From patchwork Wed Oct 19 08:30:41 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Greg KH <gregkh@linuxfoundation.org>
X-Patchwork-Id: 5455
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:4ac7:0:0:0:0:0 with SMTP id y7csp329960wrs;
        Wed, 19 Oct 2022 06:33:58 -0700 (PDT)
X-Google-Smtp-Source: 
 AMsMyM4cD5ghbTFx8zOEdXWhXh66/qB741ENywe6TSpakJ1RpjHn/+tjUzT3yrix2r5GjfSdFvgk
X-Received: by 2002:a05:6a00:168e:b0:53b:3f2c:3213 with SMTP id
 k14-20020a056a00168e00b0053b3f2c3213mr8490434pfc.56.1666186437780;
        Wed, 19 Oct 2022 06:33:57 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1666186437; cv=none;
        d=google.com; s=arc-20160816;
        b=iGrI5zD/OCJVCgrJ3bX2PqjoPuubH6/yazR6yxLaQkmMHG4CIoYYs8GCw0jdWWf1rb
         KMKyTQEQfPBQuZ0+Iq1S+2TebdPCcIcPUm/8B1Ccm0WxOxqQecemxEZr5jLU3VKOPXql
         2WOiVFwgLH7pXlP8Z9Bz3NsTKQ5zKedLOTuxp83RldF8ZikHO19sj3b6+jxzYiiROcfn
         yYC99axluLTCsBMKIX8e+X/iJ3eCIArJaVQFsbRH4zORAtJPeUEBTF2ghYNZXe2kEZbn
         u05PJsXfzHjitos5TbNONNVJap+yiFSNMY08iCY1fVhw0oyeUTHhqzLaoIMyY1mSbL1a
         Ezuw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=GopUa9vsr1OxMVWo981lkrXIwnEQVOtAvY4d/Qv/5AE=;
        b=UX/OqM34WiMvsekAjiE4VepqlH2BC68HftorJ4tBpjW/xhkVGoaWc9EXfl41eMMxbv
         NekEFy8wD8LLWdNh2XcSbS8jdfus/GUOj4HrY359jWNufdNIzLkosQKWzOu9q5AlbRwZ
         7kxTfKSus3x1I2BLYiMP2OZcVuHpmd7K59tqAxCZmle4SVwdSP5ExDt9s/tJKMqvL4gx
         3VS7yc8gAZjwzhROKO5GK8GOKZyLO2hI3Zi3fQ/npF822RNRzYgDwQQiDN7alCB74gOH
         GUEvxIWs1Qch1xPJ2JXRIAXLk9lBh+qaZYuSjyEa/qX7eq9yfN7bO/Y115lLEXfq/hw8
         kjFA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg
 header.b=TgB+xAWd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id
 f23-20020a17090aa79700b0020b07bfc54esi21819248pjq.108.2022.10.19.06.33.44;
        Wed, 19 Oct 2022 06:33:57 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg
 header.b=TgB+xAWd;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
 designates 2620:137:e000::1:20 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232271AbiJSNVO (ORCPT <rfc822;samuel.l.nystrom@gmail.com>
        + 99 others); Wed, 19 Oct 2022 09:21:14 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37048 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231607AbiJSNUn (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 19 Oct 2022 09:20:43 -0400
Received: from ams.source.kernel.org (ams.source.kernel.org
 [IPv6:2604:1380:4601:e00::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id AE60DFC1D0;
        Wed, 19 Oct 2022 06:06:11 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by ams.source.kernel.org (Postfix) with ESMTPS id 4AAF5B8246D;
        Wed, 19 Oct 2022 09:02:56 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id A73FDC433D6;
        Wed, 19 Oct 2022 09:02:54 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1666170175;
        bh=0yp0MeoCQn55dZ0Ly+Cfe8r8xQVfv9yqt30m368kJ1M=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=TgB+xAWdEjxjpbt4FFdSu7fwAD//sYyPQy40yATI72Q9z7kL+CfaZxLnYcKTiSaff
         pPvQI8B2wTDcUz56uN1yIcbbNorm/0M49lqFjoGeO91dA1ZjTc0GaJ9ouLdD1h4Jtl
         KKuTzAs0OucmyS4IxNmTylz2NoAozoRgAiS4vB9I=
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Albert Briscoe <albertsbriscoe@gmail.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.0 554/862] usb: gadget: function: fix dangling pnp_string in
 f_printer.c
Date: Wed, 19 Oct 2022 10:30:41 +0200
Message-Id: <20221019083314.455865060@linuxfoundation.org>
X-Mailer: git-send-email 2.38.0
In-Reply-To: <20221019083249.951566199@linuxfoundation.org>
References: <20221019083249.951566199@linuxfoundation.org>
User-Agent: quilt/0.67
MIME-Version: 1.0
X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1747123110056670408?=
X-GMAIL-MSGID: =?utf-8?q?1747123110056670408?=

From: Albert Briscoe <albertsbriscoe@gmail.com>

[ Upstream commit 24b7ba2f88e04800b54d462f376512e8c41b8a3c ]

When opts->pnp_string is changed with configfs, new memory is allocated for
the string. It does not, however, update dev->pnp_string, even though the
memory is freed. When rquesting the string, the host then gets old or
corrupted data rather than the new string. The ieee 1284 id string should
be allowed to change while the device is connected.

The bug was introduced in commit fdc01cc286be ("usb: gadget: printer:
Remove pnp_string static buffer"), which changed opts->pnp_string from a
char[] to a char*.
This patch changes dev->pnp_string from a char* to a char** pointing to
opts->pnp_string.

Fixes: fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer")
Signed-off-by: Albert Briscoe <albertsbriscoe@gmail.com>
Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/function/f_printer.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c
index abec5c58f525..a881c69b1f2b 100644
--- a/drivers/usb/gadget/function/f_printer.c
+++ b/drivers/usb/gadget/function/f_printer.c
@@ -89,7 +89,7 @@ struct printer_dev {
 	u8			printer_cdev_open;
 	wait_queue_head_t	wait;
 	unsigned		q_len;
-	char			*pnp_string;	/* We don't own memory! */
+	char			**pnp_string;	/* We don't own memory! */
 	struct usb_function	function;
 };
 
@@ -1000,16 +1000,16 @@ static int printer_func_setup(struct usb_function *f,
 			if ((wIndex>>8) != dev->interface)
 				break;
 
-			if (!dev->pnp_string) {
+			if (!*dev->pnp_string) {
 				value = 0;
 				break;
 			}
-			value = strlen(dev->pnp_string);
+			value = strlen(*dev->pnp_string);
 			buf[0] = (value >> 8) & 0xFF;
 			buf[1] = value & 0xFF;
-			memcpy(buf + 2, dev->pnp_string, value);
+			memcpy(buf + 2, *dev->pnp_string, value);
 			DBG(dev, "1284 PNP String: %x %s\n", value,
-			    dev->pnp_string);
+			    *dev->pnp_string);
 			break;
 
 		case GET_PORT_STATUS: /* Get Port Status */
@@ -1475,7 +1475,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi)
 	kref_init(&dev->kref);
 	++opts->refcnt;
 	dev->minor = opts->minor;
-	dev->pnp_string = opts->pnp_string;
+	dev->pnp_string = &opts->pnp_string;
 	dev->q_len = opts->q_len;
 	mutex_unlock(&opts->lock);