* refs/heads/tmp-736005d
Linux 4.4.196
NFC: fix attrs checks in netlink interface
smack: use GFP_NOFS while holding inode_smack::smk_lock
Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
net/rds: Fix error handling in rds_ib_add_one()
xen-netfront: do not use ~0U as error return value for xennet_fill_frags()
sch_dsmark: fix potential NULL deref in dsmark_init()
nfc: fix memory leak in llcp_sock_bind()
net: qlogic: Fix memory leak in ql_alloc_large_buffers
net: ipv4: avoid mixed n_redirects and rate_tokens usage
ipv6: drop incoming packets having a v4mapped source address
hso: fix NULL-deref on tty open
ANDROID: binder: synchronize_rcu() when using POLLFREE.
ANDROID: binder: remove waitqueue when thread exits.
kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K
ocfs2: wait for recovering done after direct unlock request
hypfs: Fix error number left in struct pointer member
fat: work around race with userspace's read via blockdev while mounting
security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb()
HID: apple: Fix stuck function keys when using FN
ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as writes
mfd: intel-lpss: Remove D3cold delay
scsi: core: Reduce memory required for SCSI logging
powerpc/pseries: correctly track irq state in default idle
powerpc/64s/exception: machine check use correct cfar for late handler
vfio_pci: Restore original state on release
pinctrl: tegra: Fix write barrier placement in pmx_writel
powerpc/pseries/mobility: use cond_resched when updating device tree
powerpc/futex: Fix warning: 'oldval' may be used uninitialized in this function
powerpc/rtas: use device model APIs and serialization during LPM
clk: sirf: Don't reference clk_init_data after registration
clk: qoriq: Fix -Wunused-const-variable
ipmi_si: Only schedule continuously in the thread in maintenance mode
gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property()
video: ssd1307fb: Start page range at page_offset
Change-Id: If2b47b65954e56510e7a8b963a7110ebc9a4f1cc
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
* refs/heads/tmp-4af3204
Linux 4.4.195
Btrfs: fix race setting up and completing qgroup rescan workers
btrfs: Relinquish CPUs in btrfs_compare_trees
Btrfs: fix use-after-free when using the tree modification log
ovl: filter of trusted xattr results in audit
CIFS: Fix oplock handling for SMB 2.1+ protocols
i2c: riic: Clear NACK in tend isr
hwrng: core - don't wait on add_early_randomness()
quota: fix wrong condition in is_quota_modification()
ext4: fix punch hole for inline_data file systems
/dev/mem: Bail out upon SIGKILL.
cfg80211: Purge frame registrations on iftype change
md/raid6: Set R5_ReadError when there is read failure on parity disk
alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP
ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up
ASoC: Intel: Fix use of potentially uninitialized variable
media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table
KVM: x86: Manually calculate reserved bits when loading PDPTRS
KVM: x86: set ctxt->have_exception in x86_decode_insn()
KVM: x86: always stop emulation on page fault
parisc: Disable HP HSC-PCI Cards to prevent kernel crash
fuse: fix missing unlock_page in fuse_writepage()
printk: Do not lose last line in kmsg buffer dump
ALSA: firewire-tascam: check intermediate state of clock status and retry
ALSA: firewire-tascam: handle error code when getting current source of clock
media: omap3isp: Set device on omap3isp subdevs
btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type
ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93
media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()
libertas: Add missing sentinel at end of if_usb.c fw_table
mmc: sdhci: Fix incorrect switch to HS mode
ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set
kprobes: Prohibit probing on BUG() and WARN() address
dmaengine: ti: edma: Do not reset reserved paRAM slots
md/raid1: fail run raid1 array when active disk less than one
hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap'
ACPI: custom_method: fix memory leaks
libtraceevent: Change users plugin directory
ACPI / CPPC: do not require the _PSD method
media: ov9650: add a sanity check
media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate()
media: cpia2_usb: fix memory leaks
media: saa7146: add cleanup in hexium_attach()
media: hdpvr: add terminating 0 at end of string
media: radio/si470x: kill urb on error
net: lpc-enet: fix printk format strings
media: omap3isp: Don't set streaming state on random subdevs
dmaengine: iop-adma: use correct printk format strings
media: gspca: zero usb_buf on error
efi: cper: print AER info of PCIe fatal error
md: don't set In_sync if array is frozen
md: don't call spare_active in md_reap_sync_thread if all member devices can't work
ia64:unwind: fix double free for mod->arch.init_unw_table
ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid
base: soc: Export soc_device_register/unregister APIs
media: iguanair: add sanity checks
ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls()
ALSA: hda - Show the fatal CORB/RIRB error more clearly
x86/apic: Soft disable APIC before initializing it
x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails
sched/core: Fix CPU controller for !RT_GROUP_SCHED
sched/fair: Fix imbalance due to CPU affinity
media: hdpvr: Add device num check and handling
media: dib0700: fix link error for dibx000_i2c_set_speed
leds: leds-lp5562 allow firmware files up to the maximum length
dmaengine: bcm2835: Print error in case setting DMA mask fails
ASoC: sgtl5000: Fix charge pump source assignment
ALSA: hda: Flush interrupts on disabling
nfc: enforce CAP_NET_RAW for raw sockets
ieee802154: enforce CAP_NET_RAW for raw sockets
ax25: enforce CAP_NET_RAW for raw sockets
appletalk: enforce CAP_NET_RAW for raw sockets
mISDN: enforce CAP_NET_RAW for raw sockets
usbnet: sanity checking of packet sizes and device mtu
usbnet: ignore endpoints with invalid wMaxPacketSize
skge: fix checksum byte order
sch_netem: fix a divide by zero in tabledist()
openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC
net/phy: fix DP83865 10 Mbps HDX loopback disable function
cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
arcnet: provide a buffer big enough to actually receive packets
Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices
drm: Flush output polling on shutdown
f2fs: fix to do sanity check on segment bitmap of LFS curseg
Revert "f2fs: avoid out-of-range memory access"
f2fs: check all the data segments against all node ones
irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
locking/lockdep: Add debug_locks check in __lock_downgrade()
mac80211: handle deauthentication/disassociation from TDLS peer
mac80211: Print text for disassociation reason
ALSA: hda - Add laptop imic fixup for ASUS M9V laptop
ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt()
net: rds: Fix NULL ptr use in rds_tcp_kill_sock
crypto: talitos - fix missing break in switch statement
mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword()
HID: hidraw: Fix invalid read in hidraw_ioctl
HID: logitech: Fix general protection fault caused by Logitech driver
HID: lg: make transfer buffers DMA capable
HID: prodikeys: Fix general protection fault during probe
Revert "Bluetooth: validate BLE connection interval updates"
ANDROID: usb: gadget: Fix dependency for f_accessory
Remove taskname from lowmemorykiller kill reports
ANDROID: Fixes to locking around handle_lmk_event
Conflicts:
drivers/staging/android/lowmemorykiller.c
fs/f2fs/segment.c
fs/f2fs/super.c
Change-Id: Id4b74ec2b0512aa13bc4392d61d5092f633fed0e
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
This change is done to check the size of input before doing the
buffer copy.
Change-Id: I01f8b1f3c3b6e920f186f5f90ea9707bb25bcbbc
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>
callback
There is race condition around private data used in put() and get()
of few mixer ctls with close() callback. Added global mutex lock and
code changes to protect such critical section by accessing such lock.
Change-Id: I276c2a234cfcbef88b4272b945e5c3f121e8eb32
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
Current acc_relative_busy calculation is causing integer overflow
in 32 bit system. "stats->busy_time * stats->current_frequency"
results in a value which is beyond the 32 bit range.
Typecasting the value to u64 to avoid overflow.
Change-Id: Id97da02bef608787ceb7c9751bbfc203af56deb1
Signed-off-by: Harshitha Sai Neelati <hsaine@codeaurora.org>
In ioctls like kgsl_ioctl_submit_commands(), if both syncobj
type and cmd/marker/sparseobj type are submitted, the syncobj
is queued first followed by the other obj type. After syncobj
is successfully queued, in case of failure in get_timestamp
while queuing the other obj, both the command objs are
destroyed. As sync obj is already queued, accessing this
later would cause a crash.
Compare the user generated timestamp with the drawctxt
timestamp and return early in case of error. This avoids
unnecessary queuing of drawobjs.
Change-Id: I336c95c42ab1075d7653cba02772f92c918c884c
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
Signed-off-by: Harshitha Sai Neelati <hsaine@codeaurora.org>
The register window needs to be configed properly before accessing
any larger than 4K range PCIe registers. Expose the lock to WLAN
driver to avoid race condition when both drivers try to config it.
Change-Id: I94ccd963d4fd0a9715330d2e5733346ccd993ae1
Signed-off-by: Yue Ma <yuem@codeaurora.org>
When unloading the app, reset all client members to NULL
to protect from accessing the memory after being freed.
Change-Id: I573b9c6fde03539522d2b04724a2246660c62518
Signed-off-by: jitendra thakare <jitendrathakare@codeaurora.org>
[ Upstream commit 58e75155009cc800005629955d3482f36a1e0eec ]
As seen on some USB wireless keyboards manufactured by Primax, the HID
parser was using some assumptions that are not always true. In this case
it's s the fact that, inside the scope of a main item, an Usage Page
will always precede an Usage.
The spec is not pretty clear as 6.2.2.7 states "Any usage that follows
is interpreted as a Usage ID and concatenated with the Usage Page".
While 6.2.2.8 states "When the parser encounters a main item it
concatenates the last declared Usage Page with a Usage to form a
complete usage value." Being somewhat contradictory it was decided to
match Window's implementation, which follows 6.2.2.8.
In summary, the patch moves the Usage Page concatenation from the local
item parsing function to the main item parsing function.
Change-Id: Id25c0c7e11712501d117fb715b64db7772ac2066
Signed-off-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
Reviewed-by: Terry Junge <terry.junge@poly.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Git-commit: 5db3c5adf4
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Rahul Shahare <rshaha@codeaurora.org>
It seems there is out of bound access chances for lsm_app_type_cfg
array within msm_routing_get_lsm_app_type_cfg_control() callback.
Added case check to return invalid value if user tries to exceed
maximum allocated size of array to avoid it.
Change-Id: Ied86e6c9a957255c55bb126a09741fbde429be32
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
The reg in soc_mixer_control is 32-bit. When using
SOC_SINGLE_EXT, the value of FE DAI ID which is passed
as shift(to be operated on the reg) may be more than 31,
which may cause overflow.
Use SOC_DOUBLE_EXT instead of SOC_SINGLE_EXT so that the
reg field can be set to SOC_NO_PM to avoid any DAPM operation,
while passing BE and FE IDs in shift and rshift fields. And
these values can be retrieve in get/put functions and use them.
This is to avoid any possible overflow in DAPM operation.
Change-Id: I17fa4e059889ae725e6f015a779f518e6d0a813f
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
This change ask hypervisor to remove memory mapping for MSS
from IOMMU second stage table and assign the ownership back to
HLOS just after MBA is booted.
Presently this is being done only after MBA is booted and MDT is
authenticated.
Change-Id: I724c1bcc664827e666612dd34cd078f3f044498a
Signed-off-by: Avaneesh Kumar Dwivedi <akdwived@codeaurora.org>
Main DRM & eDRM driver has asynchronous probes. In order to ensure that
both the driver's probe has completed there is a wait for completion for
respective driver is executed. There is an issue where the
wait for the eDRM driver blocks the eDRM driver deferred probe call.
This change remove wait in the eDRM driver for completion of its probe
as eDRM driver is always initialized after main DRM and necessary clock
voting would also be done in main DRM.
Change-Id: I422419d381ad3d0361fb80f3b2b9d176203a9342
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>
In mdss_dsi_cmd_write, a failure in copying the cmds to
'string_buf' can cause an early return. In this case,
the 'pcmds->string_buf' won't be pointing to a valid
buffer. This can lead to use-after-free and memory leak.
To avoid this, assign the newly allocated buffer to
'pcmds->string_buf' after returning from krealloc call.
Change-Id: I286f12c86078d1989cb09453c8a395a4ad94b324
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
Votable callback accesses work structure as part of
their callback, initialize work before creation of votables.
Change-Id: I91741b3d54c73aab5c695a31292a32752edc77cd
Signed-off-by: Umang Chheda <uchheda@codeaurora.org>
Place check for mask size and validate source length against
sum of header length and mask size to prevent out of bound access.
Change-Id: I8ac089202b6e3007773b92be8cfdc52fcb30ec3c
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl2bi3UACgkQONu9yGCS
aT5v6A//e5UzgJT3Y/V8goghiTF4gQqUP0AWRhfV0oJqjoOYHpDFxIBZ/6kJOmnS
alYjMReNbjcYFg83MbCbggIm5BPfXFW7jtOWBHXuTBHQQv1Hj9tp6AA2dHe6ZLRs
LgYpwrUhj7HF1kNBK3Ax/ojhIwCcCPNpED1KMoudAv/PDPhX/PyA2DXrrjCwgI8B
lveownJVPhD/q6DMGjXpTkgBxtw/oKuJBz8fO0DzB7vwRacJXD9pCv7N8+wD3msY
TCZ1N9Pc2uhWYrNMefMsRlLsnI35Ohfm3dNmMA6V/NZ5so6knnymmOO/Sqah88iO
2AnTiqdqosv1LATxQPEMKTJpK+rXks24cLCAUhHgBfGE5zlLDhljVb2vAhXZgj6F
/yNRUxX90rcGJMrUmIvTGmlf/fYjduteDRdckyGZmkHN931LDTLQq7AACNbhV7Iy
HWAgkBUgCsdzzdPPWgVEv+e3l/0N01U5uVsMQa2JYl7SzzDEddu1h+0mKIuaNFNW
CyJngR2UDduvoQUAm6gk/izwG3bbsAwldCWNC5WYjz0SKJ1swJuqvUAk2U4xhh+x
hXBKTAr0RP0tOrxeSV1iMCf2IkA83f4r2imO+HTYr0Zvi+T5Pz+LEGs24pj+q2wi
0oxDCk4OaetukAnIANhG2NguFXgEdyZvqbJOHZH+dni/k9ybyq8=
=VjDb
-----END PGP SIGNATURE-----
Merge 4.4.196 into android-4.4-p
Changes in 4.4.196
video: ssd1307fb: Start page range at page_offset
gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property()
ipmi_si: Only schedule continuously in the thread in maintenance mode
clk: qoriq: Fix -Wunused-const-variable
clk: sirf: Don't reference clk_init_data after registration
powerpc/rtas: use device model APIs and serialization during LPM
powerpc/futex: Fix warning: 'oldval' may be used uninitialized in this function
powerpc/pseries/mobility: use cond_resched when updating device tree
pinctrl: tegra: Fix write barrier placement in pmx_writel
vfio_pci: Restore original state on release
powerpc/64s/exception: machine check use correct cfar for late handler
powerpc/pseries: correctly track irq state in default idle
scsi: core: Reduce memory required for SCSI logging
mfd: intel-lpss: Remove D3cold delay
ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as writes
HID: apple: Fix stuck function keys when using FN
security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb()
fat: work around race with userspace's read via blockdev while mounting
hypfs: Fix error number left in struct pointer member
ocfs2: wait for recovering done after direct unlock request
kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K
ANDROID: binder: remove waitqueue when thread exits.
ANDROID: binder: synchronize_rcu() when using POLLFREE.
hso: fix NULL-deref on tty open
ipv6: drop incoming packets having a v4mapped source address
net: ipv4: avoid mixed n_redirects and rate_tokens usage
net: qlogic: Fix memory leak in ql_alloc_large_buffers
nfc: fix memory leak in llcp_sock_bind()
sch_dsmark: fix potential NULL deref in dsmark_init()
xen-netfront: do not use ~0U as error return value for xennet_fill_frags()
net/rds: Fix error handling in rds_ib_add_one()
sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
smack: use GFP_NOFS while holding inode_smack::smk_lock
NFC: fix attrs checks in netlink interface
Linux 4.4.196
Change-Id: I7e03bb3ca1865988df014b8e38336b76430842a9
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 18917d51472fe3b126a3a8f756c6b18085eb8130 upstream.
nfc_genl_deactivate_target() relies on the NFC_ATTR_TARGET_INDEX
attribute being present, but doesn't check whether it is actually
provided by the user. Same goes for nfc_genl_fw_download() and
NFC_ATTR_FIRMWARE_NAME.
This patch adds appropriate checks.
Found with syzkaller.
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
