From: Mathias Nyman <mathias.nyman@linux.intel.com>
To: Lu Baolu <baolu.lu@linux.intel.com>
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
zhengjun.xing@linux.intel.com,
Guoqing Zhang <guoqing.zhang@intel.com>
Subject: Re: [PATCH v2 2/5] usb: xhci: Fix potential memory leak in xhci_disable_slot()
Date: Wed, 9 Aug 2017 13:09:47 +0300 [thread overview]
Message-ID: <598ADF6B.1090309@linux.intel.com> (raw)
In-Reply-To: <1501122098-10935-3-git-send-email-baolu.lu@linux.intel.com>
On 27.07.2017 05:21, Lu Baolu wrote:
> xhci_disable_slot() allows the invoker to pass a command pointer
> as paramenter. Otherwise, it will allocate one. This will cause
> memory leak when a command structure was allocated inside of this
> function while queuing command trb fails. Another problem comes up
> when the invoker passed a command pointer, but xhci_disable_slot()
> frees it when it detects a dead host.
>
> This patch fixes these two problems by removing the command parameter
> from xhci_disable_slot().
>
> Fixes: f9e609b82479 ("usb: xhci: Add helper function xhci_disable_slot().")
> Cc: Guoqing Zhang <guoqing.zhang@intel.com>
> Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
> ---
> drivers/usb/host/xhci-hub.c | 2 +-
> drivers/usb/host/xhci.c | 30 +++++++++---------------------
> drivers/usb/host/xhci.h | 3 +--
> 3 files changed, 11 insertions(+), 24 deletions(-)
>
> diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c
> index 00721e8..c862d53 100644
> --- a/drivers/usb/host/xhci-hub.c
> +++ b/drivers/usb/host/xhci-hub.c
> @@ -612,7 +612,7 @@ static int xhci_enter_test_mode(struct xhci_hcd *xhci,
> xhci_dbg(xhci, "Disable all slots\n");
> spin_unlock_irqrestore(&xhci->lock, *flags);
> for (i = 1; i <= HCS_MAX_SLOTS(xhci->hcs_params1); i++) {
> - retval = xhci_disable_slot(xhci, NULL, i);
> + retval = xhci_disable_slot(xhci, i);
> if (retval)
> xhci_err(xhci, "Failed to disable slot %d, %d. Enter test mode anyway\n",
> i, retval);
> diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
> index e69073f..cb2461a 100644
> --- a/drivers/usb/host/xhci.c
> +++ b/drivers/usb/host/xhci.c
> @@ -3519,11 +3519,6 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
> struct xhci_virt_device *virt_dev;
> struct xhci_slot_ctx *slot_ctx;
> int i, ret;
> - struct xhci_command *command;
> -
> - command = xhci_alloc_command(xhci, false, false, GFP_KERNEL);
> - if (!command)
> - return;
>
> #ifndef CONFIG_USB_DEFAULT_PERSIST
> /*
> @@ -3539,10 +3534,8 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
> /* If the host is halted due to driver unload, we still need to free the
> * device.
> */
> - if (ret <= 0 && ret != -ENODEV) {
> - kfree(command);
> + if (ret <= 0 && ret != -ENODEV)
> return;
> - }
>
> virt_dev = xhci->devs[udev->slot_id];
> slot_ctx = xhci_get_slot_ctx(xhci, virt_dev->out_ctx);
> @@ -3554,22 +3547,21 @@ static void xhci_free_dev(struct usb_hcd *hcd, struct usb_device *udev)
> del_timer_sync(&virt_dev->eps[i].stop_cmd_timer);
> }
>
> - xhci_disable_slot(xhci, command, udev->slot_id);
> + xhci_disable_slot(xhci, udev->slot_id);
> /*
> * Event command completion handler will free any data structures
> * associated with the slot. XXX Can free sleep?
> */
> }
>
> -int xhci_disable_slot(struct xhci_hcd *xhci, struct xhci_command *command,
> - u32 slot_id)
> +int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)
> {
> + struct xhci_command *command;
> unsigned long flags;
> u32 state;
> int ret = 0;
>
> - if (!command)
> - command = xhci_alloc_command(xhci, false, false, GFP_KERNEL);
> + command = xhci_alloc_command(xhci, false, false, GFP_KERNEL);
> if (!command)
> return -ENOMEM;
>
> @@ -3588,7 +3580,7 @@ int xhci_disable_slot(struct xhci_hcd *xhci, struct xhci_command *command,
> slot_id);
> if (ret) {
> spin_unlock_irqrestore(&xhci->lock, flags);
> - xhci_dbg(xhci, "FIXME: allocate a command ring segment\n");
> + kfree(command);
> return ret;
> }
> xhci_ring_cmd_db(xhci);
> @@ -3663,6 +3655,8 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev)
> return 0;
> }
>
> + xhci_free_command(xhci, command);
> +
> if ((xhci->quirks & XHCI_EP_LIMIT_QUIRK)) {
> spin_lock_irqsave(&xhci->lock, flags);
> ret = xhci_reserve_host_control_ep_resources(xhci);
> @@ -3698,18 +3692,12 @@ int xhci_alloc_dev(struct usb_hcd *hcd, struct usb_device *udev)
> pm_runtime_get_noresume(hcd->self.controller);
> #endif
>
> -
> - xhci_free_command(xhci, command);
> /* Is this a LS or FS device under a HS hub? */
> /* Hub or peripherial? */
> return 1;
>
> disable_slot:
> - /* Disable slot, if we can do it without mem alloc */
> - kfree(command->completion);
> - command->completion = NULL;
> - command->status = 0;
> - return xhci_disable_slot(xhci, command, udev->slot_id);
> + return xhci_disable_slot(xhci, udev->slot_id);
avoiding allocating a new command after failing to allocate a virt dev was
probably the reason why xhci_disable_slot() supported a command
as a parameter in the first place.
But this is such a small corner case, and your patch fixes two more likely issues,
and simplifies the code a lot so I think It's well worth it
-Mathias
next prev parent reply other threads:[~2017-08-09 10:06 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-07-27 2:21 [PATCH v2 0/5] usb: xhci: Handle USB transaction error on address command Lu Baolu
2017-07-27 2:21 ` [PATCH v2 1/5] usb: xhci: Disable slot even virt-dev is null Lu Baolu
2017-08-09 7:58 ` Mathias Nyman
2017-08-10 0:35 ` Lu Baolu
2017-08-10 10:00 ` Mathias Nyman
2017-08-11 1:18 ` Lu Baolu
2017-07-27 2:21 ` [PATCH v2 2/5] usb: xhci: Fix potential memory leak in xhci_disable_slot() Lu Baolu
2017-08-09 10:09 ` Mathias Nyman [this message]
2017-07-27 2:21 ` [PATCH v2 3/5] usb: xhci: Fix memory leak when xhci_disable_slot() returns error Lu Baolu
2017-07-27 2:21 ` [PATCH v2 4/5] usb: xhci: Return error when host is dead in xhci_disable_slot() Lu Baolu
2017-07-27 2:21 ` [PATCH v2 5/5] usb: xhci: Handle USB transaction error on address command Lu Baolu
2017-07-27 7:55 ` Felipe Balbi
2017-07-27 8:56 ` Lu Baolu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=598ADF6B.1090309@linux.intel.com \
--to=mathias.nyman@linux.intel.com \
--cc=baolu.lu@linux.intel.com \
--cc=guoqing.zhang@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=zhengjun.xing@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.