Add check for minimum length before typecasting to build mask
structure to prevent out of bound access while processing
get msg mask command.
CRs-Fixed: 2431047
Change-Id: I5b8341f278b0b46359800e43c604c5671261c728
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Validate the buffer size against the parsing command structure size
before parsing to prevent possible out of bound error case.
CRs-Fixed: 2437341
Change-Id: I31c9a556539fce403691294a76160ae4936e7065
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
While processing a packet containing command request, buffer size
need to be checked against size of the command structures that is
being parsed to prevent possible out of bound access.
CRs-Fixed: 2432633
Change-Id: I048bdbd0c096a6d03501bdd5b1d2d4bb50d45dd6
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Prevent possible out of bound access due to missing length check
while extracting dci packet response by adding proper checks.
CRs-Fixed: 2434571
Change-Id: I7b6972bf6559bdca99333a75d989cd6d3431b801
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Validate the dci entries and its task structure before
accessing structure members to prevent copying dci data to
invalid entries.
Change-Id: I07c59ef0705bc52a8268b0dc984ebfa9d26d178e
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Currently there a possibility of NULL pointer dereference while
accessing usb_info's buffer table due to missing proper protection.
The patch adds protection for the same.
Change-Id: I974a70a48e7ac47b42bc237aac4db1b9e47be6be
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Currently, there is possibility of memory leak due to not
freeing allocated memory for usb buffer's entry after
removing it from list. The patch handle this by freeing
the entry.
Change-Id: Idb08ecad859749e6ab1b09184362de38de4a9836
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Allocate all memory given to remote subsystem in the kernel
instead of mapping memory allocated in userspace.
Change-Id: I79c1f40d426e271403afa67514714fe6af26cf4e
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Changes the naming convention and adds
PID as suffix to the debugfs files.
Adds debugfs file data in the tabular format and also
creates global file in /sys/kernel/debug/adsprpc directory.
Change-Id: I25f3f7ea59dd39c9d44d99c8503f431f10072c33
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
Allocate all memory given to remote subsystem in the kernel
instead of mapping memory allocated in userspace.
Change-Id: I79c1f40d426e271403afa67514714fe6af26cf4e
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
There is a possibility of use-after-free and
double free because of not marking buffer as
NULL after freeing. The patch marks buffer
as NULL after freeing in error case.
Change-Id: Iacf8f8a4a4e644f48c87d5445ccd594766f2e156
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Changes the naming convention and adds
PID as suffix to the debugfs files.
Adds debugfs file data in the tabular format and also
creates global file in /sys/kernel/debug/adsprpc directory.
Change-Id: I25f3f7ea59dd39c9d44d99c8503f431f10072c33
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
Only include the MHI header file if CONFIG_MSM_MHI
is enabled, avoid compilation errors if the platform
does not support MHI.
Change-Id: Ic2d84a8bbd066d0d8e50711a7499ae9a959a0b71
Signed-off-by: Gustavo Solaira <gustavos@codeaurora.org>
There is a possibility of out-of-bound read if msg mask
ranges received from peripheral are more than max ssid per
range. Cap msg mask's ssid ranges to MAX_SSID_PER_RANGE if
ranges received from peripheral are greater than the same.
Change-Id: I886692ad223e16678bfaecbe381c62fdf3503cb5
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Move the mask_info mutex initialization outside mask structure
to facilitate prevention of out of bound access while initializing
msg mask during md session creation. Use separate msg_mask_tbl_count
for ODL session msg mask and regular msg mask to prevent out of
bound access in a possible race condition of accessing mask ranges.
Change-Id: I87497c67daff8cc1797a1266d50456bdbd3a9c23
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
* refs/heads/tmp-f057ff9
Linux 4.4.148
x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures
x86/init: fix build with CONFIG_SWAP=n
x86/speculation/l1tf: Fix up CPU feature flags
x86/mm/kmmio: Make the tracer robust against L1TF
x86/mm/pat: Make set_memory_np() L1TF safe
x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert
x86/speculation/l1tf: Invert all not present mappings
x86/speculation/l1tf: Fix up pte->pfn conversion for PAE
x86/speculation/l1tf: Protect PAE swap entries against L1TF
x86/cpufeatures: Add detection of L1D cache flush support.
x86/speculation/l1tf: Extend 64bit swap file size limit
x86/bugs: Move the l1tf function and define pr_fmt properly
x86/speculation/l1tf: Limit swap file size to MAX_PA/2
x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings
mm: fix cache mode tracking in vm_insert_mixed()
mm: Add vm_insert_pfn_prot()
x86/speculation/l1tf: Add sysfs reporting for l1tf
x86/speculation/l1tf: Make sure the first page is always reserved
x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation
x86/speculation/l1tf: Protect swap entries against L1TF
x86/speculation/l1tf: Change order of offset/type in swap entry
mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1
x86/mm: Fix swap entry comment and macro
x86/mm: Move swap offset/type up in PTE to work around erratum
x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
x86/irqflags: Provide a declaration for native_save_fl
kprobes/x86: Fix %p uses in error messages
x86/speculation: Protect against userspace-userspace spectreRSB
x86/paravirt: Fix spectre-v2 mitigations for paravirt guests
ARM: dts: imx6sx: fix irq for pcie bridge
IB/ocrdma: fix out of bounds access to local buffer
IB/mlx4: Mark user MR as writable if actual virtual memory is writable
IB/core: Make testing MR flags for writability a static inline function
fix __legitimize_mnt()/mntput() race
fix mntput/mntput race
root dentries need RCU-delayed freeing
scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled
ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
xen/netfront: don't cache skb_shinfo()
parisc: Define mb() and add memory barriers to assembler unlock sequences
parisc: Enable CONFIG_MLONGCALLS by default
fork: unconditionally clear stack on fork
ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
tpm: fix race condition in tpm_common_write()
ext4: fix check to prevent initializing reserved inodes
Linux 4.4.147
jfs: Fix inconsistency between memory allocation and ea_buf->max_size
i2c: imx: Fix reinit_completion() use
ring_buffer: tracing: Inherit the tracing setting to next ring buffer
ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle
ext4: fix false negatives *and* false positives in ext4_check_descriptors()
netlink: Don't shift on 64 for ngroups
netlink: Don't shift with UB on nlk->ngroups
netlink: Do not subscribe to non-existent groups
nohz: Fix local_timer_softirq_pending()
genirq: Make force irq threading setup more robust
scsi: qla2xxx: Return error when TMF returns
scsi: qla2xxx: Fix ISP recovery on unload
Conflicts:
include/linux/swapfile.h
Removed CONFIG_CRYPTO_ECHAINIV from defconfig files since this upmerge is
adding this config to Kconfig file.
Change-Id: Ide96c29f919d76590c2bdccf356d1d464a892fd7
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Applicable only for CDSP present branches. Not needed for 4.4 kernel.
This reverts commit 90cb306f50.
Change-Id: I645120212b2c9a43cb5d12cc866d5592979cd44b
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
commit 3ab2011ea368ec3433ad49e1b9e1c7b70d2e65df upstream.
There is a race condition in tpm_common_write function allowing
two threads on the same /dev/tpm<N>, or two different applications
on the same /dev/tpmrm<N> to overwrite each other commands/responses.
Fixed this by taking the priv->buffer_mutex early in the function.
Also converted the priv->data_pending from atomic to a regular size_t
type. There is no need for it to be atomic since it is only touched
under the protection of the priv->buffer_mutex.
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Reviewed-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The chances of accessing uninitialized mask is prevented
by adding null pointer checks for the mask structure and its
member pointer.
Change-Id: Ibf0467228794b773fc2537d34f1da6719bbb975a
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Currently protection is missing while accessing global
variable md_session_map. The patch adds protection before
accessing the same.
Change-Id: I165b9a7900cec20ca7970b37ca4823e2186fe27c
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Support 2 separate device nodes with this change, one for ADSP/SLPI
and another for CDSP.
Change-Id: I2a09ebfdeccd9a092b1a3602c249b2727ec91c92
Acked-by: Amol Mahesh <amahesh@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Currently, mutex protection is missing while accessing md session's
info via macro. The patch adds proper protection before accessing
the same.
Change-Id: I17b18183407279447229783fd0165337bd173423
Signed-off-by: Hardik Arya <harya@codeaurora.org>
* refs/heads/tmp-13962260
Linux 4.4.146
scsi: sg: fix minor memory leak in error path
crypto: padlock-aes - Fix Nano workaround data corruption
kvm: x86: vmx: fix vpid leak
virtio_balloon: fix another race between migration and ballooning
net: socket: fix potential spectre v1 gadget in socketcall
can: ems_usb: Fix memory leak on ems_usb_disconnect()
squashfs: more metadata hardenings
squashfs: more metadata hardening
netlink: Fix spectre v1 gadget in netlink_create()
net: dsa: Do not suspend/resume closed slave_dev
inet: frag: enforce memory limits earlier
tcp: add one more quick ack after after ECN events
tcp: refactor tcp_ecn_check_ce to remove sk type cast
tcp: do not aggressively quick ack after ECN events
tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode
tcp: do not force quickack when receiving out-of-order packets
NET: stmmac: align DMA stuff to largest cache line length
xen-netfront: wait xenbus state change when load module manually
net: lan78xx: fix rx handling before first packet is send
net: fix amd-xgbe flow-control issue
ipv4: remove BUG_ON() from fib_compute_spec_dst
ASoC: pxa: Fix module autoload for platform drivers
dmaengine: pxa_dma: remove duplicate const qualifier
ext4: check for allocation block validity with block group locked
ext4: fix inline data updates with checksums enabled
squashfs: be more careful about metadata corruption
random: mix rdrand with entropy sent in from userspace
drm: Add DP PSR2 sink enable bit
media: si470x: fix __be16 annotations
scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs
scsi: scsi_dh: replace too broad "TP9" string with the exact models
media: omap3isp: fix unbalanced dma_iommu_mapping
crypto: authenc - don't leak pointers to authenc keys
crypto: authencesn - don't leak pointers to authenc keys
usb: hub: Don't wait for connect state at resume for powered-off ports
microblaze: Fix simpleImage format generation
audit: allow not equal op for audit by executable
rsi: Fix 'invalid vdd' warning in mmc
ipconfig: Correctly initialise ic_nameservers
drm/gma500: fix psb_intel_lvds_mode_valid()'s return type
memory: tegra: Apply interrupts mask per SoC
memory: tegra: Do not handle spurious interrupts
ALSA: hda/ca0132: fix build failure when a local macro is defined
drm/atomic: Handling the case when setting old crtc for plane
media: siano: get rid of __le32/__le16 cast warnings
bpf: fix references to free_bpf_prog_info() in comments
thermal: exynos: fix setting rising_threshold for Exynos5433
scsi: megaraid: silence a static checker bug
scsi: 3w-xxxx: fix a missing-check bug
scsi: 3w-9xxx: fix a missing-check bug
perf: fix invalid bit in diagnostic entry
s390/cpum_sf: Add data entry sizes to sampling trailer entry
brcmfmac: Add support for bcm43364 wireless chipset
mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages
media: saa7164: Fix driver name in debug output
libata: Fix command retry decision
media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open()
dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA
tty: Fix data race in tty_insert_flip_string_fixed_flag
HID: i2c-hid: check if device is there before really probing
powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet
drm/radeon: fix mode_valid's return type
HID: hid-plantronics: Re-resend Update to map button for PTT products
ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback
media: smiapp: fix timeout checking in smiapp_read_nvm
md: fix NULL dereference of mddev->pers in remove_and_add_spares()
regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops
ALSA: emu10k1: Rate-limit error messages about page errors
scsi: ufs: fix exception event handling
mwifiex: correct histogram data with appropriate index
PCI: pciehp: Request control of native hotplug only if supported
pinctrl: at91-pio4: add missing of_node_put
powerpc/8xx: fix invalid register expression in head_8xx.S
powerpc/powermac: Mark variable x as unused
powerpc/powermac: Add missing prototype for note_bootable_part()
powerpc/chrp/time: Make some functions static, add missing header include
powerpc/32: Add a missing include header
ath: Add regulatory mapping for Bahamas
ath: Add regulatory mapping for Bermuda
ath: Add regulatory mapping for Serbia
ath: Add regulatory mapping for Tanzania
ath: Add regulatory mapping for Uganda
ath: Add regulatory mapping for APL2_FCCA
ath: Add regulatory mapping for APL13_WORLD
ath: Add regulatory mapping for ETSI8_WORLD
ath: Add regulatory mapping for FCC3_ETSIC
PCI: Prevent sysfs disable of device while driver is attached
btrfs: qgroup: Finish rescan when hit the last leaf of extent tree
btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups
media: videobuf2-core: don't call memop 'finish' when queueing
wlcore: sdio: check for valid platform device data before suspend
mwifiex: handle race during mwifiex_usb_disconnect
mfd: cros_ec: Fail early if we cannot identify the EC
ASoC: dpcm: fix BE dai not hw_free and shutdown
Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011
Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning
iwlwifi: pcie: fix race in Rx buffer allocator
perf/x86/intel/uncore: Correct fixed counter index check for NHM
perf/x86/intel/uncore: Correct fixed counter index check in generic code
usbip: usbip_detach: Fix memory, udev context and udev leak
f2fs: fix to don't trigger writeback during recovery
disable loading f2fs module on PAGE_SIZE > 4KB
RDMA/mad: Convert BUG_ONs to error flows
powerpc/64s: Fix compiler store ordering to SLB shadow area
hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common()
infiniband: fix a possible use-after-free bug
netfilter: ipset: List timing out entries with "timeout 1" instead of zero
rtc: ensure rtc_set_alarm fails when alarms are not supported
mm/slub.c: add __printf verification to slab_err()
mm: vmalloc: avoid racy handling of debugobjects in vunmap
nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo
ALSA: fm801: add error handling for snd_ctl_add
ALSA: emu10k1: add error handling for snd_ctl_add
xen/netfront: raise max number of slots in xennet_get_responses()
tracing: Quiet gcc warning about maybe unused link variable
tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
tracing: Fix possible double free in event_enable_trigger_func()
tracing: Fix double free of event_trigger_data
Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST
Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
Input: elan_i2c - add ACPI ID for lenovo ideapad 330
MIPS: Fix off-by-one in pci_resource_to_user()
kernel/sys.c: fix merge error with 4.4.144
Conflicts:
drivers/scsi/ufs/ufshcd.c
include/net/tcp.h
net/socket.c
Change-Id: Ie84fdcf54b0a45508f76ef56330291f54e35ed30
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
commit 81e69df38e2911b642ec121dec319fad2a4782f3 upstream.
Fedora has integrated the jitter entropy daemon to work around slow
boot problems, especially on VM's that don't support virtio-rng:
https://bugzilla.redhat.com/show_bug.cgi?id=1572944
It's understandable why they did this, but the Jitter entropy daemon
works fundamentally on the principle: "the CPU microarchitecture is
**so** complicated and we can't figure it out, so it *must* be
random". Yes, it uses statistical tests to "prove" it is secure, but
AES_ENCRYPT(NSA_KEY, COUNTER++) will also pass statistical tests with
flying colors.
So if RDRAND is available, mix it into entropy submitted from
userspace. It can't hurt, and if you believe the NSA has backdoored
RDRAND, then they probably have enough details about the Intel
microarchitecture that they can reverse engineer how the Jitter
entropy daemon affects the microarchitecture, and attack its output
stream. And if RDRAND is in fact an honest DRNG, it will immeasurably
improve on what the Jitter entropy daemon might produce.
This also provides some protection against someone who is able to read
or set the entropy seed file.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Only call kfree if the item is valid and drain
the whole buffer before leaving the work function.
Change-Id: Ie9c253c394be1aa859789262e0f03a986a4ad207
Signed-off-by: Gustavo Solaira <gustavos@codeaurora.org>
Extend the scope of protection to md_info till queueing
the write to sdcard. Patch adds protection to diag client map
synchronizing access by various clients.
CRs-Fixed: 2282558
Change-Id: If076af2d09180a282a9077b4ebcda0184e9f67b5
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
The possibility of md_info structure being accessed simultaneously
by two threads is prevented by synchronizing while buffer
reallocation for hdlc encoding. Extend the scope of protection to
md_info till queueing the write to sdcard.
CRs-Fixed: 2279473
Change-Id: I75ddb102adfc6c79f35ed69914c9140cb82894c9
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Add a new work queue to process the HSIC diag
data instead of processing it in the interrupt
context.
Change-Id: I8c546cd608c662d1c3133194f70af4953d734b08
Signed-off-by: Gustavo Solaira <gustavos@codeaurora.org>
Currently, in case IPC logging related config
is disabled then there are some unwanted error
logs in kernel logs. Featurize IPC logging to
get rid of error logs.
Change-Id: I8455f5e3a13cf58b4d65d1e1a5c4f1ec0adedabf
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
