Skip to content

GitLab

Switch branch/tag
  1. 03 Jun, 2016 7 commits
  3. 02 Jun, 2016 19 commits
  5. 31 May, 2016 6 commits
  7. 24 May, 2016 2 commits
  9. 23 May, 2016 2 commits
    • Veena Sambasivan's avatar
      msm: perf: Do not allocate new hw_event if event is duplicate. · 8afa5f87
      Veena Sambasivan authored 
      
During a perf_event_enable, kernel/events/core.c calls pmu->add() which
is platform implementation(arch/arm/kernel/perf_event.c). Due to the
duplicate constraints, arch/arm/mach-msm/perf_event_msm_krait_l2.c
drivers marks the event as OFF but returns TRUE to perf_event.c which
goes ahead and allocates the hw_event and enables it.
Since event is marked OFF, kernel events core will try to enable this event
again during next perf_event_enable. Which results in same event enabled
on multiple hw_events. But during the perf_release, event struct is freed
and only one hw_event is released. This results in dereferencing the
invalid pointer and hence the crash.
Fix this by returning error in case of constraint event duplicate. Hence
avoiding the same event programmed on multiple hw event counters.

Change-Id: Ia3360be027dfe87ac753191ffe7e0bc947e72455
Signed-off-by: default avatarArun KS <arunks@codeaurora.org>
Signed-off-by: default avatarVeena Sambasivan <veenas@codeaurora.org>
      8afa5f87
    • Alan Stern's avatar
      USB: fix invalid memory access in hub_activate() · dc901a50
      Alan Stern authored 
      Commit 8520f380

 ("USB: change hub initialization sleeps to
delayed_work") changed the hub_activate() routine to make part of it
run in a workqueue.  However, the commit failed to take a reference to
the usb_hub structure or to lock the hub interface while doing so.  As
a result, if a hub is plugged in and quickly unplugged before the work
routine can run, the routine will try to access memory that has been
deallocated.  Or, if the hub is unplugged while the routine is
running, the memory may be deallocated while it is in active use.

This patch fixes the problem by taking a reference to the usb_hub at
the start of hub_activate() and releasing it at the end (when the work
is finished), and by locking the hub interface while the work routine
is running.  It also adds a check at the start of the routine to see
if the hub has already been disconnected, in which nothing should be
done.
Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
Reported-by: default avatarAlexandru Cornea <alexandru.cornea@intel.com>
Tested-by: default avatarAlexandru Cornea <alexandru.cornea@intel.com>
Fixes: 8520f380

 ("USB: change hub initialization sleeps to delayed_work")
CC: <stable@vger.kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>

Bug: 28712303
Change-Id: Ie696f13c4fa28dd549d459ea607cf27b53610be6
      dc901a50
  11. 20 May, 2016 1 commit
  13. 18 May, 2016 1 commit
    • Raviv Shvili's avatar
      mmc: core : fix arbitrary read/write to user space · 4c291fbb
      Raviv Shvili authored 
      
In the MMC card debug_fs the read and write handlers use the strlcat
and sscanf, without checking the pointer given.
Since the pointer is not checked it is possible to write
everywhere (ring 0 or 3).
In order to fix it, an access_ok function is being used to verify
the buffer's pointer supplied by user is valid.

Bug: 28769136
CRs-fixed: 545716
Change-Id: Ia710b6af5a95974fc930ca902e8ff18afa4e17ba
Signed-off-by: default avatarRaviv Shvili <rshvili@codeaurora.org>
      4c291fbb
  15. 17 May, 2016 1 commit
    • Peter Hurley's avatar
      n_tty: Fix n_tty_write crash when echoing in raw mode · 1e2f4fcf
      Peter Hurley authored 
      The tty atomic_write_lock does not provide an exclusion guarantee for
the tty driver if the termios settings are LECHO & !OPOST. And since
it is unexpected and not allowed to call TTY buffer helpers like
tty_insert_flip_string concurrently, this may lead to crashes when
concurrect writers call pty_write. In that case the following two
writers:
* the ECHOing from a workqueue and
* pty_write from the process
race and can overflow the corresponding TTY buffer like follows.

If we look into tty_insert_flip_string_fixed_flag, there is:
  int space = __tty_buffer_request_room(port, goal, flags);
  struct tty_buffer *tb = port->buf.tail;
  ...
  memcpy(char_buf_ptr(tb, tb->used), chars, space);
  ...
  tb->used += space;

so the race of the two can result in something like this:
          A                             B
   __tty_buffer_request_room
                                  __tty_buffer_request_room
   memcpy(buf(tb->used), ...)
   tb->used += space;
                                 memcpy(buf(tb->used), ...) ->BOOM

B's memcpy is past the tty_buffer due to the previous A's tb->used
increment.

Since the N_TTY line discipline input processing can output
concurrently with a tty write, obtain the N_TTY ldisc output_lock to
serialize echo output with normal tty writes. This ensures the tty
buffer helper tty_insert_flip_string is not called concurrently and
everything is fine.

Note that this is nicely reproducible by an ordinary user using
forkpty and some setup around that (raw termios + ECHO). And it is
present in kernels at least after commit
d945cb9c

 (pty: Rework the pty layer to
use the normal buffering logic) in 2.6.31-rc3.

js: add more info to the commit log
js: switch to bool
js: lock unconditionally
js: lock only the tty->ops->write call

Bug: 28803396
Signed-off-by: default avatarPeter Hurley <peter@hurleysoftware.com>
Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I9e235db6ec2bb950f26bd8a23f6145dab5dc0a15
Git-commit: 4291086b1f081b869c6d79e5b7441633dc3ace00
Git-repo:
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Signed-off-by: default avatarAvijit Kanti Das <avijitnsec@codeaurora.org>
[rsiddoji@codeaurora.org: resolve trivial merge conflicts]
Signed-off-by: default avatarRavi Kumar S <rsiddoji@codeaurora.org>
      1e2f4fcf
  17. 13 May, 2016 1 commit