author | David Lin <dtwlin@google.com> | 2018-06-05 10:42:31 -0700 |
---|---|---|
committer | David Lin <dtwlin@google.com> | 2018-06-05 17:56:32 +0000 |
commit | 169e98a55701a04a2c2cf019313a3e2fef25735c (patch) | |
tree | b27bfda8e0a3c319e409080795d339735a96a7d8 | |
parent | f753b9f4e7492fc107a830d38bc1da884e4cba9f (diff) | |
parent | 34957db26bc80bce410d7833a158b4d157be3e2a (diff) |
Merge branch 'android-msm-bullhead-3.10-security-next' into android-msm-bullhead-3.10android-8.1.0_r0.92
August 2018.1
Bug: 80192174
Change-Id: I9e764529ca03931d029685270567fbdf320b8603
Signed-off-by: David Lin <dtwlin@google.com>
-rw-r--r-- | drivers/char/diag/diagchar_core.c | 7 | ||||
-rw-r--r-- | drivers/media/platform/msm/camera_v2/fd/msm_fd_dev.c | 4 | ||||
-rw-r--r-- | drivers/platform/msm/ipa/rmnet_ipa.c | 4 | ||||
-rw-r--r-- | drivers/power/qcom/lpm-stats.c | 9 | ||||
-rw-r--r-- | drivers/video/msm/mdss/mdss_debug_xlog.c | 7 | ||||
-rw-r--r-- | net/bridge/netfilter/ebtables.c | 13 | ||||
-rw-r--r-- | sound/soc/msm/qdsp6v2/msm-lsm-client.c | 6 |
7 files changed, 36 insertions, 14 deletions
diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
index be581c25ef91..2c7b12b45522 100644
--- a/drivers/char/diag/diagchar_core.c
+++ b/drivers/char/diag/diagchar_core.c
@@ -1,4 +1,5 @@
-/* Copyright (c) 2008-2015, 2017 The Linux Foundation. All rights reserved.
+/* Copyright (c) 2008-2015, 2017-2018 The Linux Foundation.
+ * All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -322,9 +323,9 @@ static int diagchar_open(struct inode *inode, struct file *file)
 return -ENOMEM;
 fail:
- mutex_unlock(&driver->diagchar_mutex);
 driver->num_clients--;
- pr_alert("diag: Insufficient memory for new client");
+ mutex_unlock(&driver->diagchar_mutex);
+ pr_err_ratelimited("diag: Insufficient memory for new client");
 return -ENOMEM;
 }
diff --git a/drivers/media/platform/msm/camera_v2/fd/msm_fd_dev.c b/drivers/media/platform/msm/camera_v2/fd/msm_fd_dev.c
index 76896f2a5044..3c4f144b0aee 100644
--- a/drivers/media/platform/msm/camera_v2/fd/msm_fd_dev.c
+++ b/drivers/media/platform/msm/camera_v2/fd/msm_fd_dev.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2015, 2018 The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -384,7 +384,7 @@ static int msm_fd_open(struct file *file)
 ctx->mem_pool.fd_device = ctx->fd_device;
 ctx->mem_pool.domain_num = ctx->fd_device->iommu_domain_num;
- ctx->stats = vmalloc(sizeof(*ctx->stats) * MSM_FD_MAX_RESULT_BUFS);
+ ctx->stats = vzalloc(sizeof(*ctx->stats) * MSM_FD_MAX_RESULT_BUFS);
 if (!ctx->stats) {
 dev_err(device->dev, "No memory for face statistics\n");
 ret = -ENOMEM;
diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c
index 2079d36671ce..6c90f4c788ca 100644
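Review bot: The new `pr_err_ratelimited("diag: Insufficient memory for new client")` at the `fail:` label in diagchar_open has no trailing newline, so the record can run into whatever is logged next; write it as `pr_err_ratelimited("diag: Insufficient memory for new client\n");`. The reordering keeps `driver->num_clients--` under `diagchar_mutex`, and a short comment at the label, `/* entered with diagchar_mutex held; update the client count before unlocking */`, would stop the two statements from being swapped back. diagchar_open starts outside the hunk, so where the lock is taken is not visible here.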
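Review bot: Nothing at the `vzalloc()` call in msm_fd_open records why the statistics buffer has to start out zeroed, so a later cleanup could turn it back into `vmalloc()`. A one-line comment above the allocation, for example `/* zeroed: result buffers may be read back before they have been filled */`, would keep the intent. The code that reads `ctx->stats` is outside the hunk, so the wording should be confirmed against it.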
--- a/drivers/platform/msm/ipa/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/rmnet_ipa.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -1152,6 +1152,8 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 /* Extended IOCTLs */
 case RMNET_IOCTL_EXTENDED:
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
 IPAWANDBG("get ioctl: RMNET_IOCTL_EXTENDED\n");
 if (copy_from_user(&extend_ioctl_data, (u8 *)ifr->ifr_ifru.ifru_data,
diff --git a/drivers/power/qcom/lpm-stats.c b/drivers/power/qcom/lpm-stats.c
index 321e13c2b7ea..f4f22007b4cb 100644
--- a/drivers/power/qcom/lpm-stats.c
+++ b/drivers/power/qcom/lpm-stats.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2014, 2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -590,11 +590,14 @@ static void cleanup_stats(struct lpm_stats *stats)
 {
 struct list_head *centry = NULL;
 struct lpm_stats *pos = NULL;
+ struct lpm_stats *n = NULL;
 centry = &stats->child;
- list_for_each_entry_reverse(pos, centry, sibling) {
- if (!list_empty(&pos->child))
+ list_for_each_entry_safe_reverse(pos, n, centry, sibling) {
+ if (!list_empty(&pos->child)) {
 cleanup_stats(pos);
+ continue;
+ }
 list_del_init(&pos->child);
diff --git a/drivers/video/msm/mdss/mdss_debug_xlog.c b/drivers/video/msm/mdss/mdss_debug_xlog.c
index 3c31de418292..008ba402d52b 100644
--- a/drivers/video/msm/mdss/mdss_debug_xlog.c
+++ b/drivers/video/msm/mdss/mdss_debug_xlog.c
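Review bot: The `ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN)` check gates only `case RMNET_IOCTL_EXTENDED:`; the rest of the switch in ipa_wwan_ioctl lies outside the hunk, so it is worth confirming that no other case that changes device state stays reachable without a capability check. The check also carries no comment, and `/* extended ioctls are privileged: require CAP_NET_ADMIN in the device's user namespace */` above it would record the policy. Its position ahead of `copy_from_user()` is right, since the argument is then never read for an unprivileged caller.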
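Review bot: The added `continue;` in cleanup_stats skips `list_del_init(&pos->child)` and everything after it in the loop body for every node that had children, so once `cleanup_stats(pos)` has emptied the subtree, `pos` itself appears never to be torn down. The remainder of the loop body is outside the hunk; if that is where `pos` is unlinked and freed, interior nodes are now leaked unless the `continue` is deliberate. Because `list_for_each_entry_safe_reverse` already caches the next entry in `n`, the recursion can fall through to the teardown, i.e. drop the `continue;` and keep the braces. It is also worth checking that `list_del_init(&pos->child)` is the intended unlink, since the iteration runs over `sibling`.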
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2016, 2018, The Linux Foundation. All rights reserved.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 and
@@ -546,6 +546,11 @@ static ssize_t mdss_xlog_dump_read(struct file *file, char __user *buff,
 if (__mdss_xlog_dump_calc_range()) {
 len = mdss_xlog_dump_entry(xlog_buf, MDSS_XLOG_BUF_MAX);
+ if (len < 0 || len > count) {
+ pr_err("len is more than the size of user buffer\n");
+ return 0;
+ }
+
 if (copy_to_user(buff, xlog_buf, len))
 return -EFAULT;
 *ppos += len;
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 6651a7797d46..924af39089ea 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2010,7 +2010,9 @@ static int ebt_size_mwt(struct compat_ebt_entry_mwt *match32,
 if (match_kern)
 match_kern->match_size = ret;
- WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+ return -EINVAL;
+
 match32 = (struct compat_ebt_entry_mwt *) buf;
 }
@@ -2067,6 +2069,15 @@ static int size_entry_mwt(struct ebt_entry *entry, const unsigned char *base,
 *
 * offsets are relative to beginning of struct ebt_entry (i.e., 0).
 */
+ for (i = 0; i < 4 ; ++i) {
+ if (offsets[i] >= *total)
+ return -EINVAL;
+ if (i == 0)
+ continue;
+ if (offsets[i-1] > offsets[i])
+ return -EINVAL;
+ }
+
 for (i = 0, j = 1 ; j < 4 ; j++, i++) {
 struct compat_ebt_entry_mwt *match32;
 unsigned int size;
diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
index 6f25512b86ef..d42b954ffe79 100644
--- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c
+++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
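Review bot: The new guard in mdss_xlog_dump_read returns 0 when `len < 0 || len > count`, which a reader sees as end-of-file rather than as a failure, and the message "len is more than the size of user buffer" is printed for a negative `len` as well. Since `count` is chosen by the caller, a reader passing a short buffer can hit the `pr_err()` on every call; `pr_err_ratelimited()` with both values in the message, and an error return such as `return -EINVAL;`, would make the condition visible without flooding the log. The declarations of `len` and `count` are outside the hunk, so the signed/unsigned comparison in `len > count` should be checked against their types.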
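Review bot: `WARN_ON(type == EBT_COMPAT_TARGET && size_left)` in ebt_size_mwt now guards an error return, which suggests the condition can be produced by the compat rule data handed to this function; if so, every such request writes a full backtrace to the kernel log. `WARN_ON_ONCE()` in the same position, or a plain `if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL;`, rejects the input without that side effect. ebt_size_mwt begins and ends outside the hunk, so the origin of `size_left` is not visible here.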
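Review bot: The validation loop added to size_entry_mwt has no comment stating the invariant it enforces, which makes the two early returns hard to audit; `/* every offset must lie inside the entry and the offsets must not decrease */` above the loop would say it. The `if (i == 0) continue;` step can be folded into the comparison as `if (i && offsets[i - 1] > offsets[i])`. The bound is written as the literal 4 here and in the loop that follows; the declaration of `offsets` is outside the hunk, but if it is an array in this function, `ARRAY_SIZE(offsets)` would tie both loops to it.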
@@ -1148,7 +1148,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
 }
 size = sizeof(*user) + userarg32.payload_size;
- user = kmalloc(size, GFP_KERNEL);
+ user = kzalloc(size, GFP_KERNEL);
 if (!user) {
 dev_err(rtd->dev, "%s: Allocation failed event status size %d\n",
@@ -1169,7 +1169,7 @@ static int msm_lsm_ioctl_compat(struct snd_pcm_substream *substream,
 err = -EFAULT;
 }
 if (!err) {
- user32 = kmalloc(size, GFP_KERNEL);
+ user32 = kzalloc(size, GFP_KERNEL);
 if (!user32) {
 dev_err(rtd->dev, "%s: Allocation event user status size %d\n",
@@ -1583,7 +1583,7 @@ static int msm_lsm_ioctl(struct snd_pcm_substream *substream,
 size = sizeof(struct snd_lsm_event_status) + userarg.payload_size;
- user = kmalloc(size, GFP_KERNEL);
+ user = kzalloc(size, GFP_KERNEL);
 if (!user) {
 dev_err(rtd->dev, "%s: Allocation failed event status size %d\n", |
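Review bot: In all three hunks the allocation size is built from a length field of the ioctl argument (`sizeof(*user) + userarg32.payload_size` in msm_lsm_ioctl_compat, `sizeof(struct snd_lsm_event_status) + userarg.payload_size` in msm_lsm_ioctl), and no bound on `payload_size` is visible in the hunks; the closing brace at the top of the first hunk may belong to such a check, so confirm that one precedes each addition. Switching to `kzalloc()` keeps stale heap contents out of a buffer that is only partly filled, but nothing at the call sites says so; a comment such as `/* zeroed: the buffer is copied back to user space */` would keep the calls from being changed back. The copy-out is outside the hunks, so the wording should follow what it actually copies. Both functions start and end outside the hunks.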