4.9-stable patches

added patches:
	usb-gadget-clear-related-members-when-goto-fail.patch
	usb-gadget-don-t-release-an-existing-dev-buf.patch

diff --git a/queue-4.9/series b/queue-4.9/series
index dad0cf1abeff7756e93d04c7b7820d18a0ee343d..4091bd8dee7ab492473bb8b9a124c262ec022056 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -6,3 +6,5 @@ cifs-fix-double-free-race-when-mount-fails-in-cifs_g.patch
 dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch
 i2c-qup-allow-compile_test.patch
 net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
+usb-gadget-don-t-release-an-existing-dev-buf.patch
+usb-gadget-clear-related-members-when-goto-fail.patch

diff --git a/queue-4.9/usb-gadget-clear-related-members-when-goto-fail.patch b/queue-4.9/usb-gadget-clear-related-members-when-goto-fail.patch
new file mode 100644 (file)
index 0000000..96af3df
--- /dev/null
+++ b/queue-4.9/usb-gadget-clear-related-members-when-goto-fail.patch
@@ -0,0 +1,43 @@
+From 501e38a5531efbd77d5c73c0ba838a889bfc1d74 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Sat, 1 Jan 2022 01:21:38 +0800
+Subject: usb: gadget: clear related members when goto fail
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+commit 501e38a5531efbd77d5c73c0ba838a889bfc1d74 upstream.
+
+dev->config and dev->hs_config and dev->dev need to be cleaned if
+dev_config fails to avoid UAF.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20211231172138.7993-3-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/inode.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1883,8 +1883,8 @@ dev_config (struct file *fd, const char
+ 
+       value = usb_gadget_probe_driver(&gadgetfs_driver);
+       if (value != 0) {
+-              kfree (dev->buf);
+-              dev->buf = NULL;
++              spin_lock_irq(&dev->lock);
++              goto fail;
+       } else {
+               /* at this point "good" hardware has for the first time
+                * let the USB the host see us.  alternatively, if users
+@@ -1901,6 +1901,9 @@ dev_config (struct file *fd, const char
+       return value;
+ 
+ fail:
++      dev->config = NULL;
++      dev->hs_config = NULL;
++      dev->dev = NULL;
+       spin_unlock_irq (&dev->lock);
+       pr_debug ("%s: %s fail %Zd, %p\n", shortname, __func__, value, dev);
+       kfree (dev->buf);

diff --git a/queue-4.9/usb-gadget-don-t-release-an-existing-dev-buf.patch b/queue-4.9/usb-gadget-don-t-release-an-existing-dev-buf.patch
new file mode 100644 (file)
index 0000000..337c686
--- /dev/null
+++ b/queue-4.9/usb-gadget-don-t-release-an-existing-dev-buf.patch
@@ -0,0 +1,33 @@
+From 89f3594d0de58e8a57d92d497dea9fee3d4b9cda Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Sat, 1 Jan 2022 01:21:37 +0800
+Subject: usb: gadget: don't release an existing dev->buf
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+commit 89f3594d0de58e8a57d92d497dea9fee3d4b9cda upstream.
+
+dev->buf does not need to be released if it already exists before
+executing dev_config.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20211231172138.7993-2-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/inode.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1833,8 +1833,9 @@ dev_config (struct file *fd, const char
+       spin_lock_irq (&dev->lock);
+       value = -EINVAL;
+       if (dev->buf) {
++              spin_unlock_irq(&dev->lock);
+               kfree(kbuf);
+-              goto fail;
++              return value;
+       }
+       dev->buf = kbuf;
+