4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Aug 2019 15:04:12 +0000 (17:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Aug 2019 15:04:12 +0000 (17:04 +0200)
added patches:
sound-fix-a-memory-leak-bug.patch
usb-iowarrior-fix-deadlock-on-disconnect.patch
usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch

queue-4.9/sound-fix-a-memory-leak-bug.patch [new file with mode: 0644]
queue-4.9/usb-iowarrior-fix-deadlock-on-disconnect.patch [new file with mode: 0644]
queue-4.9/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch [new file with mode: 0644]

diff --git a/queue-4.9/sound-fix-a-memory-leak-bug.patch b/queue-4.9/sound-fix-a-memory-leak-bug.patch
new file mode 100644 (file)
index 0000000..bcc066b
--- /dev/null
@@ -0,0 +1,39 @@
+From c7cd7c748a3250ca33509f9235efab9c803aca09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Thu, 8 Aug 2019 00:15:21 -0500
+Subject: sound: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit c7cd7c748a3250ca33509f9235efab9c803aca09 upstream.
+
+In sound_insert_unit(), the controlling structure 's' is allocated through
+kmalloc(). Then it is added to the sound driver list by invoking
+__sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
+removed from the list through __sound_remove_unit(). If 'index' is not less
+than 0, -EBUSY is returned to indicate the error. However, 's' is not
+deallocated on this execution path, leading to a memory leak bug.
+
+To fix the above issue, free 's' before -EBUSY is returned.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/sound_core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/sound_core.c
++++ b/sound/sound_core.c
+@@ -287,7 +287,8 @@ retry:
+                               goto retry;
+                       }
+                       spin_unlock(&sound_loader_lock);
+-                      return -EBUSY;
++                      r = -EBUSY;
++                      goto fail;
+               }
+       }
diff --git a/queue-4.9/usb-iowarrior-fix-deadlock-on-disconnect.patch b/queue-4.9/usb-iowarrior-fix-deadlock-on-disconnect.patch
new file mode 100644 (file)
index 0000000..71ba528
--- /dev/null
@@ -0,0 +1,50 @@
+From c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 8 Aug 2019 11:27:28 +0200
+Subject: usb: iowarrior: fix deadlock on disconnect
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 upstream.
+
+We have to drop the mutex before we close() upon disconnect()
+as close() needs the lock. This is safe to do by dropping the
+mutex as intfdata is already set to NULL, so open() will fail.
+
+Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
+Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -886,19 +886,20 @@ static void iowarrior_disconnect(struct
+       dev = usb_get_intfdata(interface);
+       mutex_lock(&iowarrior_open_disc_lock);
+       usb_set_intfdata(interface, NULL);
++      /* prevent device read, write and ioctl */
++      dev->present = 0;
+       minor = dev->minor;
++      mutex_unlock(&iowarrior_open_disc_lock);
++      /* give back our minor - this will call close() locks need to be dropped at this point*/
+-      /* give back our minor */
+       usb_deregister_dev(interface, &iowarrior_class);
+       mutex_lock(&dev->mutex);
+       /* prevent device read, write and ioctl */
+-      dev->present = 0;
+       mutex_unlock(&dev->mutex);
+-      mutex_unlock(&iowarrior_open_disc_lock);
+       if (dev->opened) {
+               /* There is a process that holds a filedescriptor to the device ,
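Review bot: In the iowarrior_disconnect() hunk, `dev->present = 0;` is now written while holding only `iowarrior_open_disc_lock`, and the `mutex_lock(&dev->mutex)` / `mutex_unlock(&dev->mutex)` pair that follows is left guarding nothing but a stale comment. If the read, write, ioctl and release paths test `present` and `opened` under `dev->mutex` (they are outside this hunk, so confirm), a release() racing with disconnect can miss the cleared flag, and the later unlocked `if (dev->opened)` test can act on a stale value, which risks `dev` being freed while disconnect still uses it. Dropping `iowarrior_open_disc_lock` before `usb_deregister_dev()` is enough to fix the deadlock; I would keep `dev->present = 0;` between `mutex_lock(&dev->mutex);` and `mutex_unlock(&dev->mutex);` and read `dev->opened` before that unlock. The added comment is also a run-on; `/* give back our minor - this will call close(), so locks must be dropped first */` is clearer. The function body continues past the last line shown here.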
diff --git a/queue-4.9/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch b/queue-4.9/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
new file mode 100644 (file)
index 0000000..c965253
--- /dev/null
@@ -0,0 +1,34 @@
+From c43f28dfdc4654e738aa6d3fd08a105b2bee758d Mon Sep 17 00:00:00 2001
+From: Gavin Li <git@thegavinli.com>
+Date: Sun, 4 Aug 2019 16:50:44 -0700
+Subject: usb: usbfs: fix double-free of usb memory upon submiturb error
+
+From: Gavin Li <git@thegavinli.com>
+
+commit c43f28dfdc4654e738aa6d3fd08a105b2bee758d upstream.
+
+Upon an error within proc_do_submiturb(), dec_usb_memory_use_count()
+gets called once by the error handling tail and again by free_async().
+Remove the first call.
+
+Signed-off-by: Gavin Li <git@thegavinli.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190804235044.22327-1-gavinli@thegavinli.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1810,8 +1810,6 @@ static int proc_do_submiturb(struct usb_
+       return 0;
+  error:
+-      if (as && as->usbm)
+-              dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
+       kfree(isopkt);
+       kfree(dr);
+       if (as)