From: Eric-Terminal <ericterminal@gmail.com>
To: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
Cc: Borislav Petkov <bp@alien8.de>, Tony Luck <tony.luck@intel.com>,
linux-edac@vger.kernel.org, linux-kernel@vger.kernel.org,
Yufan Chen <ericterminal@gmail.com>
Subject: [PATCH v2] EDAC/versalnet: Fix resource leaks and NULL derefs in init_versalnet()
Date: Thu, 26 Feb 2026 19:29:07 +0800 [thread overview]
Message-ID: <20260226112907.76971-1-ericterminal@gmail.com> (raw)
In-Reply-To: <DS2PR12MB9821250527F466180B16ACE38172A@DS2PR12MB9821.namprd12.prod.outlook.com>
From: Yufan Chen <ericterminal@gmail.com>
init_versalnet() has several bugs in its error handling. kzalloc() and
kmalloc() return values are used without NULL checks, causing a NULL
pointer dereference when allocation fails. The cleanup loop uses
while (i--) which skips the current failing index, leaking the
resources already allocated for that slot. edac_mc_del_mc() is called
unconditionally during unwind, even for controllers that were never
registered with edac_mc_add_mc(). Also, sprintf() is used instead of
snprintf() on a fixed-size buffer.
Fix by adding NULL checks for dev and name allocations, replacing
while (i--) with for (j = i; j >= 0; j--) to include the failing
index, tracking successful edac_mc_add_mc() calls with a bool array,
and switching to snprintf().
Signed-off-by: Yufan Chen <ericterminal@gmail.com>
Reviewed-by: Shubhrajyoti Datta <shubhrajyoti.datta@amd.com>
---
v2: Correct Signed-off-by name and add Reviewed-by tag. Fix commit message formatting.
drivers/edac/versalnet_edac.c | 29 ++++++++++++++++++++++++-----
1 file changed, 24 insertions(+), 5 deletions(-)
diff --git a/drivers/edac/versalnet_edac.c b/drivers/edac/versalnet_edac.c
index 1a1092793..128e9cd5f 100644
--- a/drivers/edac/versalnet_edac.c
+++ b/drivers/edac/versalnet_edac.c
@@ -764,11 +764,12 @@ static int init_versalnet(struct mc_priv *priv, struct platform_device *pdev)
{
u32 num_chans, rank, dwidth, config;
struct edac_mc_layer layers[2];
+ bool mc_added[NUM_CONTROLLERS] = { };
struct mem_ctl_info *mci;
struct device *dev;
enum dev_type dt;
char *name;
- int rc, i;
+ int rc, i, j;
for (i = 0; i < NUM_CONTROLLERS; i++) {
config = priv->adec[CONF + i * ADEC_NUM];
@@ -813,11 +814,25 @@ static int init_versalnet(struct mc_priv *priv, struct platform_device *pdev)
priv->dwidth = dt;
dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+ if (!dev) {
+ rc = -ENOMEM;
+ goto err_alloc;
+ }
+
dev->release = versal_edac_release;
name = kmalloc(32, GFP_KERNEL);
- sprintf(name, "versal-net-ddrmc5-edac-%d", i);
+ if (!name) {
+ kfree(dev);
+ rc = -ENOMEM;
+ goto err_alloc;
+ }
+
+ snprintf(name, 32, "versal-net-ddrmc5-edac-%d", i);
dev->init_name = name;
rc = device_register(dev);
+ kfree(name);
+ if (rc)
+ put_device(dev);
if (rc)
goto err_alloc;
@@ -831,21 +846,25 @@ static int init_versalnet(struct mc_priv *priv, struct platform_device *pdev)
edac_printk(KERN_ERR, EDAC_MC, "Failed to register MC%d with EDAC core\n", i);
goto err_alloc;
}
+
+ mc_added[i] = true;
}
return 0;
err_alloc:
- while (i--) {
- mci = priv->mci[i];
+ for (j = i; j >= 0; j--) {
+ mci = priv->mci[j];
if (!mci)
continue;
if (mci->pdev) {
device_unregister(mci->pdev);
- edac_mc_del_mc(mci->pdev);
+ if (mc_added[j])
+ edac_mc_del_mc(mci->pdev);
}
edac_mc_free(mci);
+ priv->mci[j] = NULL;
}
return rc;
--
2.47.3
next prev parent reply other threads:[~2026-02-26 11:29 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-21 7:16 [PATCH] EDAC/versalnet: Fix resource leaks and NULL derefs in init_versalnet() Eric-Terminal
2026-02-22 2:44 ` Borislav Petkov
[not found] ` <CAKNPVZA36XvT7R+QWTOTvAeQNA-sZfnG-h5jV3FnKvKOxqiGtA@mail.gmail.com>
[not found] ` <FE3C5380-E82B-4EC8-B1C0-16026CEEF8A2@alien8.de>
2026-02-22 10:39 ` Eric-Terminal
2026-02-23 13:47 ` Borislav Petkov
2026-02-23 14:58 ` Eric_Terminal
2026-02-26 6:54 ` Datta, Shubhrajyoti
2026-02-26 11:29 ` Eric-Terminal [this message]
2026-02-26 12:59 ` [PATCH v2] " Borislav Petkov
2026-02-26 16:52 ` Datta, Shubhrajyoti
2026-02-22 10:48 ` [PATCH] " Eric_Terminal
2026-02-23 8:54 ` Borislav Petkov
2026-02-23 10:08 ` Eric_Terminal
2026-02-23 10:40 ` Borislav Petkov
2026-02-23 10:52 ` Eric_Terminal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260226112907.76971-1-ericterminal@gmail.com \
--to=ericterminal@gmail.com \
--cc=bp@alien8.de \
--cc=linux-edac@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=shubhrajyoti.datta@amd.com \
--cc=tony.luck@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.