- Apr 27, 2017
Simon Dubray authored
This patch sets an alarm 60s after if there is no alarm in the next 60s. It is a workaround to avoid sleeping for too long in case the watchdog is not stopped during suspend. Change-Id: Id6722d2257c5bd671e3037cb24bdaf59a2a3160f Tracked-On: https://jira01.devtools.intel.com/browse/AW-4212 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/578966 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
This patch kicks the watchdog on suspend and resume callbacks if the userspace daemon has kicked it in the last timeout period (monotonic clock). Change-Id: Id3c78e063a76dc4334c91e147a580b7b04c8d8b1 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4212 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/578779 Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Apr 18, 2017
Insun Song authored
added boundary check not to override allocated buffer, especially when user input is corrupted or manipulated. Bug: 34469904 Change-Id: If8f4ff74a7d284c6fb81b1137b13ba4aac8c1c65 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/578162 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Insun Song authored
added boundary check not to override allocated buffer Bug: 34203305 Change-Id: Ice79209fb54397abd0e1ef6e67f5151f1738d373 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/578156 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Sudhir Kohalli authored
(cherry picked from commit 0028b5162c79e0a35884da6a579e3456b9d108e5) 1) The default_chan_list buffer overflow is avoided by checking n_nodfs index does not exceed num_chans, which is the length of default_chan_list buffer. 2) The SSID length check 32(max limit) is done and then the SSID name copied in extra buffer is null terminated. The extra buffer is allocated a length of 33 in wl_iw_ioctl.c. 3) Issue of chances of cumulative results->pkt_count length exceeding allocated memory length of results->total_count is avoided in this fix. change_array is the destination array whose length is allocated to results->total_count. Bug: 34197514 Bug: 34199963 Bug: 34198729 Change-Id: I966c80c236d3e9df744f5445599f0a864bd234dc Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Sudhir Kohalli <sudhir.kohalli@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/578154 Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Insun Song authored
prevent buffer overrun case where WLC_GET_VALID_CHANNELS IOCTL overridden by attacker and its return manipulated. Bug: 34197514 Change-Id: I81bec445fe024b9dbc17404daa6b7dc5c05e8d25 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Reviewed-on: https://android.intel.com/578149 Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Insun Song authored
added boundary check not to override allocated buffer. Bug: 32125310 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com> Change-Id: I9faaef3e084dea26910585310f59312f5c575ef5 Reviewed-on: https://android.intel.com/578148 Reviewed-by:
Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com> Tested-by:
Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Apr 13, 2017
Insun Song authored
WEXT API was already obsoleted and should be removed. Bug: 32124445 Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Insun Song <insun.song@broadcom.com> Signed-off-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-on: https://android.intel.com/570045 Reviewed-by:
Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Eric Dumazet authored
Backport of this upstream commit into stable kernels : 89c22d8c ("net: Fix skb csum races when peeking") exposed a bug in udp stack vs MSG_PEEK support, when user provides a buffer smaller than skb payload. In this case, skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr), msg->msg_iov); returns -EFAULT. This bug does not happen in upstream kernels since Al Viro did a great job to replace this into : skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg); This variant is safe vs short buffers. For the time being, instead reverting Herbert Xu patch and add back skb->ip_summed invalid changes, simply store the result of udp_lib_checksum_complete() so that we avoid computing the checksum a second time, and avoid the problematic skb_copy_and_csum_datagram_iovec() call. This patch can be applied on recent kernels as it avoids a double checksumming, then backported to stable kernels as a bug fix. Change-Id: I87d77274a7ad45e18956292ca54e49518e4e30aa Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Eric Dumazet <edumazet@google.com> Acked-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
David S. Miller <davem@davemloft.net> Reviewed-on: https://android.intel.com/575929 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Adrian Salido authored
The buffer allocation is not currently accounting for an extra byte for the report id. This can cause an out of bounds access in function i2c_hid_set_or_send_report() with reportID > 15. Bug: 33040280 Signed-off-by:
Adrian Salido <salidoa@google.com> Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Change-Id: Ifbad3ae07442b9a6266bb52e0b157ef0bff29573 Reviewed-on: https://android.intel.com/575890 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Daniel Rosenberg authored
This separates the kref for ion handles into two components. Userspace requests through the ioctl will hold at most one reference to the internally used kref. All additional requests will increment a separate counter, and the original reference is only put once that counter hits 0. This protects the kernel from a poorly behaving userspace. Bug: 34276203 Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805 Signed-off-by:
Daniel Rosenberg <drosen@google.com> Reviewed-on: https://android.intel.com/575863 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Mar 21, 2017
Simon Dubray authored
commit 8ebbb909 introduced a pm qos requests in mmc driver as a workaround for data transfer failures on byt platforms. These qos requests preventing any state below C2 during read or write are not needed on our devices, so remove them to reduce IO wait time and improve experience (especially app cold launch time). Change-Id: I9a5942e521432d573fb3ff18efe39b7241439482 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4588 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/571943 Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Tested-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Hubert CHAUMETTE authored
When covering the sensor, it gives a measurement of 47418 due to arithmetic operations on unsigned types. Change-Id: Icc110fc4aa11286e7a072bc3ac01dadfe45617c2 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4487 Signed-off-by:
Hubert CHAUMETTE <hubertx.chaumette@intel.com> Reviewed-on: https://android.intel.com/573584 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Mar 20, 2017
Simon Dubray authored
This debug option costs around 5 MBytes of RAM and can be safely removed as our 3.10 kernel is stable enough now. As CONFIG_SPLIT_PTLOCK_CPUS is depending of this one, its value is set back automatically to default (4). Change-Id: Ic218dd58152fe0a22f0e195dd835130d509f262f Tracked-On: https://jira01.devtools.intel.com/browse/AW-4638 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/572652 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Zaghdoud, WalidX <walidx.zaghdoud@intel.com> Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Tested-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
-
- Mar 16, 2017
Ghaddab, RiadhX authored
This reverts commit 5ef1cfba. Change-Id: I90f2287355aef6a3046b7c329632a93433eea515 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4782 Reviewed-on: https://android.intel.com/573335 Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Tested-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Jacquet, CyrilX <cyrilx.jacquet@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
DSR count had been increased from 2 to 15 three years ago in order to make it less power-aggressive and avoid shutting down the display for nothing. On our platforms, we need to reduce it in order to increase the s0ix residency in use cases with a few fps. It will allow to sleep more between 2 frames. As free_count is incremented every 16ms, 2 is maybe a bit too aggressive (32ms) but 4 looks like a good trade-off and should be safe enough. Change-Id: Ie2e142fb7e25897d144c352e6eb3f2f7d0dd8573 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4777 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/565718 Reviewed-by:
Lachaud, EtienneX <etiennex.lachaud@intel.com> Reviewed-by:
Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com> Tested-by:
Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-on: https://android.intel.com/569082 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Tested-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Jacquet, CyrilX <cyrilx.jacquet@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
-
- Mar 14, 2017
Simon Dubray authored
Instead of hardcoding all the pci devices we do not want to power on/off, only change power state of lss with a driver registered. Change-Id: Ic5700d02eac32f721f701679a6cbef526f7eac28 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4522 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/571046 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Lachaud, EtienneX <etiennex.lachaud@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com> Reviewed-by:
Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Mar 03, 2017
Simon Dubray authored
As our kernel 3.10 is quite stable now, we can disable debugging features to save some RAM and improve user experience. Change-Id: If90d13e02c6c2c7bf22693a26a6b881d34298699 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4529 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/571069 Reviewed-by:
Nassiet, GaelleX <gaellex.nassiet@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Viel, ClementX <clementx.viel@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
The purpose of this patch is to reduce graphics memory usage. It reduces the size of memory allocated for hashtables from 8MB to 512kB as we assume that our small watches need less memory than merrifield phones. This optimization should save around 15MB of RAM on our kernel. Change-Id: Ic6737eb41b4286707193e6487287aa9cc2c57d26 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4180 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/564929 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Gong, Sophia <sophia.gong@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Ben Alaya, AymenX <aymenx.ben.alaya@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com>
-
- Mar 02, 2017
Simon Dubray authored
As our devices do not need video support, disable this useless config. Change-Id: Ia8730b259569f960cf2d311c3a55cb2895c1a810 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4180 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/569857 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
-
Simon Dubray authored
2MB of memory are allocated by the kernel for memory cgroups while we never use them on our devices, so disable support in defconfig Change-Id: I9591e0c8836868a2fb2472cb1e843efe8432a359 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4485 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/571034 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Ben Alaya, AymenX <aymenx.ben.alaya@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com> Reviewed-by:
Korpershoek, MattijsX <mattijsx.korpershoek@intel.com>
-
- Feb 24, 2017
Jim Lin authored
When gadget is disconnected, running sequence is like this. . android_work: sent uevent USB_STATE=DISCONNECTED . Call trace: usb_string_copy+0xd0/0x128 gadget_config_name_configuration_store+0x4 gadget_config_name_attr_store+0x40/0x50 configfs_write_file+0x198/0x1f4 vfs_write+0x100/0x220 SyS_write+0x58/0xa8 . configfs_composite_unbind . configfs_composite_bind In configfs_composite_bind, it has "cn->strings.s = cn->configuration;" When usb_string_copy is invoked. it would allocate memory, copy input string, release previous pointed memory space, and use new allocated memory. When gadget is connected, host sends down request to get information. Call trace: usb_gadget_get_string+0xec/0x168 lookup_string+0x64/0x98 composite_setup+0xa34/0x1ee8 android_setup+0xb4/0x140 If gadget is disconnected and connected quickly, in the failed case, cn->configuration memory has been released by usb_string_copy kfree but configfs_composite_bind hasn't been run in time to assign new allocated "cn->configuration" pointer to "cn->strings.s". When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling memory is accessed, "BUG: KASAN: use-after-free" error occurs. BUG=chrome-os-partner:58412 TEST=After smaug device was connected to ubuntu PC host, detached and attached type-C cable quickly several times without seeing "BUG: KASAN: use-after-free in usb_gadget_get_string". Bug: 31614969 Change-Id: I58240ee7c55ae8f8fb8597d14f09c5ac07abb032 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Jim Lin <jilin@nvidia.com> Signed-off-by:
Siqi Lin <siqilin@google.com> Reviewed-on: https://android.intel.com/569912 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Andrew Chant authored
Place file offset validity checks under mutex. BUG: 33555878 BUG: 33002026 Change-Id: I1945cfc8af7d1a310ae0d7bbb85002d4c448f30b Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Andrew Chant <achant@google.com> Reviewed-on: https://android.intel.com/569911 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Eric Dumazet authored
CAP_NET_ADMIN users should not be allowed to set negative sk_sndbuf or sk_rcvbuf values, as it can lead to various memory corruptions, crashes, OOM... Note that before commit 82981930 ("net: cleanups in sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF and SO_RCVBUF were vulnerable. This needs to be backported to all known linux kernels. Again, many thanks to syzkaller team for discovering this gem. Change-Id: I158db8dd09043734287ba70be657881c5185fd71 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Eric Dumazet <edumazet@google.com> Reported-by:
Andrey Konovalov <andreyknvl@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Reviewed-on: https://android.intel.com/569900 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Philip Pettersson authored
When packet_set_ring creates a ring buffer it will initialize a struct timer_list if the packet version is TPACKET_V3. This value can then be raced by a different thread calling setsockopt to set the version to TPACKET_V1 before packet_set_ring has finished. This leads to a use-after-free on a function pointer in the struct timer_list when the socket is closed as the previously initialized timer will not be deleted. The bug is fixed by taking lock_sock(sk) in packet_setsockopt when changing the packet version while also taking the lock at the start of packet_set_ring. Change-Id: Ia7b15ac2269ec7dc8806cb7eeb3a45be8743a881 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Fixes: f6fb8f10 ("af-packet: TPACKET_V3 flexible buffer implementation.") Signed-off-by:
Philip Pettersson <philip.pettersson@gmail.com> Signed-off-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
David S. Miller <davem@davemloft.net> Reviewed-on: https://android.intel.com/569899 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Guillaume Nault authored
Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind(). Without lock, a concurrent call could modify the socket flags between the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way, a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it would then leave a stale pointer there, generating use-after-free errors when walking through the list or modifying adjacent entries. BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8 Write of size 8 by task syz-executor/10987 The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table. Change-Id: I6bff1df385742b1d836d43180dc87fadcea80784 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Reported-by:
Baozeng Ding <sploving1@gmail.com> Reported-by:
Andrey Konovalov <andreyknvl@google.com> Tested-by:
Baozeng Ding <sploving1@gmail.com> Signed-off-by:
Guillaume Nault <g.nault@alphalink.fr> Signed-off-by:
David S. Miller <davem@davemloft.net> Reviewed-on: https://android.intel.com/569897 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Daniel Rosenberg authored
Userspace can cause the kref to handles to increment arbitrarily high. Ensure it does not overflow. Bug: 31992382 Test: See bug for poc Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Daniel Rosenberg <drosen@google.com> Reviewed-on: https://android.intel.com/569892 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Mark Salyzyn authored
Sysrq must be enabled via /proc/sys/kernel/sysrq as a security measure to enable various critical fiq debugger commands that either leak information or can be used as a system attack. Default disabled, this will leave the reboot, reset, irqs, sleep, nosleep, console and ps commands. Reboot and reset commands will be restricted from taking any parameters. We will also switch to showing the limited command set in this mode. Bug: 32402555 Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Signed-off-by:
Mark Salyzyn <salyzyn@google.com> Reviewed-on: https://android.intel.com/569870 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Kai Qiang authored
change the tilt threshold degree from 20 to 15 Change-Id: I054523324172d4dda84477183bb084837ef10195 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4187 Signed-off-by:
Kai Qiang <kaix.qiang@intel.com> Reviewed-on: https://android.intel.com/567758 Reviewed-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Tested-by:
Hu, Bingquan <bingquan.hu@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Andrey Ryabinin authored
This fixes CVE-2016-8650. If mpi_powm() is given a zero exponent, it wants to immediately return either 1 or 0, depending on the modulus. However, if the result was initialised with zero limb space, no limbs space is allocated and a NULL-pointer exception ensues. Fix this by allocating a minimal amount of limb space for the result when the 0-exponent case when the result is 1 and not touching the limb space when the result is 0. This affects the use of RSA keys and X.509 certificates that carry them. BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6 Basically, this is a backport of a libgcrypt patch: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526 Change-Id: I77e53254632ed7c0bad865e3ae156fafc02c6251 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391 Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files (part 1)") Signed-off-by:
Andrey Ryabinin <aryabinin@virtuozzo.com> Signed-off-by:
David Howells <dhowells@redhat.com> cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com> cc: linux-ima-devel@lists.sourceforge.net cc: stable@vger.kernel.org Signed-off-by:
James Morris <james.l.morris@oracle.com> Reviewed-on: https://android.intel.com/569859 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Akue, LoicX <loicx.akue@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
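
The zero-exponent handling described in the commit message above, as an added C example that is not the kernel's or libgcrypt's code. The names toy_mpi, toy_resize, toy_powm_zero_exp and toy_demo are hypothetical; they model a result that starts with zero limb space, as in the reported crash.

```c
#include <stdlib.h>

typedef unsigned long limb_t;

/* Toy stand-in for an MPI: d stays NULL until limb space is allocated. */
struct toy_mpi {
    limb_t *d;   /* limb array */
    int alloced; /* limbs allocated */
    int nlimbs;  /* limbs in use; 0 encodes the value 0 */
};

/* Grow the limb array to at least n limbs; 0 on success, -1 on failure. */
static int toy_resize(struct toy_mpi *a, int n)
{
    limb_t *p;
    if (n <= a->alloced)
        return 0;
    p = realloc(a->d, (size_t)n * sizeof(*p));
    if (!p)
        return -1;
    a->d = p;
    a->alloced = n;
    return 0;
}

/* Zero-exponent branch only: x^0 mod m is 0 when m == 1, otherwise 1. */
int toy_powm_zero_exp(struct toy_mpi *res, const struct toy_mpi *mod)
{
    res->nlimbs = (mod->nlimbs == 1 && mod->d[0] == 1) ? 0 : 1;
    if (res->nlimbs) {
        /* Without this resize, res->d may be NULL and the store faults. */
        if (toy_resize(res, 1) < 0)
            return -1;
        res->d[0] = 1;
    }
    return 0; /* result 0: limb space is left untouched */
}

/* Start from zero limb space, as in the crash; returns 0, 1, or -1. */
int toy_demo(limb_t modulus)
{
    struct toy_mpi res = { NULL, 0, 0 };
    struct toy_mpi mod = { &modulus, 1, 1 };
    int value = toy_powm_zero_exp(&res, &mod);
    if (value == 0 && res.nlimbs)
        value = (int)res.d[0];
    free(res.d);
    return value;
}
```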
-
- Feb 21, 2017
-
-
MorganX Binet authored
- Currently a wakelock is held only when the cable type is DCP. SDP and CDP cable types are handled in OTG driver.
- This patch includes the other types of cable.
Change-Id: I14083df70b20c73de6322df62ea8756100caa96e Tracked-On: https://jira01.devtools.intel.com/browse/AW-2877 Signed-off-by:
MorganX Binet <morganx.binet@intel.com> Reviewed-on: https://android.intel.com/568927 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Chaumette, HubertX <hubertx.chaumette@intel.com> Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Saadani, MarouaneX <marouanex.saadani@intel.com> Reviewed-by:
Ferrari, AlainX <alainx.ferrari@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 20, 2017
-
-
Julien Masson authored
On power on sequence, we should rotate screen to 180 degrees. Change-Id: I59b774d0bd2d99165438ff88f4c88907dcef2585 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4188 Signed-off-by:
Julien Masson <julienx.masson@intel.com> Reviewed-on: https://android.intel.com/567406 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Gong, Sophia <sophia.gong@intel.com> Reviewed-by:
Liu, WeiX W <weix.w.liu@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 16, 2017
-
-
Kai Qiang authored
modified scale from 2G to 8G of st_lsm6ds3h Change-Id: I83184453d1d0d361e8a3381fb654d26fb6538598 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3409 Signed-off-by:
Kai Qiang <kaix.qiang@intel.com> Reviewed-on: https://android.intel.com/568254 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 15, 2017
-
-
Sophia Gong authored
This patch is to WA below CTS 7.1-r1 dEQP mem stress failures. The failed case intends to create 128 EGL contexts. Each 3D EGL context allocates about 1.5MB memory. 1MB of them are for 3D heap size. This patch decreases PDS/USC heap size to 48MB for overall 128 EGL contexts. Full CTS-7.1, gfx smooth validation shows no side effects.

    dEQP-EGL.functional.multicontext#non_shared
    dEQP-EGL.functional.multicontext#non_shared_clear
    dEQP-EGL.functional.multicontext#non_shared_make_current

Change-Id: I26c55ec940ab154986f475e16c72fb0a807fde18 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3635 Signed-off-by:
Sophia Gong <sophia.gong@intel.com> Signed-off-by:
wenshelx <wenshengx.wang@intel.com> Reviewed-on: https://android.intel.com/567744 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Ledentec, AlexandreX <alexandrex.ledentec@intel.com> Reviewed-by:
Whitfield, MichaelX <michaelx.whitfield@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 09, 2017
-
-
Greg Hackmann authored
Bug: 32838767 Change-Id: I987b07c30b3ed76865a002e7c154a5fa36b1bf29 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4085 Signed-off-by:
Greg Hackmann <ghackmann@google.com> Reviewed-on: https://android.intel.com/565598 Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Adrian Salido authored
As mentioned in commit 52ee2dfd ("pids: refactor vnr/nr_ns helpers to make them safe"). *_nr_ns helpers used to be buggy. The commit addresses most of the helpers but is missing task_tgid_xxx()

Without this protection there is a possible use after free reported by kasan instrumented kernel:

    ==================================================================
    BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
    Read of size 8 by task cat/2472
    CPU: 1 PID: 2472 Comm: cat Tainted: ****
    Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
    Call trace:
    [<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c
    [<ffffffc00020aec0>] show_stack+0x18/0x24
    [<ffffffc0011573d0>] dump_stack+0x94/0x100
    [<ffffffc0003c7dc0>] kasan_report+0x308/0x554
    [<ffffffc0003c7518>] __asan_load8+0x20/0x7c
    [<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44
    [<ffffffc00046951c>] proc_pid_status+0x444/0x1080
    [<ffffffc000460f60>] proc_single_show+0x8c/0xdc
    [<ffffffc0004081b0>] seq_read+0x2e8/0x6f0
    [<ffffffc0003d1420>] vfs_read+0xd8/0x1e0
    [<ffffffc0003d1b98>] SyS_read+0x68/0xd4

Accessing group_leader while holding rcu_lock and using the now safe helpers introduced in the commit mentioned, this race condition is addressed.

Bug: 31495866 Signed-off-by:
Adrian Salido <salidoa@google.com> Tracked-On: https://jira01.devtools.intel.com/browse/AW-4085 Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b Reviewed-on: https://android.intel.com/565596 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Simon Dubray authored
Properly handle return values in tmd26723 probe to return negative values when data structures have been freed. Change-Id: I6b7ba86bdac9dac9544dcb3bd979f18e6b4e4c64 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4020 Signed-off-by:
Simon Dubray <simonx.dubray@intel.com> Reviewed-on: https://android.intel.com/565063 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Jann Horn authored
This ensures that do_mmap() won't implicitly make AIO memory mappings executable if the READ_IMPLIES_EXEC personality flag is set. Such behavior is problematic because the security_mmap_file LSM hook doesn't catch this case, potentially permitting an attacker to bypass a W^X policy enforced by SELinux.

I have tested the patch on my machine.

To test the behavior, compile and run this:

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sys/personality.h>
    #include <linux/aio_abi.h>
    #include <err.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/syscall.h>

    int main(void) {
      personality(READ_IMPLIES_EXEC);
      aio_context_t ctx = 0;
      if (syscall(__NR_io_setup, 1, &ctx))
        err(1, "io_setup");

      char cmd[1000];
      sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
        (int)getpid());
      system(cmd);
      return 0;
    }

In the output, "rw-s" is good, "rwxs" is bad.

Signed-off-by:
Jann Horn <jann@thejh.net> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> (cherry picked from commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a) Bug: 31711619 Tracked-On: https://jira01.devtools.intel.com/browse/AW-4085 Change-Id: Ib4ffd30b61f1d9ba629049f65a21afbf94e25cfd Reviewed-on: https://android.intel.com/565587 Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Tested-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
- Feb 03, 2017
-
-
MorganX Binet authored
Previous VINDPM implementation did not take into account that register is reset at each cable connection, so VINDPM is forced every minute at the same time as threshold value update. Change-Id: I249666e061eec3d73c45e6ee4af37fb3562d53e0 Tracked-On: https://jira01.devtools.intel.com/browse/AW-3147 Signed-off-by:
MorganX Binet <morganx.binet@intel.com> Reviewed-on: https://android.intel.com/565656 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Chaumette, HubertX <hubertx.chaumette@intel.com> Reviewed-by:
Ghaddab, RiadhX <riadhx.ghaddab@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-
Julien Masson authored
This type aims to be the reference for display device. Change-Id: Ib21b3a93587ad0ac3b0e35ac7ab413557a6811ee Tracked-On: https://jira01.devtools.intel.com/browse/AW-2918 Signed-off-by:
Julien Masson <julienx.masson@intel.com> Reviewed-on: https://android.intel.com/557162 Reviewed-by:
jenkins_ndg <jenkins_ndg@intel.com> Reviewed-by:
Louis, FabienX <fabienx.louis@intel.com> Reviewed-by:
Afonso, PhilippeX <philippex.afonso@intel.com> Reviewed-by:
Dubray, SimonX <simonx.dubray@intel.com> Reviewed-by:
Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
-