tly called in 2 places -
nl80211_del_key(), and cfg80211_validate_key_settings().
Reported-by: syzbot+49d4cab497c2142ee...@syzkaller.appspotmail.com
Tested-by: syzbot+49d4cab497c2142ee...@syzkaller.appspotmail.com
Suggested-by: Johannes Berg
Signed-off-by: Anant Thazhemadam
---
For the bug that w
On 01/12/20 5:36 pm, Johannes Berg wrote:
> On Tue, 2020-12-01 at 17:26 +0530, Anant Thazhemadam wrote:
>> On 01/12/20 3:30 pm, Johannes Berg wrote:
>>> On Tue, 2020-12-01 at 15:26 +0530, Anant Thazhemadam wrote:
>>>> Currently, it is assumed that key
On 01/12/20 3:30 pm, Johannes Berg wrote:
> On Tue, 2020-12-01 at 15:26 +0530, Anant Thazhemadam wrote:
>> Currently, it is assumed that key_idx values that are passed to
>> ieee80211_del_key() are all valid indexes as is, and no sanity checks
>> are performed for it.
>>
-off-by: Anant Thazhemadam
---
net/mac80211/cfg.c | 24 +---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 7276e66ae435..d349e33134e6 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -516,12 +516,30
Hi,
I only recently browsed through the code, and had some queries regarding
the changes introduced by this commit.
On 21/11/18 3:43 pm, Igor Russkikh wrote:
> From: Dmitry Bezrukov
>
> Signed-off-by: Dmitry Bezrukov
> Signed-off-by: Igor Russkikh
> ---
> drivers/net/usb/aqc111.c | 47 +++
On 05/11/20 5:54 am, Jakub Kicinski wrote:
> On Mon, 2 Nov 2020 23:09:46 +0530 Anant Thazhemadam wrote:
>> Currently, __usbnet_{read|write}_cmd() use usb_control_msg().
>> However, this could lead to potential partial reads/writes being
>> considered valid, and since m
")
Reported-by: syzbot+9bcb0c9409066696d...@syzkaller.appspotmail.com
Tested-by: Anant Thazhemadam
Signed-off-by: Anant Thazhemadam
---
net/can/af_can.c | 19 ++-
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/net/can/af_can.c b/net/can/af_can.c
index ea29a6
romising the degree of detail provided in the
log messages.
Anant Thazhemadam (2):
can: af_can: prevent potential access of uninitialized member in
can_rcv()
can: af_can: prevent potential access of uninitialized member in
canfd_rcv()
net/can/af_can.c | 38 -
pr_warn_once")
Reported-by: syzbot+9bcb0c9409066696d...@syzkaller.appspotmail.com
Tested-by: Anant Thazhemadam
Signed-off-by: Anant Thazhemadam
---
This patch was locally tested using the reproducer and .config file
generated by syzbot.
net/can/af_can.c | 19 ++-
1 file changed, 14 in
done), and this can lead to
issues.
However, the new usb_control_msg_{send|recv}() APIs don't allow partial
reads and writes.
Using the new APIs also relaxes the return value checking that must
be done after usbnet_{read|write}_cmd() is called.
Signed-off-by: Anant Thazhemadam
---
Cha
On 02/11/20 3:10 pm, Oliver Neukum wrote:
> On Sunday, 01.11.2020, 03:05 +0530, Anant Thazhemadam wrote:
>> Currently, __usbnet_{read|write}_cmd() use usb_control_msg().
>> However, this could lead to potential partial reads/writes being
>> considered valid, and sinc
On 02-11-2020 12:40, Marc Kleine-Budde wrote:
> On 11/2/20 4:13 AM, Anant Thazhemadam wrote:
>> In canfd_rcv(), cfd->len is uninitialized when skb->len = 0, and this
>> uninitialized cfd->len is accessed nonetheless by pr_warn_once().
>>
>> Fix this uninitial
len's
condition is checked, and appropriately modify the log messages that
are generated as well.
In case either of the required conditions fail, the skb is freed and
NET_RX_DROP is returned, same as before.
Reported-by: syzbot+9bcb0c9409066696d...@syzkaller.appspotmail.com
Tested-by: Anant Th
done), and this can lead to
issues.
However, the new usb_control_msg_{send|recv}() APIs don't allow partial
reads and writes.
Using the new APIs also relaxes the return value checking that must
be done after usbnet_{read|write}_cmd() is called.
Signed-off-by: Anant Thazhemadam
---
Cha
On 01/11/20 2:41 am, Jakub Kicinski wrote:
> On Thu, 29 Oct 2020 18:52:56 +0530 Anant Thazhemadam wrote:
>> +return usb_control_msg_recv(dev->udev, 0,
>> + cmd, reqtype, value, index, data, size,
>> + USB_CTRL
On 29/10/20 6:52 pm, Anant Thazhemadam wrote:
> Currently, __usbnet_{read|write}_cmd() use usb_control_msg(),
> and thus consider potential partial reads/writes being done to
> be perfectly valid.
> Quite a few callers of usbnet_{read|write}_cmd() don't enforce
> checki
hat a complete read/write occurs.
However, the new usb_control_msg_{send|recv}() APIs don't allow partial
reads and writes.
Using the new APIs also relaxes the return value checking that must
be done after usbnet_{read|write}_cmd() is called.
Signed-off-by: Anant Thazhemadam
---
Cha
On 12-10-2020 13:29, Dominique Martinet wrote:
> Anant Thazhemadam wrote on Mon, Oct 12, 2020:
>> In p9_fd_create_unix, checking is performed to see if the addr (passed
>> as an argument) is NULL or not.
>> However, no check is performed to see if addr is a valid address
otmail.com
Signed-off-by: Anant Thazhemadam
---
net/9p/trans_fd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index c0762a302162..8f528e783a6c 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -1023,7 +1023,7 @@ p9_fd_create_u
fixes this problem, and copies the ethernet address
appropriately.
Fixes: f45a4248ea4c ("net: usb: rtl8150: set random MAC address when
set_ethernet_addr() fails")
Signed-off-by: Anant Thazhemadam
---
Changes in v2:
* Fixed the format of the Fixes tag
* Modified the commit
On 10/10/20 10:33 pm, Jakub Kicinski wrote:
> On Sat, 10 Oct 2020 12:26:23 +0530 Anant Thazhemadam wrote:
>> GPF_KERNEL
> You haven't even built this, let alone tested :/
I'm really sorry about this.
Turns out, my .config wasn't set generated by make allyesconfig, an
Hi,
On 10/10/20 10:29 pm, Jakub Kicinski wrote:
> On Sat, 10 Oct 2020 12:14:59 +0530 Anant Thazhemadam wrote:
>> get_registers() directly returns the return value of
>> usb_control_msg_recv() - 0 if successful, and negative error number
>> otherwise.
> Are you expectin
On 10/10/20 11:46 pm, Jakub Kicinski wrote:
> On Sat, 10 Oct 2020 23:34:51 +0530 Anant Thazhemadam wrote:
>> On 10/10/20 10:29 pm, Jakub Kicinski wrote:
>>> On Sat, 10 Oct 2020 12:14:59 +0530 Anant Thazhemadam wrote:
>>>> get_registers() direct
done), and this can lead to
issues.
However, the new usb_control_msg_{send|recv}() APIs don't allow partial
reads and writes.
Using the new APIs also relaxes the return value checking that must
be done after usbnet_{read|write}_cmd() is called.
Signed-off-by: Anant Thazhemadam
---
Sin
m MAC address when set_ethernet_addr() fails")
Signed-off-by: Anant Thazhemadam
---
drivers/net/usb/rtl8150.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/usb/rtl8150.c b/drivers/net/usb/rtl8150.c
index f020401adf04..bf8a60533f3e 100644
--- a/drivers/net/usb
value of key.idx after
nl80211_parse_key() is called and return -EINVAL if key.idx < 0.
Reported-by: syzbot+b1bb342d1d097516c...@syzkaller.appspotmail.com
Tested-by: syzbot+b1bb342d1d097516c...@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam
---
net/wireless/nl80211.c | 3 +++
1 f
-off-by: Anant Thazhemadam
---
Changes in v4:
* Use netdev_notice() instead of dev_warn() and update the
logged message to show the new random MAC as well
(Suggested by Joe Perches )
* Convert set_ethernet_addr()'s return type back to void.
Since
ec30de...@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam
---
drivers/net/team/team.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index 8c1e02752ff6..8986f3e4 100644
--- a/drivers/net/team/team.c
+++ b/drive
On 04/10/20 3:05 am, Joe Perches wrote:
> On Sun, 2020-10-04 at 02:49 +0530, Anant Thazhemadam wrote:
>> When get_registers() fails, in set_ethernet_addr(), the uninitialized
>> value of node_id gets copied as the address. This can be considered as
>> set_ethernet_
-by: syzbot+abbc768b560c84d92...@syzkaller.appspotmail.com
Tested-by: syzbot+abbc768b560c84d92...@syzkaller.appspotmail.com
Acked-by: Petko Manolov
Signed-off-by: Anant Thazhemadam
---
Changes in v3:
* Set a random MAC address to the device rather than making
the device not work
On 04/10/20 1:08 am, Joe Perches wrote:
> On Thu, 2020-10-01 at 13:02 +0530, Anant Thazhemadam wrote:
>> When get_registers() fails (which happens when usb_control_msg() fails)
>> in set_ethernet_addr(), the uninitialized value of node_id gets copied
>> as the addres
On 03-10-2020 04:08, David Miller wrote:
> From: Anant Thazhemadam
> Date: Fri, 2 Oct 2020 17:04:13 +0530
>
>> But this patch is about ensuring that an uninitialized variable's
>> value (whatever that may be) is not set as the ethernet address
>> blindly
On 02-10-2020 19:59, Petko Manolov wrote:
> On 20-10-02 17:35:25, Anant Thazhemadam wrote:
>> Yes, this clears things up for me. I'll see to it that this gets done in a
>> v3.
> If set_ethernet_addr() fails, don't return error, but use eth_hw_addr_random()
> in
On 02-10-2020 17:24, Greg KH wrote:
> On Fri, Oct 02, 2020 at 05:04:13PM +0530, Anant Thazhemadam wrote:
>> On 02/10/20 7:45 am, David Miller wrote:
>>> From: Anant Thazhemadam
>>> Date: Thu, 1 Oct 2020 13:02:20 +0530
>>>
>>>> When get_regis
On 02/10/20 7:45 am, David Miller wrote:
> From: Anant Thazhemadam
> Date: Thu, 1 Oct 2020 13:02:20 +0530
>
>> When get_registers() fails (which happens when usb_control_msg() fails)
>> in set_ethernet_addr(), the uninitialized value of node_id gets copied
>> as the
address being incorrectly set in this manner.
Reported-by: syzbot+abbc768b560c84d92...@syzkaller.appspotmail.com
Tested-by: syzbot+abbc768b560c84d92...@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam
Acked-by: Petko Manolov
---
Changes in v2:
* Modified condition checking
post-reordering of members gives us the following
stats.
/* size: 1280, cachelines: 20, members: 11 */
/* padding: 60 */
/* paddings: 2, sum paddings: 44 */
/* forced alignments: 2 */
Signed-off-by: Anant Thazhemadam
---
The complete analysis done by pahole can be
of the structure (virtnet_info)
* have more members stored in one cache line (as opposed to
unnecessarily crossing the cacheline boundary and spanning
different cachelines)
The analysis was performed using pahole.
These patches may be applied in any order.
Anant Thazhemadam (2):
net
members gives the following
stats.
/* size: 248, cachelines: 4, members: 25 */
/* padding: 3 */
/* paddings: 1, sum paddings: 4 */
/* last cacheline: 56 bytes */
Signed-off-by: Anant Thazhemadam
---
The complete analysis done by pahole can be found below.
Before the
On 29/09/20 2:17 pm, Petko Manolov wrote:
> On 20-09-29 13:50:28, Anant Thazhemadam wrote:
>> When get_registers() fails (which happens when usb_control_msg() fails)
>> in set_ethernet_addr(), the uninitialized value of node_id gets copied
>> as the address.
>>
>>
A sample crash report can be found here.
https://syzkaller.appspot.com/text?tag=CrashReport&x=1748691190
The line where the bug seems to get triggered is,
if (!batadv_compare_eth(hard_iface->net_dev->dev_addr,
net_dev->dev_addr))
Looks like it goes through the list of
address being incorrectly set in this manner.
Reported-by: syzbot+abbc768b560c84d92...@syzkaller.appspotmail.com
Tested-by: syzbot+abbc768b560c84d92...@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam
---
drivers/net/usb/rtl8150.c | 24
1 file changed, 16
On 16/09/20 11:49 am, Petko Manolov wrote:
> On 20-09-16 10:35:40, Anant Thazhemadam wrote:
>> get_registers() copies whatever memory is written by the
>> usb_control_msg() call even if the underlying urb call ends up failing.
> Not true, memcpy() is only called if "ret"
On 16/09/20 11:52 am, Greg KH wrote:
> On Wed, Sep 16, 2020 at 10:35:40AM +0530, Anant Thazhemadam wrote:
>> get_registers() copies whatever memory is written by the
>> usb_control_msg() call even if the underlying urb call ends up failing.
>>
>> If get_registers()
extid=abbc768b560c84d92fd3
Reported-by: syzbot+abbc768b560c84d92...@syzkaller.appspotmail.com
Tested-by: syzbot+abbc768b560c84d92...@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam
---
drivers/net/usb/rtl8150.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/dr
On 13/09/20 4:33 pm, Anant Thazhemadam wrote:
> The crash report indicated that there was a local variable;
> iovstack.i@__sys_sendmmsg created at:
> ___sys_sendmsg net/socket.c:2388 [inline]
> __sys_sendmmsg+0x6db/0xc90 net/socket.c:2480
>
> that was left uninitialized
I can assure you that when I said "I think", I meant it in an assertive manner,
and not an assumptive one, but I can understand how that could easily get lost
in translation.
I wouldn't have sent in the patch if I had caught the build warning, and once
again, my apologies for not fixing it sooner
ested-by: syzbot+09a5d591c1f98cf5e...@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam
---
Changes from v1:
* Fixed the build warning that v1 had introduced
net/socket.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/socket.c b/net/socket.c
index 0c0144604f81..1e6f9b5
On 13/09/20 11:43 am, Greg KH wrote:
> On Sun, Sep 13, 2020 at 11:26:39AM +0530, Anant Thazhemadam wrote:
>> The crash report showed that there was a local variable;
>>
>> iovstack.i@__sys_sendmmsg created at:
>> ___sys_sendmsg net/socket.c:2388 [inline]
>>
by passing an array of 0's as
a parameter while making the initial system call.
Reported-by: syzbot+09a5d591c1f98cf5e...@syzkaller.appspotmail.com
Tested-by: syzbot+09a5d591c1f98cf5e...@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam
---
net/socket.c | 1 +
1 file changed, 1 inse
On 11-09-2020 15:20, Dmitry Vyukov wrote:
> On Sat, Aug 8, 2020 at 8:56 AM syzbot
> wrote:
>> Hello,
>>
>> syzbot found the following issue on:
>>
>> HEAD commit:d6efb3ac Merge tag 'tty-5.9-rc1' of git://git.kernel.org/p..
>> git tree: upstream
>> console output: https://syzkaller.apps
On 09/09/20 5:03 am, Anant Thazhemadam wrote:
> Removing ARCH_QCOM, as a dependency for QRTR begins to give rise to
> issues with respect to maintaining reference count integrity and
> suspicious rcu usage.
>
> The bugs resolved by making QRTR dependent on ARCH_QCOM include
qrtr_ns_worker
Reported-by: syzbot+0f84f6eed90503da7...@syzkaller.appspotmail.com
Signed-off-by: Anant Thazhemadam
---
As I understand it, QRTR was initially dependent upon ARCH_QCOM, but was
removed since not all modems using IPC Router protocol required the
support provided for Qualcomm
53 matches