usb: gadget: Fix double free of device descriptor pointers

Upon driver unbind usb_free_all_descriptors() function frees all speed descriptor pointers without setting them to NULL. In case gadget speed changes (i.e from super speed plus to super speed) after driver unbind only upto super speed descriptor pointers get populated. Super speed plus desc still holds the stale (already freed) pointer. As a result next composition switch results into double free of super speed plus descriptor. Fix this issue by setting all descriptor pointers to NULL after freeing them in usb_free_all_descriptors(). Also clean up gsi_unbind() which is setting up descriptor pointers to NULL already. Change-Id: I4f28294c165bb3b5dc9feb4f22d819f527ad4d50 Signed-off-by: Hemant Kumar <hemantk@codeaurora.org> Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
author: Hemant Kumar <hemantk@codeaurora.org> 2018-11-21 17:07:20 -0800
committer: Sriharsha Allenki <sallenki@codeaurora.org> 2018-12-04 14:00:44 +0530
commit: ceed3cc4a19356cfd8196f43238bc6be9b3b6ed5 (patch)
tree: 8c9f4bf591e9c87ddbbe3dc66fa9ad64357fffae /include/linux/usb
parent: 7daef91bee21338b504ddd8290e1133faef42c43 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h
index 0e61b1f65359..2bf825f5b711 100644
--- a/include/linux/usb/gadget.h
+++ b/include/linux/usb/gadget.h
@@ -1456,6 +1456,7 @@ struct usb_descriptor_header **usb_copy_descriptors(
 static inline void usb_free_descriptors(struct usb_descriptor_header **v)
 {
 	kfree(v);
+	v = NULL;
 }
 
 struct usb_function;
author	Hemant Kumar <hemantk@codeaurora.org>	2018-11-21 17:07:20 -0800
committer	Sriharsha Allenki <sallenki@codeaurora.org>	2018-12-04 14:00:44 +0530
commit	ceed3cc4a19356cfd8196f43238bc6be9b3b6ed5 (patch)
tree	8c9f4bf591e9c87ddbbe3dc66fa9ad64357fffae /include/linux/usb
parent	7daef91bee21338b504ddd8290e1133faef42c43 (diff)