Commits on Oct 22, 2017
  1. Revert "tcp: do not lock listener to process SYN packets"

    aviraxp authored and mdmower committed Aug 21, 2017
    It's been reported that this change causes kernel crashes. This
    patch is part of a patch series and it probably depends on some
    other changes. Upstream also has multiple fixes for this change
    that should probably be applied along with it.
    This commit was meant to fix CVE-2017-5972, but as is it can render
    the system unstable, so revert it.
    Example of crash caused by this change:
    Unable to handle kernel NULL pointer dereference at virtual address 00000000
    [00000000] *pgd=0000000000000000, *pud=0000000000000000
    Internal error: Oops: 96000045 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 1 PID: 17801 Comm: pdnsd Not tainted 3.10.107-perf #1
    Hardware name: Qualcomm Technologies, Inc. MSM8994v2.1 MTP (DT)
    task: ffffffc04179e000 ti: ffffffc0342a8000 task.ti: ffffffc0342a8000
    PC is at tcp_check_req+0x388/0x544
    LR is at tcp_check_req+0x340/0x544
    pc : [<ffffffc000d301dc>] lr : [<ffffffc000d30194>] pstate: 40000145
    sp : ffffffc0342ab8f0
    x29: ffffffc0340ab8f0 x28: ffffffc0012d4240
    x27: 0000000000000001 x26: 0000000000000000
    x25: ffffffc01d6e4000 x24: 0000000000001000
    x23: ffffffc02ffe8298 x22: ffffffc041539680
    x21: ffffffc01d6e4308 x20: ffffffc08c7e1b00
    x19: ffffffc01d6e4318 x18: ffffffc0016d4240
    x17: 00000000000101d0 x16: ffffffc035ce67c8
    x15: 000000001bc0e897 x14: ffffffc001052e10
    x13: ffffffc0baabf280 x12: 0000000000000000
    x11: 0000000000000000 x10: 0000000000000000
    x9 : ffffffc001051f90 x8 : 0000000000000030
    x7 : 0000000000000020 x6 : 000000000000ffd7
    x5 : 000000000000fb00 x4 : 000000006fdbb7eb
    x3 : 00000000c13fe000 x2 : 0000000000000000
    x1 : ffffffc088325c80 x0 : 0000000000000000
    Process pdnsd (pid: 1701, stack limit = 0xffffffc0342a8058)
    Call trace:
    [<ffffffc000d301dc>] tcp_check_req+0x388/0x544
    [<ffffffc000d2cbec>] tcp_v4_do_rcv+0x250/0x34c
    [<ffffffc000d2f53c>] tcp_v4_rcv+0x700/0x768
    [<ffffffc000d0b204>] ip_local_deliver_finish+0x100/0x24c
    [<ffffffc000d0b7f0>] ip_local_deliver+0xb0/0xc4
    [<ffffffc000d0b42c>] ip_rcv_finish+0xdc/0x2c4
    [<ffffffc000d0ba70>] ip_rcv+0x26c/0x310
    [<ffffffc000c9acac>] __netif_receive_skb_core+0x234/0x7e4
    [<ffffffc000c9b284>] __netif_receive_skb+0x28/0x80
    [<ffffffc000c9c098>] process_backlog+0xb0/0x184
    [<ffffffc000c9cf04>] net_rx_action+0x17c/0x300
    [<ffffffc0000aa5f0>] __do_softirq+0x13c/0x328
    [<ffffffc0000aa8c8>] do_softirq+0x5c/0x60
    [<ffffffc0000aa980>] local_bh_enable_ip+0xb4/0xc8
    [<ffffffc000ec0f0c>] _raw_spin_unlock_bh+0x38/0x40
    This reverts commit bf35e60ab3be08a5a1d798d0c4aee0c76f64b8a8.
    Change-Id: I2bda543f514239f1ce8f0439be6fa27c4468e949
  2. wlan: Check privilege permission

    Mukul Sharma authored and mdmower committed Mar 17, 2016
    Kernel assumes all SET IOCTL commands are assigned with even
    numbers. But in our WLAN driver, some SET IOCTLS are assigned with
    odd numbers. This leads the kernel to fail to check, for some SET IOCTLs,
    whether the user has the right permission to do a SET operation.
    Hence, in driver, before processing SET_VAR_INTS_GETNONE, making
    sure user task has right permission to process the command.
    Bug: 27104184
    Change-Id: Ia2465433aab6366160a167a62ca03e0ba720bcdb
    Signed-off-by: Yuan Lin <>
  3. msm: mdss: fix race condition during mdp debugfs release

    Harsh Sahu authored and mdmower committed Apr 13, 2017
    Fix race condition in the release of the mdp debugfs functions
    panel_debug_base_release and mdss_debug_base_release by adding
    the lock for unpreempted freeing of the buffer so that multiple
    concurrent processes cannot affect the release which can possibly
    lead to use-after-free operation on the buffer.
    Change-Id: I9586081b65ae2eb0e7f6e30c606ee748ae9ef7e8
    Signed-off-by: Harsh Sahu <>
  4. USB: iowarrior: fix NULL-deref in write

    jhovold authored and mdmower committed Mar 7, 2017
    commit de46e56653de7b3b54baa625bd582635008b8d05 upstream.
    Make sure to verify that we have the required interrupt-out endpoint for
    IOWarrior56 devices to avoid dereferencing a NULL-pointer in write
    should a malicious device lack such an endpoint.
    Change-Id: Ib45a1b8475f0749b48c2dcf27e36ced1a17805ba
    Fixes: 946b960 ("USB: add driver for iowarrior devices.")
    Signed-off-by: Johan Hovold <>
    Signed-off-by: Greg Kroah-Hartman <>
    [bwh: Backported to 3.2: adjust context]
    Signed-off-by: Ben Hutchings <>
  5. msm: mdss: Add sanity check for Gamut LUT size

    Ping Li authored and mdmower committed Jan 3, 2017
    The Gamut LUT size passed from user space needs to go through
    a sanity check to avoid heap overflow. This patch adds the missing
    sanity check in the Gamut LUT config write path.
    Change-Id: I365938e06dbc6ca01961c9be01db10a5a9c863e4
    Signed-off-by: Ping Li <>
  6. USB: cypress_m8: add endpoint sanity check

    oneukum authored and mdmower committed Mar 31, 2016
    An attack using missing endpoints exists.
    Change-Id: Ic4fa75a7133dd7b66c91622dec84776c08ae21c3
    Signed-off-by: Oliver Neukum <>
    Signed-off-by: Johan Hovold <>
    Signed-off-by: Greg Kroah-Hartman <>
  7. msm: vidc: use %pK instead of %p which respects kptr_restrict sysctl

    Abdulla Anam authored and mdmower committed Jun 3, 2016
    Hide kernel pointers from unprivileged users by using the %pK format
    specifier instead of %p. This respects the kptr_restrict sysctl
    setting which is by default on. So by default %pK will print zeroes
    as address. echo 1 to kptr_restrict to print proper kernel addresses.
    CRs-Fixed: 987018
    Change-Id: I4772257a557c6730ecc0624cbc8e5614e893e9fd
    Signed-off-by: Abdulla Anam <>
    Signed-off-by: Bikshapathi Kothapeta <>
  8. ANDROID: ion: Protect kref from userspace manipulation

    Daniel Rosenberg authored and mdmower committed Feb 4, 2017
    This separates the kref for ion handles into two components.
    Userspace requests through the ioctl will hold at most one
    reference to the internally used kref. All additional requests
    will increment a separate counter, and the original reference is
    only put once that counter hits 0. This protects the kernel from
    a poorly behaving userspace.
    Bug: 34276203
    Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0
    Signed-off-by: Daniel Rosenberg <>
    Git-commit: 20abfcc16884a5af973a5e91dd013ddd789c44f4
    [ Resolve style issues]
    Signed-off-by: Dennis Cagle <>
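A user-space model of the split reference scheme this commit describes, added here as an illustration; it is not the ion driver's code. It assumes a handle whose kernel-side count (kref) starts at 1 for a reference the kernel itself holds, plus a separate user_ref_count for references handed out through the ioctl; the struct and function names are hypothetical. The pre-fix variant is included beside it so the difference is visible.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>

/* Model of an ion handle with the two counters the commit describes.
 *   kref           : kernel-internal reference count; the handle is freed
 *                    when it reaches zero
 *   user_ref_count : references handed to userspace through the ioctl; while
 *                    it is non-zero it pins exactly one kref */
struct handle_model {
	int kref;
	int user_ref_count;
	bool freed;
};

static void kref_put_model(struct handle_model *h)
{
	if (h->kref > 0 && --h->kref == 0)
		h->freed = true;                 /* stands in for kfree() */
}

/* Userspace takes a reference: only the first one touches the kref. */
int user_handle_get(struct handle_model *h)
{
	if (h->freed)
		return -EINVAL;
	if (h->user_ref_count == INT_MAX)
		return -EOVERFLOW;
	if (h->user_ref_count++ == 0)
		h->kref++;
	return 0;
}

/* After the fix: a userspace put only reaches the kref when userspace's own
 * count returns to zero, so surplus ION_IOC_FREE calls cannot release
 * references the kernel still holds. */
int user_handle_put(struct handle_model *h)
{
	if (h->freed || h->user_ref_count == 0)
		return -EINVAL;
	if (--h->user_ref_count == 0)
		kref_put_model(h);
	return 0;
}

/* Before the fix: every userspace put goes straight to the kref. */
int user_handle_put_unprotected(struct handle_model *h)
{
	if (h->freed)
		return -EINVAL;
	kref_put_model(h);
	return 0;
}

/* Scenario: the kernel holds one reference of its own, userspace is handed
 * one handle and then issues 'puts' frees. Returns the final handle state. */
struct handle_model run_scenario(int puts, bool use_fix)
{
	struct handle_model h = { .kref = 1, .user_ref_count = 0, .freed = false };
	user_handle_get(&h);
	for (int i = 0; i < puts; i++) {
		if (use_fix)
			user_handle_put(&h);
		else
			user_handle_put_unprotected(&h);
	}
	return h;
}
```

With the fix, two frees for one handle leave the kernel's own reference intact and the second free is simply rejected; without it the second free drops the kref to zero and the handle is gone while the kernel still expects it.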
  9. msm: camera: restructure data handling to be more robust

    Vasko Kalanoski authored and mdmower committed Feb 3, 2015
    add dynamic array allocation instead of static to prevent
    stack overflow.
    Change-Id: Id12ed5b01809021d2b1d1d71436f2523b575d9de
    Signed-off-by: Vasko Kalanoski <>
  10. input: synaptics_dsx: protect tmpbuf allocation.

    Andrew Chant authored and mdmower committed Jan 13, 2017
    Protect tmpbuf from concurrent access by mutex.
    BUG: 33555878
    BUG: 33002026
    Change-Id: Ia7eeb59ca7b626f416e2298b4b9ffd960fe909e4
    Signed-off-by: Andrew Chant <>
  11. tmpfs: clear S_ISGID when setting posix ACLs

    Gu Zheng authored and mdmower committed Jan 9, 2017
    This change adds the tmpfs modification that was missed in the
    CVE-2016-7097 commit 073931017b49 ("posix_acl: Clear SGID bit when
    setting file permissions").
    It can be tested with xfstests generic/375, which failed to clear the
    setgid bit in the following test case on tmpfs:
      touch $testfile
      chown 100:100 $testfile
      chmod 2755 $testfile
      _runas -u 100 -g 101 -- setfacl -m u::rwx,g::rwx,o::rwx $testfile
    Change-Id: I639fb4221e65b8c1ab3cc26ba735521e25967faa
    Signed-off-by: Gu Zheng <>
    Signed-off-by: Al Viro <>
    [gmrt: Backport to 3.4]
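A user-space model of the decision the fixed tmpfs path makes, added here as an illustration and not the kernel's code. The S_ISGID and permission constants come from <sys/stat.h>; the inode and caller structs, the reduction of the ACL to its three access entries, and the function names are simplifications of the kernel's posix_acl_update_mode() that I introduce for this example. It reproduces the generic/375 case from the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/stat.h>
#include <sys/types.h>

struct inode_model  { uid_t uid; gid_t gid; mode_t mode; };
struct caller_model { uid_t fsuid; gid_t fsgid; const gid_t *groups; size_t ngroups; bool cap_fsetid; };
/* Only the three access entries (u::, g::, o::) that the xfstests case sets;
 * each holds rwx bits 0..7. */
struct acl_model    { unsigned user, group, other; };

static bool in_group_p(const struct caller_model *c, gid_t gid)
{
	if (c->fsgid == gid)
		return true;
	for (size_t i = 0; i < c->ngroups; i++)
		if (c->groups[i] == gid)
			return true;
	return false;
}

/* posix_acl_equiv_mode() reduced to the three access entries. */
static mode_t acl_to_perm_bits(const struct acl_model *acl)
{
	return (mode_t)((acl->user << 6) | (acl->group << 3) | acl->other);
}

/* After the fix: new permission bits come from the ACL, and S_ISGID is
 * cleared unless the caller is in the file's group or has CAP_FSETID,
 * the same rule chmod(2) applies. */
mode_t set_acl_mode_fixed(const struct inode_model *inode,
			  const struct caller_model *c,
			  const struct acl_model *acl)
{
	mode_t mode = inode->mode & ~(mode_t)(S_IRWXU | S_IRWXG | S_IRWXO);
	mode |= acl_to_perm_bits(acl);
	if (!in_group_p(c, inode->gid) && !c->cap_fsetid)
		mode &= ~(mode_t)S_ISGID;
	return mode;
}

/* Before the fix on tmpfs: permission bits updated, setgid bit left alone. */
mode_t set_acl_mode_unfixed(const struct inode_model *inode,
			    const struct acl_model *acl)
{
	mode_t mode = inode->mode & ~(mode_t)(S_IRWXU | S_IRWXG | S_IRWXO);
	return mode | acl_to_perm_bits(acl);
}

/* The generic/375 case from the commit message: file 100:100 mode 2755,
 * setfacl run as uid 100 gid 101 with u::rwx,g::rwx,o::rwx. */
mode_t generic_375_result(bool fixed)
{
	struct inode_model  f = { .uid = 100, .gid = 100, .mode = 02755 };
	struct caller_model c = { .fsuid = 100, .fsgid = 101, .groups = NULL, .ngroups = 0, .cap_fsetid = false };
	struct acl_model    a = { 7, 7, 7 };
	return fixed ? set_acl_mode_fixed(&f, &c, &a) : set_acl_mode_unfixed(&f, &a);
}

/* Same ACL applied by a caller who is a member of group 100: the setgid
 * bit is legitimately kept, as with chmod. */
mode_t group_member_result(void)
{
	struct inode_model  f = { .uid = 100, .gid = 100, .mode = 02755 };
	struct caller_model c = { .fsuid = 100, .fsgid = 100, .groups = NULL, .ngroups = 0, .cap_fsetid = false };
	struct acl_model    a = { 7, 7, 7 };
	return set_acl_mode_fixed(&f, &c, &a);
}
```

The point of the check is that setting an ACL is just another way of setting the mode, so a caller who could not keep the setgid bit through chmod(2) must not be able to keep it through setfacl either.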
  12. input: touchscreen: gt9xx: fix memory corruption in Goodix driver

    Vevek Venkatesan authored and mdmower committed Jan 23, 2017
    Fix memory corruption in Goodix touchscreen driver, by resetting
    the global structure cmd_head to zero (except *data and wr flag)
    in goodix_tool_write handler on error case.
    Change-Id: I4f7f8f464b93571627b922b10c10a65826228e42
    Signed-off-by: Vevek Venkatesan <>
  13. prima: Add buf len check in wlan_hdd_cfg80211_testmode

    Manjeet Singh authored and mdmower committed Dec 27, 2016
    In __wlan_hdd_cfg80211_testmode API no checks are in place that
    ensure that buflen is smaller or equal the size of the stack
    variable hb_params. Hence, the vos_mem_copy() call can overflow
    stack memory.
    Add buf len check to avoid stack overflow
    CRs-Fixed: 1105085
    Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
  14. prima: Avoid overflow of "set_bssid_hotlist" params

    Hanumanth Reddy Pothula authored and mdmower committed Jan 27, 2017
    The wlan driver supports the following vendor command:
    This command supplies a "number of APs" attribute as well as a list of
    per-AP attributes.  However there is no validation that the number of
    APs provided won't overflow the destination buffer.  In addition there
    is no validation that the number of APs actually provided matches the
    number of APs expected.
    To address these issues:
    * Verify that the expected number of APs doesn't exceed the maximum
      allowed number of APs
    * Verify that the actual number of APs supplied doesn't exceed the
      expected number of APs
    * Only process the actual number of supplied APs if it is less than
      the expected number of APs.
    Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5
    CRs-Fixed: 1095770
  15. defconfig: mt2: Enable CONFIG_INET_DIAG_DESTROY

    Gabriele M authored and mdmower committed Feb 6, 2017
    This allows privileged processes such as netd and ss to close
    sockets opened by other processes. Also, regenerate config.
    Change-Id: Id6be2e60e26c98dab2636073714655ccfc8a2cb6
  16. net: diag: Check user namespace when destroying socket

    Gabriele M authored and mdmower committed Feb 6, 2017
    Now that each net belongs to a user namespace, change the capability
    check introduced with commit 4dcbf839671138ba8af9dcb9c3d0ca5850d9ec
    ("net: diag: Add the ability to destroy a socket.") so that it matches
    the one of the corresponding upstream commit (64be0aed59ad519d6f21608).
    Change-Id: I9b3f14f2a4b6376c99e7ed13abe6bb30f1a2c018
  17. userns: make each net (net_ns) belong to a user_ns

    ebiederm authored and mdmower committed Jun 14, 2012
    The user namespace which creates a new network namespace owns that
    namespace and all resources created in it.  This way we can target
    capability checks for privileged operations against network resources to
    the user_ns which created the network namespace in which the resource
    lives.  Privilege to the user namespace which owns the network
    namespace, or any parent user namespace thereof, provides the same
    privilege to the network resource.
    This patch is reworked from a version originally by
    Serge E. Hallyn <>
    Change-Id: Ia09de7a028fa4ed7e25a8cb3f67707f6818ffc78
    Acked-by: Serge Hallyn <>
    Signed-off-by: Eric W. Biederman <>
  18. netns: Deduplicate and fix copy_net_ns when !CONFIG_NET_NS

    ebiederm authored and mdmower committed Jun 14, 2012
    The copy of copy_net_ns used when the network stack is not
    built is broken as it does not return -EINVAL when attempting
    to create a new network namespace.  We don't even have
    a previous network namespace.
    Since we need a copy of copy_net_ns in net/net_namespace.h that is
    available when the networking stack is not built at all move the
    correct version of copy_net_ns from net_namespace.c into net_namespace.h
    Leaving us with just 2 versions of copy_net_ns.  One version for when
    we compile in network namespace support and another stub for all other
    Change-Id: I05d44eb814b5a54430111d5d6c7fa9df69a9376b
    Acked-by: Serge Hallyn <>
    Signed-off-by: Eric W. Biederman <>
  19. soc: qcom: smp2p: Fix kernel address leak

    Karthikeyan Ramasubramanian authored and mdmower committed Aug 16, 2016
    Change format string to %pK instead of %p in the debug statements. This
    change fixes kernel address leaks from the usage of %p.
    CRs-Fixed: 1052825
    Change-Id: Ib95f691919a2977f5436cd4c6ac4a002d70dd729
    Signed-off-by: Chris Lew <>
    Signed-off-by: Karthikeyan Ramasubramanian <>
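To make concrete what this commit and the msm: vidc one above (commit 7 in this list) rely on, here is a user-space model of how the kernel's %pK handling decides what to print, added as an illustration and not kernel code. It assumes the 3.x-era logic in lib/vsprintf.c: kptr_restrict 0 prints like %p, 1 prints only for a caller holding CAP_SYSLOG and prints "pK-error" in interrupt context where that check is meaningless, 2 always prints zeros. Function names are hypothetical and the address is a constructed value.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of the %pK branch of vsprintf (assumed 3.x behaviour):
 *   kptr_restrict == 0 : pointer printed for everyone, same as %p
 *   kptr_restrict == 1 : printed only if the caller has CAP_SYSLOG; in
 *                        interrupt context the capability test is
 *                        meaningless, so "pK-error" is printed instead
 *   kptr_restrict >= 2 : always printed as zeros
 * Writes the text into out and returns it. */
const char *format_pK(int kptr_restrict, bool has_cap_syslog, bool in_interrupt,
		      unsigned long ptr, char *out, size_t outsz)
{
	if (kptr_restrict && in_interrupt) {
		snprintf(out, outsz, "%s", "pK-error");
		return out;
	}
	bool show = (kptr_restrict == 0) || (kptr_restrict == 1 && has_cap_syslog);
	snprintf(out, outsz, "%016lx", show ? ptr : 0UL);
	return out;
}

/* Plain %p never hides anything: this is what the commits replace. */
const char *format_p(unsigned long ptr, char *out, size_t outsz)
{
	snprintf(out, outsz, "%016lx", ptr);
	return out;
}

/* Does a given sysctl/caller combination produce the expected text? */
bool pK_output_is(int kptr_restrict, bool has_cap_syslog, bool in_interrupt,
		  const char *expect)
{
	char buf[32];
	format_pK(kptr_restrict, has_cap_syslog, in_interrupt,
		  0xffffffc001234568UL, buf, sizeof buf);   /* constructed address */
	return strcmp(buf, expect) == 0;
}
```

The practical consequence for debug statements in drivers is the one the commits act on: with %p the address reaches any reader of the log regardless of the sysctl, with %pK it reaches only the readers the sysctl allows.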
  20. ipv4: Change flowi4_oif and flowi4_iif in ipmr_rt_fib_lookup()

    Gabriele M authored and mdmower committed Feb 5, 2017
    When upstream commit 4fd551d7bed9 ("ipv4: Kill rt->rt_oif") removed
    rt_oif, ipmr_rt_fib_lookup() was updated so that it didn't depend
    on rt_oif. This commit changes ipmr_rt_fib_lookup() as it is done
    in 4fd551d7bed9 to minimize the conflicts with a followup change and,
    as mentioned in the original commit, "for greater correctness of the
    flowi4_oif and flowi4_iif values".
    Change-Id: If43088791ea2fd54eda91ffb1b905ddaee13706f
  21. net: Make ifindex generation per-net namespace

    xemul authored and mdmower committed Aug 8, 2012
    Strictly speaking this is only _really_ required for checkpoint-restore to
    make loopback device always have the same index.
    This change appears to be safe wrt "ifindex should be unique per-system"
    concept, as all the ifindex usage is either already made per net namespace
    or is explicitly limited with init_net only.
    There are two cool side effects of this. The first one -- ifindices of
    devices in container are always small, regardless of how many containers
    we've started (and re-started) so far. The second one is -- we can speed
    up the loopback ifindex access as shown in the next patch.
    v2: Place ifindex right after dev_base_seq : avoid two holes and use the
        same cache line, dirtied in list_netdevice()/unlist_netdevice()
    Change-Id: I3c7a2123cc9ade3c4689cd57ffce43edd1d5416a
    Signed-off-by: Pavel Emelyanov <>
    Acked-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
  22. veth: Allow to create peer link with given ifindex

    xemul authored and mdmower committed Aug 8, 2012
    The ifinfomsg is in there (thanks kaber@ for foreseeing this long time ago),
    so take the given ifindex and register netdev with it.
    Ben noticed, that this code path previously ignored ifmp->ifi_index and
    userland could be passing in garbage. Thus it may now fail occasionally
    because the value clashes with an existing interface.
    To address this it's assumed that if the caller specifies the ifindex for
    the veth master device, then it's aware of this possibility and should
    explicitly specify (or set to 0 for auto-assignment) the peer's ifindex as
    well. With this the compatibility with old tools not setting ifindex is
    Change-Id: I92ef3f85668e06e1144f331e95456a1ac7546764
    Signed-off-by: Pavel Emelyanov <>
    Signed-off-by: David S. Miller <>
  23. net: Allow to create links with given ifindex

    xemul authored and mdmower committed Aug 8, 2012
    Currently the RTM_NEWLINK results in -EOPNOTSUPP if the ifinfomsg->ifi_index
    is not zero. I propose to allow requesting ifindices on link creation. This
    is required by the checkpoint-restore to correctly restore a net namespace
    (i.e. -- a container).
    Change-Id: Iec0bbec648c1720059fa6921dd62f4aaa8fb3472
    Signed-off-by: Pavel Emelyanov <>
    Acked-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
  24. net: Dont use ifindices in hash fns

    xemul authored and mdmower committed Aug 8, 2012
    Eric noticed, that when there will be devices with equal indices, some
    hash functions that use them will become less effective as they could.
    Fix this in advance by mixing the net_device address into the hash value
    instead of the device index.
    This is true for arp and ndisc hash fns. The netlabel, can and llc ones
    are also ifindex-based, but that three are init_net-only, thus will not
    be affected.
    Many thanks to David and Eric for the hash32_ptr implementation!
    Change-Id: Ia34be8a6ed8774cc9d90d4f1b94b8ee8bb634132
    Signed-off-by: Pavel Emelyanov <>
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
  25. msm: kgsl: fix sync file error handling

    jgebben authored and mdmower committed Feb 27, 2015
    We need to call put_unused_fd() on failure, but only if
    a file hasn't been stored into the fd yet. This function
    wasn't called from kgsl_ioctl_syncsource_create_fence()
    and was called incorrectly from kgsl_add_fence_event().
    Reorder our sync_fence_install() calls to happen after
    all possible failures so that error cleanup will be
    Change-Id: I0e7bb459f2acc010446ac5e5b3b72c8b16cce079
    Signed-off-by: Jeremy Gebben <>
  26. ALSA: Remove transfer_ack_{begin,end} callbacks from struct snd_pcm_r…

    larsclausen authored and mdmower committed Oct 22, 2015
    While there is nothing wrong with the transfer_ack_begin and
    transfer_ack_end callbacks per-se, the last documented user was part of the
    alsa-driver 0.5.12a package, which was released 14 years ago and even
    predates the upstream integration of the ALSA core and has subsequently
    been superseded by newer alsa-driver releases.
    This seems to indicate that there is no need for having these callbacks and
    they are just cruft that can be removed.
    Change-Id: Idd9bce224de8f17c2324f172f6d97230ddb85750
    Signed-off-by: Lars-Peter Clausen <>
    Signed-off-by: Takashi Iwai <>
  27. splice: introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE

    morbidrsa authored and mdmower committed Dec 9, 2016
    Introduce FMODE_SPLICE_READ and FMODE_SPLICE_WRITE. These modes check
    whether it is legal to read or write a file using splice. Both get
    automatically set on regular files and are not checked when a 'struct
    file_operations' includes the splice_{read,write} methods.
    Suggested-by: Linus Torvalds <>
    Cc: Al Viro <>
    Signed-off-by: Johannes Thumshirn <>
Commits on Oct 19, 2017
  1. ALSA: seq: Fix use-after-free at creating a port

    tiwai authored and mdmower committed Oct 9, 2017
    There is a potential race window opened at creating and deleting a
    port via ioctl, as spotted by fuzzing.  snd_seq_create_port() creates
    a port object and returns its pointer, but it doesn't take the
    refcount, thus it can be deleted immediately by another thread.
    Meanwhile, snd_seq_ioctl_create_port() still calls the function
    snd_seq_system_client_ev_port_start() with the created port object
    that is being deleted, and this triggers use-after-free like:
     BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
     BUG kmalloc-512 (Tainted: G    B          ): kasan: bad access detected
     INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
    	snd_seq_create_port+0x94/0x9b0 [snd_seq]
    	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
     	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
     	snd_seq_ioctl+0x40/0x80 [snd_seq]
     INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
     	port_delete+0x136/0x1a0 [snd_seq]
     	snd_seq_delete_port+0x235/0x350 [snd_seq]
     	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
     	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
     	snd_seq_ioctl+0x40/0x80 [snd_seq]
     Call Trace:
      [<ffffffff81b03781>] dump_stack+0x63/0x82
      [<ffffffff81531b3b>] print_trailer+0xfb/0x160
      [<ffffffff81536db4>] object_err+0x34/0x40
      [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
      [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
      [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
      [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
      [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
      [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
      [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
      [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
      [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
      [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
    We may fix this in a few different ways, and in this patch, it's fixed
    simply by taking the refcount properly at snd_seq_create_port() and
    letting the caller unref the object after use.  Also, there is another
    potential use-after-free by sprintf() call in snd_seq_create_port(),
    and this is moved inside the lock.
    This fix covers CVE-2017-15265.
    Change-Id: I19f81dae1e33df95b13b74bba5d700435e68b27d
    Reported-and-tested-by: Michael23 Yu <>
    Suggested-by: Linus Torvalds <>
    Cc: <>
    Signed-off-by: Takashi Iwai <>
Commits on Oct 18, 2017
  1. nl80211: check for the required netlink attributes presence

    nefigtut authored and mdmower committed Sep 12, 2017
    commit e785fa0a164aa11001cba931367c7f94ffaff888 upstream.
    nl80211_set_rekey_data() does not check if the required attributes
    NL80211_REKEY_DATA_{REPLAY_CTR,KEK,KCK} are present when processing
    NL80211_CMD_SET_REKEY_OFFLOAD request. This request can be issued by
    users with CAP_NET_ADMIN privilege and may result in NULL dereference
    and a system crash. Add a check for the required attributes presence.
    This patch is based on the patch by bo Zhang.
    This fixes CVE-2017-12153.
    Fixes: e5497d7 ("cfg80211/nl80211: support GTK rekey offload")
    Reported-by: bo Zhang <>
    Signed-off-by: Vladis Dronov <>
    Signed-off-by: Johannes Berg <>
    Signed-off-by: Ben Hutchings <>
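The check this commit adds, shown as an added user-space model rather than the nl80211 code itself: a minimal nla_parse()-style walk over a buffer of netlink attributes followed by a presence and length check on every attribute the handler would dereference. The attribute ids and lengths (KEK and KCK 16 bytes, replay counter 8) are assumed from nl80211.h, the message builder and the test input are constructed for the example, and the function names are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* struct nlattr layout: u16 nla_len (header + payload), u16 nla_type,
 * attributes padded to 4 bytes (as in <linux/netlink.h>). */
#define NLA_HDRLEN   4U
#define NLA_ALIGN(n) (((n) + 3U) & ~3U)

/* Attribute ids and lengths of the rekey data, assumed from nl80211.h. */
enum { REKEY_KEK = 1, REKEY_KCK = 2, REKEY_REPLAY_CTR = 3, REKEY_MAX = 3 };
static const uint16_t rekey_len[REKEY_MAX + 1] = { 0, 16, 16, 8 };

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }

/* nla_parse()-style walk: fills tb[type] with a pointer to each attribute
 * header, rejects attributes that overrun the buffer, skips unknown types.
 * Note that a type simply absent from the message leaves tb[type] NULL. */
int parse_attrs(const uint8_t *tb[], int maxtype, const uint8_t *buf, size_t len)
{
	memset(tb, 0, sizeof(*tb) * (size_t)(maxtype + 1));
	for (size_t off = 0; off + NLA_HDRLEN <= len; ) {
		uint16_t alen = rd16(buf + off), atype = rd16(buf + off + 2);
		if (alen < NLA_HDRLEN || off + alen > len)
			return -EINVAL;
		if (atype <= maxtype)
			tb[atype] = buf + off;
		off += NLA_ALIGN(alen);
	}
	return 0;
}

/* The check this commit adds, in model form: every attribute the handler
 * goes on to dereference must be present and of the expected length. */
int set_rekey_data_checked(const uint8_t *buf, size_t len)
{
	const uint8_t *tb[REKEY_MAX + 1];
	if (parse_attrs(tb, REKEY_MAX, buf, len))
		return -EINVAL;
	for (int t = REKEY_KEK; t <= REKEY_REPLAY_CTR; t++) {
		if (!tb[t])
			return -EINVAL;   /* unchecked code would do nla_data(NULL) here */
		if (rd16(tb[t]) - NLA_HDRLEN != rekey_len[t])
			return -EINVAL;
	}
	return 0;                         /* safe to copy KEK, KCK and replay counter */
}

/* Message builder used to construct test input (not part of nl80211). */
size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, uint16_t dlen)
{
	uint16_t alen = (uint16_t)(NLA_HDRLEN + dlen);
	memcpy(buf + off, &alen, 2);
	memcpy(buf + off + 2, &type, 2);
	memcpy(buf + off + NLA_HDRLEN, data, dlen);
	memset(buf + off + alen, 0, NLA_ALIGN(alen) - alen);
	return off + NLA_ALIGN(alen);
}

/* Builds a constructed rekey request with or without the KCK attribute,
 * optionally chopping bytes off the end, and runs the checked handler. */
int rekey_case(bool with_kck, size_t truncate_by)
{
	static const uint8_t kek[16] = { 0x11 }, kck[16] = { 0x22 }, ctr[8] = { 0x33 };
	uint8_t msg[64];
	size_t n = 0;
	n = put_attr(msg, n, REKEY_KEK, kek, sizeof kek);
	if (with_kck)
		n = put_attr(msg, n, REKEY_KCK, kck, sizeof kck);
	n = put_attr(msg, n, REKEY_REPLAY_CTR, ctr, sizeof ctr);
	return set_rekey_data_checked(msg, n > truncate_by ? n - truncate_by : 0);
}
```

The attribute walk itself only guards against attributes that overrun the buffer; the presence check is a separate step, and the commit's point is that a CAP_NET_ADMIN caller who omits one of the three attributes must get -EINVAL rather than a NULL dereference in the handler.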
  2. input: synaptics: allocate heap memory for buffer

    m-chong authored and mdmower committed Aug 18, 2016
    Allocate buffer memory on the heap instead of the stack
    to avoid a potential stack overflow in the write function.
    Bug: 30537088
    Change-Id: Ibe54ac391ade69e4c0c87bf5332c8bcae730e94c
    Signed-off-by: Ivan Lozano <>
  3. x86, mm/ASLR: Fix stack randomization on 64-bit systems

    Hector Marco-Gisbert authored and mdmower committed Feb 14, 2015
    commit 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 upstream.
    The issue is that the stack for processes is not properly randomized on
    64 bit architectures due to an integer overflow.
    The affected function is randomize_stack_top() in file
      static unsigned long randomize_stack_top(unsigned long stack_top)
      {
               unsigned int random_variable = 0;

               if ((current->flags & PF_RANDOMIZE) &&
                       !(current->personality & ADDR_NO_RANDOMIZE)) {
                       random_variable = get_random_int() & STACK_RND_MASK;
                       random_variable <<= PAGE_SHIFT;
               }
      #ifdef CONFIG_STACK_GROWSUP
               return PAGE_ALIGN(stack_top) + random_variable;
      #else
               return PAGE_ALIGN(stack_top) - random_variable;
      #endif
      }
    Note that, it declares the "random_variable" variable as "unsigned int".
    Since the result of the shifting operation between STACK_RND_MASK (which
    is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
    	  random_variable <<= PAGE_SHIFT;
    then the two leftmost bits are dropped when storing the result in the
    "random_variable". This variable shall be at least 34 bits long to hold
    the (22+12) result.
    These two dropped bits have an impact on the entropy of process stack.
    Concretely, the total stack entropy is reduced by four: from 2^28 to
    2^30 (One fourth of expected entropy).
    This patch restores back the entropy by correcting the types involved
    in the operations in the functions randomize_stack_top() and
    The successful fix can be tested with:
      $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
      7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0                          [stack]
      7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0                          [stack]
      7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0                          [stack]
      7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0                          [stack]
    Once corrected, the leading bytes should be between 7ffc and 7fff,
    rather than always being 7fff.
    Signed-off-by: Hector Marco-Gisbert <>
    Signed-off-by: Ismael Ripoll <>
    [ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
    Signed-off-by: Kees Cook <>
    Cc: Linus Torvalds <>
    Cc: Andrew Morton <>
    Cc: Al Viro <>
    Fixes: CVE-2015-1593
    Signed-off-by: Borislav Petkov <>
    Signed-off-by: Greg Kroah-Hartman <>
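To see the truncation the commit describes without booting a kernel, here is an added user-space reproduction of both versions of the arithmetic; it is not the patch's code. It uses the x86_64 constants the message quotes (STACK_RND_MASK 0x3fffff, PAGE_SHIFT 12), replaces get_random_int() with a caller-supplied value so results are reproducible, and uses a constructed top-of-stack address chosen so the 7ffc..7fff prefix from the /proc/self/maps test above is visible. It also sweeps every value the mask allows to count the bits of randomisation each variant actually delivers.

```c
#include <stdint.h>
#include <stdio.h>

/* x86_64 values quoted in the commit message: 22 random bits, 4 KiB pages. */
#define STACK_RND_MASK 0x3fffffUL
#define PAGE_SHIFT     12
#define PAGE_SIZE      (1UL << PAGE_SHIFT)
#define PAGE_ALIGN(x)  (((x) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1))

/* Constructed top-of-stack so results land in the 7ffc..7fff range the
 * commit's /proc/self/maps check looks at. */
#define STACK_TOP 0x7ffffffff000UL

/* Pre-fix arithmetic: the 34-bit product is kept in a 32-bit unsigned int,
 * so the two top bits of the random page count are lost. 'rnd' replaces
 * get_random_int() so the result is reproducible. */
unsigned long stack_top_buggy(unsigned long stack_top, unsigned int rnd)
{
	unsigned int random_variable = rnd & STACK_RND_MASK;
	random_variable <<= PAGE_SHIFT;          /* truncated to 32 bits */
	return PAGE_ALIGN(stack_top) - random_variable;
}

/* Post-fix arithmetic: unsigned long keeps all 34 bits. */
unsigned long stack_top_fixed(unsigned long stack_top, unsigned int rnd)
{
	unsigned long random_variable = rnd & STACK_RND_MASK;
	random_variable <<= PAGE_SHIFT;
	return PAGE_ALIGN(stack_top) - random_variable;
}

/* Top 16 bits of an address, the "7ffc..7fff" the commit says to watch. */
unsigned int addr_prefix16(unsigned long addr)
{
	return (unsigned int)(addr >> 32) & 0xffff;
}

/* Bits of randomisation a variant actually delivers: sweep every value the
 * mask allows (2^22 of them, cheap) and measure the span of page offsets. */
unsigned int delivered_entropy_bits(unsigned long (*fn)(unsigned long, unsigned int))
{
	unsigned long min = ~0UL, max = 0;
	for (unsigned int r = 0; r <= STACK_RND_MASK; r++) {
		unsigned long off = STACK_TOP - fn(STACK_TOP, r);
		if (off < min) min = off;
		if (off > max) max = off;
	}
	unsigned long pages = (max - min) / PAGE_SIZE + 1;
	unsigned int bits = 0;
	while ((1UL << bits) < pages)
		bits++;
	return bits;
}

int main(void)
{
	printf("buggy: %u bits of stack randomisation, top 16 bits %04x at max\n",
	       delivered_entropy_bits(stack_top_buggy),
	       addr_prefix16(stack_top_buggy(STACK_TOP, STACK_RND_MASK)));
	printf("fixed: %u bits of stack randomisation, top 16 bits %04x at max\n",
	       delivered_entropy_bits(stack_top_fixed),
	       addr_prefix16(stack_top_fixed(STACK_TOP, STACK_RND_MASK)));
	return 0;
}
```

With the unsigned int the largest offset is 0xfffff000, so the top 16 bits of the stack never leave 7fff and only 20 of the 22 random bits survive; with unsigned long the offset reaches 0x3fffff000 and the prefix spans 7ffc..7fff, which is exactly the before/after the commit's maps test distinguishes.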
  4. fs/exec: fix use after free in execve

    aagit authored and mdmower committed Jul 25, 2017
    "file" can be already freed if bprm->file is NULL after
    search_binary_handler() return. binfmt_script will do exactly that for
    example. If the VM reuses the file after fput() runs, this will result in
    a use after free.
    So obtain d_is_su before search_binary_handler() runs.
    This should explain this crash:
    [25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
    [25333.009918] [2:             am:21861] PC is at do_execve+0x354/0x474
    Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
  5. mm: Fix incorrect type conversion for size during dma allocation

    Maggie White authored and mdmower committed Jul 5, 2017
    This was found during userspace fuzzing test when a large size
    allocation is made from ion
    [<ffffffc00008a098>] show_stack+0x10/0x1c
    [<ffffffc00119c390>] dump_stack+0x74/0xc8
    [<ffffffc00020d9a0>] kasan_report_error+0x2b0/0x408
    [<ffffffc00020dbd4>] kasan_report+0x34/0x40
    [<ffffffc00020cfec>] __asan_storeN+0x15c/0x168
    [<ffffffc00020d228>] memset+0x20/0x44
    [<ffffffc00009b730>] __dma_alloc_coherent+0x114/0x18c
    [<ffffffc00009c6e8>] __dma_alloc_noncoherent+0xbc/0x19c
    [<ffffffc000c2b3e0>] ion_cma_allocate+0x178/0x2f0
    [<ffffffc000c2b750>] ion_secure_cma_allocate+0xdc/0x190
    [<ffffffc000c250dc>] ion_alloc+0x264/0xb88
    [<ffffffc000c25e94>] ion_ioctl+0x1f4/0x480
    [<ffffffc00022f650>] do_vfs_ioctl+0x67c/0x764
    [<ffffffc00022f790>] SyS_ioctl+0x58/0x8c
    Bug: 38195738
    Signed-off-by: Rohit Vaswani <>
    Signed-off-by: Maggie White <>
    Change-Id: I6b1a0a3eaec10500cd4e73290efad4023bc83da5
  6. prima: Add get valid channels entry to NLA policy

    SaidiReddy Yenuga authored and mdmower committed May 25, 2017
    qcacld-2.0 to prima propagation.
    improper validation of
    Bug: 36817053
    CRs-Fixed: 2051450
    Change-Id: I16e5808492b5b35dc8b646af45d6ac6d65561804
    Signed-off-by: Ecco Park <>
  7. prima: Drop assoc request if RSNIE/WPAIE parsing fail

    Kapil Gupta authored and mdmower committed May 16, 2017
    qcacld-2.0 to prima propagation.
    Add changes to drop assoc request and return error if RSNIE or
    WPAIE parsing fail during parsing of assoc request.
    Bug: 63868020
    CRs-Fixed: 2046578
    Change-Id: I88d779399c2eba5d33c30144bf9600a1f3a00b77
    Signed-off-by: Ecco Park <>