[PATCH] appletalk: Fix potential NULL pointer dereference in unregister_snap_client

2019-03-11 Thread Yue Haibing
From: YueHaibing register_snap_client may return NULL; all the callers check it, but only print a warning. This will result in a NULL pointer dereference in unregister_snap_client and other places. It has always been used like this since v2.6. Reported-by: Dan Carpenter Signed-off-by: YueHaibing

[PATCH] clocksource: cadence_ttc: fix memory leak in ttc_setup_clockevent

2019-03-09 Thread Yue Haibing
From: YueHaibing Add the missing kfree() in ttc_setup_clockevent() to free the memory before the error return. Fixes: 70504f311d4b ("clocksource/drivers/cadence_ttc: Convert init function to return error") Signed-off-by: YueHaibing --- drivers/clocksource/timer-cadence-ttc.c | 1 + 1 file changed,

[PATCH] can: af_can: Fix possible NULL pointer dereference in can_exit

2019-03-08 Thread Yue Haibing
From: YueHaibing Syzkaller reports this: kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN PTI CPU: 0 PID: 9400 Comm: syz-executor.0 Tainted: G C 5.0.0-rc8+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),

[PATCH v2] appletalk: Correctly check return value of register_snap_client

2019-03-06 Thread Yue Haibing
From: YueHaibing register_snap_client may return NULL; all the callers check it, but only print a warning. This will result in a NULL pointer dereference in unregister_snap_client and other places. It has always been used like this since v2.6. Reported-by: Dan Carpenter Signed-off-by: YueHaibing

[PATCH] media: cpia2: Fix use-after-free in cpia2_exit

2019-03-06 Thread Yue Haibing
From: YueHaibing Syzkaller reports this: BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468 Read of size 8 at addr 8881f59a6b70 by task syz-executor.0/8363 CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3 Hardware name: QEMU Standard PC (i440FX +

[PATCH] ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit

2019-03-06 Thread Yue Haibing
From: YueHaibing Syzkaller reports this: kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN PTI CPU: 0 PID: 4492 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

[PATCH] ray_cs: use remove_proc_subtree to simplify procfs code

2019-03-06 Thread Yue Haibing
From: YueHaibing Use remove_proc_subtree to remove the whole subtree Signed-off-by: YueHaibing --- drivers/net/wireless/ray_cs.c | 6 +- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/net/wireless/ray_cs.c b/drivers/net/wireless/ray_cs.c index d561659..ee4d810 100644

[PATCH] ray_cs: Check return value of pcmcia_register_driver

2019-03-06 Thread Yue Haibing
From: YueHaibing init_ray_cs does not check the return value of pcmcia_register_driver; if it fails, this may cause a NULL pointer dereference in exit_ray_cs. Signed-off-by: YueHaibing --- drivers/net/wireless/ray_cs.c | 2 ++ 1 file changed, 2 insertions(+) diff --git

[PATCH] appletalk: Correctly handle return value of register_snap_client

2019-03-05 Thread Yue Haibing
From: YueHaibing register_snap_client may return NULL; all the callers check it, but only print a warning. This will result in a NULL pointer dereference in unregister_snap_client and other places. It has always been used like this since v2.6. Reported-by: Dan Carpenter Signed-off-by: YueHaibing

[PATCH] media: serial_ir: Fix use-after-free in serial_ir_init_module

2019-03-04 Thread Yue Haibing
From: YueHaibing Syzkaller reports this: BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468 Read of size 8 at addr 8881dc7ae030 by task syz-executor.0/6249 CPU: 1 PID: 6249 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3 Hardware name: QEMU Standard PC (i440FX +

[PATCH] proc/sysctl: Fix NULL pointer dereference in put_links

2019-03-04 Thread Yue Haibing
From: YueHaibing Syzkaller reports this: kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN PTI CPU: 1 PID: 5373 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

[PATCH -next] RDMA/hns: Use GFP_ATOMIC in hns_roce_v2_modify_qp

2019-03-03 Thread Yue Haibing
From: YueHaibing In commit 0425e3e6e0c7, hns_roce_v2_modify_qp is called inside a spinlock while using GFP_KERNEL; it may sleep while holding the spinlock, so we should use GFP_ATOMIC instead. Fixes: 0425e3e6e0c7 ("RDMA/hns: Support flush cqe for hip08 in kernel space") Signed-off-by: YueHaibing ---

[PATCH] net-sysfs: Fix mem leak in netdev_register_kobject

2019-03-01 Thread Yue Haibing
From: YueHaibing syzkaller reports this: BUG: memory leak unreferenced object 0x88837a71a500 (size 256): comm "syz-executor.2", pid 9770, jiffies 4297825125 (age 17.843s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .N.. ff ff ff ff ff ff

[PATCH net-next] drivers: net: Remove unnecessary semicolon

2019-03-01 Thread Yue Haibing
From: YueHaibing drivers/net/dsa/mt7530.c:649:3-4: Unneeded semicolon drivers/net/ethernet/cisco/enic/enic_clsf.c:35:2-3: Unneeded semicolon drivers/net/ethernet/faraday/ftgmac100.c:1640:2-3: Unneeded semicolon drivers/net/ethernet/mediatek/mtk_eth_soc.c:229:2-3: Unneeded semicolon

[PATCH v2 2/2] appletalk: Fix use-after-free in atalk_proc_exit

2019-02-28 Thread Yue Haibing
From: YueHaibing KASAN reports this: BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71 Read of size 8 at addr 8881f41fe5b0 by task syz-executor.0/2806 CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX +

[PATCH v2 1/2] appletalk: use remove_proc_subtree to simplify procfs code

2019-02-28 Thread Yue Haibing
From: YueHaibing Use remove_proc_subtree to remove the whole subtree on cleanup. Also do some cleanup. Signed-off-by: YueHaibing --- net/appletalk/atalk_proc.c | 56 ++ 1 file changed, 17 insertions(+), 39 deletions(-) diff --git

[PATCH v2 0/2] appletalk: small cleanup and bugfix

2019-02-28 Thread Yue Haibing
From: YueHaibing v2: - Add cover letter log This patch series mainly fixes a use-after-free bug in atalk_proc_exit. Patch 1 uses the remove_proc_subtree helper to simplify the atalk_proc fs code, along with some other cleanup. Patch 2 adds a proper error cleanup path in atalk_init to fix the issue, which is based on

[PATCH -next] fbdev: omap2: omapfb: trivial code cleanup

2019-02-28 Thread Yue Haibing
From: YueHaibing After commit 60d2fa0dad06 ("fbdev: omap2: no need to check return value of debugfs_create functions"), there is some leftover code that needs to be cleaned up. Signed-off-by: YueHaibing --- drivers/video/fbdev/omap2/omapfb/dss/core.c | 3 --- 1 file changed, 3 deletions(-) diff --git

[PATCH 2/2] appletalk: Fix use-after-free in atalk_proc_exit

2019-02-28 Thread Yue Haibing
From: YueHaibing KASAN reports this: BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71 Read of size 8 at addr 8881f41fe5b0 by task syz-executor.0/2806 CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX +

[PATCH 1/2] appletalk: use remove_proc_subtree to simplify procfs code

2019-02-28 Thread Yue Haibing
From: YueHaibing Use remove_proc_subtree to remove the whole subtree on cleanup. Also do some cleanup. Signed-off-by: YueHaibing --- net/appletalk/atalk_proc.c | 56 ++ 1 file changed, 17 insertions(+), 39 deletions(-) diff --git

[PATCH 0/2] appletalk: A cleanup and bugfix

2019-02-28 Thread Yue Haibing
From: YueHaibing YueHaibing (2): appletalk: use remove_proc_subtree to simplify procfs code appletalk: Fix use-after-free in atalk_proc_exit include/linux/atalk.h| 2 +- net/appletalk/atalk_proc.c | 58 +--- net/appletalk/ddp.c

[PATCH] drm/nouveau/debugfs: Fix check of pm_runtime_get_sync failure

2019-02-28 Thread Yue Haibing
From: YueHaibing pm_runtime_get_sync returns negative on failure. Fixes: eaeb9010bb4b ("drm/nouveau/debugfs: Wake up GPU before doing any reclocking") Signed-off-by: YueHaibing --- drivers/gpu/drm/nouveau/nouveau_debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git

[PATCH] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink

2019-02-27 Thread Yue Haibing
From: YueHaibing UBSAN reports this: UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 index 6 is out of range for type 'unsigned int [6]' CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

[PATCH v3] xfrm: policy: Fix possible use after free in __xfrm_policy_unlink

2019-02-27 Thread Yue Haibing
From: YueHaibing UBSAN reports this: UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 index 6 is out of range for type 'unsigned int [6]' CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

[PATCH v2] xfrm: policy: Fix possible use after free in __xfrm_policy_unlink

2019-02-27 Thread Yue Haibing
From: YueHaibing UBSAN reports this: UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 index 6 is out of range for type 'unsigned int [6]' CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

[PATCH] xfrm: policy: Fix possible use after free in __xfrm_policy_unlink

2019-02-27 Thread Yue Haibing
From: YueHaibing UBSAN reports this: UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 index 6 is out of range for type 'unsigned int [6]' CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

[PATCH v2] appletalk: Fix use-after-free in atalk_proc_exit

2019-02-27 Thread Yue Haibing
From: YueHaibing KASAN reports this: BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71 Read of size 8 at addr 8881f41fe5b0 by task syz-executor.0/2806 CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX +

[PATCH v2 -next] appletalk: use remove_proc_subtree to simplify procfs code

2019-02-27 Thread Yue Haibing
From: YueHaibing Use remove_proc_subtree to remove the whole subtree on cleanup. Also do some cleanup. Signed-off-by: YueHaibing --- net/appletalk/atalk_proc.c | 56 ++ 1 file changed, 17 insertions(+), 39 deletions(-) diff --git

[PATCH -next] appletalk: use remove_proc_subtree to simplify procfs code

2019-02-27 Thread Yue Haibing
From: YueHaibing Use remove_proc_subtree to remove the whole subtree on cleanup. Also do some cleanup. Signed-off-by: YueHaibing --- net/appletalk/atalk_proc.c | 56 ++ 1 file changed, 17 insertions(+), 39 deletions(-) diff --git

[PATCH] appletalk: Fix use-after-free in atalk_proc_exit

2019-02-27 Thread Yue Haibing
From: YueHaibing KASAN reports this: BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71 Read of size 8 at addr 8881f41fe5b0 by task syz-executor.0/2806 CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX +
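The appletalk entries in this listing (register_snap_client returning NULL but only being warned about, so unregister_snap_client later dereferences NULL; and atalk_proc_exit tearing down proc entries that a partially failed atalk_init never created) describe one bug class: an init path that reports success after a step failed, paired with an exit path that assumes every step succeeded. The program below is an added example written for this page, not code from the patches or from the kernel. The fake_* functions, the failure knobs and the counters are constructed stand-ins for the kernel calls the commit messages name, and load_and_unload mimics the module loader's rule that module_exit only runs when module_init returned 0; the buggy and fixed init/exit pairs show the "before" and the error-unwind shape of the fix.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the kernel calls the commit messages name
 * (register_snap_client / unregister_snap_client, atalk_proc_init /
 * atalk_proc_exit). They are this example's fakes, not kernel code. */
struct snap_client { int id; };

static bool fake_snap_fails;      /* knob: fake_register_snap_client() returns NULL */
static bool fake_proc_fails;      /* knob: fake_atalk_proc_init() returns -ENOMEM */
static int  null_unregisters;     /* unregister handed a NULL handle (the GPF) */
static int  bogus_proc_removals;  /* proc_exit run with nothing registered (the UAF) */
static int  proc_entries_live;

static struct snap_client *fake_register_snap_client(void)
{
    if (fake_snap_fails)
        return NULL;
    struct snap_client *c = malloc(sizeof *c);
    if (c)
        c->id = 1;
    return c;
}

/* The real unregister_snap_client() dereferences its argument, so NULL
 * here is the crash the page describes; count it instead of crashing. */
static void fake_unregister_snap_client(struct snap_client *c)
{
    if (!c) { null_unregisters++; return; }
    free(c);
}

static int fake_atalk_proc_init(void)
{
    if (fake_proc_fails)
        return -ENOMEM;
    proc_entries_live++;
    return 0;
}

/* Removing an entry that was never created is the atalk_proc_exit bug. */
static void fake_atalk_proc_exit(void)
{
    if (proc_entries_live == 0) { bogus_proc_removals++; return; }
    proc_entries_live--;
}

static struct snap_client *ddp_dl;  /* module state, file-scope as in the driver */

/* Before: failures are only logged, init still reports success, and
 * module_exit later tears down things that were never set up. */
static int atalk_init_buggy(void)
{
    ddp_dl = fake_register_snap_client();
    if (!ddp_dl)
        fprintf(stderr, "Unable to register DDP with SNAP.\n");
    fake_atalk_proc_init();              /* return value ignored */
    return 0;
}

static void atalk_exit_buggy(void)
{
    fake_atalk_proc_exit();
    fake_unregister_snap_client(ddp_dl); /* NULL if registration failed */
}

/* After: each step is checked and undone in reverse order on failure.
 * A failing init returns an error, the loader never calls module_exit
 * for that load, and exit may assume everything it removes exists. */
static int atalk_init_fixed(void)
{
    int rc;

    ddp_dl = fake_register_snap_client();
    if (!ddp_dl) {
        fprintf(stderr, "Unable to register DDP with SNAP.\n");
        return -ENOMEM;
    }
    rc = fake_atalk_proc_init();
    if (rc)
        goto out_snap;
    return 0;

out_snap:
    fake_unregister_snap_client(ddp_dl);
    ddp_dl = NULL;
    return rc;
}

static void atalk_exit_fixed(void)
{
    fake_atalk_proc_exit();
    fake_unregister_snap_client(ddp_dl);
}

/* Mimics the module loader: exit runs only when init returned 0.
 * Returns init's status; *bugs counts bad teardown calls and leaks. */
static int load_and_unload(bool fixed, bool snap_fails, bool proc_fails, int *bugs)
{
    int rc;

    fake_snap_fails = snap_fails;
    fake_proc_fails = proc_fails;
    null_unregisters = bogus_proc_removals = proc_entries_live = 0;
    ddp_dl = NULL;

    rc = fixed ? atalk_init_fixed() : atalk_init_buggy();
    if (rc == 0)
        (fixed ? atalk_exit_fixed : atalk_exit_buggy)();

    *bugs = null_unregisters + bogus_proc_removals + proc_entries_live;
    return rc;
}

int main(void)
{
    int bugs, rc;
    rc = load_and_unload(false, true, false, &bugs);
    printf("buggy, SNAP registration fails: init=%d bad teardown calls=%d\n", rc, bugs);
    rc = load_and_unload(true, true, false, &bugs);
    printf("fixed, SNAP registration fails: init=%d bad teardown calls=%d\n", rc, bugs);
    return 0;
}
```

With the SNAP knob set, the buggy pair reports a successful load and then unregisters a NULL handle on unload, which is the GPF the appletalk and ray_cs entries describe; the fixed pair refuses the load, so there is no unload to get wrong. The same holds for the proc knob, where the buggy exit removes an entry that init never created.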

[PATCH -next] habanalabs: goya: Make some functions static

2019-02-26 Thread Yue Haibing
From: YueHaibing Fixes the following sparse warnings: drivers/misc/habanalabs/goya/goya.c:1233:5: warning: symbol 'goya_init_cpu_queues' was not declared. Should it be static? drivers/misc/habanalabs/goya/goya.c:2914:5: warning: symbol 'goya_suspend' was not declared. Should it be static?

[PATCH -next] media: rockchip-vpu: Remove duplicated include from rockchip_vpu_drv.c

2019-02-26 Thread Yue Haibing
From: YueHaibing Remove duplicated include. Signed-off-by: YueHaibing --- drivers/staging/media/rockchip/vpu/rockchip_vpu_drv.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/staging/media/rockchip/vpu/rockchip_vpu_drv.c b/drivers/staging/media/rockchip/vpu/rockchip_vpu_drv.c

[PATCH -next] staging: rtl8723bs: Remove duplicated include from drv_types.h

2019-02-26 Thread Yue Haibing
From: YueHaibing Remove duplicated include. Signed-off-by: YueHaibing --- drivers/staging/rtl8723bs/include/drv_types.h | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/staging/rtl8723bs/include/drv_types.h b/drivers/staging/rtl8723bs/include/drv_types.h index 062fda9..bafb2c3

[PATCH v2] xfrm: correctly check policy index in verify_newpolicy_info

2019-02-25 Thread Yue Haibing
From: YueHaibing UBSAN reports this: UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 index 6 is out of range for type 'unsigned int [6]' CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

[PATCH] xfrm: correctly check policy index in verify_newpolicy_info

2019-02-25 Thread Yue Haibing
From: YueHaibing UBSAN reports this: UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 index 6 is out of range for type 'unsigned int [6]' CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

[PATCH] cfg80211: reg: Fix use-after-free in call_crda

2019-02-22 Thread Yue Haibing
From: YueHaibing KASAN reports this: BUG: KASAN: use-after-free in kobject_uevent_env+0xedb/0xf20 lib/kobject_uevent.c:474 Read of size 8 at addr 8881e52d5dc0 by task kworker/0:2/1066 CPU: 0 PID: 1066 Comm: kworker/0:2 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX +

[PATCH] net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails

2019-02-21 Thread Yue Haibing
From: YueHaibing KASAN reports this: BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc] Read of size 3 at addr by task syz-executor.0/5401 CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS

[PATCH net-next] kcm: Remove unnecessary SLAB_PANIC for kmem_cache_create() in kcm_init

2019-02-21 Thread Yue Haibing
From: YueHaibing There is already a NULL check on kmem_cache_create() failure in kcm_init, so there is no need to use SLAB_PANIC to panic the system. Signed-off-by: YueHaibing --- net/kcm/kcmsock.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c index

[PATCH] scsi: qedi: Fix global-out-of-bounds bug in qedi dbg function

2019-02-21 Thread Yue Haibing
From: YueHaibing KASAN reports this: BUG: KASAN: global-out-of-bounds in qedi_dbg_err+0xda/0x330 [qedi] Read of size 31 at addr c12b0ae0 by task syz-executor.0/2429 CPU: 0 PID: 2429 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),

[PATCH -next] scsi: megaraid_sas: Remove a bunch of set but not used variables

2019-02-21 Thread Yue Haibing
From: YueHaibing Fixes gcc '-Wunused-but-set-variable' warning: drivers/scsi/megaraid/megaraid_sas_fusion.c: In function 'wait_and_poll': drivers/scsi/megaraid/megaraid_sas_fusion.c:936:25: warning: variable 'fusion' set but not used [-Wunused-but-set-variable]

[PATCH] mdio_bus: Fix use-after-free on device_register fails

2019-02-21 Thread Yue Haibing
From: YueHaibing KASAN has found a use-after-free in fixed_mdio_bus_init. Commit 0c692d07842a ("drivers/net/phy/mdio_bus.c: call put_device on device_register() failure") calls put_device() when device_register() fails, giving up the last reference to the device and allowing mdiobus_release to be

[PATCH v3 -next] tpm: Fix the type of the return value in calc_tpm2_event_size()

2019-02-20 Thread Yue Haibing
calc_tpm2_event_size() has an invalid signature because it returns a 'size_t' whereas its signature says that it returns 'int'. Cc: Fixes: 4d23cc323cdb ("tpm: add securityfs support for TPM 2.0 firmware event log") Suggested-by: Jarkko Sakkinen Signed-off-by: Yue Haibing --- v3: f

[PATCH] ufs: remove set but not used variable 'usb3'

2018-08-20 Thread Yue Haibing
Fixes gcc '-Wunused-but-set-variable' warning: fs/ufs/super.c: In function 'ufs_statfs': fs/ufs/super.c:1409:32: warning: variable 'usb3' set but not used [-Wunused-but-set-variable] struct ufs_super_block_third *usb3; ^ Signed-off-by: Yue Haibing --- fs/ufs