Select Git revision
Search by author
- Any Author
- authors
-
72162444 72162444 gaochangning
-
Aakash Dave aakash.dave
-
Aaron Kim akim
-
Aaron Kloc akloc
-
Aaron Lan aaron.lan
-
Aaron Nabil aaronna
-
Aaron Pohle aaron.pohle
-
Abbott Chung chung.abbott
-
Abdallah Omar abdallah_omar
-
Abdessamii Chalbi abdessamii.chalbi
-
Abdul Hussain Sirajudeen abdul.hussain
-
Abdullah Alghamdi a.alghamdi
-
Abdullah Elmarghany abdullah_elmarghany
-
Abel Fang abel_fang
-
Abel Vesa
abel.vesa
-
Abhijeet Badurkar abhijeet.badurkar
-
Abhijit Adsule adsule
-
Abhijit Murthy abhijit
-
Abhi Khanal akhanal
-
Abhilash Sahoo abhilashsahoo
- Feb 24, 2017
-
-
Andrey Ryabinin authored
This fixes CVE-2016-8650. If mpi_powm() is given a zero exponent, it wants to immediately return either 1 or 0, depending on the modulus. However, if the result was initalised with zero limb space, no limbs space is allocated and a NULL-pointer exception ensues. Fix this by allocating a minimal amount of limb space for the result when the 0-exponent case when the result is 1 and not touching the limb space when the result is 0. This affects the use of RSA keys and X.509 certificates that carry them. BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 PGD 0 Oops: 0002 [#1] SMP Modules linked in: CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278 Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 task: ffff8804011944c0 task.stack: ffff880401294000 RIP: 0010:[<ffffffff8138ce5d>] [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 RSP: 0018:ffff880401297ad8 EFLAGS: 00010212 RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0 RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0 RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000 R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50 FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0 Stack: ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4 0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30 ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8 Call Trace: [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66 [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146 [<ffffffff8132a95c>] rsa_verify+0x9d/0xee [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1 [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228 [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4 [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1 [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1 [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61 [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399 [<ffffffff812fe227>] SyS_add_key+0x154/0x19e [<ffffffff81001c2b>] do_syscall_64+0x80/0x191 [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25 Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f RIP [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 RSP <ffff880401297ad8> CR2: 0000000000000000 ---[ end trace d82015255d4a5d8d ]--- Basically, this is a backport of a libgcrypt patch: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526 Change-Id: I77e53254632ed7c0bad865e3ae156fafc02c6251 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files (part 1)") Signed-off-by:
Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by:
David Howells <dhowells@redhat.com> cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> cc: linux-ima-devel@lists.sourceforge.net cc: stable@vger.kernel.org Signed-off-by:
James Morris <james.l.morris@oracle.com> Reviewed-on: https://android.intel.com/569859 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 21, 2017
-
-
MorganX Binet authored
- Currently a wakelock is held only when the cable type is DCP. SDP and CDP cable types are handled in OTG driver. - This patches includes the other types of cable Change-Id: I14083df70b20c73de6322df62ea8756100caa96e Tracked-On: https://jira01.devtools.intel.com/browse/AW-2877 Signed-off-by:
MorganX Binet <morganx.binet@intel.com> Reviewed-on: https://android.intel.com/568927 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Chaumette, HubertX <hubertx.chaumette@intel.com> Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Saadani, MarouaneX <marouanex.saadani@intel.com> Reviewed-by:
Ferrari, AlainX <alainx.ferrari@intel.com> Reviewed-by:
-
- Feb 20, 2017
-
-
Julien Masson authored
On power on sequence, we should rotate screen to 180 degree. Change-Id: I59b774d0bd2d99165438ff88f4c88907dcef2585 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4188 Signed-off-by:
Julien Masson <julienx.masson@intel.com> Reviewed-on: https://android.intel.com/567406 Reviewed-by:
Gong, Sophia <sophia.gong@intel.com> Reviewed-by:
Liu, WeiX W <weix.w.liu@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
-
- Feb 16, 2017
-
-
Kai Qiang authored
modified scale from 2G to 8G of st_lsm6ds3h Change-Id: I83184453d1d0d361e8a3381fb654d26fb6538598 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3409 Signed-off-by:
Kai Qiang <kaix.qiang@intel.com> Reviewed-on: https://android.intel.com/568254 Reviewed-by:
Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com> Reviewed-by:
-
- Feb 15, 2017
-
-
Sophia Gong authored
This patch is to WA below CTS 7.1-r1 dEQP mem stress failures. The failed case intends to create 128 EGL contexts. Each 3D EGL context allocates about 1.5MB memory. 1MB of them are for 3D heap size. This patch decreases PDS/USC heap size to 48MB for overall 128 EGL contexts. Full CTS-7.1, gfx smooth validation shows no side effects. dEQP-EGL.functional.multicontext#non_shared dEQP-EGL.functional.multicontext#non_shared_clear dEQP-EGL.functional.multicontext#non_shared_make_current Change-Id: I26c55ec940ab154986f475e16c72fb0a807fde18 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3635 Signed-off-by:
wenshelx <wenshengx.wang@intel.com> Reviewed-on: https://android.intel.com/567744 Reviewed-by:
-
- Feb 09, 2017
-
-
Greg Hackmann authored
Bug: 32838767 Change-Id: I987b07c30b3ed76865a002e7c154a5fa36b1bf29 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4085 Signed-off-by:
Greg Hackmann <ghackmann@google.com> Reviewed-on: https://android.intel.com/565598 Reviewed-by:
Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com> Reviewed-by:
-
Adrian Salido authored
As mentioned in commit 52ee2dfd ("pids: refactor vnr/nr_ns helpers to make them safe"). *_nr_ns helpers used to be buggy. The commit addresses most of the helpers but is missing task_tgid_xxx() Without this protection there is a possible use after free reported by kasan instrumented kernel: ================================================================== BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr *** Read of size 8 by task cat/2472 CPU: 1 PID: 2472 Comm: cat Tainted: **** Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT) Call trace: [<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c [<ffffffc00020aec0>] show_stack+0x18/0x24 [<ffffffc0011573d0>] dump_stack+0x94/0x100 [<ffffffc0003c7dc0>] kasan_report+0x308/0x554 [<ffffffc0003c7518>] __asan_load8+0x20/0x7c [<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44 [<ffffffc00046951c>] proc_pid_status+0x444/0x1080 [<ffffffc000460f60>] proc_single_show+0x8c/0xdc [<ffffffc0004081b0>] seq_read+0x2e8/0x6f0 [<ffffffc0003d1420>] vfs_read+0xd8/0x1e0 [<ffffffc0003d1b98>] SyS_read+0x68/0xd4 Accessing group_leader while holding rcu_lock and using the now safe helpers introduced in the commit mentioned, this race condition is addressed. Bug: 31495866 Signed-off-by:
Adrian Salido <salidoa@google.com> Tracked-On: https://jira01.devtools.intel.com/browse/AW-4085 Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b Reviewed-on: https://android.intel.com/565596 Reviewed-by:
-
Simon Dubray authored
Handle properly return values in tmd26723 probe to return negative values when data structures have been free'd. Change-Id: I6b7ba86bdac9dac9544dcb3bd979f18e6b4e4c64 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4020 Signed-off-by:
-
Jann Horn authored
This ensures that do_mmap() won't implicitly make AIO memory mappings executable if the READ_IMPLIES_EXEC personality flag is set. Such behavior is problematic because the security_mmap_file LSM hook doesn't catch this case, potentially permitting an attacker to bypass a W^X policy enforced by SELinux. I have tested the patch on my machine. To test the behavior, compile and run this: #define _GNU_SOURCE #include <unistd.h> #include <sys/personality.h> #include <linux/aio_abi.h> #include <err.h> #include <stdlib.h> #include <stdio.h> #include <sys/syscall.h> int main(void) { personality(READ_IMPLIES_EXEC); aio_context_t ctx = 0; if (syscall(__NR_io_setup, 1, &ctx)) err(1, "io_setup"); char cmd[1000]; sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'", (int)getpid()); system(cmd); return 0; } In the output, "rw-s" is good, "rwxs" is bad. Signed-off-by:Jann Horn <jann@thejh.net> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a) Bug: 31711619 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4085 Change-Id: Ib4ffd30b61f1d9ba629049f65a21afbf94e25cfd Reviewed-on: https://android.intel.com/565587 Reviewed-by:
-
- Feb 03, 2017
-
-
MorganX Binet authored
previous VINDPM implementation did not take into account that register is reset at each cable connection so VINDPM is forced every minute at the same time as threshold value update Change-Id: I249666e061eec3d73c45e6ee4af37fb3562d53e0 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3147 Signed-off-by:
-
Julien Masson authored
This type aims to be the reference for display device. Change-Id: Ib21b3a93587ad0ac3b0e35ac7ab413557a6811ee Tracked-On: https://jira01.devtools.intel.com/browse/AW-2918 Signed-off-by:
Afonso, PhilippeX <philippex.afonso@intel.com> Reviewed-by:
-
- Jan 25, 2017
-
-
Hu Bingquan authored
The mod_timer might be called the workqueue handler, and also from the power_enable sys nodes, they might collide. The fix is to protect again this collision. Change-Id: Iae939ab1fe4dfdf9b1fb1c75d19ebfe146ae9dcd Tracked-On: https://jira01.devtools.intel.com/browse/AW-3861 Signed-off-by:
Hu Bingquan <bingquan.hu@intel.com> Reviewed-on: https://android.intel.com/563390 Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
Rouis, KhalifaX <khalifax.rouis@intel.com> Reviewed-by:
Lachaud, EtienneX <etiennex.lachaud@intel.com> Reviewed-by:
-
Simon Dubray authored
lowmemorykiller was not taking into account unevictable pages when deciding what level to kill. If significant amounts of memory were pinned, this caused lowmemorykiller to effectively stop at a much higher level than it should. Change-Id: I4cdbe9bd8546b3d8eb9ec6c2f463e82fe7fa15e9 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3921 Signed-off-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Ben Alaya, AymenX <aymenx.ben.alaya@intel.com> Reviewed-by:
-
- Jan 20, 2017
-
-
Amr BEN ABDESSALEM authored
This patch fixes a faced memory leak caused by not detaching sih structure if firmware download fails. unreferenced object 0xffff8800091ae300 (size 256): comm "WifiStateMachin", pid 621, jiffies 4296455689 (age 869.950s) backtrace: [<ffffffff829c2449>] kmemleak_alloc+0x49/0xb0 [<ffffffff821817ef>] __kmalloc+0x12f/0x2c0 [<ffffffff8243ba6c>] osl_malloc+0x6c/0xa0 [<ffffffff8243baae>] osl_mallocz+0xe/0x30 [<ffffffff8243fd12>] si_attach+0x32/0x110 [<ffffffff8248308b>] dhdsdio_probe_attach+0x43b/0xd20 [<ffffffff8248dc0d>] dhd_bus_devreset+0x16d/0x2e0 [<ffffffff8242d098>] dhd_net_bus_devreset+0x48/0xf0 [<ffffffff82444372>] wl_android_wifi_on+0xe2/0x160 [<ffffffff82430e89>] dhd_open+0xb9/0x270 unreferenced object 0xffff880010154000 (size 2048): comm "WifiStateMachin", pid 621, jiffies 4296455689 (age 870.010s) backtrace: [<ffffffff829c2449>] kmemleak_alloc+0x49/0xb0 [<ffffffff821817ef>] __kmalloc+0x12f/0x2c0 [<ffffffff8243ba6c>] osl_malloc+0x6c/0xa0 [<ffffffff8243baae>] osl_mallocz+0xe/0x30 [<ffffffff8243fd2b>] si_attach+0x4b/0x110 [<ffffffff8248308b>] dhdsdio_probe_attach+0x43b/0xd20 [<ffffffff8248dc0d>] dhd_bus_devreset+0x16d/0x2e0 [<ffffffff8242d098>] dhd_net_bus_devreset+0x48/0xf0 [<ffffffff82444372>] wl_android_wifi_on+0xe2/0x160 [<ffffffff82430e89>] dhd_open+0xb9/0x270 Change-Id: I1a63e33e0a7e1f91bdf061dc519f418f7fdfb698 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3799 Signed-off-by:
-
Sebastien MICHEL authored
Change-Id: I48e1e1dcfbd70e1de8d6e9aeb262594204f86bb7 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3920 Signed-off-by:
Sebastien MICHEL <sebastien.michel@intel.com> Signed-off-by:
-
- Jan 19, 2017
-
-
Ben Abdessalem, AmrX authored
Cypress proposed an other patch for fixing this issue; to be aligned, we revert so. This reverts commit 42f53e7b. Change-Id: Ib7c2b7c12f85fcea34632752584a2d9addf16e4d Tracked-On: https://jira01.devtools.intel.com/browse/AW-3799 Signed-off-by:
-
Kai Qiang authored
When the proximity sensor was not well configured the thresholds has been lowered to 0x60 in a range of (0x0 -> 0x3ff) measured data. This threshold has to be increased to 0x100 as for some devices (DVT) the reported data for a far distance corresponds to a value near 0xa0 Change-Id: Id455c1a02ae1c943026a81dd7e9fa7f338c18b8e Tracked-On: https://jira01.devtools.intel.com/browse/AW-3821 Signed-off-by:
Samoun, JacquesX <jacquesx.samoun@intel.com> Reviewed-by:
-
- Jan 18, 2017
-
-
Riadh GHADDAB authored
- This patch resolves the false detection issues due to a storm of interrupts coming from the proximity sensor - It is achieved by changing the comparison logic to detect proximity and by initialize a proximity read on probe and on resume. - A reconfiguration of the device is also added in the resume function - Change deprecated function __cancel_scheduled_work Change-Id: I35f881079fadecdc18fcb053247075858301e0e2 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3821 Signed-off-by:
Bride, Jacques <jacques.bride@intel.com> Reviewed-by:
-
MorganX Binet authored
bq25898 reboot notifier was not called after a "reboot -p" command because of shutdown called previously by osip reboot notifier increasing its priority in order to be called before shutdown Change-Id: Ia39ae08270df534aad2f1f9b7f08754b623f0039 Tracked-On: https://jira01.devtools.intel.com/browse/AW-2906 Signed-off-by:
-
Riadh GHADDAB authored
- This patch corrects some coding style errors in the proximity sensor driver. - It adds as well some logs to help debugging the driver Change-Id: I12e81ffdc7c776a4d3fadc908b8e7190fe526efa Tracked-On: https://jira01.devtools.intel.com/browse/AW-3821 Signed-off-by:
-
- Jan 16, 2017
-
-
Peiqian Li authored
This reverts commit 09af6739. With the new HW variant SPL SP3, the coordinate flip is not needed, the fix was verified ok. Change-Id: I7e0e1702956eeb125995d0a482c1fc639ada6bc9 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3736 Signed-off-by:
Peiqian Li <peiqianx.li@intel.com> Reviewed-on: https://android.intel.com/561284 Reviewed-by:
-
- Jan 13, 2017
-
-
MorganX Binet authored
when VUSB is low (~ 4.5V-4.7V), the charger behaves wrongly (toggling between charging and stop charging) HW team propose to fix it by setting VINDPM voltage within the charger every minute at a value where VINDPM = VBAT + 400mV FORCE_VINDPM should be forced to 1 Change-Id: Idfe9c0f39b03ae6e0344d4b4338121d4d27e1bae Tracked-On: https://jira01.devtools.intel.com/browse/AW-3147 Signed-off-by:
-
Louis, FabienX authored
This patch fix an issue introduced by the following commit : fbe2f38d8f6f8c127f93a197a5abe73b45c7393b Change-Id: I9144e991e6370f973c0715abf18b27f37dd1f30e Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
-
- Jan 12, 2017
-
-
Andrew Wyper authored
Patch to adjust the timer/wakelock delays in the BT LPM driver, improving bt power consumption. Change-Id: I9129f0426571a814d134f11ec4d7923cf28735bf Tracked-On: https://jira01.devtools.intel.com/browse/AW-1701 Signed-off-by:
Andrew Wyper <andrewx.wyper@intel.com> Reviewed-on: https://android.intel.com/562195 Reviewed-by:
Ferraton, Jean RegisX <jean.regisx.ferraton@intel.com> Tested-by:
Ranquet, Guillaume <guillaume.ranquet@intel.com> Reviewed-by:
-
- Jan 09, 2017
-
-
Sudhir Kohalli authored
Security Vulnerability fix for memory overflow wifi driver function wl_cfgvendor_rtt_set_config. In the current fix added check to validate if the target_cnt is valid or not if it is not valid then parse error. Since target_cnt can be controlled by user netlink input which needs to validated at the DHD level. Bug: 32219255 Signed-off-by:
Sudhir Kohalli <sudhir.kohalli@broadcom.com> Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Change-Id: I5cf771c60a6ae8019e5e36571197e2849c572b40 Reviewed-on: https://android.intel.com/560338 Reviewed-by:
Maalem, Saadi <saadi.maalem@intel.com> Reviewed-on: https://android.intel.com/561355
-
Insun Song authored
In case PCIe BUS already down, we're not supposed to do access BAR0 area in any reason. One instance seen on test that made kernel panic. removed disable irq calling which is useless in bus down case. bug=24739315 Change-Id: I474e08c14c4dec0f4cc4cd207f29fef32e85ead7 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Insun Song <isong@broadcom.com> Reviewed-on: https://android.intel.com/557914 Reviewed-by:
-
Ram Sripathi authored
handled heap overwrite with checks Bug: 31822524 Change-Id: I9e9bc97a3f410d40d9bc6a44707a6c0f8917cd31 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Ram Sripathi <ram.sripathi@broadcom.com> Reviewed-on: https://android.intel.com/557932 Reviewed-by:
-
Daniel Rosenberg authored
If a user happens to call ION_IOC_FREE during an ION_IOC_ALLOC on the just allocated id, and the copy_to_user fails, the cleanup code will attempt to free an already freed handle. This adds a wrapper for ion_alloc that adds an ion_handle_get to avoid this. Bug: 31568617 Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Daniel Rosenberg <drosen@google.com> Reviewed-on: https://android.intel.com/559452 Reviewed-by:
-
Insun Song authored
1. added limit check for GSCAN-PNO max channel bucket 2. added length check in each NL TLV parsing and error handling Bug: 32174590 Signed-off-by:
Insun Song <insun.song@broadcom.com> Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Change-Id: Ic946bfa3b3ab6b2b201043371c27ee7dbedb7e75 Reviewed-on: https://android.intel.com/557933 Reviewed-by:
-
Siqi Lin authored
snd_info_entry_write() resizes the buffer with an unsigned long size argument that gets truncated because resize_info_buffer() takes the size parameter as an unsigned int. On 64-bit kernels, this causes the following copy_to_user() to write out-of-bounds if (pos + count) can't be represented by an unsigned int. Bug: 32510733 Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Siqi Lin <siqilin@google.com> Reviewed-on: https://android.intel.com/557913 Reviewed-by:
-
John Dias authored
When perf_group_detach is called on a group leader, it should empty its sibling list. Otherwise, when a sibling is later deallocated, list_del_event() removes the sibling's group_entry from its current list, which can be the now-deallocated group leader's sibling list (use-after-free bug). Bug: 32402548 Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
John Dias <joaodias@google.com> Reviewed-on: https://android.intel.com/557910 Reviewed-by:
-
David Howells authored
This fixes CVE-2016-7042. Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector is turned on, this can cause a panic due to stack corruption. The problem is that xbuf[] is not big enough to hold a 64-bit timeout rendered as weeks: (gdb) p 0xffffffffffffffffULL/(60*60*24*7) $2 = 30500568904943 That's 14 chars plus NUL, not 11 chars plus NUL. Expand the buffer to 16 chars. I think the unpatched code apparently works if the stack-protector is not enabled because on a 32-bit machine the buffer won't be overflowed and on a 64-bit machine there's a 64-bit aligned pointer at one side and an int that isn't checked again on the other side. The panic incurred looks something like: Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679 Call Trace: [<ffffffff813d941f>] dump_stack+0x63/0x84 [<ffffffff811b2cb6>] panic+0xde/0x22a [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0 [<ffffffff81350410>] ? key_validate+0x50/0x50 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20 [<ffffffff8126b31c>] seq_read+0x2cc/0x390 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70 [<ffffffff81244fc7>] __vfs_read+0x37/0x150 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0 [<ffffffff81246156>] vfs_read+0x96/0x130 [<ffffffff81247635>] SyS_read+0x55/0xc0 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4 Change-Id: Idb71b0d6658bf9eb6d9deaaec735b851a48782cc Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Reported-by:
Ondrej Kozina <okozina@redhat.com> Signed-off-by:
-
Mark Zhang authored
We use syncpt id to get the syncpt infos from host1x syncpt array. And the id can be specified by userspace, so in kernel we need to make sure the ID from userspace doesn't beyond the boundary of syncpt array. Unfortunately our host1x driver doesn't do the check right so this patch fixes it. BUG=chrome-os-partner:59595 TEST=System boots OK Change-Id: Ib9b4ee73d9468dbf6b20932c0b1c77dddd743d10 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Signed-off-by:
Mark Zhang <markz@nvidia.com> Reviewed-on: https://android.intel.com/560885 Reviewed-by:
-
Steven Rostedt (Red Hat) authored
If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE then the DIV_ROUND_UP() will return zero. Here's the details: # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb tracing_entries_write() processes this and converts kb to bytes. 18014398509481980 << 10 = 18446744073709547520 and this is passed to ring_buffer_resize() as unsigned long size. size = DIV_ROUND_UP(size, BUF_PAGE_SIZE); Where DIV_ROUND_UP(a, b) is (a + b - 1)/b BUF_PAGE_SIZE is 4080 and here 18446744073709547520 + 4080 - 1 = 18446744073709551599 where 18446744073709551599 is still smaller than 2^64 2^64 - 18446744073709551599 = 17 But now 18446744073709551599 / 4080 = 4521260802379792 and size = size * 4080 = 18446744073709551360 This is checked to make sure its still greater than 2 * 4080, which it is. Then we convert to the number of buffer pages needed. nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE) but this time size is 18446744073709551360 and 2^64 - (18446744073709551360 + 4080 - 1) = -3823 Thus it overflows and the resulting number is less than 4080, which makes 3823 / 4080 = 0 an nr_pages is set to this. As we already checked against the minimum that nr_pages may be, this causes the logic to fail as well, and we crash the kernel. There's no reason to have the two DIV_ROUND_UP() (that's just result of historical code changes), clean up the code and fix this bug. Change-Id: I6b0336dc15e5f9e789427bbf36c6d265352e408d Tracked-On: https://jira01.devtools.intel.com/browse/AW-3683 Cc: stable@vger.kernel.org # 3.5+ Fixes: 83f40318 ("ring-buffer: Make removal of ring buffer pages atomic") Signed-off-by:
Steven Rostedt <rostedt@goodmis.org> Reviewed-on: https://android.intel.com/557934 Reviewed-by:
-
- Jan 04, 2017
-
-
Riadh GHADDAB authored
Change-Id: Ie814610d683d469ec6bd8eb9f8f548d5ee7b72b0 Tracked-On: https://jira01.devtools.intel.com/browse/AW-2875 Signed-off-by:
-
- Dec 28, 2016
-
-
Simon Dubray authored
As /config needs to be the configfs mount point, our old /config will now be mounted on /device_config so the wlan mac address path changes. Change-Id: I53493527ec55bdd0194dab618c9097fc8226552e Tracked-On: https://jira01.devtools.intel.com/browse/AW-2935 Signed-off-by:
-
- Dec 20, 2016
-
-
Marouane authored
Add an attribute for proximity sensor detection. After enabling the proximity sensor, ps_detection value is being equal to 1 when a physical contact is made with device (on-wrist). Change-Id: Ife91bd1d5795b4b799514d640735378180041b92 Tracked-On: https://jira01.devtools.intel.com/browse/AW-2268 Signed-off-by:
-
- Dec 14, 2016
-
-
Amr BEN ABDESSALEM authored
Ported/based on this patch : https://android.intel.com/#/c/536627 This is to allow userspace process such as netd to administratively close sockets belonging to other apps when the network they were established on has disconnected. Change-Id: I6c8f47ee8377b843a40db7fe71605f31e7d44942 Tracked-On: https://jira01.devtools.intel.com/browse/AW-2513 Signed-off-by:
Mlayeh, AbdelmajidX <abdelmajidx.mlayeh@intel.com> Reviewed-by:
-
- Dec 13, 2016
-
-
Peiqian Li authored
Change-Id: I51fbffb702a3e0926a7666a383f7b3eb12793df4 Tracked-On: https://jira01.devtools.intel.com/browse/AW-2955 Signed-off-by:
Bonnaffe, Jean-louisX <jean-louisx.bonnaffe@intel.com> Reviewed-by:
-
- Dec 06, 2016
-
-
Mattijs Korpershoek authored
Checking for each variant is error-prone. Use INTEL_MID_BOARD_CDP_ALL() instead. Change-Id: Ic376b711f43a3872bd629d1c9e6d2f9694cdc410 Tracked-On: https://jira01.devtools.intel.com/browse/AW-2106 Signed-off-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
-
