[PATCH] usb: cdns2: fix memory double free in cdns2_gadget

public inbox for linux-usb@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH] usb: cdns2: fix memory double free in cdns2_gadget_giveback
@ 2025-12-26  3:17 ReBeating
  2026-01-07 15:05 ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: ReBeating @ 2025-12-26  3:17 UTC (permalink / raw)
  To: gregkh; +Cc: linux-usb, ReBeating

A patch similar to commit 5fd9e45f1ebc("usb: cdns3: fix memory double
 free when handle zero packet").

As 5fd9e45f1ebc points out, the cdns2_gadget_giveback() function also has
the same memory double free issue when handling zero-length packets.

Add check for usb_gadget_giveback_request() to avoid double free of memory.
If it's additional zero length packet request, do not call 
usb_gadget_giveback_request().

Signed-off-by: ReBeating <rebeating@163.com>
---
 drivers/usb/gadget/udc/cdns2/cdns2-gadget.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c
index 7e69944ef18a..4f7898c2e364 100644
--- a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c
+++ b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c
@@ -253,7 +253,7 @@ void cdns2_gadget_giveback(struct cdns2_endpoint *pep,
 
 	trace_cdns2_request_giveback(preq);
 
-	if (request->complete) {
+	if (request->complete && request->buf != pdev->zlp_buf) {
 		spin_unlock(&pdev->lock);
 		usb_gadget_giveback_request(&pep->endpoint, request);
 		spin_lock(&pdev->lock);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] usb: cdns2: fix memory double free in cdns2_gadget_giveback
  2025-12-26  3:17 [PATCH] usb: cdns2: fix memory double free in cdns2_gadget_giveback ReBeating
@ 2026-01-07 15:05 ` Greg KH
  0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2026-01-07 15:05 UTC (permalink / raw)
  To: ReBeating; +Cc: linux-usb

On Fri, Dec 26, 2025 at 11:17:13AM +0800, ReBeating wrote:
> A patch similar to commit 5fd9e45f1ebc("usb: cdns3: fix memory double
>  free when handle zero packet").
> 
> As 5fd9e45f1ebc points out, the cdns2_gadget_giveback() function also has
> the same memory double free issue when handling zero-length packets.
> 
> Add check for usb_gadget_giveback_request() to avoid double free of memory.
> If it's additional zero length packet request, do not call 
> usb_gadget_giveback_request().
> 
> Signed-off-by: ReBeating <rebeating@163.com>
> ---
>  drivers/usb/gadget/udc/cdns2/cdns2-gadget.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c
> index 7e69944ef18a..4f7898c2e364 100644
> --- a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c
> +++ b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c
> @@ -253,7 +253,7 @@ void cdns2_gadget_giveback(struct cdns2_endpoint *pep,
>  
>  	trace_cdns2_request_giveback(preq);
>  
> -	if (request->complete) {
> +	if (request->complete && request->buf != pdev->zlp_buf) {
>  		spin_unlock(&pdev->lock);
>  		usb_gadget_giveback_request(&pep->endpoint, request);
>  		spin_lock(&pdev->lock);
> -- 
> 2.34.1
> 
> 

Hi,

This is the friendly patch-bot of Greg Kroah-Hartman.  You have sent him
a patch that has triggered this response.  He used to manually respond
to these common problems, but in order to save his sanity (he kept
writing the same thing over and over, yet to different people), I was
created.  Hopefully you will not take offence and will fix the problem
in your patch and resubmit it so that it can be accepted into the Linux
kernel tree.

You are receiving this message because of the following common error(s)
as indicated below:

- It looks like you did not use your "real" name for the patch on either
  the Signed-off-by: line, or the From: line (both of which have to
  match).  Please read the kernel file,
  Documentation/process/submitting-patches.rst for how to do this
  correctly.

If you wish to discuss this problem further, or you have questions about
how to resolve this issue, please feel free to respond to this email and
Greg will reply once he has dug out from the pending patches received
from other developers.

thanks,

greg k-h's patch email bot

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH] usb: cdns2: fix memory double free in cdns2_gadget_giveback
@ 2025-09-08 15:04 Chen Yufeng
  2025-10-08 11:15 ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: Chen Yufeng @ 2025-09-08 15:04 UTC (permalink / raw)
  To: pawell; +Cc: gregkh, linux-usb, Chen Yufeng

A patch similar to commit 5fd9e45f1ebc("usb: cdns3: fix memory double
 free when handle zero packet").

As 5fd9e45f1ebc points out, the cdns2_gadget_giveback() function also has
the same memory double free issue when handling zero-length packets.

Add check for usb_gadget_giveback_request() to avoid double free of memory.
If it's additional zero length packet request, do not call 
usb_gadget_giveback_request().

Signed-off-by: Chen Yufeng <chenyufeng@iie.ac.cn>
---
 drivers/usb/gadget/udc/cdns2/cdns2-gadget.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c
index 7e69944ef18a..4f7898c2e364 100644
--- a/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c
+++ b/drivers/usb/gadget/udc/cdns2/cdns2-gadget.c
@@ -253,7 +253,7 @@ void cdns2_gadget_giveback(struct cdns2_endpoint *pep,
 
 	trace_cdns2_request_giveback(preq);
 
-	if (request->complete) {
+	if (request->complete && request->buf != pdev->zlp_buf) {
 		spin_unlock(&pdev->lock);
 		usb_gadget_giveback_request(&pep->endpoint, request);
 		spin_lock(&pdev->lock);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] usb: cdns2: fix memory double free in cdns2_gadget_giveback
  2025-09-08 15:04 Chen Yufeng
@ 2025-10-08 11:15 ` Greg KH
  0 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2025-10-08 11:15 UTC (permalink / raw)
  To: Chen Yufeng; +Cc: pawell, linux-usb

On Mon, Sep 08, 2025 at 11:04:25PM +0800, Chen Yufeng wrote:
> A patch similar to commit 5fd9e45f1ebc("usb: cdns3: fix memory double
>  free when handle zero packet").
> 
> As 5fd9e45f1ebc points out, the cdns2_gadget_giveback() function also has
> the same memory double free issue when handling zero-length packets.
> 
> Add check for usb_gadget_giveback_request() to avoid double free of memory.
> If it's additional zero length packet request, do not call 
> usb_gadget_giveback_request().
> 
> Signed-off-by: Chen Yufeng <chenyufeng@iie.ac.cn>
> ---
>  drivers/usb/gadget/udc/cdns2/cdns2-gadget.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

What commit id does this fix?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-01-07 15:05 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-12-26  3:17 [PATCH] usb: cdns2: fix memory double free in cdns2_gadget_giveback ReBeating
2026-01-07 15:05 ` Greg KH
  -- strict thread matches above, loose matches on Subject: below --
2025-09-08 15:04 Chen Yufeng
2025-10-08 11:15 ` Greg KH

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox