On Sun, Nov 4, 2018 at 8:05 PM Sudeep Dutt wrote:
>
> On Thu, 2018-10-18 at 14:46 -0500, Wenwen Wang wrote:
> > In _scif_prog_signal(), a DMA pool is allocated if the MIC Coprocessor is
> > not X100, i.e., the boolean variable 'x100' is false. This DMA pool will be
e.,
scif_cb_arg, to store the arguments required by the call back function. A
variable 'cb_arg' is allocated in _scif_prog_signal() to pass the
arguments. 'cb_arg' will be freed after dma_pool_free() in
scif_prog_signal_cb().
Signed-off-by: Wenwen Wang
---
drivers/misc/mic/sci
18 at 3:31 PM, Peter Rosin wrote:
> On 2018-05-10 13:17, Wolfram Sang wrote:
>> On Sat, May 05, 2018 at 07:57:10AM -0500, Wenwen Wang wrote:
>>> In i2c_smbus_xfer_emulated(), there are two buffers: msgbuf0 and msgbuf1,
>>> which are used to save a series of messages, as me
Thanks for your suggestion, David! I will revise the patch and resubmit it.
Wenwen
On Fri, May 11, 2018 at 2:50 PM, David Miller wrote:
> From: Wenwen Wang
> Date: Sat, 5 May 2018 14:32:46 -0500
>
>> To avoid such issues, this patch adds a check after the second copy in
y() to set a wrong key or other
issues.
This patch reuses the data copied in the first try so as to ensure these
checks will not be bypassed.
Signed-off-by: Wenwen Wang
---
drivers/crypto/chelsio/chtls/chtls_main.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/
to an invalid number.
This way, the user can bypass the verification process of the adapter
number and inject inconsistent data.
This patch reuses the data copied in
diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the
above issues can be avoided.
Signed-off-by: Wenwen Wang
---
d
On Mon, May 7, 2018 at 12:13 AM, Douglas Gilbert wrote:
> On 2018-05-05 11:21 PM, Wenwen Wang wrote:
>>
>> In sg_write(), the opcode of the command is firstly copied from the
>> userspace pointer 'buf' and saved to the kernel variable 'opcode', using
>
espectively.
However, this buffer is not freed after it is used, which can cause a
memory leak bug.
This patch simply frees the buffer 'gd.cd_info' in exit_gdrom() to fix the
above issue.
Signed-off-by: Wenwen Wang
---
drivers/cdrom/gdrom.c | 1 +
1 file changed, 1 insertion(+)
diff -
ck because
'codec' is greater than 2. However, since 'codec' will be updated in the
following execution when 'chip->in_sdin_init' is not zero, this check will
be meaningless and the execution should continue, instead of returning the
error code EIO.
This patch avoids
hen freeing up the DMA pool because of the
modified device address.
This patch avoids the above issue by using the variable 'src' (with
necessary calculation) to free up the DMA pool.
Signed-off-by: Wenwen Wang
---
drivers/misc/mic/scif/scif_fence.c | 2 +-
1 file changed, 1 inser
Hello,
Can anyone confirm this bug? Thanks!
Wenwen
On Fri, Oct 19, 2018 at 8:47 AM Wenwen Wang wrote:
>
> In msc_data_sz(), the 'valid_dw' field of the msc block descriptor 'bdesc'
> is firstly checked to see whether the descriptor has a valid data width. If
>
Hello,
Can anyone confirm this bug? Thanks!
Wenwen
On Fri, Oct 19, 2018 at 9:12 AM Wenwen Wang wrote:
>
> In dvb_audio_write(), the first byte of the user-space buffer 'buf' is
> firstly copied and checked to see whether this is a TS packet, which always
> starts with 0x
Hello,
Could you please apply this patch? Thanks!
Wenwen
On Wed, Oct 17, 2018 at 2:18 PM Wenwen Wang wrote:
>
> In vfio_spapr_iommu_eeh_ioctl(), if the ioctl command is VFIO_EEH_PE_OP,
> the user-space buffer 'arg' is copied to the kernel object 'op' and the
> &
On Mon, Oct 29, 2018 at 4:32 PM Alex Williamson
wrote:
>
> On Mon, 29 Oct 2018 13:56:54 -0500
> Wenwen Wang wrote:
>
> > Hello,
> >
> > Could you please apply this patch? Thanks!
>
> I'd like to see testing and/or review from David or Alexey since I also
rocess, 'hdr' is then used to rewrite the header in
'req->response' after memcpy(). This way, the above issue can be avoided.
Signed-off-by: Wenwen Wang
---
drivers/thunderbolt/ctl.c | 39 ++-
1 file changed, 22 insertions(+), 17 deletions
On Mon, Oct 8, 2018 at 1:47 PM Alex Williamson
wrote:
>
> On Mon, 8 Oct 2018 13:06:20 -0500
> Wenwen Wang wrote:
>
> > In vfio_spapr_iommu_eeh_ioctl(), if the ioctl command is VFIO_EEH_PE_OP,
> > the user-space buffer 'arg' is copied to the kernel object &
t only copies from
'err.type' to 'err.mask', which is exactly required by the
VFIO_EEH_PE_INJECT_ERR op.
This patch also adds a 4-byte reserved field in the structure
vfio_eeh_pe_op to make sure that the u64 fields in the structure
vfio_eeh_pe_err are 8-byte aligned.
Sig
On Wed, Oct 17, 2018 at 10:45 AM Alex Williamson
wrote:
>
> On Wed, 17 Oct 2018 09:32:04 -0500
> Wenwen Wang wrote:
>
> > In vfio_spapr_iommu_eeh_ioctl(), if the ioctl command is VFIO_EEH_PE_OP,
> > the user-space buffer 'arg' is copied to the kernel object &
This patch adds a 4-byte reserved field in the structure
vfio_eeh_pe_op to make sure that the u64 fields in the structure
vfio_eeh_pe_err are 8-byte aligned.
Signed-off-by: Wenwen Wang
---
include/uapi/linux/vfio.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/uapi/linux/vfio.h b
On Wed, Oct 17, 2018 at 2:05 PM Alex Williamson
wrote:
>
> On Wed, 17 Oct 2018 12:58:26 -0500
> Wenwen Wang wrote:
>
> > On Wed, Oct 17, 2018 at 10:45 AM Alex Williamson
> > wrote:
> > >
> > > On Wed, 17 Oct 2018 09:32:04 -0500
only copies from
'err.type' to 'err.mask', which is exactly required by the
VFIO_EEH_PE_INJECT_ERR op.
Signed-off-by: Wenwen Wang
---
drivers/vfio/vfio_spapr_eeh.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/vfio/vfio_spapr_eeh.c b/d
rm_get_resource().
Signed-off-by: Wenwen Wang
---
drivers/media/platform/davinci/isif.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/platform/davinci/isif.c
b/drivers/media/platform/davinci/isif.c
index f924e76..340f821 100644
--- a/drivers/media/platfor
ned in the first copy, i.e., 'req_len', an error code EINVAL will be
returned after the buffer 'ureq' is freed.
Signed-off-by: Wenwen Wang
---
drivers/s390/net/qeth_core_main.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/s390/net/qeth_core_main.c
b/driver
this case, the fields of 'op', except the field 'err', are actually not
used. That is, the second copy has a redundant part. Therefore, for both
performance and security reasons, the redundant part of the second copy
should be removed.
This patch removes such a part in the seco
On Mon, Oct 8, 2018 at 11:43 AM Alex Williamson
wrote:
>
> Hi,
>
> On Sun, 7 Oct 2018 09:44:25 -0500
> Wenwen Wang wrote:
>
> > In vfio_spapr_iommu_eeh_ioctl(), if the ioctl command is VFIO_EEH_PE_OP,
> > the user-space buffer 'arg' is copied to the ke
copy. It only copies from
'err.type' to 'err.mask', which is exactly required by the
VFIO_EEH_PE_INJECT_ERR op.
Signed-off-by: Wenwen Wang
---
drivers/vfio/vfio_spapr_eeh.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/vfio/vfio_spapr_eeh.c b/d
of the entry.
This patch rewrites the header of each entry after the second copy, using
the value acquired in the first copy. Through this way, the above issue can
be avoided.
Signed-off-by: Wenwen Wang
---
drivers/firmware/google/coreboot_table.c | 1 +
1 file changed, 1 insertion(+)
diff --git a
e.,
scif_cb_arg, to store the arguments required by the call back function. A
variable 'cb_arg' is allocated in _scif_prog_signal() to pass the
arguments. 'cb_arg' will be freed after dma_pool_free() in
scif_prog_signal_cb().
Signed-off-by: Wenwen Wang
---
drivers/misc/mic/scif/sc
valid_dw' field to a local variable and then
performs the check and the calculation on the local variable to avoid the
above issue.
Signed-off-by: Wenwen Wang
---
drivers/hwtracing/intel_th/msu.h | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/hwtracing/intel_th/
urity risk.
This patch adds a necessary check after the second read to make sure the
descriptor type is CHAMELEON_DTYPE_GENERAL. Otherwise, an error code EINVAL
will be returned.
Signed-off-by: Wenwen Wang
---
drivers/mcb/mcb-parse.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/m
On Thu, Oct 18, 2018 at 4:13 AM Mika Westerberg
wrote:
>
> Hi Wenwen,
>
> On Wed, Oct 17, 2018 at 09:00:29AM -0500, Wenwen Wang wrote:
> > In tb_cfg_copy(), the header of the received control package, which is in
> > the buffer 'pkg->buffer', is firstly
ore
req->copy(). By doing so, the attacker can inject malicious data, which can
cause undefined behavior of the kernel and introduce potential security
risk.
This patch allocates a new buffer 'buf' to hold the data in 'pkg->buffer'.
By performing the checking and cop
the check
and the calculation on the copied version to fix the above issue. This
patch also rewrites the header in 'req->response + offset' using the
copied header to avoid a potential inconsistency issue.
Signed-off-by: Wenwen Wang
---
drivers/thunderbolt/icm.c | 11 +++---
x27; and
then performs the check and copy using 'desc_flags'. Through this way, the
above issue can be avoided.
Signed-off-by: Wenwen Wang
---
drivers/thunderbolt/nhi.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/thunderbolt/nhi.c b/drivers/thun
check and supply uncompleted frame, which can cause undefined
behavior of the kernel and introduce potential security risk.
This patch firstly copies the flag into a local variable 'desc_flags' and
then performs the check and copy using 'desc_flags'. Through this way, the
above issue ca
to a local variable if
it is verified to be a valid CQE in t4_next_hw_cqe(). Also, the local
variable will be used for the copy in create_read_req_ceq().
Signed-off-by: Wenwen Wang
---
drivers/infiniband/hw/cxgb4/cq.c | 8 +---
drivers/infiniband/hw/cxgb4/t4.h | 4 ++--
2 files changed, 7
On Sat, Oct 20, 2018 at 6:41 PM Steve Wise wrote:
>
> Hey Wenwen,
>
> > Subject: [PATCH] iw_cxgb4: fix a missing-check bug
> >
> > In c4iw_flush_hw_cq, the next CQE is acquired through t4_next_hw_cqe(). In
> > t4_next_hw_cqe(), the CQE, i.e., 'cq->queue[cq->cidx]', is checked to see
> > whether it
On Mon, Oct 22, 2018 at 3:04 AM Mika Westerberg
wrote:
>
> Hi,
>
> On Sat, Oct 20, 2018 at 12:55:51PM -0500, Wenwen Wang wrote:
> > In tb_ctl_rx_callback(), the checksum of the received control packet is
> > calculated on 'pkg->buffer' through tb_crc() and s
cted, i.e., LOV_USER_MAGIC_V3, an error code will be
returned: -EINVAL.
Signed-off-by: Wenwen Wang
---
drivers/staging/lustre/lustre/llite/dir.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/staging/lustre/lustre/llite/dir.c
b/drivers/staging/lustre/lustre/llite/dir.c
index d10
as null pointer
dereference.
This patch saves the pointer returned by the first invocation and removes
the second invocation. If the returned pointer is not NULL, the memory
content is copied according to the original code.
Signed-off-by: Wenwen Wang
---
drivers/staging/media/atomisp/pci
On Sun, Apr 29, 2018 at 8:20 AM, Greg Kroah-Hartman
wrote:
> On Sat, Apr 28, 2018 at 04:04:25PM +, Dilger, Andreas wrote:
>> On Apr 27, 2018, at 17:45, Wenwen Wang wrote:
>> > [PATCH] staging: luster: llite: fix potential missing-check bug when
>> > copying lumv
&
tually
copied to user-space. This inconsistent data may also cause undefined
behaviors based on how ops->get_rxnfc() is implemented.
This patch re-verifies the flow_type field of "info" after the second copy.
If the value is not as expected, an error code will be returned.
Signed-
er msgbuf1 with 0 to avoid undefined
behaviors or security issues.
Signed-off-by: Wenwen Wang
---
drivers/i2c/i2c-core-smbus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
index b5aec33..0fcca75 100644
--- a/drivers/
tually
copied to user-space. This inconsistent data may also cause undefined
behaviors based on how ops->get_rxnfc() is implemented.
This patch simply re-verifies the flow_type field of "info" after the
second copy. If the value is not as expected, an error code will be
returne
On Mon, Apr 30, 2018 at 5:38 PM, Dilger, Andreas
wrote:
> On Apr 29, 2018, at 07:20, Greg Kroah-Hartman
> wrote:
>>
>> On Sat, Apr 28, 2018 at 04:04:25PM +, Dilger, Andreas wrote:
>>> On Apr 27, 2018, at 17:45, Wenwen Wang wrote:
>>>> [PATCH] stagin
cted, i.e., LOV_USER_MAGIC_V3, an error code will be
returned: -EINVAL.
Signed-off-by: Wenwen Wang
---
drivers/staging/lustre/lustre/llite/dir.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/staging/lustre/lustre/llite/dir.c
b/drivers/staging/lustre/lustre/llite/dir.c
index d10
ication to
l->backlog[imp].len (if imp is TIPC_SYSTEM_IMPORTANCE) to avoid such
security issues. An error code will be returned if an unexpected value of
l->backlog[imp].len is generated.
Signed-off-by: Wenwen Wang
---
net/tipc/link.c | 5 +
1 file changed, 5 insertions(+)
diff --git a
the expected range. If it is not, an error code -EINVAL will be returned.
Signed-off-by: Wenwen Wang
---
net/sctp/socket.c | 21 ++---
1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 80835ac..2beb601 100644
--- a/n
er msgbuf1 with 0 to avoid undefined
behaviors or security issues.
Signed-off-by: Wenwen Wang
---
drivers/i2c/i2c-core-smbus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/i2c-core-smbus.c b/drivers/i2c/i2c-core-smbus.c
index b5aec33..0fcca75 100644
--- a/drivers/
as null pointer
dereference.
This patch saves the pointer returned by the first invocation and removes
the second invocation. If the returned pointer is not NULL, the memory
content is copied according to the original code.
Signed-off-by: Wenwen Wang
---
drivers/staging/media/atomisp/pci
Hi Marcelo,
I guess I worked on an old version of the kernel. I will re-submit the
patch. Sorry :(
Wenwen
On Wed, May 2, 2018 at 6:23 PM, Marcelo Ricardo Leitner
wrote:
> Hi Wenwen,
>
> On Wed, May 02, 2018 at 05:12:45PM -0500, Wenwen Wang wrote:
>> In sctp_setsockopt_maxseg
the expected range. If it is not, an error code -EINVAL will be returned.
Signed-off-by: Wenwen Wang
---
net/sctp/socket.c | 22 +++---
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 80835ac..03e1cc3 100644
--- a/n
On Wed, May 2, 2018 at 8:24 PM, Marcelo Ricardo Leitner
wrote:
> On Wed, May 02, 2018 at 08:15:45PM -0500, Wenwen Wang wrote:
>> In sctp_setsockopt_maxseg(), the integer 'val' is compared against min_len
>> and max_len to check whether it is in the appropriate range.
On Tue, Apr 16, 2019 at 2:23 AM Ingo Molnar wrote:
>
>
> * Wenwen Wang wrote:
>
> > In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is firstly
> > found through pirq_find_routing_table(). If the table is not found and
> > 'CONFIG_PCI_BIO
ion, if the I/O APIC is used, this table is actually not used.
However, in that case, the allocated table is not freed, which can lead to
a memory leak bug.
To fix this issue, this patch frees the allocated table if it is not used.
Signed-off-by: Wenwen Wang
---
arch/x86/pci/irq.c | 10 -
On Tue, Apr 16, 2019 at 3:33 PM Thomas Gleixner wrote:
>
> On Tue, 16 Apr 2019, Wenwen Wang wrote:
>
> > In pcibios_irq_init(), the PCI IRQ routing table 'pirq_table' is firstly
> > found through pirq_find_routing_table(). If the table is not found and
> > &#
ion, if the I/O APIC is used, this table is actually not used.
However, in that case, the allocated table is not freed, which is a memory
leak bug.
To fix this issue, free the allocated table if it is not used.
Signed-off-by: Wenwen Wang
---
arch/x86/pci/irq.c | 10 --
1 file changed
On Wed, Apr 17, 2019 at 12:58 AM Ingo Molnar wrote:
>
>
> * Wenwen Wang wrote:
>
> > On Tue, Apr 16, 2019 at 3:33 PM Thomas Gleixner wrote:
> > >
> > > On Tue, 16 Apr 2019, Wenwen Wang wrote:
> > >
> > > > In pcibios_irq_init(), the PC
ion, if the I/O APIC is used, this table is actually not used.
However, in that case, the allocated table is not freed, which is a memory
leak bug.
To fix this issue, free the allocated table if it is not used.
Signed-off-by: Wenwen Wang
Acked-by: Thomas Gleixner
---
arch/x86/pci/irq.c | 1
In nfs4_try_migration(), if nfs4_begin_drain_session() fails, the
previously allocated 'page' and 'locations' are not deallocated, leading to
memory leaks. To fix this issue, go to the 'out' label to free 'page' and
'locations' before returning t
On Mon, Aug 19, 2019 at 5:23 PM Bjorn Helgaas wrote:
>
> The subject line should give a clue about where the leak is, e.g.,
>
> ACPI / PCI: fix acpi_pci_irq_enable() memory leak
>
> On Thu, Aug 15, 2019 at 11:33:22PM -0500, Wenwen Wang wrote:
> > In acpi_pci_irq_enable
Fixes: e237a5518425 ("x86/ACPI/PCI: Recognize that Interrupt Line 255 means
"not connected"")
Signed-off-by: Wenwen Wang
---
drivers/acpi/pci_irq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/pci_irq.c b/drivers/acpi/pci_irq.c
index d2
On Thu, Aug 15, 2019 at 4:51 PM David Miller wrote:
>
> From: Wenwen Wang
> Date: Thu, 15 Aug 2019 16:46:05 -0400
>
> > On Thu, Aug 15, 2019 at 4:42 PM David Miller wrote:
> >>
> >> From: Wenwen Wang
> >> Date: Thu, 15 Aug 2019 16:03:39 -0400
>
In pch_gbe_set_ringparam(), if netif_running() returns false, 'tx_old' and
'rx_old' are not deallocated, leading to memory leaks. To fix this issue,
move the free statements to the outside of the if() statement.
Signed-off-by: Wenwen Wang
---
drivers/net/ether
On Tue, Aug 13, 2019 at 6:46 AM Sudarsana Reddy Kalluru
wrote:
>
> > -Original Message-
> > From: Wenwen Wang
> > Sent: Tuesday, August 13, 2019 3:35 PM
> > To: Wenwen Wang
> > Cc: Ariel Elior ; GR-everest-linux-l2 > l...@marvell.com>; David
If qed_mcp_send_drv_version() fails, no cleanup is executed, leading to
memory leaks. To fix this issue, introduce the label 'err4' to perform the
cleanup work before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/net/ethernet/qlogic/qed/qed_main.c | 4 +++-
1 file
this execution path, leading to a memory
leak bug.
Signed-off-by: Wenwen Wang
---
drivers/net/usb/usbnet.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c
index 72514c4..f17fafa 100644
--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/
, leading to a memory
leak bug. To fix this issue, free 'dev->partial_data' before returning the
error.
Signed-off-by: Wenwen Wang
---
drivers/net/usb/cx82310_eth.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/usb/cx82310_eth.c b/drivers/net/u
, leading to a memory leak bug.
Signed-off-by: Wenwen Wang
---
drivers/net/hyperv/rndis_filter.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/hyperv/rndis_filter.c
b/drivers/net/hyperv/rndis_filter.c
index 317dbe9..ed35085 100644
--- a/drivers/net/hyperv/rndis_filter.c
+++ b/dri
fix this issue, free
'options_orig' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/net/wimax/i2400m/fw.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c
index e9fc168..6b36f6d 100644
--- a
On Thu, Aug 15, 2019 at 3:34 PM David Miller wrote:
>
> From: Wenwen Wang
> Date: Tue, 13 Aug 2019 20:33:45 -0500
>
> > In pch_gbe_set_ringparam(), if netif_running() returns false, 'tx_old' and
> > 'rx_old' are not deallocated, leading to memory
On Thu, Aug 15, 2019 at 2:45 PM Liam R. Howlett wrote:
>
> * Wenwen Wang [190815 14:05]:
> > In i2400m_barker_db_init(), 'options_orig' is allocated through kstrdup()
> > to hold the original command line options. Then, the options are parsed.
> > However, if
fix this issue, free
'options_orig' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/net/wimax/i2400m/fw.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wimax/i2400m/fw.c b/drivers/net/wimax/i2400m/fw.c
index e9fc168..489cba9 100644
--- a
On Thu, Aug 15, 2019 at 4:42 PM David Miller wrote:
>
> From: Wenwen Wang
> Date: Thu, 15 Aug 2019 16:03:39 -0400
>
> > On Thu, Aug 15, 2019 at 3:34 PM David Miller wrote:
> >>
> >> From: Wenwen Wang
> >> Date: Tue, 13 Aug 2019 20:33:45 -05
y regions before
returning the error.
Signed-off-by: Wenwen Wang
---
drivers/net/wireless/cisco/airo.c | 11 +--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/cisco/airo.c
b/drivers/net/wireless/cisco/airo.c
index 9342ffb..f43c065 100644
--- a/drivers
In acpi_pci_irq_enable(), 'entry' is allocated by invoking
acpi_pci_irq_lookup(). However, it is not deallocated if
acpi_pci_irq_valid() returns false, leading to a memory leak. To fix this
issue, free 'entry' before returning 0.
Signed-off-by: Wenwen Wang
---
drivers/acpi/p
In cm_write(), 'buf' is allocated through kzalloc(). In the following
execution, if an error occurs, 'buf' is not deallocated, leading to memory
leaks. To fix this issue, free 'buf' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/acpi/custom_meth
nts' before returning
the error.
Signed-off-by: Wenwen Wang
---
drivers/dma/ti/dma-crossbar.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/ti/dma-crossbar.c b/drivers/dma/ti/dma-crossbar.c
index ad2f0a4..f255056 100644
--- a/drivers/dma/ti/dma-cross
On Fri, Aug 16, 2019 at 2:42 AM Peter Ujfalusi wrote:
>
>
>
> On 16/08/2019 9.23, Wenwen Wang wrote:
> > In ti_dra7_xbar_probe(), 'rsv_events' is allocated through kcalloc(). Then
> > of_property_read_u32_array() is invoked to search for the property.
nts' before returning
the error.
Signed-off-by: Wenwen Wang
---
drivers/dma/ti/dma-crossbar.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/ti/dma-crossbar.c b/drivers/dma/ti/dma-crossbar.c
index ad2f0a4..f255056 100644
--- a/drivers/dma/ti/dma-cross
If devm_request_irq() fails to disable all interrupts, no cleanup is
performed before retuning the error. To fix this issue, invoke
omap_dma_free() to do the cleanup.
Signed-off-by: Wenwen Wang
---
drivers/dma/ti/omap-dma.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a
In ata_init(), 'ata_force_tbl' is allocated through kcalloc() in
ata_parse_force_param(). However, it is not deallocated if
ata_attach_transport() fails, leading to a memory leak bug. To fix this
issue, free 'ata_force_tbl' before go to the 'err_out' labe
In submit_urbs(), 'cam->sbuf[i].data' is allocated through kmalloc_array().
However, it is not deallocated if the following allocation for urbs fails.
To fix this issue, free 'cam->sbuf[i].data' if usb_alloc_urb() fails.
Signed-off-by: Wenwen Wang
---
drivers/media
In cx231xx_load_firmware(), 'p_buffer' is allocated through vmalloc() to
hold the firmware. However, after the usage, it is not deallocated, leading
to a memory leak bug.
Signed-off-by: Wenwen Wang
---
drivers/media/usb/cx231xx/cx231xx-417.c | 1 +
1 file changed, 1 insertion(+)
di
In dib7000pc_detection(), 'tx' and 'rx' are allocated through kzalloc()
respectively. However, if DiB7000PC is detected, they are not deallocated,
leading to memory leaks. To fix this issue, create a label to free 'tx' and
'rx' before returning from t
In cx24117_load_firmware(), 'buf' is allocated through kmalloc() to hold
the firmware. However, if i2c_transfer() fails, it is not deallocated,
leading to a memory leak bug.
Signed-off-by: Wenwen Wang
---
drivers/media/dvb-frontends/cx24117.c | 4 +++-
1 file changed, 3 insert
his issue, free 'dvbdev->entity' before
returning -ENOMEM.
Signed-off-by: Wenwen Wang
---
drivers/media/dvb-core/dvbdev.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
index a3393cd..7557fbf 100644
If saa7146_register_device(), no cleanup is executed, leading to
memory/resource leaks. To fix this issue, perform necessary cleanup work
before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/media/pci/saa7146/hexium_gemini.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a
If saa7146_register_device() fails, no cleanup is executed, leading to
memory/resource leaks. To fix this issue, perform necessary cleanup work
before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/media/pci/saa7146/hexium_gemini.c | 3 +++
1 file changed, 3 insertions(+)
diff
In fdp1_open(), 'ctx' is allocated through kzalloc(). However, it is not
deallocated if v4l2_ctrl_new_std() fails, leading to a memory leak bug. To
fix this issue, free 'ctx' before going to the 'done' label.
Signed-off-by: Wenwen Wang
---
drivers/media/plat
If an error occurs in this function, no cleanup is executed, leading to
memory/resource leaks. To fix this issue, introduce two labels to perform
the cleanup work.
Signed-off-by: Wenwen Wang
---
drivers/media/platform/ti-vpe/vpdma.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions
In nand_scan_bbt(), a temporary buffer 'buf' is allocated through
vmalloc(). However, if check_create() fails, 'buf' is not deallocated,
leading to a memory leak bug. To fix this issue, free 'buf' before
returning the error.
Signed-off-by: Wenwen Wang
---
drive
ue,
free 'this->verify_buf' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/mtd/nand/onenand/onenand_base.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/mtd/nand/onenand/onenand_base.c
b/drivers/mtd/nand/onenand/onenand_base.c
index e082d63..77bd32
fix this issue, free
them before returning -EIO.
Signed-off-by: Wenwen Wang
---
drivers/mtd/sm_ftl.c | 5 -
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c
index dfc47a4..4744bf9 100644
--- a/drivers/mtd/sm_ftl.c
+++ b/drivers/mtd/sm_ftl.c
@
In spi_nor_parse_4bait(), 'dwords' is allocated through kmalloc(). However,
it is not deallocated in the following execution if spi_nor_read_sfdp()
fails, leading to a memory leak. To fix this issue, free 'dwords' before
returning the error.
Signed-off-by: Wenwen Wang
---
In fault_opcodes_write(), 'data' is allocated through kcalloc(). However,
it is not deallocated in the following execution if an error occurs,
leading to memory leaks. To fix this issue, introduce the 'free_data' label
to free 'data' before returning the erro
In fault_opcodes_read(), 'data' is not deallocated if debugfs_file_get()
fails, leading to a memory leak. To fix this bug, introduce the 'free_data'
label to free 'data' before returning the error.
Signed-off-by: Wenwen Wang
---
drivers/infiniband/hw/hfi1/faul
In mlx4_ib_alloc_pv_bufs(), 'tun_qp->tx_ring' is allocated through
kcalloc(). However, it is not always deallocated in the following execution
if an error occurs, leading to memory leaks. To fix this issue, free
'tun_qp->tx_ring' whenever an error occurs.
Signed-off-by:
In nand_scan_bbt(), a temporary buffer 'buf' is allocated through
vmalloc(). However, if check_create() fails, 'buf' is not deallocated,
leading to a memory leak bug. To fix this issue, free 'buf' before
returning the error.
Signed-off-by: Wenwen Wang
---
driver
On Mon, Aug 19, 2019 at 2:03 AM wrote:
>
>
>
> On 08/18/2019 08:39 PM, Wenwen Wang wrote:
> > In spi_nor_parse_4bait(), 'dwords' is allocated through kmalloc(). However,
> > it is not deallocated in the following execution if spi_nor_read_sfdp()
> > fail
1 - 100 of 187 matches
Mail list logo
