From: Sasha Levin Date: Sat, 1 Aug 2020 01:07:03 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.7.13~74 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c338cee66b4e4fe157541e0868ea299c3802d653;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/ath9k-release-allocated-buffer-if-timed-out.patch b/queue-4.19/ath9k-release-allocated-buffer-if-timed-out.patch new file mode 100644 index 00000000000..1aa094f1945 --- /dev/null +++ b/queue-4.19/ath9k-release-allocated-buffer-if-timed-out.patch @@ -0,0 +1,34 @@ +From f6f956a9cb349cebb5f0f669e5928e694ade162d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2019 13:59:30 -0500 +Subject: ath9k: release allocated buffer if timed out + +From: Navid Emamdoost + +[ Upstream commit 728c1e2a05e4b5fc52fab3421dce772a806612a2 ] + +In ath9k_wmi_cmd, the allocated network buffer needs to be released +if timeout happens. Otherwise memory will be leaked. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index e7a3127395be9..066677bb83eb0 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -339,6 +339,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", + wmi_cmd_to_name(cmd_id)); + mutex_unlock(&wmi->op_mutex); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +-- +2.25.1 + diff --git a/queue-4.19/ath9k_htc-release-allocated-buffer-if-timed-out.patch b/queue-4.19/ath9k_htc-release-allocated-buffer-if-timed-out.patch new file mode 100644 index 00000000000..7eaa131f7a0 --- /dev/null +++ b/queue-4.19/ath9k_htc-release-allocated-buffer-if-timed-out.patch 
@@ -0,0 +1,51 @@ +From 46936aff0e5262377eb5e69f1475a5e74e45ac18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Sep 2019 13:26:03 -0500 +Subject: ath9k_htc: release allocated buffer if timed out + +From: Navid Emamdoost + +[ Upstream commit 853acf7caf10b828102d92d05b5c101666a6142b ] + +In htc_config_pipe_credits, htc_setup_complete, and htc_connect_service +if time out happens, the allocated buffer needs to be released. +Otherwise there will be memory leak. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Kalle Valo +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index d2e062eaf5614..f705f0e1cb5be 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -173,6 +173,7 @@ static int htc_config_pipe_credits(struct htc_target *target) + time_left = wait_for_completion_timeout(&target->cmd_wait, HZ); + if (!time_left) { + dev_err(target->dev, "HTC credit config timeout\n"); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +@@ -208,6 +209,7 @@ static int htc_setup_complete(struct htc_target *target) + time_left = wait_for_completion_timeout(&target->cmd_wait, HZ); + if (!time_left) { + dev_err(target->dev, "HTC start timeout\n"); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +@@ -280,6 +282,7 @@ int htc_connect_service(struct htc_target *target, + if (!time_left) { + dev_err(target->dev, "Service connection timeout for: %d\n", + service_connreq->service_id); ++ kfree_skb(skb); + return -ETIMEDOUT; + } + +-- +2.25.1 + diff --git a/queue-4.19/btrfs-fix-selftests-failure-due-to-uninitialized-i_m.patch b/queue-4.19/btrfs-fix-selftests-failure-due-to-uninitialized-i_m.patch new file mode 100644 index 00000000000..f49fc47ab6b --- /dev/null +++ b/queue-4.19/btrfs-fix-selftests-failure-due-to-uninitialized-i_m.patch 
@@ -0,0 +1,88 @@ +From babdf0382ed8dea85804debeaf0756528368a665 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Sep 2019 13:08:52 +0100 +Subject: Btrfs: fix selftests failure due to uninitialized i_mode in test + inodes + +From: Filipe Manana + +[ Upstream commit 9f7fec0ba89108b9385f1b9fb167861224912a4a ] + +Some of the self tests create a test inode, setup some extents and then do +calls to btrfs_get_extent() to test that the corresponding extent maps +exist and are correct. However btrfs_get_extent(), since the 5.2 merge +window, now errors out when it finds a regular or prealloc extent for an +inode that does not correspond to a regular file (its ->i_mode is not +S_IFREG). This causes the self tests to fail sometimes, specially when +KASAN, slub_debug and page poisoning are enabled: + + $ modprobe btrfs + modprobe: ERROR: could not insert 'btrfs': Invalid argument + + $ dmesg + [ 9414.691648] Btrfs loaded, crc32c=crc32c-intel, debug=on, assert=on, integrity-checker=on, ref-verify=on + [ 9414.692655] BTRFS: selftest: sectorsize: 4096 nodesize: 4096 + [ 9414.692658] BTRFS: selftest: running btrfs free space cache tests + [ 9414.692918] BTRFS: selftest: running extent only tests + [ 9414.693061] BTRFS: selftest: running bitmap only tests + [ 9414.693366] BTRFS: selftest: running bitmap and extent tests + [ 9414.696455] BTRFS: selftest: running space stealing from bitmap to extent tests + [ 9414.697131] BTRFS: selftest: running extent buffer operation tests + [ 9414.697133] BTRFS: selftest: running btrfs_split_item tests + [ 9414.697564] BTRFS: selftest: running extent I/O tests + [ 9414.697583] BTRFS: selftest: running find delalloc tests + [ 9415.081125] BTRFS: selftest: running find_first_clear_extent_bit test + [ 9415.081278] BTRFS: selftest: running extent buffer bitmap tests + [ 9415.124192] BTRFS: selftest: running inode tests + [ 9415.124195] BTRFS: selftest: running btrfs_get_extent tests + [ 9415.127909] BTRFS: selftest: running hole first 
btrfs_get_extent test + [ 9415.128343] BTRFS critical (device (efault)): regular/prealloc extent found for non-regular inode 256 + [ 9415.131428] BTRFS: selftest: fs/btrfs/tests/inode-tests.c:904 expected a real extent, got 0 + +This happens because the test inodes are created without ever initializing +the i_mode field of the inode, and neither VFS's new_inode() nor the btrfs +callback btrfs_alloc_inode() initialize the i_mode. Initialization of the +i_mode is done through the various callbacks used by the VFS to create +new inodes (regular files, directories, symlinks, tmpfiles, etc), which +all call btrfs_new_inode() which in turn calls inode_init_owner(), which +sets the inode's i_mode. Since the tests only uses new_inode() to create +the test inodes, the i_mode was never initialized. + +This always happens on a VM I used with kasan, slub_debug and many other +debug facilities enabled. It also happened to someone who reported this +on bugzilla (on a 5.3-rc). + +Fix this by setting i_mode to S_IFREG at btrfs_new_test_inode(). + +Fixes: 6bf9e4bd6a2778 ("btrfs: inode: Verify inode mode to avoid NULL pointer dereference") +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204397 +Signed-off-by: Filipe Manana +Reviewed-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/tests/btrfs-tests.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/tests/btrfs-tests.c b/fs/btrfs/tests/btrfs-tests.c +index 2eec1dd3803af..82d874b104383 100644 +--- a/fs/btrfs/tests/btrfs-tests.c ++++ b/fs/btrfs/tests/btrfs-tests.c +@@ -38,7 +38,13 @@ static struct file_system_type test_type = { + + struct inode *btrfs_new_test_inode(void) + { +- return new_inode(test_mnt->mnt_sb); ++ struct inode *inode; ++ ++ inode = new_inode(test_mnt->mnt_sb); ++ if (inode) ++ inode_init_owner(inode, NULL, S_IFREG); ++ ++ return inode; + } + + static int btrfs_init_test_fs(void) +-- +2.25.1 + 
diff --git a/queue-4.19/btrfs-inode-verify-inode-mode-to-avoid-null-pointer-.patch b/queue-4.19/btrfs-inode-verify-inode-mode-to-avoid-null-pointer-.patch new file mode 100644 index 00000000000..e1c50c202bb --- /dev/null +++ b/queue-4.19/btrfs-inode-verify-inode-mode-to-avoid-null-pointer-.patch 
@@ -0,0 +1,201 @@ +From 67f373e725841a1873ef6bc03616db110496b9e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Mar 2019 13:55:11 +0800 +Subject: btrfs: inode: Verify inode mode to avoid NULL pointer dereference + +From: Qu Wenruo + +[ Upstream commit 6bf9e4bd6a277840d3fe8c5d5d530a1fbd3db592 ] + +[BUG] +When accessing a file on a crafted image, btrfs can crash in block layer: + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 + PGD 136501067 P4D 136501067 PUD 124519067 PMD 0 + CPU: 3 PID: 0 Comm: swapper/3 Not tainted 5.0.0-rc8-default #252 + RIP: 0010:end_bio_extent_readpage+0x144/0x700 + Call Trace: + + blk_update_request+0x8f/0x350 + blk_mq_end_request+0x1a/0x120 + blk_done_softirq+0x99/0xc0 + __do_softirq+0xc7/0x467 + irq_exit+0xd1/0xe0 + call_function_single_interrupt+0xf/0x20 + + RIP: 0010:default_idle+0x1e/0x170 + +[CAUSE] +The crafted image has a tricky corruption, the INODE_ITEM has a +different type against its parent dir: + + item 20 key (268 INODE_ITEM 0) itemoff 2808 itemsize 160 + generation 13 transid 13 size 1048576 nbytes 1048576 + block group 0 mode 121644 links 1 uid 0 gid 0 rdev 0 + sequence 9 flags 0x0(none) + +This mode number 0120000 means it's a symlink. + +But the dir item think it's still a regular file: + + item 8 key (264 DIR_INDEX 5) itemoff 3707 itemsize 32 + location key (268 INODE_ITEM 0) type FILE + transid 13 data_len 0 name_len 2 + name: f4 + item 40 key (264 DIR_ITEM 51821248) itemoff 1573 itemsize 32 + location key (268 INODE_ITEM 0) type FILE + transid 13 data_len 0 name_len 2 + name: f4 + +For symlink, we don't set BTRFS_I(inode)->io_tree.ops and leave it +empty, as symlink is only designed to have inlined extent, all handled +by tree block read. Thus no need to trigger btrfs_submit_bio_hook() for +inline file extent. + +However end_bio_extent_readpage() expects tree->ops populated, as it's +reading regular data extent. This causes NULL pointer dereference. 
+ +[FIX] +This patch fixes the problem in two ways: + +- Verify inode mode against its dir item when looking up inode + So in btrfs_lookup_dentry() if we find inode mode mismatch with dir + item, we error out so that corrupted inode will not be accessed. + +- Verify inode mode when getting extent mapping + Only regular file should have regular or preallocated extent. + If we found regular/preallocated file extent for symlink or + the rest, we error out before submitting the read bio. + +With this fix that crafted image can be rejected gracefully: + + BTRFS critical (device loop0): inode mode mismatch with dir: inode mode=0121644 btrfs type=7 dir type=1 + +Reported-by: Yoon Jungyeon +Link: https://bugzilla.kernel.org/show_bug.cgi?id=202763 +Reviewed-by: Nikolay Borisov +Signed-off-by: Qu Wenruo +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/inode.c | 41 +++++++++++++++++++++++++++++------- + fs/btrfs/tests/inode-tests.c | 1 + + 2 files changed, 34 insertions(+), 8 deletions(-) + +diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c +index 8dd2702ce859e..7befb7c12bd32 100644 +--- a/fs/btrfs/inode.c ++++ b/fs/btrfs/inode.c +@@ -5553,12 +5553,14 @@ no_delete: + } + + /* +- * this returns the key found in the dir entry in the location pointer. ++ * Return the key found in the dir entry in the location pointer, fill @type ++ * with BTRFS_FT_*, and return 0. ++ * + * If no dir entries were found, returns -ENOENT. + * If found a corrupted location in dir entry, returns -EUCLEAN. 
+ */ + static int btrfs_inode_by_name(struct inode *dir, struct dentry *dentry, +- struct btrfs_key *location) ++ struct btrfs_key *location, u8 *type) + { + const char *name = dentry->d_name.name; + int namelen = dentry->d_name.len; +@@ -5591,6 +5593,8 @@ static int btrfs_inode_by_name(struct inode *dir, struct dentry *dentry, + __func__, name, btrfs_ino(BTRFS_I(dir)), + location->objectid, location->type, location->offset); + } ++ if (!ret) ++ *type = btrfs_dir_type(path->nodes[0], di); + out: + btrfs_free_path(path); + return ret; +@@ -5826,6 +5830,11 @@ static struct inode *new_simple_dir(struct super_block *s, + return inode; + } + ++static inline u8 btrfs_inode_type(struct inode *inode) ++{ ++ return btrfs_type_by_mode[(inode->i_mode & S_IFMT) >> S_SHIFT]; ++} ++ + struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry) + { + struct btrfs_fs_info *fs_info = btrfs_sb(dir->i_sb); +@@ -5833,18 +5842,31 @@ struct inode *btrfs_lookup_dentry(struct inode *dir, struct dentry *dentry) + struct btrfs_root *root = BTRFS_I(dir)->root; + struct btrfs_root *sub_root = root; + struct btrfs_key location; ++ u8 di_type = 0; + int index; + int ret = 0; + + if (dentry->d_name.len > BTRFS_NAME_LEN) + return ERR_PTR(-ENAMETOOLONG); + +- ret = btrfs_inode_by_name(dir, dentry, &location); ++ ret = btrfs_inode_by_name(dir, dentry, &location, &di_type); + if (ret < 0) + return ERR_PTR(ret); + + if (location.type == BTRFS_INODE_ITEM_KEY) { + inode = btrfs_iget(dir->i_sb, &location, root, NULL); ++ if (IS_ERR(inode)) ++ return inode; ++ ++ /* Do extra check against inode mode with di_type */ ++ if (btrfs_inode_type(inode) != di_type) { ++ btrfs_crit(fs_info, ++"inode mode mismatch with dir: inode mode=0%o btrfs type=%u dir type=%u", ++ inode->i_mode, btrfs_inode_type(inode), ++ di_type); ++ iput(inode); ++ return ERR_PTR(-EUCLEAN); ++ } + return inode; + } + +@@ -6455,11 +6477,6 @@ fail: + return ERR_PTR(ret); + } + +-static inline u8 btrfs_inode_type(struct inode 
*inode) +-{ +- return btrfs_type_by_mode[(inode->i_mode & S_IFMT) >> S_SHIFT]; +-} +- + /* + * utility function to add 'inode' into 'parent_inode' with + * a give name and a given sequence number. +@@ -6993,6 +7010,14 @@ struct extent_map *btrfs_get_extent(struct btrfs_inode *inode, + extent_start = found_key.offset; + if (found_type == BTRFS_FILE_EXTENT_REG || + found_type == BTRFS_FILE_EXTENT_PREALLOC) { ++ /* Only regular file could have regular/prealloc extent */ ++ if (!S_ISREG(inode->vfs_inode.i_mode)) { ++ ret = -EUCLEAN; ++ btrfs_crit(fs_info, ++ "regular/prealloc extent found for non-regular inode %llu", ++ btrfs_ino(inode)); ++ goto out; ++ } + extent_end = extent_start + + btrfs_file_extent_num_bytes(leaf, item); + +diff --git a/fs/btrfs/tests/inode-tests.c b/fs/btrfs/tests/inode-tests.c +index 64043f0288206..648633aae968c 100644 +--- a/fs/btrfs/tests/inode-tests.c ++++ b/fs/btrfs/tests/inode-tests.c +@@ -232,6 +232,7 @@ static noinline int test_btrfs_get_extent(u32 sectorsize, u32 nodesize) + return ret; + } + ++ inode->i_mode = S_IFREG; + BTRFS_I(inode)->location.type = BTRFS_INODE_ITEM_KEY; + BTRFS_I(inode)->location.objectid = BTRFS_FIRST_FREE_OBJECTID; + BTRFS_I(inode)->location.offset = 0; +-- +2.25.1 + diff --git a/queue-4.19/crypto-ccp-release-all-allocated-memory-if-sha-type-.patch b/queue-4.19/crypto-ccp-release-all-allocated-memory-if-sha-type-.patch new file mode 100644 index 00000000000..5be820f5dfd --- /dev/null +++ b/queue-4.19/crypto-ccp-release-all-allocated-memory-if-sha-type-.patch 
@@ -0,0 +1,41 @@ +From dfcf3b61cec9325917d0ba4ee7a3797375136a28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Sep 2019 11:04:48 -0500 +Subject: crypto: ccp - Release all allocated memory if sha type is invalid + +From: Navid Emamdoost + +[ Upstream commit 128c66429247add5128c03dc1e144ca56f05a4e2 ] + +Release all allocated memory if sha type is invalid: +In ccp_run_sha_cmd, if the type of sha is invalid, the allocated +hmac_buf should be released. + +v2: fix the goto. + +Signed-off-by: Navid Emamdoost +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ccp/ccp-ops.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/ccp/ccp-ops.c b/drivers/crypto/ccp/ccp-ops.c +index 330853a2702f0..43b74cf0787e1 100644 +--- a/drivers/crypto/ccp/ccp-ops.c ++++ b/drivers/crypto/ccp/ccp-ops.c +@@ -1783,8 +1783,9 @@ ccp_run_sha_cmd(struct ccp_cmd_queue *cmd_q, struct ccp_cmd *cmd) + LSB_ITEM_SIZE); + break; + default: ++ kfree(hmac_buf); + ret = -EINVAL; +- goto e_ctx; ++ goto e_data; + } + + memset(&hmac_cmd, 0, sizeof(hmac_cmd)); +-- +2.25.1 + diff --git a/queue-4.19/drm-amd-display-prevent-memory-leak.patch b/queue-4.19/drm-amd-display-prevent-memory-leak.patch new file mode 100644 index 00000000000..be5187a1b50 --- /dev/null +++ b/queue-4.19/drm-amd-display-prevent-memory-leak.patch 
@@ -0,0 +1,87 @@ +From de824356ed66133a70577daf9c3b8fa99788339a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Sep 2019 23:23:56 -0500 +Subject: drm/amd/display: prevent memory leak + +From: Navid Emamdoost + +[ Upstream commit 104c307147ad379617472dd91a5bcb368d72bd6d ] + +In dcn*_create_resource_pool the allocated memory should be released if +construct pool fails. + +Reviewed-by: Harry Wentland +Signed-off-by: Navid Emamdoost +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c | 1 + + drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c | 1 + + drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c | 1 + + drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c | 1 + + drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c | 1 + + 5 files changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c b/drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c +index 3f76e6019546f..5a2f29bd35082 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dce100/dce100_resource.c +@@ -1001,6 +1001,7 @@ struct resource_pool *dce100_create_resource_pool( + if (construct(num_virtual_links, dc, pool)) + return &pool->base; + ++ kfree(pool); + BREAK_TO_DEBUGGER(); + return NULL; + } +diff --git a/drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c b/drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c +index e5e9e92521e91..17d936c260d97 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dce110/dce110_resource.c +@@ -1344,6 +1344,7 @@ struct resource_pool *dce110_create_resource_pool( + if (construct(num_virtual_links, dc, pool, asic_id)) + return &pool->base; + ++ kfree(pool); + BREAK_TO_DEBUGGER(); + return NULL; + } +diff --git a/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c b/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c 
+index 288129343c778..71adab8bf31b1 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dce112/dce112_resource.c +@@ -1287,6 +1287,7 @@ struct resource_pool *dce112_create_resource_pool( + if (construct(num_virtual_links, dc, pool)) + return &pool->base; + ++ kfree(pool); + BREAK_TO_DEBUGGER(); + return NULL; + } +diff --git a/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c b/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c +index d43f37d99c7d9..f0f2ce6da8278 100644 +--- a/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dce120/dce120_resource.c +@@ -1076,6 +1076,7 @@ struct resource_pool *dce120_create_resource_pool( + if (construct(num_virtual_links, dc, pool)) + return &pool->base; + ++ kfree(pool); + BREAK_TO_DEBUGGER(); + return NULL; + } +diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c +index 6b44ed3697a4f..e6d5568811400 100644 +--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c ++++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_resource.c +@@ -1361,6 +1361,7 @@ struct resource_pool *dcn10_create_resource_pool( + if (construct(num_virtual_links, dc, pool)) + return &pool->base; + ++ kfree(pool); + BREAK_TO_DEBUGGER(); + return NULL; + } +-- +2.25.1 + diff --git a/queue-4.19/drm-amdgpu-fix-multiple-memory-leaks-in-acp_hw_init.patch b/queue-4.19/drm-amdgpu-fix-multiple-memory-leaks-in-acp_hw_init.patch new file mode 100644 index 00000000000..f65dc4f8dbf --- /dev/null +++ b/queue-4.19/drm-amdgpu-fix-multiple-memory-leaks-in-acp_hw_init.patch 
@@ -0,0 +1,126 @@ +From d8865bd6f6d01bfe5d4760e691122327c984f1a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Oct 2019 22:46:07 -0500 +Subject: drm/amdgpu: fix multiple memory leaks in acp_hw_init +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Navid Emamdoost + +[ Upstream commit 57be09c6e8747bf48704136d9e3f92bfb93f5725 ] + +In acp_hw_init there are some allocations that needs to be released in +case of failure: + +1- adev->acp.acp_genpd should be released if any allocation attemp for +adev->acp.acp_cell, adev->acp.acp_res or i2s_pdata fails. +2- all of those allocations should be released if +mfd_add_hotplug_devices or pm_genpd_add_device fail. +3- Release is needed in case of time out values expire. + +Reviewed-by: Christian König +Signed-off-by: Navid Emamdoost +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c | 34 ++++++++++++++++--------- + 1 file changed, 22 insertions(+), 12 deletions(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c +index 71efcf38f11be..94cd8a2610912 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c +@@ -276,7 +276,7 @@ static int acp_hw_init(void *handle) + u32 val = 0; + u32 count = 0; + struct device *dev; +- struct i2s_platform_data *i2s_pdata; ++ struct i2s_platform_data *i2s_pdata = NULL; + + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + +@@ -317,20 +317,21 @@ static int acp_hw_init(void *handle) + adev->acp.acp_cell = kcalloc(ACP_DEVS, sizeof(struct mfd_cell), + GFP_KERNEL); + +- if (adev->acp.acp_cell == NULL) +- return -ENOMEM; ++ if (adev->acp.acp_cell == NULL) { ++ r = -ENOMEM; ++ goto failure; ++ } + + adev->acp.acp_res = kcalloc(5, sizeof(struct resource), GFP_KERNEL); + if (adev->acp.acp_res == NULL) { +- kfree(adev->acp.acp_cell); +- return -ENOMEM; ++ r = -ENOMEM; ++ goto failure; + } + 
+ i2s_pdata = kcalloc(3, sizeof(struct i2s_platform_data), GFP_KERNEL); + if (i2s_pdata == NULL) { +- kfree(adev->acp.acp_res); +- kfree(adev->acp.acp_cell); +- return -ENOMEM; ++ r = -ENOMEM; ++ goto failure; + } + + switch (adev->asic_type) { +@@ -427,7 +428,7 @@ static int acp_hw_init(void *handle) + r = mfd_add_hotplug_devices(adev->acp.parent, adev->acp.acp_cell, + ACP_DEVS); + if (r) +- return r; ++ goto failure; + + if (adev->asic_type != CHIP_STONEY) { + for (i = 0; i < ACP_DEVS ; i++) { +@@ -435,7 +436,7 @@ static int acp_hw_init(void *handle) + r = pm_genpd_add_device(&adev->acp.acp_genpd->gpd, dev); + if (r) { + dev_err(dev, "Failed to add dev to genpd\n"); +- return r; ++ goto failure; + } + } + } +@@ -454,7 +455,8 @@ static int acp_hw_init(void *handle) + break; + if (--count == 0) { + dev_err(&adev->pdev->dev, "Failed to reset ACP\n"); +- return -ETIMEDOUT; ++ r = -ETIMEDOUT; ++ goto failure; + } + udelay(100); + } +@@ -471,7 +473,8 @@ static int acp_hw_init(void *handle) + break; + if (--count == 0) { + dev_err(&adev->pdev->dev, "Failed to reset ACP\n"); +- return -ETIMEDOUT; ++ r = -ETIMEDOUT; ++ goto failure; + } + udelay(100); + } +@@ -480,6 +483,13 @@ static int acp_hw_init(void *handle) + val &= ~ACP_SOFT_RESET__SoftResetAud_MASK; + cgs_write_register(adev->acp.cgs_device, mmACP_SOFT_RESET, val); + return 0; ++ ++failure: ++ kfree(i2s_pdata); ++ kfree(adev->acp.acp_res); ++ kfree(adev->acp.acp_cell); ++ kfree(adev->acp.acp_genpd); ++ return r; + } + + /** +-- +2.25.1 + diff --git a/queue-4.19/iio-imu-adis16400-fix-memory-leak.patch b/queue-4.19/iio-imu-adis16400-fix-memory-leak.patch new file mode 100644 index 00000000000..88f4f536ad7 --- /dev/null +++ b/queue-4.19/iio-imu-adis16400-fix-memory-leak.patch 
@@ -0,0 +1,38 @@ +From 418cc5175b544aa1b6221d8eaf362e0959ce38fa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 19:14:12 -0400 +Subject: iio: imu: adis16400: fix memory leak + +[ Upstream commit 9c0530e898f384c5d279bfcebd8bb17af1105873 ] + +In adis_update_scan_mode_burst, if adis->buffer allocation fails release +the adis->xfer. + +Signed-off-by: Navid Emamdoost +Reviewed-by: Alexandru Ardelean +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/imu/adis16400_buffer.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/iio/imu/adis16400_buffer.c b/drivers/iio/imu/adis16400_buffer.c +index e70a5339acb19..3fc11aec98b95 100644 +--- a/drivers/iio/imu/adis16400_buffer.c ++++ b/drivers/iio/imu/adis16400_buffer.c +@@ -38,8 +38,11 @@ int adis16400_update_scan_mode(struct iio_dev *indio_dev, + return -ENOMEM; + + adis->buffer = kzalloc(burst_length + sizeof(u16), GFP_KERNEL); +- if (!adis->buffer) ++ if (!adis->buffer) { ++ kfree(adis->xfer); ++ adis->xfer = NULL; + return -ENOMEM; ++ } + + tx = adis->buffer + burst_length; + tx[0] = ADIS_READ_REG(ADIS16400_GLOB_CMD); +-- +2.25.1 + diff --git a/queue-4.19/media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch b/queue-4.19/media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch new file mode 100644 index 00000000000..5d74f071233 --- /dev/null +++ b/queue-4.19/media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch 
@@ -0,0 +1,40 @@ +From 12d5a440edc09b4c7f300f30992b521cfaba28b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Sep 2019 12:02:41 -0300 +Subject: media: rc: prevent memory leak in cx23888_ir_probe + +From: Navid Emamdoost + +[ Upstream commit a7b2df76b42bdd026e3106cf2ba97db41345a177 ] + +In cx23888_ir_probe if kfifo_alloc fails the allocated memory for state +should be released. + +Signed-off-by: Navid Emamdoost +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx23885/cx23888-ir.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/cx23885/cx23888-ir.c b/drivers/media/pci/cx23885/cx23888-ir.c +index 00329f668b590..5177479d13d38 100644 +--- a/drivers/media/pci/cx23885/cx23888-ir.c ++++ b/drivers/media/pci/cx23885/cx23888-ir.c +@@ -1178,8 +1178,11 @@ int cx23888_ir_probe(struct cx23885_dev *dev) + return -ENOMEM; + + spin_lock_init(&state->rx_kfifo_lock); +- if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, GFP_KERNEL)) ++ if (kfifo_alloc(&state->rx_kfifo, CX23888_IR_RX_KFIFO_SIZE, ++ GFP_KERNEL)) { ++ kfree(state); + return -ENOMEM; ++ } + + state->dev = dev; + sd = &state->sd; +-- +2.25.1 + diff --git a/queue-4.19/sctp-implement-memory-accounting-on-tx-path.patch b/queue-4.19/sctp-implement-memory-accounting-on-tx-path.patch new file mode 100644 index 00000000000..e69476e211e --- /dev/null +++ b/queue-4.19/sctp-implement-memory-accounting-on-tx-path.patch 
@@ -0,0 +1,63 @@ +From f5079e99b18fd55638e08573e796c91a5ecb5e0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Apr 2019 17:15:06 +0800 +Subject: sctp: implement memory accounting on tx path + +From: Xin Long + +[ Upstream commit 1033990ac5b2ab6cee93734cb6d301aa3a35bcaa ] + +Now when sending packets, sk_mem_charge() and sk_mem_uncharge() have been +used to set sk_forward_alloc. We just need to call sk_wmem_schedule() to +check if the allocated should be raised, and call sk_mem_reclaim() to +check if the allocated should be reduced when it's under memory pressure. + +If sk_wmem_schedule() returns false, which means no memory is allowed to +allocate, it will block and wait for memory to become available. + +Note different from tcp, sctp wait_for_buf happens before allocating any +skb, so memory accounting check is done with the whole msg_len before it +too. + +Reported-by: Matteo Croce +Tested-by: Matteo Croce +Acked-by: Neil Horman +Acked-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/sctp/socket.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/net/sctp/socket.c b/net/sctp/socket.c +index c93be3ba5df29..df4a7d7c5ec04 100644 +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -1931,7 +1931,10 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc, + if (sctp_wspace(asoc) < (int)msg_len) + sctp_prsctp_prune(asoc, sinfo, msg_len - sctp_wspace(asoc)); + +- if (sctp_wspace(asoc) <= 0) { ++ if (sk_under_memory_pressure(sk)) ++ sk_mem_reclaim(sk); ++ ++ if (sctp_wspace(asoc) <= 0 || !sk_wmem_schedule(sk, msg_len)) { + timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); + err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len); + if (err) +@@ -8515,7 +8518,10 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + goto do_error; + if (signal_pending(current)) + goto do_interrupted; +- if ((int)msg_len <= sctp_wspace(asoc)) ++ if (sk_under_memory_pressure(sk)) ++ sk_mem_reclaim(sk); ++ if ((int)msg_len <= sctp_wspace(asoc) && ++ sk_wmem_schedule(sk, msg_len)) + break; + + /* Let another process have a go. Since we are going +-- +2.25.1 + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..2da2013c6db --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,11 @@ +crypto-ccp-release-all-allocated-memory-if-sha-type-.patch +media-rc-prevent-memory-leak-in-cx23888_ir_probe.patch +iio-imu-adis16400-fix-memory-leak.patch +drm-amdgpu-fix-multiple-memory-leaks-in-acp_hw_init.patch +tracing-have-error-path-in-predicate_parse-free-its-.patch +ath9k_htc-release-allocated-buffer-if-timed-out.patch +ath9k-release-allocated-buffer-if-timed-out.patch +drm-amd-display-prevent-memory-leak.patch +btrfs-inode-verify-inode-mode-to-avoid-null-pointer-.patch +sctp-implement-memory-accounting-on-tx-path.patch +btrfs-fix-selftests-failure-due-to-uninitialized-i_m.patch 
diff --git a/queue-4.19/tracing-have-error-path-in-predicate_parse-free-its-.patch b/queue-4.19/tracing-have-error-path-in-predicate_parse-free-its-.patch new file mode 100644 index 00000000000..62213dce5fe --- /dev/null +++ b/queue-4.19/tracing-have-error-path-in-predicate_parse-free-its-.patch @@ -0,0 +1,42 @@ +From 15d09aec508088201071bd25a60a65a1eec65ae5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Sep 2019 17:57:59 -0500 +Subject: tracing: Have error path in predicate_parse() free its allocated + memory + +From: Navid Emamdoost + +[ Upstream commit 96c5c6e6a5b6db592acae039fed54b5c8844cd35 ] + +In predicate_parse, there is an error path that is not going to +out_free instead it returns directly which leads to a memory leak. + +Link: http://lkml.kernel.org/r/20190920225800.3870-1-navid.emamdoost@gmail.com + +Signed-off-by: Navid Emamdoost +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Sasha Levin +--- + kernel/trace/trace_events_filter.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c +index b949c3917c679..9be3d1d1fcb47 100644 +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -451,8 +451,10 @@ predicate_parse(const char *str, int nr_parens, int nr_preds, + + switch (*next) { + case '(': /* #2 */ +- if (top - op_stack > nr_parens) +- return ERR_PTR(-EINVAL); ++ if (top - op_stack > nr_parens) { ++ ret = -EINVAL; ++ goto out_free; ++ } + *(++top) = invert; + continue; + case '!': /* #3 */ +-- +2.25.1 +
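Review bot: In queue-4.19/ath9k-release-allocated-buffer-if-timed-out.patch, the `kfree_skb(skb);` added to the timeout branch of ath9k_wmi_cmd() needs an ownership argument that the hunk and the commit message do not give. A timeout only says the reply did not arrive in time. If the transmit path or its completion handler still holds skb at that point, this free turns a leak into a use-after-free or double free. Please state in the commit message who owns skb once the command has been issued, or move the free to the path that is guaranteed to run last.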
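Review bot: In the three htc_hst.c hunks (htc_config_pipe_credits, htc_setup_complete, htc_connect_service), each `kfree_skb(skb);` runs right after `wait_for_completion_timeout(&target->cmd_wait, HZ)` gives up, so a completion that arrives just after the one-second wait would race with the free. The hunks do not show whether the completion side touches or frees the same skb. Please confirm that it cannot, or synchronise with the in-flight transfer before freeing on these branches.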
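Review bot: In the fs/btrfs/tests/btrfs-tests.c hunk, once btrfs_new_test_inode() calls `inode_init_owner(inode, NULL, S_IFREG);`, the `inode->i_mode = S_IFREG;` line that the other btrfs patch in this queue adds to test_btrfs_get_extent() looks redundant, so it would be worth saying whether it is kept on purpose. Also, queue-4.19/series puts the sctp patch between the btrfs patch named in the Fixes: tag and this fix. Keeping the two btrfs patches adjacent would avoid a bisection point where the selftests fail.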
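Review bot: In the btrfs_lookup_dentry() hunk of fs/btrfs/inode.c, the new btrfs_crit() message "inode mode mismatch with dir: inode mode=0%o btrfs type=%u dir type=%u" names neither the inode nor the parent directory, while the check added to btrfs_get_extent() in the same patch does print btrfs_ino(inode). Adding the inode number and the directory's inode number to the lookup message would let someone triaging a rejected image find the offending items without re-running the lookup.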
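Review bot: In the ccp_run_sha_cmd() hunk of drivers/crypto/ccp/ccp-ops.c, the default case now does two things: it frees hmac_buf inline and it changes the jump target from e_ctx to e_data. The commit message covers the second change only with "v2: fix the goto". Please say which resource e_data releases that e_ctx skipped, so a reader can tell that both leaks are covered and nothing is released twice on this branch.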
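Review bot: In queue-4.19/drm-amd-display-prevent-memory-leak.patch, the commit message speaks of dcn*_create_resource_pool, but four of the five functions touched are dce100, dce110, dce112 and dce120, so the message should name both families. Separately, `kfree(pool);` after a failed construct() only plugs the leak if construct() releases everything it allocated before failing. The hunks do not show that, so please confirm it or call the matching destruct helper before the free.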
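Review bot: In the acp_hw_init() hunks of drivers/gpu/drm/amd/amdgpu/amdgpu_acp.c, the new failure label only calls kfree(), yet it is reached from points after mfd_add_hotplug_devices() has succeeded and after some pm_genpd_add_device() calls in the loop may have succeeded. Those registrations are not undone, so the registered devices can be left referring to acp_cell and acp_res memory that has just been freed. The label also leaves adev->acp.acp_cell, acp_res and acp_genpd pointing at freed memory; set them to NULL after the kfree() calls so a later teardown does not free them again.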
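Review bot: queue-4.19/iio-imu-adis16400-fix-memory-leak.patch has no in-body "From:" line for the original author, unlike the other queued patches here, so applying it would record the backporter as the author although the first Signed-off-by is Navid Emamdoost. The commit message also names adis_update_scan_mode_burst, while the hunk changes adis16400_update_scan_mode(); a short backport note explaining the different function would help.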
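Review bot: In the sctp_sendmsg_to_asoc() hunk of net/sctp/socket.c, a failed `sk_wmem_schedule(sk, msg_len)` now takes the same branch as a full send buffer, where timeo comes from `sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT)`. The commit message only describes the blocking case ("it will block and wait for memory to become available"). Please document what a non-blocking sender sees when the accounting check fails while sctp_wspace() is still positive, since that is a change in behaviour visible to applications.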