From d6c57ae70007cfe8c59b8fc1918a18c71e14066c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 21 May 2022 16:30:03 +0200 Subject: [PATCH] 4.9-stable patches added patches: drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch perf-fix-sys_perf_event_open-race-against-self.patch --- ...le-memory-leak-in-fetch_monitor_name.patch | 32 +++++++++ ...ys_perf_event_open-race-against-self.patch | 68 +++++++++++++++++++ queue-4.9/series | 2 + 3 files changed, 102 insertions(+) create mode 100644 queue-4.9/drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch create mode 100644 queue-4.9/perf-fix-sys_perf_event_open-race-against-self.patch diff --git a/queue-4.9/drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch b/queue-4.9/drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch new file mode 100644 index 00000000000..5d63d766ee6 --- /dev/null +++ b/queue-4.9/drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch 
@@ -0,0 +1,32 @@ +From 6e03b13cc7d9427c2c77feed1549191015615202 Mon Sep 17 00:00:00 2001 +From: Hangyu Hua +Date: Mon, 16 May 2022 11:20:42 +0800 +Subject: drm/dp/mst: fix a possible memory leak in fetch_monitor_name() + +From: Hangyu Hua + +commit 6e03b13cc7d9427c2c77feed1549191015615202 upstream. + +drm_dp_mst_get_edid call kmemdup to create mst_edid. So mst_edid need to be +freed after use. + +Signed-off-by: Hangyu Hua +Reviewed-by: Lyude Paul +Signed-off-by: Lyude Paul +Cc: stable@vger.kernel.org +Link: https://patchwork.freedesktop.org/patch/msgid/20220516032042.13166-1-hbh25y@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -2830,6 +2830,7 @@ static void fetch_monitor_name(struct dr + + mst_edid = drm_dp_mst_get_edid(port->connector, mgr, port); + drm_edid_get_monitor_name(mst_edid, name, namelen); ++ kfree(mst_edid); + } + + /** diff --git a/queue-4.9/perf-fix-sys_perf_event_open-race-against-self.patch b/queue-4.9/perf-fix-sys_perf_event_open-race-against-self.patch new file mode 100644 index 00000000000..1c56d6ac260 --- /dev/null +++ b/queue-4.9/perf-fix-sys_perf_event_open-race-against-self.patch 
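Review bot: In fetch_monitor_name(), the pointer returned by drm_dp_mst_get_edid() is passed to drm_edid_get_monitor_name() and then to the added `kfree(mst_edid);` with no NULL check in between. kfree() accepts NULL, so the free needs no guard. If drm_dp_mst_get_edid() can return NULL (presumably when no EDID is available), the call before it depends on the 4.9 version of drm_edid_get_monitor_name() tolerating a NULL EDID, which this hunk does not show and should be confirmed in the backport tree. A short comment above the call would record the ownership rule the fix relies on: `/* drm_dp_mst_get_edid() returns a kmemdup()'d copy; the caller must kfree() it */`. The body of fetch_monitor_name() starts outside the hunk.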
@@ -0,0 +1,68 @@ +From 3ac6487e584a1eb54071dbe1212e05b884136704 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Fri, 20 May 2022 20:38:06 +0200 +Subject: perf: Fix sys_perf_event_open() race against self + +From: Peter Zijlstra + +commit 3ac6487e584a1eb54071dbe1212e05b884136704 upstream. + +Norbert reported that it's possible to race sys_perf_event_open() such +that the looser ends up in another context from the group leader, +triggering many WARNs. + +The move_group case checks for races against itself, but the +!move_group case doesn't, seemingly relying on the previous +group_leader->ctx == ctx check. However, that check is racy due to not +holding any locks at that time. + +Therefore, re-check the result after acquiring locks and bailing +if they no longer match. + +Additionally, clarify the not_move_group case from the +move_group-vs-move_group race. + +Fixes: f63a8daa5812 ("perf: Fix event->ctx locking") +Reported-by: Norbert Slusarek +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/events/core.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -9903,6 +9903,9 @@ SYSCALL_DEFINE5(perf_event_open, + * Do not allow to attach to a group in a different task + * or CPU context. If we're moving SW events, we'll fix + * this up later, so allow that. ++ * ++ * Racy, not holding group_leader->ctx->mutex, see comment with ++ * perf_event_ctx_lock(). + */ + if (!move_group && group_leader->ctx != ctx) + goto err_context; +@@ -9952,11 +9955,22 @@ SYSCALL_DEFINE5(perf_event_open, + } else { + perf_event_ctx_unlock(group_leader, gctx); + move_group = 0; ++ goto not_move_group; + } + } + } else { + mutex_lock(&ctx->mutex); ++ ++ /* ++ * Now that we hold ctx->lock, (re)validate group_leader->ctx == ctx, ++ * see the group_leader && !move_group test earlier. 
++ */ ++ if (group_leader && group_leader->ctx != ctx) { ++ err = -EINVAL; ++ goto err_locked; ++ } + } ++not_move_group: + + if (ctx->task == TASK_TOMBSTONE) { + err = -ESRCH; diff --git a/queue-4.9/series b/queue-4.9/series index 720a19ac70e..ce33a2c9a75 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -8,3 +8,5 @@ mmc-core-specify-timeouts-for-bkops-and-cache_flush-for-emmc.patch mmc-block-use-generic_cmd6_time-when-modifying-inand_cmd38_arg_ext_csd.patch mmc-core-default-to-generic_cmd6_time-as-timeout-in-__mmc_switch.patch alsa-wavefront-proper-check-of-get_user-error.patch +perf-fix-sys_perf_event_open-race-against-self.patch +drm-dp-mst-fix-a-possible-memory-leak-in-fetch_monitor_name.patch -- 2.47.3
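Review bot: In perf-fix-sys_perf_event_open-race-against-self.patch, the comment added in the `else` branch says "Now that we hold ctx->lock", but the line directly above it takes `ctx->mutex` with mutex_lock(). The other added comment also names `group_leader->ctx->mutex` as the lock the early check is missing, so the text should read `* Now that we hold ctx->mutex, (re)validate group_leader->ctx == ctx,`. Since this is a verbatim stable backport, that wording fix would have to land upstream first. The `goto not_move_group` path skips the re-check; that appears safe only if the enclosing condition (not visible in the hunk) has already established that the leader's context equals `ctx` under the lock, and it should be checked against the 4.9 tree. The SYSCALL_DEFINE5 body and the `err_locked` unwind are outside the hunk.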