ANDROID: usb: gadget: f_accessory: Fix double-free · 53d85374b8 - evie/android_kernel_oneplus_msm8998 - Gay Catgirls Forgejo: gay catgirls having sex

evie/android_kernel_oneplus_msm8998

ANDROID: usb: gadget: f_accessory: Fix double-free

Set the request to null to avoid double free in
retry_rx_alloc.

Bug: 73645054
Test: no double free
Change-Id: Iecf22c807a4a23b4b2ba7ebee53c53502c616ec5
Signed-off-by: Jerry Zhang <zhangjerry@google.com>

This commit is contained in:

Jerry Zhang

2018-02-20 11:00:06 -08:00

• committed by

Timi

parent 4b0f74a70e

commit 53d85374b8

1 changed files with 8 additions and 3 deletions

									
										11

drivers/usb/gadget/function/f_accessory.c
									
										View file
										
					@ -610,8 +610,11 @@ retry_rx_alloc:

							if (!req) {

							if (!req) {

								if (acc_rx_req_len <= BULK_BUFFER_SIZE)

								if (acc_rx_req_len <= BULK_BUFFER_SIZE)

									goto fail;

									goto fail;

							for (i = 0; i < RX_REQ_MAX; i++)

								for (i = 0; i < RX_REQ_MAX; i++) {

								acc_request_free(dev->rx_req[i], dev->ep_out);

									acc_request_free(dev->rx_req[i],

											dev->ep_out);

									dev->rx_req[i] = NULL;

								}

								acc_rx_req_len /= 2;

								acc_rx_req_len /= 2;

								goto retry_rx_alloc;

								goto retry_rx_alloc;

							}

							}

					@ -625,8 +628,10 @@ fail:

						pr_err("acc_bind() could not allocate requests\n");

						pr_err("acc_bind() could not allocate requests\n");

						while ((req = req_get(dev, &dev->tx_idle)))

						while ((req = req_get(dev, &dev->tx_idle)))

							acc_request_free(req, dev->ep_in);

							acc_request_free(req, dev->ep_in);

						for (i = 0; i < RX_REQ_MAX; i++)

						for (i = 0; i < RX_REQ_MAX; i++) {

							acc_request_free(dev->rx_req[i], dev->ep_out);

							acc_request_free(dev->rx_req[i], dev->ep_out);

							dev->rx_req[i] = NULL;

						}

						return -1;

						return -1;

					}

					}