Received: by 2002:a05:6a10:1287:0:0:0:0 with SMTP id d7csp4183147pxv; Tue, 27 Jul 2021 00:26:05 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxWL8J7TVAQfGiLyax2QISxC86SZDVOfeCiY+F5/bDUA/zeHBhekBkoEaBwttYSBIMnkujL X-Received: by 2002:a05:6402:2899:: with SMTP id eg25mr26063443edb.13.1627370765029; Tue, 27 Jul 2021 00:26:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1627370765; cv=none; d=google.com; s=arc-20160816; b=lspG9sIWGuLUj/k+b9R+2kaQddWdPcpuw+AxRmYrfgsOqxfGUtRnNnFxaqpbqWMDNU I73536cZsia2JpwHnWnUBBEAuM998UzFyZs4SCQRFZ5n+baImDE0y46Wp+3Db1pGuo3A 4P52s8i4B/sfV9EBzcI1aHuqtPEW4PAlUQqts7yyiSVuZcC4i3Sl2o/cz1qw6fVYzTup 3pDDRAtRMLqR/ehLe0Ypj6T5M+bZp0/Okv5swwE9JNBVlozFWsdlslbmSa0nNDUIO2F5 Z+r8oaW9pd7Bj0C/Zwdz9psjewTakFqM+gIkhwptOPHAnzxHJs4iPbYOLZUmqHujOCGl zwnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=806cL16Fyf0R0k5TtItiv7yjEE5s8rfxhJRcoiiIZI8=; b=Cwi0VsXyTxlLIjsgmFn09qCXxllfn/qTouggQzndOpVI+wotnFCh9E54x10DfK9E/l mHm36Dp6/AydSGXaR34dP6Pzb1Dn31XtKLwZp2unCO02Ju30sxn7DCtZTgdOaVc7hOZM czLN6gjow/2qbRV//0z1+iVZKCrvrmLshsS+WlF0K84dcP0uxSmRKDuX1GYQ1PSjCKbD M5WK8N1I39TU1HSGjvpw+4hPA1KmCTBhoKX+54duTvLXr13vLeKIbivy1PsHrPXqQkhe fUOs91hS5OlajJj4VtQ8F2wQP755f3jQUW++LvqoRSToydBkvwt2ROQtvrNfW2Re/WJQ J2sg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=IlLAneyG; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 1si2169539eje.240.2021.07.27.00.25.35; Tue, 27 Jul 2021 00:26:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=IlLAneyG; spf=pass (google.com: domain of linux-wireless-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-wireless-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235675AbhG0HY5 (ORCPT + 99 others); Tue, 27 Jul 2021 03:24:57 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35720 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235558AbhG0HY5 (ORCPT ); Tue, 27 Jul 2021 03:24:57 -0400 Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C9DAC061757; Tue, 27 Jul 2021 00:24:57 -0700 (PDT) Received: by mail-lj1-x22a.google.com with SMTP id r23so11538892lji.3; Tue, 27 Jul 2021 00:24:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=806cL16Fyf0R0k5TtItiv7yjEE5s8rfxhJRcoiiIZI8=; b=IlLAneyGPnlS2hQN1TxR9M7nnWMmWAD1IoNw4jgl31gbP7Gl190ID+c/vecid0UgVP rHuV3s+pQbmbdofWpD0qZIuRom+AAe+awhfC+K3B3VW1jB8gMqWNetalT7HHDphLFSvQ vIS9uVGw1quoLziome9XnRNyemE0hh5rOW9MjS4/sdmNr+tkeGsPKnev0k/Lw5G8izg+ +XeM49Q+bfViNvVissj0Hc5lmsUP/6hrKt8peDfVsCVTsDaUBBlZw1z+nsT2KjiExem9 KIKhqmX+v9Us//v6HnxqfgyraGbxeHA4LP5iKeXuBfJPW8Ka8whi9dpsTv/0/+iw2z7j 6epA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=806cL16Fyf0R0k5TtItiv7yjEE5s8rfxhJRcoiiIZI8=; b=rYbyEyb9V5NvVUvQK7Es3pzKsJhCMspPaSxX5cTI0gaM/2v3eoU5AzSLAcRz2IwMby QOk/2ldeaxddNX1JgQK1afPx2I3FVQtdBsgtkAGsFsUeQaoJhzaFmmyygPOv3Mz2E1PP inYxXeMSOJIeKls7aJcnYLkqmNMYYifktZXFbP1WfLiwWWNtpvzJWo5ndG8N7GSyPPbi cu2oUHJZ1QZU6yzlY5UqEs6hbaAAAdw3ngAK5q0j4vG5bGmcCi/nRNft8K/yrJWoSeKo lyJLGx6zEWxr8g/5GPtfdpaWyG9zol3ZqSHrOuTxPZb/fw955ygf1vAOaEemBIE0XeVu aQ5g== X-Gm-Message-State: AOAM532UBcHMl78AFhMTgg90Oq0GeYZzCcGXH/AoPiMJWlc5lmeqdgdu 9uSRBT/jBHs0JdjYsEgFVxjAdaSN4WEdupG7u90= X-Received: by 2002:a2e:901a:: with SMTP id h26mr14390354ljg.218.1627370695895; Tue, 27 Jul 2021 00:24:55 -0700 (PDT) MIME-Version: 1.0 References: <20210709084351.2087311-1-mudongliangabcd@gmail.com> In-Reply-To: <20210709084351.2087311-1-mudongliangabcd@gmail.com> From: Julian Calaby Date: Tue, 27 Jul 2021 17:24:44 +1000 Message-ID: Subject: Re: [PATCH] ath9k: hif_usb: fix memory leak in ath9k_hif_usb_firmware_cb To: Dongliang Mu Cc: QCA ath9k Development , Kalle Valo , "David S. Miller" , Jakub Kicinski , Brooke Basile , syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com, linux-wireless , netdev@vger.kernel.org, LKML Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org Hi Dongliang, (Drive-by review, I know almost nothing about the code in question) On Fri, Jul 9, 2021 at 6:47 PM Dongliang Mu wrote: > > The commit 03fb92a432ea ("ath9k: hif_usb: fix race condition between > usb_get_urb() and usb_kill_anchored_urbs()") adds three usb_get_urb > in ath9k_hif_usb_dealloc_tx_urbs and usb_free_urb. > > Fix this bug by adding corresponding usb_free_urb in > ath9k_hif_usb_dealloc_tx_urbs other and hif_usb_stop. > > Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com > Fixes: 03fb92a432ea ("ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()") > Signed-off-by: Dongliang Mu > --- > drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c > index 860da13bfb6a..bda91ff3289b 100644 > --- a/drivers/net/wireless/ath/ath9k/hif_usb.c > +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c > @@ -457,6 +457,7 @@ static void hif_usb_stop(void *hif_handle) > usb_kill_urb(tx_buf->urb); > list_del(&tx_buf->list); > usb_free_urb(tx_buf->urb); > + usb_free_urb(tx_buf->urb); Ok, so if I'm reading this correctly, before the first usb_free_urb() call, we have two references to the urb at tx_buf->urb. Why? Isn't the better fix here to detangle why there's more than one reference to it and resolve it that way? This looks like a hack to fix something much more fundamentally broken. Thanks, -- Julian Calaby Email: julian.calaby@gmail.com Profile: http://www.google.com/profiles/julian.calaby/