From: Greg KH <gregkh@linuxfoundation.org>
To: Chang Yu <marcus.yu.56@gmail.com>
Cc: andreyknvl@gmail.com, viro@zeniv.linux.org.uk,
	linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
	stern@rowland.harvard.edu, skhan@linuxfoundation.org,
	syzbot+3e563d99e70973c0755c@syzkaller.appspotmail.com
Subject: Re: [PATCH] usb: raw_gadget: Add debug logs to a troubleshoot a double-free bug in raw_release.
Date: Wed, 6 Nov 2024 06:05:30 +0100
Message-ID: <2024110657-tummy-decaf-66ee@gregkh>
In-Reply-To: <Zyrsg3bvNu1rswqb@gmail.com>

On Tue, Nov 05, 2024 at 08:11:47PM -0800, Chang Yu wrote:
> syzkaller reported a double free bug
> (https://syzkaller.appspot.com/bug?extid=3e563d99e70973c0755c) in
> raw_release.
> 
> From the stack traces it looks like either raw_release was invoked
> twice or there were some between kref_get in raw_ioctl_run and
> kref_put raw_release. But these should not be possible. We need
> more logs to understand the cause.
> 
> Make raw_release and raw_ioctl_run report the ref count before
> and after get/put to help debug this.
> 
> Signed-off-by: Chang Yu <marcus.yu.56@gmail.com>
> Reported-by: syzbot+3e563d99e70973c0755c@syzkaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=3e563d99e70973c0755c
> ---
>  drivers/usb/gadget/legacy/raw_gadget.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 
> diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> index 112fd18d8c99..ac4e319c743f 100644
> --- a/drivers/usb/gadget/legacy/raw_gadget.c
> +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> @@ -194,6 +194,8 @@ static struct raw_dev *dev_new(void)
>  		return NULL;
>  	/* Matches kref_put() in raw_release(). */
>  	kref_init(&dev->count);
> +	dev_dbg(dev->dev, "%s kref count initialized: %d\n",
> +		__func__, kref_read(&dev->count));
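
Review bot: The dev_dbg() added in dev_new() formats kref_read(&dev->count) with %d, but kref_read() returns unsigned int, so the specifier should be %u. Placed directly after kref_init(), this line will always report a count of 1, so it adds little toward narrowing down the double free in raw_release; the readings around the get/put pairs are the ones that matter. Because this runs in the constructor, please also confirm that dev->dev has already been assigned when it is passed to dev_dbg() here, otherwise the message will not be tied to a device.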

Please note that you never need to add a __func__ to a dev_dbg() call,
as it is already present automatically for you.

thanks,

greg k-h
