Message-ID: <629DC880.8050708@gmail.com>
Date: Mon, 06 Jun 2022 12:27:28 +0300
From: Eli Billauer
To: Zheyu Ma
CC: arnd@arndb.de, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v4] char: xillybus: Check endpoint type at probe time
References: <20220531054431.3978424-1-zheyuma97@gmail.com>
In-Reply-To: <20220531054431.3978424-1-zheyuma97@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On 31/05/22 08:44, Zheyu Ma wrote:
> static int xillyusb_setup_base_eps(struct xillyusb_dev *xdev) > { > + if (xillyusb_check_endpoint(xdev, IN_EP_NUM | USB_DIR_IN) || > + xillyusb_check_endpoint(xdev, MSG_EP_NUM | USB_DIR_OUT)) > + return -EINVAL; > + > xdev->msg_ep = endpoint_alloc(xdev, MSG_EP_NUM | USB_DIR_OUT, > bulk_out_work, 1, 2); > if (!xdev->msg_ep) 
> @@ -1962,6 +1986,10 @@ static int setup_channels(struct xillyusb_dev *xdev, > chan->out_log2_element_size = out_desc& 0x0f; > chan->out_log2_fifo_size = > ((out_desc>> 8)& 0x1f) + 16; > + if (xillyusb_check_endpoint(xdev, (i+2) | USB_DIR_OUT)) { > + kfree(xdev->channels); > + return -EINVAL; > + } > } > } > >

I just checked this against hardware, and made it fail deliberately by replacing the (i+2) part with (i+3). I got a kernel memory corruption, because xdev->channels was freed twice: Once in the snippet above, and a second time in cleanup_dev().

So the kfree() call here should go away. xdev->channels is freed when xdev's reference count goes to zero.

Thanks,
Eli
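
Review bot: In the setup_channels() hunk, the added error branch calls kfree(xdev->channels) and then returns -EINVAL without clearing the pointer, so any later release path that also frees xdev->channels frees it a second time; the reply reports exactly that from cleanup_dev(). Drop the kfree() and the braces so the branch is only "return -EINVAL;" and the single free stays with the device's cleanup. On the same added line, "(i+2)" would be "(i + 2)" under kernel coding style, and a short comment or named constant for the offset of 2 would make the endpoint numbering easier to check.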
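
Added example (not from the original message or the xillybus driver): a userspace C model of the ownership problem described in the reply, where an error path frees a buffer that the reference-count release frees again. All names (model_dev, tracked_free, model_put, probe_and_release) are hypothetical, and tracked_free only counts repeated frees instead of performing them, so the program stays well defined.

```c
/* Userspace model of the ownership bug; constructed, not xillyusb code. */
#include <errno.h>
#include <stdlib.h>

struct model_dev {
	int refcount;
	int *channels;   /* owned by the device, released when refcount hits 0 */
	int free_calls;  /* instrumentation: times channels was handed to free */
};

/* Count every free request, but perform only the first one. */
static void tracked_free(struct model_dev *d)
{
	if (d->free_calls++ == 0)
		free(d->channels);
}

static void model_put(struct model_dev *d)
{
	if (--d->refcount == 0)
		tracked_free(d);  /* cleanup: the one legitimate free */
}

static int model_setup_channels(struct model_dev *d, int endpoint_ok, int free_on_error)
{
	d->channels = calloc(4, sizeof(*d->channels));
	if (!d->channels)
		return -ENOMEM;
	if (!endpoint_ok) {
		if (free_on_error)
			tracked_free(d);  /* error path frees; pointer stays set */
		return -EINVAL;
	}
	return 0;
}

/* Returns how many times channels was freed over one probe/release cycle. */
static int probe_and_release(int endpoint_ok, int free_on_error)
{
	struct model_dev d = { .refcount = 1 };
	model_setup_channels(&d, endpoint_ok, free_on_error);
	model_put(&d);  /* last reference dropped, cleanup runs */
	return d.free_calls;
}

int main(void)
{
	return !(probe_and_release(0, 1) == 2 && probe_and_release(0, 0) == 1);
}
```

A count of 2 is the double free; leaving the release to the reference-count path alone brings it back to 1 on both the failing and the successful probe.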