- Nov 07, 2017
-
Patrick Tjin authored
January 2017.1

Bug: 68996174
Change-Id: Iccdc88be6cea832954e016a5d0b805bf107bd699
Signed-off-by: Patrick Tjin <pattjin@google.com>
-
- Nov 06, 2017
-
Greg Hackmann authored

Bug: 68266545
Change-Id: Ibdb1fd768b748002b90bfc165612c12c8311f8a2
-
Greg Hackmann authored

Bug: 68266545
Change-Id: I6005a6e944494257bfc2243fde2f7a09c3fd76c6
-
Marc Zyngier authored
We now trap accesses to CNTVCT_EL0 when the counter is broken enough to require the kernel to mediate the access. But it turns out that some existing userspace (such as OpenMPI) does probe for the counter frequency, leading to an UNDEF exception, as CNTVCT_EL0 and CNTFRQ_EL0 share the same control bit. The fix is to handle the exception the same way we do for CNTVCT_EL0.

Bug: 68266545
Fixes: a86bd139 ("arm64: arch_timer: Enable CNTVCT_EL0 trap if workaround is enabled")
Reported-by: Hanjun Guo <guohanjun@huawei.com>
Tested-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 9842119a)
Change-Id: Ie5a9a93fcca238d6097ecacd6df0e540be90220b
-
Marc Zyngier authored
Since people seem to make a point in breaking the userspace visible counter, we have no choice but to trap the access. Add the required handler.

Bug: 68266545
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
(cherry picked from commit 6126ce05)
Change-Id: I0705f47c85a78040df38df18f51a4a22500b904d
-
Herbert Xu authored
commit 4f0414e5 upstream.

We need to load the TX SG list in sendmsg(2) after waiting for incoming data, not before.

Bug: 64386293
Change-Id: Ibb0b7969ee1df314b49462ecd65ce381118d915d
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
Ecco Park authored
These configs are used for Bluez, so there is no reason to keep them, as they cause the security vulnerability.

Bug: 63527053
Change-Id: Ia25a8268412ce58c6a162953af3602634b219669
Signed-off-by: Ecco Park <eccopark@google.com>
-
tharun kumar authored
Validate user buffers before accessing them in the kernel driver.

Bug: 67713083
Change-Id: I7997d069d0549de03f1467c63bdb81b20fcf3d6c
Acked-by: Chenna Kesava Raju <chennak@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
-
Steve Pfetsch authored

Bug: 62800865
Change-Id: I386b9bfbf5463527bf20dacc5da6574ad8d613a0
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
-
Marissa Wall authored
The 'move_pages()' system call was introduced long long ago with the same permission checks as for sending a signal (except using CAP_SYS_NICE instead of CAP_SYS_KILL for the overriding capability).

That turns out to not be a great choice - while the system call really only moves physical page allocations around (and you need other capabilities to do a lot of it), you can check the return value to map out some of the virtual address choices and defeat ASLR of a binary that still shares your uid.

So change the access checks to the more common 'ptrace_may_access()' model instead.

This tightens the access checks for the uid, and also effectively changes the CAP_SYS_NICE check to CAP_SYS_PTRACE, but it's unlikely that anybody really _uses_ this legacy system call any more (we have better NUMA placement models these days), so I expect nobody to notice.

Famous last words.

Reported-by: Otto Ebeling <otto.ebeling@iki.fi>
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@kernel.org
Bug: 65468230
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
cherry-picked from: 197e7e52

This branch does not have the PTRACE_MODE_REALCREDS flag, but its default behavior is the same as PTRACE_MODE_REALCREDS. So use PTRACE_MODE_READ instead of PTRACE_MODE_READ_REALCREDS.

Change-Id: I75364561d91155c01f78dd62cdd41c5f0f418854
-
Viktor Slavkovic authored
A lock-unlock is missing in the ASHMEM_SET_SIZE ioctl, which can result in a race condition when mmap is called. After the !asma->file check, before setting asma->size, asma->file can be set in mmap. That would result in having a different asma->size than the mapped memory size. Combined with the ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory corruption.

Bug: 66954097
Signed-off-by: Viktor Slavkovic <viktors@google.com>
Change-Id: Ia52312a75ade30bc94be6b94420f17f34e0c1f86
-
Karthikeyan Mani authored
Remove read permission for the debugfs reg dump node for group and users, to not allow reading of wcd9xxx registers.

CRs-fixed: 2113240
Bug: 62464339
Change-Id: I73a22e140446828e694fdc95fde7ac4e051c9548
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
-
- Nov 03, 2017
-
Andrew Chant authored
Fix missing locking around the rx data packet list; correct work & wakeup source initialization.

Bug: 67713091
Change-Id: Ia8dcac71c370a902e960368d5bb3aa6016ab33d9
Signed-off-by: Andrew Chant <achant@google.com>
-
Arun Kumar Neelakantam authored
The current implementation is using a mutex lock to protect the Rx data packet list, but the Glink core can notify the Rx data in atomic context, and the mutex lock is not used in some places.

Replace the mutex lock with a spinlock to protect the Rx data packet list.

CRs-Fixed: 852949
Bug: 67713091
Change-Id: Ie7543a98e6589e8068b873a8bb4f49b9a195d881
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
Signed-off-by: Suyash Nahata <sunahata@codeaurora.org>
-
- Oct 13, 2017
-
Steve Pfetsch authored
December 2017.1

Bug: 67749245
Change-Id: I3cc87859f6679d5c91a622d101a172f2a0598520
-
Steve Pfetsch authored
December 2017.1

Bug: 67749245
Change-Id: I29f4c24bd9139e2e2ec5d8ebc5aa103ddf70308f
-
Trudy Shearer authored
Complete removal of the gud mobicore driver. The driver author delivers an updated version of this driver to interested parties directly, rendering this version obsolete.

Bug: 65468975
Change-Id: I40498d3203b1d6ca04f2b5a2e65461851d84d2d4
Acked-by: Tony Hamilton <tonyh@qti.qualcomm.com>
Signed-off-by: Trudy Shearer <tshearer@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
Brahmaji K authored
Use the put_user API to write the data from kernel space to userspace, to avoid accessing userspace memory directly in kernel space.

Bug: 65468973
Change-Id: I7bdd702225ed179af841db9a67cc7b93eadf9dcc
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
-
Roberto Pereira authored

Bug: 65023233
Signed-off-by: Roberto Pereira <rpere@google.com>
Change-Id: Ib45f402cf304f9b8bf18884738f92b9c3db55573
-
annamraj authored
Make use of a mutex lock to access the IOCTL so that two threads can avoid a race condition.

Bug: 64728950
Bug: 65468993
Change-Id: I00db78a42c86eef8a157b5b3547e4ca0006b0853
Signed-off-by: annamraj <annamraj@codeaurora.org>
-
Siena Richard authored
Set address to NULL on error to ensure a stale address is not used.

CRs-Fixed: 2038685
Bug: 64453423
Signed-off-by: Siena Richard <sienar@codeaurora.org>
Change-Id: I17e7b7b404625d21721b2466e70fa8be2370b517
-
Saranya Chidura authored
'commit 734aabed17090: ("coresight: tmc: Fix use after free issue with tmc read")' adds a lock in tmc_read() to fix the race condition seen between reading the tmc buffer and enabling the device. But that commit has an unbalanced lock. This patch fixes the lock.

Bug: 64453422
Change-Id: Iaf3ecd83ef5af346725885ea2c84c4185f1a1c50
Signed-off-by: Saranya Chidura <schidura@codeaurora.org>
-
Saranya Chidura authored
Fix the race condition seen between reading the tmc buffer and enabling the device. The race condition can result in a use after free issue if the buffer is released while a read is in progress.

Bug: 64453422
Signed-off-by: Saranya Chidura <schidura@codeaurora.org>
Change-Id: I9908fa78acbf3152ee791c63fef525f09a9a23d5
-
Krishna Manikandan authored
When an fd is requested during the get_metadata call, create the fd using the O_CLOEXEC flag.

CRs-Fixed: 2030638
Bug: 64453105
Change-Id: I1c874f713a3ebada63ba2c85f021aa78b04af44b
Signed-off-by: Krishna Manikandan <mkrishn@codeaurora.org>
-
Ashish Garg authored
Provide complete resolution details in a sysfs node "res_info", limited to PAGE_SIZE. Different modules can query for multiple resolution details based on the resolution ids received from the EDID of the TV. In case the resolution details exceed PAGE_SIZE, reuse res_info to get the remaining timing details by providing page details. Check that the page id is within the max supported resolution ids, to avoid reading more memory than required.

Bug: 64431967
Change-Id: I7cdd071ba462080fe5bb302d0da824ed95b50f15
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
-
Jonathan Solnit authored
The IOCTL interface to send QMI NOTIFY REQ messages can be called from multiple contexts, which can result in a buffer overflow of the msg cache. Make a change to add mutex protection to prevent the buffer overflow.

Bug: 63868933
Change-Id: I22c37f2b61051494123c5c9599c56560ac7e3418
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
-
Al Viro authored
commit 49d31c2f upstream.

take_dentry_name_snapshot() takes a safe snapshot of dentry name; if the name is a short one, it gets copied into caller-supplied structure, otherwise an extra reference to external name is grabbed (those are never modified). In either case the pointer to stable string is stored into the same structure.

dentry must be held by the caller of take_dentry_name_snapshot(), but may be freely dropped afterwards - the snapshot will stay until destroyed by release_dentry_name_snapshot().

Intended use:
	struct name_snapshot s;

	take_dentry_name_snapshot(&s, dentry);
	...
	access s.name
	...
	release_dentry_name_snapshot(&s);

Replaces fsnotify_oldname_...(), gets used in fsnotify to obtain the name to pass down with event.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[carnil: backport 4.9: adjust context]
[bwh: Backported to 3.16:
 - External names are not ref-counted, so copy them
 - Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[ghackmann@google.com: backported to 3.10: adjust context]
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Change-Id: I612e687cbffa1a03107331a6b3f00911ffbebd8e
Bug: 63689921
-
Wei Li authored

BUG: 63100473
Change-Id: If6cb5ce50524d34b30f09a22eeb76d2cd3a0e834
-
VijayaKumar T M authored
Protect operations performed during ois powerdown from a race condition by adding mutex locks.

CRs-Fixed: 2081806
Bug: 62674846
Change-Id: I27a735fd69d3e98fdd2ed48456336c560b6f3adc
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
-
Mohit Aggarwal authored
This patch provides protection to dci client entries from corruption.

CRs-Fixed: 984942 992683
Bug: 62378232
Change-Id: Ifcd9f14dc03d9e42a31b3e126839489881e98303
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
-
Mohit Aggarwal authored
Currently, protection is missing when querying event status, due to which an already removed dci client entry might be accessed. This patch takes care of the issue by taking proper locking.

CRs-Fixed: 2015892
Bug: 62378232
Change-Id: I4195c4c6198d85e96559f1728d74419527a76bc5
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
-
Katish Paran authored
Currently, while extracting events and logs information from the data read over peripherals, the clients' details are accessed without mutex protection. As client access may happen from multiple contexts, mutex protection is needed. This patch resolves the same.

Bug: 62378232
Change-Id: I9bd115e1cd9eebc625f4a68854d554ff874d866d
Signed-off-by: Katish Paran <kparan@codeaurora.org>
-
Manoj Prabhu B authored
Currently, while de-initializing dci clients, there is a possibility of accessing stale entries. This patch fixes this issue by adding a proper protection mechanism.

CRs-Fixed: 961469
Bug: 62378232
Change-Id: I829c9497eeb356662a6531592c66108e615ce6e4
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
-
Jerry Zhang authored
If the user passes in a negative file size in an int64, this will compare as smaller than the buffer length, and it will get truncated to form a read length that is larger than the buffer length. To fix, return -EINVAL if the count argument is negative, so the loop will never happen.

Bug: 37429972
Test: Test with PoC
Change-Id: I5d52e38e6fbe2c17eb8c493f9eb81df6cfd780a4
Signed-off-by: Jerry Zhang <zhangjerry@google.com>
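The signed/unsigned length mix-up the commit above describes, shown as an added C example; this is a constructed reconstruction of the defect class, not the driver's own code. The names `req_len_before`, `req_len_after` and the constructed `MAX_REQ_LEN` value are assumptions. The "before" function mirrors the described bug: the comparison is carried out in `int64_t`, so a negative count is never "greater" than the limit, is selected, and is then truncated into the `unsigned int` length. The "after" function applies the commit's fix of rejecting a negative count with `-EINVAL` before any length is derived.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed value: size of one receive request buffer in the driver. */
#define MAX_REQ_LEN 16384u

/*
 * Hypothetical "before" version of the length selection.
 * Both operands of the comparison are converted to int64_t, so
 * count = -1 is not greater than MAX_REQ_LEN, count is chosen, and
 * the conversion to unsigned int turns -1 into 0xFFFFFFFF: a read
 * length far larger than the buffer behind it.
 */
unsigned int req_len_before(int64_t count, unsigned int max_len)
{
	return (count > max_len) ? max_len : count;
}

/*
 * Hypothetical "after" version: a negative count is an invalid
 * argument, so it is rejected before any length is derived and the
 * caller's read loop never runs. Returns 0 on success, -EINVAL
 * otherwise, and writes the bounded length to *out.
 */
int req_len_after(int64_t count, unsigned int max_len, unsigned int *out)
{
	if (count < 0)
		return -EINVAL;
	*out = (count > (int64_t)max_len) ? max_len : (unsigned int)count;
	return 0;
}

int main(void)
{
	unsigned int len = 0;
	int64_t samples[] = { 100, 100000, -1 };  /* constructed inputs */

	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		int64_t c = samples[i];
		int rc = req_len_after(c, MAX_REQ_LEN, &len);
		printf("count=%lld before=%u after=%s\n", (long long)c,
		       req_len_before(c, MAX_REQ_LEN),
		       rc == 0 ? "ok" : "-EINVAL");
	}
	return 0;
}
```

The point to take from the example is that the bounds check in the "before" form is not wrong in itself; it is the type it is evaluated in that lets a negative value slip through, and the sign check has to happen before the value is ever narrowed.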
-
Takashi Iwai authored
snd_timer_notify1() is called outside the spinlock and it retakes the lock after the unlock. This is rather racy, and it's safer to move the snd_timer_notify() call inside the main spinlock.

The patch also contains a slight refactoring / cleanup of the code. Now all start/stop/continue/pause look more symmetric and a bit better readable.

Bug: 37240993
Change-Id: Ib90099f88c8b04928a8cdd2808cd9e16da6d519c
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
Takashi Iwai authored
commit ed8b1d6d upstream.

A slave timer element also unlinks at snd_timer_stop() but it takes only slave_active_lock. When a slave is assigned to a master, however, this may become a race against the master's interrupt handling, eventually resulting in a list corruption. The actual bug could be seen with a syzkaller fuzzer test case in the BugLink below.

As a fix, we need to take timeri->timer->lock when timer isn't NULL, i.e. assigned to a master, while the assignment to a master itself is protected by slave_active_lock.

Bug: 37240993
Change-Id: Ib6eae144d5fdc92546d2210bcd6bc56454ad3e42
BugLink: http://lkml.kernel.org/r/CACT4Y+Y_Bm+7epAb=8Wi=AaWd+DYS7qawX52qxdCfOfY49vozQ@mail.gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
Takashi Iwai authored
commit f784beb7 upstream.

Although ALSA timer code got hardening for races, it still causes use-after-free error. This is however rather a corrupted linked list, not actually the concurrent accesses. Namely, when timer start is triggered twice, list_add_tail() is called twice, too. This ends up with the link corruption and triggers KASAN error.

The simplest fix would be replacing list_add_tail() with list_move_tail(), but fundamentally it's the problem that we don't check the double start/stop correctly. So, the right fix here is to add the proper checks to snd_timer_start() and snd_timer_stop() (and their variants).

Bug: 37240993
Change-Id: I86a327c4479fecf9b502ba6122c8ae67a2326754
BugLink: http://lkml.kernel.org/r/CACT4Y+ZyPRoMQjmawbvmCEDrkBD2BQuH7R09=eOkf5ESK8kJAw@mail.gmail.com
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
Takashi Iwai authored
commit c3b16813 upstream.

This is a minor code cleanup without any functional changes:
- Kill the keep_flag argument from _snd_timer_stop(), as all callers pass only false.
- Remove the redundant NULL check in _snd_timer_stop().

Bug: 37240993
Change-Id: Idc3778ca1cd62b8c22e2a57b3c1130fe7b3d13f6
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
-
Takashi Iwai authored
snd_timer_user_read() has a potential race among parallel reads, as qhead and qused are updated outside the critical section due to copy_to_user() calls. Move them into the critical section, and also sanitize the relevant code a bit.

Bug: 37240993
Change-Id: I7358a57638ef23eb7f97341eaee1f0dd4ba2795a
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 4dff5c7b)
-
Takashi Iwai authored
[ Upstream commit 230323da ]

Currently the ALSA timer device doesn't take the disconnection into account very well; it merely unlinks the timer device at the disconnection callback but does nothing else. Because of this, when an application accessing the timer device is disconnected, it may release the resource before actually being closed. In most cases, it results in a warning message indicating a leftover timer instance like:

  ALSA: timer xxxx is busy?

But basically this is an open race.

This patch tries to address it. The strategy is like other ALSA devices: namely,
- Manage the card's refcount at each open/close
- Wake up the pending tasks at disconnection
- Check the shutdown flag appropriately at each possible call

Note that this patch has one ugly hack to handle the wakeup of pending tasks. It'd be cleaner to introduce a new disconnect op to snd_timer_instance ops. But since it would lead to internal ABI breakage and it eventually increases my own work when backporting to stable kernels, I took a different path to implement locally in timer.c. A cleanup patch will follow at next for 4.5 kernel.

Bug: 37240993
Change-Id: I05c7f0e7d28b63fc343091f800ceae9ec2afe4a4
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=109431
Cc: <stable@vger.kernel.org> # v3.15+
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit 230323da)
-