Re: [PATCH 5.4 0/3] usb: hso: backport CVE-2021-37159 fix

From: Salvatore Bonaccorso <carnil@debian.org>
To: Ovidiu Panait <ovidiu.panait@windriver.com>
Cc: Sasha Levin <sashal@kernel.org>, stable@vger.kernel.org, greg@kroah.com
Subject: Re: [PATCH 5.4 0/3] usb: hso: backport CVE-2021-37159 fix
Date: Sat, 2 Oct 2021 20:51:07 +0200	[thread overview]
Message-ID: <YViqG5Yun6N7bhVl@eldamar.lan> (raw)
In-Reply-To: <18e2816e-cf21-27c2-afc6-bc46fcebde88@windriver.com>

Hi,

On Sat, Oct 02, 2021 at 03:36:21PM +0300, Ovidiu Panait wrote:
> Hi Sasha,
> 
> On 10/1/21 7:55 PM, Sasha Levin wrote:
> > [Please note: This e-mail is from an EXTERNAL e-mail address]
> > 
> > On Wed, Sep 29, 2021 at 11:03:19AM +0300, Ovidiu Panait wrote:
> > > Hi Salvatore,
> > > 
> > > On 9/28/21 10:29 PM, Salvatore Bonaccorso wrote:
> > > > [Please note: This e-mail is from an EXTERNAL e-mail address]
> > > > 
> > > > Hi Ovidiu
> > > > 
> > > > On Tue, Sep 28, 2021 at 04:15:20PM +0300, Ovidiu Panait wrote:
> > > > > All 3 upstream commits apply cleanly:
> > > > >    * 5fcfb6d0bfcd ("hso: fix bailout in error case of
> > > > > probe") is a support
> > > > >      patch needed for context
> > > > >    * a6ecfb39ba9d ("usb: hso: fix error handling code of
> > > > > hso_create_net_device")
> > > > >      is the actual fix
> > > > >    * dcb713d53e2e ("usb: hso: remove the bailout parameter")
> > > > > is a follow up
> > > > >      cleanup commit
> > > > > 
> > > > > Dongliang Mu (2):
> > > > >   usb: hso: fix error handling code of hso_create_net_device
> > > > >   usb: hso: remove the bailout parameter
> > > > > 
> > > > > Oliver Neukum (1):
> > > > >   hso: fix bailout in error case of probe
> > > > > 
> > > > >  drivers/net/usb/hso.c | 33 +++++++++++++++++++++++----------
> > > > >  1 file changed, 23 insertions(+), 10 deletions(-)
> > > > Noticing you sent this patch series for 4.14, 4.19 and 5.4 but am I
> > > > right that the last commit dcb713d53e2e ("usb: hso: remove the bailout
> > > > parameter") as cleanup commit should ideally as well be applied to
> > > > 5.10.y and 5.14.y?
> > > > 
> > > > Whilst it's probably not strictly needed it would otherwise leave the
> > > > upper 5.10.y and 5.14.y inconsistent with those where these series are
> > > > applied.
> > > 
> > > You're right, I have sent the cleanup patch for 5.10/5.14 integration
> > > as well:
> > > 
> > > https://lore.kernel.org/stable/20210929075940.1961832-1-ovidiu.panait@windriver.com/T/#t
> > > 
> > 
> > Why do we need that cleanup commit in <=5.4 to begin with? Does it
> > actually fix anything?
> > 
> The cleanup patch was part of the same patchset with a6ecfb39ba9d ("usb:
> hso: fix error handling code of hso_create_net_device") fix .
> 
> 
> I think it can be dropped, as it doesn't seem to fix anything. Can only the
> first two commits be cherry-picked for <=5.4, or should I resend?

Probably the right thing to do, Sasha and Ovidiu. Picking it would
have the small advantage of future commits to backport which would
conflict around the changed lines.

But I have no voice on that matter, I was really only going thorugh
some stable commits backports request covering CVEs and noticed the
submission and it's discrepancy.

For Debian I have for now picked all three commits on top of 4.19.208.

Regards,
Salvatore