| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\
| |
| |
| |
| |
| | |
https://android.googlesource.com/kernel/msm into cm-14.1
Android 7.1.1 Release 0.52 (N4F26W,seed)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
commit 197c949e7798fbf28cfadc69d9ca0c2abbf93191 upstream.
Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.
In this case,
skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
msg->msg_iov);
returns -EFAULT.
This bug does not happen in upstream kernels since Al Viro did a great job to replace this into :
skb_copy_and_csum_datagram_msg(skb,sizeof(struct udphdr), msg);
This variant is safe vs short buffers.
For the time being, instead reverting Herbert Xu patch and add back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic skb_copy_and_csum_datagram_iovec() call.
This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.16: adjusted context ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Signed-off-by: Charles (Chas) Williams <ciwillia@brocade.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 98f57e42cab062608cf3dce2b8eecbb2a0780ac4)
Bug: 32813456
Change-Id: I0ed569f72b2caf368c4413ac565073ff17492ea8
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
rmnet_data netlink handler currently does not check for the
incoming process pid and instead just loops back the pid.
A malicious root user could potentially send a message with
source pid 0 and this could cause rmnet_data to loop the message
back till an out of memory situation occurs.
rmnet_data also does not check for the message length of the
incoming netlink messages and instead casts the netlink message
without checking for the boundary.
Fix these two scenarios by adding the pid and message length checks
respectively.
Bug: 31252965
CRs-Fixed: 1098801
Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allowing services to be registered on a non-client port will cause
either an existing service or a control port to be over-written. This will
cause undefined functional behavior.
Allow the services to be registered only on client ports.
Bug: 33277611
CRs-Fixed: 1101792
Change-Id: If6cfc75e9314204b7b44957f1598a8a2e1a45325
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit 84ac7260236a49c79eede91617700174c2c19b0c)
When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.
This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.
The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ice451620ecf2c2a5ba3709f45fbb5f3f5c5bb389
Bug: 33358926
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290)
CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...
Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.
This needs to be backported to all known linux kernels.
Again, many thanks to syzkaller team for discovering this gem.
Change-Id: I2b621c28c02267af5b34a379b2970fe5fb61a4f6
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug: 33363517
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
rmnet_data netlink handler currently does not check for the
incoming process pid and instead just loops back the pid.
A malicious root user could potentially send a message with
source pid 0 and this could cause rmnet_data to loop the message
back till an out of memory situation occurs.
rmnet_data also does not check for the message length of the
incoming netlink messages and instead casts the netlink message
without checking for the boundary.
Fix these two scenarios by adding the pid and message length checks
respectively.
Bug: 31252965
CRs-Fixed: 1098801
Change-Id: I172c1a7112e67e82959b397af7ddfd963d819bdc
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Allowing services to be registered on a non-client port will cause
either an existing service or a control port to be over-written. This will
cause undefined functional behavior.
Allow the services to be registered only on client ports.
Bug: 33277611
CRs-Fixed: 1101792
Change-Id: If6cfc75e9314204b7b44957f1598a8a2e1a45325
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit 84ac7260236a49c79eede91617700174c2c19b0c)
When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.
This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.
The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ice451620ecf2c2a5ba3709f45fbb5f3f5c5bb389
Bug: 33358926
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290)
CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...
Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.
This needs to be backported to all known linux kernels.
Again, many thanks to syzkaller team for discovering this gem.
Change-Id: I2b621c28c02267af5b34a379b2970fe5fb61a4f6
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug: 33363517
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Message notifications contains an additional uid field. This field
represents the uid that was responsible for waking the radio. And hence
it is present only in notifications stating that the radio is now
active.
Change-Id: I18fc73eada512e370d7ab24fc9f890845037b729
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Bug: 20264396
|
| |\|
| |
| |
| |
| |
| | |
https://android.googlesource.com/kernel/msm into cm-14.1
Change-Id: I535707379d360c4c4724ae3e329388a2fc72ef87
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In ping_common_sendmsg(), when len < icmph_len, memcpy_fromiovec()
will access invalid memory because msg->msg_iov only has 1 element
and memcpy_fromiovec() attempts to increment it. KASAN report:
BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
Read of size 8 by task trinity-c2/9623
page:ffffffbe034b9a08 count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G BU 3.18.0-dirty #15
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
[< inline >] __dump_stack lib/dump_stack.c:15
[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
[< inline >] print_address_description mm/kasan/report.c:147
[< inline >] kasan_report_error mm/kasan/report.c:236
[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
[< inline >] check_memory_region mm/kasan/kasan.c:264
[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
[< inline >] memcpy_from_msg include/linux/skbuff.h:2667
[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
[< inline >] __sock_sendmsg_nosec net/socket.c:624
[< inline >] __sock_sendmsg net/socket.c:632
[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
[< inline >] SYSC_sendto net/socket.c:1797
[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761
Memory state around the buggy address:
ffffffc071077c80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 f1 f1
ffffffc071077d00: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2
>ffffffc071077d80: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
^
ffffffc071077e00: 00 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
ffffffc071077e80: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
Bug: 31349935
Change-Id: Ib7385fc26dfe7e07e9bab42a10ff65a37cbaab54
Signed-off-by: Siqi Lin <siqilin@google.com>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system settings.
Use %pK instead of %p, which also evaluates whether
kptr_restrict is set.
Bug: 31796940
Change-Id: Ia2946d6b493126d68281f97778faf578247f088e
Signed-off-by: Min Chong <mchong@google.com>
|
| | |
| |
| |
| |
| |
| |
| | |
This reverts commit 6f489c42a92e0e33d4257017d6fd4a3e79f75f79.
Bug: 28719525
Change-Id: I77707cc93b3c5f0339e6bce36734027586c639d3
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds the capability for a process that has CAP_NET_ADMIN on
a socket to see the socket mark in socket dumps.
Commit a52e95abf772 ("net: diag: allow socket bytecode filters to
match socket marks") recently gave privileged processes the
ability to filter socket dumps based on mark. This patch is
complementary: it ensures that the mark is also passed to
userspace in the socket's netlink attributes. It is useful for
tools like ss which display information about sockets.
[backport of net-next d545caca827b65aab557a9e9dcdcf1e5a3823c2d]
Change-Id: I0c9708aae5ab8dfa296b8a1e6aecceb2a382415a
Tested: https://android-review.googlesource.com/270210
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
udp_diag_destroy does look up the IPv4 UDP hashtable for mapped
addresses, but it gets the IPv4 address to look up from the
beginning of the IPv6 address instead of the end.
[backport of net-next f95bf346226b9b79352e05508beececc807cc37a]
Change-Id: I86665b3f4e17c29afd496571d30cec7d14672009
Tested: https://android-review.googlesource.com/269874
Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets")
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This implements SOCK_DESTROY for UDP sockets similar to what was done
for TCP with commit c1e64e298b8ca ("net: diag: Support destroying TCP
sockets.") A process with a UDP socket targeted for destroy is awakened
and recvmsg fails with ECONNABORTED.
[backport of net-next 5d77dca82839ef016a93ad7acd7058b14d967752]
Change-Id: I84e71e774c859002f98dcdb5e0ca01f35227a44c
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows a privileged process to filter by socket mark when
dumping sockets via INET_DIAG_BY_FAMILY. This is useful on
systems that use mark-based routing such as Android.
The ability to filter socket marks requires CAP_NET_ADMIN, which
is consistent with other privileged operations allowed by the
SOCK_DIAG interface such as the ability to destroy sockets and
the ability to inspect BPF filters attached to packet sockets.
[backport of net-next a52e95abf772b43c9226e9a72d3c1353903ba96f]
Change-Id: Ic02caf628a71007cc7c48c9da220b4088f5aa4f4
Tested: https://android-review.googlesource.com/261350
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This simplifies the code a bit and also allows inet_diag_bc_audit
to send to userspace an error that isn't EINVAL.
[backport of net-next 627cc4add53c0470bfd118002669205d222d3a54]
Change-Id: I3afb83931e3dfb56c4c5c2f6567305981458c694
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add support to inet_diag facility to filter sockets based on device
index. If an interface index is in the filter only sockets bound
to that index (sk_bound_dev_if) are returned.
[backport of net-next 637c841dd7a5f9bd97b75cbe90b526fa1a52e530]
Change-Id: Ib430cfb44f1b3b1a771a561247ee9140737e52fd
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit a5527dda344fff0514b7989ef7a755729769daa1)
The unix_dgram_sendmsg routine use the following test
if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to
unlock
the same spin lock twice for a non-blocking send. Add a other != sk
check to guard against this.
Fixes: 7d267278a9ec ("unix: avoid use-after-free in
ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixes: Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e
("UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue")
Change-Id: I4ebef6a390df3487903b166b837e34c653e01cb2
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Bug: 29119002
Change-Id: I7551c495e3a105ff349ec07be5642508d9184910
|
| | |
| |
| |
| |
| |
| |
| | |
This reverts commit 6f489c42a92e0e33d4257017d6fd4a3e79f75f79.
Bug: 28719525
Change-Id: I77707cc93b3c5f0339e6bce36734027586c639d3
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This adds the capability for a process that has CAP_NET_ADMIN on
a socket to see the socket mark in socket dumps.
Commit a52e95abf772 ("net: diag: allow socket bytecode filters to
match socket marks") recently gave privileged processes the
ability to filter socket dumps based on mark. This patch is
complementary: it ensures that the mark is also passed to
userspace in the socket's netlink attributes. It is useful for
tools like ss which display information about sockets.
[backport of net-next d545caca827b65aab557a9e9dcdcf1e5a3823c2d]
Change-Id: I0c9708aae5ab8dfa296b8a1e6aecceb2a382415a
Tested: https://android-review.googlesource.com/270210
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
udp_diag_destroy does look up the IPv4 UDP hashtable for mapped
addresses, but it gets the IPv4 address to look up from the
beginning of the IPv6 address instead of the end.
[backport of net-next f95bf346226b9b79352e05508beececc807cc37a]
Change-Id: I86665b3f4e17c29afd496571d30cec7d14672009
Tested: https://android-review.googlesource.com/269874
Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets")
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This implements SOCK_DESTROY for UDP sockets similar to what was done
for TCP with commit c1e64e298b8ca ("net: diag: Support destroying TCP
sockets.") A process with a UDP socket targeted for destroy is awakened
and recvmsg fails with ECONNABORTED.
[backport of net-next 5d77dca82839ef016a93ad7acd7058b14d967752]
Change-Id: I84e71e774c859002f98dcdb5e0ca01f35227a44c
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This allows a privileged process to filter by socket mark when
dumping sockets via INET_DIAG_BY_FAMILY. This is useful on
systems that use mark-based routing such as Android.
The ability to filter socket marks requires CAP_NET_ADMIN, which
is consistent with other privileged operations allowed by the
SOCK_DIAG interface such as the ability to destroy sockets and
the ability to inspect BPF filters attached to packet sockets.
[backport of net-next a52e95abf772b43c9226e9a72d3c1353903ba96f]
Change-Id: Ic02caf628a71007cc7c48c9da220b4088f5aa4f4
Tested: https://android-review.googlesource.com/261350
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This simplifies the code a bit and also allows inet_diag_bc_audit
to send to userspace an error that isn't EINVAL.
[backport of net-next 627cc4add53c0470bfd118002669205d222d3a54]
Change-Id: I3afb83931e3dfb56c4c5c2f6567305981458c694
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add support to inet_diag facility to filter sockets based on device
index. If an interface index is in the filter only sockets bound
to that index (sk_bound_dev_if) are returned.
[backport of net-next 637c841dd7a5f9bd97b75cbe90b526fa1a52e530]
Change-Id: Ib430cfb44f1b3b1a771a561247ee9140737e52fd
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit a5527dda344fff0514b7989ef7a755729769daa1)
The unix_dgram_sendmsg routine use the following test
if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to
unlock
the same spin lock twice for a non-blocking send. Add a other != sk
check to guard against this.
Fixes: 7d267278a9ec ("unix: avoid use-after-free in
ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixes: Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e
("UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue")
Change-Id: I4ebef6a390df3487903b166b837e34c653e01cb2
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Bug: 29119002
Change-Id: I7551c495e3a105ff349ec07be5642508d9184910
|
| |\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
https://android.googlesource.com/kernel/msm into cm-14.0
616a355 Remove unneeded .a files for ft8716 driver by Robb Glasser · 4 weeks ago android-msm-seed-3.10-nougat android-7.0.0_r0.21
79abacc Revert "Revert "add new tp driver and lcd driver"" by Robb Glasser · 4 weeks ago
1e6834e Revert "add new tp driver and lcd driver" by Robb Glasser · 5 weeks ago
aac1b45 net: ipv6: Fix ping to link-local addresses. by Lorenzo Colitti · 8 weeks ago
7c1b6fb ipv6: fix endianness error in icmpv6_err by Hannes Frederic Sowa · 4 months ago
37734ea add new tp driver and lcd driver by yanghong1 · 7 weeks ago
1f38892 ANDROID: binder: Add strong ref checks by Arve Hjønnevåg · 9 weeks ago
56934a5 ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct by Arve Hjønnevåg · 8 weeks ago
c9a7674 ASoC: msm: qdsp6v2: Add size check in audio cal ioctl by vivek mehta · 3 months ago
1742f13 UPSTREAM: arm64: perf: reject groups spanning multiple HW PMUs by Suzuki K. Poulose · 1 year, 7 months ago
7dc0b6d binder: prevent kptr leak by using %pK format specifier by Ariel Yin · 7 weeks ago
bd49595 BACKPORT: Bluetooth: Fix potential NULL dereference in RFCOMM bind callback by Jaganath Kanakkassery · 1 year, 5 months ago
59cdc27 qcacld-2.0: Remove the support for iw_set_priv ioctl by Ariel Yin · 7 weeks ago
df5503f qseecom: validate the inputs of __qseecom_send_modfd_resp by Ariel Yin · 7 weeks ago
f71e28c input: synaptics: allocate heap memory for temp buf by Ariel Yin · 6 weeks ago
90ac992 msm: camera: sensor: Fix use after free condition by Ariel Yin · 7 weeks ago
25c9ecb arm64: dma-mapping: always clear allocated buffers by Ariel Yin · 7 weeks ago
9df7240 wlan: Remove the support for setwpaie ioctl by Ariel Yin · 7 weeks ago
b0a00a2 BACKPORT: tcp: make challenge acks less predictable by Eric Dumazet · 3 months ago
9ec7e19 msm: crypto: Fix integer overflow check in qcedev driver by Biswajit Paul · 10 weeks ago
48052f2 msm: mdss: Fix to validate data copied from user space by Naseer Ahmed · 9 weeks ago
31e62b1 msm: camera: restructure data handling to be more robust by Ariel Yin · 7 weeks ago
9cbae20 ASoC: msm-lsm-client: free lsm client data in msm_lsm_close by Ariel Yin · 7 weeks ago
364625b staging: android: Change %p to %pK in debug messages by Ariel Yin · 7 weeks ago
5458c42 misc: qcom: qdsp6v2: Add missing initialization by vivek mehta · 8 weeks ago
1e84157 wlan: fix buffer overflow in linkspeed ioctl by Ariel Yin · 7 weeks ago
00c1b70 msm: mdss: Correct block id check for mdss_mdp_misr_table by Ariel Yin · 7 weeks ago
21c7f58 qcacld-2.0: Resolve buffer overflow issue while processing GET_CFG IOCTL by Hanumantha Reddy Pothula · 6 months ago
40ab0c1 wcnss: Avoid user buffer overloading for write cal data by Ariel Yin · 7 weeks ago
49082cb UPSTREAM: net: Fix use after free in the recvmmsg exit path by Arnaldo Carvalho de Melo · 7 months ago
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
ping_v6_sendmsg does not set flowi6_oif in response to
sin6_scope_id or sk_bound_dev_if, so it is not possible to use
these APIs to ping an IPv6 address on a different interface.
Instead, it sets flowi6_iif, which is incorrect but harmless.
Stop setting flowi6_iif, and support various ways of setting oif
in the same priority order used by udpv6_sendmsg.
[Backport of net 5e457896986e16c440c97bb94b9ccd95dd157292]
Bug: 29370996
Change-Id: I2c8bc213c417a4427f64439e0954138cb30416c2
Tested: https://android-review.googlesource.com/#/c/254470/
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
IPv6 ping socket error handler doesn't correctly convert the new 32 bit
mtu to host endianness before using.
[Cherry-pick of net dcb94b88c09ce82a80e188d49bcffdc83ba215a6]
Bug: 29370996
Change-Id: Idf475e2555252d91e1d3fa92071a661242780074
Cc: Lorenzo Colitti <lorenzo@google.com>
Fixes: 6d0bfe22611602f ("net: ipv6: Add IPv6 support to the ping socket.")
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from 951b6a0717db97ce420547222647bcc40bf1eacd)
addr can be NULL and it should not be dereferenced before NULL checking.
Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Change-Id: I18bda54bb1427d9443a39a04a5c551720118dc26
Bug: 30149612
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit 75ff39ccc1bd5d3c455b6822ab09e533c551f758)
Yue Cao claims that current host rate limiting of challenge ACKS
(RFC 5961) could leak enough information to allow a patient attacker
to hijack TCP sessions. He will soon provide details in an academic
paper.
This patch increases the default limit from 100 to 1000, and adds
some randomization so that the attacker can no longer hijack
sessions without spending a considerable amount of probes.
Based on initial analysis and patch from Linus.
Note that we also have per socket rate limiting, so it is tempting
to remove the host limit in the future.
v2: randomize the count of challenge acks per second, not the period.
Fixes: 282f23c6ee34 ("tcp: implement RFC 5961 3.2")
Reported-by: Yue Cao <ycao009@ucr.edu>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ib46ba66f5e4a5a7c81bfccd7b0aa83c3d9e1b3bb
Bug: 30809774
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
(cherry picked from commit 34b88a68f26a75e4fded796f1a49c40f82234b7d)
The syzkaller fuzzer hit the following use-after-free:
Call Trace:
[<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
[<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
[< inline >] SYSC_recvmmsg net/socket.c:2281
[<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
[<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
And, as Dmitry rightly assessed, that is because we can drop the
reference and then touch it when the underlying recvmsg calls return
some packets and then hit an error, which will make recvmmsg to set
sock->sk->sk_err, oops, fix it.
Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Change-Id: I2adb0faf595b7b634d9b739dfdd1a47109e20ecb
Bug: 30515201
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Print format %p displays the kernel address while bypassing the
kptr_restrict sysctl settings.
Change the print format for addresses from %p to %pK. If
kptr_restrict is enabled, addresses are printed as zeroes. To view
the actual addresses, disable kptr_restrict by -
echo 0 > /proc/sys/kernel/kptr_restrict
CRs-Fixed: 987054
Change-Id: Icb8ef62c8263ae7b17d6883c0e6a1c93d2156a6a
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add the MAPv4 ingress and data format handlers. MAPv4 requires the
checksum for uplink TCP and UDP packets to be 1's complemented
before passing the packet onto the physical netdevice.
This workaround is needed due to failures seen in hardware while
processing translated packets.
Change-Id: Ib79382fa7e8b2bd0c1adbe68b8de75f1602df10b
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Conflicts:
include/uapi/linux/rmnet_data.h
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Add UL checksum offload routines for MAPv3. Can bypass checksum software
for IPv4/IPv6 TCP/UDP protocols.
Set rmnet_data VNDs hw_flags to NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM to
define the checksum offload abilities.
Add UL checksum meta-info header for IPv4/IPv6 TCP/UDP packets for which
UL checksum is being offloaded.
Change-Id: Ief139d357b528aead66acfe39a5227328b8fbf93
Signed-off-by: Sivan Reinstein <sivanr@codeaurora.org>
[subashab@codeaurora.org: Fix trivial merge conflicts in
net/rmnet_data/rmnet_data_trace.h]
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Checksum offload routine should skip checksum fixup computation on
IPv4 UDP packets which have the checksum field set to 0 by the sender.
This is allowed by RFC768. Packets are marked as checksum unnecessary
and shipped up the stack as-is.
Change-Id: I0432c3e1b25196134ecc8bbbe23c9cab46666d5c
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Specifications state that the MAP packet length in the MAP header do
not account for the number of bytes of packet trailer from DL checksum
offload. Current implementation does not take this into account when
MAP aggregation is enabled.
Fix this by accounting for the extra bytes of the DL checksum trailer
if DL checksum offload is enabled when computing packet length during
MAP deaggregation.
Change-Id: I9c10bb9726413b1f14f94210dbe194c2c15349f5
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Previously, one new work-queue item was created and scheduled with
schedule_work() for each VND getting unregistered. Since we know the
exact set of VNDs which need to be cleared ahead of time, the VNDs
are added to a list and freed at the same time with a single work-queue
task. This saves us from having to malloc/schedule/free for each
VND and provides a speed up on some low tier hardware.
CRs-Fixed: 738039
Change-Id: I02d4de1308a2aed9d493f6fd58cf0984265facba
Acked-by: Nagarjuna Chaganti <nchagant@qti.qualcomm.com>
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Added trace points to debug processing time of rmnet_config_notify_cb.
Additionally, tracepoints were added for succesfull associate/unassociate
events. Needed to debug unusually slow cleanup.
New trace points are:
rmnet_unregister_cb_unhandled
rmnet_unregister_cb_entry
rmnet_unregister_cb_exit
rmnet_unregister_cb_clear_vnds
rmnet_unregister_cb_clear_lepcs
rmnet_associate
rmnet_unassociate
Change-Id: I0269435d9c7234ef21092ba13510fff106a1966f
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
IPC Router binds any port as a control port and moves it from the client
port list to control port list. Misbehaving clients can exploit this
incorrect behavior.
IPC Router to check if the port is a client port before binding it as a
control port.
CRs-Fixed: 974577
Change-Id: I9f189b76967d5f85750218a7cb6537d187a69663
Signed-off-by: Karthikeyan Ramasubramanian <kramasub@codeaurora.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
An AF_UNIX datagram socket being the client in an n:1 association with
some server socket is only allowed to send messages to the server if the
receive queue of this socket contains at most sk_max_ack_backlog
datagrams. This implies that prospective writers might be forced to go
to sleep despite none of the message presently enqueued on the server
receive queue were sent by them. In order to ensure that these will be
woken up once space becomes again available, the present unix_dgram_poll
routine does a second sock_poll_wait call with the peer_wait wait queue
of the server socket as queue argument (unix_dgram_recvmsg does a wake
up on this queue after a datagram was received). This is inherently
problematic because the server socket is only guaranteed to remain alive
for as long as the client still holds a reference to it. In case the
connection is dissolved via connect or by the dead peer detection logic
in unix_dgram_sendmsg, the server socket may be freed despite "the
polling mechanism" (in particular, epoll) still has a pointer to the
corresponding peer_wait queue. There's no way to forcibly deregister a
wait queue with epoll.
Based on an idea by Jason Baron, the patch below changes the code such
that a wait_queue_t belonging to the client socket is enqueued on the
peer_wait queue of the server whenever the peer receive queue full
condition is detected by either a sendmsg or a poll. A wake up on the
peer queue is then relayed to the ordinary wait queue of the client
socket via wake function. The connection to the peer wait queue is again
dissolved if either a wake up is about to be relayed or the client
socket reconnects or a dead peer is detected or the client socket is
itself closed. This enables removing the second sock_poll_wait from
unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
that no blocked writer sleeps forever.
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM
sockets")
Reviewed-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I897bceae9f0605f7e7a1d8955b77e3a61b37b675
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(cherry pick from commit 54d83fc74aa9ec72794373cb47432c5f7fb1a309)
Ben Hawkes says:
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset.
Problem is that mark_source_chains should not have been called --
the rule doesn't have a next entry, so its supposed to return
an absolute verdict of either ACCEPT or DROP.
However, the function conditional() doesn't work as the name implies.
It only checks that the rule is using wildcard address matching.
However, an unconditional rule must also not be using any matches
(no -m args).
The underflow validator only checked the addresses, therefore
passing the 'unconditional absolute verdict' test, while
mark_source_chains also tested for presence of matches, and thus
proceeeded to the next (not-existent) rule.
Unify this so that all the callers have same idea of 'unconditional rule'.
Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: I47ec0713ac563ac244200c7b2c54f09a91aceabc
Bug: 28940694
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(cherry pick from commit 6fd99094de2b83d1d4c8457f2c83483b2828e75a)
A local route may have a lower hop_limit set than global routes do.
RFC 3756, Section 4.2.7, "Parameter Spoofing"
> 1. The attacker includes a Current Hop Limit of one or another
> small
> number which the attacker knows will cause legitimate packets to
> be dropped before they reach their destination.
> As an example, one possible approach to mitigate this threat is to
> ignore very small hop limits. The nodes could implement a
> configurable minimum hop limit, and ignore attempts to set it below
> said limit.
Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I24ee5723e4bcb3fbdbf4308531ab58e9ff215e82
Bug: 29409847
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(cherry pick from commit df4d92549f23e1c037e83323aff58a21b3de7fe0)
Not caching dst_entries which cause redirects could be exploited by hosts
on the same subnet, causing a severe DoS attack. This effect aggravated
since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").
Lookups causing redirects will be allocated with DST_NOCACHE set which
will force dst_release to free them via RCU. Unfortunately waiting for
RCU grace period just takes too long, we can end up with >1M dst_entries
waiting to be released and the system will run OOM. rcuos threads cannot
catch up under high softirq load.
Attaching the flag to emit a redirect later on to the specific skb allows
us to cache those dst_entries thus reducing the pressure on allocation
and deallocation.
This issue was discovered by Marcelo Leitner.
Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I2928da29b79a94b60023a1c19e464eece0f1dc7a
Bug: 29506807
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(cherry pick from commit a3cfde2a311c3679b414b46e29d1a184edf29b0a)
We have two problems in UDP stack related to bogus checksums :
1) We return -EAGAIN to application even if receive queue is not empty.
This breaks applications using edge trigger epoll()
2) Under UDP flood, we can loop forever without yielding to other
processes, potentially hanging the host, especially on non SMP.
This patch is an attempt to make things better.
We might in the future add extra support for rt applications
wanting to better control time spent doing a recv() in a hostile
environment. For example we could validate checksums before queuing
packets in socket receive queue.
Bug: 29507402
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
| |
|
|
|
|
|
|
|
|
| |
We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.
Change-Id: I1db791b7cbe8da8b0eed23032ab71312979de96c
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
