4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 May 2021 09:00:17 +0000 (11:00 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 24 May 2021 09:00:17 +0000 (11:00 +0200)
added patches:
alsa-line6-fix-racy-initialization-of-line6-midi.patch
cifs-fix-memory-leak-in-smb2_copychunk_range.patch

queue-4.9/alsa-line6-fix-racy-initialization-of-line6-midi.patch [new file with mode: 0644]
queue-4.9/cifs-fix-memory-leak-in-smb2_copychunk_range.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/alsa-line6-fix-racy-initialization-of-line6-midi.patch b/queue-4.9/alsa-line6-fix-racy-initialization-of-line6-midi.patch
new file mode 100644 (file)
index 0000000..427f5ac
--- /dev/null
@@ -0,0 +1,85 @@
+From 05ca447630334c323c9e2b788b61133ab75d60d3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 18 May 2021 10:39:39 +0200
+Subject: ALSA: line6: Fix racy initialization of LINE6 MIDI
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 05ca447630334c323c9e2b788b61133ab75d60d3 upstream.
+
+The initialization of MIDI devices that are found on some LINE6
+drivers are currently done in a racy way; namely, the MIDI buffer
+instance is allocated and initialized in each private_init callback
+while the communication with the interface is already started via
+line6_init_cap_control() call before that point.  This may lead to
+Oops in line6_data_received() when a spurious event is received, as
+reported by syzkaller.
+
+This patch moves the MIDI initialization to line6_init_cap_control()
+as well instead of the too-lately-called private_init for avoiding the
+race.  Also this reduces slightly more lines, so it's a win-win
+change.
+
+Reported-by: syzbot+0d2b3feb0a2887862e06@syzkallerlkml..appspotmail.com
+Link: https://lore.kernel.org/r/000000000000a4be9405c28520de@google.com
+Link: https://lore.kernel.org/r/20210517132725.GA50495@hyeyoo
+Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210518083939.1927-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/line6/driver.c |    4 ++++
+ sound/usb/line6/pod.c    |    5 -----
+ sound/usb/line6/variax.c |    6 ------
+ 3 files changed, 4 insertions(+), 11 deletions(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -687,6 +687,10 @@ static int line6_init_cap_control(struct
+               line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL);
+               if (!line6->buffer_message)
+                       return -ENOMEM;
++
++              ret = line6_init_midi(line6);
++              if (ret < 0)
++                      return ret;
+       } else {
+               ret = line6_hwdep_init(line6);
+               if (ret < 0)
+--- a/sound/usb/line6/pod.c
++++ b/sound/usb/line6/pod.c
+@@ -421,11 +421,6 @@ static int pod_init(struct usb_line6 *li
+       if (err < 0)
+               return err;
+-      /* initialize MIDI subsystem: */
+-      err = line6_init_midi(line6);
+-      if (err < 0)
+-              return err;
+-
+       /* initialize PCM subsystem: */
+       err = line6_init_pcm(line6, &pod_pcm_properties);
+       if (err < 0)
+--- a/sound/usb/line6/variax.c
++++ b/sound/usb/line6/variax.c
+@@ -217,7 +217,6 @@ static int variax_init(struct usb_line6
+                      const struct usb_device_id *id)
+ {
+       struct usb_line6_variax *variax = (struct usb_line6_variax *) line6;
+-      int err;
+       line6->process_message = line6_variax_process_message;
+       line6->disconnect = line6_variax_disconnect;
+@@ -233,11 +232,6 @@ static int variax_init(struct usb_line6
+       if (variax->buffer_activate == NULL)
+               return -ENOMEM;
+-      /* initialize MIDI subsystem: */
+-      err = line6_init_midi(&variax->line6);
+-      if (err < 0)
+-              return err;
+-
+       /* initiate startup procedure: */
+       variax_startup1(variax);
+       return 0;
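Review bot: The added `line6_init_midi()` call in the driver.c hunk has no comment explaining why it must live in line6_init_cap_control(), so the ordering constraint described in the commit message is easy to undo in a later refactor. I would add above it `/* MIDI buffers must be ready before any message from the device can reach line6_data_received() */`. The function's body starts and ends outside the hunk, and the point where listening on the device begins is not visible, so confirm in the 4.9 tree that it still comes after this branch; otherwise a device that sends data early could still reach uninitialised MIDI state. The early `return ret` also leaves `line6->buffer_message` allocated, which is fine only if the caller's teardown frees it, as the existing `-ENOMEM` return presumably already relies on.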
diff --git a/queue-4.9/cifs-fix-memory-leak-in-smb2_copychunk_range.patch b/queue-4.9/cifs-fix-memory-leak-in-smb2_copychunk_range.patch
new file mode 100644 (file)
index 0000000..bfe7f69
--- /dev/null
@@ -0,0 +1,36 @@
+From d201d7631ca170b038e7f8921120d05eec70d7c5 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 19 May 2021 08:40:11 +1000
+Subject: cifs: fix memory leak in smb2_copychunk_range
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit d201d7631ca170b038e7f8921120d05eec70d7c5 upstream.
+
+When using smb2_copychunk_range() for large ranges we will
+run through several iterations of a loop calling SMB2_ioctl()
+but never actually free the returned buffer except for the final
+iteration.
+This leads to memory leaks everytime a large copychunk is requested.
+
+Fixes: 9bf0c9cd4314 ("CIFS: Fix SMB2/SMB3 Copy offload support (refcopy) for large files")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/smb2ops.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -629,6 +629,8 @@ smb2_clone_range(const unsigned int xid,
+                       cpu_to_le32(min_t(u32, len, tcon->max_bytes_chunk));
+               /* Request server copy to target from src identified by key */
++              kfree(retbuf);
++              retbuf = NULL;
+               rc = SMB2_ioctl(xid, tcon, trgtfile->fid.persistent_fid,
+                       trgtfile->fid.volatile_fid, FSCTL_SRV_COPYCHUNK_WRITE,
+                       true /* is_fsctl */, (char *)pcchunk,
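Review bot: In the smb2ops.c hunk the new `kfree(retbuf); retbuf = NULL;` pair sits between the comment `/* Request server copy to target from src identified by key */` and the `SMB2_ioctl()` call that comment describes, so the comment now reads as if it documents the free. I would move the two lines above that comment and give them their own line, `/* drop the response buffer left over from the previous loop iteration */`. The reset to NULL should stay: the exit path presumably frees `retbuf` again, and whether SMB2_ioctl() always overwrites the pointer on failure is not visible here. The loop and the rest of smb2_clone_range lie outside the hunk.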
index bdb5cfa436ab3f209a5bbe81d81020ff5f541e2c..a8c8e98d44dd940757055f17399f15183efb7b6c 100644 (file)
@@ -2,3 +2,5 @@ openrisc-fix-a-memory-leak.patch
 rdma-rxe-clear-all-qp-fields-if-creation-failed.patch
 scsi-qla2xxx-fix-error-return-code-in-qla82xx_write_.patch
 ptrace-make-ptrace-fail-if-the-tracee-changed-its-pi.patch
+cifs-fix-memory-leak-in-smb2_copychunk_range.patch
+alsa-line6-fix-racy-initialization-of-line6-midi.patch