LinuxLists.cc - [PATCH] usb: usbip: fix a refcount leak in stub

2022-04-06 14:57:50

Subject: [PATCH] usb: usbip: fix a refcount leak in stub_probe()

usb_get_dev is called in stub_device_alloc. When stub_probe fails after
that, usb_put_dev needs to be used.

Fix this by moving usb_put_dev to sdev_free.

Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()")
Signed-off-by: Hangyu Hua <[email protected]>
---
drivers/usb/usbip/stub_dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
index d8d3892e5a69..3c6d452e3bf4 100644
--- a/drivers/usb/usbip/stub_dev.c
+++ b/drivers/usb/usbip/stub_dev.c
@@ -393,7 +393,6 @@ static int stub_probe(struct usb_device *udev)

err_port:
dev_set_drvdata(&udev->dev, NULL);
- usb_put_dev(udev);

/* we already have busid_priv, just lock busid_lock */
spin_lock(&busid_priv->busid_lock);
@@ -408,6 +407,7 @@ static int stub_probe(struct usb_device *udev)
put_busid_priv(busid_priv);

sdev_free:
+ usb_put_dev(udev);
stub_device_free(sdev);

return rc;
--
2.25.1

2022-04-06 20:12:53

by Shuah Khan

[permalink] [raw]

Subject: Re: [PATCH] usb: usbip: fix a refcount leak in stub_probe()

On 4/6/22 12:17 AM, Hangyu Hua wrote:
> usb_get_dev is called in stub_device_alloc. When stub_probe fails after
> that, usb_put_dev needs to be used.
>

Thank you for the patch. Please include details on how you found
this problem.

Nit: Change this to:

usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
after that, usb_put_dev() needs to be called to release the reference.

> Fix this by moving usb_put_dev() to sdev_free
>

Nit: Change this to:

Fix this by moving usb_put_dev() to sdev_free error path handling.

> Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()")
> Signed-off-by: Hangyu Hua <[email protected]>
> ---
> drivers/usb/usbip/stub_dev.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
> index d8d3892e5a69..3c6d452e3bf4 100644
> --- a/drivers/usb/usbip/stub_dev.c
> +++ b/drivers/usb/usbip/stub_dev.c
> @@ -393,7 +393,6 @@ static int stub_probe(struct usb_device *udev)
>
> err_port:
> dev_set_drvdata(&udev->dev, NULL);
> - usb_put_dev(udev);
>
> /* we already have busid_priv, just lock busid_lock */
> spin_lock(&busid_priv->busid_lock);
> @@ -408,6 +407,7 @@ static int stub_probe(struct usb_device *udev)
> put_busid_priv(busid_priv);
>
> sdev_free:
> + usb_put_dev(udev);
> stub_device_free(sdev);
>
> return rc;
>

With the above addressed:

Reviewed-by: Shuah Khan <[email protected]>

thanks,
-- Shuah

2022-04-07 08:55:17

by Hangyu Hua

[permalink] [raw]

Subject: Re: [PATCH] usb: usbip: fix a refcount leak in stub_probe()

Thanks. I will send a v2.

On 2022/4/7 02:13, Shuah Khan wrote:
> On 4/6/22 12:17 AM, Hangyu Hua wrote:
>> usb_get_dev is called in stub_device_alloc. When stub_probe fails after
>> that, usb_put_dev needs to be used.
>>
>
> Thank you for the patch. Please include details on how you found
> this problem.
>
> Nit: Change this to:
>
> usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
> after that, usb_put_dev() needs to be called to release the reference.
>
>> Fix this by moving usb_put_dev() to sdev_free
>>
>
> Nit: Change this to:
>
> Fix this by moving usb_put_dev() to sdev_free error path handling.
>
>> Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()")
>> Signed-off-by: Hangyu Hua <[email protected]>
>> ---
>> drivers/usb/usbip/stub_dev.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
>> index d8d3892e5a69..3c6d452e3bf4 100644
>> --- a/drivers/usb/usbip/stub_dev.c
>> +++ b/drivers/usb/usbip/stub_dev.c
>> @@ -393,7 +393,6 @@ static int stub_probe(struct usb_device *udev)
>> err_port:
>>       dev_set_drvdata(&udev->dev, NULL);
>> -    usb_put_dev(udev);
>>       /* we already have busid_priv, just lock busid_lock */
>>       spin_lock(&busid_priv->busid_lock);
>> @@ -408,6 +407,7 @@ static int stub_probe(struct usb_device *udev)
>>       put_busid_priv(busid_priv);
>> sdev_free:
>> +    usb_put_dev(udev);
>>       stub_device_free(sdev);
>>       return rc;
>>
>
> With the above addressed:
>
> Reviewed-by: Shuah Khan <[email protected]>
>
> thanks,
> -- Shuah