From: Greg Kroah-Hartman Date: Wed, 17 Sep 2025 10:44:55 +0000 (+0200) Subject: Merge patch series "usb: gadget: Refactor function drivers to use __free() cleanup" X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=41f71deda1c12e063a0793252021f37e790d1ef1;p=users%2Fhch%2Fmisc.git Merge patch series "usb: gadget: Refactor function drivers to use __free() cleanup" Kuen-Han Tsai says: This patch series refactors the error-handling paths in the bind() function for f_ncm, f_acm, f_ecm, and f_rndis drivers. The current, unified goto logic in these drivers is vulnerable to a null pointer dereference. This is caused by the cleanup logic incorrectly handling the stale usb_request pointer after a bind/unbind cycle. This series fixes this issue by converting the drivers to use the modern __free() scope-based cleanup mechanism. Patches 1-2 are preparatory, adding the endpoint pointer to struct usb_request and defining helpers for the __free() cleanup. The remaining four patches use this new plumbing to refactor each driver. Future work ----------- 1. Refactor usb_ep_free_request(), usb_ep_queue(), and usb_ep_dequeue() functions as the ep parameter becomes redudant. 2. Convert the remaining gadget function drivers to use the new __free() cleanup mechanism. Link: https://lore.kernel.org/r/20250916-ready-v1-0-4997bf277548@google.com Signed-off-by: Greg Kroah-Hartman --- 41f71deda1c12e063a0793252021f37e790d1ef1 diff --cc drivers/usb/gadget/function/f_ncm.c index cad111f33552,0148d60926dc..0e38330271d5 --- a/drivers/usb/gadget/function/f_ncm.c +++ b/drivers/usb/gadget/function/f_ncm.c @@@ -1463,14 -1465,11 +1465,13 @@@ static int ncm_bind(struct usb_configur ncm_opts->bound = true; + ncm_string_defs[1].s = ncm->ethaddr; + us = usb_gstrings_attach(cdev, ncm_strings, ARRAY_SIZE(ncm_string_defs)); - if (IS_ERR(us)) { - status = PTR_ERR(us); - goto fail; - } + if (IS_ERR(us)) + return PTR_ERR(us); + ncm_control_intf.iInterface = us[STRING_CTRL_IDX].id; ncm_data_nop_intf.iInterface = us[STRING_DATA_IDX].id; ncm_data_intf.iInterface = us[STRING_DATA_IDX].id;