Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7fafcfdf authored by Yavuz, Tuba's avatar Yavuz, Tuba Committed by Greg Kroah-Hartman
Browse files

USB: gadget: f_midi: fixing a possible double-free in f_midi 



It looks like there is a possibility of a double-free vulnerability on an
error path of the f_midi_set_alt function in the f_midi driver. If the
path is feasible then free_ep_req gets called twice:

         req->complete = f_midi_complete;
         err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
            => ...
             usb_gadget_giveback_request
               =>
                 f_midi_complete (CALLBACK)
                   (inside f_midi_complete, for various cases of status)
                   free_ep_req(ep, req); // first kfree
         if (err) {
                 ERROR(midi, "%s: couldn't enqueue request: %d\n",
                             midi->out_ep->name, err);
                 free_ep_req(midi->out_ep, req); // second kfree
                 return err;
         }

The double-free possibility was introduced with commit ad0d1a05
("usb: gadget: f_midi: fix leak on failed to enqueue out requests").

Found by MOXCAFE tool.

Signed-off-by: default avatarTuba Yavuz <tuba@ece.ufl.edu>
Fixes: ad0d1a05 ("usb: gadget: f_midi: fix leak on failed to enqueue out requests")
Acked-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 4d8d5a39

drivers/usb/gadget/function/f_midi.c

+2 −1
Original line number Diff line number Diff line
@@ -404,6 +404,7 @@ static int f_midi_set_alt(struct usb_function *f, unsigned intf, unsigned alt) 
		if (err) {

			ERROR(midi, "%s: couldn't enqueue request: %d\n",

				    midi->out_ep->name, err);

			if (req->buf != NULL)

				free_ep_req(midi->out_ep, req);

			return err;

		}

drivers/usb/gadget/u_f.h

+2 −0
Original line number Diff line number Diff line
@@ -61,7 +61,9 @@ struct usb_request *alloc_ep_req(struct usb_ep *ep, size_t len); 
/* Frees a usb_request previously allocated by alloc_ep_req() */

static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)

{

	WARN_ON(req->buf == NULL);

	kfree(req->buf);

	req->buf = NULL;

	usb_ep_free_request(ep, req);

}