Skip to content

Instantly share code, notes, and snippets.

@invisiblek

invisiblek/-

Created February 9, 2017 04:51
Show Gist options
  • Save invisiblek/aba9a3664921619894caaa39c210582f to your computer and use it in GitHub Desktop.
Save invisiblek/aba9a3664921619894caaa39c210582f to your computer and use it in GitHub Desktop.
Download ZIP
Raw
-
commit 367e64520dba1652d8f6d0ac1ebda3cab0f9e374 (tag: android-7.1.1_r0.30, aosp/android-msm-marlin-3.18-nougat-mr1.3)
Author: Andrew Chant <[email protected]>
Date: Tue Dec 6 17:03:07 2016 -0800
input: synaptics_dsx: remove update sysfs entries
Remove sysfs entrypoints to fw_update module.
Also fixes request_firmware firmware update path.
BUG: 32769717
Change-Id: Iab7ff456288a18be71636b84c8e3008390c0d872
Signed-off-by: Andrew Chant <[email protected]>
.../touchscreen/synaptics_dsx_htc_2.6/Kconfig | 10 ++++
.../synaptics_dsx_fw_update.c | 53 ++++++++++++++++++++--
2 files changed, 60 insertions(+), 3 deletions(-)
commit 1d6d364ee174676a225a77dc7ca8dac887199718
Author: Adrian Salido <[email protected]>
Date: Thu Dec 1 18:07:42 2016 -0800
fs/proc/array.c: make safe access to group_leader
As mentioned in commit 52ee2dfdd4f51cf422ea6a96a0846dc94244aa37
("pids: refactor vnr/nr_ns helpers to make them safe"). *_nr_ns
helpers used to be buggy. The commit addresses most of the helpers but
is missing task_tgid_xxx()
Without this protection there is a possible use after free reported by
kasan instrumented kernel:
==================================================================
BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
Read of size 8 by task cat/2472
CPU: 1 PID: 2472 Comm: cat Tainted: ****
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c
[<ffffffc00020aec0>] show_stack+0x18/0x24
[<ffffffc0011573d0>] dump_stack+0x94/0x100
[<ffffffc0003c7dc0>] kasan_report+0x308/0x554
[<ffffffc0003c7518>] __asan_load8+0x20/0x7c
[<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44
[<ffffffc00046951c>] proc_pid_status+0x444/0x1080
[<ffffffc000460f60>] proc_single_show+0x8c/0xdc
[<ffffffc0004081b0>] seq_read+0x2e8/0x6f0
[<ffffffc0003d1420>] vfs_read+0xd8/0x1e0
[<ffffffc0003d1b98>] SyS_read+0x68/0xd4
Accessing group_leader while holding rcu_lock and using the now safe
helpers introduced in the commit mentioned, this race condition is
addressed.
Signed-off-by: Adrian Salido <[email protected]>
Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b
Bug: 31495866
fs/proc/array.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
commit 773179468893965c2b81aa7ffe3722b6868ef749
Author: Andrew Chant <[email protected]>
Date: Fri Dec 2 21:56:40 2016 -0800
input: touchscreen: disable generic update i/f
Disable the generic touchscreen firmware update hook.
The generic touchscreen firmware update driver has
security flaws and is not necessary for Marlin touchscreen
firmware updates.
synaptics_dsx_htc_2.6 still attempts firmware updates
via request_firmware on boot with this disabled.
BUG: 32917445
BUG: 32919560
BUG: 32769717
Change-Id: I272a1d1aba16b53647f2dde9dc7ff8b306179b43
Signed-off-by: Andrew Chant <[email protected]>
drivers/input/touchscreen/Kconfig | 1 -
1 file changed, 1 deletion(-)
commit 123b90a61aa365d59a3621bcb49601a70d90ca04
Author: Siena Richard <[email protected]>
Date: Tue Oct 4 12:24:28 2016 -0700
drivers: soc: add size checks and update log messages
Add size checks to validate minimum size is met. Update log messages
to include only relevant information to ensure logs are accurate and
useful.
Bug: 31796345
Change-Id: Idf76a7d964ec6989a0474d49895e54103f17938b
CRs-fixed: 1073129
Signed-off-by: Siena Richard <[email protected]>
drivers/soc/qcom/qdsp6v2/voice_svc.c | 41 ++++++++++++++++++++++++++----------
1 file changed, 30 insertions(+), 11 deletions(-)
commit 09b679d2ba35c87fcffe3d79cbea69e59102fe22
Author: Srinivas Girigowda <[email protected]>
Date: Tue Nov 22 14:15:37 2016 -0800
qcacld-2.0: wlan host driver upgrade to 4.4.25.027s_1
wlan host driver upgrade to 4.4.25.027s_1.
's' indicates security branch.
Change-Id: Iacc139ba3ce1ecb0fb8ef8b01424f5899889088e
Signed-off-by: Srinivas Girigowda <[email protected]>
drivers/staging/qcacld-2.0/CORE/MAC/inc/qwlan_version.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
commit 3f9a4ada777f9989acc1cf066dc810a9af3d888f
Author: Zhen Kong <[email protected]>
Date: Fri Nov 4 17:35:19 2016 -0700
qseecom: remove entry from qseecom_registered_app_list
In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl
freed the entry for new TA, but didn't removed it from
qseecom_registered_app_list. Make change to remove it.
Bug: 31804432
Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d
Signed-off-by: Zhen Kong <[email protected]>
drivers/misc/qseecom.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
commit 57ac3404a192eb697d7d7422cbb093837afbf2b2
Author: Srinivas Girigowda <[email protected]>
Date: Wed Nov 30 17:16:31 2016 -0800
qcacld-2.0: Avoid overflow of "set_bssid_hotlist" params
The wlan driver supports the following vendor command:
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST
This command supplies a "number of APs" attribute as well as a list of
per-AP attributes. However there is no validation that the number of
APs provided won't overflow the destination buffer. In addition there
is no validation that the number of APs actually provided matches the
number of APs expected.
To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum
allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the
expected number of APs
* Only process the actual number of supplied APs if it is less than
the expected number of APs.
Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5
CRs-Fixed: 1095770
Bug: 33252788
Signed-off-by: Srinivas Girigowda <[email protected]>
.../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++
drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 4 ++--
2 files changed, 18 insertions(+), 2 deletions(-)
commit f6080d05ac3b5cd554bd4a16b6b75da5c80c8665
Author: Srinivas Girigowda <[email protected]>
Date: Wed Nov 30 17:14:55 2016 -0800
qcacld-2.0: Avoid overflow of "significant change" params
The wlan driver supports the following vendor command:
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE
This command supplies a "number of APs" attribute as well as a list of
per-AP attributes. However there is no validation that the number of
APs provided won't overflow the destination buffer. In addition there
is no validation that the number of APs actually provided matches the
number of APs expected.
To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum
allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the
expected number of APs
* Only process the actual number of supplied APs if it is less than
the expected number of APs.
Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77
CRs-Fixed: 1095009
Bug: 32872662
Signed-off-by: Srinivas Girigowda <[email protected]>
.../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++
drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 6 +++---
2 files changed, 19 insertions(+), 3 deletions(-)
commit 4d955f6ccb4a0a7375f5cc71c6777ad6c58ce842
Author: Srinivas Girigowda <[email protected]>
Date: Mon Nov 28 21:39:40 2016 -0800
qcacld-2.0: Avoid overflow of roam subcmd params
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
Bug: 32402310 32402604 32871330
Signed-off-by: Srinivas Girigowda <[email protected]>
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++---
1 file changed, 37 insertions(+), 6 deletions(-)
commit a711b717cb18a45c1c6ba34ed459fa5abb1b30ff
Author: Srinivas Girigowda <[email protected]>
Date: Fri Nov 18 12:27:01 2016 -0800
qcacld-2.0: Avoid overflow of passpoint network list
Currently when processing a passpoint vendor command the "num
networks" attribute is limit checked and if it exceeds a MAX value
then the command is rejected. Otherwise this value is used to
calculate the size of the buffer allocated to hold the internal
representation of the request. However later when the network
attributes are parsed there is no check to make sure the number of
networks processed does not exceed the "num networks" used to allocate
memory, and as a result a buffer overflow can occur. Address this
issue by aborting the network parsing once "num networks" records have
been parsed.
Change-Id: I38d9f19b08b42fa9a850eb70a42920fbc3b99cf6
CRs-Fixed: 1092059
Bug: 32450647
Signed-off-by: Srinivas Girigowda <[email protected]>
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++
1 file changed, 9 insertions(+)
commit 6b526d4b9782cfaac960ae9edbd4cd7241b7457c
Author: Srinivas Girigowda <[email protected]>
Date: Fri Nov 18 12:26:37 2016 -0800
qcacld-2.0: Validate "set passpoint list" network count
Currently when processing the "set passpoint list" vendor command the
"number of networks" parameter is not limit checked. This value is
subsequently used to calculate the size of a buffer. Add a limit check
to ensure that an appropriately sized buffer is always allocated.
Change-Id: Ibc2346b8a62898fc47e2d1efe457c57c08b0cada
CRs-Fixed: 1091940
Bug: 32879283
Signed-off-by: Srinivas Girigowda <[email protected]>
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 7 ++++++-
drivers/staging/qcacld-2.0/CORE/MAC/inc/sirApi.h | 1 +
2 files changed, 7 insertions(+), 1 deletion(-)
commit dd5e9a0d2bd9e41a681d678be3e757ae976e7ded
Author: Srinivas Girigowda <[email protected]>
Date: Wed Nov 16 12:37:21 2016 -0800
qcacld-2.0: Avoid overflow of EXTSCAN bucket list
Currently when processing an EXTSCAN vendor command the "num buckets"
attribute is limit checked and if it exceeds a MAX value then a
warning message is issued. But beyond that the "num buckets" attribute
is not used. Instead when the buckets are actually parsed the number
of buckets is calculated dynamically based upon the number of
attributes present in the request. Unfortunately when the bucket
attributes are parsed there is no check to make sure the number of
buckets processed does not exceed the MAX value, and as a result a
buffer overflow can occur. Address this issue by aborting the bucket
parsing once the expected number of records have been parsed.
Change-Id: Ic260dd65dc99118afbb8042d102acb5b26d1e123
CRs-Fixed: 1087797
Bug: 32451104
Signed-off-by: Srinivas Girigowda <[email protected]>
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
commit aa6bff491238ef3e0c6795b39dde4fcd1d01c5c7
Author: Srinivas Girigowda <[email protected]>
Date: Wed Nov 16 12:36:53 2016 -0800
qcacld-2.0: Avoid overflow of EPNO network list
Currently when processing an EPNO vendor command the "num networks"
attribute is limit checked and if it exceeds a MAX value then it is
reset to that MAX value. This value is then used to calculate the size
of the buffer allocated to hold the internal representation of the
request. However later when the network attributes are parsed there is
no check to make sure the number of networks processed does not exceed
the (possibly modified) "num networks" used to allocate memory, and as
a result a buffer overflow can occur. Address this issue by aborting
the network parsing once "num networks" records have been parsed.
Change-Id: I6e5f321d23471d082bb000ad0422ea9baa76577a
CRs-Fixed: 1087807
Bug: 32451171
Signed-off-by: Srinivas Girigowda <[email protected]>
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++
1 file changed, 9 insertions(+)
commit 4a52fddc89163fbc7c6f2a42234c899816808e37
Author: Srinivas Girigowda <[email protected]>
Date: Wed Nov 16 12:36:16 2016 -0800
qcacld-2.0: Properly parse PNO vendor command
Currently there is a single wlan_hdd_extscan_config_policy which
contains entries for both EXTSCAN and PNO attributes. However the
EXTSCAN and PNO attributes have separate and overlapping
assignments. Therefore one policy cannot be used by both types of
commands. In addition, when parsing nested PNO attributes the policy
is not used, and hence no checking is performed on the nested
data. This can result in a buffer overflow.
To address these issues introduce a new policy for PNO vendor
commands, and use that policy both when parsing the initial command
and when parsing the nested attributes. Furthermore add a zero length
SSID check to prevent underflow.
Change-Id: I92c8fc7ca1c44971502ea68b5486a2b3ae941cc5
CRs-Fixed: 1087209
Bug: 32454494
Signed-off-by: Srinivas Girigowda <[email protected]>
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 45 +++++++++++++++-------
1 file changed, 31 insertions(+), 14 deletions(-)
commit 1706cfc4daba827a882aed241031d2174f4bfd78
Author: Nick Desaulniers <[email protected]>
Date: Mon Dec 5 16:40:15 2016 -0800
Kconfig: msm: disable ultrasound driver
Bug: 31906415
Bug: 31906657
Bug: 32553868
Change-Id: Iab736a5d5622098c89c76dbe6b0b395652bbae57
Signed-off-by: Nick Desaulniers <[email protected]>
sound/soc/msm/Kconfig | 1 -
1 file changed, 1 deletion(-)
commit d740e7228bd1578ed01762998b2a86e7df56e608
Author: Andrew Chant <[email protected]>
Date: Fri Dec 2 20:49:26 2016 -0800
input: synaptics_dsx: reallocate buffer under lock.
Prevent concurrent usage & re-allocation of the wr_buf variable.
Based off patch by chengengjia <[email protected]>.
BUG: 33001936
Change-Id: I88d78e1ec0fc9e88b1e6824c06161b67d01136ec
Signed-off-by: Andrew Chant <[email protected]>
drivers/input/touchscreen/synaptics_dsx_htc_2.6/synaptics_dsx_i2c.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
commit 689ea150ab61cb193268d4b7f68de68acf207db4
Author: Jann Horn <[email protected]>
Date: Mon Nov 7 14:34:44 2016 -0800
BACKPORT: aio: mark AIO pseudo-fs noexec
This ensures that do_mmap() won't implicitly make AIO memory mappings
executable if the READ_IMPLIES_EXEC personality flag is set. Such
behavior is problematic because the security_mmap_file LSM hook doesn't
catch this case, potentially permitting an attacker to bypass a W^X
policy enforced by SELinux.
I have tested the patch on my machine.
To test the behavior, compile and run this:
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/personality.h>
#include <linux/aio_abi.h>
#include <err.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/syscall.h>
int main(void) {
personality(READ_IMPLIES_EXEC);
aio_context_t ctx = 0;
if (syscall(__NR_io_setup, 1, &ctx))
err(1, "io_setup");
char cmd[1000];
sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
(int)getpid());
system(cmd);
return 0;
}
In the output, "rw-s" is good, "rwxs" is bad.
Signed-off-by: Jann Horn <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
(cherry picked from commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a)
Bug: 31711619
Change-Id: Ib4ffd30b61f1d9ba629049f65a21afbf94e25cfd
fs/aio.c | 1 +
1 file changed, 1 insertion(+)
commit f630d79ddd3f3f60af2f6f849fe07fa29f738ad3
Author: Swetha Chikkaboraiah <[email protected]>
Date: Fri Dec 2 15:50:20 2016 -0800
qcom: scm: remove printing input arguments
scm_call2 is printing the input arguments if TZ ret value is < 0
leading to information leak. Remove printing input arguments.
Bug: 31704078
Change-Id: I21dd6d83fa979aed2c79ebb2c9c8de63a247dded
CRs-Fixed: 1076407
Signed-off-by: Swetha Chikkaboraiah <[email protected]>
drivers/soc/qcom/scm.c | 10 ++--------
1 file changed, 2 insertions(+), 8 deletions(-)
commit 226dafe7f6f62bcedd8b07ca9c21e654fb360dd5 (tag: android-7.1.1_r0.20, blek/cm-14.1, aosp/android-msm-marlin-3.18-nougat-mr1)
Merge: bd96fbf88cb5 6237296f142c
Author: Patrick Tjin <[email protected]>
Date: Wed Nov 16 23:04:45 2016 -0800
Merge branch 'android-msm-marlin-3.18-ndr-factoryrom' into android-msm-marlin-3.18-nyc-mr1
Security January 2017.1
Change-Id: I324316cdb5874580139d8ccac645bb4fba49842f
commit 6237296f142c5d17e80408707fb2ae0cedd5a280
Merge: c431eca5972e 0d37d64f02e1
Author: Patrick Tjin <[email protected]>
Date: Wed Nov 16 22:56:19 2016 -0800
Merge branch 'android-msm-marlin-3.18-ndr-factoryrom-security-next' into android-msm-marlin-3.18-ndr-factoryrom
Security January 2017.1
Change-Id: I9cb82b8e327421087933b1bdcd8a0395f19fb90f
commit 0d37d64f02e18a301867ae7684c3801bd99c5df2
Author: Martijn Coenen <[email protected]>
Date: Tue Nov 8 20:12:16 2016 +0100
Android: binder: check set_context_mgr permission on time.
Bug: 32394425
Change-Id: I860c6aab97850bff05a56e96cd3f4b41691bfd96
Signed-off-by: Martijn Coenen <[email protected]>
drivers/staging/android/binder.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
commit c803e696475443b54006d1268fc1b98ceedbdacf
Author: Steven Rostedt (Red Hat) <[email protected]>
Date: Fri May 13 09:34:12 2016 -0400
UPSTREAM: ring-buffer: Prevent overflow of size in ring_buffer_resize()
(Cherry picked from commit 59643d1535eb220668692a5359de22545af579f6)
If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.
Here's the details:
# echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb
tracing_entries_write() processes this and converts kb to bytes.
18014398509481980 << 10 = 18446744073709547520
and this is passed to ring_buffer_resize() as unsigned long size.
size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
Where DIV_ROUND_UP(a, b) is (a + b - 1)/b
BUF_PAGE_SIZE is 4080 and here
18446744073709547520 + 4080 - 1 = 18446744073709551599
where 18446744073709551599 is still smaller than 2^64
2^64 - 18446744073709551599 = 17
But now 18446744073709551599 / 4080 = 4521260802379792
and size = size * 4080 = 18446744073709551360
This is checked to make sure its still greater than 2 * 4080,
which it is.
Then we convert to the number of buffer pages needed.
nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)
but this time size is 18446744073709551360 and
2^64 - (18446744073709551360 + 4080 - 1) = -3823
Thus it overflows and the resulting number is less than 4080, which makes
3823 / 4080 = 0
an nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.
There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.
Cc: [email protected] # 3.5+
Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <[email protected]>
Signed-off-by: Willy Tarreau <[email protected]>
Change-Id: I1147672317a3ad0fc995b1f32baaa050a7976ac4
Bug: 32659848
kernel/trace/ring_buffer.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
commit 2c5c1fd0d2a2a96fab750fa332cb703022c16c04
Author: John Dias <[email protected]>
Date: Wed Nov 9 11:03:57 2016 -0800
perf: don't leave group_entry on sibling list (use-after-free)
When perf_group_detach is called on a group leader,
it should empty its sibling list. Otherwise, when
a sibling is later deallocated, list_del_event()
removes the sibling's group_entry from its current
list, which can be the now-deallocated group leader's
sibling list (use-after-free bug).
Bug: 32402548
Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <[email protected]>
kernel/events/core.c | 7 +++++++
1 file changed, 7 insertions(+)
commit 1083ab0d8ffab2207535e20a0e645a332ae67766
Author: Ecco Park <[email protected]>
Date: Fri Nov 4 10:42:48 2016 -0700
qcacld-2.0: Add check to Validate SSID length
prima to qcacld-2.0 propagation.
Validate ssid length before accessing the ssid
if the length exceeds max ssid length then return.
CRs-Fixed: 1059205
Bug: 32506333
Change-Id: I5b536863fbff34f3908cd5f462fbd7d9d2d78437
Signed-off-by: Ecco Park <[email protected]>
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
commit 5f152221d508c641d1417f8569a4ade685f8a6e1
Author: Ecco Park <[email protected]>
Date: Wed Nov 2 10:12:02 2016 -0700
qcacld-2.0: Use heap memory for station_info instead of stack
From kernel 3.19-rc4, size of struct station_info is around 600 bytes,
so stack frame size of such routine use this struct will easily
exceed 1024 bytes, the default value of stack frame size.
So use heap memory for this struct instead.
CRs-Fixed: 1050323
Bug: 32506396
Change-Id: I12bb51839a7cf448e74dc5a6344f2809b808601c
Signed-off-by: Ecco Park <[email protected]>
.../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c | 17 ++++++++++++-----
.../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 18 ++++++++++++------
2 files changed, 24 insertions(+), 11 deletions(-)
commit 4dfe6e71e75c2c317930a8dc28b5973d8e79b867
Author: Srinivas Girigowda <[email protected]>
Date: Fri Oct 21 14:17:14 2016 -0700
qcacld-2.0: Fix hdd_ocb_config_new() signature
hdd_ocb_config_new() takes four "length" parameters, currently defined
to be of type 'int'. Since these are summed to calculate the size of a
dynamic memory allocation they must be non-negative so change them to
'uint32_t'.
Change-Id: Ie66bbb7c69aba92d9d846cb90628110b3bea8f74
CRs-Fixed: 1079596
Bug: 31750554
Signed-off-by: Srinivas Girigowda <[email protected]>
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_ocb.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
commit bc461d914a255c09b22532b09b0c56a0e0c34f47
Author: Kirill A. Shutemov <[email protected]>
Date: Mon Jul 6 23:18:37 2015 +0300
BACKPORT: mm: avoid setting up anonymous pages into file mapping
(cherry picked from commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d)
Reading page fault handler code I've noticed that under right
circumstances kernel would map anonymous pages into file mappings: if
the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
on ->mmap(), kernel would handle page fault to not populated pte with
do_anonymous_page().
Let's change page fault handler to use do_anonymous_page() only on
anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
shared.
For file mappings without vm_ops->fault() or shred VMA without vm_ops,
page fault on pte_none() entry would lead to SIGBUS.
Signed-off-by: Kirill A. Shutemov <[email protected]>
Acked-by: Oleg Nesterov <[email protected]>
Cc: Andrew Morton <[email protected]>
Cc: Willy Tarreau <[email protected]>
Cc: [email protected]
Signed-off-by: Linus Torvalds <[email protected]>
Change-Id: I451f90075ddf0c3592543e4fe30eed4c38348d49
Bug: 32460277
mm/memory.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
commit 11ab3add6cfb1ef752ac38adf1b4bf15617772e9
Author: Andrew Chant <[email protected]>
Date: Tue Nov 8 15:19:32 2016 -0800
input: synaptics_dsx: add update bounds checks.
Firmware updates contain offsets that are parsed
by the kernel driver. Ensure all offsets are within
the bounds of the firmware update.
TESTED: Forced a firmware update by removing
same-firmware check. Firmware update succeeded.
Bug: 31525965
Bug: 31968442
Change-Id: I287f494d973868f6be28799bc2613ff2201b0717
Signed-off-by: Andrew Chant <[email protected]>
.../synaptics_dsx_fw_update.c | 183 +++++++++++++++++----
1 file changed, 154 insertions(+), 29 deletions(-)
commit 4faa6d2e9b53546823882d8889820ff9ce3c372f
Author: Siqi Lin <[email protected]>
Date: Wed Nov 2 16:51:08 2016 -0700
ALSA: info: Check for integer overflow in snd_info_entry_write()
snd_info_entry_write() resizes the buffer with an unsigned long
size argument that gets truncated because resize_info_buffer()
takes the size parameter as an unsigned int. On 64-bit kernels,
this causes the following copy_to_user() to write out-of-bounds
if (pos + count) can't be represented by an unsigned int.
Bug: 32510733
Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23
Signed-off-by: Siqi Lin <[email protected]>
sound/core/info.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
commit d906945fc287f9df48b99349fea962b921d4d39e
Author: matt_huang <[email protected]>
Date: Mon Nov 7 16:22:57 2016 +0800
input: misc: fix security vulnerability
initialize the structure before using
Bug: 32591129
Change-Id: I9a3af40175d929009522f6c93005d82535c4ccc3
Signed-off-by: matt_huang <[email protected]>
drivers/input/misc/vl53L0/stmvl53l0_module.c | 2 ++
1 file changed, 2 insertions(+)
commit e6f77dc0b17942b56bc0e083652a1b6df01df8c3
Author: Biswajit Paul <[email protected]>
Date: Mon Oct 3 04:01:32 2016 -0700
msm: sensor: Adding mutex for actuator power down operations
Protecting operations performed during actuator powerdown
from race condition by adding mutex.
Bug: 31225246
CRs-Fixed: 1071891
Change-Id: I7d6b2e8878788615c02678a4a28d31dca0ed6bca
Signed-off-by: Sureshnaidu Laveti <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
Signed-off-by: Yueyao Zhu <[email protected]>
drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 2 ++
1 file changed, 2 insertions(+)
commit e9fde8664651a566df43c7439e27d59cc5d60460
Author: Daniel Rosenberg <[email protected]>
Date: Wed Nov 2 17:43:51 2016 -0700
ion: Fix use after free during ION_IOC_ALLOC
If a user happens to call ION_IOC_FREE during an
ION_IOC_ALLOC on the just allocated id, and the
copy_to_user fails, the cleanup code will attempt
to free an already freed handle.
This adds a wrapper for ion_alloc that adds an
ion_handle_get to avoid this.
Bug: 31568617
Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed
Signed-off-by: Daniel Rosenberg <[email protected]>
drivers/staging/android/ion/ion.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
commit c431eca5972e7275e0116d883b1300ac894768cc
Merge: bbaed100bd63 ca44f392ff03
Author: Patrick Tjin <[email protected]>
Date: Fri Oct 21 19:47:49 2016 -0700
Merge branch 'android-msm-marlin-3.18-ndr-factoryrom-security-next' into android-msm-marlin-3.18-ndr-factoryrom
December 2016.1
commit bbaed100bd63575095c62586da9869f009a402d0
Author: Patrick Tjin <[email protected]>
Date: Fri Oct 21 09:24:49 2016 -0700
Revert "Revert "Revert "Revert "msm: kgsl: Clear the interrupt immediately""""
This reverts commit d90afe404775f3f98cd00c3784d18406a44ce004.
Change-Id: If7d35969258530727fbe9da59fa2b9c37e1ddb3b
drivers/gpu/msm/adreno.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
commit d90afe404775f3f98cd00c3784d18406a44ce004
Author: Patrick Tjin <[email protected]>
Date: Fri Oct 21 09:23:42 2016 -0700
Revert "Revert "Revert "msm: kgsl: Clear the interrupt immediately"""
This reverts commit a0ce33daf6946ce83de783e09066d0d5a879dabd.
Change-Id: I06f0d8cd4bffc3ff506bf63b3d5222fcc8298e2f
drivers/gpu/msm/adreno.c | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)
commit d26bf5f68d503b27eadb5f137a2837eefe175c0c
Author: Linus Torvalds <[email protected]>
Date: Thu Oct 13 13:07:36 2016 -0700
CHROMIUM: UPSTREAM: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better). The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9. Earlier kernels will
have to look at the page state itself.
Also, the VM has become more scalable, and what used a purely
theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.
BUG=chromium:657609
TEST=None
Change-Id: I42e448ecacad4781b460c4c989026307169ba1b5
Reported-and-tested-by: Phil "not Paul" Oester <[email protected]>
Acked-by: Hugh Dickins <[email protected]>
Reviewed-by: Michal Hocko <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: Oleg Nesterov <[email protected]>
Cc: Willy Tarreau <[email protected]>
Cc: Nick Piggin <[email protected]>
Cc: Greg Thelen <[email protected]>
Cc: [email protected]
Signed-off-by: Linus Torvalds <[email protected]>
(cherry picked from commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619)
Signed-off-by: Andrey Ulanov <[email protected]>
Reviewed-on: https://chromium-review.googlesource.com/401142
Reviewed-by: Guenter Roeck <[email protected]>
Bug: 32141528
include/linux/mm.h | 1 +
mm/gup.c | 14 ++++++++++++--
2 files changed, 13 insertions(+), 2 deletions(-)
commit ca44f392ff035b298e0ffe6f7edd0a408e07a67b
Author: Qidan He <[email protected]>
Date: Thu Oct 13 16:27:46 2016 -0700
net: ping: Fix stack buffer overflow in ping_common_sendmsg()
In ping_common_sendmsg(), when len < icmph_len, memcpy_fromiovec()
will access invalid memory because msg->msg_iov only has 1 element
and memcpy_fromiovec() attempts to increment it. KASAN report:
BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
Read of size 8 by task trinity-c2/9623
page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
[< inline >] print_address_description mm/kasan/report.c:147
[< inline >] kasan_report_error mm/kasan/report.c:236
[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
[< inline >] check_memory_region mm/kasan/kasan.c:264
[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
[< inline >] __sock_sendmsg_nosec net/socket.c:624
[< inline >] __sock_sendmsg net/socket.c:632
[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
[< inline >] SYSC_sendto net/socket.c:1797
[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
Memory state around the buggy address:
ffffffc071077c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
ffffffc071077d00: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
>ffffffc071077d80: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
^
ffffffc071077e00: 00 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
ffffffc071077e80: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
Bug: 31349935
Change-Id: Ib7385fc26dfe7e07e9bab42a10ff65a37cbaab54
Signed-off-by: Siqi Lin <[email protected]>
net/ipv4/ping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
commit ca9844bf044701e439395b45e462a12b16992486
Author: Pat Tjin <[email protected]>
Date: Tue Oct 18 07:39:34 2016 +0000
Revert "net: ping: Fix stack buffer overflow in ping_common_sendmsg()"
This reverts commit 5442a0c99c8a33d22363f40543cbca68b4c8e113.
Change-Id: I6b1105014803f1e625ad1b0b22139e6f22ec231e
Bug: 31349935
net/ipv4/ping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
commit 7e7cd02bc4cdb783bf4d9ca2d2fb33b0f72ee876
Author: Nick Desaulniers <[email protected]>
Date: Fri Oct 7 10:56:13 2016 -0700
binder: blacklist %p kptr_restrict
Bug: 31495231
Change-Id: Iebc150f6bc939b56e021424ee44fb30ce8d732fd
drivers/staging/android/binder.c | 36 ++++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
commit 629ed5b4a0e4a2b26e4f5affe2685b3ce71b65f7
Author: Nick Desaulniers <[email protected]>
Date: Fri Oct 7 11:51:15 2016 -0700
ion: blacklist %p kptr_restrict
Bug: 31494725
Change-Id: I10a0c2aae883dfaa6c235c38689a704064557008
drivers/staging/android/ion/ion.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
commit 1e91b0c12f1077e0df78a1c87014ef41aa398be1
Author: Nick Desaulniers <[email protected]>
Date: Fri Oct 7 13:54:56 2016 -0700
msm: mdss: blacklist %p kptr_restrict
Bug: 30148242
Change-Id: I7dde70a8998719daf4c3dd4495951995138fa6ec
drivers/video/msm/mdss/mdp3.c | 16 ++---
drivers/video/msm/mdss/mdp3_dma.c | 2 +-
drivers/video/msm/mdss/mdp3_ppp_hwio.c | 6 +-
drivers/video/msm/mdss/mdss_compat_utils.c | 18 ++---
drivers/video/msm/mdss/mdss_debug.c | 6 +-
drivers/video/msm/mdss/mdss_debug_xlog.c | 12 ++--
drivers/video/msm/mdss/mdss_dsi.c | 26 +++----
drivers/video/msm/mdss/mdss_dsi_clk.c | 6 +-
drivers/video/msm/mdss/mdss_dsi_host.c | 2 +-
drivers/video/msm/mdss/mdss_dsi_panel.c | 10 +--
drivers/video/msm/mdss/mdss_fb.c | 10 +--
drivers/video/msm/mdss/mdss_hdmi_tx.c | 6 +-
drivers/video/msm/mdss/mdss_mdp.c | 12 ++--
drivers/video/msm/mdss/mdss_mdp_debug.c | 2 +-
drivers/video/msm/mdss/mdss_mdp_intf_cmd.c | 6 +-
drivers/video/msm/mdss/mdss_mdp_intf_video.c | 10 +--
drivers/video/msm/mdss/mdss_mdp_layer.c | 4 +-
drivers/video/msm/mdss/mdss_mdp_overlay.c | 10 +--
drivers/video/msm/mdss/mdss_mdp_pipe.c | 2 +-
drivers/video/msm/mdss/mdss_mdp_pp.c | 72 ++++++++++----------
drivers/video/msm/mdss/mdss_mdp_pp_cache_config.c | 66 +++++++++---------
drivers/video/msm/mdss/mdss_mdp_pp_common.c | 4 +-
drivers/video/msm/mdss/mdss_mdp_pp_v1_7.c | 82 +++++++++++------------
drivers/video/msm/mdss/mdss_mdp_pp_v3.c | 34 +++++-----
drivers/video/msm/mdss/mdss_mdp_util.c | 6 +-
drivers/video/msm/mdss/mdss_util.c | 2 +-
drivers/video/msm/mdss/mhl3/mhl_linux_tx.c | 2 +-
drivers/video/msm/mdss/mhl3/mhl_supp.c | 12 ++--
drivers/video/msm/mdss/mhl3/platform.c | 6 +-
drivers/video/msm/mdss/mhl3/si_8620_drv.c | 4 +-
drivers/video/msm/mdss/mhl3/si_emsc_hid.c | 4 +-
drivers/video/msm/mdss/mhl3/si_mdt_inputdev.c | 24 +++----
drivers/video/msm/mdss/mhl3/si_mhl2_edid_3d.c | 26 +++----
33 files changed, 255 insertions(+), 255 deletions(-)
commit 45619caa55254946692bc80ccbd5a762e47b2762
Author: Haynes Mathew George <[email protected]>
Date: Wed Oct 5 14:59:39 2016 -0700
ASoC: msm: lock read/write when add/free audio ion memory
As read/write get access to ion memory region as well, it's
necessary to lock them when ion memory is about to be added/freed
to avoid racing cases.
Bug: 31252384
CRs-Fixed: 1071809
Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
Signed-off-by: Walter Yang <[email protected]>
Signed-off-by: Haynes Mathew George <[email protected]>
drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
commit f9b53dfaa68cfbd496e725b83c6de0f776f9368f
Author: John Dias <[email protected]>
Date: Mon Oct 10 14:32:55 2016 -0700
BACKPORT: perf: Fix event->ctx locking
There have been a few reported issues wrt. the lack of locking around
changing event->ctx. This patch tries to address those.
It avoids the whole rwsem thing; and while it appears to work, please
give it some thought in review.
What I did fail at is sensible runtime checks on the use of
event->ctx, the RCU use makes it very hard.
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Paul E. McKenney <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: Linus Torvalds <[email protected]>
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Ingo Molnar <[email protected]>
(cherry picked from commit f63a8daa5812afef4f06c962351687e1ff9ccb2b)
Bug: 30955111
Bug: 31095224
Change-Id: I5bab713034e960fad467637e98e914440de5666d
kernel/events/core.c | 244 +++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 207 insertions(+), 37 deletions(-)
commit a2b6ee9e28747233d363f59e7aa0b023b8b51be5
Author: John Dias <[email protected]>
Date: Mon Oct 10 14:44:30 2016 -0700
perf: protect group_leader from races that cause ctx double-free
When moving a group_leader perf event from a software-context
to a hardware-context, there's a race in checking and
updating that context. The existing locking solution
doesn't work; note that it tries to grab a lock inside
the group_leader's context object, which you can only
get at by going through a pointer that should be protected
from these races. To avoid that problem, and to produce
a simple solution, we can just use a lock per group_leader
to protect all checks on the group_leader's context.
The new lock is grabbed and released when no context locks
are held.
Bug: 30955111
Bug: 31095224
Change-Id: If37124c100ca6f4aa962559fba3bd5dbbec8e052
include/linux/perf_event.h | 6 ++++++
kernel/events/core.c | 15 +++++++++++++++
2 files changed, 21 insertions(+)
commit 8a950b2d64cec7b8022b7572c2d3d9221b2dbab2
Author: Min Chong <[email protected]>
Date: Thu Oct 13 09:53:23 2016 -0700
input: synaptics_dsx: add bounds checks for firmware id
A series of characters between '0' and '9' with a length more than
MAX_FIRMWARE_ID_LEN causes a heap buffer overflow. This is
mitigated by performing a bounds check.
Bug: 31911920
Signed-off-by: Mark Salyzyn <[email protected]>
Signed-off-by: Min Chong <[email protected]>
Change-Id: Iaefe92df2610153f2d3e2caa58322ae82cb5b7c2
.../synaptics_dsx_htc_2.6/synaptics_dsx_fw_update.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
commit f1ca98fe8121832658a0f58fbd73cdfd8e057a70
Author: Min Chong <[email protected]>
Date: Thu Oct 13 17:18:40 2016 -0700
netfilter: Change %p to %pK in debug messages
The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system settings.
Use %pK instead of %p, which also evaluates whether
kptr_restrict is set.
Bug: 31796940
Change-Id: Ia2946d6b493126d68281f97778faf578247f088e
Signed-off-by: Min Chong <[email protected]>
net/netfilter/nf_conntrack_core.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
commit a4c7c43865713e830eb0ca490d5f6e6a3887b11b
Author: Min Chong <[email protected]>
Date: Fri Oct 14 13:40:31 2016 -0700
usb: gadget: f_mbim: Change %p to %pK in debug messages
The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system settings.
Use %pK instead of %p, which also evaluates whether
kptr_restrict is set.
Bug: 31802656
Change-Id: I74e83192e0379586469edba3c7579a1cd75cf3c0
Signed-off-by: Min Chong <[email protected]>
drivers/usb/gadget/function/f_mbim.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
commit 51b5da896f29c4ae2deb47a4913dd4430f599999
Author: Steve Pfetsch <[email protected]>
Date: Fri Oct 14 15:36:59 2016 -0700
drivers: video: Add bounds checking in fb_cmap_to_user
Verify that unsigned int value will not become negative before cast to
signed int.
Bug: 31651010
Change-Id: I548a200f678762042617f11100b6966a405a3920
drivers/video/fbdev/core/fbcmap.c | 3 +++
1 file changed, 3 insertions(+)
commit b99cd46839a8c2bfffa09c5d8cb425d5a2cfc047
Author: Tejun Heo <[email protected]>
Date: Wed May 25 11:48:25 2016 -0400
UPSTREAM: percpu: fix synchronization between chunk->map_extend_work and chunk destruction
(cherry picked from commit 4f996e234dad488e5d9ba0858bc1bae12eff82c3)
Atomic allocations can trigger async map extensions which is serviced
by chunk->map_extend_work. pcpu_balance_work which is responsible for
destroying idle chunks wasn't synchronizing properly against
chunk->map_extend_work and may end up freeing the chunk while the work
item is still in flight.
This patch fixes the bug by rolling async map extension operations
into pcpu_balance_work.
Signed-off-by: Tejun Heo <[email protected]>
Reported-and-tested-by: Alexei Starovoitov <[email protected]>
Reported-by: Vlastimil Babka <[email protected]>
Reported-by: Sasha Levin <[email protected]>
Cc: [email protected] # v3.18+
Fixes: 9c824b6a172c ("percpu: make sure chunk->map array has available space")
Change-Id: I8f4aaf7fe0bc0e9f353d41e0a7840c40d6a32117
Bug: 31596597
mm/percpu.c | 57 ++++++++++++++++++++++++++++++++++++---------------------
1 file changed, 36 insertions(+), 21 deletions(-)
commit 2777a837f89486aa4bc1fa2fc6e612c6627b5c94
Author: Tejun Heo <[email protected]>
Date: Wed May 25 11:48:25 2016 -0400
UPSTREAM: percpu: fix synchronization between synchronous map extension and chunk destruction
(cherry picked from commit 6710e594f71ccaad8101bc64321152af7cd9ea28)
For non-atomic allocations, pcpu_alloc() can try to extend the area
map synchronously after dropping pcpu_lock; however, the extension
wasn't synchronized against chunk destruction and the chunk might get
freed while extension is in progress.
This patch fixes the bug by putting most of non-atomic allocations
under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
is responsible for async chunk management including destruction.
Signed-off-by: Tejun Heo <[email protected]>
Reported-and-tested-by: Alexei Starovoitov <[email protected]>
Reported-by: Vlastimil Babka <[email protected]>
Reported-by: Sasha Levin <[email protected]>
Cc: [email protected] # v3.18+
Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
Change-Id: I8800962e658e78eac866fff4a4e00294c58a3dec
Bug: 31596597
mm/percpu.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
commit 1a7952a39e3923d172dd2c119a943f97773dd301
Author: Biswajit Paul <[email protected]>
Date: Wed Sep 14 07:03:44 2016 -0700
msm: sensor: validate the i2c table index before use
Verifying the i2c table index value before accessing
the i2c table to avoid memory corruption issues.
Bug: 30740545
CRs-Fixed: 1065916
Change-Id: I0e31c22f90006f27a77cd420288334b8355cee95
Signed-off-by: Sureshnaidu Laveti <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
.../platform/msm/camera_v2/sensor/actuator/msm_actuator.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
commit 5442a0c99c8a33d22363f40543cbca68b4c8e113
Author: Siqi Lin <[email protected]>
Date: Thu Oct 13 16:27:46 2016 -0700
net: ping: Fix stack buffer overflow in ping_common_sendmsg()
In ping_common_sendmsg(), when len < icmph_len, memcpy_fromiovec()
will access invalid memory because msg->msg_iov only has 1 element
and memcpy_fromiovec() attempts to increment it. KASAN report:
BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
Read of size 8 by task trinity-c2/9623
page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
[< inline >] print_address_description mm/kasan/report.c:147
[< inline >] kasan_report_error mm/kasan/report.c:236
[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
[< inline >] check_memory_region mm/kasan/kasan.c:264
[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
[< inline >] __sock_sendmsg_nosec net/socket.c:624
[< inline >] __sock_sendmsg net/socket.c:632
[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
[< inline >] SYSC_sendto net/socket.c:1797
[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
Memory state around the buggy address:
ffffffc071077c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
ffffffc071077d00: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
>ffffffc071077d80: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
^
ffffffc071077e00: 00 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
ffffffc071077e80: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
Bug: 31349935
Change-Id: Ib7385fc26dfe7e07e9bab42a10ff65a37cbaab54
Signed-off-by: Siqi Lin <[email protected]>
net/ipv4/ping.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
commit 3892a11f14ef25d956d007fbd0c27241332693d9
Author: Mark Rutland <[email protected]>
Date: Thu Jan 8 11:42:59 2015 +0000
UPSTREAM: arm64: make sys_call_table const
As with x86, mark the sys_call_table const such that it will be placed
in the .rodata section. This will cause attempts to modify the table
(accidental or deliberate) to fail when strict page permissions are in
place. In the absence of strict page permissions, there should be no
functional change.
Signed-off-by: Mark Rutland <[email protected]>
Acked-by: Will Deacon <[email protected]>
Signed-off-by: Catalin Marinas <[email protected]>
Bug: 31660652
Signed-off-by: Jeff Vander Stoep <[email protected]>
(cherry picked from commit c623b33b4e9599c6ac5076f7db7369eb9869aa04)
Change-Id: I8c5aa13b8adfdb71e3c574a59e5bf63f8cee42c5
arch/arm64/kernel/sys.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
commit 23f8e8ca93a2a26ae28b030f11dc493b7f92a964
Author: Siqi Lin <[email protected]>
Date: Tue Oct 11 11:50:01 2016 -0700
msm: camera: Avoid exposing kernel addresses
Usage of %p exposes the kernel addresses, an easy target to
kernel write vulnerabilities. With this patch currently
%pK prints only Zeros as address. If you need actual address
echo 0 > /proc/sys/kernel/kptr_restrict
CRs-Fixed: 987011
Change-Id: I6c79f82376936fc646b723872a96a6694fe47cd9
Signed-off-by: Azam Sadiq Pasha Kapatrala Syed <[email protected]>
Signed-off-by: Siqi Lin <[email protected]>
Bug: 29464815
drivers/media/platform/msm/camera_v2/isp/msm_isp40.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
commit a0ce33daf6946ce83de783e09066d0d5a879dabd (tag: android-7.1.0_r0.3, aosp/android-msm-marlin-3.18-nougat-dr1)
Author: Pat Tjin <[email protected]>
Date: Wed Oct 12 22:12:51 2016 +0000
Revert "Revert "msm: kgsl: Clear the interrupt immediately""
This reverts commit 9236e1d0b9c407aa02fcbbac10267690f66ad56a.
Change-Id: Ifd7609c8077832850ad94e59d959f9411e2440c9
drivers/gpu/msm/adreno.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
commit 0a55e45c5749367b8c88d004b3d118bc57a39d5c
Merge: 9236e1d0b9c4 3c865718ebf0
Author: Patrick Tjin <[email protected]>
Date: Wed Oct 12 15:14:38 2016 -0700
Merge branch 'android-msm-marlin-3.18-ndr-factoryrom-security-next' into android-msm-marlin-3.18-ndr-factoryrom
November 2016.1
commit 9236e1d0b9c407aa02fcbbac10267690f66ad56a
Author: Pat Tjin <[email protected]>
Date: Wed Oct 12 22:03:27 2016 +0000
Revert "msm: kgsl: Clear the interrupt immediately"
This reverts commit e0bb388e6482492726a6d79ab67cc2e90dba1803.
Change-Id: I3f55515abd8a0a6c78e84893e56877ec0a1253aa
drivers/gpu/msm/adreno.c | 18 ++----------------
1 file changed, 2 insertions(+), 16 deletions(-)
commit e0bb388e6482492726a6d79ab67cc2e90dba1803
Author: Harshdeep Dhatt <[email protected]>
Date: Wed Oct 7 16:10:36 2015 -0600
msm: kgsl: Clear the interrupt immediately
Sometimes an interrupt from GPU is ignored while we
are still executing the previous interrupt. In order
to service any interrupt that was fired while executing
the interrupt handler, clear the interrupt register
immediately.
Also, clear the A5XX_INT_RBBM_AHB_ERROR bit not before
but after it's serviced in its respective handler. This
will avoid firing the main interrupt handler a second
time.
Change-Id: Ie6b5a511f5b3077adae7d464de437f2aa893b0c9
Signed-off-by: Harshdeep Dhatt <[email protected]>
(cherry picked from commit fb8021cee910b1eb5f0172d9a63c6a93921358bd)
drivers/gpu/msm/adreno.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
commit 594c8b47bbd4308502a4b99783b70376eecaea86
Author: Biswajit Paul <[email protected]>
Date: Tue Aug 23 14:41:47 2016 -0700
msm: camera: cpp: Add validation for v4l2 ioctl arguments
In CPP v4l2 ioctl command is made, if _IOC_DIR(cmd) is
_IOC_NONE, then the user-supplied argument arg is not checked
and an information disclosure is possible
Bug: 29464815
CRs-Fixed: 1042068
Change-Id: Iddb291b10cdcb5c42ab8497e06c2ce47885cd5ab
Signed-off-by: Sunid Wilson <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
Signed-off-by: Siqi Lin <[email protected]>
drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
commit 3c865718ebf0543a9e19331dceba7c1a2ee6782e
Author: Lars-Peter Clausen <[email protected]>
Date: Thu Apr 14 17:01:17 2016 +0200
BACKPORT: usb: gadget: f_fs: Fix use-after-free
(cherry picked from commit 38740a5b87d53ceb89eb2c970150f6e94e00373a)
When using asynchronous read or write operations on the USB endpoints the
issuer of the IO request is notified by calling the ki_complete() callback
of the submitted kiocb when the URB has been completed.
Calling this ki_complete() callback will free kiocb. Make sure that the
structure is no longer accessed beyond that point, otherwise undefined
behaviour might occur.
Fixes: 2e4c7553cd6f ("usb: gadget: f_fs: add aio support")
Cc: <[email protected]> # v3.15+
Signed-off-by: Lars-Peter Clausen <[email protected]>
Signed-off-by: Felipe Balbi <[email protected]>
Change-Id: I3c7b643f6440c4fb6160a57c1058523030b46a6c
Bug: 30950866
drivers/usb/gadget/function/f_fs.c | 1 -
1 file changed, 1 deletion(-)
commit f5c96a8c96615490b72357b1c0940196f7dde474
Author: Andrew Chant <[email protected]>
Date: Wed Sep 14 14:12:13 2016 -0700
input: touchscreen: Synaptics: prevent sysfs races
Concurrent sysfs calls can cause ugly race conditions.
Return EBUSY on concurrent sysfs calls, and prevent sysfs calls
during initial fw load.
Change-Id: Iec3db7f3fe9d33104319fd3e2bbf1d70ba68221b
Bug: 31252388
Signed-off-by: Andrew Chant <[email protected]>
.../synaptics_dsx_fw_update.c | 133 +++++++++++++++------
1 file changed, 99 insertions(+), 34 deletions(-)
commit f74716108d775b560e9abe5111cbbe6856805fed
Author: Praveen Chavan <[email protected]>
Date: Mon Aug 29 15:11:36 2016 -0700
msm: vidc: use %pK instead of %p which respects kptr_restrict sysctl.
Hide kernel pointers from unprivileged ussers by using %pK format-
specifier instead of %p. This respects the kptr_restrict sysctl
setting which is by default on. So by default %pK will print zeroes
as address. echo 1 to kptr_restrict to print proper kernel addresses.
Author: Abdulla Anam <[email protected]>
CRs-Fixed: 987018
Change-Id: I4772257a557c6730ecc0624cbc8e5614e893e9fd
Signed-off-by: Abdulla Anam <[email protected]>
Signed-off-by: Mishra Mahima <[email protected]>
Signed-off-by: Praveen Chavan <[email protected]>
Signed-off-by: Yueyao (Nathan) Zhu <[email protected]>
Bug: 30076504
.../msm/vidc/governors/msm_vidc_table_gov.c | 6 +-
.../media/platform/msm/vidc/hfi_packetization.c | 6 +-
.../media/platform/msm/vidc/hfi_response_handler.c | 6 +-
drivers/media/platform/msm/vidc/msm_smem.c | 32 +++---
drivers/media/platform/msm/vidc/msm_v4l2_vidc.c | 4 +-
drivers/media/platform/msm/vidc/msm_vdec.c | 34 +++---
drivers/media/platform/msm/vidc/msm_venc.c | 34 +++---
drivers/media/platform/msm/vidc/msm_vidc.c | 30 ++---
drivers/media/platform/msm/vidc/msm_vidc_common.c | 122 ++++++++++-----------
drivers/media/platform/msm/vidc/msm_vidc_dcvs.c | 16 +--
drivers/media/platform/msm/vidc/msm_vidc_debug.c | 21 ++--
.../media/platform/msm/vidc/msm_vidc_res_parse.c | 6 +-
drivers/media/platform/msm/vidc/venus_boot.c | 4 +-
drivers/media/platform/msm/vidc/venus_hfi.c | 52 ++++-----
drivers/media/platform/msm/vidc/vidc_hfi.c | 4 +-
drivers/media/platform/msm/vidc/vmem/vmem.c | 7 +-
16 files changed, 191 insertions(+), 193 deletions(-)
commit 5a54ca08ea924cdd4fa4da72ac0af2b9d68d215b
Author: Biswajit Paul <[email protected]>
Date: Tue Aug 16 12:46:12 2016 -0700
msm: crypto: Fix integer over flow check in qcrypto driver
Integer overflow check is invalid when ULONG_MAX is used,
as ULONG_MAX has typeof 'unsigned long', while req->assoclen,
req->crytlen, and qreq.ivsize are 'unsigned int'. Make change
to use UINT_MAX instead of ULONG_MAX.
Bug: 30515053
CRs-fixed: 1050970
Change-Id: I3782ea7ed2eaacdcad15b34e047a4699bf4f9e4f
Signed-off-by: Zhen Kong <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
Signed-off-by: Yueyao (Nathan) Zhu <[email protected]>
drivers/crypto/msm/qcrypto.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
commit 358cae34fce9be2df94d35b4f772c9800b55c17a
Author: Peter Zijlstra <[email protected]>
Date: Tue Dec 15 13:49:05 2015 +0100
UPSTREAM: perf: Fix race in swevent hash
(cherry picked from commit 12ca6ad2e3a896256f086497a7c7406a547ee373)
There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.
Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.
When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.
Reported-by: Sasha Levin <[email protected]>
Tested-by: Sasha Levin <[email protected]>
Signed-off-by: Peter Zijlstra (Intel) <[email protected]>
Cc: Arnaldo Carvalho de Melo <[email protected]>
Cc: Frederic Weisbecker <[email protected]>
Cc: Jiri Olsa <[email protected]>
Cc: Linus Torvalds <[email protected]>
Cc: Peter Zijlstra <[email protected]>
Cc: Stephane Eranian <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Vince Weaver <[email protected]>
Signed-off-by: Ingo Molnar <[email protected]>
Change-Id: I4972ce74211b6504ff61325c4a4f7b088306d1f9
Bug: 30952077
Signed-off-by: Yueyao (Nathan) Zhu <[email protected]>
kernel/events/core.c | 20 +-------------------
1 file changed, 1 insertion(+), 19 deletions(-)
commit 99ee5e6cf33a3280e030c4b973b1492fae6ea930
Author: Biswajit Paul <[email protected]>
Date: Wed Aug 24 20:49:31 2016 +0530
msm: kgsl: Change %p to %pK in debug messages
The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system settings.
Use %pK instead of %p, which evaluates whether
kptr_restrict is set.
Bug: 30228438
CRs-Fixed: 1052818
Change-Id: I0778e43e0a03852ca2944377256a7b401586a747
Signed-off-by: Divya Ponnusamy <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
Signed-off-by: Yueyao (Nathan) Zhu <[email protected]>
drivers/gpu/msm/adreno_debugfs.c | 2 +-
drivers/gpu/msm/kgsl.c | 5 ++---
drivers/gpu/msm/kgsl_cffdump.c | 7 -------
drivers/gpu/msm/kgsl_cmdbatch.c | 2 +-
drivers/gpu/msm/kgsl_iommu.c | 16 ++++++++--------
drivers/gpu/msm/kgsl_snapshot.c | 4 ----
6 files changed, 12 insertions(+), 24 deletions(-)
commit 505e48f32f1321ed7cf80d49dd5f31b16da445a8
Author: Nick Desaulniers <[email protected]>
Date: Mon Sep 12 15:47:42 2016 -0700
cgroup: prefer %pK to %p
Prevents leaking kernel pointers when using kptr_restrict.
Bug: 30149174
Change-Id: I0fa3cd8d4a0d9ea76d085bba6020f1eda073c09b
kernel/cgroup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
commit db109d43ca581031a1cea713c4073db30a1cd3b6
Author: Lukas Czerner <[email protected]>
Date: Sat Oct 17 22:57:06 2015 -0400
UPSTREAM: ext4: fix potential use after free in __ext4_journal_stop
There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <[email protected]>
Reviewed-by: Andreas Dilger <[email protected]>
Cc: [email protected]
Signed-off-by: Steve Pfetsch <[email protected]>
(cherry picked from commit 6934da9238da947628be83635e365df41064b09b)
Bug: 30952474
Change-Id: Ic8490cb55cb42ccb47c4dc6a819a3bc4fad6246f
fs/ext4/ext4_jbd2.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
commit dcd56c50f685c7b7430aa133a48709ba1e06e8de
Author: Phil Turnbull <[email protected]>
Date: Tue Feb 2 13:36:45 2016 -0500
BACKPORT: netfilter: nfnetlink: correctly validate length of batch messages
(cherry picked from commit c58d6c93680f28ac58984af61d0a7ebf4319c241)
If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.
The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
NLMSG_HDRLEN' which bypasses the length validation and will later
trigger an out-of-bound read.
If the length validation does fail then the malformed batch message is
copied back to userspace. However, we cannot do this because the
nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
netlink_ack:
[ 41.455421] ==================================================================
[ 41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
[ 41.456431] Read of size 4294967280 by task a.out/987
[ 41.456431] =============================================================================
[ 41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
[ 41.456431] -----------------------------------------------------------------------------
...
[ 41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00 ................
[ 41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00 ...............
[ 41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05 .......@EV."3...
[ 41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb ................
^^ start of batch nlmsg with
nlmsg_len=4294967280
...
[ 41.456431] Memory state around the buggy address:
[ 41.456431] ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ^
[ 41.456431] ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 41.456431] ==================================================================
Fix this with better validation of nlh->nlmsg_len and by setting
NFNL_BATCH_FAILURE if any batch message fails length validation.
CAP_NET_ADMIN is required to trigger the bugs.
Fixes: 9ea2aa8b7dba ("netfilter: nfnetlink: validate nfnetlink header from batch")
Signed-off-by: Phil Turnbull <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Change-Id: Id3e15c40cb464bf2791af907c235d8a316b2449c
Bug: 30947055
net/netfilter/nfnetlink.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
commit 71aa2fe9f64d1655a0c493c5b06eb94109c84aa6
Author: Calvin Owens <[email protected]>
Date: Fri Oct 30 16:57:00 2015 -0700
UPSTREAM: sg: Fix double-free when drives detach during SG_IO
(cherry picked from commit f3951a3709ff50990bf3e188c27d346792103432)
In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().
Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.
This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:
------------[ cut here ]------------
kernel BUG at block/blk-core.c:1420!
Call Trace:
[<ffffffff81281eab>] blk_put_request+0x5b/0x80
[<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
[<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
[<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
[<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
[<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
[<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
[<ffffffff81258967>] ? file_has_perm+0x97/0xb0
[<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
[<ffffffff81602afb>] tracesys+0xdd/0xe2
RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free
it.
Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.
KASAN was extremely helpful in finding the root cause of this bug.
Signed-off-by: Calvin Owens <[email protected]>
Acked-by: Douglas Gilbert <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Change-Id: I905fb1e66eff9a919e5059934d5165acb6c39980
Bug: 30951599
drivers/scsi/sg.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
commit b8c7a3985f9a1992a326f5ea734c321b9e6c6690
Author: Karthikeyan Ramasubramanian <[email protected]>
Date: Tue Aug 16 11:24:00 2016 -0600
soc: qcom: smp2p: Fix kernel address leak
Change format string to %pK instead of %p in the debug statements. This
change fixes kernel address leaks from the usage of %p.
Bug: 30312054
CRs-Fixed: 1052825
Change-Id: Ib95f691919a2977f5436cd4c6ac4a002d70dd729
Signed-off-by: Chris Lew <[email protected]>
Signed-off-by: Karthikeyan Ramasubramanian <[email protected]>
drivers/gpio/gpio-msm-smp2p.c | 2 +-
drivers/soc/qcom/smp2p.c | 6 +++---
drivers/soc/qcom/smp2p_debug.c | 4 ++--
drivers/soc/qcom/smp2p_test_common.h | 5 +++--
4 files changed, 9 insertions(+), 8 deletions(-)
commit 702a4b9b994ecbc05df6df95c7c82b4559e17d15
Author: Jianqiang Zhao <[email protected]>
Date: Fri Jul 22 18:25:36 2016 +0800
msm: msm_bus: fix stack overflow bug
Bug: 30311977
Signed-off-by: Jianqiang Zhao <[email protected]>
Change-Id: I0b9390bcb2e51b4b0ff6e47727ea19f467777fd6
drivers/platform/msm/msm_bus/msm_bus_dbg_voter.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
commit d83ab1b2bb99aee8e688e147dc822487ef6229ea
Author: Mathias Krause <[email protected]>
Date: Thu May 5 16:22:26 2016 -0700
UPSTREAM: proc: prevent accessing /proc/<PID>/environ until it's ready
(cherry picked from commit 8148a73c9901a8794a50f950083c00ccf97d43b3)
If /proc/<PID>/environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing to read beyond the end of what has been written.
Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
zero. It is, apparently, intentionally set last in create_*_tables().
This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.
The expected consequence is that userland trying to access
/proc/<PID>/environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment
variables.
Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
Signed-off-by: Mathias Krause <[email protected]>
Cc: Emese Revfy <[email protected]>
Cc: Pax Team <[email protected]>
Cc: Al Viro <[email protected]>
Cc: Mateusz Guzik <[email protected]>
Cc: Alexey Dobriyan <[email protected]>
Cc: Cyrill Gorcunov <[email protected]>
Cc: Jarod Wilson <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Change-Id: Ia2f58d48c15478ed4b6e237b63e704c70ff21e96
Bug: 30951939
fs/proc/base.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
commit 0bd3b3f998850ce64eaf0d2c1ec2a858276e6e8f
Author: vivek mehta <[email protected]>
Date: Mon Aug 29 18:35:52 2016 -0700
misc: qcom: qdsp6v2: initialize wma_config_32
Not all memebers of wma_config_32 are set before they are used which
might lead to invalid values being passed and used. To fix this issue
initialize all member variables of struct wma_config_32 to 0 before
assigning specific values individually.
Bug: 30593266
Change-Id: Ibb082ce691625527e9a9ffd4978dea7ba4df9e84
Signed-off-by: Siena Richard <[email protected]>
Signed-off-by: vivek mehta <[email protected]>
Signed-off-by: Siqi Lin <[email protected]>
drivers/misc/qcom/qdsp6v2/audio_wma.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
commit a1332745c86882d2c63efae34fb16af22d703dbe
Author: Biswajit Paul <[email protected]>
Date: Thu Sep 15 17:09:40 2016 -0700
msm: camera: cpp: Validate frame message before manipulating it.
CPP frame message is used to send all frame data
to Microcontroller. It is sent every frame. CPP kernel
driver has to add information to it before transfer it.
The message has to be validated before manipulations.
If it is not valid the message and corresponding frame
are discarded.
Bug: 30074605
CRs-Fixed: 1049826
Change-Id: I3e11ca7f6df4bb0d928512f81f3e3dc40fed791a
Signed-off-by: Rajakumar Govindaram <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
.../platform/msm/camera_v2/pproc/cpp/msm_cpp.c | 26 ++++++++++------------
1 file changed, 12 insertions(+), 14 deletions(-)
commit bcdcb0debe8665aff8e420022b647e9ca8ba61a1
Author: Biswajit Paul <[email protected]>
Date: Wed Sep 7 18:02:23 2016 +0530
ASoC: msm: Add Buffer overflow check
The overflow check is required to ensure that user space data
in kernel may not go beyond buffer boundary.
Bug: 28751152
CRs-Fixed: 1064411
Change-Id: I54c28a8942cf1a6a47a4e8272f3159b35d753ead
Signed-off-by: Karthik Reddy Katta <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
drivers/misc/qcom/qdsp6v2/audio_utils.c | 13 +++++++++++++
include/sound/q6asm-v2.h | 2 +-
sound/soc/msm/qdsp6v2/q6asm.c | 4 ++--
3 files changed, 16 insertions(+), 3 deletions(-)
commit 754ab71fbc75d356fca32e2c2b77bb0400c68ecb
Author: Yuan Lin <[email protected]>
Date: Fri Sep 16 14:44:13 2016 -0700
Revert "Asoc:msm:Added Buffer overflow check"
This patch caused a regression, replacing it with a new patch.
Bug: 28751152
This reverts commit 18ce8adb5a2c5ab4aa9c1a8a17d206119e64ce96.
drivers/misc/qcom/qdsp6v2/audio_utils.c | 7 +------
sound/soc/msm/qdsp6v2/q6asm.c | 4 ----
2 files changed, 1 insertion(+), 10 deletions(-)
commit e6c62bc60f98d2978b735a05d1d144211a092923
Author: Rainer Weikusat <[email protected]>
Date: Thu Feb 11 19:37:27 2016 +0000
UPSTREAM: af_unix: Guard against other == sk in unix_dgram_sendmsg
(cherry picked from commit a5527dda344fff0514b7989ef7a755729769daa1)
The unix_dgram_sendmsg routine use the following test
if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add a other != sk
check to guard against this.
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <[email protected]>
Signed-off-by: Rainer Weikusat <[email protected]>
Tested-by: Philipp Hahn <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Fixes: Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e
("UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue")
Change-Id: I4ebef6a390df3487903b166b837e34c653e01cb2
Signed-off-by: Amit Pundir <[email protected]>
Bug: 29119002
net/unix/af_unix.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
commit 95fc8266e58915548fa1df8460a3c4a9429a2b32
Author: Vegard Nossum <[email protected]>
Date: Fri Jul 29 10:40:31 2016 +0200
UPSTREAM: block: fix use-after-free in seq file
(cherry picked from commit 77da160530dd1dc94f6ae15a981f24e5f0021e84)
I got a KASAN report of use-after-free:
==================================================================
BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
Read of size 8 by task trinity-c1/315
=============================================================================
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
___slab_alloc+0x4f1/0x520
__slab_alloc.isra.58+0x56/0x80
kmem_cache_alloc_trace+0x260/0x2a0
disk_seqf_start+0x66/0x110
traverse+0x176/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
__slab_free+0x17a/0x2c0
kfree+0x20a/0x220
disk_seqf_stop+0x42/0x50
traverse+0x3b5/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
Call Trace:
[<ffffffff81d6ce81>] dump_stack+0x65/0x84
[<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
[<ffffffff814704ff>] object_err+0x2f/0x40
[<ffffffff814754d1>] kasan_report_error+0x221/0x520
[<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
[<ffffffff83888161>] klist_iter_exit+0x61/0x70
[<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
[<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
[<ffffffff8151f812>] seq_read+0x4b2/0x11a0
[<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
[<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
[<ffffffff814b4c45>] do_readv_writev+0x565/0x660
[<ffffffff814b8a17>] vfs_readv+0x67/0xa0
[<ffffffff814b8de6>] do_preadv+0x126/0x170
[<ffffffff814b92ec>] SyS_preadv+0xc/0x10
This problem can occur in the following situation:
open()
- pread()
- .seq_start()
- iter = kmalloc() // succeeds
- seqf->private = iter
- .seq_stop()
- kfree(seqf->private)
- pread()
- .seq_start()
- iter = kmalloc() // fails
- .seq_stop()
- class_dev_iter_exit(seqf->private) // boom! old pointer
As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.
An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.
Cc: [email protected]
Signed-off-by: Vegard Nossum <[email protected]>
Acked-by: Tejun Heo <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
Change-Id: I07b33f4b38341f60a37806cdd45b0a0c3ab4d84d
Bug: 30942273
Signed-off-by: Siqi Lin <[email protected]>
block/genhd.c | 1 +
1 file changed, 1 insertion(+)
commit da210a90a724bd3a5ff0e0fcda3d38b5f0b718bc
Author: vivek mehta <[email protected]>
Date: Fri Sep 9 15:33:40 2016 -0700
misc: qcom: qdsp6v2: initialize config_32
Not all members of config_32 are set before they are used which
might lead to invalid values being passed and used. To fix this issue
initialize all member variables of struct config_32 to 0 before
assigning specific values individually.
Bug: 30741851
Change-Id: Ifea3a6e8bf45481c65a4455ee64318304798fee2
Signed-off-by: vivek mehta <[email protected]>
drivers/misc/qcom/qdsp6v2/aac_in.c | 4 +++-
drivers/misc/qcom/qdsp6v2/amrnb_in.c | 5 ++++-
drivers/misc/qcom/qdsp6v2/amrwb_in.c | 2 ++
drivers/misc/qcom/qdsp6v2/audio_alac.c | 2 ++
drivers/misc/qcom/qdsp6v2/audio_amrwbplus.c | 4 ++++
drivers/misc/qcom/qdsp6v2/audio_ape.c | 2 ++
drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c | 2 ++
drivers/misc/qcom/qdsp6v2/audio_multi_aac.c | 2 ++
drivers/misc/qcom/qdsp6v2/audio_utils_aio.c | 1 +
drivers/misc/qcom/qdsp6v2/audio_wmapro.c | 2 ++
drivers/misc/qcom/qdsp6v2/evrc_in.c | 4 +++-
drivers/misc/qcom/qdsp6v2/qcelp_in.c | 4 +++-
12 files changed, 30 insertions(+), 4 deletions(-)
commit d3d4c8b432fbce5e441f6f62f2af59056d9ca3df
Author: Biswajit Paul <[email protected]>
Date: Wed Sep 7 12:53:43 2016 +0530
msm: camera: Restructure data handling to be more robust
Use dynamic array allocation instead of static array to
prevent stack overflow.
User-supplied number of bytes may result in integer overflow.
To fix this we check that the num_byte isn't above 8K size.
Bug: 30559423
CRs-Fixed: 1060554
Change-Id: I9b05b846e5cc3a62b1a0a67be529f09abc764796
Signed-off-by: VijayaKumar T M <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
.../msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 6 ++++
.../msm/camera_v2/sensor/io/msm_camera_qup_i2c.c | 39 ++++++++++++++++++++--
2 files changed, 43 insertions(+), 2 deletions(-)
commit fd30110abd9cac2fe630f1584911c4e725d1589c
Author: Biswajit Paul <[email protected]>
Date: Tue Sep 13 13:31:57 2016 -0700
msm: sensor: Avoid potential stack overflow
Add a check to validate the user input data is not
greater than expected stack buffer size to avoid out
of bounds array accesses
Bug: 30143904
CRs-Fixed: 1056307
Change-Id: I8b31006772367a120828269243b1971d33a4d7d3
Signed-off-by: VijayaKumar T M <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c | 6 ++++++
1 file changed, 6 insertions(+)
commit d36033dffc0307902c1ff63d3cb6780e3491c108
Author: Biswajit Paul <[email protected]>
Date: Wed Aug 31 14:08:16 2016 +0530
qcedev: Validate Source and Destination addresses
Source and Destination addresses passed by user space apps/clients
are validated independent of type of operation to mitigate kernel
address space exploitation.
Bug: 30034511
CRs-Fixed: 1050538
Change-Id: I9ecb0103d7a73eedb2e0d1db1d5613b18dd77e59
Signed-off-by: AnilKumar Chimata <[email protected]>
Signed-off-by: Biswajit Paul <[email protected]>
drivers/crypto/msm/qcedev.c | 68 ++++++++++++++++++++-------------------------
1 file changed, 30 insertions(+), 38 deletions(-)
commit ce1b4b6fc8d4006885bd2f6af32498f140060e58
Author: Daniel Rosenberg <[email protected]>
Date: Fri Sep 9 15:32:34 2016 -0700
ion: Disable ION_HEAP_TYPE_SYSTEM_CONTIG
Bug: 30400942
Change-Id: I19fa5bf6e5c66b532b842180b2cf0ae04ddca337
Signed-off-by: Daniel Rosenberg <[email protected]>
drivers/staging/android/ion/ion_heap.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
commit b1e90ba0a333e58fada69a883c4e432351c34ee0
Author: vivek mehta <[email protected]>
Date: Mon Sep 12 17:22:18 2016 -0700
ASoC: msm: initialize the params array before using it
The params array is used without initialization, which may cause
security issues. Initialize it as all zero after the definition.
bug: 30902162
Change-Id: If462fe3d82f139d72547f82dc7eb564f83cb35bf
Signed-off-by: vivek mehta <[email protected]>
sound/soc/msm/qdsp6v2/msm-compr-q6-v2.c | 2 ++
1 file changed, 2 insertions(+)
commit d28dfeeca261ca4c0b74bf013ba43c2506d2ff67
Author: Patrick Tjin <[email protected]>
Date: Fri Sep 16 11:34:06 2016 -0700
arm64/configs: marlin: remove tuner support
Bug: 30946097
Change-Id: I2572d3e147ee75185155ec665f9925323dae73b5
arch/arm64/configs/marlin_defconfig | 2 --
1 file changed, 2 deletions(-)
commit 5f675641a3a5f0ff0e639476ea73d1a86672f2d9
Author: Dan Carpenter <[email protected]>
Date: Wed Feb 3 13:34:00 2016 -0200
UPSTREAM: [media] xc2028: unlock on error in xc2028_set_config()
We have to unlock before returning -ENOMEM.
Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
Signed-off-by: Dan Carpenter <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
(cherry picked from commit 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d)
Bug: 30946097
Change-Id: I2d0bab35824d204a05de36e265c443938033eb81
drivers/media/tuners/tuner-xc2028.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
commit 8b364d1de97580364b7220a54a3fb700901a6b06
Author: Jerome Marchand <[email protected]>
Date: Wed Apr 6 14:06:48 2016 +0100
UPSTREAM: assoc_array: don't call compare_object() on a node
(cherry picked from commit 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2)
Changes since V1: fixed the description and added KASan warning.
In assoc_array_insert_into_terminal_node(), we call the
compare_object() method on all non-empty slots, even when they're
not leaves, passing a pointer to an unexpected structure to
compare_object(). Currently it causes an out-of-bound read access
in keyring_compare_object detected by KASan (see below). The issue
is easily reproduced with keyutils testsuite.
Only call compare_object() when the slot is a leave.
KASan warning:
==================================================================
BUG: KASAN: slab-out-of-bounds in keyring_compare_object+0x213/0x240 at addr ffff880060a6f838
Read of size 8 by task keyctl/1655
=============================================================================
BUG kmalloc-192 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in assoc_array_insert+0xfd0/0x3a60 age=69 cpu=1 pid=1647
___slab_alloc+0x563/0x5c0
__slab_alloc+0x51/0x90
kmem_cache_alloc_trace+0x263/0x300
assoc_array_insert+0xfd0/0x3a60
__key_link_begin+0xfc/0x270
key_create_or_update+0x459/0xaf0
SyS_add_key+0x1ba/0x350
entry_SYSCALL_64_fastpath+0x12/0x76
INFO: Slab 0xffffea0001829b80 objects=16 used=8 fp=0xffff880060a6f550 flags=0x3fff8000004080
INFO: Object 0xffff880060a6f740 @offset=5952 fp=0xffff880060a6e5d1
Bytes b4 ffff880060a6f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f740: d1 e5 a6 60 00 88 ff ff 0e 00 00 00 00 00 00 00 ...`............
Object ffff880060a6f750: 02 cf 8e 60 00 88 ff ff 02 c0 8e 60 00 88 ff ff ...`.......`....
Object ffff880060a6f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f7d0: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Object ffff880060a6f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
CPU: 0 PID: 1655 Comm: keyctl Tainted: G B 4.5.0-rc4-kasan+ #291
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
0000000000000000 000000001b2800b4 ffff880060a179e0 ffffffff81b60491
ffff88006c802900 ffff880060a6f740 ffff880060a17a10 ffffffff815e2969
ffff88006c802900 ffffea0001829b80 ffff880060a6f740 ffff880060a6e650
Call Trace:
[<ffffffff81b60491>] dump_stack+0x85/0xc4
[<ffffffff815e2969>] print_trailer+0xf9/0x150
[<ffffffff815e9454>] object_err+0x34/0x40
[<ffffffff815ebe50>] kasan_report_error+0x230/0x550
[<ffffffff819949be>] ? keyring_get_key_chunk+0x13e/0x210
[<ffffffff815ec62d>] __asan_report_load_n_noabort+0x5d/0x70
[<ffffffff81994cc3>] ? keyring_compare_object+0x213/0x240
[<ffffffff81994cc3>] keyring_compare_object+0x213/0x240
[<ffffffff81bc238c>] assoc_array_insert+0x86c/0x3a60
[<ffffffff81bc1b20>] ? assoc_array_cancel_edit+0x70/0x70
[<ffffffff8199797d>] ? __key_link_begin+0x20d/0x270
[<ffffffff8199786c>] __key_link_begin+0xfc/0x270
[<ffffffff81993389>] key_create_or_update+0x459/0xaf0
[<ffffffff8128ce0d>] ? trace_hardirqs_on+0xd/0x10
[<ffffffff81992f30>] ? key_type_lookup+0xc0/0xc0
[<ffffffff8199e19d>] ? lookup_user_key+0x13d/0xcd0
[<ffffffff81534763>] ? memdup_user+0x53/0x80
[<ffffffff819983ea>] SyS_add_key+0x1ba/0x350
[<ffffffff81998230>] ? key_get_type_from_user.constprop.6+0xa0/0xa0
[<ffffffff828bcf4e>] ? retint_user+0x18/0x23
[<ffffffff8128cc7e>] ? trace_hardirqs_on_caller+0x3fe/0x580
[<ffffffff81004017>] ? trace_hardirqs_on_thunk+0x17/0x19
[<ffffffff828bc432>] entry_SYSCALL_64_fastpath+0x12/0x76
Memory state around the buggy address:
ffff880060a6f700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
>ffff880060a6f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff880060a6f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff880060a6f900: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
==================================================================
Signed-off-by: Jerome Marchand <[email protected]>
Signed-off-by: David Howells <[email protected]>
cc: [email protected]
Change-Id: I903935a221a5b9fb14cec14ef64bd2b6fa8eb222
Bug: 30513364
lib/assoc_array.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
commit f26bc352514b341149b6856531ed95fcca483fa0
Author: Benjamin Tissoires <[email protected]>
Date: Tue Jan 19 12:34:58 2016 +0100
UPSTREAM: HID: core: prevent out-of-bound readings
(cherry picked from commit 50220dead1650609206efe91f0cc116132d59b3f)
Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.
The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.
Signed-off-by: Benjamin Tissoires <[email protected]>
Signed-off-by: Jiri Kosina <[email protected]>
Change-Id: Iaf25e882a6696884439d7091b5fbb0b350d893d3
Bug: 30951261
drivers/hid/hid-core.c | 3 +++
1 file changed, 3 insertions(+)
commit 7f350daadf5a87bb86a2f6a59cb32e11f95df82f
Author: Vladis Dronov <[email protected]>
Date: Thu Mar 31 12:05:43 2016 -0400
UPSTREAM: ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
(cherry picked from commit 836b34a935abc91e13e63053d0a83b24dfb5ea78)
create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.
This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.
Based on a patch by Takashi Iwai <[email protected]>
[Note for stable backports:
this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
code cleanup in create_fixed_stream_quirk()')]
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <[email protected]>
Cc: <[email protected]> # see the note above
Signed-off-by: Vladis Dronov <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Change-Id: I7073a17d8c99886d2f6ed7981892712ba7dd5873
Bug: 30952477
sound/usb/quirks.c | 4 ++++
sound/usb/stream.c | 6 +++++-
2 files changed, 9 insertions(+), 1 deletion(-)
commit ee8791a6c51a69a05cb39911cf1f75757d20e40e
Author: Takashi Iwai <[email protected]>
Date: Tue Mar 15 12:14:49 2016 +0100
BACKPORT: ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
(cherry picked from commit 902eb7fd1e4af3ac69b9b30f8373f118c92b9729)
Just a minor code cleanup: unify the error paths.
Signed-off-by: Takashi Iwai <[email protected]>
Change-Id: I8253a86235df2ac1258153c9e128fa158527567f
Bug: 30952477
sound/usb/quirks.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
commit 3ed9ac8b81d38f77b5e1adfaf04d89d8992f89d4
Author: Peter Hurley <[email protected]>
Date: Fri Nov 27 14:30:21 2015 -0500
UPSTREAM: tty: Prevent ldisc drivers from re-using stale tty fields
(cherry picked from commit dd42bf1197144ede075a9d4793123f7689e164bc)
Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].
Harden the ldisc interface against misuse by initializing revelant
tty fields before instancing the new line discipline.
[1]
commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
Author: Tilman Schmidt <[email protected]>
Date: Tue Jul 14 00:37:13 2015 +0200
isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
[2] Report from Sasha Levin <[email protected]>
[ 634.336761] ==================================================================
[ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
[ 634.339558] Read of size 4 by task syzkaller_execu/8981
[ 634.340359] =============================================================================
[ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
...
[ 634.405018] Call Trace:
[ 634.405277] dump_stack (lib/dump_stack.c:52)
[ 634.405775] print_trailer (mm/slub.c:655)
[ 634.406361] object_err (mm/slub.c:662)
[ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
[ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
[ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
[ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
[ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
[ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
[ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
Cc: Tilman Schmidt <[email protected]>
Cc: Sasha Levin <[email protected]>
Signed-off-by: Peter Hurley <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Change-Id: Ibed6feadfb9706d478f93feec3b240aecfc64af3
Bug: 30951112
drivers/tty/tty_ldisc.c | 7 +++++++
1 file changed, 7 insertions(+)
commit 2fd70548d5cf62237610f1100f0e926d0b109916
Author: Mauro Carvalho Chehab <[email protected]>
Date: Thu Jan 28 09:22:44 2016 -0200
UPSTREAM: [media] xc2028: avoid use after free
If struct xc2028_config is passed without a firmware name,
the following trouble may happen:
[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G W ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------
[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012] ___slab_alloc+0x581/0x5b0
[11009.908014] __slab_alloc+0x51/0x90
[11009.908017] __kmalloc+0x27b/0x350
[11009.908022] xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026] usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029] usb_submit_urb+0xb0e/0x1200
[11009.908032] usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035] usb_serial_generic_write+0x92/0xc0
[11009.908039] usb_console_write+0x38a/0x560
[11009.908045] call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051] console_unlock+0x40d/0x900
[11009.908056] vprintk_emit+0x4b4/0x830
[11009.908061] vprintk_default+0x1f/0x30
[11009.908064] printk+0x99/0xb5
[11009.908067] kasan_report_error+0x10a/0x550
[11009.908070] __asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077] __slab_free+0x2ec/0x460
[11009.908080] kfree+0x266/0x280
[11009.908083] xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108] do_one_initcall+0x141/0x300
[11009.908111] do_init_module+0x1d0/0x5ad
[11009.908114] load_module+0x6666/0x9ba0
[11009.908117] SyS_finit_module+0x108/0x130
[11009.908120] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001
[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00 ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G B W 4.5.0-rc1+ #43
[11009.908140] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142] ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148] ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153] ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162] [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165] [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168] [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171] [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182] [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185] [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189] [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192] [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196] [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200] [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203] [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206] [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211] [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215] [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219] [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222] [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226] [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230] [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233] [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238] [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242] [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245] [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249] [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253] [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260] [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264] [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268] [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275] [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278] [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292] [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299] [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302] [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306] [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309] [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314] [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317] [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320] [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324] [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327] [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330] [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346] [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350] [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353] [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356] [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361] [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366] [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369] [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374] [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377] [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379] [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383] [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394] [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398] ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401] ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405] ^
[11009.908407] ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409] ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================
In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
(cherry picked from commit 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18)
Bug: 30946097
Change-Id: I95d962c55c8c9b39d747cb326de263972331e8cd
drivers/media/tuners/tuner-xc2028.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
commit bc912ddcff771d0d7f6feeb64f3b65e785c1d1e0
Author: Eric Dumazet <[email protected]>
Date: Wed Aug 17 05:56:26 2016 -0700
UPSTREAM: tcp: fix use after free in tcp_xmit_retransmit_queue()
(cherry picked from commit bb1fceca22492109be12640d49f5ea5a544c6bb4)
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <[email protected]>
Signed-off-by: Eric Dumazet <[email protected]>
Cc: Ilpo Järvinen <[email protected]>
Cc: Yuchung Cheng <[email protected]>
Cc: Neal Cardwell <[email protected]>
Acked-by: Neal Cardwell <[email protected]>
Reviewed-by: Cong Wang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Change-Id: I58bb02d6e4e399612e8580b9e02d11e661df82f5
Bug: 31183296
include/net/tcp.h | 2 ++
1 file changed, 2 insertions(+)
commit a41329dce2fef8359fdf4e94a736fd7b8f53d663
Author: Omar Sandoval <[email protected]>
Date: Fri Jul 1 00:39:35 2016 -0700
UPSTREAM: block: fix use-after-free in sys_ioprio_get()
get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:
int main(int argc, char **argv)
{
pid_t pid, child;
long nproc, i;
/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
syscall(SYS_ioprio_set, 1, 0, 0x6000);
nproc = sysconf(_SC_NPROCESSORS_ONLN);
for (i = 0; i < nproc; i++) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
_exit(0);
} else {
child = wait(NULL);
assert(child == pid);
}
}
}
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}
}
}
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}
return 0;
}
This gets us KASAN dumps like this:
[ 35.526914] ==================================================================
[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[ 35.530009] Read of size 2 by task ioprio-gpf/363
[ 35.530009] =============================================================================
[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[ 35.530009] -----------------------------------------------------------------------------
[ 35.530009] Disabling lock debugging due to kernel taint
[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[ 35.530009] ___slab_alloc+0x55d/0x5a0
[ 35.530009] __slab_alloc.isra.20+0x2b/0x40
[ 35.530009] kmem_cache_alloc_node+0x84/0x200
[ 35.530009] create_task_io_context+0x2b/0x370
[ 35.530009] get_task_io_context+0x92/0xb0
[ 35.530009] copy_process.part.8+0x5029/0x5660
[ 35.530009] _do_fork+0x155/0x7e0
[ 35.530009] SyS_clone+0x19/0x20
[ 35.530009] do_syscall_64+0x195/0x3a0
[ 35.530009] return_from_SYSCALL_64+0x0/0x6a
[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[ 35.530009] __slab_free+0x27b/0x3d0
[ 35.530009] kmem_cache_free+0x1fb/0x220
[ 35.530009] put_io_context+0xe7/0x120
[ 35.530009] put_io_context_active+0x238/0x380
[ 35.530009] exit_io_context+0x66/0x80
[ 35.530009] do_exit+0x158e/0x2b90
[ 35.530009] do_group_exit+0xe5/0x2b0
[ 35.530009] SyS_exit_group+0x1d/0x20
[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4
[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[ 35.530009] ==================================================================
Fix it by grabbing the task lock while we poke at the io_context.
Cc: [email protected]
Reported-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Omar Sandoval <[email protected]>
Signed-off-by: Jens Axboe <[email protected]>
(cherry picked from commit 8ba8682107ee2ca3347354e018865d8e1967c5f4)
Bug: 30946378
Change-Id: Ib387abc9c64bcf45c6a5b9ea7439347f2b4a7f7f
block/ioprio.c | 2 ++
1 file changed, 2 insertions(+)
commit 895c4a66de92219859cf5939fefb0e4d6fbb1391 (tag: android-7.1.0_r0.2)
Author: Steve Pfetsch <[email protected]>
Date: Sat Sep 10 18:19:19 2016 -0700
msm: haptic: reduce haptic intensity except for calls and messages
Introduce a haptic duration threshold below which vibration intensity
is automatically reduced. The intensity of brief vibration is reduced
so that keyboard, touch, and fingerprint haptics are less audible. Add
sysfs nodes for accessing the threshold and the strong/light intensity
settings.
Bug: 31407746
Change-Id: Ib4704a38255f3171bb13fc2ecc0201940ffa8767
drivers/platform/msm/qpnp-haptic.c | 151 +++++++++++++++++++++++++++++++++++++
1 file changed, 151 insertions(+)
commit e62667b4a5ba40e93ff0926531a8ddef4bfedb35
Author: Steve Pfetsch <[email protected]>
Date: Sun Sep 11 01:51:21 2016 -0700
arm64: dts: marlin/sailfish: add default values for haptics
Add default values for vmax-strong-mv, vmax-light-mv, and
timeout-strong-threshold, which control the intensity of haptic
feedback and the length of pulse necessary to trigger strong
vibration.
Bug: 31407746
Change-Id: Ie0e22fea2591343b3006d5f2171ea0a6936e6233
arch/arm64/boot/dts/htc/msm8996-htc_marlin.dtsi | 3 +++
arch/arm64/boot/dts/htc/msm8996-htc_sailfish.dtsi | 3 +++
2 files changed, 6 insertions(+)
commit 3158ee49960462ca4f302c8f8409ad443cdf508e
Author: Yueyao (Nathan) Zhu <[email protected]>
Date: Fri Sep 9 20:16:17 2016 +0000
Revert "arm64: dts: marlin: modify USB2.0 phy settings"
This reverts commit b976b264087c32b713445d3804c713c3795d5e10.
Change-Id: I78a67c861daa881a90e98abf94a35da5582d4f4b
arch/arm64/boot/dts/htc/msm8996-htc_marlin.dtsi | 1 -
arch/arm64/boot/dts/htc/msm8996-htc_sailfish.dtsi | 1 -
2 files changed, 2 deletions(-)
commit b976b264087c32b713445d3804c713c3795d5e10
Author: Howard Yen <[email protected]>
Date: Mon Sep 5 20:38:25 2016 +0800
arm64: dts: marlin: modify USB2.0 phy settings
USB HS Reg 0x90=Val 0x03
Bug: 31206266
Change-Id: Ie07898c71ce5c9008ea423fb6f22f1ac6f9b9b56
Signed-off-by: Howard Yen <[email protected]>
arch/arm64/boot/dts/htc/msm8996-htc_marlin.dtsi | 1 +
arch/arm64/boot/dts/htc/msm8996-htc_sailfish.dtsi | 1 +
2 files changed, 2 insertions(+)
commit 19caf23b23230948729c48d5065887b85e439b54 (tag: android-7.1.0_r0.1)
Author: Tim Murray <[email protected]>
Date: Fri Sep 2 17:05:35 2016 -0700
trigger rebuild on build server
Change-Id: Ic2664f666436c752d96647861e9e968b0d3f210e
commit ad62b26e4592fe77243bf9daf5af6de11ffadbbe
Author: Tim Murray <[email protected]>
Date: Fri Sep 2 16:04:41 2016 -0700
lowmemorykiller: account for unevictable pages
lowmemorykiller was not taking into account unevictable pages when
deciding what level to kill. If significant amounts of memory were
pinned, this caused lowmemorykiller to effectively stop at a much higher
level than it should.
bug 31255977
Change-Id: I763ecbfef8c56d65bb8f6147ae810692bd81b6e2
drivers/staging/android/lowmemorykiller.c | 1 +
1 file changed, 1 insertion(+)
commit 96e033488266512fedc88cfbdb346b7d61a579fe
Author: vivek mehta <[email protected]>
Date: Tue Aug 30 19:42:30 2016 -0700
ASoC: wcd9335: Fix race during codec master clock (mclk) enablement
It is possible that codec master clock enablement could race from two
different execution contexts, causing the mclk to be not enabled at all.
This will result in failure of use cases that expect the clock to be
present. Fix this issue by making sure the race condition does not
occur during mclk enablement.
Bug: 30983442
Change-Id: Ie254b8876524956b816267eaaed205f65641c000
Signed-off-by: Bhalchandra Gajare <[email protected]>
Signed-off-by: vivek mehta <[email protected]>
sound/soc/codecs/wcd9335.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
commit 53dc26e43577b3ee67648c27ce5ea6193052f27a
Author: Naseer Ahmed <[email protected]>
Date: Fri Aug 26 18:00:43 2016 -0400
mdss: protect sysfs panel settings
VR low persistence mode sends DSI commands out-of-band through a
sysfs node instead of through HWC ಠ_ಠ.
Do not allow sysfs panel settings such as low persistence mode from
sending DSI commands when the panel is blank and do not blank the
device when a configuration update from sysfs is in progress.
Bug: 31036253
Change-Id: I5fb26a8b01ae144a87209a5d212b4ab6c1685565
Signed-off-by: Dhaval Patel <[email protected]>
Signed-off-by: Aravind Venkateswaran <[email protected]>
Signed-off-by: Naseer Ahmed <[email protected]>
drivers/video/msm/mdss/mdss_fb.c | 21 +++++++++++++++++++--
drivers/video/msm/mdss/mdss_fb.h | 1 +
2 files changed, 20 insertions(+), 2 deletions(-)
commit 149b99add8e08c1dc943e1ef945ce837325d431a
Author: Harshdeep Dhatt <[email protected]>
Date: Wed Jun 15 17:28:49 2016 -0600
msm: kgsl: Read HLSQ SP/TP registers through debug aperture
Use crash dumper to read HLSQ SP/TP registers through debug ahb
aperture during device snapshot.
Bug: 30907663
CRs-Fixed: 1019957
Change-Id: I3b18fd0d1eab28b6b3e5d314539cfbc15210f675
Signed-off-by: Harshdeep Dhatt <[email protected]>
Signed-off-by: Siqi Lin <[email protected]>
drivers/gpu/msm/adreno_a5xx_snapshot.c | 158 ++++++++++++++++++++++++---------
1 file changed, 117 insertions(+), 41 deletions(-)
commit 287d37e2e63549398bc248043572c4fda86e9733
Author: Al Viro <[email protected]>
Date: Fri Mar 20 17:41:43 2015 +0000
UPSTREAM: net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
(cherry pick from commit 4de930efc23b92ddf88ce91c405ee645fe6e27ea)
Cc: [email protected] # v3.19
Signed-off-by: Al Viro <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Bug: 28759139
Change-Id: I556eab62bc545f4382f93d0c721df342bbe76787
net/socket.c | 4 ++++
1 file changed, 4 insertions(+)
commit cd5b1e372ed3f4017bd555707d3271d208d0680a
Author: Kangjie Lu <[email protected]>
Date: Tue May 3 16:32:16 2016 -0400
UPSTREAM: USB: usbfs: fix potential infoleak in devio
(cherry pick from commit 681fef8380eb818c0b845fca5d2ab1dcbab114ee)
The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
are padding bytes which are not initialized and leaked to userland
via “copy_to_user”.
Signed-off-by: Kangjie Lu <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Bug: 28619695
Change-Id: I170754d659d0891c075f85211b5e3970b114f097
drivers/usb/core/devio.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
commit 5fd212257c4f4f636c919817db9c2efaf900c4f8
Author: Kangjie Lu <[email protected]>
Date: Tue May 3 16:44:07 2016 -0400
UPSTREAM: ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
(cherry pick from commit cec8f96e49d9be372fdb0c3836dcf31ec71e457e)
The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Bug: 28980557
Change-Id: I963a8f5f7ae828787c655c9b89121d3844474513
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
commit 449ae3ff25d5bd229ccf1f63a94437c7c2813f97
Author: Kangjie Lu <[email protected]>
Date: Tue May 3 16:44:32 2016 -0400
UPSTREAM: ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
(cherry pick from commit e4ec8cc8039a7063e24204299b462bd1383184a5)
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Bug: 28980217
Change-Id: I756d05a328a133c1c67132301434c6817be0a2a6
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
commit f893bc842a4bd2431ed355db86514f7e8e59b311
Author: Kangjie Lu <[email protected]>
Date: Tue May 3 16:44:20 2016 -0400
UPSTREAM: ALSA: timer: Fix leak in events via snd_timer_user_ccallback
(cherry pick from commit 9a47e9cff994f37f7f0dbd9ae23740d0f64f9fe6)
The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.
Signed-off-by: Kangjie Lu <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Bug: 28980217
Change-Id: I0ba03af4d0620bcbc7a808d083295b7c97aba56d
sound/core/timer.c | 1 +
1 file changed, 1 insertion(+)
commit e2699e56af139595b31473b4bc91403283f5b2f0
Author: Takashi Iwai <[email protected]>
Date: Wed Jan 13 17:48:01 2016 +0100
UPSTREAM: ALSA: timer: Fix race among timer ioctls
(cherry picked from commit af368027a49a751d6ff4ee9e3f9961f35bb4fede)
ALSA timer ioctls have an open race and this may lead to a
use-after-free of timer instance object. A simplistic fix is to make
each ioctl exclusive. We have already tread_sem for controlling the
tread, and extend this as a global mutex to be applied to each ioctl.
The downside is, of course, the worse concurrency. But these ioctls
aren't to be parallel accessible, in anyway, so it should be fine to
serialize there.
Reported-by: Dmitry Vyukov <[email protected]>
Tested-by: Dmitry Vyukov <[email protected]>
Cc: <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Change-Id: I1ac52f1cba5e7408fd88c8fc1c30ca2e83967ebb
Bug: 28694392
sound/core/timer.c | 32 +++++++++++++++++++-------------
1 file changed, 19 insertions(+), 13 deletions(-)
commit d6a8196911be4aee3f726dc7835e38ffe92e5797
Author: Praveen Chavan <[email protected]>
Date: Tue Aug 23 13:14:22 2016 -0700
msm: vidc: Compare ion_handles rather than fds
fd(s) cannot uniquely identify buffers queued by cross-process
clients. Use ion handles to compare and match already-mapped-
buffers irrespective of data or extradata planes.
Bug: 30969795
Change-Id: I591f18aa225cc6690bf423f2ae5bc7dafd4dad78
Signed-off-by: Praveen Chavan <[email protected]>
drivers/media/platform/msm/vidc/msm_vidc.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
commit d59da5ebb5cefbad89a7fc33bd514d858cb4bbae
Author: Ranjith Kagathi Ananda <[email protected]>
Date: Fri Jul 29 20:07:47 2016 +0530
msm:isp: add recovery method in case of pingpong mismatch.
restart the VFE in case of pingpong mismatch.
BUG=30866777
Change-Id: I38482aeb8d03c81a1ebe91ba895916fc5064e8aa
Signed-off-by: Alok Kediya <[email protected]>
Signed-off-by: Ranjith Kagathi Ananda <[email protected]>
drivers/media/platform/msm/camera_v2/isp/msm_isp.h | 2 +
.../platform/msm/camera_v2/isp/msm_isp_axi_util.c | 14 +++++-
.../msm/camera_v2/isp/msm_isp_stats_util.c | 2 +-
.../platform/msm/camera_v2/isp/msm_isp_util.c | 50 ++++++++++++++++++++++
.../platform/msm/camera_v2/isp/msm_isp_util.h | 1 +
5 files changed, 66 insertions(+), 3 deletions(-)
commit 8d7d5ab45fc3003befd6b6f992f5c7818996c5c1
Author: Ranjith Kagathi Ananda <[email protected]>
Date: Fri Jul 22 13:09:44 2016 -0700
msm: camera: isp: Fix an issue in ispif
The ispif hardware reset in the stramoff() is not correct.
The ispif hardware reset can only be done at the open/close
ispif node. This change is to remove the hardware reset during
the streamoff which causes the issue in the PIP use case.
BUG=30866777
Change-Id: I5a7428b7ac76c6b360d0a97c07473886170d8e65
Signed-off-by: Jing Zhou <[email protected]>
Signed-off-by: Ranjith Kagathi Ananda <[email protected]>
drivers/media/platform/msm/camera_v2/ispif/msm_ispif.c | 2 --
1 file changed, 2 deletions(-)
commit 2768e8234dc65722b707fbb71f065bb183e8204f
Author: Ranjith Kagathi Ananda <[email protected]>
Date: Mon May 2 12:42:56 2016 -0700
msm: camera: isp: Fix the preview split issue
This change fixes the preview split issue when overflow recovery
procedure is triggered in daul vfe case.The current procedure will
cause the vfe pipeline violation after the recovery. This causes
the WM between two VFE out of sync. The new procedure will eliminate
the pipeline violation so the split will never happen.
BUG=30866777
CRs-Fixed: 1018298
Change-Id: Ie30c5c3224a654a49af8b62bc17f94cc7a790430
Signed-off-by: Jing Zhou <[email protected]>
Signed-off-by: Ranjith Kagathi Ananda <[email protected]>
drivers/media/platform/msm/camera_v2/isp/msm_isp.h | 1 +
.../media/platform/msm/camera_v2/isp/msm_isp40.c | 28 ++--
.../media/platform/msm/camera_v2/isp/msm_isp44.c | 28 ++--
.../media/platform/msm/camera_v2/isp/msm_isp46.c | 32 +++--
.../media/platform/msm/camera_v2/isp/msm_isp47.c | 52 ++++---
.../platform/msm/camera_v2/isp/msm_isp_axi_util.c | 39 +++---
.../platform/msm/camera_v2/isp/msm_isp_util.c | 32 ++++-
.../media/platform/msm/camera_v2/ispif/msm_ispif.c | 151 +++------------------
8 files changed, 149 insertions(+), 214 deletions(-)
commit 75abb6903a74fc20420b5c932a8c664644fac9e9
Author: bradley_chen <[email protected]>
Date: Mon Jul 25 16:41:00 2016 +0800
platform:: qpnp-haptic: Correct logs printed condition
1. Correct VIB_ERR_LOG define form pr_error to pr_err.
2. Correct the log printed condition after writing QPNP_HAP_EN_CTL_REG
in qpnp_hap_mod_enable.
3. Change the log level to ERR if qpnp_hap_vmax_config failed
4. Change the log level to ERR and print only when sc_irq_count is not 0
in suspend adn resume function.
Bug: 30961838
Change-Id: I3266099a923722b3cd85c6a36fd3ec9410dc0824
Signed-off-by: bradley_chen <[email protected]>
drivers/platform/msm/qpnp-haptic.c | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
commit 35de94b5b694e857fd0c6df8295992465741bfee
Author: Dennis Cagle <[email protected]>
Date: Fri Aug 19 12:11:42 2016 -0700
msm: ipa: fix potential race condition ioctls
There are potential race condition ioctls in
the IPA driver when it copies the actual
arguments from the user-space memory to the
IPA-driver. The fix is to add check on the 2nd
copy to make sure the same payload size is copied
to the pre-allocated kernel memory as in during
the 1st copy.
Change-Id: I5a440f89153518507acdf5dad42625503732e59a
Signed-off-by: Skylar Chang <[email protected]>
Signed-off-by: Dennis Cagle <[email protected]>
drivers/platform/msm/ipa/ipa_v2/ipa.c | 226 +++++++++++++++++++++++++-----
drivers/platform/msm/ipa/ipa_v3/ipa.c | 257 +++++++++++++++++++++++++++++-----
2 files changed, 411 insertions(+), 72 deletions(-)
commit 0e703cfaa8d16e93c1732be1abfb05df5db41704
Author: Arve Hjønnevåg <[email protected]>
Date: Fri Aug 12 16:04:28 2016 -0700
ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
Prevents leaking pointers between processes
BUG: 30768347
Change-Id: Id898076926f658a1b8b27a3ccb848756b36de4ca
Signed-off-by: Arve Hjønnevåg <[email protected]>
drivers/staging/android/binder.c | 5 +++++
1 file changed, 5 insertions(+)
commit 502298e0050705dd3f3d65f58dbd00a998f27a58
Author: Arve Hjønnevåg <[email protected]>
Date: Tue Aug 2 15:40:39 2016 -0700
ANDROID: binder: Add strong ref checks
Prevent using a binder_ref with only weak references where a strong
reference is required.
BUG: 30445380
Change-Id: I66c15b066808f28bd27bfe50fd0e03ff45a09fca
Signed-off-by: Arve Hjønnevåg <[email protected]>
drivers/staging/android/binder.c | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
commit de5cc248096f1b2b0c2adc56e5f8972de138d6cc
Author: Patrick Tjin <[email protected]>
Date: Mon Aug 22 09:01:25 2016 -0700
Branch kernel for NDR Factory ROM
Change-Id: I7f71f70489b2d5c7b9a96ca1cb20bbcc86d96b3a
build.config | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment