Re: [PATCH V2] usb: gadget: composite: Fix possible double free memory bug

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

Chandana Kishori Chiluveru <cchiluve@xxxxxxxxxxxxxx> writes:
> composite_dev_cleanup call from the failure of configfs_composite_bind
> frees up the cdev->os_desc_req and cdev->req. If the previous calls of
> bind and unbind is successful these will carry stale values.
>
> Consider the below sequence of function calls:
> configfs_composite_bind()
>         composite_dev_prepare()
>                 - Allocate cdev->req, cdev->req->buf
>         composite_os_desc_req_prepare()
>                 - Allocate cdev->os_desc_req, cdev->os_desc_req->buf
> configfs_composite_unbind()
>         composite_dev_cleanup()
>                 - free the cdev->os_desc_req->buf and cdev->req->buf
> Next composition switch
> configfs_composite_bind()
>         - If it fails goto err_comp_cleanup will call the
> 	  composite_dev_cleanup() function
>         composite_dev_cleanup()
> 	        - calls kfree up with the stale values of cdev->req->buf and
> 		  cdev->os_desc_req from the previous configfs_composite_bind
> 		  call. The free call on these stale values leads to double free.
>
> Hence, Fix this issue by setting request and buffer pointer to NULL after
> kfree.
>
> Signed-off-by: Chandana Kishori Chiluveru <cchiluve@xxxxxxxxxxxxxx>
>
> Changes in v2:
> 	- Modified commit text.

These two lines...

> ---

... should be after this tearline :-)

We don't need that in the commit log

-- 
balbi

Attachment: signature.asc
Description: PGP signature


[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux