From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Peter Chen, Hemant Kumar, Wesley Cheng
Subject: [PATCH 4.19 108/425] usb: gadget: Fix double free of device descriptor pointers
Date: Thu, 20 May 2021 11:17:57 +0200
Message-Id: <20210520092135.002557667@linuxfoundation.org>

From: Hemant Kumar

commit 43c4cab006f55b6ca549dd1214e22f5965a8675f upstream.

Upon driver unbind usb_free_all_descriptors() function frees all speed descriptor pointers without setting them to NULL. In case gadget speed changes (i.e. from super speed plus to super speed) after driver unbind only up to super speed descriptor pointers get populated. Super speed plus desc still holds the stale (already freed) pointer. Fix this issue by setting all descriptor pointers to NULL after freeing them in usb_free_all_descriptors().

Fixes: f5c61225cf29 ("usb: gadget: Update function for SuperSpeedPlus")
cc: stable@vger.kernel.org
Reviewed-by: Peter Chen
Signed-off-by: Hemant Kumar
Signed-off-by: Wesley Cheng
Link: https://lore.kernel.org/r/1619034452-17334-1-git-send-email-wcheng@codeaurora.org
Signed-off-by: Greg Kroah-Hartman
---
 drivers/usb/gadget/config.c | 4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/gadget/config.c +++ b/drivers/usb/gadget/config.c
@@ -194,9 +194,13 @@ EXPORT_SYMBOL_GPL(usb_assign_descriptors void usb_free_all_descriptors(struct usb_function *f) { usb_free_descriptors(f->fs_descriptors); + f->fs_descriptors = NULL; usb_free_descriptors(f->hs_descriptors); + f->hs_descriptors = NULL; usb_free_descriptors(f->ss_descriptors); + f->ss_descriptors = NULL; usb_free_descriptors(f->ssp_descriptors); + f->ssp_descriptors = NULL; } EXPORT_SYMBOL_GPL(usb_free_all_descriptors);
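
Review bot: the four free-then-NULL pairs added in usb_free_all_descriptors() carry no comment saying why the pointers are cleared, and the reason (a rebind at a lower speed repopulates only some of the four descriptor sets, per the commit message) cannot be read from the code itself. A one-line comment above the first pair would keep a later cleanup from dropping the assignments as redundant. Because usb_free_descriptors() receives the pointer by value, it cannot clear the caller's field, so any other site that frees a single set through it has to reset its own field the same way; a small helper that frees and clears one field would state that rule once instead of four times.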