Hi,
Wesley Cheng <[email protected]> writes:
> From: Hemant Kumar <[email protected]>
>
> Upon driver unbind usb_free_all_descriptors() function frees all
> speed descriptor pointers without setting them to NULL. In case
> gadget speed changes (i.e. from super speed plus to super speed)
> after driver unbind only up to super speed descriptor pointers get
> populated. Super speed plus desc still holds the stale (already
> freed) pointer. Fix this issue by setting all descriptor pointers
> to NULL after freeing them in usb_free_all_descriptors().

Could you describe this a little better? How can one trigger this case?
Is the speed demotion happening after unbinding? It's not clear how to
cause this bug.
--
balbi