Commit graph

602460 commits

Author SHA1 Message Date
Xiaojun Sang
7289a6a51e dsp: validate token before usage as array index
Token from DSP might be invalid for array index. Validate the
token before being used as array index.

Change-Id: I9f47e1328d75d9f9acf7e85ddb452019b6eced0a
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
2019-03-26 05:23:32 -07:00
Shadab Naseem
8bc8a30bdb scripts: gcc-wrapper: Route the GCC errors to stderr
The GCC wrapper writes any error message from GCC to stdout
along with the messages from the wrapper itself. This is okay
for most cases, but when GCC is used with -print-xxx flags,
the stdout output is supposed to be taken as input to some
other build command, so putting error messages in there is
pretty bad. Fix this by writing error messages to stderr.

Change-Id: I4656033f11ba5212fdcc884cc588f8b9d2c23419
Signed-off-by: Shadab Naseem <snaseem@codeaurora.org>
2019-03-24 22:29:49 -07:00
Sandeep Singh
14961ab5bb icnss: Add support for graceful shutdown
Add a QMI command to indicate graceful shutdown to the FW
and updating the QMI file.

Change-Id: I0360f6f5b49bc19ea4a7acbbd0e192e1596463d6
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
2019-03-20 03:52:07 -07:00
Manoj Prabhu B
d7807eff3a diag: dci: Validate dci client entries prior read
Validate the dci entries and its task structure before
accessing structure members to prevent copying dci data to
invalid entries.

Change-Id: I07c59ef0705bc52a8268b0dc984ebfa9d26d178e
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
2019-03-14 23:23:10 -07:00
Linux Build Service Account
841cf03d93 Merge "diag: Add protection while accessing usb_info's buffer table" 2019-03-12 00:10:55 -07:00
Hardik Arya
6f1987e5d8 diag: Add protection while accessing usb_info's buffer table
Currently there is a possibility of NULL pointer dereference while
accessing usb_info's buffer table due to missing proper protection.
The patch adds protection for the same.

Change-Id: I974a70a48e7ac47b42bc237aac4db1b9e47be6be
Signed-off-by: Hardik Arya <harya@codeaurora.org>
2019-03-11 22:34:10 -07:00
Hardik Arya
168a91f810 diag: Free usb buffer's entry after removing from list
Currently, there is possibility of memory leak due to not
freeing allocated memory for usb buffer's entry after
removing it from list. The patch handles this by freeing
the entry.

Change-Id: Idb08ecad859749e6ab1b09184362de38de4a9836
Signed-off-by: Hardik Arya <harya@codeaurora.org>
2019-03-11 22:31:22 -07:00
Linux Build Service Account
0bc8b59292 Merge "dsp: codecs: fix range check for audio buffer copying" 2019-03-11 05:47:58 -07:00
Linux Build Service Account
f71bb6b5bd Merge "msm: ipa: Fix to validate the buffer size" 2019-03-11 05:47:57 -07:00
Xiaoyu Ye
f46f0d774d dsp: codecs: fix range check for audio buffer copying
The range checking for audio buffer copying in function
"audio_in_write" is using the incorrect buffer size.
Change it to the actual allocated audio buffer size.

Change-Id: Ib7aaa2163c0d99161369eb85d09dc2d23d8c787b
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
2019-03-11 00:47:25 -07:00
Deepak Kumar
b0a3e87996 msm: kgsl: Correctly limit max number of contexts per process
Read and increment context count atomic variable under a lock
to avoid race condition between read and increment. This is
necessary to make sure no process goes beyond the specified
context limit.

Change-Id: I483e2ac169beaff49e19b8ef1b46541f6eb740b0
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
2019-03-06 23:32:09 -08:00
Praveen Kurapati
a411b9ceed msm: ipa: Fix to validate the buffer size
Adding code changes to validate buffer size.
While calling ipa_read, verify whether the kernel buffer
size is in range or not.

Change-Id: Idc608c2cf0587a00f19ece38a4eb646f7fde68e3
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
2019-03-06 21:35:38 +05:30
Laxminath Kasam
5557ce5cc8 asoc: codecs: Fix out of bound register access
For TX5 MUX registers, offset is not followed
in TXn order. Update driver to read/write correct
register offset when TX5 MUX registers are accessed.

CRs-Fixed: 2218938
Change-Id: I8958b6cd1847967cbd37e7145c9f3909b0b8853b
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
2019-03-05 01:10:35 -08:00
Linux Build Service Account
a2faea1692 Merge "dsp: asm: Add check for num_channels before calling q6asm_map_channels" 2019-03-04 13:09:48 -08:00
Vatsal Bucha
e8629a0959 qdsp6v2: apr: check for packet size to header size comparison
Check if packet size is large enough to hold the header.

Change-Id: I7261f8111d8b5f4f7c181e469de248a732242d64
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
2019-03-03 22:36:36 -08:00
Rohit kumar
8c12285cf3 dsp: asm: Add check for num_channels before calling q6asm_map_channels
Channel_mapping array size varies for different commands.
Add check for num_channels before calling q6asm_map_channels.

Change-Id: Iccbcfe82f716fc0ffe0a26b1779dcaa1c3cb805b
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
2019-03-01 03:42:08 -08:00
Linux Build Service Account
7f8a8ced82 Merge "ion: fix system secure force alloc" 2019-02-18 23:49:18 -08:00
Linux Build Service Account
2c57e25f25 Merge "iommu: iommu-debug: don't pass null character to copy_to_user" 2019-02-18 05:12:49 -08:00
Vijayanand Jitta
42a7efc865 iommu: iommu-debug: don't pass null character to copy_to_user
Doing a cat on pte,test_virt_addr from adb shell prints a null
character as well, which is at the end of the string. This is not
required, so don't pass this null character to copy_to_user.

Change-Id: I8d9120f64d1df84a704379eb00bd239fc7059e9e
Signed-off-by: Vijayanand Jitta <vjitta@codeaurora.org>
2019-02-17 21:50:33 -08:00
Deepak Kumar Singh
3f49920e67 soc: qcom: Validate read and write index before calculating ptr
Currently we are not validating read and write index of
tx and rx FIFOs before calculating ptr; this can lead to
out-of-bound access. The patch adds proper check for the same.

CR-Fixed: 2355425
Change-Id: I7b158e94ae743a90ac364783fe31914ca0fa582b
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
2019-02-17 21:25:32 -08:00
Vikash Garodia
e18e27735c msm: vidc: Ensure validity of shared Q indices
Video driver and firmware communicate over shared queue.
The queue header has the indices which synchronize the read
and write between the driver and firmware modules.
This change ensures that the indices are within the valid
range before accessing them.

CRs-fixed: 2345481
Change-Id: I8da6bb4218a5b8ec0e2e2c7b87f6cc9eec21bd16
Signed-off-by: Vikash Garodia <vgarodia@codeaurora.org>
Signed-off-by: Paras Nagda <pnagda@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
2019-02-15 03:27:21 -08:00
Vinayak Menon
979cdd6f6e ion: fix system secure force alloc
Even when ION_FLAG_POOL_FORCE_ALLOC is set for secure alloc,
alloc_from_pool_preferred tries to get the pages from pool
first. In case it enters split_page_from_secure_pool,
free_buffer_page can end up calling __free_pages on the page
from pool which is hyp assigned, resulting in issues for e.g.
a fault if page poisoning is enabled.

Change-Id: I68759dc17551a5705693506a5c137977d429fe36
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
2019-02-12 21:47:51 -08:00
Jann Horn
38f4fba64d mm/vmstat.c: fix outdated vmstat_text
7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely") removed the
VMACACHE_FULL_FLUSHES statistics, but didn't remove the corresponding
entry in vmstat_text.  This causes an out-of-bounds access in
vmstat_show().

Luckily this only affects kernels with CONFIG_DEBUG_VM_VMACACHE=y, which
is probably very rare.

Change-Id: Ia4f5f0327d58a7831aff010949fa31bfd56139dc
Link: http://lkml.kernel.org/r/20181001143138.95119-1-jannh@google.com
Fixes: 7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely")
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Roman Gushchin <guro@fb.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Christoph Lameter <clameter@sgi.com>
Cc: Kemi Wang <kemi.wang@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 28e2c4bb99aa40f9d5f07ac130cbc4da0ea93079
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2019-02-10 21:55:41 -08:00
Linux Build Service Account
6fd3e4ce63 Merge "mm: get rid of vmacache_flush_all() entirely" 2019-02-08 11:43:33 -08:00
Linux Build Service Account
3e34840002 Merge "msm: vidc: fix KCFI errors" 2019-02-08 03:13:58 -08:00
Linus Torvalds
13fbdf9d9a mm: get rid of vmacache_flush_all() entirely
commit 7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 upstream.

Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too.  It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit.  That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.

So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too.  Win-win.

[ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics
  also just goes away entirely with this ]

Change-Id: Ib485c9f33638e844f2378a1ec376e64200d30fd2
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Will Deacon <will.deacon@arm.com>
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 84580567f1f856d2c7a610273315852e345bc3ac
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2019-02-08 01:55:58 -08:00
Govindaraj Rajagopal
b6376f2b6d msm: vidc: fix KCFI errors
Fix errors reported after enabling Kernel Control Flow
Integrity (KCFI) on kernel code. This is a security
mechanism that disallows changes to the original
control flow of a compiled binary.

Change-Id: I1e1e901c5889d9928411dc785da88e1eac378560
Signed-off-by: Govindaraj Rajagopal <grajagop@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
2019-02-07 18:07:35 +05:30
Linux Build Service Account
45d0550497 Merge "msm: vidc: Add memory barrier after queue header update" 2019-02-06 23:03:58 -08:00
Sanjay Singh
2eae84f039 msm: vidc: Correct error handling for allocation failure cases
In error handling, trying to free memory which is not yet
allocated. Fix is added to correct this error handling.

Change-Id: I4e91a95f7ebd9132141d8686ae2bdfaed3a9a8c1
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
2019-02-06 00:46:18 -08:00
Maheshwar Ajja
7fef9d4e2d msm: vidc: Add memory barrier after queue header update
Add memory barrier after updating queue header variables
to ensure main memory is updated so that video hardware
reads the updated header values.

CRs-Fixed: 2135048
Change-Id: I1a2778bee16c9093284c4d33980e6985c279f499
Signed-off-by: Vikash Garodia <vgarodia@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
2019-02-06 11:44:38 +05:30
Linux Build Service Account
8b4d96792a Merge "msm: vidc: ensure codec count is in supported session range" 2019-02-04 06:38:19 -08:00
Vijayanand Jitta
412b07f4da iommu: dma-mapping-fast: Add a check for count in fast_smmu_alloc
In fast_smmu_alloc, size_t variable size is typecast to int
variable count; this variable count can get truncated and can
result in memory corruption during unmap. Make count a size_t
and also add a check for count, as sg_alloc_table_from_pages
accepts an unsigned int value for count.

Change-Id: I4780a554c5c062fd9dd229e5cc0ac804b1ba31d8
Signed-off-by: Vijayanand Jitta <vjitta@codeaurora.org>
2019-02-03 22:25:34 -08:00
Dikshita Agarwal
329c3ba349 msm: vidc: ensure codec count is in supported session range
Ensure the count of supported encoder and decoder returned
from firmware are within the range of supported sessions

Change-Id: If3eae7bc82dc8302444e2e4104fb6ae3cfbfed5a
Signed-off-by: Dikshita Agarwal <dikshita@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
2019-02-03 22:12:38 -08:00
Linux Build Service Account
afbf8abea5 Merge "msm: mdss: Fix potential null pointer dereference" 2019-01-31 10:35:18 -08:00
Linux Build Service Account
1971c91580 Merge "ipc: Implement FIFO queue to fix sequence inconsistency" 2019-01-30 23:34:48 -08:00
Xiaojun Sang
1d6109e0e9 ipc: Implement FIFO queue to fix sequence inconsistency
The SVA history buffer is out of order if there are
more than 2 continuous RX buffer done from GLINK. Implement
FIFO to ensure sequence consistency.

Change-Id: If70e2d0160e8f3140d621298b0db03bd89ba88ba
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
2019-01-31 10:48:51 +08:00
Mayank Rana
539ae5515f dwc3: gadget: Take copy of dwc->gadget_driver before releasing lock
gadget_driver can become null if gadget_stop is called while any other
gadget callbacks are in progress. As gadget callbacks need to release
spinlock before the callback, store the local copy of gadget_driver to
avoid the race with gadget_stop.

Change-Id: I7f0cbf9af3e3b286f2826647f08215f29f699de1
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
2019-01-30 00:30:51 -08:00
Linux Build Service Account
1653208bf4 Merge "msm: ais: ispif: Fix invalid type conversion" 2019-01-23 05:14:38 -08:00
Linux Build Service Account
2c72b0a902 Merge "msm: camera: isp: Fix invalid type conversion" 2019-01-23 05:14:15 -08:00
E V Ravi
0655daaa91 msm: ais: ispif: Fix invalid type conversion
Due to improper type conversion, a compilation
issue will be seen. Made change to access the
appropriate type.

Change-Id: I54777fe71a2f29297b439ac26f80b9684222d89a
Signed-off-by: E V Ravi <evenka@codeaurora.org>
2019-01-22 23:01:01 -08:00
Meera Gande
0d2dac557e msm: camera: isp: Fix invalid type conversion
Due to improper type conversion, a compilation
issue will be seen. Made change to access the
appropriate type.

Change-Id: I2c61364f0385c83aa304788cc705bf4ca48ac2cc
Signed-off-by: Meera Gande <mgande@codeaurora.org>
2019-01-22 23:00:51 -08:00
Linux Build Service Account
87edacbe36 Merge "usb: pd: Don't reject sink request based on max current" 2019-01-22 19:57:25 -08:00
Linux Build Service Account
e3357a357e Merge "msm: wlan: Update ETSI1 and ETSI13 countries" 2019-01-22 07:37:11 -08:00
Linux Build Service Account
d33de034f0 Merge "iommu/iommu-debug: fix buffer overflows in debugfs read functions" 2019-01-22 07:37:10 -08:00
Rajeev Kumar Sirasanagandla
4a7a770994 msm: wlan: Update ETSI1 and ETSI13 countries
In db.txt, update ETSI1 and ETSI13 countries with NO-OUTDOOR flag
for frequency ranges: (5170 - 5250) and (5250 - 5330).

CRs-Fixed: 2379868
Change-Id: I8a9ce955e82b14814ead5f0bf118608ea90cbc53
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
2019-01-22 03:48:18 -08:00
Srinivasarao P
6a8e47eb57 iommu/iommu-debug: fix buffer overflows in debugfs read functions
The kernel buffer 'ubuf' can overflow while copying data to user
space in debugfs read functions. Fix it by limiting the length of
data to be copied to userspace.

Change-Id: Ibb3d8c4fb637ddc0e63677ec2dff14a4cf8c0c73
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2019-01-22 01:04:00 -08:00
Linux Build Service Account
0bfccff096 Merge "msm: adsprpc: Fix memory out of bounds error" 2019-01-21 22:50:39 -08:00
Linux Build Service Account
62f5f5cf6f Merge "f2fs: fix to account IO correctly" 2019-01-21 09:12:48 -08:00
Jack Pham
bccbbac9f0 usb: pd: Don't reject sink request based on max current
A fixed sink PDO request includes both operating current and
max current. Although the max current requested may be greater
than the available source advertisement, as per spec only the
operating current request needs to be considered. The sink will
likely have also set the Capability Mismatch bit as well. Hence,
don't reject the request otherwise the sink will keep
re-requesting and never enter a contract.

Change-Id: Ia15e2e17abe43f2bcbc1fe7011b70ab0e0f5d9eb
Signed-off-by: Jack Pham <jackp@codeaurora.org>
2019-01-18 09:45:23 -08:00
Chao Yu
046b4ced72 f2fs: fix to account IO correctly
Below race can cause reversed reference on dirty count, fix it by
relocating __submit_bio() and inc_page_count().

Thread A				Thread B
- f2fs_inplace_write_data
 - f2fs_submit_page_bio
  - __submit_bio
					- f2fs_write_end_io
					 - dec_page_count
  - inc_page_count

Cc: <stable@vger.kernel.org>
Fixes: d1b3e72d5490 ("f2fs: submit bio of in-place-update pages")
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Git-Commit: 2cc5dcf7a9e074c5bdfdefea1801aa0a657750d6
Git-Repo: https://android.googlesource.com/kernel/common
Change-Id: Ifff46ef82be68fc910ea3dbcc2299a22664587d4
Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org>
2019-01-18 14:54:15 +05:30