On Thu, Aug 13, 2020 at 11:19:49AM +0800, Peter Chen wrote:
> From: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
>
> As Anton and Evgeny have noted, the net2280 UDC driver has a problem
> with leaking memory along some of its failure pathways. It also has
> another problem, not previously noted, in that some of the failure
> pathways will call usb_del_gadget_udc() without first calling
> usb_add_gadget_udc_release(). And it leaks memory by calling kfree()
> when it should call put_device().
>
> Previous attempts to fix the problems have failed because of lack of
> support in the UDC core for separately initializing and adding
> gadgets, or for separately deleting and freeing gadgets. The previous
> patch in this series adds the necessary support, making it possible to
> fix the outstanding problems properly.
>
> This patch adds an "added" flag to the net2280 structure to indicate
> whether or not the gadget has been registered (and thus whether or not
> to call usb_del_gadget()), and it fixes the deallocation issues by
> calling usb_put_gadget() at the appropriate point.
>
> A similar memory leak issue, apparently never before recognized, stems
> from the fact that the driver never initializes the drvdata field in
> the gadget's embedded struct device! Evidently this wasn't noticed
> because the pointer is only ever used as an argument to kfree(), which
> doesn't mind getting called with a NULL pointer. In fact, the drvdata
> for gadget device will be written by usb_composite_dev structure if
> any gadget class is loaded, so it needs to use usb_gadget structure
> to get net2280 private data.
>
> CC: Benjamin Herrenschmidt <benh@xxxxxxxxxxxxxxxxxxx>
> Reported-by: Anton Vasilyev <vasilyev@xxxxxxxxx>
> Reported-by: Evgeny Novikov <novikov@xxxxxxxxx>
> Signed-off-by: Alan Stern <stern@xxxxxxxxxxxxxxxxxxx>
> ---
> drivers/usb/gadget/udc/net2280.c | 13 +++++++++----
> drivers/usb/gadget/udc/net2280.h | 1 +
> 2 files changed, 10 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/usb/gadget/udc/net2280.c b/drivers/usb/gadget/udc/net2280.c
> index 7530bd9a08c4..31e49cc34316 100644
> --- a/drivers/usb/gadget/udc/net2280.c
> +++ b/drivers/usb/gadget/udc/net2280.c
> @@ -3561,7 +3561,9 @@ static irqreturn_t net2280_irq(int irq, void *_dev)
>
> static void gadget_release(struct device *_dev)
> {
> - struct net2280 *dev = dev_get_drvdata(_dev);
> + struct usb_gadget *gadget = container_of(_dev,
> + struct usb_gadget, dev);
> + struct net2280 *dev = container_of(gadget, struct net2280, gadget);
Please change this to
struct net2280 *dev = container_of(_dev, struct net2280, gadget,dev);
And do the same for the net2272 patch.
Alan Stern
