From: Greg Kroah-Hartman Date: Thu, 17 Apr 2025 13:56:41 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.12.24~44 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ab11bb1097caf3e8ebe6790e00a97c897b36babd;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch pci-fix-reference-leak-in-pci_alloc_child_bus.patch --- diff --git a/queue-5.4/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch b/queue-5.4/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch new file mode 100644 index 0000000000..0add7067b0 --- /dev/null +++ b/queue-5.4/ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch @@ -0,0 +1,40 @@ +From fd5625fc86922f36bedee5846fefd647b7e72751 Mon Sep 17 00:00:00 2001 +From: Fedor Pchelkin +Date: Wed, 15 Jan 2025 21:28:17 +0300 +Subject: ntb: use 64-bit arithmetic for the MSI doorbell mask + +From: Fedor Pchelkin + +commit fd5625fc86922f36bedee5846fefd647b7e72751 upstream. + +msi_db_mask is of type 'u64', still the standard 'int' arithmetic is +performed to compute its value. + +While most of the ntb_hw drivers actually don't utilize the higher 32 +bits of the doorbell mask now, this may be the case for Switchtec - see +switchtec_ntb_init_db(). + +Found by Linux Verification Center (linuxtesting.org) with SVACE static +analysis tool. + +Fixes: 2b0569b3b7e6 ("NTB: Add MSI interrupt support to ntb_transport") +Cc: stable@vger.kernel.org +Signed-off-by: Fedor Pchelkin +Reviewed-by: Dave Jiang +Signed-off-by: Jon Mason +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ntb/ntb_transport.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ntb/ntb_transport.c ++++ b/drivers/ntb/ntb_transport.c +@@ -1340,7 +1340,7 @@ static int ntb_transport_probe(struct nt + qp_count = ilog2(qp_bitmap); + if (nt->use_msi) { + qp_count -= 1; +- nt->msi_db_mask = 1 << qp_count; ++ nt->msi_db_mask = BIT_ULL(qp_count); + ntb_db_clear_mask(ndev, nt->msi_db_mask); + } + diff --git a/queue-5.4/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch b/queue-5.4/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch new file mode 100644 index 0000000000..806a8cd1c3 --- /dev/null +++ b/queue-5.4/of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch @@ -0,0 +1,44 @@ +From 962a2805e47b933876ba0e4c488d9e89ced2dd29 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:59 +0800 +Subject: of/irq: Fix device node refcount leakage in API irq_of_parse_and_map() + +From: Zijun Hu + +commit 962a2805e47b933876ba0e4c488d9e89ced2dd29 upstream. + +In irq_of_parse_and_map(), refcount of device node @oirq.np was got +by successful of_irq_parse_one() invocation, but it does not put the +refcount before return, so causes @oirq.np refcount leakage. + +Fix by putting @oirq.np refcount before return. + +Fixes: e3873444990d ("of/irq: Move irq_of_parse_and_map() to common code") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-6-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -36,11 +36,15 @@ + unsigned int irq_of_parse_and_map(struct device_node *dev, int index) + { + struct of_phandle_args oirq; ++ unsigned int ret; + + if (of_irq_parse_one(dev, index, &oirq)) + return 0; + +- return irq_create_of_mapping(&oirq); ++ ret = irq_create_of_mapping(&oirq); ++ of_node_put(oirq.np); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(irq_of_parse_and_map); + diff --git a/queue-5.4/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch b/queue-5.4/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch new file mode 100644 index 0000000000..4de7db57d0 --- /dev/null +++ b/queue-5.4/of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch @@ -0,0 +1,40 @@ +From bbf71f44aaf241d853759a71de7e7ebcdb89be3d Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:58:58 +0800 +Subject: of/irq: Fix device node refcount leakages in of_irq_count() + +From: Zijun Hu + +commit bbf71f44aaf241d853759a71de7e7ebcdb89be3d upstream. + +of_irq_count() invokes of_irq_parse_one() to count IRQs, and successful +invocation of the later will get device node @irq.np refcount, but the +former does not put the refcount before next iteration invocation, hence +causes device node refcount leakages. + +Fix by putting @irq.np refcount before the next iteration invocation. + +Fixes: 3da5278727a8 ("of/irq: Rework of_irq_count()") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-5-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -443,8 +443,10 @@ int of_irq_count(struct device_node *dev + struct of_phandle_args irq; + int nr = 0; + +- while (of_irq_parse_one(dev, nr, &irq) == 0) ++ while (of_irq_parse_one(dev, nr, &irq) == 0) { ++ of_node_put(irq.np); + nr++; ++ } + + return nr; + } diff --git a/queue-5.4/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch b/queue-5.4/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch new file mode 100644 index 0000000000..b998736315 --- /dev/null +++ b/queue-5.4/of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch @@ -0,0 +1,53 @@ +From 708124d9e6e7ac5ebf927830760679136b23fdf0 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Sun, 9 Feb 2025 20:59:00 +0800 +Subject: of/irq: Fix device node refcount leakages in of_irq_init() + +From: Zijun Hu + +commit 708124d9e6e7ac5ebf927830760679136b23fdf0 upstream. + +of_irq_init() will leak interrupt controller device node refcounts +in two places as explained below: + +1) Leak refcounts of both @desc->dev and @desc->interrupt_parent when + suffers @desc->irq_init_cb() failure. +2) Leak refcount of @desc->interrupt_parent when cleans up list + @intc_desc_list in the end. + +Refcounts of both @desc->dev and @desc->interrupt_parent were got in +the first loop, but of_irq_init() does not put them before kfree(@desc) +in places mentioned above, so causes refcount leakages. + +Fix by putting refcounts involved before kfree(@desc). + +Fixes: 8363ccb917c6 ("of/irq: add missing of_node_put") +Fixes: c71a54b08201 ("of/irq: introduce of_irq_init") +Cc: stable@vger.kernel.org +Signed-off-by: Zijun Hu +Link: https://lore.kernel.org/r/20250209-of_irq_fix-v2-7-93e3a2659aa7@quicinc.com +Signed-off-by: Rob Herring (Arm) +Signed-off-by: Greg Kroah-Hartman +--- + drivers/of/irq.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/of/irq.c ++++ b/drivers/of/irq.c +@@ -555,6 +555,8 @@ void __init of_irq_init(const struct of_ + desc->interrupt_parent); + if (ret) { + of_node_clear_flag(desc->dev, OF_POPULATED); ++ of_node_put(desc->interrupt_parent); ++ of_node_put(desc->dev); + kfree(desc); + continue; + } +@@ -585,6 +587,7 @@ void __init of_irq_init(const struct of_ + err: + list_for_each_entry_safe(desc, temp_desc, &intc_desc_list, list) { + list_del(&desc->list); ++ of_node_put(desc->interrupt_parent); + of_node_put(desc->dev); + kfree(desc); + } diff --git a/queue-5.4/pci-fix-reference-leak-in-pci_alloc_child_bus.patch b/queue-5.4/pci-fix-reference-leak-in-pci_alloc_child_bus.patch new file mode 100644 index 0000000000..cc536e7ce7 --- /dev/null +++ b/queue-5.4/pci-fix-reference-leak-in-pci_alloc_child_bus.patch @@ -0,0 +1,42 @@ +From 1f2768b6a3ee77a295106e3a5d68458064923ede Mon Sep 17 00:00:00 2001 +From: Ma Ke +Date: Sun, 2 Feb 2025 14:23:57 +0800 +Subject: PCI: Fix reference leak in pci_alloc_child_bus() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ma Ke + +commit 1f2768b6a3ee77a295106e3a5d68458064923ede upstream. + +If device_register(&child->dev) fails, call put_device() to explicitly +release child->dev, per the comment at device_register(). + +Found by code review. + +Link: https://lore.kernel.org/r/20250202062357.872971-1-make24@iscas.ac.cn +Fixes: 4f535093cf8f ("PCI: Put pci_dev in device tree as early as possible") +Signed-off-by: Ma Ke +Signed-off-by: Bjorn Helgaas +Reviewed-by: Ilpo Järvinen +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/probe.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -1041,7 +1041,10 @@ static struct pci_bus *pci_alloc_child_b + add_dev: + pci_set_bus_msi_domain(child); + ret = device_register(&child->dev); +- WARN_ON(ret < 0); ++ if (WARN_ON(ret < 0)) { ++ put_device(&child->dev); ++ return NULL; ++ } + + pcibios_add_bus(child); + diff --git a/queue-5.4/series b/queue-5.4/series index e3c0c18cbe..6cdb25f67f 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -71,3 +71,8 @@ crypto-ccp-fix-check-for-the-primary-asp-device.patch dm-integrity-set-ti-error-on-memory-allocation-failure.patch ftrace-add-cond_resched-to-ftrace_graph_set_hash.patch gpio-zynq-fix-wakeup-source-leaks-on-device-unbind.patch +ntb-use-64-bit-arithmetic-for-the-msi-doorbell-mask.patch +of-irq-fix-device-node-refcount-leakages-in-of_irq_count.patch +of-irq-fix-device-node-refcount-leakage-in-api-irq_of_parse_and_map.patch +of-irq-fix-device-node-refcount-leakages-in-of_irq_init.patch +pci-fix-reference-leak-in-pci_alloc_child_bus.patch