From: Greg Kroah-Hartman Date: Sun, 11 Aug 2019 15:04:27 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v5.2.9~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a7c7975207b728626e6c0055360742f951fc59ee;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch iio-adc-max9611-fix-misuse-of-genmask-macro.patch input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch loop-set-pf_memalloc_noio-for-the-worker-thread.patch mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch sound-fix-a-memory-leak-bug.patch usb-iowarrior-fix-deadlock-on-disconnect.patch usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
---
diff --git a/queue-4.14/crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch b/queue-4.14/crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch
new file mode 100644
index 00000000000..0092f00a6f5
--- /dev/null
+++ b/queue-4.14/crypto-ccp-fix-oops-by-properly-managing-allocated-structures.patch
@@ -0,0 +1,39 @@
+From 25e44338321af545ab34243a6081c3f0fc6107d0 Mon Sep 17 00:00:00 2001
+From: Gary R Hook
+Date: Tue, 30 Jul 2019 16:05:22 +0000
+Subject: crypto: ccp - Fix oops by properly managing allocated structures
+
+From: Gary R Hook
+
+commit 25e44338321af545ab34243a6081c3f0fc6107d0 upstream.
+
+A plaintext or ciphertext length of 0 is allowed in AES, in which case
+no encryption occurs. Ensure that we don't clean up data structures
+that were never allocated.
+
+Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Cc:
+Signed-off-by: Gary R Hook
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/ccp/ccp-ops.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -841,11 +841,11 @@ e_tag:
+ ccp_dm_free(&final_wa);
+
+ e_dst:
+- if (aes->src_len && !in_place)
++ if (ilen > 0 && !in_place)
+ ccp_free_data(&dst, cmd_q);
+
+ e_src:
+- if (aes->src_len)
++ if (ilen > 0)
+ ccp_free_data(&src, cmd_q);
+
+ e_aad:
diff --git a/queue-4.14/crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch b/queue-4.14/crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch
new file mode 100644
index 00000000000..5d8717d5ad6
--- /dev/null
+++ b/queue-4.14/crypto-ccp-ignore-tag-length-when-decrypting-gcm-ciphertext.patch
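Review bot: The new guards at `e_dst:` and `e_src:` test `ilen`, which is declared and assigned outside this hunk, so the backport is only correct if the 4.14 copy of the function already has `ilen` and sets up `src` and `dst` under the same `ilen`-based condition. If the set-up is still keyed on `aes->src_len` in this tree, cleanup and allocation would disagree again, either freeing a work area that was never initialised or leaking one that was. A short comment above each label, such as `/* src is only set up when ilen is non-zero */`, would keep the pairing visible. The same dependency on `ilen` applies to the second ccp patch in this queue.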
@@ -0,0 +1,34 @@
+From e2664ecbb2f26225ac6646876f2899558ffb2604 Mon Sep 17 00:00:00 2001
+From: Gary R Hook
+Date: Tue, 30 Jul 2019 16:05:26 +0000
+Subject: crypto: ccp - Ignore tag length when decrypting GCM ciphertext
+
+From: Gary R Hook
+
+commit e2664ecbb2f26225ac6646876f2899558ffb2604 upstream.
+
+AES GCM input buffers for decryption contain AAD+CTEXT+TAG. Only
+decrypt the ciphertext, and use the tag for comparison.
+
+Fixes: 36cf515b9bbe2 ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
+Cc:
+Signed-off-by: Gary R Hook
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/crypto/ccp/ccp-ops.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -752,8 +752,7 @@ static int ccp_run_aes_gcm_cmd(struct cc
+ while (src.sg_wa.bytes_left) {
+ ccp_prepare_data(&src, &dst, &op, AES_BLOCK_SIZE, true);
+ if (!src.sg_wa.bytes_left) {
+- unsigned int nbytes = aes->src_len
+- % AES_BLOCK_SIZE;
++ unsigned int nbytes = ilen % AES_BLOCK_SIZE;
+
+ if (nbytes) {
+ op.eom = 1;
diff --git a/queue-4.14/iio-adc-max9611-fix-misuse-of-genmask-macro.patch b/queue-4.14/iio-adc-max9611-fix-misuse-of-genmask-macro.patch
new file mode 100644
index 00000000000..6df9a90530e
--- /dev/null
+++ b/queue-4.14/iio-adc-max9611-fix-misuse-of-genmask-macro.patch
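Review bot: `nbytes = ilen % AES_BLOCK_SIZE` relies on `ilen` already excluding the tag on decryption, and that derivation is outside this hunk. If `ilen` is obtained by subtracting the tag size from `aes->src_len`, a decrypt request whose source is shorter than the tag would wrap an unsigned length before this loop runs. It is worth confirming that the 4.14 tree rejects that case ahead of the subtraction, with a guard of the form `if (aes->src_len < tag_len) return -EINVAL;`, where `tag_len` is a placeholder for whatever tag size this tree uses. The enclosing `ccp_run_aes_gcm_cmd()` starts and ends outside the hunk.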
@@ -0,0 +1,32 @@
+From ae8cc91a7d85e018c0c267f580820b2bb558cd48 Mon Sep 17 00:00:00 2001
+From: Joe Perches
+Date: Tue, 9 Jul 2019 22:04:17 -0700
+Subject: iio: adc: max9611: Fix misuse of GENMASK macro
+
+From: Joe Perches
+
+commit ae8cc91a7d85e018c0c267f580820b2bb558cd48 upstream.
+
+Arguments are supposed to be ordered high then low.
+
+Signed-off-by: Joe Perches
+Fixes: 69780a3bbc0b ("iio: adc: Add Maxim max9611 ADC driver")
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/adc/max9611.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/max9611.c
++++ b/drivers/iio/adc/max9611.c
+@@ -86,7 +86,7 @@
+ #define MAX9611_TEMP_MAX_POS 0x7f80
+ #define MAX9611_TEMP_MAX_NEG 0xff80
+ #define MAX9611_TEMP_MIN_NEG 0xd980
+-#define MAX9611_TEMP_MASK GENMASK(7, 15)
++#define MAX9611_TEMP_MASK GENMASK(15, 7)
+ #define MAX9611_TEMP_SHIFT 0x07
+ #define MAX9611_TEMP_RAW(_r) ((_r) >> MAX9611_TEMP_SHIFT)
+ #define MAX9611_TEMP_SCALE_NUM 1000000
diff --git a/queue-4.14/input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch b/queue-4.14/input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch
new file mode 100644
index 00000000000..48ee2fd5bf2
--- /dev/null
+++ b/queue-4.14/input-synaptics-enable-rmi-mode-for-hp-spectre-x360.patch
@@ -0,0 +1,33 @@
+From 25f8c834e2a6871920cc1ca113f02fb301d007c3 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov
+Date: Fri, 12 Jul 2019 11:37:17 -0700
+Subject: Input: synaptics - enable RMI mode for HP Spectre X360
+
+From: Dmitry Torokhov
+
+commit 25f8c834e2a6871920cc1ca113f02fb301d007c3 upstream.
+
+The 2016 kabylake HP Spectre X360 (model number 13-w013dx) works much better
+with psmouse.synaptics_intertouch=1 kernel parameter, so let's enable RMI4
+mode automatically.
+
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204115
+Reported-by: Nate Graham
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/mouse/synaptics.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/mouse/synaptics.c
++++ b/drivers/input/mouse/synaptics.c
+@@ -185,6 +185,7 @@ static const char * const smbus_pnp_ids[
+ "LEN2055", /* E580 */
+ "SYN3052", /* HP EliteBook 840 G4 */
+ "SYN3221", /* HP 15-ay000 */
++ "SYN323d", /* HP Spectre X360 13-w013dx */
+ NULL
+ };
+
diff --git a/queue-4.14/loop-set-pf_memalloc_noio-for-the-worker-thread.patch b/queue-4.14/loop-set-pf_memalloc_noio-for-the-worker-thread.patch
new file mode 100644
index 00000000000..14e7556835e
--- /dev/null
+++ b/queue-4.14/loop-set-pf_memalloc_noio-for-the-worker-thread.patch
@@ -0,0 +1,82 @@
+From d0a255e795ab976481565f6ac178314b34fbf891 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Thu, 8 Aug 2019 11:17:01 -0400
+Subject: loop: set PF_MEMALLOC_NOIO for the worker thread
+
+From: Mikulas Patocka
+
+commit d0a255e795ab976481565f6ac178314b34fbf891 upstream.
+
+A deadlock with this stacktrace was observed.
+
+The loop thread does a GFP_KERNEL allocation, it calls into dm-bufio
+shrinker and the shrinker depends on I/O completion in the dm-bufio
+subsystem.
+
+In order to fix the deadlock (and other similar ones), we set the flag
+PF_MEMALLOC_NOIO at loop thread entry.
+
+PID: 474 TASK: ffff8813e11f4600 CPU: 10 COMMAND: "kswapd0"
+ #0 [ffff8813dedfb938] __schedule at ffffffff8173f405
+ #1 [ffff8813dedfb990] schedule at ffffffff8173fa27
+ #2 [ffff8813dedfb9b0] schedule_timeout at ffffffff81742fec
+ #3 [ffff8813dedfba60] io_schedule_timeout at ffffffff8173f186
+ #4 [ffff8813dedfbaa0] bit_wait_io at ffffffff8174034f
+ #5 [ffff8813dedfbac0] __wait_on_bit at ffffffff8173fec8
+ #6 [ffff8813dedfbb10] out_of_line_wait_on_bit at ffffffff8173ff81
+ #7 [ffff8813dedfbb90] __make_buffer_clean at ffffffffa038736f [dm_bufio]
+ #8 [ffff8813dedfbbb0] __try_evict_buffer at ffffffffa0387bb8 [dm_bufio]
+ #9 [ffff8813dedfbbd0] dm_bufio_shrink_scan at ffffffffa0387cc3 [dm_bufio]
+ #10 [ffff8813dedfbc40] shrink_slab at ffffffff811a87ce
+ #11 [ffff8813dedfbd30] shrink_zone at ffffffff811ad778
+ #12 [ffff8813dedfbdc0] kswapd at ffffffff811ae92f
+ #13 [ffff8813dedfbec0] kthread at ffffffff810a8428
+ #14 [ffff8813dedfbf50] ret_from_fork at ffffffff81745242
+
+ PID: 14127 TASK: ffff881455749c00 CPU: 11 COMMAND: "loop1"
+ #0 [ffff88272f5af228] __schedule at ffffffff8173f405
+ #1 [ffff88272f5af280] schedule at ffffffff8173fa27
+ #2 [ffff88272f5af2a0] schedule_preempt_disabled at ffffffff8173fd5e
+ #3 [ffff88272f5af2b0] __mutex_lock_slowpath at ffffffff81741fb5
+ #4 [ffff88272f5af330] mutex_lock at ffffffff81742133
+ #5 [ffff88272f5af350] dm_bufio_shrink_count at ffffffffa03865f9 [dm_bufio]
+ #6 [ffff88272f5af380] shrink_slab at ffffffff811a86bd
+ #7 [ffff88272f5af470] shrink_zone at ffffffff811ad778
+ #8 [ffff88272f5af500] do_try_to_free_pages at ffffffff811adb34
+ #9 [ffff88272f5af590] try_to_free_pages at ffffffff811adef8
+ #10 [ffff88272f5af610] __alloc_pages_nodemask at ffffffff811a09c3
+ #11 [ffff88272f5af710] alloc_pages_current at ffffffff811e8b71
+ #12 [ffff88272f5af760] new_slab at ffffffff811f4523
+ #13 [ffff88272f5af7b0] __slab_alloc at ffffffff8173a1b5
+ #14 [ffff88272f5af880] kmem_cache_alloc at ffffffff811f484b
+ #15 [ffff88272f5af8d0] do_blockdev_direct_IO at ffffffff812535b3
+ #16 [ffff88272f5afb00] __blockdev_direct_IO at ffffffff81255dc3
+ #17 [ffff88272f5afb30] xfs_vm_direct_IO at ffffffffa01fe3fc [xfs]
+ #18 [ffff88272f5afb90] generic_file_read_iter at ffffffff81198994
+ #19 [ffff88272f5afc50] __dta_xfs_file_read_iter_2398 at ffffffffa020c970 [xfs]
+ #20 [ffff88272f5afcc0] lo_rw_aio at ffffffffa0377042 [loop]
+ #21 [ffff88272f5afd70] loop_queue_work at ffffffffa0377c3b [loop]
+ #22 [ffff88272f5afe60] kthread_worker_fn at ffffffff810a8a0c
+ #23 [ffff88272f5afec0] kthread at ffffffff810a8428
+ #24 [ffff88272f5aff50] ret_from_fork at ffffffff81745242
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/loop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/loop.c
++++ b/drivers/block/loop.c
+@@ -857,7 +857,7 @@ static void loop_unprepare_queue(struct
+
+ static int loop_kthread_worker_fn(void *worker_ptr)
+ {
+- current->flags |= PF_LESS_THROTTLE;
++ current->flags |= PF_LESS_THROTTLE | PF_MEMALLOC_NOIO;
+ return kthread_worker_fn(worker_ptr);
+ }
+
diff --git a/queue-4.14/mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch b/queue-4.14/mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch
new file mode 100644
index 00000000000..7fad437b857
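Review bot: `loop_kthread_worker_fn()` now sets `PF_MEMALLOC_NOIO` with no comment, so the reason for the flag lives only in the commit message. A later cleanup could drop it as an unexplained oddity and bring back the deadlock shown in the traces. I would add above the assignment: `/* The worker must not start I/O from memory reclaim: reclaim may wait on I/O that only this thread can complete. */`. The flag is set once on `current` and never cleared, which suits a dedicated kthread but is worth stating in the same comment.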
--- /dev/null
+++ b/queue-4.14/mmc-cavium-add-the-missing-dma-unmap-when-the-dma-has-finished.patch
@@ -0,0 +1,71 @@
+From b803974a86039913d5280add083d730b2b9ed8ec Mon Sep 17 00:00:00 2001
+From: Kevin Hao
+Date: Fri, 26 Jul 2019 10:30:49 +0800
+Subject: mmc: cavium: Add the missing dma unmap when the dma has finished.
+
+From: Kevin Hao
+
+commit b803974a86039913d5280add083d730b2b9ed8ec upstream.
+
+This fixes the below calltrace when the CONFIG_DMA_API_DEBUG is enabled.
+ DMA-API: thunderx_mmc 0000:01:01.4: cpu touching an active dma mapped cacheline [cln=0x000000002fdf9800]
+ WARNING: CPU: 21 PID: 1 at kernel/dma/debug.c:596 debug_dma_assert_idle+0x1f8/0x270
+ Modules linked in:
+ CPU: 21 PID: 1 Comm: init Not tainted 5.3.0-rc1-next-20190725-yocto-standard+ #64
+ Hardware name: Marvell OcteonTX CN96XX board (DT)
+ pstate: 80400009 (Nzcv daif +PAN -UAO)
+ pc : debug_dma_assert_idle+0x1f8/0x270
+ lr : debug_dma_assert_idle+0x1f8/0x270
+ sp : ffff0000113cfc10
+ x29: ffff0000113cfc10 x28: 0000ffff8c880000
+ x27: ffff800bc72a0000 x26: ffff000010ff8000
+ x25: ffff000010ff8940 x24: ffff000010ff8968
+ x23: 0000000000000000 x22: ffff000010e83700
+ x21: ffff000010ea2000 x20: ffff000010e835c8
+ x19: ffff800bc2c73300 x18: ffffffffffffffff
+ x17: 0000000000000000 x16: 0000000000000000
+ x15: ffff000010e835c8 x14: 6d20616d64206576
+ x13: 69746361206e6120 x12: 676e696863756f74
+ x11: 20757063203a342e x10: 31303a31303a3030
+ x9 : 303020636d6d5f78 x8 : 3230303030303030
+ x7 : 00000000000002fd x6 : ffff000010fd57d0
+ x5 : 0000000000000000 x4 : ffff0000106c5210
+ x3 : 00000000ffffffff x2 : 0000800bee9c0000
+ x1 : 57d5843f4aa62800 x0 : 0000000000000000
+ Call trace:
+ debug_dma_assert_idle+0x1f8/0x270
+ wp_page_copy+0xb0/0x688
+ do_wp_page+0xa8/0x5b8
+ __handle_mm_fault+0x600/0xd00
+ handle_mm_fault+0x118/0x1e8
+ do_page_fault+0x200/0x500
+ do_mem_abort+0x50/0xb0
+ el0_da+0x20/0x24
+ ---[ end trace a005534bd23e109f ]---
+ DMA-API: Mapped at:
+ debug_dma_map_sg+0x94/0x350
+ cvm_mmc_request+0x3c4/0x988
+ __mmc_start_request+0x9c/0x1f8
+ mmc_start_request+0x7c/0xb0
+ mmc_blk_mq_issue_rq+0x5c4/0x7b8
+
+Signed-off-by: Kevin Hao
+Fixes: ba3869ff32e4 ("mmc: cavium: Add core MMC driver for Cavium SOCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/cavium.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/cavium.c
++++ b/drivers/mmc/host/cavium.c
+@@ -374,6 +374,7 @@ static int finish_dma_single(struct cvm_
+ {
+ data->bytes_xfered = data->blocks * data->blksz;
+ data->error = 0;
++ dma_unmap_sg(host->dev, data->sg, data->sg_len, get_dma_dir(data));
+ return 1;
+ }
+
diff --git a/queue-4.14/mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch b/queue-4.14/mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch
new file mode 100644
index 00000000000..f18e96e6b32
--- /dev/null
+++ b/queue-4.14/mmc-cavium-set-the-correct-dma-max-segment-size-for-mmc_host.patch
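Review bot: The added `dma_unmap_sg()` in `finish_dma_single()` only covers this completion path; the matching map call and any error or timeout completions are outside the hunk. The unmap has to use the same device, scatterlist, entry count and direction as the map, so it is worth confirming that the mapping site also passes `data->sg_len` and `get_dma_dir(data)`. It is also worth checking that completions which bypass this function do not leave the buffer mapped. A one-line comment such as `/* pairs with the dma_map_sg() done when the request was started */` would document the pairing.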
@@ -0,0 +1,80 @@
+From fa25eba6993b3750f417baabba169afaba076178 Mon Sep 17 00:00:00 2001
+From: Kevin Hao
+Date: Fri, 26 Jul 2019 10:30:48 +0800
+Subject: mmc: cavium: Set the correct dma max segment size for mmc_host
+
+From: Kevin Hao
+
+commit fa25eba6993b3750f417baabba169afaba076178 upstream.
+
+We have set the mmc_host.max_seg_size to 8M, but the dma max segment
+size of PCI device is set to 64K by default in function pci_device_add().
+The mmc_host.max_seg_size is used to set the max segment size of
+the blk queue. Then this mismatch will trigger a calltrace like below
+when a bigger than 64K segment request arrives at mmc dev. So we should
+consider the limitation of the cvm_mmc_host when setting the
+mmc_host.max_seg_size.
+ DMA-API: thunderx_mmc 0000:01:01.4: mapping sg segment longer than device claims to support [len=131072] [max=65536]
+ WARNING: CPU: 6 PID: 238 at kernel/dma/debug.c:1221 debug_dma_map_sg+0x2b8/0x350
+ Modules linked in:
+ CPU: 6 PID: 238 Comm: kworker/6:1H Not tainted 5.3.0-rc1-next-20190724-yocto-standard+ #62
+ Hardware name: Marvell OcteonTX CN96XX board (DT)
+ Workqueue: kblockd blk_mq_run_work_fn
+ pstate: 80c00009 (Nzcv daif +PAN +UAO)
+ pc : debug_dma_map_sg+0x2b8/0x350
+ lr : debug_dma_map_sg+0x2b8/0x350
+ sp : ffff00001770f9e0
+ x29: ffff00001770f9e0 x28: ffffffff00000000
+ x27: 00000000ffffffff x26: ffff800bc2c73180
+ x25: ffff000010e83700 x24: 0000000000000002
+ x23: 0000000000000001 x22: 0000000000000001
+ x21: 0000000000000000 x20: ffff800bc48ba0b0
+ x19: ffff800bc97e8c00 x18: ffffffffffffffff
+ x17: 0000000000000000 x16: 0000000000000000
+ x15: ffff000010e835c8 x14: 6874207265676e6f
+ x13: 6c20746e656d6765 x12: 7320677320676e69
+ x11: 7070616d203a342e x10: 31303a31303a3030
+ x9 : 303020636d6d5f78 x8 : 35363d78616d5b20
+ x7 : 00000000000002fd x6 : ffff000010fd57dc
+ x5 : 0000000000000000 x4 : ffff0000106c61f0
+ x3 : 00000000ffffffff x2 : 0000800bee060000
+ x1 : 7010678df3041a00 x0 : 0000000000000000
+ Call trace:
+ debug_dma_map_sg+0x2b8/0x350
+ cvm_mmc_request+0x3c4/0x988
+ __mmc_start_request+0x9c/0x1f8
+ mmc_start_request+0x7c/0xb0
+ mmc_blk_mq_issue_rq+0x5c4/0x7b8
+ mmc_mq_queue_rq+0x11c/0x278
+ blk_mq_dispatch_rq_list+0xb0/0x568
+ blk_mq_do_dispatch_sched+0x6c/0x108
+ blk_mq_sched_dispatch_requests+0x110/0x1b8
+ __blk_mq_run_hw_queue+0xb0/0x118
+ blk_mq_run_work_fn+0x28/0x38
+ process_one_work+0x210/0x490
+ worker_thread+0x48/0x458
+ kthread+0x130/0x138
+ ret_from_fork+0x10/0x1c
+
+Signed-off-by: Kevin Hao
+Fixes: ba3869ff32e4 ("mmc: cavium: Add core MMC driver for Cavium SOCs")
+Cc: stable@vger.kernel.org
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/cavium.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/cavium.c
++++ b/drivers/mmc/host/cavium.c
+@@ -1046,7 +1046,8 @@ int cvm_mmc_of_slot_probe(struct device
+ mmc->max_segs = 1;
+
+ /* DMA size field can address up to 8 MB */
+- mmc->max_seg_size = 8 * 1024 * 1024;
++ mmc->max_seg_size = min_t(unsigned int, 8 * 1024 * 1024,
++ dma_get_max_seg_size(host->dev));
+ mmc->max_req_size = mmc->max_seg_size;
+ /* External DMA is in 512 byte blocks */
+ mmc->max_blk_size = 512;
diff --git a/queue-4.14/sound-fix-a-memory-leak-bug.patch b/queue-4.14/sound-fix-a-memory-leak-bug.patch
new file mode 100644
index 00000000000..bcc066b25cf
--- /dev/null
+++ b/queue-4.14/sound-fix-a-memory-leak-bug.patch
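Review bot: The comment `/* DMA size field can address up to 8 MB */` above the assignment now explains only one of the two bounds passed to `min_t()`. I would extend it to `/* DMA size field can address up to 8 MB, but never exceed the device's DMA segment limit */` so the reason for `dma_get_max_seg_size(host->dev)` is visible where the value is set. `mmc->max_req_size` on the next line inherits the clamped value, which looks intended given `mmc->max_segs = 1`. The enclosing `cvm_mmc_of_slot_probe()` starts and ends outside the hunk.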
@@ -0,0 +1,39 @@
+From c7cd7c748a3250ca33509f9235efab9c803aca09 Mon Sep 17 00:00:00 2001
+From: Wenwen Wang
+Date: Thu, 8 Aug 2019 00:15:21 -0500
+Subject: sound: fix a memory leak bug
+
+From: Wenwen Wang
+
+commit c7cd7c748a3250ca33509f9235efab9c803aca09 upstream.
+
+In sound_insert_unit(), the controlling structure 's' is allocated through
+kmalloc(). Then it is added to the sound driver list by invoking
+__sound_insert_unit(). Later on, if __register_chrdev() fails, 's' is
+removed from the list through __sound_remove_unit(). If 'index' is not less
+than 0, -EBUSY is returned to indicate the error. However, 's' is not
+deallocated on this execution path, leading to a memory leak bug.
+
+To fix the above issue, free 's' before -EBUSY is returned.
+
+Signed-off-by: Wenwen Wang
+Cc:
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/sound_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/sound_core.c
++++ b/sound/sound_core.c
+@@ -287,7 +287,8 @@ retry:
+ goto retry;
+ }
+ spin_unlock(&sound_loader_lock);
+- return -EBUSY;
++ r = -EBUSY;
++ goto fail;
+ }
+ }
+
diff --git a/queue-4.14/usb-iowarrior-fix-deadlock-on-disconnect.patch b/queue-4.14/usb-iowarrior-fix-deadlock-on-disconnect.patch
new file mode 100644
index 00000000000..436d0379aa1
--- /dev/null
+++ b/queue-4.14/usb-iowarrior-fix-deadlock-on-disconnect.patch
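Review bot: `goto fail` is only safe here if the `fail:` label, which is outside this hunk, frees `s` without touching `sound_loader_lock`, because the preceding `spin_unlock()` has just released it. The free also depends on `s` having been unlinked by `__sound_remove_unit()` earlier on this path, which the commit message describes but the hunk does not show. Otherwise the list would keep a pointer to freed memory. A comment on the new lines, e.g. `/* s is already off the list; fail: frees it */`, would record both assumptions.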
@@ -0,0 +1,50 @@
+From c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 8 Aug 2019 11:27:28 +0200
+Subject: usb: iowarrior: fix deadlock on disconnect
+
+From: Oliver Neukum
+
+commit c468a8aa790e0dfe0a7f8a39db282d39c2c00b46 upstream.
+
+We have to drop the mutex before we close() upon disconnect()
+as close() needs the lock. This is safe to do by dropping the
+mutex as intfdata is already set to NULL, so open() will fail.
+
+Fixes: 03f36e885fc26 ("USB: open disconnect race in iowarrior")
+Reported-by: syzbot+a64a382964bf6c71a9c0@syzkaller.appspotmail.com
+Cc: stable
+Signed-off-by: Oliver Neukum
+Link: https://lore.kernel.org/r/20190808092728.23417-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/iowarrior.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -870,19 +870,20 @@ static void iowarrior_disconnect(struct
+ dev = usb_get_intfdata(interface);
+ mutex_lock(&iowarrior_open_disc_lock);
+ usb_set_intfdata(interface, NULL);
++ /* prevent device read, write and ioctl */
++ dev->present = 0;
+
+ minor = dev->minor;
++ mutex_unlock(&iowarrior_open_disc_lock);
++ /* give back our minor - this will call close() locks need to be dropped at this point*/
+
+- /* give back our minor */
+ usb_deregister_dev(interface, &iowarrior_class);
+
+ mutex_lock(&dev->mutex);
+
+ /* prevent device read, write and ioctl */
+- dev->present = 0;
+
+ mutex_unlock(&dev->mutex);
+- mutex_unlock(&iowarrior_open_disc_lock);
+
+ if (dev->opened) {
+ /* There is a process that holds a filedescriptor to the device ,
diff --git a/queue-4.14/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch b/queue-4.14/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
new file mode 100644
index 00000000000..3fe84eb9d03
--- /dev/null
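Review bot: `dev->present = 0` is now written under `iowarrior_open_disc_lock` only, and the `mutex_lock(&dev->mutex)` / `mutex_unlock(&dev->mutex)` pair further down is left empty apart from a stale `/* prevent device read, write and ioctl */` comment. If the read, write, ioctl and release paths test `present` under `dev->mutex` (they are outside this hunk), they no longer serialise against disconnect. A release racing with the `if (dev->opened)` test that follows could then free `dev` while disconnect is still using it. I would keep the early `mutex_unlock(&iowarrior_open_disc_lock)` that avoids the deadlock, but move `dev->present = 0;` back between `mutex_lock(&dev->mutex);` and `mutex_unlock(&dev->mutex);` and evaluate `dev->opened` inside that section. The new comment also needs punctuation, e.g. `/* give back our minor - this will call close(), so locks must be dropped first */`.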
+++ b/queue-4.14/usb-usbfs-fix-double-free-of-usb-memory-upon-submiturb-error.patch
@@ -0,0 +1,34 @@
+From c43f28dfdc4654e738aa6d3fd08a105b2bee758d Mon Sep 17 00:00:00 2001
+From: Gavin Li
+Date: Sun, 4 Aug 2019 16:50:44 -0700
+Subject: usb: usbfs: fix double-free of usb memory upon submiturb error
+
+From: Gavin Li
+
+commit c43f28dfdc4654e738aa6d3fd08a105b2bee758d upstream.
+
+Upon an error within proc_do_submiturb(), dec_usb_memory_use_count()
+gets called once by the error handling tail and again by free_async().
+Remove the first call.
+
+Signed-off-by: Gavin Li
+Acked-by: Alan Stern
+Cc: stable
+Link: https://lore.kernel.org/r/20190804235044.22327-1-gavinli@thegavinli.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/devio.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1811,8 +1811,6 @@ static int proc_do_submiturb(struct usb_
+ return 0;
+
+ error:
+- if (as && as->usbm)
+- dec_usb_memory_use_count(as->usbm, &as->usbm->urb_use_count);
+ kfree(isopkt);
+ kfree(dr);
+ if (as)