Protect access to fore200e->available_cell_rate with rate_mtx lock to
prevent potential data race.
In this case, since the update depends on a prior read, a data race
could lead to a wrong fore200e.available_cell_rate value.
The field fore200e.available_cell_rate is generally protected by the lock
fore200e.rate_mtx when accessed. In all other read and write cases, this
field is consistently protected by the lock, except for this case and
during initialization.
This potential bug was detected by our experimental static analysis tool,
which analyzes locking APIs and paired functions to identify data races
and atomicity violations.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable(a)vger.kernel.org
Signed-off-by: Gui-Dong Han <hanguidong02(a)gmail.com>
Reviewed-by: Simon Horman <horms(a)kernel.org>
---
v2:
* Added a description of the data race hazard in fore200e_open(), as
suggested by Jakub Kicinski and Simon Horman.
REPOST:
* Reposting v2 as it seems to have been overlooked.
---
drivers/atm/fore200e.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c
index 4fea1149e003..f62e38571440 100644
--- a/drivers/atm/fore200e.c
+++ b/drivers/atm/fore200e.c
@@ -1374,7 +1374,9 @@ fore200e_open(struct atm_vcc *vcc)
vcc->dev_data = NULL;
+ mutex_lock(&fore200e->rate_mtx);
fore200e->available_cell_rate += vcc->qos.txtp.max_pcr;
+ mutex_unlock(&fore200e->rate_mtx);
kfree(fore200e_vcc);
return -EINVAL;
--
2.34.1
Hi Greg, Sasha,
This batch contains backported fixes for 5.10 -stable.
The following list shows the backported patch:
1) cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates")
This only includes the flowtable chunk because chain cannot be updated
in this kernel version.
Please, apply,
Thanks
Pablo Neira Ayuso (1):
netfilter: nf_tables: reject duplicate device on updates
net/netfilter/nf_tables_api.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--
2.47.3
Hi Greg, Sasha,
This batch contains backported fixes for 5.15 -stable.
The following list shows the backported patch:
1) cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates")
This only includes the flowtable chunk because chain cannot be updated
in this kernel version.
Please, apply,
Thanks
Pablo Neira Ayuso (1):
netfilter: nf_tables: reject duplicate device on updates
net/netfilter/nf_tables_api.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--
2.47.3
Hi Greg, Sasha,
This batch contains backported fixes for 6.1 -stable.
The following list shows the backported patch:
1) cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates")
This only includes the flowtable chunk because chain cannot be updated
in this kernel version.
Please, apply,
Thanks
Pablo Neira Ayuso (1):
netfilter: nf_tables: reject duplicate device on updates
net/netfilter/nf_tables_api.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--
2.47.3
Hi Greg, Sasha,
This batch contains backported fixes for 6.12 -stable.
The following list shows the backported patches:
1) Partial revert of commit dbe85d3115c7e6b5124c8b028f4f602856ea51dd
in -stable 6.12, this patch does not exist upstream. This unbreaks
old nft userspace binaries which cannot parse this shortened deletion
event.
2) cf5fb87fcdaa ("netfilter: nf_tables: reject duplicate device on updates")
Please, apply,
Thanks.
Pablo Neira Ayuso (2):
Revert "netfilter: nf_tables: Reintroduce shortened deletion notifications"
netfilter: nf_tables: reject duplicate device on updates
net/netfilter/nf_tables_api.c | 66 +++++++++++++++++------------------
1 file changed, 32 insertions(+), 34 deletions(-)
--
2.47.3
nvkm_falcon_fw::boot is allocated, but no one frees it. This causes a
kmemleak warning.
Make sure this data is deallocated.
Fixes: 2541626cfb79 ("drm/nouveau/acr: use common falcon HS FW code for ACR FWs")
Signed-off-by: Nam Cao <namcao(a)linutronix.de>
Cc: stable(a)vger.kernel.org
---
drivers/gpu/drm/nouveau/nvkm/falcon/fw.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
index cac6d64ab67d..4e8b3f1c7e25 100644
--- a/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
+++ b/drivers/gpu/drm/nouveau/nvkm/falcon/fw.c
@@ -159,6 +159,8 @@ nvkm_falcon_fw_dtor(struct nvkm_falcon_fw *fw)
nvkm_memory_unref(&fw->inst);
nvkm_falcon_fw_dtor_sigs(fw);
nvkm_firmware_dtor(&fw->fw);
+ kfree(fw->boot);
+ fw->boot = NULL;
}
static const struct nvkm_firmware_func
--
2.51.0
When obtaining the ISP1301 I2C client through the device tree, the
driver does not release the device reference in the probe failure path
or in the remove function. This could cause a reference count leak,
which may prevent the device from being properly unbound or freed,
leading to resource leakage.
Fix this by storing whether the client was obtained via device tree
and only releasing the reference in that case.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 73108aa90cbf ("USB: ohci-nxp: Use isp1301 driver")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
Changes in v2:
- only released the device reference when the ISP1301 client was obtained through device tree, not in the non-DT case where the global variable is used;
- removed unnecessary NULL checks as suggested by reviewer.
---
drivers/usb/host/ohci-nxp.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/drivers/usb/host/ohci-nxp.c b/drivers/usb/host/ohci-nxp.c
index 24d5a1dc5056..081b8c7f21a0 100644
--- a/drivers/usb/host/ohci-nxp.c
+++ b/drivers/usb/host/ohci-nxp.c
@@ -50,6 +50,7 @@ static const char hcd_name[] = "ohci-nxp";
static struct hc_driver __read_mostly ohci_nxp_hc_driver;
static struct i2c_client *isp1301_i2c_client;
+static bool isp1301_using_dt;
static void isp1301_configure_lpc32xx(void)
{
@@ -161,6 +162,7 @@ static int ohci_hcd_nxp_probe(struct platform_device *pdev)
} else {
isp1301_node = NULL;
}
+ isp1301_using_dt = (isp1301_node != NULL);
isp1301_i2c_client = isp1301_get_client(isp1301_node);
of_node_put(isp1301_node);
@@ -223,6 +225,8 @@ static int ohci_hcd_nxp_probe(struct platform_device *pdev)
fail_resource:
usb_put_hcd(hcd);
fail_disable:
+ if (isp1301_using_dt)
+ put_device(&isp1301_i2c_client->dev);
isp1301_i2c_client = NULL;
return ret;
}
@@ -234,6 +238,8 @@ static void ohci_hcd_nxp_remove(struct platform_device *pdev)
usb_remove_hcd(hcd);
ohci_nxp_stop_hc();
usb_put_hcd(hcd);
+ if (isp1301_using_dt)
+ put_device(&isp1301_i2c_client->dev);
isp1301_i2c_client = NULL;
}
--
2.17.1