4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Aug 2019 15:04:27 +0000 (17:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Aug 2019 15:04:27 +0000 (17:04 +0200)
added patches:
crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch
crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch
iio-adc-max9611-fix-misuse-of-genmask-macro.patch
input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch
loop-set-pf_memalloc_noio-for-the-worker-thread.patch
mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch
mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch
sound-fix-a-memory-leak-bug.patch
usb-iowarrior-fix-deadlock-on-disconnect.patch
usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch

queue-4.14/crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch [new file with mode: 0644]
queue-4.14/crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch [new file with mode: 0644]
queue-4.14/iio-adc-max9611-fix-misuse-of-genmask-macro.patch [new file with mode: 0644]
queue-4.14/input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch [new file with mode: 0644]
queue-4.14/loop-set-pf_memalloc_noio-for-the-worker-thread.patch [new file with mode: 0644]
queue-4.14/mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch [new file with mode: 0644]
queue-4.14/mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch [new file with mode: 0644]
queue-4.14/sound-fix-a-memory-leak-bug.patch [new file with mode: 0644]
queue-4.14/usb-iowarrior-fix-deadlock-on-disconnect.patch [new file with mode: 0644]
queue-4.14/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch [new file with mode: 0644]

diff --git a/queue-4.14/crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch b/queue-4.14/crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch
new file mode 100644 (file)
index 0000000..0092f00
--- /dev/null
@@ -0,0 +1,39 @@
+From 25e44338321af545ab34243a6081c3f0fc6107d0 Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Tue, 30 Jul 2019 16:05:22 +0000
+Subject: crypto: ccp - Fix oops by properly managing allocated structures
+
+From: Gary R Hook <gary.hook@amd.com>
+
+commit 25e44338321af545ab34243a6081c3f0fc6107d0 upstream.
+
+A plaintext or ciphertext length of 0 is allowed in AES, in which case
+no encryption occurs. Ensure that we don't clean up data structures
+that were never allocated.
+
+Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-ops.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -841,11 +841,11 @@ e_tag:
+       ccp_dm_free(&final_wa);
+ e_dst:
+-      if (aes->src_len && !in_place)
++      if (ilen > 0 && !in_place)
+               ccp_free_data(&dst, cmd_q);
+ e_src:
+-      if (aes->src_len)
++      if (ilen > 0)
+               ccp_free_data(&src, cmd_q);
+ e_aad:
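Review bot: The cleanup guards at `e_dst:` and `e_src:` now test `ilen`, so they are only correct if the code that sets up `src` and `dst` earlier in the function is gated on the same `ilen` test; that allocation code is outside the hunk and should be checked against the 4.14 tree. If `ilen` is an unsigned value obtained by subtracting the tag size from `aes->src_len` on decrypt (not visible here), a too-short input would wrap it and `ilen > 0` would still hold, so a length check before that subtraction is worth confirming. A short comment at the labels, for example `/* src/dst are only set up when ilen != 0 */`, would keep the allocation and free conditions from drifting apart again. The `ilen % AES_BLOCK_SIZE` change in crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch depends on the same definition of `ilen`.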
diff --git a/queue-4.14/crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch b/queue-4.14/crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch
new file mode 100644 (file)
index 0000000..5d8717d
--- /dev/null
@@ -0,0 +1,34 @@
+From e2664ecbb2f26225ac6646876f2899558ffb2604 Mon Sep 17 00:00:00 2001
+From: Gary R Hook <gary.hook@amd.com>
+Date: Tue, 30 Jul 2019 16:05:26 +0000
+Subject: crypto: ccp - Ignore tag length when decrypting GCM ciphertext
+
+From: Gary R Hook <gary.hook@amd.com>
+
+commit e2664ecbb2f26225ac6646876f2899558ffb2604 upstream.
+
+AES GCM input buffers for decryption contain AAD+CTEXT+TAG. Only
+decrypt the ciphertext, and use the tag for comparison.
+
+Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-ops.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -752,8 +752,7 @@ static int ccp_run_aes_gcm_cmd(struct cc
+               while (src.sg_wa.bytes_left) {
+                       ccp_prepare_data(&src, &dst, &op, AES_BLOCK_SIZE, true);
+                       if (!src.sg_wa.bytes_left) {
+-                              unsigned int nbytes = aes->src_len
+-                                                    % AES_BLOCK_SIZE;
++                              unsigned int nbytes = ilen % AES_BLOCK_SIZE;
+                               if (nbytes) {
+                                       op.eom = 1;
diff --git a/queue-4.14/iio-adc-max9611-fix-misuse-of-genmask-macro.patch b/queue-4.14/iio-adc-max9611-fix-misuse-of-genmask-macro.patch
new file mode 100644 (file)
index 0000000..6df9a90
--- /dev/null
@@ -0,0 +1,32 @@
+From ae8cc91a7d85e018c0c267f580820b2bb558cd48 Mon Sep 17 00:00:00 2001
+From: Joe Perches <joe@perches.com>
+Date: Tue, 9 Jul 2019 22:04:17 -0700
+Subject: iio: adc: max9611: Fix misuse of GENMASK macro
+
+From: Joe Perches <joe@perches.com>
+
+commit ae8cc91a7d85e018c0c267f580820b2bb558cd48 upstream.
+
+Arguments are supposed to be ordered high then low.
+
+Signed-off-by: Joe Perches <joe@perches.com>
+Fixes: 69780a3bbc0b ("iio: adc: Add Maxim max9611 ADC driver")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/max9611.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/max9611.c
++++ b/drivers/iio/adc/max9611.c
+@@ -86,7 +86,7 @@
+ #define MAX9611_TEMP_MAX_POS          0x7f80
+ #define MAX9611_TEMP_MAX_NEG          0xff80
+ #define MAX9611_TEMP_MIN_NEG          0xd980
+-#define MAX9611_TEMP_MASK             GENMASK(7, 15)
++#define MAX9611_TEMP_MASK             GENMASK(15, 7)
+ #define MAX9611_TEMP_SHIFT            0x07
+ #define MAX9611_TEMP_RAW(_r)          ((_r) >> MAX9611_TEMP_SHIFT)
+ #define MAX9611_TEMP_SCALE_NUM                1000000
diff --git a/queue-4.14/input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch b/queue-4.14/input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch
new file mode 100644 (file)
index 0000000..48ee2fd
--- /dev/null
@@ -0,0 +1,33 @@
+From 25f8c834e2a6871920cc1ca113f02fb301d007c3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 12 Jul 2019 11:37:17 -0700
+Subject: Input: synaptics - enable RMI mode for HP Spectre X360
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 25f8c834e2a6871920cc1ca113f02fb301d007c3 upstream.
+
+The 2016 kabylake HP Spectre X360 (model number 13-w013dx) works much better
+with psmouse.synaptics_intertouch=1 kernel parameter, so let's enable RMI4
+mode automatically.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204115
+Reported-by: Nate Graham <pointedstick@zoho.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/synaptics.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -185,6 +185,7 @@ static const char * const smbus_pnp_ids[
+       "LEN2055", /* E580 */
+       "SYN3052", /* HP EliteBook 840 G4 */
+       "SYN3221", /* HP 15-ay000 */
++      "SYN323d", /* HP Spectre X360 13-w013dx */
+       NULL
+ };
diff --git a/queue-4.14/loop-set-pf_memalloc_noio-for-the-worker-thread.patch b/queue-4.14/loop-set-pf_memalloc_noio-for-the-worker-thread.patch
new file mode 100644 (file)
index 0000000..14e7556
--- /dev/null
@@ -0,0 +1,82 @@
+From d0a255e795ab976481565f6ac178314b34fbf891 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Thu, 8 Aug 2019 11:17:01 -0400
+Subject: loop: set PF_MEMALLOC_NOIO for the worker thread
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit d0a255e795ab976481565f6ac178314b34fbf891 upstream.
+
+A deadlock with this stacktrace was observed.
+
+The loop thread does a GFP_KERNEL allocation, it calls into dm-bufio
+shrinker and the shrinker depends on I/O completion in the dm-bufio
+subsystem.
+
+In order to fix the deadlock (and other similar ones), we set the flag
+PF_MEMALLOC_NOIO at loop thread entry.
+
+PID: 474    TASK: ffff8813e11f4600  CPU: 10  COMMAND: "kswapd0"
+   #0 [ffff8813dedfb938] __schedule at ffffffff8173f405
+   #1 [ffff8813dedfb990] schedule at ffffffff8173fa27
+   #2 [ffff8813dedfb9b0] schedule_timeout at ffffffff81742fec
+   #3 [ffff8813dedfba60] io_schedule_timeout at ffffffff8173f186
+   #4 [ffff8813dedfbaa0] bit_wait_io at ffffffff8174034f
+   #5 [ffff8813dedfbac0] __wait_on_bit at ffffffff8173fec8
+   #6 [ffff8813dedfbb10] out_of_line_wait_on_bit at ffffffff8173ff81
+   #7 [ffff8813dedfbb90] __make_buffer_clean at ffffffffa038736f [dm_bufio]
+   #8 [ffff8813dedfbbb0] __try_evict_buffer at ffffffffa0387bb8 [dm_bufio]
+   #9 [ffff8813dedfbbd0] dm_bufio_shrink_scan at ffffffffa0387cc3 [dm_bufio]
+  #10 [ffff8813dedfbc40] shrink_slab at ffffffff811a87ce
+  #11 [ffff8813dedfbd30] shrink_zone at ffffffff811ad778
+  #12 [ffff8813dedfbdc0] kswapd at ffffffff811ae92f
+  #13 [ffff8813dedfbec0] kthread at ffffffff810a8428
+  #14 [ffff8813dedfbf50] ret_from_fork at ffffffff81745242
+
+  PID: 14127  TASK: ffff881455749c00  CPU: 11  COMMAND: "loop1"
+   #0 [ffff88272f5af228] __schedule at ffffffff8173f405
+   #1 [ffff88272f5af280] schedule at ffffffff8173fa27
+   #2 [ffff88272f5af2a0] schedule_preempt_disabled at ffffffff8173fd5e
+   #3 [ffff88272f5af2b0] __mutex_lock_slowpath at ffffffff81741fb5
+   #4 [ffff88272f5af330] mutex_lock at ffffffff81742133
+   #5 [ffff88272f5af350] dm_bufio_shrink_count at ffffffffa03865f9 [dm_bufio]
+   #6 [ffff88272f5af380] shrink_slab at ffffffff811a86bd
+   #7 [ffff88272f5af470] shrink_zone at ffffffff811ad778
+   #8 [ffff88272f5af500] do_try_to_free_pages at ffffffff811adb34
+   #9 [ffff88272f5af590] try_to_free_pages at ffffffff811adef8
+  #10 [ffff88272f5af610] __alloc_pages_nodemask at ffffffff811a09c3
+  #11 [ffff88272f5af710] alloc_pages_current at ffffffff811e8b71
+  #12 [ffff88272f5af760] new_slab at ffffffff811f4523
+  #13 [ffff88272f5af7b0] __slab_alloc at ffffffff8173a1b5
+  #14 [ffff88272f5af880] kmem_cache_alloc at ffffffff811f484b
+  #15 [ffff88272f5af8d0] do_blockdev_direct_IO at ffffffff812535b3
+  #16 [ffff88272f5afb00] __blockdev_direct_IO at ffffffff81255dc3
+  #17 [ffff88272f5afb30] xfs_vm_direct_IO at ffffffffa01fe3fc [xfs]
+  #18 [ffff88272f5afb90] generic_file_read_iter at ffffffff81198994
+  #19 [ffff88272f5afc50] __dta_xfs_file_read_iter_2398 at ffffffffa020c970 [xfs]
+  #20 [ffff88272f5afcc0] lo_rw_aio at ffffffffa0377042 [loop]
+  #21 [ffff88272f5afd70] loop_queue_work at ffffffffa0377c3b [loop]
+  #22 [ffff88272f5afe60] kthread_worker_fn at ffffffff810a8a0c
+  #23 [ffff88272f5afec0] kthread at ffffffff810a8428
+  #24 [ffff88272f5aff50] ret_from_fork at ffffffff81745242
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/loop.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -857,7 +857,7 @@ static void loop_unprepare_queue(struct
+ static int loop_kthread_worker_fn(void *worker_ptr)
+ {
+-      current->flags |= PF_LESS_THROTTLE;
++      current->flags |= PF_LESS_THROTTLE | PF_MEMALLOC_NOIO;
+       return kthread_worker_fn(worker_ptr);
+ }
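Review bot: The new `PF_MEMALLOC_NOIO` bit in `loop_kthread_worker_fn()` carries no comment, so the reason for it lives only in the commit message. Suggest adding above the assignment: `/* loop worker allocations must not enter I/O reclaim: a shrinker may wait on I/O that this thread has to complete */`. The flag is OR-ed straight into `current->flags` and never cleared before `kthread_worker_fn()` is entered, which looks intended as a whole-thread setting; saying so in the comment would stop a later cleanup from narrowing it.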
diff --git a/queue-4.14/mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch b/queue-4.14/mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch
new file mode 100644 (file)
index 0000000..7fad437
--- /dev/null
@@ -0,0 +1,71 @@
+From b803974a86039913d5280add083d730b2b9ed8ec Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Fri, 26 Jul 2019 10:30:49 +0800
+Subject: mmc: cavium: Add the missing dma unmap when the dma has finished.
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit b803974a86039913d5280add083d730b2b9ed8ec upstream.
+
+This fixes the below calltrace when the CONFIG_DMA_API_DEBUG is enabled.
+  DMA-API: thunderx_mmc 0000:01:01.4: cpu touching an active dma mapped cacheline [cln=0x000000002fdf9800]
+  WARNING: CPU: 21 PID: 1 at kernel/dma/debug.c:596 debug_dma_assert_idle+0x1f8/0x270
+  Modules linked in:
+  CPU: 21 PID: 1 Comm: init Not tainted 5.3.0-rc1-next-20190725-yocto-standard+ #64
+  Hardware name: Marvell OcteonTX CN96XX board (DT)
+  pstate: 80400009 (Nzcv daif +PAN -UAO)
+  pc : debug_dma_assert_idle+0x1f8/0x270
+  lr : debug_dma_assert_idle+0x1f8/0x270
+  sp : ffff0000113cfc10
+  x29: ffff0000113cfc10 x28: 0000ffff8c880000
+  x27: ffff800bc72a0000 x26: ffff000010ff8000
+  x25: ffff000010ff8940 x24: ffff000010ff8968
+  x23: 0000000000000000 x22: ffff000010e83700
+  x21: ffff000010ea2000 x20: ffff000010e835c8
+  x19: ffff800bc2c73300 x18: ffffffffffffffff
+  x17: 0000000000000000 x16: 0000000000000000
+  x15: ffff000010e835c8 x14: 6d20616d64206576
+  x13: 69746361206e6120 x12: 676e696863756f74
+  x11: 20757063203a342e x10: 31303a31303a3030
+  x9 : 303020636d6d5f78 x8 : 3230303030303030
+  x7 : 00000000000002fd x6 : ffff000010fd57d0
+  x5 : 0000000000000000 x4 : ffff0000106c5210
+  x3 : 00000000ffffffff x2 : 0000800bee9c0000
+  x1 : 57d5843f4aa62800 x0 : 0000000000000000
+  Call trace:
+   debug_dma_assert_idle+0x1f8/0x270
+   wp_page_copy+0xb0/0x688
+   do_wp_page+0xa8/0x5b8
+   __handle_mm_fault+0x600/0xd00
+   handle_mm_fault+0x118/0x1e8
+   do_page_fault+0x200/0x500
+   do_mem_abort+0x50/0xb0
+   el0_da+0x20/0x24
+  ---[ end trace a005534bd23e109f ]---
+  DMA-API: Mapped at:
+   debug_dma_map_sg+0x94/0x350
+   cvm_mmc_request+0x3c4/0x988
+   __mmc_start_request+0x9c/0x1f8
+   mmc_start_request+0x7c/0xb0
+   mmc_blk_mq_issue_rq+0x5c4/0x7b8
+
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Fixes: ba3869ff32e4 ("mmc: cavium: Add core MMC driver for Cavium SOCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/cavium.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/cavium.c
++++ b/drivers/mmc/host/cavium.c
+@@ -374,6 +374,7 @@ static int finish_dma_single(struct cvm_
+ {
+       data->bytes_xfered = data->blocks * data->blksz;
+       data->error = 0;
++      dma_unmap_sg(host->dev, data->sg, data->sg_len, get_dma_dir(data));
+       return 1;
+ }
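Review bot: The added `dma_unmap_sg()` in `finish_dma_single()` covers only the completion path that reaches this function, which also sets `data->error = 0` unconditionally. Whether request abort, timeout or error paths that bypass `finish_dma_single()` release the mapping is not visible in this hunk; if they do not, the scatterlist stays mapped there and the same DMA-API warning can reappear. A comment such as `/* pairs with the dma_map_sg() done when the transfer was set up */` would make the pairing explicit for whoever touches those paths next.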
diff --git a/queue-4.14/mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch b/queue-4.14/mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch
new file mode 100644 (file)
index 0000000..f18e96e
--- /dev/null
@@ -0,0 +1,80 @@
+From fa25eba6993b3750f417baabba169afaba076178 Mon Sep 17 00:00:00 2001
+From: Kevin Hao <haokexin@gmail.com>
+Date: Fri, 26 Jul 2019 10:30:48 +0800
+Subject: mmc: cavium: Set the correct dma max segment size for mmc_host
+
+From: Kevin Hao <haokexin@gmail.com>
+
+commit fa25eba6993b3750f417baabba169afaba076178 upstream.
+
+We have set the mmc_host.max_seg_size to 8M, but the dma max segment
+size of PCI device is set to 64K by default in function pci_device_add().
+The mmc_host.max_seg_size is used to set the max segment size of
+the blk queue. Then this mismatch will trigger a calltrace like below
+when a bigger than 64K segment request arrives at mmc dev. So we should
+consider the limitation of the cvm_mmc_host when setting the
+mmc_host.max_seg_size.
+  DMA-API: thunderx_mmc 0000:01:01.4: mapping sg segment longer than device claims to support [len=131072] [max=65536]
+  WARNING: CPU: 6 PID: 238 at kernel/dma/debug.c:1221 debug_dma_map_sg+0x2b8/0x350
+  Modules linked in:
+  CPU: 6 PID: 238 Comm: kworker/6:1H Not tainted 5.3.0-rc1-next-20190724-yocto-standard+ #62
+  Hardware name: Marvell OcteonTX CN96XX board (DT)
+  Workqueue: kblockd blk_mq_run_work_fn
+  pstate: 80c00009 (Nzcv daif +PAN +UAO)
+  pc : debug_dma_map_sg+0x2b8/0x350
+  lr : debug_dma_map_sg+0x2b8/0x350
+  sp : ffff00001770f9e0
+  x29: ffff00001770f9e0 x28: ffffffff00000000
+  x27: 00000000ffffffff x26: ffff800bc2c73180
+  x25: ffff000010e83700 x24: 0000000000000002
+  x23: 0000000000000001 x22: 0000000000000001
+  x21: 0000000000000000 x20: ffff800bc48ba0b0
+  x19: ffff800bc97e8c00 x18: ffffffffffffffff
+  x17: 0000000000000000 x16: 0000000000000000
+  x15: ffff000010e835c8 x14: 6874207265676e6f
+  x13: 6c20746e656d6765 x12: 7320677320676e69
+  x11: 7070616d203a342e x10: 31303a31303a3030
+  x9 : 303020636d6d5f78 x8 : 35363d78616d5b20
+  x7 : 00000000000002fd x6 : ffff000010fd57dc
+  x5 : 0000000000000000 x4 : ffff0000106c61f0
+  x3 : 00000000ffffffff x2 : 0000800bee060000
+  x1 : 7010678df3041a00 x0 : 0000000000000000
+  Call trace:
+   debug_dma_map_sg+0x2b8/0x350
+   cvm_mmc_request+0x3c4/0x988
+   __mmc_start_request+0x9c/0x1f8
+   mmc_start_request+0x7c/0xb0
+   mmc_blk_mq_issue_rq+0x5c4/0x7b8
+   mmc_mq_queue_rq+0x11c/0x278
+   blk_mq_dispatch_rq_list+0xb0/0x568
+   blk_mq_do_dispatch_sched+0x6c/0x108
+   blk_mq_sched_dispatch_requests+0x110/0x1b8
+   __blk_mq_run_hw_queue+0xb0/0x118
+   blk_mq_run_work_fn+0x28/0x38
+   process_one_work+0x210/0x490
+   worker_thread+0x48/0x458
+   kthread+0x130/0x138
+   ret_from_fork+0x10/0x1c
+
+Signed-off-by: Kevin Hao <haokexin@gmail.com>
+Fixes: ba3869ff32e4 ("mmc: cavium: Add core MMC driver for Cavium SOCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/cavium.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/cavium.c
++++ b/drivers/mmc/host/cavium.c
+@@ -1046,7 +1046,8 @@ int cvm_mmc_of_slot_probe(struct device
+               mmc->max_segs = 1;
+       /* DMA size field can address up to 8 MB */
+-      mmc->max_seg_size = 8 * 1024 * 1024;
++      mmc->max_seg_size = min_t(unsigned int, 8 * 1024 * 1024,
++                                dma_get_max_seg_size(host->dev));
+       mmc->max_req_size = mmc->max_seg_size;
+       /* External DMA is in 512 byte blocks */
+       mmc->max_blk_size = 512;
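Review bot: The comment `/* DMA size field can address up to 8 MB */` no longer describes the assignment below it, because the value is now capped by `dma_get_max_seg_size(host->dev)`. Suggest `/* DMA size field can address up to 8 MB, but never exceed the device's DMA segment limit */`. Note that `mmc->max_req_size` on the following line inherits the smaller value, so with the 64K default mentioned in the commit message the maximum request size shrinks as well; if that is intended it deserves a word in the comment. The enclosing function starts and ends outside the hunk.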
diff --git a/queue-4.14/sound-fix-a-memory-leak-bug.patch b/queue-4.14/sound-fix-a-memory-leak-bug.patch
new file mode 100644 (file)
index 0000000..bcc066b
--- /dev/null
@@ -0,0 +1,39 @@
+From c7cd7c748a3250ca33509f9235efab9c803aca09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Thu, 8 Aug 2019 00:15:21 -0500
+Subject: sound: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit c7cd7c748a3250ca33509f9235efab9c803aca09 upstream.
+
+In sound_insert_unit(), the controlling structure 's' is allocated through
+kmalloc(). Then it is added to the sound driver list by invoking
+__sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
+removed from the list through __sound_remove_unit(). If 'index' is not less
+than 0, -EBUSY is returned to indicate the error. However, 's' is not
+deallocated on this execution path, leading to a memory leak bug.
+
+To fix the above issue, free 's' before -EBUSY is returned.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/sound_core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/sound_core.c
++++ b/sound/sound_core.c
+@@ -287,7 +287,8 @@ retry:
+                               goto retry;
+                       }
+                       spin_unlock(&sound_loader_lock);
+-                      return -EBUSY;
++                      r = -EBUSY;
++                      goto fail;
+               }
+       }
diff --git a/queue-4.14/usb-iowarrior-fix-deadlock-on-disconnect.patch b/queue-4.14/usb-iowarrior-fix-deadlock-on-disconnect.patch
new file mode 100644 (file)
index 0000000..436d037
--- /dev/null
@@ -0,0 +1,50 @@
+From c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 8 Aug 2019 11:27:28 +0200
+Subject: usb: iowarrior: fix deadlock on disconnect
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 upstream.
+
+We have to drop the mutex before we close() upon disconnect()
+as close() needs the lock. This is safe to do by dropping the
+mutex as intfdata is already set to NULL, so open() will fail.
+
+Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
+Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -870,19 +870,20 @@ static void iowarrior_disconnect(struct
+       dev = usb_get_intfdata(interface);
+       mutex_lock(&iowarrior_open_disc_lock);
+       usb_set_intfdata(interface, NULL);
++      /* prevent device read, write and ioctl */
++      dev->present = 0;
+       minor = dev->minor;
++      mutex_unlock(&iowarrior_open_disc_lock);
++      /* give back our minor - this will call close() locks need to be dropped at this point*/
+-      /* give back our minor */
+       usb_deregister_dev(interface, &iowarrior_class);
+       mutex_lock(&dev->mutex);
+       /* prevent device read, write and ioctl */
+-      dev->present = 0;
+       mutex_unlock(&dev->mutex);
+-      mutex_unlock(&iowarrior_open_disc_lock);
+       if (dev->opened) {
+               /* There is a process that holds a filedescriptor to the device ,
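Review bot: `dev->present = 0` is now written under `iowarrior_open_disc_lock` only, and the `mutex_lock(&dev->mutex)` / `mutex_unlock(&dev->mutex)` pair further down is left as an empty critical section with a stale comment. If read, write, ioctl and release test `present` under `dev->mutex` (their bodies are outside the hunk), a release() running concurrently could see the flag cleared and free `dev` while disconnect still goes on to take `dev->mutex` and read `dev->opened`, which is a use-after-free window. Dropping `iowarrior_open_disc_lock` before `usb_deregister_dev()` is enough for the deadlock; keep `dev->present = 0;` between `mutex_lock(&dev->mutex);` and `mutex_unlock(&dev->mutex);`, and evaluate `dev->opened` before that unlock. The function continues past the end of the hunk.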
diff --git a/queue-4.14/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch b/queue-4.14/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
new file mode 100644 (file)
index 0000000..3fe84eb
--- /dev/null
@@ -0,0 +1,34 @@
+From c43f28dfdc4654e738aa6d3fd08a105b2bee758d Mon Sep 17 00:00:00 2001
+From: Gavin Li <git@thegavinli.com>
+Date: Sun, 4 Aug 2019 16:50:44 -0700
+Subject: usb: usbfs: fix double-free of usb memory upon submiturb error
+
+From: Gavin Li <git@thegavinli.com>
+
+commit c43f28dfdc4654e738aa6d3fd08a105b2bee758d upstream.
+
+Upon an error within proc_do_submiturb(), dec_usb_memory_use_count()
+gets called once by the error handling tail and again by free_async().
+Remove the first call.
+
+Signed-off-by: Gavin Li <git@thegavinli.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190804235044.22327-1-gavinli@thegavinli.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1811,8 +1811,6 @@ static int proc_do_submiturb(struct usb_
+       return 0;
+  error:
+-      if (as && as->usbm)
+-              dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
+       kfree(isopkt);
+       kfree(dr);
+       if (as)
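Review bot: After this removal nothing at the `error:` label says who drops the `as->usbm` use count, which is how the double decrement crept in. Suggest a comment above `if (as)`: `/* free_async() drops the as->usbm use count; do not decrement it here */`. That `free_async()` does so is taken from the commit message; its body, like the rest of `proc_do_submiturb()`, is outside the hunk.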