Input: ims-pcu - fix use-after-free and double-free in disconnect

ims_pcu_disconnect() only intended to perform cleanup when the primary
(control) interface is unbound. However, it currently relies on the
interface class to distinguish between control and data interfaces.
A malicious device could present a data interface with the same class
as the control interface, leading to premature cleanup and potential
use-after-free or double-free.

Switch to verifying that the interface being disconnected is indeed
the control interface.

Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
Cc: stable@vger.kernel.org
Reported-by: Sashiko bot <sashiko-bot@kernel.org>
Assisted-by: Gemini:gemini-3.1-pro
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>

diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index 75a0cadf7be9dbecccf2cac881d80f478f65b415..694490b2462920c04e60d26c428fbdfd9dc3fa4c 100644 (file)
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -2078,7 +2078,6 @@ err_free_mem:
 static void ims_pcu_disconnect(struct usb_interface *intf)
 {
        struct ims_pcu *pcu = usb_get_intfdata(intf);
-       struct usb_host_interface *alt = intf->cur_altsetting;
 
        usb_set_intfdata(intf, NULL);
 
@@ -2086,7 +2085,7 @@ static void ims_pcu_disconnect(struct usb_interface *intf)
         * See if we are dealing with control or data interface. The cleanup
         * happens when we unbind primary (control) interface.
         */
-       if (alt->desc.bInterfaceClass != USB_CLASS_COMM)
+       if (intf != pcu->ctrl_intf)
                return;
 
        ims_pcu_stop_io(pcu);