Re: [PATCH v2 1/2] USB: core: add a memory pool to urb for host-controller private data
From: David Wang
Date: Fri May 16 2025 - 13:14:29 EST
At 2025-05-14 20:03:02, "Oliver Neukum" <oneukum@xxxxxxxx> wrote:
>
>
>On 14.05.25 13:51, David Wang wrote:
>
>> I am not quite sure about the concern here, do you mean somebody create a urb,
>> and then usb_init_urb() here, and never use urb_destroy to release it?
>
>Yes.
>
>>
>> That would cause memory leak if urb_destroy is not called......But is this really possible?.
>
>I think a few drivers under drivers/media do so.
I search through codes, some drivers will use usb_free_urb which would invoke urb_destroy;
But there are indeed several drivers use urb as a struct member, which is not directly kmalloced and
should not be kfreed via usb_free_urb..... It would involve lots of changes.....
On the bright side, when I made the code check, I notice something off:
in drivers/net/wireless/realtek/rtl8xxxu/core.c
5168 usb_free_urb(&tx_urb->urb);
5868 usb_free_urb(&rx_urb->urb);
5890 usb_free_urb(&rx_urb->urb);
5938 usb_free_urb(&rx_urb->urb);
usb_free_urb would kfree the urb pointer, which would be wrong here since rx_urb and tx_urb defined
in drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h
1944 struct rtl8xxxu_rx_urb {
1945 struct urb urb;
1946 struct ieee80211_hw *hw;
1947 struct list_head list;
1948 };
1949
1950 struct rtl8xxxu_tx_urb {
1951 struct urb urb;
1952 struct ieee80211_hw *hw;
1953 struct list_head list;
1954 };
Hi, Jes
Would you take a look? I feel usb_free_urb needs a pointer which is allokedd directly, but I would be wrong.....
Thanks
David
>
> Regards
> Oliver