path: root/drivers
Commit log; each entry lists the commit message, then (author, date, files changed, lines -deleted/+added)
* ion: kmemleak (Shangbing Hu, 2017-09-25, 1 file, -0/+5)
  [Detail] heap_data needs to be freed after use
  [Solution] free heap_data to avoid a kmemleak
  MTK-Commit-Id: 7011735a00a6b8ae9b8df045c9be12d955f5a526
  Change-Id: I3362db1e3c8b674c9bdfbf8aacfc2e850b994695
  Signed-off-by: Shangbing Hu <shangbing.hu@mediatek.com>
  CR-Id: ALPS02418280
  Feature: Memory Optimization
* FROMLIST: acpi: acpica: fix acpi operand cache leak in nseval.c (Seunghun Han, 2017-09-24, 1 file, -0/+8)
  (cherry picked from https://lkml.org/lkml/2017/7/19/94)

  I found an ACPI cache leak in the ACPI early termination and boot continuing case.

  When early termination occurs due to a malicious ACPI table, the Linux kernel terminates the ACPI function and continues the boot process. While the kernel terminates the ACPI function, kmem_cache_destroy() reports an Acpi-Operand cache leak.

  Boot log of the ACPI operand cache leak is as follows:
  >[ 0.464168] ACPI: Added _OSI(Module Device)
  >[ 0.467022] ACPI: Added _OSI(Processor Device)
  >[ 0.469376] ACPI: Added _OSI(3.0 _SCP Extensions)
  >[ 0.471647] ACPI: Added _OSI(Processor Aggregator Device)
  >[ 0.477997] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
  >[ 0.482706] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
  >[ 0.487503] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
  >[ 0.492136] ACPI Error: Method parse/execution failed [\_SB._INI] (Node ffff88021710a618), AE_AML_INTERNAL (20170303/psparse-543)
  >[ 0.497683] ACPI: Interpreter enabled
  >[ 0.499385] ACPI: (supports S0)
  >[ 0.501151] ACPI: Using IOAPIC for interrupt routing
  >[ 0.503342] ACPI Error: Null stack entry at ffff880215c0aad8 (20170303/exresop-174)
  >[ 0.506522] ACPI Exception: AE_AML_INTERNAL, While resolving operands for [OpcodeName unavailable] (20170303/dswexec-461)
  >[ 0.510463] ACPI Error: Method parse/execution failed [\DBG] (Node ffff88021710ab40), AE_AML_INTERNAL (20170303/psparse-543)
  >[ 0.514477] ACPI Error: Method parse/execution failed [\_PIC] (Node ffff88021710ab18), AE_AML_INTERNAL (20170303/psparse-543)
  >[ 0.518867] ACPI Exception: AE_AML_INTERNAL, Evaluating _PIC (20170303/bus-991)
  >[ 0.522384] kmem_cache_destroy Acpi-Operand: Slab cache still has objects
  >[ 0.524597] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 4.12.0-rc5 #26
  >[ 0.526795] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
  >[ 0.529668] Call Trace:
  >[ 0.530811] ? dump_stack+0x5c/0x81
  >[ 0.532240] ? kmem_cache_destroy+0x1aa/0x1c0
  >[ 0.533905] ? acpi_os_delete_cache+0xa/0x10
  >[ 0.535497] ? acpi_ut_delete_caches+0x3f/0x7b
  >[ 0.537237] ? acpi_terminate+0xa/0x14
  >[ 0.538701] ? acpi_init+0x2af/0x34f
  >[ 0.540008] ? acpi_sleep_proc_init+0x27/0x27
  >[ 0.541593] ? do_one_initcall+0x4e/0x1a0
  >[ 0.543008] ? kernel_init_freeable+0x19e/0x21f
  >[ 0.546202] ? rest_init+0x80/0x80
  >[ 0.547513] ? kernel_init+0xa/0x100
  >[ 0.548817] ? ret_from_fork+0x25/0x30
  >[ 0.550587] vgaarb: loaded
  >[ 0.551716] EDAC MC: Ver: 3.0.0
  >[ 0.553744] PCI: Probing PCI hardware
  >[ 0.555038] PCI host bridge to bus 0000:00
  > ... Continue to boot and log is omitted ...

  I analyzed this memory leak in detail and found that the acpi_ns_evaluate() function only removes info->return_object in the AE_CTRL_RETURN_VALUE case. But when errors occur, the status value is not AE_CTRL_RETURN_VALUE, and info->return_object is also not null. Therefore, this causes an ACPI operand memory leak.

  This cache leak causes a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in the stack dump. Some malicious users could use this information to neutralize kernel ASLR.

  I made a patch to fix the ACPI operand cache leak.

  Signed-off-by: Seunghun Han <kkamagui@gmail.com>
  [salyzyn@google.com: complied with checkpatch.pl]
  Signed-off-by: Mark Salyzyn <salyzyn@google.com>
  Bug: 66438987
  Change-Id: Ic2269226c556c1748b064a16a755ebfaf0955095
* FROMLIST: [V4] acpi: acpica: fix acpi parse and parseext cache leaks (Mark Salyzyn, 2017-09-24, 1 file, -37/+16)
  (cherry picked from https://patchwork.kernel.org/patch/9806085/)

  I'm Seunghun Han, and I work for the National Security Research Institute of South Korea.

  I have been doing research on ACPI and found an ACPI cache leak in ACPI early abort cases.

  Boot log of the ACPI cache leak is as follows:
  [ 0.352414] ACPI: Added _OSI(Module Device)
  [ 0.353182] ACPI: Added _OSI(Processor Device)
  [ 0.353182] ACPI: Added _OSI(3.0 _SCP Extensions)
  [ 0.353182] ACPI: Added _OSI(Processor Aggregator Device)
  [ 0.356028] ACPI: Unable to start the ACPI Interpreter
  [ 0.356799] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
  [ 0.360215] kmem_cache_destroy Acpi-State: Slab cache still has objects
  [ 0.360648] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #10
  [ 0.361273] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
  [ 0.361873] Call Trace:
  [ 0.362243] ? dump_stack+0x5c/0x81
  [ 0.362591] ? kmem_cache_destroy+0x1aa/0x1c0
  [ 0.362944] ? acpi_sleep_proc_init+0x27/0x27
  [ 0.363296] ? acpi_os_delete_cache+0xa/0x10
  [ 0.363646] ? acpi_ut_delete_caches+0x6d/0x7b
  [ 0.364000] ? acpi_terminate+0xa/0x14
  [ 0.364000] ? acpi_init+0x2af/0x34f
  [ 0.364000] ? __class_create+0x4c/0x80
  [ 0.364000] ? video_setup+0x7f/0x7f
  [ 0.364000] ? acpi_sleep_proc_init+0x27/0x27
  [ 0.364000] ? do_one_initcall+0x4e/0x1a0
  [ 0.364000] ? kernel_init_freeable+0x189/0x20a
  [ 0.364000] ? rest_init+0xc0/0xc0
  [ 0.364000] ? kernel_init+0xa/0x100
  [ 0.364000] ? ret_from_fork+0x25/0x30

  I analyzed this memory leak in detail. I found that the “Acpi-State” cache and “Acpi-Parse” cache were merged because the size of the cache objects was the same slab cache size.

  I finally found that the “Acpi-Parse” cache and “Acpi-ParseExt” cache were leaked, using the SLAB_NEVER_MERGE flag in the kmem_cache_create() function.

  Real ACPI cache leak point is as follows:
  [ 0.360101] ACPI: Added _OSI(Module Device)
  [ 0.360101] ACPI: Added _OSI(Processor Device)
  [ 0.360101] ACPI: Added _OSI(3.0 _SCP Extensions)
  [ 0.361043] ACPI: Added _OSI(Processor Aggregator Device)
  [ 0.364016] ACPI: Unable to start the ACPI Interpreter
  [ 0.365061] ACPI Error: Could not remove SCI handler (20170303/evmisc-281)
  [ 0.368174] kmem_cache_destroy Acpi-Parse: Slab cache still has objects
  [ 0.369332] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8
  [ 0.371256] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
  [ 0.372000] Call Trace:
  [ 0.372000] ? dump_stack+0x5c/0x81
  [ 0.372000] ? kmem_cache_destroy+0x1aa/0x1c0
  [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27
  [ 0.372000] ? acpi_os_delete_cache+0xa/0x10
  [ 0.372000] ? acpi_ut_delete_caches+0x56/0x7b
  [ 0.372000] ? acpi_terminate+0xa/0x14
  [ 0.372000] ? acpi_init+0x2af/0x34f
  [ 0.372000] ? __class_create+0x4c/0x80
  [ 0.372000] ? video_setup+0x7f/0x7f
  [ 0.372000] ? acpi_sleep_proc_init+0x27/0x27
  [ 0.372000] ? do_one_initcall+0x4e/0x1a0
  [ 0.372000] ? kernel_init_freeable+0x189/0x20a
  [ 0.372000] ? rest_init+0xc0/0xc0
  [ 0.372000] ? kernel_init+0xa/0x100
  [ 0.372000] ? ret_from_fork+0x25/0x30
  [ 0.388039] kmem_cache_destroy Acpi-ParseExt: Slab cache still has objects
  [ 0.389063] CPU: 1 PID: 1 Comm: swapper/0 Tainted: G W 4.12.0-rc4-next-20170608+ #8
  [ 0.390557] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
  [ 0.392000] Call Trace:
  [ 0.392000] ? dump_stack+0x5c/0x81
  [ 0.392000] ? kmem_cache_destroy+0x1aa/0x1c0
  [ 0.392000] ? acpi_sleep_proc_init+0x27/0x27
  [ 0.392000] ? acpi_os_delete_cache+0xa/0x10
  [ 0.392000] ? acpi_ut_delete_caches+0x6d/0x7b
  [ 0.392000] ? acpi_terminate+0xa/0x14
  [ 0.392000] ? acpi_init+0x2af/0x34f
  [ 0.392000] ? __class_create+0x4c/0x80
  [ 0.392000] ? video_setup+0x7f/0x7f
  [ 0.392000] ? acpi_sleep_proc_init+0x27/0x27
  [ 0.392000] ? do_one_initcall+0x4e/0x1a0
  [ 0.392000] ? kernel_init_freeable+0x189/0x20a
  [ 0.392000] ? rest_init+0xc0/0xc0
  [ 0.392000] ? kernel_init+0xa/0x100
  [ 0.392000] ? ret_from_fork+0x25/0x30

  When an early abort occurs due to invalid ACPI information, the Linux kernel terminates ACPI by calling the acpi_terminate() function. The function calls the acpi_ut_delete_caches() function to delete local caches (acpi_gbl_namespace_cache, state_cache, operand_cache, ps_node_cache, ps_node_ext_cache). But the deletion code in the acpi_ut_delete_caches() function only deletes slab caches using the kmem_cache_destroy() function; therefore the cache objects should be flushed before the acpi_ut_delete_caches() function.

  The “Acpi-Parse” cache and “Acpi-ParseExt” cache are used in an AML parse function, acpi_ps_parse_loop(). The function should have flush code to handle an error state due to invalid AML code.

  This cache leak has a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in the stack dump. Some malicious users could use this information to neutralize kernel ASLR.

  To fix the ACPI cache leak for enhancing security, I made a patch which has flush code in the acpi_ps_parse_loop() function.

  I hope that this patch improves the security of the Linux kernel.

  Thank you.

  Signed-off-by: Seunghun Han <kkamagui@gmail.com>
  Signed-off-by: Mark Salyzyn <salyzyn@google.com>
  Bug: 66434432
  Change-Id: Ie73dc38979e58bbb80f098dcc777799ee4628486
* usb: gadget: f_accessory: Fix for UsbAccessory clean unbind. (Anson Jacob, 2017-09-23, 1 file, -5/+17)
  Reapplying fix by Darren Whobrey (Change 69674)

  Fixes issues: 20545, 59667 and 61390.

  With the prior version of f_accessory.c, UsbAccessories would not unbind cleanly when the application is closed or I/O stopped while the USB cable is still connected. The accessory gadget driver would be left in an invalid state which was not reset on subsequent binding or opening. A reboot was necessary to clear. In some phones this issue causes the phone to reboot upon unplugging the USB cable.

  The main problem was that acc_disconnect was being called on I/O error, which reset disconnected and online. A minor fix was required to properly track setting and unsetting of the disconnected and online flags. Also added urb Q wakeups on unbind to help unblock waiting threads.

  Tested on Nexus 7 grouper. Expected behaviour now observed: closing the accessory causes blocked I/O to interrupt with IOException. The accessory can be restarted following closing of the file handle and re-opening. This is a generic fix that applies to all devices.

  Change-Id: I4e08b326730dd3a2820c863124cee10f7cb5501e
  Signed-off-by: Darren Whobrey <d.whobrey@mildai.org>
  Signed-off-by: Anson Jacob <ansonjacob.aj@gmail.com>
  Signed-off-by: Joe Maples <joe@frap129.org>
* max77819: more logspam removal (Mister Oyster, 2017-09-23, 2 files, -0/+10)
* flashlight: remove logspam (Mister Oyster, 2017-09-23, 1 file, -0/+2)
* mali: remove some logspam (Mister Oyster, 2017-09-23, 2 files, -0/+8)
* max77819: remove log & dead code, fix indent (Mister Oyster, 2017-09-23, 2 files, -655/+456)
* misc: replace __FUNCTION__ by __function__ (Moyster, 2017-09-23, 388 files, -1877/+1877)
  result of: git grep -l '__FUNCTION__' | xargs sed -i 's/__FUNCTION__/__func__/g'
* kernel.h: remove ancient __FUNCTION__ hack (Rasmus Villemoes, 2017-09-23, 2 files, -3/+3)
  __FUNCTION__ hasn't been treated as a string literal since gcc 3.4, so this only helps people who only test-compile using 3.3 (compiler-gcc3.h barks at anything older than that). Besides, there are almost no occurrences of __FUNCTION__ left in the tree.

  [akpm@linux-foundation.org: convert remaining __FUNCTION__ references]
  Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
  Cc: Michal Nazarewicz <mina86@mina86.com>
  Cc: Joe Perches <joe@perches.com>
  Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
  Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  Signed-off-by: Moyster <oysterized@gmail.com>
* MSDC: Denali Security Vulnerability (Huan Tang, 2017-09-20, 1 file, -9/+20)
  [Detail] Stack overflow & Null Pointer
  [Solution]
  1. Limited the param 'count' for 'copy_from_user'
  2. Check Pointer
  Change-Id: I81a91a64494b5f088c131f2d1ebc11fcf4b21939
  Signed-off-by: Huan Tang <huan.tang@mediatek.com>
  CR-Id: ALPS03361487
  Feature: Others

  Backported to 3.10 and a few code style ocds
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* auxadc: fix auxadc security defect (Xuexi Bai, 2017-09-20, 2 files, -12/+40)
  [Detail] auxadc:
  1. fix auxadc security defect
  Change-Id: I60eeade13b8ddef14cbc2773d7f6fb9d7e8d49b0
  Signed-off-by: Xuexi Bai <xuexi.bai@mediatek.com>
  CR-Id: ALPS03353887
  Feature: Others

  Backported to 3.10
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* lowmemorykiller: account for unevictable pages (Tim Murray, 2017-09-18, 1 file, -0/+1)
  lowmemorykiller was not taking into account unevictable pages when deciding what level to kill. If significant amounts of memory were pinned, this caused lowmemorykiller to effectively stop at a much higher level than it should.

  bug 31255977
  Change-Id: I763ecbfef8c56d65bb8f6147ae810692bd81b6e2
* staging: android: lowmemorykiller: set TIF_MEMDIE before send kill sig (Weijie Yang, 2017-09-18, 1 file, -1/+1)
  Set the TIF_MEMDIE tsk_thread flag before sending the kill signal to the selected thread. This is to fit a usual code sequence and avoid a potential race issue.

  Signed-off-by: Weijie Yang <weijie.yang@samsung.com>
  Acked-by: David Rientjes <rientjes@google.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  (cherry picked from commit 6bc2b856bb7c49f238914d965c0b1057ec78226e)
  Change-Id: I3c4869d525ce80d339ec3742382beae2ee45f76e
* lmk: remove unused code (Mister Oyster, 2017-09-18, 1 file, -9/+0)
* staging: android: lowmemorykiller: neglect swap cached pages in other_file (Vinayak Menon, 2017-09-18, 1 file, -5/+2)
  With ZRAM enabled it is observed that the lowmemory killer doesn't trigger properly. Swap cached pages are accounted in NR_FILE, and lowmemorykiller considers this as reclaimable and adds it to other_file. But these pages can't be reclaimed unless lowmemorykiller triggers. So subtract swap pages from other_file.

  Signed-off-by: Vinayak Menon <vinayakm.list@gmail.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  (cherry picked from commit 058dbde928597e7a8bd04e28e77e5cfc4270591d)
  Change-Id: I217e831bbe1db830e6d61c7943e442a32a7548a1

  Reverts some Mediatek customisation to lmk
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* lowmemorykiller: trace kill events. (Martijn Coenen, 2017-09-18, 2 files, -3/+50)
  Allows for capturing lmk kill events and their rationale.

  Change-Id: Ibe215db5bb9806fc550c72c0b9832c85cbd56bf6
  Signed-off-by: Martijn Coenen <maco@google.com>
* drivers: mtk: remove mlog driver (Mister Oyster, 2017-09-18, 6 files, -984/+0)
  best it can do is crash the whole kernel when zram is used
* battery: mtk: remove meizu fuelgauge_dump_info log, taking stupid amount of space in /data, doing stupid kernel file manipulation (Mister Oyster, 2017-09-17, 1 file, -54/+0)
* ANDROID: uid_sys_stats: Fix implicit declaration of get_cmdline() (Amit Pundir, 2017-09-16, 1 file, -0/+1)
  Include linux/mm.h for get_cmdline() declaration.

  Change-Id: Icad6ef7deef4d93d92d423c96bfa61fb5d66d0b7
  Fixes: Change-Id: I30083b757eaef8c61e55a213a883ce8d0c9cf2b1 ("uid_sys_stats: log task io with a debug flag")
  Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
* uid_sys_stats: log task io with a debug flag (Yang Jin, 2017-09-16, 2 files, -60/+267)
  Add a hashmap inside each uid_entry to keep track of task name and io. Task full name is a combination of thread and process name.

  Bug: 63739275
  Change-Id: I30083b757eaef8c61e55a213a883ce8d0c9cf2b1
  Signed-off-by: Yang Jin <yajin@google.com>
* FROMLIST: binder: fix a ret value override (Xu YiPing, 2017-09-16, 1 file, -1/+0)
  (from https://patchwork.kernel.org/patch/9939409/)

  commit 372e3147df70 ("binder: guarantee txn complete / errors delivered in-order") incorrectly defined a local ret value. This ret value will be invalid when out of the if block.

  Change-Id: If7bd963ac7e67d135aa949133263aac27bf15d1a
  Signed-off-by: Xu YiPing <xuyiping@hislicon.com>
  Signed-off-by: Todd Kjos <tkjos@google.com>
* FROMLIST: binder: fix memory corruption in binder_transaction binder (Xu YiPing, 2017-09-16, 1 file, -0/+1)
  (from https://patchwork.kernel.org/patch/9939405/)

  commit 7a4408c6bd3e ("binder: make sure accesses to proc/thread are safe") made a change to enqueue tcomplete to thread->todo before enqueuing the transaction. However, in the err_dead_proc_or_thread case, the tcomplete is directly freed, without being dequeued. It may cause the thread->todo list to be corrupted. So, dequeue it before freeing.

  Bug: 65333488
  Change-Id: Id063a4db18deaa634f4d44aa6ebca47bea32537a
  Signed-off-by: Xu YiPing <xuyiping@hisilicon.com>
  Signed-off-by: Todd Kjos <tkjos@google.com>
* binder: make FIFO inheritance a per-context option (Tim Murray, 2017-09-16, 1 file, -1/+36)
  Add a new ioctl to binder to control whether FIFO inheritance should happen. In particular, hwbinder should inherit FIFO priority from callers, but standard binder threads should not.

  Test: boots
  bug 36516194

  Signed-off-by: Tim Murray <timmurray@google.com>
  Change-Id: I8100c4364b7d15d1bf00a8ca5c286e4d4b23ce85
* drivers: merged Android Binder from 4.9 (Lukas0610, 2017-09-16, 5 files, -1574/+3726)
  Change-Id: I857ef86b2d502293fb8c37398383dceaa21dd29f
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* sensor: fix memory leak issue (hongxu.zhao, 2017-09-16, 1 file, -1/+1)
  [Detail] dat initialize to 0
  [Solution]
  Change-Id: Ib539e9624b1b8153eda8dd8f7ce55cb67052be59
  CR-Id: ALPS03288635
  Feature: Others
  Signed-off-by: hongxu.zhao <hongxu.zhao@mediatek.com>
  (cherry picked from commit ba50a5f9d3254520dda3a70db87a35401e4e14ac)
* display: fbconfig use after free (Qinglong Chai, 2017-09-16, 1 file, -0/+6)
  [Detail] add a mutex to protect list_add and list_del to avoid use after free
  Change-Id: Ic7d02a5b97955eaee4d3684e13a4a67f3349b42b
  Signed-off-by: Qinglong Chai <qinglong.chai@mediatek.com>
  CR-Id: ALPS03275524
  Feature: disp
* ANDROID: fiq_debugger: Fix minor bug in code (Greg Kaiser, 2017-09-14, 1 file, -1/+1)
  We fix a typo in the code which had us comparing a pointer instead of the value which was being pointed to.

  This turns out to be a relatively benign bug, as we'd incorrectly pass in the empty string instead of NULL to the function, and the function can handle both. But we fix it so the code is clearly doing what we intend.

  Signed-off-by: Greg Kaiser <gkaiser@google.com>
  Change-Id: Ib059819775a3bebca357d4ce684be779853156e3
* drivers: cpufreq: checks to avoid kernel crash in cpufreq_interactive (gaurav jindal, 2017-09-14, 1 file, -1/+2)
  In cpufreq_governor_interactive, the driver throws a warning with WARN_ON for !tunables and event != CPUFREQ_GOV_POLICY_INIT. In case tunables is NULL for an event other than CPUFREQ_GOV_POLICY_INIT, the kernel will crash as there is no safe check available before accessing tunables. So to handle such a case and avoid the kernel crash, return -EINVAL if WARN_ON returns TRUE.

  Change-Id: I7a3a22d58e3c8a315a1cc1d31143649dc8807dee
  Signed-off-by: gaurav jindal <gauravjindal1104@gmail.com>
* ion: Fix permissions on source file (Alex Naidis, 2017-09-14, 1 file, -0/+0)
  The source file ion.c should not be executable. This patch resets the permissions to "644".

  Signed-off-by: Alex Naidis <alex.naidis@linux.com>
  Signed-off-by: Francisco Franco <franciscofranco.1990@gmail.com>
* usb: gadget: f_fs: Add ioctl for allocating endpoint buffers. (Jerry Zhang, 2017-09-14, 1 file, -6/+41)
  This creates an ioctl named FUNCTIONFS_ENDPOINT_ALLOC which will preallocate buffers for a given size. Any reads/writes on that endpoint below that size will use those buffers instead of allocating their own. If the endpoint is not active, the buffer will not be allocated until it becomes active.

  Change-Id: I4da517620ed913161ea9e21a31f6b92c9a012b44
  Signed-off-by: Jerry Zhang <zhangjerry@google.com>
* usb: gadget: f_fs: add ioctl returning ep descriptor (Robert Baldyga, 2017-09-14, 1 file, -0/+23)
  This patch introduces an ioctl named FUNCTIONFS_ENDPOINT_DESC, which returns the endpoint descriptor to userspace. It works only if the function is active.

  Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
  Acked-by: Michal Nazarewicz <mina86@mina86.com>
  Signed-off-by: Felipe Balbi <balbi@ti.com>
  Signed-off-by: Jerry Zhang <zhangjerry@google.com>
  Change-Id: I55987bf0c6744327f7763b567b5a2b39c50d18e6
* mm: Fix incorrect type conversion for size during dma allocation (Rohit Vaswani, 2017-09-14, 1 file, -1/+1)
  This was found during userspace fuzzing test when a large size allocation is made from ion

  [<ffffffc00008a098>] show_stack+0x10/0x1c
  [<ffffffc00119c390>] dump_stack+0x74/0xc8
  [<ffffffc00020d9a0>] kasan_report_error+0x2b0/0x408
  [<ffffffc00020dbd4>] kasan_report+0x34/0x40
  [<ffffffc00020cfec>] __asan_storeN+0x15c/0x168
  [<ffffffc00020d228>] memset+0x20/0x44
  [<ffffffc00009b730>] __dma_alloc_coherent+0x114/0x18c
  [<ffffffc00009c6e8>] __dma_alloc_noncoherent+0xbc/0x19c
  [<ffffffc000c2b3e0>] ion_cma_allocate+0x178/0x2f0
  [<ffffffc000c2b750>] ion_secure_cma_allocate+0xdc/0x190
  [<ffffffc000c250dc>] ion_alloc+0x264/0xb88
  [<ffffffc000c25e94>] ion_ioctl+0x1f4/0x480
  [<ffffffc00022f650>] do_vfs_ioctl+0x67c/0x764
  [<ffffffc00022f790>] SyS_ioctl+0x58/0x8c

  Change-Id: Idc9c19977a8cc62c7d092f689d30368704b400bc
  Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
* mm: Fix incorrect type conversion for size during dma allocation (Maggie White, 2017-09-11, 1 file, -3/+3)
  This was found during userspace fuzzing test when a large size allocation is made from ion

  [<ffffffc00008a098>] show_stack+0x10/0x1c
  [<ffffffc00119c390>] dump_stack+0x74/0xc8
  [<ffffffc00020d9a0>] kasan_report_error+0x2b0/0x408
  [<ffffffc00020dbd4>] kasan_report+0x34/0x40
  [<ffffffc00020cfec>] __asan_storeN+0x15c/0x168
  [<ffffffc00020d228>] memset+0x20/0x44
  [<ffffffc00009b730>] __dma_alloc_coherent+0x114/0x18c
  [<ffffffc00009c6e8>] __dma_alloc_noncoherent+0xbc/0x19c
  [<ffffffc000c2b3e0>] ion_cma_allocate+0x178/0x2f0
  [<ffffffc000c2b750>] ion_secure_cma_allocate+0xdc/0x190
  [<ffffffc000c250dc>] ion_alloc+0x264/0xb88
  [<ffffffc000c25e94>] ion_ioctl+0x1f4/0x480
  [<ffffffc00022f650>] do_vfs_ioctl+0x67c/0x764
  [<ffffffc00022f790>] SyS_ioctl+0x58/0x8c

  Bug: 38195738
  Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
  Signed-off-by: Maggie White <maggiewhite@google.com>
  Change-Id: I6b1a0a3eaec10500cd4e73290efad4023bc83da5
* fbdev: core: Initialise structure to prevent kernel information leak (Krishna Manikandan, 2017-09-08, 1 file, -0/+7)
  The structure fix is initialised before its usage to prevent kernel information leak during copy_to_user.

  Change-Id: Ice4da4c9bd6095a4387e1d16cb20ca474accb9dc
  Signed-off-by: Krishna Manikandan <mkrishn@codeaurora.org>
* mtk: gps: derp (Mister Oyster, 2017-08-31, 1 file, -2/+2)
* vt: fix unchecked __put_user() in tioclinux ioctls (Adam Borowski, 2017-08-31, 1 file, -3/+3)
  Only read access is checked before this call.

  Actually, at the moment this is not an issue, as every in-tree arch does the same manual checks for VERIFY_READ vs VERIFY_WRITE, relying on the MMU to tell them apart, but this wasn't the case in the past and may happen again on some odd arch in the future.

  If anyone cares about 3.7 and earlier, this is a security hole (untested) on real 80386 CPUs.

  Signed-off-by: Adam Borowski <kilobyte@angband.pl>
  CC: stable@vger.kernel.org # v3.7-
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* PM / Domains: Fix unsafe iteration over modified list of device links (Krzysztof Kozlowski, 2017-08-31, 1 file, -2/+2)
  commit c6e83cac3eda5f7dd32ee1453df2f7abb5c6cd46 upstream.

  pm_genpd_remove_subdomain() iterates over the domain's master_links list and removes the matching element, thus it has to use the safe version of list iteration.

  Fixes: f721889ff65a ("PM / Domains: Support for generic I/O PM domains (v8)")
  Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
  Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
  Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* Revert "dm ioctl: prevent stack leak in dm ioctl call" (Jonathan Solnit, 2017-08-30, 1 file, -1/+1)
  This reverts commit 1d5b6ba1bfe0ce28eca6fa79a74d0088e706e63e.

  Bug: 35644370
  Change-Id: I0880d5f11cd22547934a13b7aa564a4102b95aa9
  Signed-off-by: Jonathan Solnit <jsolnit@google.com>
* mtk: gps: upstream changes (Mister Oyster, 2017-08-20, 2 files, -4/+46)
* Merge mediatek security patches (fire855, 2017-08-20, 6 files, -30/+69)
  * Revert : Merge mediatek security patches (14326e25d3fc3b4d780c2d9d2eebbe3231ad5376)
  * Reapply : 14326e25d3fc3b4d780c2d9d2eebbe3231ad5376
  Signed-off-by: Mister Oyster <oysterized@gmail.com>
* ANDROID: keychord: Fix for a memory leak in keychord. (Mohan Srinivasan, 2017-08-12, 1 file, -0/+1)
  Fixes a steady memory leak in the keychord release code. A close of the keychord device will leak 1 keychord structure. Easily reproducible by a simple program that does an open()->write()->close() of the keychord device.

  Bug: 64483974
  Change-Id: I1fa402c666cffb00b8cfd6379d9fe47a0989152c
  Signed-off-by: Mohan Srinivasan <srmohan@google.com>
  (cherry picked from commit 72a8dae2c25d0277e48672ee85b70236268add01)
* ANDROID: keychord: Fix races in keychord_write. (Mohan Srinivasan, 2017-08-12, 1 file, -1/+60)
  There are multiple bugs caused by threads racing in keychord_write.
  1) Threads racing through this function can cause the same element to be added to a linked list twice (multiple calls to input_register_handler() for the same input_handler struct). And the races can also cause an attempt to remove an element that doesn't exist in a linked list (multiple calls to input_unregister_handler() with the same input_handler struct).
  2) The races can also cause duplicate kfree's of the keychords struct.

  Bug: 64133562
  Bug: 63974334
  Change-Id: I6329a4d58c665fab5d3e96ef96391e07b4941e80
  Signed-off-by: Mohan Srinivasan <srmohan@google.com>
  (cherry picked from commit 59584701f1e2ce8ce024570576b206bea6ac69cf)
* Use %zu to print resid (size_t). (Mohan Srinivasan, 2017-08-12, 1 file, -2/+2)
  Print resid (size_t) portably.

  Signed-off-by: Mohan Srinivasan <srmohan@google.com>
  Change-Id: Ic5c9dc498bfeef2be21594ec5efd45a98a3c4b4d
  (cherry picked from commit a1e4c795e1b6de6b34b8cbc75499d1675608c36b)
* ANDROID: keychord: Fix a slab out-of-bounds read. (Mohan Srinivasan, 2017-08-12, 1 file, -6/+22)
  Fix a slab out of bounds read in keychord_write(), detected by KASAN.

  Signed-off-by: Mohan Srinivasan <srmohan@google.com>
  Bug: 63962952
  Change-Id: Iafef48b5d7283750ac0f39f5aaa767b1c3bf2004
  (cherry picked from commit 913d980e07d84a843f5323acc55d185212a2abec)
* UPSTREAM: brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() (Arend van Spriel, 2017-08-12, 1 file, -0/+5)
  commit 8f44c9a41386729fea410e688959ddaa9d51be7c upstream.

  The lower level nl80211 code in cfg80211 ensures that "len" is between 25 and NL80211_ATTR_FRAME (2304). We subtract DOT11_MGMT_HDR_LEN (24) from "len" so that's a max of 2280. However, the action_frame->data[] buffer is only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can overflow.

      memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN], le16_to_cpu(action_frame->len));

  (cherry picked from commit ae10cf5c80b897b3a46ef1bdf77a52dd84bd336d)
  Bug: 64258073
  Fixes: 18e2f61db3b70 ("brcmfmac: P2P action frame tx.")
  Reported-by: "freenerguo(郭大兴)" <freenerguo@tencent.com>
  Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
  Signed-off-by: David S. Miller <davem@davemloft.net>
  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  Change-Id: Iec2e6c99d113ef95127525a92336b6ccdbd10cb8
* uid_sys_stats: fix overflow when io usage delta is negative (Jin Qian, 2017-08-12, 1 file, -5/+21)
  Setuid can cause a negative delta. Check this and update total usage only if delta is positive.

  Bug: 64317562
  Change-Id: I4818c246db66cabf3b11d277faceedec1678694a
  Signed-off-by: Jin Qian <jinqian@google.com>
* mtk: smi: byebye debug (Moyster, 2017-08-12, 1 file, -63/+0)
* mtk: cmdq: upstream update (Mister Oyster, 2017-08-11, 1 file, -2/+26)
* mtk: gud: upstream update (up to ~june 17) (Mister Oyster, 2017-08-11, 1 file, -5/+12)