From: Greg Kroah-Hartman Date: Tue, 8 Jun 2021 12:30:31 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.4.272~58 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=38f027a4804a2b84a8a41dae929ddbf913baf6c0;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-timer-fix-master-timer-notification.patch ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch net-caif-add-proper-error-handling.patch net-caif-added-cfserl_release-function.patch net-caif-fix-memory-leak-in-caif_device_notify.patch net-caif-fix-memory-leak-in-cfusbl_device_notify.patch net-kcm-fix-memory-leak-in-kcm_sendmsg.patch --- diff --git a/queue-4.9/alsa-timer-fix-master-timer-notification.patch b/queue-4.9/alsa-timer-fix-master-timer-notification.patch new file mode 100644 index 00000000000..b22b32afffa --- /dev/null +++ b/queue-4.9/alsa-timer-fix-master-timer-notification.patch @@ -0,0 +1,39 @@ +From 9c1fe96bded935369f8340c2ac2e9e189f697d5d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 2 Jun 2021 13:38:23 +0200 +Subject: ALSA: timer: Fix master timer notification + +From: Takashi Iwai + +commit 9c1fe96bded935369f8340c2ac2e9e189f697d5d upstream. + +snd_timer_notify1() calls the notification to each slave for a master +event, but it passes a wrong event number. It should be +10 offset, +corresponding to SNDRV_TIMER_EVENT_MXXX, but it's incorrectly with ++100 offset. Casually this was spotted by UBSAN check via syzkaller. + +Reported-by: syzbot+d102fa5b35335a7e544e@syzkaller.appspotmail.com +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/000000000000e5560e05c3bd1d63@google.com +Link: https://lore.kernel.org/r/20210602113823.23777-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/timer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -488,9 +488,10 @@ static void snd_timer_notify1(struct snd + return; + if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE) + return; ++ event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */ + list_for_each_entry(ts, &ti->slave_active_head, active_list) + if (ts->ccallback) +- ts->ccallback(ts, event + 100, &tstamp, resolution); ++ ts->ccallback(ts, event, &tstamp, resolution); + } + + /* start/continue a master timer */ diff --git a/queue-4.9/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch b/queue-4.9/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch new file mode 100644 index 00000000000..42df2ff49f2 --- /dev/null +++ b/queue-4.9/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch @@ -0,0 +1,112 @@ +From 082cd4ec240b8734a82a89ffb890216ac98fec68 Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Thu, 6 May 2021 22:10:42 +0800 +Subject: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed + +From: Ye Bin + +commit 082cd4ec240b8734a82a89ffb890216ac98fec68 upstream. + +We got follow bug_on when run fsstress with injecting IO fault: +[130747.323114] kernel BUG at fs/ext4/extents_status.c:762! +[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP +...... +[130747.334329] Call trace: +[130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4] +[130747.334975] ext4_cache_extents+0x64/0xe8 [ext4] +[130747.335368] ext4_find_extent+0x300/0x330 [ext4] +[130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4] +[130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4] +[130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4] +[130747.336995] ext4_readpage+0x54/0x100 [ext4] +[130747.337359] generic_file_buffered_read+0x410/0xae8 +[130747.337767] generic_file_read_iter+0x114/0x190 +[130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4] +[130747.338556] __vfs_read+0x11c/0x188 +[130747.338851] vfs_read+0x94/0x150 +[130747.339110] ksys_read+0x74/0xf0 + +This patch's modification is according to Jan Kara's suggestion in: +https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/ +"I see. Now I understand your patch. Honestly, seeing how fragile is trying +to fix extent tree after split has failed in the middle, I would probably +go even further and make sure we fix the tree properly in case of ENOSPC +and EDQUOT (those are easily user triggerable). Anything else indicates a +HW problem or fs corruption so I'd rather leave the extent tree as is and +don't try to fix it (which also means we will not create overlapping +extents)." + +Cc: stable@kernel.org +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20210506141042.3298679-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 43 +++++++++++++++++++++++-------------------- + 1 file changed, 23 insertions(+), 20 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3274,7 +3274,10 @@ static int ext4_split_extent_at(handle_t + ext4_ext_mark_unwritten(ex2); + + err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags); +- if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) { ++ if (err != -ENOSPC && err != -EDQUOT) ++ goto out; ++ ++ if (EXT4_EXT_MAY_ZEROOUT & split_flag) { + if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { + if (split_flag & EXT4_EXT_DATA_VALID1) { + err = ext4_ext_zeroout(inode, ex2); +@@ -3300,30 +3303,30 @@ static int ext4_split_extent_at(handle_t + ext4_ext_pblock(&orig_ex)); + } + +- if (err) +- goto fix_extent_len; +- /* update the extent length and mark as initialized */ +- ex->ee_len = cpu_to_le16(ee_len); +- ext4_ext_try_to_merge(handle, inode, path, ex); +- err = ext4_ext_dirty(handle, inode, path + path->p_depth); +- if (err) +- goto fix_extent_len; +- +- /* update extent status tree */ +- err = ext4_zeroout_es(inode, &zero_ex); +- +- goto out; +- } else if (err) +- goto fix_extent_len; +- +-out: +- ext4_ext_show_leaf(inode, path); +- return err; ++ if (!err) { ++ /* update the extent length and mark as initialized */ ++ ex->ee_len = cpu_to_le16(ee_len); ++ ext4_ext_try_to_merge(handle, inode, path, ex); ++ err = ext4_ext_dirty(handle, inode, path + path->p_depth); ++ if (!err) ++ /* update extent status tree */ ++ err = ext4_zeroout_es(inode, &zero_ex); ++ /* If we failed at this point, we don't know in which ++ * state the extent tree exactly is so don't try to fix ++ * length of the original extent as it may do even more ++ * damage. ++ */ ++ goto out; ++ } ++ } + + fix_extent_len: + ex->ee_len = orig_ex.ee_len; + ext4_ext_dirty(handle, inode, path + path->p_depth); + return err; ++out: ++ ext4_ext_show_leaf(inode, path); ++ return err; + } + + /* diff --git a/queue-4.9/net-caif-add-proper-error-handling.patch b/queue-4.9/net-caif-add-proper-error-handling.patch new file mode 100644 index 00000000000..208ad6b795d --- /dev/null +++ b/queue-4.9/net-caif-add-proper-error-handling.patch @@ -0,0 +1,152 @@ +From a2805dca5107d5603f4bbc027e81e20d93476e96 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 3 Jun 2021 19:38:51 +0300 +Subject: net: caif: add proper error handling + +From: Pavel Skripkin + +commit a2805dca5107d5603f4bbc027e81e20d93476e96 upstream. + +caif_enroll_dev() can fail in some cases. Ingnoring +these cases can lead to memory leak due to not assigning +link_support pointer to anywhere. + +Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll") +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/caif/caif_dev.h | 2 +- + include/net/caif/cfcnfg.h | 2 +- + net/caif/caif_dev.c | 8 +++++--- + net/caif/cfcnfg.c | 16 +++++++++++----- + 4 files changed, 18 insertions(+), 10 deletions(-) + +--- a/include/net/caif/caif_dev.h ++++ b/include/net/caif/caif_dev.h +@@ -119,7 +119,7 @@ void caif_free_client(struct cflayer *ad + * The link_support layer is used to add any Link Layer specific + * framing. + */ +-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, ++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, + struct cflayer *link_support, int head_room, + struct cflayer **layer, int (**rcv_func)( + struct sk_buff *, struct net_device *, +--- a/include/net/caif/cfcnfg.h ++++ b/include/net/caif/cfcnfg.h +@@ -62,7 +62,7 @@ void cfcnfg_remove(struct cfcnfg *cfg); + * @fcs: Specify if checksum is used in CAIF Framing Layer. + * @head_room: Head space needed by link specific protocol. + */ +-void ++int + cfcnfg_add_phy_layer(struct cfcnfg *cnfg, + struct net_device *dev, struct cflayer *phy_layer, + enum cfcnfg_phy_preference pref, +--- a/net/caif/caif_dev.c ++++ b/net/caif/caif_dev.c +@@ -303,7 +303,7 @@ static void dev_flowctrl(struct net_devi + caifd_put(caifd); + } + +-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, ++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, + struct cflayer *link_support, int head_room, + struct cflayer **layer, + int (**rcv_func)(struct sk_buff *, struct net_device *, +@@ -314,11 +314,12 @@ void caif_enroll_dev(struct net_device * + enum cfcnfg_phy_preference pref; + struct cfcnfg *cfg = get_cfcnfg(dev_net(dev)); + struct caif_device_entry_list *caifdevs; ++ int res; + + caifdevs = caif_device_list(dev_net(dev)); + caifd = caif_device_alloc(dev); + if (!caifd) +- return; ++ return -ENOMEM; + *layer = &caifd->layer; + spin_lock_init(&caifd->flow_lock); + +@@ -340,7 +341,7 @@ void caif_enroll_dev(struct net_device * + sizeof(caifd->layer.name) - 1); + caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0; + caifd->layer.transmit = transmit; +- cfcnfg_add_phy_layer(cfg, ++ res = cfcnfg_add_phy_layer(cfg, + dev, + &caifd->layer, + pref, +@@ -350,6 +351,7 @@ void caif_enroll_dev(struct net_device * + mutex_unlock(&caifdevs->lock); + if (rcv_func) + *rcv_func = receive; ++ return res; + } + EXPORT_SYMBOL(caif_enroll_dev); + +--- a/net/caif/cfcnfg.c ++++ b/net/caif/cfcnfg.c +@@ -455,7 +455,7 @@ unlock: + rcu_read_unlock(); + } + +-void ++int + cfcnfg_add_phy_layer(struct cfcnfg *cnfg, + struct net_device *dev, struct cflayer *phy_layer, + enum cfcnfg_phy_preference pref, +@@ -464,7 +464,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg + { + struct cflayer *frml; + struct cfcnfg_phyinfo *phyinfo = NULL; +- int i; ++ int i, res = 0; + u8 phyid; + + mutex_lock(&cnfg->lock); +@@ -478,12 +478,15 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg + goto got_phyid; + } + pr_warn("Too many CAIF Link Layers (max 6)\n"); ++ res = -EEXIST; + goto out; + + got_phyid: + phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC); +- if (!phyinfo) ++ if (!phyinfo) { ++ res = -ENOMEM; + goto out_err; ++ } + + phy_layer->id = phyid; + phyinfo->pref = pref; +@@ -497,8 +500,10 @@ got_phyid: + + frml = cffrml_create(phyid, fcs); + +- if (!frml) ++ if (!frml) { ++ res = -ENOMEM; + goto out_err; ++ } + phyinfo->frm_layer = frml; + layer_set_up(frml, cnfg->mux); + +@@ -516,11 +521,12 @@ got_phyid: + list_add_rcu(&phyinfo->node, &cnfg->phys); + out: + mutex_unlock(&cnfg->lock); +- return; ++ return res; + + out_err: + kfree(phyinfo); + mutex_unlock(&cnfg->lock); ++ return res; + } + EXPORT_SYMBOL(cfcnfg_add_phy_layer); + diff --git a/queue-4.9/net-caif-added-cfserl_release-function.patch b/queue-4.9/net-caif-added-cfserl_release-function.patch new file mode 100644 index 00000000000..113cf4ec852 --- /dev/null +++ b/queue-4.9/net-caif-added-cfserl_release-function.patch @@ -0,0 +1,42 @@ +From bce130e7f392ddde8cfcb09927808ebd5f9c8669 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 3 Jun 2021 19:38:12 +0300 +Subject: net: caif: added cfserl_release function + +From: Pavel Skripkin + +commit bce130e7f392ddde8cfcb09927808ebd5f9c8669 upstream. + +Added cfserl_release() function. + +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/caif/cfserl.h | 1 + + net/caif/cfserl.c | 5 +++++ + 2 files changed, 6 insertions(+) + +--- a/include/net/caif/cfserl.h ++++ b/include/net/caif/cfserl.h +@@ -9,4 +9,5 @@ + #include + + struct cflayer *cfserl_create(int instance, bool use_stx); ++void cfserl_release(struct cflayer *layer); + #endif +--- a/net/caif/cfserl.c ++++ b/net/caif/cfserl.c +@@ -31,6 +31,11 @@ static int cfserl_transmit(struct cflaye + static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl, + int phyid); + ++void cfserl_release(struct cflayer *layer) ++{ ++ kfree(layer); ++} ++ + struct cflayer *cfserl_create(int instance, bool use_stx) + { + struct cfserl *this = kzalloc(sizeof(struct cfserl), GFP_ATOMIC); diff --git a/queue-4.9/net-caif-fix-memory-leak-in-caif_device_notify.patch b/queue-4.9/net-caif-fix-memory-leak-in-caif_device_notify.patch new file mode 100644 index 00000000000..9f1893ceaec --- /dev/null +++ b/queue-4.9/net-caif-fix-memory-leak-in-caif_device_notify.patch @@ -0,0 +1,46 @@ +From b53558a950a89824938e9811eddfc8efcd94e1bb Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 3 Jun 2021 19:39:11 +0300 +Subject: net: caif: fix memory leak in caif_device_notify + +From: Pavel Skripkin + +commit b53558a950a89824938e9811eddfc8efcd94e1bb upstream. + +In case of caif_enroll_dev() fail, allocated +link_support won't be assigned to the corresponding +structure. So simply free allocated pointer in case +of error + +Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll") +Cc: stable@vger.kernel.org +Reported-and-tested-by: syzbot+7ec324747ce876a29db6@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_dev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/caif/caif_dev.c ++++ b/net/caif/caif_dev.c +@@ -366,6 +366,7 @@ static int caif_device_notify(struct not + struct cflayer *layer, *link_support; + int head_room = 0; + struct caif_device_entry_list *caifdevs; ++ int res; + + cfg = get_cfcnfg(dev_net(dev)); + caifdevs = caif_device_list(dev_net(dev)); +@@ -391,8 +392,10 @@ static int caif_device_notify(struct not + break; + } + } +- caif_enroll_dev(dev, caifdev, link_support, head_room, ++ res = caif_enroll_dev(dev, caifdev, link_support, head_room, + &layer, NULL); ++ if (res) ++ cfserl_release(link_support); + caifdev->flowctrl = dev_flowctrl; + break; + diff --git a/queue-4.9/net-caif-fix-memory-leak-in-cfusbl_device_notify.patch b/queue-4.9/net-caif-fix-memory-leak-in-cfusbl_device_notify.patch new file mode 100644 index 00000000000..bc903f95be8 --- /dev/null +++ b/queue-4.9/net-caif-fix-memory-leak-in-cfusbl_device_notify.patch @@ -0,0 +1,68 @@ +From 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 3 Jun 2021 19:39:35 +0300 +Subject: net: caif: fix memory leak in cfusbl_device_notify + +From: Pavel Skripkin + +commit 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb upstream. + +In case of caif_enroll_dev() fail, allocated +link_support won't be assigned to the corresponding +structure. So simply free allocated pointer in case +of error. + +Fixes: 7ad65bf68d70 ("caif: Add support for CAIF over CDC NCM USB interface") +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_usb.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/net/caif/caif_usb.c ++++ b/net/caif/caif_usb.c +@@ -116,6 +116,11 @@ static struct cflayer *cfusbl_create(int + return (struct cflayer *) this; + } + ++static void cfusbl_release(struct cflayer *layer) ++{ ++ kfree(layer); ++} ++ + static struct packet_type caif_usb_type __read_mostly = { + .type = cpu_to_be16(ETH_P_802_EX1), + }; +@@ -128,6 +133,7 @@ static int cfusbl_device_notify(struct n + struct cflayer *layer, *link_support; + struct usbnet *usbnet; + struct usb_device *usbdev; ++ int res; + + /* Check whether we have a NCM device, and find its VID/PID. */ + if (!(dev->dev.parent && dev->dev.parent->driver && +@@ -170,8 +176,11 @@ static int cfusbl_device_notify(struct n + if (dev->num_tx_queues > 1) + pr_warn("USB device uses more than one tx queue\n"); + +- caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN, ++ res = caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN, + &layer, &caif_usb_type.func); ++ if (res) ++ goto err; ++ + if (!pack_added) + dev_add_pack(&caif_usb_type); + pack_added = true; +@@ -181,6 +190,9 @@ static int cfusbl_device_notify(struct n + layer->name[sizeof(layer->name) - 1] = 0; + + return 0; ++err: ++ cfusbl_release(link_support); ++ return res; + } + + static struct notifier_block caif_device_notifier = { diff --git a/queue-4.9/net-kcm-fix-memory-leak-in-kcm_sendmsg.patch b/queue-4.9/net-kcm-fix-memory-leak-in-kcm_sendmsg.patch new file mode 100644 index 00000000000..889d7113d5e --- /dev/null +++ b/queue-4.9/net-kcm-fix-memory-leak-in-kcm_sendmsg.patch @@ -0,0 +1,52 @@ +From c47cc304990a2813995b1a92bbc11d0bb9a19ea9 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Wed, 2 Jun 2021 22:26:40 +0300 +Subject: net: kcm: fix memory leak in kcm_sendmsg + +From: Pavel Skripkin + +commit c47cc304990a2813995b1a92bbc11d0bb9a19ea9 upstream. + +Syzbot reported memory leak in kcm_sendmsg()[1]. +The problem was in non-freed frag_list in case of error. + +In the while loop: + + if (head == skb) + skb_shinfo(head)->frag_list = tskb; + else + skb->next = tskb; + +frag_list filled with skbs, but nothing was freeing them. + +backtrace: + [<0000000094c02615>] __alloc_skb+0x5e/0x250 net/core/skbuff.c:198 + [<00000000e5386cbd>] alloc_skb include/linux/skbuff.h:1083 [inline] + [<00000000e5386cbd>] kcm_sendmsg+0x3b6/0xa50 net/kcm/kcmsock.c:967 [1] + [<00000000f1613a8a>] sock_sendmsg_nosec net/socket.c:652 [inline] + [<00000000f1613a8a>] sock_sendmsg+0x4c/0x60 net/socket.c:672 + +Reported-and-tested-by: syzbot+b039f5699bd82e1fb011@syzkaller.appspotmail.com +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/kcm/kcmsock.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1065,6 +1065,11 @@ out_error: + goto partial_message; + } + ++ if (skb_has_frag_list(head)) { ++ kfree_skb_list(skb_shinfo(head)->frag_list); ++ skb_shinfo(head)->frag_list = NULL; ++ } ++ + if (head != kcm->seq_skb) + kfree_skb(head); + diff --git a/queue-4.9/series b/queue-4.9/series index 0428320440c..b4d8b365b54 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -12,3 +12,10 @@ ieee802154-fix-error-return-code-in-ieee802154_add_i.patch ieee802154-fix-error-return-code-in-ieee802154_llsec.patch bluetooth-fix-the-erroneous-flush_work-order.patch bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch +net-kcm-fix-memory-leak-in-kcm_sendmsg.patch +net-caif-added-cfserl_release-function.patch +net-caif-add-proper-error-handling.patch +net-caif-fix-memory-leak-in-caif_device_notify.patch +net-caif-fix-memory-leak-in-cfusbl_device_notify.patch +alsa-timer-fix-master-timer-notification.patch +ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch