From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Peter Chen, Hemant Kumar, Wesley Cheng
Subject: [PATCH 4.14 096/323] usb: gadget: Fix double free of device descriptor pointers
Date: Thu, 20 May 2021 11:19:48 +0200
Message-Id: <20210520092123.396940763@linuxfoundation.org>
In-Reply-To: <20210520092120.115153432@linuxfoundation.org>

From: Hemant Kumar

commit 43c4cab006f55b6ca549dd1214e22f5965a8675f upstream.

Upon driver unbind usb_free_all_descriptors() function frees all speed descriptor pointers without setting them to NULL. In case gadget speed changes (i.e. from super speed plus to super speed) after driver unbind only up to super speed descriptor pointers get populated. Super speed plus desc still holds the stale (already freed) pointer. Fix this issue by setting all descriptor pointers to NULL after freeing them in usb_free_all_descriptors().

Fixes: f5c61225cf29 ("usb: gadget: Update function for SuperSpeedPlus")
cc: stable@vger.kernel.org
Reviewed-by: Peter Chen
Signed-off-by: Hemant Kumar
Signed-off-by: Wesley Cheng
Link: https://lore.kernel.org/r/1619034452-17334-1-git-send-email-wcheng@codeaurora.org
Signed-off-by: Greg Kroah-Hartman

--- drivers/usb/gadget/config.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/drivers/usb/gadget/config.c +++ b/drivers/usb/gadget/config.c
@@ -198,9 +198,13 @@ EXPORT_SYMBOL_GPL(usb_assign_descriptors void usb_free_all_descriptors(struct usb_function *f) { usb_free_descriptors(f->fs_descriptors); + f->fs_descriptors = NULL; usb_free_descriptors(f->hs_descriptors); + f->hs_descriptors = NULL; usb_free_descriptors(f->ss_descriptors); + f->ss_descriptors = NULL; usb_free_descriptors(f->ssp_descriptors); + f->ssp_descriptors = NULL; } EXPORT_SYMBOL_GPL(usb_free_all_descriptors);
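
Review bot: the four added `f->*_descriptors = NULL;` resets only protect paths that free through usb_free_all_descriptors(). The unchanged call lines show usb_free_descriptors() taking the pointer by value, so it cannot clear the field itself, and any caller that frees a single speed's descriptors directly would be left holding the same stale pointer. It is worth auditing such call sites, or adding a helper that frees and clears in one step so the pairing cannot be forgotten. The commit message also places the root of the problem in the assign step, which populates only up to the negotiated speed; clearing the unpopulated higher-speed fields there would make a rebind at a lower speed safe regardless of how the previous unbind freed them. A short comment above the first reset explaining that the fields are read again after a rebind would keep a later cleanup from dropping the assignments as redundant.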