Age | Commit message | Author |
|
SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
ipv6_mc_list from parent"), otherwise bad things can happen.
Change-Id: Ia0887948642ee3dc24453a405481a32db0c75285
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Tracked-On: https://jira01.devtools.intel.com/browse/AW-7175
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/600485
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
we should clear ipv6_mc_list etc. for IPv6 sockets too.
Change-Id: I72b52968433019dc7dff4f7a92ad1ac65dee554a
Tracked-On: https://jira01.devtools.intel.com/browse/AW-7202
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Wajdix Zairi <wajdix.zairi@intel.com>
Reviewed-on: https://android.intel.com/600492
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
|
|
Splicing from TCP socket is vulnerable when a packet with URG flag is
received and stored into receive queue.
__tcp_splice_read() returns 0, and sk_wait_data() immediately
returns since there is the problematic skb in queue.
This is a nice way to burn cpu (aka infinite loop) and trigger
soft lockups.
Again, this gem was found by syzkaller tool.
Change-Id: Ie3407c32dee061d082554bb4ac134058bcdfa980
Tracked-On: https://jira01.devtools.intel.com/browse/AW-7202
Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Wajdix Zairi <wajdix.zairi@intel.com>
Reviewed-on: https://android.intel.com/600352
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
|
|
We should call ipxitf_put() if the copy_to_user() fails.
Change-Id: I790cf43214ef813ff96b71d8fa0ab37d2f28e496
Tracked-On: https://jira01.devtools.intel.com/browse/AW-7202
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Wajdix Zairi <wajdix.zairi@intel.com>
Reviewed-on: https://android.intel.com/600346
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
Andrey Konovalov reported out of bound accesses in ip6gre_err()
If GRE flags contains GRE_KEY, the following expression
*(((__be32 *)p) + (grehlen / 4) - 1)
accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.
Let's use a "struct gre_base_hdr *greh" pointer to make this
code more readable.
p[1] becomes greh->protocol.
grhlen is the GRE header length.
Change-Id: Ieb125f0d9829c837200c0df9c82a6a075c9c064c
Tracked-On: https://jira01.devtools.intel.com/browse/AW-7202
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Wajdix Zairi <wajdix.zairi@intel.com>
Reviewed-on: https://android.intel.com/600348
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
This reverts commit b7211b984bd160f244b5b297533cd2002053b2c2.
Change-Id: Ia50a65c897b0448e3cf4fb47aff545a3de7bdbc8
Tracked-On: https://jira01.devtools.intel.com/browse/AW-6328
Signed-off-by: Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/597278
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Bertolin, PierreX <pierrex.bertolin@intel.com>
|
|
This reverts commit cec60fc38bd599c592e714d016a6ff8958fc5be7.
Change-Id: I454da6974f26c4331961d6580ad4321b0e9ea781
Tracked-On: https://jira01.devtools.intel.com/browse/AW-6328
Signed-off-by: Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/597277
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Bertolin, PierreX <pierrex.bertolin@intel.com>
|
|
This reverts commit 223871c77902e0946ee4c1c5a6400bca6a7b8c55.
Change-Id: I2c395a4022a28e33f7b96fbcbee836e6953d63e3
Tracked-On: https://jira01.devtools.intel.com/browse/AW-6328
Signed-off-by: Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/597276
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Bertolin, PierreX <pierrex.bertolin@intel.com>
|
|
This reverts commit 249b7afbd4d70917fc97feb401a4c7cb23573d2b.
Change-Id: I1fd70f42c800cbcdef876e04ddd3283b8b28097a
Tracked-On: https://jira01.devtools.intel.com/browse/AW-6328
Signed-off-by: Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/597275
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Bertolin, PierreX <pierrex.bertolin@intel.com>
|
|
This reverts commit dd7edfc99a81b50631e21b1563a7575fecc55b2b.
Change-Id: I3c2f0cbc24d98208623912830a4555263d9f2adc
Tracked-On: https://jira01.devtools.intel.com/browse/AW-6328
Signed-off-by: Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/597274
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Bertolin, PierreX <pierrex.bertolin@intel.com>
|
|
Make sure segno and blkoff read from raw image are valid.
(url https://sourceforge.net/p/linux-f2fs/mailman/message/35835945)
Signed-off-by: Jin Qian <jinqian@google.com>
Bug: 36588520
Change-Id: Iba66ab97d3d0870ea48b5ef192d9075f225a934a
Tracked-On: https://jira01.devtools.intel.com/browse/AW-6221
Signed-off-by: Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/594760
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
|
|
F2FS uses 4 bytes to represent block address. As a result, supported
size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.
Change-Id: I4b7d0024fcc530a1d6a553c26fe5145a789ef39c
Tracked-On: https://jira01.devtools.intel.com/browse/AW-6221
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/594759
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
|
|
f2fs currently only supports 4KB block size and 2MB segment size.
Sanity check log_blocks_per_seg == 9, i.e. 2MB/4KB = (1 << 9)
Partially
(cherry-picked from commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e)
f2fs: do more integrity verification for superblock
Do more sanity check for superblock during ->mount.
Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Jin Qian <jinqian@google.com>
Bug: 36817013
Change-Id: I0be52e54fba82083068337ceb9f7ad985a87319f
Tracked-On: https://jira01.devtools.intel.com/browse/AW-6221
Signed-off-by: Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/594758
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
|
|
The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.
Protect the context for these operations with a separate lock.
The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.
Change-Id: I5ccfd9bff148278d50589582450755946cb85f0a
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "linux-fsdevel@vger.kernel.org"
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tracked-On: https://jira01.devtools.intel.com/browse/AW-6221
Signed-off-by: Victor Tasayco Loarte <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/594757
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Zairi, WajdiX <wajdix.zairi@intel.com>
Reviewed-by: Akue, LoicX <loicx.akue@intel.com>
|
|
When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.
Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
Since frames_per_block <= tp_block_size, the expression would
never overflow.
Change-Id: I71b9547a7f832ceda2349108e2129905cb6d1121
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5928
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/589259
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less than the other doesn't always work
(both of them are unsigned ints).
Compare them as is instead.
Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.
Change-Id: Ia02b8748d4af204e75aabb1e5031f563bc92a44e
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5928
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/589258
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
Symlink reading code does not check whether the resulting path fits into
the page provided by the generic code. This isn't as easy as just
checking the symlink size because of various encoding conversions we
perform on path. So we have to check whether there is still enough space
in the buffer on the fly.
Change-Id: I9de5e256d5a3978f4247d15b61e0ca2b0dc95d19
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5928
CC: stable@vger.kernel.org
Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/589257
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.
However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
in dccp_rcv_state_process.
Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.
Similar fixes for TCP:
fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed
Change-Id: I572812d1789144cb363b84a12d733049e0d58e96
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5928
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/589256
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
This reverts commit f0ce0eee6b71bc310153edb87e66e6b25e12fece.
Bug: 34951864
Bug: 36468447
Change-Id: I9667f6a1b5ddd0ecc358bd9f2fb4ce8e62185486
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5928
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/590704
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
Fix by checking that tp_reserve <= INT_MAX on assign.
Change-Id: I22f6c56ae02c435f9d5413effad43f32d9c18cdb
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5928
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/589260
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
|
|
Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
is accessed.
ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
are present.
We could refine the test to the presence of ts_needtime or srr,
but IP options are not often used, so let's be conservative.
Thanks to syzkaller team for finding this bug.
Change-Id: I76d78d2ec831ff447334e8c71efb72736305c8f9
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5928
Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/589255
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
Bug: 36101220
Change-Id: I21bf000142b3560d27ff4808eaa2356bee449e79
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5877
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/589225
Reviewed-by: Korpershoek, MattijsX <mattijsx.korpershoek@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
(cherry pick from commit 0c2d19ba23be8cf424ac9d74067039d237152dfc)
Validate the intr_reg_num value returned by touchscreen
to ensure no out of bounds access can occur.
Change-Id: I9df191a0679694e7d1206d61ce6aa1a021da9508
Bug: 35472278
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5877
Signed-off-by: Loic Akue <loicx.akue@intel.com>
Reviewed-on: https://android.intel.com/589224
Reviewed-by: Korpershoek, MattijsX <mattijsx.korpershoek@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
the gpio pins reused for i2c bus need to be configured,
otherwise master i2c abort will fail, and so will the
following disable and re-enable.
Change-Id: Ibccd16c46b1e3cccb5916f09a871d1f4d2d89af6
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5284
Signed-off-by: Hu Bingquan <bingquan.hu@intel.com>
Reviewed-on: https://android.intel.com/582763
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Qin, Jian Feng <jian.feng.qin@intel.com>
Tested-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Ghaddab, RiadhX <riadhx.ghaddab@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
as requested by HW team VINDPM min threshold is set
to 4100, due to device not charging when booting
with depleted battery
every VINDPM refresh value has to be:
max(VBATT+400mV, 4100)
vindpm is set at boot to 4100
Change-Id: I5a26fae96dab0afcee6498eb0f41e4aa8a2dd70f
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4614
Signed-off-by: Mattijs Korpershoek <mattijsx.korpershoek@intel.com>
Signed-off-by: MorganX Binet <morganx.binet@intel.com>
Reviewed-on: https://android.intel.com/576046
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Chaumette, HubertX <hubertx.chaumette@intel.com>
Reviewed-by: Ferrari, AlainX <alainx.ferrari@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.
Bug: 33300353
Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094
Signed-off-by: Robb Glasser <rglasser@google.com>
Reviewed-on: https://android.intel.com/577969
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
This likely breaks tracing tools like trace-cmd. It logs in the same
format but now addresses are all 0x0.
Bug: 34277115
Change-Id: Ifb0d4d2a184bf0d95726de05b1acee0287a375d9
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-on: https://android.intel.com/577968
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
After freeing pin from regulator_ena_gpio_free, loop can access
the pin. So this patch fixes not to access pin after freeing.
Change-Id: I65f6ca964802f6265719a6b46ca0e7f9a4d2f23f
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Reviewed-on: https://android.intel.com/577963
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
Strcpy has no limit on string being copied which causes
stack corruption leading to kernel panic. Use strlcpy to
resolve the issue by providing length of string to be copied.
CRs-fixed: 1048480
Change-Id: Ib290b25f7e0ff96927b8530e5c078869441d409f
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094
Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
Reviewed-on: https://android.intel.com/577961
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 upstream.
Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed(). This is potentially racy, since the stream
may get released even while the irq handler is running. Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.
As a quick workaround, move kill_fasync() call inside the stream
lock. The fasync is rarely used interface, so this shouldn't have a
big impact from the performance POV.
Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler. But this oneliner should suffice for most
cases, so far.
Change-Id: Ifbe9dee4b884ece32bce50b486b62b88c5816486
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-on: https://android.intel.com/577960
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
The fix from 9fc81d87420d ("perf: Fix events installation during
moving group") was incomplete in that it failed to recognise that
creating a group with events for different CPUs is semantically
broken -- they cannot be co-scheduled.
Furthermore, it leads to real breakage where, when we create an event
for CPU Y and then migrate it to form a group on CPU X, the code gets
confused where the counter is programmed -- triggered in practice
as well by me via the perf fuzzer.
Fix this by tightening the rules for creating groups. Only allow
grouping of counters that can be co-scheduled in the same context.
This means for the same task and/or the same cpu.
Change-Id: Ic3c87e770458aa004bd7ed3f29945ff436fd6511
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Reviewed-on: https://android.intel.com/577959
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer. However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call. There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents. We do
not at this point check that the replay_window is within the allocated
memory. This leads to out-of-bounds reads and writes triggered by
netlink packets. This leads to memory corruption and the potential for
privilege escalation.
We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn. It however does not check the replay_window
remains within that buffer. Add validation of the contained
replay_window.
CVE-2017-7184
Change-Id: Ida6d8c19161eb93d54a1cc0dddcb93bab3eb2e43
Tracked-On: https://jira01.devtools.intel.com/browse/AW-5094
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-on: https://android.intel.com/577958
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
In some cases the controller does not set any reset or abort interrupt,
gets crazy and generates a lot of interrupts, leading to soft lockup.
If it happens, mask all the interrupts to let the transaction timeout,
leading to a reset of the controller to go back in a normal state.
Change-Id: Ic3e8829d3ac2e70998daa6badd4c4fc35d3f17b6
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4892
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/580379
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Nassiet, GaelleX <gaellex.nassiet@intel.com>
Reviewed-by: Hu, Bingquan <bingquan.hu@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Zaghdoud, WalidX <walidx.zaghdoud@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Reviewed-by: Choudhary, ShriramX <shriramx.choudhary@intel.com>
|
|
This patch sets an alarm 60s after if there is no alarm in the next 60s.
It is a workaround to avoid sleeping for too long in case the watchdog
is not stopped during suspend.
Change-Id: Id6722d2257c5bd671e3037cb24bdaf59a2a3160f
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4212
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/578966
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Nassiet, GaelleX <gaellex.nassiet@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Viel, ClementX <clementx.viel@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
This patch kicks the watchdog on suspend and resume callbacks if the userspace
daemon has kicked it in the last timeout period (monotonic clock).
Change-Id: Id3c78e063a76dc4334c91e147a580b7b04c8d8b1
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4212
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/578779
Reviewed-by: Viel, ClementX <clementx.viel@intel.com>
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Nassiet, GaelleX <gaellex.nassiet@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
added boundary check not to override allocated buffer.
Especially when user input is corrupted or manipulated.
Bug: 34469904
Change-Id: If8f4ff74a7d284c6fb81b1137b13ba4aac8c1c65
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com>
Reviewed-on: https://android.intel.com/578162
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
added boundary check not to override allocated buffer
Bug: 34203305
Change-Id: Ice79209fb54397abd0e1ef6e67f5151f1738d373
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com>
Reviewed-on: https://android.intel.com/578156
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
(cherry picked from commit 0028b5162c79e0a35884da6a579e3456b9d108e5)
1) The default_chan_list buffer overflow is avoided by checking
n_nodfs index does not exceed num_chans, which is the length
of default_chan_list buffer.
2) The SSID length check 32(max limit) is done and then the SSID
name copied in extra buffer is null terminated. The extra buffer
is allocated a length of 33 in wl_iw_ioctl.c.
3) Issue of chances of cumulative results->pkt_count length
exceeding allocated memory length of results->total_count is
avoided in this fix. change_array is the destination array
whose length is allocated to results->total_count.
Bug: 34197514
Bug: 34199963
Bug: 34198729
Change-Id: I966c80c236d3e9df744f5445599f0a864bd234dc
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Signed-off-by: Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com>
Reviewed-on: https://android.intel.com/578154
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
prevent buffer overrun case where WLC_GET_VALID_CHANNELS IOCTL
overridden by attacker and its return manipulated.
Bug: 34197514
Change-Id: I81bec445fe024b9dbc17404daa6b7dc5c05e8d25
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com>
Reviewed-on: https://android.intel.com/578149
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
added boundary check not to override allocated buffer.
Bug: 32125310
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Amr BEN ABDESSALEM <amrx.ben.abdessalem@intel.com>
Change-Id: I9faaef3e084dea26910585310f59312f5c575ef5
Reviewed-on: https://android.intel.com/578148
Reviewed-by: Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com>
Tested-by: Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
WEXT API was already obsoleted and should be removed.
Bug: 32124445
Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4391
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-on: https://android.intel.com/570045
Reviewed-by: Ben Abdessalem, AmrX <amrx.ben.abdessalem@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.
In this case,
skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
msg->msg_iov);
returns -EFAULT.
This bug does not happen in upstream kernels since Al Viro did a great
job to replace this into :
skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
This variant is safe vs short buffers.
For the time being, instead of reverting Herbert Xu's patch and adding back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic
skb_copy_and_csum_datagram_iovec() call.
This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.
Change-Id: I87d77274a7ad45e18956292ca54e49518e4e30aa
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reviewed-on: https://android.intel.com/575929
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
The buffer allocation is not currently accounting for an extra byte for
the report id. This can cause an out of bounds access in function
i2c_hid_set_or_send_report() with reportID > 15.
Bug: 33040280
Signed-off-by: Adrian Salido <salidoa@google.com>
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805
Change-Id: Ifbad3ae07442b9a6266bb52e0b157ef0bff29573
Reviewed-on: https://android.intel.com/575890
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
This separates the kref for ion handles into two components.
Userspace requests through the ioctl will hold at most one
reference to the internally used kref. All additional requests
will increment a separate counter, and the original reference is
only put once that counter hits 0. This protects the kernel from
a poorly behaving userspace.
Bug: 34276203
Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4805
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Reviewed-on: https://android.intel.com/575863
Reviewed-by: Louis, FabienX <fabienx.louis@intel.com>
Tested-by: Louis, FabienX <fabienx.louis@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
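The split described in the ion commit message above, as an added user-space model (not code from the commit or the ion driver). All names are hypothetical, and the single-counter mode is an assumed contrast case, not taken from the page.

```c
#include <stdio.h>

/* User-space model; all names are hypothetical, not the ion driver's. */
struct handle {
    int kref;       /* internal count; the handle is freed when it hits 0 */
    int user_refs;  /* separate counter for userspace (ioctl) requests */
    int freed;
};

static void kref_put(struct handle *h)
{
    if (h->kref > 0 && --h->kref == 0)
        h->freed = 1;
}

/* split=0: every userspace request maps straight onto the kref (assumed
 * contrast model). split=1: userspace holds at most one kref reference. */
static void user_get(struct handle *h, int split)
{
    if (!split || h->user_refs == 0)
        h->kref++;
    h->user_refs++;
}

static int user_put(struct handle *h, int split)
{
    if (!split) { kref_put(h); return 0; } /* no per-user accounting */
    if (h->user_refs == 0)     /* userspace holds nothing: reject the put */
        return -1;
    if (--h->user_refs == 0)   /* last user reference releases the one kref */
        kref_put(h);
    return 0;
}

/* The kernel keeps one reference of its own; userspace does `gets` gets and
 * `puts` puts. Returns 1 if the handle was freed under the kernel. */
static int freed_under_kernel(int split, int gets, int puts)
{
    struct handle h = { .kref = 1, .user_refs = 0, .freed = 0 };
    for (int i = 0; i < gets; i++) user_get(&h, split);
    for (int i = 0; i < puts; i++) user_put(&h, split);
    return h.freed;
}

int main(void)
{
    printf("single=%d split=%d\n", freed_under_kernel(0, 1, 2), freed_under_kernel(1, 1, 2));
    return 0;
}
```

With one get and two puts, the single-counter model frees the handle while the kernel still holds its reference; the split model rejects the extra put.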
|
|
commit 8ebbb9096a1cdf8d166b13ee17f422dcde6527f8 introduced pm qos requests
in the mmc driver as a workaround for data transfer failures on byt platforms.
These qos requests preventing any state below C2 during read or write are not
needed on our devices, so remove them to reduce IO wait time and improve
experience (especially app cold launch time).
Change-Id: I9a5942e521432d573fb3ff18efe39b7241439482
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4588
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/571943
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
Reviewed-by: Viel, ClementX <clementx.viel@intel.com>
Tested-by: Viel, ClementX <clementx.viel@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
When covering the sensor, it gives a measurement of 47418 due to
arithmetic operations on unsigned types.
Change-Id: Icc110fc4aa11286e7a072bc3ac01dadfe45617c2
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4487
Signed-off-by: Hubert CHAUMETTE <hubertx.chaumette@intel.com>
Reviewed-on: https://android.intel.com/573584
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Ghaddab, RiadhX <riadhx.ghaddab@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Hu, Bingquan <bingquan.hu@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
This debug option costs around 5 MBytes of RAM and can be safely removed
as our 3.10 kernel is stable enough now. As CONFIG_SPLIT_PTLOCK_CPUS
depends on this one, its value is set back automatically to default (4).
Change-Id: Ic218dd58152fe0a22f0e195dd835130d509f262f
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4638
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/572652
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Zaghdoud, WalidX <walidx.zaghdoud@intel.com>
Reviewed-by: Nassiet, GaelleX <gaellex.nassiet@intel.com>
Reviewed-by: Viel, ClementX <clementx.viel@intel.com>
Tested-by: Viel, ClementX <clementx.viel@intel.com>
Reviewed-by: Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
|
|
This reverts commit 5ef1cfbaa03d5ffb5fe8a7c208ac3492ba1f51d0.
Change-Id: I90f2287355aef6a3046b7c329632a93433eea515
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4782
Reviewed-on: https://android.intel.com/573335
Reviewed-by: Ghaddab, RiadhX <riadhx.ghaddab@intel.com>
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Tested-by: Ghaddab, RiadhX <riadhx.ghaddab@intel.com>
Reviewed-by: Dubray, SimonX <simonx.dubray@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Jacquet, CyrilX <cyrilx.jacquet@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|
|
DSR count had been increased from 2 to 15 three years ago in order to make
it less power-aggressive and avoid shutting down the display for nothing.
On our platforms, we need to reduce it in order to increase the s0ix residency
in use cases with a few fps. It will allow sleeping more between 2 frames.
As free_count is incremented every 16ms, 2 is maybe a bit too aggressive (32ms)
but 4 looks like a good trade-off and should be safe enough.
Change-Id: Ie2e142fb7e25897d144c352e6eb3f2f7d0dd8573
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4777
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/565718
Reviewed-by: Lachaud, EtienneX <etiennex.lachaud@intel.com>
Reviewed-by: Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com>
Tested-by: Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
Reviewed-on: https://android.intel.com/569082
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
Tested-by: Deverge, Jean-francoisX <jean-francoisx.deverge@intel.com>
Reviewed-by: Whitfield, MichaelX <michaelx.whitfield@intel.com>
Reviewed-by: Jacquet, CyrilX <cyrilx.jacquet@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
|
|
Instead of hardcoding all the pci devices we do not want to power on/off,
only change power state of lss with a driver registered.
Change-Id: Ic5700d02eac32f721f701679a6cbef526f7eac28
Tracked-On: https://jira01.devtools.intel.com/browse/AW-4522
Signed-off-by: Simon Dubray <simonx.dubray@intel.com>
Reviewed-on: https://android.intel.com/571046
Reviewed-by: jenkins_ndg <jenkins_ndg@intel.com>
Reviewed-by: Lachaud, EtienneX <etiennex.lachaud@intel.com>
Reviewed-by: Ledentec, AlexandreX <alexandrex.ledentec@intel.com>
Reviewed-by: Korpershoek, MattijsX <mattijsx.korpershoek@intel.com>
Reviewed-by: Bel Aj Ali, HabibX <habibx.bel.aj.ali@intel.com>
Reviewed-by: Tasayco Loarte, VictorX <victorx.tasayco.loarte@intel.com>
|