March 2025 - Linux-stable-mirror

[PATCH v3 1/2] regulator: dummy: force synchronous probing

by Christian Eggers

Sometimes I get a NULL pointer dereference at boot time in kobject_get() with the following call stack: anatop_regulator_probe() devm_regulator_register() regulator_register() regulator_resolve_supply() kobject_get() By placing some extra BUG_ON() statements I could verify that this is raised because probing of the 'dummy' regulator driver is not completed ('dummy_regulator_rdev' is still NULL). In the JTAG debugger I can see that dummy_regulator_probe() and anatop_regulator_probe() can be run by different kernel threads (kworker/u4:*). I haven't further investigated whether this can be changed or if there are other possibilities to force synchronization between these two probe routines. On the other hand I don't expect much boot time penalty by probing the 'dummy' regulator synchronously. Cc: stable(a)vger.kernel.org Fixes: 259b93b21a9f ("regulator: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in 4.14") Signed-off-by: Christian Eggers <ceggers(a)arri.de> --- v2: - no changes v3: - no changes drivers/regulator/dummy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/regulator/dummy.c b/drivers/regulator/dummy.c index 5b9b9e4e762d..9f59889129ab 100644 --- a/drivers/regulator/dummy.c +++ b/drivers/regulator/dummy.c @@ -60,7 +60,7 @@ static struct platform_driver dummy_regulator_driver = { .probe = dummy_regulator_probe, .driver = { .name = "reg-dummy", - .probe_type = PROBE_PREFER_ASYNCHRONOUS, + .probe_type = PROBE_FORCE_SYNCHRONOUS, }, }; -- 2.44.1

6 months

1
0
0 0

[PATCH] media: v4l2-dev: fix error handling in __video_register_device()

by Ma Ke

Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. As comment of device_register() says, 'NOTE: _Never_ directly free @dev after calling this function, even if it returned an error! Always use put_device() to give up the reference initialized in this function instead.' Found by code review. Cc: stable(a)vger.kernel.org Fixes: baa057e29b58 ("media: v4l2-dev: use pr_foo() for printing messages") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/media/v4l2-core/v4l2-dev.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/media/v4l2-core/v4l2-dev.c b/drivers/media/v4l2-core/v4l2-dev.c index 5bcaeeba4d09..1619614e96bf 100644 --- a/drivers/media/v4l2-core/v4l2-dev.c +++ b/drivers/media/v4l2-core/v4l2-dev.c @@ -1060,6 +1060,7 @@ int __video_register_device(struct video_device *vdev, if (ret < 0) { mutex_unlock(&videodev_lock); pr_err("%s: device_register failed\n", __func__); + put_device(&vdev->dev); goto cleanup; } /* Register the release callback that will be called when the last -- 2.25.1

6 months

2
1
0 0

[PATCH] [SCSI] iscsi: fix error handling in iscsi_add_session()

by Ma Ke

Once device_add() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8434aa8b6fe5 ("[SCSI] iscsi: break up session creation into two stages") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/scsi/scsi_transport_iscsi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c index 9c347c64c315..74333e182612 100644 --- a/drivers/scsi/scsi_transport_iscsi.c +++ b/drivers/scsi/scsi_transport_iscsi.c @@ -2114,6 +2114,7 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id) release_dev: device_del(&session->dev); release_ida: + put_device(&session->dev); if (session->ida_used) ida_free(&iscsi_sess_ida, session->target_id); destroy_wq: -- 2.25.1

6 months

2
1
0 0

[PATCH] Bluetooth: fix error handling in hci_register_dev()

by Ma Ke

Once device_add() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 54506918059a ("Bluetooth: Move SMP initialization after HCI init") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- net/bluetooth/hci_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c index e7ec12437c8b..c03fd16d3c46 100644 --- a/net/bluetooth/hci_core.c +++ b/net/bluetooth/hci_core.c @@ -2641,6 +2641,7 @@ int hci_register_dev(struct hci_dev *hdev) return id; err_wqueue: + put_device(&hdev->dev); debugfs_remove_recursive(hdev->debugfs); destroy_workqueue(hdev->workqueue); destroy_workqueue(hdev->req_workqueue); -- 2.25.1

6 months

2
1
0 0

[PATCH] Input: fix error handling in input_register_device()

by Ma Ke

Once device_add() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 0cd587735205 ("Input: preallocate memory to hold event values") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/input/input.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/input/input.c b/drivers/input/input.c index c9e3ac64bcd0..2e70f346dadc 100644 --- a/drivers/input/input.c +++ b/drivers/input/input.c @@ -2424,6 +2424,7 @@ int input_register_device(struct input_dev *dev) err_device_del: device_del(&dev->dev); err_devres_free: + put_device(&dev->dev); devres_free(devres); return error; } -- 2.25.1

6 months

2
1
0 0

[PATCH] net-sysfs: fix error handling in netdev_register_kobject()

by Ma Ke

Once device_add() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 8ed633b9baf9 ("Revert "net-sysfs: Fix memory leak in netdev_register_kobject"") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- net/core/net-sysfs.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c index 07cb99b114bd..f443eacc9237 100644 --- a/net/core/net-sysfs.c +++ b/net/core/net-sysfs.c @@ -2169,6 +2169,7 @@ int netdev_register_kobject(struct net_device *ndev) error = device_add(dev); if (error) + put_device(dev); return error; error = register_queue_kobjects(ndev); -- 2.25.1

6 months

3
3
0 0

[PATCH] mtd: fix error handling in uif_init()

by Ma Ke

Once cdev_device_add() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 493cfaeaa0c9 ("mtd: utilize new cdev_device_add helper function") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/mtd/ubi/build.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c index ef6a22f372f9..ca4c54cf9fd4 100644 --- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -486,6 +486,7 @@ static int uif_init(struct ubi_device *ubi) kill_volumes(ubi); cdev_device_del(&ubi->cdev, &ubi->dev); out_unreg: + put_device(&ubi->dev); unregister_chrdev_region(ubi->cdev.dev, ubi->vtbl_slots + 1); ubi_err(ubi, "cannot initialize UBI %s, error %d", ubi->ubi_name, err); -- 2.25.1

6 months

2
1
0 0

[PATCH] [POWERPC] ps3: fix error handling in ps3_system_bus_device_register()

by Ma Ke

Once device_register() failed, we should call put_device() to decrement reference count for cleanup. Or it could cause memory leak. As comment of device_register() says, 'NOTE: _Never_ directly free @dev after calling this function, even if it returned an error! Always use put_device() to give up the reference initialized in this function instead.' Found by code review. Cc: stable(a)vger.kernel.org Fixes: a3d4d6435b56 ("[POWERPC] ps3: add ps3 platform system bus support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- arch/powerpc/platforms/ps3/system-bus.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/arch/powerpc/platforms/ps3/system-bus.c b/arch/powerpc/platforms/ps3/system-bus.c index afbaabf182d0..c477d0ee523a 100644 --- a/arch/powerpc/platforms/ps3/system-bus.c +++ b/arch/powerpc/platforms/ps3/system-bus.c @@ -769,6 +769,9 @@ int ps3_system_bus_device_register(struct ps3_system_bus_device *dev) pr_debug("%s:%d add %s\n", __func__, __LINE__, dev_name(&dev->core)); result = device_register(&dev->core); + if (result) + put_device(&dev->core); + return result; } -- 2.25.1

6 months

2
1
0 0

[PATCH 6.6.y] zram: fix NULL pointer in comp_algorithm_show()

by jianqi.ren.cn＠windriver.com

From: Liu Shixin <liushixin2(a)huawei.com> [ Upstream commit f364cdeb38938f9d03061682b8ff3779dd1730e5 ] LTP reported a NULL pointer dereference as followed: CPU: 7 UID: 0 PID: 5995 Comm: cat Kdump: loaded Not tainted 6.12.0-rc6+ #3 Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 pstate: 40400005 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __pi_strcmp+0x24/0x140 lr : zcomp_available_show+0x60/0x100 [zram] sp : ffff800088b93b90 x29: ffff800088b93b90 x28: 0000000000000001 x27: 0000000000400cc0 x26: 0000000000000ffe x25: ffff80007b3e2388 x24: 0000000000000000 x23: ffff80007b3e2390 x22: ffff0004041a9000 x21: ffff80007b3e2900 x20: 0000000000000000 x19: 0000000000000000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: ffff80007b3e2900 x9 : ffff80007b3cb280 x8 : 0101010101010101 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000040 x4 : 0000000000000000 x3 : 00656c722d6f7a6c x2 : 0000000000000000 x1 : ffff80007b3e2900 x0 : 0000000000000000 Call trace: __pi_strcmp+0x24/0x140 comp_algorithm_show+0x40/0x70 [zram] dev_attr_show+0x28/0x80 sysfs_kf_seq_show+0x90/0x140 kernfs_seq_show+0x34/0x48 seq_read_iter+0x1d4/0x4e8 kernfs_fop_read_iter+0x40/0x58 new_sync_read+0x9c/0x168 vfs_read+0x1a8/0x1f8 ksys_read+0x74/0x108 __arm64_sys_read+0x24/0x38 invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0xc8/0xf0 do_el0_svc+0x24/0x38 el0_svc+0x38/0x138 el0t_64_sync_handler+0xc0/0xc8 el0t_64_sync+0x188/0x190 The zram->comp_algs[ZRAM_PRIMARY_COMP] can be NULL in zram_add() if comp_algorithm_set() has not been called. User can access the zram device by sysfs after device_add_disk(), so there is a time window to trigger the NULL pointer dereference. Move it ahead device_add_disk() to make sure when user can access the zram device, it is ready. comp_algorithm_set() is protected by zram->init_lock in other places and no such problem. Link: https://lkml.kernel.org/r/20241108100147.3776123-1-liushixin2@huawei.com Fixes: 7ac07a26dea7 ("zram: preparation for multi-zcomp support") Signed-off-by: Liu Shixin <liushixin2(a)huawei.com> Reviewed-by: Sergey Senozhatsky <senozhatsky(a)chromium.org> Cc: Jens Axboe <axboe(a)kernel.dk> Cc: Minchan Kim <minchan(a)kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> [This fix does not backport zram_comp_params_reset which was introduced after v6.6, in commit f2bac7ad187d ("zram: introduce zcomp_params structure")] Signed-off-by: Jianqi Ren <jianqi.ren.cn(a)windriver.com> Signed-off-by: He Zhe <zhe.he(a)windriver.com> --- Verified the build test --- drivers/block/zram/zram_drv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/block/zram/zram_drv.c b/drivers/block/zram/zram_drv.c index b73038ad86f7..44cf0e51d7db 100644 --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -2247,6 +2247,8 @@ static int zram_add(void) zram->disk->private_data = zram; snprintf(zram->disk->disk_name, 16, "zram%d", device_id); + comp_algorithm_set(zram, ZRAM_PRIMARY_COMP, default_compressor); + /* Actual capacity set using sysfs (/sys/block/zram<id>/disksize */ set_capacity(zram->disk, 0); /* zram devices sort of resembles non-rotational disks */ @@ -2281,8 +2283,6 @@ static int zram_add(void) if (ret) goto out_cleanup_disk; - comp_algorithm_set(zram, ZRAM_PRIMARY_COMP, default_compressor); - zram_debugfs_register(zram); pr_info("Added device: %s\n", zram->disk->disk_name); return device_id; -- 2.25.1

6 months

2
1
0 0

[PATCH 5.15.y] fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super

by Miguel García

From: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> commit 91a4b1ee78cb ("fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super") This patch is a backport and fixes an UBSAN warning about shift-out-of-bounds in ntfs_fill_super() function of the NTFS3 driver. The original code incorrectly calculated MFT record size, causing undefined behavior when performing bit shifts with values that exceed type limits. The fix has been verified by executing the syzkaller reproducer test case. After applying this patch, the system successfully handles the test case without kernel panic or UBSAN warnings. Bug: https://syzkaller.appspot.com/bug?extid=010986becd65dbf9464b Reported-by: syzbot+010986becd65dbf9464b(a)syzkaller.appspotmail.com Cc: <stable(a)vger.kernel.org> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Miguel Garcia Roman <miguelgarciaroman8(a)gmail.com> (cherry picked from commit 91a4b1ee78cb100b19b70f077c247f211110348f) --- fs/ntfs3/ntfs_fs.h | 2 ++ fs/ntfs3/super.c | 63 +++++++++++++++++++++++++++++++++++----------- 2 files changed, 50 insertions(+), 15 deletions(-) diff --git a/fs/ntfs3/ntfs_fs.h b/fs/ntfs3/ntfs_fs.h index 7b46926e920c..c5ef0e0cdf59 100644 --- a/fs/ntfs3/ntfs_fs.h +++ b/fs/ntfs3/ntfs_fs.h @@ -43,9 +43,11 @@ enum utf16_endian; #define MINUS_ONE_T ((size_t)(-1)) /* Biggest MFT / smallest cluster */ #define MAXIMUM_BYTES_PER_MFT 4096 +#define MAXIMUM_SHIFT_BYTES_PER_MFT 12 #define NTFS_BLOCKS_PER_MFT_RECORD (MAXIMUM_BYTES_PER_MFT / 512) #define MAXIMUM_BYTES_PER_INDEX 4096 +#define MAXIMUM_SHIFT_BYTES_PER_INDEX 12 #define NTFS_BLOCKS_PER_INODE (MAXIMUM_BYTES_PER_INDEX / 512) /* NTFS specific error code when fixup failed. */ diff --git a/fs/ntfs3/super.c b/fs/ntfs3/super.c index 78b086527331..abab388e413f 100644 --- a/fs/ntfs3/super.c +++ b/fs/ntfs3/super.c @@ -680,7 +680,7 @@ static u32 true_sectors_per_clst(const struct NTFS_BOOT *boot) * ntfs_init_from_boot - Init internal info from on-disk boot sector. */ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, - u64 dev_size) + u64 dev_size) { struct ntfs_sb_info *sbi = sb->s_fs_info; int err; @@ -705,12 +705,12 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, /* 0x55AA is not mandaroty. Thanks Maxim Suhanov*/ /*if (0x55 != boot->boot_magic[0] || 0xAA != boot->boot_magic[1]) - * goto out; + * goto out; */ boot_sector_size = (u32)boot->bytes_per_sector[1] << 8; if (boot->bytes_per_sector[0] || boot_sector_size < SECTOR_SIZE || - !is_power_of_2(boot_sector_size)) { + !is_power_of_2(boot_sector_size)) { goto out; } @@ -733,15 +733,49 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, /* Check MFT record size. */ if ((boot->record_size < 0 && - SECTOR_SIZE > (2U << (-boot->record_size))) || - (boot->record_size >= 0 && !is_power_of_2(boot->record_size))) { + SECTOR_SIZE > (2U << (-boot->record_size))) || + (boot->record_size >= 0 && !is_power_of_2(boot->record_size))) { + goto out; + } + + /* Calculate cluster size */ + sbi->cluster_size = boot_sector_size * sct_per_clst; + sbi->cluster_bits = blksize_bits(sbi->cluster_size); + + if (boot->record_size >= 0) { + record_size = (u32)boot->record_size << sbi->cluster_bits; + } else if (-boot->record_size <= MAXIMUM_SHIFT_BYTES_PER_MFT) { + record_size = 1u << (-boot->record_size); + } else { + ntfs_err(sb, "%s: invalid record size %d.", "NTFS", + boot->record_size); + goto out; + } + + sbi->record_size = record_size; + sbi->record_bits = blksize_bits(record_size); + sbi->attr_size_tr = (5 * record_size >> 4); // ~320 bytes + + if (record_size > MAXIMUM_BYTES_PER_MFT) { + ntfs_err(sb, "Unsupported bytes per MFT record %u.", + record_size); + goto out; + } + + if (boot->index_size >= 0) { + sbi->index_size = (u32)boot->index_size << sbi->cluster_bits; + } else if (-boot->index_size <= MAXIMUM_SHIFT_BYTES_PER_INDEX) { + sbi->index_size = 1u << (-boot->index_size); + } else { + ntfs_err(sb, "%s: invalid index size %d.", "NTFS", + boot->index_size); goto out; } /* Check index record size. */ if ((boot->index_size < 0 && - SECTOR_SIZE > (2U << (-boot->index_size))) || - (boot->index_size >= 0 && !is_power_of_2(boot->index_size))) { + SECTOR_SIZE > (2U << (-boot->index_size))) || + (boot->index_size >= 0 && !is_power_of_2(boot->index_size))) { goto out; } @@ -762,9 +796,6 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, dev_size += sector_size - 1; } - sbi->cluster_size = boot_sector_size * sct_per_clst; - sbi->cluster_bits = blksize_bits(sbi->cluster_size); - sbi->mft.lbo = mlcn << sbi->cluster_bits; sbi->mft.lbo2 = mlcn2 << sbi->cluster_bits; @@ -785,9 +816,9 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, sbi->cluster_mask = sbi->cluster_size - 1; sbi->cluster_mask_inv = ~(u64)sbi->cluster_mask; sbi->record_size = record_size = boot->record_size < 0 - ? 1 << (-boot->record_size) - : (u32)boot->record_size - << sbi->cluster_bits; + ? 1 << (-boot->record_size) + : (u32)boot->record_size + << sbi->cluster_bits; if (record_size > MAXIMUM_BYTES_PER_MFT || record_size < SECTOR_SIZE) goto out; @@ -801,8 +832,8 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, ALIGN(sizeof(enum ATTR_TYPE), 8); sbi->index_size = boot->index_size < 0 - ? 1u << (-boot->index_size) - : (u32)boot->index_size << sbi->cluster_bits; + ? 1u << (-boot->index_size) + : (u32)boot->index_size << sbi->cluster_bits; sbi->volume.ser_num = le64_to_cpu(boot->serial_num); @@ -879,6 +910,8 @@ static int ntfs_init_from_boot(struct super_block *sb, u32 sector_size, return err; } + + /* * ntfs_fill_super - Try to mount. */ -- 2.34.1

6 months

4
7
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2025