From patchwork Sat Oct 22 07:25:24 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 7483 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:4242:0:0:0:0:0 with SMTP id s2csp1104439wrr; Sat, 22 Oct 2022 01:31:59 -0700 (PDT) X-Google-Smtp-Source: AMsMyM46+WYuBty5Km5GPDmuB/PjugDRe5cY49cIkloLtZW6s3W9z4Z11dEUlrWOAWm8qqP1IhtQ X-Received: by 2002:a05:6a00:24c2:b0:52e:7181:a8a0 with SMTP id d2-20020a056a0024c200b0052e7181a8a0mr23530922pfv.57.1666427519003; Sat, 22 Oct 2022 01:31:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666427518; cv=none; d=google.com; s=arc-20160816; b=lprNpDbURZTZMMqJLeSwS1cQqAKecRjlTVOb8rt7AlD8oZLzhP7S9slF9Aa+4XcgnE L51np6Rl5nXkYjLhBZmLz/PE5hEwssyVDvgOCn4DtG7QB6A3aOCX0adOFofHsD3LmMjH VD56MQBBqYioihwN3KXljTOET0pXqIDdFgI7PgUA+XZ9pXsI6AYOmSExDNFb3QJkHOCP vui8Eje6jn24ipBaRl9nYPLeRZr5FY9YlTSX5KUbibB7CdhqLO91kxEasACDAgdhLr9W hrEnWxT8y2IrRtu3R7t0p+O6psm3g2PhsjvHEF7D3I6/V/Iz4d8tYxD5Lb47aoDbk3NT Y9QA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=GopUa9vsr1OxMVWo981lkrXIwnEQVOtAvY4d/Qv/5AE=; b=AplgSu0nXLXqEskrBr4yvGPxfZAm5L31d6Md3pSRPsGKBDBfIqA5pnoeJY0k5e6DPH DflxCGJat6F8Z3kj9toSsBLjFcCMEA9X6nPxwJOQkL0PWmlFuoIhkWMOyXv59qe0cppE 1+vkt1R5DqZXPBCKr9KWoaHTX10MCMMLYvpbFggdtSgzm19WrbQoPQylib0+E008JlCn QeiRRqjfsjUe0k0RlHLIzhYuv4V6Sl56+68Ij6Vy8CBiHvMzurVLneGayDbnhP4XeauZ BzDO7WbZRWFGOBIqEaiXiEcOgw1TVxqEt28g9L0HyVoKVr4tZMGGZVaTRdb3YqjojCta fWpg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="sNRRZpj/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id z11-20020a056a001d8b00b0055f08bf4276si25168694pfw.41.2022.10.22.01.31.46; Sat, 22 Oct 2022 01:31:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="sNRRZpj/"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233361AbiJVIMm (ORCPT + 99 others); Sat, 22 Oct 2022 04:12:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60224 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230424AbiJVIKk (ORCPT ); Sat, 22 Oct 2022 04:10:40 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6174C371A3; Sat, 22 Oct 2022 00:54:43 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 7DC4AB82E16; Sat, 22 Oct 2022 07:54:29 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id BF0B0C433D6; Sat, 22 Oct 2022 07:54:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666425268; bh=0yp0MeoCQn55dZ0Ly+Cfe8r8xQVfv9yqt30m368kJ1M=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=sNRRZpj/NdGrNzVOHCPC/mqU7YdwfAc2Ur60N2gvwlPkPXYDxGk6H2UmyCPZ1Tb5b Tp8NP+phee5xO1yNggmN34Xb0l/VavgLmaImWJ1Gy1ZLQdGsRp26nlV53SB/ooTcD8 yt4DqjLNNZ/KjFxTmg7Ed1BmhuLVhwRBtQJYV6tk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Albert Briscoe , Sasha Levin Subject: [PATCH 5.19 445/717] usb: gadget: function: fix dangling pnp_string in f_printer.c Date: Sat, 22 Oct 2022 09:25:24 +0200 Message-Id: <20221022072517.968783270@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221022072415.034382448@linuxfoundation.org> References: <20221022072415.034382448@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 X-Spam-Status: No, score=-7.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747375902214386565?= X-GMAIL-MSGID: =?utf-8?q?1747375902214386565?= From: Albert Briscoe [ Upstream commit 24b7ba2f88e04800b54d462f376512e8c41b8a3c ] When opts->pnp_string is changed with configfs, new memory is allocated for the string. It does not, however, update dev->pnp_string, even though the memory is freed. When rquesting the string, the host then gets old or corrupted data rather than the new string. The ieee 1284 id string should be allowed to change while the device is connected. The bug was introduced in commit fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer"), which changed opts->pnp_string from a char[] to a char*. This patch changes dev->pnp_string from a char* to a char** pointing to opts->pnp_string. Fixes: fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer") Signed-off-by: Albert Briscoe Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/f_printer.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c index abec5c58f525..a881c69b1f2b 100644 --- a/drivers/usb/gadget/function/f_printer.c +++ b/drivers/usb/gadget/function/f_printer.c @@ -89,7 +89,7 @@ struct printer_dev { u8 printer_cdev_open; wait_queue_head_t wait; unsigned q_len; - char *pnp_string; /* We don't own memory! */ + char **pnp_string; /* We don't own memory! */ struct usb_function function; }; @@ -1000,16 +1000,16 @@ static int printer_func_setup(struct usb_function *f, if ((wIndex>>8) != dev->interface) break; - if (!dev->pnp_string) { + if (!*dev->pnp_string) { value = 0; break; } - value = strlen(dev->pnp_string); + value = strlen(*dev->pnp_string); buf[0] = (value >> 8) & 0xFF; buf[1] = value & 0xFF; - memcpy(buf + 2, dev->pnp_string, value); + memcpy(buf + 2, *dev->pnp_string, value); DBG(dev, "1284 PNP String: %x %s\n", value, - dev->pnp_string); + *dev->pnp_string); break; case GET_PORT_STATUS: /* Get Port Status */ @@ -1475,7 +1475,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) kref_init(&dev->kref); ++opts->refcnt; dev->minor = opts->minor; - dev->pnp_string = opts->pnp_string; + dev->pnp_string = &opts->pnp_string; dev->q_len = opts->q_len; mutex_unlock(&opts->lock);