On Tue, Nov 05, 2024 at 08:11:47PM -0800, Chang Yu wrote:
> syzkaller reported a double free bug
> (https://syzkaller.appspot.com/bug?extid=3e563d99e70973c0755c) in
> raw_release.
>
> From the stack traces it looks like either raw_release was invoked
> twice or there were some between kref_get in raw_ioctl_run and
> kref_put raw_release. But these should not be possible. We need
> more logs to understand the cause.
>
> Make raw_release and raw_ioctl_run report the ref count before
> and after get/put to help debug this.
>
> Signed-off-by: Chang Yu <marcus.yu.56@xxxxxxxxx>
> Reported-by: syzbot+3e563d99e70973c0755c@xxxxxxxxxxxxxxxxxxxxxxxxx
> Link: https://syzkaller.appspot.com/bug?extid=3e563d99e70973c0755c
> ---
>  drivers/usb/gadget/legacy/raw_gadget.c | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
>
> diff --git a/drivers/usb/gadget/legacy/raw_gadget.c b/drivers/usb/gadget/legacy/raw_gadget.c
> index 112fd18d8c99..ac4e319c743f 100644
> --- a/drivers/usb/gadget/legacy/raw_gadget.c
> +++ b/drivers/usb/gadget/legacy/raw_gadget.c
> @@ -194,6 +194,8 @@ static struct raw_dev *dev_new(void)
>  		return NULL;
>  	/* Matches kref_put() in raw_release(). */
>  	kref_init(&dev->count);
> +	dev_dbg(dev->dev, "%s kref count initialized: %d\n",
> +		__func__, kref_read(&dev->count));

Please note that you never need to add a __func__ to a dev_dbg() call, as
it is already present automatically for you.

thanks,

greg k-h
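Review bot: The kref_read() in the added dev_dbg() in dev_new() will always report 1, since it is evaluated immediately after kref_init(&dev->count) on the same line above it, so this particular trace adds nothing to the double-free investigation; the reads worth logging are the ones around the kref_get() in raw_ioctl_run and the kref_put() in raw_release that the commit message describes. Consider dropping this hunk and, for the get/put sites, keep in mind that a kref_read() snapshot taken outside the lock can race with a concurrent get/put, so pair the printed count with the task/PID (dev_dbg already prefixes the function name) when reading the logs.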