Re: memory leak in xskq_create

2020-12-16 Thread Peilin Ye
Hi Björn, On Thu, Dec 17, 2020 at 08:12:26AM +0100, Björn Töpel wrote: > On 2020-12-16 19:11, Peilin Ye wrote: > > I have tested the following diff locally against syzbot's reproducer, > > and sent a patch to it [1] for testing. I will send a real patch here > > tomorro

Re: memory leak in xskq_create

2020-12-16 Thread Peilin Ye
`pool->{f,c}q`, causing a memory leak. Move `xskq_destroy(pool->{f,c}q)` from xp_release_deferred() to xp_destroy(). Also, since xskq_destroy() already does a null check, I think it's unnecessary to do it again here? Thanks, Peilin Ye [1] https://syzkaller.appspot.com/bug?id=fea808dfe3c6dfdd6ba9778becbffe0b14e91294

Re: [Linux-kernel-mentees] [PATCH net v2] Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()

2020-11-10 Thread Peilin Ye
> > Cc: sta...@vger.kernel.org > > Fixes: 2f010b55884e ("Bluetooth: Add support for handling LE Direct > > Advertising Report events") > > Reported-and-tested-by: > > syzbot+24ebd650e20bd263c...@syzkaller.appspotmail.com > > Link: https://syzka

[Linux-kernel-mentees] [PATCH net v2] tipc: Fix memory leak in tipc_group_create_member()

2020-09-13 Thread Peilin Ye
oduce communication groups") Reported-and-tested-by: syzbot+f95d90c454864b3b5...@syzkaller.appspotmail.com Cc: Hillf Danton Link: https://syzkaller.appspot.com/bug?id=048390604fe1b60df34150265479202f10e13aff Signed-off-by: Peilin Ye --- Change in v2: - let tipc_group_add_to_tree() ret

Re: [Linux-kernel-mentees] [PATCH net] tipc: Fix memory leak in tipc_group_create_member()

2020-09-13 Thread Peilin Ye
On Sat, Sep 12, 2020 at 06:23:36PM -0700, David Miller wrote: > From: Peilin Ye > Date: Sat, 12 Sep 2020 06:22:30 -0400 > > > @@ -291,10 +291,11 @@ static void tipc_group_add_to_tree(struct tipc_group > > *grp, > > else if (key > nkey) > >

[Linux-kernel-mentees] [PATCH net] tipc: Fix memory leak in tipc_group_create_member()

2020-09-12 Thread Peilin Ye
oduce communication groups") Reported-and-tested-by: syzbot+f95d90c454864b3b5...@syzkaller.appspotmail.com Cc: Hillf Danton Link: https://syzkaller.appspot.com/bug?id=048390604fe1b60df34150265479202f10e13aff Signed-off-by: Peilin Ye --- Decoded syzbot reproducer in pseudo-C: fd

[Linux-kernel-mentees] [PATCH net v2] Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()

2020-09-09 Thread Peilin Ye
vents") Reported-and-tested-by: syzbot+24ebd650e20bd263c...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01 Signed-off-by: Peilin Ye --- Change in v2: - add "Cc: stable@" tag. net/bluetooth/hci_event.c | 12 +--- 1 file changed

[Linux-kernel-mentees] [PATCH net-next v2] ipvs: Fix uninit-value in do_ip_vs_set_ctl()

2020-08-11 Thread Peilin Ye
do_ip_vs_set_ctl() is referencing an uninitialized stack value when `len` is zero. Fix it. Reported-by: syzbot+23b5f9e7caf61d9a3...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 Suggested-by: Julian Anastasov Signed-off-by: Peilin Ye

Re: [Linux-kernel-mentees] [PATCH net] ipvs: Fix uninit-value in do_ip_vs_set_ctl()

2020-08-11 Thread Peilin Ye
On Tue, Aug 11, 2020 at 09:58:46AM +0300, Julian Anastasov wrote: > > Hello, > > On Tue, 11 Aug 2020, Peilin Ye wrote: > > > On Mon, Aug 10, 2020 at 08:57:19PM -0700, Cong Wang wrote: > > > On Mon, Aug 10, 2020 at 3:10 PM Peilin Ye wrote: > > > >

Re: [Linux-kernel-mentees] [PATCH net] ipvs: Fix uninit-value in do_ip_vs_set_ctl()

2020-08-10 Thread Peilin Ye
On Mon, Aug 10, 2020 at 08:57:19PM -0700, Cong Wang wrote: > On Mon, Aug 10, 2020 at 3:10 PM Peilin Ye wrote: > > > > do_ip_vs_set_ctl() is referencing an uninitialized stack value when `len` is > > zero. Fix it. > > Which exact 'cmd' is it here? > > I

[Linux-kernel-mentees] [PATCH net] ipvs: Fix uninit-value in do_ip_vs_set_ctl()

2020-08-10 Thread Peilin Ye
do_ip_vs_set_ctl() is referencing an uninitialized stack value when `len` is zero. Fix it. Reported-and-tested-by: syzbot+23b5f9e7caf61d9a3...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 Signed-off-by: Peilin Ye --- net/netfilter

[Linux-kernel-mentees] [PATCH net] Bluetooth: Fix NULL pointer dereference in amp_read_loc_assoc_final_data()

2020-08-07 Thread Peilin Ye
Prevent amp_read_loc_assoc_final_data() from dereferencing `mgr` as NULL. Reported-and-tested-by: syzbot+f4fb0eaafdb51c32a...@syzkaller.appspotmail.com Fixes: 9495b2ee757f ("Bluetooth: AMP: Process Chan Selected event") Signed-off-by: Peilin Ye --- net/bluetooth/amp.c | 3 +++ 1 file

[Linux-kernel-mentees] [PATCH net] Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt()

2020-08-05 Thread Peilin Ye
t for handling LE Direct Advertising Report events") Link: https://syzkaller.appspot.com/bug?extid=24ebd650e20bd263ca01 Signed-off-by: Peilin Ye --- I moved the initialization of `ev` out of the loop and restructured the function a bit, since otherwise the check would look like: if (!n

Re: [Linux-kernel-mentees] [PATCH net] openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()

2020-08-03 Thread Peilin Ye
On Mon, Aug 03, 2020 at 03:10:38PM -0700, David Miller wrote: > From: Peilin Ye > Date: Fri, 31 Jul 2020 00:48:38 -0400 > > > ovs_ct_put_key() is potentially copying uninitialized kernel stack memory > > into socket buffers, since the compiler may leave a 3-byte hole at t

[Linux-kernel-mentees] [PATCH net] net/smc: Prevent kernel-infoleak in __smc_diag_dump()

2020-08-01 Thread Peilin Ye
: add SMC-D diag support") Suggested-by: Dan Carpenter Signed-off-by: Peilin Ye --- Reference: https://lwn.net/Articles/417989/ $ pahole -C "smcd_diag_dmbinfo" net/smc/smc_diag.o struct smcd_diag_dmbinfo { __u32 linkid; /* 0 4

[Linux-kernel-mentees] [PATCH net] openvswitch: Prevent kernel-infoleak in ovs_ct_put_key()

2020-07-30 Thread Peilin Ye
: 9dd7f8907c37 ("openvswitch: Add original direction conntrack tuple to sw_flow_key.") Suggested-by: Dan Carpenter Signed-off-by: Peilin Ye --- Reference: https://lwn.net/Articles/417989/ $ pahole -C "ovs_key_ct_tuple_ipv4" net/openvswitch/conntrack.o struct ovs_key_ct_tuple_i

[Linux-kernel-mentees] [PATCH net] rds: Prevent kernel-infoleak in rds_notify_queue_get()

2020-07-30 Thread Peilin Ye
by using memset() instead. Cc: sta...@vger.kernel.org Fixes: f037590fff30 ("rds: fix a leak of kernel memory") Fixes: bdbe6fbc6a2f ("RDS: recv.c") Suggested-by: Dan Carpenter Signed-off-by: Peilin Ye --- Note: the "real" copy_to_user() happens in put_cmsg(), where `

Re: [Linux-kernel-mentees] [PATCH net v2] xdp: Prevent kernel-infoleak in xsk_getsockopt()

2020-07-28 Thread Peilin Ye
On Tue, Jul 28, 2020 at 12:53:59PM +0200, Daniel Borkmann wrote: > On 7/28/20 7:36 AM, Peilin Ye wrote: > > xsk_getsockopt() is copying uninitialized stack memory to userspace when > > `extra_stats` is `false`. Fix it. > > > > Fixes: 8aa5a33578e9 ("xsk: Add new st

[Linux-kernel-mentees] [PATCH net v2] xdp: Prevent kernel-infoleak in xsk_getsockopt()

2020-07-27 Thread Peilin Ye
xsk_getsockopt() is copying uninitialized stack memory to userspace when `extra_stats` is `false`. Fix it. Fixes: 8aa5a33578e9 ("xsk: Add new statistics") Suggested-by: Dan Carpenter Signed-off-by: Peilin Ye --- Doing `= {};` is sufficient since currently `struct xdp_statistics` is

Re: [Linux-kernel-mentees] [PATCH net] xdp: Prevent kernel-infoleak in xsk_getsockopt()

2020-07-27 Thread Peilin Ye
On Mon, Jul 27, 2020 at 10:07:20PM -0700, Song Liu wrote: > On Mon, Jul 27, 2020 at 7:30 PM Peilin Ye wrote: > > > > xsk_getsockopt() is copying uninitialized stack memory to userspace when > > `extra_stats` is `false`. Fix it by initializing `stats` with mems

[Linux-kernel-mentees] [PATCH net] xdp: Prevent kernel-infoleak in xsk_getsockopt()

2020-07-27 Thread Peilin Ye
xsk_getsockopt() is copying uninitialized stack memory to userspace when `extra_stats` is `false`. Fix it by initializing `stats` with memset(). Cc: sta...@vger.kernel.org Fixes: 8aa5a33578e9 ("xsk: Add new statistics") Suggested-by: Dan Carpenter Signed-off-by: Peilin Ye --- net/xdp

Re: [Linux-kernel-mentees] [PATCH net] AX.25: Fix out-of-bounds read in ax25_connect()

2020-07-23 Thread Peilin Ye
On Thu, Jul 23, 2020 at 06:50:58PM +0300, Dan Carpenter wrote: > On Thu, Jul 23, 2020 at 11:13:55AM -0400, Peilin Ye wrote: > > On Thu, Jul 23, 2020 at 05:28:15PM +0300, Dan Carpenter wrote: > > > On Wed, Jul 22, 2020 at 11:19:01AM -0400, Peilin Ye wrote: > > > >

Re: [Linux-kernel-mentees] [PATCH net] AX.25: Fix out-of-bounds read in ax25_connect()

2020-07-23 Thread Peilin Ye
On Wed, Jul 22, 2020 at 05:57:14PM -0700, David Miller wrote: > From: Peilin Ye > Date: Wed, 22 Jul 2020 11:19:01 -0400 > > > Checks on `addr_len` and `fsa->fsa_ax25.sax25_ndigis` are insufficient. > > ax25_connect() can go out of bounds when `fsa->fsa_ax25.sax25_n

Re: [Linux-kernel-mentees] [PATCH net] AX.25: Fix out-of-bounds read in ax25_connect()

2020-07-23 Thread Peilin Ye
On Thu, Jul 23, 2020 at 05:28:15PM +0300, Dan Carpenter wrote: > On Wed, Jul 22, 2020 at 11:19:01AM -0400, Peilin Ye wrote: > > Checks on `addr_len` and `fsa->fsa_ax25.sax25_ndigis` are insufficient. > > ax25_connect() can go out of bounds when `fsa->fsa_ax25.sax25_ndigis`

[Linux-kernel-mentees] [PATCH net] AX.25: Prevent out-of-bounds read in ax25_sendmsg()

2020-07-22 Thread Peilin Ye
izeof(struct full_sockaddr_ax25)` Signed-off-by: Peilin Ye --- net/ax25/af_ax25.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index ef5bf116157a..0862fe49d434 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1509,7 +1509,8 @

[Linux-kernel-mentees] [PATCH net] AX.25: Fix out-of-bounds read in ax25_connect()

2020-07-22 Thread Peilin Ye
2228ed975b0a...@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=55ef9d629f3b3d7d70b69558015b63b48d01af66 Signed-off-by: Peilin Ye --- net/ax25/af_ax25.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index fd91cd34f25e..ef5bf11

[Linux-kernel-mentees] [PATCH v3] bpf: Fix NULL pointer dereference in __btf_resolve_helper_id()

2020-07-14 Thread Peilin Ye
Prevent __btf_resolve_helper_id() from dereferencing `btf_vmlinux` as NULL. This patch fixes the following syzbot bug: https://syzkaller.appspot.com/bug?id=f823224ada908fa5c207902a5a62065e53ca0fcc Reported-by: syzbot+ee09bda7017345f1f...@syzkaller.appspotmail.com Signed-off-by: Peilin Ye

[Linux-kernel-mentees] [PATCH v2] bpf: Fix NULL pointer dereference in __btf_resolve_helper_id()

2020-07-13 Thread Peilin Ye
Prevent __btf_resolve_helper_id() from dereferencing `btf_vmlinux` as NULL. This patch fixes the following syzbot bug: https://syzkaller.appspot.com/bug?id=5edd146856fd513747c1992442732e5a0e9ba355 Reported-by: syzbot+ee09bda7017345f1f...@syzkaller.appspotmail.com Signed-off-by: Peilin Ye

[Linux-kernel-mentees] [PATCH] bpf: Fix NULL pointer dereference in __btf_resolve_helper_id()

2020-07-13 Thread Peilin Ye
Prevent __btf_resolve_helper_id() from dereferencing `btf_vmlinux` as NULL. This patch fixes the following syzbot bug: https://syzkaller.appspot.com/bug?id=5edd146856fd513747c1992442732e5a0e9ba355 Reported-by: syzbot+ee09bda7017345f1f...@syzkaller.appspotmail.com Signed-off-by: Peilin Ye

[Linux-kernel-mentees] [PATCH net] qrtr: Fix ZERO_SIZE_PTR deref in qrtr_tun_write_iter()

2020-07-12 Thread Peilin Ye
bot+03e343dbccf82a524...@syzkaller.appspotmail.com Signed-off-by: Peilin Ye --- net/qrtr/tun.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/qrtr/tun.c b/net/qrtr/tun.c index 15ce9b642b25..5465e94ba8e5 100644 --- a/net/qrtr/tun.c +++ b/net/qrtr/tun.c @@ -80,6 +80,9 @@ static ssiz

[Linux-kernel-mentees] [PATCH 2/2] net/bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()

2020-07-10 Thread Peilin Ye
Check `num_rsp` before using it as for-loop counter. Add `unlock` label. Cc: sta...@vger.kernel.org Signed-off-by: Peilin Ye --- net/bluetooth/hci_event.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 8b3736c83b8e

[Linux-kernel-mentees] [PATCH 1/2] net/bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()

2020-07-10 Thread Peilin Ye
Check `num_rsp` before using it as for-loop counter. Cc: sta...@vger.kernel.org Signed-off-by: Peilin Ye --- net/bluetooth/hci_event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 03a0759f2fc2..8b3736c83b8e

[Linux-kernel-mentees] [PATCH v3] net/bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

2020-07-10 Thread Peilin Ye
-by: syzbot+d8489a79b781849b9...@syzkaller.appspotmail.com Cc: sta...@vger.kernel.org Signed-off-by: Peilin Ye --- Change in v3: - Minimum `skb->len` requirement was 1 byte inaccurate since `info` starts from `skb->data + 1`. Fix it. Changes in v2: - Use `skb->len` instea

[Linux-kernel-mentees] [PATCH v2] net/bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

2020-07-09 Thread Peilin Ye
-by: syzbot+d8489a79b781849b9...@syzkaller.appspotmail.com Signed-off-by: Peilin Ye --- Changes in v2: - Use `skb->len` instead of `skb->truesize` as the length limit. - Leave `num_rsp` as of type `int`. net/bluetooth/hci_event.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)

[Linux-kernel-mentees] [PATCH] net/bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()

2020-07-08 Thread Peilin Ye
=4bf11aa05c4ca51ce0df86e500fce486552dc8d2 Reported-by: syzbot+d8489a79b781849b9...@syzkaller.appspotmail.com Signed-off-by: Peilin Ye --- net/bluetooth/hci_event.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c index 03a0759f2fc2