4.4-stable patches

added patches:
	crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
	power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
	scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch

diff --git a/queue-4.4/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch b/queue-4.4/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
new file mode 100644 (file)
index 0000000..e8ea559
--- /dev/null
+++ b/queue-4.4/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
@@ -0,0 +1,39 @@
+From 7db3b61b6bba4310f454588c2ca6faf2958ad79f Mon Sep 17 00:00:00 2001
+From: Herbert Xu <herbert@gondor.apana.org.au>
+Date: Fri, 6 Dec 2019 13:55:17 +0800
+Subject: crypto: api - Check spawn->alg under lock in crypto_drop_spawn
+
+From: Herbert Xu <herbert@gondor.apana.org.au>
+
+commit 7db3b61b6bba4310f454588c2ca6faf2958ad79f upstream.
+
+We need to check whether spawn->alg is NULL under lock as otherwise
+the algorithm could be removed from under us after we have checked
+it and found it to be non-NULL.  This could cause us to remove the
+spawn from a non-existent list.
+
+Fixes: 7ede5a5ba55a ("crypto: api - Fix crypto_drop_spawn crash...")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/algapi.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -653,11 +653,9 @@ EXPORT_SYMBOL_GPL(crypto_grab_spawn);
+ 
+ void crypto_drop_spawn(struct crypto_spawn *spawn)
+ {
+-      if (!spawn->alg)
+-              return;
+-
+       down_write(&crypto_alg_sem);
+-      list_del(&spawn->list);
++      if (spawn->alg)
++              list_del(&spawn->list);
+       up_write(&crypto_alg_sem);
+ }
+ EXPORT_SYMBOL_GPL(crypto_drop_spawn);

diff --git a/queue-4.4/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch b/queue-4.4/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
new file mode 100644 (file)
index 0000000..ec77276
--- /dev/null
+++ b/queue-4.4/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
@@ -0,0 +1,41 @@
+From a60ec78d306c6548d4adbc7918b587a723c555cc Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck <thesven73@gmail.com>
+Date: Thu, 19 Sep 2019 11:11:37 -0400
+Subject: power: supply: ltc2941-battery-gauge: fix use-after-free
+
+From: Sven Van Asbroeck <thesven73@gmail.com>
+
+commit a60ec78d306c6548d4adbc7918b587a723c555cc upstream.
+
+This driver's remove path calls cancel_delayed_work().
+However, that function does not wait until the work function
+finishes. This could mean that the work function is still
+running after the driver's remove function has finished,
+which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+that the work is properly cancelled, no longer running, and
+unable to re-schedule itself.
+
+This issue was detected with the help of Coccinelle.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/power/ltc2941-battery-gauge.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/ltc2941-battery-gauge.c
++++ b/drivers/power/ltc2941-battery-gauge.c
+@@ -364,7 +364,7 @@ static int ltc294x_i2c_remove(struct i2c
+ {
+       struct ltc294x_info *info = i2c_get_clientdata(client);
+ 
+-      cancel_delayed_work(&info->work);
++      cancel_delayed_work_sync(&info->work);
+       power_supply_unregister(info->supply);
+       return 0;
+ }

diff --git a/queue-4.4/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch b/queue-4.4/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
new file mode 100644 (file)
index 0000000..2fe6edc
--- /dev/null
+++ b/queue-4.4/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
@@ -0,0 +1,37 @@
+From 641e0efddcbde52461e017136acd3ce7f2ef0c14 Mon Sep 17 00:00:00 2001
+From: Quinn Tran <qutran@marvell.com>
+Date: Tue, 17 Dec 2019 14:06:16 -0800
+Subject: scsi: qla2xxx: Fix mtcp dump collection failure
+
+From: Quinn Tran <qutran@marvell.com>
+
+commit 641e0efddcbde52461e017136acd3ce7f2ef0c14 upstream.
+
+MTCP dump failed due to MB Reg 10 was picking garbage data from stack
+memory.
+
+Fixes: 81178772b636a ("[SCSI] qla2xxx: Implemetation of mctp.")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191217220617.28084-14-hmadhani@marvell.com
+Signed-off-by: Quinn Tran <qutran@marvell.com>
+Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/qla_mbx.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -5455,9 +5455,8 @@ qla2x00_dump_mctp_data(scsi_qla_host_t *
+       mcp->mb[7] = LSW(MSD(req_dma));
+       mcp->mb[8] = MSW(addr);
+       /* Setting RAM ID to valid */
+-      mcp->mb[10] |= BIT_7;
+       /* For MCTP RAM ID is 0x40 */
+-      mcp->mb[10] |= 0x40;
++      mcp->mb[10] = BIT_7 | 0x40;
+ 
+       mcp->out_mb |= MBX_10|MBX_8|MBX_7|MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|
+           MBX_0;

diff --git a/queue-4.4/series b/queue-4.4/series
index 2da13ff94035f2f4111b45320e295e669af52ac6..c6e566cc5030bbd8a528a5bd9133e06520818d4b 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -18,3 +18,6 @@ lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch
 powerpc-pseries-advance-pfn-if-section-is-not-present-in-lmb_is_removable.patch
 mmc-spi-toggle-spi-polarity-do-not-hardcode-it.patch
 pci-keystone-fix-link-training-retries-initiation.patch
+crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
+scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
+power-supply-ltc2941-battery-gauge-fix-use-after-free.patch