4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 27 Oct 2019 08:00:07 +0000 (09:00 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 27 Oct 2019 08:00:07 +0000 (09:00 +0100)
added patches:
alsa-hda-force-runtime-pm-on-nvidia-hdmi-codecs.patch
alsa-hda-realtek-add-support-for-alc711.patch
alsa-hda-realtek-enable-headset-mic-on-asus-mj401ta.patch
alsa-usb-audio-disable-quirks-for-boss-katana-amplifiers.patch
usb-ldusb-fix-memleak-on-disconnect.patch
usb-ldusb-fix-read-info-leaks.patch
usb-legousbtower-fix-memleak-on-disconnect.patch
usb-serial-ti_usb_3410_5052-fix-port-close-races.patch
usb-udc-lpc32xx-fix-bad-bit-shift-operation.patch
usb-usblp-fix-use-after-free-on-disconnect.patch

queue-4.19/alsa-hda-force-runtime-pm-on-nvidia-hdmi-codecs.patch [new file with mode: 0644]
queue-4.19/alsa-hda-realtek-add-support-for-alc711.patch [new file with mode: 0644]
queue-4.19/alsa-hda-realtek-enable-headset-mic-on-asus-mj401ta.patch [new file with mode: 0644]
queue-4.19/alsa-usb-audio-disable-quirks-for-boss-katana-amplifiers.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/usb-ldusb-fix-memleak-on-disconnect.patch [new file with mode: 0644]
queue-4.19/usb-ldusb-fix-read-info-leaks.patch [new file with mode: 0644]
queue-4.19/usb-legousbtower-fix-memleak-on-disconnect.patch [new file with mode: 0644]
queue-4.19/usb-serial-ti_usb_3410_5052-fix-port-close-races.patch [new file with mode: 0644]
queue-4.19/usb-udc-lpc32xx-fix-bad-bit-shift-operation.patch [new file with mode: 0644]
queue-4.19/usb-usblp-fix-use-after-free-on-disconnect.patch [new file with mode: 0644]

diff --git a/queue-4.19/alsa-hda-force-runtime-pm-on-nvidia-hdmi-codecs.patch b/queue-4.19/alsa-hda-force-runtime-pm-on-nvidia-hdmi-codecs.patch
new file mode 100644 (file)
index 0000000..94f96de
--- /dev/null
@@ -0,0 +1,62 @@
+From 94989e318b2f11e217e86bee058088064fa9a2e9 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 17 Oct 2019 17:04:11 +0200
+Subject: ALSA: hda - Force runtime PM on Nvidia HDMI codecs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 94989e318b2f11e217e86bee058088064fa9a2e9 upstream.
+
+Przemysław Kopa reports that since commit b516ea586d71 ("PCI: Enable
+NVIDIA HDA controllers"), the discrete GPU Nvidia GeForce GT 540M on his
+2011 Samsung laptop refuses to runtime suspend, resulting in a power
+regression and excessive heat.
+
+Rivera Valdez witnesses the same issue with a GeForce GT 525M (GF108M)
+of the same era, as does another Arch Linux user named "R0AR" with a
+more recent GeForce GTX 1050 Ti (GP107M).
+
+The commit exposes the discrete GPU's HDA controller and all four codecs
+on the controller do not set the CLKSTOP and EPSS bits in the Supported
+Power States Response.  They also do not set the PS-ClkStopOk bit in the
+Get Power State Response.  hda_codec_runtime_suspend() therefore does
+not call snd_hdac_codec_link_down(), which prevents each codec and the
+PCI device from runtime suspending.
+
+The same issue is present on some AMD discrete GPUs and we addressed it
+by forcing runtime PM despite the bits not being set, see commit
+57cb54e53bdd ("ALSA: hda - Force to link down at runtime suspend on
+ATI/AMD HDMI").
+
+Do the same for Nvidia HDMI codecs.
+
+Fixes: b516ea586d71 ("PCI: Enable NVIDIA HDA controllers")
+Link: https://bbs.archlinux.org/viewtopic.php?pid=1865512
+Link: https://bugs.freedesktop.org/show_bug.cgi?id=75985#c81
+Reported-by: Przemysław Kopa <prymoo@gmail.com>
+Reported-by: Rivera Valdez <riveravaldez@ysinembargo.com>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: Daniel Drake <dan@reactivated.net>
+Cc: stable@vger.kernel.org # v5.3+
+Link: https://lore.kernel.org/r/3086bc75135c1e3567c5bc4f3cc4ff5cbf7a56c2.1571324194.git.lukas@wunner.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_hdmi.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_hdmi.c
++++ b/sound/pci/hda/patch_hdmi.c
+@@ -3264,6 +3264,8 @@ static int patch_nvhdmi(struct hda_codec
+               nvhdmi_chmap_cea_alloc_validate_get_type;
+       spec->chmap.ops.chmap_validate = nvhdmi_chmap_validate;
++      codec->link_down_at_suspend = 1;
++
+       return 0;
+ }
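Review bot: The `Cc: stable@vger.kernel.org # v5.3+` trailer scopes this fix to v5.3 and later, while the hunk adds it under queue-4.19, so it is worth confirming that the 4.19 tree actually carries the commit named in `Fixes:` (b516ea586d71) before forcing link-down there. In the code itself, the new assignment in patch_nvhdmi() has no comment saying why the flag is forced. Something like `/* codecs do not advertise CLKSTOP/EPSS, force link down so the GPU can runtime suspend */` above `codec->link_down_at_suspend = 1;` would keep the rationale next to the line. patch_nvhdmi() begins outside the hunk.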
diff --git a/queue-4.19/alsa-hda-realtek-add-support-for-alc711.patch b/queue-4.19/alsa-hda-realtek-add-support-for-alc711.patch
new file mode 100644 (file)
index 0000000..1f0c1ef
--- /dev/null
@@ -0,0 +1,46 @@
+From 83629532ce45ef9df1f297b419b9ea112045685d Mon Sep 17 00:00:00 2001
+From: Kailang Yang <kailang@realtek.com>
+Date: Thu, 2 May 2019 16:03:26 +0800
+Subject: ALSA: hda/realtek - Add support for ALC711
+
+From: Kailang Yang <kailang@realtek.com>
+
+commit 83629532ce45ef9df1f297b419b9ea112045685d upstream.
+
+Support new codec ALC711.
+
+Signed-off-by: Kailang Yang <kailang@realtek.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -405,6 +405,7 @@ static void alc_fill_eapd_coef(struct hd
+       case 0x10ec0700:
+       case 0x10ec0701:
+       case 0x10ec0703:
++      case 0x10ec0711:
+               alc_update_coef_idx(codec, 0x10, 1<<15, 0);
+               break;
+       case 0x10ec0662:
+@@ -7752,6 +7753,7 @@ static int patch_alc269(struct hda_codec
+       case 0x10ec0700:
+       case 0x10ec0701:
+       case 0x10ec0703:
++      case 0x10ec0711:
+               spec->codec_variant = ALC269_TYPE_ALC700;
+               spec->gen.mixer_nid = 0; /* ALC700 does not have any loopback mixer path */
+               alc_update_coef_idx(codec, 0x4a, 1 << 15, 0); /* Combo jack auto trigger control */
+@@ -8883,6 +8885,7 @@ static const struct hda_device_id snd_hd
+       HDA_CODEC_ENTRY(0x10ec0700, "ALC700", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0701, "ALC701", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0703, "ALC703", patch_alc269),
++      HDA_CODEC_ENTRY(0x10ec0711, "ALC711", patch_alc269),
+       HDA_CODEC_ENTRY(0x10ec0867, "ALC891", patch_alc662),
+       HDA_CODEC_ENTRY(0x10ec0880, "ALC880", patch_alc880),
+       HDA_CODEC_ENTRY(0x10ec0882, "ALC882", patch_alc882),
diff --git a/queue-4.19/alsa-hda-realtek-enable-headset-mic-on-asus-mj401ta.patch b/queue-4.19/alsa-hda-realtek-enable-headset-mic-on-asus-mj401ta.patch
new file mode 100644 (file)
index 0000000..ca2465c
--- /dev/null
@@ -0,0 +1,62 @@
+From 8c8967a7dc01a25f57a0757fdca10987773cd1f2 Mon Sep 17 00:00:00 2001
+From: Daniel Drake <drake@endlessm.com>
+Date: Thu, 17 Oct 2019 16:15:01 +0800
+Subject: ALSA: hda/realtek - Enable headset mic on Asus MJ401TA
+
+From: Daniel Drake <drake@endlessm.com>
+
+commit 8c8967a7dc01a25f57a0757fdca10987773cd1f2 upstream.
+
+On Asus MJ401TA (with Realtek ALC256), the headset mic is connected to
+pin 0x19, with default configuration value 0x411111f0 (indicating no
+physical connection).
+
+Enable this by quirking the pin. Mic jack detection was also tested and
+found to be working.
+
+This enables use of the headset mic on this product.
+
+Signed-off-by: Daniel Drake <drake@endlessm.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191017081501.17135-1-drake@endlessm.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -5677,6 +5677,7 @@ enum {
+       ALC225_FIXUP_WYSE_AUTO_MUTE,
+       ALC225_FIXUP_WYSE_DISABLE_MIC_VREF,
+       ALC286_FIXUP_ACER_AIO_HEADSET_MIC,
++      ALC256_FIXUP_ASUS_HEADSET_MIC,
+       ALC256_FIXUP_ASUS_MIC_NO_PRESENCE,
+       ALC299_FIXUP_PREDATOR_SPK,
+       ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC,
+@@ -6693,6 +6694,15 @@ static const struct hda_fixup alc269_fix
+               .chained = true,
+               .chain_id = ALC286_FIXUP_ACER_AIO_MIC_NO_PRESENCE
+       },
++      [ALC256_FIXUP_ASUS_HEADSET_MIC] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x19, 0x03a11020 }, /* headset mic with jack detect */
++                      { }
++              },
++              .chained = true,
++              .chain_id = ALC256_FIXUP_ASUS_HEADSET_MODE
++      },
+       [ALC256_FIXUP_ASUS_MIC_NO_PRESENCE] = {
+               .type = HDA_FIXUP_PINS,
+               .v.pins = (const struct hda_pintbl[]) {
+@@ -6889,6 +6899,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
+       SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
+       SND_PCI_QUIRK(0x1043, 0x17d1, "ASUS UX431FL", ALC294_FIXUP_ASUS_INTSPK_HEADSET_MIC),
++      SND_PCI_QUIRK(0x1043, 0x18b1, "Asus MJ401TA", ALC256_FIXUP_ASUS_HEADSET_MIC),
+       SND_PCI_QUIRK(0x1043, 0x1a13, "Asus G73Jw", ALC269_FIXUP_ASUS_G73JW),
+       SND_PCI_QUIRK(0x1043, 0x1a30, "ASUS X705UD", ALC256_FIXUP_ASUS_MIC),
+       SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC),
diff --git a/queue-4.19/alsa-usb-audio-disable-quirks-for-boss-katana-amplifiers.patch b/queue-4.19/alsa-usb-audio-disable-quirks-for-boss-katana-amplifiers.patch
new file mode 100644 (file)
index 0000000..6f7d318
--- /dev/null
@@ -0,0 +1,38 @@
+From 7571b6a17fcc5e4f6903f065a82d0e38011346ed Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Szabolcs=20Sz=C5=91ke?= <szszoke.code@gmail.com>
+Date: Fri, 11 Oct 2019 19:19:36 +0200
+Subject: ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Szabolcs Szőke <szszoke.code@gmail.com>
+
+commit 7571b6a17fcc5e4f6903f065a82d0e38011346ed upstream.
+
+BOSS Katana amplifiers cannot be used for recording or playback if quirks
+are applied
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195223
+Signed-off-by: Szabolcs Szőke <szszoke.code@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191011171937.8013-1-szszoke.code@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/pcm.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -355,6 +355,9 @@ static int set_sync_ep_implicit_fb_quirk
+               ep = 0x81;
+               ifnum = 1;
+               goto add_sync_ep_from_ifnum;
++      case USB_ID(0x0582, 0x01d8): /* BOSS Katana */
++              /* BOSS Katana amplifiers do not need quirks */
++              return 0;
+       }
+       if (attr == USB_ENDPOINT_SYNC_ASYNC &&
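Review bot: The comment added in set_sync_ep_implicit_fb_quirk(), `/* BOSS Katana amplifiers do not need quirks */`, repeats the trailing `/* BOSS Katana */` and understates the reason given in the commit text, which is that the device cannot record or play back when quirks are applied. A single comment such as `/* BOSS Katana: applying this quirk breaks playback and capture, skip it */` would record that. The commit text speaks of amplifiers in the plural but only `USB_ID(0x0582, 0x01d8)` is matched, so any other model would still take the default path. The switch starts outside the hunk.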
index 8bc8650fc172f715244d70ac6c356f0d8580dae1..656d632cf3b3d6d329bbb347082a37373d4e8164 100644 (file)
@@ -33,3 +33,13 @@ net-ipv6-fix-listify-ip6_rcv_finish-in-case-of-forwarding.patch
 net-stmmac-disable-enable-ptp_ref_clk-in-suspend-resume-flow.patch
 sctp-change-sctp_prot-.no_autobind-with-true.patch
 memfd-fix-locking-when-tagging-pins.patch
+usb-legousbtower-fix-memleak-on-disconnect.patch
+alsa-hda-realtek-add-support-for-alc711.patch
+alsa-hda-realtek-enable-headset-mic-on-asus-mj401ta.patch
+alsa-usb-audio-disable-quirks-for-boss-katana-amplifiers.patch
+alsa-hda-force-runtime-pm-on-nvidia-hdmi-codecs.patch
+usb-udc-lpc32xx-fix-bad-bit-shift-operation.patch
+usb-serial-ti_usb_3410_5052-fix-port-close-races.patch
+usb-ldusb-fix-memleak-on-disconnect.patch
+usb-usblp-fix-use-after-free-on-disconnect.patch
+usb-ldusb-fix-read-info-leaks.patch
diff --git a/queue-4.19/usb-ldusb-fix-memleak-on-disconnect.patch b/queue-4.19/usb-ldusb-fix-memleak-on-disconnect.patch
new file mode 100644 (file)
index 0000000..dfb54d5
--- /dev/null
@@ -0,0 +1,37 @@
+From b14a39048c1156cfee76228bf449852da2f14df8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 10 Oct 2019 14:58:34 +0200
+Subject: USB: ldusb: fix memleak on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b14a39048c1156cfee76228bf449852da2f14df8 upstream.
+
+If disconnect() races with release() after a process has been
+interrupted, release() could end up returning early and the driver would
+fail to free its driver data.
+
+Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver")
+Cc: stable <stable@vger.kernel.org>     # 2.6.13
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191010125835.27031-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/ldusb.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/ldusb.c
++++ b/drivers/usb/misc/ldusb.c
+@@ -380,10 +380,7 @@ static int ld_usb_release(struct inode *
+               goto exit;
+       }
+-      if (mutex_lock_interruptible(&dev->mutex)) {
+-              retval = -ERESTARTSYS;
+-              goto exit;
+-      }
++      mutex_lock(&dev->mutex);
+       if (dev->open_count != 1) {
+               retval = -ENODEV;
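Review bot: The switch to `mutex_lock(&dev->mutex)` in ld_usb_release() carries no comment explaining why the lock must not be interruptible, which makes it easy for a later cleanup to restore `mutex_lock_interruptible()`. A line such as `/* must not fail: an early return here would leave the driver data unfreed after disconnect */` above the call would preserve the reasoning from the commit text. The same applies to `mutex_lock(&dev->lock)` in tower_release() in usb-legousbtower-fix-memleak-on-disconnect.patch. Both functions start and end outside their hunks.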
diff --git a/queue-4.19/usb-ldusb-fix-read-info-leaks.patch b/queue-4.19/usb-ldusb-fix-read-info-leaks.patch
new file mode 100644 (file)
index 0000000..f732abf
--- /dev/null
@@ -0,0 +1,80 @@
+From 7a6f22d7479b7a0b68eadd308a997dd64dda7dae Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 18 Oct 2019 17:19:54 +0200
+Subject: USB: ldusb: fix read info leaks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7a6f22d7479b7a0b68eadd308a997dd64dda7dae upstream.
+
+Fix broken read implementation, which could be used to trigger slab info
+leaks.
+
+The driver failed to check if the custom ring buffer was still empty
+when waking up after having waited for more data. This would happen on
+every interrupt-in completion, even if no data had been added to the
+ring buffer (e.g. on disconnect events).
+
+Due to missing sanity checks and uninitialised (kmalloced) ring-buffer
+entries, this meant that huge slab info leaks could easily be triggered.
+
+Note that the empty-buffer check after wakeup is enough to fix the info
+leak on disconnect, but let's clear the buffer on allocation and add a
+sanity check to read() to prevent further leaks.
+
+Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver")
+Cc: stable <stable@vger.kernel.org>     # 2.6.13
+Reported-by: syzbot+6fe95b826644f7f12b0b@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191018151955.25135-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/ldusb.c |   18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/misc/ldusb.c
++++ b/drivers/usb/misc/ldusb.c
+@@ -464,7 +464,7 @@ static ssize_t ld_usb_read(struct file *
+       /* wait for data */
+       spin_lock_irq(&dev->rbsl);
+-      if (dev->ring_head == dev->ring_tail) {
++      while (dev->ring_head == dev->ring_tail) {
+               dev->interrupt_in_done = 0;
+               spin_unlock_irq(&dev->rbsl);
+               if (file->f_flags & O_NONBLOCK) {
+@@ -474,12 +474,17 @@ static ssize_t ld_usb_read(struct file *
+               retval = wait_event_interruptible(dev->read_wait, dev->interrupt_in_done);
+               if (retval < 0)
+                       goto unlock_exit;
+-      } else {
+-              spin_unlock_irq(&dev->rbsl);
++
++              spin_lock_irq(&dev->rbsl);
+       }
++      spin_unlock_irq(&dev->rbsl);
+       /* actual_buffer contains actual_length + interrupt_in_buffer */
+       actual_buffer = (size_t *)(dev->ring_buffer + dev->ring_tail * (sizeof(size_t)+dev->interrupt_in_endpoint_size));
++      if (*actual_buffer > dev->interrupt_in_endpoint_size) {
++              retval = -EIO;
++              goto unlock_exit;
++      }
+       bytes_to_read = min(count, *actual_buffer);
+       if (bytes_to_read < *actual_buffer)
+               dev_warn(&dev->intf->dev, "Read buffer overflow, %zd bytes dropped\n",
+@@ -690,10 +695,9 @@ static int ld_usb_probe(struct usb_inter
+               dev_warn(&intf->dev, "Interrupt out endpoint not found (using control endpoint instead)\n");
+       dev->interrupt_in_endpoint_size = usb_endpoint_maxp(dev->interrupt_in_endpoint);
+-      dev->ring_buffer =
+-              kmalloc_array(ring_buffer_size,
+-                            sizeof(size_t) + dev->interrupt_in_endpoint_size,
+-                            GFP_KERNEL);
++      dev->ring_buffer = kcalloc(ring_buffer_size,
++                      sizeof(size_t) + dev->interrupt_in_endpoint_size,
++                      GFP_KERNEL);
+       if (!dev->ring_buffer)
+               goto error;
+       dev->interrupt_in_buffer = kmalloc(dev->interrupt_in_endpoint_size, GFP_KERNEL);
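Review bot: The new `while (dev->ring_head == dev->ring_tail)` loop in ld_usb_read() only re-tests the ring indices, so a blocking reader woken with no data goes back to sleep, and the commit text says such wakeups happen on disconnect events. Nothing visible in the hunk rechecks inside the loop whether the device is still bound, so it is worth confirming that a reader cannot sleep past a disconnect until a signal arrives. Rechecking the driver's disconnect state after the `spin_lock_irq(&dev->rbsl);` at the bottom of the loop would make that explicit. The added `-EIO` check would also benefit from a comment such as `/* a length above interrupt_in_endpoint_size would read past the ring-buffer entry */`. ld_usb_read() starts and ends outside the hunk, so an existing check elsewhere may already cover the disconnect case.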
diff --git a/queue-4.19/usb-legousbtower-fix-memleak-on-disconnect.patch b/queue-4.19/usb-legousbtower-fix-memleak-on-disconnect.patch
new file mode 100644 (file)
index 0000000..f1ea04b
--- /dev/null
@@ -0,0 +1,37 @@
+From b6c03e5f7b463efcafd1ce141bd5a8fc4e583ae2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 10 Oct 2019 14:58:35 +0200
+Subject: USB: legousbtower: fix memleak on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b6c03e5f7b463efcafd1ce141bd5a8fc4e583ae2 upstream.
+
+If disconnect() races with release() after a process has been
+interrupted, release() could end up returning early and the driver would
+fail to free its driver data.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191010125835.27031-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c |    5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -419,10 +419,7 @@ static int tower_release (struct inode *
+               goto exit;
+       }
+-      if (mutex_lock_interruptible(&dev->lock)) {
+-              retval = -ERESTARTSYS;
+-              goto exit;
+-      }
++      mutex_lock(&dev->lock);
+       if (dev->open_count != 1) {
+               dev_dbg(&dev->udev->dev, "%s: device not opened exactly once\n",
diff --git a/queue-4.19/usb-serial-ti_usb_3410_5052-fix-port-close-races.patch b/queue-4.19/usb-serial-ti_usb_3410_5052-fix-port-close-races.patch
new file mode 100644 (file)
index 0000000..cb14c99
--- /dev/null
@@ -0,0 +1,53 @@
+From 6f1d1dc8d540a9aa6e39b9cb86d3a67bbc1c8d8d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 11 Oct 2019 11:57:35 +0200
+Subject: USB: serial: ti_usb_3410_5052: fix port-close races
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6f1d1dc8d540a9aa6e39b9cb86d3a67bbc1c8d8d upstream.
+
+Fix races between closing a port and opening or closing another port on
+the same device which could lead to a failure to start or stop the
+shared interrupt URB. The latter could potentially cause a
+use-after-free or worse in the completion handler on driver unbind.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ti_usb_3410_5052.c |   10 +++-------
+ 1 file changed, 3 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -776,7 +776,6 @@ static void ti_close(struct usb_serial_p
+       struct ti_port *tport;
+       int port_number;
+       int status;
+-      int do_unlock;
+       unsigned long flags;
+       tdev = usb_get_serial_data(port->serial);
+@@ -800,16 +799,13 @@ static void ti_close(struct usb_serial_p
+                       "%s - cannot send close port command, %d\n"
+                                                       , __func__, status);
+-      /* if mutex_lock is interrupted, continue anyway */
+-      do_unlock = !mutex_lock_interruptible(&tdev->td_open_close_lock);
++      mutex_lock(&tdev->td_open_close_lock);
+       --tport->tp_tdev->td_open_port_count;
+-      if (tport->tp_tdev->td_open_port_count <= 0) {
++      if (tport->tp_tdev->td_open_port_count == 0) {
+               /* last port is closed, shut down interrupt urb */
+               usb_kill_urb(port->serial->port[0]->interrupt_in_urb);
+-              tport->tp_tdev->td_open_port_count = 0;
+       }
+-      if (do_unlock)
+-              mutex_unlock(&tdev->td_open_close_lock);
++      mutex_unlock(&tdev->td_open_close_lock);
+ }
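Review bot: In ti_close() the lock is taken through `tdev->td_open_close_lock` while the counter it guards is reached through `tport->tp_tdev->td_open_port_count`; the two are presumably the same device structure, but the mixed spelling hides that the mutex protects the counter. Using `tdev` for both, e.g. `if (--tdev->td_open_port_count == 0) {`, would make the pairing obvious. With the `<= 0` clamp removed, an unbalanced close would leave the count negative and skip `usb_kill_urb()`, so a `WARN_ON_ONCE()` on a negative count may be worth considering. ti_close() starts outside the hunk.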
diff --git a/queue-4.19/usb-udc-lpc32xx-fix-bad-bit-shift-operation.patch b/queue-4.19/usb-udc-lpc32xx-fix-bad-bit-shift-operation.patch
new file mode 100644 (file)
index 0000000..aea03ba
--- /dev/null
@@ -0,0 +1,48 @@
+From b987b66ac3a2bc2f7b03a0ba48a07dc553100c07 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Mon, 14 Oct 2019 14:18:30 -0500
+Subject: usb: udc: lpc32xx: fix bad bit shift operation
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit b987b66ac3a2bc2f7b03a0ba48a07dc553100c07 upstream.
+
+It seems that the right variable to use in this case is *i*, instead of
+*n*, otherwise there is an undefined behavior when right shifiting by more
+than 31 bits when multiplying n by 8; notice that *n* can take values
+equal or greater than 4 (4, 8, 16, ...).
+
+Also, notice that under the current conditions (bl = 3), we are skiping
+the handling of bytes 3, 7, 31... So, fix this by updating this logic
+and limit *bl* up to 4 instead of up to 3.
+
+This fix is based on function udc_stuff_fifo().
+
+Addresses-Coverity-ID: 1454834 ("Bad bit shift operation")
+Fixes: 24a28e428351 ("USB: gadget driver for LPC32xx")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Link: https://lore.kernel.org/r/20191014191830.GA10721@embeddedor
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/lpc32xx_udc.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/udc/lpc32xx_udc.c
++++ b/drivers/usb/gadget/udc/lpc32xx_udc.c
+@@ -1165,11 +1165,11 @@ static void udc_pop_fifo(struct lpc32xx_
+                       tmp = readl(USBD_RXDATA(udc->udp_baseaddr));
+                       bl = bytes - n;
+-                      if (bl > 3)
+-                              bl = 3;
++                      if (bl > 4)
++                              bl = 4;
+                       for (i = 0; i < bl; i++)
+-                              data[n + i] = (u8) ((tmp >> (n * 8)) & 0xFF);
++                              data[n + i] = (u8) ((tmp >> (i * 8)) & 0xFF);
+               }
+               break;
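Review bot: The unpacking loop in udc_pop_fifo() relies on the bare constants 4 and 8 with no comment on the word layout that the corrected shift depends on. A comment such as `/* each FIFO word carries up to four bytes, least-significant byte first */` above `bl = bytes - n;` would document what `(tmp >> (i * 8))` assumes. The `& 0xFF` is redundant next to the `(u8)` cast but harmless. The enclosing loop and its step for `n` are outside the hunk, so the `bl > 4` clamp should be checked against that step.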
diff --git a/queue-4.19/usb-usblp-fix-use-after-free-on-disconnect.patch b/queue-4.19/usb-usblp-fix-use-after-free-on-disconnect.patch
new file mode 100644 (file)
index 0000000..1dce9df
--- /dev/null
@@ -0,0 +1,51 @@
+From 7a759197974894213621aa65f0571b51904733d6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 15 Oct 2019 19:55:22 +0200
+Subject: USB: usblp: fix use-after-free on disconnect
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7a759197974894213621aa65f0571b51904733d6 upstream.
+
+A recent commit addressing a runtime PM use-count regression, introduced
+a use-after-free by not making sure we held a reference to the struct
+usb_interface for the lifetime of the driver data.
+
+Fixes: 9a31535859bf ("USB: usblp: fix runtime PM after driver unbind")
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot+cd24df4d075c319ebfc5@syzkaller.appspotmail.com
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191015175522.18490-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/usblp.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -445,6 +445,7 @@ static void usblp_cleanup(struct usblp *
+       kfree(usblp->readbuf);
+       kfree(usblp->device_id_string);
+       kfree(usblp->statusbuf);
++      usb_put_intf(usblp->intf);
+       kfree(usblp);
+ }
+@@ -1107,7 +1108,7 @@ static int usblp_probe(struct usb_interf
+       init_waitqueue_head(&usblp->wwait);
+       init_usb_anchor(&usblp->urbs);
+       usblp->ifnum = intf->cur_altsetting->desc.bInterfaceNumber;
+-      usblp->intf = intf;
++      usblp->intf = usb_get_intf(intf);
+       /* Malloc device ID string buffer to the largest expected length,
+        * since we can re-query it on an ioctl and a dynamic string
+@@ -1196,6 +1197,7 @@ abort:
+       kfree(usblp->readbuf);
+       kfree(usblp->statusbuf);
+       kfree(usblp->device_id_string);
++      usb_put_intf(usblp->intf);
+       kfree(usblp);
+ abort_ret:
+       return retval;
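Review bot: The reference taken by `usblp->intf = usb_get_intf(intf);` in usblp_probe() is released in two separate places, usblp_cleanup() and the `abort:` path, and nothing at the acquisition site says so. A comment there such as `/* held for the lifetime of usblp; dropped in usblp_cleanup() and on the abort path */` would help keep the get/put pairs balanced when either path is edited. Any `goto abort` that runs before this assignment would pass whatever `usblp->intf` holds at that point to `usb_put_intf()`, so it is worth confirming that the structure is zero-allocated; the allocation is outside the hunk.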