On Tue, 12 Dec 2017, Andrey Konovalov wrote:
> On Tue, Dec 12, 2017 at 4:41 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote:
> > On Mon, 11 Dec 2017, Greg KH wrote:
> >
> >> From: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> >>
> >> When cleaning up the configurations, make sure we only free the number
> >> of configurations and interfaces that we could have allocated.
> >>
> >> Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx>
> >> Cc: stable <stable@xxxxxxxxxxxxxxx>
> >> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> >>
> >> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> >> index 55b198ba629b..93b38471754e 100644
> >> --- a/drivers/usb/core/config.c
> >> +++ b/drivers/usb/core/config.c
> >> @@ -764,18 +764,21 @@ void usb_destroy_configuration(struct usb_device *dev)
> >> return;
> >>
> >> if (dev->rawdescriptors) {
> >> - for (i = 0; i < dev->descriptor.bNumConfigurations; i++)
> >> + for (i = 0; i < dev->descriptor.bNumConfigurations &&
> >> + i < USB_MAXCONFIG; i++)
> >> kfree(dev->rawdescriptors[i]);
> >>
> >> kfree(dev->rawdescriptors);
> >> dev->rawdescriptors = NULL;
> >> }
> >>
> >> - for (c = 0; c < dev->descriptor.bNumConfigurations; c++) {
> >> + for (c = 0; c < dev->descriptor.bNumConfigurations &&
> >> + c < USB_MAXCONFIG; c++) {
> >> struct usb_host_config *cf = &dev->config[c];
> >>
> >> kfree(cf->string);
> >> - for (i = 0; i < cf->desc.bNumInterfaces; i++) {
> >> + for (i = 0; i < cf->desc.bNumInterfaces &&
> >> + i < USB_MAXINTERFACES; i++) {
> >> if (cf->intf_cache[i])
> >> kref_put(&cf->intf_cache[i]->ref,
> >> usb_release_interface_cache);
> >
> > None of these changes are necessary. The code is careful to reduce
> > dev->descriptor.bNumConfigurations and config->desc.bNumInterfaces when
> > necessary.
> >
> > In usb_get_configuration() (line 806 on my system):
> >
> > if (ncfg > USB_MAXCONFIG) {
> > dev_warn(ddev, "too many configurations: %d, "
> > "using maximum allowed: %d\n", ncfg, USB_MAXCONFIG);
> > dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
> > }
> >
> > In usb_parse_configuration() (line 676 on my system):
> >
> > if (n != nintf)
> > dev_warn(ddev, "config %d has %d interface%s, different from "
> > "the descriptor's value: %d\n",
> > cfgno, n, plural(n), nintf_orig);
> > else if (n == 0)
> > dev_warn(ddev, "config %d has no interfaces?\n", cfgno);
> > config->desc.bNumInterfaces = nintf = n;
>
> usb_parse_configuration() might return before reducing
> config->desc.bNumInterfaces, and usb_destroy_configuration() is still
> called in this case.
True. Okay, how about this patch instead?
Index: usb-4.x/drivers/usb/core/config.c
===================================================================
--- usb-4.x.orig/drivers/usb/core/config.c
+++ usb-4.x/drivers/usb/core/config.c
@@ -555,6 +555,9 @@ static int usb_parse_configuration(struc
unsigned iad_num = 0;
memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
+ nintf = nintf_orig = config->desc.bNumInterfaces;
+ config->desc.bNumInterfaces = 0; // Adjusted later
+
if (config->desc.bDescriptorType != USB_DT_CONFIG ||
config->desc.bLength < USB_DT_CONFIG_SIZE ||
config->desc.bLength > size) {
@@ -568,7 +571,6 @@ static int usb_parse_configuration(struc
buffer += config->desc.bLength;
size -= config->desc.bLength;
- nintf = nintf_orig = config->desc.bNumInterfaces;
if (nintf > USB_MAXINTERFACES) {
dev_warn(ddev, "config %d has too many interfaces: %d, "
"using maximum allowed: %d\n",
Alan Stern
--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
