[PATCH v3] xfrm: Reset secpath in xfrm failure

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath") Reported-by: syzbot+b69368fd933c6c592...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- Changes in v2: - Add fixes tag. Changes in v3: - Add out_reset label to remove duplicate secpath_reset() calls. net/ipv4/es

Re: [PATCH v2] xfrm: Reset secpath in xfrm failure

On Wed, Mar 06, 2019 at 02:31:25PM -0800, Eric Dumazet wrote: > > > On 03/06/2019 01:55 PM, Myungho Jung wrote: > > In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated > > without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] would > >

[PATCH v2] xfrm: Reset secpath in xfrm failure

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath") Reported-by: syzbot+b69368fd933c6c592...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- Changes in v2: - Add fixes tag. net/ipv4/esp4_offload.c | 9 +++-- net/ipv6/esp6_offload.c | 9 +++-- 2 files changed, 14

Re: [PATCH] xfrm: Reset secpath in xfrm failure

On Wed, Mar 06, 2019 at 12:35:43PM +0100, Steffen Klassert wrote: > On Wed, Mar 06, 2019 at 04:33:08PM +0900, Myungho Jung wrote: > > In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated > > without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] woul

[PATCH] xfrm: Reset secpath in xfrm failure

ted-by: syzbot+b69368fd933c6c592...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/ipv4/esp4_offload.c | 9 +++-- net/ipv6/esp6_offload.c | 9 +++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c index 8756e0

Re: [PATCH v3 0/2] Bluetooth: Add NULL check for tiocmget() and tiocmset()

On Wed, Feb 06, 2019 at 08:06:54AM +0100, Marcel Holtmann wrote: > Hi Myungho, > > >>> tiocmget() and tiocmset() operations are optional and some tty drivers > >>> like pty miss the operations. Add NULL checks to prevent from > >>> dereference. >

Re: [PATCH v3 0/2] Bluetooth: Add NULL check for tiocmget() and tiocmset()

On Tue, Feb 05, 2019 at 02:55:50PM +0100, Marcel Holtmann wrote: > Hi Myungho, > > > tiocmget() and tiocmset() operations are optional and some tty drivers > > like pty miss the operations. Add NULL checks to prevent from > > dereference. > > > > Myungho Ju

[PATCH v3 2/2] Bluetooth: hci_ldisc: Add NULL check for tiocmget() and tiocmset() in hci_uart_set_flow_control()

tiocmget() or tiocmset() operations are optional. Just return from hci_uart_set_flow_control() if tiocmget() or tiocmset() operation is NULL. Fixes: 2a973dfada2b ("hci_uart: Add new line discipline enhancements") Cc: # 4.2 Signed-off-by: Myungho Jung --- Changes in v2: - Remove br

[PATCH v3 1/2] Bluetooth: hci_ath: Add NULL check for tiocmget() and tiocmset() in ath_setup()

tiocmget() and tiocmset() operations are optional so they are not guaranteed to be set. Return ENODEV in ath_setup() if tty driver doesn't support the operations. Fixes: 4c876c0edbdc ("hci_uart: Add Atheros support for address config") Cc: # 4.1 Signed-off-by: Myungho Jung --

[PATCH v3 0/2] Bluetooth: Add NULL check for tiocmget() and tiocmset()

tiocmget() and tiocmset() operations are optional and some tty drivers like pty miss the operations. Add NULL checks to prevent from dereference. Myungho Jung (2): Bluetooth: hci_ath: Add NULL check for tiocmget() and tiocmset() in ath_setup() Bluetooth: hci_ldisc: Add NULL check for

Re: [PATCH v2] Bluetooth: Add NULL check for tiocmget() and tiocmset()

On Mon, Feb 04, 2019 at 10:22:16AM +0100, Johan Hovold wrote: > On Mon, Feb 04, 2019 at 01:04:37AM -0800, Myungho Jung wrote: > > On Sun, Feb 03, 2019 at 11:29:00PM -0800, Myungho Jung wrote: > > > On Sun, Feb 03, 2019 at 11:53:23AM +0100, Johan Hovold wrote: > > > >

Re: [PATCH v2] Bluetooth: Add NULL check for tiocmget() and tiocmset()

On Sun, Feb 03, 2019 at 11:29:00PM -0800, Myungho Jung wrote: > On Sun, Feb 03, 2019 at 11:53:23AM +0100, Johan Hovold wrote: > > On Sat, Feb 02, 2019 at 10:38:24PM -0800, Myungho Jung wrote: > > > On Thu, Jan 31, 2019 at 04:40:00PM +0100, Johan Hovold wrote: > > > >

Re: [PATCH v2] Bluetooth: Add NULL check for tiocmget() and tiocmset()

On Sun, Feb 03, 2019 at 11:53:23AM +0100, Johan Hovold wrote: > On Sat, Feb 02, 2019 at 10:38:24PM -0800, Myungho Jung wrote: > > On Thu, Jan 31, 2019 at 04:40:00PM +0100, Johan Hovold wrote: > > > On Tue, Jan 29, 2019 at 09:39:28PM -0800, Myungho Jung wrote: > > >

Re: [PATCH v2] Bluetooth: Add NULL check for tiocmget() and tiocmset()

On Thu, Jan 31, 2019 at 04:40:00PM +0100, Johan Hovold wrote: > On Tue, Jan 29, 2019 at 09:39:28PM -0800, Myungho Jung wrote: > > tiocmget() and tiocmset() operations are optional and some tty drivers > > like pty miss the operations. We need NULL check to prevent from

[PATCH] Bluetooth: hci_ldisc: Add NULL check for tty set_termios operation

set_termios should not be NULL so return EOPNOTSUPP if tty driver does not support the operation. Reported-by: syzbot+a950165cbb86bdd02...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- drivers/bluetooth/hci_ldisc.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff

Re: [PATCH v2] Bluetooth: hci_uart: Switch pty driver to slave side in tty_set_termios()

rted-by: syzbot+a950165cbb86bdd02...@syzkaller.appspotmail.com > > Signed-off-by: Myungho Jung > > --- > > drivers/bluetooth/hci_ldisc.c | 27 ++- > > 1 file changed, 22 insertions(+), 5 deletions(-) > > > > diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/blueto

[PATCH] Bluetooth: Fix decrementing reference count twice in releasing socket

from socket and setting to NULL in hci_sock_dev_event(), hci_dev_put(hdev) is unexpectedly called twice. This is resolved by referencing hdev from socket after bt_sock_unlink() in hci_sock_release(). Reported-by: syzbot+fdc3f4efff43b...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung

[PATCH v2] Bluetooth: hci_uart: Switch pty driver to slave side in tty_set_termios()

tty_set_termios() should be called with slave side of pty driver. So, If tty driver is pty master, it needs to be switched to ->link. Reported-by: syzbot+a950165cbb86bdd02...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- drivers/bluetooth/hci_ldisc.c |

Re: [PATCH] Bluetooth: hci_uart: Switch pty driver to slave side in tty_set_termios()

On Wed, Jan 30, 2019 at 11:07:38AM +0100, Johan Hovold wrote: > On Sun, Jan 27, 2019 at 10:53:02PM -0800, Myungho Jung wrote: > > tty_set_termios() should be called with slave side of pty driver. So, If > > tty driver is pty master, it needs to be switched to ->link. > >

Re: [PATCH] Bluetooth: Add NULL check for tiocmget() and tiocmset()

On Wed, Jan 30, 2019 at 10:59:38AM +0100, Johan Hovold wrote: > On Sun, Jan 27, 2019 at 10:59:13PM -0800, Myungho Jung wrote: > > tiocmget() and tiocmset() operations are optional and some tty drivers > > like pty miss the operations. We need NULL check before referencing > >

[PATCH v2] Bluetooth: Add NULL check for tiocmget() and tiocmset()

tiocmget() and tiocmset() operations are optional and some tty drivers like pty miss the operations. We need NULL check to prevent from dereference. Signed-off-by: Myungho Jung --- drivers/bluetooth/hci_ath.c | 6 ++ drivers/bluetooth/hci_ldisc.c | 4 2 files changed, 10 insertions

[PATCH] Bluetooth: Add NULL check for tiocmget() and tiocmset()

tiocmget() and tiocmset() operations are optional and some tty drivers like pty miss the operations. We need NULL check before referencing them. Reported-by: syzbot+a950165cbb86bdd02...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- drivers/bluetooth/hci_ath.c | 13

[PATCH] Bluetooth: hci_uart: Switch pty driver to slave side in tty_set_termios()

tty_set_termios() should be called with slave side of pty driver. So, If tty driver is pty master, it needs to be switched to ->link. Reported-by: syzbot+a950165cbb86bdd02...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- drivers/bluetooth/hci_ldisc.c | 20 +++-

[PATCH] Bluetooth: hci_ldisc: Fix for pty driver

bot+a950165cbb86bdd02...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- drivers/bluetooth/hci_ldisc.c | 76 +-- 1 file changed, 46 insertions(+), 30 deletions(-) diff --git a/drivers/bluetooth/hci_ldisc.c b/drivers/bluetooth/hci_ldisc.c index fbf7b4df23ab..169dde91b

[PATCH] Bluetooth: hci_uart: Check if socket buffer is ERR_PTR in h4_recv_buf()

h4_recv_buf(). Reported-by: syzbot+017a32f149406df32...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- drivers/bluetooth/h4_recv.h | 4 drivers/bluetooth/hci_h4.c | 4 2 files changed, 8 insertions(+) diff --git a/drivers/bluetooth/h4_recv.h b/drivers/bluetooth/h4_recv.h

Re: [PATCH] Bluetooth: hci_uart: Add a local variable to store the result of h4_recv_buf()

On Sat, Jan 19, 2019 at 12:19:20AM -0800, Myungho Jung wrote: > On Fri, Jan 18, 2019 at 10:19:41AM +0100, Marcel Holtmann wrote: > > Hi Myungho, > > > > > In h4_recv(), if h4_recv_buf() returns error and h4_recv() is > > > asynchronously called again before set

Re: [PATCH] Bluetooth: hci_uart: Add a local variable to store the result of h4_recv_buf()

return value in a local variable > > before writing to rx_skb. > > > > Reported-by: syzbot+017a32f149406df32...@syzkaller.appspotmail.com > > Signed-off-by: Myungho Jung > > --- > > drivers/bluetooth/hci_h4.c | 11 +++ > > 1 file changed, 7 insertions(+),

Re: [PATCH] libceph: protect pending flags in ceph_con_keepalive()

On Mon, Jan 14, 2019 at 09:37:25PM +0100, Ilya Dryomov wrote: > On Thu, Jan 3, 2019 at 4:50 AM Myungho Jung wrote: > > I reproduced on vm using syzkaller utils and verified the fix by syzbot. > > Hi Myungho, > > I think this might be a better fix: > > diff --git a

[PATCH] Bluetooth: hci_uart: Add a local variable to store the result of h4_recv_buf()

...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- drivers/bluetooth/hci_h4.c | 11 +++ 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/bluetooth/hci_h4.c b/drivers/bluetooth/hci_h4.c index fb97a3bf069b..fa30ec9cebd4 100644 --- a/drivers/bluetooth/hci_h4.c +++ b/drivers/bluetooth

[PATCH v2] RDMA/cma: Rollback source IP address if failing to acquire device

cma_cancel_operation(). Revert to the previous IP address if acquiring device fails. Reported-by: syzbot+f3ce716af730c8f96...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- drivers/infiniband/core/cma.c | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/drivers

Re: [PATCH] RDMA/cma: Rollback source IP address if failing to acquire device

On Wed, Jan 09, 2019 at 01:28:34PM +, Parav Pandit wrote: > > > > -Original Message- > > From: linux-rdma-ow...@vger.kernel.org > ow...@vger.kernel.org> On Behalf Of Myungho Jung > > Sent: Friday, January 4, 2019 12:46 AM > > To: Doug Ledfor

[PATCH v3] net/smc: fix TCP fallback socket release

smc_release(). Reported-by: syzbot+0bf2e01269f1274b4...@syzkaller.appspotmail.com Reported-by: syzbot+e3132895630f95730...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/smc/af_smc.c | 14 -- net/smc/smc.h| 4 2 files changed, 16 insertions(+), 2 deletions

[PATCH] RDMA/cma: Rollback source IP address if failing to acquire device

cma_cancel_operation(). Revert to the previous IP address if acquiring device fails. Reported-by: syzbot+f3ce716af730c8f96...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- drivers/infiniband/core/cma.c | 8 +++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/drivers

Re: [PATCH] libceph: protect pending flags in ceph_con_keepalive()

On Wed, Jan 02, 2019 at 04:42:47PM +0100, Ilya Dryomov wrote: > On Thu, Dec 27, 2018 at 8:08 PM Myungho Jung wrote: > > > > con_flag_test_and_set() sets CON_FLAG_KEEPALIVE_PENDING and > > CON_FLAG_WRITE_PENDING flags without protection in ceph_con_keepalive(). > &g

[PATCH] libceph: protect pending flags in ceph_con_keepalive()

called before releasing the lock and store the condition to check after the critical section. Reported-by: syzbot+acdeb633f6211ccdf...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/ceph/messenger.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ceph

[PATCH v3] net/smc: fix TCP fallback socket release

smc_release(). Reported-by: syzbot+0bf2e01269f1274b4...@syzkaller.appspotmail.com Reported-by: syzbot+e3132895630f95730...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/smc/af_smc.c | 14 -- net/smc/smc.h| 4 2 files changed, 16 insertions(+), 2 deletions

Re: [PATCH v2] net/smc: fix TCP fallback socket release

On Mon, Dec 17, 2018 at 03:58:58PM +0100, Ursula Braun wrote: > Hi Ursula, Thank you for your suggestion. I have a question on your comment. > > On 12/17/2018 06:21 AM, Myungho Jung wrote: > > clcsock can be released while kernel_accept() references it in TCP > > listen

[PATCH v2] net/smc: fix TCP fallback socket release

smc_release(). Reported-by: syzbot+0bf2e01269f1274b4...@syzkaller.appspotmail.com Reported-by: syzbot+e3132895630f95730...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/smc/af_smc.c | 14 -- net/smc/smc.h| 2 ++ 2 files changed, 14 insertions(+), 2 deletions(-) diff

[PATCH] net/smc: fix TCP fallback socket release

smc_release(). Reported-by: syzbot+0bf2e01269f1274b4...@syzkaller.appspotmail.com Reported-by: syzbot+e3132895630f95730...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/smc/af_smc.c | 12 +++- net/smc/smc.h| 2 ++ 2 files changed, 13 insertions(+), 1 deletion(-) diff

[PATCH] fuse: Add bad inode check in fuse_destroy_inode()

pty() returns false in fuse_destroy_inode(). Add is_bad_inode() to check if make_bad_inode() was called. Reported-by: syzbot+b9c89b84423073226...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- fs/fuse/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/f

[PATCH] fs: fix utimensat to return correct error code

According to man utimensat(2), EACCES should be returned if the file is immutable and time values are null or UTIME_NOW. Testcase is utimesat01/LTP. Signed-off-by: Myungho Jung --- fs/attr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/attr.c b/fs/attr.c index 1353041

[PATCH v2] timer/sysclt: Restrict timer migration sysctl values to 0 and 1

timer_migration sysctl acts as a boolean switch, so the allowed values should be restricted to 0 and 1. Add the necessary extra fields to the sysctl table entry to enforce that. Testcase is ltp/runpwtests06. Signed-off-by: Myungho Jung --- Changes in v2: - Correct commit log kernel/sysctl.c

Re: [PATCH] timer: fix timer_migration to accept only 0 and 1

On Thu, Apr 20, 2017 at 07:45:49PM +0200, Thomas Gleixner wrote: > On Thu, 20 Apr 2017, Myungho Jung wrote: > > I understood. I'll resubmit the patch after fixing log. > > I recommend to check your inbox first. > > Thanks, > > tglx Yes, I confirmed a messag

Re: [PATCH] timer: fix timer_migration to accept only 0 and 1

On Thu, Apr 20, 2017 at 02:53:26PM +0200, Thomas Gleixner wrote: > On Wed, 19 Apr 2017, Myungho Jung wrote: > > > Error is not shown by setting invalid value to timer_migration. Valid > > values for timer_migration should be restricted to 0 and 1. Testcase for > > this

[tip:timers/core] timer/sysclt: Restrict timer migration sysctl values to 0 and 1

Commit-ID: b94bf594cf8ed67cdd0439e70fa939783471597a Gitweb: http://git.kernel.org/tip/b94bf594cf8ed67cdd0439e70fa939783471597a Author: Myungho Jung AuthorDate: Wed, 19 Apr 2017 15:24:50 -0700 Committer: Thomas Gleixner CommitDate: Thu, 20 Apr 2017 14:56:59 +0200 timer/sysclt: Restrict

[PATCH] timer: fix timer_migration to accept only 0 and 1

Error is not shown by setting invalid value to timer_migration. Valid values for timer_migration should be restricted to 0 and 1. Testcase for this bug is ltp/runpwtests06. Signed-off-by: Myungho Jung --- kernel/sysctl.c | 2 ++ kernel/time/timer.c | 2 +- 2 files changed, 3 insertions