--- /dev/null
+From f6f956a9cb349cebb5f0f669e5928e694ade162d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2019 13:59:30 -0500
+Subject: ath9k: release allocated buffer if timed out
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 728c1e2a05e4b5fc52fab3421dce772a806612a2 ]
+
+In ath9k_wmi_cmd, the allocated network buffer needs to be released
+if timeout happens. Otherwise memory will be leaked.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/wmi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
+index e7a3127395be9..066677bb83eb0 100644
+--- a/drivers/net/wireless/ath/ath9k/wmi.c
++++ b/drivers/net/wireless/ath/ath9k/wmi.c
+@@ -339,6 +339,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
+ ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n",
+ wmi_cmd_to_name(cmd_id));
+ mutex_unlock(&wmi->op_mutex);
++ kfree_skb(skb);
+ return -ETIMEDOUT;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 46936aff0e5262377eb5e69f1475a5e74e45ac18 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 6 Sep 2019 13:26:03 -0500
+Subject: ath9k_htc: release allocated buffer if timed out
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 853acf7caf10b828102d92d05b5c101666a6142b ]
+
+In htc_config_pipe_credits, htc_setup_complete, and htc_connect_service
+if time out happens, the allocated buffer needs to be released.
+Otherwise there will be memory leak.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
+index d2e062eaf5614..f705f0e1cb5be 100644
+--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
+@@ -173,6 +173,7 @@ static int htc_config_pipe_credits(struct htc_target *target)
+ time_left = wait_for_completion_timeout(&target->cmd_wait, HZ);
+ if (!time_left) {
+ dev_err(target->dev, "HTC credit config timeout\n");
++ kfree_skb(skb);
+ return -ETIMEDOUT;
+ }
+
+@@ -208,6 +209,7 @@ static int htc_setup_complete(struct htc_target *target)
+ time_left = wait_for_completion_timeout(&target->cmd_wait, HZ);
+ if (!time_left) {
+ dev_err(target->dev, "HTC start timeout\n");
++ kfree_skb(skb);
+ return -ETIMEDOUT;
+ }
+
+@@ -280,6 +282,7 @@ int htc_connect_service(struct htc_target *target,
+ if (!time_left) {
+ dev_err(target->dev, "Service connection timeout for: %d\n",
+ service_connreq->service_id);
++ kfree_skb(skb);
+ return -ETIMEDOUT;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From babdf0382ed8dea85804debeaf0756528368a665 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 18 Sep 2019 13:08:52 +0100
+Subject: Btrfs: fix selftests failure due to uninitialized i_mode in test
+ inodes
+
+From: Filipe Manana <fdmanana@suse.com>
+
+[ Upstream commit 9f7fec0ba89108b9385f1b9fb167861224912a4a ]
+
+Some of the self tests create a test inode, setup some extents and then do
+calls to btrfs_get_extent() to test that the corresponding extent maps
+exist and are correct. However btrfs_get_extent(), since the 5.2 merge
+window, now errors out when it finds a regular or prealloc extent for an
+inode that does not correspond to a regular file (its ->i_mode is not
+S_IFREG). This causes the self tests to fail sometimes, specially when
+KASAN, slub_debug and page poisoning are enabled:
+
+ $ modprobe btrfs
+ modprobe: ERROR: could not insert 'btrfs': Invalid argument
+
+ $ dmesg
+ [ 9414.691648] Btrfs loaded, crc32c=crc32c-intel, debug=on, assert=on, integrity-checker=on, ref-verify=on
+ [ 9414.692655] BTRFS: selftest: sectorsize: 4096 nodesize: 4096
+ [ 9414.692658] BTRFS: selftest: running btrfs free space cache tests
+ [ 9414.692918] BTRFS: selftest: running extent only tests
+ [ 9414.693061] BTRFS: selftest: running bitmap only tests
+ [ 9414.693366] BTRFS: selftest: running bitmap and extent tests
+ [ 9414.696455] BTRFS: selftest: running space stealing from bitmap to extent tests
+ [ 9414.697131] BTRFS: selftest: running extent buffer operation tests
+ [ 9414.697133] BTRFS: selftest: running btrfs_split_item tests
+ [ 9414.697564] BTRFS: selftest: running extent I/O tests
+ [ 9414.697583] BTRFS: selftest: running find delalloc tests
+ [ 9415.081125] BTRFS: selftest: running find_first_clear_extent_bit test
+ [ 9415.081278] BTRFS: selftest: running extent buffer bitmap tests
+ [ 9415.124192] BTRFS: selftest: running inode tests
+ [ 9415.124195] BTRFS: selftest: running btrfs_get_extent tests
+ [ 9415.127909] BTRFS: selftest: running hole first btrfs_get_extent test
+ [ 9415.128343] BTRFS critical (device (efault)): regular/prealloc extent found for non-regular inode 256
+ [ 9415.131428] BTRFS: selftest: fs/btrfs/tests/inode-tests.c:904 expected a real extent, got 0
+
+This happens because the test inodes are created without ever initializing
+the i_mode field of the inode, and neither VFS's new_inode() nor the btrfs
+callback btrfs_alloc_inode() initialize the i_mode. Initialization of the
+i_mode is done through the various callbacks used by the VFS to create
+new inodes (regular files, directories, symlinks, tmpfiles, etc), which
+all call btrfs_new_inode() which in turn calls inode_init_owner(), which
+sets the inode's i_mode. Since the tests only uses new_inode() to create
+the test inodes, the i_mode was never initialized.
+
+This always happens on a VM I used with kasan, slub_debug and many other
+debug facilities enabled. It also happened to someone who reported this
+on bugzilla (on a 5.3-rc).
+
+Fix this by setting i_mode to S_IFREG at btrfs_new_test_inode().
+
+Fixes: 6bf9e4bd6a2778 ("btrfs: inode: Verify inode mode to avoid NULL pointer dereference")
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204397
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/tests/btrfs-tests.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/fs/btrfs/tests/btrfs-tests.c b/fs/btrfs/tests/btrfs-tests.c
+index 2eec1dd3803af..82d874b104383 100644
+--- a/fs/btrfs/tests/btrfs-tests.c
++++ b/fs/btrfs/tests/btrfs-tests.c
+@@ -38,7 +38,13 @@ static struct file_system_type test_type = {
+
+ struct inode *btrfs_new_test_inode(void)
+ {
+- return new_inode(test_mnt->mnt_sb);
++ struct inode *inode;
++
++ inode = new_inode(test_mnt->mnt_sb);
++ if (inode)
++ inode_init_owner(inode, NULL, S_IFREG);
++
++ return inode;
+ }
+
+ static int btrfs_init_test_fs(void)
+--
+2.25.1
+
--- /dev/null
+From 67f373e725841a1873ef6bc03616db110496b9e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 13 Mar 2019 13:55:11 +0800
+Subject: btrfs: inode: Verify inode mode to avoid NULL pointer dereference
+
+From: Qu Wenruo <wqu@suse.com>
+
+[ Upstream commit 6bf9e4bd6a277840d3fe8c5d5d530a1fbd3db592 ]
+
+[BUG]
+When accessing a file on a crafted image, btrfs can crash in block layer:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
+ PGD 136501067 P4D 136501067 PUD 124519067 PMD 0
+ CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.0.0-rc8-default #252
+ RIP: 0010:end_bio_extent_readpage+0x144/0x700
+ Call Trace:
+ <IRQ>
+ blk_update_request+0x8f/0x350
+ blk_mq_end_request+0x1a/0x120
+ blk_done_softirq+0x99/0xc0
+ __do_softirq+0xc7/0x467
+ irq_exit+0xd1/0xe0
+ call_function_single_interrupt+0xf/0x20
+ </IRQ>
+ RIP: 0010:default_idle+0x1e/0x170
+
+[CAUSE]
+The crafted image has a tricky corruption, the INODE_ITEM has a
+different type against its parent dir:
+
+ item 20 key (268 INODE_ITEM 0) itemoff 2808 itemsize 160
+ generation 13 transid 13 size 1048576 nbytes 1048576
+ block group 0 mode 121644 links 1 uid 0 gid 0 rdev 0
+ sequence 9 flags 0x0(none)
+
+This mode number 0120000 means it's a symlink.
+
+But the dir item think it's still a regular file:
+
+ item 8 key (264 DIR_INDEX 5) itemoff 3707 itemsize 32
+ location key (268 INODE_ITEM 0) type FILE
+ transid 13 data_len 0 name_len 2
+ name: f4
+ item 40 key (264 DIR_ITEM 51821248) itemoff 1573 itemsize 32
+ location key (268 INODE_ITEM 0) type FILE
+ transid 13 data_len 0 name_len 2
+ name: f4
+
+For symlink, we don't set BTRFS_I(inode)->io_tree.ops and leave it
+empty, as symlink is only designed to have inlined extent, all handled
+by tree block read. Thus no need to trigger btrfs_submit_bio_hook() for
+inline file extent.
+
+However end_bio_extent_readpage() expects tree->ops populated, as it's
+reading regular data extent. This causes NULL pointer dereference.
+
+[FIX]
+This patch fixes the problem in two ways:
+
+- Verify inode mode against its dir item when looking up inode
+ So in btrfs_lookup_dentry() if we find inode mode mismatch with dir
+ item, we error out so that corrupted inode will not be accessed.
+
+- Verify inode mode when getting extent mapping
+ Only regular file should have regular or preallocated extent.
+ If we found regular/preallocated file extent for symlink or
+ the rest, we error out before submitting the read bio.
+
+With this fix that crafted image can be rejected gracefully:
+
+ BTRFS critical (device loop0): inode mode mismatch with dir: inode mode=0121644 btrfs type=7 dir type=1
+
+Reported-by: Yoon Jungyeon <jungyeon@gatech.edu>
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=202763
+Reviewed-by: Nikolay Borisov <nborisov@suse.com>
+Signed-off-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/btrfs/inode.c | 41 +++++++++++++++++++++++++++++-------
+ fs/btrfs/tests/inode-tests.c | 1 +
+ 2 files changed, 34 insertions(+), 8 deletions(-)
+
+diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
+index 8dd2702ce859e..7befb7c12bd32 100644
+--- a/fs/btrfs/inode.c
++++ b/fs/btrfs/inode.c
+@@ -5553,12 +5553,14 @@ no_delete:
+ }
+
+ /*
+- * this returns the key found in the dir entry in the location pointer.
++ * Return the key found in the dir entry in the location pointer, fill @type
++ * with BTRFS_FT_*, and return 0.
++ *
+ * If no dir entries were found, returns -ENOENT.
+ * If found a corrupted location in dir entry, returns -EUCLEAN.
+ */
+ static int btrfs_inode_by_name(struct inode *dir, struct dentry *dentry,
+- struct btrfs_key *location)
++ struct btrfs_key *location, u8 *type)
+ {
+ const char *name = dentry->d_name.name;
+ int namelen = dentry->d_name.len;
+@@ -5591,6 +5593,8 @@ static int btrfs_inode_by_name(struct inode *dir, struct dentry *dentry,
+ __func__, name, btrfs_ino(BTRFS_I(dir)),
+ location->objectid, location->type, location->offset);
+ }
++ if (!ret)
++ *type = btrfs_dir_type(path->nodes[0], di);
+ out:
+ btrfs_free_path(path);
+ return ret;
+@@ -5826,6 +5830,11 @@ static struct inode *new_simple_dir(struct super_block *s,
+ return inode;
+ }
+
++static inline u8 btrfs_inode_type(struct inode *inode)
++{
++ return btrfs_type_by_mode[(inode->i_mode & S_IFMT) >> S_SHIFT];
++}
++
+ struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry)
+ {
+ struct btrfs_fs_info *fs_info = btrfs_sb(dir->i_sb);
+@@ -5833,18 +5842,31 @@ struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry)
+ struct btrfs_root *root = BTRFS_I(dir)->root;
+ struct btrfs_root *sub_root = root;
+ struct btrfs_key location;
++ u8 di_type = 0;
+ int index;
+ int ret = 0;
+
+ if (dentry->d_name.len > BTRFS_NAME_LEN)
+ return ERR_PTR(-ENAMETOOLONG);
+
+- ret = btrfs_inode_by_name(dir, dentry, &location);
++ ret = btrfs_inode_by_name(dir, dentry, &location, &di_type);
+ if (ret < 0)
+ return ERR_PTR(ret);
+
+ if (location.type == BTRFS_INODE_ITEM_KEY) {
+ inode = btrfs_iget(dir->i_sb, &location, root, NULL);
++ if (IS_ERR(inode))
++ return inode;
++
++ /* Do extra check against inode mode with di_type */
++ if (btrfs_inode_type(inode) != di_type) {
++ btrfs_crit(fs_info,
++"inode mode mismatch with dir: inode mode=0%o btrfs type=%u dir type=%u",
++ inode->i_mode, btrfs_inode_type(inode),
++ di_type);
++ iput(inode);
++ return ERR_PTR(-EUCLEAN);
++ }
+ return inode;
+ }
+
+@@ -6455,11 +6477,6 @@ fail:
+ return ERR_PTR(ret);
+ }
+
+-static inline u8 btrfs_inode_type(struct inode *inode)
+-{
+- return btrfs_type_by_mode[(inode->i_mode & S_IFMT) >> S_SHIFT];
+-}
+-
+ /*
+ * utility function to add 'inode' into 'parent_inode' with
+ * a give name and a given sequence number.
+@@ -6993,6 +7010,14 @@ struct extent_map *btrfs_get_extent(struct btrfs_inode *inode,
+ extent_start = found_key.offset;
+ if (found_type == BTRFS_FILE_EXTENT_REG ||
+ found_type == BTRFS_FILE_EXTENT_PREALLOC) {
++ /* Only regular file could have regular/prealloc extent */
++ if (!S_ISREG(inode->vfs_inode.i_mode)) {
++ ret = -EUCLEAN;
++ btrfs_crit(fs_info,
++ "regular/prealloc extent found for non-regular inode %llu",
++ btrfs_ino(inode));
++ goto out;
++ }
+ extent_end = extent_start +
+ btrfs_file_extent_num_bytes(leaf, item);
+
+diff --git a/fs/btrfs/tests/inode-tests.c b/fs/btrfs/tests/inode-tests.c
+index 64043f0288206..648633aae968c 100644
+--- a/fs/btrfs/tests/inode-tests.c
++++ b/fs/btrfs/tests/inode-tests.c
+@@ -232,6 +232,7 @@ static noinline int test_btrfs_get_extent(u32 sectorsize, u32 nodesize)
+ return ret;
+ }
+
++ inode->i_mode = S_IFREG;
+ BTRFS_I(inode)->location.type = BTRFS_INODE_ITEM_KEY;
+ BTRFS_I(inode)->location.objectid = BTRFS_FIRST_FREE_OBJECTID;
+ BTRFS_I(inode)->location.offset = 0;
+--
+2.25.1
+
--- /dev/null
+From dfcf3b61cec9325917d0ba4ee7a3797375136a28 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 Sep 2019 11:04:48 -0500
+Subject: crypto: ccp - Release all allocated memory if sha type is invalid
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 128c66429247add5128c03dc1e144ca56f05a4e2 ]
+
+Release all allocated memory if sha type is invalid:
+In ccp_run_sha_cmd, if the type of sha is invalid, the allocated
+hmac_buf should be released.
+
+v2: fix the goto.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Acked-by: Gary R Hook <gary.hook@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/crypto/ccp/ccp-ops.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c
+index 330853a2702f0..43b74cf0787e1 100644
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd)
+ LSB_ITEM_SIZE);
+ break;
+ default:
++ kfree(hmac_buf);
+ ret = -EINVAL;
+- goto e_ctx;
++ goto e_data;
+ }
+
+ memset(&hmac_cmd, 0, sizeof(hmac_cmd));
+--
+2.25.1
+
--- /dev/null
+From de824356ed66133a70577daf9c3b8fa99788339a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 Sep 2019 23:23:56 -0500
+Subject: drm/amd/display: prevent memory leak
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 104c307147ad379617472dd91a5bcb368d72bd6d ]
+
+In dcn*_create_resource_pool the allocated memory should be released if
+construct pool fails.
+
+Reviewed-by: Harry Wentland <harry.wentland@amd.com>
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c | 1 +
+ drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c | 1 +
+ drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c | 1 +
+ drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c | 1 +
+ drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c | 1 +
+ 5 files changed, 5 insertions(+)
+
+diff --git a/drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c b/drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c
+index 3f76e6019546f..5a2f29bd35082 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c
+@@ -1001,6 +1001,7 @@ struct resource_pool *dce100_create_resource_pool(
+ if (construct(num_virtual_links, dc, pool))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+diff --git a/drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c b/drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c
+index e5e9e92521e91..17d936c260d97 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c
+@@ -1344,6 +1344,7 @@ struct resource_pool *dce110_create_resource_pool(
+ if (construct(num_virtual_links, dc, pool, asic_id))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+diff --git a/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c b/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c
+index 288129343c778..71adab8bf31b1 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c
+@@ -1287,6 +1287,7 @@ struct resource_pool *dce112_create_resource_pool(
+ if (construct(num_virtual_links, dc, pool))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+diff --git a/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c b/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c
+index d43f37d99c7d9..f0f2ce6da8278 100644
+--- a/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c
+@@ -1076,6 +1076,7 @@ struct resource_pool *dce120_create_resource_pool(
+ if (construct(num_virtual_links, dc, pool))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
+index 6b44ed3697a4f..e6d5568811400 100644
+--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c
+@@ -1361,6 +1361,7 @@ struct resource_pool *dcn10_create_resource_pool(
+ if (construct(num_virtual_links, dc, pool))
+ return &pool->base;
+
++ kfree(pool);
+ BREAK_TO_DEBUGGER();
+ return NULL;
+ }
+--
+2.25.1
+
--- /dev/null
+From d8865bd6f6d01bfe5d4760e691122327c984f1a8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Oct 2019 22:46:07 -0500
+Subject: drm/amdgpu: fix multiple memory leaks in acp_hw_init
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 57be09c6e8747bf48704136d9e3f92bfb93f5725 ]
+
+In acp_hw_init there are some allocations that needs to be released in
+case of failure:
+
+1- adev->acp.acp_genpd should be released if any allocation attemp for
+adev->acp.acp_cell, adev->acp.acp_res or i2s_pdata fails.
+2- all of those allocations should be released if
+mfd_add_hotplug_devices or pm_genpd_add_device fail.
+3- Release is needed in case of time out values expire.
+
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c | 34 ++++++++++++++++---------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
+index 71efcf38f11be..94cd8a2610912 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c
+@@ -276,7 +276,7 @@ static int acp_hw_init(void *handle)
+ u32 val = 0;
+ u32 count = 0;
+ struct device *dev;
+- struct i2s_platform_data *i2s_pdata;
++ struct i2s_platform_data *i2s_pdata = NULL;
+
+ struct amdgpu_device *adev = (struct amdgpu_device *)handle;
+
+@@ -317,20 +317,21 @@ static int acp_hw_init(void *handle)
+ adev->acp.acp_cell = kcalloc(ACP_DEVS, sizeof(struct mfd_cell),
+ GFP_KERNEL);
+
+- if (adev->acp.acp_cell == NULL)
+- return -ENOMEM;
++ if (adev->acp.acp_cell == NULL) {
++ r = -ENOMEM;
++ goto failure;
++ }
+
+ adev->acp.acp_res = kcalloc(5, sizeof(struct resource), GFP_KERNEL);
+ if (adev->acp.acp_res == NULL) {
+- kfree(adev->acp.acp_cell);
+- return -ENOMEM;
++ r = -ENOMEM;
++ goto failure;
+ }
+
+ i2s_pdata = kcalloc(3, sizeof(struct i2s_platform_data), GFP_KERNEL);
+ if (i2s_pdata == NULL) {
+- kfree(adev->acp.acp_res);
+- kfree(adev->acp.acp_cell);
+- return -ENOMEM;
++ r = -ENOMEM;
++ goto failure;
+ }
+
+ switch (adev->asic_type) {
+@@ -427,7 +428,7 @@ static int acp_hw_init(void *handle)
+ r = mfd_add_hotplug_devices(adev->acp.parent, adev->acp.acp_cell,
+ ACP_DEVS);
+ if (r)
+- return r;
++ goto failure;
+
+ if (adev->asic_type != CHIP_STONEY) {
+ for (i = 0; i < ACP_DEVS ; i++) {
+@@ -435,7 +436,7 @@ static int acp_hw_init(void *handle)
+ r = pm_genpd_add_device(&adev->acp.acp_genpd->gpd, dev);
+ if (r) {
+ dev_err(dev, "Failed to add dev to genpd\n");
+- return r;
++ goto failure;
+ }
+ }
+ }
+@@ -454,7 +455,8 @@ static int acp_hw_init(void *handle)
+ break;
+ if (--count == 0) {
+ dev_err(&adev->pdev->dev, "Failed to reset ACP\n");
+- return -ETIMEDOUT;
++ r = -ETIMEDOUT;
++ goto failure;
+ }
+ udelay(100);
+ }
+@@ -471,7 +473,8 @@ static int acp_hw_init(void *handle)
+ break;
+ if (--count == 0) {
+ dev_err(&adev->pdev->dev, "Failed to reset ACP\n");
+- return -ETIMEDOUT;
++ r = -ETIMEDOUT;
++ goto failure;
+ }
+ udelay(100);
+ }
+@@ -480,6 +483,13 @@ static int acp_hw_init(void *handle)
+ val &= ~ACP_SOFT_RESET__SoftResetAud_MASK;
+ cgs_write_register(adev->acp.cgs_device, mmACP_SOFT_RESET, val);
+ return 0;
++
++failure:
++ kfree(i2s_pdata);
++ kfree(adev->acp.acp_res);
++ kfree(adev->acp.acp_cell);
++ kfree(adev->acp.acp_genpd);
++ return r;
+ }
+
+ /**
+--
+2.25.1
+
--- /dev/null
+From 418cc5175b544aa1b6221d8eaf362e0959ce38fa Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 19:14:12 -0400
+Subject: iio: imu: adis16400: fix memory leak
+
+[ Upstream commit 9c0530e898f384c5d279bfcebd8bb17af1105873 ]
+
+In adis_update_scan_mode_burst, if adis->buffer allocation fails release
+the adis->xfer.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/adis16400_buffer.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/iio/imu/adis16400_buffer.c b/drivers/iio/imu/adis16400_buffer.c
+index e70a5339acb19..3fc11aec98b95 100644
+--- a/drivers/iio/imu/adis16400_buffer.c
++++ b/drivers/iio/imu/adis16400_buffer.c
+@@ -38,8 +38,11 @@ int adis16400_update_scan_mode(struct iio_dev *indio_dev,
+ return -ENOMEM;
+
+ adis->buffer = kzalloc(burst_length + sizeof(u16), GFP_KERNEL);
+- if (!adis->buffer)
++ if (!adis->buffer) {
++ kfree(adis->xfer);
++ adis->xfer = NULL;
+ return -ENOMEM;
++ }
+
+ tx = adis->buffer + burst_length;
+ tx[0] = ADIS_READ_REG(ADIS16400_GLOB_CMD);
+--
+2.25.1
+
--- /dev/null
+From 12d5a440edc09b4c7f300f30992b521cfaba28b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Sep 2019 12:02:41 -0300
+Subject: media: rc: prevent memory leak in cx23888_ir_probe
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit a7b2df76b42bdd026e3106cf2ba97db41345a177 ]
+
+In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state
+should be released.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c
+index 00329f668b590..5177479d13d38 100644
+--- a/drivers/media/pci/cx23885/cx23888-ir.c
++++ b/drivers/media/pci/cx23885/cx23888-ir.c
+@@ -1178,8 +1178,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev)
+ return -ENOMEM;
+
+ spin_lock_init(&state->rx_kfifo_lock);
+- if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL))
++ if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE,
++ GFP_KERNEL)) {
++ kfree(state);
+ return -ENOMEM;
++ }
+
+ state->dev = dev;
+ sd = &state->sd;
+--
+2.25.1
+
--- /dev/null
+From f5079e99b18fd55638e08573e796c91a5ecb5e0a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 15 Apr 2019 17:15:06 +0800
+Subject: sctp: implement memory accounting on tx path
+
+From: Xin Long <lucien.xin@gmail.com>
+
+[ Upstream commit 1033990ac5b2ab6cee93734cb6d301aa3a35bcaa ]
+
+Now when sending packets, sk_mem_charge() and sk_mem_uncharge() have been
+used to set sk_forward_alloc. We just need to call sk_wmem_schedule() to
+check if the allocated should be raised, and call sk_mem_reclaim() to
+check if the allocated should be reduced when it's under memory pressure.
+
+If sk_wmem_schedule() returns false, which means no memory is allowed to
+allocate, it will block and wait for memory to become available.
+
+Note different from tcp, sctp wait_for_buf happens before allocating any
+skb, so memory accounting check is done with the whole msg_len before it
+too.
+
+Reported-by: Matteo Croce <mcroce@redhat.com>
+Tested-by: Matteo Croce <mcroce@redhat.com>
+Acked-by: Neil Horman <nhorman@tuxdriver.com>
+Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/sctp/socket.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/net/sctp/socket.c b/net/sctp/socket.c
+index c93be3ba5df29..df4a7d7c5ec04 100644
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -1931,7 +1931,10 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
+ if (sctp_wspace(asoc) < (int)msg_len)
+ sctp_prsctp_prune(asoc, sinfo, msg_len - sctp_wspace(asoc));
+
+- if (sctp_wspace(asoc) <= 0) {
++ if (sk_under_memory_pressure(sk))
++ sk_mem_reclaim(sk);
++
++ if (sctp_wspace(asoc) <= 0 || !sk_wmem_schedule(sk, msg_len)) {
+ timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
+ err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
+ if (err)
+@@ -8515,7 +8518,10 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
+ goto do_error;
+ if (signal_pending(current))
+ goto do_interrupted;
+- if ((int)msg_len <= sctp_wspace(asoc))
++ if (sk_under_memory_pressure(sk))
++ sk_mem_reclaim(sk);
++ if ((int)msg_len <= sctp_wspace(asoc) &&
++ sk_wmem_schedule(sk, msg_len))
+ break;
+
+ /* Let another process have a go. Since we are going
+--
+2.25.1
+
--- /dev/null
+crypto-ccp-release-all-allocated-memory-if-sha-type-.patch
+media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch
+iio-imu-adis16400-fix-memory-leak.patch
+drm-amdgpu-fix-multiple-memory-leaks-in-acp_hw_init.patch
+tracing-have-error-path-in-predicate_parse-free-its-.patch
+ath9k_htc-release-allocated-buffer-if-timed-out.patch
+ath9k-release-allocated-buffer-if-timed-out.patch
+drm-amd-display-prevent-memory-leak.patch
+btrfs-inode-verify-inode-mode-to-avoid-null-pointer-.patch
+sctp-implement-memory-accounting-on-tx-path.patch
+btrfs-fix-selftests-failure-due-to-uninitialized-i_m.patch
--- /dev/null
+From 15d09aec508088201071bd25a60a65a1eec65ae5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 20 Sep 2019 17:57:59 -0500
+Subject: tracing: Have error path in predicate_parse() free its allocated
+ memory
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+[ Upstream commit 96c5c6e6a5b6db592acae039fed54b5c8844cd35 ]
+
+In predicate_parse, there is an error path that is not going to
+out_free instead it returns directly which leads to a memory leak.
+
+Link: http://lkml.kernel.org/r/20190920225800.3870-1-navid.emamdoost@gmail.com
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/trace/trace_events_filter.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c
+index b949c3917c679..9be3d1d1fcb47 100644
+--- a/kernel/trace/trace_events_filter.c
++++ b/kernel/trace/trace_events_filter.c
+@@ -451,8 +451,10 @@ predicate_parse(const char *str, int nr_parens, int nr_preds,
+
+ switch (*next) {
+ case '(': /* #2 */
+- if (top - op_stack > nr_parens)
+- return ERR_PTR(-EINVAL);
++ if (top - op_stack > nr_parens) {
++ ret = -EINVAL;
++ goto out_free;
++ }
+ *(++top) = invert;
+ continue;
+ case '!': /* #3 */
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
