From: Z qiang
Date: Tue, 18 Jul 2023 10:17:28 +0800
Subject: Re: [PATCH] USB: gadget: Fix the memory leak in raw_gadget driver
To: Andrey Konovalov
Cc: gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

>
> On Fri, Jul 14, 2023 at 9:40 AM Zqiang wrote:
> >
> > Currently, increasing raw_dev->count happens before invoking
> > raw_queue_event(); if raw_queue_event() returns an error, invoking
> > raw_release() will not trigger dev_free() to be called.
> >
> > [ 268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event
> > [ 268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12
> > [ 268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12
> > [ 268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
> > [ 268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16
> >
> > BUG: memory leak
> >
> > [] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
> > [] kmalloc include/linux/slab.h:582 [inline]
> > [] kzalloc include/linux/slab.h:703 [inline]
> > [] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline]
> > [] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385
> > [] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165
> >
> > [] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
> > [] kmalloc include/linux/slab.h:582 [inline]
> > [] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460
> > [] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250
> > [] vfs_ioctl fs/ioctl.c:51 [inline]
> >
> > [] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
> > [] kmalloc include/linux/slab.h:582 [inline]
> > [] kzalloc include/linux/slab.h:703 [inline]
> > [] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665
> > [] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196
> > [] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292
> >
> > This commit therefore invokes kref_get() only under the condition that
> > raw_queue_event() returns success.
> >
> > Reported-by: syzbot+feb045d335c1fdde5bf7@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=feb045d335c1fdde5bf7
> > Signed-off-by: Zqiang
> > ---
> >  drivers/usb/gadget/legacy/raw_gadget.c | 10 ++++++----
> >  1 file changed, 6 insertions(+), 4 deletions(-)
> > > > diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadge= t/legacy/raw_gadget.c > > index 2acece16b890..e549022642e5 100644 > > --- a/drivers/usb/gadget/legacy/raw_gadget.c > > +++ b/drivers/usb/gadget/legacy/raw_gadget.c > > @@ -310,13 +310,15 @@ static int gadget_bind(struct usb_gadget *gadget, > > dev->eps_num =3D i; > > spin_unlock_irqrestore(&dev->lock, flags); > > > > - /* Matches kref_put() in gadget_unbind(). */ > > - kref_get(&dev->count); > > - > > ret =3D raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL); > > - if (ret < 0) > > + if (ret < 0) { > > dev_err(&gadget->dev, "failed to queue event\n"); > > + set_gadget_data(gadget, NULL); > > + return ret; > > + } > > > > + /* Matches kref_put() in gadget_unbind(). */ > > + kref_get(&dev->count); > > return ret; > > } > > > > -- > > 2.17.1 > > Indeed, if gadget_bind fails due to a raw_queue_event failure, the > core gadget code will never call gadget_unbind. > > > Reviewed-by: Andrey Konovalov > Tested-by: Andrey Konovalov Thanks for review and test ! > > Thanks!
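Review bot: The changelog explains moving kref_get() but says nothing about the added `set_gadget_data(gadget, NULL);` on the error path, which is the other half of the fix: without the extra reference the dev will be freed by raw_release(), so the gadget must not keep pointing at it, and one sentence in the commit message would spare the next reader a trip through the driver to work that out. Minor: once control reaches the final `kref_get(&dev->count);`, ret is necessarily 0, so `return 0;` states the intent more plainly than `return ret;`.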
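A userspace model of the reference-count ordering the patch changes, added here as an illustration and not the kernel's code: struct dev, kref_get/kref_put, raw_queue_event and the lifecycle driver are hypothetical stand-ins for the raw_gadget types and calls, and the gadget core's behaviour of not calling gadget_unbind() after a failed gadget_bind() is taken from the reply above. It shows that with the old ordering a failed raw_queue_event() leaves dev with a reference nobody drops, while the new ordering frees it on both paths.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct raw_dev: an int models the kref and
 * dev_free() only records that the last reference was dropped. */
struct dev { int count; bool freed; };

static void dev_free(struct dev *d) { d->freed = true; }
static void kref_get(struct dev *d) { d->count++; }
static void kref_put(struct dev *d) { if (--d->count == 0) dev_free(d); }

/* Models raw_queue_event(): returns -12 (-ENOMEM) when asked to fail. */
static int raw_queue_event(bool fail) { return fail ? -12 : 0; }

/* Before the patch: the reference meant for gadget_unbind() is taken
 * before the call that can fail, so a failure leaves it unbalanced. */
static int gadget_bind_old(struct dev *d, bool fail)
{
	kref_get(d);
	return raw_queue_event(fail);
}

/* After the patch: the reference is taken only once bind cannot fail. */
static int gadget_bind_new(struct dev *d, bool fail)
{
	int ret = raw_queue_event(fail);
	if (ret < 0)
		return ret;
	kref_get(d);
	return 0;
}

static void gadget_unbind(struct dev *d) { kref_put(d); }

/* One open/bind/release cycle: raw_open() creates dev holding one
 * reference, the gadget core calls gadget_unbind() only if bind
 * succeeded, and raw_release() drops the open() reference.
 * Returns true when dev was freed, i.e. nothing leaked. */
static bool lifecycle(bool fixed, bool queue_fails)
{
	struct dev *d = calloc(1, sizeof(*d));
	d->count = 1;
	int ret = fixed ? gadget_bind_new(d, queue_fails)
			: gadget_bind_old(d, queue_fails);
	if (ret == 0)
		gadget_unbind(d);
	kref_put(d);
	bool freed = d->freed;
	free(d);
	return freed;
}
```

lifecycle(false, true) is the syzbot case: the queue failure with the old ordering is the only combination that returns false.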