From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Albert Briscoe, Sasha Levin
Subject: [PATCH 5.4 148/255] usb: gadget: function: fix dangling pnp_string in f_printer.c
Date: Mon, 24 Oct 2022 13:30:58 +0200
Message-Id: <20221024113007.539350666@linuxfoundation.org>
In-Reply-To: <20221024113002.471093005@linuxfoundation.org>
References: <20221024113002.471093005@linuxfoundation.org>
X-Patchwork-Submitter: Greg KH
X-Patchwork-Id: 9248

From: Albert Briscoe

[ Upstream commit 24b7ba2f88e04800b54d462f376512e8c41b8a3c ]

When opts->pnp_string is changed with configfs, new memory is allocated for
the string. It does not, however, update dev->pnp_string, even though the
memory is freed. When requesting the string, the host then gets old or
corrupted data rather than the new string. The ieee 1284 id string should be
allowed to change while the device is connected.

The bug was introduced in commit fdc01cc286be ("usb: gadget: printer:
Remove pnp_string static buffer"), which changed opts->pnp_string from a
char[] to a char*.
This patch changes dev->pnp_string from a char* to a char** pointing to
opts->pnp_string.

Fixes: fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer")
Signed-off-by: Albert Briscoe Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/f_printer.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c index 2a1868b2d24c..dd5eb6202fe1 100644 --- a/drivers/usb/gadget/function/f_printer.c +++ b/drivers/usb/gadget/function/f_printer.c @@ -87,7 +87,7 @@ struct printer_dev { u8 printer_cdev_open; wait_queue_head_t wait; unsigned q_len; - char *pnp_string; /* We don't own memory! */ + char **pnp_string; /* We don't own memory! */ struct usb_function function; }; @@ -963,16 +963,16 @@ static int printer_func_setup(struct usb_function *f, if ((wIndex>>8) != dev->interface) break; - if (!dev->pnp_string) { + if (!*dev->pnp_string) { value = 0; break; } - value = strlen(dev->pnp_string); + value = strlen(*dev->pnp_string); buf[0] = (value >> 8) & 0xFF; buf[1] = value & 0xFF; - memcpy(buf + 2, dev->pnp_string, value); + memcpy(buf + 2, *dev->pnp_string, value); DBG(dev, "1284 PNP String: %x %s\n", value, - dev->pnp_string); + *dev->pnp_string); break; case GET_PORT_STATUS: /* Get Port Status */ @@ -1435,7 +1435,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) kref_init(&dev->kref); ++opts->refcnt; dev->minor = opts->minor; - dev->pnp_string = opts->pnp_string; + dev->pnp_string = &opts->pnp_string; dev->q_len = opts->q_len; mutex_unlock(&opts->lock);
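Review bot: In the struct printer_dev hunk (@@ -87,7), the comment on the changed field still reads only "We don't own memory!", which says too little now that the field is a char ** rather than a char *. Suggest stating that it holds the address of opts->pnp_string, that the string behind it can be replaced through configfs while the device is connected, and which lock a reader must hold before dereferencing it.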
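Review bot: In printer_func_setup (@@ -963,16), *dev->pnp_string is loaded separately for the NULL check, for strlen(), for memcpy() and for DBG(), and no lock is taken in the visible lines, so a configfs write that frees and replaces opts->pnp_string between two of those loads can still leave this path reading freed memory or copying with a length measured on a different string. Suggest loading the pointer once into a local, under the same synchronization the configfs store path uses. Separately, value comes straight from strlen() and goes into memcpy(buf + 2, ...) with no clamp visible in this hunk; worth confirming that the string length is bounded to the size of buf minus 2 somewhere.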
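Review bot: In gprinter_alloc (@@ -1435,7), dev->pnp_string = &opts->pnp_string makes dev hold an address inside opts, so that field is only valid for as long as opts itself is; the ++opts->refcnt two lines above looks like what guarantees this, but nothing here says so. Suggest a short comment tying the two together, and checking that the release path drops that reference only after the last possible printer_func_setup call.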