From: Felipe Balbi <balbi@kernel.org>
To: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
Cc: linux-usb@vger.kernel.org,
Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
Subject: Re: [PATCH V2] usb: gadget: composite: Fix possible double free memory bug
Date: Tue, 01 Oct 2019 09:09:19 +0300
Message-ID: <87d0fhvvxs.fsf@gmail.com>
In-Reply-To: <1569842311-10353-1-git-send-email-cchiluve@codeaurora.org>

Hi,

Chandana Kishori Chiluveru <cchiluve@codeaurora.org> writes:
> composite_dev_cleanup call from the failure of configfs_composite_bind
> frees up the cdev->os_desc_req and cdev->req. If the previous calls of
> bind and unbind are successful these will carry stale values.
>
> Consider the below sequence of function calls:
> configfs_composite_bind()
>         composite_dev_prepare()
>                 - Allocate cdev->req, cdev->req->buf
>         composite_os_desc_req_prepare()
>                 - Allocate cdev->os_desc_req, cdev->os_desc_req->buf
> configfs_composite_unbind()
>         composite_dev_cleanup()
>                 - free the cdev->os_desc_req->buf and cdev->req->buf
> Next composition switch
> configfs_composite_bind()
>         - If it fails goto err_comp_cleanup will call the
>           composite_dev_cleanup() function
>         composite_dev_cleanup()
>                 - calls kfree up with the stale values of cdev->req->buf and
>                   cdev->os_desc_req from the previous configfs_composite_bind
>                   call. The free call on these stale values leads to double free.
>
> Hence, fix this issue by setting request and buffer pointer to NULL after
> kfree.
>
> Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
>
> Changes in v2:
> - Modified commit text.

These two lines...

> ---

... should be after this tearline :-)

We don't need that in the commit log

--
balbi
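
The sequence in the quoted commit message, as an added userspace model (not code from the patch or the kernel): it replays bind, unbind, and a failed second bind, and counts frees of already-freed buffers with and without setting the pointers to NULL. The `*_model` names, the slot allocator, and the assumption that the second bind fails before allocating anything are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a static arena keeps stale pointers safely comparable. */
static char slots[8][16];
static bool live[8];
static int double_frees;

static void *model_alloc(void) {
    for (int i = 0; i < 8; i++)
        if (!live[i]) { live[i] = true; return slots[i]; }
    return NULL;
}

/* Like kfree(), NULL is a no-op. A free of a non-live slot is counted only. */
static void model_free(void *p) {
    if (!p) return;
    int i = (int)((char (*)[16])p - slots);
    if (live[i]) live[i] = false; else double_frees++;
}

struct cdev_model { void *req_buf; void *os_desc_buf; };

/* Assumption: a failing bind returns before allocating new buffers. */
static int bind_model(struct cdev_model *c, bool fail_early) {
    if (fail_early) return -1;
    c->req_buf = model_alloc();
    c->os_desc_buf = model_alloc();
    return 0;
}

static void cleanup_model(struct cdev_model *c, bool null_after_free) {
    model_free(c->req_buf);
    model_free(c->os_desc_buf);
    if (null_after_free) { c->req_buf = NULL; c->os_desc_buf = NULL; }
}

/* bind OK -> unbind -> bind fails -> error path runs cleanup again. */
static int run_sequence(bool null_after_free) {
    struct cdev_model c = { NULL, NULL };
    double_frees = 0;
    for (int i = 0; i < 8; i++) live[i] = false;
    bind_model(&c, false);
    cleanup_model(&c, null_after_free);      /* unbind */
    if (bind_model(&c, true) < 0)
        cleanup_model(&c, null_after_free);  /* err_comp_cleanup */
    return double_frees;
}

int main(void) {
    printf("stale: %d, nulled: %d\n", run_sequence(false), run_sequence(true));
    return 0;
}
```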
Thread overview: 2+ messages
2019-09-30 11:18 [PATCH V2] usb: gadget: composite: Fix possible double free memory bug Chandana Kishori Chiluveru
2019-10-01 6:09 ` Felipe Balbi [this message]