August 2024 - Linux-stable-mirror

[PATCH] ice: Fix possible double free in error handling path

by Ma Ke

When auxiliary_device_add() returns error and then calls auxiliary_device_uninit(), callback function adev_release calls kfree(iadev). We shouldn't call kfree(iadev) again in the error handling path. Set 'iadev' to NULL. Cc: stable(a)vger.kernel.org Fixes: f9f5301e7e2d ("ice: Register auxiliary device to provide RDMA") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/net/ethernet/intel/ice/ice_idc.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/intel/ice/ice_idc.c b/drivers/net/ethernet/intel/ice/ice_idc.c index 145b27f2a4ce..5db05f54a80c 100644 --- a/drivers/net/ethernet/intel/ice/ice_idc.c +++ b/drivers/net/ethernet/intel/ice/ice_idc.c @@ -330,6 +330,7 @@ int ice_plug_aux_dev(struct ice_pf *pf) return ret; } + iadev = NULL; ret = auxiliary_device_add(adev); if (ret) { auxiliary_device_uninit(adev); -- 2.25.1

10 months

2
1
0 0

[PATCH] drm/amd/display: Add null check before access structs in dcn32_enable_phantom_plane

by Ma Ke

In dcn32_enable_phantom_plane, we should better check null pointer before accessing various structs. Cc: stable(a)vger.kernel.org Fixes: 235c67634230 ("drm/amd/display: add DCN32/321 specific files for Display Core") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c index 969658313fd6..1d1b40d22f42 100644 --- a/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c +++ b/drivers/gpu/drm/amd/display/dc/resource/dcn32/dcn32_resource.c @@ -1650,6 +1650,8 @@ static void dcn32_enable_phantom_plane(struct dc *dc, phantom_plane = prev_phantom_plane; else phantom_plane = dc_state_create_phantom_plane(dc, context, curr_pipe->plane_state); + if (!phantom_plane) + return; memcpy(&phantom_plane->address, &curr_pipe->plane_state->address, sizeof(phantom_plane->address)); memcpy(&phantom_plane->scaling_quality, &curr_pipe->plane_state->scaling_quality, -- 2.25.1

10 months

1
0
0 0

[PATCH 0/4] soc: versatile: fixes and compile test

by Krzysztof Kozlowski

Hi, Three fixes for unbinding and error paths. Enable also compile testing as cherry on top. Best regards, Krzysztof --- Krzysztof Kozlowski (4): soc: versatile: integrator: fix OF node leak in probe() error path soc: versatile: realview: fix memory leak during device remove soc: versatile: realview: fix soc_dev leak during device remove soc: versatile: enable compile testing drivers/soc/Makefile | 2 +- drivers/soc/versatile/Kconfig | 4 ++-- drivers/soc/versatile/soc-integrator.c | 1 + drivers/soc/versatile/soc-realview.c | 20 ++++++++++++++++---- 4 files changed, 20 insertions(+), 7 deletions(-) --- base-commit: 80a76294855640056006e29988f99d46438dcd2b change-id: 20240825-soc-dev-fixes-ec0889be8379 Best regards, -- Krzysztof Kozlowski <krzysztof.kozlowski(a)linaro.org>

10 months

2
3
0 0

[PATCH 5.10/5.15] net:rds: Fix possible deadlock in rds_message_put

by gerben＠altlinux.org

From: Allison Henderson <allison.henderson(a)oracle.com> commit f1acf1ac84d2ae97b7889b87223c1064df850069 upstream. Functions rds_still_queued and rds_clear_recv_queue lock a given socket in order to safely iterate over the incoming rds messages. However calling rds_inc_put while under this lock creates a potential deadlock. rds_inc_put may eventually call rds_message_purge, which will lock m_rs_lock. This is the incorrect locking order since m_rs_lock is meant to be locked before the socket. To fix this, we move the message item to a local list or variable that wont need rs_recv_lock protection. Then we can safely call rds_inc_put on any item stored locally after rs_recv_lock is released. Fixes: bdbe6fbc6a2f ("RDS: recv.c") Reported-by: syzbot+f9db6ff27b9bfdcfeca0(a)syzkaller.appspotmail.com Reported-by: syzbot+dcd73ff9291e6d34b3ab(a)syzkaller.appspotmail.com Signed-off-by: Allison Henderson <allison.henderson(a)oracle.com> Link: https://lore.kernel.org/r/20240209022854.200292-1-allison.henderson@oracle.… Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Denis Rastyogin <gerben(a)altlinux.org> --- net/rds/recv.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/net/rds/recv.c b/net/rds/recv.c index 967d115f97ef..f570d64367a4 100644 --- a/net/rds/recv.c +++ b/net/rds/recv.c @@ -424,6 +424,7 @@ static int rds_still_queued(struct rds_sock *rs, struct rds_incoming *inc, struct sock *sk = rds_rs_to_sk(rs); int ret = 0; unsigned long flags; + struct rds_incoming *to_drop = NULL; write_lock_irqsave(&rs->rs_recv_lock, flags); if (!list_empty(&inc->i_item)) { @@ -434,11 +435,14 @@ static int rds_still_queued(struct rds_sock *rs, struct rds_incoming *inc, -be32_to_cpu(inc->i_hdr.h_len), inc->i_hdr.h_dport); list_del_init(&inc->i_item); - rds_inc_put(inc); + to_drop = inc; } } write_unlock_irqrestore(&rs->rs_recv_lock, flags); + if (to_drop) + rds_inc_put(to_drop); + rdsdebug("inc %p rs %p still %d dropped %d\n", inc, rs, ret, drop); return ret; } @@ -761,16 +765,21 @@ void rds_clear_recv_queue(struct rds_sock *rs) struct sock *sk = rds_rs_to_sk(rs); struct rds_incoming *inc, *tmp; unsigned long flags; + LIST_HEAD(to_drop); write_lock_irqsave(&rs->rs_recv_lock, flags); list_for_each_entry_safe(inc, tmp, &rs->rs_recv_queue, i_item) { rds_recv_rcvbuf_delta(rs, sk, inc->i_conn->c_lcong, -be32_to_cpu(inc->i_hdr.h_len), inc->i_hdr.h_dport); + list_move(&inc->i_item, &to_drop); + } + write_unlock_irqrestore(&rs->rs_recv_lock, flags); + + list_for_each_entry_safe(inc, tmp, &to_drop, i_item) { list_del_init(&inc->i_item); rds_inc_put(inc); } - write_unlock_irqrestore(&rs->rs_recv_lock, flags); } /* -- 2.42.2

10 months

1
1
0 0