--- /dev/null
+From 50c88007e95e15dd6518f5b5b00f5e7c5d375fdd Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 29 Jul 2020 21:06:59 +0800
+Subject: atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
+
+From: Xin Xiong <xiongx18@fudan.edu.cn>
+
+[ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ]
+
+atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
+reference of atm_dev with increased refcount or NULL if fails.
+
+The refcount leaks issues occur in two error handling paths. If
+dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
+returns 0 without decreasing the refcount kept by a local variable,
+resulting in refcount leaks.
+
+Fix the issue by adding atm_dev_put() before returning 0 both when
+dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.
+
+Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
+Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
+Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/atm/atmtcp.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
+index 480fa6ffbc090..04fca6db273ef 100644
+--- a/drivers/atm/atmtcp.c
++++ b/drivers/atm/atmtcp.c
+@@ -432,9 +432,15 @@ static int atmtcp_remove_persistent(int itf)
+ return -EMEDIUMTYPE;
+ }
+ dev_data = PRIV(dev);
+- if (!dev_data->persist) return 0;
++ if (!dev_data->persist) {
++ atm_dev_put(dev);
++ return 0;
++ }
+ dev_data->persist = 0;
+- if (PRIV(dev)->vcc) return 0;
++ if (PRIV(dev)->vcc) {
++ atm_dev_put(dev);
++ return 0;
++ }
+ kfree(dev_data);
+ atm_dev_put(dev);
+ atm_dev_deregister(dev);
+--
+2.25.1
+
--- /dev/null
+From 8bee74555468d383832490a6bca6ee8191ab2ced Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 6 Jul 2020 17:13:53 -0400
+Subject: cfg80211: check vendor command doit pointer before use
+
+From: Julian Squires <julian@cipht.net>
+
+[ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ]
+
+In the case where a vendor command does not implement doit, and has no
+flags set, doit would not be validated and a NULL pointer dereference
+would occur, for example when invoking the vendor command via iw.
+
+I encountered this while developing new vendor commands. Perhaps in
+practice it is advisable to always implement doit along with dumpit,
+but it seems reasonable to me to always check doit anyway, not just
+when NEED_WDEV.
+
+Signed-off-by: Julian Squires <julian@cipht.net>
+Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/wireless/nl80211.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
+index c6c168f20b0f2..55de35c4434a8 100644
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -10180,13 +10180,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info)
+ if (!wdev->netdev && !wdev->p2p_started)
+ return -ENETDOWN;
+ }
+-
+- if (!vcmd->doit)
+- return -EOPNOTSUPP;
+ } else {
+ wdev = NULL;
+ }
+
++ if (!vcmd->doit)
++ return -EOPNOTSUPP;
++
+ if (info->attrs[NL80211_ATTR_VENDOR_DATA]) {
+ data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]);
+ len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]);
+--
+2.25.1
+
--- /dev/null
+From 4176dc029705044ec6452a41ffe3084d6c951adc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 24 Jul 2020 17:01:39 +1000
+Subject: drm/nouveau/fbcon: fix module unload when fbcon init has failed for
+ some reason
+
+From: Ben Skeggs <bskeggs@redhat.com>
+
+[ Upstream commit 498595abf5bd51f0ae074cec565d888778ea558f ]
+
+Stale pointer was tripping up the unload path.
+
+Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+index 343476d157266..edb3a23ded5d5 100644
+--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c
++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c
+@@ -566,6 +566,7 @@ fini:
+ drm_fb_helper_fini(&fbcon->helper);
+ free:
+ kfree(fbcon);
++ drm->fbcon = NULL;
+ return ret;
+ }
+
+--
+2.25.1
+
--- /dev/null
+From 8ee93114cd6442881937f4c91363ad24f76e377f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 2 Jul 2020 15:39:06 -0700
+Subject: igb: reinit_locked() should be called with rtnl_lock
+
+From: Francesco Ruggeri <fruggeri@arista.com>
+
+[ Upstream commit 024a8168b749db7a4aa40a5fbdfa04bf7e77c1c0 ]
+
+We observed two panics involving races with igb_reset_task.
+The first panic is caused by this race condition:
+
+ kworker reboot -f
+
+ igb_reset_task
+ igb_reinit_locked
+ igb_down
+ napi_synchronize
+ __igb_shutdown
+ igb_clear_interrupt_scheme
+ igb_free_q_vectors
+ igb_free_q_vector
+ adapter->q_vector[v_idx] = NULL;
+ napi_disable
+ Panics trying to access
+ adapter->q_vector[v_idx].napi_state
+
+The second panic (a divide error) is caused by this race:
+
+kworker reboot -f tx packet
+
+igb_reset_task
+ __igb_shutdown
+ rtnl_lock()
+ ...
+ igb_clear_interrupt_scheme
+ igb_free_q_vectors
+ adapter->num_tx_queues = 0
+ ...
+ rtnl_unlock()
+rtnl_lock()
+igb_reinit_locked
+igb_down
+igb_up
+netif_tx_start_all_queues
+ dev_hard_start_xmit
+ igb_xmit_frame
+ igb_tx_queue_mapping
+ Panics on
+ r_idx % adapter->num_tx_queues
+
+This commit applies to igb_reset_task the same changes that
+were applied to ixgbe in commit 2f90b8657ec9 ("ixgbe: this patch
+adds support for DCB to the kernel and ixgbe driver"),
+commit 8f4c5c9fb87a ("ixgbe: reinit_locked() should be called with
+rtnl_lock") and commit 88adce4ea8f9 ("ixgbe: fix possible race in
+reset subtask").
+
+Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
+Tested-by: Aaron Brown <aaron.f.brown@intel.com>
+Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/intel/igb/igb_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
+index 426abfce1c3ff..a4aa4d10ca700 100644
+--- a/drivers/net/ethernet/intel/igb/igb_main.c
++++ b/drivers/net/ethernet/intel/igb/igb_main.c
+@@ -5137,9 +5137,18 @@ static void igb_reset_task(struct work_struct *work)
+ struct igb_adapter *adapter;
+ adapter = container_of(work, struct igb_adapter, reset_task);
+
++ rtnl_lock();
++ /* If we're already down or resetting, just bail */
++ if (test_bit(__IGB_DOWN, &adapter->state) ||
++ test_bit(__IGB_RESETTING, &adapter->state)) {
++ rtnl_unlock();
++ return;
++ }
++
+ igb_dump(adapter);
+ netdev_err(adapter->netdev, "Reset adapter\n");
+ igb_reinit_locked(adapter);
++ rtnl_unlock();
+ }
+
+ /**
+--
+2.25.1
+
--- /dev/null
+From 351d043ed345f6c048c34ce23da077e9dfbe791c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 10 Jul 2020 10:57:22 +0200
+Subject: net/9p: validate fds in p9_fd_open
+
+From: Christoph Hellwig <hch@lst.de>
+
+[ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ]
+
+p9_fd_open just fgets file descriptors passed in from userspace, but
+doesn't verify that they are valid for read or writing. This gets
+cought down in the VFS when actually attempting a read or write, but
+a new warning added in linux-next upsets syzcaller.
+
+Fix this by just verifying the fds early on.
+
+Link: http://lkml.kernel.org/r/20200710085722.435850-1-hch@lst.de
+Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+[Dominique: amend goto as per Doug Nazar's review]
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/9p/trans_fd.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
+index 2f68ffda3715b..eab058f93ec97 100644
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -793,20 +793,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd)
+ return -ENOMEM;
+
+ ts->rd = fget(rfd);
++ if (!ts->rd)
++ goto out_free_ts;
++ if (!(ts->rd->f_mode & FMODE_READ))
++ goto out_put_rd;
+ ts->wr = fget(wfd);
+- if (!ts->rd || !ts->wr) {
+- if (ts->rd)
+- fput(ts->rd);
+- if (ts->wr)
+- fput(ts->wr);
+- kfree(ts);
+- return -EIO;
+- }
++ if (!ts->wr)
++ goto out_put_rd;
++ if (!(ts->wr->f_mode & FMODE_WRITE))
++ goto out_put_wr;
+
+ client->trans = ts;
+ client->status = Connected;
+
+ return 0;
++
++out_put_wr:
++ fput(ts->wr);
++out_put_rd:
++ fput(ts->rd);
++out_free_ts:
++ kfree(ts);
++ return -EIO;
+ }
+
+ static int p9_socket_open(struct p9_client *client, struct socket *csocket)
+--
+2.25.1
+
bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
vgacon-fix-for-missing-check-in-scrollback-handling.patch
mtd-properly-check-all-write-ioctls-for-permissions.patch
+net-9p-validate-fds-in-p9_fd_open.patch
+drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch
+cfg80211-check-vendor-command-doit-pointer-before-us.patch
+igb-reinit_locked-should-be-called-with-rtnl_lock.patch
+atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch
+tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch
--- /dev/null
+From a386ad3e9effa8d491fe8580734589f4a52613a0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 30 Jul 2020 11:02:36 -0400
+Subject: tools lib traceevent: Fix memory leak in process_dynamic_array_len
+
+From: Philippe Duplessis-Guindon <pduplessis@efficios.com>
+
+[ Upstream commit e24c6447ccb7b1a01f9bf0aec94939e6450c0b4d ]
+
+I compiled with AddressSanitizer and I had these memory leaks while I
+was using the tep_parse_format function:
+
+ Direct leak of 28 byte(s) in 4 object(s) allocated from:
+ #0 0x7fb07db49ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
+ #1 0x7fb07a724228 in extend_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:985
+ #2 0x7fb07a724c21 in __read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1140
+ #3 0x7fb07a724f78 in read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1206
+ #4 0x7fb07a725191 in __read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1291
+ #5 0x7fb07a7251df in read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1299
+ #6 0x7fb07a72e6c8 in process_dynamic_array_len /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:2849
+ #7 0x7fb07a7304b8 in process_function /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3161
+ #8 0x7fb07a730900 in process_arg_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3207
+ #9 0x7fb07a727c0b in process_arg /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1786
+ #10 0x7fb07a731080 in event_read_print_args /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3285
+ #11 0x7fb07a731722 in event_read_print /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3369
+ #12 0x7fb07a740054 in __tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6335
+ #13 0x7fb07a74047a in __parse_event /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6389
+ #14 0x7fb07a740536 in tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6431
+ #15 0x7fb07a785acf in parse_event ../../../src/fs-src/fs.c:251
+ #16 0x7fb07a785ccd in parse_systems ../../../src/fs-src/fs.c:284
+ #17 0x7fb07a786fb3 in read_metadata ../../../src/fs-src/fs.c:593
+ #18 0x7fb07a78760e in ftrace_fs_source_init ../../../src/fs-src/fs.c:727
+ #19 0x7fb07d90c19c in add_component_with_init_method_data ../../../../src/lib/graph/graph.c:1048
+ #20 0x7fb07d90c87b in add_source_component_with_initialize_method_data ../../../../src/lib/graph/graph.c:1127
+ #21 0x7fb07d90c92a in bt_graph_add_source_component ../../../../src/lib/graph/graph.c:1152
+ #22 0x55db11aa632e in cmd_run_ctx_create_components_from_config_components ../../../src/cli/babeltrace2.c:2252
+ #23 0x55db11aa6fda in cmd_run_ctx_create_components ../../../src/cli/babeltrace2.c:2347
+ #24 0x55db11aa780c in cmd_run ../../../src/cli/babeltrace2.c:2461
+ #25 0x55db11aa8a7d in main ../../../src/cli/babeltrace2.c:2673
+ #26 0x7fb07d5460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
+
+The token variable in the process_dynamic_array_len function is
+allocated in the read_expect_type function, but is not freed before
+calling the read_token function.
+
+Free the token variable before calling read_token in order to plug the
+leak.
+
+Signed-off-by: Philippe Duplessis-Guindon <pduplessis@efficios.com>
+Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Link: https://lore.kernel.org/linux-trace-devel/20200730150236.5392-1-pduplessis@efficios.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/lib/traceevent/event-parse.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c
+index 9954b069b3ca2..86455408c7e12 100644
+--- a/tools/lib/traceevent/event-parse.c
++++ b/tools/lib/traceevent/event-parse.c
+@@ -2752,6 +2752,7 @@ process_dynamic_array_len(struct event_format *event, struct print_arg *arg,
+ if (read_expected(EVENT_DELIM, ")") < 0)
+ goto out_err;
+
++ free_token(token);
+ type = read_token(&token);
+ *tok = token;
+
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
