Date: Tue, 20 Apr 2021 08:54:29 +0800
From: Peter Chen
To: Wesley Cheng
Cc: balbi@kernel.org, gregkh@linuxfoundation.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, jackp@codeaurora.org, Hemant Kumar
Subject: Re: [PATCH] usb: gadget: Fix double free of device descriptor pointers
Message-ID: <20210420005429.GA5069@nchen>
In-Reply-To: <1618862240-5965-1-git-send-email-wcheng@codeaurora.org>

On 21-04-19 12:57:20, Wesley Cheng wrote:
> From: Hemant Kumar
>
> Upon driver unbind usb_free_all_descriptors() function frees all
> speed descriptor pointers without setting them to NULL. In case
> gadget speed changes (i.e. from super speed plus to super speed)
> after driver unbind only up to super speed descriptor pointers get
> populated. Super speed plus desc still holds the stale (already
> freed) pointer. Fix this issue by setting all descriptor pointers
> to NULL after freeing them in usb_free_all_descriptors().
>
> Signed-off-by: Hemant Kumar
> Signed-off-by: Wesley Cheng
> ---
> drivers/usb/gadget/config.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/usb/gadget/config.c b/drivers/usb/gadget/config.c
> index 2d11535..8bb2577 100644
> --- a/drivers/usb/gadget/config.c
> +++ b/drivers/usb/gadget/config.c
> @@ -194,9 +194,13 @@ EXPORT_SYMBOL_GPL(usb_assign_descriptors); > void usb_free_all_descriptors(struct usb_function *f) > { > usb_free_descriptors(f->fs_descriptors); > + f->fs_descriptors = NULL; > usb_free_descriptors(f->hs_descriptors); > + f->hs_descriptors = NULL; > usb_free_descriptors(f->ss_descriptors); > + f->ss_descriptors = NULL; > usb_free_descriptors(f->ssp_descriptors); > + f->ssp_descriptors = NULL; > } > EXPORT_SYMBOL_GPL(usb_free_all_descriptors); > Reviewed-by: Peter Chen You may add Fixed-by tag, and cc to stable tree. -- Thanks, Peter Chen
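Review bot: The four NULL assignments added in usb_free_all_descriptors() are undocumented, and the commit message does not name the path that frees the stale ssp_descriptors pointer a second time: the subject says double free, while the body only describes the pointer being left stale after unbind. Spell out that second free in the message (for example a rebind at a lower speed followed by another unbind, if that is the sequence), and add a Fixes: tag naming the commit that introduced the problem so the change can be picked up for stable. A one-line comment above the assignments saying the pointers are cleared so that a later bind which populates fewer speeds cannot leave a freed descriptor array behind would also keep them from being removed later as redundant.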