[PATCH] thunderbolt: debugfs: fix margining error counter buffer leak

raoxu posted 1 patch 4 days, 20 hours ago
drivers/thunderbolt/debugfs.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
Posted by raoxu 4 days, 20 hours ago
From: Xu Rao <raoxu@uniontech.com>

When USB4 lane margining debugfs write support is enabled,
margining_error_counter_write() copies the user input with
validate_and_copy_from_user(). This allocates a temporary page that is
only needed while parsing the requested error counter mode.

The function currently returns without freeing that page. This leaks one
page per write to the error_counter debugfs file, including successful
writes and writes that later fail while taking the domain lock or because
software margining is not enabled.

Free the temporary page once parsing has completed, and also before
returning from the invalid-input path.

Fixes: 10904df3f20c ("thunderbolt: Improve software receiver lane margining")
Signed-off-by: Xu Rao <raoxu@uniontech.com>
---
 drivers/thunderbolt/debugfs.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/thunderbolt/debugfs.c b/drivers/thunderbolt/debugfs.c
index 042f6a0d0f7f..25f6ea6ea094 100644
--- a/drivers/thunderbolt/debugfs.c
+++ b/drivers/thunderbolt/debugfs.c
@@ -956,7 +956,9 @@ margining_error_counter_write(struct file *file, const char __user *user_buf,
 	else if (!strcmp(buf, "stop"))
 		error_counter = USB4_MARGIN_SW_ERROR_COUNTER_STOP;
 	else
-		return -EINVAL;
+		goto err_free;
+
+	free_page((unsigned long)buf);

 	scoped_cond_guard(mutex_intr, return -ERESTARTSYS, &tb->lock) {
 		if (!margining->software)
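Review bot: the free_page((unsigned long)buf) added after the strcmp chain leaves buf dangling for the rest of the function, so the paths below it (the return -ERESTARTSYS in scoped_cond_guard and the !margining->software check) stay correct only as long as nothing touches buf again. That holds for the lines visible here, but a short comment that buf is valid only while parsing would help. Alternatively, move the parse into a small helper that returns the error counter mode and releases the page itself. Either would keep a later change from introducing a use-after-free.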
@@ -966,6 +968,10 @@ margining_error_counter_write(struct file *file, const char __user *user_buf,
 	}

 	return count;
+
+err_free:
+	free_page((unsigned long)buf);
+	return -EINVAL;
 }

 static int margining_error_counter_show(struct seq_file *s, void *not_used)
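Review bot: the err_free label has a single user and hardcodes return -EINVAL, so the function now carries two separate free_page((unsigned long)buf) calls for one allocation, and any future goto err_free would silently report -EINVAL whatever the actual failure. Freeing inline in the else branch before return -EINVAL, or recording the error in a local and freeing once after the strcmp chain, would drop the label and leave a single release point.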
--
2.50.1
Re: [PATCH] thunderbolt: debugfs: fix margining error counter buffer leak
Posted by Mika Westerberg 4 days, 1 hour ago
On Wed, Jun 03, 2026 at 05:59:57PM +0800, raoxu wrote:
> From: Xu Rao <raoxu@uniontech.com>
> 
> When USB4 lane margining debugfs write support is enabled,
> margining_error_counter_write() copies the user input with
> validate_and_copy_from_user(). This allocates a temporary page that is
> only needed while parsing the requested error counter mode.
> 
> The function currently returns without freeing that page. This leaks one
> page per write to the error_counter debugfs file, including successful
> writes and writes that later fail while taking the domain lock or because
> software margining is not enabled.
> 
> Free the temporary page once parsing has completed, and also before
> returning from the invalid-input path.
> 
> Fixes: 10904df3f20c ("thunderbolt: Improve software receiver lane margining")
> Signed-off-by: Xu Rao <raoxu@uniontech.com>

Applied to thunderbolt.git/next, thanks!