OverlayFS is needed to be enabled to align with the
latest android base config. Enable it for SDM660 and
MSM8998.
Change-Id: I9856b55bbda74fdd7f03644d5aad1464549a053f
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
IMO the override_edid should override any default EDID for the
connector, whether that came in via the connector helper ->get_modes()
vfunc or via the firmware EDID mechanism.
Cc: Thomas Wood <thomas.wood@intel.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.kernel.org/patch/7822361/
Git-Commit: 0e8578c996a33c8da9c28f8ed2d1be68694070ee
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Change-Id: I247c19010434473c9af9e0bb8cdeed6b335e4714
Signed-off-by: Tanmay Shah <tanmay@codeaurora.org>
when isp tasklet get delayed due to scheduling, recover
pingpong mismatch from both isp and send back buffer to
framework to avoid framedrop.
Change-Id: If7357d7b2669f99eb45c364288f09954b9f0a710
Signed-off-by: Ramesh V <ramev@codeaurora.org>
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
Some structures are used uninitialized, which may
result in unexpected behavior.
Initialize these structures before using them.
CRs-Fixed: 2494231
Change-Id: I89c7c8ec9defe1db14b9c8cdc3632f5d0051e626
Signed-off-by: Yu Wang <yyuwang@codeaurora.org>
Add CPP HW/AXI reset to make sure no stale data
present at hardware.
Change-Id: I19ce0857ade736d69fcc50bb66fb76d4b0d94470
Signed-off-by: Venu Raidu <vraidu@codeaurora.org>
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
Signed-off-by: Shadul Shaikh <sshadu@codeaurora.org>
CPP AXI need to be reset during camera close
to overcome stale data.
Change-Id: I4af43bbf67a84eaa5fc2a722854117a5936ab896
Signed-off-by: Venu Raidu <vraidu@codeaurora.org>
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
Signed-off-by: Shadul Shaikh <sshadu@codeaurora.org>
In dual vfe mode set frame drop notify mask to
vfe0 and vfe1. so that downstream camera module
will not miss frame drop notify.
Change-Id: Ida61e0041bef245dcc2c6c6f3bbbfdf982d4acbc
Signed-off-by: Ramesh V <ramev@codeaurora.org>
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
Log and event mask ranges are updated and new entry of msg
mask array is updated.
Change-Id: I0a257e6b54b8d6ccdb3ec5d7ac2400751c95fa61
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Use trusted packet size on the received packet and check for
the size of the data received against the expected size
before accessing the packet.
Change-Id: I1bd6008249a0bf4edeec711ec8d23cf7b8dac1f1
Signed-off-by: Priyanka Gujjula <pgujjula@codeaurora.org>
Add matching else case to fix uninitialized buffer usage in
case of version id mismatch.
Change-Id: I7140692f62760d8f0e38f1cde4e3f9ce91a263f4
Signed-off-by: Maulik Shah <mkshah@codeaurora.org>
* refs/heads/tmp-14e1196
ANDROID: Communicates LMK events to userland where they can be logged
Linux 4.4.185
dmaengine: imx-sdma: remove BD_INTR for channel0
KVM: x86: degrade WARN to pr_warn_ratelimited
arm64, vdso: Define vdso_{start,end} as array
ARC: handle gcc generated __builtin_trap for older compiler
tty: rocket: fix incorrect forward declaration of 'rp_init()'
btrfs: Ensure replaced device doesn't have pending chunk allocation
lib/mpi: Fix karactx leak in mpi_powm
ALSA: usb-audio: fix sign unintended sign extension on left shifts
ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
crypto: user - prevent operating on larval algorithms
ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
MIPS: Workaround GCC __builtin_unreachable reordering bug
bug.h: work around GCC PR82365 in BUG()
swiotlb: Make linux/swiotlb.h standalone includible
mfd: omap-usb-tll: Fix register offsets
MIPS: math-emu: do not use bools for arithmetic
ARC: fix build warning in elf.h
ARC: Assume multiplier is always present
scsi: hpsa: correct ioaccel2 chaining
usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC
usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i]
ASoC: max98090: remove 24-bit format support if RJ is 0
spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
ASoC : cs4265 : readable register too low
um: Compile with modern headers
Bluetooth: Fix faulty expression for minimum encryption key size check
net: check before dereferencing netdev_ops during busy poll
bonding: Always enable vlan tx offload
ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
team: Always enable vlan tx offload
tipc: check msg->req data len in tipc_nl_compat_bearer_disable
tipc: change to use register_pernet_device
sctp: change to hold sk after auth shkey is created successfully
cpu/speculation: Warn on unsupported mitigations= parameter
x86/speculation: Allow guests to use SSBD even if host does not
ovl: modify ovl_permission() to do checks on two inodes
KVM: X86: Fix scan ioapic use-before-initialization
net/9p: include trans_common.h to fix missing prototype warning.
9p: p9dirent_read: check network-provided name length
9p/rdma: remove useless check in cm_event_handler
9p: acl: fix uninitialized iattr access
9p/rdma: do not disconnect on down_interruptible EAGAIN
perf help: Remove needless use of strncpy()
perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul
mac80211: drop robust management frames from unknown TA
cfg80211: fix memory leak of wiphy device name
SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write
Bluetooth: Fix regression with minimum encryption key size alignment
Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX
can: purge socket error queue on sock destruct
can: flexcan: fix timeout when set small bitrate
btrfs: start readahead also in seed devices
Btrfs: fix race between readahead and device replace/removal
hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
s390/qeth: fix VLAN attribute in bridge_hostnotify udev event
scsi: ufs: Check that space was properly alloced in copy_query_response
scripts/checkstack.pl: Fix arm64 wrong or unknown architecture
sparc: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD
net: hns: Fix loopback test failed at copper ports
MIPS: uprobes: remove set but not used variable 'epc'
IB/hfi1: Insure freeze_work work_struct is canceled on shutdown
parisc: Fix compiler warnings in float emulation code
parport: Fix mem leak in parport_register_dev_model
apparmor: enforce nullbyte at end of tag string
Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
usb: chipidea: udc: workaround for endpoint conflict issue
gcc-9: silence 'address-of-packed-member' warning
tracing: Silence GCC 9 array bounds warning
scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
mm/page_idle.c: fix oops because end_pfn is larger than max_pfn
fs/binfmt_flat.c: make load_flat_shared_library() work
ANDROID: Fixes to locking around handle_lmk_event
ANDROID: Avoid taking multiple locks in handle_lmk_event
Side effects from the commit "ANDROID: Communicates LMK events to userland
where they can be logged" is addressed here, so picking this commit which
ignored from 4.4.180 merge.
Conflicts:
drivers/staging/android/lowmemorykiller.c
Change-Id: I1156dc21d0f35e74e86d2ad202f99b7bc173b874
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
It observe that sometime, there are multiple SMD
packets in SMD channel. In current scenario,
driver reading one packet at single event.
Reading all SMD packets to avoid any packets miss.
Change-Id: Id7ef388af6200891b17bbe1456cc2fffa580a3d3
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
USB presence is notified before setting EXTCON_USB_SPEED,
this prevents the SS PHY resume. Fix this ordering.
Change-Id: I4ad7bc065b968c6a7a461a2a436b7f2c755bab67
Signed-off-by: Chetan C R <cravin@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl0lmj0ACgkQONu9yGCS
aT67kRAAgoQ2/imz/GJ7bBKhtql6XneFD7fPDnggxHNRGA4VvkV+KcpHIinWZtXp
QV5sq8u092SlvQHYolLcVyK3OsMzfzjsK0HMXJRxEa4UsI38hEDBqpgDaUIYiKrb
l1NUsQLy8foFobbKsTkdiN3+RBdjkTFWZ/SxDXg1T6EicbntvpP/E0QXQ4J+H9TQ
Wdvx0wMS1m8RkBQzoUxyqz10vCDP67e2NPIBotaKOQS3iYa1he6nU5Y7mLpJOw7s
mEPkwnT9+DnDENhL7YHo37JPIgSKz+kLdnw6xLzKSIEOl7MUylu7ocbxcJlAHyxC
LkLRA6E3vCBu540ajHhyjIfN4IPln78qnV1ciGmyTE+YNWtvyPqZVERDXqh9thM9
4lPUm20HAyhopmxdYfoAq933Ki8IH/mTc3vXpcXbVnAOp2uZfJ0nhVOyhqov9B+t
p6ct9t9/1ARPITmFTGNWFvTTRT+OoPLDi6ND1o+8ukXRmn9+sl0/VpWsJNpdIAiM
ss93JfdVTFkR84Oc0zL4Cg55q01BvJYiGtj2oeU5cBECXvXAEvR3ro17b17fmCFh
jk5xcckickpSK1g8iXNsC8EAAL0tIE+vQemxmJDPCcV3rM83addo9Lwqyme6Wa/3
F702sfcOSvRvoEfd+9WZcKV01GfTEFu4jK7onrvL16Xn60Wq1iM=
=Qr7D
-----END PGP SIGNATURE-----
Merge 4.4.185 into android-4.4
Changes in 4.4.185
fs/binfmt_flat.c: make load_flat_shared_library() work
mm/page_idle.c: fix oops because end_pfn is larger than max_pfn
scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
tracing: Silence GCC 9 array bounds warning
gcc-9: silence 'address-of-packed-member' warning
usb: chipidea: udc: workaround for endpoint conflict issue
Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
apparmor: enforce nullbyte at end of tag string
parport: Fix mem leak in parport_register_dev_model
parisc: Fix compiler warnings in float emulation code
IB/hfi1: Insure freeze_work work_struct is canceled on shutdown
MIPS: uprobes: remove set but not used variable 'epc'
net: hns: Fix loopback test failed at copper ports
sparc: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD
scripts/checkstack.pl: Fix arm64 wrong or unknown architecture
scsi: ufs: Check that space was properly alloced in copy_query_response
s390/qeth: fix VLAN attribute in bridge_hostnotify udev event
hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
Btrfs: fix race between readahead and device replace/removal
btrfs: start readahead also in seed devices
can: flexcan: fix timeout when set small bitrate
can: purge socket error queue on sock destruct
ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX
Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
Bluetooth: Fix regression with minimum encryption key size alignment
SMB3: retry on STATUS_INSUFFICIENT_RESOURCES instead of failing write
cfg80211: fix memory leak of wiphy device name
mac80211: drop robust management frames from unknown TA
perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul
perf help: Remove needless use of strncpy()
9p/rdma: do not disconnect on down_interruptible EAGAIN
9p: acl: fix uninitialized iattr access
9p/rdma: remove useless check in cm_event_handler
9p: p9dirent_read: check network-provided name length
net/9p: include trans_common.h to fix missing prototype warning.
KVM: X86: Fix scan ioapic use-before-initialization
ovl: modify ovl_permission() to do checks on two inodes
x86/speculation: Allow guests to use SSBD even if host does not
cpu/speculation: Warn on unsupported mitigations= parameter
sctp: change to hold sk after auth shkey is created successfully
tipc: change to use register_pernet_device
tipc: check msg->req data len in tipc_nl_compat_bearer_disable
team: Always enable vlan tx offload
ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
bonding: Always enable vlan tx offload
net: check before dereferencing netdev_ops during busy poll
Bluetooth: Fix faulty expression for minimum encryption key size check
um: Compile with modern headers
ASoC : cs4265 : readable register too low
spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
ASoC: max98090: remove 24-bit format support if RJ is 0
usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i]
usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC
scsi: hpsa: correct ioaccel2 chaining
ARC: Assume multiplier is always present
ARC: fix build warning in elf.h
MIPS: math-emu: do not use bools for arithmetic
mfd: omap-usb-tll: Fix register offsets
swiotlb: Make linux/swiotlb.h standalone includible
bug.h: work around GCC PR82365 in BUG()
MIPS: Workaround GCC __builtin_unreachable reordering bug
ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
crypto: user - prevent operating on larval algorithms
ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
ALSA: usb-audio: fix sign unintended sign extension on left shifts
lib/mpi: Fix karactx leak in mpi_powm
btrfs: Ensure replaced device doesn't have pending chunk allocation
tty: rocket: fix incorrect forward declaration of 'rp_init()'
ARC: handle gcc generated __builtin_trap for older compiler
arm64, vdso: Define vdso_{start,end} as array
KVM: x86: degrade WARN to pr_warn_ratelimited
dmaengine: imx-sdma: remove BD_INTR for channel0
Linux 4.4.185
Change-Id: I222f9f81b9d7fba3cd3ac028b473b1ea2fae7cf0
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Added missing lock to avoid race conditon for dqbuf and
streamon.
Change-Id: I260dfc964066ad68552dfab0c43584708cfc8b8e
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Couple of code cleanup
- Check for upper boundary for resource_index
not to dependent on ipa_rm_dep_get_index function.
- Check actual argument for NULL and return.
Change-Id: I0ab244e68d96f7841ab2a10e61f2546314166165
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
commit 3f93a4f297961c12bb17aa16cb3a4d1291823cae upstream.
It is possible for an irq triggered by channel0 to be received later
after clks are disabled once firmware loaded during sdma probe. If
that happens then clearing them by writing to SDMA_H_INTR won't work
and the kernel will hang processing infinite interrupts. Actually,
don't need interrupt triggered on channel0 since it's pollling
SDMA_H_STATSTOP to know channel0 done rather than interrupt in
current code, just clear BD_INTR to disable channel0 interrupt to
avoid the above case.
This issue was brought by commit 1d069bfa3c78 ("dmaengine: imx-sdma:
ack channel 0 IRQ in the interrupt handler") which didn't take care
the above case.
Fixes: 1d069bfa3c78 ("dmaengine: imx-sdma: ack channel 0 IRQ in the interrupt handler")
Cc: stable@vger.kernel.org #5.0+
Signed-off-by: Robin Gong <yibin.gong@nxp.com>
Reported-by: Sven Van Asbroeck <thesven73@gmail.com>
Tested-by: Sven Van Asbroeck <thesven73@gmail.com>
Reviewed-by: Michael Olbrich <m.olbrich@pengutronix.de>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3f16a5c318392cbb5a0c7a3d19dff8c8ef3c38ee upstream.
This warning can be triggered easily by userspace, so it should certainly not
cause a panic if panic_on_warn is set.
Reported-by: syzbot+c03f30b4f4c46bdf8575@syzkaller.appspotmail.com
Suggested-by: Alexander Potapenko <glider@google.com>
Acked-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit af1be2e21203867cb958aaceed5366e2e24b88e8 upstream.
ARC gcc prior to GNU 2018.03 release didn't have a target specific
__builtin_trap() implementation, generating default abort() call.
Implement the abort() call - emulating what newer gcc does for the same,
as suggested by Arnd.
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 423ea3255424b954947d167681b71ded1b8fca53 ]
Make the forward declaration actually match the real function
definition, something that previous versions of gcc had just ignored.
This is another patch to fix new warnings from gcc-9 before I start the
merge window pulls. I don't want to miss legitimate new warnings just
because my system update brought a new compiler with new warnings.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit debd1c065d2037919a7da67baf55cc683fee09f0 upstream.
Recent FITRIM work, namely bbbf7243d62d ("btrfs: combine device update
operations during transaction commit") combined the way certain
operations are recoded in a transaction. As a result an ASSERT was added
in dev_replace_finish to ensure the new code works correctly.
Unfortunately I got reports that it's possible to trigger the assert,
meaning that during a device replace it's possible to have an unfinished
chunk allocation on the source device.
This is supposed to be prevented by the fact that a transaction is
committed before finishing the replace oepration and alter acquiring the
chunk mutex. This is not sufficient since by the time the transaction is
committed and the chunk mutex acquired it's possible to allocate a chunk
depending on the workload being executed on the replaced device. This
bug has been present ever since device replace was introduced but there
was never code which checks for it.
The correct way to fix is to ensure that there is no pending device
modification operation when the chunk mutex is acquire and if there is
repeat transaction commit. Unfortunately it's not possible to just
exclude the source device from btrfs_fs_devices::dev_alloc_list since
this causes ENOSPC to be hit in transaction commit.
Fixing that in another way would need to add special cases to handle the
last writes and forbid new ones. The looped transaction fix is more
obvious, and can be easily backported. The runtime of dev-replace is
long so there's no noticeable delay caused by that.
Reported-by: David Sterba <dsterba@suse.com>
Fixes: 391cd9df81 ("Btrfs: fix unprotected alloc list insertion during the finishing procedure of replace")
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c8ea9fce2baf7b643384f36f29e4194fa40d33a6 upstream.
Sometimes mpi_powm will leak karactx because a memory allocation
failure causes a bail-out that skips the freeing of karactx. This
patch moves the freeing of karactx to the end of the function like
everything else so that it can't be skipped.
Reported-by: syzbot+f7baccc38dcc1e094e77@syzkaller.appspotmail.com
Fixes: cdec9cb516 ("crypto: GnuPG based MPI lib - source files...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2acf5a3e6e9371e63c9e4ff54d84d08f630467a0 upstream.
There are a couple of left shifts of unsigned 8 bit values that
first get promoted to signed ints and hence get sign extended
on the shift if the top bit of the 8 bit values are set. Fix
this by casting the 8 bit values to unsigned ints to stop the
unintentional sign extension.
Addresses-Coverity: ("Unintended sign extension")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7fbd1753b64eafe21cf842348a40a691d0dee440 upstream.
In IEC 61883-6, 8 MIDI data streams are multiplexed into single
MIDI conformant data channel. The index of stream is calculated by
modulo 8 of the value of data block counter.
In fireworks, the value of data block counter in CIP header has a quirk
with firmware version v5.0.0, v5.7.3 and v5.8.0. This brings ALSA
IEC 61883-1/6 packet streaming engine to miss detection of MIDI
messages.
This commit fixes the miss detection to modify the value of data block
counter for the modulo calculation.
For maintainers, this bug exists since a commit 18f5ed365d ("ALSA:
fireworks/firewire-lib: add support for recent firmware quirk") in Linux
kernel v4.2. There're many changes since the commit. This fix can be
backported to Linux kernel v4.4 or later. I tagged a base commit to the
backport for your convenience.
Besides, my work for Linux kernel v5.3 brings heavy code refactoring and
some structure members are renamed in 'sound/firewire/amdtp-stream.h'.
The content of this patch brings conflict when merging -rc tree with
this patch and the latest tree. I request maintainers to solve the
conflict to replace 'tx_first_dbc' with 'ctx_data.tx.first_dbc'.
Fixes: df075feefb ("ALSA: firewire-lib: complete AM824 data block processing layer")
Cc: <stable@vger.kernel.org> # v4.4+
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c3ea60c231446663afd6ea1054da6b7f830855ca upstream.
There are two occurrances of a call to snd_seq_oss_fill_addr where
the dest_client and dest_port arguments are in the wrong order. Fix
this by swapping them around.
Addresses-Coverity: ("Arguments in wrong order")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 21d4120ec6f5b5992b01b96ac484701163917b63 upstream.
Michal Suchanek reported [1] that running the pcrypt_aead01 test from
LTP [2] in a loop and holding Ctrl-C causes a NULL dereference of
alg->cra_users.next in crypto_remove_spawns(), via crypto_del_alg().
The test repeatedly uses CRYPTO_MSG_NEWALG and CRYPTO_MSG_DELALG.
The crash occurs when the instance that CRYPTO_MSG_DELALG is trying to
unregister isn't a real registered algorithm, but rather is a "test
larval", which is a special "algorithm" added to the algorithms list
while the real algorithm is still being tested. Larvals don't have
initialized cra_users, so that causes the crash. Normally pcrypt_aead01
doesn't trigger this because CRYPTO_MSG_NEWALG waits for the algorithm
to be tested; however, CRYPTO_MSG_NEWALG returns early when interrupted.
Everything else in the "crypto user configuration" API has this same bug
too, i.e. it inappropriately allows operating on larval algorithms
(though it doesn't look like the other cases can cause a crash).
Fix this by making crypto_alg_match() exclude larval algorithms.
[1] https://lkml.kernel.org/r/20190625071624.27039-1-msuchanek@suse.de
[2] https://github.com/linux-test-project/ltp/blob/20190517/testcases/kernel/crypto/pcrypt_aead01.c
Reported-by: Michal Suchanek <msuchanek@suse.de>
Fixes: a38f7907b9 ("crypto: Add userspace configuration API")
Cc: <stable@vger.kernel.org> # v3.2+
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6994eefb0053799d2e07cd140df6c2ea106c41ee upstream.
Fix two issues:
When called for PTRACE_TRACEME, ptrace_link() would obtain an RCU
reference to the parent's objective credentials, then give that pointer
to get_cred(). However, the object lifetime rules for things like
struct cred do not permit unconditionally turning an RCU reference into
a stable reference.
PTRACE_TRACEME records the parent's credentials as if the parent was
acting as the subject, but that's not the case. If a malicious
unprivileged child uses PTRACE_TRACEME and the parent is privileged, and
at a later point, the parent process becomes attacker-controlled
(because it drops privileges and calls execve()), the attacker ends up
with control over two processes with a privileged ptrace relationship,
which can be abused to ptrace a suid binary and obtain root privileges.
Fix both of these by always recording the credentials of the process
that is requesting the creation of the ptrace relationship:
current_cred() can't change under us, and current is the proper subject
for access control.
This change is theoretically userspace-visible, but I am not aware of
any code that it will actually break.
Fixes: 64b875f7ac8a ("ptrace: Capture the ptracer's creds not PT_PTRACE_CAP")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
