--- /dev/null
+iio-adc-max9611-fix-misuse-of-genmask-macro.patch
+crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch
+crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch
+usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
+usb-iowarrior-fix-deadlock-on-disconnect.patch
+sound-fix-a-memory-leak-bug.patch
+mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch
+mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch
+loop-set-pf_memalloc_noio-for-the-worker-thread.patch
+input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch
--- /dev/null
+iio-cros_ec_accel_legacy-fix-incorrect-channel-setting.patch
+iio-adc-max9611-fix-misuse-of-genmask-macro.patch
+staging-gasket-apex-fix-copy-paste-typo.patch
+staging-wilc1000-flush-the-workqueue-before-deinit-the-host.patch
+staging-android-ion-bail-out-upon-sigkill-when-allocating-memory.patch
+crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch
+crypto-ccp-add-support-for-valid-authsize-values-less-than-16.patch
+crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch
+usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
+usb-iowarrior-fix-deadlock-on-disconnect.patch
+sound-fix-a-memory-leak-bug.patch
+mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch
+mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch
+loop-set-pf_memalloc_noio-for-the-worker-thread.patch
+input-usbtouchscreen-initialize-pm-mutex-before-using-it.patch
+input-elantech-enable-smbus-on-new-2018-systems.patch
+input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch
--- /dev/null
+usb-iowarrior-fix-deadlock-on-disconnect.patch
+sound-fix-a-memory-leak-bug.patch
--- /dev/null
+From c7cd7c748a3250ca33509f9235efab9c803aca09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang <wenwen@cs.uga.edu>
+Date: Thu, 8 Aug 2019 00:15:21 -0500
+Subject: sound: fix a memory leak bug
+
+From: Wenwen Wang <wenwen@cs.uga.edu>
+
+commit c7cd7c748a3250ca33509f9235efab9c803aca09 upstream.
+
+In sound_insert_unit(), the controlling structure 's' is allocated through
+kmalloc(). Then it is added to the sound driver list by invoking
+__sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
+removed from the list through __sound_remove_unit(). If 'index' is not less
+than 0, -EBUSY is returned to indicate the error. However, 's' is not
+deallocated on this execution path, leading to a memory leak bug.
+
+To fix the above issue, free 's' before -EBUSY is returned.
+
+Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/sound_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/sound_core.c
++++ b/sound/sound_core.c
+@@ -287,7 +287,8 @@ retry:
+ goto retry;
+ }
+ spin_unlock(&sound_loader_lock);
+- return -EBUSY;
++ r = -EBUSY;
++ goto fail;
+ }
+ }
+
--- /dev/null
+From c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 8 Aug 2019 11:27:28 +0200
+Subject: usb: iowarrior: fix deadlock on disconnect
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 upstream.
+
+We have to drop the mutex before we close() upon disconnect()
+as close() needs the lock. This is safe to do by dropping the
+mutex as intfdata is already set to NULL, so open() will fail.
+
+Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
+Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -898,19 +898,20 @@ static void iowarrior_disconnect(struct
+ dev = usb_get_intfdata(interface);
+ mutex_lock(&iowarrior_open_disc_lock);
+ usb_set_intfdata(interface, NULL);
++ /* prevent device read, write and ioctl */
++ dev->present = 0;
+
+ minor = dev->minor;
++ mutex_unlock(&iowarrior_open_disc_lock);
++ /* give back our minor - this will call close() locks need to be dropped at this point*/
+
+- /* give back our minor */
+ usb_deregister_dev(interface, &iowarrior_class);
+
+ mutex_lock(&dev->mutex);
+
+ /* prevent device read, write and ioctl */
+- dev->present = 0;
+
+ mutex_unlock(&dev->mutex);
+- mutex_unlock(&iowarrior_open_disc_lock);
+
+ if (dev->opened) {
+ /* There is a process that holds a filedescriptor to the device ,
--- /dev/null
+usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
+usb-iowarrior-fix-deadlock-on-disconnect.patch
+sound-fix-a-memory-leak-bug.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
