Re: [PATCH v2] usb: gadget: Fix double free of device descriptor pointers

From: Felipe Balbi
Date: Thu Apr 22 2021 - 07:01:54 EST



Hi,

Wesley Cheng <wcheng@xxxxxxxxxxxxxx> writes:

> From: Hemant Kumar <hemantk@xxxxxxxxxxxxxx>
>
> Upon driver unbind usb_free_all_descriptors() function frees all
> speed descriptor pointers without setting them to NULL. In case
> gadget speed changes (i.e. from super speed plus to super speed)
> after driver unbind only up to super speed descriptor pointers get
> populated. Super speed plus desc still holds the stale (already
> freed) pointer. Fix this issue by setting all descriptor pointers
> to NULL after freeing them in usb_free_all_descriptors().

could you describe this a little better? How can one trigger this case?
Is the speed demotion happening after unbinding? It's not clear how to
cause this bug.

--
balbi

Attachment: signature.asc
Description: PGP signature
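The scenario the commit message describes (unbind frees all speed descriptors, a later bind at a lower speed only repopulates the lower slots, and the super-speed-plus pointer is freed a second time) can be reproduced in miniature. The following is an added illustration, not the submitted patch or kernel code: the descriptor "pool" with an in-use flag, the `free_all_stale` / `free_all_fixed` pair and `run_scenario` are constructed stand-ins for kfree() and usb_free_all_descriptors(), chosen so the double free is detected by a flag check instead of being undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Gadget speeds from lowest to highest, in the order the mail discusses. */
enum speed { FULL = 0, HIGH, SUPER, SUPER_PLUS, NSPEEDS };

/* Toy descriptor: a slot in a static pool with an in-use flag, so freeing a
 * slot twice is detectable (constructed stand-in for a kmalloc'd descriptor). */
struct desc { int in_use; enum speed speed; };

static struct desc pool[16];

static struct desc *desc_alloc(enum speed s) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].speed = s;
            return &pool[i];
        }
    }
    return NULL;
}

/* Returns 0 on success, -1 if the slot was already freed (double free). */
static int desc_free(struct desc *d) {
    if (!d) return 0;            /* NULL is a harmless no-op, as with kfree() */
    if (!d->in_use) return -1;   /* second free of the same slot */
    d->in_use = 0;
    return 0;
}

/* Stand-in for the per-speed descriptor pointers a usb_function carries. */
struct function { struct desc *descs[NSPEEDS]; };

/* Populate descriptors only up to the speed the gadget currently runs at;
 * higher slots are left untouched, which is the behaviour the mail describes. */
static void assign_descriptors(struct function *f, enum speed max) {
    for (int s = 0; s <= (int)max; s++)
        f->descs[s] = desc_alloc((enum speed)s);
}

/* Buggy variant: frees every slot but leaves the pointers dangling. */
static int free_all_stale(struct function *f) {
    int rc = 0;
    for (int s = 0; s < NSPEEDS; s++)
        rc |= desc_free(f->descs[s]);
    return rc;
}

/* Fixed variant: frees and clears, so a slot that is not repopulated later
 * is skipped by the next free instead of being freed again. */
static int free_all_fixed(struct function *f) {
    int rc = 0;
    for (int s = 0; s < NSPEEDS; s++) {
        rc |= desc_free(f->descs[s]);
        f->descs[s] = NULL;
    }
    return rc;
}

/* Bind at SUPER_PLUS, unbind, re-bind at SUPER (speed demotion), unbind again.
 * Returns 0 if no double free occurred, -1 otherwise. */
static int run_scenario(int (*free_all)(struct function *)) {
    struct function f;
    memset(&f, 0, sizeof f);
    memset(pool, 0, sizeof pool);
    assign_descriptors(&f, SUPER_PLUS);
    if (free_all(&f)) return -1;
    assign_descriptors(&f, SUPER);   /* SUPER_PLUS slot is not rewritten */
    return free_all(&f);
}

int main(void) {
    printf("stale pointers:   %s\n", run_scenario(free_all_stale) ? "double free" : "ok");
    printf("cleared pointers: %s\n", run_scenario(free_all_fixed) ? "double free" : "ok");
    return 0;
}
```

With a real allocator the freed chunk may already have been handed to another object by the time of the second free, so the consequence is heap corruption rather than a clean error; the in-use flag here only makes the ordering visible. Clearing the pointer after free is what makes the later free a no-op, which is exactly the change the patch proposes.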