commit 2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 upstream.
It is OK for s_first_meta_bg to be equal to the number of block group
descriptor blocks. (It rarely happens, but it shouldn't cause any
problems.)
https://bugzilla.kernel.org/show_bug.cgi?id=194567
Fixes: 3a4b77cd47bb837b8557595ec7425f281f2ca1fe
Fixes: ext4: validate s_first_meta_bg at mount time
Change-Id: I401a32cc3fca59e08dd578b0e43c0429e17bd673
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
prima to qcacld-2.0 propagation
In PS non-offload case the "remainInPowerActiveTillDHCP" flag
allows cfg80211 layer to control BMPS and it should not be modified
by SME/CSR. SME/CSR use remainInPowerActiveTillDHCP to block BMPS
till set key is not completed. Due to this cfg80211 layer is not
in full control of BMPS.
To fix this add a new variable to block BMPS until set key is
done and let remainInPowerActiveTillDHCP be controlled by the
cfg80211 layer based on whether DHCP is in progress or not.
Change-Id: I48315893a881d8da4db79a8b9366525617e8c898
CRs-Fixed: 1072635
commit 7dd7eb9513bd02184d45f000ab69d78cb1fa1531 upstream.
Do not use unsigned variables to see if it returns a negative
error or not.
Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options")
Change-Id: Ib68fdb197391f1f5f14128741ac033079dccf644
Reported-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
commit 43a6684519ab0a6c52024b5e25322476cabad893 upstream.
We got a report of yet another bug in ping
http://www.openwall.com/lists/oss-security/2017/03/24/6
->disconnect() is not called with socket lock held.
Fix this by acquiring ping rwlock earlier.
Thanks to Daniel, Alexander and Andrey for letting us know this problem.
Fixes: c319b4d76b ("net: ipv4: add IPPROTO_ICMP socket kind")
Change-Id: Ia0694904e67dd9d31a08fcadfacfd1feaacc3cd2
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Daniel Jiang <danieljiang0415@gmail.com>
Reported-by: Solar Designer <solar@openwall.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In oemData_SendMBOemDataReq(), messageLen of struct 'tSirOemDataReq'
is updated with more memory than allocated to the structure.
Fix is to update messageLen with size of struct.
Change-Id: Ib60fd07543f630985fe29427809d822275bbb8e0
CRs-Fixed: 1069175
SCTP needs fixes similar to 83eaddab4378 ("ipv6/dccp: do not inherit
ipv6_mc_list from parent"), otherwise bad things can happen.
Change-Id: I4ab6f39f225bd9e68b54eaec023ad737bbc6c14a
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrey Konovalov and idaifish@gmail.com reported crashes caused by
one skb shared_info being overwritten from __ip6_append_data()
Andrey's program led to the following state:
copy -4200 datalen 2000 fraglen 2040
maxfraglen 2040 alloclen 2048 transhdrlen 0 offset 0 fraggap 6200
The skb_copy_and_csum_bits(skb_prev, maxfraglen, data + transhdrlen,
fraggap, 0); is overwriting skb->head and skb_shared_info
Since we apparently detect this rare condition too late, move the
code earlier to even avoid allocating skb and risking crashes.
Once again, many thanks to Andrey and syzkaller team.
Change-Id: Ie338b060f4b446f3d9784bb17e5f1bf829dfb6de
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Reported-by: <idaifish@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
we should clear ipv6_mc_list etc. for IPv6 sockets too.
Change-Id: If8dc0cefa694a73589b6599b63d2c5c7c4d1c0aa
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Huang has reported that in his powerfail testing he is seeing stale
block contents in some of recently allocated blocks although he mounts
ext4 in data=ordered mode. After some investigation I have found out
that indeed when delayed allocation is used, we don't add inode to
transaction's list of inodes needing flushing before commit. Originally
we were doing that but commit f3b59291a6 removed the logic with a
flawed argument that it is not needed.
The problem is that although for delayed allocated blocks we write their
contents immediately after allocating them, there is no guarantee that
the IO scheduler or device doesn't reorder things and thus transaction
allocating blocks and attaching them to inode can reach stable storage
before actual block contents. Actually whenever we attach freshly
allocated blocks to inode using a written extent, we should add inode to
transaction's ordered inode list to make sure we properly wait for block
contents to be written before committing the transaction. So that is
what we do in this patch. This also handles other cases where stale data
exposure was possible - like filling hole via mmap in
data=ordered,nodelalloc mode.
The only exception to the above rule are extending direct IO writes where
blkdev_direct_IO() waits for IO to complete before increasing i_size and
thus stale data exposure is not possible. For now we don't complicate
the code with optimizing this special case since the overhead is pretty
low. In case this is observed to be a performance problem we can always
handle it using a special flag to ext4_map_blocks().
Change-Id: I3d2d79f0f6743159481f80fc10faf042a18927f1
CC: stable@vger.kernel.org
Fixes: f3b59291a6
Reported-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Tested-by: "HUANG Weller (CM/ESW12-CN)" <Weller.Huang@cn.bosch.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-Use %pK for kernel address to avoid the information leak.
CRs-Fixed: 2009672
Change-Id: Ib0631d5578aba033510babe4f43e2a63bb959747
Signed-off-by: Alok Kediya <kediya@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
This fix removes dependency between real time message mask
table and build time message mask table. Also this fix
synchronizes retrieval and modification of real time message
mask table.
CRs-Fixed: 2015227
Change-Id: Id0a0964337ec4645d7061fc35120dfa061a990ff
Signed-off-by: Gopikrishna Mogasati <gmogas@codeaurora.org>
The static variable node_list needs to be protected with a mutex
to prevent race conditions and use-after-free cases.
Change-Id: I4790b06712b8a8b401f43418cfcc53b415fb0019
Signed-off-by: David Dai <daidavid1@codeaurora.org>
Cldata needs to be protected by a lock since a crash
happened during synchronous update and free.
CRs-Fixed: 2034222
Change-Id: Ied86461b784d69d9758dc3fc793a8a0de86e7f9c
Signed-off-by: Maria Yu <aiquny@codeaurora.org>
Place file offset validity checks under mutex for
synaptics_dsx_rmi_dev.c touch driver.
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: e1fb1600fc222337989e3084d68df929882deae5
Change-Id: I2c32babbccb483547204cb2843973abf97e988a5
Signed-off-by: Andrew Chant <achant@google.com>
[srkupp@codeaurora.org: This change is a fix for buggy
code pointed out by sil after merging the above commit.]
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Signed-off-by: Shantanu Jain <shjain@codeaurora.org>
Signed-off-by: Niranjan Reddy Dumbala <ndumba@codeaurora.org>
In some rare race condition during SSR, the modem might have
programmed commands to IPA to lock the pipe, and AP will
enable delay on this pipe, which will prevent IPA from reading
the unlock command. In this case IPA HW will be stalled as it
is locked forever on this pipe.
CRs-Fixed: 1040724
Change-Id: Ifc874c9e881eb1b3ccea321679bb272cd427fabb
Acked-by: Ady Abraham <adya@qti.qualcomm.com>
Acked-by: Mohammed Javid <mjavid@qti.qualcomm.com>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Signed-off-by: Utkarsh Saxena <usaxena@codeaurora.org>
When the Camera application exercises the V4L2 ioctl operations, the CPP
driver would attempt to copy the user space buffer contents into the
internal kernel buffer. If an invalid length of the user space buffer
is passed on to the driver, it could trigger a buffer overflow condition.
Thus, fix this by copying user space buffer contents into kernel space
buffer of the driver for further processing, only after checking for
proper length of user space buffer.
CRs-fixed: 2025367
Change-Id: I85cf4a961884c7bb0d036299b886044aef7baf7c
Signed-off-by: Ravi kumar Koyyana <rkoyyana@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
When user application provides invalid (out of range) stripe size and
stripe indices, while submitting requests for the stripe based image
processing by the CPP kernel driver, the driver could perform out of
bounds access of the internal buffers.
This fix ensures that stripe size and indices of frame/command buffer
are properly validated during the configuration and before processing
such requests through the CPP hardware block.
CRs-fixed: 2002207
Change-Id: Ib79e36fb507d8e75d8fc28afb990020a0e1bf845
Signed-off-by: Ravi kumar Koyyana <rkoyyana@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
If there is any failure while registering a DBA client with MDSS
driver, then remove the client from device client list first and
then free the client. Otherwise driver might crash when
traversing the device client list in later stage, because of an
uninitialized entry in the list.
Change-Id: I60666f4c3dea5c7ea7b7c77bcb14b080ee25b54d
Signed-off-by: Sandeep Panda <spanda@codeaurora.org>
msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used.
CRs-Fixed: 2022953
Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Assume that there are two threads: thread1 is setting the
value of the _rndis_qc variable in the rndis_qc_bind_config_vendor
function. Thread2 jumps in and gets the value of _rndis_qc
in the rndis_qc_open_dev function before it is freed in the
rndis_qc_bind_config_vendor function, since rndis_ipa_init
or usb_add_function failed. Use-after-free will happen as
thread2 is referencing freed objects. To prevent this, a
spinlock is used wherever it is needed to protect the
_rndis_qc variable.
Change-Id: Ibfe10cedc18bcb19dd01cd2bec43a5554fd008bc
Signed-off-by: Pratham Pratap <prathampratap@codeaurora.org>
The range checking between "WCD_CPE_IMAGE_FNAME_MAX" and
"copy_count" is off-by-one due to the size of array
"core->dyn_fname" is "WCD_CPE_IMAGE_FNAME_MAX". Subtract
one from the range checking to fix this issue.
Change-Id: I87fd55206f79ad7b13c3878f6642bf5579303b17
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
In the ioctl function, driver allocates memory to store data
internally before calling copy_to_user to copy data to user-space.
It is possible that kernel internal information can be leaked to
user space through this if the allocated memory is not completely
overwritten with valid data. Use kzalloc to fix this.
CRs-fixed: 2026045
Change-Id: I754ae2157034a135aaca4a15badf10d2567b7ed6
Signed-off-by: Bhalchandra Gajare <gajare@codeaurora.org>
syzkaller found a way to trigger double frees from ip_mc_drop_socket().
It turns out that we leave a copy of the parent mc_list at accept() time,
which is very bad.
Very similar to commit 8b485ce69876 ("tcp: do not inherit
fastopen_req from parent")
Initial report from Pray3r, completed by Andrey one.
Thanks a lot to them !
Change-Id: I9ab96385fcbcad25d3e6829927d586b91d22afe8
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Pray3r <pray3r.z@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.
Add a check that tp_block_size * tp_block_nr <= UINT_MAX.
Since frames_per_block <= tp_block_size, the expression would
never overflow.
Change-Id: I3598423e621275aa1d890b80bcf9018929087d90
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.
Fix by checking that tp_reserve <= INT_MAX on assign.
Change-Id: I6a4ea0cbe87cfd3db0979896c9bf9b3c626ec1d6
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
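The two overflow checks described in the preceding commit messages (the ring size bound tp_block_size * tp_block_nr <= UINT_MAX, and bounding tp_reserve at assignment so tp_hdrlen + tp_reserve cannot overflow), written out as an added user-space example that is not part of the kernel log above. struct ring_req and the helper names are stand-ins for the relevant fields of struct tpacket_req and struct packet_sock and are assumptions of this example, not kernel code:

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the ring-geometry fields of struct tpacket_req
 * (names chosen for this example; not the kernel's definitions). */
struct ring_req {
    unsigned int tp_block_size;
    unsigned int tp_block_nr;
    unsigned int tp_frame_size;
};

/* Naive total size: a 32-bit multiply that wraps silently on overflow.
 * This is the kind of arithmetic the first commit guards against. */
unsigned int ring_bytes_naive(const struct ring_req *req)
{
    return req->tp_block_size * req->tp_block_nr;
}

/* Checked variant mirroring the first commit: do the multiply in 64 bits
 * and reject geometries whose byte count exceeds UINT_MAX. Because
 * frames_per_block <= tp_block_size, the later product
 * frames_per_block * tp_block_nr cannot overflow once this check passes. */
bool ring_size_ok(const struct ring_req *req)
{
    uint64_t total = (uint64_t)req->tp_block_size * req->tp_block_nr;
    return total <= UINT_MAX;
}

/* Total frame count; only meaningful after ring_size_ok() succeeded.
 * Returns 0 for a zero frame size instead of dividing by zero. */
unsigned int ring_frames(const struct ring_req *req)
{
    if (req->tp_frame_size == 0)
        return 0;
    unsigned int frames_per_block = req->tp_block_size / req->tp_frame_size;
    /* frames_per_block * tp_block_nr <= tp_block_size * tp_block_nr <= UINT_MAX */
    return frames_per_block * req->tp_block_nr;
}

/* Mirrors the second commit: bound tp_reserve when it is assigned so that
 * the sum tp_hdrlen + tp_reserve can never overflow an int later on. */
bool reserve_ok(unsigned int tp_reserve)
{
    return tp_reserve <= INT_MAX;
}
```

The point of validating at the single assignment site (reserve_ok) rather than at every use is that later arithmetic on the field can then assume a bounded value; the ring check likewise establishes one bound (total bytes) from which the safety of the derived product follows.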
In msm_ispif_is_intf_valid(),
we convert an enum variable msm_ispif_vfe_intf
to uint8_t type for validating.
This could cause a potential issue
if the value is crafted in such a way that the lower 8 bits pass the validation.
Don't use uint8_t as the input param to avoid such a vulnerability.
CRs-Fixed: 2008469
Change-Id: I4ee400ac0edd830decfbe5712966d968976a268a
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>