4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 5 Mar 2022 13:51:19 +0000 (14:51 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 5 Mar 2022 13:51:19 +0000 (14:51 +0100)
added patches:
firmware-fix-a-reference-count-leak.patch
firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch

queue-4.14/firmware-fix-a-reference-count-leak.patch [new file with mode: 0644]
queue-4.14/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/firmware-fix-a-reference-count-leak.patch b/queue-4.14/firmware-fix-a-reference-count-leak.patch
new file mode 100644 (file)
index 0000000..0ecf791
--- /dev/null
@@ -0,0 +1,48 @@
+From foo@baz Sat Mar  5 02:48:53 PM CET 2022
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Sat, 13 Jun 2020 14:05:33 -0500
+Subject: firmware: Fix a reference count leak.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit fe3c60684377d5ad9b0569b87ed3e26e12c8173b upstream.
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object.
+Callback function fw_cfg_sysfs_release_entry() in kobject_put()
+can handle the pointer "entry" properly.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Link: https://lore.kernel.org/r/20200613190533.15712-1-wu000273@umn.edu
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/qemu_fw_cfg.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -461,8 +461,10 @@ static int fw_cfg_register_file(const st
+       /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+       err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
+                                  fw_cfg_sel_ko, "%d", entry->f.select);
+-      if (err)
+-              goto err_register;
++      if (err) {
++              kobject_put(&entry->kobj);
++              return err;
++      }
+       /* add raw binary content access */
+       err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw);
+@@ -478,7 +480,6 @@ static int fw_cfg_register_file(const st
+ err_add_raw:
+       kobject_del(&entry->kobj);
+-err_register:
+       kfree(entry);
+       return err;
+ }
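Review bot: The new error branch after `kobject_init_and_add()` calls `kobject_put(&entry->kobj)` on an entry that has not yet reached `fw_cfg_sysfs_cache_enlist()`, so the ktype release callback runs on an entry that was never put on the cache list. The description of the second patch queued in this same commit says this change results in a NULL pointer dereference in the release function unless a separate release-side fix is present. This page does not show whether that fix is already in the 4.14 tree, so it should be confirmed before this patch is applied in series order. A comment above the call would record the dependency: `/* release callback frees entry; it must tolerate an entry that was never enlisted */`. `fw_cfg_register_file()` begins before the hunk, so the allocation and setup of `entry` are not visible here.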
diff --git a/queue-4.14/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch b/queue-4.14/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
new file mode 100644 (file)
index 0000000..88de0ae
--- /dev/null
@@ -0,0 +1,69 @@
+From foo@baz Sat Mar  5 02:48:53 PM CET 2022
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 1 Dec 2021 14:25:26 +0100
+Subject: firmware: qemu_fw_cfg: fix kobject leak in probe error path
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 upstream.
+
+An initialised kobject must be freed using kobject_put() to avoid
+leaking associated resources (e.g. the object name).
+
+Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
+the leak in the first error path of the file registration helper but
+left the second one unchanged. This "fix" would however result in a NULL
+pointer dereference due to the release function also removing the never
+added entry from the fw_cfg_entry_cache list. This has now been
+addressed.
+
+Fix the remaining kobject leak by restoring the common error path and
+adding the missing kobject_put().
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Cc: stable@vger.kernel.org      # 4.6
+Cc: Gabriel Somlo <somlo@cmu.edu>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211201132528.30025-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/qemu_fw_cfg.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -461,15 +461,13 @@ static int fw_cfg_register_file(const st
+       /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+       err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
+                                  fw_cfg_sel_ko, "%d", entry->f.select);
+-      if (err) {
+-              kobject_put(&entry->kobj);
+-              return err;
+-      }
++      if (err)
++              goto err_put_entry;
+       /* add raw binary content access */
+       err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw);
+       if (err)
+-              goto err_add_raw;
++              goto err_del_entry;
+       /* try adding "/sys/firmware/qemu_fw_cfg/by_name/" symlink */
+       fw_cfg_build_symlink(fw_cfg_fname_kset, &entry->kobj, entry->f.name);
+@@ -478,9 +476,10 @@ static int fw_cfg_register_file(const st
+       fw_cfg_sysfs_cache_enlist(entry);
+       return 0;
+-err_add_raw:
++err_del_entry:
+       kobject_del(&entry->kobj);
+-      kfree(entry);
++err_put_entry:
++      kobject_put(&entry->kobj);
+       return err;
+ }
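Review bot: At `err_put_entry` the memory for `entry` is now released only indirectly, presumably by the ktype release callback that `kobject_put()` triggers, and nothing at the label says so now that the explicit `kfree(entry)` is gone. A short comment above the label, such as `/* kobject_put() drops our reference; the release callback frees entry */`, would keep a later context adjustment from re-adding a `kfree()` and turning the leak fix into a double free. The fall-through from `err_del_entry` into `err_put_entry` is intentional and could be marked in the same comment. The start of the function and the lines between the two inner hunks are outside what is shown, so this assumes no other reference to the kobject is taken there.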
index e8115f935fad10b1fa287cc74345e065c526059e..e1108b6fc83a81eea0075fe667e00f71fdc66e61 100644 (file)
@@ -23,3 +23,5 @@ batman-adv-don-t-expect-inter-netns-unique-iflink-indices.patch
 net-dcb-flush-lingering-app-table-entries-for-unregistered-devices.patch
 net-smc-fix-unexpected-smc_clc_decl_err_regrmb-error-generated-by-client.patch
 net-smc-fix-unexpected-smc_clc_decl_err_regrmb-error-cause-by-server.patch
+firmware-fix-a-reference-count-leak.patch
+firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch