An munmap() on a binder device causes binder_vma_close() to be called
which clears the alloc->vma pointer.
If direct reclaim causes binder_alloc_free_page() to be called, there
is a race where alloc->vma is read into a local vma pointer and then
used later after the mm->mmap_sem is acquired. This can result in
calling zap_page_range() with an invalid vma which manifests as a
use-after-free in zap_page_range().
The fix is to check alloc->vma after acquiring the mmap_sem (which we
were acquiring anyway) and bail out of binder_alloc_free_page() if it
has changed to NULL.
Change-Id: I9ea0558a57635a747d7a48ed35991d39b860abf6
Signed-off-by: Todd Kjos <tkjos@google.com>
(cherry picked from commit 7257eac9401f989a62503b6c12a47af1b10591d1)
commit 7bada55ab50697861eee6bb7d60b41e68a961a9c upstream
Malicious code can attempt to free buffers using the BC_FREE_BUFFER
ioctl to binder. There are protections against a user freeing a buffer
while in use by the kernel, however there was a window where
BC_FREE_BUFFER could be used to free a recently allocated buffer that
was not completely initialized. This resulted in a use-after-free
detected by KASAN with a malicious test program.
This window is closed by setting the buffer's allow_user_free attribute
to 0 when the buffer is allocated or when the user has previously freed
it instead of waiting for the caller to set it. The problem was that
when the struct buffer was recycled, allow_user_free was stale and set
to 1 allowing a free to go through.
Bug: 116855682
Change-Id: I0b38089f6fdb1adbf7e1102747e4119c9a05b191
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c3d21ec4d4fb68baf47248dfe0e0ce0080fd7bcc)
commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream.
If there an inode points to a block which is also some other type of
metadata block (such as a block allocation bitmap), the
buffer_verified flag can be set when it was validated as that other
metadata block type; however, it would make a really terrible external
attribute block. The reason why we use the verified flag is to avoid
constantly reverifying the block. However, it doesn't take much
overhead to make sure the magic number of the xattr block is correct,
and this will avoid potential crashes.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[Backported to 4.4: adjust context]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I06728150aefd0fffbdb6bd7cbce0858221ff6f74
(cherry picked from commit 62a28a64d87fbdce5c0a988b440a4ae6dd37b41e)
commit 8bc1379b82b8e809eef77a9fedbb75c6c297be19 upstream.
Use a separate journal transaction if it turns out that we need to
convert an inline file to use an data block. Otherwise we could end
up failing due to not having journal credits.
This addresses CVE-2018-10883.
https://bugzilla.kernel.org/show_bug.cgi?id=200071
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[fengc@google.com: 4.4 backport: adjust context]
Signed-off-by: Chenbo Feng <fengc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I75f040b4276587a6a234a6a53fd1d3d70be6ae09
(cherry picked from commit d49dc6f1d53479bca01900540a89639eea8b154e)
commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream.
In theory this should have been caught earlier when the xattr list was
verified, but in case it got missed, it's simple enough to add check
to make sure we don't overrun the xattr buffer.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[bwh: Backported to 3.16:
- Add inode parameter to ext4_xattr_set_entry() and update callers
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[adjusted for 4.4 context]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ife3baeba57d5e63e7745ee8d5f4b01c6e9de4bc6
(cherry picked from commit ff3692e264d5c34ca9a15ab995808f98d9f874a8)
input: tri-state-key: Fix trivial code style issue in IRQ handler
Change-Id: Ie1e9396cf4674586a68dbf606a1d51fbffeaaca4
Signed-off-by: Sultanxda <sultanxda@gmail.com>
input: tri-state-key: Use ffz() instead of find_first_zero_bit()
find_first_zero_bit() is intended for large bitmaps; ffz() is much faster
when only a single word needs to be searched through.
Change-Id: Ib81b742805489947164af96bb8603f6732d64e8b
Suggested-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Sultanxda <sultanxda@gmail.com>
input: tri-state-key: Clean up some code styling
Use a macro to store the number of states, reduce the curr_state member in
the struct to uint8_t (since it only needs to contain 3 bits), and use
find_first_zero_bit() instead of a loop to find the first zero bit.
Change-Id: I35f369dc30186ab95033a4d27b550a07e4dc2dd8
Suggested-by: Joel Porquet <joel@porquet.org>
Signed-off-by: Sultanxda <sultanxda@gmail.com>
input: tri-state-key: Rewrite and optimize
A driver for such a simple device shouldn't be so ugly. Clean it up and
optimize it in the process.
Summary of changes:
-Remove unneeded switch device
-Remove unused/unnecessary struct members
-Remove module references (this driver will always be built in)
-Utilize fixed loops and clever logic to eliminate significant amounts of
code duplication
-Remove unused pinctrl code
-Use a threaded interrupt handler
-Process interrupts directly in the threaded interrupt handler (which runs
with realtime priority) rather than a worker
-Read the initial switch state upon init (so userspace gets the correct
switch state upon boot)
-Refactor code wherever possible to make it cleaner
Note that although the procfs naming scheme is non-standard (i.e.
"keyCode_top" instead of "keycode_top"), the old naming scheme is retained
in order to maintain compatibility with userspace.
Change-Id: Ic2de6ddeb223aa7669d61c186be0b57a15e1488b
Signed-off-by: Sultanxda <sultanxda@gmail.com>
bfq-iosched was missing from the Makefile.
Test: Check /sys/block/sda/queue/scheduler. bfq now available.
Change-Id: I57407ef65aad9ef319d56b9338a3180fadc9053b
Due to improper type conversion compilation
issue will be seen. Made change to access the
appropriate type.
Change-Id: I54777fe71a2f29297b439ac26f80b9684222d89a
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Due to improper type conversion compilation
issue will be seen. Made change to access the
appropriate type.
Change-Id: I2c61364f0385c83aa304788cc705bf4ca48ac2cc
Signed-off-by: Meera Gande <mgande@codeaurora.org>
In db.txt, update ETSI1 and ETSI13 countries with NO-OUTDOOR flag
for frequency ranges: (5170 - 5250) and (5250 - 5330).
CRs-Fixed: 2379868
Change-Id: I8a9ce955e82b14814ead5f0bf118608ea90cbc53
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
The kernel buffer 'ubuf' can overflow while copying data to user
space in debugfs read functions. Fix it by limiting the length of
data to be copied to userspace.
Change-Id: Ibb3d8c4fb637ddc0e63677ec2dff14a4cf8c0c73
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
A fixed sink PDO request includes both operating current and
max current. Although the max current requested may be greater
than the available source advertisement, as per spec only the
operating current request needs to be considered. The sink will
likely have also set the Capability Mismatch bit as well. Hence,
don't reject the request otherwise the sink will keep
re-requesting and never enter a contract.
Change-Id: Ia15e2e17abe43f2bcbc1fe7011b70ab0e0f5d9eb
Signed-off-by: Jack Pham <jackp@codeaurora.org>
Update country ETSI13 related country's frequency range and tx
power.
Change-Id: Iae27b12df3b36621c395ef9e8a3b1b46461848b6
CRs-Fixed: 2246140
Signed-off-by: Gaole Zhang <gaolez@codeaurora.org>
Per the EU STD. ETSI EN 300 440, sub-band 5725-5875 is
allowed in EU at reduced power of 25 mW. Add the sub-band to
the EU countries that support this sub-band.
CRs-Fixed: 2141740
Change-Id: I0a43e99c4357527f607110faecddd9d0fd444fc6
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Specify the name of GPU temperature sensor in the device tree.
This name is used to get the sensor's temperature by querying the
thermal driver API.
CRs-Fixed: 1064728
Change-Id: Ia93d93a442aa848cbd42a5fb8ecad5ef875f9abf
Signed-off-by: Harshdeep Dhatt <hdhatt@codeaurora.org>
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
Increase MAX_RESERVED_REGIONS for reserved regions
Change-Id: Ica7f7196d2c10d99a7d134f1036131657753df93
(cherry picked from commit f071e4e0734f90eb1be8c6c3d41cbc60cc46e243)
Android has been benefiting quicker boot from bigger readahead during
boottime than runtime. However, the boottime readahead setting is set
when init is established after treble early mount. This patch will make
readahead bigger by default so early boot can benefit from it. Readahead
will be reset by init on boot_complete.
Bug: 62413151
Test: boot walleye 100ms faster
Change-Id: Ic9dad5666ce3d4836d73afbcee04cfb875f64f5d
Signed-off-by: Wei Wang <wvw@google.com>
Change the VM_MAX_READAHEAD value from the default 128KB to a
configurable value. This will allow the readahead window to grow to a
maximum size bigger than 128KB, which greatly benefits to sequential
read throughput and thus boot performance.
Bug: 62413151
Test: boot walleye 100ms faster
Change-Id: Iad448cf1198056de46654dcb409466802b3b908d
Signed-off-by: Wei Wang <wvw@google.com>
Allocate all memory given to remote subsystem in the kernel
instead of mapping memory allocated in userspace.
Change-Id: I79c1f40d426e271403afa67514714fe6af26cf4e
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
In certain 802.11 wireless deployments, there will be ARP proxies
that use knowledge of the network to correctly answer requests.
To prevent gratuitous ARP frames on the shared medium from being
a problem, on such deployments wireless needs to drop them.
Enable this by providing an option called "drop_gratuitous_arp".
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 4078228159c9f54cca7347a8bdace29f2abdef65)
Change-Id: I8772dbd7471085878f8b4161eb2a056d79b8b232
In certain 802.11 wireless deployments, there will be NA proxies
that use knowledge of the network to correctly answer requests.
To prevent unsolicitd advertisements on the shared medium from
being a problem, on such deployments wireless needs to drop them.
Enable this by providing an option called "drop_unsolicited_na".
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit aec215e7aa380fe5f85eb6948766b58bf78cb6c3)
Change-Id: Iad429a767a786087b0985632be44932b2e3fd1a8
In order to solve a problem with 802.11, the so-called hole-196 attack,
add an option (sysctl) called "drop_unicast_in_l2_multicast" which, if
enabled, causes the stack to drop IPv6 unicast packets encapsulated in
link-layer multi- or broadcast frames. Such frames can (as an attack)
be created by any member of the same wireless network and transmitted
as valid encrypted frames since the symmetric key for broadcast frames
is shared between all stations.
Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit dede82143bf1bbf92ea73a519bb0298b19c56cb9)
Change-Id: I76c8f84b53e95c40ad3c2b5adac0ec4964cc920c
In order to solve a problem with 802.11, the so-called hole-196 attack,
add an option (sysctl) called "drop_unicast_in_l2_multicast" which, if
enabled, causes the stack to drop IPv4 unicast packets encapsulated in
link-layer multi- or broadcast frames. Such frames can (as an attack)
be created by any member of the same wireless network and transmitted
as valid encrypted frames since the symmetric key for broadcast frames
is shared between all stations.
Additionally, enabling this option provides compliance with a SHOULD
clause of RFC 1122.
Change-Id: I8de9fa5bdbea0556802f2ee553d0e73c1349213e
Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Causes freezes and crashes on cheeseburger when using MTP
or switching android usb debugging on/off.
Change-Id: If08cc8a2662122b24c3fd0fcc5d421bb6a84d777
To resolve the timing issue between usb-driver
and android framework, made the change on rndis
ipa to send the usb-connect msg when usb-driver
connect the IPA pipes.
Change-Id: I51de37bc7610cb0a94659c64146f10ed322210b2
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
