From 5b97c4457369e765fd04ce2a1d41daedefe323f2 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 2 Dec 2024 12:26:05 +0100
Subject: [PATCH] 6.11-stable patches
added patches:
alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch
dm-cache-fix-warnings-about-duplicate-slab-caches.patch
usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
usb-typec-ucsi-glink-fix-off-by-one-in-connector_status.patch
xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch
---
 ...nds-reads-when-finding-clock-sources.patch | 90 +++++++++
 ...accesses-for-extigy-and-mbox-devices.patch | 105 ++++++++++
 ...warnings-about-duplicate-slab-caches.patch | 182 ++++++++++++++++++
 queue-6.11/series | 6 +
 ...lance-of-sehci-clk-handling-routines.patch | 50 +++++
 ...k-fix-off-by-one-in-connector_status.patch | 43 +++++
 ...roperly-released-in-xenbus_dev_probe.patch | 66 +++++++
 7 files changed, 542 insertions(+)
 create mode 100644 queue-6.11/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
 create mode 100644 queue-6.11/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch
 create mode 100644 queue-6.11/dm-cache-fix-warnings-about-duplicate-slab-caches.patch
 create mode 100644 queue-6.11/usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
 create mode 100644 queue-6.11/usb-typec-ucsi-glink-fix-off-by-one-in-connector_status.patch
 create mode 100644 queue-6.11/xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch
diff --git a/queue-6.11/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch b/queue-6.11/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
new file mode 100644
index 00000000000..e4af7f44566
--- /dev/null
+++ b/queue-6.11/alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
@@ -0,0 +1,90 @@ +From a3dd4d63eeb452cfb064a13862fb376ab108f6a6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 25 Nov 2024 15:46:16 +0100 +Subject: ALSA: usb-audio: Fix out of bounds reads when finding clock sources +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Takashi Iwai + +commit a3dd4d63eeb452cfb064a13862fb376ab108f6a6 upstream. + +The current USB-audio driver code doesn't check bLength of each +descriptor at traversing for clock descriptors. That is, when a +device provides a bogus descriptor with a shorter bLength, the driver +might hit out-of-bounds reads. + +For addressing it, this patch adds sanity checks to the validator +functions for the clock descriptor traversal. When the descriptor +length is shorter than expected, it's skipped in the loop. + +For the clock source and clock multiplier descriptors, we can just +check bLength against the sizeof() of each descriptor type. +OTOH, the clock selector descriptor of UAC2 and UAC3 has an array +of bNrInPins elements and two more fields at its tail, hence those +have to be checked in addition to the sizeof() check. + +Reported-by: Benoît Sevens +Cc: +Link: https://lore.kernel.org/20241121140613.3651-1-bsevens@google.com +Link: https://patch.msgid.link/20241125144629.20757-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/clock.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -36,6 +36,12 @@ union uac23_clock_multiplier_desc { + struct uac_clock_multiplier_descriptor v3; + }; + ++/* check whether the descriptor bLength has the minimal length */ ++#define DESC_LENGTH_CHECK(p, proto) \ ++ ((proto) == UAC_VERSION_3 ? \ ++ ((p)->v3.bLength >= sizeof((p)->v3)) : \ ++ ((p)->v2.bLength >= sizeof((p)->v2))) ++ + #define GET_VAL(p, proto, field) \ + ((proto) == UAC_VERSION_3 ? 
(p)->v3.field : (p)->v2.field) + +@@ -58,6 +64,8 @@ static bool validate_clock_source(void * + { + union uac23_clock_source_desc *cs = p; + ++ if (!DESC_LENGTH_CHECK(cs, proto)) ++ return false; + return GET_VAL(cs, proto, bClockID) == id; + } + +@@ -65,13 +73,27 @@ static bool validate_clock_selector(void + { + union uac23_clock_selector_desc *cs = p; + +- return GET_VAL(cs, proto, bClockID) == id; ++ if (!DESC_LENGTH_CHECK(cs, proto)) ++ return false; ++ if (GET_VAL(cs, proto, bClockID) != id) ++ return false; ++ /* additional length check for baCSourceID array (in bNrInPins size) ++ * and two more fields (which sizes depend on the protocol) ++ */ ++ if (proto == UAC_VERSION_3) ++ return cs->v3.bLength >= sizeof(cs->v3) + cs->v3.bNrInPins + ++ 4 /* bmControls */ + 2 /* wCSelectorDescrStr */; ++ else ++ return cs->v2.bLength >= sizeof(cs->v2) + cs->v2.bNrInPins + ++ 1 /* bmControls */ + 1 /* iClockSelector */; + } + + static bool validate_clock_multiplier(void *p, int id, int proto) + { + union uac23_clock_multiplier_desc *cs = p; + ++ if (!DESC_LENGTH_CHECK(cs, proto)) ++ return false; + return GET_VAL(cs, proto, bClockID) == id; + } + diff --git a/queue-6.11/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch b/queue-6.11/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch new file mode 100644 index 00000000000..6d2cb9b5f6b --- /dev/null +++ b/queue-6.11/alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch 
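Review bot: The new `DESC_LENGTH_CHECK` macro only proves that bLength covers the fixed part of the union member, and its one-line comment does not say so; validate_clock_selector has to follow it with a second bLength comparison for the baCSourceID array plus the protocol-specific trailing fields, while the source and multiplier validators rely on the macro alone. Suggest `/* check whether bLength covers the fixed part of the descriptor; descriptors with a variable-length tail (the selector's baCSourceID array) need an extra check */` so the next descriptor type added here gets the same treatment. The loop that walks the descriptor chain and advances by bLength is the caller of these validators and is outside this hunk, so whether a zero bLength is handled there cannot be confirmed from the patch alone.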
@@ -0,0 +1,105 @@ +From b909df18ce2a998afef81d58bbd1a05dc0788c40 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Beno=C3=AEt=20Sevens?= +Date: Wed, 20 Nov 2024 12:41:44 +0000 +Subject: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Sevens + +commit b909df18ce2a998afef81d58bbd1a05dc0788c40 upstream. + +A bogus device can provide a bNumConfigurations value that exceeds the +initial value used in usb_get_configuration for allocating dev->config. + +This can lead to out-of-bounds accesses later, e.g. in +usb_destroy_configuration. + +Signed-off-by: Benoît Sevens +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable@kernel.org +Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@google.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -555,6 +555,7 @@ int snd_usb_create_quirk(struct snd_usb_ + static int snd_usb_extigy_boot_quirk(struct usb_device *dev, struct usb_interface *intf) + { + struct usb_host_config *config = dev->actconfig; ++ struct usb_device_descriptor new_device_descriptor; + int err; + + if (le16_to_cpu(get_cfg_desc(config)->wTotalLength) == EXTIGY_FIRMWARE_SIZE_OLD || +@@ -566,10 +567,14 @@ static int snd_usb_extigy_boot_quirk(str + if (err < 0) + dev_dbg(&dev->dev, "error sending boot message: %d\n", err); + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &dev->descriptor, sizeof(dev->descriptor)); +- config = dev->actconfig; ++ &new_device_descriptor, sizeof(new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); ++ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", ++ 
new_device_descriptor.bNumConfigurations); ++ else ++ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + err = usb_reset_configuration(dev); + if (err < 0) + dev_dbg(&dev->dev, "error usb_reset_configuration: %d\n", err); +@@ -901,6 +906,7 @@ static void mbox2_setup_48_24_magic(stru + static int snd_usb_mbox2_boot_quirk(struct usb_device *dev) + { + struct usb_host_config *config = dev->actconfig; ++ struct usb_device_descriptor new_device_descriptor; + int err; + u8 bootresponse[0x12]; + int fwsize; +@@ -936,10 +942,14 @@ static int snd_usb_mbox2_boot_quirk(stru + dev_dbg(&dev->dev, "device initialised!\n"); + + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &dev->descriptor, sizeof(dev->descriptor)); +- config = dev->actconfig; ++ &new_device_descriptor, sizeof(new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err); ++ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n", ++ new_device_descriptor.bNumConfigurations); ++ else ++ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + + err = usb_reset_configuration(dev); + if (err < 0) +@@ -1249,6 +1259,7 @@ static void mbox3_setup_defaults(struct + static int snd_usb_mbox3_boot_quirk(struct usb_device *dev) + { + struct usb_host_config *config = dev->actconfig; ++ struct usb_device_descriptor new_device_descriptor; + int err; + int descriptor_size; + +@@ -1262,10 +1273,14 @@ static int snd_usb_mbox3_boot_quirk(stru + dev_dbg(&dev->dev, "MBOX3: device initialised!\n"); + + err = usb_get_descriptor(dev, USB_DT_DEVICE, 0, +- &dev->descriptor, sizeof(dev->descriptor)); +- config = dev->actconfig; ++ &new_device_descriptor, sizeof(new_device_descriptor)); + if (err < 0) + dev_dbg(&dev->dev, "MBOX3: error usb_get_descriptor: %d\n", err); ++ if (new_device_descriptor.bNumConfigurations > dev->descriptor.bNumConfigurations) ++ 
dev_dbg(&dev->dev, "MBOX3: error too large bNumConfigurations: %d\n", ++ new_device_descriptor.bNumConfigurations); ++ else ++ memcpy(&dev->descriptor, &new_device_descriptor, sizeof(dev->descriptor)); + + err = usb_reset_configuration(dev); + if (err < 0) diff --git a/queue-6.11/dm-cache-fix-warnings-about-duplicate-slab-caches.patch b/queue-6.11/dm-cache-fix-warnings-about-duplicate-slab-caches.patch new file mode 100644 index 00000000000..e5f47075790 --- /dev/null +++ b/queue-6.11/dm-cache-fix-warnings-about-duplicate-slab-caches.patch 
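Review bot: `new_device_descriptor` is an automatic variable in snd_usb_extigy_boot_quirk, and usb_get_descriptor() hands it to a control transfer as the data buffer; the USB core requires DMA-capable (kmalloc'd, not stack) memory for such buffers, which the previous code satisfied because dev->descriptor lives inside the heap-allocated usb_device. The same stack-buffer pattern is repeated in snd_usb_mbox2_boot_quirk and snd_usb_mbox3_boot_quirk further down this hunk. In addition, when usb_get_descriptor() fails the code logs but still compares and possibly memcpy()s the uninitialised buffer into dev->descriptor, so the error branch should short-circuit the copy, and a short transfer (a positive return smaller than the descriptor) deserves the same treatment. All three functions start and end outside the hunk.

```c
	struct usb_device_descriptor *new_device_descriptor;
	/* … unchanged: firmware-size check, boot message … */
	new_device_descriptor = kzalloc(sizeof(*new_device_descriptor), GFP_KERNEL);
	if (!new_device_descriptor)
		return -ENOMEM;
	err = usb_get_descriptor(dev, USB_DT_DEVICE, 0,
				 new_device_descriptor, sizeof(*new_device_descriptor));
	if (err < (int)sizeof(*new_device_descriptor))
		dev_dbg(&dev->dev, "error usb_get_descriptor: %d\n", err);
	else if (new_device_descriptor->bNumConfigurations > dev->descriptor.bNumConfigurations)
		dev_dbg(&dev->dev, "error too large bNumConfigurations: %d\n",
			new_device_descriptor->bNumConfigurations);
	else
		memcpy(&dev->descriptor, new_device_descriptor, sizeof(dev->descriptor));
	kfree(new_device_descriptor);
	/* … unchanged: usb_reset_configuration() … */
```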
@@ -0,0 +1,182 @@ +From 346dbf1b1345476a6524512892cceb931bee3039 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 11 Nov 2024 16:51:02 +0100 +Subject: dm-cache: fix warnings about duplicate slab caches + +From: Mikulas Patocka + +commit 346dbf1b1345476a6524512892cceb931bee3039 upstream. + +The commit 4c39529663b9 adds a warning about duplicate cache names if +CONFIG_DEBUG_VM is selected. These warnings are triggered by the dm-cache +code. + +The dm-cache code allocates a slab cache for each device. This commit +changes it to allocate just one slab cache in the module init function. + +Signed-off-by: Mikulas Patocka +Fixes: 4c39529663b9 ("slab: Warn on duplicate cache names when DEBUG_VM=y") +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/dm-cache-background-tracker.c | 25 ++++++------------------- + drivers/md/dm-cache-background-tracker.h | 8 ++++++++ + drivers/md/dm-cache-target.c | 25 ++++++++++++++++++++----- + 3 files changed, 34 insertions(+), 24 deletions(-) + +--- a/drivers/md/dm-cache-background-tracker.c ++++ b/drivers/md/dm-cache-background-tracker.c +@@ -11,12 +11,6 @@ + + #define DM_MSG_PREFIX "dm-background-tracker" + +-struct bt_work { +- struct list_head list; +- struct rb_node node; +- struct policy_work work; +-}; +- + struct background_tracker { + unsigned int max_work; + atomic_t pending_promotes; +@@ -26,10 +20,10 @@ struct background_tracker { + struct list_head issued; + struct list_head queued; + struct rb_root pending; +- +- struct kmem_cache *work_cache; + }; + ++struct kmem_cache *btracker_work_cache = NULL; ++ + struct background_tracker *btracker_create(unsigned int max_work) + { + struct background_tracker *b = kmalloc(sizeof(*b), GFP_KERNEL); +@@ -48,12 +42,6 @@ struct background_tracker *btracker_crea + INIT_LIST_HEAD(&b->queued); + + b->pending = RB_ROOT; +- b->work_cache = KMEM_CACHE(bt_work, 0); +- if (!b->work_cache) { +- DMERR("couldn't create mempool for background work items"); +- kfree(b); +- b = NULL; +- } + 
+ return b; + } +@@ -66,10 +54,9 @@ void btracker_destroy(struct background_ + BUG_ON(!list_empty(&b->issued)); + list_for_each_entry_safe (w, tmp, &b->queued, list) { + list_del(&w->list); +- kmem_cache_free(b->work_cache, w); ++ kmem_cache_free(btracker_work_cache, w); + } + +- kmem_cache_destroy(b->work_cache); + kfree(b); + } + EXPORT_SYMBOL_GPL(btracker_destroy); +@@ -180,7 +167,7 @@ static struct bt_work *alloc_work(struct + if (max_work_reached(b)) + return NULL; + +- return kmem_cache_alloc(b->work_cache, GFP_NOWAIT); ++ return kmem_cache_alloc(btracker_work_cache, GFP_NOWAIT); + } + + int btracker_queue(struct background_tracker *b, +@@ -203,7 +190,7 @@ int btracker_queue(struct background_tra + * There was a race, we'll just ignore this second + * bit of work for the same oblock. + */ +- kmem_cache_free(b->work_cache, w); ++ kmem_cache_free(btracker_work_cache, w); + return -EINVAL; + } + +@@ -244,7 +231,7 @@ void btracker_complete(struct background + update_stats(b, &w->work, -1); + rb_erase(&w->node, &b->pending); + list_del(&w->list); +- kmem_cache_free(b->work_cache, w); ++ kmem_cache_free(btracker_work_cache, w); + } + EXPORT_SYMBOL_GPL(btracker_complete); + +--- a/drivers/md/dm-cache-background-tracker.h ++++ b/drivers/md/dm-cache-background-tracker.h +@@ -26,6 +26,14 @@ + * protected with a spinlock. 
+ */ + ++struct bt_work { ++ struct list_head list; ++ struct rb_node node; ++ struct policy_work work; ++}; ++ ++extern struct kmem_cache *btracker_work_cache; ++ + struct background_work; + struct background_tracker; + +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -10,6 +10,7 @@ + #include "dm-bio-record.h" + #include "dm-cache-metadata.h" + #include "dm-io-tracker.h" ++#include "dm-cache-background-tracker.h" + + #include + #include +@@ -2263,7 +2264,7 @@ static int parse_cache_args(struct cache + + /*----------------------------------------------------------------*/ + +-static struct kmem_cache *migration_cache; ++static struct kmem_cache *migration_cache = NULL; + + #define NOT_CORE_OPTION 1 + +@@ -3449,22 +3450,36 @@ static int __init dm_cache_init(void) + int r; + + migration_cache = KMEM_CACHE(dm_cache_migration, 0); +- if (!migration_cache) +- return -ENOMEM; ++ if (!migration_cache) { ++ r = -ENOMEM; ++ goto err; ++ } ++ ++ btracker_work_cache = kmem_cache_create("dm_cache_bt_work", ++ sizeof(struct bt_work), __alignof__(struct bt_work), 0, NULL); ++ if (!btracker_work_cache) { ++ r = -ENOMEM; ++ goto err; ++ } + + r = dm_register_target(&cache_target); + if (r) { +- kmem_cache_destroy(migration_cache); +- return r; ++ goto err; + } + + return 0; ++ ++err: ++ kmem_cache_destroy(migration_cache); ++ kmem_cache_destroy(btracker_work_cache); ++ return r; + } + + static void __exit dm_cache_exit(void) + { + dm_unregister_target(&cache_target); + kmem_cache_destroy(migration_cache); ++ kmem_cache_destroy(btracker_work_cache); + } + + module_init(dm_cache_init); diff --git a/queue-6.11/series b/queue-6.11/series index 458011375b1..2500e1a1a27 100644 --- a/queue-6.11/series +++ b/queue-6.11/series 
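Review bot: Both globals are explicitly initialised to NULL in the new code (`static struct kmem_cache *migration_cache = NULL;` in dm-cache-target.c and `struct kmem_cache *btracker_work_cache = NULL;` in dm-cache-background-tracker.c), which checkpatch reports as "do not initialise globals/statics to NULL" since zero-initialised storage already guarantees it. `btracker_work_cache` is now a non-static global declared in dm-cache-background-tracker.h, so every caller of btracker_create() silently depends on dm_cache_init() having created the cache first; the init ordering in this hunk (cache created before dm_register_target()) covers the target path, but a comment at the extern such as `/* created in dm_cache_init(); must exist before any btracker_create() caller runs */` would make the dependency explicit. The `err:` label destroys both caches unconditionally, which relies on kmem_cache_destroy() accepting NULL — it does, so no NULL guards are needed there.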
@@ -626,3 +626,9 @@ asoc-amd-yc-fix-for-enabling-dmic-on-acp6x-via-_dsd-.patch
 asoc-mediatek-check-num_codecs-is-not-zero-to-avoid-.patch
 s390-pci-fix-potential-double-remove-of-hotplug-slot.patch
 net_sched-sch_fq-don-t-follow-the-fast-path-if-tx-is-behind-now.patch
+xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch
+alsa-usb-audio-fix-potential-out-of-bound-accesses-for-extigy-and-mbox-devices.patch
+alsa-usb-audio-fix-out-of-bounds-reads-when-finding-clock-sources.patch
+usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
+usb-typec-ucsi-glink-fix-off-by-one-in-connector_status.patch
+dm-cache-fix-warnings-about-duplicate-slab-caches.patch
diff --git a/queue-6.11/usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch b/queue-6.11/usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
new file mode 100644
index 00000000000..b448edc06c4
--- /dev/null
+++ b/queue-6.11/usb-ehci-spear-fix-call-balance-of-sehci-clk-handling-routines.patch
@@ -0,0 +1,50 @@ +From 40c974826734836402abfd44efbf04f63a2cc1c1 Mon Sep 17 00:00:00 2001 +From: Vitalii Mordan +Date: Fri, 15 Nov 2024 02:03:10 +0300 +Subject: usb: ehci-spear: fix call balance of sehci clk handling routines + +From: Vitalii Mordan + +commit 40c974826734836402abfd44efbf04f63a2cc1c1 upstream. + +If the clock sehci->clk was not enabled in spear_ehci_hcd_drv_probe, +it should not be disabled in any path. + +Conversely, if it was enabled in spear_ehci_hcd_drv_probe, it must be disabled +in all error paths to ensure proper cleanup. + +Found by Linux Verification Center (linuxtesting.org) with Klever. + +Fixes: 7675d6ba436f ("USB: EHCI: make ehci-spear a separate driver") +Cc: stable@vger.kernel.org +Signed-off-by: Vitalii Mordan +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20241114230310.432213-1-mordan@ispras.ru +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/ehci-spear.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/ehci-spear.c ++++ b/drivers/usb/host/ehci-spear.c +@@ -105,7 +105,9 @@ static int spear_ehci_hcd_drv_probe(stru + /* registers start at offset 0x0 */ + hcd_to_ehci(hcd)->caps = hcd->regs; + +- clk_prepare_enable(sehci->clk); ++ retval = clk_prepare_enable(sehci->clk); ++ if (retval) ++ goto err_put_hcd; + retval = usb_add_hcd(hcd, irq, IRQF_SHARED); + if (retval) + goto err_stop_ehci; +@@ -130,8 +132,7 @@ static void spear_ehci_hcd_drv_remove(st + + usb_remove_hcd(hcd); + +- if (sehci->clk) +- clk_disable_unprepare(sehci->clk); ++ clk_disable_unprepare(sehci->clk); + usb_put_hcd(hcd); + } + diff --git a/queue-6.11/usb-typec-ucsi-glink-fix-off-by-one-in-connector_status.patch b/queue-6.11/usb-typec-ucsi-glink-fix-off-by-one-in-connector_status.patch new file mode 100644 index 00000000000..1efc78dca87 --- /dev/null +++ b/queue-6.11/usb-typec-ucsi-glink-fix-off-by-one-in-connector_status.patch 
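Review bot: The new clk_prepare_enable() failure path in spear_ehci_hcd_drv_probe jumps to `err_put_hcd` without logging, so a probe that fails at this point leaves nothing in the kernel log to distinguish it from the other early exits; a `dev_err(hcd->self.controller, "failed to enable clock: %d\n", retval);` before the goto would help triage (hcd is in scope at that point, the platform_device parameter name is truncated in the hunk). The `err_put_hcd` and `err_stop_ehci` labels are outside the hunk, so that the latter disables the clock on the usb_add_hcd() failure path is taken from the commit message rather than verified here; the diffstat (4 insertions, 3 deletions) shows no other line changed. Both probe and remove start and end outside the hunk.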
@@ -0,0 +1,43 @@ +From 4a22918810980897393fa1776ea3877e4baf8cca Mon Sep 17 00:00:00 2001 +From: Dmitry Baryshkov +Date: Sat, 9 Nov 2024 02:04:14 +0200 +Subject: usb: typec: ucsi: glink: fix off-by-one in connector_status + +From: Dmitry Baryshkov + +commit 4a22918810980897393fa1776ea3877e4baf8cca upstream. + +UCSI connector's indices start from 1 up to 3, PMIC_GLINK_MAX_PORTS. +Correct the condition in the pmic_glink_ucsi_connector_status() +callback, fixing Type-C orientation reporting for the third USB-C +connector. + +Fixes: 76716fd5bf09 ("usb: typec: ucsi: glink: move GPIO reading into connector_status callback") +Cc: stable@vger.kernel.org +Reported-by: Abel Vesa +Reviewed-by: Neil Armstrong +Reviewed-by: Johan Hovold +Tested-by: Johan Hovold +Signed-off-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20241109-ucsi-glue-fixes-v2-1-8b21ff4f9fbe@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/ucsi/ucsi_glink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/typec/ucsi/ucsi_glink.c b/drivers/usb/typec/ucsi/ucsi_glink.c +index 3e4d88ab338e..2e12758000a7 100644 +--- a/drivers/usb/typec/ucsi/ucsi_glink.c ++++ b/drivers/usb/typec/ucsi/ucsi_glink.c +@@ -185,7 +185,7 @@ static void pmic_glink_ucsi_connector_status(struct ucsi_connector *con) + struct pmic_glink_ucsi *ucsi = ucsi_get_drvdata(con->ucsi); + int orientation; + +- if (con->num >= PMIC_GLINK_MAX_PORTS || ++ if (con->num > PMIC_GLINK_MAX_PORTS || + !ucsi->port_orientation[con->num - 1]) + return; + +-- +2.47.1 + diff --git a/queue-6.11/xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch b/queue-6.11/xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch new file mode 100644 index 00000000000..afb33316404 --- /dev/null +++ b/queue-6.11/xen-fix-the-issue-of-resource-not-being-properly-released-in-xenbus_dev_probe.patch 
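Review bot: The corrected bound in pmic_glink_ucsi_connector_status() still guards only the upper end: `con->num > PMIC_GLINK_MAX_PORTS` admits con->num == 0, for which the next line indexes `port_orientation[-1]`. The commit message states that connector indices start at 1 and the UCSI core that assigns them is not in view, so this is defensive rather than a live defect, but `if (con->num < 1 || con->num > PMIC_GLINK_MAX_PORTS ||` costs nothing and documents the 1-based contract at the point of use. The rest of the function is outside the hunk.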
@@ -0,0 +1,66 @@ +From afc545da381ba0c651b2658966ac737032676f01 Mon Sep 17 00:00:00 2001 +From: Qiu-ji Chen +Date: Tue, 5 Nov 2024 21:09:19 +0800 +Subject: xen: Fix the issue of resource not being properly released in xenbus_dev_probe() + +From: Qiu-ji Chen + +commit afc545da381ba0c651b2658966ac737032676f01 upstream. + +This patch fixes an issue in the function xenbus_dev_probe(). In the +xenbus_dev_probe() function, within the if (err) branch at line 313, the +program incorrectly returns err directly without releasing the resources +allocated by err = drv->probe(dev, id). As the return value is non-zero, +the upper layers assume the processing logic has failed. However, the probe +operation was performed earlier without a corresponding remove operation. +Since the probe actually allocates resources, failing to perform the remove +operation could lead to problems. + +To fix this issue, we followed the resource release logic of the +xenbus_dev_remove() function by adding a new block fail_remove before the +fail_put block. After entering the branch if (err) at line 313, the +function will use a goto statement to jump to the fail_remove block, +ensuring that the previously acquired resources are correctly released, +thus preventing the reference count leak. + +This bug was identified by an experimental static analysis tool developed +by our team. The tool specializes in analyzing reference count operations +and detecting potential issues where resources are not properly managed. +In this case, the tool flagged the missing release operation as a +potential problem, which led to the development of this patch. 
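Review bot: The new `fail_remove:` block in xenbus_dev_probe() calls drv->remove() under reclaim_sem with no comment explaining why the semaphore is taken, so a later reader may drop the down()/up() pair as unnecessary. Suggest `/* undo drv->probe(): mirror the drv->remove() sequence of xenbus_dev_remove(), including reclaim_sem */` above the `if (drv->remove)` line, since the commit message is the only place that states the sequence was copied from xenbus_dev_remove(). Falling through into `fail_put:` is intended — the module reference on drv->driver.owner still has to be dropped — and a `/* fallthrough to fail_put */` comment would make that explicit too. The function's tail after `fail:` is outside the hunk.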
+ +Fixes: 4bac07c993d0 ("xen: add the Xenbus sysfs and virtual device hotplug driver") +Cc: stable@vger.kernel.org +Signed-off-by: Qiu-ji Chen +Reviewed-by: Juergen Gross +Message-ID: <20241105130919.4621-1-chenqiuji666@gmail.com> +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/xenbus/xenbus_probe.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/xen/xenbus/xenbus_probe.c ++++ b/drivers/xen/xenbus/xenbus_probe.c +@@ -313,7 +313,7 @@ int xenbus_dev_probe(struct device *_dev + if (err) { + dev_warn(&dev->dev, "watch_otherend on %s failed.\n", + dev->nodename); +- return err; ++ goto fail_remove; + } + + dev->spurious_threshold = 1; +@@ -322,6 +322,12 @@ int xenbus_dev_probe(struct device *_dev + dev->nodename); + + return 0; ++fail_remove: ++ if (drv->remove) { ++ down(&dev->reclaim_sem); ++ drv->remove(dev); ++ up(&dev->reclaim_sem); ++ } + fail_put: + module_put(drv->driver.owner); + fail: -- 2.47.3