Created June 13, 2023 05:35
Save dvyukov/578aba253735e331376a27452a3c2c0b to your computer and use it in GitHub Desktop.
git shortlog --grep 'Reported-.*\(syzbot\|syzkaller\)' --author=penguin-kernel --author=mudongliangabcd --author=paskripkin --author=asml.silence --author=johannes.berg

Dongliang Mu (23):
      NFC: nci: fix memory leak in nci_allocate_device
      misc/uss720: fix memory leak in uss720_probe
      ALSA: control led: fix memory leak in snd_ctl_led_register
      media: dvd_usb: memory leak in cinergyt2_fe_attach
      ieee802154: hwsim: Fix memory leak in hwsim_add_one
      usb: hso: fix error handling code of hso_create_net_device
      netfilter: nf_tables: fix audit memory leak in nf_tables_commit
      usb: hso: fix error handling code of hso_create_net_device
      media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init
      media: em28xx: fix memory leak in em28xx_init_dev
      HID: elo: fix memory leak in elo_probe
      media: em28xx: initialize refcount before kref_get
      media: hdpvr: initialize dev->worker at hdpvr_register_videodev
      btrfs: don't access possibly stale fs_info data in device_list_add
      ntfs: add sanity check on allocation size
      HID: bigben: fix slab-out-of-bounds Write in bigben_probe
      f2fs: remove WARN_ON in f2fs_is_valid_blkaddr
      rtlwifi: Use pr_warn instead of WARN_ONCE
      media: pvrusb2: fix memory leak in pvr_probe
      media: airspy: fix memory leak in airspy probe
      usb: idmouse: fix an uninit-value in idmouse_open
      fs: jfs: fix shift-out-of-bounds in dbAllocAG
      fs: hfsplus: fix UAF issue in hfsplus_put_super

Johannes Berg (37):
      mac80211_hwsim: validate number of different channels
      cfg80211: check dev_set_name() return value
      mac80211_hwsim: don't use WQ_MEM_RECLAIM
      cfg80211: limit wiphy names to 128 bytes
      mac80211_hwsim: require at least one channel
      mac80211_hwsim: check that n_limits makes sense
      nl80211: fix NLA_POLICY_NESTED() arguments
      mac80211_hwsim: calculate if_combination.max_interfaces
      mac80211: don't attempt to rename ERR_PTR() debugfs dirs
      cfg80211: check for set_wiphy_params
      cfg80211: fix debugfs rename crash
      cfg80211: regulatory: reject invalid hints
      netlink: policy: correct validation type check
      mac80211: fix use of skb payload instead of header
      mac80211: always wind down STA state
      mac80211: free sta in sta_info_insert_finish() on errors
      wext: fix NULL-ptr-dereference with cfg80211's lack of commit()
      mac80211: pause TX while changing interface type
      virt_wifi: fix deadlock on RTNL
      nl80211: call cfg80211_dev_rename() under RTNL
      wext: call cfg80211_change_iface() with wiphy lock held
      cfg80211: call cfg80211_destroy_ifaces() with wiphy lock held
      cfg80211: fix netdev registration deadlock
      nl80211: fix beacon head validation
      bonding: init notify_work earlier to avoid uninitialized use
      netlink: disable IRQs for netlink_lock_table()
      mac80211: remove warning in ieee80211_get_sband()
      mac80211_hwsim: drop pending frames on stop
      mac80211: fix deadlock in AP/VLAN handling
      mac80211-hwsim: fix late beacon hrtimer handling
      cfg80211: always free wiphy specific regdomain
      mac80211: track only QoS data frames for admission control
      mac80211: validate extended element ID is present
      mac80211: fix locking in ieee80211_start_ap error path
      wifi: mac80211: properly skip link info driver update
      wifi: cfg80211: handle IBSS in channel switch
      wifi: nl80211: hold wdev mutex for tid config

Pavel Begunkov (35):
      io_uring: fix files cancellation
      io_uring: fix double io_uring free
      io_uring: dont kill fasync under completion_lock
      io_uring: fix null-deref in io_disable_sqo_submit
      io_uring: do sqo disable on install_fd error
      io_uring: fix false positive sqo warning on flush
      io_uring: fix uring_flush in exit_files() warning
      io_uring: fix cancellation taking mutex while TASK_UNINTERRUPTIBLE
      io_uring: fix list corruption for splice file_get
      io_uring: fix sqo ownership false positive warning
      io_uring: fix inconsistent lock state
      io_uring: unpark SQPOLL thread for cancelation
      io_uring: clear request count when freeing caches
      io_uring: fix __tctx_task_work() ctx race
      io_uring: do ctx sqd ejection in a clear context
      io_uring: handle setup-failed ctx in kill_timeouts
      io_uring: fix unchecked error in switch_start()
      io_uring: fix link timeout refs
      io_uring: fix ltout double free on completion race
      io_uring: don't modify req->poll for rw
      io_uring: fix false WARN_ONCE
      io_uring: fix io_drain_req()
      io_uring: remove double poll entry on arm failure
      io_uring: fix io_try_cancel_userdata race for iowq
      io_uring: fix queueing half-created requests
      io_uring: reexpand under-reexpanded iters
      io-wq: remove worker to owner tw dependency
      io_uring: fail cancellation for EXITING tasks
      io_uring: fix link traversal locking
      io_uring: fix UAF due to missing POLLFREE handling
      io_uring: don't miss setting REQ_F_DOUBLE_POLL
      io_uring/net: fix UAF in io_sendrecv_fail()
      io_uring/net: fix cleanup double free free_iov init
      io_uring: fix fdinfo sqe offsets calculation
      io_uring: lock overflowing for IOPOLL

Pavel Skripkin (69):
      net/qrtr: fix __netdev_alloc_skb call
      ALSA: usb-audio: fix NULL ptr dereference in usb_audio_probe
      USB: serial: io_edgeport: fix memory leak in edge_startup
      media: drivers/media/usb: fix memory leak in zr364xx_probe
      tty: fix memory leak in vc_deallocate
      drivers: net: fix memory leak in atusb_probe
      drivers: net: fix memory leak in peak_usb_create_dev
      net: mac802154: Fix general protection fault
      media: dvb-usb: fix memory leak in dvb_usb_adapter_init
      reiserfs: add check for invalid 1st journal block
      media: cpia2: fix memory leak in cpia2_usb_probe
      media: dvb-usb: fix wrong definition
      net: usb: fix memory leak in smsc75xx_bind
      media: zr364xx: fix memory leak in zr364xx_start_readpipe
      net: kcm: fix memory leak in kcm_sendmsg
      net: caif: fix memory leak in caif_device_notify
      revert "net: kcm: fix memory leak in kcm_sendmsg"
      net: rds: fix memory leak in rds_recvmsg
      net: caif: fix memory leak in ldisc_open
      net: qrtr: fix OOB Read in qrtr_endpoint_post
      can: mcba_usb: fix memory leak in mcba_usb
      ext4: fix memory leak in ext4_fill_super
      jfs: fix GPF in diFree
      net: sched: fix warning in tcindex_alloc_perfect_hash
      net: xfrm: fix memory leak in xfrm_user_rcv_msg
      net: sched: fix memory leak in tcindex_partial_destroy_work
      net: qrtr: fix memory leaks
      net: llc: fix skb_over_panic
      staging: rtl8712: error handling refactoring
      net: cipso: fix warnings in netlbl_cipsov4_add_std
      net: xfrm: fix shift-out-of-bounce
      net: pegasus: fix uninit-value in get_interrupt_interval
      netfilter: nft_ct: protect nft_ct_pcpu_template_refcnt with mutex
      udmabuf: fix general protection fault in udmabuf_create
      net: 6pack: fix slab-out-of-bounds in decode_data
      block: nbd: add sanity check for first_minor
      net: asix: fix uninit value bugs
      Bluetooth: add timeout sanity check to hci_inquiry
      profiling: fix shift-out-of-bounds bugs
      net: xfrm: fix shift-out-of-bounds in xfrm_get_default
      Bluetooth: hci_uart: fix GPF in h5_recv
      media: em28xx: add missing em28xx_close_extension
      media: dvb-usb: fix ununit-value in az6027_rc_query
      media: mxl111sf: change mutex_init() location
      Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
      phy: mdio: fix memory leak
      staging: rtl8712: fix use-after-free in rtl8712_dl_fw
      ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume
      net: batman-adv: fix error handling
      Bluetooth: stop proccessing malicious adv data
      RDMA: Fix use-after-free in rxe_queue_cleanup
      asix: fix uninit-value in asix_mdio_read()
      Input: appletouch - initialize work before device registration
      i2c: validate user data in compat ioctl
      mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh
      net: mcs7830: handle usb read errors properly
      udmabuf: validate ubuf->pagecount
      ath9k_htc: fix uninit value bugs
      net: asix: add proper error handling of usb read errors
      HID: hid-thrustmaster: fix OOB read in thrustmaster_interrupts
      NFC: port100: fix use-after-free in port100_send_complete
      Input: aiptek - properly check endpoint type
      Bluetooth: hci_uart: add missing NULL check in h5_enqueue
      jfs: fix divide error in dbNextAG
      can: mcba_usb: properly check endpoint type
      video: fbdev: udlfb: properly check endpoint type
      media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init
      ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
      fs/ntfs3: Fix NULL deref in ntfs_update_mftmirr

Tetsuo Handa (115):
      mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed.
      block/loop: fix deadlock after loop_set_status
      commoncap: Handle memory allocation failure.
      mm,vmscan: Allow preallocating memory for register_shrinker().
      tty: Avoid possible error pointer dereference at tty_ldisc_restore().
      tty: Don't call panic() at tty_ldisc_init()
      tty: Use __GFP_NOFAIL for tty_ldisc_get()
      bdi: wake up concurrent wb_shutdown() callers.
      bdi: Fix use after free bug in debugfs_remove()
      loop: remember whether sysfs_create_group() was done
      x86/kexec: Avoid double free_page() upon do_kexec_load() failure
      driver core: Don't ignore class_dir_create_and_add() failure.
      hfsplus: stop workqueue when fill_super() failed
      PM / hibernate: Fix oops at snapshot_write()
      fuse: don't keep dead fuse_conn at fuse_fill_super().
      n_tty: Fix stall at n_tty_receive_char_special().
      n_tty: Access echo_* variables carefully.
      net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.
      hfsplus: don't return 0 when fill_super() failed
      selinux: Add __GFP_NOWARN to allocation at str_read()
      bfs: add sanity check at bfs_fill_super()
      block/loop: Use global lock for ioctl() operation.
      loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl()
      gpu/drm: Fix lock held when returning to user space.
      drm/vkms: Fix flush_work() without INIT_WORK().
      block: pass no-op callback to INIT_WORK().
      staging: android: ashmem: Don't call fallocate() with ashmem_mutex held.
      fs/open.c: allow opening only regular files during execve()
      kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice.
      NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
      net/rds: Check address length before reading address family
      tomoyo: Add a kernel config option for fuzzing testing.
      staging: android: ion: Bail out upon SIGKILL when allocating memory.
      nfsd: fix dentry leak upon mkdir failure.
      /dev/mem: Bail out upon SIGKILL.
      kexec: bail out upon SIGKILL when allocating memory.
      tomoyo: Don't use nifty names on sockets.
      tomoyo: Use atomic_t for statistics counter
      pipe: Fix pipe_full() test in opipe_prep().
      vt: Reject zero-sized screen buffer size.
      binder: Don't use mmput() from shrinker function.
      driver core: Fix probe_count imbalance in really_probe()
      fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
      fbmem: pull fbcon_update_vcs() out of fb_set_var()
      vt: defer kfree() of vc_screenbuf in vc_do_resize()
      mwifiex: don't call del_timer_sync() on uninitialized timer
      tipc: fix shutdown() of connectionless socket
      video: fbdev: fix OOB read in vga_8planes_imageblit()
      fbcon: Fix user font detection test at fbcon_resize().
      vt_ioctl: make VT_RESIZEX behave like VT_RESIZE
      USB: cdc-wdm: Fix use after free in service_outstanding_interrupt().
      tomoyo: ignore data race while checking quota
      pstore: Fix warning in pstore_kill_sb()
      Bluetooth: initialize skb_queue_head at l2cap_chan_create()
      reiserfs: update reiserfs_xattrs_initialized() condition
      batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field
      ttyprintk: Add TTY hangup callback.
      smackfs: restrict bytes count in smk_set_cipso()
      tty: vt: always invoke vc->vc_sw->con_resize callback
      can: bcm/raw/isotp: use per module netdevice notifier
      Bluetooth: defer cleanup of resources in hci_unregister_dev()
      Bluetooth: defer cleanup of resources in hci_unregister_dev()
      loop: reduce the loop_ctl_mutex scope
      fbmem: don't allow too huge resolutions
      block: genhd: fix double kfree() in __alloc_disk_node()
      smackfs: use __GFP_NOFAIL for smk_cipso_doi()
      smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
      loop: don't hold lo_mutex during __loop_clr_fd()
      loop: make autoclear operation asynchronous
      tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous
      ath9k_htc: fix NULL pointer dereference at ath9k_htc_rxep()
      ath9k_htc: fix NULL pointer dereference at ath9k_htc_tx_get_packet()
      loop: revert "make autoclear operation asynchronous"
      net: rds: acquire refcount on TCP sockets
      media: imon: reorganize serialization
      wifi: mac80211: do not abuse fq.lock in ieee80211_do_stop()
      tty: vt: initialize unicode screen buffer
      PM: hibernate: defer device probing when resuming from hibernation
      wifi: mac80211: do not abuse fq.lock in ieee80211_do_stop()
      mm: shrinkers: fix double kfree on shrinker name
      mm: memcontrol: fix potential oom_lock recursion deadlock
      mtd: core: check partition before dereference
      Bluetooth: don't try to cancel uninitialized works at mgmt_index_removed()
      cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()
      Bluetooth: hci_sync: fix double mgmt_pending_free() in remove_adv_monitor()
      Bluetooth: hci_sync: fix double mgmt_pending_free() in remove_adv_monitor()
      Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag
      wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
      tty: n_gsm: initialize more members at gsm_alloc_mux()
      bpf: add missing percpu_counter_destroy() in htab_map_alloc()
      Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()
      Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
      Bluetooth: use hdev->workqueue when queuing hdev->{cmd,ncmd}_timer works
      Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure
      open: always initialize ownership fields
      netfilter: nf_tables: fix nft_counters_enabled underflow at nf_tables_addchain()
      btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer
      net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
      net/ieee802154: reject zero-sized raw_sendmsg()
      net/ieee802154: don't warn zero-sized raw_sendmsg()
      9p/trans_fd: always use O_NONBLOCK read/write
      NFSD: unregister shrinker when nfsd_init_net() fails
      Revert "cpumask: fix checking valid cpu range".
      Input: iforce - invert valid length check when fetching device IDs
      f2fs: initialize locks earlier in f2fs_fill_super()
      fs/ntfs3: Use __GFP_NOWARN allocation at wnd_init()
      fs/ntfs3: Use __GFP_NOWARN allocation at ntfs_fill_super()
      fbdev: fbcon: release buffer when fbcon_do_set_font() failed
      fs/ntfs3: don't hold ni_lock when calling truncate_setsize()
      RDMA/siw: Remove namespace check from siw_netdev_event()
      nilfs2: initialize "struct nilfs_binfo_dat"->bi_pad field
      fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
      cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex
      mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
      debugobjects: Don't wake up kswapd from fill_pool()