usb: gadget: Fix double free of device descriptor pointers

Message ID	1618862240-5965-1-git-send-email-wcheng@codeaurora.org (mailing list archive)
State	Superseded
Headers	show Return-Path: <linux-usb-owner@kernel.org> Date: Subject: Cc: To: From: Sender; bh=AvrEgEbjYaBKxlur+JILsbveSoz50Kp16VLzJNNL5+I=; b=ot9lDOlEyuR5ahgdvT28T1ekBoqJi+TxUutDLCKSAJfQ6UFb3bfdr27QPe25Hjm9U+VmWBAV wnARw0uciuU5qJ0vFW0TGx9/O5iXC6D8cGT+Z+kTqFEONlZJ2Z1rvJ0ZQeElchXWmV6Ylunp isZj1/rrd5MW8JVOU/3IK/Q3BFQ= Sender: wcheng=codeaurora.org@mg.codeaurora.org sender: wcheng) by smtp.codeaurora.org (Postfix) with ESMTPSA id 77B6BC433D3; Mon, 19 Apr 2021 19:57:23 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 77B6BC433D3 From: Wesley Cheng <wcheng@codeaurora.org> To: balbi@kernel.org, gregkh@linuxfoundation.org Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, jackp@codeaurora.org, Hemant Kumar <hemantk@codeaurora.org>, Wesley Cheng <wcheng@codeaurora.org> Subject: [PATCH] usb: gadget: Fix double free of device descriptor pointers Date: Mon, 19 Apr 2021 12:57:20 -0700 Message-Id: <1618862240-5965-1-git-send-email-wcheng@codeaurora.org> Precedence: bulk
Series	usb: gadget: Fix double free of device descriptor pointers \| expand usb: gadget: Fix double free of device descriptor pointers

Message ID

1618862240-5965-1-git-send-email-wcheng@codeaurora.org (mailing list archive)

State

Superseded

Headers

Sender: wcheng=codeaurora.org@mg.codeaurora.org
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 77B6BC433D3
From: Wesley Cheng <wcheng@codeaurora.org>
To: balbi@kernel.org, gregkh@linuxfoundation.org
Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org,
        jackp@codeaurora.org, Hemant Kumar <hemantk@codeaurora.org>,
        Wesley Cheng <wcheng@codeaurora.org>
Subject: [PATCH] usb: gadget: Fix double free of device descriptor pointers
Date: Mon, 19 Apr 2021 12:57:20 -0700
Message-Id: <1618862240-5965-1-git-send-email-wcheng@codeaurora.org>
Precedence: bulk

Series

usb: gadget: Fix double free of device descriptor pointers | expand

Commit Message

Wesley Cheng April 19, 2021, 7:57 p.m. UTC

From: Hemant Kumar <hemantk@codeaurora.org>

Upon driver unbind usb_free_all_descriptors() function frees all
speed descriptor pointers without setting them to NULL. In case
gadget speed changes (i.e from super speed plus to super speed)
after driver unbind only upto super speed descriptor pointers get
populated. Super speed plus desc still holds the stale (already
freed) pointer. Fix this issue by setting all descriptor pointers
to NULL after freeing them in usb_free_all_descriptors().

Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
---
 drivers/usb/gadget/config.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Peter Chen April 20, 2021, 12:54 a.m. UTC | #1

On 21-04-19 12:57:20, Wesley Cheng wrote:
> From: Hemant Kumar <hemantk@codeaurora.org>
> 
> Upon driver unbind usb_free_all_descriptors() function frees all
> speed descriptor pointers without setting them to NULL. In case
> gadget speed changes (i.e from super speed plus to super speed)
> after driver unbind only upto super speed descriptor pointers get
> populated. Super speed plus desc still holds the stale (already
> freed) pointer. Fix this issue by setting all descriptor pointers
> to NULL after freeing them in usb_free_all_descriptors().
> 
> Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
> Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
> ---
>  drivers/usb/gadget/config.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/usb/gadget/config.c b/drivers/usb/gadget/config.c
> index 2d11535..8bb2577 100644
> --- a/drivers/usb/gadget/config.c
> +++ b/drivers/usb/gadget/config.c
> @@ -194,9 +194,13 @@ EXPORT_SYMBOL_GPL(usb_assign_descriptors);
>  void usb_free_all_descriptors(struct usb_function *f)
>  {
>  	usb_free_descriptors(f->fs_descriptors);
> +	f->fs_descriptors = NULL;
>  	usb_free_descriptors(f->hs_descriptors);
> +	f->hs_descriptors = NULL;
>  	usb_free_descriptors(f->ss_descriptors);
> +	f->ss_descriptors = NULL;
>  	usb_free_descriptors(f->ssp_descriptors);
> +	f->ssp_descriptors = NULL;
>  }
>  EXPORT_SYMBOL_GPL(usb_free_all_descriptors);
>  

Reviewed-by: Peter Chen <peter.chen@kernel.org>

You may add Fixed-by tag, and cc to stable tree.

diff --git a/drivers/usb/gadget/config.c b/drivers/usb/gadget/config.c
index 2d11535..8bb2577 100644
--- a/drivers/usb/gadget/config.c
+++ b/drivers/usb/gadget/config.c
@@ -194,9 +194,13 @@  EXPORT_SYMBOL_GPL(usb_assign_descriptors);
 void usb_free_all_descriptors(struct usb_function *f)
 {
 	usb_free_descriptors(f->fs_descriptors);
+	f->fs_descriptors = NULL;
 	usb_free_descriptors(f->hs_descriptors);
+	f->hs_descriptors = NULL;
 	usb_free_descriptors(f->ss_descriptors);
+	f->ss_descriptors = NULL;
 	usb_free_descriptors(f->ssp_descriptors);
+	f->ssp_descriptors = NULL;
 }
 EXPORT_SYMBOL_GPL(usb_free_all_descriptors);

usb: gadget: Fix double free of device descriptor pointers

Commit Message

Comments

Patch