During ringbuffer parsing, same IB can exist multiple times
but size validation happens only for the first time.
This leads to out of bound access if the subsequent sizes are
greater than the allocated size.
Add a check to make sure that requested size is within the
allocated range.
Change-Id: Ie5d3c02c1669de2e6188821399e985f0991aa57c
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
Define macro to indicate backport support for
external authentication where authentication can be
offloaded to userspace in specific cases such as SAE.
Change-Id: Ib253b303e82f583f61bc13d14c8d491d5ea2af15
CRs-Fixed: 2468738
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Jiachao Wu <jiacwu@codeaurora.org>
Signed-off-by: Min Liu <minliu@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
The memory for task load pointers are allocated twice for each
idle thread except for the boot CPU. This happens during boot
from idle_threads_init()->idle_init() in the following 2 paths.
1. idle_init()->fork_idle()->copy_process()->
sched_fork()->init_new_task_load()
2. idle_init()->fork_idle()-> init_idle()->init_new_task_load()
The memory allocation for all tasks happens through the 1st path,
so use the same for idle tasks and kill the 2nd path. Since
the idle thread of boot CPU does not go through fork_idle(),
allocate the memory for it separately.
Change-Id: I4696a414ffe07d4114b56d326463026019e278f1
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
[schikk@codeaurora.org: resolved merge conflicts]
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
This commit allows SAE Authentication for NL80211_CMD_CONNECT
interface, provided host driver advertises the support.
Host drivers may offload the SAE authentication to user space
through NL80211_CMD_EXTERNAL_AUTH interface and thus expect
the user space to advertise support to handle offload through
NL80211_ATTR_EXTERNAL_AUTH_SUPPORT in NL80211_CMD_CONNECT
request. Such drivers should reject the connect request on no
offload support from user space.
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 10773a7c09b327d02144c7d181e6544b7015ffc7
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
CRs-Fixed: 2468738
Change-Id: I41b49228e88b32a35323c4dc8fa98e507a8a971d
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Jiachao Wu <jiacwu@codeaurora.org>
Signed-off-by: Min Liu <minliu@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
This interface allows the host driver to offload the authentication to
user space. This is exclusively defined for host drivers that do not
define separate commands for authentication and association, but rely on
userspace SME (e.g., in wpa_supplicant for the ~WPA_DRIVER_FLAGS_SME
case) for the authentication to happen. This can be used to implement
SAE without full implementation in the kernel/firmware while still being
able to use NL80211_CMD_CONNECT with driver-based BSS selection.
Host driver sends NL80211_CMD_EXTERNAL_AUTH event to start/abort
authentication to the port on which connect is triggered and status
of authentication is further indicated by user space to host
driver through the same command response interface.
User space entities advertise this capability through the
NL80211_ATTR_EXTERNAL_AUTH_SUPP flag in the NL80211_CMD_CONNECT request.
Host drivers shall look at this capability to offload the authentication.
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
[add socket connection ownership check]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 40cbfa90218bc570a7959b436b9d48a18c361041
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
CRs-Fixed: 2468738
Change-Id: Id925dd82d9a9c719b32aac2de75b6ad001f1a958
[dasaris@codeaurora.org: merging with msm-specific changes]
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Jiachao Wu <jiacwu@codeaurora.org>
Signed-off-by: Min Liu <minliu@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
Update nl80211_commands to be in sync with upstream.
This is needed to add new commands.
Change-Id: Ib6b71e3f66560b035377c7bc0c115490b04f5c4f
CRs-Fixed: 2468738
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.
When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.
If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.
Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.
Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.
Change-Id: Icedffeb8d406351675f5195fdd9000a644d07b95
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
These contribute to a great amount of idle drain.
Tests: 30 minutes of playing Spotify with the screen off, unplugged.
Change-Id: Ibe62c631fd93de99d71d56ee6cb2387571f71d34
Signed-off-by: Tyler Nijmeh <tylernij@gmail.com>
currently only NULL pointer check is used to validate the return
value from clkget this change to handle all the failures.
Change-Id: I275cb4717c675baf528e05c50058f2c6b0025011
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
Structures in shared memory that can be modified by remote
processors may have untrusted values, they should be validated
before use.
Adding proper validation before using fields of shared
structures.
CRs-Fixed: 2421611
Change-Id: Ifed71c506a26105eac3db9ee35f086d7dbf5a3a3
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
When processing WAN_IOC_SEND_LAN_CLIENT_MSG ioctl there is a possibility
of message_type being invalid and this can lead to out of buffer error.
Make a change to validate the ioctl params before processing.
Change-Id: If7955f77863b772ae1c8feda5ca0145c822403b9
Signed-off-by: Chaitanya Pratapa <cpratapa@codeaurora.org>
Proper buffer length checks are missing in diagchar_write
handlers for userspace data while processing the same buffer.
Change-Id: I5b8095766e09c22f164398089505fe827fee8b54
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Disconnect or deauthenticate when the owning socket is closed if this
flag is supplied to CMD_CONNECT or CMD_ASSOCIATE. This may be used
to ensure userspace daemon doesn't leave an unmanaged connection behind.
In some situations it would be possible to account for that, to some
degree, in the deamon restart code or in the up/down scripts without
the use of this attribute. But there will be systems where the daemon
can go away for varying periods without a warning due to local resource
management.
Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 36a554cec119bbd20c4ec0cb96bd4712d124bfea
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
Change-Id: Ic09ee323fc6215059d5c2572ba3e77c56addad32
CRs-Fixed: 2468738
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Jiachao Wu <jiacwu@codeaurora.org>
Signed-off-by: Min Liu <minliu@codeaurora.org>
Signed-off-by: stonez <stonez@codeaurora.org>
The region index for bivcm is not validated against the region size.
This causes out-of-bound read on the KASAN kernel.
Add restriction that region index smaller than region size.
CRs-Fixed: 2379514
Change-Id: I72c4a41a4b41c8fa70c174ffd3215a81eaa14355
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Add check for minimum length before typecasting to build mask
structure to prevent out of bound access.
CRs-Fixed: 2431005
Change-Id: I97b439ead62c8a67869c9209442ef771308f2d3f
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Structures in shared memory that can be modified by remote
processors may have untrusted values, they should be validated
before use.
Adding proper validation before using fields of shared
structures.
CRs-Fixed: 2421602
Change-Id: I947ed5b0fe5705e5223d75b0ea8aafb36113ca5a
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
Since DSP is not supposed to modify the base pointer rpra of the
input/output arguments offloaded to DSP, maintain a local copy of
the pointer and use it after receiving interrupt from DSP.
Change-Id: I4afade7184cb2aca148060fb0cda06c6174f3b55
Acked-by: Maitreyi Gupta <maitreyi@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
* This change makes WiFi report invalid signal strength.
This reverts commit be468730d315e973e9936da275b06600d0ce276c.
Change-Id: I01094049520ea706c27e00f316539f9d9d53bbc7
* Makes the device get stuck on splash screen
when booting in offline charging mode.
This reverts commit b03b261cfc.
Change-Id: I79fc04a43a7995c1015464b2d3c481200ddcaf8d
Add proper check for validating the IP type while
sending request for ul-filter-rule install.
Change-Id: I170230310884f176cf41d5ae20287f6d74a4bc29
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
