Date: Wed, 16 Aug 2017 11:29:06 -0400 (EDT)
From: Alan Stern
To: Anton Vasilyev
cc: Felipe Balbi, Greg Kroah-Hartman, Jussi Kivilinna, Peter Senna Tschudin, Raz Manor, Romain Perier
Subject: Re: [PATCH] udc: Memory leak on error path and use after free
In-Reply-To: <1502891248-7827-1-git-send-email-vasilyev@ispras.ru>

On Wed, 16 Aug 2017, Anton Vasilyev wrote:

> gadget_release() is responsible for cleanup dev memory.
> But if net2280_probe() fails after dev allocation, then
> gadget_release() becomes unregistered and dev memory leaks.

This isn't needed if usb_add_gadget_udc_release() is fixed, right?

> Also net2280_remove() calls usb_del_gadget_udc() which
> performs schedule_delayed_work() with gadget_release(), so
> it is possible that dev will be deallocated exactly after
> this call and leads to use after free.

Where is there a possible use after free?

> The patch moves deallocation from gadget_release() to
> net2280_remove().

Alan Stern