From patchwork Mon Oct 24 11:30:53 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg KH X-Patchwork-Id: 8795 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp430845wru; Mon, 24 Oct 2022 05:42:22 -0700 (PDT) X-Google-Smtp-Source: AMsMyM5uzKOZ/WaoID1S0hWf/l0CXGsnakjqMst86m8mjPjyh+MG3YYlgOXKzOqGNF3U6AmnNhzK X-Received: by 2002:a05:6402:2546:b0:45d:8bff:7afc with SMTP id l6-20020a056402254600b0045d8bff7afcmr29971571edb.302.1666615341885; Mon, 24 Oct 2022 05:42:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666615341; cv=none; d=google.com; s=arc-20160816; b=P5/6i8pTqpn+jVgvo3BDTiV1ZmJWMVORrGxj9ef5J1K3DHLS8J/LjZx8TFzo0dZhPH s2mY97DX3NHtEUWftmwqnqPPlsyC6mWDISIEJZxwe+zMs59ZrtnvYvVAwjVcUuPpPS27 gIYZ0u+2sAR3SFe0sHSlIDt8A0ybs4uuZ4Nh90TmPKwD6DLL5FG0MHy6V6JEssB7Yr6R hVZPJ5BJrkUfYnIZPlrV073M4578C/l12MM6GtQ6SBUs9BK9EHrYcwQXoTUTfkWndxrG srPTJqzU20Bz6X64Nkx/EPQrtHSDpfY8n0Homl5yDDvEILZgwkoz5K4Nh43/Mc0FVtzf etTA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=w6fxF3kj07rkezi/3Aw018UQjQUM+52S43iTzjsh7wQ=; b=pSEuyCRDeySDpqHufwwOQ0HjBEcbQgrI4egbILqCbk0p2qJGVq8ACdIXK3PhJOhfo4 oxRVO1zamagI13Boaz00HNOPSp4JKm7BYyFN4uarIOOBZ3jAUCDpWC7EBe3V3dj6ingA Ug4BzcJfoK0xNNGFksl/GiTDZgdwE/fPKO4i6nAphimndx0HwyB/LmfYUtTvazt5pjlo TkD06+BHdHTFAINEAahpR/EGI9n7lEFeUCNXiExYdCGe5rETQTOerqc2YioWL9ZELntQ uuxm5n54QSr1I+V5Iarmd3ErWmZYyl5sF/qBps17iQGwyi5KKL4qYdOUebFtV3N1D+ST CFDA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bejunlF9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id du12-20020a17090772cc00b007aa3373e7fesi1053931ejc.520.2022.10.24.05.41.56; Mon, 24 Oct 2022 05:42:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=bejunlF9; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231965AbiJXMdI (ORCPT + 99 others); Mon, 24 Oct 2022 08:33:08 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42972 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S234050AbiJXM3P (ORCPT ); Mon, 24 Oct 2022 08:29:15 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8B4E587FBA; Mon, 24 Oct 2022 05:03:09 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 26989612D4; Mon, 24 Oct 2022 11:52:28 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 36CEAC433C1; Mon, 24 Oct 2022 11:52:27 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1666612347; bh=WuQ+a24g+3pSZIPtjL7lLPfmIo0ARrrOYfngw46IVJA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=bejunlF9N+hDU0wO5wuZL0rBH8wqvpFWJVgGl2K5u/qZaCHTB69KzX4CT8d4qa6Xj rmi5vM/DGb2BQsj+kgiSJHr4XY0oxvDxyPUz2kwGE+UvwM03h+Bp55MEFBKD60rfyv S0HLQBQebMNAtG2hSEAYeLTOKZwtd2gD7lSg+lWA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Albert Briscoe , Sasha Levin Subject: [PATCH 4.14 136/210] usb: gadget: function: fix dangling pnp_string in f_printer.c Date: Mon, 24 Oct 2022 13:30:53 +0200 Message-Id: <20221024113001.407237479@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221024112956.797777597@linuxfoundation.org> References: <20221024112956.797777597@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1747572848820799356?= X-GMAIL-MSGID: =?utf-8?q?1747572848820799356?= From: Albert Briscoe [ Upstream commit 24b7ba2f88e04800b54d462f376512e8c41b8a3c ] When opts->pnp_string is changed with configfs, new memory is allocated for the string. It does not, however, update dev->pnp_string, even though the memory is freed. When rquesting the string, the host then gets old or corrupted data rather than the new string. The ieee 1284 id string should be allowed to change while the device is connected. The bug was introduced in commit fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer"), which changed opts->pnp_string from a char[] to a char*. This patch changes dev->pnp_string from a char* to a char** pointing to opts->pnp_string. Fixes: fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer") Signed-off-by: Albert Briscoe Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/f_printer.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c index 4e0afeabe8b8..830cc2bb0fdf 100644 --- a/drivers/usb/gadget/function/f_printer.c +++ b/drivers/usb/gadget/function/f_printer.c @@ -91,7 +91,7 @@ struct printer_dev { u8 printer_cdev_open; wait_queue_head_t wait; unsigned q_len; - char *pnp_string; /* We don't own memory! */ + char **pnp_string; /* We don't own memory! */ struct usb_function function; }; @@ -967,16 +967,16 @@ static int printer_func_setup(struct usb_function *f, if ((wIndex>>8) != dev->interface) break; - if (!dev->pnp_string) { + if (!*dev->pnp_string) { value = 0; break; } - value = strlen(dev->pnp_string); + value = strlen(*dev->pnp_string); buf[0] = (value >> 8) & 0xFF; buf[1] = value & 0xFF; - memcpy(buf + 2, dev->pnp_string, value); + memcpy(buf + 2, *dev->pnp_string, value); DBG(dev, "1284 PNP String: %x %s\n", value, - dev->pnp_string); + *dev->pnp_string); break; case GET_PORT_STATUS: /* Get Port Status */ @@ -1439,7 +1439,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) kref_init(&dev->kref); ++opts->refcnt; dev->minor = opts->minor; - dev->pnp_string = opts->pnp_string; + dev->pnp_string = &opts->pnp_string; dev->q_len = opts->q_len; mutex_unlock(&opts->lock);