Commits on Feb 5, 2017
  1. netfilter: xt_rpfilter: skip locally generated broadcast/multicast, too

    Florian Westphal authored and mdmower committed Apr 17, 2013
    Alex Efros reported that the rpfilter module doesn't match the following packets:
    IN=br.qemu SRC=192.168.2.1 DST=192.168.2.255 [ .. ]
    (netfilter bugzilla #814).
    
    Problem is that network stack arranges for the locally generated broadcasts
    to appear on the interface they were sent out, so the IFF_LOOPBACK check
    doesn't trigger.
    
    As -m rpfilter is restricted to PREROUTING, we can check for existing
    rtable instead, it catches locally-generated broad/multicast case, too.
    
    Change-Id: I2d921ac4d53e5b1ca9a5249e489c33e4fa4a4b3a
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. net: Loopback ifindex is constant now

    xemul authored and mdmower committed Aug 8, 2012
    As pointed out, there are places that access net->loopback_dev->ifindex,
    and after ifindex generation is made per-net this value becomes a constant
    equal to 1. So go ahead and introduce the LOOPBACK_IFINDEX constant and use
    it where appropriate.
    
    Change-Id: I29fd08fa01a9522240ab654d436b02a577bb610c
    Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
Commits on Feb 1, 2017
  1. ANDROID: trace: net: use %pK for kernel pointers

    mukesh agrawal authored and mdmower committed Jul 12, 2016
    We want to use network trace events in production
    builds, to help diagnose Wifi problems. However, we
    don't want to expose raw kernel pointers in such
    builds.
    
    Change the format specifier for the skbaddr field,
    so that, if kptr_restrict is enabled, the pointers
    will be reported as 0.
    
    Bug: 30090733
    Change-Id: Ic4bd583d37af6637343601feca875ee24479ddff
    Signed-off-by: mukesh agrawal <quiche@google.com>
Commits on Jan 29, 2017
  1. media: radio: Fix building and loading the IRIS transport

    rmcc authored and mdmower committed Jan 8, 2015
    Break the initialization dependency on module-load and tie it to
    opening up the actual v4l device.
    
    Change-Id: I12d5226e7e9b15d14cf62e2dc666612f4cb608f1
  2. Revert "radio: iris: change the FM module from modular to built in"

    mdmower committed Jan 29, 2017
    This reverts commit 64d38bd.
    
    Change-Id: I527049f2aee2ecc13f336b144cbb7333f7ddf841
  3. Revert "radio: iris: Fix the possibility of NULL pointer access"

    mdmower committed Jan 29, 2017
    This reverts commit c52ca80.
    
    Change-Id: I93f28b2c5c8828ae34b662daa6def9a41a404da8
Commits on Jan 14, 2017
  1. Makefile: update CROSS_COMPILE prefix

    mdmower committed Jan 14, 2017
    Resolves script errors when running 'make mrproper'
    
    Change-Id: I59c72871c1a608503e7da644b20195a9e7b5dd16
Commits on Jan 2, 2017
  1. arm: Rename mt2 defconfig

    mdmower committed Jan 2, 2017
    * Remove cyanogenmod qualifier
    
    Change-Id: I80461b2b5dcbc9718a7979ac6021d378bca65da6
Commits on Dec 21, 2016
  1. fs: Resolve uninitialized variable warnings

    mdmower committed Dec 21, 2016
    Change-Id: Icb9d8bbfe6757ca269e1990139f60939cadf09fa
  2. power: qpnp-bms: Resolve uninitialized variable warnings

    mdmower committed Dec 21, 2016
    Change-Id: I3f4e52b4f016cb0808ee5807419b7a000b8fe14a
  3. msm: kgsl: Resolve uninitialized variable warnings

    mdmower committed Dec 21, 2016
    Change-Id: Ie8be0081c256005fb43e26182bb64c4ae321b14e
  4. fs: Add TTY PM IOCTLs to compat table

    Naveen Kaje authored and mdmower committed Jul 29, 2014
    Augment the compat ioctl table with entries for
    PM control of TTY devices. These compat entries
    were not present since other TTY/serial core drivers
    were not using them.
    
    Change-Id: I96a0e54c001d780a2a427380655f1fbb0091aef7
    Signed-off-by: Naveen Kaje <nkaje@codeaurora.org>
  5. net: fix uninitialized variable usage

    ccfries authored and mdmower committed Mar 19, 2013
    Change-Id: I66e024ce16bda11143dbbee9ca1d465aa451cf9b
    Signed-off-by: Chris Fries <C.Fries@motorola.com>
    (cherry picked from commit 7f35d9daca3f4eabd852a7d03a307e978f647658)
  6. get rid of kern_path_parent()

    Al Viro authored and mdmower committed Jun 14, 2012
    all callers want the same thing, actually - a kinda-sorta analog of
    kern_path_create().  I.e. they want parent vfsmount/dentry (with
    ->i_mutex held, to make sure the child dentry is still their child)
    + the child dentry.
    
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    
    Change-Id: I58cc7b0a087646516db9af69962447d27fb3ee8b
  7. arm: msm: mt2: enable NF_MATCH_RPFILTER

    intervigilium authored and mdmower committed Dec 8, 2016
    Needed for tethering
    
    Change-Id: I9f081d2217ffbdec46616864c24e8eb6ae57af9c
  8. SQUASH: Revert incorrect CVE fixes to msm: camera

    mdmower committed Dec 21, 2016
    Revert "msm: camera: Don't return error code if array size is zero"
    
    This reverts commit 7c9d9f4.
    
    Revert "msm: camera: Restructure data handling to be more robust"
    
    This reverts commit d5c5e1c.
    
    Revert "msm: camera: Validate size param before allocating memory"
    
    This reverts commit 2942674.
    
    Revert "platform: msm: sensor: Fix out of bounds and null pointer."
    
    This reverts commit 69fb558.
    
    Revert "Revert "msm: camera: Don't return error code if array size is zero""
    
    This reverts commit acb26c7.
    
    Change-Id: I73a267ac7c3c892f8a8f1f81fa6ed2cbc2463996
Commits on Dec 18, 2016
  1. ASoC: msm: qdsp6v2: Change audio drivers to use %pK

    Ben Romberger authored and mdmower committed May 19, 2016
    Change all qdsp6v2 audio drivers to use %pK instead
    of %p. %pK hides addresses when the user doesn't
    have kernel permissions. If address information
    is needed, echo 0 > /proc/sys/kernel/kptr_restrict.
    
    Change-Id: I7baa9f127266726fecf9238167a1e0128a258847
    Signed-off-by: Ben Romberger <bromberg@codeaurora.org>
    Signed-off-by: Surendar karka <sukark@codeaurora.org>
  2. msm: camera: Avoid exposing kernel addresses

    Azam Sadiq Pasha Kapatrala Syed authored and mdmower committed Mar 10, 2016
    Usage of %p exposes the kernel addresses, an easy target for
    kernel write vulnerabilities. With this patch, %pK currently
    prints only zeros as the address. If you need the actual address,
    echo 0 > /proc/sys/kernel/kptr_restrict
    
    CRs-Fixed: 987011
    Change-Id: I6c79f82376936fc646b723872a96a6694fe47cd9
    Signed-off-by: Azam Sadiq Pasha Kapatrala Syed <akapatra@codeaurora.org>
  3. msm: mdss: hide kernel addresses from unprivileged users

    Abhijit Kulkarni authored and mdmower committed Jun 15, 2016
    For printing kernel pointers which should be hidden from unprivileged
    users, use %pK, which evaluates whether kptr_restrict is set.
    
    CRs-Fixed: 987021
    Change-Id: Ie49eee9478f4657cfb2a994ba60da1ec4c356339
    Signed-off-by: Abhijit Kulkarni <kabhijit@codeaurora.org>
    Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
Commits on Dec 17, 2016
  1. usb: gadget: f_mbim: Change %p to %pK in debug messages

    m-chong authored and mdmower committed Oct 14, 2016
    The format specifier %p can leak kernel addresses
    while not valuing the kptr_restrict system settings.
    Use %pK instead of %p, which also evaluates whether
    kptr_restrict is set.
    
    Bug: 31802656
    Change-Id: I74e83192e0379586469edba3c7579a1cd75cf3c0
    Signed-off-by: Min Chong <mchong@google.com>
  2. netfilter: Change %p to %pK in debug messages

    m-chong authored and mdmower committed Oct 14, 2016
    The format specifier %p can leak kernel addresses
    while not valuing the kptr_restrict system settings.
    Use %pK instead of %p, which also evaluates whether
    kptr_restrict is set.
    
    RM-290
    
    Bug: 31796940
    Change-Id: Ia2946d6b493126d68281f97778faf578247f088e
    Signed-off-by: Min Chong <mchong@google.com>
  3. drivers: video: Add bounds checking in fb_cmap_to_user

    spfetsch authored and mdmower committed Oct 14, 2016
    Verify that unsigned int value will not become negative before cast to
    signed int.
    
    Bug: 31651010
    Change-Id: I548a200f678762042617f11100b6966a405a3920
  4. msm: camera: cpp: Add validation for v4l2 ioctl arguments

    Suman Mukherjee authored and mdmower committed Sep 29, 2016
    When a CPP v4l2 ioctl command is made, if _IOC_DIR(cmd) is
    _IOC_NONE, then the user-supplied argument arg is not checked
    and an information disclosure is possible.
    CRs-Fixed: 1042068
    
    Change-Id: Iddb291b10cdcb5c42ab8497e06c2ce47885cd5ab
    Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
    Signed-off-by: Sunid Wilson <sunidw@codeaurora.org>
  5. net: ping: Fix stack buffer overflow in ping_common_sendmsg()

    Siqi Lin authored and mdmower committed Oct 13, 2016
    In ping_common_sendmsg(), when len < icmph_len, memcpy_fromiovec()
    will access invalid memory because msg->msg_iov only has 1 element
    and memcpy_fromiovec() attempts to increment it. KASAN report:
    
    BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
    Read of size 8 by task trinity-c2/9623
    page:ffffffbe034b9a08 count:0 mapcount:0 mapping:          (null) index:0x0
    flags: 0x0()
    page dumped because: kasan: bad access detected
    CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G    BU         3.18.0-dirty #15
    Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
    Call trace:
    [<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
    [<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
    [<     inline     >] __dump_stack lib/dump_stack.c:15
    [<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
    [<     inline     >] print_address_description mm/kasan/report.c:147
    [<     inline     >] kasan_report_error mm/kasan/report.c:236
    [<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
    [<     inline     >] check_memory_region mm/kasan/kasan.c:264
    [<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
    [<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
    [<     inline     >] memcpy_from_msg include/linux/skbuff.h:2667
    [<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
    [<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
    [<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
    [<     inline     >] __sock_sendmsg_nosec net/socket.c:624
    [<     inline     >] __sock_sendmsg net/socket.c:632
    [<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
    [<     inline     >] SYSC_sendto net/socket.c:1797
    [<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
    Memory state around the buggy address:
     ffffffc071077c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
     ffffffc071077d00: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
    >ffffffc071077d80: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
                                   ^
     ffffffc071077e00: 00 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
     ffffffc071077e80: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
    
    RM-290
    
    Bug: 31349935
    Change-Id: Ib7385fc26dfe7e07e9bab42a10ff65a37cbaab54
    Signed-off-by: Siqi Lin <siqilin@google.com>
  6. ASoC: msm: lock read/write when add/free audio ion memory

    Walter Yang authored and mdmower committed Sep 28, 2016
    As read/write get access to ion memory region as well, it's
    necessary to lock them when ion memory is about to be added/freed
    to avoid racing cases.
    
    CRs-Fixed: 1071809
    Change-Id: I436ead23c93384961b38ca99b9312a40c50ad03a
    Signed-off-by: Walter Yang <yandongy@codeaurora.org>
    [GabrieleM: Adapted for msm8226 kernel]
  7. perf: protect group_leader from races that cause ctx double-free

    John Dias authored and mdmower committed Oct 10, 2016
    When moving a group_leader perf event from a software-context
    to a hardware-context, there's a race in checking and
    updating that context. The existing locking solution
    doesn't work; note that it tries to grab a lock inside
    the group_leader's context object, which you can only
    get at by going through a pointer that should be protected
    from these races. To avoid that problem, and to produce
    a simple solution, we can just use a lock per group_leader
    to protect all checks on the group_leader's context.
    The new lock is grabbed and released when no context locks
    are held.
    
    Bug: 30955111
    Bug: 31095224
    Change-Id: If37124c100ca6f4aa962559fba3bd5dbbec8e052
  8. BACKPORT: perf: Fix event->ctx locking

    Ariel Yin authored and mdmower committed Oct 13, 2016
    There have been a few reported issues wrt. the lack of locking around
    changing event->ctx. This patch tries to address those.
    
    It avoids the whole rwsem thing; and while it appears to work, please
    give it some thought in review.
    
    What I did fail at is sensible runtime checks on the use of
    event->ctx, the RCU use makes it very hard.
    
    Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
    Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
    Cc: Jiri Olsa <jolsa@redhat.com>
    Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    
    (cherry picked from commit f63a8daa5812afef4f06c962351687e1ff9ccb2b)
    Bug: 30955111
    Bug: 31095224
    
    Change-Id: I5bab713034e960fad467637e98e914440de5666d
  9. BACKPORT: lockdep: Silence warning if CONFIG_LOCKDEP isn't set

    pebolle authored and mdmower committed Jan 24, 2013
    Since commit c9a4962881929df7f1ef6e63e1b9da304faca4dd ("nfsd:
    make client_lock per net") compiling nfs4state.o without
    CONFIG_LOCKDEP set, triggers this GCC warning:
    
        fs/nfsd/nfs4state.c: In function ‘free_client’:
        fs/nfsd/nfs4state.c:1051:19: warning: unused variable ‘nn’ [-Wunused-variable]
    
    The cause of that warning is that lockdep_assert_held() compiles
    away if CONFIG_LOCKDEP is not set. Silence this warning by using
    the argument to lockdep_assert_held() as a nop if CONFIG_LOCKDEP
    is not set.
    
    Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Stanislav Kinsbursky <skinsbursky@parallels.com>
    Cc: J. Bruce Fields <bfields@redhat.com>
    Link: http://lkml.kernel.org/r/1359060797.1325.33.camel@x61.thuisdomein
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
    --
     include/linux/lockdep.h |    2 +-
     1 file changed, 1 insertion(+), 1 deletion(-)
    
    Change-Id: I4a4e78fd92dccffe5fc7c3a2617ef7d4cf59f738
  10. BACKPORT: perf: Introduce perf_pmu_migrate_context()

    Yan, Zheng authored and mdmower committed Jun 15, 2012
    Originally from Peter Zijlstra. The helper migrates perf events
    from one cpu to another cpu.
    
    Conflicts (perf: Fix race in removing an event):
        kernel/events/core.c
    
    Change-Id: I7885fe36c9e2803b10477d556163197085be3d19
    Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1339741902-8449-5-git-send-email-zheng.z.yan@intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
  11. BACKPORT: perf: Allow the PMU driver to choose the CPU on which to install events

    Yan, Zheng authored and mdmower committed Jun 15, 2012
    Allow the pmu->event_init callback to change event->cpu, so the PMU driver
    can choose the CPU on which to install events.
    
    Change-Id: I0f8b4310d306f4c87bc961f0359c2bdf65c129b6
    Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Link: http://lkml.kernel.org/r/1339741902-8449-4-git-send-email-zheng.z.yan@intel.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>
  12. msm: sensor: validate the i2c table index before use

    Suman Mukherjee authored and mdmower committed Sep 22, 2016
    Verify the i2c table index value before accessing
    the i2c table, to avoid memory corruption issues.
    CRs-Fixed: 1065916
    
    RM-290
    
    Change-Id: I0e31c22f90006f27a77cd420288334b8355cee95
    Signed-off-by: Sureshnaidu Laveti <lsuresh@codeaurora.org>
    Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
  13. UPSTREAM: staging/android/ion : fix a race condition in the ion driver

    Ariel Yin authored and mdmower committed Oct 12, 2016
    There is a use-after-free problem in the ion driver.
    This is caused by a race condition in the ion_ioctl()
    function.
    
    A handle has a ref count of 1 and two tasks on different
    cpus call ION_IOC_FREE simultaneously.
    
    cpu 0                                   cpu 1
    -------------------------------------------------------
    ion_handle_get_by_id()
    (ref == 2)
                                ion_handle_get_by_id()
    			    (ref == 3)
    
    ion_free()
    (ref == 2)
    
    ion_handle_put()
    (ref == 1)
    
                                ion_free()
    			    (ref == 0 so ion_handle_destroy() is
    			    called and the handle is freed.)
    
    			    ion_handle_put() is called and it
    			    decreases the slub's next free pointer
    
    The problem is detected as an unaligned access in the
    spin lock functions since it uses load exclusive
    instruction. In some cases it corrupts the slub's
    free pointer which causes a mis-aligned access to the
    next free pointer. (kmalloc returns a pointer like
    ffffc0745b4580aa). And it causes lots of other
    hard-to-debug problems.
    
    This symptom is caused since the first member in the
    ion_handle structure is the reference count and the
    ion driver decrements the reference after it has been
    freed.
    
    To fix this problem the client->lock mutex is extended
    to protect all the code that uses the handle.
    
    Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
    Reviewed-by: Laura Abbott <labbott@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    (cherry picked from commit 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7)
    bug: 31568617
    Change-Id: I4ea2be0cad3305c4e196126a02e2ab7108ef0976
    
    Change-Id: I5463992cc764bba0a1ebdaa3d59c422a46f8f6e0
Commits on Dec 8, 2016
  1. arm: fix handling of F_OFD_... in oabi_fcntl64()

    Al Viro authored and mdmower committed Dec 29, 2015
    Change-Id: I75054f88e8c2c10a61b100a20b00bfbf09ff7c4d
    Cc: stable@vger.kernel.org # 3.15+
    Reviewed-by: Jeff Layton <jeff.layton@primarydata.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  2. packet: fix race condition in packet_set_ring

    Philip Pettersson authored and mdmower committed Nov 30, 2016
    When packet_set_ring creates a ring buffer it will initialize a
    struct timer_list if the packet version is TPACKET_V3. This value
    can then be raced by a different thread calling setsockopt to
    set the version to TPACKET_V1 before packet_set_ring has finished.
    
    This leads to a use-after-free on a function pointer in the
    struct timer_list when the socket is closed as the previously
    initialized timer will not be deleted.
    
    The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
    changing the packet version while also taking the lock at the start
    of packet_set_ring.
    
    Change-Id: Iec8b20f499134e1edd0f9214aa4dde477d1674e1
    Fixes: f6fb8f1 ("af-packet: TPACKET_V3 flexible buffer implementation.")
    Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
Commits on Dec 1, 2016
  1. msm: camera: Don't return error code if array size is zero

    Suman Mukherjee authored and mdmower committed Jun 18, 2015
    i2c write can get invoked initially when the conf_array size is zero.
    Returning a failure code is causing the camera to fail to launch.
    
    Change-Id: Ic19d8916c5e433020fc7f0558054c26ed3651cdf
    Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>