In efx_devlink_info_board_cfg(), the return value of
devlink_info_serial_number_put() needs to be checked.
This could result in silent failures if the function failed.
Add error checking for efx_devlink_info_board_cfg() and
propagate any errors immediately to ensure proper
error handling and prevent silent failures.
Fixes: 14743ddd2495 ("sfc: add devlink info support for ef100")
Cc: stable(a)vger.kernel.org # v6.3+
Signed-off-by: Wentao Liang <vulab(a)iscas.ac.cn>
---
drivers/net/ethernet/sfc/efx_devlink.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/sfc/efx_devlink.c b/drivers/net/ethernet/sfc/efx_devlink.c
index 3cd750820fdd..17279bbd81d5 100644
--- a/drivers/net/ethernet/sfc/efx_devlink.c
+++ b/drivers/net/ethernet/sfc/efx_devlink.c
@@ -581,12 +581,14 @@ static int efx_devlink_info_board_cfg(struct efx_nic *efx,
{
char sn[EFX_MAX_SERIALNUM_LEN];
u8 mac_address[ETH_ALEN];
- int rc;
+ int rc, err;
rc = efx_mcdi_get_board_cfg(efx, (u8 *)mac_address, NULL, NULL);
if (!rc) {
snprintf(sn, EFX_MAX_SERIALNUM_LEN, "%pm", mac_address);
- devlink_info_serial_number_put(req, sn);
+ err = devlink_info_serial_number_put(req, sn);
+ if (err)
+ return err;
}
return rc;
}
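Review bot: The second local `err` is redundant: inside `if (!rc)` the value of `rc` is already 0, so `rc = devlink_info_serial_number_put(req, sn);` followed by the existing `return rc;` returns the put status on that path and the board-cfg status otherwise, with the same observable result as the new early return. Dropping the `int rc, err;` change keeps the function on a single status variable, which is how the rest of the function already reports errors.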
--
2.42.0.windows.2
PVH dom0 re-uses logic from PV dom0, in which RAM ranges not assigned to
dom0 are re-used as scratch memory to map foreign and grant pages. Such
logic relies on reporting those unpopulated ranges as RAM to Linux, and
mark them as reserved. This way Linux creates the underlying page
structures required for metadata management.
Such an approach works fine on PV because the initial balloon target is
calculated using Xen-specific data that doesn't take into account the
memory type changes described above. However on HVM and PVH the initial
balloon target is calculated using get_num_physpages(), and that function
does take into account the unpopulated RAM regions used as scratch space
for remote domain mappings.
This leads to PVH dom0 having an incorrect initial balloon target, which
causes malfunction (excessive memory freeing) of the balloon driver if the
dom0 memory target is later adjusted from the toolstack.
Fix this by using xen_released_pages to account for any pages that are part
of the memory map, but are already unpopulated when the balloon driver is
initialized. This accounts for any regions used for scratch remote
mappings. Note on x86 xen_released_pages definition is moved to
enlighten.c so it's uniformly available for all Xen-enabled builds.
Take the opportunity to unify PV with PVH/HVM guests regarding the usage of
get_num_physpages(), as that avoids having to add different logic for PV vs
PVH in both balloon_add_regions() and arch_xen_unpopulated_init().
Much like a6aa4eb994ee, the code in this changeset should have been part of
38620fc4e893.
Fixes: a6aa4eb994ee ('xen/x86: add extra pages to unpopulated-alloc if available')
Signed-off-by: Roger Pau Monné <roger.pau(a)citrix.com>
Reviewed-by: Juergen Gross <jgross(a)suse.com>
Cc: stable(a)vger.kernel.org
---
Changes since v2:
- For x86: Move xen_released_pages definition from setup.c (PV specific)
to enlighten.c (shared between all guest modes).
Changes since v1:
- Replace BUG_ON() with a WARN and failure to initialize the balloon
driver.
---
arch/x86/xen/enlighten.c | 10 ++++++++++
arch/x86/xen/setup.c | 3 ---
drivers/xen/balloon.c | 34 ++++++++++++++++++++++++----------
3 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
index 43dcd8c7badc..1b7710bd0d05 100644
--- a/arch/x86/xen/enlighten.c
+++ b/arch/x86/xen/enlighten.c
@@ -70,6 +70,9 @@ EXPORT_SYMBOL(xen_start_flags);
*/
struct shared_info *HYPERVISOR_shared_info = &xen_dummy_shared_info;
+/* Number of pages released from the initial allocation. */
+unsigned long xen_released_pages;
+
static __ref void xen_get_vendor(void)
{
init_cpu_devs();
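Review bot: The comment on the moved definition, `/* Number of pages released from the initial allocation. */`, still describes only the PV meaning, while the second hunk of this file now also adds `xen_extra_mem[i].n_pfns` for regions that are in the physmap but unpopulated. Since the balloon driver now reads this single value for both cases, the comment should say so, e.g. `/* Pages present in the physmap but not populated: released from the initial PV allocation, or claimed as unpopulated extra memory. */`.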
@@ -466,6 +469,13 @@ int __init arch_xen_unpopulated_init(struct resource **res)
xen_free_unpopulated_pages(1, &pg);
}
+ /*
+ * Account for the region being in the physmap but unpopulated.
+ * The value in xen_released_pages is used by the balloon
+ * driver to know how much of the physmap is unpopulated and
+ * set an accurate initial memory target.
+ */
+ xen_released_pages += xen_extra_mem[i].n_pfns;
/* Zero so region is not also added to the balloon driver. */
xen_extra_mem[i].n_pfns = 0;
}
diff --git a/arch/x86/xen/setup.c b/arch/x86/xen/setup.c
index c3db71d96c43..3823e52aef52 100644
--- a/arch/x86/xen/setup.c
+++ b/arch/x86/xen/setup.c
@@ -37,9 +37,6 @@
#define GB(x) ((uint64_t)(x) * 1024 * 1024 * 1024)
-/* Number of pages released from the initial allocation. */
-unsigned long xen_released_pages;
-
/* Memory map would allow PCI passthrough. */
bool xen_pv_pci_possible;
diff --git a/drivers/xen/balloon.c b/drivers/xen/balloon.c
index 163f7f1d70f1..ee165f4f7fe6 100644
--- a/drivers/xen/balloon.c
+++ b/drivers/xen/balloon.c
@@ -675,7 +675,7 @@ void xen_free_ballooned_pages(unsigned int nr_pages, struct page **pages)
}
EXPORT_SYMBOL(xen_free_ballooned_pages);
-static void __init balloon_add_regions(void)
+static int __init balloon_add_regions(void)
{
unsigned long start_pfn, pages;
unsigned long pfn, extra_pfn_end;
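Review bot: The new `int` return of balloon_add_regions() has no documented contract, and the body that defines it continues outside this hunk. A one-line comment above the signature would let callers know what to expect, e.g. `/* Returns 0 on success, or -ERANGE if an extra region exceeds the current page count. */`, with -ERANGE being the only failure the later hunk returns.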
@@ -698,26 +698,38 @@ static void __init balloon_add_regions(void)
for (pfn = start_pfn; pfn < extra_pfn_end; pfn++)
balloon_append(pfn_to_page(pfn));
- balloon_stats.total_pages += extra_pfn_end - start_pfn;
+ /*
+ * Extra regions are accounted for in the physmap, but need
+ * decreasing from current_pages to balloon down the initial
+ * allocation, because they are already accounted for in
+ * total_pages.
+ */
+ if (extra_pfn_end - start_pfn >= balloon_stats.current_pages) {
+ WARN(1, "Extra pages underflow current target");
+ return -ERANGE;
+ }
+ balloon_stats.current_pages -= extra_pfn_end - start_pfn;
}
+
+ return 0;
}
static int __init balloon_init(void)
{
struct task_struct *task;
+ int rc;
if (!xen_domain())
return -ENODEV;
pr_info("Initialising balloon driver\n");
-#ifdef CONFIG_XEN_PV
- balloon_stats.current_pages = xen_pv_domain()
- ? min(xen_start_info->nr_pages - xen_released_pages, max_pfn)
- : get_num_physpages();
-#else
- balloon_stats.current_pages = get_num_physpages();
-#endif
+ if (xen_released_pages >= get_num_physpages()) {
+ WARN(1, "Released pages underflow current target");
+ return -ERANGE;
+ }
+
+ balloon_stats.current_pages = get_num_physpages() - xen_released_pages;
balloon_stats.target_pages = balloon_stats.current_pages;
balloon_stats.balloon_low = 0;
balloon_stats.balloon_high = 0;
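Review bot: The underflow check `if (extra_pfn_end - start_pfn >= balloon_stats.current_pages)` runs after the `for (pfn = start_pfn; pfn < extra_pfn_end; pfn++)` loop has already appended the whole region, so on the -ERANGE path balloon_init() fails with those pages left on the balloon lists. Both bounds are known before the loop, so the check and the `balloon_stats.current_pages -=` update should be moved ahead of the `balloon_append()` loop so a rejected region is never appended. In balloon_init() the new code also calls get_num_physpages() twice; reading it once into a local, `unsigned long physpages = get_num_physpages();`, keeps the check and the assignment on the same value. balloon_add_regions() begins before this hunk and balloon_init() ends after it.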
@@ -734,7 +746,9 @@ static int __init balloon_init(void)
register_sysctl_init("xen/balloon", balloon_table);
#endif
- balloon_add_regions();
+ rc = balloon_add_regions();
+ if (rc)
+ return rc;
task = kthread_run(balloon_thread, NULL, "xen-balloon");
if (IS_ERR(task)) {
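Review bot: The new `if (rc) return rc;` fires after `register_sysctl_init("xen/balloon", balloon_table)` just above, so a failed balloon_add_regions() leaves the sysctl table exposed for a driver that never finished initialising. If register_sysctl_init() is, as its name suggests, intended for tables that are never unregistered, the cleaner fix is to move the `rc = balloon_add_regions();` call above the `#endif` block rather than to add an unregister on failure; the stats it depends on are set earlier in balloon_init(), so the ordering still holds. balloon_init() continues outside the hunk.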
--
2.48.1
Once device_register() failed, we should call put_device() to
decrement reference count for cleanup. Otherwise it could cause a memory leak.
As comment of device_register() says, 'NOTE: _Never_ directly free
@dev after calling this function, even if it returned an error! Always
use put_device() to give up the reference initialized in this function
instead.'
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
Changes in v5:
- modified the bug description as suggestions;
Changes in v4:
- deleted the redundant initialization;
Changes in v3:
- modified the patch as suggestions;
Changes in v2:
- modified the patch as suggestions.
---
arch/arm/common/locomo.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/arch/arm/common/locomo.c b/arch/arm/common/locomo.c
index cb6ef449b987..45106066a17f 100644
--- a/arch/arm/common/locomo.c
+++ b/arch/arm/common/locomo.c
@@ -223,10 +223,8 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info)
int ret;
dev = kzalloc(sizeof(struct locomo_dev), GFP_KERNEL);
- if (!dev) {
- ret = -ENOMEM;
- goto out;
- }
+ if (!dev)
+ return -ENOMEM;
/*
* If the parent device has a DMA mask associated with it,
@@ -254,10 +252,9 @@ locomo_init_one_child(struct locomo *lchip, struct locomo_dev_info *info)
NO_IRQ : lchip->irq_base + info->irq[0];
ret = device_register(&dev->dev);
- if (ret) {
- out:
- kfree(dev);
- }
+ if (ret)
+ put_device(&dev->dev);
+
return ret;
}
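Review bot: With `kfree(dev)` gone, freeing the struct on the failure path now depends entirely on `dev->dev.release` being set before device_register(), since put_device() only frees through that callback and the driver core warns and leaks when it is missing. The hunk does not show where the release callback is assigned, so confirm it is set on every path that reaches `put_device(&dev->dev);` — locomo_init_one_child() begins outside the hunk. The added blank line before `return ret;` is harmless but not needed.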
--
2.25.1
Once of_device_register() failed, we should call put_device() to
decrement reference count for cleanup. Otherwise it could cause a memory leak.
So fix this by calling put_device(), then the name can be freed in
kobject_cleanup().
As comment of device_add() says, 'if device_add() succeeds, you should
call device_del() when you want to get rid of it. If device_add() has
not succeeded, use only put_device() to drop the reference count'.
Found by code review.
Cc: stable(a)vger.kernel.org
Fixes: cf44bbc26cf1 ("[SPARC]: Beginnings of generic of_device framework.")
Signed-off-by: Ma Ke <make24(a)iscas.ac.cn>
---
arch/sparc/kernel/of_device_64.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/sparc/kernel/of_device_64.c b/arch/sparc/kernel/of_device_64.c
index f98c2901f335..4272746d7166 100644
--- a/arch/sparc/kernel/of_device_64.c
+++ b/arch/sparc/kernel/of_device_64.c
@@ -677,7 +677,7 @@ static struct platform_device * __init scan_one_device(struct device_node *dp,
if (of_device_register(op)) {
printk("%pOF: Could not register of device.\n", dp);
- kfree(op);
+ put_device(&op->dev);
op = NULL;
}
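Review bot: Replacing `kfree(op)` with `put_device(&op->dev)` only frees the allocation if `op->dev.release` has been assigned by the time of_device_register() fails; otherwise the driver core warns and the struct is leaked instead of freed. The hunk does not show the release callback being set, and scan_one_device() begins outside the hunk, so confirm it is assigned before the registration call. Keeping `op = NULL;` after the put is right, since the pointer is no longer safe to return.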
--
2.25.1
sctp_sendmsg() re-uses associations and transports when possible by
doing a lookup based on the socket endpoint and the message destination
address, and then sctp_sendmsg_to_asoc() sets the selected transport in
all the message chunks to be sent.
There's a possible race condition if another thread triggers the removal
of that selected transport, for instance, by explicitly unbinding an
address with setsockopt(SCTP_SOCKOPT_BINDX_REM), after the chunks have
been set up and before the message is sent. This causes the access to
the transport data in sctp_outq_select_transport(), when the association
outqueue is flushed, to do a use-after-free read.
This patch addresses this scenario by checking if the transport still
exists right after the chunks to be sent are set up to use it and before
proceeding to sending them. If the transport was freed since it was
found, the send is aborted. The reason to add the check here is that
once the transport is assigned to the chunks, deleting that transport
is safe, since it will also set chunk->transport to NULL in the affected
chunks. This scenario is correctly handled already, see Fixes below.
The bug was found by a private syzbot instance (see the error report [1]
and the C reproducer that triggers it [2]).
Link: https://people.igalia.com/rcn/kernel_logs/20250402__KASAN_slab-use-after-fr… [1]
Link: https://people.igalia.com/rcn/kernel_logs/20250402__KASAN_slab-use-after-fr… [2]
Cc: stable(a)vger.kernel.org
Fixes: df132eff4638 ("sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer")
Signed-off-by: Ricardo Cañuelo Navarro <rcn(a)igalia.com>
---
net/sctp/socket.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 36ee34f483d703ffcfe5ca9e6cc554fba24c75ef..9c5ff44fa73cae6a6a04790800cc33dfa08a8da9 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1787,17 +1787,24 @@ static int sctp_sendmsg_check_sflags(struct sctp_association *asoc,
return 1;
}
+static union sctp_addr *sctp_sendmsg_get_daddr(struct sock *sk,
+ const struct msghdr *msg,
+ struct sctp_cmsgs *cmsgs);
+
static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
struct msghdr *msg, size_t msg_len,
struct sctp_transport *transport,
struct sctp_sndrcvinfo *sinfo)
{
+ struct sctp_transport *aux_transport = NULL;
struct sock *sk = asoc->base.sk;
+ struct sctp_endpoint *ep = sctp_sk(sk)->ep;
struct sctp_sock *sp = sctp_sk(sk);
struct net *net = sock_net(sk);
struct sctp_datamsg *datamsg;
bool wait_connect = false;
struct sctp_chunk *chunk;
+ union sctp_addr *daddr;
long timeo;
int err;
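Review bot: The new `struct sctp_endpoint *ep = sctp_sk(sk)->ep;` repeats the `sctp_sk(sk)` call that the next line already stores in `sp`; declaring `sp` first and then `struct sctp_endpoint *ep = sp->ep;` avoids the duplicate lookup and reads as one chain. The forward declaration of sctp_sendmsg_get_daddr() is only needed because its definition sits below this function; moving the definition above would avoid carrying a prototype for a static function. sctp_sendmsg_to_asoc() continues outside the hunk.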
@@ -1869,6 +1876,15 @@ static int sctp_sendmsg_to_asoc(struct sctp_association *asoc,
sctp_set_owner_w(chunk);
chunk->transport = transport;
}
+ /* Fail if transport was deleted after lookup in sctp_sendmsg() */
+ daddr = sctp_sendmsg_get_daddr(sk, msg, NULL);
+ if (daddr) {
+ sctp_endpoint_lookup_assoc(ep, daddr, &aux_transport);
+ if (!aux_transport || aux_transport != transport) {
+ sctp_datamsg_free(datamsg);
+ goto err;
+ }
+ }
err = sctp_primitive_SEND(net, asoc, datamsg);
if (err) {
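Review bot: The new `goto err;` after `sctp_datamsg_free(datamsg);` does not assign `err`, and the only visible declaration is the uninitialised `int err;` in the earlier hunk, so the abort returns whatever value `err` last held rather than a defined error; set an explicit negative errno before the jump, e.g. `err = -EAGAIN;`. The `if (daddr)` test would also pass an error pointer into sctp_endpoint_lookup_assoc() if sctp_sendmsg_get_daddr() can return ERR_PTR (its body is outside the hunk); `if (!IS_ERR_OR_NULL(daddr))` would be the safer guard. Finally, the pointer comparison `aux_transport != transport` is only as strong as the locking around the lookup, and if the lookup takes a reference on `*aux_transport` this path never drops it — confirm the ownership rule of sctp_endpoint_lookup_assoc() before relying on this check. sctp_sendmsg_to_asoc() continues outside the hunk.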
---
base-commit: 38fec10eb60d687e30c8c6b5420d86e8149f7557
change-id: 20250402-kasan_slab-use-after-free_read_in_sctp_outq_select_transport-46c9c30bcb7d