- Linux-stable-mirror - lists.linaro.org

[PATCH] powerpc/flipper-pic: Fix device node reference leak in flipper_pic_init

by Miaoqian Lin

The flipper_pic_init() function calls of_get_parent() which increases the device node reference count, but fails to call of_node_put() to balance the reference count. Add calls to of_node_put() in all paths to fix the leak. Found via static analysis. Fixes: 028ee972f032 ("powerpc: gamecube/wii: flipper interrupt controller support") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- arch/powerpc/platforms/embedded6xx/flipper-pic.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/platforms/embedded6xx/flipper-pic.c b/arch/powerpc/platforms/embedded6xx/flipper-pic.c index 91a8f0a7086e..cf6f795c8d76 100644 --- a/arch/powerpc/platforms/embedded6xx/flipper-pic.c +++ b/arch/powerpc/platforms/embedded6xx/flipper-pic.c @@ -135,13 +135,13 @@ static struct irq_domain * __init flipper_pic_init(struct device_node *np) } if (!of_device_is_compatible(pi, "nintendo,flipper-pi")) { pr_err("unexpected parent compatible\n"); - goto out; + goto out_put_node; } retval = of_address_to_resource(pi, 0, &res); if (retval) { pr_err("no io memory range found\n"); - goto out; + goto out_put_node; } io_base = ioremap(res.start, resource_size(&res)); @@ -154,9 +154,12 @@ static struct irq_domain * __init flipper_pic_init(struct device_node *np) &flipper_irq_domain_ops, io_base); if (!irq_domain) { pr_err("failed to allocate irq_domain\n"); + of_node_put(pi); return NULL; } +out_put_node: + of_node_put(pi); out: return irq_domain; } -- 2.39.5 (Apple Git-154)

2 weeks

2
1
0 0

[PATCH] soc: imx: gpc: fix reference count leak in imx_gpc_remove

by Miaoqian Lin

of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 721cabf6c660 ("soc: imx: move PGC handling to a new GPC driver") Cc: stable(a)vger.kernel.org Signed-off-by: Miaoqian Lin <linmq006(a)gmail.com> --- drivers/pmdomain/imx/gpc.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/pmdomain/imx/gpc.c b/drivers/pmdomain/imx/gpc.c index 33991f3c6b55..a34b260274f7 100644 --- a/drivers/pmdomain/imx/gpc.c +++ b/drivers/pmdomain/imx/gpc.c @@ -536,6 +536,8 @@ static void imx_gpc_remove(struct platform_device *pdev) return; } } + + of_node_put(pgc_node); } static struct platform_driver imx_gpc_driver = { -- 2.39.5 (Apple Git-154)

2 weeks

2
1
0 0

[PATCH] x86/CPU/AMD: Add missing terminator for zen5_rdseed_microcode

by Mario Limonciello

Running x86_match_min_microcode_rev() on a Zen5 CPU trips up KASAN for an out of bounds access. Cc: stable(a)vger.kernel.org Fixes: 607b9fb2ce248 ("x86/CPU/AMD: Add RDSEED fix for Zen5") Signed-off-by: Mario Limonciello <mario.limonciello(a)amd.com> --- arch/x86/kernel/cpu/amd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c index 8e36964a7721..2ba9f2d42d8c 100644 --- a/arch/x86/kernel/cpu/amd.c +++ b/arch/x86/kernel/cpu/amd.c @@ -1038,6 +1038,7 @@ static void init_amd_zen4(struct cpuinfo_x86 *c) static const struct x86_cpu_id zen5_rdseed_microcode[] = { ZEN_MODEL_STEP_UCODE(0x1a, 0x02, 0x1, 0x0b00215a), ZEN_MODEL_STEP_UCODE(0x1a, 0x11, 0x0, 0x0b101054), + {}, }; static void init_amd_zen5(struct cpuinfo_x86 *c) -- 2.51.2

2 weeks

2
1
0 0

For stable: mfd: kempld-core: Don't replace resources provided by ACPI

by Michael Brunner

Mainline patch information (included since v6.9): mfd: kempld-core: Don't replace resources provided by ACPI commit 87bfb48f34192eb29a0a644e7a82fb7ab507cbd8 This patch fixes an issue with the ACPI handling of the kempld driver, that can lead to issues ranging from messed up /proc/ioports resource listing up to non booting systems. It is already included mainline since v6.9, but nevertheless it would also apply to earlier kernels starting with v5.10. Please consider to add it to the supported LTS trees in the affected range (v5.10, v5.15, v6.1 and v6.6). Many thanks, Michael Brunner

2 weeks

1
0
0 0

[PATCH v2] phy: Fix error handling in tegra_xusb_pad_init

by Ma Ke

If device_add() fails, do not use device_unregister() for error handling. device_unregister() consists two functions: device_del() and put_device(). device_unregister() should only be called after device_add() succeeded because device_del() undoes what device_add() does if successful. As comment of device_add() says, 'if device_add() succeeds, you should call device_del() when you want to get rid of it. If device_add() has not succeeded, use only put_device() to drop the reference count'. In tegra_xusb_pad_init(), both dev_set_name() and device_add() may fail. In either case, we should only use put_device(). After device_initialize(), the device has a reference count of 1. If dev_set_name() fails, device_add() has not been called. If device_add() fails, it has already cleaned up after itself. device_unregister() would incorrectly call device_del() when device_add() was never successful. Therefore, change both error paths to use put_device() instead of device_unregister(). Found by code review. Cc: stable(a)vger.kernel.org Fixes: 53d2a715c240 ("phy: Add Tegra XUSB pad controller support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- Changes in v2: - modified the Fixes tag; - modified the patch description. --- drivers/phy/tegra/xusb.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/phy/tegra/xusb.c b/drivers/phy/tegra/xusb.c index c89df95aa6ca..d89493d68699 100644 --- a/drivers/phy/tegra/xusb.c +++ b/drivers/phy/tegra/xusb.c @@ -171,16 +171,16 @@ int tegra_xusb_pad_init(struct tegra_xusb_pad *pad, err = dev_set_name(&pad->dev, "%s", pad->soc->name); if (err < 0) - goto unregister; + goto put_device; err = device_add(&pad->dev); if (err < 0) - goto unregister; + goto put_device; return 0; -unregister: - device_unregister(&pad->dev); +put_device: + put_device(&pad->dev); return err; } -- 2.17.1

2 weeks

3
2
0 0

Inquiry from Varelt SRL Company Sales Order

by VARELT IMPORT SRL

2 weeks

1
0
0 0

[PATCH 6.6.y] Revert "perf dso: Add missed dso__put to dso__load_kcore"

by jingxian.li

This reverts commit e5de9ea7796e79f3cd082624f788cc3442bff2a8. The patch introduced `map__zput(new_node->map)` in the kcore load path, causing a segmentation fault when running `perf c2c report`. The issue arises because `maps__merge_in` directly modifies and inserts the caller's `new_map`, causing it to be freed prematurely while still referenced by kmaps. Later branchs (6.12, 6.15, 6.16) are not affected because they use a different merge approach with a lazily sorted array, which avoids modifying the original `new_map`. Fixes: e5de9ea7796e ("perf dso: Add missed dso__put to dso__load_kcore") Signed-off-by: jingxian.li <jingxian.li(a)shopee.com> --- tools/perf/util/symbol.c | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c index 4f0bbebcb6d6..ea24f21aafc3 100644 --- a/tools/perf/util/symbol.c +++ b/tools/perf/util/symbol.c @@ -1366,7 +1366,6 @@ static int dso__load_kcore(struct dso *dso, struct map *map, goto out_err; } } - map__zput(new_node->map); free(new_node); } -- 2.43.0

2 weeks

2
1
0 0

[PATCH] EDAC/igen6: Fix error handling in igen6_edac driver

by Ma Ke

The igen6_edac driver fails to release reference for non-primary memory controllers during both error handling and normal shutdown. After device_initialize() is called in igen6_register_mci(), missing put_device() calls in error paths and igen6_unregister_mcis() cause reference count leaks, resulting in memory leaks and improper device cleanup. Found by code review. Cc: stable(a)vger.kernel.org Fixes: 10590a9d4f23 ("EDAC/igen6: Add EDAC driver for Intel client SoCs using IBECC") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/edac/igen6_edac.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/edac/igen6_edac.c b/drivers/edac/igen6_edac.c index 2fc59f9eed69..ee2f00b204bb 100644 --- a/drivers/edac/igen6_edac.c +++ b/drivers/edac/igen6_edac.c @@ -1300,6 +1300,8 @@ static int igen6_register_mci(int mc, void __iomem *window, struct pci_dev *pdev imc->mci = mci; return 0; fail3: + if (mc != 0) + put_device(&imc->dev); mci->pvt_info = NULL; kfree(mci->ctl_name); fail2: @@ -1326,6 +1328,8 @@ static void igen6_unregister_mcis(void) kfree(mci->ctl_name); mci->pvt_info = NULL; edac_mc_free(mci); + if (imc->mc != 0) + put_device(&imc->dev); iounmap(imc->window); } } -- 2.17.1

2 weeks

2
1
0 0

[PATCH] dccp: validate incoming Reset/Close/CloseReq in DCCP_REQUESTING

by Yizhou Zhao

DCCP sockets in DCCP_REQUESTING state do not check the sequence number or acknowledgment number for incoming Reset, CloseReq, and Close packets. As a result, an attacker can send a spoofed Reset packet while the client is in the requesting state. The client will accept the packet without any verification before receiving the reply from server and immediately close the connection, causing a denial of service (DoS) attack. The vulnerability makes the attacker able to drop the pending connection for a specific 5-tuple. Moreover, an off-path attacker with modestly higher outbound bandwidth can continually inject forged control packets to the victim client and prevent connection establishment to a given destination port on a server, causing a port-level DoS. This patch moves the processing of Reset, Close, and CloseReq packets into dccp_rcv_request_sent_state_process() and validates the ack number before accepting them. This patch should be applied to stable versions *only* before Linux 6.16, since DCCP implementation is removed in Linux 6.16. Affected versions include: - 3.1-3.19 - 4.0-4.20 - 5.0-5.19 - 6.0-6.15 We tested it on Ubuntu 24.04 LTS (Linux 6.8) and it worked as expected. Fixes: c0c2015056d7b ("dccp: Clean up slow-path input processing") Signed-off-by: Yizhou Zhao <zhaoyz24(a)mails.tsinghua.edu.cn> --- net/dccp/input.c | 54 ++++++++++++++++++++++++++++-------------------- 1 file changed, 32 insertions(+), 22 deletions(-) diff --git a/net/dccp/input.c b/net/dccp/input.c index 2cbb757a8..0b1ffb044 100644 --- a/net/dccp/input.c +++ b/net/dccp/input.c @@ -397,21 +397,22 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, * / * Response processing continues in Step 10; Reset * processing continues in Step 9 * / */ + struct dccp_sock *dp = dccp_sk(sk); + + if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, + dp->dccps_awl, dp->dccps_awh)) { + dccp_pr_debug("invalid ackno: S.AWL=%llu, " + "P.ackno=%llu, S.AWH=%llu\n", + (unsigned long long)dp->dccps_awl, + (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, + (unsigned long long)dp->dccps_awh); + goto out_invalid_packet; + } + if (dh->dccph_type == DCCP_PKT_RESPONSE) { const struct inet_connection_sock *icsk = inet_csk(sk); - struct dccp_sock *dp = dccp_sk(sk); - long tstamp = dccp_timestamp(); - - if (!between48(DCCP_SKB_CB(skb)->dccpd_ack_seq, - dp->dccps_awl, dp->dccps_awh)) { - dccp_pr_debug("invalid ackno: S.AWL=%llu, " - "P.ackno=%llu, S.AWH=%llu\n", - (unsigned long long)dp->dccps_awl, - (unsigned long long)DCCP_SKB_CB(skb)->dccpd_ack_seq, - (unsigned long long)dp->dccps_awh); - goto out_invalid_packet; - } + long tstamp = dccp_timestamp(); /* * If option processing (Step 8) failed, return 1 here so that * dccp_v4_do_rcv() sends a Reset. The Reset code depends on @@ -496,6 +497,13 @@ static int dccp_rcv_request_sent_state_process(struct sock *sk, } dccp_send_ack(sk); return -1; + } else if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); + return 0; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { + return dccp_rcv_closereq(sk, skb); + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { + return dccp_rcv_close(sk, skb); } out_invalid_packet: @@ -658,17 +666,19 @@ int dccp_rcv_state_process(struct sock *sk, struct sk_buff *skb, * Set TIMEWAIT timer * Drop packet and return */ - if (dh->dccph_type == DCCP_PKT_RESET) { - dccp_rcv_reset(sk, skb); - return 0; - } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ - if (dccp_rcv_closereq(sk, skb)) - return 0; - goto discard; - } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ - if (dccp_rcv_close(sk, skb)) + if (sk->sk_state != DCCP_REQUESTING) { + if (dh->dccph_type == DCCP_PKT_RESET) { + dccp_rcv_reset(sk, skb); return 0; - goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSEREQ) { /* Step 13 */ + if (dccp_rcv_closereq(sk, skb)) + return 0; + goto discard; + } else if (dh->dccph_type == DCCP_PKT_CLOSE) { /* Step 14 */ + if (dccp_rcv_close(sk, skb)) + return 0; + goto discard; + } } switch (sk->sk_state) { -- 2.34.1

2 weeks

2
3
0 0

[PATCH] EDAC/ie31200: Fix error handling in ie31200_register_mci

by Ma Ke

When mc > 0, ie31200_register_mci() initializes priv->dev but fails to call put_device() on it in the error path, causing a memory leak. Add proper put_device() call for priv->dev in the error handling path to balance device_initialize(). Found by code review. Cc: stable(a)vger.kernel.org Fixes: d0742284ec6d ("EDAC/ie31200: Add Intel Raptor Lake-S SoCs support") Signed-off-by: Ma Ke <make24(a)iscas.ac.cn> --- drivers/edac/ie31200_edac.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/edac/ie31200_edac.c b/drivers/edac/ie31200_edac.c index 5a080ab65476..a5a4bb24b72a 100644 --- a/drivers/edac/ie31200_edac.c +++ b/drivers/edac/ie31200_edac.c @@ -528,6 +528,8 @@ static int ie31200_register_mci(struct pci_dev *pdev, struct res_config *cfg, in fail_unmap: iounmap(window); fail_free: + if (mc > 0) + put_device(&priv->dev); edac_mc_free(mci); return ret; } -- 2.17.1

2 weeks

2
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror