From: Greg Kroah-Hartman Date: Sat, 17 Aug 2019 14:39:52 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.19.68~64 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=db86656462986b936136646ccfd9966614d605f0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch
---
diff --git a/queue-4.4/series b/queue-4.4/series
index 53fca8dd56d..c54d098c708 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -32,3 +32,5 @@ smb3-send-cap_dfs-capability-during-session-setup.patch
 mwifiex-fix-802.11n-wpa-detection.patch
 scsi-mpt3sas-use-63-bit-dma-addressing-on-sas35-hba.patch
 sh-kernel-hw_breakpoint-fix-missing-break-in-switch-statement.patch
+usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch
+usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch
diff --git a/queue-4.4/usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch b/queue-4.4/usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch
new file mode 100644
index 00000000000..92c7e647e3a
--- /dev/null
+++ b/queue-4.4/usb-gadget-f_midi-fail-if-set_alt-fails-to-allocate-requests.patch
@@ -0,0 +1,36 @@
+From f0f1b8cac4d8d973e95f25d9ea132775fb43c5f4 Mon Sep 17 00:00:00 2001
+From: "Felipe F. Tonello"
+Date: Tue, 1 Dec 2015 18:31:01 +0000
+Subject: usb: gadget: f_midi: fail if set_alt fails to allocate requests
+
+From: Felipe F. Tonello
+
+commit f0f1b8cac4d8d973e95f25d9ea132775fb43c5f4 upstream.
+
+This ensures that the midi function will only work if the proper number of
+IN and OUT requrests are allocated. Otherwise the function will work with less
+requests then what the user wants.
+
+Signed-off-by: Felipe F. Tonello
+Signed-off-by: Felipe Balbi
+From: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/f_midi.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -364,9 +364,10 @@ static int f_midi_set_alt(struct usb_fun
+ req->complete = f_midi_complete;
+ err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
+ if (err) {
+- ERROR(midi, "%s queue req: %d\n",
++ ERROR(midi, "%s: couldn't enqueue request: %d\n",
+ midi->out_ep->name, err);
+ free_ep_req(midi->out_ep, req);
++ return err;
+ }
+ }
+
diff --git a/queue-4.4/usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch b/queue-4.4/usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch
new file mode 100644
index 00000000000..351b6c989b3
--- /dev/null
+++ b/queue-4.4/usb-gadget-f_midi-fixing-a-possible-double-free-in-f_midi.patch
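Review bot: The `return err;` added to the enqueue-failure branch of f_midi_set_alt (in the fail-if-set_alt patch) releases only the request that failed to queue; OUT requests queued by earlier iterations of the surrounding loop stay in flight when the function bails out. The loop and the rest of f_midi_set_alt lie outside the hunk, so whether a later disable path reclaims those requests and undoes the endpoint setup cannot be confirmed from here. If something does, the branch deserves a comment saying so, for example `/* already-queued requests are reclaimed when the function is disabled */`; if nothing does, the error path should unwind before returning.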
@@ -0,0 +1,69 @@
+From 7fafcfdf6377b18b2a726ea554d6e593ba44349f Mon Sep 17 00:00:00 2001
+From: "Yavuz, Tuba"
+Date: Fri, 23 Mar 2018 17:00:38 +0000
+Subject: USB: gadget: f_midi: fixing a possible double-free in f_midi
+
+From: Yavuz, Tuba
+
+commit 7fafcfdf6377b18b2a726ea554d6e593ba44349f upstream.
+
+It looks like there is a possibility of a double-free vulnerability on an
+error path of the f_midi_set_alt function in the f_midi driver. If the
+path is feasible then free_ep_req gets called twice:
+
+ req->complete = f_midi_complete;
+ err = usb_ep_queue(midi->out_ep, req, GFP_ATOMIC);
+ => ...
+ usb_gadget_giveback_request
+ =>
+ f_midi_complete (CALLBACK)
+ (inside f_midi_complete, for various cases of status)
+ free_ep_req(ep, req); // first kfree
+ if (err) {
+ ERROR(midi, "%s: couldn't enqueue request: %d\n",
+ midi->out_ep->name, err);
+ free_ep_req(midi->out_ep, req); // second kfree
+ return err;
+ }
+
+The double-free possibility was introduced with commit ad0d1a058eac
+("usb: gadget: f_midi: fix leak on failed to enqueue out requests").
+
+Found by MOXCAFE tool.
+
+Signed-off-by: Tuba Yavuz
+Fixes: ad0d1a058eac ("usb: gadget: f_midi: fix leak on failed to enqueue out requests")
+Acked-by: Felipe Balbi
+Cc: stable
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/function/f_midi.c | 3 ++-
+ drivers/usb/gadget/u_f.h | 2 ++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_midi.c
++++ b/drivers/usb/gadget/function/f_midi.c
+@@ -366,7 +366,8 @@ static int f_midi_set_alt(struct usb_fun
+ if (err) {
+ ERROR(midi, "%s: couldn't enqueue request: %d\n",
+ midi->out_ep->name, err);
+- free_ep_req(midi->out_ep, req);
++ if (req->buf != NULL)
++ free_ep_req(midi->out_ep, req);
+ return err;
+ }
+ }
+--- a/drivers/usb/gadget/u_f.h
++++ b/drivers/usb/gadget/u_f.h
+@@ -65,7 +65,9 @@ struct usb_request *alloc_ep_req(struct
+ /* Frees a usb_request previously allocated by alloc_ep_req() */
+ static inline void free_ep_req(struct usb_ep *ep, struct usb_request *req)
+ {
++ WARN_ON(req->buf == NULL);
+ kfree(req->buf);
++ req->buf = NULL;
+ usb_ep_free_request(ep, req);
+ }
+
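Review bot: The new guard `if (req->buf != NULL)` in f_midi_set_alt reads a field of `req` in exactly the case where `req` may already be gone: free_ep_req() sets `req->buf = NULL` and then calls `usb_ep_free_request(ep, req)`, which, going by the helper's own header comment, releases the request itself. If f_midi_complete did run during the failed usb_ep_queue(), the NULL marker sits in freed memory, so the check trades the double free for a read of a stale object whose result depends on allocator reuse (usb_ep_free_request's body is not shown, so this is inferred from the comment and the call). A sturdier fix would settle ownership so that exactly one of the completion callback or this error path frees on a failed enqueue. At minimum the branch should carry `/* NOTE: if ->complete already ran, req is freed and req->buf is stale */`. f_midi_set_alt's body extends beyond the hunk.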