Merge branch 'android-msm-bullhead-3.10-security-next' into android-msm-bullhead-3.10
August 2018.1
Bug: 80192174
Change-Id: I9e764529ca03931d029685270567fbdf320b8603
Signed-off-by: David Lin <dtwlin@google.com>
diff --git a/drivers/char/diag/diagchar_core.c b/drivers/char/diag/diagchar_core.c
index be581c2..2c7b12b 100644
--- a/drivers/char/diag/diagchar_core.c
+++ b/drivers/char/diag/diagchar_core.c
@@ -1,4 +1,5 @@
-/* Copyright (c) 2008-2015, 2017 The Linux Foundation. All rights reserved.
+/* Copyright (c) 2008-2015, 2017-2018 The Linux Foundation.
+ * All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -322,9 +323,9 @@
return -ENOMEM;
fail:
- mutex_unlock(&driver->diagchar_mutex);
driver->num_clients--;
- pr_alert("diag: Insufficient memory for new client");
+ mutex_unlock(&driver->diagchar_mutex);
+ pr_err_ratelimited("diag: Insufficient memory for new client");
return -ENOMEM;
}
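Review bot: The string passed to `pr_err_ratelimited()` has no trailing newline, so a following printk may be appended to the same log line; I would write `pr_err_ratelimited("diag: Insufficient memory for new client\n");`. Moving `driver->num_clients--` ahead of `mutex_unlock(&driver->diagchar_mutex)` keeps the counter update under the lock. The lock acquisition and the other `return -ENOMEM` path above `fail:` are outside the hunk, so it is worth confirming that no other exit path changes the counter without holding the mutex.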
diff --git a/drivers/media/platform/msm/camera_v2/fd/msm_fd_dev.c b/drivers/media/platform/msm/camera_v2/fd/msm_fd_dev.c
index 76896f2..3c4f144 100644
--- a/drivers/media/platform/msm/camera_v2/fd/msm_fd_dev.c
+++ b/drivers/media/platform/msm/camera_v2/fd/msm_fd_dev.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2015, 2018 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -384,7 +384,7 @@
ctx->mem_pool.fd_device = ctx->fd_device;
ctx->mem_pool.domain_num = ctx->fd_device->iommu_domain_num;
- ctx->stats = vmalloc(sizeof(*ctx->stats) * MSM_FD_MAX_RESULT_BUFS);
+ ctx->stats = vzalloc(sizeof(*ctx->stats) * MSM_FD_MAX_RESULT_BUFS);
if (!ctx->stats) {
dev_err(device->dev, "No memory for face statistics\n");
ret = -ENOMEM;
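Review bot: The switch to `vzalloc()` for `ctx->stats` carries no comment saying why the buffer must be zeroed, so a later cleanup could revert it to `vmalloc()` without noticing. A one-line comment above the allocation, such as `/* zeroed so unfilled result buffers never expose stale kernel memory */`, would record the intent. How `ctx->stats` is handed to userspace is not visible in this hunk, so the wording should be confirmed against the read path. The enclosing function starts and ends outside the hunk.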
diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c
index 2079d36..6c90f4c 100644
--- a/drivers/platform/msm/ipa/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/rmnet_ipa.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1152,6 +1152,8 @@
/* Extended IOCTLs */
case RMNET_IOCTL_EXTENDED:
+ if (!ns_capable(dev_net(dev)->user_ns, CAP_NET_ADMIN))
+ return -EPERM;
IPAWANDBG("get ioctl: RMNET_IOCTL_EXTENDED\n");
if (copy_from_user(&extend_ioctl_data,
(u8 *)ifr->ifr_ifru.ifru_data,
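Review bot: The new `ns_capable()` check in `case RMNET_IOCTL_EXTENDED:` returns `-EPERM` before the `IPAWANDBG` line, so a rejected caller leaves no trace in the debug log, and nothing says why this case is privileged. I would add a comment such as `/* extended ioctls require CAP_NET_ADMIN in the device's net namespace */` and, if auditing denied attempts matters, log before returning. The check is relative to `dev_net(dev)->user_ns`; if this device can ever sit in a non-initial network namespace, confirm that this is the intended trust boundary and not `capable(CAP_NET_ADMIN)`. The other cases of this switch are outside the hunk, so whether they need the same gate cannot be judged here.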
diff --git a/drivers/power/qcom/lpm-stats.c b/drivers/power/qcom/lpm-stats.c
index 321e13c..f4f2200 100644
--- a/drivers/power/qcom/lpm-stats.c
+++ b/drivers/power/qcom/lpm-stats.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2014, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2014, 2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -590,11 +590,14 @@
{
struct list_head *centry = NULL;
struct lpm_stats *pos = NULL;
+ struct lpm_stats *n = NULL;
centry = &stats->child;
- list_for_each_entry_reverse(pos, centry, sibling) {
- if (!list_empty(&pos->child))
+ list_for_each_entry_safe_reverse(pos, n, centry, sibling) {
+ if (!list_empty(&pos->child)) {
cleanup_stats(pos);
+ continue;
+ }
list_del_init(&pos->child);
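Review bot: With the added `continue`, a node that has children is recursed into and then skipped, so whatever teardown follows `list_del_init(&pos->child)` never runs for that node. That unlink also acts on the node's own `child` head while the loop walks `sibling`, so the node appears to stay linked in its parent's list. If the rest of the loop body (outside the hunk) frees `pos`, interior nodes would leak and freed leaves would remain reachable from the parent's list. Unlinking with `list_del_init(&pos->sibling);` would let the recursion empty each child list, after which the `continue` could be dropped and interior nodes torn down as well.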
diff --git a/drivers/video/msm/mdss/mdss_debug_xlog.c b/drivers/video/msm/mdss/mdss_debug_xlog.c
index 3c31de4..008ba40 100644
--- a/drivers/video/msm/mdss/mdss_debug_xlog.c
+++ b/drivers/video/msm/mdss/mdss_debug_xlog.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2016, 2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -546,6 +546,11 @@
if (__mdss_xlog_dump_calc_range()) {
len = mdss_xlog_dump_entry(xlog_buf, MDSS_XLOG_BUF_MAX);
+ if (len < 0 || len > count) {
+ pr_err("len is more than the size of user buffer\n");
+ return 0;
+ }
+
if (copy_to_user(buff, xlog_buf, len))
return -EFAULT;
*ppos += len;
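Review bot: Returning 0 from the new `len < 0 || len > count` check reports end-of-file, so a reader whose buffer is smaller than one formatted entry gets an empty read and no error. The message text is also wrong for the `len < 0` case. `return -EINVAL;` with a message that names the actual condition would make the failure visible to userspace. Whether `mdss_xlog_dump_entry()` has already advanced past the entry at this point is not visible in the hunk; if it has, that entry is silently dropped. The function starts and ends outside the hunk.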
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index 6651a77..924af39 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -2010,7 +2010,9 @@
if (match_kern)
match_kern->match_size = ret;
- WARN_ON(type == EBT_COMPAT_TARGET && size_left);
+ if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))
+ return -EINVAL;
+
match32 = (struct compat_ebt_entry_mwt *) buf;
}
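Review bot: The condition in `if (WARN_ON(type == EBT_COMPAT_TARGET && size_left))` appears to depend on sizes taken from the caller-supplied compat blob, so a malformed request would still emit a full stack trace each time, and on a kernel configured to panic on warnings it would take the machine down. If this path is reachable with userspace-controlled data, a plain `if (type == EBT_COMPAT_TARGET && size_left) return -EINVAL;` rejects the input without that side effect. The enclosing function is outside the hunk, so the reachability should be confirmed there.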
@@ -2067,6 +2069,15 @@
*
* offsets are relative to beginning of struct ebt_entry (i.e., 0).
*/
+ for (i = 0; i < 4 ; ++i) {
+ if (offsets[i] >= *total)
+ return -EINVAL;
+ if (i == 0)
+ continue;
+ if (offsets[i-1] > offsets[i])
+ return -EINVAL;
+ }
+
for (i = 0, j = 1 ; j < 4 ; j++, i++) {
struct compat_ebt_entry_mwt *match32;
unsigned int size;
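Review bot: The new validation loop hard-codes the bound in `for (i = 0; i < 4 ; ++i)` and has no comment of its own stating what it enforces. If `offsets` is a local array (its declaration is outside the hunk), `ARRAY_SIZE(offsets)` would keep this loop and the one below in step. I would also add `/* offsets are user-supplied: each must lie inside the entry and they must not decrease */` above the loop so the two `-EINVAL` returns are self-explanatory.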
diff --git a/sound/soc/msm/qdsp6v2/msm-lsm-client.c b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
index 6f25512..d42b954 100644
--- a/sound/soc/msm/qdsp6v2/msm-lsm-client.c
+++ b/sound/soc/msm/qdsp6v2/msm-lsm-client.c
@@ -1148,7 +1148,7 @@
}
size = sizeof(*user) + userarg32.payload_size;
- user = kmalloc(size, GFP_KERNEL);
+ user = kzalloc(size, GFP_KERNEL);
if (!user) {
dev_err(rtd->dev,
"%s: Allocation failed event status size %d\n",
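Review bot: `size = sizeof(*user) + userarg32.payload_size;` adds a caller-supplied length just before the `kzalloc()`, and the bound on `payload_size` is not visible in this hunk (the block closing on the line above may hold it). If no bound is enforced, the sum could wrap and the allocation would be smaller than later copies expect. The same applies to the hunks at -1169 and -1583. A short comment at each site, e.g. `/* zeroed: buffer contents are returned to userspace */`, would record why `kzalloc()` is required, provided that is what happens to the buffer. The functions extend outside all three hunks.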
@@ -1169,7 +1169,7 @@
err = -EFAULT;
}
if (!err) {
- user32 = kmalloc(size, GFP_KERNEL);
+ user32 = kzalloc(size, GFP_KERNEL);
if (!user32) {
dev_err(rtd->dev,
"%s: Allocation event user status size %d\n",
@@ -1583,7 +1583,7 @@
size = sizeof(struct snd_lsm_event_status) +
userarg.payload_size;
- user = kmalloc(size, GFP_KERNEL);
+ user = kzalloc(size, GFP_KERNEL);
if (!user) {
dev_err(rtd->dev,
"%s: Allocation failed event status size %d\n",