From: Chang Yu <marcus.yu.56@gmail.com>
To: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Chang Yu <marcus.yu.56@gmail.com>,
gregkh@linuxfoundation.org, viro@zeniv.linux.org.uk,
linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
stern@rowland.harvard.edu, skhan@linuxfoundation.org,
syzbot+3e563d99e70973c0755c@syzkaller.appspotmail.com
Subject: Re: [PATCH] usb: raw_gadget: Add debug logs to a troubleshoot a double-free bug in raw_release.
Date: Tue, 5 Nov 2024 20:41:32 -0800 [thread overview]
Message-ID: <ZyrzfBtNhPjwRFZk@gmail.com> (raw)
In-Reply-To: <CA+fCnZeThG-J7kCraPbr4NCpys=jne3dD4sOLT_0h6iPw2YZEw@mail.gmail.com>
On Wed, Nov 06, 2024 at 01:35:27PM +0900, Andrey Konovalov wrote:
> On Wed, Nov 6, 2024 at 1:11 PM Chang Yu <marcus.yu.56@gmail.com> wrote:
> >
> > syzkaller reported a double free bug
> > (https://syzkaller.appspot.com/bug?extid=3e563d99e70973c0755c) in
> > raw_release.
> >
> > From the stack traces it looks like either raw_release was invoked
> > twice or there were some between kref_get in raw_ioctl_run and
> > kref_put raw_release. But these should not be possible. We need
> > more logs to understand the cause.
> >
> > Make raw_release and raw_ioctl_run report the ref count before
> > and after get/put to help debug this.
> >
> > Signed-off-by: Chang Yu <marcus.yu.56@gmail.com>
> > Reported-by: syzbot+3e563d99e70973c0755c@syzkaller.appspotmail.com
> > Link: https://syzkaller.appspot.com/bug?extid=3e563d99e70973c0755c
> > ---
> > drivers/usb/gadget/legacy/raw_gadget.c | 14 ++++++++++++++
> > 1 file changed, 14 insertions(+)
> >
> > diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> > index 112fd18d8c99..ac4e319c743f 100644
> > --- a/drivers/usb/gadget/legacy/raw_gadget.c
> > +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> > @@ -194,6 +194,8 @@ static struct raw_dev *dev_new(void)
> > return NULL;
> > /* Matches kref_put() in raw_release(). */
> > kref_init(&dev->count);
> > + dev_dbg(dev->dev, "%s kref count initialized: %d\n",
> > + __func__, kref_read(&dev->count));
> > spin_lock_init(&dev->lock);
> > init_completion(&dev->ep0_done);
> > raw_event_queue_init(&dev->queue);
> > @@ -464,13 +466,21 @@ static int raw_release(struct inode *inode, struct file *fd)
> > dev_err(dev->dev,
> > "usb_gadget_unregister_driver() failed with %d\n",
> > ret);
> > + dev_dbg(dev->dev, "%s kref count before unregister driver put: %d\n",
> > + __func__, kref_read(&dev->count));
> > /* Matches kref_get() in raw_ioctl_run(). */
> > kref_put(&dev->count, dev_free);
> > + dev_dbg(dev->dev, "%s kref count after unregister driver put: %d\n",
> > + __func__, kref_read(&dev->count));
> > }
> >
> > out_put:
> > + dev_dbg(dev->dev, "%s kref count before final put: %d\n",
> > + __func__, kref_read(&dev->count));
> > /* Matches dev_new() in raw_open(). */
> > kref_put(&dev->count, dev_free);
> > + dev_dbg(dev->dev, "%s kref count after final put: %d\n",
> > + __func__, kref_read(&dev->count));
> > return ret;
> > }
> >
> > @@ -603,8 +613,12 @@ static int raw_ioctl_run(struct raw_dev *dev, unsigned long value)
> > }
> > dev->gadget_registered = true;
> > dev->state = STATE_DEV_RUNNING;
> > + dev_dbg(dev->dev, "%s kref count before get: %d\n",
> > + __func__, kref_read(&dev->count));
> > /* Matches kref_put() in raw_release(). */
> > kref_get(&dev->count);
> > + dev_dbg(dev->dev, "%s kref count after get: %d\n",
> > + __func__, kref_read(&dev->count));
> >
> > out_unlock:
> > spin_unlock_irqrestore(&dev->lock, flags);
> > --
> > 2.47.0
> >
>
> Hi Chang,
>
> This patch looks very specific to the bug we're trying to debug - I
> don't think it makes sense to apply it to the mainline.
>
> What you can do instead is ask syzbot to run the reproducer it has
> with this patch applied via the #syz test command.
>
> Thank you!
Thank you for the tips, Andrey. I will do that. My apologies for the
rookie mistake. I'm pretty new to kernel patching/debugging and I'm
still learning the correct way to do stuff.
Thank you again for your help!
next prev parent reply other threads:[~2024-11-06 4:41 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-06 4:11 [PATCH] usb: raw_gadget: Add debug logs to a troubleshoot a double-free bug in raw_release Chang Yu
2024-11-06 4:35 ` Andrey Konovalov
2024-11-06 4:41 ` Chang Yu [this message]
2024-11-06 15:24 ` Alan Stern
2024-11-06 5:05 ` Greg KH
-- strict thread matches above, loose matches on Subject: below --
2024-11-06 4:43 Chang Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZyrzfBtNhPjwRFZk@gmail.com \
--to=marcus.yu.56@gmail.com \
--cc=andreyknvl@gmail.com \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=stern@rowland.harvard.edu \
--cc=syzbot+3e563d99e70973c0755c@syzkaller.appspotmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.