5.3-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 13 Dec 2019 17:39:14 +0000 (18:39 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 13 Dec 2019 17:39:14 +0000 (18:39 +0100)
added patches:
usb-gadget-configfs-fix-missing-spin_lock_init.patch
usb-gadget-pch_udc-fix-use-after-free.patch

queue-5.3/usb-gadget-configfs-fix-missing-spin_lock_init.patch [new file with mode: 0644]
queue-5.3/usb-gadget-pch_udc-fix-use-after-free.patch [new file with mode: 0644]

diff --git a/queue-5.3/usb-gadget-configfs-fix-missing-spin_lock_init.patch b/queue-5.3/usb-gadget-configfs-fix-missing-spin_lock_init.patch
new file mode 100644 (file)
index 0000000..76bad47
--- /dev/null
@@ -0,0 +1,35 @@
+From 093edc2baad2c258b1f55d1ab9c63c2b5ae67e42 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun <weiyongjun1@huawei.com>
+Date: Wed, 30 Oct 2019 03:40:46 +0000
+Subject: usb: gadget: configfs: Fix missing spin_lock_init()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+commit 093edc2baad2c258b1f55d1ab9c63c2b5ae67e42 upstream.
+
+The driver allocates the spinlock but not initialize it.
+Use spin_lock_init() on it to initialize it correctly.
+
+This is detected by Coccinelle semantic patch.
+
+Fixes: 1a1c851bbd70 ("usb: gadget: configfs: fix concurrent issue between composite APIs")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Link: https://lore.kernel.org/r/20191030034046.188808-1-weiyongjun1@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/configfs.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1544,6 +1544,7 @@ static struct config_group *gadgets_make
+       gi->composite.resume = NULL;
+       gi->composite.max_speed = USB_SPEED_SUPER;
++      spin_lock_init(&gi->spinlock);
+       mutex_init(&gi->lock);
+       INIT_LIST_HEAD(&gi->string_list);
+       INIT_LIST_HEAD(&gi->available_func);
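Review bot: Nothing near the new `spin_lock_init(&gi->spinlock);` in gadgets_make says which state the spinlock guards as opposed to the `gi->lock` mutex initialised on the next line. Going by the Fixes: subject, the spinlock appears to serialise the composite callbacks, but that is inferred from the commit message, not from code visible here. A short comment at the init site would keep the two from being confused, for example `/* spinlock: composite callback paths (atomic context); lock: configfs attribute access -- confirm against struct gadget_info */`. The function body starts and ends outside the hunk, so any other early use of the lock before this point cannot be checked from here.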
diff --git a/queue-5.3/usb-gadget-pch_udc-fix-use-after-free.patch b/queue-5.3/usb-gadget-pch_udc-fix-use-after-free.patch
new file mode 100644 (file)
index 0000000..5593ad4
--- /dev/null
@@ -0,0 +1,35 @@
+From 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Wed, 6 Nov 2019 14:28:21 -0600
+Subject: usb: gadget: pch_udc: fix use after free
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 upstream.
+
+Remove pointer dereference after free.
+
+pci_pool_free doesn't care about contents of td.
+It's just a void* for it
+
+Addresses-Coverity-ID: 1091173 ("Use after free")
+Cc: stable@vger.kernel.org
+Acked-by: Michal Nazarewicz <mina86@mina86.com>
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Link: https://lore.kernel.org/r/20191106202821.GA20347@embeddedor
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/pch_udc.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -1519,7 +1519,6 @@ static void pch_udc_free_dma_chain(struc
+               td = phys_to_virt(addr);
+               addr2 = (dma_addr_t)td->next;
+               dma_pool_free(dev->data_requests, td, addr);
+-              td->next = 0x00;
+               addr = addr2;
+       }
+       req->chain_len = 1;
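Review bot: `td = phys_to_virt(addr);` in pch_udc_free_dma_chain treats a DMA handle as a physical address, since the same `addr` is passed to `dma_pool_free()` as the DMA address. The two are interchangeable only when no IOMMU or bounce buffering sits between the device and memory. Where they differ, the loop would read `td->next` from, and hand to the pool, an unrelated kernel address, so the removed write-after-free is not the only memory-safety risk in this loop. The durable fix is to keep the CPU pointer obtained at allocation time with each descriptor, but that code is outside this hunk. As an interim step I would add `/* FIXME: assumes dma_addr_t == phys addr (no IOMMU); keep the CPU pointer from dma_pool_alloc() instead */` above the conversion.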