| From 501e38a5531efbd77d5c73c0ba838a889bfc1d74 Mon Sep 17 00:00:00 2001 |
| From: Hangyu Hua <hbh25y@gmail.com> |
| Date: Sat, 1 Jan 2022 01:21:38 +0800 |
| Subject: usb: gadget: clear related members when goto fail |
| |
| From: Hangyu Hua <hbh25y@gmail.com> |
| |
| commit 501e38a5531efbd77d5c73c0ba838a889bfc1d74 upstream. |
| |
| dev->config and dev->hs_config and dev->dev need to be cleaned if |
| dev_config fails to avoid UAF. |
| |
| Acked-by: Alan Stern <stern@rowland.harvard.edu> |
| Signed-off-by: Hangyu Hua <hbh25y@gmail.com> |
| Link: https://lore.kernel.org/r/20211231172138.7993-3-hbh25y@gmail.com |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| drivers/usb/gadget/legacy/inode.c | 7 +++++-- |
| 1 file changed, 5 insertions(+), 2 deletions(-) |
| |
| --- a/drivers/usb/gadget/legacy/inode.c |
| +++ b/drivers/usb/gadget/legacy/inode.c |
| @@ -1878,8 +1878,8 @@ dev_config (struct file *fd, const char |
| |
| value = usb_gadget_probe_driver(&gadgetfs_driver); |
| if (value != 0) { |
| - kfree (dev->buf); |
| - dev->buf = NULL; |
| + spin_lock_irq(&dev->lock); |
| + goto fail; |
| } else { |
| /* at this point "good" hardware has for the first time |
| * let the USB the host see us. alternatively, if users |
| @@ -1896,6 +1896,9 @@ dev_config (struct file *fd, const char |
| return value; |
| |
| fail: |
| + dev->config = NULL; |
| + dev->hs_config = NULL; |
| + dev->dev = NULL; |
| spin_unlock_irq (&dev->lock); |
| pr_debug ("%s: %s fail %zd, %p\n", shortname, __func__, value, dev); |
| kfree (dev->buf); |
