From: Greg Kroah-Hartman Date: Wed, 4 Jan 2023 14:46:48 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v6.1.4~46 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=03430e8384c6f70684dab3a51d7d93da454c4665;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: crypto-n2-add-missing-hash-statesize.patch device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch drm-connector-send-hotplug-uevent-on-connector-cleanup.patch drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch parisc-led-fix-potential-null-ptr-deref-in-start_task.patch pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch pci-sysfs-fix-double-free-in-error-path.patch --- diff --git a/queue-4.14/crypto-n2-add-missing-hash-statesize.patch b/queue-4.14/crypto-n2-add-missing-hash-statesize.patch new file mode 100644 index 00000000000..a0d8f7e0a2b --- /dev/null +++ b/queue-4.14/crypto-n2-add-missing-hash-statesize.patch @@ -0,0 +1,74 @@ +From 76a4e874593543a2dff91d249c95bac728df2774 Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Thu, 6 Oct 2022 04:34:19 +0000 +Subject: crypto: n2 - add missing hash statesize + +From: Corentin Labbe + +commit 76a4e874593543a2dff91d249c95bac728df2774 upstream. + +Add missing statesize to hash templates. +This is mandatory otherwise no algorithms can be registered as the core +requires statesize to be set. + +CC: stable@kernel.org # 4.3+ +Reported-by: Rolf Eike Beer +Tested-by: Rolf Eike Beer +Fixes: 0a625fd2abaa ("crypto: n2 - Add Niagara2 crypto driver") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/n2_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/crypto/n2_core.c ++++ b/drivers/crypto/n2_core.c +@@ -1276,6 +1276,7 @@ struct n2_hash_tmpl { + const u32 *hash_init; + u8 hw_op_hashsz; + u8 digest_size; ++ u8 statesize; + u8 block_size; + u8 auth_type; + u8 hmac_type; +@@ -1307,6 +1308,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_MD5, + .hw_op_hashsz = MD5_DIGEST_SIZE, + .digest_size = MD5_DIGEST_SIZE, ++ .statesize = sizeof(struct md5_state), + .block_size = MD5_HMAC_BLOCK_SIZE }, + { .name = "sha1", + .hash_zero = sha1_zero_message_hash, +@@ -1315,6 +1317,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_SHA1, + .hw_op_hashsz = SHA1_DIGEST_SIZE, + .digest_size = SHA1_DIGEST_SIZE, ++ .statesize = sizeof(struct sha1_state), + .block_size = SHA1_BLOCK_SIZE }, + { .name = "sha256", + .hash_zero = sha256_zero_message_hash, +@@ -1323,6 +1326,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_HMAC_SHA256, + .hw_op_hashsz = SHA256_DIGEST_SIZE, + .digest_size = SHA256_DIGEST_SIZE, ++ .statesize = sizeof(struct sha256_state), + .block_size = SHA256_BLOCK_SIZE }, + { .name = "sha224", + .hash_zero = sha224_zero_message_hash, +@@ -1331,6 +1335,7 @@ static const struct n2_hash_tmpl hash_tm + .hmac_type = AUTH_TYPE_RESERVED, + .hw_op_hashsz = SHA256_DIGEST_SIZE, + .digest_size = SHA224_DIGEST_SIZE, ++ .statesize = sizeof(struct sha256_state), + .block_size = SHA224_BLOCK_SIZE }, + }; + #define NUM_HASH_TMPLS ARRAY_SIZE(hash_tmpls) +@@ -1470,6 +1475,7 @@ static int __n2_register_one_ahash(const + + halg = &ahash->halg; + halg->digestsize = tmpl->digest_size; ++ halg->statesize = tmpl->statesize; + + base = &halg->base; + snprintf(base->cra_name, CRYPTO_MAX_ALG_NAME, "%s", tmpl->name); diff --git a/queue-4.14/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch b/queue-4.14/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch new file mode 100644 index 00000000000..09a6a5384d2 --- /dev/null +++ b/queue-4.14/device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch @@ -0,0 +1,95 @@ +From e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f Mon Sep 17 00:00:00 2001 +From: Wang Weiyang +Date: Tue, 25 Oct 2022 19:31:01 +0800 +Subject: device_cgroup: Roll back to original exceptions after copy failure + +From: Wang Weiyang + +commit e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f upstream. + +When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's +exceptions will be cleaned and A's behavior is changed to +DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's +whitelist. If copy failure occurs, just return leaving A to grant +permissions to all devices. And A may grant more permissions than +parent. + +Backup A's whitelist and recover original exceptions after copy +failure. + +Cc: stable@vger.kernel.org +Fixes: 4cef7299b478 ("device_cgroup: add proper checking when changing default behavior") +Signed-off-by: Wang Weiyang +Reviewed-by: Aristeu Rozanski +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman +--- + security/device_cgroup.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +--- a/security/device_cgroup.c ++++ b/security/device_cgroup.c +@@ -88,6 +88,17 @@ free_and_exit: + return -ENOMEM; + } + ++static void dev_exceptions_move(struct list_head *dest, struct list_head *orig) ++{ ++ struct dev_exception_item *ex, *tmp; ++ ++ lockdep_assert_held(&devcgroup_mutex); ++ ++ list_for_each_entry_safe(ex, tmp, orig, list) { ++ list_move_tail(&ex->list, dest); ++ } ++} ++ + /* + * called under devcgroup_mutex + */ +@@ -609,11 +620,13 @@ static int devcgroup_update_access(struc + int count, rc = 0; + struct dev_exception_item ex; + struct dev_cgroup *parent = css_to_devcgroup(devcgroup->css.parent); ++ struct dev_cgroup tmp_devcgrp; + + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + + memset(&ex, 0, sizeof(ex)); ++ memset(&tmp_devcgrp, 0, sizeof(tmp_devcgrp)); + b = buffer; + + switch (*b) { +@@ -625,15 +638,27 @@ static int devcgroup_update_access(struc + + if (!may_allow_all(parent)) + return -EPERM; +- dev_exception_clean(devcgroup); +- devcgroup->behavior = DEVCG_DEFAULT_ALLOW; +- if (!parent) ++ if (!parent) { ++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW; ++ dev_exception_clean(devcgroup); + break; ++ } + ++ INIT_LIST_HEAD(&tmp_devcgrp.exceptions); ++ rc = dev_exceptions_copy(&tmp_devcgrp.exceptions, ++ &devcgroup->exceptions); ++ if (rc) ++ return rc; ++ dev_exception_clean(devcgroup); + rc = dev_exceptions_copy(&devcgroup->exceptions, + &parent->exceptions); +- if (rc) ++ if (rc) { ++ dev_exceptions_move(&devcgroup->exceptions, ++ &tmp_devcgrp.exceptions); + return rc; ++ } ++ devcgroup->behavior = DEVCG_DEFAULT_ALLOW; ++ dev_exception_clean(&tmp_devcgrp); + break; + case DEVCG_DENY: + if (css_has_online_children(&devcgroup->css)) diff --git a/queue-4.14/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch b/queue-4.14/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch new file mode 100644 index 00000000000..6f3318df8ac --- /dev/null +++ b/queue-4.14/drm-connector-send-hotplug-uevent-on-connector-cleanup.patch @@ -0,0 +1,59 @@ +From 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc Mon Sep 17 00:00:00 2001 +From: Simon Ser +Date: Mon, 17 Oct 2022 15:32:01 +0000 +Subject: drm/connector: send hotplug uevent on connector cleanup +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Simon Ser + +commit 6fdc2d490ea1369d17afd7e6eb66fecc5b7209bc upstream. + +A typical DP-MST unplug removes a KMS connector. However care must +be taken to properly synchronize with user-space. The expected +sequence of events is the following: + +1. The kernel notices that the DP-MST port is gone. +2. The kernel marks the connector as disconnected, then sends a + uevent to make user-space re-scan the connector list. +3. User-space notices the connector goes from connected to disconnected, + disables it. +4. Kernel handles the IOCTL disabling the connector. On success, + the very last reference to the struct drm_connector is dropped and + drm_connector_cleanup() is called. +5. The connector is removed from the list, and a uevent is sent to tell + user-space that the connector disappeared. + +The very last step was missing. As a result, user-space thought the +connector still existed and could try to disable it again. Since the +kernel no longer knows about the connector, that would end up with +EINVAL and confused user-space. + +Fix this by sending a hotplug uevent from drm_connector_cleanup(). + +Signed-off-by: Simon Ser +Cc: stable@vger.kernel.org +Cc: Daniel Vetter +Cc: Lyude Paul +Cc: Jonas Ådahl +Tested-by: Jonas Ådahl +Reviewed-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/20221017153150.60675-2-contact@emersion.fr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/drm_connector.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/drm_connector.c ++++ b/drivers/gpu/drm/drm_connector.c +@@ -352,6 +352,9 @@ void drm_connector_cleanup(struct drm_co + mutex_destroy(&connector->mutex); + + memset(connector, 0, sizeof(*connector)); ++ ++ if (dev->registered) ++ drm_sysfs_hotplug_event(dev); + } + EXPORT_SYMBOL(drm_connector_cleanup); + diff --git a/queue-4.14/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch b/queue-4.14/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch new file mode 100644 index 00000000000..50d0568e01f --- /dev/null +++ b/queue-4.14/drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch @@ -0,0 +1,37 @@ +From 4cf949c7fafe21e085a4ee386bb2dade9067316e Mon Sep 17 00:00:00 2001 +From: Zack Rusin +Date: Tue, 25 Oct 2022 23:19:35 -0400 +Subject: drm/vmwgfx: Validate the box size for the snooped cursor + +From: Zack Rusin + +commit 4cf949c7fafe21e085a4ee386bb2dade9067316e upstream. + +Invalid userspace dma surface copies could potentially overflow +the memcpy from the surface to the snooped image leading to crashes. +To fix it the dimensions of the copybox have to be validated +against the expected size of the snooped cursor. + +Signed-off-by: Zack Rusin +Fixes: 2ac863719e51 ("vmwgfx: Snoop DMA transfers with non-covering sizes") +Cc: # v3.2+ +Reviewed-by: Michael Banack +Reviewed-by: Martin Krastev +Link: https://patchwork.freedesktop.org/patch/msgid/20221026031936.1004280-1-zack@kde.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -179,7 +179,8 @@ void vmw_kms_cursor_snoop(struct vmw_sur + if (cmd->dma.guest.ptr.offset % PAGE_SIZE || + box->x != 0 || box->y != 0 || box->z != 0 || + box->srcx != 0 || box->srcy != 0 || box->srcz != 0 || +- box->d != 1 || box_count != 1) { ++ box->d != 1 || box_count != 1 || ++ box->w > 64 || box->h > 64) { + /* TODO handle none page aligned offsets */ + /* TODO handle more dst & src != 0 */ + /* TODO handle more then one copy */ diff --git a/queue-4.14/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch b/queue-4.14/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch new file mode 100644 index 00000000000..1ff6e2d19c1 --- /dev/null +++ b/queue-4.14/ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch @@ -0,0 +1,39 @@ +From 11220db412edae8dba58853238f53258268bdb88 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 3 Nov 2022 00:09:49 +0800 +Subject: ima: Fix a potential NULL pointer access in ima_restore_measurement_list + +From: Huaxin Lu + +commit 11220db412edae8dba58853238f53258268bdb88 upstream. + +In restore_template_fmt, when kstrdup fails, a non-NULL value will still be +returned, which causes a NULL pointer access in template_desc_init_fields. + +Fixes: c7d09367702e ("ima: support restoring multiple template formats") +Cc: stable@kernel.org +Co-developed-by: Jiaming Li +Signed-off-by: Jiaming Li +Signed-off-by: Huaxin Lu +Reviewed-by: Stefan Berger +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman +--- + security/integrity/ima/ima_template.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/security/integrity/ima/ima_template.c ++++ b/security/integrity/ima/ima_template.c +@@ -266,8 +266,11 @@ static struct ima_template_desc *restore + + template_desc->name = ""; + template_desc->fmt = kstrdup(template_name, GFP_KERNEL); +- if (!template_desc->fmt) ++ if (!template_desc->fmt) { ++ kfree(template_desc); ++ template_desc = NULL; + goto out; ++ } + + spin_lock(&template_list); + list_add_tail_rcu(&template_desc->list, &defined_templates); diff --git a/queue-4.14/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch b/queue-4.14/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch new file mode 100644 index 00000000000..8f1be945508 --- /dev/null +++ b/queue-4.14/iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch @@ -0,0 +1,45 @@ +From 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf Mon Sep 17 00:00:00 2001 +From: Kim Phillips +Date: Mon, 19 Sep 2022 10:56:37 -0500 +Subject: iommu/amd: Fix ivrs_acpihid cmdline parsing code + +From: Kim Phillips + +commit 5f18e9f8868c6d4eae71678e7ebd4977b7d8c8cf upstream. + +The second (UID) strcmp in acpi_dev_hid_uid_match considers +"0" and "00" different, which can prevent device registration. + +Have the AMD IOMMU driver's ivrs_acpihid parsing code remove +any leading zeroes to make the UID strcmp succeed. Now users +can safely specify "AMDxxxxx:00" or "AMDxxxxx:0" and expect +the same behaviour. + +Fixes: ca3bf5d47cec ("iommu/amd: Introduces ivrs_acpihid kernel parameter") +Signed-off-by: Kim Phillips +Cc: stable@vger.kernel.org +Cc: Suravee Suthikulpanit +Cc: Joerg Roedel +Link: https://lore.kernel.org/r/20220919155638.391481-1-kim.phillips@amd.com +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iommu/amd_iommu_init.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/iommu/amd_iommu_init.c ++++ b/drivers/iommu/amd_iommu_init.c +@@ -2919,6 +2919,13 @@ static int __init parse_ivrs_acpihid(cha + return 1; + } + ++ /* ++ * Ignore leading zeroes after ':', so e.g., AMDI0095:00 ++ * will match AMDI0095:0 in the second strcmp in acpi_dev_hid_uid_match ++ */ ++ while (*uid == '0' && *(uid + 1)) ++ uid++; ++ + i = early_acpihid_map_size++; + memcpy(early_acpihid_map[i].hid, hid, strlen(hid)); + memcpy(early_acpihid_map[i].uid, uid, strlen(uid)); diff --git a/queue-4.14/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch b/queue-4.14/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch new file mode 100644 index 00000000000..11cf32b5998 --- /dev/null +++ b/queue-4.14/parisc-led-fix-potential-null-ptr-deref-in-start_task.patch @@ -0,0 +1,42 @@ +From 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 Mon Sep 17 00:00:00 2001 +From: Shang XiaoJing +Date: Thu, 17 Nov 2022 10:45:14 +0800 +Subject: parisc: led: Fix potential null-ptr-deref in start_task() + +From: Shang XiaoJing + +commit 41f563ab3c33698bdfc3403c7c2e6c94e73681e4 upstream. + +start_task() calls create_singlethread_workqueue() and not checked the +ret value, which may return NULL. And a null-ptr-deref may happen: + +start_task() + create_singlethread_workqueue() # failed, led_wq is NULL + queue_delayed_work() + queue_delayed_work_on() + __queue_delayed_work() # warning here, but continue + __queue_work() # access wq->flags, null-ptr-deref + +Check the ret value and return -ENOMEM if it is NULL. + +Fixes: 3499495205a6 ("[PARISC] Use work queue in LED/LCD driver instead of tasklet.") +Signed-off-by: Shang XiaoJing +Signed-off-by: Helge Deller +Cc: +Signed-off-by: Greg Kroah-Hartman +--- + drivers/parisc/led.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/parisc/led.c ++++ b/drivers/parisc/led.c +@@ -141,6 +141,9 @@ static int start_task(void) + + /* Create the work queue and queue the LED task */ + led_wq = create_singlethread_workqueue("led_wq"); ++ if (!led_wq) ++ return -ENOMEM; ++ + queue_delayed_work(led_wq, &led_task, 0); + + return 0; diff --git a/queue-4.14/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch b/queue-4.14/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch new file mode 100644 index 00000000000..6e0b50e6402 --- /dev/null +++ b/queue-4.14/pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch @@ -0,0 +1,59 @@ +From 98b04dd0b4577894520493d96bc4623387767445 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Wed, 26 Oct 2022 02:11:21 -0400 +Subject: PCI: Fix pci_device_is_present() for VFs by checking PF + +From: Michael S. Tsirkin + +commit 98b04dd0b4577894520493d96bc4623387767445 upstream. + +pci_device_is_present() previously didn't work for VFs because it reads the +Vendor and Device ID, which are 0xffff for VFs, which looks like they +aren't present. Check the PF instead. + +Wei Gong reported that if virtio I/O is in progress when the driver is +unbound or "0" is written to /sys/.../sriov_numvfs, the virtio I/O +operation hangs, which may result in output like this: + + task:bash state:D stack: 0 pid: 1773 ppid: 1241 flags:0x00004002 + Call Trace: + schedule+0x4f/0xc0 + blk_mq_freeze_queue_wait+0x69/0xa0 + blk_mq_freeze_queue+0x1b/0x20 + blk_cleanup_queue+0x3d/0xd0 + virtblk_remove+0x3c/0xb0 [virtio_blk] + virtio_dev_remove+0x4b/0x80 + ... + device_unregister+0x1b/0x60 + unregister_virtio_device+0x18/0x30 + virtio_pci_remove+0x41/0x80 + pci_device_remove+0x3e/0xb0 + +This happened because pci_device_is_present(VF) returned "false" in +virtio_pci_remove(), so it called virtio_break_device(). The broken vq +meant that vring_interrupt() skipped the vq.callback() that would have +completed the virtio I/O operation via virtblk_done(). + +[bhelgaas: commit log, simplify to always use pci_physfn(), add stable tag] +Link: https://lore.kernel.org/r/20221026060912.173250-1-mst@redhat.com +Reported-by: Wei Gong +Tested-by: Wei Gong +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -5166,6 +5166,8 @@ bool pci_device_is_present(struct pci_de + { + u32 v; + ++ /* Check PF if pdev is a VF, since VF Vendor/Device IDs are 0xffff */ ++ pdev = pci_physfn(pdev); + if (pci_dev_is_disconnected(pdev)) + return false; + return pci_bus_read_dev_vendor_id(pdev->bus, pdev->devfn, &v, 0); diff --git a/queue-4.14/pci-sysfs-fix-double-free-in-error-path.patch b/queue-4.14/pci-sysfs-fix-double-free-in-error-path.patch new file mode 100644 index 00000000000..412137af769 --- /dev/null +++ b/queue-4.14/pci-sysfs-fix-double-free-in-error-path.patch @@ -0,0 +1,58 @@ +From aa382ffa705bea9931ec92b6f3c70e1fdb372195 Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Tue, 8 Nov 2022 17:05:59 -0600 +Subject: PCI/sysfs: Fix double free in error path + +From: Sascha Hauer + +commit aa382ffa705bea9931ec92b6f3c70e1fdb372195 upstream. + +When pci_create_attr() fails, pci_remove_resource_files() is called which +will iterate over the res_attr[_wc] arrays and frees every non NULL entry. +To avoid a double free here set the array entry only after it's clear we +successfully initialized it. + +Fixes: b562ec8f74e4 ("PCI: Don't leak memory if sysfs_create_bin_file() fails") +Link: https://lore.kernel.org/r/20221007070735.GX986@pengutronix.de/ +Signed-off-by: Sascha Hauer +Signed-off-by: Bjorn Helgaas +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/pci-sysfs.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -1313,11 +1313,9 @@ static int pci_create_attr(struct pci_de + + sysfs_bin_attr_init(res_attr); + if (write_combine) { +- pdev->res_attr_wc[num] = res_attr; + sprintf(res_attr_name, "resource%d_wc", num); + res_attr->mmap = pci_mmap_resource_wc; + } else { +- pdev->res_attr[num] = res_attr; + sprintf(res_attr_name, "resource%d", num); + if (pci_resource_flags(pdev, num) & IORESOURCE_IO) { + res_attr->read = pci_read_resource_io; +@@ -1333,10 +1331,17 @@ static int pci_create_attr(struct pci_de + res_attr->size = pci_resource_len(pdev, num); + res_attr->private = (void *)(unsigned long)num; + retval = sysfs_create_bin_file(&pdev->dev.kobj, res_attr); +- if (retval) ++ if (retval) { + kfree(res_attr); ++ return retval; ++ } ++ ++ if (write_combine) ++ pdev->res_attr_wc[num] = res_attr; ++ else ++ pdev->res_attr[num] = res_attr; + +- return retval; ++ return 0; + } + + /** diff --git a/queue-4.14/series b/queue-4.14/series index c6b4affb341..ccad3a6cae0 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -285,3 +285,12 @@ arm-9256-1-nwfpe-avoid-compiler-generated-__aeabi_uldivmod.patch media-dvb-core-fix-double-free-in-dvb_register_device.patch media-dvb-core-fix-uaf-due-to-refcount-races-at-releasing.patch cifs-fix-confusing-debug-message.patch +ima-fix-a-potential-null-pointer-access-in-ima_restore_measurement_list.patch +pci-fix-pci_device_is_present-for-vfs-by-checking-pf.patch +pci-sysfs-fix-double-free-in-error-path.patch +crypto-n2-add-missing-hash-statesize.patch +iommu-amd-fix-ivrs_acpihid-cmdline-parsing-code.patch +parisc-led-fix-potential-null-ptr-deref-in-start_task.patch +device_cgroup-roll-back-to-original-exceptions-after-copy-failure.patch +drm-connector-send-hotplug-uevent-on-connector-cleanup.patch +drm-vmwgfx-validate-the-box-size-for-the-snooped-cursor.patch