From: Greg Kroah-Hartman Date: Sat, 5 Mar 2022 13:51:05 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.305~63 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ccb4ed61218bc86777706a6d93bc3ac0a15154d9;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: firmware-fix-a-reference-count-leak.patch firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
---
diff --git a/queue-4.9/firmware-fix-a-reference-count-leak.patch b/queue-4.9/firmware-fix-a-reference-count-leak.patch
new file mode 100644
index 00000000000..33ba0c6b850
--- /dev/null
+++ b/queue-4.9/firmware-fix-a-reference-count-leak.patch
@@ -0,0 +1,48 @@
+From foo@baz Sat Mar 5 02:48:58 PM CET 2022
+From: Qiushi Wu
+Date: Sat, 13 Jun 2020 14:05:33 -0500
+Subject: firmware: Fix a reference count leak.
+
+From: Qiushi Wu
+
+commit fe3c60684377d5ad9b0569b87ed3e26e12c8173b upstream.
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object.
+Callback function fw_cfg_sysfs_release_entry() in kobject_put()
+can handle the pointer "entry" properly.
+
+Signed-off-by: Qiushi Wu
+Link: https://lore.kernel.org/r/20200613190533.15712-1-wu000273@umn.edu
+Signed-off-by: Michael S. Tsirkin
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qemu_fw_cfg.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -461,8 +461,10 @@ static int fw_cfg_register_file(const st
+ /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+ err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
+ fw_cfg_sel_ko, "%d", entry->f.select);
+- if (err)
+- goto err_register;
++ if (err) {
++ kobject_put(&entry->kobj);
++ return err;
++ }
+
+ /* add raw binary content access */
+ err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw);
+@@ -478,7 +480,6 @@ static int fw_cfg_register_file(const st
+
+ err_add_raw:
+ kobject_del(&entry->kobj);
+-err_register:
+ kfree(entry);
+ return err;
+ }
diff --git a/queue-4.9/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch b/queue-4.9/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
new file mode 100644
index 00000000000..537128ada97
--- /dev/null
+++ b/queue-4.9/firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
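Review bot: The `kobject_put(&entry->kobj)` added to the `if (err)` branch after kobject_init_and_add() runs the ktype release callback on an entry that has not yet been passed to fw_cfg_sysfs_cache_enlist(), and the changelog of the next queued patch states that this results in a NULL pointer dereference because the release function also removes the entry from the fw_cfg_entry_cache list. The follow-up patch keeps the same call reachable from both `err_del_entry` and `err_put_entry`, so the hazard remains unless the release path tolerates a never-enlisted entry. The `queue-4.9/series` change on this page queues only these two patches, so it cannot be confirmed from here that the upstream fix referred to as "This has now been addressed" is already in 4.9; it should be verified as present, or queued ahead of `firmware-fix-a-reference-count-leak.patch`, before release. fw_cfg_register_file() begins and ends outside the quoted hunks.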
@@ -0,0 +1,69 @@
+From foo@baz Sat Mar 5 02:48:58 PM CET 2022
+From: Johan Hovold
+Date: Wed, 1 Dec 2021 14:25:26 +0100
+Subject: firmware: qemu_fw_cfg: fix kobject leak in probe error path
+
+From: Johan Hovold
+
+commit 47a1db8e797da01a1309bf42e0c0d771d4e4d4f3 upstream.
+
+An initialised kobject must be freed using kobject_put() to avoid
+leaking associated resources (e.g. the object name).
+
+Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
+the leak in the first error path of the file registration helper but
+left the second one unchanged. This "fix" would however result in a NULL
+pointer dereference due to the release function also removing the never
+added entry from the fw_cfg_entry_cache list. This has now been
+addressed.
+
+Fix the remaining kobject leak by restoring the common error path and
+adding the missing kobject_put().
+
+Fixes: 75f3e8e47f38 ("firmware: introduce sysfs driver for QEMU's fw_cfg device")
+Cc: stable@vger.kernel.org # 4.6
+Cc: Gabriel Somlo
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211201132528.30025-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+[sudip: adjust context]
+Signed-off-by: Sudip Mukherjee
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/qemu_fw_cfg.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/drivers/firmware/qemu_fw_cfg.c
++++ b/drivers/firmware/qemu_fw_cfg.c
+@@ -461,15 +461,13 @@ static int fw_cfg_register_file(const st
+ /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */
+ err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype,
+ fw_cfg_sel_ko, "%d", entry->f.select);
+- if (err) {
+- kobject_put(&entry->kobj);
+- return err;
+- }
++ if (err)
++ goto err_put_entry;
+
+ /* add raw binary content access */
+ err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw);
+ if (err)
+- goto err_add_raw;
++ goto err_del_entry;
+
+ /* try adding "/sys/firmware/qemu_fw_cfg/by_name/" symlink */
+ fw_cfg_build_symlink(fw_cfg_fname_kset, &entry->kobj, entry->f.name);
+@@ -478,9 +476,10 @@ static int fw_cfg_register_file(const st
+ fw_cfg_sysfs_cache_enlist(entry);
+ return 0;
+
+-err_add_raw:
++err_del_entry:
+ kobject_del(&entry->kobj);
+- kfree(entry);
++err_put_entry:
++ kobject_put(&entry->kobj);
+ return err;
+ }
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 044d17b20ae..0036ec502ed 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -14,3 +14,5 @@ xfrm-fix-mtu-regression.patch
 netfilter-nf_queue-don-t-assume-sk-is-full-socket.patch
 netfilter-nf_queue-fix-possible-use-after-free.patch
 net-dcb-flush-lingering-app-table-entries-for-unregistered-devices.patch
+firmware-fix-a-reference-count-leak.patch
+firmware-qemu_fw_cfg-fix-kobject-leak-in-probe-error-path.patch
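Review bot: At `err_put_entry:` nothing in the error path frees `entry` explicitly any more, which is easy to misread as a leak and invites a later change to put `kfree(entry)` back, which would then be a double free. A one-line comment above the label would guard against that, for example `/* kobject_put() drops the last reference; the ktype release callback is expected to free entry */`. That the release callback frees the entry is inferred from the first patch's changelog and from the removal of `kfree(entry)`, not from code visible on this page, so the wording should be checked against fw_cfg_sysfs_release_entry(). The function body starts and ends outside the quoted hunks.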