The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.
Bug: 33300353
Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
Signed-off-by: Robb Glasser <rglasser@google.com>
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: 8bc3ec72a02052187397d0de1a7b8bbe7340451c
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Transition to D3 hot in system suspend allows the wil6210
device to preserve the active connections in system suspend.
Change-Id: I4c24551f91ee7e59d4bfee02b0911c31ae0a05b1
Signed-off-by: Maya Erez <merez@codeaurora.org>
In order to preserve the connection in suspend/resume flow,
wil6210 host allows going to PCIe D3hot state in suspend,
instead of performing a full wil6210 device reset. This
requires the platform ability to initiate wakeup in case of
RX data. To check that, a new platform API is added.
In addition, add cfg80211 suspend/resume callbacks
implementation.
Change-Id: I3846eaaa8d6e9ecbe5adbb0c04c7574865d5af5e
Signed-off-by: Maya Erez <merez@codeaurora.org>
Serializing reset_hw and reset_irq, to avoid race condition.
Change-Id: I0fd4fc8cfcdef9fe0e0679c3cee44b2dddc7b506
Signed-off-by: Ramesh V <ramev@codeaurora.org>
Variable "slave_info->sensor_name", "slave_info->eeprom_name",
"slave_info->actuator_name" and "slave_info->ois_name" are
from user input, which may be not NULL terminated.
OOB will be possible when accessing these variable.
Add a validation for these name length.
Change-Id: I9a570372707b7f8365a625d6b0662e87d1b4926e
Signed-off-by: Depeng Shao <dshao@codeaurora.org>
Running SMP2P tests from multiple threads causes simultaneous access to
the global loopback data and resulting into unexpected behavior.
Protect the global loopback data by synchronizing the SMP2P tests.
CRs-Fixed: 2041374
Change-Id: Ifb0e7ce5198af27602881a9132afb353f1a4fc2f
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
The pseudo-file char-device-nodes /dev/spcom and /dev/sp_ssr are not
associated with a logical channel for data transfer with the Secure
Processor (SP).
Avoid sending user command by file write() over those device nodes.
The command "create channel" should be done over /dev/sp_kernel rather
than over /dev/spcom.
Verify that glink pass valid channel pointer to spcom callbacks.
Use size_t for channel "actual_rx_size" parameter that is provided by
glink to spcom callback.
Remove "fake SSR" command, since real SSR is supported by SP.
Change-Id: Id9113389d94ab4aed01d3ac1e370c4e8f3c8965b
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
Initial driver directory setup for automotive
imaging subsystem - ais. The camera kernel drivers
for mobile and automotive platforms have been decoupled
and placed in separate directories as automotive usecases
will require significant divergence from mobile drivers.
The changes to the imaging pipeline drivers enable
automotive imaging subsystem interface from userspace.
This snapshot is taken as of msm-3.18 'commit c3d5931bbc51
("msm: Initial ais driver for automotive camera")'
Change-Id: I49b8e827818994d0a8b320ffe92f8031ffbb69ca
Signed-off-by: Terence Ho <terenceh@codeaurora.org>
Signed-off-by: Andy Sun <bins@codeaurora.org>
The SPLIT related registers are only for DSI interfaces. Without
checking the interface type, they could be overwrote by
configurations through HDMI path.
CRs-Fixed: 1085586
Change-Id: I7ace9fd8dfe5ee99cb750b2723e8f22701039552
Signed-off-by: Jin Li <jinl@codeaurora.org>
Signed-off-by: Yunyun Cao <yunyunc@codeaurora.org>
The h/v polarity should always be set from the panel configuration.
For HDMI display, it's from the EDID information. For DSI display,
it's from the panel settings in the dtsi.
CRs-Fixed: 1085021
Change-Id: I3776603d7055e69eb2c8e5003ab83bc0483ab7c8
Signed-off-by: Jin Li <jinl@codeaurora.org>
Signed-off-by: Yunyun Cao <yunyunc@codeaurora.org>
Clear deferrable_pending everytime timer softirq is run.
This handles a potential race condition, where one CPU
handles all deferrable timers, before the other CPU gets
a change to run timer softirq. Due to the deferrable_pending
not getting cleared, subsequently, CPUs do not raise
the softirq for handling expired deferrable timers,
in nohz idle enter path.
Change-Id: Ie5fd78f9b27e7553ba43101b86ad939c289827e0
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Buffer overflow can happen when finding next set bit
due to type casting of uint32_t to unsigned long.
Fix this to correctly print number of active cores in
rpm_master_stat.
Change-Id: Ibeacc5ac66535e373965d8f8e4919829367cc257
Signed-off-by: Maulik Shah <mkshah@codeaurora.org>
Some cameras have same sensor id in one device,
but camera sensor driver just validate sensor
id now which may result in wrong probe when camera
daemon is killed and camera re-probe sensor again.
Also validate the sensor name if sensor has probed.
Change-Id: I641bf8c346bada9e6cc619389077e25e666c743f
Signed-off-by: Depeng Shao <dshao@codeaurora.org>
Throttle clocks are always on, add entries in device node so that
driver can enable during session is running and disable it when
session is closed to save power.
Change-Id: I818d0c9121b0830cbaeb3bc0b89ea3c421f6028d
CRs-Fixed: 2036215
Signed-off-by: Deepak Kushwah <dkushwah@codeaurora.org>
Use the same FG ESR timer value (96) for charging and
discharging. This is to avoid the frequent periodic spur
seen in the RF performance with charger connected.
CRs-Fixed: 2046553
Change-Id: I9d1ad61f75f553bf527906715699817236f44b01
Signed-off-by: Anirudh Ghayal <aghayal@codeaurora.org>
At this point, there is nothing left to fail. And submit already has a
fence assigned and is added to the submit_list. Any problems from here
on out are asynchronous (ie. hangcheck/recovery).
Change-Id: Ib6b6bf00099137972649c97cc6cd8c4fe25ce7c3
Signed-off-by: Rob Clark <robdclark@gmail.com>
Git-commit: 1193c3bcb581807d58dd7df90528ec744af387a9
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[smasetty@codeaurora.org: fixed merge conflict issues; made corresponding
changes to A5XX submit function.]
Signed-off-by: Sharat Masetty <smasetty@codeaurora.org>
commit 19b7ccf8651df09d274671b53039c672a52ad84d upstream.
Commit 25520d55cd ("block: Inline blk_integrity in struct gendisk")
introduced blk_integrity_revalidate(), which seems to assume ownership
of the stable pages flag and unilaterally clears it if no blk_integrity
profile is registered:
if (bi->profile)
disk->queue->backing_dev_info->capabilities |=
BDI_CAP_STABLE_WRITES;
else
disk->queue->backing_dev_info->capabilities &=
~BDI_CAP_STABLE_WRITES;
It's called from revalidate_disk() and rescan_partitions(), making it
impossible to enable stable pages for drivers that support partitions
and don't use blk_integrity: while the call in revalidate_disk() can be
trivially worked around (see zram, which doesn't support partitions and
hence gets away with zram_revalidate_disk()), rescan_partitions() can
be triggered from userspace at any time. This breaks rbd, where the
ceph messenger is responsible for generating/verifying CRCs.
Since blk_integrity_{un,}register() "must" be used for (un)registering
the integrity profile with the block layer, move BDI_CAP_STABLE_WRITES
setting there. This way drivers that call blk_integrity_register() and
use integrity infrastructure won't interfere with drivers that don't
but still want stable pages.
Fixes: 25520d55cd ("block: Inline blk_integrity in struct gendisk")
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Mike Snitzer <snitzer@redhat.com>
Tested-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
[idryomov@gmail.com: backport to < 4.11: bdi is embedded in queue]
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3089c1df10e2931b1d72d2ffa7d86431084c86b3 upstream.
The vm fault handler relies on the fact that the VMA owns a reference
to the BO. However, once mmap_sem is released, other tasks are free to
destroy the VMA, which can lead to the BO being freed. Fix two code
paths where that can happen, both related to vm fault retries.
Found via a lock debugging warning which flagged &bo->wu_mutex as
locked while being destroyed.
Fixes: cbe12e74ee ("drm/ttm: Allow vm fault retries")
Signed-off-by: Nicolai Hähnle <nicolai.haehnle@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b9dd46188edc2f0d1f37328637860bb65a771124 upstream.
F2FS uses 4 bytes to represent block address. As a result, supported
size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit ac45bd93a5035c2f39c9862b8b6ed692db0fdc87 ]
We have the number of longs, but we need to calculate the number of
bytes required.
Fixes: c0c050c58d ("bnxt_en: New Broadcom ethernet driver.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 242d3a49a2a1a71d8eb9f953db1bcaa9d698ce00 ]
For each netns (except init_net), we initialize its null entry
in 3 places:
1) The template itself, as we use kmemdup()
2) Code around dst_init_metrics() in ip6_route_net_init()
3) ip6_route_dev_notify(), which is supposed to initialize it after
loopback registers
Unfortunately the last one still happens in a wrong order because
we expect to initialize net->ipv6.ip6_null_entry->rt6i_idev to
net->loopback_dev's idev, thus we have to do that after we add
idev to loopback. However, this notifier has priority == 0 same as
ipv6_dev_notf, and ipv6_dev_notf is registered after
ip6_route_dev_notifier so it is called actually after
ip6_route_dev_notifier. This is similar to commit 2f460933f58e
("ipv6: initialize route null entry in addrconf_init()") which
fixes init_net.
Fix it by picking a smaller priority for ip6_route_dev_notifier.
Also, we have to release the refcnt accordingly when unregistering
loopback_dev because device exit functions are called before subsys
exit functions.
Acked-by: David Ahern <dsahern@gmail.com>
Tested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 2f460933f58eee3393aba64f0f6d14acb08d1724 ]
Andrey reported a crash on init_net.ipv6.ip6_null_entry->rt6i_idev
since it is always NULL.
This is clearly wrong, we have code to initialize it to loopback_dev,
unfortunately the order is still not correct.
loopback_dev is registered very early during boot, we lose a chance
to re-initialize it in notifier. addrconf_init() is called after
ip6_route_init(), which means we have no chance to correct it.
Fix it by moving this initialization explicitly after
ipv6_add_dev(init_net.loopback_dev) in addrconf_init().
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 77ef033b687c3e030017c94a29bf6ea3aaaef678 ]
IFLA_PHYS_PORT_NAME is a string attribute, so terminate it with \0.
Otherwise libnl3 fails to validate netlink messages with this attribute.
"ip -detail a" assumes too that the attribute is NUL-terminated when
printing it. It often was, due to padding.
I noticed this as libvirtd failing to start on a system with sfc driver
after upgrading it to Linux 4.11, i.e. when sfc added support for
phys_port_name.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit a9f11f963a546fea9144f6a6d1a307e814a387e7 ]
Be careful when comparing tcp_time_stamp to some u32 quantity,
otherwise result can be surprising.
Fixes: 7c106d7e78 ("[TCP]: TCP Low Priority congestion control")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 7162fb242cb8322beb558828fd26b33c3e9fc805 ]
Andrey found a way to trigger the WARN_ON_ONCE(delta < len) in
skb_try_coalesce() using syzkaller and a filter attached to a TCP
socket over loopback interface.
I believe one issue with looped skbs is that tcp_trim_head() can end up
producing skb with under estimated truesize.
It hardly matters for normal conditions, since packets sent over
loopback are never truncated.
Bytes trimmed from skb->head should not change skb truesize, since
skb->head is not reallocated.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ab949d519601880fd46e8bc1445d6a453bf2dc09 upstream.
Imre Deak reported a deadlock of HD-audio driver at unbinding while
it's still in probing. Since we probe the codecs asynchronously in a
work, the codec driver probe may still be kicked off while the
controller itself is being unbound. And, azx_remove() tries to
process all pending tasks via cancel_work_sync() for fixing the other
races (see commit [0b8c82190c12: ALSA: hda - Cancel probe work instead
of flush at remove]), now we may meet a bizarre deadlock:
Unbind snd_hda_intel via sysfs:
device_release_driver() ->
device_lock(snd_hda_intel) ->
azx_remove() ->
cancel_work_sync(azx_probe_work)
azx_probe_work():
codec driver probe() ->
__driver_attach() ->
device_lock(snd_hda_intel)
This deadlock is caused by the fact that both device_release_driver()
and driver_probe_device() take both the device and its parent locks at
the same time. The codec device sets the controller device as its
parent, and this lock is taken before the probe() callback is called,
while the controller remove() callback gets called also with the same
lock.
In this patch, as an ugly workaround, we unlock the controller device
temporarily during cancel_work_sync() call. The race against another
bind call should be still suppressed by the parent's device lock.
Reported-by: Imre Deak <imre.deak@intel.com>
Fixes: 0b8c82190c12 ("ALSA: hda - Cancel probe work instead of flush at remove")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4f3445067d5f78fb8d1970b02610f85c2f377ea4 upstream.
The probe function is not marked __init, but some other functions
are. This leads to a warning on older compilers (e.g. gcc-4.3),
and can cause executing freed memory when built with those
compilers:
WARNING: drivers/staging/emxx_udc/emxx_udc.o(.text+0x2d78): Section mismatch in reference from the function nbu2ss_drv_probe() to the function .init.text:nbu2ss_drv_contest_init()
This removes the annotations.
Fixes: 33aa8d45a4 ("staging: emxx_udc: Add Emma Mobile USB Gadget driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2c474b8579e9b67ff72b2bcefce9f53c7f4469d4 upstream.
Conversion macros le16_to_cpu was removed and that caused new sparse warning
sparse output:
drivers/staging/wlan-ng/p80211netdev.c:241:44: warning: incorrect type in argument 2 (different base types)
drivers/staging/wlan-ng/p80211netdev.c:241:44: expected unsigned short [unsigned] [usertype] fc
drivers/staging/wlan-ng/p80211netdev.c:241:44: got restricted __le16 [usertype] fc
Fixes: 7ad8257234 ("staging:wlan-ng:Fix sparse warning")
Signed-off-by: Igor Pylypiv <igor.pylypiv@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9cc4b7cb86cbcc6330a3faa8cd65268cd2d3c227 upstream.
The driver was making changes to the skb_header without
ensuring it was writable (i.e. uncloned).
This patch also removes some boiler plate header size
checking/adjustment code as that is also handled by the
skb_cow_header function used to make header writable.
Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 455a1eb4654c24560eb9dfc634f29cba3d87601e upstream.
The incoming skb header may be resized if header space is
insufficient, which might change the data adddress in the skb.
Ensure that a cached pointer to that data is correctly set by
moving assignment to after any possible changes.
Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
