From: Greg Kroah-Hartman Date: Thu, 3 Mar 2022 15:02:24 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.305~106 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=579ccb007adc0cbef8095a9197a12b2f5c01fc74;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: usb-gadget-clear-related-members-when-goto-fail.patch usb-gadget-don-t-release-an-existing-dev-buf.patch
---
diff --git a/queue-4.9/series b/queue-4.9/series
index dad0cf1abef..4091bd8dee7 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -6,3 +6,5 @@ cifs-fix-double-free-race-when-mount-fails-in-cifs_g.patch
 dmaengine-shdma-fix-runtime-pm-imbalance-on-error.patch
 i2c-qup-allow-compile_test.patch
 net-usb-cdc_mbim-avoid-altsetting-toggling-for-telit.patch
+usb-gadget-don-t-release-an-existing-dev-buf.patch
+usb-gadget-clear-related-members-when-goto-fail.patch
diff --git a/queue-4.9/usb-gadget-clear-related-members-when-goto-fail.patch b/queue-4.9/usb-gadget-clear-related-members-when-goto-fail.patch
new file mode 100644
index 00000000000..96af3dff8b2
--- /dev/null
+++ b/queue-4.9/usb-gadget-clear-related-members-when-goto-fail.patch
@@ -0,0 +1,43 @@
+From 501e38a5531efbd77d5c73c0ba838a889bfc1d74 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua
+Date: Sat, 1 Jan 2022 01:21:38 +0800
+Subject: usb: gadget: clear related members when goto fail
+
+From: Hangyu Hua
+
+commit 501e38a5531efbd77d5c73c0ba838a889bfc1d74 upstream.
+
+dev->config and dev->hs_config and dev->dev need to be cleaned if
+dev_config fails to avoid UAF.
+
+Acked-by: Alan Stern
+Signed-off-by: Hangyu Hua
+Link: https://lore.kernel.org/r/20211231172138.7993-3-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/legacy/inode.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1883,8 +1883,8 @@ dev_config (struct file *fd, const char
+
+ value = usb_gadget_probe_driver(&gadgetfs_driver);
+ if (value != 0) {
+- kfree (dev->buf);
+- dev->buf = NULL;
++ spin_lock_irq(&dev->lock);
++ goto fail;
+ } else {
+ /* at this point "good" hardware has for the first time
+ * let the USB the host see us. alternatively, if users
+@@ -1901,6 +1901,9 @@ dev_config (struct file *fd, const char
+ return value;
+
+ fail:
++ dev->config = NULL;
++ dev->hs_config = NULL;
++ dev->dev = NULL;
+ spin_unlock_irq (&dev->lock);
+ pr_debug ("%s: %s fail %Zd, %p\n", shortname, __func__, value, dev);
+ kfree (dev->buf);
diff --git a/queue-4.9/usb-gadget-don-t-release-an-existing-dev-buf.patch b/queue-4.9/usb-gadget-don-t-release-an-existing-dev-buf.patch
new file mode 100644
index 00000000000..337c6869699
--- /dev/null
+++ b/queue-4.9/usb-gadget-don-t-release-an-existing-dev-buf.patch
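Review bot: In usb-gadget-clear-related-members-when-goto-fail.patch, the `fail:` path clears `dev->config`, `dev->hs_config` and `dev->dev` while `dev->lock` is held, but `kfree (dev->buf)` still runs after `spin_unlock_irq`, so the buffer is released outside the lock that the `if (dev->buf)` check in the same function is made under. Whether another writer can actually observe the stale pointer depends on code outside this hunk (the lines after `kfree` and the callers of `dev_config` are not shown), so this is a question to confirm rather than a demonstrated race. If it is reachable, detaching the pointer under the lock would close the window: copy `dev->buf` to a local and set `dev->buf = NULL;` before the unlock, then `kfree()` the local afterwards. Separately, the new `spin_lock_irq(&dev->lock); goto fail;` pair would read better with a comment such as `/* fail: clears the config pointers and drops dev->lock */`, since the lock is taken only because the shared label expects it.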
@@ -0,0 +1,33 @@
+From 89f3594d0de58e8a57d92d497dea9fee3d4b9cda Mon Sep 17 00:00:00 2001
+From: Hangyu Hua
+Date: Sat, 1 Jan 2022 01:21:37 +0800
+Subject: usb: gadget: don't release an existing dev->buf
+
+From: Hangyu Hua
+
+commit 89f3594d0de58e8a57d92d497dea9fee3d4b9cda upstream.
+
+dev->buf does not need to be released if it already exists before
+executing dev_config.
+
+Acked-by: Alan Stern
+Signed-off-by: Hangyu Hua
+Link: https://lore.kernel.org/r/20211231172138.7993-2-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/legacy/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/inode.c
++++ b/drivers/usb/gadget/legacy/inode.c
+@@ -1833,8 +1833,9 @@ dev_config (struct file *fd, const char
+ spin_lock_irq (&dev->lock);
+ value = -EINVAL;
+ if (dev->buf) {
++ spin_unlock_irq(&dev->lock);
+ kfree(kbuf);
+- goto fail;
++ return value;
+ }
+ dev->buf = kbuf;
+
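Review bot: The early-return branch under `if (dev->buf)` carries no comment saying why it must bypass `fail:`, and the reason is not visible from the branch itself: the `fail:` label frees `dev->buf`, which here already existed before this call and is not this caller's to release. A one-line comment such as `/* already configured: dev->buf predates this call, so skip the fail path that frees it */` would keep a later cleanup from folding the branch back into `goto fail` and reintroducing the free of a live buffer. The `fail:` label and the rest of `dev_config` lie outside this hunk.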