From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 8 Sep 2024 10:32:06 +0000 (+0200)
Subject: 5.15-stable patches
X-Git-Tag: v4.19.322~118
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=87f75627d7dea5c0334aea52bea6582161e0c9b9;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	ata-libata-fix-memory-leak-for-error-path-in-ata_host_alloc.patch
	irqchip-gic-v2m-fix-refcount-leak-in-gicv2m_of_init.patch
	rtmutex-drop-rt_mutex-wait_lock-before-scheduling.patch
---

diff --git a/queue-5.15/ata-libata-fix-memory-leak-for-error-path-in-ata_host_alloc.patch b/queue-5.15/ata-libata-fix-memory-leak-for-error-path-in-ata_host_alloc.patch
new file mode 100644
index 00000000000..d5bc006a943
--- /dev/null
+++ b/queue-5.15/ata-libata-fix-memory-leak-for-error-path-in-ata_host_alloc.patch
@@ -0,0 +1,41 @@
+From 284b75a3d83c7631586d98f6dede1d90f128f0db Mon Sep 17 00:00:00 2001
+From: Zheng Qixing <zhengqixing@huawei.com>
+Date: Thu, 22 Aug 2024 11:30:50 +0800
+Subject: ata: libata: Fix memory leak for error path in ata_host_alloc()
+
+From: Zheng Qixing <zhengqixing@huawei.com>
+
+commit 284b75a3d83c7631586d98f6dede1d90f128f0db upstream.
+
+In ata_host_alloc(), if devres_alloc() fails to allocate the device host
+resource data pointer, the already allocated ata_host structure is not
+freed before returning from the function. This results in a potential
+memory leak.
+
+Call kfree(host) before jumping to the error handling path to ensure
+that the ata_host structure is properly freed if devres_alloc() fails.
+
+Fixes: 2623c7a5f279 ("libata: add refcounting to ata_host")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>
+Reviewed-by: Yu Kuai <yukuai3@huawei.com>
+Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/libata-core.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -5454,8 +5454,10 @@ struct ata_host *ata_host_alloc(struct d
+ 	}
+ 
+ 	dr = devres_alloc(ata_devres_release, 0, GFP_KERNEL);
+-	if (!dr)
++	if (!dr) {
++		kfree(host);
+ 		goto err_out;
++	}
+ 
+ 	devres_add(dev, dr);
+ 	dev_set_drvdata(dev, host);
diff --git a/queue-5.15/irqchip-gic-v2m-fix-refcount-leak-in-gicv2m_of_init.patch b/queue-5.15/irqchip-gic-v2m-fix-refcount-leak-in-gicv2m_of_init.patch
new file mode 100644
index 00000000000..2da115f9857
--- /dev/null
+++ b/queue-5.15/irqchip-gic-v2m-fix-refcount-leak-in-gicv2m_of_init.patch
@@ -0,0 +1,44 @@
+From c5af2c90ba5629f0424a8d315f75fb8d91713c3c Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Tue, 20 Aug 2024 17:28:43 +0800
+Subject: irqchip/gic-v2m: Fix refcount leak in gicv2m_of_init()
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit c5af2c90ba5629f0424a8d315f75fb8d91713c3c upstream.
+
+gicv2m_of_init() fails to perform an of_node_put() when
+of_address_to_resource() fails, leading to a refcount leak.
+
+Address this by moving the error handling path outside of the loop and
+making it common to all failure modes.
+
+Fixes: 4266ab1a8ff5 ("irqchip/gic-v2m: Refactor to prepare for ACPI support")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Reviewed-by: Marc Zyngier <maz@kernel.org>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20240820092843.1219933-1-make24@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v2m.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/irqchip/irq-gic-v2m.c
++++ b/drivers/irqchip/irq-gic-v2m.c
+@@ -439,12 +439,12 @@ static int __init gicv2m_of_init(struct
+ 
+ 		ret = gicv2m_init_one(&child->fwnode, spi_start, nr_spis,
+ 				      &res, 0);
+-		if (ret) {
+-			of_node_put(child);
++		if (ret)
+ 			break;
+-		}
+ 	}
+ 
++	if (ret && child)
++		of_node_put(child);
+ 	if (!ret)
+ 		ret = gicv2m_allocate_domains(parent);
+ 	if (ret)
diff --git a/queue-5.15/rtmutex-drop-rt_mutex-wait_lock-before-scheduling.patch b/queue-5.15/rtmutex-drop-rt_mutex-wait_lock-before-scheduling.patch
new file mode 100644
index 00000000000..ef541f06b79
--- /dev/null
+++ b/queue-5.15/rtmutex-drop-rt_mutex-wait_lock-before-scheduling.patch
@@ -0,0 +1,63 @@
+From d33d26036a0274b472299d7dcdaa5fb34329f91b Mon Sep 17 00:00:00 2001
+From: Roland Xu <mu001999@outlook.com>
+Date: Thu, 15 Aug 2024 10:58:13 +0800
+Subject: rtmutex: Drop rt_mutex::wait_lock before scheduling
+
+From: Roland Xu <mu001999@outlook.com>
+
+commit d33d26036a0274b472299d7dcdaa5fb34329f91b upstream.
+
+rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held.  In the
+good case it returns with the lock held and in the deadlock case it emits a
+warning and goes into an endless scheduling loop with the lock held, which
+triggers the 'scheduling in atomic' warning.
+
+Unlock rt_mutex::wait_lock in the dead lock case before issuing the warning
+and dropping into the schedule for ever loop.
+
+[ tglx: Moved unlock before the WARN(), removed the pointless comment,
+  	massaged changelog, added Fixes tag ]
+
+Fixes: 3d5c9340d194 ("rtmutex: Handle deadlock detection smarter")
+Signed-off-by: Roland Xu <mu001999@outlook.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/ME0P300MB063599BEF0743B8FA339C2CECC802@ME0P300MB0635.AUSP300.PROD.OUTLOOK.COM
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/locking/rtmutex.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/kernel/locking/rtmutex.c
++++ b/kernel/locking/rtmutex.c
+@@ -1613,6 +1613,7 @@ static int __sched rt_mutex_slowlock_blo
+ }
+ 
+ static void __sched rt_mutex_handle_deadlock(int res, int detect_deadlock,
++					     struct rt_mutex_base *lock,
+ 					     struct rt_mutex_waiter *w)
+ {
+ 	/*
+@@ -1625,10 +1626,10 @@ static void __sched rt_mutex_handle_dead
+ 	if (build_ww_mutex() && w->ww_ctx)
+ 		return;
+ 
+-	/*
+-	 * Yell loudly and stop the task right here.
+-	 */
++	raw_spin_unlock_irq(&lock->wait_lock);
++
+ 	WARN(1, "rtmutex deadlock detected\n");
++
+ 	while (1) {
+ 		set_current_state(TASK_INTERRUPTIBLE);
+ 		schedule();
+@@ -1680,7 +1681,7 @@ static int __sched __rt_mutex_slowlock(s
+ 	} else {
+ 		__set_current_state(TASK_RUNNING);
+ 		remove_waiter(lock, waiter);
+-		rt_mutex_handle_deadlock(ret, chwalk, waiter);
++		rt_mutex_handle_deadlock(ret, chwalk, lock, waiter);
+ 	}
+ 
+ 	/*
diff --git a/queue-5.15/series b/queue-5.15/series
index cffc379eaba..da5a83d9ded 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -67,3 +67,6 @@ kvm-svm-don-t-advertise-bus-lock-detect-to-guest-if-svm-support-is-missing.patch
 alsa-hda-conexant-add-pincfg-quirk-to-enable-top-speakers-on-sirius-devices.patch
 alsa-hda-realtek-add-patch-for-internal-mic-in-lenovo-v145.patch
 alsa-hda-realtek-support-mute-led-on-hp-laptop-14-dq2xxx.patch
+ata-libata-fix-memory-leak-for-error-path-in-ata_host_alloc.patch
+irqchip-gic-v2m-fix-refcount-leak-in-gicv2m_of_init.patch
+rtmutex-drop-rt_mutex-wait_lock-before-scheduling.patch