Re: [PATCH] usb: core: Fix possible memleak in usb_add_gadget

On Sun, Sep 05, 2021 at 05:16:36PM +0200, Florian Faber wrote:
> Greg,
> 
> On 9/5/21 4:56 PM, Greg KH wrote:
> > On Sat, Sep 04, 2021 at 05:34:29PM +0200, Florian Faber wrote:
> > > The memory for the udc structure allocated via kzalloc in line 1295 is not
> > > freed in the error handling code, leading to a memory leak in case of an
> > > error.
> > > 
> > > Signed-off-by: Florian Faber <faber@xxxxxxxxxxx>
> > > 
> > > ---
> > >   drivers/usb/gadget/udc/core.c | 2 ++
> > >   1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
> > > index 14fdf918ecfe..a1270a44855a 100644
> > > --- a/drivers/usb/gadget/udc/core.c
> > > +++ b/drivers/usb/gadget/udc/core.c
> > > @@ -1346,6 +1346,8 @@ int usb_add_gadget(struct usb_gadget *gadget)
> > > 
> > >    err_put_udc:
> > >   	put_device(&udc->dev);
> > > +	kfree(udc);
> > > +	gadget->udc = NULL;
> > > 
> > >    error:
> > >   	return ret;
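
Review bot: the added kfree(udc) at err_put_udc runs immediately after put_device(&udc->dev), so it frees memory whose lifetime is already governed by the reference that was just dropped. As the reply's pointer to device_initialize() indicates, once the embedded device is initialized the containing structure is released through the device's release callback when the last reference goes, which makes this kfree() a double free and matches the use-after-free raised in the reply. Suggest dropping both added lines and keeping put_device() as the only cleanup on this path; if clearing gadget->udc is still wanted, it should be argued separately and ordered before the put.
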
> > > -- 
> > > 2.33.0
> > > 
> > > Flo
> > > -- 
> > > Machines can do the work, so people have time to think.
> > 
> > Did you test this?  I think you will find that you just caused a
> > use-after-free :(
> 
> Correct, please forget about this patch.
> 
> This 'leak' was found by Klocwork and seemed plausible at first oversight.
> Sorry for wasting your time and not checking it further.

What is "Klocwork"?  How can it miss the reference counted logic that
all drivers use in the kernel?

> > Please read the documentation for device_initialize() for why this is
> > not the correct thing to do here.
> 
> I know now :) It was a bit counterintuitive that two different methods are
> used for memory allocation and freeing.

The joy of reference counted stuff, sorry.

thanks,

greg k-h
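
The ownership rule discussed in this thread, as an added userspace example that is not part of the original mail or the kernel source: once an embedded, reference-counted device is initialized, only its release callback frees the containing structure. All model_* names are hypothetical stand-ins for device_initialize(), put_device() and the udc structure.

```c
/* Userspace model of refcounted device ownership (hypothetical names). */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

struct model_dev {
    int refcount;
    void (*release)(struct model_dev *dev);
};

struct model_udc {
    struct model_dev dev;       /* embedded, like udc->dev */
};

static int release_calls;       /* how many times the container was freed */

static void model_udc_release(struct model_dev *dev)
{
    struct model_udc *udc =
        (struct model_udc *)((char *)dev - offsetof(struct model_udc, dev));
    release_calls++;
    free(udc);                  /* the only place the container is freed */
}

static void model_dev_initialize(struct model_dev *dev)
{
    dev->refcount = 1;          /* from here on the refcount owns the memory */
}

static void model_put_dev(struct model_dev *dev)
{
    if (--dev->refcount == 0)
        dev->release(dev);
}

/* Error path modelled on err_put_udc: drop the reference and stop. */
static int model_add_gadget(int fail)
{
    struct model_udc *udc = calloc(1, sizeof(*udc));
    if (!udc)
        return -1;
    udc->dev.release = model_udc_release;
    model_dev_initialize(&udc->dev);
    model_put_dev(&udc->dev);   /* release() has freed udc at this point */
    /* A free(udc) here would be a double free: udc is already gone. */
    return fail ? -2 : 0;
}

int main(void)
{
    printf("ret=%d release_calls=%d\n", model_add_gadget(1), release_calls);
    return 0;
}
```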


