- Jun 03, 2016
yanghong1 authored
- fix new tp slow reaction problem - fix tp auto-jump with 10 points bug:29118543 Change-Id: I2a3d515fda2b460b9c0fc2e9e803273e7a94f13b Signed-off-by: yanghong1 <yanghong1@longcheer.net>
-
- May 25, 2016
Divya Ponnusamy authored
If the ioctl syncsource_destroy is accessed by parallel threads, where the spinlock is acquired by threads after getting syncsource, then the simultaneous processes try to remove the already destroyed syncsource->refcount by the first thread that acquires this spinlock. This leads to race condition while removing syncsource->idr. Avoid separate lock inside getting syncsource, instead acquire spinlock before we get the syncsource in destroy ioctl so that the threads access the spinlock and operate on syncsource without use-after-free issue. Change-Id: I6add3800c40cd09f6e6e0cf2720e69059bd83cbc Signed-off-by: Divya Ponnusamy <pdivya@codeaurora.org>
-
Alan Stern authored
(cherry pick from commit e50293ef)

Commit 8520f380 ("USB: change hub initialization sleeps to delayed_work") changed the hub_activate() routine to make part of it run in a workqueue. However, the commit failed to take a reference to the usb_hub structure or to lock the hub interface while doing so. As a result, if a hub is plugged in and quickly unplugged before the work routine can run, the routine will try to access memory that has been deallocated. Or, if the hub is unplugged while the routine is running, the memory may be deallocated while it is in active use.

This patch fixes the problem by taking a reference to the usb_hub at the start of hub_activate() and releasing it at the end (when the work is finished), and by locking the hub interface while the work routine is running. It also adds a check at the start of the routine to see if the hub has already been disconnected, in which case nothing should be done.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
Fixes: 8520f380 ("USB: change hub initialization sleeps to delayed_work")
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 28712303
Change-Id: Id91be8695d4dc68d726dc0d87504912dd85915d0
-
Greg Kroah-Hartman authored
commit ff19ac8f upstream In Linus's tree, the iovec code has been reworked massively, but in older kernels the AIO layer should be checking this before passing the request on to other layers. Many thanks to Ben Hawkes of Google Project Zero for pointing out the issue. Bug: 28588279 Reported-by: Ben Hawkes <hawkes@google.com> Acked-by: Benjamin LaHaise <bcrl@kvack.org> Tested-by: Willy Tarreau <w@1wt.eu> [backported to 3.10 - willy] Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Icf8b8d26a52ed579075e86d58e637cf510749307
-
Hariprasad Dhalinarasimha authored
Check if there is no integer overflow before using req_len and resp_len (received from user space). If an overflow is detected then exit the operation. Bug: 28571496 Change-Id: I0459a6992bb3b280db42be63a275c55fa6105b1c Signed-off-by: Hariprasad Dhalinarasimha <hnamgund@codeaurora.org>
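The overflow check this commit describes, written out as an added example; it is not the driver's code. The 32-bit lengths, the MAX_XFER_LEN bound and the function names are assumptions, chosen to show how a wrapped sum slips past a naive size check and how checking for the wrap first catches it:

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed upper bound on a combined request/response buffer; the
 * driver's real limit is not stated in the commit message. */
#define MAX_XFER_LEN 4096u

/*
 * Naive version: adds the two user-supplied 32-bit lengths and then checks
 * the sum. The addition wraps modulo 2^32, so a huge req_len plus a small
 * resp_len passes the bound while the caller later indexes far past the
 * buffer using the original, unwrapped req_len.
 */
static int xfer_len_naive(uint32_t req_len, uint32_t resp_len, uint32_t *total)
{
    uint32_t sum = req_len + resp_len;     /* may wrap */
    if (sum > MAX_XFER_LEN)
        return -EINVAL;
    *total = sum;
    return 0;
}

/*
 * Hardened version: detect the wrap before the sum is used, then apply the
 * bound. UINT32_MAX - req_len < resp_len is the portable wrap test for
 * unsigned addition and has no undefined behaviour.
 */
static int xfer_len_checked(uint32_t req_len, uint32_t resp_len, uint32_t *total)
{
    if (UINT32_MAX - req_len < resp_len)
        return -EOVERFLOW;                  /* req_len + resp_len would wrap */
    if (req_len + resp_len > MAX_XFER_LEN)
        return -EINVAL;
    *total = req_len + resp_len;
    return 0;
}

int main(void)
{
    uint32_t total = 0;
    int rc = xfer_len_naive(0xFFFFFFF0u, 0x20u, &total);
    printf("naive:   rc=%d total=%u (wrapped sum accepted)\n", rc, total);
    rc = xfer_len_checked(0xFFFFFFF0u, 0x20u, &total);
    printf("checked: rc=%d (%s)\n", rc,
           rc == -EOVERFLOW ? "wrap rejected" : "accepted");
    return 0;
}
```

Widening to size_t does not help on the 32-bit ARM kernels this tree targets, where size_t is also 32 bits; the explicit wrap test (or GCC's __builtin_add_overflow) is what actually closes the hole.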
-
Thierry Strudel authored
This reverts commit f72129c2. Bug: 28557020 Change-Id: I4e5bde6b9ee86ce27692add6da7e4dc3dc9751d6 Signed-off-by: Thierry Strudel <tstrudel@google.com>
-
- May 20, 2016
Peter Hurley authored
(cherry pick from commit 5c17c861) ioctl(TIOCGETD) retrieves the line discipline id directly from the ldisc because the line discipline id (c_line) in termios is untrustworthy; userspace may have set termios via ioctl(TCSETS*) without actually changing the line discipline via ioctl(TIOCSETD). However, directly accessing the current ldisc via tty->ldisc is unsafe; the ldisc ptr dereferenced may be stale if the line discipline is changing via ioctl(TIOCSETD) or hangup. Wait for the line discipline reference (just like read() or write()) to retrieve the "current" line discipline id. Cc: <stable@vger.kernel.org> Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 28409131 Change-Id: I8e0a1c6cd51f2cc05ee45995c7ac05cd770c650b
-
Vijayavardhan Vennapusa authored
User can pass arguments as part of write to requests and endpoint number will be calculated based on the arguments. There is a chance that driver can access ep structure that is not allocated due to invalid arguments passed by user. Hence fix the issue by having check and return error in case of invalid arguments. Bug: 28172322 Change-Id: I060ea878b55ce0f9983b91c50e58718c8a2c2fa1 Signed-off-by: Vijayavardhan Vennapusa <vvreddy@qti.qualcomm.com>
-
Veena Sambasivan authored
During a perf_event_enable, kernel/events/core.c calls pmu->add() which is the platform implementation (arch/arm/kernel/perf_event.c). Due to the duplicate constraints, the arch/arm/mach-msm/perf_event_msm_krait_l2.c driver marks the event as OFF but returns TRUE to perf_event.c, which goes ahead and allocates the hw_event and enables it. Since the event is marked OFF, the kernel events core will try to enable this event again during the next perf_event_enable, which results in the same event being enabled on multiple hw_events. But during the perf_release, the event struct is freed and only one hw_event is released. This results in dereferencing the invalid pointer and hence the crash.

Fix this by returning an error in case of a constraint event duplicate, hence avoiding the same event being programmed on multiple hw event counters.

Change-Id: Ia3360be027dfe87ac753191ffe7e0bc947e72455
Signed-off-by: Arun KS <arunks@codeaurora.org>
Signed-off-by: Veena Sambasivan <veenas@codeaurora.org>
-
Rajesh Bondugula authored
step_boundary can take values up to the total_steps. Validate the step_boundary before consuming it. Convert the type of step_index and region_index to uint16_t; step_index and region_index cannot be negative. CRs-Fixed: 1001092 Change-Id: I1f23fd6f28bb897824a1ef99a8873b9f986eee70 Signed-off-by: Rajesh Bondugula <rajeshb@codeaurora.org>
-
Veena Sambasivan authored
If user tries to send SMD data more than the driver buffer can handle then fail the same and print error message. This smd_write is exposed to userspace through ioctl using a misc device. Bug: 27657963 Change-Id: Ie8a1c1c0799cd10cef512ad6b1e1e95001dd43b2 Signed-off-by: Manu Gautam <mgautam@codeaurora.org> Signed-off-by: Veena Sambasivan <veenas@codeaurora.org>
-
Mohamad Ayyash authored
BUG: 27577101 BUG: 27532522 Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
-
- May 03, 2016
yanghong1 authored
add booyi otm1287 sec panel driver init code Touchscreen: support booyi-himax module - firmware version: 0x15 - Increase i2c rate for touchscreen - add 10 point - fix tp bug Change-Id: I3e08bec2c5c59c4f58d977a835985a64fa6c0fe7 Signed-off-by: yanghong1 <yanghong1@longcheer.net>
-
- Apr 21, 2016
Ravi Kumar Alamanda authored
- disable compilation of unwanted modules Bug: 27976772 Bug: 27531992 Change-Id: I9df4efd899032fb9219a286fe469d7b2f476686f Signed-off-by: vivek mehta <mvivek@codeaurora.org>
-
Robb Glasser authored
Presently we are not validating the length of the essid received and directly copying the buffer without size checking. Perform bounds checking before processing the scan req. Change-Id: I786e4feb67bf039df3d217138a412da54f51787d CRs-fixed: 890228
-
Robb Glasser authored
Userspace supplies the actual number of used VFEs in session to ISPIF. Validate the userspace input value and if found to be invalid, return error. CRs-Fixed: 898074 Signed-off-by: Venu Yeshala <vyeshala@codeaurora.org> Signed-off-by: Suman Mukherjee <sumam@codeaurora.org> Change-Id: I3288ddb6404e817a705a92281b4c54666f372c56
-
- Apr 20, 2016
Rajesh Kemisetti authored
In _kgsl_sharedmem_page_alloc(): - Make len of type size_t to be in line with size. - Check for boundary limits of requested alloc size before honoring. - Make sure sglen is greater than zero before marking it as end of sg list. Bug: 27804025 Change-Id: I8b9e225e515a0f31593df6f4cad253236475d0ae Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
-
Robb Glasser authored
Set the number of IE fields to minimum of input data and SIR_ESE_MAX_MEAS_IE_REQS. Change-Id: Ie53cfec7872ab69530bbb8932f9f9e85fb319f92 CRs-Fixed: 993561 Bug: 27424603 Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org> Signed-off-by: Thierry Strudel <tstrudel@google.com>
-
Adrian Salido-Moreno authored
There are few cases where the count argument passed by the user space is not validated, which can potentially lead to out of bounds or overflow issues. In some cases, kernel might copy more data than what is requested. Add necessary checks to avoid such cases. BUG=27407865 Change-Id: Idaac148e9c2c82408c4cf4a867e92fca3a6b5429 Signed-off-by: Veera Sundaram Sankaran <veeras@codeaurora.org> Signed-off-by: Adrian Salido-Moreno <adrianm@codeaurora.org>
-
Robb Glasser authored
In adreno_perfcounter_query_group() make sure to cast the user passed count to an unsigned int before comparing it to the group count. Otherwise the user count could be interpreted as a signed int and hilarity ensues. Change-Id: Ie86da3d2a0cc2647ddf865d3f56e7925522246a0 Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org> Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
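The signed-versus-unsigned comparison this commit fixes, as an added example that is not KGSL's code. The GROUP_REG_COUNT constant, the function names and the min-style clamp are assumptions; the point shown is that a negative count compared as a signed int survives the clamp and becomes an enormous size the moment it is used as one:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed: one perfcounter group with a fixed register count. The real
 * KGSL group layout is not reproduced here. */
#define GROUP_REG_COUNT 18u

/*
 * Buggy clamp: `count` arrives from user space as a signed int and is
 * compared as signed. A negative count is "less than" reg_count, so it is
 * passed through, and only later (as a copy length or loop bound) is it
 * converted to an unsigned size, where -1 becomes SIZE_MAX.
 */
static size_t clamp_count_signed(int count, unsigned int reg_count)
{
    int t = (count < (int)reg_count) ? count : (int)reg_count;
    return (size_t)t;                     /* -1 -> SIZE_MAX */
}

/*
 * Fixed clamp: convert to unsigned before comparing. -1 becomes UINT_MAX,
 * which is larger than reg_count, so the clamp returns reg_count and the
 * caller never sees a bound bigger than the group.
 */
static size_t clamp_count_unsigned(int count, unsigned int reg_count)
{
    unsigned int u = (unsigned int)count;
    return (size_t)(u < reg_count ? u : reg_count);
}

/*
 * Consumer of the clamped value: fill up to `n` entries of a caller-sized
 * output array. Returns entries written, or -1 when the request does not fit,
 * which is where the signed clamp's SIZE_MAX would otherwise overrun `out`.
 */
static long fill_counters(unsigned int *out, size_t out_cap, size_t n)
{
    if (n > out_cap)
        return -1;
    for (size_t i = 0; i < n; i++)
        out[i] = (unsigned int)i;         /* stand-in for a counter readback */
    return (long)n;
}

int main(void)
{
    unsigned int regs[GROUP_REG_COUNT];
    int user_count = -1;                  /* attacker-controlled ioctl argument */

    size_t bad = clamp_count_signed(user_count, GROUP_REG_COUNT);
    size_t good = clamp_count_unsigned(user_count, GROUP_REG_COUNT);
    printf("signed clamp:   %zu entries -> fill rc=%ld\n", bad,
           fill_counters(regs, GROUP_REG_COUNT, bad));
    printf("unsigned clamp: %zu entries -> fill rc=%ld\n", good,
           fill_counters(regs, GROUP_REG_COUNT, good));
    return 0;
}
```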
-
Ravi Kumar Alamanda authored
Fix overwrite of updt_params allocated in heap, and stack overread where param pointer is passed from user space. Bug: 27555177 Bug: 26876409 Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66 Signed-off-by: Ravi Kumar Alamanda <arkumar@codeaurora.org>
-
- Mar 25, 2016
Colin Cross authored
prctl_set_vma_anon_name could attempt to set the name across two vmas at the same time due to a typo, which might corrupt the vma list. Fix it to use tmp instead of end to limit the name setting to a single vma at a time. Reported-by: Jed Davis <jld@mozilla.com> Signed-off-by: Colin Cross <ccross@android.com> (cherry picked from commit 091ff4dc) Change-Id: I626f7b7b84885220a51daa76b8c40575dfa6fce0
-
Jeff Vander Stoep authored
Previous upstream *stable* fix 14f81062 was incomplete. A local process can trigger a system crash with an OOB read on buf. This occurs when the state of buf gets out of sync.

After an error in pipe_iov_copy_to_user() read_pipe may exit having updated buf->offset but not buf->len. Upon retrying pipe_read() while in pipe_iov_copy_to_user() *remaining will be larger than the space left after buf->offset e.g. *remaining = PAGE_SIZE, buf->len = PAGE_SIZE, buf->offset = 0x300.

This is fixed by not updating the state of buf->offset until after the full copy is completed, similar to how pipe_write() is implemented.

For stable kernels < 3.16.

Bug: 27721803
Change-Id: Idf224a5d09af55a42d0a5d31cf3d467bf73f49f5
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
-
- Mar 23, 2016
Robb Glasser authored
prima to qcacld-2.0 propagation Return failure to applications if genie ioctl is invoked to configure WPS/WPA/RSN IEs with arguments of improper length. Change-Id: I2e034ef9f2537922be35d46ce266e6b99dab7bb6 CRs-Fixed: 931451
-
Shawn Chang authored
This is a backport fix and the original patch from: https://github.com/CyanogenMod/android_kernel_sony_msm8960t/commit/d58f1eacbdf55946ec7062ab6e4df462bf30ef32 "Check for valid length before copying the packet filter data from userspace buffer to kernel space buffer to avoid buffer overflow issue.". It's a device driver related bug and it can be exploited. I've only tested it on Nexus 7 2013. Signed-off-by: Shawn Chang <citypw@gmail.com>
-
Takashi Iwai authored
A slave timer instance might be still accessible in a racy way while operating the master instance as it lacks locking. Since the master operation is mostly protected with timer->lock, we should cope with it while changing the slave instance, too.

Also, some linked lists (active_list and ack_list) of slave instances aren't unlinked immediately at stopping or closing, and this may lead to unexpected accesses.

This patch tries to address these issues. It adds spin lock of timer->lock (either from master or slave, which is equivalent) in a few places. For avoiding a deadlock, we ensure that the global slave_active_lock is always locked at first before each timer lock.

Also, ack and active_list of slave instances are properly unlinked at snd_timer_stop() and snd_timer_close().

Last but not least, remove the superfluous call of _snd_timer_stop() at removing slave links. This is a noop, and calling it may confuse readers wrt locking. Further cleanup will follow in a later patch.

Actually we've got reports of use-after-free by syzkaller fuzzer, and this hopefully fixes these issues.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit b5a663aa)
Signed-off-by: Ben Zhang <benzh@chromium.org>
BUG=b:26636060
TEST=Build and boot Ryu
Change-Id: I02ec39c7a51d8b2b7948af899811d1bcd4ba8c02
Reviewed-on: https://chromium-review.googlesource.com/329044
Commit-Ready: Ben Zhang <benzh@chromium.org>
Tested-by: Ben Zhang <benzh@chromium.org>
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
-
Robb Glasser authored
Remove the buspm module from msm_bus since it adds no functionality to the bus bandwidth aggregation driver. It is a loadable module used for profiling purposes. Change-Id: I125cc734988101b9ae400be1d2fcb17852473191
-
- Mar 18, 2016
Ben Hutchings authored
pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec, the first time atomically and the second time not. The second attempt needs to continue from the iovec position, pipe buffer offset and remaining length where the first attempt failed, but currently the pipe buffer offset and remaining length are reset. This will corrupt the piped data (possibly also leading to an information leak between processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9 ("new helper: copy_page_from_iter()") and 637b58c2 ("switch pipe_read() to copy_page_to_iter()"), but those aren't suitable for stable. This fix for older kernel versions was made by Seth Jennings for RHEL and I have extracted it from their update.

CVE-2015-1805
Bug: 27275324
Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4
References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 85c34d007116f8a8aafb173966a605fb03532f45)
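The retry mistake described in this commit (and in the Mar 25 follow-up by Jeff Vander Stoep above), reproduced as an added user-space model; this is constructed illustration code, not the kernel's pipe.c. It assumes a two-segment iovec, a copy helper that advances the iovec as it writes (as the commit says the real one did), and a simulated fault after the first segment on the "atomic" attempt. The buggy retry restarts from the original offset and length while the iovec has already moved on, so the first bytes are delivered twice and the copy runs off the end of the iovec; the fixed retry resumes from where the first attempt stopped:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct iovec. */
struct iov_sim {
    char *base;
    size_t len;
};

/*
 * Copy up to `len` bytes from `from` into the iovec array, advancing each
 * segment's base/len as it goes. If `fault_at` is non-zero, a fault is
 * simulated once that many bytes have been written during this call: the
 * function returns the bytes written so far and leaves the iovec advanced
 * (the real helper returned -EFAULT at this point). Returns -1 if the
 * iovec array is exhausted, which in the kernel meant walking off its end.
 */
static long iov_copy_sim(struct iov_sim *iov, size_t iovcnt,
                         const char *from, size_t len, size_t fault_at)
{
    size_t done = 0, i = 0;

    while (len > 0) {
        while (i < iovcnt && iov[i].len == 0)
            i++;
        if (i == iovcnt)
            return -1;
        size_t copy = len < iov[i].len ? len : iov[i].len;
        if (fault_at && done + copy > fault_at)
            copy = fault_at - done;
        memcpy(iov[i].base, from, copy);
        from += copy;
        len -= copy;
        done += copy;
        iov[i].base += copy;
        iov[i].len -= copy;
        if (fault_at && done == fault_at)
            return (long)done;            /* simulated -EFAULT */
    }
    return (long)done;
}

/*
 * Deliver `chars` bytes of pipe data into a user buffer split into two iovec
 * segments. The first (atomic) attempt faults after the first segment.
 * fixed == 0: retry with the original offset and remaining length (the bug).
 * fixed != 0: retry from the position and length the first attempt reached.
 * Returns bytes delivered, or -1 if the retry ran off the iovec.
 */
static long pipe_read_sim(char *dst, size_t dstlen,
                          const char *pipebuf, size_t chars, int fixed)
{
    size_t half = dstlen / 2;
    struct iov_sim iov[2] = { { dst, half }, { dst + half, dstlen - half } };
    size_t offset = 0, remaining = chars;

    long n = iov_copy_sim(iov, 2, pipebuf + offset, remaining, half);
    if (n < 0)
        return -1;
    if ((size_t)n == chars)
        return n;                         /* no fault, nothing to retry */

    long delivered = n;
    if (fixed) {
        offset += (size_t)n;              /* resume in the pipe buffer ... */
        remaining -= (size_t)n;           /* ... with the length still owed */
    }
    n = iov_copy_sim(iov, 2, pipebuf + offset, remaining, 0);
    if (n < 0)
        return -1;
    return delivered + n;
}

int main(void)
{
    char buggy[8] = {0}, good[8] = {0};
    long rb = pipe_read_sim(buggy, sizeof buggy, "ABCDEFGH", 8, 0);
    long rg = pipe_read_sim(good, sizeof good, "ABCDEFGH", 8, 1);
    printf("buggy retry: rc=%ld data=%.8s\n", rb, buggy);
    printf("fixed retry: rc=%ld data=%.8s\n", rg, good);
    return 0;
}
```

In the model the exhausted iovec is reported as -1; in the kernel the equivalent condition was the memory corruption the commit warns about, since the helper kept walking past the end of the caller's iovec array.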
-
- Feb 26, 2016
Deva Ramasubramanian authored
Check for the exact number of planes that we advertised to the client rather than the worst-case checks. Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org> Change-Id: Ibaf705367db98beb0e01bb2c3087126cf2ba73e8 Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
-
- Jan 22, 2016
(cherry pick from commit ab676b7d)

As pointed out by a recent post[1] on exploiting DRAM physical imperfection, /proc/PID/pagemap exposes sensitive information which can be used to do attacks.

This disallows anybody without CAP_SYS_ADMIN to read the pagemap.

[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

[ Eventually we might want to do anything more finegrained, but for now this is the simple model. - Linus ]

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Cc: Pavel Emelyanov <xemul@parallels.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Seaborn <mseaborn@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 25739721
Change-Id: I5582c993dbeb0b7287e6d41b57e494d123d33083
Signed-off-by: Christian Bejram <cbejram@google.com>
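To see what this change withholds, here is an added example (not part of the commit or of the kernel) that decodes /proc/self/pagemap entries and looks up the entry for one of the caller's own pages. The entry layout follows the kernel's pagemap documentation (bits 0-54 PFN, bit 62 swapped, bit 63 present); the helper names are assumptions. On a kernel with this patch an unprivileged caller gets EPERM at open(); on kernels since 4.2 the file opens but the PFN field reads as zero without CAP_SYS_ADMIN, and the program distinguishes the two:

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* One 64-bit pagemap entry: bits 0-54 PFN (or swap type/offset when bit 62
 * is set), bit 55 soft-dirty, bit 61 file/shared-anon, bit 62 swapped,
 * bit 63 present. */
#define PAGEMAP_PFN_MASK ((1ULL << 55) - 1)
#define PAGEMAP_SWAPPED  (1ULL << 62)
#define PAGEMAP_PRESENT  (1ULL << 63)

struct pagemap_info {
    int present;
    int swapped;
    uint64_t pfn;   /* 0 when absent, swapped, or withheld from the caller */
};

static struct pagemap_info pagemap_decode(uint64_t entry)
{
    struct pagemap_info pi;
    pi.present = (entry & PAGEMAP_PRESENT) != 0;
    pi.swapped = (entry & PAGEMAP_SWAPPED) != 0;
    pi.pfn = (pi.present && !pi.swapped) ? (entry & PAGEMAP_PFN_MASK) : 0;
    return pi;
}

/*
 * Look up the pagemap entry covering `addr` in the caller's own address
 * space. Returns 1 and fills *pi on success, 0 if the kernel refused to open
 * the file (the behaviour this patch introduces for callers without
 * CAP_SYS_ADMIN), -1 on any other error. Entry index = addr / page size,
 * 8 bytes per entry.
 */
static int pagemap_lookup(const void *addr, struct pagemap_info *pi)
{
    long page = sysconf(_SC_PAGESIZE);
    uint64_t entry;
    off_t off;
    int fd;

    if (page <= 0)
        return -1;
    fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return (errno == EPERM || errno == EACCES) ? 0 : -1;
    off = (off_t)((uintptr_t)addr / (uintptr_t)page) * (off_t)sizeof entry;
    if (lseek(fd, off, SEEK_SET) != off ||
        read(fd, &entry, sizeof entry) != (ssize_t)sizeof entry) {
        close(fd);
        return -1;
    }
    close(fd);
    *pi = pagemap_decode(entry);
    return 1;
}

int main(void)
{
    static char probe[4096];
    struct pagemap_info pi;
    int rc;

    probe[0] = 1;                       /* touch the page so it is resident */
    rc = pagemap_lookup(probe, &pi);
    if (rc == 0)
        printf("pagemap: open refused; kernel restricts it to CAP_SYS_ADMIN\n");
    else if (rc < 0)
        printf("pagemap: error: %s\n", strerror(errno));
    else if (pi.present && pi.pfn == 0)
        printf("pagemap: readable but PFN withheld (post-4.2 unprivileged behaviour)\n");
    else
        printf("pagemap: present=%d swapped=%d pfn=0x%llx\n",
               pi.present, pi.swapped, (unsigned long long)pi.pfn);
    return 0;
}
```

A non-zero PFN printed by an unprivileged run is the condition the Rowhammer write-up relied on: the physical frame behind a user page is exactly what an attacker needs to aim a bit flip.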
-
(cherry pick from commit 8a5e5e02)

Poison pointer values should be small enough to find a room in non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space" is located starting from 0x0. Given unprivileged users cannot mmap anything below mmap_min_addr, it should be safe to use poison pointers lower than mmap_min_addr.

The current poison pointer values of LIST_POISON{1,2} might be too big for mmap_min_addr values equal or less than 1 MB (common case, e.g. Ubuntu uses only 0x10000). There is little point to use such a big value given the "poison pointer space" below 1 MB is not yet exhausted. Changing it to a smaller value solves the problem for small mmap_min_addr setups.

The values are suggested by Solar Designer: http://www.openwall.com/lists/oss-security/2015/05/02/6

Signed-off-by: Vasily Kulikov <segoon@openwall.com>
Cc: Solar Designer <solar@openwall.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Bug: 26429468
Bug: 26186802
Bug: 26429658
Bug: 26428990
Bug: 26429465
Bug: 26429464
Change-Id: I28bddf3d76b3f16a7b46a391cd2af851718fdb75
Signed-off-by: Christian Bejram <cbejram@google.com>
-
Prevent unintended kernel NULL pointer dereferencing.

Code:

    hlist_del_rcu(&event->hlist_entry);

Fix: adding pointer check:

    if (!hlist_unhashed(&p_event->hlist_entry))
        hlist_del_rcu(&p_event->hlist_entry);

Bug: 25364034
Change-Id: Ib13a7400d4a36a4b08b0afc9b7d69c6027e741b6
Signed-off-by: Yuan Lin <yualin@google.com>
Signed-off-by: Christian Bejram <cbejram@google.com>
-
(cherry pick from commit 23567fd0)

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already set as its session, we leak a keyring reference.

This can be tested with the following program:

    #include <stddef.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <keyutils.h>

    int main(int argc, const char *argv[])
    {
        int i = 0;
        key_serial_t serial;

        /* Create (and join) the session keyring once. */
        serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring");
        if (serial < 0) {
            perror("keyctl");
            return -1;
        }

        if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL) < 0) {
            perror("keyctl");
            return -1;
        }

        /* Re-join the keyring that is already our session; each call leaks one reference. */
        for (i = 0; i < 100; i++) {
            serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring");
            if (serial < 0) {
                perror("keyctl");
                return -1;
            }
        }

        return 0;
    }

If, after the program has run, there is something like the following line in /proc/keys:

    3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run, then the kernel is malfunctioning. If leaked-keyring has zero usages or has been garbage collected, then the problem is fixed.

Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: I10177a58a7b3178eda95017557edaa7298594d06
Bug: 26636379
Signed-off-by: Christian Bejram <cbejram@google.com>
-
LCM: optimize color for truly HX8394F panel Change-Id: Icf73a2a8d46567621738bccf19af9b9533e65a77 Signed-off-by: hexiaoqiang <hexiaoqiang@longcheer.net> (cherry picked from commit 659311d7)
-
LCM: add truly HX8394F panel LCM: enable esd function for truly HX8394F panel, Touchscreen: enable esd function for goodix GT615 Touchscreen: update goodix kernel config to V72 LCM: remove duplicated code Touchscreen: remove needless condition and use loop when fw burned. Touchscreen: set section flag when burning ss51 Bug=26329167 Change-Id: Ia3b2d8b78d8bf044b3dca3066d8379c2ff956198 Signed-off-by: hexiaoqiang <hexiaoqiang@longcheer.net> (cherry picked from commit 695be5e9)
-
- Oct 08, 2015
Daniel Rosenberg authored
Bug: 24551430 Change-Id: Ie2cec7a12325aeaeb846b930508d6e9218738765
-
Daniel Rosenberg authored
Change-Id: Idf9a8f740a8c6fa48b3f18d41f8e0ccf6015c934
-
- Oct 07, 2015
Linus Torvalds authored
(cherry pick from commit b9a53227)

As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before having initialized the IPC object state. Yes, we initialize the IPC object in a locked state, but with all the lockless RCU lookup work, that IPC object lock no longer means that the state cannot be seen.

We already did this for the IPC semaphore code (see commit e8577d1f: "ipc/sem.c: fully initialize sem_array before making it visible") but we clearly forgot about msg and shm.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 24551430
Change-Id: Ic7b980a6f2a79eb3c04fc43b6531c396645af1db
-
Manfred Spraul authored
ipc_addid() makes a new ipc identifier visible to everyone. New objects start as locked, so that the caller can complete the initialization after the call. Within struct sem_array, at least sma->sem_base and sma->sem_nsems are accessed without any locks, therefore this approach doesn't work. Thus: Move the ipc_addid() to the end of the initialization. Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reported-by: Rik van Riel <riel@redhat.com> Acked-by: Rik van Riel <riel@redhat.com> Acked-by: Davidlohr Bueso <dave@stgolabs.net> Acked-by: Rafael Aquini <aquini@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit e8577d1f)
-
- Sep 29, 2015
Christian Bejram authored
b/24287717 Change-Id: I8efbebff2f6f122f932b1ec9011f702acec39316
-