Re: [PATCH v4] char: xillybus: Check endpoint type at probe time

From: Eli Billauer
Date: Mon Jun 06 2022 - 05:28:56 EST

Next message: Lina Wang: "[PATCH v3] selftests net: fix bpf build error"
Previous message: Barry Song: "Re: [PATCH v11 07/14] mm: multi-gen LRU: exploit locality in rmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 31/05/22 08:44, Zheyu Ma wrote:

static int xillyusb_setup_base_eps(struct xillyusb_dev *xdev)
{
+ if (xillyusb_check_endpoint(xdev, IN_EP_NUM | USB_DIR_IN) ||
+ xillyusb_check_endpoint(xdev, MSG_EP_NUM | USB_DIR_OUT))
+ return -EINVAL;
+
xdev->msg_ep = endpoint_alloc(xdev, MSG_EP_NUM | USB_DIR_OUT,
bulk_out_work, 1, 2);
if (!xdev->msg_ep)
@@ -1962,6 +1986,10 @@ static int setup_channels(struct xillyusb_dev *xdev,
chan->out_log2_element_size = out_desc& 0x0f;
chan->out_log2_fifo_size =
((out_desc>> 8)& 0x1f) + 16;
+ if (xillyusb_check_endpoint(xdev, (i+2) | USB_DIR_OUT)) {
+ kfree(xdev->channels);
+ return -EINVAL;
+ }
}
}

I just checked this against hardware, and made it fail deliberately by replacing the (i+2) part with (i+3). I got a kernel memory corruption, because xdev->channels was freed twice: Once in the snippet above, and a second time in cleanup_dev().

So the kfree() call here should go away. xdev->channels is freed when xdev's reference count goes to zero.

Thanks,
Eli

Next message: Lina Wang: "[PATCH v3] selftests net: fix bpf build error"
Previous message: Barry Song: "Re: [PATCH v11 07/14] mm: multi-gen LRU: exploit locality in rmap"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]