From patchwork Fri Mar 15 11:07:15 2019
X-Patchwork-Submitter: Chandana Kishori Chiluveru
X-Patchwork-Id: 10854549
From: Chandana Kishori Chiluveru
To: linux-usb@vger.kernel.org
Cc: Chandana Kishori Chiluveru
Subject: [PATCH] [PATCH] usb: gadget: composite: Fix double free memory bug
Date: Fri, 15 Mar 2019 16:37:15 +0530
Message-Id: <1552648035-8281-1-git-send-email-cchiluve@codeaurora.org>

configfs_dev_cleanup function can double free os_desc and buffer when called from different context. For example, this can be called from composite_unbind() and when composite_bind() fails. Fix this issue by setting request and buffer pointer to NULL after kfree.

Signed-off-by: Chandana Kishori Chiluveru
--- drivers/usb/gadget/composite.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index b8a1584..992f1e2 100644 --- a/drivers/usb/gadget/composite.c 
+++ b/drivers/usb/gadget/composite.c @@ -2155,14 +2155,18 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev) usb_ep_dequeue(cdev->gadget->ep0, cdev->os_desc_req); kfree(cdev->os_desc_req->buf); + cdev->os_desc_req->buf = NULL; usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req); + cdev->os_desc_req = NULL; } if (cdev->req) { if (cdev->setup_pending) usb_ep_dequeue(cdev->gadget->ep0, cdev->req); kfree(cdev->req->buf); + cdev->req->buf = NULL; usb_ep_free_request(cdev->gadget->ep0, cdev->req); + cdev->req = NULL; } cdev->next_string_id = 0; device_remove_file(&cdev->gadget->dev, &dev_attr_suspended);
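Review bot: In both blocks the `->buf = NULL` store lands in a request that is handed to usb_ep_free_request() on the very next line, so it is the `cdev->os_desc_req = NULL` and `cdev->req = NULL` assignments that actually stop a second composite_dev_cleanup() call from freeing again (the visible `if (cdev->req)` guard then skips the block). Consider dropping the two `->buf = NULL` lines, or explain in the commit message why they are needed. The NULL stores also only help when the two callers run one after the other: if "different context" in the message means composite_unbind() and the composite_bind() failure path can run concurrently, both can pass the guard before either clears the pointer, and the function would need serialisation rather than pointer clearing. Finally, the message names configfs_dev_cleanup while the hunk changes composite_dev_cleanup(), and the subject carries "[PATCH]" twice; both are worth fixing in a v2.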