Commit graph

855765 commits

Author SHA1 Message Date
eeb9e2abd1 Updated for Winebox support 2023-03-26 03:53:50 +00:00
Christian Brauner
45e4d11fa6 binderfs: use refcount for binder control devices too
Binderfs binder-control devices are cleaned up via binderfs_evict_inode
too() which will use refcount_dec_and_test(). However, we missed to set
the refcount for binderfs binder-control devices and so we underflowed
when the binderfs instance got unmounted. Pretty obvious oversight and
should have been part of the more general UAF fix. The good news is that
having test cases (suprisingly) helps.

Technically, we could detect that we're about to cleanup the
binder-control dentry in binderfs_evict_inode() and then simply clean it
up. But that makes the assumption that the binder driver itself will
never make use of a binderfs binder-control device after the binderfs
instance it belongs to has been unmounted and the superblock for it been
destroyed. While it is unlikely to ever come to this let's be on the
safe side. Performance-wise this also really doesn't matter since the
binder-control device is only every really when creating the binderfs
filesystem or creating additional binder devices. Both operations are
pretty rare.

Fixes: f0fe2c0f050d ("binder: prevent UAF for binderfs devices II")
Link: https://lore.kernel.org/r/CA+G9fYusdfg7PMfC9Xce-xLT7NiyKSbgojpK35GOm=Pf9jXXrA@mail.gmail.com
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Acked-by: Todd Kjos <tkjos@google.com>
Link: https://lore.kernel.org/r/20200311105309.1742827-1-christian.brauner@ubuntu.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-01-16 14:59:34 +02:00
Erfan Abdi
59e27f4ecc HACK: Set “Mains” type for BMS and Main
Change-Id: I44dc3743c3a5126b171aa8db1c90b00b8bb13024
2023-01-16 12:13:38 +02:00
Franz-Josef Haider
c9bb59904d Revert "Revert "proc: Convert proc_mount to use mount_ns.""
This reverts commit f0a310e56f.
2022-09-20 15:10:48 +03:00
Asriel Dreemurr
9bd099b9fd Use gbinder workaround only for hwbinder context 2022-09-02 14:35:39 +03:00
TheKit
f849adacfa (halium) binder: do not use a separate queue for async oneway transactions
At some point (hours or days after start) ofono gets stuck and stops
processing incoming async transactions. It seems to be caused by BC_FREE_BUFFER
command not getting issued under rare circumstances. The way async_todo queue
is handled in binder kernel driver, next transaction is dequeued only after
BC_FREE_BUFFER command is processed.

This commits attempts to workaround missing the next async transactions even if
the buffer for a particular one is leaked by always adding work to todo queue
instead of handling them separately via async_todo.

Change-Id: I4bfb49787257fa579c2fd2ae498ced566ff35cb5
2022-09-02 14:35:29 +03:00
TheKit
b861848684 (halium) pro1x-perf_defconfig: enable extra binder devices 2022-08-04 17:05:50 +03:00
Alfred Neumayer
ac89276594 binder: Configurable global PID lookups
This reshakes commit d2587ce3968c6fdde3cf09d785bb957c4b75572f
and implements a kernel parameter to explicitly allow disabling
the behavior change to look up caller PIDs in the global namespace.
2022-08-04 17:01:35 +03:00
Eugenio Paolantonio (g7)
4b5e3db439 arm64: dts: bengal-idp: idea_keys: replace home keycode to KEY_LEFTMETA
Signed-off-by: Eugenio Paolantonio (g7) <me@medesimo.eu>
2022-08-03 12:52:11 +03:00
Eugenio Paolantonio (g7)
66166e5703 arm64: dts: bengal-idp: gpio_keys: replace fn keycode to KEY_LEFTMETA
Signed-off-by: Eugenio Paolantonio (g7) <me@medesimo.eu>
2022-08-03 12:52:02 +03:00
Eugenio Paolantonio (g7)
9fbf83d043 drivers: aw9523: match the Pro1-X us layout, including support for function keys
Mostly coming from the Pro1's qx1000.c keyboard driver, rewritten by Tom Marshall.

This is the bare minimum to get the correct layout.

Signed-off-by: Eugenio Paolantonio (g7) <me@medesimo.eu>
2022-08-03 12:51:53 +03:00
Eugenio Paolantonio (g7)
fa5e183e0c drivers: gpio_keys: report initial state
Signed-off-by: Eugenio Paolantonio (g7) <me@medesimo.eu>
2022-08-03 12:51:41 +03:00
Eugenio Paolantonio (g7)
97dbcc6f98 arm64: dts: bengal-idp: make keyboard backlight detectable by upower
Signed-off-by: Eugenio Paolantonio (g7) <me@medesimo.eu>
2022-08-03 12:51:31 +03:00
Eugenio Paolantonio (g7)
20585c80f3 drivers: aw9523: remove debug define
Signed-off-by: Eugenio Paolantonio (g7) <me@medesimo.eu>
2022-08-03 12:51:16 +03:00
TheKit
86dd1e0173 dts: bengal-idp: change keyboard slide event to SW_KEYPAD_SLIDE
SW_LID confuses repowerd to turn screen off as it is used on laptops
2022-06-14 01:24:21 +03:00
TheKit
6b6ba3770f vendor/pro1x-perf_defconfig: enable CONFIG_BUILD_ARM64_DT_OVERLAY 2022-06-14 01:16:42 +03:00
TheKit
4271c84668 arm64: dts: import from Pro1-X BSP (2022-06-01) 2022-06-14 01:12:36 +03:00
TheKit
f13e1f4e3e Import F(x)tec Pro1-X BSP kernel changes as of 2022-06-01 2022-06-13 23:51:22 +03:00
TheKit
c3bcbab00e kernel: Merge LA.UM.9.15.r1-05300-KAMORTA.0 2022-06-11 03:14:24 +03:00
TheKit
ff61e8228a vendor/pro1x-perf_defconfig: enable AppArmor 2022-05-12 15:15:57 +03:00
Alfred Neumayer
ca92696699 apparmor: Forward-port query_label function from AppArmor 3.0rc
This fixes the gallery not showing thumbnails due to query_label failing.
2022-05-12 14:37:26 +03:00
John Johansen
4fa869cac3 apparmor: fix use after free in sk_peer_label
BugLink: http://bugs.launchpad.net/bugs/1778646
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-05-12 14:37:12 +03:00
John Johansen
c294600383 apparmor: af_unix mediation
af_socket mediation did not make it into 4.17 so add remaining out
of tree patch

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-05-12 14:36:51 +03:00
John Johansen
c14c8a5bff apparmor: patch to provide compatibility with v2.x net rules
The networking rules upstreamed in 4.17 have a deliberate abi break
with the older 2.x network rules.

This patch provides compatibility with the older rules for those
still using an apparmor 2.x userspace and still want network rules
to work on a newer kernel.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-05-12 14:34:20 +03:00
TheKit
5b5b8f55b8 vendor/pro1x-perf_defconfig: reapply Halium/hybris changes 2022-03-20 22:10:55 +02:00
TheKit
c2a4dee8c7 vendor/pro1x-perf_defconfig: regenerate from bengal-perf_defconfig 2022-03-20 22:05:00 +02:00
TheKit
4b0b2030fb vendor/pro1x_defconfig: make QCA_CLD_WLAN built-in 2022-03-20 21:57:53 +02:00
TheKit
175a880aa5 vendor/pro1x_defconfig: hybris friendly defconfig 2022-03-16 13:20:49 +02:00
TheKit
eb24170bbc vendor/pro1x_defconfig: initial changes for Halium 2022-03-16 12:00:53 +02:00
Linux Build Service Account
a71c4cdc90 Merge 2959ed5eb8 on remote branch
Change-Id: I08b3f8ddabec61613780468af7303919a588162b
2021-12-15 02:25:29 -08:00
Puranam V G Tejaswi
2959ed5eb8 msm: kgsl: Signal fence only if last fence refcount was not put
Currently there is a chance that release for the fence was already called
before we call dma_fence_get during kgsl_timeline_signal and
kgsl_ioctl_timeline_destroy. This can cause use-after-free issue as we can
access fence after release. Fix this by signalling fence only if the last
refcount on the fence was not yet put. This makes sure that release for the
fence will not be called until we are done signalling.

Change-Id: I6bdcefa1f128febb7a0f7aef133757268a3b9ae3
Signed-off-by: Puranam V G Tejaswi <pvgtejas@codeaurora.org>
Signed-off-by: Pranav Patel <quic_pranavp@quicinc.com>
2021-12-01 17:16:54 +05:30
TheKit
3978f77820 vendor/pro1x_defconfig: regenerate from /proc/config.gz on device 2021-11-30 14:15:28 +02:00
TheKit
dcc5a3eab7 techpack: audio: import Pro1-X changes 2022-03-20 20:45:59 +02:00
TheKit
1d86f7ae7b Import Pro1-X kernel source code 2022-03-20 00:13:44 +01:00
Linux Build Service Account
426be5f400 Merge e904060a40 on remote branch
Change-Id: Ie4e98c1cfb3b60c97d120857b97baece7b472b31
2021-11-29 22:08:02 -08:00
qctecmdr
e904060a40 Merge "msm: adsprpc: Handle UAF in process shell memory" 2021-11-26 09:39:00 -08:00
Zhou Guo
17f07c01bc media: v4l2: Allow ioctl type of "U" for video devices like usb camera
When uvc_gadget application tries to call ioctl to send response for
usb control request, it might call compat_ioctl on platforms having
32bit userspace and 64bit kernel space. This leads to UVC functionality
failure as v4l2_compat_ioctl32() is checking only for ioctl type as "V"
and returning error for usb ioctl of type "U". Hence fix the issue by
adding check for ioctl type of "U" as well and allow calling corresponding
ioctl callback.

CRs-Fixed: 3081837
Change-Id: Ie7ae67a796a8af5ea4a80fd437943b0f3d3b2afe
Signed-off-by: Zhou Guo <zhouguo@codeaurora.org>
2021-11-25 16:39:55 +08:00
prabha
51e05ee99d msm: adsprpc: Handle UAF in process shell memory
Added flag to indicate memory used
in process initialization. And, this memory
would not removed in internal unmap to avoid
UAF or double free.

Change-Id: Ie470fe58ac334421d186feb41fa67bd24bb5efea
Signed-off-by: prabha <prabha@codeaurora.org>
2021-11-25 11:46:34 +05:30
qctecmdr
8f53897b99 Merge "cnss2: Check if firmware asserts before power off for CBC" 2021-11-24 06:52:43 -08:00
qctecmdr
f4e3279c9b Merge "net: qrtr: Use radix_tree_iter_delete to delete tx flow" 2021-11-24 03:50:32 -08:00
qctecmdr
c0df939e7a Merge "net: qrtr: Cleanup flow control during DEL proc" 2021-11-23 23:58:07 -08:00
Madhvapathi Sriram
f41797e5c7 cnss2: Check if firmware asserts before power off for CBC
Do a final check for firmware assert before powering off device
in calibration mode. Collect RAM dump if firmware has asserted
for debug purpose. Also skip dump collection if device is already
powered off.

Change-Id: I99a438d6b7d7048b300244511c72d6fbfc610094
Signed-off-by: Yue Ma <yuem@codeaurora.org>
Signed-off-by: Madhvapathi Sriram <quic_msriram@quicinc.com>
2021-11-24 11:33:48 +05:30
qctecmdr
c7fd0e2c85 Merge "net: qrtr: Cleanup flow control during remote socket release" 2021-11-23 20:59:54 -08:00
qctecmdr
01f96cccff Merge "usb: gadget: cdev: Add single packet and dynamic buffer support for Rx path" 2021-11-22 20:51:39 -08:00
Ligui Deng
8c6a54ca0a usb: gadget: cdev: Add single packet and dynamic buffer support for Rx path
Display tearing functionality on SXR devices makes use of
both  bulk-in and bulk-out endpoints of cdev driver
to acquire real time audio/video data from usb host.

Currently if the userspace application making use of cdev
driver requests 50KB of data from host, the cdev_read function
queues multiple usb requests to host till it gets 50KB of data.
In Display Tearing, although the userspace application requests
50KB of data per frame, the actual amount sent by host for every
frame is variable and can be less than the requested amount. If
host is sending packets of size less that requested amount per frame,
driver ends up appending multiple frames in a single cdev_read call
and returns corrupt information to userspace causing low frame
rate on display.

To resolve this add a configfs property to specify the buffer size
for every usb request on out ep and a flag to specify if we need
single packet mode. If single packet mode is enabled, only one usb
request is queued on out endpoint per cdev_read call and buffer
corresponding to that request contains only one frame of data coming
from host. The driver appends data from one usb request in read_queued
pool to userspace buffer to avoid corrupting video frame information.

CRs-Fixed: 3038067
Change-Id: I1ba0b954d14f187eeddc511f4ac199784248b33b
Signed-off-by: Ligui Deng <ldeng@codeaurora.org>
2021-11-22 20:20:34 +08:00
qctecmdr
82146398a4 Merge "ipa: Null persistent pointers after free" 2021-11-18 21:32:31 -08:00
qctecmdr
01d1a8c414 Merge "leds: qpnp-flash-v2: Add support for dynamic torch current update" 2021-11-17 07:28:39 -08:00
qctecmdr
3b795abefd Merge "qdss_bridge: handle usb write done event" 2021-11-17 04:12:22 -08:00
Arun Prakash
b669e0ea2e net: qrtr: Use radix_tree_iter_delete to delete tx flow
Below two issues are handled in this change.

1.Use radix_tree_iter_delete instead of radix_tree_delete to properly
remove slots in a radix tree without any dangling references.

2.Flow entry can be deleted when sending process waiting on the queue
if remote socket closes.Which leads to accessing non-valid flow entry.
To resolve this lookup for the tx flow entry each time before reading
flow count or inserting caller process to waiting list to check the
validity of flow entry in the radix tree.

Change-Id: I42b85b53cfcf5cd4256fbd6cb445d0098078a6f0
Signed-off-by: Arun Prakash <app@codeaurora.org>
2021-11-17 17:41:02 +05:30
Ilia Lin
12f20f950a ipa: Null persistent pointers after free
Assign NULL to pointers that may be used later
after calling kfree on them.

Change-Id: I3298eb484c92ee2373f0bc41aae8ae45fb373cf0
Signed-off-by: Ilia Lin <ilialin@codeaurora.org>
2021-11-17 03:51:32 -08:00