- Jul 13, 2018
-
-
Guillaume Nault authored
l2tp_session_create() relies on its caller for checking for duplicate sessions. This is racy since a session can be concurrently inserted after the caller's verification. Fix this by letting l2tp_session_create() verify session uniqueness upon insertion. Callers need to be adapted to check for l2tp_session_create()'s return code instead of calling l2tp_session_find().

pppol2tp_connect() is a bit special because it has to work on existing sessions (if they're not connected) or to create a new session if none is found. When acting on a preexisting session, a reference must be held or it could go away on us. So we have to use l2tp_session_get() instead of l2tp_session_find() and drop the reference before exiting.

Change-Id: I650f6ea597bef06a429f41e0f533c8d4fab5e325
Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support")
Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug: 38159931
-
Guillaume Nault authored
Taking a reference on sessions in l2tp_recv_common() is racy; this has to be done by the callers. To this end, a new function is required (l2tp_session_get()) to atomically lookup a session and take a reference on it. Callers then have to manually drop this reference.

Change-Id: Ib48214a90805c6fa20229fdb37a9d3cbeb2aef3a
Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug: 38159931
-
- Jun 29, 2018
-
-
September 2018.1

Signed-off-by: Harrison Lingren <hlingren@google.com>
-
- Jun 12, 2018
-
-
Wei Wang authored
Bug: 110044919
Test: Build
Change-Id: I9fa83b84cf52a54c24405f2416f8747a20901d3f
Signed-off-by: Wei Wang <wvw@google.com>
-
Wei Wang authored
Initialize task's cpufreq to NULL, including for idle. Make sure to free task's cpufreq when freeing the task struct.

Bug: 110044919
Change-Id: Ie4629d0ebe3ef4b72dffea3ee613b15f40a57142
Signed-off-by: Wei Wang <wvw@google.com>
-
Sultan Alsawaf authored
Every time _cpu_up() is called for a CPU, idle_thread_get() is called which then re-initializes a CPU's idle thread that was already previously created and cached in a global variable in smpboot.c. idle_thread_get() calls init_idle() which then calls __sched_fork(). __sched_fork() is where cpufreq_task_stats_init() is, and cpufreq_task_stats_init() allocates 512 bytes of memory to a pointer in the task struct.

Since idle_thread_get() reuses a task struct instance that was already previously created, this means that every time it calls init_idle(), cpufreq_task_stats_init() allocates 512 bytes again and overwrites the existing 512-byte allocation that the idle thread already had. This causes 512 bytes to be leaked every time a CPU is onlined. This is significant when non-boot CPUs are enabled during resume from suspend; this means that (NR_CPUS - 1) * 512 bytes are leaked every time the device exits suspend (this turned out to be ~500 kiB leaked in 20 minutes with the device left on a desk with the screen off).

In order to fix this, don't initialize cpufreq stats at all for the idle threads. The cpufreq stats interface is intended to be used for tracking userspace tasks, so we can safely remove it from the kernel's idle threads without killing any functionality.

Bug: 110044919
Change-Id: I12fe7611fc88eb7f6c39f8f7629ad27b6ec4722c
Signed-off-by: Sultan Alsawaf <sultanxda@gmail.com>
-
- Jun 07, 2018
-
-
Srinivas Girigowda authored
wlan host driver upgrade to 4.4.25.050.

Bug: 80160768
Change-Id: I765ff068ab795c44caeec7e1bcc46156f8199df8
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
Srinivas Girigowda authored
There might be a scenario when NET_TX is preempted by irq context and the context is resumed when the recovery flag is set. The resumed context will try to enqueue a data packet in an invalid state and can result in invalid HW access. To mitigate this problem, check for the recovery flag and return from the context gracefully.

Change-Id: I6d58875e1f3d668984f76936a7e304fe68279c47
CRs-Fixed: 2252943
Bug: 80160768
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
- Jun 06, 2018
-
-
Thierry Strudel authored
August 2018.2

Bug: 80191244
Change-Id: I923a70db60984b02fa5740834d6ace7150544204
Signed-off-by: Thierry Strudel <tstrudel@google.com>
-
Thierry Strudel authored
This reverts commit f5b04bed.

Reason for revert: Fix was for android-msm-marlin-3.18 branch not android-msm-marlin-3.18-oc-mr1

Change-Id: If591e26b8c2a97ebfd7512e9cde357dbc937c2f7
Signed-off-by: Thierry Strudel <tstrudel@google.com>
-
Todd Kjos authored
(from https://patchwork.kernel.org/patch/10058587/ )

proc->files cleanup is initiated by binder_vma_close. Therefore a reference on the binder_proc is not enough to prevent the files_struct from being released while the binder_proc still has a reference. This can lead to an attempt to dereference the stale pointer obtained from proc->files prior to proc->files cleanup. This has been seen once in task_get_unused_fd_flags() when __alloc_fd() is called with a stale "files".

The fix is to always use get_files_struct() to obtain struct_files so that the refcount on the files_struct is used to prevent a premature free. proc->files is removed since we get it every time.

Bug: 69164715
Change-Id: I6431027d3d569e76913935c21885201505627982
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit cfe3642b)
-
Badhri Jagan Sridharan authored
August 2018.1

Bug: 80191244
Change-Id: I5d3360b157167d567f3a96e0fc911b4b27c6290f
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
-
- Jun 05, 2018
-
-
Rashi Bindra authored
The caller could have a small buf passed (less than blen). Since the length of count and blen is not checked, it can write beyond the end of buf.

Bug: 79422409
Change-Id: I9138cd742b6166937f3cc1cbf1af36f280c94bdb
Signed-off-by: Rashi Bindra <rbindra@codeaurora.org>
-
Harsh Sahu authored
Check the number of bytes to copy against the size of the user buffer before copy to user to avoid buffer overflow.

Bug: 79422277
Change-Id: Icdd3d4e755deca19fa431e903620bd9e4c701c89
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
Sreelakshmi Gownipalli authored
In diagchar_open() protect the decrement of the number of diag clients so that there will be no race conditions while reading the value from other functions.

Bug: 79421261
Change-Id: I0e2fb5331eec9c7bba39e7d881b69559256833a3
Signed-off-by: Sreelakshmi Gownipalli <sgownipa@codeaurora.org>
-
Mahesh Sivasubramanian authored
In cleanup_stats(), a freed memory pointer pos might be accessed for list traversal. Switch to using the _safe() variant of the list API to prevent undefined accesses.

Bug: 79421260
Change-Id: I7d068cb7813ccb9bfdbcab4646b4ec890145828a
Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
-
Brahmaji K authored
While enabling ICE setup and on error conditions, the regulator is disabled. Before disabling the regulator, check if the regulator is up and able to access the registers of the regulator.

Bug: 78238455
Change-Id: I94dd2b3e25444818f7bdf2f791f4fa9efaefce15
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
-
annamraj authored
Fix for possible information leak issue because of an uninitialised variable which can be accessed from userspace in the camera fd driver.

Bug: 73889358
Signed-off-by: annamraj <annamraj@codeaurora.org>
Change-Id: I4552c4829e9532d848e46fd123316b26105e310e
-
Bhalchandra Gajare authored
In the ioctl function, the driver allocates memory to store data internally before calling copy_to_user to copy data to user-space. It is possible that kernel internal information can be leaked to user space through this if the allocated memory is not completely overwritten with valid data. Use kzalloc to fix this.

CRs-fixed: 2026045
Bug: 73888283
Change-Id: I754ae2157034a135aaca4a15badf10d2567b7ed6
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
-
Todd Kjos authored
(from https://patchwork.kernel.org/patch/10058587/ )

proc->files cleanup is initiated by binder_vma_close. Therefore a reference on the binder_proc is not enough to prevent the files_struct from being released while the binder_proc still has a reference. This can lead to an attempt to dereference the stale pointer obtained from proc->files prior to proc->files cleanup. This has been seen once in task_get_unused_fd_flags() when __alloc_fd() is called with a stale "files".

The fix is to always use get_files_struct() to obtain struct_files so that the refcount on the files_struct is used to prevent a premature free. proc->files is removed since we get it every time.

Bug: 69164715
Change-Id: I6431027d3d569e76913935c21885201505627982
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
Badhri Jagan Sridharan authored
August 2018.1

Bug: 80191244
Change-Id: I9e764529ca03931d029685770567fbdf320b8609
Signed-off-by: Badhri Jagan Sridharan <Badhri@google.com>
-
TeYuan Wang authored
Suspect the device may have the possibility of being blocked by lmh_read on resume, and we do not need to get the details about the sensors which are supported by LMH Lite, so remove the lmh lite driver to avoid the resume hang risk.

Bug: 80022235
Test: Thermal-engine work properly
Change-Id: I8d7052246aa9f2c8669132931dc91893c43d30cd
Signed-off-by: TeYuan Wang <kamewang@google.com>
-
Maggie White authored
[ Upstream commit 008ba2a1 ]

Packet socket bind operations must hold the po->bind_lock. This keeps po->running consistent with whether the socket is actually on a ptype list to receive packets.

fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then binds the fanout object to receive through packet_rcv_fanout.

Make it hold the po->bind_lock when testing po->running and rebinding. Else, it can race with other rebind operations, such as that in packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates can result in a socket being added to a fanout group twice, causing use-after-free KASAN bug reports, among others.

Reported independently by both trinity and syzkaller. Verified that the syzkaller reproducer passes after this patch.

Fixes: dc99f600 ("packet: Add fanout support.")
Reported-by: nixioaming <nixiaoming@huawei.com>
Bug: 79377438
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Maggie White <maggiewhite@google.com>
Change-Id: I75820f430562b1603c35b55fece92161aa1b1e6f
-
Willem de Bruijn authored
[ Upstream commit 4971613c ]

Once a socket has po->fanout set, it remains a member of the group until it is destroyed. The prot_hook must be constant and identical across sockets in the group.

If fanout_add races with packet_do_bind between the test of po->fanout and taking the lock, the bind call may make type or dev inconsistent with that of the fanout group.

Hold po->bind_lock when testing po->fanout to avoid this race.

I had to introduce artificial delay (local_bh_enable) to actually observe the race.

Fixes: dc99f600 ("packet: Add fanout support.")
Bug: 79377438
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Id7d8fa55b0bbb6d49c10bf669538294531299974
-
Florian Westphal authored
commit b7181216 upstream.

We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order.

The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing.

Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary.

Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com>
Bug: 77902350
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: If7c132b8e56743a0a3c7ada0272163bb4e4e4a09
-
- Jun 01, 2018
-
-
TeYuan Wang authored
Suspect the device may have the possibility of being blocked by lmh_read on resume, and we do not need to get the details about the sensors which are supported by LMH Lite, so remove the lmh lite driver to avoid the resume hang risk.

Bug: 80022235
Test: Thermal-engine work properly
Change-Id: I8d7052246aa9f2c8669132931dc91893c43d30cd
Signed-off-by: TeYuan Wang <kamewang@google.com>
-
- May 31, 2018
-
-
Srinivas Girigowda authored
wlan host driver upgrade to 4.4.25.049.

Bug: 80256778
Change-Id: I711d876bcfa9a1eaa342b3d0676347a8c5a3c69f
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
Srinivas Girigowda authored
Driver has smeNeighborMiddleOfRoaming to check if STA is in the middle of roaming. Further, sme_staInMiddleOfRoaming acquires a lock to know the roam status, which is not required at all. Further, the driver can enter sleep state because of the mutex lock in the suspend path and can result in DPM device timeout.

Hence, replace sme_staInMiddleOfRoaming with smeNeighborMiddleOfRoaming and remove the redundant API sme_staInMiddleOfRoaming. Driver does not use any lock in smeNeighborMiddleOfRoaming to check roaming status.

Change-Id: I96193becaa05a68044e092bb607eb5db60526a11
CRs-Fixed: 2250171
Bug: 80256778
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
-
- May 23, 2018
-
-
Mohammed Javid authored
Check for CAP_NET_ADMIN capability of the user space application which tries to access the rmnet driver IOCTL.

Bug: 36367253
Change-Id: If6bb4b54659306c5103b5e34bf02c7234c851e0a
CRs-Fixed: 2226355
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
-
- May 22, 2018
-
-
Jaegeuk Kim authored
This patch fixes the previous workaround which consumes lots of power by giving EINVAL on ufshcd_suspend().

Bug: 78058462
Bug: 77551464
Bug: 79276122
Fixes: d42e73eb ("scsi: ufs: fix LINERESET on hibern8")
Change-Id: I5660e5f097fa31bb0914669bda28598a1de062c2
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
-
- May 21, 2018
-
-
Badhri Jagan Sridharan authored
After PORT_RESET, the port is set to the appropriate default_state. Ignore processing CC changes here as this could cause the port to be switched into sink states by default.

[ 154.528547] pending state change PORT_RESET -> PORT_RESET_WAIT_OFF @ 100 ms
[ 154.528560] CC1: 0 -> 0, CC2: 3 -> 0 [state PORT_RESET, polarity 0, disconnected]
[ 154.528564] state change PORT_RESET -> SNK_UNATTACHED

Bug: 79846307
Change-Id: I7f45c4975b12512c547e6fd1fb46e53230ed5703
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
-
- May 18, 2018
-
-
August 2018.1

Signed-off-by: Harrison Lingren <hlingren@google.com>
-