Binderfs binder-control devices are cleaned up via binderfs_evict_inode
too() which will use refcount_dec_and_test(). However, we missed to set
the refcount for binderfs binder-control devices and so we underflowed
when the binderfs instance got unmounted. Pretty obvious oversight and
should have been part of the more general UAF fix. The good news is that
having test cases (suprisingly) helps.
Technically, we could detect that we're about to cleanup the
binder-control dentry in binderfs_evict_inode() and then simply clean it
up. But that makes the assumption that the binder driver itself will
never make use of a binderfs binder-control device after the binderfs
instance it belongs to has been unmounted and the superblock for it been
destroyed. While it is unlikely to ever come to this let's be on the
safe side. Performance-wise this also really doesn't matter since the
binder-control device is only every really when creating the binderfs
filesystem or creating additional binder devices. Both operations are
pretty rare.
Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
Link: https://lore.kernel.org/r/CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200311105309.1742827-1-christian.brauner@ubuntu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
At some point (hours or days after start) ofono gets stuck and stops
processing incoming async transactions. It seems to be caused by BC_FREE_BUFFER
command not getting issued under rare circumstances. The way async_todo queue
is handled in binder kernel driver, next transaction is dequeued only after
BC_FREE_BUFFER command is processed.
This commits attempts to workaround missing the next async transactions even if
the buffer for a particular one is leaked by always adding work to todo queue
instead of handling them separately via async_todo.
Change-Id: I4bfb49787257fa579c2fd2ae498ced566ff35cb5
This reshakes commit d2587ce3968c6fdde3cf09d785bb957c4b75572f
and implements a kernel parameter to explicitly allow disabling
the behavior change to look up caller PIDs in the global namespace.
Mostly coming from the Pro1's qx1000.c keyboard driver, rewritten by Tom Marshall.
This is the bare minimum to get the correct layout.
Signed-off-by: Eugenio Paolantonio (g7) <me@medesimo.eu>
The networking rules upstreamed in 4.17 have a deliberate abi break
with the older 2.x network rules.
This patch provides compatibility with the older rules for those
still using an apparmor 2.x userspace and still want network rules
to work on a newer kernel.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Currently there is a chance that release for the fence was already called
before we call dma_fence_get during kgsl_timeline_signal and
kgsl_ioctl_timeline_destroy. This can cause use-after-free issue as we can
access fence after release. Fix this by signalling fence only if the last
refcount on the fence was not yet put. This makes sure that release for the
fence will not be called until we are done signalling.
Change-Id: I6bdcefa1f128febb7a0f7aef133757268a3b9ae3
Signed-off-by: Puranam V G Tejaswi <pvgtejas@codeaurora.org>
Signed-off-by: Pranav Patel <quic_pranavp@quicinc.com>
When uvc_gadget application tries to call ioctl to send response for
usb control request, it might call compat_ioctl on platforms having
32bit userspace and 64bit kernel space. This leads to UVC functionality
failure as v4l2_compat_ioctl32() is checking only for ioctl type as "V"
and returning error for usb ioctl of type "U". Hence fix the issue by
adding check for ioctl type of "U" as well and allow calling corresponding
ioctl callback.
CRs-Fixed: 3081837
Change-Id: Ie7ae67a796a8af5ea4a80fd437943b0f3d3b2afe
Signed-off-by: Zhou Guo <zhouguo@codeaurora.org>
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.
Change-Id: Ie470fe58ac334421d186feb41fa67bd24bb5efea
Signed-off-by: prabha <prabha@codeaurora.org>
Do a final check for firmware assert before powering off device
in calibration mode. Collect RAM dump if firmware has asserted
for debug purpose. Also skip dump collection if device is already
powered off.
Change-Id: I99a438d6b7d7048b300244511c72d6fbfc610094
Signed-off-by: Yue Ma <yuem@codeaurora.org>
Signed-off-by: Madhvapathi Sriram <quic_msriram@quicinc.com>
Display tearing functionality on SXR devices makes use of
both bulk-in and bulk-out endpoints of cdev driver
to acquire real time audio/video data from usb host.
Currently if the userspace application making use of cdev
driver requests 50KB of data from host, the cdev_read function
queues multiple usb requests to host till it gets 50KB of data.
In Display Tearing, although the userspace application requests
50KB of data per frame, the actual amount sent by host for every
frame is variable and can be less than the requested amount. If
host is sending packets of size less that requested amount per frame,
driver ends up appending multiple frames in a single cdev_read call
and returns corrupt information to userspace causing low frame
rate on display.
To resolve this add a configfs property to specify the buffer size
for every usb request on out ep and a flag to specify if we need
single packet mode. If single packet mode is enabled, only one usb
request is queued on out endpoint per cdev_read call and buffer
corresponding to that request contains only one frame of data coming
from host. The driver appends data from one usb request in read_queued
pool to userspace buffer to avoid corrupting video frame information.
CRs-Fixed: 3038067
Change-Id: I1ba0b954d14f187eeddc511f4ac199784248b33b
Signed-off-by: Ligui Deng <ldeng@codeaurora.org>
Below two issues are handled in this change.
1.Use radix_tree_iter_delete instead of radix_tree_delete to properly
remove slots in a radix tree without any dangling references.
2.Flow entry can be deleted when sending process waiting on the queue
if remote socket closes.Which leads to accessing non-valid flow entry.
To resolve this lookup for the tx flow entry each time before reading
flow count or inserting caller process to waiting list to check the
validity of flow entry in the radix tree.
Change-Id: I42b85b53cfcf5cd4256fbd6cb445d0098078a6f0
Signed-off-by: Arun Prakash <app@codeaurora.org>
Assign NULL to pointers that may be used later
after calling kfree on them.
Change-Id: I3298eb484c92ee2373f0bc41aae8ae45fb373cf0
Signed-off-by: Ilia Lin <ilialin@codeaurora.org>