On Mon, 11 Dec 2017, Greg KH wrote:

> From: Andrey Konovalov <andreyk...@google.com>
> 
> When cleaning up the configurations, make sure we only free the number
> of configurations and interfaces that we could have allocated.
> 
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Cc: stable <sta...@vger.kernel.org>
> Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>
> 
> diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c
> index 55b198ba629b..93b38471754e 100644
> --- a/drivers/usb/core/config.c
> +++ b/drivers/usb/core/config.c
> @@ -764,18 +764,21 @@ void usb_destroy_configuration(struct usb_device *dev)
>               return;
>  
>       if (dev->rawdescriptors) {
> -             for (i = 0; i < dev->descriptor.bNumConfigurations; i++)
> +             for (i = 0; i < dev->descriptor.bNumConfigurations &&
> +                             i < USB_MAXCONFIG; i++)
>                       kfree(dev->rawdescriptors[i]);
>  
>               kfree(dev->rawdescriptors);
>               dev->rawdescriptors = NULL;
>       }
>  
> -     for (c = 0; c < dev->descriptor.bNumConfigurations; c++) {
> +     for (c = 0; c < dev->descriptor.bNumConfigurations &&
> +                     c < USB_MAXCONFIG; c++) {
>               struct usb_host_config *cf = &dev->config[c];
>  
>               kfree(cf->string);
> -             for (i = 0; i < cf->desc.bNumInterfaces; i++) {
> +             for (i = 0; i < cf->desc.bNumInterfaces &&
> +                             i < USB_MAXINTERFACES; i++) {
>                       if (cf->intf_cache[i])
>                               kref_put(&cf->intf_cache[i]->ref,
>                                         usb_release_interface_cache);
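
Review bot: The bounds added to the three loop conditions in usb_destroy_configuration() (i < USB_MAXCONFIG, c < USB_MAXCONFIG, i < USB_MAXINTERFACES) cap teardown at the compile-time maxima, but the changelog does not say which path can leave dev->descriptor.bNumConfigurations or cf->desc.bNumInterfaces above those limits by the time this function runs. Please name that path in the commit message. If no such path exists, the checks are dead code. If one does, enforcing the limit where the counts are stored would let teardown trust them and would protect every other user of the same fields. As a style point, the bNumConfigurations/USB_MAXCONFIG condition is duplicated in the first two loops; computing the clamped count once in a local variable would keep the two loops from drifting apart.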

None of these changes are necessary.  The code is careful to reduce
dev->descriptor.bNumConfigurations and config->desc.bNumInterfaces when
necessary.

In usb_get_configuration() (line 806 on my system):

        if (ncfg > USB_MAXCONFIG) {
                dev_warn(ddev, "too many configurations: %d, "
                    "using maximum allowed: %d\n", ncfg, USB_MAXCONFIG);
                dev->descriptor.bNumConfigurations = ncfg = USB_MAXCONFIG;
        }

In usb_parse_configuration() (line 676 on my system):

        if (n != nintf)
                dev_warn(ddev, "config %d has %d interface%s, different from "
                    "the descriptor's value: %d\n",
                    cfgno, n, plural(n), nintf_orig);
        else if (n == 0)
                dev_warn(ddev, "config %d has no interfaces?\n", cfgno);
        config->desc.bNumInterfaces = nintf = n;

Alan Stern
