From b8199c2b852f1e23c988e10b8fbb8d34c98b4a1c Mon Sep 17 00:00:00 2001
From: Arumuga Durai A
Date: Tue, 27 Dec 2016 19:50:06 +0530
Subject: USB: gadget: mbim: Avoid copying uninitialized data to userspace

A race condition bug in function 'mbim_bind_config' allows to change
'mbim->xport' type to invalid value. This allows mbim_ioctl() to copy
the uninitialized data to userspace.

Fix this by avoiding copy_to_user() call when transport type is invalid.

Change-Id: If8e8b6d4e2c347e1aff529bed0a798128eaea07c
CRs-Fixed: 1102418
Signed-off-by: Arumuga Durai A
---
 drivers/usb/gadget/function/f_mbim.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_mbim.c b/drivers/usb/gadget/function/f_mbim.c
index 717ee23..84c0066 100644
--- a/drivers/usb/gadget/function/f_mbim.c
+++ b/drivers/usb/gadget/function/f_mbim.c
@@ -2030,7 +2030,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
 	default:
 		ret = -ENODEV;
 		pr_err("unknown transport\n");
-		break;
+		goto fail;
 	}
 
 	ret = copy_to_user((void __user *)arg, &info,
@@ -2046,6 +2046,7 @@ static long mbim_ioctl(struct file *fp, unsigned cmd, unsigned long arg)
 		ret = -EINVAL;
 	}
 
+fail:
 	mbim_unlock(&mbim->ioctl_excl);
 
 	return ret;
-- 
cgit v1.1
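Review bot: The `goto fail` in the first hunk closes the one path that reached `copy_to_user()` with `info` unfilled, but the fix is per-branch: `info` itself (declared outside this hunk) still appears to be left uninitialized, so any future switch arm that sets fewer fields would leak kernel stack bytes to userspace the same way. Zero-initializing it at its declaration, e.g. `struct <INFO_TYPE> info = {0};` using whatever type `info` is actually declared with, or a `memset(&info, 0, sizeof(info));` before the switch, would make the copy safe regardless of which arm runs and is the usual defence for this class of infoleak. The commit message attributes the invalid `mbim->xport` value to a race in mbim_bind_config; these hunks only handle the symptom in mbim_ioctl, so the race itself presumably still needs its own fix. mbim_ioctl begins and ends outside both hunks.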