Re: [PATCH] USB: core: only clean up what we allocated

Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> · Tue, 12 Dec 2017 10:41:04 -0500 (EST)

On Mon, 11 Dec 2017, Greg KH wrote:

> From: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> 
> When cleaning up the configurations, make sure we only free the number
> of configurations and interfaces that we could have allocated.
> 
> Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> Cc: stable <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> 
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 55b198ba629b..93b38471754e 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -764,18 +764,21 @@ void usb_destroy_configuration(struct usb_device *dev)
>  		return;
>  
>  	if (dev->rawdescriptors) {
> -		for (i = 0; i < dev->descriptor.bNumConfigurations; i++)
> +		for (i = 0; i < dev->descriptor.bNumConfigurations &&
> +				i < USB_MAXCONFIG; i++)
>  			kfree(dev->rawdescriptors[i]);
>  
>  		kfree(dev->rawdescriptors);
>  		dev->rawdescriptors = NULL;
>  	}
>  
> -	for (c = 0; c < dev->descriptor.bNumConfigurations; c++) {
> +	for (c = 0; c < dev->descriptor.bNumConfigurations &&
> +			c < USB_MAXCONFIG; c++) {
>  		struct usb_host_config *cf = &dev->config[c];
>  
>  		kfree(cf->string);
> -		for (i = 0; i < cf->desc.bNumInterfaces; i++) {
> +		for (i = 0; i < cf->desc.bNumInterfaces &&
> +				i < USB_MAXINTERFACES; i++) {
>  			if (cf->intf_cache[i])
>  				kref_put(&cf->intf_cache[i]->ref,
>  					  usb_release_interface_cache);

None of these changes are necessary.  The code is careful to reduce
dev->descriptor.bNumConfigurations and config->desc.bNumInterfaces when
necessary.

In usb_get_configuration() (line 806 on my system):

	if (ncfg > USB_MAXCONFIG) {
		dev_warn(ddev, "too many configurations: %d, "
		    "using maximum allowed: %d\n", ncfg, USB_MAXCONFIG);
		dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
	}

In usb_parse_configuration() (line 676 on my system):

	if (n != nintf)
		dev_warn(ddev, "config %d has %d interface%s, different from "
		    "the descriptor's value: %d\n",
		    cfgno, n, plural(n), nintf_orig);
	else if (n == 0)
		dev_warn(ddev, "config %d has no interfaces?\n", cfgno);
	config->desc.bNumInterfaces = nintf = n;

Alan Stern

--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html