- Linux-stable-mirror - lists.linaro.org

[PATCH v2 1/2] media: mediatek: mdp: fix device leak on probe

by Johan Hovold

Make sure to drop the reference taken when looking up the VPU firmware device during probe on probe failure (e.g. probe deferral) and on driver unbind. Fixes: c8eb2d7e8202 ("[media] media: Add Mediatek MDP Driver") Cc: stable(a)vger.kernel.org # 4.10 Cc: Minghsiu Tsai <minghsiu.tsai(a)mediatek.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/media/platform/mediatek/mdp/mtk_mdp_core.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c index 80fdc6ff57e0..5c7dcf4090f4 100644 --- a/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c +++ b/drivers/media/platform/mediatek/mdp/mtk_mdp_core.c @@ -198,7 +198,7 @@ static int mtk_mdp_probe(struct platform_device *pdev) VPU_RST_MDP); if (ret) { dev_err(&pdev->dev, "Failed to register reset handler\n"); - goto err_m2m_register; + goto err_put_vpu; } platform_set_drvdata(pdev, mdp); @@ -206,7 +206,7 @@ static int mtk_mdp_probe(struct platform_device *pdev) ret = vb2_dma_contig_set_max_seg_size(&pdev->dev, DMA_BIT_MASK(32)); if (ret) { dev_err(&pdev->dev, "Failed to set vb2 dma mag seg size\n"); - goto err_m2m_register; + goto err_put_vpu; } pm_runtime_enable(dev); @@ -214,6 +214,8 @@ static int mtk_mdp_probe(struct platform_device *pdev) return 0; +err_put_vpu: + put_device(&mdp->vpu_dev->dev); err_m2m_register: v4l2_device_unregister(&mdp->v4l2_dev); @@ -241,6 +243,7 @@ static void mtk_mdp_remove(struct platform_device *pdev) struct mtk_mdp_comp *comp, *comp_temp; pm_runtime_disable(&pdev->dev); + put_device(&mdp->vpu_dev->dev); vb2_dma_contig_clear_max_seg_size(&pdev->dev); mtk_mdp_unregister_m2m_device(mdp); v4l2_device_unregister(&mdp->v4l2_dev); -- 2.51.0

4 weeks, 1 day

1
0
0 0

[PATCH] drm/meson: Fix reference count leak in meson_encoder_dsi_probe

by Miaoqian Lin

The of_graph_get_remote_node() function returns a device node with its reference count incremented. The caller is responsible for calling of_node_put() to release this reference when done. Fixes: 42dcf15f901c ("drm/meson: add DSI encoder") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- drivers/gpu/drm/meson/meson_encoder_dsi.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/meson/meson_encoder_dsi.c b/drivers/gpu/drm/meson/meson_encoder_dsi.c index 6c6624f9ba24..01edf46e30d0 100644 --- a/drivers/gpu/drm/meson/meson_encoder_dsi.c +++ b/drivers/gpu/drm/meson/meson_encoder_dsi.c @@ -121,6 +121,7 @@ int meson_encoder_dsi_probe(struct meson_drm *priv) } meson_encoder_dsi->next_bridge = of_drm_find_bridge(remote); + of_node_put(remote); if (!meson_encoder_dsi->next_bridge) return dev_err_probe(priv->dev, -EPROBE_DEFER, "Failed to find DSI transceiver bridge\n"); -- 2.39.5 (Apple Git-154)

4 weeks, 1 day

2
1
0 0

[PATCH] soc: samsung: exynos-pmu: fix reference count leak in exynos_get_pmu_regmap_by_phandle

by Miaoqian Lin

The driver_find_device_by_of_node() function calls driver_find_device and returns a device with its reference count incremented. Add the missing put_device() call to release this reference after the device is used. Found via static analysis. Fixes: 0b7c6075022c ("soc: samsung: exynos-pmu: Add regmap support for SoCs that protect PMU regs") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- drivers/soc/samsung/exynos-pmu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/soc/samsung/exynos-pmu.c b/drivers/soc/samsung/exynos-pmu.c index 22c50ca2aa79..a53c1f882e1a 100644 --- a/drivers/soc/samsung/exynos-pmu.c +++ b/drivers/soc/samsung/exynos-pmu.c @@ -346,6 +346,7 @@ struct regmap *exynos_get_pmu_regmap_by_phandle(struct device_node *np, if (!dev) return ERR_PTR(-EPROBE_DEFER); + put_device(dev); return syscon_node_to_regmap(pmu_np); } EXPORT_SYMBOL_GPL(exynos_get_pmu_regmap_by_phandle); -- 2.39.5 (Apple Git-154)

4 weeks, 1 day

3
2
0 0

Hello

by Eric

4 weeks, 1 day

1
0
0 0

[PATCH] cpufreq: nforce2: fix reference count leak in nforce2

by Miaoqian Lin

There are two reference count leaks in this driver: 1. In nforce2_fsb_read(): pci_get_subsys() increases the reference count of the PCI device, but pci_dev_put() is never called to release it, thus leaking the reference. 2. In nforce2_detect_chipset(): pci_get_subsys() gets a reference to the nforce2_dev which is stored in a global variable, but the reference is never released when the module is unloaded. Fix both by: - Adding pci_dev_put(nforce2_sub5) in nforce2_fsb_read() after reading the configuration. - Adding pci_dev_put(nforce2_dev) in nforce2_exit() to release the global device reference. Found via static analysis. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- drivers/cpufreq/cpufreq-nforce2.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/cpufreq/cpufreq-nforce2.c b/drivers/cpufreq/cpufreq-nforce2.c index fedad1081973..fbbbe501cf2d 100644 --- a/drivers/cpufreq/cpufreq-nforce2.c +++ b/drivers/cpufreq/cpufreq-nforce2.c @@ -145,6 +145,8 @@ static unsigned int nforce2_fsb_read(int bootfsb) pci_read_config_dword(nforce2_sub5, NFORCE2_BOOTFSB, &fsb); fsb /= 1000000; + pci_dev_put(nforce2_sub5); + /* Check if PLL register is already set */ pci_read_config_byte(nforce2_dev, NFORCE2_PLLENABLE, (u8 *)&temp); @@ -426,6 +428,7 @@ static int __init nforce2_init(void) static void __exit nforce2_exit(void) { cpufreq_unregister_driver(&nforce2_driver); + pci_dev_put(nforce2_dev); } module_init(nforce2_init); -- 2.39.5 (Apple Git-154)

4 weeks, 1 day

2
1
0 0

[PATCH] net: phy: motorcomm: Fix the issue in the code regarding the incorrect use of time units

by Yi Cong

From: Yi Cong <yicong(a)kylinos.cn> Currently, NS (nanoseconds) is being used, but according to the datasheet, the correct unit should be PS (picoseconds). Fixes: 4869a146cd60 ("net: phy: Add BIT macro for Motorcomm yt8521/yt8531 gigabit ethernet phy") Cc: stable(a)vger.kernel.org Signed-off-by: Yi Cong <yicong(a)kylinos.cn> --- drivers/net/phy/motorcomm.c | 102 ++++++++++++++++++------------------ 1 file changed, 51 insertions(+), 51 deletions(-) diff --git a/drivers/net/phy/motorcomm.c b/drivers/net/phy/motorcomm.c index a3593e663059..81491c71e75b 100644 --- a/drivers/net/phy/motorcomm.c +++ b/drivers/net/phy/motorcomm.c @@ -171,7 +171,7 @@ * 1b1 enable 1.9ns rxc clock delay */ #define YT8521_CCR_RXC_DLY_EN BIT(8) -#define YT8521_CCR_RXC_DLY_1_900_NS 1900 +#define YT8521_CCR_RXC_DLY_1_900_PS 1900 #define YT8521_CCR_MODE_SEL_MASK (BIT(2) | BIT(1) | BIT(0)) #define YT8521_CCR_MODE_UTP_TO_RGMII 0 @@ -196,22 +196,22 @@ #define YT8521_RC1R_RX_DELAY_MASK GENMASK(13, 10) #define YT8521_RC1R_FE_TX_DELAY_MASK GENMASK(7, 4) #define YT8521_RC1R_GE_TX_DELAY_MASK GENMASK(3, 0) -#define YT8521_RC1R_RGMII_0_000_NS 0 -#define YT8521_RC1R_RGMII_0_150_NS 1 -#define YT8521_RC1R_RGMII_0_300_NS 2 -#define YT8521_RC1R_RGMII_0_450_NS 3 -#define YT8521_RC1R_RGMII_0_600_NS 4 -#define YT8521_RC1R_RGMII_0_750_NS 5 -#define YT8521_RC1R_RGMII_0_900_NS 6 -#define YT8521_RC1R_RGMII_1_050_NS 7 -#define YT8521_RC1R_RGMII_1_200_NS 8 -#define YT8521_RC1R_RGMII_1_350_NS 9 -#define YT8521_RC1R_RGMII_1_500_NS 10 -#define YT8521_RC1R_RGMII_1_650_NS 11 -#define YT8521_RC1R_RGMII_1_800_NS 12 -#define YT8521_RC1R_RGMII_1_950_NS 13 -#define YT8521_RC1R_RGMII_2_100_NS 14 -#define YT8521_RC1R_RGMII_2_250_NS 15 +#define YT8521_RC1R_RGMII_0_000_PS 0 +#define YT8521_RC1R_RGMII_0_150_PS 1 +#define YT8521_RC1R_RGMII_0_300_PS 2 +#define YT8521_RC1R_RGMII_0_450_PS 3 +#define YT8521_RC1R_RGMII_0_600_PS 4 +#define YT8521_RC1R_RGMII_0_750_PS 5 +#define YT8521_RC1R_RGMII_0_900_PS 6 +#define YT8521_RC1R_RGMII_1_050_PS 7 +#define YT8521_RC1R_RGMII_1_200_PS 8 +#define YT8521_RC1R_RGMII_1_350_PS 9 +#define YT8521_RC1R_RGMII_1_500_PS 10 +#define YT8521_RC1R_RGMII_1_650_PS 11 +#define YT8521_RC1R_RGMII_1_800_PS 12 +#define YT8521_RC1R_RGMII_1_950_PS 13 +#define YT8521_RC1R_RGMII_2_100_PS 14 +#define YT8521_RC1R_RGMII_2_250_PS 15 /* LED CONFIG */ #define YT8521_MAX_LEDS 3 @@ -800,40 +800,40 @@ struct ytphy_cfg_reg_map { static const struct ytphy_cfg_reg_map ytphy_rgmii_delays[] = { /* for tx delay / rx delay with YT8521_CCR_RXC_DLY_EN is not set. */ - { 0, YT8521_RC1R_RGMII_0_000_NS }, - { 150, YT8521_RC1R_RGMII_0_150_NS }, - { 300, YT8521_RC1R_RGMII_0_300_NS }, - { 450, YT8521_RC1R_RGMII_0_450_NS }, - { 600, YT8521_RC1R_RGMII_0_600_NS }, - { 750, YT8521_RC1R_RGMII_0_750_NS }, - { 900, YT8521_RC1R_RGMII_0_900_NS }, - { 1050, YT8521_RC1R_RGMII_1_050_NS }, - { 1200, YT8521_RC1R_RGMII_1_200_NS }, - { 1350, YT8521_RC1R_RGMII_1_350_NS }, - { 1500, YT8521_RC1R_RGMII_1_500_NS }, - { 1650, YT8521_RC1R_RGMII_1_650_NS }, - { 1800, YT8521_RC1R_RGMII_1_800_NS }, - { 1950, YT8521_RC1R_RGMII_1_950_NS }, /* default tx/rx delay */ - { 2100, YT8521_RC1R_RGMII_2_100_NS }, - { 2250, YT8521_RC1R_RGMII_2_250_NS }, + { 0, YT8521_RC1R_RGMII_0_000_PS }, + { 150, YT8521_RC1R_RGMII_0_150_PS }, + { 300, YT8521_RC1R_RGMII_0_300_PS }, + { 450, YT8521_RC1R_RGMII_0_450_PS }, + { 600, YT8521_RC1R_RGMII_0_600_PS }, + { 750, YT8521_RC1R_RGMII_0_750_PS }, + { 900, YT8521_RC1R_RGMII_0_900_PS }, + { 1050, YT8521_RC1R_RGMII_1_050_PS }, + { 1200, YT8521_RC1R_RGMII_1_200_PS }, + { 1350, YT8521_RC1R_RGMII_1_350_PS }, + { 1500, YT8521_RC1R_RGMII_1_500_PS }, + { 1650, YT8521_RC1R_RGMII_1_650_PS }, + { 1800, YT8521_RC1R_RGMII_1_800_PS }, + { 1950, YT8521_RC1R_RGMII_1_950_PS }, /* default tx/rx delay */ + { 2100, YT8521_RC1R_RGMII_2_100_PS }, + { 2250, YT8521_RC1R_RGMII_2_250_PS }, /* only for rx delay with YT8521_CCR_RXC_DLY_EN is set. */ - { 0 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_0_000_NS }, - { 150 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_0_150_NS }, - { 300 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_0_300_NS }, - { 450 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_0_450_NS }, - { 600 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_0_600_NS }, - { 750 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_0_750_NS }, - { 900 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_0_900_NS }, - { 1050 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_1_050_NS }, - { 1200 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_1_200_NS }, - { 1350 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_1_350_NS }, - { 1500 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_1_500_NS }, - { 1650 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_1_650_NS }, - { 1800 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_1_800_NS }, - { 1950 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_1_950_NS }, - { 2100 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_2_100_NS }, - { 2250 + YT8521_CCR_RXC_DLY_1_900_NS, YT8521_RC1R_RGMII_2_250_NS } + { 0 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_0_000_PS }, + { 150 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_0_150_PS }, + { 300 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_0_300_PS }, + { 450 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_0_450_PS }, + { 600 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_0_600_PS }, + { 750 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_0_750_PS }, + { 900 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_0_900_PS }, + { 1050 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_1_050_PS }, + { 1200 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_1_200_PS }, + { 1350 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_1_350_PS }, + { 1500 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_1_500_PS }, + { 1650 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_1_650_PS }, + { 1800 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_1_800_PS }, + { 1950 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_1_950_PS }, + { 2100 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_2_100_PS }, + { 2250 + YT8521_CCR_RXC_DLY_1_900_PS, YT8521_RC1R_RGMII_2_250_PS } }; static u32 ytphy_get_delay_reg_value(struct phy_device *phydev, @@ -890,10 +890,10 @@ static int ytphy_rgmii_clk_delay_config(struct phy_device *phydev) rx_reg = ytphy_get_delay_reg_value(phydev, "rx-internal-delay-ps", ytphy_rgmii_delays, tb_size, &rxc_dly_en, - YT8521_RC1R_RGMII_1_950_NS); + YT8521_RC1R_RGMII_1_950_PS); tx_reg = ytphy_get_delay_reg_value(phydev, "tx-internal-delay-ps", ytphy_rgmii_delays, tb_size, NULL, - YT8521_RC1R_RGMII_1_950_NS); + YT8521_RC1R_RGMII_1_950_PS); switch (phydev->interface) { case PHY_INTERFACE_MODE_RGMII: -- 2.25.1

4 weeks, 1 day

1
0
0 0

[PATCH] clk: rockchip: rk3588: Don't change PLL rates when setting dclk_vop2_src

by Heiko Stuebner

dclk_vop2_src currently has CLK_SET_RATE_PARENT | CLK_SET_RATE_NO_REPARENT flags set, which is vastly different than dclk_vop0_src or dclk_vop1_src, which have none of those. With these flags in dclk_vop2_src, actually setting the clock then results in a lot of other peripherals breaking, because setting the rate results in the PLL source getting changed: [ 14.898718] clk_core_set_rate_nolock: setting rate for dclk_vop2 to 152840000 [ 15.155017] clk_change_rate: setting rate for pll_gpll to 1680000000 [ clk adjusting every gpll user ] This includes possibly the other vops, i2s, spdif and even the uarts. Among other possible things, this breaks the uart console on a board I use. Sometimes it recovers later on, but there will be a big block of garbled output for a while at least. Shared PLLs should not be changed by individual users, so drop these flags from dclk_vop2_src and make the flags the same as on dclk_vop0 and dclk_vop1. Fixes: f1c506d152ff ("clk: rockchip: add clock controller for the RK3588") Cc: stable(a)vger.kernel.org Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> --- drivers/clk/rockchip/clk-rk3588.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/clk/rockchip/clk-rk3588.c b/drivers/clk/rockchip/clk-rk3588.c index 1694223f4f84..cf83242d1726 100644 --- a/drivers/clk/rockchip/clk-rk3588.c +++ b/drivers/clk/rockchip/clk-rk3588.c @@ -2094,7 +2094,7 @@ static struct rockchip_clk_branch rk3588_early_clk_branches[] __initdata = { COMPOSITE(DCLK_VOP1_SRC, "dclk_vop1_src", gpll_cpll_v0pll_aupll_p, 0, RK3588_CLKSEL_CON(111), 14, 2, MFLAGS, 9, 5, DFLAGS, RK3588_CLKGATE_CON(52), 11, GFLAGS), - COMPOSITE(DCLK_VOP2_SRC, "dclk_vop2_src", gpll_cpll_v0pll_aupll_p, CLK_SET_RATE_PARENT | CLK_SET_RATE_NO_REPARENT, + COMPOSITE(DCLK_VOP2_SRC, "dclk_vop2_src", gpll_cpll_v0pll_aupll_p, 0, RK3588_CLKSEL_CON(112), 5, 2, MFLAGS, 0, 5, DFLAGS, RK3588_CLKGATE_CON(52), 12, GFLAGS), COMPOSITE_NODIV(DCLK_VOP0, "dclk_vop0", dclk_vop0_p, -- 2.47.2

4 weeks, 1 day

5
8
0 0

[PATCH net 1/1] batman-adv: Release references to inactive interfaces

by Simon Wunderlich

From: Sven Eckelmann <sven(a)narfation.org> Trying to dump the originators or the neighbors via netlink for a meshif with an inactive primary interface is not allowed. The dump functions were checking this correctly but they didn't handle non-existing primary interfaces and existing _inactive_ interfaces differently. (Primary) batadv_hard_ifaces hold a references to a net_device. And accessing them is only allowed when either being in a RCU/spinlock protected section or when holding a valid reference to them. The netlink dump functions use the latter. But because the missing specific error handling for inactive primary interfaces, the reference was never dropped. This reference counting error was only detected when the interface should have been removed from the system: unregister_netdevice: waiting for batadv_slave_0 to become free. Usage count = 2 Cc: stable(a)vger.kernel.org Fixes: 6ecc4fd6c2f4 ("batman-adv: netlink: reduce duplicate code by returning interfaces") Reported-by: syzbot+881d65229ca4f9ae8c84(a)syzkaller.appspotmail.com Reported-by: Tetsuo Handa <penguin-kernel(a)i-love.sakura.ne.jp> Signed-off-by: Sven Eckelmann <sven(a)narfation.org> Signed-off-by: Simon Wunderlich <sw(a)simonwunderlich.de> --- net/batman-adv/originator.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/net/batman-adv/originator.c b/net/batman-adv/originator.c index a464ff96b9291..ed89d7fd1e7f4 100644 --- a/net/batman-adv/originator.c +++ b/net/batman-adv/originator.c @@ -764,11 +764,16 @@ int batadv_hardif_neigh_dump(struct sk_buff *msg, struct netlink_callback *cb) bat_priv = netdev_priv(mesh_iface); primary_if = batadv_primary_if_get_selected(bat_priv); - if (!primary_if || primary_if->if_status != BATADV_IF_ACTIVE) { + if (!primary_if) { ret = -ENOENT; goto out_put_mesh_iface; } + if (primary_if->if_status != BATADV_IF_ACTIVE) { + ret = -ENOENT; + goto out_put_primary_if; + } + hard_iface = batadv_netlink_get_hardif(bat_priv, cb); if (IS_ERR(hard_iface) && PTR_ERR(hard_iface) != -ENONET) { ret = PTR_ERR(hard_iface); @@ -1333,11 +1338,16 @@ int batadv_orig_dump(struct sk_buff *msg, struct netlink_callback *cb) bat_priv = netdev_priv(mesh_iface); primary_if = batadv_primary_if_get_selected(bat_priv); - if (!primary_if || primary_if->if_status != BATADV_IF_ACTIVE) { + if (!primary_if) { ret = -ENOENT; goto out_put_mesh_iface; } + if (primary_if->if_status != BATADV_IF_ACTIVE) { + ret = -ENOENT; + goto out_put_primary_if; + } + hard_iface = batadv_netlink_get_hardif(bat_priv, cb); if (IS_ERR(hard_iface) && PTR_ERR(hard_iface) != -ENONET) { ret = PTR_ERR(hard_iface); -- 2.47.3

4 weeks, 1 day

2
1
0 0

[PATCH] riscv: Fix memory leak in module_frob_arch_sections()

by Miaoqian Lin

The current code directly overwrites the scratch pointer with the return value of kvrealloc(). If kvrealloc() fails and returns NULL, the original buffer becomes unreachable, causing a memory leak. Fix this by using a temporary variable to store kvrealloc()'s return value and only update the scratch pointer on success. Found via static anlaysis and this is similar to commit 42378a9ca553 ("bpf, verifier: Fix memory leak in array reallocation for stack state") Fixes: be17c0df6795 ("riscv: module: Optimize PLT/GOT entry counting") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- arch/riscv/kernel/module-sections.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/arch/riscv/kernel/module-sections.c b/arch/riscv/kernel/module-sections.c index 75551ac6504c..1675cbad8619 100644 --- a/arch/riscv/kernel/module-sections.c +++ b/arch/riscv/kernel/module-sections.c @@ -119,6 +119,7 @@ int module_frob_arch_sections(Elf_Ehdr *ehdr, Elf_Shdr *sechdrs, unsigned int num_plts = 0; unsigned int num_gots = 0; Elf_Rela *scratch = NULL; + Elf_Rela *new_scratch; size_t scratch_size = 0; int i; @@ -168,9 +169,12 @@ int module_frob_arch_sections(Elf_Ehdr *ehdr, Elf_Shdr *sechdrs, scratch_size_needed = (num_scratch_relas + num_relas) * sizeof(*scratch); if (scratch_size_needed > scratch_size) { scratch_size = scratch_size_needed; - scratch = kvrealloc(scratch, scratch_size, GFP_KERNEL); - if (!scratch) + new_scratch = kvrealloc(scratch, scratch_size, GFP_KERNEL); + if (!new_scratch) { + kvfree(scratch); return -ENOMEM; + } + scratch = new_scratch; } for (size_t j = 0; j < num_relas; j++) -- 2.39.5 (Apple Git-154)

1 month

2
1
0 0

[PATCH AUTOSEL 6.17-6.1] smb/server: fix possible memory leak in smb2_read()

by Sasha Levin

From: ZhangGuoDong <zhangguodong(a)kylinos.cn> [ Upstream commit 6fced056d2cc8d01b326e6fcfabaacb9850b71a4 ] Memory leak occurs when ksmbd_vfs_read() fails. Fix this by adding the missing kvfree(). Co-developed-by: ChenXiaoSong <chenxiaosong(a)kylinos.cn> Signed-off-by: ChenXiaoSong <chenxiaosong(a)kylinos.cn> Signed-off-by: ZhangGuoDong <zhangguodong(a)kylinos.cn> Acked-by: Namjae Jeon <linkinjeon(a)kernel.org> Signed-off-by: Steve French <stfrench(a)microsoft.com> Signed-off-by: Sasha Levin <sashal(a)kernel.org> --- LLM Generated explanations, may be completely bogus: ## **Backport Status: YES** ### **Extensive Analysis** Based on comprehensive semantic code analysis and repository examination, this commit **should be backported** to stable kernel trees. --- ## **1. Code Change Analysis** The commit adds a single line to fix a memory leak in `fs/smb/server/smb2pdu.c`: ```c nbytes = ksmbd_vfs_read(work, fp, length, &offset, aux_payload_buf); if (nbytes < 0) { + kvfree(aux_payload_buf); // <-- Added line err = nbytes; goto out; } ``` **What was wrong:** Memory allocated at line 6821 (`aux_payload_buf = kvzalloc(ALIGN(length, 8), KSMBD_DEFAULT_GFP)`) was not freed when `ksmbd_vfs_read()` fails, while all other error paths properly call `kvfree()`. --- ## **2. Semantic Analysis Tools Used** ### **Tool 1: mcp__semcode__find_function** - Located `smb2_read()` in `fs/smb/server/smb2pdu.c:6727-6895` - Confirmed it's an SMB2 protocol handler (169 lines, 24 function calls) - Return type: `int` (returns error codes) ### **Tool 2: mcp__semcode__find_callers** - Result: No direct function callers - However, cross-referenced with `smb2ops.c:183` showing `smb2_read` is registered as a handler: `[SMB2_READ_HE] = { .proc = smb2_read }` - **Conclusion:** This is a protocol handler invoked by the SMB2 message dispatcher, meaning it's **directly user-triggerable** via network requests ### **Tool 3: mcp__semcode__find_calls** - Analyzed `ksmbd_vfs_read()` dependencies - Found it can fail with multiple error codes: `-EISDIR`, `-EACCES`, `-EAGAIN`, plus any errors from `kernel_read()` - **All of these failure paths trigger the memory leak** ### **Tool 4: git blame & git log** - Bug introduced: commit `e2f34481b24db2` (2021-03-16) - **4 years old!** - Recent modification: commit `06a025448b572c` (2024-11-30) changed allocation to `ALIGN(length, 8)` but didn't fix the leak - Found 15+ similar "memory leak" fixes in ksmbd history, indicating active maintenance --- ## **3. Impact Scope Analysis** ### **User Exposure: CRITICAL** - **Protocol Handler:** Any SMB client can trigger this by sending SMB2 READ requests - **Network-facing:** ksmbd is a kernel SMB server exposed to network clients - **No authentication required to trigger:** The error path can be reached even with permission errors ### **Trigger Conditions (from VFS analysis):** 1. **-EISDIR**: Client tries to read a directory 2. **-EACCES**: Permission denied (no FILE_READ_DATA or FILE_EXECUTE access) 3. **-EAGAIN**: File is locked by another process 4. **kernel_read() failures**: Various VFS/filesystem errors All of these are **easily triggerable** by malicious or misbehaving clients. ### **Memory Leak Severity: HIGH** - **Allocation size:** `ALIGN(length, 8)` where `length` is client- controlled - **Maximum per leak:** Up to `SMB3_MAX_IOSIZE` = **8 MB** (from smb2pdu.h:28) - **Default size:** `SMB21_DEFAULT_IOSIZE` = **1 MB** (from smb2pdu.h:25) - **Attack scenario:** An attacker could repeatedly: 1. Send READ requests for locked files (triggers -EAGAIN) 2. Each failed request leaks up to 8MB 3. 100 requests = 800MB leaked 4. Can exhaust server memory leading to **DoS** --- ## **4. Regression Risk Analysis** ### **Risk Level: VERY LOW** - **Change size:** Single line addition - **Operation:** Adding missing cleanup (defensive programming) - **No behavior change:** Only affects error path that already returns failure - **Idempotent:** `kvfree()` is safe to call and simply frees allocated memory - **No dependencies:** No API changes or external impact --- ## **5. Stable Tree Compliance** | Criterion | Status | Evidence | |-----------|--------|----------| | Fixes important bug | ✅ YES | Memory leak leading to potential DoS | | Small and contained | ✅ YES | 1 line change, single function | | No new features | ✅ YES | Pure bug fix | | No architectural changes | ✅ YES | No structural modifications | | Low regression risk | ✅ YES | Minimal, defensive change | | Confined to subsystem | ✅ YES | Only affects ksmbd | | User-facing impact | ✅ YES | Affects all ksmbd users | --- ## **6. Comparison with Similar Commits** Recent ksmbd fixes in the repository show similar patterns: - `379510a815cb2`: "fix possible refcount leak in smb2_sess_setup()" - `5929e98f3bb76`: "fix potential double free on smb2_read_pipe() error path" - `e523a26c05672`: "fix passing freed memory 'aux_payload_buf'" - `809d50d36e71b`: "fix memory leak in smb2_lock()" **All these are typical stable tree backport candidates** with similar characteristics (small resource leak fixes). --- ## **7. Missing Stable Tags** **Notable:** The commit lacks explicit stable tree tags: - ❌ No `Cc: stable(a)vger.kernel.org` - ❌ No `Fixes:` tag pointing to the original buggy commit However, this doesn't diminish backport worthiness - the technical merits clearly justify backporting. --- ## **Conclusion** This commit is an **excellent candidate for backporting** because: 1. **Security concern:** Remote memory exhaustion DoS vector 2. **Long-standing bug:** Present since ksmbd's introduction (4+ years) 3. **Wide impact:** Affects all ksmbd deployments 4. **Minimal risk:** Single-line defensive fix 5. **Clear bug fix:** Unambiguous resource leak on error path 6. **Pattern consistency:** Matches other successfully backported ksmbd fixes **Recommendation:** Backport to all active stable trees where ksmbd exists (5.15+). fs/smb/server/smb2pdu.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/smb/server/smb2pdu.c b/fs/smb/server/smb2pdu.c index 287200d7c0764..409b85af82e1c 100644 --- a/fs/smb/server/smb2pdu.c +++ b/fs/smb/server/smb2pdu.c @@ -6826,6 +6826,7 @@ int smb2_read(struct ksmbd_work *work) nbytes = ksmbd_vfs_read(work, fp, length, &offset, aux_payload_buf); if (nbytes < 0) { + kvfree(aux_payload_buf); err = nbytes; goto out; } -- 2.51.0

1 month

1
25
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror