From: Greg Kroah-Hartman
Date: Mon, 2 Mar 2020 19:37:47 +0000 (+0100)
Subject: 4.9-stable patches
X-Git-Tag: v4.19.108~58
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=647087d08fe2a08b22c21029ffd1b177825ef85b;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
i2c-jz4780-silence-log-flood-on-txabrt.patch
mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
---
diff --git a/queue-4.9/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch b/queue-4.9/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
new file mode 100644
index 00000000000..901862ab881
--- /dev/null
+++ b/queue-4.9/hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
@@ -0,0 +1,39 @@
+From 5c02c447eaeda29d3da121a2e17b97ccaf579b51 Mon Sep 17 00:00:00 2001
+From: "dan.carpenter@oracle.com"
+Date: Wed, 15 Jan 2020 20:46:28 +0300
+Subject: HID: hiddev: Fix race in in hiddev_disconnect()
+
+From: dan.carpenter@oracle.com
+
+commit 5c02c447eaeda29d3da121a2e17b97ccaf579b51 upstream.
+
+Syzbot reports that "hiddev" is used after it's free in hiddev_disconnect().
+The hiddev_disconnect() function sets "hiddev->exist = 0;" so
+hiddev_release() can free it as soon as we drop the "existancelock"
+lock. This patch moves the mutex_unlock(&hiddev->existancelock) until
+after we have finished using it.
+
+Reported-by: syzbot+784ccb935f9900cc7c9e@syzkaller.appspotmail.com
+Fixes: 7f77897ef2b6 ("HID: hiddev: fix potential use-after-free")
+Suggested-by: Alan Stern
+Signed-off-by: Dan Carpenter
+Signed-off-by: Jiri Kosina
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hid/usbhid/hiddev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -962,9 +962,9 @@ void hiddev_disconnect(struct hid_device
+ hiddev->exist = 0;
+
+ if (hiddev->open) {
+- mutex_unlock(&hiddev->existancelock);
+ usbhid_close(hiddev->hid);
+ wake_up_interruptible(&hiddev->wait);
++ mutex_unlock(&hiddev->existancelock);
+ } else {
+ mutex_unlock(&hiddev->existancelock);
+ kfree(hiddev);
diff --git a/queue-4.9/i2c-jz4780-silence-log-flood-on-txabrt.patch b/queue-4.9/i2c-jz4780-silence-log-flood-on-txabrt.patch
new file mode 100644
index 00000000000..3beeec98158
--- /dev/null
+++ b/queue-4.9/i2c-jz4780-silence-log-flood-on-txabrt.patch
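Review bot: The reason the unlock has to come last in the `if (hiddev->open)` branch is carried only by the commit message, so the moved `mutex_unlock(&hiddev->existancelock);` should get a comment such as `/* hiddev_release() may free hiddev once exist is 0 and the lock is dropped, so unlock last */`. Without it the ordering looks arbitrary and is easy to undo in a later cleanup, which would reopen the use-after-free that syzbot reported. usbhid_close() and wake_up_interruptible() now run with existancelock held; it is worth confirming that neither path takes that lock again, which cannot be checked from these lines. hiddev_disconnect() starts and ends outside the hunk.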
@@ -0,0 +1,76 @@
+From 9e661cedcc0a072d91a32cb88e0515ea26e35711 Mon Sep 17 00:00:00 2001
+From: Wolfram Sang
+Date: Wed, 12 Feb 2020 10:35:30 +0100
+Subject: i2c: jz4780: silence log flood on txabrt
+
+From: Wolfram Sang
+
+commit 9e661cedcc0a072d91a32cb88e0515ea26e35711 upstream.
+
+The printout for txabrt is way too talkative and is highly annoying with
+scanning programs like 'i2cdetect'. Reduce it to the minimum, the rest
+can be gained by I2C core debugging and datasheet information. Also,
+make it a debug printout, it won't help the regular user.
+
+Fixes: ba92222ed63a ("i2c: jz4780: Add i2c bus controller driver for Ingenic JZ4780")
+Reported-by: H. Nikolaus Schaller
+Tested-by: H. Nikolaus Schaller
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-jz4780.c | 36 ++----------------------------------
+ 1 file changed, 2 insertions(+), 34 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-jz4780.c
++++ b/drivers/i2c/busses/i2c-jz4780.c
+@@ -82,25 +82,6 @@
+ #define JZ4780_I2C_STA_TFNF BIT(1)
+ #define JZ4780_I2C_STA_ACT BIT(0)
+
+-static const char * const jz4780_i2c_abrt_src[] = {
+- "ABRT_7B_ADDR_NOACK",
+- "ABRT_10ADDR1_NOACK",
+- "ABRT_10ADDR2_NOACK",
+- "ABRT_XDATA_NOACK",
+- "ABRT_GCALL_NOACK",
+- "ABRT_GCALL_READ",
+- "ABRT_HS_ACKD",
+- "SBYTE_ACKDET",
+- "ABRT_HS_NORSTRT",
+- "SBYTE_NORSTRT",
+- "ABRT_10B_RD_NORSTRT",
+- "ABRT_MASTER_DIS",
+- "ARB_LOST",
+- "SLVFLUSH_TXFIFO",
+- "SLV_ARBLOST",
+- "SLVRD_INTX",
+-};
+-
+ #define JZ4780_I2C_INTST_IGC BIT(11)
+ #define JZ4780_I2C_INTST_ISTT BIT(10)
+ #define JZ4780_I2C_INTST_ISTP BIT(9)
+@@ -538,21 +519,8 @@ done:
+
+ static void jz4780_i2c_txabrt(struct jz4780_i2c *i2c, int src)
+ {
+- int i;
+-
+- dev_err(&i2c->adap.dev, "txabrt: 0x%08x\n", src);
+- dev_err(&i2c->adap.dev, "device addr=%x\n",
+- jz4780_i2c_readw(i2c, JZ4780_I2C_TAR));
+- dev_err(&i2c->adap.dev, "send cmd count:%d %d\n",
+- i2c->cmd, i2c->cmd_buf[i2c->cmd]);
+- dev_err(&i2c->adap.dev, "receive data count:%d %d\n",
+- i2c->cmd, i2c->data_buf[i2c->cmd]);
+-
+- for (i = 0; i < 16; i++) {
+- if (src & BIT(i))
+- dev_dbg(&i2c->adap.dev, "I2C TXABRT[%d]=%s\n",
+- i, jz4780_i2c_abrt_src[i]);
+- }
++ dev_dbg(&i2c->adap.dev, "txabrt: 0x%08x, cmd: %d, send: %d, recv: %d\n",
++ src, i2c->cmd, i2c->cmd_buf[i2c->cmd], i2c->data_buf[i2c->cmd]);
+ }
+
+ static inline int jz4780_i2c_xfer_read(struct jz4780_i2c *i2c,
diff --git a/queue-4.9/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch b/queue-4.9/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
new file mode 100644
index 00000000000..7d8ed6c2a47
--- /dev/null
+++ b/queue-4.9/mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
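Review bot: The single `dev_dbg` left in jz4780_i2c_txabrt() still reads `i2c->cmd_buf[i2c->cmd]` and `i2c->data_buf[i2c->cmd]`, and nothing in the hunk bounds `i2c->cmd` against the size of either array. The same indexing was already in the removed dev_err calls, so it is not new. Unless a bound is enforced elsewhere in the driver, the two buffer reads could be dropped from the now debug-only message, leaving `dev_dbg(&i2c->adap.dev, "txabrt: 0x%08x, cmd: %d\n", src, i2c->cmd);`. As a smaller point, `src` is an `int` printed with `%08x`; casting it to `unsigned int` at the call would match the format.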
@@ -0,0 +1,42 @@
+From bef8e2dfceed6daeb6ca3e8d33f9c9d43b926580 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sun, 2 Feb 2020 21:19:22 +0100
+Subject: MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
+
+From: Christophe JAILLET
+
+commit bef8e2dfceed6daeb6ca3e8d33f9c9d43b926580 upstream.
+
+Pointer on the memory allocated by 'alloc_progmem()' is stored in
+'v->load_addr'. So this is this memory that should be freed by
+'release_progmem()'.
+
+'release_progmem()' is only a call to 'kfree()'.
+
+With the current code, there is both a double free and a memory leak.
+Fix it by passing the correct pointer to 'release_progmem()'.
+
+Fixes: e01402b115ccc ("More AP / SP bits for the 34K, the Malta bits and things. Still wants")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Paul Burton
+Cc: ralf@linux-mips.org
+Cc: linux-mips@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: kernel-janitors@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/vpe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/mips/kernel/vpe.c
++++ b/arch/mips/kernel/vpe.c
+@@ -134,7 +134,7 @@ void release_vpe(struct vpe *v)
+ {
+ list_del(&v->list);
+ if (v->load_addr)
+- release_progmem(v);
++ release_progmem(v->load_addr);
+ kfree(v);
+ }
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 8c187f685dd..fb429cbb1dc 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -32,3 +32,6 @@ acpica-introduce-acpi_access_byte_width-macro.patch
 acpi-watchdog-fix-gas-access_width-usage.patch
 hid-core-fix-off-by-one-memset-in-hid_report_raw_event.patch
 hid-core-increase-hid-report-buffer-size-to-8kib.patch
+hid-hiddev-fix-race-in-in-hiddev_disconnect.patch
+mips-vpe-fix-a-double-free-and-a-memory-leak-in-release_vpe.patch
+i2c-jz4780-silence-log-flood-on-txabrt.patch
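Review bot: release_vpe() frees two separate allocations and nothing in the function says which is which. A comment above the corrected call, such as `/* load_addr is the alloc_progmem() buffer; v itself is freed by the kfree() below */`, would document the ownership this fix restores. The old `release_progmem(v)` compiled without complaint, so the parameter is presumably an untyped pointer and the compiler will not catch the same mix-up if it is reintroduced. If release_progmem() is only a kfree(), as the commit message states, the `if (v->load_addr)` guard is also redundant, since kfree(NULL) is a no-op.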