kgsl_context_init() prints error message continuously if a process
tries to create more number of contexts that KGSL supports.
This hogs CPU and might lead to watchdog timeout.
Reduce this log frequency by using KGSL_DRV_ERR_RATELIMIT().
Change-Id: I7e3a5d3db41ab0c60d1b6b620cbcdef96d5c21a9
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
Check size of payload before access in q6usm_mmapcallback.
Change-Id: Iff0672532c2ea40e7129237a92d8365d6b554cf2
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
Opening of multiple instance of voice_svc user space from app will
lead to pointer deference of private data within apr callback. As
multi-instance not supported added check to deny open() from user
space if previous instance hasn't been closed.
Change-Id: Ia5ef16c69a517760fc9d45530a8a41a333fa2a21
Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
Check size of payload array before access in q6usm_callback.
Change-Id: Id0c85209a053f9dfdb53133aeb6b2510ecf18eb8
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
The current design of hrtimers migrates the pinned timers to a
different CPU upon its hotplug. However, perf-core needs to
maintain the mux-hrtimers on a per CPU basis. That is, each
hrtimer carries the context for that particular CPU and would
lose this context if it gets migrated to a different CPU. As a
result, cancel the hrtimer for the CPU that's about to go down
and restart it (if required) when the perf-events are being created.
Change-Id: I7a1d0456208855e3a99a7d49e59c6dae811d146e
Signed-off-by: Raghavendra Rao Ananta <rananta@codeaurora.org>
[mojha@codeaurora.org: Resolved merge conflict and added missing
`cpuctx` variable to avoid build failure]
Signed-off-by: Mukesh Ojha <mojha@codeaurora.org>
Payload length must exceed structure size. Otherwise, it may
lead to out-of-boundary memory access.
Change-Id: I090de5116ab04a4ca2b9c485e17617fe9e861ad5
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
Check buffer size in qdsp_cvs_callback before access in
ul_pkt.
Change-Id: Ic19994b46086709231656ec747d2df988b7a512f
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
An munmap() on a binder device causes binder_vma_close() to be called
which clears the alloc->vma pointer.
If direct reclaim causes binder_alloc_free_page() to be called, there
is a race where alloc->vma is read into a local vma pointer and then
used later after the mm->mmap_sem is acquired. This can result in
calling zap_page_range() with an invalid vma which manifests as a
use-after-free in zap_page_range().
The fix is to check alloc->vma after acquiring the mmap_sem (which we
were acquiring anyway) and bail out of binder_alloc_free_page() if it
has changed to NULL.
Change-Id: I9ea0558a57635a747d7a48ed35991d39b860abf6
Signed-off-by: Todd Kjos <tkjos@google.com>
(cherry picked from commit 7257eac9401f989a62503b6c12a47af1b10591d1)
commit 7bada55ab50697861eee6bb7d60b41e68a961a9c upstream
Malicious code can attempt to free buffers using the BC_FREE_BUFFER
ioctl to binder. There are protections against a user freeing a buffer
while in use by the kernel, however there was a window where
BC_FREE_BUFFER could be used to free a recently allocated buffer that
was not completely initialized. This resulted in a use-after-free
detected by KASAN with a malicious test program.
This window is closed by setting the buffer's allow_user_free attribute
to 0 when the buffer is allocated or when the user has previously freed
it instead of waiting for the caller to set it. The problem was that
when the struct buffer was recycled, allow_user_free was stale and set
to 1 allowing a free to go through.
Bug: 116855682
Change-Id: I0b38089f6fdb1adbf7e1102747e4119c9a05b191
Signed-off-by: Todd Kjos <tkjos@google.com>
Acked-by: Arve Hjønnevåg <arve@android.com>
Cc: stable <stable@vger.kernel.org> # 4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c3d21ec4d4fb68baf47248dfe0e0ce0080fd7bcc)
commit 513f86d73855ce556ea9522b6bfd79f87356dc3a upstream.
If there an inode points to a block which is also some other type of
metadata block (such as a block allocation bitmap), the
buffer_verified flag can be set when it was validated as that other
metadata block type; however, it would make a really terrible external
attribute block. The reason why we use the verified flag is to avoid
constantly reverifying the block. However, it doesn't take much
overhead to make sure the magic number of the xattr block is correct,
and this will avoid potential crashes.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[Backported to 4.4: adjust context]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I06728150aefd0fffbdb6bd7cbce0858221ff6f74
(cherry picked from commit 62a28a64d87fbdce5c0a988b440a4ae6dd37b41e)
commit 8bc1379b82b8e809eef77a9fedbb75c6c297be19 upstream.
Use a separate journal transaction if it turns out that we need to
convert an inline file to use an data block. Otherwise we could end
up failing due to not having journal credits.
This addresses CVE-2018-10883.
https://bugzilla.kernel.org/show_bug.cgi?id=200071
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[fengc@google.com: 4.4 backport: adjust context]
Signed-off-by: Chenbo Feng <fengc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I75f040b4276587a6a234a6a53fd1d3d70be6ae09
(cherry picked from commit d49dc6f1d53479bca01900540a89639eea8b154e)
commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream.
In theory this should have been caught earlier when the xattr list was
verified, but in case it got missed, it's simple enough to add check
to make sure we don't overrun the xattr buffer.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[bwh: Backported to 3.16:
- Add inode parameter to ext4_xattr_set_entry() and update callers
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[adjusted for 4.4 context]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ife3baeba57d5e63e7745ee8d5f4b01c6e9de4bc6
(cherry picked from commit ff3692e264d5c34ca9a15ab995808f98d9f874a8)
Validate buffer index obtained from ADSP token before using it.
CRs-Fixed: 2372302
Change-Id: I5c3b1634bd08b516844638dd67f726a882edfc17
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
There can be many ice instances present in dtsi file but
not all of them will be initialized by storage driver.
Check if crypto instance is initialized before setting
it up for data encryption/decryption usage.
Change-Id: I7c9227007474052513b277dec5963a973781c524
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
In case WLAN driver probe is in progress and modem graceful
shutdown occurs and if modem shutdown request is sent just
before the mode on request sent to firmware, firmware may end up
in illegal memory access.
To address this issue, modem notifier needs to be blocked needs for
probe to complete or max 5 seconds timeout.
CRs-Fixed: 2381846
Change-Id: I9e13a11c56059cb29e161c34df11de484f87ac5e
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
Token from DSP might be invalid for array index. Validate the
token before being used as array index.
Change-Id: I9f47e1328d75d9f9acf7e85ddb452019b6eced0a
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
The GCC wrapper writes any error message from GCC to stdout
along with the messages from the wrapper itself. This is okay
for most case, but when GCC is used with -print-xxx flags,
the stdout output is supposed to be taken as input to some
other build command, so putting error messages in there is
pretty bad. Fix this by writing error messages to stderr.
Change-Id: I4656033f11ba5212fdcc884cc588f8b9d2c23419
Signed-off-by: Shadab Naseem <snaseem@codeaurora.org>
Add a QMI command to indicate graceful shutdown to the FW
and updating the QMI file.
Change-Id: I0360f6f5b49bc19ea4a7acbbd0e192e1596463d6
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
Validate the dci entries and its task structure before
accessing structure members to prevent copying dci data to
invalid entries.
Change-Id: I07c59ef0705bc52a8268b0dc984ebfa9d26d178e
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Currently there a possibility of NULL pointer dereference while
accessing usb_info's buffer table due to missing proper protection.
The patch adds protection for the same.
Change-Id: I974a70a48e7ac47b42bc237aac4db1b9e47be6be
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Currently, there is possibility of memory leak due to not
freeing allocated memory for usb buffer's entry after
removing it from list. The patch handle this by freeing
the entry.
Change-Id: Idb08ecad859749e6ab1b09184362de38de4a9836
Signed-off-by: Hardik Arya <harya@codeaurora.org>
The range checking for audio buffer copying in function
"audio_in_write" is using the incorrect buffer size.
Change it to the actual allocated audio buffer size.
Change-Id: Ib7aaa2163c0d99161369eb85d09dc2d23d8c787b
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
input: tri-state-key: Fix trivial code style issue in IRQ handler
Change-Id: Ie1e9396cf4674586a68dbf606a1d51fbffeaaca4
Signed-off-by: Sultanxda <sultanxda@gmail.com>
input: tri-state-key: Use ffz() instead of find_first_zero_bit()
find_first_zero_bit() is intended for large bitmaps; ffz() is much faster
when only a single word needs to be searched through.
Change-Id: Ib81b742805489947164af96bb8603f6732d64e8b
Suggested-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Sultanxda <sultanxda@gmail.com>
input: tri-state-key: Clean up some code styling
Use a macro to store the number of states, reduce the curr_state member in
the struct to uint8_t (since it only needs to contain 3 bits), and use
find_first_zero_bit() instead of a loop to find the first zero bit.
Change-Id: I35f369dc30186ab95033a4d27b550a07e4dc2dd8
Suggested-by: Joel Porquet <joel@porquet.org>
Signed-off-by: Sultanxda <sultanxda@gmail.com>
input: tri-state-key: Rewrite and optimize
A driver for such a simple device shouldn't be so ugly. Clean it up and
optimize it in the process.
Summary of changes:
-Remove unneeded switch device
-Remove unused/unnecessary struct members
-Remove module references (this driver will always be built in)
-Utilize fixed loops and clever logic to eliminate significant amounts of
code duplication
-Remove unused pinctrl code
-Use a threaded interrupt handler
-Process interrupts directly in the threaded interrupt handler (which runs
with realtime priority) rather than a worker
-Read the initial switch state upon init (so userspace gets the correct
switch state upon boot)
-Refactor code wherever possible to make it cleaner
Note that although the procfs naming scheme is non-standard (i.e.
"keyCode_top" instead of "keycode_top"), the old naming scheme is retained
in order to maintain compatibility with userspace.
Change-Id: Ic2de6ddeb223aa7669d61c186be0b57a15e1488b
Signed-off-by: Sultanxda <sultanxda@gmail.com>
Read and increment context count atomic variable under a lock
to avoid race condition between read and increment. This is
necessary to make sure no process goes beyond the specified
context limit.
Change-Id: I483e2ac169beaff49e19b8ef1b46541f6eb740b0
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
Adding code changes to validate buffer size.
While calling ipa_read verifying the kernel buffer
size in range or not.
Change-Id: Idc608c2cf0587a00f19ece38a4eb646f7fde68e3
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
For TX5 MUX registers, offset is not followed
in TXn order. Update driver to read/write correct
register offset when TX5 MUX registers access.
CRs-Fixed: 2218938
Change-Id: I8958b6cd1847967cbd37e7145c9f3909b0b8853b
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
bfq-iosched was missing from the Makefile.
Test: Check /sys/block/sda/queue/scheduler. bfq now available.
Change-Id: I57407ef65aad9ef319d56b9338a3180fadc9053b
Check if packet size is large enough to hold the header.
Change-Id: I7261f8111d8b5f4f7c181e469de248a732242d64
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
Channel_mapping array size varies for different commands.
Add check for num_channels before calling q6asm_map_channels.
Change-Id: Iccbcfe82f716fc0ffe0a26b1779dcaa1c3cb805b
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
