From: Arnd Bergmann <arnd@arndb.de> To: stable@vger.kernel.org, Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Alan Stern <stern@rowland.harvard.edu>, Suwan Kim <suwan.kim027@gmail.com>, "Gustavo A. R. Silva" <gustavo@embeddedor.com> Cc: Andrey Konovalov <andreyknvl@google.com>, Arnd Bergmann <arnd@arndb.de>, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [BACKPORT 4.4.y 25/25] USB: core: only clean up what we allocated Date: Fri, 22 Mar 2019 16:44:16 +0100 [thread overview] Message-ID: <20190322154425.3852517-26-arnd@arndb.de> (raw) In-Reply-To: <20190322154425.3852517-1-arnd@arndb.de> From: Andrey Konovalov <andreyknvl@google.com> When cleaning up the configurations, make sure we only free the number of configurations and interfaces that we could have allocated. Reported-by: Andrey Konovalov <andreyknvl@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 32fd87b3bbf5f7a045546401dfe2894dbbf4d8c3) Signed-off-by: Arnd Bergmann <arnd@arndb.de> --- drivers/usb/core/config.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 6a287c81a7be..b8eb289e0b17 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c 
@@ -734,18 +734,21 @@ void usb_destroy_configuration(struct usb_device *dev) return; if (dev->rawdescriptors) { - for (i = 0; i < dev->descriptor.bNumConfigurations; i++) + for (i = 0; i < dev->descriptor.bNumConfigurations && + i < USB_MAXCONFIG; i++) kfree(dev->rawdescriptors[i]); kfree(dev->rawdescriptors); dev->rawdescriptors = NULL; } - for (c = 0; c < dev->descriptor.bNumConfigurations; c++) { + for (c = 0; c < dev->descriptor.bNumConfigurations && + c < USB_MAXCONFIG; c++) { struct usb_host_config *cf = &dev->config[c]; kfree(cf->string); - for (i = 0; i < cf->desc.bNumInterfaces; i++) { + for (i = 0; i < cf->desc.bNumInterfaces && + i < USB_MAXINTERFACES; i++) { if (cf->intf_cache[i]) kref_put(&cf->intf_cache[i]->ref, usb_release_interface_cache); -- 2.20.0
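Review bot: The bound on bNumConfigurations is open-coded twice in usb_destroy_configuration(), once in the rawdescriptors loop and once in the dev->config loop, and neither copy says why a descriptor field has to be clamped on the free path. Consider computing the clamped count once at the top of the function (for example with min_t() against USB_MAXCONFIG) and using it in both loops, with a one-line comment that the counts are read from the device's descriptors and are not guaranteed to match what was allocated. The inner bNumInterfaces loop would benefit from the same comment next to its USB_MAXINTERFACES bound. The commit message would also help stable reviewers more if it said what goes wrong without the check, since it states only that the free loops are now limited to what could have been allocated.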