Commit graph

314557 commits

Masatake YAMATO
941eda2515 net: Providing protocol type via system.sockprotoname xattr of /proc/PID/fd entries
lsof reports some of socket descriptors as "can't identify protocol" like:

    [yamato@localhost]/tmp% sudo lsof | grep dbus | grep iden
    dbus-daem   652          dbus    6u     sock ... 17812 can't identify protocol
    dbus-daem   652          dbus   34u     sock ... 24689 can't identify protocol
    dbus-daem   652          dbus   42u     sock ... 24739 can't identify protocol
    dbus-daem   652          dbus   48u     sock ... 22329 can't identify protocol
    ...

lsof cannot resolve the protocol used in a socket because procfs
doesn't provide the map between inode number on sockfs and protocol
type of the socket.

To improve the situation, this patch adds an extended attribute named
'system.sockprotoname' in which the protocol name for
/proc/PID/fd/SOCKET is stored. So lsof can learn the protocol for a
given /proc/PID/fd/SOCKET with the getxattr system call.

A few weeks ago I submitted a patch for the same purpose. That patch
introduced /proc/net/sockfs, which enumerates inodes and protocols
of all sockets alive on a system. However, it was rejected because (1)
a global lock was needed, and (2) the layout of struct socket was
changed by the patch.

This patch doesn't use any global lock; and doesn't change the layout
of any structs.

In this patch, a protocol name is stored in dentry->d_name of sockfs
when a new socket is associated with a file descriptor. Before this
patch dentry->d_name was not used; it was just filled with an empty
string. lsof may use an extended attribute named
'system.sockprotoname' to retrieve the value of dentry->d_name.

It would be nice if we could see the protocol name with ls -l
/proc/PID/fd. However, "socket:[#INODE]", the name format returned
from sockfs_dname(), was already defined. To keep compatibility
between kernel and user land, the extended attribute is used to
provide the value of dentry->d_name.

Change-Id: I04143ee6da5c236835a897086fc0de819abb0cdc
Signed-off-by: Masatake YAMATO <yamato@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2023-02-18 18:37:00 +01:00
Sabrina Dubroca
82794d1071 BACKPORT: tcp: fix recv with flags MSG_WAITALL | MSG_PEEK
Currently, tcp_recvmsg enters a busy loop in sk_wait_data if called
with flags = MSG_WAITALL | MSG_PEEK.

sk_wait_data waits for sk_receive_queue not empty, but in this case,
the receive queue is not empty, but does not contain any skb that we
can use.

Add a "last skb seen on receive queue" argument to sk_wait_data, so
that it sleeps until the receive queue has new skbs.

Change-Id: If58492ae474effe058541f7e9a0c03dc24155393
Link: https://bugzilla.kernel.org/show_bug.cgi?id=99461
Link: https://sourceware.org/bugzilla/show_bug.cgi?id=18493
Link: https://bugzilla.redhat.com/show_bug.cgi?id=1205258
Reported-by: Enrico Scholz <rh-bugzilla@ensc.de>
Reported-by: Dan Searle <dan@censornet.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2023-02-18 18:36:52 +01:00
Joe Perches
721c4f160d BACKPORT: sock.h: Remove extern from function prototypes
There are a mix of function prototypes with and without extern
in the kernel sources.  Standardize on not using extern for
function prototypes.

Function prototypes don't need to be written with extern.
extern is assumed by the compiler.  Its use is as unnecessary as
using auto to declare automatic/local variables in a block.

Change-Id: I65041ae9f8472dc9f84f5f8e09dc3ac859c7d05a
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian DC <radian.dc@gmail.com>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2023-02-18 18:36:36 +01:00
Daniel Borkmann
e9ff904465 BACKPORT: net: sock: make sock_tx_timestamp void
Currently, sock_tx_timestamp() always returns 0. The comment that
describes the sock_tx_timestamp() function wrongly says that it
returns an error when an invalid argument is passed (from commit
20d4947353, ``net: socket infrastructure for SO_TIMESTAMPING'').
Make the function void, so that we can also remove all the unneeded
if conditions that check for such a _non-existent_ error case in the
output path.

Change-Id: Ibdfd5071737190371d4abec5ae76046b5aa8de23
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2023-02-18 18:32:19 +01:00
Eric Dumazet
cab65020e8 BACKPORT: net: include/net/sock.h cleanup
bool/const conversions where possible

__inline__ -> inline

space cleanups

Change-Id: I0ee0135e737edd702f753fac182b293ec5cc652a
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2023-02-18 18:32:14 +01:00
Will Deacon
9587d567d2 BACKPORT: ipc: add COMPAT_SHMLBA support
If the SHMLBA definition for a native task differs from the definition for
a compat task, the do_shmat() function would need to handle both.

This patch introduces COMPAT_SHMLBA, which is used by the compat shmat
syscall when calling the ipc code and allows architectures such as AArch64
(where the native SHMLBA is 64k but the compat (AArch32) definition is
16k) to provide the correct semantics for compat IPC system calls.

Change-Id: I0292f1fedabaa6cbbab843611aa76a8f50f47771
Cc: David S. Miller <davem@davemloft.net>
Cc: Chris Zankel <chris@zankel.net>
Cc: Arnd Bergmann <arnd@arndb.de>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2023-02-18 18:32:08 +01:00
Roger Hu
7c56badc9a kernel: Revert "tcp: do not lock listener to process SYN packets"
This commit belongs to the patch set (https://lwn.net/Articles/659199/)
that attempts to remove the use of locks on the socket table by
relocating the SYN table to a separate hash table and adding a spin lock
to protect the SYN request queue. Adding only this commit introduces a
race condition for LineageOS kernels for TCP listens, since the TCP SYN
data structures can be corrupted.

A TCP curl bomb on a TCP listen port will corrupt the SYN accept backlog:

for i in $(seq 1 400); do curl -x localhost:443 https://myhost.com -L  --connect-timeout 30 -o /dev/null -sS & done

Run `ss -nltp` and usually the RecVQ column does not drain to 0.

This reverts commit 7d9f104f9cabe1d72a50c4816a48f64fc1da7a64.

This really needs to be reverted across all LineageOS forks:
https://gitlab.com/LineageOS/issues/android/-/issues/3916#note_669493796

Change-Id: Ia7969aeedae411677b307a8e094f9a4cc02b801d
2022-07-05 01:10:45 -04:00
Rick Yiu
0b02bd0ec5 defconfig: flo: enable CFQ group schedule
Bug: 117857342
Test: function enabled correctly

Change-Id: I655f8b18b3e48721c96536e5e97972f5b6812401
Signed-off-by: Rick Yiu <rickyiu@google.com>
2021-09-21 10:56:40 -04:00
Nolen Johnson
5d6180c47f defconfigs: flo: Explicitly disable QCRYPTO
* Causes battery drain in some cases.

Change-Id: Ib32e241ba5f995b0c0cf554cb805934d66d88e69
2021-09-21 10:45:43 -04:00
Dundi Raviteja
823860941d wlan: Drop broadcast AMSDU frames
Drop AMSDU subframes if AMSDU subframe header's DA
is equal to broadcast address.

Change-Id: I21f2b95b45fb150a857d23ba158a0f9df15d5c46
CRs-Fixed: 2897293
2021-09-21 10:38:47 -04:00
Dundi Raviteja
c08882d58a wlan: Drop invalid AMSDU subframe
Drop AMSDU subframes if AMSDU subframe header's DA
is equal to LLC header.

Change-Id: Ieeb680cd395f275fe2b3bd98afdf4a2e57609b10
CRs-Fixed: 2867994
2021-09-21 10:38:46 -04:00
Dundi Raviteja
d25cb7e425 wlan: Drop invalid EAPOL packets in SAP mode
Drop invalid EAPOL packets in SAP mode which are not
destined to self mac address.

Change-Id: I9754dddf580e60bd88ddc6e28355162499a8d125
CRs-Fixed: 2868054
2021-09-21 10:38:46 -04:00
Sravan Kumar Kairam
0a25b3c7c0 wlan: Fix RX thread stuck in while loop
Currently, during roaming with the LFR make-before-break feature under
stress testing, the RX thread is stuck in a while loop, resulting in host
RX low resource and a firmware watchdog bite. In this change, refactor
the code to check for null termination of the received frames rather
than checking the local variable pointer assigned to the input
received frames.

Change-Id: I47b40566d52134b58304541c708cd87263fabfc6
CRs-Fixed: 2009414
2021-09-21 10:38:45 -04:00
syphyr
3c95567b07 defconfig: Don't set default I/O scheduler to BFQ
This reverts commit 2fbcde8e868dda6b466a937d32e18206f4e5e763.

BFQ still has issues and is not being maintained on older branches

<6>[18559.203457]  [3:        mmcqd/0:  282] ------------[ cut here ]------------
<2>[18559.203523]  [3:        mmcqd/0:  282] Kernel BUG at ffffffc000313b50 [verbose debug info unavailable]
<0>[18559.203615]  [3:        mmcqd/0:  282] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
<6>[18559.203674]  [3:        mmcqd/0:  282] CPU: 3 PID: 282 Comm: mmcqd/0 Not tainted 3.10.108-g43a2eba3d1690-05651-gf35e694e0efc2 #1
<6>[18559.203758]  [3:        mmcqd/0:  282] task: ffffffc0ad531880 ti: ffffffc0ace50000 task.ti: ffffffc0ace50000
<6>[18559.203839]  [3:        mmcqd/0:  282] pc : bfq_dispatch_requests+0x584/0x74c
<6>[18559.203894]  [3:        mmcqd/0:  282] lr : bfq_dispatch_requests+0x334/0x74c
<6>[18559.203950]  [3:        mmcqd/0:  282] sp : ffffffc0ace53d20 pstate : 800001c5
<6>[18559.204006]  [3:        mmcqd/0:  282] x29: ffffffc0ace53d20 x28: 0000000000000000
<6>[18559.204059]  [3:        mmcqd/0:  282] x27: 0000000000000000 x26: ffffffc0ae095898
<6>[18559.204112]  [3:        mmcqd/0:  282] x25: 0000000000000030 x24: ffffffc001401000
<6>[18559.204164]  [3:        mmcqd/0:  282] x23: ffffffc0ae0958c8 x22: ffffffc0747f46b0
<6>[18559.204217]  [3:        mmcqd/0:  282] x21: ffffffc0a5e726b0 x20: ffffffc0ae095888
<6>[18559.204270]  [3:        mmcqd/0:  282] x19: ffffffc0ae08e800 x18: 0000000000000001
<6>[18559.204323]  [3:        mmcqd/0:  282] x17: 0000007faeca5120 x16: ffffffc00015f170
<6>[18559.204374]  [3:        mmcqd/0:  282] x15: 2e8ba2e8ba2e8ba3 x14: 000000000000000c
<6>[18559.204427]  [3:        mmcqd/0:  282] x13: 00000000000000a2 x12: ffffffc0014e9000
<6>[18559.204481]  [3:        mmcqd/0:  282] x11: 0000000000000001 x10: 0000000000000f9c
<6>[18559.204533]  [3:        mmcqd/0:  282] x9 : 000000000000bc00 x8 : 000000000000250a
<6>[18559.204585]  [3:        mmcqd/0:  282] x7 : 0000000000000000 x6 : ffffffc01008d330
<6>[18559.204643]  [3:        mmcqd/0:  282] x5 : 000000043b3d99f9 x4 : ffffffc0a5e726b0
<6>[18559.204697]  [3:        mmcqd/0:  282] x3 : 0000000000000000 x2 : ffffffc0a5e726b0
<6>[18559.204756]  [3:        mmcqd/0:  282] x1 : 0000000000000000 x0 : ffffffc0a5e726b0
<6>[18559.204817]  [3:        mmcqd/0:  282]
<0>[18559.207745]  [3:        mmcqd/0:  282] Process mmcqd/0 (pid: 282, stack limit = 0xffffffc0ace50028)
<6>[18559.207801]  [3:        mmcqd/0:  282] Call trace:
<6>[18559.207841]  [3:        mmcqd/0:  282]  bfq_dispatch_requests+0x584/0x74c
<6>[18559.207891]  [3:        mmcqd/0:  282]  blk_peek_request+0xa0/0x270
<6>[18559.207937]  [3:        mmcqd/0:  282]  blk_fetch_request+0x10/0x2c
<6>[18559.207984]  [3:        mmcqd/0:  282]  mmc_queue_thread+0xb0/0x1c0
<6>[18559.208031]  [3:        mmcqd/0:  282]  kthread+0xe0/0xe8
<0>[18559.208073]  [3:        mmcqd/0:  282] Code: 51000421 7100083f 54000048 b5000040 (e7f001f2)
<4>[18559.208129]  [3:        mmcqd/0:  282] ---[ end trace e4a2bef826d7bd11 ]---

Change-Id: I91da13ef7b469383e300626b0c1716c96001c422
2021-09-21 10:38:44 -04:00
Diogo Ferreira
e7c36fe2c0 bfq-sched: Forcefully lookup entities when the cache is inconsistent
bfq maintains a 'next-in-service' cache to prevent expensive lookups in
the hot path. However, the cache sometimes becomes inconsistent and
triggers a BUG:

[44042.622839] -(3)[154:mmcqd/0]BUG: failure at ../../../../../../kernel/cyanogen/mt6735/block/bfq-sched.c:72/bfq_check_next_in_service()!
[44042.622858] -(3)[154:mmcqd/0]Unable to handle kernel paging request at virtual address 0000dead
[44042.622866] -(3)[154:mmcqd/0]pgd = ffffffc001361000
[44042.622872] [0000dead] *pgd=000000007d816003, *pud=000000007d816003, *pmd=000000007d817003, *pte=0000000000000000
[44042.622890] -(3)[154:mmcqd/0]Internal error: Oops: 96000045 [#1] PREEMPT SMP
[44042.622907] -(3)[154:mmcqd/0]CPU: 3 PID: 154 Comm: mmcqd/0 Tainted:
[44042.622915] -(3)[154:mmcqd/0]Hardware name: MT6735 (DT)
[44042.622922] -(3)[154:mmcqd/0]task: ffffffc0378a6000 ti: ffffffc0378c4000
[44042.622936] -(3)[154:mmcqd/0]PC is at bfq_dispatch_requests+0x6c4/0x9bc
[44042.622944] -(3)[154:mmcqd/0]LR is at bfq_dispatch_requests+0x6bc/0x9bc
[44042.622952] -(3)[154:mmcqd/0]pc : [<ffffffc000306a68>] lr : [<ffffffc000306a60>] pstate: 800001c5
[44042.622958] -(3)[154:mmcqd/0]sp : ffffffc0378c7d30
[44042.622962] x29: ffffffc0378c7d30 x28: 0000000000000000
[44042.622972] x27: 0000000000000000 x26: ffffffc006c58810
[44042.622981] x25: ffffffc037f89820 x24: ffffffc000f14000
[44042.622990] x23: ffffffc036adb088 x22: ffffffc0369b2800
[44042.623000] x21: ffffffc036adb098 x20: ffffffc01d6a3b60
[44042.623009] x19: ffffffc036adb0c8 x18: 0000007f8cfa1500
[44042.623018] x17: 0000007f8db44f40 x16: ffffffc00012d0c0
[44042.623027] x15: 0000007f8dde04d8 x14: 676f6e6179632f6c
[44042.623037] x13: 656e72656b2f2e2e x12: 2f2e2e2f2e2e2f2e
[44042.623046] x11: 2e2f2e2e2f2e2e20 x10: 7461206572756c69
[44042.623055] x9 : 6166203a4755425d x8 : 00000000001f0cc5
[44042.623064] x7 : ffffffc000f3d5a0 x6 : 000000000000008b
[44042.623073] x5 : 0000000000000000 x4 : 0000000000000004
[44042.623082] x3 : 0000000000000002 x2 : 0000000000000001
[44042.623091] x1 : 0000000000000aee x0 : 000000000000dead

This patch makes the lookup resilient to cache inconsistencies by doing
the expensive recomputation in cases where the bug would otherwise be
triggered.

Ticket: PORRDIGE-527

Change-Id: I5dd701960057983a42d3d3bd57521e8d17c03d7f
2021-09-21 10:38:44 -04:00
google
254c8c4efb prima: add define SIR_ESE_MAX_MEAS_IE_REQS
Change-Id: I61f2add5e5382b791c802170502c3a243890bc35
2021-09-21 10:38:43 -04:00
Abhinav Kumar
c417602f79 wlan: Fix OOB read in sme_RrmProcessBeaconReportReqInd
Propagate from cld-3.0 to prima.

When beacon report request action frame is received,
rrmProcessBeaconReportReq() is called and num_channels value
is calculated from the action frame directly from user. This
value is assigned to pSmeBcnReportReq->channelList.numChannels
and this num channels value along with the channel list is
posted to sme for further processing. The sme function
sme_RrmProcessBeaconReportReqInd() processes this sme
message eWNI_SME_BEACON_REPORT_REQ_IND. In this function,
the channels in channel list are looped through the received
value pBeaconReq->channelList.numChannels and is copied to the
destination pSmeRrmContext->channelList array from the
pBeaconReq->channelList.channelNumber[] array.
The maximum possible number of channels in channel list
pBeaconReq->channelList.channelNumber[] allocated statically
in the definition of tSirChannelList is
SIR_ESE_MAX_MEAS_IE_REQS (8).
So when pBeaconReq->channelList.numChannels exceeds this, a possible OOB
read occurs.

Validate the value of pBeaconReq->channelList.numChannels
received from the action frame against the maximum supported
number of channels in channel list SIR_ESE_MAX_MEAS_IE_REQS (8).
Place this validation inside the function
sme_RrmProcessBeaconReportReqInd() instead of validating it
at rrmProcessBeaconReportReq() so that it defends from other
caller sme_SetEseBeaconRequest() which is from user space
command through IOCTL.

Change-Id: I2074b04081328ceab7eeb29c33631a635e9d93c3
CRs-Fixed: 2462152
2021-09-21 10:38:43 -04:00
lifeng
653a991df0 wlan: Fix possible buffer overflow in sirConvertAddtsRsp2Struct
In the function sirConvertAddtsRsp2Struct, iterator j is
assigned with the value pAddTs->numTclas + addts.num_WMMTCLAS.
The j value is used as the index to the array pAddTs->tclasInfo.
Maximum limit on pAddTs->tclasInfo entries is 2. So when the
value of j exceeds 2, then a possible buffer overflow could
occur.

Validate the value of j against SIR_MAC_TCLASIE_MAXNUM(2).

Change-Id: Icc723380ed4ccd51c729194d509e288be0e0712c
CRs-Fixed: 2449899
2021-09-21 10:38:42 -04:00
gaurank kathpalia
4b5cf10b21 wlan: Fix OOB read in limProcessDeauthFrame
Propagation from cld2.0 to prima.
In the API limProcessDeauthFrame, the reason code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access memory not allocated
to the frame, thus resulting in an OOB read.

Fix is to have a min length check of 16 bits for the
reason code before accessing it.

Change-Id: I7e7a435ba049356c13fb10240f4abb9bf6219af4
CRs-Fixed: 2341590
2021-09-21 10:38:41 -04:00
gaurank kathpalia
ba43c1b6e6 wlan: Fix Out-of-bound access in sapInterferenceRssiCount
Fix Out-of-bound access in sapInterferenceRssiCount, by checking
the limit of start address for channel info and end address for
channel info.

Change-Id: If21e09d0f11bd655a8e04139ccf55d3682734b17
CRs-Fixed: 2149350
2021-09-21 10:38:41 -04:00
Ashish Kumar Dhanotiya
4f0971198b prima: Avoid possible stack overflow in hdd_ProcessGENIE API
There is no check for the return value of dot11fUnpackIeRSN API
in hdd_ProcessGENIE API, which may cause stack overflow if
pmkid_count is returned as more than the PMKIDCache size.

Add a check for return value of dot11fUnpackIeRSN to avoid possible
stack overflow.

Change-Id: I56424c706de121b18b8d3f2c4a35089ec0434452
CRs-Fixed: 2149187
2021-09-21 10:38:40 -04:00
yeshwanth sriram guntuka
4535be1ba3 wlan: Fix memory allocation error
Allocation of memory for ric data fails
when ric data length is zero and error message
is displayed.

Fix is to allocate memory only when ric data length
is greater than zero.

Change-Id: I7c8825a5d287e13d660b0b1173c6c520f75ad3ef
CRs-Fixed: 2065221
2021-09-21 10:38:39 -04:00
Jeff Johnson
3840b68b9f prima: Propagate key sequence counter to SME
Currently the key sequence counter received from userspace is not
propagated to SME, so add logic to propagate it.

Change-Id: I5371700003744eb967c578c44e4d130628efcdc8
CRs-Fixed: 2129237
2021-09-21 10:38:38 -04:00
Vignesh Viswanathan
82533270de qcacld-2.0: Fix buffer overrun in function ProcSetReqInternal
In function ProcSetReqInternal, valueLen is obtained from the
message buffer pParam. This valueLen is used as argument to the
function GetStrValue where the contents of the buffer pParam is
copied to pMac->cfg.gSBuffer for valueLen number of bytes. However
the array pMac->cfg.gSBuffer is a static array of size CFG_MAX_STR_LEN.
If the value of valueLen exceeds CFG_MAX_STR_LEN, a buffer overwrite
will occur in GetStrValue.

Add a sanity check to make sure valueLen does not exceed CFG_MAX_STR_LEN.

Change-Id: Id16d4c4b8d2414c00a0fae8f8292f011d0763b84
CRs-Fixed: 2143847
2021-09-21 10:38:37 -04:00
syphyr
448463a947 qcacld-2.0: Fix double memory allocation of encrAuthFrame
The commit "qcacld-2.0: Fix incorrect length of encrypted auth frame" is
already allocating and setting memory for encrAuthFrame.  Don't allocate and
set the memory twice.

Change-Id: Id5c30d4213b9e41040bca303d42f990b0a9932c9
2021-09-21 10:38:36 -04:00
google
e468a98c08 qcacld-2.0: Add maximum bound check on WPA RSN IE length
WPA RSN IE is copied from source without a check on the given IE length.
A malicious IE length can cause buffer overflow.
Add maximum bound check on WPA RSN IE length.

Change-Id: Id159d307e8f9c1de720d4553a7c29f23cbd28571
CRs-Fixed: 2033213
2021-09-21 10:38:34 -04:00
google
87d7ec3737 qcacld-2.0: Fix incorrect frame length of encrypted auth frame
STA is not able to connect to AP configured with WEP shared
due to incorrect frame length of encrypted auth frame.

Fix this by using the correct frame length.

Bug: 67754642
Change-Id: Ida8d78b512ecf79314200a7c96f5b5c293e5474e
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
2021-09-21 10:38:32 -04:00
google
b40d05a047 qcacld-2.0: Fix incorrect length of encrypted auth frame
Memory for encrypted auth frame is allocated based on macro
SIR_MAC_AUTH_CHALLENGE_LENGTH. SIR_MAC_AUTH_CHALLENGE_LENGTH
was updated to 253 from 128. Auth failure is observed on
receiving challenge text of length 128.

Fix is to use length based on the challenge text received.

Change-Id: I9a8b1a05d36421cfab2bf699fe38c50e150cf464
CRs-Fixed: 2100554
Bug: 67030205
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
2021-09-21 10:38:30 -04:00
google
c58b4a7a63 qcacld-2.0: Check on IE length to avoid buffer over-read
An incorrect IE length can overflow the remaining length variable
and make IE parsing logic perform a buffer over-read.
Check on IE length to avoid buffer over-read.

Bug: 63868629
Change-Id: I20ef6a0136c7a5b602ad15a2fb725f20807b81d0
CRs-Fixed: 2033195
Signed-off-by: Ecco Park <eccopark@google.com>
2021-09-21 10:38:28 -04:00
google
454df2f458 qcacld-2.0: Add check for set_ft_ies buffer length
qcacld-3.0 to qcacld-2.0 propagation

Add check for buffer length in function sme_set_ft_ies.

Bug: 64431968

Change-Id: I7adc56e23316c0ceb193a5bdf8c4c0b5f4fbd20a
CRs-Fixed: 2070583
Signed-off-by: Ecco Park <eccopark@google.com>
Fix CVE-2017-11035
2021-09-21 10:38:25 -04:00
google
95ed424795 qcacld-2.0: Fix incorrect processing of encrypted auth frame
qcacld-3.0 to qcacld-2.0 propagation.

Fix incorrect processing of encrypted auth frame by allocating
appropriate local buffer and using correct type for frame length.

Change-Id: I87d6f4c3c43dd332d5b1877ddf4b3b46a717468b
CRs-Fixed: 2082544
Fix CVE-2017-11015

Change-Id: I7cb934fa97e0250fdc62eec74000f0dd5b323633
2021-09-21 10:38:23 -04:00
google
18be83da4a wlan: Change local variables to dynamic in limProcessAuthFrame
Currently limProcessAuthFrame stack frame size exceeds 1024 and causes
build failures for 32 bit platforms.

Move multiple variables from local to dynamic allocation to reduce the
frame size of limProcessAuthFrame.

Change-Id: I83cf5ab24693e0ce012894d808ac79bf37fa9a08
CRs-Fixed: 2083572
Fix CVE-2017-11015

Change-Id: Ifb1971d07ba99705f14d693a6d9a484f71a48c67
2021-09-21 10:38:22 -04:00
google
1c9eae999d wlan: Add bound check before writing to channel list
qcacld-3.0 to prima propagation

In function rrmProcessBeaconReportReq, add bound check before
writing to channel list which is of fixed size.

Change-Id: I3c80974bba84a96f7b85e4ce62bbb01c23b4babf
CRs-Fixed: 2072774
Fix CVE-2017-11014

Change-Id: Ie5ec655f449093b8b5042a398d94b8342df60e3e
2021-09-21 10:38:20 -04:00
google
e45a21534d qcacld-2.0: Update SIR_MAC_AUTH_CHALLENGE_LENGTH as per IEEE spec
qcacld-3.0 to qcacld-2.0 propagation

Update SIR_MAC_AUTH_CHALLENGE_LENGTH to 253 as per IEEE spec.
Currently value of SIR_MAC_AUTH_CHALLENGE_LENGTH is set to 128.
This may result in potential buffer overflow since frame parser
allows challenge text of length up to 253 but driver can not handle
challenge text longer than 128 bytes.

Change-Id: I7baf860fdde51a14a6573b4f0f26817f5071193e
CRs-Fixed: 2072937
Fix CVE-2017-11015

Change-Id: Ia8aafbb92ac089449d9ea448e45bbb4678d4bd36
2021-09-21 10:38:18 -04:00
google
e01f647bf8 qcacld-2.0: Update limComputeCrc32 to pass uint16_t
qcacld-3.0 to qcacld-2.0 propagation

Update limComputeCrc32() to pass uint16_t as a length type.
Currently uint8_t is being passed as length and there will be type
mismatch when authentication frame to be encrypted will be larger
than 255 bytes.

Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba
CRs-Fixed: 2072937
fix CVE-2017-11015

Change-Id: I0d2044fee3d597493d6c846de4122b6472a45b5e
2021-09-21 10:38:16 -04:00
google
4556591e9b prima: Skip an IE if found more than its max times in a frame
Check if an IE has been encountered more than the maximum possible for that IE while
parsing a frame.

Change-Id: I1054c7df18780469849be55fc4343f09ac502a49
CRs-Fixed: 2069927
Fix CVE-2017-11013

Change-Id: I41b97a29cf984e0fc605a22f6f6abfc07880976c
2021-09-21 10:38:12 -04:00
Daniel Rosenberg
f35f655694 BACKPORT: ANDROID: mnt: Propagate remount correctly
This switches over to propagation_next to respect
namespace semantics.

Test: Remounting to change the options of a fs with mount based
      options should propagate to all shared copies of that mount,
      and the slaves/indirect slaves of those.
Bug: 122428178
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Change-Id: Ic35cd2782a646435689f5bedfa1f218fe4ab8254
2021-09-16 18:33:29 -04:00
Eric W. Biederman
c48074f579 BACKPORT: propogate_mnt: Handle the first propogated copy being a slave
commit 5ec0811d30378ae104f250bfc9b3640242d81e3f upstream.

When the first propagated copy was a slave the following oops would result:
> BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> IP: [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0
> PGD bacd4067 PUD bac66067 PMD 0
> Oops: 0000 [#1] SMP
> Modules linked in:
> CPU: 1 PID: 824 Comm: mount Not tainted 4.6.0-rc5userns+ #1523
> Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
> task: ffff8800bb0a8000 ti: ffff8800bac3c000 task.ti: ffff8800bac3c000
> RIP: 0010:[<ffffffff811fba4e>]  [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0
> RSP: 0018:ffff8800bac3fd38  EFLAGS: 00010283
> RAX: 0000000000000000 RBX: ffff8800bb77ec00 RCX: 0000000000000010
> RDX: 0000000000000000 RSI: ffff8800bb58c000 RDI: ffff8800bb58c480
> RBP: ffff8800bac3fd48 R08: 0000000000000001 R09: 0000000000000000
> R10: 0000000000001ca1 R11: 0000000000001c9d R12: 0000000000000000
> R13: ffff8800ba713800 R14: ffff8800bac3fda0 R15: ffff8800bb77ec00
> FS:  00007f3c0cd9b7e0(0000) GS:ffff8800bfb00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000010 CR3: 00000000bb79d000 CR4: 00000000000006e0
> Stack:
>  ffff8800bb77ec00 0000000000000000 ffff8800bac3fd88 ffffffff811fbf85
>  ffff8800bac3fd98 ffff8800bb77f080 ffff8800ba713800 ffff8800bb262b40
>  0000000000000000 0000000000000000 ffff8800bac3fdd8 ffffffff811f1da0
> Call Trace:
>  [<ffffffff811fbf85>] propagate_mnt+0x105/0x140
>  [<ffffffff811f1da0>] attach_recursive_mnt+0x120/0x1e0
>  [<ffffffff811f1ec3>] graft_tree+0x63/0x70
>  [<ffffffff811f1f6b>] do_add_mount+0x9b/0x100
>  [<ffffffff811f2c1a>] do_mount+0x2aa/0xdf0
>  [<ffffffff8117efbe>] ? strndup_user+0x4e/0x70
>  [<ffffffff811f3a45>] SyS_mount+0x75/0xc0
>  [<ffffffff8100242b>] do_syscall_64+0x4b/0xa0
>  [<ffffffff81988f3c>] entry_SYSCALL64_slow_path+0x25/0x25
> Code: 00 00 75 ec 48 89 0d 02 22 22 01 8b 89 10 01 00 00 48 89 05 fd 21 22 01 39 8e 10 01 00 00 0f 84 e0 00 00 00 48 8b 80 d8 00 00 00 <48> 8b 50 10 48 89 05 df 21 22 01 48 89 15 d0 21 22 01 8b 53 30
> RIP  [<ffffffff811fba4e>] propagate_one+0xbe/0x1c0
>  RSP <ffff8800bac3fd38>
> CR2: 0000000000000010
> ---[ end trace 2725ecd95164f217 ]---

This oops happens with the namespace_sem held and can be triggered by
non-root users.  An all around not pleasant experience.

To avoid this scenario when finding the appropriate source mount to
copy stop the walk up the mnt_master chain when the first source mount
is encountered.

Further rewrite the walk up the last_source mnt_master chain so that
it is clear what is going on.

The reason why the first source mount is special is that its
mnt_parent is not a mount in the dest_mnt propagation tree, and as
such termination conditions based upon the dest_mnt mount propagation
tree do not make sense.

To avoid other kinds of confusion last_dest is not changed when
computing last_source.  last_dest is only used once in propagate_one
and that is above the point of the code being modified, so changing
the global variable is meaningless and confusing.

fixes: f2ebb3a921 ("smarter propagate_mnt()")
Reported-by: Tycho Andersen <tycho.andersen@canonical.com>
Reviewed-by: Seth Forshee <seth.forshee@canonical.com>
Tested-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ie55a2c52db9773b461acc6ebe427221acb7093f0
2021-09-16 14:14:38 -04:00
Maxim Patlasov
01609cc4af BACKPORT: fs/pnode.c: treat zero mnt_group_id-s as unequal
commit 7ae8fd0351f912b075149a1e03a017be8b903b9a upstream.

propagate_one(m) calculates "type" argument for copy_tree() like this:

>    if (m->mnt_group_id == last_dest->mnt_group_id) {
>        type = CL_MAKE_SHARED;
>    } else {
>        type = CL_SLAVE;
>        if (IS_MNT_SHARED(m))
>            type |= CL_MAKE_SHARED;
>    }

The "type" argument then governs clone_mnt() behavior with respect to flags
and mnt_master of new mount. When we iterate through a slave group, it is
possible that both current "m" and "last_dest" are not shared (although,
both are slaves, i.e. have non-NULL mnt_master-s). Then the comparison
above erroneously makes new mount shared and sets its mnt_master to
last_source->mnt_master. The patch fixes the problem by handling zero
mnt_group_id-s as though they are unequal.

The similar problem exists in the implementation of "else" clause above
when we have to ascend upward in the master/slave tree by calling:

>    last_source = last_source->mnt_master;
>    last_dest = last_source->mnt_parent;

proper number of times. The last step is governed by
"n->mnt_group_id != last_dest->mnt_group_id" condition that may lie if
both are zero. The patch fixes this case in the same way as the former one.

[AV: don't open-code an obvious helper...]

Signed-off-by: Maxim Patlasov <mpatlasov@virtuozzo.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I78454c89b1f672e49c8ffcf63d1339a3e371aa87
2021-09-16 14:14:33 -04:00
Daniel Rosenberg
5c4b88269c ANDROID: sdcardfs: Add option to not link obb
Add mount option unshared_obb to not link the obb
folders of multiple users together.

Bug: 27915347
Test: mount with option. Check if altering one obb
      alters the other
Signed-off-by: Daniel Rosenberg <drosen@google.com>

Change-Id: I3956e06bd0a222b0bbb2768c9a8a8372ada85e1e
2021-05-08 17:13:15 -04:00
Daniel Rosenberg
5e5a0b5125 fs: sdcardfs: Add missing option to show_options
unshared_obb was missing from show_options

bug: 133257717
Change-Id: I1bc49d1b4098052382a518540e5965e037aa39f1
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
2021-05-08 17:11:24 -04:00
Amir Goldstein
42110ed780 locks: print unsigned ino in /proc/locks
commit 98ca480a8f22fdbd768e3dad07024c8d4856576c upstream.

An ino is unsigned, so display it as such in /proc/locks.

Cc: stable@vger.kernel.org
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I250a495fe3fc809e880535347f462fe552644edf
2021-01-24 09:56:22 +00:00
Jeff Layton
5e483034fd locks: rename FL_FILE_PVT and IS_FILE_PVT to use "*_OFDLCK" instead
File-private locks have been re-christened as "open file description"
locks.  Finish the symbol name cleanup in the internal implementation.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Change-Id: Iee48047540a7d8fefb5078cc005ae9ea8994f521
2021-01-24 09:56:22 +00:00
Jeff Layton
059e6ee3a1 locks: rename file-private locks to "open file description locks"
File-private locks have been merged into Linux for v3.15, and *now*
people are commenting that the name and macro definitions for the new
file-private locks suck.

...and I can't even disagree. The names and command macros do suck.

We're going to have to live with these for a long time, so it's
important that we be happy with the names before we're stuck with them.
The consensus on the lists so far is that they should be rechristened as
"open file description locks".

The name isn't a big deal for the kernel, but the command macros are not
visually distinct enough from the traditional POSIX lock macros. The
glibc and documentation folks are recommending that we change them to
look like F_OFD_{GETLK|SETLK|SETLKW}. That lessens the chance that a
programmer will typo one of the commands wrong, and also makes it easier
to spot this difference when reading code.

This patch makes the following changes that I think are necessary before
v3.15 ships:

1) rename the command macros to their new names. These end up in the uapi
   headers and so are part of the external-facing API. It turns out that
   glibc doesn't actually use the fcntl.h uapi header, but it's hard to
   be sure that something else won't. Changing it now is safest.

2) make the /proc/locks output display these as type "OFDLCK"

Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Carlos O'Donell <carlos@redhat.com>
Cc: Stefan Metzmacher <metze@samba.org>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Frank Filz <ffilzlnx@mindspring.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Change-Id: Ia975197281d4c80a4ad420d7621896d2f369cef6
2021-01-24 09:56:22 +00:00
Jeff Layton
45ab3fb2a2 locks: add new fcntl cmd values for handling file private locks
Due to some unfortunate history, POSIX locks have very strange and
unhelpful semantics. The thing that usually catches people by surprise
is that they are dropped whenever the process closes any file descriptor
associated with the inode.

This is extremely problematic for people developing file servers that
need to implement byte-range locks. Developers often need a "lock
management" facility to ensure that file descriptors are not closed
until all of the locks associated with the inode are finished.

Additionally, "classic" POSIX locks are owned by the process. Locks
taken between threads within the same process won't conflict with one
another, which renders them useless for synchronization between threads.

This patchset adds a new type of lock that attempts to address these
issues. These locks conflict with classic POSIX read/write locks, but
have semantics that are more like BSD locks with respect to inheritance
and behavior on close.

This is implemented primarily by changing how fl_owner field is set for
these locks. Instead of having them owned by the files_struct of the
process, they are instead owned by the filp on which they were acquired.
Thus, they are inherited across fork() and are only released when the
last reference to a filp is put.

These new semantics prevent them from being merged with classic POSIX
locks, even if they are acquired by the same process. These locks will
also conflict with classic POSIX locks even if they are acquired by
the same process or on the same file descriptor.

The new locks are managed using a new set of cmd values to the fcntl()
syscall. The initial implementation of this converts these values to
"classic" cmd values at a fairly high level, and the details are not
exposed to the underlying filesystem. We may eventually want to push
this handling out to the lower filesystem code but for now I don't
see any need for it.

Also, note that with this implementation the new cmd values are only
available via fcntl64() on 32-bit arches. There's little need to
add support for legacy apps on a new interface like this.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Change-Id: I35691bdfed9cadcbbcb6ff6804d9eea1db661ddc
2021-01-24 09:56:22 +00:00
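The two semantics described in the commit message above (the new locks conflict with each other even within one process, and they are released only when the last reference to the open file description goes away rather than on any close of the inode), as an added C example that is not part of the patch: it assumes Linux with glibc exposing F_OFD_SETLK under _GNU_SOURCE, and uses a constructed scratch file under /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exclusive lock on byte 0 of fd; cmd is F_SETLK (classic POSIX) or
 * F_OFD_SETLK (open file description). Returns 0 on success or errno. */
static int try_wrlock(int fd, int cmd)
{
    struct flock fl;
    memset(&fl, 0, sizeof fl);  /* l_pid must be 0 for F_OFD_* commands */
    fl.l_type = F_WRLCK; fl.l_whence = SEEK_SET; fl.l_len = 1;
    return fcntl(fd, cmd, &fl) == -1 ? errno : 0;
}

/* n descriptors to one unlinked scratch file, each from its own open(),
 * so each refers to a distinct open file description (distinct filp). */
static int open_scratch(int fds[], int n)
{
    char path[] = "/tmp/ofdlock-XXXXXX";  /* constructed scratch path */
    if ((fds[0] = mkstemp(path)) == -1) return -1;
    for (int i = 1; i < n; i++) fds[i] = open(path, O_RDWR);
    unlink(path);
    return 0;
}

/* 1 if a second lock through another descriptor in the same process
 * conflicts (EAGAIN), 0 if it is merged with the first, -1 on error. */
int conflicts_in_same_process(int cmd)
{
    int fd[2];
    if (open_scratch(fd, 2) == -1) return -1;
    int rc = try_wrlock(fd[0], cmd) == 0 ? try_wrlock(fd[1], cmd) : -1;
    close(fd[0]); close(fd[1]);
    return rc == EAGAIN ? 1 : rc == 0 ? 0 : -1;
}

/* Lock via fd[0], close the unrelated fd[1], then let a forked child (a
 * separate process) try fd[2]. Returns 1 if the lock survived the close,
 * 0 if closing fd[1] dropped it (classic POSIX behaviour), -1 on error. */
int survives_unrelated_close(int cmd)
{
    int fd[3], status;
    if (open_scratch(fd, 3) == -1 || try_wrlock(fd[0], cmd) != 0) return -1;
    close(fd[1]);
    pid_t pid = fork();
    if (pid == 0) _exit(try_wrlock(fd[2], cmd) == EAGAIN);
    waitpid(pid, &status, 0);
    close(fd[0]); close(fd[2]);
    return WEXITSTATUS(status);
}
```

Calling each function once with F_SETLK and once with F_OFD_SETLK shows the contrast: classic locks merge in-process and vanish on the unrelated close, OFD locks conflict in-process and persist.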
Jeff Layton
ef04cb49df locks: pass the cmd value to fcntl_getlk/getlk64
Once we introduce file private locks, we'll need to know what cmd value
was used, as that affects the ownership and whether a conflict would
arise.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Change-Id: Iaeb8233ae25bde5ef0049118ff94e4a9e0f02214
2021-01-24 09:56:22 +00:00
Jeff Layton
9c43335d3c locks: report l_pid as -1 for FL_FILE_PVT locks
FL_FILE_PVT locks are no longer tied to a particular pid, and are
instead inheritable by child processes. Report an l_pid of '-1' for
these sorts of locks since the pid is somewhat meaningless for them.

This precedent comes from FreeBSD. There, POSIX and flock() locks can
conflict with one another. If fcntl(F_GETLK, ...) returns a lock set
with flock() then the l_pid member cannot be a process ID because the
lock is not held by a process as such.

Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Change-Id: I7d702fcaaaf8592356926d51b60e53ee217ca747
2021-01-24 09:56:22 +00:00
Jeff Layton
a84df81cdf locks: make /proc/locks show IS_FILE_PVT locks as type "FLPVT"
In a later patch, we'll be adding a new type of lock that's owned by
the struct file instead of the files_struct. Those sorts of locks
will be flagged with a new FL_FILE_PVT flag.

Report these types of locks as "FLPVT" in /proc/locks to distinguish
them from "classic" POSIX locks.

Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Change-Id: Id0b6d9c7a947b512e5683ad3b6188d73582c2de9
2021-01-24 09:56:22 +00:00
Jeff Layton
e3691f6a9e locks: rename locks_remove_flock to locks_remove_file
This function currently removes leases in addition to flock locks and in
a later patch we'll have it deal with file-private locks too. Rename it
to locks_remove_file to indicate that it removes locks that are
associated with a particular struct file, and not just flock locks.

Acked-by: J. Bruce Fields <bfields@fieldses.org>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Change-Id: I1289cfbc02eb778532e984a29adffb02a9370cc1
2021-01-24 09:56:22 +00:00
Eric Dumazet
2f393588f0 net: add sk_fullsock() helper
We have many places where we want to check if a socket is
not a timewait or request socket. Use a helper to avoid
hard coding this.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

[backported from net-next 1d0ab253872cdd3d8e7913f59c266c7fd01771d0]
[lorenzo@google.com: removed TCPF_NEW_SYN_RECV, and added a comment to add it back.]

Signed-off-by: Lorenzo Colitti <lorenzo@google.com>

Bug: 24163529
Change-Id: Ibf09017e1ab00af5e6925273117c335d7f515d73
2021-01-24 09:56:08 +00:00