Subject: Re: [PATCH] usb: gadget: acm: set notify_req to NULL after freed to avoid double free
From: Robert Baldyga
To: changbin.du@intel.com, balbi@ti.com, gregkh@linuxfoundation.org
Cc: r.baldyga@samsung.com, nab@linux-iscsi.org, andrzej.p@samsung.com, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Sun, 27 Dec 2015 23:05:15 +0100
Message-ID: <5680609B.3070209@hackerion.com>
In-Reply-To: <1451102260-13204-1-git-send-email-changbin.du@intel.com>

On 12/26/2015 04:57 AM, changbin.du@intel.com wrote:
> From: "Du, Changbin"
>
> If acm_bind fails before allocating notification and acm->notify_req is
> not set to NULL after being freed last time, a double free will happen.

Looks good to me. A similar problem can occur with other USB functions (at least f_ecm, f_ncm, f_rndis and f_hid handle USB requests in an analogous way). Maybe it's worth fixing them all at once?

>
> kernel BUG at mm/slub.c:3392!
> invalid opcode: 0000 [#1] PREEMPT SMP
> EIP is at kfree+0x172/0x180
> Call Trace:
> [<80c0e3b6>] ? usb_ep_autoconfig_ss+0x86/0x170
> [<80c13345>] gs_free_req+0x15/0x30
> [<80c12df1>] acm_bind+0x1c1/0x2d0
> [<80c0e9be>] usb_add_function+0x6e/0x120
> [<80c213cb>] acm_function_bind_config+0x2b/0x90
> Reviewed-by: Robert Baldyga
> Signed-off-by: Du, Changbin
> ---
> drivers/usb/gadget/function/f_acm.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/usb/gadget/function/f_acm.c b/drivers/usb/gadget/function/f_acm.c
> index 2fa1e80..e10c8d4 100644
> --- a/drivers/usb/gadget/function/f_acm.c
> +++ b/drivers/usb/gadget/function/f_acm.c
> @@ -699,8 +699,10 @@ acm_bind(struct usb_configuration *c, struct usb_function *f)
> return 0;
>
> fail:
> - if (acm->notify_req)
> + if (acm->notify_req) {
> gs_free_req(acm->notify, acm->notify_req);
> + acm->notify_req = NULL;
> + }
>
> ERROR(cdev, "%s/%p: can't bind, err %d\n", f->name, f, status);
>
> @@ -713,8 +715,10 @@ static void acm_unbind(struct usb_configuration *c, struct usb_function *f)
>
> acm_string_defs[0].id = 0;
> usb_free_all_descriptors(f);
> - if (acm->notify_req)
> + if (acm->notify_req) {
> gs_free_req(acm->notify, acm->notify_req);
> + acm->notify_req = NULL;
> + }
> }
>
> static void acm_free_func(struct usb_function *f)
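Review bot: the fail label in acm_bind now rests on an undocumented invariant: gs_free_req(acm->notify, acm->notify_req) is only valid if acm->notify refers to a configured endpoint, and the new `acm->notify_req = NULL;` is what keeps a request freed on an earlier failed bind from reaching this call again when a later bind fails before the allocation (the gs_free_req <- acm_bind trace in the report). Suggest a one-line comment above the `if` stating that notify_req is NULL whenever the notify endpoint has not been (re)configured, so that a future reordering of the allocation steps does not reintroduce the double free.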
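Review bot: the free-and-clear block added to acm_unbind is identical to the one added to the acm_bind fail path (`if (acm->notify_req) {` / `gs_free_req(acm->notify, acm->notify_req);` / `acm->notify_req = NULL;`); factoring it into a small static helper, say acm_free_notify_req(acm), keeps the two sites from drifting apart and gives the other functions mentioned in the reply (f_ecm, f_ncm, f_rndis, f_hid) a pattern to copy. The stale pointer in the report may originate from either site, so the commit message could also say explicitly that both acm_unbind and the acm_bind fail path are fixed.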
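To make the failure sequence in the commit message concrete, here is an added user-space model of the bind/unbind life cycle; it is not code from the patch or from the kernel. A fixed pool with a mock allocator stands in for the slab so that a second free of the same request is counted rather than corrupting the heap, and the `clear_on_free` flag switches between the old behaviour (free, leave the pointer set) and the patched one (free, then set `notify_req` to NULL). All names (`mock_req`, `acm_model`, `mock_alloc_req`, `mock_free_req`, `model_bind`, `model_unbind`, `run_scenario`) are hypothetical.

```c
/*
 * Added example, not part of the patch or of drivers/usb/gadget: a
 * user-space model of why a freed request pointer must be cleared.
 * Names below are hypothetical and only mimic the gs_alloc_req /
 * gs_free_req pattern the commit message describes.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define POOL_SIZE 4

struct mock_req {
    bool in_use;
};

/* A tiny fixed pool stands in for the slab so that freeing an object
 * twice is detected and counted instead of corrupting the allocator. */
static struct mock_req pool[POOL_SIZE];
static int double_free_count;

static struct mock_req *mock_alloc_req(void)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            return &pool[i];
        }
    }
    return NULL;
}

static void mock_free_req(struct mock_req *req)
{
    if (!req->in_use) {
        /* The real kernel hits the BUG in kfree() at this point. */
        double_free_count++;
        return;
    }
    req->in_use = false;
}

struct acm_model {
    struct mock_req *notify_req;
};

/* Bind step: ep_ok models endpoint autoconfig for the notify endpoint,
 * which runs before the notification request is allocated. */
static int model_bind(struct acm_model *acm, bool ep_ok, bool clear_on_free)
{
    if (!ep_ok)
        goto fail;
    acm->notify_req = mock_alloc_req();
    if (!acm->notify_req)
        goto fail;
    return 0;
fail:
    if (acm->notify_req) {
        mock_free_req(acm->notify_req);
        if (clear_on_free)
            acm->notify_req = NULL;   /* the patched behaviour */
    }
    return -1;
}

static void model_unbind(struct acm_model *acm, bool clear_on_free)
{
    if (acm->notify_req) {
        mock_free_req(acm->notify_req);
        if (clear_on_free)
            acm->notify_req = NULL;   /* the patched behaviour */
    }
}

/* Constructed scenario from the report: a successful bind and unbind,
 * then a bind that fails before the request is allocated. Returns the
 * number of double frees the pool detected. */
static int run_scenario(bool clear_on_free)
{
    struct acm_model acm = { .notify_req = NULL };

    for (int i = 0; i < POOL_SIZE; i++)
        pool[i].in_use = false;
    double_free_count = 0;

    model_bind(&acm, true, clear_on_free);   /* allocates notify_req */
    model_unbind(&acm, clear_on_free);       /* frees it; stale unless cleared */
    model_bind(&acm, false, clear_on_free);  /* fails before allocation */
    return double_free_count;
}

int main(void)
{
    printf("double frees without clearing: %d\n", run_scenario(false));
    printf("double frees with clearing:    %d\n", run_scenario(true));
    return 0;
}
```

Without clearing, the third step finds the stale pointer left by the unbind and frees it a second time; with clearing, the fail path sees NULL and skips the free. The same harness can be pointed at any of the other gadget functions the reply mentions by swapping in their alloc/free sequence.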