usb: gadget: Fix double free of device descriptor pointers
Upon driver unbind usb_free_all_descriptors() function frees all speed descriptor pointers without setting them to NULL. In case gadget speed changes (i.e from super speed plus to super speed) after driver unbind only upto super speed descriptor pointers get populated. Super speed plus desc still holds the stale (already freed) pointer. As a result next composition switch results into double free of super speed plus descriptor. Fix this issue by setting all descriptor pointers to NULL after freeing them in usb_free_all_descriptors(). Also clean up gsi_unbind() which is setting up descriptor pointers to NULL already. Change-Id: I4f28294c165bb3b5dc9feb4f22d819f527ad4d50 Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
This commit is contained in:
Hemant Kumar
Gerrit - the friendly Code Review server
parent
6e9f8d3097
commit
65873c2988
2 changed files with 4 additions and 4 deletions
|
|
@ -194,9 +194,13 @@ EXPORT_SYMBOL_GPL(usb_assign_descriptors);
|
|||
void usb_free_all_descriptors(struct usb_function *f)
|
||||
{
|
||||
usb_free_descriptors(f->fs_descriptors);
|
||||
f->fs_descriptors = NULL;
|
||||
usb_free_descriptors(f->hs_descriptors);
|
||||
f->hs_descriptors = NULL;
|
||||
usb_free_descriptors(f->ss_descriptors);
|
||||
f->ss_descriptors = NULL;
|
||||
usb_free_descriptors(f->ssp_descriptors);
|
||||
f->ssp_descriptors = NULL;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(usb_free_all_descriptors);
|
||||
|
||||
|
|
|
|||
|
|
@ -2945,10 +2945,6 @@ static void gsi_unbind(struct usb_configuration *c, struct usb_function *f)
|
|||
mbim_gsi_ext_config_desc.function.subCompatibleID[0] = 0;
|
||||
|
||||
usb_free_all_descriptors(f);
|
||||
f->hs_descriptors = NULL;
|
||||
f->fs_descriptors = NULL;
|
||||
f->ss_descriptors = NULL;
|
||||
f->ssp_descriptors = NULL;
|
||||
|
||||
if (gsi->c_port.notify) {
|
||||
kfree(gsi->c_port.notify_req->buf);
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue