usb: gadget: function: fix dangling pnp_string in f_printer.c
authorAlbert Briscoe <albertsbriscoe@gmail.com>
Sun, 11 Sep 2022 22:37:55 +0000 (15:37 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 Oct 2022 11:22:39 +0000 (13:22 +0200)
[ Upstream commit 308defc0ae6bc2cb6dccb7ba47d777bf3136760f ]

When opts->pnp_string is changed with configfs, new memory is allocated for
the string. It does not, however, update dev->pnp_string, even though the
memory is freed. When requesting the string, the host then gets old or
corrupted data rather than the new string. The IEEE 1284 ID string should
be allowed to change while the device is connected.

The bug was introduced in commit 0d60940f97f0 ("usb: gadget: printer:
Remove pnp_string static buffer"), which changed opts->pnp_string from a
char[] to a char*.
This patch changes dev->pnp_string from a char* to a char** pointing to
opts->pnp_string.

Fixes: 0d60940f97f0 ("usb: gadget: printer: Remove pnp_string static buffer")
Signed-off-by: Albert Briscoe <albertsbriscoe@gmail.com>
Link: https://lore.kernel.org/r/20220911223753.20417-1-albertsbriscoe@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/usb/gadget/function/f_printer.c

index 2a1868b2d24cff2c64037aba7cb9b5da9ed95097..dd5eb6202fe11b81f98fb626c444f527bdd6e5ef 100644 (file)
@@ -87,7 +87,7 @@ struct printer_dev {
        u8                      printer_cdev_open;
        wait_queue_head_t       wait;
        unsigned                q_len;
-       char                    *pnp_string;    /* We don't own memory! */
+       char                    **pnp_string;   /* We don't own memory! */
        struct usb_function     function;
 };
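Review bot: The comment on `pnp_string` still reads `/* We don't own memory! */`, which no longer says what the field holds now that it is a `char **`. Per the gprinter_alloc hunk it stores the address of `opts->pnp_string`, so neither the pointer slot nor the string belongs to `printer_dev`, and the commit message says the string can be freed and replaced through configfs while the device is connected. I would spell that out, e.g. `/* &opts->pnp_string: slot and string owned by opts; string may be replaced via configfs */`, so later code does not cache `*dev->pnp_string` across calls.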
 
@@ -963,16 +963,16 @@ static int printer_func_setup(struct usb_function *f,
                        if ((wIndex>>8) != dev->interface)
                                break;
 
-                       if (!dev->pnp_string) {
+                       if (!*dev->pnp_string) {
                                value = 0;
                                break;
                        }
-                       value = strlen(dev->pnp_string);
+                       value = strlen(*dev->pnp_string);
                        buf[0] = (value >> 8) & 0xFF;
                        buf[1] = value & 0xFF;
-                       memcpy(buf + 2, dev->pnp_string, value);
+                       memcpy(buf + 2, *dev->pnp_string, value);
                        DBG(dev, "1284 PNP String: %x %s\n", value,
-                           dev->pnp_string);
+                           *dev->pnp_string);
                        break;
 
                case GET_PORT_STATUS: /* Get Port Status */
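Review bot: `*dev->pnp_string` is dereferenced four separate times here (the NULL check, `strlen`, `memcpy` and the `DBG` argument) with no lock visible in the hunk, so a configfs write that frees and replaces the string in between can still cause a read of freed memory or a length that no longer matches the data copied. The gprinter_alloc hunk touches `opts->pnp_string` under `opts->lock`, which suggests that lock guards the string, though this handler may run in a context where a mutex cannot be taken; that needs confirming. At minimum take one snapshot, `const char *pnp = *dev->pnp_string;`, and use `pnp` for the check, `strlen` and `memcpy`; this removes the check/use mismatch but not the lifetime problem, which needs the configfs store and this reader to be serialised. The `memcpy` into `buf + 2` is also not bounded against the request buffer in the visible lines, and printer_func_setup starts and ends outside the hunk, so a bound may exist elsewhere.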
@@ -1435,7 +1435,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi)
        kref_init(&dev->kref);
        ++opts->refcnt;
        dev->minor = opts->minor;
-       dev->pnp_string = opts->pnp_string;
+       dev->pnp_string = &opts->pnp_string;
        dev->q_len = opts->q_len;
        mutex_unlock(&opts->lock);