android_kernel_samsung_msm8976/drivers
Eric Biggers 9d142346b2 ppp: remove the PPPIOCDETACH ioctl
commit af8d3c7c001ae7df1ed2b2715f058113efc86187 upstream.

The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file
before f_count has reached 0, which is fundamentally a bad idea.  It
does check 'f_count < 2', which excludes concurrent operations on the
file since they would only be possible with a shared fd table, in which
case each fdget() would take a file reference.  However, it fails to
account for the fact that even with 'f_count == 1' the file can still be
linked into epoll instances.  As reported by syzbot, this can trivially
be used to cause a use-after-free.

Yet, the only known user of PPPIOCDETACH is pppd versions older than
ppp-2.4.2, which was released almost 15 years ago (November 2003).
Also, PPPIOCDETACH apparently stopped working reliably at around the
same time, when the f_count check was added to the kernel, e.g. see
https://lkml.org/lkml/2002/12/31/83.  Also, the current 'f_count < 2'
check makes PPPIOCDETACH only work in single-threaded applications; it
always fails if called from a multithreaded application.

All pppd versions released in the last 15 years just close() the file
descriptor instead.

Therefore, instead of hacking around this bug by exporting epoll
internals to modules, and probably missing other related bugs, just
remove the PPPIOCDETACH ioctl and see if anyone actually notices.  Leave
a stub in place that prints a one-time warning and returns EINVAL.

Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Guillaume Nault <g.nault@alphalink.fr>
Tested-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
2019-07-27 21:52:16 +02:00
accessibility
acpi ACPI: APEI / ERST: Fix missing error handling in erst_reader() 2019-07-27 21:46:19 +02:00
amba
android binder: check for binder_thread allocation failure in binder_poll() 2019-07-27 21:52:07 +02:00
ata libata: array underflow in ata_find_dev() 2019-07-27 21:44:15 +02:00
atm
auxdisplay
base power: align wakeup_sources format 2019-07-27 21:47:56 +02:00
battery Import T813XXS2BRC2 kernel source changes 2018-05-26 00:39:42 +02:00
battery_v2 Import latest Samsung release 2017-04-18 03:43:52 +02:00
bcma
bif
block loop: remember whether sysfs_create_group() was done 2019-07-27 21:50:24 +02:00
bluetooth Merge tag 'LA.BR.1.3.6-05410-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD 2018-02-06 13:11:45 +01:00
bus
cdrom BACKPORT: block: add blk_rq_set_block_pc() 2017-04-22 23:03:01 +02:00
char diag: Protect the decrement of number of diag clients 2019-07-27 21:50:47 +02:00
clk clk: qcom: mdss: initialise spread freq variable before usage 2019-07-27 21:51:05 +02:00
clocksource Merge tag 'LA.BR.1.3.6-05410-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD 2018-02-06 13:11:45 +01:00
connector connector: bump skb->users before callback invocation 2016-01-28 21:49:33 -08:00
coresight coresight: tmc: Fix use after free issue with tmc read 2017-07-30 10:34:00 -07:00
cpufreq cpufreq: interactive governor drops bits in time calculation 2019-07-27 21:50:42 +02:00
cpuidle cpuidle: Remove unnecessary WARN for calculate_residency 2019-07-27 21:45:56 +02:00
crypto crypto: hash - annotate algorithms taking optional key 2019-07-27 21:49:17 +02:00
dca
debug Import latest Samsung release 2017-04-18 03:43:52 +02:00
debug_32 Import latest Samsung release 2017-04-18 03:43:52 +02:00
devfreq dev_freq: devfreq_spdm: add null terminator to prevent OOB access 2019-07-27 21:50:47 +02:00
dio
dma Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
edac This is the 3.10.102 stable release 2017-04-18 17:22:08 +02:00
eisa
esoc
extcon Import latest Samsung release 2017-04-18 03:43:52 +02:00
fingerprint drivers: fingerprint: Kill FEATURE_SPI_WAKELOCK 2017-04-19 17:02:36 +02:00
firewire This is the 3.10.95 stable release 2017-04-18 17:14:54 +02:00
firmware Import T813XXU2BQD1 kernel source changes 2017-04-22 16:30:03 +02:00
gpio gpio: Handle EPROBE_DEFER while probing 2019-07-27 21:45:55 +02:00
gpu drm: set FMODE_UNSIGNED_OFFSET for drm files 2019-07-27 21:52:11 +02:00
hid HID: debug: check length before copy_to_user() 2019-07-27 21:51:21 +02:00
hsi
hv Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors 2016-06-07 10:42:52 +02:00
hwmon This is the 3.10.102 stable release 2017-04-18 17:22:08 +02:00
hwspinlock
i2c i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA 2019-07-27 21:46:30 +02:00
ide UPSTREAM: block: disable entropy contributions for nonrot devices 2019-07-27 21:47:56 +02:00
idle
iio iio: adis_lib: Initialize trigger before requesting interrupt 2019-07-27 21:46:10 +02:00
infiniband IB/qib: fix mcast detach when qp not attached 2016-03-03 15:06:24 -08:00
input BACKPORT: Input: xpad - fix oops when attaching an unknown Xbox One gamepad 2019-07-27 21:50:43 +02:00
iommu iommu/amd: Finish TLB flush in amd_iommu_unmap() 2019-07-27 21:44:19 +02:00
ipack
irqchip Import latest Samsung release 2017-04-18 03:43:52 +02:00
isdn ppp, slip: Validate VJ compression slot parameters completely 2016-01-28 21:49:35 -08:00
leds Merge tag 'LA.BR.1.3.6-03510-8976.0' into HEAD 2017-04-18 12:11:50 +02:00
lguest Import latest Samsung release 2017-04-18 03:43:52 +02:00
macintosh
mailbox
md dm kcopyd: avoid softlockup in run_complete_job 2019-07-27 21:51:38 +02:00
media media: v4l: event: Prevent freeing event subscriptions while accessed 2019-07-27 21:51:55 +02:00
memory
memstick
message
mfd mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode 2019-07-27 21:44:34 +02:00
misc qseecom: Fix typo in format specifier 2019-07-27 21:44:44 +02:00
mmc mmc: cmdq-hci: Change unnecessary pr_err logs to pr_debug 2019-07-27 21:50:45 +02:00
motor Import latest Samsung release 2017-04-18 03:43:52 +02:00
mtd UPSTREAM: block: disable entropy contributions for nonrot devices 2019-07-27 21:47:56 +02:00
muic Import T813XXS2BRC2 kernel source changes 2018-05-26 00:39:42 +02:00
net ppp: remove the PPPIOCDETACH ioctl 2019-07-27 21:52:16 +02:00
nfc Import latest Samsung release 2017-04-18 03:43:52 +02:00
ntb
nubus
of of: fdt: add missing allocation-failure check 2019-07-27 21:44:47 +02:00
oprofile
parisc parisc iommu: fix panic due to trying to allocate too large region 2016-01-28 21:49:36 -08:00
parport
pci PCI / PM: Force devices to D0 in pci_pm_thaw_noirq() 2019-07-27 21:46:19 +02:00
pcmcia
phy
pinctrl pinctrl: Really force states during suspend/resume 2019-07-27 21:49:40 +02:00
platform msm: ipa: Fix to handle NULL pointer dereference 2019-07-27 21:51:22 +02:00
pnp asmlinkage, pnp: Make variables used from assembler code visible 2016-06-07 10:42:53 +02:00
power drivers: qcom: lpm-stats: Fix undefined access error 2019-07-27 21:50:48 +02:00
pps
ps3
ptp
pwm pwm: qpnp: do not control EN_PWM_OUTPUT for LPG lite peripherals 2015-03-10 16:12:38 -07:00
rapidio
regulator Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
remoteproc remoteproc: avoid stack overflow in debugfs file 2016-02-19 14:22:37 -08:00
reset
rpmsg
rtc rtc: set the alarm to the next expiring timer 2019-07-27 21:46:00 +02:00
s390 UPSTREAM: block: disable entropy contributions for nonrot devices 2019-07-27 21:47:56 +02:00
sbus
scsi scsi: sg: allocate with __GFP_ZERO in sg_build_indirect() 2019-07-27 21:51:41 +02:00
sensorhub Import T713XXU2BQD3 kernel source changes 2017-07-01 12:51:07 +02:00
sensors Import latest Samsung release 2017-04-18 03:43:52 +02:00
sfi
sh
slimbus slim-msm: Synchronize SSR callbacks 2017-05-05 19:20:28 +00:00
sn
soc voice_svc: Avoid double free in voice_svc driver 2019-07-27 21:51:22 +02:00
soundwire swr-wcd-ctrl: Ensure soundwire banks are always in sync 2016-05-03 04:51:39 -07:00
spi This is the 3.10.97 stable release 2017-04-18 17:17:20 +02:00
spmi Merge tag 'LA.BR.1.3.6-03510-8976.0' into HEAD 2017-04-18 12:11:50 +02:00
ssb
ssbi
staging staging: android: ashmem: Fix mmap size validation 2019-07-27 21:51:53 +02:00
switch
target scsi: target: fix __transport_register_session locking 2019-07-27 21:51:38 +02:00
tc
thermal msm_thermal: Handle defer while probing 2019-07-27 21:45:58 +02:00
tty tty: make n_tty_read() always abort if hangup is in progress 2019-07-27 21:49:23 +02:00
uio uio: potential double frees if __uio_register_device() fails 2019-07-27 21:51:39 +02:00
usb USB: Increment wakeup count on remote wakeup. 2019-07-27 21:52:12 +02:00
uwb
vfio
vhost Merge remote-tracking branch 'f2fs/linux-3.10.y' into HEAD 2017-04-18 17:02:28 +02:00
video BACKPORT: msm: mdss: Fix invalid dma attachment during fb shutdown 2019-07-27 21:51:53 +02:00
virt
virtio virtio: fix memory leak of virtio ida cache layers 2016-03-03 15:06:21 -08:00
vlynq
vme
w1
watchdog watchdog: rc32434_wdt: fix ioctl error handling 2016-06-07 10:42:46 +02:00
xen This is the 3.10.96 stable release 2017-04-18 17:16:02 +02:00
zorro
Kconfig msm: gud: Remove gud driver 2017-09-08 18:49:12 +00:00
Makefile msm: gud: Remove gud driver 2017-09-08 18:49:12 +00:00