4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 2 Mar 2020 19:37:29 +0000 (20:37 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 2 Mar 2020 19:37:29 +0000 (20:37 +0100)
added patches:
hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
i2c-jz4780-silence-log-flood-on-txabrt.patch
mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch

queue-4.4/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch [new file with mode: 0644]
queue-4.4/i2c-jz4780-silence-log-flood-on-txabrt.patch [new file with mode: 0644]
queue-4.4/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch b/queue-4.4/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
new file mode 100644 (file)
index 0000000..901862a
--- /dev/null
@@ -0,0 +1,39 @@
+From 5c02c447eaeda29d3da121a2e17b97ccaf579b51 Mon Sep 17 00:00:00 2001
+From: "dan.carpenter@oracle.com" <dan.carpenter@oracle.com>
+Date: Wed, 15 Jan 2020 20:46:28 +0300
+Subject: HID: hiddev: Fix race in in hiddev_disconnect()
+
+From: dan.carpenter@oracle.com <dan.carpenter@oracle.com>
+
+commit 5c02c447eaeda29d3da121a2e17b97ccaf579b51 upstream.
+
+Syzbot reports that "hiddev" is used after it's free in hiddev_disconnect().
+The hiddev_disconnect() function sets "hiddev->exist = 0;" so
+hiddev_release() can free it as soon as we drop the "existancelock"
+lock.  This patch moves the mutex_unlock(&hiddev->existancelock) until
+after we have finished using it.
+
+Reported-by: syzbot+784ccb935f9900cc7c9e@syzkaller.appspotmail.com
+Fixes: 7f77897ef2b6 ("HID: hiddev: fix potential use-after-free")
+Suggested-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hiddev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -962,9 +962,9 @@ void hiddev_disconnect(struct hid_device
+       hiddev->exist = 0;
+       if (hiddev->open) {
+-              mutex_unlock(&hiddev->existancelock);
+               usbhid_close(hiddev->hid);
+               wake_up_interruptible(&hiddev->wait);
++              mutex_unlock(&hiddev->existancelock);
+       } else {
+               mutex_unlock(&hiddev->existancelock);
+               kfree(hiddev);
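Review bot: The relocated `mutex_unlock(&hiddev->existancelock)` in the `hiddev->open` branch of the embedded hiddev.c hunk carries no comment saying why it has to come last, so a later cleanup could move it back above `usbhid_close()` and reintroduce the use-after-free the patch description reports. I would add `/* hiddev_release() may free hiddev once existancelock is dropped; unlock last */` directly above it. Because `usbhid_close()` and `wake_up_interruptible()` now run with the mutex held, it is also worth confirming in the 4.4 tree that neither path tries to take `existancelock` again; this hunk does not show that. hiddev_disconnect() starts and ends outside the hunk.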
diff --git a/queue-4.4/i2c-jz4780-silence-log-flood-on-txabrt.patch b/queue-4.4/i2c-jz4780-silence-log-flood-on-txabrt.patch
new file mode 100644 (file)
index 0000000..3beeec9
--- /dev/null
@@ -0,0 +1,76 @@
+From 9e661cedcc0a072d91a32cb88e0515ea26e35711 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang <wsa@the-dreams.de>
+Date: Wed, 12 Feb 2020 10:35:30 +0100
+Subject: i2c: jz4780: silence log flood on txabrt
+
+From: Wolfram Sang <wsa@the-dreams.de>
+
+commit 9e661cedcc0a072d91a32cb88e0515ea26e35711 upstream.
+
+The printout for txabrt is way too talkative and is highly annoying with
+scanning programs like 'i2cdetect'. Reduce it to the minimum, the rest
+can be gained by I2C core debugging and datasheet information. Also,
+make it a debug printout, it won't help the regular user.
+
+Fixes: ba92222ed63a ("i2c: jz4780: Add i2c bus controller driver for Ingenic JZ4780")
+Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
+Tested-by: H. Nikolaus Schaller <hns@goldelico.com>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-jz4780.c |   36 ++----------------------------------
+ 1 file changed, 2 insertions(+), 34 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-jz4780.c
++++ b/drivers/i2c/busses/i2c-jz4780.c
+@@ -82,25 +82,6 @@
+ #define JZ4780_I2C_STA_TFNF           BIT(1)
+ #define JZ4780_I2C_STA_ACT            BIT(0)
+-static const char * const jz4780_i2c_abrt_src[] = {
+-      "ABRT_7B_ADDR_NOACK",
+-      "ABRT_10ADDR1_NOACK",
+-      "ABRT_10ADDR2_NOACK",
+-      "ABRT_XDATA_NOACK",
+-      "ABRT_GCALL_NOACK",
+-      "ABRT_GCALL_READ",
+-      "ABRT_HS_ACKD",
+-      "SBYTE_ACKDET",
+-      "ABRT_HS_NORSTRT",
+-      "SBYTE_NORSTRT",
+-      "ABRT_10B_RD_NORSTRT",
+-      "ABRT_MASTER_DIS",
+-      "ARB_LOST",
+-      "SLVFLUSH_TXFIFO",
+-      "SLV_ARBLOST",
+-      "SLVRD_INTX",
+-};
+-
+ #define JZ4780_I2C_INTST_IGC          BIT(11)
+ #define JZ4780_I2C_INTST_ISTT         BIT(10)
+ #define JZ4780_I2C_INTST_ISTP         BIT(9)
+@@ -538,21 +519,8 @@ done:
+ static void jz4780_i2c_txabrt(struct jz4780_i2c *i2c, int src)
+ {
+-      int i;
+-
+-      dev_err(&i2c->adap.dev, "txabrt: 0x%08x\n", src);
+-      dev_err(&i2c->adap.dev, "device addr=%x\n",
+-              jz4780_i2c_readw(i2c, JZ4780_I2C_TAR));
+-      dev_err(&i2c->adap.dev, "send cmd count:%d  %d\n",
+-              i2c->cmd, i2c->cmd_buf[i2c->cmd]);
+-      dev_err(&i2c->adap.dev, "receive data count:%d  %d\n",
+-              i2c->cmd, i2c->data_buf[i2c->cmd]);
+-
+-      for (i = 0; i < 16; i++) {
+-              if (src & BIT(i))
+-                      dev_dbg(&i2c->adap.dev, "I2C TXABRT[%d]=%s\n",
+-                              i, jz4780_i2c_abrt_src[i]);
+-      }
++      dev_dbg(&i2c->adap.dev, "txabrt: 0x%08x, cmd: %d, send: %d, recv: %d\n",
++              src, i2c->cmd, i2c->cmd_buf[i2c->cmd], i2c->data_buf[i2c->cmd]);
+ }
+ static inline int jz4780_i2c_xfer_read(struct jz4780_i2c *i2c,
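Review bot: With the `jz4780_i2c_abrt_src[]` table removed, the single `dev_dbg()` left in jz4780_i2c_txabrt() prints `src` only as a raw hex mask, and nothing in the code says where the bit meanings are documented. A short comment above the call would keep the message decodable, for example `/* src: raw TX abort source bits; bit names are in the JZ4780 datasheet */`. Separately, the arguments still index `i2c->cmd_buf` and `i2c->data_buf` with `i2c->cmd`, as the removed code did. The array sizes are not visible here, so whether that index is always in range on an abort path should be checked against the struct definition.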
diff --git a/queue-4.4/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch b/queue-4.4/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
new file mode 100644 (file)
index 0000000..7d8ed6c
--- /dev/null
@@ -0,0 +1,42 @@
+From bef8e2dfceed6daeb6ca3e8d33f9c9d43b926580 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Sun, 2 Feb 2020 21:19:22 +0100
+Subject: MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit bef8e2dfceed6daeb6ca3e8d33f9c9d43b926580 upstream.
+
+Pointer on the memory allocated by 'alloc_progmem()' is stored in
+'v->load_addr'. So this is this memory that should be freed by
+'release_progmem()'.
+
+'release_progmem()' is only a call to 'kfree()'.
+
+With the current code, there is both a double free and a memory leak.
+Fix it by passing the correct pointer to 'release_progmem()'.
+
+Fixes: e01402b115ccc ("More AP / SP bits for the 34K, the Malta bits and things. Still wants")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Paul Burton <paulburton@kernel.org>
+Cc: ralf@linux-mips.org
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: kernel-janitors@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/kernel/vpe.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/vpe.c
++++ b/arch/mips/kernel/vpe.c
+@@ -134,7 +134,7 @@ void release_vpe(struct vpe *v)
+ {
+       list_del(&v->list);
+       if (v->load_addr)
+-              release_progmem(v);
++              release_progmem(v->load_addr);
+       kfree(v);
+ }
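Review bot: The corrected call `release_progmem(v->load_addr)` in release_vpe() would benefit from a one-line ownership comment, since the two frees in this function are easy to mix up again. Something like `/* load_addr is the alloc_progmem() buffer; the vpe itself is freed below */` above the `if (v->load_addr)` test would record it. The old call passed `v` and evidently compiled cleanly, which suggests release_progmem() takes an untyped pointer, so the compiler will not catch this mistake if it is repeated. The patch description says release_progmem() is only a kfree(); if that holds for every configuration the NULL test is redundant, but it is harmless to keep.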
index c08a1bb083aea71efdf98f9ba5726be05854d89e..67bf683ffb42705e726ea572dae2aabdc7a9b9ba 100644 (file)
@@ -21,3 +21,6 @@ ext4-potential-crash-on-allocation-error-in-ext4_alloc_flex_bg_array.patch
 audit-fix-error-handling-in-audit_data_to_entry.patch
 hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch
 hid-core-increase-hid-report-buffer-size-to-8kib.patch
+hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
+mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
+i2c-jz4780-silence-log-flood-on-txabrt.patch