Received: by 2002:a05:6a10:a852:0:0:0:0 with SMTP id d18csp3419580pxy; Tue, 4 May 2021 01:32:12 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwpok6pecA/AOSzicPRIqP3cwpyp0rFog2cT49k+Eo3cW38sQyfe/NwXIGzqRRsFQq6dzcO X-Received: by 2002:a05:6402:2712:: with SMTP id y18mr283202edd.41.1620117132605; Tue, 04 May 2021 01:32:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620117132; cv=none; d=google.com; s=arc-20160816; b=iABWW/UvM6t1KU68ISML9MeheZ0YexTKXED46x/nJa5AMwe3KveIZEiOz8G6oF3t8L eKCdLIcWrWWK5MrFnL7uXT4qekdYltoQ2Ka9NQoy7D4sYBsxzQ3OzB37srFdzj6odVc/ 2CupzlxC8S1OGwGnBOnl58t1WBDyFQ4/DsLj+QBimXvujOZ54eyU15vLd6z7/GS907iX MgSsvB8kyNmIRHHiVKJtPxNGt7xSO863wyv0H9NDswjqFZskTP+l82M+NxsQevwy8ueT AhX/y4iP025E+0N/C/IPbNGeLT8kleAUouNJ43nTzfuQLKbnxXpsrcJl8WSZILx3B0RZ qgkQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:references:in-reply-to :subject:cc:to:from:message-id:date; bh=3ve8YHSsCjv1RqhVQ5KF70W1O2JjXtWeHa66VuWHLIA=; b=XtW6r+9rKjFxkdOzMBV39Bl5YxxVACXhtLKIAbqEHP1IRQ2v6XinZqqqtay4BF1GrU wAoejjFlVYl5y2zLvOm988K+alcrlSZK4V65fZ20sM7akgZpuFfBZr4XZdiMXrsvyoX1 zEEMoohIm6HPB79eKV3JAduMbHl/ZTHWeXWu4DXgsi6m6jHjkAmqGAWBuwFYbrnSPF+o i9fkcYnzfNXQaDYeirQcXfgextGoH0Yn3De5AwfGqBcjRW6y4Q0SrhNMIXLr2Vt1deZP vYD/6eMF5KDzebl3yn89l+s3ULq/KUYUWeYwUZXD2gA3VCJuKn2RlxCqY8Sr11FQSzOZ kJtQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q17si4798647edb.242.2021.05.04.01.31.49; Tue, 04 May 2021 01:32:12 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230023AbhEDI2a (ORCPT + 99 others); Tue, 4 May 2021 04:28:30 -0400 Received: from mx2.suse.de ([195.135.220.15]:41786 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229875AbhEDI23 (ORCPT ); Tue, 4 May 2021 04:28:29 -0400 X-Virus-Scanned: by amavisd-new at test-mx.suse.de Received: from relay2.suse.de (unknown [195.135.221.27]) by mx2.suse.de (Postfix) with ESMTP id 2F88AB04F; Tue, 4 May 2021 08:27:34 +0000 (UTC) Date: Tue, 04 May 2021 10:27:34 +0200 Message-ID: From: Takashi Iwai To: Jaroslav Kysela Cc: Greg Kroah-Hartman , linux-kernel@vger.kernel.org Subject: Re: [PATCH 37/69] ALSA: usx2y: check for failure of usb_alloc_urb() In-Reply-To: References: <20210503115736.2104747-1-gregkh@linuxfoundation.org> <20210503115736.2104747-38-gregkh@linuxfoundation.org> User-Agent: Wanderlust/2.15.9 (Almost Unreal) SEMI/1.14.6 (Maruoka) FLIM/1.14.9 (=?UTF-8?B?R29qxY0=?=) APEL/10.8 Emacs/25.3 (x86_64-suse-linux-gnu) MULE/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 03 May 2021 22:33:52 +0200, Jaroslav Kysela wrote: > > Dne 03. 05. 21 v 13:57 Greg Kroah-Hartman napsal(a): > > While it is almost impossible to hit an error calling usb_alloc_urb(), > > to make systems like syzbot which does error injection, and some static > > analysis tools happy, properly handle errors on this path by unwinding > > the previously allocated urbs and freeing them. > > Perhaps, I miss something, but this revert and add the cleanup to the wrong > place makes things worse: > > The usb_stream_free() is called when init_urbs() fails (returns an error), so > all urbs are freed there and pointers are reset to NULL. Your code frees urbs > twice on an allocation error. > > The reverted code does the job better. Right, the suggested patch will cause the double-free, and the reverted code is fine in this regard. In anyway, the cleanup of this driver code is on my post-15.3 TODO list. So, Greg, could you drop the revert and the additional fix at this round for usx2y driver? Thanks! Takashi > > Jaroslav > > > Cc: Takashi Iwai > > Cc: Jaroslav Kysela > > Signed-off-by: Greg Kroah-Hartman > > --- > > sound/usb/usx2y/usb_stream.c | 21 +++++++++++++++++++-- > > 1 file changed, 19 insertions(+), 2 deletions(-) > > > > diff --git a/sound/usb/usx2y/usb_stream.c b/sound/usb/usx2y/usb_stream.c > > index 6bba17bf689a..1091ea96a29a 100644 > > --- a/sound/usb/usx2y/usb_stream.c > > +++ b/sound/usb/usx2y/usb_stream.c > > @@ -88,18 +88,35 @@ static int init_urbs(struct usb_stream_kernel *sk, unsigned use_packsize, > > sizeof(struct usb_stream_packet) * > > s->inpackets; > > int u; > > + int i; > > + int err = -ENOMEM; > > > > for (u = 0; u < USB_STREAM_NURBS; ++u) { > > + sk->outurb[u] = NULL; > > sk->inurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL); > > + if (!sk->inurb[u]) > > + goto error; > > sk->outurb[u] = usb_alloc_urb(sk->n_o_ps, GFP_KERNEL); > > + if (!sk->outurb[u]) > > + goto error; > > } > > + u--; > > > > if (init_pipe_urbs(sk, use_packsize, sk->inurb, indata, dev, in_pipe) || > > init_pipe_urbs(sk, use_packsize, sk->outurb, sk->write_page, dev, > > - out_pipe)) > > - return -EINVAL; > > + out_pipe)) { > > + err = -EINVAL; > > + goto error; > > + } > > > > return 0; > > + > > +error: > > + for (i = 0; i <= u; ++i) { > > + usb_free_urb(sk->inurb[i]); > > + usb_free_urb(sk->outurb[i]); > > + } > > + return err; > > > > -- > Jaroslav Kysela > Linux Sound Maintainer; ALSA Project; Red Hat, Inc. >