Linux Build Service Account
f6b3ab0e32
Merge "clk: qcom: Add support for RCGs with dynamic and fixed sources"
2016-11-18 20:31:54 -08:00
Linux Build Service Account
43c797f34c
Merge "qcom-charger: WA for legacy bit set on hard reboot"
2016-11-18 20:31:53 -08:00
Linux Build Service Account
bf9bb2a461
Merge "usb: phy: qusb: Make sure QUSB PHY is into proper state"
2016-11-18 20:31:52 -08:00
Linux Build Service Account
ca52fb4ff7
Merge "USB: phy: qusb: Turn on vdd along with 1p8/3p3 LDOs when PMI requests"
2016-11-18 20:31:52 -08:00
Linux Build Service Account
ebe82ef7e9
Merge "soc: qcom: smem: Redesign smem memory architecture"
2016-11-18 20:31:51 -08:00
Linux Build Service Account
b5bbeae208
Merge "ARM: dts: msm: Update the console uart gpios for msmfalcon"
2016-11-18 20:31:50 -08:00
Linux Build Service Account
3e919fe874
Merge "msm: mdss: move warnings and errors out of mdss spinlock"
2016-11-18 20:31:49 -08:00
Linux Build Service Account
f6a461edb6
Merge "msm: mdss: fix pp timeout during transition from LP1 to power on"
2016-11-18 20:31:49 -08:00
Linux Build Service Account
c9c246439d
Merge "msm: mdss: fix autorefresh disable during handoff"
2016-11-18 20:31:48 -08:00
Linux Build Service Account
9ce677c421
Merge "ASoC: wcd-mbhc: correct cross connection check"
2016-11-18 20:31:45 -08:00
Nick Desaulniers
3b5cf91f45
cgroup: prefer %pK to %p
...
Prevents leaking kernel pointers when using kptr_restrict.
Bug: 30149174
Change-Id: I0fa3cd8d4a0d9ea76d085bba6020f1eda073c09b
Git-repo: https://android.googlesource.com/kernel/msm.git
Git-commit: 505e48f32f1321ed7cf80d49dd5f31b16da445a8
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 17:08:58 -08:00
Phil Turnbull
5488bec236
netfilter: nfnetlink: correctly validate length of batch messages
...
If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.
The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
NLMSG_HDRLEN' which bypasses the length validation and will later
trigger an out-of-bound read.
If the length validation does fail then the malformed batch message is
copied back to userspace. However, we cannot do this because the
nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
netlink_ack:
[ 41.455421] ==================================================================
[ 41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
[ 41.456431] Read of size 4294967280 by task a.out/987
[ 41.456431] =============================================================================
[ 41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
[ 41.456431] -----------------------------------------------------------------------------
...
[ 41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00 ................
[ 41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00 ...............
[ 41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05 .......@EV."3...
[ 41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb ................
^^ start of batch nlmsg with
nlmsg_len=4294967280
...
[ 41.456431] Memory state around the buggy address:
[ 41.456431] ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ^
[ 41.456431] ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 41.456431] ==================================================================
Fix this with better validation of nlh->nlmsg_len and by setting
NFNL_BATCH_FAILURE if any batch message fails length validation.
CAP_NET_ADMIN is required to trigger the bugs.
Fixes: 9ea2aa8b7dhttps://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: c58d6c93680f28ac58984af61d0a7ebf4319c241
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 17:05:18 -08:00
Benjamin Tissoires
a10d83024d
HID: core: prevent out-of-bound readings
...
Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.
The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.
Change-Id: I3b04131079a27f0b1cd60df03c793e8d9ffe5e91
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 50220dead1650609206efe91f0cc116132d59b3f
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:59:58 -08:00
Peter Hurley
d62ea94957
tty: Prevent ldisc drivers from re-using stale tty fields
...
Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].
Harden the ldisc interface against misuse by initializing revelant
tty fields before instancing the new line discipline.
[1]
commit fd98e9419dhttps://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: dd42bf1197144ede075a9d4793123f7689e164bc
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:57:49 -08:00
Mauro Carvalho Chehab
694339fd33
[media] xc2028: avoid use after free
...
If struct xc2028_config is passed without a firmware name,
the following trouble may happen:
[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G W ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------
[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012] ___slab_alloc+0x581/0x5b0
[11009.908014] __slab_alloc+0x51/0x90
[11009.908017] __kmalloc+0x27b/0x350
[11009.908022] xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026] usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029] usb_submit_urb+0xb0e/0x1200
[11009.908032] usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035] usb_serial_generic_write+0x92/0xc0
[11009.908039] usb_console_write+0x38a/0x560
[11009.908045] call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051] console_unlock+0x40d/0x900
[11009.908056] vprintk_emit+0x4b4/0x830
[11009.908061] vprintk_default+0x1f/0x30
[11009.908064] printk+0x99/0xb5
[11009.908067] kasan_report_error+0x10a/0x550
[11009.908070] __asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077] __slab_free+0x2ec/0x460
[11009.908080] kfree+0x266/0x280
[11009.908083] xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108] do_one_initcall+0x141/0x300
[11009.908111] do_init_module+0x1d0/0x5ad
[11009.908114] load_module+0x6666/0x9ba0
[11009.908117] SyS_finit_module+0x108/0x130
[11009.908120] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001
[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00 ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G B W 4.5.0-rc1+ #43
[11009.908140] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142] ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148] ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153] ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162] [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165] [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168] [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171] [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182] [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185] [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189] [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192] [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196] [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200] [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203] [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206] [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211] [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215] [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219] [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222] [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226] [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230] [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233] [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238] [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242] [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245] [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249] [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253] [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260] [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264] [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268] [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275] [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278] [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292] [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299] [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302] [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306] [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309] [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314] [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317] [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320] [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324] [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327] [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330] [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346] [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350] [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353] [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356] [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361] [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366] [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369] [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374] [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377] [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379] [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383] [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394] [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398] ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401] ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405] ^
[11009.908407] ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409] ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================
In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.
Change-Id: I24f0958f97ca04916b8c6845f3122732e1928e6c
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:49:49 -08:00
Omar Sandoval
f1c3024e5d
block: fix use-after-free in sys_ioprio_get()
...
get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:
int main(int argc, char **argv)
{
pid_t pid, child;
long nproc, i;
/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
syscall(SYS_ioprio_set, 1, 0, 0x6000);
nproc = sysconf(_SC_NPROCESSORS_ONLN);
for (i = 0; i < nproc; i++) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
_exit(0);
} else {
child = wait(NULL);
assert(child == pid);
}
}
}
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}
}
}
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}
return 0;
}
This gets us KASAN dumps like this:
[ 35.526914] ==================================================================
[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[ 35.530009] Read of size 2 by task ioprio-gpf/363
[ 35.530009] =============================================================================
[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[ 35.530009] -----------------------------------------------------------------------------
[ 35.530009] Disabling lock debugging due to kernel taint
[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[ 35.530009] ___slab_alloc+0x55d/0x5a0
[ 35.530009] __slab_alloc.isra.20+0x2b/0x40
[ 35.530009] kmem_cache_alloc_node+0x84/0x200
[ 35.530009] create_task_io_context+0x2b/0x370
[ 35.530009] get_task_io_context+0x92/0xb0
[ 35.530009] copy_process.part.8+0x5029/0x5660
[ 35.530009] _do_fork+0x155/0x7e0
[ 35.530009] SyS_clone+0x19/0x20
[ 35.530009] do_syscall_64+0x195/0x3a0
[ 35.530009] return_from_SYSCALL_64+0x0/0x6a
[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[ 35.530009] __slab_free+0x27b/0x3d0
[ 35.530009] kmem_cache_free+0x1fb/0x220
[ 35.530009] put_io_context+0xe7/0x120
[ 35.530009] put_io_context_active+0x238/0x380
[ 35.530009] exit_io_context+0x66/0x80
[ 35.530009] do_exit+0x158e/0x2b90
[ 35.530009] do_group_exit+0xe5/0x2b0
[ 35.530009] SyS_exit_group+0x1d/0x20
[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4
[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[ 35.530009] ==================================================================
Fix it by grabbing the task lock while we poke at the io_context.
Change-Id: I02fda1eb5173f5cf4db999147c623720892da529
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 8ba8682107ee2ca3347354e018865d8e1967c5f4
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:45:13 -08:00
Eric Dumazet
29c1418082
tcp: fix use after free in tcp_xmit_retransmit_queue()
...
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Change-Id: Iba5975e360eb2b2729b6f958b7cb00bfc469e51b
Fixes: 6859d49475https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: bb1fceca22492109be12640d49f5ea5a544c6bb4
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:41:19 -08:00
Vegard Nossum
44e1cd2173
block: fix use-after-free in seq file
...
I got a KASAN report of use-after-free:
==================================================================
BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
Read of size 8 by task trinity-c1/315
=============================================================================
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
___slab_alloc+0x4f1/0x520
__slab_alloc.isra.58+0x56/0x80
kmem_cache_alloc_trace+0x260/0x2a0
disk_seqf_start+0x66/0x110
traverse+0x176/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
__slab_free+0x17a/0x2c0
kfree+0x20a/0x220
disk_seqf_stop+0x42/0x50
traverse+0x3b5/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
Call Trace:
[<ffffffff81d6ce81>] dump_stack+0x65/0x84
[<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
[<ffffffff814704ff>] object_err+0x2f/0x40
[<ffffffff814754d1>] kasan_report_error+0x221/0x520
[<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
[<ffffffff83888161>] klist_iter_exit+0x61/0x70
[<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
[<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
[<ffffffff8151f812>] seq_read+0x4b2/0x11a0
[<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
[<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
[<ffffffff814b4c45>] do_readv_writev+0x565/0x660
[<ffffffff814b8a17>] vfs_readv+0x67/0xa0
[<ffffffff814b8de6>] do_preadv+0x126/0x170
[<ffffffff814b92ec>] SyS_preadv+0xc/0x10
This problem can occur in the following situation:
open()
- pread()
- .seq_start()
- iter = kmalloc() // succeeds
- seqf->private = iter
- .seq_stop()
- kfree(seqf->private)
- pread()
- .seq_start()
- iter = kmalloc() // fails
- .seq_stop()
- class_dev_iter_exit(seqf->private) // boom! old pointer
As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.
An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.
Change-Id: Ia3c791c6cf81a6c156561106230cbf5e8dfad0bc
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 77da160530dd1dc94f6ae15a981f24e5f0021e84
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:39:10 -08:00
Vijayavardhan Vennapusa
beafbd43d5
USB: gagget: f_fs: Return error if TX req is queued during device offline
...
when USB cable is disconnected during TX data transfers, endpoints will
be disabled during function disable. If userspace client tries to queue
requests on disabled endpoints, driver will wait till endpoints are
enabled and then queues previous session requests. This results in kernel
driver and userspace driver out of sync and due to this, stall will be
seen. Hence fix this issue by returning error value if client tries to
queue requests on TX endpoint during device offline.
CRs-Fixed: 633497
Change-Id: I3e43b8a704367aff7fe8dd88159315aef811c51c
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
2016-11-18 16:09:57 -08:00
Service qcabuildsw
42939d0685
Merge "msm: wlan: update regulatory database" into msm-4.4
2016-11-18 15:41:21 -08:00
Ashay Jaiswal
206b28bea6
ARM: dts: msm: add charger/fg device nodes for PMFALCON
...
Add charger/FG device nodes along with the necessary
configuration.
Keep all these nodes disabled for simulator/RUMI platform.
CRs-fixed: 1091731
Change-Id: I9c751d777d8402cdea3cdfb27da1a19a98a250e2
Signed-off-by: Ashay Jaiswal <ashayj@codeaurora.org>
2016-11-18 18:49:03 +05:30
Johannes Berg
3b64a0127c
cfg80211: validate beacon int as part of iface combinations
...
Remove the pointless checking against interface combinations in
the initial basic beacon interval validation, that currently isn't
taking into account radar detection or channels properly. Instead,
just validate the basic range there, and then delay real checking
to the interface combination validation that drivers must do.
This means that drivers wanting to use the beacon_int_min_gcd will
now have to pass the new_beacon_int when validating the AP/mesh
start.
CRs-Fixed: 1087922
Change-Id: Iec536bcdf4ed95e3d796324fd8bf5df259b340b0
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 4c8dea638c16141adb046fd2e0cab51dfe43650c
[liord@codeaurora.org: Fix conflicts]
Signed-off-by: Lior David <liord@codeaurora.org>
2016-11-18 14:16:44 +02:00
Johannes Berg
54afc7997e
cfg80211: fix beacon interval in interface combination iteration
...
We shouldn't abort the iteration with an error when one of the
potential combinations can't accomodate the beacon interval
request, we should just skip that particular combination. Fix
the code to do so.
CRs-Fixed: 1087922
Change-Id: Ib1ae7221291b8176d61d58e756a3814c80d98d27
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 0507a3ac6e98f50583912ec78d07c2e4daaf2b28
[liord@codeaurora.org: cherry-pick without changes]
Signed-off-by: Lior David <liord@codeaurora.org>
2016-11-18 14:15:29 +02:00
Purushottam Kushwaha
9a27bdb53f
cfg80211: identically validate beacon interval for AP/MESH/IBSS
...
Beacon interval interface combinations validation was missing
for MESH/IBSS join, add those.
Johannes: also move the beacon interval check disallowing really
tiny and really big intervals into the common function, which
adds it for AP mode.
CRs-Fixed: 1087922
Change-Id: I282300533dcd80f65c9ba366246d028a6130ffff
Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 12d20fc9186a742d40e824f575df5aa62be31d69
[liord@codeaurora.org: fix conflicts and trivial compile errors]
Signed-off-by: Lior David <liord@codeaurora.org>
2016-11-18 14:13:42 +02:00
Linux Build Service Account
2f088241d7
Merge "msm: kgsl: Make sure USE_CPU_MAP + MAP_USER_MEM work together"
2016-11-18 01:55:04 -08:00
Linux Build Service Account
efcb7b1d55
Merge "msm: kgsl: Fix pagetable member of struct kgsl_memdesc"
2016-11-18 01:55:03 -08:00
Linux Build Service Account
c10fa02a2e
Merge "ARM: dts: msm: Enable auto GM for WLED in pmicobalt"
2016-11-18 01:55:01 -08:00
Linux Build Service Account
7ee7f710ec
Merge "leds: qpnp-wled: Add support to configure auto PFM for pmicobalt"
2016-11-18 01:55:01 -08:00
Linux Build Service Account
a708ddf420
Merge "msm: ipa3: linearize large skbs"
2016-11-18 01:55:00 -08:00
Linux Build Service Account
dc3c5f14a2
Merge "msm: mdss: hide additional kernel addresses from unprivileged users"
2016-11-18 01:54:59 -08:00
Linux Build Service Account
6f4c99dfce
Merge "ASoC: msm: Fix sound card registration failure"
2016-11-18 01:54:58 -08:00
Linux Build Service Account
b140cb0936
Merge "msm: sde: remove secure camera ctrl_id definition"
2016-11-18 01:54:57 -08:00
Linux Build Service Account
0bdfb6133f
Merge "ARM: dts: msm: Add ufs regulators for msmfalcon interposer"
2016-11-18 01:54:57 -08:00
Linux Build Service Account
072148d62f
Merge "usb: pd: Stop processing SVDM if handler found"
2016-11-18 01:54:56 -08:00
Linux Build Service Account
54e5bae2ed
Merge "sched/hmp: Enhance co-location and scheduler boost features"
2016-11-18 01:54:54 -08:00
Linux Build Service Account
d1a64e4014
Merge "USB: Allow skipping device resume during system resume"
2016-11-18 01:54:53 -08:00
Linux Build Service Account
a8277a5b93
Merge "clk: msm: Add the CLKFLAG_NO_RATE_CACHE flag for MM clocks on MSM COBALT"
2016-11-18 01:54:52 -08:00
Linux Build Service Account
69fe3ef296
Merge "clk: qcom: Add support to be able to slew PLL"
2016-11-18 01:54:52 -08:00
Linux Build Service Account
73542728de
Merge "qseecom: improve error checks in qseecom_probe()"
2016-11-18 01:54:51 -08:00
Linux Build Service Account
473a3d597b
Merge "msm: mdss: Add systrace for readptr_done"
2016-11-18 01:54:50 -08:00
Linux Build Service Account
54f38dfe87
Merge "ARM: dts: msm: Add physical dimensions for NT35597 panel"
2016-11-18 01:54:49 -08:00
Linux Build Service Account
2ddc39e634
Merge "msm: mdss: fix incorrect mutex unlocking during NOTIFY_UPDATE_STOP"
2016-11-18 01:54:48 -08:00
Linux Build Service Account
db18e6f95e
Merge "msm: mdss: fix race condition in dsi clk off request"
2016-11-18 01:54:46 -08:00
Linux Build Service Account
07d79c7409
Merge "ARM: dts: msm: specify I2C configuration for msmfalcon"
2016-11-18 01:54:45 -08:00
Linux Build Service Account
24adf86dfa
Merge "ARM: dts: msm: specify UART configuration on msmfalcon."
2016-11-18 01:54:45 -08:00
Linux Build Service Account
0956d6dd49
Merge "clk: qcom: Add support for debugfs support"
2016-11-18 01:54:43 -08:00
Linux Build Service Account
5d4d0ab7a7
Merge "clk: Add support to allow client to print all enabled clocks"
2016-11-18 01:54:42 -08:00
Linux Build Service Account
29674d7418
Merge "scsi: ufs: enable auto hibern8 only after device initialization"
2016-11-18 01:54:41 -08:00
Linux Build Service Account
0f04e7c48a
Merge "scsi: ufs: fix sleep in atomic context"
2016-11-18 01:54:40 -08:00
Linux Build Service Account
94410a85f4
Merge "phy: qcom-ufs: update ufs phy 1-lane settings"
2016-11-18 01:54:36 -08:00
