo Request was from Enrico Tassi <gareuselesinge@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Victor Seva <linuxmaniac@torreviejawireless.org>:
Bug#367790; Package linux-wlan-ng-source. Full text and rfc822 format available.

Acknowledgement sent to Enrico Tassi <gareuselesinge@debian.org>:
Extra info received and forwarded to list. Copy sent to Victor Seva <linuxmaniac@torreviejawireless.org>. Full text and rfc822 format available.

Message #18 received at 367790@bugs.debian.org (full text, mbox):

From: Enrico Tassi <gareuselesinge@debian.org>
To: 367790@bugs.debian.org
Subject: Re: Bug#367790: linux-wlan-ng-source: Setting USB adapter to monitor mode triggers memory leak in kernel
Date: Sun, 25 Jun 2006 19:10:18 +0200
On Sun, Jun 11, 2006 at 11:50:56AM +0200, Christian Aichinger wrote:
> On Sat, Jun 10, 2006 at 08:54:13PM +0200, Christian Aichinger wrote:
> > I think I've found a leak in the -usb monitor code. If I get this
> > right it leaks a few bytes on every received packet, since it copies
> > the device name, but doesn't free the string again.
> 
> Urgh, scratch that. It doesn't work, and afaics it doesn't even leak
> memory.
> 
> I should have probably slept more before looking into this ;). I'll
> take a look again later today or tomorrow.
> 
> Sorry,
> Christian Aichinger

By personal communication, Christian Aichinger reported that the patch
doesn't work.
-- 
Enrico Tassi



Tags removed: moreinfo Request was from Enrico Tassi <gareuselesinge@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Victor Seva <linuxmaniac@torreviejawireless.org>:
Bug#367790; Package linux-wlan-ng-source. Full text and rfc822 format available.

Acknowledgement sent to Enrico Tassi <gareuselesinge@debian.org>:
Extra info received and forwarded to list. Copy sent to Victor Seva <linuxmaniac@torreviejawireless.org>. Full text and rfc822 format available.

Message #25 received at 367790@bugs.debian.org (full text, mbox):

From: Enrico Tassi <gareuselesinge@debian.org>
To: control@bugs.debian.org
Cc: 367790@bugs.debian.org
Subject: This bug is probably important and not critical
Date: Sat, 15 Jul 2006 15:04:04 +0200
severity 367790 important
stop

This bug fits better as important, since it is
  
  a bug which has a major effect on the usability of a package, without
  rendering it completely unusable to everyone.

Moreover, some fixes upstream will never reach testing users, who I
suppose will be happier with an updated version of the driver (and I'm
sure the version in testing already has this bug).

I'll explicitly mention this bug in the documentation, warning about
using monitor mode and kismet (using the root account).

regards
-- 
Enrico Tassi



Severity set to `important' from `critical' Request was from Enrico Tassi <gareuselesinge@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Tormod Volden <debian.tormod@gmail.com>:
Bug#367790; Package linux-wlan-ng-source. (Sat, 19 Jun 2010 16:06:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frédéric Brière <fbriere@fbriere.net>:
Extra info received and forwarded to list. Copy sent to Tormod Volden <debian.tormod@gmail.com>. (Sat, 19 Jun 2010 16:06:04 GMT) Full text and rfc822 format available.

Message #32 received at 367790@bugs.debian.org (full text, mbox):

From: Frédéric Brière <fbriere@fbriere.net>
To: 367790@bugs.debian.org
Subject: Re: Bug#367790: linux-wlan-ng-source: Setting USB adapter to monitor mode triggers memory leak in kernel
Date: Sat, 19 Jun 2010 12:03:03 -0400
On Wed, May 17, 2006 at 10:35:59PM -0400, Frederic Briere wrote:
> I'm currently using a Syntax USB-400 802.11b adaptor built around the
> prism2 chipset.  (These used to be somewhat popular when eCost was

As you might imagine, that adaptor has been gathering dust for several
years now.  I tried to recreate this bug just for fun, but I couldn't
even get it to run with kismet in the first place.  (Although inserting
the adaptor the first time made the kernel crash, so it is apparently
cursed in more than one way.)

At this point, I don't really care what happens to this bug report
anymore.  (Can a bug report be orphaned?)  Four years is an eternity
when it comes to kernel code, and chances are this bug was either fixed,
or morphed into a different bug.  Besides, 11b is as useful as 10Base2
nowadays.

Still, if there's anyone masochistic enough to dare tackle this issue,
I'd be glad to give this adaptor away and mail it to that poor soul,
along with my best wishes.


-- 
No extensible language will be universal.
		-- T. Cheatham




Information forwarded to debian-bugs-dist@lists.debian.org, Tormod Volden <debian.tormod@gmail.com>:
Bug#367790; Package linux-wlan-ng-source. (Sun, 26 May 2013 20:48:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Frédéric Brière <fbriere@fbriere.net>:
Extra info received and forwarded to list. Copy sent to Tormod Volden <debian.tormod@gmail.com>. (Sun, 26 May 2013 20:48:04 GMT) Full text and rfc822 format available.

Message #37 received at 367790@bugs.debian.org (full text, mbox):

From: Frédéric Brière <fbriere@fbriere.net>
To: 367790@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#367790: linux-wlan-ng-source: Setting USB adapter to monitor mode triggers memory leak in kernel
Date: Sun, 26 May 2013 16:46:18 -0400
usertags 367790 - orphaned
submitter 367790 Frédéric Brière <orphaned-bug@fbriere.net>
thanks

On Sat, Jun 19, 2010 at 12:03:03PM -0400, Frédéric Brière wrote:
> At this point, I don't really care what happens to this bug report
> anymore.  (Can a bug report be orphaned?)

I'll do the next best thing and mark it as such.

If anyone has any interest in this bug report, feel free to adopt it and
set yourself as submitter.

> I'd be glad to give this adaptor away and mail it to that poor soul,
> along with my best wishes.

I think I threw it away some time ago.  Sorry.  :(


-- 
To kick or not to kick...
		-- Somewhere on IRC, inspired by Shakespeare



Changed Bug submitter to 'Frédéric Brière <orphaned-bug@fbriere.net>' from 'Frederic Briere <fbriere@fbriere.net>' Request was from Frédéric Brière <fbriere@fbriere.net> to control@bugs.debian.org. (Sun, 26 May 2013 20:48:07 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:00:56 2014; Machine Name: buxtehude.debian.org
