From ceed3cc4a19356cfd8196f43238bc6be9b3b6ed5 Mon Sep 17 00:00:00 2001
From: Hemant Kumar
Date: Wed, 21 Nov 2018 17:07:20 -0800
Subject: [PATCH] usb: gadget: Fix double free of device descriptor pointers

Upon driver unbind usb_free_all_descriptors() function frees all speed descriptor pointers without setting them to NULL. In case gadget speed changes (i.e from super speed plus to super speed) after driver unbind only upto super speed descriptor pointers get populated. Super speed plus desc still holds the stale (already freed) pointer. As a result next composition switch results into double free of super speed plus descriptor.

Fix this issue by setting all descriptor pointers to NULL after freeing them in usb_free_all_descriptors(). Also clean up gsi_unbind() which is setting up descriptor pointers to NULL already.

Change-Id: I4f28294c165bb3b5dc9feb4f22d819f527ad4d50
Signed-off-by: Hemant Kumar
Signed-off-by: Sriharsha Allenki
---
 drivers/usb/gadget/function/f_gsi.c | 11 ++++-------
 include/linux/usb/gadget.h | 1 +
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/drivers/usb/gadget/function/f_gsi.c b/drivers/usb/gadget/function/f_gsi.c
index ff61879767b3..266d19049986 100644
--- a/drivers/usb/gadget/function/f_gsi.c
+++ b/drivers/usb/gadget/function/f_gsi.c
@@ -2843,16 +2843,13 @@ static void gsi_unbind(struct usb_configuration *c, struct usb_function *f)
 	if (gsi->prot_id == IPA_USB_MBIM)
 		mbim_gsi_ext_config_desc.function.subCompatibleID[0] = 0;
-	if (gadget_is_superspeed(c->cdev->gadget)) {
+	if (gadget_is_superspeed(c->cdev->gadget))
 		usb_free_descriptors(f->ss_descriptors);
-		f->ss_descriptors = NULL;
-	}
-	if (gadget_is_dualspeed(c->cdev->gadget)) {
+
+	if (gadget_is_dualspeed(c->cdev->gadget))
 		usb_free_descriptors(f->hs_descriptors);
-		f->hs_descriptors = NULL;
-	}
+
 	usb_free_descriptors(f->fs_descriptors);
-	f->fs_descriptors = NULL;
 	if (gsi->c_port.notify) {
 		kfree(gsi->c_port.notify_req->buf);
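Review bot: Removing the three `f->ss_descriptors = NULL;`, `f->hs_descriptors = NULL;` and `f->fs_descriptors = NULL;` lines in this hunk leaves gsi_unbind() with dangling descriptor pointers, because the replacement in the gadget.h hunk (`v = NULL;` inside usb_free_descriptors()) only clears the callee's by-value copy and never reaches the struct usb_function fields. The stale-pointer double free described in the commit message is therefore not fixed by this patch; on the new side it is made strictly more likely, since the explicit clearing that previously guarded the next composition switch is gone. Keep each `f->..._descriptors = NULL;` immediately after its usb_free_descriptors() call (restoring the braces the hunk drops), or make the helper take the address of the field; either way the call sites must be the ones that clear the pointer. gsi_unbind() starts before and continues after this hunk, so I cannot see whether anything else re-initialises these fields before the next bind.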
diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h
index 0e61b1f65359..2bf825f5b711 100644
--- a/include/linux/usb/gadget.h
+++ b/include/linux/usb/gadget.h
@@ -1456,6 +1456,7 @@ struct usb_descriptor_header **usb_copy_descriptors(
 static inline void usb_free_descriptors(struct usb_descriptor_header **v)
 {
 	kfree(v);
+	v = NULL;
 }
 struct usb_function;
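Review bot: The added `v = NULL;` is a dead store: `v` is a by-value parameter, so assigning it has no effect on the caller's `f->ss_descriptors`/`f->hs_descriptors`/`f->fs_descriptors`, and the compiler will simply discard the line (with `-Wunused-but-set-parameter` it warns). As written the helper still frees the memory and leaves every caller holding the freed pointer, so this hunk does not address the double free the commit message describes; it also changes usb_free_descriptors() while the message talks about usb_free_all_descriptors(), which is worth reconciling. Clearing the owner's pointer from inside the helper requires taking its address, e.g. `static inline void usb_free_descriptors(struct usb_descriptor_header ***vp) { kfree(*vp); *vp = NULL; }`, but that changes the signature for every function driver that calls it, so unless all call sites are updated the practical fix is to drop this hunk and keep the `= NULL` assignments at the call sites. The header's surrounding declarations are outside the hunk, so I cannot tell whether a separate usb_free_all_descriptors() exists here that was the intended target.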