On 2024-09-17 01:29:37 [+0300], Mikhail Arkhipov wrote:
> The function r8a66597_free_request is called to free r8a66597->ep0_req,
> but the pointer is not set to NULL afterward, which may lead to a double
> free if the function is called again.
>
> If the probe process fails and the r8a66597_probe function subsequently
> goes through its error handling path. Since r8a66597_free_request is called
> multiple times in different error handling sections, it leads to an attempt
> to free the same memory twice.
>
> Set r8a66597->ep0_req to NULL after calling r8a66597_free_request
> to prevent any further attempts to free this pointer.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Fixes: 0f91349b89f3 ("usb: gadget: convert all users to the new udc infrastructure")
> Signed-off-by: Mikhail Arkhipov <m.arhipov@xxxxxxx>
Looking at how the code looks now and how it looks back then, I simply
haven't seen it. I would suggest to instead assigning NULL simply remove
the second block. The request gets allocated shortly before
usb_add_gadget_udc() is invoked. It does not make sense to have this
conditional check all the way from clean_up2 where it is not allocated.
> drivers/usb/gadget/udc/r8a66597-udc.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/usb/gadget/udc/r8a66597-udc.c b/drivers/usb/gadget/udc/r8a66597-udc.c
> index db4a10a979f9..43b81cae7d17 100644
> --- a/drivers/usb/gadget/udc/r8a66597-udc.c
> +++ b/drivers/usb/gadget/udc/r8a66597-udc.c
> @@ -1952,12 +1952,14 @@ static int r8a66597_probe(struct platform_device *pdev)
>
> err_add_udc:
> r8a66597_free_request(&r8a66597->ep[0].ep, r8a66597->ep0_req);
> + r8a66597->ep0_req = NULL;
> clean_up2:
> if (r8a66597->pdata->on_chip)
> clk_disable_unprepare(r8a66597->clk);
>
> if (r8a66597->ep0_req)
> r8a66597_free_request(&r8a66597->ep[0].ep, r8a66597->ep0_req);
> + r8a66597->ep0_req = NULL;
>
> return ret;
> }
Sebastian
