FAILED: patch "[PATCH] ALSA: ac97: fix a double free in" failed to apply to 6.12-stable tree
The patch below does not apply to the 6.12-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
To reproduce the conflict and resubmit, you may use the following commands:
git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-6.12.y git checkout FETCH_HEAD git cherry-pick -x 830988b6cf197e6dcffdfe2008c5738e6c6c3c0f # <resolve conflicts, build, test, etc.> git commit -s git send-email --to 'stable@vger.kernel.org' --in-reply-to '2026011238-subduing-rural-1bbc@gregkh' --subject-prefix 'PATCH 6.12.y' HEAD^..
Possible dependencies:
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From 830988b6cf197e6dcffdfe2008c5738e6c6c3c0f Mon Sep 17 00:00:00 2001 From: Haoxiang Li lihaoxiang@isrc.iscas.ac.cn Date: Sat, 20 Dec 2025 00:28:45 +0800 Subject: [PATCH] ALSA: ac97: fix a double free in snd_ac97_controller_register()
If ac97_add_adapter() fails, put_device() is the correct way to drop the device reference. kfree() is not required. Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do the cleanup.
Found by code review.
Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li lihaoxiang@isrc.iscas.ac.cn Link: https://patch.msgid.link/20251219162845.657525-1-lihaoxiang@isrc.iscas.ac.cn Signed-off-by: Takashi Iwai tiwai@suse.de
diff --git a/sound/ac97/bus.c b/sound/ac97/bus.c index f4254703d29f..bb9b795e0226 100644 --- a/sound/ac97/bus.c +++ b/sound/ac97/bus.c @@ -298,6 +298,7 @@ static void ac97_adapter_release(struct device *dev) idr_remove(&ac97_adapter_idr, ac97_ctrl->nr); dev_dbg(&ac97_ctrl->adap, "adapter unregistered by %s\n", dev_name(ac97_ctrl->parent)); + kfree(ac97_ctrl); }
static const struct device_type ac97_adapter_type = { @@ -319,7 +320,9 @@ static int ac97_add_adapter(struct ac97_controller *ac97_ctrl) ret = device_register(&ac97_ctrl->adap); if (ret) put_device(&ac97_ctrl->adap); - } + } else + kfree(ac97_ctrl); + if (!ret) { list_add(&ac97_ctrl->controllers, &ac97_controllers); dev_dbg(&ac97_ctrl->adap, "adapter registered by %s\n", @@ -361,14 +364,11 @@ struct ac97_controller *snd_ac97_controller_register( ret = ac97_add_adapter(ac97_ctrl);
if (ret) - goto err; + return ERR_PTR(ret); ac97_bus_reset(ac97_ctrl); ac97_bus_scan(ac97_ctrl);
return ac97_ctrl; -err: - kfree(ac97_ctrl); - return ERR_PTR(ret); } EXPORT_SYMBOL_GPL(snd_ac97_controller_register);
From: Takashi Iwai tiwai@suse.de
[ Upstream commit c07824a14d99c10edd4ec4c389d219af336ecf20 ]
Replace the manual mutex lock/unlock pairs with guard() for code simplification.
Only code refactoring, and no behavior change.
Signed-off-by: Takashi Iwai tiwai@suse.de Link: https://patch.msgid.link/20250829151335.7342-18-tiwai@suse.de Stable-dep-of: 830988b6cf19 ("ALSA: ac97: fix a double free in snd_ac97_controller_register()") Signed-off-by: Sasha Levin sashal@kernel.org --- sound/ac97/bus.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-)
diff --git a/sound/ac97/bus.c b/sound/ac97/bus.c index 96d4d7eb879f3..bdd18b50a8f19 100644 --- a/sound/ac97/bus.c +++ b/sound/ac97/bus.c @@ -241,10 +241,9 @@ static ssize_t cold_reset_store(struct device *dev, { struct ac97_controller *ac97_ctrl;
- mutex_lock(&ac97_controllers_mutex); + guard(mutex)(&ac97_controllers_mutex); ac97_ctrl = to_ac97_controller(dev); ac97_ctrl->ops->reset(ac97_ctrl); - mutex_unlock(&ac97_controllers_mutex); return len; } static DEVICE_ATTR_WO(cold_reset); @@ -258,10 +257,9 @@ static ssize_t warm_reset_store(struct device *dev, if (!dev) return -ENODEV;
- mutex_lock(&ac97_controllers_mutex); + guard(mutex)(&ac97_controllers_mutex); ac97_ctrl = to_ac97_controller(dev); ac97_ctrl->ops->warm_reset(ac97_ctrl); - mutex_unlock(&ac97_controllers_mutex); return len; } static DEVICE_ATTR_WO(warm_reset); @@ -284,10 +282,10 @@ static const struct attribute_group *ac97_adapter_groups[] = {
static void ac97_del_adapter(struct ac97_controller *ac97_ctrl) { - mutex_lock(&ac97_controllers_mutex); - ac97_ctrl_codecs_unregister(ac97_ctrl); - list_del(&ac97_ctrl->controllers); - mutex_unlock(&ac97_controllers_mutex); + scoped_guard(mutex, &ac97_controllers_mutex) { + ac97_ctrl_codecs_unregister(ac97_ctrl); + list_del(&ac97_ctrl->controllers); + }
device_unregister(&ac97_ctrl->adap); } @@ -311,7 +309,7 @@ static int ac97_add_adapter(struct ac97_controller *ac97_ctrl) { int ret;
- mutex_lock(&ac97_controllers_mutex); + guard(mutex)(&ac97_controllers_mutex); ret = idr_alloc(&ac97_adapter_idr, ac97_ctrl, 0, 0, GFP_KERNEL); ac97_ctrl->nr = ret; if (ret >= 0) { @@ -322,13 +320,11 @@ static int ac97_add_adapter(struct ac97_controller *ac97_ctrl) if (ret) put_device(&ac97_ctrl->adap); } - if (!ret) + if (!ret) { list_add(&ac97_ctrl->controllers, &ac97_controllers); - mutex_unlock(&ac97_controllers_mutex); - - if (!ret) dev_dbg(&ac97_ctrl->adap, "adapter registered by %s\n", dev_name(ac97_ctrl->parent)); + } return ret; }
From: Haoxiang Li lihaoxiang@isrc.iscas.ac.cn
[ Upstream commit 830988b6cf197e6dcffdfe2008c5738e6c6c3c0f ]
If ac97_add_adapter() fails, put_device() is the correct way to drop the device reference. kfree() is not required. Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do the cleanup.
Found by code review.
Fixes: 74426fbff66e ("ALSA: ac97: add an ac97 bus") Cc: stable@vger.kernel.org Signed-off-by: Haoxiang Li lihaoxiang@isrc.iscas.ac.cn Link: https://patch.msgid.link/20251219162845.657525-1-lihaoxiang@isrc.iscas.ac.cn Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org --- sound/ac97/bus.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/sound/ac97/bus.c b/sound/ac97/bus.c index bdd18b50a8f19..bb401cf6b9afe 100644 --- a/sound/ac97/bus.c +++ b/sound/ac97/bus.c @@ -298,6 +298,7 @@ static void ac97_adapter_release(struct device *dev) idr_remove(&ac97_adapter_idr, ac97_ctrl->nr); dev_dbg(&ac97_ctrl->adap, "adapter unregistered by %s\n", dev_name(ac97_ctrl->parent)); + kfree(ac97_ctrl); }
static const struct device_type ac97_adapter_type = { @@ -319,7 +320,9 @@ static int ac97_add_adapter(struct ac97_controller *ac97_ctrl) ret = device_register(&ac97_ctrl->adap); if (ret) put_device(&ac97_ctrl->adap); - } + } else + kfree(ac97_ctrl); + if (!ret) { list_add(&ac97_ctrl->controllers, &ac97_controllers); dev_dbg(&ac97_ctrl->adap, "adapter registered by %s\n", @@ -360,14 +363,11 @@ struct ac97_controller *snd_ac97_controller_register( ret = ac97_add_adapter(ac97_ctrl);
if (ret) - goto err; + return ERR_PTR(ret); ac97_bus_reset(ac97_ctrl); ac97_bus_scan(ac97_ctrl);
return ac97_ctrl; -err: - kfree(ac97_ctrl); - return ERR_PTR(ret); } EXPORT_SYMBOL_GPL(snd_ac97_controller_register);
linux-stable-mirror@lists.linaro.org
-
gregkh@linuxfoundation.org -
Sasha Levin