From: Sasha Levin Date: Tue, 7 Feb 2023 03:15:38 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v5.15.93~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=868401e2c0896c5b1306d86684863d26e3287144;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/series b/queue-4.14/series index 593b5d005db..30010f6e921 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -8,3 +8,4 @@ net-openvswitch-fix-flow-memory-leak-in-ovs_flow_cmd.patch scsi-target-core-fix-warning-on-rt-kernels.patch scsi-iscsi_tcp-fix-uaf-during-login-when-accessing-t.patch net-x25-fix-to-not-accept-on-connected-socket.patch +usb-gadget-f_fs-fix-unbalanced-spinlock-in-__ffs_ep0.patch diff --git a/queue-4.14/usb-gadget-f_fs-fix-unbalanced-spinlock-in-__ffs_ep0.patch b/queue-4.14/usb-gadget-f_fs-fix-unbalanced-spinlock-in-__ffs_ep0.patch new file mode 100644 index 00000000000..91df9f6dc53 --- /dev/null +++ b/queue-4.14/usb-gadget-f_fs-fix-unbalanced-spinlock-in-__ffs_ep0.patch 
@@ -0,0 +1,45 @@ +From 3ee830f04845a39815ef67c3597260578fdc3ec8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 14:41:49 +0530 +Subject: usb: gadget: f_fs: Fix unbalanced spinlock in __ffs_ep0_queue_wait + +From: Udipto Goswami + +[ Upstream commit 921deb9da15851425ccbb6ee409dc2fd8fbdfe6b ] + +__ffs_ep0_queue_wait executes holding the spinlock of &ffs->ev.waitq.lock +and unlocks it after the assignments to usb_request are done. +However in the code if the request is already NULL we bail out returning +-EINVAL but never unlocked the spinlock. + +Fix this by adding spin_unlock_irq &ffs->ev.waitq.lock before returning. + +Fixes: 6a19da111057 ("usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait") +Reviewed-by: John Keeping +Signed-off-by: Udipto Goswami +Link: https://lore.kernel.org/r/20230124091149.18647-1-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_fs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c +index 946cf039eddd..ba9af04ad37a 100644 +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -274,8 +274,10 @@ static int __ffs_ep0_queue_wait(struct ffs_data *ffs, char *data, size_t len) + struct usb_request *req = ffs->ep0req; + int ret; + +- if (!req) ++ if (!req) { ++ spin_unlock_irq(&ffs->ev.waitq.lock); + return -EINVAL; ++ } + + req->zero = len < le16_to_cpu(ffs->ev.setup.wLength); + +-- +2.39.0 +
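Review bot: In the `if (!req)` branch of `__ffs_ep0_queue_wait`, the added `spin_unlock_irq(&ffs->ev.waitq.lock)` releases a lock that the function did not take itself, and nothing in the visible hunk documents that contract. A short comment above the function would help, stating that it is entered with `ffs->ev.waitq.lock` held and returns with it released on every path, including the `-EINVAL` return. If the function does not already carry a sparse `__releases(&ffs->ev.waitq.lock)` annotation, adding one would let context checking flag this kind of imbalance. For the `queue-4.14/series` addition, confirm that the commit named in the Fixes: tag, 6a19da111057, is actually present in the 4.14 tree, since the tag names it as the change that introduced the problem.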