The SNDRV_RAWMIDI_STREAM_{OUTPUT,INPUT} ioctls may reallocate
runtime->buffer while other kernel threads are accessing it. If the
underlying krealloc() call frees the original buffer, then this can turn
into a use-after-free.
Most of these accesses happen while the thread is holding runtime->lock,
and can be fixed by just holding the same lock while replacing
runtime->buffer, however we can't hold this spinlock while
snd_rawmidi_kernel_{read1,write1} are copying to/from userspace. We
need to add and acquire a new mutex to prevent this from happening
concurrently with reallocation. We hold this mutex during the entire
reallocation process, to also prevent multiple concurrent reallocations
leading to a double-free.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
bug: 64315347
Change-Id: I05764d4f1a38f373eb7c0ac1c98607ee5ff0eded
[dcagle@codeaurora.org: Resolve trivial merge conflict]
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: d7193540482d11ff0ad3a07fc18717811641c6eb
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>

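The locking scheme described in the rawmidi commit message above, as a user-space model (an added example, not code from the patch). Pthread mutexes stand in for runtime->lock and the new mutex, malloc/free stands in for the kernel reallocation, and the struct, function names, sizes and loop counts are assumptions.

```c
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

/* Model only: 'lock' stands in for the runtime->lock spinlock. */
struct runtime {
    pthread_mutex_t lock, realloc_mutex;
    unsigned char *buffer; size_t size;
};

/* Resize: mutex held for the whole reallocation, inner lock for the swap. */
static int rt_resize(struct runtime *rt, size_t new_size, int fill) {
    unsigned char *old, *nb;
    pthread_mutex_lock(&rt->realloc_mutex);
    if ((nb = malloc(new_size)) != NULL) {
        memset(nb, fill, new_size);
        pthread_mutex_lock(&rt->lock);
        old = rt->buffer; rt->buffer = nb; rt->size = new_size;
        pthread_mutex_unlock(&rt->lock);
        free(old);  /* no copier can still be reading the old buffer */
    }
    pthread_mutex_unlock(&rt->realloc_mutex);
    return nb ? 0 : -1;
}

/* Copy: may block (like a copy to userspace), so only the mutex is held. */
static int rt_copy_out(struct runtime *rt, unsigned char *dst, size_t cap) {
    pthread_mutex_lock(&rt->realloc_mutex);
    size_t n = rt->size < cap ? rt->size : cap;
    memcpy(dst, rt->buffer, n);
    pthread_mutex_unlock(&rt->realloc_mutex);
    /* Every buffer is filled with one byte value; a mix means a torn copy. */
    return n > 1 && memcmp(dst, dst + 1, n - 1) != 0;
}

static void *resizer(void *p) {
    for (int i = 0; i < 2000; i++) rt_resize(p, 64 + (i % 7) * 512, i & 0xff);
    return NULL;
}

long run_model(void) {
    struct runtime rt = { PTHREAD_MUTEX_INITIALIZER, PTHREAD_MUTEX_INITIALIZER, NULL, 0 };
    unsigned char dst[4096];
    pthread_t t; long bad = 0;
    if (rt_resize(&rt, 64, 0)) return -1;
    if (pthread_create(&t, NULL, resizer, &rt)) { free(rt.buffer); return -1; }
    for (int i = 0; i < 2000; i++) bad += rt_copy_out(&rt, dst, sizeof dst);
    pthread_join(t, NULL);
    free(rt.buffer);
    return bad;
}
```

run_model() returns the number of inconsistent copies observed while one thread resizes and the caller copies; with both paths serialized on realloc_mutex it is 0.
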
As per the sd card spec, mmc needs to power cycle sd card in case sd
card voltage switch operation fails. Currently we are directly going
for low speed mode without power cycle, which is in violation of sd
card spec. Now we will retry for 10 times in case timeout happens
while switching voltage and at last, in case, it did not succeed in
switching sd card voltage, mmc would go for low speed mode.
Change-Id: Icece08732b8d52104e0890dce81ad16844265edd
Signed-off-by: Ram Prakash Gupta <rampraka@codeaurora.org>

Due to command queuing, there is a possibility of servicing
completion of multiple requests from hw irq context. So in
this case, hw irq will launch softirq for all requests which
were completed (irrespective of whether it was success or failure).
If one of the requests failed, then the softirq corresponding
to the errored request will set current cmdq state to CMDQ_STATE_ERR.
Because of this, subsequent completion softirqs for successful
requests will BUG_ON.
We should let higher layers know of completion of successful
requests. Hence change the BUG_ON to WARN_ON and skip
blk_end_request() only if the corresponding request has
an error (instead of checking if the cmdq state is in error)
Change-Id: Ieb7f9d12ba04b6ab6499bf29f3716b0ddfb880fb
Signed-off-by: Pradeep P V K <ppvk@codeaurora.org>

The user-space may send regulatory hint that has cellular sub-type
enabled. To process such events, enable
CONFIG_CFG80211_REG_CELLULAR_HINTS.
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
Change-Id: I79aceece8e7f17bbcf8186b03c74d82be82c5a4c
CRs-Fixed: 2201959

Check for CAP_NET_ADMIN capability of the user
space application that tries to access rmnet driver IOCTL.
Change-Id: If6bb4b54659306c5103b5e34bf02c7234c851e0a
CRs-Fixed: 2226355
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

(cherry-pick from 'commit 580ec70acac4 ("fbdev: msm: Allocate fd
with O_CLOEXEC flag")') and made similar changes
for MDP3.
When fd is requested during get_metadata call, create
fd using O_CLOEXEC flag.
Change-Id: Iaa55927ac04b019ea45fbdfe9c64b10d1f0e3ceb
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
Signed-off-by: Sachin Bhayare <sachin.bhayare@codeaurora.org>

This reverts commit 44d8abb6e0.
If we return error on PLL lock failure, it results in open_stream
failure for TIF. So, if we open the TV app first and then connect
HDMI cable, it will not start streaming. Therefore reverting this
change.
Change-Id: Ic99a6986a3138bc3abb9e65eb598a743f1634c5c
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>

Change data rate to uint64, to ensure that the value sent
to kernel is not corrupted.
Change-Id: I692c1c3e591cbac24931078e0fb8938900fc991c
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>

Currently, the code calculated for a desired target current and
IRES is rounded up since DIV_ROUND_UP is used in the calculation.
With a higher IRES (12.5 mA), code can be configured to a higher
value. Fix this by using DIV_ROUND_CLOSEST so that the optimal
code can be obtained.
Change-Id: I51c1b15fff3ff2a23cb256f2ae1d341f5271adf2
Signed-off-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>

Currently as a part of host cable connection, we are notifying
cable connect to phy driver first and then resuming the PHY. This
leads to bus resume case running instead of the cable connect
case resume, hence the phy driver does not vote for the LDOs. As
a result, PHY goes into bad state. Fix this by first resuming PHY
so that cable connect case resume runs.
Change-Id: Ica5b16e420c38b920688b86a24af396644487a6b
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>

Currently hab only supports importing remote buffer
to cpu address, which can't be shared to other process.
Therefore we add dma_buf import/export function in hab.
Change-Id: I156c925d7c0cefef5bf146ad8cff38de9c4b3bee
Signed-off-by: Yajun Li <yajunl@codeaurora.org>

Currently there is possibility of out-of-bound read due to
incorrect validation of received dci event and log mask for
query. The patch updates the validation for the same.
Change-Id: I4266eb0f69fdbfa48c5aacc17744dec83995e9e6
Signed-off-by: Hardik Arya <harya@codeaurora.org>

In wow suspend method clean up the old configured wow events
before enabling the WLAN offloads and wakeup wow events.
The rekey data set ops is not part of the ieee80211 power
management ops so remove the rekey data set method from wow
and add it in ath10k mac layer.
CRs-Fixed: 2226944
Change-Id: Ida7592097f949734b5880c470845780295a695af
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>

In high speed sensor data stream case system is not entering into
suspend state due to edge and port specific wake-up sources.
Add flag to check and avoid the wakeup sources for all sensor ports.
CRs-Fixed: 2196601
Change-Id: Ibf642619b969925dc96e8a57e11f7e349b85c024
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>

* refs/heads/tmp-b1c4836
Linux 4.4.129
writeback: safer lock nesting
fanotify: fix logic of events on child
ext4: bugfix for mmaped pages in mpage_release_unused_pages()
mm/filemap.c: fix NULL pointer in page_cache_tree_insert()
mm: allow GFP_{FS,IO} for page_cache_read page cache allocation
autofs: mount point create should honour passed in mode
Don't leak MNT_INTERNAL away from internal mounts
rpc_pipefs: fix double-dput()
hypfs_kill_super(): deal with failed allocations
jffs2_kill_sb(): deal with failed allocations
powerpc/lib: Fix off-by-one in alternate feature patching
powerpc/eeh: Fix enabling bridge MMIO windows
MIPS: memset.S: Fix clobber of v1 in last_fixup
MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup
MIPS: memset.S: EVA & fault support for small_memset
MIPS: uaccess: Add micromips clobbers to bzero invocation
HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device
ALSA: hda - New VIA controller suppor no-snoop path
ALSA: rawmidi: Fix missing input substream checks in compat ioctls
ALSA: line6: Use correct endpoint type for midi output
ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea()
ext4: fix crashes in dioread_nolock mode
drm/radeon: Fix PCIe lane width calculation
ext4: don't allow r/w mounts if metadata blocks overlap the superblock
vfio/pci: Virtualize Maximum Read Request Size
vfio/pci: Virtualize Maximum Payload Size
vfio-pci: Virtualize PCIe & AF FLR
ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation
ALSA: pcm: Fix mutex unbalance in OSS emulation ioctls
ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams
ALSA: pcm: Avoid potential races between OSS ioctls and read/write
ALSA: pcm: Use ERESTARTSYS instead of EINTR in OSS emulation
ALSA: oss: consolidate kmalloc/memset 0 call to kzalloc
watchdog: f71808e_wdt: Fix WD_EN register read
thermal: imx: Fix race condition in imx_thermal_probe()
clk: bcm2835: De-assert/assert PLL reset signal when appropriate
clk: mvebu: armada-38x: add support for missing clocks
clk: mvebu: armada-38x: add support for 1866MHz variants
mmc: jz4740: Fix race condition in IRQ mask update
iommu/vt-d: Fix a potential memory leak
um: Use POSIX ucontext_t instead of struct ucontext
dmaengine: at_xdmac: fix rare residue corruption
IB/srp: Fix completion vector assignment algorithm
IB/srp: Fix srp_abort()
ALSA: pcm: Fix UAF at PCM release via PCM timer access
RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device
ext4: fail ext4_iget for root directory if unallocated
ext4: don't update checksum of new initialized bitmaps
jbd2: if the journal is aborted then don't allow update of the log tail
random: use a tighter cap in credit_entropy_bits_safe()
thunderbolt: Resume control channel after hibernation image is created
ASoC: ssm2602: Replace reg_default_raw with reg_default
HID: core: Fix size as type u32
HID: Fix hid_report_len usage
powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops
powerpc/powernv: define a standard delay for OPAL_BUSY type retry loops
powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently
powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write()
HID: i2c-hid: fix size check and type usage
usb: dwc3: pci: Properly cleanup resource
USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw
ACPI / hotplug / PCI: Check presence of slot itself in get_slot_status()
ACPI / video: Add quirk to force acpi-video backlight on Samsung 670Z5E
regmap: Fix reversed bounds check in regmap_raw_write()
xen-netfront: Fix hang on device removal
ARM: dts: at91: sama5d4: fix pinctrl compatible string
ARM: dts: at91: at91sam9g25: fix mux-mask pinctrl property
usb: musb: gadget: misplaced out of bounds check
mm, slab: reschedule cache_reap() on the same CPU
ipc/shm: fix use-after-free of shm file via remap_file_pages()
resource: fix integer overflow at reallocation
fs/reiserfs/journal.c: add missing resierfs_warning() arg
ubi: Reject MLC NAND
ubi: Fix error for write access
ubi: fastmap: Don't flush fastmap work on detach
ubifs: Check ubifs_wbuf_sync() return code
tty: make n_tty_read() always abort if hangup is in progress
x86/hweight: Don't clobber %rdi
x86/hweight: Get rid of the special calling convention
lan78xx: Correctly indicate invalid OTP
slip: Check if rstate is initialized before uncompressing
cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN
hwmon: (ina2xx) Fix access to uninitialized mutex
rtl8187: Fix NULL pointer dereference in priv->conf_mutex
getname_kernel() needs to make sure that ->name != ->iname in long case
s390/ipl: ensure loadparm valid flag is set
s390/qdio: don't merge ERROR output buffers
s390/qdio: don't retry EQBS after CCQ 96
block/loop: fix deadlock after loop_set_status
Revert "perf tests: Decompress kernel module before objdump"
radeon: hide pointless #warning when compile testing
perf intel-pt: Fix timestamp following overflow
perf intel-pt: Fix error recovery from missing TIP packet
perf intel-pt: Fix sync_switch
perf intel-pt: Fix overlap detection to identify consecutive buffers correctly
parisc: Fix out of array access in match_pci_device()
media: v4l2-compat-ioctl32: don't oops on overlay
f2fs: check cap_resource only for data blocks
Revert "f2fs: introduce f2fs_set_page_dirty_nobuffer"
f2fs: clear PageError on writepage
UPSTREAM: timer: Export destroy_hrtimer_on_stack()
BACKPORT: dm verity: add 'check_at_most_once' option to only validate hashes once
f2fs: call unlock_new_inode() before d_instantiate()
f2fs: refactor read path to allow multiple postprocessing steps
fscrypt: allow synchronous bio decryption
Change-Id: I45f4ac10734d92023b53118d83dcd6c83974a283
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>