From patchwork Wed Jul 27 22:24:34 2016
X-Patchwork-Submitter: Viresh Kumar
X-Patchwork-Id: 72915
From: Viresh Kumar
To: Greg Kroah-Hartman, Alan Stern
Cc: linaro-kernel@lists.linaro.org, Alex Elder, Johan Hovold, Viresh Kumar, "#4 . 4+", linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH] usb: hub: Fix unbalanced reference count and memory leak
Date: Wed, 27 Jul 2016 15:24:34 -0700
X-Mailer: git-send-email 2.7.4
X-Mailing-List: stable@vger.kernel.org

If the hub gets disconnected while the core is still activating it, this can result in leaking the memory of a few USB structures. This will happen if we have done a kref_get() from hub_activate() and scheduled a delayed work item for HUB_INIT2/3. Now if hub_disconnect() gets called before the delayed work expires, then we will cancel the work from hub_quiesce(), but wouldn't do a kref_put(). And so the imbalance.

kmemleak reports this as (with the commit e50293ef9775 backported to the 3.10 kernel with other changes, though the same is true for mainline as well):

unreferenced object 0xffffffc08af5b800 (size 1024):
  comm "khubd", pid 73, jiffies 4295051211 (age 6482.350s)
  hex dump (first 32 bytes):
    30 68 f3 8c c0 ff ff ff 00 a0 b2 2e c0 ff ff ff  0h..............
    01 00 00 00 00 00 00 00 00 94 7d 40 c0 ff ff ff  ..........}@....
  backtrace:
    [] create_object+0x148/0x2a0
    [] kmemleak_alloc+0x80/0xbc
    [] kmem_cache_alloc_trace+0x120/0x1ac
    [] hub_probe+0x120/0xb84
    [] usb_probe_interface+0x1ec/0x298
    [] driver_probe_device+0x160/0x374
    [] __device_attach+0x28/0x4c
    [] bus_for_each_drv+0x78/0xac
    [] device_attach+0x6c/0x9c
    [] bus_probe_device+0x28/0xa0
    [] device_add+0x324/0x604
    [] usb_set_configuration+0x660/0x6cc
    [] generic_probe+0x44/0x84
    [] usb_probe_device+0x54/0x74
    [] driver_probe_device+0x160/0x374
    [] __device_attach+0x28/0x4c

Fix this by putting the reference in hub_quiesce() if we cancelled a pending work item.

CC: #4.4+
Fixes: e50293ef9775 ("USB: fix invalid memory access in hub_activate()")
Signed-off-by: Viresh Kumar
---
Greg,

This is tested over 3.10 with backported patches only; sorry, I didn't have a mainline setup to test this out. :(

 drivers/usb/core/hub.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
index bee13517676f..3173693fa8e3 100644
--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -1315,7 +1315,8 @@ static void hub_quiesce(struct usb_hub *hub, enum hub_quiescing_type type)
 	struct usb_device *hdev = hub->hdev;
 	int i;
 
-	cancel_delayed_work_sync(&hub->init_work);
+	if (cancel_delayed_work_sync(&hub->init_work))
+		kref_put(&hub->kref, hub_release);
 
 	/* hub_wq and related activity won't re-trigger */
 	hub->quiescing = 1;
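Review bot: the new kref_put() in this hunk depends on an invariant that is only stated in the commit message, namely that every queued init_work carries exactly one reference taken in hub_activate() which the work function would otherwise release, so a reader who sees the return value of cancel_delayed_work_sync() driving reference counting may mistake it for a double put; please add a comment above the put, for example `/* the pending init work held a reference and never ran; drop it */`. Also, the hunk header shows hub_quiesce() takes an `enum hub_quiescing_type type`, so it is reached for more than the disconnect case described in the changelog; it is worth confirming that cancelling still-pending init work for the other quiescing types and dropping the reference there keeps the count balanced against whatever later re-activates the hub. The cover note says this was only tested on a 3.10 backport, so a mainline run of the disconnect-during-init case would strengthen the submission.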
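A user-space model of the reference-count bug described in the changelog, added here as an illustration and not kernel code: all function names are made-up stand-ins for the hub.c ones. The init work holds a reference that it drops only when it runs, so when a still-pending work item is cancelled the canceller must drop that reference, which is what the patch adds to hub_quiesce(); the model also shows that the fix does not put twice when the work already ran.

```c
/* Added example (not kernel code): a user-space model of the reference-count
 * bug this patch fixes. All names are made-up stand-ins for the hub.c ones. */
#include <stdbool.h>
#include <stdlib.h>

struct hub {
	int refcount;            /* stands in for struct kref */
	bool init_work_pending;  /* stands in for the queued delayed init work */
};
static int hubs_alive;       /* live hub objects after teardown: 1 = leak */
static struct hub *hub_alloc(void) {     /* hub_probe(): owns one reference */
	struct hub *h = calloc(1, sizeof(*h));
	h->refcount = 1;
	hubs_alive++;
	return h;
}
static void hub_put(struct hub *h) {     /* kref_put(&hub->kref, hub_release) */
	if (--h->refcount == 0) { hubs_alive--; free(h); }
}
static void hub_activate(struct hub *h) { /* kref_get(), then queue init work */
	h->refcount++;
	h->init_work_pending = true;
}
static void hub_init_work(struct hub *h) { /* the work drops its ref when it runs */
	h->init_work_pending = false;
	hub_put(h);
}
static bool cancel_init_work(struct hub *h) { /* cancel_delayed_work_sync() */
	bool was_pending = h->init_work_pending; /* true only if it never ran */
	h->init_work_pending = false;
	return was_pending;
}
static void hub_quiesce(struct hub *h, bool patched) {
	if (cancel_init_work(h) && patched)
		hub_put(h); /* the fix: cancelled work never dropped its reference */
}
/* Tear a hub down; work_ran says whether the init work ran before the
 * disconnect. Returns live hubs: 0 is balanced, 1 is the kmemleak case. */
int teardown(bool work_ran, bool patched) {
	hubs_alive = 0;
	struct hub *h = hub_alloc();
	hub_activate(h);
	if (work_ran)
		hub_init_work(h);
	hub_quiesce(h, patched); /* hub_disconnect() -> hub_quiesce() */
	hub_put(h);              /* hub_disconnect() drops the probe reference */
	return hubs_alive;
}
```

Only the unpatched disconnect-before-init path leaves a hub object alive, matching the one unreferenced object kmemleak reported.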