Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp6605ybt;
        Tue, 23 Jun 2020 13:49:45 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz0ZSmwDTSj14Y6R21BbnClfiFwedZfstWp65zkNfQMrmXUL10dUq3fFcHiXLKPpQBRU4Y0
X-Received: by 2002:a05:6402:21d3:: with SMTP id bi19mr3927718edb.56.1592945384864;
        Tue, 23 Jun 2020 13:49:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592945384; cv=none;
        d=google.com; s=arc-20160816;
        b=dAJR3xjqdpzn4LHWEumXOrDiGpXSD38IVsqC1fc/LaiFvoM3YoN41UWBzqAj4nHNiq
         /hCi8z1pmwgMhWUQpCDRFZX/UYiiqKI8RQvfdRynm6AQNNr3i0QLY++V36DJkqy9Y9Fg
         IqEkBmPvz8uy+UrDk/KWEScF3MqqDyILReBMTnlDHZBvFGxDR9mvPN6bsY7QqUGiaURS
         FewrQ+sCj7fCgGtfuA7Gc0zqN81f/2X5kk0PnzffeEOQ+sAXmEVIqxk95RNtof24EUEM
         terFOGIT0k0vacjggRrO+2+QwYBRXZ9D5169KJxYsofEymg3GnYXsZyAW5J/ch20QHaJ
         t8pw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=41S+HeKVkk8ByW3f2CfjUm/xixKTyL0KltUpZ1TxjWo=;
        b=LZjcaPD2/pDVm4vjoaRXPB1Uhm8175f2Tvx065aOl5mbShzzGilvoCGu2+MdXnTXMl
         WGRXlNddZ1+869TqkaRJkNaibT+jnAsXE95kp31pg6FInWRBsKDHRPeFmBb/rRYHNyDU
         pJf2zC8LmUt0blMSZ5h865LdzdUuX1Ebh5wKZuQNzvA6i7D7PzNUdlA8lzp+gfHTSwhC
         n5cXGEZPLQYby6npliEaHO5mWgOqJTuTixU7sZRkPmO9yG7RACED0WBvVgvjKaMVkdav
         wWEnwSZig+i1xU4sPcKk7UlI6qrmooDP7F+43a6Mv3HpcJ8bolExfhj2ytOoSWxfN+Ch
         lEkw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="Tmj/PCky";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id do18si15148915ejc.668.2020.06.23.13.49.18;
        Tue, 23 Jun 2020 13:49:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="Tmj/PCky";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2391267AbgFWUrw (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Tue, 23 Jun 2020 16:47:52 -0400
Received: from mail.kernel.org ([198.145.29.99]:46414 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2404079AbgFWUrr (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 23 Jun 2020 16:47:47 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 482D121548;
        Tue, 23 Jun 2020 20:47:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1592945267;
        bh=fo5IicuzVZcxkY15Ztxrcpm6Hb1BOiwqofyzoKjdMBk=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=Tmj/PCkygy6axZMSlYMLZSKWrzMyEV16JNCYu/Ok9wtsqRyh+M989nROtA2dBeYF2
         4RnpPcLmcWTHqC2n2f4UxsBZLKd8dN57X9sARvrveuocfAJRRlDvpjLmZeswX7t5ci
         E8J0YpV+YLl7ZwF5E+W21WSJ33BT9Q/3ClbQCM18=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Qiushi Wu <wu000273@umn.edu>,
        Felipe Balbi <balbi@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 074/136] usb: gadget: fix potential double-free in m66592_probe.
Date:   Tue, 23 Jun 2020 21:58:50 +0200
Message-Id: <20200623195307.401290675@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200623195303.601828702@linuxfoundation.org>
References: <20200623195303.601828702@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Qiushi Wu <wu000273@umn.edu>

[ Upstream commit 44734a594196bf1d474212f38fe3a0d37a73278b ]

m66592_free_request() is called under label "err_add_udc"
and "clean_up", and m66592->ep0_req is not set to NULL after
first free, leading to a double-free. Fix this issue by
setting m66592->ep0_req to NULL after the first free.

Fixes: 0f91349b89f3 ("usb: gadget: convert all users to the new udc infrastructure")
Signed-off-by: Qiushi Wu <wu000273@umn.edu>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/udc/m66592-udc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/m66592-udc.c b/drivers/usb/gadget/udc/m66592-udc.c
index 46ce7bc15f2b0..53abad98af6d8 100644
--- a/drivers/usb/gadget/udc/m66592-udc.c
+++ b/drivers/usb/gadget/udc/m66592-udc.c
@@ -1672,7 +1672,7 @@ static int m66592_probe(struct platform_device *pdev)
 
 err_add_udc:
 	m66592_free_request(&m66592->ep[0].ep, m66592->ep0_req);
-
+	m66592->ep0_req = NULL;
 clean_up3:
 	if (m66592->pdata->on_chip) {
 		clk_disable(m66592->clk);
-- 
2.25.1