android_kernel_oneplus_msm8998/drivers
Todd Kjos 642da1dade FROMLIST: binder: fix use-after-free in binder_transaction()
(from https://patchwork.kernel.org/patch/9978801/)

User-space normally keeps the node alive when creating a transaction
since it has a reference to the target. The local strong ref keeps it
alive if the sending process dies before the target process processes
the transaction. If the source process is malicious or has a reference
counting bug, this can fail.

In this case, when we attempt to decrement the node in the failure
path, the node has already been freed.

This is fixed by taking a tmpref on the node while constructing
the transaction. To avoid re-acquiring the node lock and inner
proc lock to increment the proc's tmpref, a helper is used that
does the ref increments on both the node and proc.

Bug: 66899329
Change-Id: Iad40e1e0bccee88234900494fb52a510a37fe8d7
Signed-off-by: Todd Kjos <tkjos@google.com>
2017-10-02 18:08:29 +00:00
accessibility
acpi ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal 2017-08-30 10:19:29 +02:00
amba
android FROMLIST: binder: fix use-after-free in binder_transaction() 2017-10-02 18:08:29 +00:00
ata cs5536: add support for IDE controller variant 2017-09-13 14:09:45 -07:00
atm
auxdisplay
base This is the 4.4.88 stable release 2017-09-14 09:48:29 -07:00
bcma bcma: use (get|put)_device when probing/removing device driver 2017-03-12 06:37:30 +01:00
block skd: Submit requests to firmware before triggering the doorbell 2017-09-27 11:00:14 +02:00
bluetooth Bluetooth: Add support of 13d3:3494 RTL8723BE device 2017-09-13 14:09:45 -07:00
bus bus: vexpress-config: fix device reference leak 2017-01-19 20:17:22 +01:00
cdrom
char tpm: Replace device number bitmap with IDR 2017-08-06 19:19:43 -07:00
clk clk: Make x86/ conditional on CONFIG_COMMON_CLK 2017-05-14 13:32:55 +02:00
clocksource clocksource/exynos_mct: Clear interrupt when cpu is shut down 2017-01-26 08:23:48 +01:00
connector
cpufreq drivers: cpufreq_interactive: handle error for module load fail 2017-09-17 19:40:29 +00:00
cpuidle This is the 4.4.26 stable release 2016-10-21 13:40:45 -07:00
crypto crypto: caam - fix signals handling 2017-07-21 07:44:59 +02:00
dca
devfreq
dio
dma dmaengine: ti-dma-crossbar: Add some 'of_node_put()' in error path. 2017-08-06 19:19:45 -07:00
dma-buf
edac EDAC: Increment correct counter in edac_inc_ue_error() 2016-09-07 08:32:41 +02:00
eisa
extcon extcon: max77843: Use correct size for reading the interrupt register 2016-05-04 14:48:54 -07:00
firewire firewire: net: fix fragmented datagram_size off-by-one 2016-11-10 16:36:35 +01:00
firmware Merge remote-tracking branch 'common/android-4.4' into android-4.4.y 2016-12-12 10:15:36 -08:00
fmc
fpga
gpio gpio: mpc8xxx: Correct irq handler function 2016-10-28 03:01:25 -04:00
gpu drm/bridge: adv7511: Re-write the i2c address before EDID probing 2017-09-13 14:09:46 -07:00
hid This is the 4.4.80 stable release 2017-08-07 14:29:16 -07:00
hsi
hv hv: don't reset hv_context.tsc_page on crash 2017-04-27 09:09:34 +02:00
hwmon hwmon: (g762) Fix overflows and crash seen when writing limit attributes 2017-01-12 11:22:48 +01:00
hwspinlock
hwtracing intel_th: pci: Add Cannon Lake PCH-LP support 2017-09-13 14:09:44 -07:00
i2c i2c: ismt: Return EMSGSIZE for block reads with bogus length 2017-09-07 08:34:09 +02:00
ide
idle intel_idle: Support for Intel Xeon Phi Processor x200 Product Family 2016-09-15 08:27:46 +02:00
iio iio: hid-sensor-trigger: Fix the race with user space powering up sensors 2017-08-30 10:19:27 +02:00
infiniband iser-target: Avoid isert_conn->cm_id dereference in isert_login_recv_done 2017-08-11 09:08:50 -07:00
input This is the 4.4.89 stable release 2017-09-27 11:52:16 +02:00
iommu iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid() 2017-07-05 14:37:22 +02:00
ipack
irqchip irqchip: mips-gic: SYNC after enabling GIC region 2017-09-07 08:34:08 +02:00
isdn isdn/i4l: fix buffer overflow 2017-08-06 19:19:41 -07:00
leds leds: ktd2692: avoid harmless maybe-uninitialized warning 2017-05-14 13:32:55 +02:00
lguest
lightnvm lightnvm: put bio before return 2016-09-24 10:07:35 +02:00
macintosh
mailbox mailbox: handle empty message in tx_tick 2017-08-06 19:19:41 -07:00
mcb mcb: Fixed bar number assignment for the gdd 2016-06-01 12:15:53 -07:00
md This is the 4.4.89 stable release 2017-09-27 11:52:16 +02:00
media media: uvcvideo: Prevent heap overflow when accessing mapped controls 2017-09-27 11:00:16 +02:00
memory memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing 2016-07-27 09:47:35 -07:00
memstick memstick: rtsx_usb_ms: Manage runtime PM when accessing the device 2016-10-28 03:01:35 -04:00
message
mfd mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode 2017-06-26 07:13:09 +02:00
misc This is the 4.4.85 stable release 2017-08-30 14:35:43 +02:00
mmc This is the 4.4.71 stable release 2017-06-07 12:36:01 +02:00
mtd This is the 4.4.76 stable release 2017-07-05 16:16:58 +02:00
net This is the 4.4.89 stable release 2017-09-27 11:52:16 +02:00
nfc ANDROID: NFC: st21nfca: Fix memory OOB and leak issues in connectivity events handler 2017-08-25 15:53:20 +00:00
ntb ntb_transport: fix bug calculating num_qps_mw 2017-08-30 10:19:29 +02:00
nubus
nvdimm libnvdimm, btt: fix btt_rw_page not returning errors 2017-08-06 19:19:42 -07:00
nvme nvme: apply DELAY_BEFORE_CHK_RDY quirk at probe time too 2017-06-29 12:48:53 +02:00
nvmem nvmem: imx-ocotp: Fix wrong register size 2017-08-06 19:19:46 -07:00
of This is the 4.4.79 stable release 2017-07-27 15:36:54 -07:00
oprofile
parisc parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo 2017-08-24 17:02:35 -07:00
parport parisc, parport_gsc: Fixes for printk continuation lines 2017-06-17 06:39:37 +02:00
pci PCI: shpchp: Enable bridge bus mastering if MSI is enabled 2017-09-27 11:00:16 +02:00
pcmcia pcmcia: db1xxx_ss: fix last irq_to_gpio user 2016-04-20 15:42:09 +09:00
perf UPSTREAM: drivers/perf: arm-pmu: fix RCU usage on pmu resume from low-power 2017-06-28 12:35:41 -07:00
phy phy: qcom-usb-hs: Add depends on EXTCON 2017-05-14 13:32:57 +02:00
pinctrl pinctrl: samsung: Remove bogus irq_[un]mask from resource management 2017-08-16 13:40:30 -07:00
platform This is the 4.4.76 stable release 2017-07-05 16:16:58 +02:00
pnp PNP: Add Broadwell to Intel MCH size workaround 2016-08-16 09:30:48 +02:00
power This is the 4.4.68 stable release 2017-05-15 09:25:05 +02:00
powercap
pps pps: do not crash when failed to register 2016-08-10 11:49:25 +02:00
ps3
ptp
pwm pwm: pca9685: Fix period change with same duty cycle 2017-03-15 09:57:14 +08:00
rapidio
ras
regulator regulator: tps65023: Fix inverted core enable logic. 2017-05-25 14:30:09 +02:00
remoteproc remoteproc: Fix potential race condition in rproc_add 2016-08-20 18:09:20 +02:00
reset
rpmsg
rtc This is the 4.4.63 stable release 2017-04-21 09:47:01 +02:00
s390 scsi: zfcp: trace high part of "new" 64 bit SCSI LUN 2017-09-27 11:00:15 +02:00
sbus
scsi This is the 4.4.89 stable release 2017-09-27 11:52:16 +02:00
sfi
sh
sn
soc soc: qcom/spm: shut up uninitialized variable warning 2016-09-24 10:07:42 +02:00
spi spi: dw: Make debugfs name unique between instances 2017-08-06 19:19:44 -07:00
spmi spmi: Include OF based modalias in device uevent 2017-07-27 15:06:10 -07:00
ssb ssb: Fix error routine when fallback SPROM fails 2017-01-09 08:07:42 +01:00
staging This is the 4.4.88 stable release 2017-09-14 09:48:29 -07:00
target iscsi-target: Fix iscsi_np reset hung task during parallel delete 2017-08-16 13:40:28 -07:00
tc
thermal thermal: cpu_cooling: Avoid accessing potentially freed structures 2017-07-27 15:06:02 -07:00
thunderbolt thunderbolt: Fix double free of drom buffer 2016-06-01 12:15:53 -07:00
tty This is the 4.4.89 stable release 2017-09-27 11:52:16 +02:00
uio uio: fix dmem_region_start computation 2016-10-31 04:13:59 -06:00
usb This is the 4.4.88 stable release 2017-09-14 09:48:29 -07:00
uwb uwb: fix device quirk on big-endian hosts 2017-05-25 14:30:17 +02:00
vfio vfio-pci: Handle error from pci_iomap 2017-08-06 19:19:46 -07:00
vhost vhost/scsi: fix reuse of &vq->iov[out] in response 2016-09-15 08:27:53 +02:00
video This is the 4.4.80 stable release 2017-08-07 14:29:16 -07:00
virt
virtio Merge 4.4.59 into android-4.4 2017-04-06 19:01:38 +00:00
vlynq
vme vme: Fix wrong pointer utilization in ca91cx42_slave_get 2017-01-19 20:17:21 +01:00
w1 w1: ds2490: USB transfer buffers need to be DMAable 2017-03-12 08:21:03 +00:00
watchdog watchdog: bcm281xx: Fix use of uninitialized spinlock. 2017-07-05 14:37:21 +02:00
xen xen: fix bio vec merging 2017-08-24 17:02:36 -07:00
zorro
Kconfig Revert "switch: switch class and GPIO drivers." 2016-04-20 10:38:12 -07:00
Makefile usb: Make sure usb/phy/of gets built-in 2017-05-20 14:26:59 +02:00