From patchwork Mon Apr 6 21:58:30 2015
X-Patchwork-Submitter: Kamal Mostafa
X-Patchwork-Id: 458517
From: Kamal Mostafa
To: Al Viro
Subject: [3.13.y-ckt stable] Patch "gadgetfs: use-after-free in ->aio_read()" has been added to staging queue
Date: Mon, 6 Apr 2015 14:58:30 -0700
Message-Id: <1428357510-16692-1-git-send-email-kamal@canonical.com>
X-Mailer: git-send-email 1.9.1
X-Extended-Stable: 3.13
Cc: Kamal Mostafa, kernel-team@lists.ubuntu.com
List-Id: Kernel team discussions

This is a note to let you know that I have just added a patch titled

    gadgetfs: use-after-free in ->aio_read()

to the linux-3.13.y-queue branch of the 3.13.y-ckt extended stable tree
which can be found at:

    http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.13.y-queue

This patch is scheduled to be released in version 3.13.11-ckt19.

If you, or anyone else, feels it should not be added to this tree, please
reply to this email.

For more information about the 3.13.y-ckt tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Kamal

------

From 29e97f7298ed490b12f6c27e60b0607b4f06f081 Mon Sep 17 00:00:00 2001
From: Al Viro
Date: Fri, 6 Feb 2015 02:07:45 -0500
Subject: gadgetfs: use-after-free in ->aio_read()

commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream.

AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
we are going to access it asynchronously, we'd better get ourselves a copy -
the one on kernel stack of aio_run_iocb() won't be there anymore.
function/f_fs.c takes care of doing that, legacy/inode.c doesn't...

Signed-off-by: Al Viro
Signed-off-by: Kamal Mostafa
---
 drivers/usb/gadget/inode.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c index b94c049..ff3e6e6 100644 --- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c @@ -568,7 +568,6 @@ static ssize_t ep_copy_to_user(struct kiocb_priv *priv) if (total == 0) break; } - return len; } @@ -587,6 +586,7 @@ static void ep_user_copy_worker(struct work_struct *work) aio_complete(iocb, ret, ret); kfree(priv->buf); + kfree(priv->iv); kfree(priv); } @@ -607,6 +607,7 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req) */ if (priv->iv == NULL || unlikely(req->actual == 0)) { kfree(req->buf); + kfree(priv->iv); kfree(priv); iocb->private = NULL; /* aio_complete() reports bytes-transferred _and_ faults */ @@ -642,7 +643,7 @@ ep_aio_rwtail( struct usb_request *req; ssize_t value; - priv = kmalloc(sizeof *priv, GFP_KERNEL); + priv = kzalloc(sizeof *priv, GFP_KERNEL); if (!priv) { value = -ENOMEM; fail: @@ -651,7 +652,14 @@ fail: } iocb->private = priv; priv->iocb = iocb; - priv->iv = iv; + if (iv) { + priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec), + GFP_KERNEL); + if (!priv->iv) { + kfree(priv); + goto fail; + } + } priv->nr_segs = nr_segs; INIT_WORK(&priv->work, ep_user_copy_worker); @@ -691,6 +699,7 @@ fail: mutex_unlock(&epdata->lock); if (unlikely(value)) { + kfree(priv->iv); kfree(priv); put_ep(epdata); } else
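Review bot: the first hunk (ep_copy_to_user(), removing the blank line before `return len;`) is a whitespace-only change with no bearing on the use-after-free; harmless, but it carries nothing that needs testing, and a stable backport could drop it to keep the diff to the functional change.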
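Review bot: the `kfree(priv->iv);` added in ep_user_copy_worker() is the right release site, since this worker is the asynchronous consumer that would otherwise have read the submitter's dead stack frame; it depends on kfree() accepting NULL for the write case where priv->iv is never assigned, which only holds because of the kzalloc() switch later in this patch. Keep the free after aio_complete(): nothing in the completion path may reach priv->iv once it is gone.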
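Review bot: in ep_aio_complete() the new `kfree(priv->iv);` sits under `if (priv->iv == NULL || unlikely(req->actual == 0))`, so it is a no-op for the first condition and only does real work for a read that completed with zero bytes; that is correct (the other path hands off to ep_user_copy_worker(), which frees it there), but a one-line comment stating that the iovec copy is owned by priv and released exactly once on every completion path would save the next reader from checking both arms by hand.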
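Review bot: the kmalloc() to kzalloc() change in ep_aio_rwtail() is load-bearing, not cosmetic: priv->iv is now only assigned inside `if (iv)`, and both the error cleanup later in this function and ep_aio_complete() call `kfree(priv->iv)` unconditionally, so for a write request (iv == NULL) a kmalloc()'d priv would hand an uninitialised pointer to kfree(). A short comment on the kzalloc() line saying why zeroing is required would stop a future "optimisation" back to kmalloc().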
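Review bot: the `goto fail;` after a failed kmemdup() reaches the label without assigning `value`; the only assignment visible before the label is the `value = -ENOMEM;` inside the `if (!priv)` branch, which this path does not pass through, so the function returns whatever `value` happened to hold. Set `value = -ENOMEM;` before the `goto fail;` (or free priv and `return -ENOMEM;` directly). Also, `iocb->private = priv;` has already been stored two lines above, so after `kfree(priv)` the iocb keeps a dangling pointer; clear it with `iocb->private = NULL;` on this path, as ep_aio_complete() does in its own cleanup.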
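Review bot: the `kfree(priv->iv);` added to the `if (unlikely(value))` cleanup after mutex_unlock(&epdata->lock) covers the submission-failure path, but the patch now has three separate release sites for one allocation (here, ep_user_copy_worker() and ep_aio_complete()); check that every other early exit between the kmemdup() and this point that does `kfree(priv)` also frees priv->iv, otherwise the duplicated iovec leaks on those paths. A small helper that frees priv->iv and priv together would make the ownership rule hard to get wrong.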
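The lifetime rule the commit message describes (an iovec handed to ->aio_read() lives on the submitter's stack, so anything that runs after the submitter returns must work from its own copy) as a user-space model. This is an added example, not code from the patch or the kernel: kmalloc/kzalloc/kmemdup/kfree are modelled with calloc/malloc/memcpy/free, the workqueue is a single pending slot drained by hand, and every name ending in `_model` (and the `fail_iov_copy` fault-injection flag) is hypothetical.

```c
/* User-space model of the lifetime rule behind the gadgetfs patch above.
 * Added example, not code from the patch or the kernel: kmalloc/kzalloc/
 * kmemdup/kfree are modelled with malloc/calloc/memcpy/free, the workqueue
 * is one pending slot drained by hand, and every *_model name is hypothetical. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>

struct kiocb_priv_model {
    struct iovec *iv;        /* our own copy of the caller's iovec; NULL for writes */
    unsigned long nr_segs;
    size_t actual;           /* bytes the endpoint "delivered" */
};

static struct kiocb_priv_model *pending_work;   /* stands in for the workqueue */
static bool fail_iov_copy;                      /* fault injection for the kmemdup path */

/* Models ep_aio_rwtail(): receives an iovec that lives on the caller's stack
 * and must not be referenced after we return.  Returns 0 or a negative errno. */
static ssize_t ep_aio_rwtail_model(const struct iovec *iv, unsigned long nr_segs,
                                   size_t actual)
{
    struct kiocb_priv_model *priv = calloc(1, sizeof *priv);  /* kzalloc: iv == NULL */

    if (!priv)
        return -ENOMEM;
    if (iv) {
        size_t bytes = nr_segs * sizeof *iv;

        priv->iv = fail_iov_copy ? NULL : malloc(bytes);       /* kmemdup */
        if (!priv->iv) {
            free(priv);                 /* priv->iv is NULL here, nothing else to free */
            return -ENOMEM;             /* explicit error code on this path */
        }
        memcpy(priv->iv, iv, bytes);    /* the copy outlives the caller's frame */
    }
    priv->nr_segs = nr_segs;
    priv->actual = actual;
    pending_work = priv;                /* queue_work() */
    return 0;
}

/* Models ep_user_copy_worker(): runs after the submitter's frame is gone, so
 * it touches only the private copy.  Returns the bytes that fit into the
 * iovec (or, for a write, the bytes delivered) and releases the request. */
static ssize_t run_pending_work_model(void)
{
    struct kiocb_priv_model *priv = pending_work;
    size_t room = 0, i;
    ssize_t done;

    if (!priv)
        return -EINVAL;
    pending_work = NULL;
    if (priv->iv) {
        for (i = 0; i < priv->nr_segs; i++)
            room += priv->iv[i].iov_len;
        done = (ssize_t)(priv->actual < room ? priv->actual : room);
    } else {
        done = (ssize_t)priv->actual;
    }
    free(priv->iv);                     /* free(NULL) is a no-op, like kfree(NULL) */
    free(priv);
    return done;
}

/* Stands in for aio_run_iocb(): the iovec is a local of this function and
 * dies on return, long before the worker runs. */
static ssize_t submit_read_model(size_t seg0, size_t seg1, size_t actual)
{
    char b0[64], b1[64];
    struct iovec iv[2] = {
        { .iov_base = b0, .iov_len = seg0 < sizeof b0 ? seg0 : sizeof b0 },
        { .iov_base = b1, .iov_len = seg1 < sizeof b1 ? seg1 : sizeof b1 },
    };

    return ep_aio_rwtail_model(iv, 2, actual);
}

/* Exercises the full read, short read, write and allocation-failure paths.
 * Returns the number of checks that failed (0 means all passed). */
static int model_self_check(void)
{
    int failed = 0;

    failed += !(submit_read_model(10, 20, 100) == 0 && run_pending_work_model() == 30);
    failed += !(submit_read_model(10, 20, 5) == 0 && run_pending_work_model() == 5);
    failed += !(ep_aio_rwtail_model(NULL, 0, 7) == 0 && run_pending_work_model() == 7);
    fail_iov_copy = true;
    failed += !(submit_read_model(1, 1, 1) == -ENOMEM);
    fail_iov_copy = false;
    failed += !(run_pending_work_model() == -EINVAL);   /* nothing was queued */
    return failed;
}

int main(void)
{
    int failed = model_self_check();

    printf("%s (%d failing checks)\n", failed ? "FAIL" : "OK", failed);
    return failed ? 1 : 0;
}
```

The point to take from the model is structural: the worker never sees the submitter's `iv`, only `priv->iv`, and the allocation-failure path returns an explicit error code and frees nothing it does not own. Dropping the copy in `ep_aio_rwtail_model()` would compile and usually appear to work, which is exactly why the kernel bug survived as long as it did.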