[PATCH] usb: raw_gadget: Add debug logs to a troubleshoot a double-free bug in raw_release.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Chang Yu <marcus.yu.56@gmail.com>
To: syzbot+3e563d99e70973c0755c@syzkaller.appspotmail.com
Cc: syzkaller-bugs@googlegroups.com, linux-kernel@vger.kernel.org
Subject: [PATCH] usb: raw_gadget: Add debug logs to a troubleshoot a double-free bug in raw_release.
Date: Tue, 5 Nov 2024 20:43:57 -0800	[thread overview]
Message-ID: <Zyr0DaD6yG6WDHXz@gmail.com> (raw)

#syz test

syzkaller reported a double free bug
(https://syzkaller.appspot.com/bug?extid=3e563d99e70973c0755c) in
raw_release.

From the stack traces it looks like either raw_release was invoked
twice or there were some between kref_get in raw_ioctl_run and
kref_put raw_release. But these should not be possible. We need
more logs to understand the cause.

Make raw_release and raw_ioctl_run report the ref count before
and after get/put to help debug this.

Signed-off-by: Chang Yu <marcus.yu.56@gmail.com>
Reported-by: syzbot+3e563d99e70973c0755c@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=3e563d99e70973c0755c
---
 drivers/usb/gadget/legacy/raw_gadget.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
index 112fd18d8c99..ac4e319c743f 100644
--- a/drivers/usb/gadget/legacy/raw_gadget.c
+++ b/drivers/usb/gadget/legacy/raw_gadget.c
@@ -194,6 +194,8 @@ static struct raw_dev *dev_new(void)
 		return NULL;
 	/* Matches kref_put() in raw_release(). */
 	kref_init(&dev->count);
+	dev_dbg(dev->dev, "%s kref count initialized: %d\n",
+		__func__, kref_read(&dev->count));
 	spin_lock_init(&dev->lock);
 	init_completion(&dev->ep0_done);
 	raw_event_queue_init(&dev->queue);
@@ -464,13 +466,21 @@ static int raw_release(struct inode *inode, struct file *fd)
 			dev_err(dev->dev,
 				"usb_gadget_unregister_driver() failed with %d\n",
 				ret);
+		dev_dbg(dev->dev, "%s kref count before unregister driver put: %d\n",
+				__func__, kref_read(&dev->count));
 		/* Matches kref_get() in raw_ioctl_run(). */
 		kref_put(&dev->count, dev_free);
+		dev_dbg(dev->dev, "%s kref count after unregister driver put: %d\n",
+				__func__, kref_read(&dev->count));
 	}
 
 out_put:
+	dev_dbg(dev->dev, "%s kref count before final put: %d\n",
+			__func__, kref_read(&dev->count));
 	/* Matches dev_new() in raw_open(). */
 	kref_put(&dev->count, dev_free);
+	dev_dbg(dev->dev, "%s kref count after final put: %d\n",
+			__func__, kref_read(&dev->count));
 	return ret;
 }
 
@@ -603,8 +613,12 @@ static int raw_ioctl_run(struct raw_dev *dev, unsigned long value)
 	}
 	dev->gadget_registered = true;
 	dev->state = STATE_DEV_RUNNING;
+	dev_dbg(dev->dev, "%s kref count before get: %d\n",
+			__func__, kref_read(&dev->count));
 	/* Matches kref_put() in raw_release(). */
 	kref_get(&dev->count);
+	dev_dbg(dev->dev, "%s kref count after get: %d\n",
+			__func__, kref_read(&dev->count));
 
 out_unlock:
 	spin_unlock_irqrestore(&dev->lock, flags);
-- 
2.47.0

next             reply	other threads:[~2024-11-06  4:44 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-06  4:43 Chang Yu [this message]
2024-11-06  5:08 ` [syzbot] [usb?] KASAN: invalid-free in dev_free syzbot
  -- strict thread matches above, loose matches on Subject: below --
2024-11-06  4:11 [PATCH] usb: raw_gadget: Add debug logs to a troubleshoot a double-free bug in raw_release Chang Yu
2024-11-06  4:35 ` Andrey Konovalov
2024-11-06  4:41   ` Chang Yu
2024-11-06 15:24   ` Alan Stern
2024-11-06  5:05 ` Greg KH

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:112fd18d8c9 dfblob:ac4e319c743 )
 OR (
bs:"[PATCH] usb: raw_gadget: Add debug logs to a troubleshoot a double-free bug in raw_release." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Zyr0DaD6yG6WDHXz@gmail.com \
    --to=marcus.yu.56@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzbot+3e563d99e70973c0755c@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.