| Message ID | 1552648035-8281-1-git-send-email-cchiluve@codeaurora.org (mailing list archive) |
|---|---|
| State | New, archived |
| Series | usb: gadget: composite: Fix double free memory bug |
Hi,

On 2019-03-15 16:37, Chandana Kishori Chiluveru wrote:
> configfs_dev_cleanup function can double free os_desc
> and buffer when called from different context. For
> example, this can be called from composite_unbind() and
> when composite_bind() fails.

Shouldn't we instead fix the error path handling of composite_bind and configfs_composite_bind?

> Fix this issue by setting
> request and buffer pointer to NULL after kfree.
>
> Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
> ---
> drivers/usb/gadget/composite.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/drivers/usb/gadget/composite.c
> b/drivers/usb/gadget/composite.c
> index b8a1584..992f1e2 100644
> --- a/drivers/usb/gadget/composite.c
> +++ b/drivers/usb/gadget/composite.c
> @@ -2155,14 +2155,18 @@ void composite_dev_cleanup(struct
> usb_composite_dev *cdev)
> usb_ep_dequeue(cdev->gadget->ep0, cdev->os_desc_req);
>
> kfree(cdev->os_desc_req->buf);
> + cdev->os_desc_req->buf = NULL;
> usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req);
> + cdev->os_desc_req = NULL;

Better to move os_desc_cleanup handling to a different function say - composite_os_desc_req_cleanup (to match composite_os_desc_req_prepare())

> }
> if (cdev->req) {
> if (cdev->setup_pending)
> usb_ep_dequeue(cdev->gadget->ep0, cdev->req);
>
> kfree(cdev->req->buf);
> + cdev->req->buf = NULL;
> usb_ep_free_request(cdev->gadget->ep0, cdev->req);
> + cdev->req = NULL;
> }
> cdev->next_string_id = 0;
> device_remove_file(&cdev->gadget->dev, &dev_attr_suspended);
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index b8a1584..992f1e2 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -2155,14 +2155,18 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev) usb_ep_dequeue(cdev->gadget->ep0, cdev->os_desc_req); kfree(cdev->os_desc_req->buf); + cdev->os_desc_req->buf = NULL; usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req); + cdev->os_desc_req = NULL; } if (cdev->req) { if (cdev->setup_pending) usb_ep_dequeue(cdev->gadget->ep0, cdev->req); kfree(cdev->req->buf); + cdev->req->buf = NULL; usb_ep_free_request(cdev->gadget->ep0, cdev->req); + cdev->req = NULL; } cdev->next_string_id = 0; device_remove_file(&cdev->gadget->dev, &dev_attr_suspended);
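Review bot: the two `->buf = NULL` stores write into a struct that is freed on the very next line (`usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req);` and the matching call for `cdev->req`), so they protect nothing and can be dropped; only `cdev->os_desc_req = NULL;` and `cdev->req = NULL;` actually stop a repeated composite_dev_cleanup() call from dereferencing freed memory. Note also that this turns the second call into a silent no-op rather than removing it: the commit message says the duplicate comes from composite_unbind() running after composite_bind() has already failed, which is the error-path bug to fix (as the reply in this thread also suggests), and the message should name composite_dev_cleanup(), the function this hunk changes, not configfs_dev_cleanup.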
The configfs_dev_cleanup function can double free os_desc and the buffer when called from different contexts. For example, this can be called from composite_unbind() and when composite_bind() fails. Fix this issue by setting the request and buffer pointers to NULL after kfree.

Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
---
drivers/usb/gadget/composite.c | 4 ++++
1 file changed, 4 insertions(+)