Re: [BUG] usb: xhci: Possible resource leaks when xhci_run() fails

[Jia-Ju Bai <baijiaju1990@gmail.com>]

On 2019/5/15 0:55, Greg KH wrote:
> On Tue, May 14, 2019 at 10:58:05PM +0800, Jia-Ju Bai wrote:
>> xhci_pci_setup() is assigned to hc_driver.reset;
>> xhci_run() is assigned to hc_driver.start();
>> xhci_stop() is assigned to hc_driver.stop().
>>
>> xhci_pci_setup() calls xhci_gen_setup, which calls xhci_init(). And
>> xhci_init() calls xhci_mem_init() to allocate resources.
>>
>> xhci_stop() calls xhci_mem_cleanup(), to release the resources allocated in
>> xhci_mem_init() (also namely xhci_pci_setup()).
>>
>> xhci_run() can fail, because xhci_try_enable_msi() or xhci_alloc_command()
>> in this function can fail.
>>
>> In drivers/usb/core/hcd.c:
>>      retval = hcd->driver->reset(hcd);
>>      if (retval < 0) {
>>          ......
>>          goto err_hcd_driver_setup;
>>      }
>>      ......
>>      retval = hcd->driver->start(hcd);
>>      if (retval < 0) {
>>          ......
>>          goto err_hcd_driver_start;
>>      }
>>      .......
>>      hcd->driver->stop(hcd);
>>      hcd->state = HC_STATE_HALT;
>>      clear_bit(HCD_FLAG_POLL_RH, &hcd->flags);
>>      del_timer_sync(&hcd->rh_timer);
>> err_hcd_driver_start:
>>      if (usb_hcd_is_primary_hcd(hcd) && hcd->irq > 0)
>>          free_irq(irqnum, hcd);
>> err_request_irq:
>> err_hcd_driver_setup:
>> err_set_rh_speed:
>>      usb_put_invalidate_rhdev(hcd);
>> err_allocate_root_hub:
>>      usb_deregister_bus(&hcd->self);
>> err_register_bus:
>>      hcd_buffer_destroy(hcd);
>> err_create_buf:
>>      usb_phy_roothub_power_off(hcd->phy_roothub);
>> err_usb_phy_roothub_power_on:
>>      usb_phy_roothub_exit(hcd->phy_roothub);
>>
>> Thus, when hcd->driver->reset() succeeds and hcd->driver->start() fails,
>> hcd->driver->stop() is not called.
>>
>> Namely, when xhci_pci_setup() successfully allocates resources, and
>> xhci_run() fails, xhci_stop() is not called to release the resources.
>> For this reason, resource leaks occur in this case.
>>
>> I check the code of the ehci driver, uhci driver and ohci driver, and find
>> that they do not have such problem, because:
>> In the ehci driver, ehci_run() (namely hcd->driver->start()) never fails.
>> In the uhci driver, all the resources are allocated in uhci_start (namely
>> hcd->driver->start()), and no resources are allocated in uhci_pci_init()
>> (namely hcd->driver->reset()).
>> In the ohci driver, ohci_setup() (namely hcd->driver->reset()) also
>> allocates resources. But when ohci_start() (namely hcd->driver->start()) is
>> going to fail, ohci_stop() is directly called to release the resources
>> allocated by ohci_setup().
>>
>> Thus, there are two possible ways of fixing bugs:
>> 1) Call xhci_stop() when xhci_run() is going to fail (like the ohci driver)
>> 2) Move all resource-allocation operations into xhci_run() (like the uhci
>> driver).
>>
>> I am not sure whether these ways are correct, so I only report bugs.
> Can you create a patch to show how you would fix this potential issue?
> Given that making this type of thing fail is pretty rare, it's not a
> real high priority to get to, so it might be a while for anyone here to
> look at it.

Okay, I will send a patch soon.


Best wishes,
Jia-Ju Bai