Commits on Dec 21, 2016
  1. SQUASH: Revert incorrect CVE fixes to msm: camera

    mdmower committed Dec 21, 2016
    Revert "msm: camera: Don't return error code if array size is zero"
    
    This reverts commit 7c9d9f4.
    
    Revert "msm: camera: Restructure data handling to be more robust"
    
    This reverts commit d5c5e1c.
    
    Revert "msm: camera: Validate size param before allocating memory"
    
    This reverts commit 2942674.
    
    Revert "platform: msm: sensor: Fix out of bounds and null pointer."
    
    This reverts commit 69fb558.
    
    Revert "Revert "msm: camera: Don't return error code if array size is zero""
    
    This reverts commit acb26c7.
    
    Change-Id: I73a267ac7c3c892f8a8f1f81fa6ed2cbc2463996
Commits on Dec 18, 2016
  1. ASoC: msm: qdsp6v2: Change audio drivers to use %pK

    Ben Romberger authored and mdmower committed May 19, 2016
    Change all qdsp6v2 audio drivers to use %pK instead
    of %p. %pK hides addresses when the user doesn't
    have kernel permissions. If address information
    is needed echo 0 > /proc/sys/kernel/kptr_restrict.
    
    Change-Id: I7baa9f127266726fecf9238167a1e0128a258847
    Signed-off-by: Ben Romberger <bromberg@codeaurora.org>
    Signed-off-by: Surendar karka <sukark@codeaurora.org>
  2. msm: camera: Avoid exposing kernel addresses

    Azam Sadiq Pasha Kapatrala Syed authored and mdmower committed Mar 10, 2016
    Usage of %p exposes the kernel addresses, an easy target for
    kernel write vulnerabilities. With this patch currently
    %pK prints only zeros as address. If you need the actual address
    echo 0 > /proc/sys/kernel/kptr_restrict
    
    CRs-Fixed: 987011
    Change-Id: I6c79f82376936fc646b723872a96a6694fe47cd9
    Signed-off-by: Azam Sadiq Pasha Kapatrala Syed <akapatra@codeaurora.org>
  3. msm: mdss: hide kernel addresses from unprivileged users

    Abhijit Kulkarni authored and mdmower committed Jun 15, 2016
    For printing kernel pointers which should be hidden from unprivileged
    users, use %pK which evaluates whether kptr_restrict is set.
    
    CRs-Fixed: 987021
    Change-Id: Ie49eee9478f4657cfb2a994ba60da1ec4c356339
    Signed-off-by: Abhijit Kulkarni <kabhijit@codeaurora.org>
    Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
Commits on Dec 17, 2016
  1. usb: gadget: f_mbim: Change %p to %pK in debug messages

    m-chong authored and mdmower committed Oct 14, 2016
    The format specifier %p can leak kernel addresses
    while not valuing the kptr_restrict system settings.
    Use %pK instead of %p, which also evaluates whether
    kptr_restrict is set.
    
    Bug: 31802656
    Change-Id: I74e83192e0379586469edba3c7579a1cd75cf3c0
    Signed-off-by: Min Chong <mchong@google.com>
  2. netfilter: Change %p to %pK in debug messages

    m-chong authored and mdmower committed Oct 14, 2016
    The format specifier %p can leak kernel addresses
    while not valuing the kptr_restrict system settings.
    Use %pK instead of %p, which also evaluates whether
    kptr_restrict is set.
    
    RM-290
    
    Bug: 31796940
    Change-Id: Ia2946d6b493126d68281f97778faf578247f088e
    Signed-off-by: Min Chong <mchong@google.com>
  3. drivers: video: Add bounds checking in fb_cmap_to_user

    spfetsch authored and mdmower committed Oct 14, 2016
    Verify that unsigned int value will not become negative before cast to
    signed int.
    
    Bug: 31651010
    Change-Id: I548a200f678762042617f11100b6966a405a3920
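Added example (editor's own, not code from this repository or from the commit above): the arithmetic pattern that commit message describes, an unsigned difference stored in a signed int, next to a guarded version. The struct, the function names and the sample colour-map sizes are this example's assumptions; only the shape "unsigned start/len on both sides, int offsets in the kernel" is taken from the commit text.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Colour-map descriptor as fb_cmap_to_user() sees it: start and len are
 * unsigned, and the user-supplied "to" side is attacker-controlled. */
struct cmap { unsigned int start; unsigned int len; };

/* The shape the commit guards: the unsigned difference lands in an int.
 * For differences of 2^31 or more the conversion is implementation-defined
 * (it wraps on gcc/clang), so the offset turns negative. */
static int offset_unguarded(const struct cmap *from, const struct cmap *to)
{
    int fromoff = to->start - from->start;
    return fromoff;
}

/* Guarded: do the subtraction in unsigned arithmetic and refuse any value
 * that would not survive the cast to int. */
static bool offsets_guarded(const struct cmap *from, const struct cmap *to,
                            int *fromoff, int *tooff)
{
    unsigned int d;
    *fromoff = *tooff = 0;
    if (to->start > from->start) {
        d = to->start - from->start;
        if (d > INT_MAX) return false;
        *fromoff = (int)d;
    } else {
        d = from->start - to->start;
        if (d > INT_MAX) return false;
        *tooff = (int)d;
    }
    return true;
}

/* Entries to copy, or -1 (EINVAL) when the ranges do not overlap or the
 * arithmetic would leave the signed domain. Every subtraction here runs on
 * values already proven to fit. */
static int cmap_copy_entries(const struct cmap *from, const struct cmap *to)
{
    int fromoff, tooff;
    unsigned int avail_from, avail_to, n;
    if (!offsets_guarded(from, to, &fromoff, &tooff)) return -1;
    if ((unsigned int)fromoff >= from->len || (unsigned int)tooff >= to->len) return -1;
    avail_from = from->len - (unsigned int)fromoff;
    avail_to = to->len - (unsigned int)tooff;
    n = avail_from < avail_to ? avail_from : avail_to;
    if (n > INT_MAX) return -1;
    return (int)n;
}

/* Constructed cases: 256-entry kernel maps and user requests against them. */
static const struct cmap kmap         = { 0, 256 };
static const struct cmap kmap_offset  = { 32, 256 };
static const struct cmap user_hostile = { 0x80000000u, 16 };  /* top bit set */
static const struct cmap user_tail    = { 200, 256 };         /* overlaps the last 56 entries */
static const struct cmap user_past    = { 300, 8 };           /* starts beyond the map */
static const struct cmap user_head    = { 0, 64 };            /* starts before kmap_offset */

int main(void)
{
    printf("unguarded offset for start 0x80000000: %d\n", offset_unguarded(&kmap, &user_hostile));
    printf("guarded copy count, hostile: %d\n", cmap_copy_entries(&kmap, &user_hostile));
    printf("guarded copy count, tail:    %d\n", cmap_copy_entries(&kmap, &user_tail));
    printf("guarded copy count, past:    %d\n", cmap_copy_entries(&kmap, &user_past));
    printf("guarded copy count, head:    %d\n", cmap_copy_entries(&kmap_offset, &user_head));
    return 0;
}
```

The unguarded variant is only there to show the sign flip; the check worth keeping is the `d > INT_MAX` test before each cast, together with the `>= len` rejection before any length is subtracted.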
  4. msm: camera: cpp: Add validation for v4l2 ioctl arguments

    Suman Mukherjee authored and mdmower committed Sep 29, 2016
    When a CPP v4l2 ioctl command is made, if _IOC_DIR(cmd) is
    _IOC_NONE, then the user-supplied argument arg is not checked
    and an information disclosure is possible.
    CRs-Fixed: 1042068
    
    Change-Id: Iddb291b10cdcb5c42ab8497e06c2ce47885cd5ab
    Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
    Signed-off-by: Sunid Wilson <sunidw@codeaurora.org>
  5. net: ping: Fix stack buffer overflow in ping_common_sendmsg()

    Siqi Lin authored and mdmower committed Oct 13, 2016
    In ping_common_sendmsg(), when len < icmph_len, memcpy_fromiovec()
    will access invalid memory because msg->msg_iov only has 1 element
    and memcpy_fromiovec() attempts to increment it. KASAN report:
    
    BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
    Read of size 8 by task trinity-c2/9623
    page:ffffffbe034b9a08 count:0 mapcount:0 mapping:          (null) index:0x0
    flags: 0x0()
    page dumped because: kasan: bad access detected
    CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G    BU         3.18.0-dirty #15
    Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
    Call trace:
    [<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
    [<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
    [<     inline     >] __dump_stack lib/dump_stack.c:15
    [<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
    [<     inline     >] print_address_description mm/kasan/report.c:147
    [<     inline     >] kasan_report_error mm/kasan/report.c:236
    [<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
    [<     inline     >] check_memory_region mm/kasan/kasan.c:264
    [<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
    [<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
    [<     inline     >] memcpy_from_msg include/linux/skbuff.h:2667
    [<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
    [<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
    [<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
    [<     inline     >] __sock_sendmsg_nosec net/socket.c:624
    [<     inline     >] __sock_sendmsg net/socket.c:632
    [<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
    [<     inline     >] SYSC_sendto net/socket.c:1797
    [<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
    Memory state around the buggy address:
     ffffffc071077c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
     ffffffc071077d00: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
    >ffffffc071077d80: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
                                   ^
     ffffffc071077e00: 00 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
     ffffffc071077e80: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
    
    RM-290
    
    Bug: 31349935
    Change-Id: Ib7385fc26dfe7e07e9bab42a10ff65a37cbaab54
    Signed-off-by: Siqi Lin <siqilin@google.com>
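Added example (editor's own, not code from this repository or from the commit above): a userspace model of why a payload shorter than the ICMP header makes the iovec walk leave its array, and the length check that stops it before any copy. `copy_from_iov_bounded()` is a stand-in that, unlike the kernel helper, takes a segment count; the echo-request bytes, the `-EMSGSIZE` choice and the scenario functions are this example's assumptions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/uio.h>

/* Bounded stand-in for memcpy_fromiovec(). The 3.18 helper takes no segment
 * count: it loops until len bytes have been copied, doing iov++ after each
 * segment, so asking it for more bytes than the iov holds walks off the end
 * of the caller's on-stack array (the stack-out-of-bounds in the KASAN
 * report). This version knows nr_segs and returns -EFAULT instead. */
static int copy_from_iov_bounded(void *dst, const struct iovec *iov,
                                 size_t nr_segs, size_t len)
{
    unsigned char *out = dst;
    for (size_t i = 0; i < nr_segs && len > 0; i++) {
        size_t n = iov[i].iov_len < len ? iov[i].iov_len : len;
        memcpy(out, iov[i].iov_base, n);
        out += n;
        len -= n;
    }
    return len ? -EFAULT : 0;
}

/* Model of the header fetch in ping_common_sendmsg(): len is the caller's
 * total payload length, icmph_len the header size expected (8 bytes for an
 * ICMPv4 echo). Rejecting len < icmph_len is the kind of check the commit
 * describes; the error code is this example's choice. */
static int ping_fetch_icmph(unsigned char *icmph, size_t icmph_len,
                            const struct iovec *iov, size_t nr_segs, size_t len)
{
    if (len < icmph_len)
        return -EMSGSIZE;
    return copy_from_iov_bounded(icmph, iov, nr_segs, icmph_len);
}

/* Constructed ICMP echo request header: type 8, code 0, csum 0, id 0x1234, seq 1. */
static const unsigned char echo_hdr[8] = { 8, 0, 0, 0, 0x12, 0x34, 0, 1 };

/* len (4) < icmph_len (8): rejected before any copy. */
static int scenario_short_payload(void)
{
    unsigned char hdr[8];
    unsigned char payload[4] = { 8, 0, 0, 0 };
    struct iovec iov[1] = { { payload, sizeof payload } };
    return ping_fetch_icmph(hdr, sizeof hdr, iov, 1, sizeof payload);
}

/* What the unchecked path asked of the copy helper: 8 bytes out of a
 * one-segment iov holding 4. The bounded helper fails cleanly. */
static int scenario_unchecked_copy(void)
{
    unsigned char hdr[8];
    unsigned char payload[4] = { 8, 0, 0, 0 };
    struct iovec iov[1] = { { payload, sizeof payload } };
    return copy_from_iov_bounded(hdr, iov, 1, sizeof hdr);
}

/* Well-formed packet: header copied intact, returns 0. */
static int scenario_full_packet(void)
{
    unsigned char hdr[8];
    unsigned char payload[16];
    struct iovec iov[1];
    memcpy(payload, echo_hdr, sizeof echo_hdr);
    memset(payload + 8, 0xAB, 8);
    iov[0].iov_base = payload;
    iov[0].iov_len = sizeof payload;
    if (ping_fetch_icmph(hdr, sizeof hdr, iov, 1, sizeof payload) != 0)
        return -1;
    return memcmp(hdr, echo_hdr, sizeof echo_hdr) == 0 ? 0 : -2;
}

int main(void)
{
    printf("short payload:  %d (expect -EMSGSIZE = %d)\n", scenario_short_payload(), -EMSGSIZE);
    printf("unchecked copy: %d (expect -EFAULT = %d)\n", scenario_unchecked_copy(), -EFAULT);
    printf("full packet:    %d (expect 0)\n", scenario_full_packet());
    return 0;
}
```

The point the KASAN trace makes is that the bug is not in the copy loop but in the caller: a helper with no segment bound is only safe when every caller has already proven it asks for no more bytes than the message carries.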
  6. ASoC: msm: lock read/write when add/free audio ion memory

    Walter Yang authored and mdmower committed Sep 28, 2016
    As read/write get access to ion memory region as well, it's
    necessary to lock them when ion memory is about to be added/freed
    to avoid racing cases.
    
    CRs-Fixed: 1071809
    Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
    Signed-off-by: Walter Yang <yandongy@codeaurora.org>
    [GabrieleM: Adapted for msm8226 kernel]
  7. perf: protect group_leader from races that cause ctx double-free

    John Dias authored and mdmower committed Oct 10, 2016
    When moving a group_leader perf event from a software-context
    to a hardware-context, there's a race in checking and
    updating that context. The existing locking solution
    doesn't work; note that it tries to grab a lock inside
    the group_leader's context object, which you can only
    get at by going through a pointer that should be protected
    from these races. To avoid that problem, and to produce
    a simple solution, we can just use a lock per group_leader
    to protect all checks on the group_leader's context.
    The new lock is grabbed and released when no context locks
    are held.
    
    Bug: 30955111
    Bug: 31095224
    Change-Id: If37124c100ca6f4aa962559fba3bd5dbbec8e052
  8. BACKPORT: perf: Fix event->ctx locking

    Ariel Yin authored and mdmower committed Oct 13, 2016
    There have been a few reported issues wrt. the lack of locking around
    changing event->ctx. This patch tries to address those.
    
    It avoids the whole rwsem thing; and while it appears to work, please
    give it some thought in review.
    
    What I did fail at is sensible runtime checks on the use of
    event->ctx, the RCU use makes it very hard.
    
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    
    (cherry picked from commit f63a8daa5812afef4f06c962351687e1ff9ccb2b)
    Bug: 30955111
    Bug: 31095224
    
    Change-Id: I5bab713034e960fad467637e98e914440de5666d
  9. BACKPORT: lockdep: Silence warning if CONFIG_LOCKDEP isn't set

    pebolle authored and mdmower committed Jan 24, 2013
    Since commit c9a4962881929df7f1ef6e63e1b9da304faca4dd ("nfsd:
    make client_lock per net") compiling nfs4state.o without
    CONFIG_LOCKDEP set, triggers this GCC warning:
    
        fs/nfsd/nfs4state.c: In function ‘free_client’:
        fs/nfsd/nfs4state.c:1051:19: warning: unused variable ‘nn’ [-Wunused-variable]
    
    The cause of that warning is that lockdep_assert_held() compiles
    away if CONFIG_LOCKDEP is not set. Silence this warning by using
    the argument to lockdep_assert_held() as a nop if CONFIG_LOCKDEP
    is not set.
    
    Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: J. Bruce Fields <bfields@redhat.com>
    Link: http://lkml.kernel.org/r/1359060797.1325.33.camel@x61.thuisdomein
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    --
     include/linux/lockdep.h |    2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    Change-Id: I4a4e78fd92dccffe5fc7c3a2617ef7d4cf59f738
  10. BACKPORT: perf: Introduce perf_pmu_migrate_context()

    Yan, Zheng authored and mdmower committed Jun 15, 2012
    Originally from Peter Zijlstra. The helper migrates perf events
    from one cpu to another cpu.
    
    Conflicts (perf: Fix race in removing an event):
        kernel/events/core.c
    
    Change-Id: I7885fe36c9e2803b10477d556163197085be3d19
    Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1339741902-8449-5-git-send-email-zheng.z.yan@intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
  11. BACKPORT: perf: Allow the PMU driver to choose the CPU on which to install events

    Yan, Zheng authored and mdmower committed Jun 15, 2012
    Allow the pmu->event_init callback to change event->cpu, so the PMU driver
    can choose the CPU on which to install events.
    
    Change-Id: I0f8b4310d306f4c87bc961f0359c2bdf65c129b6
    Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1339741902-8449-4-git-send-email-zheng.z.yan@intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
  12. msm: sensor: validate the i2c table index before use

    Suman Mukherjee authored and mdmower committed Sep 22, 2016
    Verifying the i2c table index value before accessing
    the i2c table to avoid memory corruption issues.
    CRs-Fixed: 1065916
    
    RM-290
    
    Change-Id: I0e31c22f90006f27a77cd420288334b8355cee95
    Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
    Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
  13. UPSTREAM: staging/android/ion : fix a race condition in the ion driver

    Ariel Yin authored and mdmower committed Oct 12, 2016
    There is a use-after-free problem in the ion driver.
    This is caused by a race condition in the ion_ioctl()
    function.
    
    A handle has ref count of 1 and two tasks on different
    cpus calls ION_IOC_FREE simultaneously.
    
    cpu 0                                   cpu 1
    -------------------------------------------------------
    ion_handle_get_by_id()
    (ref == 2)
                                            ion_handle_get_by_id()
                                            (ref == 3)
    
    ion_free()
    (ref == 2)
    
    ion_handle_put()
    (ref == 1)
    
                                            ion_free()
                                            (ref == 0 so ion_handle_destroy() is
                                            called and the handle is freed.)
    
                                            ion_handle_put() is called and it
                                            decreases the slub's next free pointer
    
    The problem is detected as an unaligned access in the
    spin lock functions since it uses load exclusive
    instruction. In some cases it corrupts the slub's
    free pointer which causes a mis-aligned access to the
    next free pointer.(kmalloc returns a pointer like
    ffffc0745b4580aa). And it causes lots of other
    hard-to-debug problems.
    
    This symptom is caused since the first member in the
    ion_handle structure is the reference count and the
    ion driver decrements the reference after it has been
    freed.
    
    To fix this problem client->lock mutex is extended
    to protect all the codes that uses the handle.
    
    Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
    Reviewed-by: Laura Abbott <labbott@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7)
    bug: 31568617
    Change-Id: I4ea2be0cad3305c4e196126a02e2ab7108ef0976
    
    Change-Id: I5463992cc764bba0a1ebdaa3d59c422a46f8f6e0
Commits on Dec 8, 2016
  1. arm: fix handling of F_OFD_... in oabi_fcntl64()

    Al Viro authored and mdmower committed Dec 29, 2015
    Change-Id: I75054f88e8c2c10a61b100a20b00bfbf09ff7c4d
    Cc: stable@vger.kernel.org # 3.15+
    Reviewed-by: Jeff Layton <jeff.layton@primarydata.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  2. packet: fix race condition in packet_set_ring

    Philip Pettersson authored and mdmower committed Nov 30, 2016
    When packet_set_ring creates a ring buffer it will initialize a
    struct timer_list if the packet version is TPACKET_V3. This value
    can then be raced by a different thread calling setsockopt to
    set the version to TPACKET_V1 before packet_set_ring has finished.
    
    This leads to a use-after-free on a function pointer in the
    struct timer_list when the socket is closed as the previously
    initialized timer will not be deleted.
    
    The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
    changing the packet version while also taking the lock at the start
    of packet_set_ring.
    
    Change-Id: Iec8b20f499134e1edd0f9214aa4dde477d1674e1
    Fixes: f6fb8f1 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
Commits on Dec 1, 2016
  1. msm: camera: Don't return error code if array size is zero

    Suman Mukherjee authored and mdmower committed Jun 18, 2015
    i2c write can get invoked initially when conf_array size is zero.
    Returning a failure code causes the camera to fail to launch.
    
    Change-Id: Ic19d8916c5e433020fc7f0558054c26ed3651cdf
    Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
  2. msm: camera: Restructure data handling to be more robust

    Samyukta Mogily authored and mdmower committed Sep 8, 2016
    Use dynamic array allocation instead of static array to
    prevent stack overflow.
    User-supplied number of bytes may result in integer overflow.
    To fix this we check that the num_byte isn't above 8K size.
    
    CRs-Fixed: 1060554
    Change-Id: I407b5ec8cdc2ac7f3b491644418d3eb1101ce65a
    Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
  3. msm: camera: Validate size param before allocating memory

    Deepak Kaushal authored and mdmower committed Apr 8, 2015
    Whenever i2c write is initiated check size param for NULL
    and in case of sequence write check for maximum allowed
    size per i2c sequence write.
    
    Change-Id: I111282537663d6b263a3686927c85b8f71560dae
    Signed-off-by: Deepak Kaushal <dkaushal@codeaurora.org>
  4. platform: msm: sensor: Fix out of bounds and null pointer.

    Ivan Tiyanov authored and mdmower committed Jun 19, 2014
    This change fixes out of bounds and null pointer
    dereferences in sensor drivers.
    
    [GabrieleM: Remove unneeded NULL pointer check]
    Change-Id: I5f8974d3435c2770f6e91809c153a98aa38f52a7
    Signed-off-by: Ivan Tiyanov <ivant@codeaurora.org>
    Signed-off-by: Lakshmi Narayana Kalavala <lkalaval@codeaurora.org>
  5. Revert "msm: camera: Don't return error code if array size is zero"

    mdmower committed Dec 1, 2016
    This reverts commit 4b3bccf.
    
    Change-Id: Ide953a347991f032e058a3a6483e65b4686c0ca3
Commits on Nov 15, 2016
  1. ion: disable system contig heap

    Liam Mark authored and mdmower committed Oct 12, 2016
    A malicious application can take advantage of the ION contig heap to
    create a specific memory chunk size to exercise a rowhammer attack on the
    physical hardware.
    So remove support for the ION contig heap.
    
    Change-Id: I9cb454cebb74df291479cecc3533d2c684363f77
    Signed-off-by: Liam Mark <lmark@codeaurora.org>
    Signed-off-by: Prakash Gupta <guptap@codeaurora.org>
  2. HID: core: prevent out-of-bound readings

    Benjamin Tissoires authored and mdmower committed Jan 19, 2016
    Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
    out-of-bound readings.
    
    The fields are allocated up to MAX_USAGE, meaning that potentially, we do
    not have enough fields to fit the incoming values.
    Add checks and silence KASAN.
    
    Change-Id: I11d44957b450a3eda258c05f9e833c71a079e83c
    Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
  3. BACKPORT: tty: Prevent ldisc drivers from re-using stale tty fields

    peterhurley authored and mdmower committed Nov 27, 2015
    (cherry picked from commit dd42bf1197144ede075a9d4793123f7689e164bc)
    
    Line discipline drivers may mistakenly misuse ldisc-related fields
    when initializing. For example, a failure to initialize tty->receive_room
    in the N_GIGASET_M101 line discipline was recently found and fixed [1].
    Now, the N_X25 line discipline has been discovered accessing the previous
    line discipline's already-freed private data [2].
    
    Harden the ldisc interface against misuse by initializing relevant
    tty fields before instancing the new line discipline.
    
    [1]
        commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
        Author: Tilman Schmidt <tilman@imap.cc>
        Date:   Tue Jul 14 00:37:13 2015 +0200
    
        isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
    
    [2] Report from Sasha Levin <sasha.levin@oracle.com>
        [  634.336761] ==================================================================
        [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
        [  634.339558] Read of size 4 by task syzkaller_execu/8981
        [  634.340359] =============================================================================
        [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
        ...
        [  634.405018] Call Trace:
        [  634.405277] dump_stack (lib/dump_stack.c:52)
        [  634.405775] print_trailer (mm/slub.c:655)
        [  634.406361] object_err (mm/slub.c:662)
        [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
        [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
        [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
        [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
        [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
        [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
        [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
        [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
        [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
    
    Cc: Tilman Schmidt <tilman@imap.cc>
    Cc: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Change-Id: Ibed6feadfb9706d478f93feec3b240aecfc64af3
    Bug: 30951112
Commits on Nov 14, 2016
  1. msm: sensor: Avoid potential stack overflow

    VijayaKumar T M authored and mdmower committed Sep 6, 2016
    Add a check to validate the user input data is not
    greater than expected stack buffer size to avoid out
    of bounds array accesses
    -Fix checkpatch.pl warnings.
    
    RM-290
    
    CRs-Fixed: 1056307
    Change-Id: I8b31006772367a120828269243b1971d33a4d7d3
    Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
  2. msm: crypto: Fix integer overflow check in qcrypto driver

    Zhen Kong authored and mdmower committed Aug 16, 2016
    Integer overflow check is invalid when ULONG_MAX is used,
    as ULONG_MAX has typeof 'unsigned long', while req->assoclen,
    req->cryptlen, and qreq.ivsize are 'unsigned int'. Make change
    to use UINT_MAX instead of ULONG_MAX.
    
    RM-290
    
    CRs-fixed: 1050970
    Change-Id: I3782ea7ed2eaacdcad15b34e047a4699bf4f9e4f
    Signed-off-by: Zhen Kong <zkong@codeaurora.org>
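Added example (editor's own, not the qcrypto driver's code): why an overflow check written against `ULONG_MAX` is a no-op for `unsigned int` operands on an LP64 kernel, and the `UINT_MAX` form that actually fires. The field names follow the commit message; the check shapes, the struct and the sample lengths are this example's assumptions.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Lengths as the commit describes them: all unsigned int. */
struct aead_lengths {
    unsigned int assoclen;
    unsigned int cryptlen;
    unsigned int ivsize;
};

/* The flawed shape: bound the sum by ULONG_MAX. On LP64, ULONG_MAX - a is
 * close to 2^64, so no 32-bit b can exceed it and the check never fires,
 * while the later a + b still wraps modulo 2^32. (On a 32-bit build
 * ULONG_MAX == UINT_MAX and this happens to work, which is how such a
 * check survives review.) Returns true when it thinks a + b overflows. */
static bool would_overflow_ulong_check(unsigned int a, unsigned int b)
{
    return (ULONG_MAX - a) < b;
}

/* Corrected: the bound has the operands' own type. */
static bool would_overflow_uint_check(unsigned int a, unsigned int b)
{
    return (UINT_MAX - a) < b;
}

/* ivsize + cryptlen + assoclen with both additions checked.
 * Returns false on overflow, otherwise writes the total. */
static bool aead_total_len(const struct aead_lengths *l, unsigned int *total)
{
    unsigned int sum;
    if (would_overflow_uint_check(l->ivsize, l->cryptlen))
        return false;
    sum = l->ivsize + l->cryptlen;
    if (would_overflow_uint_check(sum, l->assoclen))
        return false;
    *total = sum + l->assoclen;
    return true;
}

/* Total from the checked path, or 0 when it refuses the request. */
static unsigned int checked_total(const struct aead_lengths *l)
{
    unsigned int t;
    return aead_total_len(l, &t) ? t : 0;
}

/* Total the driver would compute if it trusted the ULONG_MAX check:
 * 0 when that check fires, otherwise the (possibly wrapped) sum. */
static unsigned int unchecked_total(const struct aead_lengths *l)
{
    if (would_overflow_ulong_check(l->ivsize, l->cryptlen) ||
        would_overflow_ulong_check(l->ivsize + l->cryptlen, l->assoclen))
        return 0;
    return l->ivsize + l->cryptlen + l->assoclen;
}

/* Constructed inputs: a sane request and one whose ivsize + cryptlen is
 * exactly 2^32, so the 32-bit sum wraps to 0. */
static const struct aead_lengths sane     = { 16, 4096, 16 };
static const struct aead_lengths wrapping = { 16, 0xFFFFFFF0u, 16 };

int main(void)
{
    printf("sizeof(unsigned long) = %zu\n", sizeof(unsigned long));
    printf("sane:     checked %u, unchecked %u\n", checked_total(&sane), unchecked_total(&sane));
    printf("wrapping: checked %u (0 = rejected), unchecked %u\n",
           checked_total(&wrapping), unchecked_total(&wrapping));
    return 0;
}
```

On a 64-bit build the wrapping request passes the `ULONG_MAX` check and comes out with a total of 16 bytes for what is really a 4 GiB request; the `UINT_MAX` check rejects it. The general rule: the limit constant in an overflow check must have the same width as the operands, and each addition in a chain needs its own check.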
  3. qcedev: Validate Source and Destination addresses

    AnilKumar Chimata authored and mdmower committed Aug 31, 2016
    Source and Destination addresses passed by user space apps/clients
    are validated independent of type of operation to mitigate kernel
    address space exploitation.
    
    RM-290
    
    Change-Id: If831275cdcc96cb0bf829fc62056e408accbfcca
    Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
  4. BACKPORT: audit: fix a double fetch in audit_log_single_execve_arg()

    pcmoore authored and mdmower committed Sep 13, 2016
    (cherry picked from commit 43761473c254b45883a64441dd0bc85a42f3645c)
    
    There is a double fetch problem in audit_log_single_execve_arg()
    where we first check the execve(2) arguments for any "bad" characters
    which would require hex encoding and then re-fetch the arguments for
    logging in the audit record[1].  Of course this leaves a window of
    opportunity for an unsavory application to munge with the data.
    
    This patch reworks things by only fetching the argument data once[2]
    into a buffer where it is scanned and logged into the audit
    records(s).  In addition to fixing the double fetch, this patch
    improves on the original code in a few other ways: better handling
    of large arguments which require encoding, stricter record length
    checking, and some performance improvements (completely unverified,
    but we got rid of some strlen() calls, that's got to be a good
    thing).
    
    As part of the development of this patch, I've also created a basic
    regression test for the audit-testsuite, the test can be tracked on
    GitHub at the following link:
    
     * linux-audit/audit-testsuite#25
    
    [1] If you pay careful attention, there is actually a triple fetch
    problem due to a strnlen_user() call at the top of the function.
    
    [2] This is a tiny white lie, we do make a call to strnlen_user()
    prior to fetching the argument data.  I don't like it, but due to the
    way the audit record is structured we really have no choice unless we
    copy the entire argument at once (which would require a rather
    wasteful allocation).  The good news is that with this patch the
    kernel no longer relies on this strnlen_user() value for anything
    beyond recording it in the log, we also update it with a trustworthy
    value whenever possible.
    
    Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Paul Moore <paul@paul-moore.com>
    Change-Id: I10e979e94605e3cf8d461e3e521f8f9837228aa5
    Bug: 30956807
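Added example (editor's own, not the audit subsystem's code): the double-fetch shape the commit describes next to the single-fetch shape it moves to, run against a user-memory stub that changes its answer between two fetches so the race is deterministic. The stub, the two constructed argument strings, the encoding rule (modelled on audit's untrusted-string handling: a quote, a control byte or a non-ASCII byte forces hex) and the uppercase hex output are this example's assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ARG_CAP 64

/* Simulated user memory. A real process can rewrite its argv from another
 * thread between two copy_from_user() calls; this stub makes that race
 * deterministic: fetch number 0 sees a clean argument, every later fetch
 * sees one with a control byte spliced in. Both strings are constructed. */
static const char *user_views[] = { "ls", "ls\x01" };
static int fetch_count;

static void reset_user(int first_view) { fetch_count = first_view; }

/* Stand-in for copy_from_user(): copies whatever the user holds right now. */
static size_t fetch_user_arg(char *dst, size_t cap)
{
    const char *src = user_views[fetch_count < 1 ? 0 : 1];
    size_t n = strnlen(src, cap - 1);
    fetch_count++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Encoding rule used here: quotes, control bytes and non-ASCII force hex. */
static bool needs_hex(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '"' || c < 0x21 || c > 0x7e) return true;
    }
    return false;
}

/* Write either "arg" (quoted, raw) or the uppercase hex of arg into out. */
static void emit(char *out, size_t cap, const char *s, size_t n, bool hex)
{
    if (!hex) { snprintf(out, cap, "\"%.*s\"", (int)n, s); return; }
    size_t o = 0;
    for (size_t i = 0; i < n && o + 3 <= cap; i++)
        o += (size_t)snprintf(out + o, cap - o, "%02X", (unsigned char)s[i]);
}

/* Vulnerable shape: fetch #1 decides the encoding, fetch #2 supplies the
 * bytes that are logged. If the user changes the string in between, the
 * classification no longer matches the data that lands in the record. */
static void log_arg_double_fetch(char *out, size_t cap)
{
    char buf[ARG_CAP];
    size_t n = fetch_user_arg(buf, sizeof buf);
    bool hex = needs_hex(buf, n);
    n = fetch_user_arg(buf, sizeof buf);
    emit(out, cap, buf, n, hex);
}

/* Fixed shape: one fetch; the scan and the log record use the same bytes. */
static void log_arg_single_fetch(char *out, size_t cap)
{
    char buf[ARG_CAP];
    size_t n = fetch_user_arg(buf, sizeof buf);
    emit(out, cap, buf, n, needs_hex(buf, n));
}

static char log_line[2 * ARG_CAP + 3];

/* Returns true if a raw 0x01 byte reached the log record unencoded. */
static bool scenario_double_fetch_leaks_control_byte(void)
{
    reset_user(0);
    log_arg_double_fetch(log_line, sizeof log_line);
    return memchr(log_line, 0x01, strlen(log_line)) != NULL;
}

/* first_view selects which user string the single fetch observes. */
static const char *scenario_single_fetch(int first_view)
{
    reset_user(first_view);
    log_arg_single_fetch(log_line, sizeof log_line);
    return log_line;
}

int main(void)
{
    printf("double fetch leaks control byte: %s\n",
           scenario_double_fetch_leaks_control_byte() ? "yes" : "no");
    printf("single fetch, clean arg:   %s\n", scenario_single_fetch(0));
    printf("single fetch, tainted arg: %s\n", scenario_single_fetch(1));
    return 0;
}
```

With the single fetch the tainted argument is still logged, but as `6C7301` rather than as a quoted string carrying a raw control byte, so a consumer of the audit log cannot be fed bytes the kernel never inspected.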
  5. perf: Fix race in swevent hash

    Peter Zijlstra authored and mdmower committed Dec 15, 2015
    There's a race on CPU unplug where we free the swevent hash array
    while it can still have events on. This will result in a
    use-after-free which is BAD.
    
    Simply do not free the hash array on unplug. This leaves the thing
    around and no use-after-free takes place.
    
    When the last swevent dies, we do a for_each_possible_cpu() iteration
    anyway to clean these up, at which time we'll free it, so no leakage
    will occur.
    
    Change-Id: I751faf3215bbdaa6b6358f3a752bdd24126cfa0b
    Reported-by: Sasha Levin <sasha.levin@oracle.com>
    Tested-by: Sasha Levin <sasha.levin@oracle.com>
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
    Cc: Frederic Weisbecker <fweisbec@gmail.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stephane Eranian <eranian@google.com>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Vince Weaver <vincent.weaver@maine.edu>
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
  6. ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call

    nefigtut authored and mdmower committed Mar 31, 2016
    create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
    create_uaxx_quirk() functions allocate the audioformat object by themselves
    and free it upon error before returning. However, once the object is linked
    to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
    double-freed, eventually resulting in a memory corruption.
    
    This patch fixes these failures in the error paths by unlinking the audioformat
    object before freeing it.
    
    Based on a patch by Takashi Iwai <tiwai@suse.de>
    
    [Note for stable backports:
     this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
     code cleanup in create_fixed_stream_quirk()')]
    
    RM-290
    
    Change-Id: I129dc4f3b0ae4cb6f790c16d24dd768c9ee06822
    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
    Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
    Cc: <stable@vger.kernel.org> # see the note above
    Signed-off-by: Vladis Dronov <vdronov@redhat.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  7. ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()

    tiwai authored and mdmower committed Mar 15, 2016
    Just a minor code cleanup: unify the error paths.
    
    Change-Id: I31346b08ed1024819c58eff797c63bb42c283512
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
  8. sg: Fix double-free when drives detach during SG_IO

    jcalvinowens authored and mdmower committed Oct 30, 2015
    In sg_common_write(), we free the block request and return -ENODEV if
    the device is detached in the middle of the SG_IO ioctl().
    
    Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
    end up freeing rq->cmd in the already free rq object, and then free
    the object itself out from under the current user.
    
    This ends up corrupting random memory via the list_head on the rq
    object. The most common crash trace I saw is this:
    
      ------------[ cut here ]------------
      kernel BUG at block/blk-core.c:1420!
      Call Trace:
      [<ffffffff81281eab>] blk_put_request+0x5b/0x80
      [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
      [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
      [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
      [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
      [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
      [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
      [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
      [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
      [<ffffffff81602afb>] tracesys+0xdd/0xe2
        RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0
    
    The solution is straightforward: just set srp->rq to NULL in the
    failure branch so that sg_finish_rem_req() doesn't attempt to re-free
    it.
    
    Additionally, since sg_rq_end_io() will never be called on the object
    when this happens, we need to free memory backing ->cmd if it isn't
    embedded in the object itself.
    
    KASAN was extremely helpful in finding the root cause of this bug.
    
    Change-Id: I8c2389a4e2e1b5f753a47f8af60502a761b891b5
    Signed-off-by: Calvin Owens <calvinowens@fb.com>
    Acked-by: Douglas Gilbert <dgilbert@interlog.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
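Added example (editor's own, not the sg driver's code): a cut-down model of the ownership bug the commit above describes and of its two-part fix, clearing `srp->rq` after the early release and freeing a non-embedded `->cmd` because no completion handler will. Freed flags stand in for the allocator so the double free is counted instead of corrupting a real heap; the struct layout, the 16-byte inline command threshold and the scenario functions are this example's assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define CMD_INLINE 16   /* short CDBs live inside the request, long ones elsewhere */

/* Cut-down block request with a simulated allocator: freed flags stand in
 * for blk_put_request()/kfree() so a second release can be counted. */
struct request {
    unsigned char *cmd;
    unsigned char inline_cmd[CMD_INLINE];
    unsigned int cmd_len;
    bool freed;
    bool cmd_freed;
};
static unsigned char heap_cmd[32];  /* backing store for a long CDB */
struct sg_request { struct request *rq; };

static int double_frees;

static void init_request(struct request *rq, unsigned int cmd_len)
{
    memset(rq, 0, sizeof *rq);
    rq->cmd_len = cmd_len;
    rq->cmd = cmd_len <= CMD_INLINE ? rq->inline_cmd : heap_cmd;
}

/* blk_put_request() stand-in: releases the request object only. */
static void put_request(struct request *rq)
{
    if (rq->freed) { double_frees++; return; }   /* real kernel: list_head corruption, BUG */
    rq->freed = true;
}

/* Release ->cmd when it is not embedded. Normally the completion handler
 * does this, but it never runs once the device has gone away. */
static void free_cmd_if_heap(struct request *rq)
{
    if (rq->cmd == rq->inline_cmd) return;
    if (rq->cmd_freed) { double_frees++; return; }
    rq->cmd_freed = true;
}

/* sg_finish_rem_req() stand-in: frees whatever srp still points at. */
static void finish_rem_req(struct sg_request *srp)
{
    if (srp->rq) { put_request(srp->rq); srp->rq = NULL; }
}

/* Detach-mid-ioctl error path, before the fix: rq is released but srp->rq
 * still points at it, so the common cleanup releases it again. */
static int common_write_detached_broken(struct sg_request *srp)
{
    put_request(srp->rq);
    return -ENODEV;
}

/* After the fix: drop ->cmd ourselves, release the request, and clear the
 * pointer so the common cleanup skips it. */
static int common_write_detached_fixed(struct sg_request *srp)
{
    free_cmd_if_heap(srp->rq);
    put_request(srp->rq);
    srp->rq = NULL;
    return -ENODEV;
}

/* Runs one variant with a 24-byte (non-embedded) CDB; returns double frees seen. */
static int run(int (*write_path)(struct sg_request *), bool *cmd_released)
{
    struct request rq;
    struct sg_request srp;
    double_frees = 0;
    init_request(&rq, 24);
    srp.rq = &rq;
    (void)write_path(&srp);
    finish_rem_req(&srp);
    *cmd_released = rq.cmd_freed;
    return double_frees;
}

static int scenario_broken_double_frees(void) { bool c; return run(common_write_detached_broken, &c); }
static bool scenario_broken_leaks_cmd(void)   { bool c; run(common_write_detached_broken, &c); return !c; }
static int scenario_fixed_double_frees(void)  { bool c; return run(common_write_detached_fixed, &c); }
static bool scenario_fixed_releases_cmd(void) { bool c; run(common_write_detached_fixed, &c); return c; }

int main(void)
{
    printf("broken: double frees %d, cmd leaked %s\n",
           scenario_broken_double_frees(), scenario_broken_leaks_cmd() ? "yes" : "no");
    printf("fixed:  double frees %d, cmd released %s\n",
           scenario_fixed_double_frees(), scenario_fixed_releases_cmd() ? "yes" : "no");
    return 0;
}
```

The model shows why clearing the pointer alone is not enough: without the explicit `free_cmd_if_heap()` the broken path trades a double free for a leak of the long command buffer, which is the second half of the fix the commit message calls out.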