From: Greg Kroah-Hartman Date: Sun, 9 Feb 2020 21:03:34 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.19.103~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1039ae231d3c23afb35b5794780e71055e2a3c48;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch mfd-bd70528-fix-hour-register-mask.patch mfd-da9062-fix-watchdog-compatible-string.patch mfd-rn5t618-mark-adc-control-register-volatile.patch ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch ubifs-fix-memory-leak-from-c-sup_node.patch virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch
---
diff --git a/queue-5.4/asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch b/queue-5.4/asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch
new file mode 100644
index 00000000000..90f5b0bd87d
--- /dev/null
+++ b/queue-5.4/asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch
@@ -0,0 +1,136 @@
+From 15adb20f64c302b31e10ad50f22bb224052ce1df Mon Sep 17 00:00:00 2001
+From: Cezary Rojewski
+Date: Wed, 22 Jan 2020 19:12:54 +0100
+Subject: ASoC: Intel: skl_hda_dsp_common: Fix global-out-of-bounds bug
+
+From: Cezary Rojewski
+
+commit 15adb20f64c302b31e10ad50f22bb224052ce1df upstream.
+
+Definitions for idisp snd_soc_dai_links within skl_hda_dsp_common are
+missing platform component. Add it to address following bug reported by
+KASAN:
+
+[ 10.538502] BUG: KASAN: global-out-of-bounds in skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538509] Write of size 8 at addr ffffffffc0606840 by task systemd-udevd/299
+(...)
+[ 10.538519] Call Trace:
+[ 10.538524] dump_stack+0x62/0x95
+[ 10.538528] print_address_description+0x2f5/0x3b0
+[ 10.538532] ? skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538535] __kasan_report+0x134/0x191
+[ 10.538538] ? skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538542] ? skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538544] kasan_report+0x12/0x20
+[ 10.538546] __asan_store8+0x57/0x90
+[ 10.538550] skl_hda_audio_probe+0x13a/0x2b0 [snd_soc_skl_hda_dsp]
+[ 10.538553] platform_drv_probe+0x51/0xb0
+[ 10.538556] really_probe+0x311/0x600
+[ 10.538559] driver_probe_device+0x87/0x1b0
+[ 10.538562] device_driver_attach+0x8f/0xa0
+[ 10.538565] ? device_driver_attach+0xa0/0xa0
+[ 10.538567] __driver_attach+0x102/0x1a0
+[ 10.538569] ? device_driver_attach+0xa0/0xa0
+[ 10.538572] bus_for_each_dev+0xe8/0x160
+[ 10.538574] ? subsys_dev_iter_exit+0x10/0x10
+[ 10.538577] ? preempt_count_sub+0x18/0xc0
+[ 10.538580] ? _raw_write_unlock+0x1f/0x40
+[ 10.538582] driver_attach+0x2b/0x30
+[ 10.538585] bus_add_driver+0x251/0x340
+[ 10.538588] driver_register+0xd3/0x1c0
+[ 10.538590] __platform_driver_register+0x6c/0x80
+[ 10.538592] ? 0xffffffffc03e8000
+[ 10.538595] skl_hda_audio_init+0x1c/0x1000 [snd_soc_skl_hda_dsp]
+[ 10.538598] do_one_initcall+0xd0/0x36a
+[ 10.538600] ? trace_event_raw_event_initcall_finish+0x160/0x160
+[ 10.538602] ? kasan_unpoison_shadow+0x36/0x50
+[ 10.538605] ? __kasan_kmalloc+0xcc/0xe0
+[ 10.538607] ? kasan_unpoison_shadow+0x36/0x50
+[ 10.538609] ? kasan_poison_shadow+0x2f/0x40
+[ 10.538612] ? __asan_register_globals+0x65/0x80
+[ 10.538615] do_init_module+0xf9/0x36f
+[ 10.538619] load_module+0x398e/0x4590
+[ 10.538625] ? module_frob_arch_sections+0x20/0x20
+[ 10.538628] ? __kasan_check_write+0x14/0x20
+[ 10.538630] ? kernel_read+0x9a/0xc0
+[ 10.538632] ? __kasan_check_write+0x14/0x20
+[ 10.538634] ? kernel_read_file+0x1d3/0x3c0
+[ 10.538638] ? cap_capable+0xca/0x110
+[ 10.538642] __do_sys_finit_module+0x190/0x1d0
+[ 10.538644] ? __do_sys_finit_module+0x190/0x1d0
+[ 10.538646] ? __x64_sys_init_module+0x50/0x50
+[ 10.538649] ? expand_files+0x380/0x380
+[ 10.538652] ? __kasan_check_write+0x14/0x20
+[ 10.538654] ? fput_many+0x20/0xc0
+[ 10.538658] __x64_sys_finit_module+0x43/0x50
+[ 10.538660] do_syscall_64+0xce/0x700
+[ 10.538662] ? syscall_return_slowpath+0x230/0x230
+[ 10.538665] ? __do_page_fault+0x51e/0x640
+[ 10.538668] ? __kasan_check_read+0x11/0x20
+[ 10.538670] ? prepare_exit_to_usermode+0xc7/0x200
+[ 10.538673] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: a78959f407e6 ("ASoC: Intel: skl_hda_dsp_common: use modern dai_link style")
+Signed-off-by: Cezary Rojewski
+Reviewed-by: Kai Vehmanen
+Link: https://lore.kernel.org/r/20200122181254.22801-1-cezary.rojewski@intel.com
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/intel/boards/skl_hda_dsp_common.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/sound/soc/intel/boards/skl_hda_dsp_common.c
++++ b/sound/soc/intel/boards/skl_hda_dsp_common.c
+@@ -38,16 +38,19 @@ int skl_hda_hdmi_add_pcm(struct snd_soc_
+ return 0;
+ }
+
+-SND_SOC_DAILINK_DEFS(idisp1,
+- DAILINK_COMP_ARRAY(COMP_CPU("iDisp1 Pin")),
++SND_SOC_DAILINK_DEF(idisp1_cpu,
++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp1 Pin")));
++SND_SOC_DAILINK_DEF(idisp1_codec,
+ DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi1")));
+
+-SND_SOC_DAILINK_DEFS(idisp2,
+- DAILINK_COMP_ARRAY(COMP_CPU("iDisp2 Pin")),
++SND_SOC_DAILINK_DEF(idisp2_cpu,
++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp2 Pin")));
++SND_SOC_DAILINK_DEF(idisp2_codec,
+ DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi2")));
+
+-SND_SOC_DAILINK_DEFS(idisp3,
+- DAILINK_COMP_ARRAY(COMP_CPU("iDisp3 Pin")),
++SND_SOC_DAILINK_DEF(idisp3_cpu,
++ DAILINK_COMP_ARRAY(COMP_CPU("iDisp3 Pin")));
++SND_SOC_DAILINK_DEF(idisp3_codec,
+ DAILINK_COMP_ARRAY(COMP_CODEC("ehdaudio0D2", "intel-hdmi-hifi3")));
+
+ SND_SOC_DAILINK_DEF(analog_cpu,
+@@ -80,21 +83,21 @@ struct snd_soc_dai_link skl_hda_be_dai_l
+ .id = 1,
+ .dpcm_playback = 1,
+ .no_pcm = 1,
+- SND_SOC_DAILINK_REG(idisp1),
++ SND_SOC_DAILINK_REG(idisp1_cpu, idisp1_codec, platform),
+ },
+ {
+ .name = "iDisp2",
+ .id = 2,
+ .dpcm_playback = 1,
+ .no_pcm = 1,
+- SND_SOC_DAILINK_REG(idisp2),
++ SND_SOC_DAILINK_REG(idisp2_cpu, idisp2_codec, platform),
+ },
+ {
+ .name = "iDisp3",
+ .id = 3,
+ .dpcm_playback = 1,
+ .no_pcm = 1,
+- SND_SOC_DAILINK_REG(idisp3),
++ SND_SOC_DAILINK_REG(idisp3_cpu, idisp3_codec, platform),
+ },
+ {
+ .name = "Analog Playback and Capture",
diff --git a/queue-5.4/asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch b/queue-5.4/asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch
new file mode 100644
index 00000000000..69e8c6636cc
--- /dev/null
+++ b/queue-5.4/asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch
@@ -0,0 +1,43 @@
+From e19ecbf105b236a6334fab64d8fd5437b12ee019 Mon Sep 17 00:00:00 2001
+From: Marek Vasut
+Date: Fri, 20 Dec 2019 17:44:50 +0100
+Subject: ASoC: sgtl5000: Fix VDDA and VDDIO comparison
+
+From: Marek Vasut
+
+commit e19ecbf105b236a6334fab64d8fd5437b12ee019 upstream.
+
+Comparing the voltage of VDDA and VDDIO to determine whether or not to
+enable VDDC manual override is insufficient. This is a problem in case
+the VDDA is supplied from different regulator than VDDIO, while both
+report the same voltage to the regulator framework. In that case where
+VDDA and VDDIO is supplied by different regulators, the VDDC manual
+override must not be applied.
+
+Fixes: b6319b061ba2 ("ASoC: sgtl5000: Fix charge pump source assignment")
+Signed-off-by: Marek Vasut
+Cc: Fabio Estevam
+Cc: Igor Opaniuk
+Cc: Marcel Ziswiler
+Cc: Mark Brown
+Cc: Oleksandr Suvorov
+Link: https://lore.kernel.org/r/20191220164450.1395038-2-marex@denx.de
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/sgtl5000.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/soc/codecs/sgtl5000.c
++++ b/sound/soc/codecs/sgtl5000.c
+@@ -1344,7 +1344,8 @@ static int sgtl5000_set_power_regs(struc
+ * if vddio == vdda the source of charge pump should be
+ * assigned manually to VDDIO
+ */
+- if (vddio == vdda) {
++ if (regulator_is_equal(sgtl5000->supplies[VDDA].consumer,
++ sgtl5000->supplies[VDDIO].consumer)) {
+ lreg_ctrl |= SGTL5000_VDDC_ASSN_OVRD;
+ lreg_ctrl |= SGTL5000_VDDC_MAN_ASSN_VDDIO <<
+ SGTL5000_VDDC_MAN_ASSN_SHIFT;
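Review bot: The three iDisp entries now pass a shared `platform` component in `SND_SOC_DAILINK_REG(idispN_cpu, idispN_codec, platform)`, but nothing in the file records why every entry of the link table must carry one, and that omission is what led to the KASAN global-out-of-bounds write in `skl_hda_audio_probe()` quoted in the commit message. I would add a comment above the table, for example `/* every link needs a platform component: skl_hda_audio_probe() writes to it for each entry */`. The probe function and the definition of `platform` are outside these hunks, so this is inferred from the trace; if the probe does store into each link's platform slot, a check of `num_platforms` before the store would make a link added later without one fail cleanly instead of writing past a global.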
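Review bot: The comment kept as context directly above the new condition still reads `if vddio == vdda the source of charge pump should be assigned manually to VDDIO`, which describes the voltage comparison this patch removes. It should be reworded to match the `regulator_is_equal()` test, for example `* if VDDA and VDDIO are fed by the same regulator, the charge pump source should be assigned manually to VDDIO`. sgtl5000_set_power_regs() starts and ends outside the hunk, so whether the `vddio` and `vdda` locals are still needed for other checks cannot be seen from here.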
diff --git a/queue-5.4/mfd-bd70528-fix-hour-register-mask.patch b/queue-5.4/mfd-bd70528-fix-hour-register-mask.patch
new file mode 100644
index 00000000000..7f75ff3e63e
--- /dev/null
+++ b/queue-5.4/mfd-bd70528-fix-hour-register-mask.patch
@@ -0,0 +1,35 @@
+From 6c883472e1c11cb05561b6dd0c28bb037c2bf2de Mon Sep 17 00:00:00 2001
+From: Matti Vaittinen
+Date: Mon, 20 Jan 2020 15:45:11 +0200
+Subject: mfd: bd70528: Fix hour register mask
+
+From: Matti Vaittinen
+
+commit 6c883472e1c11cb05561b6dd0c28bb037c2bf2de upstream.
+
+When RTC is used in 24H mode (and it is by this driver) the maximum
+hour value is 24 in BCD. This occupies bits [5:0] - which means
+correct mask for HOUR register is 0x3f not 0x1f. Fix the mask
+
+Fixes: 32a4a4ebf768 ("rtc: bd70528: Initial support for ROHM bd70528 RTC")
+
+Signed-off-by: Matti Vaittinen
+Acked-by: Alexandre Belloni
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/mfd/rohm-bd70528.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/mfd/rohm-bd70528.h
++++ b/include/linux/mfd/rohm-bd70528.h
+@@ -317,7 +317,7 @@ enum {
+ #define BD70528_MASK_RTC_MINUTE 0x7f
+ #define BD70528_MASK_RTC_HOUR_24H 0x80
+ #define BD70528_MASK_RTC_HOUR_PM 0x20
+-#define BD70528_MASK_RTC_HOUR 0x1f
++#define BD70528_MASK_RTC_HOUR 0x3f
+ #define BD70528_MASK_RTC_DAY 0x3f
+ #define BD70528_MASK_RTC_WEEK 0x07
+ #define BD70528_MASK_RTC_MONTH 0x1f
diff --git a/queue-5.4/mfd-da9062-fix-watchdog-compatible-string.patch b/queue-5.4/mfd-da9062-fix-watchdog-compatible-string.patch
new file mode 100644
index 00000000000..58dab93920b
--- /dev/null
+++ b/queue-5.4/mfd-da9062-fix-watchdog-compatible-string.patch
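Review bot: With the new value, `BD70528_MASK_RTC_HOUR 0x3f` overlaps `BD70528_MASK_RTC_HOUR_PM 0x20` defined one line above it, so the hour mask is only right while the RTC runs in 24H mode, which the commit message says is how this driver uses it. A comment on the define would keep a later 12H user from reading the PM flag as part of the hour value, e.g. `/* 24H mode only: overlaps BD70528_MASK_RTC_HOUR_PM (0x20) used in 12H mode */`. The 12H meaning of bit 5 is taken from the macro name and should be confirmed against the data sheet.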
@@ -0,0 +1,35 @@
+From 1112ba02ff1190ca9c15a912f9269e54b46d2d82 Mon Sep 17 00:00:00 2001
+From: Marco Felsch
+Date: Wed, 8 Jan 2020 10:57:02 +0100
+Subject: mfd: da9062: Fix watchdog compatible string
+
+From: Marco Felsch
+
+commit 1112ba02ff1190ca9c15a912f9269e54b46d2d82 upstream.
+
+The watchdog driver compatible is "dlg,da9062-watchdog" and not
+"dlg,da9062-wdt". Therefore the mfd-core can't populate the of_node and
+fwnode. As result the watchdog driver can't parse the devicetree.
+
+Fixes: 9b40b030c4ad ("mfd: da9062: Supply core driver")
+Signed-off-by: Marco Felsch
+Acked-by: Guenter Roeck
+Reviewed-by: Adam Thomson
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mfd/da9062-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mfd/da9062-core.c
++++ b/drivers/mfd/da9062-core.c
+@@ -248,7 +248,7 @@ static const struct mfd_cell da9062_devs
+ .name = "da9062-watchdog",
+ .num_resources = ARRAY_SIZE(da9062_wdt_resources),
+ .resources = da9062_wdt_resources,
+- .of_compatible = "dlg,da9062-wdt",
++ .of_compatible = "dlg,da9062-watchdog",
+ },
+ {
+ .name = "da9062-thermal",
diff --git a/queue-5.4/mfd-rn5t618-mark-adc-control-register-volatile.patch b/queue-5.4/mfd-rn5t618-mark-adc-control-register-volatile.patch
new file mode 100644
index 00000000000..feada6ef12d
--- /dev/null
+++ b/queue-5.4/mfd-rn5t618-mark-adc-control-register-volatile.patch
@@ -0,0 +1,30 @@
+From 2f3dc25c0118de03a00ddc88b61f7216854f534d Mon Sep 17 00:00:00 2001
+From: Andreas Kemnade
+Date: Fri, 17 Jan 2020 22:59:22 +0100
+Subject: mfd: rn5t618: Mark ADC control register volatile
+
+From: Andreas Kemnade
+
+commit 2f3dc25c0118de03a00ddc88b61f7216854f534d upstream.
+
+There is a bit which gets cleared after conversion.
+
+Fixes: 9bb9e29c78f8 ("mfd: Add Ricoh RN5T618 PMIC core driver")
+Signed-off-by: Andreas Kemnade
+Signed-off-by: Lee Jones
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mfd/rn5t618.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/rn5t618.c
++++ b/drivers/mfd/rn5t618.c
+@@ -26,6 +26,7 @@ static bool rn5t618_volatile_reg(struct
+ case RN5T618_WATCHDOGCNT:
+ case RN5T618_DCIRQ:
+ case RN5T618_ILIMDATAH ... RN5T618_AIN0DATAL:
++ case RN5T618_ADCCNT3:
+ case RN5T618_IR_ADC1 ... RN5T618_IR_ADC3:
+ case RN5T618_IR_GPR:
+ case RN5T618_IR_GPF:
diff --git a/queue-5.4/series b/queue-5.4/series
index cd7c5be1832..d09615e8783 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -253,3 +253,13 @@ ib-core-fix-odp-get-user-pages-flow.patch
 nfsd-fix-delay-timer-on-32-bit-architectures.patch
 nfsd-fix-jiffies-time_t-mixup-in-lru-list.patch
 nfsd-return-the-correct-number-of-bytes-written-to-the-file.patch
+virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch
+virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch
+ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch
+ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch
+ubifs-fix-memory-leak-from-c-sup_node.patch
+asoc-sgtl5000-fix-vdda-and-vddio-comparison.patch
+asoc-intel-skl_hda_dsp_common-fix-global-out-of-bounds-bug.patch
+mfd-da9062-fix-watchdog-compatible-string.patch
+mfd-rn5t618-mark-adc-control-register-volatile.patch
+mfd-bd70528-fix-hour-register-mask.patch
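Review bot: The added `case RN5T618_ADCCNT3:` carries no comment explaining why a control register is listed among the volatile ones; the reason exists only in the commit message ("There is a bit which gets cleared after conversion"). I would record it next to the case, e.g. `/* ADCCNT3: the hardware clears a bit here once a conversion completes */`, so the entry is not later removed as a mistake. rn5t618_volatile_reg() begins and ends outside the hunk.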
diff --git a/queue-5.4/ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch b/queue-5.4/ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch
new file mode 100644
index 00000000000..6228462ed5b
--- /dev/null
+++ b/queue-5.4/ubi-fastmap-fix-inverted-logic-in-seen-selfcheck.patch
@@ -0,0 +1,34 @@
+From ef5aafb6e4e9942a28cd300bdcda21ce6cbaf045 Mon Sep 17 00:00:00 2001
+From: Sascha Hauer
+Date: Wed, 23 Oct 2019 11:58:12 +0200
+Subject: ubi: fastmap: Fix inverted logic in seen selfcheck
+
+From: Sascha Hauer
+
+commit ef5aafb6e4e9942a28cd300bdcda21ce6cbaf045 upstream.
+
+set_seen() sets the bit corresponding to the PEB number in the bitmap,
+so when self_check_seen() wants to find PEBs that haven't been seen we
+have to print the PEBs that have their bit cleared, not the ones which
+have it set.
+
+Fixes: 5d71afb00840 ("ubi: Use bitmaps in Fastmap self-check code")
+Signed-off-by: Sascha Hauer
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/ubi/fastmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mtd/ubi/fastmap.c
++++ b/drivers/mtd/ubi/fastmap.c
+@@ -64,7 +64,7 @@ static int self_check_seen(struct ubi_de
+ return 0;
+
+ for (pnum = 0; pnum < ubi->peb_count; pnum++) {
+- if (test_bit(pnum, seen) && ubi->lookuptbl[pnum]) {
++ if (!test_bit(pnum, seen) && ubi->lookuptbl[pnum]) {
+ ubi_err(ubi, "self-check failed for PEB %d, fastmap didn't see it", pnum);
+ ret = -EINVAL;
+ }
diff --git a/queue-5.4/ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch b/queue-5.4/ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch
new file mode 100644
index 00000000000..ebdde2c2747
--- /dev/null
+++ b/queue-5.4/ubi-fix-an-error-pointer-dereference-in-error-handling-code.patch
@@ -0,0 +1,97 @@
+From 5d3805af279c93ef49a64701f35254676d709622 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Mon, 13 Jan 2020 16:23:46 +0300
+Subject: ubi: Fix an error pointer dereference in error handling code
+
+From: Dan Carpenter
+
+commit 5d3805af279c93ef49a64701f35254676d709622 upstream.
+
+If "seen_pebs = init_seen(ubi);" fails then "seen_pebs" is an error pointer
+and we try to kfree() it which results in an Oops.
+
+This patch re-arranges the error handling so now it only frees things
+which have been allocated successfully.
+
+Fixes: daef3dd1f0ae ("UBI: Fastmap: Add self check to detect absent PEBs")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/ubi/fastmap.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+--- a/drivers/mtd/ubi/fastmap.c
++++ b/drivers/mtd/ubi/fastmap.c
+@@ -1137,7 +1137,7 @@ static int ubi_write_fastmap(struct ubi_
+ struct rb_node *tmp_rb;
+ int ret, i, j, free_peb_count, used_peb_count, vol_count;
+ int scrub_peb_count, erase_peb_count;
+- unsigned long *seen_pebs = NULL;
++ unsigned long *seen_pebs;
+
+ fm_raw = ubi->fm_buf;
+ memset(ubi->fm_buf, 0, ubi->fm_size);
+@@ -1151,7 +1151,7 @@ static int ubi_write_fastmap(struct ubi_
+ dvbuf = new_fm_vbuf(ubi, UBI_FM_DATA_VOLUME_ID);
+ if (!dvbuf) {
+ ret = -ENOMEM;
+- goto out_kfree;
++ goto out_free_avbuf;
+ }
+
+ avhdr = ubi_get_vid_hdr(avbuf);
+@@ -1160,7 +1160,7 @@ static int ubi_write_fastmap(struct ubi_
+ seen_pebs = init_seen(ubi);
+ if (IS_ERR(seen_pebs)) {
+ ret = PTR_ERR(seen_pebs);
+- goto out_kfree;
++ goto out_free_dvbuf;
+ }
+
+ spin_lock(&ubi->volumes_lock);
+@@ -1328,7 +1328,7 @@ static int ubi_write_fastmap(struct ubi_
+ ret = ubi_io_write_vid_hdr(ubi, new_fm->e[0]->pnum, avbuf);
+ if (ret) {
+ ubi_err(ubi, "unable to write vid_hdr to fastmap SB!");
+- goto out_kfree;
++ goto out_free_seen;
+ }
+
+ for (i = 0; i < new_fm->used_blocks; i++) {
+@@ -1350,7 +1350,7 @@ static int ubi_write_fastmap(struct ubi_
+ if (ret) {
+ ubi_err(ubi, "unable to write vid_hdr to PEB %i!",
+ new_fm->e[i]->pnum);
+- goto out_kfree;
++ goto out_free_seen;
+ }
+ }
+
+@@ -1360,7 +1360,7 @@ static int ubi_write_fastmap(struct ubi_
+ if (ret) {
+ ubi_err(ubi, "unable to write fastmap to PEB %i!",
+ new_fm->e[i]->pnum);
+- goto out_kfree;
++ goto out_free_seen;
+ }
+ }
+
+@@ -1370,10 +1370,13 @@ static int ubi_write_fastmap(struct ubi_
+ ret = self_check_seen(ubi, seen_pebs);
+ dbg_bld("fastmap written!");
+
+-out_kfree:
+- ubi_free_vid_buf(avbuf);
+- ubi_free_vid_buf(dvbuf);
++out_free_seen:
+ free_seen(seen_pebs);
++out_free_dvbuf:
++ ubi_free_vid_buf(dvbuf);
++out_free_avbuf:
++ ubi_free_vid_buf(avbuf);
++
+ out:
+ return ret;
+ }
diff --git a/queue-5.4/ubifs-fix-memory-leak-from-c-sup_node.patch b/queue-5.4/ubifs-fix-memory-leak-from-c-sup_node.patch
new file mode 100644
index 00000000000..6a5a91a638a
--- /dev/null
+++ b/queue-5.4/ubifs-fix-memory-leak-from-c-sup_node.patch
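Review bot: Dropping the initialiser in `unsigned long *seen_pebs;` leaves the label order as the only thing that keeps `free_seen()` from being handed an indeterminate pointer. Well over a hundred lines of ubi_write_fastmap() between `init_seen()` and the first visible `goto out_free_seen` lie outside these hunks; every error exit in that stretch has to target `out_free_seen`, and any exit added before `init_seen()` must not. Keeping `unsigned long *seen_pebs = NULL;` costs nothing and turns a mis-targeted goto into a free of NULL, assuming free_seen() is the kfree() wrapper the commit message implies.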
@@ -0,0 +1,56 @@
+From ff90bdfb206e49c8b418811efbdd0c77380fa8c2 Mon Sep 17 00:00:00 2001
+From: Quanyang Wang
+Date: Tue, 14 Jan 2020 13:43:11 +0800
+Subject: ubifs: Fix memory leak from c->sup_node
+
+From: Quanyang Wang
+
+commit ff90bdfb206e49c8b418811efbdd0c77380fa8c2 upstream.
+
+The c->sup_node is allocated in function ubifs_read_sb_node but
+is not freed. This will cause memory leak as below:
+
+unreferenced object 0xbc9ce000 (size 4096):
+ comm "mount", pid 500, jiffies 4294952946 (age 315.820s)
+ hex dump (first 32 bytes):
+ 31 18 10 06 06 7b f1 11 02 00 00 00 00 00 00 00 1....{..........
+ 00 10 00 00 06 00 00 00 00 00 00 00 08 00 00 00 ................
+ backtrace:
+ [] ubifs_read_superblock+0x48/0xebc
+ [] ubifs_mount+0x974/0x1420
+ [<8589ecc3>] legacy_get_tree+0x2c/0x50
+ [<5f1fb889>] vfs_get_tree+0x28/0xfc
+ [] do_mount+0x4f8/0x748
+ [<4151f538>] ksys_mount+0x78/0xa0
+ [] ret_fast_syscall+0x0/0x54
+ [<1cc40005>] 0x7ea02790
+
+Free it in ubifs_umount and in the error path of mount_ubifs.
+
+Fixes: fd6150051bec ("ubifs: Store read superblock node")
+Signed-off-by: Quanyang Wang
+Signed-off-by: Richard Weinberger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ubifs/super.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/ubifs/super.c
++++ b/fs/ubifs/super.c
+@@ -1599,6 +1599,7 @@ out_free:
+ vfree(c->ileb_buf);
+ vfree(c->sbuf);
+ kfree(c->bottom_up_buf);
++ kfree(c->sup_node);
+ ubifs_debugging_exit(c);
+ return err;
+ }
+@@ -1641,6 +1642,7 @@ static void ubifs_umount(struct ubifs_in
+ vfree(c->ileb_buf);
+ vfree(c->sbuf);
+ kfree(c->bottom_up_buf);
++ kfree(c->sup_node);
+ ubifs_debugging_exit(c);
+ }
+
diff --git a/queue-5.4/virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch b/queue-5.4/virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch
new file mode 100644
index 00000000000..d162e3f8cd1
--- /dev/null
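Review bot: Both added `kfree(c->sup_node);` calls, in the `out_free:` error path and in ubifs_umount(), leave the stale pointer stored in `c`, which is owned by the caller and outlives both functions. Following each call with `c->sup_node = NULL;` would make a second pass through either cleanup path a no-op instead of a double free; whether such a second pass can happen is not visible in these hunks. The neighbouring `vfree(c->ileb_buf)` and `kfree(c->bottom_up_buf)` lines have the same shape, so the same treatment could be applied to the whole group. The function containing `out_free:` begins outside the first hunk.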
+++ b/queue-5.4/virtio-balloon-fix-memory-leak-when-unloading-while-hinting-is-in-progress.patch
@@ -0,0 +1,39 @@
+From 6c22dc61c76b7e7d355f1697ba0ecf26d1334ba6 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Wed, 5 Feb 2020 17:34:00 +0100
+Subject: virtio-balloon: Fix memory leak when unloading while hinting is in progress
+
+From: David Hildenbrand
+
+commit 6c22dc61c76b7e7d355f1697ba0ecf26d1334ba6 upstream.
+
+When unloading the driver while hinting is in progress, we will not
+release the free page blocks back to MM, resulting in a memory leak.
+
+Fixes: 86a559787e6f ("virtio-balloon: VIRTIO_BALLOON_F_FREE_PAGE_HINT")
+Cc: "Michael S. Tsirkin"
+Cc: Jason Wang
+Cc: Wei Wang
+Cc: Liang Li
+Signed-off-by: David Hildenbrand
+Link: https://lore.kernel.org/r/20200205163402.42627-2-david@redhat.com
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_balloon.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -967,6 +967,10 @@ static void remove_common(struct virtio_
+ leak_balloon(vb, vb->num_pages);
+ update_balloon_size(vb);
+
++ /* There might be free pages that are being reported: release them. */
++ if (virtio_has_feature(vb->vdev, VIRTIO_BALLOON_F_FREE_PAGE_HINT))
++ return_free_pages_to_mm(vb, ULONG_MAX);
++
+ /* Now we reset the device so we can clean up the queues. */
+ vb->vdev->config->reset(vb->vdev);
+
diff --git a/queue-5.4/virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch b/queue-5.4/virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch
new file mode 100644
index 00000000000..af928bd5128
--- /dev/null
+++ b/queue-5.4/virtio_balloon-fix-memory-leaks-on-errors-in-virtballoon_probe.patch
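Review bot: `return_free_pages_to_mm(vb, ULONG_MAX)` runs before `vb->vdev->config->reset(vb->vdev)`, so the hinted pages go back to the allocator while the device has not been reset yet, and the added comment does not say why that ordering is safe. I would extend it to state the precondition it relies on, along the lines of `/* Caller must have stopped the free page reporting work; pages still queued for hinting are released here. */`, after confirming that this holds for every caller of remove_common(). The callers and the reporting work are outside the hunk, so both the precondition and the wording are assumptions to check.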
@@ -0,0 +1,66 @@
+From 1ad6f58ea9364b0a5d8ae06249653ac9304a8578 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand
+Date: Wed, 5 Feb 2020 17:34:01 +0100
+Subject: virtio_balloon: Fix memory leaks on errors in virtballoon_probe()
+
+From: David Hildenbrand
+
+commit 1ad6f58ea9364b0a5d8ae06249653ac9304a8578 upstream.
+
+We forget to put the inode and unmount the kernfs used for compaction.
+
+Fixes: 71994620bb25 ("virtio_balloon: replace oom notifier with shrinker")
+Cc: "Michael S. Tsirkin"
+Cc: Jason Wang
+Cc: Wei Wang
+Cc: Liang Li
+Signed-off-by: David Hildenbrand
+Link: https://lore.kernel.org/r/20200205163402.42627-3-david@redhat.com
+Signed-off-by: Michael S. Tsirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_balloon.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -900,8 +900,7 @@ static int virtballoon_probe(struct virt
+ vb->vb_dev_info.inode = alloc_anon_inode(balloon_mnt->mnt_sb);
+ if (IS_ERR(vb->vb_dev_info.inode)) {
+ err = PTR_ERR(vb->vb_dev_info.inode);
+- kern_unmount(balloon_mnt);
+- goto out_del_vqs;
++ goto out_kern_unmount;
+ }
+ vb->vb_dev_info.inode->i_mapping->a_ops = &balloon_aops;
+ #endif
+@@ -912,13 +911,13 @@ static int virtballoon_probe(struct virt
+ */
+ if (virtqueue_get_vring_size(vb->free_page_vq) < 2) {
+ err = -ENOSPC;
+- goto out_del_vqs;
++ goto out_iput;
+ }
+ vb->balloon_wq = alloc_workqueue("balloon-wq",
+ WQ_FREEZABLE | WQ_CPU_INTENSIVE, 0);
+ if (!vb->balloon_wq) {
+ err = -ENOMEM;
+- goto out_del_vqs;
++ goto out_iput;
+ }
+ INIT_WORK(&vb->report_free_page_work, report_free_page_func);
+ vb->cmd_id_received_cache = VIRTIO_BALLOON_CMD_ID_STOP;
+@@ -952,6 +951,12 @@ static int virtballoon_probe(struct virt
+ out_del_balloon_wq:
+ if (virtio_has_feature(vdev, VIRTIO_BALLOON_F_FREE_PAGE_HINT))
+ destroy_workqueue(vb->balloon_wq);
++out_iput:
++#ifdef CONFIG_BALLOON_COMPACTION
++ iput(vb->vb_dev_info.inode);
++out_kern_unmount:
++ kern_unmount(balloon_mnt);
++#endif
+ out_del_vqs:
+ vdev->config->del_vqs(vdev);
+ out_free_vb:
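Review bot: The new `out_kern_unmount:` label sits inside `#ifdef CONFIG_BALLOON_COMPACTION` while `out_iput:` sits just outside it, so the unwind ladder has a different shape in each configuration and a later `goto out_kern_unmount` placed outside the ifdef would build with compaction enabled and fail without it. A short comment at the labels would make that explicit, e.g. `/* out_iput is unconditional; out_kern_unmount exists only with CONFIG_BALLOON_COMPACTION */`. Separately, `balloon_mnt` keeps its old value after `kern_unmount(balloon_mnt)`; if it is a file-scope variable, as its use without `vb->` suggests, clearing it on this path would avoid leaving a stale mount pointer behind after a failed probe. virtballoon_probe() begins and ends outside these hunks.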