From 9b719c7119e77e8ddeefe4772c554d2863579c2b Mon Sep 17 00:00:00 2001 From: Alan Stern Date: Fri, 21 Aug 2020 10:55:46 +0800 Subject: [PATCH] USB: UDC: net2272: Fix memory leaks Like net2280 (on which it was based), the net2272 UDC driver has a problem with leaking memory along some of its failure pathways. It also has another problem, not previously noted, in that some of the failure pathways will call usb_del_gadget_udc() without first calling usb_add_gadget_udc_release(). And it leaks memory by calling kfree() when it should call put_device(). Until now it has been impossible to handle the memory leaks, because of lack of support in the UDC core for separately initializing and adding gadgets, or for separately deleting and freeing gadgets. An earlier patch in this series adds the necessary support, making it possible to fix the outstanding problems properly. This patch adds an "added" flag to the net2272 structure to indicate whether or not the gadget has been registered (and thus whether or not to call usb_del_gadget()), and it fixes the deallocation issues by calling usb_put_gadget() at the appropriate places. A similar memory leak issue, apparently never before recognized, stems from the fact that the driver never initializes the drvdata field in the gadget's embedded struct device! Evidently this wasn't noticed because the pointer is only ever used as an argument to kfree(), which doesn't mind getting called with a NULL pointer. In fact, the drvdata for gadget device will be written by usb_composite_dev structure if any gadget class is loaded, so it needs to use usb_gadget structure to get net2280 private data. CC: Anton Vasilyev CC: Evgeny Novikov CC: Benjamin Herrenschmidt Reviewed-by: Greg Kroah-Hartman Signed-off-by: Alan Stern Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi --- drivers/usb/gadget/udc/net2272.c | 23 +++++++++++++---------- drivers/usb/gadget/udc/net2272.h | 1 + 2 files changed, 14 insertions(+), 10 deletions(-) diff --git a/drivers/usb/gadget/udc/net2272.c b/drivers/usb/gadget/udc/net2272.c index 440bcb3b6c23..23a735641c3d 100644 --- a/drivers/usb/gadget/udc/net2272.c +++ b/drivers/usb/gadget/udc/net2272.c @@ -2195,7 +2195,8 @@ static int net2272_present(struct net2272 *dev) static void net2272_gadget_release(struct device *_dev) { - struct net2272 *dev = dev_get_drvdata(_dev); + struct net2272 *dev = container_of(_dev, struct net2272, gadget.dev); + kfree(dev); } @@ -2204,7 +2205,8 @@ net2272_gadget_release(struct device *_dev) static void net2272_remove(struct net2272 *dev) { - usb_del_gadget_udc(&dev->gadget); + if (dev->added) + usb_del_gadget(&dev->gadget); free_irq(dev->irq, dev); iounmap(dev->base_addr); device_remove_file(dev->dev, &dev_attr_registers); @@ -2234,6 +2236,7 @@ static struct net2272 *net2272_probe_init(struct device *dev, unsigned int irq) /* the "gadget" abstracts/virtualizes the controller */ ret->gadget.name = driver_name; + usb_initialize_gadget(dev, &ret->gadget, net2272_gadget_release); return ret; } @@ -2272,10 +2275,10 @@ net2272_probe_fin(struct net2272 *dev, unsigned int irqflags) if (ret) goto err_irq; - ret = usb_add_gadget_udc_release(dev->dev, &dev->gadget, - net2272_gadget_release); + ret = usb_add_gadget(&dev->gadget); if (ret) goto err_add_udc; + dev->added = 1; return 0; @@ -2450,7 +2453,7 @@ net2272_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) if (pci_enable_device(pdev) < 0) { ret = -ENODEV; - goto err_free; + goto err_put; } pci_set_master(pdev); @@ -2473,8 +2476,8 @@ net2272_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) err_pci: pci_disable_device(pdev); - err_free: - kfree(dev); + err_put: + usb_put_gadget(&dev->gadget); return ret; } @@ -2535,7 +2538,7 @@ net2272_pci_remove(struct pci_dev *pdev) pci_disable_device(pdev); - kfree(dev); + usb_put_gadget(&dev->gadget); } /* Table of matching PCI IDs */ @@ -2648,7 +2651,7 @@ net2272_plat_probe(struct platform_device *pdev) err_req: release_mem_region(base, len); err: - kfree(dev); + usb_put_gadget(&dev->gadget); return ret; } @@ -2663,7 +2666,7 @@ net2272_plat_remove(struct platform_device *pdev) release_mem_region(pdev->resource[0].start, resource_size(&pdev->resource[0])); - kfree(dev); + usb_put_gadget(&dev->gadget); return 0; } diff --git a/drivers/usb/gadget/udc/net2272.h b/drivers/usb/gadget/udc/net2272.h index 87d0ab9ffeeb..c669308111c2 100644 --- a/drivers/usb/gadget/udc/net2272.h +++ b/drivers/usb/gadget/udc/net2272.h @@ -441,6 +441,7 @@ struct net2272 { unsigned protocol_stall:1, softconnect:1, wakeup:1, + added:1, dma_eot_polarity:1, dma_dack_polarity:1, dma_dreq_polarity:1, -- 2.34.1