--- /dev/null
+From 942a48730faf149ccbf3e12ac718aee120bb3529 Mon Sep 17 00:00:00 2001
+From: Maksim Salau <maksim.salau@gmail.com>
+Date: Tue, 25 Apr 2017 22:49:21 +0300
+Subject: usb: misc: legousbtower: Fix buffers on stack
+
+From: Maksim Salau <maksim.salau@gmail.com>
+
+commit 942a48730faf149ccbf3e12ac718aee120bb3529 upstream.
+
+Allocate buffers on HEAP instead of STACK for local structures
+that are to be received using usb_control_msg().
+
+Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
+Tested-by: Alfredo Rafael Vicente Boix <alviboi@gmail.com>;
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c | 37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -317,9 +317,16 @@ static int tower_open (struct inode *ino
+ int subminor;
+ int retval = 0;
+ struct usb_interface *interface;
+- struct tower_reset_reply reset_reply;
++ struct tower_reset_reply *reset_reply;
+ int result;
+
++ reset_reply = kmalloc(sizeof(*reset_reply), GFP_KERNEL);
++
++ if (!reset_reply) {
++ retval = -ENOMEM;
++ goto exit;
++ }
++
+ nonseekable_open(inode, file);
+ subminor = iminor(inode);
+
+@@ -364,8 +371,8 @@ static int tower_open (struct inode *ino
+ USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
+ 0,
+ 0,
+- &reset_reply,
+- sizeof(reset_reply),
++ reset_reply,
++ sizeof(*reset_reply),
+ 1000);
+ if (result < 0) {
+ dev_err(&dev->udev->dev,
+@@ -406,6 +413,7 @@ unlock_exit:
+ mutex_unlock(&dev->lock);
+
+ exit:
++ kfree(reset_reply);
+ return retval;
+ }
+
+@@ -808,7 +816,7 @@ static int tower_probe (struct usb_inter
+ struct lego_usb_tower *dev = NULL;
+ struct usb_host_interface *iface_desc;
+ struct usb_endpoint_descriptor* endpoint;
+- struct tower_get_version_reply get_version_reply;
++ struct tower_get_version_reply *get_version_reply = NULL;
+ int i;
+ int retval = -ENOMEM;
+ int result;
+@@ -886,6 +894,13 @@ static int tower_probe (struct usb_inter
+ dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval;
+ dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval;
+
++ get_version_reply = kmalloc(sizeof(*get_version_reply), GFP_KERNEL);
++
++ if (!get_version_reply) {
++ retval = -ENOMEM;
++ goto error;
++ }
++
+ /* get the firmware version and log it */
+ result = usb_control_msg (udev,
+ usb_rcvctrlpipe(udev, 0),
+@@ -893,18 +908,19 @@ static int tower_probe (struct usb_inter
+ USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
+ 0,
+ 0,
+- &get_version_reply,
+- sizeof(get_version_reply),
++ get_version_reply,
++ sizeof(*get_version_reply),
+ 1000);
+ if (result < 0) {
+ dev_err(idev, "LEGO USB Tower get version control request failed\n");
+ retval = result;
+ goto error;
+ }
+- dev_info(&interface->dev, "LEGO USB Tower firmware version is %d.%d "
+- "build %d\n", get_version_reply.major,
+- get_version_reply.minor,
+- le16_to_cpu(get_version_reply.build_no));
++ dev_info(&interface->dev,
++ "LEGO USB Tower firmware version is %d.%d build %d\n",
++ get_version_reply->major,
++ get_version_reply->minor,
++ le16_to_cpu(get_version_reply->build_no));
+
+ /* we can register the device now, as it is ready */
+ usb_set_intfdata (interface, dev);
+@@ -928,6 +944,7 @@ exit:
+ return retval;
+
+ error:
++ kfree(get_version_reply);
+ tower_delete(dev);
+ return retval;
+ }
--- /dev/null
+From 0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3 Mon Sep 17 00:00:00 2001
+From: Maksim Salau <maksim.salau@gmail.com>
+Date: Sat, 13 May 2017 23:49:26 +0300
+Subject: usb: misc: legousbtower: Fix memory leak
+
+From: Maksim Salau <maksim.salau@gmail.com>
+
+commit 0bd193d62b4270a2a7a09da43ad1034c7ca5b3d3 upstream.
+
+get_version_reply is not freed if function returns with success.
+
+Fixes: 942a48730faf ("usb: misc: legousbtower: Fix buffers on stack")
+Reported-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -941,6 +941,7 @@ static int tower_probe (struct usb_inter
+ USB_MAJOR, dev->minor);
+
+ exit:
++ kfree(get_version_reply);
+ return retval;
+
+ error:
projects / thirdparty / kernel / stable-queue.git / commitdiff
