USB: gadget: f_midi: fixing a possible double-free in f_midi - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Yavuz, Tuba <tuba@ece.ufl.edu>	2018-03-23 17:00:38 +0000
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-03-26 11:53:14 +0200
commit	7fafcfdf6377b18b2a726ea554d6e593ba44349f (patch)
tree	370ef3f405e25513e822accb22243855036d5720 /drivers/usb/roles
parent	4d8d5a392ae110d9b5889afd2b4beef9a09e712d (diff)
download	linux-7fafcfdf6377b18b2a726ea554d6e593ba44349f.tar.bz2

USB: gadget: f_midi: fixing a possible double-free in f_midi

It looks like there is a possibility of a double-free vulnerability on an error path of the f_midi_set_alt function in the f_midi driver. If the path is feasible then free_ep_req gets called twice: req->complete = f_midi_complete; err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC); => ... usb_gadget_giveback_request => f_midi_complete (CALLBACK) (inside f_midi_complete, for various cases of status) free_ep_req(ep, req); // first kfree if (err) { ERROR(midi, "%s: couldn't enqueue request: %d\n", midi->out_ep->name, err); free_ep_req(midi->out_ep, req); // second kfree return err; } The double-free possibility was introduced with commit ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests"). Found by MOXCAFE tool. Signed-off-by: Tuba Yavuz <tuba@ece.ufl.edu> Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests") Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'drivers/usb/roles')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: