In the code, start_fetch can try to access the
buffer pointer variable after free, as the
same pointer can be freed by the RELEASE_BUF call at
the same time.
Change-Id: Ic83f22336504cf67afe12131f791eee25477f011
Signed-off-by: Meera Gande <mgande@codeaurora.org>
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
There is a race condition around private data used in put() and get()
of a few mixer ctls with the close() callback. Add a global mutex lock and
code changes to protect such critical sections by acquiring that lock.
Change-Id: I276c2a234cfcbef88b4272b945e5c3f121e8eb32
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
In the API, the driver inserts 0 after the SSID name, to mark the
end of the SSID, but if the SSID name is 32 characters, which is
the max SSID length possible, the driver puts 0 at the 33rd
place in memory, which is not part of the SSID name, which
results in an OOB write, or off-by-one write condition.
Fix is to remove the addition of 0 after ssid, as in every
case the driver prints the ssid, taking the ssid length
as the input, and in that case insertion of 0 will not serve
any purpose.
Change-Id: I1d58026ec9f48fe9d00bd2f50783c65899588978
CRs-Fixed: 2541970
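The off-by-one described above, as an added example that is not the driver's code: a fixed-size SSID field (assumed layout), the terminator-writing pattern the commit removes beside a length-bounded copy, and a formatter that prints the SSID from its length with "%.*s" instead of relying on a NUL. The struct, function and field names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSID_MAX_LEN 32

/* Fixed-size SSID field as it typically sits inside a larger driver struct
 * (assumed layout; not the driver's own definition). 'len' is authoritative:
 * an SSID is 0..32 opaque bytes and is never NUL-terminated on the air. */
struct ssid_field {
    uint8_t len;
    uint8_t ssid[SSID_MAX_LEN];
};

/* The pattern the commit removes, kept for comparison. It is only ever called
 * here with len < SSID_MAX_LEN: for a 32-byte SSID the terminator would land
 * at ssid[32], one byte past the array and into whatever follows it. */
static void ssid_copy_terminated(struct ssid_field *f, const uint8_t *src, uint8_t len)
{
    memcpy(f->ssid, src, len);
    f->ssid[len] = 0;           /* off-by-one when len == SSID_MAX_LEN */
    f->len = len;
}

/* Hardened version: reject oversize input, copy exactly len bytes, and never
 * write a terminator. Every consumer must use f->len, not strlen(). */
static int ssid_copy_fixed(struct ssid_field *f, const uint8_t *src, size_t len)
{
    if (len > SSID_MAX_LEN)
        return -1;
    memcpy(f->ssid, src, len);
    f->len = (uint8_t)len;
    return 0;
}

/* Length-aware formatting: "%.*s" emits exactly f->len bytes, so the field
 * needs no NUL. Returns the number of characters written, or -1 if 'out' is
 * too small. */
static int ssid_format(char *out, size_t out_size, const struct ssid_field *f)
{
    int n = snprintf(out, out_size, "ssid=\"%.*s\" len=%u",
                     (int)f->len, (const char *)f->ssid, (unsigned)f->len);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed inputs: a short SSID and a 32-character one, the spec maximum. */
    static const uint8_t short_ssid[] = { 'g', 'u', 'e', 's', 't' };
    uint8_t max_ssid[SSID_MAX_LEN];
    struct ssid_field f;
    char line[64];

    memcpy(max_ssid, "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345", SSID_MAX_LEN);

    ssid_copy_terminated(&f, short_ssid, sizeof(short_ssid));   /* in bounds: len 5 */
    if (ssid_format(line, sizeof(line), &f) < 0)
        return 1;
    puts(line);

    if (ssid_copy_fixed(&f, max_ssid, sizeof(max_ssid)) != 0)
        return 1;
    if (ssid_format(line, sizeof(line), &f) < 0)
        return 1;
    puts(line);
    return 0;
}
```

The fixed path deliberately has no place for a terminator: once the length travels with the bytes, every consumer (logging, comparison, copying into frames) can be bounded by it, and the one-byte slack the old code needed disappears.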
In the function ConvertWscOpaque, the driver copies the
new parameters present in the additional IEs of the upstream
assoc request frame. While copying the IE length pOld->length to
curAddIELen, integer truncation could occur, as
curAddIELen is of type tANI_U8 whereas pOld->length is of
type tANI_U16.
Change the data type of curAddIELen to tANI_U16. Make the same change in
ConvertP2POpaque and ConvertWFDOpaque as well.
Change-Id: Ic26660fca4a02a265bfc9553b066c7ee42f1d1f4
CRs-Fixed: 2528392
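The truncation above, as an added example that is not the driver's code (the tANI_U8/tANI_U16 types are replaced by uint8_t/uint16_t and the IE container layout is assumed): copying a 300-byte IE blob with an 8-bit working length reduces it to 44 bytes, so a bounds check against the destination passes on the wrong value; the checked version keeps the 16-bit width and tests both source and destination capacity.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opaque IE blob as it arrives from the upstream assoc request (assumed
 * layout, not the driver's tANI_* types): a single 802.11 element carries at
 * most 255 payload bytes, but an aggregate "additional IEs" blob is sized
 * with a 16-bit length. */
struct opaque_ie {
    uint16_t length;
    uint8_t data[512];
};

/* Vulnerable pattern: the working length is a uint8_t, so a source length of
 * 256 or more is reduced modulo 256 before it is compared and copied. The
 * bounds check then passes on the truncated value while the caller still
 * believes the full length was transferred. Returns the length actually copied. */
static unsigned copy_len_truncated(uint8_t *dst, size_t dst_size, const struct opaque_ie *src)
{
    uint8_t cur_len = (uint8_t)src->length;   /* 300 becomes 44 here */

    if (cur_len > dst_size)
        return 0;
    memcpy(dst, src->data, cur_len);
    return cur_len;
}

/* Fixed pattern: keep the length in the source's own width and check it
 * against both the source capacity and the destination capacity. */
static bool copy_len_checked(uint8_t *dst, size_t dst_size, const struct opaque_ie *src,
                             uint16_t *out_len)
{
    uint16_t cur_len = src->length;

    if (cur_len > sizeof(src->data) || cur_len > dst_size)
        return false;
    memcpy(dst, src->data, cur_len);
    *out_len = cur_len;
    return true;
}

int main(void)
{
    /* Constructed input: a 300-byte IE blob, too large for a 100-byte target. */
    struct opaque_ie ie;
    uint8_t small[100], big[512];
    uint16_t n = 0;

    memset(&ie, 0, sizeof(ie));
    ie.length = 300;
    memset(ie.data, 0xdd, ie.length);

    printf("truncated copy into 100 bytes: copied %u of %u\n",
           copy_len_truncated(small, sizeof(small), &ie), ie.length);
    printf("checked copy into 100 bytes: %s\n",
           copy_len_checked(small, sizeof(small), &ie, &n) ? "ok" : "rejected");
    printf("checked copy into 512 bytes: %s, %u bytes\n",
           copy_len_checked(big, sizeof(big), &ie, &n) ? "ok" : "rejected", n);
    return 0;
}
```

The dangerous case is the first one: the 100-byte destination accepts a blob that claims 300 bytes because only 44 were counted, and any later code that trusts the original 16-bit length now disagrees with what was actually copied.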
Currently, capabilities suBeamformeeCap and muBeamformeeCap are set
during association request but not in re-association request. This
can lead to failure in beamforming after roaming. Fix this by updating
them during roaming as well.
Change-Id: I28e86b93a5114f3b76733effe4428a92cf94b441
CRs-Fixed: 1033328
Fix the index error of the chanBondingSet element. Otherwise, the channel list
[116,120,124,128] will be ignored when considering which channels to add to the available
channels when channel bonding is set to 40/80 MHz during the sapRandomChannelSel
stage.
Change-Id: Ia90ece227c32fd9aad4a3cb69372e9cb8cf981a8
CRs-Fixed: 1037612
It's a fix for an sns issue. Set the DUT as SAP; the ref client sends an assoc req
to the DUT, and as part of this frame processing lim does ADD_STA and posts
eWNI_SME_ASSOC_IND to the sme layer. Before the SME layer sends eWNI_SME_ASSOC_CNF,
the DUT receives an auth frame which triggers deauth. In this case the lim layer
will delete the ref client's related info, but the wma layer doesn't get any
notification.
To fix this, lim has to notify wma to do DEL_STA for that peer.
Change-Id: Id4aae51aae3fb68e752d09793ad3bce17665fc2e
CRs-Fixed: 979687
When leave IBSS is called, the disconnect IBSS command is posted to
SME and the leave IBSS function returns without waiting for the disconnect
to complete.
Now if unload is started before the IBSS disconnect is completed, as
part of stop adapter the IBSS disconnect command is posted to SME again,
as the HDD state is still not disconnected.
The first disconnect sets the BSSID to zero, and thus once the second
disconnect calls the disconnect handler, a warning is seen as the BSSID passed
to the IPA event handler is zero.
As part of the fix, add a wait for disconnect completion in leave IBSS and
move the BSSID check after the SAP device mode check.
Change-Id: I83cdac1514833d21aa19052cde9b32476348f0c4
CRs-Fixed: 1017319
wma_ibss_peer_info_event_handler returns error when peer_info is NULL.
However, peer_info can be NULL in case num_peers connected is 0.
Handle this case in hdd_get_ibss_peer_info_cb so that callers of
GETIBSSPEERINFOALL do not see stale results after all connected peers
have left the IBSS. Also, log the errors for enabling debug and reset
the ibss_peer_info statistics.
CRs-Fixed: 1007555
Change-Id: I913748bf11f9362e5faaaf29c26fc39fda85f4a9
Presently the Roam Scan Offload commands (Start/Restart/Stop etc.) are all
sent directly from CSR to WDA. This fix reroutes these commands to LIM
and sends them to WDA from there so that any session specific data
can be updated on this RSO command exchange. "roaming_in_progress"
is a PE session parameter which needs to be reset for STOP/START/RESTART
commands. If not, even though firmware sends the KICK STA event the driver won't
disconnect from the AP.
Change-Id: I86c3b93570a38329cbc6a8a31017ece172164732
CRs-fixed: 1009486
During P2P functionality, Host will send GO NEG REQ and
receives ACK completion from firmware which will be queued
to indicate HDD. Meanwhile if host receives GO-NEG RESP it
will be sent directly to HDD via function callback. In HDD as
we got GO NEG RESP before ACK completion for GO-NEG REQ, HDD
will generate pkt completion for GO NEG Request.
Now the GO NEG CONFIRMATION frame will be sent and the driver will be
expecting completion for this. The GO NEG REQ ACK completion
which got buffered in PE will be delivered to Supplicant and
Supplicant assumes that this is the ACK for GO NEG CONF frame.
This causes early termination of remain on channel due to which
firmware may drop the GO NEG CONF frame and may not retry as ROC
is terminated.
Fix this by making ACK Completion indication to HDD via function
callback.
Change-Id: I0dd3acb236b270839649d2becfdc007e7aae9fdd
CRs-Fixed: 1012547
In function lim_update_ibss_prop_add_ies size of a malloc is based on
sum of two integers. Add check for integer overflow before malloc.
Change-Id: I53ad59f0a38b102d714fa8cfe9471b52935d8376
CRs-Fixed: 2116415
The vendor IBSS feature doesn't work because the WPA IE is cleared by
setting the vendor specific IE. Per the vendor spec, logic needs to be added to replace
the vendor specific IE instead of simply overwriting or appending to the existing IE.
Change-Id: Ie1569b22e22716abcf7d215c2e93870b84cf668f
CRs-Fixed: 962051
Some stations send an association request with a zero-length SuppChannels
IE; currently dot11f then decodes it to an invalid value.
To fix this, set the minsize of the SuppChannels IE to 2.
Change-Id: If44807d2f2b8a62e5a137ca3d17af2e2654f72f2
CRs-Fixed: 2303493
commit 35033ab988c396ad7bce3b6d24060c16a9066db8 upstream.
In parse_options(), if match_strdup() failed, parse_options() leaves
opts->iocharset in an unexpected state (i.e. still pointing to the freed
string). And this can be the cause of a double free.
To fix this, always initialize opts->iocharset when freeing.
Change-Id: Ic7e843b1b4f66cefa10e9563d8a382c29e436099
Link: http://lkml.kernel.org/r/8736wp9dzc.fsf@mail.parknet.co.jp
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Reported-by: syzbot+90b8e10515ae88228a92@syzkaller.appspotmail.com
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
makes ->d_hash() and ->d_compare() safety in RCU mode independent
from vfsmount_lock.
Change-Id: I7764e4e14a3d41458e641a74355f2e2a13ecf835
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
propagation from qcacld-3.0 to qcacld-2.0
While processing the DO_ACS vendor command, the session context, which is
a union holding either the station's or the SAP's session, is updated
without checking the adapter's mode. This may corrupt the station's
session context if DO_ACS is invoked with a station adapter.
Validate the adapter mode and process DO_ACS vendor commands only if the
mode is SAP/P2P_GO.
Change-Id: Id882acd5514274a092807995f8eb58c4b5ff7fee
CRs-Fixed: 2295622
Bug: 73173201
Signed-off-by: Andrew LeCain <alecain@google.com>
Propagation from qcacld-3.0 to qcacld-2.0
Currently, wlan_hdd_cfg80211_start_bss() copies
supported rates and extended rates from the information element pointer
without checking array bounds, which may cause OOB access.
To address this issue, add length checks before copying supported
rates and extended rates.
Change-Id: Ic6363e97bb3498a5dd23bc5e5f9b9f3ce093509d
CRs-Fixed: 2427503
Bug: 112432329
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
CVE-2019-10566
commit 7c80eb1c7e2b8420477fbc998971d62a648035d9 upstream.
In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
allocated sk_buff. Free it on error.
Fixes: 55569ce256 ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
Change-Id: I9ddc961fd70c2c2f30d56c10b5a322d1e780778d
Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
commit 903869bd10e6719b9df6718e785be7ec725df59f upstream.
ip_sf_list_clear_all() needs to be defined even if !CONFIG_IP_MULTICAST
Fixes: 3580d04aa674 ("ipv4/igmp: fix another memory leak in igmpv3_del_delrec()")
Change-Id: I486d8608b0e56a1ebff5b7e41420d7639c625b19
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
commit b4846fc3c8559649277e3e4e6b5cec5348a8d208 upstream.
Andrey reported a lockdep warning on non-initialized
spinlock:
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU: 1 PID: 4099 Comm: a.out Not tainted 4.12.0-rc6+ #9
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:16
dump_stack+0x292/0x395 lib/dump_stack.c:52
register_lock_class+0x717/0x1aa0 kernel/locking/lockdep.c:755
? 0xffffffffa0000000
__lock_acquire+0x269/0x3690 kernel/locking/lockdep.c:3255
lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855
__raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135
_raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:175
spin_lock_bh ./include/linux/spinlock.h:304
ip_mc_clear_src+0x27/0x1e0 net/ipv4/igmp.c:2076
igmpv3_clear_delrec+0xee/0x4f0 net/ipv4/igmp.c:1194
ip_mc_destroy_dev+0x4e/0x190 net/ipv4/igmp.c:1736
We miss a spin_lock_init() in igmpv3_add_delrec(), probably
because previously we never used it on this code path. Since
we already unlink it from the global mc_tomb list, it is
probably safe not to acquire this spinlock here. It does no
harm to have it, though, to avoid conditional locking.
Fixes: c38b7d327aaf ("igmp: acquire pmc lock for ip_mc_clear_src()")
Change-Id: I1b59ee14a75d081dd01445afda7001163c4ead38
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
commit c38b7d327aafd1e3ad7ff53eefac990673b65667 upstream.
Andrey reported a use-after-free in add_grec():
for (psf = *psf_list; psf; psf = psf_next) {
...
psf_next = psf->sf_next;
where the struct ip_sf_list's were already freed by:
kfree+0xe8/0x2b0 mm/slub.c:3882
ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078
ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618
ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609
inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411
sock_release+0x8d/0x1e0 net/socket.c:597
sock_close+0x16/0x20 net/socket.c:1072
This happens because we don't hold pmc->lock in ip_mc_clear_src()
and a parallel mr_ifc_timer timer could jump in and access them.
The RCU lock is there but it is merely for pmc itself, this
spinlock could actually ensure we don't access them in parallel.
Thanks to Eric and Long for discussion on this bug.
Change-Id: I53caaedd2487e58e14026c6d770380bb3dbb78c0
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
commit 9c8bb163ae784be4f79ae504e78c862806087c54 upstream.
In function igmpv3/mld_add_delrec() we allocate pmc and put it in
idev->mc_tomb, so we should free it when we don't need it in del_delrec().
But I removed kfree(pmc) incorrectly in latest two patches. Now fix it.
Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when ...")
Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when ...")
Change-Id: I81bad9c39912fbdd8170fafaf7f9d122cb9c52c3
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
kgsl_cmdbatch_destroy() tries to cancel all pending sync events
by taking a local copy of the pending list. In the case of a sync point timestamp
event, it goes ahead and accesses the context's events list, assuming that
the event's context would be alive.
But at the same time, the other context, which is of interest for
these sync point events, can be destroyed by cancelling all
events in its group.
This leads to a use-after-free in the kgsl_cmdbatch_destroy() path.
The fix is to give the responsibility of putting the context's ref count
to the thread which clears the pending mask.
Change-Id: I8d08ef6ddb38ca917f75088071c04727bced11d2
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
commit 5f8cf712582617d523120df67d392059eaf2fc4b upstream.
If a USB sound card reports 0 interfaces, an error condition is triggered
and the function usb_audio_probe errors out. In the error path, there was a
use-after-free vulnerability where the memory object of the card was first
freed, followed by a decrement of the number of active chips. Moving the
decrement above the atomic_dec fixes the UAF.
[ The original problem was introduced in 3.1 kernel, while it was
developed in a different form. The Fixes tag below indicates the
original commit but it doesn't mean that the patch is applicable
cleanly. -- tiwai ]
Fixes: 362e4e49ab ("ALSA: usb-audio - clear chip->probing on error exit")
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[surenb@google.com: resolve 3.18 differences]
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I54aecb9fe09beb178bc5d48f18ffa9ca13cf26e0
CVE-2018-19824
To prevent races with ep_remove_waitqueue() removing the
waitqueue at the same time.
Change-Id: Ib0cb4fc4549a813bc7f788961e37c1b89d318d83
Reported-by: syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com
Signed-off-by: Martijn Coenen <maco@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
binder_poll() passes the thread->wait waitqueue that
can be slept on for work. When a thread that uses
epoll explicitly exits using BINDER_THREAD_EXIT,
the waitqueue is freed, but it is never removed
from the corresponding epoll data structure. When
the process subsequently exits, the epoll cleanup
code tries to access the waitlist, which results in
a use-after-free.
Prevent this by using POLLFREE when the thread exits.
(cherry picked from commit f5cb779ba16334b45ba8946d6bfa6d9834d1527f)
Change-Id: Ib34b1cbb8ab2192d78c3d9956b2f963a66ecad2e
Signed-off-by: Martijn Coenen <maco@android.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f88eb7c0d002a67ef31aeb7850b42ff69abc46dc upstream.
We currently don't validate the beacon head, i.e. the header,
fixed part and elements that are to go in front of the TIM
element. This means that the variable elements there can be
malformed, e.g. have a length exceeding the buffer size, but
most downstream code from this assumes that this has already
been checked.
Add the necessary checks to the netlink policy.
Change-Id: Ib0fc57efd6ef4bd4fd5e93de3af0a22dded6e520
Cc: stable@vger.kernel.org
Fixes: ed1b6cc7f8 ("cfg80211/nl80211: add beacon settings")
Link: https://lore.kernel.org/r/1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
only the attributes are required and not the whole netlink info, as the
function accesses the attributes only anyway. This makes it easier to
parse nested beacon IEs later.
Change-Id: I1445cf91edbf018f8a1de5434f0a84acb27dbbdd
Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-off-by: Mathias Kretschmer <mathias.kretschmer@fokus.fraunhofer.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
commit 7388afe09143210f555bdd6c75035e9acc1fab96 upstream.
Enforce the first argument to be a correct type of a pointer to struct
element and avoid unnecessary typecasts from const to non-const pointers
(the change in validate_ie_attr() is needed to make this part work). In
addition, avoid signed/unsigned comparison within for_each_element() and
mark struct element packed just in case.
Change-Id: I9351410943062797b21ef76a93b9c955f62242cb
Signed-off-by: Jouni Malinen <j@w1.fi>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0f3b07f027f87a38ebe5c436490095df762819be upstream.
Rather than always iterating elements from frames with pure
u8 pointers, add a type "struct element" that encapsulates
the id/datalen/data format of them.
Then, add the element iteration macros
* for_each_element
* for_each_element_id
* for_each_element_extid
which take, as their first 'argument', such a structure and
iterate through a given u8 array interpreting it as elements.
While at it and since we'll need it, also add
* for_each_subelement
* for_each_subelement_id
* for_each_subelement_extid
which instead of taking data/length just take an outer element
and use its data/datalen.
Also add for_each_element_completed() to determine if any of
the loops above completed, i.e. it was able to parse all of
the elements successfully and no data remained.
Use for_each_element_id() in cfg80211_find_ie_match() as the
first user of this.
Change-Id: I4222114545b72f91688c0d6e4ea0915842e089c9
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
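The element iteration described in the two commits above (the beacon-head validation and the struct element / for_each_element helpers), as an added example that is not the kernel's code: a packed id/datalen/data view, an iterator whose body runs only for elements that fit entirely in the buffer, a completion check, and the two callers a beacon policy needs (a well-formedness check and a lookup by element id). The macro bodies are written from scratch here and are simplified relative to the kernel's; the sample IE blobs are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* id/datalen/data view of one 802.11 element, packed like the kernel's. */
struct element {
    uint8_t id;
    uint8_t datalen;
    uint8_t data[];
} __attribute__((packed));

/* Iterate the elements in [data, data + datalen). The body runs only for an
 * element whose header and full payload fit in the remaining buffer, so a
 * length byte that exceeds the buffer stops the walk instead of being read
 * past the end. */
#define for_each_element(_elem, _data, _datalen)                               \
    for (_elem = (const struct element *)(_data);                              \
         (const uint8_t *)(_data) + (_datalen) - (const uint8_t *)(_elem) >=   \
             (ptrdiff_t)sizeof(*(_elem)) &&                                    \
         (const uint8_t *)(_data) + (_datalen) - (const uint8_t *)(_elem) >=   \
             (ptrdiff_t)sizeof(*(_elem)) + (_elem)->datalen;                   \
         _elem = (const struct element *)((_elem)->data + (_elem)->datalen))

#define for_each_element_id(_elem, _id, _data, _datalen) \
    for_each_element(_elem, _data, _datalen)              \
        if ((_elem)->id == (_id))

/* True iff the walk consumed exactly the whole buffer: no trailing bytes and
 * no truncated element stopped it early. Must follow a for_each_element loop
 * over the same (_data, _datalen). */
#define for_each_element_completed(_elem, _data, _datalen) \
    ((const uint8_t *)(_elem) == (const uint8_t *)(_data) + (_datalen))

/* The check a beacon-head policy needs: accept the blob only if every element
 * is complete and the buffer ends on an element boundary. */
static bool ies_well_formed(const uint8_t *ies, size_t len)
{
    const struct element *elem;

    for_each_element(elem, ies, len) {
        /* nothing to do per element; the loop condition does the checking */
    }
    return for_each_element_completed(elem, ies, len);
}

/* First element with the given id; NULL if absent or beyond a malformed one. */
static const struct element *find_ie(uint8_t id, const uint8_t *ies, size_t len)
{
    const struct element *elem;

    for_each_element_id(elem, id, ies, len)
        return elem;
    return NULL;
}

/* Constructed samples: SSID "test", Supported Rates, DS Parameter Set ... */
static const uint8_t good_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x01, 0x03, 0x82, 0x84, 0x8b,
    0x03, 0x01, 0x06,
};
/* ... and the same tail where the DS element claims 10 bytes but has 1. */
static const uint8_t bad_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x03, 0x0a, 0x06,
};

int main(void)
{
    const struct element *e;

    printf("good blob well-formed: %d\n", ies_well_formed(good_ies, sizeof(good_ies)));
    printf("bad blob well-formed:  %d\n", ies_well_formed(bad_ies, sizeof(bad_ies)));
    e = find_ie(3, good_ies, sizeof(good_ies));
    if (e)
        printf("DS channel from good blob: %u\n", e->data[0]);
    e = find_ie(3, bad_ies, sizeof(bad_ies));
    printf("DS element from bad blob: %s\n", e ? "found" : "not returned");
    return 0;
}
```

Note the two-stage condition: the header is only dereferenced once two bytes are known to remain, and datalen is only trusted once the payload is known to fit. A lookup that stops short is still safe for the elements before the truncated one, which is why find_ie still returns the SSID from the bad blob while ies_well_formed rejects the blob as a whole.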
There is a possibility of use-after-free and
double free because the buffer is not marked as
NULL after freeing. The patch marks the buffer
as NULL after freeing in the error case.
Change-Id: Iacf8f8a4a4e644f48c87d5445ccd594766f2e156
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Make a change to validate whether there is enough space to write a
uint64 instead of a uint32 value in __qseecom_update_cmd_buf_64.
Change-Id: Iabf61dea240f16108e1765585aae3a12d2d651c9
Signed-off-by: jitendra thakare <jitendrathakare@codeaurora.org>
netlbl_unlabel_addrinfo_get() assumes that if it finds the
NLBL_UNLABEL_A_IPV4ADDR attribute, it must also have the
NLBL_UNLABEL_A_IPV4MASK attribute as well. However, this is
not necessarily the case as the current checks in
netlbl_unlabel_staticadd() and friends are not sufficient to
enforce this.
If passed a netlink message with NLBL_UNLABEL_A_IPV4ADDR,
NLBL_UNLABEL_A_IPV6ADDR, and NLBL_UNLABEL_A_IPV6MASK attributes,
these functions will all call netlbl_unlabel_addrinfo_get() which
will then attempt to dereference NULL when fetching the non-existent
NLBL_UNLABEL_A_IPV4MASK attribute:
Unable to handle kernel NULL pointer dereference at virtual address 0
Process unlab (pid: 31762, stack limit = 0xffffff80502d8000)
Call trace:
netlbl_unlabel_addrinfo_get+0x44/0xd8
netlbl_unlabel_staticremovedef+0x98/0xe0
genl_rcv_msg+0x354/0x388
netlink_rcv_skb+0xac/0x118
genl_rcv+0x34/0x48
netlink_unicast+0x158/0x1f0
netlink_sendmsg+0x32c/0x338
sock_sendmsg+0x44/0x60
___sys_sendmsg+0x1d0/0x2a8
__sys_sendmsg+0x64/0xb4
SyS_sendmsg+0x34/0x4c
el0_svc_naked+0x34/0x38
Code: 51001149 7100113f 540000a0 f9401508 (79400108)
---[ end trace f6438a488e737143 ]---
Kernel panic - not syncing: Fatal exception
Change-Id: Ib2ec6e8c8296554b8b7394592a24e0cb2e92cbf5
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
propagation from qcacld-3.0 to qcacld-2.0
In wma_log_supported_evt_handler, events_logs_list in
wma handle is freed if previously allocated. If the
num_of_diag_events_logs exceeds the max size, we exit
from the function early without allocating memory for
events_logs_list. This can result in a potential double
free scenario if we receive another DIAG_EVENT_LOG_SUPPORTED
event from firmware.
Fix is to set events_logs_list pointer to NULL after
freeing memory.
Change-Id: I9d6148dfc064d87e2947d1b5ec4492c08913dd4c
CRs-Fixed: 2482603
commit 38c73529de13e1e10914de7030b659a2f8b01c3b upstream.
In commit 19e4e768064a8 ("ipv4: Fix raw socket lookup for local
traffic"), the dif argument to __raw_v4_lookup() is coming from the
returned value of inet_iif() but the change was done only for the first
lookup. Subsequent lookups in the while loop still use skb->dev->ifIndex.
Fixes: 19e4e768064a8 ("ipv4: Fix raw socket lookup for local traffic")
Change-Id: I2e40ae96d0513cbab9332fd58d6dd96a2ac3c307
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Currently only a NULL pointer check is used to validate the return
value from clk_get; this change handles all the failures.
This snapshot is taken from msm-4.9
Ported it from 4.9 to 3.18
Change-Id: Icd8b7e33d0f235a7c5dde2307972a594908e6a60
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
To avoid access to a variable after it has been freed, use the
list_first_entry_safe function to iterate over a list
of the given type, safe against removal of a list entry.
Change-Id: I70611fddf3e9b80b1affa3e5235be24eac0d0a58
Signed-off-by: Monika Singh <monising@codeaurora.org>
When reading an extra descriptor, we need to properly check the minimum
and maximum size allowed, to guard against invalid data being sent by a
device.
Change-Id: If4dd31307e0531261c9d9a21fbea5487732f7baa
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This change fixes buffer overflows and silent data corruption with the
usbmon device driver text file read operations.
Change-Id: Ie9953b9b05863feebfe81f4d2e18f2b6af72d58d
Signed-off-by: Fredrik Noring <noring@nocrew.org>
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The sec_ts touch driver sysfs store callback had a couple of userspace buffer copy
operations where it was not checking the validity of the length being copied
from the source buffer. This CL adds the necessary boundary checks to make sure the
destination kernel buffer is not overflowed.
Bug: 120211708
Bug: 120211415
Change-Id: I8bfe1ab9ae50d89ce12eeaf856204c20056a2061
Signed-off-by: Biswajit Dash <bisdash@google.com>
Signed-off-by: Danny Lin <danny@kdrag0n.dev>
The kernel address is used as cookie to keep track
of stats request. This address can be disclosed to
target leading to a security vulnerability.
Implement a FW stats descriptor pool, and use a
descriptor ID to keep track of stats requests,
instead of the kernel address, to prevent
kernel address leak.
Change-Id: Ib49150da899c0b9314f614868a90867f4aa92d3d
CRs-Fixed: 2276007
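A descriptor pool of the kind the commit above describes, as an added example that is not the qcacld code: requests are tracked by a small integer id handed to the target, never by their kernel address, and the id carries a generation so a late or forged completion cannot alias a reused slot. Pool size, id layout and all names are assumptions made here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_STATS_DESC_POOL_SIZE 8

/* One outstanding stats request. The firmware only ever sees 'id'; the
 * request object stays host-side. */
struct fw_stats_desc {
    bool in_use;
    uint32_t id;      /* cookie handed to the target */
    void *req;        /* kernel-side request, never exported */
};

struct fw_stats_pool {
    struct fw_stats_desc desc[FW_STATS_DESC_POOL_SIZE];
    uint32_t generation;   /* bumped on every allocation so stale ids miss */
};

/* Take a free slot for 'req' and return its id cookie, or 0 when the pool is
 * exhausted. The id packs the slot index into the low byte and an allocation
 * generation above it, so a late or forged completion carrying an old id does
 * not resolve to whatever request now occupies the reused slot. */
static uint32_t fw_stats_desc_get(struct fw_stats_pool *p, void *req)
{
    for (unsigned i = 0; i < FW_STATS_DESC_POOL_SIZE; i++) {
        struct fw_stats_desc *d = &p->desc[i];

        if (d->in_use)
            continue;
        d->in_use = true;
        d->req = req;
        d->id = (++p->generation << 8) | i;
        return d->id;
    }
    return 0;
}

/* Resolve a cookie coming back from the firmware. Every field is checked, so a
 * malformed or stale id yields NULL instead of an arbitrary pointer. */
static void *fw_stats_desc_lookup(const struct fw_stats_pool *p, uint32_t id)
{
    unsigned i = id & 0xff;

    if (id == 0 || i >= FW_STATS_DESC_POOL_SIZE)
        return NULL;
    if (!p->desc[i].in_use || p->desc[i].id != id)
        return NULL;
    return p->desc[i].req;
}

/* Release the slot; ignores ids that do not match a live descriptor. */
static void fw_stats_desc_put(struct fw_stats_pool *p, uint32_t id)
{
    unsigned i = id & 0xff;

    if (i < FW_STATS_DESC_POOL_SIZE && p->desc[i].in_use && p->desc[i].id == id)
        memset(&p->desc[i], 0, sizeof(p->desc[i]));
}

int main(void)
{
    struct fw_stats_pool pool;
    int request_a, request_b;   /* stand-ins for real stats request objects */
    uint32_t id_a, id_b;

    memset(&pool, 0, sizeof(pool));
    id_a = fw_stats_desc_get(&pool, &request_a);
    id_b = fw_stats_desc_get(&pool, &request_b);
    printf("cookies sent to firmware: 0x%08x 0x%08x (no kernel addresses)\n", id_a, id_b);
    printf("lookup of id_a resolves to request_a: %d\n",
           fw_stats_desc_lookup(&pool, id_a) == &request_a);
    fw_stats_desc_put(&pool, id_a);
    printf("lookup of released id_a: %s\n",
           fw_stats_desc_lookup(&pool, id_a) ? "found" : "rejected");
    return 0;
}
```

Two properties matter for the security point: nothing that crosses to the target depends on host memory layout, and the host validates the cookie on the way back, so the firmware side cannot steer a completion at a request it was not issued for. In a real driver the pool would be protected by the same lock that serialises request issue and completion.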
Propagate from qcacld3.0 to qcacld2.0
Currently the variable "num_mpdu_ranges" comes from the message and is used
directly without any validation, which causes a buffer over-write.
To avoid the buffer over-write, add a check for a valid num_mpdu_ranges.
Change-Id: I54e138d4bd63cbe7a0ae4faf0fe9d8e59ca92c71
CRs-Fixed: 2500393
Add adf_print API to print error logs from ADF module.
Add ADF_BUG implementation to warn in case crash is not
required.
Change-Id: If4ba15c669cf5d6769cb7850314cd3bd66f8fd90
CRs-Fixed: 1074129
'nRoamingTime' is a 32-bit integer; it can overflow when multiplied
by PAL_TICKS_PER_SECOND, so type cast it to 64-bit before
multiplying to avoid overflow.
Change-Id: I66b303dc0631078cc442fcf3c95027bc224bf57f
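The two arithmetic overflows described in this log, the size sum checked before malloc in lim_update_ibss_prop_add_ies and the nRoamingTime multiplication just above, as one added example that is not the driver's code. The length types, the PAL_TICKS_PER_SECOND value and the function names are assumptions; the wrap values are what 32-bit unsigned arithmetic produces.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PAL_TICKS_PER_SECOND 1000u   /* assumed value, for illustration only */

/* Sum two 32-bit IE lengths for one allocation, refusing the request when
 * the sum would wrap. This is the "check before malloc" shape of the
 * lim_update_ibss_prop_add_ies fix, written portably without builtins. */
static bool add_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Allocate room for two IE payloads back to back; NULL on overflow or OOM.
 * Without the check, 0xFFFFFFF0 + 0x20 wraps to 0x10 and a later copy of
 * either payload runs far past a 16-byte buffer. */
static void *alloc_for_two_ies(uint32_t len_a, uint32_t len_b)
{
    uint32_t total;

    if (!add_u32_checked(len_a, len_b, &total))
        return NULL;
    return malloc(total);
}

/* Vulnerable: both operands are 32-bit, so the product wraps before it is
 * widened for the return value. */
static uint64_t roaming_ticks_wrapping(uint32_t roaming_time)
{
    return roaming_time * PAL_TICKS_PER_SECOND;
}

/* Fixed: widen first, then multiply, as the nRoamingTime cast does. */
static uint64_t roaming_ticks_fixed(uint32_t roaming_time)
{
    return (uint64_t)roaming_time * PAL_TICKS_PER_SECOND;
}

int main(void)
{
    void *p = alloc_for_two_ies(0xFFFFFFF0u, 0x20u);
    printf("overflowing allocation: %s\n", p ? "granted" : "refused");
    free(p);

    p = alloc_for_two_ies(16, 32);
    printf("sane allocation: %s\n", p ? "granted" : "refused");
    free(p);

    printf("5000000 * %u: wrapping=%llu fixed=%llu\n", PAL_TICKS_PER_SECOND,
           (unsigned long long)roaming_ticks_wrapping(5000000u),
           (unsigned long long)roaming_ticks_fixed(5000000u));
    return 0;
}
```

Both bugs have the same root: the width of the intermediate is decided by the operand types, not by the variable the result is stored in, so the cast or the check has to happen before the operation, not after.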
[ Upstream commit 732706afe1cc46ef48493b3d2b69c98f36314ae4 ]
On policies with a transport mode template, we pass the addresses
from the flowi to xfrm_state_find(), assuming that the IP addresses
(and address family) don't change during transformation.
Unfortunately our policy template validation is not strict enough.
It is possible to configure policies with a transport mode template
where the address family of the template does not match the selector's
address family. This leads to stack-out-of-bounds reads because
we compare addresses of the wrong family. Fix this by refusing
such a configuration; the address family cannot change in transport
mode.
We use the assumption that, in transport mode, the first template's
address family must match the address family of the policy selector.
Subsequent transport mode templates must match the address family of
the previous template.
Change-Id: I33678e32df020045f419f38fc4d955863c42409a
Git-commit: 732706afe1cc46ef48493b3d2b69c98f36314ae4
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
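The template-family rule stated in the commit message above, as an added example that is not the kernel's validate_tmpl(): a transport mode template must match the selector's family (first template) or the previous template's family (later ones), while a tunnel mode template may switch family. The xfrm structures are minimal stand-ins, and the treatment of a zero family as "same as the policy" is an assumption made here to mirror what userspace commonly sends.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel's xfrm user types (assumed, not the real
 * definitions): only the fields this check consults. */
#define AF_INET  2
#define AF_INET6 10
#define XFRM_MODE_TRANSPORT 0
#define XFRM_MODE_TUNNEL    1
#define XFRM_MAX_DEPTH 6

struct xfrm_user_tmpl {
    unsigned char mode;
    unsigned short family;    /* 0 treated as "same as the policy" */
};

struct xfrm_user_policy {
    unsigned short sel_family;           /* address family of the selector */
    unsigned int nr_tmpls;
    struct xfrm_user_tmpl tmpl[XFRM_MAX_DEPTH];
};

/* Returns true when the template chain is acceptable under the rule in the
 * commit message: a transport mode template must carry the same family as
 * the selector (for the first template) or as the template before it. A
 * tunnel mode template may switch family, and then sets the family that the
 * following transport templates must match. Any other chain is refused, so
 * xfrm_state_find() is never handed addresses of one family to compare
 * against state keyed by the other. */
static bool validate_tmpl_families(const struct xfrm_user_policy *p)
{
    unsigned short prev_family = p->sel_family;

    if (p->nr_tmpls > XFRM_MAX_DEPTH)
        return false;
    for (unsigned i = 0; i < p->nr_tmpls; i++) {
        const struct xfrm_user_tmpl *t = &p->tmpl[i];
        unsigned short family = t->family ? t->family : p->sel_family;

        if (family != AF_INET && family != AF_INET6)
            return false;
        if (t->mode == XFRM_MODE_TRANSPORT && family != prev_family)
            return false;
        prev_family = family;
    }
    return true;
}

int main(void)
{
    /* Constructed policies: the selector is IPv4 in every case. */
    const struct xfrm_user_policy mismatched = {
        AF_INET, 1, { { XFRM_MODE_TRANSPORT, AF_INET6 } } };
    const struct xfrm_user_policy tunnel_then_transport = {
        AF_INET, 2, { { XFRM_MODE_TUNNEL, AF_INET6 }, { XFRM_MODE_TRANSPORT, AF_INET6 } } };
    const struct xfrm_user_policy tunnel_then_bad_transport = {
        AF_INET, 2, { { XFRM_MODE_TUNNEL, AF_INET6 }, { XFRM_MODE_TRANSPORT, AF_INET } } };

    printf("transport v6 on v4 selector: %s\n",
           validate_tmpl_families(&mismatched) ? "accept" : "reject");
    printf("tunnel v6 then transport v6: %s\n",
           validate_tmpl_families(&tunnel_then_transport) ? "accept" : "reject");
    printf("tunnel v6 then transport v4: %s\n",
           validate_tmpl_families(&tunnel_then_bad_transport) ? "accept" : "reject");
    return 0;
}
```

The third case is the one the rule exists for: after an IPv6 tunnel template the packet is IPv6, so a following IPv4 transport template would again have the lookup compare a 16-byte address against 4-byte storage.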