Commit graph

577918 commits

Author SHA1 Message Date
Omar Sandoval
f1c3024e5d block: fix use-after-free in sys_ioprio_get()
get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

#include <assert.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

int main(int argc, char **argv)
{
	pid_t pid, child;
	long nproc, i;

	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
	syscall(SYS_ioprio_set, 1, 0, 0x6000);

	nproc = sysconf(_SC_NPROCESSORS_ONLN);

	for (i = 0; i < nproc; i++) {
		/* One child per CPU that keeps forking and reaping short-lived
		 * grandchildren, so tasks in this process group are constantly
		 * exiting and freeing their io_context in exit_io_context(). */
		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				pid = fork();
				assert(pid != -1);
				if (pid == 0) {
					_exit(0);
				} else {
					child = wait(NULL);
					assert(child == pid);
				}
			}
		}

		/* One child per CPU that keeps walking the process group and
		 * reading each task's io_context via get_task_ioprio(). */
		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
				syscall(SYS_ioprio_get, 2, 0);
			}
		}
	}

	/* The parent does the same from its own context. */
	for (;;) {
		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
		syscall(SYS_ioprio_get, 2, 0);
	}

	return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009] 	___slab_alloc+0x55d/0x5a0
[   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
[   35.530009] 	kmem_cache_alloc_node+0x84/0x200
[   35.530009] 	create_task_io_context+0x2b/0x370
[   35.530009] 	get_task_io_context+0x92/0xb0
[   35.530009] 	copy_process.part.8+0x5029/0x5660
[   35.530009] 	_do_fork+0x155/0x7e0
[   35.530009] 	SyS_clone+0x19/0x20
[   35.530009] 	do_syscall_64+0x195/0x3a0
[   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009] 	__slab_free+0x27b/0x3d0
[   35.530009] 	kmem_cache_free+0x1fb/0x220
[   35.530009] 	put_io_context+0xe7/0x120
[   35.530009] 	put_io_context_active+0x238/0x380
[   35.530009] 	exit_io_context+0x66/0x80
[   35.530009] 	do_exit+0x158e/0x2b90
[   35.530009] 	do_group_exit+0xe5/0x2b0
[   35.530009] 	SyS_exit_group+0x1d/0x20
[   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Change-Id: I02fda1eb5173f5cf4db999147c623720892da529
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 8ba8682107ee2ca3347354e018865d8e1967c5f4
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:45:13 -08:00
Vegard Nossum
44e1cd2173 block: fix use-after-free in seq file
I got a KASAN report of use-after-free:

    ==================================================================
    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
    Read of size 8 by task trinity-c1/315
    =============================================================================
    BUG kmalloc-32 (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
            ___slab_alloc+0x4f1/0x520
            __slab_alloc.isra.58+0x56/0x80
            kmem_cache_alloc_trace+0x260/0x2a0
            disk_seqf_start+0x66/0x110
            traverse+0x176/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a
    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
            __slab_free+0x17a/0x2c0
            kfree+0x20a/0x220
            disk_seqf_stop+0x42/0x50
            traverse+0x3b5/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a

    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G    B           4.7.0+ #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
    Call Trace:
     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
     [<ffffffff814704ff>] object_err+0x2f/0x40
     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
     [<ffffffff814b8de6>] do_preadv+0x126/0x170
     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

open()
 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Change-Id: Ia3c791c6cf81a6c156561106230cbf5e8dfad0bc
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 77da160530dd1dc94f6ae15a981f24e5f0021e84
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
2016-11-18 16:39:10 -08:00
Service qcabuildsw
42939d0685 Merge "msm: wlan: update regulatory database" into msm-4.4 2016-11-18 15:41:21 -08:00
Linux Build Service Account
2f088241d7 Merge "msm: kgsl: Make sure USE_CPU_MAP + MAP_USER_MEM work together" 2016-11-18 01:55:04 -08:00
Linux Build Service Account
efcb7b1d55 Merge "msm: kgsl: Fix pagetable member of struct kgsl_memdesc" 2016-11-18 01:55:03 -08:00
Linux Build Service Account
c10fa02a2e Merge "ARM: dts: msm: Enable auto GM for WLED in pmicobalt" 2016-11-18 01:55:01 -08:00
Linux Build Service Account
7ee7f710ec Merge "leds: qpnp-wled: Add support to configure auto PFM for pmicobalt" 2016-11-18 01:55:01 -08:00
Linux Build Service Account
a708ddf420 Merge "msm: ipa3: linearize large skbs" 2016-11-18 01:55:00 -08:00
Linux Build Service Account
dc3c5f14a2 Merge "msm: mdss: hide additional kernel addresses from unprivileged users" 2016-11-18 01:54:59 -08:00
Linux Build Service Account
6f4c99dfce Merge "ASoC: msm: Fix sound card registration failure" 2016-11-18 01:54:58 -08:00
Linux Build Service Account
b140cb0936 Merge "msm: sde: remove secure camera ctrl_id definition" 2016-11-18 01:54:57 -08:00
Linux Build Service Account
0bdfb6133f Merge "ARM: dts: msm: Add ufs regulators for msmfalcon interposer" 2016-11-18 01:54:57 -08:00
Linux Build Service Account
072148d62f Merge "usb: pd: Stop processing SVDM if handler found" 2016-11-18 01:54:56 -08:00
Linux Build Service Account
54e5bae2ed Merge "sched/hmp: Enhance co-location and scheduler boost features" 2016-11-18 01:54:54 -08:00
Linux Build Service Account
d1a64e4014 Merge "USB: Allow skipping device resume during system resume" 2016-11-18 01:54:53 -08:00
Linux Build Service Account
a8277a5b93 Merge "clk: msm: Add the CLKFLAG_NO_RATE_CACHE flag for MM clocks on MSM COBALT" 2016-11-18 01:54:52 -08:00
Linux Build Service Account
69fe3ef296 Merge "clk: qcom: Add support to be able to slew PLL" 2016-11-18 01:54:52 -08:00
Linux Build Service Account
73542728de Merge "qseecom: improve error checks in qseecom_probe()" 2016-11-18 01:54:51 -08:00
Linux Build Service Account
473a3d597b Merge "msm: mdss: Add systrace for readptr_done" 2016-11-18 01:54:50 -08:00
Linux Build Service Account
54f38dfe87 Merge "ARM: dts: msm: Add physical dimensions for NT35597 panel" 2016-11-18 01:54:49 -08:00
Linux Build Service Account
2ddc39e634 Merge "msm: mdss: fix incorrect mutex unlocking during NOTIFY_UPDATE_STOP" 2016-11-18 01:54:48 -08:00
Linux Build Service Account
db18e6f95e Merge "msm: mdss: fix race condition in dsi clk off request" 2016-11-18 01:54:46 -08:00
Linux Build Service Account
07d79c7409 Merge "ARM: dts: msm: specify I2C configuration for msmfalcon" 2016-11-18 01:54:45 -08:00
Linux Build Service Account
24adf86dfa Merge "ARM: dts: msm: specify UART configuration on msmfalcon." 2016-11-18 01:54:45 -08:00
Linux Build Service Account
0956d6dd49 Merge "clk: qcom: Add support for debugfs support" 2016-11-18 01:54:43 -08:00
Linux Build Service Account
5d4d0ab7a7 Merge "clk: Add support to allow client to print all enabled clocks" 2016-11-18 01:54:42 -08:00
Linux Build Service Account
29674d7418 Merge "scsi: ufs: enable auto hibern8 only after device initialization" 2016-11-18 01:54:41 -08:00
Linux Build Service Account
0f04e7c48a Merge "scsi: ufs: fix sleep in atomic context" 2016-11-18 01:54:40 -08:00
Linux Build Service Account
94410a85f4 Merge "phy: qcom-ufs: update ufs phy 1-lane settings" 2016-11-18 01:54:36 -08:00
Linux Build Service Account
bf1c2c6407 Merge "diag: Set the diag write buffers to busy state on channel close" 2016-11-18 01:54:35 -08:00
Amar Singhal
1a8e292bce msm: wlan: update regulatory database
Incorporate the 2016-10-31 updates to the internal regulatory
database. Update countries Bahrain, Belize, Chile, Egypt, Honduras,
India, S Korea, Nepal, Panama, Russia, Senegal, TT and UAE. Also
update the St. Kitts & Nevis and St. Lucia DFS region.

Change-Id: Ia151b2dd5229f07790ac961af298305b24e098fb
CRs-Fixed: 1091511
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
2016-11-17 12:19:51 -08:00
Linux Build Service Account
d52c401860 Merge "leds: qpnp-wled: Add support to configure AUTO_GM settings" 2016-11-17 10:08:45 -08:00
Linux Build Service Account
a2f4ac784a Merge "tcp: take care of truncations done by sk_filter()" 2016-11-17 10:08:44 -08:00
Linux Build Service Account
5b00a91adb Merge "scsi: ufs: handle LINERESET during hibern8" 2016-11-17 10:08:43 -08:00
Linux Build Service Account
a1008bfb76 Merge "scsi: ufs-qcom: update clock scaling sequence" 2016-11-17 10:08:42 -08:00
Linux Build Service Account
64f717aeaa Merge "ARM: dts: msm: ensure contiguous MSI for PCIe on msmcobalt" 2016-11-17 10:08:41 -08:00
Linux Build Service Account
b953b336af Merge "driver: thermal: msm_thermal: Enable Reliability algorithm" 2016-11-17 10:08:40 -08:00
Linux Build Service Account
3c8d77bac1 Merge "leds: qpnp-flash: Fix the mask in the flash prepare API" 2016-11-17 10:08:40 -08:00
Linux Build Service Account
37d58e6c59 Merge "leds: qpnp-flash-v2: change from dev_*() to pr_*() for logging" 2016-11-17 10:08:38 -08:00
Linux Build Service Account
a1716776fd Merge "leds: qpnp-flash-v2: Add support for configuring OTST thresholds" 2016-11-17 10:08:38 -08:00
Linux Build Service Account
f645e3ce31 Merge "leds: qpnp-flash-v2: Add support for thermal derate features" 2016-11-17 10:08:37 -08:00
Linux Build Service Account
a58828453e Merge "msm: kgsl: preserve ISENSE registers across GPU power collapse" 2016-11-17 10:08:36 -08:00
Linux Build Service Account
f01a84f38a Merge "scsi: ufs: error out all issued requests after shutdown" 2016-11-17 10:08:33 -08:00
Fenglin Wu
877c99e11d ARM: dts: msm: Enable auto GM for WLED in pmicobalt
Enable auto GM for the WLED module in pmicobalt so that LOOP_GM
changes adaptively with brightness.

CRs-Fixed: 1081738
Change-Id: I10a788726358c56df9bfe11f2332e3823d7cd332
Signed-off-by: Fenglin Wu <fenglinw@codeaurora.org>
2016-11-17 03:43:49 -08:00
Fenglin Wu
596b431a5f leds: qpnp-wled: Add support to configure auto PFM for pmicobalt
The WLED boost controller in pmicobalt supports auto PFM mode when
LCD mode is selected. Auto PFM mode is enabled by default except
on some specific hardware versions. Add a property to specify
AUTO_PFM_THRESHOLD for the boost controller so that it can enter
PFM mode when the adaptive headroom voltage falls below the
threshold.

CRs-Fixed: 1081738
Change-Id: I964b3452d0cdb3618b4ab446655ae75fa3a1049d
Signed-off-by: Fenglin Wu <fenglinw@codeaurora.org>
2016-11-17 19:38:14 +08:00
Linux Build Service Account
4b1c2e228c Merge "leds: qpnp-wled: Add support to configure VREF_CONTROL for pmicobalt" 2016-11-17 02:22:35 -08:00
Linux Build Service Account
15c0f0e20c Merge "msm: cpp: Use the src clock node to read the cpp src clock rate" 2016-11-17 02:22:34 -08:00
Linux Build Service Account
f60b2ad20f Merge "ARM: dts: msm: Add cpp src clock rates configuration for msmcobalt" 2016-11-17 02:22:33 -08:00
Laxminath Kasam
f88f90a547 ASoC: msm: Fix sound card registration failure
In external codec machine driver, register
SSR notifier after sound card register. Also,
add separate snd_soc_card variables for tavil
and tasha since same machine driver is used
for both codecs.

CRs-Fixed: 1083537
Change-Id: I73fc02b812f2e6694e2a6aa8bdad2381a5f19406
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
2016-11-17 11:23:15 +05:30
Laxminath Kasam
1b29a217c2 ASoC: msm: Add support for USB/WCN/TDM Audio
Add the required machine driver support for
USB Audio, BT, FM and TDM interfaces for
both internal and external codecs.

CRs-Fixed: 1083537
Change-Id: I3d2765535793d6ef9153cfcab4b44a9adad67e15
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
2016-11-17 11:20:40 +05:30