usb: gadget: Fix double free of device descriptor pointers

Upon driver unbind usb_free_all_descriptors() function frees all
speed descriptor pointers without setting them to NULL. In case
gadget speed changes (i.e from super speed plus to super speed)
after driver unbind only upto super speed descriptor pointers get
populated. Super speed plus desc still holds the stale (already
freed) pointer. As a result next composition switch results into
double free of super speed plus descriptor. Fix this issue by
setting all descriptor pointers to NULL after freeing them in
usb_free_all_descriptors(). Also clean up gsi_unbind() which is
setting up descriptor pointers to NULL already.

Change-Id: I4f28294c165bb3b5dc9feb4f22d819f527ad4d50
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>

drivers/usb/gadget/function/f_gsi.c

@@ -2843,16 +2843,13 @@ static void gsi_unbind(struct usb_configuration *c, struct usb_function *f)
 	if (gsi->prot_id == IPA_USB_MBIM)
 		mbim_gsi_ext_config_desc.function.subCompatibleID[0] = 0;
 
-	if (gadget_is_superspeed(c->cdev->gadget)) {
+	if (gadget_is_superspeed(c->cdev->gadget))
 		usb_free_descriptors(f->ss_descriptors);
-		f->ss_descriptors = NULL;
-	}
-	if (gadget_is_dualspeed(c->cdev->gadget)) {
+
+	if (gadget_is_dualspeed(c->cdev->gadget))
 		usb_free_descriptors(f->hs_descriptors);
-		f->hs_descriptors = NULL;
-	}
+
 	usb_free_descriptors(f->fs_descriptors);
-	f->fs_descriptors = NULL;
 
 	if (gsi->c_port.notify) {
 		kfree(gsi->c_port.notify_req->buf);

include/linux/usb/gadget.h

@@ -1456,6 +1456,7 @@ struct usb_descriptor_header **usb_copy_descriptors(
 static inline void usb_free_descriptors(struct usb_descriptor_header **v)
 {
 	kfree(v);
+	v = NULL;
 }
 
 struct usb_function;