On Tue, Dec 12, 2017 at 5:12 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote: > On Tue, 12 Dec 2017, Andrey Konovalov wrote: > >> On Tue, Dec 12, 2017 at 4:41 PM, Alan Stern <stern@xxxxxxxxxxxxxxxxxxx> wrote: >> > On Mon, 11 Dec 2017, Greg KH wrote: >> > >> >> From: Andrey Konovalov <andreyknvl@xxxxxxxxxx> >> >> >> >> When cleaning up the configurations, make sure we only free the number >> >> of configurations and interfaces that we could have allocated. >> >> >> >> Reported-by: Andrey Konovalov <andreyknvl@xxxxxxxxxx> >> >> Cc: stable <stable@xxxxxxxxxxxxxxx> >> >> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> >> >> >> >> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c >> >> index 55b198ba629b..93b38471754e 100644 >> >> --- a/drivers/usb/core/config.c >> >> +++ b/drivers/usb/core/config.c 
>> >> @@ -764,18 +764,21 @@ void usb_destroy_configuration(struct usb_device *dev) >> >> return; >> >> >> >> if (dev->rawdescriptors) { >> >> - for (i = 0; i < dev->descriptor.bNumConfigurations; i++) >> >> + for (i = 0; i < dev->descriptor.bNumConfigurations && >> >> + i < USB_MAXCONFIG; i++) >> >> kfree(dev->rawdescriptors[i]); >> >> >> >> kfree(dev->rawdescriptors); >> >> dev->rawdescriptors = NULL; >> >> } >> >> >> >> - for (c = 0; c < dev->descriptor.bNumConfigurations; c++) { >> >> + for (c = 0; c < dev->descriptor.bNumConfigurations && >> >> + c < USB_MAXCONFIG; c++) { >> >> struct usb_host_config *cf = &dev->config[c]; >> >> >> >> kfree(cf->string); >> >> - for (i = 0; i < cf->desc.bNumInterfaces; i++) { >> >> + for (i = 0; i < cf->desc.bNumInterfaces && >> >> + i < USB_MAXINTERFACES; i++) { >> >> if (cf->intf_cache[i]) >> >> kref_put(&cf->intf_cache[i]->ref, >> >> usb_release_interface_cache); >> > >> > None of these changes are necessary. The code is careful to reduce >> > dev->descriptor.bNumConfigurations and config->desc.bNumInterfaces when >> > necessary. >> > >> > In usb_get_configuration() (line 806 on my system): >> > >> > if (ncfg > USB_MAXCONFIG) { >> > dev_warn(ddev, "too many configurations: %d, " >> > "using maximum allowed: %d\n", ncfg, USB_MAXCONFIG); >> > dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG; >> > } >> > >> > In usb_parse_configuration() (line 676 on my system): >> > >> > if (n != nintf) >> > dev_warn(ddev, "config %d has %d interface%s, different from " >> > "the descriptor's value: %d\n", >> > cfgno, n, plural(n), nintf_orig); >> > else if (n == 0) >> > dev_warn(ddev, "config %d has no interfaces?\n", cfgno); >> > config->desc.bNumInterfaces = nintf = n; >> >> usb_parse_configuration() might return before reducing >> config->desc.bNumInterfaces, and usb_destroy_configuration() is still >> called in this case. > > True. Okay, how about this patch instead? Looks good to me. 
> > Index: usb-4.x/drivers/usb/core/config.c > =================================================================== > --- usb-4.x.orig/drivers/usb/core/config.c > +++ usb-4.x/drivers/usb/core/config.c > @@ -555,6 +555,9 @@ static int usb_parse_configuration(struc > unsigned iad_num = 0; > > memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE); > + nintf = nintf_orig = config->desc.bNumInterfaces; > + config->desc.bNumInterfaces = 0; // Adjusted later > + > if (config->desc.bDescriptorType != USB_DT_CONFIG || > config->desc.bLength < USB_DT_CONFIG_SIZE || > config->desc.bLength > size) { > @@ -568,7 +571,6 @@ static int usb_parse_configuration(struc > buffer += config->desc.bLength; > size -= config->desc.bLength; > > - nintf = nintf_orig = config->desc.bNumInterfaces; > if (nintf > USB_MAXINTERFACES) { > dev_warn(ddev, "config %d has too many interfaces: %d, " > "using maximum allowed: %d\n", > > Alan Stern >
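Review bot: in the usb_destroy_configuration() hunk (@@ -764,18 +764,21 @@) of the first patch, the bound is repeated in three separate loop conditions (i < USB_MAXCONFIG, c < USB_MAXCONFIG, i < USB_MAXINTERFACES) while the oversized bNumConfigurations or bNumInterfaces value stays stored in the descriptor for any other reader. The commit message also does not name the path on which the stored count can exceed what was allocated; the thread identifies it as usb_parse_configuration() returning before "config->desc.bNumInterfaces = nintf = n;". Stating that path in the message would let a reader judge whether bounding the loops at cleanup or correcting the stored count at parse time is the right place for the fix.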
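Review bot: in the usb_parse_configuration() hunk at @@ -555,6 +555,9 @@ of the replacement patch, the added line "config->desc.bNumInterfaces = 0; // Adjusted later" carries a C99 // comment that says neither where the value is restored nor why it is zeroed. A /* ... */ comment, as kernel coding style asks for, that names the later "config->desc.bNumInterfaces = nintf = n;" assignment and says the zero is there so usb_destroy_configuration() frees nothing after an early return would document the intent. It is also worth confirming that no intf_cache[] entry is allocated on any path before that assignment, because the cleanup loop walks only bNumInterfaces entries and would skip anything allocated while the count is still zero.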
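The ordering issue discussed in this thread, modelled in user space as an added example (not code from the thread or from the kernel). struct model_config, parse_before(), parse_after() and oob_slots() are hypothetical names, the two descriptors are constructed, and the model restores the clamped count where the kernel stores the number of interfaces it actually found.

```c
#include <stdio.h>

#define MAX_INTF  32  /* value of USB_MAXINTERFACES */
#define HDR_SIZE  9   /* value of USB_DT_CONFIG_SIZE */
#define DT_CONFIG 2   /* value of USB_DT_CONFIG */
#define HDR_BAD(c, sz) ((c)->type != DT_CONFIG || (c)->length < HDR_SIZE || (c)->length > (sz))

struct model_config { unsigned char length, type, num_intf; };  /* hypothetical model */
typedef int (*parse_fn)(struct model_config *, const unsigned char *, size_t);

/* Original order: the device-supplied count is stored before the header is validated. */
static int parse_before(struct model_config *c, const unsigned char *b, size_t size)
{
    c->length = b[0]; c->type = b[1]; c->num_intf = b[4];
    if (HDR_BAD(c, size))
        return -1;              /* early return leaves the raw count behind */
    c->num_intf = c->num_intf > MAX_INTF ? MAX_INTF : c->num_intf;
    return 0;
}

/* Patched order: stash the count, zero the field, restore it only after the checks. */
static int parse_after(struct model_config *c, const unsigned char *b, size_t size)
{
    unsigned int n = b[4];
    c->length = b[0]; c->type = b[1]; c->num_intf = 0;
    if (HDR_BAD(c, size))
        return -1;              /* cleanup now sees zero interfaces */
    c->num_intf = n > MAX_INTF ? MAX_INTF : n;
    return 0;
}

/* Parse, then count the slots past the array that an unbounded cleanup loop would visit. */
static unsigned int oob_slots(parse_fn parse, const unsigned char *b, size_t size)
{
    struct model_config c = {0, 0, 0};
    unsigned int i, oob = 0;
    parse(&c, b, size);         /* cleanup runs even when parsing failed */
    for (i = 0; i < c.num_intf; i++)
        oob += (i >= MAX_INTF); /* counted only, never dereferenced */
    return oob;
}

/* Constructed descriptors: wrong type with count 0xff; valid header with count 40. */
static const unsigned char bad_desc[HDR_SIZE]  = {9, 0x7f, 9, 0, 0xff, 1, 0, 0x80, 50};
static const unsigned char long_desc[HDR_SIZE] = {9, DT_CONFIG, 9, 0, 40, 1, 0, 0x80, 50};
int main(void)
{
    printf("bad header: before=%u after=%u\n",
           oob_slots(parse_before, bad_desc, HDR_SIZE), oob_slots(parse_after, bad_desc, HDR_SIZE));
    return oob_slots(parse_after, long_desc, HDR_SIZE) != 0;
}
```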