| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 25 Sep 2015 11:25:16 +0100
From: Felipe Tonello <eu@...ipetonello.com>
To: Peter Chen <peter.chen@...escale.com>
Cc: USB list <linux-usb@...r.kernel.org>,
Kernel development list <linux-kernel@...r.kernel.org>,
Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
Felipe Balbi <balbi@...com>,
Andrzej Pietrasiewicz <andrzej.p@...sung.com>
Subject: Re: [PATCH 3/3] usb: gadget: f_midi: free request when usb_ep_queue fails
On Fri, Sep 25, 2015 at 10:02 AM, Peter Chen <peter.chen@...escale.com> wrote:
> On Fri, Sep 25, 2015 at 09:27:49AM +0100, Felipe Tonello wrote:
>> On Thu, Sep 24, 2015 at 2:20 AM, Peter Chen <peter.chen@...escale.com> wrote:
>> > On Wed, Sep 23, 2015 at 12:40:46PM +0100, Felipe Tonello wrote:
>> >> Hi Peter,
>> >>
>> >> On Wed, Sep 23, 2015 at 8:09 AM, Peter Chen <peter.chen@...escale.com> wrote:
>> >> > On Tue, Sep 22, 2015 at 07:59:10PM +0100, Felipe F. Tonello wrote:
>> >> >> This fix a memory leak that will occur in this case.
>> >> >>
>> >> >> Signed-off-by: Felipe F. Tonello <eu@...ipetonello.com>
>> >> >> ---
>> >> >> drivers/usb/gadget/function/f_midi.c | 4 +++-
>> >> >> 1 file changed, 3 insertions(+), 1 deletion(-)
>> >> >>
>> >> >> diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
>> >> >> index e92aff5..e6a114b 100644
>> >> >> --- a/drivers/usb/gadget/function/f_midi.c
>> >> >> +++ b/drivers/usb/gadget/function/f_midi.c
>> >> >> @@ -550,9 +550,11 @@ static void f_midi_transmit(struct f_midi *midi, struct usb_request *req)
>> >> >> int err;
>> >> >>
>> >> >> err = usb_ep_queue(ep, req, GFP_ATOMIC);
>> >> >> - if (err < 0)
>> >> >> + if (err < 0) {
>> >> >> ERROR(midi, "%s queue req: %d\n",
>> >> >> midi->in_ep->name, err);
>> >> >> + free_ep_req(ep, req);
>> >> >> + }
>> >> >> } else {
>> >> >> free_ep_req(ep, req);
>> >> >> }
>> >> >> --
>> >> >> 2.1.4
>> >> >>
>> >> >
>> >> > I may know your problem, current midi library, alsa and this driver
>> >> > allow device sends as much data as possible, but without block the
>> >> > sending until host reads data, it only allocates the request buffer
>> >> > (using midi_alloc_ep_req), but without free, so after you send
>> >> > enough data, it is out of memory.
>> >>
>> >> Yes. Also there is the case where the usb cable is not conected, thus
>> >> failing to hardware enqueue the request, causing a memory leak on this
>> >> request.
>> >>
>> >
>> > If the usb cable is not connected, the related endpoints should be
>> > not enabled. Would you really observe enqueue the request without
>> > cable connected?
>>
>> The usb_ep_queue() returns an error if it is not connected, causing
>> the request never to be freed and never to be queued. Thus a memory
>> leak happens.
>>
>
> If it is not connected, the ep is not enabled, why we will call
> usb_ep_queue? If it really does, there must be something wrong.
Ok. I can do another patch to check for that. But this patch still
applies, because if for some reason the usb_ep_queue() returns an
error, it will not leak memory.
Felipe
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists