From 1d0ede934b0d47196ca262841d15107764a6a4a4 Mon Sep 17 00:00:00 2001
From: Hemant Kumar
Date: Fri, 14 Oct 2016 18:58:16 -0700
Subject: [PATCH] usb: gadget: f_midi: Fix use after free bug

Upon cable disconnect usb composition switches from midi to default composition as a result midi function driver frees the midi function. When cable is plugged back in android_setup calls function setup call back for all the function instances having non-null function pointer. This results into access to already freed function pointer stored in function instance. Fix this issue by setting function instance's function pointer to NULL so that android_setup will skip calling midi function setup upon next cable connect.

Change-Id: Ia619650c94c35aea015a89841c59a1f9dbc521f9
Signed-off-by: Hemant Kumar
---
 drivers/usb/gadget/function/f_midi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/usb/gadget/function/f_midi.c b/drivers/usb/gadget/function/f_midi.c
index 8a0e7f988d25..e8fed99256d7 100644
--- a/drivers/usb/gadget/function/f_midi.c
+++ b/drivers/usb/gadget/function/f_midi.c
@@ -1139,6 +1139,7 @@ static void f_midi_free(struct usb_function *f)
 mutex_lock(&opts->lock);
 for (i = opts->in_ports - 1; i >= 0; --i)
 kfree(midi->in_port[i]);
+ opts->func_inst.f = NULL;
 kfree(midi);
 --opts->refcnt;
 mutex_unlock(&opts->lock);
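Review bot: Clearing `opts->func_inst.f` in f_midi_free only closes the stale-pointer path if every reader of `func_inst.f` is serialized against this free; the hunk holds `opts->lock`, but android_setup lives outside this file and presumably does not take that per-function mutex, so a setup request racing with the composition switch can still load the old `f` just before it is set to NULL and call into memory that `kfree(midi)` is about to release — worth confirming how the composition switch is ordered relative to setup handling before treating this as a complete fix. The new line also carries no explanation of why an instance-level field is reset from a function-free path; I would put `/* android_setup() walks func_inst.f; clear it so the freed function is never called again */` above it. Since any function driver that stores itself in `func_inst.f` is exposed to the same use-after-free, consider clearing the pointer once in the common code that frees functions rather than patching f_midi alone. f_midi_free begins before this hunk and its closing brace is outside it.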