From 15d9d6a67ce25e829dabd4428f3a32ae8660bbe6 Mon Sep 17 00:00:00 2001 From: Jerry Zhang <zhangjerry@google.com> Date: Tue, 20 Feb 2018 11:00:06 -0800 Subject: [PATCH] ANDROID: usb: gadget: f_accessory: Fix double-free Set the request to null to avoid double free in retry_rx_alloc. Bug: 73645054 Test: no double free Signed-off-by: Jerry Zhang <zhangjerry@google.com> --- drivers/usb/gadget/function/f_accessory.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/f_accessory.c b/drivers/usb/gadget/function/f_accessory.c index 6536f5039ed5..29c418abdc16 100644 --- a/drivers/usb/gadget/function/f_accessory.c +++ b/drivers/usb/gadget/function/f_accessory.c @@ -602,8 +602,11 @@ retry_rx_alloc: if (!req) { if (acc_rx_req_len <= BULK_BUFFER_SIZE) goto fail; - for (i = 0; i < RX_REQ_MAX; i++) - acc_request_free(dev->rx_req[i], dev->ep_out); + for (i = 0; i < RX_REQ_MAX; i++) { + acc_request_free(dev->rx_req[i], + dev->ep_out); + dev->rx_req[i] = NULL; + } acc_rx_req_len /= 2; goto retry_rx_alloc; } @@ -617,8 +620,10 @@ fail: pr_err("acc_bind() could not allocate requests\n"); while ((req = req_get(dev, &dev->tx_idle))) acc_request_free(req, dev->ep_in); - for (i = 0; i < RX_REQ_MAX; i++) + for (i = 0; i < RX_REQ_MAX; i++) { acc_request_free(dev->rx_req[i], dev->ep_out); + dev->rx_req[i] = NULL; + } return -1; } -- GitLab