The dst entry should be released if no neighbour is found. Goto label
free_dst to fix the issue. Besides, the check of ndev against NULL is
redundant.
Signed-off-by: Pan Bian
---
.../net/ethernet/chelsio/inline_crypto/chtls/chtls_cm.c| 7 +++
1 file changed, 3 insertions(+), 4 deletions
Go to the label put_dev instead of the label error to fix a potential
resource leak on the path where the target index is invalid.
Fixes: c4fbb6515a4d ("NFC: The core part should generate the target index")
Signed-off-by: Pan Bian
---
net/nfc/rawsock.c | 2 +-
1 file changed, 1 inser
Put the device to avoid resource leak on path that the polling flag is
invalid.
Fixes: a831b9132065 ("NFC: Do not return EBUSY when stopping a poll that's
already stopped")
Signed-off-by: Pan Bian
---
net/nfc/netlink.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/nfc/
Call hci_dev_put() to decrement the reference count of HCI device hdev if
it fails to duplicate memory.
Fixes: 0b26ab9dce74 ("Bluetooth: AMP: Handle Accept phylink command status evt")
Signed-off-by: Pan Bian
---
net/bluetooth/a2mp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net
Put the device node dn before returning the error code on the failure path.
Fixes: 461cd1b03e32 ("net: dsa: bcm_sf2: Register our slave MDIO bus")
Signed-off-by: Pan Bian
---
drivers/net/dsa/bcm_sf2.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/dsa/b
Instead of directly returning, go to the error handling label to free
the allocated page.
Fixes: 5f29458b77d5 ("net/mlx5e: Support dump callback in TX reporter")
Signed-off-by: Pan Bian
---
drivers/net/ethernet/mellanox/mlx5/core/en/health.c | 2 +-
1 file changed, 1 insertion(+), 1 deletio
Jump to the label done to decrement the reference count of HCI device
hdev on path that the Inquiry procedure is interrupted.
Fixes: 3e13fa1e1fab ("Bluetooth: Fix hci_inquiry ioctl usage")
Signed-off-by: Pan Bian
---
net/bluetooth/hci_core.c | 6 --
1 file changed, 4 insert
Put file f if inode_storage_ptr() returns NULL.
Fixes: 8ea636848aca ("bpf: Implement bpf_local_storage for inodes")
Acked-by: KP Singh
Signed-off-by: Pan Bian
---
kernel/bpf/bpf_inode_storage.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/
Also decrement the reference count of child device on error path.
Fixes: 3e782985cb3c ("net: ethernet: fec: Allow configuration of MDIO bus
speed")
Signed-off-by: Pan Bian
---
drivers/net/ethernet/freescale/fec_main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
di
Remove the config data when rate setting fails.
Fixes: 9efc9b2b04c7 ("net: stmmac: Add dwmac-intel-plat for GBE driver")
Signed-off-by: Pan Bian
---
drivers/net/ethernet/stmicro/stmmac/dwmac-intel-plat.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/d
On the error path, it should goto the error handling label to free
allocated memory rather than directly return.
Fixes: 6328a126896e ("net: systemport: Manage Wake-on-LAN clock")
Signed-off-by: Pan Bian
---
drivers/net/ethernet/broadcom/bcmsysport.c | 6 --
1 file changed, 4
entry is released via usb_put_urb just after calling usb_submit_urb.
However, entry is used if the submission fails, resulting in a use after
free bug. The patch fixes this.
Signed-off-by: Pan Bian
---
drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++-
1 file changed, 2 insertions
cfg80211_put_bss.
Signed-off-by: Pan Bian
---
drivers/net/wireless/marvell/mwifiex/scan.c | 18 ++
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c
b/drivers/net/wireless/marvell/mwifiex/scan.c
index 8e483b0..dfe2cf0 100644
--- a
ead of sc->iq_no.
Signed-off-by: Pan Bian
---
drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
b/drivers/net/ethernet/cavium/liquidio/lio_vf_rep.c
index ea9859e..de610
ata->state.skb may point to a freed memory chunk. To fix this, the
patch sets skb to NULL after dev_kfree_skb(skb).
Signed-off-by: Pan Bian
---
drivers/net/ethernet/synopsys/dwc-xlgmac-net.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/synopsys/dwc-xlgmac-net.c
b/drive
point to a freed memory chunk. To fix this, the patch sets skb to NULL
after dev_kfree_skb(skb).
Signed-off-by: Pan Bian
---
V2: correct the commit log
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dr
The buffer skb is freed via dev_kfree_skb in a loop. skb may be used
again in the next iteration, resulting in a use-after-free bug. To fix
this, the patch sets skb to NULL after dev_kfree_skb(skb).
Signed-off-by: Pan Bian
---
drivers/net/ethernet/amd/xgbe/xgbe-drv.c | 2 ++
1 file changed, 2
The net device ndev is freed via free_netdev when failing to register
the device. The control flow then jumps to the error handling code
block. ndev is used and freed again, resulting in a use-after-free bug.
Signed-off-by: Pan Bian
---
drivers/net/ethernet/hisilicon/hip04_eth.c | 4 +---
1
skb is freed via dev_kfree_skb_any, however, skb->len is read then. This
may result in a use-after-free bug.
Fixes: e6161d64263 ("rapidio/rionet: rework driver initialization and removal")
Signed-off-by: Pan Bian
---
drivers/net/rionet.c | 2 +-
1 file changed, 1 insertion(+
e call to __ceph_monc_got_map.
Fixes: 82dcabad750 ("libceph: revamp subs code, switch to SUBSCRIBE2 protocol")
Signed-off-by: Pan Bian
---
V2: correct the format of the tag Fixes
---
net/ceph/mon_client.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ceph/mon_
s the unexpected call to nfc_put_device.
Signed-off-by: Pan Bian
---
net/nfc/netlink.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/net/nfc/netlink.c b/net/nfc/netlink.c
index 376181c..e1f2057 100644
--- a/net/nfc/netlink.c
+++ b/net/nfc/netlink.c
@@ -1107,7 +1107,6 @@ stati
e call
to __ceph_monc_got_map.
Fixes: 82dcabad750("libceph: revamp subs code, switch to SUBSCRIBE2
protocol")
Signed-off-by: Pan Bian
---
net/ceph/mon_client.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
index 18deb3d..05ef5
("netfilter: ipset: Fix set:list type crash when
flush/dump set in parallel")
Signed-off-by: Pan Bian
---
net/netfilter/ipset/ip_set_list_set.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipset/ip_set_list_set.c
b/net/netfilter/ipset/ip_set_list_set.c
ind
Function devm_gpiod_get_optional() returns an ERR_PTR on failure. Its
return value should not be validated by a NULL check. Instead, use IS_ERR.
Signed-off-by: Pan Bian
---
drivers/net/dsa/lan9303-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/dsa/lan9303
unexpected.
Signed-off-by: Pan Bian
---
drivers/net/ethernet/hisilicon/hns/hns_enet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_enet.c
b/drivers/net/ethernet/hisilicon/hns/hns_enet.c
index 3652063..e771926 100644
--- a/drivers
The function netdev_priv() returns the private data of the device. The
memory to store the private data is allocated in alloc_netdev() and is
released in netdev_free(). Calling kfree() on the return value of
netdev_priv() after netdev_free() results in a double free bug.
Signed-off-by: Pan Bian
-off-by: Pan Bian
---
net/9p/trans_xen.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 6ad3e04..c548781 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -389,7 +389,7 @@ static int xen_9pfs_front_probe(struct xenbus_device
s for options
transfers")
Signed-off-by: Pan Bian
---
drivers/net/team/team.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index f8c81f1..85c0124 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/t
s for
options transfers")
Signed-off-by: Pan Bian
---
drivers/net/team/team.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index f8c81f1..85c0124 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
In function team_nl_send_port_list_get(), pointer skb keeps the return
value of nlmsg_new(). When the call to genlmsg_put() fails, the memory
is not freed. This will result in a memory leak bug. This patch fixes
it.
Fixes: fbd69cda90e7 ("team: fix memory leak")
Signed-off-by
emory leak")
Signed-off-by: Pan Bian
---
drivers/net/team/team.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
index dd3a2e9..85c0124 100644
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -2361,8 +2361,10
From: Pan Bian
Function create_singlethread_workqueue() will return a NULL pointer if
there is not enough memory, and its return value should be validated
before using. However, in function rndis_wlan_bind(), its return value
is not checked. This may cause NULL dereference bugs. This patch fixes
From: Pan Bian
Function alloc_workqueue() will return a NULL pointer if there is not
enough memory, and its return value should be validated before using.
However, in function if_spi_probe(), its return value is not checked.
This may result in a NULL dereference bug. This patch fixes the bug
From: Pan Bian
Function pci_find_ext_capability() may return 0, which is an invalid
address. In function qlcnic_sriov_virtid_fn(), its return value is used
without validation. This may result in invalid memory access bugs. This
patch fixes the bug.
Signed-off-by: Pan Bian
---
drivers/net
From: Pan Bian
Function platform_get_irq() will return a negative value on errors.
However, in function bcmgenet_probe(), 0 is considered as a flag of
error. This patch fixes the bug by checking whether the return value of
platform_get_irq() is less than 0.
Signed-off-by: Pan Bian
---
drivers
From: Pan Bian
In function pc300_pci_init_one(), on the ioremap error path, function
pc300_pci_remove_one() is called to free the allocated memory. However,
the path is not terminated, and the freed memory will be used later,
resulting in use-after-free bugs. This patch fixes the bug.
Signed-off
In function team_nl_send_options_get(), pointer skb keeps the return
value of function nlmsg_new(). When the call to genlmsg_put() fails, the
control flow directly returns and does not free skb. This will result in
a memory leak bug. This patch fixes it.
Signed-off-by: Pan Bian
---
drivers/net
In function team_nl_send_port_list_get(), pointer skb keeps the return
value of nlmsg_new(). When the call to genlmsg_put() fails, the memory
is not freed. This will result in a memory leak bug. This patch fixes
it.
Signed-off-by: Pan Bian
---
drivers/net/team/team.c | 4 +++-
1 file changed, 3
: Pan Bian
---
net/tipc/node.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/tipc/node.c b/net/tipc/node.c
index 4512e83..568e48d 100644
--- a/net/tipc/node.c
+++ b/net/tipc/node.c
@@ -2098,6 +2098,8 @@ int tipc_nl_node_get_monitor(struct sk_buff *skb, struct
genl_info *info)
int
Function alloc_skb() will return a NULL pointer if there is not enough
memory. However, in function mt7601u_mcu_msg_alloc(), its return value
is not validated before it is used. This patch fixes it.
Signed-off-by: Pan Bian
---
drivers/net/wireless/mediatek/mt7601u/mcu.c | 10 --
1 file
-off-by: Pan Bian
---
net/openvswitch/datapath.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
index 9c62b63..34c0fbd 100644
--- a/net/openvswitch/datapath.c
+++ b/net/openvswitch/datapath.c
@@ -489,7 +489,8
Function nla_nest_start() may return a NULL pointer on error. However,
in function lwtunnel_fill_encap(), the return value of nla_nest_start()
is not validated before it is used. This patch checks the return value
of nla_nest_start() against NULL.
Signed-off-by: Pan Bian
---
net/core/lwtunnel.c
bug.cgi?id=188671
Signed-off-by: Pan Bian
---
drivers/net/wireless/intersil/orinoco/wext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intersil/orinoco/wext.c
b/drivers/net/wireless/intersil/orinoco/wext.c
index 1d4dae4..fee57ea 100644
--- a/drivers/ne
From: Pan Bian
When calling dma_mapping_error(), the value of return variable rc is 0.
And when the call returns an unexpected value, rc is not set to a
negative errno. Thus, it will return 0 on the error path, and its
callers cannot detect the bug. This patch fixes the bug, assigning
"-E
From: Pan Bian
Macro BNX2X_ALLOC_AND_SET(arr, lbl, func) calls kmalloc() to allocate
memory, and jumps to label "lbl" if the allocation fails. Label "lbl"
first cleans memory and then returns variable rc. Before calling the
macro, the value of variable rc is 0. Because 0
From: Pan Bian
In function hfc4s8s_probe(), the value of return variable err should be
negative on failures. However, when the call to request_region() returns
NULL, the value of err is 0. This patch fixes the bug, assigning
"-EBUSY" to err on the path that request_region() fails.
From: Pan Bian
Macro BNX2X_ALLOC_AND_SET(arr, lbl, func) calls kmalloc() to allocate
memory, and jumps to label "lbl" if the allocation fails. Label "lbl"
first cleans memory and then returns variable rc. Before calling the
macro, the value of variable rc is 0. Because 0
From: Pan Bian
In function hfc4s8s_probe(), the value of return variable err should be
negative on failures. However, when the call to request_region() returns
NULL, the value of err is 0. This patch fixes the bug, assigning
"-EBUSY" to err on the path that request_region() fails.
From: Pan Bian
Macro BNX2X_ALLOC_AND_SET(arr, lbl, func) calls kmalloc() to allocate
memory, and jumps to label "lbl" if the allocation fails. Label "lbl"
first cleans memory and then returns variable rc. Before calling the
macro, the value of variable rc is 0. Because 0
From: Pan Bian
When the call to qlcnic_alloc_mbx_args() fails, returning variable "err"
seems improper. With reference to the context, returning variable
"config" may be better.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=189101
Signed-off-by: Pan Bian
---
From: Pan Bian
When calling dma_mapping_error(), the value of return variable rc is 0.
And when the call returns an unexpected value, rc is not set to a
negative errno. Thus, it will return 0 on the error path, and its
callers cannot detect the bug. This patch fixes the bug, assigning
"-E
From: Pan Bian
It returns variable "error" when ioremap_nocache() returns a NULL
pointer. The value of "error" is 0 then, which will mislead the callers
to believe that there is no error. This patch fixes the bug, returning
"-ENOMEM".
Bugzilla: https://bugzilla.ker
From: Pan Bian
When the calls to kzalloc() fail, the value of return variable ret may
be 0. 0 means success in this context. This patch fixes the bug,
assigning "-ENOMEM" to ret before calling kzalloc().
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188971
Signed-off-by
From: Pan Bian
In function hfc4s8s_probe(), the value of return variable err should be
negative on failures. However, when the call to request_region() returns
NULL, the value of err is 0. This patch fixes the bug, assigning
"-ENOMEM" to err on the path that request_region() fails.
lla: https://bugzilla.kernel.org/show_bug.cgi?id=188751
Signed-off-by: Pan Bian
---
net/caif/caif_socket.c | 5 +
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c
index aa209b1..92cbbd2 100644
--- a/net/caif/caif_socket.c
+++ b/net/caif/cai
From: PanBian
Hello Sergei,
On Sat, Dec 03, 2016 at 04:17:51PM +0300, Sergei Shtylyov wrote:
> Hello.
>
> On 12/3/2016 2:18 PM, Pan Bian wrote:
>
> >In function caif_sktinit_module(), the check of the return value of
> >sock_register() seems ineffective. This patch f
().
Thanks!
Best regards,
Pan
On Sat, Dec 03, 2016 at 02:53:07PM +0100, Lino Sanfilippo wrote:
> Hi,
>
> On 03.12.2016 14:24, Pan Bian wrote:
> > From: Pan Bian
> >
> > In function typhoon_init_one(), returns the value of variable err on
> > errors. However,
From: Pan Bian
In function dcbnl_cee_fill(), returns the value of variable err on
errors. However, on some error paths (e.g. nla put fails), its value may
be 0. It may be better to explicitly set a negative errno to variable
err before returning.
Bugzilla: https://bugzilla.kernel.org
From: Pan Bian
In function typhoon_init_one(), returns the value of variable err on
errors. However, on some error paths, variable err is not set to a
negative errno. This patch assigns "-EIO" to err on those paths.
Signed-off-by: Pan Bian
---
drivers/net/ethernet/3com/typhoon.c
?id=188791
Signed-off-by: Pan Bian
---
drivers/atm/lanai.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c
index ce43ae3..445505d 100644
--- a/drivers/atm/lanai.c
+++ b/drivers/atm/lanai.c
@@ -2143,6 +2143,7 @@ static int lanai_dev_open(struct atm_d
In function caif_sktinit_module(), the check of the return value of
sock_register() seems ineffective. This patch fixes it.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188751
Signed-off-by: Pan Bian
---
net/caif/caif_socket.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion
Function br_sysfs_addbr() does not set error code when the call
kobject_create_and_add() returns a NULL pointer. It may be better to
return "-ENOMEM" when kobject_create_and_add() fails.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188781
Signed-off-by: Pan Bian
---
o ret when usb_alloc_urb() returns a NULL pointer.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188771
Signed-off-by: Pan Bian
---
drivers/net/usb/lan78xx.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/usb/lan78xx.c b/drivers/net/usb/lan78xx.c
index db558b8..f33460c 10
stack memory to user space, resulting in stack information
leak. To avoid the bug, this patch returns variable ret (which takes
the return value of lbs_cmd_with_response()) instead of 0.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188451
Signed-off-by: Pan Bian
---
drivers/net/wireless
bug.cgi?id=188671
Signed-off-by: Pan Bian
---
drivers/net/wireless/intersil/orinoco/wext.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intersil/orinoco/wext.c
b/drivers/net/wireless/intersil/orinoco/wext.c
index 1d4dae4..fee57ea 100644
--- a/drivers/ne
Function bnxt_hwrm_stat_ctx_alloc() always returns 0, even if the call
to _hwrm_send_message() fails. It may be better to propagate the errors
to the caller of bnxt_hwrm_stat_ctx_alloc().
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188661
Signed-off-by: Pan Bian
---
drivers/net
70 matches