Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752421AbdHPQAV (ORCPT <rfc822;w@1wt.eu>);
        Wed, 16 Aug 2017 12:00:21 -0400
Received: from mail.ispras.ru ([83.149.199.45]:50954 "EHLO mail.ispras.ru"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1752262AbdHPQAS (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 16 Aug 2017 12:00:18 -0400
Subject: Re: [PATCH] udc: Memory leak on error path and use after free
To: Alan Stern <stern@rowland.harvard.edu>
Cc: Felipe Balbi <balbi@kernel.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Jussi Kivilinna <jussi.kivilinna@haltian.com>,
        Peter Senna Tschudin <peter.senna@collabora.com>,
        Raz Manor <Raz.Manor@valens.com>,
        Romain Perier <romain.perier@collabora.com>, linux-usb@vger.kernel.org,
        linux-kernel@vger.kernel.org, ldv-project@linuxtesting.org
References: <Pine.LNX.4.44L0.1708161125520.3053-100000@iolanthe.rowland.org>
From: Anton Vasilyev <vasilyev@ispras.ru>
Message-ID: <682044ba-e4c2-a1b9-3652-a01e81a40ac2@ispras.ru>
Date: Wed, 16 Aug 2017 19:00:05 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <Pine.LNX.4.44L0.1708161125520.3053-100000@iolanthe.rowland.org>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Length: 1065
Lines: 38



On 16.08.2017 18:29, Alan Stern wrote:
> On Wed, 16 Aug 2017, Anton Vasilyev wrote:
> 
>> gadget_release() is responsible for cleanup dev memory.
>> But if net2280_probe() fails after dev allocation, then
>> gadget_release() become unregistered and dev memory leaks.
> 
> This isn't needed if usb_add_gadget_udc_release() is fixed, right?
> 

No, this situation could appear before call
usb_add_gadget_udc_release().

>> Also net2280_remove() calls usb_del_gadget_udc() which
>> perform schedule_delayed_work() with gadget_release(), so
>> it is possible that dev will be deallocated exactly after
>> this call and leads to use after free.
> 
> Where is there a possible use after free?
> 

net2280_remove() continue work with struct net2280 *dev after call
usb_del_gadget_udc(&dev->gadget), but this net2280 *dev could be
deallocated by gadget_release()

>> The patch moves deallocation from gadget_release() to
>> net2280_remove().
> 
> Alan Stern
> 

-- 
Anton Vasilyev
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: vasilyev@ispras.ru