[BUG]drivers: usb: serial: mos7840.c: dangling pointer in function mos7840_open

[BUG]drivers: usb: serial: mos7840.c: dangling pointer in function mos7840_open

[nil Yi]

Hi, there is a dangling pointer in mos7840_port->write_urb_pool[j]  in function
mos7840_open in v5.14-rc3.

in function mos7840_open err path :

717: err:
718: for (j = 0; j < NUM_URBS; ++j) {
719: urb = mos7840_port->write_urb_pool[j];
720:  if (!urb)
721:     continue;
722: kfree(urb->transfer_buffer);
723:  usb_free_urb(urb);
}

leave a dangling pointer here,  I'm not sure whether it  can be
triggered somewhere.

Any feedback would be appreciated, thanks :)


Best wishes,
Nil Yi

Re: [BUG]drivers: usb: serial: mos7840.c: dangling pointer in function mos7840_open

[Greg KH]

On Sun, Aug 01, 2021 at 05:03:30PM +0800, nil Yi wrote:
> Hi, there is a dangling pointer in mos7840_port->write_urb_pool[j]  in function
> mos7840_open in v5.14-rc3.
> 
> in function mos7840_open err path :
> 
> 717: err:
> 718: for (j = 0; j < NUM_URBS; ++j) {
> 719: urb = mos7840_port->write_urb_pool[j];
> 720:  if (!urb)
> 721:     continue;
> 722: kfree(urb->transfer_buffer);
> 723:  usb_free_urb(urb);
> }
> 
> leave a dangling pointer here,  I'm not sure whether it  can be
> triggered somewhere.

What exactly do you mean by "dangling pointer"?  What specifically is
the bug here?

thanks,

greg k-h

Re: [BUG]drivers: usb: serial: mos7840.c: dangling pointer in function mos7840_open

[nil Yi]

Sorry for the ambiguous description. I mean after usb_free_urb(urb) at line 723,
do we need set NULL to mos7840_port->write_urb_pool[j], otherwise the
freed urb pointer
may be used somewhere?

Sorry for the non-specfic comment again.

thanks,

Nil Yi


Greg KH <gregkh@linuxfoundation.org> 于2021年8月1日周日 下午8:15写道：
>
> On Sun, Aug 01, 2021 at 05:03:30PM +0800, nil Yi wrote:
> > Hi, there is a dangling pointer in mos7840_port->write_urb_pool[j]  in function
> > mos7840_open in v5.14-rc3.
> >
> > in function mos7840_open err path :
> >
> > 717: err:
> > 718: for (j = 0; j < NUM_URBS; ++j) {
> > 719: urb = mos7840_port->write_urb_pool[j];
> > 720:  if (!urb)
> > 721:     continue;
> > 722: kfree(urb->transfer_buffer);
> > 723:  usb_free_urb(urb);
> > }
> >
> > leave a dangling pointer here,  I'm not sure whether it  can be
> > triggered somewhere.
>
> What exactly do you mean by "dangling pointer"?  What specifically is
> the bug here?
>
> thanks,
>
> greg k-h

Re: [BUG]drivers: usb: serial: mos7840.c: dangling pointer in function mos7840_open

[Greg KH]

A: http://en.wikipedia.org/wiki/Top_post
Q: Were do I find info about this thing called top-posting?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

A: No.
Q: Should I include quotations after my reply?

http://daringfireball.net/2007/07/on_top


On Sat, Aug 07, 2021 at 11:45:54AM +0800, nil Yi wrote:
> Sorry for the ambiguous description. I mean after usb_free_urb(urb) at line 723,
> do we need set NULL to mos7840_port->write_urb_pool[j], otherwise the
> freed urb pointer
> may be used somewhere?

How exactly could it be "used somewhere"?  I do not understand the
problem that you are trying to point out here.  Perhaps you could make a
patch to show how you think it needs to be fixed?

thanks,

greg k-h