Added missing lock to avoid race conditon for dqbuf and
streamon.
Change-Id: I260dfc964066ad68552dfab0c43584708cfc8b8e
Signed-off-by: E V Ravi <evenka@codeaurora.org>
drawobj_destroy_sync() tries to cancel all pending sync events
by taking local copy of pending list. In case of sync point timestamp
event, it goes ahead and accesses context's events list assuming that
event's context would be alive.
But at the same time, if the other context, which is of interest for
these sync point events, can be destroyed by cancelling all
events in its group.
This leads to use-after-free in drawobj_destroy_sync() path.
Fix is to give the responsibility of putting the context's ref count
to the thread which clears the pending mask.
Change-Id: I8d08ef6ddb38ca917f75088071c04727bced11d2
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
validate structures and payload sizes in the
packet against packet size to avoid OOB access.
Change-Id: Id44e5c6be4dde3e6545d453f5edd3219776a4e58
Signed-off-by: Manikanta Kanamarlapudi <kmanikan@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Use trusted packet size on the received packet and check for
the size of the data received against the expected size
before accessing the packet.
Change-Id: I1bd6008249a0bf4edeec711ec8d23cf7b8dac1f1
Signed-off-by: Priyanka Gujjula <pgujjula@codeaurora.org>
Proper buffer length check is missing for dci userspace data
buffer before processing the dci transaction. The patch adds
proper check for the same.
Change-Id: I68c0e8c41d4e05493adecf8a1fcacea708dfafa2
Signed-off-by: Hardik Arya <harya@codeaurora.org>
As param_size is included in apr header pkt_size, out of
bounds access occurs in glink. Remove the param size addition
to fix this issue.
CRs-Fixed: 2472208
Change-Id: If8b34aeacd3bc9ba67ac9276eb1a8ebf0933f9f9
Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org>
pkt->msg_size can be corrupted and that leads to OOB access. So added
additional conditional check to avoid OOB access in debug queue
packet handling.
Change-Id: I360812c40369ecef2dd99464d400661bc785074b
Signed-off-by: Govindaraj Rajagopal <grajagop@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
skip pan display operation if found hdmi as primary
and handoff is pending. This check will help pan display path
to execute for primary display in recovery mode.
Change-Id: Iedd7e6b98f62d3a0d5b9cdda4ba4591ed8bfac68
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
Added missing lock to avoid race conditon for dqbuf and
streamon
CRs-Fixed: 2376566
Change-Id: I1c0ef9014914a9892c4d443600618c52d0aeebfa
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
dchdr->dlen is a short variable controlled by the user-provided data.
If the value is negative, loop continues, also increasing the value
of "len". As a result buffer overflow occurs. So define the len as
unsigned and check with length of string input from user space.
Change-Id: I8bb9ab33d543c826eb330e16ae116385d823ca98
Signed-off-by: raghavendra ambadas <rambad@codeaurora.org>
Add a check to make sure that the length of bytes copied
to the destination buffer doesn't exceed the requested
buffer length before calling the copy_to_user to avoid
buffer overflow.
Change-Id: Icd65b9be2791a8a487dfc8d7461aadce61de3f1b
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
When KASLR is enabled (CONFIG_RANDOMIZE_BASE=y), the top 4K of kernel
virtual address space may be mapped to physical addresses despite being
reserved for ERR_PTR values.
Fix the randomization of the linear region so that we avoid mapping the
last page of the virtual address space.
Change-Id: I3035dbe8e64b2a31f5d56b7dc29366958adda6ce
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: liyueyi <liyueyi@live.com>
[will: rewrote commit message; merged in suggestion from Ard]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Git-commit: c8a43c18a97845e7f94ed7d181c11f41964976a2
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
During ringbuffer parsing, same IB can exist multiple times
but size validation happens only for the first time.
This leads to out of bound access if the subsequent sizes are
greater than the allocated size.
Add a check to make sure that requested size is within the
allocated range.
Change-Id: Ie5d3c02c1669de2e6188821399e985f0991aa57c
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
Define macro to indicate backport support for
external authentication where authentication can be
offloaded to userspace in specific cases such as SAE.
Change-Id: Ib253b303e82f583f61bc13d14c8d491d5ea2af15
CRs-Fixed: 2468738
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Jiachao Wu <jiacwu@codeaurora.org>
Signed-off-by: Min Liu <minliu@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
The memory for task load pointers are allocated twice for each
idle thread except for the boot CPU. This happens during boot
from idle_threads_init()->idle_init() in the following 2 paths.
1. idle_init()->fork_idle()->copy_process()->
sched_fork()->init_new_task_load()
2. idle_init()->fork_idle()-> init_idle()->init_new_task_load()
The memory allocation for all tasks happens through the 1st path,
so use the same for idle tasks and kill the 2nd path. Since
the idle thread of boot CPU does not go through fork_idle(),
allocate the memory for it separately.
Change-Id: I4696a414ffe07d4114b56d326463026019e278f1
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
[schikk@codeaurora.org: resolved merge conflicts]
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
This commit allows SAE Authentication for NL80211_CMD_CONNECT
interface, provided host driver advertises the support.
Host drivers may offload the SAE authentication to user space
through NL80211_CMD_EXTERNAL_AUTH interface and thus expect
the user space to advertise support to handle offload through
NL80211_ATTR_EXTERNAL_AUTH_SUPPORT in NL80211_CMD_CONNECT
request. Such drivers should reject the connect request on no
offload support from user space.
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 10773a7c09b327d02144c7d181e6544b7015ffc7
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
CRs-Fixed: 2468738
Change-Id: I41b49228e88b32a35323c4dc8fa98e507a8a971d
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Jiachao Wu <jiacwu@codeaurora.org>
Signed-off-by: Min Liu <minliu@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
This interface allows the host driver to offload the authentication to
user space. This is exclusively defined for host drivers that do not
define separate commands for authentication and association, but rely on
userspace SME (e.g., in wpa_supplicant for the ~WPA_DRIVER_FLAGS_SME
case) for the authentication to happen. This can be used to implement
SAE without full implementation in the kernel/firmware while still being
able to use NL80211_CMD_CONNECT with driver-based BSS selection.
Host driver sends NL80211_CMD_EXTERNAL_AUTH event to start/abort
authentication to the port on which connect is triggered and status
of authentication is further indicated by user space to host
driver through the same command response interface.
User space entities advertise this capability through the
NL80211_ATTR_EXTERNAL_AUTH_SUPP flag in the NL80211_CMD_CONNECT request.
Host drivers shall look at this capability to offload the authentication.
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
[add socket connection ownership check]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 40cbfa90218bc570a7959b436b9d48a18c361041
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
CRs-Fixed: 2468738
Change-Id: Id925dd82d9a9c719b32aac2de75b6ad001f1a958
[dasaris@codeaurora.org: merging with msm-specific changes]
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Jiachao Wu <jiacwu@codeaurora.org>
Signed-off-by: Min Liu <minliu@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
Update nl80211_commands to be in sync with upstream.
This is needed to add new commands.
Change-Id: Ib6b71e3f66560b035377c7bc0c115490b04f5c4f
CRs-Fixed: 2468738
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.
When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.
If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.
Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.
Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.
Change-Id: Icedffeb8d406351675f5195fdd9000a644d07b95
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
These contribute to a great amount of idle drain.
Tests: 30 minutes of playing Spotify with the screen off, unplugged.
Change-Id: Ibe62c631fd93de99d71d56ee6cb2387571f71d34
Signed-off-by: Tyler Nijmeh <tylernij@gmail.com>
currently only NULL pointer check is used to validate the return
value from clkget this change to handle all the failures.
Change-Id: I275cb4717c675baf528e05c50058f2c6b0025011
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
Structures in shared memory that can be modified by remote
processors may have untrusted values, they should be validated
before use.
Adding proper validation before using fields of shared
structures.
CRs-Fixed: 2421611
Change-Id: Ifed71c506a26105eac3db9ee35f086d7dbf5a3a3
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
When processing WAN_IOC_SEND_LAN_CLIENT_MSG ioctl there is a possibility
of message_type being invalid and this can lead to out of buffer error.
Make a change to validate the ioctl params before processing.
Change-Id: If7955f77863b772ae1c8feda5ca0145c822403b9
Signed-off-by: Chaitanya Pratapa <cpratapa@codeaurora.org>
Proper buffer length checks are missing in diagchar_write
handlers for userspace data while processing the same buffer.
Change-Id: I5b8095766e09c22f164398089505fe827fee8b54
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Disconnect or deauthenticate when the owning socket is closed if this
flag is supplied to CMD_CONNECT or CMD_ASSOCIATE. This may be used
to ensure userspace daemon doesn't leave an unmanaged connection behind.
In some situations it would be possible to account for that, to some
degree, in the deamon restart code or in the up/down scripts without
the use of this attribute. But there will be systems where the daemon
can go away for varying periods without a warning due to local resource
management.
Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 36a554cec119bbd20c4ec0cb96bd4712d124bfea
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
Change-Id: Ic09ee323fc6215059d5c2572ba3e77c56addad32
CRs-Fixed: 2468738
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Jiachao Wu <jiacwu@codeaurora.org>
Signed-off-by: Min Liu <minliu@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
