From nobody Thu Oct 2 14:22:16 2025 Received: from mail-pl1-f202.google.com (mail-pl1-f202.google.com [209.85.214.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BA3E528B3EB for ; Tue, 16 Sep 2025 08:21:39 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010901; cv=none; b=sR/fovODJ2MN4QZbsO6/w17uucNOnjod8j2ONuahN8iHWcPP2RsqRgzKSohq7joY4U1sXZYCE/WNYyDMdFC8Ol54EdCGkSCCHYGe6y/87uasVIqrx08qehU008PUQ3EHmbTzE413jE/9EAkkOek3VX3x8ZeKWEBKg4bs19bvvoo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010901; c=relaxed/simple; bh=fuR/HXUqnZRqWnGet2GEWHTmMUaAcnq8fYUKv/t8unk=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=EDGZ8Xz4I0UddTwUctSqIwf3tZ5i4MViQjJBJ3KAYQH5URaIN/sb9RUURf70GmhO3VNcVw78+VBT+c0BAfkhuc6ucF2KxKfM8ZvMIKFtza/2HgiH9uzJTmfKx4rTz6Z3HXAGXigsXjOwboyKEdPkWKtQrTp0WbHQxikXLxxp4HE= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=pKVIimtw; arc=none smtp.client-ip=209.85.214.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="pKVIimtw" Received: by mail-pl1-f202.google.com with SMTP id d9443c01a7336-248d9301475so76814985ad.0 for ; Tue, 16 Sep 2025 01:21:39 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758010899; x=1758615699; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=uJSapijpv/6eS2x0/D6s99HaO+7NYAKTfmN4io+/7yY=; b=pKVIimtwKEXvbSxmMRMIX3AtLbUH6UgBhkQRbLjMOxpJ7g2NA9j3mDpkUaaFh2ELkg X/4Sfo0JqFLfDePVRDGhPExt4w9vlISjD8cxUYh2KwyeioVQAHXDPuwksQjLRWgCgSyL 2yOTTr3M+l1mhvt1AN3CIbJD69NSCH6+EuVXV3UwFWZCPRmdSdsSKrsbAMLnVwNlKMbf KXp6mV3QEHJE9qlxGL4rKmF99JNthENTMdnwuITNhixwbY8ZLwEZUmPmPD3MR2/LifUo bzE9w6c+ce1tdSw46mKkwNCiAgU9wjeyyyCB4twpan5ReZo/ddn/02PaU5G4lSvH6Hh6 wK4A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758010899; x=1758615699; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=uJSapijpv/6eS2x0/D6s99HaO+7NYAKTfmN4io+/7yY=; b=doP9ANHa+kMFCo0z6gMs842ZXHUuARLlLLNetxV3h/chFOBfMwbwdens6yUxF/XMyN xaAMptOXN37D+yqwqE12e3DGbvmnWMzVzxFHYdrdGOpnvLEuHF0HIt+CEB8ztGXdlhCJ PYGMhgXhBq/+cC1rq1d4Kk8c/dJ+DRyIgpZ036K9rFbn8aVtQt8ltyvJfN6Q4G1qUnta OQhVQyOwriyA1i0/9pnMLKuSBamITqrk9EbF5xvCW1UQTq2+2nS1rMk9jhwjWxfdiVFw RnkMNFO9c7qKoCq1SXB1q/sQRzAUUFU7D/u6czF7Yl9NlWBrgP12Hw6Wo1lAirvnzegI 6FHw== X-Forwarded-Encrypted: i=1; AJvYcCUwTJiQpJH/roW+QZjVL58tCCWQR+rgOoGITqyseACUnysFjejYSQLvylvbQAIXoAtHqeMH1k7Dq2GnuYg=@vger.kernel.org X-Gm-Message-State: AOJu0YzfhyyHAeNatFYIbRVsMMnSiXu0Tod4Iz6kd5u2m655v0G1G/aD oyAw1bmVWT7JmYEq608og+PrBlOwS1wKV98a3U/rGdUtmvUjsZGkJ0tAfMOVP+TCW57mQMauKBk pxHQkVA== X-Google-Smtp-Source: AGHT+IGaZqc2Q4WvhWmuDmDAk6WMZKnhHHrTTt9YQyfshktPNzfQnDqZkHiWjlMD1LvewhzbNxys7IK+ANg= X-Received: from plnw13.prod.google.com ([2002:a17:902:da4d:b0:25e:8dce:6855]) (user=khtsai job=prod-delivery.src-stubby-dispatcher) by 2002:a17:903:2b0d:b0:267:95ad:8cc7 with SMTP id d9443c01a7336-26795ad8ec0mr84124875ad.54.1758010898317; Tue, 16 Sep 2025 01:21:38 -0700 (PDT) Date: Tue, 16 Sep 2025 16:21:32 +0800 In-Reply-To: <20250916-ready-v1-0-4997bf277548@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250916-ready-v1-0-4997bf277548@google.com> X-Developer-Key: i=khtsai@google.com; a=ed25519; pk=abA4Pw6dY2ZufSbSXW9mtp7xiv1AVPtgRhCFWJSEqLE= X-Developer-Signature: v=1; a=ed25519-sha256; t=1758010894; l=1994; i=khtsai@google.com; s=20250916; h=from:subject:message-id; bh=fuR/HXUqnZRqWnGet2GEWHTmMUaAcnq8fYUKv/t8unk=; b=0CJZmIP8dgVWvkzxm1xeVrkWf3hjwzIJfYYWdAue0Lss/T2CMGN3Wk6QQWZolZNX5IWT+mnfr CswxKlvCXGdB5jLuirA9yxTqmIgcsi3Mt1+o0eL8/TdXMUPIyErF11e X-Mailer: b4 0.14.2 Message-ID: <20250916-ready-v1-1-4997bf277548@google.com> Subject: [PATCH 1/6] usb: gadget: Store endpoint pointer in usb_request From: Kuen-Han Tsai To: Greg Kroah-Hartman , David Brownell , Nam Cao , Zack Rusin , Krzysztof Kozlowski , Prashanth K , Thinh Nguyen , John Keeping , Roy Luo Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Kuen-Han Tsai Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Gadget function drivers often have goto-based error handling in their bind paths, which can be bug-prone. Refactoring these paths to use __free() scope-based cleanup is desirable, but currently blocked. The blocker is that usb_ep_free_request(ep, req) requires two parameters, while the __free() mechanism can only pass a pointer to the request itself. Store an endpoint pointer in the struct usb_request. The pointer is populated centrally in usb_ep_alloc_request() on every successful allocation, making the request object self-contained. Signed-off-by: Kuen-Han Tsai --- drivers/usb/gadget/udc/core.c | 3 +++ include/linux/usb/gadget.h | 2 ++ 2 files changed, 5 insertions(+) diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c index d709e24c1fd4228c47f877d097faf987975ac392..e3d63b8fa0f4c17c6d59ab9d2f2= c529e98f20d45 100644 --- a/drivers/usb/gadget/udc/core.c +++ b/drivers/usb/gadget/udc/core.c @@ -194,6 +194,9 @@ struct usb_request *usb_ep_alloc_request(struct usb_ep = *ep, =20 req =3D ep->ops->alloc_request(ep, gfp_flags); =20 + if (req) + req->ep =3D ep; + trace_usb_ep_alloc_request(ep, req, req ? 0 : -ENOMEM); =20 return req; diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h index 0f28c5512fcb6ccd7a854ae8a66c21aec194c3c7..0f20794760887314d81a070755c= 8908c6ac4ed90 100644 --- a/include/linux/usb/gadget.h +++ b/include/linux/usb/gadget.h @@ -32,6 +32,7 @@ struct usb_ep; =20 /** * struct usb_request - describes one i/o request + * @ep: The associated endpoint set by usb_ep_alloc_request(). * @buf: Buffer used for data. Always provide this; some controllers * only use PIO, or don't use DMA for some endpoints. * @dma: DMA address corresponding to 'buf'. If you don't set this @@ -98,6 +99,7 @@ struct usb_ep; */ =20 struct usb_request { + struct usb_ep *ep; void *buf; unsigned length; dma_addr_t dma; --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 14:22:16 2025 Received: from mail-pj1-f74.google.com (mail-pj1-f74.google.com [209.85.216.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9B2802EA49C for ; Tue, 16 Sep 2025 08:21:42 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.216.74 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010904; cv=none; b=knPuxWNzj5f3RyJaW65crZYKwn/OhTmBtBuMcQ4FIDHjdGwYHLjYKaNjWI1UasW/kq6XryR/PQgFy/G0YmvGGcElmhebFAbqUNPgEmkFYaeLhyGjHvwiYDGWRsUxnxLU368+cIK2e6Dp46Evdc6yEj2uoYmr4o9RjByZwEH4omc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010904; c=relaxed/simple; bh=KqbA0WSViw/fVd76NMhaeHHf8p8kF5dAyIDHRRkZY8Q=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=cLWJWQAwqvF0u4HtOq8hheEq61SdBAcdb2W/ylkxwNP/ew/0NcNquFxEDano+eP79Eu4CeVTdHOiFiNeQYGpJXT5ZI7q1ESnMcfV4yQLZo+wZtmm0BmAvQWxODvFLdfQKieiDXQ6xsbQTIoHGpc+IGTICRUhMaOjmsZeYJvHecw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=f4+w3xvT; arc=none smtp.client-ip=209.85.216.74 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="f4+w3xvT" Received: by mail-pj1-f74.google.com with SMTP id 98e67ed59e1d1-32db3d5f20aso4413190a91.1 for ; Tue, 16 Sep 2025 01:21:42 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758010902; x=1758615702; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=I621x9QACwnsqEWtRQMfgrL9A04jGtrlDrBPDiOwIjA=; b=f4+w3xvTKp4JJB5SK06xCFsTdOP4MVHkhhxoACO8372jWID35jelO6gc6gb7Vz8bT9 yCIR/MSoyyi4vlIV5//kueq1XBbc88oWSN2mL9eTCaEexB8ipZr3MthHdvEnekMnOy2Q nPREqxsfE4MMRtgZTCjJXUafSIU+cQS+3jdGdbiMFIgT0eT93/2itSiTempLbo0Y0Ug9 k41or7RqZonmuVdNWG6XN7+7ItDqk33F2bZx93da4l8eLwGPBtNObzHt6Ybwkp5p27Qv +cI22HrVHpDGtvkYqMw4YywNuv3bJ65FFija14ab0KM552I9RdnloZrHP+3bR+mnGB25 BoMg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758010902; x=1758615702; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=I621x9QACwnsqEWtRQMfgrL9A04jGtrlDrBPDiOwIjA=; b=J+58utZQiAJQ6fuMzzlH+8ARo/obcMtDYJxUw+5aynAd3O3D45JLQlrwYdVVOdK5rf zfZnhGWAVjbk+2j5tl/gs4C3Zqipl9RnYPyG8H1DLfo9tgs1m7GWqnGj7ZxlWyc7rAEf 3J4HRuFLDJJB0WKMr4ilr9azNi/wzHmrlRNKDgPnqsKYS2KwFWpTt9aHVIfUsw5NxY9S V/xu0cWGuZj718bw3dR/9jcYTz/B9R67IyD4iO4ux8M5ssS027o8huw04tZsKsJeRyZc Ix7EHWNsmKeDeSL8vHNQysiWpoQ3NSM7KqUGiLRKq+YUeG4i8fKBk+BDKRz0dx2qit7k BdKA== X-Forwarded-Encrypted: i=1; AJvYcCVPVeXZqVmfs/vvKy/bCnWPe7cmezfW8IkcFDWZQrRf3vSP6SLPKM2b8g5gM6D/4Yp1+dFMCvO/Dl1e5VM=@vger.kernel.org X-Gm-Message-State: AOJu0Yxup6NZib5f+AacjTzVmpJ64IOa7qTgkq8vAppPYSbncmNC/dfQ 24YGgc8sSnSJW6yHYZeJVzNb/9e8tf/JA7o6CWdW7UfZd/QgaBQKgCFhJYln7xtGG8bDEtvKoDi Kqb0G7w== X-Google-Smtp-Source: AGHT+IHmk1MDtIN07ez2FLbYyMNZcJFwEG2Tscu6eNO05ncxE//LK7cDAiARPiu9CqlmSuy+JGa3YS07U3Y= X-Received: from pjbst15.prod.google.com ([2002:a17:90b:1fcf:b0:325:5e4e:4bd4]) (user=khtsai job=prod-delivery.src-stubby-dispatcher) by 2002:a17:90b:51d1:b0:32e:7270:94a1 with SMTP id 98e67ed59e1d1-32e72709694mr8334878a91.17.1758010901762; Tue, 16 Sep 2025 01:21:41 -0700 (PDT) Date: Tue, 16 Sep 2025 16:21:33 +0800 In-Reply-To: <20250916-ready-v1-0-4997bf277548@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250916-ready-v1-0-4997bf277548@google.com> X-Developer-Key: i=khtsai@google.com; a=ed25519; pk=abA4Pw6dY2ZufSbSXW9mtp7xiv1AVPtgRhCFWJSEqLE= X-Developer-Signature: v=1; a=ed25519-sha256; t=1758010894; l=1880; i=khtsai@google.com; s=20250916; h=from:subject:message-id; bh=KqbA0WSViw/fVd76NMhaeHHf8p8kF5dAyIDHRRkZY8Q=; b=s0Jiw3j5/HMGZaKpmRY7Gl8dJEQasTRNS0qen6WZeXkstOb7kARChj7e3cfvTMHj4dvR1Mile bHcWL5R4xaLCg4G8u4mVRFu80yAdsD9Q9h6bo0UXW8NfwTjfQD7l7OC X-Mailer: b4 0.14.2 Message-ID: <20250916-ready-v1-2-4997bf277548@google.com> Subject: [PATCH 2/6] usb: gadget: Introduce free_usb_request helper From: Kuen-Han Tsai To: Greg Kroah-Hartman , David Brownell , Nam Cao , Zack Rusin , Krzysztof Kozlowski , Prashanth K , Thinh Nguyen , John Keeping , Roy Luo Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Kuen-Han Tsai Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Introduce the free_usb_request() function that frees both the request's buffer and the request itself. This function serves as the cleanup callback for DEFINE_FREE() to enable automatic, scope-based cleanup for usb_request pointers. Signed-off-by: Kuen-Han Tsai --- include/linux/usb/gadget.h | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/include/linux/usb/gadget.h b/include/linux/usb/gadget.h index 0f20794760887314d81a070755c8908c6ac4ed90..3aaf19e775580b19cbb2b30d8df= 8a282945edfa0 100644 --- a/include/linux/usb/gadget.h +++ b/include/linux/usb/gadget.h @@ -15,6 +15,7 @@ #ifndef __LINUX_USB_GADGET_H #define __LINUX_USB_GADGET_H =20 +#include #include #include #include @@ -293,6 +294,28 @@ static inline void usb_ep_fifo_flush(struct usb_ep *ep) =20 /*------------------------------------------------------------------------= -*/ =20 +/** + * free_usb_request - frees a usb_request object and its buffer + * @req: the request being freed + * + * This helper function frees both the request's buffer and the request ob= ject + * itself by calling usb_ep_free_request(). Its signature is designed to b= e used + * with DEFINE_FREE() to enable automatic, scope-based cleanup for usb_req= uest + * pointers. + */ +static inline void free_usb_request(struct usb_request *req) +{ + if (!req) + return; + + kfree(req->buf); + usb_ep_free_request(req->ep, req); +} + +DEFINE_FREE(free_usb_request, struct usb_request *, free_usb_request(_T)) + +/*------------------------------------------------------------------------= -*/ + struct usb_dcd_config_params { __u8 bU1devExitLat; /* U1 Device exit Latency */ #define USB_DEFAULT_U1_DEV_EXIT_LAT 0x01 /* Less then 1 microsec */ --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 14:22:16 2025 Received: from mail-pf1-f201.google.com (mail-pf1-f201.google.com [209.85.210.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 92511287256 for ; Tue, 16 Sep 2025 08:21:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010906; cv=none; b=STg9LIO0RBzDRYWJ9RZjf+qhIcslO15hk+YUuS/i5sEQ7P6kyZ+8PeIQ58Yq9EdYPCysLsaKcrjWrv/zKVFj/pNYADCbR5PZNKnNt6ndFknCKrsVW/qyGjWfnTo48DviA83CTp2y3KrRe1U6AMdaEjRpx/yJvt6QBibkFjkEk9k= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010906; c=relaxed/simple; bh=N/7rPySAgQOu8W8dwCVj3UJzonthS9K7jZ498RsuujQ=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=TUzgmdc8Y9CkOSRRMvW0uk1j2UvoyDiKwiQu0zScPZMWdkZPgfXQPTOUxzuePzle+wFK5FaIpBUaD+N1AmmqtMmYVRQlOWeLPS66Lmkk641cEQEeR9AUM77h0+AZOTLTeoawbQr5kzgix6lmfEPIxL6Kfke1rtWrJY67+1MwbMo= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=rj7qE2tp; arc=none smtp.client-ip=209.85.210.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="rj7qE2tp" Received: by mail-pf1-f201.google.com with SMTP id d2e1a72fcca58-77253535b2cso4744624b3a.3 for ; Tue, 16 Sep 2025 01:21:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758010904; x=1758615704; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=EqhhgJga+nem6ZRi78lVMECZxqVyLV2vinhBZXlldyA=; b=rj7qE2tp7b6/+wL+PzZB+dslzPq7ZySxGt/MvIjxuGDhhOnttxZlMfysDK15H00RCa SzlCesBwnqpz+8Z3pT0B6aRo9G8eRa3Non1jVgQ63lnzJQS9/xQ2jnbstg9P13RyGkHu CPkuFq80/RXr2B3xXDbZXU6vL4VbRPEdUV0NCs5YmYnpJ8RKQbYBvd7awT5KXbYPk43O OPBht4VQHi3pGaq/PhAiW0JfT5h/vV3kQcVgh/aL9YjKNX4eVU8eusBFLxA89fTlnup6 R4GS2Mvzg/JWWoDLkqzfzjkYRs4dunwFfnUt7LUZ9or4QhvW7f7wh4fAXH0PL7QMxFWn EjXg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758010904; x=1758615704; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=EqhhgJga+nem6ZRi78lVMECZxqVyLV2vinhBZXlldyA=; b=K+gZZDASxY30+hOqpPq5VO9E9WBMEAZlHTGz3+FJ4umvdTXEUX3wK8rOeErUPu30Sd k/PkIFYXWXsInuPhuTg4XXvzu1VqXtjHG+VOaru6lXIgrFp+2Cwq9+LVjqMHoues0yK/ gOx/tmfQ7FYw78N75ZMu4L9DJOrLOcKxP7zGPzsQNp0yo4QdiQiGIuWTgqh9cO3U0Q1b nSzJCJ8Tj0j1OwahliIMGFjzQ7d1svS3kulxedgYAqF4SRQ4Q7S9K2mFRMfA3amu7ucj ptNXVoLWCuvjmpY8nNPY1jvnZgik2L38dujqmOf3TNR/HviZAyfQtIiBHtnzOa2uJq0t 5lOA== X-Forwarded-Encrypted: i=1; AJvYcCVKawE5dVpQgMs9mABk/rYPQ0gBQWqKXEZ+l57+MJ8a7+PZZrYVYbKaON3xIk9TkD7YvANqAVl8GqStb8A=@vger.kernel.org X-Gm-Message-State: AOJu0YyPgqi4mW08t6mb/mP+Q5cUBFMp4guoe8/uo+nQqjZKUzOa8ZQw M6oZ2J42/Yjow5+MqeraNfjYPMXJjobYcNTY6MLzN5I9vqyD+8IKfotp2OIx3rk66s/Bm/ZqGou EZyfG2g== X-Google-Smtp-Source: AGHT+IG85Cw5/Sxac3Ad82ihlrD1bHJAF+MbMWjVkCwp94Y+r6uFS/36rHDY7PypBjIn2FxOYjLJtROkXGc= X-Received: from pfst40.prod.google.com ([2002:aa7:8fa8:0:b0:771:e00d:cee]) (user=khtsai job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a00:9289:b0:772:4759:e433 with SMTP id d2e1a72fcca58-7761209bdeemr18234364b3a.2.1758010903803; Tue, 16 Sep 2025 01:21:43 -0700 (PDT) Date: Tue, 16 Sep 2025 16:21:34 +0800 In-Reply-To: <20250916-ready-v1-0-4997bf277548@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250916-ready-v1-0-4997bf277548@google.com> X-Developer-Key: i=khtsai@google.com; a=ed25519; pk=abA4Pw6dY2ZufSbSXW9mtp7xiv1AVPtgRhCFWJSEqLE= X-Developer-Signature: v=1; a=ed25519-sha256; t=1758010894; l=6688; i=khtsai@google.com; s=20250916; h=from:subject:message-id; bh=N/7rPySAgQOu8W8dwCVj3UJzonthS9K7jZ498RsuujQ=; b=c3qch1HdrAPIjLCTmXnfXgir5tbyX9bJ6SdqN3sXIbawHDzDxRndIBP3FxzliNyu9izEaw6CT pZiynYcaFbWBK+Zh933MfzBZq63ZpX0Ii9AVPz/2nL/7GQxqN586/62 X-Mailer: b4 0.14.2 Message-ID: <20250916-ready-v1-3-4997bf277548@google.com> Subject: [PATCH 3/6] usb: gadget: f_ncm: Refactor bind path to use __free() From: Kuen-Han Tsai To: Greg Kroah-Hartman , David Brownell , Nam Cao , Zack Rusin , Krzysztof Kozlowski , Prashanth K , Thinh Nguyen , John Keeping , Roy Luo Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Kuen-Han Tsai , stable@kernel.org Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable After an bind/unbind cycle, the ncm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Unable to handle kernel NULL pointer dereference at virtual address 0000000= 000000020 Call trace: usb_ep_free_request+0x2c/0xec ncm_bind+0x39c/0x3dc usb_add_function+0xcc/0x1f0 configfs_composite_bind+0x468/0x588 gadget_bind_driver+0x104/0x270 really_probe+0x190/0x374 __driver_probe_device+0xa0/0x12c driver_probe_device+0x3c/0x218 __device_attach_driver+0x14c/0x188 bus_for_each_drv+0x10c/0x168 __device_attach+0xfc/0x198 device_initial_probe+0x14/0x24 bus_probe_device+0x94/0x11c device_add+0x268/0x48c usb_add_gadget+0x198/0x28c dwc3_gadget_init+0x700/0x858 __dwc3_set_mode+0x3cc/0x664 process_scheduled_works+0x1d8/0x488 worker_thread+0x244/0x334 kthread+0x114/0x1bc ret_from_fork+0x10/0x20 Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") Cc: stable@kernel.org Signed-off-by: Kuen-Han Tsai --- drivers/usb/gadget/function/f_ncm.c | 78 ++++++++++++++++-----------------= ---- 1 file changed, 33 insertions(+), 45 deletions(-) diff --git a/drivers/usb/gadget/function/f_ncm.c b/drivers/usb/gadget/funct= ion/f_ncm.c index 58b0dd575af32a95f8ae1fa7d9483638d37fd052..0148d60926dcf751b7c464c2922= d194ef965bdfd 100644 --- a/drivers/usb/gadget/function/f_ncm.c +++ b/drivers/usb/gadget/function/f_ncm.c @@ -11,6 +11,7 @@ * Copyright (C) 2008 Nokia Corporation */ =20 +#include #include #include #include @@ -20,6 +21,7 @@ #include =20 #include +#include =20 #include "u_ether.h" #include "u_ether_configfs.h" @@ -1436,18 +1438,18 @@ static int ncm_bind(struct usb_configuration *c, st= ruct usb_function *f) struct usb_ep *ep; struct f_ncm_opts *ncm_opts; =20 + struct usb_os_desc_table *os_desc_table __free(kfree) =3D NULL; + struct usb_request *request __free(free_usb_request) =3D NULL; + if (!can_support_ecm(cdev->gadget)) return -EINVAL; =20 ncm_opts =3D container_of(f->fi, struct f_ncm_opts, func_inst); =20 if (cdev->use_os_string) { - f->os_desc_table =3D kzalloc(sizeof(*f->os_desc_table), - GFP_KERNEL); - if (!f->os_desc_table) + os_desc_table =3D kzalloc(sizeof(*os_desc_table), GFP_KERNEL); + if (!os_desc_table) return -ENOMEM; - f->os_desc_n =3D 1; - f->os_desc_table[0].os_desc =3D &ncm_opts->ncm_os_desc; } =20 mutex_lock(&ncm_opts->lock); @@ -1459,16 +1461,15 @@ static int ncm_bind(struct usb_configuration *c, st= ruct usb_function *f) mutex_unlock(&ncm_opts->lock); =20 if (status) - goto fail; + return status; =20 ncm_opts->bound =3D true; =20 us =3D usb_gstrings_attach(cdev, ncm_strings, ARRAY_SIZE(ncm_string_defs)); - if (IS_ERR(us)) { - status =3D PTR_ERR(us); - goto fail; - } + if (IS_ERR(us)) + return PTR_ERR(us); + ncm_control_intf.iInterface =3D us[STRING_CTRL_IDX].id; ncm_data_nop_intf.iInterface =3D us[STRING_DATA_IDX].id; ncm_data_intf.iInterface =3D us[STRING_DATA_IDX].id; @@ -1478,20 +1479,16 @@ static int ncm_bind(struct usb_configuration *c, st= ruct usb_function *f) /* allocate instance-specific interface IDs */ status =3D usb_interface_id(c, f); if (status < 0) - goto fail; + return status; ncm->ctrl_id =3D status; ncm_iad_desc.bFirstInterface =3D status; =20 ncm_control_intf.bInterfaceNumber =3D status; ncm_union_desc.bMasterInterface0 =3D status; =20 - if (cdev->use_os_string) - f->os_desc_table[0].if_id =3D - ncm_iad_desc.bFirstInterface; - status =3D usb_interface_id(c, f); if (status < 0) - goto fail; + return status; ncm->data_id =3D status; =20 ncm_data_nop_intf.bInterfaceNumber =3D status; @@ -1500,35 +1497,31 @@ static int ncm_bind(struct usb_configuration *c, st= ruct usb_function *f) =20 ecm_desc.wMaxSegmentSize =3D cpu_to_le16(ncm_opts->max_segment_size); =20 - status =3D -ENODEV; - /* allocate instance-specific endpoints */ ep =3D usb_ep_autoconfig(cdev->gadget, &fs_ncm_in_desc); if (!ep) - goto fail; + return -ENODEV; ncm->port.in_ep =3D ep; =20 ep =3D usb_ep_autoconfig(cdev->gadget, &fs_ncm_out_desc); if (!ep) - goto fail; + return -ENODEV; ncm->port.out_ep =3D ep; =20 ep =3D usb_ep_autoconfig(cdev->gadget, &fs_ncm_notify_desc); if (!ep) - goto fail; + return -ENODEV; ncm->notify =3D ep; =20 - status =3D -ENOMEM; - /* allocate notification request and buffer */ - ncm->notify_req =3D usb_ep_alloc_request(ep, GFP_KERNEL); - if (!ncm->notify_req) - goto fail; - ncm->notify_req->buf =3D kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL); - if (!ncm->notify_req->buf) - goto fail; - ncm->notify_req->context =3D ncm; - ncm->notify_req->complete =3D ncm_notify_complete; + request =3D usb_ep_alloc_request(ep, GFP_KERNEL); + if (!request) + return -ENOMEM; + request->buf =3D kmalloc(NCM_STATUS_BYTECOUNT, GFP_KERNEL); + if (!request->buf) + return -ENOMEM; + request->context =3D ncm; + request->complete =3D ncm_notify_complete; =20 /* * support all relevant hardware speeds... we expect that when @@ -1548,7 +1541,7 @@ static int ncm_bind(struct usb_configuration *c, stru= ct usb_function *f) status =3D usb_assign_descriptors(f, ncm_fs_function, ncm_hs_function, ncm_ss_function, ncm_ss_function); if (status) - goto fail; + return status; =20 /* * NOTE: all that is done without knowing or caring about @@ -1561,23 +1554,18 @@ static int ncm_bind(struct usb_configuration *c, st= ruct usb_function *f) =20 hrtimer_setup(&ncm->task_timer, ncm_tx_timeout, CLOCK_MONOTONIC, HRTIMER_= MODE_REL_SOFT); =20 + if (cdev->use_os_string) { + os_desc_table[0].os_desc =3D &ncm_opts->ncm_os_desc; + os_desc_table[0].if_id =3D ncm_iad_desc.bFirstInterface; + f->os_desc_table =3D no_free_ptr(os_desc_table); + f->os_desc_n =3D 1; + } + ncm->notify_req =3D no_free_ptr(request); + DBG(cdev, "CDC Network: IN/%s OUT/%s NOTIFY/%s\n", ncm->port.in_ep->name, ncm->port.out_ep->name, ncm->notify->name); return 0; - -fail: - kfree(f->os_desc_table); - f->os_desc_n =3D 0; - - if (ncm->notify_req) { - kfree(ncm->notify_req->buf); - usb_ep_free_request(ncm->notify, ncm->notify_req); - } - - ERROR(cdev, "%s: can't bind, err %d\n", f->name, status); - - return status; } =20 static inline struct f_ncm_opts *to_f_ncm_opts(struct config_item *item) --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 14:22:16 2025 Received: from mail-pf1-f202.google.com (mail-pf1-f202.google.com [209.85.210.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B53B32EBDDE for ; Tue, 16 Sep 2025 08:21:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010909; cv=none; b=dtCcglgdg39Mz440OOjwH29BDTln2AuLBQK3hBZ0n7MVl4dTlJ1B9kfqph00iwqdJGc+mvdj2a8368J0vkLE0N+74LUEi6ULJRVy8YWfDCJFvG7Zga6ggW/t7lWiHUB/LVWqyGFZxA05sR9Jkq13ekhLNij0OkhD6s2DX0At9vk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010909; c=relaxed/simple; bh=P1LfRxrcrGhzoZEKvZbzrpnaEprQNC1g8Qth+X5e6xs=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=XrjdImf6NM+PligozyTmE6Xz+KvqFogxBePtCjFYGrGnaVNMxwPfXzkg39Qe8NweGqTi83Mm/LHLVCYNkBT3Lv7O2IvcOLHx64O/i8z++3niUUA+91GaIxwLRT+vZNyqjw2GfjEmIN7UKCnaH7ypERYRMMNkIw3SsBBs9+NydmY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=UyKAjIU3; arc=none smtp.client-ip=209.85.210.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="UyKAjIU3" Received: by mail-pf1-f202.google.com with SMTP id d2e1a72fcca58-77619bb3871so6049724b3a.1 for ; Tue, 16 Sep 2025 01:21:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758010907; x=1758615707; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=DG760754b6pvLc5Zdigx6UGTSLqlU0NzUMtufzKH57g=; b=UyKAjIU3UwUpki3+ebEWxbcOIlPl/Yd6bSm0y+uOOO2VCUXgxbOizehaANb1sLGYkf fLNjn2sVy6s/zpgIeUBhuRr+4WASzZSHgjnGANyLTZLeh2tyD/eOw3/yqgeUh/h6K4f1 G1JzyhTjbQaZqVsnL4QhBOq0B3UuKSH5JMtnWJjY3mMzFIj0kGHCBJbPoLJyxCUZVJAV o4bJhHl2Uep1naFVKEao/1EjdVZqiwZs9e60iVJj1vYheUPxyn4y17imSney3S0vFwfB mb3M+FtY/p2ToDD7tewVHpfHr4JgDEgUkDMYZSAg3GX3yW5Fcb67Zf1j+jE0NK23qWCE XrVg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758010907; x=1758615707; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=DG760754b6pvLc5Zdigx6UGTSLqlU0NzUMtufzKH57g=; b=ZqgIVeyYARg8XOX14DeHehBr5fnoz2Fo0nwT81TLE4he1oGW3qEgQSi2pesEj+7r0N UTO9JfsF5M9XWVF2ZH7NFsv83PMjVkhW7uqkyt6cJYevtaMGiU+lpeOOTuJ6XunDI93c enpcCZYNCDR7SssOI38vO0U7bZUxihO4cz/DY0YdYCwZvmemvHUy0BACCcDtMkEfv5C1 Zag68rFbs6cZdrYImkcIgPT8r+Y0F/C8oYWoFS/1s7hM6ww8XMcreXY3/zAmnkm0GXXM LwnzlLNef5aFAqRfCo+Z8cxGUqoNw+gLVbsO/hbQ63CJlXwafxMwgsv5w/VtR/yiF8XW ZAjA== X-Forwarded-Encrypted: i=1; AJvYcCVVjw9rkXgkhSzjX2qRe4Uj8Odup4feZFwn2sAZRBD79bpwRXG2qur5jKWtB9UrFTEmWZoYZjiXRQKE7qs=@vger.kernel.org X-Gm-Message-State: AOJu0YyPNaH/RVx4m5QWInoVA2Y3R8Zqa0WhJx1JoBrDKL7ntYRFb8iB rMuqeTJHyXhbOm65QlfJM0OchnNx368wj44GAjhNcr2K563v3em05f6uSnhOqUhVLM6TfHA3xBO encijvQ== X-Google-Smtp-Source: AGHT+IE/0Vv546PDeVtNiWrkwmA+p4ogC/9GnEu3AVLh9mD580agcG1I3jbi197WFqLLkWttRZiWdsxHsQE= X-Received: from pfbft4.prod.google.com ([2002:a05:6a00:81c4:b0:776:130f:e189]) (user=khtsai job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a00:1708:b0:76e:8cf4:7bc4 with SMTP id d2e1a72fcca58-7761218c807mr17784493b3a.26.1758010906973; Tue, 16 Sep 2025 01:21:46 -0700 (PDT) Date: Tue, 16 Sep 2025 16:21:35 +0800 In-Reply-To: <20250916-ready-v1-0-4997bf277548@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250916-ready-v1-0-4997bf277548@google.com> X-Developer-Key: i=khtsai@google.com; a=ed25519; pk=abA4Pw6dY2ZufSbSXW9mtp7xiv1AVPtgRhCFWJSEqLE= X-Developer-Signature: v=1; a=ed25519-sha256; t=1758010894; l=4996; i=khtsai@google.com; s=20250916; h=from:subject:message-id; bh=P1LfRxrcrGhzoZEKvZbzrpnaEprQNC1g8Qth+X5e6xs=; b=ngT80pto5NMDDKcMxDtTWqjfpJrj74zFXpjGVXpoFlYPvuJUmGwrlyJslN0GVGqt1N1O+klY7 JS8hsEnrmNgA3QsBlF3dSrOIkwmCg1Ls7FD2ntSq3776GW2bkJ80wgQ X-Mailer: b4 0.14.2 Message-ID: <20250916-ready-v1-4-4997bf277548@google.com> Subject: [PATCH 4/6] usb: gadget: f_acm: Refactor bind path to use __free() From: Kuen-Han Tsai To: Greg Kroah-Hartman , David Brownell , Nam Cao , Zack Rusin , Krzysztof Kozlowski , Prashanth K , Thinh Nguyen , John Keeping , Roy Luo Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Kuen-Han Tsai , stable@kernel.org Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Unable to handle kernel NULL pointer dereference at virtual address 0000000= 000000020 Call trace: usb_ep_free_request+0x2c/0xec gs_free_req+0x30/0x44 acm_bind+0x1b8/0x1f4 usb_add_function+0xcc/0x1f0 configfs_composite_bind+0x468/0x588 gadget_bind_driver+0x104/0x270 really_probe+0x190/0x374 __driver_probe_device+0xa0/0x12c driver_probe_device+0x3c/0x218 __device_attach_driver+0x14c/0x188 bus_for_each_drv+0x10c/0x168 __device_attach+0xfc/0x198 device_initial_probe+0x14/0x24 bus_probe_device+0x94/0x11c device_add+0x268/0x48c usb_add_gadget+0x198/0x28c dwc3_gadget_init+0x700/0x858 __dwc3_set_mode+0x3cc/0x664 process_scheduled_works+0x1d8/0x488 worker_thread+0x244/0x334 kthread+0x114/0x1bc ret_from_fork+0x10/0x20 Fixes: 1f1ba11b6494 ("usb gadget: issue notifications from ACM function") Cc: stable@kernel.org Signed-off-by: Kuen-Han Tsai --- drivers/usb/gadget/function/f_acm.c | 42 +++++++++++++++++----------------= ---- 1 file changed, 19 insertions(+), 23 deletions(-) diff --git a/drivers/usb/gadget/function/f_acm.c b/drivers/usb/gadget/funct= ion/f_acm.c index 7061720b9732e4182b02ac3523d49c8e053176b7..106046e17c4e11253e325789904= 2ab803f3f2657 100644 --- a/drivers/usb/gadget/function/f_acm.c +++ b/drivers/usb/gadget/function/f_acm.c @@ -11,12 +11,15 @@ =20 /* #define VERBOSE_DEBUG */ =20 +#include #include #include #include #include #include =20 +#include + #include "u_serial.h" =20 =20 @@ -613,6 +616,7 @@ acm_bind(struct usb_configuration *c, struct usb_functi= on *f) struct usb_string *us; int status; struct usb_ep *ep; + struct usb_request *request __free(free_usb_request) =3D NULL; =20 /* REVISIT might want instance-specific strings to help * distinguish instances ... @@ -630,7 +634,7 @@ acm_bind(struct usb_configuration *c, struct usb_functi= on *f) /* allocate instance-specific interface IDs, and patch descriptors */ status =3D usb_interface_id(c, f); if (status < 0) - goto fail; + return status; acm->ctrl_id =3D status; acm_iad_descriptor.bFirstInterface =3D status; =20 @@ -639,43 +643,41 @@ acm_bind(struct usb_configuration *c, struct usb_func= tion *f) =20 status =3D usb_interface_id(c, f); if (status < 0) - goto fail; + return status; acm->data_id =3D status; =20 acm_data_interface_desc.bInterfaceNumber =3D status; acm_union_desc.bSlaveInterface0 =3D status; acm_call_mgmt_descriptor.bDataInterface =3D status; =20 - status =3D -ENODEV; - /* allocate instance-specific endpoints */ ep =3D usb_ep_autoconfig(cdev->gadget, &acm_fs_in_desc); if (!ep) - goto fail; + return -ENODEV; acm->port.in =3D ep; =20 ep =3D usb_ep_autoconfig(cdev->gadget, &acm_fs_out_desc); if (!ep) - goto fail; + return -ENODEV; acm->port.out =3D ep; =20 ep =3D usb_ep_autoconfig(cdev->gadget, &acm_fs_notify_desc); if (!ep) - goto fail; + return -ENODEV; acm->notify =3D ep; =20 acm_iad_descriptor.bFunctionProtocol =3D acm->bInterfaceProtocol; acm_control_interface_desc.bInterfaceProtocol =3D acm->bInterfaceProtocol; =20 /* allocate notification */ - acm->notify_req =3D gs_alloc_req(ep, - sizeof(struct usb_cdc_notification) + 2, - GFP_KERNEL); - if (!acm->notify_req) - goto fail; + request =3D gs_alloc_req(ep, + sizeof(struct usb_cdc_notification) + 2, + GFP_KERNEL); + if (!request) + return -ENODEV; =20 - acm->notify_req->complete =3D acm_cdc_notify_complete; - acm->notify_req->context =3D acm; + request->complete =3D acm_cdc_notify_complete; + request->context =3D acm; =20 /* support all relevant hardware speeds... we expect that when * hardware is dual speed, all bulk-capable endpoints work at @@ -692,7 +694,9 @@ acm_bind(struct usb_configuration *c, struct usb_functi= on *f) status =3D usb_assign_descriptors(f, acm_fs_function, acm_hs_function, acm_ss_function, acm_ss_function); if (status) - goto fail; + return status; + + acm->notify_req =3D no_free_ptr(request); =20 dev_dbg(&cdev->gadget->dev, "acm ttyGS%d: IN/%s OUT/%s NOTIFY/%s\n", @@ -700,14 +704,6 @@ acm_bind(struct usb_configuration *c, struct usb_funct= ion *f) acm->port.in->name, acm->port.out->name, acm->notify->name); return 0; - -fail: - if (acm->notify_req) - gs_free_req(acm->notify, acm->notify_req); - - ERROR(cdev, "%s/%p: can't bind, err %d\n", f->name, f, status); - - return status; } =20 static void acm_unbind(struct usb_configuration *c, struct usb_function *f) --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 14:22:16 2025 Received: from mail-pl1-f201.google.com (mail-pl1-f201.google.com [209.85.214.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id AD8F62EC092 for ; Tue, 16 Sep 2025 08:21:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.214.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010911; cv=none; b=mxK8cCuwhJlLsYXsmHTcwApF+grYzsuzJ3meMa9qCmvK7BW6DVDr9CRC0JJaIqqM97zuBV2LNfgF2Qi+oAQ3cIJy82lhmcY9PRwmXCCQFF6xh+9/WZHTfXi4A2u907LFSBUvtlhHl+7ablVACxTCzPUCWe/zwNvQYCFjAnezdrk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010911; c=relaxed/simple; bh=nzUJUBQUDY6IjnlDTIkln8mW+kfgV5L3cPxxckekh/M=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=vGVeyvlBwplTz3AVv6jbXfEIAHZGW1pe5nKjP7ORYfe35yJUyaTwy7m+kVYY8HkpGWwh9S2jKme1NOwg6CIVSv6M48vzh4GVg6mqpbnqtdE4lpeR+cjaVW7NnkPQnTq3E9Z8pdheilH2uydiiUAll2wprXfBeX7/rUXTXFGSn6Q= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=pSnccMmS; arc=none smtp.client-ip=209.85.214.201 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="pSnccMmS" Received: by mail-pl1-f201.google.com with SMTP id d9443c01a7336-244581ce13aso106261435ad.2 for ; Tue, 16 Sep 2025 01:21:49 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758010909; x=1758615709; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=T6KEyWg5U4Q05BuxI9yT5T5sEUrMlo9n5Xv8LbVudls=; b=pSnccMmSFgskPzC1X2TP9RAOk58y6jbkpwX551tK6OOLCz9Wd/ZP2vlP2vtc5ZrqeB xBiyk7NGfw0d9VggVi/a3Er488Fmag5d9hm7s5eB+jv/lRlahrV5WtM98smL1F4+cG1M ktojoDC6ePGYdwj4e58EH+s70C3xZR279cogbjVueRtMDlDEN/YiUDHYIZ/N6K9TASch /RFc0V6clD4pZBSOGqVXNNayYmXkSGWPFI0dxMk2XSaYWbQO2wieHWWPsgpRIJVX0FSP DP6Q8WBGEiaSOLlfB6pC8UvSy0Cc57pU42GmKeHt2BfReAVJgpK613O0uDj+8ydhHcSN B1sQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758010909; x=1758615709; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=T6KEyWg5U4Q05BuxI9yT5T5sEUrMlo9n5Xv8LbVudls=; b=IAzY3NTCra9KtcJ+ErZtJCTAuh7zcPpTJjWtBh3mvu3zaVnWs8m9FIntY41FmVQ9WZ VXeCMCdfvruzOGU74yY+0+1RWKQRnf6nCMUV4LFxGinXSfv9L9iUAy1YKlmMWlkXE8Am mGaISh/LLf30SJ5kZdM6S2E7lxJ8b9bjr5iKDhPvGOqPoJXowVGowGcwsMuskLfcFDdU IZZO9/sjVhS7g2m69xgQN4HmLWq/z85zuLEbjwgse/Nzk39kYg2MzzZWm8PdAdunBNNs XaVD1xMZjvTFtPuiE3ByyqmYD2C1fwcRH83jM3Mc1Xn7nQlLiF3RxTiqXALvdj4PQ1f+ W4Rg== X-Forwarded-Encrypted: i=1; AJvYcCXEHSqIWRHy/DvfmA9ghn2FlCPejLba8IgjEiSkaEAzoLKNdb96vWZ93bfsCOJEzHtU/aNLnjqu9hl2PFc=@vger.kernel.org X-Gm-Message-State: AOJu0Yztwm5N0GNCsyweWSwIRSWBA127bLYRSAnwnRBvpICR6IyTvdQu VprGLbBDN3Rq5HFvbC8PSJT1I1zaDun7ywZj6Pfi7tp4qAPbBPhQy2cNu1FgCDMe3rYf8JLRPug 8jsQ5GQ== X-Google-Smtp-Source: AGHT+IFQoROC6DO6NsAcnx7lNpGk7R8oDG7xj1iNrSLy1+m6NH3iLLjA9tVJeTEuD+rPSe8yUuz1smsBOoY= X-Received: from plgi5.prod.google.com ([2002:a17:902:cf05:b0:267:e3c2:182d]) (user=khtsai job=prod-delivery.src-stubby-dispatcher) by 2002:a17:903:478d:b0:265:acc3:d312 with SMTP id d9443c01a7336-265acc3d46bmr93071495ad.43.1758010909064; Tue, 16 Sep 2025 01:21:49 -0700 (PDT) Date: Tue, 16 Sep 2025 16:21:36 +0800 In-Reply-To: <20250916-ready-v1-0-4997bf277548@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250916-ready-v1-0-4997bf277548@google.com> X-Developer-Key: i=khtsai@google.com; a=ed25519; pk=abA4Pw6dY2ZufSbSXW9mtp7xiv1AVPtgRhCFWJSEqLE= X-Developer-Signature: v=1; a=ed25519-sha256; t=1758010894; l=4610; i=khtsai@google.com; s=20250916; h=from:subject:message-id; bh=nzUJUBQUDY6IjnlDTIkln8mW+kfgV5L3cPxxckekh/M=; b=FXplXMMjNF7hhFe9P3At0BZbxF/fa0xizJlEnR67dc3Hlb3Kd/sDpeo2ok4ItCJryANkscJ+R 9ims8ubyAQPDYyR6h2TCbWnOU3BV3ZCVOpBOFygIqtvugLG5UkK738s X-Mailer: b4 0.14.2 Message-ID: <20250916-ready-v1-5-4997bf277548@google.com> Subject: [PATCH 5/6] usb: gadget: f_ecm: Refactor bind path to use __free() From: Kuen-Han Tsai To: Greg Kroah-Hartman , David Brownell , Nam Cao , Zack Rusin , Krzysztof Kozlowski , Prashanth K , Thinh Nguyen , John Keeping , Roy Luo Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Kuen-Han Tsai , stable@kernel.org Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable After an bind/unbind cycle, the ecm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Fixes: da741b8c56d6 ("usb ethernet gadget: split CDC Ethernet function") Cc: stable@kernel.org Signed-off-by: Kuen-Han Tsai --- drivers/usb/gadget/function/f_ecm.c | 48 ++++++++++++++++-----------------= ---- 1 file changed, 20 insertions(+), 28 deletions(-) diff --git a/drivers/usb/gadget/function/f_ecm.c b/drivers/usb/gadget/funct= ion/f_ecm.c index 027226325039f0c8eaee27a339513a758c01786b..675d2bc538a45747de601b0fcf2= b7b8757642214 100644 --- a/drivers/usb/gadget/function/f_ecm.c +++ b/drivers/usb/gadget/function/f_ecm.c @@ -8,6 +8,7 @@ =20 /* #define VERBOSE_DEBUG */ =20 +#include #include #include #include @@ -15,6 +16,8 @@ #include #include =20 +#include + #include "u_ether.h" #include "u_ether_configfs.h" #include "u_ecm.h" @@ -678,6 +681,7 @@ ecm_bind(struct usb_configuration *c, struct usb_functi= on *f) struct usb_ep *ep; =20 struct f_ecm_opts *ecm_opts; + struct usb_request *request __free(free_usb_request) =3D NULL; =20 if (!can_support_ecm(cdev->gadget)) return -EINVAL; @@ -711,7 +715,7 @@ ecm_bind(struct usb_configuration *c, struct usb_functi= on *f) /* allocate instance-specific interface IDs */ status =3D usb_interface_id(c, f); if (status < 0) - goto fail; + return status; ecm->ctrl_id =3D status; ecm_iad_descriptor.bFirstInterface =3D status; =20 @@ -720,24 +724,22 @@ ecm_bind(struct usb_configuration *c, struct usb_func= tion *f) =20 status =3D usb_interface_id(c, f); if (status < 0) - goto fail; + return status; ecm->data_id =3D status; =20 ecm_data_nop_intf.bInterfaceNumber =3D status; ecm_data_intf.bInterfaceNumber =3D status; ecm_union_desc.bSlaveInterface0 =3D status; =20 - status =3D -ENODEV; - /* allocate instance-specific endpoints */ ep =3D usb_ep_autoconfig(cdev->gadget, &fs_ecm_in_desc); if (!ep) - goto fail; + return -ENODEV; ecm->port.in_ep =3D ep; =20 ep =3D usb_ep_autoconfig(cdev->gadget, &fs_ecm_out_desc); if (!ep) - goto fail; + return -ENODEV; ecm->port.out_ep =3D ep; =20 /* NOTE: a status/notification endpoint is *OPTIONAL* but we @@ -746,20 +748,18 @@ ecm_bind(struct usb_configuration *c, struct usb_func= tion *f) */ ep =3D usb_ep_autoconfig(cdev->gadget, &fs_ecm_notify_desc); if (!ep) - goto fail; + return -ENODEV; ecm->notify =3D ep; =20 - status =3D -ENOMEM; - /* allocate notification request and buffer */ - ecm->notify_req =3D usb_ep_alloc_request(ep, GFP_KERNEL); - if (!ecm->notify_req) - goto fail; - ecm->notify_req->buf =3D kmalloc(ECM_STATUS_BYTECOUNT, GFP_KERNEL); - if (!ecm->notify_req->buf) - goto fail; - ecm->notify_req->context =3D ecm; - ecm->notify_req->complete =3D ecm_notify_complete; + request =3D usb_ep_alloc_request(ep, GFP_KERNEL); + if (!request) + return -ENOMEM; + request->buf =3D kmalloc(ECM_STATUS_BYTECOUNT, GFP_KERNEL); + if (!request->buf) + return -ENOMEM; + request->context =3D ecm; + request->complete =3D ecm_notify_complete; =20 /* support all relevant hardware speeds... we expect that when * hardware is dual speed, all bulk-capable endpoints work at @@ -778,7 +778,7 @@ ecm_bind(struct usb_configuration *c, struct usb_functi= on *f) status =3D usb_assign_descriptors(f, ecm_fs_function, ecm_hs_function, ecm_ss_function, ecm_ss_function); if (status) - goto fail; + return status; =20 /* NOTE: all that is done without knowing or caring about * the network link ... which is unavailable to this code @@ -788,20 +788,12 @@ ecm_bind(struct usb_configuration *c, struct usb_func= tion *f) ecm->port.open =3D ecm_open; ecm->port.close =3D ecm_close; =20 + ecm->notify_req =3D no_free_ptr(request); + DBG(cdev, "CDC Ethernet: IN/%s OUT/%s NOTIFY/%s\n", ecm->port.in_ep->name, ecm->port.out_ep->name, ecm->notify->name); return 0; - -fail: - if (ecm->notify_req) { - kfree(ecm->notify_req->buf); - usb_ep_free_request(ecm->notify, ecm->notify_req); - } - - ERROR(cdev, "%s: can't bind, err %d\n", f->name, status); - - return status; } =20 static inline struct f_ecm_opts *to_f_ecm_opts(struct config_item *item) --=20 2.51.0.384.g4c02a37b29-goog From nobody Thu Oct 2 14:22:16 2025 Received: from mail-pg1-f202.google.com (mail-pg1-f202.google.com [209.85.215.202]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EB9402EC54D for ; Tue, 16 Sep 2025 08:21:51 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.202 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010913; cv=none; b=Z49gNv+Xfr4jffsULb5wxTnnzE/B5v6AxHSrqKAouOMMmmy4BqFcI+hkCOKTVWzOeLcmzAvnZLiHhOUnxUPtVgkaJ9L6OqfMUHJomrJa7BRlg1TcTpMs48BEAzGISfYI5lN4xtc5Eq9asSt4o6VDq0IuwIv4n2fvlN3umrar1X8= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1758010913; c=relaxed/simple; bh=gO8LFeI/+o03WnmBv2jX8TdardPbXLXtsEzXuYiKjDw=; h=Date:In-Reply-To:Mime-Version:References:Message-ID:Subject:From: To:Cc:Content-Type; b=NL88xQ9A1ixavpEQox48Go1KN6s6adRGi7u3ebr887D6TvHy/PwO/fvE3AZ8B2uBf91D8lOBOnu25tdlgZRVYxwzFNq/KY1eTjyeweiFfDQkcN8a0xl14gddNkBd/7lKoRQ2tA+kzWEQ8BRHJsTMgUo1BHbhf059MREsyN/cTCM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b=Qw/2MVXX; arc=none smtp.client-ip=209.85.215.202 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=google.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=flex--khtsai.bounces.google.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=google.com header.i=@google.com header.b="Qw/2MVXX" Received: by mail-pg1-f202.google.com with SMTP id 41be03b00d2f7-b54d6a67b5fso1104872a12.1 for ; Tue, 16 Sep 2025 01:21:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20230601; t=1758010911; x=1758615711; darn=vger.kernel.org; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:from:to:cc:subject:date:message-id:reply-to; bh=mxxZMuabP77fzCNAu6ns7uDcQNnrGMEiu1qaNMAlJKc=; b=Qw/2MVXXI4+U6khxxzHHNmLOaqzkTxbAdCjpel7k/4+Odgp4eCZ192aLpxnfUdBB53 +ufeaQlgOPWrBer3aE/9zKI2AWVaYoi3I5KO0VliADNcw3bHrlZCVhwyaN6NNd0eIdrA 1vekEKsUs9bQgq3sPU8SKxi1flXhm0TbYY+G9z7LZXGUD4ib7VzDcakl/zWgZNSSUFx8 gVJAvjk/V7hGOn2kECnbfkaBfwdsGfN65jLo/xAl9vkzE9ZPiLRe1hBIQ47PdBiVT5W0 oQvzGKyYrIXcEGtrQ2GUBoX/hCeVVz5Ty2wV2Ju7mDx2iMbLCVMTo0oPoFX9vzqMgtCr 4JUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1758010911; x=1758615711; h=cc:to:from:subject:message-id:references:mime-version:in-reply-to :date:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=mxxZMuabP77fzCNAu6ns7uDcQNnrGMEiu1qaNMAlJKc=; b=xT7j6AfH5GC+vMs9Py7gbe315sz/rCt8MAHvDl0GmfwAP8go3d4o2d6lQmIPNtb8cc zONyoPc2sdoKlJGHkks5E0i8hh2vFJc/7tQrQYPN2hWpk4N7MCnWDsVW8bShQ7mW7iZU hhpt/E3QAHSWloYjmOwlel5v7Kp/Dx1us00wMJIMXTa/xZv0JjmBJXtIWHghe0jYhTYz 0m4x77eICkqAyJEsLNuzr0juDoDLXWPfyTazuBcZVsA77FxBYSsesqsdJpNLe6HwbMLT 0gD6+64a6I4FJ6jmG7oJ9NBgnjn8ot04hyZcD7XQnlao79ff4Ek1KFPtWGlxdytJlGlM tj5Q== X-Forwarded-Encrypted: i=1; AJvYcCWF8/yNIsVHL4Gdtbqn/dh2WDYGxvzkKkWO3e0FoN3OZXA/CHulPlMhfnFgFXSaZd9yeiENooEBxjyTAPc=@vger.kernel.org X-Gm-Message-State: AOJu0YwWwKckmQgSIr0KRFwnyIoQCRvL8eYx3pJl6aLqeZC5z/Z+U7yn 9liKgUBOWkf/rvUpM/AcY5+vYHWU3W7/TlC/9WaPyJ/eNg+qJNGx0lyJmTYRbw1uGCXPuCJllZ3 IRIGsZA== X-Google-Smtp-Source: AGHT+IGbsEvJwYuHYiLrlamCcZiyi2o8aJOya7PXQ67510ZXAeyToGMNv1NeiH3Jj1DGtKcTVwFq9nL8Lcc= X-Received: from pgct18.prod.google.com ([2002:a05:6a02:5292:b0:b4b:1913:2421]) (user=khtsai job=prod-delivery.src-stubby-dispatcher) by 2002:a05:6a20:4fa7:b0:262:4ec2:aa7a with SMTP id adf61e73a8af0-2624ec2fdbbmr10607264637.27.1758010911136; Tue, 16 Sep 2025 01:21:51 -0700 (PDT) Date: Tue, 16 Sep 2025 16:21:37 +0800 In-Reply-To: <20250916-ready-v1-0-4997bf277548@google.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 References: <20250916-ready-v1-0-4997bf277548@google.com> X-Developer-Key: i=khtsai@google.com; a=ed25519; pk=abA4Pw6dY2ZufSbSXW9mtp7xiv1AVPtgRhCFWJSEqLE= X-Developer-Signature: v=1; a=ed25519-sha256; t=1758010894; l=6500; i=khtsai@google.com; s=20250916; h=from:subject:message-id; bh=gO8LFeI/+o03WnmBv2jX8TdardPbXLXtsEzXuYiKjDw=; b=h9Av5nkVOciOUDe9ZC190oUe45UWHEh1s3NwGniTtyVRFhU7wW1qgp7wbx1yWAMhB22kGKqYC zbCk9r4Me0KBVvTQs8x6f1f9qegGwsNXZMKB8sqzXFFFzjIYh1uJ3P5 X-Mailer: b4 0.14.2 Message-ID: <20250916-ready-v1-6-4997bf277548@google.com> Subject: [PATCH 6/6] usb: gadget: f_rndis: Refactor bind path to use __free() From: Kuen-Han Tsai To: Greg Kroah-Hartman , David Brownell , Nam Cao , Zack Rusin , Krzysztof Kozlowski , Prashanth K , Thinh Nguyen , John Keeping , Roy Luo Cc: linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, Kuen-Han Tsai , stable@kernel.org Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. Fixes: 45fe3b8e5342 ("usb ethernet gadget: split RNDIS function") Cc: stable@kernel.org Signed-off-by: Kuen-Han Tsai --- drivers/usb/gadget/function/f_rndis.c | 85 +++++++++++++++----------------= ---- 1 file changed, 35 insertions(+), 50 deletions(-) diff --git a/drivers/usb/gadget/function/f_rndis.c b/drivers/usb/gadget/fun= ction/f_rndis.c index 7cec19d65fb534364127ed7fb8cf83cf3b04defe..7451e7cb7a8523acc9fefa6088e= 6b273bea2e616 100644 --- a/drivers/usb/gadget/function/f_rndis.c +++ b/drivers/usb/gadget/function/f_rndis.c @@ -19,6 +19,8 @@ =20 #include =20 +#include + #include "u_ether.h" #include "u_ether_configfs.h" #include "u_rndis.h" @@ -662,6 +664,8 @@ rndis_bind(struct usb_configuration *c, struct usb_func= tion *f) struct usb_ep *ep; =20 struct f_rndis_opts *rndis_opts; + struct usb_os_desc_table *os_desc_table __free(kfree) =3D NULL; + struct usb_request *request __free(free_usb_request) =3D NULL; =20 if (!can_support_rndis(c)) return -EINVAL; @@ -669,12 +673,9 @@ rndis_bind(struct usb_configuration *c, struct usb_fun= ction *f) rndis_opts =3D container_of(f->fi, struct f_rndis_opts, func_inst); =20 if (cdev->use_os_string) { - f->os_desc_table =3D kzalloc(sizeof(*f->os_desc_table), - GFP_KERNEL); - if (!f->os_desc_table) + os_desc_table =3D kzalloc(sizeof(*os_desc_table), GFP_KERNEL); + if (!os_desc_table) return -ENOMEM; - f->os_desc_n =3D 1; - f->os_desc_table[0].os_desc =3D &rndis_opts->rndis_os_desc; } =20 rndis_iad_descriptor.bFunctionClass =3D rndis_opts->class; @@ -692,16 +693,14 @@ rndis_bind(struct usb_configuration *c, struct usb_fu= nction *f) gether_set_gadget(rndis_opts->net, cdev->gadget); status =3D gether_register_netdev(rndis_opts->net); if (status) - goto fail; + return status; rndis_opts->bound =3D true; } =20 us =3D usb_gstrings_attach(cdev, rndis_strings, ARRAY_SIZE(rndis_string_defs)); - if (IS_ERR(us)) { - status =3D PTR_ERR(us); - goto fail; - } + if (IS_ERR(us)) + return PTR_ERR(us); rndis_control_intf.iInterface =3D us[0].id; rndis_data_intf.iInterface =3D us[1].id; rndis_iad_descriptor.iFunction =3D us[2].id; @@ -709,36 +708,30 @@ rndis_bind(struct usb_configuration *c, struct usb_fu= nction *f) /* allocate instance-specific interface IDs */ status =3D usb_interface_id(c, f); if (status < 0) - goto fail; + return status; rndis->ctrl_id =3D status; rndis_iad_descriptor.bFirstInterface =3D status; =20 rndis_control_intf.bInterfaceNumber =3D status; rndis_union_desc.bMasterInterface0 =3D status; =20 - if (cdev->use_os_string) - f->os_desc_table[0].if_id =3D - rndis_iad_descriptor.bFirstInterface; - status =3D usb_interface_id(c, f); if (status < 0) - goto fail; + return status; rndis->data_id =3D status; =20 rndis_data_intf.bInterfaceNumber =3D status; rndis_union_desc.bSlaveInterface0 =3D status; =20 - status =3D -ENODEV; - /* allocate instance-specific endpoints */ ep =3D usb_ep_autoconfig(cdev->gadget, &fs_in_desc); if (!ep) - goto fail; + return -ENODEV; rndis->port.in_ep =3D ep; =20 ep =3D usb_ep_autoconfig(cdev->gadget, &fs_out_desc); if (!ep) - goto fail; + return -ENODEV; rndis->port.out_ep =3D ep; =20 /* NOTE: a status/notification endpoint is, strictly speaking, @@ -747,21 +740,19 @@ rndis_bind(struct usb_configuration *c, struct usb_fu= nction *f) */ ep =3D usb_ep_autoconfig(cdev->gadget, &fs_notify_desc); if (!ep) - goto fail; + return -ENODEV; rndis->notify =3D ep; =20 - status =3D -ENOMEM; - /* allocate notification request and buffer */ - rndis->notify_req =3D usb_ep_alloc_request(ep, GFP_KERNEL); - if (!rndis->notify_req) - goto fail; - rndis->notify_req->buf =3D kmalloc(STATUS_BYTECOUNT, GFP_KERNEL); - if (!rndis->notify_req->buf) - goto fail; - rndis->notify_req->length =3D STATUS_BYTECOUNT; - rndis->notify_req->context =3D rndis; - rndis->notify_req->complete =3D rndis_response_complete; + request =3D usb_ep_alloc_request(ep, GFP_KERNEL); + if (!request) + return -ENOMEM; + request->buf =3D kmalloc(STATUS_BYTECOUNT, GFP_KERNEL); + if (!request->buf) + return -ENOMEM; + request->length =3D STATUS_BYTECOUNT; + request->context =3D rndis; + request->complete =3D rndis_response_complete; =20 /* support all relevant hardware speeds... we expect that when * hardware is dual speed, all bulk-capable endpoints work at @@ -778,7 +769,7 @@ rndis_bind(struct usb_configuration *c, struct usb_func= tion *f) status =3D usb_assign_descriptors(f, eth_fs_function, eth_hs_function, eth_ss_function, eth_ss_function); if (status) - goto fail; + return status; =20 rndis->port.open =3D rndis_open; rndis->port.close =3D rndis_close; @@ -789,9 +780,18 @@ rndis_bind(struct usb_configuration *c, struct usb_fun= ction *f) if (rndis->manufacturer && rndis->vendorID && rndis_set_param_vendor(rndis->params, rndis->vendorID, rndis->manufacturer)) { - status =3D -EINVAL; - goto fail_free_descs; + usb_free_all_descriptors(f); + return -EINVAL; + } + + if (cdev->use_os_string) { + os_desc_table[0].os_desc =3D &rndis_opts->rndis_os_desc; + os_desc_table[0].if_id =3D rndis_iad_descriptor.bFirstInterface; + f->os_desc_table =3D no_free_ptr(os_desc_table); + f->os_desc_n =3D 1; + } + rndis->notify_req =3D no_free_ptr(request); =20 /* NOTE: all that is done without knowing or caring about * the network link ... which is unavailable to this code @@ -802,21 +802,6 @@ rndis_bind(struct usb_configuration *c, struct usb_fun= ction *f) rndis->port.in_ep->name, rndis->port.out_ep->name, rndis->notify->name); return 0; - -fail_free_descs: - usb_free_all_descriptors(f); -fail: - kfree(f->os_desc_table); - f->os_desc_n =3D 0; - - if (rndis->notify_req) { - kfree(rndis->notify_req->buf); - usb_ep_free_request(rndis->notify, rndis->notify_req); - } - - ERROR(cdev, "%s: can't bind, err %d\n", f->name, status); - - return status; } =20 void rndis_borrow_net(struct usb_function_instance *f, struct net_device *= net) --=20 2.51.0.384.g4c02a37b29-goog