There is otherwise a risk of a null pointer dereference.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/pci/hotplug/cpqphp_ctrl.c | 10 ++
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/pci/hotplug/cpqphp_ctrl.c
b/drivers/pci/hotplug/cpqphp_
We should check the mode_config_initialized flag in amdgpu_hotplug_work_func.
See commit 7f98ca454ad3 ("drm/radeon: fix hotplug race at startup") for details.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_irq.c | 3 +++
1 file changed, 3 ins
sc_cmd->sense_buffer is not guaranteed to be allocated so we need to
check if the pointer is NULL before trying to copy anything into it.
See commit 16a611154dc1 ("scsi: qedf: Check if sense buffer has been allocated
during completion") for details.
Signed-off-by: Yo
We leak the allocated out_skb in case pfkey_xfrm_policy2msg() fails.
Fix this by freeing it on error.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
net/key/af_key.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 4af1e1d..ec414f6
of these attributes.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
net/nfc/netlink.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index 04a8e47..89d885d 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -923,7
ef4b4856593f ("iio:core: Fix bug in length of event info_mask and
catch unhandled bits set in masks.") for details.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/iio/industrialio-core.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/iio/industrialio-core
There is a missing check between kmsg->msg_controllen and cmlen,
which can possibly lead to overflow.
This bug is similar to the vulnerability that was fixed in commit 6900317f5eff
("net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds").
Signed-off-by: Young
If vpif_probe() fails on v4l2_device_register() and vpif_probe_complete(),
then memory allocated at initialize_vpif() for global vpif_obj.dev[i]
becomes unreleased.
The patch adds deallocation of vpif_obj.dev[i] on the error path.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers
Clearing the IFF_ALLMULTI flag on a down interface could cause an allmulti
overflow on the underlying interface.
Attempting to set IFF_ALLMULTI on the underlying interface would cause an
error and the log message:
"allmulti touches root, set allmulti failed."
Signed-off-by: Young Xi
frame pointer.
See commit 1b15ec7a7427 ("ARM: 7912/1: check stack pointer in get_wchan")
for details.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
arch/unicore32/kernel/process.c | 7 +--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/arch/unicore32/kernel/
fig. To fix it, check pctl->eint before accessing the member.
See commit 5f591543a937 ("pinctrl: mt7622: fix a kernel panic when pio
don't work as EINT controller") for details.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/pinctrl/mediatek/pinctrl-mtk-commo
of it.
This vulnerability is similar to CVE-2017-9074.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
net/ipv6/mip6.c | 24 ++--
1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/net/ipv6/mip6.c b/net/ipv6/mip6.c
index 64f0f7b..30ed1c5 100644
--- a/ne
If vpif_probe() fails on vpif_probe_complete(), then memory
allocated at initialize_vpif() for global vpif_obj.dev[i]
becomes unreleased.
The patch adds deallocation of vpif_obj.dev[i] on the error path.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/media/platform/d
D_l1hw().
To fix these bugs, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in HFCD_l1hw(), to protect the
access to cs->tx_skb.
See commit 7418e6520f22 ("isdn: hisax: hfc_pci: Fix a possible concurrency
use-after-free bug in HFCPCI_l1hw()") for details.
S
To fix these bugs, the calls to spin_lock_irqsave() and
spin_unlock_irqrestore() are added in HFCPCI_l1hw(), to protect the
access to cs->tx_skb.
See commit 7418e6520f22 ("isdn: hisax: hfc_pci: Fix a possible concurrency
use-after-free bug in HFCPCI_l1hw()") for details.
Signed-off-by:
= 1, then there is an access in line 2.
And another access occurs in line 12.
This would lead to an out-of-bounds access.
Therefore, in the patch we check that the available data length is
large enough to parse both TCP option code and size.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
net/ipv4/tcp_in
ser
with sufficient privileges (usually "video" group) may generate either
local DoS or privilege escalation.
See commit 194b3da873fd ("agp: fix arbitrary kernel memory writes")
for details.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/char/agp/amd64-agp.c | 3 ++-
dev in
xxx_i2c_irq_thread_fn function.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/nfc/microread/i2c.c | 19 +++
drivers/nfc/pn544/i2c.c | 16
2 files changed, 15 insertions(+), 20 deletions(-)
diff --git a/drivers/nfc/microread/i2c.c b/drivers/nfc/micror
platform_get_resource() may fail and return NULL, so we should
better check its return value to avoid a NULL pointer dereference
a bit later in the code.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/pinctrl/bcm/pinctrl-ns2-mux.c | 2 ++
1 file changed, 2 insertions(+)
diff
ticks so that
they are offset if the period has changed.
See commit 3581fe0ef37c ("ARM: 7556/1: perf: fix updated event period in
response to PERF_EVENT_IOC_PERIOD") for details.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
arch/sparc/kernel/perf_event.c | 4
1
The bytes_compl and pkts_compl pointers passed to ef4_dequeue_buffers
cannot be NULL. Add a paranoid warning to check this condition and fix
the one case where they were NULL.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/net/ethernet/sfc/falcon/tx.c | 5 -
1 file chan
Fix a null pointer dereference by acpi_driver_data() if device is
null (dereference before check). We should only set cdev and check
this is OK after we are sure device is not null.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/platform/x86/intel_menlow.c | 8 ++--
1 file c
set.
This vulnerability is similar to CVE-2011-1771.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/virt/vboxguest/vboxguest_linux.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/virt/vboxguest/vboxguest_linux.c
b/drivers/virt/vboxguest/vboxgues
In dvb_init(), dev->dvb is allocated by kzalloc.
Therefore, it must be freed before being set to NULL.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/media/usb/cx231xx/cx231xx-dvb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/media/usb/cx231xx/cx231xx-dvb.c
b/driv
eached to step 3) and if perf tries to read userspace
regs, kernel oops.
Fix it by setting abi to PERF_SAMPLE_REGS_ABI_NONE when userspace
pt_regs are not set.
See commit bf05fc25f268 ("powerpc/perf: Fix oops when kthread execs
user process") for details.
Signed-off-by: Young Xiao <
There is no deallocation of fusb300->ep[i] elements, allocated at
fusb300_probe.
The patch adds deallocation of fusb300->ep array elements.
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/usb/gadget/udc/fusb300_udc.c | 5 +
1 file changed, 5 insertions(+)
diff --g
This patch fixes corner case when (fp + 4) overflows unsigned long,
for example: fp = 0x -> fp + 4 == 3.
Copy from commit 3abb6671a9c0 ("ARM: 7913/1: fix framepointer check in
unwind_frame").
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
arch/unicore32/kern
The next call to ixgbevf_update_itr will continue to dynamically
update ITR.
Copy from commit bdbeefe8ea8c ("ixgbe: fix possible divide by zero in
ixgbe_update_itr")
Signed-off-by: Young Xiao <92siuy...@gmail.com>
---
drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 3 +++
1
29 matches