usb: gadget: don't release an existing dev->buf

mainline inclusion
from mainline-v5.17-rc1
commit 89f3594d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I4U74M
CVE: CVE-2022-24958

--------------------------------

dev->buf does not need to be released if it already exists before
executing dev_config.
Acked-by: NAlan Stern <stern@rowland.harvard.edu>
Signed-off-by: NHangyu Hua <hbh25y@gmail.com>
Link: https://lore.kernel.org/r/20211231172138.7993-2-hbh25y@gmail.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: NYuan Can <yuancan@huawei.com>
Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>

drivers/usb/gadget/legacy/inode.c

@@ -1828,8 +1828,9 @@ dev_config (struct file *fd, const char __user *buf, size_t len, loff_t *ptr)
 	spin_lock_irq (&dev->lock);
 	value = -EINVAL;
 	if (dev->buf) {
+		spin_unlock_irq(&dev->lock);
 		kfree(kbuf);
-		goto fail;
+		return value;
 	}
 	dev->buf = kbuf;