There are a few changes in here:
- sus_mount functionality still remains in v1.5.5, as backporting it to the latest version will result in a mount detection leak in some apps/detectors
Thank you @simonpunk for the help with the sus_path backport
Co-authored-by: sidex15 <24408329+sidex15@users.noreply.github.com>
Co-authored-by: simonpunk <simonpunk2016@gmail.com>
Fix the possible OOB write in unpacking the country IE due to
the IE length check against integer division.
CRs-Fixed: 3910626
Change-Id: I800290ab7285fb46ed43a46ce38967046b4881fa
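A constructed illustration of the check class this commit describes, added here and not the driver's own code: the country IE layout, the MAX_TRIPLETS bound, the sample IE and all function names are assumptions. It puts the flawed division-based length check beside one that bounds the raw byte count.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout (assumption, not the driver's definitions): a country
 * IE is a 3-byte country string followed by 3-byte subband triplets, unpacked
 * into a fixed array of at most MAX_TRIPLETS entries. */
#define COUNTRY_STR_LEN 3
#define TRIPLET_LEN     3
#define MAX_TRIPLETS    4
#define MAX_IE_LEN      (COUNTRY_STR_LEN + MAX_TRIPLETS * TRIPLET_LEN)

struct country_info {
    uint8_t country[COUNTRY_STR_LEN];
    uint8_t num_triplets;
    uint8_t triplets[MAX_TRIPLETS][TRIPLET_LEN];
};

/* Flawed check: integer division drops the remainder, so lengths up to
 * MAX_IE_LEN + 2 pass although a byte-wise copy would overrun triplets[]. */
bool country_len_ok_buggy(size_t ie_len)
{
    return ie_len >= COUNTRY_STR_LEN &&
           (ie_len - COUNTRY_STR_LEN) / TRIPLET_LEN <= MAX_TRIPLETS;
}

/* Hardened check: bound the raw byte count by the destination size and
 * require the triplet region to be a whole number of triplets. */
bool country_len_ok(size_t ie_len)
{
    return ie_len >= COUNTRY_STR_LEN && ie_len <= MAX_IE_LEN &&
           (ie_len - COUNTRY_STR_LEN) % TRIPLET_LEN == 0;
}

/* Unpack only after the hardened check; returns the triplet count or -1. */
int unpack_country_ie(const uint8_t *ie, size_t ie_len, struct country_info *out)
{
    if (!country_len_ok(ie_len))
        return -1;
    memset(out, 0, sizeof(*out));
    memcpy(out->country, ie, COUNTRY_STR_LEN);
    memcpy(out->triplets, ie + COUNTRY_STR_LEN, ie_len - COUNTRY_STR_LEN);
    out->num_triplets = (uint8_t)((ie_len - COUNTRY_STR_LEN) / TRIPLET_LEN);
    return out->num_triplets;
}

/* Constructed sample: "US " plus four (first channel, count, max power) triplets. */
const uint8_t sample_ie[15] = { 'U','S',' ', 1,11,20, 36,4,23, 52,4,23, 100,11,30 };
```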
[ Upstream commit 177f25d1292c7e16e1199b39c85480f7f8815552 ]
Since the report buffer is used by all kinds of drivers in various ways, let's
zero-initialize it during allocation to make sure that it can't be ever used
to leak kernel memory via specially-crafted report.
Bug: 380395346
Fixes: 27ce405039 ("HID: fix data access in implement()")
Reported-by: Benoît Sevens <bsevens@google.com>
Acked-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 9d9f5c75c0c7f31766ec27d90f7a6ac673193191)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I31f64f2745347137bbc415eb35b7fab5761867f3
This refactors the original KSU hooks to replace deep kernel function hooks with targeted hooks.
This backports KernelSU pr#1657 and includes pr#2084 elements (32-bit sucompat).
It reduces the scope of kernel function interception and still maintains full functionality.
This commit is a squash of the following:
* fs/exec: do_execve: ksu_handle_execveat hook
* fs/exec: compat_do_execve: ksu_handle_execveat_sucompat hook
* fs/open: sys_faccessat: ksu_handle_faccessat hook
* fs/read_write: sys_read: ksu_handle_sys_read hook
* fs/stat: sys_newfstatat: ksu_handle_stat hook
* fs/stat: sys_fstatat64: ksu_handle_stat hook
* drivers: input: input_event: ksu_handle_input_handle_event hook
* drivers: tty/pty.c: pts_unix98_lookup: ksu_handle_devpts hook
references: KernelSU pr#1657, pr#2084
https://kernelsu.org/guide/how-to-integrate-for-non-gki.html
Signed-off-by: backslashxx <118538522+backslashxx@users.noreply.github.com>
Possible buffer overflow risk in function
wmi_unified_bcn_tmpl_send.
Validate the beacon template length against
WMI_BEACON_TX_BUFFER_SIZE length to avoid overflow.
Change-Id: I98665de677f314f30a57991f48191f847718740c
CRs-Fixed: 2960714
Do not intrabss forward fragmented EAPOL frames that have
DA different from the SAP vdev mac addr when high latency
is enabled.
Change-Id: Idb6e6c001f4dae51c2181e70ab9adbbb964f0ee3
CRs-Fixed:
Prevents mishandling USB requests that are no longer present.
Bug: 161010552
Fixes: 483cb5629ea78 ("ANDROID: usb: gadget: f_accessory: Add Android Accessory function")
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I8ff24d6d49214c3bd10a1b5d5e72814ec2a91c61
Currently the fdget fails and is freed in mdp3_get_img,
and the same is freed again in the mdp3_put_img function.
This can cause a use-after-free issue.
Change-Id: Ic2ad97a201d36b2bb49d3fdc93bb19ce089b6cb4
Signed-off-by: Raghavendra Ambadas <quic_c_rambad@quicinc.com>
Signed-off-by: srikanthreddy ponogoti <quic_sponogot@quicinc.com>
Validate the input fence for mdss and sde rotator before
referencing the structure objects.
Also log the fence driver name waiting for the fence.
Earlier the fence name was null irrespective of the
driver.
Change-Id: Ie277d861057a41092505c73ef3815f7d769d114e
Signed-off-by: Raghavendra Ambadas <quic_c_rambad@quicinc.com>
The possibility of a race condition that can free the dci entry,
causing a use-after-free, is prevented by adding a check
for the entry's validity.
Change-Id: Ib436ffd16c266636d99885d6091eb1a6887737c7
Signed-off-by: Manoj Prabhu B <quic_bmanoj@quicinc.com>
Consider a scenario where user allocates anonymous memory but does not
write to it. Here the physical pages are not yet allocated. Now when this
memory is requested to be imported, a list of newly allocated zero pages
is obtained using get_user_pages(). Currently cache flush is not done for
these pages and hence GPU sees stale data. Fix this by performing cache
flush on these pages.
Change-Id: Id1e8aa20e8a9de112761732ed92f30c01088840b
Signed-off-by: Puranam V G Tejaswi <quic_pvgtejas@quicinc.com>
f2fs_fill_super
 -> f2fs_build_segment_manager
    -> create_discard_cmd_control
       -> f2fs_start_discard_thread
It invokes kthread_run to create a thread and run issue_discard_thread.
However, if f2fs_build_node_manager fails, the control flow goes to
free_nm and calls f2fs_destroy_node_manager. This function will free
sbi->nm_info. However, if issue_discard_thread accesses sbi->nm_info
after the deallocation, but before f2fs_stop_discard_thread, it will
cause a UAF (use-after-free).
 -> f2fs_destroy_segment_manager
    -> destroy_discard_cmd_control
       -> f2fs_stop_discard_thread
Fix this by stopping discard thread before f2fs_destroy_node_manager.
Note that, the commit d6d2b491a82e1 introduces the call of
f2fs_available_free_memory into issue_discard_thread.
Cc: stable@vger.kernel.org
Fixes: d6d2b491a82e ("f2fs: allow to change discard policy based on cached discard cmds")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
(cherry picked from commit 5429c9dbc9025f9a166f64e22e3a69c94fd5b29b)
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: If121b453455b11b2aded8ba8a3899faad431dbd3
With the default DPOLICY_BG, the discard thread is ioaware, which prevents
the discard thread from issuing the discard commands. On low RAM setups,
it is observed that these discard commands in the cache are consuming
high memory. This patch aims to relax the memory pressure on the system
due to f2fs pending discard cmds by changing the policy to DPOLICY_FORCE
based on the nm_i->ram_thresh configured.
Change-Id: I5f48f908cd6bbe6c6f3addda7018f7daffbb53b5
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
[mkbestas: backport to 4.9]
Signed-off-by: Michael Bestas <mkbestas@lineageos.org>
commit dfd0743f1d9ea76931510ed150334d571fbab49d upstream.
Since the tee subsystem does not keep a strong reference to its idle
shared memory buffers, it races with other threads that try to destroy a
shared memory through a close of its dma-buf fd or by unmapping the
memory.
In tee_shm_get_from_id() when a lookup in teedev->idr has been
successful, it is possible that the tee_shm is in the dma-buf teardown
path, but that path is blocked by the teedev mutex. Since we don't have
an API to tell if the tee_shm is in the dma-buf teardown path or not we
must find another way of detecting this condition.
Fix this by doing the reference counting directly on the tee_shm using a
new refcount_t refcount field. dma-buf is replaced by using
anon_inode_getfd() instead, this separates the life-cycle of the
underlying file from the tee_shm. tee_shm_put() is updated to hold the
mutex when decreasing the refcount to 0 and then remove the tee_shm from
teedev->idr before releasing the mutex. This means that the tee_shm can
never be found unless it has a refcount larger than 0.
Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem")
Cc: stable@vger.kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Lars Persson <larper@axis.com>
Reviewed-by: Sumit Garg <sumit.garg@linaro.org>
Reported-by: Patrik Lantz <patrik.lantz@axis.com>
[JW: backport to 5.4-stable]
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
[mkbestas: backport to 4.9]
Signed-off-by: Michael Bestas <mkbestas@lineageos.org>
Change-Id: Ibd2809a225b167563c65faff4a44e56e23c2e97b
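A constructed, single-threaded model of the invariant this commit establishes, added here and not the tee subsystem's own code: idr[] stands in for teedev->idr, lock_depth for the teedev mutex, and the function names mirror the commit message but are assumptions. It shows the lookup taking its reference under the mutex, and the last put removing the id under the same mutex hold before freeing, so a found tee_shm always has refcount > 0.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model (assumption, not the tee subsystem's code): idr[] stands in
 * for teedev->idr and lock_depth for the teedev mutex. */
#define MAX_SHM 8
struct tee_shm { int id; unsigned int refcount; };
struct teedev { struct tee_shm *idr[MAX_SHM]; int lock_depth; };
static void teedev_lock(struct teedev *d)   { d->lock_depth++; }
static void teedev_unlock(struct teedev *d) { d->lock_depth--; }

/* Allocate with refcount 1 (the creator's reference) and publish the id. */
struct tee_shm *tee_shm_alloc(struct teedev *d, int id)
{
    struct tee_shm *shm;
    if (id < 0 || id >= MAX_SHM || d->idr[id]) return NULL;
    shm = calloc(1, sizeof(*shm));
    if (!shm) return NULL;
    shm->id = id;
    shm->refcount = 1;
    teedev_lock(d);
    d->idr[id] = shm;
    teedev_unlock(d);
    return shm;
}

/* The reference is taken while the mutex is held, so any shm a lookup returns
 * has refcount > 0 and cannot already be in its release path. */
struct tee_shm *tee_shm_get_from_id(struct teedev *d, int id)
{
    struct tee_shm *shm;
    if (id < 0 || id >= MAX_SHM) return NULL;
    teedev_lock(d);
    shm = d->idr[id];
    if (shm) shm->refcount++;
    teedev_unlock(d);
    return shm;
}

/* Dropping to 0 and removing the id happen under one mutex hold, so no lookup
 * can observe a zero-refcount shm; the free follows outside the lock. */
bool tee_shm_put(struct teedev *d, struct tee_shm *shm)
{
    bool last;
    teedev_lock(d);
    last = (--shm->refcount == 0);
    if (last) d->idr[shm->id] = NULL;
    teedev_unlock(d);
    if (last) free(shm);
    return last;
}
```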
With the configfs filesystem it's possible to manipulate kernel
objects by creating/deleting folders in the /config path. Here the port
object is created by a mkdir, which leads to allocating this object,
while the rmdir syscall leads to freeing this object.
If one thread does these two operations of creation and deletion
of the folder and another tries to open it, it can lead to a
race condition where the port object can be freed by the time
it is used in f_cdev_open, leading to a use-after-free error.
Fix this by using an embedded struct device and its built-in
refcounting mechanism, which increases and decreases the refcount upon
creation and deletion of the port; the port will be freed when the
reference count is zero, ensuring that the "port" object survives
until the last user releases it.
Change-Id: I88701ef161c9f3215631da81c3a8d4c980d12b25
Signed-off-by: Rohith Kollalsi <rkollals@codeaurora.org>
commit f7d306b47a24367302bd4fe846854e07752ffcd9 upstream.
The usb_get_descriptor() function does DMA so we're not allowed
to use a stack buffer for that. Doing DMA to the stack is not portable
to all architectures. Move the "new_device_descriptor" from being stored
on the stack and allocate it with kmalloc() instead.
Bug: 382243530
Fixes: b909df18ce2a ("ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices")
Cc: stable@kernel.org
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://patch.msgid.link/60e3aa09-039d-46d2-934c-6f123026c2eb@stanley.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Benoît Sevens <bsevens@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 4e54dc4bbc602133217de301d9f814f3e6d22eee)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I469212aa538584e3d8cc5b0087b68c99acf43f64
commit b909df18ce2a998afef81d58bbd1a05dc0788c40 upstream.
A bogus device can provide a bNumConfigurations value that exceeds the
initial value used in usb_get_configuration for allocating dev->config.
This can lead to out-of-bounds accesses later, e.g. in
usb_destroy_configuration.
Bug: 382243530
Signed-off-by: Benoît Sevens <bsevens@google.com>
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable@kernel.org
Link: https://patch.msgid.link/20241120124144.3814457-1-bsevens@google.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9887d859cd60727432a01564e8f91302d361b72b)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I2df0d59750943fa34747bd4bae2e549320f2a0ce
This can lead to out of bounds writes since frames of this type were not
taken into account when calculating the size of the frames buffer in
uvc_parse_streaming.
Fixes: c0efd23292 ("V4L/DVB (8145a): USB Video Class driver")
Signed-off-by: Benoit Sevens <bsevens@google.com>
Cc: stable@vger.kernel.org
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 378455392
(cherry picked from commit ecf2b43018da9579842c774b7f35dbe11b5c38dd)
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I959a6374ba7adf021fc19da755f5c7611fef9b8c
This is needed so common components between kernel
4.9 and kernel 4.14 can compile OK.
CRs-Fixed: 2295428
Change-Id: I36b28c0f9ee4a4aca1303d298e88b98cceac36e3
Signed-off-by: Ghanim Fodi <gfodi@codeaurora.org>
The NAT invalid protocol is needed by a user space process.
Move it to uapi to make it accessible to user space.
Change-Id: I4d1700176483c93f78f48979d602f7568867b378
Acked-by: Michal Amsterdam <mamsterd@qti.qualcomm.com>
Signed-off-by: Amir Levy <alevy@codeaurora.org>
Fixes the following error when building with clang r530567:
error: version 'kernel' in target triple 'arm-unknown-linux-androidkernel' is invalid
Change-Id: I5a2d27bf0e8a22b2fe752c64efc0cc91c790b5f0
Calling clock_debug_print_enabled with print_parent = true
during suspend may cause a scheduling while atomic violation.
Call with print_parent = false instead to prevent the violation.
Bug: 132511008
Change-Id: I80f646d77d0cc98b4004084022ce1dce0e80cc93
Signed-off-by: Jonglin Lee <jonglin@google.com>
Signed-off-by: GeoPD <geoemmanuelpd2001@gmail.com>
Currently iowait doesn't distinguish background/foreground tasks and we
have seen cases where a device runs to high frequency unnecessarily when
running some background I/O. This patch limits iowait boost to tasks with
prefer_idle only. Specifically, on Pixel, those are foreground and top
app tasks.
Bug: 130308826
Test: Boot and trace
Change-Id: I2d892beeb4b12b7e8f0fb2848c23982148648a10
Signed-off-by: Wei Wang <wvw@google.com>
Signed-off-by: Lau <laststandrighthere@gmail.com>
Clear walt rq request in cpu starting.
Change-Id: Id3004337f3924984b8b812151a6ba01c6f1c013e
Signed-off-by: Maria Yu <aiquny@codeaurora.org>
(cherry picked from commit 32df8f93e147dd54331161e9180d7ea488b750f9)
The memory for task load pointers is allocated twice for each
idle thread except for the boot CPU. This happens during boot
from idle_threads_init()->idle_init() in the following 2 paths.
1. idle_init()->fork_idle()->copy_process()->
   sched_fork()->init_new_task_load()
2. idle_init()->fork_idle()->init_idle()->init_new_task_load()
The memory allocation for all tasks happens through the 1st path,
so use the same for idle tasks and kill the 2nd path. Since
the idle thread of boot CPU does not go through fork_idle(),
allocate the memory for it separately.
Change-Id: I4696a414ffe07d4114b56d326463026019e278f1
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
(cherry picked from commit eb58f47212c9621be82108de57bcf3e94ce1035a)