[PATCH v3] xfrm: Reset secpath in xfrm failure

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath") Reported-by: syzbot+b69368fd933c6c592...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- Changes in v2: - Add fixes tag. Changes in v3: - Add out_reset label to remove duplicate secpath_reset() calls. net/ipv4/es

Re: [PATCH v2] xfrm: Reset secpath in xfrm failure

On Wed, Mar 06, 2019 at 02:31:25PM -0800, Eric Dumazet wrote: > > > On 03/06/2019 01:55 PM, Myungho Jung wrote: > > In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated > > without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] would > >

[PATCH v2] xfrm: Reset secpath in xfrm failure

Fixes: 7785bba299a8 ("esp: Add a software GRO codepath") Reported-by: syzbot+b69368fd933c6c592...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- Changes in v2: - Add fixes tag. net/ipv4/esp4_offload.c | 9 +++-- net/ipv6/esp6_offload.c | 9 +++-- 2 files changed, 14

Re: [PATCH] xfrm: Reset secpath in xfrm failure

On Wed, Mar 06, 2019 at 12:35:43PM +0100, Steffen Klassert wrote: > On Wed, Mar 06, 2019 at 04:33:08PM +0900, Myungho Jung wrote: > > In esp4_gro_receive() and esp6_gro_receive(), secpath can be allocated > > without adding xfrm state to xvec. Then, sp->xvec[sp->len - 1] woul

[PATCH] xfrm: Reset secpath in xfrm failure

ted-by: syzbot+b69368fd933c6c592...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/ipv4/esp4_offload.c | 9 +++-- net/ipv6/esp6_offload.c | 9 +++-- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/net/ipv4/esp4_offload.c b/net/ipv4/esp4_offload.c index 8756e0

[PATCH] Bluetooth: Fix decrementing reference count twice in releasing socket

from socket and setting to NULL in hci_sock_dev_event(), hci_dev_put(hdev) is unexpectedly called twice. This is resolved by referencing hdev from socket after bt_sock_unlink() in hci_sock_release(). Reported-by: syzbot+fdc3f4efff43b...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung

Re: [PATCH] libceph: protect pending flags in ceph_con_keepalive()

On Mon, Jan 14, 2019 at 09:37:25PM +0100, Ilya Dryomov wrote: > On Thu, Jan 3, 2019 at 4:50 AM Myungho Jung wrote: > > I reproduced on vm using syzkaller utils and verified the fix by syzbot. > > Hi Myungho, > > I think this might be a better fix: > > diff --git a

[PATCH v3] net/smc: fix TCP fallback socket release

smc_release(). Reported-by: syzbot+0bf2e01269f1274b4...@syzkaller.appspotmail.com Reported-by: syzbot+e3132895630f95730...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/smc/af_smc.c | 14 -- net/smc/smc.h| 4 2 files changed, 16 insertions(+), 2 deletions

Re: [PATCH] libceph: protect pending flags in ceph_con_keepalive()

On Wed, Jan 02, 2019 at 04:42:47PM +0100, Ilya Dryomov wrote: > On Thu, Dec 27, 2018 at 8:08 PM Myungho Jung wrote: > > > > con_flag_test_and_set() sets CON_FLAG_KEEPALIVE_PENDING and > > CON_FLAG_WRITE_PENDING flags without protection in ceph_con_keepalive(). > &g

[PATCH] libceph: protect pending flags in ceph_con_keepalive()

called before releasing the lock and store the condition to check after the critical section. Reported-by: syzbot+acdeb633f6211ccdf...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/ceph/messenger.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ceph

[PATCH v3] net/smc: fix TCP fallback socket release

smc_release(). Reported-by: syzbot+0bf2e01269f1274b4...@syzkaller.appspotmail.com Reported-by: syzbot+e3132895630f95730...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/smc/af_smc.c | 14 -- net/smc/smc.h| 4 2 files changed, 16 insertions(+), 2 deletions

Re: [PATCH v2] net/smc: fix TCP fallback socket release

On Mon, Dec 17, 2018 at 03:58:58PM +0100, Ursula Braun wrote: > Hi Ursula, Thank you for your suggestion. I have a question on your comment. > > On 12/17/2018 06:21 AM, Myungho Jung wrote: > > clcsock can be released while kernel_accept() references it in TCP > > listen

[PATCH v2] net/smc: fix TCP fallback socket release

smc_release(). Reported-by: syzbot+0bf2e01269f1274b4...@syzkaller.appspotmail.com Reported-by: syzbot+e3132895630f95730...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/smc/af_smc.c | 14 -- net/smc/smc.h| 2 ++ 2 files changed, 14 insertions(+), 2 deletions(-) diff

[PATCH] net/smc: fix TCP fallback socket release

smc_release(). Reported-by: syzbot+0bf2e01269f1274b4...@syzkaller.appspotmail.com Reported-by: syzbot+e3132895630f95730...@syzkaller.appspotmail.com Signed-off-by: Myungho Jung --- net/smc/af_smc.c | 12 +++- net/smc/smc.h| 2 ++ 2 files changed, 13 insertions(+), 1 deletion(-) diff

[PATCH v3] net: core: Prevent from dereferencing null pointer when releasing SKB

Added NULL check to make __dev_kfree_skb_irq consistent with kfree family of functions. Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289 Signed-off-by: Myungho Jung --- Changes in v2: - Correct category in subject Changes in v3: - Fix typo in subject net/core/dev.c | 3 +++ 1 file

Re: [PATCH v2] net: core: Prevent from dereferencing null pointer when

On Mon, Apr 24, 2017 at 09:44:50PM -0400, David Miller wrote: > From: Myungho Jung > Date: Mon, 24 Apr 2017 18:00:52 -0700 > > > On Mon, Apr 24, 2017 at 12:02:35PM -0400, David Miller wrote: > >> From: Myungho Jung > >> Date: Thu, 20 Apr 2017 16:59:20 -0700 >

Re: [PATCH v2] net: core: Prevent from dereferencing null pointer when

On Mon, Apr 24, 2017 at 06:10:32PM -0700, Eric Dumazet wrote: > On Mon, Apr 24, 2017 at 6:00 PM, Myungho Jung wrote: > > On Mon, Apr 24, 2017 at 12:02:35PM -0400, David Miller wrote: > >> From: Myungho Jung > >> Date: Thu, 20 Apr 2017 16:59:20 -0700 > >

Re: [PATCH v2] net: core: Prevent from dereferencing null pointer when

On Mon, Apr 24, 2017 at 12:02:35PM -0400, David Miller wrote: > From: Myungho Jung > Date: Thu, 20 Apr 2017 16:59:20 -0700 > > > Added NULL check to make __dev_kfree_skb_irq consistent with kfree > > family of functions. > > > > Link: https://bugzilla.

[PATCH v2] net: core: Prevent from dereferencing null pointer when

Added NULL check to make __dev_kfree_skb_irq consistent with kfree family of functions. Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289 Signed-off-by: Myungho Jung --- Changes in v2: - Correct category in subject net/core/dev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a

Re: [PATCH] p54: Prevent from dereferencing null pointer when releasing SKB

On Thu, Apr 20, 2017 at 04:03:43PM -0700, Greg Rose wrote: > On Thu, 2017-04-20 at 11:25 -0700, Myungho Jung wrote: > > Added NULL check to make __dev_kfree_skb_irq consistent with kfree > > family of functions. > > > > Link: https://bugzilla.kernel.org/show_bug.cgi?id

[PATCH] p54: Prevent from dereferencing null pointer when releasing SKB

Added NULL check to make __dev_kfree_skb_irq consistent with kfree family of functions. Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289 Signed-off-by: Myungho Jung --- net/core/dev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/dev.c b/net/core/dev.c index 7869ae3

[PATCH] p54: Prevent from dereferencing null pointer when releasing SKB

Added NULL check to make __dev_kfree_skb_irq consistent with kfree family of functions. Link: https://bugzilla.kernel.org/show_bug.cgi?id=195289 Signed-off-by: Myungho Jung --- net/core/dev.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/core/dev.c b/net/core/dev.c index 7869ae3

Re: [PATCH] p54: add null pointer check before releasing socket buffer

On Mon, Apr 10, 2017 at 02:12:54PM +0200, Christian Lamparter wrote: > (Added linux-wireless, since this is a wireless driver) > > On Sunday, April 9, 2017 10:23:20 PM CEST Myungho Jung wrote: > > Kernel panic is caused by trying to dereference null pointer. Check if > >

[PATCH] p54: add null pointer check before releasing socket buffer

Kernel panic is caused by trying to dereference null pointer. Check if the pointer is null before freeing space. Signed-off-by: Myungho Jung --- drivers/net/wireless/intersil/p54/txrx.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intersil/p54