aboutsummaryrefslogtreecommitdiff
path: root/drivers
Commit message (Collapse)AuthorAgeFilesLines
...
* ANDROID: uid_sys_stats: fix typo in initJin Qian2017-05-231-1/+1
| | | | | Change-Id: I8a41b331c973898015d11d2018257727083f7910 Signed-off-by: Jin Qian <jinqian@google.com>
* ANDROID: uid_sys_stats: change to use rt_mutexWei Wang2017-05-231-15/+16
| | | | | | | | | | | | | | | | | | | | | | | | | We see this happens multiple times in heavy workload in systrace and AMS stuck in uid_lock. Running process: Process 953 Running thread: android.ui State: Uninterruptible Sleep Start: 1,025.628 ms Duration: 27,955.949 ms On CPU: Running instead: system_server Args: {kernel callsite when blocked:: "uid_procstat_write+0xb8/0x144"} Changing to rt_mutex can mitigate the priority inversion Bug: 34991231 Bug: 34193533 Change-Id: I481baad840b7bc2dfa9b9a59b4dff93cafb90077 Test: on marlin Signed-off-by: Wei Wang <wvw@google.com>
* ANDROID: uid_sys_stats: account for fsync syscallsJin Qian2017-05-231-2/+9
| | | | | Change-Id: Ie888d8a0f4ec7a27dea86dc4afba8e6fd4203488 Signed-off-by: Jin Qian <jinqian@google.com>
* ANDROID: uid_sys_stats: fix negative write bytes.Jin Qian2017-05-231-4/+10
| | | | | | | | | | | | A task can cancel writes made by other tasks. In rare cases, cancelled_write_bytes is larger than write_bytes if the task itself didn't make any write. This doesn't affect total size but may cause confusion when looking at IO usage on individual tasks. Bug: 35851986 Change-Id: If6cb549aeef9e248e18d804293401bb2b91918ca Signed-off-by: Jin Qian <jinqian@google.com>
* ANDROID: uid_sys_stats: remove unnecessary code in procstat switchJin Qian2017-05-231-14/+1
| | | | | | | | | No need to aggregate the switched uid separately since update_io_stats_locked covers all uids. Bug: 34198239 Change-Id: Ifed347264b910de02e3f3c8dec95d1a2dbde58c0 Signed-off-by: Jin Qian <jinqian@google.com>
* ANDROID: uid_sys_stats: return full size when state is not changed.Jin Qian2017-05-231-1/+1
| | | | | | | Userspace keeps retrying when it sees nothing is written. Bug: 34364961 Change-Id: Ie288c90c6a206fb863dcad010094fcd1373767aa
* ANDROID: uid_sys_stats: allow writing same stateJin Qian2017-05-231-1/+6
| | | | | | Signed-off-by: Jin Qian <jinqian@google.com> Bug: 34360629 Change-Id: Ia748351e07910b1febe54f0484ca1be58c4eb9c7
* ANDROID: uid_sys_stats: rename uid_cputime.c to uid_sys_stats.cJin Qian2017-05-233-3/+4
| | | | | | | | This module tracks cputime and io stats. Signed-off-by: Jin Qian <jinqian@google.com> Bug: 34198239 Change-Id: I9ee7d9e915431e0bb714b36b5a2282e1fdcc7342
* ANDROID: uid_cputime: add per-uid IO usage accountingJin Qian2017-05-231-16/+233
| | | | | | | | | | | | | | | | | | IO usages are accounted in foreground and background buckets. For each uid, io usage is calculated in two steps. delta = current total of all uid tasks - previus total current bucket += delta Bucket is determined by current uid stat. Userspace writes to /proc/uid_procstat/set <uid> <stat> when uid stat is updated. /proc/uid_io/stats shows IO usage in this format. <uid> <foreground IO> <background IO> Signed-off-by: Jin Qian <jinqian@google.com> Bug: 34198239 Change-Id: I3369e59e063b1e5ee0dfe3804c711d93cb937c0c
* mtk: mlog: fix build without lmkMister Oyster2017-05-201-0/+4
|
* zram: do not use copy_page with non-page aligned addressMinchan Kim2017-05-201-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit d72e9a7a93e4f8e9e52491921d99e0c8aa89eb4e upstream. The copy_page is optimized memcpy for page-alinged address. If it is used with non-page aligned address, it can corrupt memory which means system corruption. With zram, it can happen with 1. 64K architecture 2. partial IO 3. slub debug Partial IO need to allocate a page and zram allocates it via kmalloc. With slub debug, kmalloc(PAGE_SIZE) doesn't return page-size aligned address. And finally, copy_page(mem, cmem) corrupts memory. So, this patch changes it to memcpy. Actuaully, we don't need to change zram_bvec_write part because zsmalloc returns page-aligned address in case of PAGE_SIZE class but it's not good to rely on the internal of zsmalloc. Note: When this patch is merged to stable, clear_page should be fixed, too. Unfortunately, recent zram removes it by "same page merge" feature so it's hard to backport this patch to -stable tree. I will handle it when I receive the mail from stable tree maintainer to merge this patch to backport. Fixes: 42e99bd ("zram: optimize memory operations with clear_page()/copy_page()") Link: http://lkml.kernel.org/r/1492042622-12074-2-git-send-email-minchan@kernel.org Signed-off-by: Minchan Kim <minchan@kernel.org> Cc: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Joe Maples <joe@frap129.org>
* cam: Sync code from L1.Mp10Anmin Hsu2017-05-111-0/+1
| | | | | | | | | | | | | | [Detail] sync code from L1.MP10 [Solution] manual sync in 1 commit [Feature] Camcorder Application MTK-Commit-Id: 7009349bf8a23dd0377dad6759af3da264f6b863 Change-Id: Idba37e1f05a9b05d7da6200c28da114d63f5c33d Signed-off-by: John.Wei <john.wei@mediatek.com> CR-Id: ALPS02321162
* Fuel Gauge: fix suspend/resume calculationAnmin Hsu2017-05-111-20/+2
| | | | | | | | | | | | | | | | | | | [Detail] 1. bat volt is wrong in the fuel gauge algorithm of suspend/resume 2. fuel gauge log cannot print out [Solution] 1. fix correct bat volt in resume 2. fix fuel gauge log level [Feature] Battery Management MTK-Commit-Id: 81ea0e76922c6280d1f7dcdb601d6ba04cf21369 Change-Id: Ibfd975bc72a373c8b15a0737361c50b7054fa865 Signed-off-by: Hsin-Hsiung Wang <hsin-hsiung.wang@mediatek.com> CR-Id: ALPS02314143 (cherry picked from commit bd1c50b3720b0e12f3e6b8d0fb32dcab1ca41461) Backported for 3.10 Signed-off-by: Mister Oyster <oysterized@gmail.com>
* aee: enable mt_dump flowAnmin Hsu2017-05-111-0/+11
| | | | | | | | | | | | | | | | | | | [Detail] ipanic flow need to use mt_dump flow to avoid reserve memory for preloader/lk [Solution] 1.Enable mt_dump ke flow 2.remove preloader/lk memory reserve in MT6735 [Feature] CTS(*) MTK-Commit-Id: aff7a2ce6a1c6bd805b2acdeaef7c8c28a0cd613 Change-Id: I2264b0544d3219b4ed2dd53483a134182d76aa17 Signed-off-by: Ji Zhang <ji.zhang@mediatek.com> CR-Id: ALPS02296880 (cherry picked from commit abaf1e786c9856e1a048e55714faa7f98309b96d)
* AEE: fix code defects.Anmin Hsu2017-05-112-1/+7
| | | | | | | | | | | | | | | [Detail] defects found out by Coverity: memroy leak risk. related files:aee kernel driver aed-debug.c & aed-main.c [Solution] fix the defects with kfree(). [Feature] Android Exception Engine(AEE) MTK-Commit-Id: 3c664402362bd16414b09e9050b91f45849b6a3f Change-Id: Ib4a67f16d5552a5c5c1096eedef1e8b4ef8faece Signed-off-by: Zhiyong Wang <zhiyong.wang@mediatek.com> CR-Id: ALPS02319644
* lmk: remove duplicate includeMister Oyster2017-05-101-1/+0
|
* android: fiq_debugger: restrict access to critical commands.Mark Salyzyn2017-05-102-34/+56
| | | | | | | | | | | | | | | | | | Sysrq must be enabled via /proc/sys/kernel/sysrq as a security measure to enable various critical fiq debugger commands that either leak information or can be used as a system attack. Default disabled, this will leave the reboot, reset, irqs, sleep, nosleep, console and ps commands. Reboot and reset commands will be restricted from taking any parameters. We will also switch to showing the limited command set in this mode. Signed-off-by: Mark Salyzyn <salyzyn@google.com> Bug: 32402555 Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5 Git-repo: https://android.googlesource.com/kernel/msm Git-commit: 1031836c0895f1f5a05c25efec83bfa11aa08ca9 Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
* CHROMIUM: usb: gadget: configfs: Fix KASAN use-after-freeJim Lin2017-05-101-5/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When gadget is disconnected, running sequence is like this. . composite_disconnect . Call trace: usb_string_copy+0xd0/0x128 gadget_config_name_configuration_store+0x4 gadget_config_name_attr_store+0x40/0x50 configfs_write_file+0x198/0x1f4 vfs_write+0x100/0x220 SyS_write+0x58/0xa8 . configfs_composite_unbind . configfs_composite_bind In configfs_composite_bind, it has "cn->strings.s = cn->configuration;" When usb_string_copy is invoked. it would allocate memory, copy input string, release previous pointed memory space, and use new allocated memory. When gadget is connected, host sends down request to get information. Call trace: usb_gadget_get_string+0xec/0x168 lookup_string+0x64/0x98 composite_setup+0xa34/0x1ee8 If gadget is disconnected and connected quickly, in the failed case, cn->configuration memory has been released by usb_string_copy kfree but configfs_composite_bind hasn't been run in time to assign new allocated "cn->configuration" pointer to "cn->strings.s". When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling memory is accessed, "BUG: KASAN: use-after-free" error occurs. BUG=chrome-os-partner:58412 TEST=After smaug device was connected to ubuntu PC host, detached and attached type-C cable quickly several times without seeing "BUG: KASAN: use-after-free in usb_gadget_get_string". Change-Id: I58240ee7c55ae8f8fb8597d14f09c5ac07abb032 Signed-off-by: Jim Lin <jilin@nvidia.com> Reviewed-on: https://chromium-review.googlesource.com/428059 Commit-Ready: Jim Lin <jilin%nvidia.com@gtempaccount.com> Tested-by: Jim Lin <jilin%nvidia.com@gtempaccount.com> Reviewed-by: Adrian Salido <salidoa@google.com> Reviewed-by: Benson Leung <bleung@chromium.org> Git-repo: https://chromium.googlesource.com/chromiumos/third_party/kernel Git-commit: a7b597d255d70f6f0c6bfdfb7e4e04f67fcebf9d Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
* Staging: android: binder: Remove support for old 32 bit binder protocol.Arve Hjønnevåg2017-05-072-17/+0
| | | | | | Change-Id: I371072175a298282254a21ea69503b9d75633dc5 Signed-off-by: Arve Hjønnevåg <arve@android.com> Signed-off-by: Mister Oyster <oysterized@gmail.com>
* random: strengthen input validation for RNDADDTOENTCNTTheodore Ts'o2017-05-071-6/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative entropy value. It doesn't make any sense to subtract from the entropy counter, and it can trigger a warning: random: negative entropy/overflow: pool input count -40000 ------------[ cut here ]------------ WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[< none >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670 Modules linked in: CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40 fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40 ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f Call Trace: [< inline >] __dump_stack lib/dump_stack.c:15 [<ffffffff82cc838f>] dump_stack+0x12e/0x18f lib/dump_stack.c:51 [<ffffffff8136d27f>] __warn+0x19f/0x1e0 kernel/panic.c:516 [<ffffffff8136d48c>] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551 [<ffffffff83283dae>] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670 [< inline >] credit_entropy_bits_safe drivers/char/random.c:734 [<ffffffff8328785d>] random_ioctl+0x21d/0x250 drivers/char/random.c:1546 [< inline >] vfs_ioctl fs/ioctl.c:43 [<ffffffff8185316c>] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674 [< inline >] SYSC_ioctl fs/ioctl.c:689 [<ffffffff8185405f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680 [<ffffffff86a995c0>] entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207 ---[ end trace 5d4902b2ba842f1f ]--- This was triggered using the test program: // autogenerated by syzkaller (http://github.com/google/syzkaller) int main() { int fd = open("/dev/random", O_RDWR); int val = -5000; ioctl(fd, RNDADDTOENTCNT, &val); return 0; } It's harmless in that (a) only root can trigger it, and (b) after complaining the code never does let the entropy count go negative, but it's better to simply not allow this userspace from passing in a negative entropy value altogether. Google-Bug-Id: #29575089 Reported-By: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: mydongistiny <jaysonedson@gmail.com> Signed-off-by: mydongistiny <jaysonedson@gmail.com> Signed-off-by: mydongistiny <jaysonedson@gmail.com> Signed-off-by: mydongistiny <jaysonedson@gmail.com> Signed-off-by: mydongistiny <jaysonedson@gmail.com> Signed-off-by: mydongistiny <jaysonedson@gmail.com> Signed-off-by: mydongistiny <jaysonedson@gmail.com> Signed-off-by: mydongistiny <jaysonedson@gmail.com> Signed-off-by: Joe Maples <joe@frap129.org> Signed-off-by: Joe Maples <joe@frap129.org>
* random: print a warning for the first ten uninitialized random usersTheodore Ts'o2017-05-071-4/+8
| | | | | | | | | | | | Since systemd is consistently using /dev/urandom before it is initialized, we can't see the other potentially dangerous users of /dev/urandom immediately after boot. So print the first ten such complaints instead. Cc: stable@kernel.org Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: mydongistiny <jaysonedson@gmail.com> Signed-off-by: Joe Maples <joe@frap129.org>
* mm: Tighten x86 /dev/mem with zeroing readsKees Cook2017-05-071-30/+52
| | | | | | | | | | | | | | | | | | | | | | | | commit a4866aa812518ed1a37d8ea0c881dc946409de94 upstream. Under CONFIG_STRICT_DEVMEM, reading System RAM through /dev/mem is disallowed. However, on x86, the first 1MB was always allowed for BIOS and similar things, regardless of it actually being System RAM. It was possible for heap to end up getting allocated in low 1MB RAM, and then read by things like x86info or dd, which would trip hardened usercopy: usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes) This changes the x86 exception for the low 1MB by reading back zeros for System RAM areas instead of blindly allowing them. More work is needed to extend this to mmap, but currently mmap doesn't go through usercopy, so hardened usercopy won't Oops the kernel. Change-Id: If63add732b7f654918aded70f5196166416ae905 Reported-by: Tommi Rantala <tommi.t.rantala@nokia.com> Tested-by: Tommi Rantala <tommi.t.rantala@nokia.com> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: Brad Spengler <spender@grsecurity.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* android: binder: fix duplicate error return.Riley Andrews2017-04-301-1/+1
| | | | | | | | Duplicate errors can be returned to userspace when the thread error code is left set when the read buffer runs out of space. Change-Id: I921effcb6a7d620841177741a5ad5784acc7a907 Signed-off-by: Riley Andrews <riandrews@google.com>
* mlog: use round_jiffies in mlog timerAnmin Hsu2017-04-251-1/+1
| | | | | | | | | | | | | | | | [Detail] CPU0 off [Solution] use round_jiffies in mlog timer [Feature] Others MTK-Commit-Id: b39445fa9c9c93fbd6bb660011c242688af44f0b Change-Id: I2b209908f2a7493e1760faafe5bd394969445996 Signed-off-by: mtk10008 <tehsin.lin@mediatek.com> CR-Id: ALPS02298339
* mlog: Fixed stack overflowAnmin Hsu2017-04-251-1/+1
| | | | | | | | | | | | | | | | [Detail] Function sprintf does not check the length of buffer. [Solution] Using snprintf prevent stack overflow. [Feature] Monkey Test MTK-Commit-Id: 699464af6ac730e4edd21773b02aa5e1f6dc9403 Change-Id: I238b71ac9966b1967f4c93ffeb29a7c88d441193 Signed-off-by: mtk10008 <tehsin.lin@mediatek.com> CR-Id: ALPS02316340
* AEE: kernel driver memory leak riskAnmin Hsu2017-04-251-1/+1
| | | | | | | | | | | | | | [Detail] It has memory leak risk while call aee_kernel_dal_api(). [Solution] Modify aee_kernel_dal_api() with kfree() system call. [Feature] Memory Optimization MTK-Commit-Id: 09f75c2a0814049e8285693b5b5c715efe1298f7 Change-Id: I9902927084839175bb72e746c481b0d969d819d6 Signed-off-by: Zhiyong Wang <zhiyong.wang@mediatek.com> CR-Id: ALPS02312652
* UPSTREAM: char: lack of bool string made CONFIG_DEVPORT always onMax Bires2017-04-251-1/+4
| | | | | | | | | | | | | | | | | (cherry pick from commit f2cfa58b136e4b06a9b9db7af5ef62fbb5992f62) Without a bool string present, using "# CONFIG_DEVPORT is not set" in defconfig files would not actually unset devport. This esnured that /dev/port was always on, but there are reasons a user may wish to disable it (smaller kernel, attack surface reduction) if it's not being used. Adding a message here in order to make this user visible. Signed-off-by: Max Bires <jbires@google.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 37210310 Bug: 36604779 Change-Id: Ib1e947526f6c6f7cdf6389923287631056f32c36
* UPSTREAM: char: Drop bogus dependency of DEVPORT on !M68KGeert Uytterhoeven2017-04-251-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | (cherry pick from commit 309124e2648d668a0c23539c5078815660a4a850) According to full-history-linux commit d3794f4fa7c3edc3 ("[PATCH] M68k update (part 25)"), port operations are allowed on m68k if CONFIG_ISA is defined. However, commit 153dcc54df826d2f ("[PATCH] mem driver: fix conditional on isa i/o support") accidentally changed an "||" into an "&&", disabling it completely on m68k. This logic was retained when introducing the DEVPORT symbol in commit 4f911d64e04a44c4 ("Make /dev/port conditional on config symbol"). Drop the bogus dependency on !M68K to fix this. Fixes: 153dcc54df826d2f ("[PATCH] mem driver: fix conditional on isa i/o support") Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> Tested-by: Al Stone <ahs3@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Bug: 37210310 Bug: 36604779 Change-Id: I9139bd8a5a6e9e39c2e428bde23a7d9be07e2f91
* drivers: mtk: conn_md: backport from 3.18Mister Oyster2017-04-2511-160/+65
|
* staging: android: ashmem: convert range macros to inlinesGuillaume Tucker2017-04-171-4/+8
| | | | | | | | | | Convert range_size and range_on_lru macros to inline functions to fix checkpatch check: CHECK: Macro argument reuse 'range' - possible side-effects? Signed-off-by: Guillaume Tucker <guillaume.tucker@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* drivers:lmk: Fix null pointer issueHong-Mei Li2017-04-171-1/+1
| | | | | | | | | | | | | | | | On some race, the tsk that lmk is using may be deleted from the RB tree by other thread, and rb_next would return a NULL if we use this tsk to get next. For this case, we need to skip this round of shrink and wait for the next turn. Otherwise, tsk would trigger NULL pointer panic. Change-Id: If28d9a2d3160177f682c08f62421c20eb0cb5e81 Signed-off-by: Hong-Mei Li <a21834@motorola.com> Reviewed-on: http://gerrit.mot.com/729547 SME-Granted: SME Approvals Granted SLTApproved: Slta Waiver <sltawvr@motorola.com> Tested-by: Jira Key <jirakey@motorola.com> Reviewed-by: Yi-Wei Zhao <gbjc64@motorola.com> Submit-Approved: Jira Key <jirakey@motorola.com>
* drivers:lmk: Fix double delete issueHong-Mei Li2017-04-171-1/+4
| | | | | | | | | | | | | | | | | someone may change a process's oom_score_adj by proc fs, even though the process has exited. In that case, the task was deleted from the rb tree already, and the redundant deleting would trigger rb_erase panic finally. In this patch, we make sure to clear the node after deteting and check its empty status before rb_erase. Change-Id: I26098ca3350f111e94567f9e65ec3dce413197aa Signed-off-by: Hong-Mei Li <a21834@motorola.com> Reviewed-on: http://gerrit.mot.com/727760 SME-Granted: SME Approvals Granted SLTApproved: Slta Waiver <sltawvr@motorola.com> Tested-by: Jira Key <jirakey@motorola.com> Reviewed-by: Sheng-Zhe Zhao <a18689@motorola.com> Submit-Approved: Jira Key <jirakey@motorola.com>
* BACKPORT: ion:synchronize debugfs callback and ion_client_destroyNeil Zhang2017-04-161-0/+43
| | | | | | | | | | | (cherry picked from commit 948c4db4ee10d85fe78ed3755dcaeb85cd37a148) There are race condition B/T ion_client_destroy and debugfs callbacks. Let's use a mutex to synchronize them. Change-Id: I4d73b258ac1fb67604b62f237da0e004275fd3da Signed-off-by: Neil Zhang <neilzhang1123@hotmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* ANDROID: ion: Protect kref from userspace manipulationNick Desaulniers2017-04-162-7/+75
| | | | | | | | | | | | | | This separates the kref for ion handles into two components. Userspace requests through the ioctl will hold at most one reference to the internally used kref. All additional requests will increment a separate counter, and the original reference is only put once that counter hits 0. This protects the kernel from a poorly behaving userspace. Bug: 34276203 Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0 Signed-off-by: Daniel Rosenberg <drosen@google.com>
* ANDROID: ion: check for kref overflowDaniel Rosenberg2017-04-161-3/+14
| | | | | | | | | | | | | | | Userspace can cause the kref to handles to increment arbitrarily high. Ensure it does not overflow. Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 31992382 Test: See bug for poc Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782 Git-repo: https://android.googlesource.com/kernel/msm Git-commit: 0c702db4d90de88df11057bcf0d8fb2dfe741605 Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org> Signed-off-by: c_vkeert <vkeert@codeaurora.org>
* Security patchesfire8552017-04-1613-92/+117
| | | | Signed-off-by: Mister Oyster <oysterized@gmail.com>
* ion: indMister Oyster2017-04-161-117/+115
|
* ashmem: missing braces & indentMister Oyster2017-04-161-17/+15
|
* lmk: indent & sym perm -> octalMister Oyster2017-04-161-14/+15
|
* mtk: nfc: remove nfc driverMister Oyster2017-04-165-902/+0
|
* zram: sym permissions -> octal perm (checkpath warnings)Mister Oyster2017-04-161-8/+8
|
* zram: fix indents/warnings from checkpathMister Oyster2017-04-164-15/+25
|
* alarm-dev/timerfd: cleanupMister Oyster2017-04-161-8/+8
|
* staging: android: ashmem: lseek failed due to no FMODE_LSEEK.zhangshuxiao2017-04-161-0/+1
| | | | | | | | | | | vfs_llseek will check whether the file mode has FMODE_LSEEK, no return failure. But ashmem can be lseek, so add FMODE_LSEEK to ashmem file. Change-Id: Ia78ef4c7c96adb89d52e70b63f7c00636fe60d01 Signed-off-by: zhangshuxiao <zhangshuxiao@xiaomi.com> (cherry picked from commit 6c8d409129bbebe36cde9f8e511011756216163a) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
* conn_soc: Security Vulnerability in Mediatek driver : arbitrary kernel writeEddie Chen2017-04-131-9/+19
| | | | | | | | | | google security issue fix Bug num:25873324 Change-Id: I2eb8e03dc67209d9a709fc4a27976f986f0b7606 Signed-off-by: Eddie Chen <eddie.chen@mediatek.com> Signed-off-by: Mister Oyster <oysterized@gmail.com>
* Fix ANDROID_ALARM_POWER_ON on stop/start sequenceMarcos Marado2017-04-131-1/+4
| | | | | | | | The POWER_ON alarm structures must be initialized as ALARM_REALTIME timers, not hrtimers. Change-Id: Ib3a7e8cb8fe4f5dfabb6af47eddadac92ebadbc1 Ticket: PORRIDGE-12
* ANDROID_ALARM_POWER_ON is now 6 (mathing fw/base)Marcos Marado2017-04-131-2/+1
| | | | | Change-Id: Idaf4238a0280d47fcf83d5335a46b04b44fc92a3 Ticket: PORRIDGE-12
* staging: alarm-dev: Set the license to GPLPramod Gurav2017-04-131-1/+1
| | | | | | | | | Adding "GPL" license to fix a warning while compiling as module. CC: Brian Swetland <swetland@google.com> Signed-off-by: Pramod Gurav <pramod.gurav.etc@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* staging: alarm-dev: Seperate functions with one blank lineSeongJae Park2017-04-131-0/+1
| | | | | Signed-off-by: SeongJae Park <sj38.park@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* staging: alarm-dev: Remove unnecessary blank linesSeongJae Park2017-04-131-3/+0
| | | | | Signed-off-by: SeongJae Park <sj38.park@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
generated by cgit v1.2.3 (git 2.39.1) at 2026-03-17 10:24:58 +0000