From: Greg Kroah-Hartman Date: Sun, 11 Aug 2019 15:04:12 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.2.9~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=287ce8119d6bfca980c42c87ec8911ad8ea21814;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: sound-fix-a-memory-leak-bug.patch usb-iowarrior-fix-deadlock-on-disconnect.patch usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
---
diff --git a/queue-4.9/sound-fix-a-memory-leak-bug.patch b/queue-4.9/sound-fix-a-memory-leak-bug.patch
new file mode 100644
index 00000000000..bcc066b25cf
--- /dev/null
+++ b/queue-4.9/sound-fix-a-memory-leak-bug.patch
@@ -0,0 +1,39 @@
+From c7cd7c748a3250ca33509f9235efab9c803aca09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Thu, 8 Aug 2019 00:15:21 -0500
+Subject: sound: fix a memory leak bug
+
+From: Wenwen Wang
+
+commit c7cd7c748a3250ca33509f9235efab9c803aca09 upstream.
+
+In sound_insert_unit(), the controlling structure 's' is allocated through
+kmalloc(). Then it is added to the sound driver list by invoking
+__sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
+removed from the list through __sound_remove_unit(). If 'index' is not less
+than 0, -EBUSY is returned to indicate the error. However, 's' is not
+deallocated on this execution path, leading to a memory leak bug.
+
+To fix the above issue, free 's' before -EBUSY is returned.
+
+Signed-off-by: Wenwen Wang
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/sound_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/sound_core.c
++++ b/sound/sound_core.c
+@@ -287,7 +287,8 @@ retry:
+ goto retry;
+ }
+ spin_unlock(&sound_loader_lock);
+- return -EBUSY;
++ r = -EBUSY;
++ goto fail;
+ }
+ }
+
diff --git a/queue-4.9/usb-iowarrior-fix-deadlock-on-disconnect.patch b/queue-4.9/usb-iowarrior-fix-deadlock-on-disconnect.patch
new file mode 100644
index 00000000000..71ba528dc86
--- /dev/null
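Review bot: The new `goto fail` in the -EBUSY branch of sound_insert_unit() frees 's' at a label that lies outside this hunk, and nothing at the jump records why that is safe. Per the commit description 's' has already been taken off the driver list by __sound_remove_unit() before this point, so a one-line comment above `r = -EBUSY;`, such as `/* 's' is already unlinked by __sound_remove_unit(); fail: frees it */`, would capture the ordering. That ordering matters because freeing a unit that is still on the list would leave a dangling list entry. The function body starts and ends outside the hunk, so the `fail:` path itself should be checked against the 4.9 tree.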
+++ b/queue-4.9/usb-iowarrior-fix-deadlock-on-disconnect.patch
@@ -0,0 +1,50 @@
+From c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 8 Aug 2019 11:27:28 +0200
+Subject: usb: iowarrior: fix deadlock on disconnect
+
+From: Oliver Neukum
+
+commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 upstream.
+
+We have to drop the mutex before we close() upon disconnect()
+as close() needs the lock. This is safe to do by dropping the
+mutex as intfdata is already set to NULL, so open() will fail.
+
+Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
+Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
+Cc: stable
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/iowarrior.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -886,19 +886,20 @@ static void iowarrior_disconnect(struct
+ dev = usb_get_intfdata(interface);
+ mutex_lock(&iowarrior_open_disc_lock);
+ usb_set_intfdata(interface, NULL);
++ /* prevent device read, write and ioctl */
++ dev->present = 0;
+
+ minor = dev->minor;
++ mutex_unlock(&iowarrior_open_disc_lock);
++ /* give back our minor - this will call close() locks need to be dropped at this point*/
+
+- /* give back our minor */
+ usb_deregister_dev(interface, &iowarrior_class);
+
+ mutex_lock(&dev->mutex);
+
+ /* prevent device read, write and ioctl */
+- dev->present = 0;
+
+ mutex_unlock(&dev->mutex);
+- mutex_unlock(&iowarrior_open_disc_lock);
+
+ if (dev->opened) {
+ /* There is a process that holds a filedescriptor to the device ,
diff --git a/queue-4.9/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch b/queue-4.9/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
new file mode 100644
index 00000000000..c9652531de9
--- /dev/null
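Review bot: After this change the `mutex_lock(&dev->mutex)` / `mutex_unlock(&dev->mutex)` pair in iowarrior_disconnect() encloses only the leftover comment `/* prevent device read, write and ioctl */`, while `dev->present = 0` is now stored earlier under iowarrior_open_disc_lock alone. If read, write and ioctl test `dev->present` under dev->mutex (not visible in this hunk), the store is no longer ordered by that lock, and the empty critical section only waits for callers already inside. The leftover comment should say so, e.g. `/* wait for read, write and ioctl callers that still hold dev->mutex */`. The run-on comment added above usb_deregister_dev() would read better as `/* give back our minor - this will call close(), so the lock must be dropped first */`. The function starts before the hunk and continues past its end.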
+++ b/queue-4.9/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
@@ -0,0 +1,34 @@
+From c43f28dfdc4654e738aa6d3fd08a105b2bee758d Mon Sep 17 00:00:00 2001
+From: Gavin Li
+Date: Sun, 4 Aug 2019 16:50:44 -0700
+Subject: usb: usbfs: fix double-free of usb memory upon submiturb error
+
+From: Gavin Li
+
+commit c43f28dfdc4654e738aa6d3fd08a105b2bee758d upstream.
+
+Upon an error within proc_do_submiturb(), dec_usb_memory_use_count()
+gets called once by the error handling tail and again by free_async().
+Remove the first call.
+
+Signed-off-by: Gavin Li
+Acked-by: Alan Stern
+Cc: stable
+Link: https://lore.kernel.org/r/20190804235044.22327-1-gavinli@thegavinli.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/devio.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1810,8 +1810,6 @@ static int proc_do_submiturb(struct usb_
+ return 0;
+
+ error:
+- if (as && as->usbm)
+- dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
+ kfree(isopkt);
+ kfree(dr);
+ if (as)
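Review bot: With the explicit decrement removed, the `error:` tail of proc_do_submiturb() depends entirely on free_async(), which is outside this hunk, to drop the usbm use count, and nothing at the label says so. A comment there, such as `/* free_async() drops as->usbm's urb_use_count; do not decrement it here */`, would keep the double decrement from being reintroduced. It is also worth confirming in the 4.9 tree that no error path reaches this label holding a usbm reference that has not yet been stored in `as->usbm`, since that reference would then never be released. The function starts before the hunk and the `if (as)` statement continues past its end.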