set info->apertures
to NULL. This is because letting framebuffer_release() handle freeing the
memory follows the fbdev pattern, and is less code overall.
Signed-off-by: Lv Yunlong
---
drivers/video/fbdev/hyperv_fb.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/video/fbdev/hyperv_fb
calls
xen_drm_drv_fini(front_info) cause a use after free at the
drm_info = front_info->drm_info statement.
My patch does two things. First, it fixes the fail label, where
drm_info = kzalloc() failed and drm_info is still freed.
Second, it sets front_info->drm_info to NULL to avoid the UAF.
Signed-off-by
In mport_mm_close, map is freed by kref_put(&map->ref,).
But mutex_unlock(&map->md->buf_mutex) uses map later.
Another thread could allocate the freed chunk and cause
an unexpected result.
My patch adds a variable buf_mutex to store the mutex before
map is freed.
Signed-o
() ahead of pcie_device_put()
to avoid uaf.
Signed-off-by: Lv Yunlong
---
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index ffca03064797..17061f54d616 100644
to put se_nacl. It may cause an error in a race.
My patch sets se_nacl->dynamic_stop to false to avoid the
double put.
Signed-off-by: Lv Yunlong
---
drivers/target/target_core_transport.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/target/target_core_transport.c
freed.
Later in tb_cfg_read_raw before the err check,
tb_cfg_request_put(req) is called again. It may cause an error
in a race.
My patch puts tb_cfg_request_put(req) after the err check
has finished to avoid an unexpected result.
Signed-off-by: Lv Yunlong
---
drivers/thunderbolt/ctl.c | 4 ++--
1 file changed
checks to avoid the data being put twice. It could cause
errors in a race.
Signed-off-by: Lv Yunlong
---
drivers/usb/class/usbtmc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index 74d5a9c5238a..e0438cb46386 100644
failed.
I think the statement if (fsc->s_fs_info) {kfree(fm);} is
misplaced.
My patch puts this statement in the correct place to avoid
a double free.
Signed-off-by: Lv Yunlong
---
fs/fuse/virtio_fs.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/fs/fuse/virtio_fs
uble free.
Signed-off-by: Lv Yunlong
---
drivers/video/fbdev/hyperv_fb.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
index c8b0ae676809..2fc9b507e73a 100644
--- a/drivers/video/fbdev/hyperv_fb.c
+++ b/drivers/vi
adds a lock to protect kref from changing in a race.
Signed-off-by: Lv Yunlong
---
drivers/usb/class/usbtmc.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index 74d5a9c5238a..44f1fcabbb1e 100644
--- a/drivers/usb/class/usbtmc.c
local was freed in __dma_async_device_channel_register(). My
patch sets chan->local to NULL when the callee fails to avoid a double free.
Fixes: d2fb0a0438384 ("dmaengine: break out channel registration")
Signed-off-by: Lv Yunlong
---
drivers/dma/dmaengine.c | 4 +++-
1 file changed, 3 insertions(+), 1 deleti
In rds_message_map_pages, the rm is freed by rds_message_put(rm).
But rm is still used by rm->data.op_sg in the return value.
My patch replaces ERR_CAST(rm->data.op_sg) with ERR_PTR(-ENOMEM) to avoid
the UAF.
Fixes: 7dba92037baf3 ("net/rds: Use ERR_PTR for rds_message_alloc_sgs()")
S
local was freed in __dma_async_device_channel_register(). My
patch sets chan->local to NULL when the callee fails to avoid a double free.
Fixes: d2fb0a0438384 ("dmaengine: break out channel registration")
Signed-off-by: Lv Yunlong
---
drivers/dma/dmaengine.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/driver
uot;)
Signed-off-by: Lv Yunlong
---
net/rds/message.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/rds/message.c b/net/rds/message.c
index 071a261fdaab..799034e0f513 100644
--- a/net/rds/message.c
+++ b/net/rds/message.c
@@ -347,8 +347,9 @@ struct rds_message *rds_m
han->local to NULL after it is freed in
__dma_async_device_channel_register().
Signed-off-by: Lv Yunlong
---
drivers/dma/dmaengine.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/dma/dmaengine.c b/drivers/dma/dmaengine.c
index fe6a460c4373..af3ee288bc11 100644
--- a/drivers/dma/d
ing
entry->child twice.
Signed-off-by: Lv Yunlong
---
drivers/firmware/dmi-sysfs.c | 7 ---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c
index 8b8127fa8955..fd498f2037a8 100644
--- a/drivers/firmware/dmi-sysfs.c
+++
ib_device statement. My patch
exchanges the callees' order to free the device later.
Signed-off-by: Lv Yunlong
---
drivers/infiniband/ulp/isert/ib_isert.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/infiniband/ulp/isert/ib_isert.c
b/drivers/infiniband/
o add return after freeing priv_rx?
Fixes: b850bbff96512 ("net/mlx5e: kTLS, Use refcounts to free kTLS RX priv
context")
Signed-off-by: Lv Yunlong
---
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers
ib_device statement. This patch
frees the device in the correct order.
Signed-off-by: Lv Yunlong
---
drivers/infiniband/ulp/isert/ib_isert.c | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/drivers/infiniband/ulp/isert/ib_isert.c
b/drivers/infiniband/
is freed by dev_kfree_skb_any(skb) for
the second time.
My patch adds a new label inside the old err_dma_0 label to avoid the
double free and renames the error labels to keep the original function
unchanged.
Fixes: b8447abc4c8fb ("r8169: factor out rtl8169_tx_map")
Signed-off-by:
skb->len.
As the new skb->len is returned by prism2_rx_80211(), my patch uses a variable
len to replace skb->len, following the other usage of prism2_rx_80211 in
monitor_rx().
Signed-off-by: Lv Yunlong
---
drivers/net/wireless/intersil/hostap/hostap_80211_rx.c | 4 ++--
1 file c
(skb).
My patch removes the redundant dev_kfree_skb_any(skb) when
mwifiex_construct_tdls_action_frame() failed.
Fixes: b23bce2965680 ("mwifiex: add tdls_mgmt handler support")
Signed-off-by: Lv Yunlong
---
drivers/net/wireless/marvell/mwifiex/tdls.c | 1 -
1 file changed, 1 deletion(-)
andling code")
Signed-off-by: Lv Yunlong
---
drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c
b/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c
index 0e2db6ea79e9..2ec62c8d86e1 100644
--- a/drivers/net/e
0k: add htt TX bundle for sdio")
Signed-off-by: Lv Yunlong
---
drivers/net/wireless/ath/ath10k/htc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath10k/htc.c
b/drivers/net/wireless/ath/ath10k/htc.c
index 0a37be6a7d33..fab398046a3f 100644
--- a/d
;next, my patch replaces seg->next with next.
Fixes: 536577f36ff7a ("net: myri10ge: use skb_list_walk_safe helper for gso
segments")
Signed-off-by: Lv Yunlong
---
drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/driver
inate race condition at multicast reception")
Signed-off-by: Lv Yunlong
---
net/tipc/socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index cebcc104dc70..022999e0202d 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -1265
() failed.
Fixes: f5083d0cee08a ("drivers/net/wan/hdlc_fr: Improvements to the code of
pvc_xmit")
Signed-off-by: Lv Yunlong
---
drivers/net/wan/hdlc_fr.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c
index 07
moving skb = tmp_skb in front of if(!tmp_err) goto err
is a good solution, because freeing a NULL skb is safe.
Fixes: 01a4cc4d0cd6a ("bnx2fc: do not add shared skbs to the fcoe_rx_list")
Signed-off-by: Lv Yunlong
---
drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 4 ++--
1 file changed, 2 insert
freed in skb_unshare() on error, my patch removes the
rxrpc_eaten_skb() to avoid the uaf.
Fixes: d0d5c0cd1e711 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Signed-off-by: Lv Yunlong
---
net/rxrpc/input.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a
patch lets skb_len = skb->len and returns skb_len to avoid the UAF.
Fixes: a29728463b254 ("drbd: Backport the "events2" command")
Signed-off-by: Lv Yunlong
---
drivers/block/drbd/drbd_nl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/b
patch converts the type of notify_initial_state_done() from void to
int. So when an error occurs in notify_initial_state_done(), it can
return an error code. My patch also uses err to propagate the error and avoid
using the freed skb.
Fixes: a29728463b254 ("drbd: Backport the "events2" comman
the first freed to avoid the
double free.
Fixes: a672a9dc872ec ("crypto: qat - Intel(R) QAT transport code")
Signed-off-by: Lv Yunlong
---
drivers/crypto/qat/qat_common/adf_transport.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/crypto/qat/qat_common/adf_transport.c
b
it is freed in
bcm4908_dma_alloc_buf_descs() to avoid the double free.
Fixes: 4feffeadbcb2e ("net: broadcom: bcm4908enet: add BCM4908 controller
driver")
Signed-off-by: Lv Yunlong
---
drivers/net/ethernet/broadcom/bcm4908_enet.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/driv
i)->dma_free_coherent().
My patch sets txq->txd to NULL after the first free to avoid the
double free.
Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver")
Signed-off-by: Lv Yunlong
---
drivers/net/wireless/marvell/mwl8k.c | 1 +
1 file changed, 1 insertion(+)
diff --git a
coherent().
My patch sets txq->tfds to NULL after the first free to avoid the
double free.
Fixes: 0cd1ad2d7fd41 ("iwlwifi: move all bus-independent TX functions to common
code")
Signed-off-by: Lv Yunlong
---
drivers/net/wireless/intel/iwlwifi/queue/tx.c | 1 +
1 file changed, 1 inse
nand_init() error path")
Signed-off-by: Lv Yunlong
---
drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
b/drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
index 3fa8c22d3f36..4d08e4ab5c1b 100644
ce req->ip_params.ip_record.status
to avoid the uaf.
Signed-off-by: Lv Yunlong
---
drivers/scsi/be2iscsi/be_mgmt.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/be2iscsi/be_mgmt.c b/drivers/scsi/be2iscsi/be_mgmt.c
index 0d4928567265..b93b1a8c6c81 100644
--- a/drivers/scsi
In gb_operation_response_send, we get an extra reference
before gb_message_send() with this comment "/* Reference will
be dropped when message has been sent. */". Therefore, we
should drop the acquired reference not only in the error branch,
but also in the complete branch.
Signed-off-by:
n the last deref")
Signed-off-by: Lv Yunlong
---
drivers/infiniband/core/iwcm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/infiniband/core/iwcm.c b/drivers/infiniband/core/iwcm.c
index da8adadf4755..cb6b4ac45e21 100644
--- a/drivers/infiniband/core/iwcm.c
+++
In the case of I40IW_CM_EVENT_ABORTED, i40iw_event_connect_error()
could be called to free event->cm_node. However, event->cm_node
will be used afterwards and cause a use after free. It needs to add a flag
to inform that event->cm_node has been freed.
Signed-off-by: Lv Yunlong
---
In qlcnic_83xx_get_minidump_template, fw_dump->tmpl_hdr was freed by
vfree(). But unfortunately, it is used when extended is true.
Fixes: 7061b2bdd620e ("qlogic: Deletion of unnecessary checks before two
function calls")
Signed-off-by: Lv Yunlong
---
drivers/net/ethernet/
In nvmet_rdma_write_data_done, rsp is recovered from wc->wr_cqe
and freed by nvmet_rdma_release_rsp(). But after that, pr_info()
uses the freed chunk's member object and could leak the freed
chunk's address with wc->wr_cqe by computing the offset.
Signed-off-by: Lv Yunlong
---
drivers/
evice support in slave alloc,
target alloc a…")
Signed-off-by: Lv Yunlong
---
drivers/scsi/mpt3sas/mpt3sas_scsih.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index ffca03064797..d39b5a1f4
In myrs_cleanup, cs->mmio_base will be freed twice by
iounmap().
Fixes: 77266186397c6 ("scsi: myrs: Add Mylex RAID controller (SCSI interface)")
Signed-off-by: Lv Yunlong
---
drivers/scsi/myrs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/myr
In st_open, if STp->in_use is true, STp will be freed by
scsi_tape_put(). However, STp is still used by DEBC_printk()
after. It is better to DEBC_printk() before scsi_tape_put().
Signed-off-by: Lv Yunlong
---
drivers/scsi/st.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --gi
In register_test_dev_kmod, it calls free_test_dev_kmod() to free
test_dev. But free_test_dev_kmod() can't set the original pointer
test_dev to NULL, because test_dev was passed by value,
not by reference.
Signed-off-by: Lv Yunlong
---
lib/test_kmod.c | 2 +-
1 file changed, 1
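The double-free shapes described in the dmaengine, mwl8k/iwlwifi and test_kmod messages above share one root: a pointer is freed in one place and later freed again because nothing cleared it. The program below is an added example written for this page, not code from any of the patches or drivers named here; chan, talloc, tfree, register_chan, probe_chan and teardown are invented stand-ins, and talloc/tfree form a small tracking allocator that counts a second free of the same chunk instead of corrupting the heap.

```c
/* Added example, not code from any patch listed here: the double-free
 * shapes described for dmaengine (callee frees chan->local on failure and
 * the caller frees it again), mwl8k/iwlwifi (clear the pointer after the
 * first free) and test_kmod (a free helper taking the pointer by value
 * cannot clear the caller's copy). talloc/tfree are an invented tracking
 * allocator that reports a second free of the same chunk. */
#include <stdio.h>
#include <stdlib.h>

#define MAX_TRACK 8
static void *g_ptr[MAX_TRACK];
static int   g_frees[MAX_TRACK];
static int   g_n, g_double_frees;

static void *talloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p || g_n == MAX_TRACK)
        abort();
    g_ptr[g_n] = p;
    g_frees[g_n] = 0;
    g_n++;
    return p;               /* never handed back to libc, so addresses stay unique */
}

static void tfree(void *p)
{
    if (!p)                 /* like kfree(NULL): a no-op */
        return;
    for (int i = 0; i < g_n; i++) {
        if (g_ptr[i] == p && g_frees[i]++ > 0)
            g_double_frees++;   /* second free of the same chunk */
    }
}

static void reset(void) { g_n = 0; g_double_frees = 0; }

struct chan { void *local; };

/* Callee that fails after allocating chan->local. With clear_on_fail == 0
 * it frees and leaves the dangling pointer behind (the bug); with 1 it
 * clears the pointer after freeing (the fix). */
static int register_chan(struct chan *c, int clear_on_fail)
{
    c->local = talloc(64);
    /* ... a later step is assumed to fail here ... */
    tfree(c->local);
    if (clear_on_fail)
        c->local = NULL;
    return -1;
}

/* Caller: a generic unwind path releases chan->local on any error. */
static int probe_chan(int clear_on_fail)
{
    struct chan c = { NULL };
    reset();
    if (register_chan(&c, clear_on_fail) < 0)
        tfree(c.local);
    return g_double_frees;
}

/* By value: the callee can only clear its own copy of the pointer. */
static void free_dev_by_value(void *dev)
{
    tfree(dev);
    dev = NULL;
    (void)dev;
}

/* By reference: the caller's variable is cleared too. */
static void free_dev_by_ref(void **dev)
{
    tfree(*dev);
    *dev = NULL;
}

static int teardown(int by_ref)
{
    void *dev;
    reset();
    dev = talloc(32);
    if (by_ref)
        free_dev_by_ref(&dev);
    else
        free_dev_by_value(dev);
    tfree(dev);             /* later cleanup still runs; NULL makes it harmless */
    return g_double_frees;
}

int main(void)
{
    printf("dangling chan->local: %d double free(s)\n", probe_chan(0));
    printf("cleared chan->local:  %d double free(s)\n", probe_chan(1));
    printf("free by value:        %d double free(s)\n", teardown(0));
    printf("free by reference:    %d double free(s)\n", teardown(1));
    return 0;
}
```

The two buggy paths each report one double free and the two fixed paths report none. In the kernel the equivalent detector is KASAN or slab debugging; the fix pattern is the same as in the patches above: whoever frees a pointer the caller can still see must also clear it, and a helper that frees must take the pointer by reference if it is expected to clear it.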
In rds_message_map_pages, rds_message_put() will free rm.
Maybe storing the value of rm->data.op_sg ahead of rds_message_put()
is better. Otherwise other threads could allocate the freed chunk
and may change the value of rm->data.op_sg.
Signed-off-by: Lv Yunlong
---
net/rds/message.c | 3
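The mport_mm_close message (unlocking through map->md after kref_put) and the two rds_message_map_pages messages (returning rm->data.op_sg after rds_message_put) describe the same ordering bug: the last reference is dropped, then a field of the object is read. The program below is an added example written for this page, not code from those patches or the drivers they touch; toy_mutex, toy_md, toy_map, map_put, deref and the close_*/map_pages_* functions are invented stand-ins for kref, mutex and kfree so the ordering can be exercised in user space, and the release hook only marks the object freed so that the buggy paths can be run and counted.

```c
/* Added example, not code from any patch listed here: the "object is put,
 * then still dereferenced" shape described for mport_mm_close and
 * rds_message_map_pages. toy_* names are invented stand-ins for kref,
 * mutex and kfree. */
#include <stdio.h>

struct toy_mutex { int locked; };
static void toy_lock(struct toy_mutex *m)   { m->locked++; }
static void toy_unlock(struct toy_mutex *m) { m->locked--; }

struct toy_md { struct toy_mutex buf_mutex; };   /* plays map->md */

struct toy_map {                 /* plays both map and rm */
    int refcount;
    int freed;                   /* set by the release hook, like slab poison */
    struct toy_md *md;
    void *sg;                    /* plays rm->data.op_sg */
};

static int g_uaf_hits;           /* every dereference of a freed object */

/* Release hook: a real one would kfree(map); here the chunk is only
 * marked so the buggy paths stay safe to run and still get detected. */
static void map_release(struct toy_map *map) { map->freed = 1; }

static void map_put(struct toy_map *map)
{
    if (--map->refcount == 0)
        map_release(map);
}

/* KASAN-like check wrapped around each dereference of interest. */
static struct toy_map *deref(struct toy_map *map)
{
    if (map->freed)
        g_uaf_hits++;
    return map;
}

/* Buggy shape: the unlock reads map->md after the last reference dropped. */
static void close_buggy(struct toy_map *map)
{
    toy_lock(&map->md->buf_mutex);
    map_put(map);
    toy_unlock(&deref(map)->md->buf_mutex);
}

/* Fixed shape: cache the mutex pointer while map is still alive. */
static void close_fixed(struct toy_map *map)
{
    struct toy_mutex *buf_mutex = &map->md->buf_mutex;
    toy_lock(buf_mutex);
    map_put(map);
    toy_unlock(buf_mutex);
}

/* Same bug in return-value form: the field is read after the put. */
static void *map_pages_buggy(struct toy_map *rm)
{
    map_put(rm);
    return deref(rm)->sg;
}

/* Fixed: read the field first (or return a value that needs no rm at all). */
static void *map_pages_fixed(struct toy_map *rm)
{
    void *sg = rm->sg;
    map_put(rm);
    return sg;
}

/* Drivers: return the number of freed-object dereferences a path made,
 * plus the final lock count, which must be back at zero. */
static int run_close(void (*fn)(struct toy_map *))
{
    struct toy_md md = { { 0 } };
    struct toy_map map = { 1, 0, &md, NULL };
    g_uaf_hits = 0;
    fn(&map);
    return g_uaf_hits + md.buf_mutex.locked;
}

static int run_map_pages(void *(*fn)(struct toy_map *))
{
    struct toy_md md = { { 0 } };
    int payload;
    struct toy_map rm = { 1, 0, &md, &payload };
    void *sg;
    g_uaf_hits = 0;
    sg = fn(&rm);
    return g_uaf_hits + (sg == &payload ? 0 : 100);
}

int main(void)
{
    printf("close_buggy:     %d\n", run_close(close_buggy));
    printf("close_fixed:     %d\n", run_close(close_fixed));
    printf("map_pages_buggy: %d\n", run_map_pages(map_pages_buggy));
    printf("map_pages_fixed: %d\n", run_map_pages(map_pages_fixed));
    return 0;
}
```

Each buggy path records exactly one dereference of the released object and each fixed path records none. The fix is always the same local transformation the patches apply: copy whatever will be needed after the put into a local while the object is still alive, then put, then use only the local.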
|| !data->iin_urb)
return;
usb_kill_urb(data->iin_urb);
kfree(data->iin_buffer);
data->iin_buffer = NULL;
usb_free_urb(data->iin_urb);
data->iin_urb = NULL;
kref_put(&data->kref, usbtmc_delete);
}
"""
e
will free entry->child twice!
Fixes: 925a1da7477fc ("firmware: Break out system_event_log in dmi-sysfs")
Signed-off-by: Lv Yunlong
---
drivers/firmware/dmi-sysfs.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c
In the for loop in efi_mem_reserve_persistent(), prsv = rsv->next
uses the unmapped rsv. Using the unmapped pages will cause a segmentation
fault.
Fixes: 18df7577adae6 ("efi/memreserve: deal with memreserve entries in unmapped
memory")
Signed-off-by: Lv Yunlong
---
drivers/firmware/efi/efi
In gb_operation_response_send, we get an extra reference
before gb_message_send() with this comment "/* Reference will
be dropped when message has been sent. */". Therefore, we
should drop the acquired reference not only in the error branch,
but also in the complete branch.
Signed-off-by:
The following commit has been merged into the efi/urgent branch of tip:
Commit-ID: 9ceee7d0841a8f7d7644021ba7d4cc1fbc7966e3
Gitweb:
https://git.kernel.org/tip/9ceee7d0841a8f7d7644021ba7d4cc1fbc7966e3
Author: Lv Yunlong
AuthorDate: Wed, 10 Mar 2021 00:31:27 -08:00
Committer