From 50aa75371afba2ea4cb0747936ff7e66d6fe6d4a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 6 Oct 2019 18:57:27 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
	9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch
	kexec-bail-out-upon-sigkill-when-allocating-memory.patch
	nfc-fix-attrs-checks-in-netlink-interface.patch
---
 ...eak-in-v9fs_cache_session_get_cookie.patch | 44 +++++++++++++++++
 ...-upon-sigkill-when-allocating-memory.patch | 41 ++++++++++++++++
 ...ix-attrs-checks-in-netlink-interface.patch | 49 +++++++++++++++++++
 queue-4.19/series                             |  3 ++
 4 files changed, 137 insertions(+)
 create mode 100644 queue-4.19/9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch
 create mode 100644 queue-4.19/kexec-bail-out-upon-sigkill-when-allocating-memory.patch
 create mode 100644 queue-4.19/nfc-fix-attrs-checks-in-netlink-interface.patch

diff --git a/queue-4.19/9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch b/queue-4.19/9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch
new file mode 100644
index 00000000000..841559837fa
--- /dev/null
+++ b/queue-4.19/9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch
@@ -0,0 +1,44 @@
+From 962a991c5de18452d6c429d99f3039387cf5cbb0 Mon Sep 17 00:00:00 2001
+From: Bharath Vedartham <linux.bhar@gmail.com>
+Date: Thu, 23 May 2019 01:15:19 +0530
+Subject: 9p/cache.c: Fix memory leak in v9fs_cache_session_get_cookie
+
+From: Bharath Vedartham <linux.bhar@gmail.com>
+
+commit 962a991c5de18452d6c429d99f3039387cf5cbb0 upstream.
+
+v9fs_cache_session_get_cookie assigns a random cachetag to v9ses->cachetag,
+if the cachetag is not assigned previously.
+
+v9fs_random_cachetag allocates memory to v9ses->cachetag with kmalloc and uses
+scnprintf to fill it up with a cachetag.
+
+But if scnprintf fails, v9ses->cachetag is not freed in the current
+code causing a memory leak.
+
+Fix this by freeing v9ses->cachetag it v9fs_random_cachetag fails.
+
+This was reported by syzbot, the link to the report is below:
+https://syzkaller.appspot.com/bug?id=f012bdf297a7a4c860c38a88b44fbee43fd9bbf3
+
+Link: http://lkml.kernel.org/r/20190522194519.GA5313@bharath12345-Inspiron-5559
+Reported-by: syzbot+3a030a73b6c1e9833815@syzkaller.appspotmail.com
+Signed-off-by: Bharath Vedartham <linux.bhar@gmail.com>
+Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/cache.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/9p/cache.c
++++ b/fs/9p/cache.c
+@@ -66,6 +66,8 @@ void v9fs_cache_session_get_cookie(struc
+ 	if (!v9ses->cachetag) {
+ 		if (v9fs_random_cachetag(v9ses) < 0) {
+ 			v9ses->fscache = NULL;
++			kfree(v9ses->cachetag);
++			v9ses->cachetag = NULL;
+ 			return;
+ 		}
+ 	}
diff --git a/queue-4.19/kexec-bail-out-upon-sigkill-when-allocating-memory.patch b/queue-4.19/kexec-bail-out-upon-sigkill-when-allocating-memory.patch
new file mode 100644
index 00000000000..3add54338e2
--- /dev/null
+++ b/queue-4.19/kexec-bail-out-upon-sigkill-when-allocating-memory.patch
@@ -0,0 +1,41 @@
+From 7c3a6aedcd6aae0a32a527e68669f7dd667492d1 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Wed, 25 Sep 2019 16:47:33 -0700
+Subject: kexec: bail out upon SIGKILL when allocating memory.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 7c3a6aedcd6aae0a32a527e68669f7dd667492d1 upstream.
+
+syzbot found that a thread can stall for minutes inside kexec_load() after
+that thread was killed by SIGKILL [1].  It turned out that the reproducer
+was trying to allocate 2408MB of memory using kimage_alloc_page() from
+kimage_load_normal_segment().  Let's check for SIGKILL before doing memory
+allocation.
+
+[1] https://syzkaller.appspot.com/bug?id=a0e3436829698d5824231251fad9d8e998f94f5e
+
+Link: http://lkml.kernel.org/r/993c9185-d324-2640-d061-bed2dd18b1f7@I-love.SAKURA.ne.jp
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+8ab2d0f39fb79fe6ca40@syzkaller.appspotmail.com>
+Cc: Eric Biederman <ebiederm@xmission.com>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kexec_core.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/kexec_core.c
++++ b/kernel/kexec_core.c
+@@ -301,6 +301,8 @@ static struct page *kimage_alloc_pages(g
+ {
+ 	struct page *pages;
+ 
++	if (fatal_signal_pending(current))
++		return NULL;
+ 	pages = alloc_pages(gfp_mask & ~__GFP_ZERO, order);
+ 	if (pages) {
+ 		unsigned int count, i;
diff --git a/queue-4.19/nfc-fix-attrs-checks-in-netlink-interface.patch b/queue-4.19/nfc-fix-attrs-checks-in-netlink-interface.patch
new file mode 100644
index 00000000000..a75b274e3d7
--- /dev/null
+++ b/queue-4.19/nfc-fix-attrs-checks-in-netlink-interface.patch
@@ -0,0 +1,49 @@
+From 18917d51472fe3b126a3a8f756c6b18085eb8130 Mon Sep 17 00:00:00 2001
+From: Andrey Konovalov <andreyknvl@google.com>
+Date: Mon, 29 Jul 2019 16:35:01 +0300
+Subject: NFC: fix attrs checks in netlink interface
+
+From: Andrey Konovalov <andreyknvl@google.com>
+
+commit 18917d51472fe3b126a3a8f756c6b18085eb8130 upstream.
+
+nfc_genl_deactivate_target() relies on the NFC_ATTR_TARGET_INDEX
+attribute being present, but doesn't check whether it is actually
+provided by the user. Same goes for nfc_genl_fw_download() and
+NFC_ATTR_FIRMWARE_NAME.
+
+This patch adds appropriate checks.
+
+Found with syzkaller.
+
+Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/netlink.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -981,7 +981,8 @@ static int nfc_genl_dep_link_down(struct
+ 	int rc;
+ 	u32 idx;
+ 
+-	if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
++	if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
++	    !info->attrs[NFC_ATTR_TARGET_INDEX])
+ 		return -EINVAL;
+ 
+ 	idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
+@@ -1029,7 +1030,8 @@ static int nfc_genl_llc_get_params(struc
+ 	struct sk_buff *msg = NULL;
+ 	u32 idx;
+ 
+-	if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
++	if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
++	    !info->attrs[NFC_ATTR_FIRMWARE_NAME])
+ 		return -EINVAL;
+ 
+ 	idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
diff --git a/queue-4.19/series b/queue-4.19/series
index f00d468606b..581013ca584 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -101,3 +101,6 @@ soundwire-kconfig-fix-help-format.patch
 soundwire-fix-regmap-dependencies-and-align-with-oth.patch
 smack-don-t-ignore-other-bprm-unsafe-flags-if-lsm_unsafe_ptrace-is-set.patch
 smack-use-gfp_nofs-while-holding-inode_smack-smk_lock.patch
+nfc-fix-attrs-checks-in-netlink-interface.patch
+kexec-bail-out-upon-sigkill-when-allocating-memory.patch
+9p-cache.c-fix-memory-leak-in-v9fs_cache_session_get_cookie.patch
-- 
2.47.2