From: Sasha Levin Date: Fri, 7 Aug 2020 20:10:51 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v4.19.139~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ced89de5e5cacb48451d57bcd04576bc2897c553;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch b/queue-4.19/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch new file mode 100644 index 00000000000..cd48c6f458f --- /dev/null +++ b/queue-4.19/atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch 
@@ -0,0 +1,54 @@ +From 07834dd54f8c73ce02dd45d9020fd6af86256f13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 29 Jul 2020 21:06:59 +0800 +Subject: atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent + +From: Xin Xiong + +[ Upstream commit 51875dad43b44241b46a569493f1e4bfa0386d86 ] + +atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a +reference of atm_dev with increased refcount or NULL if fails. + +The refcount leaks issues occur in two error handling paths. If +dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function +returns 0 without decreasing the refcount kept by a local variable, +resulting in refcount leaks. + +Fix the issue by adding atm_dev_put() before returning 0 both when +dev_data->persist is zero or PRIV(dev)->vcc isn't NULL. + +Signed-off-by: Xin Xiong +Signed-off-by: Xiyu Yang +Signed-off-by: Xin Tan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/atm/atmtcp.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c +index afebeb1c3e1e9..723bad1201cc5 100644 +--- a/drivers/atm/atmtcp.c ++++ b/drivers/atm/atmtcp.c +@@ -432,9 +432,15 @@ static int atmtcp_remove_persistent(int itf) + return -EMEDIUMTYPE; + } + dev_data = PRIV(dev); +- if (!dev_data->persist) return 0; ++ if (!dev_data->persist) { ++ atm_dev_put(dev); ++ return 0; ++ } + dev_data->persist = 0; +- if (PRIV(dev)->vcc) return 0; ++ if (PRIV(dev)->vcc) { ++ atm_dev_put(dev); ++ return 0; ++ } + kfree(dev_data); + atm_dev_put(dev); + atm_dev_deregister(dev); +-- +2.25.1 + diff --git a/queue-4.19/cfg80211-check-vendor-command-doit-pointer-before-us.patch b/queue-4.19/cfg80211-check-vendor-command-doit-pointer-before-us.patch new file mode 100644 index 00000000000..e9df40b9971 --- /dev/null +++ b/queue-4.19/cfg80211-check-vendor-command-doit-pointer-before-us.patch 
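Review bot: both new early-return blocks in atmtcp_remove_persistent() now drop the reference obtained from atm_dev_lookup(), matching the existing `atm_dev_put(dev); atm_dev_deregister(dev);` tail, so the leak described in the message is closed on the two paths it names. The one earlier exit above the hunk, `return -EMEDIUMTYPE;`, is only visible as leading context here, so confirm that path releases the reference as well. Stylistically the two identical `atm_dev_put(dev); return 0;` blocks could share a single `out_put:` label, which would also make any future early return in this function harder to get wrong.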
@@ -0,0 +1,50 @@ +From 16a1d90310617189e93968cf1fc97226e6a4c31e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Jul 2020 17:13:53 -0400 +Subject: cfg80211: check vendor command doit pointer before use + +From: Julian Squires + +[ Upstream commit 4052d3d2e8f47a15053320bbcbe365d15610437d ] + +In the case where a vendor command does not implement doit, and has no +flags set, doit would not be validated and a NULL pointer dereference +would occur, for example when invoking the vendor command via iw. + +I encountered this while developing new vendor commands. Perhaps in +practice it is advisable to always implement doit along with dumpit, +but it seems reasonable to me to always check doit anyway, not just +when NEED_WDEV. + +Signed-off-by: Julian Squires +Link: https://lore.kernel.org/r/20200706211353.2366470-1-julian@cipht.net +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 0221849b72180..996b68b48a878 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -12392,13 +12392,13 @@ static int nl80211_vendor_cmd(struct sk_buff *skb, struct genl_info *info) + if (!wdev_running(wdev)) + return -ENETDOWN; + } +- +- if (!vcmd->doit) +- return -EOPNOTSUPP; + } else { + wdev = NULL; + } + ++ if (!vcmd->doit) ++ return -EOPNOTSUPP; ++ + if (info->attrs[NL80211_ATTR_VENDOR_DATA]) { + data = nla_data(info->attrs[NL80211_ATTR_VENDOR_DATA]); + len = nla_len(info->attrs[NL80211_ATTR_VENDOR_DATA]); +-- +2.25.1 + diff --git a/queue-4.19/drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch b/queue-4.19/drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch new file mode 100644 index 00000000000..b4e2d76d9da --- /dev/null +++ b/queue-4.19/drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch 
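Review bot: moving `if (!vcmd->doit) return -EOPNOTSUPP;` below the `else { wdev = NULL; }` branch means the NULL check now runs for every vendor command instead of only when NEED_WDEV is set, which is exactly the gap the message describes (a command with no flags and no doit reached a NULL call from a userspace netlink request). The dump side is not touched by this hunk; if this tree has a separate dump entry point that reaches vcmd->dumpit in the same way, it should get an equivalent check, since this change only covers the doit path.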
@@ -0,0 +1,109 @@ +From eab50cea00ac68ba8607f4941b52e96431a12de1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jan 2020 15:29:22 -0800 +Subject: Drivers: hv: vmbus: Ignore CHANNELMSG_TL_CONNECT_RESULT(23) + +From: Dexuan Cui + +[ Upstream commit ddc9d357b991838c2d975e8d7e4e9db26f37a7ff ] + +When a Linux hv_sock app tries to connect to a Service GUID on which no +host app is listening, a recent host (RS3+) sends a +CHANNELMSG_TL_CONNECT_RESULT (23) message to Linux and this triggers such +a warning: + +unknown msgtype=23 +WARNING: CPU: 2 PID: 0 at drivers/hv/vmbus_drv.c:1031 vmbus_on_msg_dpc + +Actually Linux can safely ignore the message because the Linux app's +connect() will time out in 2 seconds: see VSOCK_DEFAULT_CONNECT_TIMEOUT +and vsock_stream_connect(). We don't bother to make use of the message +because: 1) it's only supported on recent hosts; 2) a non-trivial effort +is required to use the message in Linux, but the benefit is small. + +So, let's not see the warning by silently ignoring the message. 
+ +Signed-off-by: Dexuan Cui +Reviewed-by: Michael Kelley +Signed-off-by: Sasha Levin +--- + drivers/hv/channel_mgmt.c | 21 +++++++-------------- + drivers/hv/vmbus_drv.c | 4 ++++ + include/linux/hyperv.h | 2 ++ + 3 files changed, 13 insertions(+), 14 deletions(-) + +diff --git a/drivers/hv/channel_mgmt.c b/drivers/hv/channel_mgmt.c +index 3bf1f9ef8ea25..c83361a8e2033 100644 +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -1249,6 +1249,8 @@ channel_message_table[CHANNELMSG_COUNT] = { + { CHANNELMSG_19, 0, NULL }, + { CHANNELMSG_20, 0, NULL }, + { CHANNELMSG_TL_CONNECT_REQUEST, 0, NULL }, ++ { CHANNELMSG_22, 0, NULL }, ++ { CHANNELMSG_TL_CONNECT_RESULT, 0, NULL }, + }; + + /* +@@ -1260,25 +1262,16 @@ void vmbus_onmessage(void *context) + { + struct hv_message *msg = context; + struct vmbus_channel_message_header *hdr; +- int size; + + hdr = (struct vmbus_channel_message_header *)msg->u.payload; +- size = msg->header.payload_size; + + trace_vmbus_on_message(hdr); + +- if (hdr->msgtype >= CHANNELMSG_COUNT) { +- pr_err("Received invalid channel message type %d size %d\n", +- hdr->msgtype, size); +- print_hex_dump_bytes("", DUMP_PREFIX_NONE, +- (unsigned char *)msg->u.payload, size); +- return; +- } +- +- if (channel_message_table[hdr->msgtype].message_handler) +- channel_message_table[hdr->msgtype].message_handler(hdr); +- else +- pr_err("Unhandled channel message type %d\n", hdr->msgtype); ++ /* ++ * vmbus_on_msg_dpc() makes sure the hdr->msgtype here can not go ++ * out of bound and the message_handler pointer can not be NULL. 
++ */ ++ channel_message_table[hdr->msgtype].message_handler(hdr); + } + + /* +diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c +index fb22b72fd535a..0699c60188895 100644 +--- a/drivers/hv/vmbus_drv.c ++++ b/drivers/hv/vmbus_drv.c +@@ -939,6 +939,10 @@ void vmbus_on_msg_dpc(unsigned long data) + } + + entry = &channel_message_table[hdr->msgtype]; ++ ++ if (!entry->message_handler) ++ goto msg_handled; ++ + if (entry->handler_type == VMHT_BLOCKING) { + ctx = kmalloc(sizeof(*ctx), GFP_ATOMIC); + if (ctx == NULL) +diff --git a/include/linux/hyperv.h b/include/linux/hyperv.h +index c43e694fef7dd..35461d49d3aee 100644 +--- a/include/linux/hyperv.h ++++ b/include/linux/hyperv.h +@@ -428,6 +428,8 @@ enum vmbus_channel_message_type { + CHANNELMSG_19 = 19, + CHANNELMSG_20 = 20, + CHANNELMSG_TL_CONNECT_REQUEST = 21, ++ CHANNELMSG_22 = 22, ++ CHANNELMSG_TL_CONNECT_RESULT = 23, + CHANNELMSG_COUNT + }; + +-- +2.25.1 + diff --git a/queue-4.19/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch b/queue-4.19/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch new file mode 100644 index 00000000000..29328b55508 --- /dev/null +++ b/queue-4.19/drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch 
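Review bot: the channel_mgmt.c hunk removes both the `hdr->msgtype >= CHANNELMSG_COUNT` bounds check and the NULL-handler check from vmbus_onmessage() and replaces them with a comment saying vmbus_on_msg_dpc() guarantees both; that is only safe while vmbus_on_msg_dpc() is the sole path into vmbus_onmessage(), and because the table is indexed directly by a value supplied by the host, the invariant should be stated in the commit message or kept as a cheap WARN_ON_ONCE rather than a comment. In the vmbus_drv.c hunk, `goto msg_handled` for a NULL message_handler jumps to a label outside the hunk, so confirm that path still performs the same per-message completion as the normal path and an ignored message is fully consumed rather than left pending. The hyperv.h hunk adds CHANNELMSG_22 and CHANNELMSG_TL_CONNECT_RESULT in order before CHANNELMSG_COUNT, and the table hunk adds the two matching rows, so the enum and the table size stay in step.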
@@ -0,0 +1,33 @@ +From 631aa7449775ebad4f807b3856271283fe55fee0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 17:01:39 +1000 +Subject: drm/nouveau/fbcon: fix module unload when fbcon init has failed for + some reason + +From: Ben Skeggs + +[ Upstream commit 498595abf5bd51f0ae074cec565d888778ea558f ] + +Stale pointer was tripping up the unload path. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fbcon.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index 0f64c0a1d4b30..fef38ea146a2a 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -599,6 +599,7 @@ fini: + drm_fb_helper_fini(&fbcon->helper); + free: + kfree(fbcon); ++ drm->fbcon = NULL; + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.19/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch b/queue-4.19/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch new file mode 100644 index 00000000000..3d2f76ed1b2 --- /dev/null +++ b/queue-4.19/drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch 
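Review bot: the commit message is thin for a stable backport; `drm->fbcon = NULL;` after `kfree(fbcon)` clears a dangling pointer, but the message should name which function on the unload path dereferences drm->fbcon, so whoever triages a later regression can see what the stale pointer actually broke. The placement is right: the store comes after the free and sits on the shared `free:` path, so both the `fini:` and `free:` failure paths clear it.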
@@ -0,0 +1,33 @@ +From f4d56524bad0804fde879dcbaa3db745ad829448 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 17:02:48 +1000 +Subject: drm/nouveau/fbcon: zero-initialise the mode_cmd2 structure + +From: Ben Skeggs + +[ Upstream commit 15fbc3b938534cc8eaac584a7b0c1183fc968b86 ] + +This is tripping up the format modifier patches. + +Signed-off-by: Ben Skeggs +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/nouveau/nouveau_fbcon.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/nouveau/nouveau_fbcon.c b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +index fef38ea146a2a..406cb99af7f21 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_fbcon.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fbcon.c +@@ -315,7 +315,7 @@ nouveau_fbcon_create(struct drm_fb_helper *helper, + struct nouveau_framebuffer *fb; + struct nouveau_channel *chan; + struct nouveau_bo *nvbo; +- struct drm_mode_fb_cmd2 mode_cmd; ++ struct drm_mode_fb_cmd2 mode_cmd = {}; + int ret; + + mode_cmd.width = sizes->surface_width; +-- +2.25.1 + diff --git a/queue-4.19/firmware-fix-a-reference-count-leak.patch b/queue-4.19/firmware-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..d749301c2b5 --- /dev/null +++ b/queue-4.19/firmware-fix-a-reference-count-leak.patch 
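Review bot: `struct drm_mode_fb_cmd2 mode_cmd = {};` replaces an uninitialised stack structure of which, judging by the context, only individual members such as width are assigned before use; zero-initialising it means any member that later code reads but this function never sets holds zero instead of stale stack contents. The message says only that it "is tripping up the format modifier patches", so please state which member was being read uninitialised; for a stable tree the justification should stand on its own without the follow-up patches.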
@@ -0,0 +1,51 @@ +From dc291342512b2463fff81de0121544caddbe3047 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Jun 2020 14:05:33 -0500 +Subject: firmware: Fix a reference count leak. + +From: Qiushi Wu + +[ Upstream commit fe3c60684377d5ad9b0569b87ed3e26e12c8173b ] + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. +Callback function fw_cfg_sysfs_release_entry() in kobject_put() +can handle the pointer "entry" properly. + +Signed-off-by: Qiushi Wu +Link: https://lore.kernel.org/r/20200613190533.15712-1-wu000273@umn.edu +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Sasha Levin +--- + drivers/firmware/qemu_fw_cfg.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c +index 039e0f91dba8f..6945c3c966375 100644 +--- a/drivers/firmware/qemu_fw_cfg.c ++++ b/drivers/firmware/qemu_fw_cfg.c +@@ -605,8 +605,10 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f) + /* register entry under "/sys/firmware/qemu_fw_cfg/by_key/" */ + err = kobject_init_and_add(&entry->kobj, &fw_cfg_sysfs_entry_ktype, + fw_cfg_sel_ko, "%d", entry->select); +- if (err) +- goto err_register; ++ if (err) { ++ kobject_put(&entry->kobj); ++ return err; ++ } + + /* add raw binary content access */ + err = sysfs_create_bin_file(&entry->kobj, &fw_cfg_sysfs_attr_raw); +@@ -622,7 +624,6 @@ static int fw_cfg_register_file(const struct fw_cfg_file *f) + + err_add_raw: + kobject_del(&entry->kobj); +-err_register: + kfree(entry); + return err; + } +-- +2.25.1 + diff --git a/queue-4.19/i2c-slave-add-sanity-check-when-unregistering.patch b/queue-4.19/i2c-slave-add-sanity-check-when-unregistering.patch new file mode 100644 index 00000000000..66a710ae6ce --- /dev/null +++ b/queue-4.19/i2c-slave-add-sanity-check-when-unregistering.patch 
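Review bot: the kobject_init_and_add() failure path is now correct: the call takes a reference even when it fails, so kobject_put() (which runs fw_cfg_sysfs_release_entry() and frees entry) is the right cleanup, and removing the `err_register:` label avoids a second kfree(entry) on that path. The remaining `err_add_raw:` path still does `kobject_del(&entry->kobj); kfree(entry);`, which bypasses the release callback the message says owns the pointer; by the same reasoning it should probably be `kobject_put(&entry->kobj)` after kobject_del(), otherwise the reference held by the kobject is never dropped.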
@@ -0,0 +1,34 @@ +From 62f515262ac1ee6f140675b0ad16ab4399e8643a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jul 2020 21:50:53 +0200 +Subject: i2c: slave: add sanity check when unregistering + +From: Wolfram Sang + +[ Upstream commit 8808981baf96e1b3dea1f08461e4d958aa0dbde1 ] + +Signed-off-by: Wolfram Sang +Reviewed-by: Alain Volmat +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-slave.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c +index 88959c8580ce0..f2e7e373ee478 100644 +--- a/drivers/i2c/i2c-core-slave.c ++++ b/drivers/i2c/i2c-core-slave.c +@@ -62,6 +62,9 @@ int i2c_slave_unregister(struct i2c_client *client) + { + int ret; + ++ if (IS_ERR_OR_NULL(client)) ++ return -EINVAL; ++ + if (!client->adapter->algo->unreg_slave) { + dev_err(&client->dev, "%s: not supported by adapter\n", __func__); + return -EOPNOTSUPP; +-- +2.25.1 + diff --git a/queue-4.19/i2c-slave-improve-sanity-check-when-registering.patch b/queue-4.19/i2c-slave-improve-sanity-check-when-registering.patch new file mode 100644 index 00000000000..6976229bb0c --- /dev/null +++ b/queue-4.19/i2c-slave-improve-sanity-check-when-registering.patch 
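Review bot: the commit body is empty, so the reason for the `IS_ERR_OR_NULL(client)` check can only be inferred from the companion patch that changed i2c_slave_register() the same way; a one-line body saying that callers may pass an ERR_PTR would help the stable tree. The check itself sits before the first `client->adapter` dereference, which is where an error pointer would otherwise fault, so the placement is right.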
@@ -0,0 +1,38 @@ +From 1b6d099d68b4a61bc5eb04a0fd5dfc31beb449ae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Jul 2020 21:50:52 +0200 +Subject: i2c: slave: improve sanity check when registering + +From: Wolfram Sang + +[ Upstream commit 1b1be3bf27b62f5abcf85c6f3214bdb9c7526685 ] + +Add check for ERR_PTR and simplify code while here. + +Signed-off-by: Wolfram Sang +Reviewed-by: Alain Volmat +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/i2c-core-slave.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/i2c/i2c-core-slave.c b/drivers/i2c/i2c-core-slave.c +index 47a9f70a24a97..88959c8580ce0 100644 +--- a/drivers/i2c/i2c-core-slave.c ++++ b/drivers/i2c/i2c-core-slave.c +@@ -22,10 +22,8 @@ int i2c_slave_register(struct i2c_client *client, i2c_slave_cb_t slave_cb) + { + int ret; + +- if (!client || !slave_cb) { +- WARN(1, "insufficient data\n"); ++ if (WARN(IS_ERR_OR_NULL(client) || !slave_cb, "insufficient data\n")) + return -EINVAL; +- } + + if (!(client->flags & I2C_CLIENT_SLAVE)) + dev_warn(&client->dev, "%s: client slave flag not set. You might see address collisions\n", +-- +2.25.1 + diff --git a/queue-4.19/igb-reinit_locked-should-be-called-with-rtnl_lock.patch b/queue-4.19/igb-reinit_locked-should-be-called-with-rtnl_lock.patch new file mode 100644 index 00000000000..6b3fea1dc91 --- /dev/null +++ b/queue-4.19/igb-reinit_locked-should-be-called-with-rtnl_lock.patch 
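Review bot: folding the test into `WARN(IS_ERR_OR_NULL(client) || !slave_cb, ...)` keeps the -EINVAL return while also rejecting ERR_PTR values that the previous `!client` test let through to the `client->flags` dereference below. Note that WARN() is now used on a caller-supplied argument: on systems booted with panic_on_warn a buggy caller becomes a panic rather than an -EINVAL, which is acceptable for a kernel-internal API bug but worth knowing when this is backported to hardened deployments.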
@@ -0,0 +1,92 @@ +From 6d6925059a03b5ef7041c8eb79321fa316a9ef4c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jul 2020 15:39:06 -0700 +Subject: igb: reinit_locked() should be called with rtnl_lock + +From: Francesco Ruggeri + +[ Upstream commit 024a8168b749db7a4aa40a5fbdfa04bf7e77c1c0 ] + +We observed two panics involving races with igb_reset_task. +The first panic is caused by this race condition: + + kworker reboot -f + + igb_reset_task + igb_reinit_locked + igb_down + napi_synchronize + __igb_shutdown + igb_clear_interrupt_scheme + igb_free_q_vectors + igb_free_q_vector + adapter->q_vector[v_idx] = NULL; + napi_disable + Panics trying to access + adapter->q_vector[v_idx].napi_state + +The second panic (a divide error) is caused by this race: + +kworker reboot -f tx packet + +igb_reset_task + __igb_shutdown + rtnl_lock() + ... + igb_clear_interrupt_scheme + igb_free_q_vectors + adapter->num_tx_queues = 0 + ... + rtnl_unlock() +rtnl_lock() +igb_reinit_locked +igb_down +igb_up +netif_tx_start_all_queues + dev_hard_start_xmit + igb_xmit_frame + igb_tx_queue_mapping + Panics on + r_idx % adapter->num_tx_queues + +This commit applies to igb_reset_task the same changes that +were applied to ixgbe in commit 2f90b8657ec9 ("ixgbe: this patch +adds support for DCB to the kernel and ixgbe driver"), +commit 8f4c5c9fb87a ("ixgbe: reinit_locked() should be called with +rtnl_lock") and commit 88adce4ea8f9 ("ixgbe: fix possible race in +reset subtask"). 
+ +Signed-off-by: Francesco Ruggeri +Tested-by: Aaron Brown +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 36db874f3c928..d85eb80d82497 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -6226,9 +6226,18 @@ static void igb_reset_task(struct work_struct *work) + struct igb_adapter *adapter; + adapter = container_of(work, struct igb_adapter, reset_task); + ++ rtnl_lock(); ++ /* If we're already down or resetting, just bail */ ++ if (test_bit(__IGB_DOWN, &adapter->state) || ++ test_bit(__IGB_RESETTING, &adapter->state)) { ++ rtnl_unlock(); ++ return; ++ } ++ + igb_dump(adapter); + netdev_err(adapter->netdev, "Reset adapter\n"); + igb_reinit_locked(adapter); ++ rtnl_unlock(); + } + + /** +-- +2.25.1 + diff --git a/queue-4.19/net-9p-validate-fds-in-p9_fd_open.patch b/queue-4.19/net-9p-validate-fds-in-p9_fd_open.patch new file mode 100644 index 00000000000..be331c82f7a --- /dev/null +++ b/queue-4.19/net-9p-validate-fds-in-p9_fd_open.patch 
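Review bot: taking rtnl_lock() around igb_reinit_locked() in igb_reset_task() serialises the reset against __igb_shutdown(), which the traces in the message show already runs under rtnl, and that closes both races described. Two things to confirm: (1) the early bail on __IGB_DOWN or __IGB_RESETTING drops the reset request rather than deferring it, so a reset scheduled while another is in flight is silently skipped, which is fine only if the in-progress reset already covers it; and (2) nothing reached from igb_reinit_locked() takes rtnl_lock() itself, since it is now called with the lock held. The message says this mirrors the ixgbe commits, so the same answers presumably apply, but the backport should state them.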
@@ -0,0 +1,70 @@ +From ba09f86ca9c64b5f9e33e1a1288c5009f4fdee88 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Jul 2020 10:57:22 +0200 +Subject: net/9p: validate fds in p9_fd_open + +From: Christoph Hellwig + +[ Upstream commit a39c46067c845a8a2d7144836e9468b7f072343e ] + +p9_fd_open just fgets file descriptors passed in from userspace, but +doesn't verify that they are valid for read or writing. This gets +cought down in the VFS when actually attempting a read or write, but +a new warning added in linux-next upsets syzcaller. + +Fix this by just verifying the fds early on. + +Link: http://lkml.kernel.org/r/20200710085722.435850-1-hch@lst.de +Reported-by: syzbot+e6f77e16ff68b2434a2c@syzkaller.appspotmail.com +Signed-off-by: Christoph Hellwig +[Dominique: amend goto as per Doug Nazar's review] +Signed-off-by: Dominique Martinet +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index d28c2cc9618fa..b6dcb40fa8a7d 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -831,20 +831,28 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) + return -ENOMEM; + + ts->rd = fget(rfd); ++ if (!ts->rd) ++ goto out_free_ts; ++ if (!(ts->rd->f_mode & FMODE_READ)) ++ goto out_put_rd; + ts->wr = fget(wfd); +- if (!ts->rd || !ts->wr) { +- if (ts->rd) +- fput(ts->rd); +- if (ts->wr) +- fput(ts->wr); +- kfree(ts); +- return -EIO; +- } ++ if (!ts->wr) ++ goto out_put_rd; ++ if (!(ts->wr->f_mode & FMODE_WRITE)) ++ goto out_put_wr; + + client->trans = ts; + client->status = Connected; + + return 0; ++ ++out_put_wr: ++ fput(ts->wr); ++out_put_rd: ++ fput(ts->rd); ++out_free_ts: ++ kfree(ts); ++ return -EIO; + } + + static int p9_socket_open(struct p9_client *client, struct socket *csocket) +-- +2.25.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 7866ad4670e..7d2a785751d 100644 --- a/queue-4.19/series 
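Review bot: validating FMODE_READ on rfd and FMODE_WRITE on wfd in p9_fd_open() moves the check on user-supplied descriptors to the point where they are accepted, instead of relying on the VFS to reject the first read or write; that is the right place for it. The fall-through label chain (`out_put_wr`, then `out_put_rd`, then `out_free_ts`) is ordered correctly for each failure point, and ts->wr is never touched on the paths that jump before its fget(). One quibble: a descriptor that exists but lacks the required mode now fails with -EIO, the same code as a missing descriptor; -EBADF would tell the caller which mistake it made, though changing it would alter what userspace sees.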
+++ b/queue-4.19/series @@ -16,3 +16,15 @@ leds-wm831x-status-fix-use-after-free-on-unbind.patch leds-da903x-fix-use-after-free-on-unbind.patch leds-lm3533-fix-use-after-free-on-unbind.patch leds-88pm860x-fix-use-after-free-on-unbind.patch +net-9p-validate-fds-in-p9_fd_open.patch +drm-nouveau-fbcon-fix-module-unload-when-fbcon-init-.patch +drm-nouveau-fbcon-zero-initialise-the-mode_cmd2-stru.patch +i2c-slave-improve-sanity-check-when-registering.patch +i2c-slave-add-sanity-check-when-unregistering.patch +usb-hso-check-for-return-value-in-hso_serial_common_.patch +firmware-fix-a-reference-count-leak.patch +cfg80211-check-vendor-command-doit-pointer-before-us.patch +igb-reinit_locked-should-be-called-with-rtnl_lock.patch +atm-fix-atm_dev-refcnt-leaks-in-atmtcp_remove_persis.patch +tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch +drivers-hv-vmbus-ignore-channelmsg_tl_connect_result.patch diff --git a/queue-4.19/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch b/queue-4.19/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch new file mode 100644 index 00000000000..8e80d29d13a --- /dev/null +++ b/queue-4.19/tools-lib-traceevent-fix-memory-leak-in-process_dyna.patch 
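Review bot: the order in the series file is consistent with the blob hashes in the patches: the nouveau unload fix leaves nouveau_fbcon.c at fef38ea146a2a, which is the base the zero-initialise patch expects, and i2c-slave-improve leaves i2c-core-slave.c at 88959c8580ce0, which is the base of i2c-slave-add, so both pairs apply in the order listed. The remaining entries touch distinct files and carry no such ordering constraint.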
@@ -0,0 +1,72 @@ +From bb53b6c57d4b670107a8ec0318669cc4b6b6f265 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 30 Jul 2020 11:02:36 -0400 +Subject: tools lib traceevent: Fix memory leak in process_dynamic_array_len + +From: Philippe Duplessis-Guindon + +[ Upstream commit e24c6447ccb7b1a01f9bf0aec94939e6450c0b4d ] + +I compiled with AddressSanitizer and I had these memory leaks while I +was using the tep_parse_format function: + + Direct leak of 28 byte(s) in 4 object(s) allocated from: + #0 0x7fb07db49ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe) + #1 0x7fb07a724228 in extend_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:985 + #2 0x7fb07a724c21 in __read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1140 + #3 0x7fb07a724f78 in read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1206 + #4 0x7fb07a725191 in __read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1291 + #5 0x7fb07a7251df in read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1299 + #6 0x7fb07a72e6c8 in process_dynamic_array_len /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:2849 + #7 0x7fb07a7304b8 in process_function /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3161 + #8 0x7fb07a730900 in process_arg_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3207 + #9 0x7fb07a727c0b in process_arg /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1786 + #10 0x7fb07a731080 in event_read_print_args /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3285 + #11 0x7fb07a731722 in event_read_print /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3369 + #12 0x7fb07a740054 in __tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6335 + #13 0x7fb07a74047a in __parse_event /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6389 + 
#14 0x7fb07a740536 in tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6431 + #15 0x7fb07a785acf in parse_event ../../../src/fs-src/fs.c:251 + #16 0x7fb07a785ccd in parse_systems ../../../src/fs-src/fs.c:284 + #17 0x7fb07a786fb3 in read_metadata ../../../src/fs-src/fs.c:593 + #18 0x7fb07a78760e in ftrace_fs_source_init ../../../src/fs-src/fs.c:727 + #19 0x7fb07d90c19c in add_component_with_init_method_data ../../../../src/lib/graph/graph.c:1048 + #20 0x7fb07d90c87b in add_source_component_with_initialize_method_data ../../../../src/lib/graph/graph.c:1127 + #21 0x7fb07d90c92a in bt_graph_add_source_component ../../../../src/lib/graph/graph.c:1152 + #22 0x55db11aa632e in cmd_run_ctx_create_components_from_config_components ../../../src/cli/babeltrace2.c:2252 + #23 0x55db11aa6fda in cmd_run_ctx_create_components ../../../src/cli/babeltrace2.c:2347 + #24 0x55db11aa780c in cmd_run ../../../src/cli/babeltrace2.c:2461 + #25 0x55db11aa8a7d in main ../../../src/cli/babeltrace2.c:2673 + #26 0x7fb07d5460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) + +The token variable in the process_dynamic_array_len function is +allocated in the read_expect_type function, but is not freed before +calling the read_token function. + +Free the token variable before calling read_token in order to plug the +leak. 
+ +Signed-off-by: Philippe Duplessis-Guindon +Reviewed-by: Steven Rostedt (VMware) +Link: https://lore.kernel.org/linux-trace-devel/20200730150236.5392-1-pduplessis@efficios.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/lib/traceevent/event-parse.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/tools/lib/traceevent/event-parse.c b/tools/lib/traceevent/event-parse.c +index 382e476629fb1..c0fcc8af2a3ef 100644 +--- a/tools/lib/traceevent/event-parse.c ++++ b/tools/lib/traceevent/event-parse.c +@@ -2766,6 +2766,7 @@ process_dynamic_array_len(struct event_format *event, struct print_arg *arg, + if (read_expected(EVENT_DELIM, ")") < 0) + goto out_err; + ++ free_token(token); + type = read_token(&token); + *tok = token; + +-- +2.25.1 + diff --git a/queue-4.19/usb-hso-check-for-return-value-in-hso_serial_common_.patch b/queue-4.19/usb-hso-check-for-return-value-in-hso_serial_common_.patch new file mode 100644 index 00000000000..697fb1f9b48 --- /dev/null +++ b/queue-4.19/usb-hso-check-for-return-value-in-hso_serial_common_.patch 
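Review bot: `free_token(token)` before `type = read_token(&token)` releases the buffer that read_expect_type() allocated and that the following read_token() would otherwise overwrite, which is the leak the AddressSanitizer trace attributes to this function. Because read_token() reassigns token on the very next line there is no window in which the freed pointer is used, and `*tok = token` hands back the fresh value. The earlier `goto out_err` on read_expected() failure still holds the allocated token at that point; whether out_err frees it is outside the hunk, so please check that path too, since the same leak pattern would apply.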
@@ -0,0 +1,53 @@ +From eec2c64678fb909e6e33b8b7d961e7a9ed450de6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 23:42:17 -0700 +Subject: usb: hso: check for return value in hso_serial_common_create() + +From: Rustam Kovhaev + +[ Upstream commit e911e99a0770f760377c263bc7bac1b1593c6147 ] + +in case of an error tty_register_device_attr() returns ERR_PTR(), +add IS_ERR() check + +Reported-and-tested-by: syzbot+67b2bd0e34f952d0321e@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?extid=67b2bd0e34f952d0321e +Signed-off-by: Rustam Kovhaev +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/usb/hso.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c +index 61b9d33681484..bff268b4a9a46 100644 +--- a/drivers/net/usb/hso.c ++++ b/drivers/net/usb/hso.c +@@ -2274,12 +2274,14 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs, + + minor = get_free_serial_index(); + if (minor < 0) +- goto exit; ++ goto exit2; + + /* register our minor number */ + serial->parent->dev = tty_port_register_device_attr(&serial->port, + tty_drv, minor, &serial->parent->interface->dev, + serial->parent, hso_serial_dev_groups); ++ if (IS_ERR(serial->parent->dev)) ++ goto exit2; + + /* fill in specific data for later use */ + serial->minor = minor; +@@ -2324,6 +2326,7 @@ static int hso_serial_common_create(struct hso_serial *serial, int num_urbs, + return 0; + exit: + hso_serial_tty_unregister(serial); ++exit2: + hso_serial_common_free(serial); + return -1; + } +-- +2.25.1 +
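Review bot: the `IS_ERR()` check after tty_port_register_device_attr() fixes the case where an ERR_PTR was stored in serial->parent->dev and later used as a device pointer; redirecting the `minor < 0` path to the new `exit2:` label is also right, since hso_serial_tty_unregister() must not run before anything was registered. Two follow-ups for the exit2 path: the ERR_PTR value remains in serial->parent->dev when hso_serial_common_free() runs, so confirm nothing downstream tests that field for NULL and treats it as a live device; and the minor obtained from get_free_serial_index() is not visibly returned on that path, so check whether it leaks. Separately, the function still returns -1 on failure rather than the errno from the failed call, which is pre-existing but hides the real cause from callers.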