[BUG] usb: xhci: Possible resource leaks when xhci_run() fails

[Jia-Ju Bai <baijiaju1990@gmail.com>]

xhci_pci_setup() is assigned to hc_driver.reset;
xhci_run() is assigned to hc_driver.start();
xhci_stop() is assigned to hc_driver.stop().

xhci_pci_setup() calls xhci_gen_setup, which calls xhci_init(). And 
xhci_init() calls xhci_mem_init() to allocate resources.

xhci_stop() calls xhci_mem_cleanup(), to release the resources allocated 
in xhci_mem_init() (also namely xhci_pci_setup()).

xhci_run() can fail, because xhci_try_enable_msi() or 
xhci_alloc_command() in this function can fail.

In drivers/usb/core/hcd.c:
     retval = hcd->driver->reset(hcd);
     if (retval < 0) {
         ......
         goto err_hcd_driver_setup;
     }
     ......
     retval = hcd->driver->start(hcd);
     if (retval < 0) {
         ......
         goto err_hcd_driver_start;
     }
     .......
     hcd->driver->stop(hcd);
     hcd->state = HC_STATE_HALT;
     clear_bit(HCD_FLAG_POLL_RH, &hcd->flags);
     del_timer_sync(&hcd->rh_timer);
err_hcd_driver_start:
     if (usb_hcd_is_primary_hcd(hcd) && hcd->irq > 0)
         free_irq(irqnum, hcd);
err_request_irq:
err_hcd_driver_setup:
err_set_rh_speed:
     usb_put_invalidate_rhdev(hcd);
err_allocate_root_hub:
     usb_deregister_bus(&hcd->self);
err_register_bus:
     hcd_buffer_destroy(hcd);
err_create_buf:
     usb_phy_roothub_power_off(hcd->phy_roothub);
err_usb_phy_roothub_power_on:
     usb_phy_roothub_exit(hcd->phy_roothub);

Thus, when hcd->driver->reset() succeeds and hcd->driver->start() fails, 
hcd->driver->stop() is not called.

Namely, when xhci_pci_setup() successfully allocates resources, and 
xhci_run() fails, xhci_stop() is not called to release the resources.
For this reason, resource leaks occur in this case.

I check the code of the ehci driver, uhci driver and ohci driver, and 
find that they do not have such problem, because:
In the ehci driver, ehci_run() (namely hcd->driver->start()) never fails.
In the uhci driver, all the resources are allocated in uhci_start 
(namely hcd->driver->start()), and no resources are allocated in 
uhci_pci_init() (namely hcd->driver->reset()).
In the ohci driver, ohci_setup() (namely hcd->driver->reset()) also 
allocates resources. But when ohci_start() (namely hcd->driver->start()) 
is going to fail, ohci_stop() is directly called to release the 
resources allocated by ohci_setup().

Thus, there are two possible ways of fixing bugs:
1) Call xhci_stop() when xhci_run() is going to fail (like the ohci driver)
2) Move all resource-allocation operations into xhci_run() (like the 
uhci driver).

I am not sure whether these ways are correct, so I only report bugs.

These bugs are found by a runtime fuzzing tool named FIZZER written by us.


Best wishes,
Jia-Ju Bai