forked from LineageOS/android_kernel_wingtech_msm8916
LineageUpdates #3
Open: iamsubhranil wants to merge 10,000 commits into iamsubhranil:cm-14.1 from LineageOS:cm-14.1
665bd4e to 158bf82
f37a9d5 to d56e6d5
b2c9f6a to 153cd61
* Fix broken touchscreen after kernel rebase, since it now defaults to 250Hz instead of 100Hz
TODO: actually find what breaks and fix it
Change-Id: I575b4d725457c997b1847c22de0f8bb740ff9e3d
Change-Id: I7baecd92438ef0168969a264bfb574104624661d
CRs      Change ID                                  Subject
--------------------------------------------------------------------------------------------------------------
2072774  I3c80974bba84a96f7b85e4ce62bbb01c23b4babf  wlan: Add bound check before writing to channel list

Change-Id: If08671b100c284b0a86c61f7efe10c5da5377533
CRs-Fixed: 2072774
The reference count for fbmem buf is not increased before use, which means it can get freed unintentionally when the reference count is decreased to "0". In this case, there is a possibility of use after free. Ensure that fbmem buf refcount is incremented before use. Change-Id: I525d41e5496a1123e53a438b5f78d4da8bc046bd Signed-off-by: Jayant Shekhar <[email protected]> Signed-off-by: Mishra Mahima <[email protected]>
Fix race condition seen between reading tmc buffer and enabling the device. The race condition can result in a use after free issue if the buffer is released while a read is in progress. Signed-off-by: Saranya Chidura <[email protected]> Change-Id: I9908fa78acbf3152ee791c63fef525f09a9a23d5
3e28d63 to 8415dad
qcacld-3.0 to prima propagation Update limComputeCrc32() to pass uint16_t as a length type. Currently uint8_t is being passed as length and there will be type mismatch when authentication frame to be encrypted will be larger than 255 bytes. Change-Id: Ic009197c13a2d70c9015a184acff2e82bf80eaba CRs-Fixed: 2076603
CRs      Change ID                                  Subject
--------------------------------------------------------------------------------------------------------------
2058442  I3b20cb28d1beccd2e804b022b531413ad1edb533  wlan: Avoid extscan bucket spec overread

Change-Id: I8f3a0142e584f96643e388a8c388bb1dc8d9376d
CRs-Fixed: 2058442
Check the digest length to avoid buffer overflow while doing the SHA operations. Change-Id: I4d3fb20723f59e905a672edaf84ee5d0865905b1 Signed-off-by: Brahmaji K <[email protected]>
Add conditional check when operating VIDIOC_MSM_ACTUATOR_CFG32. CRs-Fixed: 2060371 Change-Id: I9cfaff05b1fff6969a2543c3816d41ed1fabf897 Signed-off-by: Haibin Liu <[email protected]>
Change-Id: I13c1d796c5a05cdd813c9121686d32df5affffe3
Add conditional check when operating VIDIOC_MSM_ACTUATOR_CFG32. CRs-Fixed: 2060371 Change-Id: I9cfaff05b1fff6969a2543c3816d41ed1fabf897 Signed-off-by: Haibin Liu <[email protected]>
Currently limProcessAuthFrame stack frame size exceeds 1024 and causes build failures for 32 bit platforms. Move multiple variables from local to dynamic allocation to reduce the frame size of limProcessAuthFrame. Change-Id: I83cf5ab24693e0ce012894d808ac79bf37fa9a08 CRs-Fixed: 2083572
This reverts commit f0ce0ee. Bug: 34951864 Bug: 36468447 Change-Id: I87bd92e096c6c28a53b9ecf302ae008f5e58eba1 Signed-off-by: Nick Desaulniers <[email protected]>
commit 98da7d08850fb8bdeb395d6368ed15753304aa0c upstream.

When limiting the argv/envp strings during exec to 1/4 of the stack limit, the storage of the pointers to the strings was not included. This means that an exec with huge numbers of tiny strings could eat 1/4 of the stack limit in strings and then additional space would be later used by the pointers to the strings.

For example, on 32-bit with a 8MB stack rlimit, an exec with 1677721 single-byte strings would consume less than 2MB of stack, the max (8MB / 4) amount allowed, but the pointers to the strings would consume the remaining additional stack space (1677721 * 4 == 6710884). The result (1677721 + 6710884 == 8388605) would exhaust stack space entirely. Controlling this stack exhaustion could result in pathological behavior in setuid binaries (CVE-2017-1000365).

[[email protected]: additional commenting from Kees]
Fixes: b6a2fea ("mm: variable length argument support")
Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast
Signed-off-by: Kees Cook <[email protected]>
Acked-by: Rik van Riel <[email protected]>
Acked-by: Michal Hocko <[email protected]>
Cc: Alexander Viro <[email protected]>
Cc: Qualys Security Advisory <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Change-Id: I2e01d7be2d52415264ff48c632bfe307008c4e03
Symlink reading code does not check whether the resulting path fits into the page provided by the generic code. This isn't as easy as just checking the symlink size because of various encoding conversions we perform on path. So we have to check whether there is still enough space in the buffer on the fly. Change-Id: I3b9106eaf9ce09df4e5db8bb94eb52fd0e0f966f CC: [email protected] Reported-by: Carl Henrik Lunde <[email protected]> Signed-off-by: Jan Kara <[email protected]>
* 3.10 doesn't normally use iterate for filesystems, but it was backported in hopes of removing vfs_readdir()
* Because the romnt variable was only set for filesystems using iterate, the su hide patches were broken for many filesystems like ext4, which still use vfs_readdir() instead of iterate_dir() like their mainline counterparts
* Remove the iterate check around setting romnt to fix this
Change-Id: I26426683df0fd199a80f053294f352e31754bec5

"file" can be already freed if bprm->file is NULL after search_binary_handler() return. binfmt_script will do exactly that for example. If the VM reuses the file after fput run(), this will result in a use after free.

So obtain d_is_su before search_binary_handler() runs.

This should explain this crash:

[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
[..]
[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474

Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
Signed-off-by: Kevin F. Haggerty <[email protected]>
…m-14.1-caf-8916 Change-Id: Icdb0c3ebf8706229dc0f058502d59eb24de9d244
…4.1-caf-8916 Change-Id: I01c2d1e9e4948ff57761d85e965c2371904e4304
smatch warns about the suspicious formatting in the last line of open_flags_to_access_mode(). It turns out the only caller was deleted over a year ago by "ANDROID: sdcardfs: Bring up to date with Android M permissions:", so we can "fix" the function's formatting by deleting it. Change-Id: Id85946f3eb01722eef35b1815f405a6fda3aa4ff Signed-off-by: Greg Hackmann <[email protected]>
Use the VFS mount_nodev instead of customized mount_nodev_with_options and fix generic_shutdown_super to kill_anon_super because of set_anon_super Signed-off-by: Gao Xiang <[email protected]> Change-Id: Ibe46647aa2ce49d79291aa9d0295e9625cfccd80
The mmap_sem lock does not appear to be protecting anything, and has been removed in Samsung's more recent versions of sdcardfs. Signed-off-by: Daniel Rosenberg <[email protected]> Change-Id: I76ff3e33002716b8384fc8be368028ed63dffe4e Bug: 63785372
propagate from (CR). On embedded devices with built-in batteries, it is not so important to sync the file systems before suspend. The chance of losing power during suspend are no greater than they are when the system is awake. The sync operations can greatly increase suspend latency when the system has accrued many dirty pages and/or the target storage devices are not particularly fast. This commit adds a kernel config option to allow file system sync in the suspend path to be disabled. It is enabled by default. Change-Id: I21b712cce67f5782518371e1483b1860dcca8856 Signed-off-by: Lianwei Wang <[email protected]> Reviewed-on: http://gerrit.mot.com/842434 SME-Granted: SME Approvals Granted SLTApproved: Slta Waiver <[email protected]> Tested-by: Jira Key <[email protected]> Reviewed-by: Ravi Chebolu <[email protected]> Reviewed-by: Zhi-Ming Yuan <[email protected]> Submit-Approved: Jira Key <[email protected]>
Resync msm8909_defconfig and msm8909-perf_defconfig. Change-Id: Ie5532831a1bca504ade2d47d19289626475adba3 Signed-off-by: Shadab Naseem <[email protected]>
Update configs in msm8909_defconfig and msm8909-perf_defconfig to be used for wearables. Change-Id: I2b06612a8e3bcee90b2eb5cc50767466f9ff3d25 Signed-off-by: Shadab Naseem <[email protected]>
Change-Id: Ide52b71c71bac9f8b78769a03259cccf8d6277c2
Change-Id: I5fbeddd562a311ea522557e8a77e331e9ea14d8b
…m-14.1-caf-8916
Conflicts:
	drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_core.c
	drivers/media/platform/msm/camera_v2/sensor/io/msm_camera_cci_i2c.c
	fs/f2fs/super.c
Change-Id: I382a0d82e1bab13292781a4a7ff2d88bb07eb8bf
458a9ca to 29591c2
backported 71105998845fb012937332fe2e806d443c09e026 from https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

There is a potential race window opened at creating and deleting a port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates a port object and returns its pointer, but it doesn't take the refcount, thus it can be deleted immediately by another thread. Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, and this triggers use-after-free like:

 BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1
 =============================================================================
 BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected
 -----------------------------------------------------------------------------
 INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511
 	___slab_alloc+0x425/0x460
 	__slab_alloc+0x20/0x40
 	kmem_cache_alloc_trace+0x150/0x190
 	snd_seq_create_port+0x94/0x9b0 [snd_seq]
 	snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717
 	__slab_free+0x204/0x310
 	kfree+0x15f/0x180
 	port_delete+0x136/0x1a0 [snd_seq]
 	snd_seq_delete_port+0x235/0x350 [snd_seq]
 	snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq]
 	snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
 	snd_seq_ioctl+0x40/0x80 [snd_seq]
 	do_vfs_ioctl+0x54b/0xda0
 	SyS_ioctl+0x79/0x90
 	entry_SYSCALL_64_fastpath+0x16/0x75
 Call Trace:
  [<ffffffff81b03781>] dump_stack+0x63/0x82
  [<ffffffff81531b3b>] print_trailer+0xfb/0x160
  [<ffffffff81536db4>] object_err+0x34/0x40
  [<ffffffff815392d3>] kasan_report.part.2+0x223/0x520
  [<ffffffffa07aadf4>] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffff815395fe>] __asan_report_load1_noabort+0x2e/0x30
  [<ffffffffa07aadf4>] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq]
  [<ffffffffa07aa8f0>] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq]
  [<ffffffff8136be50>] ? taskstats_exit+0xbc0/0xbc0
  [<ffffffffa07abc5c>] snd_seq_do_ioctl+0x11c/0x190 [snd_seq]
  [<ffffffffa07abd10>] snd_seq_ioctl+0x40/0x80 [snd_seq]
  [<ffffffff8136d433>] ? acct_account_cputime+0x63/0x80
  [<ffffffff815b515b>] do_vfs_ioctl+0x54b/0xda0
  .....

We may fix this in a few different ways, and in this patch, it's fixed simply by taking the refcount properly at snd_seq_create_port() and letting the caller unref the object after use. Also, there is another potential use-after-free by sprintf() call in snd_seq_create_port(), and this is moved inside the lock.

This fix covers CVE-2017-15265.

Change-Id: I329a13fac06fe45d08c68afba38405ca0e05c397
Reported-and-tested-by: Michael23 Yu <[email protected]>
Suggested-by: Linus Torvalds <[email protected]>
Cc: <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
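The reference-holding pattern the commit message above describes (the create function takes a reference for its caller, and the caller unrefs after use) can be modelled deterministically in user space. This is an added example, not code from the patch or from ALSA; `struct port`, `table`, `create_port`, `delete_port` and `port_put` are hypothetical names, and the "other thread" is simulated by a call placed at the racing point.

```c
#include <stdatomic.h>
#include <stdlib.h>
#define MAX_PORTS 4
/* Hypothetical, simplified port object (not the ALSA structure). */
struct port {
    atomic_int refs;
    int id;
};
static struct port *table[MAX_PORTS];  /* stands in for the port list */
static int frees;                      /* objects released so far */

static void port_put(struct port *p)
{
    if (atomic_fetch_sub(&p->refs, 1) == 1) {   /* last reference dropped */
        free(p);
        frees++;
    }
}

/* Fixed pattern: one reference for the table, one handed to the caller. */
static struct port *create_port(int id)
{
    struct port *p;
    if (id < 0 || id >= MAX_PORTS || table[id] || !(p = calloc(1, sizeof(*p))))
        return NULL;
    p->id = id;
    atomic_init(&p->refs, 2);
    table[id] = p;
    return p;
}

/* Unlink the port and drop only the table's reference. */
static int delete_port(int id)
{
    struct port *p;
    if (id < 0 || id >= MAX_PORTS || !(p = table[id]))
        return -1;
    table[id] = NULL;
    port_put(p);
    return 0;
}

/* Constructed interleaving: the delete lands between creation and the
 * creator's last use. Returns the id read after the delete, or -1. */
static int create_then_racing_delete(int id)
{
    struct port *p = create_port(id);
    int seen;
    if (!p)
        return -1;
    delete_port(id);    /* the "other thread" deletes immediately */
    seen = p->id;       /* still valid: the caller's reference pins it */
    port_put(p);        /* caller unrefs after use; freed only now */
    return seen;
}
```

If `create_port` initialised the count to 1 instead of 2, the read of `p->id` after `delete_port` would touch freed memory, which is the access KASAN reports in the trace.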
When a key is reinstalled we can reset the replay counters etc. which can lead to nonce reuse and/or replay detection being impossible, breaking security properties, as described in the "KRACK attacks".

In particular, CVE-2017-13080 applies to GTK rekeying that happened in firmware while the host is in D3, with the second part of the attack being done after the host wakes up. In this case, the wpa_supplicant mitigation isn't sufficient since wpa_supplicant doesn't know the GTK material.

In case this happens, simply silently accept the new key coming from userspace but don't take any action on it since it's the same key; this keeps the PN replay counters intact.

Change-Id: I7576ed8c8df85a767ebf15e74a642063eb34d0f5
Signed-off-by: Johannes Berg <[email protected]>

Disabling compiler optimizations can be fragile, since a new optimization could be added to -O0 or -Os that breaks the assumptions the code is making.

Instead of disabling compiler optimizations, use a dummy inline assembly (based on RELOC_HIDE) to block the problematic kinds of optimization, while still allowing other optimizations to be applied to the code.

The dummy inline assembly is added after every OR, and has the accumulator variable as its input and output. The compiler is forced to assume that the dummy inline assembly could both depend on the accumulator variable and change the accumulator variable, so it is forced to compute the value correctly before the inline assembly, and cannot assume anything about its value after the inline assembly.

This change should be enough to make crypto_memneq work correctly (with data-independent timing) even if it is inlined at its call sites. That can be done later in a followup patch.

Compile-tested on x86_64.

Change-Id: I1ea18fc4ecd05fe7c0dba0564b2088c60f3c25df
Signed-off-by: Cesar Eduardo Barros <[email protected]>
Acked-by: Daniel Borkmann <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Commit fe8c8a1 introduced a possible build error for archs that do not have CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS set. :/ Fix this up by bringing else braces outside of the ifdef. Change-Id: I68815db6a6b2c59101cd5f65e87532ca21070319 Reported-by: Fengguang Wu <[email protected]> Fixes: fe8c8a1 ("crypto: more robust crypto_memneq") Signed-off-by: Daniel Borkmann <[email protected]> Acked-By: Cesar Eduardo Barros <[email protected]> Signed-off-by: Herbert Xu <[email protected]>
Otherwise we risk leaking information via timing side channel.
Change-Id: I777afd16f7b0ca8a5ab1b95ddc66689afdc96636
Fixes: fdf7cb4185b6 ("mac80211: accept key reinstall without changing anything")
Signed-off-by: Jason A. Donenfeld <[email protected]>
Signed-off-by: Johannes Berg <[email protected]>
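The three commit messages above (key reinstall, the crypto_memneq barrier, and the timing side channel note) fit together as follows. This is an added user-space example, not the kernel's or mac80211's code; `HIDE_VAR`, `ct_memneq`, `struct key_slot`, `install_key` and `rx_accept` are hypothetical names, and the barrier assumes a GCC or Clang compiler.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Empty asm with the accumulator as both input and output: the compiler
 * must compute it before this point and can assume nothing afterwards. */
#define HIDE_VAR(v) __asm__ ("" : "=r" (v) : "0" (v))

/* Returns 0 if the buffers match, non-zero otherwise. Every byte is read
 * regardless of where the first difference is. */
static unsigned long ct_memneq(const void *a, const void *b, size_t n)
{
    const unsigned char *pa = a, *pb = b;
    unsigned long neq = 0;

    while (n--) {
        neq |= (unsigned long)(*pa++ ^ *pb++);
        HIDE_VAR(neq);
    }
    return neq;
}

#define KEY_LEN 16

/* Hypothetical, simplified key slot (not mac80211's key structure). */
struct key_slot {
    unsigned char key[KEY_LEN];
    uint64_t rx_pn;     /* highest packet number accepted so far */
    int installed;
};

/* Returns 1 if key state was (re)initialised, 0 if the identical key was
 * already installed and the request was accepted without any change. */
static int install_key(struct key_slot *slot, const unsigned char *key)
{
    if (slot->installed && !ct_memneq(slot->key, key, KEY_LEN))
        return 0;               /* same key: rx_pn stays intact */
    memcpy(slot->key, key, KEY_LEN);
    slot->rx_pn = 0;            /* genuinely new key: counter starts over */
    slot->installed = 1;
    return 1;
}

/* Replay check: only strictly increasing packet numbers are accepted. */
static int rx_accept(struct key_slot *slot, uint64_t pn)
{
    if (!slot->installed || pn <= slot->rx_pn)
        return 0;
    slot->rx_pn = pn;
    return 1;
}
```

Without the same-key check in `install_key`, a reinstall would reset `rx_pn` to 0 and `rx_accept` would take a previously seen packet number again.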
Change-Id: I6362a810f188ea44c1176c3d265fdc5d342611d4
Change-Id: I6d45b11f1ade0fe24ca12dd02208a04fc0e689ed
* Version 1.6.5.1022 Change-Id: I560a6146fcae4b6b314c75e2e026642a3a3f118d
Change-Id: I8abe75f9f2038760d5e6cac7070511ab62aff12b
Change-Id: Id46fb1d1f79f121bc2670e228df31b201085eafe
* Squashed commits from: https://github.com/LineageOS/android_kernel_wingtech_msm8916/commits/cm-14.1 Change-Id: Ie5ca2bd2c3b5f4008ab708869ea067d7ecebb44e
Change-Id: I58ee1f6c2f2ddb0b4acef03d2134a1477a3e083e
Change-Id: I13090b3e6de1fb6944ffbf4022d09fd03e2eebbf
* wt88047 has some issues using the default camera stack.
* Changes from ido and LA.BR.1.2.4-04410
Change-Id: I2cfb0e55bda6029c056de656fe74a3adb9de955e

* We now use minimal defconfig
* To regenerate minimal defconfig, "make savedefconfig"
Change-Id: I6d00ba88cc35edd94253cfe79af39b0c74821354

* This is a classic mutex_lock() / cancel_delayed_work_sync() where the delayed work function attempts to take the same mutex too.
* This should fix https://jira.lineageos.org/browse/BUGBASH-865
Change-Id: Iecededf5e61f5b41cd9d8eea51c94725d546d6dc
29591c2 to 462348f
* This commit fixes the misalignment of LCD panels Change-Id: Ic00bb0368b91a8b6abc699d3fb22da83daa1de87
462348f to 92c76f6
No description provided.