• Andrzej Pietrasiewicz's avatar
    usb: gadget: configfs: don't NUL-terminate (sub)compatible ids · a71afa37
    Andrzej Pietrasiewicz authored
    commit a0456399 upstream.
    
    The "Extended Compat ID OS Feature Descriptor Specification" does not
    require the (sub)compatible ids to be NUL-terminated, because they
    are placed in a fixed-size buffer and only unused parts of it should
    contain NULs. If the buffer is fully utilized, there is no place for NULs.
    
    Consequently, the code which uses desc->ext_compat_id never expects the
    data contained to be NUL terminated.
    
    If the compatible id is stored after sub-compatible id, and the compatible
    id is full length (8 bytes), the (useless) NUL terminator overwrites the
    first byte of the sub-compatible id.
    
    If the sub-compatible id is full length (8 bytes), the (useless) NUL
    terminator ends up out of the buffer. The situation can happen in the RNDIS
    function, where the buffer is a part of struct f_rndis_opts. The next
    member of struct f_rndis_opts is a mutex, so its first byte gets
    overwritten. The said byte is a part of a mutex'es member which contains
    the information on whether the muext is locked or not. This can lead to a
    deadlock, because, in a configfs-composed gadget when a function is linked
    into a configuration with config_usb_cfg_link(), usb_get_function()
    is called, which then calls rndis_alloc(), which tries locking the same
    mutex and (wrongly) finds it already locked.
    
    This patch eliminates NUL terminating of the (sub)compatible id.
    
    Fixes: da424314: "usb: gadget: configfs: OS Extended Compatibility descriptors support"
    Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: default avatarAndrzej Pietrasiewicz <andrzej.p@samsung.com>
    Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
    Signed-off-by: default avatarLuis Henriques <luis.henriques@canonical.com>
    a71afa37
configfs.c 38.4 KB