* [PATCH] usb: misc: fix improper handling of refcount in uss720_probe()
From: Hangyu Hua @ 2022-04-06 7:33 UTC
To: gregkh, mudongliangabcd; +Cc: linux-usb, linux-kernel, Hangyu Hua
usb_put_dev shouldn't be called when uss720_probe succeeds because of
priv->usbdev. At the same time, priv->usbdev shouldn't be set to NULL
before destroy_priv in uss720_disconnect because usb_put_dev is in
destroy_priv.
Fixes: dcb4b8ad6a44 ("misc/uss720: fix memory leak in uss720_probe")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
---
drivers/usb/misc/uss720.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/usb/misc/uss720.c b/drivers/usb/misc/uss720.c
index 748139d26263..e243c155511e 100644
--- a/drivers/usb/misc/uss720.c
+++ b/drivers/usb/misc/uss720.c
@@ -736,7 +736,6 @@ static int uss720_probe(struct usb_interface *intf,
parport_announce_port(pp);
usb_set_intfdata(intf, pp);
- usb_put_dev(usbdev);
return 0;
probe_abort:
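Review bot: with usb_put_dev(usbdev) removed before return 0, the success path of uss720_probe() relies on destroy_priv for the only drop of the device reference, but neither this hunk nor the changelog shows where that reference is taken. Name the matching get in the commit message, and check that the probe_abort: path still drops it exactly once so the error case neither leaks nor double-puts.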
@@ -754,13 +753,13 @@ static void uss720_disconnect(struct usb_interface *intf)
usb_set_intfdata(intf, NULL);
if (pp) {
priv = pp->private_data;
- priv->usbdev = NULL;
priv->pp = NULL;
dev_dbg(&intf->dev, "parport_remove_port\n");
parport_remove_port(pp);
parport_put_port(pp);
kill_all_async_requests_priv(priv);
kref_put(&priv->ref_count, destroy_priv);
+ priv->usbdev = NULL;
}
dev_dbg(&intf->dev, "disconnect done\n");
}
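Review bot: the added priv->usbdev = NULL; sits after kref_put(&priv->ref_count, destroy_priv);, so when that put drops the last reference the release callback has already run and this line writes into a structure the caller no longer owns. Nothing may touch priv after the put. Drop the added line; if usbdev only has to stay valid for the usb_put_dev in destroy_priv, removing the early assignment would cover that on its own.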
--
2.25.1
* Re: [PATCH] usb: misc: fix improper handling of refcount in uss720_probe()
From: Oliver Neukum @ 2022-04-06 11:47 UTC
To: Hangyu Hua, gregkh, mudongliangabcd; +Cc: linux-usb, linux-kernel
On 06.04.22 09:33, Hangyu Hua wrote:
> usb_put_dev shouldn't be called when uss720_probe succeeds because of
> priv->usbdev. At the same time, priv->usbdev shouldn't be set to NULL
> before destroy_priv in uss720_disconnect because usb_put_dev is in
> destroy_priv.
Hi,
I am sorry, but that's a clear NACK.
> @@ -754,13 +753,13 @@ static void uss720_disconnect(struct usb_interface *intf)
> usb_set_intfdata(intf, NULL);
> if (pp) {
> priv = pp->private_data;
> - priv->usbdev = NULL;
> priv->pp = NULL;
> dev_dbg(&intf->dev, "parport_remove_port\n");
> parport_remove_port(pp);
> parport_put_port(pp);
> kill_all_async_requests_priv(priv);
> kref_put(&priv->ref_count, destroy_priv);
> + priv->usbdev = NULL;
That is a clear use after free. The patch is no good in this state.
HTH
Oliver
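
The ownership rule this thread turns on, as an added example that is not part of the original messages or of the uss720 driver: a user-space C model in which the private structure owns one device reference from probe until its release callback, and nothing touches the structure after the put. All names (`dev_get`, `priv_put`, `probe_model`, `disconnect_model`, `run_lifecycle`) are hypothetical stand-ins, and plain integers replace the kernel's refcount types.

```c
#include <stdlib.h>

/* User-space model with hypothetical names; not kernel or driver code. */
struct dev  { int refs; };                      /* stands in for the USB device */
struct priv { int refs; struct dev *usbdev; };  /* stands in for the private data */

static int priv_released;   /* how many times the release callback ran */
static int dev_at_release;  /* device refcount seen on entry to release */

static struct dev *dev_get(struct dev *d) { d->refs++; return d; }
static void dev_put(struct dev *d) { d->refs--; }

/* Release callback: the single place that drops the device ref and frees priv. */
static void destroy_priv_model(struct priv *p)
{
    priv_released++;
    dev_at_release = p->usbdev->refs;   /* usbdev must still be set here */
    dev_put(p->usbdev);
    free(p);
}

/* Returns 1 when this put released the object; p is invalid after that. */
static int priv_put(struct priv *p)
{
    if (--p->refs == 0) { destroy_priv_model(p); return 1; }
    return 0;
}

static struct priv *probe_model(struct dev *d)
{
    struct priv *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->refs = 1;
    p->usbdev = dev_get(d);   /* reference owned by priv until release */
    return p;                 /* success path: no dev_put() here */
}

/* Disconnect: field updates, if any, come before the put; nothing after it. */
static int disconnect_model(struct priv *p) { return priv_put(p); }

/* One probe/disconnect cycle; returns the device refcount afterwards. */
static int run_lifecycle(struct dev *d, int extra_holders)
{
    struct priv *p = probe_model(d);
    if (!p) return -1;
    p->refs += extra_holders;            /* e.g. requests still in flight */
    int freed = disconnect_model(p);
    while (!freed) freed = priv_put(p);  /* remaining holders drop theirs */
    return d->refs;
}
```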
* Re: [PATCH] usb: misc: fix improper handling of refcount in uss720_probe()
From: Hangyu Hua @ 2022-04-07 1:55 UTC
To: Oliver Neukum, gregkh, mudongliangabcd; +Cc: linux-usb, linux-kernel
Oh, I'm sorry. Thank you for your reminder. I will remake a patch carefully.
On 2022/4/6 19:47, Oliver Neukum wrote:
>
>
> On 06.04.22 09:33, Hangyu Hua wrote:
>> usb_put_dev shouldn't be called when uss720_probe succeeds because of
>> priv->usbdev. At the same time, priv->usbdev shouldn't be set to NULL
>> before destroy_priv in uss720_disconnect because usb_put_dev is in
>> destroy_priv.
>
> Hi,
>
> I am sorry, but that's a clear NACK.
>> @@ -754,13 +753,13 @@ static void uss720_disconnect(struct usb_interface *intf)
>> usb_set_intfdata(intf, NULL);
>> if (pp) {
>> priv = pp->private_data;
>> - priv->usbdev = NULL;
>> priv->pp = NULL;
>> dev_dbg(&intf->dev, "parport_remove_port\n");
>> parport_remove_port(pp);
>> parport_put_port(pp);
>> kill_all_async_requests_priv(priv);
>> kref_put(&priv->ref_count, destroy_priv);
>> + priv->usbdev = NULL;
>
> That is a clear use after free. The patch is no good in this state.
>
> HTH
> Oliver
>