On Wed, 28 Dec 2022, Greg Kroah-Hartman wrote:

> From: John Keeping <john@xxxxxxxxxxxx>
>
> [ Upstream commit 89ff3dfac604614287ad5aad9370c3f984ea3f4b ]
>
> The embedded struct cdev does not have its lifetime correctly tied to
> the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN
> is held open while the gadget is deleted.
>
> This can readily be replicated with libusbgx's example programs (for
> conciseness - operating directly via configfs is equivalent):
>
>     gadget-hid
>     exec 3<> /dev/hidg0
>     gadget-vid-pid-remove
>     exec 3<&-
>
> Pull the existing device up into struct f_hidg and make use of the
> cdev_device_{add,del}() helpers. This changes the lifetime of the
> device object to match struct f_hidg, but note that it is still added
> and deleted at the same time.
>
> Fixes: 71adf1189469 ("USB: gadget: add HID gadget driver")
> Tested-by: Lee Jones <lee@xxxxxxxxxx>
> Reviewed-by: Andrzej Pietrasiewicz <andrzej.p@xxxxxxxxxxxxx>
> Reviewed-by: Lee Jones <lee@xxxxxxxxxx>
> Signed-off-by: John Keeping <john@xxxxxxxxxxxx>
> Link: https://lore.kernel.org/r/20221122123523.3068034-2-john@xxxxxxxxxxxx
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
> ---
>  drivers/usb/gadget/function/f_hid.c | 52 ++++++++++++++++-------------
>  1 file changed, 28 insertions(+), 24 deletions(-)

Dear Stable,

Would you be kind enough to take this back as far as linux-4.14.y please?

There is a trivial fix-up required for kernels older than v5.15, but it's
the same fix-up back through v4.14.

Thanks.

---
Lee Jones [李琼斯]
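The following is an added user-space model of the lifetime mismatch the commit message describes and of what tying the cdev to the device changes. It is example code written for this page, not the kernel's f_hid.c and not the patch itself (the hunks are not on this page). The types kobj, hidg and file, and the functions kobj_set_parent, hidg_dev_release, hidg_open, hidg_close and run_scenario, are stand-ins invented here for kobject, struct f_hidg, struct file and the cdev/device helpers; a dead flag replaces kfree() so the broken variant can be run without touching freed memory, and the model assumes, as is usual for a device embedded in a refcounted structure, that the device's release callback is what frees the enclosing struct. The sequence played is the four commands quoted above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model, not kernel code: kobj, hidg and file stand in for kobject,
 * struct f_hidg and struct file. "Freeing" only sets a dead flag so the
 * old driver's use-after-free can be counted instead of crashing. */

struct kobj {
	int refs;
	struct kobj *parent;             /* pinned for as long as this object lives */
	void (*release)(struct kobj *);  /* runs when refs drops to zero */
};

struct hidg {                        /* stands in for struct f_hidg */
	struct kobj dev;                 /* the struct device; in the fix it owns the allocation */
	struct kobj cdev;                /* the embedded struct cdev */
	bool dead;                       /* set where the driver would kfree() */
};

struct file {                        /* one open descriptor on /dev/hidgN */
	struct hidg *priv;               /* what the open handler keeps in private_data */
};

static int stale_touches;            /* accesses to a dead hidg; KASAN would report each */

static void kobj_init(struct kobj *k, void (*release)(struct kobj *))
{
	k->refs = 1; k->parent = NULL; k->release = release;
}

/* Like adding a kobject under a parent: the child holds one reference on it. */
static void kobj_set_parent(struct kobj *k, struct kobj *parent)
{
	parent->refs++; k->parent = parent;
}

static void kobj_put(struct kobj *k)
{
	struct kobj *parent = k->parent;

	if (--k->refs)
		return;
	if (k->release)
		k->release(k);               /* may "free" the enclosing hidg */
	if (parent)
		kobj_put(parent);            /* the parent reference goes last */
}

/* Device release callback: the fixed driver frees struct f_hidg from here. */
static void hidg_dev_release(struct kobj *dev)
{
	struct hidg *h = (struct hidg *)((char *)dev - offsetof(struct hidg, dev));
	h->dead = true;
}

static void hidg_open(struct file *f, struct hidg *h)
{
	h->cdev.refs++; f->priv = h;     /* opening a chrdev pins the cdev kobject */
}

static void hidg_close(struct file *f)
{
	struct hidg *h = f->priv;

	if (h->dead)
		stale_touches++;             /* the use-after-free from the commit message */
	kobj_put(&h->cdev);              /* last close drops the cdev reference */
	f->priv = NULL;
}

/*
 * Plays: gadget-hid; exec 3<> /dev/hidg0; gadget-vid-pid-remove; exec 3<&-
 * Returns the number of accesses to a freed struct hidg (0 means no
 * use-after-free), or -1 if the hidg was never freed at all (a leak).
 */
static int run_scenario(bool fixed)
{
	struct hidg *h = calloc(1, sizeof *h);
	struct file f;
	bool freed;

	if (!h)
		return -1;
	stale_touches = 0;
	kobj_init(&h->cdev, NULL);
	kobj_init(&h->dev, fixed ? hidg_dev_release : NULL);
	if (fixed)
		kobj_set_parent(&h->cdev, &h->dev);  /* cdev_device_add(): cdev pins dev */

	hidg_open(&f, h);                /* exec 3<> /dev/hidg0 */

	/* gadget-vid-pid-remove: the driver drops the references it created */
	kobj_put(&h->cdev);              /* cdev_del() */
	kobj_put(&h->dev);               /* device_del() + put_device() */
	if (!fixed)
		h->dead = true;              /* old driver: frees hidg while fd 3 is still open */

	hidg_close(&f);                  /* exec 3<&- */
	freed = h->dead;
	free(h);
	return freed ? stale_touches : -1;
}

int main(void)
{
	printf("old driver:   %d stale access(es)\n", run_scenario(false));
	printf("fixed driver: %d stale access(es)\n", run_scenario(true));
	return 0;
}
```

The point the model makes is the one in the commit message: the open file only holds a reference on the cdev, so the enclosing structure must be kept alive by that reference. With the cdev parented to the device (the cdev_device_add() arrangement) the device's release, and therefore the free, runs only when the last close drops the cdev; the old arrangement frees the structure at removal regardless of open files.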