From cf50d019cc93cd32c7fa9dce8904bdc8714be6b8 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Mon, 6 Jul 2020 22:24:07 +0200
Subject: [PATCH] usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect (CVE-2020-15393)
---
debian/changelog | 2 +
...missing-kfree-dev-buf-in-usbtest_dis.patch | 65 +++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 68 insertions(+)
create mode 100644 debian/patches/bugfix/all/usb-usbtest-fix-missing-kfree-dev-buf-in-usbtest_dis.patch
diff --git a/debian/changelog b/debian/changelog
index 786083ea0..edd3b9811 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1005,6 +1005,8 @@ linux (4.19.131-1) UNRELEASED; urgency=medium - fs/dcache: Include swait.h header - mm: slub: Always flush the delayed empty slubs in flush_all() - tasklet: Fix UP case for tasklet CHAINED state + * usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect + (CVE-2020-15393) [ Ben Hutchings ] * [rt] Update "net: move xmit_recursion to per-task variable on -RT" to
diff --git a/debian/patches/bugfix/all/usb-usbtest-fix-missing-kfree-dev-buf-in-usbtest_dis.patch b/debian/patches/bugfix/all/usb-usbtest-fix-missing-kfree-dev-buf-in-usbtest_dis.patch
new file mode 100644
index 000000000..0577b76f9
--- /dev/null
+++ b/debian/patches/bugfix/all/usb-usbtest-fix-missing-kfree-dev-buf-in-usbtest_dis.patch
@@ -0,0 +1,65 @@
+From: Zqiang
+Date: Fri, 12 Jun 2020 11:52:10 +0800
+Subject: usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect
+Origin: https://git.kernel.org/linus/28ebeb8db77035e058a510ce9bd17c2b9a009dba
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-15393
+
+BUG: memory leak
+unreferenced object 0xffff888055046e00 (size 256):
+ comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
+ hex dump (first 32 bytes):
+ 00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff .p.U......Z.....
+ f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff ..x.....7.......
+ backtrace:
+ [<00000000d121dccf>] kmemleak_alloc_recursive
+include/linux/kmemleak.h:43 [inline]
+ [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
+ [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
+ [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
+ [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
+ [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
+ [<000000005c3c3381>] usbtest_probe+0x286/0x19d0
+drivers/usb/misc/usbtest.c:2790
+ [<000000001cec6910>] usb_probe_interface+0x2bd/0x870
+drivers/usb/core/driver.c:361
+ [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
+ [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
+ [<000000003ef66004>] __device_attach_driver+0x1b6/0x240
+drivers/base/dd.c:831
+ [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
+ [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
+ [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
+ [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
+ [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
+ [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
+drivers/usb/core/message.c:2030
+ [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
+ [<0000000098ade0f1>]
usb_probe_device+0x90/0xd0
+drivers/usb/core/driver.c:266
+ [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
+ [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
+
+Acked-by: Alan Stern
+Reported-by: Kyungtae Kim
+Signed-off-by: Zqiang
+Link: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/misc/usbtest.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/misc/usbtest.c b/drivers/usb/misc/usbtest.c
+index 98ada1a3425c..bae88893ee8e 100644
+--- a/drivers/usb/misc/usbtest.c
++++ b/drivers/usb/misc/usbtest.c
+@@ -2873,6 +2873,7 @@ static void usbtest_disconnect(struct usb_interface *intf)
+
+ usb_set_intfdata(intf, NULL);
+ dev_dbg(&intf->dev, "disconnect\n");
++ kfree(dev->buf);
+ kfree(dev);
+ }
+
+--
+2.27.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 63e710165..509f4ea48 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -295,5 +295,6 @@ features/arm/staging-vc04_services-Use-correct-cache-line-size.patch # Security fixes debian/i386-686-pae-pci-set-pci-nobios-by-default.patch debian/ntfs-mark-it-as-broken.patch +bugfix/all/usb-usbtest-fix-missing-kfree-dev-buf-in-usbtest_dis.patch # ABI maintenance
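Review bot: The description in the new patch file is only the kmemleak report and never says in words what is leaked or why. The trace points at a `kmalloc` reached from `usbtest_probe()` (usbtest.c:2790), presumably the allocation of `dev->buf`, which the disconnect path did not release before `kfree(dev)`. A sentence above the trace such as `dev->buf is allocated in usbtest_probe() but usbtest_disconnect() freed only dev, so the buffer was leaked when the interface was unbound` would let someone triaging CVE-2020-15393 judge the impact without decoding the backtrace. In the nested hunk the added `kfree(dev->buf);` correctly comes before `kfree(dev);`, but `usbtest_disconnect()` starts outside the hunk, so it is not visible here whether anything can still be using the buffer at that point; that should be confirmed against the full function in the 4.19 tree.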