mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-07-01 09:02:05 +00:00
Update Linux CVE patches
This commit is contained in:
Tad
parent
12b63c12b7
commit
3989a1b20b
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBjYjZkNjg0MTFmZjUwNmM0OWQ1Yzc3OThkZjQyNjM0MjQxN2NjNTEzCnBhcmVudCA1NjUyNWQ1ZmQzNzVlYWJlZjJiZjU5OGE2ZThiYzQ2NmRmZDY4ZjkxCmF1dGhvciBBbmRyZXcgQ2hhbnQgPGFjaGFudEBnb29nbGUuY29tPiAxNDg2NTk2ODI4IC0wODAwCmNvbW1pdHRlciBKb2huIERpYXMgPGpvYW9kaWFzQGdvb2dsZS5jb20+IDE0ODcyMTI0MjYgKzAwMDAKCnNkY2FyZGZzOiBsaW1pdCBzdGFja2luZyBkZXB0aAoKTGltaXQgZmlsZXN5c3RlbSBzdGFja2luZyB0byBwcmV2ZW50IHN0YWNrIG92ZXJmbG93LgoKQnVnOiAzMjc2MTQ2MwpDaGFuZ2UtSWQ6IEk4YjE0NjJiOWMwZDZjN2YwMGNmMTEwNzI0ZmZiMTdlN2YzMDdjNTFlClNpZ25lZC1vZmYtYnk6IEFuZHJldyBDaGFudCA8YWNoYW50QGdvb2dsZS5jb20+Cg==
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBkZWNmNTU4OGI2YzA1NzM5ODg0YzViNThhYmY5YzE1ZTk2MmY2YTZlCnBhcmVudCBjODc1ZWViODY4MzUzZDNjYmVmMGVmNWRhYWJkYzU0ZTNkYzQyNTlmCmF1dGhvciBSaWxleSBBbmRyZXdzIDxyaWFuZHJld3NAYW5kcm9pZC5jb20+IDE0MzI4NTEwMTQgLTA3MDAKY29tbWl0dGVyIFRoaWVycnkgU3RydWRlbCA8dHN0cnVkZWxAZ29vZ2xlLmNvbT4gMTQzMzIwMzU4NiAtMDcwMAoKYW5kcm9pZDogZHJpdmVyczogd29ya2Fyb3VuZCBkZWJ1Z2ZzIHJhY2UgaW4gYmluZGVyCgpJZiBhIC9kL2JpbmRlci9wcm9jL1twaWRdIGVudHJ5IGlzIGtlcHQgb3BlbiBhZnRlciBsaW51eCBoYXMKdG9ybiBkb3duIHRoZSBhc3NvY2lhdGVkIHByb2Nlc3MsIGJpbmRlcl9wcm9jX3Nob3cgY2FuIGRlZmVyZW5jZQphbiBpbnZhbGlkIGJpbmRlcl9wcm9jIHRoYXQgaGFzIGJlZW4gc3Rhc2hlZCBpbiB0aGUgZGVidWdmcwppbm9kZS4gIFZhbGlkYXRlIHRoYXQgdGhlIGJpbmRlcl9wcm9jIHB0ciBwYXNzZWQgaW50byBiaW5kZXJfcHJvY19zaG93CmhhcyBub3QgYmVlbiBmcmVlZCBieSBsb29raW5nIGZvciBpdCB3aXRoaW4gdGhlIGdsb2JhbCBwcm9jZXNzIGxpc3QKd2hpbHN0IHRoZSBnbG9iYWwgbG9jayBpcyBoZWxkLiBJZiB0aGUgcHRyIGlzIG5vdCB2YWxpZCwgcHJpbnQgbm90aGluZy4KCkJ1ZyAxOTU4NzQ4MwpDaGFuZ2UtSWQ6IEljZTg3OGMxNzFkYjUxZWY5YTQ4NzljMmY5Mjk5YTJkZWI4NzNkMjU1ClNpZ25lZC1vZmYtYnk6IFJpbGV5IEFuZHJld3MgPHJpYW5kcmV3c0BhbmRyb2lkLmNvbT4K
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSAwMGY1OGIzOTE4ZTQ0OGQxZDRhMTFjY2ExODY4OWRkYTc4ZmJlYzJkCnBhcmVudCBmNjMwZDc5ZGRkM2YzZjYwYWYyZjZmODQ5ZmUwN2ZhMjlmNzM4YWQzCmF1dGhvciBKYW5uIEhvcm4gPGphbm5AdGhlamgubmV0PiAxNDc4NTU4MDg0IC0wODAwCmNvbW1pdHRlciBQYXQgVGppbiA8cGF0dGppbkBnb29nbGUuY29tPiAxNDgxMDk1ODgwICswMDAwCgpCQUNLUE9SVDogYWlvOiBtYXJrIEFJTyBwc2V1ZG8tZnMgbm9leGVjCgpUaGlzIGVuc3VyZXMgdGhhdCBkb19tbWFwKCkgd29uJ3QgaW1wbGljaXRseSBtYWtlIEFJTyBtZW1vcnkgbWFwcGluZ3MKZXhlY3V0YWJsZSBpZiB0aGUgUkVBRF9JTVBMSUVTX0VYRUMgcGVyc29uYWxpdHkgZmxhZyBpcyBzZXQuICBTdWNoCmJlaGF2aW9yIGlzIHByb2JsZW1hdGljIGJlY2F1c2UgdGhlIHNlY3VyaXR5X21tYXBfZmlsZSBMU00gaG9vayBkb2Vzbid0CmNhdGNoIHRoaXMgY2FzZSwgcG90ZW50aWFsbHkgcGVybWl0dGluZyBhbiBhdHRhY2tlciB0byBieXBhc3MgYSBXXlgKcG9saWN5IGVuZm9yY2VkIGJ5IFNFTGludXguCgpJIGhhdmUgdGVzdGVkIHRoZSBwYXRjaCBvbiBteSBtYWNoaW5lLgoKVG8gdGVzdCB0aGUgYmVoYXZpb3IsIGNvbXBpbGUgYW5kIHJ1biB0aGlzOgoKICAgICNkZWZpbmUgX0dOVV9TT1VSQ0UKICAgICNpbmNsdWRlIDx1bmlzdGQuaD4KICAgICNpbmNsdWRlIDxzeXMvcGVyc29uYWxpdHkuaD4KICAgICNpbmNsdWRlIDxsaW51eC9haW9fYWJpLmg+CiAgICAjaW5jbHVkZSA8ZXJyLmg+CiAgICAjaW5jbHVkZSA8c3RkbGliLmg+CiAgICAjaW5jbHVkZSA8c3RkaW8uaD4KICAgICNpbmNsdWRlIDxzeXMvc3lzY2FsbC5oPgoKICAgIGludCBtYWluKHZvaWQpIHsKICAgICAgICBwZXJzb25hbGl0eShSRUFEX0lNUExJRVNfRVhFQyk7CiAgICAgICAgYWlvX2NvbnRleHRfdCBjdHggPSAwOwogICAgICAgIGlmIChzeXNjYWxsKF9fTlJfaW9fc2V0dXAsIDEsICZjdHgpKQogICAgICAgICAgICBlcnIoMSwgImlvX3NldHVwIik7CgogICAgICAgIGNoYXIgY21kWzEwMDBdOwogICAgICAgIHNwcmludGYoY21kLCAiY2F0IC9wcm9jLyVkL21hcHMgfCBncmVwIC1GICcvW2Fpb10nIiwKICAgICAgICAgICAgKGludClnZXRwaWQoKSk7CiAgICAgICAgc3lzdGVtKGNtZCk7CiAgICAgICAgcmV0dXJuIDA7CiAgICB9CgpJbiB0aGUgb3V0cHV0LCAicnctcyIgaXMgZ29vZCwgInJ3eHMiIGlzIGJhZC4KClNpZ25lZC1vZmYtYnk6IEphbm4gSG9ybiA8amFubkB0aGVqaC5uZXQ+ClNpZ25lZC1vZmYtYnk6IExpbnVzIFRvcnZhbGRzIDx0b3J2YWxkc0BsaW51eC1mb3VuZGF0aW9uLm9yZz4KKGNoZXJyeSBwaWNrZWQgZnJvbSBjb21taXQgMjJmNmI0ZDM0ZmNmMDM5YzYzYTk0ZTc2NzBlMGRhMjRmODU3NWE1YSkKCkJ1ZzogMzE3MTE2MTkKQ2hhbmdlLUlkOiBJYjRmZmQzMGI2MWYxZDliYTYyOTA0OWY2NWEyMWFmYmY5NGUyNWNmZAo=
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSAwNDNlNjcwOTBhYWQ2MTIzNTcwMWZjMzI1M2EzMzkwNDZjMzc1ZDQxCnBhcmVudCA1ZGI0MTY3Yzk5MjRjNjhhYjk1NTRiYmEzYTk4ZWNmZDE0YjkxYThlCmF1dGhvciBOaWNrIERlc2F1bG5pZXJzIDxuZGVzYXVsbmllcnNAZ29vZ2xlLmNvbT4gMTQ3OTQ5NDY1NiAtMDgwMApjb21taXR0ZXIgUGF0IFRqaW4gPHBhdHRqaW5AZ29vZ2xlLmNvbT4gMTQ4MTA5NTE5NSArMDAwMAoKQkFDS1BPUlQ6IGFpbzogbWFyayBBSU8gcHNldWRvLWZzIG5vZXhlYwoKVGhpcyBlbnN1cmVzIHRoYXQgZG9fbW1hcCgpIHdvbid0IGltcGxpY2l0bHkgbWFrZSBBSU8gbWVtb3J5IG1hcHBpbmdzCmV4ZWN1dGFibGUgaWYgdGhlIFJFQURfSU1QTElFU19FWEVDIHBlcnNvbmFsaXR5IGZsYWcgaXMgc2V0LiAgU3VjaApiZWhhdmlvciBpcyBwcm9ibGVtYXRpYyBiZWNhdXNlIHRoZSBzZWN1cml0eV9tbWFwX2ZpbGUgTFNNIGhvb2sgZG9lc24ndApjYXRjaCB0aGlzIGNhc2UsIHBvdGVudGlhbGx5IHBlcm1pdHRpbmcgYW4gYXR0YWNrZXIgdG8gYnlwYXNzIGEgV15YCnBvbGljeSBlbmZvcmNlZCBieSBTRUxpbnV4LgoKSSBoYXZlIHRlc3RlZCB0aGUgcGF0Y2ggb24gbXkgbWFjaGluZS4KClRvIHRlc3QgdGhlIGJlaGF2aW9yLCBjb21waWxlIGFuZCBydW4gdGhpczoKCiAgICAjZGVmaW5lIF9HTlVfU09VUkNFCiAgICAjaW5jbHVkZSA8dW5pc3RkLmg+CiAgICAjaW5jbHVkZSA8c3lzL3BlcnNvbmFsaXR5Lmg+CiAgICAjaW5jbHVkZSA8bGludXgvYWlvX2FiaS5oPgogICAgI2luY2x1ZGUgPGVyci5oPgogICAgI2luY2x1ZGUgPHN0ZGxpYi5oPgogICAgI2luY2x1ZGUgPHN0ZGlvLmg+CiAgICAjaW5jbHVkZSA8c3lzL3N5c2NhbGwuaD4KCiAgICBpbnQgbWFpbih2b2lkKSB7CiAgICAgICAgcGVyc29uYWxpdHkoUkVBRF9JTVBMSUVTX0VYRUMpOwogICAgICAgIGFpb19jb250ZXh0X3QgY3R4ID0gMDsKICAgICAgICBpZiAoc3lzY2FsbChfX05SX2lvX3NldHVwLCAxLCAmY3R4KSkKICAgICAgICAgICAgZXJyKDEsICJpb19zZXR1cCIpOwoKICAgICAgICBjaGFyIGNtZFsxMDAwXTsKICAgICAgICBzcHJpbnRmKGNtZCwgImNhdCAvcHJvYy8lZC9tYXBzIHwgZ3JlcCAtRiAnL1thaW9dJyIsCiAgICAgICAgICAgIChpbnQpZ2V0cGlkKCkpOwogICAgICAgIHN5c3RlbShjbWQpOwogICAgICAgIHJldHVybiAwOwogICAgfQoKSW4gdGhlIG91dHB1dCwgInJ3LXMiIGlzIGdvb2QsICJyd3hzIiBpcyBiYWQuCgpTaWduZWQtb2ZmLWJ5OiBKYW5uIEhvcm4gPGphbm5AdGhlamgubmV0PgpTaWduZWQtb2ZmLWJ5OiBMaW51cyBUb3J2YWxkcyA8dG9ydmFsZHNAbGludXgtZm91bmRhdGlvbi5vcmc+CihjaGVycnkgcGlja2VkIGZyb20gY29tbWl0IDIyZjZiNGQzNGZjZjAzOWM2M2E5NGU3NjcwZTBkYTI0Zjg1NzVhNWEpCgpCdWc6IDMxNzExNjE5CkNoYW5nZS1JZDogSTlmMjg3MjcwM2JlZjI0MGQ2YjgyMzIwYzc0NDUyOTQ1OWJiMDc2ZGMK
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA4NjhlZGQwNmEyMmY1ZjFlODQ4MWQxMWUyOWU1OWE1YzcwMGVkZTI5CnBhcmVudCBhMDBkYWZkNjUyZTVlZjc1ZmNlZDk3YWRmNWRlZWE3ZWE3YjhiMTZkCmF1dGhvciBOYXNlZXIgQWhtZWQgPG5hc2VlckBjb2RlYXVyb3JhLm9yZz4gMTQ1ODE2MTA1MCAtMDQwMApjb21taXR0ZXIgWXVhbiBMaW4gPHl1YWxpbkBnb29nbGUuY29tPiAxNDU4ODg4MjY4IC0wNzAwCgptc21fZmI6IGRpc3BsYXk6IEVuYWJsZSBkaXNwbGF5IGRlYnVnZ2luZyB0aHJvdWdoIG1kcCBkZWJ1Z2ZzCgpDaGFuZ2UgdGhlIGNvbmZpZyBmcm9tIERFQlVHX0ZTIHRvIE1EUF9ERUJVR19GUyB0byBkdW1wIGFuZAp3cml0ZSB0aGUgTURQLCBNRERJIGFuZCBIRE1JIGRlYnVnIHJlZ2lzdGVycy4gQnkgZGVmYXVsdApDT05GSUdfTURQX0RFQlVHX0ZTIHNob3VsZCBiZSBkaXNhYmxlZCBhbmQgY2FuIGJlIGVuYWJsZWQKdGhyb3VnaCBkZWZjb25maWcgZmlsZS4KCkNoYW5nZS1JZDogSTJlZDhkY2MzMGIxOWE4MDkxMjczNGVjMTNmMjRhNjczNTFjMzgzMTUKU2lnbmVkLW9mZi1ieTogUmFnaGF2ZW5kcmEgQW1iYWRhcyA8cmFtYmFkQGNvZGVhdXJvcmEub3JnPgpTaWduZWQtb2ZmLWJ5OiBOYXNlZXIgQWhtZWQgPG5hc2VlckBjb2RlYXVyb3JhLm9yZz4KQlVHPTI2NDA0NTI1Cg==
|
||||
|
|
@ -1,58 +0,0 @@
|
|||
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Diff - 8292fe595c99ccbcb5e73debdba21d5f1ad91ef6^! - kernel/msm.git - Git at Google</title><link rel="stylesheet" type="text/css" href="/+static/base.HLL9TqKl0YYybSzmT_wTdw.cache.css"><!-- default customHeadTagPart --></head><body class="Site"><header class="Site-header"><div class="Header"><a class="Header-image" href="/"><img src="//www.gstatic.com/images/branding/lockups/2x/lockup_git_color_108x24dp.png" width="108" height="24" alt="Google Git"></a><div class="Header-menu"> <a class="Header-menuItem" href="https://accounts.google.com/AccountChooser?service=gerritcodereview&continue=https://android.googlesource.com/login/kernel/msm.git/%2B/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6%255E%2521/">Sign in</a> </div></div></header><div class="Site-content"><div class="Container "><div class="Breadcrumbs"><a class="Breadcrumbs-crumb" href="/?format=HTML">android</a> / <a class="Breadcrumbs-crumb" href="/kernel/">kernel</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/">msm.git</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6%5E%21/">8292fe595c99ccbcb5e73debdba21d5f1ad91ef6^!</a> / <span class="Breadcrumbs-crumb">.</span></div><div class="u-monospace Metadata"><table><tr><th class="Metadata-title">commit</th><td>8292fe595c99ccbcb5e73debdba21d5f1ad91ef6</td><td><span>[<a href="/kernel/msm.git/+log/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6/">log</a>]</span> <span>[<a href="/kernel/msm.git/+archive/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6/.tar.gz">tgz</a>]</span></td></tr><tr><th class="Metadata-title">author</th><td>Ben Romberger <bromberg@codeaurora.org></td><td>Thu Apr 14 14:35:10 2016 -0700</td></tr><tr><th class="Metadata-title">committer</th><td>Yuan Lin <yualin@google.com></td><td>Wed Apr 20 17:53:33 2016 -0700</td></tr><tr><th class="Metadata-title">tree</th><td><a href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6/">d43e1c522da03f52f6b6082235fc29fdde35cab3</a></td></tr><tr><th class="Metadata-title">parent</th><td><a href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6%5E">27e5b60af8b7b1fd289b1438a69866a125dacbdc</a> <span>[<a href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6%5E%21/">diff</a>]</span></td></tr></table></div><pre class="u-pre u-monospace MetadataMessage">ASoC: msm: Add bounds checking to ADM get params
|
||||
|
||||
Add additional bounds checking to ADM get params.
|
||||
Validate that all buffer sizes are valid before
|
||||
dereferencing.
|
||||
|
||||
BUG=27947307
|
||||
|
||||
Change-Id: <a href="https://android-review.googlesource.com/#/q/Iae3643985b5b72b78606f4dff94f8068ee0ddc09">Iae3643985b5b72b78606f4dff94f8068ee0ddc09</a>
|
||||
</pre><pre class="u-pre u-monospace Diff"><a name="F0" class="Diff-fileIndex"></a>diff --git <a href="/kernel/msm.git/+/27e5b60af8b7b1fd289b1438a69866a125dacbdc/sound/soc/msm/qdsp6v2/q6adm.c">a/sound/soc/msm/qdsp6v2/q6adm.c</a> <a href="/kernel/msm.git/+/8292fe595c99ccbcb5e73debdba21d5f1ad91ef6/sound/soc/msm/qdsp6v2/q6adm.c">b/sound/soc/msm/qdsp6v2/q6adm.c</a>
|
||||
index 08caf51..14565cc 100644
|
||||
--- a/sound/soc/msm/qdsp6v2/q6adm.c
|
||||
+++ b/sound/soc/msm/qdsp6v2/q6adm.c
|
||||
</pre><pre class="u-pre u-monospace Diff-unified"><span class="Diff-hunk">@@ -508,9 +508,18 @@
|
||||
</span><span class="Diff-change"> rc = -EINVAL;</span>
|
||||
<span class="Diff-change"> goto adm_get_param_return;</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
<span class="Diff-delete">- if (params_data) {</span>
|
||||
<span class="Diff-insert">+ if ((params_data) &&</span>
|
||||
<span class="Diff-insert">+ (ARRAY_SIZE(adm_get_parameters) > 0) &&</span>
|
||||
<span class="Diff-insert">+ (ARRAY_SIZE(adm_get_parameters) >= 1+adm_get_parameters[0]) &&</span>
|
||||
<span class="Diff-insert">+ (params_length/sizeof(int) >= adm_get_parameters[0])) {</span>
|
||||
<span class="Diff-change"> for (i = 0; i < adm_get_parameters[0]; i++)</span>
|
||||
<span class="Diff-change"> params_data[i] = adm_get_parameters[1+i];</span>
|
||||
<span class="Diff-insert">+ } else {</span>
|
||||
<span class="Diff-insert">+ pr_err("%s: Get param data not copied! get_param array size %zd, index %d, params array size %zd, index %d\n",</span>
|
||||
<span class="Diff-insert">+ __func__, ARRAY_SIZE(adm_get_parameters),</span>
|
||||
<span class="Diff-insert">+ (1+adm_get_parameters[0]),</span>
|
||||
<span class="Diff-insert">+ params_length/sizeof(int),</span>
|
||||
<span class="Diff-insert">+ adm_get_parameters[0]);</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
<span class="Diff-change"> rc = 0;</span>
|
||||
<span class="Diff-change"> adm_get_param_return:</span>
|
||||
<span class="Diff-hunk">@@ -799,17 +808,18 @@
|
||||
</span><span class="Diff-change"> data->payload_size))</span>
|
||||
<span class="Diff-change"> break;</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-delete">- if (payload[0] == 0) {</span>
|
||||
<span class="Diff-delete">- if (data->payload_size ></span>
|
||||
<span class="Diff-delete">- (4 * sizeof(uint32_t))) {</span>
|
||||
<span class="Diff-delete">- adm_get_parameters[0] = payload[3];</span>
|
||||
<span class="Diff-insert">+ if ((payload[0] == 0) &&</span>
|
||||
<span class="Diff-insert">+ (data->payload_size > (4 * sizeof(*payload))) &&</span>
|
||||
<span class="Diff-insert">+ (data->payload_size/sizeof(*payload)-4 >= payload[3]) &&</span>
|
||||
<span class="Diff-insert">+ (ARRAY_SIZE(adm_get_parameters) > 0) &&</span>
|
||||
<span class="Diff-insert">+ (ARRAY_SIZE(adm_get_parameters)-1 >= payload[3])) {</span>
|
||||
<span class="Diff-insert">+ adm_get_parameters[0] = payload[3];</span>
|
||||
<span class="Diff-change"> pr_debug("GET_PP PARAM:received parameter length: 0x%x\n",</span>
|
||||
<span class="Diff-change"> adm_get_parameters[0]);</span>
|
||||
<span class="Diff-change"> /* storing param size then params */</span>
|
||||
<span class="Diff-change"> for (i = 0; i < payload[3]; i++)</span>
|
||||
<span class="Diff-change"> adm_get_parameters[1+i] =</span>
|
||||
<span class="Diff-change"> payload[4+i];</span>
|
||||
<span class="Diff-delete">- }</span>
|
||||
<span class="Diff-change"> } else {</span>
|
||||
<span class="Diff-change"> adm_get_parameters[0] = -1;</span>
|
||||
<span class="Diff-change"> pr_err("%s: GET_PP_PARAMS failed, setting size to %d\n",</span>
|
||||
</pre></div> <!-- Container --></div> <!-- Site-content --><!-- default customFooter --><footer class="Site-footer"><div class="Footer"><span class="Footer-poweredBy">Powered by <a href="https://gerrit.googlesource.com/gitiles/">Gitiles</a></span><span class="Footer-formats"><a class="u-monospace Footer-formatsItem" href="?format=TEXT">txt</a> <a class="u-monospace Footer-formatsItem" href="?format=JSON">json</a></span></div></footer></body></html>
|
||||
|
|
@ -1,37 +0,0 @@
|
|||
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Diff - eb6cc9d4af6791d4d34075e3fa08f0c858087a8c^! - kernel/msm.git - Git at Google</title><link rel="stylesheet" type="text/css" href="/+static/base.HLL9TqKl0YYybSzmT_wTdw.cache.css"><!-- default customHeadTagPart --></head><body class="Site"><header class="Site-header"><div class="Header"><a class="Header-image" href="/"><img src="//www.gstatic.com/images/branding/lockups/2x/lockup_git_color_108x24dp.png" width="108" height="24" alt="Google Git"></a><div class="Header-menu"> <a class="Header-menuItem" href="https://accounts.google.com/AccountChooser?service=gerritcodereview&continue=https://android.googlesource.com/login/kernel/msm.git/%2B/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c%255E%2521/">Sign in</a> </div></div></header><div class="Site-content"><div class="Container "><div class="Breadcrumbs"><a class="Breadcrumbs-crumb" href="/?format=HTML">android</a> / <a class="Breadcrumbs-crumb" href="/kernel/">kernel</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/">msm.git</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c%5E%21/">eb6cc9d4af6791d4d34075e3fa08f0c858087a8c^!</a> / <span class="Breadcrumbs-crumb">.</span></div><div class="u-monospace Metadata"><table><tr><th class="Metadata-title">commit</th><td>eb6cc9d4af6791d4d34075e3fa08f0c858087a8c</td><td><span>[<a href="/kernel/msm.git/+log/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c/">log</a>]</span> <span>[<a href="/kernel/msm.git/+archive/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c/.tar.gz">tgz</a>]</span></td></tr><tr><th class="Metadata-title">author</th><td>Rajesh Kemisetti <rajeshk@codeaurora.org></td><td>Tue Apr 19 15:42:12 2016 -0700</td></tr><tr><th class="Metadata-title">committer</th><td>Yuan Lin <yualin@google.com></td><td>Tue Apr 19 22:46:09 2016 +0000</td></tr><tr><th class="Metadata-title">tree</th><td><a href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c/">e573a8e6012cf35a0adc0983182fa3b007645d98</a></td></tr><tr><th class="Metadata-title">parent</th><td><a href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c%5E">4029268991f478b98b6d37106af8f1f635c0b595</a> <span>[<a href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c%5E%21/">diff</a>]</span></td></tr></table></div><pre class="u-pre u-monospace MetadataMessage">msm: kgsl: Add missing checks for alloc size and sglen
|
||||
|
||||
In _kgsl_sharedmem_page_alloc():
|
||||
|
||||
- Make len of type size_t to be in line with size.
|
||||
- Check for boundary limits of requested alloc size before honoring.
|
||||
- Make sure sglen is greater than zero before marking it as end
|
||||
of sg list.
|
||||
|
||||
Bug: 27475454
|
||||
Change-Id: <a href="https://android-review.googlesource.com/#/q/I5b2e6f657f532fc256627cb6b2ab3ca01938a11b">I5b2e6f657f532fc256627cb6b2ab3ca01938a11b</a>
|
||||
Signed-off-by: Yuan Lin <yualin@google.com>
|
||||
</pre><pre class="u-pre u-monospace Diff"><a name="F0" class="Diff-fileIndex"></a>diff --git <a href="/kernel/msm.git/+/4029268991f478b98b6d37106af8f1f635c0b595/drivers/gpu/msm/kgsl_sharedmem.c">a/drivers/gpu/msm/kgsl_sharedmem.c</a> <a href="/kernel/msm.git/+/eb6cc9d4af6791d4d34075e3fa08f0c858087a8c/drivers/gpu/msm/kgsl_sharedmem.c">b/drivers/gpu/msm/kgsl_sharedmem.c</a>
|
||||
index 29f6162..a138719 100644
|
||||
--- a/drivers/gpu/msm/kgsl_sharedmem.c
|
||||
+++ b/drivers/gpu/msm/kgsl_sharedmem.c
|
||||
</pre><pre class="u-pre u-monospace Diff-unified"><span class="Diff-hunk">@@ -592,13 +592,18 @@
|
||||
</span><span class="Diff-change"> size_t size)</span>
|
||||
<span class="Diff-change"> {</span>
|
||||
<span class="Diff-change"> int pcount = 0, order, ret = 0;</span>
|
||||
<span class="Diff-delete">- int j, len, page_size, sglen_alloc, sglen = 0;</span>
|
||||
<span class="Diff-insert">+ int j, page_size, sglen_alloc, sglen = 0;</span>
|
||||
<span class="Diff-change"> struct page **pages = NULL;</span>
|
||||
<span class="Diff-change"> pgprot_t page_prot = pgprot_writecombine(PAGE_KERNEL);</span>
|
||||
<span class="Diff-change"> void *ptr;</span>
|
||||
<span class="Diff-insert">+ size_t len;</span>
|
||||
<span class="Diff-change"> unsigned int align;</span>
|
||||
<span class="Diff-change"> int step = SZ_2M >> PAGE_SHIFT;</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-insert">+ size = PAGE_ALIGN(size);</span>
|
||||
<span class="Diff-insert">+ if (size == 0 || size > UINT_MAX)</span>
|
||||
<span class="Diff-insert">+ return -EINVAL;</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-change"> align = (memdesc->flags & KGSL_MEMALIGN_MASK) >> KGSL_MEMALIGN_SHIFT;</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-change"> page_size = (align >= ilog2(SZ_64K) && size >= SZ_64K)</span>
|
||||
</pre></div> <!-- Container --></div> <!-- Site-content --><!-- default customFooter --><footer class="Site-footer"><div class="Footer"><span class="Footer-poweredBy">Powered by <a href="https://gerrit.googlesource.com/gitiles/">Gitiles</a></span><span class="Footer-formats"><a class="u-monospace Footer-formatsItem" href="?format=TEXT">txt</a> <a class="u-monospace Footer-formatsItem" href="?format=JSON">json</a></span></div></footer></body></html>
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBmM2U3ZWU2ZDlmNWFhOTc4ZDQ1ZTg0YTA2NDA2MWZjODJkZjMxNTY4CnBhcmVudCA5OTk2N2Y1ZGVkOGEzMTMzZDFmM2FiNmQ2NmM0YjI3MDM0MTAzYzdmCmF1dGhvciB2aXZlayBtZWh0YSA8bXZpdmVrQGNvZGVhdXJvcmEub3JnPiAxNDYwNTg0NDQ4IC0wNzAwCmNvbW1pdHRlciBZdWFuIExpbiA8eXVhbGluQGdvb2dsZS5jb20+IDE0NjA3Njc2MzYgLTA3MDAKCkFTb0M6IG1zbTogZGlzYWJsZSB1bndhbnRlZCBtb2R1bGUKCi0gZGlzYWJsZSBjb21waWxhdGlvbiBvZiB1bndhbnRlZCBtb2R1bGVzCgpCdWc6IDI3NTMxOTkyCkNoYW5nZS1JZDogSTlkZjRlZmQ4OTkwMzJmYjkyMTlhMjg2ZmU0NjlkN2IyZjQ3NjY4NmYKU2lnbmVkLW9mZi1ieTogdml2ZWsgbWVodGEgPG12aXZla0Bjb2RlYXVyb3JhLm9yZz4K
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBmMTE4YzIzODJmNGE0YjE3YjdkNzRlNTAxZTVjOTJjZWQwNzM2MzA0CnBhcmVudCAzNWMzYjc1ZWQyNmUyNDhjNjBmNjQ5MTc1NWFhY2Y2OWIyZWY4NmE0CmF1dGhvciBUaGllcnJ5IFN0cnVkZWwgPHRzdHJ1ZGVsQGdvb2dsZS5jb20+IDE0NjA1NjY5NTUgLTA3MDAKY29tbWl0dGVyIFRoaWVycnkgU3RydWRlbCA8dHN0cnVkZWxAZ29vZ2xlLmNvbT4gMTQ2MDY3MjYyNiAtMDcwMAoKcWNhY2xkLTIuMDogRml4IGJ1ZmZlciBvdmVyd3JpdGUgcHJvYmxlbSBpbiBDQ1hCRUFDT05SRVEKClNldCB0aGUgbnVtYmVyIG9mIElFIGZpZWxkcyB0byBtaW5pbXVtIG9mIGlucHV0IGRhdGEgYW5kClNJUl9FU0VfTUFYX01FQVNfSUVfUkVRUy4KCkNoYW5nZS1JZDogSWU1M2NmZWM3ODcyYWI2OTUzMGJiYjg5MzJmOWY5ZTg1ZmIzMTlmOTIKQ1JzLUZpeGVkOiA5OTM1NjEKQnVnOiAyNzQyNDYwMwpTaWduZWQtb2ZmLWJ5OiBTcmluaXZhcyBHaXJpZ293ZGEgPHNnaXJpZ293QGNvZGVhdXJvcmEub3JnPgpTaWduZWQtb2ZmLWJ5OiBUaGllcnJ5IFN0cnVkZWwgPHRzdHJ1ZGVsQGdvb2dsZS5jb20+Cg==
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA4ZmJmNmFhNGQzMmE4ZTM3M2I4Njg4ZGUzNGZjMzAyMDdhOTY4MzEwCnBhcmVudCBhYzFkMzE4MTRhOTg1MzhiMDAwNTc4Nzc2MmJiMDYwNTFlNmM0ZTI1CmF1dGhvciBKZXJyeSBMZWUgPGplcnJ5bGVlQGJyb2FkY29tLmNvbT4gMTQ1ODc2ODgzMCAtMDcwMApjb21taXR0ZXIgTWFyayBTYWx5enluIDxzYWx5enluQGdvb2dsZS5jb20+IDE0NTk3OTc0OTEgKzAwMDAKCm5ldDogd2lyZWxlc3M6IGJjbWRoZDogY2hlY2sgcHJpdmlsZWdlIG9uIHByaXYgY21kCgooY2hlcnJ5IHBpY2sgZnJvbSBjb21taXQgN2I0YmQ2ZTQxZWQ1MTRkZGRmOWU0MDM0NzJiMWZiNmY4MDhkM2Y0YikKCmNoZWNrIG5ldCBhZG1pbiBjYXBhYmlsaXR5IGZvciBpb2N0bCBjYWxscwoKU2lnbmVkLW9mZi1ieTogSmVycnkgTGVlIDxqZXJyeWxlZUBicm9hZGNvbS5jb20+CkJ1ZzogMjY0MjU3NjUKQnVnOiAyNzk5NzA3NQpDaGFuZ2UtSWQ6IElhZTFiNTNhYTYyZmRjMjQ1MzBiYjFiODVjYjY5NzQwYzg3ZDE4MmU5Cg==
|
||||
|
|
@ -1,20 +0,0 @@
|
|||
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Diff - f2152040cb3c13fa846914df1ad44a8a7fd2e935^! - kernel/msm - Git at Google</title><link rel="stylesheet" type="text/css" href="/+static/base.HLL9TqKl0YYybSzmT_wTdw.cache.css"><!-- default customHeadTagPart --></head><body class="Site"><header class="Site-header"><div class="Header"><a class="Header-image" href="/"><img src="//www.gstatic.com/images/branding/lockups/2x/lockup_git_color_108x24dp.png" width="108" height="24" alt="Google Git"></a><div class="Header-menu"> <a class="Header-menuItem" href="https://accounts.google.com/AccountChooser?service=gerritcodereview&continue=https://android.googlesource.com/login/kernel/msm/%2B/f2152040cb3c13fa846914df1ad44a8a7fd2e935%255E%2521/">Sign in</a> </div></div></header><div class="Site-content"><div class="Container "><div class="Breadcrumbs"><a class="Breadcrumbs-crumb" href="/?format=HTML">android</a> / <a class="Breadcrumbs-crumb" href="/kernel/">kernel</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm/">msm</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm/+/f2152040cb3c13fa846914df1ad44a8a7fd2e935%5E%21/">f2152040cb3c13fa846914df1ad44a8a7fd2e935^!</a> / <span class="Breadcrumbs-crumb">.</span></div><div class="u-monospace Metadata"><table><tr><th class="Metadata-title">commit</th><td>f2152040cb3c13fa846914df1ad44a8a7fd2e935</td><td><span>[<a href="/kernel/msm/+log/f2152040cb3c13fa846914df1ad44a8a7fd2e935/">log</a>]</span> <span>[<a href="/kernel/msm/+archive/f2152040cb3c13fa846914df1ad44a8a7fd2e935/.tar.gz">tgz</a>]</span></td></tr><tr><th class="Metadata-title">author</th><td>Mohamad Ayyash <mkayyash@google.com></td><td>Tue May 24 15:44:24 2016 -0700</td></tr><tr><th class="Metadata-title">committer</th><td>Patrick Tjin <pattjin@google.com></td><td>Wed Jun 08 09:40:11 2016 -0700</td></tr><tr><th class="Metadata-title">tree</th><td><a href="/kernel/msm/+/f2152040cb3c13fa846914df1ad44a8a7fd2e935/">94cdf0453986ab2673284370ede95824fff017f9</a></td></tr><tr><th class="Metadata-title">parent</th><td><a href="/kernel/msm/+/f2152040cb3c13fa846914df1ad44a8a7fd2e935%5E">4641bdfd4961b71547571a20e664f4831715b651</a> <span>[<a href="/kernel/msm/+/f2152040cb3c13fa846914df1ad44a8a7fd2e935%5E%21/">diff</a>]</span></td></tr></table></div><pre class="u-pre u-monospace MetadataMessage">Don't show empty tag stats for unprivileged uids
|
||||
|
||||
BUG: 27577101
|
||||
BUG: 27532522
|
||||
Change-Id: <a href="https://android-review.googlesource.com/#/q/I890831a72e5ad4485fdf30e51a146712b18052ed">I890831a72e5ad4485fdf30e51a146712b18052ed</a>
|
||||
Signed-off-by: Mohamad Ayyash <mkayyash@google.com
|
||||
</pre><pre class="u-pre u-monospace Diff"><a name="F0" class="Diff-fileIndex"></a>diff --git <a href="/kernel/msm/+/4641bdfd4961b71547571a20e664f4831715b651/net/netfilter/xt_qtaguid.c">a/net/netfilter/xt_qtaguid.c</a> <a href="/kernel/msm/+/f2152040cb3c13fa846914df1ad44a8a7fd2e935/net/netfilter/xt_qtaguid.c">b/net/netfilter/xt_qtaguid.c</a>
|
||||
index c690e0f..9ce6228 100644
|
||||
--- a/net/netfilter/xt_qtaguid.c
|
||||
+++ b/net/netfilter/xt_qtaguid.c
|
||||
</pre><pre class="u-pre u-monospace Diff-unified"><span class="Diff-hunk">@@ -2521,7 +2521,7 @@
|
||||
</span><span class="Diff-change"> uid_t stat_uid = get_uid_from_tag(tag);</span>
|
||||
<span class="Diff-change"> struct proc_print_info *ppi = m->private;</span>
|
||||
<span class="Diff-change"> /* Detailed tags are not available to everybody */</span>
|
||||
<span class="Diff-delete">- if (get_atag_from_tag(tag) && !can_read_other_uid_stats(stat_uid)) {</span>
|
||||
<span class="Diff-insert">+ if (!can_read_other_uid_stats(stat_uid)) {</span>
|
||||
<span class="Diff-change"> CT_DEBUG("qtaguid: stats line: "</span>
|
||||
<span class="Diff-change"> "%s 0x%llx %u: insufficient priv "</span>
|
||||
<span class="Diff-change"> "from pid=%u tgid=%u uid=%u stats.gid=%u\n",</span>
|
||||
</pre></div> <!-- Container --></div> <!-- Site-content --><!-- default customFooter --><footer class="Site-footer"><div class="Footer"><span class="Footer-poweredBy">Powered by <a href="https://gerrit.googlesource.com/gitiles/">Gitiles</a></span><span class="Footer-formats"><a class="u-monospace Footer-formatsItem" href="?format=TEXT">txt</a> <a class="u-monospace Footer-formatsItem" href="?format=JSON">json</a></span></div></footer></body></html>
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBkNjgwZmM2NWNhN2M2NTA0NzdiNmNkNjRlNjI4ZjUwNWNhZTY4OWVmCnBhcmVudCAzODk3MWZmZWMyNWIyZGVlZjEzNDNhZmJlMzk0NzMzY2JmZDNjNTA3CmF1dGhvciBQaGlsIFR1cm5idWxsIDxwaGlsLnR1cm5idWxsQG9yYWNsZS5jb20+IDE0NTQ0MzgyMDUgLTA1MDAKY29tbWl0dGVyIFBhdCBUamluIDxwYXR0amluQGdvb2dsZS5jb20+IDE0NzQxMDA5ODQgKzAwMDAKCkJBQ0tQT1JUOiBuZXRmaWx0ZXI6IG5mbmV0bGluazogY29ycmVjdGx5IHZhbGlkYXRlIGxlbmd0aCBvZiBiYXRjaCBtZXNzYWdlcwoKKGNoZXJyeSBwaWNrZWQgZnJvbSBjb21taXQgYzU4ZDZjOTM2ODBmMjhhYzU4OTg0YWY2MWQwYTdlYmY0MzE5YzI0MSkKCklmIG5saC0+bmxtc2dfbGVuIGlzIHplcm8gdGhlbiBhbiBpbmZpbml0ZSBsb29wIGlzIHRyaWdnZXJlZCBiZWNhdXNlCidza2JfcHVsbChza2IsIG1zZ2xlbik7JyBwdWxscyB6ZXJvIGJ5dGVzLgoKVGhlIGNhbGN1bGF0aW9uIGluIG5sbXNnX2xlbigpIHVuZGVyZmxvd3MgaWYgJ25saC0+bmxtc2dfbGVuIDwKTkxNU0dfSERSTEVOJyB3aGljaCBieXBhc3NlcyB0aGUgbGVuZ3RoIHZhbGlkYXRpb24gYW5kIHdpbGwgbGF0ZXIKdHJpZ2dlciBhbiBvdXQtb2YtYm91bmQgcmVhZC4KCklmIHRoZSBsZW5ndGggdmFsaWRhdGlvbiBkb2VzIGZhaWwgdGhlbiB0aGUgbWFsZm9ybWVkIGJhdGNoIG1lc3NhZ2UgaXMKY29waWVkIGJhY2sgdG8gdXNlcnNwYWNlLiBIb3dldmVyLCB3ZSBjYW5ub3QgZG8gdGhpcyBiZWNhdXNlIHRoZQpubGgtPm5sbXNnX2xlbiBjYW4gYmUgaW52YWxpZC4gVGhpcyBsZWFkcyB0byBhbiBvdXQtb2YtYm91bmRzIHJlYWQgaW4KbmV0bGlua19hY2s6CgogICAgWyAgIDQxLjQ1NTQyMV0gPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09CiAgICBbICAgNDEuNDU2NDMxXSBCVUc6IEtBU0FOOiBzbGFiLW91dC1vZi1ib3VuZHMgaW4gbWVtY3B5KzB4MWQvMHg0MCBhdCBhZGRyIGZmZmY4ODAxMTllNzkzNDAKICAgIFsgICA0MS40NTY0MzFdIFJlYWQgb2Ygc2l6ZSA0Mjk0OTY3MjgwIGJ5IHRhc2sgYS5vdXQvOTg3CiAgICBbICAgNDEuNDU2NDMxXSA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQogICAgWyAgIDQxLjQ1NjQzMV0gQlVHIGttYWxsb2MtNTEyIChOb3QgdGFpbnRlZCk6IGthc2FuOiBiYWQgYWNjZXNzIGRldGVjdGVkCiAgICBbICAgNDEuNDU2NDMxXSAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQogICAgLi4uCiAgICBbICAgNDEuNDU2NDMxXSBCeXRlcyBiNCBmZmZmODgwMTE5ZTc5MzEwOiAwMCAwMCAwMCAwMCBkNSAwMyAwMCAwMCBiMCBmYiBmZSBmZiAwMCAwMCAwMCAwMCAgLi4uLi4uLi4uLi4uLi4uLgogICAgWyAgIDQxLjQ1NjQzMV0gT2JqZWN0IGZmZmY4ODAxMTllNzkzMjA6IDIwIDAwIDAwIDAwIDEwIDAwIDA1IDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwICAgLi4uLi4uLi4uLi4uLi4uCiAgICBbICAgNDEuNDU2NDMxXSBPYmplY3QgZmZmZjg4MDExOWU3OTMzMDogMTQgMDAgMGEgMDAgMDEgMDMgZmMgNDAgNDUgNTYgMTEgMjIgMzMgMTAgMDAgMDUgIC4uLi4uLi5ARVYuIjMuLi4KICAgIFsgICA0MS40NTY0MzFdIE9iamVjdCBmZmZmODgwMTE5ZTc5MzQwOiBmMCBmZiBmZiBmZiA4OCA5OSBhYSBiYiAwMCAxNCAwMCAwYSAwMCAwNiBmZSBmYiAgLi4uLi4uLi4uLi4uLi4uLgogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIF5eIHN0YXJ0IG9mIGJhdGNoIG5sbXNnIHdpdGgKICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBubG1zZ19sZW49NDI5NDk2NzI4MAogICAgLi4uCiAgICBbICAgNDEuNDU2NDMxXSBNZW1vcnkgc3RhdGUgYXJvdW5kIHRoZSBidWdneSBhZGRyZXNzOgogICAgWyAgIDQxLjQ1NjQzMV0gIGZmZmY4ODAxMTllNzk0MDA6IDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwIDAwCiAgICBbICAgNDEuNDU2NDMxXSAgZmZmZjg4MDExOWU3OTQ4MDogMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAgMDAKICAgIFsgICA0MS40NTY0MzFdID5mZmZmODgwMTE5ZTc5NTAwOiAwMCAwMCAwMCAwMCBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYwogICAgWyAgIDQxLjQ1NjQzMV0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIF4KICAgIFsgICA0MS40NTY0MzFdICBmZmZmODgwMTE5ZTc5NTgwOiBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYyBmYwogICAgWyAgIDQxLjQ1NjQzMV0gIGZmZmY4ODAxMTllNzk2MDA6IGZjIGZjIGZjIGZjIGZjIGZjIGZjIGZjIGZjIGZjIGZiIGZiIGZiIGZiIGZiIGZiCiAgICBbICAgNDEuNDU2NDMxXSA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KCkZpeCB0aGlzIHdpdGggYmV0dGVyIHZhbGlkYXRpb24gb2YgbmxoLT5ubG1zZ19sZW4gYW5kIGJ5IHNldHRpbmcKTkZOTF9CQVRDSF9GQUlMVVJFIGlmIGFueSBiYXRjaCBtZXNzYWdlIGZhaWxzIGxlbmd0aCB2YWxpZGF0aW9uLgoKQ0FQX05FVF9BRE1JTiBpcyByZXF1aXJlZCB0byB0cmlnZ2VyIHRoZSBidWdzLgoKRml4ZXM6IDllYTJhYThiN2RiYSAoIm5ldGZpbHRlcjogbmZuZXRsaW5rOiB2YWxpZGF0ZSBuZm5ldGxpbmsgaGVhZGVyIGZyb20gYmF0Y2giKQpTaWduZWQtb2ZmLWJ5OiBQaGlsIFR1cm5idWxsIDxwaGlsLnR1cm5idWxsQG9yYWNsZS5jb20+ClNpZ25lZC1vZmYtYnk6IFBhYmxvIE5laXJhIEF5dXNvIDxwYWJsb0BuZXRmaWx0ZXIub3JnPgpDaGFuZ2UtSWQ6IElkM2UxNWM0MGNiNDY0YmYyNzkxYWY5MDdjMjM1ZDhhMzE2YjI0NDljCkJ1ZzogMzA5NDcwNTUK
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA2Y2VjNDE4MGU1ODIxMjA5ZDRlMDk4ODljMzFmZjg2Yjk1MjgxOTE0CnBhcmVudCBjOTNmZWIxM2NkMjBmNWIwZjE5ZDUzYzUyNmJiM2Q4ZTA1ZjYxY2ExCmF1dGhvciBNaW4gQ2hvbmcgPG1jaG9uZ0Bnb29nbGUuY29tPiAxNDc2MjMxMTIwIC0wNzAwCmNvbW1pdHRlciBNYXJrIFNhbHl6eW4gPHNhbHl6eW5AZ29vZ2xlLmNvbT4gMTQ3NjI4Mjc1MyArMDAwMAoKdXNiOiBkaWFnOiBjaGFuZ2UgJXAgdG8gJXBLIGluIGRlYnVnIG1lc3NhZ2VzCgpUaGUgZm9ybWF0IHNwZWNpZmllciAlcCBjYW4gbGVhayBrZXJuZWwgYWRkcmVzc2VzCndoaWxlIG5vdCB2YWx1aW5nIHRoZSBrcHRyX3Jlc3RyaWN0IHN5c3RlbSBzZXR0aW5ncy4KVXNlICVwSyBpbnN0ZWFkIG9mICVwLCB3aGljaCBhbHNvIGV2YWx1YXRlcyB3aGV0aGVyCmtwdHJfcmVzdHJpY3QgaXMgc2V0LgoKQnVnOiAzMTQ5NTM0OApDaGFuZ2UtSWQ6IEk3MzkyYzJiNDQ0Nzk0MjM0ZWJkNjg1NzM1NTY2ZTdiNGZhMDljNDA5ClNpZ25lZC1vZmYtYnk6IE1pbiBDaG9uZyA8bWNob25nQGdvb2dsZS5jb20+CihjaGVycnkgcGlja2VkIGZyb20gY29tbWl0IGQ4OGNkYWRjNjJhMmIwMDMyZDM4MDc2MzQ4NGE5M2QzZDhlZWI1YjMpCg==
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBjYmEyNTg1MTJjZGYyZTQ2NjU0YzQzMWRjYTE3NWQ0ZjZiNmI0Nzc3CnBhcmVudCBlNzU0M2RlZDFmMzUwZjVmZjhiY2YyM2MxMzQwNjg3MGJhOTAyMDI4CmF1dGhvciBJbnN1biBTb25nIDxpbnN1bi5zb25nQGJyb2FkY29tLmNvbT4gMTQ3NzQyNzU5OCAtMDcwMApjb21taXR0ZXIgQWRyaWFuIFNhbGlkbyA8c2FsaWRvYUBnb29nbGUuY29tPiAxNDc5MTYzNzcyIC0wODAwCgpuZXQ6IHdpcmVsZXNzOiBiY21kaGQ6IGZpeCBidWZmZXIgb3ZlcnJ1biBpbiBwcml2YXRlIGNvbW1hbmQgcGF0aAoKYnVmZmVyIG92ZXJydW4gY2FzZSBmb3VuZCB3aGVuIGxlbmd0aCBwYXJhbWV0ZXIgbWFuaXB1bGF0ZWQuCgoxLiBpZiBpbnB1dCBwYXJhbWV0ZXIgYnVmZmVyIGxlbmd0aCBpcyBsZXNzIHRoYW4gNGssCnRoZW4gYWxsb2NhdGUgNGsgYnkgZGVmYXVsdC4gSXQgaGVscCB0byBnZXQgZW5vdWdoIG1hcmdpbgpmb3Igb3V0cHV0IHN0cmluZyBvdmVyd3JpdHRlbi4KCjIuIGFkZGVkIGFkZGl0aW9uYWwgbGVuZ3RoIGNoZWNrIG5vdCB0byBvdmVycmlkZSB1c2VyIHNwYWNlCmFsbG9jYXRlZCBidWZmZXIgc2l6ZS4KClNpZ25lZC1vZmYtYnk6IEluc3VuIFNvbmcgPGluc3VuLnNvbmdAYnJvYWRjb20uY29tPgpCdWc6IDI5MDAwMTgzCkNoYW5nZS1JZDogSTBjMTVkNzY0YzE2NDg5MjBmMDIxNGVjNDdhZGE2ODljYTQ0ZWJmYmEK
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA3MGMzOTAzMTg2MjczYTk4YjMzZTIyNmE0ODZhNjQ2ZmQzOWRjMmRjCnBhcmVudCBkNzkwYTE4Mzg1MGVhMWQ3NjNiNzM0YWRmY2VhZGNhODgwYmZjNzE5CmF1dGhvciBBcmllbCBZaW4gPGF5aW5AZ29vZ2xlLmNvbT4gMTQ4NDM0NDczNiAtMDgwMApjb21taXR0ZXIgQXJpZWwgWWluIDxheWluQGdvb2dsZS5jb20+IDE0ODQ3NzczMTUgKzAwMDAKCm1zbTogdmlkYzogV0FSTl9PTigpIHJldmVhbHMgZnVjdGlvbiBhZGRyZXNzZXMKClRoZXJlIGlzIGEgc2VjdXJpdHkgdnVsbmVyYWJpbGl0eSB3aGVyZSBmdW5jdGlvbiBhZGRyZXNzZXMgYXJlCnByaW50ZWQgaW4ga2VybmVsIG1lc3NhZ2UgaWYgV0FSTl9PTigpIGlzIGludm9rZWQgaW1wbGljaXRseS4KV0FSTl9PTigpIGNhbGwgaXMgbWFkZSBleHBsaWNpdCB0byBhdm9pZCB0aGlzIGlzc3VlLgoKQnVnOiAzMjg3MzYxNQpDUnMtRml4ZWQ6IDEwOTM2OTMKQ2hhbmdlLUlkOiBJZjc1NTgxODAzYWRmNjJjYjliZGEzNzg0YWQxZDRmNDA4OGUwZDc5NwpTaWduZWQtb2ZmLWJ5OiBTYW5qYXkgU2luZ2ggPHNpc2FuakBjb2RlYXVyb3JhLm9yZz4KU2lnbmVkLW9mZi1ieTogQmlzd2FqaXQgUGF1bCA8Ymlzd2FqaXRwYXVsQGNvZGVhdXJvcmEub3JnPgo=
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA3OWU0MGI2ZTIxMjc1M2VhZThiN2M0NjhhMWQ4OTM2ZDEwMTRhZWU0CnBhcmVudCBmM2I0MTA3NmZmMzQwNmE1MGM1NThmNzllMjE4MDc1OWIwMWMzZWMwCmF1dGhvciBTdWJhc2ggQWJoaW5vdiBLYXNpdmlzd2FuYXRoYW4gPHN1YmFzaGFiQGNvZGVhdXJvcmEub3JnPiAxNDg0Mjg0MTU2IC0wNzAwCmNvbW1pdHRlciBBcmllbCBZaW4gPGF5aW5AZ29vZ2xlLmNvbT4gMTQ4NDc3Nzc2NyArMDAwMAoKbmV0OiBybW5ldF9kYXRhOiBGaXggaW5jb3JyZWN0IG5ldGxpbmsgaGFuZGxpbmcKCnJtbmV0X2RhdGEgbmV0bGluayBoYW5kbGVyIGN1cnJlbnRseSBkb2VzIG5vdCBjaGVjayBmb3IgdGhlCmluY29taW5nIHByb2Nlc3MgcGlkIGFuZCBpbnN0ZWFkIGp1c3QgbG9vcHMgYmFjayB0aGUgcGlkLgpBIG1hbGljaW91cyByb290IHVzZXIgY291bGQgcG90ZW50aWFsbHkgc2VuZCBhIG1lc3NhZ2Ugd2l0aApzb3VyY2UgcGlkIDAgYW5kIHRoaXMgY291bGQgY2F1c2Ugcm1uZXRfZGF0YSB0byBsb29wIHRoZSBtZXNzYWdlCmJhY2sgdGlsbCBhbiBvdXQgb2YgbWVtb3J5IHNpdHVhdGlvbiBvY2N1cnMuCgpybW5ldF9kYXRhIGFsc28gZG9lcyBub3QgY2hlY2sgZm9yIHRoZSBtZXNzYWdlIGxlbmd0aCBvZiB0aGUKaW5jb21pbmcgbmV0bGluayBtZXNzYWdlcyBhbmQgaW5zdGVhZCBjYXN0cyB0aGUgbmV0bGluayBtZXNzYWdlCndpdGhvdXQgY2hlY2tpbmcgZm9yIHRoZSBib3VuZGFyeS4KCkZpeCB0aGVzZSB0d28gc2NlbmFyaW9zIGJ5IGFkZGluZyB0aGUgcGlkIGFuZCBtZXNzYWdlIGxlbmd0aCBjaGVja3MKcmVzcGVjdGl2ZWx5LgoKQnVnOiAzMTI1Mjk2NQpDUnMtRml4ZWQ6IDEwOTg4MDEKQ2hhbmdlLUlkOiBJMTcyYzFhNzExMmU2N2U4Mjk1OWIzOTdhZjdkZGZkOTYzZDgxOWJkYwpTaWduZWQtb2ZmLWJ5OiBTdWJhc2ggQWJoaW5vdiBLYXNpdmlzd2FuYXRoYW4gPHN1YmFzaGFiQGNvZGVhdXJvcmEub3JnPgo=
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA2ZGI4YjkxOTE3NGM5NDk3YjZlZTk4YzdlYzYwZDQyM2E2MDU1ODlmCnBhcmVudCA0ZjliMTA4NWVjOTJjMzIxNjY2ZTBmMjk5MmZmYjQ0MjRhM2E2NjE1CmF1dGhvciBBcmllbCBZaW4gPGF5aW5AZ29vZ2xlLmNvbT4gMTQ4NDM0ODc1NCAtMDgwMApjb21taXR0ZXIgQXJpZWwgWWluIDxheWluQGdvb2dsZS5jb20+IDE0ODQ3Nzc1ODYgKzAwMDAKCkFORFJPSUQ6IGlvbjogY2hlY2sgZm9yIGtyZWYgb3ZlcmZsb3cKClVzZXJzcGFjZSBjYW4gY2F1c2UgdGhlIGtyZWYgdG8gaGFuZGxlcyB0byBpbmNyZW1lbnQKYXJiaXRyYXJpbHkgaGlnaC4gRW5zdXJlIGl0IGRvZXMgbm90IG92ZXJmbG93LgoKU2lnbmVkLW9mZi1ieTogRGFuaWVsIFJvc2VuYmVyZyA8ZHJvc2VuQGdvb2dsZS5jb20+CgpCdWc6IDMxOTkyMzgyClRlc3Q6IFNlZSBidWcgZm9yIHBvYwpDaGFuZ2UtSWQ6IEk2YmZmMWRmMzg1NzQyYjFkODM2ZDQzMTgwZGM4N2ZhZGNlYTgwNzgyCg==
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA3OTZhNDYzM2E1MTNkNDY1NTJhYTcyODczMTgwYzFhNDk0YjM0ZGJjCnBhcmVudCBmYjJlNmNmNTQ5ZGNiZGNjMTBmOWMzMTE1YmE1MTIzYmRkNWEzMDdlCmF1dGhvciBNYXJrIFNhbHl6eW4gPHNhbHl6eW5AZ29vZ2xlLmNvbT4gMTQ4MjI3ODM1OSAtMDgwMApjb21taXR0ZXIgTWFyayBTYWx5enluIDxzYWx5enluQGdvb2dsZS5jb20+IDE0ODM2Mzc1MTYgKzAwMDAKCmFuZHJvaWQ6IGZpcV9kZWJ1Z2dlcjogcmVzdHJpY3QgYWNjZXNzIHRvIGNyaXRpY2FsIGNvbW1hbmRzLgoKU3lzcnEgbXVzdCBiZSBlbmFibGVkIHZpYSAvcHJvYy9zeXMva2VybmVsL3N5c3JxIGFzIGEgc2VjdXJpdHkKbWVhc3VyZSB0byBlbmFibGUgdmFyaW91cyBjcml0aWNhbCBmaXEgZGVidWdnZXIgY29tbWFuZHMgdGhhdAplaXRoZXIgbGVhayBpbmZvcm1hdGlvbiBvciBjYW4gYmUgdXNlZCBhcyBhIHN5c3RlbSBhdHRhY2suCgpEZWZhdWx0IGRpc2FibGVkLCB0aGlzIHdpbGwgbGVhdmUgdGhlIHJlYm9vdCwgcmVzZXQsIGlycXMsIHNsZWVwLApub3NsZWVwLCBjb25zb2xlIGFuZCBwcyBjb21tYW5kcy4gIFJlYm9vdCBhbmQgcmVzZXQgY29tbWFuZHMKd2lsbCBiZSByZXN0cmljdGVkIGZyb20gdGFraW5nIGFueSBwYXJhbWV0ZXJzLiAgV2Ugd2lsbCBhbHNvCnN3aXRjaCB0byBzaG93aW5nIHRoZSBsaW1pdGVkIGNvbW1hbmQgc2V0IGluIHRoaXMgbW9kZS4KClNpZ25lZC1vZmYtYnk6IE1hcmsgU2FseXp5biA8c2FseXp5bkBnb29nbGUuY29tPgpCdWc6IDMyNDAyNTU1CkNoYW5nZS1JZDogSTNmNzRiMWZmNWU0OTcxZDYxOWJjYjM3YTkxMWZlZDY4ZmJiNTM4ZDUKKGNoZXJyeSBwaWNrZWQgZnJvbSBjb21taXQgMTAzMTgzNmMwODk1ZjFmNWEwNWMyNWVmZWM4M2JmYTExYWEwOGNhOSkK
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA1NzUzZjRlNzc0MjRjOThlYWRjMzA3M2ZmZWZlYjI4ZGU1ODdhYjkyCnBhcmVudCAzN2UzYmJlODgxMDcwOWM4NDkyMWU3YTg0NGEwMThiZGMzYzM1NDMwCmF1dGhvciBNYXJrIFNhbHl6eW4gPHNhbHl6eW5AZ29vZ2xlLmNvbT4gMTQ4Mjg2MDI3NiAtMDgwMApjb21taXR0ZXIgTWFyayBTYWx5enluIDxzYWx5enluQGdvb2dsZS5jb20+IDE0ODM2MzE2NzQgKzAwMDAKCnJ0NTUwNjogbGltaXQgc2V0IG1vZGUgY2FsbCB0byBNQVhfUkVHX0RBVEEKClNpZ25lZC1vZmYtYnk6IE5hdGhhbiBDcmFuZGFsbCA8bmF0aGFuY3JhbmRhbGwxQGdtYWlsLmNvbT4KQnVnOiAzMzU0NzI0NwpDaGFuZ2UtSWQ6IEk0ZTQ2NjMxNjVmZDIxMzA3MzU2NTJkZDVjZjUzZDgwMTQyN2YwYjJlCihjaGVycnkgcGlja2VkIGZyb20gY29tbWl0IDJmYjNlMDMwYmJkZGE5OGUxMzQ4MWY2ZDgyNGNiYjU5ZGNlYzJmZjEpCg==
|
||||
|
|
@ -1,152 +0,0 @@
|
|||
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Diff - 51e09571eef7a6a36c238130575fc11b291afff3^! - kernel/msm.git - Git at Google</title><link rel="stylesheet" type="text/css" href="/+static/base.HLL9TqKl0YYybSzmT_wTdw.cache.css"><!-- default customHeadTagPart --></head><body class="Site"><header class="Site-header"><div class="Header"><a class="Header-image" href="/"><img src="//www.gstatic.com/images/branding/lockups/2x/lockup_git_color_108x24dp.png" width="108" height="24" alt="Google Git"></a><div class="Header-menu"> <a class="Header-menuItem" href="https://accounts.google.com/AccountChooser?service=gerritcodereview&continue=https://android.googlesource.com/login/kernel/msm.git/%2B/51e09571eef7a6a36c238130575fc11b291afff3%255E%2521/">Sign in</a> </div></div></header><div class="Site-content"><div class="Container "><div class="Breadcrumbs"><a class="Breadcrumbs-crumb" href="/?format=HTML">android</a> / <a class="Breadcrumbs-crumb" href="/kernel/">kernel</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/">msm.git</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm.git/+/51e09571eef7a6a36c238130575fc11b291afff3%5E%21/">51e09571eef7a6a36c238130575fc11b291afff3^!</a> / <span class="Breadcrumbs-crumb">.</span></div><div class="u-monospace Metadata"><table><tr><th class="Metadata-title">commit</th><td>51e09571eef7a6a36c238130575fc11b291afff3</td><td><span>[<a href="/kernel/msm.git/+log/51e09571eef7a6a36c238130575fc11b291afff3/">log</a>]</span> <span>[<a href="/kernel/msm.git/+archive/51e09571eef7a6a36c238130575fc11b291afff3/.tar.gz">tgz</a>]</span></td></tr><tr><th class="Metadata-title">author</th><td>Nick Desaulniers <ndesaulniers@google.com></td><td>Fri Feb 10 10:54:56 2017 -0800</td></tr><tr><th class="Metadata-title">committer</th><td>John Dias <joaodias@google.com></td><td>Wed Feb 15 20:53:36 2017 +0000</td></tr><tr><th class="Metadata-title">tree</th><td><a href="/kernel/msm.git/+/51e09571eef7a6a36c238130575fc11b291afff3/">d8ba7e3a5de3bd46ca42b0fa541e087dc5a20426</a></td></tr><tr><th class="Metadata-title">parent</th><td><a href="/kernel/msm.git/+/51e09571eef7a6a36c238130575fc11b291afff3%5E">3f41af6608b7ed506d3982b57cf34c70ff098f09</a> <span>[<a href="/kernel/msm.git/+/51e09571eef7a6a36c238130575fc11b291afff3%5E%21/">diff</a>]</span></td></tr></table></div><pre class="u-pre u-monospace MetadataMessage">ANDROID: ion: Protect kref from userspace manipulation
|
||||
|
||||
This separates the kref for ion handles into two components.
|
||||
Userspace requests through the ioctl will hold at most one
|
||||
reference to the internally used kref. All additional requests
|
||||
will increment a separate counter, and the original reference is
|
||||
only put once that counter hits 0. This protects the kernel from
|
||||
a poorly behaving userspace.
|
||||
|
||||
Bug: 34276203
|
||||
|
||||
Change-Id: <a href="https://android-review.googlesource.com/#/q/Ibc36bc4405788ed0fea7337b541cad3be2b934c0">Ibc36bc4405788ed0fea7337b541cad3be2b934c0</a>
|
||||
Signed-off-by: Daniel Rosenberg <drosen@google.com>
|
||||
</pre><pre class="u-pre u-monospace Diff"><a name="F0" class="Diff-fileIndex"></a>diff --git <a href="/kernel/msm.git/+/3f41af6608b7ed506d3982b57cf34c70ff098f09/drivers/staging/android/ion/ion.c">a/drivers/staging/android/ion/ion.c</a> <a href="/kernel/msm.git/+/51e09571eef7a6a36c238130575fc11b291afff3/drivers/staging/android/ion/ion.c">b/drivers/staging/android/ion/ion.c</a>
|
||||
index ee1c2f3..e99ea9a 100755
|
||||
--- a/drivers/staging/android/ion/ion.c
|
||||
+++ b/drivers/staging/android/ion/ion.c
|
||||
</pre><pre class="u-pre u-monospace Diff-unified"><span class="Diff-hunk">@@ -116,6 +116,7 @@
|
||||
</span><span class="Diff-change"> */</span>
|
||||
<span class="Diff-change"> struct ion_handle {</span>
|
||||
<span class="Diff-change"> struct kref ref;</span>
|
||||
<span class="Diff-insert">+ unsigned int user_ref_count;</span>
|
||||
<span class="Diff-change"> struct ion_client *client;</span>
|
||||
<span class="Diff-change"> struct ion_buffer *buffer;</span>
|
||||
<span class="Diff-change"> struct rb_node node;</span>
|
||||
<span class="Diff-hunk">@@ -429,6 +430,50 @@
|
||||
</span><span class="Diff-change"> return ret;</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-insert">+/* Must hold the client lock */</span>
|
||||
<span class="Diff-insert">+static void user_ion_handle_get(struct ion_handle *handle)</span>
|
||||
<span class="Diff-insert">+{</span>
|
||||
<span class="Diff-insert">+ if (handle->user_ref_count++ == 0) {</span>
|
||||
<span class="Diff-insert">+ kref_get(&handle->ref);</span>
|
||||
<span class="Diff-insert">+ }</span>
|
||||
<span class="Diff-insert">+}</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+/* Must hold the client lock */</span>
|
||||
<span class="Diff-insert">+static struct ion_handle* user_ion_handle_get_check_overflow(struct ion_handle *handle)</span>
|
||||
<span class="Diff-insert">+{</span>
|
||||
<span class="Diff-insert">+ if (handle->user_ref_count + 1 == 0)</span>
|
||||
<span class="Diff-insert">+ return ERR_PTR(-EOVERFLOW);</span>
|
||||
<span class="Diff-insert">+ user_ion_handle_get(handle);</span>
|
||||
<span class="Diff-insert">+ return handle;</span>
|
||||
<span class="Diff-insert">+}</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+/* passes a kref to the user ref count.</span>
|
||||
<span class="Diff-insert">+ * We know we're holding a kref to the object before and</span>
|
||||
<span class="Diff-insert">+ * after this call, so no need to reverify handle. */</span>
|
||||
<span class="Diff-insert">+static struct ion_handle* pass_to_user(struct ion_handle *handle)</span>
|
||||
<span class="Diff-insert">+{</span>
|
||||
<span class="Diff-insert">+ struct ion_client *client = handle->client;</span>
|
||||
<span class="Diff-insert">+ struct ion_handle *ret;</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+ mutex_lock(&client->lock);</span>
|
||||
<span class="Diff-insert">+ ret = user_ion_handle_get_check_overflow(handle);</span>
|
||||
<span class="Diff-insert">+ ion_handle_put_nolock(handle);</span>
|
||||
<span class="Diff-insert">+ mutex_unlock(&client->lock);</span>
|
||||
<span class="Diff-insert">+ return ret;</span>
|
||||
<span class="Diff-insert">+}</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+/* Must hold the client lock */</span>
|
||||
<span class="Diff-insert">+static int user_ion_handle_put_nolock(struct ion_handle *handle)</span>
|
||||
<span class="Diff-insert">+{</span>
|
||||
<span class="Diff-insert">+ int ret;</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+ if (--handle->user_ref_count == 0) {</span>
|
||||
<span class="Diff-insert">+ ret = ion_handle_put_nolock(handle);</span>
|
||||
<span class="Diff-insert">+ }</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+ return ret;</span>
|
||||
<span class="Diff-insert">+}</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-change"> static struct ion_handle *ion_handle_lookup(struct ion_client *client,</span>
|
||||
<span class="Diff-change"> struct ion_buffer *buffer)</span>
|
||||
<span class="Diff-change"> {</span>
|
||||
<span class="Diff-hunk">@@ -645,6 +690,24 @@
|
||||
</span><span class="Diff-change"> ion_handle_put_nolock(handle);</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-insert">+static void user_ion_free_nolock(struct ion_client *client, struct ion_handle *handle)</span>
|
||||
<span class="Diff-insert">+{</span>
|
||||
<span class="Diff-insert">+ bool valid_handle;</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+ BUG_ON(client != handle->client);</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+ valid_handle = ion_handle_validate(client, handle);</span>
|
||||
<span class="Diff-insert">+ if (!valid_handle) {</span>
|
||||
<span class="Diff-insert">+ WARN(1, "%s: invalid handle passed to free.\n", __func__);</span>
|
||||
<span class="Diff-insert">+ return;</span>
|
||||
<span class="Diff-insert">+ }</span>
|
||||
<span class="Diff-insert">+ if (!handle->user_ref_count > 0) {</span>
|
||||
<span class="Diff-insert">+ WARN(1, "%s: User does not have access!\n", __func__);</span>
|
||||
<span class="Diff-insert">+ return;</span>
|
||||
<span class="Diff-insert">+ }</span>
|
||||
<span class="Diff-insert">+ user_ion_handle_put_nolock(handle);</span>
|
||||
<span class="Diff-insert">+}</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-change"> void ion_free(struct ion_client *client, struct ion_handle *handle)</span>
|
||||
<span class="Diff-change"> {</span>
|
||||
<span class="Diff-change"> BUG_ON(client != handle->client);</span>
|
||||
<span class="Diff-hunk">@@ -1439,7 +1502,7 @@
|
||||
</span><span class="Diff-change"> data.allocation.flags, true);</span>
|
||||
<span class="Diff-change"> if (IS_ERR(handle))</span>
|
||||
<span class="Diff-change"> return PTR_ERR(handle);</span>
|
||||
<span class="Diff-delete">-</span>
|
||||
<span class="Diff-insert">+ pass_to_user(handle);</span>
|
||||
<span class="Diff-change"> data.allocation.handle = handle->id;</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-change"> cleanup_handle = handle;</span>
|
||||
<span class="Diff-hunk">@@ -1455,7 +1518,7 @@
|
||||
</span><span class="Diff-change"> mutex_unlock(&client->lock);</span>
|
||||
<span class="Diff-change"> return PTR_ERR(handle);</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
<span class="Diff-delete">- ion_free_nolock(client, handle);</span>
|
||||
<span class="Diff-insert">+ user_ion_free_nolock(client, handle);</span>
|
||||
<span class="Diff-change"> ion_handle_put_nolock(handle);</span>
|
||||
<span class="Diff-change"> mutex_unlock(&client->lock);</span>
|
||||
<span class="Diff-change"> break;</span>
|
||||
<span class="Diff-hunk">@@ -1478,10 +1541,15 @@
|
||||
</span><span class="Diff-change"> {</span>
|
||||
<span class="Diff-change"> struct ion_handle *handle;</span>
|
||||
<span class="Diff-change"> handle = ion_import_dma_buf(client, data.fd.fd);</span>
|
||||
<span class="Diff-delete">- if (IS_ERR(handle))</span>
|
||||
<span class="Diff-insert">+ if (IS_ERR(handle)) {</span>
|
||||
<span class="Diff-change"> ret = PTR_ERR(handle);</span>
|
||||
<span class="Diff-delete">- else</span>
|
||||
<span class="Diff-delete">- data.handle.handle = handle->id;</span>
|
||||
<span class="Diff-insert">+ } else {</span>
|
||||
<span class="Diff-insert">+ handle = pass_to_user(handle);</span>
|
||||
<span class="Diff-insert">+ if (IS_ERR(handle))</span>
|
||||
<span class="Diff-insert">+ ret = PTR_ERR(handle);</span>
|
||||
<span class="Diff-insert">+ else</span>
|
||||
<span class="Diff-insert">+ data.handle.handle = handle->id;</span>
|
||||
<span class="Diff-insert">+ }</span>
|
||||
<span class="Diff-change"> break;</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
<span class="Diff-change"> case ION_IOC_SYNC:</span>
|
||||
<span class="Diff-hunk">@@ -1518,8 +1586,10 @@
|
||||
</span><span class="Diff-change"> if (dir & _IOC_READ) {</span>
|
||||
<span class="Diff-change"> if (copy_to_user((void __user *)arg, &data, _IOC_SIZE(cmd))) {</span>
|
||||
<span class="Diff-change"> if (cleanup_handle) {</span>
|
||||
<span class="Diff-delete">- ion_free(client, cleanup_handle);</span>
|
||||
<span class="Diff-delete">- ion_handle_put(cleanup_handle);</span>
|
||||
<span class="Diff-insert">+ mutex_lock(&client->lock);</span>
|
||||
<span class="Diff-insert">+ user_ion_free_nolock(client, cleanup_handle);</span>
|
||||
<span class="Diff-insert">+ ion_handle_put_nolock(cleanup_handle);</span>
|
||||
<span class="Diff-insert">+ mutex_unlock(&client->lock);</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
<span class="Diff-change"> return -EFAULT;</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
</pre></div> <!-- Container --></div> <!-- Site-content --><!-- default customFooter --><footer class="Site-footer"><div class="Footer"><span class="Footer-poweredBy">Powered by <a href="https://gerrit.googlesource.com/gitiles/">Gitiles</a></span><span class="Footer-formats"><a class="u-monospace Footer-formatsItem" href="?format=TEXT">txt</a> <a class="u-monospace Footer-formatsItem" href="?format=JSON">json</a></span></div></footer></body></html>
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBhMzEwMTdjMTdlMDgxMDNlMTQzZTUxZTZjZjVjMzgyYTI0MjM4ZTM5CnBhcmVudCAwYTIxOTllN2ZmNGUwY2EwYmZkODI2MWIwNGQ1ZTg5ZDE5MzAyNjA2CmF1dGhvciBNYXJrIFNhbHl6eW4gPHNhbHl6eW5AZ29vZ2xlLmNvbT4gMTQ5MDY0OTQyMCAtMDcwMApjb21taXR0ZXIgTWFyayBTYWx5enluIDxzYWx5enluQGdvb2dsZS5jb20+IDE0OTA3MjA1ODkgKzAwMDAKCmZsb3VuZGVyOiBGSVEgYW5kIHN5c3JxIGRlZmF1bHQgZGVhdXRob3JpemVkCgooY2hlcnJ5IHBpY2tlZCBmcm9tIGNvbW1pdCBjNjM4OWIxMWFlNzc5ZDlmMzYwZDJjNjU1NTAzN2UxZDczYzBmZTFiKQoKU2lnbmVkLW9mZi1ieTogTWFyayBTYWx5enluIDxzYWx5enluQGdvb2dsZS5jb20+CkJ1ZzogMzYxMDEyMjAKQ2hhbmdlLUlkOiBJOWYwYWU5YTllMzgyOGRlZGY0YjkzM2JmMWQ3NTJjOTg3NzdjZmE5MQo=
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSAyOTVhYWMwMTUxMmI4MjVkNTU4Yjc3NTZiZWQyNmM0NWEwZGY5ZjU1CnBhcmVudCA4ZDhiZmI5Mjg2ZTU3MjlmMjk1YjM4ODg5ZjY4ZDc0OWYyNmEyNmE1CmF1dGhvciBBZHJpYW4gU2FsaWRvIDxzYWxpZG9hQGdvb2dsZS5jb20+IDE0OTAwMzQ0NjQgLTA3MDAKY29tbWl0dGVyIEFkcmlhbiBTYWxpZG8gPHNhbGlkb2FAZ29vZ2xlLmNvbT4gMTQ5MDAzNDkzNSAtMDcwMAoKQU5EUk9JRDogaW9uOiBwcmV2ZW50IHN0YWNrIGxlYWsgaW4gZGVidWdmcyBmaWxlCgpBdm9pZCBsZWFraW5nIGNvbnRlbnRzIG9mIHN0YWNrIGJ5IGNsZWFyaW5nIGFueSBtZW1vcnkgY29udGVudHMgdGhhdCBhcmUKbm90IGV4cGxpY2l0bHkgd3JpdHRlbi4KClNpZ25lZC1vZmYtYnk6IEFkcmlhbiBTYWxpZG8gPHNhbGlkb2FAZ29vZ2xlLmNvbT4KQnVnOiAzNTY0NDgxNQpDaGFuZ2UtSWQ6IEk1ZDJkYWFmMDgwMjcwMDg4MjZlMGEyZjBiNmUyM2ZlYjNlZTgxN2ZlCg==
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Diff - 6a469209ac014b6d93f373e042500f6e8cd6a04a^! - kernel/msm - Git at Google</title><link rel="stylesheet" type="text/css" href="/+static/base.HLL9TqKl0YYybSzmT_wTdw.cache.css"><!-- default customHeadTagPart --></head><body class="Site"><header class="Site-header"><div class="Header"><a class="Header-image" href="/"><img src="//www.gstatic.com/images/branding/lockups/2x/lockup_git_color_108x24dp.png" width="108" height="24" alt="Google Git"></a><div class="Header-menu"> <a class="Header-menuItem" href="https://accounts.google.com/AccountChooser?service=gerritcodereview&continue=https://android.googlesource.com/login/kernel/msm/%2B/6a469209ac014b6d93f373e042500f6e8cd6a04a%255E%2521/">Sign in</a> </div></div></header><div class="Site-content"><div class="Container "><div class="Breadcrumbs"><a class="Breadcrumbs-crumb" href="/?format=HTML">android</a> / <a class="Breadcrumbs-crumb" href="/kernel/">kernel</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm/">msm</a> / <a class="Breadcrumbs-crumb" href="/kernel/msm/+/6a469209ac014b6d93f373e042500f6e8cd6a04a%5E%21/">6a469209ac014b6d93f373e042500f6e8cd6a04a^!</a> / <span class="Breadcrumbs-crumb">.</span></div><div class="u-monospace Metadata"><table><tr><th class="Metadata-title">commit</th><td>6a469209ac014b6d93f373e042500f6e8cd6a04a</td><td><span>[<a href="/kernel/msm/+log/6a469209ac014b6d93f373e042500f6e8cd6a04a/">log</a>]</span> <span>[<a href="/kernel/msm/+archive/6a469209ac014b6d93f373e042500f6e8cd6a04a/.tar.gz">tgz</a>]</span></td></tr><tr><th class="Metadata-title">author</th><td>Insun Song <insun.song@broadcom.com></td><td>Wed May 03 16:20:41 2017 -0700</td></tr><tr><th class="Metadata-title">committer</th><td>Stuart Scott <stuartscott@google.com></td><td>Tue May 16 20:12:20 2017 +0000</td></tr><tr><th class="Metadata-title">tree</th><td><a href="/kernel/msm/+/6a469209ac014b6d93f373e042500f6e8cd6a04a/">4d3e208308055cf10fab20c863fa3adfdaadb6fc</a></td></tr><tr><th class="Metadata-title">parent</th><td><a href="/kernel/msm/+/6a469209ac014b6d93f373e042500f6e8cd6a04a%5E">6cda862834f58f5cba217f445c00bb83aaa8a32a</a> <span>[<a href="/kernel/msm/+/6a469209ac014b6d93f373e042500f6e8cd6a04a%5E%21/">diff</a>]</span></td></tr></table></div><pre class="u-pre u-monospace MetadataMessage">net: wireless: bcmdhd: adding boundary check in wl_cfg80211_mgmt_tx
|
||||
|
||||
added boundary check for user-input parameter not to corrupt kernel
|
||||
memmory.
|
||||
|
||||
Signed-off-by: Insun Song <insun.song@broadcom.com>
|
||||
Bug: 35195787
|
||||
Change-Id: <a href="https://android-review.googlesource.com/#/q/Ia497feae5f502c9a650e50a39fd0620fa976d908">Ia497feae5f502c9a650e50a39fd0620fa976d908</a>
|
||||
</pre><pre class="u-pre u-monospace Diff"><a name="F0" class="Diff-fileIndex"></a>diff --git <a href="/kernel/msm/+/6cda862834f58f5cba217f445c00bb83aaa8a32a/drivers/net/wireless/bcmdhd/wl_cfg80211.c">a/drivers/net/wireless/bcmdhd/wl_cfg80211.c</a> <a href="/kernel/msm/+/6a469209ac014b6d93f373e042500f6e8cd6a04a/drivers/net/wireless/bcmdhd/wl_cfg80211.c">b/drivers/net/wireless/bcmdhd/wl_cfg80211.c</a>
|
||||
index 9081988..a73b030 100644
|
||||
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
|
||||
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
|
||||
</pre><pre class="u-pre u-monospace Diff-unified"><span class="Diff-hunk">@@ -5830,6 +5830,10 @@
|
||||
</span><span class="Diff-change"> </span>
|
||||
<span class="Diff-change"> WL_DBG(("Enter \n"));</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-insert">+ if (len > (ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN)) {</span>
|
||||
<span class="Diff-insert">+ WL_ERR(("bad length:%zu\n", len));</span>
|
||||
<span class="Diff-insert">+ return BCME_BADARG;</span>
|
||||
<span class="Diff-insert">+ }</span>
|
||||
<span class="Diff-change"> dev = cfgdev_to_wlc_ndev(cfgdev, cfg);</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-change"> /* set bsscfg idx for iovar (wlan0: P2PAPI_BSSCFG_PRIMARY, p2p: P2PAPI_BSSCFG_DEVICE) */</span>
|
||||
</pre></div> <!-- Container --></div> <!-- Site-content --><!-- default customFooter --><footer class="Site-footer"><div class="Footer"><span class="Footer-poweredBy">Powered by <a href="https://gerrit.googlesource.com/gitiles/">Gitiles</a></span><span class="Footer-formats"><a class="u-monospace Footer-formatsItem" href="?format=TEXT">txt</a> <a class="u-monospace Footer-formatsItem" href="?format=JSON">json</a></span></div></footer></body></html>
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA3OWY2Zjc0YzFjN2UwY2NhNzFmNDU0YmZhZGVhNmY1N2JmYmJhNjBjCnBhcmVudCBlN2Y2MjNhYTFiOGJhM2I4NDNjNzBlZWFlOTlhYWU5NWJkZGZlMDNkCmF1dGhvciBOaWNrIERlc2F1bG5pZXJzIDxuZGVzYXVsbmllcnNAZ29vZ2xlLmNvbT4gMTQ5MzkyOTU0NCAtMDcwMApjb21taXR0ZXIgQW5kcmV3IENoYW50IDxhY2hhbnRAZ29vZ2xlLmNvbT4gMTQ5NDk5MDY5MiArMDAwMAoKUmV2ZXJ0ICJwcm9jOiBzbWFwczogQWxsb3cgc21hcHMgYWNjZXNzIGZvciBDQVBfU1lTX1JFU09VUkNFIgoKVGhpcyByZXZlcnRzIGNvbW1pdCBmMGNlMGVlZTZiNzFiYzMxMDE1M2VkYjg3ZTY2ZTZiMjVlMTJmZWNlLgoKQnVnOiAzNDk1MTg2NApCdWc6IDM2NDY4NDQ3CkNoYW5nZS1JZDogSTg3YmQ5MmUwOTZjNmMyOGE1M2I5ZWNmMzAyYWUwMDhmNWU1OGViYTEKU2lnbmVkLW9mZi1ieTogTmljayBEZXNhdWxuaWVycyA8bmRlc2F1bG5pZXJzQGdvb2dsZS5jb20+Cg==
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBiNTE2MTZkYWRhMmVmY2Q5MWQ2NjVhMzg1NTMwYTBiYzU1YzcyYTdlCnBhcmVudCBmYTIyNDYyMzJlODhlYjhkZDBjMmJmZTUwMmNkOWEzNzgxZWFjNDA2CmF1dGhvciBSYXZpbmRyYSBMb2toYW5kZSA8cmxva2hhbmRlQG52aWRpYS5jb20+IDE0OTQyMzQ3NjggKzA1MzAKY29tbWl0dGVyIE1hcmsgU2FseXp5biA8c2FseXp5bkBnb29nbGUuY29tPiAxNDk2NjgyNjQwICswMDAwCgpBU29DOiB0ZWdyYTogY2hlY2sgdWNvZGUgdXBwZXIgbGltaXQKCkNoZWNrIHVjb2RlIHNpemUgZm9yIHVwcGVyIGxpbWl0LgoKTnZCdWcgMTkwMTQzNQpCdWc6IDM0MTEyNzI2CgpTaWduZWQtb2ZmLWJ5OiBSYXZpbmRyYSBMb2toYW5kZSA8cmxva2hhbmRlQG52aWRpYS5jb20+ClNpZ25lZC1vZmYtYnk6IFhpYSBZYW5nIDx4aWF5QG52aWRpYS5jb20+CkNoYW5nZS1JZDogSTJmNDU1NzcxMTQ3YmI0NDY2ZDE1NDg3OGQyNDYxZTQ3MjY0N2M0ZmIKKGNoZXJyeSBwaWNrZWQgZnJvbSBjb21taXQgMzNlMmM0YTMyMWI2Y2FmNzcyYzdlZWFhZDNjYTM3MGIxMWNhYTVhMikK
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA4YjI4YTI4OGFjZmJkNDg5OTUyZjUxZGQ3NzkxNTU0YTVjOGJjYjY4CnBhcmVudCBhYjA5NjZkMzhmOWI3YTM3ZWU0MGM5NDFkMjdkYjA2NTEwMGJjYjlhCmF1dGhvciBBZHJpYW4gU2FsaWRvIDxzYWxpZG9hQGdvb2dsZS5jb20+IDE0OTI1NDEwNzMgLTA3MDAKY29tbWl0dGVyIEFkcmlhbiBTYWxpZG8gPHNhbGlkb2FAZ29vZ2xlLmNvbT4gMTQ5Njg2NzM0NCArMDAwMAoKdHJhY2luZzogZml4IHJhY2UgY29uZGl0aW9uIHJlYWRpbmcgc2F2ZWQgdGdpZHMKCkNvbW1pdCA5MzljN2E0ZjA0ZmMgKCJ0cmFjaW5nOiBJbnRyb2R1Y2Ugc2F2ZWRfY21kbGluZXNfc2l6ZSBmaWxlIikKaW50cm9kdWNlZCBhYmlsaXR5IHRvIGNoYW5nZSBzYXZlZCBjbWRsaW5lcyBzaXplLiBUaGlzIHJlc2l6ZWQgc2F2ZWQKY29tbWFuZCBsaW5lcyBidXQgbWlzc2VkIHJlc2l6aW5nIHRnaWQgbWFwcGluZyBhcyB3ZWxsLgoKQW5vdGhlciBpc3N1ZSBpcyB0aGF0IHdoZW4gdGhlIHJlc2l6ZSBoYXBwZW5zLCBpdCByZW1vdmVzIHNhdmVkIGNvbW1hbmQKbGluZXMgYW5kIHJlYWxsb2NhdGVzIG5ldyBtZW1vcnkgZm9yIGl0LiBUaGlzIGludHJvZHVjZWQgYSByYWNlCmNvbmRpdGlvbiB3aGVuIHJlYWRpbmcgdGhlIGdsb2JhbCBzYXZlY21kIGFzIHRoaXMgY2FuIGJlIGZyZWVkIGluIHRoZQptaWRkbGUgb2YgYWNjZXNzaW5nIGl0IGNhdXNpbmcgYSB1c2UgYWZ0ZXIgZnJlZSBhY2Nlc3MuIEZpeCB0aGlzIGJ5CmltcGxlbWVudGluZyBsb2NraW5nLgoKU2lnbmVkLW9mZi1ieTogQWRyaWFuIFNhbGlkbyA8c2FsaWRvYUBnb29nbGUuY29tPgpCdWc6IDM2MDA3NzM1CkNoYW5nZS1JZDogSTMzNDc5MWFjMzVmOGJjYmQzNDM2MmVkMTEyYWE2MjQyNzVhNDY5NDcK
|
||||
|
|
@ -1,78 +0,0 @@
|
|||
<!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><title>Diff - be671c7e17454b4f144a8e05268a6071748a8791^! - kernel/common - Git at Google</title><link rel="stylesheet" type="text/css" href="/+static/base.HLL9TqKl0YYybSzmT_wTdw.cache.css"><!-- default customHeadTagPart --></head><body class="Site"><header class="Site-header"><div class="Header"><a class="Header-image" href="/"><img src="//www.gstatic.com/images/branding/lockups/2x/lockup_git_color_108x24dp.png" width="108" height="24" alt="Google Git"></a><div class="Header-menu"> <a class="Header-menuItem" href="https://accounts.google.com/AccountChooser?service=gerritcodereview&continue=https://android.googlesource.com/login/kernel/common/%2B/be671c7e17454b4f144a8e05268a6071748a8791%255E%2521/">Sign in</a> </div></div></header><div class="Site-content"><div class="Container "><div class="Breadcrumbs"><a class="Breadcrumbs-crumb" href="/?format=HTML">android</a> / <a class="Breadcrumbs-crumb" href="/kernel/">kernel</a> / <a class="Breadcrumbs-crumb" href="/kernel/common/">common</a> / <a class="Breadcrumbs-crumb" href="/kernel/common/+/be671c7e17454b4f144a8e05268a6071748a8791%5E%21/">be671c7e17454b4f144a8e05268a6071748a8791^!</a> / <span class="Breadcrumbs-crumb">.</span></div><div class="u-monospace Metadata"><table><tr><th class="Metadata-title">commit</th><td>be671c7e17454b4f144a8e05268a6071748a8791</td><td><span>[<a href="/kernel/common/+log/be671c7e17454b4f144a8e05268a6071748a8791/">log</a>]</span> <span>[<a href="/kernel/common/+archive/be671c7e17454b4f144a8e05268a6071748a8791/.tar.gz">tgz</a>]</span></td></tr><tr><th class="Metadata-title">author</th><td>Eric Dumazet <edumazet@google.com></td><td>Tue Feb 14 09:03:51 2017 -0800</td></tr><tr><th class="Metadata-title">committer</th><td>Daniel Rosenberg <drosen@google.com></td><td>Wed Jun 28 16:12:27 2017 -0700</td></tr><tr><th class="Metadata-title">tree</th><td><a href="/kernel/common/+/be671c7e17454b4f144a8e05268a6071748a8791/">7d6651acb88f24380c4371dd42644dc7417c5cf6</a></td></tr><tr><th class="Metadata-title">parent</th><td><a href="/kernel/common/+/be671c7e17454b4f144a8e05268a6071748a8791%5E">bd64c0db093a25b3a58eca9742f8d442fd376d2a</a> <span>[<a href="/kernel/common/+/be671c7e17454b4f144a8e05268a6071748a8791%5E%21/">diff</a>]</span></td></tr></table></div><pre class="u-pre u-monospace MetadataMessage">UPSTREAM: packet: fix races in fanout_add()
|
||||
|
||||
commit d199fab63c11998a602205f7ee7ff7c05c97164b upstream.
|
||||
|
||||
Multiple threads can call fanout_add() at the same time.
|
||||
|
||||
We need to grab fanout_mutex earlier to avoid races that could
|
||||
lead to one thread freeing po->rollover that was set by another thread.
|
||||
|
||||
Do the same in fanout_release(), for peace of mind, and to help us
|
||||
finding lockdep issues earlier.
|
||||
|
||||
[js] no rollover in 3.12
|
||||
|
||||
Fixes: dc99f600698d ("packet: Add fanout support.")
|
||||
Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
|
||||
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
||||
Cc: Willem de Bruijn <willemb@google.com>
|
||||
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||||
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
|
||||
Signed-off-by: Willy Tarreau <w@1wt.eu>
|
||||
(cherry picked from commit 2a272abc4e543f488b3a73292ee75a06f20d077a)
|
||||
Bug: 37897645
|
||||
Change-Id: <a href="https://android-review.googlesource.com/#/q/I3b021869ee26b88d10f4d6408ce34d351543ce74">I3b021869ee26b88d10f4d6408ce34d351543ce74</a>
|
||||
</pre><pre class="u-pre u-monospace Diff"><a name="F0" class="Diff-fileIndex"></a>diff --git <a href="/kernel/common/+/bd64c0db093a25b3a58eca9742f8d442fd376d2a/net/packet/af_packet.c">a/net/packet/af_packet.c</a> <a href="/kernel/common/+/be671c7e17454b4f144a8e05268a6071748a8791/net/packet/af_packet.c">b/net/packet/af_packet.c</a>
|
||||
index 05cfee7..2ae5ae2 100644
|
||||
--- a/net/packet/af_packet.c
|
||||
+++ b/net/packet/af_packet.c
|
||||
</pre><pre class="u-pre u-monospace Diff-unified"><span class="Diff-hunk">@@ -1429,13 +1429,16 @@
|
||||
</span><span class="Diff-change"> return -EINVAL;</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-delete">- if (!po->running)</span>
|
||||
<span class="Diff-delete">- return -EINVAL;</span>
|
||||
<span class="Diff-delete">-</span>
|
||||
<span class="Diff-delete">- if (po->fanout)</span>
|
||||
<span class="Diff-delete">- return -EALREADY;</span>
|
||||
<span class="Diff-delete">-</span>
|
||||
<span class="Diff-change"> mutex_lock(&fanout_mutex);</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+ err = -EINVAL;</span>
|
||||
<span class="Diff-insert">+ if (!po->running)</span>
|
||||
<span class="Diff-insert">+ goto out;</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-insert">+ err = -EALREADY;</span>
|
||||
<span class="Diff-insert">+ if (po->fanout)</span>
|
||||
<span class="Diff-insert">+ goto out;</span>
|
||||
<span class="Diff-insert">+</span>
|
||||
<span class="Diff-change"> match = NULL;</span>
|
||||
<span class="Diff-change"> list_for_each_entry(f, &fanout_list, list) {</span>
|
||||
<span class="Diff-change"> if (f->id == id &&</span>
|
||||
<span class="Diff-hunk">@@ -1491,17 +1494,16 @@
|
||||
</span><span class="Diff-change"> struct packet_sock *po = pkt_sk(sk);</span>
|
||||
<span class="Diff-change"> struct packet_fanout *f;</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-delete">- f = po->fanout;</span>
|
||||
<span class="Diff-delete">- if (!f)</span>
|
||||
<span class="Diff-delete">- return;</span>
|
||||
<span class="Diff-delete">-</span>
|
||||
<span class="Diff-change"> mutex_lock(&fanout_mutex);</span>
|
||||
<span class="Diff-delete">- po->fanout = NULL;</span>
|
||||
<span class="Diff-insert">+ f = po->fanout;</span>
|
||||
<span class="Diff-insert">+ if (f) {</span>
|
||||
<span class="Diff-insert">+ po->fanout = NULL;</span>
|
||||
<span class="Diff-change"> </span>
|
||||
<span class="Diff-delete">- if (atomic_dec_and_test(&f->sk_ref)) {</span>
|
||||
<span class="Diff-delete">- list_del(&f->list);</span>
|
||||
<span class="Diff-delete">- dev_remove_pack(&f->prot_hook);</span>
|
||||
<span class="Diff-delete">- kfree(f);</span>
|
||||
<span class="Diff-insert">+ if (atomic_dec_and_test(&f->sk_ref)) {</span>
|
||||
<span class="Diff-insert">+ list_del(&f->list);</span>
|
||||
<span class="Diff-insert">+ dev_remove_pack(&f->prot_hook);</span>
|
||||
<span class="Diff-insert">+ kfree(f);</span>
|
||||
<span class="Diff-insert">+ }</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
<span class="Diff-change"> mutex_unlock(&fanout_mutex);</span>
|
||||
<span class="Diff-change"> }</span>
|
||||
</pre></div> <!-- Container --></div> <!-- Site-content --><!-- default customFooter --><footer class="Site-footer"><div class="Footer"><span class="Footer-poweredBy">Powered by <a href="https://gerrit.googlesource.com/gitiles/">Gitiles</a></span><span class="Footer-formats"><a class="u-monospace Footer-formatsItem" href="?format=TEXT">txt</a> <a class="u-monospace Footer-formatsItem" href="?format=JSON">json</a></span></div></footer></body></html>
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBjOTQ3NDNhNDAzZWI0MmJlMjI5Y2QzMGE3NTFkOGU2YzRmZjg0MmYxCnBhcmVudCA3YjkxZDk3ODM5YThjZWU3NmU3M2RlMTFkMTdiYTQ3MGE3N2UwMTdiCmF1dGhvciBBbmRyZXkgS29ub3ZhbG92IDxhbmRyZXlrbnZsQGdvb2dsZS5jb20+IDE0OTA3OTY2ODAgKzAyMDAKY29tbWl0dGVyIEdyZWcgS3JvYWgtSGFydG1hbiA8Z3JlZ2toQGxpbnV4Zm91bmRhdGlvbi5vcmc+IDE0OTI0OTQ5NTIgKzAyMDAKCm5ldC9wYWNrZXQ6IGZpeCBvdmVyZmxvdyBpbiBjaGVjayBmb3IgcHJpdiBhcmVhIHNpemUKCmNvbW1pdCAyYjY4NjdjMmNlNzZjNTk2Njc2YmVjN2QyZDUyNWFmNTI1ZmRjNmUyIHVwc3RyZWFtLgoKU3VidHJhY3RpbmcgdHBfc2l6ZW9mX3ByaXYgZnJvbSB0cF9ibG9ja19zaXplIGFuZCBjYXN0aW5nIHRvIGludAp0byBjaGVjayB3aGV0aGVyIG9uZSBpcyBsZXNzIHRoZW4gdGhlIG90aGVyIGRvZXNuJ3QgYWx3YXlzIHdvcmsKKGJvdGggb2YgdGhlbSBhcmUgdW5zaWduZWQgaW50cykuCgpDb21wYXJlIHRoZW0gYXMgaXMgaW5zdGVhZC4KCkFsc28gY2FzdCB0cF9zaXplb2ZfcHJpdiB0byB1NjQgYmVmb3JlIHVzaW5nIEJMS19QTFVTX1BSSVYsIGFzCml0IGNhbiBvdmVyZmxvdyBpbnNpZGUgQkxLX1BMVVNfUFJJViBvdGhlcndpc2UuCgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXkgS29ub3ZhbG92IDxhbmRyZXlrbnZsQGdvb2dsZS5jb20+CkFja2VkLWJ5OiBFcmljIER1bWF6ZXQgPGVkdW1hemV0QGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IERhdmlkIFMuIE1pbGxlciA8ZGF2ZW1AZGF2ZW1sb2Z0Lm5ldD4KU2lnbmVkLW9mZi1ieTogR3JlZyBLcm9haC1IYXJ0bWFuIDxncmVna2hAbGludXhmb3VuZGF0aW9uLm9yZz4KCg==
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSAwNDEzNmJiYTE4ZjBhYjk1YWYxN2UzYjFlYmQ5MTI3YzQwZDA0ZmZmCnBhcmVudCAxYTAxNjgwNmFlODMxMzBiZGNiMjliMzQwMDc1YjkzMmVjNGM5NDdkCmF1dGhvciBBbmRyZXkgS29ub3ZhbG92IDxhbmRyZXlrbnZsQGdvb2dsZS5jb20+IDE0OTA3OTY2ODEgKzAyMDAKY29tbWl0dGVyIEdyZWcgS3JvYWgtSGFydG1hbiA8Z3JlZ2toQGxpbnV4Zm91bmRhdGlvbi5vcmc+IDE0OTQyMjIyNDggKzAyMDAKCm5ldC9wYWNrZXQ6IGZpeCBvdmVyZmxvdyBpbiBjaGVjayBmb3IgdHBfZnJhbWVfbnIKClsgVXBzdHJlYW0gY29tbWl0IDhmOGQyOGU0ZDZkODE1YTM5MTI4NWUxMjFjM2E1M2EwYjZjYjllN2IgXQoKV2hlbiBjYWxjdWxhdGluZyByYi0+ZnJhbWVzX3Blcl9ibG9jayAqIHJlcS0+dHBfYmxvY2tfbnIgdGhlIHJlc3VsdApjYW4gb3ZlcmZsb3cuCgpBZGQgYSBjaGVjayB0aGF0IHRwX2Jsb2NrX3NpemUgKiB0cF9ibG9ja19uciA8PSBVSU5UX01BWC4KClNpbmNlIGZyYW1lc19wZXJfYmxvY2sgPD0gdHBfYmxvY2tfc2l6ZSwgdGhlIGV4cHJlc3Npb24gd291bGQKbmV2ZXIgb3ZlcmZsb3cuCgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXkgS29ub3ZhbG92IDxhbmRyZXlrbnZsQGdvb2dsZS5jb20+CkFja2VkLWJ5OiBFcmljIER1bWF6ZXQgPGVkdW1hemV0QGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IERhdmlkIFMuIE1pbGxlciA8ZGF2ZW1AZGF2ZW1sb2Z0Lm5ldD4KU2lnbmVkLW9mZi1ieTogR3JlZyBLcm9haC1IYXJ0bWFuIDxncmVna2hAbGludXhmb3VuZGF0aW9uLm9yZz4K
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSA5NzdmYzIyODAwOTQ4ZTk4N2EwMjg2ZjZiYzQ0NzFmMDA5OWFlOGVjCnBhcmVudCAzZTc3Y2FjYWFlNjA0Y2QxMjc2NDI4NjkzODFhODc3NzQ4ODBhZmI2CmF1dGhvciBBbmRyZXkgS29ub3ZhbG92IDxhbmRyZXlrbnZsQGdvb2dsZS5jb20+IDE0OTA3OTY2ODIgKzAyMDAKY29tbWl0dGVyIEdyZWcgS3JvYWgtSGFydG1hbiA8Z3JlZ2toQGxpbnV4Zm91bmRhdGlvbi5vcmc+IDE0OTQyMjIyNDggKzAyMDAKCm5ldC9wYWNrZXQ6IGZpeCBvdmVyZmxvdyBpbiBjaGVjayBmb3IgdHBfcmVzZXJ2ZQoKWyBVcHN0cmVhbSBjb21taXQgYmNjNTM2NGJkY2ZlMTMxZTYzNzkzNjNmMDg5ZTdiNDEwOGQzNWI3MCBdCgpXaGVuIGNhbGN1bGF0aW5nIHBvLT50cF9oZHJsZW4gKyBwby0+dHBfcmVzZXJ2ZSB0aGUgcmVzdWx0IGNhbiBvdmVyZmxvdy4KCkZpeCBieSBjaGVja2luZyB0aGF0IHRwX3Jlc2VydmUgPD0gSU5UX01BWCBvbiBhc3NpZ24uCgpTaWduZWQtb2ZmLWJ5OiBBbmRyZXkgS29ub3ZhbG92IDxhbmRyZXlrbnZsQGdvb2dsZS5jb20+CkFja2VkLWJ5OiBFcmljIER1bWF6ZXQgPGVkdW1hemV0QGdvb2dsZS5jb20+ClNpZ25lZC1vZmYtYnk6IERhdmlkIFMuIE1pbGxlciA8ZGF2ZW1AZGF2ZW1sb2Z0Lm5ldD4KU2lnbmVkLW9mZi1ieTogR3JlZyBLcm9haC1IYXJ0bWFuIDxncmVna2hAbGludXhmb3VuZGF0aW9uLm9yZz4K
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSAwMDJjZDNkNWM2NTEzNGE3N2VmMjQxMjYzNGIyMjU0NzUzMWQ2ODBkCnBhcmVudCA0MjY4Yjc1MjA4Y2EwNGJjNjNkY2ZhZGJiOWExZWNhOGU5NjRhNjk3CmF1dGhvciBEZW5uaXMgQ2FnbGUgPGQtY2FnbGVAY29kZWF1cm9yYS5vcmc+IDE0OTUwNDUxMDYgLTA3MDAKY29tbWl0dGVyIEFuZHJldyBDaGFudCA8YWNoYW50QGdvb2dsZS5jb20+IDE0OTUwNDU3MDcgKzAwMDAKCm1zbToga2dzbDogRml4IGtnc2wgbWVtb3J5IGFsbG9jYXRpb24gYW5kIGZyZWUgcmFjZSBjb25kaXRpb24KCldoZW4gYWxsb2NhdGluZyB1c2Vyc3BhY2UgbWVtb3J5IGtlZXAgcmVmZXJlbmNlIHRvIG1lbW9yeQphbGxvY2F0aW9uIHRpbGwgaXQgaXMgY29tcGxldGVseSBpbml0aWFsaXplZCBhbmQgaW5mbyBpcyBzZW5kIGJhY2sKdG8gdXNlcnNwYWNlCgpCdWc6IDMyOTM4NDQzCkNScy1GaXhlZDogMjAyOTExMwpDaGFuZ2UtSWQ6IElkNzJjODJiZjk4YzA5NGVjYmQ0NzIyODEzYzczMmE5OThkY2JiMTg4ClNpZ25lZC1vZmYtYnk6IFRhcnVuIEthcnJhIDx0a2FycmFAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IFN1bmlsIEtoYXRyaSA8c3VuaWxraEBjb2RlYXVyb3JhLm9yZz4KU2lnbmVkLW9mZi1ieTogRGVubmlzIENhZ2xlIDxkLWNhZ2xlQGNvZGVhdXJvcmEub3JnPgo=
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBmZDhjZDdkN2M4Njg3MTQ5NTkzNGFlM2NhMTU0OWYzNDkzN2IxOTI1CnBhcmVudCBkOTBlMjUxNzhmNWVjNjUwMDgxYWM2MjQ1YzNhYWRkNzUxNGQ3MWJhCmF1dGhvciBEZW5uaXMgQ2FnbGUgPGQtY2FnbGVAY29kZWF1cm9yYS5vcmc+IDE0OTM5MzY3OTIgLTA3MDAKY29tbWl0dGVyIEFuZHJldyBDaGFudCA8YWNoYW50QGdvb2dsZS5jb20+IDE0OTQ5ODY2NDggKzAwMDAKCmFzaG1lbTogcmVtb3ZlIGNhY2hlIG1haW50ZW5hbmNlIHN1cHBvcnQKClRoZSBjYWNoZSBtYWludGVuYW5jZSByb3V0aW5lcyBpbiBhc2htZW0gd2VyZSBjYXVzaW5nCnNldmVyYWwgc2VjdXJpdHkgaXNzdWVzLiBTaW5jZSB0aGV5IGFyZSBub3QgYmVpbmcgdXNlZAphbnltb3JlIGJ5IGFueSBkcml2ZXJzLCBpdHMgd2VsbCB0byByZW1vdmUgdGhlbSBlbnRpcmVseS4KCkJ1ZzogMzQxMjY4MDgKQnVnOiAzNDE3Mzc1NQpCdWc6IDM0MjAzMTc2CkNScy1GaXhlZDogMTEwNzAzNCwgMjAwMTEyOSwgMjAwNzc4NgpDaGFuZ2UtSWQ6IEk5NTVlMzNkOTBiODg4ZDU4ZGI1Y2Y2YmI0OTA5MDUyODMzNzQ0MjViClNpZ25lZC1vZmYtYnk6IFN1ZGFyc2hhbiBSYWphZ29wYWxhbiA8c3VkYXJhamFAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IERlbm5pcyBDYWdsZSA8ZC1jYWdsZUBjb2RlYXVyb3JhLm9yZz4K
|
||||
|
|
@ -1 +0,0 @@
|
|||
dHJlZSBmZDhjZDdkN2M4Njg3MTQ5NTkzNGFlM2NhMTU0OWYzNDkzN2IxOTI1CnBhcmVudCBkOTBlMjUxNzhmNWVjNjUwMDgxYWM2MjQ1YzNhYWRkNzUxNGQ3MWJhCmF1dGhvciBEZW5uaXMgQ2FnbGUgPGQtY2FnbGVAY29kZWF1cm9yYS5vcmc+IDE0OTM5MzY3OTIgLTA3MDAKY29tbWl0dGVyIEFuZHJldyBDaGFudCA8YWNoYW50QGdvb2dsZS5jb20+IDE0OTQ5ODY2NDggKzAwMDAKCmFzaG1lbTogcmVtb3ZlIGNhY2hlIG1haW50ZW5hbmNlIHN1cHBvcnQKClRoZSBjYWNoZSBtYWludGVuYW5jZSByb3V0aW5lcyBpbiBhc2htZW0gd2VyZSBjYXVzaW5nCnNldmVyYWwgc2VjdXJpdHkgaXNzdWVzLiBTaW5jZSB0aGV5IGFyZSBub3QgYmVpbmcgdXNlZAphbnltb3JlIGJ5IGFueSBkcml2ZXJzLCBpdHMgd2VsbCB0byByZW1vdmUgdGhlbSBlbnRpcmVseS4KCkJ1ZzogMzQxMjY4MDgKQnVnOiAzNDE3Mzc1NQpCdWc6IDM0MjAzMTc2CkNScy1GaXhlZDogMTEwNzAzNCwgMjAwMTEyOSwgMjAwNzc4NgpDaGFuZ2UtSWQ6IEk5NTVlMzNkOTBiODg4ZDU4ZGI1Y2Y2YmI0OTA5MDUyODMzNzQ0MjViClNpZ25lZC1vZmYtYnk6IFN1ZGFyc2hhbiBSYWphZ29wYWxhbiA8c3VkYXJhamFAY29kZWF1cm9yYS5vcmc+ClNpZ25lZC1vZmYtYnk6IERlbm5pcyBDYWdsZSA8ZC1jYWdsZUBjb2RlYXVyb3JhLm9yZz4K
|
||||
31
Patches/Linux_CVEs/CVE-2012-6703/ANY/1.patch
Normal file
31
Patches/Linux_CVEs/CVE-2012-6703/ANY/1.patch
Normal file
|
|
@ -0,0 +1,31 @@
|
|||
From 81ce573830e9d5531531b3ec778c58e6b9167bcd Mon Sep 17 00:00:00 2001
|
||||
From: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Date: Wed, 5 Sep 2012 15:32:18 +0300
|
||||
Subject: [PATCH] ALSA: compress_core: integer overflow in
|
||||
snd_compr_allocate_buffer()
|
||||
|
||||
These are 32 bit values that come from the user, we need to check for
|
||||
integer overflows or we could end up allocating a smaller buffer than
|
||||
expected.
|
||||
|
||||
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
|
||||
Signed-off-by: Takashi Iwai <tiwai@suse.de>
|
||||
---
|
||||
sound/core/compress_offload.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c
|
||||
index eb60cb8dbb8a6..68fe02c7400a2 100644
|
||||
--- a/sound/core/compress_offload.c
|
||||
+++ b/sound/core/compress_offload.c
|
||||
@@ -407,6 +407,10 @@ static int snd_compr_allocate_buffer(struct snd_compr_stream *stream,
|
||||
unsigned int buffer_size;
|
||||
void *buffer;
|
||||
|
||||
+ if (params->buffer.fragment_size == 0 ||
|
||||
+ params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size)
|
||||
+ return -EINVAL;
|
||||
+
|
||||
buffer_size = params->buffer.fragment_size * params->buffer.fragments;
|
||||
if (stream->ops->copy) {
|
||||
buffer = NULL;
|
||||
Some files were not shown because too many files have changed in this diff Show More
Loading…
Reference in New Issue
Block a user