4.9-stable patches

added patches:
	alsa-timer-fix-master-timer-notification.patch
	ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch
	net-caif-add-proper-error-handling.patch
	net-caif-added-cfserl_release-function.patch
	net-caif-fix-memory-leak-in-caif_device_notify.patch
	net-caif-fix-memory-leak-in-cfusbl_device_notify.patch
	net-kcm-fix-memory-leak-in-kcm_sendmsg.patch

diff --git a/queue-4.9/alsa-timer-fix-master-timer-notification.patch b/queue-4.9/alsa-timer-fix-master-timer-notification.patch
new file mode 100644 (file)
index 0000000..b22b32a
--- /dev/null
+++ b/queue-4.9/alsa-timer-fix-master-timer-notification.patch
@@ -0,0 +1,39 @@
+From 9c1fe96bded935369f8340c2ac2e9e189f697d5d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 2 Jun 2021 13:38:23 +0200
+Subject: ALSA: timer: Fix master timer notification
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 9c1fe96bded935369f8340c2ac2e9e189f697d5d upstream.
+
+snd_timer_notify1() calls the notification to each slave for a master
+event, but it passes a wrong event number.  It should be +10 offset,
+corresponding to SNDRV_TIMER_EVENT_MXXX, but it's incorrectly with
++100 offset.  Casually this was spotted by UBSAN check via syzkaller.
+
+Reported-by: syzbot+d102fa5b35335a7e544e@syzkaller.appspotmail.com
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/000000000000e5560e05c3bd1d63@google.com
+Link: https://lore.kernel.org/r/20210602113823.23777-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -488,9 +488,10 @@ static void snd_timer_notify1(struct snd
+               return;
+       if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
+               return;
++      event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */
+       list_for_each_entry(ts, &ti->slave_active_head, active_list)
+               if (ts->ccallback)
+-                      ts->ccallback(ts, event + 100, &tstamp, resolution);
++                      ts->ccallback(ts, event, &tstamp, resolution);
+ }
+ 
+ /* start/continue a master timer */

diff --git a/queue-4.9/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch b/queue-4.9/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch
new file mode 100644 (file)
index 0000000..42df2ff
--- /dev/null
+++ b/queue-4.9/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch
@@ -0,0 +1,112 @@
+From 082cd4ec240b8734a82a89ffb890216ac98fec68 Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Thu, 6 May 2021 22:10:42 +0800
+Subject: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit 082cd4ec240b8734a82a89ffb890216ac98fec68 upstream.
+
+We got follow bug_on when run fsstress with injecting IO fault:
+[130747.323114] kernel BUG at fs/ext4/extents_status.c:762!
+[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP
+......
+[130747.334329] Call trace:
+[130747.334553]  ext4_es_cache_extent+0x150/0x168 [ext4]
+[130747.334975]  ext4_cache_extents+0x64/0xe8 [ext4]
+[130747.335368]  ext4_find_extent+0x300/0x330 [ext4]
+[130747.335759]  ext4_ext_map_blocks+0x74/0x1178 [ext4]
+[130747.336179]  ext4_map_blocks+0x2f4/0x5f0 [ext4]
+[130747.336567]  ext4_mpage_readpages+0x4a8/0x7a8 [ext4]
+[130747.336995]  ext4_readpage+0x54/0x100 [ext4]
+[130747.337359]  generic_file_buffered_read+0x410/0xae8
+[130747.337767]  generic_file_read_iter+0x114/0x190
+[130747.338152]  ext4_file_read_iter+0x5c/0x140 [ext4]
+[130747.338556]  __vfs_read+0x11c/0x188
+[130747.338851]  vfs_read+0x94/0x150
+[130747.339110]  ksys_read+0x74/0xf0
+
+This patch's modification is according to Jan Kara's suggestion in:
+https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/
+"I see. Now I understand your patch. Honestly, seeing how fragile is trying
+to fix extent tree after split has failed in the middle, I would probably
+go even further and make sure we fix the tree properly in case of ENOSPC
+and EDQUOT (those are easily user triggerable).  Anything else indicates a
+HW problem or fs corruption so I'd rather leave the extent tree as is and
+don't try to fix it (which also means we will not create overlapping
+extents)."
+
+Cc: stable@kernel.org
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20210506141042.3298679-1-yebin10@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/extents.c |   43 +++++++++++++++++++++++--------------------
+ 1 file changed, 23 insertions(+), 20 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3274,7 +3274,10 @@ static int ext4_split_extent_at(handle_t
+               ext4_ext_mark_unwritten(ex2);
+ 
+       err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags);
+-      if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) {
++      if (err != -ENOSPC && err != -EDQUOT)
++              goto out;
++
++      if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
+               if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
+                       if (split_flag & EXT4_EXT_DATA_VALID1) {
+                               err = ext4_ext_zeroout(inode, ex2);
+@@ -3300,30 +3303,30 @@ static int ext4_split_extent_at(handle_t
+                                             ext4_ext_pblock(&orig_ex));
+               }
+ 
+-              if (err)
+-                      goto fix_extent_len;
+-              /* update the extent length and mark as initialized */
+-              ex->ee_len = cpu_to_le16(ee_len);
+-              ext4_ext_try_to_merge(handle, inode, path, ex);
+-              err = ext4_ext_dirty(handle, inode, path + path->p_depth);
+-              if (err)
+-                      goto fix_extent_len;
+-
+-              /* update extent status tree */
+-              err = ext4_zeroout_es(inode, &zero_ex);
+-
+-              goto out;
+-      } else if (err)
+-              goto fix_extent_len;
+-
+-out:
+-      ext4_ext_show_leaf(inode, path);
+-      return err;
++              if (!err) {
++                      /* update the extent length and mark as initialized */
++                      ex->ee_len = cpu_to_le16(ee_len);
++                      ext4_ext_try_to_merge(handle, inode, path, ex);
++                      err = ext4_ext_dirty(handle, inode, path + path->p_depth);
++                      if (!err)
++                              /* update extent status tree */
++                              err = ext4_zeroout_es(inode, &zero_ex);
++                      /* If we failed at this point, we don't know in which
++                       * state the extent tree exactly is so don't try to fix
++                       * length of the original extent as it may do even more
++                       * damage.
++                       */
++                      goto out;
++              }
++      }
+ 
+ fix_extent_len:
+       ex->ee_len = orig_ex.ee_len;
+       ext4_ext_dirty(handle, inode, path + path->p_depth);
+       return err;
++out:
++      ext4_ext_show_leaf(inode, path);
++      return err;
+ }
+ 
+ /*

diff --git a/queue-4.9/net-caif-add-proper-error-handling.patch b/queue-4.9/net-caif-add-proper-error-handling.patch
new file mode 100644 (file)
index 0000000..208ad6b
--- /dev/null
+++ b/queue-4.9/net-caif-add-proper-error-handling.patch
@@ -0,0 +1,152 @@
+From a2805dca5107d5603f4bbc027e81e20d93476e96 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 3 Jun 2021 19:38:51 +0300
+Subject: net: caif: add proper error handling
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit a2805dca5107d5603f4bbc027e81e20d93476e96 upstream.
+
+caif_enroll_dev() can fail in some cases. Ingnoring
+these cases can lead to memory leak due to not assigning
+link_support pointer to anywhere.
+
+Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/caif/caif_dev.h |    2 +-
+ include/net/caif/cfcnfg.h   |    2 +-
+ net/caif/caif_dev.c         |    8 +++++---
+ net/caif/cfcnfg.c           |   16 +++++++++++-----
+ 4 files changed, 18 insertions(+), 10 deletions(-)
+
+--- a/include/net/caif/caif_dev.h
++++ b/include/net/caif/caif_dev.h
+@@ -119,7 +119,7 @@ void caif_free_client(struct cflayer *ad
+  * The link_support layer is used to add any Link Layer specific
+  * framing.
+  */
+-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
+                       struct cflayer *link_support, int head_room,
+                       struct cflayer **layer, int (**rcv_func)(
+                               struct sk_buff *, struct net_device *,
+--- a/include/net/caif/cfcnfg.h
++++ b/include/net/caif/cfcnfg.h
+@@ -62,7 +62,7 @@ void cfcnfg_remove(struct cfcnfg *cfg);
+  * @fcs:      Specify if checksum is used in CAIF Framing Layer.
+  * @head_room:        Head space needed by link specific protocol.
+  */
+-void
++int
+ cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
+                    struct net_device *dev, struct cflayer *phy_layer,
+                    enum cfcnfg_phy_preference pref,
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -303,7 +303,7 @@ static void dev_flowctrl(struct net_devi
+       caifd_put(caifd);
+ }
+ 
+-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
+                    struct cflayer *link_support, int head_room,
+                    struct cflayer **layer,
+                    int (**rcv_func)(struct sk_buff *, struct net_device *,
+@@ -314,11 +314,12 @@ void caif_enroll_dev(struct net_device *
+       enum cfcnfg_phy_preference pref;
+       struct cfcnfg *cfg = get_cfcnfg(dev_net(dev));
+       struct caif_device_entry_list *caifdevs;
++      int res;
+ 
+       caifdevs = caif_device_list(dev_net(dev));
+       caifd = caif_device_alloc(dev);
+       if (!caifd)
+-              return;
++              return -ENOMEM;
+       *layer = &caifd->layer;
+       spin_lock_init(&caifd->flow_lock);
+ 
+@@ -340,7 +341,7 @@ void caif_enroll_dev(struct net_device *
+               sizeof(caifd->layer.name) - 1);
+       caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0;
+       caifd->layer.transmit = transmit;
+-      cfcnfg_add_phy_layer(cfg,
++      res = cfcnfg_add_phy_layer(cfg,
+                               dev,
+                               &caifd->layer,
+                               pref,
+@@ -350,6 +351,7 @@ void caif_enroll_dev(struct net_device *
+       mutex_unlock(&caifdevs->lock);
+       if (rcv_func)
+               *rcv_func = receive;
++      return res;
+ }
+ EXPORT_SYMBOL(caif_enroll_dev);
+ 
+--- a/net/caif/cfcnfg.c
++++ b/net/caif/cfcnfg.c
+@@ -455,7 +455,7 @@ unlock:
+       rcu_read_unlock();
+ }
+ 
+-void
++int
+ cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
+                    struct net_device *dev, struct cflayer *phy_layer,
+                    enum cfcnfg_phy_preference pref,
+@@ -464,7 +464,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg
+ {
+       struct cflayer *frml;
+       struct cfcnfg_phyinfo *phyinfo = NULL;
+-      int i;
++      int i, res = 0;
+       u8 phyid;
+ 
+       mutex_lock(&cnfg->lock);
+@@ -478,12 +478,15 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg
+                       goto got_phyid;
+       }
+       pr_warn("Too many CAIF Link Layers (max 6)\n");
++      res = -EEXIST;
+       goto out;
+ 
+ got_phyid:
+       phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC);
+-      if (!phyinfo)
++      if (!phyinfo) {
++              res = -ENOMEM;
+               goto out_err;
++      }
+ 
+       phy_layer->id = phyid;
+       phyinfo->pref = pref;
+@@ -497,8 +500,10 @@ got_phyid:
+ 
+       frml = cffrml_create(phyid, fcs);
+ 
+-      if (!frml)
++      if (!frml) {
++              res = -ENOMEM;
+               goto out_err;
++      }
+       phyinfo->frm_layer = frml;
+       layer_set_up(frml, cnfg->mux);
+ 
+@@ -516,11 +521,12 @@ got_phyid:
+       list_add_rcu(&phyinfo->node, &cnfg->phys);
+ out:
+       mutex_unlock(&cnfg->lock);
+-      return;
++      return res;
+ 
+ out_err:
+       kfree(phyinfo);
+       mutex_unlock(&cnfg->lock);
++      return res;
+ }
+ EXPORT_SYMBOL(cfcnfg_add_phy_layer);
+ 

diff --git a/queue-4.9/net-caif-added-cfserl_release-function.patch b/queue-4.9/net-caif-added-cfserl_release-function.patch
new file mode 100644 (file)
index 0000000..113cf4e
--- /dev/null
+++ b/queue-4.9/net-caif-added-cfserl_release-function.patch
@@ -0,0 +1,42 @@
+From bce130e7f392ddde8cfcb09927808ebd5f9c8669 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 3 Jun 2021 19:38:12 +0300
+Subject: net: caif: added cfserl_release function
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit bce130e7f392ddde8cfcb09927808ebd5f9c8669 upstream.
+
+Added cfserl_release() function.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/caif/cfserl.h |    1 +
+ net/caif/cfserl.c         |    5 +++++
+ 2 files changed, 6 insertions(+)
+
+--- a/include/net/caif/cfserl.h
++++ b/include/net/caif/cfserl.h
+@@ -9,4 +9,5 @@
+ #include <net/caif/caif_layer.h>
+ 
+ struct cflayer *cfserl_create(int instance, bool use_stx);
++void cfserl_release(struct cflayer *layer);
+ #endif
+--- a/net/caif/cfserl.c
++++ b/net/caif/cfserl.c
+@@ -31,6 +31,11 @@ static int cfserl_transmit(struct cflaye
+ static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
+                          int phyid);
+ 
++void cfserl_release(struct cflayer *layer)
++{
++      kfree(layer);
++}
++
+ struct cflayer *cfserl_create(int instance, bool use_stx)
+ {
+       struct cfserl *this = kzalloc(sizeof(struct cfserl), GFP_ATOMIC);

diff --git a/queue-4.9/net-caif-fix-memory-leak-in-caif_device_notify.patch b/queue-4.9/net-caif-fix-memory-leak-in-caif_device_notify.patch
new file mode 100644 (file)
index 0000000..9f1893c
--- /dev/null
+++ b/queue-4.9/net-caif-fix-memory-leak-in-caif_device_notify.patch
@@ -0,0 +1,46 @@
+From b53558a950a89824938e9811eddfc8efcd94e1bb Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 3 Jun 2021 19:39:11 +0300
+Subject: net: caif: fix memory leak in caif_device_notify
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit b53558a950a89824938e9811eddfc8efcd94e1bb upstream.
+
+In case of caif_enroll_dev() fail, allocated
+link_support won't be assigned to the corresponding
+structure. So simply free allocated pointer in case
+of error
+
+Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+7ec324747ce876a29db6@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_dev.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -366,6 +366,7 @@ static int caif_device_notify(struct not
+       struct cflayer *layer, *link_support;
+       int head_room = 0;
+       struct caif_device_entry_list *caifdevs;
++      int res;
+ 
+       cfg = get_cfcnfg(dev_net(dev));
+       caifdevs = caif_device_list(dev_net(dev));
+@@ -391,8 +392,10 @@ static int caif_device_notify(struct not
+                               break;
+                       }
+               }
+-              caif_enroll_dev(dev, caifdev, link_support, head_room,
++              res = caif_enroll_dev(dev, caifdev, link_support, head_room,
+                               &layer, NULL);
++              if (res)
++                      cfserl_release(link_support);
+               caifdev->flowctrl = dev_flowctrl;
+               break;
+ 

diff --git a/queue-4.9/net-caif-fix-memory-leak-in-cfusbl_device_notify.patch b/queue-4.9/net-caif-fix-memory-leak-in-cfusbl_device_notify.patch
new file mode 100644 (file)
index 0000000..bc903f9
--- /dev/null
+++ b/queue-4.9/net-caif-fix-memory-leak-in-cfusbl_device_notify.patch
@@ -0,0 +1,68 @@
+From 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 3 Jun 2021 19:39:35 +0300
+Subject: net: caif: fix memory leak in cfusbl_device_notify
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb upstream.
+
+In case of caif_enroll_dev() fail, allocated
+link_support won't be assigned to the corresponding
+structure. So simply free allocated pointer in case
+of error.
+
+Fixes: 7ad65bf68d70 ("caif: Add support for CAIF over CDC NCM USB interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_usb.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/net/caif/caif_usb.c
++++ b/net/caif/caif_usb.c
+@@ -116,6 +116,11 @@ static struct cflayer *cfusbl_create(int
+       return (struct cflayer *) this;
+ }
+ 
++static void cfusbl_release(struct cflayer *layer)
++{
++      kfree(layer);
++}
++
+ static struct packet_type caif_usb_type __read_mostly = {
+       .type = cpu_to_be16(ETH_P_802_EX1),
+ };
+@@ -128,6 +133,7 @@ static int cfusbl_device_notify(struct n
+       struct cflayer *layer, *link_support;
+       struct usbnet *usbnet;
+       struct usb_device *usbdev;
++      int res;
+ 
+       /* Check whether we have a NCM device, and find its VID/PID. */
+       if (!(dev->dev.parent && dev->dev.parent->driver &&
+@@ -170,8 +176,11 @@ static int cfusbl_device_notify(struct n
+       if (dev->num_tx_queues > 1)
+               pr_warn("USB device uses more than one tx queue\n");
+ 
+-      caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN,
++      res = caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN,
+                       &layer, &caif_usb_type.func);
++      if (res)
++              goto err;
++
+       if (!pack_added)
+               dev_add_pack(&caif_usb_type);
+       pack_added = true;
+@@ -181,6 +190,9 @@ static int cfusbl_device_notify(struct n
+       layer->name[sizeof(layer->name) - 1] = 0;
+ 
+       return 0;
++err:
++      cfusbl_release(link_support);
++      return res;
+ }
+ 
+ static struct notifier_block caif_device_notifier = {

diff --git a/queue-4.9/net-kcm-fix-memory-leak-in-kcm_sendmsg.patch b/queue-4.9/net-kcm-fix-memory-leak-in-kcm_sendmsg.patch
new file mode 100644 (file)
index 0000000..889d711
--- /dev/null
+++ b/queue-4.9/net-kcm-fix-memory-leak-in-kcm_sendmsg.patch
@@ -0,0 +1,52 @@
+From c47cc304990a2813995b1a92bbc11d0bb9a19ea9 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Wed, 2 Jun 2021 22:26:40 +0300
+Subject: net: kcm: fix memory leak in kcm_sendmsg
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit c47cc304990a2813995b1a92bbc11d0bb9a19ea9 upstream.
+
+Syzbot reported memory leak in kcm_sendmsg()[1].
+The problem was in non-freed frag_list in case of error.
+
+In the while loop:
+
+       if (head == skb)
+               skb_shinfo(head)->frag_list = tskb;
+       else
+               skb->next = tskb;
+
+frag_list filled with skbs, but nothing was freeing them.
+
+backtrace:
+  [<0000000094c02615>] __alloc_skb+0x5e/0x250 net/core/skbuff.c:198
+  [<00000000e5386cbd>] alloc_skb include/linux/skbuff.h:1083 [inline]
+  [<00000000e5386cbd>] kcm_sendmsg+0x3b6/0xa50 net/kcm/kcmsock.c:967 [1]
+  [<00000000f1613a8a>] sock_sendmsg_nosec net/socket.c:652 [inline]
+  [<00000000f1613a8a>] sock_sendmsg+0x4c/0x60 net/socket.c:672
+
+Reported-and-tested-by: syzbot+b039f5699bd82e1fb011@syzkaller.appspotmail.com
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/kcm/kcmsock.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1065,6 +1065,11 @@ out_error:
+               goto partial_message;
+       }
+ 
++      if (skb_has_frag_list(head)) {
++              kfree_skb_list(skb_shinfo(head)->frag_list);
++              skb_shinfo(head)->frag_list = NULL;
++      }
++
+       if (head != kcm->seq_skb)
+               kfree_skb(head);
+ 

diff --git a/queue-4.9/series b/queue-4.9/series
index 0428320440cf9f0070aa1ea0aa56719b36fcff52..b4d8b365b5465f2e20904e8235e3872f62351399 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -12,3 +12,10 @@ ieee802154-fix-error-return-code-in-ieee802154_add_i.patch
 ieee802154-fix-error-return-code-in-ieee802154_llsec.patch
 bluetooth-fix-the-erroneous-flush_work-order.patch
 bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
+net-kcm-fix-memory-leak-in-kcm_sendmsg.patch
+net-caif-added-cfserl_release-function.patch
+net-caif-add-proper-error-handling.patch
+net-caif-fix-memory-leak-in-caif_device_notify.patch
+net-caif-fix-memory-leak-in-cfusbl_device_notify.patch
+alsa-timer-fix-master-timer-notification.patch
+ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch