diag: Fix for possible memory corruption

When a peripheral supports more ssids than apps in a given
table entry, the entry needs reallocation.
No reallocation causes slab-out-of-bounds reads seen as
bad access/memory corruption.
This patch fixes the memory availability limitation.

KASAN Report
27.044086:<6> ===========================================================
27.044108:<6> BUG: KASAN: slab-out-of-bounds in
diag_cntl_process_read_data+0xeb0/0x10d4 at addr 0xffffffc033997e6c
27.044112:<6> Read of size 4 by task kworker/u8:9/671
27.044117:<6> ===========================================================
27.044123:<6> BUG kmalloc-128 (Tainted: G B W):kasan: bad access detected
27.044126:<6> -----------------------------------------------------------
27.044136:<6> INFO: Allocated in d
	iag_create_msg_mask_table_entry+0x10c/0x148 age=1444 cpu=3 pid=1
27.044147:<6> alloc_debug_processing+0x118/0x170
27.044153:<6> __slab_alloc.isra.20.constprop.22+0x2a4/0x3a0
27.044159:<6> __kmalloc+0xe8/0x27c
27.044165:<6> diag_create_msg_mask_table_entry+0x108/0x148
27.044170:<6> diag_masks_init+0x30c/0xa1c
27.044184:<6> diagchar_init+0x624/0xa4c
27.044190:<6> do_one_initcall+0x250/0x278
27.044198:<6> kernel_init_freeable+0x1c4/0x268
27.044207:<6> kernel_init+0x10/0xd8
27.044212:<6> ret_from_fork+0xc/0x30
27.044219:<6> INFO: Slab 0xffffffba47b79720 objects=16 used=16 fp=0x
	(null) flags=0x4080
27.044224:<6> INFO: Object 0xffffffc033997e00 @offset=7680
	fp=0xffffffc033997c00
27.044232:<6> Bytes b4 0xffffffc033997df0: 5a 5a 5a 5a 5a 5a 5a 5a 5a
	5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044238:<6> Object 0xffffffc033997e00: 1f 00 00 00 1f 00 00 00 1f
	00 00 00 1f 00 00 00  ................
27.044244:<6> Object 0xffffffc033997e10: 1f 00 00 00 1f 00 00 00 1f
	00 00 00 1f 00 00 00  ................
27.044249:<6> Object 0xffffffc033997e20: 1f 00 00 00 1f 00 00 00 1f
	00 00 00 1f 00 00 00  ................
27.044255:<6> Object 0xffffffc033997e30: 1f 00 00 00 1f 00 00 00 1f
	00 00 00 1f 00 00 00  ................
27.044260:<6> Object 0xffffffc033997e40: 1f 00 00 00 1f 00 00 00 1f
	00 00 00 1f 00 00 00  ................
27.044266:<6> Object 0xffffffc033997e50: 1f 00 00 00 1f 00 00 00 1f
	00 00 00 1f 00 00 00  ................
27.044271:<6> Object 0xffffffc033997e60: 1f 00 00 00 1f 00 00 00 1f
	00 00 00 00 00 00 00  ................
27.044277:<6> Object 0xffffffc033997e70: 00 00 00 00 00 00 00 00 00
	00 00 00 00 00 00 00  ................
27.044283:<6> Redzone 0xffffffc033997e80: cc cc cc cc cc cc cc cc
                      ........
27.044288:<6> Padding 0xffffffc033997fc0: 5a 5a 5a 5a 5a 5a 5a 5a
	5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044294:<6> Padding 0xffffffc033997fd0: 5a 5a 5a 5a 5a 5a 5a 5a
	5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044299:<6> Padding 0xffffffc033997fe0: 5a 5a 5a 5a 5a 5a 5a 5a
	5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044305:<6> Padding 0xffffffc033997ff0: 5a 5a 5a 5a 5a 5a 5a 5a
	5a 5a 5a 5a 5a 5a 5a 5a  ZZZZZZZZZZZZZZZZ
27.044315:<6> CPU: 1 PID: 671 Comm: kworker/u8:9
	Tainted: G    B   W  3.18.20-g2c703ee #2
27.044319:<6> Hardware name: Qualcomm Technologies, Inc.
	MSM 8996 v3.0 + PMI8994 MTP (DT)
27.044332:<2> Workqueue: DIAG_SOCKMODEM_CNTL socket_read_work_fn
27.044335:<6> Call trace:
27.044343:<2> [<ffffffc00008a168>] dump_backtrace+0x0/0x1c4
27.044350:<2> [<ffffffc00008a33c>] show_stack+0x10/0x1c
27.044359:<2> [<ffffffc00129a850>] dump_stack+0x74/0xc8
27.044366:<2> [<ffffffc000213d8c>] print_trailer+0x19c/0x1b0
27.044372:<2> [<ffffffc000214788>] object_err+0x3c/0x50
27.044378:<2> [<ffffffc000219918>] kasan_report+0x34c/0x504
27.044385:<2> [<ffffffc000218928>] __asan_load4+0x20/0x74
27.044392:<2>[<ffffffc0006f1594>] diag_cntl_process_read_data+0xeac/0x10d4
27.044399:<2> [<ffffffc0006e67f0>] diagfwd_cntl_read_done+0x78/0xf0
27.044407:<2> [<ffffffc0006e7b38>] diagfwd_channel_read_done+0x154/0x184
27.044414:<2> [<ffffffc0006ebdd4>] diag_socket_read+0x480/0x534
27.044420:<2> [<ffffffc0006e85cc>] diagfwd_channel_read+0x348/0x368
27.044427:<2> [<ffffffc0006eabc4>] socket_read_work_fn+0x20/0x30
27.044437:<2> [<ffffffc0000cabf8>] process_one_work+0x394/0x64c
27.044444:<2> [<ffffffc0000cbfb8>] worker_thread+0x3bc/0x550
27.044450:<2> [<ffffffc0000d256c>] kthread+0x180/0x194
27.044753:<6> coresight-tmc 3028000.tmc: TMC aborted
27.044765:<6> Kernel panic - not syncing: kasan: bad access detected

CRs-Fixed: 993725
Change-Id: I90a6a560900d6c1c3694cce460ae8f772dc3434e
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Manoj Prabhu B 2016-03-23 11:27:58 +05:30 committed by Kyle Yan
parent 85ba07bc3f
commit 2da25adb21


@ -1260,7 +1260,7 @@ int diag_create_msg_mask_table_entry(struct diag_msg_mask_t *msg_mask,
msg_mask->ssid_last = range->ssid_last;
msg_mask->ssid_last_tools = range->ssid_last;
msg_mask->range = msg_mask->ssid_last - msg_mask->ssid_first + 1;
if (msg_mask->range > MAX_SSID_PER_RANGE)
if (msg_mask->range < MAX_SSID_PER_RANGE)
msg_mask->range = MAX_SSID_PER_RANGE;
msg_mask->range_tools = msg_mask->range;
mutex_init(&msg_mask->lock);
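Review bot: inverting the comparison on the changed line removes the upper clamp instead of adding a lower one: with `if (msg_mask->range < MAX_SSID_PER_RANGE)` a computed range larger than MAX_SSID_PER_RANGE now passes through unchanged, so if `msg_mask->range` later sizes the per-entry mask allocation or indexes a fixed-size array, a peripheral reporting an SSID range wider than MAX_SSID_PER_RANGE is no longer bounded. If every entry is meant to hold exactly MAX_SSID_PER_RANGE masks (which is the effect of the new condition combined with the old one), write that as an unconditional assignment so the intent is explicit; if ranges above MAX_SSID_PER_RANGE are possible, restore the `>` clamp before the range is used for sizing. The commit message also says the entry "needs reallocation", but this hunk performs no reallocation; it pre-sizes every entry to at least MAX_SSID_PER_RANGE, which raises per-entry memory for all ranges, so the message should describe the change actually made.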