memory leak in ext4_multi_mount_protect

2021-04-13 Thread Pavel Skripkin
I look forward to hearing your perspective on this patch :) With regards, Pavel Skripkin

Re: [PATCH] net: mac802154: fix WARNING in ieee802154_del_device

2021-04-12 Thread Pavel Skripkin
Hi! On Mon, 2021-04-12 at 07:45 -0400, Alexander Aring wrote: > Hi, > > On Mon, 12 Apr 2021 at 06:58, Pavel Skripkin > wrote: > > > > syzbot reported WARNING in ieee802154_del_device. The problem > > was in uninitialized mutex. In case of NL802154_IFTYPE_MONITOR

[PATCH] net: mac802154: fix WARNING in ieee802154_del_device

2021-04-12 Thread Pavel Skripkin
syzbot reported WARNING in ieee802154_del_device. The problem was in uninitialized mutex. In case of NL802154_IFTYPE_MONITOR mutex won't be initialized, but ieee802154_del_device() accessing it. Reported-by: syzbot+bf8b5834b7ec22948...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin

Re: [PATCH] net: fix shift-out-of-bounds in nl802154_new_interface

2021-04-06 Thread Pavel Skripkin
On Tue, 2021-04-06 at 08:21 -0400, Alexander Aring wrote: > Hi, > > On Mon, 5 Apr 2021 at 15:58, Pavel Skripkin > wrote: > > > > syzbot reported shift-out-of-bounds in nl802154_new_interface. > > The problem was in signed representation of enum nl802154_iftype

[PATCH] net: fix shift-out-of-bounds in nl802154_new_interface

2021-04-05 Thread Pavel Skripkin
of this type will be represented as signed integer. type = nla_get_u32(info->attrs[NL802154_ATTR_IFTYPE]); u32 will be casted to signed, which can cause negative value type. Reported-by: syzbot+7bf7b22759195c9a2...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- net/ieee802154/nl802

Re: [PATCH v2] net: mac802154: Fix general protection fault

2021-04-04 Thread Pavel Skripkin
Hi! On Sun, 2021-04-04 at 20:43 -0400, Alexander Aring wrote: > Hi, > > On Thu, 4 Mar 2021 at 10:25, Pavel Skripkin > wrote: > > > > syzbot found general protection fault in crypto_destroy_tfm()[1]. > > It was caused by wrong clean up loop in llsec_key_alloc(

Re: [PATCH] net: netlink: fix error check in genl_family_rcv_msg_doit

2021-04-03 Thread Pavel Skripkin
Hi! On Sat, 2021-04-03 at 18:26 +0200, Johannes Berg wrote: > On Sat, 2021-04-03 at 15:13 +0000, Pavel Skripkin wrote: > > genl_family_rcv_msg_attrs_parse() can return NULL > > pointer: > > > > if (!ops->maxattr) > > return NULL; >

[PATCH] net: fix NULL ptr dereference in nl802154_del_llsec_key

2021-04-03 Thread Pavel Skripkin
328/0x580 net/netlink/genetlink.c:800 Reported-by: syzbot+ac5c11d2959a8b3c4...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- net/ieee802154/nl802154.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c in

[PATCH] net: netlink: fix error check in genl_family_rcv_msg_doit

2021-04-03 Thread Pavel Skripkin
genl_family_rcv_msg_attrs_parse() can return NULL pointer: if (!ops->maxattr) return NULL; But this condition doesn't cause an error in genl_family_rcv_msg_doit Signed-off-by: Pavel Skripkin --- net/netlink/genetlink.c | 2 ++ 1 file changed, 2 insertions(+) d

[PATCH] drivers: net: fix memory leak in peak_usb_create_dev

2021-04-01 Thread Pavel Skripkin
can_usb_core.c:851 [inline] [1] [<c09f9057>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:949 Reported-by: syzbot+91adee8d9ebb9193d...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- drivers/net/can/usb/peak_usb/pcan_usb_core.c | 6 +- 1 file

[PATCH] drivers: net: fix memory leak in atusb_probe

2021-03-31 Thread Pavel Skripkin
[] atusb_alloc_urbs drivers/net/ieee802154/atusb.c:362 [inline][2] [] atusb_probe+0x158/0x820 drivers/net/ieee802154/atusb.c:1038 [1] Reported-by: syzbot+28a246747e0a46512...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- drivers/net/ieee802154/atusb.c | 1 + 1 file changed, 1

Memory leak in ath9k_hif_usb_dealloc_tx_urbs()

2021-03-30 Thread Pavel Skripkin
t;urb). Can you explain please, I believe this will help me or somebody to fix this issue :) With regards, Pavel Skripkin

Re: [PATCH] wireless/nl80211.c: fix uninitialized variable

2021-03-30 Thread Pavel Skripkin
With regards, Pavel Skripkin

[PATCH] usb: dvb-usb: fix memory leak in dvb_usb_adapter_init

2021-03-28 Thread Pavel Skripkin
adapter_exit() relies on it: for (n = 0; n < d->num_adapters_initialized; n++) So, allocated objects won't be freed. Signed-off-by: Pavel Skripkin Reported-by: syzbot+3c2be7424cea3b932...@syzkaller.appspotmail.com --- drivers/media/usb/dvb-usb/dvb-usb-init.c | 20

Re: [PATCH] tty: fix memory leak in vc_deallocate

2021-03-28 Thread Pavel Skripkin
Hi! On Sun, 2021-03-28 at 10:45 +0200, Greg KH wrote: > On Sun, Mar 28, 2021 at 12:44:43AM +0300, Pavel Skripkin wrote: > > syzbot reported memory leak in tty/vt. > > The problem was in VT_DISALLOCATE ioctl cmd. > > After allocating unimap with PIO_UNIMAP it wasn't > &g

[PATCH] tty: fix memory leak in vc_deallocate

2021-03-27 Thread Pavel Skripkin
syzbot reported memory leak in tty/vt. The problem was in VT_DISALLOCATE ioctl cmd. After allocating unimap with PIO_UNIMAP it wasn't freed via VT_DISALLOCATE, but vc_cons[currcons].d was zeroed. Signed-off-by: Pavel Skripkin Reported-by: syzbot+bcc922b19ccc64240...@syzkaller.appspotmail.com

[PATCH v2] media: usb: fix memory leak in em28xx_dvb_init

2021-03-27 Thread Pavel Skripkin
[inline] [] em28xx_alloc_urbs+0x102/0x550 drivers/media/usb/em28xx/em28xx-core.c:930 [2] [] em28xx_dvb_init drivers/media/usb/em28xx/em28xx-dvb.c:1517 [inline] [1] Reported-by: syzbot+889397c820fa56adf...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- drivers/media/usb

Re: [PATCH] media: usb: fix memory leak in em28xx_dvb_init

2021-03-27 Thread Pavel Skripkin
Hi! On Sat, 2021-03-27 at 11:01 +0200, Andy Shevchenko wrote: > > > On Saturday, March 27, 2021, Pavel Skripkin > wrote: > > syzbot reported memory leak in em28xx_dvb_init()[1] > > The problem was in wrong error handling after > > em28xx_alloc_urbs()[2] > >

[PATCH] media: usb: fix memory leak in em28xx_dvb_init

2021-03-27 Thread Pavel Skripkin
/workqueue.c:2426 [] kthread+0x178/0x1b0 kernel/kthread.c:292 [] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Reported-by: syzbot+889397c820fa56adf...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- drivers/media/usb/em28xx/em28xx-dvb.c | 1 + 1 file changed, 1 insertion

Re: [PATCH v2] media: sq905.c: fix uninitialized variable

2021-03-26 Thread Pavel Skripkin
etval = ctx.status; ... if (actual_length) *actual_length = urb->actual_length; I believe that this info might be useful. I'm not sure about it, I didn't find any examples of this log and have no idea how to reproduce it, it's just my thoughts. Maybe one of the maintainers will correct me -- With regards, Pavel Skripkin

Re: [PATCH] drivers/media/usb/gspca/stv06xx: fix memory leak

2021-03-26 Thread Pavel Skripkin
Hi! Thanks for the review. On Tue, 2021-03-23 at 17:13 +0100, Mauro Carvalho Chehab wrote: > Em Sat, 27 Feb 2021 02:37:31 +0300 > Pavel Skripkin escreveu: > > > Syzbot reported memory leak in hdcs_probe_1x00()[1]. > > hdcs_probe_1x00() allocates memory for struct hdcs,

Re: [PATCH] media: sq905.c: fix uninitialized variable

2021-03-26 Thread Pavel Skripkin
Hi! On Fri, 2021-03-26 at 08:40 +0100, Dmitry Vyukov wrote: > On Fri, Mar 26, 2021 at 8:24 AM Pavel Skripkin > wrote: > > > > Hi! > > > > On Fri, 2021-03-26 at 08:14 +0100, 'Dmitry Vyukov' via syzkaller > > wrote: > > > On Fri, Mar 2

Re: [PATCH] media: sq905.c: fix uninitialized variable

2021-03-26 Thread Pavel Skripkin
, I already sent a patch for that, but it was marked as obsoleted. -- With regards, Pavel Skripkin

[PATCH] media: usb: fix uninit-value in sq905_read_data

2021-03-11 Thread Pavel Skripkin
syzbot reported uninit value in sq905_read_data(). The problem was in the error conditions in usb_bulk_msg() before act_len initialization. Reported-by: syzbot+a4e309017a5f3a24c...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- drivers/media/usb/gspca/sq905.c | 2 +- 1 file changed

[PATCH next 2/2] sound: usb: fix use after free in usb_audio_disconnect

2021-03-08 Thread Pavel Skripkin
The problem was in wrong "if" placement. chip->quirk_type is freed in snd_card_free_when_closed(), but inside if statement it's accessed. Fixes: 9799110825db ("ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend()" Signed-off-by: Pavel Skripkin

[PATCH next 1/2] sound: usb: fix NULL ptr dereference in usb_audio_probe

2021-03-08 Thread Pavel Skripkin
e USB autosuspend properly in setup_disable_autosuspend()") Signed-off-by: Pavel Skripkin --- sound/usb/card.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sound/usb/card.c b/sound/usb/card.c index 08c794883299..3fd1743513b5 100644 --- a/sound/usb/card.c +++ b/sound/

[PATCH next 0/2] fixes for sound: usb:

2021-03-08 Thread Pavel Skripkin
This small patch series fixes 2 errors from commit 9799110825db ("ALSA: usb-audio: Disable USB autosuspend properly in setup_disable_autosuspend()"). One of them was reported by syzbot, but second one appeared while testing fixes for the first one. Pavel Skripkin (2): sound: usb: fi

[PATCH v2] net: mac802154: Fix general protection fault

2021-03-04 Thread Pavel Skripkin
net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: Pavel Skripkin Reported-by: syzbot+9ec037722d2603a9f...@syzkaller.appspotmail.com

Re: [PATCH] net: mac802154: Fix null pointer dereference

2021-03-04 Thread Pavel Skripkin
Hi, thanks for your reply! On Wed, 2021-03-03 at 21:40 -0500, Alexander Aring wrote: > Hi, > > On Wed, 3 Mar 2021 at 11:28, Pavel Skripkin > wrote: > > syzbot found general protection fault in crypto_destroy_tfm()[1]. > > It was caused by wrong clean up loop in llsec

[PATCH] net: mac802154: Fix null pointer dereference

2021-03-03 Thread Pavel Skripkin
/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: Pavel Skripkin Reported-by: syzbot+12cf5fbfdeba210a8...@syzkaller.appspotmail.com --- net

[PATCH] usb: serial: io_edgeport: fix memory leak in edge_startup

2021-03-01 Thread Pavel Skripkin
syzbot found memory leak in edge_startup(). The problem was that when an error was received from the usb_submit_urb(), nothing was cleaned up. Reported-by: syzbot+59f777bdcbdd7eea5...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- drivers/usb/serial/io_edgeport.c | 26

[PATCH] drivers/media/usb: fix memory leak in zr364xx_probe

2021-03-01 Thread Pavel Skripkin
syzbot reported memory leak in zr364xx_probe()[1]. The problem was in invalid error handling order. All error conditions right after v4l2_ctrl_handler_init() must call v4l2_ctrl_handler_free(). Reported-by: syzbot+efe9aefc31ae1e6f7...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin

Re: [PATCH] net/core/skbuff.c: __netdev_alloc_skb fix when len is greater than KMALLOC_MAX_SIZE

2021-03-01 Thread Pavel Skripkin
Hi, thanks for your reply! On Mon, 2021-03-01 at 14:09 +0100, Eric Dumazet wrote: > > On 2/26/21 8:11 PM, Pavel Skripkin wrote: > > syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= > > MAX_ORDER. > > It was caused by __netdev_alloc_skb(), which doesn'

[PATCH v4] net/qrtr: fix __netdev_alloc_skb call

2021-02-28 Thread Pavel Skripkin
:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported-by: syzbot+80dccaee7c6630fa9...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- net/qrtr/qrtr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c index b34358282f37..82d2eb8c21d1 100

Re: [PATCH v3] net/core/skbuff: fix passing wrong size to __alloc_skb

2021-02-28 Thread Pavel Skripkin
> From: Pavel Skripkin > Date: Sun, 28 Feb 2021 22:28:13 +0300 > > > Hi, thanks for reply! > > > > > From: Pavel Skripkin > > > Date: Sat, 27 Feb 2021 20:51:14 +0300 > > > > > > Hi, > > > > > > > syzbot found

Re: [PATCH v3] net/core/skbuff: fix passing wrong size to __alloc_skb

2021-02-28 Thread Pavel Skripkin
Hi, thanks for reply! > From: Pavel Skripkin > Date: Sat, 27 Feb 2021 20:51:14 +0300 > > Hi, > > > syzbot found WARNING in __alloc_pages_nodemask()[1] when order >= > > MAX_ORDER. > > It was caused by __netdev_alloc_skb(), which doesn't check len > >

[PATCH v3] net/core/skbuff: fix passing wrong size to __alloc_skb

2021-02-27 Thread Pavel Skripkin
7c6630fa9...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin --- Changes from v3: * Removed Change-Id and extra tabs in net/core/skbuff.c Changes from v2: * Added length check to __napi_alloc_skb * Added unlikely() in checks Change from v1: * Added length check to __netdev_alloc_skb ---

[PATCH v2] net/core/skbuff: fix passing wrong size to __alloc_skb

2021-02-27 Thread Pavel Skripkin
7c6630fa9...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Change-Id: I480a6d6f818a4c0a387db0cd3f230b68a7daeb16 --- net/core/skbuff.c | 6 ++ 1 file changed, 6 insertions(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 785daff48030..a35ba145a060 100644 --- a/net/core/skbuf

[PATCH] drivers/media/usb/gspca/stv06xx: fix memory leak

2021-02-26 Thread Pavel Skripkin
return ret; } Reported-by: syzbot+e7f4c64a4248a0340...@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Change-Id: Ia198671177ee346de61780813025110c7c491d7a --- drivers/media/usb/gspca/stv06xx/stv06xx_hdcs.c | 12 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/driv

[PATCH] net/core/skbuff.c: __netdev_alloc_skb fix when len is greater than KMALLOC_MAX_SIZE

2021-02-26 Thread Pavel Skripkin
om Signed-off-by: Pavel Skripkin Change-Id: I480a6d6f818a4c0a387db0cd3f230b68a7daeb16 --- net/core/skbuff.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 785daff48030..dc28c8f7bf5f 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -443