From 303cbf0f940e0cb2e9692d91cd998700026eee77 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 24 May 2021 11:00:17 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
alsa-line6-fix-racy-initialization-of-line6-midi.patch
cifs-fix-memory-leak-in-smb2_copychunk_range.patch
---
 ...ix-racy-initialization-of-line6-midi.patch | 85 +++++++++++++++++++
 ...-memory-leak-in-smb2_copychunk_range.patch | 36 ++++++++
 queue-4.9/series | 2 +
 3 files changed, 123 insertions(+)
 create mode 100644 queue-4.9/alsa-line6-fix-racy-initialization-of-line6-midi.patch
 create mode 100644 queue-4.9/cifs-fix-memory-leak-in-smb2_copychunk_range.patch

diff --git a/queue-4.9/alsa-line6-fix-racy-initialization-of-line6-midi.patch b/queue-4.9/alsa-line6-fix-racy-initialization-of-line6-midi.patch
new file mode 100644
index 00000000000..427f5acf3c1
--- /dev/null
+++ b/queue-4.9/alsa-line6-fix-racy-initialization-of-line6-midi.patch
@@ -0,0 +1,85 @@
+From 05ca447630334c323c9e2b788b61133ab75d60d3 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 18 May 2021 10:39:39 +0200
+Subject: ALSA: line6: Fix racy initialization of LINE6 MIDI
+
+From: Takashi Iwai
+
+commit 05ca447630334c323c9e2b788b61133ab75d60d3 upstream.
+
+The initialization of MIDI devices that are found on some LINE6
+drivers are currently done in a racy way; namely, the MIDI buffer
+instance is allocated and initialized in each private_init callback
+while the communication with the interface is already started via
+line6_init_cap_control() call before that point. This may lead to
+Oops in line6_data_received() when a spurious event is received, as
+reported by syzkaller.
+
+This patch moves the MIDI initialization to line6_init_cap_control()
+as well instead of the too-lately-called private_init for avoiding the
+race. Also this reduces slightly more lines, so it's a win-win
+change.
+
+Reported-by: syzbot+0d2b3feb0a2887862e06@syzkallerlkml..appspotmail.com
+Link: https://lore.kernel.org/r/000000000000a4be9405c28520de@google.com
+Link: https://lore.kernel.org/r/20210517132725.GA50495@hyeyoo
+Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
+Cc:
+Link: https://lore.kernel.org/r/20210518083939.1927-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/usb/line6/driver.c | 4 ++++
+ sound/usb/line6/pod.c | 5 -----
+ sound/usb/line6/variax.c | 6 ------
+ 3 files changed, 4 insertions(+), 11 deletions(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -687,6 +687,10 @@ static int line6_init_cap_control(struct
+ line6->buffer_message = kmalloc(LINE6_MIDI_MESSAGE_MAXLEN, GFP_KERNEL);
+ if (!line6->buffer_message)
+ return -ENOMEM;
++
++ ret = line6_init_midi(line6);
++ if (ret < 0)
++ return ret;
+ } else {
+ ret = line6_hwdep_init(line6);
+ if (ret < 0)
+--- a/sound/usb/line6/pod.c
++++ b/sound/usb/line6/pod.c
+@@ -421,11 +421,6 @@ static int pod_init(struct usb_line6 *li
+ if (err < 0)
+ return err;
+
+- /* initialize MIDI subsystem: */
+- err = line6_init_midi(line6);
+- if (err < 0)
+- return err;
+-
+ /* initialize PCM subsystem: */
+ err = line6_init_pcm(line6, &pod_pcm_properties);
+ if (err < 0)
+--- a/sound/usb/line6/variax.c
++++ b/sound/usb/line6/variax.c
+@@ -217,7 +217,6 @@ static int variax_init(struct usb_line6
+ const struct usb_device_id *id)
+ {
+ struct usb_line6_variax *variax = (struct usb_line6_variax *) line6;
+- int err;
+
+ line6->process_message = line6_variax_process_message;
+ line6->disconnect = line6_variax_disconnect;
+@@ -233,11 +232,6 @@ static int variax_init(struct usb_line6
+ if (variax->buffer_activate == NULL)
+ return -ENOMEM;
+
+- /* initialize MIDI subsystem: */
+- err = line6_init_midi(&variax->line6);
+- if (err < 0)
+- return err;
+-
+ /* initiate startup procedure: */
+ variax_startup1(variax);
+ return 0;
diff --git a/queue-4.9/cifs-fix-memory-leak-in-smb2_copychunk_range.patch b/queue-4.9/cifs-fix-memory-leak-in-smb2_copychunk_range.patch
new file mode 100644
index 00000000000..bfe7f69abb9
--- /dev/null
+++ b/queue-4.9/cifs-fix-memory-leak-in-smb2_copychunk_range.patch
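Review bot: In the driver.c hunk the new line6_init_midi() call sits inside the branch that allocates buffer_message, whose condition lies outside the hunk, while the calls removed from pod_init() and variax_init() ran unconditionally; any driver whose private_init relied on that unconditional call without the matching capability bit would silently lose its MIDI interface after this move. If line6_init_midi() itself checks the capability, as its callers appear to assume, the move is harmless, but that dependency is not visible here and deserves confirming for the 4.9 tree. A one-line comment at the new call site, `/* MIDI state must exist before any URB can reach line6_data_received() */`, would record why the call no longer lives in private_init, which is the whole point of the patch. line6_init_cap_control(), pod_init() and variax_init() all start and end outside their hunks.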
@@ -0,0 +1,36 @@
+From d201d7631ca170b038e7f8921120d05eec70d7c5 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg
+Date: Wed, 19 May 2021 08:40:11 +1000
+Subject: cifs: fix memory leak in smb2_copychunk_range
+
+From: Ronnie Sahlberg
+
+commit d201d7631ca170b038e7f8921120d05eec70d7c5 upstream.
+
+When using smb2_copychunk_range() for large ranges we will
+run through several iterations of a loop calling SMB2_ioctl()
+but never actually free the returned buffer except for the final
+iteration.
+This leads to memory leaks everytime a large copychunk is requested.
+
+Fixes: 9bf0c9cd4314 ("CIFS: Fix SMB2/SMB3 Copy offload support (refcopy) for large files")
+Cc:
+Reviewed-by: Aurelien Aptel
+Signed-off-by: Ronnie Sahlberg
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cifs/smb2ops.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -629,6 +629,8 @@ smb2_clone_range(const unsigned int xid,
+ cpu_to_le32(min_t(u32, len, tcon->max_bytes_chunk));
+
+ /* Request server copy to target from src identified by key */
++ kfree(retbuf);
++ retbuf = NULL;
+ rc = SMB2_ioctl(xid, tcon, trgtfile->fid.persistent_fid,
+ trgtfile->fid.volatile_fid, FSCTL_SRV_COPYCHUNK_WRITE,
+ true /* is_fsctl */, (char *)pcchunk,
diff --git a/queue-4.9/series b/queue-4.9/series
index bdb5cfa436a..a8c8e98d44d 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -2,3 +2,5 @@ openrisc-fix-a-memory-leak.patch
 rdma-rxe-clear-all-qp-fields-if-creation-failed.patch
 scsi-qla2xxx-fix-error-return-code-in-qla82xx_write_.patch
 ptrace-make-ptrace-fail-if-the-tracee-changed-its-pi.patch
+cifs-fix-memory-leak-in-smb2_copychunk_range.patch
+alsa-line6-fix-racy-initialization-of-line6-midi.patch
--
2.47.3
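Review bot: The added `kfree(retbuf);` also runs on the first pass through the loop, so it is only safe if retbuf is initialised to NULL at its declaration, which lies outside this hunk and should be confirmed in the 4.9 version of smb2_clone_range() rather than assumed from upstream. Resetting `retbuf = NULL;` straight after the free is the right shape: it keeps the post-loop free, also outside the hunk, from double-freeing if SMB2_ioctl() returns an error without assigning a new reply. A short comment above the pair, `/* drop the previous chunk's reply before issuing the next SMB2_ioctl() */`, would make the placement self-explanatory to the next reader. smb2_clone_range() begins and ends outside the hunk.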