[1/3] usb: gadget: storage: Fix reference count if fsg_alloc

linux-usb.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [1/3] usb: gadget: storage: Fix reference count if fsg_alloc_inst() failed
@ 2018-06-14  9:23 Jaejoong Kim
  0 siblings, 0 replies; 3+ messages in thread
From: Jaejoong Kim @ 2018-06-14  9:23 UTC (permalink / raw)
  To: Felipe Balbi, Greg Kroah-Hartman, Krzysztof Opasiak, Alan Stern; +Cc: linux-usb

The reference count is initialized in fsg_alloc_inst(). So if
fsg_alloc_inst() fails, we need to add kref_put() to free an
allocated memory.

Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
---
 drivers/usb/gadget/function/f_mass_storage.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
index acecd13..83eeafe 100644
--- a/drivers/usb/gadget/function/f_mass_storage.c
+++ b/drivers/usb/gadget/function/f_mass_storage.c
@@ -3392,6 +3392,7 @@ static struct usb_function_instance *fsg_alloc_inst(void)
 release_buffers:
 	fsg_common_free_buffers(opts->common);
 release_opts:
+	fsg_common_put(opts->common);
 	kfree(opts);
 	return ERR_PTR(rc);
 }

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* [1/3] usb: gadget: storage: Fix reference count if fsg_alloc_inst() failed
@ 2018-06-14 14:55 Alan Stern
  0 siblings, 0 replies; 3+ messages in thread
From: Alan Stern @ 2018-06-14 14:55 UTC (permalink / raw)
  To: Jaejoong Kim
  Cc: Michal Nazarewicz, Felipe Balbi, Greg Kroah-Hartman,
	Krzysztof Opasiak, USB list

On Thu, 14 Jun 2018, Jaejoong Kim wrote:

> The reference count is initialized in fsg_alloc_inst(). So if
> fsg_alloc_inst() fails, we need to add kref_put() to free an
> allocated memory.
> 
> Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
> ---
>  drivers/usb/gadget/function/f_mass_storage.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/usb/gadget/function/f_mass_storage.c b/drivers/usb/gadget/function/f_mass_storage.c
> index acecd13..83eeafe 100644
> --- a/drivers/usb/gadget/function/f_mass_storage.c
> +++ b/drivers/usb/gadget/function/f_mass_storage.c
> @@ -3392,6 +3392,7 @@ static struct usb_function_instance *fsg_alloc_inst(void)
>  release_buffers:
>  	fsg_common_free_buffers(opts->common);
>  release_opts:
> +	fsg_common_put(opts->common);
>  	kfree(opts);
>  	return ERR_PTR(rc);
>  }

I'm not at all sure about this.  Michal is a lot more familiar with 
this part of the code than I am.

It looks like there's a memory leak if fsg_common_release() isn't 
called here.  But if it is called at this point, it might not behave 
properly.

Alan Stern
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 3+ messages in thread

* [1/3] usb: gadget: storage: Fix reference count if fsg_alloc_inst() failed
@ 2018-06-26  9:04 Michał Nazarewicz
  0 siblings, 0 replies; 3+ messages in thread
From: Michał Nazarewicz @ 2018-06-26  9:04 UTC (permalink / raw)
  To: Jaejoong Kim
  Cc: Alan Stern, Felipe Balbi, Greg KH, Krzysztof Opasiak, USB list

2018-06-22 2:23 GMT+01:00 Jaejoong Kim <climbbb.kim@gmail.com>:
> Hi Michal,
>
> Could you check this patch?

Sorry about long delay, I haven’t settled in my new place yet (which
is also why I’m using Gmail).

> 2018년 6월 14일 (목) 오후 11:55, Alan Stern <stern@rowland.harvard.edu>님이 작성:
>>
>> On Thu, 14 Jun 2018, Jaejoong Kim wrote:
>>
>> > The reference count is initialized in fsg_alloc_inst(). So if
>> > fsg_alloc_inst() fails, we need to add kref_put() to free an
>> > allocated memory.
>> >
>> > Signed-off-by: Jaejoong Kim <climbbb.kim@gmail.com>
>> > ---
>> >  drivers/usb/gadget/function/f_mass_storage.c | 1 +
>> >  1 file changed, 1 insertion(+)
>> >
>> > diff --git a/drivers/usb/gadget/function/f_mass_storage.c
>> > b/drivers/usb/gadget/function/f_mass_storage.c
>> > index acecd13..83eeafe 100644
>> > --- a/drivers/usb/gadget/function/f_mass_storage.c
>> > +++ b/drivers/usb/gadget/function/f_mass_storage.c
>> > @@ -3392,6 +3392,7 @@ static struct usb_function_instance
>> > *fsg_alloc_inst(void)
>> >  release_buffers:
>> >       fsg_common_free_buffers(opts->common);
>> >  release_opts:
>> > +     fsg_common_put(opts->common);
>> >       kfree(opts);
>> >       return ERR_PTR(rc);
>> >  }

This looks legitimate but in the current form could lead to dereference
of an uninitialized pointer. Furthermore, calling free_buffers is no longer
necessary.  To solve the dereference problem, add

        commo->buffhds = NULL;

to fsg_common_setup (or add memset(common, 0, sizeof *common)
to the path without kzalloc). With that, the the two error handling labels
can be collapsed to one:

error:
      fsg_common_put(opts->common);
      kfree(opts);
      return ERR_PTR(rc);

>>
>> I'm not at all sure about this.  Michal is a lot more familiar with
>> this part of the code than I am.
>>
>> It looks like there's a memory leak if fsg_common_release() isn't
>> called here.  But if it is called at this point, it might not behave
>> properly.
>>
>> Alan Stern
>>
>
---
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2018-06-26  9:04 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-06-14  9:23 [1/3] usb: gadget: storage: Fix reference count if fsg_alloc_inst() failed Jaejoong Kim
  -- strict thread matches above, loose matches on Subject: below --
2018-06-14 14:55 Alan Stern
2018-06-26  9:04 Michał Nazarewicz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).