summaryrefslogtreecommitdiff
path: root/drivers/usb/gadget/function
diff options
context:
space:
mode:
authorJerry Zhang <zhangjerry@google.com>2018-02-20 11:00:06 -0800
committerMichael Bestas <mkbestas@lineageos.org>2019-12-23 23:43:36 +0200
commit2e9e74df5578ebedcec07354791d98cd0ba18cc1 (patch)
tree550c3dcad6d0e0af990774340415a710808dd372 /drivers/usb/gadget/function
parentea257d1bf43a11e5499d98a5042c76db2bbbf4f6 (diff)
ANDROID: usb: gadget: f_accessory: Fix double-free
Set the request to null to avoid double free in retry_rx_alloc. Bug: 73645054 Test: no double free Change-Id: Iecf22c807a4a23b4b2ba7ebee53c53502c616ec5 Signed-off-by: Jerry Zhang <zhangjerry@google.com>
Diffstat (limited to 'drivers/usb/gadget/function')
-rw-r--r--drivers/usb/gadget/function/f_accessory.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c
index fced02db3f5f..a2a73aa8f3da 100644
--- a/drivers/usb/gadget/function/f_accessory.c
+++ b/drivers/usb/gadget/function/f_accessory.c
@@ -610,8 +610,11 @@ retry_rx_alloc:
if (!req) {
if (acc_rx_req_len <= BULK_BUFFER_SIZE)
goto fail;
- for (i = 0; i < RX_REQ_MAX; i++)
- acc_request_free(dev->rx_req[i], dev->ep_out);
+ for (i = 0; i < RX_REQ_MAX; i++) {
+ acc_request_free(dev->rx_req[i],
+ dev->ep_out);
+ dev->rx_req[i] = NULL;
+ }
acc_rx_req_len /= 2;
goto retry_rx_alloc;
}
@@ -625,8 +628,10 @@ fail:
pr_err("acc_bind() could not allocate requests\n");
while ((req = req_get(dev, &dev->tx_idle)))
acc_request_free(req, dev->ep_in);
- for (i = 0; i < RX_REQ_MAX; i++)
+ for (i = 0; i < RX_REQ_MAX; i++) {
acc_request_free(dev->rx_req[i], dev->ep_out);
+ dev->rx_req[i] = NULL;
+ }
return -1;
}