--- /dev/null
+From 07834dd54f8c73ce02dd45d9020fd6af86256f13 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 21:06:59 +0800
+Subject: atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
+
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+
+[ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ]
+
+atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
+reference of atm_dev with increased refcount or NULL if fails.
+
+The refcount leaks issues occur in two error handling paths. If
+dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
+returns 0 without decreasing the refcount kept by a local variable,
+resulting in refcount leaks.
+
+Fix the issue by adding atm_dev_put() before returning 0 both when
+dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.
+
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/atmtcp.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
+index afebeb1c3e1e9..723bad1201cc5 100644
+--- a/drivers/atm/atmtcp.c
++++ b/drivers/atm/atmtcp.c
+@@ -432,9 +432,15 @@ static int atmtcp_remove_persistent(int itf)
+ return -EMEDIUMTYPE;
+ }
+ dev_data = PRIV(dev);
+- if (!dev_data->persist) return 0;
++ if (!dev_data->persist) {
++ atm_dev_put(dev);
++ return 0;
++ }
+ dev_data->persist = 0;
+- if (PRIV(dev)->vcc) return 0;
++ if (PRIV(dev)->vcc) {
++ atm_dev_put(dev);
++ return 0;
++ }
+ kfree(dev_data);
+ atm_dev_put(dev);
+ atm_dev_deregister(dev);
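Review bot: The tail of this hunk calls `kfree(dev_data)` and `atm_dev_put(dev)` before `atm_dev_deregister(dev)`, so `dev` is used after the lookup reference is dropped and its private data is freed while the device is still registered; nothing in the hunk says why that is safe. If the registration reference is what keeps `dev` alive, a comment above the put such as `/* lookup ref dropped; the registration ref keeps dev valid until deregister */` would record it, and it is worth confirming that nothing can reach the freed private data in that window. Separately, the two added blocks repeat `atm_dev_put(dev); return 0;`, which a single `out_put:` label would collapse. atmtcp_remove_persistent() starts and ends outside the hunk.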
+--
+2.25.1
+
--- /dev/null
+From 16a1d90310617189e93968cf1fc97226e6a4c31e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 17:13:53 -0400
+Subject: cfg80211: check vendor command doit pointer before use
+
+From: Julian Squires <julian@cipht.net>
+
+[ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ]
+
+In the case where a vendor command does not implement doit, and has no
+flags set, doit would not be validated and a NULL pointer dereference
+would occur, for example when invoking the vendor command via iw.
+
+I encountered this while developing new vendor commands. Perhaps in
+practice it is advisable to always implement doit along with dumpit,
+but it seems reasonable to me to always check doit anyway, not just
+when NEED_WDEV.
+
+Signed-off-by: Julian Squires <julian@cipht.net>
+Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index 0221849b72180..996b68b48a878 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -12392,13 +12392,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
+ if (!wdev_running(wdev))
+ return -ENETDOWN;
+ }
+-
+- if (!vcmd->doit)
+- return -EOPNOTSUPP;
+ } else {
+ wdev = NULL;
+ }
+
++ if (!vcmd->doit)
++ return -EOPNOTSUPP;
++
+ if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
+ data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
+ len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
+--
+2.25.1
+
--- /dev/null
+From eab50cea00ac68ba8607f4941b52e96431a12de1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 19 Jan 2020 15:29:22 -0800
+Subject: Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23)
+
+From: Dexuan Cui <decui@microsoft.com>
+
+[ Upstream commit ddc9d357b991838c2d975e8d7e4e9db26f37a7ff ]
+
+When a Linux hv_sock app tries to connect to a Service GUID on which no
+host app is listening, a recent host (RS3+) sends a
+CHANNELMSG_TL_CONNECT_RESULT (23) message to Linux and this triggers such
+a warning:
+
+unknown msgtype=23
+WARNING: CPU: 2 PID: 0 at drivers/hv/vmbus_drv.c:1031 vmbus_on_msg_dpc
+
+Actually Linux can safely ignore the message because the Linux app's
+connect() will time out in 2 seconds: see VSOCK_DEFAULT_CONNECT_TIMEOUT
+and vsock_stream_connect(). We don't bother to make use of the message
+because: 1) it's only supported on recent hosts; 2) a non-trivial effort
+is required to use the message in Linux, but the benefit is small.
+
+So, let's not see the warning by silently ignoring the message.
+
+Signed-off-by: Dexuan Cui <decui@microsoft.com>
+Reviewed-by: Michael Kelley <mikelley@microsoft.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hv/channel_mgmt.c | 21 +++++++--------------
+ drivers/hv/vmbus_drv.c | 4 ++++
+ include/linux/hyperv.h | 2 ++
+ 3 files changed, 13 insertions(+), 14 deletions(-)
+
+diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c
+index 3bf1f9ef8ea25..c83361a8e2033 100644
+--- a/drivers/hv/channel_mgmt.c
++++ b/drivers/hv/channel_mgmt.c
+@@ -1249,6 +1249,8 @@ channel_message_table[CHANNELMSG_COUNT] = {
+ { CHANNELMSG_19, 0, NULL },
+ { CHANNELMSG_20, 0, NULL },
+ { CHANNELMSG_TL_CONNECT_REQUEST, 0, NULL },
++ { CHANNELMSG_22, 0, NULL },
++ { CHANNELMSG_TL_CONNECT_RESULT, 0, NULL },
+ };
+
+ /*
+@@ -1260,25 +1262,16 @@ void vmbus_onmessage(void *context)
+ {
+ struct hv_message *msg = context;
+ struct vmbus_channel_message_header *hdr;
+- int size;
+
+ hdr = (struct vmbus_channel_message_header *)msg->u.payload;
+- size = msg->header.payload_size;
+
+ trace_vmbus_on_message(hdr);
+
+- if (hdr->msgtype >= CHANNELMSG_COUNT) {
+- pr_err("Received invalid channel message type %d size %d\n",
+- hdr->msgtype, size);
+- print_hex_dump_bytes("", DUMP_PREFIX_NONE,
+- (unsigned char *)msg->u.payload, size);
+- return;
+- }
+-
+- if (channel_message_table[hdr->msgtype].message_handler)
+- channel_message_table[hdr->msgtype].message_handler(hdr);
+- else
+- pr_err("Unhandled channel message type %d\n", hdr->msgtype);
++ /*
++ * vmbus_on_msg_dpc() makes sure the hdr->msgtype here can not go
++ * out of bound and the message_handler pointer can not be NULL.
++ */
++ channel_message_table[hdr->msgtype].message_handler(hdr);
+ }
+
+ /*
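Review bot: The new `channel_message_table[hdr->msgtype].message_handler(hdr)` call in vmbus_onmessage() indexes the table and calls through the pointer with no local check, relying entirely on the comment's claim about vmbus_on_msg_dpc(). `hdr->msgtype` comes from a host-supplied message, vmbus_onmessage() takes an opaque `void *context`, and the range check in vmbus_on_msg_dpc() is not visible in this patch, so confirm that the message validated there is the same copy that reaches this call and that no other caller exists. Keeping a cheap guard would make an out-of-range index or NULL handler fail closed instead of depending on the caller: `if (hdr->msgtype >= CHANNELMSG_COUNT || !channel_message_table[hdr->msgtype].message_handler) return;`.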
+diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
+index fb22b72fd535a..0699c60188895 100644
+--- a/drivers/hv/vmbus_drv.c
++++ b/drivers/hv/vmbus_drv.c
+@@ -939,6 +939,10 @@ void vmbus_on_msg_dpc(unsigned long data)
+ }
+
+ entry = &channel_message_table[hdr->msgtype];
++
++ if (!entry->message_handler)
++ goto msg_handled;
++
+ if (entry->handler_type == VMHT_BLOCKING) {
+ ctx = kmalloc(sizeof(*ctx), GFP_ATOMIC);
+ if (ctx == NULL)
+diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h
+index c43e694fef7dd..35461d49d3aee 100644
+--- a/include/linux/hyperv.h
++++ b/include/linux/hyperv.h
+@@ -428,6 +428,8 @@ enum vmbus_channel_message_type {
+ CHANNELMSG_19 = 19,
+ CHANNELMSG_20 = 20,
+ CHANNELMSG_TL_CONNECT_REQUEST = 21,
++ CHANNELMSG_22 = 22,
++ CHANNELMSG_TL_CONNECT_RESULT = 23,
+ CHANNELMSG_COUNT
+ };
+
+--
+2.25.1
+
--- /dev/null
+From 631aa7449775ebad4f807b3856271283fe55fee0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 17:01:39 +1000
+Subject: drm/nouveau/fbcon: fix module unload when fbcon init has failed for
+ some reason
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 498595abf5bd51f0ae074cec565d888778ea558f ]
+
+Stale pointer was tripping up the unload path.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+index 0f64c0a1d4b30..fef38ea146a2a 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+@@ -599,6 +599,7 @@ fini:
+ drm_fb_helper_fini(&fbcon->helper);
+ free:
+ kfree(fbcon);
++ drm->fbcon = NULL;
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From f4d56524bad0804fde879dcbaa3db745ad829448 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 17:02:48 +1000
+Subject: drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 15fbc3b938534cc8eaac584a7b0c1183fc968b86 ]
+
+This is tripping up the format modifier patches.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+index fef38ea146a2a..406cb99af7f21 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+@@ -315,7 +315,7 @@ nouveau_fbcon_create(struct drm_fb_helper *helper,
+ struct nouveau_framebuffer *fb;
+ struct nouveau_channel *chan;
+ struct nouveau_bo *nvbo;
+- struct drm_mode_fb_cmd2 mode_cmd;
++ struct drm_mode_fb_cmd2 mode_cmd = {};
+ int ret;
+
+ mode_cmd.width = sizes->surface_width;
+--
+2.25.1
+
--- /dev/null
+From dc291342512b2463fff81de0121544caddbe3047 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 13 Jun 2020 14:05:33 -0500
+Subject: firmware: Fix a reference count leak.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+[ Upstream commit fe3c60684377d5ad9b0569b87ed3e26e12c8173b ]
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object.
+Callback function fw_cfg_sysfs_release_entry() in kobject_put()
+can handle the pointer "entry" properly.
+
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Link: https://lore.kernel.org/r/20200613190533.15712-1-wu000273@umn.edu
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/qemu_fw_cfg.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c
+index 039e0f91dba8f..6945c3c966375 100644
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -605,8 +605,10 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f)
+ /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+ err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
+ fw_cfg_sel_ko, "%d", entry->select);
+- if (err)
+- goto err_register;
++ if (err) {
++ kobject_put(&entry->kobj);
++ return err;
++ }
+
+ /* add raw binary content access */
+ err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw);
+@@ -622,7 +624,6 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f)
+
+ err_add_raw:
+ kobject_del(&entry->kobj);
+-err_register:
+ kfree(entry);
+ return err;
+ }
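Review bot: The `err_add_raw:` path kept by this hunk still ends in `kobject_del(&entry->kobj); kfree(entry);`, which frees `entry` directly after a successful kobject_init_and_add() and so bypasses the kobject release path that the commit message says is required. By the same reasoning that path should drop the reference instead, replacing those two lines with `kobject_put(&entry->kobj);`. For the first hunk's new `kobject_put()` call, confirm that fw_cfg_sysfs_release_entry() is safe for an entry that has not yet gone through the rest of registration (its body is not shown here); if it undoes steps that happen later in fw_cfg_register_file(), the early put would act on state that was never set up. The function starts outside both hunks.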
+--
+2.25.1
+
--- /dev/null
+From 62f515262ac1ee6f140675b0ad16ab4399e8643a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 21:50:53 +0200
+Subject: i2c: slave: add sanity check when unregistering
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 8808981baf96e1b3dea1f08461e4d958aa0dbde1 ]
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Alain Volmat <alain.volmat@st.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-slave.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c
+index 88959c8580ce0..f2e7e373ee478 100644
+--- a/drivers/i2c/i2c-core-slave.c
++++ b/drivers/i2c/i2c-core-slave.c
+@@ -62,6 +62,9 @@ int i2c_slave_unregister(struct i2c_client *client)
+ {
+ int ret;
+
++ if (IS_ERR_OR_NULL(client))
++ return -EINVAL;
++
+ if (!client->adapter->algo->unreg_slave) {
+ dev_err(&client->dev, "%s: not supported by adapter\n", __func__);
+ return -EOPNOTSUPP;
+--
+2.25.1
+
--- /dev/null
+From 1b6d099d68b4a61bc5eb04a0fd5dfc31beb449ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 25 Jul 2020 21:50:52 +0200
+Subject: i2c: slave: improve sanity check when registering
+
+From: Wolfram Sang <wsa+renesas@sang-engineering.com>
+
+[ Upstream commit 1b1be3bf27b62f5abcf85c6f3214bdb9c7526685 ]
+
+Add check for ERR_PTR and simplify code while here.
+
+Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
+Reviewed-by: Alain Volmat <alain.volmat@st.com>
+Signed-off-by: Wolfram Sang <wsa@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/i2c/i2c-core-slave.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c
+index 47a9f70a24a97..88959c8580ce0 100644
+--- a/drivers/i2c/i2c-core-slave.c
++++ b/drivers/i2c/i2c-core-slave.c
+@@ -22,10 +22,8 @@ int i2c_slave_register(struct i2c_client *client, i2c_slave_cb_t slave_cb)
+ {
+ int ret;
+
+- if (!client || !slave_cb) {
+- WARN(1, "insufficient data\n");
++ if (WARN(IS_ERR_OR_NULL(client) || !slave_cb, "insufficient data\n"))
+ return -EINVAL;
+- }
+
+ if (!(client->flags & I2C_CLIENT_SLAVE))
+ dev_warn(&client->dev, "%s: client slave flag not set. You might see address collisions\n",
+--
+2.25.1
+
--- /dev/null
+From 6d6925059a03b5ef7041c8eb79321fa316a9ef4c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jul 2020 15:39:06 -0700
+Subject: igb: reinit_locked() should be called with rtnl_lock
+
+From: Francesco Ruggeri <fruggeri@arista.com>
+
+[ Upstream commit 024a8168b749db7a4aa40a5fbdfa04bf7e77c1c0 ]
+
+We observed two panics involving races with igb_reset_task.
+The first panic is caused by this race condition:
+
+ kworker reboot -f
+
+ igb_reset_task
+ igb_reinit_locked
+ igb_down
+ napi_synchronize
+ __igb_shutdown
+ igb_clear_interrupt_scheme
+ igb_free_q_vectors
+ igb_free_q_vector
+ adapter->q_vector[v_idx] = NULL;
+ napi_disable
+ Panics trying to access
+ adapter->q_vector[v_idx].napi_state
+
+The second panic (a divide error) is caused by this race:
+
+kworker reboot -f tx packet
+
+igb_reset_task
+ __igb_shutdown
+ rtnl_lock()
+ ...
+ igb_clear_interrupt_scheme
+ igb_free_q_vectors
+ adapter->num_tx_queues = 0
+ ...
+ rtnl_unlock()
+rtnl_lock()
+igb_reinit_locked
+igb_down
+igb_up
+netif_tx_start_all_queues
+ dev_hard_start_xmit
+ igb_xmit_frame
+ igb_tx_queue_mapping
+ Panics on
+ r_idx % adapter->num_tx_queues
+
+This commit applies to igb_reset_task the same changes that
+were applied to ixgbe in commit 2f90b8657ec9 ("ixgbe: this patch
+adds support for DCB to the kernel and ixgbe driver"),
+commit 8f4c5c9fb87a ("ixgbe: reinit_locked() should be called with
+rtnl_lock") and commit 88adce4ea8f9 ("ixgbe: fix possible race in
+reset subtask").
+
+Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 36db874f3c928..d85eb80d82497 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -6226,9 +6226,18 @@ static void igb_reset_task(struct work_struct *work)
+ struct igb_adapter *adapter;
+ adapter = container_of(work, struct igb_adapter, reset_task);
+
++ rtnl_lock();
++ /* If we're already down or resetting, just bail */
++ if (test_bit(__IGB_DOWN, &adapter->state) ||
++ test_bit(__IGB_RESETTING, &adapter->state)) {
++ rtnl_unlock();
++ return;
++ }
++
+ igb_dump(adapter);
+ netdev_err(adapter->netdev, "Reset adapter\n");
+ igb_reinit_locked(adapter);
++ rtnl_unlock();
+ }
+
+ /**
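Review bot: The locking contract this change depends on is only implicit: igb_reset_task() now wraps `igb_reinit_locked(adapter)` in `rtnl_lock()`/`rtnl_unlock()`, but nothing prevents another caller of igb_reinit_locked() (none are visible in this hunk) from invoking it unlocked and reopening the races described in the commit message. Adding `ASSERT_RTNL();` at the top of igb_reinit_locked() would document and enforce the requirement. The `test_bit(__IGB_DOWN, ...)` / `test_bit(__IGB_RESETTING, ...)` bail-out is likewise only reliable if every path that sets those bits holds rtnl, which is worth stating next to the existing `/* If we're already down or resetting, just bail */` comment.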
+--
+2.25.1
+
--- /dev/null
+From ba09f86ca9c64b5f9e33e1a1288c5009f4fdee88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 10:57:22 +0200
+Subject: net/9p: validate fds in p9_fd_open
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ]
+
+p9_fd_open just fgets file descriptors passed in from userspace, but
+doesn't verify that they are valid for read or writing. This gets
+cought down in the VFS when actually attempting a read or write, but
+a new warning added in linux-next upsets syzcaller.
+
+Fix this by just verifying the fds early on.
+
+Link: http://lkml.kernel.org/r/20200710085722.435850-1-hch@lst.de
+Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+[Dominique: amend goto as per Doug Nazar's review]
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index d28c2cc9618fa..b6dcb40fa8a7d 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -831,20 +831,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd)
+ return -ENOMEM;
+
+ ts->rd = fget(rfd);
++ if (!ts->rd)
++ goto out_free_ts;
++ if (!(ts->rd->f_mode & FMODE_READ))
++ goto out_put_rd;
+ ts->wr = fget(wfd);
+- if (!ts->rd || !ts->wr) {
+- if (ts->rd)
+- fput(ts->rd);
+- if (ts->wr)
+- fput(ts->wr);
+- kfree(ts);
+- return -EIO;
+- }
++ if (!ts->wr)
++ goto out_put_rd;
++ if (!(ts->wr->f_mode & FMODE_WRITE))
++ goto out_put_wr;
+
+ client->trans = ts;
+ client->status = Connected;
+
+ return 0;
++
++out_put_wr:
++ fput(ts->wr);
++out_put_rd:
++ fput(ts->rd);
++out_free_ts:
++ kfree(ts);
++ return -EIO;
+ }
+
+ static int p9_socket_open(struct p9_client *client, struct socket *csocket)
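Review bot: Every failure in the new validation sequence funnels into `return -EIO`, so an fd that is not open at all (`fget()` returning NULL) and an fd opened with the wrong access mode are indistinguishable to the userspace caller that supplied rfd/wfd. If changing the errno is acceptable for existing users, `-EBADF` would describe these cases more accurately; otherwise a short comment above the checks such as `/* fds come from userspace: reject ones not opened for the direction we need */` would record why the mode is tested here rather than left to the VFS. Note that `FMODE_READ`/`FMODE_WRITE` reflect how the file was opened, not whether the file type implements read or write, so the later I/O path still has to handle failure. The start of p9_fd_open() is outside the hunk.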
+--
+2.25.1
+
leds-da903x-fix-use-after-free-on-unbind.patch
leds-lm3533-fix-use-after-free-on-unbind.patch
leds-88pm860x-fix-use-after-free-on-unbind.patch
+net-9p-validate-fds-in-p9_fd_open.patch
+drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch
+drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch
+i2c-slave-improve-sanity-check-when-registering.patch
+i2c-slave-add-sanity-check-when-unregistering.patch
+usb-hso-check-for-return-value-in-hso_serial_common_.patch
+firmware-fix-a-reference-count-leak.patch
+cfg80211-check-vendor-command-doit-pointer-before-us.patch
+igb-reinit_locked-should-be-called-with-rtnl_lock.patch
+atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch
+tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch
+drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch
--- /dev/null
+From bb53b6c57d4b670107a8ec0318669cc4b6b6f265 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 11:02:36 -0400
+Subject: tools lib traceevent: Fix memory leak in process_dynamic_array_len
+
+From: Philippe Duplessis-Guindon <pduplessis@efficios.com>
+
+[ Upstream commit e24c6447ccb7b1a01f9bf0aec94939e6450c0b4d ]
+
+I compiled with AddressSanitizer and I had these memory leaks while I
+was using the tep_parse_format function:
+
+ Direct leak of 28 byte(s) in 4 object(s) allocated from:
+ #0 0x7fb07db49ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
+ #1 0x7fb07a724228 in extend_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:985
+ #2 0x7fb07a724c21 in __read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1140
+ #3 0x7fb07a724f78 in read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1206
+ #4 0x7fb07a725191 in __read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1291
+ #5 0x7fb07a7251df in read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1299
+ #6 0x7fb07a72e6c8 in process_dynamic_array_len /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:2849
+ #7 0x7fb07a7304b8 in process_function /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3161
+ #8 0x7fb07a730900 in process_arg_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3207
+ #9 0x7fb07a727c0b in process_arg /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1786
+ #10 0x7fb07a731080 in event_read_print_args /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3285
+ #11 0x7fb07a731722 in event_read_print /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3369
+ #12 0x7fb07a740054 in __tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6335
+ #13 0x7fb07a74047a in __parse_event /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6389
+ #14 0x7fb07a740536 in tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6431
+ #15 0x7fb07a785acf in parse_event ../../../src/fs-src/fs.c:251
+ #16 0x7fb07a785ccd in parse_systems ../../../src/fs-src/fs.c:284
+ #17 0x7fb07a786fb3 in read_metadata ../../../src/fs-src/fs.c:593
+ #18 0x7fb07a78760e in ftrace_fs_source_init ../../../src/fs-src/fs.c:727
+ #19 0x7fb07d90c19c in add_component_with_init_method_data ../../../../src/lib/graph/graph.c:1048
+ #20 0x7fb07d90c87b in add_source_component_with_initialize_method_data ../../../../src/lib/graph/graph.c:1127
+ #21 0x7fb07d90c92a in bt_graph_add_source_component ../../../../src/lib/graph/graph.c:1152
+ #22 0x55db11aa632e in cmd_run_ctx_create_components_from_config_components ../../../src/cli/babeltrace2.c:2252
+ #23 0x55db11aa6fda in cmd_run_ctx_create_components ../../../src/cli/babeltrace2.c:2347
+ #24 0x55db11aa780c in cmd_run ../../../src/cli/babeltrace2.c:2461
+ #25 0x55db11aa8a7d in main ../../../src/cli/babeltrace2.c:2673
+ #26 0x7fb07d5460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
+
+The token variable in the process_dynamic_array_len function is
+allocated in the read_expect_type function, but is not freed before
+calling the read_token function.
+
+Free the token variable before calling read_token in order to plug the
+leak.
+
+Signed-off-by: Philippe Duplessis-Guindon <pduplessis@efficios.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Link: https://lore.kernel.org/linux-trace-devel/20200730150236.5392-1-pduplessis@efficios.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/traceevent/event-parse.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
+index 382e476629fb1..c0fcc8af2a3ef 100644
+--- a/tools/lib/traceevent/event-parse.c
++++ b/tools/lib/traceevent/event-parse.c
+@@ -2766,6 +2766,7 @@ process_dynamic_array_len(struct event_format *event, struct print_arg *arg,
+ if (read_expected(EVENT_DELIM, ")") < 0)
+ goto out_err;
+
++ free_token(token);
+ type = read_token(&token);
+ *tok = token;
+
+--
+2.25.1
+
--- /dev/null
+From eec2c64678fb909e6e33b8b7d961e7a9ed450de6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 27 Jul 2020 23:42:17 -0700
+Subject: usb: hso: check for return value in hso_serial_common_create()
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+[ Upstream commit e911e99a0770f760377c263bc7bac1b1593c6147 ]
+
+in case of an error tty_register_device_attr() returns ERR_PTR(),
+add IS_ERR() check
+
+Reported-and-tested-by: syzbot+67b2bd0e34f952d0321e@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/hso.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
+index 61b9d33681484..bff268b4a9a46 100644
+--- a/drivers/net/usb/hso.c
++++ b/drivers/net/usb/hso.c
+@@ -2274,12 +2274,14 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs,
+
+ minor = get_free_serial_index();
+ if (minor < 0)
+- goto exit;
++ goto exit2;
+
+ /* register our minor number */
+ serial->parent->dev = tty_port_register_device_attr(&serial->port,
+ tty_drv, minor, &serial->parent->interface->dev,
+ serial->parent, hso_serial_dev_groups);
++ if (IS_ERR(serial->parent->dev))
++ goto exit2;
+
+ /* fill in specific data for later use */
+ serial->minor = minor;
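Review bot: On the new `IS_ERR(serial->parent->dev)` branch the ERR_PTR value stays stored in `serial->parent->dev` and the real error code is discarded, since the `exit2:` label added in the following hunk returns `-1`. Any later code that tests `parent->dev` against NULL would treat the error pointer as a valid device, so it would be safer to hold the result in a local first, or to reset the field with `serial->parent->dev = NULL;` ahead of `goto exit2;`. Whether hso_serial_common_free() or the callers read that field is not visible here, so treat this as something to confirm. The function begins before this hunk and continues after it.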
+@@ -2324,6 +2326,7 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs,
+ return 0;
+ exit:
+ hso_serial_tty_unregister(serial);
++exit2:
+ hso_serial_common_free(serial);
+ return -1;
+ }
+--
+2.25.1
+