linux-kernel.vger.kernel.org archive mirror
* [PATCH 4.4 027/114] drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()
  2022-01-24 18:41 [PATCH 4.4 000/114] 4.4.300-rc1 review Greg Kroah-Hartman
@ 2022-01-24 18:42 ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2022-01-24 18:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Alex Deucher, Sasha Levin

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit b220110e4cd442156f36e1d9b4914bb9e87b0d00 ]

In amdgpu_connector_lcd_native_mode(), the return value of
drm_mode_duplicate() is assigned to mode, and there is a dereference
of it in amdgpu_connector_lcd_native_mode(), which will lead to a NULL
pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_AMDGPU=m show no new warnings, and
our static analyzer no longer warns about this code.

Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
index e1d4115bd6732..80e3b41294e5f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
@@ -404,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
 	    native_mode->vdisplay != 0 &&
 	    native_mode->clock != 0) {
 		mode = drm_mode_duplicate(dev, native_mode);
+		if (!mode)
+			return NULL;
+
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		drm_mode_set_name(mode);
 
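Review bot: the new `if (!mode) return NULL;` lands between the drm_mode_duplicate() call and the first dereference at `mode->type`, which is the right place, but returning NULL makes an allocation failure indistinguishable from "no native mode available" for callers; the commit message should state that every caller of amdgpu_connector_lcd_native_mode() already handles a NULL result, since that is what makes this fix safe, and the sentence "Fix this bug add a check of mode" wants "by adding".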
@@ -418,6 +421,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
 		 * simpler.
 		 */
 		mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false);
+		if (!mode)
+			return NULL;
+
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name);
 	}
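Review bot: same pattern as the first hunk and equally needed, since drm_cvt_mode() also allocates the mode; one suggestion is to emit a DRM_DEBUG_KMS line on the failure path before `return NULL;`, mirroring the existing "Adding cvt approximation of native panel mode" message, so a missing preferred mode on an LCD panel can be diagnosed from the KMS debug log instead of showing up as a silently absent mode.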
-- 
2.34.1





* [PATCH 4.4 000/114] 4.4.300-rc1 review
@ 2022-01-24 18:41 Greg Kroah-Hartman
  2022-01-24 18:42 ` [PATCH 4.4 027/114] drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode() Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2022-01-24 18:41 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
	stable

This is the start of the stable review cycle for the 4.4.300 release.
There are 114 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 26 Jan 2022 18:39:11 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.300-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.4.300-rc1

Miaoqian Lin <linmq006@gmail.com>
    lib82596: Fix IRQ check in sni_82596_probe

Sergey Shtylyov <s.shtylyov@omp.ru>
    bcmgenet: add WOL IRQ check

Kevin Bracey <kevin@bracey.fi>
    net_sched: restore "mpu xxx" handling

Tudor Ambarus <tudor.ambarus@microchip.com>
    dmaengine: at_xdmac: Fix at_xdmac_lld struct definition

Tudor Ambarus <tudor.ambarus@microchip.com>
    dmaengine: at_xdmac: Fix lld view setting

Tudor Ambarus <tudor.ambarus@microchip.com>
    dmaengine: at_xdmac: Print debug message after realeasing the lock

Tudor Ambarus <tudor.ambarus@microchip.com>
    dmaengine: at_xdmac: Don't start transactions at tx_submit level

Eric Dumazet <edumazet@google.com>
    netns: add schedule point in ops_exit_list()

Robert Hancock <robert.hancock@calian.com>
    net: axienet: fix number of TX ring slots for available check

Robert Hancock <robert.hancock@calian.com>
    net: axienet: Wait for PhyRstCmplt after core reset

Eric Dumazet <edumazet@google.com>
    af_unix: annote lockless accesses to unix_tot_inflight & gc_in_progress

Miaoqian Lin <linmq006@gmail.com>
    parisc: pdc_stable: Fix memory leak in pdcs_register_pathentries

Tobias Waldekranz <tobias@waldekranz.com>
    net/fsl: xgmac_mdio: Fix incorrect iounmap when removing module

Tobias Waldekranz <tobias@waldekranz.com>
    powerpc/fsl/dts: Enable WA for erratum A-009885 on fman3l MDIO buses

Theodore Ts'o <tytso@mit.edu>
    ext4: don't use the orphan list when migrating an inode

Ye Bin <yebin10@huawei.com>
    ext4: Fix BUG_ON in ext4_bread when write quota data

Luís Henriques <lhenriques@suse.de>
    ext4: set csum seed in tmp inode while migrating to extents

Petr Cvachoucek <cvachoucek@gmail.com>
    ubifs: Error path in ubifs_remount_rw() seems to wrongly free write buffers

Yauhen Kharuzhy <jekhor@gmail.com>
    power: bq25890: Enable continuous conversion for ADC at charging

Christoph Hellwig <hch@lst.de>
    scsi: sr: Don't use GFP_DMA

Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
    MIPS: Octeon: Fix build errors using clang

Lakshmi Sowjanya D <lakshmi.sowjanya.d@intel.com>
    i2c: designware-pci: Fix to change data types of hcnt and lcnt parameters

Takashi Iwai <tiwai@suse.de>
    ALSA: seq: Set upper limit of processed events

Christophe Leroy <christophe.leroy@csgroup.eu>
    w1: Misuse of get_user()/put_user() reported by sparse

Joakim Tjernlund <joakim.tjernlund@infinera.com>
    i2c: mpc: Correct I2C reset procedure

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING

Heiner Kallweit <hkallweit1@gmail.com>
    i2c: i801: Don't silently correct invalid transfer size

Julia Lawall <Julia.Lawall@lip6.fr>
    powerpc/btext: add missing of_node_put

Julia Lawall <Julia.Lawall@lip6.fr>
    powerpc/cell: add missing of_node_put

Julia Lawall <Julia.Lawall@lip6.fr>
    powerpc/powernv: add missing of_node_put

Julia Lawall <Julia.Lawall@lip6.fr>
    powerpc/6xx: add missing of_node_put

John David Anglin <dave.anglin@bell.net>
    parisc: Avoid calling faulthandler_disabled() twice

Lukas Wunner <lukas@wunner.de>
    serial: core: Keep mctrl register state and cached copy in sync

Lukas Wunner <lukas@wunner.de>
    serial: pl010: Drop CR register reset on set_termios

Joe Thornber <ejt@redhat.com>
    dm space map common: add bounds check to sm_ll_lookup_bitmap()

Joe Thornber <ejt@redhat.com>
    dm btree: add a defensive bounds check to insert_at()

Florian Fainelli <f.fainelli@gmail.com>
    net: mdio: Demote probed message to debug print

Josef Bacik <josef@toxicpanda.com>
    btrfs: remove BUG_ON(!eie) in find_parent_nodes

Josef Bacik <josef@toxicpanda.com>
    btrfs: remove BUG_ON() in find_parent_nodes()

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    ACPICA: Executer: Fix the REFCLASS_REFOF case in acpi_ex_opcode_1A_0T_1R()

Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    ACPICA: Utilities: Avoid deleting the same object twice in a row

Randy Dunlap <rdunlap@infradead.org>
    um: registers: Rename function names to avoid conflicts and build problems

Zekun Shen <bruceshenzk@gmail.com>
    ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream

Kai-Heng Feng <kai.heng.feng@canonical.com>
    usb: hub: Add delay for SuperSpeed hub resume to let links transit to U0

Zhou Qingyang <zhou1615@umn.edu>
    media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()

Sean Young <sean@mess.org>
    media: igorplugusb: receiver overflow should be reported

Suresh Kumar <surkumar@redhat.com>
    net: bonding: debug: avoid printing debug logs when bond is not notifying peers

Johannes Berg <johannes.berg@intel.com>
    iwlwifi: mvm: synchronize with FW after multicast commands

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: m920x: don't use stack on USB reads

Zhou Qingyang <zhou1615@umn.edu>
    media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()

Xiongwei Song <sxwjean@gmail.com>
    floppy: Add max size check for user space request

Zekun Shen <bruceshenzk@gmail.com>
    mwifiex: Fix skb_over_panic in mwifiex_usb_recv()

Chengfeng Ye <cyeaa@connect.ust.hk>
    HSI: core: Fix return freed object in hsi_new_client

Zheyu Ma <zheyuma97@gmail.com>
    media: b2c2: Add missing check in flexcop_pci_isr:

Pavankumar Kondeti <quic_pkondeti@quicinc.com>
    usb: gadget: f_fs: Use stream_open() for endpoint files

Zekun Shen <bruceshenzk@gmail.com>
    ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply

Alexander Aring <aahringo@redhat.com>
    fs: dlm: filter user dlm messages for kernel locks

Wei Yongjun <weiyongjun1@huawei.com>
    Bluetooth: Fix debugfs entry leak in hci_register_dev()

Kamal Heib <kamalheib1@gmail.com>
    RDMA/cxgb4: Set queue pair state when being queried

Randy Dunlap <rdunlap@infradead.org>
    mips: bcm63xx: add support for clk_set_parent()

Randy Dunlap <rdunlap@infradead.org>
    mips: lantiq: add support for clk_set_parent()

Wei Yongjun <weiyongjun1@huawei.com>
    misc: lattice-ecp3-config: Fix task hung when firmware load failed

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    ASoC: samsung: idma: Check of ioremap return value

Arnd Bergmann <arnd@arndb.de>
    dmaengine: pxa/mmp: stop referencing config->slave_id

Avihai Horon <avihaih@nvidia.com>
    RDMA/core: Let ib_find_gid() continue search even after empty entry

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    uio: uio_dmem_genirq: Catch the Exception

Kees Cook <keescook@chromium.org>
    char/mwave: Adjust io port register size

Bixuan Cui <cuibixuan@linux.alibaba.com>
    ALSA: oss: fix compile error when OSS_DEBUG is enabled

Peiwei Hu <jlu.hpw@foxmail.com>
    powerpc/prom_init: Fix improper check of prom_getprop()

Takashi Iwai <tiwai@suse.de>
    ALSA: hda: Add missing rwsem around snd_ctl_remove() calls

Takashi Iwai <tiwai@suse.de>
    ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls

Takashi Iwai <tiwai@suse.de>
    ALSA: jack: Add missing rwsem around snd_ctl_remove() calls

Jan Kara <jack@suse.cz>
    ext4: avoid trim error on fs with small groups

Pavel Skripkin <paskripkin@gmail.com>
    net: mcs7830: handle usb read errors properly

Dominik Brodowski <linux@dominikbrodowski.net>
    pcmcia: fix setting of kthread task states

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    can: xilinx_can: xcan_probe(): check for error irq

Marc Kleine-Budde <mkl@pengutronix.de>
    can: softing: softing_startstop(): fix set but not used variable warning

Miaoqian Lin <linmq006@gmail.com>
    spi: spi-meson-spifc: Add missing pm_runtime_disable() in meson_spifc_probe

Eric Dumazet <edumazet@google.com>
    ppp: ensure minimum packet size in ppp_write()

Zhou Qingyang <zhou1615@umn.edu>
    pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region()

Zhou Qingyang <zhou1615@umn.edu>
    pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region()

Wei Yongjun <weiyongjun1@huawei.com>
    usb: ftdi-elan: fix memory leak on device disconnect

Wang Hai <wanghai38@huawei.com>
    media: msi001: fix possible null-ptr-deref in msi001_probe()

Zhou Qingyang <zhou1615@umn.edu>
    media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()

Zhou Qingyang <zhou1615@umn.edu>
    media: dib8000: Fix a memleak in dib8000_init()

Tasos Sahanidis <tasos@tasossah.com>
    floppy: Fix hang in watchdog when disk is ejected

Lino Sanfilippo <LinoSanfilippo@gmx.de>
    serial: amba-pl011: do not request memory region twice

Zhou Qingyang <zhou1615@umn.edu>
    drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    arm64: dts: qcom: msm8916: fix MMC controller aliases

Florian Westphal <fw@strlen.de>
    netfilter: bridge: add support for pppoe filtering

Tudor Ambarus <tudor.ambarus@microchip.com>
    tty: serial: atmel: Call dma_async_issue_pending()

Tudor Ambarus <tudor.ambarus@microchip.com>
    tty: serial: atmel: Check return code of dmaengine_submit()

Chengfeng Ye <cyeaa@connect.ust.hk>
    crypto: qce - fix uaf on qce_ahash_register_one

Pavel Skripkin <paskripkin@gmail.com>
    Bluetooth: stop proccessing malicious adv data

Wang Hai <wanghai38@huawei.com>
    Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails

Yifeng Li <tomli@tomli.me>
    PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller

Johan Hovold <johan@kernel.org>
    can: softing_cs: softingcs_probe(): fix memleak on registration failure

Johan Hovold <johan@kernel.org>
    media: stk1160: fix control-message timeouts

Johan Hovold <johan@kernel.org>
    media: pvrusb2: fix control-message timeouts

Michael Kuron <michael.kuron@gmail.com>
    media: dib0700: fix undefined behavior in tuner shutdown

Johan Hovold <johan@kernel.org>
    media: em28xx: fix control-message timeouts

Johan Hovold <johan@kernel.org>
    media: mceusb: fix control-message timeouts

Mateusz Jończyk <mat.jonczyk@o2.pl>
    rtc: cmos: take rtc_lock while reading from CMOS

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind()

Jann Horn <jannh@google.com>
    HID: uhid: Fix worker destroying device without any protection

Larry Finger <Larry.Finger@lwfinger.net>
    rtlwifi: rtl8192cu: Fix WARNING when calling local_irq_restore() with interrupts enabled

Johan Hovold <johan@kernel.org>
    media: uvcvideo: fix division by zero at stream start

Nathan Chancellor <nathan@kernel.org>
    drm/i915: Avoid bitwise vs logical OR warning in snb_wm_latency_quirk()

Brian Silverman <brian.silverman@bluerivertech.com>
    can: gs_usb: gs_can_start_xmit(): zero-initialize hf->{flags,reserved}

Marc Kleine-Budde <mkl@pengutronix.de>
    can: gs_usb: fix use of uninitialized variable, detach device on reception of invalid USB data

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    mfd: intel-lpss: Fix too early PM enablement in the ACPI ->probe()

Alan Stern <stern@rowland.harvard.edu>
    USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status

Alan Stern <stern@rowland.harvard.edu>
    USB: core: Fix bug in resuming hub's handling of wakeup requests

Johan Hovold <johan@kernel.org>
    Bluetooth: bfusb: fix division by zero in send path


-------------

Diffstat:

 Makefile                                           |  4 +--
 arch/arm64/boot/dts/qcom/msm8916.dtsi              |  4 +--
 arch/mips/bcm63xx/clk.c                            |  6 ++++
 arch/mips/include/asm/octeon/cvmx-bootinfo.h       |  4 +--
 arch/mips/lantiq/clk.c                             |  6 ++++
 arch/parisc/kernel/traps.c                         |  2 +-
 arch/powerpc/boot/dts/fsl/qoriq-fman3l-0.dtsi      |  2 ++
 arch/powerpc/kernel/btext.c                        |  4 ++-
 arch/powerpc/kernel/prom_init.c                    |  2 +-
 arch/powerpc/kernel/smp.c                          |  2 ++
 arch/powerpc/platforms/cell/iommu.c                |  1 +
 arch/powerpc/platforms/embedded6xx/hlwd-pic.c      |  1 +
 arch/powerpc/platforms/powernv/opal-lpc.c          |  1 +
 arch/um/include/shared/registers.h                 |  4 +--
 arch/um/os-Linux/registers.c                       |  4 +--
 arch/um/os-Linux/start_up.c                        |  2 +-
 arch/x86/um/syscalls_64.c                          |  3 +-
 drivers/acpi/acpica/exoparg1.c                     |  3 +-
 drivers/acpi/acpica/utdelete.c                     |  1 +
 drivers/block/floppy.c                             |  6 ++--
 drivers/bluetooth/bfusb.c                          |  3 ++
 drivers/char/mwave/3780i.h                         |  2 +-
 drivers/crypto/qce/sha.c                           |  2 +-
 drivers/dma/at_xdmac.c                             | 32 ++++++++++------------
 drivers/dma/mmp_pdma.c                             |  6 ----
 drivers/dma/pxa_dma.c                              |  7 -----
 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c     |  6 ++++
 drivers/gpu/drm/i915/intel_pm.c                    |  6 ++--
 drivers/hid/uhid.c                                 | 29 +++++++++++++++++---
 drivers/hsi/hsi.c                                  |  1 +
 drivers/i2c/busses/i2c-designware-pcidrv.c         |  8 +++---
 drivers/i2c/busses/i2c-i801.c                      | 15 ++++------
 drivers/i2c/busses/i2c-mpc.c                       | 23 ++++++++++------
 drivers/infiniband/core/device.c                   |  3 +-
 drivers/infiniband/hw/cxgb4/qp.c                   |  1 +
 drivers/md/persistent-data/dm-btree.c              |  8 ++++--
 drivers/md/persistent-data/dm-space-map-common.c   |  5 ++++
 drivers/media/common/saa7146/saa7146_fops.c        |  2 +-
 drivers/media/dvb-frontends/dib8000.c              |  4 ++-
 drivers/media/pci/b2c2/flexcop-pci.c               |  3 ++
 drivers/media/pci/saa7146/hexium_gemini.c          |  7 ++++-
 drivers/media/pci/saa7146/hexium_orion.c           |  8 +++++-
 drivers/media/pci/saa7146/mxb.c                    |  8 +++++-
 drivers/media/rc/igorplugusb.c                     |  4 ++-
 drivers/media/rc/mceusb.c                          |  8 +++---
 drivers/media/tuners/msi001.c                      |  7 +++++
 drivers/media/usb/dvb-usb/dib0700_core.c           |  2 --
 drivers/media/usb/dvb-usb/m920x.c                  | 12 +++++++-
 drivers/media/usb/em28xx/em28xx-core.c             |  4 +--
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c            |  8 +++---
 drivers/media/usb/stk1160/stk1160-core.c           |  4 +--
 drivers/media/usb/uvc/uvc_video.c                  |  4 +++
 drivers/mfd/intel-lpss-acpi.c                      |  7 ++++-
 drivers/misc/lattice-ecp3-config.c                 | 12 ++++----
 drivers/net/bonding/bond_main.c                    |  6 ++--
 drivers/net/can/softing/softing_cs.c               |  2 +-
 drivers/net/can/softing/softing_fw.c               | 11 ++++----
 drivers/net/can/usb/gs_usb.c                       |  5 +++-
 drivers/net/can/xilinx_can.c                       |  7 ++++-
 drivers/net/ethernet/broadcom/genet/bcmgenet.c     | 10 ++++---
 drivers/net/ethernet/freescale/xgmac_mdio.c        |  3 +-
 drivers/net/ethernet/i825xx/sni_82596.c            |  3 +-
 drivers/net/ethernet/xilinx/xilinx_axienet_main.c  | 14 ++++++++--
 drivers/net/phy/mdio_bus.c                         |  2 +-
 drivers/net/ppp/ppp_generic.c                      |  7 ++++-
 drivers/net/usb/mcs7830.c                          | 12 ++++++--
 drivers/net/wireless/ath/ar5523/ar5523.c           |  4 +++
 drivers/net/wireless/ath/ath9k/hif_usb.c           |  7 +++++
 drivers/net/wireless/iwlwifi/mvm/mac80211.c        | 17 ++++++++++++
 drivers/net/wireless/mwifiex/usb.c                 |  3 +-
 .../net/wireless/realtek/rtlwifi/rtl8192cu/hw.c    |  1 +
 drivers/parisc/pdc_stable.c                        |  4 ++-
 drivers/pci/quirks.c                               |  3 ++
 drivers/pcmcia/cs.c                                |  8 ++----
 drivers/pcmcia/rsrc_nonstatic.c                    |  6 ++++
 drivers/power/bq25890_charger.c                    |  4 +--
 drivers/rtc/rtc-cmos.c                             |  3 ++
 drivers/scsi/sr.c                                  |  2 +-
 drivers/scsi/sr_vendor.c                           |  4 +--
 drivers/spi/spi-meson-spifc.c                      |  1 +
 drivers/tty/serial/amba-pl010.c                    |  3 --
 drivers/tty/serial/amba-pl011.c                    | 27 ++----------------
 drivers/tty/serial/atmel_serial.c                  | 14 ++++++++++
 drivers/tty/serial/serial_core.c                   |  3 +-
 drivers/uio/uio_dmem_genirq.c                      |  6 +++-
 drivers/usb/core/hcd.c                             |  9 +++++-
 drivers/usb/core/hub.c                             |  7 +++--
 drivers/usb/gadget/function/f_fs.c                 |  4 +--
 drivers/usb/misc/ftdi-elan.c                       |  1 +
 drivers/w1/slaves/w1_ds28e04.c                     | 26 ++++--------------
 fs/btrfs/backref.c                                 | 21 +++++++++++---
 fs/dlm/lock.c                                      |  9 ++++++
 fs/ext4/ioctl.c                                    |  2 --
 fs/ext4/mballoc.c                                  |  8 ++++++
 fs/ext4/migrate.c                                  | 23 ++++++++--------
 fs/ext4/super.c                                    |  2 +-
 fs/ubifs/super.c                                   |  1 -
 include/net/sch_generic.h                          |  5 ++++
 net/bluetooth/cmtp/core.c                          |  4 +--
 net/bluetooth/hci_core.c                           |  1 +
 net/bluetooth/hci_event.c                          |  8 +++++-
 net/bridge/br_netfilter_hooks.c                    |  7 ++---
 net/core/net_namespace.c                           |  4 ++-
 net/nfc/llcp_sock.c                                |  5 ++++
 net/sched/sch_generic.c                            |  1 +
 net/unix/garbage.c                                 | 14 ++++++++--
 net/unix/scm.c                                     |  6 ++--
 sound/core/jack.c                                  |  3 ++
 sound/core/oss/pcm_oss.c                           |  2 +-
 sound/core/pcm.c                                   |  6 +++-
 sound/core/seq/seq_queue.c                         | 14 ++++++++--
 sound/pci/hda/hda_codec.c                          |  3 ++
 sound/soc/samsung/idma.c                           |  2 ++
 113 files changed, 485 insertions(+), 238 deletions(-)




* [PATCH] media: bttv: Fix a NULL pointer dereference in bttv_overlay()
@ 2022-01-24 17:26 Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:26 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Mauro Carvalho Chehab, Zhen Lei, Laurent Pinchart,
	Arnd Bergmann, Robert Fitzsimons, linux-media, linux-kernel

In bttv_overlay(), the return value of videobuf_sg_alloc() is assigned
to variable new and there is a dereference of it after that. The return
value of videobuf_sg_alloc() could be NULL on failure of allocation,
which could lead to a NULL pointer dereference.

Fix this bug by adding a NULL check of new.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 7c018804c090 ("V4L/DVB (7197): bttv: Fix overlay divide error")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/pci/bt8xx/bttv-driver.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
index 6338f98d845d..5aa46593ddc6 100644
--- a/drivers/media/pci/bt8xx/bttv-driver.c
+++ b/drivers/media/pci/bt8xx/bttv-driver.c
@@ -2552,6 +2552,8 @@ static int bttv_overlay(struct file *file, void *f, unsigned int on)
 	if (on) {
 		fh->ov.tvnorm = btv->tvnorm;
 		new = videobuf_sg_alloc(sizeof(*new));
+		if (!new)
+			return -ENOMEM;
 		new->crop = btv->crop[!!fh->do_crop].rect;
 		bttv_overlay_risc(btv, &fh->ov, fh->ovfmt, new);
 	} else {
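Review bot: `fh->ov.tvnorm = btv->tvnorm;` at the top of the hunk runs before the allocation, so the new `return -ENOMEM;` leaves that field updated while the overlay itself was never set up; either move the assignment below the check or confirm that the stale tvnorm is harmless to the existing overlay state. The check itself is correctly placed before `new->crop` is touched.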
-- 
2.25.1



* [PATCH] scsi: mpt3sas: Fix a NULL pointer dereference bug in mpt3sas_transport_port_add()
@ 2022-01-24 17:21 Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:21 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Sathya Prakash, Sreekanth Reddy, Suganath Prabu Subramani,
	James E.J. Bottomley, Martin K. Petersen, Nagalakshmi Nandigama,
	James Bottomley, MPT-FusionLinux.pdl, linux-scsi, linux-kernel

In mpt3sas_transport_port_add(), sas_end_device_alloc() is assigned to rphy
and there is a dereference of it. sas_end_device_alloc() could return NULL
on failure of allocation, which could introduce a NULL pointer dereference
bug.

The same as sas_expander_alloc().

Fix this bug by adding a NULL check of rphy.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: f92363d12359 ("mpt3sas: add new driver supporting 12GB SAS")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/scsi/mpt3sas/mpt3sas_transport.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_transport.c b/drivers/scsi/mpt3sas/mpt3sas_transport.c
index 0681daee6c14..1caa929cf8bc 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_transport.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_transport.c
@@ -823,6 +823,11 @@ mpt3sas_transport_port_add(struct MPT3SAS_ADAPTER *ioc, u16 handle,
 			hba_port->sas_address =
 			    mpt3sas_port->remote_identify.sas_address;
 	}
+	if (!rphy) {
+		ioc_err(ioc, "failure at %s:%d/%s()!\n",
+			__FILE__, __LINE__, __func__);
+		goto out_fail;
+	}
 
 	rphy->identify = mpt3sas_port->remote_identify;
 
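Review bot: the check is placed after the `}` that closes the branch assigning hba_port->sas_address, so it covers both the sas_end_device_alloc() and sas_expander_alloc() paths the commit message mentions, which is worth saying explicitly instead of "The same as sas_expander_alloc()". Confirm that the out_fail label releases everything allocated before this point (the mpt3sas_port whose remote_identify is read right after the check) so that the new `goto out_fail` does not leak on the allocation-failure path.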
-- 
2.25.1



* [PATCH] media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats()
@ 2022-01-24 17:20 Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:20 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Benoit Parrot, Mauro Carvalho Chehab, Hans Verkuil,
	Laurent Pinchart, linux-media, linux-kernel

In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to fw and there
is a dereference of it after that, which could lead to NULL pointer
dereference on failure of devm_kzalloc().

Fix this bug by adding a NULL check of ctx->active_fmt.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 7168155002cf ("media: ti-vpe: cal: Move format handling to cal.c and expose helpers")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/platform/ti-vpe/cal-video.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/ti-vpe/cal-video.c b/drivers/media/platform/ti-vpe/cal-video.c
index 7799da1cc261..3e936a2ca36c 100644
--- a/drivers/media/platform/ti-vpe/cal-video.c
+++ b/drivers/media/platform/ti-vpe/cal-video.c
@@ -823,6 +823,9 @@ static int cal_ctx_v4l2_init_formats(struct cal_ctx *ctx)
 	/* Enumerate sub device formats and enable all matching local formats */
 	ctx->active_fmt = devm_kcalloc(ctx->cal->dev, cal_num_formats,
 				       sizeof(*ctx->active_fmt), GFP_KERNEL);
+	if (!ctx->active_fmt)
+		return -ENOMEM;
+
 	ctx->num_active_fmt = 0;
 
 	for (j = 0, i = 0; ; ++j) {
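Review bot: the code being fixed is `devm_kcalloc()` into `ctx->active_fmt`, but the commit message talks about `devm_kzalloc()` assigned to `fw` (the same wording as the mtk-vcodec patch in this series), and the separator before the review notes is `--` rather than `---`, so git am would not strip those notes from the commit message; fix both before merging. The check itself is right: -ENOMEM is the correct return for an int-returning init helper, and since the allocation is device-managed no explicit free is needed on the new error path.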
-- 
2.25.1



* [PATCH] media: saa7134: Fix a NULL pointer dereference in saa7134_initdev()
@ 2022-01-24 17:19 Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:19 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Mauro Carvalho Chehab, Hans Verkuil, Tasos Sahanidis,
	Yang Yingliang, Christophe JAILLET, linux-media, linux-kernel

In saa7134_initdev(), the return value of vdev_init() is assigned to
dev->video_dev and there is a dereference of it after that. The return
value of vdev_init() will be NULL on allocation failure, which could
lead to NULL pointer dereference.

The same as dev->vbi_dev.

Fix this bug by adding a NULL check of dev->video_dev and dev->vbi_dev.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: a9622391acb ("V4L/DVB (6792): Fix VBI support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/pci/saa7134/saa7134-core.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/media/pci/saa7134/saa7134-core.c b/drivers/media/pci/saa7134/saa7134-core.c
index 96328b0af164..0de0b00540b6 100644
--- a/drivers/media/pci/saa7134/saa7134-core.c
+++ b/drivers/media/pci/saa7134/saa7134-core.c
@@ -1202,6 +1202,11 @@ static int saa7134_initdev(struct pci_dev *pci_dev,
 		pr_info("%s: Overlay support disabled.\n", dev->name);
 
 	dev->video_dev = vdev_init(dev,&saa7134_video_template,"video");
+	if (!dev->video_dev) {
+		err = -ENOMEM;
+		goto err_unregister_video;
+	}
+
 	dev->video_dev->ctrl_handler = &dev->ctrl_handler;
 	dev->video_dev->lock = &dev->lock;
 	dev->video_dev->queue = &dev->video_vbq;
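Review bot: on this first failure nothing has been registered yet, but the jump goes to err_unregister_video with dev->video_dev == NULL and dev->vbi_dev still unset; confirm that label's cleanup tolerates NULL pointers (video_unregister_device() does return early on a NULL vdev) and that no registration-specific teardown runs for a device that was never registered, otherwise an earlier label is the better target.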
@@ -1224,6 +1229,11 @@ static int saa7134_initdev(struct pci_dev *pci_dev,
 	       dev->name, video_device_node_name(dev->video_dev));
 
 	dev->vbi_dev = vdev_init(dev, &saa7134_video_template, "vbi");
+	if (!dev->vbi_dev) {
+		err = -ENOMEM;
+		goto err_unregister_video;
+	}
+
 	dev->vbi_dev->ctrl_handler = &dev->ctrl_handler;
 	dev->vbi_dev->lock = &dev->lock;
 	dev->vbi_dev->queue = &dev->vbi_vbq;
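Review bot: here the jump is correct in intent, since video_dev has been registered by this point and vbi_dev has not, so err_unregister_video is the right label name; still confirm that the label path does not release dev->vbi_dev unconditionally, as it is NULL on this path. The `err = -ENOMEM; goto err_unregister_video;` block is a verbatim copy of the one in the previous hunk, which is fine for two call sites but worth a shared label if a third vdev_init() ever appears.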
-- 
2.25.1



* [PATCH] media: mtk-vcodec: Fix a NULL pointer dereference in mtk_vcodec_fw_vpu_init()
@ 2022-01-24 17:15 Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:15 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Tiffany Lin, Andrew-CT Chen, Mauro Carvalho Chehab,
	Matthias Brugger, Hans Verkuil, Alexandre Courbot, linux-media,
	linux-arm-kernel, linux-mediatek, linux-kernel

In mtk_vcodec_fw_vpu_init(), devm_kzalloc() is assigned to fw and there is
a dereference of it right after that, which could lead to NULL pointer
dereference on failure of devm_kzalloc().

Fix this bug by adding a NULL check of fw.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 46233e91fa24 ("media: mtk-vcodec: move firmware implementations into their own files")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
index cd27f637dbe7..33ae88a9f9da 100644
--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_vpu.c
@@ -102,6 +102,9 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_vpu_init(struct mtk_vcodec_dev *dev,
 	vpu_wdt_reg_handler(fw_pdev, mtk_vcodec_vpu_reset_handler, dev, rst_id);
 
 	fw = devm_kzalloc(&dev->plat_dev->dev, sizeof(*fw), GFP_KERNEL);
+	if (!fw)
+		return ERR_PTR(-ENOMEM);
+
 	fw->type = VPU;
 	fw->ops = &mtk_vcodec_vpu_msg;
 	fw->pdev = fw_pdev;
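Review bot: the early `return ERR_PTR(-ENOMEM)` leaves the watchdog handler registered by vpu_wdt_reg_handler() two lines above, with `dev` as its context, although no firmware object is handed back; either move the devm_kzalloc() above that registration or explain why a dangling reset handler is acceptable on this path. Returning ERR_PTR matches the function's pointer return type, so callers must test with IS_ERR(), not against NULL.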
-- 
2.25.1



* [PATCH] media: pci: cx23855-video.c: Fix a NULL pointer dereference in cx23885_video_register()
@ 2022-01-24 17:16 18% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:16 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Mauro Carvalho Chehab, Hans Verkuil, linux-media, linux-kernel

In cx23885_video_register(), the return value of cx23885_vdev_init() is
assigned to dev->video_dev and there is a dereference of it after that.
The return value of cx23885_vdev_init() could be NULL on failure of
allocation, which could lead to a NULL pointer dereference.

The same applies to dev->vbi_dev.

Fix this bug by adding a NULL check of dev->video_dev and dev->vbi_dev.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 453afdd9ce33 ("[media] cx23885: convert to vb2")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/pci/cx23885/cx23885-video.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/media/pci/cx23885/cx23885-video.c b/drivers/media/pci/cx23885/cx23885-video.c
index a380e0920a21..1b95109eff8c 100644
--- a/drivers/media/pci/cx23885/cx23885-video.c
+++ b/drivers/media/pci/cx23885/cx23885-video.c
@@ -1353,6 +1353,11 @@ int cx23885_video_register(struct cx23885_dev *dev)
 	/* register Video device */
 	dev->video_dev = cx23885_vdev_init(dev, dev->pci,
 		&cx23885_video_template, "video");
+	if (!dev->video_dev) {
+		err = -ENOMEM;
+		goto fail_unreg;
+	}
+
 	dev->video_dev->queue = &dev->vb2_vidq;
 	dev->video_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
 				      V4L2_CAP_AUDIO | V4L2_CAP_VIDEO_CAPTURE;
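Review bot: `goto fail_unreg` is taken here before any device has been registered, so the label's cleanup must cope with `dev->video_dev` being NULL (the label is not in the hunk), and `err` must already be a declared local, since nothing in the visible context assigns it before this point; both are worth a sentence in the commit message. The second hunk reaches the same label with video_dev registered, which is the case the label was written for.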
@@ -1381,6 +1386,11 @@ int cx23885_video_register(struct cx23885_dev *dev)
 	/* register VBI device */
 	dev->vbi_dev = cx23885_vdev_init(dev, dev->pci,
 		&cx23885_vbi_template, "vbi");
+	if (!dev->vbi_dev) {
+		err = -ENOMEM;
+		goto fail_unreg;
+	}
+
 	dev->vbi_dev->queue = &dev->vb2_vbiq;
 	dev->vbi_dev->device_caps = V4L2_CAP_READWRITE | V4L2_CAP_STREAMING |
 				    V4L2_CAP_AUDIO | V4L2_CAP_VBI_CAPTURE;
-- 
2.25.1



* [PATCH] media: mtk-vcodec: Fix a NULL pointer dereference in mtk_vcodec_fw_scp_init()
@ 2022-01-24 17:07 18% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:07 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Tiffany Lin, Andrew-CT Chen, Mauro Carvalho Chehab,
	Matthias Brugger, Alexandre Courbot, Hans Verkuil, linux-media,
	linux-arm-kernel, linux-mediatek, linux-kernel

In mtk_vcodec_fw_scp_init(), devm_kzalloc() is assigned to fw and there is
a dereference of it right after that, which could lead to NULL pointer
dereference on failure of devm_kzalloc().

Fix this bug by adding a NULL check of fw.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 46233e91fa24 ("media: mtk-vcodec: move firmware implementations into their own files")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_scp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_scp.c b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_scp.c
index d8e66b645bd8..aa36bee51d01 100644
--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_scp.c
+++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_fw_scp.c
@@ -65,6 +65,9 @@ struct mtk_vcodec_fw *mtk_vcodec_fw_scp_init(struct mtk_vcodec_dev *dev)
 	}
 
 	fw = devm_kzalloc(&dev->plat_dev->dev, sizeof(*fw), GFP_KERNEL);
+	if (!fw)
+		return ERR_PTR(-ENOMEM);
+
 	fw->type = SCP;
 	fw->ops = &mtk_vcodec_rproc_msg;
 	fw->scp = scp;
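Review bot: the bail-out happens after `scp` has been obtained (it is stored into fw->scp three lines below), so if acquiring scp took a reference, this new path has to drop it before returning ERR_PTR(-ENOMEM): with no fw object, nothing will release it later. The closing `}` at the top of the hunk suggests scp was obtained in the block just above; please check that block's counterpart release and mention it in the commit message.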
-- 
2.25.1



* [PATCH] media: media/pci: Fix a NULL pointer dereference in cx23885_417_register()
@ 2022-01-24 17:06 19% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:06 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Mauro Carvalho Chehab, Hans Verkuil, linux-media, linux-kernel

In cx23885_417_register(), the return value of cx23885_video_dev_alloc()
is assigned to dev->v4l_device and there is a dereference of it after
that. The return value of cx23885_video_dev_alloc() could be NULL on
failure of allocation, which could lead to a NULL pointer dereference.

Fix this bug by adding a NULL check of dev->v4l_device.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 453afdd9ce33 ("[media] cx23885: convert to vb2")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/pci/cx23885/cx23885-417.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/pci/cx23885/cx23885-417.c b/drivers/media/pci/cx23885/cx23885-417.c
index 434677bd4ad1..fcc9c1117ed1 100644
--- a/drivers/media/pci/cx23885/cx23885-417.c
+++ b/drivers/media/pci/cx23885/cx23885-417.c
@@ -1521,6 +1521,8 @@ int cx23885_417_register(struct cx23885_dev *dev)
 	/* Allocate and initialize V4L video device */
 	dev->v4l_device = cx23885_video_dev_alloc(tsport,
 		dev->pci, &cx23885_mpeg_template, "mpeg");
+	if (!dev->v4l_device)
+		return -ENOMEM;
 	q = &dev->vb2_mpegq;
 	q->type = V4L2_BUF_TYPE_VIDEO_CAPTURE;
 	q->io_modes = VB2_MMAP | VB2_USERPTR | VB2_DMABUF | VB2_READ;
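Review bot: a bare `return -ENOMEM` differs from the sibling cx23885-video patch, which uses `goto fail_unreg`; say in the commit message that nothing set up earlier in cx23885_417_register() (tsport state, the codec handler) needs undoing at this point, or route through the function's existing error label. Style: the companion patches put a blank line after the new check; do the same before `q = &dev->vb2_mpegq;`.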
-- 
2.25.1



* [PATCH] media: bttv: Fix a NULL pointer dereference in setup_window_lock()
@ 2022-01-24 17:05 18% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:05 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Mauro Carvalho Chehab, Zhen Lei, Arnd Bergmann,
	Hans Verkuil, Michael Schimek, linux-media, linux-kernel

In setup_window_lock(), the return value of videobuf_sg_alloc() is
assigned to variable new and there is a dereference of it after
that. The return value of videobuf_sg_alloc() could be NULL on
failure of allocation, which could lead to a NULL pointer dereference.

Fix this bug by adding a NULL check of new.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: e5bd0260e7d3 ("V4L/DVB (5077): Bttv cropping support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/pci/bt8xx/bttv-driver.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
index 8cc9bec43688..6338f98d845d 100644
--- a/drivers/media/pci/bt8xx/bttv-driver.c
+++ b/drivers/media/pci/bt8xx/bttv-driver.c
@@ -2182,6 +2182,8 @@ static int setup_window_lock(struct bttv_fh *fh, struct bttv *btv,
 		struct bttv_buffer *new;
 
 		new = videobuf_sg_alloc(sizeof(*new));
+		if (!new)
+			return -ENOMEM;
 		new->crop = btv->crop[!!fh->do_crop].rect;
 		bttv_overlay_risc(btv, &fh->ov, fh->ovfmt, new);
 		retval = bttv_switch_overlay(btv,fh,new);
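Review bot: the enclosing code accumulates its result in `retval` (see `retval = bttv_switch_overlay(btv,fh,new);`) rather than returning directly; a `return -ENOMEM` from inside this block skips whatever follows it in setup_window_lock(), so either confirm the block is the last thing before the function's `return retval;` or assign `retval = -ENOMEM` and let the normal exit run.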
-- 
2.25.1



* [PATCH] media: bttv: Fix a NULL pointer dereference in bttv_s_fbuf()
@ 2022-01-24 17:04 18% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:04 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Mauro Carvalho Chehab, Zhen Lei, Laurent Pinchart,
	Arnd Bergmann, Douglas Schilling Landgraf, linux-media,
	linux-kernel

In bttv_s_fbuf(), the return value of videobuf_sg_alloc() is assigned
to variable new and there is a dereference of it after that. The return
value of videobuf_sg_alloc() could be NULL on failure of allocation,
which could lead to a NULL pointer dereference.

Fix this bug by adding a NULL check of new.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 402aa76aa5e5 ("V4L/DVB (6911): Converted bttv to use video_ioctl2")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/media/pci/bt8xx/bttv-driver.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c
index 5aa46593ddc6..c0664cffb881 100644
--- a/drivers/media/pci/bt8xx/bttv-driver.c
+++ b/drivers/media/pci/bt8xx/bttv-driver.c
@@ -2627,6 +2627,8 @@ static int bttv_s_fbuf(struct file *file, void *f,
 			struct bttv_buffer *new;
 
 			new = videobuf_sg_alloc(sizeof(*new));
+			if (!new)
+				return -ENOMEM;
 			new->crop = btv->crop[!!fh->do_crop].rect;
 			bttv_overlay_risc(btv, &fh->ov, fh->ovfmt, new);
 			retval = bttv_switch_overlay(btv, fh, new);
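Review bot: this is the same videobuf_sg_alloc() call-site pattern as the setup_window_lock() patch in this series, with the same concern that a direct `return -ENOMEM` bypasses the `retval` the surrounding code uses; consider sending the two bttv fixes as one patch so a reviewer sees both callers together, with one Fixes: tag per call site.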
-- 
2.25.1



* [PATCH] ACPI / tables: Fix a NULL pointer dereference in acpi_table_initrd_scan()
@ 2022-01-24 17:02 19% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 17:02 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Rafael J. Wysocki, Len Brown, Lv Zheng, linux-acpi, linux-kernel

In acpi_table_initrd_scan(), the return value of acpi_os_map_memory()
is assigned to table and there is a dereference of it after that.
acpi_os_map_memory() will return NULL on failure, which may lead to NULL
pointer dereference.

Fix this bug by adding a NULL check of table.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 5ae74f2cc2f1 ("ACPI / tables: Move table override mechanisms to tables.c")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/acpi/tables.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index 8b10c192ed32..356e08c4015b 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -755,6 +755,9 @@ static void __init acpi_table_initrd_scan(void)
 	while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
 		table = acpi_os_map_memory(acpi_tables_addr + table_offset,
 					   ACPI_HEADER_SIZE);
+		if (!table)
+			return;
+
 		if (table_offset + table->length > all_tables_size) {
 			acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
 			WARN_ON(1);
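Review bot: returning silently on a failed acpi_os_map_memory() truncates the initrd table scan with no diagnostic, while the length check right below it does WARN_ON(1); emit at least a pr_warn() or WARN_ON here as well so a partially applied override is visible in dmesg. The new path correctly performs no acpi_os_unmap_memory(), unlike the branch below, which unmaps `table` before warning.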
-- 
2.25.1



* [PATCH] brcmfmac: Fix a NULL pointer dereference in brcmf_of_probe()
@ 2022-01-24 16:50 18% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:50 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Arend van Spriel, Franky Lin, Hante Meuleman,
	Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo,
	David S. Miller, Jakub Kicinski, Len Baker, Gustavo A. R. Silva,
	Shawn Guo, Hans deGoede, Matthias Brugger, linux-wireless,
	brcm80211-dev-list.pdl, SHA-cyfmac-dev-list, netdev,
	linux-kernel

In brcmf_of_probe(), the return value of devm_kzalloc() is assigned to
board_type and there is a dereference of it in strcpy() right after
that. devm_kzalloc() could return NULL on failure of allocation, which
could lead to NULL pointer dereference.

Fix this bug by adding a NULL check of board_type.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 29e354ebeeec ("brcmfmac: Transform compatible string for FW loading")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
index 513c7e6421b2..535e8ddeab8d 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
@@ -80,6 +80,8 @@ void brcmf_of_probe(struct device *dev, enum brcmf_bus_type bus_type,
 		/* get rid of '/' in the compatible string to be able to find the FW */
 		len = strlen(tmp) + 1;
 		board_type = devm_kzalloc(dev, len, GFP_KERNEL);
+		if (!board_type)
+			return;
 		strscpy(board_type, tmp, len);
 		for (i = 0; i < board_type[i]; i++) {
 			if (board_type[i] == '/')
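Review bot: the `return` aborts all of brcmf_of_probe() although the surrounding block only derives board_type; if the rest of the DT parsing does not depend on board_type, skipping just this block keeps the remainder of the probe working on -ENOMEM. Also, the commit message says the dereference is in strcpy(), but the context line shows strscpy(); please correct the message.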
-- 
2.25.1



* [PATCH] drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl()
@ 2022-01-24 16:58 18% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:58 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Ben Skeggs, Karol Herbst, Lyude Paul, David Airlie,
	Daniel Vetter, dri-devel, nouveau, linux-kernel

In nvkm_acr_hsfw_load_bl(), the return value of kmalloc() is directly
passed to memcpy(), which could lead to undefined behavior on failure
of kmalloc().

Fix this bug by using kmemdup() instead of kmalloc()+memcpy().

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 22dcda45a3d1 ("drm/nouveau/acr: implement new subdev to replace "secure boot"")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c b/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
index 667fa016496e..a6ea89a5d51a 100644
--- a/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
+++ b/drivers/gpu/drm/nouveau/nvkm/subdev/acr/hsfw.c
@@ -142,11 +142,12 @@ nvkm_acr_hsfw_load_bl(struct nvkm_acr *acr, const char *name, int ver,
 
 	hsfw->imem_size = desc->code_size;
 	hsfw->imem_tag = desc->start_tag;
-	hsfw->imem = kmalloc(desc->code_size, GFP_KERNEL);
-	memcpy(hsfw->imem, data + desc->code_off, desc->code_size);
-
+	hsfw->imem = kmemdup(data + desc->code_off, desc->code_size, GFP_KERNEL);
 	nvkm_firmware_put(fw);
-	return 0;
+	if (!hsfw->imem)
+		return -ENOMEM;
+	else
+		return 0;
 }
 
 int
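Review bot: the `else` after `return -ENOMEM` is redundant; `return hsfw->imem ? 0 : -ENOMEM;`, or a plain `return 0;` after the check, reads better and avoids a checkpatch complaint. On the new failure path hsfw->imem_size and hsfw->imem_tag remain set while hsfw->imem is NULL, which is only harmless if the caller discards hsfw on error; state that in the commit message. Calling nvkm_firmware_put() after the kmemdup() is the right order, since `data` belongs to `fw`.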
-- 
2.25.1



* [PATCH] drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()
@ 2022-01-24 16:57 18% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:57 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Harry Wentland, Leo Li, Rodrigo Siqueira, Alex Deucher,
	Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
	Nicholas Kazlauskas, Qingqing Zhuo, Jude Shih, Aurabindo Pillai,
	Nikola Cornij, Wayne Lin, Roman Li, Tony Cheng, amd-gfx,
	dri-devel, linux-kernel

In amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode()
is assigned to mode and is passed to drm_mode_probed_add() directly after
that. drm_mode_probed_add() passes &mode->head to list_add_tail(), and
there is a dereference of it in list_add_tail() without recoveries, which
could lead to NULL pointer dereference on failure of
amdgpu_dm_create_common_mode().

Fix this by adding a NULL check of mode.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: e7b07ceef2a6 ("drm/amd/display: Merge amdgpu_dm_types and amdgpu_dm")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 7f9773f8dab6..9ad94186b146 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -8143,6 +8143,9 @@ static void amdgpu_dm_connector_add_common_modes(struct drm_encoder *encoder,
 		mode = amdgpu_dm_create_common_mode(encoder,
 				common_modes[i].name, common_modes[i].w,
 				common_modes[i].h);
+		if (!mode)
+			continue;
+
 		drm_mode_probed_add(connector, mode);
 		amdgpu_dm_connector->num_modes++;
 	}
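Review bot: `continue` silently drops one common mode on allocation failure while keeping num_modes consistent, which is a reasonable choice; a DRM_DEBUG()/dev_dbg() line naming common_modes[i].name would make the missing mode explainable from logs instead of looking like a hardware quirk.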
-- 
2.25.1



* [PATCH] drm/amd/display/dc/calcs/dce_calcs: Fix a memleak in calculate_bandwidth()
@ 2022-01-24 16:55 18% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:55 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Harry Wentland, Leo Li, Rodrigo Siqueira, Alex Deucher,
	Christian König, Pan, Xinhui, David Airlie, Daniel Vetter,
	Lee Jones, Mario Kleiner, amd-gfx, dri-devel, linux-kernel

In calculate_bandwidth(), the tags free_sclk and free_yclk are reversed,
which could lead to a memory leak of yclk.

Fix this bug by changing the location of free_sclk and free_yclk.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 2be8989d0fc2 ("drm/amd/display/dc/calcs/dce_calcs: Move some large variables from the stack to the heap")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/gpu/drm/amd/display/dc/calcs/dce_calcs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/calcs/dce_calcs.c b/drivers/gpu/drm/amd/display/dc/calcs/dce_calcs.c
index ff5bb152ef49..e6ef36de0825 100644
--- a/drivers/gpu/drm/amd/display/dc/calcs/dce_calcs.c
+++ b/drivers/gpu/drm/amd/display/dc/calcs/dce_calcs.c
@@ -2033,10 +2033,10 @@ static void calculate_bandwidth(
 	kfree(surface_type);
 free_tiling_mode:
 	kfree(tiling_mode);
-free_yclk:
-	kfree(yclk);
 free_sclk:
 	kfree(sclk);
+free_yclk:
+	kfree(yclk);
 }
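Review bot: the swap is only correct if yclk is allocated before sclk, so that every `goto free_sclk` must also release yclk; neither the hunk nor the commit message shows that allocation order or names the goto that leaked, so please spell both out in the message. Also "tag" should read "label" in the subject and body.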
 
 /*******************************************************************************
-- 
2.25.1



* [PATCH] brcmfmac: Fix a wild pointer dereference bug in brcmf_chip_recognition()
@ 2022-01-24 16:48 17% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:48 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Arend van Spriel, Franky Lin, Hante Meuleman,
	Chi-hsien Lin, Wright Feng, Chung-hsien Hsu, Kalle Valo,
	David S. Miller, Jakub Kicinski, Pieter-Paul Giesberts,
	Angus Ainslie, Daniel (Deognyoun) Kim, John W. Linville,
	linux-wireless, brcm80211-dev-list.pdl, SHA-cyfmac-dev-list,
	netdev, linux-kernel

In brcmf_chip_recognition(), the return value of brcmf_chip_add_core()
is assigned to core and is passed to brcmf_chip_sb_corerev(). In
brcmf_chip_sb_corerev(), there exists dereference of core without check.
The return value of brcmf_chip_add_core() could be ERR_PTR on failure of
allocation, which could lead to a NULL pointer dereference bug.

Fix this bug by adding an IS_ERR check for every assignment of core.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: cb7cf7be9eba ("brcmfmac: make chip related functions host interface independent")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 .../net/wireless/broadcom/brcm80211/brcmfmac/chip.c    | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
index 1ee49f9e325d..4d91cb107cd7 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
@@ -986,18 +986,28 @@ static int brcmf_chip_recognition(struct brcmf_chip_priv *ci)
 
 		core = brcmf_chip_add_core(ci, BCMA_CORE_CHIPCOMMON,
 					   SI_ENUM_BASE_DEFAULT, 0);
+		if (IS_ERR(core))
+			return PTR_ERR(core);
 		brcmf_chip_sb_corerev(ci, core);
 		core = brcmf_chip_add_core(ci, BCMA_CORE_SDIO_DEV,
 					   BCM4329_CORE_BUS_BASE, 0);
+		if (IS_ERR(core))
+			return PTR_ERR(core);
 		brcmf_chip_sb_corerev(ci, core);
 		core = brcmf_chip_add_core(ci, BCMA_CORE_INTERNAL_MEM,
 					   BCM4329_CORE_SOCRAM_BASE, 0);
+		if (IS_ERR(core))
+			return PTR_ERR(core);
 		brcmf_chip_sb_corerev(ci, core);
 		core = brcmf_chip_add_core(ci, BCMA_CORE_ARM_CM3,
 					   BCM4329_CORE_ARM_BASE, 0);
+		if (IS_ERR(core))
+			return PTR_ERR(core);
 		brcmf_chip_sb_corerev(ci, core);
 
 		core = brcmf_chip_add_core(ci, BCMA_CORE_80211, 0x18001000, 0);
+		if (IS_ERR(core))
+			return PTR_ERR(core);
 		brcmf_chip_sb_corerev(ci, core);
 	} else if (socitype == SOCI_AI) {
 		ci->iscoreup = brcmf_chip_ai_iscoreup;
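Review bot: five copies of `if (IS_ERR(core)) return PTR_ERR(core);` interleaved with brcmf_chip_sb_corerev() calls is a lot of repetition; a small helper that adds the core, checks the result once and then calls brcmf_chip_sb_corerev() would keep the SB path readable. The commit message also mixes "wild pointer" (subject) with "NULL pointer dereference" (body): brcmf_chip_add_core() returns ERR_PTR, so this is an error-pointer dereference, not NULL. Whether cores already added to `ci` need tearing down on the new returns depends on the caller; say so in the message.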
-- 
2.25.1



* [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init()
@ 2022-01-24 16:53 19% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:53 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Dinh Nguyen, Michael Turquette, Stephen Boyd, linux-clk,
	linux-kernel

In socfpga_gate_init(), when ops fails, socfpga_clk is not released or
passed out, which could lead to a memleak.

Fix this bug by adding a kfree of socfpga_clk on the failure path of ops.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: a30a67be7b6e ("clk: socfpga: Don't have get_parent for single parent ops")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/clk/socfpga/clk-gate.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
index 53d6e3ec4309..0ca5e0000925 100644
--- a/drivers/clk/socfpga/clk-gate.c
+++ b/drivers/clk/socfpga/clk-gate.c
@@ -188,8 +188,10 @@ void __init socfpga_gate_init(struct device_node *node)
 		return;
 
 	ops = kmemdup(&gateclk_ops, sizeof(gateclk_ops), GFP_KERNEL);
-	if (WARN_ON(!ops))
+	if (WARN_ON(!ops)) {
+		kfree(socfpga_clk);
 		return;
+	}
 
 	rc = of_property_read_u32_array(node, "clk-gate", clk_gate, 2);
 	if (rc)
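Review bot: the kfree(socfpga_clk) on the `ops` failure is right, but the very next check (`if (rc)` after of_property_read_u32_array()) is a later failure path in the same function; if it, and the ones after it, do not free both socfpga_clk and ops, the leak is only moved a few lines down. Please audit the whole tail of socfpga_gate_init() and note the result in the commit message.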
-- 
2.25.1



* [PATCH] clk: imx: Fix a NULL pointer dereference in imx_register_uart_clocks()
@ 2022-01-24 16:52 18% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:52 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Abel Vesa, Michael Turquette, Stephen Boyd, Shawn Guo,
	Sascha Hauer, Pengutronix Kernel Team, Fabio Estevam,
	NXP Linux Team, Adam Ford, linux-clk, linux-arm-kernel,
	linux-kernel

In imx_register_uart_clocks(), the global variable imx_uart_clocks is
assigned by kcalloc() and there is a dereference of it in the next for loop,
which could introduce a NULL pointer dereference on failure of kcalloc().

Fix this by adding a NULL check of imx_uart_clocks.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 379c9a24cc23 ("clk: imx: Fix reparenting of UARTs not associated with stdout")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/clk/imx/clk.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/imx/clk.c b/drivers/clk/imx/clk.c
index 7cc669934253..99249ab361d2 100644
--- a/drivers/clk/imx/clk.c
+++ b/drivers/clk/imx/clk.c
@@ -173,6 +173,8 @@ void imx_register_uart_clocks(unsigned int clk_count)
 		int i;
 
 		imx_uart_clocks = kcalloc(clk_count, sizeof(struct clk *), GFP_KERNEL);
+		if (!imx_uart_clocks)
+			return;
 
 		if (!of_stdout)
 			return;
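Review bot: the kcalloc() runs even when `of_stdout` is NULL and the function then returns two lines later; moving `if (!of_stdout) return;` above the allocation avoids allocating an array that is never used, and the new NULL check then sits directly before the loop it protects. Since imx_uart_clocks is a global, also confirm its later users test it for NULL rather than assuming this function succeeded.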
-- 
2.25.1



* [PATCH] ata: pata_platform: Fix a NULL pointer dereference in __pata_platform_probe()
@ 2022-01-24 16:45 19% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:45 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Damien Le Moal, Alexander Shiyan,
	Bartlomiej Zolnierkiewicz, Jens Axboe, linux-ide, linux-kernel

In __pata_platform_probe(), devm_kzalloc() is assigned to ap->ops and
there is a dereference of it right after that, which could introduce a
NULL pointer dereference bug.

Fix this by adding a NULL check of ap->ops.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: f3d5e4f18dba ("ata: pata_of_platform: Allow to use 16-bit wide data transfer")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/ata/pata_platform.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/ata/pata_platform.c b/drivers/ata/pata_platform.c
index 028329428b75..021ef9cbcbc1 100644
--- a/drivers/ata/pata_platform.c
+++ b/drivers/ata/pata_platform.c
@@ -128,6 +128,8 @@ int __pata_platform_probe(struct device *dev, struct resource *io_res,
 	ap = host->ports[0];
 
 	ap->ops = devm_kzalloc(dev, sizeof(*ap->ops), GFP_KERNEL);
+	if (ap->ops)
+		return -ENOMEM;
 	ap->ops->inherits = &ata_sff_port_ops;
 	ap->ops->cable_detect = ata_cable_unknown;
 	ap->ops->set_mode = pata_platform_set_mode;
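Review bot: the condition in `+	if (ap->ops)` is inverted. It returns -ENOMEM precisely when devm_kzalloc() succeeded and falls through to `ap->ops->inherits = &ata_sff_port_ops;` when it returned NULL, so as posted the patch fails every probe and leaves the NULL dereference in place; it must read `if (!ap->ops)`. Also confirm that the new early return does not leak anything acquired earlier in __pata_platform_probe() that is not devm-managed (the context line `ap = host->ports[0];` shows a host already exists at this point).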
-- 
2.25.1



* [PATCH] ACPI / tables: Fix a NULL pointer dereference in acpi_table_initrd_override()
@ 2022-01-24 16:42 19% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:42 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Rafael J. Wysocki, Len Brown, Lv Zheng, linux-acpi, linux-kernel

In acpi_table_initrd_override(), the return value of acpi_os_map_memory()
is assigned to table and there is a dereference of it after that.
acpi_os_map_memory() will return NULL on failure, which may lead to NULL
pointer dereference.

Fix this bug by adding a NULL check of table.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 5ae74f2cc2f1 ("ACPI / tables: Move table override mechanisms to tables.c")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/acpi/tables.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/acpi/tables.c b/drivers/acpi/tables.c
index 0741a4933f62..8b10c192ed32 100644
--- a/drivers/acpi/tables.c
+++ b/drivers/acpi/tables.c
@@ -696,6 +696,10 @@ acpi_table_initrd_override(struct acpi_table_header *existing_table,
 	while (table_offset + ACPI_HEADER_SIZE <= all_tables_size) {
 		table = acpi_os_map_memory(acpi_tables_addr + table_offset,
 					   ACPI_HEADER_SIZE);
+		if (!table) {
+			return AE_NO_MEMORY;
+		}
+
 		if (table_offset + table->length > all_tables_size) {
 			acpi_os_unmap_memory(table, ACPI_HEADER_SIZE);
 			WARN_ON(1);
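Review bot: kernel style drops the braces around a single-statement if, so this should be `if (!table)` followed by `return AE_NO_MEMORY;` on its own line. More substantively, the adjacent length-check path below unmaps the header and WARN_ON()s rather than aborting, so confirm that returning AE_NO_MEMORY from inside this loop is what the function's callers expect when a header mapping fails; the status propagates to whoever drives the initrd table override, and a transient mapping failure may deserve the same "skip this table" treatment as the other bad-table cases rather than a hard error.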
-- 
2.25.1



* [PATCH] ACPI: OSL: Fix a NULL pointer dereference in extlog_init().
@ 2022-01-24 16:41 19% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:41 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Rafael J. Wysocki, Len Brown, Lv Zheng, linux-acpi, linux-kernel

In extlog_init(), acpi_os_map_iomem() is assigned to extlog_l1_hdr and
there is a dereference of it through l1_head. On failure of
acpi_os_map_iomem(), its return value could be NULL, which may
introduce a NULL pointer dereference.

Fix this bug by adding a NULL check of extlog_l1_hdr.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: a238317ce818 ("ACPI: Clean up acpi_os_map/unmap_memory() to eliminate __iomem.")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/acpi/acpi_extlog.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/acpi/acpi_extlog.c b/drivers/acpi/acpi_extlog.c
index 72f1fb77abcd..2187ac23d3d4 100644
--- a/drivers/acpi/acpi_extlog.c
+++ b/drivers/acpi/acpi_extlog.c
@@ -239,6 +239,12 @@ static int __init extlog_init(void)
 	}
 
 	extlog_l1_hdr = acpi_os_map_iomem(l1_dirbase, l1_hdr_size);
+	if (!extlog_l1_hdr) {
+		rc = -ENOMEM;
+		release_mem_region(l1_dirbase, l1_hdr_size);
+		goto err;
+	}
+
 	l1_head = (struct extlog_l1_head *)extlog_l1_hdr;
 	l1_size = l1_head->total_len;
 	l1_percpu_entry = l1_head->entries;
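Review bot: the new failure path calls release_mem_region(l1_dirbase, l1_hdr_size) inline and then jumps to `err`; verify what the `err` label itself releases, because if it already unwinds the region requested for l1_dirbase this becomes a double release, and if it does not, the cleanup should still be written the way the function's existing failure paths after this point write it rather than special-cased here. The assignment `rc = -ENOMEM` also assumes `rc` is the variable the err path returns, which is not visible in the hunk.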
-- 
2.25.1



* [PATCH] bcache: Fix a NULL or wild pointer dereference in btree_gc_rewrite_node()
@ 2022-01-24 16:47 19% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:47 UTC (permalink / raw)
  To: zhou1615; +Cc: kjlu, Coly Li, Kent Overstreet, linux-bcache, linux-kernel

In btree_gc_rewrite_node(), btree_node_alloc_replacement() is assigned to
n and returns an error code or NULL on failure. n is passed to
bch_btree_node_write_sync() and there is a dereference of it in
bch_btree_node_write_sync() without checks, which may lead to a wild
pointer dereference or NULL pointer dereference depending on n.

Fix this bug by adding IS_ERR_OR_NULL check of n.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: ("bcache: Rework btree cache reserve handling")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/md/bcache/btree.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/md/bcache/btree.c b/drivers/md/bcache/btree.c
index 88c573eeb598..06d42292e86c 100644
--- a/drivers/md/bcache/btree.c
+++ b/drivers/md/bcache/btree.c
@@ -1504,6 +1504,8 @@ static int btree_gc_rewrite_node(struct btree *b, struct btree_op *op,
 		return 0;
 
 	n = btree_node_alloc_replacement(replace, NULL);
+	if (IS_ERR_OR_NULL(n))
+		return 0;
 
 	/* recheck reserve after allocating replacement node */
 	if (btree_check_reserve(b, NULL)) {
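Review bot: `return 0;` on an allocation failure reports success and silently skips the rewrite. The surrounding code distinguishes "nothing to rewrite" (the `return 0;` context line above this hunk) from a real failure (the `btree_check_reserve()` branch immediately below), and an allocation failure belongs with the latter: return -ENOMEM for the NULL case and PTR_ERR(n) for the ERR_PTR case, so the gc caller can tell the difference. Separately, the Fixes: tag in the commit message has no commit hash, only the subject in quotes, which checkpatch will reject.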
-- 
2.25.1


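The "NULL or wild pointer" distinction in the message above, as an added example that is not bcache code: the ERR_PTR()/PTR_ERR()/IS_ERR() helpers reproduce the kernel's encoding convention from include/linux/err.h (errno values occupy the top 4095 bytes of the address space), while alloc_replacement() and the two rewrite_*() functions are constructed stand-ins. It also shows the alternative the posted hunk does not take, propagating the errno instead of returning 0.

```c
/*
 * Added example, not bcache code. ERR_PTR/PTR_ERR/IS_ERR mirror the kernel
 * convention; the allocator and the two rewrite_*() callers are stand-ins.
 */
#include <errno.h>
#include <stdlib.h>

#define MAX_ERRNO 4095

static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }

/* True for the top 4095 addresses, i.e. a smuggled -errno. */
static inline int IS_ERR(const void *ptr)
{
	return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

static inline int IS_ERR_OR_NULL(const void *ptr)
{
	return !ptr || IS_ERR(ptr);
}

struct node { int keys; };

/* Constructed allocator with the three possible outcomes. */
enum alloc_mode { ALLOC_OK, ALLOC_NULL, ALLOC_ERRPTR };

static struct node *alloc_replacement(enum alloc_mode mode)
{
	struct node *n;

	switch (mode) {
	case ALLOC_NULL:
		return NULL;             /* nothing available at all */
	case ALLOC_ERRPTR:
		return ERR_PTR(-ENOMEM); /* errno encoded in the pointer */
	default:
		n = calloc(1, sizeof(*n));
		return n ? n : ERR_PTR(-ENOMEM);
	}
}

/*
 * "Before": only NULL is checked. Returns 1 when the code would go on to
 * dereference an ERR_PTR value (a wild pointer), 0 otherwise.
 */
static int rewrite_null_check_only(enum alloc_mode mode)
{
	struct node *n = alloc_replacement(mode);
	int would_deref_wild;

	if (!n)
		return 0;                /* NULL is caught, ERR_PTR is not */
	would_deref_wild = IS_ERR(n);    /* stands in for n->keys++ */
	if (!would_deref_wild)
		free(n);
	return would_deref_wild;
}

/*
 * "After": IS_ERR_OR_NULL() covers both shapes, and the errno is
 * propagated instead of being turned into a silent success.
 */
static int rewrite_fixed(enum alloc_mode mode)
{
	struct node *n = alloc_replacement(mode);

	if (IS_ERR_OR_NULL(n))
		return n ? (int)PTR_ERR(n) : -ENOMEM;
	n->keys++;                       /* safe: a real allocation */
	free(n);
	return 0;
}
```

rewrite_null_check_only(ALLOC_ERRPTR) is the bug the patch describes: the NULL test passes and the caller proceeds to dereference an address a few bytes below the top of the address space.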

* [PATCH] ACPICA: Linuxize: Fix a NULL pointer dereference in acpi_db_convert_to_package()
@ 2022-01-24 16:40 19% Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 16:40 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Robert Moore, Rafael J. Wysocki, Len Brown, Lv Zheng,
	linux-acpi, devel, linux-kernel

In acpi_db_convert_to_package(), the variable elements is assigned by
ACPI_ALLOCATE_ZEROED() and its address is passed to
acpi_db_convert_to_object(). In that function we may have a dereference
of elements without checks. ACPI_ALLOCATE_ZEROED() would return NULL on
failure, which may lead to a NULL pointer dereference.

Fix this bug by adding a NULL check of elements.

This bug was found by a static analyzer.

Builds with 'make allyesconfig' show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 995751025572 ("ACPICA: Linuxize: Export debugger files to Linux")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in the
current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/acpi/acpica/dbconvert.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/acpi/acpica/dbconvert.c b/drivers/acpi/acpica/dbconvert.c
index 2b84ac093698..8dbab6932049 100644
--- a/drivers/acpi/acpica/dbconvert.c
+++ b/drivers/acpi/acpica/dbconvert.c
@@ -174,6 +174,8 @@ acpi_status acpi_db_convert_to_package(char *string, union acpi_object *object)
 	elements =
 	    ACPI_ALLOCATE_ZEROED(DB_DEFAULT_PKG_ELEMENTS *
 				 sizeof(union acpi_object));
+	if (!elements)
+		return (AE_NO_MEMORY);
 
 	this = string;
 	for (i = 0; i < (DB_DEFAULT_PKG_ELEMENTS - 1); i++) {
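Review bot: drivers/acpi/acpica/ is imported from upstream ACPICA, so this check needs to go to the ACPICA project first (the devel list is on Cc) and reach Linux with the next release sync, otherwise it is overwritten at that sync; the parenthesised `return (AE_NO_MEMORY);` at least matches ACPICA house style. Also check that the failure paths further down the function, after this loop, free `elements`, since this early return only covers the allocation itself.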
-- 
2.25.1



* [PATCH v2] usb: gadget: mv_u3d: Fix a NULL pointer dereference in mv_u3d_req_to_trb()
  2021-12-03 10:53  0% ` Johan Hovold
@ 2022-01-24 12:12 19%   ` Zhou Qingyang
From: Zhou Qingyang @ 2022-01-24 12:12 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Felipe Balbi, Greg Kroah-Hartman, Johan Hovold,
	Nadezda Lutovinova, Yu Xu, linux-usb, linux-kernel

In mv_u3d_req_to_trb(), mv_u3d_build_trb_one() is assigned to trb and
there is a dereference of it in mv_u3d_req_to_trb(), which could lead
to a NULL pointer dereference on failure of mv_u3d_build_trb_one().

Fix this bug by adding a check of trb.

This bug was found by a static analyzer.

Builds with CONFIG_USB_MV_U3D=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 3d4eb9dfa3e8 ("usb: gadget: mv: Add USB 3.0 device driver for Marvell PXA2128 chip.")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths 
and confirms that the inconsistent operations are not recovered in 
the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Changes in v2:
  -  Remove unnecessary error message

 drivers/usb/gadget/udc/mv_u3d_core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/mv_u3d_core.c
index a1057ddfbda3..4573233f2835 100644
--- a/drivers/usb/gadget/udc/mv_u3d_core.c
+++ b/drivers/usb/gadget/udc/mv_u3d_core.c
@@ -417,6 +417,9 @@ static int mv_u3d_req_to_trb(struct mv_u3d_req *req)
 	 */
 	if (length <= (unsigned)MV_U3D_EP_MAX_LENGTH_TRANSFER) {
 		trb = mv_u3d_build_trb_one(req, &count, &dma);
+		if (!trb)
+			return -ENOMEM;
+
 		list_add_tail(&trb->trb_list, &req->trb_list);
 		req->trb_head = trb;
 		req->trb_count = 1;
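Review bot: the check covers only the single-TRB branch guarded by `length <= (unsigned)MV_U3D_EP_MAX_LENGTH_TRANSFER`; the branch for longer transfers that follows is not visible here and presumably allocates as well, so confirm it already handles allocation failure the same way or the fix is half of the problem. Also confirm that the caller of mv_u3d_req_to_trb() propagates the new -ENOMEM, since on this path req->trb_list has not been touched but the request is still queued by whoever called in.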
-- 
2.25.1



* [PATCH 5.16 19/28] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
  @ 2022-01-18 16:06  6% ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2022-01-18 16:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qiushi Wu, Kees Cook, Johan Hovold,
	Michael S. Tsirkin

From: Johan Hovold <johan@kernel.org>

commit d3e305592d69e21e36b76d24ca3c01971a2d09be upstream.

Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
a kobject leak in the file registration helper by properly calling
kobject_put() for the entry in case registration of the object fails
(e.g. due to a name collision).

This would however result in a NULL pointer dereference when the
release function tries to remove the never added entry from the
fw_cfg_entry_cache list.

Fix this by moving the list-removal out of the release function.

Note that the offending commit was one of the benign looking umn.edu
fixes which was reviewed but not reverted. [1][2]

[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook
[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com

Fixes: fe3c60684377 ("firmware: Fix a reference count leak.")
Cc: stable@vger.kernel.org      # 5.8
Cc: Qiushi Wu <wu000273@umn.edu>
Cc: Kees Cook <keescook@chromium.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211201132528.30025-2-johan@kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/qemu_fw_cfg.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/firmware/qemu_fw_cfg.c
+++ b/drivers/firmware/qemu_fw_cfg.c
@@ -388,9 +388,7 @@ static void fw_cfg_sysfs_cache_cleanup(v
 	struct fw_cfg_sysfs_entry *entry, *next;
 
 	list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) {
-		/* will end up invoking fw_cfg_sysfs_cache_delist()
-		 * via each object's release() method (i.e. destructor)
-		 */
+		fw_cfg_sysfs_cache_delist(entry);
 		kobject_put(&entry->kobj);
 	}
 }
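Review bot: with the unlink moved into the cleanup loop, fw_cfg_sysfs_cache_delist() must now precede every kobject_put() that can drop the last reference on an entry already on fw_cfg_entry_cache. This loop is covered, but any other such site is not visible here, and since release() no longer unlinks, a missed one leaves a freed entry on the list for this loop to walk later. The registration-failure case from the commit message needs no delist at all, which is exactly why the destructor-side removal was wrong.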
@@ -448,7 +446,6 @@ static void fw_cfg_sysfs_release_entry(s
 {
 	struct fw_cfg_sysfs_entry *entry = to_entry(kobj);
 
-	fw_cfg_sysfs_cache_delist(entry);
 	kfree(entry);
 }
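Review bot: fw_cfg_sysfs_release_entry() now frees without touching the list, which is correct for the never-added entry, but the only written statement of who unlinks (the comment removed in the previous hunk) goes with it; a one-line comment here saying that the owner must delist before the final kobject_put() would stop the next person from moving the unlink back into the destructor.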
 



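The failure mode in the commit message above, a destructor that unlinks its object from a cache list and is invoked on an object that was never linked, as an added example that is not qemu_fw_cfg code: list_head, the refcount/release pairing, the entry cache and the duplicate-name registration failure are constructed stand-ins, and list_del_checked() reports the unlinked-node case instead of dereferencing the NULL prev/next pointers the way the kernel's list_del() would.

```c
/*
 * Added example, not qemu_fw_cfg code. list_head, the refcount/release pair
 * and the entry cache are constructed stand-ins; list_del_checked() reports
 * an unlinked node where the kernel's list_del() would dereference NULL.
 */
#include <stdlib.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h)
{
	n->next = h->next; n->prev = h;
	h->next->prev = n; h->next = n;
}

/* 0 on success; -1 where the real list_del() would dereference NULL. */
static int list_del_checked(struct list_head *n)
{
	if (!n->prev || !n->next)
		return -1;
	n->prev->next = n->next; n->next->prev = n->prev;
	n->next = n->prev = NULL;
	return 0;
}

struct entry {
	struct list_head list;   /* first member, so (struct entry *)p works */
	int refcount;
	char name[16];
	void (*release)(struct entry *);
};

static struct list_head cache;   /* stand-in for fw_cfg_entry_cache */
static int unlinked_delists;     /* NULL dereferences in the real driver */
static int freed;

static void cache_delist(struct entry *e)
{
	if (list_del_checked(&e->list) < 0)
		unlinked_delists++;
}

/* Before: release() delists, so a never-added entry blows up here. */
static void release_old(struct entry *e) { cache_delist(e); free(e); freed++; }
/* After: release() only frees; the owner delists before the final put. */
static void release_new(struct entry *e) { free(e); freed++; }

static void entry_put(struct entry *e) { if (--e->refcount == 0) e->release(e); }

/* Fails on a duplicate name, like a kobject name collision in sysfs. */
static int register_entry(struct entry *e)
{
	struct list_head *p;
	for (p = cache.next; p != &cache; p = p->next)
		if (strcmp(((struct entry *)p)->name, e->name) == 0)
			return -1;
	list_add(&e->list, &cache);
	return 0;
}

static struct entry *new_entry(const char *name, void (*rel)(struct entry *))
{
	struct entry *e = calloc(1, sizeof(*e)); /* list.next/prev start NULL */
	e->refcount = 1;
	strncpy(e->name, name, sizeof(e->name) - 1);
	e->release = rel;
	return e;
}

/*
 * Register two entries with the same (constructed) name, drop the rejected
 * duplicate, then tear the cache down. delist_in_cleanup == 0 is the old
 * layout (release() unlinks); 1 is the fixed layout (the loop unlinks).
 * Returns how many delists hit an unlinked node.
 */
static int run_scenario(void (*rel)(struct entry *), int delist_in_cleanup)
{
	struct entry *a = new_entry("etc/boot-fail", rel);
	struct entry *dup = new_entry("etc/boot-fail", rel);
	struct list_head *p, *next;

	list_init(&cache);
	unlinked_delists = 0;
	freed = 0;

	register_entry(a);
	if (register_entry(dup) < 0)
		entry_put(dup);          /* the leak fix: put the never-added entry */

	for (p = cache.next; p != &cache; p = next) {
		struct entry *e = (struct entry *)p;
		next = p->next;
		if (delist_in_cleanup)
			cache_delist(e);
		entry_put(e);
	}
	return unlinked_delists;
}

static int entries_freed(void) { return freed; }
```

run_scenario(release_old, 0) reproduces the sequence in the commit message: the leak fix puts the rejected duplicate, the destructor tries to unlink a node that was never added, and in the kernel that is the NULL dereference. run_scenario(release_new, 1) is the layout after this patch, with both entries still freed exactly once.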

* [PATCH 5.15 17/28] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
  @ 2022-01-18 16:06  6% ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2022-01-18 16:06 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qiushi Wu, Kees Cook, Johan Hovold,
	Michael S. Tsirkin

From: Johan Hovold <johan@kernel.org>

commit d3e305592d69e21e36b76d24ca3c01971a2d09be upstream.

Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
a kobject leak in the file registration helper by properly calling
kobject_put() for the entry in case registration of the object fails
(e.g. due to a name collision).

This would however result in a NULL pointer dereference when the
release function tries to remove the never added entry from the
fw_cfg_entry_cache list.

Fix this by moving the list-removal out of the release function.

Note that the offending commit was one of the benign looking umn.edu
fixes which was reviewed but not reverted. [1][2]

[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook
[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com

Fixes: fe3c60684377 ("firmware: Fix a reference count leak.")
Cc: stable@vger.kernel.org      # 5.8
Cc: Qiushi Wu <wu000273@umn.edu>
Cc: Kees Cook <keescook@chromium.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211201132528.30025-2-johan@kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/qemu_fw_cfg.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/firmware/qemu_fw_cfg.c
+++ b/drivers/firmware/qemu_fw_cfg.c
@@ -388,9 +388,7 @@ static void fw_cfg_sysfs_cache_cleanup(v
 	struct fw_cfg_sysfs_entry *entry, *next;
 
 	list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) {
-		/* will end up invoking fw_cfg_sysfs_cache_delist()
-		 * via each object's release() method (i.e. destructor)
-		 */
+		fw_cfg_sysfs_cache_delist(entry);
 		kobject_put(&entry->kobj);
 	}
 }
@@ -448,7 +446,6 @@ static void fw_cfg_sysfs_release_entry(s
 {
 	struct fw_cfg_sysfs_entry *entry = to_entry(kobj);
 
-	fw_cfg_sysfs_cache_delist(entry);
 	kfree(entry);
 }
 




* [PATCH 5.10 14/23] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
  @ 2022-01-18 16:05  6% ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2022-01-18 16:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qiushi Wu, Kees Cook, Johan Hovold,
	Michael S. Tsirkin

From: Johan Hovold <johan@kernel.org>

commit d3e305592d69e21e36b76d24ca3c01971a2d09be upstream.

Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
a kobject leak in the file registration helper by properly calling
kobject_put() for the entry in case registration of the object fails
(e.g. due to a name collision).

This would however result in a NULL pointer dereference when the
release function tries to remove the never added entry from the
fw_cfg_entry_cache list.

Fix this by moving the list-removal out of the release function.

Note that the offending commit was one of the benign looking umn.edu
fixes which was reviewed but not reverted. [1][2]

[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook
[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com

Fixes: fe3c60684377 ("firmware: Fix a reference count leak.")
Cc: stable@vger.kernel.org      # 5.8
Cc: Qiushi Wu <wu000273@umn.edu>
Cc: Kees Cook <keescook@chromium.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211201132528.30025-2-johan@kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/qemu_fw_cfg.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/firmware/qemu_fw_cfg.c
+++ b/drivers/firmware/qemu_fw_cfg.c
@@ -388,9 +388,7 @@ static void fw_cfg_sysfs_cache_cleanup(v
 	struct fw_cfg_sysfs_entry *entry, *next;
 
 	list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) {
-		/* will end up invoking fw_cfg_sysfs_cache_delist()
-		 * via each object's release() method (i.e. destructor)
-		 */
+		fw_cfg_sysfs_cache_delist(entry);
 		kobject_put(&entry->kobj);
 	}
 }
@@ -448,7 +446,6 @@ static void fw_cfg_sysfs_release_entry(s
 {
 	struct fw_cfg_sysfs_entry *entry = to_entry(kobj);
 
-	fw_cfg_sysfs_cache_delist(entry);
 	kfree(entry);
 }
 




* [PATCH 5.4 10/15] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
  @ 2022-01-18 16:05  6% ` Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2022-01-18 16:05 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qiushi Wu, Kees Cook, Johan Hovold,
	Michael S. Tsirkin

From: Johan Hovold <johan@kernel.org>

commit d3e305592d69e21e36b76d24ca3c01971a2d09be upstream.

Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
a kobject leak in the file registration helper by properly calling
kobject_put() for the entry in case registration of the object fails
(e.g. due to a name collision).

This would however result in a NULL pointer dereference when the
release function tries to remove the never added entry from the
fw_cfg_entry_cache list.

Fix this by moving the list-removal out of the release function.

Note that the offending commit was one of the benign looking umn.edu
fixes which was reviewed but not reverted. [1][2]

[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook
[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com

Fixes: fe3c60684377 ("firmware: Fix a reference count leak.")
Cc: stable@vger.kernel.org      # 5.8
Cc: Qiushi Wu <wu000273@umn.edu>
Cc: Kees Cook <keescook@chromium.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211201132528.30025-2-johan@kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/qemu_fw_cfg.c |    5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

--- a/drivers/firmware/qemu_fw_cfg.c
+++ b/drivers/firmware/qemu_fw_cfg.c
@@ -385,9 +385,7 @@ static void fw_cfg_sysfs_cache_cleanup(v
 	struct fw_cfg_sysfs_entry *entry, *next;
 
 	list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) {
-		/* will end up invoking fw_cfg_sysfs_cache_delist()
-		 * via each object's release() method (i.e. destructor)
-		 */
+		fw_cfg_sysfs_cache_delist(entry);
 		kobject_put(&entry->kobj);
 	}
 }
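Review bot: same change as the 5.16/5.15/5.10 backports but at `@@ -385,9` rather than `-388,9`, so the 5.4 file has drifted slightly above this point; worth confirming that the 5.4 tree has no additional kobject_put() on a cached entry that the newer trees lack, since release() no longer unlinks.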
@@ -445,7 +443,6 @@ static void fw_cfg_sysfs_release_entry(s
 {
 	struct fw_cfg_sysfs_entry *entry = to_entry(kobj);
 
-	fw_cfg_sysfs_cache_delist(entry);
 	kfree(entry);
 }
 




* [PATCH AUTOSEL 4.19 31/59] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
    2022-01-18  2:46  6% ` [PATCH AUTOSEL 4.19 18/59] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
@ 2022-01-18  2:46  7% ` Sasha Levin
From: Sasha Levin @ 2022-01-18  2:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Mauro Carvalho Chehab, Sasha Levin, hverkuil,
	mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.

Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/saa7146/saa7146_fops.c | 2 +-
 drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
index d4987fd05d05f..d91bd32bd1f04 100644
--- a/drivers/media/common/saa7146/saa7146_fops.c
+++ b/drivers/media/common/saa7146/saa7146_fops.c
@@ -524,7 +524,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
 		ERR("out of memory. aborting.\n");
 		kfree(vv);
 		v4l2_ctrl_handler_free(hdl);
-		return -1;
+		return -ENOMEM;
 	}
 
 	saa7146_video_uops.init(dev,vv);
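Review bot: returning -ENOMEM instead of -1 is right, and the ERR() message above it stays, but saa7146_vv_init() is shared by every saa7146 driver, not only hexium_gemini; any other caller that still ignores the return value keeps the same unchecked-failure pattern, so this change belongs with a look at the remaining callers (the hexium_orion patch in this series covers one of them).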
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index 8c56d4c37a525..3513b1a6fcee9 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -296,7 +296,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	hexium_set_input(hexium, 0);
 	hexium->cur_input = 0;
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		i2c_del_adapter(&hexium->i2c_adapter);
+		kfree(hexium);
+		return ret;
+	}
 
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
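Review bot: this hunk assigns `ret` but adds no declaration, whereas the hexium_orion counterpart in this series adds an explicit `int ret;`; confirm hexium_attach() in hexium_gemini.c already has a local `ret` in this tree, or the backport does not build. On the cleanup itself, `i2c_del_adapter(&hexium->i2c_adapter);` followed by `kfree(hexium);` should mirror what the function's later failure paths undo, and if dev->ext_priv already points at hexium it has to be cleared before the kfree() so that detach cannot see a dangling pointer.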
-- 
2.34.1



* [PATCH AUTOSEL 4.4 16/29] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
    2022-01-18  3:08  6% ` [PATCH AUTOSEL 4.4 10/29] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
@ 2022-01-18  3:08  7% ` Sasha Levin
From: Sasha Levin @ 2022-01-18  3:08 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Mauro Carvalho Chehab, Sasha Levin, hverkuil,
	mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.

Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/saa7146/saa7146_fops.c | 2 +-
 drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
index df1e8c975cd82..6d0a0b08853b4 100644
--- a/drivers/media/common/saa7146/saa7146_fops.c
+++ b/drivers/media/common/saa7146/saa7146_fops.c
@@ -524,7 +524,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
 		ERR("out of memory. aborting.\n");
 		kfree(vv);
 		v4l2_ctrl_handler_free(hdl);
-		return -1;
+		return -ENOMEM;
 	}
 
 	saa7146_video_uops.init(dev,vv);
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index 343cd75fcd8d1..f09f311a316f5 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -296,7 +296,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	hexium_set_input(hexium, 0);
 	hexium->cur_input = 0;
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		i2c_del_adapter(&hexium->i2c_adapter);
+		kfree(hexium);
+		return ret;
+	}
 
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
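Review bot: identical to the 4.19 backport, so the same two checks apply here: that hexium_attach() in the 4.4 tree already declares the `ret` this hunk assigns, and that `i2c_del_adapter()` plus `kfree(hexium)` matches what the 4.4 version of the function undoes on its later failure paths.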
-- 
2.34.1



* [PATCH AUTOSEL 4.4 10/29] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
  @ 2022-01-18  3:08  6% ` Sasha Levin
  2022-01-18  3:08  7% ` [PATCH AUTOSEL 4.4 16/29] media: saa7146: hexium_gemini: " Sasha Levin
From: Sasha Levin @ 2022-01-18  3:08 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin,
	hverkuil, mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release()
will be called and there is a dereference of dev->vv_data in
saa7146_vv_release(), which could lead to a NULL pointer dereference
on failure of saa7146_vv_init() according to the following logic.

Both hexium_attach() and hexium_detach() are callback functions of
the variable 'extension', so there exists a possible call chain directly
from hexium_attach() to hexium_detach():

hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data
	|		    		in saa7146_vv_init().
	|
	|
hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release()

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
index 214396b1ca73c..2f3b4e01ff289 100644
--- a/drivers/media/pci/saa7146/hexium_orion.c
+++ b/drivers/media/pci/saa7146/hexium_orion.c
@@ -366,10 +366,16 @@ static struct saa7146_ext_vv vv_data;
 static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
 {
 	struct hexium *hexium = (struct hexium *) dev->ext_priv;
+	int ret;
 
 	DEB_EE("\n");
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		pr_err("Error in saa7146_vv_init()\n");
+		return ret;
+	}
+
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
 	vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
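Review bot: the commit message's scenario is that the saa7146 core calls hexium_detach() after hexium_attach() and detach dereferences dev->vv_data; making attach return an error only removes the crash if the core skips detach() for a failed attach, otherwise the NULL dereference is merely deferred, so that should be stated or the detach side guarded as well. The added pr_err() also duplicates the ERR("out of memory. aborting.\n") that saa7146_vv_init() already prints on this path (visible in the hexium_gemini patch in this series), and this driver's own messages go through the DEB_* helpers seen in the context rather than pr_err().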
-- 
2.34.1



* [PATCH AUTOSEL 4.14 25/56] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
  @ 2022-01-18  2:48  6% ` Sasha Levin
  2022-01-18  2:48  7% ` [PATCH AUTOSEL 4.14 34/56] media: saa7146: hexium_gemini: " Sasha Levin
From: Sasha Levin @ 2022-01-18  2:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin,
	hverkuil, mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release()
will be called and there is a dereference of dev->vv_data in
saa7146_vv_release(), which could lead to a NULL pointer dereference
on failure of saa7146_vv_init() according to the following logic.

Both hexium_attach() and hexium_detach() are callback functions of
the variable 'extension', so there exists a possible call chain directly
from hexium_attach() to hexium_detach():

hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data
	|		    		in saa7146_vv_init().
	|
	|
hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release()

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
index cb71653a66694..908de2f768441 100644
--- a/drivers/media/pci/saa7146/hexium_orion.c
+++ b/drivers/media/pci/saa7146/hexium_orion.c
@@ -366,10 +366,16 @@ static struct saa7146_ext_vv vv_data;
 static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
 {
 	struct hexium *hexium = (struct hexium *) dev->ext_priv;
+	int ret;
 
 	DEB_EE("\n");
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		pr_err("Error in saa7146_vv_init()\n");
+		return ret;
+	}
+
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
 	vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
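
Review bot: the early `return ret;` leaves `hexium` (read from `dev->ext_priv` on the first line of the function) untouched, so whatever the probe path stored there is neither freed here nor cleared; confirm that the saa7146 core releases the extension's private data when attach returns non-zero, otherwise this path leaks it. The message `pr_err("Error in saa7146_vv_init()\n")` also drops the error code; `pr_err("saa7146_vv_init() failed: %d\n", ret)` makes a failed probe diagnosable from dmesg. Finally, `ret` is forwarded verbatim, so unless saa7146_vv_init() in this tree has been converted to return a proper errno, an allocation failure surfaces to the caller as -1 (-EPERM) rather than -ENOMEM.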
-- 
2.34.1

* [PATCH AUTOSEL 5.4 26/73] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
  @ 2022-01-18  2:43  6% ` Sasha Levin
  2022-01-18  2:44  7% ` [PATCH AUTOSEL 5.4 41/73] media: saa7146: hexium_gemini: " Sasha Levin
  1 sibling, 0 replies; 200+ results
From: Sasha Levin @ 2022-01-18  2:43 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin,
	hverkuil, mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release()
will be called and there is a dereference of dev->vv_data in
saa7146_vv_release(), which could lead to a NULL pointer dereference
on failure of saa7146_vv_init() according to the following logic.

Both hexium_attach() and hexium_detach() are callback functions of
the variable 'extension', so there exists a possible call chain directly
from hexium_attach() to hexium_detach():

hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data
	|		    		in saa7146_vv_init().
	|
	|
hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release()

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
index bf5e55348f159..31388597386aa 100644
--- a/drivers/media/pci/saa7146/hexium_orion.c
+++ b/drivers/media/pci/saa7146/hexium_orion.c
@@ -355,10 +355,16 @@ static struct saa7146_ext_vv vv_data;
 static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
 {
 	struct hexium *hexium = (struct hexium *) dev->ext_priv;
+	int ret;
 
 	DEB_EE("\n");
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		pr_err("Error in saa7146_vv_init()\n");
+		return ret;
+	}
+
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
 	vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
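
Review bot: `return ret;` propagates the raw return value of saa7146_vv_init(), which in this tree is still `-1` on allocation failure; the conversion to `-ENOMEM` is carried by the hexium_gemini patch later in the same series (41/73, its saa7146_fops.c hunk), so this patch only returns a sensible errno once that one is applied too, and it should either be ordered after it or carry the saa7146_fops.c hunk itself. Separately, the commit message's crash scenario is attach() failing and detach() then dereferencing `dev->vv_data`; this hunk makes attach() fail earlier but changes nothing about detach(), so it is worth confirming that the core skips the detach callback after a non-zero attach return, otherwise saa7146_vv_release() still sees a NULL `dev->vv_data`.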
-- 
2.34.1

* [PATCH AUTOSEL 5.4 41/73] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
    2022-01-18  2:43  6% ` [PATCH AUTOSEL 5.4 26/73] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
@ 2022-01-18  2:44  7% ` Sasha Levin
  1 sibling, 0 replies; 200+ results
From: Sasha Levin @ 2022-01-18  2:44 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Mauro Carvalho Chehab, Sasha Levin, hverkuil,
	mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.

Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/saa7146/saa7146_fops.c | 2 +-
 drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
index aabb830e74689..4b332ea986168 100644
--- a/drivers/media/common/saa7146/saa7146_fops.c
+++ b/drivers/media/common/saa7146/saa7146_fops.c
@@ -525,7 +525,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
 		ERR("out of memory. aborting.\n");
 		kfree(vv);
 		v4l2_ctrl_handler_free(hdl);
-		return -1;
+		return -ENOMEM;
 	}
 
 	saa7146_video_uops.init(dev,vv);
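
Review bot: returning `-ENOMEM` instead of `-1` is the right change, but saa7146_vv_init() lives in drivers/media/common and is shared by every saa7146 board driver, so this hunk alters the value all of them see, and it only touches the `ERR("out of memory. aborting.\n")` return; check that the function's other failure returns, not shown here, do not still hand back `-1`. Note that the hexium_orion patch earlier in this series (26/73) passes this return value straight to its caller and therefore depends on this hunk being applied as well.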
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index f962269306707..86d4e2abed82a 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -284,7 +284,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	hexium_set_input(hexium, 0);
 	hexium->cur_input = 0;
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		i2c_del_adapter(&hexium->i2c_adapter);
+		kfree(hexium);
+		return ret;
+	}
 
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
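
Review bot: the unwind in the new error branch (`i2c_del_adapter(&hexium->i2c_adapter); kfree(hexium);`) duplicates what the existing saa7146_register_device() failure path must already do (the commit message says saa7146_vv_release() is called there), so a shared `goto` unwind label would keep the two paths from drifting apart. The branch is also silent; a `pr_err()` carrying `ret`, as the hexium_orion counterpart has, would help. `ret` is not declared in this hunk, so it relies on an existing local of hexium_attach(), and after `kfree(hexium)` any pointer to it published earlier in attach (the orion driver keeps its context in `dev->ext_priv`) would dangle, so confirm nothing reads it after attach returns an error.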
-- 
2.34.1

* [PATCH AUTOSEL 5.10 069/116] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
    2022-01-18  2:38  6% ` [PATCH AUTOSEL 5.10 047/116] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
@ 2022-01-18  2:39  7% ` Sasha Levin
  1 sibling, 0 replies; 200+ results
From: Sasha Levin @ 2022-01-18  2:39 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Mauro Carvalho Chehab, Sasha Levin, hverkuil,
	mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.

Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/saa7146/saa7146_fops.c | 2 +-
 drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
index d6531874faa65..8047e305f3d01 100644
--- a/drivers/media/common/saa7146/saa7146_fops.c
+++ b/drivers/media/common/saa7146/saa7146_fops.c
@@ -523,7 +523,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
 		ERR("out of memory. aborting.\n");
 		kfree(vv);
 		v4l2_ctrl_handler_free(hdl);
-		return -1;
+		return -ENOMEM;
 	}
 
 	saa7146_video_uops.init(dev,vv);
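
Review bot: only the out-of-memory return in saa7146_vv_init() is changed here; as this helper is shared by all saa7146 board drivers (drivers/media/common), any other `return -1;` in it should get the same treatment in the same patch, and any caller that compared against -1 would need updating. The hexium_orion patch 047/116 in this series returns this value verbatim to its caller, so the two need to land together.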
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index 2214c74bbbf15..3947701cd6c7e 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -284,7 +284,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	hexium_set_input(hexium, 0);
 	hexium->cur_input = 0;
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		i2c_del_adapter(&hexium->i2c_adapter);
+		kfree(hexium);
+		return ret;
+	}
 
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
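
Review bot: the new error branch frees `hexium` and returns without logging; add a `pr_err()` including `ret`, as the hexium_orion fix does, so a failed probe is visible in dmesg. The hunk relies on `ret` already being a local of hexium_attach() (it is not declared here), and the `i2c_del_adapter()`/`kfree()` pair now exists in two places once the saa7146_register_device() failure path from the commit message is counted; a common unwind label is the usual way to avoid that.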
-- 
2.34.1

* [PATCH AUTOSEL 5.10 047/116] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
  @ 2022-01-18  2:38  6% ` Sasha Levin
  2022-01-18  2:39  7% ` [PATCH AUTOSEL 5.10 069/116] media: saa7146: hexium_gemini: " Sasha Levin
  1 sibling, 0 replies; 200+ results
From: Sasha Levin @ 2022-01-18  2:38 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin,
	hverkuil, mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release()
will be called and there is a dereference of dev->vv_data in
saa7146_vv_release(), which could lead to a NULL pointer dereference
on failure of saa7146_vv_init() according to the following logic.

Both hexium_attach() and hexium_detach() are callback functions of
the variable 'extension', so there exists a possible call chain directly
from hexium_attach() to hexium_detach():

hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data
	|		    		in saa7146_vv_init().
	|
	|
hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release()

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
index 39d14c179d229..2eb4bee16b71f 100644
--- a/drivers/media/pci/saa7146/hexium_orion.c
+++ b/drivers/media/pci/saa7146/hexium_orion.c
@@ -355,10 +355,16 @@ static struct saa7146_ext_vv vv_data;
 static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
 {
 	struct hexium *hexium = (struct hexium *) dev->ext_priv;
+	int ret;
 
 	DEB_EE("\n");
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		pr_err("Error in saa7146_vv_init()\n");
+		return ret;
+	}
+
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
 	vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
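
Review bot: `pr_err("Error in saa7146_vv_init()\n")` drops the error code; print `ret` in the message. More importantly, the commit message's crash scenario runs through hexium_detach() after a failed attach, and this hunk neither changes detach() nor shows how the core reacts to a non-zero attach return, so confirm that the core does not invoke the detach callback (and thus saa7146_vv_release() on a NULL `dev->vv_data`) after attach fails; if it does, saa7146_vv_release() needs a NULL guard as well. `hexium` (from `dev->ext_priv`) is left as-is on the error path, so the core must be the one to free it.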
-- 
2.34.1

* [PATCH AUTOSEL 4.14 34/56] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
    2022-01-18  2:48  6% ` [PATCH AUTOSEL 4.14 25/56] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
@ 2022-01-18  2:48  7% ` Sasha Levin
  1 sibling, 0 replies; 200+ results
From: Sasha Levin @ 2022-01-18  2:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Mauro Carvalho Chehab, Sasha Levin, hverkuil,
	mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.

Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/saa7146/saa7146_fops.c | 2 +-
 drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
index 930d2c94d5d30..2c9365a39270a 100644
--- a/drivers/media/common/saa7146/saa7146_fops.c
+++ b/drivers/media/common/saa7146/saa7146_fops.c
@@ -524,7 +524,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
 		ERR("out of memory. aborting.\n");
 		kfree(vv);
 		v4l2_ctrl_handler_free(hdl);
-		return -1;
+		return -ENOMEM;
 	}
 
 	saa7146_video_uops.init(dev,vv);
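
Review bot: this is a 4.14 backport of a change to a shared helper: every driver calling saa7146_vv_init() in this tree now sees -ENOMEM where it saw -1, which is correct but worth stating as intentional in the backport notes. Also verify that no other early return in 4.14's saa7146_vv_init() still returns -1, since the hunk context shows only this one site, and that the hexium_orion backport 25/56 of this series, which forwards this value unchanged, is applied together with it.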
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index a527d86b93a77..7f498aebb4112 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -296,7 +296,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	hexium_set_input(hexium, 0);
 	hexium->cur_input = 0;
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		i2c_del_adapter(&hexium->i2c_adapter);
+		kfree(hexium);
+		return ret;
+	}
 
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
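
Review bot: the hunk header (`@@ -296,7`) shows the code sits at a different offset in 4.14 than in the 5.x backports (`@@ -284,7`), so double-check that 4.14's hexium_attach() already declares `ret` (it is not declared in this hunk) and has set up the i2c adapter and allocated `hexium` before this point; the error branch calls `i2c_del_adapter()` and `kfree(hexium)`, which is only correct if both were done earlier in this tree's version of the function. A `pr_err()` carrying the error code, matching the orion fix, would also help.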
-- 
2.34.1

* [PATCH AUTOSEL 4.19 18/59] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
  @ 2022-01-18  2:46  6% ` Sasha Levin
  2022-01-18  2:46  7% ` [PATCH AUTOSEL 4.19 31/59] media: saa7146: hexium_gemini: " Sasha Levin
  1 sibling, 0 replies; 200+ results
From: Sasha Levin @ 2022-01-18  2:46 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin,
	hverkuil, mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release()
will be called and there is a dereference of dev->vv_data in
saa7146_vv_release(), which could lead to a NULL pointer dereference
on failure of saa7146_vv_init() according to the following logic.

Both hexium_attach() and hexium_detach() are callback functions of
the variable 'extension', so there exists a possible call chain directly
from hexium_attach() to hexium_detach():

hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data
	|		    		in saa7146_vv_init().
	|
	|
hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release()

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
index a794f9e5f9908..b88aa1feb7df2 100644
--- a/drivers/media/pci/saa7146/hexium_orion.c
+++ b/drivers/media/pci/saa7146/hexium_orion.c
@@ -367,10 +367,16 @@ static struct saa7146_ext_vv vv_data;
 static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
 {
 	struct hexium *hexium = (struct hexium *) dev->ext_priv;
+	int ret;
 
 	DEB_EE("\n");
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		pr_err("Error in saa7146_vv_init()\n");
+		return ret;
+	}
+
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
 	vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
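
Review bot: `return ret;` forwards saa7146_vv_init()'s raw return value, which is `-1` in 4.19 until the hexium_gemini patch 31/59 of this series changes it to -ENOMEM; order this patch after that one or include the saa7146_fops.c hunk here. The error branch returns before any of the `vv_data.vid_ops` assignments, which is fine since `vv_data` is a static struct (see the hunk header), but it leaves `dev->ext_priv` (the `hexium` pointer a few lines above) for the caller to free, so verify that the core does that on attach failure, and consider printing `ret` in the `pr_err()`.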
-- 
2.34.1

* [PATCH AUTOSEL 5.15 116/188] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
    2022-01-18  2:30  6% ` [PATCH AUTOSEL 5.15 085/188] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
  2022-01-18  2:30  5% ` [PATCH AUTOSEL 5.15 111/188] drm/amdkfd: Fix error handling in svm_range_add Sasha Levin
@ 2022-01-18  2:30  7% ` Sasha Levin
  2 siblings, 0 replies; 200+ results
From: Sasha Levin @ 2022-01-18  2:30 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Mauro Carvalho Chehab, Sasha Levin, hverkuil,
	mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.

Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/saa7146/saa7146_fops.c | 2 +-
 drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
index baf5772c52a96..be32159777142 100644
--- a/drivers/media/common/saa7146/saa7146_fops.c
+++ b/drivers/media/common/saa7146/saa7146_fops.c
@@ -521,7 +521,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
 		ERR("out of memory. aborting.\n");
 		kfree(vv);
 		v4l2_ctrl_handler_free(hdl);
-		return -1;
+		return -ENOMEM;
 	}
 
 	saa7146_video_uops.init(dev,vv);
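
Review bot: the `-1` to `-ENOMEM` change is what makes `return ret;` in the hexium drivers meaningful; hexium_orion (085/188 in this series) returns the value unchanged and lands before this patch, so between the two a failed allocation would briefly surface as -1 (-EPERM). Also check that the remaining failure returns of saa7146_vv_init(), outside this hunk's context, already return a proper errno, since the helper is shared by every saa7146 board driver.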
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index 2214c74bbbf15..3947701cd6c7e 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -284,7 +284,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	hexium_set_input(hexium, 0);
 	hexium->cur_input = 0;
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		i2c_del_adapter(&hexium->i2c_adapter);
+		kfree(hexium);
+		return ret;
+	}
 
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
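
Review bot: on the new error path hexium_attach() returns right after `kfree(hexium)` with no message; add a `pr_err()` carrying `ret`. The cleanup duplicates the saa7146_register_device() failure handling described in the commit message, so a shared unwind label would avoid two copies of `i2c_del_adapter()`/`kfree()`; and if `hexium` was published anywhere before this point (e.g. in `dev->ext_priv`, as the orion driver does), that pointer is now stale after the free.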
-- 
2.34.1

* [PATCH AUTOSEL 5.15 085/188] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
  @ 2022-01-18  2:30  6% ` Sasha Levin
  2022-01-18  2:30  5% ` [PATCH AUTOSEL 5.15 111/188] drm/amdkfd: Fix error handling in svm_range_add Sasha Levin
  2022-01-18  2:30  7% ` [PATCH AUTOSEL 5.15 116/188] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
  2 siblings, 0 replies; 200+ results
From: Sasha Levin @ 2022-01-18  2:30 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin,
	hverkuil, mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release()
will be called and there is a dereference of dev->vv_data in
saa7146_vv_release(), which could lead to a NULL pointer dereference
on failure of saa7146_vv_init() according to the following logic.

Both hexium_attach() and hexium_detach() are callback functions of
the variable 'extension', so there exists a possible call chain directly
from hexium_attach() to hexium_detach():

hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data
	|		    		in saa7146_vv_init().
	|
	|
hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release()

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
index 39d14c179d229..2eb4bee16b71f 100644
--- a/drivers/media/pci/saa7146/hexium_orion.c
+++ b/drivers/media/pci/saa7146/hexium_orion.c
@@ -355,10 +355,16 @@ static struct saa7146_ext_vv vv_data;
 static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
 {
 	struct hexium *hexium = (struct hexium *) dev->ext_priv;
+	int ret;
 
 	DEB_EE("\n");
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		pr_err("Error in saa7146_vv_init()\n");
+		return ret;
+	}
+
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
 	vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
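
Review bot: the early return leaves `hexium` (taken from `dev->ext_priv` at the top of the function) untouched and prints no error code; confirm the core frees the extension data when attach fails, and make the message `pr_err("saa7146_vv_init() failed: %d\n", ret)`. The attach-then-detach chain from the commit message is not closed by this hunk alone: if the core still invokes hexium_detach() after a failed attach, saa7146_vv_release() will still dereference a NULL `dev->vv_data`, so either that callback must not run on attach failure or saa7146_vv_release() needs a guard.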
-- 
2.34.1

* [PATCH AUTOSEL 5.15 111/188] drm/amdkfd: Fix error handling in svm_range_add
    2022-01-18  2:30  6% ` [PATCH AUTOSEL 5.15 085/188] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
@ 2022-01-18  2:30  5% ` Sasha Levin
  2022-01-18  2:30  7% ` [PATCH AUTOSEL 5.15 116/188] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
  2 siblings, 0 replies; 200+ results
From: Sasha Levin @ 2022-01-18  2:30 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Felix Kuehling, Zhou Qingyang, Philip Yang, Alex Deucher,
	Sasha Levin, christian.koenig, Xinhui.Pan, airlied, daniel,
	amd-gfx, dri-devel

From: Felix Kuehling <Felix.Kuehling@amd.com>

[ Upstream commit 726be40607264b180a2b336c81e1dcff941de618 ]

Add null-pointer check after the last svm_range_new call. This was
originally reported by Zhou Qingyang <zhou1615@umn.edu> based on a
static analyzer.

To avoid duplicating the unwinding code from svm_range_handle_overlap,
I merged the two functions into one.

Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Cc: Zhou Qingyang <zhou1615@umn.edu>
Reviewed-by: Philip Yang <Philip.Yang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 138 ++++++++++-----------------
 1 file changed, 49 insertions(+), 89 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
index 5a674235ae41a..830809b694dd9 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -936,7 +936,7 @@ svm_range_split(struct svm_range *prange, uint64_t start, uint64_t last,
 }
 
 static int
-svm_range_split_tail(struct svm_range *prange, struct svm_range *new,
+svm_range_split_tail(struct svm_range *prange,
 		     uint64_t new_last, struct list_head *insert_list)
 {
 	struct svm_range *tail;
@@ -948,7 +948,7 @@ svm_range_split_tail(struct svm_range *prange, struct svm_range *new,
 }
 
 static int
-svm_range_split_head(struct svm_range *prange, struct svm_range *new,
+svm_range_split_head(struct svm_range *prange,
 		     uint64_t new_start, struct list_head *insert_list)
 {
 	struct svm_range *head;
@@ -1755,49 +1755,54 @@ static struct svm_range *svm_range_clone(struct svm_range *old)
 }
 
 /**
- * svm_range_handle_overlap - split overlap ranges
- * @svms: svm range list header
- * @new: range added with this attributes
- * @start: range added start address, in pages
- * @last: range last address, in pages
- * @update_list: output, the ranges attributes are updated. For set_attr, this
- *               will do validation and map to GPUs. For unmap, this will be
- *               removed and unmap from GPUs
- * @insert_list: output, the ranges will be inserted into svms, attributes are
- *               not changes. For set_attr, this will add into svms.
- * @remove_list:output, the ranges will be removed from svms
- * @left: the remaining range after overlap, For set_attr, this will be added
- *        as new range.
+ * svm_range_add - add svm range and handle overlap
+ * @p: the range add to this process svms
+ * @start: page size aligned
+ * @size: page size aligned
+ * @nattr: number of attributes
+ * @attrs: array of attributes
+ * @update_list: output, the ranges need validate and update GPU mapping
+ * @insert_list: output, the ranges need insert to svms
+ * @remove_list: output, the ranges are replaced and need remove from svms
  *
- * Total have 5 overlap cases.
+ * Check if the virtual address range has overlap with any existing ranges,
+ * split partly overlapping ranges and add new ranges in the gaps. All changes
+ * should be applied to the range_list and interval tree transactionally. If
+ * any range split or allocation fails, the entire update fails. Therefore any
+ * existing overlapping svm_ranges are cloned and the original svm_ranges left
+ * unchanged.
  *
- * This function handles overlap of an address interval with existing
- * struct svm_ranges for applying new attributes. This may require
- * splitting existing struct svm_ranges. All changes should be applied to
- * the range_list and interval tree transactionally. If any split operation
- * fails, the entire update fails. Therefore the existing overlapping
- * svm_ranges are cloned and the original svm_ranges left unchanged. If the
- * transaction succeeds, the modified clones are added and the originals
- * freed. Otherwise the clones are removed and the old svm_ranges remain.
+ * If the transaction succeeds, the caller can update and insert clones and
+ * new ranges, then free the originals.
  *
- * Context: The caller must hold svms->lock
+ * Otherwise the caller can free the clones and new ranges, while the old
+ * svm_ranges remain unchanged.
+ *
+ * Context: Process context, caller must hold svms->lock
+ *
+ * Return:
+ * 0 - OK, otherwise error code
  */
 static int
-svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
-			 unsigned long start, unsigned long last,
-			 struct list_head *update_list,
-			 struct list_head *insert_list,
-			 struct list_head *remove_list,
-			 unsigned long *left)
+svm_range_add(struct kfd_process *p, uint64_t start, uint64_t size,
+	      uint32_t nattr, struct kfd_ioctl_svm_attribute *attrs,
+	      struct list_head *update_list, struct list_head *insert_list,
+	      struct list_head *remove_list)
 {
+	unsigned long last = start + size - 1UL;
+	struct svm_range_list *svms = &p->svms;
 	struct interval_tree_node *node;
+	struct svm_range new = {0};
 	struct svm_range *prange;
 	struct svm_range *tmp;
 	int r = 0;
 
+	pr_debug("svms 0x%p [0x%llx 0x%lx]\n", &p->svms, start, last);
+
 	INIT_LIST_HEAD(update_list);
 	INIT_LIST_HEAD(insert_list);
 	INIT_LIST_HEAD(remove_list);
+	svm_range_apply_attrs(p, &new, nattr, attrs);
 
 	node = interval_tree_iter_first(&svms->objects, start, last);
 	while (node) {
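
Review bot: `struct svm_range new = {0};` puts a full svm_range on the stack with whatever list heads, locks or counters the struct contains merely zeroed rather than initialised, then hands it to svm_range_apply_attrs() and, in the next hunk, svm_range_is_same_attrs(); that is only safe while both touch attribute fields exclusively, so a comment stating that, or a smaller attrs-only struct, would protect against later changes. svm_range_apply_attrs() is called without looking at a return value; if it can fail, `r` should be set from it before the loop. `last` also changes type from `uint64_t` (the deleted svm_range_add() at the bottom of this patch) to `unsigned long`, which matches the interval-tree API but truncates `start + size - 1UL` on a 32-bit build; if the driver is 64-bit only that deserves a one-line note.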
@@ -1825,14 +1830,14 @@ svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
 
 			if (node->start < start) {
 				pr_debug("change old range start\n");
-				r = svm_range_split_head(prange, new, start,
+				r = svm_range_split_head(prange, start,
 							 insert_list);
 				if (r)
 					goto out;
 			}
 			if (node->last > last) {
 				pr_debug("change old range last\n");
-				r = svm_range_split_tail(prange, new, last,
+				r = svm_range_split_tail(prange, last,
 							 insert_list);
 				if (r)
 					goto out;
@@ -1844,7 +1849,7 @@ svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
 			prange = old;
 		}
 
-		if (!svm_range_is_same_attrs(prange, new))
+		if (!svm_range_is_same_attrs(prange, &new))
 			list_add(&prange->update_list, update_list);
 
 		/* insert a new node if needed */
@@ -1864,8 +1869,16 @@ svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
 		start = next_start;
 	}
 
-	if (left && start <= last)
-		*left = last - start + 1;
+	/* add a final range at the end if needed */
+	if (start <= last) {
+		prange = svm_range_new(svms, start, last);
+		if (!prange) {
+			r = -ENOMEM;
+			goto out;
+		}
+		list_add(&prange->insert_list, insert_list);
+		list_add(&prange->update_list, update_list);
+	}
 
 out:
 	if (r)
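Review bot: the `if (!prange) { r = -ENOMEM; goto out; }` after `svm_range_new()` is the actual fix, and it reuses the unwind that the split errors above already take, which the old `svm_range_add()` could not reach. The hunk stops at `if (r)`, so the body of `out:` is not visible; confirm it releases the clones and split ranges that earlier loop iterations already queued on `insert_list` and `remove_list`, since this failure happens after they were added.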
@@ -2693,59 +2706,6 @@ svm_range_is_valid(struct mm_struct *mm, uint64_t start, uint64_t size)
 	return true;
 }
 
-/**
- * svm_range_add - add svm range and handle overlap
- * @p: the range add to this process svms
- * @start: page size aligned
- * @size: page size aligned
- * @nattr: number of attributes
- * @attrs: array of attributes
- * @update_list: output, the ranges need validate and update GPU mapping
- * @insert_list: output, the ranges need insert to svms
- * @remove_list: output, the ranges are replaced and need remove from svms
- *
- * Check if the virtual address range has overlap with the registered ranges,
- * split the overlapped range, copy and adjust pages address and vram nodes in
- * old and new ranges.
- *
- * Context: Process context, caller must hold svms->lock
- *
- * Return:
- * 0 - OK, otherwise error code
- */
-static int
-svm_range_add(struct kfd_process *p, uint64_t start, uint64_t size,
-	      uint32_t nattr, struct kfd_ioctl_svm_attribute *attrs,
-	      struct list_head *update_list, struct list_head *insert_list,
-	      struct list_head *remove_list)
-{
-	uint64_t last = start + size - 1UL;
-	struct svm_range_list *svms;
-	struct svm_range new = {0};
-	struct svm_range *prange;
-	unsigned long left = 0;
-	int r = 0;
-
-	pr_debug("svms 0x%p [0x%llx 0x%llx]\n", &p->svms, start, last);
-
-	svm_range_apply_attrs(p, &new, nattr, attrs);
-
-	svms = &p->svms;
-
-	r = svm_range_handle_overlap(svms, &new, start, last, update_list,
-				     insert_list, remove_list, &left);
-	if (r)
-		return r;
-
-	if (left) {
-		prange = svm_range_new(svms, last - left + 1, last);
-		list_add(&prange->insert_list, insert_list);
-		list_add(&prange->update_list, update_list);
-	}
-
-	return 0;
-}
-
 /**
  * svm_range_best_prefetch_location - decide the best prefetch location
  * @prange: svm range structure
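Review bot: the deleted block is the original defect site: `prange = svm_range_new(svms, last - left + 1, last);` was followed directly by `list_add(&prange->insert_list, insert_list);` with no NULL check, and the early `return r;` above it meant a failure here had no unwind at all. Removing it together with the `left` out-parameter closes that path; the merged function keeps the same kernel-doc parameter list, so callers need no further documentation update.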
-- 
2.34.1



* [PATCH AUTOSEL 5.16 130/217] drm/amdkfd: Fix error handling in svm_range_add
From: Sasha Levin @ 2022-01-18  2:18 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Felix Kuehling, Zhou Qingyang, Philip Yang, Alex Deucher,
	Sasha Levin, christian.koenig, Xinhui.Pan, airlied, daniel,
	amd-gfx, dri-devel

From: Felix Kuehling <Felix.Kuehling@amd.com>

[ Upstream commit 726be40607264b180a2b336c81e1dcff941de618 ]

Add a null-pointer check after the last svm_range_new call. This was
originally reported by Zhou Qingyang <zhou1615@umn.edu> based on a
static analyzer.

To avoid duplicating the unwinding code from svm_range_handle_overlap,
I merged the two functions into one.

Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Cc: Zhou Qingyang <zhou1615@umn.edu>
Reviewed-by: Philip Yang <Philip.Yang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 138 ++++++++++-----------------
 1 file changed, 49 insertions(+), 89 deletions(-)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
index 3cb4681c5f539..c0b8f4ff80b8a 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -943,7 +943,7 @@ svm_range_split(struct svm_range *prange, uint64_t start, uint64_t last,
 }
 
 static int
-svm_range_split_tail(struct svm_range *prange, struct svm_range *new,
+svm_range_split_tail(struct svm_range *prange,
 		     uint64_t new_last, struct list_head *insert_list)
 {
 	struct svm_range *tail;
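Review bot: dropping the unused `struct svm_range *new` parameter from `svm_range_split_tail()` (and from `svm_range_split_head()` in the next hunk) is a clean-up rather than part of the fix; only the signatures are in these hunks, so confirm the bodies had no remaining use of `new`. The callers inside `svm_range_add()` are updated in the later hunks of this patch.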
@@ -955,7 +955,7 @@ svm_range_split_tail(struct svm_range *prange, struct svm_range *new,
 }
 
 static int
-svm_range_split_head(struct svm_range *prange, struct svm_range *new,
+svm_range_split_head(struct svm_range *prange,
 		     uint64_t new_start, struct list_head *insert_list)
 {
 	struct svm_range *head;
@@ -1764,49 +1764,54 @@ static struct svm_range *svm_range_clone(struct svm_range *old)
 }
 
 /**
- * svm_range_handle_overlap - split overlap ranges
- * @svms: svm range list header
- * @new: range added with this attributes
- * @start: range added start address, in pages
- * @last: range last address, in pages
- * @update_list: output, the ranges attributes are updated. For set_attr, this
- *               will do validation and map to GPUs. For unmap, this will be
- *               removed and unmap from GPUs
- * @insert_list: output, the ranges will be inserted into svms, attributes are
- *               not changes. For set_attr, this will add into svms.
- * @remove_list:output, the ranges will be removed from svms
- * @left: the remaining range after overlap, For set_attr, this will be added
- *        as new range.
+ * svm_range_add - add svm range and handle overlap
+ * @p: the range add to this process svms
+ * @start: page size aligned
+ * @size: page size aligned
+ * @nattr: number of attributes
+ * @attrs: array of attributes
+ * @update_list: output, the ranges need validate and update GPU mapping
+ * @insert_list: output, the ranges need insert to svms
+ * @remove_list: output, the ranges are replaced and need remove from svms
  *
- * Total have 5 overlap cases.
+ * Check if the virtual address range has overlap with any existing ranges,
+ * split partly overlapping ranges and add new ranges in the gaps. All changes
+ * should be applied to the range_list and interval tree transactionally. If
+ * any range split or allocation fails, the entire update fails. Therefore any
+ * existing overlapping svm_ranges are cloned and the original svm_ranges left
+ * unchanged.
  *
- * This function handles overlap of an address interval with existing
- * struct svm_ranges for applying new attributes. This may require
- * splitting existing struct svm_ranges. All changes should be applied to
- * the range_list and interval tree transactionally. If any split operation
- * fails, the entire update fails. Therefore the existing overlapping
- * svm_ranges are cloned and the original svm_ranges left unchanged. If the
- * transaction succeeds, the modified clones are added and the originals
- * freed. Otherwise the clones are removed and the old svm_ranges remain.
+ * If the transaction succeeds, the caller can update and insert clones and
+ * new ranges, then free the originals.
  *
- * Context: The caller must hold svms->lock
+ * Otherwise the caller can free the clones and new ranges, while the old
+ * svm_ranges remain unchanged.
+ *
+ * Context: Process context, caller must hold svms->lock
+ *
+ * Return:
+ * 0 - OK, otherwise error code
  */
 static int
-svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
-			 unsigned long start, unsigned long last,
-			 struct list_head *update_list,
-			 struct list_head *insert_list,
-			 struct list_head *remove_list,
-			 unsigned long *left)
+svm_range_add(struct kfd_process *p, uint64_t start, uint64_t size,
+	      uint32_t nattr, struct kfd_ioctl_svm_attribute *attrs,
+	      struct list_head *update_list, struct list_head *insert_list,
+	      struct list_head *remove_list)
 {
+	unsigned long last = start + size - 1UL;
+	struct svm_range_list *svms = &p->svms;
 	struct interval_tree_node *node;
+	struct svm_range new = {0};
 	struct svm_range *prange;
 	struct svm_range *tmp;
 	int r = 0;
 
+	pr_debug("svms 0x%p [0x%llx 0x%lx]\n", &p->svms, start, last);
+
 	INIT_LIST_HEAD(update_list);
 	INIT_LIST_HEAD(insert_list);
 	INIT_LIST_HEAD(remove_list);
+	svm_range_apply_attrs(p, &new, nattr, attrs);
 
 	node = interval_tree_iter_first(&svms->objects, start, last);
 	while (node) {
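Review bot: the replaced kernel-doc loses the unit information: the old text said `@start: range added start address, in pages` and `@last: range last address, in pages`, whereas the new block only says `@start: page size aligned` / `@size: page size aligned`, which does not state whether these are page numbers or byte addresses; `@start: start address, page size aligned` with the unit spelled out would keep what was documented before. Also note `last` changes from `uint64_t` to `unsigned long` here, with the `pr_debug` format moved to `%lx` accordingly.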
@@ -1834,14 +1839,14 @@ svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
 
 			if (node->start < start) {
 				pr_debug("change old range start\n");
-				r = svm_range_split_head(prange, new, start,
+				r = svm_range_split_head(prange, start,
 							 insert_list);
 				if (r)
 					goto out;
 			}
 			if (node->last > last) {
 				pr_debug("change old range last\n");
-				r = svm_range_split_tail(prange, new, last,
+				r = svm_range_split_tail(prange, last,
 							 insert_list);
 				if (r)
 					goto out;
@@ -1853,7 +1858,7 @@ svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
 			prange = old;
 		}
 
-		if (!svm_range_is_same_attrs(prange, new))
+		if (!svm_range_is_same_attrs(prange, &new))
 			list_add(&prange->update_list, update_list);
 
 		/* insert a new node if needed */
@@ -1873,8 +1878,16 @@ svm_range_handle_overlap(struct svm_range_list *svms, struct svm_range *new,
 		start = next_start;
 	}
 
-	if (left && start <= last)
-		*left = last - start + 1;
+	/* add a final range at the end if needed */
+	if (start <= last) {
+		prange = svm_range_new(svms, start, last);
+		if (!prange) {
+			r = -ENOMEM;
+			goto out;
+		}
+		list_add(&prange->insert_list, insert_list);
+		list_add(&prange->update_list, update_list);
+	}
 
 out:
 	if (r)
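Review bot: `r = -ENOMEM; goto out;` on the `svm_range_new()` NULL return is the fix for the reported dereference; the replaced `*left = last - start + 1;` only reported the remaining gap to the old caller, which then allocated without checking. The comment `/* add a final range at the end if needed */` would be clearer if it said this covers the part of [start, last] past the last overlapping node, since the loop has advanced `start` by this point.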
@@ -2894,59 +2907,6 @@ svm_range_is_valid(struct kfd_process *p, uint64_t start, uint64_t size)
 				  NULL);
 }
 
-/**
- * svm_range_add - add svm range and handle overlap
- * @p: the range add to this process svms
- * @start: page size aligned
- * @size: page size aligned
- * @nattr: number of attributes
- * @attrs: array of attributes
- * @update_list: output, the ranges need validate and update GPU mapping
- * @insert_list: output, the ranges need insert to svms
- * @remove_list: output, the ranges are replaced and need remove from svms
- *
- * Check if the virtual address range has overlap with the registered ranges,
- * split the overlapped range, copy and adjust pages address and vram nodes in
- * old and new ranges.
- *
- * Context: Process context, caller must hold svms->lock
- *
- * Return:
- * 0 - OK, otherwise error code
- */
-static int
-svm_range_add(struct kfd_process *p, uint64_t start, uint64_t size,
-	      uint32_t nattr, struct kfd_ioctl_svm_attribute *attrs,
-	      struct list_head *update_list, struct list_head *insert_list,
-	      struct list_head *remove_list)
-{
-	uint64_t last = start + size - 1UL;
-	struct svm_range_list *svms;
-	struct svm_range new = {0};
-	struct svm_range *prange;
-	unsigned long left = 0;
-	int r = 0;
-
-	pr_debug("svms 0x%p [0x%llx 0x%llx]\n", &p->svms, start, last);
-
-	svm_range_apply_attrs(p, &new, nattr, attrs);
-
-	svms = &p->svms;
-
-	r = svm_range_handle_overlap(svms, &new, start, last, update_list,
-				     insert_list, remove_list, &left);
-	if (r)
-		return r;
-
-	if (left) {
-		prange = svm_range_new(svms, last - left + 1, last);
-		list_add(&prange->insert_list, insert_list);
-		list_add(&prange->update_list, update_list);
-	}
-
-	return 0;
-}
-
 /**
  * svm_range_best_prefetch_location - decide the best prefetch location
  * @prange: svm range structure
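Review bot: the deleted `svm_range_add()` had no check on `svm_range_new()` before `list_add(&prange->insert_list, insert_list);`, and it returned `r` from `svm_range_handle_overlap()` directly, so an allocation failure of its own had no unwind; folding it into the former `svm_range_handle_overlap()` body removes that second, unprotected error path. The old `pr_debug("svms 0x%p [0x%llx 0x%llx]\n", ...)` printed both values with `%llx`; the merged version prints `last` with `%lx`, matching its new type.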
-- 
2.34.1



* [PATCH AUTOSEL 5.16 099/217] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
From: Sasha Levin @ 2022-01-18  2:17 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin,
	hverkuil, mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release()
will be called and there is a dereference of dev->vv_data in
saa7146_vv_release(), which could lead to a NULL pointer dereference
on failure of saa7146_vv_init() according to the following logic.

Both hexium_attach() and hexium_detach() are callback functions of
the variable 'extension', so there exists a possible call chain directly
from hexium_attach() to hexium_detach():

hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data
	|		    		in saa7146_vv_init().
	|
	|
hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release()

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
index 39d14c179d229..2eb4bee16b71f 100644
--- a/drivers/media/pci/saa7146/hexium_orion.c
+++ b/drivers/media/pci/saa7146/hexium_orion.c
@@ -355,10 +355,16 @@ static struct saa7146_ext_vv vv_data;
 static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
 {
 	struct hexium *hexium = (struct hexium *) dev->ext_priv;
+	int ret;
 
 	DEB_EE("\n");
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		pr_err("Error in saa7146_vv_init()\n");
+		return ret;
+	}
+
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
 	vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
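Review bot: the early `return ret;` propagates whatever `saa7146_vv_init()` returns, and in this same series the `saa7146_fops.c` hunk changes that from `return -1;` to `return -ENOMEM;`; without that change callers of `hexium_attach()` would see `-1` (`-EPERM`) on allocation failure, so the two should land together. Minor: `pr_err("Error in saa7146_vv_init()\n")` carries neither a driver prefix nor the error value; printing `ret` helps when reading logs. Nothing in the visible part of `hexium_attach()` allocates before this call (`hexium` comes from `dev->ext_priv`), so returning without cleanup looks right.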
-- 
2.34.1



* [PATCH AUTOSEL 5.16 136/217] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
From: Sasha Levin @ 2022-01-18  2:18 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zhou Qingyang, Mauro Carvalho Chehab, Sasha Levin, hverkuil,
	mchehab, linux-media

From: Zhou Qingyang <zhou1615@umn.edu>

[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ]

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.

Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/saa7146/saa7146_fops.c | 2 +-
 drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
index baf5772c52a96..be32159777142 100644
--- a/drivers/media/common/saa7146/saa7146_fops.c
+++ b/drivers/media/common/saa7146/saa7146_fops.c
@@ -521,7 +521,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
 		ERR("out of memory. aborting.\n");
 		kfree(vv);
 		v4l2_ctrl_handler_free(hdl);
-		return -1;
+		return -ENOMEM;
 	}
 
 	saa7146_video_uops.init(dev,vv);
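Review bot: changing `return -1;` to `return -ENOMEM;` on the out-of-memory path gives callers a real errno instead of `-EPERM`; the block already frees `vv` and the control handler before returning, so nothing else is needed here. This is what makes the `return ret;` added to `hexium_attach()` in the next hunk meaningful to its callers.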
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index 2214c74bbbf15..3947701cd6c7e 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -284,7 +284,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	hexium_set_input(hexium, 0);
 	hexium->cur_input = 0;
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		i2c_del_adapter(&hexium->i2c_adapter);
+		kfree(hexium);
+		return ret;
+	}
 
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
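Review bot: `ret = saa7146_vv_init(dev, &vv_data);` uses `ret`, but this hunk does not declare it, unlike the hexium_orion patch which adds `int ret;`; confirm `hexium_attach()` in hexium_gemini.c already has that local or the patch will not build. The failure path deletes the I2C adapter and frees `hexium`, which matches what `hexium_set_input(hexium, 0)` just above implies was set up in this function; check that the order agrees with the function's existing error paths.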
-- 
2.34.1



* Re: [PATCH v3] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
From: Neil Armstrong @ 2022-01-12  8:57 UTC (permalink / raw)
  To: Qingyang Zhou, Hans Verkuil
  Cc: Kangjie Lu, Mauro Carvalho Chehab, Greg Kroah-Hartman,
	Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Maxime Jourdan,
	linux-media, linux-amlogic, linux-staging, linux-arm-kernel,
	linux-kernel

Hi,

On 11/01/2022 14:03, Qingyang Zhou wrote:
> Hi Hans:
> 
> Here I certify that this is an origin patch I wrote. I did not copy Neil's patch, and I did not know his patch.
> 
> Neil, please post your original patch here, so everyone can see both patches.
> 
> Yours 
> Zhou Qingyang.
> 
> On Tue, Jan 11, 2022 at 5:16 PM Hans Verkuil <hverkuil-cisco@xs4all.nl <mailto:hverkuil-cisco@xs4all.nl>> wrote:
> 
>     Zhou Qingyang, this is exactly the patch Neil wrote, except you just stuck your
>     name on it. Not nice.
> 
>     Neil, can you post your patch with your own Signed-off-by, then I'll take that one.
> 
>     Regards,
> 
>             Hans
> 
>     On 15/12/2021 04:35, Zhou Qingyang wrote:
>     > In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
>     > to a NULL pointer dereference on failure of kzalloc().
>     >
>     > Fix this bug by adding a NULL check of new_ts.
>     >
>     > This bug was found by a static analyzer[1].
>     >
>     > Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
>     > and our static analyzer no longer warns about this code.
>     >
>     > Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
>     > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu <mailto:zhou1615@umn.edu>>
>     > ---
>     >
>     > [1] The analysis employs differential checking to identify inconsistent
>     > security operations (e.g., checks or kfrees) between two code paths and
>     > confirms that the inconsistent operations are not recovered in the
>     > current function or the callers, so they constitute bugs.
>     >
>     > Note that, as a bug found by static analysis, it can be a false
>     > positive or hard to trigger. Multiple researchers have cross-reviewed
>     > the bug.
>     >
>     > Changes in v3:
>     >   -  Change the description of patch
>     >   -  Turn the return type from 'void' to 'int'
>     >   -  Check the return value in the caller 'esparser_queue()'
>     >
>     > Changes in v2:
>     >   -  Delete dev_err() message
>     >
>     >  drivers/staging/media/meson/vdec/esparser.c     | 7 ++++++-
>     >  drivers/staging/media/meson/vdec/vdec_helpers.c | 8 ++++++--
>     >  drivers/staging/media/meson/vdec/vdec_helpers.h | 4 ++--
>     >  3 files changed, 14 insertions(+), 5 deletions(-)
>     >
>     > diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
>     > index db7022707ff8..095100a50da8 100644
>     > --- a/drivers/staging/media/meson/vdec/esparser.c
>     > +++ b/drivers/staging/media/meson/vdec/esparser.c
>     > @@ -328,7 +328,12 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
>     > 
>     >       offset = esparser_get_offset(sess);
>     > 
>     > -     amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
>     > +     ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
>     > +     if (!ret) {
>     > +             v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
>     > +             return ret;
>     > +     }
>     > +
>     >       dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
>     >               vb->timestamp, payload_size, offset, vbuf->flags);
>     > 
>     > diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
>     > index b9125c295d1d..06fd66539797 100644
>     > --- a/drivers/staging/media/meson/vdec/vdec_helpers.c
>     > +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
>     > @@ -227,13 +227,16 @@ int amvdec_set_canvases(struct amvdec_session *sess,
>     >  }
>     >  EXPORT_SYMBOL_GPL(amvdec_set_canvases);
>     > 
>     > -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
>     > -                struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
>     > +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
>     > +               struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
>     >  {
>     >       struct amvdec_timestamp *new_ts;
>     >       unsigned long flags;
>     > 
>     >       new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
>     > +     if (!new_ts)
>     > +             return -ENOMEM;
>     > +
>     >       new_ts->ts = ts;
>     >       new_ts->tc = tc;
>     >       new_ts->offset = offset;
>     > @@ -242,6 +245,7 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
>     >       spin_lock_irqsave(&sess->ts_spinlock, flags);
>     >       list_add_tail(&new_ts->list, &sess->timestamps);
>     >       spin_unlock_irqrestore(&sess->ts_spinlock, flags);
>     > +     return 0;
>     >  }
>     >  EXPORT_SYMBOL_GPL(amvdec_add_ts);
>     > 
>     > diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
>     > index 88137d15aa3a..4bf3e61d081b 100644
>     > --- a/drivers/staging/media/meson/vdec/vdec_helpers.h
>     > +++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
>     > @@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
>     >   * @offset: offset in the VIFIFO where the associated packet was written
>     >   * @flags: the vb2_v4l2_buffer flags
>     >   */
>     > -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
>     > -                struct v4l2_timecode tc, u32 offset, u32 flags);
>     > +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
>     > +               struct v4l2_timecode tc, u32 offset, u32 flags);
>     >  void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
>     > 
>     >  /**
> 

Let's inspect:

I posted a probable solution on 09/12/2021 in a reply to 20211209085840.2081024-1-jiasheng@iscas.ac.cn :

===================><=============================
diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
index db7022707ff8..df733eff9ac7 100644
--- a/drivers/staging/media/meson/vdec/esparser.c
+++ b/drivers/staging/media/meson/vdec/esparser.c
@@ -328,7 +328,11 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)

        offset = esparser_get_offset(sess);

-       amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+       ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+       if (ret) {
+               v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
+               return ret;
+       }
        dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
                vb->timestamp, payload_size, offset, vbuf->flags);

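Review bot: `if (ret) {` has the correct polarity here, so only failures of `amvdec_add_ts()` mark the buffer `VB2_BUF_STATE_ERROR` and return early. `ret` is not declared in this hunk, so it must already be a local in `esparser_queue()`. Style: a blank line after the closing brace before `dev_dbg()` would match the surrounding code.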
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
index b9125c295d1d..593b2ccbece2 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.c
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
@@ -227,13 +227,15 @@ int amvdec_set_canvases(struct amvdec_session *sess,
 }
 EXPORT_SYMBOL_GPL(amvdec_set_canvases);

-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
-                  struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+                 struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
 {
        struct amvdec_timestamp *new_ts;
        unsigned long flags;

        new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
+       if (!new_ts)
+               return -ENOMEM;
        new_ts->ts = ts;
        new_ts->tc = tc;
        new_ts->offset = offset;
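Review bot: `amvdec_add_ts()` now returns `int` and `-ENOMEM` on the `kzalloc()` failure, but no `return 0;` is added for the success path and the end of the function lies outside this hunk; as posted the function falls off the end with a non-void return type. The author acknowledges further down in this message that the `return 0` is missing.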
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
index 88137d15aa3a..4bf3e61d081b 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.h
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
@@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
  * @offset: offset in the VIFIFO where the associated packet was written
  * @flags: the vb2_v4l2_buffer flags
  */
-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
-                  struct v4l2_timecode tc, u32 offset, u32 flags);
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+                 struct v4l2_timecode tc, u32 offset, u32 flags);
 void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
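Review bot: the prototype becomes `int`, but the kernel-doc block above it (the `@offset:` and `@flags:` lines are its visible tail) gains no `Return:` section; document the 0 on success / `-ENOMEM` on allocation failure contract there.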
===================><=============================


Then the patches were sent:
- 20211210015620.2143555-1-jiasheng@iscas.ac.cn on 10/12/2021
- 20211215033535.40422-1-zhou1615@umn.edu on 15/12/2021

They are extremely close but not similar, mostly indenting differs.

Both patches have the missing final "return 0" in amvdec_add_ts which is missing in my proposal.

But only 20211210015620.2143555-1-jiasheng@iscas.ac.cn has the correct "if (ret)" in esparser_queue().
Patch 20211215033535.40422-1-zhou1615@umn.ed has a wrong "if (!ret)".

But when comparing, 20211215033535.40422-1-zhou1615@umn.edu is an almost exact copy of my proposal, minus the fixes and the bogus return check.

To be honest, there is a limited way to fix this, it's probable 20211215033535.40422-1-zhou1615@umn.edu was written independently from
my proposal since there is a bug return check, and 20211210015620.2143555-1-jiasheng@iscas.ac.cn was rewritten from my proposal.

Since 20211215033535.40422-1-zhou1615@umn.ed has a bogus return check, it should be naked.

I'll only ask 20211210015620.2143555-1-jiasheng@iscas.ac.cn to be resent with a "Suggested-by" and indentation fixed like my proposal.

Neil



* Re: [PATCH v3] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
From: Hans Verkuil @ 2022-01-11  9:16 UTC (permalink / raw)
  To: Zhou Qingyang, Neil Armstrong
  Cc: kjlu, Mauro Carvalho Chehab, Greg Kroah-Hartman, Kevin Hilman,
	Jerome Brunet, Martin Blumenstingl, Maxime Jourdan, linux-media,
	linux-amlogic, linux-staging, linux-arm-kernel, linux-kernel

Zhou Qingyang, this is exactly the patch Neil wrote, except you just stuck your
name on it. Not nice.

Neil, can you post your patch with your own Signed-off-by, then I'll take that one.

Regards,

	Hans

On 15/12/2021 04:35, Zhou Qingyang wrote:
> In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
> to a NULL pointer dereference on failure of kzalloc().
> 
> Fix this bug by adding a NULL check of new_ts.
> 
> This bug was found by a static analyzer[1].
> 
> Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> 
> [1] The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths and
> confirms that the inconsistent operations are not recovered in the 
> current function or the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Changes in v3:
>   -  Change the description of patch
>   -  Turn the return type from 'void' to 'int'
>   -  Check the return value in the caller 'esparser_queue()'
> 
> Changes in v2:
>   -  Delete dev_err() message
> 
>  drivers/staging/media/meson/vdec/esparser.c     | 7 ++++++-
>  drivers/staging/media/meson/vdec/vdec_helpers.c | 8 ++++++--
>  drivers/staging/media/meson/vdec/vdec_helpers.h | 4 ++--
>  3 files changed, 14 insertions(+), 5 deletions(-)
> 
> diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
> index db7022707ff8..095100a50da8 100644
> --- a/drivers/staging/media/meson/vdec/esparser.c
> +++ b/drivers/staging/media/meson/vdec/esparser.c
> @@ -328,7 +328,12 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
>  
>  	offset = esparser_get_offset(sess);
>  
> -	amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> +	ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
> +	if (!ret) {
> +		v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
> +		return ret;
> +	}
> +
>  	dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
>  		vb->timestamp, payload_size, offset, vbuf->flags);
>  
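Review bot: the check `if (!ret)` is inverted: `amvdec_add_ts()` now returns 0 on success and `-ENOMEM` on failure, so this marks the buffer `VB2_BUF_STATE_ERROR` and returns 0 on every successful call, while a real allocation failure falls through to `dev_dbg()` with the buffer never completed. It should read `if (ret) {`. Also confirm `ret` is declared in `esparser_queue()`, since this hunk does not add it.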
> diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
> index b9125c295d1d..06fd66539797 100644
> --- a/drivers/staging/media/meson/vdec/vdec_helpers.c
> +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
> @@ -227,13 +227,16 @@ int amvdec_set_canvases(struct amvdec_session *sess,
>  }
>  EXPORT_SYMBOL_GPL(amvdec_set_canvases);
>  
> -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> -		   struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
> +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> +		  struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
>  {
>  	struct amvdec_timestamp *new_ts;
>  	unsigned long flags;
>  
>  	new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
> +	if (!new_ts)
> +		return -ENOMEM;
> +
>  	new_ts->ts = ts;
>  	new_ts->tc = tc;
>  	new_ts->offset = offset;
> @@ -242,6 +245,7 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
>  	spin_lock_irqsave(&sess->ts_spinlock, flags);
>  	list_add_tail(&new_ts->list, &sess->timestamps);
>  	spin_unlock_irqrestore(&sess->ts_spinlock, flags);
> +	return 0;
>  }
>  EXPORT_SYMBOL_GPL(amvdec_add_ts);
>  
> diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
> index 88137d15aa3a..4bf3e61d081b 100644
> --- a/drivers/staging/media/meson/vdec/vdec_helpers.h
> +++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
> @@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
>   * @offset: offset in the VIFIFO where the associated packet was written
>   * @flags: the vb2_v4l2_buffer flags
>   */
> -void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> -		   struct v4l2_timecode tc, u32 offset, u32 flags);
> +int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> +		  struct v4l2_timecode tc, u32 offset, u32 flags);
>  void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
>  
>  /**
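Review bot: with the return type now `int`, the kernel-doc block that ends just above the prototype (the `@offset` / `@flags` lines in the context) should gain a `Return:` line stating 0 on success and -ENOMEM when the timestamp entry cannot be allocated, so callers know the value must be checked.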



* [PATCH v3] clk: x86: Fix a wild pointer dereference in fch_clk_probe()
@ 2022-01-11  5:10 16% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2022-01-11  5:10 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Mario Limonciello,
	Ajit Kumar Pandey, Rafael J. Wysocki, Akshu Agrawal, linux-clk,
	linux-kernel

In fch_clk_probe(), the return value of clk_hw_register_mux() is
assigned to hws[ST_CLK_MUX] and there is a dereference of it in
fch_clk_probe(), which could lead to a wild pointer dereference on
failure of clk_hw_register_mux().

Fix this bug by adding a check of hws[ST_CLK_MUX].

This bug was found by a static analyzer.

Builds with CONFIG_X86_AMD_PLATFORM_DEVICE=y show no new warnings, and
our static analyzer no longer warns about this code.

Fixes: 19fe87fd854a ("clk: x86: Support RV architecture")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in 
the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Changes in v3:
  -  Rebase this based on clk-next.

Changes in v2:
  -  Add error checks to every register function call.
  -  Add error handling logic to every error path.
  -  Turn clk_hw_register_mux to devm_clk_hw_register_mux.
  -  Add error check of clk_set_parent().

 drivers/clk/x86/clk-fch.c | 69 ++++++++++++++++++++++++++++++++++-----
 1 file changed, 61 insertions(+), 8 deletions(-)

diff --git a/drivers/clk/x86/clk-fch.c b/drivers/clk/x86/clk-fch.c
index fdc060e75839..bb0ed6b2a126 100644
--- a/drivers/clk/x86/clk-fch.c
+++ b/drivers/clk/x86/clk-fch.c
@@ -46,6 +46,7 @@ static int fch_clk_probe(struct platform_device *pdev)
 {
 	struct fch_clk_data *fch_data;
 	struct pci_dev *rdev;
+	int ret;
 
 	fch_data = dev_get_platdata(&pdev->dev);
 	if (!fch_data || !fch_data->base)
@@ -60,36 +61,88 @@ static int fch_clk_probe(struct platform_device *pdev)
 	if (pci_match_id(fch_pci_ids, rdev)) {
 		hws[ST_CLK_48M] = clk_hw_register_fixed_rate(NULL, "clk48MHz",
 			NULL, 0, 48000000);
+		if (IS_ERR(hws[ST_CLK_48M])) {
+			ret = PTR_ERR(hws[ST_CLK_48M]);
+			goto err_st_clk_48m;
+		}
+
 		hws[ST_CLK_25M] = clk_hw_register_fixed_rate(NULL, "clk25MHz",
 			NULL, 0, 25000000);
+		if (IS_ERR(hws[ST_CLK_25M])) {
+			ret = PTR_ERR(hws[ST_CLK_25M]);
+			goto err_st_clk_25m;
+		}
 
-		hws[ST_CLK_MUX] = clk_hw_register_mux(NULL, "oscout1_mux",
+		hws[ST_CLK_MUX] = devm_clk_hw_register_mux(NULL, "oscout1_mux",
 			clk_oscout1_parents, ARRAY_SIZE(clk_oscout1_parents),
 			0, fch_data->base + CLKDRVSTR2, OSCOUT1CLK25MHZ, 3, 0,
 			NULL);
+		if (IS_ERR(hws[ST_CLK_MUX])) {
+			ret = PTR_ERR(hws[ST_CLK_MUX]);
+			goto err_st_clk_mux;
+		}
 
-		clk_set_parent(hws[ST_CLK_MUX]->clk, hws[ST_CLK_48M]->clk);
+		ret = clk_set_parent(hws[ST_CLK_MUX]->clk, hws[ST_CLK_48M]->clk);
+		if (ret)
+			goto err_clk_set_parent;
 
 		hws[ST_CLK_GATE] = clk_hw_register_gate(NULL, "oscout1",
 			"oscout1_mux", 0, fch_data->base + MISCCLKCNTL1,
 			OSCCLKENB, CLK_GATE_SET_TO_DISABLE, NULL);
-
-		devm_clk_hw_register_clkdev(&pdev->dev, hws[ST_CLK_GATE],
-					    fch_data->name, NULL);
+		if (IS_ERR(hws[ST_CLK_GATE])) {
+			ret = PTR_ERR(hws[ST_CLK_GATE]);
+			goto err_st_clk_gate;
+		}
+
+		ret = devm_clk_hw_register_clkdev(&pdev->dev, hws[ST_CLK_GATE],
+			fch_data->name, NULL);
+		if (ret)
+			goto err_register_st_clk_gate;
 	} else {
 		hws[CLK_48M_FIXED] = clk_hw_register_fixed_rate(NULL, "clk48MHz",
 			NULL, 0, 48000000);
+		if (IS_ERR(hws[CLK_48M_FIXED])) {
+			ret = PTR_ERR(hws[CLK_48M_FIXED]);
+			goto err_clk_48m_fixed;
+		}
 
 		hws[CLK_GATE_FIXED] = clk_hw_register_gate(NULL, "oscout1",
 			"clk48MHz", 0, fch_data->base + MISCCLKCNTL1,
 			OSCCLKENB, 0, NULL);
-
-		devm_clk_hw_register_clkdev(&pdev->dev, hws[CLK_GATE_FIXED],
-					    fch_data->name, NULL);
+		if (IS_ERR(hws[CLK_GATE_FIXED])) {
+			ret = PTR_ERR(hws[CLK_GATE_FIXED]);
+			goto err_clk_gate_fixed;
+		}
+
+		ret = devm_clk_hw_register_clkdev(&pdev->dev, hws[CLK_GATE_FIXED],
+			fch_data->name, NULL);
+		if (ret)
+			goto err_register_gate_fixed;
 	}
 
 	pci_dev_put(rdev);
 	return 0;
+
+err_register_st_clk_gate:
+	clk_hw_unregister_gate(hws[ST_CLK_GATE]);
+err_st_clk_gate:
+err_clk_set_parent:
+	clk_hw_unregister_mux(hws[ST_CLK_MUX]);
+err_st_clk_mux:
+	clk_hw_unregister_fixed_rate(hws[ST_CLK_25M]);
+err_st_clk_25m:
+	clk_hw_unregister_fixed_rate(hws[ST_CLK_48M]);
+err_st_clk_48m:
+	pci_dev_put(rdev);
+	return ret;
+
+err_register_gate_fixed:
+	clk_hw_unregister_gate(hws[CLK_GATE_FIXED]);
+err_clk_gate_fixed:
+	clk_hw_unregister_fixed_rate(hws[CLK_48M_FIXED]);
+err_clk_48m_fixed:
+	pci_dev_put(rdev);
+	return ret;
 }
 
 static int fch_clk_remove(struct platform_device *pdev)
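Review bot: `devm_clk_hw_register_mux(NULL, "oscout1_mux", ...)` hands a NULL `struct device` to devres, so the managed entry has no device to attach to; either pass `&pdev->dev` or keep `clk_hw_register_mux()` like the fixed-rate and gate registrations around it. If the mux stays devm-managed, the explicit `clk_hw_unregister_mux(hws[ST_CLK_MUX])` reached from the `err_st_clk_gate:` / `err_clk_set_parent:` labels unregisters a clk_hw that devres will unregister again when the failed probe's resources are released, and `fch_clk_remove()` (the trailing context line) should be checked for the same double release on unbind. The rest of the unwind mirrors the registration order and reaches `pci_dev_put(rdev)` on every error path, which is right.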
-- 
2.25.1



* [PATCH v2] clk: x86: Fix a wild pointer dereference in fch_clk_probe()
       [not found]     <20220107015744.22C22C36AE3@smtp.kernel.org>
@ 2022-01-07  7:15 17% ` Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2022-01-07  7:15 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Akshu Agrawal,
	Rafael J. Wysocki, linux-clk, linux-kernel

In fch_clk_probe(), the return value of clk_hw_register_mux() is
assigned to hws[ST_CLK_MUX] and there is a dereference of it in
fch_clk_probe(), which could lead to a wild pointer dereference on
failure of clk_hw_register_mux().

Fix this bug by adding a check of hws[ST_CLK_MUX].

This bug was found by a static analyzer.

Builds with CONFIG_X86_AMD_PLATFORM_DEVICE=y show no new warnings, and
our static analyzer no longer warns about this code.

Fixes: 19fe87fd854a ("clk: x86: Support RV architecture")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
--- 
The analysis employs differential checking to identify inconsistent 
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in 
the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Changes in v2:
  -  Add error checks to every register function call.
  -  Add error handling logic to every error path.
  -  Turn clk_hw_register_mux to devm_clk_hw_register_mux.
  -  Add error check of clk_set_parent().

 drivers/clk/x86/clk-fch.c | 53 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 49 insertions(+), 4 deletions(-)

diff --git a/drivers/clk/x86/clk-fch.c b/drivers/clk/x86/clk-fch.c
index 8f7c5142b0f0..47754761b19c 100644
--- a/drivers/clk/x86/clk-fch.c
+++ b/drivers/clk/x86/clk-fch.c
@@ -36,6 +36,7 @@ static struct clk_hw *hws[ST_MAX_CLKS];
 static int fch_clk_probe(struct platform_device *pdev)
 {
 	struct fch_clk_data *fch_data;
+	int ret;
 
 	fch_data = dev_get_platdata(&pdev->dev);
 	if (!fch_data || !fch_data->base)
@@ -44,35 +45,79 @@ static int fch_clk_probe(struct platform_device *pdev)
 	if (!fch_data->is_rv) {
 		hws[ST_CLK_48M] = clk_hw_register_fixed_rate(NULL, "clk48MHz",
 			NULL, 0, 48000000);
+		if (IS_ERR(hws[ST_CLK_48M]))
+			return PTR_ERR(hws[ST_CLK_48M]);
+
 		hws[ST_CLK_25M] = clk_hw_register_fixed_rate(NULL, "clk25MHz",
 			NULL, 0, 25000000);
+		if (IS_ERR(hws[ST_CLK_25M])) {
+			ret = PTR_ERR(hws[ST_CLK_25M]);
+			goto err_st_clk_25m;
+		}
 
-		hws[ST_CLK_MUX] = clk_hw_register_mux(NULL, "oscout1_mux",
+		hws[ST_CLK_MUX] = devm_clk_hw_register_mux(NULL, "oscout1_mux",
 			clk_oscout1_parents, ARRAY_SIZE(clk_oscout1_parents),
 			0, fch_data->base + CLKDRVSTR2, OSCOUT1CLK25MHZ, 3, 0,
 			NULL);
+		if (IS_ERR(hws[ST_CLK_MUX])) {
+			ret = PTR_ERR(hws[ST_CLK_MUX]);
+			goto err_st_clk_mux;
+		}
 
-		clk_set_parent(hws[ST_CLK_MUX]->clk, hws[ST_CLK_48M]->clk);
+		ret = clk_set_parent(hws[ST_CLK_MUX]->clk, hws[ST_CLK_48M]->clk);
+		if (ret)
+			goto err_clk_set_parent;
 
 		hws[ST_CLK_GATE] = clk_hw_register_gate(NULL, "oscout1",
 			"oscout1_mux", 0, fch_data->base + MISCCLKCNTL1,
 			OSCCLKENB, CLK_GATE_SET_TO_DISABLE, NULL);
+		if (IS_ERR(hws[ST_CLK_GATE])) {
+			ret = PTR_ERR(hws[ST_CLK_GATE]);
+			goto err_st_clk_gate;
+		}
 
-		devm_clk_hw_register_clkdev(&pdev->dev, hws[ST_CLK_GATE],
+		ret = devm_clk_hw_register_clkdev(&pdev->dev, hws[ST_CLK_GATE],
 			"oscout1", NULL);
+		if (ret)
+			goto err_register_st_clk_gate;
 	} else {
 		hws[RV_CLK_48M] = clk_hw_register_fixed_rate(NULL, "clk48MHz",
 			NULL, 0, 48000000);
+		if (IS_ERR(hws[RV_CLK_48M]))
+			return PTR_ERR(hws[RV_CLK_48M]);
 
 		hws[RV_CLK_GATE] = clk_hw_register_gate(NULL, "oscout1",
 			"clk48MHz", 0, fch_data->base + MISCCLKCNTL1,
 			OSCCLKENB, CLK_GATE_SET_TO_DISABLE, NULL);
+		if (IS_ERR(hws[RV_CLK_GATE])) {
+			ret = PTR_ERR(hws[RV_CLK_GATE]);
+			goto err_rv_clk_gate;
+		}
 
-		devm_clk_hw_register_clkdev(&pdev->dev, hws[RV_CLK_GATE],
+		ret = devm_clk_hw_register_clkdev(&pdev->dev, hws[RV_CLK_GATE],
 			"oscout1", NULL);
+		if (ret)
+			goto err_register_rv_clk_gate;
 	}
 
 	return 0;
+
+err_register_st_clk_gate:
+	clk_hw_unregister_gate(hws[ST_CLK_GATE]);
+err_st_clk_gate:
+err_clk_set_parent:
+	clk_hw_unregister_mux(hws[ST_CLK_MUX]);
+err_st_clk_mux:
+	clk_hw_unregister_fixed_rate(hws[ST_CLK_25M]);
+err_st_clk_25m:
+	clk_hw_unregister_fixed_rate(hws[ST_CLK_48M]);
+	return ret;
+
+err_register_rv_clk_gate:
+	clk_hw_unregister_gate(hws[RV_CLK_GATE]);
+err_rv_clk_gate:
+	clk_hw_unregister_fixed_rate(hws[RV_CLK_48M]);
+	return ret;
 }
 
 static int fch_clk_remove(struct platform_device *pdev)
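Review bot: the direct `return PTR_ERR(...)` for `ST_CLK_48M` and `RV_CLK_48M` is fine because nothing has been registered yet at that point, but switching the mux to `devm_clk_hw_register_mux(NULL, ...)` gives devres no owning device, and the explicit `clk_hw_unregister_mux()` under `err_st_clk_gate:` / `err_clk_set_parent:` then duplicates the release devres would perform on a failed probe. Keep `clk_hw_register_mux()` here, consistent with every other registration in the block; the new error labels are otherwise correct as written.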
-- 
2.25.1



* Re: [PATCH] drm: bridge: cdns-mhdp8546: Fix a NULL pointer dereference in cdns_mhdp_atomic_enable()
  2021-11-30 13:11 18% [PATCH] drm: bridge: cdns-mhdp8546: Fix a NULL pointer dereference in cdns_mhdp_atomic_enable() Zhou Qingyang
@ 2022-01-04 14:17  5% ` Robert Foss
  0 siblings, 0 replies; 200+ results
From: Robert Foss @ 2022-01-04 14:17 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Andrzej Hajda, Neil Armstrong, Laurent Pinchart,
	Jonas Karlman, Jernej Skrabec, David Airlie, Daniel Vetter,
	Dave Airlie, Lyude Paul, Thierry Reding, Parshuram Thombare,
	Julia Lawall, Jiapeng Chong, Yu Kuai, Tomi Valkeinen,
	Quentin Schulz, Yuti Amonkar, Swapnil Jakhade, dri-devel,
	linux-kernel

Hey Zhou,

Thanks for submitting this patch.

On Tue, 30 Nov 2021 at 14:11, Zhou Qingyang <zhou1615@umn.edu> wrote:
>
> In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate()
> is assigned to mhdp_state->current_mode and used in drm_mode_set_name().
> There is a dereference of it in drm_mode_set_name(), which could lead
> to a NULL pointer dereference on failure of drm_mode_duplicate().
>
> Fix this bug by adding a check of mhdp_state->current_mode.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_CDNS_MHDP8546=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
> index 5530fbf64f1e..347fbecf76a4 100644
> --- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
> +++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
> @@ -2040,6 +2040,11 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge,
>         mhdp_state = to_cdns_mhdp_bridge_state(new_state);
>
>         mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode);
> +       if (!mhdp_state->current_mode) {
> +               ret = -ENOMEM;
> +               goto out;
> +       }
> +

This appears to be a problem that is handled in other drivers, but the
solution here does strike me as good.

The out-label will schedule modeset_retry_work to be executed if
ret==-ENOMEM. If drm_mode_duplicate() fails, we've had a memory
allocation issue, and failing is probably the correct solution here.
However cdns_mhdp_atomic_enable() does allow for signalling failures.

>         drm_mode_set_name(mhdp_state->current_mode);
>
>         dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name);
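Review bot: the hunk header shows `cdns_mhdp_atomic_enable()` is `static void`, so the added `ret = -ENOMEM; goto out;` cannot report the failure to the caller; as the reply above notes, the `out:` label turns a negative `ret` into a scheduled modeset retry, so an allocation failure would be retried rather than surfaced. The NULL check itself is warranted, since the unchanged `drm_mode_set_name(mhdp_state->current_mode)` context line dereferences the duplicate unconditionally; decide whether a retry is the intended outcome for -ENOMEM or whether the failure should be logged and the enable abandoned without one, and confirm `ret` is declared in the part of the function the hunk does not show.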
> --
> 2.25.1
>


* Re: [PATCH] virt: acrn: fix memory leak in acrn_dev_ioctl()
  2022-01-04  8:53 18% [PATCH] virt: acrn: fix memory leak " Zhou Qingyang
@ 2022-01-04 10:18  0% ` Greg Kroah-Hartman
  0 siblings, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2022-01-04 10:18 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Fei Li, Shuo Liu, Zhi Wang, Reinette Chatre, linux-kernel

On Tue, Jan 04, 2022 at 04:53:21PM +0800, Zhou Qingyang wrote:
> In acrn_dev_ioctl(), cpu_regs is not released or passed out on several
> error paths, which could lead to a memory leak bug.
> 
> Fix this bug by adding kfree of cpu_regs on error paths.
> 
> This bug was found by a static analyzer.
> 
> Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 2ad2aaee1bc9 ("virt: acrn: Introduce an ioctl to set vCPU registers state")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths
> and confirms that the inconsistent operations are not recovered in
> the current function or the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.

Then why have all of those researchers put their reviewed-by on this
change?

Note that your university is still in many kernel maintainers'
ignore-lists (myself included, I dug this up as I saw Fei's response.)
Please work with your administration and the process that is currently
happening in order to give you all the needed training so you will not
keep causing these types of basic errors that keep your patches from
being accepted.

*plonk*

greg k-h


* [PATCH] virt: acrn: fix memory leak in acrn_dev_ioctl()
@ 2022-01-04  8:53 18% Zhou Qingyang
  2022-01-04 10:18  0% ` Greg Kroah-Hartman
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2022-01-04  8:53 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Fei Li, Greg Kroah-Hartman, Shuo Liu, Zhi Wang,
	Reinette Chatre, linux-kernel

In acrn_dev_ioctl(), cpu_regs is not released or passed out on several
error paths, which could lead to a memory leak bug.

Fix this bug by adding kfree of cpu_regs on error paths.

This bug was found by a static analyzer.

Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 2ad2aaee1bc9 ("virt: acrn: Introduce an ioctl to set vCPU registers state")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in
the current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/virt/acrn/hsm.c | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/drivers/virt/acrn/hsm.c b/drivers/virt/acrn/hsm.c
index 5419794fccf1..1eb0a17aadde 100644
--- a/drivers/virt/acrn/hsm.c
+++ b/drivers/virt/acrn/hsm.c
@@ -182,21 +182,29 @@ static long acrn_dev_ioctl(struct file *filp, unsigned int cmd,
 			return PTR_ERR(cpu_regs);
 
 		for (i = 0; i < ARRAY_SIZE(cpu_regs->reserved); i++)
-			if (cpu_regs->reserved[i])
-				return -EINVAL;
+			if (cpu_regs->reserved[i]) {
+				kfree(cpu_regs);
+				return -EINVAL;
+			}
 
 		for (i = 0; i < ARRAY_SIZE(cpu_regs->vcpu_regs.reserved_32); i++)
-			if (cpu_regs->vcpu_regs.reserved_32[i])
-				return -EINVAL;
+			if (cpu_regs->vcpu_regs.reserved_32[i]) {
+				kfree(cpu_regs);
+				return -EINVAL;
+			}
 
 		for (i = 0; i < ARRAY_SIZE(cpu_regs->vcpu_regs.reserved_64); i++)
-			if (cpu_regs->vcpu_regs.reserved_64[i])
-				return -EINVAL;
+			if (cpu_regs->vcpu_regs.reserved_64[i]) {
+				kfree(cpu_regs);
+				return -EINVAL;
+			}
 
 		for (i = 0; i < ARRAY_SIZE(cpu_regs->vcpu_regs.gdt.reserved); i++)
 			if (cpu_regs->vcpu_regs.gdt.reserved[i] |
-			    cpu_regs->vcpu_regs.idt.reserved[i])
-				return -EINVAL;
+			    cpu_regs->vcpu_regs.idt.reserved[i]) {
+				kfree(cpu_regs);
+				return -EINVAL;
+			}
 
 		ret = hcall_set_vcpu_regs(vm->vmid, virt_to_phys(cpu_regs));
 		if (ret < 0)
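Review bot: the `kfree(cpu_regs); return -EINVAL;` pair is repeated four times, once per reserved-field loop; since the function already has `ret` (see the `hcall_set_vcpu_regs()` context line), a single `ret = -EINVAL; goto` to one label that frees `cpu_regs` would keep each check to one line and make the free impossible to miss when the next reserved field is added. The early `return PTR_ERR(cpu_regs)` above the loops needs no free and is correctly left alone.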
-- 
2.25.1
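As an added example (not the ACRN driver's code nor the patch above; `dup_regs`, `leaked_copies` and the struct layout are hypothetical), here is the leak pattern the patch closes, modelled outside the kernel with a counting allocator: the early-return form drops the heap copy on every rejected reserved field, while a single-exit form releases it on every path.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the vCPU register block; layout is illustrative. */
struct vcpu_regs_copy {
	unsigned int reserved[4];
	unsigned long long reserved_64[2];
	unsigned long long rip;
};

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Outstanding heap copies; anything non-zero after a call is a leak. */
static int live_allocs;

/* Counting stand-ins for the memdup-style copy and kfree() in the handler. */
static struct vcpu_regs_copy *dup_regs(const struct vcpu_regs_copy *src)
{
	struct vcpu_regs_copy *p = malloc(sizeof(*p));

	if (!p)
		return NULL;
	memcpy(p, src, sizeof(*p));
	live_allocs++;
	return p;
}

static void free_regs(struct vcpu_regs_copy *p)
{
	if (p) {
		live_allocs--;
		free(p);
	}
}

/* Before the fix: each rejected reserved field returns without freeing. */
static int leaky_validate(const struct vcpu_regs_copy *user)
{
	struct vcpu_regs_copy *regs = dup_regs(user);
	size_t i;

	if (!regs)
		return -ENOMEM;
	for (i = 0; i < ARRAY_SIZE(regs->reserved); i++)
		if (regs->reserved[i])
			return -EINVAL;		/* regs leaked */
	for (i = 0; i < ARRAY_SIZE(regs->reserved_64); i++)
		if (regs->reserved_64[i])
			return -EINVAL;		/* regs leaked */
	free_regs(regs);
	return 0;
}

/* After the fix, with one exit label so no path can skip the free. */
static int fixed_validate(const struct vcpu_regs_copy *user)
{
	struct vcpu_regs_copy *regs = dup_regs(user);
	size_t i;
	int ret = -EINVAL;

	if (!regs)
		return -ENOMEM;
	for (i = 0; i < ARRAY_SIZE(regs->reserved); i++)
		if (regs->reserved[i])
			goto out_free;
	for (i = 0; i < ARRAY_SIZE(regs->reserved_64); i++)
		if (regs->reserved_64[i])
			goto out_free;
	ret = 0;	/* the real handler issues the hypercall here */
out_free:
	free_regs(regs);
	return ret;
}

/* Run one validator on a constructed input; with poison set, reserved_64[1]
 * is non-zero and the input must be rejected. Returns the heap copies left
 * behind, or -1 if the validator returned the wrong verdict. */
int leaked_copies(int (*validate)(const struct vcpu_regs_copy *), int poison)
{
	struct vcpu_regs_copy in;
	int want = poison ? -EINVAL : 0;

	memset(&in, 0, sizeof(in));
	in.reserved_64[1] = poison ? 1 : 0;
	live_allocs = 0;
	if (validate(&in) != want)
		return -1;
	return live_allocs;
}

int main(void)
{
	printf("early-return version leaks %d copy\n", leaked_copies(leaky_validate, 1));
	printf("single-exit version leaks %d copies\n", leaked_copies(fixed_validate, 1));
	return 0;
}
```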



* Re: [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl()
  2022-01-04  7:37  0%       ` Greg KH
  2022-01-04  8:01  0%         ` Li Fei1
@ 2022-01-04  8:09  0%         ` Li Fei1
  1 sibling, 0 replies; 200+ results
From: Li Fei1 @ 2022-01-04  8:09 UTC (permalink / raw)
  To: zhou1615, kjlu, reinette.chatre, zhi.a.wang, gregkh,
	linux-kernel, fei1.li

On Tue, Jan 04, 2022 at 08:37:27AM +0100, Greg KH wrote:
> On Tue, Jan 04, 2022 at 11:50:33AM +0800, Li Fei1 wrote:
> > On Tue, Jan 04, 2022 at 11:45:01AM +0800, Zhou Qingyang wrote:
> > > In acrn_dev_ioctl(), vm_param is not released or passed out on the 
> > > error path of "if ((vm_param->reserved0 | vm_param->reserved1) != 0)", 
> > > which could lead to a memory leak.
> > > 
> > > Fix this bug by adding a kfree of vm_param on the error path.
> > > 
> > > This bug was found by a static analyzer.
> > > 
> > > Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings, 
> > > and our static analyzer no longer warns about this code.
> > > 
> > > Fixes: 9c5137aedd11 (“9c5137aedd11 virt: acrn: Introduce VM management interfaces”)
> > > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> > > ---
> > > The analysis employs differential checking to identify inconsistent
> > > security operations (e.g., checks or kfrees) between two code paths
> > > and confirms that the inconsistent operations are not recovered in 
> > > the current function or the callers, so they constitute bugs. 
> > > 
> > > Note that, as a bug found by static analysis, it can be a false
> > > positive or hard to trigger. Multiple researchers have cross-reviewed
> > > the bug.
> > > 
> > > Changes in v2:
> > >   -  Fix the same bug in ACRN_IOCTL_SET_VCPU_REGS.
Hi Qingyang

I think the "Changes in v2" was not fixing the code in commit "9c5137aedd11 virt: acrn: Introduce VM management interfaces", but in commit 2ad2aaee1bc9 "virt: acrn: Introduce an ioctl to set vCPU registers state".
Would you please split this patch into two, and please replace “...” with "..." in your commit message.

Thanks.


> > > 
> > 
> > Signed-off-by: Fei Li <fei1.li@intel.com>
Please ignore my "Signed-off" here. Sorry.
> 
> For the multiple obvious reasons (not the least being you didn't even
> run it through our normal testing scripts), I am not going to take this
> change, sorry.
> 
> Fei, please be more careful in the future.
> 
> greg k-h


* Re: [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl()
  2022-01-04  7:37  0%       ` Greg KH
@ 2022-01-04  8:01  0%         ` Li Fei1
  2022-01-04  8:09  0%         ` Li Fei1
  1 sibling, 0 replies; 200+ results
From: Li Fei1 @ 2022-01-04  8:01 UTC (permalink / raw)
  To: Greg KH
  Cc: zhou1615, kjlu, reinette.chatre, zhi.a.wang, linux-kernel, fei1.li

On Tue, Jan 04, 2022 at 08:37:27AM +0100, Greg KH wrote:
> On Tue, Jan 04, 2022 at 11:50:33AM +0800, Li Fei1 wrote:
> > On Tue, Jan 04, 2022 at 11:45:01AM +0800, Zhou Qingyang wrote:
> > > In acrn_dev_ioctl(), vm_param is not released or passed out on the 
> > > error path of "if ((vm_param->reserved0 | vm_param->reserved1) != 0)", 
> > > which could lead to a memory leak.
> > > 
> > > Fix this bug by adding a kfree of vm_param on the error path.
> > > 
> > > This bug was found by a static analyzer.
> > > 
> > > Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings, 
> > > and our static analyzer no longer warns about this code.
> > > 
> > > Fixes: 9c5137aedd11 (“9c5137aedd11 virt: acrn: Introduce VM management interfaces”)
> > > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> > > ---
> > > The analysis employs differential checking to identify inconsistent
> > > security operations (e.g., checks or kfrees) between two code paths
> > > and confirms that the inconsistent operations are not recovered in 
> > > the current function or the callers, so they constitute bugs. 
> > > 
> > > Note that, as a bug found by static analysis, it can be a false
> > > positive or hard to trigger. Multiple researchers have cross-reviewed
> > > the bug.
> > > 
> > > Changes in v2:
> > >   -  Fix the same bug in ACRN_IOCTL_SET_VCPU_REGS.
> > > 
> > 
> > Signed-off-by: Fei Li <fei1.li@intel.com>
> 
> For the multiple obvious reasons (not the least being you didn't even
> run it through our normal testing scripts), I am not going to take this
> change, sorry.
> 
> Fei, please be more careful in the future.
> 
Hi Greg

Thanks for your kind reminder. I will.


> greg k-h


* Re: [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl()
  2022-01-04  3:50  0%     ` Li Fei1
@ 2022-01-04  7:37  0%       ` Greg KH
  2022-01-04  8:01  0%         ` Li Fei1
  2022-01-04  8:09  0%         ` Li Fei1
  0 siblings, 2 replies; 200+ results
From: Greg KH @ 2022-01-04  7:37 UTC (permalink / raw)
  To: Li Fei1; +Cc: Zhou Qingyang, kjlu, reinette.chatre, zhi.a.wang, linux-kernel

On Tue, Jan 04, 2022 at 11:50:33AM +0800, Li Fei1 wrote:
> On Tue, Jan 04, 2022 at 11:45:01AM +0800, Zhou Qingyang wrote:
> > In acrn_dev_ioctl(), vm_param is not released or passed out on the 
> > error path of "if ((vm_param->reserved0 | vm_param->reserved1) != 0)", 
> > which could lead to a memory leak.
> > 
> > Fix this bug by adding a kfree of vm_param on the error path.
> > 
> > This bug was found by a static analyzer.
> > 
> > Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings, 
> > and our static analyzer no longer warns about this code.
> > 
> > Fixes: 9c5137aedd11 (“9c5137aedd11 virt: acrn: Introduce VM management interfaces”)
> > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> > ---
> > The analysis employs differential checking to identify inconsistent
> > security operations (e.g., checks or kfrees) between two code paths
> > and confirms that the inconsistent operations are not recovered in 
> > the current function or the callers, so they constitute bugs. 
> > 
> > Note that, as a bug found by static analysis, it can be a false
> > positive or hard to trigger. Multiple researchers have cross-reviewed
> > the bug.
> > 
> > Changes in v2:
> >   -  Fix the same bug in ACRN_IOCTL_SET_VCPU_REGS.
> > 
> 
> Signed-off-by: Fei Li <fei1.li@intel.com>

For the multiple obvious reasons (not the least being you didn't even
run it through our normal testing scripts), I am not going to take this
change, sorry.

Fei, please be more careful in the future.

greg k-h


* Re: [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl()
  2022-01-04  3:45 17%   ` Zhou Qingyang
@ 2022-01-04  3:50  0%     ` Li Fei1
  2022-01-04  7:37  0%       ` Greg KH
  0 siblings, 1 reply; 200+ results
From: Li Fei1 @ 2022-01-04  3:50 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, gregkh, reinette.chatre, zhi.a.wang, linux-kernel, fei1.li

On Tue, Jan 04, 2022 at 11:45:01AM +0800, Zhou Qingyang wrote:
> In acrn_dev_ioctl(), vm_param is not released or passed out on the 
> error path of "if ((vm_param->reserved0 | vm_param->reserved1) != 0)", 
> which could lead to a memory leak.
> 
> Fix this bug by adding a kfree of vm_param on the error path.
> 
> This bug was found by a static analyzer.
> 
> Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings, 
> and our static analyzer no longer warns about this code.
> 
> Fixes: 9c5137aedd11 (“9c5137aedd11 virt: acrn: Introduce VM management interfaces”)
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths
> and confirms that the inconsistent operations are not recovered in 
> the current function or the callers, so they constitute bugs. 
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Changes in v2:
>   -  Fix the same bug in ACRN_IOCTL_SET_VCPU_REGS.
> 

Signed-off-by: Fei Li <fei1.li@intel.com>

Thanks a lot.

>  drivers/virt/acrn/hsm.c | 24 +++++++++++++++++-------
>  1 file changed, 17 insertions(+), 7 deletions(-)
> 
> diff --git a/drivers/virt/acrn/hsm.c b/drivers/virt/acrn/hsm.c
> index 5419794fccf1..7a8f722f431c 100644
> --- a/drivers/virt/acrn/hsm.c
> +++ b/drivers/virt/acrn/hsm.c
> @@ -136,9 +136,11 @@ static long acrn_dev_ioctl(struct file *filp, unsigned int cmd,
>  		if (IS_ERR(vm_param))
>  			return PTR_ERR(vm_param);
>  
> -		if ((vm_param->reserved0 | vm_param->reserved1) != 0)
> -			return -EINVAL;
> -
> +		if ((vm_param->reserved0 | vm_param->reserved1) != 0) {
> +			ret = -EINVAL;
> +			kfree(vm_param);
> +			break;
> +		}
>  		vm = acrn_vm_create(vm, vm_param);
>  		if (!vm) {
>  			ret = -EINVAL;
> @@ -182,21 +184,29 @@ static long acrn_dev_ioctl(struct file *filp, unsigned int cmd,
>  			return PTR_ERR(cpu_regs);
>  
>  		for (i = 0; i < ARRAY_SIZE(cpu_regs->reserved); i++)
> -			if (cpu_regs->reserved[i])
> +			if (cpu_regs->reserved[i]) {
> +				kfree(cpu_regs);
>  				return -EINVAL;
> +			}
>  
>  		for (i = 0; i < ARRAY_SIZE(cpu_regs->vcpu_regs.reserved_32); i++)
> -			if (cpu_regs->vcpu_regs.reserved_32[i])
> +			if (cpu_regs->vcpu_regs.reserved_32[i]) {
> +				kfree(cpu_regs);
>  				return -EINVAL;
> +			}
>  
>  		for (i = 0; i < ARRAY_SIZE(cpu_regs->vcpu_regs.reserved_64); i++)
> -			if (cpu_regs->vcpu_regs.reserved_64[i])
> +			if (cpu_regs->vcpu_regs.reserved_64[i]) {
> +				kfree(cpu_regs);
>  				return -EINVAL;
> +			}
>  
>  		for (i = 0; i < ARRAY_SIZE(cpu_regs->vcpu_regs.gdt.reserved); i++)
>  			if (cpu_regs->vcpu_regs.gdt.reserved[i] |
> -			    cpu_regs->vcpu_regs.idt.reserved[i])
> +			    cpu_regs->vcpu_regs.idt.reserved[i]) {
> +				kfree(cpu_regs);
>  				return -EINVAL;
> +			}
>  
>  		ret = hcall_set_vcpu_regs(vm->vmid, virt_to_phys(cpu_regs));
>  		if (ret < 0)
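Review bot: the CREATE_VM arm in the previous hunk now exits with `ret = -EINVAL` and `break`, while these four checks still `return -EINVAL` directly after `kfree(cpu_regs)`; one convention per function is easier to audit. A single `goto` to a label that frees `cpu_regs` would also collapse the four repeated free-and-return pairs.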
> -- 
> 2.25.1
> 


* [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl()
  2022-01-04  2:47  0% ` Li Fei1
@ 2022-01-04  3:45 17%   ` Zhou Qingyang
  2022-01-04  3:50  0%     ` Li Fei1
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2022-01-04  3:45 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Fei Li, Greg Kroah-Hartman, Reinette Chatre, Zhi Wang,
	Shuo Liu, linux-kernel

In acrn_dev_ioctl(), vm_param is not released or passed out on the 
error path of "if ((vm_param->reserved0 | vm_param->reserved1) != 0)", 
which could lead to a memory leak.

Fix this bug by adding a kfree of vm_param on the error path.

This bug was found by a static analyzer.

Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings, 
and our static analyzer no longer warns about this code.

Fixes: 9c5137aedd11 (“9c5137aedd11 virt: acrn: Introduce VM management interfaces”)
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in 
the current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Changes in v2:
  -  Fix the same bug in ACRN_IOCTL_SET_VCPU_REGS.

 drivers/virt/acrn/hsm.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/drivers/virt/acrn/hsm.c b/drivers/virt/acrn/hsm.c
index 5419794fccf1..7a8f722f431c 100644
--- a/drivers/virt/acrn/hsm.c
+++ b/drivers/virt/acrn/hsm.c
@@ -136,9 +136,11 @@ static long acrn_dev_ioctl(struct file *filp, unsigned int cmd,
 		if (IS_ERR(vm_param))
 			return PTR_ERR(vm_param);
 
-		if ((vm_param->reserved0 | vm_param->reserved1) != 0)
-			return -EINVAL;
-
+		if ((vm_param->reserved0 | vm_param->reserved1) != 0) {
+			ret = -EINVAL;
+			kfree(vm_param);
+			break;
+		}
 		vm = acrn_vm_create(vm, vm_param);
 		if (!vm) {
 			ret = -EINVAL;
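Review bot: this hunk removes the blank line between the reserved-field check and `acrn_vm_create()` (the single `-` line); restore it so the patch is limited to the leak fix. Freeing before `break` is correct here because `ret` carries the error out of the `switch`.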
@@ -182,21 +184,29 @@ static long acrn_dev_ioctl(struct file *filp, unsigned int cmd,
 			return PTR_ERR(cpu_regs);
 
 		for (i = 0; i < ARRAY_SIZE(cpu_regs->reserved); i++)
-			if (cpu_regs->reserved[i])
+			if (cpu_regs->reserved[i]) {
+				kfree(cpu_regs);
 				return -EINVAL;
+			}
 
 		for (i = 0; i < ARRAY_SIZE(cpu_regs->vcpu_regs.reserved_32); i++)
-			if (cpu_regs->vcpu_regs.reserved_32[i])
+			if (cpu_regs->vcpu_regs.reserved_32[i]) {
+				kfree(cpu_regs);
 				return -EINVAL;
+			}
 
 		for (i = 0; i < ARRAY_SIZE(cpu_regs->vcpu_regs.reserved_64); i++)
-			if (cpu_regs->vcpu_regs.reserved_64[i])
+			if (cpu_regs->vcpu_regs.reserved_64[i]) {
+				kfree(cpu_regs);
 				return -EINVAL;
+			}
 
 		for (i = 0; i < ARRAY_SIZE(cpu_regs->vcpu_regs.gdt.reserved); i++)
 			if (cpu_regs->vcpu_regs.gdt.reserved[i] |
-			    cpu_regs->vcpu_regs.idt.reserved[i])
+			    cpu_regs->vcpu_regs.idt.reserved[i]) {
+				kfree(cpu_regs);
 				return -EINVAL;
+			}
 
 		ret = hcall_set_vcpu_regs(vm->vmid, virt_to_phys(cpu_regs));
 		if (ret < 0)
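Review bot: the `kfree(cpu_regs); return -EINVAL;` pair is now repeated four times across the reserved-field loops; a single `goto` label or a small helper that validates every reserved field of cpu_regs and returns a bool would keep the cleanup in one place, so a fifth check added later cannot reintroduce the leak. Each of the four fixes is correct as written, and the `if (IS_ERR(cpu_regs)) return PTR_ERR(cpu_regs);` above them rightly has no kfree, since nothing was allocated on that path.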
-- 
2.25.1


^ permalink raw reply related	[relevance 17%]

* Re: [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl()
  2022-01-04  2:34 19% [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl() Zhou Qingyang
@ 2022-01-04  2:47  0% ` Li Fei1
  2022-01-04  3:45 17%   ` Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Li Fei1 @ 2022-01-04  2:47 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, reinette.chatre, zhi.a.wang, gregkh, linux-kernel, fei1.li

On Tue, Jan 04, 2022 at 10:34:39AM +0800, Zhou Qingyang wrote:
> In acrn_dev_ioctl(), vm_param is not released or passed out on the 
> error path of "if ((vm_param->reserved0 | vm_param->reserved1) != 0)", 
> which could lead to a memory leak.
> 
> Fix this bug by adding a kfree of vm_param on the error path.
> 
> This bug was found by a static analyzer.
> 
> Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings, 
> and our static analyzer no longer warns about this code.
> 
> Fixes: 9c5137aedd11 ("virt: acrn: Introduce VM management interfaces")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> The analysis employs differential checking to identify inconsistent
> security operations (e.g., checks or kfrees) between two code paths
> and confirms that the inconsistent operations are not recovered in 
> the current function or the callers, so they constitute bugs. 
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
Hi Qingyang

Thanks a lot for fixing this issue. Would you please help fix the same issue
in the ACRN_IOCTL_SET_VCPU_REGS case?


>  drivers/virt/acrn/hsm.c | 8 +++++---
>  1 file changed, 5 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/virt/acrn/hsm.c b/drivers/virt/acrn/hsm.c
> index 5419794fccf1..205f4c637556 100644
> --- a/drivers/virt/acrn/hsm.c
> +++ b/drivers/virt/acrn/hsm.c
> @@ -136,9 +136,11 @@ static long acrn_dev_ioctl(struct file *filp, unsigned int cmd,
>  		if (IS_ERR(vm_param))
>  			return PTR_ERR(vm_param);
>  
> -		if ((vm_param->reserved0 | vm_param->reserved1) != 0)
> -			return -EINVAL;
> -
> +		if ((vm_param->reserved0 | vm_param->reserved1) != 0) {
> +			ret = -EINVAL;
> +			kfree(vm_param);
> +			break;
> +		}
>  		vm = acrn_vm_create(vm, vm_param);
>  		if (!vm) {
>  			ret = -EINVAL;
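Review bot: the ACRN_IOCTL_SET_VCPU_REGS case in the same function has the same shape, a buffer copied in from user space followed by several `return -EINVAL` exits on reserved-field checks, and this patch leaves those exits untouched; the kfree-on-error treatment applied here should go there in the same series, otherwise the leak is only half fixed.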
> -- 
> 2.25.1
> 

^ permalink raw reply	[relevance 0%]

* [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl()
@ 2022-01-04  2:34 19% Zhou Qingyang
  2022-01-04  2:47  0% ` Li Fei1
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2022-01-04  2:34 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Fei Li, Reinette Chatre, Zhi Wang, Greg Kroah-Hartman,
	Shuo Liu, linux-kernel

In acrn_dev_ioctl(), vm_param is not released or passed out on the 
error path of "if ((vm_param->reserved0 | vm_param->reserved1) != 0)", 
which could lead to a memory leak.

Fix this bug by adding a kfree of vm_param on the error path.

This bug was found by a static analyzer.

Builds with CONFIG_ACRN_GUEST=y, CONFIG_ACRN_HSM=y show no new warnings, 
and our static analyzer no longer warns about this code.

Fixes: 9c5137aedd11 ("virt: acrn: Introduce VM management interfaces")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths
and confirms that the inconsistent operations are not recovered in 
the current function or the callers, so they constitute bugs. 

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

 drivers/virt/acrn/hsm.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/virt/acrn/hsm.c b/drivers/virt/acrn/hsm.c
index 5419794fccf1..205f4c637556 100644
--- a/drivers/virt/acrn/hsm.c
+++ b/drivers/virt/acrn/hsm.c
@@ -136,9 +136,11 @@ static long acrn_dev_ioctl(struct file *filp, unsigned int cmd,
 		if (IS_ERR(vm_param))
 			return PTR_ERR(vm_param);
 
-		if ((vm_param->reserved0 | vm_param->reserved1) != 0)
-			return -EINVAL;
-
+		if ((vm_param->reserved0 | vm_param->reserved1) != 0) {
+			ret = -EINVAL;
+			kfree(vm_param);
+			break;
+		}
 		vm = acrn_vm_create(vm, vm_param);
 		if (!vm) {
 			ret = -EINVAL;
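Review bot: `ret = -EINVAL; break;` relies on the code after the switch returning ret, which is consistent with the `if (!vm)` branch just below, so the style fits; the blank line before `vm = acrn_vm_create(vm, vm_param);` should stay, though, rather than being dropped with the old return. The reserved-field checks in the ACRN_IOCTL_SET_VCPU_REGS case of this function return -EINVAL directly after copying a buffer in and need the same kfree.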
-- 
2.25.1


^ permalink raw reply related	[relevance 19%]

* Re: [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region()
  2021-11-30 16:59 19% [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region() Zhou Qingyang
@ 2022-01-02 17:46  0% ` Dominik Brodowski
  0 siblings, 0 replies; 200+ results
From: Dominik Brodowski @ 2022-01-02 17:46 UTC (permalink / raw)
  To: Zhou Qingyang; +Cc: kjlu, Lee Jones, linux-kernel

Am Wed, Dec 01, 2021 at 12:59:23AM +0800 schrieb Zhou Qingyang:
> In __nonstatic_find_io_region(), pcmcia_make_resource() is assigned to
> res and used in pci_bus_alloc_resource(). There is a dereference of res
> in pci_bus_alloc_resource(), which could lead to a NULL pointer
> dereference on failure of pcmcia_make_resource().
> 
> Fix this bug by adding a check of res.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>

Although pcmcia_make_resource() will not fail, as the requested size is so
small: Applied to pcmcia-next.

Thanks,
	Dominik

^ permalink raw reply	[relevance 0%]

* Re: [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region()
  2021-11-30 18:11 19% [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region() Zhou Qingyang
@ 2022-01-02 17:47  0% ` Dominik Brodowski
  0 siblings, 0 replies; 200+ results
From: Dominik Brodowski @ 2022-01-02 17:47 UTC (permalink / raw)
  To: Zhou Qingyang; +Cc: kjlu, Lee Jones, linux-kernel

Am Wed, Dec 01, 2021 at 02:11:40AM +0800 schrieb Zhou Qingyang:
> In nonstatic_find_mem_region(), pcmcia_make_resource() is assigned to
> res and used in pci_bus_alloc_resource(). There is a dereference of res
> in pci_bus_alloc_resource(), which could lead to a NULL pointer
> dereference on failure of pcmcia_make_resource().
> 
> Fix this bug by adding a check of res.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>

Same caveat as before, but applied nonetheless.

Thanks,
	Dominik

^ permalink raw reply	[relevance 0%]

* [PATCH v3] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
  2021-12-14 13:46  5%   ` Mauro Carvalho Chehab
  2021-12-14 14:16  5%     ` Greg Kroah-Hartman
@ 2021-12-15  3:35 16%     ` Zhou Qingyang
  2022-01-11  9:16  0%       ` Hans Verkuil
  1 sibling, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-12-15  3:35 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman,
	Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Maxime Jourdan,
	Hans Verkuil, linux-media, linux-amlogic, linux-staging,
	linux-arm-kernel, linux-kernel

In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
to a NULL pointer dereference on failure of kzalloc().

Fix this bug by adding a NULL check of new_ts.

This bug was found by a static analyzer[1].

Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---

[1] The analysis employs differential checking to identify inconsistent
security operations (e.g., checks or kfrees) between two code paths and
confirms that the inconsistent operations are not recovered in the 
current function or the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Changes in v3:
  -  Change the description of patch
  -  Turn the return type from 'void' to 'int'
  -  Check the return value in the caller 'esparser_queue()'

Changes in v2:
  -  Delete dev_err() message

 drivers/staging/media/meson/vdec/esparser.c     | 7 ++++++-
 drivers/staging/media/meson/vdec/vdec_helpers.c | 8 ++++++--
 drivers/staging/media/meson/vdec/vdec_helpers.h | 4 ++--
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/drivers/staging/media/meson/vdec/esparser.c b/drivers/staging/media/meson/vdec/esparser.c
index db7022707ff8..095100a50da8 100644
--- a/drivers/staging/media/meson/vdec/esparser.c
+++ b/drivers/staging/media/meson/vdec/esparser.c
@@ -328,7 +328,12 @@ esparser_queue(struct amvdec_session *sess, struct vb2_v4l2_buffer *vbuf)
 
 	offset = esparser_get_offset(sess);
 
-	amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+	ret = amvdec_add_ts(sess, vb->timestamp, vbuf->timecode, offset, vbuf->flags);
+	if (!ret) {
+		v4l2_m2m_buf_done(vbuf, VB2_BUF_STATE_ERROR);
+		return ret;
+	}
+
 	dev_dbg(core->dev, "esparser: ts = %llu pld_size = %u offset = %08X flags = %08X\n",
 		vb->timestamp, payload_size, offset, vbuf->flags);
 
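Review bot: the condition is inverted: `if (!ret)` fires when amvdec_add_ts() returns 0, so every successful call now marks the buffer VB2_BUF_STATE_ERROR and returns 0 early, while the -ENOMEM case falls through to the dev_dbg() as if the timestamp had been queued. It should read `if (ret) {`. Also confirm that `ret` is declared in esparser_queue(); the hunk shows no declaration for it.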
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
index b9125c295d1d..06fd66539797 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.c
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
@@ -227,13 +227,16 @@ int amvdec_set_canvases(struct amvdec_session *sess,
 }
 EXPORT_SYMBOL_GPL(amvdec_set_canvases);
 
-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
-		   struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+		  struct v4l2_timecode tc, u32 offset, u32 vbuf_flags)
 {
 	struct amvdec_timestamp *new_ts;
 	unsigned long flags;
 
 	new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
+	if (!new_ts)
+		return -ENOMEM;
+
 	new_ts->ts = ts;
 	new_ts->tc = tc;
 	new_ts->offset = offset;
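Review bot: amvdec_add_ts() is exported with EXPORT_SYMBOL_GPL, so changing its return type from void to int means every caller must start checking the result; the diffstat only touches esparser.c, so confirm that esparser_queue() is the only in-tree caller, otherwise another caller will keep ignoring the new -ENOMEM and proceed as before.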
@@ -242,6 +245,7 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
 	spin_lock_irqsave(&sess->ts_spinlock, flags);
 	list_add_tail(&new_ts->list, &sess->timestamps);
 	spin_unlock_irqrestore(&sess->ts_spinlock, flags);
+	return 0;
 }
 EXPORT_SYMBOL_GPL(amvdec_add_ts);
 
diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.h b/drivers/staging/media/meson/vdec/vdec_helpers.h
index 88137d15aa3a..4bf3e61d081b 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.h
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.h
@@ -56,8 +56,8 @@ void amvdec_dst_buf_done_offset(struct amvdec_session *sess,
  * @offset: offset in the VIFIFO where the associated packet was written
  * @flags: the vb2_v4l2_buffer flags
  */
-void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
-		   struct v4l2_timecode tc, u32 offset, u32 flags);
+int amvdec_add_ts(struct amvdec_session *sess, u64 ts,
+		  struct v4l2_timecode tc, u32 offset, u32 flags);
 void amvdec_remove_ts(struct amvdec_session *sess, u64 ts);
 
 /**
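Review bot: the kerneldoc block above the prototype still documents only the parameters; now that the function can fail, add a `Return: 0 on success, -ENOMEM if the timestamp entry could not be allocated` line so the contract is visible where callers look for it.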
-- 
2.25.1


^ permalink raw reply related	[relevance 16%]

* Re: [PATCH v2] ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan()
  2021-12-02 15:53 18%   ` [PATCH v2] " Zhou Qingyang
@ 2021-12-14 15:31  7%     ` Kalle Valo
  0 siblings, 0 replies; 200+ results
From: Kalle Valo @ 2021-12-14 15:31 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: zhou1615, kjlu, Kalle Valo, David S. Miller, Jakub Kicinski,
	Pradeep Kumar Chitrapu, Shashidhar Lakkavalli, Ganesh Sesetti,
	kbuild test robot, John Crispin, ath11k, linux-wireless, netdev,
	linux-kernel

Zhou Qingyang <zhou1615@umn.edu> wrote:

> In ath11k_mac_op_hw_scan(), the return value of kzalloc() is directly
> used in memcpy(), which may lead to a NULL pointer dereference on
> failure of kzalloc().
> 
> Fix this bug by adding a check of arg.extraie.ptr.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_ATH11K=m show no new warnings, and our static
> analyzer no longer warns about this code.
> 
> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>

Patch applied to ath-next branch of ath.git, thanks.

eccd25136386 ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan()

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20211202155348.71315-1-zhou1615@umn.edu/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches


^ permalink raw reply	[relevance 7%]

* Re: [PATCH v2] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
  2021-12-14 13:46  5%   ` Mauro Carvalho Chehab
@ 2021-12-14 14:16  5%     ` Greg Kroah-Hartman
  2021-12-15  3:35 16%     ` [PATCH v3] " Zhou Qingyang
  1 sibling, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-14 14:16 UTC (permalink / raw)
  To: Mauro Carvalho Chehab
  Cc: Zhou Qingyang, kjlu, Neil Armstrong, Kevin Hilman, Jerome Brunet,
	Martin Blumenstingl, Hans Verkuil, Maxime Jourdan, linux-media,
	linux-amlogic, linux-staging, linux-arm-kernel, linux-kernel

On Tue, Dec 14, 2021 at 02:46:13PM +0100, Mauro Carvalho Chehab wrote:
> Em Fri,  3 Dec 2021 00:03:57 +0800
> Zhou Qingyang <zhou1615@umn.edu> escreveu:
> 
> > In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
> > to a NULL pointer dereference on failure of kzalloc().
> > 
> > I fix this bug by adding a NULL check of new_ts.
> > 
> > This bug was found by a static analyzer. The analysis employs
> > differential checking to identify inconsistent security operations
> > (e.g., checks or kfrees) between two code paths and confirms that the
> > inconsistent operations are not recovered in the current function or
> > the callers, so they constitute bugs.
> > 
> > Note that, as a bug found by static analysis, it can be a false
> > positive or hard to trigger. Multiple researchers have cross-reviewed
> > the bug.
> > 
> > Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
> > and our static analyzer no longer warns about this code.
> > 
> > Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
> > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> > ---
> > Changes in v2:
> >   -  Delete dev_err() message
> > 
> >  drivers/staging/media/meson/vdec/vdec_helpers.c | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
> > index b9125c295d1d..ac60514c475b 100644
> > --- a/drivers/staging/media/meson/vdec/vdec_helpers.c
> > +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
> > @@ -234,6 +234,9 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
> >  	unsigned long flags;
> >  
> >  	new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
> > +	if (!new_ts)
> > +		return;
> > +
> >  	new_ts->ts = ts;
> >  	new_ts->tc = tc;
> >  	new_ts->offset = offset;
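Review bot: the early `return;` from a void function drops the timestamp silently, and the diffstat above shows only vdec_helpers.c changed, so esparser_queue() continues as if the entry had been added; the allocation failure needs to be reported as -ENOMEM and handled by the caller.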
> 
> I don't think this change is ok. Sure, it needs to check if
> kzalloc() fails, but it should return -ENOMEM and the caller
> should check if it returns an error. So, I would expect
> that this patch would also touch the caller function at
> drivers/staging/media/meson/vdec/esparser.c.

This is why umn.edu emails still are in my black-hole :(

^ permalink raw reply	[relevance 5%]

* Re: [PATCH v2] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
  2021-12-02 16:03 18% ` [PATCH v2] " Zhou Qingyang
  2021-12-03 13:30  0%   ` Dan Carpenter
@ 2021-12-14 13:46  5%   ` Mauro Carvalho Chehab
  2021-12-14 14:16  5%     ` Greg Kroah-Hartman
  2021-12-15  3:35 16%     ` [PATCH v3] " Zhou Qingyang
  1 sibling, 2 replies; 200+ results
From: Mauro Carvalho Chehab @ 2021-12-14 13:46 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Neil Armstrong, Greg Kroah-Hartman, Kevin Hilman,
	Jerome Brunet, Martin Blumenstingl, Hans Verkuil, Maxime Jourdan,
	linux-media, linux-amlogic, linux-staging, linux-arm-kernel,
	linux-kernel

Em Fri,  3 Dec 2021 00:03:57 +0800
Zhou Qingyang <zhou1615@umn.edu> escreveu:

> In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
> to a NULL pointer dereference on failure of kzalloc().
> 
> I fix this bug by adding a NULL check of new_ts.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> Changes in v2:
>   -  Delete dev_err() message
> 
>  drivers/staging/media/meson/vdec/vdec_helpers.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
> index b9125c295d1d..ac60514c475b 100644
> --- a/drivers/staging/media/meson/vdec/vdec_helpers.c
> +++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
> @@ -234,6 +234,9 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
>  	unsigned long flags;
>  
>  	new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
> +	if (!new_ts)
> +		return;
> +
>  	new_ts->ts = ts;
>  	new_ts->tc = tc;
>  	new_ts->offset = offset;
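Review bot: the check is in the right place, but returning nothing from a void function leaves the caller unable to tell that no timestamp entry exists for the buffer it just queued; make the function return int, return -ENOMEM here, and have the caller in esparser.c act on the error.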

I don't think this change is ok. Sure, it needs to check if
kzalloc() fails, but it should return -ENOMEM and the caller
should check if it returns an error. So, I would expect
that this patch would also touch the caller function at
drivers/staging/media/meson/vdec/esparser.c.

Regards,
Mauro



Thanks,
Mauro

^ permalink raw reply	[relevance 5%]

* Re: [PATCH] drm/amdkfd: Fix a wild pointer dereference in svm_range_add()
       [not found]         ` <CA+Cm_xSm8O_0M2Ng9mvDUKwYaCxkZU+M7AZ=9aU26WTFELC-2w@mail.gmail.com>
@ 2021-12-08  0:54  0%       ` Felix Kuehling
  0 siblings, 0 replies; 200+ results
From: Felix Kuehling @ 2021-12-08  0:54 UTC (permalink / raw)
  To: Qingyang Zhou
  Cc: philip yang, Kangjie Lu, Alex Deucher, Christian König, Pan,
	Xinhui, David Airlie, Daniel Vetter, Alex Sierra, Philip Yang,
	amd-gfx, dri-devel, linux-kernel

On 2021-11-30 12:49 p.m., Qingyang Zhou wrote:
> Dear Felix:
>
> This patch is not auto-generated, and as a matter of fact, it is 
> requested by the Linux Community.
>
> As you can see from my email address, I am a researcher from the 
> University of Minnesota, and because of the unpleasant event that 
> happened in April, all the patches from our university must contain 
> enough information for the Linux Community to verify. Still I feel so 
> sorry to take up your time.

Hi Qingyang,

Sorry for the late response. I was about to apply your patch when I 
realized that it's not unwinding things correctly in the new failure 
case. I think I'll refactor svm_range_add and svm_range_handle_overlap a 
bit to make sure the unwinding is handled correctly and only needs to be 
done in one place instead of two.

I'll copy you on the final patch.

Regards,
   Felix


>
> yours sincerely,
> zhou qingyang.
>
>
> On Wed, Dec 1, 2021 at 1:35 AM Felix Kuehling <felix.kuehling@amd.com> wrote:
>
>     Am 2021-11-30 um 11:51 a.m. schrieb philip yang:
>     >
>     >
>     > On 2021-11-30 6:26 a.m., Zhou Qingyang wrote:
>     >> In svm_range_add(), the return value of svm_range_new() is assigned
>     >> to prange and &prange->insert_list is used in list_add(). There is a
>     >> dereference of &prange->insert_list in list_add(), which could lead
>     >> to a wild pointer dereference on failure of svm_range_new() if
>     >> CONFIG_DEBUG_LIST is unset in .config file.
>     >>
>     >> Fix this bug by adding a check of prange.
>     >>
>     >> This bug was found by a static analyzer. The analysis employs
>     >> differential checking to identify inconsistent security operations
>     >> (e.g., checks or kfrees) between two code paths and confirms that the
>     >> inconsistent operations are not recovered in the current function or
>     >> the callers, so they constitute bugs.
>     >>
>     >> Note that, as a bug found by static analysis, it can be a false
>     >> positive or hard to trigger. Multiple researchers have cross-reviewed
>     >> the bug.
>     >>
>     >> Builds with CONFIG_DRM_AMDGPU=m, CONFIG_HSA_AMD=y, and
>     >> CONFIG_HSA_AMD_SVM=y show no new warnings, and our static analyzer no
>     >> longer warns about this code.
>     >>
>     >> Fixes: 42de677f7999 ("drm/amdkfd: register svm range")
>     >> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
>     > Reviewed-by: Philip Yang <Philip.Yang@amd.com>
>
>     The patch looks good to me. It's an obvious bug and definitely not a
>     false positive. The patch description is a bit verbose. Is this
>     auto-generated output from the static checker? It could be replaced
>     with something more concise. Especially the comment about this
>     possibly being a false positive should not be in the final submission.
>
>     Regards,
>       Felix
>
>
>     >> ---
>     >>  drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 3 +++
>     >>  1 file changed, 3 insertions(+)
>     >>
>     >> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
>     b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
>     >> index 58b89b53ebe6..e40c2211901d 100644
>     >> --- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
>     >> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
>     >> @@ -2940,6 +2940,9 @@ svm_range_add(struct kfd_process *p,
>     uint64_t start, uint64_t size,
>     >>
>     >>      if (left) {
>     >>              prange = svm_range_new(svms, last - left + 1, last);
>     >> +            if (!prange)
>     >> +                    return -ENOMEM;
>     >> +
>     >>              list_add(&prange->insert_list, insert_list);
>     >>              list_add(&prange->update_list, update_list);
>     >>      }
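Review bot: returning -ENOMEM here leaves whatever this function already put on insert_list and update_list before reaching the `if (left)` block in place, and the caller cannot tell that the lists are only partially built; the new failure exit needs the same unwinding the function's other error paths perform, or the cleanup should be moved to one common place so both svm_range_add() and its overlap handling release ranges the same way.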
>

^ permalink raw reply	[relevance 0%]

* [PATCH 5.10 000/125] 5.10.84-rc2 review
@ 2021-12-07  8:18  3% Greg Kroah-Hartman
  0 siblings, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-07  8:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.10.84 release.
There are 125 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 09 Dec 2021 08:09:22 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.84-rc2.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.10.84-rc2

Wei Yongjun <weiyongjun1@huawei.com>
    ipmi: msghandler: Make symbol 'remove_work_wq' static

Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
    net/tls: Fix authentication failure in CCM mode

Helge Deller <deller@gmx.de>
    parisc: Mark cr16 CPU clocksource unstable on all SMP machines

Mordechay Goodstein <mordechay.goodstein@intel.com>
    iwlwifi: mvm: retry init flow if failed

Lukas Wunner <lukas@wunner.de>
    serial: 8250: Fix RTS modem control while in rs485 mode

Jay Dolan <jay.dolan@accesio.com>
    serial: 8250_pci: rewrite pericom_do_set_divisor()

Jay Dolan <jay.dolan@accesio.com>
    serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array

Johan Hovold <johan@kernel.org>
    serial: core: fix transmit-buffer reset and memleak

Patrik John <patrik.john@u-blox.com>
    serial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30

Pierre Gondois <Pierre.Gondois@arm.com>
    serial: pl011: Add ACPI SBSA UART match id

Sven Eckelmann <sven@narfation.org>
    tty: serial: msm_serial: Deactivate RX DMA for polling support

Joerg Roedel <jroedel@suse.de>
    x86/64/mm: Map all kernel memory into trampoline_pgd

Feng Tang <feng.tang@intel.com>
    x86/tsc: Disable clocksource watchdog for TSC on qualified platorms

Feng Tang <feng.tang@intel.com>
    x86/tsc: Add a timer to make sure TSC_adjust is always checked

Badhri Jagan Sridharan <badhri@google.com>
    usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect

Ole Ernst <olebowle@gmx.com>
    USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Fix commad ring abort, write all 64 bits to CRCR register.

Maciej W. Rozycki <macro@orcam.me.uk>
    vgacon: Propagate console boot parameters before calling `vc_resize'

Helge Deller <deller@gmx.de>
    parisc: Fix "make install" on newer debian releases

Helge Deller <deller@gmx.de>
    parisc: Fix KBUILD_IMAGE for self-extracting kernel

Lai Jiangshan <laijs@linux.alibaba.com>
    x86/entry: Add a fence for kernel entry SWAPGS in paranoid_entry()

Juergen Gross <jgross@suse.com>
    x86/pv: Switch SWAPGS to ALTERNATIVE

Qais Yousef <qais.yousef@arm.com>
    sched/uclamp: Fix rq->uclamp_max not set on first enqueue

Lai Jiangshan <laijs@linux.alibaba.com>
    x86/xen: Add xenpv_restore_regs_and_return_to_usermode()

Lai Jiangshan <laijs@linux.alibaba.com>
    x86/entry: Use the correct fence macro after swapgs in kernel CR3

Michael Sterritt <sterritt@google.com>
    x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword

Dan Carpenter <dan.carpenter@oracle.com>
    KVM: VMX: Set failure code in prepare_vmcs02()

Like Xu <likexu@tencent.com>
    KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln register

Sameer Saurabh <ssaurabh@marvell.com>
    atlantic: Remove warn trace message.

Dmitry Bogdanov <dbezrukov@marvell.com>
    atlantic: Fix statistics logic for production hardware

Sameer Saurabh <ssaurabh@marvell.com>
    Remove Half duplex mode speed capabilities.

Nikita Danilov <ndanilov@aquantia.com>
    atlantic: Add missing DIDs and fix 115c.

Sameer Saurabh <ssaurabh@marvell.com>
    atlantic: Fix to display FW bundle version instead of FW mac version.

Nikita Danilov <ndanilov@aquantia.com>
    atlatnic: enable Nbase-t speeds with base-t

Dmitry Bogdanov <dbezrukov@marvell.com>
    atlantic: Increase delay for fw transactions

Rob Clark <robdclark@chromium.org>
    drm/msm: Do hw_init() before capturing GPU state

Douglas Anderson <dianders@chromium.org>
    drm/msm/a6xx: Allocate enough space for GMU registers

Tony Lu <tonylu@linux.alibaba.com>
    net/smc: Keep smc_close_final rc during active close

William Kucharski <william.kucharski@oracle.com>
    net/rds: correct socket tunable error in rds_tcp_tune()

Dust Li <dust.li@linux.alibaba.com>
    net/smc: fix wrong list_del in smc_lgr_cleanup_early

Eric Dumazet <edumazet@google.com>
    ipv4: convert fib_num_tclassid_users to atomic_t

Eric Dumazet <edumazet@google.com>
    net: annotate data-races on txq->xmit_lock_owner

Dongliang Mu <mudongliangabcd@gmail.com>
    dpaa2-eth: destroy workqueue at the end of remove function

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    net: marvell: mvpp2: Fix the computation of shared CPUs

Sven Schuchmann <schuchmann@schleissheimer.de>
    net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ALSA: intel-dsp-config: add quirk for CML devices based on ES8336 codec

Eiichi Tsukata <eiichi.tsukata@nutanix.com>
    rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()

Eiichi Tsukata <eiichi.tsukata@nutanix.com>
    rxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle()

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in AHUB

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in DSPK

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in DMIC

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in I2S

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in ADMAIF

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in DSPK

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in DMIC

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in I2S

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in ADMAIF

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode

Li Zhijian <lizhijian@cn.fujitsu.com>
    selftests: net: Correct case name

Zhou Qingyang <zhou1615@umn.edu>
    net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

Mark Rutland <mark.rutland@arm.com>
    arm64: ftrace: add missing BTIs

Arnd Bergmann <arnd@arndb.de>
    siphash: use _unaligned version by default

Benjamin Poirier <bpoirier@nvidia.com>
    net: mpls: Fix notifications when deleting a device

Zhou Qingyang <zhou1615@umn.edu>
    net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

Paolo Abeni <pabeni@redhat.com>
    tcp: fix page frag corruption on page fault

Randy Dunlap <rdunlap@infradead.org>
    natsemi: xtensa: fix section mismatch warnings

Aaro Koskinen <aaro.koskinen@iki.fi>
    i2c: cbus-gpio: set atomic transfer callback

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: stop dma transfer in case of NACK

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: recover the bus on access timeout

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: flush TX FIFO upon transfer errors

Gustavo A. R. Silva <gustavoars@kernel.org>
    wireguard: ratelimiter: use kvcalloc() instead of kvzalloc()

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: receive: drop handshakes if queue lock is contended

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: receive: use ring buffer for incoming handshakes

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: device: reset peer src endpoint when netns exits

Li Zhijian <lizhijian@cn.fujitsu.com>
    wireguard: selftests: rename DEBUG_PI_LIST to DEBUG_PLIST

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: selftests: actually test for routing loops

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: allowedips: add missing __rcu annotation to satisfy sparse

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: selftests: increase default dmesg log size

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing/histograms: String compares should not care about signed values

Lai Jiangshan <laijs@linux.alibaba.com>
    KVM: X86: Use vcpu->arch.walk_mmu for kvm_mmu_invlpg()

Catalin Marinas <catalin.marinas@arm.com>
    KVM: arm64: Avoid setting the upper 32 bits of TCR_EL2 and CPTR_EL2 to 1

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: Use a stable condition around all VT-d PI paths

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Flush current VPID (L1 vs. L2) for KVM_REQ_TLB_FLUSH_GUEST

Sean Christopherson <seanjc@google.com>
    KVM: Disallow user memslot with size that exceeds "unsigned long"

Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    drm/amd/display: Allow DSC on supported MST branch devices

msizanoen1 <msizanoen@qtmlabs.xyz>
    ipv6: fix memory leak in fib6_rule_suppress

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

Linus Torvalds <torvalds@linux-foundation.org>
    fget: check that the fd still exists after getting a ref to it

Niklas Schnelle <schnelle@linux.ibm.com>
    s390/pci: move pseudo-MMIO to prevent MIO overlap

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink()

Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
    ipmi: Move remove_work to dedicated workqueue

Stanislaw Gruszka <stf_xl@wp.pl>
    rt2x00: do not mark device gone on EPROTO errors during start

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Limit max data_size of the kretprobe instances

Stephen Suryaputra <ssuryaextr@gmail.com>
    vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit

Mario Limonciello <mario.limonciello@amd.com>
    ACPI: Add stubs for wakeup handler functions

Wen Gu <guwen@linux.alibaba.com>
    net/smc: Avoid warning of possible recursive locking

Ian Rogers <irogers@google.com>
    perf report: Fix memory leaks around perf_tip()

Ian Rogers <irogers@google.com>
    perf hist: Fix memory leak of a perf_hpp_fmt

German Gomez <german.gomez@arm.com>
    perf inject: Fix ARM SPE handling

Teng Qi <starmiku1207184332@gmail.com>
    net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()

zhangyue <zhangyue1@kylinos.cn>
    net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound

Jordy Zomer <jordy@pwning.systems>
    ipv6: check return value of ipv6_skip_exthdr

Teng Qi <starmiku1207184332@gmail.com>
    ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

Mario Limonciello <mario.limonciello@amd.com>
    ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile

Bernard Zhao <bernard@vivo.com>
    drm/amd/amdgpu: fix potential memleak

shaoyunl <shaoyun.liu@amd.com>
    drm/amd/amdkfd: Fix kernel panic when reset failed and been triggered again

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Unblock session then wake up error handler

Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
    thermal: core: Reset previous low and high trip during thermal zone init

Wang Yugui <wangyugui@e16-tech.com>
    btrfs: check-integrity: fix a warning on write caching disabled disk

Vasily Gorbik <gor@linux.ibm.com>
    s390/setup: avoid using memblock_enforce_memory_limit

Slark Xiao <slark_xiao@163.com>
    platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep

Jimmy Wang <jimmy221b@163.com>
    platform/x86: thinkpad_acpi: Add support for dual fan control

liuguoqiang <liuguoqiang@uniontech.com>
    net: return correct error code

Zekun Shen <bruceshenzk@gmail.com>
    atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

Wen Gu <guwen@linux.alibaba.com>
    net/smc: Transfer remaining wait queue entries during fallback

Xing Song <xing.song@mediatek.com>
    mac80211: do not access the IV when it was stripped

Julian Braha <julianbraha@gmail.com>
    drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY

Alexey Kardashevskiy <aik@ozlabs.ru>
    powerpc/pseries/ddw: Revert "Extend upper limit for huge DMA window for persistent memory"

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix length of holes reported at end-of-file

Bob Peterson <rpeterso@redhat.com>
    gfs2: release iopen glock early in evict

Miklos Szeredi <mszeredi@redhat.com>
    ovl: fix deadlock in splice write

Miklos Szeredi <mszeredi@redhat.com>
    ovl: simplify file splice

Zhang Changzhong <zhangchangzhong@huawei.com>
    can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM

Benjamin Coddington <bcodding@redhat.com>
    NFSv42: Fix pagecache invalidation after COPY/CLONE


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/arm64/include/asm/kvm_arm.h                   |   4 +-
 arch/arm64/kernel/entry-ftrace.S                   |   6 +
 arch/parisc/Makefile                               |   5 +
 arch/parisc/install.sh                             |   1 +
 arch/parisc/kernel/time.c                          |  24 +-
 arch/powerpc/platforms/pseries/iommu.c             |   9 -
 arch/s390/include/asm/pci_io.h                     |   7 +-
 arch/s390/kernel/setup.c                           |   3 -
 arch/x86/entry/entry_64.S                          |  45 ++--
 arch/x86/include/asm/irqflags.h                    |  20 +-
 arch/x86/include/asm/paravirt.h                    |  20 --
 arch/x86/include/asm/paravirt_types.h              |   2 -
 arch/x86/kernel/asm-offsets_64.c                   |   1 -
 arch/x86/kernel/paravirt.c                         |   1 -
 arch/x86/kernel/paravirt_patch.c                   |   3 -
 arch/x86/kernel/sev-es.c                           |  57 ++--
 arch/x86/kernel/tsc.c                              |  28 +-
 arch/x86/kernel/tsc_sync.c                         |  41 +++
 arch/x86/kvm/mmu/mmu.c                             |   2 +-
 arch/x86/kvm/svm/pmu.c                             |   2 +-
 arch/x86/kvm/vmx/nested.c                          |   4 +-
 arch/x86/kvm/vmx/posted_intr.c                     |  20 +-
 arch/x86/kvm/vmx/vmx.c                             |  23 +-
 arch/x86/realmode/init.c                           |  12 +-
 arch/x86/xen/enlighten_pv.c                        |   3 -
 arch/x86/xen/xen-asm.S                             |  20 ++
 drivers/ata/ahci.c                                 |   1 +
 drivers/ata/sata_fsl.c                             |  20 +-
 drivers/char/ipmi/ipmi_msghandler.c                |  13 +-
 drivers/cpufreq/cpufreq.c                          |   9 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c           |   1 +
 .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c  |   5 +
 .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c    |  20 +-
 drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c        |   4 +-
 drivers/gpu/drm/msm/msm_debugfs.c                  |   1 +
 drivers/gpu/drm/sun4i/Kconfig                      |   1 +
 drivers/i2c/busses/i2c-cbus-gpio.c                 |   5 +-
 drivers/i2c/busses/i2c-stm32f7.c                   |  31 ++-
 drivers/net/ethernet/aquantia/atlantic/aq_common.h |  27 +-
 drivers/net/ethernet/aquantia/atlantic/aq_hw.h     |   2 +
 drivers/net/ethernet/aquantia/atlantic/aq_nic.c    |  10 +-
 .../net/ethernet/aquantia/atlantic/aq_pci_func.c   |   7 +-
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c    |   3 -
 .../aquantia/atlantic/hw_atl/hw_atl_utils.c        |  25 +-
 .../aquantia/atlantic/hw_atl/hw_atl_utils_fw2x.c   |   3 -
 .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c   |  22 +-
 .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.h   |   2 +
 .../aquantia/atlantic/hw_atl2/hw_atl2_utils.h      |  38 ++-
 .../aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c   | 110 ++++++--
 drivers/net/ethernet/dec/tulip/de4x5.c             |  34 ++-
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c   |   2 +
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |   4 +
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c    |   2 +-
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |   9 +-
 drivers/net/ethernet/natsemi/xtsonic.c             |   2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c    |  10 +-
 drivers/net/usb/lan78xx.c                          |   2 +-
 drivers/net/vrf.c                                  |   2 +
 drivers/net/wireguard/allowedips.c                 |   2 +-
 drivers/net/wireguard/device.c                     |  39 +--
 drivers/net/wireguard/device.h                     |   9 +-
 drivers/net/wireguard/queueing.c                   |   6 +-
 drivers/net/wireguard/queueing.h                   |   2 +-
 drivers/net/wireguard/ratelimiter.c                |   4 +-
 drivers/net/wireguard/receive.c                    |  39 +--
 drivers/net/wireguard/socket.c                     |   2 +-
 drivers/net/wireless/intel/iwlwifi/iwl-drv.c       |  22 +-
 drivers/net/wireless/intel/iwlwifi/iwl-drv.h       |   3 +
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c  |  24 +-
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h       |   3 +
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c       |   3 +
 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c    |   4 +-
 drivers/net/wireless/ralink/rt2x00/rt2x00usb.c     |   3 +
 drivers/platform/x86/thinkpad_acpi.c               |  13 +-
 drivers/scsi/scsi_transport_iscsi.c                |   6 +-
 drivers/thermal/thermal_core.c                     |   2 +
 drivers/tty/serial/8250/8250_pci.c                 |  39 ++-
 drivers/tty/serial/8250/8250_port.c                |   7 -
 drivers/tty/serial/amba-pl011.c                    |   1 +
 drivers/tty/serial/msm_serial.c                    |   3 +
 drivers/tty/serial/serial-tegra.c                  |   4 +-
 drivers/tty/serial/serial_core.c                   |  18 +-
 drivers/usb/core/quirks.c                          |   3 +
 drivers/usb/host/xhci-ring.c                       |  21 +-
 drivers/usb/typec/tcpm/tcpm.c                      |   4 -
 drivers/video/console/vgacon.c                     |  14 +-
 fs/btrfs/disk-io.c                                 |  14 +-
 fs/file.c                                          |   4 +
 fs/gfs2/bmap.c                                     |   2 +-
 fs/gfs2/super.c                                    |  14 +-
 fs/nfs/nfs42proc.c                                 |   5 +-
 fs/overlayfs/file.c                                |  59 ++--
 include/linux/acpi.h                               |   9 +
 include/linux/kprobes.h                            |   2 +
 include/linux/netdevice.h                          |  19 +-
 include/linux/siphash.h                            |  14 +-
 include/net/dst_cache.h                            |  11 +
 include/net/fib_rules.h                            |   4 +-
 include/net/ip_fib.h                               |   2 +-
 include/net/netns/ipv4.h                           |   2 +-
 include/net/sock.h                                 |  13 +-
 kernel/kprobes.c                                   |   3 +
 kernel/sched/core.c                                |   2 +-
 kernel/trace/trace_events_hist.c                   |   2 +-
 lib/siphash.c                                      |  12 +-
 net/can/j1939/transport.c                          |   6 +
 net/core/dev.c                                     |   5 +-
 net/core/dst_cache.c                               |  19 ++
 net/core/fib_rules.c                               |   2 +-
 net/ipv4/devinet.c                                 |   2 +-
 net/ipv4/fib_frontend.c                            |   2 +-
 net/ipv4/fib_rules.c                               |   5 +-
 net/ipv4/fib_semantics.c                           |   4 +-
 net/ipv6/esp6.c                                    |   6 +
 net/ipv6/fib6_rules.c                              |   4 +-
 net/mac80211/rx.c                                  |   3 +-
 net/mpls/af_mpls.c                                 |  68 +++--
 net/rds/tcp.c                                      |   2 +-
 net/rxrpc/conn_client.c                            |  14 +-
 net/rxrpc/peer_object.c                            |  14 +-
 net/smc/af_smc.c                                   |  14 +
 net/smc/smc_close.c                                |   8 +-
 net/smc/smc_core.c                                 |   7 +-
 net/tls/tls_sw.c                                   |   4 +-
 sound/hda/intel-dsp-config.c                       |  10 +
 sound/soc/tegra/tegra186_dspk.c                    | 181 ++++++++++---
 sound/soc/tegra/tegra210_admaif.c                  | 140 +++++++---
 sound/soc/tegra/tegra210_ahub.c                    |  11 +-
 sound/soc/tegra/tegra210_dmic.c                    | 184 ++++++++++---
 sound/soc/tegra/tegra210_i2s.c                     | 296 ++++++++++++++++-----
 tools/perf/builtin-report.c                        |  15 +-
 tools/perf/ui/hist.c                               |  28 +-
 tools/perf/util/arm-spe.c                          |  15 ++
 tools/perf/util/hist.h                             |   1 -
 tools/perf/util/util.c                             |  14 +-
 tools/perf/util/util.h                             |   2 +-
 tools/testing/selftests/net/fcnal-test.sh          |   4 +-
 tools/testing/selftests/wireguard/netns.sh         |  30 ++-
 .../testing/selftests/wireguard/qemu/debug.config  |   2 +-
 .../testing/selftests/wireguard/qemu/kernel.config |   1 +
 virt/kvm/kvm_main.c                                |   3 +-
 142 files changed, 1729 insertions(+), 684 deletions(-)




* [PATCH 5.15 193/207] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
From: Greg Kroah-Hartman @ 2021-12-06 14:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pawel Laszczak, Peter Chen, Zhou Qingyang

From: Zhou Qingyang <zhou1615@umn.edu>

commit 37307f7020ab38dde0892a578249bf63d00bca64 upstream.

In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
and there is a dereference of it in cdnsp_endpoint_init(), which could
lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().

Fix this bug by adding a check of pep->ring.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Cc: stable <stable@vger.kernel.org>
Acked-by: Pawel Laszczak <pawell@cadence.com>
Acked-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130172700.206650-1-zhou1615@umn.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdnsp-mem.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/cdns3/cdnsp-mem.c
+++ b/drivers/usb/cdns3/cdnsp-mem.c
@@ -987,6 +987,9 @@ int cdnsp_endpoint_init(struct cdnsp_dev
 
 	/* Set up the endpoint ring. */
 	pep->ring = cdnsp_ring_alloc(pdev, 2, ring_type, max_packet, mem_flags);
+	if (!pep->ring)
+		return -ENOMEM;
+
 	pep->skip = false;
 
 	/* Fill the endpoint context */
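Review bot: the new `if (!pep->ring) return -ENOMEM;` returns before `pep->skip = false` and before the endpoint context is filled, so it is only correct if nothing allocated earlier in cdnsp_endpoint_init() needs releasing on this path and every caller checks the function's return value; neither is visible in the hunk, so please confirm both in the commit message. Leaving pep->ring NULL on failure is the right state for a teardown that tests the pointer before freeing it.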




* [PATCH 5.15 105/207] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
From: Greg Kroah-Hartman @ 2021-12-06 14:55 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit e2dabc4f7e7b60299c20a36d6a7b24ed9bf8e572 upstream.

In qlcnic_83xx_add_rings(), the indirect function of
ahw->hw_ops->alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(); this patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 7f9664525f9c ("qlcnic: 83xx memory map and HW access routine")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130110848.109026-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
@@ -1077,8 +1077,14 @@ static int qlcnic_83xx_add_rings(struct
 	sds_mbx_size = sizeof(struct qlcnic_sds_mbx);
 	context_id = recv_ctx->context_id;
 	num_sds = adapter->drv_sds_rings - QLCNIC_MAX_SDS_RINGS;
-	ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
-				    QLCNIC_CMD_ADD_RCV_RINGS);
+	err = ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
+					QLCNIC_CMD_ADD_RCV_RINGS);
+	if (err) {
+		dev_err(&adapter->pdev->dev,
+			"Failed to alloc mbx args %d\n", err);
+		return err;
+	}
+
 	cmd.req.arg[1] = 0 | (num_sds << 8) | (context_id << 16);
 
 	/* set up status rings, mbx 2-81 */
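Review bot: the hunk assigns to `err` without adding a declaration, so it relies on an `int err` already in scope in qlcnic_83xx_add_rings(); please confirm it exists and that returning it at this point does not skip cleanup that the function's later failure paths perform (when alloc_mbx_args() fails, `cmd.req.arg` was never allocated, so returning without freeing it is correct). Minor style point: the continuation line `QLCNIC_CMD_ADD_RCV_RINGS);` used to align with the opening parenthesis of the call; after the `err = ` prefix it no longer does, so realign it under `&cmd`.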
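Both patches in this series (the cdnsp_endpoint_init() and qlcnic_83xx_add_rings() fixes above) have the same shape: an allocation whose result is dereferenced before it is checked, fixed by testing the result and returning an error code. The program below is an added example, not kernel code and not taken from either patch: a minimal endpoint-init routine with the same allocate-then-check structure, a caller that propagates the error and unwinds what was already set up, and a constructed fault-injecting allocator so the -ENOMEM path can actually be exercised in a test. All names (`ring_alloc`, `endpoint_init`, `init_endpoints`, `fail_alloc_nr`) are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

struct ring { unsigned int num_segs; };

struct endpoint {
	struct ring *ring;
	bool skip;
	unsigned int ctx_segs;		/* stands in for the endpoint context */
};

/* Constructed fault injection (hypothetical): fail the N-th allocation, 0 = never. */
static int fail_alloc_nr;
static int alloc_count;

static struct ring *ring_alloc(unsigned int num_segs)
{
	struct ring *r;
	if (++alloc_count == fail_alloc_nr)
		return NULL;			/* simulated allocation failure */
	r = calloc(1, sizeof(*r));
	if (r)
		r->num_segs = num_segs;
	return r;
}

/* Hardened form, same shape as both fixes: check before the first dereference. */
static int endpoint_init(struct endpoint *pep)
{
	pep->ring = ring_alloc(2);
	if (!pep->ring)
		return -ENOMEM;
	pep->skip = false;
	pep->ctx_segs = pep->ring->num_segs;	/* the dereference the check guards */
	return 0;
}

static void endpoint_teardown(struct endpoint *pep)
{
	free(pep->ring);
	pep->ring = NULL;
}

/* Caller side: propagate the error and unwind endpoints already set up. */
static int init_endpoints(struct endpoint *eps, unsigned int n)
{
	unsigned int i;

	for (i = 0; i < n; i++) {
		int err = endpoint_init(&eps[i]);
		if (err) {
			while (i-- > 0)
				endpoint_teardown(&eps[i]);
			return err;
		}
	}
	return 0;
}

/* No fault injected: every endpoint gets a ring. Returns 0 on success. */
static int scenario_no_fault(void)
{
	struct endpoint eps[3] = {{0}};
	unsigned int i;

	alloc_count = 0; fail_alloc_nr = 0;
	if (init_endpoints(eps, 3))
		return 1;
	for (i = 0; i < 3; i++) {
		if (!eps[i].ring || eps[i].ctx_segs != 2)
			return 2;
		endpoint_teardown(&eps[i]);
	}
	return 0;
}

/*
 * Second allocation fails: expect -ENOMEM from init_endpoints() and the
 * first endpoint's ring already released. Returns 0 when that holds.
 */
static int scenario_second_alloc_fails(void)
{
	struct endpoint eps[3] = {{0}};

	alloc_count = 0; fail_alloc_nr = 2;
	if (init_endpoints(eps, 3) != -ENOMEM)
		return 1;
	if (eps[0].ring || eps[1].ring || eps[2].ring)
		return 2;
	return 0;
}

int main(void)
{
	printf("no fault: %d, second alloc fails: %d\n",
	       scenario_no_fault(), scenario_second_alloc_fails());
	return 0;
}
```

The fault-injecting allocator is the part worth copying into a driver's unit tests: a static analyzer can only say the check is missing, while a test that makes the N-th allocation fail shows the error code reaching the caller and the partially initialised objects being released.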




* [PATCH 5.15 000/207] 5.15.7-rc1 review
From: Greg Kroah-Hartman @ 2021-12-06 14:54 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.15.7 release.
There are 207 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 08 Dec 2021 14:55:37 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.7-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.15.7-rc1

Wei Yongjun <weiyongjun1@huawei.com>
    ipmi: msghandler: Make symbol 'remove_work_wq' static

Johan Hovold <johan@kernel.org>
    serial: liteuart: fix minor-number leak on probe errors

Johan Hovold <johan@kernel.org>
    serial: liteuart: fix use-after-free and memleak on unbind

Ilia Sergachev <silia@ethz.ch>
    serial: liteuart: Fix NULL pointer dereference in ->remove()

Lukas Wunner <lukas@wunner.de>
    serial: 8250: Fix RTS modem control while in rs485 mode

Jay Dolan <jay.dolan@accesio.com>
    serial: 8250_pci: rewrite pericom_do_set_divisor()

Jay Dolan <jay.dolan@accesio.com>
    serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array

Johan Hovold <johan@kernel.org>
    serial: core: fix transmit-buffer reset and memleak

Patrik John <patrik.john@u-blox.com>
    serial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30

Pierre Gondois <Pierre.Gondois@arm.com>
    serial: pl011: Add ACPI SBSA UART match id

Sven Eckelmann <sven@narfation.org>
    tty: serial: msm_serial: Deactivate RX DMA for polling support

Joerg Roedel <jroedel@suse.de>
    x86/64/mm: Map all kernel memory into trampoline_pgd

Feng Tang <feng.tang@intel.com>
    x86/tsc: Disable clocksource watchdog for TSC on qualified platorms

Feng Tang <feng.tang@intel.com>
    x86/tsc: Add a timer to make sure TSC_adjust is always checked

Zhou Qingyang <zhou1615@umn.edu>
    usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()

Frank Li <Frank.Li@nxp.com>
    usb: cdns3: gadget: fix new urb never complete if ep cancel previous requests

Badhri Jagan Sridharan <badhri@google.com>
    usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect

Ole Ernst <olebowle@gmx.com>
    USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Fix commad ring abort, write all 64 bits to CRCR register.

Maciej W. Rozycki <macro@orcam.me.uk>
    vgacon: Propagate console boot parameters before calling `vc_resize'

Helge Deller <deller@gmx.de>
    parisc: Mark cr16 CPU clocksource unstable on all SMP machines

Helge Deller <deller@gmx.de>
    parisc: Fix "make install" on newer debian releases

Helge Deller <deller@gmx.de>
    parisc: Fix KBUILD_IMAGE for self-extracting kernel

Al Cooper <alcooperx@gmail.com>
    serial: 8250_bcm7271: UART errors after resuming from S2

Tariq Toukan <tariqt@nvidia.com>
    net/mlx5e: Sync TIR params updates against concurrent create/modify

Khalid Manaa <khalidm@nvidia.com>
    net/mlx5e: Rename TIR lro functions to TIR packet merge functions

Ben Ben-Ishay <benishay@nvidia.com>
    net/mlx5e: Rename lro_timeout to packet_merge_timeout

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Remove spurious TLB flushes in TDP MMU zap collapsible path

David Matlack <dmatlack@google.com>
    KVM: x86/mmu: Rename slot_handle_leaf to slot_handle_level_4k

Sean Christopherson <seanjc@google.com>
    KVM: SEV: Return appropriate error codes if SEV-ES scratch setup fails

Qais Yousef <qais.yousef@arm.com>
    sched/uclamp: Fix rq->uclamp_max not set on first enqueue

Andrew Halaney <ahalaney@redhat.com>
    preempt/dynamic: Fix setup_preempt_mode() return value

Lai Jiangshan <laijs@linux.alibaba.com>
    x86/xen: Add xenpv_restore_regs_and_return_to_usermode()

Lai Jiangshan <laijs@linux.alibaba.com>
    x86/entry: Use the correct fence macro after swapgs in kernel CR3

Lai Jiangshan <laijs@linux.alibaba.com>
    x86/entry: Add a fence for kernel entry SWAPGS in paranoid_entry()

Michael Sterritt <sterritt@google.com>
    x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword

Jens Axboe <axboe@kernel.dk>
    io-wq: don't retry task_work creation failure on fatal conditions

José Roberto de Souza <jose.souza@intel.com>
    Revert "drm/i915: Implement Wa_1508744258"

Matt Johnston <matt@codeconstruct.com.au>
    mctp: Don't let RTM_DELROUTE delete local routes

Dan Carpenter <dan.carpenter@oracle.com>
    KVM: VMX: Set failure code in prepare_vmcs02()

Like Xu <likexu@tencent.com>
    KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln register

Dmytro Linkin <dlinkin@nvidia.com>
    net/mlx5: E-Switch, Check group pointer before reading bw_share value

Mark Bloch <mbloch@nvidia.com>
    net/mlx5: E-Switch, fix single FDB creation on BlueField

Dmytro Linkin <dlinkin@nvidia.com>
    net/mlx5: E-switch, Respect BW share of the new group

Moshe Shemesh <moshe@nvidia.com>
    net/mlx5: Move MODIFY_RQT command to ignore list in internal error state

Raed Salem <raeds@nvidia.com>
    net/mlx5e: Fix missing IPsec statistics on uplink representor

Paolo Bonzini <pbonzini@redhat.com>
    KVM: SEV: initialize regions_list of a mirror VM

Lai Jiangshan <laijs@linux.alibaba.com>
    KVM: X86: Fix when shadow_root_level=5 && guest root_level<4

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    iwlwifi: Fix memory leaks in error handling path

Nicolas Frattaroli <frattaroli.nicolas@gmail.com>
    ASoC: rk817: Add module alias for rk817-codec

Rob Clark <robdclark@chromium.org>
    drm/msm: Restore error return on invalid fence

Rob Clark <robdclark@chromium.org>
    drm/msm: Fix wait_fence submitqueue leak

Douglas Anderson <dianders@chromium.org>
    drm/msm: Fix mmap to include VM_IO and VM_DONTDUMP

Rob Clark <robdclark@chromium.org>
    drm/msm/devfreq: Fix OPP refcnt leak

Hou Wenlong <houwenlong93@linux.alibaba.com>
    KVM: x86/mmu: Pass parameter flush as false in kvm_tdp_mmu_zap_collapsible_sptes()

Hou Wenlong <houwenlong93@linux.alibaba.com>
    KVM: x86/mmu: Skip tlb flush if it has been done in zap_gfn_range()

Sameer Saurabh <ssaurabh@marvell.com>
    atlantic: Remove warn trace message.

Dmitry Bogdanov <dbezrukov@marvell.com>
    atlantic: Fix statistics logic for production hardware

Sameer Saurabh <ssaurabh@marvell.com>
    Remove Half duplex mode speed capabilities.

Nikita Danilov <ndanilov@aquantia.com>
    atlantic: Add missing DIDs and fix 115c.

Sameer Saurabh <ssaurabh@marvell.com>
    atlantic: Fix to display FW bundle version instead of FW mac version.

Nikita Danilov <ndanilov@aquantia.com>
    atlatnic: enable Nbase-t speeds with base-t

Dmitry Bogdanov <dbezrukov@marvell.com>
    atlantic: Increase delay for fw transactions

Maxime Ripard <maxime@cerno.tech>
    drm/vc4: kms: Fix previous HVS commit wait

Maxime Ripard <maxime@cerno.tech>
    drm/vc4: kms: Don't duplicate pending commit

Maxime Ripard <maxime@cerno.tech>
    drm/vc4: kms: Clear the HVS FIFO commit pointer once done

Maxime Ripard <maxime@cerno.tech>
    drm/vc4: kms: Add missing drm_crtc_commit_put

Maxime Ripard <maxime@cerno.tech>
    drm/vc4: kms: Fix return code check

Maxime Ripard <maxime@cerno.tech>
    drm/vc4: kms: Wait for the commit before increasing our clock rate

Rob Clark <robdclark@chromium.org>
    drm/msm: Do hw_init() before capturing GPU state

Douglas Anderson <dianders@chromium.org>
    drm/msm/a6xx: Allocate enough space for GMU registers

Tony Lu <tonylu@linux.alibaba.com>
    net/smc: Keep smc_close_final rc during active close

William Kucharski <william.kucharski@oracle.com>
    net/rds: correct socket tunable error in rds_tcp_tune()

Dust Li <dust.li@linux.alibaba.com>
    net/smc: fix wrong list_del in smc_lgr_cleanup_early

Eric Dumazet <edumazet@google.com>
    ipv4: convert fib_num_tclassid_users to atomic_t

Eric Dumazet <edumazet@google.com>
    net: annotate data-races on txq->xmit_lock_owner

Zhou Qingyang <zhou1615@umn.edu>
    octeontx2-af: Fix a memleak bug in rvu_mbox_init()

Dongliang Mu <mudongliangabcd@gmail.com>
    dpaa2-eth: destroy workqueue at the end of remove function

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    net: marvell: mvpp2: Fix the computation of shared CPUs

Sven Schuchmann <schuchmann@schleissheimer.de>
    net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available

Vincent Whitchurch <vincent.whitchurch@axis.com>
    net: stmmac: Avoid DMA_CHAN_CONTROL write if no Split Header support

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ALSA: intel-dsp-config: add quirk for CML devices based on ES8336 codec

Eiichi Tsukata <eiichi.tsukata@nutanix.com>
    rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()

Eiichi Tsukata <eiichi.tsukata@nutanix.com>
    rxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle()

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in AHUB

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in DSPK

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in DMIC

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in I2S

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in ADMAIF

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in DSPK

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in DMIC

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in I2S

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in ADMAIF

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode

Florian Fainelli <f.fainelli@gmail.com>
    net: dsa: b53: Add SPI ID table

Li Zhijian <lizhijian@cn.fujitsu.com>
    selftests: net: Correct case name

Zhou Qingyang <zhou1615@umn.edu>
    net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

Raed Salem <raeds@nvidia.com>
    net/mlx5e: IPsec: Fix Software parser inner l3 type setting in case of encapsulation

Łukasz Bartosik <lb@semihalf.com>
    iwlwifi: fix warnings produced by kernel debug options

Mark Rutland <mark.rutland@arm.com>
    arm64: ftrace: add missing BTIs

Arnd Bergmann <arnd@arndb.de>
    siphash: use _unaligned version by default

Benjamin Poirier <bpoirier@nvidia.com>
    net: mpls: Fix notifications when deleting a device

Zhou Qingyang <zhou1615@umn.edu>
    net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

Paolo Abeni <pabeni@redhat.com>
    tcp: fix page frag corruption on page fault

Randy Dunlap <rdunlap@infradead.org>
    natsemi: xtensa: fix section mismatch warnings

Aaro Koskinen <aaro.koskinen@iki.fi>
    i2c: cbus-gpio: set atomic transfer callback

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: stop dma transfer in case of NACK

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: recover the bus on access timeout

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: flush TX FIFO upon transfer errors

Gustavo A. R. Silva <gustavoars@kernel.org>
    wireguard: ratelimiter: use kvcalloc() instead of kvzalloc()

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: receive: drop handshakes if queue lock is contended

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: receive: use ring buffer for incoming handshakes

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: device: reset peer src endpoint when netns exits

Li Zhijian <lizhijian@cn.fujitsu.com>
    wireguard: selftests: rename DEBUG_PI_LIST to DEBUG_PLIST

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: selftests: actually test for routing loops

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: allowedips: add missing __rcu annotation to satisfy sparse

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: selftests: increase default dmesg log size

Marek Behún <kabel@kernel.org>
    net: dsa: mv88e6xxx: Link in pcs_get_state() if AN is bypassed

Marek Behún <kabel@kernel.org>
    net: dsa: mv88e6xxx: Fix inband AN for 2500base-x on 88E6393X family

Marek Behún <kabel@kernel.org>
    net: dsa: mv88e6xxx: Add fix for erratum 5.2 of 88E6393X family

Marek Behún <kabel@kernel.org>
    net: dsa: mv88e6xxx: Save power by disabling SerDes transmitter and receiver

Marek Behún <kabel@kernel.org>
    net: dsa: mv88e6xxx: Drop unnecessary check in mv88e6393x_serdes_erratum_4_6()

Marek Behún <kabel@kernel.org>
    net: dsa: mv88e6xxx: Fix application of erratum 4.8 for 88E6393X

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing/histograms: String compares should not care about signed values

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: check PIR even for vCPUs with disabled APICv

Lai Jiangshan <laijs@linux.alibaba.com>
    KVM: X86: Use vcpu->arch.walk_mmu for kvm_mmu_invlpg()

Catalin Marinas <catalin.marinas@arm.com>
    KVM: arm64: Avoid setting the upper 32 bits of TCR_EL2 and CPTR_EL2 to 1

Paolo Bonzini <pbonzini@redhat.com>
    KVM: MMU: shadow nested paging does not have PKU

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: Use a stable condition around all VT-d PI paths

Paolo Bonzini <pbonzini@redhat.com>
    KVM: VMX: prepare sync_pir_to_irr for running with APICv disabled

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Abide to KVM_REQ_TLB_FLUSH_GUEST request on nested vmentry/vmexit

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Flush current VPID (L1 vs. L2) for KVM_REQ_TLB_FLUSH_GUEST

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Emulate guest TLB flush on nested VM-Enter with new vpid12

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: ignore APICv if LAPIC is not enabled

Sean Christopherson <seanjc@google.com>
    KVM: Ensure local memslot copies operate on up-to-date arch-specific data

Ben Gardon <bgardon@google.com>
    KVM: x86/mmu: Fix TLB flush range when handling disconnected pt

Sean Christopherson <seanjc@google.com>
    KVM: Disallow user memslot with size that exceeds "unsigned long"

Paolo Bonzini <pbonzini@redhat.com>
    KVM: fix avic_set_running for preemptable kernels

Lyude Paul <lyude@redhat.com>
    drm/i915/dp: Perform 30ms delay after source OUI write

Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    drm/amd/display: Allow DSC on supported MST branch devices

msizanoen1 <msizanoen@qtmlabs.xyz>
    ipv6: fix memory leak in fib6_rule_suppress

Adrian Hunter <adrian.hunter@intel.com>
    scsi: ufs: ufs-pci: Add support for Intel ADL

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Fix non-recovery of remote ports following an unsolicited LOGO

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

Linus Torvalds <torvalds@linux-foundation.org>
    fget: check that the fd still exists after getting a ref to it

Niklas Schnelle <schnelle@linux.ibm.com>
    s390/pci: move pseudo-MMIO to prevent MIO overlap

Guangming <Guangming.Cao@mediatek.com>
    dma-buf: system_heap: Use 'for_each_sgtable_sg' in pages free flow

Mordechay Goodstein <mordechay.goodstein@intel.com>
    iwlwifi: mvm: retry init flow if failed

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink()

Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
    ipmi: Move remove_work to dedicated workqueue

Stanislaw Gruszka <stf_xl@wp.pl>
    rt2x00: do not mark device gone on EPROTO errors during start

Stefan Binding <sbinding@opensource.cirrus.com>
    ALSA: hda/cs8409: Set PMSG_ON earlier inside cs8409 driver

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Limit max data_size of the kretprobe instances

Stephen Suryaputra <ssuryaextr@gmail.com>
    vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit

Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
    net/tls: Fix authentication failure in CCM mode

Mario Limonciello <mario.limonciello@amd.com>
    ACPI: Add stubs for wakeup handler functions

Wen Gu <guwen@linux.alibaba.com>
    net/smc: Avoid warning of possible recursive locking

Nikita Yushchenko <nikita.yushchenko@virtuozzo.com>
    tracing: Don't use out-of-sync va_list in event printing

Ian Rogers <irogers@google.com>
    perf report: Fix memory leaks around perf_tip()

Ian Rogers <irogers@google.com>
    perf hist: Fix memory leak of a perf_hpp_fmt

German Gomez <german.gomez@arm.com>
    perf inject: Fix ARM SPE handling

Namhyung Kim <namhyung@kernel.org>
    perf sort: Fix the 'p_stage_cyc' sort key behavior

Namhyung Kim <namhyung@kernel.org>
    perf sort: Fix the 'ins_lat' sort key behavior

Namhyung Kim <namhyung@kernel.org>
    perf sort: Fix the 'weight' sort key behavior

Teng Qi <starmiku1207184332@gmail.com>
    net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()

zhangyue <zhangyue1@kylinos.cn>
    net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound

Jordy Zomer <jordy@pwning.systems>
    ipv6: check return value of ipv6_skip_exthdr

Teng Qi <starmiku1207184332@gmail.com>
    ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

Mario Limonciello <mario.limonciello@amd.com>
    ata: libahci: Adjust behavior when StorageD3Enable _DSD is set

Mario Limonciello <mario.limonciello@amd.com>
    ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile

Bernard Zhao <bernard@vivo.com>
    drm/amd/amdgpu: fix potential memleak

shaoyunl <shaoyun.liu@amd.com>
    drm/amd/amdkfd: Fix kernel panic when reset failed and been triggered again

Lijo Lazar <lijo.lazar@amd.com>
    drm/amd/pm: Remove artificial freq level on Navi1x

Aaron Ma <aaron.ma@canonical.com>
    net: usb: r8152: Add MAC passthrough support for more Lenovo Docks

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Unblock session then wake up error handler

Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
    thermal: core: Reset previous low and high trip during thermal zone init

Wang Yugui <wangyugui@e16-tech.com>
    btrfs: check-integrity: fix a warning on write caching disabled disk

Filipe Manana <fdmanana@suse.com>
    btrfs: silence lockdep when reading chunk tree during mount

Vasily Gorbik <gor@linux.ibm.com>
    s390/setup: avoid using memblock_enforce_memory_limit

Slark Xiao <slark_xiao@163.com>
    platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep

Jimmy Wang <jimmy221b@163.com>
    platform/x86: thinkpad_acpi: Add support for dual fan control

Thomas Weißschuh <linux@weissschuh.net>
    platform/x86: dell-wmi-descriptor: disable by default

Julian Braha <julianbraha@gmail.com>
    pinctrl: qcom: fix unmet dependencies on GPIOLIB for GPIOLIB_IRQCHIP

liuguoqiang <liuguoqiang@uniontech.com>
    net: return correct error code

Zekun Shen <bruceshenzk@gmail.com>
    atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

Wen Gu <guwen@linux.alibaba.com>
    net/smc: Transfer remaining wait queue entries during fallback

Sean Christopherson <seanjc@google.com>
    x86/hyperv: Move required MSRs check to initial platform probing

Felix Fietkau <nbd@nbd.name>
    mac80211: fix throughput LED trigger

Xing Song <xing.song@mediatek.com>
    mac80211: do not access the IV when it was stripped

Julian Braha <julianbraha@gmail.com>
    drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY

Alexey Kardashevskiy <aik@ozlabs.ru>
    powerpc/pseries/ddw: Do not try direct mapping with persistent memory and one window

Alexey Kardashevskiy <aik@ozlabs.ru>
    powerpc/pseries/ddw: Revert "Extend upper limit for huge DMA window for persistent memory"

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix length of holes reported at end-of-file

Bob Peterson <rpeterso@redhat.com>
    gfs2: release iopen glock early in evict

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Don't start stream for capture at prepare

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Switch back to non-latency mode at a later point

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Less restriction for low-latency playback mode

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Fix packet size calculation regression

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Avoid killing in-flight URBs during draining

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Improved lowlatency playback support

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Add spinlock to stop_urbs()

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Check available frames for the next packet size

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Disable low-latency mode for implicit feedback sync

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Disable low-latency playback for free-wheel mode

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Rename early_playback_start flag with lowlatency_playback

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Restrict rates for the shared clocks


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/arm64/include/asm/kvm_arm.h                   |   4 +-
 arch/arm64/kernel/entry-ftrace.S                   |   6 +
 arch/parisc/Makefile                               |   5 +
 arch/parisc/install.sh                             |   1 +
 arch/parisc/kernel/time.c                          |  30 +--
 arch/powerpc/platforms/pseries/iommu.c             |  15 +-
 arch/s390/include/asm/pci_io.h                     |   7 +-
 arch/s390/kernel/setup.c                           |   3 -
 arch/x86/entry/entry_64.S                          |  35 ++-
 arch/x86/hyperv/hv_init.c                          |   9 +-
 arch/x86/kernel/cpu/mshyperv.c                     |  20 +-
 arch/x86/kernel/sev.c                              |  57 ++--
 arch/x86/kernel/tsc.c                              |  28 +-
 arch/x86/kernel/tsc_sync.c                         |  41 +++
 arch/x86/kvm/lapic.c                               |   2 +-
 arch/x86/kvm/mmu/mmu.c                             |  37 +--
 arch/x86/kvm/mmu/tdp_mmu.c                         |  36 +--
 arch/x86/kvm/mmu/tdp_mmu.h                         |   5 +-
 arch/x86/kvm/svm/avic.c                            |  16 +-
 arch/x86/kvm/svm/pmu.c                             |   2 +-
 arch/x86/kvm/svm/sev.c                             |  31 ++-
 arch/x86/kvm/svm/svm.c                             |   1 -
 arch/x86/kvm/vmx/nested.c                          |  49 ++--
 arch/x86/kvm/vmx/posted_intr.c                     |  20 +-
 arch/x86/kvm/vmx/vmx.c                             |  62 +++--
 arch/x86/kvm/x86.c                                 |  46 +++-
 arch/x86/kvm/x86.h                                 |   7 +-
 arch/x86/realmode/init.c                           |  12 +-
 arch/x86/xen/xen-asm.S                             |  20 ++
 drivers/ata/ahci.c                                 |   1 +
 drivers/ata/libahci.c                              |  15 ++
 drivers/ata/sata_fsl.c                             |  20 +-
 drivers/char/ipmi/ipmi_msghandler.c                |  13 +-
 drivers/cpufreq/cpufreq.c                          |   9 +-
 drivers/dma-buf/heaps/system_heap.c                |   2 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c           |   1 +
 .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c  |   5 +
 .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c    |  20 +-
 drivers/gpu/drm/amd/pm/swsmu/smu11/navi10_ppt.c    |  13 +-
 drivers/gpu/drm/i915/display/intel_display_types.h |   3 +
 drivers/gpu/drm/i915/display/intel_dp.c            |  11 +
 drivers/gpu/drm/i915/display/intel_dp.h            |   2 +
 .../gpu/drm/i915/display/intel_dp_aux_backlight.c  |   5 +
 drivers/gpu/drm/i915/gt/intel_workarounds.c        |   7 -
 drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c        |   4 +-
 drivers/gpu/drm/msm/msm_debugfs.c                  |   1 +
 drivers/gpu/drm/msm/msm_drv.c                      |  49 ++--
 drivers/gpu/drm/msm/msm_gem.c                      |   3 +-
 drivers/gpu/drm/msm/msm_gem_submit.c               |   1 +
 drivers/gpu/drm/msm/msm_gpu.h                      |   3 +
 drivers/gpu/drm/msm/msm_gpu_devfreq.c              |   5 +
 drivers/gpu/drm/sun4i/Kconfig                      |   1 +
 drivers/gpu/drm/vc4/vc4_kms.c                      |  40 ++-
 drivers/i2c/busses/i2c-cbus-gpio.c                 |   5 +-
 drivers/i2c/busses/i2c-stm32f7.c                   |  31 ++-
 drivers/net/dsa/b53/b53_spi.c                      |  14 +
 drivers/net/dsa/mv88e6xxx/serdes.c                 | 252 +++++++++++++++---
 drivers/net/dsa/mv88e6xxx/serdes.h                 |   4 +
 drivers/net/ethernet/aquantia/atlantic/aq_common.h |  27 +-
 drivers/net/ethernet/aquantia/atlantic/aq_hw.h     |   2 +
 drivers/net/ethernet/aquantia/atlantic/aq_nic.c    |  10 +-
 .../net/ethernet/aquantia/atlantic/aq_pci_func.c   |   7 +-
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c    |   3 -
 .../aquantia/atlantic/hw_atl/hw_atl_utils.c        |  25 +-
 .../aquantia/atlantic/hw_atl/hw_atl_utils_fw2x.c   |   3 -
 .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c   |  22 +-
 .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.h   |   2 +
 .../aquantia/atlantic/hw_atl2/hw_atl2_utils.h      |  38 ++-
 .../aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c   | 110 ++++++--
 drivers/net/ethernet/dec/tulip/de4x5.c             |  34 ++-
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c   |   2 +
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |   4 +
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c    |   2 +-
 drivers/net/ethernet/marvell/octeontx2/af/rvu.c    |   2 +-
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |   9 +-
 drivers/net/ethernet/mellanox/mlx5/core/cmd.c      |   2 +-
 drivers/net/ethernet/mellanox/mlx5/core/en.h       |  14 +-
 .../net/ethernet/mellanox/mlx5/core/en/params.c    |  21 +-
 .../net/ethernet/mellanox/mlx5/core/en/params.h    |   6 -
 drivers/net/ethernet/mellanox/mlx5/core/en/rss.c   |  23 +-
 drivers/net/ethernet/mellanox/mlx5/core/en/rss.h   |   7 +-
 .../net/ethernet/mellanox/mlx5/core/en/rx_res.c    |  66 ++++-
 .../net/ethernet/mellanox/mlx5/core/en/rx_res.h    |  11 +-
 drivers/net/ethernet/mellanox/mlx5/core/en/tir.c   |  16 +-
 drivers/net/ethernet/mellanox/mlx5/core/en/tir.h   |   6 +-
 .../mellanox/mlx5/core/en_accel/ipsec_rxtx.c       |   2 +-
 .../ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c |  24 +-
 .../net/ethernet/mellanox/mlx5/core/en_ethtool.c   |   4 +-
 .../ethernet/mellanox/mlx5/core/en_fs_ethtool.c    |   6 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_main.c  |  46 ++--
 drivers/net/ethernet/mellanox/mlx5/core/en_rep.c   |   9 +-
 drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c  |   4 +-
 .../ethernet/mellanox/mlx5/core/eswitch_offloads.c |   1 +
 .../net/ethernet/mellanox/mlx5/core/ipoib/ipoib.c  |   7 +-
 drivers/net/ethernet/natsemi/xtsonic.c             |   2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c    |  10 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c  |  11 +-
 drivers/net/usb/lan78xx.c                          |   2 +-
 drivers/net/usb/r8152.c                            |   9 +-
 drivers/net/vrf.c                                  |   2 +
 drivers/net/wireguard/allowedips.c                 |   2 +-
 drivers/net/wireguard/device.c                     |  39 +--
 drivers/net/wireguard/device.h                     |   9 +-
 drivers/net/wireguard/queueing.c                   |   6 +-
 drivers/net/wireguard/queueing.h                   |   2 +-
 drivers/net/wireguard/ratelimiter.c                |   4 +-
 drivers/net/wireguard/receive.c                    |  39 +--
 drivers/net/wireguard/socket.c                     |   2 +-
 drivers/net/wireless/intel/iwlwifi/fw/uefi.c       |   6 +
 drivers/net/wireless/intel/iwlwifi/iwl-drv.c       |  22 +-
 drivers/net/wireless/intel/iwlwifi/iwl-drv.h       |   3 +
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c  |  24 +-
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h       |   3 +
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c       |   5 +
 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c    |   4 +-
 drivers/net/wireless/ralink/rt2x00/rt2x00usb.c     |   3 +
 drivers/pinctrl/qcom/Kconfig                       |   2 +
 drivers/platform/x86/dell/Kconfig                  |   2 +-
 drivers/platform/x86/thinkpad_acpi.c               |  13 +-
 drivers/scsi/lpfc/lpfc_els.c                       |   9 +-
 drivers/scsi/scsi_transport_iscsi.c                |   6 +-
 drivers/scsi/ufs/ufshcd-pci.c                      |  18 ++
 drivers/thermal/thermal_core.c                     |   2 +
 drivers/tty/serial/8250/8250_bcm7271.c             |  13 +
 drivers/tty/serial/8250/8250_pci.c                 |  39 ++-
 drivers/tty/serial/8250/8250_port.c                |   7 -
 drivers/tty/serial/amba-pl011.c                    |   1 +
 drivers/tty/serial/liteuart.c                      |  20 +-
 drivers/tty/serial/msm_serial.c                    |   3 +
 drivers/tty/serial/serial-tegra.c                  |   4 +-
 drivers/tty/serial/serial_core.c                   |  18 +-
 drivers/usb/cdns3/cdns3-gadget.c                   |  20 +-
 drivers/usb/cdns3/cdnsp-mem.c                      |   3 +
 drivers/usb/core/quirks.c                          |   3 +
 drivers/usb/host/xhci-ring.c                       |  21 +-
 drivers/usb/typec/tcpm/tcpm.c                      |   4 -
 drivers/video/console/vgacon.c                     |  14 +-
 fs/btrfs/disk-io.c                                 |  14 +-
 fs/btrfs/volumes.c                                 |  18 +-
 fs/file.c                                          |   4 +
 fs/gfs2/bmap.c                                     |   2 +-
 fs/gfs2/super.c                                    |  14 +-
 fs/io-wq.c                                         |   7 +
 include/linux/acpi.h                               |   9 +
 include/linux/kprobes.h                            |   2 +
 include/linux/mlx5/mlx5_ifc.h                      |   8 +-
 include/linux/netdevice.h                          |  19 +-
 include/linux/siphash.h                            |  14 +-
 include/net/dst_cache.h                            |  11 +
 include/net/fib_rules.h                            |   4 +-
 include/net/ip_fib.h                               |   2 +-
 include/net/netns/ipv4.h                           |   2 +-
 include/net/sock.h                                 |  13 +-
 kernel/kprobes.c                                   |   3 +
 kernel/sched/core.c                                |   6 +-
 kernel/trace/trace.c                               |  12 +
 kernel/trace/trace_events_hist.c                   |   2 +-
 lib/siphash.c                                      |  12 +-
 net/core/dev.c                                     |   5 +-
 net/core/dst_cache.c                               |  19 ++
 net/core/fib_rules.c                               |   2 +-
 net/ipv4/devinet.c                                 |   2 +-
 net/ipv4/fib_frontend.c                            |   2 +-
 net/ipv4/fib_rules.c                               |   5 +-
 net/ipv4/fib_semantics.c                           |   4 +-
 net/ipv6/esp6.c                                    |   6 +
 net/ipv6/fib6_rules.c                              |   4 +-
 net/mac80211/led.h                                 |   8 +-
 net/mac80211/rx.c                                  |  10 +-
 net/mac80211/tx.c                                  |  34 ++-
 net/mctp/route.c                                   |   9 +-
 net/mpls/af_mpls.c                                 |  68 +++--
 net/rds/tcp.c                                      |   2 +-
 net/rxrpc/conn_client.c                            |  14 +-
 net/rxrpc/peer_object.c                            |  14 +-
 net/smc/af_smc.c                                   |  14 +
 net/smc/smc_close.c                                |   8 +-
 net/smc/smc_core.c                                 |   7 +-
 net/tls/tls_sw.c                                   |   4 +-
 sound/hda/intel-dsp-config.c                       |  10 +
 sound/pci/hda/hda_local.h                          |   9 +
 sound/pci/hda/patch_cs8409.c                       |   5 +
 sound/soc/codecs/rk817_codec.c                     |   1 +
 sound/soc/tegra/tegra186_dspk.c                    | 181 ++++++++++---
 sound/soc/tegra/tegra210_admaif.c                  | 140 +++++++---
 sound/soc/tegra/tegra210_ahub.c                    |  11 +-
 sound/soc/tegra/tegra210_dmic.c                    | 184 ++++++++++---
 sound/soc/tegra/tegra210_i2s.c                     | 296 ++++++++++++++++-----
 sound/usb/card.h                                   |  10 +-
 sound/usb/endpoint.c                               | 223 +++++++++++-----
 sound/usb/endpoint.h                               |  13 +-
 sound/usb/pcm.c                                    | 165 +++++++++---
 tools/perf/builtin-report.c                        |  15 +-
 tools/perf/ui/hist.c                               |  28 +-
 tools/perf/util/arm-spe.c                          |  15 ++
 tools/perf/util/hist.c                             |  23 +-
 tools/perf/util/hist.h                             |   1 -
 tools/perf/util/sort.c                             |  52 ++--
 tools/perf/util/sort.h                             |   6 +-
 tools/perf/util/util.c                             |  14 +-
 tools/perf/util/util.h                             |   2 +-
 tools/testing/selftests/net/fcnal-test.sh          |   4 +-
 tools/testing/selftests/wireguard/netns.sh         |  30 ++-
 .../testing/selftests/wireguard/qemu/debug.config  |   2 +-
 .../testing/selftests/wireguard/qemu/kernel.config |   1 +
 virt/kvm/kvm_main.c                                |  50 ++--
 207 files changed, 2854 insertions(+), 1215 deletions(-)



^ permalink raw reply	[relevance 4%]

* [PATCH 5.15 131/207] octeontx2-af: Fix a memleak bug in rvu_mbox_init()
  2021-12-06 14:54  4% [PATCH 5.15 000/207] 5.15.7-rc1 review Greg Kroah-Hartman
  2021-12-06 14:55  7% ` [PATCH 5.15 105/207] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.15 111/207] net/mlx4_en: Fix a use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  2021-12-06 14:57  7% ` [PATCH 5.15 193/207] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init() Greg Kroah-Hartman
  3 siblings, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit e07a097b4986afb8f925d0bb32612e1d3e88ce15 upstream.

In rvu_mbox_init(), mbox_regions is not freed or passed out
under the switch-default region, which could lead to a memory leak.

Fix this bug by changing 'return err' to 'goto free_regions'.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_OCTEONTX2_AF=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 98c561116360 ("octeontx2-af: cn10k: Add mbox support for CN10K platform")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130165039.192426-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
@@ -2281,7 +2281,7 @@ static int rvu_mbox_init(struct rvu *rvu
 			goto free_regions;
 		break;
 	default:
-		return err;
+		goto free_regions;
 	}
 
 	mw->mbox_wq = alloc_workqueue(name,
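Review bot: the default arm now jumps to free_regions, but the hunk does not show what err holds on that path; confirm it is initialised to a non-zero error code (for example -EINVAL) before the switch, since free_regions presumably ends in `return err` and an err of 0 would hand the caller a success status after mbox_regions has been freed. An explicit `err = -EINVAL;` in the default arm before the goto would make that intent self-evident to future readers.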



^ permalink raw reply	[relevance 7%]

* [PATCH 5.15 111/207] net/mlx4_en: Fix a use-after-free bug in mlx4_en_try_alloc_resources()
  2021-12-06 14:54  4% [PATCH 5.15 000/207] 5.15.7-rc1 review Greg Kroah-Hartman
  2021-12-06 14:55  7% ` [PATCH 5.15 105/207] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.15 131/207] octeontx2-af: Fix a memleak bug in rvu_mbox_init() Greg Kroah-Hartman
  2021-12-06 14:57  7% ` [PATCH 5.15 193/207] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init() Greg Kroah-Hartman
  3 siblings, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Leon Romanovsky,
	Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit addad7643142f500080417dd7272f49b7a185570 upstream.

In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
After that mlx4_en_alloc_resources() is called and there is a dereference
of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
a use after free problem on failure of mlx4_en_copy_priv().

Fix this bug by adding a check of mlx4_en_copy_priv().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_MLX4_EN=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/20211130164438.190591-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -2286,9 +2286,14 @@ int mlx4_en_try_alloc_resources(struct m
 				bool carry_xdp_prog)
 {
 	struct bpf_prog *xdp_prog;
-	int i, t;
+	int i, t, ret;
 
-	mlx4_en_copy_priv(tmp, priv, prof);
+	ret = mlx4_en_copy_priv(tmp, priv, prof);
+	if (ret) {
+		en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n",
+			__func__);
+		return ret;
+	}
 
 	if (mlx4_en_alloc_resources(tmp)) {
 		en_warn(priv,
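Review bot: the en_warn in the new check drops the error code; printing ret (for example `"%s: mlx4_en_copy_priv() failed, err %d\n", __func__, ret`) would make a failed reconfiguration diagnosable from dmesg. Also worth confirming, since the commit message says mlx4_en_copy_priv() frees tmp->tx_cq on its error path, that it releases everything else it allocated before returning, because this early return does no cleanup of tmp itself.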



^ permalink raw reply	[relevance 7%]
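The two patches above fix the same family of error-path mistakes: an early `return` that bypasses the function's cleanup label (the rvu_mbox_init() leak) and an unchecked return value from a helper that has already freed what the caller is about to touch (the mlx4_en_try_alloc_resources() use-after-free). The following is an added user-space model of both, not code from either patch or from the kernel tree; every name in it (region_init_leaky, region_init_fixed, priv_copy, try_alloc_resources, live_allocs) is hypothetical, and the allocation counter stands in for what kmemleak or KASAN would report on a real kernel.

```c
/* Added example: a user-space model of the two error-path rules the
 * octeontx2-af and mlx4_en fixes enforce. All names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_REGIONS 4

enum plat_type { PLAT_A = 1 };

/* Buffers handed out by track_alloc() and not yet returned; it must be
 * back to zero after any call that does not keep an allocation alive. */
static int live_allocs;

static void *track_alloc(size_t n)
{
	void *p = calloc(1, n);

	if (p)
		live_allocs++;
	return p;
}

static void track_free(void *p)
{
	if (p)
		live_allocs--;
	free(p);
}

/* "Before" shape of rvu_mbox_init(): the default arm returns directly and
 * skips the teardown at the end, so the regions array is leaked. */
static int region_init_leaky(int type)
{
	int err = -EINVAL;
	void **regions = track_alloc(MAX_REGIONS * sizeof(*regions));

	if (!regions)
		return -ENOMEM;
	switch (type) {
	case PLAT_A:
		err = 0;	/* platform-specific setup would go here */
		break;
	default:
		return err;	/* BUG: regions is never freed */
	}
	track_free(regions);	/* model teardown on the normal path */
	return err;
}

/* "After" shape: every exit after the allocation funnels through one
 * label, and err already holds a real error code before the switch, so
 * the default arm cannot report success. */
static int region_init_fixed(int type)
{
	int err = -EINVAL;
	void **regions = track_alloc(MAX_REGIONS * sizeof(*regions));

	if (!regions)
		return -ENOMEM;
	switch (type) {
	case PLAT_A:
		err = 0;
		break;
	default:
		goto free_regions;
	}
free_regions:
	track_free(regions);
	return err;
}

/* Model of mlx4_en_copy_priv(): on its own failure path it frees what it
 * allocated, so tmp->tx_cq is dead unless the caller checks the result. */
struct priv {
	char *tx_cq;
};

static int priv_copy(struct priv *tmp, int simulate_failure)
{
	tmp->tx_cq = track_alloc(16);
	if (!tmp->tx_cq)
		return -ENOMEM;
	if (simulate_failure) {
		track_free(tmp->tx_cq);
		tmp->tx_cq = NULL; /* defensive: a later bug becomes a NULL deref, not a UAF */
		return -EIO;
	}
	return 0;
}

/* Fixed caller shape: check the helper's result before touching tmp->tx_cq. */
static int try_alloc_resources(int simulate_failure)
{
	struct priv tmp = { 0 };
	int ret = priv_copy(&tmp, simulate_failure);

	if (ret) {
		fprintf(stderr, "priv_copy() failed, err %d\n", ret);
		return ret;	/* the unchecked version would use tmp.tx_cq here */
	}
	tmp.tx_cq[0] = 1;	/* safe: the copy succeeded */
	track_free(tmp.tx_cq);
	return 0;
}

int main(void)
{
	printf("fixed, bad type: %d live=%d\n", region_init_fixed(99), live_allocs);
	printf("copy failure: %d live=%d\n", try_alloc_resources(1), live_allocs);
	printf("leaky, bad type: %d live=%d\n", region_init_leaky(99), live_allocs);
	return 0;
}
```

Running it shows live_allocs returning to zero after the fixed paths and staying at one after region_init_leaky(), which is exactly the signal kmemleak gives for the unpatched rvu_mbox_init(). The `tmp->tx_cq = NULL` after the free in priv_copy() is a caveat the patches do not need but a defender should want: when a callee frees a buffer the caller can still see, nulling the pointer turns any future missed check into a crash rather than a silent use-after-free.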

* [PATCH 5.10 000/130] 5.10.84-rc1 review
@ 2021-12-06 14:55  3% Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.10 067/130] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.10 071/130] net/mlx4_en: Fix a use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
  0 siblings, 2 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.10.84 release.
There are 130 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 08 Dec 2021 14:55:37 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.84-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.10.84-rc1

Wei Yongjun <weiyongjun1@huawei.com>
    ipmi: msghandler: Make symbol 'remove_work_wq' static

Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
    net/tls: Fix authentication failure in CCM mode

Helge Deller <deller@gmx.de>
    parisc: Mark cr16 CPU clocksource unstable on all SMP machines

Mordechay Goodstein <mordechay.goodstein@intel.com>
    iwlwifi: mvm: retry init flow if failed

Lukas Wunner <lukas@wunner.de>
    serial: 8250: Fix RTS modem control while in rs485 mode

Jay Dolan <jay.dolan@accesio.com>
    serial: 8250_pci: rewrite pericom_do_set_divisor()

Jay Dolan <jay.dolan@accesio.com>
    serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array

Johan Hovold <johan@kernel.org>
    serial: core: fix transmit-buffer reset and memleak

Patrik John <patrik.john@u-blox.com>
    serial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30

Pierre Gondois <Pierre.Gondois@arm.com>
    serial: pl011: Add ACPI SBSA UART match id

Sven Eckelmann <sven@narfation.org>
    tty: serial: msm_serial: Deactivate RX DMA for polling support

Joerg Roedel <jroedel@suse.de>
    x86/64/mm: Map all kernel memory into trampoline_pgd

Feng Tang <feng.tang@intel.com>
    x86/tsc: Disable clocksource watchdog for TSC on qualified platforms

Feng Tang <feng.tang@intel.com>
    x86/tsc: Add a timer to make sure TSC_adjust is always checked

Badhri Jagan Sridharan <badhri@google.com>
    usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect

Ole Ernst <olebowle@gmx.com>
    USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Fix command ring abort, write all 64 bits to CRCR register.

Maciej W. Rozycki <macro@orcam.me.uk>
    vgacon: Propagate console boot parameters before calling `vc_resize'

Helge Deller <deller@gmx.de>
    parisc: Fix "make install" on newer debian releases

Helge Deller <deller@gmx.de>
    parisc: Fix KBUILD_IMAGE for self-extracting kernel

Lai Jiangshan <laijs@linux.alibaba.com>
    x86/entry: Add a fence for kernel entry SWAPGS in paranoid_entry()

Juergen Gross <jgross@suse.com>
    x86/pv: Switch SWAPGS to ALTERNATIVE

Qais Yousef <qais.yousef@arm.com>
    sched/uclamp: Fix rq->uclamp_max not set on first enqueue

Lai Jiangshan <laijs@linux.alibaba.com>
    x86/xen: Add xenpv_restore_regs_and_return_to_usermode()

Lai Jiangshan <laijs@linux.alibaba.com>
    x86/entry: Use the correct fence macro after swapgs in kernel CR3

Michael Sterritt <sterritt@google.com>
    x86/sev: Fix SEV-ES INS/OUTS instructions for word, dword, and qword

Dan Carpenter <dan.carpenter@oracle.com>
    KVM: VMX: Set failure code in prepare_vmcs02()

Like Xu <likexu@tencent.com>
    KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln register

Sameer Saurabh <ssaurabh@marvell.com>
    atlantic: Remove warn trace message.

Dmitry Bogdanov <dbezrukov@marvell.com>
    atlantic: Fix statistics logic for production hardware

Sameer Saurabh <ssaurabh@marvell.com>
    Remove Half duplex mode speed capabilities.

Nikita Danilov <ndanilov@aquantia.com>
    atlantic: Add missing DIDs and fix 115c.

Sameer Saurabh <ssaurabh@marvell.com>
    atlantic: Fix to display FW bundle version instead of FW mac version.

Nikita Danilov <ndanilov@aquantia.com>
    atlatnic: enable Nbase-t speeds with base-t

Dmitry Bogdanov <dbezrukov@marvell.com>
    atlantic: Increase delay for fw transactions

Rob Clark <robdclark@chromium.org>
    drm/msm: Do hw_init() before capturing GPU state

Douglas Anderson <dianders@chromium.org>
    drm/msm/a6xx: Allocate enough space for GMU registers

Tony Lu <tonylu@linux.alibaba.com>
    net/smc: Keep smc_close_final rc during active close

William Kucharski <william.kucharski@oracle.com>
    net/rds: correct socket tunable error in rds_tcp_tune()

Dust Li <dust.li@linux.alibaba.com>
    net/smc: fix wrong list_del in smc_lgr_cleanup_early

Eric Dumazet <edumazet@google.com>
    ipv4: convert fib_num_tclassid_users to atomic_t

Eric Dumazet <edumazet@google.com>
    net: annotate data-races on txq->xmit_lock_owner

Dongliang Mu <mudongliangabcd@gmail.com>
    dpaa2-eth: destroy workqueue at the end of remove function

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    net: marvell: mvpp2: Fix the computation of shared CPUs

Sven Schuchmann <schuchmann@schleissheimer.de>
    net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ALSA: intel-dsp-config: add quirk for CML devices based on ES8336 codec

Eiichi Tsukata <eiichi.tsukata@nutanix.com>
    rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()

Eiichi Tsukata <eiichi.tsukata@nutanix.com>
    rxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle()

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in AHUB

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in DSPK

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in DMIC

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in I2S

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix kcontrol put callback in ADMAIF

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in DSPK

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in DMIC

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in I2S

Sameer Pujar <spujar@nvidia.com>
    ASoC: tegra: Fix wrong value type in ADMAIF

Lorenzo Bianconi <lorenzo@kernel.org>
    mt76: mt7915: fix NULL pointer dereference in mt7915_get_phy_mode

Li Zhijian <lizhijian@cn.fujitsu.com>
    selftests: net: Correct case name

Zhou Qingyang <zhou1615@umn.edu>
    net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

Mark Rutland <mark.rutland@arm.com>
    arm64: ftrace: add missing BTIs

Arnd Bergmann <arnd@arndb.de>
    siphash: use _unaligned version by default

Benjamin Poirier <bpoirier@nvidia.com>
    net: mpls: Fix notifications when deleting a device

Zhou Qingyang <zhou1615@umn.edu>
    net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

Paolo Abeni <pabeni@redhat.com>
    tcp: fix page frag corruption on page fault

Randy Dunlap <rdunlap@infradead.org>
    natsemi: xtensa: fix section mismatch warnings

Aaro Koskinen <aaro.koskinen@iki.fi>
    i2c: cbus-gpio: set atomic transfer callback

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: stop dma transfer in case of NACK

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: recover the bus on access timeout

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: flush TX FIFO upon transfer errors

Gustavo A. R. Silva <gustavoars@kernel.org>
    wireguard: ratelimiter: use kvcalloc() instead of kvzalloc()

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: receive: drop handshakes if queue lock is contended

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: receive: use ring buffer for incoming handshakes

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: device: reset peer src endpoint when netns exits

Li Zhijian <lizhijian@cn.fujitsu.com>
    wireguard: selftests: rename DEBUG_PI_LIST to DEBUG_PLIST

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: selftests: actually test for routing loops

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: allowedips: add missing __rcu annotation to satisfy sparse

Jason A. Donenfeld <Jason@zx2c4.com>
    wireguard: selftests: increase default dmesg log size

Yifan Zhang <yifan1.zhang@amd.com>
    drm/amdkfd: fix boot failure when iommu is disabled in Picasso.

Yifan Zhang <yifan1.zhang@amd.com>
    drm/amdgpu: init iommu after amdkfd device init

James Zhu <James.Zhu@amd.com>
    drm/amdgpu: move iommu_resume before ip init/resume

James Zhu <James.Zhu@amd.com>
    drm/amdgpu: add amdgpu_amdkfd_resume_iommu

James Zhu <James.Zhu@amd.com>
    drm/amdkfd: separate kfd_iommu_resume from kfd_resume

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing/histograms: String compares should not care about signed values

Lai Jiangshan <laijs@linux.alibaba.com>
    KVM: X86: Use vcpu->arch.walk_mmu for kvm_mmu_invlpg()

Catalin Marinas <catalin.marinas@arm.com>
    KVM: arm64: Avoid setting the upper 32 bits of TCR_EL2 and CPTR_EL2 to 1

Paolo Bonzini <pbonzini@redhat.com>
    KVM: x86: Use a stable condition around all VT-d PI paths

Sean Christopherson <seanjc@google.com>
    KVM: nVMX: Flush current VPID (L1 vs. L2) for KVM_REQ_TLB_FLUSH_GUEST

Sean Christopherson <seanjc@google.com>
    KVM: Disallow user memslot with size that exceeds "unsigned long"

Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    drm/amd/display: Allow DSC on supported MST branch devices

msizanoen1 <msizanoen@qtmlabs.xyz>
    ipv6: fix memory leak in fib6_rule_suppress

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

Linus Torvalds <torvalds@linux-foundation.org>
    fget: check that the fd still exists after getting a ref to it

Niklas Schnelle <schnelle@linux.ibm.com>
    s390/pci: move pseudo-MMIO to prevent MIO overlap

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink()

Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
    ipmi: Move remove_work to dedicated workqueue

Stanislaw Gruszka <stf_xl@wp.pl>
    rt2x00: do not mark device gone on EPROTO errors during start

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Limit max data_size of the kretprobe instances

Stephen Suryaputra <ssuryaextr@gmail.com>
    vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit

Mario Limonciello <mario.limonciello@amd.com>
    ACPI: Add stubs for wakeup handler functions

Wen Gu <guwen@linux.alibaba.com>
    net/smc: Avoid warning of possible recursive locking

Ian Rogers <irogers@google.com>
    perf report: Fix memory leaks around perf_tip()

Ian Rogers <irogers@google.com>
    perf hist: Fix memory leak of a perf_hpp_fmt

German Gomez <german.gomez@arm.com>
    perf inject: Fix ARM SPE handling

Teng Qi <starmiku1207184332@gmail.com>
    net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()

zhangyue <zhangyue1@kylinos.cn>
    net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound

Jordy Zomer <jordy@pwning.systems>
    ipv6: check return value of ipv6_skip_exthdr

Teng Qi <starmiku1207184332@gmail.com>
    ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

Mario Limonciello <mario.limonciello@amd.com>
    ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile

Bernard Zhao <bernard@vivo.com>
    drm/amd/amdgpu: fix potential memleak

shaoyunl <shaoyun.liu@amd.com>
    drm/amd/amdkfd: Fix kernel panic when reset failed and been triggered again

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Unblock session then wake up error handler

Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
    thermal: core: Reset previous low and high trip during thermal zone init

Wang Yugui <wangyugui@e16-tech.com>
    btrfs: check-integrity: fix a warning on write caching disabled disk

Vasily Gorbik <gor@linux.ibm.com>
    s390/setup: avoid using memblock_enforce_memory_limit

Slark Xiao <slark_xiao@163.com>
    platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep

Jimmy Wang <jimmy221b@163.com>
    platform/x86: thinkpad_acpi: Add support for dual fan control

liuguoqiang <liuguoqiang@uniontech.com>
    net: return correct error code

Zekun Shen <bruceshenzk@gmail.com>
    atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

Wen Gu <guwen@linux.alibaba.com>
    net/smc: Transfer remaining wait queue entries during fallback

Xing Song <xing.song@mediatek.com>
    mac80211: do not access the IV when it was stripped

Julian Braha <julianbraha@gmail.com>
    drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY

Alexey Kardashevskiy <aik@ozlabs.ru>
    powerpc/pseries/ddw: Revert "Extend upper limit for huge DMA window for persistent memory"

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix length of holes reported at end-of-file

Bob Peterson <rpeterso@redhat.com>
    gfs2: release iopen glock early in evict

Miklos Szeredi <mszeredi@redhat.com>
    ovl: fix deadlock in splice write

Miklos Szeredi <mszeredi@redhat.com>
    ovl: simplify file splice

Zhang Changzhong <zhangchangzhong@huawei.com>
    can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM

Benjamin Coddington <bcodding@redhat.com>
    NFSv42: Fix pagecache invalidation after COPY/CLONE


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/arm64/include/asm/kvm_arm.h                   |   4 +-
 arch/arm64/kernel/entry-ftrace.S                   |   6 +
 arch/parisc/Makefile                               |   5 +
 arch/parisc/install.sh                             |   1 +
 arch/parisc/kernel/time.c                          |  24 +-
 arch/powerpc/platforms/pseries/iommu.c             |   9 -
 arch/s390/include/asm/pci_io.h                     |   7 +-
 arch/s390/kernel/setup.c                           |   3 -
 arch/x86/entry/entry_64.S                          |  45 ++--
 arch/x86/include/asm/irqflags.h                    |  20 +-
 arch/x86/include/asm/paravirt.h                    |  20 --
 arch/x86/include/asm/paravirt_types.h              |   2 -
 arch/x86/kernel/asm-offsets_64.c                   |   1 -
 arch/x86/kernel/paravirt.c                         |   1 -
 arch/x86/kernel/paravirt_patch.c                   |   3 -
 arch/x86/kernel/sev-es.c                           |  57 ++--
 arch/x86/kernel/tsc.c                              |  28 +-
 arch/x86/kernel/tsc_sync.c                         |  41 +++
 arch/x86/kvm/mmu/mmu.c                             |   2 +-
 arch/x86/kvm/svm/pmu.c                             |   2 +-
 arch/x86/kvm/vmx/nested.c                          |   4 +-
 arch/x86/kvm/vmx/posted_intr.c                     |  20 +-
 arch/x86/kvm/vmx/vmx.c                             |  23 +-
 arch/x86/realmode/init.c                           |  12 +-
 arch/x86/xen/enlighten_pv.c                        |   3 -
 arch/x86/xen/xen-asm.S                             |  20 ++
 drivers/ata/ahci.c                                 |   1 +
 drivers/ata/sata_fsl.c                             |  20 +-
 drivers/char/ipmi/ipmi_msghandler.c                |  13 +-
 drivers/cpufreq/cpufreq.c                          |   9 +-
 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c         |  10 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h         |   2 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_device.c         |   8 +
 drivers/gpu/drm/amd/amdgpu/amdgpu_xgmi.c           |   1 +
 drivers/gpu/drm/amd/amdkfd/kfd_device.c            |  15 +-
 .../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c  |   5 +
 .../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c    |  20 +-
 drivers/gpu/drm/msm/adreno/a6xx_gpu_state.c        |   4 +-
 drivers/gpu/drm/msm/msm_debugfs.c                  |   1 +
 drivers/gpu/drm/sun4i/Kconfig                      |   1 +
 drivers/i2c/busses/i2c-cbus-gpio.c                 |   5 +-
 drivers/i2c/busses/i2c-stm32f7.c                   |  31 ++-
 drivers/net/ethernet/aquantia/atlantic/aq_common.h |  27 +-
 drivers/net/ethernet/aquantia/atlantic/aq_hw.h     |   2 +
 drivers/net/ethernet/aquantia/atlantic/aq_nic.c    |  10 +-
 .../net/ethernet/aquantia/atlantic/aq_pci_func.c   |   7 +-
 drivers/net/ethernet/aquantia/atlantic/aq_vec.c    |   3 -
 .../aquantia/atlantic/hw_atl/hw_atl_utils.c        |  25 +-
 .../aquantia/atlantic/hw_atl/hw_atl_utils_fw2x.c   |   3 -
 .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.c   |  22 +-
 .../ethernet/aquantia/atlantic/hw_atl2/hw_atl2.h   |   2 +
 .../aquantia/atlantic/hw_atl2/hw_atl2_utils.h      |  38 ++-
 .../aquantia/atlantic/hw_atl2/hw_atl2_utils_fw.c   | 110 ++++++--
 drivers/net/ethernet/dec/tulip/de4x5.c             |  34 ++-
 drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c   |   2 +
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |   4 +
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c    |   2 +-
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |   9 +-
 drivers/net/ethernet/natsemi/xtsonic.c             |   2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c    |  10 +-
 drivers/net/usb/lan78xx.c                          |   2 +-
 drivers/net/vrf.c                                  |   2 +
 drivers/net/wireguard/allowedips.c                 |   2 +-
 drivers/net/wireguard/device.c                     |  39 +--
 drivers/net/wireguard/device.h                     |   9 +-
 drivers/net/wireguard/queueing.c                   |   6 +-
 drivers/net/wireguard/queueing.h                   |   2 +-
 drivers/net/wireguard/ratelimiter.c                |   4 +-
 drivers/net/wireguard/receive.c                    |  39 +--
 drivers/net/wireguard/socket.c                     |   2 +-
 drivers/net/wireless/intel/iwlwifi/iwl-drv.c       |  22 +-
 drivers/net/wireless/intel/iwlwifi/iwl-drv.h       |   3 +
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c  |  24 +-
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h       |   3 +
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c       |   3 +
 drivers/net/wireless/mediatek/mt76/mt7915/mcu.c    |   4 +-
 drivers/net/wireless/ralink/rt2x00/rt2x00usb.c     |   3 +
 drivers/platform/x86/thinkpad_acpi.c               |  13 +-
 drivers/scsi/scsi_transport_iscsi.c                |   6 +-
 drivers/thermal/thermal_core.c                     |   2 +
 drivers/tty/serial/8250/8250_pci.c                 |  39 ++-
 drivers/tty/serial/8250/8250_port.c                |   7 -
 drivers/tty/serial/amba-pl011.c                    |   1 +
 drivers/tty/serial/msm_serial.c                    |   3 +
 drivers/tty/serial/serial-tegra.c                  |   4 +-
 drivers/tty/serial/serial_core.c                   |  18 +-
 drivers/usb/core/quirks.c                          |   3 +
 drivers/usb/host/xhci-ring.c                       |  21 +-
 drivers/usb/typec/tcpm/tcpm.c                      |   4 -
 drivers/video/console/vgacon.c                     |  14 +-
 fs/btrfs/disk-io.c                                 |  14 +-
 fs/file.c                                          |   4 +
 fs/gfs2/bmap.c                                     |   2 +-
 fs/gfs2/super.c                                    |  14 +-
 fs/nfs/nfs42proc.c                                 |   5 +-
 fs/overlayfs/file.c                                |  59 ++--
 include/linux/acpi.h                               |   9 +
 include/linux/kprobes.h                            |   2 +
 include/linux/netdevice.h                          |  19 +-
 include/linux/siphash.h                            |  14 +-
 include/net/dst_cache.h                            |  11 +
 include/net/fib_rules.h                            |   4 +-
 include/net/ip_fib.h                               |   2 +-
 include/net/netns/ipv4.h                           |   2 +-
 include/net/sock.h                                 |  13 +-
 kernel/kprobes.c                                   |   3 +
 kernel/sched/core.c                                |   2 +-
 kernel/trace/trace_events_hist.c                   |   2 +-
 lib/siphash.c                                      |  12 +-
 net/can/j1939/transport.c                          |   6 +
 net/core/dev.c                                     |   5 +-
 net/core/dst_cache.c                               |  19 ++
 net/core/fib_rules.c                               |   2 +-
 net/ipv4/devinet.c                                 |   2 +-
 net/ipv4/fib_frontend.c                            |   2 +-
 net/ipv4/fib_rules.c                               |   5 +-
 net/ipv4/fib_semantics.c                           |   4 +-
 net/ipv6/esp6.c                                    |   6 +
 net/ipv6/fib6_rules.c                              |   4 +-
 net/mac80211/rx.c                                  |   3 +-
 net/mpls/af_mpls.c                                 |  68 +++--
 net/rds/tcp.c                                      |   2 +-
 net/rxrpc/conn_client.c                            |  14 +-
 net/rxrpc/peer_object.c                            |  14 +-
 net/smc/af_smc.c                                   |  14 +
 net/smc/smc_close.c                                |   8 +-
 net/smc/smc_core.c                                 |   7 +-
 net/tls/tls_sw.c                                   |   4 +-
 sound/hda/intel-dsp-config.c                       |  10 +
 sound/soc/tegra/tegra186_dspk.c                    | 181 ++++++++++---
 sound/soc/tegra/tegra210_admaif.c                  | 140 +++++++---
 sound/soc/tegra/tegra210_ahub.c                    |  11 +-
 sound/soc/tegra/tegra210_dmic.c                    | 184 ++++++++++---
 sound/soc/tegra/tegra210_i2s.c                     | 296 ++++++++++++++++-----
 tools/perf/builtin-report.c                        |  15 +-
 tools/perf/ui/hist.c                               |  28 +-
 tools/perf/util/arm-spe.c                          |  15 ++
 tools/perf/util/hist.h                             |   1 -
 tools/perf/util/util.c                             |  14 +-
 tools/perf/util/util.h                             |   2 +-
 tools/testing/selftests/net/fcnal-test.sh          |   4 +-
 tools/testing/selftests/wireguard/netns.sh         |  30 ++-
 .../testing/selftests/wireguard/qemu/debug.config  |   2 +-
 .../testing/selftests/wireguard/qemu/kernel.config |   1 +
 virt/kvm/kvm_main.c                                |   3 +-
 146 files changed, 1760 insertions(+), 688 deletions(-)


* [PATCH 5.10 071/130] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
  2021-12-06 14:55  3% [PATCH 5.10 000/130] 5.10.84-rc1 review Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.10 067/130] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  1 sibling, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Leon Romanovsky,
	Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit addad7643142f500080417dd7272f49b7a185570 upstream.

In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
After that mlx4_en_alloc_resources() is called and there is a dereference
of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
a use after free problem on failure of mlx4_en_copy_priv().

Fix this bug by adding a check of mlx4_en_copy_priv().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_MLX4_EN=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/20211130164438.190591-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -2276,9 +2276,14 @@ int mlx4_en_try_alloc_resources(struct m
 				bool carry_xdp_prog)
 {
 	struct bpf_prog *xdp_prog;
-	int i, t;
+	int i, t, ret;
 
-	mlx4_en_copy_priv(tmp, priv, prof);
+	ret = mlx4_en_copy_priv(tmp, priv, prof);
+	if (ret) {
+		en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n",
+			__func__);
+		return ret;
+	}
 
 	if (mlx4_en_alloc_resources(tmp)) {
 		en_warn(priv,
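Review bot: the early return added right after mlx4_en_copy_priv() is only correct if that function leaves nothing in tmp for the caller to release; the commit message says tmp->tx_cq is freed on its own error path, so please confirm no other member of tmp is expected to be torn down by mlx4_en_try_alloc_resources() after a non-zero return. Minor: the new en_warn() drops the error code, which is the one thing a bug report would need; suggest "%s: mlx4_en_copy_priv() failed, return %d\n", __func__, ret.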


* [PATCH 5.4 37/70] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
  2021-12-06 14:56  4% [PATCH 5.4 00/70] 5.4.164-rc1 review Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.4 40/70] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
  1 sibling, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit e2dabc4f7e7b60299c20a36d6a7b24ed9bf8e572 upstream.

In qlcnic_83xx_add_rings(), the indirect function of
ahw->hw_ops->alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(); this patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 7f9664525f9c ("qlcnic: 83xx memory map and HW access routine")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130110848.109026-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
@@ -1079,8 +1079,14 @@ static int qlcnic_83xx_add_rings(struct
 	sds_mbx_size = sizeof(struct qlcnic_sds_mbx);
 	context_id = recv_ctx->context_id;
 	num_sds = adapter->drv_sds_rings - QLCNIC_MAX_SDS_RINGS;
-	ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
-				    QLCNIC_CMD_ADD_RCV_RINGS);
+	err = ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
+					QLCNIC_CMD_ADD_RCV_RINGS);
+	if (err) {
+		dev_err(&adapter->pdev->dev,
+			"Failed to alloc mbx args %d\n", err);
+		return err;
+	}
+
 	cmd.req.arg[1] = 0 | (num_sds << 8) | (context_id << 16);
 
 	/* set up status rings, mbx 2-81 */
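Review bot: the hunk assigns to err without declaring it, so it relies on err already being a local of qlcnic_83xx_add_rings() whose declaration lies outside the shown context; please confirm that, and that reusing it here does not clobber a value the later mailbox-command path still needs. The early return itself looks safe as shown, since the only work preceding the call in this context is the assignment of the three locals, which matches the commit message's statement that the error handling mirrors mbx_cmd(). Style: the continuation line carrying QLCNIC_CMD_ADD_RCV_RINGS was aligned with the opening parenthesis in the removed lines but is tab-only in the added ones; keep the parenthesis alignment the surrounding code uses.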


* [PATCH 5.10 067/130] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
  2021-12-06 14:55  3% [PATCH 5.10 000/130] 5.10.84-rc1 review Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.10 071/130] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
  1 sibling, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit e2dabc4f7e7b60299c20a36d6a7b24ed9bf8e572 upstream.

In qlcnic_83xx_add_rings(), the indirect function of
ahw->hw_ops->alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(); this patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 7f9664525f9c ("qlcnic: 83xx memory map and HW access routine")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130110848.109026-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
@@ -1077,8 +1077,14 @@ static int qlcnic_83xx_add_rings(struct
 	sds_mbx_size = sizeof(struct qlcnic_sds_mbx);
 	context_id = recv_ctx->context_id;
 	num_sds = adapter->drv_sds_rings - QLCNIC_MAX_SDS_RINGS;
-	ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
-				    QLCNIC_CMD_ADD_RCV_RINGS);
+	err = ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
+					QLCNIC_CMD_ADD_RCV_RINGS);
+	if (err) {
+		dev_err(&adapter->pdev->dev,
+			"Failed to alloc mbx args %d\n", err);
+		return err;
+	}
+
 	cmd.req.arg[1] = 0 | (num_sds << 8) | (context_id << 16);
 
 	/* set up status rings, mbx 2-81 */
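Review bot: same concern as the 5.4 backport of this commit: err is assigned but not declared in the hunk, so the patch depends on an existing local named err in qlcnic_83xx_add_rings() that is not visible in this context; confirm it exists in the 5.10 tree and is not still carrying a value needed further down. Returning before cmd.req.arg[1] is touched is consistent with the described intent, because on an alloc_mbx_args() failure cmd.req.arg is exactly the pointer that must not be dereferenced. Style: the added continuation line for QLCNIC_CMD_ADD_RCV_RINGS loses the parenthesis alignment the removed lines had.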


* [PATCH 5.4 00/70] 5.4.164-rc1 review
@ 2021-12-06 14:56  4% Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.4 37/70] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.4 40/70] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
  0 siblings, 2 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.4.164 release.
There are 70 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 08 Dec 2021 14:55:37 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.164-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.4.164-rc1

Wei Yongjun <weiyongjun1@huawei.com>
    ipmi: msghandler: Make symbol 'remove_work_wq' static

Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
    net/tls: Fix authentication failure in CCM mode

Helge Deller <deller@gmx.de>
    parisc: Mark cr16 CPU clocksource unstable on all SMP machines

Mordechay Goodstein <mordechay.goodstein@intel.com>
    iwlwifi: mvm: retry init flow if failed

Jay Dolan <jay.dolan@accesio.com>
    serial: 8250_pci: rewrite pericom_do_set_divisor()

Jay Dolan <jay.dolan@accesio.com>
    serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array

Johan Hovold <johan@kernel.org>
    serial: core: fix transmit-buffer reset and memleak

Pierre Gondois <Pierre.Gondois@arm.com>
    serial: pl011: Add ACPI SBSA UART match id

Sven Eckelmann <sven@narfation.org>
    tty: serial: msm_serial: Deactivate RX DMA for polling support

Joerg Roedel <jroedel@suse.de>
    x86/64/mm: Map all kernel memory into trampoline_pgd

Feng Tang <feng.tang@intel.com>
    x86/tsc: Disable clocksource watchdog for TSC on qualified platorms

Feng Tang <feng.tang@intel.com>
    x86/tsc: Add a timer to make sure TSC_adjust is always checked

Badhri Jagan Sridharan <badhri@google.com>
    usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect

Ole Ernst <olebowle@gmx.com>
    USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Fix commad ring abort, write all 64 bits to CRCR register.

Maciej W. Rozycki <macro@orcam.me.uk>
    vgacon: Propagate console boot parameters before calling `vc_resize'

Helge Deller <deller@gmx.de>
    parisc: Fix "make install" on newer debian releases

Helge Deller <deller@gmx.de>
    parisc: Fix KBUILD_IMAGE for self-extracting kernel

Qais Yousef <qais.yousef@arm.com>
    sched/uclamp: Fix rq->uclamp_max not set on first enqueue

Like Xu <likexu@tencent.com>
    KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln register

msizanoen1 <msizanoen@qtmlabs.xyz>
    ipv6: fix memory leak in fib6_rule_suppress

Rob Clark <robdclark@chromium.org>
    drm/msm: Do hw_init() before capturing GPU state

Tony Lu <tonylu@linux.alibaba.com>
    net/smc: Keep smc_close_final rc during active close

William Kucharski <william.kucharski@oracle.com>
    net/rds: correct socket tunable error in rds_tcp_tune()

Eric Dumazet <edumazet@google.com>
    ipv4: convert fib_num_tclassid_users to atomic_t

Eric Dumazet <edumazet@google.com>
    net: annotate data-races on txq->xmit_lock_owner

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    net: marvell: mvpp2: Fix the computation of shared CPUs

Sven Schuchmann <schuchmann@schleissheimer.de>
    net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available

Eiichi Tsukata <eiichi.tsukata@nutanix.com>
    rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()

Li Zhijian <lizhijian@cn.fujitsu.com>
    selftests: net: Correct case name

Zhou Qingyang <zhou1615@umn.edu>
    net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

Arnd Bergmann <arnd@arndb.de>
    siphash: use _unaligned version by default

Benjamin Poirier <bpoirier@nvidia.com>
    net: mpls: Fix notifications when deleting a device

Zhou Qingyang <zhou1615@umn.edu>
    net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

Randy Dunlap <rdunlap@infradead.org>
    natsemi: xtensa: fix section mismatch warnings

Aaro Koskinen <aaro.koskinen@iki.fi>
    i2c: cbus-gpio: set atomic transfer callback

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: stop dma transfer in case of NACK

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: recover the bus on access timeout

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: flush TX FIFO upon transfer errors

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

Linus Torvalds <torvalds@linux-foundation.org>
    fget: check that the fd still exists after getting a ref to it

Niklas Schnelle <schnelle@linux.ibm.com>
    s390/pci: move pseudo-MMIO to prevent MIO overlap

Xiongfeng Wang <wangxiongfeng2@huawei.com>
    cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink()

Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
    ipmi: Move remove_work to dedicated workqueue

Stanislaw Gruszka <stf_xl@wp.pl>
    rt2x00: do not mark device gone on EPROTO errors during start

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Limit max data_size of the kretprobe instances

Stephen Suryaputra <ssuryaextr@gmail.com>
    vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit

Wen Gu <guwen@linux.alibaba.com>
    net/smc: Avoid warning of possible recursive locking

Ian Rogers <irogers@google.com>
    perf report: Fix memory leaks around perf_tip()

Ian Rogers <irogers@google.com>
    perf hist: Fix memory leak of a perf_hpp_fmt

Teng Qi <starmiku1207184332@gmail.com>
    net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()

zhangyue <zhangyue1@kylinos.cn>
    net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound

Teng Qi <starmiku1207184332@gmail.com>
    ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

Mario Limonciello <mario.limonciello@amd.com>
    ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Unblock session then wake up error handler

Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
    thermal: core: Reset previous low and high trip during thermal zone init

Wang Yugui <wangyugui@e16-tech.com>
    btrfs: check-integrity: fix a warning on write caching disabled disk

Vasily Gorbik <gor@linux.ibm.com>
    s390/setup: avoid using memblock_enforce_memory_limit

Slark Xiao <slark_xiao@163.com>
    platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep

liuguoqiang <liuguoqiang@uniontech.com>
    net: return correct error code

Zekun Shen <bruceshenzk@gmail.com>
    atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

Wen Gu <guwen@linux.alibaba.com>
    net/smc: Transfer remaining wait queue entries during fallback

Xing Song <xing.song@mediatek.com>
    mac80211: do not access the IV when it was stripped

Julian Braha <julianbraha@gmail.com>
    drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix length of holes reported at end-of-file

Zhang Changzhong <zhangchangzhong@huawei.com>
    can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM

Russell King <rmk+kernel@armlinux.org.uk>
    arm64: dts: mcbin: support 2W SFP modules

Geert Uytterhoeven <geert+renesas@glider.be>
    of: clk: Make <linux/of_clk.h> self-contained

Benjamin Coddington <bcodding@redhat.com>
    NFSv42: Fix pagecache invalidation after COPY/CLONE


-------------

Diffstat:

 Makefile                                           |  4 +-
 arch/arm64/boot/dts/marvell/armada-8040-mcbin.dtsi |  3 +
 arch/parisc/Makefile                               |  5 ++
 arch/parisc/install.sh                             |  1 +
 arch/parisc/kernel/time.c                          | 24 ++------
 arch/s390/include/asm/pci_io.h                     |  7 ++-
 arch/s390/kernel/setup.c                           |  3 -
 arch/x86/kernel/tsc.c                              | 28 +++++++--
 arch/x86/kernel/tsc_sync.c                         | 41 +++++++++++++
 arch/x86/kvm/pmu_amd.c                             |  2 +-
 arch/x86/realmode/init.c                           | 12 +++-
 drivers/ata/ahci.c                                 |  1 +
 drivers/ata/sata_fsl.c                             | 20 ++++---
 drivers/char/ipmi/ipmi_msghandler.c                | 13 ++++-
 drivers/cpufreq/cpufreq.c                          |  9 ++-
 drivers/gpu/drm/msm/msm_debugfs.c                  |  1 +
 drivers/gpu/drm/sun4i/Kconfig                      |  1 +
 drivers/i2c/busses/i2c-cbus-gpio.c                 |  5 +-
 drivers/i2c/busses/i2c-stm32f7.c                   | 31 +++++++++-
 .../aquantia/atlantic/hw_atl/hw_atl_utils.c        | 10 ++++
 drivers/net/ethernet/dec/tulip/de4x5.c             | 34 ++++++-----
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |  4 ++
 drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c    |  2 +-
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |  9 ++-
 drivers/net/ethernet/natsemi/xtsonic.c             |  2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c    | 10 +++-
 drivers/net/usb/lan78xx.c                          |  2 +-
 drivers/net/vrf.c                                  |  2 +
 drivers/net/wireless/intel/iwlwifi/iwl-drv.c       | 22 ++++---
 drivers/net/wireless/intel/iwlwifi/iwl-drv.h       |  3 +
 drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c  | 24 +++++++-
 drivers/net/wireless/intel/iwlwifi/mvm/mvm.h       |  3 +
 drivers/net/wireless/intel/iwlwifi/mvm/ops.c       |  3 +
 drivers/net/wireless/ralink/rt2x00/rt2x00usb.c     |  3 +
 drivers/platform/x86/thinkpad_acpi.c               | 12 ----
 drivers/scsi/scsi_transport_iscsi.c                |  6 +-
 drivers/thermal/thermal_core.c                     |  2 +
 drivers/tty/serial/8250/8250_pci.c                 | 39 ++++++++-----
 drivers/tty/serial/amba-pl011.c                    |  1 +
 drivers/tty/serial/msm_serial.c                    |  3 +
 drivers/tty/serial/serial_core.c                   | 13 ++++-
 drivers/usb/core/quirks.c                          |  3 +
 drivers/usb/host/xhci-ring.c                       | 21 ++++---
 drivers/usb/typec/tcpm/tcpm.c                      |  4 --
 drivers/video/console/vgacon.c                     | 14 +++--
 fs/btrfs/disk-io.c                                 | 14 ++++-
 fs/file.c                                          |  4 ++
 fs/gfs2/bmap.c                                     |  2 +-
 fs/nfs/nfs42proc.c                                 |  5 +-
 include/linux/kprobes.h                            |  2 +
 include/linux/netdevice.h                          | 19 ++++--
 include/linux/of_clk.h                             |  3 +
 include/linux/siphash.h                            | 14 ++---
 include/net/fib_rules.h                            |  2 +-
 include/net/ip_fib.h                               |  2 +-
 include/net/netns/ipv4.h                           |  2 +-
 kernel/kprobes.c                                   |  3 +
 kernel/sched/core.c                                |  2 +-
 lib/siphash.c                                      | 12 ++--
 net/can/j1939/transport.c                          |  6 ++
 net/core/dev.c                                     |  5 +-
 net/core/fib_rules.c                               |  2 +-
 net/ipv4/devinet.c                                 |  2 +-
 net/ipv4/fib_frontend.c                            |  2 +-
 net/ipv4/fib_rules.c                               |  6 +-
 net/ipv4/fib_semantics.c                           |  4 +-
 net/ipv6/fib6_rules.c                              |  5 +-
 net/mac80211/rx.c                                  |  3 +-
 net/mpls/af_mpls.c                                 | 68 +++++++++++++++++-----
 net/rds/tcp.c                                      |  2 +-
 net/rxrpc/peer_object.c                            | 14 +++--
 net/smc/af_smc.c                                   | 14 +++++
 net/smc/smc_close.c                                |  8 ++-
 net/tls/tls_sw.c                                   |  4 +-
 tools/perf/builtin-report.c                        | 15 +++--
 tools/perf/ui/hist.c                               | 28 ++++-----
 tools/perf/util/hist.h                             |  1 -
 tools/perf/util/util.c                             | 14 ++---
 tools/perf/util/util.h                             |  2 +-
 tools/testing/selftests/net/fcnal-test.sh          |  4 +-
 80 files changed, 532 insertions(+), 225 deletions(-)




* [PATCH 4.19 00/48] 4.19.220-rc1 review
@ 2021-12-06 14:56  5% Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 4.19 27/48] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 4.19 30/48] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
  0 siblings, 2 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 4.19.220 release.
There are 48 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 08 Dec 2021 14:55:37 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.220-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.19.220-rc1

Wei Yongjun <weiyongjun1@huawei.com>
    ipmi: msghandler: Make symbol 'remove_work_wq' static

Helge Deller <deller@gmx.de>
    parisc: Mark cr16 CPU clocksource unstable on all SMP machines

Johan Hovold <johan@kernel.org>
    serial: core: fix transmit-buffer reset and memleak

Pierre Gondois <Pierre.Gondois@arm.com>
    serial: pl011: Add ACPI SBSA UART match id

Sven Eckelmann <sven@narfation.org>
    tty: serial: msm_serial: Deactivate RX DMA for polling support

Joerg Roedel <jroedel@suse.de>
    x86/64/mm: Map all kernel memory into trampoline_pgd

Badhri Jagan Sridharan <badhri@google.com>
    usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect

Ole Ernst <olebowle@gmx.com>
    USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Fix commad ring abort, write all 64 bits to CRCR register.

Maciej W. Rozycki <macro@orcam.me.uk>
    vgacon: Propagate console boot parameters before calling `vc_resize'

Helge Deller <deller@gmx.de>
    parisc: Fix "make install" on newer debian releases

Helge Deller <deller@gmx.de>
    parisc: Fix KBUILD_IMAGE for self-extracting kernel

Rob Clark <robdclark@chromium.org>
    drm/msm: Do hw_init() before capturing GPU state

Tony Lu <tonylu@linux.alibaba.com>
    net/smc: Keep smc_close_final rc during active close

William Kucharski <william.kucharski@oracle.com>
    net/rds: correct socket tunable error in rds_tcp_tune()

Eric Dumazet <edumazet@google.com>
    net: annotate data-races on txq->xmit_lock_owner

Sven Schuchmann <schuchmann@schleissheimer.de>
    net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available

Eiichi Tsukata <eiichi.tsukata@nutanix.com>
    rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()

Zhou Qingyang <zhou1615@umn.edu>
    net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

Arnd Bergmann <arnd@arndb.de>
    siphash: use _unaligned version by default

Benjamin Poirier <bpoirier@nvidia.com>
    net: mpls: Fix notifications when deleting a device

Zhou Qingyang <zhou1615@umn.edu>
    net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

Randy Dunlap <rdunlap@infradead.org>
    natsemi: xtensa: fix section mismatch warnings

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: stop dma transfer in case of NACK

Alain Volmat <alain.volmat@foss.st.com>
    i2c: stm32f7: recover the bus on access timeout

Linus Torvalds <torvalds@linux-foundation.org>
    fget: check that the fd still exists after getting a ref to it

Jens Axboe <axboe@kernel.dk>
    fs: add fget_many() and fput_many()

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
    ipmi: Move remove_work to dedicated workqueue

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Limit max data_size of the kretprobe instances

Stephen Suryaputra <ssuryaextr@gmail.com>
    vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit

Ian Rogers <irogers@google.com>
    perf hist: Fix memory leak of a perf_hpp_fmt

Teng Qi <starmiku1207184332@gmail.com>
    net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()

zhangyue <zhangyue1@kylinos.cn>
    net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound

Teng Qi <starmiku1207184332@gmail.com>
    ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

Mario Limonciello <mario.limonciello@amd.com>
    ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Unblock session then wake up error handler

Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
    thermal: core: Reset previous low and high trip during thermal zone init

Wang Yugui <wangyugui@e16-tech.com>
    btrfs: check-integrity: fix a warning on write caching disabled disk

Vasily Gorbik <gor@linux.ibm.com>
    s390/setup: avoid using memblock_enforce_memory_limit

Slark Xiao <slark_xiao@163.com>
    platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep

liuguoqiang <liuguoqiang@uniontech.com>
    net: return correct error code

Zekun Shen <bruceshenzk@gmail.com>
    atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix length of holes reported at end-of-file

Geert Uytterhoeven <geert+renesas@glider.be>
    of: clk: Make <linux/of_clk.h> self-contained

Benjamin Coddington <bcodding@redhat.com>
    NFSv42: Fix pagecache invalidation after COPY/CLONE

Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
    shm: extend forced shm destroy to support objects from several IPC nses


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/parisc/Makefile                               |   5 +
 arch/parisc/install.sh                             |   1 +
 arch/parisc/kernel/time.c                          |  24 +--
 arch/s390/kernel/setup.c                           |   3 -
 arch/x86/realmode/init.c                           |  12 +-
 drivers/ata/ahci.c                                 |   1 +
 drivers/ata/sata_fsl.c                             |  20 ++-
 drivers/char/ipmi/ipmi_msghandler.c                |  13 +-
 drivers/gpu/drm/msm/msm_debugfs.c                  |   1 +
 drivers/i2c/busses/i2c-stm32f7.c                   |  11 +-
 .../aquantia/atlantic/hw_atl/hw_atl_utils.c        |  10 ++
 drivers/net/ethernet/dec/tulip/de4x5.c             |  34 ++--
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |   4 +
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |   9 +-
 drivers/net/ethernet/natsemi/xtsonic.c             |   2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c    |  10 +-
 drivers/net/usb/lan78xx.c                          |   2 +-
 drivers/net/vrf.c                                  |   2 +
 drivers/platform/x86/thinkpad_acpi.c               |  12 --
 drivers/scsi/scsi_transport_iscsi.c                |   6 +-
 drivers/thermal/thermal_core.c                     |   2 +
 drivers/tty/serial/amba-pl011.c                    |   1 +
 drivers/tty/serial/msm_serial.c                    |   3 +
 drivers/tty/serial/serial_core.c                   |  13 +-
 drivers/usb/core/quirks.c                          |   3 +
 drivers/usb/host/xhci-ring.c                       |  21 ++-
 drivers/usb/typec/tcpm.c                           |   4 -
 drivers/video/console/vgacon.c                     |  14 +-
 fs/btrfs/disk-io.c                                 |  14 +-
 fs/file.c                                          |  19 ++-
 fs/file_table.c                                    |   9 +-
 fs/gfs2/bmap.c                                     |   2 +-
 fs/nfs/nfs42proc.c                                 |   5 +-
 include/linux/file.h                               |   2 +
 include/linux/fs.h                                 |   4 +-
 include/linux/ipc_namespace.h                      |  15 ++
 include/linux/kprobes.h                            |   2 +
 include/linux/netdevice.h                          |  19 ++-
 include/linux/of_clk.h                             |   3 +
 include/linux/sched/task.h                         |   2 +-
 include/linux/siphash.h                            |  14 +-
 ipc/shm.c                                          | 189 ++++++++++++++++-----
 kernel/kprobes.c                                   |   3 +
 lib/siphash.c                                      |  12 +-
 net/core/dev.c                                     |   5 +-
 net/ipv4/devinet.c                                 |   2 +-
 net/mpls/af_mpls.c                                 |  68 ++++++--
 net/rds/tcp.c                                      |   2 +-
 net/rxrpc/peer_object.c                            |  14 +-
 net/smc/smc_close.c                                |   8 +-
 tools/perf/ui/hist.c                               |  28 +--
 tools/perf/util/hist.h                             |   1 -
 53 files changed, 481 insertions(+), 208 deletions(-)




* [PATCH 5.4 40/70] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
  2021-12-06 14:56  4% [PATCH 5.4 00/70] 5.4.164-rc1 review Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 5.4 37/70] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  1 sibling, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Leon Romanovsky,
	Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit addad7643142f500080417dd7272f49b7a185570 upstream.

In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
After that mlx4_en_alloc_resources() is called and there is a dereference
of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
a use after free problem on failure of mlx4_en_copy_priv().

Fix this bug by adding a check of mlx4_en_copy_priv().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_MLX4_EN=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/20211130164438.190591-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -2281,9 +2281,14 @@ int mlx4_en_try_alloc_resources(struct m
 				bool carry_xdp_prog)
 {
 	struct bpf_prog *xdp_prog;
-	int i, t;
+	int i, t, ret;
 
-	mlx4_en_copy_priv(tmp, priv, prof);
+	ret = mlx4_en_copy_priv(tmp, priv, prof);
+	if (ret) {
+		en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n",
+			__func__);
+		return ret;
+	}
 
 	if (mlx4_en_alloc_resources(tmp)) {
 		en_warn(priv,




* [PATCH 4.19 27/48] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
  2021-12-06 14:56  5% [PATCH 4.19 00/48] 4.19.220-rc1 review Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 4.19 30/48] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
  1 sibling, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit e2dabc4f7e7b60299c20a36d6a7b24ed9bf8e572 upstream.

In qlcnic_83xx_add_rings(), the indirect function of
ahw->hw_ops->alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(); this patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 7f9664525f9c ("qlcnic: 83xx memory map and HW access routine")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130110848.109026-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
@@ -1079,8 +1079,14 @@ static int qlcnic_83xx_add_rings(struct
 	sds_mbx_size = sizeof(struct qlcnic_sds_mbx);
 	context_id = recv_ctx->context_id;
 	num_sds = adapter->drv_sds_rings - QLCNIC_MAX_SDS_RINGS;
-	ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
-				    QLCNIC_CMD_ADD_RCV_RINGS);
+	err = ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
+					QLCNIC_CMD_ADD_RCV_RINGS);
+	if (err) {
+		dev_err(&adapter->pdev->dev,
+			"Failed to alloc mbx args %d\n", err);
+		return err;
+	}
+
 	cmd.req.arg[1] = 0 | (num_sds << 8) | (context_id << 16);
 
 	/* set up status rings, mbx 2-81 */
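Review bot: `err` is assigned in the new lines but not declared by this hunk, so the change depends on an `err` already in scope in qlcnic_83xx_add_rings(); confirm that, and confirm that returning it here, before `cmd.req.arg` is touched, leaks nothing set up earlier in the function (in the visible context only local values such as sds_mbx_size, context_id and num_sds are computed, so it looks clean). Style: the continuation line `QLCNIC_CMD_ADD_RCV_RINGS);` is now indented with tabs only and no longer lines up under the open parenthesis the way the removed lines did; checkpatch's alignment check will flag it.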




* Re: [PATCH] scsi: libsas: Fix a NULL pointer dereference in sas_ex_discover_expander()
  2021-11-30 17:16 18% [PATCH] scsi: libsas: Fix a NULL pointer dereference in sas_ex_discover_expander() Zhou Qingyang
@ 2021-12-06 15:09  0% ` John Garry
  0 siblings, 0 replies; 200+ results
From: John Garry @ 2021-12-06 15:09 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, James E.J. Bottomley, Martin K. Petersen, Jason Yan,
	Himanshu Madhani, Jack Wang, Luo Jiaxing, Bart Van Assche,
	James Bottomley, linux-scsi, linux-kernel

On 30/11/2021 17:16, Zhou Qingyang wrote:

I'd have "scsi: libsas: Improve error handling in 
sas_ex_discover_expander()"

> In sas_ex_discover_expander(), sas_port_alloc() is assigned to phy->port

"sas_port_alloc() is assigned to phy->port" - the function is not assigned

> and used in sas_port_add(). sas_port_add() further passes phy->port to
> list_empty(), and there is a dereference of it in list_empty(), which
> could lead to a NULL pointer dereference on failure of
> sas_port_alloc().
> 
> This patch imitates the same error-handling logic in
> sas_ex_discover_end_dev().

git grep 'This patch' Documentation/process/submitting-patches.rst

> 
> Fix this bug by adding checks for phy->port and sas_port_add().
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.

Who are these researchers?

> 
> Builds with CONFIG_SCSI_SAS_LIBSAS=m show no new warnings,
> and our static analyzer no longer warns about this code.

This is all implied by sending the patch in the first place

> 
> Fixes:  2908d778ab3e ("[SCSI] aic94xx: new driver")

personally I don't think that this is a fix - the code is old and 
already had BUG_ON()

> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>   drivers/scsi/libsas/sas_expander.c | 11 +++++++++--
>   1 file changed, 9 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
> index c2150a818423..7530b1773d6b 100644
> --- a/drivers/scsi/libsas/sas_expander.c
> +++ b/drivers/scsi/libsas/sas_expander.c
> @@ -957,9 +957,16 @@ static struct domain_device *sas_ex_discover_expander(
>   		return NULL;
>   
>   	phy->port = sas_port_alloc(&parent->rphy->dev, phy_id);
> -	/* FIXME: better error handling */
> -	BUG_ON(sas_port_add(phy->port) != 0);
> +	if (unlikely(!phy->port)) {

no need for unlikely() - this is not fastpath

> +		sas_put_device(child);
> +		return NULL;
> +	}
>   
> +	if (sas_port_add(phy->port) != 0) {
> +		sas_port_free(phy->port);
> +		sas_put_device(child);

better have a goto error now as we're replicating code, including what is 
already there for the sas_discover_expander() failure error path

> +		return NULL;
> +	}
>   
>   	switch (phy->attached_dev_type) {
>   	case SAS_EDGE_EXPANDER_DEVICE:
> 
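Review bot: on the sas_port_add() failure path the hunk calls sas_port_free(phy->port) but leaves phy->port pointing at the freed object; add `phy->port = NULL;` after the free so that nothing that later looks at the phy, or a retry of discovery, follows a dangling pointer. The sas_port_alloc() NULL check is correctly placed before sas_port_add(), since the removed BUG_ON() was previously the only thing between a NULL port and the list_empty() dereference the commit message describes, but dropping the `/* FIXME: better error handling */` comment is only justified once both failure paths unwind cleanly, which argues for the single error label suggested above rather than two copies of the sas_put_device(child) sequence.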


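The mlx4_en patch above (an unchecked mlx4_en_copy_priv() that frees tmp->tx_cq on failure, followed by a dereference in mlx4_en_alloc_resources()) and the goto-style unwinding John Garry asks for in the libsas review share one shape: a multi-step setup where each step's return value must be checked and earlier work released exactly once. The C below is an added, constructed user-space model of that shape. It is not code from the kernel, from either patch or from any reviewer: copy_priv(), alloc_resources(), port_add(), xalloc(), run_scenario() and the fail_on_alloc fault-injection knob are all hypothetical stand-ins, and try_alloc_resources() shows the fixed form of the caller. Builds with `cc -std=c99 -Wall`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Constructed user-space model, not kernel code; all names are hypothetical. */
#define NUM_RINGS 4

struct ring { int id; };

struct priv {
	struct ring *tx_cq[NUM_RINGS];	/* stands in for tmp->tx_cq; starts zeroed */
	bool port_added;		/* stands in for a registered phy->port */
};

/* Fault injection: fail the Nth allocation (1-based); 0 means never fail. */
static int fail_on_alloc, alloc_count;

static void *xalloc(size_t n)
{
	alloc_count++;
	if (fail_on_alloc && alloc_count == fail_on_alloc)
		return NULL;
	return calloc(1, n);
}

static void free_rings(struct priv *tmp)
{
	for (int i = 0; i < NUM_RINGS; i++) {
		free(tmp->tx_cq[i]);		/* free(NULL) is a no-op */
		tmp->tx_cq[i] = NULL;		/* never leave a dangling pointer */
	}
}

/* Like mlx4_en_copy_priv(): undoes its partial work on failure, returns -ENOMEM. */
static int copy_priv(struct priv *tmp)
{
	for (int i = 0; i < NUM_RINGS; i++) {
		tmp->tx_cq[i] = xalloc(sizeof(struct ring));
		if (!tmp->tx_cq[i]) {
			free_rings(tmp);
			return -ENOMEM;
		}
		tmp->tx_cq[i]->id = i;
	}
	return 0;
}

/* Like mlx4_en_alloc_resources(): dereferences every tmp->tx_cq[i]. */
static int alloc_resources(struct priv *tmp)
{
	for (int i = 0; i < NUM_RINGS; i++)
		tmp->tx_cq[i]->id += 100;	/* a NULL or freed entry here is the bug */
	return 0;
}

/* Like sas_port_add(): a later step that can fail for reasons of its own. */
static int port_add(struct priv *tmp, bool force_fail)
{
	if (force_fail)
		return -EIO;
	tmp->port_added = true;
	return 0;
}

/* Fixed caller: every step checked, unwinding under one label, released once. */
static int try_alloc_resources(struct priv *tmp, bool port_fails)
{
	int ret = copy_priv(tmp);

	if (ret)
		return ret;	/* copy_priv() already cleaned up; nothing to unwind */
	ret = alloc_resources(tmp);
	if (ret)
		goto err_rings;
	ret = port_add(tmp, port_fails);
	if (ret)
		goto err_rings;
	return 0;

err_rings:
	free_rings(tmp);
	return ret;
}

/* Scenario driver: returns the caller's ret; rings still held go to last_rings_left. */
static int last_rings_left;
static int run_scenario(int fail_at, bool port_fails)
{
	struct priv p = { { NULL }, false };
	int ret;

	fail_on_alloc = fail_at;
	alloc_count = 0;
	ret = try_alloc_resources(&p, port_fails);
	last_rings_left = 0;
	for (int i = 0; i < NUM_RINGS; i++)
		last_rings_left += p.tx_cq[i] != NULL;
	free_rings(&p);
	return ret;
}
```

run_scenario(2, false) fails the second allocation inside copy_priv() and returns -ENOMEM with no rings left; run_scenario(0, true) fails the later port_add() step and returns -EIO, again with zero rings left. That second case is the property a reviewer wants from any early return added to a function like this: no resource from an earlier step survives it, and no pointer to a freed object is left behind for a later caller to follow.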

* [PATCH 4.19 30/48] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
  2021-12-06 14:56  5% [PATCH 4.19 00/48] 4.19.220-rc1 review Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 4.19 27/48] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  1 sibling, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Leon Romanovsky,
	Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit addad7643142f500080417dd7272f49b7a185570 upstream.

In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
After that mlx4_en_alloc_resources() is called and there is a dereference
of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
a use after free problem on failure of mlx4_en_copy_priv().

Fix this bug by adding a check of mlx4_en_copy_priv().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_MLX4_EN=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/20211130164438.190591-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -2282,9 +2282,14 @@ int mlx4_en_try_alloc_resources(struct m
 				bool carry_xdp_prog)
 {
 	struct bpf_prog *xdp_prog;
-	int i, t;
+	int i, t, ret;
 
-	mlx4_en_copy_priv(tmp, priv, prof);
+	ret = mlx4_en_copy_priv(tmp, priv, prof);
+	if (ret) {
+		en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n",
+			__func__);
+		return ret;
+	}
 
 	if (mlx4_en_alloc_resources(tmp)) {
 		en_warn(priv,




* [PATCH 4.14 093/106] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
  2021-12-06 14:55  4% [PATCH 4.14 000/106] 4.14.257-rc1 review Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 4.14 090/106] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  1 sibling, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Leon Romanovsky,
	Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit addad7643142f500080417dd7272f49b7a185570 upstream.

In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
After that mlx4_en_alloc_resources() is called and there is a dereference
of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
a use after free problem on failure of mlx4_en_copy_priv().

Fix this bug by adding a check of mlx4_en_copy_priv().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_MLX4_EN=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Link: https://lore.kernel.org/r/20211130164438.190591-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -2283,9 +2283,14 @@ int mlx4_en_try_alloc_resources(struct m
 				bool carry_xdp_prog)
 {
 	struct bpf_prog *xdp_prog;
-	int i, t;
+	int i, t, ret;
 
-	mlx4_en_copy_priv(tmp, priv, prof);
+	ret = mlx4_en_copy_priv(tmp, priv, prof);
+	if (ret) {
+		en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n",
+			__func__);
+		return ret;
+	}
 
 	if (mlx4_en_alloc_resources(tmp)) {
 		en_warn(priv,
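Review bot: the new `return ret;` leaves `tmp` partially initialised and skips whatever teardown the caller normally runs on it, so the fix is complete only if mlx4_en_copy_priv()'s error path frees everything it allocated into tmp; the commit message says tmp->tx_cq is freed there but says nothing about the rx side or any other arrays, and it would be worth stating that explicitly. Minor: the message `"%s: mlx4_en_copy_priv() failed, return\n"` reads oddly; since the function aborts here, en_err() with wording like "failed to copy private data" would match the severity, and the `__func__` prefix adds little next to the function name already in the string.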




* [PATCH 4.14 090/106] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
  2021-12-06 14:55  4% [PATCH 4.14 000/106] 4.14.257-rc1 review Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit e2dabc4f7e7b60299c20a36d6a7b24ed9bf8e572 upstream.

In qlcnic_83xx_add_rings(), the indirect function of
ahw->hw_ops->alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(). This patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 7f9664525f9c ("qlcnic: 83xx memory map and HW access routine")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130110848.109026-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
@@ -1078,8 +1078,14 @@ static int qlcnic_83xx_add_rings(struct
 	sds_mbx_size = sizeof(struct qlcnic_sds_mbx);
 	context_id = recv_ctx->context_id;
 	num_sds = adapter->drv_sds_rings - QLCNIC_MAX_SDS_RINGS;
-	ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
-				    QLCNIC_CMD_ADD_RCV_RINGS);
+	err = ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
+					QLCNIC_CMD_ADD_RCV_RINGS);
+	if (err) {
+		dev_err(&adapter->pdev->dev,
+			"Failed to alloc mbx args %d\n", err);
+		return err;
+	}
+
 	cmd.req.arg[1] = 0 | (num_sds << 8) | (context_id << 16);
 
 	/* set up status rings, mbx 2-81 */
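Review bot: the hunk assigns to `err` but adds no `int err;`, so it relies on `err` already being declared in qlcnic_83xx_add_rings(); the diff context does not show the declarations, so that is worth confirming (the "no new warnings" build note suggests it is there). The bare `return err;` without a qlcnic_free_mbx_args() call is correct only because alloc_mbx_args() fails before cmd.req.arg is allocated, which is the same assumption mbx_cmd()'s failure handling makes; a one-line comment saying so would save the next reader the lookup. Nit: the `+` continuation line `QLCNIC_CMD_ADD_RCV_RINGS);` is now indented with five tabs and no longer lines up under the opening parenthesis as the removed line did.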



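The two commit messages in this series from Zhou Qingyang (the mlx4_en use-after-free in mlx4_en_try_alloc_resources() and this qlcnic NULL dereference) describe the same shape of bug: a callee that can fail is called without checking its return value, and the caller then touches memory the callee never allocated or has already torn down. The following is an added example written for this page, not code from the kernel or from either driver. The names mbx_cmd, hw_ops, alloc_mbx_args, add_rings_unchecked and add_rings_checked are hypothetical stand-ins for the qlcnic structures, CMD_ADD_RCV_RINGS is a made-up opcode, and the fail_alloc field is a fault-injection hook with no counterpart in the driver. It shows the unchecked call beside the checked one and drives the fixed path through a forced allocation failure.

```c
/*
 * Added example, not kernel code: models the unchecked-return pattern
 * fixed in qlcnic_83xx_add_rings(). All names are hypothetical stand-ins.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_ADD_RCV_RINGS 0x0d   /* hypothetical mailbox opcode */
#define MBX_NUM_ARGS      8

struct mbx_cmd {
	struct {
		unsigned int *arg;   /* NULL until alloc_mbx_args() succeeds */
		size_t num;
	} req;
};

struct adapter;

struct hw_ops {
	int (*alloc_mbx_args)(struct mbx_cmd *cmd, struct adapter *adapter,
			      unsigned int type);
};

struct adapter {
	const struct hw_ops *hw_ops;
	unsigned int context_id;
	unsigned int num_sds;
	int fail_alloc;   /* fault injection: 1 forces alloc_mbx_args() to fail */
};

/* Allocates the request argument array; leaves cmd->req.arg NULL on failure. */
static int alloc_mbx_args(struct mbx_cmd *cmd, struct adapter *adapter,
			  unsigned int type)
{
	memset(cmd, 0, sizeof(*cmd));
	if (adapter->fail_alloc)
		return -ENOMEM;
	cmd->req.arg = calloc(MBX_NUM_ARGS, sizeof(*cmd->req.arg));
	if (!cmd->req.arg)
		return -ENOMEM;
	cmd->req.num = MBX_NUM_ARGS;
	cmd->req.arg[0] = type;
	return 0;
}

static void free_mbx_args(struct mbx_cmd *cmd)
{
	free(cmd->req.arg);
	cmd->req.arg = NULL;
}

static const struct hw_ops example_ops = { .alloc_mbx_args = alloc_mbx_args };

/*
 * Before the fix: the return value is dropped, so when the allocation fails
 * cmd.req.arg is NULL and the next statement dereferences it. Only safe to
 * call with fail_alloc == 0.
 */
static int add_rings_unchecked(struct adapter *adapter)
{
	struct mbx_cmd cmd;

	adapter->hw_ops->alloc_mbx_args(&cmd, adapter, CMD_ADD_RCV_RINGS);
	cmd.req.arg[1] = 0 | (adapter->num_sds << 8) | (adapter->context_id << 16);
	free_mbx_args(&cmd);
	return 0;
}

/* After the fix: propagate the error before touching cmd.req.arg. */
static int add_rings_checked(struct adapter *adapter, unsigned int *arg1_out)
{
	struct mbx_cmd cmd;
	int err;

	err = adapter->hw_ops->alloc_mbx_args(&cmd, adapter, CMD_ADD_RCV_RINGS);
	if (err) {
		fprintf(stderr, "Failed to alloc mbx args %d\n", err);
		return err;
	}
	cmd.req.arg[1] = (adapter->num_sds << 8) | (adapter->context_id << 16);
	if (arg1_out)
		*arg1_out = cmd.req.arg[1];
	free_mbx_args(&cmd);
	return 0;
}

/* Drives the fixed path with optional fault injection; returns its error code. */
static int run_checked(int fail_alloc, unsigned int num_sds, unsigned int ctx,
		       unsigned int *arg1_out)
{
	struct adapter adapter = { .hw_ops = &example_ops, .context_id = ctx,
				   .num_sds = num_sds, .fail_alloc = fail_alloc };
	return add_rings_checked(&adapter, arg1_out);
}

/* arg[1] as computed by the fixed path, or 0 if it failed. */
static unsigned int checked_arg1(unsigned int num_sds, unsigned int ctx)
{
	unsigned int arg1 = 0;
	return run_checked(0, num_sds, ctx, &arg1) ? 0 : arg1;
}

/* The buggy path with a working allocator (the only input it survives). */
static int run_unchecked(unsigned int num_sds, unsigned int ctx)
{
	struct adapter adapter = { .hw_ops = &example_ops, .context_id = ctx,
				   .num_sds = num_sds, .fail_alloc = 0 };
	return add_rings_unchecked(&adapter);
}

int main(void)
{
	printf("forced failure: err=%d (ENOMEM is %d)\n", run_checked(1, 4, 1, NULL), -ENOMEM);
	printf("success: arg1=0x%x, unchecked path=%d\n", checked_arg1(4, 1), run_unchecked(4, 1));
	return 0;
}
```

Running add_rings_unchecked() with fail_alloc set to 1 is the crash the patch prevents, which is why the example only exercises it with a working allocator; the fixed path returns -ENOMEM and never reaches the arg[1] write.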

* [PATCH 4.14 000/106] 4.14.257-rc1 review
From: Greg Kroah-Hartman @ 2021-12-06 14:55 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 4.14.257 release.
There are 106 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 08 Dec 2021 14:55:37 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.257-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.14.257-rc1

Helge Deller <deller@gmx.de>
    parisc: Mark cr16 CPU clocksource unstable on all SMP machines

Johan Hovold <johan@kernel.org>
    serial: core: fix transmit-buffer reset and memleak

Pierre Gondois <Pierre.Gondois@arm.com>
    serial: pl011: Add ACPI SBSA UART match id

Sven Eckelmann <sven@narfation.org>
    tty: serial: msm_serial: Deactivate RX DMA for polling support

Joerg Roedel <jroedel@suse.de>
    x86/64/mm: Map all kernel memory into trampoline_pgd

Badhri Jagan Sridharan <badhri@google.com>
    usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect

Mathias Nyman <mathias.nyman@linux.intel.com>
    xhci: Fix commad ring abort, write all 64 bits to CRCR register.

Maciej W. Rozycki <macro@orcam.me.uk>
    vgacon: Propagate console boot parameters before calling `vc_resize'

Helge Deller <deller@gmx.de>
    parisc: Fix "make install" on newer debian releases

Helge Deller <deller@gmx.de>
    parisc: Fix KBUILD_IMAGE for self-extracting kernel

Tony Lu <tonylu@linux.alibaba.com>
    net/smc: Keep smc_close_final rc during active close

William Kucharski <william.kucharski@oracle.com>
    net/rds: correct socket tunable error in rds_tcp_tune()

Sven Schuchmann <schuchmann@schleissheimer.de>
    net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available

Zhou Qingyang <zhou1615@umn.edu>
    net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()

Arnd Bergmann <arnd@arndb.de>
    siphash: use _unaligned version by default

Benjamin Poirier <bpoirier@nvidia.com>
    net: mpls: Fix notifications when deleting a device

Zhou Qingyang <zhou1615@umn.edu>
    net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

Randy Dunlap <rdunlap@infradead.org>
    natsemi: xtensa: fix section mismatch warnings

Linus Torvalds <torvalds@linux-foundation.org>
    fget: check that the fd still exists after getting a ref to it

Jens Axboe <axboe@kernel.dk>
    fs: add fget_many() and fput_many()

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Limit max data_size of the kretprobe instances

Stephen Suryaputra <ssuryaextr@gmail.com>
    vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit

Ian Rogers <irogers@google.com>
    perf hist: Fix memory leak of a perf_hpp_fmt

Teng Qi <starmiku1207184332@gmail.com>
    net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()

zhangyue <zhangyue1@kylinos.cn>
    net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound

Teng Qi <starmiku1207184332@gmail.com>
    ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Unblock session then wake up error handler

Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
    thermal: core: Reset previous low and high trip during thermal zone init

Wang Yugui <wangyugui@e16-tech.com>
    btrfs: check-integrity: fix a warning on write caching disabled disk

Vasily Gorbik <gor@linux.ibm.com>
    s390/setup: avoid using memblock_enforce_memory_limit

Slark Xiao <slark_xiao@163.com>
    platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep

liuguoqiang <liuguoqiang@uniontech.com>
    net: return correct error code

Mike Kravetz <mike.kravetz@oracle.com>
    hugetlb: take PMD sharing into account when flushing tlb/caches

Benjamin Coddington <bcodding@redhat.com>
    NFSv42: Fix pagecache invalidation after COPY/CLONE

Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
    ipc: WARN if trying to remove ipc object which is absent

Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
    shm: extend forced shm destroy to support objects from several IPC nses

Juergen Gross <jgross@suse.com>
    tty: hvc: replace BUG_ON() with negative return value

Juergen Gross <jgross@suse.com>
    xen/netfront: don't trust the backend response data blindly

Juergen Gross <jgross@suse.com>
    xen/netfront: disentangle tx_skb_freelist

Juergen Gross <jgross@suse.com>
    xen/netfront: don't read data from request on the ring page

Juergen Gross <jgross@suse.com>
    xen/netfront: read response from backend only once

Juergen Gross <jgross@suse.com>
    xen/blkfront: don't trust the backend response data blindly

Juergen Gross <jgross@suse.com>
    xen/blkfront: don't take local copy of a request from the ring page

Juergen Gross <jgross@suse.com>
    xen/blkfront: read response from backend only once

Juergen Gross <jgross@suse.com>
    xen: sync include/xen/interface/io/ring.h with Xen's newest version

Miklos Szeredi <mszeredi@redhat.com>
    fuse: release pipe buf after last use

Lin Ma <linma@zju.edu.cn>
    NFC: add NCI_UNREG flag to eliminate the race

David Hildenbrand <david@redhat.com>
    proc/vmcore: fix clearing user buffer by properly using clear_user()

Nadav Amit <namit@vmware.com>
    hugetlbfs: flush TLBs correctly after huge_pmd_unshare

Marek Behún <marek.behun@nic.cz>
    arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function

Miquel Raynal <miquel.raynal@bootlin.com>
    arm64: dts: marvell: armada-37xx: declare PCIe reset pin

Marek Behún <kabel@kernel.org>
    pinctrl: armada-37xx: Correct PWM pins definitions

Gregory CLEMENT <gregory.clement@bootlin.com>
    pinctrl: armada-37xx: add missing pin: PCIe1 Wakeup

Marek Behún <marek.behun@nic.cz>
    pinctrl: armada-37xx: Correct mpp definitions

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Fix checking for link up via LTSSM state

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Fix link training

Frederick Lawler <fred@fredlawl.com>
    PCI: Add PCI_EXP_LNKCTL2_TLS* macros

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Fix PCIe Max Payload Size setting

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Configure PCIe resources from 'ranges' DT property

Evan Wang <xswang@marvell.com>
    PCI: aardvark: Remove PCIe outbound window configuration

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Update comment about disabling link training

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link()

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Fix compilation on s390

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Don't touch PCIe registers if no card connected

Thomas Petazzoni <thomas.petazzoni@bootlin.com>
    PCI: aardvark: Introduce an advk_pcie_valid_device() helper

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Indicate error in 'val' when config read fails

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Issue PERST via GPIO

Marek Behún <marek.behun@nic.cz>
    PCI: aardvark: Improve link training

Pali Rohár <pali@kernel.org>
    PCI: aardvark: Train link immediately after enabling training

Remi Pommarel <repk@triplefau.lt>
    PCI: aardvark: Wait for endpoint to be ready before training link

Wen Yang <wen.yang99@zte.com.cn>
    PCI: aardvark: Fix a leaked reference by adding missing of_node_put()

Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
    PCI: aardvark: Fix I/O space page leak

David Hildenbrand <david@redhat.com>
    s390/mm: validate VMA in PGSTE manipulation functions

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing: Check pid filtering when creating events

Stefano Garzarella <sgarzare@redhat.com>
    vhost/vsock: fix incorrect used length reported to the guest

Tony Lu <tonylu@linux.alibaba.com>
    net/smc: Don't call clcsock shutdown twice when smc shutdown

Huang Pei <huangpei@loongson.cn>
    MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48

Eric Dumazet <edumazet@google.com>
    tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows

Thomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at>
    PM: hibernate: use correct mode for swsusp_close()

Tony Lu <tonylu@linux.alibaba.com>
    net/smc: Ensure the active closing peer first closes clcsock

Eric Dumazet <edumazet@google.com>
    ipv6: fix typos in __ip6_finish_output()

Dan Carpenter <dan.carpenter@oracle.com>
    drm/vc4: fix error code in vc4_create_object()

Sreekanth Reddy <sreekanth.reddy@broadcom.com>
    scsi: mpt3sas: Fix kernel panic during drive powercycle test

Takashi Iwai <tiwai@suse.de>
    ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv42: Don't fail clone() unless the OP_CLONE operation failed

Alexander Aring <aahringo@redhat.com>
    net: ieee802154: handle iftypes as u32

Takashi Iwai <tiwai@suse.de>
    ASoC: topology: Add missing rwsem around snd_ctl_remove() calls

Florian Fainelli <f.fainelli@gmail.com>
    ARM: dts: BCM5301X: Add interrupt properties to GPIO node

Florian Fainelli <f.fainelli@gmail.com>
    ARM: dts: BCM5301X: Fix I2C controller interrupt

yangxingwu <xingwu.yang@gmail.com>
    netfilter: ipvs: Fix reuse connection if RS weight is 0

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing: Fix pid filtering when triggers are attached

Stefano Stabellini <stefano.stabellini@xilinx.com>
    xen: detect uninitialized xenbus in xenbus_init

Stefano Stabellini <stefano.stabellini@xilinx.com>
    xen: don't continue xenstore initialization in case of errors

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix page stealing

Dan Carpenter <dan.carpenter@oracle.com>
    staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()

Jason Gerecke <killertofu@gmail.com>
    HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: cec: copy sequence field for the reply

Takashi Iwai <tiwai@suse.de>
    ALSA: ctxfi: Fix out-of-range access

Todd Kjos <tkjos@google.com>
    binder: fix test regression due to sender_euid change

Mathias Nyman <mathias.nyman@linux.intel.com>
    usb: hub: Fix locking issues with address0_mutex

Mathias Nyman <mathias.nyman@linux.intel.com>
    usb: hub: Fix usb enumeration issue due to address0 race

Mingjie Zhang <superzmj@fibocom.com>
    USB: serial: option: add Fibocom FM101-GL variants

Daniele Palmas <dnlplm@gmail.com>
    USB: serial: option: add Telit LE910S1 0x9200 composition


-------------

Diffstat:

 .../pinctrl/marvell,armada-37xx-pinctrl.txt        |  26 +-
 Documentation/networking/ipvs-sysctl.txt           |   3 +-
 Makefile                                           |   4 +-
 arch/arm/boot/dts/bcm5301x.dtsi                    |   4 +-
 arch/arm/include/asm/tlb.h                         |   8 +
 arch/arm/mach-socfpga/core.h                       |   2 +-
 arch/arm/mach-socfpga/platsmp.c                    |   8 +-
 arch/arm64/boot/dts/marvell/armada-3720-db.dts     |   3 +
 .../boot/dts/marvell/armada-3720-espressobin.dts   |   3 +
 arch/arm64/boot/dts/marvell/armada-37xx.dtsi       |   9 +
 arch/ia64/include/asm/tlb.h                        |  10 +
 arch/mips/Kconfig                                  |   2 +-
 arch/parisc/Makefile                               |   5 +
 arch/parisc/install.sh                             |   1 +
 arch/parisc/kernel/time.c                          |  24 +-
 arch/s390/include/asm/tlb.h                        |  14 +
 arch/s390/kernel/setup.c                           |   3 -
 arch/s390/mm/pgtable.c                             |  13 +
 arch/sh/include/asm/tlb.h                          |  10 +
 arch/um/include/asm/tlb.h                          |  12 +
 arch/x86/realmode/init.c                           |  12 +-
 drivers/android/binder.c                           |   2 +-
 drivers/ata/sata_fsl.c                             |  20 +-
 drivers/block/xen-blkfront.c                       | 126 ++++--
 drivers/gpu/drm/vc4/vc4_bo.c                       |   2 +-
 drivers/hid/wacom_wac.c                            |   8 +-
 drivers/hid/wacom_wac.h                            |   1 +
 drivers/media/cec/cec-adap.c                       |   1 +
 drivers/net/ethernet/dec/tulip/de4x5.c             |  34 +-
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |   4 +
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c     |   9 +-
 drivers/net/ethernet/natsemi/xtsonic.c             |   2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c    |  10 +-
 drivers/net/usb/lan78xx.c                          |   2 +-
 drivers/net/vrf.c                                  |   2 +
 drivers/net/xen-netfront.c                         | 257 +++++++-----
 drivers/pci/host/pci-aardvark.c                    | 463 +++++++++++++++++----
 drivers/pinctrl/mvebu/pinctrl-armada-37xx.c        |  28 +-
 drivers/platform/x86/thinkpad_acpi.c               |  12 -
 drivers/scsi/mpt3sas/mpt3sas_scsih.c               |   2 +-
 drivers/scsi/scsi_transport_iscsi.c                |   6 +-
 drivers/staging/rtl8192e/rtl8192e/rtl_core.c       |   3 +-
 drivers/staging/typec/tcpm.c                       |   4 -
 drivers/thermal/thermal_core.c                     |   2 +
 drivers/tty/hvc/hvc_xen.c                          |  17 +-
 drivers/tty/serial/amba-pl011.c                    |   1 +
 drivers/tty/serial/msm_serial.c                    |   3 +
 drivers/tty/serial/serial_core.c                   |  13 +-
 drivers/usb/core/hub.c                             |  23 +-
 drivers/usb/host/xhci-ring.c                       |  21 +-
 drivers/usb/serial/option.c                        |   5 +
 drivers/vhost/vsock.c                              |   2 +-
 drivers/video/console/vgacon.c                     |  14 +-
 drivers/xen/xenbus/xenbus_probe.c                  |  27 +-
 fs/btrfs/disk-io.c                                 |  14 +-
 fs/file.c                                          |  19 +-
 fs/file_table.c                                    |   9 +-
 fs/fuse/dev.c                                      |  14 +-
 fs/nfs/nfs42proc.c                                 |   5 +-
 fs/nfs/nfs42xdr.c                                  |   3 +-
 fs/proc/vmcore.c                                   |  15 +-
 include/asm-generic/tlb.h                          |   2 +
 include/linux/file.h                               |   2 +
 include/linux/fs.h                                 |   4 +-
 include/linux/ipc_namespace.h                      |  15 +
 include/linux/kprobes.h                            |   2 +
 include/linux/sched/task.h                         |   2 +-
 include/linux/shm.h                                |  13 +-
 include/linux/siphash.h                            |  14 +-
 include/net/nfc/nci_core.h                         |   1 +
 include/net/nl802154.h                             |   7 +-
 include/uapi/linux/pci_regs.h                      |   5 +
 include/xen/interface/io/ring.h                    | 293 +++++++------
 ipc/shm.c                                          | 176 ++++++--
 ipc/util.c                                         |   6 +-
 kernel/kprobes.c                                   |   3 +
 kernel/power/hibernate.c                           |   6 +-
 kernel/trace/trace.h                               |  24 +-
 kernel/trace/trace_events.c                        |   7 +
 lib/siphash.c                                      |  12 +-
 mm/hugetlb.c                                       |  72 +++-
 mm/memory.c                                        |  10 +
 net/ipv4/devinet.c                                 |   2 +-
 net/ipv4/tcp_cubic.c                               |   5 +-
 net/ipv6/ip6_output.c                              |   2 +-
 net/mpls/af_mpls.c                                 |  68 ++-
 net/netfilter/ipvs/ip_vs_core.c                    |   8 +-
 net/nfc/nci/core.c                                 |  19 +-
 net/rds/tcp.c                                      |   2 +-
 net/smc/af_smc.c                                   |   8 +-
 net/smc/smc_close.c                                |  10 +
 sound/pci/ctxfi/ctamixer.c                         |  14 +-
 sound/pci/ctxfi/ctdaio.c                           |  16 +-
 sound/pci/ctxfi/ctresource.c                       |   7 +-
 sound/pci/ctxfi/ctresource.h                       |   4 +-
 sound/pci/ctxfi/ctsrc.c                            |   7 +-
 sound/soc/soc-topology.c                           |   3 +
 tools/perf/ui/hist.c                               |  28 +-
 tools/perf/util/hist.h                             |   1 -
 99 files changed, 1591 insertions(+), 670 deletions(-)




* [PATCH 4.9 55/62] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
  2021-12-06 14:55  3% [PATCH 4.9 00/62] 4.9.292-rc1 review Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit e2dabc4f7e7b60299c20a36d6a7b24ed9bf8e572 upstream.

In qlcnic_83xx_add_rings(), the indirect function of
ahw->hw_ops->alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(). This patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 7f9664525f9c ("qlcnic: 83xx memory map and HW access routine")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130110848.109026-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
@@ -1078,8 +1078,14 @@ static int qlcnic_83xx_add_rings(struct
 	sds_mbx_size = sizeof(struct qlcnic_sds_mbx);
 	context_id = recv_ctx->context_id;
 	num_sds = adapter->drv_sds_rings - QLCNIC_MAX_SDS_RINGS;
-	ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
-				    QLCNIC_CMD_ADD_RCV_RINGS);
+	err = ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
+					QLCNIC_CMD_ADD_RCV_RINGS);
+	if (err) {
+		dev_err(&adapter->pdev->dev,
+			"Failed to alloc mbx args %d\n", err);
+		return err;
+	}
+
 	cmd.req.arg[1] = 0 | (num_sds << 8) | (context_id << 16);
 
 	/* set up status rings, mbx 2-81 */
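Review bot: this is the same hunk as the 4.14 backport, and the point to check before merging is the same: `err` is assigned but not declared anywhere in the diff, so it builds only if the 4.9 copy of qlcnic_83xx_add_rings() already has an `int err` in scope, and the 4.9 function body is not visible here. The early `return err;` skipping qlcnic_free_mbx_args() is fine only because alloc_mbx_args() fails before cmd.req.arg exists; if a future change ever allocates before failing, this return becomes a leak, so a short comment at the return would document the assumption.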




* [PATCH 4.9 00/62] 4.9.292-rc1 review
@ 2021-12-06 14:55  3% Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2021-12-06 14:55 UTC
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 4.9.292 release.
There are 62 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 08 Dec 2021 14:55:37 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.292-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.9.292-rc1

Johan Hovold <johan@kernel.org>
    serial: core: fix transmit-buffer reset and memleak

Pierre Gondois <Pierre.Gondois@arm.com>
    serial: pl011: Add ACPI SBSA UART match id

Sven Eckelmann <sven@narfation.org>
    tty: serial: msm_serial: Deactivate RX DMA for polling support

Maciej W. Rozycki <macro@orcam.me.uk>
    vgacon: Propagate console boot parameters before calling `vc_resize'

Helge Deller <deller@gmx.de>
    parisc: Fix "make install" on newer debian releases

William Kucharski <william.kucharski@oracle.com>
    net/rds: correct socket tunable error in rds_tcp_tune()

Arnd Bergmann <arnd@arndb.de>
    siphash: use _unaligned version by default

Zhou Qingyang <zhou1615@umn.edu>
    net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

Randy Dunlap <rdunlap@infradead.org>
    natsemi: xtensa: fix section mismatch warnings

Linus Torvalds <torvalds@linux-foundation.org>
    fget: check that the fd still exists after getting a ref to it

Jens Axboe <axboe@kernel.dk>
    fs: add fget_many() and fput_many()

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Limit max data_size of the kretprobe instances

Stephen Suryaputra <ssuryaextr@gmail.com>
    vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit

Teng Qi <starmiku1207184332@gmail.com>
    net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()

zhangyue <zhangyue1@kylinos.cn>
    net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound

Teng Qi <starmiku1207184332@gmail.com>
    ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port()

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Unblock session then wake up error handler

Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
    thermal: core: Reset previous low and high trip during thermal zone init

Vasily Gorbik <gor@linux.ibm.com>
    s390/setup: avoid using memblock_enforce_memory_limit

Slark Xiao <slark_xiao@163.com>
    platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep

liuguoqiang <liuguoqiang@uniontech.com>
    net: return correct error code

Mike Kravetz <mike.kravetz@oracle.com>
    hugetlb: take PMD sharing into account when flushing tlb/caches

Benjamin Coddington <bcodding@redhat.com>
    NFSv42: Fix pagecache invalidation after COPY/CLONE

Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
    shm: extend forced shm destroy to support objects from several IPC nses

Juergen Gross <jgross@suse.com>
    tty: hvc: replace BUG_ON() with negative return value

Juergen Gross <jgross@suse.com>
    xen/netfront: don't trust the backend response data blindly

Juergen Gross <jgross@suse.com>
    xen/netfront: disentangle tx_skb_freelist

Juergen Gross <jgross@suse.com>
    xen/netfront: don't read data from request on the ring page

Juergen Gross <jgross@suse.com>
    xen/netfront: read response from backend only once

Juergen Gross <jgross@suse.com>
    xen/blkfront: don't trust the backend response data blindly

Juergen Gross <jgross@suse.com>
    xen/blkfront: don't take local copy of a request from the ring page

Juergen Gross <jgross@suse.com>
    xen/blkfront: read response from backend only once

Juergen Gross <jgross@suse.com>
    xen: sync include/xen/interface/io/ring.h with Xen's newest version

Miklos Szeredi <mszeredi@redhat.com>
    fuse: release pipe buf after last use

Lin Ma <linma@zju.edu.cn>
    NFC: add NCI_UNREG flag to eliminate the race

David Hildenbrand <david@redhat.com>
    proc/vmcore: fix clearing user buffer by properly using clear_user()

Stefano Garzarella <sgarzare@redhat.com>
    vhost/vsock: fix incorrect used length reported to the guest

Nadav Amit <namit@vmware.com>
    hugetlbfs: flush TLBs correctly after huge_pmd_unshare

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing: Check pid filtering when creating events

Eric Dumazet <edumazet@google.com>
    tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows

Thomas Zeitlhofer <thomas.zeitlhofer+lkml@ze-it.at>
    PM: hibernate: use correct mode for swsusp_close()

Dan Carpenter <dan.carpenter@oracle.com>
    drm/vc4: fix error code in vc4_create_object()

Sreekanth Reddy <sreekanth.reddy@broadcom.com>
    scsi: mpt3sas: Fix kernel panic during drive powercycle test

Takashi Iwai <tiwai@suse.de>
    ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv42: Don't fail clone() unless the OP_CLONE operation failed

Alexander Aring <aahringo@redhat.com>
    net: ieee802154: handle iftypes as u32

Takashi Iwai <tiwai@suse.de>
    ASoC: topology: Add missing rwsem around snd_ctl_remove() calls

Florian Fainelli <f.fainelli@gmail.com>
    ARM: dts: BCM5301X: Add interrupt properties to GPIO node

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing: Fix pid filtering when triggers are attached

Stefano Stabellini <stefano.stabellini@xilinx.com>
    xen: detect uninitialized xenbus in xenbus_init

Stefano Stabellini <stefano.stabellini@xilinx.com>
    xen: don't continue xenstore initialization in case of errors

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix page stealing

Dan Carpenter <dan.carpenter@oracle.com>
    staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()

Takashi Iwai <tiwai@suse.de>
    ALSA: ctxfi: Fix out-of-range access

Todd Kjos <tkjos@google.com>
    binder: fix test regression due to sender_euid change

Mathias Nyman <mathias.nyman@linux.intel.com>
    usb: hub: Fix locking issues with address0_mutex

Mathias Nyman <mathias.nyman@linux.intel.com>
    usb: hub: Fix usb enumeration issue due to address0 race

Mingjie Zhang <superzmj@fibocom.com>
    USB: serial: option: add Fibocom FM101-GL variants

Daniele Palmas <dnlplm@gmail.com>
    USB: serial: option: add Telit LE910S1 0x9200 composition

Lee Jones <lee.jones@linaro.org>
    staging: ion: Prevent incorrect reference counting behavour


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/arm/boot/dts/bcm5301x.dtsi                    |   2 +
 arch/arm/include/asm/tlb.h                         |   8 +
 arch/arm/mach-socfpga/core.h                       |   2 +-
 arch/arm/mach-socfpga/platsmp.c                    |   8 +-
 arch/ia64/include/asm/tlb.h                        |  10 +
 arch/parisc/install.sh                             |   1 +
 arch/s390/include/asm/tlb.h                        |  14 ++
 arch/s390/kernel/setup.c                           |   3 -
 arch/sh/include/asm/tlb.h                          |  10 +
 arch/um/include/asm/tlb.h                          |  12 +
 drivers/android/binder.c                           |   2 +-
 drivers/ata/sata_fsl.c                             |  20 +-
 drivers/block/xen-blkfront.c                       | 126 ++++++----
 drivers/gpu/drm/vc4/vc4_bo.c                       |   2 +-
 drivers/net/ethernet/dec/tulip/de4x5.c             |  34 +--
 drivers/net/ethernet/hisilicon/hns/hns_dsaf_misc.c |   4 +
 drivers/net/ethernet/natsemi/xtsonic.c             |   2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c    |  10 +-
 drivers/net/vrf.c                                  |   2 +
 drivers/net/xen-netfront.c                         | 257 +++++++++++++--------
 drivers/platform/x86/thinkpad_acpi.c               |  12 -
 drivers/scsi/mpt3sas/mpt3sas_scsih.c               |   2 +-
 drivers/scsi/scsi_transport_iscsi.c                |   6 +-
 drivers/staging/android/ion/ion.c                  |   6 +
 drivers/staging/rtl8192e/rtl8192e/rtl_core.c       |   3 +-
 drivers/thermal/thermal_core.c                     |   2 +
 drivers/tty/hvc/hvc_xen.c                          |  17 +-
 drivers/tty/serial/amba-pl011.c                    |   1 +
 drivers/tty/serial/msm_serial.c                    |   3 +
 drivers/tty/serial/serial_core.c                   |  13 +-
 drivers/usb/core/hub.c                             |  23 +-
 drivers/usb/serial/option.c                        |   5 +
 drivers/vhost/vsock.c                              |   2 +-
 drivers/video/console/vgacon.c                     |  14 +-
 drivers/xen/xenbus/xenbus_probe.c                  |  27 ++-
 fs/file.c                                          |  19 +-
 fs/file_table.c                                    |   9 +-
 fs/fuse/dev.c                                      |  14 +-
 fs/nfs/nfs42proc.c                                 |   5 +-
 fs/nfs/nfs42xdr.c                                  |   3 +-
 fs/proc/vmcore.c                                   |  15 +-
 include/asm-generic/tlb.h                          |   2 +
 include/linux/file.h                               |   2 +
 include/linux/fs.h                                 |   4 +-
 include/linux/ipc_namespace.h                      |  15 ++
 include/linux/kprobes.h                            |   2 +
 include/linux/sched.h                              |   2 +-
 include/linux/shm.h                                |  13 +-
 include/linux/siphash.h                            |  14 +-
 include/net/nfc/nci_core.h                         |   1 +
 include/net/nl802154.h                             |   7 +-
 include/xen/interface/io/ring.h                    | 257 ++++++++++-----------
 ipc/shm.c                                          | 176 ++++++++++----
 kernel/kprobes.c                                   |   3 +
 kernel/power/hibernate.c                           |   6 +-
 kernel/trace/trace.h                               |  24 +-
 kernel/trace/trace_events.c                        |   7 +
 lib/siphash.c                                      |  12 +-
 mm/hugetlb.c                                       |  72 +++++-
 mm/memory.c                                        |  16 ++
 net/ipv4/devinet.c                                 |   2 +-
 net/ipv4/tcp_cubic.c                               |   5 +-
 net/nfc/nci/core.c                                 |  19 +-
 net/rds/tcp.c                                      |   2 +-
 sound/pci/ctxfi/ctamixer.c                         |  14 +-
 sound/pci/ctxfi/ctdaio.c                           |  16 +-
 sound/pci/ctxfi/ctresource.c                       |   7 +-
 sound/pci/ctxfi/ctresource.h                       |   4 +-
 sound/pci/ctxfi/ctsrc.c                            |   7 +-
 sound/soc/soc-topology.c                           |   3 +
 71 files changed, 967 insertions(+), 481 deletions(-)




* [PATCH 4.4 47/52] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
  2021-12-06 14:55  3% [PATCH 4.4 00/52] 4.4.294-rc1 review Greg Kroah-Hartman
@ 2021-12-06 14:56  7% ` Greg Kroah-Hartman
  0 siblings, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:56 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhou Qingyang, Jakub Kicinski

From: Zhou Qingyang <zhou1615@umn.edu>

commit e2dabc4f7e7b60299c20a36d6a7b24ed9bf8e572 upstream.

In qlcnic_83xx_add_rings(), the indirect function of
ahw->hw_ops->alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(); this patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 7f9664525f9c ("qlcnic: 83xx memory map and HW access routine")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
Link: https://lore.kernel.org/r/20211130110848.109026-1-zhou1615@umn.edu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
@@ -1076,8 +1076,14 @@ static int qlcnic_83xx_add_rings(struct
 	sds_mbx_size = sizeof(struct qlcnic_sds_mbx);
 	context_id = recv_ctx->context_id;
 	num_sds = adapter->drv_sds_rings - QLCNIC_MAX_SDS_RINGS;
-	ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
-				    QLCNIC_CMD_ADD_RCV_RINGS);
+	err = ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
+					QLCNIC_CMD_ADD_RCV_RINGS);
+	if (err) {
+		dev_err(&adapter->pdev->dev,
+			"Failed to alloc mbx args %d\n", err);
+		return err;
+	}
+
 	cmd.req.arg[1] = 0 | (num_sds << 8) | (context_id << 16);
 
 	/* set up status rings, mbx 2-81 */
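Review bot: the new `err = ahw->hw_ops->alloc_mbx_args(...)` path depends on an `int err` that is not declared anywhere in this hunk's context; the commit message says it imitates mbx_cmd()'s failure handling, so confirm the function already has the same `err` that receives the `mbx_cmd()` result, otherwise the 4.4 backport will not build. The bare `return err` is fine here because nothing has been allocated yet, so there is no `cmd` to free; the `dev_err()` is optional, since a failed kernel allocation already logs a warning.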




* [PATCH 4.4 00/52] 4.4.294-rc1 review
@ 2021-12-06 14:55  3% Greg Kroah-Hartman
  2021-12-06 14:56  7% ` [PATCH 4.4 47/52] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
  0 siblings, 1 reply; 200+ results
From: Greg Kroah-Hartman @ 2021-12-06 14:55 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 4.4.294 release.
There are 52 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 08 Dec 2021 14:55:37 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.294-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.4.294-rc1

Pierre Gondois <Pierre.Gondois@arm.com>
    serial: pl011: Add ACPI SBSA UART match id

Sven Eckelmann <sven@narfation.org>
    tty: serial: msm_serial: Deactivate RX DMA for polling support

Maciej W. Rozycki <macro@orcam.me.uk>
    vgacon: Propagate console boot parameters before calling `vc_resize'

Helge Deller <deller@gmx.de>
    parisc: Fix "make install" on newer debian releases

Arnd Bergmann <arnd@arndb.de>
    siphash: use _unaligned version by default

Zhou Qingyang <zhou1615@umn.edu>
    net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()

Randy Dunlap <rdunlap@infradead.org>
    natsemi: xtensa: fix section mismatch warnings

Linus Torvalds <torvalds@linux-foundation.org>
    fget: check that the fd still exists after getting a ref to it

Jens Axboe <axboe@kernel.dk>
    fs: add fget_many() and fput_many()

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl

Baokun Li <libaokun1@huawei.com>
    sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl

Masami Hiramatsu <mhiramat@kernel.org>
    kprobes: Limit max data_size of the kretprobe instances

Teng Qi <starmiku1207184332@gmail.com>
    net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()

zhangyue <zhangyue1@kylinos.cn>
    net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Unblock session then wake up error handler

Vasily Gorbik <gor@linux.ibm.com>
    s390/setup: avoid using memblock_enforce_memory_limit

Slark Xiao <slark_xiao@163.com>
    platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep

liuguoqiang <liuguoqiang@uniontech.com>
    net: return correct error code

Mike Kravetz <mike.kravetz@oracle.com>
    hugetlb: take PMD sharing into account when flushing tlb/caches

Juergen Gross <jgross@suse.com>
    tty: hvc: replace BUG_ON() with negative return value

Juergen Gross <jgross@suse.com>
    xen/netfront: don't trust the backend response data blindly

Juergen Gross <jgross@suse.com>
    xen/netfront: disentangle tx_skb_freelist

Juergen Gross <jgross@suse.com>
    xen/netfront: don't read data from request on the ring page

Juergen Gross <jgross@suse.com>
    xen/netfront: read response from backend only once

Juergen Gross <jgross@suse.com>
    xen/blkfront: don't trust the backend response data blindly

Juergen Gross <jgross@suse.com>
    xen/blkfront: don't take local copy of a request from the ring page

Juergen Gross <jgross@suse.com>
    xen/blkfront: read response from backend only once

Juergen Gross <jgross@suse.com>
    xen: sync include/xen/interface/io/ring.h with Xen's newest version

Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
    shm: extend forced shm destroy to support objects from several IPC nses

Miklos Szeredi <mszeredi@redhat.com>
    fuse: release pipe buf after last use

Miklos Szeredi <mszeredi@redhat.com>
    fuse: fix page stealing

Lin Ma <linma@zju.edu.cn>
    NFC: add NCI_UNREG flag to eliminate the race

David Hildenbrand <david@redhat.com>
    proc/vmcore: fix clearing user buffer by properly using clear_user()

Nadav Amit <namit@vmware.com>
    hugetlbfs: flush TLBs correctly after huge_pmd_unshare

Steven Rostedt (VMware) <rostedt@goodmis.org>
    tracing: Check pid filtering when creating events

Eric Dumazet <edumazet@google.com>
    tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows

Sreekanth Reddy <sreekanth.reddy@broadcom.com>
    scsi: mpt3sas: Fix kernel panic during drive powercycle test

Takashi Iwai <tiwai@suse.de>
    ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv42: Don't fail clone() unless the OP_CLONE operation failed

Alexander Aring <aahringo@redhat.com>
    net: ieee802154: handle iftypes as u32

Takashi Iwai <tiwai@suse.de>
    ASoC: topology: Add missing rwsem around snd_ctl_remove() calls

Florian Fainelli <f.fainelli@gmail.com>
    ARM: dts: BCM5301X: Add interrupt properties to GPIO node

Stefano Stabellini <stefano.stabellini@xilinx.com>
    xen: detect uninitialized xenbus in xenbus_init

Stefano Stabellini <stefano.stabellini@xilinx.com>
    xen: don't continue xenstore initialization in case of errors

Dan Carpenter <dan.carpenter@oracle.com>
    staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()

Takashi Iwai <tiwai@suse.de>
    ALSA: ctxfi: Fix out-of-range access

Todd Kjos <tkjos@google.com>
    binder: fix test regression due to sender_euid change

Mathias Nyman <mathias.nyman@linux.intel.com>
    usb: hub: Fix locking issues with address0_mutex

Mathias Nyman <mathias.nyman@linux.intel.com>
    usb: hub: Fix usb enumeration issue due to address0 race

Mingjie Zhang <superzmj@fibocom.com>
    USB: serial: option: add Fibocom FM101-GL variants

Daniele Palmas <dnlplm@gmail.com>
    USB: serial: option: add Telit LE910S1 0x9200 composition

Lee Jones <lee.jones@linaro.org>
    staging: ion: Prevent incorrect reference counting behavour


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/arm/boot/dts/bcm5301x.dtsi                    |   2 +
 arch/arm/include/asm/tlb.h                         |   8 +
 arch/arm/mach-socfpga/core.h                       |   2 +-
 arch/arm/mach-socfpga/platsmp.c                    |   8 +-
 arch/ia64/include/asm/tlb.h                        |  10 +
 arch/parisc/install.sh                             |   1 +
 arch/s390/include/asm/tlb.h                        |  13 ++
 arch/s390/kernel/setup.c                           |   3 -
 arch/sh/include/asm/tlb.h                          |  10 +
 arch/um/include/asm/tlb.h                          |  12 +
 drivers/android/binder.c                           |   2 +-
 drivers/ata/sata_fsl.c                             |  20 +-
 drivers/block/xen-blkfront.c                       | 126 +++++++---
 drivers/net/ethernet/dec/tulip/de4x5.c             |  34 +--
 drivers/net/ethernet/natsemi/xtsonic.c             |   2 +-
 .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c    |  10 +-
 drivers/net/xen-netfront.c                         | 257 +++++++++++++--------
 drivers/platform/x86/thinkpad_acpi.c               |  12 -
 drivers/scsi/mpt3sas/mpt3sas_scsih.c               |   2 +-
 drivers/scsi/scsi_transport_iscsi.c                |   6 +-
 drivers/staging/android/ion/ion.c                  |   6 +
 drivers/staging/rtl8192e/rtl8192e/rtl_core.c       |   3 +-
 drivers/tty/hvc/hvc_xen.c                          |  17 +-
 drivers/tty/serial/amba-pl011.c                    |   1 +
 drivers/tty/serial/msm_serial.c                    |   3 +
 drivers/usb/core/hub.c                             |  23 +-
 drivers/usb/serial/option.c                        |   5 +
 drivers/video/console/vgacon.c                     |  14 +-
 drivers/xen/xenbus/xenbus_probe.c                  |  27 ++-
 fs/file.c                                          |  19 +-
 fs/file_table.c                                    |   9 +-
 fs/fuse/dev.c                                      |  10 +-
 fs/nfs/nfs42xdr.c                                  |   3 +-
 fs/proc/vmcore.c                                   |  15 +-
 include/asm-generic/tlb.h                          |   7 +
 include/linux/file.h                               |   2 +
 include/linux/fs.h                                 |   4 +-
 include/linux/ipc_namespace.h                      |  15 ++
 include/linux/kprobes.h                            |   2 +
 include/linux/sched.h                              |   2 +-
 include/linux/shm.h                                |  13 +-
 include/linux/siphash.h                            |  14 +-
 include/net/nfc/nci_core.h                         |   1 +
 include/net/nl802154.h                             |   7 +-
 include/xen/interface/io/ring.h                    | 257 ++++++++++-----------
 ipc/shm.c                                          | 176 ++++++++++----
 kernel/kprobes.c                                   |   3 +
 kernel/trace/trace_events.c                        |   7 +
 lib/siphash.c                                      |  12 +-
 mm/hugetlb.c                                       |  58 ++++-
 net/ipv4/devinet.c                                 |   2 +-
 net/ipv4/tcp_cubic.c                               |   5 +-
 net/nfc/nci/core.c                                 |  19 +-
 sound/pci/ctxfi/ctamixer.c                         |  14 +-
 sound/pci/ctxfi/ctdaio.c                           |  16 +-
 sound/pci/ctxfi/ctresource.c                       |   7 +-
 sound/pci/ctxfi/ctresource.h                       |   4 +-
 sound/pci/ctxfi/ctsrc.c                            |   7 +-
 sound/soc/soc-topology.c                           |   3 +
 60 files changed, 894 insertions(+), 462 deletions(-)




* [PATCH v2] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
  2021-12-02 13:34  0% ` Hans Verkuil
@ 2021-12-03 15:40 18%   ` Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-12-03 15:40 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Hans Verkuil, Mauro Carvalho Chehab, linux-media, linux-kernel

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2:
  -  Add i2c_del_adapter in hexium_attach()
  -  Change 'return -1' to 'return -ENOMEM' in saa7146_vv_init

 drivers/media/common/saa7146/saa7146_fops.c | 2 +-
 drivers/media/pci/saa7146/hexium_gemini.c   | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c
index baf5772c52a9..be3215977714 100644
--- a/drivers/media/common/saa7146/saa7146_fops.c
+++ b/drivers/media/common/saa7146/saa7146_fops.c
@@ -521,7 +521,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv)
 		ERR("out of memory. aborting.\n");
 		kfree(vv);
 		v4l2_ctrl_handler_free(hdl);
-		return -1;
+		return -ENOMEM;
 	}
 
 	saa7146_video_uops.init(dev,vv);
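Review bot: -ENOMEM is the right code for this out-of-memory branch, but it is the only `return -1` the hunk touches; if saa7146_vv_init() has other `-1` returns they should change too, because once hexium_attach() starts propagating the value as an errno, -1 reads as -EPERM. The kfree(vv) and v4l2_ctrl_handler_free(hdl) already in this branch leave the caller's later dev->vv_data dereference as the only remaining hazard, which the hexium_gemini.c hunk below takes care of.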
diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index 2214c74bbbf1..3947701cd6c7 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -284,7 +284,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	hexium_set_input(hexium, 0);
 	hexium->cur_input = 0;
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		i2c_del_adapter(&hexium->i2c_adapter);
+		kfree(hexium);
+		return ret;
+	}
 
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
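Review bot: `ret` is assigned but no declaration of it appears in this hunk's context; check that hexium_attach() already has an `int ret` (the earlier i2c_add_adapter() failure path is not shown), otherwise this v2 needs that line to build. The unwind itself is right: the v2 changelog adds i2c_del_adapter(), which implies the adapter was registered before this point, so deleting it and then kfree(hexium) undoes what attach has done so far. No extra message is needed here because saa7146_vv_init() already prints "out of memory. aborting." before returning.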
-- 
2.25.1


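The fixes in this thread share one shape: an allocation's result is used without being tested, and the correct fix both tests it and undoes whatever the function had already set up before returning an errno (the hexium v2 above adds i2c_del_adapter() and kfree() for exactly that reason). The following is an added example, not kernel code and not from any of the patches here: plain userspace C with a fault-injecting allocator, so the failure path can actually be run and shown to leak nothing. xalloc/xfree, adapter_add/adapter_del, vv_init/vv_release, attach and run_scenario are invented stand-ins for the i2c and saa7146 calls, and the two-resource device is constructed for the demonstration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Fault-injecting allocator (constructed for this example): the Nth call,
 * 1-based, returns NULL when fail_on_alloc == N; 0 disables injection.
 * live_objects counts outstanding allocations so a failure path can be
 * shown to leak nothing.
 */
static int fail_on_alloc, alloc_count, live_objects;

static void *xalloc(size_t size)
{
	if (++alloc_count == fail_on_alloc)
		return NULL;
	live_objects++;
	return calloc(1, size);
}

static void xfree(void *p)
{
	if (p)
		live_objects--;
	free(p);
}

/* Two-resource device: stand-ins for the i2c adapter and saa7146 vv data. */
struct i2c_adapter { char name[16]; };
struct vv_data { int ops_installed; };
struct dev {
	struct i2c_adapter *i2c;
	struct vv_data *vv_data;
};

/* Resource 1, in the role of i2c_add_adapter()/i2c_del_adapter(). */
static int adapter_add(struct dev *dev)
{
	dev->i2c = xalloc(sizeof(*dev->i2c));
	if (!dev->i2c)
		return -ENOMEM;
	snprintf(dev->i2c->name, sizeof(dev->i2c->name), "hexium gemini");
	return 0;
}

static void adapter_del(struct dev *dev) { xfree(dev->i2c); dev->i2c = NULL; }

/* Resource 2, in the role of saa7146_vv_init(): fails with -ENOMEM, not -1. */
static int vv_init(struct dev *dev)
{
	dev->vv_data = xalloc(sizeof(*dev->vv_data));
	return dev->vv_data ? 0 : -ENOMEM;
}

static void vv_release(struct dev *dev) { xfree(dev->vv_data); dev->vv_data = NULL; }

/*
 * The fixed shape: check each step and, on failure, undo the earlier steps
 * in reverse order before returning the errno. Without the check after
 * vv_init(), the ops_installed store is the NULL dereference the analyzer flagged.
 */
static int attach(struct dev *dev)
{
	int ret = adapter_add(dev);

	if (ret)
		return ret;
	ret = vv_init(dev);
	if (ret) {
		adapter_del(dev);	/* undo resource 1 before reporting failure */
		return ret;
	}
	dev->vv_data->ops_installed = 1;	/* safe: vv_data checked above */
	return 0;
}

static void detach(struct dev *dev)
{
	vv_release(dev);
	adapter_del(dev);
}

/* Drive attach() with allocation number fail_alloc forced to fail (0 = none),
 * tear down on success, and report how many objects were left allocated. */
static int run_scenario(int fail_alloc, int *leaked)
{
	struct dev dev = { NULL, NULL };
	int ret;

	fail_on_alloc = fail_alloc;
	alloc_count = 0;
	live_objects = 0;
	ret = attach(&dev);
	if (ret == 0)
		detach(&dev);
	*leaked = live_objects;
	return ret;
}
```

run_scenario(2, &leaked) is the case the patches fix: the second allocation fails, attach() returns -ENOMEM and leaked stays 0 because adapter_del() ran. Deleting the `if (ret)` after vv_init() reproduces the original bug as a NULL store to dev->vv_data->ops_installed; deleting only the adapter_del() call turns it into the leak that the v2 changelog's i2c_del_adapter() addition prevents.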

* [PATCH v2] drm/gma500/cdv_intel_lvds: Fix a wild pointer dereference in cdv_intel_lvds_get_modes()
  2021-12-02 10:11  5% ` Patrik Jakobsson
@ 2021-12-03 15:33 18%   ` Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-12-03 15:33 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Patrik Jakobsson, David Airlie, Daniel Vetter, Dave Airlie,
	Alan Cox, dri-devel, linux-kernel

In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()
is assigned to mode and used in drm_mode_probed_add().
drm_mode_probed_add() passes mode->head to list_add_tail().
list_add_tail() will further call __list_add() and there is a
dereference of mode->head in __list_add(), which could lead to a wild
pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_GMA500=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 6a227d5fd6c4 ("gma500: Add support for Cedarview")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2:
  -  Use dev_err and return instead of returning error code.

 drivers/gpu/drm/gma500/cdv_intel_lvds.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/gma500/cdv_intel_lvds.c b/drivers/gpu/drm/gma500/cdv_intel_lvds.c
index 9e1cdb11023c..581fc8315631 100644
--- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c
+++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c
@@ -310,6 +310,11 @@ static int cdv_intel_lvds_get_modes(struct drm_connector *connector)
 	if (mode_dev->panel_fixed_mode != NULL) {
 		struct drm_display_mode *mode =
 		    drm_mode_duplicate(dev, mode_dev->panel_fixed_mode);
+		if (!mode) {
+			dev_err(dev->dev, "drm_mode_duplicate() failed.\n");
+			return 0;
+		}
+
 		drm_mode_probed_add(connector, mode);
 		return 1;
 	}
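Review bot: `return 0` is the correct failure value since get_modes() reports a mode count, but the `dev_err()` is redundant for an allocation failure: drm_mode_duplicate() fails only when its underlying kzalloc() does, and the allocator already warns, so a bare `if (!mode) return 0;` is enough (Johan makes the same point on the mv_u3d patch further down this page). The "wild pointer" wording in the commit message is accurate: with mode NULL, drm_mode_probed_add() hands `&mode->head`, a small non-NULL offset, to list_add_tail().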
-- 
2.25.1



* [PATCH v2] drm/radeon/radeon_connectors: Fix a NULL pointer dereference in radeon_fp_native_mode()
  2021-12-01 20:04  5% ` Alex Deucher
@ 2021-12-03 15:23 18%   ` Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-12-03 15:23 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Alex Deucher, Christian König, Pan, Xinhui,
	David Airlie, Daniel Vetter, Dave Airlie, amd-gfx, dri-devel,
	linux-kernel

In radeon_fp_native_mode(), the return value of drm_mode_duplicate() is
assigned to mode and there is a dereference of it in
radeon_fp_native_mode(), which could lead to a NULL pointer
dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_RADEON=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: d2efdf6d6f42 ("drm/radeon/kms: add cvt mode if we only have lvds w/h and no edid (v4)")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2:
  -  Add a similar check in else clause

 drivers/gpu/drm/radeon/radeon_connectors.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
index 607ad5620bd9..7953830cc8b5 100644
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -473,6 +473,9 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode
 	    native_mode->vdisplay != 0 &&
 	    native_mode->clock != 0) {
 		mode = drm_mode_duplicate(dev, native_mode);
+		if (!mode)
+			return NULL;
+
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		drm_mode_set_name(mode);
 
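Review bot: returning NULL here is only safe if every caller of radeon_fp_native_mode() tests the result before dereferencing it; the hunk does not show the callers, so that should be confirmed in the review (the v2 changelog mentions only the else clause of this function). Because the surrounding if-condition already guards on native_mode fields, this early return is the sole new NULL source on this branch.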
@@ -487,6 +490,9 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode
 		 * simpler.
 		 */
 		mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false);
+		if (!mode)
+			return NULL;
+
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name);
 	}
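Review bot: drm_cvt_mode() allocates its mode through drm_mode_create() just as drm_mode_duplicate() does, so this check is as necessary as the one in the first hunk; good catch adding it in v2. Since both branches then set `mode->type` and use `mode` immediately, the per-branch checks are the right placement rather than one check after the if/else. The `Fixes:` tag pointing at the commit that introduced the CVT fallback covers both sites.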
-- 
2.25.1


^ permalink raw reply related	[relevance 18%]

* Re: [PATCH v2] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
  2021-12-02 16:03 18% ` [PATCH v2] " Zhou Qingyang
@ 2021-12-03 13:30  0%   ` Dan Carpenter
  2021-12-14 13:46  5%   ` Mauro Carvalho Chehab
  1 sibling, 0 replies; 200+ results
From: Dan Carpenter @ 2021-12-03 13:30 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman,
	Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Hans Verkuil,
	Maxime Jourdan, linux-media, linux-amlogic, linux-staging,
	linux-arm-kernel, linux-kernel

On Fri, Dec 03, 2021 at 12:03:57AM +0800, Zhou Qingyang wrote:
> In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
> to a NULL pointer dereference on failure of kzalloc().
> 
> I fix this bug by adding a NULL check of new_ts.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
  ^^^
Thanks.  Next time put the meta commentary about how the bug was found
and the QC process under the --- cut off line.  We don't need to
have that drama stored in the permanent git log.

Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>

regards,
dan carpenter



* Re: [PATCH] usb: gadget: mv_u3d: Fix a NULL pointer dereference in mv_u3d_req_to_trb()
  2021-11-30 17:29 19% [PATCH] usb: gadget: mv_u3d: Fix a NULL pointer dereference in mv_u3d_req_to_trb() Zhou Qingyang
@ 2021-12-03 10:53  0% ` Johan Hovold
  2022-01-24 12:12 19%   ` [PATCH v2] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Johan Hovold @ 2021-12-03 10:53 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Felipe Balbi, Greg Kroah-Hartman, Nadezda Lutovinova,
	Yu Xu, linux-usb, linux-kernel

On Wed, Dec 01, 2021 at 01:29:17AM +0800, Zhou Qingyang wrote:
> In mv_u3d_req_to_trb(), mv_u3d_build_trb_one() is assigned to trb and
> there is a dereference of it in mv_u3d_req_to_trb(), which could lead
> to a NULL pointer dereference on failure of mv_u3d_build_trb_one().
> 
> Fix this bug by adding a check of trb.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_USB_MV_U3D=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 3d4eb9dfa3e8 ("usb: gadget: mv: Add USB 3.0 device driver for Marvell PXA2128 chip.")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/usb/gadget/udc/mv_u3d_core.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/mv_u3d_core.c
> index a1057ddfbda3..e90ef4046a9d 100644
> --- a/drivers/usb/gadget/udc/mv_u3d_core.c
> +++ b/drivers/usb/gadget/udc/mv_u3d_core.c
> @@ -417,6 +417,12 @@ static int mv_u3d_req_to_trb(struct mv_u3d_req *req)
>  	 */
>  	if (length <= (unsigned)MV_U3D_EP_MAX_LENGTH_TRANSFER) {
>  		trb = mv_u3d_build_trb_one(req, &count, &dma);
> +		if (!trb) {
> +			dev_err(u3d->dev, "%s, mv_u3d_build_trb_one fail\n",
> +				__func__);

This looks correct, but the error message isn't needed as failures would
already have been logged by the helper (allocator).

> +			return -ENOMEM;
> +		}
> +
>  		list_add_tail(&trb->trb_list, &req->trb_list);
>  		req->trb_head = trb;
>  		req->trb_count = 1;
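Review bot: this hunk covers only the single-TRB path (`length <= MV_U3D_EP_MAX_LENGTH_TRANSFER`); the `else` branch for longer transfers lies outside the hunk and should get the same allocation check, or the function is only half fixed. Returning -ENOMEM before `list_add_tail()` is correct because nothing has been queued yet, and, as noted above, the `dev_err()` can go since the allocator already logged the failure.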

Johan


* [PATCH v2] drm/gma500/psb_intel_lvds: Fix a wild pointer dereference in psb_intel_lvds_get_modes()
  2021-12-02 10:09  5% ` Patrik Jakobsson
@ 2021-12-03  3:55 18%   ` Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-12-03  3:55 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Patrik Jakobsson, David Airlie, Daniel Vetter, Dave Airlie,
	Alan Cox, dri-devel, linux-kernel

In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate()
is assigned to mode and used in drm_mode_probed_add().
drm_mode_probed_add() passes mode->head to list_add_tail().
list_add_tail() will further call __list_add() and there is a
dereference of mode->head in __list_add(), which could lead to a wild
pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_GMA500=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 89c78134cc54 ("gma500: Add Poulsbo support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2:
  -  Use dev_err and return 0 instead of returning error code.

 drivers/gpu/drm/gma500/psb_intel_lvds.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c
index ac97e0d3c7dd..3b3aa8fba6c9 100644
--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c
+++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c
@@ -505,6 +505,11 @@ static int psb_intel_lvds_get_modes(struct drm_connector *connector)
 	if (mode_dev->panel_fixed_mode != NULL) {
 		struct drm_display_mode *mode =
 		    drm_mode_duplicate(dev, mode_dev->panel_fixed_mode);
+		if (!mode) {
+			dev_err(dev->dev, "drm_mode_duplicate() allocation error\n");
+			return 0;
+		}
+
 		drm_mode_probed_add(connector, mode);
 		return 1;
 	}
-- 
2.25.1



* Re: [PATCH v5] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
  2021-12-01 15:15  0%   ` Christian König
@ 2021-12-02 17:13  0%     ` Alex Deucher
  0 siblings, 0 replies; 200+ results
From: Alex Deucher @ 2021-12-02 17:13 UTC (permalink / raw)
  To: Christian König
  Cc: Zhou Qingyang, David Airlie, Pan, Xinhui, Kangjie Lu, LKML,
	amd-gfx list, Maling list - DRI developers, Alex Deucher

Applied.  Thanks!

Alex

On Wed, Dec 1, 2021 at 10:16 AM Christian König
<christian.koenig@amd.com> wrote:
>
> Am 01.12.21 um 16:13 schrieb Zhou Qingyang:
> > In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
> > vm->ib_bo_va and passed to and used in radeon_vm_bo_set_addr(). In
> > radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
> > which could lead to a NULL pointer dereference on failure of
> > radeon_vm_bo_add().
> >
> > Fix this bug by adding a check of vm->ib_bo_va.
> >
> > This bug was found by a static analyzer. The analysis employs
> > differential checking to identify inconsistent security operations
> > (e.g., checks or kfrees) between two code paths and confirms that the
> > inconsistent operations are not recovered in the current function or
> > the callers, so they constitute bugs.
> >
> > Note that, as a bug found by static analysis, it can be a false
> > positive or hard to trigger. Multiple researchers have cross-reviewed
> > the bug.
> >
> > Builds with CONFIG_DRM_RADEON=m show no new warnings,
> > and our static analyzer no longer warns about this code.
> >
> > Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
> > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> > ---
> > Changes in v5:
> >    -  Use conditions to avoid unnecessary initialization
> >
> > Changes in v4:
> >    -  Initialize the variables to silence warning
> >
> > Changes in v3:
> >    -  Fix the bug that good case will also be freed
> >    -  Improve code style
> >
> > Changes in v2:
> >    -  Improve the error handling into goto style
> >
> >   drivers/gpu/drm/radeon/radeon_kms.c | 36 ++++++++++++++++-------------
> >   1 file changed, 20 insertions(+), 16 deletions(-)
> >
> > diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
> > index 482fb0ae6cb5..66aee48fd09d 100644
> > --- a/drivers/gpu/drm/radeon/radeon_kms.c
> > +++ b/drivers/gpu/drm/radeon/radeon_kms.c
> > @@ -648,6 +648,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
> >   int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
> >   {
> >       struct radeon_device *rdev = dev->dev_private;
> > +     struct radeon_fpriv *fpriv;
> > +     struct radeon_vm *vm;
> >       int r;
> >
> >       file_priv->driver_priv = NULL;
> > @@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
> >
> >       /* new gpu have virtual address space support */
> >       if (rdev->family >= CHIP_CAYMAN) {
> > -             struct radeon_fpriv *fpriv;
> > -             struct radeon_vm *vm;
> >
> >               fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
> >               if (unlikely(!fpriv)) {
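Review bot: removing the two local declarations leaves the `if (rdev->family >= CHIP_CAYMAN) {` block opening with an empty line before `fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);`; drop that blank line so the block body starts directly after the brace (checkpatch warns about blank lines after an open brace).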
> > @@ -672,35 +672,39 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
> >               if (rdev->accel_working) {
> >                       vm = &fpriv->vm;
> >                       r = radeon_vm_init(rdev, vm);
> > -                     if (r) {
> > -                             kfree(fpriv);
> > -                             goto out_suspend;
> > -                     }
> > +                     if (r)
> > +                             goto out_fpriv;
> >
> >                       r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
> > -                     if (r) {
> > -                             radeon_vm_fini(rdev, vm);
> > -                             kfree(fpriv);
> > -                             goto out_suspend;
> > -                     }
> > +                     if (r)
> > +                             goto out_vm_fini;
> >
> >                       /* map the ib pool buffer read only into
> >                        * virtual address space */
> >                       vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
> >                                                       rdev->ring_tmp_bo.bo);
> > +                     if (!vm->ib_bo_va) {
> > +                             r = -ENOMEM;
> > +                             goto out_vm_fini;
> > +                     }
> > +
> >                       r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
> >                                                 RADEON_VA_IB_OFFSET,
> >                                                 RADEON_VM_PAGE_READABLE |
> >                                                 RADEON_VM_PAGE_SNOOPED);
> > -                     if (r) {
> > -                             radeon_vm_fini(rdev, vm);
> > -                             kfree(fpriv);
> > -                             goto out_suspend;
> > -                     }
> > +                     if (r)
> > +                             goto out_vm_fini;
> >               }
> >               file_priv->driver_priv = fpriv;
> >       }
> >
> > +     if (!r)
>
> I think that test is unnecessary now, maybe double check.
>
> Either way patch Reviewed-by: Christian König
> <christian.koenig@amd.com>. Alex will probably pick it up now.
>
> Thanks for the help,
> Christian.
>
> > +             goto out_suspend;
> > +
> > +out_vm_fini:
> > +     radeon_vm_fini(rdev, vm);
> > +out_fpriv:
> > +     kfree(fpriv);
> >   out_suspend:
> >       pm_runtime_mark_last_busy(dev->dev);
> >       pm_runtime_put_autosuspend(dev->dev);
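Review bot: the `if (!r) goto out_suspend;` that ends this hunk is doing the job of an unconditional `goto out_suspend;` (as Christian also notes) and is fragile: it only skips the `out_vm_fini`/`out_fpriv` labels when `r` is exactly 0 on every successful path, including the `rdev->family < CHIP_CAYMAN` path, where `r` still holds whatever value it had before the block and `vm` and `fpriv` (now function-scope after the first hunk) were never assigned. Any non-zero success value there would fall through into `radeon_vm_fini(rdev, vm)` and `kfree(fpriv)` on uninitialised pointers. Make the jump unconditional so the cleanup labels are reachable only from the explicit error gotos.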
>


* Re: [PATCH v2] drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()
  2021-12-02 16:17 18%   ` [PATCH v2] drm/amdgpu: Fix " Zhou Qingyang
@ 2021-12-02 17:10  5%     ` Alex Deucher
  0 siblings, 0 replies; 200+ results
From: Alex Deucher @ 2021-12-02 17:10 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: Jammy Zhou, David Airlie, Maling list - DRI developers, Pan,
	Xinhui, Kangjie Lu, LKML, hongao, amd-gfx list, Alex Deucher,
	Christian König

Applied.  Thanks!

Alex

On Thu, Dec 2, 2021 at 11:17 AM Zhou Qingyang <zhou1615@umn.edu> wrote:
>
> In amdgpu_connector_lcd_native_mode(), the return value of
> drm_mode_duplicate() is assigned to mode, and there is a dereference
> of it in amdgpu_connector_lcd_native_mode(), which will lead to a NULL
> pointer dereference on failure of drm_mode_duplicate().
>
> Fix this bug by adding a check of mode.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_AMDGPU=m show no new warnings, and
> our static analyzer no longer warns about this code.
>
> Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> Changes in v2:
>   -  Fix the similar bug in else clause
>
>  drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
> index 0de66f59adb8..df1f9b88a53f 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
> @@ -387,6 +387,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
>             native_mode->vdisplay != 0 &&
>             native_mode->clock != 0) {
>                 mode = drm_mode_duplicate(dev, native_mode);
> +               if (!mode)
> +                       return NULL;
> +
>                 mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
>                 drm_mode_set_name(mode);
>
> @@ -401,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
>                  * simpler.
>                  */
>                 mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false);
> +               if (!mode)
> +                       return NULL;
> +
>                 mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
>                 DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name);
>         }
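Review bot: the commit message only describes the `drm_mode_duplicate()` path, but this second hunk guards `drm_cvt_mode()` in the else clause as well; the v2 changelog mentions it, the description does not. Update the description so the log records both allocation sites the patch checks.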
> --
> 2.25.1
>


* [PATCH v2] drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()
  2021-12-01 20:03  5% ` Alex Deucher
@ 2021-12-02 16:17 18%   ` Zhou Qingyang
  2021-12-02 17:10  5%     ` Alex Deucher
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-12-02 16:17 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Alex Deucher, Christian König, Pan, Xinhui,
	David Airlie, Daniel Vetter, hongao, Jammy Zhou, amd-gfx,
	dri-devel, linux-kernel

In amdgpu_connector_lcd_native_mode(), the return value of
drm_mode_duplicate() is assigned to mode, and there is a dereference
of it in amdgpu_connector_lcd_native_mode(), which will lead to a NULL
pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_AMDGPU=m show no new warnings, and
our static analyzer no longer warns about this code.

Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2:
  -  Fix the similar bug in else clause

 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
index 0de66f59adb8..df1f9b88a53f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
@@ -387,6 +387,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
 	    native_mode->vdisplay != 0 &&
 	    native_mode->clock != 0) {
 		mode = drm_mode_duplicate(dev, native_mode);
+		if (!mode)
+			return NULL;
+
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		drm_mode_set_name(mode);
 
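Review bot: `return NULL` is the right shape for this failure: the function returns a `struct drm_display_mode *` and this block sits under a guard (`native_mode->hdisplay != 0 && ...`) that can be false, so callers should already be written to handle a NULL result and the allocation failure degrades to "no native mode" with no new error path to audit. Confirm that the callers do test the return value, and say so in the commit message, which currently only states that the dereference is avoided.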
@@ -401,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
 		 * simpler.
 		 */
 		mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false);
+		if (!mode)
+			return NULL;
+
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name);
 	}
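Review bot: the check is correctly placed before the `DRM_DEBUG_KMS("Adding cvt approximation ... %s\n", mode->name)` line, which would otherwise be the first dereference on this path; keep that ordering if the block is ever reshuffled. Both hunks now collapse an allocation failure into the same NULL result as "no native mode", so the caller cannot distinguish the two; that is acceptable for a transient allocation failure but is worth one sentence in the description.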
-- 
2.25.1



* [PATCH v2] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
  @ 2021-12-02 16:03 18% ` Zhou Qingyang
  2021-12-03 13:30  0%   ` Dan Carpenter
  2021-12-14 13:46  5%   ` Mauro Carvalho Chehab
  0 siblings, 2 replies; 200+ results
From: Zhou Qingyang @ 2021-12-02 16:03 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman,
	Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Hans Verkuil,
	Maxime Jourdan, linux-media, linux-amlogic, linux-staging,
	linux-arm-kernel, linux-kernel

In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
to a NULL pointer dereference on failure of kzalloc().

I fix this bug by adding a NULL check of new_ts.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2:
  -  Delete dev_err() message

 drivers/staging/media/meson/vdec/vdec_helpers.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
index b9125c295d1d..ac60514c475b 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.c
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
@@ -234,6 +234,9 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
 	unsigned long flags;
 
 	new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
+	if (!new_ts)
+		return;
+
 	new_ts->ts = ts;
 	new_ts->tc = tc;
 	new_ts->offset = offset;
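Review bot: `amvdec_add_ts()` is `void` (see the hunk header), so the early `return` silently drops the timestamp and the caller continues as if it had been queued; the session's timestamp list then has one entry fewer than frames submitted. If that is an acceptable degradation the commit message should say so; otherwise changing the function to return `int` and propagating `-ENOMEM` to the caller would be the fuller fix.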
-- 
2.25.1



* [PATCH v2] ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan()
  2021-12-01 17:22  0% ` Jeff Johnson
@ 2021-12-02 15:53 18%   ` Zhou Qingyang
  2021-12-14 15:31  7%     ` Kalle Valo
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-12-02 15:53 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Kalle Valo, David S. Miller, Jakub Kicinski,
	Pradeep Kumar Chitrapu, Shashidhar Lakkavalli, Ganesh Sesetti,
	kbuild test robot, John Crispin, ath11k, linux-wireless, netdev,
	linux-kernel

In ath11k_mac_op_hw_scan(), the return value of kzalloc() is directly
used in memcpy(), which may lead to a NULL pointer dereference on
failure of kzalloc().

Fix this bug by adding a check of arg.extraie.ptr.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_ATH11K=m show no new warnings, and our static
analyzer no longer warns about this code.

Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2:
  -  Use kmemdup() instead of kzalloc()

 drivers/net/wireless/ath/ath11k/mac.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 1cc55602787b..dcefe444e7e3 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -3237,9 +3237,12 @@ static int ath11k_mac_op_hw_scan(struct ieee80211_hw *hw,
 	arg.scan_id = ATH11K_SCAN_ID;
 
 	if (req->ie_len) {
+		arg.extraie.ptr = kmemdup(req->ie, req->ie_len, GFP_KERNEL);
+		if (!arg.extraie.ptr) {
+			ret = -ENOMEM;
+			goto exit;
+		}
 		arg.extraie.len = req->ie_len;
-		arg.extraie.ptr = kzalloc(req->ie_len, GFP_KERNEL);
-		memcpy(arg.extraie.ptr, req->ie, req->ie_len);
 	}
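Review bot: `kmemdup()` is the right replacement for the `kzalloc()` plus `memcpy()` pair, and setting `arg.extraie.len` only after the copy succeeds keeps `len` and `ptr` consistent on the failure path. One thing the hunk does not show and that needs confirming: this `goto exit` is now the first early exit after `arg.scan_id = ATH11K_SCAN_ID;`, so the `exit` label must undo whatever scan state the function set up before this point, or a failed `kmemdup()` leaves the scan half-initialised. The kzalloc-to-kmemdup switch also belongs in the commit message body, not only in the v2 changelog.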
 
 	if (req->n_ssids) {
-- 
2.25.1



* Re: [PATCH] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
  2021-11-30 16:15 19% [PATCH] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() Zhou Qingyang
@ 2021-12-02 13:34  0% ` Hans Verkuil
  2021-12-03 15:40 18%   ` [PATCH v2] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Hans Verkuil @ 2021-12-02 13:34 UTC (permalink / raw)
  To: Zhou Qingyang; +Cc: kjlu, Mauro Carvalho Chehab, linux-media, linux-kernel

On 30/11/2021 17:15, Zhou Qingyang wrote:
> In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
> a new memory for dev->vv_data. saa7146_vv_release() will be called on
> failure of saa7146_register_device(). There is a dereference of
> dev->vv_data in saa7146_vv_release(), which could lead to a NULL
> pointer dereference on failure of saa7146_vv_init().
> 
> Fix this bug by adding a check of saa7146_vv_init().
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/media/pci/saa7146/hexium_gemini.c | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
> index 2214c74bbbf1..549b1ddc59b5 100644
> --- a/drivers/media/pci/saa7146/hexium_gemini.c
> +++ b/drivers/media/pci/saa7146/hexium_gemini.c
> @@ -284,7 +284,11 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
>  	hexium_set_input(hexium, 0);
>  	hexium->cur_input = 0;
>  
> -	saa7146_vv_init(dev, &vv_data);
> +	ret = saa7146_vv_init(dev, &vv_data);
> +	if (ret) {
> +		kfree(hexium);

You need to call i2c_del_adapter(&hexium->i2c_adapter); as well.

Also, saa7146_vv_init() needs to be fixed since it can return -1: that should
be -ENOMEM. Otherwise a -1 error code could be returned here, that's not
what you want.

Regards,

	Hans

> +		return ret;
> +	}
>  
>  	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
>  	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
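Review bot: in addition to the missing `i2c_del_adapter()` Hans points out, the unwind on this path should mirror the setup order (adapter deleted first, then `kfree(hexium)`), and since `hexium_set_input(hexium, 0)` has already programmed the hardware before this point, whatever that enabled is left in place on return; a short comment would make clear that this is intended. The commit message also lacks the `Fixes:` tag the sibling patches carry; the commit that introduced the unchecked `saa7146_vv_init()` call should be named.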
> 



* Re: [PATCH] media: vidtv: Fix a wild pointer dereference in vidtv_channel_pmt_match_sections()
  2021-11-30 16:39 18% [PATCH] media: vidtv: Fix a wild pointer dereference in vidtv_channel_pmt_match_sections() Zhou Qingyang
@ 2021-12-02 13:42  0% ` Hans Verkuil
  0 siblings, 0 replies; 200+ results
From: Hans Verkuil @ 2021-12-02 13:42 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Daniel W. S. Almeida, Mauro Carvalho Chehab, linux-media,
	linux-kernel

On 30/11/2021 17:39, Zhou Qingyang wrote:
> In vidtv_channel_pmt_match_sections(), vidtv_psi_pmt_stream_init() is
> assigned to tail and &tail->descriptor is used in
> vidtv_psi_desc_assign(). There is a dereference of &tail->descriptor
> in vidtv_psi_desc_assign(), which could lead to a wild pointer
> dereference onfailure of vidtv_psi_pmt_stream_init().

onfailure -> on failure

> 
> Fix this bug by adding a check of tail.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_DVB_VIDTV=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/media/test-drivers/vidtv/vidtv_channel.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/drivers/media/test-drivers/vidtv/vidtv_channel.c b/drivers/media/test-drivers/vidtv/vidtv_channel.c
> index 7838e6272712..f2faa5504642 100644
> --- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
> +++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
> @@ -318,6 +318,10 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel *channels,
>  	struct vidtv_psi_table_pmt_stream *s = NULL;
>  	struct vidtv_channel *cur_chnl = channels;
>  	struct vidtv_psi_desc *desc = NULL;
> +	struct vidtv_mux *m = container_of(&channels,
> +					struct vidtv_mux,
> +					channels);
> +
>  	u16 e_pid; /* elementary stream pid */
>  	u16 curr_id;
>  	u32 j;
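Review bot: `container_of(&channels, struct vidtv_mux, channels)` is wrong: `channels` is this function's pointer parameter (see the hunk header), so `&channels` is the address of that pointer on the stack, not the address of a `struct vidtv_mux`'s `channels` member, and `m` ends up pointing into the stack frame. The `m->dev` use in the next hunk would then read garbage. `container_of()` cannot recover the mux from a pointer parameter; pass the `struct vidtv_mux *` (or its `dev`) into the function explicitly.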
> @@ -341,6 +345,13 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel *channels,
>  					tail = vidtv_psi_pmt_stream_init(tail,
>  									 s->type,
>  									 e_pid);
> +
> +					if (!tail) {
> +						vidtv_psi_pmt_stream_destroy(head);

I honestly can't tell if this is the right thing to do.

Daniel, can you take a look at this?

> +						dev_warn_ratelimited(m->dev,
> +							"No enough memory for vidtv_psi_pmt_stream_init");

No -> Not
Add newline at the end of the string.

> +						return;
> +					}
> 
>  					if (!head)
>  						head = tail;
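Review bot: on the first iteration `head` is still NULL when `vidtv_psi_pmt_stream_init()` fails (the `if (!head) head = tail;` that follows has not run yet), so `vidtv_psi_pmt_stream_destroy(head)` is called with NULL; confirm the destroy helper tolerates that, or skip the call when `head` is NULL. Returning from this `void` function also leaves the caller unaware that the PMT streams for the channel were dropped, which is worth stating in the commit message alongside the message-wording fixes Hans asked for.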
> 

Regards,

	Hans


* Re: [PATCH] drm/gma500/cdv_intel_lvds: Fix a wild pointer dereference in cdv_intel_lvds_get_modes()
  2021-11-30 13:26 19% [PATCH] drm/gma500/cdv_intel_lvds: Fix a wild pointer dereference in cdv_intel_lvds_get_modes() Zhou Qingyang
@ 2021-12-02 10:11  5% ` Patrik Jakobsson
  2021-12-03 15:33 18%   ` [PATCH v2] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Patrik Jakobsson @ 2021-12-02 10:11 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, David Airlie, Daniel Vetter, Dave Airlie, Alan Cox,
	dri-devel, linux-kernel

On Tue, Nov 30, 2021 at 2:26 PM Zhou Qingyang <zhou1615@umn.edu> wrote:
>
> In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()
> is assigned to mode and used in drm_mode_probed_add().
> drm_mode_probed_add() passes mode->head to list_add_tail().
> list_add_tail() will further call __list_add() and there is a
> dereference of mode->head in __list_add(), which could lead to a wild
> pointer dereference on failure of drm_mode_duplicate().
>
> Fix this bug by adding a check of mode.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_GMA500=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: 6a227d5fd6c4 ("gma500: Add support for Cedarview")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/gpu/drm/gma500/cdv_intel_lvds.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/gma500/cdv_intel_lvds.c b/drivers/gpu/drm/gma500/cdv_intel_lvds.c
> index 9e1cdb11023c..56aec41ebb1a 100644
> --- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c
> +++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c
> @@ -310,6 +310,9 @@ static int cdv_intel_lvds_get_modes(struct drm_connector *connector)
>         if (mode_dev->panel_fixed_mode != NULL) {
>                 struct drm_display_mode *mode =
>                     drm_mode_duplicate(dev, mode_dev->panel_fixed_mode);
> +               if (!mode)
> +                       return -ENOMEM;
> +

Same problem here as in the other patches.

>                 drm_mode_probed_add(connector, mode);
>                 return 1;
>         }
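Review bot: `return -ENOMEM` from a `.get_modes` callback is treated by the DRM core as a count of probed modes, not as an error code; the function should `return 0;` here (no modes added) so the connector reports an empty mode list for this probe and a later probe can succeed.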
> --
> 2.25.1
>


* Re: [PATCH] drm/gma500/psb_intel_lvds: Fix a wild pointer dereference in psb_intel_lvds_get_modes()
  2021-11-30 13:29 19% [PATCH] drm/gma500/psb_intel_lvds: Fix a wild pointer dereference in psb_intel_lvds_get_modes() Zhou Qingyang
@ 2021-12-02 10:09  5% ` Patrik Jakobsson
  2021-12-03  3:55 18%   ` [PATCH v2] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Patrik Jakobsson @ 2021-12-02 10:09 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, David Airlie, Daniel Vetter, Alan Cox, Dave Airlie,
	dri-devel, linux-kernel

On Tue, Nov 30, 2021 at 2:30 PM Zhou Qingyang <zhou1615@umn.edu> wrote:
>
> In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate()
> is assigned to mode and used in drm_mode_probed_add().
> drm_mode_probed_add() passes mode->head to list_add_tail().
> list_add_tail() will further call __list_add() and there is a
> dereference of mode->head in __list_add(), which could lead to a wild
> pointer dereference on failure of drm_mode_duplicate().
>
> Fix this bug by adding a check of mode.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_GMA500=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: 89c78134cc54 ("gma500: Add Poulsbo support")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/gpu/drm/gma500/psb_intel_lvds.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c
> index ac97e0d3c7dd..da928189be91 100644
> --- a/drivers/gpu/drm/gma500/psb_intel_lvds.c
> +++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c
> @@ -505,6 +505,9 @@ static int psb_intel_lvds_get_modes(struct drm_connector *connector)
>         if (mode_dev->panel_fixed_mode != NULL) {
>                 struct drm_display_mode *mode =
>                     drm_mode_duplicate(dev, mode_dev->panel_fixed_mode);
> +               if (!mode)
> +                       return -ENOMEM;
> +

Hi, Zhou.

psb_intel_lvds_get_modes() implements .get_modes in struct
drm_connector_helper_funcs. It should return the number of added modes
and not an error code.

-Patrik

>                 drm_mode_probed_add(connector, mode);
>                 return 1;
>         }
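Review bot: following Patrik's point, the concrete change is `return 0;` in place of `return -ENOMEM;`: a transient `drm_mode_duplicate()` failure then reports zero modes for this probe, nothing is leaked because `drm_mode_probed_add()` is never reached, and no separate error log is needed because the failed allocation already warns.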
> --
> 2.25.1
>


* Re: [PATCH] drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
  2021-12-01 21:15  0%   ` Liviu Dudau
@ 2021-12-02  9:39  0%     ` Steven Price
  0 siblings, 0 replies; 200+ results
From: Steven Price @ 2021-12-02  9:39 UTC (permalink / raw)
  To: Liviu Dudau
  Cc: Zhou Qingyang, David Airlie, kjlu, linux-kernel, dri-devel,
	James (Qian) Wang, Mihail Atanassov

On 01/12/2021 21:15, Liviu Dudau wrote:
> On Wed, Dec 01, 2021 at 03:44:03PM +0000, Steven Price wrote:
>> On 30/11/2021 14:25, Zhou Qingyang wrote:
>>> In komeda_plane_add(), komeda_get_layer_fourcc_list() is assigned to
>>> formats and used in drm_universal_plane_init().
>>> drm_universal_plane_init() passes formats to
>>> __drm_universal_plane_init(). __drm_universal_plane_init() further
>>> passes formats to memcpy() as src parameter, which could lead to an
>>> undefined behavior bug on failure of komeda_get_layer_fourcc_list().
>>>
>>> Fix this bug by adding a check of formats.
>>>
>>> This bug was found by a static analyzer. The analysis employs
>>> differential checking to identify inconsistent security operations
>>> (e.g., checks or kfrees) between two code paths and confirms that the
>>> inconsistent operations are not recovered in the current function or
>>> the callers, so they constitute bugs.
>>>
>>> Note that, as a bug found by static analysis, it can be a false
>>> positive or hard to trigger. Multiple researchers have cross-reviewed
>>> the bug.
>>>
>>> Builds with CONFIG_DRM_KOMEDA=m show no new warnings,
>>> and our static analyzer no longer warns about this code.
>>>
>>> Fixes: 61f1c4a8ab75 ("drm/komeda: Attach komeda_dev to DRM-KMS")
>>> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
>>> ---
>>>  drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 4 ++++
>>>  1 file changed, 4 insertions(+)
>>>
>>> diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
>>> index d63d83800a8a..dd3f17e970dd 100644
>>> --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
>>> +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
>>> @@ -265,6 +265,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms,
>>>  
>>>  	formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl,
>>>  					       layer->layer_type, &n_formats);
>>> +	if (!formats) {
>>> +		err = -ENOMEM;
>>> +		goto cleanup;
>>> +	}
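Review bot: `goto cleanup` on this path reaches `komeda_plane_destroy()` before `drm_universal_plane_init()` has run, so the plane's list head is torn down before it was ever linked (Steven spells this out below); the minimal correct change is `kfree(kplane); return -ENOMEM;`. The title and description should also be reworded to describe the actual impact of a NULL `formats` with `n_formats` left at 0, rather than the generic "undefined behavior" framing.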
>>
>> If this executes it will cause undefined behaviour...
>>
>> The cleanup code calls komeda_plane_destroy() which calls
>> drm_plane_cleanup() which does (amongst other things) a
>> list_del(&plane->head). But the plane hasn't been put on a list yet as
>> that's done in drm_universal_plane_init().
>>
>> So in this case we simply want to do:
>>
>> if (!formats) {
>> 	kfree(kplane);
>> 	return -ENOMEM;
>> }
> 
> Zhou has already posted v2 that contains this fix.

Sorry, for some reason Zhou's patch appeared twice on the list and I
hadn't spotted your reply to the other version. My mistake.

>>
>> Note that without this 'fix' a NULL return from
>> komeda_get_layer_fourcc_list() would leave n_formats==0, so while the
>> NULL pointer is passed into memcpy() it is also passed a length of 0.
>> Which I believe is safe.
>>
>> However while looking at this function...
>>
>>>  
>>>  	err = drm_universal_plane_init(&kms->base, plane,
>>>  			get_possible_crtcs(kms, c->pipeline),
>>>
>>
>> This call to drm_universal_plane_init() can fail early before
>> plane->head has been initialised. In which case the following:
>>
>>> 	komeda_put_fourcc_list(formats);
>>>
>>> 	if (err)
>>> 		goto cleanup;
>>
>> commits the exact same sin and would cause a similar NULL dereference in
>> drm_plane_cleanup().
> 
> I will come up with a patch for this case and post it to the list tomorrow.

Great, thanks for taking a look - I'm afraid I couldn't see an obvious fix.

Regards,

Steven


* Re: [PATCH] drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
  2021-12-01 15:44  0% ` Steven Price
@ 2021-12-01 21:15  0%   ` Liviu Dudau
  2021-12-02  9:39  0%     ` Steven Price
  0 siblings, 1 reply; 200+ results
From: Liviu Dudau @ 2021-12-01 21:15 UTC (permalink / raw)
  To: Steven Price
  Cc: Zhou Qingyang, David Airlie, kjlu, linux-kernel, dri-devel,
	James (Qian) Wang, Mihail Atanassov

On Wed, Dec 01, 2021 at 03:44:03PM +0000, Steven Price wrote:
> On 30/11/2021 14:25, Zhou Qingyang wrote:
> > In komeda_plane_add(), komeda_get_layer_fourcc_list() is assigned to
> > formats and used in drm_universal_plane_init().
> > drm_universal_plane_init() passes formats to
> > __drm_universal_plane_init(). __drm_universal_plane_init() further
> > passes formats to memcpy() as src parameter, which could lead to an
> > undefined behavior bug on failure of komeda_get_layer_fourcc_list().
> > 
> > Fix this bug by adding a check of formats.
> > 
> > This bug was found by a static analyzer. The analysis employs
> > differential checking to identify inconsistent security operations
> > (e.g., checks or kfrees) between two code paths and confirms that the
> > inconsistent operations are not recovered in the current function or
> > the callers, so they constitute bugs.
> > 
> > Note that, as a bug found by static analysis, it can be a false
> > positive or hard to trigger. Multiple researchers have cross-reviewed
> > the bug.
> > 
> > Builds with CONFIG_DRM_KOMEDA=m show no new warnings,
> > and our static analyzer no longer warns about this code.
> > 
> > Fixes: 61f1c4a8ab75 ("drm/komeda: Attach komeda_dev to DRM-KMS")
> > Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> > ---
> >  drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> > index d63d83800a8a..dd3f17e970dd 100644
> > --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> > +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> > @@ -265,6 +265,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms,
> >  
> >  	formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl,
> >  					       layer->layer_type, &n_formats);
> > +	if (!formats) {
> > +		err = -ENOMEM;
> > +		goto cleanup;
> > +	}
> 
> If this executes it will cause undefined behaviour...
> 
> The cleanup code calls komeda_plane_destroy() which calls
> drm_plane_cleanup() which does (amongst other things) a
> list_del(&plane->head). But the plane hasn't been put on a list yet as
> that's done in drm_universal_plane_init().
> 
> So in this case we simply want to do:
> 
> if (!formats) {
> 	kfree(kplane);
> 	return -ENOMEM;
> }

Zhou has already posted v2 that contains this fix.

> 
> Note that without this 'fix' a NULL return from
> komeda_get_layer_fourcc_list() would leave n_formats==0, so while the
> NULL pointer is passed into memcpy() it is also passed a length of 0.
> Which I believe is safe.
> 
> However while looking at this function...
> 
> >  
> >  	err = drm_universal_plane_init(&kms->base, plane,
> >  			get_possible_crtcs(kms, c->pipeline),
> > 
> 
> This call to drm_universal_plane_init() can fail early before
> plane->head has been initialised. In which case the following:
> 
> > 	komeda_put_fourcc_list(formats);
> > 
> > 	if (err)
> > 		goto cleanup;
> 
> commits the exact same sin and would cause a similar NULL dereference in
> drm_plane_cleanup().

I will come up with a patch for this case and post it to the list tomorrow.

Best regards,
Liviu



> 
> Steve

-- 
====================
| I would like to |
| fix the world,  |
| but they're not |
| giving me the   |
 \ source code!  /
  ---------------
    ¯\_(ツ)_/¯


* Re: [PATCH] drm/radeon/radeon_connectors: Fix a NULL pointer dereference in radeon_fp_native_mode()
  2021-11-30 14:48 19% [PATCH] drm/radeon/radeon_connectors: Fix a NULL pointer dereference in radeon_fp_native_mode() Zhou Qingyang
@ 2021-12-01 20:04  5% ` Alex Deucher
  2021-12-03 15:23 18%   ` [PATCH v2] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Alex Deucher @ 2021-12-01 20:04 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: David Airlie, Pan, Xinhui, Kangjie Lu, LKML, amd-gfx list,
	Maling list - DRI developers, Alex Deucher, Dave Airlie,
	Christian König

On Tue, Nov 30, 2021 at 9:49 AM Zhou Qingyang <zhou1615@umn.edu> wrote:
>
> In radeon_fp_native_mode(), the return value of drm_mode_duplicate() is
> assigned to mode and there is a dereference of it in
> radeon_fp_native_mode(), which could lead to a NULL pointer
> dereference on failure of drm_mode_duplicate().
>
> Fix this bug by adding a check of mode.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_RADEON=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: d2efdf6d6f42 ("drm/radeon/kms: add cvt mode if we only have lvds w/h and no edid (v4)")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/gpu/drm/radeon/radeon_connectors.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
> index 607ad5620bd9..49f187614f96 100644
> --- a/drivers/gpu/drm/radeon/radeon_connectors.c
> +++ b/drivers/gpu/drm/radeon/radeon_connectors.c
> @@ -473,6 +473,9 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode
>             native_mode->vdisplay != 0 &&
>             native_mode->clock != 0) {
>                 mode = drm_mode_duplicate(dev, native_mode);
> +               if (!mode)
> +                       return NULL;
> +

The else if clause needs a similar check.  Care to fix that up as well?

Alex

>                 mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
>                 drm_mode_set_name(mode);
>
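Review bot: the `return NULL` on drm_mode_duplicate() failure is only safe if every caller of radeon_fp_native_mode() already treats a NULL result as "no native mode"; the hunk does not show the function's other return paths, so that is worth confirming rather than assuming. As Alex notes, the `else if` branch that follows this hunk also allocates a mode and dereferences it unchecked, so it needs the same `if (!mode) return NULL;`, otherwise the function keeps one checked and one unchecked path, which is exactly the kind of inconsistency the commit message says the analyzer flags.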
> --
> 2.25.1
>


* Re: [PATCH] fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()
  2021-11-30 11:18 19% [PATCH] fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode() Zhou Qingyang
@ 2021-12-01 20:03  5% ` Alex Deucher
  2021-12-02 16:17 18%   ` [PATCH v2] drm/amdgpu: Fix " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Alex Deucher @ 2021-12-01 20:03 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: Jammy Zhou, David Airlie, Maling list - DRI developers, Pan,
	Xinhui, Kangjie Lu, LKML, hongao, amd-gfx list, Alex Deucher,
	Christian König

On Tue, Nov 30, 2021 at 6:24 AM Zhou Qingyang <zhou1615@umn.edu> wrote:
>
> In amdgpu_connector_lcd_native_mode(), the return value of
> drm_mode_duplicate() is assigned to mode, and there is a dereference
> of it in amdgpu_connector_lcd_native_mode(), which will lead to a NULL
> pointer dereference on failure of drm_mode_duplicate().
>
> Fix this bug by adding a check of mode.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_AMDGPU=m show no new warnings, and
> our static analyzer no longer warns about this code.
>
> Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
> index 0de66f59adb8..0170aa84c5e6 100644
> --- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
> +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
> @@ -387,6 +387,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
>             native_mode->vdisplay != 0 &&
>             native_mode->clock != 0) {
>                 mode = drm_mode_duplicate(dev, native_mode);
> +               if (!mode)
> +                       return NULL;
> +

The else if clause needs a similar check.  Care to fix that up as well?

Alex

>                 mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
>                 drm_mode_set_name(mode);
>
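Review bot: same structure as the radeon_fp_native_mode() patch in this thread: the `else if` branch Alex mentions allocates a mode as well and needs the same `if (!mode) return NULL;`, and the early return is only safe if callers of amdgpu_connector_lcd_native_mode() already handle a NULL result as "no native mode". Neither is visible in the hunk, so both should be checked in v2.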
> --
> 2.25.1
>


* Re: [PATCH] ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan()
  2021-11-30  8:43 18% [PATCH] ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan() Zhou Qingyang
@ 2021-12-01 17:22  0% ` Jeff Johnson
  2021-12-02 15:53 18%   ` [PATCH v2] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Jeff Johnson @ 2021-12-01 17:22 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Kalle Valo, David S. Miller, Jakub Kicinski,
	Manikanta Pubbisetty, Shashidhar Lakkavalli,
	Govindaraj Saminathan, Vasanthakumar Thiagarajan,
	Pradeep Kumar Chitrapu, ath11k, linux-wireless, netdev,
	linux-kernel

On 11/30/2021 12:43 AM, Zhou Qingyang wrote:
> In ath11k_mac_op_hw_scan(), the return value of kzalloc() is directly
> used in memcpy(), which may lead to a NULL pointer dereference on
> failure of kzalloc().
> 
> Fix this bug by adding a check of arg.extraie.ptr.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_ATH11K=m show no new warnings, and our static
> analyzer no longer warns about this code.
> 
> Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>   drivers/net/wireless/ath/ath11k/mac.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
> index 1cc55602787b..095f1f9b7611 100644
> --- a/drivers/net/wireless/ath/ath11k/mac.c
> +++ b/drivers/net/wireless/ath/ath11k/mac.c
> @@ -3237,8 +3237,13 @@ static int ath11k_mac_op_hw_scan(struct ieee80211_hw *hw,
>   	arg.scan_id = ATH11K_SCAN_ID;
>   
>   	if (req->ie_len) {
> -		arg.extraie.len = req->ie_len;
>   		arg.extraie.ptr = kzalloc(req->ie_len, GFP_KERNEL);

Your patch looks good, but since you are touching this code IMO this 
should be changed to kmemdup() and we should remove the memcpy() below.

> +		if (!arg.extraie.ptr) {
> +			ret = -ENOMEM;
> +			goto exit;
> +		}
> +
> +		arg.extraie.len = req->ie_len;
>   		memcpy(arg.extraie.ptr, req->ie, req->ie_len);
>   	}
>   
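Review bot: moving `arg.extraie.len = req->ie_len;` below the allocation check is the right order (len stays 0 whenever ptr is NULL, so no later consumer can see a non-zero length paired with a NULL buffer), but as Jeff says the allocate-then-copy pair should collapse into one call: `arg.extraie.ptr = kmemdup(req->ie, req->ie_len, GFP_KERNEL);` followed by the same `if (!arg.extraie.ptr) { ret = -ENOMEM; goto exit; }`, then `arg.extraie.len = req->ie_len;`, with the memcpy() removed. That also makes the length/pointer pairing obvious at a glance.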
> 



* Re: [PATCH v2] drm/gma500/cdv: Fix a wild pointer dereference in cdv_intel_dp_get_modes()
  2021-12-01 15:29 18%   ` [PATCH v2] " Zhou Qingyang
@ 2021-12-01 15:57  5%     ` Patrik Jakobsson
  0 siblings, 0 replies; 200+ results
From: Patrik Jakobsson @ 2021-12-01 15:57 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, David Airlie, Daniel Vetter, Dave Airlie, Alan Cox,
	Zhao Yakui, dri-devel, linux-kernel

On Wed, Dec 1, 2021 at 4:29 PM Zhou Qingyang <zhou1615@umn.edu> wrote:
>
> In cdv_intel_dp_get_modes(), the third return value of
> drm_mode_duplicate() is assigned to mode and used in
> drm_mode_probed_add(). drm_mode_probed_add() passes mode->head to
> list_add_tail(). list_add_tail() will further call __list_add() and
> there is a dereference of mode->head in __list_add(), which could lead
> to a wild pointer dereference on failure of drm_mode_duplicate().
>
> Fix this bug by adding a check of mode.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>

Is it really necessary to explain what the static analyzer does and
that it can be faulty in every single patch?
"This bug was found by a static analyzer" is enough for me.

> Builds with CONFIG_DRM_GMA500=m show no new warnings,
> and our static analyzer no longer warns about this code.

I assume all patches to be at least compile tested before being submitted,
so if you didn't actually run this code on hardware it's better to
replace the above with:
"Only compile tested".

-Patrik

>
> Fixes: d112a8163f83 ("gma500/cdv: Add eDP support")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> Changes in V2:
>   -  Instead of returning -ENOMEM, this patch returns 0
>   -  Use DRM_DEBUG_KMS to report the failure of drm_mode_duplicate()
>
>  drivers/gpu/drm/gma500/cdv_intel_dp.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c
> index ba6ad1466374..bf47db488b7b 100644
> --- a/drivers/gpu/drm/gma500/cdv_intel_dp.c
> +++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c
> @@ -1773,6 +1773,11 @@ static int cdv_intel_dp_get_modes(struct drm_connector *connector)
>                 if (intel_dp->panel_fixed_mode != NULL) {
>                         struct drm_display_mode *mode;
>                         mode = drm_mode_duplicate(dev, intel_dp->panel_fixed_mode);
> +                       if (!mode) {
> +                               DRM_DEBUG_KMS("Failure in drm_mode_duplicate()\n");
> +                               return 0;
> +                       }
> +
>                         drm_mode_probed_add(connector, mode);
>                         return 1;
>                 }
> --
> 2.25.1
>


* [PATCH] drm/nouveau/dispnv04: Fix a NULL pointer dereference in nv17_tv_get_ld_modes()
@ 2021-12-01 15:45 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-12-01 15:45 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Ben Skeggs, David Airlie, Daniel Vetter, Francisco Jerez,
	dri-devel, nouveau, linux-kernel

In nv17_tv_get_ld_modes(), drm_mode_duplicate() is assigned to mode
and there is a dereference of it in nv17_tv_get_ld_modes(), which could
lead to a NULL pointer dereference on failure of
drm_mode_duplicate().

Fix this bug by adding a check of mode.

As the return value of .get_modes() cannot be negative, this patch
does not directly return an error code, but uses NV_INFO to report it
and returns n.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_NOUVEAU=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: f24342375927 ("drm/nouveau: Break some long lines in the TV-out code.")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
index 6fe103fd60e9..598180a403ab 100644
--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
+++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
@@ -208,6 +208,11 @@ static int nv17_tv_get_ld_modes(struct drm_encoder *encoder,
 		struct drm_display_mode *mode;

 		mode = drm_mode_duplicate(encoder->dev, tv_mode);
+		if (!mode) {
+			NV_INFO(nouveau_drm(encoder->dev),
+				"failure in drm_mode_duplicate\n");
+			return n;
+		}

 		mode->clock = tv_norm->tv_enc_mode.vrefresh *
 			mode->htotal / 1000 *
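Review bot: returning n keeps the modes already added by earlier iterations, which matches the .get_modes() contract the commit message cites, so the caller simply sees a shorter mode list instead of an error it cannot act on. NV_INFO is an odd level for an allocation failure, though: either log it as an error or drop the message entirely, since the truncated list is the visible symptom either way. Any other mode allocation in this function needs the same guard so the checked and unchecked paths do not diverge again.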
-- 
2.25.1



* Re: [PATCH] drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
  2021-11-30 14:25 19% [PATCH] " Zhou Qingyang
@ 2021-12-01 15:44  0% ` Steven Price
  2021-12-01 21:15  0%   ` Liviu Dudau
  0 siblings, 1 reply; 200+ results
From: Steven Price @ 2021-12-01 15:44 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: David Airlie, kjlu, Liviu Dudau, linux-kernel, dri-devel,
	James (Qian) Wang, Mihail Atanassov

On 30/11/2021 14:25, Zhou Qingyang wrote:
> In komeda_plane_add(), komeda_get_layer_fourcc_list() is assigned to
> formats and used in drm_universal_plane_init().
> drm_universal_plane_init() passes formats to
> __drm_universal_plane_init(). __drm_universal_plane_init() further
> passes formats to memcpy() as src parameter, which could lead to an
> undefined behavior bug on failure of komeda_get_layer_fourcc_list().
> 
> Fix this bug by adding a check of formats.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_DRM_KOMEDA=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 61f1c4a8ab75 ("drm/komeda: Attach komeda_dev to DRM-KMS")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> index d63d83800a8a..dd3f17e970dd 100644
> --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> @@ -265,6 +265,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms,
>  
>  	formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl,
>  					       layer->layer_type, &n_formats);
> +	if (!formats) {
> +		err = -ENOMEM;
> +		goto cleanup;
> +	}
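Review bot: the `goto cleanup` on the `!formats` path runs the full destroy sequence on a plane that has not been initialised yet: drm_universal_plane_init() is what links plane->head into the device's plane list, and it has not been called at this point, so the list_del() in drm_plane_cleanup() walks NULL pointers (Steven's comment below spells this out). Freeing the allocation directly, `kfree(kplane); return -ENOMEM;`, is the safe shape. Separately, mapping every NULL return of komeda_get_layer_fourcc_list() to -ENOMEM is only accurate if allocation failure is its sole NULL case; if it can also mean "no formats for this layer type", the error code will mislead callers.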

If this executes it will cause undefined behaviour...

The cleanup code calls komeda_plane_destroy() which calls
drm_plane_cleanup() which does (amongst other things) a
list_del(&plane->head). But the plane hasn't been put on a list yet as
that's done in drm_universal_plane_init().

So in this case we simply want to do:

if (!formats) {
	kfree(kplane);
	return -ENOMEM;
}

Note that without this 'fix' a NULL return from
komeda_get_layer_fourcc_list() would leave n_formats==0, so while the
NULL pointer is passed into memcpy() it is also passed a length of 0.
Which I believe is safe.

However while looking at this function...

>  
>  	err = drm_universal_plane_init(&kms->base, plane,
>  			get_possible_crtcs(kms, c->pipeline),
> 

This call to drm_universal_plane_init() can fail early before
plane->head has been initialised. In which case the following:

> 	komeda_put_fourcc_list(formats);
> 
> 	if (err)
> 		goto cleanup;

commits the exact same sin and would cause a similar NULL dereference in
drm_plane_cleanup().

Steve
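The failure Steven describes, modelled as an added example in plain C (this is not komeda or DRM code): a Linux-style intrusive list in which list_del() on an entry that was never added dereferences NULL, beside the teardown order that avoids it. All names (plane, device, plane_init, get_formats, plane_add) are hypothetical stand-ins for the komeda and DRM functions in the patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Minimal intrusive list with the same shape as <linux/list.h>. */
struct list_head { struct list_head *next, *prev; };

static void init_list_head(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

/* Follows e->prev and e->next unconditionally: on a kzalloc()'d entry that
 * was never added both are NULL, which is the crash Steven describes. */
static void list_del(struct list_head *e)
{
	e->prev->next = e->next;
	e->next->prev = e->prev;
	e->next = e->prev = NULL;
}

/* Hypothetical stand-ins for komeda_plane and the DRM device. */
struct plane {
	struct list_head head;   /* linked into device.planes by plane_init() only */
	unsigned int formats[8];
	unsigned int n_formats;
};
struct device { struct list_head planes; unsigned int num_planes; };
void device_init(struct device *dev) { init_list_head(&dev->planes); dev->num_planes = 0; }

/* Stand-in for komeda_get_layer_fourcc_list(): NULL and *n == 0 on failure.
 * The fourcc values are constructed sample data. */
static const unsigned int *get_formats(bool fail, unsigned int *n)
{
	static const unsigned int fourccs[] = { 0x34325241, 0x34325258 };
	*n = fail ? 0 : 2;
	return fail ? NULL : fourccs;
}

/* Stand-in for drm_universal_plane_init(): the only place the plane joins the
 * list. C leaves memcpy() with a NULL source undefined even for length 0, so
 * the copy is guarded explicitly rather than relying on n == 0. */
static int plane_init(struct device *dev, struct plane *p,
		      const unsigned int *formats, unsigned int n)
{
	if (!formats || n == 0 || n > 8)
		return -EINVAL;
	memcpy(p->formats, formats, n * sizeof(*formats));
	p->n_formats = n;
	list_add_tail(&p->head, &dev->planes);
	dev->num_planes++;
	return 0;
}

/* Stand-in for komeda_plane_destroy() -> drm_plane_cleanup(): valid only after plane_init(). */
void plane_cleanup(struct device *dev, struct plane *p)
{
	list_del(&p->head);
	dev->num_planes--;
}

/* True when plane_cleanup() on p would dereference NULL: allocated (zeroed) but never initialised. */
bool cleanup_would_deref_null(const struct plane *p)
{
	return p->head.prev == NULL || p->head.next == NULL;
}

/* The shape Steven suggests: before plane_init() has run the only thing to undo is
 * the allocation, so free it and return instead of jumping to the full cleanup path. */
int plane_add(struct device *dev, bool formats_fail, struct plane **out)
{
	struct plane *p = calloc(1, sizeof(*p));   /* kzalloc() */
	const unsigned int *formats;
	unsigned int n;
	int err;

	if (!p)
		return -ENOMEM;
	formats = get_formats(formats_fail, &n);
	if (!formats) {
		free(p);        /* not plane_cleanup(): head is still zeroed */
		return -ENOMEM;
	}
	err = plane_init(dev, p, formats, n);
	if (err) {
		free(p);        /* list_add_tail() never ran either */
		return err;
	}
	*out = p;
	return 0;
}
```

The same reasoning applies to the second path Steven points out: a failure inside plane_init() before list_add_tail() has run must also free rather than clean up.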


* [PATCH v2] drm/gma500/cdv: Fix a wild pointer dereference in cdv_intel_dp_get_modes()
  2021-11-30 16:22  0% ` Ville Syrjälä
@ 2021-12-01 15:29 18%   ` Zhou Qingyang
  2021-12-01 15:57  5%     ` Patrik Jakobsson
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-12-01 15:29 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Patrik Jakobsson, David Airlie, Daniel Vetter, Dave Airlie,
	Alan Cox, Zhao Yakui, dri-devel, linux-kernel

In cdv_intel_dp_get_modes(), the third return value of
drm_mode_duplicate() is assigned to mode and used in
drm_mode_probed_add(). drm_mode_probed_add() passes mode->head to
list_add_tail(). list_add_tail() will further call __list_add() and
there is a dereference of mode->head in __list_add(), which could lead
to a wild pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_GMA500=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: d112a8163f83 ("gma500/cdv: Add eDP support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in V2:
  -  Instead of returning -ENOMEM, this patch returns 0
  -  Use DRM_DEBUG_KMS to report the failure of drm_mode_duplicate()

 drivers/gpu/drm/gma500/cdv_intel_dp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c
index ba6ad1466374..bf47db488b7b 100644
--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c
+++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c
@@ -1773,6 +1773,11 @@ static int cdv_intel_dp_get_modes(struct drm_connector *connector)
 		if (intel_dp->panel_fixed_mode != NULL) {
 			struct drm_display_mode *mode;
 			mode = drm_mode_duplicate(dev, intel_dp->panel_fixed_mode);
+			if (!mode) {
+				DRM_DEBUG_KMS("Failure in drm_mode_duplicate()\n");
+				return 0;
+			}
+
 			drm_mode_probed_add(connector, mode);
 			return 1;
 		}
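Review bot: returning 0 from .get_modes() on allocation failure is consistent with the callback's "number of modes added" contract (the v2 changelog and the nouveau patch in this thread make the same choice), so the caller sees a connector with no modes rather than an -ENOMEM it cannot interpret. The DRM_DEBUG_KMS text could identify which connector's fixed panel mode failed to duplicate, for example by including the connector name; as written the message is hard to attribute on a multi-head system.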
-- 
2.25.1



* Re: [PATCH v5] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
  2021-12-01 15:13 17% ` [PATCH v5] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms() Zhou Qingyang
@ 2021-12-01 15:15  0%   ` Christian König
  2021-12-02 17:13  0%     ` Alex Deucher
  0 siblings, 1 reply; 200+ results
From: Christian König @ 2021-12-01 15:15 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Alex Deucher, Pan, Xinhui, David Airlie, Daniel Vetter,
	amd-gfx, dri-devel, linux-kernel

Am 01.12.21 um 16:13 schrieb Zhou Qingyang:
> In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
> vm->ib_bo_va and used in radeon_vm_bo_set_addr(). In
> radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
> which could lead to a NULL pointer dereference on failure of
> radeon_vm_bo_add().
>
> Fix this bug by adding a check of vm->ib_bo_va.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_RADEON=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> Changes in v5:
>    -  Use conditions to avoid unnecessary initialization
>
> Changes in v4:
>    -  Initialize the variables to silence warning
>
> Changes in v3:
>    -  Fix the bug that the good case would also be freed
>    -  Improve code style
>
> Changes in v2:
>    -  Improve the error handling into goto style
>
>   drivers/gpu/drm/radeon/radeon_kms.c | 36 ++++++++++++++++-------------
>   1 file changed, 20 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
> index 482fb0ae6cb5..66aee48fd09d 100644
> --- a/drivers/gpu/drm/radeon/radeon_kms.c
> +++ b/drivers/gpu/drm/radeon/radeon_kms.c
> @@ -648,6 +648,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
>   int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   {
>   	struct radeon_device *rdev = dev->dev_private;
> +	struct radeon_fpriv *fpriv;
> +	struct radeon_vm *vm;
>   	int r;
>   
>   	file_priv->driver_priv = NULL;
> @@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   
>   	/* new gpu have virtual address space support */
>   	if (rdev->family >= CHIP_CAYMAN) {
> -		struct radeon_fpriv *fpriv;
> -		struct radeon_vm *vm;
>   
>   		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
>   		if (unlikely(!fpriv)) {
> @@ -672,35 +672,39 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   		if (rdev->accel_working) {
>   			vm = &fpriv->vm;
>   			r = radeon_vm_init(rdev, vm);
> -			if (r) {
> -				kfree(fpriv);
> -				goto out_suspend;
> -			}
> +			if (r)
> +				goto out_fpriv;
>   
>   			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
> -			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> -			}
> +			if (r)
> +				goto out_vm_fini;
>   
>   			/* map the ib pool buffer read only into
>   			 * virtual address space */
>   			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
>   							rdev->ring_tmp_bo.bo);
> +			if (!vm->ib_bo_va) {
> +				r = -ENOMEM;
> +				goto out_vm_fini;
> +			}
> +
>   			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
>   						  RADEON_VA_IB_OFFSET,
>   						  RADEON_VM_PAGE_READABLE |
>   						  RADEON_VM_PAGE_SNOOPED);
> -			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> -			}
> +			if (r)
> +				goto out_vm_fini;
>   		}
>   		file_priv->driver_priv = fpriv;
>   	}
>   
> +	if (!r)

I think that test is unnecessary now, maybe double check.

Either way, patch Reviewed-by: Christian König <christian.koenig@amd.com>. Alex will probably pick it up now.

Thanks for the help,
Christian.

> +		goto out_suspend;
> +
> +out_vm_fini:
> +	radeon_vm_fini(rdev, vm);
> +out_fpriv:
> +	kfree(fpriv);
>   out_suspend:
>   	pm_runtime_mark_last_busy(dev->dev);
>   	pm_runtime_put_autosuspend(dev->dev);



* [PATCH v5] drm/radeon/radeon_kms: Fix a NULL pointer dereference in  radeon_driver_open_kms()
       [not found]     <e2685075-fbc5-6f36-907f-76b6f76a59ce@amd.com>
@ 2021-12-01 15:13 17% ` Zhou Qingyang
  2021-12-01 15:15  0%   ` Christian König
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-12-01 15:13 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Alex Deucher, Christian König, Pan, Xinhui,
	David Airlie, Daniel Vetter, amd-gfx, dri-devel, linux-kernel

In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
vm->ib_bo_va and used in radeon_vm_bo_set_addr(). In
radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
which could lead to a NULL pointer dereference on failure of
radeon_vm_bo_add().

Fix this bug by adding a check of vm->ib_bo_va.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_RADEON=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v5:
  -  Use conditions to avoid unnecessary initialization

Changes in v4:
  -  Initialize the variables to silence warning

Changes in v3:
  -  Fix the bug that the good case would also be freed
  -  Improve code style

Changes in v2:
  -  Improve the error handling into goto style

 drivers/gpu/drm/radeon/radeon_kms.c | 36 ++++++++++++++++-------------
 1 file changed, 20 insertions(+), 16 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
index 482fb0ae6cb5..66aee48fd09d 100644
--- a/drivers/gpu/drm/radeon/radeon_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_kms.c
@@ -648,6 +648,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
 int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 {
 	struct radeon_device *rdev = dev->dev_private;
+	struct radeon_fpriv *fpriv;
+	struct radeon_vm *vm;
 	int r;
 
 	file_priv->driver_priv = NULL;
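Review bot: hoisting `fpriv` and `vm` to function scope is what lets the new cleanup labels at the end of the function reach them, but both are only assigned inside the `rdev->family >= CHIP_CAYMAN` / `rdev->accel_working` block, so the labels are valid only when entered from there. A one-line comment on out_vm_fini/out_fpriv saying so would stop a future `goto` from elsewhere in the function using them uninitialised.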
@@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 
 	/* new gpu have virtual address space support */
 	if (rdev->family >= CHIP_CAYMAN) {
-		struct radeon_fpriv *fpriv;
-		struct radeon_vm *vm;
 
 		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
 		if (unlikely(!fpriv)) {
@@ -672,35 +672,39 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 		if (rdev->accel_working) {
 			vm = &fpriv->vm;
 			r = radeon_vm_init(rdev, vm);
-			if (r) {
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_fpriv;
 
 			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
-			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_vm_fini;
 
 			/* map the ib pool buffer read only into
 			 * virtual address space */
 			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
 							rdev->ring_tmp_bo.bo);
+			if (!vm->ib_bo_va) {
+				r = -ENOMEM;
+				goto out_vm_fini;
+			}
+
 			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
 						  RADEON_VA_IB_OFFSET,
 						  RADEON_VM_PAGE_READABLE |
 						  RADEON_VM_PAGE_SNOOPED);
-			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_vm_fini;
 		}
 		file_priv->driver_priv = fpriv;
 	}
 
+	if (!r)
+		goto out_suspend;
+
+out_vm_fini:
+	radeon_vm_fini(rdev, vm);
+out_fpriv:
+	kfree(fpriv);
 out_suspend:
 	pm_runtime_mark_last_busy(dev->dev);
 	pm_runtime_put_autosuspend(dev->dev);
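Review bot: the `if (!r) goto out_suspend;` guard makes correctness depend on r being exactly 0 whenever control falls out of the block, which the lines in this diff do not establish: `r` is declared in the first hunk and its earlier assignments lie outside the shown context. If any code above can leave r non-zero without jumping (a positive return value from an earlier call, say) while the CHIP_CAYMAN block is skipped, execution falls straight into `radeon_vm_fini(rdev, vm)` and `kfree(fpriv)` with both variables uninitialised. Every failure inside the block already jumps to a label directly, so an unconditional `goto out_suspend;` (Christian's point) is both simpler and safe.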
-- 
2.25.1



* Re: [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
  2021-12-01  7:39  0%   ` Pawel Laszczak
@ 2021-12-01 14:16  0%     ` Peter Chen
  0 siblings, 0 replies; 200+ results
From: Peter Chen @ 2021-12-01 14:16 UTC (permalink / raw)
  To: Pawel Laszczak
  Cc: Zhou Qingyang, kjlu, Greg Kroah-Hartman, linux-usb, linux-kernel

On 21-12-01 07:39:05, Pawel Laszczak wrote:
> Only fixed Peter Chen's email address:
> peter.chen@nxp.com doesn't exist; it should be peter.chen@kernel.org
> 
> >-----Original Message-----
> >From: Pawel Laszczak
> >Sent: Wednesday, December 1, 2021 8:28 AM
> >To: Zhou Qingyang <zhou1615@umn.edu>
> >Cc: kjlu@umn.edu; Greg Kroah-Hartman <gregkh@linuxfoundation.org>; Peter Chen <peter.chen@nxp.com>; linux-
> >usb@vger.kernel.org; linux-kernel@vger.kernel.org
> >Subject: RE: [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
> >
> >>
> >>In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
> >>and there is a dereference of it in cdnsp_endpoint_init(), which could
> >>lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().
> >>
> >>Fix this bug by adding a check of pep->ring.
> >>
> >>This bug was found by a static analyzer. The analysis employs
> >>differential checking to identify inconsistent security operations
> >>(e.g., checks or kfrees) between two code paths and confirms that the
> >>inconsistent operations are not recovered in the current function or
> >>the callers, so they constitute bugs.
> >>
> >>Note that, as a bug found by static analysis, it can be a false
> >>positive or hard to trigger. Multiple researchers have cross-reviewed
> >>the bug.
> >>
> >>Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
> >>and our static analyzer no longer warns about this code.
> >>
> >>Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
> >>Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> >>---
> >> drivers/usb/cdns3/cdnsp-mem.c | 3 +++
> >> 1 file changed, 3 insertions(+)
> >>
> >>diff --git a/drivers/usb/cdns3/cdnsp-mem.c b/drivers/usb/cdns3/cdnsp-mem.c
> >>index ad9aee3f1e39..97866bfb2da9 100644
> >>--- a/drivers/usb/cdns3/cdnsp-mem.c
> >>+++ b/drivers/usb/cdns3/cdnsp-mem.c
> >>@@ -987,6 +987,9 @@ int cdnsp_endpoint_init(struct cdnsp_device *pdev,
> >>
> >> 	/* Set up the endpoint ring. */
> >> 	pep->ring = cdnsp_ring_alloc(pdev, 2, ring_type, max_packet, mem_flags);
> >>+	if (!pep->ring)
> >>+		return -ENOMEM;
> >>+
> >> 	pep->skip = false;
> >>
> >> 	/* Fill the endpoint context */
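Review bot: a bare `return -ENOMEM` out of cdnsp_endpoint_init() is correct only if nothing allocated earlier in the function needs unwinding and the caller does not treat pep as initialised after a non-zero return; the hunk shows neither, so both are worth checking before this is merged. The placement itself is right: the check sits immediately after the allocation, so pep->ring is never dereferenced while NULL.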
> >>--
> >>2.25.1
> >
> >
> >Acked-by: Pawel Laszczak <pawell@cadence.com>

Acked-by: Peter Chen <peter.chen@kernel.org>

> >
> >--
> >
> >Thanks,
> >Pawel Laszczak

-- 

Thanks,
Peter Chen



* [PATCH 0/4] firmware: qemu_fw_cfg: misc bug fixes
@ 2021-12-01 13:25  7% Johan Hovold
  2021-12-01 13:25  6% ` [PATCH 1/4] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries Johan Hovold
  0 siblings, 1 reply; 200+ results
From: Johan Hovold @ 2021-12-01 13:25 UTC (permalink / raw)
  To: Gabriel Somlo, Michael S. Tsirkin
  Cc: Greg Kroah-Hartman, Kees Cook, qemu-devel, linux-kernel, Johan Hovold

When searching for the latest umn.edu patches I stumbled upon a recently
submitted fix for a bug purportedly introduced by umn.edu:

	https://lore.kernel.org/r/YaZc4LbX5hrJDnec@hovoldconsulting.com

The patch in question is obviously bogus, but a closer look at the
function in question revealed a number of other bugs, including one that
was indeed introduced by umn.edu but that was missed during the
(re-)review.

Included is also a related clean up.

Johan


Johan Hovold (4):
  firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
  firmware: qemu_fw_cfg: fix kobject leak in probe error path
  firmware: qemu_fw_cfg: fix sysfs information leak
  firmware: qemu_fw_cfg: remove sysfs entries explicitly

 drivers/firmware/qemu_fw_cfg.c | 21 +++++++++------------
 1 file changed, 9 insertions(+), 12 deletions(-)

-- 
2.32.0



* [PATCH 1/4] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries
  2021-12-01 13:25  7% [PATCH 0/4] firmware: qemu_fw_cfg: misc bug fixes Johan Hovold
@ 2021-12-01 13:25  6% ` Johan Hovold
From: Johan Hovold @ 2021-12-01 13:25 UTC (permalink / raw)
  To: Gabriel Somlo, Michael S. Tsirkin
  Cc: Greg Kroah-Hartman, Kees Cook, qemu-devel, linux-kernel,
	Johan Hovold, stable, Qiushi Wu

Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"
a kobject leak in the file registration helper by properly calling
kobject_put() for the entry in case registration of the object fails
(e.g. due to a name collision).

This would however result in a NULL pointer dereference when the
release function tries to remove the never added entry from the
fw_cfg_entry_cache list.

Fix this by moving the list-removal out of the release function.

Note that the offending commit was one of the benign-looking umn.edu
fixes that was reviewed but not reverted. [1][2]

[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook
[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com

Fixes: fe3c60684377 ("firmware: Fix a reference count leak.")
Cc: stable@vger.kernel.org      # 5.8
Cc: Qiushi Wu <wu000273@umn.edu>
Cc: Kees Cook <keescook@chromium.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
---
 drivers/firmware/qemu_fw_cfg.c | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c
index 172c751a4f6c..a9c64ebfc49a 100644
--- a/drivers/firmware/qemu_fw_cfg.c
+++ b/drivers/firmware/qemu_fw_cfg.c
@@ -388,9 +388,7 @@ static void fw_cfg_sysfs_cache_cleanup(void)
 	struct fw_cfg_sysfs_entry *entry, *next;
 
 	list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) {
-		/* will end up invoking fw_cfg_sysfs_cache_delist()
-		 * via each object's release() method (i.e. destructor)
-		 */
+		fw_cfg_sysfs_cache_delist(entry);
 		kobject_put(&entry->kobj);
 	}
 }
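Review bot: the explicit fw_cfg_sysfs_cache_delist(entry) before kobject_put() puts list removal with the owner of the list, and the list_for_each_entry_safe() already in use tolerates that removal mid-walk; however, the deleted comment was the only statement of who unlinks entries from fw_cfg_entry_cache, so a one-line replacement such as `/* release() no longer delists; do it here */` would keep that knowledge next to the code.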
@@ -448,7 +446,6 @@ static void fw_cfg_sysfs_release_entry(struct kobject *kobj)
 {
 	struct fw_cfg_sysfs_entry *entry = to_entry(kobj);
 
-	fw_cfg_sysfs_cache_delist(entry);
 	kfree(entry);
 }
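Review bot: with fw_cfg_sysfs_cache_delist() gone from fw_cfg_sysfs_release_entry(), every entry that did get added to fw_cfg_entry_cache must now be delisted before its final kobject_put(), otherwise the cache keeps a pointer to freed memory. The cleanup loop in the first hunk does that, and the never-added entry from the failing registration described in the commit message needs no delist at all; any other kobject_put() on a cached entry outside this diff should be checked for the same ordering.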
 
-- 
2.32.0
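Added example, not from Johan's patch or the kernel: a user-space model of the entry lifecycle described in the commit message above, showing why a list removal inside release() walks NULL pointers for an entry that was never added, and why delisting from the owner avoids it. The names (fw_entry, register_entry, run_scenario) and the plain refcount standing in for the kobject's kref are assumptions of the model; the list helpers mirror <linux/list.h> except that the delete reports a NULL neighbour instead of faulting.

```c
/* Added example (not from the patch or the kernel): a user-space model of the
 * fw_cfg entry lifecycle the commit message describes. A failed registration
 * (e.g. a name collision) drops the only reference to an entry that was never
 * added to the cache; if release() does the list removal, it walks the zeroed
 * list pointers. The fixed layout delists from the owner instead. */
#include <stdbool.h>
#include <stdlib.h>

struct list_head { struct list_head *next, *prev; };

static void init_list(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
	n->prev = head->prev;
	n->next = head;
	head->prev->next = n;
	head->prev = n;
}

/* The real __list_del() writes next->prev and prev->next unconditionally; on a
 * zeroed, never-added node both are NULL and the kernel oopses. The model
 * reports that case instead of crashing so the scenario can run to the end. */
static bool list_del_or_report(struct list_head *n)
{
	if (!n->next || !n->prev)
		return false;		/* the NULL dereference would be here */
	n->prev->next = n->next;
	n->next->prev = n->prev;
	n->next = n->prev = NULL;
	return true;
}

struct fw_entry {
	struct list_head list;	/* first member, so a list node casts back */
	int refcount;		/* stands in for the kobject's kref */
};

static struct list_head entry_cache;	/* models fw_cfg_entry_cache */
static bool fixed_layout;		/* false: delist in release(); true: owner */
static bool fault_seen;			/* the model "oopsed" inside release() */
static int freed;

/* Models fw_cfg_sysfs_release_entry(): before the fix it delisted, after it frees. */
static void release_entry(struct fw_entry *e)
{
	if (!fixed_layout && !list_del_or_report(&e->list))
		fault_seen = true;
	free(e);
	freed++;
}

static void entry_put(struct fw_entry *e)
{
	if (--e->refcount == 0)
		release_entry(e);
}

/* Models the registration helper: zero-allocate, try to register, and on
 * failure drop the reference (what commit fe3c60684377 added). Returns 0 or -1. */
static int register_entry(bool name_collides)
{
	struct fw_entry *e = calloc(1, sizeof(*e));	/* kzalloc: list is NULL */

	if (!e)
		return -1;
	e->refcount = 1;
	if (name_collides) {
		entry_put(e);		/* never made it into the cache */
		return -1;
	}
	list_add_tail(&e->list, &entry_cache);
	return 0;
}

/* Two good entries plus one collision, then the cache cleanup loop. Returns
 * true when the model would have oopsed, false when it ran clean. */
static bool run_scenario(bool fixed)
{
	struct list_head *pos, *next;

	fixed_layout = fixed;
	fault_seen = false;
	freed = 0;
	init_list(&entry_cache);

	register_entry(false);
	register_entry(false);
	register_entry(true);			/* the failing registration */

	/* list_for_each_entry_safe(): save next before the entry can vanish. */
	for (pos = entry_cache.next; pos != &entry_cache; pos = next) {
		struct fw_entry *e = (struct fw_entry *)pos;
		next = pos->next;
		if (fixed)
			list_del_or_report(&e->list);	/* owner delists: the fix */
		entry_put(e);
	}
	return fault_seen;
}

static int entries_freed(void) { return freed; }	/* result of the last run */
static bool cache_empty(void) { return entry_cache.next == &entry_cache; }
```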



* Re: [PATCH v2] drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
  2021-12-01  3:37 18%   ` [PATCH v2] " Zhou Qingyang
@ 2021-12-01 13:28  0%     ` Liviu Dudau
From: Liviu Dudau @ 2021-12-01 13:28 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, James (Qian) Wang, Mihail Atanassov, Brian Starkey,
	David Airlie, Daniel Vetter, dri-devel, linux-kernel

On Wed, Dec 01, 2021 at 11:37:03AM +0800, Zhou Qingyang wrote:
> In komeda_plane_add(), komeda_get_layer_fourcc_list() is assigned to
> formats and used in drm_universal_plane_init().
> drm_universal_plane_init() passes formats to
> __drm_universal_plane_init(). __drm_universal_plane_init() further
> passes formats to memcpy() as src parameter, which could lead to an
> undefined behavior bug on failure of komeda_get_layer_fourcc_list().
> 
> Fix this bug by adding a check of formats.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_DRM_KOMEDA=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 61f1c4a8ab75 ("drm/komeda: Attach komeda_dev to DRM-KMS")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>

Thanks for the fix!

Reviewed-by: Liviu Dudau <liviu.dudau@arm.com>

Best regards,
Liviu

> ---
> Changes in v2
>   -  Use kfree and return instead of using 'goto'
> 
>  drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> index d63d83800a8a..aa193c58f4bf 100644
> --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> @@ -265,6 +265,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms,
>  
>  	formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl,
>  					       layer->layer_type, &n_formats);
> +	if (!formats) {
> +		kfree(kplane);
> +		return -ENOMEM;
> +	}
>  
>  	err = drm_universal_plane_init(&kms->base, plane,
>  			get_possible_crtcs(kms, c->pipeline),
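Review bot: `return -ENOMEM` assumes a NULL from komeda_get_layer_fourcc_list() can only mean allocation failure; if the helper also returns NULL for a layer whose format table yields nothing, the caller would report the wrong error, so its contract should be confirmed or the error taken from it. The `kfree(kplane)` is likewise only right if kplane was merely allocated and not yet registered with DRM at this point, which the hunk context does not show.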
> -- 
> 2.25.1
> 

-- 
====================
| I would like to |
| fix the world,  |
| but they're not |
| giving me the   |
 \ source code!  /
  ---------------
    ¯\_(ツ)_/¯


* Re: [PATCH] clk: mediatek: mt6779: Fix a NULL pointer dereference in clk_mt6779_top_probe()
  2021-11-30 17:36 18% [PATCH] clk: mediatek: mt6779: Fix a NULL pointer dereference in clk_mt6779_top_probe() Zhou Qingyang
@ 2021-12-01  9:33  0% ` miles.chen
From: miles.chen @ 2021-12-01  9:33 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, linux-arm-kernel, linux-clk, linux-kernel, linux-mediatek,
	matthias.bgg, miles.chen, mturquette, sboyd, wendell.lin

Hi Qingyang,

> Fix this bug by adding a check of clk_data.
> 
> Another way to fix this bug is to add a check of clk_data in
> mtk_clk_register_muxes(), which may solve many similar bugs but could
> cause potential problems to previously correct cases as the API is changed.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_COMMON_CLK_MT6779=y show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 710774e04861 ("clk: mediatek: Add MT6779 clock support")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
>

thanks,
Reviewed-by: Miles Chen <miles.chen@mediatek.com>


* Re: [PATCH] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
  2021-11-30 16:44 18% [PATCH] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Zhou Qingyang
@ 2021-12-01  9:27  0% ` Leon Romanovsky
From: Leon Romanovsky @ 2021-12-01  9:27 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Tariq Toukan, David S. Miller, Jakub Kicinski,
	Eugenia Emantayev, netdev, linux-rdma, linux-kernel

On Wed, Dec 01, 2021 at 12:44:38AM +0800, Zhou Qingyang wrote:
> In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
> tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
> After that mlx4_en_alloc_resources() is called and there is a dereference
> of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
> a use after free problem on failure of mlx4_en_copy_priv().
> 
> Fix this bug by adding a check of mlx4_en_copy_priv().
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_MLX4_EN=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 

Thanks,
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>


* RE: [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
  2021-12-01  7:28  0% ` Pawel Laszczak
@ 2021-12-01  7:39  0%   ` Pawel Laszczak
  2021-12-01 14:16  0%     ` Peter Chen
From: Pawel Laszczak @ 2021-12-01  7:39 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Greg Kroah-Hartman, peter.chen, linux-usb, linux-kernel

Only fixed Peter Chen's email address:
peter.chen@nxp.com doesn't exist; it should be peter.chen@kernel.org

>-----Original Message-----
>From: Pawel Laszczak
>Sent: Wednesday, December 1, 2021 8:28 AM
>To: Zhou Qingyang <zhou1615@umn.edu>
>Cc: kjlu@umn.edu; Greg Kroah-Hartman <gregkh@linuxfoundation.org>; Peter Chen <peter.chen@nxp.com>; linux-
>usb@vger.kernel.org; linux-kernel@vger.kernel.org
>Subject: RE: [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
>
>>
>>In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
>>and there is a dereference of it in cdnsp_endpoint_init(), which could
>>lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().
>>
>>Fix this bug by adding a check of pep->ring.
>>
>>This bug was found by a static analyzer. The analysis employs
>>differential checking to identify inconsistent security operations
>>(e.g., checks or kfrees) between two code paths and confirms that the
>>inconsistent operations are not recovered in the current function or
>>the callers, so they constitute bugs.
>>
>>Note that, as a bug found by static analysis, it can be a false
>>positive or hard to trigger. Multiple researchers have cross-reviewed
>>the bug.
>>
>>Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
>>and our static analyzer no longer warns about this code.
>>
>>Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
>>Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
>>---
>> drivers/usb/cdns3/cdnsp-mem.c | 3 +++
>> 1 file changed, 3 insertions(+)
>>
>>diff --git a/drivers/usb/cdns3/cdnsp-mem.c b/drivers/usb/cdns3/cdnsp-mem.c
>>index ad9aee3f1e39..97866bfb2da9 100644
>>--- a/drivers/usb/cdns3/cdnsp-mem.c
>>+++ b/drivers/usb/cdns3/cdnsp-mem.c
>>@@ -987,6 +987,9 @@ int cdnsp_endpoint_init(struct cdnsp_device *pdev,
>>
>> 	/* Set up the endpoint ring. */
>> 	pep->ring = cdnsp_ring_alloc(pdev, 2, ring_type, max_packet, mem_flags);
>>+	if (!pep->ring)
>>+		return -ENOMEM;
>>+
>> 	pep->skip = false;
>>
>> 	/* Fill the endpoint context */
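Review bot: `if (!pep->ring)` takes cdnsp_ring_alloc() to signal failure with NULL; should the allocator ever return an ERR_PTR, that test would pass the error pointer straight into the dereference this patch guards against, so the allocator's contract is worth confirming (and IS_ERR_OR_NULL() considered if both outcomes are possible).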
>>--
>>2.25.1
>
>
>Acked-by: Pawel Laszczak <pawell@cadence.com>
>
>--
>
>Thanks,
>Pawel Laszczak


* RE: [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
  2021-11-30 17:27 19% [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init() Zhou Qingyang
@ 2021-12-01  7:28  0% ` Pawel Laszczak
  2021-12-01  7:39  0%   ` Pawel Laszczak
From: Pawel Laszczak @ 2021-12-01  7:28 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Greg Kroah-Hartman, Peter Chen, linux-usb, linux-kernel

>
>In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
>and there is a dereference of it in cdnsp_endpoint_init(), which could
>lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().
>
>Fix this bug by adding a check of pep->ring.
>
>This bug was found by a static analyzer. The analysis employs
>differential checking to identify inconsistent security operations
>(e.g., checks or kfrees) between two code paths and confirms that the
>inconsistent operations are not recovered in the current function or
>the callers, so they constitute bugs.
>
>Note that, as a bug found by static analysis, it can be a false
>positive or hard to trigger. Multiple researchers have cross-reviewed
>the bug.
>
>Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
>and our static analyzer no longer warns about this code.
>
>Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
>Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
>---
> drivers/usb/cdns3/cdnsp-mem.c | 3 +++
> 1 file changed, 3 insertions(+)
>
>diff --git a/drivers/usb/cdns3/cdnsp-mem.c b/drivers/usb/cdns3/cdnsp-mem.c
>index ad9aee3f1e39..97866bfb2da9 100644
>--- a/drivers/usb/cdns3/cdnsp-mem.c
>+++ b/drivers/usb/cdns3/cdnsp-mem.c
>@@ -987,6 +987,9 @@ int cdnsp_endpoint_init(struct cdnsp_device *pdev,
>
> 	/* Set up the endpoint ring. */
> 	pep->ring = cdnsp_ring_alloc(pdev, 2, ring_type, max_packet, mem_flags);
>+	if (!pep->ring)
>+		return -ENOMEM;
>+
> 	pep->skip = false;
>
> 	/* Fill the endpoint context */
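Review bot: the early `return -ENOMEM` undoes nothing, which is correct only if no resource was acquired earlier in cdnsp_endpoint_init(); the hunk context does not show the preceding lines, so that should be verified, and a short comment noting that the ring is the first allocation here would record the assumption for future edits.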
>--
>2.25.1


Acked-by: Pawel Laszczak <pawell@cadence.com>

--

Thanks,
Pawel Laszczak


* Re: [PATCH v4] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
  2021-12-01  3:22 17%         ` [PATCH v4] " Zhou Qingyang
@ 2021-12-01  7:20  0%           ` Christian König
From: Christian König @ 2021-12-01  7:20 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, kernel test robot, Alex Deucher, Pan, Xinhui, David Airlie,
	Daniel Vetter, amd-gfx, dri-devel, linux-kernel

On 01.12.21 at 04:22, Zhou Qingyang wrote:
> In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
> vm->ib_bo_va and then used in radeon_vm_bo_set_addr(). In
> radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
> which could lead to a NULL pointer dereference on failure of
> radeon_vm_bo_add().
>
> Fix this bug by adding a check of vm->ib_bo_va.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_RADEON=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
> Reported-by: kernel test robot <lkp@intel.com>
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> Changes in v2:
>    -  Initialize the variables to silence warning

What warning do you get? Double checking the code that shouldn't be 
necessary and is usually rather frowned upon.

Thanks,
Christian.

>
> Changes in v3:
>    -  Fix the bug that the good case would also be freed
>    -  Improve code style
>
> Changes in v2:
>    -  Improve the error handling into goto style
>
>   drivers/gpu/drm/radeon/radeon_kms.c | 37 ++++++++++++++++-------------
>   1 file changed, 20 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
> index 482fb0ae6cb5..9d0f840286a1 100644
> --- a/drivers/gpu/drm/radeon/radeon_kms.c
> +++ b/drivers/gpu/drm/radeon/radeon_kms.c
> @@ -648,7 +648,9 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
>   int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   {
>   	struct radeon_device *rdev = dev->dev_private;
> -	int r;
> +	struct radeon_fpriv *fpriv = NULL;
> +	struct radeon_vm *vm = NULL;
> +	int r = 0;
>
>   	file_priv->driver_priv = NULL;
>
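Review bot: initialising fpriv, vm and r (the v4 change) quiets the compiler rather than fixing what it complained about: the labels added in the last hunk are reached on the success path too, so `if (r)` there evaluates r, vm and fpriv even when the CHIP_CAYMAN branch never assigned them. Arranging the function so those labels are reached only via goto removes the need for the initialisers.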
> @@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   
>   	/* new gpu have virtual address space support */
>   	if (rdev->family >= CHIP_CAYMAN) {
> -		struct radeon_fpriv *fpriv;
> -		struct radeon_vm *vm;
>   
>   		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
>   		if (unlikely(!fpriv)) {
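Review bot: deleting the two local declarations leaves a blank line directly after `if (rdev->family >= CHIP_CAYMAN) {`, which checkpatch reports as unnecessary after an open brace; drop the blank line together with the declarations.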
> @@ -672,35 +672,38 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   		if (rdev->accel_working) {
>   			vm = &fpriv->vm;
>   			r = radeon_vm_init(rdev, vm);
> -			if (r) {
> -				kfree(fpriv);
> -				goto out_suspend;
> -			}
> +			if (r)
> +				goto out_fpriv;
>   
>   			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
> -			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> -			}
> +			if (r)
> +				goto out_vm_fini;
>   
>   			/* map the ib pool buffer read only into
>   			 * virtual address space */
>   			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
>   							rdev->ring_tmp_bo.bo);
> +			if (!vm->ib_bo_va) {
> +				r = -ENOMEM;
> +				goto out_vm_fini;
> +			}
> +
>   			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
>   						  RADEON_VA_IB_OFFSET,
>   						  RADEON_VM_PAGE_READABLE |
>   						  RADEON_VM_PAGE_SNOOPED);
> -			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> -			}
> +			if (r)
> +				goto out_vm_fini;
>   		}
>   		file_priv->driver_priv = fpriv;
>   	}
>   
> +out_vm_fini:
> +	if (r)
> +		radeon_vm_fini(rdev, vm);
> +out_fpriv:
> +	if (r)
> +		kfree(fpriv);
>   out_suspend:
>   	pm_runtime_mark_last_busy(dev->dev);
>   	pm_runtime_put_autosuspend(dev->dev);
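Review bot: `out_vm_fini:` and `out_fpriv:` sit on the fall-through path, so they run on success as well and need the `if (r)` guards; the conventional shape is a success return (after the pm_runtime calls) placed before the labels, so cleanup code is reached only by goto and the guards disappear. The new `if (!vm->ib_bo_va)` exit also happens after radeon_bo_reserve() succeeded; whether that BO needs to be unreserved on this path is not visible here and should be confirmed.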



* Re: [PATCH v3] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
  2021-11-30 15:57 17%       ` [PATCH v3] " Zhou Qingyang
  2021-12-01  3:22 17%         ` [PATCH v4] " Zhou Qingyang
@ 2021-12-01  6:57  0%         ` Christian König
From: Christian König @ 2021-12-01  6:57 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Alex Deucher, Pan, Xinhui, David Airlie, Daniel Vetter,
	amd-gfx, dri-devel, linux-kernel

On 30.11.21 at 16:57, Zhou Qingyang wrote:
> In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
> vm->ib_bo_va and then used in radeon_vm_bo_set_addr(). In
> radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
> which could lead to a NULL pointer dereference on failure of
> radeon_vm_bo_add().
>
> Fix this bug by adding a check of vm->ib_bo_va.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_RADEON=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>

Reviewed-by: Christian König <christian.koenig@amd.com>

> ---
> Changes in v3:
>    -  Fix the bug that the good case would also be freed
>    -  Improve code style
>
> Changes in v2:
>    -  Improve the error handling into goto style
>
>   drivers/gpu/drm/radeon/radeon_kms.c | 35 ++++++++++++++++-------------
>   1 file changed, 19 insertions(+), 16 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
> index 482fb0ae6cb5..439f4d1fdd65 100644
> --- a/drivers/gpu/drm/radeon/radeon_kms.c
> +++ b/drivers/gpu/drm/radeon/radeon_kms.c
> @@ -648,6 +648,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
>   int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   {
>   	struct radeon_device *rdev = dev->dev_private;
> +	struct radeon_fpriv *fpriv;
> +	struct radeon_vm *vm;
>   	int r;
>   
>   	file_priv->driver_priv = NULL;
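Review bot: fpriv and vm are declared at function scope without initialisers, yet the labels added in the last hunk are reached on the success path; when rdev->family < CHIP_CAYMAN neither is ever assigned, and `if (r)` at out_vm_fini is evaluated with whatever r held from the code above this hunk, so a non-zero r would pass an uninitialised vm to radeon_vm_fini(). That is the maybe-uninitialised report a build bot will produce; fix the control flow rather than adding initialisers.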
> @@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   
>   	/* new gpu have virtual address space support */
>   	if (rdev->family >= CHIP_CAYMAN) {
> -		struct radeon_fpriv *fpriv;
> -		struct radeon_vm *vm;
>   
>   		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
>   		if (unlikely(!fpriv)) {
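Review bot: the removed declarations leave an empty line right after the `if (rdev->family >= CHIP_CAYMAN) {` brace; checkpatch flags blank lines after an open brace, so delete it in the same hunk.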
> @@ -672,35 +672,38 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   		if (rdev->accel_working) {
>   			vm = &fpriv->vm;
>   			r = radeon_vm_init(rdev, vm);
> -			if (r) {
> -				kfree(fpriv);
> -				goto out_suspend;
> -			}
> +			if (r)
> +				goto out_fpriv;
>   
>   			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
> -			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> -			}
> +			if (r)
> +				goto out_vm_fini;
>   
>   			/* map the ib pool buffer read only into
>   			 * virtual address space */
>   			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
>   							rdev->ring_tmp_bo.bo);
> +			if (!vm->ib_bo_va) {
> +				r = -ENOMEM;
> +				goto out_vm_fini;
> +			}
> +
>   			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
>   						  RADEON_VA_IB_OFFSET,
>   						  RADEON_VM_PAGE_READABLE |
>   						  RADEON_VM_PAGE_SNOOPED);
> -			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> -			}
> +			if (r)
> +				goto out_vm_fini;
>   		}
>   		file_priv->driver_priv = fpriv;
>   	}
>   
> +out_vm_fini:
> +	if (r)
> +		radeon_vm_fini(rdev, vm);
> +out_fpriv:
> +	if (r)
> +		kfree(fpriv);
>   out_suspend:
>   	pm_runtime_mark_last_busy(dev->dev);
>   	pm_runtime_put_autosuspend(dev->dev);
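Review bot: `out_vm_fini:` and `out_fpriv:` are reached by falling through from the success path, hence the `if (r)` guards; the usual kernel arrangement is a success return (with its pm_runtime calls) before the labels, so that they execute only on error and no guard is needed. As written, a stale non-zero r on a path that never entered the accel_working block would run radeon_vm_fini() and kfree() on unassigned pointers.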



* Re: [PATCH] scsi: libfc: Fix a NULL pointer dereference in fc_lport_ptp_setup()
  2021-11-30 17:10 19% [PATCH] scsi: libfc: Fix a NULL pointer dereference in fc_lport_ptp_setup() Zhou Qingyang
  2021-11-30 18:13  0% ` James Bottomley
@ 2021-12-01  6:41  0% ` Hannes Reinecke
From: Hannes Reinecke @ 2021-12-01  6:41 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, James E.J. Bottomley, Martin K. Petersen,
	Johannes Thumshirn, linux-scsi, linux-kernel

On 11/30/21 6:10 PM, Zhou Qingyang wrote:
> In fc_lport_ptp_setup(), fc_rport_create() is assigned to
> lport->ptp_rdata and there is a dereference of it in fc_lport_ptp_setup(),
> which could lead to a NULL pointer dereference on failure of
> fc_rport_create().
> 
> Fix this bug by adding a check of fc_rport_create().
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_LIBFC=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 2580064b5ec6 ("scsi: libfc: Replace ->rport_create callback with function call")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>   drivers/scsi/libfc/fc_lport.c | 7 +++++++
>   1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
> index 19cd4a95d354..5cd716afb711 100644
> --- a/drivers/scsi/libfc/fc_lport.c
> +++ b/drivers/scsi/libfc/fc_lport.c
> @@ -241,6 +241,13 @@ static void fc_lport_ptp_setup(struct fc_lport *lport,
>   	}
>   	mutex_lock(&lport->disc.disc_mutex);
>   	lport->ptp_rdata = fc_rport_create(lport, remote_fid);
> +	if (!lport->ptp_rdata) {
> +		mutex_unlock(&lport->disc.disc_mutex);
> +		printk(KERN_WARNING "libfc: Failed to allocate for the port (%6.6x)\n",
> +				remote_fid);
> +		return;
> +	}
> +
>   	kref_get(&lport->ptp_rdata->kref);
>   	lport->ptp_rdata->ids.port_name = remote_wwpn;
>   	lport->ptp_rdata->ids.node_name = remote_wwnn;
> 
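Review bot: fc_lport_ptp_setup() is void, so after the new early return lport->ptp_rdata stays NULL and the caller has no way to learn that point-to-point setup failed; either later users of lport->ptp_rdata must tolerate NULL or the function should report the failure. Style-wise, `printk(KERN_WARNING "libfc: ...")` with a hand-written prefix is the legacy form; pr_warn() or the lport logging macros used elsewhere in libfc would match the rest of the file.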
Reviewed-by: Hannes Reinecke <hare@suse.de>

Cheers,

Hannes
-- 
Dr. Hannes Reinecke                Kernel Storage Architect
hare@suse.de                              +49 911 74053 688
SUSE Software Solutions GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), Managing Director: Felix Imendörffer


* [PATCH v2] drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
  2021-11-30 18:17  0% ` Liviu Dudau
@ 2021-12-01  3:37 18%   ` Zhou Qingyang
  2021-12-01 13:28  0%     ` Liviu Dudau
From: Zhou Qingyang @ 2021-12-01  3:37 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, James (Qian) Wang, Liviu Dudau, Mihail Atanassov,
	Brian Starkey, David Airlie, Daniel Vetter, dri-devel,
	linux-kernel

In komeda_plane_add(), komeda_get_layer_fourcc_list() is assigned to
formats and used in drm_universal_plane_init().
drm_universal_plane_init() passes formats to
__drm_universal_plane_init(). __drm_universal_plane_init() further
passes formats to memcpy() as src parameter, which could lead to an
undefined behavior bug on failure of komeda_get_layer_fourcc_list().

Fix this bug by adding a check of formats.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_KOMEDA=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 61f1c4a8ab75 ("drm/komeda: Attach komeda_dev to DRM-KMS")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2
  -  Use kfree and return instead of using 'goto'

 drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
index d63d83800a8a..aa193c58f4bf 100644
--- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
@@ -265,6 +265,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms,
 
 	formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl,
 					       layer->layer_type, &n_formats);
+	if (!formats) {
+		kfree(kplane);
+		return -ENOMEM;
+	}
 
 	err = drm_universal_plane_init(&kms->base, plane,
 			get_possible_crtcs(kms, c->pipeline),
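Review bot: the new early exit frees kplane and returns directly, while the `err` from drm_universal_plane_init() just below is handled outside this hunk; both failure paths should release kplane the same way so the function does not carry two cleanup styles (dropping the `goto`, as the v2 changelog says, is fine as long as the later path does not rely on a label this path now bypasses).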
-- 
2.25.1



* [PATCH v4] drm/radeon/radeon_kms: Fix a NULL pointer dereference in  radeon_driver_open_kms()
@ 2021-12-01  3:23 17% Zhou Qingyang
From: Zhou Qingyang @ 2021-12-01  3:23 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, kernel test robot, Alex Deucher, Christian König, Pan,
	Xinhui, David Airlie, Daniel Vetter, amd-gfx, dri-devel,
	linux-kernel

In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
vm->ib_bo_va and then used in radeon_vm_bo_set_addr(). In
radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
which could lead to a NULL pointer dereference on failure of
radeon_vm_bo_add().

Fix this bug by adding a check of vm->ib_bo_va.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_RADEON=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v4:
  -  Initialize the variables to silence warning

Changes in v3:
  -  Fix the bug that the good case would also be freed
  -  Improve code style

Changes in v2:
  -  Improve the error handling into goto style

 drivers/gpu/drm/radeon/radeon_kms.c | 37 ++++++++++++++++-------------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
index 482fb0ae6cb5..9d0f840286a1 100644
--- a/drivers/gpu/drm/radeon/radeon_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_kms.c
@@ -648,7 +648,9 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
 int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 {
 	struct radeon_device *rdev = dev->dev_private;
-	int r;
+	struct radeon_fpriv *fpriv = NULL;
+	struct radeon_vm *vm = NULL;
+	int r = 0;

 	file_priv->driver_priv = NULL;
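Review bot: `int r = 0` and the NULL initialisers exist only to silence a maybe-uninitialised warning, and that warning points at a real control-flow oddity: the cleanup labels in the last hunk are reached on the success path, where vm and fpriv may never have been assigned. Fix the flow (labels reached only by goto) and the initialisers become unnecessary.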

@@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 
 	/* new gpu have virtual address space support */
 	if (rdev->family >= CHIP_CAYMAN) {
-		struct radeon_fpriv *fpriv;
-		struct radeon_vm *vm;
 
 		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
 		if (unlikely(!fpriv)) {
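Review bot: after removing the two declarations, `if (rdev->family >= CHIP_CAYMAN) {` is followed by an empty line, which checkpatch warns about (blank line after an open brace); remove it in this hunk.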
@@ -672,35 +672,38 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 		if (rdev->accel_working) {
 			vm = &fpriv->vm;
 			r = radeon_vm_init(rdev, vm);
-			if (r) {
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_fpriv;
 
 			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
-			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_vm_fini;
 
 			/* map the ib pool buffer read only into
 			 * virtual address space */
 			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
 							rdev->ring_tmp_bo.bo);
+			if (!vm->ib_bo_va) {
+				r = -ENOMEM;
+				goto out_vm_fini;
+			}
+
 			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
 						  RADEON_VA_IB_OFFSET,
 						  RADEON_VM_PAGE_READABLE |
 						  RADEON_VM_PAGE_SNOOPED);
-			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_vm_fini;
 		}
 		file_priv->driver_priv = fpriv;
 	}
 
+out_vm_fini:
+	if (r)
+		radeon_vm_fini(rdev, vm);
+out_fpriv:
+	if (r)
+		kfree(fpriv);
 out_suspend:
 	pm_runtime_mark_last_busy(dev->dev);
 	pm_runtime_put_autosuspend(dev->dev);
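Review bot: both new labels are guarded with `if (r)` because the success path falls through them; that guard also means `radeon_vm_fini(rdev, vm)` runs for any non-zero r that reaches out_vm_fini, so every `goto out_vm_fini` must come after radeon_vm_init() succeeded (true for the three in this hunk). A success `return` placed before the labels would make them error-only, drop the guards, and remove the need to pre-initialise vm and fpriv.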
-- 
2.25.1



* [PATCH v4] drm/radeon/radeon_kms: Fix a NULL pointer dereference in  radeon_driver_open_kms()
  2021-11-30 15:57 17%       ` [PATCH v3] " Zhou Qingyang
@ 2021-12-01  3:22 17%         ` Zhou Qingyang
  2021-12-01  7:20  0%           ` Christian König
  2021-12-01  6:57  0%         ` [PATCH v3] " Christian König
From: Zhou Qingyang @ 2021-12-01  3:22 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, kernel test robot, Alex Deucher, Christian König, Pan,
	Xinhui, David Airlie, Daniel Vetter, amd-gfx, dri-devel,
	linux-kernel

In radeon_driver_open_kms(), the return value of radeon_vm_bo_add() is
assigned to vm->ib_bo_va and then passed to and used in
radeon_vm_bo_set_addr(). In radeon_vm_bo_set_addr(), there is a
dereference of vm->ib_bo_va, which could lead to a NULL pointer
dereference on failure of radeon_vm_bo_add().

Fix this bug by adding a check of vm->ib_bo_va.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_RADEON=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2:
  -  Initialize the variables to silence warning

Changes in v3:
  -  Fix the bug that good case will also be freed
  -  Improve code style

Changes in v4:
  -  Improve the error handling into goto style

 drivers/gpu/drm/radeon/radeon_kms.c | 37 ++++++++++++++++-------------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
index 482fb0ae6cb5..9d0f840286a1 100644
--- a/drivers/gpu/drm/radeon/radeon_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_kms.c
@@ -648,7 +648,9 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
 int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 {
 	struct radeon_device *rdev = dev->dev_private;
-	int r;
+	struct radeon_fpriv *fpriv = NULL;
+	struct radeon_vm *vm = NULL;
+	int r = 0;

 	file_priv->driver_priv = NULL;

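Review bot: the `= NULL` and `r = 0` initializers at `+	struct radeon_fpriv *fpriv = NULL;` through `+	int r = 0;` are only needed because the later hunk lets the success path fall through `out_vm_fini:` and `out_fpriv:` behind `if (r)` guards. With a `goto out_suspend;` placed before those labels (the usual kernel shape), `fpriv` and `vm` are only reached at a label after they have been assigned, and `r` keeps the meaning it had before the patch.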
@@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 
 	/* new gpu have virtual address space support */
 	if (rdev->family >= CHIP_CAYMAN) {
-		struct radeon_fpriv *fpriv;
-		struct radeon_vm *vm;
 
 		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
 		if (unlikely(!fpriv)) {
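Review bot: removing `struct radeon_fpriv *fpriv;` and `struct radeon_vm *vm;` leaves the blank line directly after `if (rdev->family >= CHIP_CAYMAN) {` with nothing to separate; drop that blank line in the same hunk so the block does not open with empty whitespace.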
@@ -672,35 +672,38 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 		if (rdev->accel_working) {
 			vm = &fpriv->vm;
 			r = radeon_vm_init(rdev, vm);
-			if (r) {
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_fpriv;
 
 			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
-			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_vm_fini;
 
 			/* map the ib pool buffer read only into
 			 * virtual address space */
 			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
 							rdev->ring_tmp_bo.bo);
+			if (!vm->ib_bo_va) {
+				r = -ENOMEM;
+				goto out_vm_fini;
+			}
+
 			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
 						  RADEON_VA_IB_OFFSET,
 						  RADEON_VM_PAGE_READABLE |
 						  RADEON_VM_PAGE_SNOOPED);
-			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_vm_fini;
 		}
 		file_priv->driver_priv = fpriv;
 	}
 
+out_vm_fini:
+	if (r)
+		radeon_vm_fini(rdev, vm);
+out_fpriv:
+	if (r)
+		kfree(fpriv);
 out_suspend:
 	pm_runtime_mark_last_busy(dev->dev);
 	pm_runtime_put_autosuspend(dev->dev);
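Review bot: the cleanup labels at `+out_vm_fini:` and `+out_fpriv:` are entered on the success path too and rely on `if (r)` to do nothing, which is what the v3 changelog entry "good case will also be freed" was repairing; correctness now depends on `r` being exactly 0 at the end of the function, so any future call that leaves a positive status in `r` would free a live `fpriv` that `file_priv->driver_priv` still points at. The conventional form is a `goto out_suspend;` after the closing brace of the CHIP_CAYMAN block, with unconditional `radeon_vm_fini(rdev, vm);` and `kfree(fpriv);` under the labels. The new `if (!vm->ib_bo_va)` branch itself is right to jump to `out_vm_fini`, since that matches what the existing radeon_vm_bo_set_addr() failure path does.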
-- 
2.25.1



* Re: [PATCH] drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
  2021-11-30 14:23 19% [PATCH] drm/komeda: Fix an undefined behavior bug in komeda_plane_add() Zhou Qingyang
@ 2021-11-30 18:17  0% ` Liviu Dudau
  2021-12-01  3:37 18%   ` [PATCH v2] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Liviu Dudau @ 2021-11-30 18:17 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, James (Qian) Wang, Mihail Atanassov, Brian Starkey,
	David Airlie, Daniel Vetter, dri-devel, linux-kernel

Hi Zhou,

On Tue, Nov 30, 2021 at 10:23:01PM +0800, Zhou Qingyang wrote:
> In komeda_plane_add(), komeda_get_layer_fourcc_list() is assigned to
> formats and used in drm_universal_plane_init().
> drm_universal_plane_init() passes formats to
> __drm_universal_plane_init(). __drm_universal_plane_init() further
> passes formats to memcpy() as src parameter, which could lead to an
> undefined behavior bug on failure of komeda_get_layer_fourcc_list().
> 
> Fix this bug by adding a check of formats.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.

If multiple researchers have cross-reviewed the bug how many have reviewed the fix?
I'm asking because there is a problem with the fix ....


> 
> Builds with CONFIG_DRM_KOMEDA=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 61f1c4a8ab75 ("drm/komeda: Attach komeda_dev to DRM-KMS")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> index d63d83800a8a..dd3f17e970dd 100644
> --- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> +++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
> @@ -265,6 +265,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms,
>  
>  	formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl,
>  					       layer->layer_type, &n_formats);
> +	if (!formats) {
> +		err = -ENOMEM;
> +		goto cleanup;

If you go to cleanup here it is too early, as the plane variable has not been
initialised by the drm_universal_plane_init(), so komeda_plane_destroy() will crash.
The correct fix here is to free the kplane allocation and then return -ENOMEM.

> +	}
>  
>  	err = drm_universal_plane_init(&kms->base, plane,
>  			get_possible_crtcs(kms, c->pipeline),
> -- 
> 2.25.1
> 

Best regards,
Liviu

-- 
====================
| I would like to |
| fix the world,  |
| but they're not |
| giving me the   |
 \ source code!  /
  ---------------
    ¯\_(ツ)_/¯


* [PATCH] clk: mediatek: mt7629: Fix a NULL pointer dereference in mtk_topckgen_init()
@ 2021-11-30 18:15 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 18:15 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Ryder Lee, Wenzhen Yu, Rob Herring, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In mtk_topckgen_init(), mtk_alloc_clk_data() is assigned to clk_data
and used in clk_prepare_enable(). There is a dereference of clk_data
in clk_prepare_enable(), which could lead to a NULL pointer dereference
on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
clk_prepare_enable(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT7629=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 3b5e748615e7 ("clk: mediatek: add clock support for MT7629 SoC")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt7629.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt7629.c b/drivers/clk/mediatek/clk-mt7629.c
index 856929f94ebd..f791e53b812a 100644
--- a/drivers/clk/mediatek/clk-mt7629.c
+++ b/drivers/clk/mediatek/clk-mt7629.c
@@ -580,6 +580,8 @@ static int mtk_topckgen_init(struct platform_device *pdev)
 		return PTR_ERR(base);
 
 	clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_fixed_clks(top_fixed_clks, ARRAY_SIZE(top_fixed_clks),
 				    clk_data);
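Review bot: the new `+	return -ENOMEM;` exits between the `return PTR_ERR(base);` context line and the clock registration without releasing whatever `base` refers to; the hunk does not show how `base` was mapped, so confirm it is devm-managed, and if it was obtained with of_iomap() this return needs an iounmap() first. The check itself is correctly placed right after mtk_alloc_clk_data().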
-- 
2.25.1



* Re: [PATCH] scsi: libfc: Fix a NULL pointer dereference in fc_lport_ptp_setup()
  2021-11-30 17:10 19% [PATCH] scsi: libfc: Fix a NULL pointer dereference in fc_lport_ptp_setup() Zhou Qingyang
@ 2021-11-30 18:13  0% ` James Bottomley
  2021-12-01  6:41  0% ` Hannes Reinecke
  1 sibling, 0 replies; 200+ results
From: James Bottomley @ 2021-11-30 18:13 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Hannes Reinecke, Martin K. Petersen, Johannes Thumshirn,
	linux-scsi, linux-kernel

On Wed, 2021-12-01 at 01:10 +0800, Zhou Qingyang wrote:
> In fc_lport_ptp_setup(), fc_rport_create() is assigned to
> lport->ptp_rdata and there is a dereference of it in
> fc_lport_ptp_setup(), which could lead to a NULL pointer dereference
> on failure of fc_rport_create().
> 
> Fix this bug by adding a check of fc_rport_create().
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_LIBFC=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: 2580064b5ec6 ("scsi: libfc: Replace ->rport_create callback
> with function call")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/scsi/libfc/fc_lport.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/drivers/scsi/libfc/fc_lport.c
> b/drivers/scsi/libfc/fc_lport.c
> index 19cd4a95d354..5cd716afb711 100644
> --- a/drivers/scsi/libfc/fc_lport.c
> +++ b/drivers/scsi/libfc/fc_lport.c
> @@ -241,6 +241,13 @@ static void fc_lport_ptp_setup(struct fc_lport
> *lport,
>  	}
>  	mutex_lock(&lport->disc.disc_mutex);
>  	lport->ptp_rdata = fc_rport_create(lport, remote_fid);
> +	if (!lport->ptp_rdata) {
> +		mutex_unlock(&lport->disc.disc_mutex);
> +		printk(KERN_WARNING "libfc: Failed to allocate for the
> port (%6.6x)\n",
> +				remote_fid);
> +		return;
> +	}
> +
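Review bot: the `+		return;` leaves the caller unaware that lport->ptp_rdata is still NULL, since the hunk header shows fc_lport_ptp_setup() is `static void`; if this allocation failure is to be handled rather than left to the existing oops, the function needs to return an error and its callers need to propagate it, instead of warning and continuing. The bare `printk(KERN_WARNING ...)` is also redundant with the allocator's own failure report; if a message is kept, pr_warn() is the preferred form.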

This really doesn't look like a good idea.  Most GFP_KERNEL allocations
aren't going to fail unless the kernel is about to wedge anyway under
reclaim pressure.  fc_lport_ptp_setup is assumed to succeed if it
returns, there's no error handling, so the kernel would now continue in
an unexpected state if it recovers from the reclaim issue.

The kmalloc failure will have printed a message anyway and the oops
trace from the NULL deref would identify the location if it's relevant
and likely kill the iscsi daemon, so setting up a time bomb for someone
else really doesn't look to be improving the code.

James




* [PATCH] clk: mediatek: mt7622: Fix a NULL pointer dereference in mtk_topckgen_init()
@ 2021-11-30 18:13 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 18:13 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Sean Wang, Chen Zhong, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In mtk_topckgen_init(), mtk_alloc_clk_data() is assigned to clk_data
and used in clk_prepare_enable(). There is a dereference of clk_data
in clk_prepare_enable(), which could lead to a NULL pointer dereference
on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT7622=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 2fc0a509e4ee ("clk: mediatek: add clock support for MT7622 SoC")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt7622.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt7622.c b/drivers/clk/mediatek/clk-mt7622.c
index e89acef5768f..4968b227b4ab 100644
--- a/drivers/clk/mediatek/clk-mt7622.c
+++ b/drivers/clk/mediatek/clk-mt7622.c
@@ -620,6 +620,8 @@ static int mtk_topckgen_init(struct platform_device *pdev)
 		return PTR_ERR(base);
 
 	clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_fixed_clks(top_fixed_clks, ARRAY_SIZE(top_fixed_clks),
 				    clk_data);
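Review bot: this is the same two-line check as the mt7629 mtk_topckgen_init() patch on this page, with the same open question about releasing `base` on the new early return; since clk-mt7622.c also receives a separate patch for mtk_pericfg_init(), the two changes to one file (and the matching mt7629 pair) would be easier to review and apply as a single series with a cover letter than as independent mails.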
-- 
2.25.1



* [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region()
@ 2021-11-30 18:11 19% Zhou Qingyang
  2022-01-02 17:47  0% ` Dominik Brodowski
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 18:11 UTC (permalink / raw)
  To: zhou1615; +Cc: kjlu, Dominik Brodowski, Lee Jones, linux-kernel

In nonstatic_find_mem_region(), pcmcia_make_resource() is assigned to
res and used in pci_bus_alloc_resource(). There is a dereference of res
in pci_bus_alloc_resource(), which could lead to a NULL pointer
dereference on failure of pcmcia_make_resource().

Fix this bug by adding a check of res.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/pcmcia/rsrc_nonstatic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
index 4f5e1a46ebe4..43ae6bd84499 100644
--- a/drivers/pcmcia/rsrc_nonstatic.c
+++ b/drivers/pcmcia/rsrc_nonstatic.c
@@ -812,6 +812,9 @@ static struct resource *nonstatic_find_mem_region(u_long base, u_long num,
 	unsigned long min, max;
 	int ret, i, j;
 
+	if (!res)
+		return NULL;
+
 	low = low || !(s->features & SS_CAP_PAGE_REGS);
 
 	data.mask = align - 1;
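Review bot: the `+	if (!res)` check sits after the local declarations rather than next to the pcmcia_make_resource() call that the commit message says produces `res`; that call is outside the hunk, so a reader cannot see from the diff that nothing touches `res` between assignment and check. Placing the check immediately after the assignment, or including that assignment as context, would make the fix self-evident. Returning NULL is consistent with the `struct resource *` return type shown in the hunk header, provided the function's callers already handle a NULL result.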
-- 
2.25.1



* [PATCH] clk: mediatek: mt8135: Fix a NULL pointer dereference in mtk_topckgen_init()
@ 2021-11-30 18:02 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 18:02 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Henry Chen, Sascha Hauer, James Liao, linux-clk,
	linux-arm-kernel, linux-mediatek, linux-kernel

In mtk_topckgen_init(), mtk_alloc_clk_data() is assigned to clk_data
and used in clk_prepare_enable(). There is a dereference of clk_data
in clk_prepare_enable(), which could lead to a NULL pointer dereference
on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
clk_prepare_enable(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is
changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT8135=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: a8aede794843 ("clk: mediatek: Add basic clocks for Mediatek MT8135.")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt8135.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt8135.c b/drivers/clk/mediatek/clk-mt8135.c
index b4e20bd7680e..556153379c3d 100644
--- a/drivers/clk/mediatek/clk-mt8135.c
+++ b/drivers/clk/mediatek/clk-mt8135.c
@@ -526,6 +526,11 @@ static void __init mtk_topckgen_init(struct device_node *node)
 	}
 
 	clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK);
+	if (!clk_data) {
+		pr_err("%s(): could not register clock provider: %d\n",
+			__func__, -ENOMEM);
+		return;
+	}
 
 	mtk_clk_register_factors(root_clk_alias, ARRAY_SIZE(root_clk_alias), clk_data);
 	mtk_clk_register_factors(top_divs, ARRAY_SIZE(top_divs), clk_data);
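Review bot: the message at `+		pr_err("%s(): could not register clock provider: %d\n",` describes the wrong failure: what failed is the mtk_alloc_clk_data() allocation, not provider registration, and printing a hard-coded `-ENOMEM` through `%d` adds nothing. Since mtk_topckgen_init() is `void __init` here (per the hunk header) an early return is the only option, but the text should say the clock data allocation failed, or the message should be dropped altogether given the allocator already reports the failure.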
-- 
2.25.1



* [PATCH] clk: mediatek: mt7629: Fix a NULL pointer dereference in mtk_pericfg_init()
@ 2021-11-30 18:00 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 18:00 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Wenzhen Yu, Rob Herring, Ryder Lee, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In mtk_pericfg_init(), mtk_alloc_clk_data() is assigned to clk_data
and used in clk_prepare_enable(). There is a dereference of clk_data
in clk_prepare_enable(), which could lead to a NULL pointer dereference
on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
clk_prepare_enable(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT7629=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 3b5e748615e7 ("clk: mediatek: add clock support for MT7629 SoC")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt7629.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt7629.c b/drivers/clk/mediatek/clk-mt7629.c
index 30fe4b9b9fda..856929f94ebd 100644
--- a/drivers/clk/mediatek/clk-mt7629.c
+++ b/drivers/clk/mediatek/clk-mt7629.c
@@ -628,6 +628,8 @@ static int mtk_pericfg_init(struct platform_device *pdev)
 		return PTR_ERR(base);
 
 	clk_data = mtk_alloc_clk_data(CLK_PERI_NR_CLK);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_gates(node, peri_clks, ARRAY_SIZE(peri_clks),
 			       clk_data);
-- 
2.25.1



* [PATCH] clk: mediatek: mt7622: Fix a NULL pointer dereference in mtk_pericfg_init()
@ 2021-11-30 17:58 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:58 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Sean Wang, Chen Zhong, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In mtk_pericfg_init(), mtk_alloc_clk_data() is assigned to clk_data
and used in clk_prepare_enable(). There is a dereference of clk_data
in clk_prepare_enable(), which could lead to a NULL pointer dereference
on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
clk_prepare_enable(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT7622=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 2fc0a509e4ee ("clk: mediatek: add clock support for MT7622 SoC")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt7622.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt7622.c b/drivers/clk/mediatek/clk-mt7622.c
index 3a389fa915c1..e89acef5768f 100644
--- a/drivers/clk/mediatek/clk-mt7622.c
+++ b/drivers/clk/mediatek/clk-mt7622.c
@@ -702,6 +702,8 @@ static int mtk_pericfg_init(struct platform_device *pdev)
 		return PTR_ERR(base);
 
 	clk_data = mtk_alloc_clk_data(CLK_PERI_NR_CLK);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_gates(node, peri_clks, ARRAY_SIZE(peri_clks),
 			       clk_data);
-- 
2.25.1



* [PATCH] clk: mediatek: mt6779: Fix a NULL pointer dereference in clk_mt6779_top_probe()
@ 2021-11-30 17:36 18% Zhou Qingyang
  2021-12-01  9:33  0% ` miles.chen
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:36 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Miles Chen, mtk01761, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In clk_mt6779_top_probe(), mtk_alloc_clk_data() is assigned to clk_data
and used in mtk_clk_register_muxes(). There is a dereference of clk_data
in mtk_clk_register_muxes(), which could lead to a NULL pointer
dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_muxes(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT6779=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 710774e04861 ("clk: mediatek: Add MT6779 clock support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt6779.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt6779.c b/drivers/clk/mediatek/clk-mt6779.c
index f22bf4025f55..fb43d23b715b 100644
--- a/drivers/clk/mediatek/clk-mt6779.c
+++ b/drivers/clk/mediatek/clk-mt6779.c
@@ -1239,6 +1239,8 @@ static int clk_mt6779_top_probe(struct platform_device *pdev)
 		return PTR_ERR(base);
 
 	clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_fixed_clks(top_fixed_clks, ARRAY_SIZE(top_fixed_clks),
 				    clk_data);
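Review bot: the `+	return -ENOMEM;` is the right shape for a probe function, but the commit message's alternative of checking inside mtk_clk_register_muxes() deserves a line in review: the same mtk_alloc_clk_data() NULL return is patched one caller at a time across six MediaTek drivers on this page (mt2712, mt6765, mt6779, mt7622, mt7629, mt8135), three of which add a pr_err and three of which do not. Picking one shape and sending them as one series would avoid the inconsistency.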
-- 
2.25.1



* Re: [PATCH] drm/amdkfd: Fix a wild pointer dereference in svm_range_add()
       [not found]     ` <b78771ca-2ca2-a369-b67f-dc479eb87d90@amd.com>
@ 2021-11-30 17:35  0%   ` Felix Kuehling
       [not found]         ` <CA+Cm_xSm8O_0M2Ng9mvDUKwYaCxkZU+M7AZ=9aU26WTFELC-2w@mail.gmail.com>
  0 siblings, 1 reply; 200+ results
From: Felix Kuehling @ 2021-11-30 17:35 UTC (permalink / raw)
  To: philip yang, Zhou Qingyang
  Cc: kjlu, Alex Deucher, Christian König, Pan, Xinhui,
	David Airlie, Daniel Vetter, Alex Sierra, Philip Yang, amd-gfx,
	dri-devel, linux-kernel

On 2021-11-30 at 11:51 a.m., philip yang wrote:
>
>
> On 2021-11-30 6:26 a.m., Zhou Qingyang wrote:
>> In svm_range_add(), the return value of svm_range_new() is assigned
>> to prange and &prange->insert_list is used in list_add(). There is a
>> dereference of &prange->insert_list in list_add(), which could lead
>> to a wild pointer dereference on failure of svm_range_new() if
>> CONFIG_DEBUG_LIST is unset in .config file.
>>
>> Fix this bug by adding a check of prange.
>>
>> This bug was found by a static analyzer. The analysis employs
>> differential checking to identify inconsistent security operations
>> (e.g., checks or kfrees) between two code paths and confirms that the
>> inconsistent operations are not recovered in the current function or
>> the callers, so they constitute bugs.
>>
>> Note that, as a bug found by static analysis, it can be a false
>> positive or hard to trigger. Multiple researchers have cross-reviewed
>> the bug.
>>
>> Builds with CONFIG_DRM_AMDGPU=m, CONFIG_HSA_AMD=y, and
>> CONFIG_HSA_AMD_SVM=y show no new warnings, and our static analyzer no
>> longer warns about this code.
>>
>> Fixes: 42de677f7999 ("drm/amdkfd: register svm range")
>> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> Reviewed-by: Philip Yang <Philip.Yang@amd.com>

The patch looks good to me. It's an obvious bug and definitely not a
false positive. The patch description is a bit verbose. Is this
auto-generated output from the static checker? It could be replaced with
something more concise. Especially the comment about this possibly being
a false positive should not be in the final submission.

Regards,
  Felix


>> ---
>>  drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 3 +++
>>  1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
>> index 58b89b53ebe6..e40c2211901d 100644
>> --- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
>> +++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
>> @@ -2940,6 +2940,9 @@ svm_range_add(struct kfd_process *p, uint64_t start, uint64_t size,
>>  
>>  	if (left) {
>>  		prange = svm_range_new(svms, last - left + 1, last);
>> +		if (!prange)
>> +			return -ENOMEM;
>> +
>>  		list_add(&prange->insert_list, insert_list);
>>  		list_add(&prange->update_list, update_list);
>>  	}
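Review bot: the `+		return -ENOMEM;` inside `if (left)` returns after this function may already have queued earlier ranges on `insert_list` and `update_list` (the `list_add` calls visible here are the tail of that work); the hunk does not show whether the caller frees ranges left on those lists when svm_range_add() fails, so either confirm that it does or unwind them before returning.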


* [PATCH] clk: mediatek: mt6765: Fix a NULL pointer dereference in clk_mt6765_top_probe()
@ 2021-11-30 17:34 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:34 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Mars Cheng, Macpaul Lin, Owen Chen, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In clk_mt6765_top_probe(), mtk_alloc_clk_data() is assigned to clk_data
and used in mtk_clk_register_muxes(). There is a dereference of clk_data
in mtk_clk_register_muxes(), which could lead to a NULL pointer
dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_muxes(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT6765=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 1aca9939bf72 ("clk: mediatek: Add MT6765 clock support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt6765.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt6765.c b/drivers/clk/mediatek/clk-mt6765.c
index 5f723906675b..26d367d0e189 100644
--- a/drivers/clk/mediatek/clk-mt6765.c
+++ b/drivers/clk/mediatek/clk-mt6765.c
@@ -822,6 +822,10 @@ static int clk_mt6765_top_probe(struct platform_device *pdev)
 	}
 
 	clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK);
+	if (!clk_data) {
+		pr_err("%s(): mtk_alloc_clk_data failed\n", __func__);
+		return -ENOMEM;
+	}
 
 	mtk_clk_register_fixed_clks(fixed_clks, ARRAY_SIZE(fixed_clks),
 				    clk_data);
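Review bot: the `+		pr_err("%s(): mtk_alloc_clk_data failed\n", __func__);` is redundant: a failed kernel allocation already logs a warning on its own, so the bare `return -ENOMEM;` used in the sibling mt6779 patch is enough here, and the two patches should not differ in style for the same fix.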
-- 
2.25.1



* [PATCH] clk: mediatek: mt2712: Fix a NULL pointer dereference in clk_mt2712_top_init_early()
@ 2021-11-30 17:32 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:32 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	weiyi.lu, linux-clk, linux-kernel, linux-arm-kernel,
	linux-mediatek

In clk_mt2712_top_init_early(), mtk_alloc_clk_data() is assigned to
top_clk_data and there is a dereference of it in
clk_mt2712_top_init_early() which could lead to a NULL pointer
dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of top_clk_data.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT2712=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: e2f744a82d72 ("clk: mediatek: Add MT2712 clock support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt2712.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt2712.c b/drivers/clk/mediatek/clk-mt2712.c
index 08ef56f68c7a..9050927d2d5d 100644
--- a/drivers/clk/mediatek/clk-mt2712.c
+++ b/drivers/clk/mediatek/clk-mt2712.c
@@ -1286,6 +1286,11 @@ static void clk_mt2712_top_init_early(struct device_node *node)
 
 	if (!top_clk_data) {
 		top_clk_data = mtk_alloc_clk_data(CLK_TOP_NR_CLK);
+		if (!top_clk_data) {
+			pr_err("%s(): could not register clock provider: %d\n",
+				__func__, -ENOMEM);
+			return;
+		}
 
 		for (i = 0; i < CLK_TOP_NR_CLK; i++)
 			top_clk_data->clks[i] = ERR_PTR(-EPROBE_DEFER);
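Review bot: the nested `+		if (!top_clk_data) {` directly inside the outer `if (!top_clk_data) {` reads as a repeat of the same test; a short comment saying the inner one checks the allocation just made, or assigning the result to a local first, would help the next reader. The pr_err text has the same problem as in the mt8135 patch on this page: it reports a provider registration failure when the allocation is what failed.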
-- 
2.25.1



* [PATCH] usb: gadget: mv_u3d: Fix a NULL pointer dereference in mv_u3d_req_to_trb()
@ 2021-11-30 17:29 19% Zhou Qingyang
  2021-12-03 10:53  0% ` Johan Hovold
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:29 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Felipe Balbi, Greg Kroah-Hartman, Johan Hovold,
	Nadezda Lutovinova, Yu Xu, linux-usb, linux-kernel

In mv_u3d_req_to_trb(), mv_u3d_build_trb_one() is assigned to trb and
there is a dereference of it in mv_u3d_req_to_trb(), which could lead
to a NULL pointer dereference on failure of mv_u3d_build_trb_one().

Fix this bug by adding a check of trb.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_USB_MV_U3D=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 3d4eb9dfa3e8 ("usb: gadget: mv: Add USB 3.0 device driver for Marvell PXA2128 chip.")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/usb/gadget/udc/mv_u3d_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/mv_u3d_core.c
index a1057ddfbda3..e90ef4046a9d 100644
--- a/drivers/usb/gadget/udc/mv_u3d_core.c
+++ b/drivers/usb/gadget/udc/mv_u3d_core.c
@@ -417,6 +417,12 @@ static int mv_u3d_req_to_trb(struct mv_u3d_req *req)
 	 */
 	if (length <= (unsigned)MV_U3D_EP_MAX_LENGTH_TRANSFER) {
 		trb = mv_u3d_build_trb_one(req, &count, &dma);
+		if (!trb) {
+			dev_err(u3d->dev, "%s, mv_u3d_build_trb_one fail\n",
+				__func__);
+			return -ENOMEM;
+		}
+
 		list_add_tail(&trb->trb_list, &req->trb_list);
 		req->trb_head = trb;
 		req->trb_count = 1;
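Review bot: the new `dev_err()` in the `if (!trb)` block is an out-of-memory message that the allocator already prints, and its text ("%s, mv_u3d_build_trb_one fail") reads awkwardly; drop it or say what was being built. `u3d` is not visible in this hunk, so confirm it is the already-initialised device pointer at this point in mv_u3d_req_to_trb(). Returning -ENOMEM assumes the only way mv_u3d_build_trb_one() fails is allocation; if it can fail for other reasons the code should propagate that instead. The hunk covers only the single-TRB path under the MV_U3D_EP_MAX_LENGTH_TRANSFER check; if the larger-transfer path builds TRBs with the same helper it needs the same check.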
-- 
2.25.1



* [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init()
@ 2021-11-30 17:27 19% Zhou Qingyang
  2021-12-01  7:28  0% ` Pawel Laszczak
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:27 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Pawel Laszczak, Greg Kroah-Hartman, Peter Chen, linux-usb,
	linux-kernel

In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring
and there is a dereference of it in cdnsp_endpoint_init(), which could
lead to a NULL pointer dereference on failure of cdnsp_ring_alloc().

Fix this bug by adding a check of pep->ring.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_USB_CDNSP_GADGET=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/usb/cdns3/cdnsp-mem.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/usb/cdns3/cdnsp-mem.c b/drivers/usb/cdns3/cdnsp-mem.c
index ad9aee3f1e39..97866bfb2da9 100644
--- a/drivers/usb/cdns3/cdnsp-mem.c
+++ b/drivers/usb/cdns3/cdnsp-mem.c
@@ -987,6 +987,9 @@ int cdnsp_endpoint_init(struct cdnsp_device *pdev,
 
 	/* Set up the endpoint ring. */
 	pep->ring = cdnsp_ring_alloc(pdev, 2, ring_type, max_packet, mem_flags);
+	if (!pep->ring)
+		return -ENOMEM;
+
 	pep->skip = false;
 
 	/* Fill the endpoint context */
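Review bot: the check is the minimal correct form, but the early `return -ENOMEM` leaves `pep` half-initialised (pep->ring NULL, pep->skip untouched, the endpoint context below not filled); confirm that callers of cdnsp_endpoint_init() treat a non-zero return by not touching the endpoint further, or add the cleanup they expect. A one-line comment on why the ring allocation can fail here would also help the next reader.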
-- 
2.25.1



* [PATCH] spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op()
@ 2021-11-30 17:22 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:22 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Mark Brown, Michal Simek, Naga Sureshkumar Relli,
	linux-spi, linux-arm-kernel, linux-kernel

In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(),
which could lead to a NULL pointer dereference on failure of
kzalloc().

Fix this bug by adding a check of tmpbuf.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/spi/spi-zynq-qspi.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c
index cfa222c9bd5e..78f31b61a2aa 100644
--- a/drivers/spi/spi-zynq-qspi.c
+++ b/drivers/spi/spi-zynq-qspi.c
@@ -570,6 +570,9 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem,
 
 	if (op->dummy.nbytes) {
 		tmpbuf = kzalloc(op->dummy.nbytes, GFP_KERNEL);
+		if (!tmpbuf)
+			return -ENOMEM;
+
 		memset(tmpbuf, 0xff, op->dummy.nbytes);
 		reinit_completion(&xqspi->data_completion);
 		xqspi->txbuf = tmpbuf;
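Review bot: with the NULL check in place, the `kzalloc()` followed immediately by `memset(tmpbuf, 0xff, ...)` zeroes the buffer only to overwrite it, so `kmalloc()` would do. Also look at what the new `return -ENOMEM` skips: this sits inside zynq_qspi_exec_mem_op() in the `op->dummy.nbytes` phase, so confirm that no controller state or earlier buffer pointer on `xqspi` set by the preceding phases needs to be reset before bailing out.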
-- 
2.25.1



* [PATCH] scsi: virtio_scsi: Fix a NULL pointer dereference in virtscsi_rescan_hotunplug()
@ 2021-11-30 17:19 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:19 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael S. Tsirkin, Jason Wang, Paolo Bonzini,
	Stefan Hajnoczi, James E.J. Bottomley, Martin K. Petersen,
	Matt Lupfer, virtualization, linux-scsi, linux-kernel

In virtscsi_rescan_hotunplug(), kmalloc() is directly used in memset(),
which could lead to a NULL pointer dereference on failure of
kmalloc().

Fix this bug by adding a check of inq_result.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_SCSI_VIRTIO=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 5ff843721467 ("scsi: virtio_scsi: unplug LUNs when events missed")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/scsi/virtio_scsi.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/virtio_scsi.c b/drivers/scsi/virtio_scsi.c
index 28e1d98ae102..5309f2a3a4cb 100644
--- a/drivers/scsi/virtio_scsi.c
+++ b/drivers/scsi/virtio_scsi.c
@@ -337,7 +337,11 @@ static void virtscsi_rescan_hotunplug(struct virtio_scsi *vscsi)
 	unsigned char scsi_cmd[MAX_COMMAND_SIZE];
 	int result, inquiry_len, inq_result_len = 256;
 	char *inq_result = kmalloc(inq_result_len, GFP_KERNEL);
-
+	if (!inq_result) {
+		pr_err("%s:no enough memory for inq_result\n",
+			__func__);
+		return;
+	}
 	shost_for_each_device(sdev, shost) {
 		inquiry_len = sdev->inquiry_len ? sdev->inquiry_len : 36;
 
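Review bot: the hunk replaces the blank line after the declarations with the `if (!inq_result)` block, so the function now has no separating blank line between declarations and code (checkpatch: missing blank line after declarations); keep the blank line and place the check after it. The `pr_err()` is an out-of-memory message the allocator already prints, and "no enough memory" should read "not enough memory" if it is kept; since virtscsi_rescan_hotunplug() is void, a silent `return` is the usual form. The early return also skips the whole rescan on a transient allocation failure, which is a reasonable trade-off but deserves a one-line comment.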
-- 
2.25.1



* [PATCH] scsi: libsas: Fix a NULL pointer dereference in sas_ex_discover_expander()
@ 2021-11-30 17:16 18% Zhou Qingyang
  2021-12-06 15:09  0% ` John Garry
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:16 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, James E.J. Bottomley, Martin K. Petersen, John Garry,
	Jason Yan, Himanshu Madhani, Jack Wang, Luo Jiaxing,
	Bart Van Assche, James Bottomley, linux-scsi, linux-kernel

In sas_ex_discover_expander(), sas_port_alloc() is assigned to phy->port
and used in sas_port_add(). sas_port_add() further passes phy->port to
list_empty(), and there is a dereference of it in list_empty(), which
could lead to a NULL pointer dereference on failure of
sas_port_alloc().

This patch imitates the same error-handling logic in
sas_ex_discover_end_dev().

Fix this bug by adding checks for phy->port and sas_port_add().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_SCSI_SAS_LIBSAS=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/scsi/libsas/sas_expander.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c
index c2150a818423..7530b1773d6b 100644
--- a/drivers/scsi/libsas/sas_expander.c
+++ b/drivers/scsi/libsas/sas_expander.c
@@ -957,9 +957,16 @@ static struct domain_device *sas_ex_discover_expander(
 		return NULL;
 
 	phy->port = sas_port_alloc(&parent->rphy->dev, phy_id);
-	/* FIXME: better error handling */
-	BUG_ON(sas_port_add(phy->port) != 0);
+	if (unlikely(!phy->port)) {
+		sas_put_device(child);
+		return NULL;
+	}
 
+	if (sas_port_add(phy->port) != 0) {
+		sas_port_free(phy->port);
+		sas_put_device(child);
+		return NULL;
+	}
 
 	switch (phy->attached_dev_type) {
 	case SAS_EDGE_EXPANDER_DEVICE:
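Review bot: after `sas_port_free(phy->port)` in the sas_port_add() failure branch, `phy->port` still points at freed memory; set `phy->port = NULL` there so later users of the phy (including the teardown triggered by sas_put_device(child)) cannot follow a dangling pointer. `unlikely()` on an allocation-failure branch like this is unnecessary and is usually dropped in review. The two new branches otherwise follow the pattern the message says is copied from sas_ex_discover_end_dev(); confirm that `child` is the only resource taken between the preceding `return NULL` and this point.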
-- 
2.25.1



* [PATCH] scsi: libfc: Fix a NULL pointer dereference in fc_lport_ptp_setup()
@ 2021-11-30 17:10 19% Zhou Qingyang
  2021-11-30 18:13  0% ` James Bottomley
  2021-12-01  6:41  0% ` Hannes Reinecke
  0 siblings, 2 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 17:10 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Hannes Reinecke, James E.J. Bottomley, Martin K. Petersen,
	Johannes Thumshirn, linux-scsi, linux-kernel

In fc_lport_ptp_setup(), fc_rport_create() is assigned to
lport->ptp_rdata and there is a dereference of it in fc_lport_ptp_setup(),
which could lead to a NULL pointer dereference on failure of
fc_rport_create().

Fix this bug by adding a check of fc_rport_create().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_LIBFC=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 2580064b5ec6 ("scsi: libfc: Replace ->rport_create callback with function call")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/scsi/libfc/fc_lport.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/scsi/libfc/fc_lport.c b/drivers/scsi/libfc/fc_lport.c
index 19cd4a95d354..5cd716afb711 100644
--- a/drivers/scsi/libfc/fc_lport.c
+++ b/drivers/scsi/libfc/fc_lport.c
@@ -241,6 +241,13 @@ static void fc_lport_ptp_setup(struct fc_lport *lport,
 	}
 	mutex_lock(&lport->disc.disc_mutex);
 	lport->ptp_rdata = fc_rport_create(lport, remote_fid);
+	if (!lport->ptp_rdata) {
+		mutex_unlock(&lport->disc.disc_mutex);
+		printk(KERN_WARNING "libfc: Failed to allocate for the port (%6.6x)\n",
+				remote_fid);
+		return;
+	}
+
 	kref_get(&lport->ptp_rdata->kref);
 	lport->ptp_rdata->ids.port_name = remote_wwpn;
 	lport->ptp_rdata->ids.node_name = remote_wwnn;
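Review bot: the `printk(KERN_WARNING "libfc: ...")` should use `pr_warn()` or the libfc logging helpers, and its text ("Failed to allocate for the port") does not say what was being allocated; something like "failed to allocate point-to-point rport for %6.6x" is clearer. Allocation failures are already reported by the allocator, so the message could also go entirely. The `mutex_unlock()` before returning correctly pairs with the `mutex_lock()` two lines above. Since fc_lport_ptp_setup() is void, the caller cannot learn that the point-to-point rport was not created; check that the link-up path tolerates `lport->ptp_rdata` staying NULL.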
-- 
2.25.1



* [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region()
@ 2021-11-30 16:59 19% Zhou Qingyang
  2022-01-02 17:46  0% ` Dominik Brodowski
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 16:59 UTC (permalink / raw)
  To: zhou1615; +Cc: kjlu, Dominik Brodowski, Lee Jones, linux-kernel

In __nonstatic_find_io_region(), pcmcia_make_resource() is assigned to
res and used in pci_bus_alloc_resource(). There is a dereference of res
in pci_bus_alloc_resource(), which could lead to a NULL pointer
dereference on failure of pcmcia_make_resource().

Fix this bug by adding a check of res.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/pcmcia/rsrc_nonstatic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c
index bb15a8bdbaab..4f5e1a46ebe4 100644
--- a/drivers/pcmcia/rsrc_nonstatic.c
+++ b/drivers/pcmcia/rsrc_nonstatic.c
@@ -689,6 +689,9 @@ static struct resource *__nonstatic_find_io_region(struct pcmcia_socket *s,
 	struct pcmcia_align_data data;
 	unsigned long min = base;
 	int ret;
+
+	if (!res)
+		return NULL;

 	data.mask = align - 1;
 	data.offset = base & data.mask;
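Review bot: the `res` being tested is not visible in this hunk; it must be initialised in the declaration list above line 689 (from pcmcia_make_resource(), per the message). Confirm that no initializer in that list dereferences `res` before the new check runs, and consider placing the check directly after that initialisation rather than after the unrelated `data`/`min`/`ret` declarations so the relationship is obvious. Returning NULL is consistent with the function's existing failure value, so callers need no change.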
-- 
2.25.1



* [PATCH] net/mlx4_en: Fix a use-after-free bug in mlx4_en_try_alloc_resources()
@ 2021-11-30 16:44 18% Zhou Qingyang
  2021-12-01  9:27  0% ` Leon Romanovsky
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 16:44 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Tariq Toukan, David S. Miller, Jakub Kicinski,
	Eugenia Emantayev, netdev, linux-rdma, linux-kernel

In mlx4_en_try_alloc_resources(), mlx4_en_copy_priv() is called and
tmp->tx_cq will be freed on the error path of mlx4_en_copy_priv().
After that mlx4_en_alloc_resources() is called and there is a dereference
of &tmp->tx_cq[t][i] in mlx4_en_alloc_resources(), which could lead to
a use after free problem on failure of mlx4_en_copy_priv().

Fix this bug by adding a check of mlx4_en_copy_priv().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_MLX4_EN=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: ec25bc04ed8e ("net/mlx4_en: Add resilience in low memory systems")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
index 3f6d5c384637..f1c10f2bda78 100644
--- a/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
+++ b/drivers/net/ethernet/mellanox/mlx4/en_netdev.c
@@ -2286,9 +2286,14 @@ int mlx4_en_try_alloc_resources(struct mlx4_en_priv *priv,
 				bool carry_xdp_prog)
 {
 	struct bpf_prog *xdp_prog;
-	int i, t;
+	int i, t, ret;
 
-	mlx4_en_copy_priv(tmp, priv, prof);
+	ret = mlx4_en_copy_priv(tmp, priv, prof);
+	if (ret) {
+		en_warn(priv, "%s: mlx4_en_copy_priv() failed, return\n",
+			__func__);
+		return ret;
+	}
 
 	if (mlx4_en_alloc_resources(tmp)) {
 		en_warn(priv,
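Review bot: the en_warn() text "%s: mlx4_en_copy_priv() failed, return" is awkward; "failed to copy private data: %d" with `ret` is more useful, and `__func__` is generally redundant in en_warn output. The fix relies on mlx4_en_copy_priv() having released everything it allocated before returning non-zero (the message says tmp->tx_cq is freed on its error path); double-check that holds for every failing allocation inside it, otherwise the early return turns the use-after-free into a leak.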
-- 
2.25.1



* [PATCH] octeontx2-af: Fix a memleak bug in rvu_mbox_init()
@ 2021-11-30 16:50 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 16:50 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Sunil Goutham, Linu Cherian, Geetha sowjanya, Jerin Jacob,
	hariprasad, Subbaraya Sundeep, David S. Miller, Jakub Kicinski,
	netdev, linux-kernel

In rvu_mbox_init(), mbox_regions is not freed or passed out
under the switch-default region, which could lead to a memory leak.

Fix this bug by changing 'return err' to 'goto free_regions'.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_OCTEONTX2_AF=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 98c561116360 ("octeontx2-af: cn10k: Add mbox support for CN10K platform")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
index cb56e171ddd4..3ca6b942ebe2 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu.c
@@ -2341,7 +2341,7 @@ static int rvu_mbox_init(struct rvu *rvu, struct mbox_wq_info *mw,
 			goto free_regions;
 		break;
 	default:
-		return err;
+		goto free_regions;
 	}
 
 	mw->mbox_wq = alloc_workqueue(name,
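Review bot: in the `default:` branch, `err` is not assigned anywhere in the visible lines before the new `goto free_regions`; if `err` is still 0 (or uninitialised) at this point, the function frees the regions and then returns success. Set an explicit error (for example `err = -EINVAL;`) before the goto so the leak fix does not leave the return value ambiguous; the same concern applied to the old `return err`, so this is a good moment to settle it.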
-- 
2.25.1



* [PATCH] media: vidtv: Fix a wild pointer dereference in vidtv_channel_pmt_match_sections()
@ 2021-11-30 16:39 18% Zhou Qingyang
  2021-12-02 13:42  0% ` Hans Verkuil
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 16:39 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Daniel W. S. Almeida, Mauro Carvalho Chehab, linux-media,
	linux-kernel

In vidtv_channel_pmt_match_sections(), vidtv_psi_pmt_stream_init() is
assigned to tail and &tail->descriptor is used in
vidtv_psi_desc_assign(). There is a dereference of &tail->descriptor
in vidtv_psi_desc_assign(), which could lead to a wild pointer
dereference on failure of vidtv_psi_pmt_stream_init().

Fix this bug by adding a check of tail.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DVB_VIDTV=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/media/test-drivers/vidtv/vidtv_channel.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/media/test-drivers/vidtv/vidtv_channel.c b/drivers/media/test-drivers/vidtv/vidtv_channel.c
index 7838e6272712..f2faa5504642 100644
--- a/drivers/media/test-drivers/vidtv/vidtv_channel.c
+++ b/drivers/media/test-drivers/vidtv/vidtv_channel.c
@@ -318,6 +318,10 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel *channels,
 	struct vidtv_psi_table_pmt_stream *s = NULL;
 	struct vidtv_channel *cur_chnl = channels;
 	struct vidtv_psi_desc *desc = NULL;
+	struct vidtv_mux *m = container_of(&channels,
+					struct vidtv_mux,
+					channels);
+
 	u16 e_pid; /* elementary stream pid */
 	u16 curr_id;
 	u32 j;
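Review bot: `container_of(&channels, struct vidtv_mux, channels)` is wrong: `channels` here is the function parameter (a local `struct vidtv_channel *` on the stack), so `&channels` is the address of that local variable, not of the `channels` member inside a `struct vidtv_mux`. The resulting `m` is a bogus pointer, and dereferencing `m->dev` later in the function is worse than the NULL dereference being fixed. Either pass the mux (or its device) into vidtv_channel_pmt_match_sections() or log with a plain `pr_warn_ratelimited()` that needs no device.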
@@ -341,6 +345,13 @@ vidtv_channel_pmt_match_sections(struct vidtv_channel *channels,
 					tail = vidtv_psi_pmt_stream_init(tail,
 									 s->type,
 									 e_pid);
+
+					if (!tail) {
+						vidtv_psi_pmt_stream_destroy(head);
+						dev_warn_ratelimited(m->dev,
+							"No enough memory for vidtv_psi_pmt_stream_init");
+						return;
+					}

 					if (!head)
 						head = tail;
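Review bot: on the new `if (!tail)` branch the function destroys `head` and returns, but the caller is not told anything went wrong (the function returns void here) and may continue with a partially built PMT; consider propagating an error or documenting why bailing silently is acceptable. `vidtv_psi_pmt_stream_destroy(head)` is also reached on the very first iteration when `head` is still NULL, so confirm it is NULL-safe. The `dev_warn_ratelimited(m->dev, ...)` depends on the `m` computed in the first hunk with container_of() on the address of a stack variable, which is not a valid pointer; since the allocator already reports allocation failures, the message can simply be dropped.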
-- 
2.25.1



* [PATCH] media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach()
@ 2021-11-30 16:34 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 16:34 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Hans Verkuil, Mauro Carvalho Chehab, linux-media, linux-kernel

In mxb_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of mxb_probe(dev). There is a dereference of dev->vv_data
in saa7146_vv_release(), which could lead to a NULL pointer dereference
on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_MXB=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 03b1930efd3c ("V4L/DVB: saa7146: fix regression of the av7110/budget-av driver")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/media/pci/saa7146/mxb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c
index 73fc901ecf3d..bf0b9b0914cd 100644
--- a/drivers/media/pci/saa7146/mxb.c
+++ b/drivers/media/pci/saa7146/mxb.c
@@ -683,10 +683,16 @@ static struct saa7146_ext_vv vv_data;
 static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
 {
 	struct mxb *mxb;
+	int ret;
 
 	DEB_EE("dev:%p\n", dev);
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		ERR("Error in saa7146_vv_init()");
+		return ret;
+	}
+
 	if (mxb_probe(dev)) {
 		saa7146_vv_release(dev);
 		return -1;
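Review bot: the new `ERR("Error in saa7146_vv_init()")` lacks the trailing "\n" that the `DEB_EE("dev:%p\n", dev)` call in the same hunk uses, and it drops the return code; `ERR("saa7146_vv_init() failed: %d\n", ret)` is consistent with the file's output and more useful. Returning `ret` before mxb_probe() is correct because nothing else has been set up at that point.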
-- 
2.25.1



* [PATCH] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach()
@ 2021-11-30 16:25 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 16:25 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Hans Verkuil, Mauro Carvalho Chehab, linux-media, linux-kernel

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release()
will be called and there is a dereference of dev->vv_data in
saa7146_vv_release(), which could lead to a NULL pointer dereference
on failure of saa7146_vv_init() according to the following logic.

Both hexium_attach() and hexium_detach() are callback functions of
the variable 'extension', so there exists a possible call chain directly
from hexium_attach() to hexium_detach():

hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data
	|		    		in saa7146_vv_init().
	|
	|
hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release()

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c
index 39d14c179d22..2eb4bee16b71 100644
--- a/drivers/media/pci/saa7146/hexium_orion.c
+++ b/drivers/media/pci/saa7146/hexium_orion.c
@@ -355,10 +355,16 @@ static struct saa7146_ext_vv vv_data;
 static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info)
 {
 	struct hexium *hexium = (struct hexium *) dev->ext_priv;
+	int ret;
 
 	DEB_EE("\n");
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		pr_err("Error in saa7146_vv_init()\n");
+		return ret;
+	}
+
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
 	vv_data.vid_ops.vidioc_s_input = vidioc_s_input;
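Review bot: the `pr_err("Error in saa7146_vv_init()\n")` does not include the return code and carries no driver prefix; `pr_err("hexium_orion: saa7146_vv_init() failed: %d\n", ret)` or the file's DEB_* macros would match the existing output. Returning `ret` here is safe because no other resource has been taken in hexium_attach() before this call. The commit message also has no `Fixes:` tag; add the commit that introduced the unchecked call so stable backports can locate the origin.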
-- 
2.25.1



* Re: [PATCH] drm/gma500/cdv: Fix a wild pointer dereference in cdv_intel_dp_get_modes()
  2021-11-30 13:23 19% [PATCH] drm/gma500/cdv: Fix a wild pointer dereference in cdv_intel_dp_get_modes() Zhou Qingyang
@ 2021-11-30 16:22  0% ` Ville Syrjälä
  2021-12-01 15:29 18%   ` [PATCH v2] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Ville Syrjälä @ 2021-11-30 16:22 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: David Airlie, kjlu, linux-kernel, Zhao Yakui, dri-devel,
	Dave Airlie, Alan Cox

On Tue, Nov 30, 2021 at 09:23:28PM +0800, Zhou Qingyang wrote:
> In cdv_intel_dp_get_modes(), the third return value of
> drm_mode_duplicate() is assigned to mode and used in
> drm_mode_probed_add(). drm_mode_probed_add() passes mode->head to
> list_add_tail(). list_add_tail() will further call __list_add() and
> there is a dereference of mode->head in __list_add(), which could lead
> to a wild pointer dereference on failure of drm_mode_duplicate().
> 
> Fix this bug by adding a check of mode.
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_DRM_GMA500=m show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: d112a8163f83 ("gma500/cdv: Add eDP support")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>  drivers/gpu/drm/gma500/cdv_intel_dp.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c
> index ba6ad1466374..b389008965a9 100644
> --- a/drivers/gpu/drm/gma500/cdv_intel_dp.c
> +++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c
> @@ -1773,6 +1773,9 @@ static int cdv_intel_dp_get_modes(struct drm_connector *connector)
>  		if (intel_dp->panel_fixed_mode != NULL) {
>  			struct drm_display_mode *mode;
>  			mode = drm_mode_duplicate(dev, intel_dp->panel_fixed_mode);
> +			if (!mode)
> +				return -ENOMEM;

.get_modes() isn't supposed to return negative values.

> +
>  			drm_mode_probed_add(connector, mode);
>  			return 1;
>  		}
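Review bot: agreed with the point above. A .get_modes() callback returns the number of modes it added to the connector, so on drm_mode_duplicate() failure the idiom is `return 0;` (no modes probed) rather than -ENOMEM, which a caller would read as a mode count. With that one change the NULL check itself is correct and the remaining added lines are fine.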
> -- 
> 2.25.1

-- 
Ville Syrjälä
Intel


* [PATCH] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts()
@ 2021-11-30 16:12 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 16:12 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Neil Armstrong, Mauro Carvalho Chehab, Greg Kroah-Hartman,
	Kevin Hilman, Jerome Brunet, Martin Blumenstingl, Hans Verkuil,
	Maxime Jourdan, linux-media, linux-amlogic, linux-staging,
	linux-arm-kernel, linux-kernel

In amvdec_add_ts(), there is a dereference of kzalloc(), which could lead
to a NULL pointer dereference on failure of kzalloc().

I fix this bug by adding a NULL check of new_ts.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_MESON_VDEC=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/staging/media/meson/vdec/vdec_helpers.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/staging/media/meson/vdec/vdec_helpers.c b/drivers/staging/media/meson/vdec/vdec_helpers.c
index b9125c295d1d..41297c2f8f9a 100644
--- a/drivers/staging/media/meson/vdec/vdec_helpers.c
+++ b/drivers/staging/media/meson/vdec/vdec_helpers.c
@@ -234,6 +234,11 @@ void amvdec_add_ts(struct amvdec_session *sess, u64 ts,
 	unsigned long flags;
 
 	new_ts = kzalloc(sizeof(*new_ts), GFP_KERNEL);
+	if (!new_ts) {
+		dev_err(sess->core->dev_dec,
+			"No enough memory in %s\n", __func__);
+		return;
+	}
 	new_ts->ts = ts;
 	new_ts->tc = tc;
 	new_ts->offset = offset;
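Review bot: amvdec_add_ts() is void, so on the new `if (!new_ts)` branch the timestamp is silently dropped and the caller keeps going; consider returning an error so the decoder can fail the frame rather than lose its timestamp. The `dev_err()` is an out-of-memory message the allocator already prints (checkpatch flags it), and "No enough memory" should be "Not enough memory" if it stays.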
-- 
2.25.1



* [PATCH] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach()
@ 2021-11-30 16:15 19% Zhou Qingyang
  2021-12-02 13:34  0% ` Hans Verkuil
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 16:15 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Hans Verkuil, Mauro Carvalho Chehab, linux-media, linux-kernel

In hexium_attach(dev, info), saa7146_vv_init() is called to allocate
new memory for dev->vv_data. saa7146_vv_release() will be called on
failure of saa7146_register_device(). There is a dereference of
dev->vv_data in saa7146_vv_release(), which could lead to a NULL
pointer dereference on failure of saa7146_vv_init().

Fix this bug by adding a check of saa7146_vv_init().

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings,
and our static analyzer no longer warns about this code.

Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/media/pci/saa7146/hexium_gemini.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c
index 2214c74bbbf1..549b1ddc59b5 100644
--- a/drivers/media/pci/saa7146/hexium_gemini.c
+++ b/drivers/media/pci/saa7146/hexium_gemini.c
@@ -284,7 +284,11 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d
 	hexium_set_input(hexium, 0);
 	hexium->cur_input = 0;
 
-	saa7146_vv_init(dev, &vv_data);
+	ret = saa7146_vv_init(dev, &vv_data);
+	if (ret) {
+		kfree(hexium);
+		return ret;
+	}
 
 	vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input;
 	vv_data.vid_ops.vidioc_g_input = vidioc_g_input;
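Review bot: the new error path frees hexium only. The context (hexium_set_input(hexium, 0), hexium->cur_input = 0) shows hexium is already wired up at this point, so anything registered on it, or still pointing at it, earlier in hexium_attach() (not visible in the hunk) has to be torn down before `kfree(hexium);`, otherwise the device keeps a reference to freed memory after `return ret;`. Also, `ret` is not declared in the hunk, so it must already be in scope in this function.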
-- 
2.25.1



* [PATCH v3] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
  2021-11-30 15:37  0%     ` Christian König
@ 2021-11-30 15:57 17%       ` Zhou Qingyang
  2021-12-01  3:22 17%         ` [PATCH v4] " Zhou Qingyang
  2021-12-01  6:57  0%         ` [PATCH v3] " Christian König
  0 siblings, 2 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 15:57 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Alex Deucher, Christian König, Pan, Xinhui,
	David Airlie, Daniel Vetter, amd-gfx, dri-devel, linux-kernel

In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
vm->ib_bo_va and passed to and used in radeon_vm_bo_set_addr(). In
radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
which could lead to a NULL pointer dereference on failure of
radeon_vm_bo_add().

Fix this bug by adding a check of vm->ib_bo_va.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_RADEON=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v3:
  -  Fix the bug where the good case would also be freed
  -  Improve code style

Changes in v2:
  -  Improve the error handling into goto style

 drivers/gpu/drm/radeon/radeon_kms.c | 35 ++++++++++++++++-------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
index 482fb0ae6cb5..439f4d1fdd65 100644
--- a/drivers/gpu/drm/radeon/radeon_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_kms.c
@@ -648,6 +648,8 @@ void radeon_driver_lastclose_kms(struct drm_device *dev)
 int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 {
 	struct radeon_device *rdev = dev->dev_private;
+	struct radeon_fpriv *fpriv;
+	struct radeon_vm *vm;
 	int r;
 
 	file_priv->driver_priv = NULL;
@@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 
 	/* new gpu have virtual address space support */
 	if (rdev->family >= CHIP_CAYMAN) {
-		struct radeon_fpriv *fpriv;
-		struct radeon_vm *vm;
 
 		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
 		if (unlikely(!fpriv)) {
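Review bot: removing the two block-local declarations leaves an empty line directly after `if (rdev->family >= CHIP_CAYMAN) {`; drop it, since checkpatch warns about a blank line following an opening brace.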
@@ -672,35 +672,38 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 		if (rdev->accel_working) {
 			vm = &fpriv->vm;
 			r = radeon_vm_init(rdev, vm);
-			if (r) {
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_fpriv;
 
 			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
-			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_vm_fini;
 
 			/* map the ib pool buffer read only into
 			 * virtual address space */
 			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
 							rdev->ring_tmp_bo.bo);
+			if (!vm->ib_bo_va) {
+				r = -ENOMEM;
+				goto out_vm_fini;
+			}
+
 			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
 						  RADEON_VA_IB_OFFSET,
 						  RADEON_VM_PAGE_READABLE |
 						  RADEON_VM_PAGE_SNOOPED);
-			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
-			}
+			if (r)
+				goto out_vm_fini;
 		}
 		file_priv->driver_priv = fpriv;
 	}
 
+out_vm_fini:
+	if (r)
+		radeon_vm_fini(rdev, vm);
+out_fpriv:
+	if (r)
+		kfree(fpriv);
 out_suspend:
 	pm_runtime_mark_last_busy(dev->dev);
 	pm_runtime_put_autosuspend(dev->dev);
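Review bot: the `if (r)` guards at `out_vm_fini:` and `out_fpriv:` only work if `r` is exactly 0 every time the labels are reached by falling through, and the hunk does not establish that for the paths that skip the accel block (`rdev->accel_working` false, or a pre-CAYMAN family): there `vm` and `fpriv` are never assigned and `r` holds whatever an earlier call left in it, so a non-zero `r` would call radeon_vm_fini() on an uninitialised `vm` and kfree() an uninitialised `fpriv`. Make the labels reachable only from the error gotos, e.g. an unconditional `goto out_suspend;` placed before `out_vm_fini:` with the two `if (r)` tests dropped, or put the unwind after the function's success return. Separately, the bo reserved by radeon_bo_reserve() above is not visibly released on the new `!vm->ib_bo_va` path; worth confirming who unreserves it there.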
-- 
2.25.1



* [PATCH] media: dib8000: Fix a memleak in dib8000_init()
@ 2021-11-30 15:38 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 15:38 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Mauro Carvalho Chehab, Patrick Boettcher, Olivier Grenie,
	linux-media, linux-kernel

In dib8000_init(), the variable fe is not freed or passed out on the
failure of dib8000_identify(&state->i2c), which could lead to a memleak.

Fix this bug by adding a kfree of fe in the error path.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DVB_DIB8000=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 77e2c0f5d471 ("V4L/DVB (12900): DiB8000: added support for DiBcom ISDB-T/ISDB-Tsb demodulator DiB8000")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/media/dvb-frontends/dib8000.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c
index bb02354a48b8..d67f2dd997d0 100644
--- a/drivers/media/dvb-frontends/dib8000.c
+++ b/drivers/media/dvb-frontends/dib8000.c
@@ -4473,8 +4473,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad
 
 	state->timf_default = cfg->pll->timf;
 
-	if (dib8000_identify(&state->i2c) == 0)
+	if (dib8000_identify(&state->i2c) == 0) {
+		kfree(fe);
 		goto error;
+	}
 
 	dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr);
 
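Review bot: kfree(fe) is added on the dib8000_identify() failure path only, while the other paths that jump to `error` are not visible here. If `fe` is already initialised (or NULL) before those earlier gotos, moving the kfree under the `error:` label covers every path in one place, since kfree(NULL) is a no-op, and avoids the extra braces; if not, a separate label placed after the fe allocation keeps the ownership explicit.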
-- 
2.25.1



* Re: [PATCH v2] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
  2021-11-30 15:33 17%   ` [PATCH v2] " Zhou Qingyang
@ 2021-11-30 15:37  0%     ` Christian König
  2021-11-30 15:57 17%       ` [PATCH v3] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Christian König @ 2021-11-30 15:37 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Alex Deucher, Pan, Xinhui, David Airlie, Daniel Vetter,
	amd-gfx, dri-devel, linux-kernel



On 30.11.21 at 16:33, Zhou Qingyang wrote:
> In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
> vm->ib_bo_va and passed to and used in radeon_vm_bo_set_addr(). In
> radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
> which could lead to a NULL pointer dereference on failure of
> radeon_vm_bo_add().
>
> Fix this bug by adding a check of vm->ib_bo_va.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_RADEON=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
> Changes in v2:
>    -  Improve the error handling into goto style
>
>   drivers/gpu/drm/radeon/radeon_kms.c | 24 ++++++++++++++----------
>   1 file changed, 14 insertions(+), 10 deletions(-)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
> index 482fb0ae6cb5..e49a9d160e52 100644
> --- a/drivers/gpu/drm/radeon/radeon_kms.c
> +++ b/drivers/gpu/drm/radeon/radeon_kms.c
> @@ -649,6 +649,8 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   {
>   	struct radeon_device *rdev = dev->dev_private;
>   	int r;
> +	struct radeon_fpriv *fpriv;
> +	struct radeon_vm *vm;

Please keep variables like "i" or "r" declared last.

>   
>   	file_priv->driver_priv = NULL;
>   
> @@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   
>   	/* new gpu have virtual address space support */
>   	if (rdev->family >= CHIP_CAYMAN) {
> -		struct radeon_fpriv *fpriv;
> -		struct radeon_vm *vm;
>   
>   		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
>   		if (unlikely(!fpriv)) {
> @@ -673,34 +673,38 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   			vm = &fpriv->vm;
>   			r = radeon_vm_init(rdev, vm);
>   			if (r) {
> -				kfree(fpriv);
> -				goto out_suspend;
> +				goto out_fpriv;
>   			}
>   
>   			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
>   			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> +				goto out_vm_fini;
>   			}
>   
>   			/* map the ib pool buffer read only into
>   			 * virtual address space */
>   			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
>   							rdev->ring_tmp_bo.bo);
> +			if (!vm->ib_bo_va) {
> +				r = -ENOMEM;
> +				goto out_vm_fini;
> +			}
> +
>   			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
>   						  RADEON_VA_IB_OFFSET,
>   						  RADEON_VM_PAGE_READABLE |
>   						  RADEON_VM_PAGE_SNOOPED);
>   			if (r) {
> -				radeon_vm_fini(rdev, vm);
> -				kfree(fpriv);
> -				goto out_suspend;
> +				goto out_vm_fini;
>   			}
>   		}
>   		file_priv->driver_priv = fpriv;
>   	}
>   
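Review bot: `if (r) { goto out_fpriv; }` and the two `if (r) { goto out_vm_fini; }` blocks are now single-statement bodies; kernel style drops the braces there (`if (r)` followed by an indented `goto out_fpriv;`), and checkpatch will point this out.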

That here won't work.

> +out_vm_fini:
> +	radeon_vm_fini(rdev, vm);
> +out_fpriv:
> +	kfree(fpriv);

You are finishing the VM and freeing up the memory in the good case now 
as well.

Christian.

>   out_suspend:
>   	pm_runtime_mark_last_busy(dev->dev);
>   	pm_runtime_put_autosuspend(dev->dev);



* [PATCH v2] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
  2021-11-30 15:11  0% ` Christian König
@ 2021-11-30 15:33 17%   ` Zhou Qingyang
  2021-11-30 15:37  0%     ` Christian König
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 15:33 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Alex Deucher, Christian König, Pan, Xinhui,
	David Airlie, Daniel Vetter, amd-gfx, dri-devel, linux-kernel

In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
vm->ib_bo_va and passed to and used in radeon_vm_bo_set_addr(). In
radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
which could lead to a NULL pointer dereference on failure of
radeon_vm_bo_add().

Fix this bug by adding a check of vm->ib_bo_va.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_RADEON=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
Changes in v2:
  -  Improve the error handling into goto style

 drivers/gpu/drm/radeon/radeon_kms.c | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
index 482fb0ae6cb5..e49a9d160e52 100644
--- a/drivers/gpu/drm/radeon/radeon_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_kms.c
@@ -649,6 +649,8 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 {
 	struct radeon_device *rdev = dev->dev_private;
 	int r;
+	struct radeon_fpriv *fpriv;
+	struct radeon_vm *vm;
 
 	file_priv->driver_priv = NULL;
 
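Review bot: the new `struct radeon_fpriv *fpriv;` and `struct radeon_vm *vm;` declarations land after `int r;`; keep the short scalar declared last and put the two pointers above it.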
@@ -660,8 +662,6 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 
 	/* new gpu have virtual address space support */
 	if (rdev->family >= CHIP_CAYMAN) {
-		struct radeon_fpriv *fpriv;
-		struct radeon_vm *vm;
 
 		fpriv = kzalloc(sizeof(*fpriv), GFP_KERNEL);
 		if (unlikely(!fpriv)) {
@@ -673,34 +673,38 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 			vm = &fpriv->vm;
 			r = radeon_vm_init(rdev, vm);
 			if (r) {
-				kfree(fpriv);
-				goto out_suspend;
+				goto out_fpriv;
 			}
 
 			r = radeon_bo_reserve(rdev->ring_tmp_bo.bo, false);
 			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
+				goto out_vm_fini;
 			}
 
 			/* map the ib pool buffer read only into
 			 * virtual address space */
 			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
 							rdev->ring_tmp_bo.bo);
+			if (!vm->ib_bo_va) {
+				r = -ENOMEM;
+				goto out_vm_fini;
+			}
+
 			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
 						  RADEON_VA_IB_OFFSET,
 						  RADEON_VM_PAGE_READABLE |
 						  RADEON_VM_PAGE_SNOOPED);
 			if (r) {
-				radeon_vm_fini(rdev, vm);
-				kfree(fpriv);
-				goto out_suspend;
+				goto out_vm_fini;
 			}
 		}
 		file_priv->driver_priv = fpriv;
 	}
 
+out_vm_fini:
+	radeon_vm_fini(rdev, vm);
+out_fpriv:
+	kfree(fpriv);
 out_suspend:
 	pm_runtime_mark_last_busy(dev->dev);
 	pm_runtime_put_autosuspend(dev->dev);
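Review bot: `out_vm_fini:` and `out_fpriv:` are reached by fall-through on every path, not only via the gotos, so on success this finishes the VM and frees `fpriv` right after storing it in file_priv->driver_priv, and on the paths that never enter the accel block (`rdev->accel_working` false, or a pre-CAYMAN family) `vm` and `fpriv` are uninitialised when radeon_vm_fini() and kfree() run. Return, or `goto out_suspend`, before the labels so they are entered only from the error paths. The single-statement `if (r) { goto ...; }` bodies should also lose their braces.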
-- 
2.25.1



* Re: [PATCH] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
  2021-11-30 15:04 19% [PATCH] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms() Zhou Qingyang
@ 2021-11-30 15:11  0% ` Christian König
  2021-11-30 15:33 17%   ` [PATCH v2] " Zhou Qingyang
  0 siblings, 1 reply; 200+ results
From: Christian König @ 2021-11-30 15:11 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: kjlu, Alex Deucher, Pan, Xinhui, David Airlie, Daniel Vetter,
	amd-gfx, dri-devel, linux-kernel

On 30.11.21 at 16:04, Zhou Qingyang wrote:
> In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
> vm->ib_bo_va and passed to and used in radeon_vm_bo_set_addr(). In
> radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
> which could lead to a NULL pointer dereference on failure of
> radeon_vm_bo_add().
>
> Fix this bug by adding a check of vm->ib_bo_va.
>
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
>
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
>
> Builds with CONFIG_DRM_RADEON=m show no new warnings,
> and our static analyzer no longer warns about this code.
>
> Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>   drivers/gpu/drm/radeon/radeon_kms.c | 7 +++++++
>   1 file changed, 7 insertions(+)
>
> diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
> index 482fb0ae6cb5..ead015c055fb 100644
> --- a/drivers/gpu/drm/radeon/radeon_kms.c
> +++ b/drivers/gpu/drm/radeon/radeon_kms.c
> @@ -688,6 +688,13 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
>   			 * virtual address space */
>   			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
>   							rdev->ring_tmp_bo.bo);
> +			if (!vm->ib_bo_va) {
> +				r = -ENOMEM;
> +				radeon_vm_fini(rdev, vm);
> +				kfree(fpriv);
> +				goto out_suspend;
> +			}
> +

Impressive catch for an automated checker.

Please improve the error handling into goto style since we now add the 
fourth instance of the same error handling code. Apart from that looks 
good to me.

Thanks,
Christian.

>   			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
>   						  RADEON_VA_IB_OFFSET,
>   						  RADEON_VM_PAGE_READABLE |



* [PATCH] drm/selftests/test-drm_dp_mst_helper: A memleak in sideband_msg_req_encode_decode()
@ 2021-11-30 15:08 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 15:08 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, David Airlie, Daniel Vetter, Lee Jones, dri-devel, linux-kernel

In the test-drm_dp_mst_helper.c file, if the initialization of
txmsg fails in sideband_msg_req_encode_decode(),
the function directly returns false and forgets to free
the variable out, which leads to a possible memory leak.

Although this bug is not serious as it belongs to testing code, it is
better to be fixed to avoid unexpected behavior in testing.

I fix this bug by changing 'return false' to 'goto out'.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

We build the kernel with CONFIG_DRM_DEBUG_SELFTEST=m and it shows no warnings.
Our static analyzer also no longer warns.

Fixes: 09234b88ef55 ("drm/selftests/test-drm_dp_mst_helper: Move 'sideband_msg_req_encode_decode' onto the heap")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/selftests/test-drm_dp_mst_helper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/selftests/test-drm_dp_mst_helper.c b/drivers/gpu/drm/selftests/test-drm_dp_mst_helper.c
index 6b4759ed6bfd..e74cea9dafc6 100644
--- a/drivers/gpu/drm/selftests/test-drm_dp_mst_helper.c
+++ b/drivers/gpu/drm/selftests/test-drm_dp_mst_helper.c
@@ -132,7 +132,7 @@ sideband_msg_req_encode_decode(struct drm_dp_sideband_msg_req_body *in)
 
 	txmsg = kzalloc(sizeof(*txmsg), GFP_KERNEL);
 	if (!txmsg)
-		return false;
+		goto out;
 
 	drm_dp_encode_sideband_req(in, txmsg);
 	ret = drm_dp_decode_sideband_req(txmsg, out);
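Review bot: `goto out` now reaches the common exit with whatever the function's boolean result holds at that point; unless that flag is initialised to false, a failed kzalloc() of txmsg is reported as a successful encode/decode round trip, which is worse than the leak being fixed. Set the failure result before the goto (the flag's name is not visible in the hunk; `ret` here is the decode return code, not the bool). Also, the `out` label and the `out` buffer share a name, which makes `goto out` read oddly next to the kfree(out) it is meant to reach; a label such as `out_free` would be clearer.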
-- 
2.25.1



* [PATCH] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms()
@ 2021-11-30 15:04 19% Zhou Qingyang
  2021-11-30 15:11  0% ` Christian König
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 15:04 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Alex Deucher, Christian König, Pan, Xinhui,
	David Airlie, Daniel Vetter, amd-gfx, dri-devel, linux-kernel

In radeon_driver_open_kms(), radeon_vm_bo_add() is assigned to
vm->ib_bo_va and passed to and used in radeon_vm_bo_set_addr(). In
radeon_vm_bo_set_addr(), there is a dereference of vm->ib_bo_va,
which could lead to a NULL pointer dereference on failure of
radeon_vm_bo_add().

Fix this bug by adding a check of vm->ib_bo_va.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_RADEON=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: cc9e67e3d700 ("drm/radeon: fix VM IB handling")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/radeon/radeon_kms.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c
index 482fb0ae6cb5..ead015c055fb 100644
--- a/drivers/gpu/drm/radeon/radeon_kms.c
+++ b/drivers/gpu/drm/radeon/radeon_kms.c
@@ -688,6 +688,13 @@ int radeon_driver_open_kms(struct drm_device *dev, struct drm_file *file_priv)
 			 * virtual address space */
 			vm->ib_bo_va = radeon_vm_bo_add(rdev, vm,
 							rdev->ring_tmp_bo.bo);
+			if (!vm->ib_bo_va) {
+				r = -ENOMEM;
+				radeon_vm_fini(rdev, vm);
+				kfree(fpriv);
+				goto out_suspend;
+			}
+
 			r = radeon_vm_bo_set_addr(rdev, vm->ib_bo_va,
 						  RADEON_VA_IB_OFFSET,
 						  RADEON_VM_PAGE_READABLE |
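Review bot: the check itself is right, since radeon_vm_bo_set_addr() dereferences the bo_va it is handed, but this open-codes the same three-line unwind (radeon_vm_fini(), kfree(fpriv), goto out_suspend) that, as Christian's reply on this thread notes, already appears three times in this function. A fourth copy is the point to switch to goto-based labels (out_vm_fini / out_fpriv) so every error path shares one unwind, and the labels must then be entered only from the error paths, never by falling through on success.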
-- 
2.25.1



* Re: [Intel-gfx] [PATCH] drm/i915/gem: Fix a NULL pointer dereference in igt_request_rewind()
  2021-11-30 14:15 17% [PATCH] drm/i915/gem: Fix a NULL pointer dereference in igt_request_rewind() Zhou Qingyang
@ 2021-11-30 14:58  0% ` Tvrtko Ursulin
  0 siblings, 0 replies; 200+ results
From: Tvrtko Ursulin @ 2021-11-30 14:58 UTC (permalink / raw)
  To: Zhou Qingyang
  Cc: Lucas De Marchi, dri-devel, David Airlie, intel-gfx, kjlu,
	linux-kernel, Chris Wilson, Matthew Auld, Zhihao Cheng


On 30/11/2021 14:15, Zhou Qingyang wrote:
> In igt_request_rewind(), mock_context(i915, "A") is assigned to ctx[0]
> and used in i915_gem_context_get_engine(). There is a dereference
> of ctx[0] in i915_gem_context_get_engine(), which could lead to a NULL
> pointer dereference on failure of mock_context(i915, "A").
> 
> The same holds for mock_context(i915, "B").
> 
> Although this bug is not serious, as it belongs to testing code, it is
> better to fix it to avoid unexpected failure in testing.
> 
> Fix these bugs by adding checks of ctx[0] and ctx[1].
> 
> This bug was found by a static analyzer. The analysis employs
> differential checking to identify inconsistent security operations
> (e.g., checks or kfrees) between two code paths and confirms that the
> inconsistent operations are not recovered in the current function or
> the callers, so they constitute bugs.
> 
> Note that, as a bug found by static analysis, it can be a false
> positive or hard to trigger. Multiple researchers have cross-reviewed
> the bug.
> 
> Builds with CONFIG_DRM_I915_SELFTEST=y show no new warnings,
> and our static analyzer no longer warns about this code.
> 
> Fixes: ca883c304f54 ("drm/i915/selftests: Pass intel_context to mock_request")

I think it is this one instead:

591c0fb85d1c ("drm/i915: Exercise request cancellation using a mock selftest")

Fix looks correct so:

Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>

Thanks for the patch!

Regards,

Tvrtko

P.S.
Although Fixes: is probably a bit over the top since it is selftests only so I'll probably drop it while applying.

> Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
> ---
>   drivers/gpu/drm/i915/selftests/i915_request.c | 10 ++++++++++
>   1 file changed, 10 insertions(+)
> 
> diff --git a/drivers/gpu/drm/i915/selftests/i915_request.c b/drivers/gpu/drm/i915/selftests/i915_request.c
> index d67710d10615..d6fc7b892793 100644
> --- a/drivers/gpu/drm/i915/selftests/i915_request.c
> +++ b/drivers/gpu/drm/i915/selftests/i915_request.c
> @@ -209,6 +209,10 @@ static int igt_request_rewind(void *arg)
>   	int err = -EINVAL;
>   
>   	ctx[0] = mock_context(i915, "A");
> +	if (!ctx[0]) {
> +		err = -ENOMEM;
> +		goto err_ctx_0;
> +	}
>   
>   	ce = i915_gem_context_get_engine(ctx[0], RCS0);
>   	GEM_BUG_ON(IS_ERR(ce));
> @@ -223,6 +227,10 @@ static int igt_request_rewind(void *arg)
>   	i915_request_add(request);
>   
>   	ctx[1] = mock_context(i915, "B");
> +	if (!ctx[1]) {
> +		err = -ENOMEM;
> +		goto err_ctx_1;
> +	}
>   
>   	ce = i915_gem_context_get_engine(ctx[1], RCS0);
>   	GEM_BUG_ON(IS_ERR(ce));
> @@ -261,9 +269,11 @@ static int igt_request_rewind(void *arg)
>   	i915_request_put(vip);
>   err_context_1:
>   	mock_context_close(ctx[1]);
> +err_ctx_1:
>   	i915_request_put(request);
>   err_context_0:
>   	mock_context_close(ctx[0]);
> +err_ctx_0:
>   	mock_device_flush(i915);
>   	return err;
>   }
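Review bot: the new labels `err_ctx_1` / `err_ctx_0` sit next to the existing `err_context_1` / `err_context_0` and differ only by an abbreviation, which invites mixing them up; naming them for what they skip (`err_request` before i915_request_put(request), `err_flush` before mock_device_flush(i915)) reads better. The unwind order itself is right: a failed ctx[1] still puts the request and closes ctx[0], and a failed ctx[0] only flushes the device.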
> 


* [PATCH] drm/radeon/radeon_connectors: Fix a NULL pointer dereference in radeon_fp_native_mode()
@ 2021-11-30 14:48 19% Zhou Qingyang
  2021-12-01 20:04  5% ` Alex Deucher
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 14:48 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Alex Deucher, Christian König, Pan, Xinhui,
	David Airlie, Daniel Vetter, Dave Airlie, amd-gfx, dri-devel,
	linux-kernel

In radeon_fp_native_mode(), the return value of drm_mode_duplicate() is
assigned to mode and there is a dereference of it in
radeon_fp_native_mode(), which could lead to a NULL pointer
dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_RADEON=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: d2efdf6d6f42 ("drm/radeon/kms: add cvt mode if we only have lvds w/h and no edid (v4)")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/radeon/radeon_connectors.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c
index 607ad5620bd9..49f187614f96 100644
--- a/drivers/gpu/drm/radeon/radeon_connectors.c
+++ b/drivers/gpu/drm/radeon/radeon_connectors.c
@@ -473,6 +473,9 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode
 	    native_mode->vdisplay != 0 &&
 	    native_mode->clock != 0) {
 		mode = drm_mode_duplicate(dev, native_mode);
+		if (!mode)
+			return NULL;
+
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		drm_mode_set_name(mode);
 
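Review bot: returning NULL here matches the function's existing contract (the enclosing `if` on native_mode->hdisplay/vdisplay/clock already lets it return without a mode), so callers must handle NULL already. Confirm that `mode` starts out as NULL; if it does, the two "no mode" paths behave alike and the function's final `return mode;` would cover this case without a separate early return, though the explicit check is fine for readability.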
-- 
2.25.1



* [PATCH] drm/panel/panel-tpo-tpg110: Fix a NULL pointer dereference in tpg110_get_modes()
@ 2021-11-30 14:45 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 14:45 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Linus Walleij, Thierry Reding, Sam Ravnborg, David Airlie,
	Daniel Vetter, Laurent Pinchart, dri-devel, linux-kernel

In tpg110_get_modes(), the return value of drm_mode_duplicate() is
assigned to mode and there is a dereference of it in tpg110_get_modes(),
which could lead to a NULL pointer dereference on failure of
drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_PANEL_TPO_TPG110=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: aa6c43644bc5 ("drm/panel: drop drm_device from drm_panel")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/panel/panel-tpo-tpg110.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/panel/panel-tpo-tpg110.c b/drivers/gpu/drm/panel/panel-tpo-tpg110.c
index e3791dad6830..ab4b84c1e243 100644
--- a/drivers/gpu/drm/panel/panel-tpo-tpg110.c
+++ b/drivers/gpu/drm/panel/panel-tpo-tpg110.c
@@ -379,6 +379,9 @@ static int tpg110_get_modes(struct drm_panel *panel,
 	connector->display_info.bus_flags = tpg->panel_mode->bus_flags;
 
 	mode = drm_mode_duplicate(connector->dev, &tpg->panel_mode->mode);
+	if (!mode)
+		return -ENOMEM;
+
 	drm_mode_set_name(mode);
 	mode->type = DRM_MODE_TYPE_DRIVER | DRM_MODE_TYPE_PREFERRED;
 
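Review bot: get_modes callbacks hand back a mode count, and this function presumably ends by returning the number of modes it added; check how the callers of tpg110_get_modes() treat a negative value, because a `-ENOMEM` consumed as a count would be mishandled. If they only test for zero, `return 0;` is the safer choice on allocation failure.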
-- 
2.25.1



* [PATCH] drm/panel: Fix a NULL pointer dereference in versatile_panel_get_modes()
@ 2021-11-30 14:36 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 14:36 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Linus Walleij, Thierry Reding, Sam Ravnborg, David Airlie,
	Daniel Vetter, Laurent Pinchart, dri-devel, linux-kernel

In versatile_panel_get_modes(), the return value of drm_mode_duplicate()
is assigned to mode and there is a dereference of it in
versatile_panel_get_modes(), which could lead to a NULL pointer
dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_PANEL_ARM_VERSATILE=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: aa6c43644bc5 ("drm/panel: drop drm_device from drm_panel")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/panel/panel-arm-versatile.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/panel/panel-arm-versatile.c b/drivers/gpu/drm/panel/panel-arm-versatile.c
index abb0788843c6..5e73083c09a2 100644
--- a/drivers/gpu/drm/panel/panel-arm-versatile.c
+++ b/drivers/gpu/drm/panel/panel-arm-versatile.c
@@ -267,6 +267,9 @@ static int versatile_panel_get_modes(struct drm_panel *panel,
 	connector->display_info.bus_flags = vpanel->panel_type->bus_flags;
 
 	mode = drm_mode_duplicate(connector->dev, &vpanel->panel_type->mode);
+	if (!mode)
+		return -ENOMEM;
+
 	drm_mode_set_name(mode);
 	mode->type = DRM_MODE_TYPE_DRIVER | DRM_MODE_TYPE_PREFERRED;
 
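Review bot: same question as for the other drm_panel get_modes() fixes in this series: the callback's return value is a mode count, so make sure versatile_panel_get_modes()'s callers interpret a negative return as an error rather than as a count; otherwise returning 0 on allocation failure is the safer form.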
-- 
2.25.1



* [PATCH] drm/nouveau/dispnv04: Fix a NULL pointer dereference in nv17_tv_get_hd_modes()
@ 2021-11-30 14:34 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 14:34 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Ben Skeggs, David Airlie, Daniel Vetter, Dave Airlie,
	dri-devel, nouveau, linux-kernel

In nv17_tv_get_hd_modes(), the return value of drm_mode_duplicate() is
assigned to mode and there is a dereference of it in
nv17_tv_get_hd_modes(), which could lead to a NULL pointer dereference
on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_NOUVEAU=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 6ee738610f41 ("drm/nouveau: Add DRM driver for NVIDIA GPUs")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/nouveau/dispnv04/tvnv17.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
index be28e7bd7490..6fe103fd60e9 100644
--- a/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
+++ b/drivers/gpu/drm/nouveau/dispnv04/tvnv17.c
@@ -257,6 +257,9 @@ static int nv17_tv_get_hd_modes(struct drm_encoder *encoder,
 		if (modes[i].hdisplay == output_mode->hdisplay &&
 		    modes[i].vdisplay == output_mode->vdisplay) {
 			mode = drm_mode_duplicate(encoder->dev, output_mode);
+			if (!mode)
+				return -ENOMEM;
+
 			mode->type |= DRM_MODE_TYPE_PREFERRED;
 
 		} else {
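Review bot: the early `return -ENOMEM;` sits inside the loop over modes[], so modes duplicated and added in earlier iterations are dropped from the count this function returns, and a caller expecting a mode count receives a negative value instead. Consider breaking out of the loop and returning the number of modes added so far, or at least confirm the caller copes with a negative return.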
-- 
2.25.1



* [PATCH] drm/nouveau: Fix a wild pointer dereference in nouveau_connector_get_modes()
@ 2021-11-30 14:30 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 14:30 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Ben Skeggs, David Airlie, Daniel Vetter, Dave Airlie,
	dri-devel, nouveau, linux-kernel

In nouveau_connector_get_modes(), the return value of
drm_mode_duplicate() is assigned to mode and used in
drm_mode_probed_add(). drm_mode_probed_add() passes mode->head to
list_add_tail(). list_add_tail() will further call __list_add() and
there is a dereference of mode->head in __list_add(), which could lead
to a wild pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_NOUVEAU=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 6ee738610f41 ("drm/nouveau: Add DRM driver for NVIDIA GPUs")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/nouveau/nouveau_connector.c b/drivers/gpu/drm/nouveau/nouveau_connector.c
index 22b83a6577eb..d960b42724de 100644
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -977,6 +977,9 @@ nouveau_connector_get_modes(struct drm_connector *connector)
 		struct drm_display_mode *mode;
 
 		mode = drm_mode_duplicate(dev, nv_connector->native_mode);
+		if (!mode)
+			return -ENOMEM;
+
 		drm_mode_probed_add(connector, mode);
 		ret = 1;
 	}
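Review bot: the surrounding code tracks the number of probed modes in `ret` (see `ret = 1;` just below), so `return -ENOMEM;` returns an errno where callers expect a mode count and also skips whatever probing follows this block; returning `ret` (or 0) from the failure branch would keep the function's contract. Otherwise the check is correctly placed before drm_mode_probed_add() links mode->head into the connector's list.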
-- 
2.25.1



* [PATCH] drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
@ 2021-11-30 14:25 19% Zhou Qingyang
  2021-12-01 15:44  0% ` Steven Price
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 14:25 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, James (Qian) Wang, Liviu Dudau, Mihail Atanassov,
	Brian Starkey, David Airlie, Daniel Vetter, dri-devel,
	linux-kernel

In komeda_plane_add(), komeda_get_layer_fourcc_list() is assigned to
formats and used in drm_universal_plane_init().
drm_universal_plane_init() passes formats to
__drm_universal_plane_init(). __drm_universal_plane_init() further
passes formats to memcpy() as src parameter, which could lead to an
undefined behavior bug on failure of komeda_get_layer_fourcc_list().

Fix this bug by adding a check of formats.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_KOMEDA=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 61f1c4a8ab75 ("drm/komeda: Attach komeda_dev to DRM-KMS")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
index d63d83800a8a..dd3f17e970dd 100644
--- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
@@ -265,6 +265,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms,
 
 	formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl,
 					       layer->layer_type, &n_formats);
+	if (!formats) {
+		err = -ENOMEM;
+		goto cleanup;
+	}
 
 	err = drm_universal_plane_init(&kms->base, plane,
 			get_possible_crtcs(kms, c->pipeline),
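Review bot: `err = -ENOMEM` assumes komeda_get_layer_fourcc_list() returns NULL only when allocation fails; if it can also return NULL for a layer with no supported formats (n_formats == 0), the error code is misleading and -EINVAL would describe that case better. Worth confirming which failure modes the helper has before settling on the errno.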
-- 
2.25.1



* [PATCH] drm/komeda: Fix an undefined behavior bug in komeda_plane_add()
@ 2021-11-30 14:23 19% Zhou Qingyang
  2021-11-30 18:17  0% ` Liviu Dudau
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 14:23 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, James (Qian) Wang, Liviu Dudau, Mihail Atanassov,
	Brian Starkey, David Airlie, Daniel Vetter, dri-devel,
	linux-kernel

In komeda_plane_add(), komeda_get_layer_fourcc_list() is assigned to
formats and used in drm_universal_plane_init().
drm_universal_plane_init() passes formats to
__drm_universal_plane_init(). __drm_universal_plane_init() further
passes formats to memcpy() as src parameter, which could lead to an
undefined behavior bug on failure of komeda_get_layer_fourcc_list().

Fix this bug by adding a check of formats.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_KOMEDA=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 61f1c4a8ab75 ("drm/komeda: Attach komeda_dev to DRM-KMS")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/arm/display/komeda/komeda_plane.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
index d63d83800a8a..dd3f17e970dd 100644
--- a/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
+++ b/drivers/gpu/drm/arm/display/komeda/komeda_plane.c
@@ -265,6 +265,10 @@ static int komeda_plane_add(struct komeda_kms_dev *kms,
 
 	formats = komeda_get_layer_fourcc_list(&mdev->fmt_tbl,
 					       layer->layer_type, &n_formats);
+	if (!formats) {
+		err = -ENOMEM;
+		goto cleanup;
+	}
 
 	err = drm_universal_plane_init(&kms->base, plane,
 			get_possible_crtcs(kms, c->pipeline),
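Review bot: `goto cleanup;` is taken before drm_universal_plane_init() has run, so check that the code under the `cleanup` label only releases what has been set up at this point (it must not, for example, call drm_plane_cleanup() on the uninitialised plane); if cleanup assumes an initialised plane, a separate label or a direct return after freeing the plane is needed.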
-- 
2.25.1



* [PATCH] drm/i915/gem: Fix a NULL pointer dereference in igt_request_rewind()
@ 2021-11-30 14:15 17% Zhou Qingyang
  2021-11-30 14:58  0% ` [Intel-gfx] " Tvrtko Ursulin
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 14:15 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Jani Nikula, Joonas Lahtinen, Rodrigo Vivi, David Airlie,
	Daniel Vetter, Tvrtko Ursulin, Chris Wilson, Mika Kuoppala,
	John Harrison, Zhihao Cheng, Lucas De Marchi, Matthew Brost,
	Maarten Lankhorst, Matthew Auld, intel-gfx, dri-devel,
	linux-kernel

In igt_request_rewind(), mock_context(i915, "A") is assigned to ctx[0]
and used in i915_gem_context_get_engine(). There is a dereference
of ctx[0] in i915_gem_context_get_engine(), which could lead to a NULL
pointer dereference on failure of mock_context(i915, "A").

The same applies to mock_context(i915, "B").

Although this bug is not serious, as it belongs to testing code, it is
better to fix it to avoid unexpected failures in testing.

Fix these bugs by adding checks of ctx[0] and ctx[1].

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_I915_SELFTEST=y show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: ca883c304f54 ("drm/i915/selftests: Pass intel_context to mock_request")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/i915/selftests/i915_request.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/gpu/drm/i915/selftests/i915_request.c b/drivers/gpu/drm/i915/selftests/i915_request.c
index d67710d10615..d6fc7b892793 100644
--- a/drivers/gpu/drm/i915/selftests/i915_request.c
+++ b/drivers/gpu/drm/i915/selftests/i915_request.c
@@ -209,6 +209,10 @@ static int igt_request_rewind(void *arg)
 	int err = -EINVAL;
 
 	ctx[0] = mock_context(i915, "A");
+	if (!ctx[0]) {
+		err = -ENOMEM;
+		goto err_ctx_0;
+	}
 
 	ce = i915_gem_context_get_engine(ctx[0], RCS0);
 	GEM_BUG_ON(IS_ERR(ce));
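Review bot: the existing code two lines down treats a failed i915_gem_context_get_engine() as a hard selftest failure with GEM_BUG_ON(IS_ERR(ce)), while this hunk turns a failed mock_context() into a quiet -ENOMEM return; decide which convention the selftest should follow so the two allocation failures are not handled inconsistently. If an error return is preferred, the check is placed correctly, before ctx[0] is first dereferenced.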
@@ -223,6 +227,10 @@ static int igt_request_rewind(void *arg)
 	i915_request_add(request);
 
 	ctx[1] = mock_context(i915, "B");
+	if (!ctx[1]) {
+		err = -ENOMEM;
+		goto err_ctx_1;
+	}
 
 	ce = i915_gem_context_get_engine(ctx[1], RCS0);
 	GEM_BUG_ON(IS_ERR(ce));
@@ -261,9 +269,11 @@ static int igt_request_rewind(void *arg)
 	i915_request_put(vip);
 err_context_1:
 	mock_context_close(ctx[1]);
+err_ctx_1:
 	i915_request_put(request);
 err_context_0:
 	mock_context_close(ctx[0]);
+err_ctx_0:
 	mock_device_flush(i915);
 	return err;
 }
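Review bot: the new labels err_ctx_0 and err_ctx_1 are easy to confuse with the existing err_context_0 and err_context_1 directly above each of them, since the names differ only by abbreviation while jumping to different points in the unwind sequence. Names that say what is skipped (for example err_flush for the label before mock_device_flush(), err_request for the one before i915_request_put(request)) would make the unwind order self-explanatory.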
-- 
2.25.1



* [PATCH] drm/gma500/psb_intel_lvds: Fix a wild pointer dereference in psb_intel_lvds_get_modes()
@ 2021-11-30 13:29 19% Zhou Qingyang
  2021-12-02 10:09  5% ` Patrik Jakobsson
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 13:29 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Patrik Jakobsson, David Airlie, Daniel Vetter, Alan Cox,
	Dave Airlie, dri-devel, linux-kernel

In psb_intel_lvds_get_modes(), the return value of drm_mode_duplicate()
is assigned to mode and used in drm_mode_probed_add().
drm_mode_probed_add() passes mode->head to list_add_tail().
list_add_tail() will further call __list_add() and there is a
dereference of mode->head in __list_add(), which could lead to a wild
pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_GMA500=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 89c78134cc54 ("gma500: Add Poulsbo support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/gma500/psb_intel_lvds.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/gma500/psb_intel_lvds.c b/drivers/gpu/drm/gma500/psb_intel_lvds.c
index ac97e0d3c7dd..da928189be91 100644
--- a/drivers/gpu/drm/gma500/psb_intel_lvds.c
+++ b/drivers/gpu/drm/gma500/psb_intel_lvds.c
@@ -505,6 +505,9 @@ static int psb_intel_lvds_get_modes(struct drm_connector *connector)
 	if (mode_dev->panel_fixed_mode != NULL) {
 		struct drm_display_mode *mode =
 		    drm_mode_duplicate(dev, mode_dev->panel_fixed_mode);
+		if (!mode)
+			return -ENOMEM;
+
 		drm_mode_probed_add(connector, mode);
 		return 1;
 	}
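Review bot: this function returns a mode count (the `return 1;` right after drm_mode_probed_add()), so `return -ENOMEM;` introduces an errno into that return value; unless the gma500 callers explicitly handle negative counts, returning 0 on a failed drm_mode_duplicate() keeps the contract intact. The check is otherwise correctly placed, before the mode is linked into the connector's list.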
-- 
2.25.1



* [PATCH] drm/gma500/cdv_intel_lvds: Fix a wild pointer dereference in cdv_intel_lvds_get_modes()
@ 2021-11-30 13:26 19% Zhou Qingyang
  2021-12-02 10:11  5% ` Patrik Jakobsson
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 13:26 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Patrik Jakobsson, David Airlie, Daniel Vetter, Dave Airlie,
	Alan Cox, dri-devel, linux-kernel

In cdv_intel_lvds_get_modes(), the return value of drm_mode_duplicate()
is assigned to mode and used in drm_mode_probed_add().
drm_mode_probed_add() passes mode->head to list_add_tail().
list_add_tail() will further call __list_add() and there is a
dereference of mode->head in __list_add(), which could lead to a wild
pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_GMA500=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 6a227d5fd6c4 ("gma500: Add support for Cedarview")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/gma500/cdv_intel_lvds.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/gma500/cdv_intel_lvds.c b/drivers/gpu/drm/gma500/cdv_intel_lvds.c
index 9e1cdb11023c..56aec41ebb1a 100644
--- a/drivers/gpu/drm/gma500/cdv_intel_lvds.c
+++ b/drivers/gpu/drm/gma500/cdv_intel_lvds.c
@@ -310,6 +310,9 @@ static int cdv_intel_lvds_get_modes(struct drm_connector *connector)
 	if (mode_dev->panel_fixed_mode != NULL) {
 		struct drm_display_mode *mode =
 		    drm_mode_duplicate(dev, mode_dev->panel_fixed_mode);
+		if (!mode)
+			return -ENOMEM;
+
 		drm_mode_probed_add(connector, mode);
 		return 1;
 	}
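Review bot: same return-value question as for the other get_modes callbacks in this series: `return -ENOMEM;` leaves the function returning an errno where the visible `return 1;` shows it otherwise returns a count, so `return 0;` is worth considering. As a style point, the check is now wedged between a two-line declaration-with-initialiser and its first use; an explicit assignment on its own line would read more clearly.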
-- 
2.25.1



* [PATCH] drm/gma500/cdv: Fix a wild pointer dereference in cdv_intel_dp_get_modes()
@ 2021-11-30 13:23 19% Zhou Qingyang
  2021-11-30 16:22  0% ` Ville Syrjälä
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 13:23 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Patrik Jakobsson, David Airlie, Daniel Vetter, Zhao Yakui,
	Alan Cox, Dave Airlie, dri-devel, linux-kernel

In cdv_intel_dp_get_modes(), the third return value of
drm_mode_duplicate() is assigned to mode and used in
drm_mode_probed_add(). drm_mode_probed_add() passes mode->head to
list_add_tail(). list_add_tail() will further call __list_add() and
there is a dereference of mode->head in __list_add(), which could lead
to a wild pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_GMA500=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: d112a8163f83 ("gma500/cdv: Add eDP support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/gma500/cdv_intel_dp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c
index ba6ad1466374..b389008965a9 100644
--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c
+++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c
@@ -1773,6 +1773,9 @@ static int cdv_intel_dp_get_modes(struct drm_connector *connector)
 		if (intel_dp->panel_fixed_mode != NULL) {
 			struct drm_display_mode *mode;
 			mode = drm_mode_duplicate(dev, intel_dp->panel_fixed_mode);
+			if (!mode)
+				return -ENOMEM;
+
 			drm_mode_probed_add(connector, mode);
 			return 1;
 		}
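Review bot: `return -ENOMEM;` from a get_modes callback that otherwise returns a mode count (`return 1;` two lines down) is the recurring concern with this series; if the panel_fixed_mode path fails to duplicate, returning 0 lets the caller treat the connector as having no modes rather than misreading a negative count. The placement of the check, before drm_mode_probed_add() touches mode->head, is right.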
-- 
2.25.1



* [PATCH] drm/ch7006: Fix a wild pointer dereference in ch7006_encoder_get_modes()
@ 2021-11-30 13:19 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 13:19 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, David Airlie, Daniel Vetter, Ben Skeggs, Dave Airlie,
	dri-devel, linux-kernel

In ch7006_encoder_get_modes(), the return value of drm_mode_duplicate()
is directly used in drm_mode_probed_add(). drm_mode_probed_add() will
pass &mode->head to list_add_tail(). list_add_tail() will further
call __list_add() and there is a dereference of mode->head in
__list_add(), which could cause a wild pointer dereference on failure
of drm_mode_duplicate().

Fix this bug by separating drm_mode_duplicate() from
drm_mode_probed_add() and adding a check of it.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_I2C_CH7006=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: 6ee738610f41 ("drm/nouveau: Add DRM driver for NVIDIA GPUs")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/i2c/ch7006_drv.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/i2c/ch7006_drv.c b/drivers/gpu/drm/i2c/ch7006_drv.c
index b91e48d2190d..1207646562eb 100644
--- a/drivers/gpu/drm/i2c/ch7006_drv.c
+++ b/drivers/gpu/drm/i2c/ch7006_drv.c
@@ -227,6 +227,7 @@ static int ch7006_encoder_get_modes(struct drm_encoder *encoder,
 {
 	struct ch7006_priv *priv = to_ch7006_priv(encoder);
 	const struct ch7006_mode *mode;
+	struct drm_display_mode *dup_mode;
 	int n = 0;
 
 	for (mode = ch7006_modes; mode->mode.clock; mode++) {
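Review bot: `dup_mode` is declared at function scope but only used inside the loop body; declaring it at the top of the loop body where it is assigned would keep its scope tight and avoid a stale pointer from the previous iteration remaining visible after the loop. Minor style point; placing the declaration after the const `mode` otherwise matches the existing layout.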
@@ -234,8 +235,11 @@ static int ch7006_encoder_get_modes(struct drm_encoder *encoder,
 		    ~mode->valid_norms & 1<<priv->norm)
 			continue;
 
-		drm_mode_probed_add(connector,
-				drm_mode_duplicate(encoder->dev, &mode->mode));
+		dup_mode = drm_mode_duplicate(encoder->dev, &mode->mode);
+		if (!dup_mode)
+			return -ENOMEM;
+
+		drm_mode_probed_add(connector, dup_mode);
 
 		n++;
 	}
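Review bot: returning -ENOMEM inside the loop throws away the modes already added in earlier iterations and counted in `n`, and hands a negative value to a caller expecting a mode count. Breaking out of the loop and returning `n` (the modes successfully probed) is the more conventional handling for a failed drm_mode_duplicate() here.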
-- 
2.25.1



* [PATCH] drm: bridge: cdns-mhdp8546: Fix a NULL pointer dereference in cdns_mhdp_atomic_enable()
@ 2021-11-30 13:11 18% Zhou Qingyang
  2022-01-04 14:17  5% ` Robert Foss
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 13:11 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Andrzej Hajda, Neil Armstrong, Robert Foss,
	Laurent Pinchart, Jonas Karlman, Jernej Skrabec, David Airlie,
	Daniel Vetter, Dave Airlie, Lyude Paul, Thierry Reding,
	Parshuram Thombare, Julia Lawall, Jiapeng Chong, Yu Kuai,
	Tomi Valkeinen, Quentin Schulz, Yuti Amonkar, Swapnil Jakhade,
	dri-devel, linux-kernel

In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate()
is assigned to mhdp_state->current_mode and used in drm_mode_set_name().
There is a dereference of it in drm_mode_set_name(), which could lead
to a NULL pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mhdp_state->current_mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_CDNS_MHDP8546=m show no new warnings,
and our static analyzer no longer warns about this code.

Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP bridge")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index 5530fbf64f1e..347fbecf76a4 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -2040,6 +2040,11 @@ static void cdns_mhdp_atomic_enable(struct drm_bridge *bridge,
 	mhdp_state = to_cdns_mhdp_bridge_state(new_state);
 
 	mhdp_state->current_mode = drm_mode_duplicate(bridge->dev, mode);
+	if (!mhdp_state->current_mode) {
+		ret = -ENOMEM;
+		goto out;
+	}
+
 	drm_mode_set_name(mhdp_state->current_mode);
 
 	dev_dbg(mhdp->dev, "%s: Enabling mode %s\n", __func__, mode->name);
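Review bot: cdns_mhdp_atomic_enable() is declared void (see the hunk header), so the `ret = -ENOMEM` assigned here only matters if the code at the `out` label logs or otherwise acts on it; confirm that it does, and that the `out` path does not undo anything that is only set up after this point (it must not, for instance, free a mode that was never duplicated). If `ret` is silently dropped, a dev_err() before the goto would at least leave a trace of why enable was skipped.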
-- 
2.25.1



* [PATCH] drm/amdkfd: Fix a wild pointer dereference in svm_range_add()
@ 2021-11-30 11:26 18% Zhou Qingyang
       [not found]     ` <b78771ca-2ca2-a369-b67f-dc479eb87d90@amd.com>
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 11:26 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Felix Kuehling, Alex Deucher, Christian König, Pan,
	Xinhui, David Airlie, Daniel Vetter, Alex Sierra, Philip Yang,
	amd-gfx, dri-devel, linux-kernel

In svm_range_add(), the return value of svm_range_new() is assigned
to prange and &prange->insert_list is used in list_add(). There is a
dereference of &prange->insert_list in list_add(), which could lead
to a wild pointer dereference on failure of svm_range_new() if
CONFIG_DEBUG_LIST is unset in the .config file.

Fix this bug by adding a check of prange.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_AMDGPU=m, CONFIG_HSA_AMD=y, and
CONFIG_HSA_AMD_SVM=y show no new warnings, and our static analyzer no
longer warns about this code.

Fixes: 42de677f7999 ("drm/amdkfd: register svm range")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/amd/amdkfd/kfd_svm.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
index 58b89b53ebe6..e40c2211901d 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_svm.c
@@ -2940,6 +2940,9 @@ svm_range_add(struct kfd_process *p, uint64_t start, uint64_t size,
 
 	if (left) {
 		prange = svm_range_new(svms, last - left + 1, last);
+		if (!prange)
+			return -ENOMEM;
+
 		list_add(&prange->insert_list, insert_list);
 		list_add(&prange->update_list, update_list);
 	}
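Review bot: by the time this `if (left)` block runs, earlier branches of svm_range_add() may already have queued ranges on insert_list and update_list, and a bare `return -ENOMEM;` leaves those entries for the caller to clean up; check that every caller frees the partially built lists on a negative return, otherwise this fix converts a crash into a leak.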
-- 
2.25.1



* [PATCH] fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode()
@ 2021-11-30 11:18 19% Zhou Qingyang
  2021-12-01 20:03  5% ` Alex Deucher
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30 11:18 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Alex Deucher, Christian König, Pan, Xinhui,
	David Airlie, Daniel Vetter, hongao, Jammy Zhou, amd-gfx,
	dri-devel, linux-kernel

In amdgpu_connector_lcd_native_mode(), the return value of
drm_mode_duplicate() is assigned to mode, and there is a dereference
of it in amdgpu_connector_lcd_native_mode(), which will lead to a NULL
pointer dereference on failure of drm_mode_duplicate().

Fix this bug by adding a check of mode.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_DRM_AMDGPU=m show no new warnings, and
our static analyzer no longer warns about this code.

Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
index 0de66f59adb8..0170aa84c5e6 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c
@@ -387,6 +387,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder)
 	    native_mode->vdisplay != 0 &&
 	    native_mode->clock != 0) {
 		mode = drm_mode_duplicate(dev, native_mode);
+		if (!mode)
+			return NULL;
+
 		mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER;
 		drm_mode_set_name(mode);
 
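Review bot: returning NULL here is consistent with the function's existing contract: the `native_mode->vdisplay != 0 && native_mode->clock != 0` condition shows it already returns without a mode when the native mode is unusable, so callers must handle a NULL result already. The fix is minimal and correctly placed before the first dereference of mode.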
-- 
2.25.1



* [PATCH] clk: x86: Fix a wild pointer dereference in fch_clk_probe()
@ 2021-11-30 11:15 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 11:15 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Akshu Agrawal,
	Rafael J. Wysocki, linux-clk, linux-kernel

In fch_clk_probe(), the return value of clk_hw_register_mux() is
assigned to hws[ST_CLK_MUX] and there is a dereference of it in
fch_clk_probe(), which could lead to a wild pointer dereference on
failure of clk_hw_register_mux().

Fix this bug by adding a check of hws[ST_CLK_MUX].

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_X86_AMD_PLATFORM_DEVICE=y show no new warnings, and
our static analyzer no longer warns about this code.

Fixes: 19fe87fd854a ("clk: x86: Support RV architecture")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/x86/clk-fch.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/x86/clk-fch.c b/drivers/clk/x86/clk-fch.c
index 8f7c5142b0f0..1539ee59c04a 100644
--- a/drivers/clk/x86/clk-fch.c
+++ b/drivers/clk/x86/clk-fch.c
@@ -51,6 +51,8 @@ static int fch_clk_probe(struct platform_device *pdev)
 			clk_oscout1_parents, ARRAY_SIZE(clk_oscout1_parents),
 			0, fch_data->base + CLKDRVSTR2, OSCOUT1CLK25MHZ, 3, 0,
 			NULL);
+		if (IS_ERR(hws[ST_CLK_MUX]))
+			return PTR_ERR(hws[ST_CLK_MUX]);
 
 		clk_set_parent(hws[ST_CLK_MUX]->clk, hws[ST_CLK_48M]->clk);
 
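Review bot: the IS_ERR()/PTR_ERR() check is the right test, since clk_hw_register_mux() returns an ERR_PTR rather than NULL, but returning straight out of probe leaves the clocks registered earlier (hws[ST_CLK_48M] is used on the very next line) registered with no matching unregister; check whether the probe already has an error path that unwinds them, or whether the devm_ variant of the registration helper would make the early return safe.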
-- 
2.25.1



* [PATCH] clk: mediatek: net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
@ 2021-11-30 11:08 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 11:08 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Shahed Shaikh, Manish Chopra, GR-Linux-NIC-Dev,
	David S. Miller, Jakub Kicinski, Matthias Brugger,
	Sucheta Chakraborty, Sritej Velaga, Sony Chacko,
	Anirban Chakraborty, netdev, linux-kernel, linux-arm-kernel,
	linux-mediatek

In qlcnic_83xx_add_rings(), the indirect function of
ahw->hw_ops->alloc_mbx_args will be called to allocate memory for
cmd.req.arg, and there is a dereference of it in qlcnic_83xx_add_rings(),
which could lead to a NULL pointer dereference on failure of the
indirect function like qlcnic_83xx_alloc_mbx_args().

Fix this bug by adding a check of alloc_mbx_args(); this patch
imitates the logic of mbx_cmd()'s failure handling.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_QLCNIC=m show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 7f9664525f9c ("qlcnic: 83xx memory map and HW access routine")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
index d51bac7ba5af..bd0607680329 100644
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
@@ -1077,8 +1077,14 @@ static int qlcnic_83xx_add_rings(struct qlcnic_adapter *adapter)
 	sds_mbx_size = sizeof(struct qlcnic_sds_mbx);
 	context_id = recv_ctx->context_id;
 	num_sds = adapter->drv_sds_rings - QLCNIC_MAX_SDS_RINGS;
-	ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
-				    QLCNIC_CMD_ADD_RCV_RINGS);
+	err = ahw->hw_ops->alloc_mbx_args(&cmd, adapter,
+					QLCNIC_CMD_ADD_RCV_RINGS);
+	if (err) {
+		dev_err(&adapter->pdev->dev,
+			"Failed to alloc mbx args %d\n", err);
+		return err;
+	}
+
 	cmd.req.arg[1] = 0 | (num_sds << 8) | (context_id << 16);
 
 	/* set up status rings, mbx 2-81 */
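Review bot: `err` is assigned here but its declaration is outside the context shown; confirm it already exists in qlcnic_83xx_add_rings(), otherwise this will not build. Also, the re-indented continuation line `QLCNIC_CMD_ADD_RCV_RINGS);` no longer aligns with the opening parenthesis the way the original did; keep the alignment to match the rest of the file.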
-- 
2.25.1



* [PATCH] clk: mediatek: mt8516: Fix a NULL pointer dereference in mtk_apmixedsys_init()
@ 2021-11-30 11:04 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 11:04 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Fabien Parent, linux-clk, linux-arm-kernel, linux-mediatek,
	linux-kernel

In mtk_apmixedsys_init(), the return value of mtk_alloc_clk_data() is
assigned to clk_data and used in mtk_clk_register_plls(). There is a
dereference of clk_data in mtk_clk_register_plls(), which could
lead to a NULL pointer dereference on failure of
mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_plls(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT8516=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: db077febb774 ("clk: mediatek: add clock driver for MT8516")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt8516.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt8516.c b/drivers/clk/mediatek/clk-mt8516.c
index 9d4261ecc760..1f209f569f3d 100644
--- a/drivers/clk/mediatek/clk-mt8516.c
+++ b/drivers/clk/mediatek/clk-mt8516.c
@@ -797,6 +797,11 @@ static void __init mtk_apmixedsys_init(struct device_node *node)
 	}
 
 	clk_data = mtk_alloc_clk_data(CLK_APMIXED_NR_CLK);
+	if (!clk_data) {
+		pr_err("%s(): could not register clock provider: %d\n",
+			__func__, -ENOMEM);
+		return;
+	}
 
 	mtk_clk_register_plls(node, plls, ARRAY_SIZE(plls), clk_data);
 
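Review bot: the pr_err text in the new block describes the wrong failure: mtk_alloc_clk_data() returning NULL is an allocation failure, not a failed clock-provider registration, and printing the constant -ENOMEM through `%d` adds no information. Suggest `pr_err("%s(): could not allocate clock data\n", __func__);` so the log points at the real cause. The early return itself is fine for a void __init function with nothing allocated before this point in the visible context.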
-- 
2.25.1



* [PATCH] clk: mediatek: mt8183: Fix a NULL pointer dereference in clk_mt8183_apmixed_probe()
@ 2021-11-30 10:14 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 10:14 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Nicolas Boichat, Weiyi Lu, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In clk_mt8183_apmixed_probe(), the return value of
mtk_alloc_clk_data() is assigned to clk_data and used in
mtk_clk_register_plls(). There is a dereference of clk_data in
mtk_clk_register_plls(), which could lead to a NULL pointer
dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_plls(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT8183=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: acddfc2c261b ("clk: mediatek: Add MT8183 clock support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt8183.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt8183.c b/drivers/clk/mediatek/clk-mt8183.c
index 5046852eb0fd..9eca62186ec5 100644
--- a/drivers/clk/mediatek/clk-mt8183.c
+++ b/drivers/clk/mediatek/clk-mt8183.c
@@ -1158,6 +1158,8 @@ static int clk_mt8183_apmixed_probe(struct platform_device *pdev)
 	struct device_node *node = pdev->dev.of_node;
 
 	clk_data = mtk_alloc_clk_data(CLK_APMIXED_NR_CLK);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_plls(node, plls, ARRAY_SIZE(plls), clk_data);
 
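Review bot: the bare `return -ENOMEM;` is the right shape here: the preceding context is only `node = pdev->dev.of_node`, so nothing has been allocated or registered that would need unwinding, and a probe callback should report allocation failure through its return value rather than log it itself. No changes requested.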
-- 
2.25.1



* [PATCH] clk: mediatek: mt8173: Fix a NULL pointer dereference in mtk_infrasys_init()
@ 2021-11-30 10:06 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30 10:06 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Pi-Cheng Chen, Sean Wang, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In mtk_infrasys_init(), the return value of mtk_alloc_clk_data() is
assigned to clk_data and used in mtk_clk_register_cpumuxes(). There is a
dereference of clk_data in mtk_clk_register_cpumuxes(), which could lead
to a NULL pointer dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_cpumuxes(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT8173=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 567bf2ed86d1 ("clk: mediatek: export cpu multiplexer clock for MT8173 SoCs")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt8173.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt8173.c b/drivers/clk/mediatek/clk-mt8173.c
index 8f898ac476c0..a350e5c637af 100644
--- a/drivers/clk/mediatek/clk-mt8173.c
+++ b/drivers/clk/mediatek/clk-mt8173.c
@@ -868,6 +868,11 @@ static void __init mtk_infrasys_init(struct device_node *node)
 	int r;
 
 	clk_data = mtk_alloc_clk_data(CLK_INFRA_NR_CLK);
+	if (!clk_data) {
+		pr_err("%s(): could not register clock provider: %d\n",
+			__func__, -ENOMEM);
+		return;
+	}
 
 	mtk_clk_register_gates(node, infra_clks, ARRAY_SIZE(infra_clks),
 						clk_data);
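Review bot: same message problem as in the other __init variants: "could not register clock provider" is the string used after of_clk_add_provider() failures, but this block handles a NULL from mtk_alloc_clk_data(). Use a message that names the allocation, for example `pr_err("%s(): could not allocate clock data\n", __func__);`, and drop the `%d`/-ENOMEM argument, which is a constant.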
-- 
2.25.1



* [PATCH] clk: mediatek: mt8167: Fix a NULL pointer dereference in mtk_apmixedsys_init()
@ 2021-11-30  9:57 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  9:57 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Fabien Parent, linux-clk, linux-arm-kernel, linux-mediatek,
	linux-kernel

In mtk_apmixedsys_init(), the return value of mtk_alloc_clk_data() is
assigned to clk_data and used in mtk_clk_register_plls(). There is a
dereference of clk_data in mtk_clk_register_plls(), which could lead
to a NULL pointer dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_plls(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT8167=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: a68224832118 ("clk: mediatek: Add MT8167 clock support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt8167.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt8167.c b/drivers/clk/mediatek/clk-mt8167.c
index e5ea10e31799..7b18b751487f 100644
--- a/drivers/clk/mediatek/clk-mt8167.c
+++ b/drivers/clk/mediatek/clk-mt8167.c
@@ -1047,6 +1047,11 @@ static void __init mtk_apmixedsys_init(struct device_node *node)
 	}
 
 	clk_data = mtk_alloc_clk_data(MT8167_CLK_APMIXED_NR_CLK);
+	if (!clk_data) {
+		pr_err("%s(): could not register clock provider: %d\n",
+			__func__, -ENOMEM);
+		return;
+	}
 
 	mtk_clk_register_plls(node, plls, ARRAY_SIZE(plls), clk_data);
 	mtk_clk_register_dividers(apmixed_adj_divs, ARRAY_SIZE(apmixed_adj_divs),
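Review bot: the new pr_err reuses the provider-registration wording for an allocation failure; say what actually failed (`could not allocate clock data`) and drop the constant -ENOMEM argument. The placement is correct: the check sits directly after mtk_alloc_clk_data() and before mtk_clk_register_plls() and mtk_clk_register_dividers(), which both receive clk_data.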
-- 
2.25.1



* [PATCH] clk: mediatek: mt8135: Fix a NULL pointer dereference in mtk_infrasys_init()
@ 2021-11-30  9:54 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  9:54 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	James Liao, Henry Chen, Sascha Hauer, linux-clk,
	linux-arm-kernel, linux-mediatek, linux-kernel

In mtk_infrasys_init(), the return value of mtk_alloc_clk_data() is
assigned to clk_data, and there is a dereference of it in the parameter
of clk_prepare_enable(), which could lead to a NULL pointer dereference
on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
clk_prepare_enable(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT8135=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: a8aede794843 ("clk: mediatek: Add basic clocks for Mediatek MT8135.")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt8135.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/clk/mediatek/clk-mt8135.c b/drivers/clk/mediatek/clk-mt8135.c
index 9b4b645aea99..b4e20bd7680e 100644
--- a/drivers/clk/mediatek/clk-mt8135.c
+++ b/drivers/clk/mediatek/clk-mt8135.c
@@ -547,7 +547,11 @@ static void __init mtk_infrasys_init(struct device_node *node)
 	int r;
 
 	clk_data = mtk_alloc_clk_data(CLK_INFRA_NR_CLK);
-
+	if (!clk_data) {
+		pr_err("%s(): could not register clock provider: %d\n",
+			__func__, -ENOMEM);
+		return;
+	}
 	mtk_clk_register_gates(node, infra_clks, ARRAY_SIZE(infra_clks),
 						clk_data);
 
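Review bot: the hunk deletes the blank line between the allocation and mtk_clk_register_gates() and puts the call directly under the closing `}` of the new block; keep a blank line after the `}` so the error handling stays visually separate from the registration calls (the other patches in this series do that). As elsewhere, the pr_err text should name the allocation failure rather than a clock-provider registration failure.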
-- 
2.25.1



* [PATCH] clk: mediatek: mt7629: Fix a NULL pointer dereference in mtk_infrasys_init()
@ 2021-11-30  9:51 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  9:51 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Ryder Lee, Rob Herring, Wenzhen Yu, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In mtk_infrasys_init(), the return value of mtk_alloc_clk_data() is
assigned to clk_data and used in mtk_clk_register_cpumuxes(). There is a
dereference of clk_data in mtk_clk_register_cpumuxes(), which could lead
to a NULL pointer dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_cpumuxes(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT7629=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 3b5e748615e7 ("clk: mediatek: add clock support for MT7629 SoC")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt7629.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt7629.c b/drivers/clk/mediatek/clk-mt7629.c
index a0ee079670c7..30fe4b9b9fda 100644
--- a/drivers/clk/mediatek/clk-mt7629.c
+++ b/drivers/clk/mediatek/clk-mt7629.c
@@ -603,6 +603,8 @@ static int mtk_infrasys_init(struct platform_device *pdev)
 	struct clk_onecell_data *clk_data;
 
 	clk_data = mtk_alloc_clk_data(CLK_INFRA_NR_CLK);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_gates(node, infra_clks, ARRAY_SIZE(infra_clks),
 			       clk_data);
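Review bot: the check is in the right place, immediately after mtk_alloc_clk_data() and before the first use in mtk_clk_register_gates(), and the visible context (`struct clk_onecell_data *clk_data;` directly above) shows nothing earlier that would need releasing, so a bare `return -ENOMEM;` from the probe function is appropriate. No changes requested.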
-- 
2.25.1



* [PATCH] clk: mediatek: mt7622: Fix a NULL pointer dereference in mtk_infrasys_init()
@ 2021-11-30  9:34 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  9:34 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Sean Wang, Chen Zhong, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In mtk_infrasys_init(), the return value of mtk_alloc_clk_data() is
assigned to clk_data and used in mtk_clk_register_cpumuxes(). There is a
dereference of clk_data in mtk_clk_register_cpumuxes(), which could lead
to a NULL pointer dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_cpumuxes(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT7622=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 2fc0a509e4ee ("clk: mediatek: add clock support for MT7622 SoC")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt7622.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt7622.c b/drivers/clk/mediatek/clk-mt7622.c
index ef5947e15c75..3a389fa915c1 100644
--- a/drivers/clk/mediatek/clk-mt7622.c
+++ b/drivers/clk/mediatek/clk-mt7622.c
@@ -653,6 +653,8 @@ static int mtk_infrasys_init(struct platform_device *pdev)
 
 	mtk_clk_register_gates(node, infra_clks, ARRAY_SIZE(infra_clks),
 			       clk_data);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_cpumuxes(node, infra_muxes, ARRAY_SIZE(infra_muxes),
 				  clk_data);
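Review bot: the NULL check is placed after mtk_clk_register_gates(node, infra_clks, ARRAY_SIZE(infra_clks), clk_data), which already receives and uses clk_data, so the dereference the patch is meant to prevent still happens before the check runs. Move the

	if (!clk_data)
		return -ENOMEM;

block to directly after the `clk_data = mtk_alloc_clk_data(...)` assignment (not shown in this hunk's context), before any call that takes clk_data. The commit message only mentions mtk_clk_register_cpumuxes(), but mtk_clk_register_gates() is the first user.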
-- 
2.25.1



* [PATCH] clk: mediatek: mt6797: Fix a NULL pointer dereference in mtk_infrasys_init_early()
@ 2021-11-30  9:27 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  9:27 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Kevin-CW Chen, Mars Cheng, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In mtk_infrasys_init_early(), mtk_alloc_clk_data() is assigned to
clk_data, and there is a dereference of it in
mtk_infrasys_init_early(), which could lead to a NULL pointer
dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of infra_clk_data.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT6796=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 96596aa06628 ("clk: mediatek: add clk support for MT6797")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt6797.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt6797.c b/drivers/clk/mediatek/clk-mt6797.c
index 428eb24ffec5..184b283b6926 100644
--- a/drivers/clk/mediatek/clk-mt6797.c
+++ b/drivers/clk/mediatek/clk-mt6797.c
@@ -563,6 +563,11 @@ static void mtk_infrasys_init_early(struct device_node *node)
 
 	if (!infra_clk_data) {
 		infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR);
+		if (!infra_clk_data) {
+			pr_err("%s(): could not register clock provider: %d\n",
+				__func__, -ENOMEM);
+			return;
+		}
 
 		for (i = 0; i < CLK_INFRA_NR; i++)
 			infra_clk_data->clks[i] = ERR_PTR(-EPROBE_DEFER);
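Review bot: the check correctly precedes the `infra_clk_data->clks[i]` loop, which is the first dereference, but the pr_err message says "could not register clock provider" for what is an allocation failure; use wording that names the allocation and drop the constant -ENOMEM argument. The commit message also says the check is "of infra_clk_data" while its first paragraph talks about `clk_data`; the variable in the hunk is infra_clk_data, so the message should be made consistent.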
-- 
2.25.1



* [PATCH] clk: mediatek: mt6779: Fix a NULL pointer dereference in clk_mt6779_apmixed_probe()
@ 2021-11-30  9:24 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  9:24 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Miles Chen, mtk01761, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In clk_mt6779_apmixed_probe(), the return value of
mtk_alloc_clk_data() is assigned to clk_data and used in
mtk_clk_register_plls(). There is a dereference of clk_data in
mtk_clk_register_plls(), which could lead to a NULL pointer
dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_plls(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT6779=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 710774e04861 ("clk: mediatek: Add MT6779 clock support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt6779.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt6779.c b/drivers/clk/mediatek/clk-mt6779.c
index 9825385c9f94..f22bf4025f55 100644
--- a/drivers/clk/mediatek/clk-mt6779.c
+++ b/drivers/clk/mediatek/clk-mt6779.c
@@ -1217,6 +1217,8 @@ static int clk_mt6779_apmixed_probe(struct platform_device *pdev)
 	struct device_node *node = pdev->dev.of_node;
 
 	clk_data = mtk_alloc_clk_data(CLK_APMIXED_NR_CLK);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_plls(node, plls, ARRAY_SIZE(plls), clk_data);
 
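Review bot: placement and shape are correct: the check follows the allocation directly, precedes mtk_clk_register_plls() (the first user), and the context above it is only the `node` initialisation, so there is nothing to unwind before `return -ENOMEM;`. No changes requested.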
-- 
2.25.1



* [PATCH] clk: mediatek: mt6765: Fix a NULL pointer dereference in clk_mt6765_apmixed_probe()
@ 2021-11-30  9:17 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  9:17 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Mars Cheng, Macpaul Lin, Owen Chen, linux-clk, linux-arm-kernel,
	linux-mediatek, linux-kernel

In clk_mt6765_apmixed_probe(), the return value of
mtk_alloc_clk_data() is assigned to clk_data and used in
mtk_clk_register_plls(). There is a dereference of clk_data in
mtk_clk_register_plls(), which could lead to a NULL pointer
dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_plls(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT6765=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: 1aca9939bf72 ("clk: mediatek: Add MT6765 clock support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt6765.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt6765.c b/drivers/clk/mediatek/clk-mt6765.c
index d77ea5aff292..5f723906675b 100644
--- a/drivers/clk/mediatek/clk-mt6765.c
+++ b/drivers/clk/mediatek/clk-mt6765.c
@@ -785,6 +785,8 @@ static int clk_mt6765_apmixed_probe(struct platform_device *pdev)
 	}
 
 	clk_data = mtk_alloc_clk_data(CLK_APMIXED_NR_CLK);
+	if (!clk_data)
+		return -ENOMEM;
 
 	mtk_clk_register_plls(node, plls, ARRAY_SIZE(plls), clk_data);
 
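Review bot: the context line `}` immediately above the allocation shows that clk_mt6765_apmixed_probe() already did some work before reaching mtk_alloc_clk_data(); confirm that none of it (a mapping, an earlier registration) needs to be undone on this new `return -ENOMEM;` path, since the hunk adds a bare return without any cleanup. If the preceding block only performs checks, the patch is fine as is.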
-- 
2.25.1



* [PATCH] clk: mediatek: mt2712: Fix a NULL pointer dereference in clk_mt2712_apmixed_probe()
@ 2021-11-30  9:02 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  9:02 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	weiyi.lu, linux-clk, linux-kernel, linux-arm-kernel,
	linux-mediatek

In clk_mt2712_apmixed_probe(), the return value of
mtk_alloc_clk_data() is assigned to clk_data and used in
mtk_clk_register_plls(). There is a dereference of clk_data in
mtk_clk_register_plls(), which could lead to a NULL pointer
dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of clk_data.

Another way to fix this bug is to add a check of clk_data in
mtk_clk_register_plls(), which may solve many similar bugs but could
cause potential problems to previously correct cases as the API is changed.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT2712=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: e2f744a82d72 ("clk: mediatek: Add MT2712 clock support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt2712.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt2712.c b/drivers/clk/mediatek/clk-mt2712.c
index a3bd9a107209..08ef56f68c7a 100644
--- a/drivers/clk/mediatek/clk-mt2712.c
+++ b/drivers/clk/mediatek/clk-mt2712.c
@@ -1266,6 +1266,8 @@ static int clk_mt2712_apmixed_probe(struct platform_device *pdev)
 	clk_data = mtk_alloc_clk_data(CLK_APMIXED_NR_CLK);
 
 	mtk_clk_register_plls(node, plls, ARRAY_SIZE(plls), clk_data);
+	if (!clk_data)
+		return -ENOMEM;
 
 	r = of_clk_add_provider(node, of_clk_src_onecell_get, clk_data);
 
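Review bot: the check is inserted after mtk_clk_register_plls(node, plls, ARRAY_SIZE(plls), clk_data), so clk_data is already passed to and used by that call before it is tested for NULL; the patch does not prevent the dereference it describes. Move the `if (!clk_data) return -ENOMEM;` block to directly after the `clk_data = mtk_alloc_clk_data(CLK_APMIXED_NR_CLK);` line, before mtk_clk_register_plls().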
-- 
2.25.1



* [PATCH] clk: mediatek: mt2701: Fix a NULL pointer dereference in mtk_infrasys_init_early()
@ 2021-11-30  8:54 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  8:54 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Michael Turquette, Stephen Boyd, Matthias Brugger,
	Shunli Wang, Erin Lo, James Liao, linux-clk, linux-kernel,
	linux-arm-kernel, linux-mediatek

In mtk_infrasys_init_early(), the return value of mtk_alloc_clk_data()
is assigned to infra_clk_data and there is a dereference of it in
mtk_infrasys_init_early(), which could lead to a NULL pointer
dereference on failure of mtk_alloc_clk_data().

Fix this bug by adding a check of infra_clk_data.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_COMMON_CLK_MT2701=y show no new warnings, and our
static analyzer no longer warns about this code.

Fixes: e9862118272a ("clk: mediatek: Add MT2701 clock support")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/clk/mediatek/clk-mt2701.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/clk/mediatek/clk-mt2701.c b/drivers/clk/mediatek/clk-mt2701.c
index 695be0f77427..9ba30089cb9a 100644
--- a/drivers/clk/mediatek/clk-mt2701.c
+++ b/drivers/clk/mediatek/clk-mt2701.c
@@ -742,6 +742,11 @@ static void __init mtk_infrasys_init_early(struct device_node *node)
 
 	if (!infra_clk_data) {
 		infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR);
+		if (!infra_clk_data) {
+			pr_err("%s(): could not register clock provider: %d\n",
+					__func__, -ENOMEM);
+			return;
+		}
 
 		for (i = 0; i < CLK_INFRA_NR; i++)
 			infra_clk_data->clks[i] = ERR_PTR(-EPROBE_DEFER);
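Review bot: the continuation line `__func__, -ENOMEM);` is indented with extra tabs and does not align with the opening parenthesis of the pr_err() call; align it as in the companion mt6797 patch. The message text also describes a provider-registration failure rather than the allocation failure being handled; prefer wording such as `could not allocate clock data` without the constant -ENOMEM argument. The check itself is correctly placed before the first `infra_clk_data->clks[i]` access.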
-- 
2.25.1



* [PATCH] bcache: Fix a NULL pointer dereference in detached_dev_do_request()
@ 2021-11-30  8:51 18% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  8:51 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Coly Li, Kent Overstreet, Hannes Reinecke, Michael Lyle,
	Tang Junhui, Jens Axboe, linux-bcache, linux-kernel

In detached_dev_do_request(), the return value of kzalloc() is
assigned to ddip, and there is a dereference of it in
detached_dev_do_request(), which could lead to a NULL pointer
dereference on failure of kzalloc().

Fix this bug by adding a check of ddip. This patch imitates the
failure-handling logic in cached_dev_submit_bio().

Note that we found the fixing of the bug hard, as the return value of
the callers is void and we cannot pass an error status upstream.
Please advise if there is a better way for fixing.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it might be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_BCACHE=m show no new warnings, and our static
analyzer no longer warns about this code.

Fixes: bc082a55d25c ("bcache: fix inaccurate io state for detached bcache devices")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/md/bcache/request.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c
index d15aae6c51c1..3a17925c734b 100644
--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -1107,6 +1107,11 @@ static void detached_dev_do_request(struct bcache_device *d, struct bio *bio,
 	 * which would call closure_get(&dc->disk.cl)
 	 */
 	ddip = kzalloc(sizeof(struct detached_dev_io_private), GFP_NOIO);
+	if (!ddip) {
+		bio->bi_status = BLK_STS_RESOURCE;
+		bio_endio(bio);
+		return;
+	}
 	ddip->d = d;
 	/* Count on the bcache device */
 	ddip->orig_bdev = orig_bdev;
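Review bot: completing the bio with BLK_STS_RESOURCE is the right way to report a GFP_NOIO allocation failure from a function that, per the hunk header, returns void and cannot propagate an error. The comment directly above the allocation states that no closure_get() is taken here, so there is no closure reference to drop on this path. One thing to confirm outside the visible lines: whether the caller has already started I/O accounting for this bio, in which case the accounting would need to be ended before bio_endio() as well.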
-- 
2.25.1



* [PATCH] ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan()
@ 2021-11-30  8:43 18% Zhou Qingyang
  2021-12-01 17:22  0% ` Jeff Johnson
  0 siblings, 1 reply; 200+ results
From: Zhou Qingyang @ 2021-11-30  8:43 UTC (permalink / raw)
  To: zhou1615
  Cc: kjlu, Kalle Valo, David S. Miller, Jakub Kicinski,
	Manikanta Pubbisetty, Shashidhar Lakkavalli,
	Govindaraj Saminathan, Vasanthakumar Thiagarajan,
	Pradeep Kumar Chitrapu, ath11k, linux-wireless, netdev,
	linux-kernel

In ath11k_mac_op_hw_scan(), the return value of kzalloc() is directly
used in memcpy(), which may lead to a NULL pointer dereference on
failure of kzalloc().

Fix this bug by adding a check of arg.extraie.ptr.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Builds with CONFIG_ATH11K=m show no new warnings, and our static
analyzer no longer warns about this code.

Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 drivers/net/wireless/ath/ath11k/mac.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index 1cc55602787b..095f1f9b7611 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -3237,8 +3237,13 @@ static int ath11k_mac_op_hw_scan(struct ieee80211_hw *hw,
 	arg.scan_id = ATH11K_SCAN_ID;
 
 	if (req->ie_len) {
-		arg.extraie.len = req->ie_len;
 		arg.extraie.ptr = kzalloc(req->ie_len, GFP_KERNEL);
+		if (!arg.extraie.ptr) {
+			ret = -ENOMEM;
+			goto exit;
+		}
+
+		arg.extraie.len = req->ie_len;
 		memcpy(arg.extraie.ptr, req->ie, req->ie_len);
 	}
 
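Review bot: the `goto exit` needs checking against the rest of ath11k_mac_op_hw_scan(), which this hunk does not show: if the scan state was already advanced before the arguments are built, jumping straight to `exit` on -ENOMEM would skip resetting it, and the next scan request would see a stale state. Confirm the `exit` label (or the code between here and it) restores the scan state and releases whatever the function acquired at its start. Moving `arg.extraie.len = req->ie_len;` below the allocation is correct: a non-zero len alongside a NULL ptr would otherwise be handed to the WMI layer.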
-- 
2.25.1



* [PATCH] ARM: sa1100: Fix a wild pointer dereference in sa11xx_clk_init()
@ 2021-11-30  8:34 19% Zhou Qingyang
  0 siblings, 0 replies; 200+ results
From: Zhou Qingyang @ 2021-11-30  8:34 UTC (permalink / raw)
  To: zhou1615; +Cc: kjlu, Russell King, linux-arm-kernel, linux-kernel

In sa11xx_clk_init(), the return value of clk_hw_register_mux() is
assigned to hw, and there is a dereference of it in sa11xx_clk_init().
clk_hw_register_mux() is a wrapper of __clk_hw_register_mux(), which
could return a ERR_PTR on error, and lead to a wild pointer dereference.

Fix this bug by adding a return value check.

This bug was found by a static analyzer. The analysis employs
differential checking to identify inconsistent security operations
(e.g., checks or kfrees) between two code paths and confirms that the
inconsistent operations are not recovered in the current function or
the callers, so they constitute bugs.

Note that, as a bug found by static analysis, it can be a false
positive or hard to trigger. Multiple researchers have cross-reviewed
the bug.

Since I do not have a sa1100 machine, I can not actually evaluate this
patch.

Fixes: d6c8204659eb ("ARM: sa1100: convert to common clock framework")
Signed-off-by: Zhou Qingyang <zhou1615@umn.edu>
---
 arch/arm/mach-sa1100/clock.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/arm/mach-sa1100/clock.c b/arch/arm/mach-sa1100/clock.c
index e8691921c69a..5b4d8e556ad2 100644
--- a/arch/arm/mach-sa1100/clock.c
+++ b/arch/arm/mach-sa1100/clock.c
@@ -127,6 +127,9 @@ int __init sa11xx_clk_init(void)
 				 ARRAY_SIZE(clk_tucr_parents), 0,
 				 (void __iomem *)&TUCR, FShft(TUCR_TSEL),
 				 FAlnMsk(TUCR_TSEL), 0, &tucr_lock);
+	if (IS_ERR(hw))
+		return PTR_ERR(hw);
+
 	clk_set_rate(hw->clk, 3686400);
 
 	hw = kzalloc(sizeof(*hw), GFP_KERNEL);
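Review bot: using IS_ERR()/PTR_ERR() is correct for clk_hw_register_mux(), which returns an ERR_PTR rather than NULL on failure, so `hw->clk` would otherwise be read through an invalid pointer. The early `return PTR_ERR(hw);` does not unregister anything registered earlier in sa11xx_clk_init(); the hunk does not show whether there are earlier registrations, so confirm that this is the first one or add the corresponding clk_hw_unregister calls. The commit message calls this a "wild pointer"; an ERR_PTR dereference would be more precise.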
-- 
2.25.1



* [PATCH 5.13 024/104] NIU: fix incorrect error return, missed in previous revert
  @ 2021-08-02 13:44  5% ` Greg Kroah-Hartman
  0 siblings, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-08-02 13:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Shannon Nelson,
	David S. Miller, Paul Jakma

From: Paul Jakma <paul@jakma.org>

commit 15bbf8bb4d4ab87108ecf5f4155ec8ffa3c141d6 upstream.

Commit 7930742d6, reverting 26fd962, missed out on reverting an incorrect
change to a return value.  The niu_pci_vpd_scan_props(..) == 1 case appears
to be a normal path - treating it as an error and returning -EINVAL was
breaking VPD_SCAN and causing the driver to fail to load.

Fix, so my Neptune card works again.

Cc: Kangjie Lu <kjlu@umn.edu>
Cc: Shannon Nelson <shannon.lee.nelson@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable <stable@vger.kernel.org>
Fixes: 7930742d ('Revert "niu: fix missing checks of niu_pci_eeprom_read"')
Signed-off-by: Paul Jakma <paul@jakma.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/sun/niu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/sun/niu.c
+++ b/drivers/net/ethernet/sun/niu.c
@@ -8191,8 +8191,9 @@ static int niu_pci_vpd_fetch(struct niu
 		err = niu_pci_vpd_scan_props(np, here, end);
 		if (err < 0)
 			return err;
+		/* ret == 1 is not an error */
 		if (err == 1)
-			return -EINVAL;
+			return 0;
 	}
 	return 0;
 }
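Review bot: the new comment `/* ret == 1 is not an error */` names a variable that does not exist in this function; the value being tested is `err`, so it should read `/* err == 1 is not an error */` or, better, say what 1 means (the scan reached the end of the VPD data) so the next reader does not re-introduce the -EINVAL. Note also that with `if (err == 1) return 0;` followed by `return 0;` after the closing brace, the conditional is not a no-op: it exits the enclosing block early, which is only right if the scan must stop as soon as niu_pci_vpd_scan_props() reports 1; a short comment stating that intent would make the early return self-explanatory.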



^ permalink raw reply	[relevance 5%]

* [PATCH 5.10 21/67] NIU: fix incorrect error return, missed in previous revert
  @ 2021-08-02 13:44  5% ` Greg Kroah-Hartman
  0 siblings, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-08-02 13:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Shannon Nelson,
	David S. Miller, Paul Jakma

From: Paul Jakma <paul@jakma.org>

commit 15bbf8bb4d4ab87108ecf5f4155ec8ffa3c141d6 upstream.

Commit 7930742d6, reverting 26fd962, missed out on reverting an incorrect
change to a return value.  The niu_pci_vpd_scan_props(..) == 1 case appears
to be a normal path - treating it as an error and returning -EINVAL was
breaking VPD_SCAN and causing the driver to fail to load.

Fix, so my Neptune card works again.

Cc: Kangjie Lu <kjlu@umn.edu>
Cc: Shannon Nelson <shannon.lee.nelson@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable <stable@vger.kernel.org>
Fixes: 7930742d ('Revert "niu: fix missing checks of niu_pci_eeprom_read"')
Signed-off-by: Paul Jakma <paul@jakma.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/sun/niu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/sun/niu.c
+++ b/drivers/net/ethernet/sun/niu.c
@@ -8191,8 +8191,9 @@ static int niu_pci_vpd_fetch(struct niu
 		err = niu_pci_vpd_scan_props(np, here, end);
 		if (err < 0)
 			return err;
+		/* ret == 1 is not an error */
 		if (err == 1)
-			return -EINVAL;
+			return 0;
 	}
 	return 0;
 }



^ permalink raw reply	[relevance 5%]

* [PATCH 5.4 17/40] NIU: fix incorrect error return, missed in previous revert
  @ 2021-08-02 13:44  5% ` Greg Kroah-Hartman
  0 siblings, 0 replies; 200+ results
From: Greg Kroah-Hartman @ 2021-08-02 13:44 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kangjie Lu, Shannon Nelson,
	David S. Miller, Paul Jakma

From: Paul Jakma <paul@jakma.org>

commit 15bbf8bb4d4ab87108ecf5f4155ec8ffa3c141d6 upstream.

Commit 7930742d6, reverting 26fd962, missed out on reverting an incorrect
change to a return value.  The niu_pci_vpd_scan_props(..) == 1 case appears
to be a normal path - treating it as an error and returning -EINVAL was
breaking VPD_SCAN and causing the driver to fail to load.

Fix, so my Neptune card works again.

Cc: Kangjie Lu <kjlu@umn.edu>
Cc: Shannon Nelson <shannon.lee.nelson@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable <stable@vger.kernel.org>
Fixes: 7930742d ('Revert "niu: fix missing checks of niu_pci_eeprom_read"')
Signed-off-by: Paul Jakma <paul@jakma.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/sun/niu.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/sun/niu.c
+++ b/drivers/net/ethernet/sun/niu.c
@@ -8191,8 +8191,9 @@ static int niu_pci_vpd_fetch(struct niu
 		err = niu_pci_vpd_scan_props(np, here, end);
 		if (err < 0)
 			return err;
+		/* ret == 1 is not an error */
 		if (err == 1)
-			return -EINVAL;
+			return 0;
 	}
 	return 0;
 }



^ permalink raw reply	[relevance 5%]

Results 201-400 of ~5000   |  | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2021-08-02 13:43     [PATCH 5.13 000/104] 5.13.8-rc1 review Greg Kroah-Hartman
2021-08-02 13:44  5% ` [PATCH 5.13 024/104] NIU: fix incorrect error return, missed in previous revert Greg Kroah-Hartman
2021-08-02 13:44     [PATCH 5.10 00/67] 5.10.56-rc1 review Greg Kroah-Hartman
2021-08-02 13:44  5% ` [PATCH 5.10 21/67] NIU: fix incorrect error return, missed in previous revert Greg Kroah-Hartman
2021-08-02 13:44     [PATCH 5.4 00/40] 5.4.138-rc1 review Greg Kroah-Hartman
2021-08-02 13:44  5% ` [PATCH 5.4 17/40] NIU: fix incorrect error return, missed in previous revert Greg Kroah-Hartman
2021-11-30  8:34 19% [PATCH] ARM: sa1100: Fix a wild pointer dereference in sa11xx_clk_init() Zhou Qingyang
2021-11-30  8:43 18% [PATCH] ath11k: Fix a NULL pointer dereference in ath11k_mac_op_hw_scan() Zhou Qingyang
2021-12-01 17:22  0% ` Jeff Johnson
2021-12-02 15:53 18%   ` [PATCH v2] " Zhou Qingyang
2021-12-14 15:31  7%     ` Kalle Valo
2021-11-30  8:51 18% [PATCH] bcache: Fix a NULL pointer dereference in detached_dev_do_request() Zhou Qingyang
2021-11-30  8:54 18% [PATCH] clk: mediatek: mt2701: Fix a NULL pointer dereference in mtk_infrasys_init_early() Zhou Qingyang
2021-11-30  9:02 18% [PATCH] clk: mediatek: mt2712: Fix a NULL pointer dereference in clk_mt2712_apmixed_probe() Zhou Qingyang
2021-11-30  9:17 18% [PATCH] clk: mediatek: mt6765: Fix a NULL pointer dereference in clk_mt6765_apmixed_probe() Zhou Qingyang
2021-11-30  9:24 18% [PATCH] clk: mediatek: mt6779: Fix a NULL pointer dereference in clk_mt6779_apmixed_probe() Zhou Qingyang
2021-11-30  9:27 19% [PATCH] clk: mediatek: mt6797: Fix a NULL pointer dereference in mtk_infrasys_init_early() Zhou Qingyang
2021-11-30  9:34 18% [PATCH] clk: mediatek: mt7622: Fix a NULL pointer dereference in mtk_infrasys_init() Zhou Qingyang
2021-11-30  9:51 18% [PATCH] clk: mediatek: mt7629: " Zhou Qingyang
2021-11-30  9:54 18% [PATCH] clk: mediatek: mt8135: " Zhou Qingyang
2021-11-30  9:57 18% [PATCH] clk: mediatek: mt8167: Fix a NULL pointer dereference in mtk_apmixedsys_init() Zhou Qingyang
2021-11-30 10:06 18% [PATCH] clk: mediatek: mt8173: Fix a NULL pointer dereference in mtk_infrasys_init() Zhou Qingyang
2021-11-30 10:14 18% [PATCH] clk: mediatek: mt8183: Fix a NULL pointer dereference in clk_mt8183_apmixed_probe() Zhou Qingyang
2021-11-30 11:04 18% [PATCH] clk: mediatek: mt8516: Fix a NULL pointer dereference in mtk_apmixedsys_init() Zhou Qingyang
2021-11-30 11:08 18% [PATCH] clk: mediatek: net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Zhou Qingyang
2021-11-30 11:15 19% [PATCH] clk: x86: Fix a wild pointer dereference in fch_clk_probe() Zhou Qingyang
2021-11-30 11:18 19% [PATCH] fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode() Zhou Qingyang
2021-12-01 20:03  5% ` Alex Deucher
2021-12-02 16:17 18%   ` [PATCH v2] drm/amdgpu: Fix " Zhou Qingyang
2021-12-02 17:10  5%     ` Alex Deucher
2021-11-30 11:26 18% [PATCH] drm/amdkfd: Fix a wild pointer dereference in svm_range_add() Zhou Qingyang
     [not found]     ` <b78771ca-2ca2-a369-b67f-dc479eb87d90@amd.com>
2021-11-30 17:35  0%   ` Felix Kuehling
     [not found]         ` <CA+Cm_xSm8O_0M2Ng9mvDUKwYaCxkZU+M7AZ=9aU26WTFELC-2w@mail.gmail.com>
2021-12-08  0:54  0%       ` Felix Kuehling
2021-11-30 13:11 18% [PATCH] drm: bridge: cdns-mhdp8546: Fix a NULL pointer dereference in cdns_mhdp_atomic_enable() Zhou Qingyang
2022-01-04 14:17  5% ` Robert Foss
2021-11-30 13:19 18% [PATCH] drm/ch7006: Fix a wild pointer dereference in ch7006_encoder_get_modes() Zhou Qingyang
2021-11-30 13:23 19% [PATCH] drm/gma500/cdv: Fix a wild pointer dereference in cdv_intel_dp_get_modes() Zhou Qingyang
2021-11-30 16:22  0% ` Ville Syrjälä
2021-12-01 15:29 18%   ` [PATCH v2] " Zhou Qingyang
2021-12-01 15:57  5%     ` Patrik Jakobsson
2021-11-30 13:26 19% [PATCH] drm/gma500/cdv_intel_lvds: Fix a wild pointer dereference in cdv_intel_lvds_get_modes() Zhou Qingyang
2021-12-02 10:11  5% ` Patrik Jakobsson
2021-12-03 15:33 18%   ` [PATCH v2] " Zhou Qingyang
2021-11-30 13:29 19% [PATCH] drm/gma500/psb_intel_lvds: Fix a wild pointer dereference in psb_intel_lvds_get_modes() Zhou Qingyang
2021-12-02 10:09  5% ` Patrik Jakobsson
2021-12-03  3:55 18%   ` [PATCH v2] " Zhou Qingyang
2021-11-30 14:15 17% [PATCH] drm/i915/gem: Fix a NULL pointer dereference in igt_request_rewind() Zhou Qingyang
2021-11-30 14:58  0% ` [Intel-gfx] " Tvrtko Ursulin
2021-11-30 14:23 19% [PATCH] drm/komeda: Fix an undefined behavior bug in komeda_plane_add() Zhou Qingyang
2021-11-30 18:17  0% ` Liviu Dudau
2021-12-01  3:37 18%   ` [PATCH v2] " Zhou Qingyang
2021-12-01 13:28  0%     ` Liviu Dudau
2021-11-30 14:25 19% [PATCH] " Zhou Qingyang
2021-12-01 15:44  0% ` Steven Price
2021-12-01 21:15  0%   ` Liviu Dudau
2021-12-02  9:39  0%     ` Steven Price
2021-11-30 14:30 19% [PATCH] drm/nouveau: Fix a wild pointer dereference in nouveau_connector_get_modes() Zhou Qingyang
2021-11-30 14:34 19% [PATCH] drm/nouveau/dispnv04: Fix a NULL pointer dereference in nv17_tv_get_hd_modes() Zhou Qingyang
2021-11-30 14:36 19% [PATCH] drm/panel: Fix a NULL pointer dereference in versatile_panel_get_modes() Zhou Qingyang
2021-11-30 14:45 19% [PATCH] drm/panel/panel-tpo-tpg110: Fix a NULL pointer dereference in tpg110_get_modes() Zhou Qingyang
2021-11-30 14:48 19% [PATCH] drm/radeon/radeon_connectors: Fix a NULL pointer dereference in radeon_fp_native_mode() Zhou Qingyang
2021-12-01 20:04  5% ` Alex Deucher
2021-12-03 15:23 18%   ` [PATCH v2] " Zhou Qingyang
2021-11-30 15:04 19% [PATCH] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms() Zhou Qingyang
2021-11-30 15:11  0% ` Christian König
2021-11-30 15:33 17%   ` [PATCH v2] " Zhou Qingyang
2021-11-30 15:37  0%     ` Christian König
2021-11-30 15:57 17%       ` [PATCH v3] " Zhou Qingyang
2021-12-01  3:22 17%         ` [PATCH v4] " Zhou Qingyang
2021-12-01  7:20  0%           ` Christian König
2021-12-01  6:57  0%         ` [PATCH v3] " Christian König
2021-11-30 15:08 19% [PATCH] drm/selftests/test-drm_dp_mst_helper: A memleak in sideband_msg_req_encode_decode() Zhou Qingyang
2021-11-30 15:38 19% [PATCH] media: dib8000: Fix a memleak in dib8000_init() Zhou Qingyang
2021-11-30 16:12 18% [PATCH] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts() Zhou Qingyang
2021-11-30 16:15 19% [PATCH] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() Zhou Qingyang
2021-12-02 13:34  0% ` Hans Verkuil
2021-12-03 15:40 18%   ` [PATCH v2] " Zhou Qingyang
2021-11-30 16:25 18% [PATCH] media: saa7146: hexium_orion: " Zhou Qingyang
2021-11-30 16:34 18% [PATCH] media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach() Zhou Qingyang
2021-11-30 16:39 18% [PATCH] media: vidtv: Fix a wild pointer dereference in vidtv_channel_pmt_match_sections() Zhou Qingyang
2021-12-02 13:42  0% ` Hans Verkuil
2021-11-30 16:44 18% [PATCH] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Zhou Qingyang
2021-12-01  9:27  0% ` Leon Romanovsky
2021-11-30 16:50 19% [PATCH] octeontx2-af: Fix a memleak bug in rvu_mbox_init() Zhou Qingyang
2021-11-30 16:59 19% [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in __nonstatic_find_io_region() Zhou Qingyang
2022-01-02 17:46  0% ` Dominik Brodowski
2021-11-30 17:10 19% [PATCH] scsi: libfc: Fix a NULL pointer dereference in fc_lport_ptp_setup() Zhou Qingyang
2021-11-30 18:13  0% ` James Bottomley
2021-12-01  6:41  0% ` Hannes Reinecke
2021-11-30 17:16 18% [PATCH] scsi: libsas: Fix a NULL pointer dereference in sas_ex_discover_expander() Zhou Qingyang
2021-12-06 15:09  0% ` John Garry
2021-11-30 17:19 19% [PATCH] scsi: virtio_scsi: Fix a NULL pointer dereference in virtscsi_rescan_hotunplug() Zhou Qingyang
2021-11-30 17:22 19% [PATCH] spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op() Zhou Qingyang
2021-11-30 17:27 19% [PATCH] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init() Zhou Qingyang
2021-12-01  7:28  0% ` Pawel Laszczak
2021-12-01  7:39  0%   ` Pawel Laszczak
2021-12-01 14:16  0%     ` Peter Chen
2021-11-30 17:29 19% [PATCH] usb: gadget: mv_u3d: Fix a NULL pointer dereference in mv_u3d_req_to_trb() Zhou Qingyang
2021-12-03 10:53  0% ` Johan Hovold
2022-01-24 12:12 19%   ` [PATCH v2] " Zhou Qingyang
2021-11-30 17:32 19% [PATCH] clk: mediatek: mt2712: Fix a NULL pointer dereference in clk_mt2712_top_init_early() Zhou Qingyang
2021-11-30 17:34 18% [PATCH] clk: mediatek: mt6765: Fix a NULL pointer dereference in clk_mt6765_top_probe() Zhou Qingyang
2021-11-30 17:36 18% [PATCH] clk: mediatek: mt6779: Fix a NULL pointer dereference in clk_mt6779_top_probe() Zhou Qingyang
2021-12-01  9:33  0% ` miles.chen
2021-11-30 17:58 18% [PATCH] clk: mediatek: mt7622: Fix a NULL pointer dereference in mtk_pericfg_init() Zhou Qingyang
2021-11-30 18:00 18% [PATCH] clk: mediatek: mt7629: " Zhou Qingyang
2021-11-30 18:02 18% [PATCH] clk: mediatek: mt8135: Fix a NULL pointer dereference in mtk_topckgen_init() Zhou Qingyang
2021-11-30 18:11 19% [PATCH] pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in nonstatic_find_mem_region() Zhou Qingyang
2022-01-02 17:47  0% ` Dominik Brodowski
2021-11-30 18:13 19% [PATCH] clk: mediatek: mt7622: Fix a NULL pointer dereference in mtk_topckgen_init() Zhou Qingyang
2021-11-30 18:15 18% [PATCH] clk: mediatek: mt7629: " Zhou Qingyang
2021-12-01  3:23 17% [PATCH v4] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms() Zhou Qingyang
2021-12-01  8:41     [PATCH] media: meson: vdec: Fix a NULL pointer dereference in amvdec_add_ts() Dan Carpenter
2021-12-02 16:03 18% ` [PATCH v2] " Zhou Qingyang
2021-12-03 13:30  0%   ` Dan Carpenter
2021-12-14 13:46  5%   ` Mauro Carvalho Chehab
2021-12-14 14:16  5%     ` Greg Kroah-Hartman
2021-12-15  3:35 16%     ` [PATCH v3] " Zhou Qingyang
2022-01-11  9:16  0%       ` Hans Verkuil
     [not found]             ` <CA+Cm_xSOv5NnW5GXcKKGi8bQSvT45iH6=65YJk3EG6uW0c5_Vw@mail.gmail.com>
2022-01-12  8:57  7%           ` Neil Armstrong
2021-12-01 13:25  7% [PATCH 0/4] firmware: qemu_fw_cfg: misc bug fixes Johan Hovold
2021-12-01 13:25  6% ` [PATCH 1/4] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries Johan Hovold
     [not found]     <e2685075-fbc5-6f36-907f-76b6f76a59ce@amd.com>
2021-12-01 15:13 17% ` [PATCH v5] drm/radeon/radeon_kms: Fix a NULL pointer dereference in radeon_driver_open_kms() Zhou Qingyang
2021-12-01 15:15  0%   ` Christian König
2021-12-02 17:13  0%     ` Alex Deucher
2021-12-01 15:45 18% [PATCH] drm/nouveau/dispnv04: Fix a NULL pointer dereference in nv17_tv_get_ld_modes() Zhou Qingyang
2021-12-06 14:54  4% [PATCH 5.15 000/207] 5.15.7-rc1 review Greg Kroah-Hartman
2021-12-06 14:55  7% ` [PATCH 5.15 105/207] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 5.15 111/207] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 5.15 131/207] octeontx2-af: Fix a memleak bug in rvu_mbox_init() Greg Kroah-Hartman
2021-12-06 14:57  7% ` [PATCH 5.15 193/207] usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init() Greg Kroah-Hartman
2021-12-06 14:55  4% [PATCH 4.14 000/106] 4.14.257-rc1 review Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 4.14 090/106] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 4.14 093/106] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
2021-12-06 14:55  3% [PATCH 5.10 000/130] 5.10.84-rc1 review Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 5.10 067/130] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 5.10 071/130] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
2021-12-06 14:55  3% [PATCH 4.9 00/62] 4.9.292-rc1 review Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 4.9 55/62] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:55  3% [PATCH 4.4 00/52] 4.4.294-rc1 review Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 4.4 47/52] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:56  4% [PATCH 5.4 00/70] 5.4.164-rc1 review Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 5.4 37/70] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 5.4 40/70] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
2021-12-06 14:56  5% [PATCH 4.19 00/48] 4.19.220-rc1 review Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 4.19 27/48] net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() Greg Kroah-Hartman
2021-12-06 14:56  7% ` [PATCH 4.19 30/48] net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() Greg Kroah-Hartman
2021-12-07  8:18  3% [PATCH 5.10 000/125] 5.10.84-rc2 review Greg Kroah-Hartman
2022-01-04  2:34 19% [PATCH] virt: acrn: fix a memory leak bug in acrn_dev_ioctl() Zhou Qingyang
2022-01-04  2:47  0% ` Li Fei1
2022-01-04  3:45 17%   ` Zhou Qingyang
2022-01-04  3:50  0%     ` Li Fei1
2022-01-04  7:37  0%       ` Greg KH
2022-01-04  8:01  0%         ` Li Fei1
2022-01-04  8:09  0%         ` Li Fei1
2022-01-04  8:53 18% [PATCH] virt: acrn: fix memory leak " Zhou Qingyang
2022-01-04 10:18  0% ` Greg Kroah-Hartman
     [not found]     <20220107015744.22C22C36AE3@smtp.kernel.org>
2022-01-07  7:15 17% ` [PATCH v2] clk: x86: Fix a wild pointer dereference in fch_clk_probe() Zhou Qingyang
2022-01-11  5:10 16% [PATCH v3] " Zhou Qingyang
2022-01-18  2:16     [PATCH AUTOSEL 5.16 001/217] Bluetooth: hci_sock: purge socket queues in the destruct() callback Sasha Levin
2022-01-18  2:17  6% ` [PATCH AUTOSEL 5.16 099/217] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
2022-01-18  2:18  5% ` [PATCH AUTOSEL 5.16 130/217] drm/amdkfd: Fix error handling in svm_range_add Sasha Levin
2022-01-18  2:18  7% ` [PATCH AUTOSEL 5.16 136/217] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
2022-01-18  2:28     [PATCH AUTOSEL 5.15 001/188] Bluetooth: Fix debugfs entry leak in hci_register_dev() Sasha Levin
2022-01-18  2:30  6% ` [PATCH AUTOSEL 5.15 085/188] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
2022-01-18  2:30  5% ` [PATCH AUTOSEL 5.15 111/188] drm/amdkfd: Fix error handling in svm_range_add Sasha Levin
2022-01-18  2:30  7% ` [PATCH AUTOSEL 5.15 116/188] media: saa7146: hexium_gemini: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
2022-01-18  2:38     [PATCH AUTOSEL 5.10 001/116] Bluetooth: Fix debugfs entry leak in hci_register_dev() Sasha Levin
2022-01-18  2:38  6% ` [PATCH AUTOSEL 5.10 047/116] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
2022-01-18  2:39  7% ` [PATCH AUTOSEL 5.10 069/116] media: saa7146: hexium_gemini: " Sasha Levin
2022-01-18  2:43     [PATCH AUTOSEL 5.4 01/73] Bluetooth: Fix debugfs entry leak in hci_register_dev() Sasha Levin
2022-01-18  2:43  6% ` [PATCH AUTOSEL 5.4 26/73] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
2022-01-18  2:44  7% ` [PATCH AUTOSEL 5.4 41/73] media: saa7146: hexium_gemini: " Sasha Levin
2022-01-18  2:46     [PATCH AUTOSEL 4.19 01/59] Bluetooth: Fix debugfs entry leak in hci_register_dev() Sasha Levin
2022-01-18  2:46  6% ` [PATCH AUTOSEL 4.19 18/59] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
2022-01-18  2:46  7% ` [PATCH AUTOSEL 4.19 31/59] media: saa7146: hexium_gemini: " Sasha Levin
2022-01-18  2:48     [PATCH AUTOSEL 4.14 01/56] Bluetooth: Fix debugfs entry leak in hci_register_dev() Sasha Levin
2022-01-18  2:48  6% ` [PATCH AUTOSEL 4.14 25/56] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
2022-01-18  2:48  7% ` [PATCH AUTOSEL 4.14 34/56] media: saa7146: hexium_gemini: " Sasha Levin
2022-01-18  3:07     [PATCH AUTOSEL 4.4 01/29] Bluetooth: Fix debugfs entry leak in hci_register_dev() Sasha Levin
2022-01-18  3:08  6% ` [PATCH AUTOSEL 4.4 10/29] media: saa7146: hexium_orion: Fix a NULL pointer dereference in hexium_attach() Sasha Levin
2022-01-18  3:08  7% ` [PATCH AUTOSEL 4.4 16/29] media: saa7146: hexium_gemini: " Sasha Levin
2022-01-18 16:05     [PATCH 5.4 00/15] 5.4.173-rc1 review Greg Kroah-Hartman
2022-01-18 16:05  6% ` [PATCH 5.4 10/15] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries Greg Kroah-Hartman
2022-01-18 16:05     [PATCH 5.10 00/23] 5.10.93-rc1 review Greg Kroah-Hartman
2022-01-18 16:05  6% ` [PATCH 5.10 14/23] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries Greg Kroah-Hartman
2022-01-18 16:05     [PATCH 5.15 00/28] 5.15.16-rc1 review Greg Kroah-Hartman
2022-01-18 16:06  6% ` [PATCH 5.15 17/28] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries Greg Kroah-Hartman
2022-01-18 16:05     [PATCH 5.16 00/28] 5.16.2-rc1 review Greg Kroah-Hartman
2022-01-18 16:06  6% ` [PATCH 5.16 19/28] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries Greg Kroah-Hartman
2022-01-24 16:40 19% [PATCH] ACPICA: Linuxize: Fix a NULL pointer dereference in acpi_db_convert_to_package() Zhou Qingyang
2022-01-24 16:41 19% [PATCH] ACPI: OSL: Fix a NULL pointer dereference in extlog_init() Zhou Qingyang
2022-01-24 16:42 19% [PATCH] ACPI / tables: Fix a NULL pointer dereference in acpi_table_initrd_override() Zhou Qingyang
2022-01-24 16:45 19% [PATCH] ata: pata_platform: Fix a NULL pointer dereference in __pata_platform_probe() Zhou Qingyang
2022-01-24 16:47 19% [PATCH] bcache: Fix a NULL or wild pointer dereference in btree_gc_rewrite_node() Zhou Qingyang
2022-01-24 16:48 17% [PATCH] brcmfmac: Fix a wild pointer dereference bug in brcmf_chip_recognition() Zhou Qingyang
2022-01-24 16:50 18% [PATCH] brcmfmac: Fix a NULL pointer dereference in brcmf_of_probe() Zhou Qingyang
2022-01-24 16:52 18% [PATCH] clk: imx: Fix a NULL pointer dereference in imx_register_uart_clocks() Zhou Qingyang
2022-01-24 16:53 19% [PATCH] clk: socfpga: Fix a memory leak bug in socfpga_gate_init() Zhou Qingyang
2022-01-24 16:55 18% [PATCH] drm/amd/display/dc/calcs/dce_calcs: Fix a memleak in calculate_bandwidth() Zhou Qingyang
2022-01-24 16:57 18% [PATCH] drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes() Zhou Qingyang
2022-01-24 16:58 18% [PATCH] drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl() Zhou Qingyang
2022-01-24 17:02 19% [PATCH] ACPI / tables: Fix a NULL pointer dereference in acpi_table_initrd_scan() Zhou Qingyang
2022-01-24 17:04 18% [PATCH] media: bttv: Fix a NULL pointer dereference in bttv_s_fbuf() Zhou Qingyang
2022-01-24 17:05 18% [PATCH] media: bttv: Fix a NULL pointer dereference in setup_window_lock() Zhou Qingyang
2022-01-24 17:06 19% [PATCH] media: media/pci: Fix a NULL pointer dereference in cx23885_417_register() Zhou Qingyang
2022-01-24 17:07 18% [PATCH] media: mtk-vcodec: Fix a NULL pointer dereference in mtk_vcodec_fw_scp_init() Zhou Qingyang
2022-01-24 17:15 18% [PATCH] media: mtk-vcodec: media: mtk-vcodec: Fix a NULL pointer dereference in mtk_vcodec_fw_vpu_init() Zhou Qingyang
2022-01-24 17:16 18% [PATCH] media: pci: cx23855-video.c: Fix a NULL pointer dereference in cx23885_video_register() Zhou Qingyang
2022-01-24 17:19 18% [PATCH] media: saa7134: Fix a NULL pointer dereference in saa7134_initdev() Zhou Qingyang
2022-01-24 17:20 18% [PATCH] media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats() Zhou Qingyang
2022-01-24 17:21 18% [PATCH] scsi: mpt3sas: FIx a NULL pointer dereference bug in mpt3sas_transport_port_add() Zhou Qingyang
2022-01-24 17:26 18% [PATCH] media: bttv: Fix a NULL pointer dereference in bttv_overlay() Zhou Qingyang
2022-01-24 18:41  6% [PATCH 4.4 000/114] 4.4.300-rc1 review Greg Kroah-Hartman
2022-01-24 18:42  6% ` [PATCH 4.4 027/114] drm/amdgpu: Fix a NULL pointer dereference in amdgpu_connector_lcd_native_mode() Greg Kroah-Hartman
