From 571a0d7633577295d2d57233eb1e318b0f3de324 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 13 Dec 2019 18:39:13 +0100
Subject: [PATCH] 4.19-stable patches
added patches:
series
usb-gadget-configfs-fix-missing-spin_lock_init.patch
usb-gadget-pch_udc-fix-use-after-free.patch
---
queue-4.19/series | 2 ++
...-configfs-fix-missing-spin_lock_init.patch | 35 +++++++++++++++++++
...sb-gadget-pch_udc-fix-use-after-free.patch | 35 +++++++++++++++++++
3 files changed, 72 insertions(+)
create mode 100644 queue-4.19/series
create mode 100644 queue-4.19/usb-gadget-configfs-fix-missing-spin_lock_init.patch
create mode 100644 queue-4.19/usb-gadget-pch_udc-fix-use-after-free.patch
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..9b04749e51f
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1,2 @@
+usb-gadget-configfs-fix-missing-spin_lock_init.patch
+usb-gadget-pch_udc-fix-use-after-free.patch
diff --git a/queue-4.19/usb-gadget-configfs-fix-missing-spin_lock_init.patch b/queue-4.19/usb-gadget-configfs-fix-missing-spin_lock_init.patch
new file mode 100644
index 00000000000..76bad4729ce
--- /dev/null
+++ b/queue-4.19/usb-gadget-configfs-fix-missing-spin_lock_init.patch
@@ -0,0 +1,35 @@
+From 093edc2baad2c258b1f55d1ab9c63c2b5ae67e42 Mon Sep 17 00:00:00 2001
+From: Wei Yongjun
+Date: Wed, 30 Oct 2019 03:40:46 +0000
+Subject: usb: gadget: configfs: Fix missing spin_lock_init()
+
+From: Wei Yongjun
+
+commit 093edc2baad2c258b1f55d1ab9c63c2b5ae67e42 upstream.
+
+The driver allocates the spinlock but not initialize it.
+Use spin_lock_init() on it to initialize it correctly.
+
+This is detected by Coccinelle semantic patch.
+
+Fixes: 1a1c851bbd70 ("usb: gadget: configfs: fix concurrent issue between composite APIs")
+Signed-off-by: Wei Yongjun
+Cc: stable
+Reviewed-by: Peter Chen
+Link: https://lore.kernel.org/r/20191030034046.188808-1-weiyongjun1@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/configfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1544,6 +1544,7 @@ static struct config_group *gadgets_make
+ gi->composite.resume = NULL;
+ gi->composite.max_speed = USB_SPEED_SUPER;
+
++ spin_lock_init(&gi->spinlock);
+ mutex_init(&gi->lock);
+ INIT_LIST_HEAD(&gi->string_list);
+ INIT_LIST_HEAD(&gi->available_func);
diff --git a/queue-4.19/usb-gadget-pch_udc-fix-use-after-free.patch b/queue-4.19/usb-gadget-pch_udc-fix-use-after-free.patch
new file mode 100644
index 00000000000..33074b67555
--- /dev/null
+++ b/queue-4.19/usb-gadget-pch_udc-fix-use-after-free.patch
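Review bot: The two locks initialised side by side in the configfs.c hunk, `gi->spinlock` and `gi->lock`, carry no comment saying what each one protects, and the initialiser added here had been missing since the commit named in the Fixes: tag. If the structure is zero-allocated (the allocation is outside the hunk), an uninitialised spinlock would probably only show up on builds with spinlock debugging or lockdep enabled, which is how a gap like this survives ordinary testing. I would add a short comment above the new line, for example `/* spinlock: taken from the composite callbacks; lock: serialises configfs access (TODO confirm) */`, and keep every lock initialiser for this structure in this one place. The body of the function named in the hunk header starts and ends outside the hunk.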
@@ -0,0 +1,35 @@
+From 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva"
+Date: Wed, 6 Nov 2019 14:28:21 -0600
+Subject: usb: gadget: pch_udc: fix use after free
+
+From: Gustavo A. R. Silva
+
+commit 66d1b0c0580b7f1b1850ee4423f32ac42afa2e92 upstream.
+
+Remove pointer dereference after free.
+
+pci_pool_free doesn't care about contents of td.
+It's just a void* for it
+
+Addresses-Coverity-ID: 1091173 ("Use after free")
+Cc: stable@vger.kernel.org
+Acked-by: Michal Nazarewicz
+Signed-off-by: Gustavo A. R. Silva
+Link: https://lore.kernel.org/r/20191106202821.GA20347@embeddedor
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/udc/pch_udc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/pch_udc.c
++++ b/drivers/usb/gadget/udc/pch_udc.c
+@@ -1520,7 +1520,6 @@ static void pch_udc_free_dma_chain(struc
+ td = phys_to_virt(addr);
+ addr2 = (dma_addr_t)td->next;
+ dma_pool_free(dev->data_requests, td, addr);
+- td->next = 0x00;
+ addr = addr2;
+ }
+ req->chain_len = 1;
--
2.47.3
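Review bot: `td = phys_to_virt(addr);` in the surviving loop body treats `addr` as a physical address, yet the same value is handed to `dma_pool_free()` as the DMA handle, and the two are only equal when no IOMMU or bounce buffering sits between the device and memory. On a system where they differ, the walk would read `td->next` from, and free, an unrelated kernel address, so dropping the write after free does not by itself make this loop memory-safe. A comment such as `/* assumes DMA handle == physical address; not valid behind an IOMMU */` would record the assumption, and a follow-up could keep each descriptor's CPU pointer alongside its handle instead of converting back. pch_udc_free_dma_chain starts and ends outside the hunk.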