- Jan 20, 2016
-
-
Yevgeny Pats authored
(cherry pick from commit 23567fd0)

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already set as its session, we leak a keyring reference.

This can be tested with the following program:

    #include <stddef.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <keyutils.h>

    int main(int argc, const char *argv[])
    {
        int i = 0;
        key_serial_t serial;

        serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring");
        if (serial < 0) {
            perror("keyctl");
            return -1;
        }

        if (keyctl(KEYCTL_SETPERM, serial, KEY_POS_ALL | KEY_USR_ALL) < 0) {
            perror("keyctl");
            return -1;
        }

        for (i = 0; i < 100; i++) {
            serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING, "leaked-keyring");
            if (serial < 0) {
                perror("keyctl");
                return -1;
            }
        }

        return 0;
    }

If, after the program has run, there is something like the following line in /proc/keys:

    3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run, then the kernel is malfunctioning. If leaked-keyring has zero usages or has been garbage collected, then the problem is fixed.

Bug: 26636379
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: I10177a58a7b3178eda95017557edaa7298594d06
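The /proc/keys check the commit message describes, as an added Python helper that is not part of the commit: it parses /proc/keys lines and reports whether the leaked-keyring usage count matches the leak signature (about 100 references retained per run of the test program). The sample input is constructed; its first line is the one quoted in the message, the second is an invented per-user keyring.

```python
import re

# /proc/keys columns: serial flags usage timeout perms uid gid type description
_PROC_KEYS_RE = re.compile(
    r"^(?P<serial>[0-9a-f]+)\s+(?P<flags>\S+)\s+(?P<usage>\d+)\s+(?P<timeout>\S+)\s+"
    r"(?P<perm>[0-9a-f]{8})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+(?P<type>\S+)\s+(?P<desc>.*)$"
)

# Constructed /proc/keys excerpt: line 1 is the commit's example, line 2 is made up.
SAMPLE_PROC_KEYS = """\
3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
0ec7a4ab I--Q---   1 perm 1f3f0000 1000 65534 keyring _uid.1000: empty
"""


def parse_proc_keys(text):
    """Parse /proc/keys text into one dict per key; lines that do not match are skipped."""
    keys = []
    for line in text.splitlines():
        m = _PROC_KEYS_RE.match(line.strip())
        if not m:
            continue
        k = m.groupdict()
        for field in ("usage", "uid", "gid"):
            k[field] = int(k[field])
        keys.append(k)
    return keys


def keyring_usage(text, name="leaked-keyring"):
    """Usage count of the named keyring, or None if it is gone (garbage collected)."""
    for k in parse_proc_keys(text):
        # The description column is "<name>: <payload summary>"; match the name part only.
        if k["type"] == "keyring" and k["desc"].split(":", 1)[0] == name:
            return k["usage"]
    return None


def kernel_leaks(text, runs, joins_per_run=100):
    """True when the usage count shows the leak: >= joins_per_run references per run."""
    usage = keyring_usage(text)
    return usage is not None and usage >= joins_per_run * runs


def check_proc_keys(runs, path="/proc/keys"):
    """Apply the check on a live system after the test program has been run `runs` times."""
    with open(path) as f:
        return kernel_leaks(f.read(), runs)
```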
-
- Jan 13, 2016
-
-
Kirill A. Shutemov authored
(cherry pick from commit ab676b7d)

As pointed out by a recent post[1] on exploiting DRAM physical imperfection, /proc/PID/pagemap exposes sensitive information which can be used to do attacks.

This disallows anybody without CAP_SYS_ADMIN from reading the pagemap.

[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html

[ Eventually we might want to do anything more fine-grained, but for now this is the simple model. - Linus ]

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Konstantin Khlebnikov <khlebnikov@openvz.org>
Acked-by: Andy Lutomirski <luto@amacapital.net>
Cc: Pavel Emelyanov <xemul@parallels.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Mark Seaborn <mseaborn@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 26038659
Change-Id: I122aa8113f1d7cfddad47bc04ad809f07563b422
-
- Jan 08, 2016
-
-
Vasily Kulikov authored
Poison pointer values should be small enough to find room in non-mmap'able/hardly-mmap'able space. E.g. on x86 "poison pointer space" is located starting from 0x0. Given unprivileged users cannot mmap anything below mmap_min_addr, it should be safe to use poison pointers lower than mmap_min_addr.

The current poison pointer values of LIST_POISON{1,2} might be too big for mmap_min_addr values equal to or less than 1 MB (common case, e.g. Ubuntu uses only 0x10000). There is little point in using such a big value given the "poison pointer space" below 1 MB is not yet exhausted. Changing it to a smaller value solves the problem for small mmap_min_addr setups.

The values are suggested by Solar Designer: http://www.openwall.com/lists/oss-security/2015/05/02/6

Bug: 26186802
Change-Id: I88328e7fbe8aba1fd0c5dae27649253f0e74a58d
Signed-off-by: Yuan Lin <yualin@google.com>
-
- Dec 21, 2015
-
-
Wish Wu authored
Prevent unintended kernel NULL pointer dereferencing.

Code:

    hlist_del_rcu(&event->hlist_entry);

Fix: add a pointer check:

    if (!hlist_unhashed(&p_event->hlist_entry))
        hlist_del_rcu(&p_event->hlist_entry);

Bug: 25364034
Change-Id: Ib13a7400d4a36a4b08b0afc9b7d69c6027e741b6
Signed-off-by: Yuan Lin <yualin@google.com>
-
- Dec 09, 2015
-
-
Patrick Tjin authored
Check the datalen field is less than the size of packet received from the network. Bug: 25306181 Bug: 25682871 Signed-off-by: Patrick Tjin <pattjin@google.com> Change-Id: I3b021d88a95bd7d4e6e0d745d2527d73487bcadc
-
chengjia4574 authored
Current array-bound-check does not cover all cases. An attacker can use this loophole to redirect $PC to attacker-controlled functions. The fix is to move the existing array-bound-check to a later location to cover all cases. Bug: 25773204 Change-Id: I947c872bf3c39dfdd13f029b2fbbb81874a8bca6 Signed-off-by: Yuan Lin <yualin@google.com>
-
- Dec 01, 2015
-
-
dataanddreams authored
These two checks prevent exploitable buffer overflows in two scenarios.

1. Long WPS_ID_DEVICE_NAME in WPS info elements
2. Invalid SSID determined in certain scan results

Bug: 25258438
Change-Id: I63348c6a14914194b6bd27057075d6c9071b6e1d
-
- Nov 04, 2015
-
-
Ashwin authored
Protect access to the sched_scan_req ptr Bug: 25394415 Change-Id: Idbcea74344c4c1a85a4f80a6ff90585ec176bee2 Signed-off-by: Ashwin <ashwin.bhat@broadcom.com> Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
-
- Nov 02, 2015
-
-
Ashwin authored
Remove ptr clearance so as to allow sched scan results as long as supplicant doesn't issue stop. Bug: 25394415 Change-Id: I19b38bfad5216f5fb6cd7bc21c986f9fdd0b9e19 Signed-off-by: Ashwin <ashwin.bhat@broadcom.com> Signed-off-by: Dmitry Shmidt <dimitrysh@google.com> (cherry picked from commit 24a3715f)
-
- Oct 22, 2015
-
-
Subash Abhinov Kasiviswanathan authored
skb_clone does not copy all fields from original skb. Fields which are uninitialized may cause unexpected behavior when they are passed down to network stack. In case ndisc_nodetype is set to a random value for a router advertisement, kernel looks at this field and drops it assuming that this packet originates from a node and not a router. Fix this by copying the ndisc_nodetype from the original skb rather than relying on an uninitialized cloned skb. Bug: 24810548 Change-Id: I9686e31808c94a3bbf309007f521c0e06bac2e96 Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> (cherry picked from commit 33175b05)
-
Patrick Tjin authored
Signed-off-by: Patrick Tjin <pattjin@google.com>
-
- Oct 15, 2015
-
-
Patrick Tjin authored
Limit the size of copy to the minimum of what was asked for or the number of results returned to prevent leaking of uninitialized kernel memory to userspace. Bug: 24157888 Signed-off-by: Patrick Tjin <pattjin@google.com> Change-Id: I410dfb80e04b0ee8484f9835933d4be090eea74e
-
Eric Dumazet authored
SYN_RECV & TIMEWAIT sockets are not full blown, they do not have a pinet6 pointer. Bug: 24163529 Change-Id: I6ce67a190d67d200c6ebeb81d2daeb9c86cd7581 Fixes: ca6fb065 ("tcp: attach SYNACK messages to request sockets instead of listener") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
-
Eric Dumazet authored
We have many places where we want to check if a socket is not a timewait or request socket. Use a helper to avoid hard coding this. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> [backported from net-next 1d0ab253] [lorenzo@google.com: removed TCPF_NEW_SYN_RECV, and added a comment to add it back.] Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Bug: 24163529 Change-Id: Ibf09017e1ab00af5e6925273117c335d7f515d73
-
- Oct 14, 2015
-
-
Manfred Spraul authored
(cherry pick from commit e8577d1f) ipc_addid() makes a new ipc identifier visible to everyone. New objects start as locked, so that the caller can complete the initialization after the call. Within struct sem_array, at least sma->sem_base and sma->sem_nsems are accessed without any locks, therefore this approach doesn't work. Thus: Move the ipc_addid() to the end of the initialization. Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reported-by: Rik van Riel <riel@redhat.com> Acked-by: Rik van Riel <riel@redhat.com> Acked-by: Davidlohr Bueso <dave@stgolabs.net> Acked-by: Rafael Aquini <aquini@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Mark Salyzyn <salyzyn@google.com> Bug: 24551430 Change-Id: I36a8cc2281dfd68e9a399695f1d7e7b038e105d0
-
Patrick Tjin authored
System V IPCs are not compliant with Android's application lifecycle because allocated resources are not freeable by the low memory killer. This leads to global kernel resource leakage.

For example, there is no way to automatically release a SysV semaphore allocated in the kernel when:

- a buggy or malicious process exits
- a non-buggy and non-malicious process crashes or is explicitly killed.

Killing processes automatically to make room for new ones is an important part of Android's application lifecycle implementation. This means that, even assuming only non-buggy and non-malicious code, it is very likely that over time, the kernel global tables used to implement SysV IPCs will fill up.

BUG: 24551430
BUG: 22300191
Signed-off-by: Patrick Tjin <pattjin@google.com>
Change-Id: Ib3ae565ccb75bb90e337742969e40b05ca71847f
-
- Oct 12, 2015
-
-
Patrick Tjin authored
Don't disable preemption until after mmput since mmput might sleep. Bug: 24452701 Signed-off-by: Patrick Tjin <pattjin@google.com>
-
Riley Andrews authored
Change-Id: I90fe02cdedb8a5677b900a68528fb443b9204322 Signed-off-by: Riley Andrews <riandrews@google.com>
-
Riley Andrews authored
Use wake_up_interruptible_sync() to hint to the scheduler that binder transactions are synchronous wakeups. Disable preemption while waking to avoid ping-ponging on the binder lock. Change-Id: Ic406a232d0873662f80148e37acefe5243d912a0
-
- Oct 08, 2015
-
-
Riley Andrews authored
This deliberately changes the behavior of the per-cpuset cpus file to not be affected by hotplug. When a cpu is offlined, it will be removed from the cpuset/cpus file. When a cpu is onlined, if the cpuset originally requested that that cpu was part of the cpuset, that cpu will be restored to the cpuset. The cpus files still have to be hierarchical, but the ranges no longer have to be out of the currently online cpus, just the physically present cpus. Change-Id: I3efbae24a1f6384be1e603fb56f0d3baef61d924
-
Riley Andrews authored
Change-Id: Ic1b61b2bbb7ce74c9e9422b5e22ee9078251de21
-
Tim Murray authored
Enables cpusets for Shamu. Bug: 24773526 Change-Id: Ia0b146f5848a6a790399a683b8b4d20ac498964f
-
Praveen Chavan authored
When encoder clients specify the color space, the resulting bitstream will have the color space embedded in it. This allows for the decoder to display the picture accurately without the color being skewed. Similarly decoder clients can query the color space of the bitstream by enabling MSM_VIDC_EXTRADATA_VUI_DISPLAY_INFO. If the bitstream contains the colorspace hint, the appropriate extradata will be emitted by the decoder. Author: Deva Ramasubramanian <dramasub@codeaurora.org> Change-Id: I83a3e28b13c3aa306e7cc2d1552a6d39c0d3d49f Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org> Signed-off-by: Praveen Chavan <pchavan@codeaurora.org>
-
- Aug 31, 2015
-
-
Ecco Park authored
Bug: 21372067 Change-Id: I54ea42a77e8c69011fa71755b0bc08e11919ee43 Signed-off-by: Ecco Park <eccopark@broadcom.com> Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
-
- Aug 28, 2015
-
-
Ashwin authored
Do not conditionally compile the individual vendor events because the removal of one can cause __cfg80211_alloc_event_skb() to put the next event's ID from vendor_events[] array. Bug: 23556192 Change-Id: Ib187c17756b81ceab02f42bc797ff9ff37b2a3c8 Signed-off-by: Ashwin <ashwin.bhat@broadcom.com> Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
-
- Aug 25, 2015
-
-
Ashwin authored
Added an extra check to see if FW is up and running before we try to set up SAR, and if it is not, return an error. Bug: 23464710 Bug: 23481741 Change-Id: If3bab41594995baffc5749d6f431ec10bcfd8a66 Signed-off-by: Ashwin <ashwin.bhat@broadcom.com> Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
-
- Aug 19, 2015
-
-
Ashwin authored
Crash will be seen if we try to get FW memdump when bus is down. Bug 23190001 Change-Id: I7f77419555e66e7973c7097703d47a2dcf24205f Signed-off-by: Ashwin <ashwin.bhat@broadcom.com>
-
Ashwin authored
Tag ch144 as DFS bug 22602374 Change-Id: I82c8c199f244020ceaffe97e84fda60ef484b101 Signed-off-by: Ashwin <ashwin.bhat@broadcom.com>
-
Jerry Lee authored
b/23286899 Save previous value first and then change to KERNEL_DS address limit Change-Id: I4e375319d68ba880b302fc5db5a5f548612cec7e Signed-off-by: Jerry Lee <jerrylee@broadcom.com>
-
- Aug 18, 2015
-
-
Ashwin authored
Auto recovery was turned off for debug purposes, turning it back on. Bug: 23190001 Change-Id: Ie9e3bf9921d99db3efaddbf932d6f39894c6021d Signed-off-by: Ashwin <ashwin.bhat@broadcom.com> Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
-
- Aug 17, 2015
-
-
Dmitry Shmidt authored
Bug: 22339691 Change-Id: If72c8f2ad7c347d038a318601429f89b86a8db3c Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
-
- Aug 13, 2015
-
-
Lorenzo Colitti authored
Bug: 23016816 Change-Id: I3d05a282982837dd0b020a9b4904df89063dfa59
-
- Aug 12, 2015
-
-
Lorenzo Colitti authored
kernel/sched/core.c calls acct_update_power, but that function is only compiled if CONFIG_CPU_FREQ_STAT is enabled. This breaks the ability to run kernel unit tests because the kernel won't link on ARCH=um. #ifdef out the code on ARCH=um. BUG=21498425 BUG=23016816 Change-Id: I7a95c842ac7eb9017d5e2ff554c9ab8a011a3e4d Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
-
- Aug 07, 2015
-
-
Sasha Levitskiy authored
Change-Id: Ie27ec46f63bcf01c5bee0661e41266c2058a30c8 Signed-off-by: Sasha Levitskiy <sanek@google.com>
-
Ecco park authored
P2P NOA was not working because action NONE is sent instead of DOZE Change-Id: I1ca7a70970d972fb39a60422df3ec3d2378c11dc Signed-off-by: Gautams <gautams@broadcom.com>
-
Ruchi Kandoi authored
Bug: 22368519 Change-Id: I9dd0262111d50079a7df371716508ea66e272337 Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
-
- Aug 06, 2015
-
-
Insun Song authored
1) bug: 22657897 Set correct sequence setting LTR/ASPM bit to prevent DPM timeout error. Bug: 22916761 Change-Id: I33f23e4f43324c9c4dab0f0c0e0868c338f59ae2 Signed-off-by: Insun Song <isong@broadcom.com>
-
Ecco Park authored
1) Bug: 22339691
2) Prioritize EAPOL packets to avoid delay in the processing of EAPOL packets in case of high data traffic
3) This code is required to work with new FW (7.35.79.96)

Signed-off-by: Ecco Park <eccopark@broadcom.com>
Change-Id: I65e03b57ba2f23c60d8fa663df5843abc0ee34fe
-
- Aug 04, 2015
-
-
Ecco Park authored
1) Bug: 22808829
2) Device will wake up at every other DTIM on screen off. However, the extended DTIM skip period will not be bigger than 400ms. So, if the DTIM interval is 300ms, device will still wake up at every DTIM on screen off because of the 400ms limitation.

Signed-off-by: Ecco Park <eccopark@broadcom.com>
Change-Id: I8ad0d453b756797a3c9f1c575c65b303842355f3
-
Ravi Vembu authored
Add entry in the device tree to enable Maxim empty learning feature and set lavg_empty register to Battery_capacity/4. Empty Learning is a feature to correct SOC Errors in Aged batteries. Signed-off-by: Ravi Vembu <raviv@motorola.com>
-