4.9-stable patches

added patches:
	platform-x86-alienware-wmi-fix-kfree-on-potentially-uninitialized-pointer.patch

diff --git a/queue-4.9/platform-x86-alienware-wmi-fix-kfree-on-potentially-uninitialized-pointer.patch b/queue-4.9/platform-x86-alienware-wmi-fix-kfree-on-potentially-uninitialized-pointer.patch
new file mode 100644 (file)
index 0000000..543ac96
--- /dev/null
+++ b/queue-4.9/platform-x86-alienware-wmi-fix-kfree-on-potentially-uninitialized-pointer.patch
@@ -0,0 +1,61 @@
+From 98e2630284ab741804bd0713e932e725466f2f84 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Sat, 30 Mar 2019 00:17:12 +0000
+Subject: platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 98e2630284ab741804bd0713e932e725466f2f84 upstream.
+
+Currently the kfree of output.pointer can be potentially freeing
+an uninitalized pointer in the case where out_data is NULL. Fix this
+by reworking the case where out_data is not-null to perform the
+ACPI status check and also the kfree of outpoint.pointer in one block
+and hence ensuring the pointer is only freed when it has been used.
+
+Also replace the if (ptr != NULL) idiom with just if (ptr).
+
+Fixes: ff0e9f26288d ("platform/x86: alienware-wmi: Correct a memory leak")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/platform/x86/alienware-wmi.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/platform/x86/alienware-wmi.c
++++ b/drivers/platform/x86/alienware-wmi.c
+@@ -504,23 +504,23 @@ static acpi_status alienware_wmax_comman
+ 
+       input.length = (acpi_size) sizeof(*in_args);
+       input.pointer = in_args;
+-      if (out_data != NULL) {
++      if (out_data) {
+               output.length = ACPI_ALLOCATE_BUFFER;
+               output.pointer = NULL;
+               status = wmi_evaluate_method(WMAX_CONTROL_GUID, 1,
+                                            command, &input, &output);
+-      } else
++              if (ACPI_SUCCESS(status)) {
++                      obj = (union acpi_object *)output.pointer;
++                      if (obj && obj->type == ACPI_TYPE_INTEGER)
++                              *out_data = (u32)obj->integer.value;
++              }
++              kfree(output.pointer);
++      } else {
+               status = wmi_evaluate_method(WMAX_CONTROL_GUID, 1,
+                                            command, &input, NULL);
+-
+-      if (ACPI_SUCCESS(status) && out_data != NULL) {
+-              obj = (union acpi_object *)output.pointer;
+-              if (obj && obj->type == ACPI_TYPE_INTEGER)
+-                      *out_data = (u32) obj->integer.value;
+       }
+-      kfree(output.pointer);
+-      return status;
+ 
++      return status;
+ }
+ 
+ /*

diff --git a/queue-4.9/series b/queue-4.9/series
index 923e4efbe6940acccc3b0ace33e4d802d2c0e7b3..af846df5464b1be3debb3167aa39520dcbcbdcc8 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -51,3 +51,4 @@ dmaengine-tegra210-adma-fix-an-error-handling-path-in-tegra_adma_probe.patch
 l2tp-device-mtu-setup-tunnel-socket-needs-a-lock.patch
 x86-uaccess-ubsan-fix-ubsan-vs.-smap.patch
 ubsan-build-ubsan.c-more-conservatively.patch
+platform-x86-alienware-wmi-fix-kfree-on-potentially-uninitialized-pointer.patch