5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Mar 2022 15:03:27 +0000 (16:03 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 3 Mar 2022 15:03:27 +0000 (16:03 +0100)
added patches:
usb-gadget-clear-related-members-when-goto-fail.patch
usb-gadget-don-t-release-an-existing-dev-buf.patch

queue-5.15/series
queue-5.15/usb-gadget-clear-related-members-when-goto-fail.patch [new file with mode: 0644]
queue-5.15/usb-gadget-don-t-release-an-existing-dev-buf.patch [new file with mode: 0644]

index c1a987d8c72ea6e712ca9347357a94f88de40855..c0868b6c341cd44b0919399c349578d6bfbbd818 100644 (file)
@@ -24,3 +24,5 @@ i2c-imx-allow-compile_test.patch
 i2c-qup-allow-compile_test.patch
 net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
 block-map-add-__gfp_zero-flag-for-alloc_page-in-func.patch
+usb-gadget-don-t-release-an-existing-dev-buf.patch
+usb-gadget-clear-related-members-when-goto-fail.patch
diff --git a/queue-5.15/usb-gadget-clear-related-members-when-goto-fail.patch b/queue-5.15/usb-gadget-clear-related-members-when-goto-fail.patch
new file mode 100644 (file)
index 0000000..f927d3d
--- /dev/null
@@ -0,0 +1,43 @@
+From 501e38a5531efbd77d5c73c0ba838a889bfc1d74 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Sat, 1 Jan 2022 01:21:38 +0800
+Subject: usb: gadget: clear related members when goto fail
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+commit 501e38a5531efbd77d5c73c0ba838a889bfc1d74 upstream.
+
+dev->config and dev->hs_config and dev->dev need to be cleaned if
+dev_config fails to avoid UAF.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20211231172138.7993-3-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/inode.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1878,8 +1878,8 @@ dev_config (struct file *fd, const char
+       value = usb_gadget_probe_driver(&gadgetfs_driver);
+       if (value != 0) {
+-              kfree (dev->buf);
+-              dev->buf = NULL;
++              spin_lock_irq(&dev->lock);
++              goto fail;
+       } else {
+               /* at this point "good" hardware has for the first time
+                * let the USB the host see us.  alternatively, if users
+@@ -1896,6 +1896,9 @@ dev_config (struct file *fd, const char
+       return value;
+ fail:
++      dev->config = NULL;
++      dev->hs_config = NULL;
++      dev->dev = NULL;
+       spin_unlock_irq (&dev->lock);
+       pr_debug ("%s: %s fail %zd, %p\n", shortname, __func__, value, dev);
+       kfree (dev->buf);
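Review bot: In the `fail:` path the three aliases are cleared while `dev->lock` is held, but `kfree (dev->buf)` on the last visible line runs after `spin_unlock_irq`, so between that free and the reset of `dev->buf` (not visible here) the field still holds a pointer to freed memory. Whether any other path can observe it in that window depends on code outside the hunk, since dev_config's body starts before and continues past the lines shown. If one can, detaching the pointer under the lock would close the window: `kbuf = dev->buf; dev->buf = NULL;` before the unlock and `kfree (kbuf);` after it. The probe-failure branch also takes `spin_lock_irq(&dev->lock)` only so that the unlock at `fail:` balances, which deserves a short comment such as `/* fail: expects dev->lock held */`. The use-after-free rationale for the three NULL assignments currently lives only in the commit message, so a one-line comment above them saying these pointers must not outlive `dev->buf` would keep it next to the code.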
diff --git a/queue-5.15/usb-gadget-don-t-release-an-existing-dev-buf.patch b/queue-5.15/usb-gadget-don-t-release-an-existing-dev-buf.patch
new file mode 100644 (file)
index 0000000..4e7cd0c
--- /dev/null
@@ -0,0 +1,33 @@
+From 89f3594d0de58e8a57d92d497dea9fee3d4b9cda Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Sat, 1 Jan 2022 01:21:37 +0800
+Subject: usb: gadget: don't release an existing dev->buf
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+commit 89f3594d0de58e8a57d92d497dea9fee3d4b9cda upstream.
+
+dev->buf does not need to be released if it already exists before
+executing dev_config.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20211231172138.7993-2-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/inode.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1829,8 +1829,9 @@ dev_config (struct file *fd, const char
+       spin_lock_irq (&dev->lock);
+       value = -EINVAL;
+       if (dev->buf) {
++              spin_unlock_irq(&dev->lock);
+               kfree(kbuf);
+-              goto fail;
++              return value;
+       }
+       dev->buf = kbuf;