From: Kalle Valo <kvalo@codeaurora.org>
To: Julian Calaby <julian.calaby@gmail.com>
Cc: Dongliang Mu <mudongliangabcd@gmail.com>,
QCA ath9k Development <ath9k-devel@qca.qualcomm.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>,
Brooke Basile <brookebasile@gmail.com>,
syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com,
linux-wireless <linux-wireless@vger.kernel.org>,
netdev@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] ath9k: hif_usb: fix memory leak in ath9k_hif_usb_firmware_cb
Date: Tue, 27 Jul 2021 15:26:14 +0300
Message-ID: <877dhcgcyh.fsf@codeaurora.org>
In-Reply-To: <CAGRGNgUNnf=62xnFE4zUiVJ+n6NyGjFUmdR2JChbRkhsDSy0Yw@mail.gmail.com> (Julian Calaby's message of "Tue, 27 Jul 2021 17:24:44 +1000")
Julian Calaby <julian.calaby@gmail.com> writes:
> Hi Dongliang,
>
> (Drive-by review, I know almost nothing about the code in question)
>
> On Fri, Jul 9, 2021 at 6:47 PM Dongliang Mu <mudongliangabcd@gmail.com> wrote:
>>
>> The commit 03fb92a432ea ("ath9k: hif_usb: fix race condition between
>> usb_get_urb() and usb_kill_anchored_urbs()") adds three usb_get_urb
>> in ath9k_hif_usb_dealloc_tx_urbs and usb_free_urb.
>>
>> Fix this bug by adding corresponding usb_free_urb in
>> ath9k_hif_usb_dealloc_tx_urbs other and hif_usb_stop.
>>
>> Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com
>> Fixes: 03fb92a432ea ("ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()")
>> Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
>> ---
>> drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
>> index 860da13bfb6a..bda91ff3289b 100644
>> --- a/drivers/net/wireless/ath/ath9k/hif_usb.c
>> +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
>> @@ -457,6 +457,7 @@ static void hif_usb_stop(void *hif_handle)
>> usb_kill_urb(tx_buf->urb);
>> list_del(&tx_buf->list);
>> usb_free_urb(tx_buf->urb);
>> + usb_free_urb(tx_buf->urb);
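Review bot: the added usb_free_urb(tx_buf->urb) sits directly after an identical call, so this path in hif_usb_stop() now drops two references on the same URB, which is only correct if exactly one surplus reference from the usb_get_urb() calls introduced by 03fb92a432ea is still held at this point, and nothing in the hunk shows that. Either pair the second put with a comment naming the usb_get_urb() it balances, or remove the surplus usb_get_urb() so a single usb_free_urb() suffices; an unbalanced count here is a leak in one direction and an over-release of a still-referenced URB in the other.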
>
> Ok, so if I'm reading this correctly, before the first usb_free_urb()
> call, we have two references to the urb at tx_buf->urb.
>
> Why?
>
> Isn't the better fix here to detangle why there's more than one
> reference to it and resolve it that way? This looks like a hack to fix
> something much more fundamentally broken.
Yeah, this looks very suspicious.
One more thing: also the patch should be tested with real hardware. I'm
worried that people are just trying to fix a syzbot warning and not
really considering how it works in real life. That's why I'm extra
careful with syzbot patches for wireless drivers.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches