On Wed, 28 Dec 2022, Greg Kroah-Hartman wrote:
From: John Keeping <john@metanate.com>
[ Upstream commit 89ff3dfac604614287ad5aad9370c3f984ea3f4b ]
The embedded struct cdev does not have its lifetime correctly tied to the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN is held open while the gadget is deleted.
This can readily be replicated with libusbgx's example programs (for conciseness - operating directly via configfs is equivalent):
    gadget-hid
    exec 3<> /dev/hidg0
    gadget-vid-pid-remove
    exec 3<&-
Pull the existing device up into struct f_hidg and make use of the cdev_device_{add,del}() helpers. This changes the lifetime of the device object to match struct f_hidg, but note that it is still added and deleted at the same time.
Fixes: 71adf1189469 ("USB: gadget: add HID gadget driver")
Tested-by: Lee Jones <lee@kernel.org>
Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@collabora.com>
Reviewed-by: Lee Jones <lee@kernel.org>
Signed-off-by: John Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20221122123523.3068034-2-john@metanate.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 drivers/usb/gadget/function/f_hid.c | 52 ++++++++++++++++-------------
 1 file changed, 28 insertions(+), 24 deletions(-)
Dear Stable,
Would you be kind enough to take this back as far back as linux.4.14.y please? There is a trivial fix-up required for kernels older than v5.15, but it's the same fix-up back through v4.14.
Thanks.
-- 
Lee Jones [李琼斯]