netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 0/3] misc bug fixes for the hso driver
@ 2020-08-05 12:07 Oliver Neukum
  2020-08-05 12:07 ` [PATCH 1/3] hso: fix bailout in error case of probe Oliver Neukum
                   ` (3 more replies)
  0 siblings, 4 replies; 5+ messages in thread
From: Oliver Neukum @ 2020-08-05 12:07 UTC (permalink / raw)
  To: netdev, davem

1. Code reuse led to an unregistration of a net driver that has not been
registered
2. The kernel complains generically if kmalloc with GFP_KERNEL fails
3. A race that can lead to an URB that is in use being reused or
a use after free


^ permalink raw reply	[flat|nested] 5+ messages in thread
* [PATCH 1/3] hso: fix bailout in error case of probe
  2020-08-05 12:07 [PATCH 0/3] misc bug fixes for the hso driver Oliver Neukum
@ 2020-08-05 12:07 ` Oliver Neukum
  2020-08-05 12:07 ` [PATCH 2/3] usb: hso: no complaint about kmalloc failure Oliver Neukum
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 5+ messages in thread
From: Oliver Neukum @ 2020-08-05 12:07 UTC (permalink / raw)
  To: netdev, davem; +Cc: Oliver Neukum

The driver tries to reuse code for disconnect in case
of a failed probe.
If resources need to be freed after an error in probe, the
netdev must not be freed because it has never been registered.
Fix it by telling the helper which path we are in.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/net/usb/hso.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index d2fdb5430d27..031a5ad25500 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2357,7 +2357,7 @@ static int remove_net_device(struct hso_device *hso_dev)
 }
 
 /* Frees our network device */
-static void hso_free_net_device(struct hso_device *hso_dev)
+static void hso_free_net_device(struct hso_device *hso_dev, bool bailout)
 {
 	int i;
 	struct hso_net *hso_net = dev2net(hso_dev);
@@ -2380,7 +2380,7 @@ static void hso_free_net_device(struct hso_device *hso_dev)
 	kfree(hso_net->mux_bulk_tx_buf);
 	hso_net->mux_bulk_tx_buf = NULL;
 
-	if (hso_net->net)
+	if (hso_net->net && !bailout)
 		free_netdev(hso_net->net);
 
 	kfree(hso_dev);
@@ -2556,7 +2556,7 @@ static struct hso_device *hso_create_net_device(struct usb_interface *interface,
 
 	return hso_dev;
 exit:
-	hso_free_net_device(hso_dev);
+	hso_free_net_device(hso_dev, true);
 	return NULL;
 }
 
@@ -3133,7 +3133,7 @@ static void hso_free_interface(struct usb_interface *interface)
 				rfkill_unregister(rfk);
 				rfkill_destroy(rfk);
 			}
-			hso_free_net_device(network_table[i]);
+			hso_free_net_device(network_table[i], false);
 		}
 	}
 }
-- 
2.16.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [PATCH 2/3] usb: hso: no complaint about kmalloc failure
  2020-08-05 12:07 [PATCH 0/3] misc bug fixes for the hso driver Oliver Neukum
  2020-08-05 12:07 ` [PATCH 1/3] hso: fix bailout in error case of probe Oliver Neukum
@ 2020-08-05 12:07 ` Oliver Neukum
  2020-08-05 12:07 ` [PATCH 3/3] usb: hso: remove bogus check for EINPROGRESS Oliver Neukum
  2020-08-06  0:44 ` [PATCH 0/3] misc bug fixes for the hso driver David Miller
  3 siblings, 0 replies; 5+ messages in thread
From: Oliver Neukum @ 2020-08-05 12:07 UTC (permalink / raw)
  To: netdev, davem; +Cc: Oliver Neukum

If this fails, kmalloc() will print a report including
a stack trace. There is no need for a separate complaint.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/net/usb/hso.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 031a5ad25500..5762876e3105 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -2465,10 +2465,9 @@ static void hso_create_rfkill(struct hso_device *hso_dev,
 				       &interface_to_usbdev(interface)->dev,
 				       RFKILL_TYPE_WWAN,
 				       &hso_rfkill_ops, hso_dev);
-	if (!hso_net->rfkill) {
-		dev_err(dev, "%s - Out of memory\n", __func__);
+	if (!hso_net->rfkill)
 		return;
-	}
+
 	if (rfkill_register(hso_net->rfkill) < 0) {
 		rfkill_destroy(hso_net->rfkill);
 		hso_net->rfkill = NULL;
-- 
2.16.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* [PATCH 3/3] usb: hso: remove bogus check for EINPROGRESS
  2020-08-05 12:07 [PATCH 0/3] misc bug fixes for the hso driver Oliver Neukum
  2020-08-05 12:07 ` [PATCH 1/3] hso: fix bailout in error case of probe Oliver Neukum
  2020-08-05 12:07 ` [PATCH 2/3] usb: hso: no complaint about kmalloc failure Oliver Neukum
@ 2020-08-05 12:07 ` Oliver Neukum
  2020-08-06  0:44 ` [PATCH 0/3] misc bug fixes for the hso driver David Miller
  3 siblings, 0 replies; 5+ messages in thread
From: Oliver Neukum @ 2020-08-05 12:07 UTC (permalink / raw)
  To: netdev, davem; +Cc: Oliver Neukum

This check an inherent race. It opens a race where
an error code has already been set or cleared yet
the URB has not been given back. We cannot do
such an optimization and must unlink unconditionally.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
---
 drivers/net/usb/hso.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 5762876e3105..2bb28db89432 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -831,8 +831,7 @@ static void hso_net_tx_timeout(struct net_device *net, unsigned int txqueue)
 	dev_warn(&net->dev, "Tx timed out.\n");
 
 	/* Tear the waiting frame off the list */
-	if (odev->mux_bulk_tx_urb &&
-	    (odev->mux_bulk_tx_urb->status == -EINPROGRESS))
+	if (odev->mux_bulk_tx_urb)
 		usb_unlink_urb(odev->mux_bulk_tx_urb);
 
 	/* Update statistics */
-- 
2.16.4


^ permalink raw reply related	[flat|nested] 5+ messages in thread
* Re: [PATCH 0/3] misc bug fixes for the hso driver
  2020-08-05 12:07 [PATCH 0/3] misc bug fixes for the hso driver Oliver Neukum
                   ` (2 preceding siblings ...)
  2020-08-05 12:07 ` [PATCH 3/3] usb: hso: remove bogus check for EINPROGRESS Oliver Neukum
@ 2020-08-06  0:44 ` David Miller
  3 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2020-08-06  0:44 UTC (permalink / raw)
  To: oneukum; +Cc: netdev

From: Oliver Neukum <oneukum@suse.com>
Date: Wed,  5 Aug 2020 14:07:06 +0200

> 1. Code reuse led to an unregistration of a net driver that has not been
> registered
> 2. The kernel complains generically if kmalloc with GFP_KERNEL fails
> 3. A race that can lead to an URB that is in use being reused or
> a use after free

Series applied, thanks Oliver.

^ permalink raw reply	[flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-08-06  0:45 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-08-05 12:07 [PATCH 0/3] misc bug fixes for the hso driver Oliver Neukum
2020-08-05 12:07 ` [PATCH 1/3] hso: fix bailout in error case of probe Oliver Neukum
2020-08-05 12:07 ` [PATCH 2/3] usb: hso: no complaint about kmalloc failure Oliver Neukum
2020-08-05 12:07 ` [PATCH 3/3] usb: hso: remove bogus check for EINPROGRESS Oliver Neukum
2020-08-06  0:44 ` [PATCH 0/3] misc bug fixes for the hso driver David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).