--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 21 Aug 2019 20:00:02 +0200
+Subject: ALSA: line6: Fix memory leak at line6_init_pcm() error path
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 upstream.
+
+I forgot to release the allocated object at the early error path in
+line6_init_pcm(). For addressing it, slightly shuffle the code so
+that the PCM destructor (pcm->private_free) is assigned properly
+before all error paths.
+
+Fixes: 3450121997ce ("ALSA: line6: Fix write on zero-sized buffer")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 4.4: adjust context]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/line6/pcm.c | 18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -523,6 +523,15 @@ int line6_init_pcm(struct usb_line6 *lin
+ line6pcm->volume_monitor = 255;
+ line6pcm->line6 = line6;
+
++ spin_lock_init(&line6pcm->out.lock);
++ spin_lock_init(&line6pcm->in.lock);
++ line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD;
++
++ line6->line6pcm = line6pcm;
++
++ pcm->private_data = line6pcm;
++ pcm->private_free = line6_cleanup_pcm;
++
+ /* Read and write buffers are sized identically, so choose minimum */
+ line6pcm->max_packet_size = min(
+ usb_maxpacket(line6->usbdev,
+@@ -535,15 +544,6 @@ int line6_init_pcm(struct usb_line6 *lin
+ return -EINVAL;
+ }
+
+- spin_lock_init(&line6pcm->out.lock);
+- spin_lock_init(&line6pcm->in.lock);
+- line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD;
+-
+- line6->line6pcm = line6pcm;
+-
+- pcm->private_data = line6pcm;
+- pcm->private_free = line6_cleanup_pcm;
+-
+ err = line6_create_audio_out_urbs(line6pcm);
+ if (err < 0)
+ return err;
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 2 Jul 2019 20:07:21 +0200
+Subject: ALSA: line6: Fix write on zero-sized buffer
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 3450121997ce872eb7f1248417225827ea249710 upstream.
+
+LINE6 drivers allocate the buffers based on the value returned from
+usb_maxpacket() calls. The manipulated device may return zero for
+this, and this results in the kmalloc() with zero size (and it may
+succeed) while the other part of the driver code writes the packet
+data with the fixed size -- which eventually overwrites.
+
+This patch adds a simple sanity check for the invalid buffer size for
+avoiding that problem.
+
+Reported-by: syzbot+219f00fb49874dcaea17@syzkaller.appspotmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+[bwh: Backported to 4.4: Driver doesn't support asymmetrical packet
+ sizes, so only check snd_line6_pcm::max_packet_size]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/usb/line6/pcm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/usb/line6/pcm.c
++++ b/sound/usb/line6/pcm.c
+@@ -529,6 +529,11 @@ int line6_init_pcm(struct usb_line6 *lin
+ usb_rcvisocpipe(line6->usbdev, ep_read), 0),
+ usb_maxpacket(line6->usbdev,
+ usb_sndisocpipe(line6->usbdev, ep_write), 1));
++ if (!line6pcm->max_packet_size) {
++ dev_err(line6pcm->line6->ifcdev,
++ "cannot get proper max packet size\n");
++ return -EINVAL;
++ }
+
+ spin_lock_init(&line6pcm->out.lock);
+ spin_lock_init(&line6pcm->in.lock);
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Dedy Lansky <dlansky@codeaurora.org>
+Date: Sun, 29 Jul 2018 14:59:16 +0300
+Subject: cfg80211/mac80211: make ieee80211_send_layer2_update a public function
+
+From: Dedy Lansky <dlansky@codeaurora.org>
+
+commit 30ca1aa536211f5ac3de0173513a7a99a98a97f3 upstream.
+
+Make ieee80211_send_layer2_update() a common function so other drivers
+can re-use it.
+
+Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[bwh: Backported to 4.4 as dependency of commit 3e493173b784
+ "mac80211: Do not send Layer 2 Update frame before authorization":
+ - Retain type-casting of skb_put() return value
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/cfg80211.h | 11 +++++++++++
+ net/mac80211/cfg.c | 48 ++----------------------------------------------
+ net/wireless/util.c | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 58 insertions(+), 46 deletions(-)
+
+--- a/include/net/cfg80211.h
++++ b/include/net/cfg80211.h
+@@ -3856,6 +3856,17 @@ const u8 *cfg80211_find_vendor_ie(unsign
+ const u8 *ies, int len);
+
+ /**
++ * cfg80211_send_layer2_update - send layer 2 update frame
++ *
++ * @dev: network device
++ * @addr: STA MAC address
++ *
++ * Wireless drivers can use this function to update forwarding tables in bridge
++ * devices upon STA association.
++ */
++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr);
++
++/**
+ * DOC: Regulatory enforcement infrastructure
+ *
+ * TODO
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -875,50 +875,6 @@ static int ieee80211_stop_ap(struct wiph
+ return 0;
+ }
+
+-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
+-struct iapp_layer2_update {
+- u8 da[ETH_ALEN]; /* broadcast */
+- u8 sa[ETH_ALEN]; /* STA addr */
+- __be16 len; /* 6 */
+- u8 dsap; /* 0 */
+- u8 ssap; /* 0 */
+- u8 control;
+- u8 xid_info[3];
+-} __packed;
+-
+-static void ieee80211_send_layer2_update(struct sta_info *sta)
+-{
+- struct iapp_layer2_update *msg;
+- struct sk_buff *skb;
+-
+- /* Send Level 2 Update Frame to update forwarding tables in layer 2
+- * bridge devices */
+-
+- skb = dev_alloc_skb(sizeof(*msg));
+- if (!skb)
+- return;
+- msg = (struct iapp_layer2_update *)skb_put(skb, sizeof(*msg));
+-
+- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
+- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
+-
+- eth_broadcast_addr(msg->da);
+- memcpy(msg->sa, sta->sta.addr, ETH_ALEN);
+- msg->len = htons(6);
+- msg->dsap = 0;
+- msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */
+- msg->control = 0xaf; /* XID response lsb.1111F101.
+- * F=0 (no poll command; unsolicited frame) */
+- msg->xid_info[0] = 0x81; /* XID format identifier */
+- msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
+- msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */
+-
+- skb->dev = sta->sdata->dev;
+- skb->protocol = eth_type_trans(skb, sta->sdata->dev);
+- memset(skb->cb, 0, sizeof(skb->cb));
+- netif_rx_ni(skb);
+-}
+-
+ static int sta_apply_auth_flags(struct ieee80211_local *local,
+ struct sta_info *sta,
+ u32 mask, u32 set)
+@@ -1258,7 +1214,7 @@ static int ieee80211_add_station(struct
+ }
+
+ if (layer2_update)
+- ieee80211_send_layer2_update(sta);
++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+
+ rcu_read_unlock();
+
+@@ -1367,7 +1323,7 @@ static int ieee80211_change_station(stru
+ atomic_inc(&sta->sdata->bss->num_mcast_sta);
+ }
+
+- ieee80211_send_layer2_update(sta);
++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+ }
+
+ err = sta_apply_parameters(local, sta, params);
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -1814,3 +1814,48 @@ EXPORT_SYMBOL(rfc1042_header);
+ const unsigned char bridge_tunnel_header[] __aligned(2) =
+ { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 };
+ EXPORT_SYMBOL(bridge_tunnel_header);
++
++/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */
++struct iapp_layer2_update {
++ u8 da[ETH_ALEN]; /* broadcast */
++ u8 sa[ETH_ALEN]; /* STA addr */
++ __be16 len; /* 6 */
++ u8 dsap; /* 0 */
++ u8 ssap; /* 0 */
++ u8 control;
++ u8 xid_info[3];
++} __packed;
++
++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr)
++{
++ struct iapp_layer2_update *msg;
++ struct sk_buff *skb;
++
++ /* Send Level 2 Update Frame to update forwarding tables in layer 2
++ * bridge devices */
++
++ skb = dev_alloc_skb(sizeof(*msg));
++ if (!skb)
++ return;
++ msg = (struct iapp_layer2_update *)skb_put(skb, sizeof(*msg));
++
++ /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID)
++ * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */
++
++ eth_broadcast_addr(msg->da);
++ ether_addr_copy(msg->sa, addr);
++ msg->len = htons(6);
++ msg->dsap = 0;
++ msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */
++ msg->control = 0xaf; /* XID response lsb.1111F101.
++ * F=0 (no poll command; unsolicited frame) */
++ msg->xid_info[0] = 0x81; /* XID format identifier */
++ msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
++ msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */
++
++ skb->dev = dev;
++ skb->protocol = eth_type_trans(skb, dev);
++ memset(skb->cb, 0, sizeof(skb->cb));
++ netif_rx_ni(skb);
++}
++EXPORT_SYMBOL(cfg80211_send_layer2_update);
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Mon, 1 Apr 2019 09:35:54 +0800
+Subject: dccp: Fix memleak in __feat_register_sp
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 1d3ff0950e2b40dc861b1739029649d03f591820 upstream.
+
+If dccp_feat_push_change fails, we forget free the mem
+which is alloced by kmemdup in dccp_feat_clone_sp_val.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values")
+Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/dccp/feat.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/dccp/feat.c
++++ b/net/dccp/feat.c
+@@ -738,7 +738,12 @@ static int __feat_register_sp(struct lis
+ if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
+ return -ENOMEM;
+
+- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
++ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) {
++ kfree(fval.sp.vec);
++ return -ENOMEM;
++ }
++
++ return 0;
+ }
+
+ /**
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Thu, 7 Nov 2019 21:43:41 -0500
+Subject: ext4: add more paranoia checking in ext4_expand_extra_isize handling
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a upstream.
+
+It's possible to specify a non-zero s_want_extra_isize via debugging
+option, and this can cause bad things(tm) to happen when using a file
+system with an inode size of 128 bytes.
+
+Add better checking when the file system is mounted, as well as when
+we are actually doing the trying to do the inode expansion.
+
+Link: https://lore.kernel.org/r/20191110121510.GH23325@mit.edu
+Reported-by: syzbot+f8d6f8386ceacdbfff57@syzkaller.appspotmail.com
+Reported-by: syzbot+33d7ea72e47de3bdf4e1@syzkaller.appspotmail.com
+Reported-by: syzbot+44b6763edfc17144296f@syzkaller.appspotmail.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+[bwh: Backported to 4.4: adjust context]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/inode.c | 15 +++++++++++++++
+ fs/ext4/super.c | 20 ++++++++++++--------
+ 2 files changed, 27 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/inode.c
++++ b/fs/ext4/inode.c
+@@ -5189,10 +5189,25 @@ static int ext4_expand_extra_isize(struc
+ {
+ struct ext4_inode *raw_inode;
+ struct ext4_xattr_ibody_header *header;
++ unsigned int inode_size = EXT4_INODE_SIZE(inode->i_sb);
++ struct ext4_inode_info *ei = EXT4_I(inode);
+
+ if (EXT4_I(inode)->i_extra_isize >= new_extra_isize)
+ return 0;
+
++ /* this was checked at iget time, but double check for good measure */
++ if ((EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > inode_size) ||
++ (ei->i_extra_isize & 3)) {
++ EXT4_ERROR_INODE(inode, "bad extra_isize %u (inode size %u)",
++ ei->i_extra_isize,
++ EXT4_INODE_SIZE(inode->i_sb));
++ return -EFSCORRUPTED;
++ }
++ if ((new_extra_isize < ei->i_extra_isize) ||
++ (new_extra_isize < 4) ||
++ (new_extra_isize > inode_size - EXT4_GOOD_OLD_INODE_SIZE))
++ return -EINVAL; /* Should never happen */
++
+ raw_inode = ext4_raw_inode(&iloc);
+
+ header = IHDR(inode, raw_inode);
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3173,11 +3173,15 @@ static void ext4_clamp_want_extra_isize(
+ {
+ struct ext4_sb_info *sbi = EXT4_SB(sb);
+ struct ext4_super_block *es = sbi->s_es;
++ unsigned def_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
+
+- /* determine the minimum size of new large inodes, if present */
+- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
++ if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) {
++ sbi->s_want_extra_isize = 0;
++ return;
++ }
++ if (sbi->s_want_extra_isize < 4) {
++ sbi->s_want_extra_isize = def_extra_isize;
+ if (ext4_has_feature_extra_isize(sb)) {
+ if (sbi->s_want_extra_isize <
+ le16_to_cpu(es->s_want_extra_isize))
+@@ -3190,10 +3194,10 @@ static void ext4_clamp_want_extra_isize(
+ }
+ }
+ /* Check if enough inode space is available */
+- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+- sbi->s_inode_size) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
++ if ((sbi->s_want_extra_isize > sbi->s_inode_size) ||
++ (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
++ sbi->s_inode_size)) {
++ sbi->s_want_extra_isize = def_extra_isize;
+ ext4_msg(sb, KERN_INFO,
+ "required extra inode space not available");
+ }
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Barret Rhoden <brho@google.com>
+Date: Thu, 25 Apr 2019 11:55:50 -0400
+Subject: ext4: fix use-after-free race with debug_want_extra_isize
+
+From: Barret Rhoden <brho@google.com>
+
+commit 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7 upstream.
+
+When remounting with debug_want_extra_isize, we were not performing the
+same checks that we do during a normal mount. That allowed us to set a
+value for s_want_extra_isize that reached outside the s_inode_size.
+
+Fixes: e2b911c53584 ("ext4: clean up feature test macros with predicate functions")
+Reported-by: syzbot+f584efa0ac7213c226b7@syzkaller.appspotmail.com
+Reviewed-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Barret Rhoden <brho@google.com>
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+[bwh: Backported to 4.4: The debug_want_extra_isize mount option is not
+ supported]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/super.c | 56 +++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 33 insertions(+), 23 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -3169,6 +3169,36 @@ int ext4_calculate_overhead(struct super
+ return 0;
+ }
+
++static void ext4_clamp_want_extra_isize(struct super_block *sb)
++{
++ struct ext4_sb_info *sbi = EXT4_SB(sb);
++ struct ext4_super_block *es = sbi->s_es;
++
++ /* determine the minimum size of new large inodes, if present */
++ if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) {
++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
++ if (ext4_has_feature_extra_isize(sb)) {
++ if (sbi->s_want_extra_isize <
++ le16_to_cpu(es->s_want_extra_isize))
++ sbi->s_want_extra_isize =
++ le16_to_cpu(es->s_want_extra_isize);
++ if (sbi->s_want_extra_isize <
++ le16_to_cpu(es->s_min_extra_isize))
++ sbi->s_want_extra_isize =
++ le16_to_cpu(es->s_min_extra_isize);
++ }
++ }
++ /* Check if enough inode space is available */
++ if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
++ sbi->s_inode_size) {
++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
++ EXT4_GOOD_OLD_INODE_SIZE;
++ ext4_msg(sb, KERN_INFO,
++ "required extra inode space not available");
++ }
++}
++
+ static void ext4_set_resv_clusters(struct super_block *sb)
+ {
+ ext4_fsblk_t resv_clusters;
+@@ -3991,29 +4021,7 @@ no_journal:
+ if (ext4_setup_super(sb, es, sb->s_flags & MS_RDONLY))
+ sb->s_flags |= MS_RDONLY;
+
+- /* determine the minimum size of new large inodes, if present */
+- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
+- if (ext4_has_feature_extra_isize(sb)) {
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_want_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_want_extra_isize);
+- if (sbi->s_want_extra_isize <
+- le16_to_cpu(es->s_min_extra_isize))
+- sbi->s_want_extra_isize =
+- le16_to_cpu(es->s_min_extra_isize);
+- }
+- }
+- /* Check if enough inode space is available */
+- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize >
+- sbi->s_inode_size) {
+- sbi->s_want_extra_isize = sizeof(struct ext4_inode) -
+- EXT4_GOOD_OLD_INODE_SIZE;
+- ext4_msg(sb, KERN_INFO, "required extra inode space not"
+- "available");
+- }
++ ext4_clamp_want_extra_isize(sb);
+
+ ext4_set_resv_clusters(sb);
+
+@@ -4766,6 +4774,8 @@ static int ext4_remount(struct super_blo
+ goto restore_opts;
+ }
+
++ ext4_clamp_want_extra_isize(sb);
++
+ if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^
+ test_opt(sb, JOURNAL_CHECKSUM)) {
+ ext4_msg(sb, KERN_ERR, "changing journal_checksum "
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Jouni Malinen <jouni@codeaurora.org>
+Date: Wed, 11 Sep 2019 16:03:05 +0300
+Subject: mac80211: Do not send Layer 2 Update frame before authorization
+
+From: Jouni Malinen <jouni@codeaurora.org>
+
+commit 3e493173b7841259a08c5c8e5cbe90adb349da7e upstream.
+
+The Layer 2 Update frame is used to update bridges when a station roams
+to another AP even if that STA does not transmit any frames after the
+reassociation. This behavior was described in IEEE Std 802.11F-2003 as
+something that would happen based on MLME-ASSOCIATE.indication, i.e.,
+before completing 4-way handshake. However, this IEEE trial-use
+recommended practice document was published before RSN (IEEE Std
+802.11i-2004) and as such, did not consider RSN use cases. Furthermore,
+IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been
+maintained amd should not be used anymore.
+
+Sending out the Layer 2 Update frame immediately after association is
+fine for open networks (and also when using SAE, FT protocol, or FILS
+authentication when the station is actually authenticated by the time
+association completes). However, it is not appropriate for cases where
+RSN is used with PSK or EAP authentication since the station is actually
+fully authenticated only once the 4-way handshake completes after
+authentication and attackers might be able to use the unauthenticated
+triggering of Layer 2 Update frame transmission to disrupt bridge
+behavior.
+
+Fix this by postponing transmission of the Layer 2 Update frame from
+station entry addition to the point when the station entry is marked
+authorized. Similarly, send out the VLAN binding update only if the STA
+entry has already been authorized.
+
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 4.4: adjust context]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c | 11 +++--------
+ net/mac80211/sta_info.c | 4 ++++
+ 2 files changed, 7 insertions(+), 8 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1150,7 +1150,6 @@ static int ieee80211_add_station(struct
+ struct sta_info *sta;
+ struct ieee80211_sub_if_data *sdata;
+ int err;
+- int layer2_update;
+
+ if (params->vlan) {
+ sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
+@@ -1204,18 +1203,12 @@ static int ieee80211_add_station(struct
+ test_sta_flag(sta, WLAN_STA_ASSOC))
+ rate_control_rate_init(sta);
+
+- layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
+- sdata->vif.type == NL80211_IFTYPE_AP;
+-
+ err = sta_info_insert_rcu(sta);
+ if (err) {
+ rcu_read_unlock();
+ return err;
+ }
+
+- if (layer2_update)
+- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
+-
+ rcu_read_unlock();
+
+ return 0;
+@@ -1323,7 +1316,9 @@ static int ieee80211_change_station(stru
+ atomic_inc(&sta->sdata->bss->num_mcast_sta);
+ }
+
+- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr);
++ if (sta->sta_state == IEEE80211_STA_AUTHORIZED)
++ cfg80211_send_layer2_update(sta->sdata->dev,
++ sta->sta.addr);
+ }
+
+ err = sta_apply_parameters(local, sta, params);
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -1775,6 +1775,10 @@ int sta_info_move_state(struct sta_info
+ set_bit(WLAN_STA_AUTHORIZED, &sta->_flags);
+ ieee80211_check_fast_xmit(sta);
+ }
++ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN ||
++ sta->sdata->vif.type == NL80211_IFTYPE_AP)
++ cfg80211_send_layer2_update(sta->sdata->dev,
++ sta->sta.addr);
+ break;
+ default:
+ break;
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Vandana BN <bnvandana@gmail.com>
+Date: Wed, 22 May 2019 04:34:15 -0400
+Subject: media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap
+
+From: Vandana BN <bnvandana@gmail.com>
+
+commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e upstream.
+
+SyzKaller hit the null pointer deref while reading from uninitialized
+udev->product in zr364xx_vidioc_querycap().
+
+==================================================================
+BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
+include/linux/compiler.h:274
+Read of size 1 at addr 0000000000000000 by task v4l_id/5287
+
+CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
+Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe8/0x16e lib/dump_stack.c:113
+ kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
+ read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
+ strscpy+0x8a/0x280 lib/string.c:207
+ zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
+ v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
+ __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
+ video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
+ v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
+ vfs_ioctl fs/ioctl.c:46 [inline]
+ file_ioctl fs/ioctl.c:509 [inline]
+ do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
+ ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
+ __do_sys_ioctl fs/ioctl.c:720 [inline]
+ __se_sys_ioctl fs/ioctl.c:718 [inline]
+ __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
+ do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x7f3b56d8b347
+Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
+ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
+ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
+RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
+RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
+RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
+R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
+==================================================================
+
+For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
+
+The fix is to check for NULL before strscpy() and copy empty string, if
+product is NULL
+
+Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
+Signed-off-by: Vandana BN <bnvandana@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+[bwh: Backported to 4.4: This function uses strlcpy() instead of strscpy()]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -711,7 +711,8 @@ static int zr364xx_vidioc_querycap(struc
+ struct zr364xx_camera *cam = video_drvdata(file);
+
+ strlcpy(cap->driver, DRIVER_DESC, sizeof(cap->driver));
+- strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
++ if (cam->udev->product)
++ strlcpy(cap->card, cam->udev->product, sizeof(cap->card));
+ strlcpy(cap->bus_info, dev_name(&cam->udev->dev),
+ sizeof(cap->bus_info));
+ cap->device_caps = V4L2_CAP_VIDEO_CAPTURE |
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Igor Redko <redkoi@virtuozzo.com>
+Date: Thu, 17 Mar 2016 14:19:05 -0700
+Subject: mm/page_alloc.c: calculate 'available' memory in a separate function
+
+From: Igor Redko <redkoi@virtuozzo.com>
+
+commit d02bd27bd33dd7e8d22594cd568b81be0cb584cd upstream.
+
+Add a new field, VIRTIO_BALLOON_S_AVAIL, to virtio_balloon memory
+statistics protocol, corresponding to 'Available' in /proc/meminfo.
+
+It indicates to the hypervisor how big the balloon can be inflated
+without pushing the guest system to swap. This metric would be very
+useful in VM orchestration software to improve memory management of
+different VMs under overcommit.
+
+This patch (of 2):
+
+Factor out calculation of the available memory counter into a separate
+exportable function, in order to be able to use it in other parts of the
+kernel.
+
+In particular, it appears a relevant metric to report to the hypervisor
+via virtio-balloon statistics interface (in a followup patch).
+
+Signed-off-by: Igor Redko <redkoi@virtuozzo.com>
+Signed-off-by: Denis V. Lunev <den@openvz.org>
+Reviewed-by: Roman Kagan <rkagan@virtuozzo.com>
+Cc: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+[bwh: Backported to 4.4 as dependency of commit a1078e821b60
+ "xen: let alloc_xenballooned_pages() fail if not enough memory free"]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/meminfo.c | 31 +------------------------------
+ include/linux/mm.h | 1 +
+ mm/page_alloc.c | 43 +++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 45 insertions(+), 30 deletions(-)
+
+--- a/fs/proc/meminfo.c
++++ b/fs/proc/meminfo.c
+@@ -29,10 +29,7 @@ static int meminfo_proc_show(struct seq_
+ unsigned long committed;
+ long cached;
+ long available;
+- unsigned long pagecache;
+- unsigned long wmark_low = 0;
+ unsigned long pages[NR_LRU_LISTS];
+- struct zone *zone;
+ int lru;
+
+ /*
+@@ -51,33 +48,7 @@ static int meminfo_proc_show(struct seq_
+ for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++)
+ pages[lru] = global_page_state(NR_LRU_BASE + lru);
+
+- for_each_zone(zone)
+- wmark_low += zone->watermark[WMARK_LOW];
+-
+- /*
+- * Estimate the amount of memory available for userspace allocations,
+- * without causing swapping.
+- */
+- available = i.freeram - totalreserve_pages;
+-
+- /*
+- * Not all the page cache can be freed, otherwise the system will
+- * start swapping. Assume at least half of the page cache, or the
+- * low watermark worth of cache, needs to stay.
+- */
+- pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE];
+- pagecache -= min(pagecache / 2, wmark_low);
+- available += pagecache;
+-
+- /*
+- * Part of the reclaimable slab consists of items that are in use,
+- * and cannot be freed. Cap this estimate at the low watermark.
+- */
+- available += global_page_state(NR_SLAB_RECLAIMABLE) -
+- min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low);
+-
+- if (available < 0)
+- available = 0;
++ available = si_mem_available();
+
+ /*
+ * Tagged format, for easy grepping and expansion.
+--- a/include/linux/mm.h
++++ b/include/linux/mm.h
+@@ -1802,6 +1802,7 @@ extern int __meminit init_per_zone_wmark
+ extern void mem_init(void);
+ extern void __init mmap_init(void);
+ extern void show_mem(unsigned int flags);
++extern long si_mem_available(void);
+ extern void si_meminfo(struct sysinfo * val);
+ extern void si_meminfo_node(struct sysinfo *val, int nid);
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -3650,6 +3650,49 @@ static inline void show_node(struct zone
+ printk("Node %d ", zone_to_nid(zone));
+ }
+
++long si_mem_available(void)
++{
++ long available;
++ unsigned long pagecache;
++ unsigned long wmark_low = 0;
++ unsigned long pages[NR_LRU_LISTS];
++ struct zone *zone;
++ int lru;
++
++ for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++)
++ pages[lru] = global_page_state(NR_LRU_BASE + lru);
++
++ for_each_zone(zone)
++ wmark_low += zone->watermark[WMARK_LOW];
++
++ /*
++ * Estimate the amount of memory available for userspace allocations,
++ * without causing swapping.
++ */
++ available = global_page_state(NR_FREE_PAGES) - totalreserve_pages;
++
++ /*
++ * Not all the page cache can be freed, otherwise the system will
++ * start swapping. Assume at least half of the page cache, or the
++ * low watermark worth of cache, needs to stay.
++ */
++ pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE];
++ pagecache -= min(pagecache / 2, wmark_low);
++ available += pagecache;
++
++ /*
++ * Part of the reclaimable slab consists of items that are in use,
++ * and cannot be freed. Cap this estimate at the low watermark.
++ */
++ available += global_page_state(NR_SLAB_RECLAIMABLE) -
++ min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low);
++
++ if (available < 0)
++ available = 0;
++ return available;
++}
++EXPORT_SYMBOL_GPL(si_mem_available);
++
+ void si_meminfo(struct sysinfo *val)
+ {
+ val->totalram = totalram_pages;
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 20 May 2019 10:44:21 -0400
+Subject: p54usb: Fix race between disconnect and firmware loading
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 6e41e2257f1094acc37618bf6c856115374c6922 upstream.
+
+The syzbot fuzzer found a bug in the p54 USB wireless driver. The
+issue involves a race between disconnect and the firmware-loader
+callback routine, and it has several aspects.
+
+One big problem is that when the firmware can't be loaded, the
+callback routine tries to unbind the driver from the USB _device_ (by
+calling device_release_driver) instead of from the USB _interface_ to
+which it is actually bound (by calling usb_driver_release_interface).
+
+The race involves access to the private data structure. The driver's
+disconnect handler waits for a completion that is signalled by the
+firmware-loader callback routine. As soon as the completion is
+signalled, you have to assume that the private data structure may have
+been deallocated by the disconnect handler -- even if the firmware was
+loaded without errors. However, the callback routine does access the
+private data several times after that point.
+
+Another problem is that, in order to ensure that the USB device
+structure hasn't been freed when the callback routine runs, the driver
+takes a reference to it. This isn't good enough any more, because now
+that the callback routine calls usb_driver_release_interface, it has
+to ensure that the interface structure hasn't been freed.
+
+Finally, the driver takes an unnecessary reference to the USB device
+structure in the probe function and drops the reference in the
+disconnect handler. This extra reference doesn't accomplish anything,
+because the USB core already guarantees that a device structure won't
+be deallocated while a driver is still bound to any of its interfaces.
+
+To fix these problems, this patch makes the following changes:
+
+ Call usb_driver_release_interface() rather than
+ device_release_driver().
+
+ Don't signal the completion until after the important
+ information has been copied out of the private data structure,
+ and don't refer to the private data at all thereafter.
+
+ Lock udev (the interface's parent) before unbinding the driver
+ instead of locking udev->parent.
+
+ During the firmware loading process, take a reference to the
+ USB interface instead of the USB device.
+
+ Don't take an unnecessary reference to the device during probe
+ (and then don't drop it during disconnect).
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com
+Acked-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+[bwh: Backported to 4.4: adjust filename]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/p54/p54usb.c | 43 +++++++++++++++-----------------------
+ 1 file changed, 18 insertions(+), 25 deletions(-)
+
+--- a/drivers/net/wireless/p54/p54usb.c
++++ b/drivers/net/wireless/p54/p54usb.c
+@@ -33,6 +33,8 @@ MODULE_ALIAS("prism54usb");
+ MODULE_FIRMWARE("isl3886usb");
+ MODULE_FIRMWARE("isl3887usb");
+
++static struct usb_driver p54u_driver;
++
+ /*
+ * Note:
+ *
+@@ -921,9 +923,9 @@ static void p54u_load_firmware_cb(const
+ {
+ struct p54u_priv *priv = context;
+ struct usb_device *udev = priv->udev;
++ struct usb_interface *intf = priv->intf;
+ int err;
+
+- complete(&priv->fw_wait_load);
+ if (firmware) {
+ priv->fw = firmware;
+ err = p54u_start_ops(priv);
+@@ -932,26 +934,22 @@ static void p54u_load_firmware_cb(const
+ dev_err(&udev->dev, "Firmware not found.\n");
+ }
+
+- if (err) {
+- struct device *parent = priv->udev->dev.parent;
+-
+- dev_err(&udev->dev, "failed to initialize device (%d)\n", err);
+-
+- if (parent)
+- device_lock(parent);
++ complete(&priv->fw_wait_load);
++ /*
++ * At this point p54u_disconnect may have already freed
++ * the "priv" context. Do not use it anymore!
++ */
++ priv = NULL;
+
+- device_release_driver(&udev->dev);
+- /*
+- * At this point p54u_disconnect has already freed
+- * the "priv" context. Do not use it anymore!
+- */
+- priv = NULL;
++ if (err) {
++ dev_err(&intf->dev, "failed to initialize device (%d)\n", err);
+
+- if (parent)
+- device_unlock(parent);
++ usb_lock_device(udev);
++ usb_driver_release_interface(&p54u_driver, intf);
++ usb_unlock_device(udev);
+ }
+
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ }
+
+ static int p54u_load_firmware(struct ieee80211_hw *dev,
+@@ -972,14 +970,14 @@ static int p54u_load_firmware(struct iee
+ dev_info(&priv->udev->dev, "Loading firmware file %s\n",
+ p54u_fwlist[i].fw);
+
+- usb_get_dev(udev);
++ usb_get_intf(intf);
+ err = request_firmware_nowait(THIS_MODULE, 1, p54u_fwlist[i].fw,
+ device, GFP_KERNEL, priv,
+ p54u_load_firmware_cb);
+ if (err) {
+ dev_err(&priv->udev->dev, "(p54usb) cannot load firmware %s "
+ "(%d)!\n", p54u_fwlist[i].fw, err);
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ }
+
+ return err;
+@@ -1011,8 +1009,6 @@ static int p54u_probe(struct usb_interfa
+ skb_queue_head_init(&priv->rx_queue);
+ init_usb_anchor(&priv->submitted);
+
+- usb_get_dev(udev);
+-
+ /* really lazy and simple way of figuring out if we're a 3887 */
+ /* TODO: should just stick the identification in the device table */
+ i = intf->altsetting->desc.bNumEndpoints;
+@@ -1053,10 +1049,8 @@ static int p54u_probe(struct usb_interfa
+ priv->upload_fw = p54u_upload_firmware_net2280;
+ }
+ err = p54u_load_firmware(dev, intf);
+- if (err) {
+- usb_put_dev(udev);
++ if (err)
+ p54_free_common(dev);
+- }
+ return err;
+ }
+
+@@ -1072,7 +1066,6 @@ static void p54u_disconnect(struct usb_i
+ wait_for_completion(&priv->fw_wait_load);
+ p54_unregister_common(dev);
+
+- usb_put_dev(interface_to_usbdev(intf));
+ release_firmware(priv->fw);
+ p54_free_common(dev);
+ }
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+Date: Tue, 15 May 2018 14:34:30 +0530
+Subject: rsi: add fix for crash during assertions
+
+From: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+
+commit abd39c6ded9db53aa44c2540092bdd5fb6590fa8 upstream.
+
+Observed crash in some scenarios when assertion has occurred,
+this is because hw structure is freed and is tried to get
+accessed in some functions where null check is already
+present. So, avoided the crash by making the hw to NULL after
+freeing.
+
+Signed-off-by: Sanjay Konduri <sanjay.konduri@redpinesignals.com>
+Signed-off-by: Sushant Kumar Mishra <sushant.mishra@redpinesignals.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c
++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c
+@@ -199,6 +199,7 @@ void rsi_mac80211_detach(struct rsi_hw *
+ ieee80211_stop_queues(hw);
+ ieee80211_unregister_hw(hw);
+ ieee80211_free_hw(hw);
++ adapter->hw = NULL;
+ }
+
+ rsi_remove_dbgfs(adapter);
hidraw-return-epollout-from-hidraw_poll.patch
hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch
hid-hidraw-uhid-always-report-epollout.patch
+rsi-add-fix-for-crash-during-assertions.patch
+cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch
+mac80211-do-not-send-layer-2-update-frame-before-authorization.patch
+media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch
+p54usb-fix-race-between-disconnect-and-firmware-loading.patch
+alsa-line6-fix-write-on-zero-sized-buffer.patch
+alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch
+mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch
+xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch
+wimax-i2400-fix-memory-leak.patch
+wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch
+ext4-fix-use-after-free-race-with-debug_want_extra_isize.patch
+ext4-add-more-paranoia-checking-in-ext4_expand_extra_isize-handling.patch
+dccp-fix-memleak-in-__feat_register_sp.patch
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Fri, 25 Oct 2019 23:53:30 -0500
+Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 6f3ef5c25cc762687a7341c18cbea5af54461407 upstream.
+
+In the implementation of i2400m_op_rfkill_sw_toggle() the allocated
+buffer for cmd should be released before returning. The
+documentation for i2400m_msg_to_dev() says when it returns the buffer
+can be reused. Meaning cmd should be released in either case. Move
+kfree(cmd) before return to be reached by all execution paths.
+
+Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak")
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -142,12 +142,12 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+ "%d\n", result);
+ result = 0;
+ error_cmd:
+- kfree(cmd);
+ kfree_skb(ack_skb);
+ error_msg_to_dev:
+ error_alloc:
+ d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n",
+ wimax_dev, state, result);
++ kfree(cmd);
+ return result;
+ }
+
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Tue, 10 Sep 2019 18:01:40 -0500
+Subject: wimax: i2400: fix memory leak
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit 2507e6ab7a9a440773be476141a255934468c5ef upstream.
+
+In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with
+skb response.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wimax/i2400m/op-rfkill.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wimax/i2400m/op-rfkill.c
++++ b/drivers/net/wimax/i2400m/op-rfkill.c
+@@ -142,6 +142,7 @@ int i2400m_op_rfkill_sw_toggle(struct wi
+ "%d\n", result);
+ result = 0;
+ error_cmd:
++ kfree(cmd);
+ kfree_skb(ack_skb);
+ error_msg_to_dev:
+ error_alloc:
--- /dev/null
+From foo@baz Wed 15 Jan 2020 03:59:57 PM CET
+From: Juergen Gross <jgross@suse.com>
+Date: Wed, 19 Jun 2019 11:00:56 +0200
+Subject: xen: let alloc_xenballooned_pages() fail if not enough memory free
+
+From: Juergen Gross <jgross@suse.com>
+
+commit a1078e821b605813b63bf6bca414a85f804d5c66 upstream.
+
+Instead of trying to allocate pages with GFP_USER in
+add_ballooned_pages() check the available free memory via
+si_mem_available(). GFP_USER is far less limiting memory exhaustion
+than the test via si_mem_available().
+
+This will avoid dom0 running out of memory due to excessive foreign
+page mappings especially on ARM and on x86 in PVH mode, as those don't
+have a pre-ballooned area which can be used for foreign mappings.
+
+As the normal ballooning suffers from the same problem don't balloon
+down more than si_mem_available() pages in one iteration. At the same
+time limit the default maximum number of retries.
+
+This is part of XSA-300.
+
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/xen/balloon.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/xen/balloon.c
++++ b/drivers/xen/balloon.c
+@@ -584,8 +584,15 @@ static void balloon_process(struct work_
+ state = reserve_additional_memory();
+ }
+
+- if (credit < 0)
+- state = decrease_reservation(-credit, GFP_BALLOON);
++ if (credit < 0) {
++ long n_pages;
++
++ n_pages = min(-credit, si_mem_available());
++ state = decrease_reservation(n_pages, GFP_BALLOON);
++ if (state == BP_DONE && n_pages != -credit &&
++ n_pages < totalreserve_pages)
++ state = BP_EAGAIN;
++ }
+
+ state = update_schedule(state);
+
+@@ -624,6 +631,9 @@ static int add_ballooned_pages(int nr_pa
+ }
+ }
+
++ if (si_mem_available() < nr_pages)
++ return -ENOMEM;
++
+ st = decrease_reservation(nr_pages, GFP_USER);
+ if (st != BP_DONE)
+ return -ENOMEM;
+@@ -747,7 +757,7 @@ static int __init balloon_init(void)
+ balloon_stats.schedule_delay = 1;
+ balloon_stats.max_schedule_delay = 32;
+ balloon_stats.retry_count = 1;
+- balloon_stats.max_retry_count = RETRY_UNLIMITED;
++ balloon_stats.max_retry_count = 4;
+
+ #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG
+ set_online_page_callback(&xen_online_page);
projects / thirdparty / kernel / stable-queue.git / commitdiff
