- Jun 06, 2018
Todd Kjos authored
(from https://patchwork.kernel.org/patch/10058587/ ) proc->files cleanup is initiated by binder_vma_close. Therefore a reference on the binder_proc is not enough to prevent the files_struct from being released while the binder_proc still has a reference. This can lead to an attempt to dereference the stale pointer obtained from proc->files prior to proc->files cleanup. This has been seen once in task_get_unused_fd_flags() when __alloc_fd() is called with a stale "files". The fix is to always use get_files_struct() to obtain struct_files so that the refcount on the files_struct is used to prevent a premature free. proc->files is removed since we get it every time.
Bug: 69164715
Change-Id: I6431027d3d569e76913935c21885201505627982
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit cfe3642b)
-
Badhri Jagan Sridharan authored
August 2018.1
Bug: 80191244
Change-Id: I5d3360b157167d567f3a96e0fc911b4b27c6290f
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
-
- Jun 05, 2018
Badhri Jagan Sridharan authored
August 2018.1
Bug: 80191244
Change-Id: I9e764529ca03931d029685770567fbdf320b8609
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
-
TeYuan Wang authored
We suspect the device may be blocked by lmh_read when resuming, and we do not need to get the details about the sensors supported by LMH Lite, so remove the lmh lite driver to avoid the resume hang risk.
Bug: 80022235
Test: Thermal-engine works properly
Change-Id: I8d7052246aa9f2c8669132931dc91893c43d30cd
Signed-off-by: TeYuan Wang <kamewang@google.com>
-
Maggie White authored
[ Upstream commit 008ba2a1 ]
Packet socket bind operations must hold the po->bind_lock. This keeps po->running consistent with whether the socket is actually on a ptype list to receive packets. fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then binds the fanout object to receive through packet_rcv_fanout. Make it hold the po->bind_lock when testing po->running and rebinding. Else, it can race with other rebind operations, such as that in packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates can result in a socket being added to a fanout group twice, causing use-after-free KASAN bug reports, among others. Reported independently by both trinity and syzkaller. Verified that the syzkaller reproducer passes after this patch.
Fixes: dc99f600 ("packet: Add fanout support.")
Reported-by: nixiaoming <nixiaoming@huawei.com>
Bug: 79377438
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Maggie White <maggiewhite@google.com>
Change-Id: I75820f430562b1603c35b55fece92161aa1b1e6f
-
Willem de Bruijn authored
[ Upstream commit 4971613c ]
Once a socket has po->fanout set, it remains a member of the group until it is destroyed. The prot_hook must be constant and identical across sockets in the group. If fanout_add races with packet_do_bind between the test of po->fanout and taking the lock, the bind call may make type or dev inconsistent with that of the fanout group. Hold po->bind_lock when testing po->fanout to avoid this race. I had to introduce artificial delay (local_bh_enable) to actually observe the race.
Fixes: dc99f600 ("packet: Add fanout support.")
Bug: 79377438
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Id7d8fa55b0bbb6d49c10bf669538294531299974
-
Rashi Bindra authored
The caller could have passed a small buf (smaller than blen). Since the lengths count and blen are not checked, it can write beyond the end of buf.
Bug: 79422409
Change-Id: I9138cd742b6166937f3cc1cbf1af36f280c94bdb
Signed-off-by: Rashi Bindra <rbindra@codeaurora.org>
-
Harsh Sahu authored
Check the number of bytes to copy against the size of the user buffer before copy to user to avoid buffer overflow.
Bug: 79422277
Change-Id: Icdd3d4e755deca19fa431e903620bd9e4c701c89
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
Sreelakshmi Gownipalli authored
In diagchar_open() protect the decrement of the number of diag clients so that there will be no race conditions while reading the value from other functions.
Bug: 79421261
Change-Id: I0e2fb5331eec9c7bba39e7d881b69559256833a3
Signed-off-by: Sreelakshmi Gownipalli <sgownipa@codeaurora.org>
-
Mahesh Sivasubramanian authored
In cleanup_stats(), a freed memory pointer pos might be accessed for list traversal. Switch to using the _safe() variant of the list API to prevent undefined accesses.
Bug: 79421260
Change-Id: I7d068cb7813ccb9bfdbcab4646b4ec890145828a
Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
-
Brahmaji K authored
While enabling ICE setup and on error conditions, the regulator is disabled. Before disabling the regulator, check if the regulator is up and able to access the registers of the regulator.
Bug: 78238455
Change-Id: I94dd2b3e25444818f7bdf2f791f4fa9efaefce15
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
-
Florian Westphal authored
commit b7181216 upstream.
We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order. The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing. Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary.
Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Bug: 77902350
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: If7c132b8e56743a0a3c7ada0272163bb4e4e4a09
-
annamraj authored
Fix for a possible information leak issue because of an uninitialised variable which can be accessed from userspace in the camera fd driver.
Bug: 73889358
Signed-off-by: annamraj <annamraj@codeaurora.org>
Change-Id: I4552c4829e9532d848e46fd123316b26105e310e
-
Bhalchandra Gajare authored
In the ioctl function, the driver allocates memory to store data internally before calling copy_to_user to copy data to user-space. It is possible that kernel internal information can be leaked to user space through this if the allocated memory is not completely overwritten with valid data. Use kzalloc to fix this.
CRs-fixed: 2026045
Bug: 73888283
Change-Id: I754ae2157034a135aaca4a15badf10d2567b7ed6
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
-
- Jun 01, 2018
TeYuan Wang authored
We suspect the device may be blocked by lmh_read when resuming, and we do not need to get the details about the sensors supported by LMH Lite, so remove the lmh lite driver to avoid the resume hang risk.
Bug: 80022235
Test: Thermal-engine works properly
Change-Id: I8d7052246aa9f2c8669132931dc91893c43d30cd
Signed-off-by: TeYuan Wang <kamewang@google.com>
-
- May 31, 2018
Srinivas Girigowda authored
wlan host driver upgrade to 4.4.25.049.
Bug: 80256778
Change-Id: I711d876bcfa9a1eaa342b3d0676347a8c5a3c69f
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
Srinivas Girigowda authored
Driver has smeNeighborMiddleOfRoaming to check if STA is in the middle of roaming. Further, sme_staInMiddleOfRoaming acquires a lock to know the roam status, which is not required at all. Further, the driver can enter sleep state because of the mutex lock in the suspend path and can result in DPM device timeout. Hence, replace sme_staInMiddleOfRoaming with smeNeighborMiddleOfRoaming and remove the redundant API sme_staInMiddleOfRoaming. Driver does not use any lock in smeNeighborMiddleOfRoaming to check roaming status.
Change-Id: I96193becaa05a68044e092bb607eb5db60526a11
CRs-Fixed: 2250171
Bug: 80256778
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
- May 23, 2018
Mohammed Javid authored
Check for the CAP_NET_ADMIN capability of the user space application that tries to access the rmnet driver IOCTL.
Bug: 36367253
Change-Id: If6bb4b54659306c5103b5e34bf02c7234c851e0a
CRs-Fixed: 2226355
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
-
- May 22, 2018
Jaegeuk Kim authored
This patch fixes the previous workaround which consumes lots of power by giving EINVAL on ufshcd_suspend().
Bug: 78058462
Bug: 77551464
Bug: 79276122
Fixes: d42e73eb ("scsi: ufs: fix LINERESET on hibern8")
Change-Id: I5660e5f097fa31bb0914669bda28598a1de062c2
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
-
- May 21, 2018
Badhri Jagan Sridharan authored
After PORT_RESET, the port is set to the appropriate default_state. Ignore processing CC changes here as this could cause the port to be switched into sink states by default.
[ 154.528547] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms
[ 154.528560] CC1: 0 -> 0, CC2: 3 -> 0 [state PORT_RESET, polarity 0, disconnected]
[ 154.528564] state change PORT_RESET -> SNK_UNATTACHED
Bug: 79846307
Change-Id: I7f45c4975b12512c547e6fd1fb46e53230ed5703
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
-
- May 16, 2018
Todd Kjos authored
b/30870027 has been seen a handful of times but without enough information to diagnose the issue. Add debugging code to dump out the apparently corrupt rbtree prior to crashing. The bug was first reported in 8/2016 before the fine-grained locking and other binder driver changes associated with O, but has also been seen at least twice since those changes merged.
Bug: 65196691 30870027
Change-Id: Ib701dfaabf5f8237d45ac6ccc6670c81771abee0
Signed-off-by: Todd Kjos <tkjos@google.com>
-
- May 14, 2018
Daniel Mentz authored
July 2018.1
Bug: 79365489
Change-Id: Ia2ff04d7dbd8b56d83e5c299142bb41f5efc24f1
Signed-off-by: Daniel Mentz <danielmentz@google.com>
-
- May 11, 2018
Tanvi Aggarwal authored
Add conditional check when sending VIDIOC_MSM_OIS_CFG.
Bug: 38258851
Change-Id: I095418b47409f5291e5c3fcfd227897022f77f71
CRs-Fixed: 2078155
Signed-off-by: Tanvi Aggarwal <tanvia@codeaurora.org>
-
Badhri Jagan Sridharan authored
As the length datatype is signed, an attacker can both overflow the calculation or supply a negative number to trick the check into returning a chosen chunk. This can have undesired consequences. Always use unsigned integer types for length values.
Bug: 63165135
Change-Id: Ifde2f0d35129014b976507f7723a319c53fabddf
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
-
Mahesh Sivasubramanian authored
The list_for_each macro was not used correctly, where the intermediate variable would be LIST_POISON, resulting in an untrusted pointer dereference. Switch to using list_for_each_entry_safe for safe removal of a list entry.
Bug: 72956998
Change-Id: I0e0fd5dd9f251b5093d6e9d6335387512ec59249
Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
-
Krzysztof Opasiak authored
commit aa65d11a upstream.
When we unlock our spinlock to copy data to user we may get disabled by the USB host and free the whole list of completed out requests, including the one from which we are copying the data to user memory. To prevent this, let's remove our working element from the list and place it back only if there is something left when we finish with it.
Fixes: 99c51500 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: David Lechner <david@lechnology.com>
Bug: 74447444
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Jerry Zhang <zhangjerry@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ia5d3da0952d87cd82a9e476e90a7cd3633536d94
-
Johannes Thumshirn authored
If the list search in sg_get_rq_mark() fails to find a valid request, we return a bogus element. This then can later lead to a GPF in sg_remove_scat(). So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case the list search doesn't find a valid request.
Bug: 79090045
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Doug Gilbert <dgilbert@interlog.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Acked-by: Doug Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Chenbo Feng <fengc@google.com>
(cherry picked from commit 48ae8484)
Change-Id: If95d1a8eef3748c9937201e524184b89a5eaaf2e
Bug: 75300370
-
Li Jinyue authored
commit fbe0e839 upstream.
UBSAN reports signed integer overflow in kernel/futex.c:
UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'
Add a sanity check to catch negative values of nr_wake and nr_requeue.
Bug: 76106267
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Iccefa7465b9cc6475d00c0509af7988e351e6341
-
Zhang Qian authored
Add a sanity check for the wmi TLV header length before padding/shrinking elements in a wmi which has a variable length for its TLV structure. Currently, the TLV length is not checked, so its maximum value could be 65535, which results in a huge count for elements. The number of elements is used to terminate the loop for padding/shrinking. If the number were too large, there would be memory overflow.
CRs-Fixed: 2169157
Bug: 77527719
Change-Id: I99c700d62f8c0db84cbd95fc6efcb5249b89eb1d
Signed-off-by: Ecco Park <eccopark@google.com>
-
Guisen Yang authored
Currently, there is no check of:
1) Firmware event parameters in dbglog_parse_debug_logs(), which can result in integer underflow.
2) Number of dbg log args against the total length, which can result in buffer over-read.
To fix this, compare the size of firmware event parameters and the number of dbg log args with the total buffer length.
Bug: 77528512
Change-Id: I981441ecf8e866afc00cf2e0e316779c8cc803c6
CRs-Fixed: 2205372
Signed-off-by: Ecco Park <eccopark@google.com>
-
Karthikeyan Mani authored
Check the debugfs ops buf size passed before reading to eliminate the possibility of reading out of bounds.
Bug: 77528653
Change-Id: I28fd60ce93256b6b0bad62b449092a891cc15463
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
-
Yu Wang authored
Check whether the data_len is valid, to avoid an out-of-bounds reading issue.
Bug: 77528805
Change-Id: If9fef306f455fcc1bd34d7aa713dd5c5535b8bfb
CRs-Fixed: 2170392
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
-
Daniel Mentz authored
July 2018.1
Bug: 79365489
Change-Id: I94021bdf7ed127cadc470396fad7bc3a935a9c97
Signed-off-by: Daniel Mentz <danielmentz@google.com>
-
- May 10, 2018
Daniel Mentz authored
July 2018.1
Bug: 79365489
Change-Id: I5d8a5434e5d878f5c420bfc97c8805f94119a791
Signed-off-by: Daniel Mentz <danielmentz@google.com>
-
Mel Gorman authored
commit 65d8fc77 upstream.
When dealing with key handling for shared futexes, we can drastically reduce the usage/need of the page lock.
1) For anonymous pages, the associated futex object is the mm_struct which does not require the page lock.
2) For inode based keys, we can check under RCU read lock if the page mapping is still valid and take reference to the inode.
This just leaves one rare race that requires the page lock in the slow path when examining the swapcache. Additionally realtime users currently have a problem with the page lock being contended for unbounded periods of time during futex operations.
Task A
  get_futex_key()
    lock_page()
    ---> preempted
Now any other task trying to lock that page will have to wait until task A gets scheduled back in, which is an unbound time. With this patch, we pretty much have a lockless futex_get_key(). Experiments show that this patch can boost/speedup the hashing of shared futexes with the perf futex benchmarks (which is good for measuring such change) by up to 45% when there are high (> 100) thread counts on a 60 core Westmere. Lower counts are pretty much in the noise range or less than 10%, but mid range can be seen at over 30% overall throughput (hash ops/sec). This makes anon-mem shared futexes much closer to its private counterpart.
Signed-off-by: Mel Gorman <mgorman@suse.de>
[ Ported on top of thp refcount rework, changelog, comments, fixes. ]
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Chris Mason <clm@fb.com>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1455045314-8305-3-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Chenbo Feng <fengc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 74250718
Change-Id: I4104985900c2f0ff7d7a5835c56fed15cf994f0e
-
Tanvi Aggarwal authored
Add conditional check when sending VIDIOC_MSM_OIS_CFG.
Bug: 38258851
Change-Id: I095418b47409f5291e5c3fcfd227897022f77f71
CRs-Fixed: 2078155
Signed-off-by: Tanvi Aggarwal <tanvia@codeaurora.org>
-
Johannes Thumshirn authored
If the list search in sg_get_rq_mark() fails to find a valid request, we return a bogus element. This then can later lead to a GPF in sg_remove_scat(). So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case the list search doesn't find a valid request.
Bug: 79090045
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Doug Gilbert <dgilbert@interlog.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Acked-by: Doug Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Chenbo Feng <fengc@google.com>
(cherry picked from commit 48ae8484)
Change-Id: If95d1a8eef3748c9937201e524184b89a5eaaf2e
Bug: 75300370
-
Krzysztof Opasiak authored
commit aa65d11a upstream.
When we unlock our spinlock to copy data to user we may get disabled by the USB host and free the whole list of completed out requests, including the one from which we are copying the data to user memory. To prevent this, let's remove our working element from the list and place it back only if there is something left when we finish with it.
Fixes: 99c51500 ("usb: gadget: hidg: register OUT INT endpoint for SET_REPORT")
Cc: stable@vger.kernel.org
Tested-by: David Lechner <david@lechnology.com>
Bug: 74447444
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Jerry Zhang <zhangjerry@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ia5d3da0952d87cd82a9e476e90a7cd3633536d94
-
Karthikeyan Mani authored
Check the debugfs ops buf size passed before reading to eliminate the possibility of reading out of bounds.
Bug: 77528653
Change-Id: I28fd60ce93256b6b0bad62b449092a891cc15463
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
-
Guisen Yang authored
Currently, there is no check of:
1) Firmware event parameters in dbglog_parse_debug_logs(), which can result in integer underflow.
2) Number of dbg log args against the total length, which can result in buffer over-read.
To fix this, compare the size of firmware event parameters and the number of dbg log args with the total buffer length.
Bug: 77528512
Change-Id: I981441ecf8e866afc00cf2e0e316779c8cc803c6
CRs-Fixed: 2205372
Signed-off-by: Ecco Park <eccopark@google.com>
-