From 3a973803bb2761c96bce1094f656cbca7a034704 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 15 Jan 2020 16:03:57 +0100 Subject: [PATCH] 4.4-stable patches added patches: alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch alsa-line6-fix-write-on-zero-sized-buffer.patch cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch dccp-fix-memleak-in-__feat_register_sp.patch ext4-add-more-paranoia-checking-in-ext4_expand_extra_isize-handling.patch ext4-fix-use-after-free-race-with-debug_want_extra_isize.patch mac80211-do-not-send-layer-2-update-frame-before-authorization.patch media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch p54usb-fix-race-between-disconnect-and-firmware-loading.patch rsi-add-fix-for-crash-during-assertions.patch wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch wimax-i2400-fix-memory-leak.patch xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch --- ...ry-leak-at-line6_init_pcm-error-path.patch | 57 ++++++ ...line6-fix-write-on-zero-sized-buffer.patch | 42 +++++ ...send_layer2_update-a-public-function.patch | 168 +++++++++++++++++ ...cp-fix-memleak-in-__feat_register_sp.patch | 39 ++++ ...-in-ext4_expand_extra_isize-handling.patch | 94 ++++++++++ ...ree-race-with-debug_want_extra_isize.patch | 105 +++++++++++ ...-2-update-frame-before-authorization.patch | 98 ++++++++++ ...eref-read-in-zr364xx_vidioc_querycap.patch | 80 ++++++++ ...ilable-memory-in-a-separate-function.patch | 152 +++++++++++++++ ...ween-disconnect-and-firmware-loading.patch | 174 ++++++++++++++++++ ...-add-fix-for-crash-during-assertions.patch | 34 ++++ queue-4.4/series | 14 ++ ...y-leak-in-i2400m_op_rfkill_sw_toggle.patch | 40 ++++ queue-4.4/wimax-i2400-fix-memory-leak.patch | 30 +++ ...pages-fail-if-not-enough-memory-free.patch | 70 +++++++ 15 files changed, 1197 insertions(+) create mode 100644 queue-4.4/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch create mode 100644 queue-4.4/alsa-line6-fix-write-on-zero-sized-buffer.patch create mode 100644 queue-4.4/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch create mode 100644 queue-4.4/dccp-fix-memleak-in-__feat_register_sp.patch create mode 100644 queue-4.4/ext4-add-more-paranoia-checking-in-ext4_expand_extra_isize-handling.patch create mode 100644 queue-4.4/ext4-fix-use-after-free-race-with-debug_want_extra_isize.patch create mode 100644 queue-4.4/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch create mode 100644 queue-4.4/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch create mode 100644 queue-4.4/mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch create mode 100644 queue-4.4/p54usb-fix-race-between-disconnect-and-firmware-loading.patch create mode 100644 queue-4.4/rsi-add-fix-for-crash-during-assertions.patch create mode 100644 queue-4.4/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch create mode 100644 queue-4.4/wimax-i2400-fix-memory-leak.patch create mode 100644 queue-4.4/xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch diff --git a/queue-4.4/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch b/queue-4.4/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch new file mode 100644 index 00000000000..99a08151abe --- /dev/null +++ b/queue-4.4/alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch @@ -0,0 +1,57 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Takashi Iwai +Date: Wed, 21 Aug 2019 20:00:02 +0200 +Subject: ALSA: line6: Fix memory leak at line6_init_pcm() error path + +From: Takashi Iwai + +commit 1bc8d18c75fef3b478dbdfef722aae09e2a9fde7 upstream. + +I forgot to release the allocated object at the early error path in +line6_init_pcm(). For addressing it, slightly shuffle the code so +that the PCM destructor (pcm->private_free) is assigned properly +before all error paths. + +Fixes: 3450121997ce ("ALSA: line6: Fix write on zero-sized buffer") +Signed-off-by: Takashi Iwai +[bwh: Backported to 4.4: adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/line6/pcm.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/sound/usb/line6/pcm.c ++++ b/sound/usb/line6/pcm.c +@@ -523,6 +523,15 @@ int line6_init_pcm(struct usb_line6 *lin + line6pcm->volume_monitor = 255; + line6pcm->line6 = line6; + ++ spin_lock_init(&line6pcm->out.lock); ++ spin_lock_init(&line6pcm->in.lock); ++ line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD; ++ ++ line6->line6pcm = line6pcm; ++ ++ pcm->private_data = line6pcm; ++ pcm->private_free = line6_cleanup_pcm; ++ + /* Read and write buffers are sized identically, so choose minimum */ + line6pcm->max_packet_size = min( + usb_maxpacket(line6->usbdev, +@@ -535,15 +544,6 @@ int line6_init_pcm(struct usb_line6 *lin + return -EINVAL; + } + +- spin_lock_init(&line6pcm->out.lock); +- spin_lock_init(&line6pcm->in.lock); +- line6pcm->impulse_period = LINE6_IMPULSE_DEFAULT_PERIOD; +- +- line6->line6pcm = line6pcm; +- +- pcm->private_data = line6pcm; +- pcm->private_free = line6_cleanup_pcm; +- + err = line6_create_audio_out_urbs(line6pcm); + if (err < 0) + return err; diff --git a/queue-4.4/alsa-line6-fix-write-on-zero-sized-buffer.patch b/queue-4.4/alsa-line6-fix-write-on-zero-sized-buffer.patch new file mode 100644 index 00000000000..d8f79f38338 --- /dev/null +++ b/queue-4.4/alsa-line6-fix-write-on-zero-sized-buffer.patch @@ -0,0 +1,42 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Takashi Iwai +Date: Tue, 2 Jul 2019 20:07:21 +0200 +Subject: ALSA: line6: Fix write on zero-sized buffer + +From: Takashi Iwai + +commit 3450121997ce872eb7f1248417225827ea249710 upstream. + +LINE6 drivers allocate the buffers based on the value returned from +usb_maxpacket() calls. The manipulated device may return zero for +this, and this results in the kmalloc() with zero size (and it may +succeed) while the other part of the driver code writes the packet +data with the fixed size -- which eventually overwrites. + +This patch adds a simple sanity check for the invalid buffer size for +avoiding that problem. + +Reported-by: syzbot+219f00fb49874dcaea17@syzkaller.appspotmail.com +Signed-off-by: Takashi Iwai +[bwh: Backported to 4.4: Driver doesn't support asymmetrical packet + sizes, so only check snd_line6_pcm::max_packet_size] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/line6/pcm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/usb/line6/pcm.c ++++ b/sound/usb/line6/pcm.c +@@ -529,6 +529,11 @@ int line6_init_pcm(struct usb_line6 *lin + usb_rcvisocpipe(line6->usbdev, ep_read), 0), + usb_maxpacket(line6->usbdev, + usb_sndisocpipe(line6->usbdev, ep_write), 1)); ++ if (!line6pcm->max_packet_size) { ++ dev_err(line6pcm->line6->ifcdev, ++ "cannot get proper max packet size\n"); ++ return -EINVAL; ++ } + + spin_lock_init(&line6pcm->out.lock); + spin_lock_init(&line6pcm->in.lock); diff --git a/queue-4.4/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch b/queue-4.4/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch new file mode 100644 index 00000000000..47559b64d87 --- /dev/null +++ b/queue-4.4/cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch @@ -0,0 +1,168 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Dedy Lansky +Date: Sun, 29 Jul 2018 14:59:16 +0300 +Subject: cfg80211/mac80211: make ieee80211_send_layer2_update a public function + +From: Dedy Lansky + +commit 30ca1aa536211f5ac3de0173513a7a99a98a97f3 upstream. + +Make ieee80211_send_layer2_update() a common function so other drivers +can re-use it. + +Signed-off-by: Dedy Lansky +Signed-off-by: Johannes Berg +[bwh: Backported to 4.4 as dependency of commit 3e493173b784 + "mac80211: Do not send Layer 2 Update frame before authorization": + - Retain type-casting of skb_put() return value + - Adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + include/net/cfg80211.h | 11 +++++++++++ + net/mac80211/cfg.c | 48 ++---------------------------------------------- + net/wireless/util.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 58 insertions(+), 46 deletions(-) + +--- a/include/net/cfg80211.h ++++ b/include/net/cfg80211.h +@@ -3856,6 +3856,17 @@ const u8 *cfg80211_find_vendor_ie(unsign + const u8 *ies, int len); + + /** ++ * cfg80211_send_layer2_update - send layer 2 update frame ++ * ++ * @dev: network device ++ * @addr: STA MAC address ++ * ++ * Wireless drivers can use this function to update forwarding tables in bridge ++ * devices upon STA association. ++ */ ++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr); ++ ++/** + * DOC: Regulatory enforcement infrastructure + * + * TODO +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -875,50 +875,6 @@ static int ieee80211_stop_ap(struct wiph + return 0; + } + +-/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */ +-struct iapp_layer2_update { +- u8 da[ETH_ALEN]; /* broadcast */ +- u8 sa[ETH_ALEN]; /* STA addr */ +- __be16 len; /* 6 */ +- u8 dsap; /* 0 */ +- u8 ssap; /* 0 */ +- u8 control; +- u8 xid_info[3]; +-} __packed; +- +-static void ieee80211_send_layer2_update(struct sta_info *sta) +-{ +- struct iapp_layer2_update *msg; +- struct sk_buff *skb; +- +- /* Send Level 2 Update Frame to update forwarding tables in layer 2 +- * bridge devices */ +- +- skb = dev_alloc_skb(sizeof(*msg)); +- if (!skb) +- return; +- msg = (struct iapp_layer2_update *)skb_put(skb, sizeof(*msg)); +- +- /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID) +- * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */ +- +- eth_broadcast_addr(msg->da); +- memcpy(msg->sa, sta->sta.addr, ETH_ALEN); +- msg->len = htons(6); +- msg->dsap = 0; +- msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */ +- msg->control = 0xaf; /* XID response lsb.1111F101. +- * F=0 (no poll command; unsolicited frame) */ +- msg->xid_info[0] = 0x81; /* XID format identifier */ +- msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */ +- msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */ +- +- skb->dev = sta->sdata->dev; +- skb->protocol = eth_type_trans(skb, sta->sdata->dev); +- memset(skb->cb, 0, sizeof(skb->cb)); +- netif_rx_ni(skb); +-} +- + static int sta_apply_auth_flags(struct ieee80211_local *local, + struct sta_info *sta, + u32 mask, u32 set) +@@ -1258,7 +1214,7 @@ static int ieee80211_add_station(struct + } + + if (layer2_update) +- ieee80211_send_layer2_update(sta); ++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); + + rcu_read_unlock(); + +@@ -1367,7 +1323,7 @@ static int ieee80211_change_station(stru + atomic_inc(&sta->sdata->bss->num_mcast_sta); + } + +- ieee80211_send_layer2_update(sta); ++ cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); + } + + err = sta_apply_parameters(local, sta, params); +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -1814,3 +1814,48 @@ EXPORT_SYMBOL(rfc1042_header); + const unsigned char bridge_tunnel_header[] __aligned(2) = + { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0xf8 }; + EXPORT_SYMBOL(bridge_tunnel_header); ++ ++/* Layer 2 Update frame (802.2 Type 1 LLC XID Update response) */ ++struct iapp_layer2_update { ++ u8 da[ETH_ALEN]; /* broadcast */ ++ u8 sa[ETH_ALEN]; /* STA addr */ ++ __be16 len; /* 6 */ ++ u8 dsap; /* 0 */ ++ u8 ssap; /* 0 */ ++ u8 control; ++ u8 xid_info[3]; ++} __packed; ++ ++void cfg80211_send_layer2_update(struct net_device *dev, const u8 *addr) ++{ ++ struct iapp_layer2_update *msg; ++ struct sk_buff *skb; ++ ++ /* Send Level 2 Update Frame to update forwarding tables in layer 2 ++ * bridge devices */ ++ ++ skb = dev_alloc_skb(sizeof(*msg)); ++ if (!skb) ++ return; ++ msg = (struct iapp_layer2_update *)skb_put(skb, sizeof(*msg)); ++ ++ /* 802.2 Type 1 Logical Link Control (LLC) Exchange Identifier (XID) ++ * Update response frame; IEEE Std 802.2-1998, 5.4.1.2.1 */ ++ ++ eth_broadcast_addr(msg->da); ++ ether_addr_copy(msg->sa, addr); ++ msg->len = htons(6); ++ msg->dsap = 0; ++ msg->ssap = 0x01; /* NULL LSAP, CR Bit: Response */ ++ msg->control = 0xaf; /* XID response lsb.1111F101. ++ * F=0 (no poll command; unsolicited frame) */ ++ msg->xid_info[0] = 0x81; /* XID format identifier */ ++ msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */ ++ msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */ ++ ++ skb->dev = dev; ++ skb->protocol = eth_type_trans(skb, dev); ++ memset(skb->cb, 0, sizeof(skb->cb)); ++ netif_rx_ni(skb); ++} ++EXPORT_SYMBOL(cfg80211_send_layer2_update); diff --git a/queue-4.4/dccp-fix-memleak-in-__feat_register_sp.patch b/queue-4.4/dccp-fix-memleak-in-__feat_register_sp.patch new file mode 100644 index 00000000000..7430bf372bc --- /dev/null +++ b/queue-4.4/dccp-fix-memleak-in-__feat_register_sp.patch @@ -0,0 +1,39 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: YueHaibing +Date: Mon, 1 Apr 2019 09:35:54 +0800 +Subject: dccp: Fix memleak in __feat_register_sp + +From: YueHaibing + +commit 1d3ff0950e2b40dc861b1739029649d03f591820 upstream. + +If dccp_feat_push_change fails, we forget free the mem +which is alloced by kmemdup in dccp_feat_clone_sp_val. + +Reported-by: Hulk Robot +Fixes: e8ef967a54f4 ("dccp: Registration routines for changing feature values") +Reviewed-by: Mukesh Ojha +Signed-off-by: YueHaibing +Signed-off-by: David S. Miller +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/feat.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/net/dccp/feat.c ++++ b/net/dccp/feat.c +@@ -738,7 +738,12 @@ static int __feat_register_sp(struct lis + if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len)) + return -ENOMEM; + +- return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval); ++ if (dccp_feat_push_change(fn, feat, is_local, mandatory, &fval)) { ++ kfree(fval.sp.vec); ++ return -ENOMEM; ++ } ++ ++ return 0; + } + + /** diff --git a/queue-4.4/ext4-add-more-paranoia-checking-in-ext4_expand_extra_isize-handling.patch b/queue-4.4/ext4-add-more-paranoia-checking-in-ext4_expand_extra_isize-handling.patch new file mode 100644 index 00000000000..3b808b318cd --- /dev/null +++ b/queue-4.4/ext4-add-more-paranoia-checking-in-ext4_expand_extra_isize-handling.patch @@ -0,0 +1,94 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Theodore Ts'o +Date: Thu, 7 Nov 2019 21:43:41 -0500 +Subject: ext4: add more paranoia checking in ext4_expand_extra_isize handling + +From: Theodore Ts'o + +commit 4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a upstream. + +It's possible to specify a non-zero s_want_extra_isize via debugging +option, and this can cause bad things(tm) to happen when using a file +system with an inode size of 128 bytes. + +Add better checking when the file system is mounted, as well as when +we are actually doing the trying to do the inode expansion. + +Link: https://lore.kernel.org/r/20191110121510.GH23325@mit.edu +Reported-by: syzbot+f8d6f8386ceacdbfff57@syzkaller.appspotmail.com +Reported-by: syzbot+33d7ea72e47de3bdf4e1@syzkaller.appspotmail.com +Reported-by: syzbot+44b6763edfc17144296f@syzkaller.appspotmail.com +Signed-off-by: Theodore Ts'o +[bwh: Backported to 4.4: adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/inode.c | 15 +++++++++++++++ + fs/ext4/super.c | 20 ++++++++++++-------- + 2 files changed, 27 insertions(+), 8 deletions(-) + +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -5189,10 +5189,25 @@ static int ext4_expand_extra_isize(struc + { + struct ext4_inode *raw_inode; + struct ext4_xattr_ibody_header *header; ++ unsigned int inode_size = EXT4_INODE_SIZE(inode->i_sb); ++ struct ext4_inode_info *ei = EXT4_I(inode); + + if (EXT4_I(inode)->i_extra_isize >= new_extra_isize) + return 0; + ++ /* this was checked at iget time, but double check for good measure */ ++ if ((EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > inode_size) || ++ (ei->i_extra_isize & 3)) { ++ EXT4_ERROR_INODE(inode, "bad extra_isize %u (inode size %u)", ++ ei->i_extra_isize, ++ EXT4_INODE_SIZE(inode->i_sb)); ++ return -EFSCORRUPTED; ++ } ++ if ((new_extra_isize < ei->i_extra_isize) || ++ (new_extra_isize < 4) || ++ (new_extra_isize > inode_size - EXT4_GOOD_OLD_INODE_SIZE)) ++ return -EINVAL; /* Should never happen */ ++ + raw_inode = ext4_raw_inode(&iloc); + + header = IHDR(inode, raw_inode); +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3173,11 +3173,15 @@ static void ext4_clamp_want_extra_isize( + { + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_super_block *es = sbi->s_es; ++ unsigned def_extra_isize = sizeof(struct ext4_inode) - ++ EXT4_GOOD_OLD_INODE_SIZE; + +- /* determine the minimum size of new large inodes, if present */ +- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) { +- sbi->s_want_extra_isize = sizeof(struct ext4_inode) - +- EXT4_GOOD_OLD_INODE_SIZE; ++ if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) { ++ sbi->s_want_extra_isize = 0; ++ return; ++ } ++ if (sbi->s_want_extra_isize < 4) { ++ sbi->s_want_extra_isize = def_extra_isize; + if (ext4_has_feature_extra_isize(sb)) { + if (sbi->s_want_extra_isize < + le16_to_cpu(es->s_want_extra_isize)) +@@ -3190,10 +3194,10 @@ static void ext4_clamp_want_extra_isize( + } + } + /* Check if enough inode space is available */ +- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > +- sbi->s_inode_size) { +- sbi->s_want_extra_isize = sizeof(struct ext4_inode) - +- EXT4_GOOD_OLD_INODE_SIZE; ++ if ((sbi->s_want_extra_isize > sbi->s_inode_size) || ++ (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > ++ sbi->s_inode_size)) { ++ sbi->s_want_extra_isize = def_extra_isize; + ext4_msg(sb, KERN_INFO, + "required extra inode space not available"); + } diff --git a/queue-4.4/ext4-fix-use-after-free-race-with-debug_want_extra_isize.patch b/queue-4.4/ext4-fix-use-after-free-race-with-debug_want_extra_isize.patch new file mode 100644 index 00000000000..9b5a06f9d04 --- /dev/null +++ b/queue-4.4/ext4-fix-use-after-free-race-with-debug_want_extra_isize.patch @@ -0,0 +1,105 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Barret Rhoden +Date: Thu, 25 Apr 2019 11:55:50 -0400 +Subject: ext4: fix use-after-free race with debug_want_extra_isize + +From: Barret Rhoden + +commit 7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7 upstream. + +When remounting with debug_want_extra_isize, we were not performing the +same checks that we do during a normal mount. That allowed us to set a +value for s_want_extra_isize that reached outside the s_inode_size. + +Fixes: e2b911c53584 ("ext4: clean up feature test macros with predicate functions") +Reported-by: syzbot+f584efa0ac7213c226b7@syzkaller.appspotmail.com +Reviewed-by: Jan Kara +Signed-off-by: Barret Rhoden +Signed-off-by: Theodore Ts'o +[bwh: Backported to 4.4: The debug_want_extra_isize mount option is not + supported] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/super.c | 56 +++++++++++++++++++++++++++++++++----------------------- + 1 file changed, 33 insertions(+), 23 deletions(-) + +--- a/fs/ext4/super.c ++++ b/fs/ext4/super.c +@@ -3169,6 +3169,36 @@ int ext4_calculate_overhead(struct super + return 0; + } + ++static void ext4_clamp_want_extra_isize(struct super_block *sb) ++{ ++ struct ext4_sb_info *sbi = EXT4_SB(sb); ++ struct ext4_super_block *es = sbi->s_es; ++ ++ /* determine the minimum size of new large inodes, if present */ ++ if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) { ++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) - ++ EXT4_GOOD_OLD_INODE_SIZE; ++ if (ext4_has_feature_extra_isize(sb)) { ++ if (sbi->s_want_extra_isize < ++ le16_to_cpu(es->s_want_extra_isize)) ++ sbi->s_want_extra_isize = ++ le16_to_cpu(es->s_want_extra_isize); ++ if (sbi->s_want_extra_isize < ++ le16_to_cpu(es->s_min_extra_isize)) ++ sbi->s_want_extra_isize = ++ le16_to_cpu(es->s_min_extra_isize); ++ } ++ } ++ /* Check if enough inode space is available */ ++ if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > ++ sbi->s_inode_size) { ++ sbi->s_want_extra_isize = sizeof(struct ext4_inode) - ++ EXT4_GOOD_OLD_INODE_SIZE; ++ ext4_msg(sb, KERN_INFO, ++ "required extra inode space not available"); ++ } ++} ++ + static void ext4_set_resv_clusters(struct super_block *sb) + { + ext4_fsblk_t resv_clusters; +@@ -3991,29 +4021,7 @@ no_journal: + if (ext4_setup_super(sb, es, sb->s_flags & MS_RDONLY)) + sb->s_flags |= MS_RDONLY; + +- /* determine the minimum size of new large inodes, if present */ +- if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) { +- sbi->s_want_extra_isize = sizeof(struct ext4_inode) - +- EXT4_GOOD_OLD_INODE_SIZE; +- if (ext4_has_feature_extra_isize(sb)) { +- if (sbi->s_want_extra_isize < +- le16_to_cpu(es->s_want_extra_isize)) +- sbi->s_want_extra_isize = +- le16_to_cpu(es->s_want_extra_isize); +- if (sbi->s_want_extra_isize < +- le16_to_cpu(es->s_min_extra_isize)) +- sbi->s_want_extra_isize = +- le16_to_cpu(es->s_min_extra_isize); +- } +- } +- /* Check if enough inode space is available */ +- if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > +- sbi->s_inode_size) { +- sbi->s_want_extra_isize = sizeof(struct ext4_inode) - +- EXT4_GOOD_OLD_INODE_SIZE; +- ext4_msg(sb, KERN_INFO, "required extra inode space not" +- "available"); +- } ++ ext4_clamp_want_extra_isize(sb); + + ext4_set_resv_clusters(sb); + +@@ -4766,6 +4774,8 @@ static int ext4_remount(struct super_blo + goto restore_opts; + } + ++ ext4_clamp_want_extra_isize(sb); ++ + if ((old_opts.s_mount_opt & EXT4_MOUNT_JOURNAL_CHECKSUM) ^ + test_opt(sb, JOURNAL_CHECKSUM)) { + ext4_msg(sb, KERN_ERR, "changing journal_checksum " diff --git a/queue-4.4/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch b/queue-4.4/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch new file mode 100644 index 00000000000..57eefea0ae6 --- /dev/null +++ b/queue-4.4/mac80211-do-not-send-layer-2-update-frame-before-authorization.patch @@ -0,0 +1,98 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Jouni Malinen +Date: Wed, 11 Sep 2019 16:03:05 +0300 +Subject: mac80211: Do not send Layer 2 Update frame before authorization + +From: Jouni Malinen + +commit 3e493173b7841259a08c5c8e5cbe90adb349da7e upstream. + +The Layer 2 Update frame is used to update bridges when a station roams +to another AP even if that STA does not transmit any frames after the +reassociation. This behavior was described in IEEE Std 802.11F-2003 as +something that would happen based on MLME-ASSOCIATE.indication, i.e., +before completing 4-way handshake. However, this IEEE trial-use +recommended practice document was published before RSN (IEEE Std +802.11i-2004) and as such, did not consider RSN use cases. Furthermore, +IEEE Std 802.11F-2003 was withdrawn in 2006 and as such, has not been +maintained amd should not be used anymore. + +Sending out the Layer 2 Update frame immediately after association is +fine for open networks (and also when using SAE, FT protocol, or FILS +authentication when the station is actually authenticated by the time +association completes). However, it is not appropriate for cases where +RSN is used with PSK or EAP authentication since the station is actually +fully authenticated only once the 4-way handshake completes after +authentication and attackers might be able to use the unauthenticated +triggering of Layer 2 Update frame transmission to disrupt bridge +behavior. + +Fix this by postponing transmission of the Layer 2 Update frame from +station entry addition to the point when the station entry is marked +authorized. Similarly, send out the VLAN binding update only if the STA +entry has already been authorized. + +Signed-off-by: Jouni Malinen +Reviewed-by: Johannes Berg +Signed-off-by: David S. Miller +[bwh: Backported to 4.4: adjust context] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 11 +++-------- + net/mac80211/sta_info.c | 4 ++++ + 2 files changed, 7 insertions(+), 8 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1150,7 +1150,6 @@ static int ieee80211_add_station(struct + struct sta_info *sta; + struct ieee80211_sub_if_data *sdata; + int err; +- int layer2_update; + + if (params->vlan) { + sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan); +@@ -1204,18 +1203,12 @@ static int ieee80211_add_station(struct + test_sta_flag(sta, WLAN_STA_ASSOC)) + rate_control_rate_init(sta); + +- layer2_update = sdata->vif.type == NL80211_IFTYPE_AP_VLAN || +- sdata->vif.type == NL80211_IFTYPE_AP; +- + err = sta_info_insert_rcu(sta); + if (err) { + rcu_read_unlock(); + return err; + } + +- if (layer2_update) +- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); +- + rcu_read_unlock(); + + return 0; +@@ -1323,7 +1316,9 @@ static int ieee80211_change_station(stru + atomic_inc(&sta->sdata->bss->num_mcast_sta); + } + +- cfg80211_send_layer2_update(sta->sdata->dev, sta->sta.addr); ++ if (sta->sta_state == IEEE80211_STA_AUTHORIZED) ++ cfg80211_send_layer2_update(sta->sdata->dev, ++ sta->sta.addr); + } + + err = sta_apply_parameters(local, sta, params); +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -1775,6 +1775,10 @@ int sta_info_move_state(struct sta_info + set_bit(WLAN_STA_AUTHORIZED, &sta->_flags); + ieee80211_check_fast_xmit(sta); + } ++ if (sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN || ++ sta->sdata->vif.type == NL80211_IFTYPE_AP) ++ cfg80211_send_layer2_update(sta->sdata->dev, ++ sta->sta.addr); + break; + default: + break; diff --git a/queue-4.4/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch b/queue-4.4/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch new file mode 100644 index 00000000000..42d5cb08e03 --- /dev/null +++ b/queue-4.4/media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch @@ -0,0 +1,80 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Vandana BN +Date: Wed, 22 May 2019 04:34:15 -0400 +Subject: media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap + +From: Vandana BN + +commit 5d2e73a5f80a5b5aff3caf1ec6d39b5b3f54b26e upstream. + +SyzKaller hit the null pointer deref while reading from uninitialized +udev->product in zr364xx_vidioc_querycap(). + +================================================================== +BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20 +include/linux/compiler.h:274 +Read of size 1 at addr 0000000000000000 by task v4l_id/5287 + +CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe8/0x16e lib/dump_stack.c:113 + kasan_report.cold+0x5/0x3c mm/kasan/report.c:321 + read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274 + strscpy+0x8a/0x280 lib/string.c:207 + zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706 + v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062 + __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874 + video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056 + v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:509 [inline] + do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696 + ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713 + __do_sys_ioctl fs/ioctl.c:720 [inline] + __se_sys_ioctl fs/ioctl.c:718 [inline] + __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718 + do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x7f3b56d8b347 +Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff +ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff +ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64 +RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347 +RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884 +R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000 +================================================================== + +For this device udev->product is not initialized and accessing it causes a NULL pointer deref. + +The fix is to check for NULL before strscpy() and copy empty string, if +product is NULL + +Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com +Signed-off-by: Vandana BN +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +[bwh: Backported to 4.4: This function uses strlcpy() instead of strscpy()] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/zr364xx/zr364xx.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/zr364xx/zr364xx.c ++++ b/drivers/media/usb/zr364xx/zr364xx.c +@@ -711,7 +711,8 @@ static int zr364xx_vidioc_querycap(struc + struct zr364xx_camera *cam = video_drvdata(file); + + strlcpy(cap->driver, DRIVER_DESC, sizeof(cap->driver)); +- strlcpy(cap->card, cam->udev->product, sizeof(cap->card)); ++ if (cam->udev->product) ++ strlcpy(cap->card, cam->udev->product, sizeof(cap->card)); + strlcpy(cap->bus_info, dev_name(&cam->udev->dev), + sizeof(cap->bus_info)); + cap->device_caps = V4L2_CAP_VIDEO_CAPTURE | diff --git a/queue-4.4/mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch b/queue-4.4/mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch new file mode 100644 index 00000000000..450c19524fd --- /dev/null +++ b/queue-4.4/mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch @@ -0,0 +1,152 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Igor Redko +Date: Thu, 17 Mar 2016 14:19:05 -0700 +Subject: mm/page_alloc.c: calculate 'available' memory in a separate function + +From: Igor Redko + +commit d02bd27bd33dd7e8d22594cd568b81be0cb584cd upstream. + +Add a new field, VIRTIO_BALLOON_S_AVAIL, to virtio_balloon memory +statistics protocol, corresponding to 'Available' in /proc/meminfo. + +It indicates to the hypervisor how big the balloon can be inflated +without pushing the guest system to swap. This metric would be very +useful in VM orchestration software to improve memory management of +different VMs under overcommit. + +This patch (of 2): + +Factor out calculation of the available memory counter into a separate +exportable function, in order to be able to use it in other parts of the +kernel. + +In particular, it appears a relevant metric to report to the hypervisor +via virtio-balloon statistics interface (in a followup patch). + +Signed-off-by: Igor Redko +Signed-off-by: Denis V. Lunev +Reviewed-by: Roman Kagan +Cc: Michael S. Tsirkin +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +[bwh: Backported to 4.4 as dependency of commit a1078e821b60 + "xen: let alloc_xenballooned_pages() fail if not enough memory free"] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + fs/proc/meminfo.c | 31 +------------------------------ + include/linux/mm.h | 1 + + mm/page_alloc.c | 43 +++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 45 insertions(+), 30 deletions(-) + +--- a/fs/proc/meminfo.c ++++ b/fs/proc/meminfo.c +@@ -29,10 +29,7 @@ static int meminfo_proc_show(struct seq_ + unsigned long committed; + long cached; + long available; +- unsigned long pagecache; +- unsigned long wmark_low = 0; + unsigned long pages[NR_LRU_LISTS]; +- struct zone *zone; + int lru; + + /* +@@ -51,33 +48,7 @@ static int meminfo_proc_show(struct seq_ + for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++) + pages[lru] = global_page_state(NR_LRU_BASE + lru); + +- for_each_zone(zone) +- wmark_low += zone->watermark[WMARK_LOW]; +- +- /* +- * Estimate the amount of memory available for userspace allocations, +- * without causing swapping. +- */ +- available = i.freeram - totalreserve_pages; +- +- /* +- * Not all the page cache can be freed, otherwise the system will +- * start swapping. Assume at least half of the page cache, or the +- * low watermark worth of cache, needs to stay. +- */ +- pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE]; +- pagecache -= min(pagecache / 2, wmark_low); +- available += pagecache; +- +- /* +- * Part of the reclaimable slab consists of items that are in use, +- * and cannot be freed. Cap this estimate at the low watermark. +- */ +- available += global_page_state(NR_SLAB_RECLAIMABLE) - +- min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low); +- +- if (available < 0) +- available = 0; ++ available = si_mem_available(); + + /* + * Tagged format, for easy grepping and expansion. +--- a/include/linux/mm.h ++++ b/include/linux/mm.h +@@ -1802,6 +1802,7 @@ extern int __meminit init_per_zone_wmark + extern void mem_init(void); + extern void __init mmap_init(void); + extern void show_mem(unsigned int flags); ++extern long si_mem_available(void); + extern void si_meminfo(struct sysinfo * val); + extern void si_meminfo_node(struct sysinfo *val, int nid); + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -3650,6 +3650,49 @@ static inline void show_node(struct zone + printk("Node %d ", zone_to_nid(zone)); + } + ++long si_mem_available(void) ++{ ++ long available; ++ unsigned long pagecache; ++ unsigned long wmark_low = 0; ++ unsigned long pages[NR_LRU_LISTS]; ++ struct zone *zone; ++ int lru; ++ ++ for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++) ++ pages[lru] = global_page_state(NR_LRU_BASE + lru); ++ ++ for_each_zone(zone) ++ wmark_low += zone->watermark[WMARK_LOW]; ++ ++ /* ++ * Estimate the amount of memory available for userspace allocations, ++ * without causing swapping. ++ */ ++ available = global_page_state(NR_FREE_PAGES) - totalreserve_pages; ++ ++ /* ++ * Not all the page cache can be freed, otherwise the system will ++ * start swapping. Assume at least half of the page cache, or the ++ * low watermark worth of cache, needs to stay. ++ */ ++ pagecache = pages[LRU_ACTIVE_FILE] + pages[LRU_INACTIVE_FILE]; ++ pagecache -= min(pagecache / 2, wmark_low); ++ available += pagecache; ++ ++ /* ++ * Part of the reclaimable slab consists of items that are in use, ++ * and cannot be freed. Cap this estimate at the low watermark. ++ */ ++ available += global_page_state(NR_SLAB_RECLAIMABLE) - ++ min(global_page_state(NR_SLAB_RECLAIMABLE) / 2, wmark_low); ++ ++ if (available < 0) ++ available = 0; ++ return available; ++} ++EXPORT_SYMBOL_GPL(si_mem_available); ++ + void si_meminfo(struct sysinfo *val) + { + val->totalram = totalram_pages; diff --git a/queue-4.4/p54usb-fix-race-between-disconnect-and-firmware-loading.patch b/queue-4.4/p54usb-fix-race-between-disconnect-and-firmware-loading.patch new file mode 100644 index 00000000000..936617c382f --- /dev/null +++ b/queue-4.4/p54usb-fix-race-between-disconnect-and-firmware-loading.patch @@ -0,0 +1,174 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Alan Stern +Date: Mon, 20 May 2019 10:44:21 -0400 +Subject: p54usb: Fix race between disconnect and firmware loading + +From: Alan Stern + +commit 6e41e2257f1094acc37618bf6c856115374c6922 upstream. + +The syzbot fuzzer found a bug in the p54 USB wireless driver. The +issue involves a race between disconnect and the firmware-loader +callback routine, and it has several aspects. + +One big problem is that when the firmware can't be loaded, the +callback routine tries to unbind the driver from the USB _device_ (by +calling device_release_driver) instead of from the USB _interface_ to +which it is actually bound (by calling usb_driver_release_interface). + +The race involves access to the private data structure. The driver's +disconnect handler waits for a completion that is signalled by the +firmware-loader callback routine. As soon as the completion is +signalled, you have to assume that the private data structure may have +been deallocated by the disconnect handler -- even if the firmware was +loaded without errors. However, the callback routine does access the +private data several times after that point. + +Another problem is that, in order to ensure that the USB device +structure hasn't been freed when the callback routine runs, the driver +takes a reference to it. This isn't good enough any more, because now +that the callback routine calls usb_driver_release_interface, it has +to ensure that the interface structure hasn't been freed. + +Finally, the driver takes an unnecessary reference to the USB device +structure in the probe function and drops the reference in the +disconnect handler. This extra reference doesn't accomplish anything, +because the USB core already guarantees that a device structure won't +be deallocated while a driver is still bound to any of its interfaces. + +To fix these problems, this patch makes the following changes: + + Call usb_driver_release_interface() rather than + device_release_driver(). + + Don't signal the completion until after the important + information has been copied out of the private data structure, + and don't refer to the private data at all thereafter. + + Lock udev (the interface's parent) before unbinding the driver + instead of locking udev->parent. + + During the firmware loading process, take a reference to the + USB interface instead of the USB device. + + Don't take an unnecessary reference to the device during probe + (and then don't drop it during disconnect). + +Signed-off-by: Alan Stern +Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +[bwh: Backported to 4.4: adjust filename] +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/p54/p54usb.c | 43 +++++++++++++++----------------------- + 1 file changed, 18 insertions(+), 25 deletions(-) + +--- a/drivers/net/wireless/p54/p54usb.c ++++ b/drivers/net/wireless/p54/p54usb.c +@@ -33,6 +33,8 @@ MODULE_ALIAS("prism54usb"); + MODULE_FIRMWARE("isl3886usb"); + MODULE_FIRMWARE("isl3887usb"); + ++static struct usb_driver p54u_driver; ++ + /* + * Note: + * +@@ -921,9 +923,9 @@ static void p54u_load_firmware_cb(const + { + struct p54u_priv *priv = context; + struct usb_device *udev = priv->udev; ++ struct usb_interface *intf = priv->intf; + int err; + +- complete(&priv->fw_wait_load); + if (firmware) { + priv->fw = firmware; + err = p54u_start_ops(priv); +@@ -932,26 +934,22 @@ static void p54u_load_firmware_cb(const + dev_err(&udev->dev, "Firmware not found.\n"); + } + +- if (err) { +- struct device *parent = priv->udev->dev.parent; +- +- dev_err(&udev->dev, "failed to initialize device (%d)\n", err); +- +- if (parent) +- device_lock(parent); ++ complete(&priv->fw_wait_load); ++ /* ++ * At this point p54u_disconnect may have already freed ++ * the "priv" context. Do not use it anymore! ++ */ ++ priv = NULL; + +- device_release_driver(&udev->dev); +- /* +- * At this point p54u_disconnect has already freed +- * the "priv" context. Do not use it anymore! +- */ +- priv = NULL; ++ if (err) { ++ dev_err(&intf->dev, "failed to initialize device (%d)\n", err); + +- if (parent) +- device_unlock(parent); ++ usb_lock_device(udev); ++ usb_driver_release_interface(&p54u_driver, intf); ++ usb_unlock_device(udev); + } + +- usb_put_dev(udev); ++ usb_put_intf(intf); + } + + static int p54u_load_firmware(struct ieee80211_hw *dev, +@@ -972,14 +970,14 @@ static int p54u_load_firmware(struct iee + dev_info(&priv->udev->dev, "Loading firmware file %s\n", + p54u_fwlist[i].fw); + +- usb_get_dev(udev); ++ usb_get_intf(intf); + err = request_firmware_nowait(THIS_MODULE, 1, p54u_fwlist[i].fw, + device, GFP_KERNEL, priv, + p54u_load_firmware_cb); + if (err) { + dev_err(&priv->udev->dev, "(p54usb) cannot load firmware %s " + "(%d)!\n", p54u_fwlist[i].fw, err); +- usb_put_dev(udev); ++ usb_put_intf(intf); + } + + return err; +@@ -1011,8 +1009,6 @@ static int p54u_probe(struct usb_interfa + skb_queue_head_init(&priv->rx_queue); + init_usb_anchor(&priv->submitted); + +- usb_get_dev(udev); +- + /* really lazy and simple way of figuring out if we're a 3887 */ + /* TODO: should just stick the identification in the device table */ + i = intf->altsetting->desc.bNumEndpoints; +@@ -1053,10 +1049,8 @@ static int p54u_probe(struct usb_interfa + priv->upload_fw = p54u_upload_firmware_net2280; + } + err = p54u_load_firmware(dev, intf); +- if (err) { +- usb_put_dev(udev); ++ if (err) + p54_free_common(dev); +- } + return err; + } + +@@ -1072,7 +1066,6 @@ static void p54u_disconnect(struct usb_i + wait_for_completion(&priv->fw_wait_load); + p54_unregister_common(dev); + +- usb_put_dev(interface_to_usbdev(intf)); + release_firmware(priv->fw); + p54_free_common(dev); + } diff --git a/queue-4.4/rsi-add-fix-for-crash-during-assertions.patch b/queue-4.4/rsi-add-fix-for-crash-during-assertions.patch new file mode 100644 index 00000000000..e3c3d64013b --- /dev/null +++ b/queue-4.4/rsi-add-fix-for-crash-during-assertions.patch @@ -0,0 +1,34 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Sanjay Konduri +Date: Tue, 15 May 2018 14:34:30 +0530 +Subject: rsi: add fix for crash during assertions + +From: Sanjay Konduri + +commit abd39c6ded9db53aa44c2540092bdd5fb6590fa8 upstream. + +Observed crash in some scenarios when assertion has occurred, +this is because hw structure is freed and is tried to get +accessed in some functions where null check is already +present. So, avoided the crash by making the hw to NULL after +freeing. + +Signed-off-by: Sanjay Konduri +Signed-off-by: Sushant Kumar Mishra +Signed-off-by: Kalle Valo +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/rsi/rsi_91x_mac80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/rsi/rsi_91x_mac80211.c ++++ b/drivers/net/wireless/rsi/rsi_91x_mac80211.c +@@ -199,6 +199,7 @@ void rsi_mac80211_detach(struct rsi_hw * + ieee80211_stop_queues(hw); + ieee80211_unregister_hw(hw); + ieee80211_free_hw(hw); ++ adapter->hw = NULL; + } + + rsi_remove_dbgfs(adapter); diff --git a/queue-4.4/series b/queue-4.4/series index 4d1cfae346e..d520c477a2e 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -1,3 +1,17 @@ hidraw-return-epollout-from-hidraw_poll.patch hid-hidraw-fix-returning-epollout-from-hidraw_poll.patch hid-hidraw-uhid-always-report-epollout.patch +rsi-add-fix-for-crash-during-assertions.patch +cfg80211-mac80211-make-ieee80211_send_layer2_update-a-public-function.patch +mac80211-do-not-send-layer-2-update-frame-before-authorization.patch +media-usb-zr364xx-fix-kasan-null-ptr-deref-read-in-zr364xx_vidioc_querycap.patch +p54usb-fix-race-between-disconnect-and-firmware-loading.patch +alsa-line6-fix-write-on-zero-sized-buffer.patch +alsa-line6-fix-memory-leak-at-line6_init_pcm-error-path.patch +mm-page_alloc.c-calculate-available-memory-in-a-separate-function.patch +xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch +wimax-i2400-fix-memory-leak.patch +wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch +ext4-fix-use-after-free-race-with-debug_want_extra_isize.patch +ext4-add-more-paranoia-checking-in-ext4_expand_extra_isize-handling.patch +dccp-fix-memleak-in-__feat_register_sp.patch diff --git a/queue-4.4/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch b/queue-4.4/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch new file mode 100644 index 00000000000..524e8cf8953 --- /dev/null +++ b/queue-4.4/wimax-i2400-fix-memory-leak-in-i2400m_op_rfkill_sw_toggle.patch @@ -0,0 +1,40 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Navid Emamdoost +Date: Fri, 25 Oct 2019 23:53:30 -0500 +Subject: wimax: i2400: Fix memory leak in i2400m_op_rfkill_sw_toggle + +From: Navid Emamdoost + +commit 6f3ef5c25cc762687a7341c18cbea5af54461407 upstream. + +In the implementation of i2400m_op_rfkill_sw_toggle() the allocated +buffer for cmd should be released before returning. The +documentation for i2400m_msg_to_dev() says when it returns the buffer +can be reused. Meaning cmd should be released in either case. Move +kfree(cmd) before return to be reached by all execution paths. + +Fixes: 2507e6ab7a9a ("wimax: i2400: fix memory leak") +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wimax/i2400m/op-rfkill.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wimax/i2400m/op-rfkill.c ++++ b/drivers/net/wimax/i2400m/op-rfkill.c +@@ -142,12 +142,12 @@ int i2400m_op_rfkill_sw_toggle(struct wi + "%d\n", result); + result = 0; + error_cmd: +- kfree(cmd); + kfree_skb(ack_skb); + error_msg_to_dev: + error_alloc: + d_fnend(4, dev, "(wimax_dev %p state %d) = %d\n", + wimax_dev, state, result); ++ kfree(cmd); + return result; + } + diff --git a/queue-4.4/wimax-i2400-fix-memory-leak.patch b/queue-4.4/wimax-i2400-fix-memory-leak.patch new file mode 100644 index 00000000000..68fa49e0acb --- /dev/null +++ b/queue-4.4/wimax-i2400-fix-memory-leak.patch @@ -0,0 +1,30 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Navid Emamdoost +Date: Tue, 10 Sep 2019 18:01:40 -0500 +Subject: wimax: i2400: fix memory leak + +From: Navid Emamdoost + +commit 2507e6ab7a9a440773be476141a255934468c5ef upstream. + +In i2400m_op_rfkill_sw_toggle cmd buffer should be released along with +skb response. + +Signed-off-by: Navid Emamdoost +Signed-off-by: David S. Miller +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wimax/i2400m/op-rfkill.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wimax/i2400m/op-rfkill.c ++++ b/drivers/net/wimax/i2400m/op-rfkill.c +@@ -142,6 +142,7 @@ int i2400m_op_rfkill_sw_toggle(struct wi + "%d\n", result); + result = 0; + error_cmd: ++ kfree(cmd); + kfree_skb(ack_skb); + error_msg_to_dev: + error_alloc: diff --git a/queue-4.4/xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch b/queue-4.4/xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch new file mode 100644 index 00000000000..7c1bb252af0 --- /dev/null +++ b/queue-4.4/xen-let-alloc_xenballooned_pages-fail-if-not-enough-memory-free.patch @@ -0,0 +1,70 @@ +From foo@baz Wed 15 Jan 2020 03:59:57 PM CET +From: Juergen Gross +Date: Wed, 19 Jun 2019 11:00:56 +0200 +Subject: xen: let alloc_xenballooned_pages() fail if not enough memory free + +From: Juergen Gross + +commit a1078e821b605813b63bf6bca414a85f804d5c66 upstream. + +Instead of trying to allocate pages with GFP_USER in +add_ballooned_pages() check the available free memory via +si_mem_available(). GFP_USER is far less limiting memory exhaustion +than the test via si_mem_available(). + +This will avoid dom0 running out of memory due to excessive foreign +page mappings especially on ARM and on x86 in PVH mode, as those don't +have a pre-ballooned area which can be used for foreign mappings. + +As the normal ballooning suffers from the same problem don't balloon +down more than si_mem_available() pages in one iteration. At the same +time limit the default maximum number of retries. + +This is part of XSA-300. + +Signed-off-by: Juergen Gross +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/balloon.c | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -584,8 +584,15 @@ static void balloon_process(struct work_ + state = reserve_additional_memory(); + } + +- if (credit < 0) +- state = decrease_reservation(-credit, GFP_BALLOON); ++ if (credit < 0) { ++ long n_pages; ++ ++ n_pages = min(-credit, si_mem_available()); ++ state = decrease_reservation(n_pages, GFP_BALLOON); ++ if (state == BP_DONE && n_pages != -credit && ++ n_pages < totalreserve_pages) ++ state = BP_EAGAIN; ++ } + + state = update_schedule(state); + +@@ -624,6 +631,9 @@ static int add_ballooned_pages(int nr_pa + } + } + ++ if (si_mem_available() < nr_pages) ++ return -ENOMEM; ++ + st = decrease_reservation(nr_pages, GFP_USER); + if (st != BP_DONE) + return -ENOMEM; +@@ -747,7 +757,7 @@ static int __init balloon_init(void) + balloon_stats.schedule_delay = 1; + balloon_stats.max_schedule_delay = 32; + balloon_stats.retry_count = 1; +- balloon_stats.max_retry_count = RETRY_UNLIMITED; ++ balloon_stats.max_retry_count = 4; + + #ifdef CONFIG_XEN_BALLOON_MEMORY_HOTPLUG + set_online_page_callback(&xen_online_page); -- 2.47.3