4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Aug 2019 14:39:52 +0000 (16:39 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 17 Aug 2019 14:39:52 +0000 (16:39 +0200)
added patches:
usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch
usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch

queue-4.4/series
queue-4.4/usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch [new file with mode: 0644]
queue-4.4/usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch [new file with mode: 0644]

index 53fca8dd56d9562f7b11129ba438e3016e4128fb..c54d098c708751a940554e76c0bf90c7098e85aa 100644 (file)
@@ -32,3 +32,5 @@ smb3-send-cap_dfs-capability-during-session-setup.patch
 mwifiex-fix-802.11n-wpa-detection.patch
 scsi-mpt3sas-use-63-bit-dma-addressing-on-sas35-hba.patch
 sh-kernel-hw_breakpoint-fix-missing-break-in-switch-statement.patch
+usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch
+usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch
diff --git a/queue-4.4/usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch b/queue-4.4/usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch
new file mode 100644 (file)
index 0000000..92c7e64
--- /dev/null
@@ -0,0 +1,36 @@
+From f0f1b8cac4d8d973e95f25d9ea132775fb43c5f4 Mon Sep 17 00:00:00 2001
+From: "Felipe F. Tonello" <eu@felipetonello.com>
+Date: Tue, 1 Dec 2015 18:31:01 +0000
+Subject: usb: gadget: f_midi: fail if set_alt fails to allocate requests
+
+From: Felipe F. Tonello <eu@felipetonello.com>
+
+commit f0f1b8cac4d8d973e95f25d9ea132775fb43c5f4 upstream.
+
+This ensures that the midi function will only work if the proper number of
+IN and OUT requrests are allocated. Otherwise the function will work with less
+requests then what the user wants.
+
+Signed-off-by: Felipe F. Tonello <eu@felipetonello.com>
+Signed-off-by: Felipe Balbi <balbi@ti.com>
+From: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_midi.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -364,9 +364,10 @@ static int f_midi_set_alt(struct usb_fun
+               req->complete = f_midi_complete;
+               err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
+               if (err) {
+-                      ERROR(midi, "%s queue req: %d\n",
++                      ERROR(midi, "%s: couldn't enqueue request: %d\n",
+                                   midi->out_ep->name, err);
+                       free_ep_req(midi->out_ep, req);
++                      return err;
+               }
+       }
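Review bot: The added `return err;` in the `if (err)` branch of f_midi_set_alt leaves the function from inside the request-queuing block, and nothing visible here dequeues OUT requests that were queued successfully before the failing one. The loop header and the rest of the function lie outside the hunk, so whether the endpoint is still enabled with those requests pending at that point is inferred, not shown. A short comment on the return, such as `/* requests queued so far are reclaimed when the function is disabled */` if that is what happens, would state the ownership rule this error path relies on. The retained `free_ep_req(midi->out_ep, req);` just above it is the call the second queued patch describes as a possible double free, so the two patches should be kept together in the series.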
diff --git a/queue-4.4/usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch b/queue-4.4/usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch
new file mode 100644 (file)
index 0000000..351b6c9
--- /dev/null
@@ -0,0 +1,69 @@
+From 7fafcfdf6377b18b2a726ea554d6e593ba44349f Mon Sep 17 00:00:00 2001
+From: "Yavuz, Tuba" <tuba@ece.ufl.edu>
+Date: Fri, 23 Mar 2018 17:00:38 +0000
+Subject: USB: gadget: f_midi: fixing a possible double-free in f_midi
+
+From: Yavuz, Tuba <tuba@ece.ufl.edu>
+
+commit 7fafcfdf6377b18b2a726ea554d6e593ba44349f upstream.
+
+It looks like there is a possibility of a double-free vulnerability on an
+error path of the f_midi_set_alt function in the f_midi driver. If the
+path is feasible then free_ep_req gets called twice:
+
+         req->complete = f_midi_complete;
+         err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
+            => ...
+             usb_gadget_giveback_request
+               =>
+                 f_midi_complete (CALLBACK)
+                   (inside f_midi_complete, for various cases of status)
+                   free_ep_req(ep, req); // first kfree
+         if (err) {
+                 ERROR(midi, "%s: couldn't enqueue request: %d\n",
+                             midi->out_ep->name, err);
+                 free_ep_req(midi->out_ep, req); // second kfree
+                 return err;
+         }
+
+The double-free possibility was introduced with commit ad0d1a058eac
+("usb: gadget: f_midi: fix leak on failed to enqueue out requests").
+
+Found by MOXCAFE tool.
+
+Signed-off-by: Tuba Yavuz <tuba@ece.ufl.edu>
+Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests")
+Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_midi.c |    3 ++-
+ drivers/usb/gadget/u_f.h             |    2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -366,7 +366,8 @@ static int f_midi_set_alt(struct usb_fun
+               if (err) {
+                       ERROR(midi, "%s: couldn't enqueue request: %d\n",
+                                   midi->out_ep->name, err);
+-                      free_ep_req(midi->out_ep, req);
++                      if (req->buf != NULL)
++                              free_ep_req(midi->out_ep, req);
+                       return err;
+               }
+       }
+--- a/drivers/usb/gadget/u_f.h
++++ b/drivers/usb/gadget/u_f.h
+@@ -65,7 +65,9 @@ struct usb_request *alloc_ep_req(struct
+ /* Frees a usb_request previously allocated by alloc_ep_req() */
+ static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
+ {
++      WARN_ON(req->buf == NULL);
+       kfree(req->buf);
++      req->buf = NULL;
+       usb_ep_free_request(ep, req);
+ }
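Review bot: The new guard `if (req->buf != NULL)` in f_midi_set_alt reads `req` after the completion path described in the commit message may already have run free_ep_req() on it, and free_ep_req() ends with `usb_ep_free_request(ep, req)`, so the check can dereference a request that has already been released. Clearing `req->buf` in the u_f.h hunk only helps while the `usb_request` itself is still valid; presumably that depends on the controller's free routine leaving the memory readable, which should not be relied on. The error path needs a documented rule for who owns the request when usb_ep_queue() fails, and a comment at the call such as `/* on error the request is still owned by the caller; the UDC must not have completed it */` would make that assumption checkable. Separately, `WARN_ON(req->buf == NULL)` will fire for any caller that frees a request without a buffer, which is worth confirming against the other users of free_ep_req() outside this hunk.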