* [PATCH] USB: Fix error handling in gadget driver
@ 2025-11-16 1:49 Ma Ke
2025-11-21 14:04 ` Greg KH
0 siblings, 1 reply; 2+ messages in thread
From: Ma Ke @ 2025-11-16 1:49 UTC (permalink / raw)
To: gregkh, vz, piotr.wojtaszczyk, make24, arnd, stigge
Cc: linux-usb, linux-arm-kernel, linux-kernel, akpm, stable
lpc32xx_udc_probe() acquires an i2c_client reference through
isp1301_get_client() but fails to release it in both error handling
paths and the normal removal path. This could result in a reference
count leak for the I2C device, preventing proper cleanup and
potentially leading to resource exhaustion. Add put_device() to
release the reference in the probe failure path and in the remove
function.
Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
i2c_find_device_by_fwnode(). As comments of
i2c_find_device_by_fwnode() says, 'The user must call
put_device(&client->dev) once done with the i2c client.'
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
---
drivers/usb/gadget/udc/lpc32xx_udc.c | 35 +++++++++++++++++++++++-----
1 file changed, 29 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
index 1a7d3c4f652f..b6fddfff712d 100644
--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
+++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
@@ -2986,6 +2986,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
int retval, i;
dma_addr_t dma_handle;
struct device_node *isp1301_node;
+ bool isp1301_acquired = false;
udc = devm_kmemdup(dev, &controller_template, sizeof(*udc), GFP_KERNEL);
if (!udc)
@@ -3013,6 +3014,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
if (!udc->isp1301_i2c_client) {
return -EPROBE_DEFER;
}
+ isp1301_acquired = true;
dev_info(udc->dev, "ISP1301 I2C device at address 0x%x\n",
udc->isp1301_i2c_client->addr);
@@ -3020,7 +3022,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
if (retval)
- return retval;
+ goto i2c_fail;
udc->board = &lpc32xx_usbddata;
@@ -3038,28 +3040,32 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
/* Get IRQs */
for (i = 0; i < 4; i++) {
udc->udp_irq[i] = platform_get_irq(pdev, i);
- if (udc->udp_irq[i] < 0)
- return udc->udp_irq[i];
+ if (udc->udp_irq[i] < 0) {
+ retval = udc->udp_irq[i];
+ goto i2c_fail;
+ }
}
udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0);
if (IS_ERR(udc->udp_baseaddr)) {
dev_err(udc->dev, "IO map failure\n");
- return PTR_ERR(udc->udp_baseaddr);
+ retval = PTR_ERR(udc->udp_baseaddr);
+ goto i2c_fail;
}
/* Get USB device clock */
udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL);
if (IS_ERR(udc->usb_slv_clk)) {
dev_err(udc->dev, "failed to acquire USB device clock\n");
- return PTR_ERR(udc->usb_slv_clk);
+ retval = PTR_ERR(udc->usb_slv_clk);
+ goto i2c_fail;
}
/* Enable USB device clock */
retval = clk_prepare_enable(udc->usb_slv_clk);
if (retval < 0) {
dev_err(udc->dev, "failed to start USB device clock\n");
- return retval;
+ goto i2c_fail;
}
/* Setup deferred workqueue data */
@@ -3161,6 +3167,8 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
i2c_fail:
+ if (isp1301_acquired && udc->isp1301_i2c_client)
+ put_device(&udc->isp1301_i2c_client->dev);
clk_disable_unprepare(udc->usb_slv_clk);
dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
@@ -3170,6 +3178,18 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
static void lpc32xx_udc_remove(struct platform_device *pdev)
{
struct lpc32xx_udc *udc = platform_get_drvdata(pdev);
+ struct device *dev = &pdev->dev;
+ struct device_node *isp1301_node;
+ bool isp1301_acquired = false;
+
+ /* Check if we acquired isp1301 via device tree */
+ if (dev->of_node) {
+ isp1301_node = of_parse_phandle(dev->of_node, "transceiver", 0);
+ if (isp1301_node) {
+ isp1301_acquired = true;
+ of_node_put(isp1301_node);
+ }
+ }
usb_del_gadget_udc(&udc->gadget);
if (udc->driver) {
@@ -3189,6 +3209,9 @@ static void lpc32xx_udc_remove(struct platform_device *pdev)
dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
udc->udca_v_base, udc->udca_p_base);
+ if (isp1301_acquired && udc->isp1301_i2c_client)
+ put_device(&udc->isp1301_i2c_client->dev);
+
clk_disable_unprepare(udc->usb_slv_clk);
}
--
2.17.1
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH] USB: Fix error handling in gadget driver
2025-11-16 1:49 [PATCH] USB: Fix error handling in gadget driver Ma Ke
@ 2025-11-21 14:04 ` Greg KH
0 siblings, 0 replies; 2+ messages in thread
From: Greg KH @ 2025-11-21 14:04 UTC (permalink / raw)
To: Ma Ke
Cc: vz, piotr.wojtaszczyk, arnd, stigge, linux-usb, linux-arm-kernel,
linux-kernel, akpm, stable
On Sun, Nov 16, 2025 at 09:49:48AM +0800, Ma Ke wrote:
> lpc32xx_udc_probe() acquires an i2c_client reference through
> isp1301_get_client() but fails to release it in both error handling
> paths and the normal removal path. This could result in a reference
> count leak for the I2C device, preventing proper cleanup and
> potentially leading to resource exhaustion. Add put_device() to
> release the reference in the probe failure path and in the remove
> function.
>
> Calling path: isp1301_get_client() -> of_find_i2c_device_by_node() ->
> i2c_find_device_by_fwnode(). As comments of
> i2c_find_device_by_fwnode() says, 'The user must call
> put_device(&client->dev) once done with the i2c client.'
>
> Found by code review.
>
> Cc: stable@vger.kernel.org
> Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
> Signed-off-by: Ma Ke <make24@iscas.ac.cn>
> ---
> drivers/usb/gadget/udc/lpc32xx_udc.c | 35 +++++++++++++++++++++++-----
> 1 file changed, 29 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/lpc32xx_udc.c b/drivers/usb/gadget/udc/lpc32xx_udc.c
> index 1a7d3c4f652f..b6fddfff712d 100644
> --- a/drivers/usb/gadget/udc/lpc32xx_udc.c
> +++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
> @@ -2986,6 +2986,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
> int retval, i;
> dma_addr_t dma_handle;
> struct device_node *isp1301_node;
> + bool isp1301_acquired = false;
This bool should not be needed, you "know" if you have acquired this or
not by virtue of being later in the function call.
>
> udc = devm_kmemdup(dev, &controller_template, sizeof(*udc), GFP_KERNEL);
> if (!udc)
> @@ -3013,6 +3014,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
> if (!udc->isp1301_i2c_client) {
> return -EPROBE_DEFER;
> }
> + isp1301_acquired = true;
>
> dev_info(udc->dev, "ISP1301 I2C device at address 0x%x\n",
> udc->isp1301_i2c_client->addr);
> @@ -3020,7 +3022,7 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
> pdev->dev.dma_mask = &lpc32xx_usbd_dmamask;
> retval = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
> if (retval)
> - return retval;
> + goto i2c_fail;
>
> udc->board = &lpc32xx_usbddata;
>
> @@ -3038,28 +3040,32 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
> /* Get IRQs */
> for (i = 0; i < 4; i++) {
> udc->udp_irq[i] = platform_get_irq(pdev, i);
> - if (udc->udp_irq[i] < 0)
> - return udc->udp_irq[i];
> + if (udc->udp_irq[i] < 0) {
> + retval = udc->udp_irq[i];
> + goto i2c_fail;
> + }
> }
>
> udc->udp_baseaddr = devm_platform_ioremap_resource(pdev, 0);
> if (IS_ERR(udc->udp_baseaddr)) {
> dev_err(udc->dev, "IO map failure\n");
> - return PTR_ERR(udc->udp_baseaddr);
> + retval = PTR_ERR(udc->udp_baseaddr);
> + goto i2c_fail;
> }
>
> /* Get USB device clock */
> udc->usb_slv_clk = devm_clk_get(&pdev->dev, NULL);
> if (IS_ERR(udc->usb_slv_clk)) {
> dev_err(udc->dev, "failed to acquire USB device clock\n");
> - return PTR_ERR(udc->usb_slv_clk);
> + retval = PTR_ERR(udc->usb_slv_clk);
> + goto i2c_fail;
> }
>
> /* Enable USB device clock */
> retval = clk_prepare_enable(udc->usb_slv_clk);
> if (retval < 0) {
> dev_err(udc->dev, "failed to start USB device clock\n");
> - return retval;
> + goto i2c_fail;
> }
>
> /* Setup deferred workqueue data */
> @@ -3161,6 +3167,8 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
> dma_free_coherent(&pdev->dev, UDCA_BUFF_SIZE,
> udc->udca_v_base, udc->udca_p_base);
> i2c_fail:
> + if (isp1301_acquired && udc->isp1301_i2c_client)
> + put_device(&udc->isp1301_i2c_client->dev);
> clk_disable_unprepare(udc->usb_slv_clk);
> dev_err(udc->dev, "%s probe failed, %d\n", driver_name, retval);
>
> @@ -3170,6 +3178,18 @@ static int lpc32xx_udc_probe(struct platform_device *pdev)
> static void lpc32xx_udc_remove(struct platform_device *pdev)
> {
> struct lpc32xx_udc *udc = platform_get_drvdata(pdev);
> + struct device *dev = &pdev->dev;
> + struct device_node *isp1301_node;
> + bool isp1301_acquired = false;
This bool isn't needed either, just trigger off of isp1301_node.
But really:
> +
> + /* Check if we acquired isp1301 via device tree */
> + if (dev->of_node) {
> + isp1301_node = of_parse_phandle(dev->of_node, "transceiver", 0);
Shouldn't this node be saved in the device structure instead? That's
the "correct" solution here.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-11-21 14:18 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-11-16 1:49 [PATCH] USB: Fix error handling in gadget driver Ma Ke
2025-11-21 14:04 ` Greg KH
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).