From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Albert Briscoe, Sasha Levin
Subject: [PATCH 5.10 234/390] usb: gadget: function: fix dangling pnp_string in f_printer.c
Date: Mon, 24 Oct 2022 13:30:31 +0200
Message-Id: <20221024113032.754593015@linuxfoundation.org>
In-Reply-To: <20221024113022.510008560@linuxfoundation.org>
References: <20221024113022.510008560@linuxfoundation.org>

From: Albert Briscoe

[ Upstream commit 24b7ba2f88e04800b54d462f376512e8c41b8a3c ]

When opts->pnp_string is changed with configfs, new memory is allocated for
the string. It does not, however, update dev->pnp_string, even though the
memory is freed. When requesting the string, the host then gets old or
corrupted data rather than the new string. The ieee 1284 id string should be
allowed to change while the device is connected.

The bug was introduced in commit fdc01cc286be ("usb: gadget: printer: Remove
pnp_string static buffer"), which changed opts->pnp_string from a char[] to a
char*. This patch changes dev->pnp_string from a char* to a char** pointing
to opts->pnp_string.

Fixes: fdc01cc286be ("usb: gadget: printer: Remove pnp_string static buffer")
Signed-off-by: Albert Briscoe Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/usb/gadget/function/f_printer.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c index 236ecc968998..c13bb29a160e 100644 --- a/drivers/usb/gadget/function/f_printer.c +++ b/drivers/usb/gadget/function/f_printer.c @@ -87,7 +87,7 @@ struct printer_dev { u8 printer_cdev_open; wait_queue_head_t wait; unsigned q_len; - char *pnp_string; /* We don't own memory! */ + char **pnp_string; /* We don't own memory! */ struct usb_function function; }; @@ -999,16 +999,16 @@ static int printer_func_setup(struct usb_function *f, if ((wIndex>>8) != dev->interface) break; - if (!dev->pnp_string) { + if (!*dev->pnp_string) { value = 0; break; } - value = strlen(dev->pnp_string); + value = strlen(*dev->pnp_string); buf[0] = (value >> 8) & 0xFF; buf[1] = value & 0xFF; - memcpy(buf + 2, dev->pnp_string, value); + memcpy(buf + 2, *dev->pnp_string, value); DBG(dev, "1284 PNP String: %x %s\n", value, - dev->pnp_string); + *dev->pnp_string); break; case GET_PORT_STATUS: /* Get Port Status */ @@ -1471,7 +1471,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) kref_init(&dev->kref); ++opts->refcnt; dev->minor = opts->minor; - dev->pnp_string = opts->pnp_string; + dev->pnp_string = &opts->pnp_string; dev->q_len = opts->q_len; mutex_unlock(&opts->lock);
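
Review bot: The comment kept on the changed member in struct printer_dev, "We don't own memory!", no longer says enough now that the field is a char **. It should state that the field holds the address of opts->pnp_string and that the string it leads to can be replaced or set to NULL while the function is bound, so the member must be dereferenced at each use and the result never cached.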
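
Review bot: In the printer_func_setup hunk, *dev->pnp_string is re-read four times (the NULL check, strlen, memcpy and DBG), and nothing in the visible context takes opts->lock, so a configfs write that lands between the check and the copy can swap or free the string under the handler. Consider loading the pointer once into a local and documenting what serialises this path against the store side. Separately, memcpy(buf + 2, *dev->pnp_string, value) uses the strlen result as the copy length with no bound against the size of buf visible in the hunk; since the string is settable from configfs, a clamp or a comment naming where the length is limited would help.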
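
Review bot: In the gprinter_alloc hunk, dev->pnp_string = &opts->pnp_string stores an address inside opts, so dev now depends on opts itself staying allocated for as long as dev can handle a setup request, not just on the string. The ++opts->refcnt just above appears to be what guarantees this; a short comment on the assignment saying so would make the lifetime assumption explicit for anyone later changing how opts is released.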