Message ID | 20191113173222.33468-1-mika.westerberg@linux.intel.com (mailing list archive) |
---|---|
State | Mainlined |
Commit | ce91f1a43b37463f517155bdfbd525eb43adbd1a |
Headers | show |
Series | xhci: Fix memory leak in xhci_add_in_port() | expand |
On 13.11.2019 19.32, Mika Westerberg wrote: > When xHCI is part of Alpine or Titan Ridge Thunderbolt controller and > the xHCI device is hot-removed as a result of unplugging a dock for > example, the driver leaks memory it allocates for xhci->usb3_rhub.psi > and xhci->usb2_rhub.psi in xhci_add_in_port() as reported by kmemleak: > > unreferenced object 0xffff922c24ef42f0 (size 16): > comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s) > hex dump (first 16 bytes): > 21 00 0c 00 12 00 dc 05 23 00 e0 01 00 00 00 00 !.......#....... > backtrace: > [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7 > [<0000000001b6d775>] xhci_init+0x7c/0x160 > [<00000000db443fe3>] xhci_gen_setup+0x214/0x340 > [<00000000fdffd320>] xhci_pci_setup+0x48/0x110 > [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747 > [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4 > [<0000000021043861>] xhci_pci_probe+0x24/0x1c0 > [<00000000b9231f25>] local_pci_probe+0x3d/0x70 > [<000000006385c9d7>] pci_device_probe+0xd0/0x150 > [<0000000070241068>] really_probe+0xf5/0x3c0 > [<0000000061f35c0a>] driver_probe_device+0x58/0x100 > [<000000009da11198>] bus_for_each_drv+0x79/0xc0 > [<000000009ce45f69>] __device_attach+0xda/0x160 > [<00000000df201aaf>] pci_bus_add_device+0x46/0x70 > [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60 > [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60 > unreferenced object 0xffff922c24ef3318 (size 8): > comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s) > hex dump (first 8 bytes): > 34 01 05 00 35 41 0a 00 4...5A.. > backtrace: > [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7 > [<0000000001b6d775>] xhci_init+0x7c/0x160 > [<00000000db443fe3>] xhci_gen_setup+0x214/0x340 > [<00000000fdffd320>] xhci_pci_setup+0x48/0x110 > [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747 > [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4 > [<0000000021043861>] xhci_pci_probe+0x24/0x1c0 > [<00000000b9231f25>] local_pci_probe+0x3d/0x70 > [<000000006385c9d7>] pci_device_probe+0xd0/0x150 > [<0000000070241068>] really_probe+0xf5/0x3c0 > [<0000000061f35c0a>] driver_probe_device+0x58/0x100 > [<000000009da11198>] bus_for_each_drv+0x79/0xc0 > [<000000009ce45f69>] __device_attach+0xda/0x160 > [<00000000df201aaf>] pci_bus_add_device+0x46/0x70 > [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60 > [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60 > > Fix this by calling kfree() for the both psi objects in > xhci_mem_cleanup(). > > Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> > --- > I'm not 100% sure the kfree()s below are in correct place so please double > check :) > Thanks, looks good Nice catch Adding to queue with stable and fixes tags -Mathias
diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index e16eda6e2b8b..3b1388fa2f36 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -1909,13 +1909,17 @@ void xhci_mem_cleanup(struct xhci_hcd *xhci) xhci->usb3_rhub.num_ports = 0; xhci->num_active_eps = 0; kfree(xhci->usb2_rhub.ports); + kfree(xhci->usb2_rhub.psi); kfree(xhci->usb3_rhub.ports); + kfree(xhci->usb3_rhub.psi); kfree(xhci->hw_ports); kfree(xhci->rh_bw); kfree(xhci->ext_caps); xhci->usb2_rhub.ports = NULL; + xhci->usb2_rhub.psi = NULL; xhci->usb3_rhub.ports = NULL; + xhci->usb3_rhub.psi = NULL; xhci->hw_ports = NULL; xhci->rh_bw = NULL; xhci->ext_caps = NULL;
When xHCI is part of Alpine or Titan Ridge Thunderbolt controller and the xHCI device is hot-removed as a result of unplugging a dock for example, the driver leaks memory it allocates for xhci->usb3_rhub.psi and xhci->usb2_rhub.psi in xhci_add_in_port() as reported by kmemleak: unreferenced object 0xffff922c24ef42f0 (size 16): comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s) hex dump (first 16 bytes): 21 00 0c 00 12 00 dc 05 23 00 e0 01 00 00 00 00 !.......#....... backtrace: [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7 [<0000000001b6d775>] xhci_init+0x7c/0x160 [<00000000db443fe3>] xhci_gen_setup+0x214/0x340 [<00000000fdffd320>] xhci_pci_setup+0x48/0x110 [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747 [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4 [<0000000021043861>] xhci_pci_probe+0x24/0x1c0 [<00000000b9231f25>] local_pci_probe+0x3d/0x70 [<000000006385c9d7>] pci_device_probe+0xd0/0x150 [<0000000070241068>] really_probe+0xf5/0x3c0 [<0000000061f35c0a>] driver_probe_device+0x58/0x100 [<000000009da11198>] bus_for_each_drv+0x79/0xc0 [<000000009ce45f69>] __device_attach+0xda/0x160 [<00000000df201aaf>] pci_bus_add_device+0x46/0x70 [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60 [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60 unreferenced object 0xffff922c24ef3318 (size 8): comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s) hex dump (first 8 bytes): 34 01 05 00 35 41 0a 00 4...5A.. backtrace: [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7 [<0000000001b6d775>] xhci_init+0x7c/0x160 [<00000000db443fe3>] xhci_gen_setup+0x214/0x340 [<00000000fdffd320>] xhci_pci_setup+0x48/0x110 [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747 [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4 [<0000000021043861>] xhci_pci_probe+0x24/0x1c0 [<00000000b9231f25>] local_pci_probe+0x3d/0x70 [<000000006385c9d7>] pci_device_probe+0xd0/0x150 [<0000000070241068>] really_probe+0xf5/0x3c0 [<0000000061f35c0a>] driver_probe_device+0x58/0x100 [<000000009da11198>] bus_for_each_drv+0x79/0xc0 [<000000009ce45f69>] __device_attach+0xda/0x160 [<00000000df201aaf>] pci_bus_add_device+0x46/0x70 [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60 [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60 Fix this by calling kfree() for the both psi objects in xhci_mem_cleanup(). Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com> --- I'm not 100% sure the kfree()s below are in correct place so please double check :) drivers/usb/host/xhci-mem.c | 4 ++++ 1 file changed, 4 insertions(+)