From: Greg Kroah-Hartman Date: Fri, 13 Dec 2019 17:39:11 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v5.4.4~93 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4999577fb8c54008c70504469d26314d14d4b22a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: usb-gadget-configfs-fix-missing-spin_lock_init.patch usb-gadget-pch_udc-fix-use-after-free.patch --- diff --git a/queue-4.14/series b/queue-4.14/series index fb3d15ecda4..7f4c6730ad0 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -154,6 +154,8 @@ asoc-rsnd-fixup-mix-kctrl-registration.patch kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch appletalk-set-error-code-if-register_snap_client-failed.patch +usb-gadget-configfs-fix-missing-spin_lock_init.patch +usb-gadget-pch_udc-fix-use-after-free.patch alsa-hda-fix-pending-unsol-events-at-shutdown.patch md-raid0-fix-an-error-message-in-raid0_make_request.patch watchdog-aspeed-fix-clock-behaviour-for-ast2600.patch diff --git a/queue-4.14/usb-gadget-configfs-fix-missing-spin_lock_init.patch b/queue-4.14/usb-gadget-configfs-fix-missing-spin_lock_init.patch new file mode 100644 index 00000000000..8c20962d1aa --- /dev/null +++ b/queue-4.14/usb-gadget-configfs-fix-missing-spin_lock_init.patch @@ -0,0 +1,35 @@ +From 093edc2baad2c258b1f55d1ab9c63c2b5ae67e42 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Wed, 30 Oct 2019 03:40:46 +0000 +Subject: usb: gadget: configfs: Fix missing spin_lock_init() + +From: Wei Yongjun + +commit 093edc2baad2c258b1f55d1ab9c63c2b5ae67e42 upstream. + +The driver allocates the spinlock but not initialize it. +Use spin_lock_init() on it to initialize it correctly. + +This is detected by Coccinelle semantic patch. + +Fixes: 1a1c851bbd70 ("usb: gadget: configfs: fix concurrent issue between composite APIs") +Signed-off-by: Wei Yongjun +Cc: stable +Reviewed-by: Peter Chen +Link: https://lore.kernel.org/r/20191030034046.188808-1-weiyongjun1@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/configfs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -1543,6 +1543,7 @@ static struct config_group *gadgets_make + gi->composite.resume = NULL; + gi->composite.max_speed = USB_SPEED_SUPER; + ++ spin_lock_init(&gi->spinlock); + mutex_init(&gi->lock); + INIT_LIST_HEAD(&gi->string_list); + INIT_LIST_HEAD(&gi->available_func); diff --git a/queue-4.14/usb-gadget-pch_udc-fix-use-after-free.patch b/queue-4.14/usb-gadget-pch_udc-fix-use-after-free.patch new file mode 100644 index 00000000000..690805caabd --- /dev/null +++ b/queue-4.14/usb-gadget-pch_udc-fix-use-after-free.patch @@ -0,0 +1,35 @@ +From 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Wed, 6 Nov 2019 14:28:21 -0600 +Subject: usb: gadget: pch_udc: fix use after free + +From: Gustavo A. R. Silva + +commit 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 upstream. + +Remove pointer dereference after free. + +pci_pool_free doesn't care about contents of td. +It's just a void* for it + +Addresses-Coverity-ID: 1091173 ("Use after free") +Cc: stable@vger.kernel.org +Acked-by: Michal Nazarewicz +Signed-off-by: Gustavo A. R. Silva +Link: https://lore.kernel.org/r/20191106202821.GA20347@embeddedor +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/pch_udc.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/gadget/udc/pch_udc.c ++++ b/drivers/usb/gadget/udc/pch_udc.c +@@ -1523,7 +1523,6 @@ static void pch_udc_free_dma_chain(struc + td = phys_to_virt(addr); + addr2 = (dma_addr_t)td->next; + dma_pool_free(dev->data_requests, td, addr); +- td->next = 0x00; + addr = addr2; + } + req->chain_len = 1;