2022-04-06 14:21:08

by Hangyu Hua

Subject: [PATCH] usb: misc: fix improper handling of refcount in uss720_probe()

usb_put_dev shouldn't be called when uss720_probe succeeds because of
priv->usbdev. At the same time, priv->usbdev shouldn't be set to NULL
before destroy_priv in uss720_disconnect because usb_put_dev is in
destroy_priv.

Fixes: dcb4b8ad6a44 ("misc/uss720: fix memory leak in uss720_probe")
Signed-off-by: Hangyu Hua <[email protected]>
---
drivers/usb/misc/uss720.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c
index 748139d26263..e243c155511e 100644
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -736,7 +736,6 @@ static int uss720_probe(struct usb_interface *intf,
parport_announce_port(pp);

usb_set_intfdata(intf, pp);
- usb_put_dev(usbdev);
return 0;

probe_abort:
@@ -754,13 +753,13 @@ static void uss720_disconnect(struct usb_interface *intf)
usb_set_intfdata(intf, NULL);
if (pp) {
priv = pp->private_data;
- priv->usbdev = NULL;
priv->pp = NULL;
dev_dbg(&intf->dev, "parport_remove_port\n");
parport_remove_port(pp);
parport_put_port(pp);
kill_all_async_requests_priv(priv);
kref_put(&priv->ref_count, destroy_priv);
+ priv->usbdev = NULL;
}
dev_dbg(&intf->dev, "disconnect done\n");
}
--
2.25.1

2022-04-06 15:45:24

by Oliver Neukum

Subject: Re: [PATCH] usb: misc: fix improper handling of refcount in uss720_probe()

On 06.04.22 09:33, Hangyu Hua wrote:
> usb_put_dev shouldn't be called when uss720_probe succeeds because of
> priv->usbdev. At the same time, priv->usbdev shouldn't be set to NULL
> before destroy_priv in uss720_disconnect because usb_put_dev is in
> destroy_priv.

Hi,

I am sorry, but that's a clear NACK.
> @@ -754,13 +753,13 @@ static void uss720_disconnect(struct usb_interface *intf)
> usb_set_intfdata(intf, NULL);
> if (pp) {
> priv = pp->private_data;
> - priv->usbdev = NULL;
> priv->pp = NULL;
> dev_dbg(&intf->dev, "parport_remove_port\n");
> parport_remove_port(pp);
> parport_put_port(pp);
> kill_all_async_requests_priv(priv);
> kref_put(&priv->ref_count, destroy_priv);
> + priv->usbdev = NULL;

That is a clear use after free The patch is no good in this state..

    HTH
        Oliver

2022-04-07 08:58:43

by Hangyu Hua

Subject: Re: [PATCH] usb: misc: fix improper handling of refcount in uss720_probe()

Oh, i sorry. Thank you for your reminder. I will remake a patch carefully.

On 2022/4/6 19:47, Oliver Neukum wrote:
>
>
> On 06.04.22 09:33, Hangyu Hua wrote:
>> usb_put_dev shouldn't be called when uss720_probe succeeds because of
>> priv->usbdev. At the same time, priv->usbdev shouldn't be set to NULL
>> before destroy_priv in uss720_disconnect because usb_put_dev is in
>> destroy_priv.
>
> Hi,
>
> I am sorry, but that's a clear NACK.
>> @@ -754,13 +753,13 @@ static void uss720_disconnect(struct usb_interface *intf)
>> usb_set_intfdata(intf, NULL);
>> if (pp) {
>> priv = pp->private_data;
>> - priv->usbdev = NULL;
>> priv->pp = NULL;
>> dev_dbg(&intf->dev, "parport_remove_port\n");
>> parport_remove_port(pp);
>> parport_put_port(pp);
>> kill_all_async_requests_priv(priv);
>> kref_put(&priv->ref_count, destroy_priv);
>> + priv->usbdev = NULL;
>
> That is a clear use after free The patch is no good in this state..
>
>     HTH
>         Oliver
>