Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7f2b6d6e authored by Hemant Kumar's avatar Hemant Kumar
Browse files

usb: gadget: composite: Fix double free memory bug 



configfs_dev_cleanup function can double free os_desc
and buffer when called from different context. For
example, this can be called from composite_unbind() and
when composite_bind() fails. Fix this issue by setting
request and buffer pointer to NULL after kfree.

CRs-Fixed: 1013316
Change-Id: I6e87289627b23fc368f990fc7962854eeb3fbbc1
Signed-off-by: default avatarHemant Kumar <hemantk@codeaurora.org>
parent f5f7d651

drivers/usb/gadget/composite.c

+4 −0
Original line number Diff line number Diff line
@@ -2270,14 +2270,18 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev) 
			usb_ep_dequeue(cdev->gadget->ep0, cdev->os_desc_req);



		kfree(cdev->os_desc_req->buf);

		cdev->os_desc_req->buf = NULL;

		usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req);

		cdev->os_desc_req = NULL;

	}

	if (cdev->req) {

		if (cdev->setup_pending)

			usb_ep_dequeue(cdev->gadget->ep0, cdev->req);



		kfree(cdev->req->buf);

		cdev->req->buf = NULL;

		usb_ep_free_request(cdev->gadget->ep0, cdev->req);

		cdev->req = NULL;

	}

	cdev->next_string_id = 0;

	device_remove_file(&cdev->gadget->dev, &dev_attr_suspended);