From: Z qiang
Date: Fri, 21 Jul 2023 13:56:35 +0800
Subject: Re: [PATCH] USB: gadget: Fix the memory leak in raw_gadget driver
To: Andrey Konovalov, gregkh@linuxfoundation.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org

>
> On Fri, Jul 14, 2023 at 9:40 AM Zqiang wrote:
> >
> > Currently, increasing raw_dev->count happens before invoking
> > raw_queue_event(); if raw_queue_event() returns an error, invoking
> > raw_release() will not trigger dev_free() to be called.
> >
> > [  268.905865][ T5067] raw-gadget.0 gadget.0: failed to queue event
> > [  268.912053][ T5067] udc dummy_udc.0: failed to start USB Raw Gadget: -12
> > [  268.918885][ T5067] raw-gadget.0: probe of gadget.0 failed with error -12
> > [  268.925956][ T5067] UDC core: USB Raw Gadget: couldn't find an available UDC or it's busy
> > [  268.934657][ T5067] misc raw-gadget: fail, usb_gadget_register_driver returned -16
> >
> > BUG: memory leak
> >
> > [] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
> > [] kmalloc include/linux/slab.h:582 [inline]
> > [] kzalloc include/linux/slab.h:703 [inline]
> > [] dev_new drivers/usb/gadget/legacy/raw_gadget.c:191 [inline]
> > [] raw_open+0x45/0x110 drivers/usb/gadget/legacy/raw_gadget.c:385
> > [] misc_open+0x1a9/0x1f0 drivers/char/misc.c:165
> >
> > [] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
> > [] kmalloc include/linux/slab.h:582 [inline]
> > [] raw_ioctl_init+0xdf/0x410 drivers/usb/gadget/legacy/raw_gadget.c:460
> > [] raw_ioctl+0x5f9/0x1120 drivers/usb/gadget/legacy/raw_gadget.c:1250
> > [] vfs_ioctl fs/ioctl.c:51 [inline]
> >
> > [] kmalloc_trace+0x24/0x90 mm/slab_common.c:1076
> > [] kmalloc include/linux/slab.h:582 [inline]
> > [] kzalloc include/linux/slab.h:703 [inline]
> > [] dummy_alloc_request+0x5a/0xe0 drivers/usb/gadget/udc/dummy_hcd.c:665
> > [] usb_ep_alloc_request+0x22/0xd0 drivers/usb/gadget/udc/core.c:196
> > [] gadget_bind+0x6d/0x370 drivers/usb/gadget/legacy/raw_gadget.c:292
> >
> > This commit therefore invokes kref_get() only under the condition that
> > raw_queue_event() returns success.
> >
> > Reported-by: syzbot+feb045d335c1fdde5bf7@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=feb045d335c1fdde5bf7
> > Signed-off-by: Zqiang
> > ---
> >  drivers/usb/gadget/legacy/raw_gadget.c | 10 ++++++----
> >  1 file changed, 6 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> > index 2acece16b890..e549022642e5 100644
> > --- a/drivers/usb/gadget/legacy/raw_gadget.c
> > +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> > @@ -310,13 +310,15 @@ static int gadget_bind(struct usb_gadget *gadget,
> >  	dev->eps_num = i;
> >  	spin_unlock_irqrestore(&dev->lock, flags);
> >
> > -	/* Matches kref_put() in gadget_unbind(). */
> > -	kref_get(&dev->count);
> > -
> >  	ret = raw_queue_event(dev, USB_RAW_EVENT_CONNECT, 0, NULL);
> > -	if (ret < 0)
> > +	if (ret < 0) {
> >  		dev_err(&gadget->dev, "failed to queue event\n");
> > +		set_gadget_data(gadget, NULL);
> > +		return ret;
> > +	}
> >
> > +	/* Matches kref_put() in gadget_unbind(). */
> > +	kref_get(&dev->count);
> >  	return ret;
> >  }
> >
> > --
> > 2.17.1
>
> Indeed, if gadget_bind fails due to a raw_queue_event failure, the
> core gadget code will never call gadget_unbind.
>
> Reviewed-by: Andrey Konovalov
> Tested-by: Andrey Konovalov
>

Hi Greg

Friendly ping :)

Thanks
Zqiang

> Thanks!
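Review bot: with the early `return ret;` now inside the new error branch, the final `return ret;` after `kref_get(&dev->count);` can only ever return 0, so `return 0;` there would state the success path plainly. The reordering itself is right: the reference is now taken only when a matching kref_put() in gadget_unbind() is guaranteed, since the core only unbinds after a successful bind, so on the raw_queue_event() failure path the single reference from raw_open() remains and raw_release() can free the device. One thing worth a sentence in the commit message: the error branch only clears the gadget data, so it should be confirmed that the endpoint state set up just above (`dev->eps_num = i;` under `dev->lock`) needs no undoing when bind fails.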
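The refcount ordering the commit message describes, as an added C model that is not the raw_gadget driver's code: the device, the counter and queue_event() are stand-ins I constructed, and the two bind functions reproduce the ordering before and after the patch so the leak on the error path can be checked directly.

```c
#include <stdbool.h>
/* Added model of the ordering bug in the commit message above; not the kernel's
 * code. kref_get()/kref_put() become a plain counter, dev_free() a flag, and
 * queue_event() fails on demand like raw_queue_event() returning -ENOMEM. */
struct raw_dev {
	int count;   /* reference count; raw_open() takes the first one */
	bool freed;  /* set once the last reference is dropped */
};
static void dev_free(struct raw_dev *dev) { dev->freed = true; }

/* kref_put() stand-in: free on the last reference. */
static void put_ref(struct raw_dev *dev)
{
	if (--dev->count == 0)
		dev_free(dev);
}

/* raw_queue_event() stand-in; -12 is the -ENOMEM seen in the log above. */
static int queue_event(bool fail) { return fail ? -12 : 0; }

/* Ordering before the patch: the reference is taken before the fallible call. */
static int gadget_bind_before(struct raw_dev *dev, bool fail_queue)
{
	dev->count++;                      /* kref_get() */
	int ret = queue_event(fail_queue);
	if (ret < 0)
		return ret;                    /* nobody drops that reference */
	return 0;
}

/* Ordering after the patch: take the reference only once the event is queued. */
static int gadget_bind_after(struct raw_dev *dev, bool fail_queue)
{
	int ret = queue_event(fail_queue);
	if (ret < 0)
		return ret;
	dev->count++;                      /* matched by kref_put() in gadget_unbind() */
	return 0;
}

/* open -> failed bind -> release. The core never calls gadget_unbind() after a
 * failed bind, so raw_release() must drop the only reference that is left. */
static bool freed_after_failed_bind(int (*bind)(struct raw_dev *, bool))
{
	struct raw_dev dev = { .count = 1, .freed = false };  /* raw_open() */
	int ret = bind(&dev, true);        /* raw_queue_event() fails */
	put_ref(&dev);                     /* raw_release() */
	return ret < 0 && dev.freed;
}
```

With the pre-patch ordering the device survives raw_release() with one reference nobody will ever drop, which is exactly the dev_new allocation the leak report points at.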