Fixes for 5.4
authorSasha Levin <sashal@kernel.org>
Fri, 7 Aug 2020 20:10:51 +0000 (16:10 -0400)
committerSasha Levin <sashal@kernel.org>
Fri, 7 Aug 2020 20:10:51 +0000 (16:10 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
17 files changed:
queue-5.4/alsa-hda-fix-null-pointer-dereference-during-suspend.patch [new file with mode: 0644]
queue-5.4/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch [new file with mode: 0644]
queue-5.4/cfg80211-check-vendor-command-doit-pointer-before-us.patch [new file with mode: 0644]
queue-5.4/drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch [new file with mode: 0644]
queue-5.4/drm-drm_fb_helper-fix-fbdev-with-sparc64.patch [new file with mode: 0644]
queue-5.4/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch [new file with mode: 0644]
queue-5.4/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch [new file with mode: 0644]
queue-5.4/firmware-fix-a-reference-count-leak.patch [new file with mode: 0644]
queue-5.4/i2c-slave-add-sanity-check-when-unregistering.patch [new file with mode: 0644]
queue-5.4/i2c-slave-improve-sanity-check-when-registering.patch [new file with mode: 0644]
queue-5.4/igb-reinit_locked-should-be-called-with-rtnl_lock.patch [new file with mode: 0644]
queue-5.4/net-9p-validate-fds-in-p9_fd_open.patch [new file with mode: 0644]
queue-5.4/net-ethernet-mtk_eth_soc-always-call-mtk_gmac0_rgmii.patch [new file with mode: 0644]
queue-5.4/nvme-pci-prevent-sk-hynix-pc400-from-using-write-zer.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch [new file with mode: 0644]
queue-5.4/usb-hso-check-for-return-value-in-hso_serial_common_.patch [new file with mode: 0644]

diff --git a/queue-5.4/alsa-hda-fix-null-pointer-dereference-during-suspend.patch b/queue-5.4/alsa-hda-fix-null-pointer-dereference-during-suspend.patch
new file mode 100644 (file)
index 0000000..9b55da6
--- /dev/null
@@ -0,0 +1,54 @@
+From f7c9e6d1ef564791c92b7b01cd948c4c89914b40 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 28 Jul 2020 16:10:11 -0700
+Subject: ALSA: hda: fix NULL pointer dereference during suspend
+
+From: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+
+[ Upstream commit 7fcd9bb5acd01250bcae1ecc0cb8b8d4bb5b7e63 ]
+
+When the ASoC card registration fails and the codec component driver
+never probes, the codec device is not initialized and therefore
+memory for codec->wcaps is not allocated. This results in a NULL pointer
+dereference when the codec driver suspend callback is invoked during
+system suspend. Fix this by returning without performing any actions
+during codec suspend/resume if the card was not registered successfully.
+
+Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com>
+Link: https://lore.kernel.org/r/20200728231011.1454066-1-ranjani.sridharan@linux.intel.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/pci/hda/hda_codec.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c
+index 07c03c32715a9..801abf0fc98b3 100644
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -2924,6 +2924,10 @@ static int hda_codec_runtime_suspend(struct device *dev)
+       struct hda_codec *codec = dev_to_hda_codec(dev);
+       unsigned int state;
++      /* Nothing to do if card registration fails and the component driver never probes */
++      if (!codec->card)
++              return 0;
++
+       cancel_delayed_work_sync(&codec->jackpoll_work);
+       state = hda_call_codec_suspend(codec);
+       if (codec->link_down_at_suspend ||
+@@ -2938,6 +2942,10 @@ static int hda_codec_runtime_resume(struct device *dev)
+ {
+       struct hda_codec *codec = dev_to_hda_codec(dev);
++      /* Nothing to do if card registration fails and the component driver never probes */
++      if (!codec->card)
++              return 0;
++
+       codec_display_power(codec, true);
+       snd_hdac_codec_link_up(&codec->core);
+       hda_call_codec_resume(codec);
+-- 
+2.25.1
+
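Review bot: The early return added before `cancel_delayed_work_sync(&codec->jackpoll_work)` in hda_codec_runtime_suspend means the jack-poll work is no longer cancelled for a codec without a card, so the fix implicitly relies on that work never having been scheduled while `codec->card` is NULL; that invariant is not visible in the hunk and deserves a sentence in the comment, e.g. `/* No card: the component never probed, so no jackpoll work or link state exists to tear down */`. The same comment is duplicated verbatim in hda_codec_runtime_resume, where the guard skips the display-power and link-up calls; one shared wording that names the invariant would serve both. Both functions continue past their hunks.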
diff --git a/queue-5.4/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch b/queue-5.4/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch
new file mode 100644 (file)
index 0000000..ccb7985
--- /dev/null
@@ -0,0 +1,54 @@
+From 6769c4bf2baefc65ffac091c88fb4c2daaca2714 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 21:06:59 +0800
+Subject: atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
+
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+
+[ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ]
+
+atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
+reference of atm_dev with increased refcount or NULL if fails.
+
+The refcount leaks issues occur in two error handling paths. If
+dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
+returns 0 without decreasing the refcount kept by a local variable,
+resulting in refcount leaks.
+
+Fix the issue by adding atm_dev_put() before returning 0 both when
+dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.
+
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/atmtcp.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
+index d9fd70280482c..7f814da3c2d06 100644
+--- a/drivers/atm/atmtcp.c
++++ b/drivers/atm/atmtcp.c
+@@ -433,9 +433,15 @@ static int atmtcp_remove_persistent(int itf)
+               return -EMEDIUMTYPE;
+       }
+       dev_data = PRIV(dev);
+-      if (!dev_data->persist) return 0;
++      if (!dev_data->persist) {
++              atm_dev_put(dev);
++              return 0;
++      }
+       dev_data->persist = 0;
+-      if (PRIV(dev)->vcc) return 0;
++      if (PRIV(dev)->vcc) {
++              atm_dev_put(dev);
++              return 0;
++      }
+       kfree(dev_data);
+       atm_dev_put(dev);
+       atm_dev_deregister(dev);
+-- 
+2.25.1
+
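Review bot: The reference from atm_dev_lookup() is now dropped at three separate exits of atmtcp_remove_persistent (the two new blocks plus the existing teardown path before `atm_dev_deregister(dev)`), which is the pattern that let the original leak slip in; a single `out_put:` label reached by `goto` from both early exits would keep the `atm_dev_put(dev)` in one place. The function's tail after `atm_dev_deregister(dev)` is outside the hunk, so I cannot tell whether a shared exit already exists there. The `PRIV(dev)->vcc` path also returns after `dev_data->persist` has already been cleared; if that ordering is intended, a comment such as `/* persist already cleared; an open vcc keeps the device until it closes */` would make it explicit.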
diff --git a/queue-5.4/cfg80211-check-vendor-command-doit-pointer-before-us.patch b/queue-5.4/cfg80211-check-vendor-command-doit-pointer-before-us.patch
new file mode 100644 (file)
index 0000000..bf9d0e7
--- /dev/null
@@ -0,0 +1,50 @@
+From 73d9409f952e2e90014512482319664837eee000 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 17:13:53 -0400
+Subject: cfg80211: check vendor command doit pointer before use
+
+From: Julian Squires <julian@cipht.net>
+
+[ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ]
+
+In the case where a vendor command does not implement doit, and has no
+flags set, doit would not be validated and a NULL pointer dereference
+would occur, for example when invoking the vendor command via iw.
+
+I encountered this while developing new vendor commands.  Perhaps in
+practice it is advisable to always implement doit along with dumpit,
+but it seems reasonable to me to always check doit anyway, not just
+when NEED_WDEV.
+
+Signed-off-by: Julian Squires <julian@cipht.net>
+Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index a34bbca80f498..ec559dbad56ea 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -12949,13 +12949,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
+                               if (!wdev_running(wdev))
+                                       return -ENETDOWN;
+                       }
+-
+-                      if (!vcmd->doit)
+-                              return -EOPNOTSUPP;
+               } else {
+                       wdev = NULL;
+               }
++              if (!vcmd->doit)
++                      return -EOPNOTSUPP;
++
+               if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
+                       data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
+                       len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
+-- 
+2.25.1
+
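Review bot: The relocated `if (!vcmd->doit)` check after the `wdev = NULL` branch carries no comment, and a reader of the NEED_WDEV block above no longer sees why a command can reach this point with a NULL doit; a one-line comment such as `/* doit may be absent on dumpit-only commands, whatever the flags say */` captures the reasoning from the commit message at the place it matters. The enclosing nl80211_vendor_cmd starts and ends outside the hunk.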
diff --git a/queue-5.4/drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch b/queue-5.4/drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch
new file mode 100644 (file)
index 0000000..c03f1ee
--- /dev/null
@@ -0,0 +1,109 @@
+From 9ced8e363be797f93c8e9501cb4964ad887b58c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jan 2020 15:29:22 -0800
+Subject: Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit ddc9d357b991838c2d975e8d7e4e9db26f37a7ff ]
+
+When a Linux hv_sock app tries to connect to a Service GUID on which no
+host app is listening, a recent host (RS3+) sends a
+CHANNELMSG_TL_CONNECT_RESULT (23) message to Linux and this triggers such
+a warning:
+
+unknown msgtype=23
+WARNING: CPU: 2 PID: 0 at drivers/hv/vmbus_drv.c:1031 vmbus_on_msg_dpc
+
+Actually Linux can safely ignore the message because the Linux app's
+connect() will time out in 2 seconds: see VSOCK_DEFAULT_CONNECT_TIMEOUT
+and vsock_stream_connect(). We don't bother to make use of the message
+because: 1) it's only supported on recent hosts; 2) a non-trivial effort
+is required to use the message in Linux, but the benefit is small.
+
+So, let's not see the warning by silently ignoring the message.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/channel_mgmt.c | 21 +++++++--------------
+ drivers/hv/vmbus_drv.c    |  4 ++++
+ include/linux/hyperv.h    |  2 ++
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+index c8296d5e74c32..501c43c5851dc 100644
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -1354,6 +1354,8 @@ channel_message_table[CHANNELMSG_COUNT] = {
+       { CHANNELMSG_19,                        0, NULL },
+       { CHANNELMSG_20,                        0, NULL },
+       { CHANNELMSG_TL_CONNECT_REQUEST,        0, NULL },
++      { CHANNELMSG_22,                        0, NULL },
++      { CHANNELMSG_TL_CONNECT_RESULT,         0, NULL },
+ };
+ /*
+@@ -1365,25 +1367,16 @@ void vmbus_onmessage(void *context)
+ {
+       struct hv_message *msg = context;
+       struct vmbus_channel_message_header *hdr;
+-      int size;
+       hdr = (struct vmbus_channel_message_header *)msg->u.payload;
+-      size = msg->header.payload_size;
+       trace_vmbus_on_message(hdr);
+-      if (hdr->msgtype >= CHANNELMSG_COUNT) {
+-              pr_err("Received invalid channel message type %d size %d\n",
+-                         hdr->msgtype, size);
+-              print_hex_dump_bytes("", DUMP_PREFIX_NONE,
+-                                   (unsigned char *)msg->u.payload, size);
+-              return;
+-      }
+-
+-      if (channel_message_table[hdr->msgtype].message_handler)
+-              channel_message_table[hdr->msgtype].message_handler(hdr);
+-      else
+-              pr_err("Unhandled channel message type %d\n", hdr->msgtype);
++      /*
++       * vmbus_on_msg_dpc() makes sure the hdr->msgtype here can not go
++       * out of bound and the message_handler pointer can not be NULL.
++       */
++      channel_message_table[hdr->msgtype].message_handler(hdr);
+ }
+ /*
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index 160ff640485be..24c38e44ed3bc 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -1073,6 +1073,10 @@ void vmbus_on_msg_dpc(unsigned long data)
+       }
+       entry = &channel_message_table[hdr->msgtype];
++
++      if (!entry->message_handler)
++              goto msg_handled;
++
+       if (entry->handler_type == VMHT_BLOCKING) {
+               ctx = kmalloc(sizeof(*ctx), GFP_ATOMIC);
+               if (ctx == NULL)
+diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
+index b4a017093b697..67d9b5a374600 100644
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -423,6 +423,8 @@ enum vmbus_channel_message_type {
+       CHANNELMSG_19                           = 19,
+       CHANNELMSG_20                           = 20,
+       CHANNELMSG_TL_CONNECT_REQUEST           = 21,
++      CHANNELMSG_22                           = 22,
++      CHANNELMSG_TL_CONNECT_RESULT            = 23,
+       CHANNELMSG_COUNT
+ };
+-- 
+2.25.1
+
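Review bot: vmbus_onmessage now indexes `channel_message_table[hdr->msgtype]` and calls the handler with no check of its own, and its new comment says vmbus_on_msg_dpc guarantees both the bound and a non-NULL handler, but only the `!entry->message_handler` test is visible in the vmbus_drv.c hunk; the `hdr->msgtype >= CHANNELMSG_COUNT` check is presumably above it. Because msgtype comes out of a host-supplied message, a cheap guard in vmbus_onmessage documents the contract at the point of use, e.g. `if (WARN_ON_ONCE(hdr->msgtype >= CHANNELMSG_COUNT || !channel_message_table[hdr->msgtype].message_handler)) return;`. The silent `goto msg_handled` for NULL handlers also drops the former `pr_err("Unhandled channel message type ...")` for every table entry with a NULL handler, not only type 23; a `pr_debug` or the existing tracepoint there would keep that visibility. vmbus_on_msg_dpc starts and ends outside its hunk.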
diff --git a/queue-5.4/drm-drm_fb_helper-fix-fbdev-with-sparc64.patch b/queue-5.4/drm-drm_fb_helper-fix-fbdev-with-sparc64.patch
new file mode 100644 (file)
index 0000000..9bc42fe
--- /dev/null
@@ -0,0 +1,115 @@
+From c4ac9dc2a5e72dedec7e4e03d4de242ce9c5b79d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jul 2020 21:30:16 +0200
+Subject: drm/drm_fb_helper: fix fbdev with sparc64
+
+From: Sam Ravnborg <sam@ravnborg.org>
+
+[ Upstream commit 2a1658bf922ffd9b7907e270a7d9cdc9643fc45d ]
+
+Recent kernels have been reported to panic using the bochs_drm
+framebuffer under qemu-system-sparc64 which was bisected to
+commit 7a0483ac4ffc ("drm/bochs: switch to generic drm fbdev emulation").
+
+The backtrace indicates that the shadow framebuffer copy in
+drm_fb_helper_dirty_blit_real() is trying to access the real
+framebuffer using a virtual address rather than use an IO access
+typically implemented using a physical (ASI_PHYS) access on SPARC.
+
+The fix is to replace the memcpy with memcpy_toio() from io.h.
+
+memcpy_toio() uses writeb() where the original fbdev code
+used sbus_memcpy_toio(). The latter uses sbus_writeb().
+
+The difference between writeb() and sbus_memcpy_toio() is
+that writeb() writes bytes in little-endian, where sbus_writeb() writes
+bytes in big-endian. As endian does not matter for byte writes they are
+the same. So we can safely use memcpy_toio() here.
+
+Note that this only fixes bochs, in general fbdev helpers still have
+issues with mixing up system memory and __iomem space. Fixing that will
+require a lot more work.
+
+v3:
+  - Improved changelog (Daniel)
+  - Added FIXME to fbdev_use_iomem (Daniel)
+
+v2:
+  - Added missing __iomem cast (kernel test robot)
+  - Made changelog readable and fix typos (Mark)
+  - Add flag to select iomem - and set it in the bochs driver
+
+Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
+Reported-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reported-by: kernel test robot <lkp@intel.com>
+Tested-by: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Mark Cave-Ayland <mark.cave-ayland@ilande.co.uk>
+Cc: Thomas Zimmermann <tzimmermann@suse.de>
+Cc: Gerd Hoffmann <kraxel@redhat.com>
+Cc: "David S. Miller" <davem@davemloft.net>
+Cc: sparclinux@vger.kernel.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20200709193016.291267-1-sam@ravnborg.org
+Link: https://patchwork.freedesktop.org/patch/msgid/20200725191012.GA434957@ravnborg.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/bochs/bochs_kms.c |  1 +
+ drivers/gpu/drm/drm_fb_helper.c   |  6 +++++-
+ include/drm/drm_mode_config.h     | 12 ++++++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/bochs/bochs_kms.c b/drivers/gpu/drm/bochs/bochs_kms.c
+index 02a9c1ed165bb..fa50ab2523d4b 100644
+--- a/drivers/gpu/drm/bochs/bochs_kms.c
++++ b/drivers/gpu/drm/bochs/bochs_kms.c
+@@ -194,6 +194,7 @@ int bochs_kms_init(struct bochs_device *bochs)
+       bochs->dev->mode_config.preferred_depth = 24;
+       bochs->dev->mode_config.prefer_shadow = 0;
+       bochs->dev->mode_config.prefer_shadow_fbdev = 1;
++      bochs->dev->mode_config.fbdev_use_iomem = true;
+       bochs->dev->mode_config.quirk_addfb_prefer_host_byte_order = true;
+       bochs->dev->mode_config.funcs = &bochs_mode_funcs;
+diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
+index 8d193a58363d4..6b8502bcf0fd3 100644
+--- a/drivers/gpu/drm/drm_fb_helper.c
++++ b/drivers/gpu/drm/drm_fb_helper.c
+@@ -390,7 +390,11 @@ static void drm_fb_helper_dirty_blit_real(struct drm_fb_helper *fb_helper,
+       unsigned int y;
+       for (y = clip->y1; y < clip->y2; y++) {
+-              memcpy(dst, src, len);
++              if (!fb_helper->dev->mode_config.fbdev_use_iomem)
++                      memcpy(dst, src, len);
++              else
++                      memcpy_toio((void __iomem *)dst, src, len);
++
+               src += fb->pitches[0];
+               dst += fb->pitches[0];
+       }
+diff --git a/include/drm/drm_mode_config.h b/include/drm/drm_mode_config.h
+index 3bcbe30339f04..198b9d0600081 100644
+--- a/include/drm/drm_mode_config.h
++++ b/include/drm/drm_mode_config.h
+@@ -865,6 +865,18 @@ struct drm_mode_config {
+        */
+       bool prefer_shadow_fbdev;
++      /**
++       * @fbdev_use_iomem:
++       *
++       * Set to true if framebuffer reside in iomem.
++       * When set to true memcpy_toio() is used when copying the framebuffer in
++       * drm_fb_helper.drm_fb_helper_dirty_blit_real().
++       *
++       * FIXME: This should be replaced with a per-mapping is_iomem
++       * flag (like ttm does), and then used everywhere in fbdev code.
++       */
++      bool fbdev_use_iomem;
++
+       /**
+        * @quirk_addfb_prefer_xbgr_30bpp:
+        *
+-- 
+2.25.1
+
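Review bot: The new `fbdev_use_iomem` kerneldoc reads `Set to true if framebuffer reside in iomem.` and cites `drm_fb_helper.drm_fb_helper_dirty_blit_real()`, which is not a valid kerneldoc reference; I would write `Set to true if the framebuffer resides in iomem. When set, drm_fb_helper_dirty_blit_real() uses memcpy_toio() for the shadow copy.` and keep the FIXME as is. In drm_fb_helper_dirty_blit_real() the flag is re-tested on every row of the clip loop although it presumably cannot change mid-blit; hoisting `bool use_iomem = fb_helper->dev->mode_config.fbdev_use_iomem;` above the `for` reads more clearly, even if the compiler does it anyway. That function starts outside the hunk.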
diff --git a/queue-5.4/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch b/queue-5.4/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch
new file mode 100644 (file)
index 0000000..9567d37
--- /dev/null
@@ -0,0 +1,33 @@
+From b3370adc6de57eb7a75c63fa2816c3cf919590cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 17:01:39 +1000
+Subject: drm/nouveau/fbcon: fix module unload when fbcon init has failed for
+ some reason
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 498595abf5bd51f0ae074cec565d888778ea558f ]
+
+Stale pointer was tripping up the unload path.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+index f439f0a5b43a5..141cc89981240 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+@@ -592,6 +592,7 @@ fini:
+       drm_fb_helper_fini(&fbcon->helper);
+ free:
+       kfree(fbcon);
++      drm->fbcon = NULL;
+       return ret;
+ }
+-- 
+2.25.1
+
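Review bot: The `drm->fbcon = NULL;` added after `kfree(fbcon)` covers the `fini:` and `free:` paths, but nothing in the hunk shows where `drm->fbcon` was assigned, so I cannot tell whether an earlier failure between that assignment and these labels still leaves the stale pointer. A comment such as `/* drm->fbcon was published before init completed; clear it so the unload path does not touch freed memory */` would record why the reset belongs at this label. The enclosing function starts outside the hunk.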
diff --git a/queue-5.4/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch b/queue-5.4/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch
new file mode 100644 (file)
index 0000000..f12f42c
--- /dev/null
@@ -0,0 +1,33 @@
+From aa2393e51a6f04999153a8756d7712d921c91907 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 17:02:48 +1000
+Subject: drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 15fbc3b938534cc8eaac584a7b0c1183fc968b86 ]
+
+This is tripping up the format modifier patches.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+index 141cc89981240..5cf2381f667e2 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+@@ -315,7 +315,7 @@ nouveau_fbcon_create(struct drm_fb_helper *helper,
+       struct nouveau_framebuffer *fb;
+       struct nouveau_channel *chan;
+       struct nouveau_bo *nvbo;
+-      struct drm_mode_fb_cmd2 mode_cmd;
++      struct drm_mode_fb_cmd2 mode_cmd = {};
+       int ret;
+       mode_cmd.width = sizes->surface_width;
+-- 
+2.25.1
+
diff --git a/queue-5.4/firmware-fix-a-reference-count-leak.patch b/queue-5.4/firmware-fix-a-reference-count-leak.patch
new file mode 100644 (file)
index 0000000..b778c92
--- /dev/null
@@ -0,0 +1,51 @@
+From fb80a10a18384c444def22ceee8264d080697afb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jun 2020 14:05:33 -0500
+Subject: firmware: Fix a reference count leak.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit fe3c60684377d5ad9b0569b87ed3e26e12c8173b ]
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object.
+Callback function fw_cfg_sysfs_release_entry() in kobject_put()
+can handle the pointer "entry" properly.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Link: https://lore.kernel.org/r/20200613190533.15712-1-wu000273@umn.edu
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/qemu_fw_cfg.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c
+index 039e0f91dba8f..6945c3c966375 100644
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -605,8 +605,10 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f)
+       /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+       err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
+                                  fw_cfg_sel_ko, "%d", entry->select);
+-      if (err)
+-              goto err_register;
++      if (err) {
++              kobject_put(&entry->kobj);
++              return err;
++      }
+       /* add raw binary content access */
+       err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw);
+@@ -622,7 +624,6 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f)
+ err_add_raw:
+       kobject_del(&entry->kobj);
+-err_register:
+       kfree(entry);
+       return err;
+ }
+-- 
+2.25.1
+
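Review bot: The new early `return err` after `kobject_put(&entry->kobj)` relies on the ktype release callback freeing `entry`, which the hunk does not show; without a comment the next reader is likely to "fix" the apparent leak by adding `kfree(entry)` and create a double free. I would write `/* kobject_put() releases entry via fw_cfg_sysfs_release_entry(); do not kfree() it here */` above the return. The function is now left with one direct return for this failure and the `err_add_raw:` goto ladder for the later one, which is acceptable but worth a glance for consistency. fw_cfg_register_file starts outside the hunk.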
diff --git a/queue-5.4/i2c-slave-add-sanity-check-when-unregistering.patch b/queue-5.4/i2c-slave-add-sanity-check-when-unregistering.patch
new file mode 100644 (file)
index 0000000..90b5b8e
--- /dev/null
@@ -0,0 +1,34 @@
+From 95deb412264509e2205bdc9a7e9be06581866f48 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 21:50:53 +0200
+Subject: i2c: slave: add sanity check when unregistering
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 8808981baf96e1b3dea1f08461e4d958aa0dbde1 ]
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Alain Volmat <alain.volmat@st.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-slave.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c
+index 549751347e6c7..1589179d5eb92 100644
+--- a/drivers/i2c/i2c-core-slave.c
++++ b/drivers/i2c/i2c-core-slave.c
+@@ -58,6 +58,9 @@ int i2c_slave_unregister(struct i2c_client *client)
+ {
+       int ret;
++      if (IS_ERR_OR_NULL(client))
++              return -EINVAL;
++
+       if (!client->adapter->algo->unreg_slave) {
+               dev_err(&client->dev, "%s: not supported by adapter\n", __func__);
+               return -EOPNOTSUPP;
+-- 
+2.25.1
+
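Review bot: The new `IS_ERR_OR_NULL(client)` check in i2c_slave_unregister returns -EINVAL silently, while the companion patch queue-5.4/i2c-slave-improve-sanity-check-when-registering.patch routes the same condition in i2c_slave_register through `WARN(...)`; a bad pointer on unregister is just as much a caller bug, so the two paths should agree, either `if (WARN(IS_ERR_OR_NULL(client), "insufficient data\n")) return -EINVAL;` here or a plain check in both. i2c_slave_unregister continues past the hunk.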
diff --git a/queue-5.4/i2c-slave-improve-sanity-check-when-registering.patch b/queue-5.4/i2c-slave-improve-sanity-check-when-registering.patch
new file mode 100644 (file)
index 0000000..56921fa
--- /dev/null
@@ -0,0 +1,38 @@
+From 7cbe6793fa74ce64a4edfda4872eea97751baae4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 21:50:52 +0200
+Subject: i2c: slave: improve sanity check when registering
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 1b1be3bf27b62f5abcf85c6f3214bdb9c7526685 ]
+
+Add check for ERR_PTR and simplify code while here.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Alain Volmat <alain.volmat@st.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-slave.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c
+index 5427f047faf06..549751347e6c7 100644
+--- a/drivers/i2c/i2c-core-slave.c
++++ b/drivers/i2c/i2c-core-slave.c
+@@ -18,10 +18,8 @@ int i2c_slave_register(struct i2c_client *client, i2c_slave_cb_t slave_cb)
+ {
+       int ret;
+-      if (!client || !slave_cb) {
+-              WARN(1, "insufficient data\n");
++      if (WARN(IS_ERR_OR_NULL(client) || !slave_cb, "insufficient data\n"))
+               return -EINVAL;
+-      }
+       if (!(client->flags & I2C_CLIENT_SLAVE))
+               dev_warn(&client->dev, "%s: client slave flag not set. You might see address collisions\n",
+-- 
+2.25.1
+
diff --git a/queue-5.4/igb-reinit_locked-should-be-called-with-rtnl_lock.patch b/queue-5.4/igb-reinit_locked-should-be-called-with-rtnl_lock.patch
new file mode 100644 (file)
index 0000000..aadb717
--- /dev/null
@@ -0,0 +1,92 @@
+From dec53af2d822262fd11878e0639d407141eda5fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jul 2020 15:39:06 -0700
+Subject: igb: reinit_locked() should be called with rtnl_lock
+
+From: Francesco Ruggeri <fruggeri@arista.com>
+
+[ Upstream commit 024a8168b749db7a4aa40a5fbdfa04bf7e77c1c0 ]
+
+We observed two panics involving races with igb_reset_task.
+The first panic is caused by this race condition:
+
+       kworker                 reboot -f
+
+       igb_reset_task
+       igb_reinit_locked
+       igb_down
+       napi_synchronize
+                               __igb_shutdown
+                               igb_clear_interrupt_scheme
+                               igb_free_q_vectors
+                               igb_free_q_vector
+                               adapter->q_vector[v_idx] = NULL;
+       napi_disable
+       Panics trying to access
+       adapter->q_vector[v_idx].napi_state
+
+The second panic (a divide error) is caused by this race:
+
+kworker                reboot -f       tx packet
+
+igb_reset_task
+               __igb_shutdown
+               rtnl_lock()
+               ...
+               igb_clear_interrupt_scheme
+               igb_free_q_vectors
+               adapter->num_tx_queues = 0
+               ...
+               rtnl_unlock()
+rtnl_lock()
+igb_reinit_locked
+igb_down
+igb_up
+netif_tx_start_all_queues
+                               dev_hard_start_xmit
+                               igb_xmit_frame
+                               igb_tx_queue_mapping
+                               Panics on
+                               r_idx % adapter->num_tx_queues
+
+This commit applies to igb_reset_task the same changes that
+were applied to ixgbe in commit 2f90b8657ec9 ("ixgbe: this patch
+adds support for DCB to the kernel and ixgbe driver"),
+commit 8f4c5c9fb87a ("ixgbe: reinit_locked() should be called with
+rtnl_lock") and commit 88adce4ea8f9 ("ixgbe: fix possible race in
+reset subtask").
+
+Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index ed7e667d7eb29..3e41b20ed8eb5 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6194,9 +6194,18 @@ static void igb_reset_task(struct work_struct *work)
+       struct igb_adapter *adapter;
+       adapter = container_of(work, struct igb_adapter, reset_task);
++      rtnl_lock();
++      /* If we're already down or resetting, just bail */
++      if (test_bit(__IGB_DOWN, &adapter->state) ||
++          test_bit(__IGB_RESETTING, &adapter->state)) {
++              rtnl_unlock();
++              return;
++      }
++
+       igb_dump(adapter);
+       netdev_err(adapter->netdev, "Reset adapter\n");
+       igb_reinit_locked(adapter);
++      rtnl_unlock();
+ }
+ /**
+-- 
+2.25.1
+
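Review bot: The new `rtnl_lock()` in igb_reset_task has no comment saying what it serializes against, and the bail-out on `__IGB_DOWN`/`__IGB_RESETTING` only says "just bail"; the races in the commit message (`__igb_shutdown` freeing the q_vectors and zeroing `num_tx_queues`) are exactly what a maintainer needs before moving this lock later. I would write `/* rtnl serializes against __igb_shutdown() tearing down q_vectors and queue counts; if already down or mid-reset there is nothing left to reset */`. Whether igb_reinit_locked() itself tolerates `__IGB_RESETTING` being set concurrently under rtnl is not visible in this hunk.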
diff --git a/queue-5.4/net-9p-validate-fds-in-p9_fd_open.patch b/queue-5.4/net-9p-validate-fds-in-p9_fd_open.patch
new file mode 100644 (file)
index 0000000..4674615
--- /dev/null
@@ -0,0 +1,70 @@
+From 4227a047d086a85239709ccb3a741aaa913f433e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 10:57:22 +0200
+Subject: net/9p: validate fds in p9_fd_open
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ]
+
+p9_fd_open just fgets file descriptors passed in from userspace, but
+doesn't verify that they are valid for read or writing.  This gets
+cought down in the VFS when actually attempting a read or write, but
+a new warning added in linux-next upsets syzcaller.
+
+Fix this by just verifying the fds early on.
+
+Link: http://lkml.kernel.org/r/20200710085722.435850-1-hch@lst.de
+Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+[Dominique: amend goto as per Doug Nazar's review]
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 3f67803123be2..12ecacf0c55fb 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -816,20 +816,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd)
+               return -ENOMEM;
+       ts->rd = fget(rfd);
++      if (!ts->rd)
++              goto out_free_ts;
++      if (!(ts->rd->f_mode & FMODE_READ))
++              goto out_put_rd;
+       ts->wr = fget(wfd);
+-      if (!ts->rd || !ts->wr) {
+-              if (ts->rd)
+-                      fput(ts->rd);
+-              if (ts->wr)
+-                      fput(ts->wr);
+-              kfree(ts);
+-              return -EIO;
+-      }
++      if (!ts->wr)
++              goto out_put_rd;
++      if (!(ts->wr->f_mode & FMODE_WRITE))
++              goto out_put_wr;
+       client->trans = ts;
+       client->status = Connected;
+       return 0;
++
++out_put_wr:
++      fput(ts->wr);
++out_put_rd:
++      fput(ts->rd);
++out_free_ts:
++      kfree(ts);
++      return -EIO;
+ }
+ static int p9_socket_open(struct p9_client *client, struct socket *csocket)
+-- 
+2.25.1
+
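Review bot: All four new failure paths in p9_fd_open funnel into `return -EIO`, so a caller passing a closed fd and one passing a read-only fd as wfd get the same error; keeping -EIO preserves the previous behaviour for the NULL case, but a comment at `out_free_ts:` such as `/* -EIO for every fd problem keeps the historical error code */` would record that the uniform code is deliberate rather than an oversight. The `f_mode` checks are the right place to validate what userspace handed in, before the descriptors are published through `client->trans`. p9_fd_open starts outside the hunk.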
diff --git a/queue-5.4/net-ethernet-mtk_eth_soc-always-call-mtk_gmac0_rgmii.patch b/queue-5.4/net-ethernet-mtk_eth_soc-always-call-mtk_gmac0_rgmii.patch
new file mode 100644 (file)
index 0000000..2e817b7
--- /dev/null
@@ -0,0 +1,69 @@
+From 6fb662633a67fbb0800b5b17b2e2885ea8864273 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 23 Jul 2020 20:07:10 +0100
+Subject: net: ethernet: mtk_eth_soc: Always call mtk_gmac0_rgmii_adjust() for
+ mt7623
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: RenĂ© van Dorst <opensource@vdorst.com>
+
+[ Upstream commit 19016d93bfc335f0c158c0d9e3b9d06c4dd53d39 ]
+
+Modify mtk_gmac0_rgmii_adjust() so it can always be called.
+mtk_gmac0_rgmii_adjust() sets-up the TRGMII clocks.
+
+Signed-off-by: RenĂ© van Dorst <opensource@vdorst.com>
+Signed-off-By: David Woodhouse <dwmw2@infradead.org>
+Tested-by: Frank Wunderlich <frank-w@public-files.de>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 997dc811382a4..be390c7e43b2f 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -171,11 +171,21 @@ static int mt7621_gmac0_rgmii_adjust(struct mtk_eth *eth,
+       return 0;
+ }
+-static void mtk_gmac0_rgmii_adjust(struct mtk_eth *eth, int speed)
++static void mtk_gmac0_rgmii_adjust(struct mtk_eth *eth,
++                                 phy_interface_t interface, int speed)
+ {
+       u32 val;
+       int ret;
++      if (interface == PHY_INTERFACE_MODE_TRGMII) {
++              mtk_w32(eth, TRGMII_MODE, INTF_MODE);
++              val = 500000000;
++              ret = clk_set_rate(eth->clks[MTK_CLK_TRGPLL], val);
++              if (ret)
++                      dev_err(eth->dev, "Failed to set trgmii pll: %d\n", ret);
++              return;
++      }
++
+       val = (speed == SPEED_1000) ?
+               INTF_MODE_RGMII_1000 : INTF_MODE_RGMII_10_100;
+       mtk_w32(eth, val, INTF_MODE);
+@@ -262,10 +272,9 @@ static void mtk_mac_config(struct phylink_config *config, unsigned int mode,
+                                                             state->interface))
+                                       goto err_phy;
+                       } else {
+-                              if (state->interface !=
+-                                  PHY_INTERFACE_MODE_TRGMII)
+-                                      mtk_gmac0_rgmii_adjust(mac->hw,
+-                                                             state->speed);
++                              mtk_gmac0_rgmii_adjust(mac->hw,
++                                                     state->interface,
++                                                     state->speed);
+                               /* mt7623_pad_clk_setup */
+                               for (i = 0 ; i < NUM_TRGMII_CTRL; i++)
+-- 
+2.25.1
+
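Review bot: The new TRGMII branch in mtk_gmac0_rgmii_adjust() programs the PLL from a bare `500000000` and, when clk_set_rate() fails, only logs and returns, so mtk_mac_config() continues into the mt7623 pad/clock setup with INTF_MODE already switched to TRGMII_MODE and no guarantee the clock is actually at rate. A named constant would make the intent visible, e.g. `#define MTK_TRGMII_PLL_RATE 500000000 /* TRGMII PLL rate in Hz */` and `ret = clk_set_rate(eth->clks[MTK_CLK_TRGPLL], MTK_TRGMII_PLL_RATE);`. Whether the failure should be propagated depends on how the caller handles errors; the function is void and mtk_mac_config() starts outside the second hunk, so I cannot tell from here whether an error path exists. At minimum the early `return;` deserves a comment such as `/* TRGMII uses the PLL, the RGMII clock setup below does not apply */`, since before this change TRGMII skipped the call entirely and the first function's body continues past the hunk.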
diff --git a/queue-5.4/nvme-pci-prevent-sk-hynix-pc400-from-using-write-zer.patch b/queue-5.4/nvme-pci-prevent-sk-hynix-pc400-from-using-write-zer.patch
new file mode 100644 (file)
index 0000000..686139d
--- /dev/null
@@ -0,0 +1,51 @@
+From 736f24d665c777214f1802f2dbf8a90314856712 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 01:29:10 +0800
+Subject: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+[ Upstream commit 5611ec2b9814bc91f7b0a8d804c1fc152e2025d9 ]
+
+After commit 6e02318eaea5 ("nvme: add support for the Write Zeroes
+command"), SK hynix PC400 becomes very slow with the following error
+message:
+
+[  224.567695] blk_update_request: operation not supported error, dev nvme1n1, sector 499384320 op 0x9:(WRITE_ZEROES) flags 0x1000000 phys_seg 0 prio class 0]
+
+SK Hynix PC400 has a buggy firmware that treats NLB as max value instead
+of a range, so the NLB passed isn't a valid value to the firmware.
+
+According to SK hynix there are three commands are affected:
+- Write Zeroes
+- Compare
+- Write Uncorrectable
+
+Right now only Write Zeroes is implemented, so disable it completely on
+SK hynix PC400.
+
+BugLink: https://bugs.launchpad.net/bugs/1872383
+Cc: kyounghwan sohn <kyounghwan.sohn@sk.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/nvme/host/pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c
+index a13cae1901962..ee7669f23cff0 100644
+--- a/drivers/nvme/host/pci.c
++++ b/drivers/nvme/host/pci.c
+@@ -3140,6 +3140,8 @@ static const struct pci_device_id nvme_id_table[] = {
+       { PCI_DEVICE(0x1cc1, 0x8201),   /* ADATA SX8200PNP 512GB */
+               .driver_data = NVME_QUIRK_NO_DEEPEST_PS |
+                               NVME_QUIRK_IGNORE_DEV_SUBNQN, },
++      { PCI_DEVICE(0x1c5c, 0x1504),   /* SK Hynix PC400 */
++              .driver_data = NVME_QUIRK_DISABLE_WRITE_ZEROES, },
+       { PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff) },
+       { PCI_DEVICE(PCI_VENDOR_ID_APPLE, 0x2001),
+               .driver_data = NVME_QUIRK_SINGLE_VECTOR },
+-- 
+2.25.1
+
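Review bot: The new nvme_id_table entry carries only `NVME_QUIRK_DISABLE_WRITE_ZEROES`, while the commit message says SK hynix lists Compare and Write Uncorrectable as affected by the same NLB firmware bug; nothing at the entry records that, so whoever later wires up those commands in the driver gets no hint that this device must be excluded. Suggest extending the entry's comment, e.g. `/* SK Hynix PC400: FW treats NLB as a max, not a range; Compare and Write Uncorrectable are affected too if ever implemented */`. Placing the entry ahead of the `PCI_DEVICE_CLASS(PCI_CLASS_STORAGE_EXPRESS, 0xffffff)` catch-all looks right, since PCI id matching takes the first entry that matches.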
index 55d95fcdd45c55728e757a90d005c65479aa8bb6..cca878780e39a031ad3134919df40db073344250 100644 (file)
@@ -28,3 +28,19 @@ leds-lm36274-fix-use-after-free-on-unbind.patch
 leds-da903x-fix-use-after-free-on-unbind.patch
 leds-lm3533-fix-use-after-free-on-unbind.patch
 leds-88pm860x-fix-use-after-free-on-unbind.patch
+net-9p-validate-fds-in-p9_fd_open.patch
+drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch
+drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch
+nvme-pci-prevent-sk-hynix-pc400-from-using-write-zer.patch
+drm-drm_fb_helper-fix-fbdev-with-sparc64.patch
+i2c-slave-improve-sanity-check-when-registering.patch
+i2c-slave-add-sanity-check-when-unregistering.patch
+usb-hso-check-for-return-value-in-hso_serial_common_.patch
+net-ethernet-mtk_eth_soc-always-call-mtk_gmac0_rgmii.patch
+alsa-hda-fix-null-pointer-dereference-during-suspend.patch
+firmware-fix-a-reference-count-leak.patch
+cfg80211-check-vendor-command-doit-pointer-before-us.patch
+igb-reinit_locked-should-be-called-with-rtnl_lock.patch
+atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch
+tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch
+drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch
diff --git a/queue-5.4/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch b/queue-5.4/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch
new file mode 100644 (file)
index 0000000..6673014
--- /dev/null
@@ -0,0 +1,72 @@
+From c19fcd225335dbb1581e1ea868444c74ef68c067 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 11:02:36 -0400
+Subject: tools lib traceevent: Fix memory leak in process_dynamic_array_len
+
+From: Philippe Duplessis-Guindon <pduplessis@efficios.com>
+
+[ Upstream commit e24c6447ccb7b1a01f9bf0aec94939e6450c0b4d ]
+
+I compiled with AddressSanitizer and I had these memory leaks while I
+was using the tep_parse_format function:
+
+    Direct leak of 28 byte(s) in 4 object(s) allocated from:
+        #0 0x7fb07db49ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
+        #1 0x7fb07a724228 in extend_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:985
+        #2 0x7fb07a724c21 in __read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1140
+        #3 0x7fb07a724f78 in read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1206
+        #4 0x7fb07a725191 in __read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1291
+        #5 0x7fb07a7251df in read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1299
+        #6 0x7fb07a72e6c8 in process_dynamic_array_len /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:2849
+        #7 0x7fb07a7304b8 in process_function /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3161
+        #8 0x7fb07a730900 in process_arg_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3207
+        #9 0x7fb07a727c0b in process_arg /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1786
+        #10 0x7fb07a731080 in event_read_print_args /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3285
+        #11 0x7fb07a731722 in event_read_print /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3369
+        #12 0x7fb07a740054 in __tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6335
+        #13 0x7fb07a74047a in __parse_event /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6389
+        #14 0x7fb07a740536 in tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6431
+        #15 0x7fb07a785acf in parse_event ../../../src/fs-src/fs.c:251
+        #16 0x7fb07a785ccd in parse_systems ../../../src/fs-src/fs.c:284
+        #17 0x7fb07a786fb3 in read_metadata ../../../src/fs-src/fs.c:593
+        #18 0x7fb07a78760e in ftrace_fs_source_init ../../../src/fs-src/fs.c:727
+        #19 0x7fb07d90c19c in add_component_with_init_method_data ../../../../src/lib/graph/graph.c:1048
+        #20 0x7fb07d90c87b in add_source_component_with_initialize_method_data ../../../../src/lib/graph/graph.c:1127
+        #21 0x7fb07d90c92a in bt_graph_add_source_component ../../../../src/lib/graph/graph.c:1152
+        #22 0x55db11aa632e in cmd_run_ctx_create_components_from_config_components ../../../src/cli/babeltrace2.c:2252
+        #23 0x55db11aa6fda in cmd_run_ctx_create_components ../../../src/cli/babeltrace2.c:2347
+        #24 0x55db11aa780c in cmd_run ../../../src/cli/babeltrace2.c:2461
+        #25 0x55db11aa8a7d in main ../../../src/cli/babeltrace2.c:2673
+        #26 0x7fb07d5460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
+
+The token variable in the process_dynamic_array_len function is
+allocated in the read_expect_type function, but is not freed before
+calling the read_token function.
+
+Free the token variable before calling read_token in order to plug the
+leak.
+
+Signed-off-by: Philippe Duplessis-Guindon <pduplessis@efficios.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Link: https://lore.kernel.org/linux-trace-devel/20200730150236.5392-1-pduplessis@efficios.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/traceevent/event-parse.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
+index 798284f511f16..4559a15e66570 100644
+--- a/tools/lib/traceevent/event-parse.c
++++ b/tools/lib/traceevent/event-parse.c
+@@ -2861,6 +2861,7 @@ process_dynamic_array_len(struct tep_event *event, struct tep_print_arg *arg,
+       if (read_expected(TEP_EVENT_DELIM, ")") < 0)
+               goto out_err;
++      free_token(token);
+       type = read_token(&token);
+       *tok = token;
+-- 
+2.25.1
+
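Review bot: The added `free_token(token)` only covers the success path; the `goto out_err` two lines above it, taken when `read_expected(TEP_EVENT_DELIM, ")")` fails, leaves the same `token` allocated unless the `out_err` label frees it. Worth confirming that `out_err` does `free_token(token);` before `*tok = NULL;` and, if it does not, adding the free to that label rather than duplicating it at every failure site. The labels and the rest of process_dynamic_array_len() are outside this hunk, so I cannot verify it from here.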
diff --git a/queue-5.4/usb-hso-check-for-return-value-in-hso_serial_common_.patch b/queue-5.4/usb-hso-check-for-return-value-in-hso_serial_common_.patch
new file mode 100644 (file)
index 0000000..2ee5fbf
--- /dev/null
@@ -0,0 +1,53 @@
+From 80e54569b02a310726382e11ac35b7b2b4891a9c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 23:42:17 -0700
+Subject: usb: hso: check for return value in hso_serial_common_create()
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+[ Upstream commit e911e99a0770f760377c263bc7bac1b1593c6147 ]
+
+in case of an error tty_register_device_attr() returns ERR_PTR(),
+add IS_ERR() check
+
+Reported-and-tested-by: syzbot+67b2bd0e34f952d0321e@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/hso.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
+index 66a8b835aa94c..7449b97a3c89b 100644
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -2260,12 +2260,14 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs,
+       minor = get_free_serial_index();
+       if (minor < 0)
+-              goto exit;
++              goto exit2;
+       /* register our minor number */
+       serial->parent->dev = tty_port_register_device_attr(&serial->port,
+                       tty_drv, minor, &serial->parent->interface->dev,
+                       serial->parent, hso_serial_dev_groups);
++      if (IS_ERR(serial->parent->dev))
++              goto exit2;
+       /* fill in specific data for later use */
+       serial->minor = minor;
+@@ -2310,6 +2312,7 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs,
+       return 0;
+ exit:
+       hso_serial_tty_unregister(serial);
++exit2:
+       hso_serial_common_free(serial);
+       return -1;
+ }
+-- 
+2.25.1
+
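Review bot: On the new `IS_ERR(serial->parent->dev)` path the ERR_PTR cookie is left stored in `serial->parent->dev` when jumping to `exit2`, so any later code that tests that pointer for non-NULL (teardown in the caller, or hso_serial_common_free() itself) would treat an error value as a valid struct device. Clearing it before the jump, `serial->parent->dev = NULL;`, keeps the failed state indistinguishable from "never registered". The new `exit2` label deliberately skips hso_serial_tty_unregister(), which is correct only if nothing earlier in the function registered a tty; hso_serial_common_create() starts outside the first hunk, so I cannot confirm that here. If callers propagate the return value, `PTR_ERR(serial->parent->dev)` would be more informative than the flat `-1`, but that depends on caller conventions not visible in the hunk.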