Linux Build Service Account
3c45c2a8a2
Promotion of kernel.lnx.4.4-161119.
...
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
1088658 I2f994ae0250ffc8f740ea633324815ae429c74be msm: ipa3: linearize large skbs
1077102 I09359b528b4742f72a76690930f3d0ed90bb2caa msm: mdss: move warnings and errors out of mdss spinlock
1089895 I84185558fa6e80b13d7d0078bda9d75143680941 tcp: take care of truncations done by sk_filter()
1091511 Ia151b2dd5229f07790ac961af298305b24e098fb msm: wlan: update regulatory database
1081957 I24820bd6254002f8a8db9604d230dcbce59b1beb clk: qcom: Add support to be able to slew PLL
1081738 I10a788726358c56df9bfe11f2332e3823d7cd332 ARM: dts: msm: Enable auto GM for WLED in pmicobalt
1077726 I031ca48f0e0c39f1b2cb51081ecd55b086fb4c9b msm: mdss: fix pp timeout during transition from LP1 to
1074985 Ib2268181a617c23d62b5b6f857be5327113b2a67 soc: qcom: smem: Redesign smem memory architecture
1090708 I9cda84d1c199b72ce8b9e2997601bcc7430ddbf3 ARM: dts: msm: Update the console uart gpios for msmfalc
1080245 I3b4cf83e776750d993d53331142223109bf0862e clk: qcom: Add support for debugfs support
1087110 I3694952289c76394af8d40cd89fd2175f49ac127 msm: mdss: Add systrace for readptr_done
1089865 Ia73ab1ba51df7b501d246bb45141018409496d01 ARM: dts: msm: ensure contiguous MSI for PCIe on msmcoba
941978 Idee8691d769218d7e732c9b7f936a2c40946b239 Revert "scsi: ufs: stub UFS shutdown handler"
1091072 I7e9ada5de1f619c6a34a4b2e1764f5e908564ce5 iio: rradc: Update reading USBIN_V channel
1075082 I971e555ec8d02ccf4382e83132a696b065a8ff12 qseecom: improve error checks in qseecom_probe()
1080245 Ib67b3a3409c9e7d8adb710bb524f54f543abf712 clk: add/modify debugfs support for clocks
941978 Id499abc27303bfed72fab4d61abb872bad7d9043 scsi: ufs: error out all issued requests after shutdown
1083537 I73fc02b812f2e6694e2a6aa8bdad2381a5f19406 ASoC: msm: Fix sound card registration failure
1085331 I92e98ab46107fbcfd843898423b41716a204c2ae ARM: dts: msm: Correct interrupt assignments for msmcoba
1073250 Idc9ca896b3fe6c1c6a72a066a6e453d27a3173e8 Asoc: clean up bootup errors
1091147 I30b8488a1c19815601e6a1c5bcbdeed53715f8fa usb: phy: qusb: Make sure QUSB PHY is into proper state
1086292 I6482dc3d21fdc3e570fd53022e2fb9427668d939 msm: mdss: add null check before dereferencing src_fmt
1086292 I4812330453dedacd16dad1d920a2bacc3f67042b msm: mdss: fix race condition in dsi clk off request
1088709 I21e1c029e6b245cfa26a187b35bb1f6845302484 clk: msm: Add the CLKFLAG_NO_RATE_CACHE flag for MM cloc
1082112 I171c91e700c24ecc213ccda705bbe6188d22a43a scsi: ufs: fix sleep in atomic context
1091354 I9f928f0aad6af346de43965755beb039e422047a Revert "defconfig: msm: avoid compilation of MDSS DP dri
1090727 I78d2c27743d30b90a96e3d8df60859f67db7ddb8 ARM: dts: msm: Add ufs regulators for msmfalcon interpos
1090029 I66f6de42b106fa2027285e7393b6f9fc143d00d8 leds: qpnp-flash: Fix the mask in the flash prepare API
1089181 I4a382915a6c3a6b9d445ec1f5d57fb499a011f1a driver: thermal: msm_thermal: Enable Reliability algorit
1079438 Ib14c5b9121190dded5071ff60ecf0be8e5e5c232 ARM: dts: msm: Add physical dimensions for NT35597 panel
1060212 Iabe79bae5f9471c3c6128ed21efd04de00739daa leds: qpnp-flash-v2: Add support for thermal derate feat
1091127 I7220ad565212c325514301e4c59415b807deb99a ARM: dts: msm: Add gladiator support on msmfalcon and ms
1091440 I0eb8b9a357f172984612175d1b03dd872df91b6f diag: Call diagmem_exit only if the mempool is initializ
1090076 Ia85688854f26fe871d5c1253c2d51d75d84deb8f ARM: dts: msm: Add dummy regulator for LCDB bias
1064071 Ic0dedbad372fd9029b932dd99633a650049751ed msm: kgsl: Fix pagetable member of struct kgsl_memdesc
1083537 I3d2765535793d6ef9153cfcab4b44a9adad67e15 ASoC: msm: Add support for USB/WCN/TDM Audio
1091141 I6ce48512df5973bf8a2a3081a3a6f8759aeb499f ARM: dts: msm: Set USB core clock rate for USB2/USB3 for
1060212 Ie7a94f59e58b8f1b0816afda2496449694629205 leds: qpnp-flash-v2: add support to read pmic revid
1080701 If08ff46e72d537254e90707f28c849a86f262853 ARM: dts: msm: specify I2C configuration for msmfalcon
1079442 I822d6280b301b2db6194c845098c935e612ca61c ASoC: wcd934x: Fix adie loopback through sidetone src pa
1089895 Idc52737bc96097a9220dfe47bb76e94ff1026a05 rose: limit sk_filter trim to payload
1091147 Ibfecfe1846d02b959bd249acac3fe4c57b88aaf0 USB: phy: qusb: Turn on vdd along with 1p8/3p3 LDOs when
1090701 I0e06be169edc2eb1d35ef7fc6c41ff1809aebd03 pinctrl: qcom: msmfalcon: Update gpios as per latest gpi
1086292 I422d53d008223a9b0520f499e629f681bb6afa05 mdss: mdp: avoid panic if recovery handler is uninitiali
1060212 I42503ccd2b2dcc62c5c868132d202b9698c9d216 leds: qpnp-flash-v2: change from dev_*() to pr_*() for l
1090076 Ie828c8568ef09c89cff157d16d3cb322647b6f6e ARM: dts: msm: enable mdss power supplies for falcon tra
10748791074879108702010748791087020
2016-11-19 05:39:11 -07:00
Linux Build Service Account
599e3b8615
Merge "ASoC: msm: q6dspv2: fix potentional information leak"
2016-11-18 20:32:05 -08:00
Linux Build Service Account
0f4381183c
Merge "ASoC: wcd934x: Fix adie loopback through sidetone src path"
2016-11-18 20:32:05 -08:00
Linux Build Service Account
be8cb4023a
Merge "Asoc: clean up bootup errors"
2016-11-18 20:32:04 -08:00
Linux Build Service Account
ea9a78c52a
Merge "Revert "defconfig: msm: avoid compilation of MDSS DP driver for 32-bit msmfalcon""
2016-11-18 20:32:03 -08:00
Linux Build Service Account
e9719c4157
Merge "ARM: dts: msm: Add support for USB device for msmfalcon and msmtriton"
2016-11-18 20:32:02 -08:00
Linux Build Service Account
b2c7e8b303
Merge "ARM: dts: msm: enable mdss power supplies for falcon track3"
2016-11-18 20:32:01 -08:00
Linux Build Service Account
38553d1c06
Merge "usb: pd: Don't suspend charging unless changing voltages"
2016-11-18 20:32:00 -08:00
Linux Build Service Account
2003828449
Merge "iio: rradc: Update reading USBIN_V channel"
2016-11-18 20:32:00 -08:00
Linux Build Service Account
609853f219
Merge "icnss: Reset mpm_wcssaon_config bits before top level reset"
2016-11-18 20:31:59 -08:00
Linux Build Service Account
6dfb1148cd
Merge "qcom-charger: smb2: Disable try.SINK mode in the probe"
2016-11-18 20:31:58 -08:00
Linux Build Service Account
f6087edb1c
Merge "msm: ipa3: header file change for wdi-stats"
2016-11-18 20:31:57 -08:00
Linux Build Service Account
254513bc2a
Merge "ARM: dts: msm: Set USB core clock rate for USB2/USB3 for msm8996"
2016-11-18 20:31:56 -08:00
Linux Build Service Account
2966690a35
Merge "ARM: dts: msm: Add gladiator support on msmfalcon and msmtriton"
2016-11-18 20:31:55 -08:00
Linux Build Service Account
1dd78d6f6c
Merge "ARM: dts: msm: Correct interrupt assignments for msmcobalt"
2016-11-18 20:31:55 -08:00
Linux Build Service Account
f6b3ab0e32
Merge "clk: qcom: Add support for RCGs with dynamic and fixed sources"
2016-11-18 20:31:54 -08:00
Linux Build Service Account
43c797f34c
Merge "qcom-charger: WA for legacy bit set on hard reboot"
2016-11-18 20:31:53 -08:00
Linux Build Service Account
bf9bb2a461
Merge "usb: phy: qusb: Make sure QUSB PHY is into proper state"
2016-11-18 20:31:52 -08:00
Linux Build Service Account
ca52fb4ff7
Merge "USB: phy: qusb: Turn on vdd along with 1p8/3p3 LDOs when PMI requests"
2016-11-18 20:31:52 -08:00
Linux Build Service Account
ebe82ef7e9
Merge "soc: qcom: smem: Redesign smem memory architecture"
2016-11-18 20:31:51 -08:00
Linux Build Service Account
b5bbeae208
Merge "ARM: dts: msm: Update the console uart gpios for msmfalcon"
2016-11-18 20:31:50 -08:00
Linux Build Service Account
3e919fe874
Merge "msm: mdss: move warnings and errors out of mdss spinlock"
2016-11-18 20:31:49 -08:00
Linux Build Service Account
f6a461edb6
Merge "msm: mdss: fix pp timeout during transition from LP1 to power on"
2016-11-18 20:31:49 -08:00
Linux Build Service Account
c9c246439d
Merge "msm: mdss: fix autorefresh disable during handoff"
2016-11-18 20:31:48 -08:00
Linux Build Service Account
9ce677c421
Merge "ASoC: wcd-mbhc: correct cross connection check"
2016-11-18 20:31:45 -08:00
Nick Desaulniers
3b5cf91f45
cgroup: prefer %pK to %p
...
Prevents leaking kernel pointers when using kptr_restrict.
Bug: 30149174
Change-Id: I0fa3cd8d4a0d9ea76d085bba6020f1eda073c09b
Git-repo: https://android.googlesource.com/kernel/msm.git
Git-commit: 505e48f32f1321ed7cf80d49dd5f31b16da445a8
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 17:08:58 -08:00
Phil Turnbull
5488bec236
netfilter: nfnetlink: correctly validate length of batch messages
...
If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.
The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
NLMSG_HDRLEN' which bypasses the length validation and will later
trigger an out-of-bound read.
If the length validation does fail then the malformed batch message is
copied back to userspace. However, we cannot do this because the
nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
netlink_ack:
[ 41.455421] ==================================================================
[ 41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
[ 41.456431] Read of size 4294967280 by task a.out/987
[ 41.456431] =============================================================================
[ 41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
[ 41.456431] -----------------------------------------------------------------------------
...
[ 41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00 ................
[ 41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00 ...............
[ 41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05 .......@EV."3...
[ 41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb ................
^^ start of batch nlmsg with
nlmsg_len=4294967280
...
[ 41.456431] Memory state around the buggy address:
[ 41.456431] ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ^
[ 41.456431] ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 41.456431] ==================================================================
Fix this with better validation of nlh->nlmsg_len and by setting
NFNL_BATCH_FAILURE if any batch message fails length validation.
CAP_NET_ADMIN is required to trigger the bugs.
Fixes: 9ea2aa8b7dhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: c58d6c93680f28ac58984af61d0a7ebf4319c241
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 17:05:18 -08:00
Benjamin Tissoires
a10d83024d
HID: core: prevent out-of-bound readings
...
Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.
The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.
Change-Id: I3b04131079a27f0b1cd60df03c793e8d9ffe5e91
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 50220dead1650609206efe91f0cc116132d59b3f
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:59:58 -08:00
Peter Hurley
d62ea94957
tty: Prevent ldisc drivers from re-using stale tty fields
...
Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].
Harden the ldisc interface against misuse by initializing revelant
tty fields before instancing the new line discipline.
[1]
commit fd98e9419dhttps://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: dd42bf1197144ede075a9d4793123f7689e164bc
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:57:49 -08:00
Mauro Carvalho Chehab
694339fd33
[media] xc2028: avoid use after free
...
If struct xc2028_config is passed without a firmware name,
the following trouble may happen:
[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G W ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------
[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012] ___slab_alloc+0x581/0x5b0
[11009.908014] __slab_alloc+0x51/0x90
[11009.908017] __kmalloc+0x27b/0x350
[11009.908022] xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026] usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029] usb_submit_urb+0xb0e/0x1200
[11009.908032] usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035] usb_serial_generic_write+0x92/0xc0
[11009.908039] usb_console_write+0x38a/0x560
[11009.908045] call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051] console_unlock+0x40d/0x900
[11009.908056] vprintk_emit+0x4b4/0x830
[11009.908061] vprintk_default+0x1f/0x30
[11009.908064] printk+0x99/0xb5
[11009.908067] kasan_report_error+0x10a/0x550
[11009.908070] __asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077] __slab_free+0x2ec/0x460
[11009.908080] kfree+0x266/0x280
[11009.908083] xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108] do_one_initcall+0x141/0x300
[11009.908111] do_init_module+0x1d0/0x5ad
[11009.908114] load_module+0x6666/0x9ba0
[11009.908117] SyS_finit_module+0x108/0x130
[11009.908120] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001
[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00 ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G B W 4.5.0-rc1+ #43
[11009.908140] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142] ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148] ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153] ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162] [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165] [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168] [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171] [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182] [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185] [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189] [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192] [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196] [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200] [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203] [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206] [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211] [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215] [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219] [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222] [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226] [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230] [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233] [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238] [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242] [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245] [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249] [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253] [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260] [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264] [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268] [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275] [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278] [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292] [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299] [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302] [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306] [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309] [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314] [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317] [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320] [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324] [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327] [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330] [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346] [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350] [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353] [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356] [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361] [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366] [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369] [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374] [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377] [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379] [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383] [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394] [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398] ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401] ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405] ^
[11009.908407] ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409] ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================
In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.
Change-Id: I24f0958f97ca04916b8c6845f3122732e1928e6c
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:49:49 -08:00
Omar Sandoval
f1c3024e5d
block: fix use-after-free in sys_ioprio_get()
...
get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:
int main(int argc, char **argv)
{
pid_t pid, child;
long nproc, i;
/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
syscall(SYS_ioprio_set, 1, 0, 0x6000);
nproc = sysconf(_SC_NPROCESSORS_ONLN);
for (i = 0; i < nproc; i++) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
_exit(0);
} else {
child = wait(NULL);
assert(child == pid);
}
}
}
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}
}
}
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}
return 0;
}
This gets us KASAN dumps like this:
[ 35.526914] ==================================================================
[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[ 35.530009] Read of size 2 by task ioprio-gpf/363
[ 35.530009] =============================================================================
[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[ 35.530009] -----------------------------------------------------------------------------
[ 35.530009] Disabling lock debugging due to kernel taint
[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[ 35.530009] ___slab_alloc+0x55d/0x5a0
[ 35.530009] __slab_alloc.isra.20+0x2b/0x40
[ 35.530009] kmem_cache_alloc_node+0x84/0x200
[ 35.530009] create_task_io_context+0x2b/0x370
[ 35.530009] get_task_io_context+0x92/0xb0
[ 35.530009] copy_process.part.8+0x5029/0x5660
[ 35.530009] _do_fork+0x155/0x7e0
[ 35.530009] SyS_clone+0x19/0x20
[ 35.530009] do_syscall_64+0x195/0x3a0
[ 35.530009] return_from_SYSCALL_64+0x0/0x6a
[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[ 35.530009] __slab_free+0x27b/0x3d0
[ 35.530009] kmem_cache_free+0x1fb/0x220
[ 35.530009] put_io_context+0xe7/0x120
[ 35.530009] put_io_context_active+0x238/0x380
[ 35.530009] exit_io_context+0x66/0x80
[ 35.530009] do_exit+0x158e/0x2b90
[ 35.530009] do_group_exit+0xe5/0x2b0
[ 35.530009] SyS_exit_group+0x1d/0x20
[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4
[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[ 35.530009] ==================================================================
Fix it by grabbing the task lock while we poke at the io_context.
Change-Id: I02fda1eb5173f5cf4db999147c623720892da529
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 8ba8682107ee2ca3347354e018865d8e1967c5f4
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:45:13 -08:00
Eric Dumazet
29c1418082
tcp: fix use after free in tcp_xmit_retransmit_queue()
...
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Change-Id: Iba5975e360eb2b2729b6f958b7cb00bfc469e51b
Fixes: 6859d49475https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: bb1fceca22492109be12640d49f5ea5a544c6bb4
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:41:19 -08:00
Vegard Nossum
44e1cd2173
block: fix use-after-free in seq file
...
I got a KASAN report of use-after-free:
==================================================================
BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
Read of size 8 by task trinity-c1/315
=============================================================================
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
___slab_alloc+0x4f1/0x520
__slab_alloc.isra.58+0x56/0x80
kmem_cache_alloc_trace+0x260/0x2a0
disk_seqf_start+0x66/0x110
traverse+0x176/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
__slab_free+0x17a/0x2c0
kfree+0x20a/0x220
disk_seqf_stop+0x42/0x50
traverse+0x3b5/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
Call Trace:
[<ffffffff81d6ce81>] dump_stack+0x65/0x84
[<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
[<ffffffff814704ff>] object_err+0x2f/0x40
[<ffffffff814754d1>] kasan_report_error+0x221/0x520
[<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
[<ffffffff83888161>] klist_iter_exit+0x61/0x70
[<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
[<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
[<ffffffff8151f812>] seq_read+0x4b2/0x11a0
[<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
[<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
[<ffffffff814b4c45>] do_readv_writev+0x565/0x660
[<ffffffff814b8a17>] vfs_readv+0x67/0xa0
[<ffffffff814b8de6>] do_preadv+0x126/0x170
[<ffffffff814b92ec>] SyS_preadv+0xc/0x10
This problem can occur in the following situation:
open()
- pread()
- .seq_start()
- iter = kmalloc() // succeeds
- seqf->private = iter
- .seq_stop()
- kfree(seqf->private)
- pread()
- .seq_start()
- iter = kmalloc() // fails
- .seq_stop()
- class_dev_iter_exit(seqf->private) // boom! old pointer
As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.
An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.
Change-Id: Ia3c791c6cf81a6c156561106230cbf5e8dfad0bc
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 77da160530dd1dc94f6ae15a981f24e5f0021e84
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:39:10 -08:00
Vijayavardhan Vennapusa
beafbd43d5
USB: gagget: f_fs: Return error if TX req is queued during device offline
...
when USB cable is disconnected during TX data transfers, endpoints will
be disabled during function disable. If userspace client tries to queue
requests on disabled endpoints, driver will wait till endpoints are
enabled and then queues previous session requests. This results in kernel
driver and userspace driver out of sync and due to this, stall will be
seen. Hence fix this issue by returning error value if client tries to
queue requests on TX endpoint during device offline.
CRs-Fixed: 633497
Change-Id: I3e43b8a704367aff7fe8dd88159315aef811c51c
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
2016-11-18 16:09:57 -08:00
Service qcabuildsw
42939d0685
Merge "msm: wlan: update regulatory database" into msm-4.4
2016-11-18 15:41:21 -08:00
Ashay Jaiswal
206b28bea6
ARM: dts: msm: add charger/fg device nodes for PMFALCON
...
Add charger/FG device nodes along with the necessary
configuration.
Keep all these nodes disabled for simulator/RUMI platform.
CRs-fixed: 1091731
Change-Id: I9c751d777d8402cdea3cdfb27da1a19a98a250e2
Signed-off-by: Ashay Jaiswal <ashayj@codeaurora.org>
2016-11-18 18:49:03 +05:30
Johannes Berg
3b64a0127c
cfg80211: validate beacon int as part of iface combinations
...
Remove the pointless checking against interface combinations in
the initial basic beacon interval validation, that currently isn't
taking into account radar detection or channels properly. Instead,
just validate the basic range there, and then delay real checking
to the interface combination validation that drivers must do.
This means that drivers wanting to use the beacon_int_min_gcd will
now have to pass the new_beacon_int when validating the AP/mesh
start.
CRs-Fixed: 1087922
Change-Id: Iec536bcdf4ed95e3d796324fd8bf5df259b340b0
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 4c8dea638c16141adb046fd2e0cab51dfe43650c
[liord@codeaurora.org: Fix conflicts]
Signed-off-by: Lior David <liord@codeaurora.org>
2016-11-18 14:16:44 +02:00
Johannes Berg
54afc7997e
cfg80211: fix beacon interval in interface combination iteration
...
We shouldn't abort the iteration with an error when one of the
potential combinations can't accomodate the beacon interval
request, we should just skip that particular combination. Fix
the code to do so.
CRs-Fixed: 1087922
Change-Id: Ib1ae7221291b8176d61d58e756a3814c80d98d27
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 0507a3ac6e98f50583912ec78d07c2e4daaf2b28
[liord@codeaurora.org: cherry-pick without changes]
Signed-off-by: Lior David <liord@codeaurora.org>
2016-11-18 14:15:29 +02:00
Purushottam Kushwaha
9a27bdb53f
cfg80211: identically validate beacon interval for AP/MESH/IBSS
...
Beacon interval interface combinations validation was missing
for MESH/IBSS join, add those.
Johannes: also move the beacon interval check disallowing really
tiny and really big intervals into the common function, which
adds it for AP mode.
CRs-Fixed: 1087922
Change-Id: I282300533dcd80f65c9ba366246d028a6130ffff
Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 12d20fc9186a742d40e824f575df5aa62be31d69
[liord@codeaurora.org: fix conflicts and trivial compile errors]
Signed-off-by: Lior David <liord@codeaurora.org>
2016-11-18 14:13:42 +02:00
Linux Build Service Account
2f088241d7
Merge "msm: kgsl: Make sure USE_CPU_MAP + MAP_USER_MEM work together"
2016-11-18 01:55:04 -08:00
Linux Build Service Account
efcb7b1d55
Merge "msm: kgsl: Fix pagetable member of struct kgsl_memdesc"
2016-11-18 01:55:03 -08:00
Linux Build Service Account
c10fa02a2e
Merge "ARM: dts: msm: Enable auto GM for WLED in pmicobalt"
2016-11-18 01:55:01 -08:00
Linux Build Service Account
7ee7f710ec
Merge "leds: qpnp-wled: Add support to configure auto PFM for pmicobalt"
2016-11-18 01:55:01 -08:00
Linux Build Service Account
a708ddf420
Merge "msm: ipa3: linearize large skbs"
2016-11-18 01:55:00 -08:00
Linux Build Service Account
dc3c5f14a2
Merge "msm: mdss: hide additional kernel addresses from unprivileged users"
2016-11-18 01:54:59 -08:00
Linux Build Service Account
6f4c99dfce
Merge "ASoC: msm: Fix sound card registration failure"
2016-11-18 01:54:58 -08:00
Linux Build Service Account
b140cb0936
Merge "msm: sde: remove secure camera ctrl_id definition"
2016-11-18 01:54:57 -08:00
Linux Build Service Account
0bdfb6133f
Merge "ARM: dts: msm: Add ufs regulators for msmfalcon interposer"
2016-11-18 01:54:57 -08:00
Linux Build Service Account
072148d62f
Merge "usb: pd: Stop processing SVDM if handler found"
2016-11-18 01:54:56 -08:00
Linux Build Service Account
54e5bae2ed
Merge "sched/hmp: Enhance co-location and scheduler boost features"
2016-11-18 01:54:54 -08:00
