- Kernel - mailweb.openeuler.org

完成任务，获得荣誉，openEuler 社区的这项比赛有点逆天！
by Marketing openEuler 27 May '21

27 May '21

先说比赛规则独立开发者参赛 *做题得分* *每周结算* 这是任务打榜赛不满足？来看一下*特性命题赛*？独立开发者组队参赛区域赛、半决赛、总决赛过五关斩六将谁可以独占鳌头？你将是*社区贡献者* *你的 ID* 会被铭刻在社区还有*“一”点奖金* [image: WechatIMG16.jpeg]

1 0

[PATCH kernel-4.19] arm/ras: Report ARM processor information to userspace
by Yang Yingliang 27 May '21

27 May '21

From: Shenwei Luo <luoshengwei(a)huawei.com> kunpeng inclusion category: feature bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=45 CVE: NA The ARM processor error section includes several ARM processor error information, several ARM processor context information and several vendor specific error information structures. Report all of these information to userspace via perf i/f. Shengwei Luo: backport for openEuler 20.xx kernel. V2: report severity info to userspace V1: fix the error in the original patch. Ensure all info to be parsed correctly. Original-Author: Jason Tian <jason(a)os.amperecomputing.com> Signed-off-by: Gong Chen <chengong15(a)huawei.com> Signed-off-by: Shengwei Luo <luoshengwei(a)huawei.com> Cc: Chen Wei <chenwei68(a)huawei.com> Reviewed-by: Xiongfeng Wang <wangxiongfeng2(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- arch/arm64/kernel/ras.c | 5 +++-- drivers/acpi/apei/ghes.c | 6 +++--- drivers/ras/ras.c | 40 ++++++++++++++++++++++++++++++++++-- include/acpi/ghes.h | 2 +- include/linux/ras.h | 4 ++-- include/ras/ras_event.h | 44 +++++++++++++++++++++++++++++++++++----- 6 files changed, 86 insertions(+), 15 deletions(-) diff --git a/arch/arm64/kernel/ras.c b/arch/arm64/kernel/ras.c index 0414289b0707c..181e609e1cd4c 100644 --- a/arch/arm64/kernel/ras.c +++ b/arch/arm64/kernel/ras.c @@ -118,13 +118,14 @@ void sea_notify_process(void) } } -void ghes_arm_process_error(struct ghes *ghes, struct cper_sec_proc_arm *err) +void ghes_arm_process_error(struct ghes *ghes, + struct cper_sec_proc_arm *err, int sec_sev) { int i; bool info_saved = false; struct cper_arm_err_info *err_info; - log_arm_hw_error(err); + log_arm_hw_error(err, sec_sev); if ((ghes->generic->notify.type != ACPI_HEST_NOTIFY_SEA) || (ghes->estatus->error_severity != CPER_SEV_RECOVERABLE)) diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c index e2704619e7015..e807e8f74d1e0 100644 --- a/drivers/acpi/apei/ghes.c +++ b/drivers/acpi/apei/ghes.c @@ -465,9 +465,9 @@ static void ghes_handle_aer(struct acpi_hest_generic_data *gdata) } void __weak ghes_arm_process_error(struct ghes *ghes, - struct cper_sec_proc_arm *err) + struct cper_sec_proc_arm *err, int sec_sev) { - log_arm_hw_error(err); + log_arm_hw_error(err, sec_sev); } static void ghes_do_proc(struct ghes *ghes, @@ -510,7 +510,7 @@ static void ghes_do_proc(struct ghes *ghes, else if (guid_equal(sec_type, &CPER_SEC_PROC_ARM)) { struct cper_sec_proc_arm *err = acpi_hest_get_payload(gdata); - ghes_arm_process_error(ghes, err); + ghes_arm_process_error(ghes, err, sec_sev); } else if (guid_equal(sec_type, &CPER_SEC_TS_CORE)) { blocking_notifier_call_chain(&ghes_ts_err_chain, 0, acpi_hest_get_payload(gdata)); diff --git a/drivers/ras/ras.c b/drivers/ras/ras.c index 3f38907320dcc..9302ed7f42588 100644 --- a/drivers/ras/ras.c +++ b/drivers/ras/ras.c @@ -21,9 +21,45 @@ void log_non_standard_event(const uuid_le *sec_type, const uuid_le *fru_id, trace_non_standard_event(sec_type, fru_id, fru_text, sev, err, len); } -void log_arm_hw_error(struct cper_sec_proc_arm *err) +void log_arm_hw_error(struct cper_sec_proc_arm *err, const u8 sev) { - trace_arm_event(err); + u32 pei_len; + u32 ctx_len = 0; + u32 vsei_len; + u8 *pei_err; + u8 *ctx_err; + u8 *ven_err_data; + struct cper_arm_err_info *err_info; + struct cper_arm_ctx_info *ctx_info; + int n, sz; + + pei_len = sizeof(struct cper_arm_err_info) * err->err_info_num; + pei_err = (u8 *)err + sizeof(struct cper_sec_proc_arm); + + err_info = (struct cper_arm_err_info *)(err + 1); + ctx_info = (struct cper_arm_ctx_info *)(err_info + err->err_info_num); + ctx_err = (u8 *)ctx_info; + for (n = 0; n < err->context_info_num; n++) { + sz = sizeof(struct cper_arm_ctx_info) + ctx_info->size; + ctx_info = (struct cper_arm_ctx_info *)((long)ctx_info + sz); + ctx_len += sz; + } + + vsei_len = err->section_length - (sizeof(struct cper_sec_proc_arm) + + pei_len + ctx_len); + if (vsei_len < 0) { + printk(FW_BUG + "section length: %d\n", err->section_length); + printk(FW_BUG + "section length is too small\n"); + pr_warn(FW_BUG + "firmware-generated error record is incorrect\n"); + vsei_len = 0; + } + ven_err_data = (u8 *)ctx_info; + + trace_arm_event(err, pei_err, pei_len, ctx_err, ctx_len, + ven_err_data, vsei_len, sev); } static int __init ras_init(void) diff --git a/include/acpi/ghes.h b/include/acpi/ghes.h index 4c536a2638df7..9aaeaaa3d1a7f 100644 --- a/include/acpi/ghes.h +++ b/include/acpi/ghes.h @@ -124,7 +124,7 @@ int ghes_notify_sea(void); static inline int ghes_notify_sea(void) { return -ENOENT; } #endif extern void ghes_arm_process_error(struct ghes *ghes, - struct cper_sec_proc_arm *err); + struct cper_sec_proc_arm *err, int sec_sev); struct ghes_mem_err { int notify_type; diff --git a/include/linux/ras.h b/include/linux/ras.h index 7c3debb47c87a..3431b4a5fa42d 100644 --- a/include/linux/ras.h +++ b/include/linux/ras.h @@ -29,7 +29,7 @@ static inline int cec_add_elem(u64 pfn) { return -ENODEV; } void log_non_standard_event(const guid_t *sec_type, const guid_t *fru_id, const char *fru_text, const u8 sev, const u8 *err, const u32 len); -void log_arm_hw_error(struct cper_sec_proc_arm *err); +void log_arm_hw_error(struct cper_sec_proc_arm *err, const u8 sev); #else static inline void log_non_standard_event(const guid_t *sec_type, @@ -37,7 +37,7 @@ log_non_standard_event(const guid_t *sec_type, const u8 sev, const u8 *err, const u32 len) { return; } static inline void -log_arm_hw_error(struct cper_sec_proc_arm *err) { return; } +log_arm_hw_error(struct cper_sec_proc_arm *err, const u8 sev) { return; } #endif #endif /* __RAS_H__ */ diff --git a/include/ras/ras_event.h b/include/ras/ras_event.h index a0794632fd01a..7c8cb123ba32d 100644 --- a/include/ras/ras_event.h +++ b/include/ras/ras_event.h @@ -168,11 +168,23 @@ TRACE_EVENT(mc_event, * This event is generated when hardware detects an ARM processor error * has occurred. UEFI 2.6 spec section N.2.4.4. */ +#define APEIL "ARM Processor Err Info data len" +#define APEID "ARM Processor Err Info raw data" +#define APECIL "ARM Processor Err Context Info data len" +#define APECID "ARM Processor Err Context Info raw data" +#define VSEIL "Vendor Specific Err Info data len" +#define VSEID "Vendor Specific Err Info raw data" TRACE_EVENT(arm_event, - TP_PROTO(const struct cper_sec_proc_arm *proc), + TP_PROTO(const struct cper_sec_proc_arm *proc, const u8 *pei_err, + const u32 pei_len, + const u8 *ctx_err, + const u32 ctx_len, + const u8 *oem, + const u32 oem_len, + u8 sev), - TP_ARGS(proc), + TP_ARGS(proc, pei_err, pei_len, ctx_err, ctx_len, oem, oem_len, sev), TP_STRUCT__entry( __field(u64, mpidr) @@ -180,6 +192,13 @@ TRACE_EVENT(arm_event, __field(u32, running_state) __field(u32, psci_state) __field(u8, affinity) + __field(u32, pei_len) + __dynamic_array(u8, buf, pei_len) + __field(u32, ctx_len) + __dynamic_array(u8, buf1, ctx_len) + __field(u32, oem_len) + __dynamic_array(u8, buf2, oem_len) + __field(u8, sev) ), TP_fast_assign( @@ -199,12 +218,27 @@ TRACE_EVENT(arm_event, __entry->running_state = ~0; __entry->psci_state = ~0; } + __entry->pei_len = pei_len; + memcpy(__get_dynamic_array(buf), pei_err, pei_len); + __entry->ctx_len = ctx_len; + memcpy(__get_dynamic_array(buf1), ctx_err, ctx_len); + __entry->oem_len = oem_len; + memcpy(__get_dynamic_array(buf2), oem, oem_len); + __entry->sev = sev; ), - TP_printk("affinity level: %d; MPIDR: %016llx; MIDR: %016llx; " - "running state: %d; PSCI state: %d", + TP_printk("error: %d; affinity level: %d; MPIDR: %016llx; MIDR: %016llx; " + "running state: %d; PSCI state: %d; " + "%s: %d; %s: %s; %s: %d; %s: %s; %s: %d; %s: %s", + __entry->sev, __entry->affinity, __entry->mpidr, __entry->midr, - __entry->running_state, __entry->psci_state) + __entry->running_state, __entry->psci_state, + APEIL, __entry->pei_len, APEID, + __print_hex(__get_dynamic_array(buf), __entry->pei_len), + APECIL, __entry->ctx_len, APECID, + __print_hex(__get_dynamic_array(buf1), __entry->ctx_len), + VSEIL, __entry->oem_len, VSEID, + __print_hex(__get_dynamic_array(buf2), __entry->oem_len)) ); /* -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS] io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers
by Yang Yingliang 27 May '21

27 May '21

From: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> mainline inclusion from mainline-v5.13-rc1 commit d1f82808877bb10d3deee7cf3374a4eb3fb582db category: bugfix bugzilla: NA CVE: CVE-2021-3491 -------------------------------- Read and write operations are capped to MAX_RW_COUNT. Some read ops rely on that limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS. Truncate those lengths when doing io_add_buffers, so buffer addresses still use the uncapped length. Also, take the chance and change struct io_buffer len member to __u32, so it matches struct io_provide_buffer len member. This fixes CVE-2021-3491, also reported as ZDI-CAN-13546. Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") Reported-by: Billy Jheng Bing-Jhong (@st424204) Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/io_uring.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index 02ebfc46228a9..f661231cdfad6 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -216,7 +216,7 @@ struct fixed_file_data { struct io_buffer { struct list_head list; __u64 addr; - __s32 len; + __u32 len; __u16 bid; }; @@ -3523,7 +3523,7 @@ static int io_add_buffers(struct io_provide_buf *pbuf, struct io_buffer **head) break; buf->addr = addr; - buf->len = pbuf->len; + buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT); buf->bid = bid; addr += pbuf->len; bid++; -- 2.25.1

1 0

【Meeting Notice】openEuler kernel 技术分享第六期 & 双周例会 Time: 2021-05-28 14:00-18:00
by Meeting Book 27 May '21

27 May '21

1 0

【Meeting Notice】openEuler kernel 技术分享第六期 & 双周例会 Time: 2021-05-28 14:00-18:00
by Meeting Book 27 May '21

27 May '21

2 3

Re: kernel@openeuler.org post from justcaca@126.com requires approval
by Xie XiuQi 26 May '21

26 May '21

Hi, Thanks for your patch. 请先注册一下 kernel 邮件列表，不然邮件列表服务器会拦截非相关的邮件。可以从下面链接注册，并确认。需要确认后，才注册成功。 https://mailweb.openeuler.org/postorius/lists/kernel.openeuler.org/ 另外，你明天有时间吗，明天下午 kernel sig 的例会，可以讲一下这个补丁场景和解决的问题吗？谢谢 On 2021/5/26 15:58, kernel-owner(a)openeuler.org wrote: > As list administrator, your authorization is requested for the > following mailing list posting: > > List: kernel(a)openeuler.org > From: justcaca(a)126.com > Subject: [PATCH] 4.19: PTP_KVM support for arm/arm64 > > The message is being held because: > > The message is not from a list member > > At your convenience, visit your dashboard to approve or deny the > request. >

2 2

[PATCH openEuler-1.0-LTS] fuse: update attr_version counter on fuse_notify_inval_inode()
by Yang Yingliang 26 May '21

26 May '21

From: Miklos Szeredi <mszeredi(a)redhat.com> mainline inclusion from mainline-v5.8-rc1 commit 5ddd9ced9aef6cfa76af27d384c17c9e2d610ce8 category: bugfix bugzilla: 37636 CVE: NA ------------------------------------------------- A GETATTR request can race with FUSE_NOTIFY_INVAL_INODE, resulting in the attribute cache being updated with stale information after the invalidation. Fix this by bumping the attribute version in fuse_reverse_inval_inode(). Reported-by: Krzysztof Rusek <rusek(a)9livesdata.com> Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> Conflict: fs/fuse/inode.c a. commit f15ecfef058d ("fuse: Introduce fi->lock to protect write related fields") is not backported, 'fi->lock' do not exist. b. commit 4510d86fbbb3 ("fuse: Convert fc->attr_version into atomic64_t") is not backported, 'fc->lock' is needed to read 'fc->attr_version'. Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/fuse/inode.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index 821597c618843..e245e0d405046 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -334,6 +334,8 @@ struct inode *fuse_iget(struct super_block *sb, u64 nodeid, int fuse_reverse_inval_inode(struct super_block *sb, u64 nodeid, loff_t offset, loff_t len) { + struct fuse_conn *fc = get_fuse_conn_super(sb); + struct fuse_inode *fi; struct inode *inode; pgoff_t pg_start; pgoff_t pg_end; @@ -342,6 +344,11 @@ int fuse_reverse_inval_inode(struct super_block *sb, u64 nodeid, if (!inode) return -ENOENT; + fi = get_fuse_inode(inode); + spin_lock(&fc->lock); + fi->attr_version = ++fc->attr_version; + spin_unlock(&fc->lock); + fuse_invalidate_attr(inode); forget_all_cached_acls(inode); if (offset >= 0) { -- 2.25.1

1 0

[PATCH kernel-4.19] fuse: update attr_version counter on fuse_notify_inval_inode()
by Yang Yingliang 26 May '21

26 May '21

From: Miklos Szeredi <mszeredi(a)redhat.com> mainline inclusion from mainline-v5.8-rc1 commit 5ddd9ced9aef6cfa76af27d384c17c9e2d610ce8 category: bugfix bugzilla: 37636 CVE: NA ------------------------------------------------- A GETATTR request can race with FUSE_NOTIFY_INVAL_INODE, resulting in the attribute cache being updated with stale information after the invalidation. Fix this by bumping the attribute version in fuse_reverse_inval_inode(). Reported-by: Krzysztof Rusek <rusek(a)9livesdata.com> Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> Conflict: fs/fuse/inode.c a. commit f15ecfef058d ("fuse: Introduce fi->lock to protect write related fields") is not backported, 'fi->lock' do not exist. b. commit 4510d86fbbb3 ("fuse: Convert fc->attr_version into atomic64_t") is not backported, 'fc->lock' is needed to read 'fc->attr_version'. Signed-off-by: Yu Kuai <yukuai3(a)huawei.com> Reviewed-by: Zhang Yi <yi.zhang(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- fs/fuse/inode.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/fuse/inode.c b/fs/fuse/inode.c index 821597c618843..e245e0d405046 100644 --- a/fs/fuse/inode.c +++ b/fs/fuse/inode.c @@ -334,6 +334,8 @@ struct inode *fuse_iget(struct super_block *sb, u64 nodeid, int fuse_reverse_inval_inode(struct super_block *sb, u64 nodeid, loff_t offset, loff_t len) { + struct fuse_conn *fc = get_fuse_conn_super(sb); + struct fuse_inode *fi; struct inode *inode; pgoff_t pg_start; pgoff_t pg_end; @@ -342,6 +344,11 @@ int fuse_reverse_inval_inode(struct super_block *sb, u64 nodeid, if (!inode) return -ENOENT; + fi = get_fuse_inode(inode); + spin_lock(&fc->lock); + fi->attr_version = ++fc->attr_version; + spin_unlock(&fc->lock); + fuse_invalidate_attr(inode); forget_all_cached_acls(inode); if (offset >= 0) { -- 2.25.1

1 0

[PATCH kernel-4.19] alinux: random: speed up the initialization of module
by Yang Yingliang 26 May '21

26 May '21

From: Xingjun Liu <xingjun.lxj(a)alibaba-inc.com> anolis inclusion from anolis_master commit 7afda44c8a9e043f8f16dcc57dd8ef615522e2c8 category: performance bugzilla: NA CVE: NA --------------------------- alinux: random: speed up the initialization of module During the module initialization phase, entropy will be added to entropy pool for every interrupt, the change should speed up initialization of the random module. Before optimization: [ 22.180236] random: crng init done After optimization: [ 1.474832] random: crng init done Signed-off-by: Xingjun Liu <xingjun.lxj(a)alibaba-inc.com> Reviewed-by: Liu Jiang <gerry(a)linux.alibaba.com> Reviewed-by: Caspar Zhang <caspar(a)linux.alibaba.com> Reviewed-by: Jia Zhang <zhang.jia(a)linux.alibaba.com> Reviewed-by: Yang Shi <yang.shi(a)linux.alibaba.com> Reviewed-by: Liu Bo <bo.liu(a)linux.alibaba.com> Signed-off-by: Chen Jialong <chenjialong(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Reviewed-by: Ziyuan Hu <huziyuan(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/char/random.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/char/random.c b/drivers/char/random.c index 347d9e1f65798..72d47ac06af97 100644 --- a/drivers/char/random.c +++ b/drivers/char/random.c @@ -1274,7 +1274,8 @@ void add_interrupt_randomness(int irq, int irq_flags) } if ((fast_pool->count < 64) && - !time_after(now, fast_pool->last + HZ)) + !time_after(now, fast_pool->last + HZ) && + crng_ready()) return; r = &input_pool; -- 2.25.1

1 0

[PATCH openEuler-1.0-LTS 1/4] net/nfc: fix use-after-free llcp_sock_bind/connect
by Yang Yingliang 26 May '21

26 May '21

From: Or Cohen <orcohen(a)paloaltonetworks.com> stable inclusion from linux-4.19.191 commit 48fba458fe54cc2a980a05c13e6c19b8b2cfb610 CVE: CVE-2021-23134 -------------------------------- commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream. Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()") and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") fixed a refcount leak bug in bind/connect but introduced a use-after-free if the same local is assigned to 2 different sockets. This can be triggered by the following simple program: int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) ); addr.sa_family = AF_NFC; addr.nfc_protocol = NFC_PROTO_NFC_DEP; bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) close(sock1); close(sock2); Fix this by assigning NULL to llcp_sock->local after calling nfc_llcp_local_put. This addresses CVE-2021-23134. Reported-by: Or Cohen <orcohen(a)paloaltonetworks.com> Reported-by: Nadav Markus <nmarkus(a)paloaltonetworks.com> Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") Signed-off-by: Or Cohen <orcohen(a)paloaltonetworks.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> Reviewed-by: Xiu Jianfeng <xiujianfeng(a)huawei.com> Reviewed-by: Yue Haibing <yuehaibing(a)huawei.com> Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- net/nfc/llcp_sock.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c index bc269e83e1e55..59de4f54dd18c 100644 --- a/net/nfc/llcp_sock.c +++ b/net/nfc/llcp_sock.c @@ -121,12 +121,14 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) GFP_KERNEL); if (!llcp_sock->service_name) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; kfree(llcp_sock->service_name); llcp_sock->service_name = NULL; ret = -EADDRINUSE; @@ -721,6 +723,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, llcp_sock->ssap = nfc_llcp_get_local_ssap(local); if (llcp_sock->ssap == LLCP_SAP_MAX) { nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; ret = -ENOMEM; goto put_dev; } @@ -759,6 +762,7 @@ static int llcp_sock_connect(struct socket *sock, struct sockaddr *_addr, sock_unlink: nfc_llcp_put_ssap(local, llcp_sock->ssap); nfc_llcp_local_put(llcp_sock->local); + llcp_sock->local = NULL; nfc_llcp_sock_unlink(&local->connecting_sockets, sk); kfree(llcp_sock->service_name); -- 2.25.1

1 3