[PATCH] wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma

coherent(). My patch sets txq->tfds to NULL after the first free to avoid the double free. Fixes: 0cd1ad2d7fd41 ("iwlwifi: move all bus-independent TX functions to common code") Signed-off-by: Lv Yunlong --- drivers/net/wireless/intel/iwlwifi/queue/tx.c | 1 + 1 file changed, 1 inse

[PATCH] wireless: marvell: mwl8k: Fix a double Free in mwl8k_probe_hw

i)->dma_free_coherent(). My patch set txq->txd to NULL after the first free to avoid the double free. Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver") Signed-off-by: Lv Yunlong --- drivers/net/wireless/marvell/mwl8k.c | 1 + 1 file changed, 1 insertion(+) diff --git a

[PATCH] net: broadcom: bcm4908enet: Fix a double free in bcm4908_enet_dma_alloc

it is freed in bcm4908_dma_alloc_buf_descs() to avoid the double free. Fixes: 4feffeadbcb2e ("net: broadcom: bcm4908enet: add BCM4908 controller driver") Signed-off-by: Lv Yunlong --- drivers/net/ethernet/broadcom/bcm4908_enet.c | 1 + 1 file changed, 1 insertion(+) diff --git a/driv

[PATCH] net/rxrpc: Fix a use after free in rxrpc_input_packet

freed in skb_unshare() on error, my patch removes the rxrpc_eaten_skb() to avoid the uaf. Fixes: d0d5c0cd1e711 ("rxrpc: Use skb_unshare() rather than skb_cow_data()") Signed-off-by: Lv Yunlong --- net/rxrpc/input.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a

[PATCH v2] net/rds: Fix a use after free in rds_message_map_pages

uot;) Signed-off-by: Lv Yunlong --- net/rds/message.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/rds/message.c b/net/rds/message.c index 071a261fdaab..799034e0f513 100644 --- a/net/rds/message.c +++ b/net/rds/message.c @@ -347,8 +347,9 @@ struct rds_message *rds_m

[PATCH] net/rds: Fix a use after free in rds_message_map_pages

In rds_message_map_pages, the rm is freed by rds_message_put(rm). But rm is still used by rm->data.op_sg in return value. My patch replaces ERR_CAST(rm->data.op_sg) to ERR_PTR(-ENOMEM) to avoid the uaf. Fixes: 7dba92037baf3 ("net/rds: Use ERR_PTR for rds_message_alloc_sgs()") S

[PATCH] ethernet: myri10ge: Fix a use after free in myri10ge_sw_tso

;next, my patch replaces seg->next to next. Fixes: 536577f36ff7a ("net: myri10ge: use skb_list_walk_safe helper for gso segments") Signed-off-by: Lv Yunlong --- drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/driver

[PATCH] wireless: ath10k: Fix a use after free in ath10k_htc_send_bundle

0k: add htt TX bundle for sdio") Signed-off-by: Lv Yunlong --- drivers/net/wireless/ath/ath10k/htc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c index 0a37be6a7d33..fab398046a3f 100644 --- a/d

[PATCH] ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx

andling code") Signed-off-by: Lv Yunlong --- drivers/net/ethernet/netronome/nfp/bpf/cmsg.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c b/drivers/net/ethernet/netronome/nfp/bpf/cmsg.c index 0e2db6ea79e9..2ec62c8d86e1 100644 --- a/drivers/net/e

[PATCH] wireless/marvell/mwifiex: Fix a double free in mwifiex_send_tdls_action_frame

(skb). My patch removes the redundant dev_kfree_skb_any(skb) when mwifiex_construct_tdls_action_frame() failed. Fixes: b23bce2965680 ("mwifiex: add tdls_mgmt handler support") Signed-off-by: Lv Yunlong --- drivers/net/wireless/marvell/mwifiex/tdls.c | 1 - 1 file changed, 1 deletion(-)

[PATCH] wireless: hostap: Fix a use after free in hostap_80211_rx

skb->len. As the new skb->len is returned by prism2_rx_80211(), my patch uses a variable len to repalce skb->len. According to another useage of prism2_rx_80211 in monitor_rx(). Signed-off-by: Lv Yunlong --- drivers/net/wireless/intersil/hostap/hostap_80211_rx.c | 4 ++-- 1 file c

[PATCH] ethernet/realtek/r8169: Fix a double free in rtl8169_start_xmit

is freed by dev_kfree_skb_any(skb) in the second time. My patch adds a new label inside the old err_dma_0 label to avoid the double free and renames the error labels to keep the origin function unchanged. Fixes: b8447abc4c8fb ("r8169: factor out rtl8169_tx_map") Signed-off-by:

[PATCH] drivers/net/wan/hdlc_fr: Fix a double free in pvc_xmit

() failed. Fixes: f5083d0cee08a ("drivers/net/wan/hdlc_fr: Improvements to the code of pvc_xmit") Signed-off-by: Lv Yunlong --- drivers/net/wan/hdlc_fr.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c index 07

[PATCH] net:tipc: Fix a double free in tipc_sk_mcast_rcv

inate race condition at multicast reception") Signed-off-by: Lv Yunlong --- net/tipc/socket.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/tipc/socket.c b/net/tipc/socket.c index cebcc104dc70..022999e0202d 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -1265

[PATCH] net/mlx5: Fix a potential use after free in mlx5e_ktls_del_rx

o add return after freeing priv_rx? Fixes: b850bbff96512 ("net/mlx5e: kTLS, Use refcounts to free kTLS RX priv context") Signed-off-by: Lv Yunlong --- drivers/net/ethernet/mellanox/mlx5/core/en_accel/ktls_rx.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers

[PATCH] net/rds: Fix a use after free in rds_message_map_pages

In rds_message_map_pages, rds_message_put() will free rm. Maybe store the value of rm->data.op_sg ahead of rds_message_put() is better. Otherwise other threads could allocate the freed chunk and may change the value of rm->data.op_sg. Signed-off-by: Lv Yunlong --- net/rds/message.c | 3

[PATCH] net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template

In qlcnic_83xx_get_minidump_template, fw_dump->tmpl_hdr was freed by vfree(). But unfortunately, it is used when extended is true. Fixes: 7061b2bdd620e ("qlogic: Deletion of unnecessary checks before two function calls") Signed-off-by: Lv Yunlong --- drivers/net/ethernet/