--- /dev/null
+From fd5625fc86922f36bedee5846fefd647b7e72751 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Wed, 15 Jan 2025 21:28:17 +0300
+Subject: ntb: use 64-bit arithmetic for the MSI doorbell mask
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit fd5625fc86922f36bedee5846fefd647b7e72751 upstream.
+
+msi_db_mask is of type 'u64', still the standard 'int' arithmetic is
+performed to compute its value.
+
+While most of the ntb_hw drivers actually don't utilize the higher 32
+bits of the doorbell mask now, this may be the case for Switchtec - see
+switchtec_ntb_init_db().
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE static
+analysis tool.
+
+Fixes: 2b0569b3b7e6 ("NTB: Add MSI interrupt support to ntb_transport")
+Cc: stable@vger.kernel.org
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Reviewed-by: Dave Jiang <dave.jiang@intel.com>
+Signed-off-by: Jon Mason <jdmason@kudzu.us>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ntb/ntb_transport.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/ntb/ntb_transport.c
++++ b/drivers/ntb/ntb_transport.c
+@@ -1340,7 +1340,7 @@ static int ntb_transport_probe(struct nt
+ qp_count = ilog2(qp_bitmap);
+ if (nt->use_msi) {
+ qp_count -= 1;
+- nt->msi_db_mask = 1 << qp_count;
++ nt->msi_db_mask = BIT_ULL(qp_count);
+ ntb_db_clear_mask(ndev, nt->msi_db_mask);
+ }
+
--- /dev/null
+From 962a2805e47b933876ba0e4c488d9e89ced2dd29 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:59 +0800
+Subject: of/irq: Fix device node refcount leakage in API irq_of_parse_and_map()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 962a2805e47b933876ba0e4c488d9e89ced2dd29 upstream.
+
+In irq_of_parse_and_map(), refcount of device node @oirq.np was got
+by successful of_irq_parse_one() invocation, but it does not put the
+refcount before return, so causes @oirq.np refcount leakage.
+
+Fix by putting @oirq.np refcount before return.
+
+Fixes: e3873444990d ("of/irq: Move irq_of_parse_and_map() to common code")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-6-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -36,11 +36,15 @@
+ unsigned int irq_of_parse_and_map(struct device_node *dev, int index)
+ {
+ struct of_phandle_args oirq;
++ unsigned int ret;
+
+ if (of_irq_parse_one(dev, index, &oirq))
+ return 0;
+
+- return irq_create_of_mapping(&oirq);
++ ret = irq_create_of_mapping(&oirq);
++ of_node_put(oirq.np);
++
++ return ret;
+ }
+ EXPORT_SYMBOL_GPL(irq_of_parse_and_map);
+
--- /dev/null
+From bbf71f44aaf241d853759a71de7e7ebcdb89be3d Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:58:58 +0800
+Subject: of/irq: Fix device node refcount leakages in of_irq_count()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit bbf71f44aaf241d853759a71de7e7ebcdb89be3d upstream.
+
+of_irq_count() invokes of_irq_parse_one() to count IRQs, and successful
+invocation of the later will get device node @irq.np refcount, but the
+former does not put the refcount before next iteration invocation, hence
+causes device node refcount leakages.
+
+Fix by putting @irq.np refcount before the next iteration invocation.
+
+Fixes: 3da5278727a8 ("of/irq: Rework of_irq_count()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-5-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -443,8 +443,10 @@ int of_irq_count(struct device_node *dev
+ struct of_phandle_args irq;
+ int nr = 0;
+
+- while (of_irq_parse_one(dev, nr, &irq) == 0)
++ while (of_irq_parse_one(dev, nr, &irq) == 0) {
++ of_node_put(irq.np);
+ nr++;
++ }
+
+ return nr;
+ }
--- /dev/null
+From 708124d9e6e7ac5ebf927830760679136b23fdf0 Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Sun, 9 Feb 2025 20:59:00 +0800
+Subject: of/irq: Fix device node refcount leakages in of_irq_init()
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 708124d9e6e7ac5ebf927830760679136b23fdf0 upstream.
+
+of_irq_init() will leak interrupt controller device node refcounts
+in two places as explained below:
+
+1) Leak refcounts of both @desc->dev and @desc->interrupt_parent when
+ suffers @desc->irq_init_cb() failure.
+2) Leak refcount of @desc->interrupt_parent when cleans up list
+ @intc_desc_list in the end.
+
+Refcounts of both @desc->dev and @desc->interrupt_parent were got in
+the first loop, but of_irq_init() does not put them before kfree(@desc)
+in places mentioned above, so causes refcount leakages.
+
+Fix by putting refcounts involved before kfree(@desc).
+
+Fixes: 8363ccb917c6 ("of/irq: add missing of_node_put")
+Fixes: c71a54b08201 ("of/irq: introduce of_irq_init")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-7-93e3a2659aa7@quicinc.com
+Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/of/irq.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/of/irq.c
++++ b/drivers/of/irq.c
+@@ -555,6 +555,8 @@ void __init of_irq_init(const struct of_
+ desc->interrupt_parent);
+ if (ret) {
+ of_node_clear_flag(desc->dev, OF_POPULATED);
++ of_node_put(desc->interrupt_parent);
++ of_node_put(desc->dev);
+ kfree(desc);
+ continue;
+ }
+@@ -585,6 +587,7 @@ void __init of_irq_init(const struct of_
+ err:
+ list_for_each_entry_safe(desc, temp_desc, &intc_desc_list, list) {
+ list_del(&desc->list);
++ of_node_put(desc->interrupt_parent);
+ of_node_put(desc->dev);
+ kfree(desc);
+ }
--- /dev/null
+From 1f2768b6a3ee77a295106e3a5d68458064923ede Mon Sep 17 00:00:00 2001
+From: Ma Ke <make24@iscas.ac.cn>
+Date: Sun, 2 Feb 2025 14:23:57 +0800
+Subject: PCI: Fix reference leak in pci_alloc_child_bus()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ma Ke <make24@iscas.ac.cn>
+
+commit 1f2768b6a3ee77a295106e3a5d68458064923ede upstream.
+
+If device_register(&child->dev) fails, call put_device() to explicitly
+release child->dev, per the comment at device_register().
+
+Found by code review.
+
+Link: https://lore.kernel.org/r/20250202062357.872971-1-make24@iscas.ac.cn
+Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible")
+Signed-off-by: Ma Ke <make24@iscas.ac.cn>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pci/probe.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/pci/probe.c
++++ b/drivers/pci/probe.c
+@@ -1041,7 +1041,10 @@ static struct pci_bus *pci_alloc_child_b
+ add_dev:
+ pci_set_bus_msi_domain(child);
+ ret = device_register(&child->dev);
+- WARN_ON(ret < 0);
++ if (WARN_ON(ret < 0)) {
++ put_device(&child->dev);
++ return NULL;
++ }
+
+ pcibios_add_bus(child);
+
dm-integrity-set-ti-error-on-memory-allocation-failure.patch
ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch
gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch
+ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch
+of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch
+of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch
+of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch
+pci-fix-reference-leak-in-pci_alloc_child_bus.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
