From: Greg Kroah-Hartman Date: Fri, 7 Feb 2020 09:44:04 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.19.103~104 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a72ade2b9d8698bf58dca29c8a4da3fdfc4729fe;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch power-supply-ltc2941-battery-gauge-fix-use-after-free.patch scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
---
diff --git a/queue-4.4/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch b/queue-4.4/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
new file mode 100644
index 00000000000..e8ea5598ee9
--- /dev/null
+++ b/queue-4.4/crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
@@ -0,0 +1,39 @@
+From 7db3b61b6bba4310f454588c2ca6faf2958ad79f Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Fri, 6 Dec 2019 13:55:17 +0800
+Subject: crypto: api - Check spawn->alg under lock in crypto_drop_spawn
+
+From: Herbert Xu
+
+commit 7db3b61b6bba4310f454588c2ca6faf2958ad79f upstream.
+
+We need to check whether spawn->alg is NULL under lock as otherwise
+the algorithm could be removed from under us after we have checked
+it and found it to be non-NULL. This could cause us to remove the
+spawn from a non-existent list.
+
+Fixes: 7ede5a5ba55a ("crypto: api - Fix crypto_drop_spawn crash...")
+Cc:
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/algapi.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/crypto/algapi.c
++++ b/crypto/algapi.c
+@@ -653,11 +653,9 @@ EXPORT_SYMBOL_GPL(crypto_grab_spawn);
+
+ void crypto_drop_spawn(struct crypto_spawn *spawn)
+ {
+- if (!spawn->alg)
+- return;
+-
+ down_write(&crypto_alg_sem);
+- list_del(&spawn->list);
++ if (spawn->alg)
++ list_del(&spawn->list);
+ up_write(&crypto_alg_sem);
+ }
+ EXPORT_SYMBOL_GPL(crypto_drop_spawn);
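Review bot: The new `if (spawn->alg)` test in crypto_drop_spawn() (crypto/algapi.c) has no comment saying why it must sit between down_write() and up_write(), and the removed early return shows how easily such a check ends up outside the lock. I would add a comment above it such as `/* spawn->alg can be cleared when the algorithm is removed; test it only with crypto_alg_sem held */`. That wording follows the commit message; the code that clears spawn->alg is not visible in this hunk, so it is worth confirming that it does so under the same semaphore.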
diff --git a/queue-4.4/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch b/queue-4.4/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
new file mode 100644
index 00000000000..ec7727619e1
--- /dev/null
+++ b/queue-4.4/power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
@@ -0,0 +1,41 @@
+From a60ec78d306c6548d4adbc7918b587a723c555cc Mon Sep 17 00:00:00 2001
+From: Sven Van Asbroeck
+Date: Thu, 19 Sep 2019 11:11:37 -0400
+Subject: power: supply: ltc2941-battery-gauge: fix use-after-free
+
+From: Sven Van Asbroeck
+
+commit a60ec78d306c6548d4adbc7918b587a723c555cc upstream.
+
+This driver's remove path calls cancel_delayed_work().
+However, that function does not wait until the work function
+finishes. This could mean that the work function is still
+running after the driver's remove function has finished,
+which would result in a use-after-free.
+
+Fix by calling cancel_delayed_work_sync(), which ensures that
+that the work is properly cancelled, no longer running, and
+unable to re-schedule itself.
+
+This issue was detected with the help of Coccinelle.
+
+Cc: stable
+Signed-off-by: Sven Van Asbroeck
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/power/ltc2941-battery-gauge.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/power/ltc2941-battery-gauge.c
++++ b/drivers/power/ltc2941-battery-gauge.c
+@@ -364,7 +364,7 @@ static int ltc294x_i2c_remove(struct i2c
+ {
+ struct ltc294x_info *info = i2c_get_clientdata(client);
+
+- cancel_delayed_work(&info->work);
++ cancel_delayed_work_sync(&info->work);
+ power_supply_unregister(info->supply);
+ return 0;
+ }
diff --git a/queue-4.4/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch b/queue-4.4/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
new file mode 100644
index 00000000000..2fe6edcf641
--- /dev/null
+++ b/queue-4.4/scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
@@ -0,0 +1,37 @@
+From 641e0efddcbde52461e017136acd3ce7f2ef0c14 Mon Sep 17 00:00:00 2001
+From: Quinn Tran
+Date: Tue, 17 Dec 2019 14:06:16 -0800
+Subject: scsi: qla2xxx: Fix mtcp dump collection failure
+
+From: Quinn Tran
+
+commit 641e0efddcbde52461e017136acd3ce7f2ef0c14 upstream.
+
+MTCP dump failed due to MB Reg 10 was picking garbage data from stack
+memory.
+
+Fixes: 81178772b636a ("[SCSI] qla2xxx: Implemetation of mctp.")
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191217220617.28084-14-hmadhani@marvell.com
+Signed-off-by: Quinn Tran
+Signed-off-by: Himanshu Madhani
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/qla2xxx/qla_mbx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/scsi/qla2xxx/qla_mbx.c
++++ b/drivers/scsi/qla2xxx/qla_mbx.c
+@@ -5455,9 +5455,8 @@ qla2x00_dump_mctp_data(scsi_qla_host_t *
+ mcp->mb[7] = LSW(MSD(req_dma));
+ mcp->mb[8] = MSW(addr);
+ /* Setting RAM ID to valid */
+- mcp->mb[10] |= BIT_7;
+ /* For MCTP RAM ID is 0x40 */
+- mcp->mb[10] |= 0x40;
++ mcp->mb[10] = BIT_7 | 0x40;
+
+ mcp->out_mb |= MBX_10|MBX_8|MBX_7|MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|
+ MBX_0;
diff --git a/queue-4.4/series b/queue-4.4/series
index 2da13ff9403..c6e566cc503 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -18,3 +18,6 @@ lib-test_kasan.c-fix-memory-leak-in-kmalloc_oob_krealloc_more.patch
 powerpc-pseries-advance-pfn-if-section-is-not-present-in-lmb_is_removable.patch
 mmc-spi-toggle-spi-polarity-do-not-hardcode-it.patch
 pci-keystone-fix-link-training-retries-initiation.patch
+crypto-api-check-spawn-alg-under-lock-in-crypto_drop_spawn.patch
+scsi-qla2xxx-fix-mtcp-dump-collection-failure.patch
+power-supply-ltc2941-battery-gauge-fix-use-after-free.patch
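Review bot: In the qla_mbx.c hunk the trailing context still builds the register mask with `mcp->out_mb |= MBX_10|MBX_8|...|MBX_0;`, the same read-modify-write pattern the patch just removed for mb[10]. If mcp points at an uninitialised on-stack mailbox structure, as the commit message's mention of stack garbage suggests, and out_mb is not assigned earlier in qla2x00_dump_mctp_data() (the function starts and ends outside the hunk), stale bits could select extra mailbox registers to be sent to the adapter. A plain assignment, `mcp->out_mb = MBX_10|MBX_8|MBX_7|MBX_6|MBX_5|MBX_4|MBX_3|MBX_2|MBX_1|MBX_0;`, or zero-initialising the structure at its declaration would close that off. Check upstream for the same fix before diverging a stable backport.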