Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 60f86fc0 authored by Vijayavardhan Vennapusa's avatar Vijayavardhan Vennapusa
Browse files

USB: core: hub.c: Fix bug in accessing freed memory 



Current driver is accessing the buffer memory after it is freed.
This could result in getting wrong value and might could cause
memory corruption. Hence fix this issue by taking idvendor value
into a variable before freeing it.

CRs-Fixed: 550211
Change-Id: I271dbf3518e7b6e0d30c684bd05c835945de0950
Signed-off-by: default avatarVijayavardhan Vennapusa <vvreddy@codeaurora.org>
parent 220d664b

drivers/usb/core/hub.c

+3 −1
Original line number Diff line number Diff line
@@ -4114,6 +4114,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, 
			!(hcd->driver->flags & HCD_USB3) &&

			!(hcd->driver->flags & HCD_OLD_ENUM)) {

			struct usb_device_descriptor *buf;

			ushort idvendor;

			int r = 0;



#define GET_DESCRIPTOR_BUFSIZE	64
@@ -4152,6 +4153,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, 
			}

			udev->descriptor.bMaxPacketSize0 =

					buf->bMaxPacketSize0;

			idvendor = le16_to_cpu(buf->idVendor);

			kfree(buf);



			/*
@@ -4159,7 +4161,7 @@ hub_port_init (struct usb_hub *hub, struct usb_device *udev, int port1, 
			 * second reset which results in failure due to

			 * speed change.

			 */

			if (le16_to_cpu(buf->idVendor) != 0x1a0a) {

			if (idvendor != 0x1a0a) {

				retval = hub_port_reset(hub, port1, udev,

							 delay, false);

				if (retval < 0)	/* error or disconnect */

drivers/usb/host/xhci.c

+1 −1
Original line number Diff line number Diff line
@@ -3995,7 +3995,7 @@ int xhci_set_usb2_hardware_lpm(struct usb_hcd *hcd, 
	unsigned int	port_num;

	unsigned long	flags;

	int		hird;

	bool		delay;

	bool		delay = false;



	if (hcd->speed == HCD_USB3 || !xhci->hw_lpm_support ||

			!udev->lpm_capable)