  7. Sep 02, 2024
      UPSTREAM: net: sched: sch_multiq: fix possible OOB write in multiq_tune() · 17e85e80
      Hangyu Hua authored
      
      [ Upstream commit affc18fd ]
      
      q->bands will be assigned to qopt->bands to execute subsequent code logic
      after kmalloc. So the old q->bands should not be used in kmalloc.
      Otherwise, an out-of-bounds write will occur.
      
      Bug: 349777785
      Fixes: c2999f7f ("net: sched: multiq: don't call qdisc_put() while holding tree lock")
      Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
      Acked-by: Cong Wang <cong.wang@bytedance.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      (cherry picked from commit 0f208fad86631e005754606c3ec80c0d44a11882)
      Signed-off-by: Lee Jones <joneslee@google.com>
      Change-Id: Iec8413c39878596795420ae58bbe6974890cf2de
      UPSTREAM: net: sched: sch_multiq: fix possible OOB write in multiq_tune() · 62d26972
      Hangyu Hua authored
      
      [ Upstream commit affc18fd ]
      
      q->bands will be assigned to qopt->bands to execute subsequent code logic
      after kmalloc. So the old q->bands should not be used in kmalloc.
      Otherwise, an out-of-bounds write will occur.
      
      Bug: 349777785
      Fixes: c2999f7f ("net: sched: multiq: don't call qdisc_put() while holding tree lock")
      Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
      Acked-by: Cong Wang <cong.wang@bytedance.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      (cherry picked from commit 0f208fad)
      Signed-off-by: Lee Jones <joneslee@google.com>
      Change-Id: Iec8413c39878596795420ae58bbe6974890cf2de
      FROMLIST: binder: fix UAF caused by offsets overwrite · 148d7d15
      Carlos Llamas authored
      
      Binder objects are processed and copied individually into the target
      buffer during transactions. Any raw data in-between these objects is
      copied as well. However, this raw data copy lacks an out-of-bounds
      check. If the raw data exceeds the data section size then the copy
      overwrites the offsets section. This eventually triggers an error that
      attempts to unwind the processed objects. However, at this point the
      offsets used to index these objects are now corrupted.
      
      Unwinding with corrupted offsets can result in decrements of arbitrary
      nodes and lead to their premature release. Other users of such nodes are
      left with a dangling pointer triggering a use-after-free. This issue is
      made evident by the following KASAN report (trimmed):
      
        ==================================================================
        BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
        Write of size 4 at addr ffff47fc91598f04 by task binder-util/743
      
        CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
        Hardware name: linux,dummy-virt (DT)
        Call trace:
         _raw_spin_lock+0xe4/0x19c
         binder_free_buf+0x128/0x434
         binder_thread_write+0x8a4/0x3260
         binder_ioctl+0x18f0/0x258c
        [...]
      
        Allocated by task 743:
         __kmalloc_cache_noprof+0x110/0x270
         binder_new_node+0x50/0x700
         binder_transaction+0x413c/0x6da8
         binder_thread_write+0x978/0x3260
         binder_ioctl+0x18f0/0x258c
        [...]
      
        Freed by task 745:
         kfree+0xbc/0x208
         binder_thread_read+0x1c5c/0x37d4
         binder_ioctl+0x16d8/0x258c
        [...]
        ==================================================================
      
      To avoid this issue, let's check that the raw data copy is within the
      boundaries of the data section.
      
      Fixes: 6d98eb95 ("binder: avoid potential data leakage when copying txn")
      Cc: Todd Kjos <tkjos@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Carlos Llamas <cmllamas@google.com>
      
      Bug: 352520660
      Link: https://lore.kernel.org/all/20240822182353.2129600-1-cmllamas@google.com/
      
      
      Change-Id: I1b2dd8403b63e5eeb58904558b7b542141c83fc2
      Signed-off-by: Carlos Llamas <cmllamas@google.com>
      (cherry picked from commit b42ed94769088450987f2b52f41a3fb274244827)
      Signed-off-by: Lee Jones <joneslee@google.com>
      FROMLIST: binder: fix UAF caused by offsets overwrite · c436466a
      Carlos Llamas authored
      
      Binder objects are processed and copied individually into the target
      buffer during transactions. Any raw data in-between these objects is
      copied as well. However, this raw data copy lacks an out-of-bounds
      check. If the raw data exceeds the data section size then the copy
      overwrites the offsets section. This eventually triggers an error that
      attempts to unwind the processed objects. However, at this point the
      offsets used to index these objects are now corrupted.
      
      Unwinding with corrupted offsets can result in decrements of arbitrary
      nodes and lead to their premature release. Other users of such nodes are
      left with a dangling pointer triggering a use-after-free. This issue is
      made evident by the following KASAN report (trimmed):
      
        ==================================================================
        BUG: KASAN: slab-use-after-free in _raw_spin_lock+0xe4/0x19c
        Write of size 4 at addr ffff47fc91598f04 by task binder-util/743
      
        CPU: 9 UID: 0 PID: 743 Comm: binder-util Not tainted 6.11.0-rc4 #1
        Hardware name: linux,dummy-virt (DT)
        Call trace:
         _raw_spin_lock+0xe4/0x19c
         binder_free_buf+0x128/0x434
         binder_thread_write+0x8a4/0x3260
         binder_ioctl+0x18f0/0x258c
        [...]
      
        Allocated by task 743:
         __kmalloc_cache_noprof+0x110/0x270
         binder_new_node+0x50/0x700
         binder_transaction+0x413c/0x6da8
         binder_thread_write+0x978/0x3260
         binder_ioctl+0x18f0/0x258c
        [...]
      
        Freed by task 745:
         kfree+0xbc/0x208
         binder_thread_read+0x1c5c/0x37d4
         binder_ioctl+0x16d8/0x258c
        [...]
        ==================================================================
      
      To avoid this issue, let's check that the raw data copy is within the
      boundaries of the data section.
      
      Fixes: 6d98eb95 ("binder: avoid potential data leakage when copying txn")
      Cc: Todd Kjos <tkjos@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Carlos Llamas <cmllamas@google.com>
      
      Bug: 352520660
      Link: https://lore.kernel.org/all/20240822182353.2129600-1-cmllamas@google.com/
      
      
      Change-Id: I1b2dd8403b63e5eeb58904558b7b542141c83fc2
      Signed-off-by: Carlos Llamas <cmllamas@google.com>
      (cherry picked from commit b42ed94769088450987f2b52f41a3fb274244827)
      Signed-off-by: Lee Jones <joneslee@google.com>
  12. Aug 09, 2024
      ANDROID: Fix scmi driver for platforms that do not have an a2p interrupt · c9d48536
      Kever Yang authored
      
      "scmi_info->irq" is -22 (-EINVAL) when there is no "a2p" interrupt; keep
      using (scmi_info->irq > 0) as the if condition to avoid a BUG like this:
      
      The cherry-picked patch 18126b26 (UPSTREAM: firmware: arm_scmi: Fix chan_free cleanup on SMC)
      depends on the two mainline patches below to avoid the BUG we met:
      f716cbd3 firmware: arm_scmi: Make smc transport use common completions
      a690b7e6 firmware: arm_scmi: Add configurable polling mode for transports
      
      These two patches can't be applied directly now; quite a lot of changes would need to be merged,
      which is a much higher risk than just applying this simple fix.
      
      [ 0.199652][ T1] arm-scmi firmware:scmi: SCMI Notifications - Core Enabled.
      [ 0.200296][ T1] list_add corruption. prev is NULL.
      [ 0.200773][ T1] ------------[ cut here ]------------
      [ 0.201242][ T1] kernel BUG at lib/list_debug.c:24!
      [ 0.201696][ T1] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      [ 0.202246][ T1] Modules linked in:
      [ 0.202581][ T1] CPU: 4 PID: 1 Comm: swapper/0 Not tainted 5.10.214-android13-4-00002-g4c868a6e89f5-ab12097184 #1
      [ 0.203511][ T1] Hardware name: Rockchip RK3588S EVB8 LP4X V10 Board (DT)
      [ 0.204137][ T1] pstate: 60800085 (nZCv daIf -PAN +UAO -TCO BTYPE=--)
      [ 0.204735][ T1] pc : list_add_valid+0x80/0xc0
      [ 0.205168][ T1] lr : __list_add_valid+0x80/0xc0
      [ 0.205599][ T1] sp : ffffffc00b24b700
      [ 0.205958][ T1] x29: ffffffc00b24b700 x28: 0000000000000002
      [ 0.206494][ T1] x27: 00000000000000e0 x26: ffffff810019ca00
      [ 0.207027][ T1] x25: 0000000000000000 x24: ffffff810122c1e0
      [ 0.207560][ T1] x23: ffffff810122c1d8 x22: ffffffc00b24b728
      [ 0.208097][ T1] x21: ffffff810122c1d0 x20: 0000000000000000
      [ 0.208631][ T1] x19: 7fffffffffffffff x18: ffffffc00b2350b8
      [ 0.209165][ T1] x17: ffffffffffffffff x16: 0000000000000000
      [ 0.209697][ T1] x15: 0000000000000004 x14: ffffffc00af6d130
      [ 0.210231][ T1] x13: 0000000000000fff x12: 0000000000000003
      [ 0.210769][ T1] x11: 00000000ffffffff x10: c0000000ffffefff
      [ 0.211300][ T1] x9 : 91b264ed20239600 x8 : 91b264ed20239600
      [ 0.211834][ T1] x7 : 322e30202020205b x6 : ffffffc00b1873d8
      [ 0.212365][ T1] x5 : ffffffc00b184fee x4 : 0000000000000000
      [ 0.212896][ T1] x3 : 0000000000000000 x2 : 0000000000000000
      [ 0.213426][ T1] x1 : ffffffc00b24b4d0 x0 : 0000000000000022
      [ 0.213959][ T1] Call trace:
      [ 0.214239][ T1] __list_add_valid+0x80/0xc0
      [ 0.214645][ T1] wait_for_common+0x104/0x308
      [ 0.215059][ T1] smc_send_message+0x100/0x2a8
      [ 0.215477][ T1] do_xfer+0x128/0x858
      [ 0.215826][ T1] version_get+0x88/0x20c
      [ 0.216198][ T1] scmi_base_protocol_init+0x6c/0x720
      [ 0.216663][ T1] scmi_get_protocol_instance+0x1f4/0x49c
      [ 0.217156][ T1] scmi_probe+0x244/0x724
      [ 0.217531][ T1] platform_drv_probe+0x60/0x17c
      [ 0.217956][ T1] really_probe+0x310/0x974
      [ 0.218342][ T1] driver_probe_device+0x74/0x298
      [ 0.218776][ T1] device_driver_attach+0x158/0x208
      [ 0.219224][ T1] __driver_attach+0x248/0x420
      [ 0.219634][ T1] bus_add_driver+0x1d4/0x498
      [ 0.220036][ T1] driver_register+0x84/0x17c
      [ 0.220442][ T1] scmi_driver_init+0xb0/0xc0
      [ 0.220846][ T1] __initstubkmod_scmi_module__425_1626_scmi_driver_init4.cfi+0x14/0x24
      [ 0.221589][ T1] do_one_initcall+0x114/0x3b0
      [ 0.221998][ T1] do_initcall_level+0xdc/0x1bc
      [ 0.222415][ T1] do_initcalls+0x58/0x9c
      [ 0.222785][ T1] do_basic_setup+0x28/0x38
      [ 0.223172][ T1] kernel_init_freeable+0xfc/0x1bc
      [ 0.223616][ T1] kernel_init+0x2c/0x304
      [ 0.223988][ T1] ret_from_fork+0x10/0x30
      [ 0.224369][ T1] Code: d4210000 d000c600 9118a800 97e0729d (d4210000)
      [ 0.224974][ T1] ---[ end trace 6c77dafcd8f3982d ]---
      [ 0.225881][ T1] Kernel panic - not syncing: Oops - BUG: Fatal exception
      
      Bug: 357011632
      Bug: 358529695
      Fixes: 18126b26 ("UPSTREAM: firmware: arm_scmi: Fix chan_free cleanup on SMC")
      Signed-off-by: Kever Yang <kever.yang@rock-chips.com>
      Change-Id: I9d9edb48a313b1e4277749082e41ea02ca5ec2a5
      (cherry picked from commit fcc95b0adc7f1387fc638592ab284d69d96ef91b)