Re: [PATCH] USB: Fix error handling in gadget driver

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: Ma Ke <make24@iscas.ac.cn>
Cc: vz@mleia.com, piotr.wojtaszczyk@timesys.com, arnd@arndb.de,
	stigge@antcom.de, linux-usb@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org, akpm@linux-foundation.org,
	stable@vger.kernel.org
Subject: Re: [PATCH] USB: Fix error handling in gadget driver
Date: Fri, 21 Nov 2025 15:04:45 +0100	[thread overview]
Message-ID: <2025112122-fedora-tiny-6fa3@gregkh> (raw)
In-Reply-To: <20251116014948.14093-1-make24@iscas.ac.cn>

On Sun, Nov 16, 2025 at 09:49:48AM +0800, Ma Ke wrote:
> lpc32xx_udc_probe() acquires an i2c_client reference through
> isp1301_get_client() but fails to release it in both error handling
> paths and the normal removal path. This could result in a reference
> count leak for the I2C device, preventing proper cleanup and
> potentially leading to resource exhaustion. Add put_device() to
> release the reference in the probe failure path and in the remove
> function.
> 
> Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
> i2c_find_device_by_fwnode(). As comments of
> i2c_find_device_by_fwnode() says, 'The user must call
> put_device(&client->dev) once done with the i2c client.'
> 
> Found by code review.
> 
> Cc: stable@vger.kernel.org
> Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
>  drivers/usb/gadget/udc/lpc32xx_udc.c | 35 +++++++++++++++++++++++-----
>  1 file changed, 29 insertions(+), 6 deletions(-)
> 
> diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
> index 1a7d3c4f652f..b6fddfff712d 100644
> --- a/drivers/usb/gadget/udc/lpc32xx_udc.c
> +++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
> @@ -2986,6 +2986,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
>  	int retval, i;
>  	dma_addr_t dma_handle;
>  	struct device_node *isp1301_node;
> +	bool isp1301_acquired = false;

This bool should not be needed, you "know" if you have acquired this or
not by virtue of being later in the function call.


>  
>  	udc = devm_kmemdup(dev, &controller_template, sizeof(*udc), GFP_KERNEL);
>  	if (!udc)
> @@ -3013,6 +3014,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
>  	if (!udc->isp1301_i2c_client) {
>  		return -EPROBE_DEFER;
>  	}
> +	isp1301_acquired = true;
>  
>  	dev_info(udc->dev, "ISP1301 I2C device at address 0x%x\n",
>  		 udc->isp1301_i2c_client->addr);
> @@ -3020,7 +3022,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
>  	pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
>  	retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
>  	if (retval)
> -		return retval;
> +		goto i2c_fail;
>  
>  	udc->board = &lpc32xx_usbddata;
>  
> @@ -3038,28 +3040,32 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
>  	/* Get IRQs */
>  	for (i = 0; i < 4; i++) {
>  		udc->udp_irq[i] = platform_get_irq(pdev, i);
> -		if (udc->udp_irq[i] < 0)
> -			return udc->udp_irq[i];
> +		if (udc->udp_irq[i] < 0) {
> +			retval = udc->udp_irq[i];
> +			goto i2c_fail;
> +		}
>  	}
>  
>  	udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0);
>  	if (IS_ERR(udc->udp_baseaddr)) {
>  		dev_err(udc->dev, "IO map failure\n");
> -		return PTR_ERR(udc->udp_baseaddr);
> +		retval = PTR_ERR(udc->udp_baseaddr);
> +		goto i2c_fail;
>  	}
>  
>  	/* Get USB device clock */
>  	udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL);
>  	if (IS_ERR(udc->usb_slv_clk)) {
>  		dev_err(udc->dev, "failed to acquire USB device clock\n");
> -		return PTR_ERR(udc->usb_slv_clk);
> +		retval = PTR_ERR(udc->usb_slv_clk);
> +		goto i2c_fail;
>  	}
>  
>  	/* Enable USB device clock */
>  	retval = clk_prepare_enable(udc->usb_slv_clk);
>  	if (retval < 0) {
>  		dev_err(udc->dev, "failed to start USB device clock\n");
> -		return retval;
> +		goto i2c_fail;
>  	}
>  
>  	/* Setup deferred workqueue data */
> @@ -3161,6 +3167,8 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
>  	dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
>  			  udc->udca_v_base, udc->udca_p_base);
>  i2c_fail:
> +	if (isp1301_acquired && udc->isp1301_i2c_client)
> +		put_device(&udc->isp1301_i2c_client->dev);
>  	clk_disable_unprepare(udc->usb_slv_clk);
>  	dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
>  
> @@ -3170,6 +3178,18 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
>  static void lpc32xx_udc_remove(struct platform_device *pdev)
>  {
>  	struct lpc32xx_udc *udc = platform_get_drvdata(pdev);
> +	struct device *dev = &pdev->dev;
> +	struct device_node *isp1301_node;
> +	bool isp1301_acquired = false;

This bool isn't needed either, just trigger off of isp1301_node.

But really:

> +
> +	/* Check if we acquired isp1301 via device tree */
> +	if (dev->of_node) {
> +		isp1301_node = of_parse_phandle(dev->of_node, "transceiver", 0);

Shouldn't this node be saved in the device structure instead?  That's
the "correct" solution here.

thanks,

greg k-h

     prev parent reply	other threads:[~2025-11-21 14:18 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-16  1:49 [PATCH] USB: Fix error handling in gadget driver Ma Ke
2025-11-21 14:04 ` Greg KH [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2025112122-fedora-tiny-6fa3@gregkh \
    --to=gregkh@linuxfoundation.org \
    --cc=akpm@linux-foundation.org \
    --cc=arnd@arndb.de \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-usb@vger.kernel.org \
    --cc=make24@iscas.ac.cn \
    --cc=piotr.wojtaszczyk@timesys.com \
    --cc=stable@vger.kernel.org \
    --cc=stigge@antcom.de \
    --cc=vz@mleia.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.