usb: gadget: composite: Fix double free memory bug

configfs_dev_cleanup function can double free os_desc and buffer when called from different context. For example, this can be called from composite_unbind() and when composite_bind() fails. Fix this issue by setting request and buffer pointer to NULL after kfree. CRs-Fixed: 1013316 Change-Id: I6e87289627b23fc368f990fc7962854eeb3fbbc1 Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
author: Hemant Kumar <hemantk@codeaurora.org> 2016-05-04 18:22:14 -0700
committer: Jeevan Shriram <jshriram@codeaurora.org> 2016-05-11 17:43:57 -0700
commit: 6f856046e001fbb16a9e3f74a5fda8f924c445d5 (patch)
tree: 14861266c14307c4b9870ad5dc882c2f8ab5b39c /drivers/usb
parent: 17d496f66a45ac03235f97211516e34ce439ed60 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 0bcb73bc8cb1..67aa070effe4 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -2211,14 +2211,18 @@ void composite_dev_cleanup(struct usb_composite_dev *cdev)
 			usb_ep_dequeue(cdev->gadget->ep0, cdev->os_desc_req);
 
 		kfree(cdev->os_desc_req->buf);
+		cdev->os_desc_req->buf = NULL;
 		usb_ep_free_request(cdev->gadget->ep0, cdev->os_desc_req);
+		cdev->os_desc_req = NULL;
 	}
 	if (cdev->req) {
 		if (cdev->setup_pending)
 			usb_ep_dequeue(cdev->gadget->ep0, cdev->req);
 
 		kfree(cdev->req->buf);
+		cdev->req->buf = NULL;
 		usb_ep_free_request(cdev->gadget->ep0, cdev->req);
+		cdev->req = NULL;
 	}
 	cdev->next_string_id = 0;
 	device_remove_file(&cdev->gadget->dev, &dev_attr_suspended);
author	Hemant Kumar <hemantk@codeaurora.org>	2016-05-04 18:22:14 -0700
committer	Jeevan Shriram <jshriram@codeaurora.org>	2016-05-11 17:43:57 -0700
commit	6f856046e001fbb16a9e3f74a5fda8f924c445d5 (patch)
tree	14861266c14307c4b9870ad5dc882c2f8ab5b39c /drivers/usb
parent	17d496f66a45ac03235f97211516e34ce439ed60 (diff)