evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ANDROID: usb: gadget: f_accessory: Fix double-free

Browse source 
Set the request to null to avoid double free in
retry_rx_alloc.

Bug: 73645054
Test: no double free
Change-Id: Iecf22c807a4a23b4b2ba7ebee53c53502c616ec5
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
This commit is contained in:
Jerry Zhang 2018-02-20 11:00:06 -08:00 committed by Timi
parent 4b0f74a70e
commit 53d85374b8
1 changed files with 8 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
drivers/usb/gadget/function/f_accessory.c
View file

@ -610,8 +610,11 @@ retry_rx_alloc:
if (!req) {
if (acc_rx_req_len <= BULK_BUFFER_SIZE)
goto fail;
for (i = 0; i < RX_REQ_MAX; i++)
acc_request_free(dev->rx_req[i], dev->ep_out);
for (i = 0; i < RX_REQ_MAX; i++) {
acc_request_free(dev->rx_req[i],
dev->ep_out);
dev->rx_req[i] = NULL;
}
acc_rx_req_len /= 2;
goto retry_rx_alloc;
}
@ -625,8 +628,10 @@ fail:
pr_err("acc_bind() could not allocate requests\n");
while ((req = req_get(dev, &dev->tx_idle)))
acc_request_free(req, dev->ep_in);
for (i = 0; i < RX_REQ_MAX; i++)
for (i = 0; i < RX_REQ_MAX; i++) {
acc_request_free(dev->rx_req[i], dev->ep_out);
dev->rx_req[i] = NULL;
}
return -1;
}