| Age | Commit message (Collapse) | Author |
|---|
|
2606196, 2604521, 2604522, 2606197, 2604523, 2605696, 2605697, 2605698, 2606198, 2604524, 2604525, 2604526, 2604300, 2604527, 2606199, 2604528, 2604529, 2604301, 2606200, 2604302, 2606410, 2606201, 2606411, 2606202, 2606413, 2606203, 2606414, 2604303, 2604304, 2606204, 2604305, 2606206, 2606207, 2604306, 2606415, 2606208, 2606209, 2606416] into nyc-mr1-volantis-release
Change-Id: Icf988c37299e82278aac900d52bc8675d9bc8ecf
|
|
1c36a774828 Revert "UPSTREAM: dm ioctl: prevent stack leak in dm ioctl call"
a8a638ee3ff Revert "BACKPORT: ALSA: timer: Fix race between read and ioctl"
4d3f8802e90 Revert "UPSTREAM: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT"
8c774705da4 UPSTREAM: mm: fix new crash in unmapped_area_topdown()
29ddf3d425d UPSTREAM: mm: larger stack guard gap, between vmas
49e5afd287b UPSTREAM: packet: fix races in fanout_add()
aca45be9587 UPSTREAM: mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
18828ac096d UPSTREAM: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT
6485db24b60 BACKPORT: ALSA: timer: Fix race between read and ioctl
1ac73a7cba5 BACKPORT: ext4: fix data exposure after a crash
b7d8bc35fe7 UPSTREAM: sctp: do not inherit ipv6_{mc|ac|fl}_list from parent
09481cd30a7 UPSTREAM: ipx: call ipxitf_put() in ioctl error path
50ee82cb713 net: wireless: bcmdhd: remove SDIO debug IOVARs causing out of bounds
last commits before this is:
98245ed4c59 net: wireless: bcmdhd: additional length check for BRCM EVENT frame.
NB: This reverts Bug: 35644370 which was part of August Kernel release
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 38413813
Bug: 37897645
Bug: 37751399
Bug: 62198330
Bug: 62298712
Bug: 62070688
Bug: 37622847
Change-Id: Ic1c66a41f4d362875c1b9fa54b33c4e8ff2994bd
(cherry picked from commit 713c52be98963b01d9ce323f4ab3b18beceaec81)
|
|
Change-Id: I9bfd38dd0243e80269340eed48e2d256fc65b32e
|
|
NOT MERGE
98245ed4c59 net: wireless: bcmdhd: additional length check for BRCM EVENT frame.
last commits before this are:
9d7ceb18f628 BACKPORT: ip6_gre: fix ip6gre_err() invalid reads
6fe4b76beddd BACKPORT: dccp/tcp: do not inherit mc_list from parent
e468d713930a UPSTREAM: dm ioctl: prevent stack leak in dm ioctl call
5c6ada561458 UPSTREAM: tcp: avoid infinite loop in tcp_splice_read()
c58990980e65 android: base-cfg: disable CONFIG_NFSD and CONFIG_NFS_FS
ec1f0ee6e6ef i2c: chip: CwMcuSensor: Fix Security Vulnerability
8054a1fe453e ASoC: tegra: check ucode upper limit
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 37168488
Change-Id: I251e83d0f3b964ab3805a93675dbf3bf8b1c58ce
(cherry picked from commit 4abf9ef5e8b8b4899f569fe2f7e1daedec68555f)
|
|
2420266, 2420284, 2420308, 2420342, 2420177, 2420195, 2420344, 2420345, 2420179, 2420324, 2420251, 2420269, 2420271, 2420325, 2420310, 2420220, 2420348, 2420291, 2420328, 2420330, 2420383, 2420331, 2420255, 2420296, 2420278, 2420229, 2420335] into nyc-mr1-volantis-release
Change-Id: I57b55b51fdf1f613504bbb92e403a01b1706eb31
|
|
9d7ceb18f628 BACKPORT: ip6_gre: fix ip6gre_err() invalid reads
6fe4b76beddd BACKPORT: dccp/tcp: do not inherit mc_list from parent
e468d713930a UPSTREAM: dm ioctl: prevent stack leak in dm ioctl call
5c6ada561458 UPSTREAM: tcp: avoid infinite loop in tcp_splice_read()
c58990980e65 android: base-cfg: disable CONFIG_NFSD and CONFIG_NFS_FS
ec1f0ee6e6ef i2c: chip: CwMcuSensor: Fix Security Vulnerability
8054a1fe453e ASoC: tegra: check ucode upper limit
last commit before this is:
fa2246232e88 UPSTREAM: net/packet: fix overflow in check for tp_reserve
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 37871211
Bug: 38413975
Bug: 35644370
Bug: 37901268
Bug: 37753761
Bug: 35472983
Bug: 35265193
Bug: 34112726
Change-Id: I95151b648a8d30769e570553791d12471beb9467
(cherry picked from commit 4229210c18170604ce13616a5544ffeea53d9129)
|
|
2337423, 2337481, 2337412, 2337521, 2337413, 2337426, 2337414, 2337415, 2337523, 2337502, 2337503, 2337524, 2337463, 2337483, 2337417, 2337427, 2337561, 2337464, 2337581, 2337484, 2337525, 2337526, 2337527, 2337394, 2337562, 2337528, 2337504, 2337563, 2337565, 2337584, 2337602, 2337530, 2337585, 2337532, 2337487, 2337396, 2337505, 2337432, 2337603, 2337604, 2337534, 2337536, 2337508, 2337606] into nyc-mr1-volantis-release
Change-Id: I93821109afbe5f3a6f203d84cf3d59f056d39e87
|
|
fa2246232e88 UPSTREAM: net/packet: fix overflow in check for tp_reserve
9dcce4e26077 UPSTREAM: net/packet: fix overflow in check for tp_frame_nr
65dc57b3bcec UPSTREAM: f2fs: sanity check segment count
14e11f26f858 UPSTREAM: net/packet: fix overflow in check for priv area size
432855dae96b net: wireless: bcmdhd: arpoe/ndoe IOVAR bug patch
77e08a529bf6 net: wireless: bcmdhd: adding boundary check in SWC gscan config
3a2dcef12385 video: tegra: dsi: Set max limit for reading panel
83b8866ff70a ANDROID: f2fs: sanity check checkpoint segno and blkoff
5bd9f926b4a0 UPSTREAM: timerfd: Protect the might cancel mechanism proper
040ec0da3218 BACKPORT: f2fs: sanity check log_blocks_per_seg
9674f946341f ANDROID: Fix the incompatible goto command in security Fix.
5a4753cfca09 BACKPORT: [UPSTREAM] udf: Check component length before reading it
df981e278c2c BACKPORT: [UPSTREAM] udf: Verify i_size when loading inode
757833a2492b net: wireless: bcmdhd: adding boundary check in wl_cfg80211_mgmt_tx
last commit before this is:
b7c30cdef95b BACKPORT: selinux: fix off-by-one in setprocattr
Change-Id: I440cd89b1e84dbc0f288446c4ed1b1bdb6e21721
Bug: 36815012
Bug: 36725304
Bug: 38309523
Bug: 36000515
Bug: 34973477
Bug: 33718700
Bug: 36588520
Bug: 36266767
Bug: 36817013
Bug: 35808154
Bug: 35195787
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
(cherry picked from commit c660e23182ec24243120bddbf5603aa1246bbc07)
|
|
b7c30cdef95b BACKPORT: selinux: fix off-by-one in setprocattr
242be00a475d flounder_defconfig: Unsetting DEVPORT from config
b782e0c35315 UPSTREAM: char: lack of bool string made CONFIG_DEVPORT always on
15cfbef59a5b UPSTREAM: char: Drop bogus dependency of DEVPORT on !M68K
277fcbbf8321 BACKPORT: dccp: fix freeing skb too early for IPV6_RECVPKTINFO
d0fb858824cb i2c: chip: CwMcuSensor: Fix Security Vulnerability
703b41c5433c input: synaptics_dsx: validate bounds of intr_reg_num
34597d088801 flounder: FIQ and sysrq default deauthorized
last commit before this is:
0a2199e7ff4e net: wireless: bcmdhd: fix for IOVAR GET failed
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 35136920
Bug: 37210310
Bug: 36604779
Bug: 35784697
Bug: 37280933
Bug: 35472278
Bug: 36101220
Change-Id: I11cdc1eead5bdf0dcab06b1597f7cb5bffa409c7
(cherry picked from commit a9732f325f5928014a3e96d0f83c4c99c9d35cf4)
|
|
NOT MERGE)
VERY Late additions:
2199e7ff4e net: wireless: bcmdhd: fix for IOVAR GET failed
last commit before this is belongs to 2017 May NYC-MR1 Security part Deux release:
93cfabdf1495 xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 36000515
Change-Id: I69a7b70aaa61c83c69903b084fd02e43e751f8a3
(cherry picked from commit 6033adaae3770dc7fa6ed86788d30f1bf3ebaf50)
|
|
978597436301 Prevent heap overflow in uvc driver
4cc129c974d6 FROMLIST: trace: resolve stack corruption due to string copy
8a475ed425fc video: tegra: nvmap: fix time-of-check,time-of-use vulnerability
c7f2efaf7c87 tracing: do not leak kernel addresses
3924db4103e2 perf: Tighten (and fix) the grouping condition
828ea88cf83d ALSA: pcm : Call kill_fasync() in stream lock
441bd8d46cda UPSTREAM: staging: ion: Fix error handling in ion_buffer_create
3c459473801c UPSTREAM: regulator: core: Fix regualtor_ena_gpio_free not to access pin after freeing
last commit before this set is:
52d51e398e02 net: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref (part deux)
Bug: 33300353
Bug: 35399704
Bug: 34113000
Bug: 34277115
Bug: 34515362
Bug: 34068036
Bug: 34283718
Bug: 35399757
Change-Id: Ia3d5caae784783a67cb9befc301b0ee2ecff3630
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit 98301f934e2fb8e24276bfa6a1b14ff4ff527629)
|
|
52d51e398e02 net: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref (part deux)
0903d4e74cd0 net: wireless: bcmdhd: remove unused WEXT file.
3b8aee094f32 sdcardfs: limit stacking depth
488daa8100ef BACKPORT: fs: limit filesystem stacking depth
74d0e4d3d96d ANDROID: fix acl leaks
09f0a7d2a3fb FROMLIST: 9p: fix a potential acl leak
7cf54a589cab BACKPORT: posix_acl: Clear SGID bit when setting file permissions
5d09e9c8a524 net: wireless: bcmdhd: Heap overflow in wl_run_escan.
44d21038cc3e net: wireless: bcmdhd: Fix for arbitrary memory free.
e217cbbeb160 net: wireless: bcmdhd: fix overrun in wl_run_escan
95e9b66a92b9 tegra-cryptodev:Fix untrusted pointer dereference in SHA
8517de73b111 tegra-cryptodev:check valid SHA message length
2217aff90f97 net: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref
0b6a98b1cc99 flounder_defconfig: disable tegra-cryptodev
last commit before this set is:
420e75934c58 gpu: nvgpu: serialize debug session IOCTLs
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 34469904
Bug: 32124445
Bug: 32761463
Bug: 32458736
Bug: 34197514
Bug: 34199963
Bug: 34198729
Bug: 34624457
Bug: 33898322
Bug: 33893669
Bug: 27930566
Bug: 33812508
Change-Id: I6e10b51b77da839ebec0b80e93f51a7e06986b7f
(cherry picked from commit 8fa76979267bf593a6e194417898883eca5600cb)
|
|
(Part Deux)
420e75934c58 gpu: nvgpu: serialize debug session IOCTLs
20d455bebf0d gpu: nvgpu: gk20a: wrap debug session as optional (retry)
last commit before this set is:
c6b8a6328289 UPSTREAM: packet: fix race condition in packet_set_ring
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 31799885
Bug: 32370135
Change-Id: I3fa5242a0abb53db4b6cf8128a2414800b817cc0
(cherry picked from commit 8af1048bde145dafff6852c64d989b4e86f11117)
|
|
c6b8a6328289 UPSTREAM: packet: fix race condition in packet_set_ring
010ecd6508e4 UPSTREAM: l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
3ef97317b30d flounder: disable i2c hid driver
a02fb61b4fd8 input: synaptics: put offset checks under mutex.
b45b23e70847 net: rmnet_data: Fix incorrect netlink handling
687e106e7ffb video: tegra: host: Fix overflow issues in allocation
9252b229ed96 UPSTREAM: net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
36e266348e92 ANDROID: ion: check for kref overflow
5851803561a3 i2c: chip: CwMcuSensor: Fix Security Vulnerability
a075f8ab69f6 android: fiq_debugger: restrict access to critical commands.
fb2e6cf549dc rt5506: limit set mode call to MAX_REG_DATA
last commit before this set is:
37e3bbe88107 Revert "gpu: nvgpu: gk20a: wrap debug session as optional"
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 33358926
Bug: 33753815
Bug: 33040280
Bug: 33555878
Bug: 33002026
Bug: 31252965
Bug: 34132950
Bug: 33363517
Bug: 31992382
Bug: 33897738
Bug: 33899318
Bug: 32402555
Bug: 33547247
Change-Id: Ied94029dc2bad5947c1c80e80c8073d7b01baa5a
(cherry picked from commit 267102fa214797e2fb7208cdf7f93144bf531681)
|
|
37e3bbe Revert "gpu: nvgpu: gk20a: wrap debug session as optional"
eb4422e gpu: nvgpu: Fix pgsz_idx used in gk20a_vm_alloc_space()
2fde6b7 synaptics: remove sysfs
fe956f0 BACKPORT: aio: mark AIO pseudo-fs noexec
8f74ca4 tegra: remove information leak in syncpt_name_show
2c46670 gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX
990e7c0 video: tegra: nvmap: Check if handle holds a buffer before map
230f280 rt5677: protect model_buf and model_len
01599d0 fs/proc/array.c: make safe access to group_leader
last commit before this set is:
f7e8d07 net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()
NB: Bug 32370135 is reverted
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 33379507
Bug: 33260045
Bug: 33461166
Bug: 32636619
Bug: 31913571
Bug: 31711619
Bug: 32721029
Bug: 32401526
Bug: 31801045
Bug: 32705232
Bug: 31495866
Change-Id: I06d649a5f1fa0300a3d8b416c0b994db291a30bb
(cherry picked from commit 3da918bdd823aea54986f9875d67c7d610554447)
|
|
717090a gpu: nvgpu: gk20a: wrap debug session as optional
caused problems in gpu-related activities.
Bug: 33379507
Bug: 33260045
Bug: 32370135
Bug: 33461166
This reverts commit 1f1c93dec3d1a056c750a47052e87500232b5628.
Change-Id: Ie9c071a464e3ffb9dff3b02d4a0b0bda76ce0b01
|
|
f7e8d07 net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()
c3c4f0a video: tegra: host: fix create fence error checks
717090a gpu: nvgpu: gk20a: wrap debug session as optional
78c92d7 net: wireless: bcmdhd: fix overrun in dhd_pno_set_cfg_gscan
22a5a2f input: synaptics_dsx: add update bounds checks.
99a3450 net: wireless: bcmdhd: fix buffer overrun in wl_cfgvendor_hotlist_cfg
8353016 net: wireless: bcmdhd: Fix up the BRCM wifi DHD code
f6bfb80 net: wireless: bcmdhd: fix buffer overrun in private command path
ab21147 net: wireless: bcmdhd: fix buffer overrun in anqpo config
d237fba nvmap_ioctl_pinop failure to initialize addr field
8aa87ee video: tegra: host: Add submit checks
5d5095d ALSA: info: Check for integer overflow in snd_info_entry_write()
38b7b94 perf: don't leave group_entry on sibling list (use-after-free)
2190da5 media: tegra: nvavp: Fix UAF issue.
e85b751 video: tegra: nvmap: fix nvmap create handle vulnerability
e7c1f64 tegra: information leak in GET_STATUS ioctl command
b6dea2e gpu: nvgpu: fix crash in gk20a_channel_release
11603a5 video: tegra: host: Protect channel ioctl
fd89df9 video: tegra: host: Prevent the race between channel open and close
ca04323 video: tegra: nvmap: Fix OOB vulnerability
4af032a net: wireless: bcmdhd: Heap over write in dhdmsgbuf_query_ioctl
last commit before this set is:
e912bb7 BACKPORT: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 32838767
Bug: 31801049
Bug: 31799885
Bug: 32370135
Bug: 32174590
Bug: 31525965
Bug: 31968442
Bug: 32474971
Bug: 32219255
Bug: 29000183
Bug: 32219453
Bug: 31668540
Bug: 31799834
Bug: 32510733
Bug: 32402548
Bug: 31798848
Bug: 32160775
Bug: 31351206
Bug: 31799206
Bug: 32225180
Bug: 31797770
Bug: 31993456
Bug: 31822524
Change-Id: I8266f01735312c7bc55f1c91ff3afd8ac0a54861
(cherry picked from commit 1f1c93dec3d1a056c750a47052e87500232b5628)
|
|
|
|
MERGE) am: cc8b6f5a7c
am: 37a37ed70c -s ours
Change-Id: I857ee0221184cc67fcac8e708e94cd7f8893f141
|
|
am: cc8b6f5a7c
Change-Id: I42475b955876247461d48f067ae9e5ac932ac5d8
|
|
Contains Dec 2016 Security
e912bb7 BACKPORT: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 32141528
Change-Id: I14c634a0fe431c435fe22f83cbc67f029a775b48
|
|
ef951c8 BACKPORT: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
last commit before this set is:
ffa1067 perf: protect group_leader from races that cause ctx double-free
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 32141528
Change-Id: I23f5e85dfc5963f94123927ccfc37ec928c6bc3b
|
|
1d805588dd
am: 9706f09716 -s ours
Change-Id: Id646e5f3a4c9d7d2980de8aaa54f18beb1f7153b
|
|
am: 1d805588dd
Change-Id: I024102d820672fa6d8649cebb80461d42695c4fc
|
|
ffa1067 perf: protect group_leader from races that cause ctx double-free
6dd381a BACKPORT: perf: Fix event->ctx locking
486a516 binder: blacklist %p kptr_restrict
a3257b9 net: ping: Fix stack buffer overflow in ping_common_sendmsg()
dba01f1 drivers: video: Add bounds checking in fb_cmap_to_user
7ab118a UPSTREAM: arm64: make sys_call_table const
528f6d8 gpu: nvgpu: fix use-after-free in case of error notifier
bdd624a netfilter: Change %p to %pK in debug messages
8b0d13e gpu: nvgpu: add ptr validation for vm_map_buffer
8c9d0d2 gpu: nvgpu: Add ref counting to channels
a59b1ae tfa9895l: kernel heap buffer out of bounds access in ioctl
8acf118 rt5506: OOB access
07069e7 tfa9895: kernel heap buffer out of bounds access in ioctl
27524d6 video: tegra: host: add upper bound for num_syncpt_incrs
09bd6dc video: tegra: host: fix integer overflow
df7cf51 video: tegra: host: fix possible overflow with num_syncpt_incrs
e18d78b video: tegra: nvmap: prevent kernel information leak
c0a04c8 input: synaptics_dsx: add bounds checks for firmware id
004fe58 UPSTREAM: staging/android/ion : fix a race condition in the ion driver
2850f0d UPSTREAM: KEYS: Fix race between key destruction and finding a keyring by name
d88cdad usb: diag: change %p to %pK in debug messages
cd6328c video: tegra: nvmap: fix possible use after free
9ff4a0c usb: diag: prevent showing the address of kernel variable 'port'
df89305 video: tegra: nvmap: fix information leak
0efedaf tegra: nvmap: prevent showing the address of kernel variable 'handle'
8c28e9c input: synaptics_dsx: add checks of user input data for image name
last commit before this set is:
6acf95d input: touchscreen: Synaptics: prevent sysfs races
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 30955111
Bug: 31095224
Bug: 31495231
Bug: 31349935
Bug: 31651010
Bug: 31660652
Bug: 31910462
Bug: 31796940
Bug: 28300481
Bug: 31680980
Bug: 31386004
Bug: 31251496
Bug: 31384646
Bug: 31471161
Bug: 31496571
Bug: 31911920
Bug: 31568617
Bug: 31253168
Bug: 31495348
Bug: 31222873
Bug: 31496950
Bug: 31385953
Bug: 31495687
Bug: 31913197
Change-Id: I571594e3df13a40a374827a29eebce392f6965bd
|
|
Contains Dec 2016 Security
3c31376 net: ping: Fix stack buffer overflow in ping_common_sendmsg()
c8ca63b binder: blacklist %p kptr_restrict
992db73 drivers: video: Add bounds checking in fb_cmap_to_user
d29115f UPSTREAM: arm64: make sys_call_table const
2078b7f gpu: nvgpu: fix use-after-free in case of error notifier
3b239c4 netfilter: Change %p to %pK in debug messages
90d0178 gpu: nvgpu: add ptr validation for vm_map_buffer
36e5283 gpu: nvgpu: Add ref counting to channels
b9ae0d3 tfa9895l: kernel heap buffer out of bounds access in ioctl
b0f0c73 rt5506: OOB access
a6f8152 tfa9895: kernel heap buffer out of bounds access in ioctl
32dd706 video: tegra: host: add upper bound for num_syncpt_incrs
b7ef3cd video: tegra: host: fix possible overflow with num_syncpt_incrs
aa70a15 video: tegra: host: fix integer overflow
0034369 video: tegra: nvmap: prevent kernel information leak
eb3b98d input: synaptics_dsx: add bounds checks for firmware id
aa55627 UPSTREAM: staging/android/ion : fix a race condition in the ion driver
ba78d6d UPSTREAM: KEYS: Fix race between key destruction and finding a keyring by name
75f902e perf: protect group_leader from races that cause ctx double-free
49d16f6 BACKPORT: perf: Fix event->ctx locking
de55d30 usb: diag: change %p to %pK in debug messages
c93feb1 video: tegra: nvmap: fix possible use after free
232ec80 usb: diag: prevent showing the address of kernel variable 'port'
b860552 video: tegra: nvmap: fix information leak
2a85b06 tegra: nvmap: prevent showing the address of kernel variable 'handle'
9b59154e input: synaptics_dsx: add checks of user input data for image name
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 31349935
Bug: 31495231
Bug: 31651010
Bug: 31660652
Bug: 31910462
Bug: 31796940
Bug: 28300481
Bug: 31680980
Bug: 31386004
Bug: 31251496
Bug: 31384646
Bug: 31471161
Bug: 31496571
Bug: 31911920
Bug: 31568617
Bug: 31253168
Bug: 30955111
Bug: 31095224
Bug: 31495348
Bug: 31222873
Bug: 31496950
Bug: 31385953
Bug: 31495687
Bug: 31913197
Change-Id: Ia5d8e7a47cb1dc0e0dea32268110a1ed906937c5
|
|
|
|
0a879a2705
am: 38b695f04f -s ours
Change-Id: Ifafbfc3b0c7e2b46a651418c1dda29e8a90de78b
|
|
am: 0a879a2705
Change-Id: I7120f34dcfce3d09700ae4e1359a58616ea07a82
|
|
6acf95d input: touchscreen: Synaptics: prevent sysfs races
3a8c228 input: synaptics: defer sysfs creation during init
a420466 BACKPORT: audit: fix a double fetch in audit_log_single_execve_arg()
d11e05b cgroup: prefer %pK to %p
fac16f6 UPSTREAM: perf: Fix race in swevent hash
90f103f input: synaptics_dsx: add checks of user input data
9c43405 BACKPORT: ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
baad3a9 BACKPORT: ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
73422f2 UPSTREAM: block: fix use-after-free in sys_ioprio_get()
d280a3b UPSTREAM: HID: core: prevent out-of-bound readings
717d787 BACKPORT: tty: Prevent ldisc drivers from re-using stale tty fields
17423fb UPSTREAM: proc: prevent accessing /proc/<PID>/environ until it's ready
162aca3 UPSTREAM: [media] xc2028: unlock on error in xc2028_set_config()
f2a9870 UPSTREAM: [media] xc2028: avoid use after free
b408bd4 UPSTREAM: block: fix use-after-free in seq file
0724ef9 UPSTREAM: USB: cdc-acm: more sanity checking
a795801 UPSTREAM: USB: iowarrior: fix oops with malicious USB descriptors
7fd2bd0 UPSTREAM: USB: usb_driver_claim_interface: add sanity checking
02dd2b2 UPSTREAM: USB: mct_u232: add sanity checking in probe
8d72f1b UPSTREAM: USB: cypress_m8: add endpoint sanity check
490e3c7 UPSTREAM: Input: powermate - fix oops with malicious USB descriptors
eebf8d2 ASoC: check for null function pointer for dummy device read/write
31b3db7 quadd: add nr_events check
b81ed20 Tegra TLK Driver missing kernel heap allocation succeeded check
fc62c36 UPSTREAM: tcp: fix use after free in tcp_xmit_retransmit_queue()
last commit before this set is:
e8084ec binder: prevent kptr leak by using %pK format specifier HAHA
NB: Bug: 28694392 in security bulletin does not apply to this kernel
NB: Bug: 27532522 in security bulletin does not apply to this kernel
NB: Bug: 30400942 in security bulletin does not apply to this kernel
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 31252388
Bug: 30799828
Bug: 30956807
Bug: 30149174
Bug: 30952077
Bug: 30937462
Bug: 30952477
Bug: 30946378
Bug: 30951261
Bug: 30951112
Bug: 30951939
Bug: 30946097
Bug: 30942273
Bug: 28242610
Bug: 28838221
Bug: 29492476
Bug: 30259274
Bug: 31183296
Change-Id: Id9897cb78a4a604a24df904a7ae9675fc696262f
|
|
de7c57d input: touchscreen: Synaptics: prevent sysfs races
fcf9059 input: synaptics: defer sysfs creation during init
3724945 net: inet: diag: expose the socket mark to privileged processes.
a6226bb net: diag: make udp_diag_destroy work for mapped addresses.
f7d5f82 net: diag: support SOCK_DESTROY for UDP sockets
d4c5e38 net: diag: allow socket bytecode filters to match socket marks
4a63970 net: diag: slightly refactor the inet_diag_bc_audit error checks.
41e1e3f net: diag: Add support to filter on device index
4bc74f1 BACKPORT: audit: fix a double fetch in audit_log_single_execve_arg()
8c43520 UPSTREAM: ARM: 8494/1: mm: Enable PXN when running non-LPAE kernel on LPAE processor
5bc4531 BACKPORT: ARM: 8235/1: Support for the PXN CPU feature on ARMv7
dd7047a cgroup: prefer %pK to %p
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 31252388
Bug: 30799828
Bug: 30956807
Bug: 31161206
Bug: 30149174
Change-Id: Ic4a45f414d783b97d54c9ec9a73d04cbf599fc59
|
|
9c4afa9 UPSTREAM: perf: Fix race in swevent hash
639e0ec UPSTREAM: perf: Prevent false warning in perf_swevent_add
ff10406 UPSTREAM: perf: Fix hotplug splat
a9bb706 input: synaptics_dsx: add checks of user input data
bdcd4484 UPSTREAM: capabilities: ambient capabilities
0e7ad12 BACKPORT: ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
5982d2e BACKPORT: ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
b581331 pstore: drop pmsg bounce buffer
fbb62d1 UPSTREAM: block: fix use-after-free in sys_ioprio_get()
8aaed94 UPSTREAM: HID: core: prevent out-of-bound readings
b307df3 BACKPORT: tty: Prevent ldisc drivers from re-using stale tty fields
d85e322 Don't show empty tag stats for unprivileged uids
991eaa6 UPSTREAM: proc: prevent accessing /proc/<PID>/environ until it's ready
12f0688 UPSTREAM: [media] xc2028: unlock on error in xc2028_set_config()
9469da1 UPSTREAM: [media] xc2028: avoid use after free
300e001 UPSTREAM: block: fix use-after-free in seq file
6a88f39 ANDROID: base-cfg: enable SECCOMP config
801c5f9 UPSTREAM: USB: cdc-acm: more sanity checking
2fac1c2 UPSTREAM: USB: iowarrior: fix oops with malicious USB descriptors
e846f8e UPSTREAM: USB: usb_driver_claim_interface: add sanity checking
2633b8d UPSTREAM: USB: mct_u232: add sanity checking in probe
7a17891 UPSTREAM: USB: cypress_m8: add endpoint sanity check
cb2cecc UPSTREAM: Input: powermate - fix oops with malicious USB descriptors
4f73004 Revert "netfilter: have ip*t REJECT set the sock err when an icmp is to be sent"
6ff842a ANDROID: MMC: Fix a 32 bit build breakage.
d54ba4d UPSTREAM: af_unix: Guard against other == sk in unix_dgram_sendmsg
9e63349 UPSTREAM: ALSA: timer: Fix race among timer ioctls
4a55158 ASoC: check for null function pointer for dummy device read/write
2fbdb8e quadd: add nr_events check
209e5c6 Tegra TLK Driver missing kernel heap allocation succeeded check
a31bf47 UPSTREAM: tcp: fix use after free in tcp_xmit_retransmit_queue()
NB: removed commits already present, or that were added then reverted
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 30952077
Bug: 30937462
Bug: 31038224
Bug: 30952477
Bug: 31057326
Bug: 30946378
Bug: 30951261
Bug: 30951112
Bug: 31183296
Bug: 27577101
Bug: 27532522
Bug: 30951939
Bug: 30946097
Bug: 30942273
Bug: 28242610
Bug: 28719525
Bug: 28694392
Bug: 28838221
Bug: 29492476
Bug: 30259274
Change-Id: I4114b2eea0123d4e1f4dba413dc51061f468bfa2
|
|
98c9a26 Merge tag 'v3.10.103' into android-tegra-flounder-3.10-nyc-mr1
Bug: 28242610
Bug: 30259163
Change-Id: I0b2cb81c25ab004bae28543d2f108bb2ba24d33d
Signed-off-by: Greg Hackmann <ghackmann@google.com>
|
|
ours am: 226d8f3d31 am: 2704efd084 -s ours am: 9f1f6253d8
am: c47012a709
Change-Id: I1c767ce4457b4fdb1c94dbe639f0fbe20e4096ce
|
|
ours am: 226d8f3d31 am: 2704efd084 -s ours
am: 9f1f6253d8
Change-Id: Id5488a188eeda3b35f9ecf6def62162d4a6386de
|
|
ours am: 226d8f3d31
am: 2704efd084 -s ours
Change-Id: Ie91d5e6932f6f74b58d8367e7c2d3e3a9ba631a1
|
|
ours
am: 226d8f3d31
Change-Id: Ie8607c6110a99d8dd0e6af145a9c7591064be40f
|
|
am: f76c52bbae -s ours
Change-Id: Iea1fc49b4ea9e30c99aae47439f78299f48c6ef3
|
|
am: 2e7131e65b
Change-Id: I53d9b92d0703189b8f33e4ba24345e3608cbdb52
|
|
am: 659282afac
Change-Id: I025ed29c184be0dc3ef773d624c2611159f7e906
|
|
ae993e4 media: tegra: Add MFI init/de-init code for drv201
16d2f32 dts: flounder: remove camera dtsi files.
b08f52c flounder: register camera devices using boardfiles
b3cc6ee binder: prevent kptr leak by using %pK format specifier
073e023 tegra: quadd: fix stack information leak bug in case IOCTL_GET_STATE
503f192 ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
bfeb261 ANDROID: binder: Add strong ref checks
5793f33 quadd: fix stack info leak when getting capabilities
a3879a6 mmc: card: test: Fix out of boundary array access
d85ccef BACKPORT: Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
a7f13e9 UPSTREAM: ecryptfs: don't allow mmap when the lower fs doesn't support it
acd30a1 BACKPORT: tcp: make challenge acks less predictable
a0541b7 UPSTREAM: net: Fix use after free in the recvmmsg exit path
ae1e9cf tegra: quadd: fix stack information disclose bug
79baf4a6e gpu: nvgpu: initialize local variable
95bac36 staging: android: Change %p to %pK in debug messages
NB: commit/reverts squashed out of list
Right after Sep MR2 commit
493780e ANDROID: tegra: cl_dvfs arbitrary kernel memory access
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 28760138
Bug: 30143283
Bug: 30148243
Bug: 30149612
Bug: 30162222
Bug: 30163101
Bug: 30204201
Bug: 30259955
Bug: 30445380
Bug: 30515201
Bug: 30593080
Bug: 30768347
Bug: 30809774
Change-Id: I74420eba5bd067e5e137058959bb8852d98c822b
|
|
e8084ec binder: prevent kptr leak by using %pK format specifier
56b36fc tegra: quadd: fix stack information leak bug in case IOCTL_GET_STATE
9bf0af9 ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
fad3cb3 ANDROID: binder: Add strong ref checks
a16cab6 quadd: fix stack info leak when getting capabilities
0e1e56d mmc: card: test: Fix out of boundary array access
1ac2e09 media: tegra: Add MFI init/de-init code for drv201
5c0ed9b dts: flounder: remove camera dtsi files.
230b602 flounder: register camera devices using boardfiles
e693691 ipv6: fix endianness error in icmpv6_err
4944f26 net: ipv6: Fix ping to link-local addresses.
39e7abb BACKPORT: Bluetooth: Fix potential NULL dereference in RFCOMM bind callback
952f5d2 UPSTREAM: ecryptfs: don't allow mmap when the lower fs doesn't support it
67418b6 BACKPORT: tcp: make challenge acks less predictable
5293558 UPSTREAM: net: Fix use after free in the recvmmsg exit path
a689639 tegra: quadd: fix stack information disclose bug
e8d1e37 gpu: nvgpu: initialize local variable
5b14cdf staging: android: Change %p to %pK in debug messages
0ae8be1 flounder: Add IPv6 rpfilter support.
NB: commit/reverts squashed out of list.
last commit before this set is:
a139acc ANDROID: tegra: cl_dvfs arbitrary kernel memory access
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 9580643
Bug: 28760138
Bug: 29370996
Bug: 30143283
Bug: 30148243
Bug: 30149612
Bug: 30162222
Bug: 30163101
Bug: 30204201
Bug: 30259955
Bug: 30298058
BUG: 30445380
Bug: 30515201
Bug: 30593080
Bug: 30768347
Bug: 30809774
Change-Id: I03a5e1dccb8360b0b2fc61cf59db236ca065ac4a
|
|
|
|
am: 104e3442c9 -s ours
Change-Id: Ia2ec991e6abf4136065aba6138d869ca4ade0942
|
|
a139acc ANDROID: tegra: cl_dvfs arbitrary kernel memory access
c267ff1 CHROMIUM: android: binder: Fix potential scheduling-while-atomic
7e6931a fs: ext4: disable support for fallocate FALLOC_FL_PUNCH_HOLE
2dd005c media: tegra: nvavp: Fix reloc offset check
4584ab1 input: synaptics_dsx: allocate heap memory for temp buf
005fd17 net: wireless: bcmdhd: security vulnerability - protect array overflow in PNO
1f23703 UPSTREAM: netfilter: x_tables: make sure e->next_offset covers remaining blob size
5f24fc4 UPSTREAM: netfilter: x_tables: validate e->target_offset early
b211bd6 UPSTREAM: KEYS: Fix ASN.1 indefinite length object parsing
a738ffa UPSTREAM: ALSA: control: Fix replacing user controls
e11ce62 UPSTREAM: ppp: take reference on channels netns
51ca447 UPSTREAM: ipv6: tcp: add rcu locking in tcp_v6_send_synack()
e5ee61a UPSTREAM: netfilter: x_tables: fix unconditional helper
a49c3c3 UPSTREAM: ipv6: Don't reduce hop limit for an interface
af1c2a8 UPSTREAM: ipv4: try to cache dst_entries which would cause a redirect
8d579e4 UPSTREAM: ASN.1: Fix non-match detection failure on data overrun
eaa2cf6 ANDROID: sdcardfs: fix itnull.cocci warnings
8a1b654 android-recommended.cfg: enable fstack-protector-strong
552e984 UPSTREAM: KEYS: close race between key lookup and freeing
500635f sdcardfs: Truncate packages_gid.list on overflow
e0328ff UPSTREAM: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
67b6ba5 UPSTREAM: udp: fix behavior of wrong checksums
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 27441354
Bug: 28744625
Bug: 28751627
Bug: 28760453
Bug: 28799389
Bug: 28940694
Bug: 28967314
Bug: 28979703
Bug: 29009982
Bug: 29119002
Bug: 29409847
Bug: 29506807
Bug: 29507402
Bug: 29510361
Bug: 29518457
Bug: 29535845
Bug: 29637687
Bug: 29814470
Bug: 29823941
Bug: 29916012
Bug: 30013843
Bug: 30141999
Change-Id: Ie72e5f7db40e8f20e1a7c8f4f383584ef032cadf
|
|
ours am: e327abc3c6 am: 0f5ff2e504 -s ours
am: 62259caa60
Change-Id: I1ad1e5ef38727718d156a259123fdcd5c8aa64bf
|
|
ours am: e327abc3c6
am: 0f5ff2e504 -s ours
Change-Id: If50af0bdcf7d95fb576ae5957e8bef475d290d1d
|
|
ours
am: e327abc3c6
Change-Id: I8ac046c3d65078774697282f85d87f767a2f11f2
|
|
am: 61a74bfa4f -s ours
Change-Id: Ida32e42d3303a961f6e4df29a16f53a0d78e6586
|
|
493780e ANDROID: tegra: cl_dvfs arbitrary kernel memory access
8e273f9 fs: ext4: disable support for fallocate FALLOC_FL_PUNCH_HOLE
c59ee86 input: synaptics_dsx: allocate heap memory for temp buf
84f914b media: tegra: nvavp: Fix reloc offset check
0a9adfe UPSTREAM: netfilter: x_tables: make sure e->next_offset covers remaining blob size
f58bfc8 UPSTREAM: netfilter: x_tables: validate e->target_offset early
5cf11fb net: wireless: bcmdhd: security vulnerability - protect array overflow in PNO
31c9e4e UPSTREAM: KEYS: close race between key lookup and freeing
a2d9037 UPSTREAM: udp: fix behavior of wrong checksums
967a801 UPSTREAM: ipv4: try to cache dst_entries which would cause a redirect
2d35672 UPSTREAM: ALSA: control: Fix replacing user controls
d537a3b UPSTREAM: ipv6: Don't reduce hop limit for an interface
9b8063d UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue
5394663 UPSTREAM: ppp: take reference on channels netns
365fccd UPSTREAM: netfilter: x_tables: fix unconditional helper
5898717 BACKPORT: KEYS: potential uninitialized variable
a57aa23 BACKPORT: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
Right after Aug MR2 commit
21b3591 UPSTREAM: usbnet: cleanup after bind() in probe()
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 27441354
Bug: 28760453
Bug: 28799389
Bug: 28940694
Bug: 28979703
Bug: 29009982
Bug: 29119002
Bug: 29371030 28744625
Bug: 29409847
Bug: 29506807
Bug: 29507402
Bug: 29510361
Bug: 29518457
Bug: 29535845
Bug: 29637687
Bug: 29731397
Bug: 29823941
Bug: 29916012
Change-Id: I658fea969abf90a95e37e3801e4309639b69a7d4
|
