--- /dev/null
+From 15adb20f64c302b31e10ad50f22bb224052ce1df Mon Sep 17 00:00:00 2001
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+Date: Wed, 22 Jan 2020 19:12:54 +0100
+Subject: ASoC: Intel: skl_hda_dsp_common: Fix global-out-of-bounds bug
+
+From: Cezary Rojewski <cezary.rojewski@intel.com>
+
+commit 15adb20f64c302b31e10ad50f22bb224052ce1df upstream.
+
+Definitions for idisp snd_soc_dai_links within skl_hda_dsp_common are
+missing platform component. Add it to address following bug reported by
+KASAN:
+
+[ 10.538502] BUG: KASAN: global-out-of-bounds in skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538509] Write of size 8 at addr ffffffffc0606840 by task systemd-udevd/299
+(...)
+[ 10.538519] Call Trace:
+[ 10.538524] dump_stack+0x62/0x95
+[ 10.538528] print_address_description+0x2f5/0x3b0
+[ 10.538532] ? skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538535] __kasan_report+0x134/0x191
+[ 10.538538] ? skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538542] ? skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538544] kasan_report+0x12/0x20
+[ 10.538546] __asan_store8+0x57/0x90
+[ 10.538550] skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538553] platform_drv_probe+0x51/0xb0
+[ 10.538556] really_probe+0x311/0x600
+[ 10.538559] driver_probe_device+0x87/0x1b0
+[ 10.538562] device_driver_attach+0x8f/0xa0
+[ 10.538565] ? device_driver_attach+0xa0/0xa0
+[ 10.538567] __driver_attach+0x102/0x1a0
+[ 10.538569] ? device_driver_attach+0xa0/0xa0
+[ 10.538572] bus_for_each_dev+0xe8/0x160
+[ 10.538574] ? subsys_dev_iter_exit+0x10/0x10
+[ 10.538577] ? preempt_count_sub+0x18/0xc0
+[ 10.538580] ? _raw_write_unlock+0x1f/0x40
+[ 10.538582] driver_attach+0x2b/0x30
+[ 10.538585] bus_add_driver+0x251/0x340
+[ 10.538588] driver_register+0xd3/0x1c0
+[ 10.538590] __platform_driver_register+0x6c/0x80
+[ 10.538592] ? 0xffffffffc03e8000
+[ 10.538595] skl_hda_audio_init+0x1c/0x1000 [snd_soc_skl_hda_dsp]
+[ 10.538598] do_one_initcall+0xd0/0x36a
+[ 10.538600] ? trace_event_raw_event_initcall_finish+0x160/0x160
+[ 10.538602] ? kasan_unpoison_shadow+0x36/0x50
+[ 10.538605] ? __kasan_kmalloc+0xcc/0xe0
+[ 10.538607] ? kasan_unpoison_shadow+0x36/0x50
+[ 10.538609] ? kasan_poison_shadow+0x2f/0x40
+[ 10.538612] ? __asan_register_globals+0x65/0x80
+[ 10.538615] do_init_module+0xf9/0x36f
+[ 10.538619] load_module+0x398e/0x4590
+[ 10.538625] ? module_frob_arch_sections+0x20/0x20
+[ 10.538628] ? __kasan_check_write+0x14/0x20
+[ 10.538630] ? kernel_read+0x9a/0xc0
+[ 10.538632] ? __kasan_check_write+0x14/0x20
+[ 10.538634] ? kernel_read_file+0x1d3/0x3c0
+[ 10.538638] ? cap_capable+0xca/0x110
+[ 10.538642] __do_sys_finit_module+0x190/0x1d0
+[ 10.538644] ? __do_sys_finit_module+0x190/0x1d0
+[ 10.538646] ? __x64_sys_init_module+0x50/0x50
+[ 10.538649] ? expand_files+0x380/0x380
+[ 10.538652] ? __kasan_check_write+0x14/0x20
+[ 10.538654] ? fput_many+0x20/0xc0
+[ 10.538658] __x64_sys_finit_module+0x43/0x50
+[ 10.538660] do_syscall_64+0xce/0x700
+[ 10.538662] ? syscall_return_slowpath+0x230/0x230
+[ 10.538665] ? __do_page_fault+0x51e/0x640
+[ 10.538668] ? __kasan_check_read+0x11/0x20
+[ 10.538670] ? prepare_exit_to_usermode+0xc7/0x200
+[ 10.538673] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: a78959f407e6 ("ASoC: Intel: skl_hda_dsp_common: use modern dai_link style")
+Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
+Reviewed-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Link: https://lore.kernel.org/r/20200122181254.22801-1-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/intel/boards/skl_hda_dsp_common.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/sound/soc/intel/boards/skl_hda_dsp_common.c
++++ b/sound/soc/intel/boards/skl_hda_dsp_common.c
+@@ -38,16 +38,19 @@ int skl_hda_hdmi_add_pcm(struct snd_soc_
+ return 0;
+ }
+
+-SND_SOC_DAILINK_DEFS(idisp1,
+- DAILINK_COMP_ARRAY(COMP_CPU("iDisp1 Pin")),
++SND_SOC_DAILINK_DEF(idisp1_cpu,
++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp1 Pin")));
++SND_SOC_DAILINK_DEF(idisp1_codec,
+ DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi1")));
+
+-SND_SOC_DAILINK_DEFS(idisp2,
+- DAILINK_COMP_ARRAY(COMP_CPU("iDisp2 Pin")),
++SND_SOC_DAILINK_DEF(idisp2_cpu,
++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp2 Pin")));
++SND_SOC_DAILINK_DEF(idisp2_codec,
+ DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi2")));
+
+-SND_SOC_DAILINK_DEFS(idisp3,
+- DAILINK_COMP_ARRAY(COMP_CPU("iDisp3 Pin")),
++SND_SOC_DAILINK_DEF(idisp3_cpu,
++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp3 Pin")));
++SND_SOC_DAILINK_DEF(idisp3_codec,
+ DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi3")));
+
+ SND_SOC_DAILINK_DEF(analog_cpu,
+@@ -80,21 +83,21 @@ struct snd_soc_dai_link skl_hda_be_dai_l
+ .id = 1,
+ .dpcm_playback = 1,
+ .no_pcm = 1,
+- SND_SOC_DAILINK_REG(idisp1),
++ SND_SOC_DAILINK_REG(idisp1_cpu, idisp1_codec, platform),
+ },
+ {
+ .name = "iDisp2",
+ .id = 2,
+ .dpcm_playback = 1,
+ .no_pcm = 1,
+- SND_SOC_DAILINK_REG(idisp2),
++ SND_SOC_DAILINK_REG(idisp2_cpu, idisp2_codec, platform),
+ },
+ {
+ .name = "iDisp3",
+ .id = 3,
+ .dpcm_playback = 1,
+ .no_pcm = 1,
+- SND_SOC_DAILINK_REG(idisp3),
++ SND_SOC_DAILINK_REG(idisp3_cpu, idisp3_codec, platform),
+ },
+ {
+ .name = "Analog Playback and Capture",
--- /dev/null
+From e19ecbf105b236a6334fab64d8fd5437b12ee019 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Fri, 20 Dec 2019 17:44:50 +0100
+Subject: ASoC: sgtl5000: Fix VDDA and VDDIO comparison
+
+From: Marek Vasut <marex@denx.de>
+
+commit e19ecbf105b236a6334fab64d8fd5437b12ee019 upstream.
+
+Comparing the voltage of VDDA and VDDIO to determine whether or not to
+enable VDDC manual override is insufficient. This is a problem in case
+the VDDA is supplied from different regulator than VDDIO, while both
+report the same voltage to the regulator framework. In that case where
+VDDA and VDDIO is supplied by different regulators, the VDDC manual
+override must not be applied.
+
+Fixes: b6319b061ba2 ("ASoC: sgtl5000: Fix charge pump source assignment")
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Igor Opaniuk <igor.opaniuk@toradex.com>
+Cc: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Cc: Mark Brown <broonie@kernel.org>
+Cc: Oleksandr Suvorov <oleksandr.suvorov@toradex.com>
+Link: https://lore.kernel.org/r/20191220164450.1395038-2-marex@denx.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/codecs/sgtl5000.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/sgtl5000.c
++++ b/sound/soc/codecs/sgtl5000.c
+@@ -1344,7 +1344,8 @@ static int sgtl5000_set_power_regs(struc
+ * if vddio == vdda the source of charge pump should be
+ * assigned manually to VDDIO
+ */
+- if (vddio == vdda) {
++ if (regulator_is_equal(sgtl5000->supplies[VDDA].consumer,
++ sgtl5000->supplies[VDDIO].consumer)) {
+ lreg_ctrl |= SGTL5000_VDDC_ASSN_OVRD;
+ lreg_ctrl |= SGTL5000_VDDC_MAN_ASSN_VDDIO <<
+ SGTL5000_VDDC_MAN_ASSN_SHIFT;
--- /dev/null
+From 6c883472e1c11cb05561b6dd0c28bb037c2bf2de Mon Sep 17 00:00:00 2001
+From: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
+Date: Mon, 20 Jan 2020 15:45:11 +0200
+Subject: mfd: bd70528: Fix hour register mask
+
+From: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
+
+commit 6c883472e1c11cb05561b6dd0c28bb037c2bf2de upstream.
+
+When RTC is used in 24H mode (and it is by this driver) the maximum
+hour value is 24 in BCD. This occupies bits [5:0] - which means
+correct mask for HOUR register is 0x3f not 0x1f. Fix the mask
+
+Fixes: 32a4a4ebf768 ("rtc: bd70528: Initial support for ROHM bd70528 RTC")
+
+Signed-off-by: Matti Vaittinen <matti.vaittinen@fi.rohmeurope.com>
+Acked-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/mfd/rohm-bd70528.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/mfd/rohm-bd70528.h
++++ b/include/linux/mfd/rohm-bd70528.h
+@@ -317,7 +317,7 @@ enum {
+ #define BD70528_MASK_RTC_MINUTE 0x7f
+ #define BD70528_MASK_RTC_HOUR_24H 0x80
+ #define BD70528_MASK_RTC_HOUR_PM 0x20
+-#define BD70528_MASK_RTC_HOUR 0x1f
++#define BD70528_MASK_RTC_HOUR 0x3f
+ #define BD70528_MASK_RTC_DAY 0x3f
+ #define BD70528_MASK_RTC_WEEK 0x07
+ #define BD70528_MASK_RTC_MONTH 0x1f
--- /dev/null
+From 1112ba02ff1190ca9c15a912f9269e54b46d2d82 Mon Sep 17 00:00:00 2001
+From: Marco Felsch <m.felsch@pengutronix.de>
+Date: Wed, 8 Jan 2020 10:57:02 +0100
+Subject: mfd: da9062: Fix watchdog compatible string
+
+From: Marco Felsch <m.felsch@pengutronix.de>
+
+commit 1112ba02ff1190ca9c15a912f9269e54b46d2d82 upstream.
+
+The watchdog driver compatible is "dlg,da9062-watchdog" and not
+"dlg,da9062-wdt". Therefore the mfd-core can't populate the of_node and
+fwnode. As result the watchdog driver can't parse the devicetree.
+
+Fixes: 9b40b030c4ad ("mfd: da9062: Supply core driver")
+Signed-off-by: Marco Felsch <m.felsch@pengutronix.de>
+Acked-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/da9062-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mfd/da9062-core.c
++++ b/drivers/mfd/da9062-core.c
+@@ -248,7 +248,7 @@ static const struct mfd_cell da9062_devs
+ .name = "da9062-watchdog",
+ .num_resources = ARRAY_SIZE(da9062_wdt_resources),
+ .resources = da9062_wdt_resources,
+- .of_compatible = "dlg,da9062-wdt",
++ .of_compatible = "dlg,da9062-watchdog",
+ },
+ {
+ .name = "da9062-thermal",
--- /dev/null
+From 2f3dc25c0118de03a00ddc88b61f7216854f534d Mon Sep 17 00:00:00 2001
+From: Andreas Kemnade <andreas@kemnade.info>
+Date: Fri, 17 Jan 2020 22:59:22 +0100
+Subject: mfd: rn5t618: Mark ADC control register volatile
+
+From: Andreas Kemnade <andreas@kemnade.info>
+
+commit 2f3dc25c0118de03a00ddc88b61f7216854f534d upstream.
+
+There is a bit which gets cleared after conversion.
+
+Fixes: 9bb9e29c78f8 ("mfd: Add Ricoh RN5T618 PMIC core driver")
+Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/rn5t618.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/rn5t618.c
++++ b/drivers/mfd/rn5t618.c
+@@ -26,6 +26,7 @@ static bool rn5t618_volatile_reg(struct
+ case RN5T618_WATCHDOGCNT:
+ case RN5T618_DCIRQ:
+ case RN5T618_ILIMDATAH ... RN5T618_AIN0DATAL:
++ case RN5T618_ADCCNT3:
+ case RN5T618_IR_ADC1 ... RN5T618_IR_ADC3:
+ case RN5T618_IR_GPR:
+ case RN5T618_IR_GPF:
nfsd-fix-delay-timer-on-32-bit-architectures.patch
nfsd-fix-jiffies-time_t-mixup-in-lru-list.patch
nfsd-return-the-correct-number-of-bytes-written-to-the-file.patch
+virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch
+virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch
+ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch
+ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch
+ubifs-fix-memory-leak-from-c-sup_node.patch
+asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch
+asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch
+mfd-da9062-fix-watchdog-compatible-string.patch
+mfd-rn5t618-mark-adc-control-register-volatile.patch
+mfd-bd70528-fix-hour-register-mask.patch
--- /dev/null
+From ef5aafb6e4e9942a28cd300bdcda21ce6cbaf045 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer <s.hauer@pengutronix.de>
+Date: Wed, 23 Oct 2019 11:58:12 +0200
+Subject: ubi: fastmap: Fix inverted logic in seen selfcheck
+
+From: Sascha Hauer <s.hauer@pengutronix.de>
+
+commit ef5aafb6e4e9942a28cd300bdcda21ce6cbaf045 upstream.
+
+set_seen() sets the bit corresponding to the PEB number in the bitmap,
+so when self_check_seen() wants to find PEBs that haven't been seen we
+have to print the PEBs that have their bit cleared, not the ones which
+have it set.
+
+Fixes: 5d71afb00840 ("ubi: Use bitmaps in Fastmap self-check code")
+Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/fastmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/fastmap.c
++++ b/drivers/mtd/ubi/fastmap.c
+@@ -64,7 +64,7 @@ static int self_check_seen(struct ubi_de
+ return 0;
+
+ for (pnum = 0; pnum < ubi->peb_count; pnum++) {
+- if (test_bit(pnum, seen) && ubi->lookuptbl[pnum]) {
++ if (!test_bit(pnum, seen) && ubi->lookuptbl[pnum]) {
+ ubi_err(ubi, "self-check failed for PEB %d, fastmap didn't see it", pnum);
+ ret = -EINVAL;
+ }
--- /dev/null
+From 5d3805af279c93ef49a64701f35254676d709622 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 13 Jan 2020 16:23:46 +0300
+Subject: ubi: Fix an error pointer dereference in error handling code
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 5d3805af279c93ef49a64701f35254676d709622 upstream.
+
+If "seen_pebs = init_seen(ubi);" fails then "seen_pebs" is an error pointer
+and we try to kfree() it which results in an Oops.
+
+This patch re-arranges the error handling so now it only frees things
+which have been allocated successfully.
+
+Fixes: daef3dd1f0ae ("UBI: Fastmap: Add self check to detect absent PEBs")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/ubi/fastmap.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/mtd/ubi/fastmap.c
++++ b/drivers/mtd/ubi/fastmap.c
+@@ -1137,7 +1137,7 @@ static int ubi_write_fastmap(struct ubi_
+ struct rb_node *tmp_rb;
+ int ret, i, j, free_peb_count, used_peb_count, vol_count;
+ int scrub_peb_count, erase_peb_count;
+- unsigned long *seen_pebs = NULL;
++ unsigned long *seen_pebs;
+
+ fm_raw = ubi->fm_buf;
+ memset(ubi->fm_buf, 0, ubi->fm_size);
+@@ -1151,7 +1151,7 @@ static int ubi_write_fastmap(struct ubi_
+ dvbuf = new_fm_vbuf(ubi, UBI_FM_DATA_VOLUME_ID);
+ if (!dvbuf) {
+ ret = -ENOMEM;
+- goto out_kfree;
++ goto out_free_avbuf;
+ }
+
+ avhdr = ubi_get_vid_hdr(avbuf);
+@@ -1160,7 +1160,7 @@ static int ubi_write_fastmap(struct ubi_
+ seen_pebs = init_seen(ubi);
+ if (IS_ERR(seen_pebs)) {
+ ret = PTR_ERR(seen_pebs);
+- goto out_kfree;
++ goto out_free_dvbuf;
+ }
+
+ spin_lock(&ubi->volumes_lock);
+@@ -1328,7 +1328,7 @@ static int ubi_write_fastmap(struct ubi_
+ ret = ubi_io_write_vid_hdr(ubi, new_fm->e[0]->pnum, avbuf);
+ if (ret) {
+ ubi_err(ubi, "unable to write vid_hdr to fastmap SB!");
+- goto out_kfree;
++ goto out_free_seen;
+ }
+
+ for (i = 0; i < new_fm->used_blocks; i++) {
+@@ -1350,7 +1350,7 @@ static int ubi_write_fastmap(struct ubi_
+ if (ret) {
+ ubi_err(ubi, "unable to write vid_hdr to PEB %i!",
+ new_fm->e[i]->pnum);
+- goto out_kfree;
++ goto out_free_seen;
+ }
+ }
+
+@@ -1360,7 +1360,7 @@ static int ubi_write_fastmap(struct ubi_
+ if (ret) {
+ ubi_err(ubi, "unable to write fastmap to PEB %i!",
+ new_fm->e[i]->pnum);
+- goto out_kfree;
++ goto out_free_seen;
+ }
+ }
+
+@@ -1370,10 +1370,13 @@ static int ubi_write_fastmap(struct ubi_
+ ret = self_check_seen(ubi, seen_pebs);
+ dbg_bld("fastmap written!");
+
+-out_kfree:
+- ubi_free_vid_buf(avbuf);
+- ubi_free_vid_buf(dvbuf);
++out_free_seen:
+ free_seen(seen_pebs);
++out_free_dvbuf:
++ ubi_free_vid_buf(dvbuf);
++out_free_avbuf:
++ ubi_free_vid_buf(avbuf);
++
+ out:
+ return ret;
+ }
--- /dev/null
+From ff90bdfb206e49c8b418811efbdd0c77380fa8c2 Mon Sep 17 00:00:00 2001
+From: Quanyang Wang <quanyang.wang@windriver.com>
+Date: Tue, 14 Jan 2020 13:43:11 +0800
+Subject: ubifs: Fix memory leak from c->sup_node
+
+From: Quanyang Wang <quanyang.wang@windriver.com>
+
+commit ff90bdfb206e49c8b418811efbdd0c77380fa8c2 upstream.
+
+The c->sup_node is allocated in function ubifs_read_sb_node but
+is not freed. This will cause memory leak as below:
+
+unreferenced object 0xbc9ce000 (size 4096):
+ comm "mount", pid 500, jiffies 4294952946 (age 315.820s)
+ hex dump (first 32 bytes):
+ 31 18 10 06 06 7b f1 11 02 00 00 00 00 00 00 00 1....{..........
+ 00 10 00 00 06 00 00 00 00 00 00 00 08 00 00 00 ................
+ backtrace:
+ [<d1c503cd>] ubifs_read_superblock+0x48/0xebc
+ [<a20e14bd>] ubifs_mount+0x974/0x1420
+ [<8589ecc3>] legacy_get_tree+0x2c/0x50
+ [<5f1fb889>] vfs_get_tree+0x28/0xfc
+ [<bbfc7939>] do_mount+0x4f8/0x748
+ [<4151f538>] ksys_mount+0x78/0xa0
+ [<d59910a9>] ret_fast_syscall+0x0/0x54
+ [<1cc40005>] 0x7ea02790
+
+Free it in ubifs_umount and in the error path of mount_ubifs.
+
+Fixes: fd6150051bec ("ubifs: Store read superblock node")
+Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ubifs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ubifs/super.c
++++ b/fs/ubifs/super.c
+@@ -1599,6 +1599,7 @@ out_free:
+ vfree(c->ileb_buf);
+ vfree(c->sbuf);
+ kfree(c->bottom_up_buf);
++ kfree(c->sup_node);
+ ubifs_debugging_exit(c);
+ return err;
+ }
+@@ -1641,6 +1642,7 @@ static void ubifs_umount(struct ubifs_in
+ vfree(c->ileb_buf);
+ vfree(c->sbuf);
+ kfree(c->bottom_up_buf);
++ kfree(c->sup_node);
+ ubifs_debugging_exit(c);
+ }
+
--- /dev/null
+From 6c22dc61c76b7e7d355f1697ba0ecf26d1334ba6 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Wed, 5 Feb 2020 17:34:00 +0100
+Subject: virtio-balloon: Fix memory leak when unloading while hinting is in progress
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 6c22dc61c76b7e7d355f1697ba0ecf26d1334ba6 upstream.
+
+When unloading the driver while hinting is in progress, we will not
+release the free page blocks back to MM, resulting in a memory leak.
+
+Fixes: 86a559787e6f ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Wei Wang <wei.w.wang@intel.com>
+Cc: Liang Li <liang.z.li@intel.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Link: https://lore.kernel.org/r/20200205163402.42627-2-david@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_balloon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -967,6 +967,10 @@ static void remove_common(struct virtio_
+ leak_balloon(vb, vb->num_pages);
+ update_balloon_size(vb);
+
++ /* There might be free pages that are being reported: release them. */
++ if (virtio_has_feature(vb->vdev, VIRTIO_BALLOON_F_FREE_PAGE_HINT))
++ return_free_pages_to_mm(vb, ULONG_MAX);
++
+ /* Now we reset the device so we can clean up the queues. */
+ vb->vdev->config->reset(vb->vdev);
+
--- /dev/null
+From 1ad6f58ea9364b0a5d8ae06249653ac9304a8578 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Wed, 5 Feb 2020 17:34:01 +0100
+Subject: virtio_balloon: Fix memory leaks on errors in virtballoon_probe()
+
+From: David Hildenbrand <david@redhat.com>
+
+commit 1ad6f58ea9364b0a5d8ae06249653ac9304a8578 upstream.
+
+We forget to put the inode and unmount the kernfs used for compaction.
+
+Fixes: 71994620bb25 ("virtio_balloon: replace oom notifier with shrinker")
+Cc: "Michael S. Tsirkin" <mst@redhat.com>
+Cc: Jason Wang <jasowang@redhat.com>
+Cc: Wei Wang <wei.w.wang@intel.com>
+Cc: Liang Li <liang.z.li@intel.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Link: https://lore.kernel.org/r/20200205163402.42627-3-david@redhat.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_balloon.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -900,8 +900,7 @@ static int virtballoon_probe(struct virt
+ vb->vb_dev_info.inode = alloc_anon_inode(balloon_mnt->mnt_sb);
+ if (IS_ERR(vb->vb_dev_info.inode)) {
+ err = PTR_ERR(vb->vb_dev_info.inode);
+- kern_unmount(balloon_mnt);
+- goto out_del_vqs;
++ goto out_kern_unmount;
+ }
+ vb->vb_dev_info.inode->i_mapping->a_ops = &balloon_aops;
+ #endif
+@@ -912,13 +911,13 @@ static int virtballoon_probe(struct virt
+ */
+ if (virtqueue_get_vring_size(vb->free_page_vq) < 2) {
+ err = -ENOSPC;
+- goto out_del_vqs;
++ goto out_iput;
+ }
+ vb->balloon_wq = alloc_workqueue("balloon-wq",
+ WQ_FREEZABLE | WQ_CPU_INTENSIVE, 0);
+ if (!vb->balloon_wq) {
+ err = -ENOMEM;
+- goto out_del_vqs;
++ goto out_iput;
+ }
+ INIT_WORK(&vb->report_free_page_work, report_free_page_func);
+ vb->cmd_id_received_cache = VIRTIO_BALLOON_CMD_ID_STOP;
+@@ -952,6 +951,12 @@ static int virtballoon_probe(struct virt
+ out_del_balloon_wq:
+ if (virtio_has_feature(vdev, VIRTIO_BALLOON_F_FREE_PAGE_HINT))
+ destroy_workqueue(vb->balloon_wq);
++out_iput:
++#ifdef CONFIG_BALLOON_COMPACTION
++ iput(vb->vb_dev_info.inode);
++out_kern_unmount:
++ kern_unmount(balloon_mnt);
++#endif
+ out_del_vqs:
+ vdev->config->del_vqs(vdev);
+ out_free_vb:
projects / thirdparty / kernel / stable-queue.git / commitdiff
