- May 02, 2017
-
Robb Glasser authored
The size of uvc_control_mapping is user controlled leading to a potential heap overflow in the uvc driver. This adds a check to verify the user provided size fits within the bounds of the defined buffer size. Bug: 33300353 Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094 Signed-off-by:
Robb Glasser <rglasser@google.com> Reviewed-on: https://android.intel.com/577969 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Nick Desaulniers authored
This likely breaks tracing tools like trace-cmd. It logs in the same format but now addresses are all 0x0. Bug: 34277115 Change-Id: Ifb0d4d2a184bf0d95726de05b1acee0287a375d9 Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094 Signed-off-by:
Nick Desaulniers <ndesaulniers@google.com> Reviewed-on: https://android.intel.com/577968 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Seung-Woo Kim authored
After freeing pin from regulator_ena_gpio_free, loop can access the pin. So this patch fixes not to access pin after freeing. Change-Id: I65f6ca964802f6265719a6b46ca0e7f9a4d2f23f Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094 Signed-off-by:
Seung-Woo Kim <sw0312.kim@samsung.com> Signed-off-by:
Mark Brown <broonie@kernel.org> Reviewed-on: https://android.intel.com/577963 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Amey Telawane authored
Strcpy has no limit on string being copied which causes stack corruption leading to kernel panic. Use strlcpy to resolve the issue by providing length of string to be copied. CRs-fixed: 1048480 Change-Id: Ib290b25f7e0ff96927b8530e5c078869441d409f Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094 Signed-off-by:
Amey Telawane <ameyt@codeaurora.org> Reviewed-on: https://android.intel.com/577961 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Takashi Iwai authored
commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 upstream. Currently kill_fasync() is called outside the stream lock in snd_pcm_period_elapsed(). This is potentially racy, since the stream may get released even during the irq handler is running. Although snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't guarantee that the irq handler finishes, thus the kill_fasync() call outside the stream spin lock may be invoked after the substream is detached, as recently reported by KASAN. As a quick workaround, move kill_fasync() call inside the stream lock. The fasync is rarely used interface, so this shouldn't have a big impact from the performance POV. Ideally, we should implement some sync mechanism for the proper finish of stream and irq handler. But this oneliner should suffice for most cases, so far. Change-Id: Ifbe9dee4b884ece32bce50b486b62b88c5816486 Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094 Reported-by:
Baozeng Ding <sploving1@gmail.com> Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
Willy Tarreau <w@1wt.eu> Reviewed-on: https://android.intel.com/577960 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Peter Zijlstra authored
The fix from 9fc81d87 ("perf: Fix events installation during moving group") was incomplete in that it failed to recognise that creating a group with events for different CPUs is semantically broken -- they cannot be co-scheduled. Furthermore, it leads to real breakage where, when we create an event for CPU Y and then migrate it to form a group on CPU X, the code gets confused where the counter is programmed -- triggered in practice as well by me via the perf fuzzer. Fix this by tightening the rules for creating groups. Only allow grouping of counters that can be co-scheduled in the same context. This means for the same task and/or the same cpu. Change-Id: Ic3c87e770458aa004bd7ed3f29945ff436fd6511 Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094 Signed-off-by:
Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Arnaldo Carvalho de Melo <acme@kernel.org> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.org Signed-off-by:
Ingo Molnar <mingo@kernel.org> Reviewed-on: https://android.intel.com/577959 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Andy Whitcroft authored
When a new xfrm state is created during an XFRM_MSG_NEWSA call we validate the user supplied replay_esn to ensure that the size is valid and to ensure that the replay_window size is within the allocated buffer. However later it is possible to update this replay_esn via a XFRM_MSG_NEWAE call. There we again validate the size of the supplied buffer matches the existing state and if so inject the contents. We do not at this point check that the replay_window is within the allocated memory. This leads to out-of-bounds reads and writes triggered by netlink packets. This leads to memory corruption and the potential for privilege escalation. We already attempt to validate the incoming replay information in xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user is not trying to change the size of the replay state buffer which includes the replay_esn. It however does not check the replay_window remains within that buffer. Add validation of the contained replay_window. CVE-2017-7184 Change-Id: Ida6d8c19161eb93d54a1cc0dddcb93bab3eb2e43 Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094 Signed-off-by:
Andy Whitcroft <apw@canonical.com> Acked-by:
Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Reviewed-on: https://android.intel.com/577958 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
In some cases the controller does not set any reset or abort interrupt, gets crazy and generates a lot of interrupts, leading to soft lockup. If it happens, mask all the interrupts to let the transaction timeout, leading to a reset of the controller to go back in a normal state. Change-Id: Ic3e8829d3ac2e70998daa6badd4c4fc35d3f17b6 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4892 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/580379 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Zaghdoud, WalidX <walidx.zaghdoud@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Choudhary, ShriramX <shriramx.choudhary@intel.com>
-
- Apr 27, 2017
-
Simon Dubray authored
This patch sets an alarm 60s after if there is no alarm in the next 60s. It is a workaround to avoid sleeping for too long in case the watchdog is not stopped during suspend. Change-Id: Id6722d2257c5bd671e3037cb24bdaf59a2a3160f Tracked-On: https://jira01.devtools.intel.com/browse/AW-4212 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/578966 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
This patch kicks the watchdog on suspend and resume callbacks if the userspace daemon has kicked it in the last timeout period (monotonic clock). Change-Id: Id3c78e063a76dc4334c91e147a580b7b04c8d8b1 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4212 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/578779 Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Apr 18, 2017
-
Insun Song authored
added boundary check not to override allocated buffer. Specially when user input corrupted or manipulated. Bug: 34469904 Change-Id: If8f4ff74a7d284c6fb81b1137b13ba4aac8c1c65 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/578162 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Insun Song authored
added boundary check not to override allocated buffer Bug: 34203305 Change-Id: Ice79209fb54397abd0e1ef6e67f5151f1738d373 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/578156 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Sudhir Kohalli authored
(cherry picked from commit 0028b5162c79e0a35884da6a579e3456b9d108e5) 1) The default_chan_list buffer overflow is avoided by checking n_nodfs index does not exceed num_chans, which is the length of default_chan_list buffer. 2) The SSID length check 32(max limit) is done and then the SSID name copied in extra buffer is null terminated. The extra buffer is allocated a length of 33 in wl_iw_ioctl.c. 3) Issue of chances of cumulative results->pkt_count length exceeding allocated memory length of results->total_count is avoided in this fix. change_array is the destination array whose length is allocated to results->total_count. Bug: 34197514 Bug: 34199963 Bug: 34198729 Change-Id: I966c80c236d3e9df744f5445599f0a864bd234dc Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Sudhir Kohalli <sudhir.kohalli@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/578154 Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Insun Song authored
prevent buffer overrun case where WLC_GET_VALID_CHANNELS IOCTL overridden by attacker and its return manipulated. Bug: 34197514 Change-Id: I81bec445fe024b9dbc17404daa6b7dc5c05e8d25 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/578149 Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Insun Song authored
added boundary check not to override allocated buffer. Bug: 32125310 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Change-Id: I9faaef3e084dea26910585310f59312f5c575ef5 Reviewed-on: https://android.intel.com/578148 Reviewed-by:
Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com> Tested-by:
Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Apr 13, 2017
-
Insun Song authored
WEXT API was already obsoleted and should be removed. Bug: 32124445 Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-on: https://android.intel.com/570045 Reviewed-by:
Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Eric Dumazet authored
Backport of this upstream commit into stable kernels : 89c22d8c ("net: Fix skb csum races when peeking") exposed a bug in udp stack vs MSG_PEEK support, when user provides a buffer smaller than skb payload. In this case, skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov); returns -EFAULT. This bug does not happen in upstream kernels since Al Viro did a great job to replace this into : skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); This variant is safe vs short buffers. For the time being, instead reverting Herbert Xu patch and add back skb->ip_summed invalid changes, simply store the result of udp_lib_checksum_complete() so that we avoid computing the checksum a second time, and avoid the problematic skb_copy_and_csum_datagram_iovec() call. This patch can be applied on recent kernels as it avoids a double checksumming, then backported to stable kernels as a bug fix. Change-Id: I87d77274a7ad45e18956292ca54e49518e4e30aa Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Eric Dumazet <edumazet@google.com> Acked-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net> Reviewed-on: https://android.intel.com/575929 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Adrian Salido authored
The buffer allocation is not currently accounting for an extra byte for the report id. This can cause an out of bounds access in function i2c_hid_set_or_send_report() with reportID > 15. Bug: 33040280 Signed-off-by:
Adrian Salido <salidoa@google.com> Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Change-Id: Ifbad3ae07442b9a6266bb52e0b157ef0bff29573 Reviewed-on: https://android.intel.com/575890 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Daniel Rosenberg authored
This separates the kref for ion handles into two components. Userspace requests through the ioctl will hold at most one reference to the internally used kref. All additional requests will increment a separate counter, and the original reference is only put once that counter hits 0. This protects the kernel from a poorly behaving userspace. Bug: 34276203 Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Daniel Rosenberg <drosen@google.com> Reviewed-on: https://android.intel.com/575863 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Mar 21, 2017
-
Simon Dubray authored
commit 8ebbb909 introduced a pm qos requests in mmc driver as a workaround for data transfer failures on byt platforms. These qos requests preventing any state below C2 during read or write are not needed on our devices, so remove them to reduce IO wait time and improve experience (especially app cold launch time). Change-Id: I9a5942e521432d573fb3ff18efe39b7241439482 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4588 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/571943 Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Tested-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Hubert CHAUMETTE authored
When covering the sensor, it gives a measurement of 47418 due to arithmetic operations on unsigned types. Change-Id: Icc110fc4aa11286e7a072bc3ac01dadfe45617c2 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4487 Signed-off-by:
Hubert CHAUMETTE <hubertx.chaumette@intel.com> Reviewed-on: https://android.intel.com/573584 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Mar 20, 2017
-
Simon Dubray authored
This debug option costs around 5 MBytes of RAM and can be safely removed as our 3.10 kernel is stable enough now. As CONFIG_SPLIT_PTLOCK_CPUS depends on this one, its value is set back automatically to default (4). Change-Id: Ic218dd58152fe0a22f0e195dd835130d509f262f Tracked-On: https://jira01.devtools.intel.com/browse/AW-4638 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/572652 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Zaghdoud, WalidX <walidx.zaghdoud@intel.com> Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Tested-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
-
- Mar 16, 2017
-
Ghaddab, RiadhX authored
This reverts commit 5ef1cfba. Change-Id: I90f2287355aef6a3046b7c329632a93433eea515 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4782 Reviewed-on: https://android.intel.com/573335 Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Tested-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Jacquet, CyrilX <cyrilx.jacquet@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
DSR count had been increased from 2 to 15 three years ago in order to make it less power-aggressive and avoid shutting down the display for nothing. On our platforms, we need to reduce it in order to increase the s0ix residency in use cases with a few fps. It will allow to sleep more between 2 frames. As free_count is incremented every 16ms, 2 is maybe a bit too aggressive (32ms) but 4 looks like a good trade-off and should be safe enough. Change-Id: Ie2e142fb7e25897d144c352e6eb3f2f7d0dd8573 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4777 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/565718 Reviewed-by:
Lachaud, EtienneX <etiennex.lachaud@intel.com> Reviewed-by:
Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com> Tested-by:
Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-on: https://android.intel.com/569082 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Tested-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Jacquet, CyrilX <cyrilx.jacquet@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
-
- Mar 14, 2017
-
Simon Dubray authored
Instead of hardcoding all the pci devices we do not want to power on/off, only change power state of lss with a driver registered. Change-Id: Ic5700d02eac32f721f701679a6cbef526f7eac28 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4522 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/571046 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Lachaud, EtienneX <etiennex.lachaud@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Mar 03, 2017
-
Simon Dubray authored
As our kernel 3.10 is quite stable now, we can disable debugging features to save some RAM and improve user experience. Change-Id: If90d13e02c6c2c7bf22693a26a6b881d34298699 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4529 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/571069 Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
The purpose of this patch is to reduce graphics memory usage. It reduces the size of memory allocated for hashtables from 8MB to 512kB as we assume that our small watches need less memory than merrifield phones. This optimization should save around 15MB of RAM on our kernel. Change-Id: Ic6737eb41b4286707193e6487287aa9cc2c57d26 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4180 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/564929 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Gong, Sophia <sophia.gong@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Ben Alaya, AymenX <aymenx.ben.alaya@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com>
-
- Mar 02, 2017
-
Simon Dubray authored
As our devices do not need video support, disable this useless config. Change-Id: Ia8730b259569f960cf2d311c3a55cb2895c1a810 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4180 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/569857 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
-
Simon Dubray authored
2MB of memory are allocated by the kernel for memory cgroups while we never use them on our devices, so disable support in defconfig Change-Id: I9591e0c8836868a2fb2472cb1e843efe8432a359 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4485 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/571034 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Ben Alaya, AymenX <aymenx.ben.alaya@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com>
-
- Feb 24, 2017
-
Jim Lin authored
When gadget is disconnected, running sequence is like this. . android_work: sent uevent USB_STATE=DISCONNECTED . Call trace: usb_string_copy+0xd0/0x128 gadget_config_name_configuration_store+0x4 gadget_config_name_attr_store+0x40/0x50 configfs_write_file+0x198/0x1f4 vfs_write+0x100/0x220 SyS_write+0x58/0xa8 . configfs_composite_unbind . configfs_composite_bind In configfs_composite_bind, it has "cn->strings.s = cn->configuration;" When usb_string_copy is invoked. it would allocate memory, copy input string, release previous pointed memory space, and use new allocated memory. When gadget is connected, host sends down request to get information. Call trace: usb_gadget_get_string+0xec/0x168 lookup_string+0x64/0x98 composite_setup+0xa34/0x1ee8 android_setup+0xb4/0x140 If gadget is disconnected and connected quickly, in the failed case, cn->configuration memory has been released by usb_string_copy kfree but configfs_composite_bind hasn't been run in time to assign new allocated "cn->configuration" pointer to "cn->strings.s". When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling memory is accessed, "BUG: KASAN: use-after-free" error occurs. BUG=chrome-os-partner:58412 TEST=After smaug device was connected to ubuntu PC host, detached and attached type-C cable quickly several times without seeing "BUG: KASAN: use-after-free in usb_gadget_get_string". Bug: 31614969 Change-Id: I58240ee7c55ae8f8fb8597d14f09c5ac07abb032 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Jim Lin <jilin@nvidia.com> Signed-off-by:
Siqi Lin <siqilin@google.com> Reviewed-on: https://android.intel.com/569912 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Andrew Chant authored
Place file offset validity checks under mutex. BUG: 33555878 BUG: 33002026 Change-Id: I1945cfc8af7d1a310ae0d7bbb85002d4c448f30b Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Andrew Chant <achant@google.com> Reviewed-on: https://android.intel.com/569911 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Eric Dumazet authored
CAP_NET_ADMIN users should not be allowed to set negative sk_sndbuf or sk_rcvbuf values, as it can lead to various memory corruptions, crashes, OOM... Note that before commit 82981930 ("net: cleanups in sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF and SO_RCVBUF were vulnerable. This needs to be backported to all known linux kernels. Again, many thanks to syzkaller team for discovering this gem. Change-Id: I158db8dd09043734287ba70be657881c5185fd71 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
Andrey Konovalov <andreyknvl@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Reviewed-on: https://android.intel.com/569900 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Philip Pettersson authored
When packet_set_ring creates a ring buffer it will initialize a struct timer_list if the packet version is TPACKET_V3. This value can then be raced by a different thread calling setsockopt to set the version to TPACKET_V1 before packet_set_ring has finished. This leads to a use-after-free on a function pointer in the struct timer_list when the socket is closed as the previously initialized timer will not be deleted. The bug is fixed by taking lock_sock(sk) in packet_setsockopt when changing the packet version while also taking the lock at the start of packet_set_ring. Change-Id: Ia7b15ac2269ec7dc8806cb7eeb3a45be8743a881 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.") Signed-off-by:
Philip Pettersson <philip.pettersson@gmail.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Reviewed-on: https://android.intel.com/569899 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Guillaume Nault authored
Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind(). Without lock, a concurrent call could modify the socket flags between the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way, a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it would then leave a stale pointer there, generating use-after-free errors when walking through the list or modifying adjacent entries. The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table. Change-Id: I6bff1df385742b1d836d43180dc87fadcea80784 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Reported-by:
Baozeng Ding <sploving1@gmail.com> Reported-by:
Andrey Konovalov <andreyknvl@google.com> Tested-by:
Baozeng Ding <sploving1@gmail.com> Signed-off-by:
Guillaume Nault <g.nault@alphalink.fr> Signed-off-by:
David S. Miller <davem@davemloft.net> Reviewed-on: https://android.intel.com/569897 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
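Added example, not part of the commit or the kernel source: a single-threaded C model of the ordering bug the l2tp commit above describes, replaying the interleaving in which two callers pass the SOCK_ZAPPED test before either takes the lock. `sock_model`, `bind_table` and the helper names are constructed for illustration, and the -1 return stands in for the kernel's error code.

```c
#include <stdbool.h>

/* Constructed model, not kernel code: zapped == true means "not yet bound". */
struct sock_model { bool zapped; };
static struct sock_model *bind_table[8];   /* stands in for l2tp_ip6_bind_table */
static int table_len;

static void table_insert(struct sock_model *sk) { bind_table[table_len++] = sk; }

/* Like the unlink done on close: removes one entry for sk, the first found. */
static void table_remove_once(struct sock_model *sk)
{
    for (int i = 0; i < table_len; i++)
        if (bind_table[i] == sk) { bind_table[i] = bind_table[--table_len]; return; }
}

static int table_refs(const struct sock_model *sk)
{
    int n = 0;
    for (int i = 0; i < table_len; i++)
        n += (bind_table[i] == sk);
    return n;
}

/* Fixed ordering: the flag is tested with the socket lock held (lock calls
 * elided in this single-threaded model). 0 on success, -1 if already bound. */
static int bind_locked_check(struct sock_model *sk)
{
    if (!sk->zapped)
        return -1;
    table_insert(sk);
    sk->zapped = false;
    return 0;
}

/* Entries still referencing a socket after two racing binds and one close. */
static int stale_refs_after_close(bool fixed)
{
    struct sock_model sk = { .zapped = true };
    table_len = 0;
    if (fixed) {                 /* the lock serialises test and insert */
        bind_locked_check(&sk);
        bind_locked_check(&sk);  /* second caller is rejected */
    } else {                     /* both callers test before either locks */
        bool a_ok = sk.zapped, b_ok = sk.zapped;
        if (a_ok) { table_insert(&sk); sk.zapped = false; }
        if (b_ok) { table_insert(&sk); sk.zapped = false; }
    }
    table_remove_once(&sk);
    return table_refs(&sk);
}
```

With the test before the lock, one table entry outlives the close and points at memory the socket release has already freed; with the test under the lock, none does.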
-
Daniel Rosenberg authored
Userspace can cause the kref to handles to increment arbitrarily high. Ensure it does not overflow. Bug: 31992382 Test: See bug for poc Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Daniel Rosenberg <drosen@google.com> Reviewed-on: https://android.intel.com/569892 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Mark Salyzyn authored
Sysrq must be enabled via /proc/sys/kernel/sysrq as a security measure to enable various critical fiq debugger commands that either leak information or can be used as a system attack. Default disabled, this will leave the reboot, reset, irqs, sleep, nosleep, console and ps commands. Reboot and reset commands will be restricted from taking any parameters. We will also switch to showing the limited command set in this mode. Bug: 32402555 Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Mark Salyzyn <salyzyn@google.com> Reviewed-on: https://android.intel.com/569870 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Kai Qiang authored
change the tilt threshold degree from 20 to 15 Change-Id: I054523324172d4dda84477183bb084837ef10195 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4187 Signed-off-by:
Kai Qiang <kaix.qiang@intel.com> Reviewed-on: https://android.intel.com/567758 Reviewed-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Tested-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Andrey Ryabinin authored
This fixes CVE-2016-8650. If mpi_powm() is given a zero exponent, it wants to immediately return either 1 or 0, depending on the modulus. However, if the result was initialised with zero limb space, no limbs space is allocated and a NULL-pointer exception ensues. Fix this by allocating a minimal amount of limb space for the result when the 0-exponent case when the result is 1 and not touching the limb space when the result is 0. This affects the use of RSA keys and X.509 certificates that carry them. Basically, this is a backport of a libgcrypt patch: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526 Change-Id: I77e53254632ed7c0bad865e3ae156fafc02c6251 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files (part 1)") Signed-off-by:
Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by:
David Howells <dhowells@redhat.com> cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> cc: linux-ima-devel@lists.sourceforge.net cc: stable@vger.kernel.org Signed-off-by:
James Morris <james.l.morris@oracle.com> Reviewed-on: https://android.intel.com/569859 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
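Added example, not the kernel's or libgcrypt's code: a small C model of the zero-exponent branch described in the mpi_powm() commit above, with the unconditional store beside the fixed form. `mpi_model` and the function names are constructed, and the unpatched variant returns -2 at the point where the kernel dereferenced NULL.

```c
#include <stdlib.h>
typedef unsigned long limb_t;

/* Constructed stand-in for an MPI: d is NULL when no limb space exists. */
struct mpi_model {
    limb_t *d;   /* limb array */
    int nlimbs;  /* limbs in use; 0 encodes the value 0 */
};

static int mpi_model_resize(struct mpi_model *a, int nlimbs)
{
    limb_t *p = realloc(a->d, (size_t)nlimbs * sizeof(*p));
    if (!p)
        return -1;
    a->d = p;
    return 0;
}

/* Pre-fix shape: stores 1 through res->d whatever the result is. The model
 * returns -2 where the kernel dereferenced NULL, so it stays runnable. */
static int powm_zero_exp_unpatched(struct mpi_model *res, const struct mpi_model *mod)
{
    if (!res->d)
        return -2;
    res->d[0] = 1;
    res->nlimbs = (mod->nlimbs == 1 && mod->d[0] == 1) ? 0 : 1;
    return 0;
}

/* Fixed shape: x^0 mod m is 0 when m == 1, else 1. One limb is allocated
 * only for the result 1; limb space is left untouched for the result 0. */
static int powm_zero_exp_patched(struct mpi_model *res, const struct mpi_model *mod)
{
    res->nlimbs = (mod->nlimbs == 1 && mod->d[0] == 1) ? 0 : 1;
    if (res->nlimbs && mpi_model_resize(res, 1) < 0)
        return -1;
    if (res->nlimbs)
        res->d[0] = 1;
    return 0;
}

/* x^0 mod modulus with a zero-limb result: value (0 or 1) or negative status. */
static int zero_exp_result(int patched, limb_t modulus)
{
    struct mpi_model mod = { &modulus, 1 }, res = { NULL, 0 };
    int rc = (patched ? powm_zero_exp_patched : powm_zero_exp_unpatched)(&res, &mod);
    int value = (rc == 0 && res.nlimbs) ? (int)res.d[0] : rc;
    free(res.d);
    return value;
}
```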
-
- Feb 21, 2017
-
-
MorganX Binet authored
- Currently a wakelock is held only when the cable type is DCP. SDP and CDP cable types are handled in OTG driver. - This patch includes the other types of cable Change-Id: I14083df70b20c73de6322df62ea8756100caa96e Tracked-On: https://jira01.devtools.intel.com/browse/AW-2877 Signed-off-by:
MorganX Binet <morganx.binet@intel.com> Reviewed-on: https://android.intel.com/568927 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Chaumette, HubertX <hubertx.chaumette@intel.com> Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Saadani, MarouaneX <marouanex.saadani@intel.com> Reviewed-by:
Ferrari, AlainX <alainx.ferrari@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 20, 2017
-
-
Julien Masson authored
On power on sequence, we should rotate screen to 180 degrees. Change-Id: I59b774d0bd2d99165438ff88f4c88907dcef2585 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4188 Signed-off-by:
Julien Masson <julienx.masson@intel.com> Reviewed-on: https://android.intel.com/567406 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Gong, Sophia <sophia.gong@intel.com> Reviewed-by:
Liu, WeiX W <weix.w.liu@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-