All of lore.kernel.org
 help / color / mirror / Atom feed
From: Bui Quang Minh <minhquangbui99@gmail.com>
To: linux-usb@vger.kernel.org
Cc: a.darwish@linutronix.de, bigeasy@linutronix.de,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	linux-kernel@vger.kernel.org,
	Alan Stern <stern@rowland.harvard.edu>,
	syzkaller-bugs@googlegroups.com,
	Thomas Gleixner <tglx@linutronix.de>,
	Oliver Neukum <oneukum@suse.de>,
	Wolfgang Grandegger <wg@grandegger.com>,
	Marc Kleine-Budde <mkl@pengutronix.de>
Subject: Re: [PATCH v2] can: mcba_usb: Fix memory leak when cancelling urb
Date: Thu, 21 Jan 2021 22:19:55 +0700	[thread overview]
Message-ID: <20210121151955.GA3779@minh> (raw)
In-Reply-To: <CACtPs=FB_=JMEymLHE0_ko4ZF5zj9NBCHkRC7O3tj6pkSp3oiA@mail.gmail.com>

On Tue, Jan 12, 2021 at 01:42:33PM +0700, Minh Bùi Quang wrote:
> On Mon, Jan 11, 2021 at 9:31 PM Bui Quang Minh <minhquangbui99@gmail.com> wrote:
> >
> > On Mon, Jan 11, 2021 at 01:00:31PM +0100, Oliver Neukum wrote:
> > > Am Montag, den 11.01.2021, 10:49 +0000 schrieb Bui Quang Minh:
> > > > In mcba_usb_read_bulk_callback(), when we don't resubmit or fails to
> > > > resubmit the urb, we need to deallocate the transfer buffer that is
> > > > allocated in mcba_usb_start().
> > > >
> > > > Reported-by: syzbot+57281c762a3922e14dfe@syzkaller.appspotmail.com
> > > > Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
> > > > ---
> > > > v1: add memory leak fix when not resubmitting urb
> > > > v2: add memory leak fix when failing to resubmit urb
> > > >
> > > >  drivers/net/can/usb/mcba_usb.c | 11 ++++++++---
> > > >  1 file changed, 8 insertions(+), 3 deletions(-)
> > > >
> > > > diff --git a/drivers/net/can/usb/mcba_usb.c b/drivers/net/can/usb/mcba_usb.c
> > > > index df54eb7d4b36..30236e640116 100644
> > > > --- a/drivers/net/can/usb/mcba_usb.c
> > > > +++ b/drivers/net/can/usb/mcba_usb.c
> > > > @@ -584,6 +584,8 @@ static void mcba_usb_read_bulk_callback(struct urb *urb)
> > > >     case -EPIPE:
> > > >     case -EPROTO:
> > > >     case -ESHUTDOWN:
> > > > +           usb_free_coherent(urb->dev, urb->transfer_buffer_length,
> > > > +                             urb->transfer_buffer, urb->transfer_dma);
> > > >             return;
> > > >
> > >
> > > Can you call usb_free_coherent() in what can be hard IRQ context?
> >
> > You are right, I digged in the code and saw some comments that on some
> > architectures, usb_free_coherent() cannot be called in hard IRQ context.
> > I see the usb_free_coherent() is called in write_bulk_callback too. I will
> > send a patch that uses usb_anchor to keep track of these urbs and cleanup
> > the transfer buffer later in disconnect().
> 
> Hi, I have sent a version 3 patch. However, I found out that usb_free_coherent()
> is ok in this situation. In usb_free_coherent(), if the buffer is allocated via
> dma_alloc_coherent() in usb_alloc_coherent(), dma_free_coherent() is called.
> In dma_free_coherent(), ops->free() may be called in some cases which may
> contains calls to vunmap() that is not permitted in interrupt context. However,
> in usb_alloc_coherent(), buffer can be allocated from dma pool if the
> size is less
> than 2048 and the buffer size in mcba_usb is obviously less than 2048.
> As a result,
> usb_free_coherent() will at most fall in the path that calls
> dma_pool_free(), which is
> safe. Am I right?

Hi, I'm CC'ing CAN network driver maintainers so we can discuss the patch properly.

I'm so sorry for spamming emails.

Thanks,
Quang Minh.

      reply	other threads:[~2021-01-21 15:22 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-11 10:49 [PATCH v2] can: mcba_usb: Fix memory leak when cancelling urb Bui Quang Minh
2021-01-11 12:00 ` Oliver Neukum
2021-01-11 14:31   ` Bui Quang Minh
2021-01-12  6:42     ` Minh Bùi Quang
2021-01-21 15:19       ` Bui Quang Minh [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210121151955.GA3779@minh \
    --to=minhquangbui99@gmail.com \
    --cc=a.darwish@linutronix.de \
    --cc=bigeasy@linutronix.de \
    --cc=gregkh@linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=mkl@pengutronix.de \
    --cc=oneukum@suse.de \
    --cc=stern@rowland.harvard.edu \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=tglx@linutronix.de \
    --cc=wg@grandegger.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.