Subject: [usb_add_gadget_udc_release] BUG: KASAN: double-free or invalid-free in (null)
From: Felipe Balbi
Message-Id: <87bmi3z8dn.fsf@linux.intel.com>
Date: Tue, 09 Jan 2018 11:31:00 +0200
To: Alan Stern, Fengguang Wu
Cc: linux-usb@vger.kernel.org, Greg Kroah-Hartman, Linus Torvalds, Krzysztof Opasiak, Florian Fainelli, Felix Hädicke, Stefan Agner, linux-kernel@vger.kernel.org, lkp@01.org
Hi,

Alan Stern writes:
> On Sun, 17 Dec 2017, Fengguang Wu wrote:
>
>> Hello,
>>
>> FYI this happens in mainline kernel 4.15.0-rc3.
>> It looks like a new regression.
>>
>> It occurs in 23 out of 36 boots.
>>
>> [   38.592360] LUN: removable file: (no medium)
>> [   38.593442] no file given for LUN0
>> [   38.594589] g_mass_storage usbip-vudc.0: failed to start g_mass_storage: -22
>> [   38.600881] udc usbip-vudc.0: releasing 'usbip-vudc.0'
>> [   38.604397] ==================================================================
>> [   38.605034] BUG: KASAN: double-free or invalid-free in           (null)
>> [   38.605034]
>> [   38.605034] CPU: 0 PID: 1 Comm: swapper Not tainted 4.15.0-rc3 #468
>> [   38.605034] Call Trace:
>> [   38.605034]  dump_stack+0x2f/0x3e:
>> 						__dump_stack at lib/dump_stack.c:17
>> 						 (inlined by) dump_stack at lib/dump_stack.c:63
>> [   38.605034]  print_address_description+0xc2/0x3b7:
>> 						print_address_description at mm/kasan/report.c:253
>> [   38.605034]  kasan_report_double_free+0x50/0x8c:
>> 						kasan_report_double_free at mm/kasan/report.c:334
>> [   38.605034]  kasan_slab_free+0x60/0x1ef:
>> 						kasan_slab_free at mm/kasan/kasan.c:514
>> [   38.605034]  ? ftrace_likely_update+0x5c/0xc4:
>> 						ftrace_likely_update at kernel/trace/trace_branch.c:223
>> [   38.605034]  ? kobj_kset_leave+0x193/0x1dc:
>> 						kobj_kset_leave at lib/kobject.c:184
>> [   38.605034]  ? lock_acquired+0x8d2/0x8d2:
>> 						lock_release at kernel/locking/lockdep.c:4013
>> [   38.605034]  ? ftrace_likely_update+0x5c/0xc4:
>> 						ftrace_likely_update at kernel/trace/trace_branch.c:223
>> [   38.605034]  ? trace_preempt_on+0x489/0x4d7:
>> 						trace_preempt_enable_rcuidle at include/trace/events/preemptirq.h:50
>> 						 (inlined by) trace_preempt_on at kernel/trace/trace_irqsoff.c:855
>> [   38.605034]  ? static_obj+0x40/0x40:
>> 						match_held_lock at kernel/locking/lockdep.c:3567
>> [   38.605034]  ? kobject_put+0xf5/0x642:
>> 						refcount_dec_and_test at arch/x86/include/asm/refcount.h:75
>> 						 (inlined by) kref_put at include/linux/kref.h:69
>> 						 (inlined by) kobject_put at lib/kobject.c:694
>> [   38.605034]  ? trace_hardirqs_off+0x17/0x1f:
>> 						trace_hardirqs_off at kernel/locking/lockdep.c:2984
>> [   38.605034]  ? kfree+0x419/0x5e7:
>> 						slab_free_hook at mm/slub.c:1380
>> 						 (inlined by) slab_free_freelist_hook at mm/slub.c:1412
>> 						 (inlined by) slab_free at mm/slub.c:2968
>> 						 (inlined by) kfree at mm/slub.c:3899
>> [   38.605034]  kfree+0x43c/0x5e7:
>> 						slab_free at mm/slub.c:2973
>> 						 (inlined by) kfree at mm/slub.c:3899
>> [   38.605034]  usb_add_gadget_udc_release+0x693/0x6ca:
>> 						usb_add_gadget_udc_release at drivers/usb/gadget/udc/core.c:1199
>
> Boy, the error handling in that routine is a mess.  The patch below
> should straighten it out.

looks good:

Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>


> Alan Stern
>
>
>
> Index: usb-4.x/drivers/usb/gadget/udc/core.c
> ===================================================================
> --- usb-4.x.orig/drivers/usb/gadget/udc/core.c
> +++ usb-4.x/drivers/usb/gadget/udc/core.c
> @@ -1147,11 +1147,7 @@ int usb_add_gadget_udc_release(struct de
>  
>  	udc = kzalloc(sizeof(*udc), GFP_KERNEL);
>  	if (!udc)
> -		goto err1;
> -
> -	ret = device_add(&gadget->dev);
> -	if (ret)
> -		goto err2;
> +		goto err_put_gadget;
>  
>  	device_initialize(&udc->dev);
>  	udc->dev.release = usb_udc_release;
> @@ -1160,7 +1156,11 @@ int usb_add_gadget_udc_release(struct de
>  	udc->dev.parent = parent;
>  	ret = dev_set_name(&udc->dev, "%s", kobject_name(&parent->kobj));
>  	if (ret)
> -		goto err3;
> +		goto err_put_udc;
> +
> +	ret = device_add(&gadget->dev);
> +	if (ret)
> +		goto err_put_udc;
>  
>  	udc->gadget = gadget;
>  	gadget->udc = udc;
> @@ -1170,7 +1170,7 @@ int usb_add_gadget_udc_release(struct de
>  
>  	ret = device_add(&udc->dev);
>  	if (ret)
> -		goto err4;
> +		goto err_unlist_udc;
>  
>  	usb_gadget_set_state(gadget, USB_STATE_NOTATTACHED);
>  	udc->vbus = true;
> @@ -1178,27 +1178,25 @@ int usb_add_gadget_udc_release(struct de
>  	/* pick up one of pending gadget drivers */
>  	ret = check_pending_gadget_drivers(udc);
>  	if (ret)
> -		goto err5;
> +		goto err_del_udc;
>  
>  	mutex_unlock(&udc_lock);
>  
>  	return 0;
>  
> -err5:
> + err_del_udc:
>  	device_del(&udc->dev);
>  
> -err4:
> + err_unlist_udc:
>  	list_del(&udc->list);
>  	mutex_unlock(&udc_lock);
>  
> -err3:
> -	put_device(&udc->dev);
>  	device_del(&gadget->dev);
>  
> -err2:
> -	kfree(udc);
> + err_put_udc:
> +	put_device(&udc->dev);
>  
> -err1:
> + err_put_gadget:
>  	put_device(&gadget->dev);
>  	return ret;
>  }

-- 
balbi
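Review bot: in the first hunk (@@ -1147,11 +1147,7 @@) the kzalloc() failure path now jumps straight to err_put_gadget and returns `ret`, but nothing in the hunk assigns `ret` for that case; confirm `ret` is initialised to -ENOMEM at the top of usb_add_gadget_udc_release() (outside the hunk's context) or add `ret = -ENOMEM;` before the `goto`, otherwise an allocation failure could return 0. Pulling `device_add(&gadget->dev)` out of this spot is otherwise right: with no udc allocated yet, the only thing to undo is the reference on gadget->dev, which is exactly what err_put_gadget does.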
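Review bot: in the second hunk (@@ -1160,7 +1156,11 @@) both new `goto err_put_udc` jumps, from the dev_set_name() failure and from the relocated device_add(&gadget->dev) failure, depend on udc->dev having already passed through device_initialize() with `udc->dev.release = usb_udc_release` set (shown in the first hunk), so that put_device(&udc->dev) is the one and only thing that frees udc; a short comment at the err_put_udc label saying that udc must not be kfree'd once device_initialize() has run would document the invariant this fix relies on. The device_add(&gadget->dev) failure case also correctly bypasses device_del(&gadget->dev), since a device whose device_add() failed must not be device_del()'d.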
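Review bot: in the last hunk (@@ -1178,27 +1178,25 @@) the new labels are indented by one space (` err_del_udc:`, ` err_unlist_udc:`, ` err_put_udc:`, ` err_put_gadget:`), which checkpatch reports as indented labels; kernel style puts labels in column 0, so drop the leading space before this goes in. The logic itself addresses the reported bug: the old err3 path called put_device(&udc->dev), whose release callback (usb_udc_release, set in the first hunk) frees udc, and then fell through to err2's kfree(udc), freeing the same allocation a second time, which is the kfree in usb_add_gadget_udc_release (core.c:1199) that KASAN flagged. After the patch udc is released exactly once, via put_device(&udc->dev) at err_put_udc, and the unwind order (device_del udc, list_del, mutex_unlock, device_del gadget, put udc, put gadget) mirrors the setup order in reverse.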