Object out is not released on path that no VMA instance found. The root
cause is jumping to an unexpected label on the error path.
Fixes: a47e788c2310 ("drm/i915/selftests: Exercise CS TLB invalidation")
Signed-off-by: Pan Bian
---
drivers/gpu/drm/i915/selftests/i915_gem_gtt.c | 2
The dst entry should be released if no neighbour is found. Goto label
free_dst to fix the issue. Besides, the check of ndev against NULL is
redundant.
Signed-off-by: Pan Bian
---
.../net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c| 7 +++
1 file changed, 3 insertions(+), 4 deletions
Goto to the label put_dev instead of the label error to fix potential
resource leak on path that the target index is invalid.
Fixes: c4fbb6515a4d ("NFC: The core part should generate the target index")
Signed-off-by: Pan Bian
---
net/nfc/rawsock.c | 2 +-
1 file changed, 1 inser
Put the device to avoid resource leak on path that the polling flag is
invalid.
Fixes: a831b9132065 ("NFC: Do not return EBUSY when stopping a poll that's
already stopped")
Signed-off-by: Pan Bian
---
net/nfc/netlink.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/nfc/
Put parent device node parent_np if there is no enough memory.
Fixes: aed6f3cadc86 ("reset: berlin: convert to a platform driver")
Signed-off-by: Pan Bian
---
drivers/reset/reset-berlin.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/reset/reset-
t;bus: qcom: add EBI2 driver")
Signed-off-by: Pan Bian
---
drivers/bus/qcom-ebi2.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/bus/qcom-ebi2.c b/drivers/bus/qcom-ebi2.c
index 03ddcf426887..0b8f53a688b8 100644
--- a/drivers/bus/qcom-ebi2.c
+++ b/drivers/bus/q
Call hci_dev_put() to decrement reference count of HCI device hdev if
fails to duplicate memory.
Fixes: 0b26ab9dce74 ("Bluetooth: AMP: Handle Accept phylink command status evt")
Signed-off-by: Pan Bian
---
net/bluetooth/a2mp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net
The allocated page is not released if error occurs in
nvm_submit_io_sync_raw(). __free_page() is moved ealier to avoid
possible memory leak issue.
Fixes: aff3fb18f957 ("lightnvm: move bad block and chunk state logic to core")
Signed-off-by: Pan Bian
---
drivers/lightnvm/core.c | 3 +
Put the device node dn before return error code on failure path.
Fixes: 461cd1b03e32 ("net: dsa: bcm_sf2: Register our slave MDIO bus")
Signed-off-by: Pan Bian
---
drivers/net/dsa/bcm_sf2.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/dsa/b
be dropped manually.
Fixes: 5a7c81547c1d ("memory: ti-aemif: introduce AEMIF driver")
Signed-off-by: Pan Bian
---
drivers/memory/ti-aemif.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/memory/ti-aemif.c b/drivers/memory/ti-aemif.c
index 15
Put the child node np when it fails to get or register device.
Signed-off-by: Pan Bian
---
drivers/mtd/spi-nor/controllers/hisi-sfc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/spi-nor/controllers/hisi-sfc.c
b/drivers/mtd/spi-nor/controllers/hisi-sfc.c
Instead of directly return, goto the error handling label to free
allocated page.
Fixes: 5f29458b77d5 ("net/mlx5e: Support dump callback in TX reporter")
Signed-off-by: Pan Bian
---
drivers/net/ethernet/mellanox/mlx5/core/en/health.c | 2 +-
1 file changed, 1 insertion(+), 1 deletio
Jump to the label done to decrement the reference count of HCI device
hdev on path that the Inquiry procedure is interrupted.
Fixes: 3e13fa1e1fab ("Bluetooth: Fix hci_inquiry ioctl usage")
Signed-off-by: Pan Bian
---
net/bluetooth/hci_core.c | 6 --
1 file changed, 4 insert
Call of_node_put() to drop references of regulators_np and reg_np before
returning error code.
Fixes: 9ae5cc75ceaa ("regulator: s5m8767: Pass descriptor instead of GPIO
number")
Signed-off-by: Pan Bian
---
drivers/regulator/s5m8767.c | 7 +--
1 file changed, 5 insertions(+), 2
Put file f if inode_storage_ptr() returns NULL.
Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
Acked-by: KP Singh
Signed-off-by: Pan Bian
---
kernel/bpf/bpf_inode_storage.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/
Put tlink before returning error code.
Fixes: 8ceb98437946 ("CIFS: Move rename to ops struct")
Signed-off-by: Pan Bian
---
fs/cifs/inode.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/cifs/inode.c b/fs/cifs/inode.c
index a83b3a8ffaac..9c31b6178638 10064
Also decrement the reference count of child device on error path.
Fixes: 3e782985cb3c ("net: ethernet: fec: Allow configuration of MDIO bus
speed")
Signed-off-by: Pan Bian
---
drivers/net/ethernet/freescale/fec_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
di
Remove the config data when rate setting fails.
Fixes: 9efc9b2b04c7 ("net: stmmac: Add dwmac-intel-plat for GBE driver")
Signed-off-by: Pan Bian
---
drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/d
Drop the reference of the child node sen_child before goto out of
the loop.
Signed-off-by: Pan Bian
---
drivers/thermal/sprd_thermal.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/thermal/sprd_thermal.c b/drivers/thermal/sprd_thermal.c
index 3682edb2f466..e843f10167b8 100644
Also drop the reference count of the node on error path.
Fixes: 508f610648b9 ("PCI: xilinx-cpm: Add Versal CPM Root Port driver")
Signed-off-by: Pan Bian
---
drivers/pci/controller/pcie-xilinx-cpm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/pci/controller/pcie-xilin
Decrements the reference count of device node and its child node.
Fixes: dfe7a1b058bb ("regulator: AXP20x: Add support for regulators subsystem")
Signed-off-by: Pan Bian
---
drivers/regulator/axp20x-regulator.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git
Put DRM device on initialization failure path rather than directly
return error code.
Fixes: a67d5088ceb8 ("drm/imx: drop explicit drm_mode_config_cleanup")
Signed-off-by: Pan Bian
---
drivers/gpu/drm/imx/imx-drm-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
The reference count of the old buffer head should be decremented on path
that fails to get the new buffer head.
Fixes: 6b4657667ba0 ("fs/affs: add rename exchange")
Signed-off-by: Pan Bian
---
fs/affs/namei.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/af
On the error path, it should goto the error handling label to free
allocated memory rather than directly return.
Fixes: 6328a126896e ("net: systemport: Manage Wake-on-LAN clock")
Signed-off-by: Pan Bian
---
drivers/net/ethernet/broadcom/bcmsysport.c | 6 --
1 file changed, 4
Free the request rq before returning error code.
Fixes: 972248e9111e ("scsi: bsg-lib: handle bidi requests without block layer
help")
Signed-off-by: Pan Bian
---
block/bsg.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/block/bsg.c b/block/bsg.c
index d7
Stop inode updating before returning the error code.
Fixes: aa75f4d3daae ("ext4: main fast-commit commit path")
Signed-off-by: Pan Bian
---
fs/ext4/inode.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index c173c8405856..64
Release the buffer header before returning error code.
Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading
corrupted filesystem")
Signed-off-by: Pan Bian
---
fs/isofs/dir.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/isofs/dir.c b/fs/isofs/d
The reference to iloc.bh has been dropped in ext4_mark_iloc_dirty.
However, the reference is dropped again if error occurs during
ext4_handle_dirty_metadata, which may result in use-after-free bugs.
Fixes: fb265c9cb49e("ext4: add ext4_sb_bread() to disambiguate ENOMEM
cases")
Signed-o
_device. This patch fixes these issues.
Signed-off-by: Pan Bian
---
drivers/hwtracing/stm/core.c | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/hwtracing/stm/core.c b/drivers/hwtracing/stm/core.c
index c7ba8ac..cfb5c4d 100644
--- a/drivers/hwtracing/stm/core.
The memory allocated in the function iio_dummy_evgen_create is not
released if it fails to add the evgen device to device hierarchy. This
may result in a memory leak bug.
Signed-off-by: Pan Bian
---
drivers/iio/dummy/iio_dummy_evgen.c | 5 -
1 file changed, 4 insertions(+), 1 deletion
In the function that creates a CSROW object, the object is not released
when failing to add the device to device hierarchy. This may result in a
memory leak bug.
Signed-off-by: Pan Bian
---
drivers/edac/edac_mc_sysfs.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a
The RMI4 function structure has been released in rmi_register_function
if error occurs. However, it will be released again in the function
rmi_create_function, which may result in a double-free bug.
Signed-off-by: Pan Bian
---
drivers/input/rmi4/rmi_driver.c | 6 +-
1 file changed, 1
ned-off-by: Pan Bian
---
drivers/fsi/fsi-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/fsi/fsi-core.c b/drivers/fsi/fsi-core.c
index 2c31563..2bb6625 100644
--- a/drivers/fsi/fsi-core.c
+++ b/drivers/fsi/fsi-core.c
@@ -1056,8 +1056,7 @@ static int fsi_slave_i
There are two issues in the error handling code. First, if ID allocation
fails, the reference count of carrier is decremented, which has
not been incremented yet. Second, if device_add fails, the allocated ID
will not be released. This patches fixes them.
Signed-off-by: Pan Bian
---
drivers/mcb
owever, after put_device, host is used and released
again. Resulting in a use-after-free bug.
Fixes: 1ed21719448("mmc: core: fix error path in mmc_host_alloc")
Signed-off-by: Pan Bian
---
drivers/mmc/core/host.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/drivers/mmc/core/host.c b/
/messaging capabilities")
Signed-off-by: Pan Bian
---
drivers/mtd/ubi/kapi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/ubi/kapi.c b/drivers/mtd/ubi/kapi.c
index e9e9ecb..0b8f0c4 100644
--- a/drivers/mtd/ubi/kapi.c
+++ b/drivers/mtd/ubi/kapi.c
@@ -227,9 +
The MTD device reference is dropped via put_mtd_device, however its
field ->index is read and passed to ubi_msg. To fix this, the patch
moves the reference dropping after calling ubi_msg.
Signed-off-by: Pan Bian
---
drivers/mtd/ubi/build.c | 2 +-
1 file changed, 1 insertion(+), 1 delet
pci_device->revision is read after dropping pci_device reference via
pci_dev_put, which may result in use-after-free bugs. To fix this, the
patch reads ->revision before dropping reference.
Signed-off-by: Pan Bian
---
drivers/ata/pata_sis.c | 4 +++-
drivers/ata/pata_sl82c105.c | 4 +
The function sis_find_family drops lpc_bridge reference via pci_dev_put,
however, after that, field lpc_bridge->revision is read. This may result
in a use after free bug. The patch moves the put operation after the
condition check.
Signed-off-by: Pan Bian
---
drivers/ide/sis5513.c | 3 ++-
The function xfs_alloc_get_freelist calls xfs_perag_put to drop the
reference. However, pag->pagf_btreeblks is read and write after the
put operation. This patch moves the put operation late.
Signed-off-by: Pan Bian
---
V2: correct the commit log
---
fs/xfs/libxfs/xfs_alloc.c | 2 +-
1 f
The function frees qf_inode via iput but then pass qf_inode to
lockdep_set_quota_inode on the failure path. This may result in a
use-after-free bug. The patch frees df_inode only when it is never used.
Signed-off-by: Pan Bian
Fixes: daf647d2dd5("ext4: add lockdep annotations for i_dat
ing and putting the page.
Signed-off-by: Pan Bian
---
fs/nilfs2/gcinode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/nilfs2/gcinode.c b/fs/nilfs2/gcinode.c
index aa3c328..a24bb29 100644
--- a/fs/nilfs2/gcinode.c
+++ b/fs/nilfs2/gcinode.c
@@ -73,10 +73,8 @@
. The patch sets bh1 and bh2 to NULL after their
reference counts are decreased.
Signed-off-by: Pan Bian
---
fs/qnx6/inode.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/qnx6/inode.c b/fs/qnx6/inode.c
index 4aeb26b..e8a8536 100644
--- a/fs/qnx6/inode.c
+++ b/fs/qnx6/inode.c
@@ -405,12
The function autofs_expire_run calls dput(dentry) to drop the reference
count of dentry. However, dentry is read via autofs_dentry_ino(dentry)
after that. This may result in a use-free-bug. The patch drops the
reference count of dentry only when it is never used.
Signed-off-by: Pan Bian
---
fs
-off-by: Pan Bian
---
fs/freevxfs/vxfs_bmap.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/freevxfs/vxfs_bmap.c b/fs/freevxfs/vxfs_bmap.c
index 1fd41cf..136e5d1 100644
--- a/fs/freevxfs/vxfs_bmap.c
+++ b/fs/freevxfs/vxfs_bmap.c
@@ -150,6 +150,7 @@ vxfs_bmap_indir(struct inode *ip, long
The function ext2_xattr_set calls brelse(bh) to drop the reference count
of bh. After that, bh may be freed. However, following brelse(bh),
it reads bh->b_data via macro HDR(bh). This may result in a
use-after-free bug. This patch moves brelse(bh) after reading field.
Signed-off-by: Pan B
After calling dput(new_dentry), new_dentry is passed to fsnotify_move.
This may result in a use-after-free bug. This patch moves the put
operation late.
Fixes: da1ce0670c14("vfs: add cross-rename")
Signed-off-by: Pan Bian
---
V2: correct the fixes commit information
---
fs/namei.c
The function hfs_bmap_free frees node via hfs_bnode_put(node).
However, it then reads node->this when dumping error message on an error
path, which may result in a use-after-free bug. This patch frees node
only when it is never used.
Signed-off-by: Pan Bian
---
fs/hfsplus/btree.c | 3 ++-
The function xfs_alloc_get_freelist calls xfs_perag_put to drop the
reference. In this case, pag may be released. However,
pag->pagf_btreeblks is read and write after the put operation. This may
result in a use-after-free bug. This patch moves the put operation late.
Signed-off-by: Pan B
After calling dput(new_dentry), new_dentry is passed to fsnotify_move.
This may result in a use-after-free bug. This patch moves the put
operation late.
Fixes: 49d31c2f389a("dentry name snapshots")
Signed-off-by: Pan Bian
---
fs/namei.c | 2 +-
1 file changed, 1 insertion(+),
The function hfs_bmap_free frees node via hfs_bnode_put(node). However,
it then reads node->this when dumping error message on an error path,
which may result in a use-after-free bug. This patch frees node only
when it is never used.
Fixes: a1185ffa2fc("HFS rewrite")
Signed-off
s to pr_")
Signed-off-by: Pan Bian
---
fs/hfs/btree.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c
index 98b96ff..19017d2 100644
--- a/fs/hfs/btree.c
+++ b/fs/hfs/btree.c
@@ -338,13 +338,14 @@ void hfs_bmap_free(struct hf
try with its parent obtained before
dropping the reference.
Fixes: a056cc8934c("exportfs: stop retrying once we race with
rename/remove")
Signed-off-by: Pan Bian
---
V2: get rid of the comment
---
fs/exportfs/expfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
try with its parent obtained before
dropping the reference.
Fixes: a056cc8934c("exportfs: stop retrying once we race with
rename/remove")
Signed-off-by: Pan Bian
---
fs/exportfs/expfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/exportfs/expfs.c b/fs/exportfs/
kfree() is incorrectly used to free the memory chunk allocated by
memstick_alloc_host(). Instead, memstick_free_host() should be used.
Fixes: 60fdd931d577("memstick: add support for JMicron jmb38x ...")
Signed-off-by: Pan Bian
---
drivers/memstick/host/jmb38x_ms.c | 2 +-
1 file
The memory chunk allocated by hid_allocate_device() should be released
by hid_destroy_device(), not kfree().
Fixes: 0b28cb4bcb1("HID: intel-ish-hid: ISH HID client driver")
Signed-off-by: Pan Bian
---
drivers/hid/intel-ish-hid/ishtp-hid.c | 2 +-
1 file changed, 1 insertion(+),
Commit-ID: 89c5a2d34bda58319e3075e8e7dd727ea25a435c
Gitweb: https://git.kernel.org/tip/89c5a2d34bda58319e3075e8e7dd727ea25a435c
Author: Pan Bian
AuthorDate: Wed, 6 Dec 2017 09:50:09 +
Committer: Ingo Molnar
CommitDate: Wed, 6 Dec 2017 19:32:08 +0100
efi/esrt: Use memunmap
validate the
return value of platform_get_irq_byname().
Signed-off-by: Pan Bian
---
drivers/iio/adc/cpcap-adc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/iio/adc/cpcap-adc.c b/drivers/iio/adc/cpcap-adc.c
index 6e419d5..f153e026 100644
--- a/drivers/iio/adc/cpca
ate the return
value of platform_get_irq_byname().
Signed-off-by: Pan Bian
---
drivers/power/supply/cpcap-charger.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/power/supply/cpcap-charger.c
b/drivers/power/supply/cpcap-charger.c
index 11a0763..e4905be 100644
--- a/dri
Function devm_gpiod_get_optional() returns an ERR_PTR on failure. Its
return value should not be validated by a NULL check. Instead, use IS_ERR.
Signed-off-by: Pan Bian
---
drivers/net/dsa/lan9303-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/lan9303
In function advansys_eisa_probe(), data->host[i] holds the return value
of scsi_host_alloc(). The memory allocated by scsi_host_alloc() should
be deallocated with scsi_host_put(), not kfree().
Signed-off-by: Pan Bian
---
drivers/scsi/advansys.c | 4 ++--
1 file changed, 2 insertions(+)
unexpected.
Signed-off-by: Pan Bian
---
drivers/net/ethernet/hisilicon/hns/hns_enet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
index 3652063..e771926 100644
--- a/drivers
In function advansys_eisa_probe(), data->host[i] holds the return value
of scsi_host_alloc(). The memory allocated by scsi_host_alloc() should
be deallocated with scsi_host_put(), not kfree().
Signed-off-by: Pan Bian
---
drivers/scsi/advansys.c | 4 ++--
1 file changed, 2 insertions(+)
The remapping result of memremap should be freed with memunmap, not
kfree.
Signed-off-by: Pan Bian
---
drivers/firmware/efi/esrt.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/firmware/efi/esrt.c b/drivers/firmware/efi/esrt.c
index bd7ed3c..3ef7001 100644
--- a
unexpected.
Signed-off-by: Pan Bian
---
drivers/net/ethernet/hisilicon/hns/hns_enet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
index 3652063..e771926 100644
--- a/drivers
The function netdev_priv() returns the private data of the device. The
memory to store the private data is allocated in alloc_netdev() and is
released in netdev_free(). Calling kfree() on the return value of
netdev_priv() after netdev_free() results in a double free bug.
Signed-off-by: Pan Bian
Memory allocated by kmem_cache_alloc() should not be deallocated with
kfree(). Use kmem_cache_free() instead.
Signed-off-by: Pan Bian
---
drivers/mtd/ubi/fastmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/ubi/fastmap.c b/drivers/mtd/ubi/fastmap.c
index
The function kunmap_atomatic() is called on the same variable twice,
i.e. pt->v. In the second call, its parameter should be variable v
rather than pt->v.
Signed-off-by: Pan Bian
---
drivers/gpu/drm/gma500/mmu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/g
In functions vpd_sections_init() and vpd_section_init(), iounmap() is
used to unmap memory. However, in these cases, memunmap() should be
used.
Signed-off-by: Pan Bian
---
V2: change error label err_iounmap to err_memunmap
V3: add changes from V1 to V2
---
drivers/firmware/google/vpd.c | 10
dropped.
Signed-off-by: Pan Bian
---
kernel/kexec_file.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 9f48f44..94eeb38 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -627,7 +627,7 @@ static int
In functions vpd_sections_init() and vpd_section_init(), iounmap() is
used to unmap memory. However, in these cases, memunmap() should be
used.
Signed-off-by: Pan Bian
---
drivers/firmware/google/vpd.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers
Function of_clk_get() returns an ERR_PTR on failures. In file
mtk_mdp_commp.c, its return value is checked against NULL. Such checks
cannot prevent from accessing bad memory. This patch replaces the NULL
checks with IS_ERR checks.
Signed-off-by: Pan Bian
---
drivers/media/platform/mtk-mdp
The return value of dma_map_single() should be checked by
dma_mapping_error(). However, in function flctl_dma_fifo0_transfer(), its
return value is checked against NULL, which could result in failures.
Signed-off-by: Pan Bian
---
drivers/mtd/nand/sh_flctl.c | 2 +-
1 file changed, 1 insertion
The return value of dma_map_single() should be checked by
dma_mapping_error(). However, in function qla26xx_dport_diagnostics(), its
return value is checked against NULL, which could result in failures.
Signed-off-by: Pan Bian
---
drivers/scsi/qla2xxx/qla_mbx.c | 2 +-
1 file changed, 1
The return value of dma_map_single() should be checked by
dma_mapping_error(). However, in function ccp_init_dm_workarea(), its
return value is checked against NULL, which could result in failures.
Signed-off-by: Pan Bian
---
drivers/crypto/ccp/ccp-ops.c | 2 +-
1 file changed, 1 insertion
-off-by: Pan Bian
---
net/9p/trans_xen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 6ad3e04..c548781 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -389,7 +389,7 @@ static int xen_9pfs_front_probe(struct xenbus_device
Function devm_ioremap() will return a NULL pointer on failure. However,
in function mxs_lradc_ts_probe(), its return value is checked with
IS_ERR(), which cannot detect the exceptional case.
Signed-off-by: Pan Bian
---
drivers/input/touchscreen/mxs-lradc-ts.c | 4 ++--
1 file changed, 2
In functions vpd_sections_init() and vpd_section_init(), iounmap() is
used to unmap memory. However, in these cases, memunmap() is better.
Signed-off-by: Pan Bian
---
drivers/firmware/google/vpd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/google
In function kexec_calculate_store_digests(), kfree() is used to free
memory allocated by crypto_alloc_shash(). It is better to use function
crypto_free_shash(), which also zeroizes the memory to be freed.
Signed-off-by: Pan Bian
---
kernel/kexec_file.c | 2 +-
1 file changed, 1 insertion(+), 1
In function xfs_test_remount_options(), kfree() is used to free memory
allocated by kmem_zalloc(). But it is better to use kmem_free().
Signed-off-by: Pan Bian
---
fs/xfs/xfs_super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
The return value of scsi_host_alloc() should be released by
scsi_host_put(). However, in function mvs_pci_init(), kfree()
is used. This patch replaces kfree() with scsi_host_put() to avoid
possible memory leaks.
Signed-off-by: Pan Bian
---
drivers/scsi/mvsas/mv_init.c | 4 ++--
1 file changed
shost again, resulting in a double free bug. This patch removes
scsi_host_put() from pm8001_free() and explicitly calls scsi_host_put()
to release Scsi_Host in need.
Signed-off-by: Pan Bian
---
drivers/scsi/pm8001/pm8001_init.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff
Return value of scsi_host_alloc() should be released with
scsi_host_put() rather than kfree().
Signed-off-by: Pan Bian
---
drivers/scsi/hisi_sas/hisi_sas_main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/scsi/hisi_sas/hisi_sas_main.c
b/drivers/scsi
s for options
transfers")
Signed-off-by: Pan Bian
---
drivers/net/team/team.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index f8c81f1..85c0124 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/t
s for
options transfers")
Signed-off-by: Pan Bian
---
drivers/net/team/team.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index f8c81f1..85c0124 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
From: Pan Bian
Function radeon_fence_emit() returns -ENOMEM if there is no enough
memory. And in this case, function radeon_ring_unlock_undo() rather than
function radeon_ring_unlock_commit() should be called. However, in
function radeon_test_create_and_emit_fence(), the return value of
From: Pan Bian
Function radeon_ring_lock() returns an errno on failure, and its return
value should be validated. However, in functions r420_cp_errata_init()
and r420_cp_errata_fini(), its return value is not checked. This patch
adds the checks.
Signed-off-by: Pan Bian
---
drivers/gpu/drm
Function devm_kzalloc() will return a NULL pointer. However, in function
isp1704_charger_probe(), the return value of devm_kzalloc() is directly
used without validation. This may result in a bad memory access bug.
Signed-off-by: Pan Bian
---
drivers/power/supply/isp1704_charger.c | 4
1
In function team_nl_send_port_list_get(), pointer skb keeps the return
value of nlmsg_new(). When the call to genlmsg_put() fails, the memory
is not freed. This will result in a memory leak bug. This patch fixes
it.
Fixes: fbd69cda90e7 ("team: fix memory leak")
Signed-off-by
emory leak")
Signed-off-by: Pan Bian
---
drivers/net/team/team.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index dd3a2e9..85c0124 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -2361,8 +2361,10
From: Pan Bian
Function create_singlethread_workqueue() will return a NULL pointer if
there is no enough memory, and its return value should be validated
before using. However, in function rndis_wlan_bind(), its return value
is not checked. This may cause NULL dereference bugs. This patch fixes
Function devm_kzalloc() will return a NULL pointer. However, in function
isp1704_charger_probe(), the return value of devm_kzalloc() is directly
used without validation. This may result in a bad memory access bug.
Signed-off-by: Pan Bian
---
drivers/power/supply/isp1704_charger.c | 2 ++
1 file
From: Pan Bian
Function pci_find_ext_capability() will returns 0 on failure, and its
return value should be checked before it is used. However, in function
pcie_port_enable_msix(), its return value is not checked. This patch
adds the check.
Signed-off-by: Pan Bian
---
drivers/pci/pcie
From: Pan Bian
Function radeon_fence_emit() returns -ENOMEM if there is no enough
memory. And in this case, function radeon_ring_unlock_undo() rather than
function radeon_ring_unlock_commit() should be called. However, in
function radeon_test_create_and_emit_fence(), the return value of
From: Pan Bian
Function radeon_ring_lock() returns an errno on failure, and its return
value should be validated. However, in functions r420_cp_errata_init()
and r420_cp_errata_fini(), its return value is not checked. This patch
adds the checks.
Signed-off-by: Pan Bian
---
drivers/gpu/drm
From: Pan Bian
Function create_singlethread_workqueue() will return a NULL pointer if
there is no enough memory, and its return value should be validated
before using. However, in function rndis_wlan_bind(), its return value
is not checked. This may cause NULL dereference bugs. This patch fixes
From: Pan Bian
Function alloc_workqueue() will return a NULL pointer if there is no
enough memory, and its return value should be validated before using.
However, in function if_spi_probe(), its return value is not checked.
This may result in a NULL dereference bug. This patch fixes the bug
From: Pan Bian
In functions cx25840_initialize(), cx231xx_initialize(), and
cx23885_initialize(), the return value of create_singlethread_workqueue()
is used without validation. This may result in NULL dereference and cause
kernel crash. This patch fixes it.
Signed-off-by: Pan Bian
From: Pan Bian
Function devm_ioremap() will return a NULL pointer if it fails to remap
IO address, and its return value should be validated before it is used.
However, in function gemini_rtc_probe(), its return value is not
checked. This may result in bad memory access bugs on future access,
e.g
From: Pan Bian
unction devm_regmap_init_i2c() returns an ERR_PTR on errors, and its
return value should be checked before it is dereferenced. However, in
function intel_soc_pmic_i2c_probe(), the return value of function
devm_regmap_init_i2c() is used without validation. This patch fixes it
1 - 100 of 205 matches
Mail list logo
