Re: [PATCH -next] mm/page_alloc: remove duplicated include from page_alloc.c

2021-03-26 Thread Qinglang Miao

Hey, Matthew

Thanks for your advice towards hulk robot. We'd like to improve the
capability of hulk robot all the time.


This patch is just a small cleanup reported by hulk robot, but the robot
can do more than this. For example, it finds crucial and useful bugs as 
well.


As for 'Untangle the mass of header includes' you mentioned, could you 
please offer more details? Because I didn't find pagemap.h in 
net/ipv4/tcp.c in -next like what you said.



On 2021/3/26 11:42, Matthew Wilcox wrote:

On Fri, Mar 26, 2021 at 10:55:42AM +0800, Qinglang Miao wrote:

Remove duplicated include.

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 


can't you make hulk robot do something useful, like untangle the
mass of header includes?  For example, in -next, net/ipv4/tcp.c
has a dependency on pagemap.h.  Why?



[PATCH -next] mm/page_alloc: remove duplicated include from page_alloc.c

2021-03-25 Thread Qinglang Miao
Remove duplicated include.

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 mm/page_alloc.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mm/page_alloc.c b/mm/page_alloc.c
index c53fe4fa10bf..e51826c87a0b 100644
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -72,7 +72,6 @@
 #include 
 #include 
 #include 
-#include 
 
 #include 
 #include 
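Review bot: the changelog "Remove duplicated include." does not name the header being dropped in this mm/page_alloc.c hunk or say where its other copy is included. Name the header and point at the remaining include so the removal can be checked without opening the file.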



[PATCH v2] ACPI: configfs: add missing check after configfs_register_default_group

2021-01-14 Thread Qinglang Miao
A list_add corruption is reported by Hulk Robot like this:
==
list_add corruption.
Call Trace:
link_obj+0xc0/0x1c0
link_group+0x21/0x140
configfs_register_subsystem+0xdb/0x380
acpi_configfs_init+0x25/0x1000 [acpi_configfs]
do_one_initcall+0x149/0x820
do_init_module+0x1ef/0x720
load_module+0x35c8/0x4380
__do_sys_finit_module+0x10d/0x1a0
do_syscall_64+0x34/0x80

It's because of the missing check after configfs_register_default_group,
where configfs_unregister_subsystem should be called on failure.

Fixes: 612bd01fc6e0 ("ACPI: add support for loading SSDTs via configfs")
Reported-by: Hulk Robot 
Suggested-by: Hanjun Guo 
Signed-off-by: Qinglang Miao 
---
v1->v2: fix 'register' to 'unregister' which is typo.

 drivers/acpi/acpi_configfs.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
index cf91f4910..3a14859db 100644
--- a/drivers/acpi/acpi_configfs.c
+++ b/drivers/acpi/acpi_configfs.c
@@ -268,7 +268,12 @@ static int __init acpi_configfs_init(void)
 
acpi_table_group = configfs_register_default_group(root, "table",
   _tables_type);
-   return PTR_ERR_OR_ZERO(acpi_table_group);
+   if (IS_ERR(acpi_table_group)) {
+   configfs_unregister_subsystem(_configfs);
+   return PTR_ERR(acpi_table_group);
+   }
+
+   return 0;
 }
 module_init(acpi_configfs_init);
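Review bot: for the new IS_ERR(acpi_table_group) branch in acpi_configfs_init(), the changelog says which call was missing but not why its absence shows up as list_add corruption. The trace is in configfs_register_subsystem() under load_module(), so spell out the sequence (a failed init leaves the subsystem registered, a later load registers it again) if that is what the robot hit. A goto-style error label would also keep the unwind in one place if more setup steps are added after this one.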
 
-- 
2.23.0



[PATCH] can: mcp251xfd: fix wrong check in mcp251xfd_handle_rxif_one

2021-01-12 Thread Qinglang Miao
If alloc_canfd_skb returns NULL, 'cfg' is an uninitialized
variable, so we should check 'skb' rather than 'cfd' after
calling alloc_canfd_skb(priv->ndev, ).

Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
Signed-off-by: Qinglang Miao 
---
 drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c 
b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
index 77129d5f4..792d55ba4 100644
--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
@@ -1492,7 +1492,7 @@ mcp251xfd_handle_rxif_one(struct mcp251xfd_priv *priv,
else
skb = alloc_can_skb(priv->ndev, (struct can_frame **));
 
-   if (!cfd) {
+   if (!skb) {
stats->rx_dropped++;
return 0;
}
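Review bot: the changelog for this one-line change in mcp251xfd_handle_rxif_one() calls the uninitialized variable 'cfg' in one sentence and 'cfd' in the next, while the removed line tests cfd. Use 'cfd' consistently so the message matches the code; the switch to checking skb itself matches what the allocation helpers above return.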
-- 
2.23.0



[PATCH] ACPI: configfs: add missing check after configfs_register_default_group

2021-01-12 Thread Qinglang Miao
A list_add corruption is reported by Hulk Robot like this:
==
list_add corruption.
Call Trace:
link_obj+0xc0/0x1c0
link_group+0x21/0x140
configfs_register_subsystem+0xdb/0x380
acpi_configfs_init+0x25/0x1000 [acpi_configfs]
do_one_initcall+0x149/0x820
do_init_module+0x1ef/0x720
load_module+0x35c8/0x4380
__do_sys_finit_module+0x10d/0x1a0
do_syscall_64+0x34/0x80

It's because of the missing check after configfs_register_default_group,
where configfs_unregister_subsystem should be called on failure.

Fixes: 612bd01fc6e0 ("ACPI: add support for loading SSDTs via configfs")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/acpi/acpi_configfs.c | 7 ++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/acpi/acpi_configfs.c b/drivers/acpi/acpi_configfs.c
index cf91f4910..25512ab0e 100644
--- a/drivers/acpi/acpi_configfs.c
+++ b/drivers/acpi/acpi_configfs.c
@@ -268,7 +268,12 @@ static int __init acpi_configfs_init(void)
 
acpi_table_group = configfs_register_default_group(root, "table",
   _tables_type);
-   return PTR_ERR_OR_ZERO(acpi_table_group);
+   if (IS_ERR(acpi_table_group)) {
+   configfs_register_subsystem(_configfs);
+   return PTR_ERR(acpi_table_group);
+   }
+
+   return 0;
 }
 module_init(acpi_configfs_init);
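Review bot: the error branch added after configfs_register_default_group() calls configfs_register_subsystem() a second time, while the changelog names configfs_unregister_subsystem as the call that is needed. Registering again on the failure path undoes nothing; the call in the IS_ERR() branch should be the unregister variant.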
 
-- 
2.23.0



Re: [v2] net: qrtr: fix null pointer dereference in qrtr_ns_remove

2021-01-06 Thread Qinglang Miao




On 2021/1/6 16:09, Markus Elfring wrote:

A null-ptr-deref bug is reported by Hulk Robot like this:


Can it be clearer to use the term “null pointer dereference” for the final 
commit message?

This advice is too detailed for 'null-ptr-deref' is known as a general phrase


This key word was provided already by the referenced KASAN report.


Yep, you're right. 'null-ptr-deref' is not really proper here.



like 'use-after-free' for kernel developer, I think.

I suggest to reconsider the use of abbreviations at some places.

Fix it by making …


Would you like to replace this wording by the tag “Fixes”?

Sorry, I didn't get your words.

'Fix it by' follows the solution


I propose to specify the desired adjustments without such a prefix
in the change description.
Sorry, I can understand what you mean, but I still disagree with this
one, for:


1. 'Fix it by' is everywhere in kernel commit message.
2. I think adding it or not makes no change for understanding.
3. I'm not sure this is an official proposal.





In fact, I did consider using 'Fixes' on this one,


Thanks for such information.



but it's hard to tell which specific commit brought this null pointer 
dereference.


This aspect is unfortunate here.
Regards,
Markus



Thanks anyway, I shall pay more attention to commit message. ;D


Re: [PATCH v2] net: qrtr: fix null pointer dereference in qrtr_ns_remove

2021-01-05 Thread Qinglang Miao

Hi Markus,

I'd like to take some of your advice in this patch, but I noticed that 
this one has been applied.


Some of your advice would be considered kindly on my future work.

Thanks.

On 2021/1/5 21:14, Markus Elfring wrote:

A null-ptr-deref bug is reported by Hulk Robot like this:


Can it be clearer to use the term “null pointer dereference” for the final 
commit message?
This advice is too detailed for 'null-ptr-deref' is known as a general 
phrase like 'use-after-free' for kernel developer, I think.



--


I suggest to choose another character for drawing such a text line.

It's an acceptable advice, thanks.




Fix it by making …


Would you like to replace this wording by the tag “Fixes”?

Sorry, I didn't get your words.

'Fix it by' follows the solution
'Fixes' follows the commit which brought the problem.

In fact, I did consider using 'Fixes' on this one, but it's hard to
tell which specific commit brought this null pointer dereference.


Will another imperative wording variant be helpful for this change description?


…

+++ b/net/qrtr/qrtr.c
@@ -1287,13 +1287,19 @@ static int __init qrtr_proto_init(void)

…

+err_sock:
+   sock_unregister(qrtr_family.family);
+err_proto:
+   proto_unregister(_proto);
return rc;
  }


Would it be clearer to use the labels “unregister_sock” and “unregister_proto”?
In fact, the reason I use 'err_sock' rather than 'unregister_sock' is to
keep it the same as in 'net/qrtr/ns.c'.


I agree with you that “unregister_sock” is better in normal case.


Regards,
Markus



Re: [PATCH] net: qrtr: fix null-ptr-deref in qrtr_ns_remove

2021-01-04 Thread Qinglang Miao
I sent a v2 on this one because of the redundant braces in 
qrtr_proto_init, sorry for the noise.


On 2021/1/5 10:40, Qinglang Miao wrote:

A null-ptr-deref bug is reported by Hulk Robot like this:
--
KASAN: null-ptr-deref in range [0x0128-0x012f]
Call Trace:
qrtr_ns_remove+0x22/0x40 [ns]
qrtr_proto_fini+0xa/0x31 [qrtr]
__x64_sys_delete_module+0x337/0x4e0
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x468ded
--

When qrtr_ns_init fails in qrtr_proto_init, qrtr_ns_remove which would
be called later on would raise a null-ptr-deref because qrtr_ns.workqueue
has been destroyed.

Fix it by making qrtr_ns_init have a return value and adding a check in
qrtr_proto_init.

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  net/qrtr/ns.c   |  7 ---
  net/qrtr/qrtr.c | 14 +++---
  net/qrtr/qrtr.h |  2 +-
  3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 56aaf8cb6..8d00dfe81 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -755,7 +755,7 @@ static void qrtr_ns_data_ready(struct sock *sk)
queue_work(qrtr_ns.workqueue, _ns.work);
  }
  
-void qrtr_ns_init(void)

+int qrtr_ns_init(void)
  {
struct sockaddr_qrtr sq;
int ret;
@@ -766,7 +766,7 @@ void qrtr_ns_init(void)
ret = sock_create_kern(_net, AF_QIPCRTR, SOCK_DGRAM,
   PF_QIPCRTR, _ns.sock);
if (ret < 0)
-   return;
+   return ret;
  
  	ret = kernel_getsockname(qrtr_ns.sock, (struct sockaddr *));

if (ret < 0) {
@@ -797,12 +797,13 @@ void qrtr_ns_init(void)
if (ret < 0)
goto err_wq;
  
-	return;

+   return 0;
  
  err_wq:

destroy_workqueue(qrtr_ns.workqueue);
  err_sock:
sock_release(qrtr_ns.sock);
+   return ret;
  }
  EXPORT_SYMBOL_GPL(qrtr_ns_init);
  
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c

index f4ab3ca6d..95533e451 100644
--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -1288,12 +1288,20 @@ static int __init qrtr_proto_init(void)
  
  	rc = sock_register(_family);

if (rc) {
-   proto_unregister(_proto);
-   return rc;
+   goto err_proto;
}
  
-	qrtr_ns_init();

+   rc = qrtr_ns_init();
+   if (rc) {
+   goto err_sock;
+   } >
+   return 0;
+
+err_sock:
+   sock_unregister(qrtr_family.family);
+err_proto:
+   proto_unregister(_proto);
return rc;
  }
  postcore_initcall(qrtr_proto_init);
diff --git a/net/qrtr/qrtr.h b/net/qrtr/qrtr.h
index dc2b67f17..3f2d28696 100644
--- a/net/qrtr/qrtr.h
+++ b/net/qrtr/qrtr.h
@@ -29,7 +29,7 @@ void qrtr_endpoint_unregister(struct qrtr_endpoint *ep);
  
  int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len);
  
-void qrtr_ns_init(void);

+int qrtr_ns_init(void);
  
  void qrtr_ns_remove(void);
  



[PATCH v2] net: qrtr: fix null-ptr-deref in qrtr_ns_remove

2021-01-04 Thread Qinglang Miao
A null-ptr-deref bug is reported by Hulk Robot like this:
--
KASAN: null-ptr-deref in range [0x0128-0x012f]
Call Trace:
qrtr_ns_remove+0x22/0x40 [ns]
qrtr_proto_fini+0xa/0x31 [qrtr]
__x64_sys_delete_module+0x337/0x4e0
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x468ded
--

When qrtr_ns_init fails in qrtr_proto_init, qrtr_ns_remove which would
be called later on would raise a null-ptr-deref because qrtr_ns.workqueue
has been destroyed.

Fix it by making qrtr_ns_init have a return value and adding a check in
qrtr_proto_init.

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
v1->v2: remove redundant braces for single statement blocks.

 net/qrtr/ns.c   |  7 ---
 net/qrtr/qrtr.c | 16 +++-
 net/qrtr/qrtr.h |  2 +-
 3 files changed, 16 insertions(+), 9 deletions(-)

diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 56aaf8cb6..8d00dfe81 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -755,7 +755,7 @@ static void qrtr_ns_data_ready(struct sock *sk)
queue_work(qrtr_ns.workqueue, _ns.work);
 }
 
-void qrtr_ns_init(void)
+int qrtr_ns_init(void)
 {
struct sockaddr_qrtr sq;
int ret;
@@ -766,7 +766,7 @@ void qrtr_ns_init(void)
ret = sock_create_kern(_net, AF_QIPCRTR, SOCK_DGRAM,
   PF_QIPCRTR, _ns.sock);
if (ret < 0)
-   return;
+   return ret;
 
ret = kernel_getsockname(qrtr_ns.sock, (struct sockaddr *));
if (ret < 0) {
@@ -797,12 +797,13 @@ void qrtr_ns_init(void)
if (ret < 0)
goto err_wq;
 
-   return;
+   return 0;
 
 err_wq:
destroy_workqueue(qrtr_ns.workqueue);
 err_sock:
sock_release(qrtr_ns.sock);
+   return ret;
 }
 EXPORT_SYMBOL_GPL(qrtr_ns_init);
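Review bot: at err_wq and err_sock in qrtr_ns_init() the workqueue is destroyed and the socket released, but qrtr_ns.workqueue and qrtr_ns.sock keep their old values. Since the changelog attributes the crash in qrtr_ns_remove to the destroyed workqueue, either clear the two pointers on this path or state in the changelog that qrtr_ns_remove can no longer run after a failed init.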
 
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
index f4ab3ca6d..b34358282 100644
--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -1287,13 +1287,19 @@ static int __init qrtr_proto_init(void)
return rc;
 
rc = sock_register(_family);
-   if (rc) {
-   proto_unregister(_proto);
-   return rc;
-   }
+   if (rc)
+   goto err_proto;
 
-   qrtr_ns_init();
+   rc = qrtr_ns_init();
+   if (rc)
+   goto err_sock;
 
+   return 0;
+
+err_sock:
+   sock_unregister(qrtr_family.family);
+err_proto:
+   proto_unregister(_proto);
return rc;
 }
 postcore_initcall(qrtr_proto_init);
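Review bot: with the new err_sock path in qrtr_proto_init(), a qrtr_ns_init() failure now unregisters the socket family and the proto and fails the initcall, where the old code ignored the result and fell through to return rc with rc still 0. That change in behaviour is the substance of the fix and should be stated in the changelog, not only "adding a check".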
diff --git a/net/qrtr/qrtr.h b/net/qrtr/qrtr.h
index dc2b67f17..3f2d28696 100644
--- a/net/qrtr/qrtr.h
+++ b/net/qrtr/qrtr.h
@@ -29,7 +29,7 @@ void qrtr_endpoint_unregister(struct qrtr_endpoint *ep);
 
 int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len);
 
-void qrtr_ns_init(void);
+int qrtr_ns_init(void);
 
 void qrtr_ns_remove(void);
 
-- 
2.23.0



[PATCH] net: qrtr: fix null-ptr-deref in qrtr_ns_remove

2021-01-04 Thread Qinglang Miao
A null-ptr-deref bug is reported by Hulk Robot like this:
--
KASAN: null-ptr-deref in range [0x0128-0x012f]
Call Trace:
qrtr_ns_remove+0x22/0x40 [ns]
qrtr_proto_fini+0xa/0x31 [qrtr]
__x64_sys_delete_module+0x337/0x4e0
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x468ded
--

When qrtr_ns_init fails in qrtr_proto_init, qrtr_ns_remove which would
be called later on would raise a null-ptr-deref because qrtr_ns.workqueue
has been destroyed.

Fix it by making qrtr_ns_init have a return value and adding a check in
qrtr_proto_init.

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 net/qrtr/ns.c   |  7 ---
 net/qrtr/qrtr.c | 14 +++---
 net/qrtr/qrtr.h |  2 +-
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/net/qrtr/ns.c b/net/qrtr/ns.c
index 56aaf8cb6..8d00dfe81 100644
--- a/net/qrtr/ns.c
+++ b/net/qrtr/ns.c
@@ -755,7 +755,7 @@ static void qrtr_ns_data_ready(struct sock *sk)
queue_work(qrtr_ns.workqueue, _ns.work);
 }
 
-void qrtr_ns_init(void)
+int qrtr_ns_init(void)
 {
struct sockaddr_qrtr sq;
int ret;
@@ -766,7 +766,7 @@ void qrtr_ns_init(void)
ret = sock_create_kern(_net, AF_QIPCRTR, SOCK_DGRAM,
   PF_QIPCRTR, _ns.sock);
if (ret < 0)
-   return;
+   return ret;
 
ret = kernel_getsockname(qrtr_ns.sock, (struct sockaddr *));
if (ret < 0) {
@@ -797,12 +797,13 @@ void qrtr_ns_init(void)
if (ret < 0)
goto err_wq;
 
-   return;
+   return 0;
 
 err_wq:
destroy_workqueue(qrtr_ns.workqueue);
 err_sock:
sock_release(qrtr_ns.sock);
+   return ret;
 }
 EXPORT_SYMBOL_GPL(qrtr_ns_init);
 
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c
index f4ab3ca6d..95533e451 100644
--- a/net/qrtr/qrtr.c
+++ b/net/qrtr/qrtr.c
@@ -1288,12 +1288,20 @@ static int __init qrtr_proto_init(void)
 
rc = sock_register(_family);
if (rc) {
-   proto_unregister(_proto);
-   return rc;
+   goto err_proto;
}
 
-   qrtr_ns_init();
+   rc = qrtr_ns_init();
+   if (rc) {
+   goto err_sock;
+   }
 
+   return 0;
+
+err_sock:
+   sock_unregister(qrtr_family.family);
+err_proto:
+   proto_unregister(_proto);
return rc;
 }
 postcore_initcall(qrtr_proto_init);
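Review bot: both new if (rc) blocks in qrtr_proto_init() wrap a single goto in braces. Kernel coding style drops braces around single-statement bodies, so write if (rc) followed directly by goto err_proto; and do the same for goto err_sock;.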
diff --git a/net/qrtr/qrtr.h b/net/qrtr/qrtr.h
index dc2b67f17..3f2d28696 100644
--- a/net/qrtr/qrtr.h
+++ b/net/qrtr/qrtr.h
@@ -29,7 +29,7 @@ void qrtr_endpoint_unregister(struct qrtr_endpoint *ep);
 
 int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len);
 
-void qrtr_ns_init(void);
+int qrtr_ns_init(void);
 
 void qrtr_ns_remove(void);
 
-- 
2.23.0



Re: [PATCH] PCI: fix use-after-free in pci_register_host_bridge

2020-12-13 Thread Qinglang Miao




On 2020/12/11 23:46, Rob Herring wrote:

On Fri, Nov 20, 2020 at 03:48:48PM +0800, Qinglang Miao wrote:

When put_device(>dev) being called, kfree(bridge) is inside
of release function, so the following device_del would cause a
use-after-free bug.

Fixes: 37d6a0a6f470 ("PCI: Add pci_register_host_bridge() interface")


That commit did have some problems, but this patch doesn't apply to that
commit. See commits 1b54ae8327a4 and 9885440b16b8.


Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  drivers/pci/probe.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 4289030b0..82292e87e 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -991,8 +991,8 @@ static int pci_register_host_bridge(struct pci_host_bridge 
*bridge)
return 0;
  
  unregister:

-   put_device(>dev);
device_del(>dev);
+   put_device(>dev);
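Review bot: the swap of the two calls at unregister: is justified in the changelog by put_device() freeing bridge, but the hunk does not show which reference that put_device() drops. If it balances an earlier get_device(), it only decrements the count and nothing is freed before device_del(); in that case this is an ordering cleanup, and the use-after-free wording and the Fixes: tag should be dropped.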


I don't think this is right.

Let's look at pci_register_host_bridge() with only the relevant
sections:

static int pci_register_host_bridge(struct pci_host_bridge *bridge)
{
...

err = device_add(>dev);
if (err) {
put_device(>dev);
goto free;
}
bus->bridge = get_device(>dev);

 ...
if (err)
goto unregister;
...

return 0;

unregister:
put_device(>dev);
device_del(>dev);

free:
kfree(bus);
return err;
}

The documentation for device_add says this:
  * Rule of thumb is: if device_add() succeeds, you should call
  * device_del() when you want to get rid of it. If device_add() has
  * *not* succeeded, use *only* put_device() to drop the reference
  * count.

The put_device at the end is to balance the get_device after device_add.
It will *only* decrement the use count. Then we call device_del as the
documentation says.

Rob

Hi, Rob

Your words make sense to me: the code is *logically* correct here and
won't raise a use-after-free bug. I do hold a misunderstanding of this 
one, sorry for that ~


But I still think this patch should be reconsidered:

The kdoc of device_unregister explicitly mentions the possibility that 
other refs might continue to exist after device_unregister was called, 
and *del_device* is first part of it.


By the way, 'del_device() called before put_device()' is everywhere in 
kernel code, like device_unregister(), pci_destroy_dev() or 
switchtec_pci_remove()


In fact, I can't find another place in kernel code that looks like:
put_device(x);
device_del(x);

So I guess put_device() ought to be the last time we touch the object 
(I don't find evidence strong enough in kdoc to prove this) and putting 
put_device after device_del is a more natural logic.


Qinglang





[PATCH v2] cgroup: Fix memory leak when parsing multiple source parameters

2020-12-09 Thread Qinglang Miao
A memory leak is found in cgroup1_parse_param() when multiple source
parameters overwrite fc->source in the fs_context struct without free.

unreferenced object 0x888100d930e0 (size 16):
  comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
  hex dump (first 16 bytes):
74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00  testleak
  backtrace:
[<3e5023ec>] kmemdup_nul+0x2d/0xa0
[<377dbdaa>] vfs_parse_fs_string+0xc0/0x150
[<cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
[<0f750198>] path_mount+0xee1/0x1820
[<04756de2>] do_mount+0xea/0x100
[<94cafb0a>] __x64_sys_mount+0x14b/0x1f0

Fix this bug by permitting a single source parameter and rejecting with
an error all subsequent ones.

Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 v1->v2: fix compile problems caused by superfluous LF in err message.
 kernel/cgroup/cgroup-v1.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 191c329e4..32596fdbc 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -908,6 +908,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct 
fs_parameter *param)
opt = fs_parse(fc, cgroup1_fs_parameters, param, );
if (opt == -ENOPARAM) {
if (strcmp(param->key, "source") == 0) {
+   if (fc->source)
+   return invalf(fc, "Multiple sources not 
supported");
fc->source = param->string;
param->string = NULL;
return 0;
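Review bot: the new fc->source check returns through invalf() without clearing param->string, unlike the success path just below it, which sets param->string = NULL after taking ownership. Add a short comment or a changelog sentence saying the rejected string stays owned by the caller, so it is clear the fix does not trade one leak for another.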
-- 
2.23.0



[PATCH] cgroup: Fix memory leak when parsing multiple source parameters

2020-12-09 Thread Qinglang Miao
A memory leak is found in cgroup1_parse_param() when multiple source
parameters overwrite fc->source in the fs_context struct without free.

unreferenced object 0x888100d930e0 (size 16):
  comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
  hex dump (first 16 bytes):
74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00  testleak
  backtrace:
[<3e5023ec>] kmemdup_nul+0x2d/0xa0
[<377dbdaa>] vfs_parse_fs_string+0xc0/0x150
[<cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
[<0f750198>] path_mount+0xee1/0x1820
[<04756de2>] do_mount+0xea/0x100
[<94cafb0a>] __x64_sys_mount+0x14b/0x1f0

Fix this bug by permitting a single source parameter and rejecting with
an error all subsequent ones.

Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 kernel/cgroup/cgroup-v1.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 191c329e4..1fd7d3d18 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -908,6 +908,9 @@ int cgroup1_parse_param(struct fs_context *fc, struct 
fs_parameter *param)
opt = fs_parse(fc, cgroup1_fs_parameters, param, );
if (opt == -ENOPARAM) {
if (strcmp(param->key, "source") == 0) {
+   if (fc->source)
+   return invalf(fc, "Multiple sources not
+ supported");
fc->source = param->string;
param->string = NULL;
return 0;
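Review bot: the invalf() format string in the added lines is split inside the quotes, with "Multiple sources not" on one added line and "supported" on the next, which puts a raw newline in a string literal and will not compile. Keep the literal on a single line even if it runs past the column limit.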
-- 
2.23.0



[PATCH] drm/v3d: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in functions v3d_get_param_ioctl and v3d_job_init.

However, pm_runtime_get_sync will increment the PM reference
count even if it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: 57692c94dcbe ("drm/v3d: Introduce a new DRM driver for Broadcom V3D V3.x+")
Fixes: 935f3d88434b ("drm/v3d: Make sure the GPU is on when measuring clocks.")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/v3d/v3d_debugfs.c | 4 ++--
 drivers/gpu/drm/v3d/v3d_gem.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/v3d/v3d_debugfs.c 
b/drivers/gpu/drm/v3d/v3d_debugfs.c
index e76b24bb8..91ceed774 100644
--- a/drivers/gpu/drm/v3d/v3d_debugfs.c
+++ b/drivers/gpu/drm/v3d/v3d_debugfs.c
@@ -132,7 +132,7 @@ static int v3d_v3d_debugfs_ident(struct seq_file *m, void 
*unused)
u32 ident0, ident1, ident2, ident3, cores;
int ret, core;
 
-   ret = pm_runtime_get_sync(v3d->drm.dev);
+   ret = pm_runtime_resume_and_get(v3d->drm.dev);
if (ret < 0)
return ret;
 
@@ -219,7 +219,7 @@ static int v3d_measure_clock(struct seq_file *m, void 
*unused)
int measure_ms = 1000;
int ret;
 
-   ret = pm_runtime_get_sync(v3d->drm.dev);
+   ret = pm_runtime_resume_and_get(v3d->drm.dev);
if (ret < 0)
return ret;
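Review bot: the changelog names v3d_get_param_ioctl and v3d_job_init, but the two hunks in v3d_debugfs.c change v3d_v3d_debugfs_ident and v3d_measure_clock, and no hunk in the patch touches v3d_get_param_ioctl. Correct the function list in the changelog, or add the missing conversion if v3d_get_param_ioctl has the same pattern.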
 
diff --git a/drivers/gpu/drm/v3d/v3d_gem.c b/drivers/gpu/drm/v3d/v3d_gem.c
index 182c58652..765683569 100644
--- a/drivers/gpu/drm/v3d/v3d_gem.c
+++ b/drivers/gpu/drm/v3d/v3d_gem.c
@@ -439,7 +439,7 @@ v3d_job_init(struct v3d_dev *v3d, struct drm_file 
*file_priv,
job->v3d = v3d;
job->free = free;
 
-   ret = pm_runtime_get_sync(v3d->drm.dev);
+   ret = pm_runtime_resume_and_get(v3d->drm.dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH] drm/tegra: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in these tegra functions.

However, pm_runtime_get_sync will increment the PM reference
count even if it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: fd67e9c6ed5a ("drm/tegra: Do not implement runtime PM")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/tegra/dc.c   | 2 +-
 drivers/gpu/drm/tegra/dsi.c  | 2 +-
 drivers/gpu/drm/tegra/hdmi.c | 2 +-
 drivers/gpu/drm/tegra/hub.c  | 2 +-
 drivers/gpu/drm/tegra/sor.c  | 2 +-
 drivers/gpu/drm/tegra/vic.c  | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
index 424ad60b4..b2c8c68b7 100644
--- a/drivers/gpu/drm/tegra/dc.c
+++ b/drivers/gpu/drm/tegra/dc.c
@@ -2184,7 +2184,7 @@ static int tegra_dc_runtime_resume(struct host1x_client 
*client)
struct device *dev = client->dev;
int err;
 
-   err = pm_runtime_get_sync(dev);
+   err = pm_runtime_resume_and_get(dev);
if (err < 0) {
dev_err(dev, "failed to get runtime PM: %d\n", err);
return err;
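Review bot: pm_runtime_resume_and_get(), used here in tegra_dc_runtime_resume() and in the five other files, was only added by dd8088d5a896 in v5.10-rc5 according to the drm/rockchip cover letter from the same day, while the Fixes: tag will route this patch to older stable trees. Note that dependency below the --- line or in the changelog so a backport takes the helper along.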
diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
index 5691ef1b0..f46d377f0 100644
--- a/drivers/gpu/drm/tegra/dsi.c
+++ b/drivers/gpu/drm/tegra/dsi.c
@@ -,7 +,7 @@ static int tegra_dsi_runtime_resume(struct host1x_client 
*client)
struct device *dev = client->dev;
int err;
 
-   err = pm_runtime_get_sync(dev);
+   err = pm_runtime_resume_and_get(dev);
if (err < 0) {
dev_err(dev, "failed to get runtime PM: %d\n", err);
return err;
diff --git a/drivers/gpu/drm/tegra/hdmi.c b/drivers/gpu/drm/tegra/hdmi.c
index d09a24931..e5d2a4026 100644
--- a/drivers/gpu/drm/tegra/hdmi.c
+++ b/drivers/gpu/drm/tegra/hdmi.c
@@ -1510,7 +1510,7 @@ static int tegra_hdmi_runtime_resume(struct host1x_client 
*client)
struct device *dev = client->dev;
int err;
 
-   err = pm_runtime_get_sync(dev);
+   err = pm_runtime_resume_and_get(dev);
if (err < 0) {
dev_err(dev, "failed to get runtime PM: %d\n", err);
return err;
diff --git a/drivers/gpu/drm/tegra/hub.c b/drivers/gpu/drm/tegra/hub.c
index 22a03f7ff..5ce771cba 100644
--- a/drivers/gpu/drm/tegra/hub.c
+++ b/drivers/gpu/drm/tegra/hub.c
@@ -789,7 +789,7 @@ static int tegra_display_hub_runtime_resume(struct 
host1x_client *client)
unsigned int i;
int err;
 
-   err = pm_runtime_get_sync(dev);
+   err = pm_runtime_resume_and_get(dev);
if (err < 0) {
dev_err(dev, "failed to get runtime PM: %d\n", err);
return err;
diff --git a/drivers/gpu/drm/tegra/sor.c b/drivers/gpu/drm/tegra/sor.c
index e88a17c29..fa1272155 100644
--- a/drivers/gpu/drm/tegra/sor.c
+++ b/drivers/gpu/drm/tegra/sor.c
@@ -3214,7 +3214,7 @@ static int tegra_sor_runtime_resume(struct host1x_client 
*client)
struct device *dev = client->dev;
int err;
 
-   err = pm_runtime_get_sync(dev);
+   err = pm_runtime_resume_and_get(dev);
if (err < 0) {
dev_err(dev, "failed to get runtime PM: %d\n", err);
return err;
diff --git a/drivers/gpu/drm/tegra/vic.c b/drivers/gpu/drm/tegra/vic.c
index ade56b860..b77f72630 100644
--- a/drivers/gpu/drm/tegra/vic.c
+++ b/drivers/gpu/drm/tegra/vic.c
@@ -314,7 +314,7 @@ static int vic_open_channel(struct tegra_drm_client *client,
struct vic *vic = to_vic(client);
int err;
 
-   err = pm_runtime_get_sync(vic->dev);
+   err = pm_runtime_resume_and_get(vic->dev);
if (err < 0)
return err;
 
-- 
2.23.0



[PATCH 1/3] drm/rockchip: cdn-dp: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in cdn_dp_clk_enable.

However, pm_runtime_get_sync will increment the PM reference
count even if it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: efe0220fc2d2 ("drm/rockchip: cdn-dp: Fix error handling")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c 
b/drivers/gpu/drm/rockchip/cdn-dp-core.c
index a4a45daf9..9b4406191 100644
--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
+++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
@@ -98,7 +98,7 @@ static int cdn_dp_clk_enable(struct cdn_dp_device *dp)
goto err_core_clk;
}
 
-   ret = pm_runtime_get_sync(dp->dev);
+   ret = pm_runtime_resume_and_get(dp->dev);
if (ret < 0) {
DRM_DEV_ERROR(dp->dev, "cannot get pm runtime %d\n", ret);
goto err_pm_runtime_get;
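Review bot: the failure branch in cdn_dp_clk_enable() still jumps to err_pm_runtime_get, whose body is outside this hunk. pm_runtime_resume_and_get() has already dropped the usage count when it returns an error, so confirm that the label does not do a pm_runtime_put of its own, and say so in the changelog.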
-- 
2.23.0



[PATCH 2/3] drm/rockchip: vop: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in functions vop_enable and vop_enable.

However, pm_runtime_get_sync will increment the PM reference
count even if it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: 5e570373c015 ("drm/rockchip: vop: Enable pm domain before vop_initial")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c 
b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
index c80f7d9fd..006988a6e 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
@@ -587,7 +587,7 @@ static int vop_enable(struct drm_crtc *crtc, struct 
drm_crtc_state *old_state)
struct vop *vop = to_vop(crtc);
int ret, i;
 
-   ret = pm_runtime_get_sync(vop->dev);
+   ret = pm_runtime_resume_and_get(vop->dev);
if (ret < 0) {
DRM_DEV_ERROR(vop->dev, "failed to get pm runtime: %d\n", ret);
return ret;
@@ -1908,7 +1908,7 @@ static int vop_initial(struct vop *vop)
return PTR_ERR(vop->dclk);
}
 
-   ret = pm_runtime_get_sync(vop->dev);
+   ret = pm_runtime_resume_and_get(vop->dev);
if (ret < 0) {
DRM_DEV_ERROR(vop->dev, "failed to get pm runtime: %d\n", ret);
return ret;
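Review bot: this second hunk is in vop_initial(), but the changelog lists "vop_enable and vop_enable". Replace the repeated name with vop_initial so the message covers both hunks.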
-- 
2.23.0



[PATCH 3/3] drm/rockchip: lvds: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in functions rk3288_lvds_poweron and px30_lvds_poweron.

However, pm_runtime_get_sync will increment the PM reference
count even if it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: cca1705c3d89 ("drm/rockchip: lvds: Add PX30 support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/rockchip/rockchip_lvds.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c 
b/drivers/gpu/drm/rockchip/rockchip_lvds.c
index f292c6a6e..c3b1ac484 100644
--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c
+++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c
@@ -145,7 +145,7 @@ static int rk3288_lvds_poweron(struct rockchip_lvds *lvds)
DRM_DEV_ERROR(lvds->dev, "failed to enable lvds pclk %d\n", 
ret);
return ret;
}
-   ret = pm_runtime_get_sync(lvds->dev);
+   ret = pm_runtime_resume_and_get(lvds->dev);
if (ret < 0) {
DRM_DEV_ERROR(lvds->dev, "failed to get pm runtime: %d\n", ret);
clk_disable(lvds->pclk);
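Review bot: this hunk changes rk3288_lvds_poweron(), while the only Fixes: tag points at "drm/rockchip: lvds: Add PX30 support". If the rk3288 call predates that commit, add a second Fixes: tag for the commit that introduced it; otherwise mention in the changelog that both call sites came from the same commit.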
@@ -329,7 +329,7 @@ static int px30_lvds_poweron(struct rockchip_lvds *lvds)
 {
int ret;
 
-   ret = pm_runtime_get_sync(lvds->dev);
+   ret = pm_runtime_resume_and_get(lvds->dev);
if (ret < 0) {
DRM_DEV_ERROR(lvds->dev, "failed to get pm runtime: %d\n", ret);
return ret;
-- 
2.23.0



[PATCH 0/3] drm/rockchip: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM reference count
even when it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced. 

BTW, pm_runtime_resume_and_get is introduced in v5.10-rc5 as
dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get
to deal with usage counter")

Qinglang Miao (3):
  drm/rockchip: cdn-dp: fix reference leak when pm_runtime_get_sync
fails
  drm/rockchip: vop: fix reference leak when pm_runtime_get_sync fails
  drm/rockchip: lvds: fix reference leak when pm_runtime_get_sync fails

 drivers/gpu/drm/rockchip/cdn-dp-core.c  | 2 +-
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++--
 drivers/gpu/drm/rockchip/rockchip_lvds.c| 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

-- 
2.23.0



[PATCH 2/8] i2c: img-scb: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in functions img_i2c_xfer and img_i2c_init.

However, pm_runtime_get_sync will increment the PM reference
count even when it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: 93222bd9b966 ("i2c: img-scb: Add runtime PM")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/i2c/busses/i2c-img-scb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/busses/i2c-img-scb.c b/drivers/i2c/busses/i2c-img-scb.c
index 98a89301e..8e987945e 100644
--- a/drivers/i2c/busses/i2c-img-scb.c
+++ b/drivers/i2c/busses/i2c-img-scb.c
@@ -1057,7 +1057,7 @@ static int img_i2c_xfer(struct i2c_adapter *adap, struct 
i2c_msg *msgs,
atomic = true;
}
 
-   ret = pm_runtime_get_sync(adap->dev.parent);
+   ret = pm_runtime_resume_and_get(adap->dev.parent);
if (ret < 0)
return ret;
 
@@ -1158,7 +1158,7 @@ static int img_i2c_init(struct img_i2c *i2c)
u32 rev;
int ret;
 
-   ret = pm_runtime_get_sync(i2c->adap.dev.parent);
+   ret = pm_runtime_resume_and_get(i2c->adap.dev.parent);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH 8/8] i2c: xiic: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in xiic_xfer and xiic_i2c_remove.

However, pm_runtime_get_sync will increment the PM reference
count even when it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: 10b17004a74c ("i2c: xiic: Fix the clocking across bind unbind")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/i2c/busses/i2c-xiic.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c
index 087b29519..2a8568b97 100644
--- a/drivers/i2c/busses/i2c-xiic.c
+++ b/drivers/i2c/busses/i2c-xiic.c
@@ -706,7 +706,7 @@ static int xiic_xfer(struct i2c_adapter *adap, struct 
i2c_msg *msgs, int num)
dev_dbg(adap->dev.parent, "%s entry SR: 0x%x\n", __func__,
xiic_getreg8(i2c, XIIC_SR_REG_OFFSET));
 
-   err = pm_runtime_get_sync(i2c->dev);
+   err = pm_runtime_resume_and_get(i2c->dev);
if (err < 0)
return err;
 
@@ -873,7 +873,7 @@ static int xiic_i2c_remove(struct platform_device *pdev)
/* remove adapter & data */
i2c_del_adapter(>adap);
 
-   ret = pm_runtime_get_sync(i2c->dev);
+   ret = pm_runtime_resume_and_get(i2c->dev);
if (ret < 0)
return ret;
 
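Review bot: in xiic_i2c_remove() the "return ret" on a failed resume runs after i2c_del_adapter() has already removed the adapter, so everything below that return is skipped on this path. Balancing the usage counter does not change that; consider logging the failure and carrying on with the teardown that needs no register access instead of returning early. The other remove callbacks touched in this series (sprd_i2c_remove, omap_i2c_remove, i2c_imx_remove) have the same early return.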
-- 
2.23.0



[PATCH 6/8] i2c: sprd: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in sprd_i2c_master_xfer() and sprd_i2c_remove().

However, pm_runtime_get_sync will increment the PM reference
count even when it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: 8b9ec0719834 ("i2c: Add Spreadtrum I2C controller driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/i2c/busses/i2c-sprd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/busses/i2c-sprd.c b/drivers/i2c/busses/i2c-sprd.c
index 19cda6742..103b1a852 100644
--- a/drivers/i2c/busses/i2c-sprd.c
+++ b/drivers/i2c/busses/i2c-sprd.c
@@ -284,7 +284,7 @@ static int sprd_i2c_master_xfer(struct i2c_adapter 
*i2c_adap,
struct sprd_i2c *i2c_dev = i2c_adap->algo_data;
int im, ret;
 
-   ret = pm_runtime_get_sync(i2c_dev->dev);
+   ret = pm_runtime_resume_and_get(i2c_dev->dev);
if (ret < 0)
return ret;
 
@@ -570,7 +570,7 @@ static int sprd_i2c_remove(struct platform_device *pdev)
struct sprd_i2c *i2c_dev = platform_get_drvdata(pdev);
int ret;
 
-   ret = pm_runtime_get_sync(i2c_dev->dev);
+   ret = pm_runtime_resume_and_get(i2c_dev->dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH 7/8] i2c: stm32f7: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in these stm32f7_i2c_xx serious functions.

However, pm_runtime_get_sync will increment the PM reference
count even when it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: ea6dd25deeb5 ("i2c: stm32f7: add PM_SLEEP suspend/resume support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/i2c/busses/i2c-stm32f7.c | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/i2c/busses/i2c-stm32f7.c b/drivers/i2c/busses/i2c-stm32f7.c
index f41f51a17..72fd5bdd6 100644
--- a/drivers/i2c/busses/i2c-stm32f7.c
+++ b/drivers/i2c/busses/i2c-stm32f7.c
@@ -1643,7 +1643,7 @@ static int stm32f7_i2c_xfer(struct i2c_adapter *i2c_adap,
i2c_dev->msg_id = 0;
f7_msg->smbus = false;
 
-   ret = pm_runtime_get_sync(i2c_dev->dev);
+   ret = pm_runtime_resume_and_get(i2c_dev->dev);
if (ret < 0)
return ret;
 
@@ -1689,7 +1689,7 @@ static int stm32f7_i2c_smbus_xfer(struct i2c_adapter 
*adapter, u16 addr,
f7_msg->read_write = read_write;
f7_msg->smbus = true;
 
-   ret = pm_runtime_get_sync(dev);
+   ret = pm_runtime_resume_and_get(dev);
if (ret < 0)
return ret;
 
@@ -1790,7 +1790,7 @@ static int stm32f7_i2c_reg_slave(struct i2c_client *slave)
if (ret)
return ret;
 
-   ret = pm_runtime_get_sync(dev);
+   ret = pm_runtime_resume_and_get(dev);
if (ret < 0)
return ret;
 
@@ -1871,7 +1871,7 @@ static int stm32f7_i2c_unreg_slave(struct i2c_client 
*slave)
 
WARN_ON(!i2c_dev->slave[id]);
 
-   ret = pm_runtime_get_sync(i2c_dev->dev);
+   ret = pm_runtime_resume_and_get(i2c_dev->dev);
if (ret < 0)
return ret;
 
@@ -2268,7 +2268,7 @@ static int stm32f7_i2c_regs_backup(struct stm32f7_i2c_dev 
*i2c_dev)
int ret;
struct stm32f7_i2c_regs *backup_regs = _dev->backup_regs;
 
-   ret = pm_runtime_get_sync(i2c_dev->dev);
+   ret = pm_runtime_resume_and_get(i2c_dev->dev);
if (ret < 0)
return ret;
 
@@ -2290,7 +2290,7 @@ static int stm32f7_i2c_regs_restore(struct 
stm32f7_i2c_dev *i2c_dev)
int ret;
struct stm32f7_i2c_regs *backup_regs = _dev->backup_regs;
 
-   ret = pm_runtime_get_sync(i2c_dev->dev);
+   ret = pm_runtime_resume_and_get(i2c_dev->dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH 3/8] i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in lpi2c_imx_master_enable.

However, pm_runtime_get_sync will increment the PM reference
count even when it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: 13d6eb20fc79 ("i2c: imx-lpi2c: add runtime pm support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/i2c/busses/i2c-imx-lpi2c.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/i2c/busses/i2c-imx-lpi2c.c 
b/drivers/i2c/busses/i2c-imx-lpi2c.c
index 9db6ccded..8b9ba055c 100644
--- a/drivers/i2c/busses/i2c-imx-lpi2c.c
+++ b/drivers/i2c/busses/i2c-imx-lpi2c.c
@@ -259,7 +259,7 @@ static int lpi2c_imx_master_enable(struct lpi2c_imx_struct 
*lpi2c_imx)
unsigned int temp;
int ret;
 
-   ret = pm_runtime_get_sync(lpi2c_imx->adapter.dev.parent);
+   ret = pm_runtime_resume_and_get(lpi2c_imx->adapter.dev.parent);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH 5/8] i2c: omap: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in omap_i2c_probe() and omap_i2c_remove().

However, pm_runtime_get_sync will increment the PM reference
count even when it fails. Forgetting the put operation will result
in a reference leak here. I replace it with pm_runtime_resume_and_get
to keep usage counter balanced.

What's more, error path 'err_free_mem' seems not like a proper
name any more. So I change the name to err_disable_pm and move
pm_runtime_disable below, for pm_runtime of 'pdev->dev' should
be disabled when pm_runtime_resume_and_get fails.

Fixes: 3b0fb97c8dc4 ("I2C: OMAP: Handle error check for pm runtime")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/i2c/busses/i2c-omap.c | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/i2c/busses/i2c-omap.c b/drivers/i2c/busses/i2c-omap.c
index 12ac4212a..d4f6c6d60 100644
--- a/drivers/i2c/busses/i2c-omap.c
+++ b/drivers/i2c/busses/i2c-omap.c
@@ -1404,9 +1404,9 @@ omap_i2c_probe(struct platform_device *pdev)
pm_runtime_set_autosuspend_delay(omap->dev, OMAP_I2C_PM_TIMEOUT);
pm_runtime_use_autosuspend(omap->dev);
 
-   r = pm_runtime_get_sync(omap->dev);
+   r = pm_runtime_resume_and_get(omap->dev);
if (r < 0)
-   goto err_free_mem;
+   goto err_disable_pm;
 
/*
 * Read the Rev hi bit-[15:14] ie scheme this is 1 indicates ver2.
@@ -1513,8 +1513,8 @@ omap_i2c_probe(struct platform_device *pdev)
omap_i2c_write_reg(omap, OMAP_I2C_CON_REG, 0);
pm_runtime_dont_use_autosuspend(omap->dev);
pm_runtime_put_sync(omap->dev);
+err_disable_pm:
pm_runtime_disable(>dev);
-err_free_mem:
 
return r;
 }
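Review bot: the new err_disable_pm label sits below pm_runtime_dont_use_autosuspend(), yet the first hunk shows pm_runtime_use_autosuspend() being called before the pm_runtime_resume_and_get() that jumps here, so on a failed resume autosuspend is not undone before pm_runtime_disable(). Reorder the unwind so that pm_runtime_put_sync() comes first and the label lands in front of pm_runtime_dont_use_autosuspend(), or call pm_runtime_dont_use_autosuspend() explicitly before the goto.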
@@ -1525,7 +1525,7 @@ static int omap_i2c_remove(struct platform_device *pdev)
int ret;
 
i2c_del_adapter(>adapter);
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH 4/8] i2c: imx: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
In i2c_imx_xfer() and i2c_imx_remove(), the pm reference count
is not expected to be incremented on return.

However, pm_runtime_get_sync will increment pm reference count
even when it fails. Forgetting the put operation will result in a
reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: 3a5ee18d2a32 ("i2c: imx: implement master_xfer_atomic callback")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/i2c/busses/i2c-imx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/busses/i2c-imx.c b/drivers/i2c/busses/i2c-imx.c
index c98529c76..93d2069da 100644
--- a/drivers/i2c/busses/i2c-imx.c
+++ b/drivers/i2c/busses/i2c-imx.c
@@ -1008,7 +1008,7 @@ static int i2c_imx_xfer(struct i2c_adapter *adapter,
struct imx_i2c_struct *i2c_imx = i2c_get_adapdata(adapter);
int result;
 
-   result = pm_runtime_get_sync(i2c_imx->adapter.dev.parent);
+   result = pm_runtime_resume_and_get(i2c_imx->adapter.dev.parent);
if (result < 0)
return result;
 
@@ -1252,7 +1252,7 @@ static int i2c_imx_remove(struct platform_device *pdev)
struct imx_i2c_struct *i2c_imx = platform_get_drvdata(pdev);
int irq, ret;
 
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH 1/8] i2c: cadence: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
The PM reference count is not expected to be incremented on
return in functions cdns_i2c_master_xfer and cdns_reg_slave.

However, pm_runtime_get_sync will increment pm usage counter
even when it fails. Forgetting the put operation will result in a
reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: 7fa32329ca03 ("i2c: cadence: Move to sensible power management")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/i2c/busses/i2c-cadence.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c
index e4b7f2a95..e8eae8725 100644
--- a/drivers/i2c/busses/i2c-cadence.c
+++ b/drivers/i2c/busses/i2c-cadence.c
@@ -789,7 +789,7 @@ static int cdns_i2c_master_xfer(struct i2c_adapter *adap, 
struct i2c_msg *msgs,
bool change_role = false;
 #endif
 
-   ret = pm_runtime_get_sync(id->dev);
+   ret = pm_runtime_resume_and_get(id->dev);
if (ret < 0)
return ret;
 
@@ -911,7 +911,7 @@ static int cdns_reg_slave(struct i2c_client *slave)
if (slave->flags & I2C_CLIENT_TEN)
return -EAFNOSUPPORT;
 
-   ret = pm_runtime_get_sync(id->dev);
+   ret = pm_runtime_resume_and_get(id->dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH 0/8] i2c: fix reference leak when pm_runtime_get_sync fails

2020-12-01 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM reference count
even when it fails. Forgetting the put operation will result
in a reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced. 

BTW, pm_runtime_resume_and_get is introduced in v5.10-rc5 as
dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get
to deal with usage counter")

Qinglang Miao (8):
  i2c: cadence: fix reference leak when pm_runtime_get_sync fails
  i2c: img-scb: fix reference leak when pm_runtime_get_sync fails
  i2c: imx-lpi2c: fix reference leak when pm_runtime_get_sync fails
  i2c: imx: fix reference leak when pm_runtime_get_sync fails
  i2c: omap: fix reference leak when pm_runtime_get_sync fails
  i2c: sprd: fix reference leak when pm_runtime_get_sync fails
  i2c: stm32f7: fix reference leak when pm_runtime_get_sync fails
  i2c: xiic: fix reference leak when pm_runtime_get_sync fails

 drivers/i2c/busses/i2c-cadence.c   |  4 ++--
 drivers/i2c/busses/i2c-img-scb.c   |  4 ++--
 drivers/i2c/busses/i2c-imx-lpi2c.c |  2 +-
 drivers/i2c/busses/i2c-imx.c   |  4 ++--
 drivers/i2c/busses/i2c-omap.c  |  8 
 drivers/i2c/busses/i2c-sprd.c  |  4 ++--
 drivers/i2c/busses/i2c-stm32f7.c   | 12 ++--
 drivers/i2c/busses/i2c-xiic.c  |  4 ++--
 8 files changed, 21 insertions(+), 21 deletions(-)

-- 
2.23.0



Re: [PATCH] s390: cio: fix two use-after-free bugs in device.c

2020-11-30 Thread Qinglang Miao




On 2020/11/20 15:55, Cornelia Huck wrote:

On Fri, 20 Nov 2020 15:48:49 +0800
Qinglang Miao  wrote:


put_device calls release function which does kfree() inside.
So following use of sch would cause use-after-free bugs.

Fix these by simply adjusting the position of put_device.

Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support")
Fixes: 74bd0d859dc3 ("s390/cio: fix unlocked access of online member")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  drivers/s390/cio/device.c | 6 +++---
  1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index b29fe8d50..69492417b 100644
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct 
ccw_device *cdev)
struct io_subchannel_private *io_priv = to_io_private(sch);
  
  	set_io_private(sch, NULL);

-   put_device(>dev);
-   put_device(>dev);
dma_free_coherent(>dev, sizeof(*io_priv->dma_area),
  io_priv->dma_area, io_priv->dma_area_dma);
+   put_device(>dev);
+   put_device(>dev);


That change looks reasonable.


kfree(io_priv);
  }
  
@@ -1774,8 +1774,8 @@ static int ccw_device_remove(struct device *dev)

  ret, cdev->private->dev_id.ssid,
  cdev->private->dev_id.devno);
/* Give up reference obtained in ccw_device_set_online(). */
-   put_device(>dev);
spin_lock_irq(cdev->ccwlock);
+   put_device(>dev);


As the comment above states, the put_device() gives up the reference
obtained in ccw_device_set_online(). There's at least one more
reference remaining (held by the caller of the remove function). Moving
the put_device() does not fix anything here.

Hi, Cornelia

Sorry for the delayed reply.

Your suggestion is reasonable, there is a mistake in this patch for I 
didn't notice that there would be at least one more reference remaining.


So I sent a new patch only to move put_device after dma_free_coherent. I 
put the link as below:

https://lore.kernel.org/lkml/20201201063150.82128-1-miaoqingl...@huawei.com/

Thanks!



}
ccw_device_set_timeout(cdev, 0);
cdev->drv = NULL;


.



[PATCH] s390: cio: fix use-after-free in ccw_device_destroy_console

2020-11-30 Thread Qinglang Miao
put_device calls release function which does kfree() inside.
So following use of sch would cause use-after-free bugs.

Fix these by simply adjusting the position of put_device.

Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support")
Reported-by: Hulk Robot 
Suggested-by: Cornelia Huck 
Signed-off-by: Qinglang Miao 
---
 This patch is indeed a v2 of older one. Considering that the
 patch's name has changed, I think a normal prefix 'PATCH' is
 better.

 drivers/s390/cio/device.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index b29fe8d50..33280ca18 100644
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct 
ccw_device *cdev)
struct io_subchannel_private *io_priv = to_io_private(sch);
 
set_io_private(sch, NULL);
-   put_device(>dev);
-   put_device(>dev);
dma_free_coherent(>dev, sizeof(*io_priv->dma_area),
  io_priv->dma_area, io_priv->dma_area_dma);
+   put_device(>dev);
+   put_device(>dev);
kfree(io_priv);
 }
 
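Review bot: the two put_device() calls now sit after dma_free_coherent(), but nothing at that spot says which references they drop or why they have to come after the last use of the device. A short comment on each put naming the get it undoes would keep a later cleanup from moving them back up. The commit message also still says "Fix these" and "bugs" although only ccw_device_destroy_console() is changed in this version.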
-- 
2.23.0



Re: [PATCH] scsi: zfcp: fix use-after-free in zfcp_unit_remove

2020-11-30 Thread Qinglang Miao




On 2020/11/27 17:21, Steffen Maier wrote:

On 11/26/20 4:12 PM, Benjamin Block wrote:

On Thu, Nov 26, 2020 at 08:07:32PM +0800, Qinglang Miao wrote:

On 2020/11/26 17:42, Benjamin Block wrote:

On Thu, Nov 26, 2020 at 09:13:53AM +0100, Cornelia Huck wrote:

On Thu, 26 Nov 2020 09:27:41 +0800
Qinglang Miao  wrote:

On 2020/11/26 1:06, Benjamin Block wrote:

On Fri, Nov 20, 2020 at 03:48:54PM +0800, Qinglang Miao wrote:



Let's go by example. If we assume the reference count of `unit->dev` is
R, and the function starts with R = 1 (otherwise the device would've
been freed already), we get:

  int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun)
  {
      struct zfcp_unit *unit;
      struct scsi_device *sdev;

      write_lock_irq(&port->unit_list_lock);
  // unit->dev (R = 1)
      unit = _zfcp_unit_find(port, fcp_lun);
  // get_device(&unit->dev)
  // unit->dev (R = 2)
      if (unit)
          list_del(&unit->list);
      write_unlock_irq(&port->unit_list_lock);

      if (!unit)
          return -EINVAL;

      sdev = zfcp_unit_sdev(unit);
      if (sdev) {
          scsi_remove_device(sdev);
          scsi_device_put(sdev);
      }

  // unit->dev (R = 2)
      put_device(&unit->dev);
  // unit->dev (R = 1)
      device_unregister(&unit->dev);
  // unit->dev (R = 0)

      return 0;
  }

If we now apply this patch, we'd end up with R = 1 after
`device_unregister()`, and the device would not be properly removed.

If you still think that's wrong, then you'll need to better explain 
why.



Hi Benjamin and Cornelia,

Your replies make me realize that I've been holding a mistaken understanding
of put_device() as well as reference count.

Thanks for your patient explanation!!

BTW, should I send a v2 on these two patches to move the position of
put_device()?


Feel free to do so.

I think having the `put_device()` call after `device_unregister()` in
both `zfcp_unit_remove()` and `zfcp_sysfs_port_remove_store()` is more
natural, because it ought to be the last time we touch the object in
both functions.


If you move put_device(), you could add a comment like we did here to 
explain which (hidden) get_device is undone:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/s390/scsi?id=ef4021fe5fd77ced0323cede27979d80a56211ca 

("scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only 
sdevs)")

So in this patch it could be:
 put_device(&unit->dev); /* undo _zfcp_unit_find() */
And in the other patch it could be:
 put_device(&port->dev); /* undo zfcp_get_port_by_wwpn() */
Then it would be clearer next time somebody looks at the code.


Hi, Steffen

Sorry, I didn't notice this mail when I sent a patch to move put_device. 
Your suggestion sounds reasonable to me, so I send a v2 to add comments.


Thanks.
Especially for the other patch on zfcp_sysfs_port_remove_store() moving 
the put_device(&port->dev) to at least *after* the call of 
zfcp_erp_port_shutdown(port, 0, "syprs_1") would make the code cleaner 
to me. Along the idea of passing the port to zfcp_erp_port_shutdown 
with the reference we got from zfcp_get_port_by_wwpn(). That said, the 
current code is of course still correct as we currently have the port 
ref of the earlier device_register so passing the port to 
zfcp_erp_port_shutdown() is safe.


If we wanted to make the gets and puts nicely nested, then we could move 
the puts to just before the device_unregister, but that's bike shedding:

 device_register()   -----+
 get_device()        --+  |
 put_device()        --+  |
 device_unregister() -----+

Benjamin's suggested move location works for me, too. After all, the 
kdoc of device_unregister explicitly mentions the possibility that other 
refs might continue to exist after device_unregister was called:

 device_register()   --+
 get_device()        --|--+
 device_unregister() --+  |
 put_device()        -----+

Glad to know your opinions, I'd like to take this one on my patch.
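
The reference counts walked through in this thread, and the use-after-free premise of the ccw_device_destroy_console patch above, as an added user-space model in C (not kernel code and not written by anyone in the thread): toy_obj and the toy_* helpers are hypothetical, release only sets a flag instead of freeing, and the console case assumes the put on the subchannel drops its last reference.

```c
#include <stdio.h>

/* Toy refcounted object; every name in this file is hypothetical. */
struct toy_obj {
	int refs;           /* models the device reference count (R) */
	int released;       /* release callback has run (real code: kfree) */
	int use_after_free; /* object was touched after release */
};

static void toy_get(struct toy_obj *o) { o->refs++; }

/* Models put_device(): dropping the last reference runs release. */
static void toy_put(struct toy_obj *o)
{
	if (--o->refs == 0)
		o->released = 1;
}

/* Models any access to the object, such as passing its dev to a call. */
static void toy_touch(struct toy_obj *o)
{
	if (o->released)
		o->use_after_free = 1;
}

/* Models device_unregister(): uses the object, then drops the
 * reference that registration took. */
static void toy_unregister(struct toy_obj *o)
{
	toy_touch(o);
	toy_put(o);
}

/* zfcp_unit_remove() as quoted in the thread: put, then unregister. */
static struct toy_obj unit_remove_put_first(void)
{
	struct toy_obj unit = { 1, 0, 0 }; /* R = 1 from registration */

	toy_get(&unit);        /* lookup takes a reference: R = 2 */
	toy_put(&unit);        /* R = 1 */
	toy_unregister(&unit); /* R = 0, released */
	return unit;
}

/* Same function with the put dropped: R stays at 1, never released. */
static struct toy_obj unit_remove_without_put(void)
{
	struct toy_obj unit = { 1, 0, 0 };

	toy_get(&unit);
	toy_unregister(&unit);
	return unit;
}

/* v2 ordering: unregister first, put as the last touch. */
static struct toy_obj unit_remove_put_last(void)
{
	struct toy_obj unit = { 1, 0, 0 };

	toy_get(&unit);
	toy_unregister(&unit); /* R = 1, still alive */
	toy_put(&unit);        /* R = 0, released */
	return unit;
}

/* Console teardown, old order: put, then one more use of the object.
 * Assumption: this put drops the last reference. */
static struct toy_obj destroy_console_put_first(void)
{
	struct toy_obj sch = { 1, 0, 0 };

	toy_put(&sch);   /* released here */
	toy_touch(&sch); /* stands in for the dma_free_coherent() call */
	return sch;
}

/* Console teardown, patched order: last use, then the put. */
static struct toy_obj destroy_console_put_last(void)
{
	struct toy_obj sch = { 1, 0, 0 };

	toy_touch(&sch);
	toy_put(&sch);
	return sch;
}

int main(void)
{
	printf("unit, put first : refs=%d\n", unit_remove_put_first().refs);
	printf("unit, no put    : refs=%d\n", unit_remove_without_put().refs);
	printf("unit, put last  : refs=%d\n", unit_remove_put_last().refs);
	printf("console, old    : uaf=%d\n", destroy_console_put_first().use_after_free);
	printf("console, patched: uaf=%d\n", destroy_console_put_last().use_after_free);
	return 0;
}
```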




[PATCH v2] scsi: zfcp: move the position of put_device

2020-11-30 Thread Qinglang Miao
Have the `put_device()` call after `device_unregister()` in both
`zfcp_unit_remove()` and `zfcp_sysfs_port_remove_store()` to make
it more natural, for put_device() ought to be the last time we
touch the object in both functions.

And add comments after put_device to make the code clearer.

Suggested-by: Steffen Maier 
Suggested-by: Benjamin Block 
Signed-off-by: Qinglang Miao 
---
 v2: add comments after put_device as Steffen suggested.

 drivers/s390/scsi/zfcp_sysfs.c | 4 ++--
 drivers/s390/scsi/zfcp_unit.c  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_sysfs.c b/drivers/s390/scsi/zfcp_sysfs.c
index 8d9662e8b..ef6d35a37 100644
--- a/drivers/s390/scsi/zfcp_sysfs.c
+++ b/drivers/s390/scsi/zfcp_sysfs.c
@@ -327,10 +327,10 @@ static ssize_t zfcp_sysfs_port_remove_store(struct device 
*dev,
list_del(>list);
write_unlock_irq(>port_list_lock);
 
-   put_device(>dev);
-
zfcp_erp_port_shutdown(port, 0, "syprs_1");
device_unregister(>dev);
+
+   put_device(>dev); /* undo zfcp_get_port_by_wwpn() */
  out:
zfcp_ccw_adapter_put(adapter);
return retval ? retval : (ssize_t) count;
diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c
index e67bf7388..59333f025 100644
--- a/drivers/s390/scsi/zfcp_unit.c
+++ b/drivers/s390/scsi/zfcp_unit.c
@@ -255,9 +255,9 @@ int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun)
scsi_device_put(sdev);
}
 
-   put_device(>dev);
-
device_unregister(>dev);
 
+   put_device(>dev); /* undo _zfcp_unit_find() */
+
return 0;
 }
-- 
2.23.0



Re: [PATCH] gpio: zynq: fix reference leak in zynq_gpio functions

2020-11-30 Thread Qinglang Miao




On 2020/12/1 0:44, Bartosz Golaszewski wrote:

On Fri, Nov 27, 2020 at 10:40 AM Qinglang Miao  wrote:


pm_runtime_get_sync will increment pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage
counter")


Is this upstream yet?

Bartosz
.

Yep, it's introduced in v5.10-rc5




[PATCH 2/3] drm/rockchip: vop: fix reference leak when pm_runtime_get_sync fails

2020-11-30 Thread Qinglang Miao
pm_runtime_get_sync will increment pm usage counter even
when it fails. Forgetting the put operation will result in a
reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: 5e570373c015 ("drm/rockchip: vop: Enable pm domain before vop_initial")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c 
b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
index c80f7d9fd..006988a6e 100644
--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
@@ -587,7 +587,7 @@ static int vop_enable(struct drm_crtc *crtc, struct 
drm_crtc_state *old_state)
struct vop *vop = to_vop(crtc);
int ret, i;
 
-   ret = pm_runtime_get_sync(vop->dev);
+   ret = pm_runtime_resume_and_get(vop->dev);
if (ret < 0) {
DRM_DEV_ERROR(vop->dev, "failed to get pm runtime: %d\n", ret);
return ret;
@@ -1908,7 +1908,7 @@ static int vop_initial(struct vop *vop)
return PTR_ERR(vop->dclk);
}
 
-   ret = pm_runtime_get_sync(vop->dev);
+   ret = pm_runtime_resume_and_get(vop->dev);
if (ret < 0) {
DRM_DEV_ERROR(vop->dev, "failed to get pm runtime: %d\n", ret);
return ret;
-- 
2.23.0



[PATCH 0/3] drm/rockchip: fix reference leak of pm_runtime_get_sync

2020-11-30 Thread Qinglang Miao
Replace pm_runtime_get_sync with pm_runtime_resume_and_get to keep usage
counter balanced. 

Qinglang Miao (3):
  drm/rockchip: cdn-dp: fix reference leak when pm_runtime_get_sync
fails
  drm/rockchip: vop: fix reference leak when pm_runtime_get_sync fails
  drm/rockchip: lvds: fix reference leak when pm_runtime_get_sync fails

 drivers/gpu/drm/rockchip/cdn-dp-core.c  | 2 +-
 drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++--
 drivers/gpu/drm/rockchip/rockchip_lvds.c| 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

-- 
2.23.0



[PATCH 3/3] drm/rockchip: lvds: fix reference leak when pm_runtime_get_sync fails

2020-11-30 Thread Qinglang Miao
pm_runtime_get_sync will increment pm usage counter even
when it fails. Forgetting the put operation will result in a
reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: cca1705c3d89 ("drm/rockchip: lvds: Add PX30 support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/rockchip/rockchip_lvds.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/rockchip/rockchip_lvds.c 
b/drivers/gpu/drm/rockchip/rockchip_lvds.c
index f292c6a6e..c3b1ac484 100644
--- a/drivers/gpu/drm/rockchip/rockchip_lvds.c
+++ b/drivers/gpu/drm/rockchip/rockchip_lvds.c
@@ -145,7 +145,7 @@ static int rk3288_lvds_poweron(struct rockchip_lvds *lvds)
DRM_DEV_ERROR(lvds->dev, "failed to enable lvds pclk %d\n", 
ret);
return ret;
}
-   ret = pm_runtime_get_sync(lvds->dev);
+   ret = pm_runtime_resume_and_get(lvds->dev);
if (ret < 0) {
DRM_DEV_ERROR(lvds->dev, "failed to get pm runtime: %d\n", ret);
clk_disable(lvds->pclk);
@@ -329,7 +329,7 @@ static int px30_lvds_poweron(struct rockchip_lvds *lvds)
 {
int ret;
 
-   ret = pm_runtime_get_sync(lvds->dev);
+   ret = pm_runtime_resume_and_get(lvds->dev);
if (ret < 0) {
DRM_DEV_ERROR(lvds->dev, "failed to get pm runtime: %d\n", ret);
return ret;
-- 
2.23.0



[PATCH 1/3] drm/rockchip: cdn-dp: fix reference leak when pm_runtime_get_sync fails

2020-11-30 Thread Qinglang Miao
pm_runtime_get_sync will increment pm usage counter even
when it fails. Forgetting the put operation will result in a
reference leak here.

Replace it with pm_runtime_resume_and_get to keep usage
counter balanced.

Fixes: efe0220fc2d2 ("drm/rockchip: cdn-dp: Fix error handling")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/rockchip/cdn-dp-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c 
b/drivers/gpu/drm/rockchip/cdn-dp-core.c
index a4a45daf9..9b4406191 100644
--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c
+++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c
@@ -98,7 +98,7 @@ static int cdn_dp_clk_enable(struct cdn_dp_device *dp)
goto err_core_clk;
}
 
-   ret = pm_runtime_get_sync(dp->dev);
+   ret = pm_runtime_resume_and_get(dp->dev);
if (ret < 0) {
DRM_DEV_ERROR(dp->dev, "cannot get pm runtime %d\n", ret);
goto err_pm_runtime_get;
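Review bot: the failure branch still ends in "goto err_pm_runtime_get", and the body of that label is outside the context shown. pm_runtime_resume_and_get() has already dropped the usage counter by the time it returns an error, so please confirm that the label does not do a runtime-PM put of its own; if it does, this path now puts twice and that put has to go.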
-- 
2.23.0



Re: [PATCH] hwrng: exynos - fix reference leak in exynos_trng_probe

2020-11-30 Thread Qinglang Miao




On 2020/11/27 22:26, Lukasz Stelmach wrote:

It was <2020-11-27 Fri 17:44>, when Qinglang Miao wrote:

pm_runtime_get_sync will increment pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage
counter")

Fixes: 6cd225cc5d8a ("hwrng: exynos - add Samsung Exynos True RNG driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  drivers/char/hw_random/exynos-trng.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/hw_random/exynos-trng.c 
b/drivers/char/hw_random/exynos-trng.c
index 8e1fe3f8d..666246bc8 100644
--- a/drivers/char/hw_random/exynos-trng.c
+++ b/drivers/char/hw_random/exynos-trng.c
@@ -132,7 +132,7 @@ static int exynos_trng_probe(struct platform_device *pdev)
return PTR_ERR(trng->mem);
  
  	pm_runtime_enable(>dev);

-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0) {
dev_err(>dev, "Could not get runtime PM.\n");
goto err_pm_get;


Thanks. I suppose you may use the new function exynos_trng_resume(),
remove everything and leave only

return pm_runtime_resume_and_get(dev);

Hi, Lukasz

I sent a v2 on this one.

But I'm not really sure what 'remove everything' means. For 
example, should I remove exynos_trng_resume in this patch?


Thanks.




Re: [PATCH] hwrng: exynos - fix reference leak in exynos_trng_probe

2020-11-30 Thread Qinglang Miao




On 2020/11/27 17:44, Krzysztof Kozlowski wrote:

On Fri, Nov 27, 2020 at 05:44:46PM +0800, Qinglang Miao wrote:

pm_runtime_get_sync will increment pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage
counter")


Do not put such dependencies into the commit message - it does not bring
useful information to the history. Store it under '---' separator.



Fixes: 6cd225cc5d8a ("hwrng: exynos - add Samsung Exynos True RNG driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  drivers/char/hw_random/exynos-trng.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/hw_random/exynos-trng.c 
b/drivers/char/hw_random/exynos-trng.c
index 8e1fe3f8d..666246bc8 100644
--- a/drivers/char/hw_random/exynos-trng.c
+++ b/drivers/char/hw_random/exynos-trng.c
@@ -132,7 +132,7 @@ static int exynos_trng_probe(struct platform_device *pdev)
return PTR_ERR(trng->mem);
  
  	pm_runtime_enable(>dev);

-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);


This cannot be applied. Fix it by replacing err_clock label with this
one.
Best regards,
Krzysztof

.

Hi Krzysztof,

I realize that there's a mistake in this patch through your reply.

There are two ways to fix this one:
1) replace err_pm_get with err_clock label when pm_runtime_get_sync fails.
2) replace pm_runtime_get_sync with pm_runtime_resume_and_get and remove
redundant label(err_clock).

I take 2) in v2 because it makes the code clearer in a way.

Thanks.





[PATCH v2] hwrng: exynos - fix reference leak in exynos_trng_probe

2020-11-30 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

Replace it with pm_runtime_resume_and_get to keep the usage
counter balanced. I remove the err_clock label at the same time.

Fixes: 6cd225cc5d8a ("hwrng: exynos - add Samsung Exynos True RNG driver")
Reported-by: Hulk Robot 
Suggested-by: Lukasz Stelmach 
Signed-off-by: Qinglang Miao 
---
 v2: remove useless label as Lukasz suggested.

 drivers/char/hw_random/exynos-trng.c | 9 +++--
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/drivers/char/hw_random/exynos-trng.c 
b/drivers/char/hw_random/exynos-trng.c
index 8e1fe3f8d..ffebb72e4 100644
--- a/drivers/char/hw_random/exynos-trng.c
+++ b/drivers/char/hw_random/exynos-trng.c
@@ -132,7 +132,7 @@ static int exynos_trng_probe(struct platform_device *pdev)
return PTR_ERR(trng->mem);
 
pm_runtime_enable(>dev);
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0) {
dev_err(>dev, "Could not get runtime PM.\n");
goto err_pm_get;
@@ -142,13 +142,13 @@ static int exynos_trng_probe(struct platform_device *pdev)
if (IS_ERR(trng->clk)) {
ret = PTR_ERR(trng->clk);
dev_err(>dev, "Could not get clock.\n");
-   goto err_clock;
+   goto err_pm_get;
}
 
ret = clk_prepare_enable(trng->clk);
if (ret) {
dev_err(>dev, "Could not enable the clk.\n");
-   goto err_clock;
+   goto err_pm_get;
}
 
ret = devm_hwrng_register(>dev, >rng);
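Review bot: the two goto err_clock sites retargeted to err_pm_get (the devm_clk_get and clk_prepare_enable failures) run after pm_runtime_resume_and_get() has already succeeded, so the usage counter is held when they jump, and err_pm_get only calls pm_runtime_disable(). These paths now leave the reference in place. Keep them on a label that calls pm_runtime_put_sync() before falling into err_pm_get; only the failure branch of pm_runtime_resume_and_get() itself should skip the put.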
@@ -164,9 +164,6 @@ static int exynos_trng_probe(struct platform_device *pdev)
 err_register:
clk_disable_unprepare(trng->clk);
 
-err_clock:
-   pm_runtime_put_sync(>dev);
-
 err_pm_get:
pm_runtime_disable(>dev);
 
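Review bot: deleting err_clock together with its pm_runtime_put_sync() also changes the err_register path, which used to fall through clk_disable_unprepare() into that put and now falls straight into pm_runtime_disable(). After this hunk none of the error labels shown drops the reference taken by a successful pm_runtime_resume_and_get(). Suggest leaving the label and the put in place; the switch to pm_runtime_resume_and_get() in the first hunk already covers the failed-resume case.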
-- 
2.23.0
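The counter behaviour these commit messages describe, as an added user-space C model that is not kernel code and not part of the posted patch. All model_* names, the three layouts and the fault points are constructed; the label order follows the exynos_trng_probe hunks above, and it is an assumption that a failed devm_hwrng_register jumps to err_register.

```c
#include <stdio.h>

/* User-space model of the runtime-PM usage counter. Not kernel code. */
struct model_dev {
    int usage;        /* stands in for the device's PM usage count */
    int resume_fails; /* constructed fault: make the resume step fail */
};

/* Models pm_runtime_get_sync(): the counter is incremented first and
 * stays incremented even when the resume fails. */
static int model_get_sync(struct model_dev *d)
{
    d->usage++;
    return d->resume_fails ? -1 : 0;
}

/* Models any of the put helpers: drop one reference. */
static void model_put(struct model_dev *d)
{
    d->usage--;
}

/* Models pm_runtime_resume_and_get(): on failure the increment is undone
 * before the error is returned, so the caller must not put again. */
static int model_resume_and_get(struct model_dev *d)
{
    int ret = model_get_sync(d);

    if (ret < 0) {
        model_put(d);
        return ret;
    }
    return 0;
}

/* Constructed layouts: the code before the patch, the control flow of the
 * v2 hunks, and a hypothetical variant that keeps the err_clock label. */
enum layout { BEFORE_PATCH, V2_HUNKS, KEEP_ERR_CLOCK };
enum fail   { FAIL_NONE, FAIL_PM, FAIL_CLK, FAIL_REGISTER };

/* Returns the usage count left behind once the modelled probe returns. */
static int model_probe(enum layout l, enum fail f)
{
    struct model_dev d = { 0, f == FAIL_PM };
    int ret;

    ret = (l == BEFORE_PATCH) ? model_get_sync(&d) : model_resume_and_get(&d);
    if (ret < 0)
        goto err_pm_get;

    if (f == FAIL_CLK) {
        if (l == V2_HUNKS)
            goto err_pm_get;   /* v2 retargets the clock failures */
        goto err_clock;
    }
    if (f == FAIL_REGISTER)    /* assumption: register failure lands here */
        goto err_register;
    return d.usage;            /* success: probe keeps its reference */

err_register:
    /* clk_disable_unprepare() would run here */
    if (l == V2_HUNKS)
        goto err_pm_get;       /* err_clock no longer exists in v2 */
err_clock:
    model_put(&d);
err_pm_get:
    /* pm_runtime_disable() would run here */
    return d.usage;
}

int main(void)
{
    static const char *lname[] = { "before patch", "v2 hunks", "keep err_clock" };
    static const char *fname[] = { "none", "pm resume", "clk", "hwrng register" };

    for (int l = BEFORE_PATCH; l <= KEEP_ERR_CLOCK; l++)
        for (int f = FAIL_NONE; f <= FAIL_REGISTER; f++)
            printf("%-15s fail=%-15s usage left=%d\n", lname[l], fname[f],
                   model_probe((enum layout)l, (enum fail)f));
    return 0;
}
```

A non-zero count on a failed probe is a leaked reference; a count of 1 with no failure is the reference a successful probe is meant to keep.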



Re: [PATCH] drm/panfrost: fix reference leak in panfrost_job_hw_submit

2020-11-30 Thread Qinglang Miao




On 2020/11/27 18:06, Steven Price wrote:

On 27/11/2020 09:44, Qinglang Miao wrote:

pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")


Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  drivers/gpu/drm/panfrost/panfrost_job.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/panfrost/panfrost_job.c 
b/drivers/gpu/drm/panfrost/panfrost_job.c

index 30e7b7196..04cf3bb67 100644
--- a/drivers/gpu/drm/panfrost/panfrost_job.c
+++ b/drivers/gpu/drm/panfrost/panfrost_job.c
@@ -147,7 +147,7 @@ static void panfrost_job_hw_submit(struct 
panfrost_job *job, int js)

  panfrost_devfreq_record_busy(>pfdevfreq);
-    ret = pm_runtime_get_sync(pfdev->dev);
+    ret = pm_runtime_resume_and_get(pfdev->dev);


Sorry, but in this case this change isn't correct. 
panfrost_job_hw_submit() is expected to be unbalanced (the PM reference 
count is expected to be incremented on return).


In the case where pm_runtime_get_sync() fails, the job will eventually 
timeout, and there's a corresponding pm_runtime_put_noidle() in 
panfrost_reset().


Potentially this could be handled better (e.g. without waiting for the 
timeout to occur), but equally this isn't something we expect to happen 
in normal operation.


Steve

Sorry, I didn't notice the pm_runtime_put_noidle() in 
panfrost_job_timedout() before.


Thanks for your reply.



  if (ret < 0)
  return;



.


[PATCH] scsi: zfcp: move the position of put_device

2020-11-30 Thread Qinglang Miao
Have the `put_device()` call after `device_unregister()` in both
`zfcp_unit_remove()` and `zfcp_sysfs_port_remove_store()` to make
it more natural, for put_device() ought to be the last time we
touch the object in both functions.

Suggested-by: Benjamin Block 
Signed-off-by: Qinglang Miao 
---
 drivers/s390/scsi/zfcp_sysfs.c | 4 ++--
 drivers/s390/scsi/zfcp_unit.c  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_sysfs.c b/drivers/s390/scsi/zfcp_sysfs.c
index 8d9662e8b..edfeed4ba 100644
--- a/drivers/s390/scsi/zfcp_sysfs.c
+++ b/drivers/s390/scsi/zfcp_sysfs.c
@@ -327,10 +327,10 @@ static ssize_t zfcp_sysfs_port_remove_store(struct device 
*dev,
list_del(>list);
write_unlock_irq(>port_list_lock);
 
-   put_device(>dev);
-
zfcp_erp_port_shutdown(port, 0, "syprs_1");
device_unregister(>dev);
+
+   put_device(>dev);
  out:
zfcp_ccw_adapter_put(adapter);
return retval ? retval : (ssize_t) count;
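Review bot: missing documentation at the put_device() now placed after device_unregister(): neither the hunk nor the commit message says which earlier get this put balances, and sitting directly after device_unregister() it reads like a second release of the same reference. A one-line comment naming where the reference was taken would make the ordering self-explanatory, and the commit message should say whether any functional change is intended.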
diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c
index e67bf7388..4ee355ae1 100644
--- a/drivers/s390/scsi/zfcp_unit.c
+++ b/drivers/s390/scsi/zfcp_unit.c
@@ -255,9 +255,9 @@ int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun)
scsi_device_put(sdev);
}
 
-   put_device(>dev);
-
device_unregister(>dev);
 
+   put_device(>dev);
+
return 0;
 }
-- 
2.23.0



Re: [PATCH 2/3] powerpc/pseries/hotplug-cpu: fix memleak in dlpar_cpu_add_by_count

2020-11-29 Thread Qinglang Miao




On 2020/11/30 9:51, Michael Ellerman wrote:

Qinglang Miao  writes:

kfree(cpu_drcs) should be called when it fails to perform
of_find_node_by_path("/cpus") in dlpar_cpu_add_by_count,
otherwise there would be a memleak.

In fact, the patch a0ff72f9f5a7 ought to remove kfree in
find_dlpar_cpus_to_add rather than dlpar_cpu_add_by_count.
I guess there might be a mistake when applying that one.

Fixes: a0ff72f9f5a7 ("powerpc/pseries/hotplug-cpu: Remove double free in error 
path")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  arch/powerpc/platforms/pseries/hotplug-cpu.c | 1 +
  1 file changed, 1 insertion(+)


This is already fixed in my next by:

   a40fdaf1420d ("Revert "powerpc/pseries/hotplug-cpu: Remove double free in error 
path"")

cheers

'Revert' sounds reasonable to this one, glad to know that.


diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c 
b/arch/powerpc/platforms/pseries/hotplug-cpu.c
index f2837e33b..4bb1c9f2b 100644
--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
+++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
@@ -743,6 +743,7 @@ static int dlpar_cpu_add_by_count(u32 cpus_to_add)
parent = of_find_node_by_path("/cpus");
if (!parent) {
pr_warn("Could not find CPU root node in device tree\n");
+   kfree(cpu_drcs);
return -1;
}
  
--

2.23.0

.



[PATCH 1/3] dm ioctl: fix error return code in target_message

2020-11-28 Thread Qinglang Miao
Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.

Fixes: 2ca4c92f58f9 ("dm ioctl: prevent empty message")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/md/dm-ioctl.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
index cd0478d44..5e306bba4 100644
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1600,6 +1600,7 @@ static int target_message(struct file *filp, struct 
dm_ioctl *param, size_t para
 
if (!argc) {
DMWARN("Empty message received.");
+   r = -EINVAL;
goto out_argv;
}
 
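Review bot: the r = -EINVAL added in the if (!argc) branch changes what user space sees from this ioctl, since an empty message used to come back as 0 and will now fail. The commit message only calls it an error-code fix; it should state that user-visible change explicitly so that anyone bisecting a caller that relied on the old return value can find it.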
-- 
2.23.0



[PATCH 3/3] media: xilinx: fix error return code in xvip_graph_init

2020-11-28 Thread Qinglang Miao
Fix to return a negative error code (-ENODEV) from the error
handling case instead of 0, as done elsewhere in this function.

Fixes: df3305156f98 ("[media] v4l: xilinx: Add Xilinx Video IP core")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/media/platform/xilinx/xilinx-vipp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/platform/xilinx/xilinx-vipp.c 
b/drivers/media/platform/xilinx/xilinx-vipp.c
index cc2856efe..9cab2f77f 100644
--- a/drivers/media/platform/xilinx/xilinx-vipp.c
+++ b/drivers/media/platform/xilinx/xilinx-vipp.c
@@ -525,6 +525,7 @@ static int xvip_graph_init(struct xvip_composite_device 
*xdev)
 
if (list_empty(>notifier.asd_list)) {
dev_err(xdev->dev, "no subdev found in graph\n");
+   ret = -ENODEV;
goto done;
}
 
-- 
2.23.0



[PATCH 2/3] powerpc/pseries/hotplug-cpu: fix memleak in dlpar_cpu_add_by_count

2020-11-28 Thread Qinglang Miao
kfree(cpu_drcs) should be called when it fails to perform
of_find_node_by_path("/cpus") in dlpar_cpu_add_by_count,
otherwise there would be a memleak.

In fact, the patch a0ff72f9f5a7 ought to remove kfree in
find_dlpar_cpus_to_add rather than dlpar_cpu_add_by_count.
I guess there might be a mistake when applying that one.

Fixes: a0ff72f9f5a7 ("powerpc/pseries/hotplug-cpu: Remove double free in error 
path")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 arch/powerpc/platforms/pseries/hotplug-cpu.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c 
b/arch/powerpc/platforms/pseries/hotplug-cpu.c
index f2837e33b..4bb1c9f2b 100644
--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
+++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
@@ -743,6 +743,7 @@ static int dlpar_cpu_add_by_count(u32 cpus_to_add)
parent = of_find_node_by_path("/cpus");
if (!parent) {
pr_warn("Could not find CPU root node in device tree\n");
+   kfree(cpu_drcs);
return -1;
}
 
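Review bot: the kfree(cpu_drcs) added in the !parent branch puts back a free that the Fixes: target, titled "Remove double free in error path", took out of this function, so the message needs to show why this is not a double free again. State who owns cpu_drcs at this point and that no callee has already released it. A single exit label that does the kfree would also be easier to audit than a free placed inline before return -1.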
-- 
2.23.0



[PATCH 1/3] crypto: sun4i - fix reference leak in sun4i-ss

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/crypto/allwinner/sun4i-ss/sun4i-ss-cipher.c | 2 +-
 drivers/crypto/allwinner/sun4i-ss/sun4i-ss-core.c   | 2 +-
 drivers/crypto/allwinner/sun4i-ss/sun4i-ss-hash.c   | 2 +-
 drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c   | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-cipher.c 
b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-cipher.c
index b72de8939..d0d6671c1 100644
--- a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-cipher.c
+++ b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-cipher.c
@@ -504,7 +504,7 @@ int sun4i_ss_cipher_init(struct crypto_tfm *tfm)
crypto_skcipher_reqsize(op->fallback_tfm));
 
 
-   err = pm_runtime_get_sync(op->ss->dev);
+   err = pm_runtime_resume_and_get(op->ss->dev);
if (err < 0)
goto error_pm;
 
diff --git a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-core.c 
b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-core.c
index a2b67f7f8..19fd03185 100644
--- a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-core.c
+++ b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-core.c
@@ -413,7 +413,7 @@ static int sun4i_ss_probe(struct platform_device *pdev)
 * this info could be useful
 */
 
-   err = pm_runtime_get_sync(ss->dev);
+   err = pm_runtime_resume_and_get(ss->dev);
if (err < 0)
goto error_pm;
 
diff --git a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-hash.c 
b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-hash.c
index 1dff48558..fac21fc1e 100644
--- a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-hash.c
+++ b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-hash.c
@@ -27,7 +27,7 @@ int sun4i_hash_crainit(struct crypto_tfm *tfm)
algt = container_of(alg, struct sun4i_ss_alg_template, alg.hash);
op->ss = algt->ss;
 
-   err = pm_runtime_get_sync(op->ss->dev);
+   err = pm_runtime_resume_and_get(op->ss->dev);
if (err < 0)
return err;
 
diff --git a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c 
b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c
index 729aafdbe..848937463 100644
--- a/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c
+++ b/drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c
@@ -28,7 +28,7 @@ int sun4i_ss_prng_generate(struct crypto_rng *tfm, const u8 
*src,
algt = container_of(alg, struct sun4i_ss_alg_template, alg.rng);
ss = algt->ss;
 
-   err = pm_runtime_get_sync(ss->dev);
+   err = pm_runtime_resume_and_get(ss->dev);
if (err < 0)
return err;
 
-- 
2.23.0



[PATCH 2/3] crypto: sun8i - fix reference leak in sun8i-ce

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c 
b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c
index 158422ff5..00194d1d9 100644
--- a/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c
+++ b/drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c
@@ -932,7 +932,7 @@ static int sun8i_ce_probe(struct platform_device *pdev)
if (err)
goto error_alg;
 
-   err = pm_runtime_get_sync(ce->dev);
+   err = pm_runtime_resume_and_get(ce->dev);
if (err < 0)
goto error_alg;
 
-- 
2.23.0



[PATCH 3/3] crypto: sun8i - fix reference leak in sun8i-ss

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
 drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c 
b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
index ed2a69f82..7c355bc2f 100644
--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
+++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c
@@ -351,7 +351,7 @@ int sun8i_ss_cipher_init(struct crypto_tfm *tfm)
op->enginectx.op.prepare_request = NULL;
op->enginectx.op.unprepare_request = NULL;
 
-   err = pm_runtime_get_sync(op->ss->dev);
+   err = pm_runtime_resume_and_get(op->ss->dev);
if (err < 0) {
dev_err(op->ss->dev, "pm error %d\n", err);
goto error_pm;
diff --git a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c 
b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c
index e0ddc6847..80e89066d 100644
--- a/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c
+++ b/drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c
@@ -753,7 +753,7 @@ static int sun8i_ss_probe(struct platform_device *pdev)
if (err)
goto error_alg;
 
-   err = pm_runtime_get_sync(ss->dev);
+   err = pm_runtime_resume_and_get(ss->dev);
if (err < 0)
goto error_alg;
 
-- 
2.23.0



[PATCH 0/3] crypto: sun - fix reference leak

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

Use pm_runtime_resume_and_get to fix it.

Qinglang Miao (3):
  crypto: sun4i - fix reference leak in sun4i-ss
  crypto: sun8i - fix reference leak in sun8i-ce
  crypto: sun8i - fix reference leak in sun8i-ss

 drivers/crypto/allwinner/sun4i-ss/sun4i-ss-cipher.c | 2 +-
 drivers/crypto/allwinner/sun4i-ss/sun4i-ss-core.c   | 2 +-
 drivers/crypto/allwinner/sun4i-ss/sun4i-ss-hash.c   | 2 +-
 drivers/crypto/allwinner/sun4i-ss/sun4i-ss-prng.c   | 2 +-
 drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c   | 2 +-
 drivers/crypto/allwinner/sun8i-ss/sun8i-ss-cipher.c | 2 +-
 drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c   | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

-- 
2.23.0



[PATCH 1/2] crypto: stm32/cryp - fix reference leak in stm32_cryp_remove

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: 65f9aa36ee47 ("crypto: stm32/cryp - Add power management support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/crypto/stm32/stm32-cryp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/stm32/stm32-cryp.c 
b/drivers/crypto/stm32/stm32-cryp.c
index 2670c3033..7f3b84973 100644
--- a/drivers/crypto/stm32/stm32-cryp.c
+++ b/drivers/crypto/stm32/stm32-cryp.c
@@ -2043,7 +2043,7 @@ static int stm32_cryp_remove(struct platform_device *pdev)
if (!cryp)
return -ENODEV;
 
-   ret = pm_runtime_get_sync(cryp->dev);
+   ret = pm_runtime_resume_and_get(cryp->dev);
if (ret < 0)
return ret;
 
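Review bot: the if (ret < 0) return ret; kept after the converted call sits in a remove() callback, so a failed resume skips whatever teardown follows while the device is unbound regardless of the return value. Balancing the counter does not address that. Consider carrying on with the teardown that does not need the hardware powered and skipping only the register access when the resume fails.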
-- 
2.23.0



[PATCH 0/2] crypto: stm32 - fix reference leak

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

Use pm_runtime_resume_and_get to fix it.

Qinglang Miao (2):
  crypto: stm32/cryp - fix reference leak in stm32_cryp_remove
  crypto: stm32/hash - fix reference leak in stm32_hash_remove

 drivers/crypto/stm32/stm32-cryp.c | 2 +-
 drivers/crypto/stm32/stm32-hash.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

-- 
2.23.0



[PATCH 2/2] crypto: stm32/hash - fix reference leak in stm32_hash_remove

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: 8b4d566de6a5 ("crypto: stm32/hash - Add power management support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/crypto/stm32/stm32-hash.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/stm32/stm32-hash.c 
b/drivers/crypto/stm32/stm32-hash.c
index e3e25278a..16bb52836 100644
--- a/drivers/crypto/stm32/stm32-hash.c
+++ b/drivers/crypto/stm32/stm32-hash.c
@@ -1565,7 +1565,7 @@ static int stm32_hash_remove(struct platform_device *pdev)
if (!hdev)
return -ENODEV;
 
-   ret = pm_runtime_get_sync(hdev->dev);
+   ret = pm_runtime_resume_and_get(hdev->dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH] dmaengine: tegra-apb: fix reference leak in tegra_dma_issue_pending and tegra_dma_synchronize

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: 84a3f375eea9 ("dmaengine: tegra-apb: Keep clock enabled only during of 
DMA transfer")
Fixes: 664475cffb8c ("dmaengine: tegra-apb: Ensure that clock is enabled during 
of DMA synchronization")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/dma/tegra20-apb-dma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/dma/tegra20-apb-dma.c b/drivers/dma/tegra20-apb-dma.c
index 71827d9b0..b7260749e 100644
--- a/drivers/dma/tegra20-apb-dma.c
+++ b/drivers/dma/tegra20-apb-dma.c
@@ -723,7 +723,7 @@ static void tegra_dma_issue_pending(struct dma_chan *dc)
goto end;
}
if (!tdc->busy) {
-   err = pm_runtime_get_sync(tdc->tdma->dev);
+   err = pm_runtime_resume_and_get(tdc->tdma->dev);
if (err < 0) {
dev_err(tdc2dev(tdc), "Failed to enable DMA\n");
goto end;
@@ -818,7 +818,7 @@ static void tegra_dma_synchronize(struct dma_chan *dc)
struct tegra_dma_channel *tdc = to_tegra_dma_chan(dc);
int err;
 
-   err = pm_runtime_get_sync(tdc->tdma->dev);
+   err = pm_runtime_resume_and_get(tdc->tdma->dev);
if (err < 0) {
dev_err(tdc2dev(tdc), "Failed to synchronize DMA: %d\n", err);
return;
-- 
2.23.0



[PATCH 3/3] dmaengine: stm32-mdma: fix reference leak in stm32-mdma

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: 7cb819c856d9 ("dmaengine: stm32-mdma: add suspend/resume power 
management support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/dma/stm32-mdma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/dma/stm32-mdma.c b/drivers/dma/stm32-mdma.c
index 08cfbfab8..9d4739237 100644
--- a/drivers/dma/stm32-mdma.c
+++ b/drivers/dma/stm32-mdma.c
@@ -1448,7 +1448,7 @@ static int stm32_mdma_alloc_chan_resources(struct 
dma_chan *c)
return -ENOMEM;
}
 
-   ret = pm_runtime_get_sync(dmadev->ddev.dev);
+   ret = pm_runtime_resume_and_get(dmadev->ddev.dev);
if (ret < 0)
return ret;
 
@@ -1714,7 +1714,7 @@ static int stm32_mdma_pm_suspend(struct device *dev)
u32 ccr, id;
int ret;
 
-   ret = pm_runtime_get_sync(dev);
+   ret = pm_runtime_resume_and_get(dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH 2/3] dmaengine: stm32-dmamux: fix reference leak in stm32_dmamux

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: f65c2e14b096 ("dmaengine: stm32-dmamux: add suspend/resume power 
management support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/dma/stm32-dmamux.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/dma/stm32-dmamux.c b/drivers/dma/stm32-dmamux.c
index a10ccd964..bddd3b23f 100644
--- a/drivers/dma/stm32-dmamux.c
+++ b/drivers/dma/stm32-dmamux.c
@@ -137,7 +137,7 @@ static void *stm32_dmamux_route_allocate(struct 
of_phandle_args *dma_spec,
 
/* Set dma request */
spin_lock_irqsave(>lock, flags);
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0) {
spin_unlock_irqrestore(>lock, flags);
goto error;
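Review bot: the converted call sits between spin_lock_irqsave() and spin_unlock_irqrestore(), and a synchronous runtime resume may sleep unless the device has been marked IRQ-safe for runtime PM. Since the line is being touched anyway, move pm_runtime_resume_and_get() in front of the lock, or state in the commit message why sleeping is impossible here.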
@@ -336,7 +336,7 @@ static int stm32_dmamux_suspend(struct device *dev)
struct stm32_dmamux_data *stm32_dmamux = platform_get_drvdata(pdev);
int i, ret;
 
-   ret = pm_runtime_get_sync(dev);
+   ret = pm_runtime_resume_and_get(dev);
if (ret < 0)
return ret;
 
@@ -361,7 +361,7 @@ static int stm32_dmamux_resume(struct device *dev)
if (ret < 0)
return ret;
 
-   ret = pm_runtime_get_sync(dev);
+   ret = pm_runtime_resume_and_get(dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH 0/3] dmaengine: stm32: fix reference leak

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

Use pm_runtime_resume_and_get to fix it.

Qinglang Miao (3):
  dmaengine: stm32-dma: fix reference leak in stm32_dma
  dmaengine: stm32-dmamux: fix reference leak in stm32_dmamux
  dmaengine: stm32-mdma: fix reference leak in stm32-mdma

 drivers/dma/stm32-dma.c| 4 ++--
 drivers/dma/stm32-dmamux.c | 6 +++---
 drivers/dma/stm32-mdma.c   | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

-- 
2.23.0



[PATCH 1/3] dmaengine: stm32-dma: fix reference leak in stm32_dma

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: 05f8740a0e6f ("dmaengine: stm32-dma: add suspend/resume power management 
support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/dma/stm32-dma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/dma/stm32-dma.c b/drivers/dma/stm32-dma.c
index d0055d2f0..1150aa90e 100644
--- a/drivers/dma/stm32-dma.c
+++ b/drivers/dma/stm32-dma.c
@@ -1187,7 +1187,7 @@ static int stm32_dma_alloc_chan_resources(struct dma_chan 
*c)
 
chan->config_init = false;
 
-   ret = pm_runtime_get_sync(dmadev->ddev.dev);
+   ret = pm_runtime_resume_and_get(dmadev->ddev.dev);
if (ret < 0)
return ret;
 
@@ -1455,7 +1455,7 @@ static int stm32_dma_suspend(struct device *dev)
struct stm32_dma_device *dmadev = dev_get_drvdata(dev);
int id, ret, scr;
 
-   ret = pm_runtime_get_sync(dev);
+   ret = pm_runtime_resume_and_get(dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH] dmaengine: sprd: fix reference leak in sprd_dma_probe and sprd_dma_remove

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: 9b3b8171f7f4 ("dmaengine: sprd: Add Spreadtrum DMA driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/dma/sprd-dma.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/dma/sprd-dma.c b/drivers/dma/sprd-dma.c
index 0ef5ca81b..65dde392f 100644
--- a/drivers/dma/sprd-dma.c
+++ b/drivers/dma/sprd-dma.c
@@ -1203,7 +1203,7 @@ static int sprd_dma_probe(struct platform_device *pdev)
pm_runtime_set_active(>dev);
pm_runtime_enable(>dev);
 
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0)
goto err_rpm;
 
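Review bot: in sprd_dma_probe the failure branch still jumps to err_rpm, and the body of that label is outside the hunk. pm_runtime_resume_and_get() has already dropped the count when it returns an error, so if err_rpm does a runtime-PM put of any kind the counter is now decremented twice. Please quote the label in the patch or confirm it only calls pm_runtime_disable(); the same check applies to every converted call site whose error path goes through a label.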
@@ -1238,7 +1238,7 @@ static int sprd_dma_remove(struct platform_device *pdev)
struct sprd_dma_chn *c, *cn;
int ret;
 
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH] drm/panfrost: fix reference leak in panfrost_job_hw_submit

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/panfrost/panfrost_job.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/panfrost/panfrost_job.c 
b/drivers/gpu/drm/panfrost/panfrost_job.c
index 30e7b7196..04cf3bb67 100644
--- a/drivers/gpu/drm/panfrost/panfrost_job.c
+++ b/drivers/gpu/drm/panfrost/panfrost_job.c
@@ -147,7 +147,7 @@ static void panfrost_job_hw_submit(struct panfrost_job 
*job, int js)
 
panfrost_devfreq_record_busy(>pfdevfreq);
 
-   ret = pm_runtime_get_sync(pfdev->dev);
+   ret = pm_runtime_resume_and_get(pfdev->dev);
if (ret < 0)
return;
 
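Review bot: panfrost_job_hw_submit() returns void, so the if (ret < 0) return; after the converted call gives the caller no way to tell whether a PM reference is held. If a later path drops one reference for every submitted job, a failed resume now leads to a put without a matching get. Either keep pm_runtime_get_sync() here or propagate the failure so that the later put can be skipped.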
-- 
2.23.0



[PATCH] drm/mediatek: fix reference leak in mtk_crtc_ddp_hw_init

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/mediatek/mtk_drm_crtc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c 
b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
index ac0385721..dfd5ed15a 100644
--- a/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_crtc.c
@@ -274,7 +274,7 @@ static int mtk_crtc_ddp_hw_init(struct mtk_drm_crtc 
*mtk_crtc)
drm_connector_list_iter_end(_iter);
}
 
-   ret = pm_runtime_get_sync(crtc->dev->dev);
+   ret = pm_runtime_resume_and_get(crtc->dev->dev);
if (ret < 0) {
DRM_ERROR("Failed to enable power domain: %d\n", ret);
return ret;
-- 
2.23.0



[PATCH] drm/lima: fix reference leak in lima_pm_busy

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the pm usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add pm_runtime_resume_and_get to deal with usage counter")

Fixes: 50de2e9ebbc0 ("drm/lima: enable runtime pm")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/lima/lima_sched.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/lima/lima_sched.c 
b/drivers/gpu/drm/lima/lima_sched.c
index dc6df9e9a..f6e7a88a5 100644
--- a/drivers/gpu/drm/lima/lima_sched.c
+++ b/drivers/gpu/drm/lima/lima_sched.c
@@ -200,7 +200,7 @@ static int lima_pm_busy(struct lima_device *ldev)
int ret;
 
/* resume GPU if it has been suspended by runtime PM */
-   ret = pm_runtime_get_sync(ldev->dev);
+   ret = pm_runtime_resume_and_get(ldev->dev);
if (ret < 0)
return ret;
 
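Review bot: lima_pm_busy() hands `ret` back to its caller from the `if (ret < 0)` check, so after this change a negative return means no usage-counter reference is held. Please confirm in the commit message that no caller of lima_pm_busy() (outside this hunk) drops a reference on that failure path, otherwise the swap turns the leak into an underflow.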
-- 
2.23.0



[PATCH] gpio: zynq: fix reference leak in zynq_gpio functions

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: c2df3de0d07e ("gpio: zynq: properly support runtime PM for GPIO used as 
interrupts")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpio/gpio-zynq.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpio/gpio-zynq.c b/drivers/gpio/gpio-zynq.c
index 0b5a17ab9..3521c1dc3 100644
--- a/drivers/gpio/gpio-zynq.c
+++ b/drivers/gpio/gpio-zynq.c
@@ -574,7 +574,7 @@ static int zynq_gpio_irq_reqres(struct irq_data *d)
struct gpio_chip *chip = irq_data_get_irq_chip_data(d);
int ret;
 
-   ret = pm_runtime_get_sync(chip->parent);
+   ret = pm_runtime_resume_and_get(chip->parent);
if (ret < 0)
return ret;
 
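Review bot: the subject says only "zynq_gpio functions"; name the two functions the patch touches, zynq_gpio_irq_reqres() here and zynq_gpio_probe() in the next hunk, so the fix can be found by function name. In this hunk the failure branch returns `ret` directly, so the replacement alone balances the counter.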
@@ -942,7 +942,7 @@ static int zynq_gpio_probe(struct platform_device *pdev)
 
pm_runtime_set_active(>dev);
pm_runtime_enable(>dev);
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0)
goto err_pm_dis;
 
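Review bot: the failure branch in zynq_gpio_probe() jumps to `err_pm_dis`, whose body is outside this hunk. With pm_runtime_resume_and_get() the reference is already dropped when `ret < 0`, so check that `err_pm_dis` only disables runtime PM and does not also put; if it does put, this change leaves the counter unbalanced in the other direction.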
-- 
2.23.0



[PATCH] drm/bridge: cdns: fix reference leak in cdns_dsi_transfer

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/bridge/cdns-dsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/bridge/cdns-dsi.c 
b/drivers/gpu/drm/bridge/cdns-dsi.c
index 76373e31d..b31281f76 100644
--- a/drivers/gpu/drm/bridge/cdns-dsi.c
+++ b/drivers/gpu/drm/bridge/cdns-dsi.c
@@ -1028,7 +1028,7 @@ static ssize_t cdns_dsi_transfer(struct mipi_dsi_host 
*host,
struct mipi_dsi_packet packet;
int ret, i, tx_len, rx_len;
 
-   ret = pm_runtime_get_sync(host->dev);
+   ret = pm_runtime_resume_and_get(host->dev);
if (ret < 0)
return ret;
 
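Review bot: the Fixes: tag points at e19233955d9e, but the replacement call only exists once dd8088d5a896 (cited as [0] in the message) is present. State that dependency explicitly so a backport of this one-line change to a tree without [0] is not attempted; there the equivalent fix for the `if (ret < 0)` return in cdns_dsi_transfer() would be a pm_runtime_put_noidle() before `return ret`.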
-- 
2.23.0



[PATCH] hwrng: exynos - fix reference leak in exynos_trng_probe

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: 6cd225cc5d8a ("hwrng: exynos - add Samsung Exynos True RNG driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/char/hw_random/exynos-trng.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/char/hw_random/exynos-trng.c 
b/drivers/char/hw_random/exynos-trng.c
index 8e1fe3f8d..666246bc8 100644
--- a/drivers/char/hw_random/exynos-trng.c
+++ b/drivers/char/hw_random/exynos-trng.c
@@ -132,7 +132,7 @@ static int exynos_trng_probe(struct platform_device *pdev)
return PTR_ERR(trng->mem);
 
pm_runtime_enable(>dev);
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0) {
dev_err(>dev, "Could not get runtime PM.\n");
goto err_pm_get;
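Review bot: the `goto err_pm_get` in the failure branch lands on a label that is not shown in this hunk. Verify that the label's cleanup pairs only with the `pm_runtime_enable()` just above the changed call and performs no put, because after this change a failed pm_runtime_resume_and_get() leaves nothing to put.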
-- 
2.23.0



[PATCH] drm: rcar-du: fix reference leak in amdgpu_debugfs_gfxoff_read

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: e08e934d6c28 ("drm: rcar-du: Add support for CMM")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c 
b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
index 2d125b8b1..05de69a97 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
@@ -1096,7 +1096,7 @@ static ssize_t amdgpu_debugfs_gfxoff_read(struct file *f, 
char __user *buf,
if (size & 0x3 || *pos & 0x3)
return -EINVAL;
 
-   r = pm_runtime_get_sync(adev_to_drm(adev)->dev);
+   r = pm_runtime_resume_and_get(adev_to_drm(adev)->dev);
if (r < 0)
return r;
 
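Review bot: the subject prefix "drm: rcar-du:" and the Fixes: tag e08e934d6c28 ("drm: rcar-du: Add support for CMM") do not match this hunk, which changes amdgpu_debugfs_gfxoff_read() in drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c. Both look copied from the rcar_cmm patch in the same series; use the amdgpu prefix and the commit that introduced the pm_runtime_get_sync() call in this function.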
-- 
2.23.0



[PATCH] drm: rcar-du: fix reference leak in rcar_cmm_enable

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: e08e934d6c28 ("drm: rcar-du: Add support for CMM")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/rcar-du/rcar_cmm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/rcar-du/rcar_cmm.c 
b/drivers/gpu/drm/rcar-du/rcar_cmm.c
index c578095b0..382d53f8a 100644
--- a/drivers/gpu/drm/rcar-du/rcar_cmm.c
+++ b/drivers/gpu/drm/rcar-du/rcar_cmm.c
@@ -122,7 +122,7 @@ int rcar_cmm_enable(struct platform_device *pdev)
 {
int ret;
 
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0)
return ret;
 
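Review bot: `if (ret < 0)` after the new call can be written `if (ret)`, since pm_runtime_resume_and_get() returns 0 on success and a negative errno otherwise, unlike pm_runtime_get_sync(). Not a blocker, but rcar_cmm_enable() is a non-static entry point, so it is worth stating in the commit message that it now returns without a reference held whenever it fails.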
-- 
2.23.0



[PATCH] drm: bridge: cdns-mhdp8546: fix reference leak in cdns_mhdp_probe

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: fb43aa0acdfd ("drm: bridge: Add support for Cadence MHDP8546 DPI/DP 
bridge")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c 
b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
index d0c65610e..3ee515d21 100644
--- a/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
+++ b/drivers/gpu/drm/bridge/cadence/cdns-mhdp8546-core.c
@@ -2369,7 +2369,7 @@ static int cdns_mhdp_probe(struct platform_device *pdev)
clk_prepare_enable(clk);
 
pm_runtime_enable(dev);
-   ret = pm_runtime_get_sync(dev);
+   ret = pm_runtime_resume_and_get(dev);
if (ret < 0) {
dev_err(dev, "pm_runtime_get_sync failed\n");
pm_runtime_disable(dev);
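Review bot: the dev_err() string in the failure branch still reads "pm_runtime_get_sync failed" although the call is now pm_runtime_resume_and_get(); update the message or make it call-neutral so the log does not name a function that is no longer there. The `pm_runtime_disable(dev)` that follows is the right cleanup now that no put is needed.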
-- 
2.23.0



[PATCH] dmaengine: usb-mac: fix reference leak in usb_dmac_probe

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: 0c1c8ff32fa2 ("dmaengine: usb-dmac: Add Renesas USB DMA Controller 
(USB-DMAC) driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/dma/sh/usb-dmac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/sh/usb-dmac.c b/drivers/dma/sh/usb-dmac.c
index 8f7ceb698..2a6c8fd88 100644
--- a/drivers/dma/sh/usb-dmac.c
+++ b/drivers/dma/sh/usb-dmac.c
@@ -796,7 +796,7 @@ static int usb_dmac_probe(struct platform_device *pdev)
 
/* Enable runtime PM and initialize the device. */
pm_runtime_enable(>dev);
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0) {
dev_err(>dev, "runtime PM get sync failed (%d)\n", ret);
goto error_pm;
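Review bot: the failure branch jumps to `error_pm`, which lies outside this hunk; if that label calls pm_runtime_put() before disabling runtime PM, the new helper has already dropped the reference and the put must go, or the goto needs a label placed after it. Also, the subject says "usb-mac" while the file is drivers/dma/sh/usb-dmac.c, and the dev_err() text still says "get sync".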
-- 
2.23.0



[PATCH] dmaengine: zynqmp_dma: fix reference leak in zynqmp_dma_alloc_chan_resources

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: 64c6f7da8c2c ("dmaengine: zynqmp_dma: Add runtime pm support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/dma/xilinx/zynqmp_dma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/xilinx/zynqmp_dma.c b/drivers/dma/xilinx/zynqmp_dma.c
index d8419565b..5fecf5aa6 100644
--- a/drivers/dma/xilinx/zynqmp_dma.c
+++ b/drivers/dma/xilinx/zynqmp_dma.c
@@ -468,7 +468,7 @@ static int zynqmp_dma_alloc_chan_resources(struct dma_chan 
*dchan)
struct zynqmp_dma_desc_sw *desc;
int i, ret;
 
-   ret = pm_runtime_get_sync(chan->dev);
+   ret = pm_runtime_resume_and_get(chan->dev);
if (ret < 0)
return ret;
 
-- 
2.23.0



[PATCH] dmaengine: rcar-dmac: fix reference leak in rcar_dmac_probe

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: 87244fe5abdf ("dmaengine: rcar-dmac: Add Renesas R-Car Gen2 DMA 
Controller (DMAC) driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/dma/sh/rcar-dmac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
index a57705356..991a7b5da 100644
--- a/drivers/dma/sh/rcar-dmac.c
+++ b/drivers/dma/sh/rcar-dmac.c
@@ -1874,7 +1874,7 @@ static int rcar_dmac_probe(struct platform_device *pdev)
 
/* Enable runtime PM and initialize the device. */
pm_runtime_enable(>dev);
-   ret = pm_runtime_get_sync(>dev);
+   ret = pm_runtime_resume_and_get(>dev);
if (ret < 0) {
dev_err(>dev, "runtime PM get sync failed (%d)\n", ret);
return ret;
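Review bot: the failure branch returns `ret` right after `pm_runtime_enable()` without a matching pm_runtime_disable(), so even with the usage counter fixed the probe error path leaves runtime PM enabled. Consider adding the disable before `return ret` in the same patch, and updating the "runtime PM get sync failed" text.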
-- 
2.23.0



[PATCH] crypto: sa2ul - fix reference leak in sa_ul_probe()

2020-11-27 Thread Qinglang Miao
pm_runtime_get_sync will increment the PM usage counter even if it
fails. Forgetting the put operation will result in a
reference leak here.

A new function pm_runtime_resume_and_get is introduced in
[0] to keep the usage counter balanced. So we fix the reference
leak by replacing it with the new function.

[0] dd8088d5a896 ("PM: runtime: Add  pm_runtime_resume_and_get to deal with 
usage counter")

Fixes: 7694b6ca649f ("crypto: sa2ul - Add crypto driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/crypto/sa2ul.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/sa2ul.c b/drivers/crypto/sa2ul.c
index eda93fab9..39d56ab12 100644
--- a/drivers/crypto/sa2ul.c
+++ b/drivers/crypto/sa2ul.c
@@ -2345,7 +2345,7 @@ static int sa_ul_probe(struct platform_device *pdev)
dev_set_drvdata(sa_k3_dev, dev_data);
 
pm_runtime_enable(dev);
-   ret = pm_runtime_get_sync(dev);
+   ret = pm_runtime_resume_and_get(dev);
if (ret < 0) {
dev_err(>dev, "%s: failed to get sync: %d\n", __func__,
ret);
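Review bot: the hunk ends inside the dev_err() call, so the rest of the failure branch in sa_ul_probe() is not visible here. Since pm_runtime_resume_and_get() has already dropped the reference when `ret < 0`, confirm that what follows undoes only the `pm_runtime_enable(dev)` above and contains no pm_runtime_put variant.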
-- 
2.23.0



[PATCH] drm/dev: Fix NULL pointer dereference in drm_minor_alloc

2020-11-27 Thread Qinglang Miao
KASAN: null-ptr-deref in range [0x0030-0x0037]
CPU: 0 PID: 18491 Comm: syz-executor.0 Tainted: G C 5.10.0-rc4+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 
04/01/2014
RIP: 0010:kobject_put+0x2f/0x140
Call Trace:
put_device+0x20/0x40
drm_minor_alloc_release+0x60/0xe0 [drm]
drm_managed_release+0x1b6/0x440 [drm]
drm_dev_init+0x50b/0x8e0 [drm]
__devm_drm_dev_alloc+0x50/0x160 [drm]
vgem_init+0x15c/0x1000 [vgem]
do_one_initcall+0x149/0x7e0
do_init_module+0x1ef/0x700
load_module+0x3467/0x4140
__do_sys_finit_module+0x10d/0x1a0
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9

kfree(minor->kdev) in put_device would raise a null-ptr-deref bug when
minor->kdev is null or an error pointer. So check before put_device in
drm_minor_alloc_release and prohibit minor->kdev from becoming an error pointer.

Fixes: f96306f9892b ("drm: manage drm_minor cleanup with drmm_")
Signed-off-by: Qinglang Miao 
---
 drivers/gpu/drm/drm_drv.c | 10 +++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
index cd162d406..c253d3cd4 100644
--- a/drivers/gpu/drm/drm_drv.c
+++ b/drivers/gpu/drm/drm_drv.c
@@ -100,7 +100,8 @@ static void drm_minor_alloc_release(struct drm_device *dev, 
void *data)
 
WARN_ON(dev != minor->dev);
 
-   put_device(minor->kdev);
+   if (minor->kdev)
+   put_device(minor->kdev);
 
spin_lock_irqsave(_minor_lock, flags);
idr_remove(_minors_idr, minor->index);
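Review bot: the new `if (minor->kdev)` guard in drm_minor_alloc_release() adds nothing for the NULL case, because put_device() already returns early on a NULL pointer. What it actually relies on is the second hunk clearing an error pointer to NULL, so either drop the guard or say in the commit message that the crash comes from an ERR_PTR reaching put_device(), not from NULL.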
@@ -140,8 +141,11 @@ static int drm_minor_alloc(struct drm_device *dev, 
unsigned int type)
return r;
 
minor->kdev = drm_sysfs_minor_alloc(minor);
-   if (IS_ERR(minor->kdev))
-   return PTR_ERR(minor->kdev);
+   if (IS_ERR(minor->kdev)) {
+   r = PTR_ERR(minor->kdev);
+   minor->kdev = NULL;
+   return r;
+   }
 
*drm_minor_get_slot(dev, type) = minor;
return 0;
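Review bot: in drm_minor_alloc() the error pointer is still stored in `minor->kdev` and then overwritten with NULL. Assigning the result of drm_sysfs_minor_alloc() to a local first and setting `minor->kdev` only on success would keep an ERR_PTR from ever being visible through `minor`, and would make the intent clearer than the store-then-clear sequence.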
-- 
2.23.0



Re: [PATCH] scsi: zfcp: fix use-after-free in zfcp_unit_remove

2020-11-26 Thread Qinglang Miao




On 2020/11/26 17:42, Benjamin Block wrote:

On Thu, Nov 26, 2020 at 09:13:53AM +0100, Cornelia Huck wrote:

On Thu, 26 Nov 2020 09:27:41 +0800
Qinglang Miao  wrote:


On 2020/11/26 1:06, Benjamin Block wrote:

On Fri, Nov 20, 2020 at 03:48:54PM +0800, Qinglang Miao wrote:

kfree(port) is called in put_device(>dev) so that following
use would cause use-after-free bug.

The former put_device is redundant for device_unregister contains
put_device already. So just remove it to fix this.

Fixes: 86bdf218a717 ("[SCSI] zfcp: cleanup unit sysfs attribute usage")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
   drivers/s390/scsi/zfcp_unit.c | 2 --
   1 file changed, 2 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c
index e67bf7388..664b77853 100644
--- a/drivers/s390/scsi/zfcp_unit.c
+++ b/drivers/s390/scsi/zfcp_unit.c
@@ -255,8 +255,6 @@ int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun)
scsi_device_put(sdev);
}
   
-	put_device(>dev);

-
device_unregister(>dev);
  >>  return 0;
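Review bot: the commit message justifies deleting put_device() by the put inside device_unregister(), but does not say where the reference dropped by the deleted call was taken. If zfcp_unit_remove() obtains its own reference earlier in the function, deleting the put leaves that reference behind; if the concern is the order of the two calls, the put can be moved after device_unregister() rather than removed.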


Same as in the other mail for `zfcp_sysfs_port_remove_store()`. We
explicitly get a new ref in `_zfcp_unit_find()`, so we also need to put
that away again.
  

Sorry, Benjamin, I don't think so, because device_unregister calls
put_device inside.

It seems that another put_device before or after device_unregister is
useless and even might cause a use-after-free.


The issue here (and in the other patches that I had commented on) is
that the references have different origins. device_register() acquires
a reference, and that reference is given up when you call
device_unregister(). However, the code here grabs an extra reference,
and it of course has to give it up again when it no longer needs it.

This is something that is not that easy to spot by an automated check,
I guess?



Indeed.

I do think the two patches for zfcp have merit, but not by simply
removing the put_device(), but by moving it.

For this patch in particular, I'd think the "proper logic" would be to
move the `put_device()` to after the `device_unregister()`:

 device_unregister(&unit->dev);
 put_device(&unit->dev);

 return 0;

As Cornelia pointed out, the extra `get_device()` we do in
`_zfcp_unit_find()` needs to be reversed, otherwise we have a dangling
reference and probably some sort of memory-/resource-leak.

Let's go by example. If we assume the reference count of `unit->dev` is
R, and the function starts with R = 1 (otherwise the device would've
been freed already), we get:

 int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun)
 {
     struct zfcp_unit *unit;
     struct scsi_device *sdev;

     write_lock_irq(&port->unit_list_lock);
     // unit->dev (R = 1)
     unit = _zfcp_unit_find(port, fcp_lun);
     // get_device(&unit->dev)
     // unit->dev (R = 2)
     if (unit)
         list_del(&unit->list);
     write_unlock_irq(&port->unit_list_lock);

     if (!unit)
         return -EINVAL;

     sdev = zfcp_unit_sdev(unit);
     if (sdev) {
         scsi_remove_device(sdev);
         scsi_device_put(sdev);
     }

     // unit->dev (R = 2)
     put_device(&unit->dev);
     // unit->dev (R = 1)
     device_unregister(&unit->dev);
     // unit->dev (R = 0)

     return 0;
 }

If we now apply this patch, we'd end up with R = 1 after
`device_unregister()`, and the device would not be properly removed.

If you still think that's wrong, then you'll need to better explain why.


Hi Benjamin and Cornelia,

Your replies make me realize that I've been holding a mistaken 
understanding of put_device() as well as reference count.

Thanks to you both for your patient explanation!!

BTW, should I send a v2 on these two patches to move the position of 
put_device()?
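
The reference counting argued over in this thread, replayed as an added example that is not part of any message above or of the zfcp driver. `struct toy_dev` and the `toy_*` helpers are hypothetical stand-ins for struct device, get_device(), put_device(), device_register() and device_unregister(); the model goes one step beyond the thread by also running each ordering when the lookup takes no extra reference.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for struct device (assumption: flags replace a real kfree()). */
struct toy_dev {
	int refcount;            /* models the reference count R from the thread */
	bool released;           /* release() ran; real code would kfree() here */
	bool used_after_release; /* something touched the object afterwards */
};

enum order { PUT_THEN_UNREGISTER, UNREGISTER_ONLY, UNREGISTER_THEN_PUT };
enum outcome { BALANCED, LEAKED, USE_AFTER_RELEASE };

/* Every access goes through here so a late access is recorded, not executed. */
static bool toy_alive(struct toy_dev *d)
{
	if (d->released)
		d->used_after_release = true;
	return !d->released;
}

static void toy_get(struct toy_dev *d)
{
	if (toy_alive(d))
		d->refcount++;
}

static void toy_put(struct toy_dev *d)
{
	if (toy_alive(d) && --d->refcount == 0)
		d->released = true;
}

/* device_register() leaves the device holding its initial reference. */
static void toy_register(struct toy_dev *d)
{
	d->refcount = 1;
	d->released = false;
	d->used_after_release = false;
}

/* device_unregister() is device_del() followed by put_device(). */
static void toy_unregister(struct toy_dev *d)
{
	if (toy_alive(d))	/* device_del() dereferences the device */
		toy_put(d);
}

/*
 * Model of the tail of zfcp_unit_remove(). extra_ref says whether the lookup
 * took its own reference, as _zfcp_unit_find() does according to the thread.
 */
static enum outcome run_remove(bool extra_ref, enum order o, int *final_ref)
{
	struct toy_dev unit;

	toy_register(&unit);		/* R = 1 */
	if (extra_ref)
		toy_get(&unit);		/* R = 2 */

	switch (o) {
	case PUT_THEN_UNREGISTER:	/* code before the patch */
		toy_put(&unit);
		toy_unregister(&unit);
		break;
	case UNREGISTER_ONLY:		/* code with the patch applied */
		toy_unregister(&unit);
		break;
	case UNREGISTER_THEN_PUT:	/* ordering proposed in the reply */
		toy_unregister(&unit);
		toy_put(&unit);
		break;
	}

	if (final_ref)
		*final_ref = unit.refcount;
	if (unit.used_after_release)
		return USE_AFTER_RELEASE;
	return unit.released ? BALANCED : LEAKED;
}

int main(void)
{
	static const char *const res[] = { "balanced", "leaked", "use-after-release" };
	static const char *const ord[] = { "put, unregister", "unregister only",
					   "unregister, put" };

	for (int extra = 1; extra >= 0; extra--)
		for (int o = PUT_THEN_UNREGISTER; o <= UNREGISTER_THEN_PUT; o++) {
			int r;
			enum outcome out = run_remove(extra, (enum order)o, &r);

			printf("extra_ref=%d  %-16s -> R=%d, %s\n",
			       extra, ord[o], r, res[out]);
		}
	return 0;
}
```

With the extra reference, only the "unregister only" row leaks; without it, that same row is the only safe one, which is why the right fix depends on where each reference came from.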




Re: [PATCH] xfs: check the return value of krealloc() in xfs_uuid_mount

2020-11-25 Thread Qinglang Miao




On 2020/11/26 10:16, Gao Xiang wrote:

Hi Qinglang,

On Thu, Nov 26, 2020 at 09:21:11AM +0800, Qinglang Miao wrote:



On 2020/11/25 23:55, Eric Sandeen wrote:

On 11/25/20 12:50 AM, Qinglang Miao wrote:

krealloc() may fail to expand the memory space.


Even with __GFP_NOFAIL?

* ``GFP_KERNEL | __GFP_NOFAIL`` - overrides the default allocator behavior
  and all allocation requests will loop endlessly until they succeed.
  This might be really dangerous especially for larger orders.


Add sanity checks to it,
and WARN() if that really happened.


As aside, there is no WARN added in this patch for a memory failure.


Fixes: 771915c4f688 ("xfs: remove kmem_realloc()")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
   fs/xfs/xfs_mount.c | 6 +-
   1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
index 150ee5cb8..c07f48c32 100644
--- a/fs/xfs/xfs_mount.c
+++ b/fs/xfs/xfs_mount.c
@@ -80,9 +80,13 @@ xfs_uuid_mount(
}
if (hole < 0) {
-   xfs_uuid_table = krealloc(xfs_uuid_table,
+   uuid_t *if_xfs_uuid_table;
+   if_xfs_uuid_table = krealloc(xfs_uuid_table,
(xfs_uuid_table_size + 1) * sizeof(*xfs_uuid_table),
GFP_KERNEL | __GFP_NOFAIL);
+   if (!if_xfs_uuid_table)
+   goto out_duplicate;


And this would emit "Filesystem has duplicate UUID" which is not correct.

But anyway, the __GFP_NOFAIL in the call makes this all moot AFAICT.

-Eric

Hi Eric,

Sorry for neglecting __GFP_NOFAIL symbol, and I would add a WARN in memory
failure next time.


Sorry about my limited knowledge, but why it needs a WARN here since
I think it will never fail if __GFP_NOFAIL is added (no ?).
'next time' means the next time I send patches related to memory 
failure, not this one. Sorry for confusing you.


I'm not sure if Hulk CI is completely broken or not on this, also if
such CI can now generate trivial patch (?) since the subject, commit
message and even the variable name is quite similar to
https://lore.kernel.org/linux-xfs/20201124104531.561-2-thunder.leiz...@huawei.com
in a day.

And it'd be better to look into the code before sending patches...

Yeah.. I should pay more attention.


Thanks,
Gao Xiang

Thanks for your advice~


Thanks for your advice!



.



Re: [PATCH] scsi: zfcp: fix use-after-free in zfcp_unit_remove

2020-11-25 Thread Qinglang Miao




On 2020/11/26 1:06, Benjamin Block wrote:

On Fri, Nov 20, 2020 at 03:48:54PM +0800, Qinglang Miao wrote:

kfree(port) is called in put_device(>dev) so that following
use would cause use-after-free bug.

The former put_device is redundant for device_unregister contains
put_device already. So just remove it to fix this.

Fixes: 86bdf218a717 ("[SCSI] zfcp: cleanup unit sysfs attribute usage")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  drivers/s390/scsi/zfcp_unit.c | 2 --
  1 file changed, 2 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c
index e67bf7388..664b77853 100644
--- a/drivers/s390/scsi/zfcp_unit.c
+++ b/drivers/s390/scsi/zfcp_unit.c
@@ -255,8 +255,6 @@ int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun)
scsi_device_put(sdev);
}
  
-	put_device(>dev);

-
device_unregister(>dev);
 >>   return 0;


Same as in the other mail for `zfcp_sysfs_port_remove_store()`. We
explicitly get a new ref in `_zfcp_unit_find()`, so we also need to put
that away again.

Sorry, Benjamin, I don't think so, because device_unregister calls 
put_device inside.


It seems that another put_device before or after device_unregister is 
useless and even might cause a use-after-free.




Re: [PATCH] xfs: check the return value of krealloc() in xfs_uuid_mount

2020-11-25 Thread Qinglang Miao




On 2020/11/25 23:55, Eric Sandeen wrote:

On 11/25/20 12:50 AM, Qinglang Miao wrote:

krealloc() may fail to expand the memory space.


Even with __GFP_NOFAIL?

   * ``GFP_KERNEL | __GFP_NOFAIL`` - overrides the default allocator behavior
 and all allocation requests will loop endlessly until they succeed.
 This might be really dangerous especially for larger orders.


Add sanity checks to it,
and WARN() if that really happened.


As aside, there is no WARN added in this patch for a memory failure.


Fixes: 771915c4f688 ("xfs: remove kmem_realloc()")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  fs/xfs/xfs_mount.c | 6 +-
  1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
index 150ee5cb8..c07f48c32 100644
--- a/fs/xfs/xfs_mount.c
+++ b/fs/xfs/xfs_mount.c
@@ -80,9 +80,13 @@ xfs_uuid_mount(
}
  
  	if (hole < 0) {

-   xfs_uuid_table = krealloc(xfs_uuid_table,
+   uuid_t *if_xfs_uuid_table;
+   if_xfs_uuid_table = krealloc(xfs_uuid_table,
(xfs_uuid_table_size + 1) * sizeof(*xfs_uuid_table),
GFP_KERNEL | __GFP_NOFAIL);
+   if (!if_xfs_uuid_table)
+   goto out_duplicate;


And this would emit "Filesystem has duplicate UUID" which is not correct.

But anyway, the __GFP_NOFAIL in the call makes this all moot AFAICT.

-Eric

Hi Eric,

Sorry for neglecting __GFP_NOFAIL symbol, and I would add a WARN in 
memory failure next time.


Thanks for your advice!



+   xfs_uuid_table = if_xfs_uuid_table;
hole = xfs_uuid_table_size++;
}
xfs_uuid_table[hole] = *uuid;


.



Re: [PATCH] fpga: dfl: add missing platform_device_put in build_info_create_dev

2020-11-25 Thread Qinglang Miao




On 2020/11/25 18:06, Wu, Hao wrote:

Subject: [PATCH] fpga: dfl: add missing platform_device_put in
build_info_create_dev

platform_device_put is missing when it fails to set fdev->id. Set
a temp value to do sanity check.


will this case be covered already by build_info_free()?

Hao

Yes, you're right Hao.

build_info_create_dev is performed in parse_feature_list which follows
build_info_free.

So please ignore this patch.

Thanks!




Fixes: 543be3d8c999 ("fpga: add device feature list support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  drivers/fpga/dfl.c | 9 ++---
  1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c
index b450870b7..8958f0860 100644
--- a/drivers/fpga/dfl.c
+++ b/drivers/fpga/dfl.c
@@ -877,10 +877,13 @@ build_info_create_dev(struct
build_feature_devs_info *binfo,

INIT_LIST_HEAD(>sub_features);

-   fdev->id = dfl_id_alloc(type, >dev);
-   if (fdev->id < 0)
-   return fdev->id;
+   int tmp_id = dfl_id_alloc(type, >dev);
+   if (tmp_id < 0) {
+   platform_device_put(fdev);
+   return tmp_id;
+   }

+   fdev->id = tmp_id;
fdev->dev.parent = >cdev->region->dev;
fdev->dev.devt = dfl_get_devt(dfl_devs[type].devt_type, fdev->id);

--
2.23.0


.



[PATCH] soc: qcom: pdr: Fix error return code in pdr_register_listener

2020-11-24 Thread Qinglang Miao
Fix to return the error code -EREMOTEIO from pdr_register_listener
rather than 0.

Fixes: fbe639b44a82 ("soc: qcom: Introduce Protection Domain Restart helpers")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/soc/qcom/pdr_interface.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/soc/qcom/pdr_interface.c b/drivers/soc/qcom/pdr_interface.c
index 088dc99f7..3da12ec2a 100644
--- a/drivers/soc/qcom/pdr_interface.c
+++ b/drivers/soc/qcom/pdr_interface.c
@@ -153,6 +153,7 @@ static int pdr_register_listener(struct pdr_handle *pdr,
if (resp.resp.result != QMI_RESULT_SUCCESS_V01) {
pr_err("PDR: %s register listener failed: 0x%x\n",
   pds->service_path, resp.resp.error);
+   ret = -EREMOTEIO;
return ret;
}
 
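Review bot: `ret = -EREMOTEIO;` immediately followed by `return ret;` can simply be `return -EREMOTEIO;`. It would also help to say in the commit message why `ret` is 0 at this point although `resp.resp.result` signals failure.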
-- 
2.23.0



[PATCH] soundwire: Fix error return code in sdw_compute_port_params

2020-11-24 Thread Qinglang Miao
Fix to return the error code -EINVAL in sdw_compute_port_params
instead of 0.

Fixes: 9026118f20e2 ("soundwire: Add generic bandwidth allocation algorithm")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/soundwire/generic_bandwidth_allocation.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/soundwire/generic_bandwidth_allocation.c 
b/drivers/soundwire/generic_bandwidth_allocation.c
index 0bdef38c9..ad857ac62 100644
--- a/drivers/soundwire/generic_bandwidth_allocation.c
+++ b/drivers/soundwire/generic_bandwidth_allocation.c
@@ -283,8 +283,10 @@ static int sdw_compute_port_params(struct sdw_bus *bus)
if (ret < 0)
return ret;
 
-   if (group.count == 0)
+   if (group.count == 0) {
+   ret = -EINVAL;
goto out;
+   }
 
params = kcalloc(group.count, sizeof(*params), GFP_KERNEL);
if (!params) {
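Review bot: turning `group.count == 0` into -EINVAL changes behaviour from success to failure, and the commit message gives no reason why an empty group is an error rather than nothing to do. The `ret < 0` check just above shows `ret` is non-negative here, so explain whether the old return value was intended, and what callers of sdw_compute_port_params() should do with the new error.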
-- 
2.23.0



[PATCH] platform/x86: dell-smbios-base: Fix error return code in dell_smbios_init

2020-11-24 Thread Qinglang Miao
Fix to return the error code -ENODEV when it fails to init wmi and
smm.

Fixes: 41e36f2f85af ("platform/x86: dell-smbios: Link all dell-smbios-* modules 
together")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/platform/x86/dell-smbios-base.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/platform/x86/dell-smbios-base.c 
b/drivers/platform/x86/dell-smbios-base.c
index 2e2cd5659..3a1dbf199 100644
--- a/drivers/platform/x86/dell-smbios-base.c
+++ b/drivers/platform/x86/dell-smbios-base.c
@@ -594,6 +594,7 @@ static int __init dell_smbios_init(void)
if (wmi && smm) {
pr_err("No SMBIOS backends available (wmi: %d, smm: %d)\n",
wmi, smm);
+   ret = -ENODEV;
goto fail_create_group;
}
 
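Review bot: the `if (wmi && smm)` branch now returns a fixed -ENODEV while the two backend results are only printed by the pr_err() above it. That is acceptable, but the commit message should state what dell_smbios_init() returned from this branch before the change, since that is the actual bug and the one-line description does not mention it.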
-- 
2.23.0



[PATCH] fpga: dfl: add missing platform_device_put in build_info_create_dev

2020-11-24 Thread Qinglang Miao
platform_device_put is missing when it fails to set fdev->id. Set
a temp value to do sanity check.

Fixes: 543be3d8c999 ("fpga: add device feature list support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/fpga/dfl.c | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/fpga/dfl.c b/drivers/fpga/dfl.c
index b450870b7..8958f0860 100644
--- a/drivers/fpga/dfl.c
+++ b/drivers/fpga/dfl.c
@@ -877,10 +877,13 @@ build_info_create_dev(struct build_feature_devs_info 
*binfo,
 
INIT_LIST_HEAD(>sub_features);
 
-   fdev->id = dfl_id_alloc(type, >dev);
-   if (fdev->id < 0)
-   return fdev->id;
+   int tmp_id = dfl_id_alloc(type, >dev);
+   if (tmp_id < 0) {
+   platform_device_put(fdev);
+   return tmp_id;
+   }
 
+   fdev->id = tmp_id;
fdev->dev.parent = >cdev->region->dev;
fdev->dev.devt = dfl_get_devt(dfl_devs[type].devt_type, fdev->id);
 
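Review bot: `int tmp_id = dfl_id_alloc(...)` is declared after the INIT_LIST_HEAD() statement, which kernel style does not allow (declaration after statement); declare `tmp_id` at the top of build_info_create_dev(). More importantly, the added platform_device_put(fdev) is only correct if no later cleanup also releases `fdev`; the reply to this patch points at build_info_free() doing exactly that, which would make this a double put.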
-- 
2.23.0



[PATCH] xfs: check the return value of krealloc() in xfs_uuid_mount

2020-11-24 Thread Qinglang Miao
krealloc() may fail to expand the memory space. Add sanity checks to it,
and WARN() if that really happened.

Fixes: 771915c4f688 ("xfs: remove kmem_realloc()")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 fs/xfs/xfs_mount.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/xfs/xfs_mount.c b/fs/xfs/xfs_mount.c
index 150ee5cb8..c07f48c32 100644
--- a/fs/xfs/xfs_mount.c
+++ b/fs/xfs/xfs_mount.c
@@ -80,9 +80,13 @@ xfs_uuid_mount(
}
 
if (hole < 0) {
-   xfs_uuid_table = krealloc(xfs_uuid_table,
+   uuid_t *if_xfs_uuid_table;
+   if_xfs_uuid_table = krealloc(xfs_uuid_table,
(xfs_uuid_table_size + 1) * sizeof(*xfs_uuid_table),
GFP_KERNEL | __GFP_NOFAIL);
+   if (!if_xfs_uuid_table)
+   goto out_duplicate;
+   xfs_uuid_table = if_xfs_uuid_table;
hole = xfs_uuid_table_size++;
}
xfs_uuid_table[hole] = *uuid;
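Review bot: the new `if (!if_xfs_uuid_table)` check cannot trigger, because the krealloc() call just above it passes `GFP_KERNEL | __GFP_NOFAIL`. If the check were reachable, `goto out_duplicate` would be the wrong exit for an allocation failure, and the WARN() promised in the commit message is missing from the hunk.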
-- 
2.23.0



[PATCH] scsi: aic94xx: Fix error return code in asd_process_ms

2020-11-24 Thread Qinglang Miao
Fix to return the error code -EINVAL when size == 0 after
asd_find_flash_de instead of zero.

Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/scsi/aic94xx/aic94xx_sds.c | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/aic94xx/aic94xx_sds.c 
b/drivers/scsi/aic94xx/aic94xx_sds.c
index 105adba55..3aad00458 100644
--- a/drivers/scsi/aic94xx/aic94xx_sds.c
+++ b/drivers/scsi/aic94xx/aic94xx_sds.c
@@ -860,8 +860,10 @@ static int asd_process_ms(struct asd_ha_struct *asd_ha,
goto out;
}
 
-   if (size == 0)
+   if (size == 0) {
+   err = -EINVAL;
goto out;
+   }
 
err = -ENOMEM;
manuf_sec = kmalloc(size, GFP_KERNEL);
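Review bot: `size == 0` in asd_process_ms() used to leave through `out` with whatever `err` held, and now fails with -EINVAL; the commit message should explain why a zero size after asd_find_flash_de is invalid data rather than an absent, optional segment. If it really is an error, a log line in this branch would make the failure diagnosable.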
@@ -989,8 +991,10 @@ static int asd_process_ctrl_a_user(struct asd_ha_struct 
*asd_ha,
goto out_process;
}
 
-   if (size == 0)
+   if (size == 0) {
+   err = -EINVAL;
goto out;
+   }
 
err = -ENOMEM;
el = kmalloc(size, GFP_KERNEL);
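Review bot: the subject and message mention only asd_process_ms, but this hunk makes the same change in asd_process_ctrl_a_user(); mention both functions. Also note that the error branch just above uses `goto out_process` while the `size == 0` branch uses `goto out`; check that skipping whatever `out_process` does is intended now that this path reports an error.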
-- 
2.23.0



[PATCH] s390: cmf: fix use-after-free in enable_cmf

2020-11-19 Thread Qinglang Miao
kfree(cdev) is called in put_device in the error branch, so
device_unlock(>dev) would raise a use-after-free bug. In fact,
there's no need to call device_unlock after put_device.

Fix it by simply adding a return after put_device.

Fixes: a6ef15652d26 ("s390/cio: fix use after free in cmb processing")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/s390/cio/cmf.c | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/s390/cio/cmf.c b/drivers/s390/cio/cmf.c
index 72dd2471e..e95ca476f 100644
--- a/drivers/s390/cio/cmf.c
+++ b/drivers/s390/cio/cmf.c
@@ -1149,9 +1149,12 @@ int enable_cmf(struct ccw_device *cdev)
sysfs_remove_group(>dev.kobj, cmbops->attr_group);
cmbops->free(cdev);
}
+
 out:
-   if (ret)
+   if (ret) {
put_device(>dev);
+   return ret;
+   }
 out_unlock:
device_unlock(>dev);
return ret;
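Review bot: with the added `return ret;` the `out:` path now skips device_unlock(), so if put_device() does not drop the last reference the device stays locked. Unlocking before the put keeps both properties: move the `if (ret) put_device(...)` after the device_unlock() at `out_unlock`, or unlock in the error branch before calling put_device().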
-- 
2.23.0



[PATCH] PCI: fix use-after-free in pci_register_host_bridge

2020-11-19 Thread Qinglang Miao
When put_device(>dev) is called, kfree(bridge) is inside
the release function, so the following device_del would cause a
use-after-free bug.

Fixes: 37d6a0a6f470 ("PCI: Add pci_register_host_bridge() interface")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/pci/probe.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 4289030b0..82292e87e 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -991,8 +991,8 @@ static int pci_register_host_bridge(struct pci_host_bridge 
*bridge)
return 0;
 
 unregister:
-   put_device(>dev);
device_del(>dev);
+   put_device(>dev);
 
 free:
kfree(bus);
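Review bot: the changelog does not say which reference the put_device() at unregister: drops. The new order (device_del() before put_device()) is the usual teardown sequence, but if this is the last reference and the release function frees bridge as described, the caller still holds a bridge pointer after the error return. Please state which get_device() or device_initialize() this put pairs with and who owns bridge on failure.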
-- 
2.23.0



[PATCH] memstick: fix a double-free bug in memstick_check

2020-11-19 Thread Qinglang Miao
kfree(host->card) has been called in put_device so that
another kfree would cause a double-free bug.

Fixes: 0193383a5833 ("memstick: core: fix device_register() error handling")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/memstick/core/memstick.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/memstick/core/memstick.c b/drivers/memstick/core/memstick.c
index ef03d6faf..12bc3f5a6 100644
--- a/drivers/memstick/core/memstick.c
+++ b/drivers/memstick/core/memstick.c
@@ -468,7 +468,6 @@ static void memstick_check(struct work_struct *work)
host->card = card;
if (device_register(>dev)) {
put_device(>dev);
-   kfree(host->card);
host->card = NULL;
}
} else
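Review bot: in the device_register() failure branch, host->card still points at the card between put_device() and host->card = NULL, which is a dangling pointer if put_device() frees the card as the changelog says. Consider clearing host->card before the put_device() call so nothing can observe the freed pointer.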
-- 
2.23.0



[PATCH] s390: cio: fix two use-after-free bugs in device.c

2020-11-19 Thread Qinglang Miao
put_device calls the release function, which does kfree() inside.
So following use of sch would cause use-after-free bugs.

Fix these by simply adjusting the position of put_device.

Fixes: 37db8985b211 ("s390/cio: add basic protected virtualization support")
Fixes: 74bd0d859dc3 ("s390/cio: fix unlocked access of online member")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/s390/cio/device.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/s390/cio/device.c b/drivers/s390/cio/device.c
index b29fe8d50..69492417b 100644
--- a/drivers/s390/cio/device.c
+++ b/drivers/s390/cio/device.c
@@ -1664,10 +1664,10 @@ void __init ccw_device_destroy_console(struct 
ccw_device *cdev)
struct io_subchannel_private *io_priv = to_io_private(sch);
 
set_io_private(sch, NULL);
-   put_device(>dev);
-   put_device(>dev);
dma_free_coherent(>dev, sizeof(*io_priv->dma_area),
  io_priv->dma_area, io_priv->dma_area_dma);
+   put_device(>dev);
+   put_device(>dev);
kfree(io_priv);
 }
 
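Review bot: in ccw_device_destroy_console() the two put_device() calls are only moved below dma_free_coherent(), and the changelog does not show that either of them can drop the last reference at this point. If another reference is still held here, this is a reordering rather than a use-after-free fix, and the Fixes: tags would request stable backports that are not needed.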
@@ -1774,8 +1774,8 @@ static int ccw_device_remove(struct device *dev)
  ret, cdev->private->dev_id.ssid,
  cdev->private->dev_id.devno);
/* Give up reference obtained in ccw_device_set_online(). */
-   put_device(>dev);
spin_lock_irq(cdev->ccwlock);
+   put_device(>dev);
}
ccw_device_set_timeout(cdev, 0);
cdev->drv = NULL;
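Review bot: moving put_device() below spin_lock_irq(cdev->ccwlock) in ccw_device_remove() does not remove the hazard the changelog describes, because cdev is still used on the following lines (ccw_device_set_timeout(cdev, 0) and cdev->drv = NULL) and the lock itself is reached through cdev. If this were the last reference, the release function would now also run with the spinlock held and interrupts disabled. Either show that a further reference keeps the object alive here, in which case the original order was fine, or move the put to after the last use of cdev and outside the lock.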
-- 
2.23.0



[PATCH] scsi: zfcp: fix use-after-free in zfcp_unit_remove

2020-11-19 Thread Qinglang Miao
kfree(port) is called in put_device(>dev) so that following
use would cause use-after-free bug.

The former put_device is redundant for device_unregister contains
put_device already. So just remove it to fix this.

Fixes: 86bdf218a717 ("[SCSI] zfcp: cleanup unit sysfs attribute usage")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/s390/scsi/zfcp_unit.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_unit.c b/drivers/s390/scsi/zfcp_unit.c
index e67bf7388..664b77853 100644
--- a/drivers/s390/scsi/zfcp_unit.c
+++ b/drivers/s390/scsi/zfcp_unit.c
@@ -255,8 +255,6 @@ int zfcp_unit_remove(struct zfcp_port *port, u64 fcp_lun)
scsi_device_put(sdev);
}
 
-   put_device(>dev);
-
device_unregister(>dev);
 
return 0;
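Review bot: deleting the put_device() ahead of device_unregister() changes the reference balance of zfcp_unit_remove(). device_unregister() drops only the reference held since registration, so if the removed call paired with a reference taken when the unit was looked up earlier in this function, that reference is now leaked. If that is the case, keep the call and move it to after device_unregister() instead of removing it.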
-- 
2.23.0



[PATCH] scsi: zfcp: fix use-after-free in zfcp_sysfs_port_remove_store

2020-11-19 Thread Qinglang Miao
kfree(port) is called in put_device(>dev) so that following
use would cause use-after-free bug.

The former put_device is redundant for device_unregister contains
put_device already. So just remove it to fix this.

Fixes: 83d4e1c33d93 ("[SCSI] zfcp: cleanup port sysfs attribute usage")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/s390/scsi/zfcp_sysfs.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/s390/scsi/zfcp_sysfs.c b/drivers/s390/scsi/zfcp_sysfs.c
index 8d9662e8b..06285e452 100644
--- a/drivers/s390/scsi/zfcp_sysfs.c
+++ b/drivers/s390/scsi/zfcp_sysfs.c
@@ -327,8 +327,6 @@ static ssize_t zfcp_sysfs_port_remove_store(struct device 
*dev,
list_del(>list);
write_unlock_irq(>port_list_lock);
 
-   put_device(>dev);
-
zfcp_erp_port_shutdown(port, 0, "syprs_1");
device_unregister(>dev);
  out:
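Review bot: in zfcp_sysfs_port_remove_store() the put_device() is removed rather than moved. port is used afterwards by zfcp_erp_port_shutdown(port, 0, "syprs_1") and device_unregister(), so the ordering concern is understandable, but if the call balanced a reference obtained when port was looked up, removing it leaks that reference. Moving it below device_unregister() would fix the ordering and keep the count balanced.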
-- 
2.23.0



[PATCH] mips: cdmm: fix use-after-free in mips_cdmm_bus_discover

2020-11-19 Thread Qinglang Miao
kfree(dev) has been called inside put_device so another
kfree would cause a use-after-free bug.

Fixes: 8286ae03308c ("MIPS: Add CDMM bus support")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/bus/mips_cdmm.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/bus/mips_cdmm.c b/drivers/bus/mips_cdmm.c
index 9f7ed1fcd..e43786c67 100644
--- a/drivers/bus/mips_cdmm.c
+++ b/drivers/bus/mips_cdmm.c
@@ -561,7 +561,6 @@ static void mips_cdmm_bus_discover(struct mips_cdmm_bus 
*bus)
ret = device_register(>dev);
if (ret) {
put_device(>dev);
-   kfree(dev);
}
}
 }
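Review bot: with kfree(dev) gone, the if (ret) body in mips_cdmm_bus_discover() is a single statement, so the braces should be dropped to match kernel coding style. The subject also says use-after-free while the changelog describes a second free of dev, which is a double free; please make the two agree.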
-- 
2.23.0



[PATCH] scsi: iscsi: fix inappropriate use of put_device

2020-11-19 Thread Qinglang Miao
kfree(conn) is called inside put_device(>dev) so that
another one would cause use-after-free. Besides, device_unregister
should be used here rather than put_device.

Fixes: f3c893e3dbb5 ("scsi: iscsi: Fail session and connection on transport 
registration failure")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/scsi/scsi_transport_iscsi.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/scsi_transport_iscsi.c 
b/drivers/scsi/scsi_transport_iscsi.c
index 2eb3e4f93..2e68c0a87 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -2313,7 +2313,9 @@ iscsi_create_conn(struct iscsi_cls_session *session, int 
dd_size, uint32_t cid)
return conn;
 
 release_conn_ref:
-   put_device(>dev);
+   device_unregister(>dev);
+   put_device(>dev);
+   return NULL;
 release_parent_ref:
put_device(>dev);
 free_conn:
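Review bot: at release_conn_ref: the patch now calls device_unregister() and then put_device() on the same device. device_unregister() already ends with a put_device(), so this drops two references where the old code dropped one, which contradicts the changelog's own statement that another put after the release would be a use-after-free. The added return NULL also means the put_device() under release_parent_ref: and the free_conn: cleanup are no longer reached on this path. Please spell out which references are held when this label is reached and drop each exactly once.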
-- 
2.23.0



[PATCH] drivers: visorbus: fix use-after free bugs

2020-11-19 Thread Qinglang Miao
kfree(dev) is called in put_device(>device) so that following
use would cause use-after-free bug.

There are two inappropriate uses of put_device:

1. In create_visor_device, put dev_err before put_device to fix this.

2. In remove_visor_device, the former put_device is redundant because
   device_unregister contains put_device already.

Fixes: 93d3ad90c2d4 ("drivers: visorbus: move driver out of staging")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/visorbus/visorbus_main.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/visorbus/visorbus_main.c b/drivers/visorbus/visorbus_main.c
index 152fd29f0..031349baf 100644
--- a/drivers/visorbus/visorbus_main.c
+++ b/drivers/visorbus/visorbus_main.c
@@ -695,15 +695,14 @@ int create_visor_device(struct visor_device *dev)
return 0;
 
 err_put:
-   put_device(>device);
dev_err(>device, "Creating visor device failed. %d\n", err);
+   put_device(>device);
return err;
 }
 
 void remove_visor_device(struct visor_device *dev)
 {
list_del(>list_all);
-   put_device(>device);
if (dev->pending_msg_hdr)
visorbus_response(dev, 0, CONTROLVM_DEVICE_DESTROY);
device_unregister(>device);
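Review bot: in remove_visor_device() the put_device() is deleted rather than moved below device_unregister(); if it balanced a get_device() taken when the device was created, the device is never released after this change. Please describe in the changelog which reference the removed call paired with. The reorder in create_visor_device() (dev_err() before put_device()) looks right.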
-- 
2.23.0
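
Added example, not part of any patch in this thread: a userspace C model of the reference counting behind the zfcp and visorbus remove paths above, comparing a put that is moved after device_unregister() with one that is deleted. The model_* names and the premise that an earlier lookup took its own reference are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of driver-core reference counting; not kernel code. */
struct model_dev {
	int refcount;
	int *released;		/* incremented by the release callback */
};

/* Stands in for the release callback that frees the containing object. */
static void model_release(struct model_dev *d)
{
	*d->released += 1;
	free(d);
}

static void model_put(struct model_dev *d)
{
	if (--d->refcount == 0)
		model_release(d);
}

/* device_unregister() is device_del() followed by put_device(). */
static void model_unregister(struct model_dev *d) { model_put(d); }

/*
 * Remove path in which an earlier lookup took its own reference (assumed).
 * put_after_unregister = 1: the lookup reference is dropped last (balanced).
 * put_after_unregister = 0: the put is deleted outright (object leaks).
 * Returns how often the release callback ran, or -1 if allocation failed.
 */
static int model_remove(int put_after_unregister)
{
	int released = 0;
	struct model_dev *d = malloc(sizeof(*d));

	if (!d)
		return -1;
	d->refcount = 1;	/* creator's reference from device_initialize() */
	d->released = &released;
	d->refcount++;		/* reference taken by the lookup */
	model_unregister(d);	/* drops the creator's reference */
	if (put_after_unregister)
		model_put(d);	/* drops the lookup reference, release runs */
	else
		free(d);	/* model cleanup only; the kernel object would leak */
	return released;
}

int main(void)
{
	printf("put moved after unregister: released %d time(s)\n", model_remove(1));
	printf("put deleted:                released %d time(s)\n", model_remove(0));
	return 0;
}
```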



Re: [PATCH] leds: lp50xx: add missing fwnode_handle_put in error handling case

2020-11-18 Thread Qinglang Miao




On 2020/11/11 21:27, Dan Murphy wrote:

Hello

On 11/10/20 9:21 PM, Qinglang Miao wrote:

Fix to goto child_out to do fwnode_handle_put(child)
from the error handling case rather than simply return,
as done elsewhere in this function.

Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB 
LED driver")

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
  drivers/leds/leds-lp50xx.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c
index 5fb4f24aeb2e..49a997b2c781 100644
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -488,7 +488,7 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
  mc_led_info = devm_kcalloc(priv->dev, LP50XX_LEDS_PER_MODULE,
 sizeof(*mc_led_info), GFP_KERNEL);
  if (!mc_led_info)
-    return -ENOMEM;
+    goto child_out;


Thanks for the patch.

Need to set ret = -ENOMEM; then do child_out so the error is reported 
properly


Dan
.

Hi Dan,

I've sent v2 on this fix, setting ret as well.

Thanks!


[PATCH] stm class: Fix a double vfree in stm_register_device()

2020-11-18 Thread Qinglang Miao
While testing stm, stm_register_device() caused a vfree issue:
-
Trying to vfree() nonexistent vm area (ad30ebb6)

Call Trace:
__vfree+0x41/0xe0
vfree+0x5f/0xa0
stm_register_device+0x4b1/0x660 [stm_core]
dummy_stm_init+0x248/0x360 [dummy_stm]
do_one_initcall+0x149/0x7e0
do_init_module+0x1ef/0x700
load_module+0x3467/0x4140
__do_sys_finit_module+0x10d/0x1a0
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x468ded
-

This is because put_device(>dev) calls stm_device_release,
which would call vfree(stm) inside, so there's no need to do
vfree again.

Fix this problem by simply returning err after put_device().

Fixes: b5e2ced9bf81 ("stm class: Use vmalloc for the master map")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/hwtracing/stm/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
index 2712e699b..80b7c81d5 100644
--- a/drivers/hwtracing/stm/core.c
+++ b/drivers/hwtracing/stm/core.c
@@ -915,6 +915,8 @@ int stm_register_device(struct device *parent, struct 
stm_data *stm_data,
 
/* matches device_initialize() above */
put_device(>dev);
+
+   return err;
 err_free:
vfree(stm);
 
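Review bot: the new return err sits directly above the err_free: label with no comment, so the next reader will not see why this one error path must not fall through to vfree(stm). Please extend the existing comment to say that put_device() ends in stm_device_release(), which frees stm. The added blank line before return err can go.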
-- 
2.23.0



[PATCH] ipmi: msghandler: Suppress suspicious RCU usage warning

2020-11-18 Thread Qinglang Miao
While running ipmi, ipmi_smi_watcher_register() caused
a suspicious RCU usage warning.

-

=
WARNING: suspicious RCU usage
5.10.0-rc3+ #1 Not tainted
-
drivers/char/ipmi/ipmi_msghandler.c:750 RCU-list traversed in non-reader 
section!!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
2 locks held by syz-executor.0/4254:
stack backtrace:
CPU: 0 PID: 4254 Comm: syz-executor.0 Not tainted 5.10.0-rc3+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/ 
01/2014
Call Trace:
dump_stack+0x19d/0x200
ipmi_smi_watcher_register+0x2d3/0x340 [ipmi_msghandler]
acpi_ipmi_init+0xb1/0x1000 [acpi_ipmi]
do_one_initcall+0x149/0x7e0
do_init_module+0x1ef/0x700
load_module+0x3467/0x4140
__do_sys_finit_module+0x10d/0x1a0
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x468ded

-

It is safe because smi_watchers_mutex is locked and srcu_read_lock
has been used, so simply pass lockdep_is_held() to the
list_for_each_entry_rcu() to suppress this warning.

Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/char/ipmi/ipmi_msghandler.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/char/ipmi/ipmi_msghandler.c 
b/drivers/char/ipmi/ipmi_msghandler.c
index 8774a3b8f..c44ad1846 100644
--- a/drivers/char/ipmi/ipmi_msghandler.c
+++ b/drivers/char/ipmi/ipmi_msghandler.c
@@ -747,7 +747,8 @@ int ipmi_smi_watcher_register(struct ipmi_smi_watcher 
*watcher)
list_add(>link, _watchers);
 
index = srcu_read_lock(_interfaces_srcu);
-   list_for_each_entry_rcu(intf, _interfaces, link) {
+   list_for_each_entry_rcu(intf, _interfaces, link,
+   lockdep_is_held(_watchers_mutex)) {
int intf_num = READ_ONCE(intf->intf_num);
 
if (intf_num == -1)
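Review bot: the condition passed to list_for_each_entry_rcu() names the watchers mutex, but the list being walked is the interfaces list, and the srcu_read_lock() two lines above is what marks the read-side section. Passing srcu_read_lock_held() on that SRCU domain would describe the protection that applies to this list. If the mutex is what keeps the list stable, the changelog should explain how, since it currently cites both.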
-- 
2.23.0



[PATCH v2] leds: lp50xx: add missing fwnode_handle_put in error handling case

2020-11-18 Thread Qinglang Miao
Fix to set ret and goto child_out for fwnode_handle_put(child)
in the error handling case rather than simply return, as done
elsewhere in this function.

Fixes: 242b81170fb8 ("leds: lp50xx: Add the LP50XX family of the RGB LED 
driver")
Reported-by: Hulk Robot 
Suggested-by: Pavel Machek 
Signed-off-by: Qinglang Miao 
---
 v2: forgot to set ret in v1

 drivers/leds/leds-lp50xx.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/leds/leds-lp50xx.c b/drivers/leds/leds-lp50xx.c
index 5fb4f24ae..f13117eed 100644
--- a/drivers/leds/leds-lp50xx.c
+++ b/drivers/leds/leds-lp50xx.c
@@ -487,8 +487,10 @@ static int lp50xx_probe_dt(struct lp50xx *priv)
 */
mc_led_info = devm_kcalloc(priv->dev, LP50XX_LEDS_PER_MODULE,
   sizeof(*mc_led_info), GFP_KERNEL);
-   if (!mc_led_info)
-   return -ENOMEM;
+   if (!mc_led_info) {
+   ret = -ENOMEM;
+   goto child_out;
+   }
 
fwnode_for_each_child_node(child, led_node) {
ret = fwnode_property_read_u32(led_node, "color",
-- 
2.23.0



[PATCH] net: cw1200: fix missing destroy_workqueue() on error in cw1200_init_common

2020-11-18 Thread Qinglang Miao
Add the missing destroy_workqueue() before return from
cw1200_init_common in the error handling case.

Fixes: a910e4a94f69 ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN 
chipsets")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 drivers/net/wireless/st/cw1200/main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/wireless/st/cw1200/main.c 
b/drivers/net/wireless/st/cw1200/main.c
index f7fe56aff..326b1cc1d 100644
--- a/drivers/net/wireless/st/cw1200/main.c
+++ b/drivers/net/wireless/st/cw1200/main.c
@@ -381,6 +381,7 @@ static struct ieee80211_hw *cw1200_init_common(const u8 
*macaddr,
CW1200_LINK_ID_MAX,
cw1200_skb_dtor,
priv)) {
+   destroy_workqueue(priv->workqueue);
ieee80211_free_hw(hw);
return NULL;
}
@@ -392,6 +393,7 @@ static struct ieee80211_hw *cw1200_init_common(const u8 
*macaddr,
for (; i > 0; i--)
cw1200_queue_deinit(>tx_queue[i - 1]);
cw1200_queue_stats_deinit(>tx_queue_stats);
+   destroy_workqueue(priv->workqueue);
ieee80211_free_hw(hw);
return NULL;
}
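Review bot: both error branches in cw1200_init_common() now repeat destroy_workqueue(priv->workqueue) followed by ieee80211_free_hw(hw) and return NULL. A shared error label at the end of the function that both branches jump to would keep the unwind order in one place and make the next missed cleanup less likely.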
-- 
2.23.0



[PATCH] samples: vfio-mdev: fix return value of error branch in mdpy_fb_probe()

2020-11-18 Thread Qinglang Miao
pci_release_regions() should be called in these error branches, so
I set ret and use goto err_release_regions instead of simply return
-EINVAL.

Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver")
Reported-by: Hulk Robot 
Signed-off-by: Qinglang Miao 
---
 samples/vfio-mdev/mdpy-fb.c | 9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/samples/vfio-mdev/mdpy-fb.c b/samples/vfio-mdev/mdpy-fb.c
index 21dbf63d6..c944a6697 100644
--- a/samples/vfio-mdev/mdpy-fb.c
+++ b/samples/vfio-mdev/mdpy-fb.c
@@ -117,15 +117,18 @@ static int mdpy_fb_probe(struct pci_dev *pdev,
if (format != DRM_FORMAT_XRGB) {
pci_err(pdev, "format mismatch (0x%x != 0x%x)\n",
format, DRM_FORMAT_XRGB);
-   return -EINVAL;
+   ret = -EINVAL;
+   goto err_release_regions;
}
if (width < 100  || width > 1) {
pci_err(pdev, "width (%d) out of range\n", width);
-   return -EINVAL;
+   ret = -EINVAL;
+   goto err_release_regions;
}
if (height < 100 || height > 1) {
pci_err(pdev, "height (%d) out of range\n", height);
-   return -EINVAL;
+   ret = -EINVAL;
+   goto err_release_regions;
}
pci_info(pdev, "mdpy found: %dx%d framebuffer\n",
 width, height);
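Review bot: the subject says the return value of the error branch is fixed, but in all three checks of mdpy_fb_probe() the value stays -EINVAL; what changes is that err_release_regions is now reached. Please reword the subject to name the missing pci_release_regions() so the leak is what shows up in the log.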
-- 
2.23.0


