[4.14,1/2] usb: gadget: don't release an existing dev->buf

Message ID	20220301022608.10950-2-hbh25y@gmail.com
State	New
Headers	show Return-Path: <linux-usb-owner@kernel.org> From: Hangyu Hua <hbh25y@gmail.com> To: gregkh@linuxfoundation.org Cc: stable@vger.kernel.org, linux-usb@vger.kernel.org, linux-kernel@vger.kernel.org, ben@decadent.org.uk, balbi@kernel.org, axboe@kernel.dk, mingo@kernel.org, jj251510319013@gmail.com, zsm@chromium.org, stern@rowland.harvard.edu, Hangyu Hua <hbh25y@gmail.com> Subject: [PATCH 4.14 1/2] usb: gadget: don't release an existing dev->buf Date: Tue, 1 Mar 2022 10:26:07 +0800 Message-Id: <20220301022608.10950-2-hbh25y@gmail.com> In-Reply-To: <20220301022608.10950-1-hbh25y@gmail.com> References: <20220301022608.10950-1-hbh25y@gmail.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	usb: gadget: use after free in dev_config \| expand [4.14,0/2] usb: gadget: use after free in dev_config [4.14,1/2] usb: gadget: don't release an existing dev->buf [4.14,2/2] usb: gadget: clear related members when goto fail

Message ID

20220301022608.10950-2-hbh25y@gmail.com

State

New

Headers

From: Hangyu Hua <hbh25y@gmail.com>
To: gregkh@linuxfoundation.org
Cc: stable@vger.kernel.org, linux-usb@vger.kernel.org,
        linux-kernel@vger.kernel.org, ben@decadent.org.uk,
        balbi@kernel.org, axboe@kernel.dk, mingo@kernel.org,
        jj251510319013@gmail.com, zsm@chromium.org,
        stern@rowland.harvard.edu, Hangyu Hua <hbh25y@gmail.com>
Subject: [PATCH 4.14 1/2] usb: gadget: don't release an existing dev->buf
Date: Tue,  1 Mar 2022 10:26:07 +0800
Message-Id: <20220301022608.10950-2-hbh25y@gmail.com>
In-Reply-To: <20220301022608.10950-1-hbh25y@gmail.com>
References: <20220301022608.10950-1-hbh25y@gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

usb: gadget: use after free in dev_config | expand

Commit Message

Hangyu Hua March 1, 2022, 2:26 a.m. UTC

dev->buf does not need to be released if it already exists before
executing dev_config.

Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20211231172138.7993-2-hbh25y@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org #4.4+
---
 drivers/usb/gadget/legacy/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 3b58f4fc0a80..eaad03c0252f 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1826,8 +1826,9 @@  dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	spin_lock_irq (&dev->lock);
 	value = -EINVAL;
 	if (dev->buf) {
+		spin_unlock_irq(&dev->lock);
 		kfree(kbuf);
-		goto fail;
+		return value;
 	}
 	dev->buf = kbuf;

[4.14,1/2] usb: gadget: don't release an existing dev->buf

Commit Message

Patch