Vulnerabilities

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> gpio: mockup: fix NULL pointer dereference when removing debugfs<br /> <br /> We now remove the device&amp;#39;s debugfs entries when unbinding the driver.<br /> This now causes a NULL-pointer dereference on module exit because the<br /> platform devices are unregistered *after* the global debugfs directory<br /> has been recursively removed. Fix it by unregistering the devices first.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> fsdax: Fix infinite loop in dax_iomap_rw()<br /> <br /> I got an infinite loop and a WARNING report when executing a tail command<br /> in virtiofs.<br /> <br /> WARNING: CPU: 10 PID: 964 at fs/iomap/iter.c:34 iomap_iter+0x3a2/0x3d0<br /> Modules linked in:<br /> CPU: 10 PID: 964 Comm: tail Not tainted 5.19.0-rc7<br /> Call Trace:<br /> <br /> dax_iomap_rw+0xea/0x620<br /> ? __this_cpu_preempt_check+0x13/0x20<br /> fuse_dax_read_iter+0x47/0x80<br /> fuse_file_read_iter+0xae/0xd0<br /> new_sync_read+0xfe/0x180<br /> ? 0xffffffff81000000<br /> vfs_read+0x14d/0x1a0<br /> ksys_read+0x6d/0xf0<br /> __x64_sys_read+0x1a/0x20<br /> do_syscall_64+0x3b/0x90<br /> entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> <br /> The tail command will call read() with a count of 0. In this case,<br /> iomap_iter() will report this WARNING, and always return 1 which casuing<br /> the infinite loop in dax_iomap_rw().<br /> <br /> Fixing by checking count whether is 0 in dax_iomap_rw().

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth &gt; 0<br /> <br /> When walking through an inode extents, the ext4_ext_binsearch_idx() function<br /> assumes that the extent header has been previously validated. However, there<br /> are no checks that verify that the number of entries (eh-&gt;eh_entries) is<br /> non-zero when depth is &gt; 0. And this will lead to problems because the<br /> EXT_FIRST_INDEX() and EXT_LAST_INDEX() will return garbage and result in this:<br /> <br /> [ 135.245946] ------------[ cut here ]------------<br /> [ 135.247579] kernel BUG at fs/ext4/extents.c:2258!<br /> [ 135.249045] invalid opcode: 0000 [#1] PREEMPT SMP<br /> [ 135.250320] CPU: 2 PID: 238 Comm: tmp118 Not tainted 5.19.0-rc8+ #4<br /> [ 135.252067] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014<br /> [ 135.255065] RIP: 0010:ext4_ext_map_blocks+0xc20/0xcb0<br /> [ 135.256475] Code:<br /> [ 135.261433] RSP: 0018:ffffc900005939f8 EFLAGS: 00010246<br /> [ 135.262847] RAX: 0000000000000024 RBX: ffffc90000593b70 RCX: 0000000000000023<br /> [ 135.264765] RDX: ffff8880038e5f10 RSI: 0000000000000003 RDI: ffff8880046e922c<br /> [ 135.266670] RBP: ffff8880046e9348 R08: 0000000000000001 R09: ffff888002ca580c<br /> [ 135.268576] R10: 0000000000002602 R11: 0000000000000000 R12: 0000000000000024<br /> [ 135.270477] R13: 0000000000000000 R14: 0000000000000024 R15: 0000000000000000<br /> [ 135.272394] FS: 00007fdabdc56740(0000) GS:ffff88807dd00000(0000) knlGS:0000000000000000<br /> [ 135.274510] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 135.276075] CR2: 00007ffc26bd4f00 CR3: 0000000006261004 CR4: 0000000000170ea0<br /> [ 135.277952] Call Trace:<br /> [ 135.278635] <br /> [ 135.279247] ? preempt_count_add+0x6d/0xa0<br /> [ 135.280358] ? percpu_counter_add_batch+0x55/0xb0<br /> [ 135.281612] ? _raw_read_unlock+0x18/0x30<br /> [ 135.282704] ext4_map_blocks+0x294/0x5a0<br /> [ 135.283745] ? xa_load+0x6f/0xa0<br /> [ 135.284562] ext4_mpage_readpages+0x3d6/0x770<br /> [ 135.285646] read_pages+0x67/0x1d0<br /> [ 135.286492] ? folio_add_lru+0x51/0x80<br /> [ 135.287441] page_cache_ra_unbounded+0x124/0x170<br /> [ 135.288510] filemap_get_pages+0x23d/0x5a0<br /> [ 135.289457] ? path_openat+0xa72/0xdd0<br /> [ 135.290332] filemap_read+0xbf/0x300<br /> [ 135.291158] ? _raw_spin_lock_irqsave+0x17/0x40<br /> [ 135.292192] new_sync_read+0x103/0x170<br /> [ 135.293014] vfs_read+0x15d/0x180<br /> [ 135.293745] ksys_read+0xa1/0xe0<br /> [ 135.294461] do_syscall_64+0x3c/0x80<br /> [ 135.295284] entry_SYSCALL_64_after_hwframe+0x46/0xb0<br /> <br /> This patch simply adds an extra check in __ext4_ext_check(), verifying that<br /> eh_entries is not 0 when eh_depth is &gt; 0.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> i2c: mlxbf: prevent stack overflow in mlxbf_i2c_smbus_start_transaction()<br /> <br /> memcpy() is called in a loop while &amp;#39;operation-&gt;length&amp;#39; upper bound<br /> is not checked and &amp;#39;data_idx&amp;#39; also increments.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/gma500: Fix WARN_ON(lock-&gt;magic != lock) error<br /> <br /> psb_gem_unpin() calls dma_resv_lock() but the underlying ww_mutex<br /> gets destroyed by drm_gem_object_release() move the<br /> drm_gem_object_release() call in psb_gem_free_object() to after<br /> the unpin to fix the below warning:<br /> <br /> [ 79.693962] ------------[ cut here ]------------<br /> [ 79.693992] DEBUG_LOCKS_WARN_ON(lock-&gt;magic != lock)<br /> [ 79.694015] WARNING: CPU: 0 PID: 240 at kernel/locking/mutex.c:582 __ww_mutex_lock.constprop.0+0x569/0xfb0<br /> [ 79.694052] Modules linked in: rfcomm snd_seq_dummy snd_hrtimer qrtr bnep ath9k ath9k_common ath9k_hw snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_codec_hdmi snd_hda_intel ath3k snd_intel_dspcfg mac80211 snd_intel_sdw_acpi btusb snd_hda_codec btrtl btbcm btintel btmtk bluetooth at24 snd_hda_core snd_hwdep uvcvideo snd_seq libarc4 videobuf2_vmalloc ath videobuf2_memops videobuf2_v4l2 videobuf2_common snd_seq_device videodev acer_wmi intel_powerclamp coretemp mc snd_pcm joydev sparse_keymap ecdh_generic pcspkr wmi_bmof cfg80211 i2c_i801 i2c_smbus snd_timer snd r8169 rfkill lpc_ich soundcore acpi_cpufreq zram rtsx_pci_sdmmc mmc_core serio_raw rtsx_pci gma500_gfx(E) video wmi ip6_tables ip_tables i2c_dev fuse<br /> [ 79.694436] CPU: 0 PID: 240 Comm: plymouthd Tainted: G W E 6.0.0-rc3+ #490<br /> [ 79.694457] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013<br /> [ 79.694469] RIP: 0010:__ww_mutex_lock.constprop.0+0x569/0xfb0<br /> [ 79.694496] Code: ff 85 c0 0f 84 15 fb ff ff 8b 05 ca 3c 11 01 85 c0 0f 85 07 fb ff ff 48 c7 c6 30 cb 84 aa 48 c7 c7 a3 e1 82 aa e8 ac 29 f8 ff 0b e9 ed fa ff ff e8 5b 83 8a ff 85 c0 74 10 44 8b 0d 98 3c 11<br /> [ 79.694513] RSP: 0018:ffffad1dc048bbe0 EFLAGS: 00010282<br /> [ 79.694623] RAX: 0000000000000028 RBX: 0000000000000000 RCX: 0000000000000000<br /> [ 79.694636] RDX: 0000000000000001 RSI: ffffffffaa8b0ffc RDI: 00000000ffffffff<br /> [ 79.694650] RBP: ffffad1dc048bc80 R08: 0000000000000000 R09: ffffad1dc048ba90<br /> [ 79.694662] R10: 0000000000000003 R11: ffffffffaad62fe8 R12: ffff9ff302103138<br /> [ 79.694675] R13: ffff9ff306ec8000 R14: ffff9ff307779078 R15: ffff9ff3014c0270<br /> [ 79.694690] FS: 00007ff1cccf1740(0000) GS:ffff9ff3bc200000(0000) knlGS:0000000000000000<br /> [ 79.694705] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> [ 79.694719] CR2: 0000559ecbcb4420 CR3: 0000000013210000 CR4: 00000000000006f0<br /> [ 79.694734] Call Trace:<br /> [ 79.694749] <br /> [ 79.694761] ? __schedule+0x47f/0x1670<br /> [ 79.694796] ? psb_gem_unpin+0x27/0x1a0 [gma500_gfx]<br /> [ 79.694830] ? lock_is_held_type+0xe3/0x140<br /> [ 79.694864] ? ww_mutex_lock+0x38/0xa0<br /> [ 79.694885] ? __cond_resched+0x1c/0x30<br /> [ 79.694902] ww_mutex_lock+0x38/0xa0<br /> [ 79.694925] psb_gem_unpin+0x27/0x1a0 [gma500_gfx]<br /> [ 79.694964] psb_gem_unpin+0x199/0x1a0 [gma500_gfx]<br /> [ 79.694996] drm_gem_object_release_handle+0x50/0x60<br /> [ 79.695020] ? drm_gem_object_handle_put_unlocked+0xf0/0xf0<br /> [ 79.695042] idr_for_each+0x4b/0xb0<br /> [ 79.695066] ? _raw_spin_unlock_irqrestore+0x30/0x60<br /> [ 79.695095] drm_gem_release+0x1c/0x30<br /> [ 79.695118] drm_file_free.part.0+0x1ea/0x260<br /> [ 79.695150] drm_release+0x6a/0x120<br /> [ 79.695175] __fput+0x9f/0x260<br /> [ 79.695203] task_work_run+0x59/0xa0<br /> [ 79.695227] do_exit+0x387/0xbe0<br /> [ 79.695250] ? seqcount_lockdep_reader_access.constprop.0+0x82/0x90<br /> [ 79.695275] ? lockdep_hardirqs_on+0x7d/0x100<br /> [ 79.695304] do_group_exit+0x33/0xb0<br /> [ 79.695331] __x64_sys_exit_group+0x14/0x20<br /> [ 79.695353] do_syscall_64+0x58/0x80<br /> [ 79.695376] ? up_read+0x17/0x20<br /> [ 79.695401] ? lock_is_held_type+0xe3/0x140<br /> [ 79.695429] ? asm_exc_page_fault+0x22/0x30<br /> [ 79.695450] ? lockdep_hardirqs_on+0x7d/0x100<br /> [ 79.695473] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> [ 79.695493] RIP: 0033:0x7ff1ccefe3f1<br /> [ 79.695516] Code: Unable to access opcode bytes at RIP 0x7ff1ccefe3c7.<br /> [ 79.695607] RSP: 002b:00007ffed4413378 EFLAGS: <br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> drm/gma500: Fix BUG: sleeping function called from invalid context errors<br /> <br /> gma_crtc_page_flip() was holding the event_lock spinlock while calling<br /> crtc_funcs-&gt;mode_set_base() which takes ww_mutex.<br /> <br /> The only reason to hold event_lock is to clear gma_crtc-&gt;page_flip_event<br /> on mode_set_base() errors.<br /> <br /> Instead unlock it after setting gma_crtc-&gt;page_flip_event and on<br /> errors re-take the lock and clear gma_crtc-&gt;page_flip_event it<br /> it is still set.<br /> <br /> This fixes the following WARN/stacktrace:<br /> <br /> [ 512.122953] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:870<br /> [ 512.123004] in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 1253, name: gnome-shell<br /> [ 512.123031] preempt_count: 1, expected: 0<br /> [ 512.123048] RCU nest depth: 0, expected: 0<br /> [ 512.123066] INFO: lockdep is turned off.<br /> [ 512.123080] irq event stamp: 0<br /> [ 512.123094] hardirqs last enabled at (0): [] 0x0<br /> [ 512.123134] hardirqs last disabled at (0): [] copy_process+0x9fc/0x1de0<br /> [ 512.123176] softirqs last enabled at (0): [] copy_process+0x9fc/0x1de0<br /> [ 512.123207] softirqs last disabled at (0): [] 0x0<br /> [ 512.123233] Preemption disabled at:<br /> [ 512.123241] [] 0x0<br /> [ 512.123275] CPU: 3 PID: 1253 Comm: gnome-shell Tainted: G W 5.19.0+ #1<br /> [ 512.123304] Hardware name: Packard Bell dot s/SJE01_CT, BIOS V1.10 07/23/2013<br /> [ 512.123323] Call Trace:<br /> [ 512.123346] <br /> [ 512.123370] dump_stack_lvl+0x5b/0x77<br /> [ 512.123412] __might_resched.cold+0xff/0x13a<br /> [ 512.123458] ww_mutex_lock+0x1e/0xa0<br /> [ 512.123495] psb_gem_pin+0x2c/0x150 [gma500_gfx]<br /> [ 512.123601] gma_pipe_set_base+0x76/0x240 [gma500_gfx]<br /> [ 512.123708] gma_crtc_page_flip+0x95/0x130 [gma500_gfx]<br /> [ 512.123808] drm_mode_page_flip_ioctl+0x57d/0x5d0<br /> [ 512.123897] ? drm_mode_cursor2_ioctl+0x10/0x10<br /> [ 512.123936] drm_ioctl_kernel+0xa1/0x150<br /> [ 512.123984] drm_ioctl+0x21f/0x420<br /> [ 512.124025] ? drm_mode_cursor2_ioctl+0x10/0x10<br /> [ 512.124070] ? rcu_read_lock_bh_held+0xb/0x60<br /> [ 512.124104] ? lock_release+0x1ef/0x2d0<br /> [ 512.124161] __x64_sys_ioctl+0x8d/0xd0<br /> [ 512.124203] do_syscall_64+0x58/0x80<br /> [ 512.124239] ? do_syscall_64+0x67/0x80<br /> [ 512.124267] ? trace_hardirqs_on_prepare+0x55/0xe0<br /> [ 512.124300] ? do_syscall_64+0x67/0x80<br /> [ 512.124340] ? rcu_read_lock_sched_held+0x10/0x80<br /> [ 512.124377] entry_SYSCALL_64_after_hwframe+0x63/0xcd<br /> [ 512.124411] RIP: 0033:0x7fcc4a70740f<br /> [ 512.124442] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 c2 3d 00 f0 ff ff 77 18 48 8b 44 24 18 64 48 2b 04 25 28 00 00<br /> [ 512.124470] RSP: 002b:00007ffda73f5390 EFLAGS: 00000246 ORIG_RAX: 0000000000000010<br /> [ 512.124503] RAX: ffffffffffffffda RBX: 000055cc9e474500 RCX: 00007fcc4a70740f<br /> [ 512.124524] RDX: 00007ffda73f5420 RSI: 00000000c01864b0 RDI: 0000000000000009<br /> [ 512.124544] RBP: 00007ffda73f5420 R08: 000055cc9c0b0cb0 R09: 0000000000000034<br /> [ 512.124564] R10: 0000000000000000 R11: 0000000000000246 R12: 00000000c01864b0<br /> [ 512.124584] R13: 0000000000000009 R14: 000055cc9df484d0 R15: 000055cc9af5d0c0<br /> [ 512.124647]

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup<br /> <br /> Fix Oops in dasd_alias_get_start_dev() function caused by the pavgroup<br /> pointer being NULL.<br /> <br /> The pavgroup pointer is checked on the entrance of the function but<br /> without the lcu-&gt;lock being held. Therefore there is a race window<br /> between dasd_alias_get_start_dev() and _lcu_update() which sets<br /> pavgroup to NULL with the lcu-&gt;lock held.<br /> <br /> Fix by checking the pavgroup pointer with lcu-&gt;lock held.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bnxt: prevent skb UAF after handing over to PTP worker<br /> <br /> When reading the timestamp is required bnxt_tx_int() hands<br /> over the ownership of the completed skb to the PTP worker.<br /> The skb should not be used afterwards, as the worker may<br /> run before the rest of our code and free the skb, leading<br /> to a use-after-free.<br /> <br /> Since dev_kfree_skb_any() accepts NULL make the loss of<br /> ownership more obvious and set skb to NULL.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> cgroup: cgroup_get_from_id() must check the looked-up kn is a directory<br /> <br /> cgroup has to be one kernfs dir, otherwise kernel panic is caused,<br /> especially cgroup id is provide from userspace.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: sched: fix possible refcount leak in tc_new_tfilter()<br /> <br /> tfilter_put need to be called to put the refount got by tp-&gt;ops-&gt;get to<br /> avoid possible refcount leak when chain-&gt;tmplt_ops != NULL and<br /> chain-&gt;tmplt_ops != tp-&gt;ops.

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> bonding: fix NULL deref in bond_rr_gen_slave_id<br /> <br /> Fix a NULL dereference of the struct bonding.rr_tx_counter member because<br /> if a bond is initially created with an initial mode != zero (Round Robin)<br /> the memory required for the counter is never created and when the mode is<br /> changed there is never any attempt to verify the memory is allocated upon<br /> switching modes.<br /> <br /> This causes the following Oops on an aarch64 machine:<br /> [ 334.686773] Unable to handle kernel paging request at virtual address ffff2c91ac905000<br /> [ 334.694703] Mem abort info:<br /> [ 334.697486] ESR = 0x0000000096000004<br /> [ 334.701234] EC = 0x25: DABT (current EL), IL = 32 bits<br /> [ 334.706536] SET = 0, FnV = 0<br /> [ 334.709579] EA = 0, S1PTW = 0<br /> [ 334.712719] FSC = 0x04: level 0 translation fault<br /> [ 334.717586] Data abort info:<br /> [ 334.720454] ISV = 0, ISS = 0x00000004<br /> [ 334.724288] CM = 0, WnR = 0<br /> [ 334.727244] swapper pgtable: 4k pages, 48-bit VAs, pgdp=000008044d662000<br /> [ 334.733944] [ffff2c91ac905000] pgd=0000000000000000, p4d=0000000000000000<br /> [ 334.740734] Internal error: Oops: 96000004 [#1] SMP<br /> [ 334.745602] Modules linked in: bonding tls veth rfkill sunrpc arm_spe_pmu vfat fat acpi_ipmi ipmi_ssif ixgbe igb i40e mdio ipmi_devintf ipmi_msghandler arm_cmn arm_dsu_pmu cppc_cpufreq acpi_tad fuse zram crct10dif_ce ast ghash_ce sbsa_gwdt nvme drm_vram_helper drm_ttm_helper nvme_core ttm xgene_hwmon<br /> [ 334.772217] CPU: 7 PID: 2214 Comm: ping Not tainted 6.0.0-rc4-00133-g64ae13ed4784 #4<br /> [ 334.779950] Hardware name: GIGABYTE R272-P31-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021<br /> [ 334.789244] pstate: 60400009 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)<br /> [ 334.796196] pc : bond_rr_gen_slave_id+0x40/0x124 [bonding]<br /> [ 334.801691] lr : bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]<br /> [ 334.807962] sp : ffff8000221733e0<br /> [ 334.811265] x29: ffff8000221733e0 x28: ffffdbac8572d198 x27: ffff80002217357c<br /> [ 334.818392] x26: 000000000000002a x25: ffffdbacb33ee000 x24: ffff07ff980fa000<br /> [ 334.825519] x23: ffffdbacb2e398ba x22: ffff07ff98102000 x21: ffff07ff981029c0<br /> [ 334.832646] x20: 0000000000000001 x19: ffff07ff981029c0 x18: 0000000000000014<br /> [ 334.839773] x17: 0000000000000000 x16: ffffdbacb1004364 x15: 0000aaaabe2f5a62<br /> [ 334.846899] x14: ffff07ff8e55d968 x13: ffff07ff8e55db30 x12: 0000000000000000<br /> [ 334.854026] x11: ffffdbacb21532e8 x10: 0000000000000001 x9 : ffffdbac857178ec<br /> [ 334.861153] x8 : ffff07ff9f6e5a28 x7 : 0000000000000000 x6 : 000000007c2b3742<br /> [ 334.868279] x5 : ffff2c91ac905000 x4 : ffff2c91ac905000 x3 : ffff07ff9f554400<br /> [ 334.875406] x2 : ffff2c91ac905000 x1 : 0000000000000001 x0 : ffff07ff981029c0<br /> [ 334.882532] Call trace:<br /> [ 334.884967] bond_rr_gen_slave_id+0x40/0x124 [bonding]<br /> [ 334.890109] bond_xmit_roundrobin_slave_get+0x38/0xdc [bonding]<br /> [ 334.896033] __bond_start_xmit+0x128/0x3a0 [bonding]<br /> [ 334.901001] bond_start_xmit+0x54/0xb0 [bonding]<br /> [ 334.905622] dev_hard_start_xmit+0xb4/0x220<br /> [ 334.909798] __dev_queue_xmit+0x1a0/0x720<br /> [ 334.913799] arp_xmit+0x3c/0xbc<br /> [ 334.916932] arp_send_dst+0x98/0xd0<br /> [ 334.920410] arp_solicit+0xe8/0x230<br /> [ 334.923888] neigh_probe+0x60/0xb0<br /> [ 334.927279] __neigh_event_send+0x3b0/0x470<br /> [ 334.931453] neigh_resolve_output+0x70/0x90<br /> [ 334.935626] ip_finish_output2+0x158/0x514<br /> [ 334.939714] __ip_finish_output+0xac/0x1a4<br /> [ 334.943800] ip_finish_output+0x40/0xfc<br /> [ 334.947626] ip_output+0xf8/0x1a4<br /> [ 334.950931] ip_send_skb+0x5c/0x100<br /> [ 334.954410] ip_push_pending_frames+0x3c/0x60<br /> [ 334.958758] raw_sendmsg+0x458/0x6d0<br /> [ 334.962325] inet_sendmsg+0x50/0x80<br /> [ 334.965805] sock_sendmsg+0x60/0x6c<br /> [ 334.969286] __sys_sendto+0xc8/0x134<br /> [ 334.972853] __arm64_sys_sendto+0x34/0x4c<br /> ---truncated---

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: ebtables: fix memory leak when blob is malformed<br /> <br /> The bug fix was incomplete, it "replaced" crash with a memory leak.<br /> The old code had an assignment to "ret" embedded into the conditional,<br /> restore this.