From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 1 Jul 2018 14:55:00 +0000 (+0200)
Subject: 4.14-stable patches
X-Git-Tag: v3.18.114~8
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=014ad9c184443ae40f17d8dbdf7133ea220c9cf8;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	xhci-fix-use-after-free-in-xhci_free_virt_device.patch
---

diff --git a/queue-4.14/series b/queue-4.14/series
index ced019aea5a..1c56ed6baab 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -154,3 +154,4 @@ block-fix-cloning-of-requests-with-a-special-payload.patch
 x86-efi-fix-efi_call_phys_epilog-with-config_x86_5level-y.patch
 dm-zoned-avoid-triggering-reclaim-from-inside-dmz_map.patch
 dm-thin-handle-running-out-of-data-space-vs-concurrent-discard.patch
+xhci-fix-use-after-free-in-xhci_free_virt_device.patch
diff --git a/queue-4.14/xhci-fix-use-after-free-in-xhci_free_virt_device.patch b/queue-4.14/xhci-fix-use-after-free-in-xhci_free_virt_device.patch
new file mode 100644
index 00000000000..8f284a6b48a
--- /dev/null
+++ b/queue-4.14/xhci-fix-use-after-free-in-xhci_free_virt_device.patch
@@ -0,0 +1,45 @@
+From 44a182b9d17765514fa2b1cc911e4e65134eef93 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 3 May 2018 17:30:07 +0300
+Subject: xhci: Fix use-after-free in xhci_free_virt_device
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream.
+
+KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e
+where xhci_free_virt_device() sets slot id to 0 if udev exists:
+if (dev->udev && dev->udev->slot_id)
+	dev->udev->slot_id = 0;
+
+dev->udev will be true even if udev is freed because dev->udev is
+not set to NULL.
+
+set dev->udev pointer to NULL in xhci_free_dev()
+
+The original patch went to stable so this fix needs to be applied
+there as well.
+
+Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot")
+Cc: <stable@vger.kernel.org>
+Reported-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Tested-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3551,6 +3551,7 @@ static void xhci_free_dev(struct usb_hcd
+ 		del_timer_sync(&virt_dev->eps[i].stop_cmd_timer);
+ 	}
+ 
++	virt_dev->udev = NULL;
+ 	xhci_disable_slot(xhci, udev->slot_id);
+ 	/*
+ 	 * Event command completion handler will free any data structures