The SNDRV_RAWMIDI_STREAM_{OUTPUT,INPUT} ioctls may reallocate
runtime->buffer while other kernel threads are accessing it. If the
underlying krealloc() call frees the original buffer, then this can turn
into a use-after-free.
Most of these accesses happen while the thread is holding runtime->lock,
and can be fixed by just holding the same lock while replacing
runtime->buffer, however we can't hold this spinlock while
snd_rawmidi_kernel_{read1,write1} are copying to/from userspace. We
need to add and acquire a new mutex to prevent this from happening
concurrently with reallocation. We hold this mutex during the entire
reallocation process, to also prevent multiple concurrent reallocations
leading to a double-free.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
bug: 64315347
Change-Id: I05764d4f1a38f373eb7c0ac1c98607ee5ff0eded
[dcagle@codeaurora.org: Resolve trivial merge conflict]
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: d7193540482d11ff0ad3a07fc18717811641c6eb
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
As per the sd card spec, mmc needs to power cycle the sd card in case the
sd card voltage switch operation fails. Currently we are directly going
for low speed mode without a power cycle, which is in violation of the sd
card spec. Now we will retry 10 times in case a timeout happens
while switching voltage and, at last, in case it did not succeed in
switching the sd card voltage, mmc would go for low speed mode.
Change-Id: Icece08732b8d52104e0890dce81ad16844265edd
Signed-off-by: Ram Prakash Gupta <rampraka@codeaurora.org>
Due to command queuing, there is a possibility of servicing
completion of multiple requests from hw irq context. So in
this case, hw irq will launch softirq for all requests which
were completed (irrespective of whether it was success or failure).
If one of the requests failed, then the softirq corresponding
to the errored request will set current cmdq state to CMDQ_STATE_ERR.
Because of this, subsequent completion softirqs for successful
requests will BUG_ON.
We should let higher layers know of completion of successful
requests. Hence change the BUG_ON to WARN_ON and skip
blk_end_request() only if the corresponding request has
an error (instead of checking if the cmdq state is in error)
Change-Id: Ieb7f9d12ba04b6ab6499bf29f3716b0ddfb880fb
Signed-off-by: Pradeep P V K <ppvk@codeaurora.org>
In the code, start_fetch can try to access the buffer
pointer variable after free, as the same pointer
can be freed at the RELEASE_BUF call too at the same time.
Hence fixing this race condition.
Change-Id: I05825fb3423f95bc251e79416de50dc32cf086dc
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
We use GFP_KERNEL in the outer context.
Bug: 72717639
Bug: 66884503
Change-Id: I5e10dba5138818351936ec0f70cd01070eaf199f
Signed-off-by: Roman Kiryanov <rkir@google.com>
Return an error instead of crashing in signalled_pipes_add_locked.
Bug: 72717639
Bug: 66884503
Change-Id: I811ad1932f1600f8bbe4598cdaf206bd96ea921a
Signed-off-by: Roman Kiryanov <rkir@google.com>
The user-space may send regulatory hint that has cellular sub-type
enabled. To process such events, enable
CONFIG_CFG80211_REG_CELLULAR_HINTS.
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
Change-Id: I79aceece8e7f17bbcf8186b03c74d82be82c5a4c
CRs-Fixed: 2201959
Casting twice is not required.
Bug: 72717639
Bug: 66884503
Change-Id: I3420388683a9746f2d2110af51d9d25c12c7eea6
Signed-off-by: Roman Kiryanov <rkir@google.com>
Replace the 'goldfish' prefix with 'goldfish_pipe' to
say they are pipe functions.
Bug: 72717639
Bug: 66884503
Change-Id: I5a5cf7ee38cf2ae193877b1ffac19eadb15a374a
Signed-off-by: Roman Kiryanov <rkir@google.com>
We don't need an array of 1 for pipe_dev and
use better names to distinguish between
goldfish_pipe_dev and miscdevice.
Bug: 72717639
Bug: 66884503
Change-Id: Iab040c158745f034ca8e9569fd49c84933b1c4ba
Signed-off-by: Roman Kiryanov <rkir@google.com>
To separate variable declarations from executable code
and to improve readability.
Bug: 72717639
Bug: 66884503
Change-Id: I46fb70b13b8e3d061dfc2288f5720a379f1f39a9
Signed-off-by: Roman Kiryanov <rkir@google.com>
Pop is heard after PDR is triggered. This is
resolved by disabling PA before boost is discharged.
CRs-Fixed: 2186640
Change-Id: Ie48668725f5162251cf09215f9448a6965fac3e2
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
Limit the index to buffer length while copying from
'strptr' to 'firmware_id'.
Change-Id: I1d7cb7a3d9593ca213c7f7341776632e635eb0df
Signed-off-by: Venkata Prahlad Valluru <vvalluru@codeaurora.org>
Enable sensor device node to allow Anti-Noise
Cancellation (ANC) algorithm to be running on
sensor subsystem for automotive msm8996 and
apq8096 platforms.
CRs-fixed: 2153236
Change-Id: I213c2eb94f6fe01e7c2ceca2d9033616817db38b
Signed-off-by: Derek Chen <chenche@codeaurora.org>
Merge 4.4.130 into android-4.4
Changes in 4.4.130
cifs: do not allow creating sockets except with SMB1 posix exensions
x86/tsc: Prevent 32bit truncation in calc_hpet_ref()
perf: Return proper values for user stack errors
staging: ion : Donnot wakeup kswapd in ion system alloc
r8152: add Linksys USB3GIGV1 id
Input: drv260x - fix initializing overdrive voltage
ath9k_hw: check if the chip failed to wake up
jbd2: fix use after free in kjournald2()
Revert "ath10k: send (re)assoc peer command when NSS changed"
s390: introduce CPU alternatives
s390: enable CPU alternatives unconditionally
KVM: s390: wire up bpb feature
s390: scrub registers on kernel entry and KVM exit
s390: add optimized array_index_mask_nospec
s390/alternative: use a copy of the facility bit mask
s390: add options to change branch prediction behaviour for the kernel
s390: run user space and KVM guests with modified branch prediction
s390: introduce execute-trampolines for branches
s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*)
s390: do not bypass BPENTER for interrupt system calls
s390/entry.S: fix spurious zeroing of r0
s390: move nobp parameter functions to nospec-branch.c
s390: add automatic detection of the spectre defense
s390: report spectre mitigation via syslog
s390: add sysfs attributes for spectre
s390: correct nospec auto detection init order
s390: correct module section names for expoline code revert
bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave
KEYS: DNS: limit the length of option strings
l2tp: check sockaddr length in pppol2tp_connect()
net: validate attribute sizes in neigh_dump_table()
llc: delete timers synchronously in llc_sk_free()
tcp: don't read out-of-bounds opsize
team: avoid adding twice the same option to the event list
team: fix netconsole setup over team
packet: fix bitfield update race
pppoe: check sockaddr length in pppoe_connect()
vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
sctp: do not check port in sctp_inet6_cmp_addr
llc: hold llc_sap before release_sock()
llc: fix NULL pointer deref for SOCK_ZAPPED
tipc: add policy for TIPC_NLA_NET_ADDR
net: fix deadlock while clearing neighbor proxy table
tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
net: af_packet: fix race in PACKET_{R|T}X_RING
ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
scsi: mptsas: Disable WRITE SAME
cdrom: information leak in cdrom_ioctl_media_changed()
s390/cio: update chpid descriptor after resource accessibility event
s390/uprobes: implement arch_uretprobe_is_alive()
Linux 4.4.130
Change-Id: I58646180c70ac61da3e2a602085760881d914eb5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
validate port doesn't handle MULTICHAN_HDMI_RX
and causes failure to set afe params.
Included MULTICHAN_HDMI_RX in port validation
Change-Id: I3603ec2a3d392970cb48be1658b6030d3f4107f2
Signed-off-by: Ramu Gottipati <ramug@codeaurora.org>
Check for the CAP_NET_ADMIN capability of the user
space application that tries to access the rmnet driver IOCTL.
Change-Id: If6bb4b54659306c5103b5e34bf02c7234c851e0a
CRs-Fixed: 2226355
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>