Commit graph

607659 commits

Author SHA1 Message Date
Linux Build Service Account
b0929d3d6b Merge "soc: qcom: Reorganize PIL code for reclaiming MSS mem during SSR" 2019-10-23 18:55:41 -07:00
Linux Build Service Account
dd4645c977 Merge "msm: ekms: Remove the wait for completion of eDRM probe" 2019-10-21 00:16:55 -07:00
Linux Build Service Account
20ad64b4d0 Merge "msm: pcie: Use local variable for manipulation" 2019-10-19 01:24:46 -07:00
Linux Build Service Account
329af9b580 Merge "power: battery: Initialize work struct before cancelling work" 2019-10-18 15:15:38 -07:00
Linux Build Service Account
e39e0aa356 Merge "ASoC: Fix possible overflow in routing driver" 2019-10-18 04:49:02 -07:00
Soumya Managoli
27c90ea8af ASoC: Fix possible overflow in routing driver
The reg in soc_mixer_control is 32-bit. When using
SOC_SINGLE_EXT, the value of FE DAI ID which is passed
as shift(to be operated on the reg) may be more than 31,
which may cause overflow.
Use SOC_DOUBLE_EXT instead of SOC_SINGLE_EXT so that the
reg field can be set to SOC_NO_PM to avoid any DAPM operation,
while passing BE and FE IDs in shift and rshift fields. And
these values can be retrieved in get/put functions and used.
This is to avoid any possible overflow in DAPM operation.

Change-Id: I17fa4e059889ae725e6f015a779f518e6d0a813f
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>
2019-10-17 16:26:36 +05:30
Avaneesh Kumar Dwivedi
a19e5e98f4 soc: qcom: Reorganize PIL code for reclaiming MSS mem during SSR
This change asks the hypervisor to remove memory mapping for MSS
from IOMMU second stage table and assign the ownership back to
HLOS just after MBA is booted.

Presently this is being done only after MBA is booted and MDT is
authenticated.

Change-Id: I724c1bcc664827e666612dd34cd078f3f044498a
Signed-off-by: Avaneesh Kumar Dwivedi <akdwived@codeaurora.org>
2019-10-17 11:14:45 +05:30
Rahul Sharma
c2877a4eb8 msm: ekms: Remove the wait for completion of eDRM probe
Main DRM & eDRM drivers have asynchronous probes. In order to ensure that
both drivers' probes have completed, a wait for completion for the
respective driver is executed. There is an issue where the
wait for the eDRM driver blocks the eDRM driver deferred probe call.

This change removes the wait in the eDRM driver for completion of its probe
as eDRM driver is always initialized after main DRM and necessary clock
voting would also be done in main DRM.

Change-Id: I422419d381ad3d0361fb80f3b2b9d176203a9342
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>
2019-10-16 13:58:23 +05:30
Nirmal Abraham
6dec23e2d3 fbdev: msm: Avoid UAF in mdss_dsi_cmd_write
In mdss_dsi_cmd_write, a failure in copying the cmds to
'string_buf' can cause an early return. In this case,
the 'pcmds->string_buf' won't be pointing to a valid
buffer. This can lead to use-after-free and memory leak.
To avoid this, assign the newly allocated buffer to
'pcmds->string_buf' after returning from krealloc call.

Change-Id: I286f12c86078d1989cb09453c8a395a4ad94b324
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
2019-10-15 22:42:19 -07:00
Umang Chheda
666e83125b power: battery: Initialize work struct before cancelling work
Votable callback accesses work structure as part of
their callback, initialize work before creation of votables.

Change-Id: I91741b3d54c73aab5c695a31292a32752edc77cd
Signed-off-by: Umang Chheda <uchheda@codeaurora.org>
2019-10-15 11:54:11 +05:30
Linux Build Service Account
c65b958524 Merge "cnss2: Add support for genoa sdio" 2019-10-14 04:48:42 -07:00
Jayachandran Sreekumaran
e5b2b112b3 cnss2: Add support for genoa sdio
Add support for genoa sdio

Change-Id: Icf004d954ca0b508830412da6a381a7844f66efe
Signed-off-by: Jayachandran Sreekumaran <jsreekum@codeaurora.org>
2019-10-14 11:33:53 +05:30
Linux Build Service Account
4b981b7bf7 Merge "ARM: dts: msm: Removed IOMMU test device node for MSM8996" 2019-10-11 13:27:31 -07:00
Gerrit - the friendly Code Review server
a4e2c9c9ee Merge changes into msm-4.4 2019-10-11 05:18:32 -07:00
Arjun Sreenath
4bcdd835f0 ARM: dts: msm: Removed IOMMU test device node for MSM8996
Removed IOMMU test device node for MSM8996 only.

Change-Id: I3197da05da1096cd485b0464fb6ccf87513d927e
Signed-off-by: Arjun Sreenath <asreen@codeaurora.org>
2019-10-11 12:48:49 +05:30
Linux Build Service Account
eef0f89bc7 Merge "defconfig : Enable Configs for MSM8996" 2019-10-10 23:39:05 -07:00
Linux Build Service Account
f0cc9af172 Merge "msm: camera_v2: Avoid halting AXI bridge" 2019-10-10 14:55:36 -07:00
Manoj Prabhu B
e935115d05 diag: Validate msg source length to prevent out of bound access
Place check for mask size and validate source length against
sum of header length and mask size to prevent out of bound access.

Change-Id: I8ac089202b6e3007773b92be8cfdc52fcb30ec3c
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
2019-10-09 01:57:01 -07:00
Rama Krishna Phani A
7eea87cef2 msm: pcie: Use local variable for manipulation
There is a chance that wr_offset can be modified to
an arbitrary value as it is a global variable. Have
a local copy of this value and use it for further
manipulation.

Change-Id: If3b76a0dd95e81bd057d89626818c72405f91d65
Signed-off-by: Rama Krishna Phani A <rphani@codeaurora.org>
2019-10-03 11:57:10 +05:30
Naitik Bharadiya
fe064e0aca defconfig : Enable Configs for MSM8996
CONFIG_ENABLE_FP_SIMD_SETTINGS :

Enable FP(Floating Point) and SIMD settings required
during execution of AArch32 processes.

CONFIG_MSM_APP_SETTINGS :

Enable support for app specific setting on MSM8996. This
is required for providing an interface so that app specific
settings can be applied / cleared.

Change-Id: Ife81b927dc58ef5e5fb7a6668286c176f16ad7bf
Signed-off-by: Naitik Bharadiya <bharad@codeaurora.org>
2019-09-30 23:04:53 -07:00
Linux Build Service Account
a8e92fae3a Merge "msm: pcie: Add proper check before accessing variables" 2019-09-30 14:29:17 -07:00
Linux Build Service Account
fbd8673890 Merge "qseecom: correct range check in __qseecom_update_cmd_buf_64" 2019-09-30 05:49:12 -07:00
Shadul Shaikh
590cc98800 msm: camera_v2: Avoid halting AXI bridge
Avoid halting AXI bridge during CPP node close.

Change-Id: I27b2f4a054aa9b910a55f7f6f60ea84f80e3db4d
Signed-off-by: Shadul Shaikh <sshadu@codeaurora.org>
2019-09-30 16:02:02 +05:30
Linux Build Service Account
43226922ac Merge "Merge android-4.4.194 (a749771) into msm-4.4" 2019-09-26 07:32:37 -07:00
Rama Krishna Phani A
ac54df4a79 msm: pcie: Add proper check before accessing variables
Base_sel variable is being accessed without any check.
Add proper check before accessing base_sel variable.

Change-Id: I31232cc0285bc8cc01d8fa4ee7954bf2f766cbce
Signed-off-by: Rama Krishna Phani A <rphani@codeaurora.org>
2019-09-26 18:44:34 +05:30
Sanjay Singh
afa865d588 msm_vidc: Add checks to avoid OOB access(refined)
Validate structures and payload sizes in the
packet against packet size to avoid OOB access.

Change-Id: I8a203a81506f603c2e37c1b2a780d3088e6933be
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
2019-09-25 23:09:31 -07:00
Linux Build Service Account
b7cf9142ba Merge "msm: kgsl: Disable deprecated ioctls" 2019-09-25 09:17:04 -07:00
Linux Build Service Account
bfe76d44d2 Merge "ARM: dts: msm: Remove GPU min and low svs clocks for MSM8996ProAU" 2019-09-24 11:00:43 -07:00
jitendrathakare
2e14413b3c qseecom: correct range check in __qseecom_update_cmd_buf_64
Make change to validate if there exists enough space to write a
uint64 instead of a uint32 value, in __qseecom_update_cmd_buf_64.

Change-Id: Iabf61dea240f16108e1765585aae3a12d2d651c9
Signed-off-by: jitendra thakare <jitendrathakare@codeaurora.org>
2019-09-24 20:15:28 +05:30
Gerrit - the friendly Code Review server
bbef2c7a60 Merge changes into msm-4.4 2019-09-24 06:19:07 -07:00
Linux Build Service Account
abb06375a5 Merge "Merge android-4.4.193 (3edc5af) into msm-4.4" 2019-09-23 23:40:24 -07:00
Srinivasarao P
90582d7c19 Merge android-4.4.194 (a749771) into msm-4.4
* refs/heads/tmp-a749771
  Linux 4.4.194
  net_sched: let qdisc_put() accept NULL pointer
  ARC: export "abort" for modules
  media: technisat-usb2: break out of loop at end of buffer
  floppy: fix usercopy direction
  keys: Fix missing null pointer check in request_key_auth_describe()
  dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
  net: seeq: Fix the function used to release some memory in an error handling path
  tools/power turbostat: fix buffer overrun
  sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
  cifs: Use kzfree() to zero out the password
  cifs: set domainName when a domain-key is used in multiuser
  NFSv2: Fix write regression
  NFSv2: Fix eof handling
  netfilter: nf_conntrack_ftp: Fix debug output
  x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines
  r8152: Set memory to all 0xFFs on failed reg reads
  ARM: 8874/1: mm: only adjust sections of valid mm structures
  Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105
  NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
  NFSv4: Fix return values for nfs4_file_open()
  s390/bpf: use 32-bit index for tail calls
  ARM: OMAP2+: Fix omap4 errata warning on other SoCs
  s390/bpf: fix lcgr instruction encoding
  mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
  tty/serial: atmel: reschedule TX after RX was started
  serial: sprd: correct the wrong sequence of arguments
  KVM: coalesced_mmio: add bounds checking
  xen-netfront: do not assume sk_buff_head list is empty in error handling
  x86/boot: Add missing bootparam that breaks boot on some platforms
  media: tm6000: double free if usb disconnect while streaming
  USB: usbcore: Fix slab-out-of-bounds bug during device reset
  ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
  MIPS: netlogic: xlr: Remove erroneous check in nlm_fmn_send()
  x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning
  crypto: talitos - check data blocksize in ablkcipher.
  crypto: talitos - check AES key size
  driver core: Fix use-after-free and double free on glue directory
  clk: rockchip: Don't yell about bad mmc phases when getting
  MIPS: VDSO: Use same -m%-float cflag as the kernel proper
  MIPS: VDSO: Prevent use of smp_processor_id()
  KVM: nVMX: handle page fault in vmread
  KVM: x86: work around leak of uninitialized stack contents
  KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
  genirq: Prevent NULL pointer dereference in resend_irqs()
  Btrfs: fix assertion failure during fsync and use of stale transaction
  Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur"
  tun: fix use-after-free when register netdev failed
  tipc: add NULL pointer check before calling kfree_rcu
  tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
  sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
  sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
  sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
  net: Fix null de-reference of device refcount
  isdn/capi: check message length in capi_write()
  ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
  cdc_ether: fix rndis support for Mediatek based smartphones
  bridge/mdb: remove wrong use of NLM_F_MULTI

Change-Id: I950778c771159febb721a4ebc2656c57ef40ad83
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2019-09-24 10:58:13 +05:30
Linux Build Service Account
c932d4ad3d Merge "usb: dwc3-msm: Try core reset and reinit if PHY PLL lock fails" 2019-09-23 15:28:27 -07:00
Linux Build Service Account
c518693e64 Merge "msm: ipa: add additional checks to prevent use-after free errors" 2019-09-23 15:28:26 -07:00
Linux Build Service Account
2d0e3734b5 Merge "PM / devfreq: gpubw_mon: Add null check for governor private data" 2019-09-23 15:28:23 -07:00
Linux Build Service Account
d448d5bf1a Merge "dwc3-msm: Replace autosuspend delay functionality with stop host mode" 2019-09-23 08:39:04 -07:00
Linux Build Service Account
c7e9684caf Merge "cnss2: support wakeup using gpio" 2019-09-23 00:43:38 -07:00
Archana Sriram
10bf308dd8 PM / devfreq: gpubw_mon: Add null check for governor private data
During SUSPEND event, check the pointer for governor
private data is not NULL before updating bus parameters
to zero.

Change-Id: I1a37173e8ae7ad4bcd5f8497c5956302e647c862
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
2019-09-22 23:56:21 -07:00
Greg Kroah-Hartman
a749771ac2 This is the 4.4.194 stable release

Merge 4.4.194 into android-4.4

Changes in 4.4.194
	bridge/mdb: remove wrong use of NLM_F_MULTI
	cdc_ether: fix rndis support for Mediatek based smartphones
	ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'
	isdn/capi: check message length in capi_write()
	net: Fix null de-reference of device refcount
	sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
	sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()'
	sctp: use transport pf_retrans in sctp_do_8_2_transport_strike
	tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR
	tipc: add NULL pointer check before calling kfree_rcu
	tun: fix use-after-free when register netdev failed
	Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur"
	Btrfs: fix assertion failure during fsync and use of stale transaction
	genirq: Prevent NULL pointer dereference in resend_irqs()
	KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
	KVM: x86: work around leak of uninitialized stack contents
	KVM: nVMX: handle page fault in vmread
	MIPS: VDSO: Prevent use of smp_processor_id()
	MIPS: VDSO: Use same -m%-float cflag as the kernel proper
	clk: rockchip: Don't yell about bad mmc phases when getting
	driver core: Fix use-after-free and double free on glue directory
	crypto: talitos - check AES key size
	crypto: talitos - check data blocksize in ablkcipher.
	x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning
	MIPS: netlogic: xlr: Remove erroneous check in nlm_fmn_send()
	ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
	USB: usbcore: Fix slab-out-of-bounds bug during device reset
	media: tm6000: double free if usb disconnect while streaming
	x86/boot: Add missing bootparam that breaks boot on some platforms
	xen-netfront: do not assume sk_buff_head list is empty in error handling
	KVM: coalesced_mmio: add bounds checking
	serial: sprd: correct the wrong sequence of arguments
	tty/serial: atmel: reschedule TX after RX was started
	mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings
	s390/bpf: fix lcgr instruction encoding
	ARM: OMAP2+: Fix omap4 errata warning on other SoCs
	s390/bpf: use 32-bit index for tail calls
	NFSv4: Fix return values for nfs4_file_open()
	NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup
	Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105
	ARM: 8874/1: mm: only adjust sections of valid mm structures
	r8152: Set memory to all 0xFFs on failed reg reads
	x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines
	netfilter: nf_conntrack_ftp: Fix debug output
	NFSv2: Fix eof handling
	NFSv2: Fix write regression
	cifs: set domainName when a domain-key is used in multiuser
	cifs: Use kzfree() to zero out the password
	sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
	tools/power turbostat: fix buffer overrun
	net: seeq: Fix the function used to release some memory in an error handling path
	dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
	keys: Fix missing null pointer check in request_key_auth_describe()
	floppy: fix usercopy direction
	media: technisat-usb2: break out of loop at end of buffer
	ARC: export "abort" for modules
	net_sched: let qdisc_put() accept NULL pointer
	Linux 4.4.194

Change-Id: Ia27dd36133c3294c756d2376357572325afcd6fb
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-09-21 08:03:02 +02:00
Greg Kroah-Hartman
5f090d837b Linux 4.4.194 2019-09-21 07:12:54 +02:00
Cong Wang
00ff438add net_sched: let qdisc_put() accept NULL pointer
[ Upstream commit 6efb971ba8edfbd80b666f29de12882852f095ae ]

When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL
pointer which leads to a crash in sfb_destroy(). Similar for
sch_dsmark.

Instead of fixing each separately, Linus suggested to just accept
NULL pointer in qdisc_put(), which would make callers easier.

(For sch_dsmark, the bug probably exists long before commit
6529eaba33f0.)

Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-21 07:12:54 +02:00
Vineet Gupta
6b011ece4c ARC: export "abort" for modules
This is a custom patch (no mainline equivalent) for stable backport only
to address 0-Day kernel test infra ARC 4.x.y build errors.

The reason for this custom patch is that it is a single patch, touches
only ARC, vs. at least two 7c2c11b208be09c1, dc8635b78cd8669 which touch
at least 3 other arches (one long removed) and could potentially have a
fallout.

Reported-by: kbuild test robot <lkp@intel.com>
CC: stable@vger.kernel.org	# 4.4, 4.9
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-21 07:12:54 +02:00
Sean Young
db38be7719 media: technisat-usb2: break out of loop at end of buffer
commit 0c4df39e504bf925ab666132ac3c98d6cbbe380b upstream.

Ensure we do not access the buffer beyond the end if no 0xff byte
is encountered.

Reported-by: syzbot+eaaaf38a95427be88f4b@syzkaller.appspotmail.com
Signed-off-by: Sean Young <sean@mess.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-21 07:12:53 +02:00
Jann Horn
f5282fe273 floppy: fix usercopy direction
commit 52f6f9d74f31078964ca1574f7bb612da7877ac8 upstream.

As sparse points out, these two copy_from_user() should actually be
copy_to_user().

Fixes: 229b53c9bf4e ("take floppy compat ioctls to sodding floppy.c")
Cc: stable@vger.kernel.org
Acked-by: Alexander Popov <alex.popov@linux.com>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-21 07:12:53 +02:00
Hillf Danton
c08c6b9eb5 keys: Fix missing null pointer check in request_key_auth_describe()
[ Upstream commit d41a3effbb53b1bcea41e328d16a4d046a508381 ]

If a request_key authentication token key gets revoked, there's a window in
which request_key_auth_describe() can see it with a NULL payload - but it
makes no check for this and something like the following oops may occur:

	BUG: Kernel NULL pointer dereference at 0x00000038
	Faulting instruction address: 0xc0000000004ddf30
	Oops: Kernel access of bad area, sig: 11 [#1]
	...
	NIP [...] request_key_auth_describe+0x90/0xd0
	LR [...] request_key_auth_describe+0x54/0xd0
	Call Trace:
	[...] request_key_auth_describe+0x54/0xd0 (unreliable)
	[...] proc_keys_show+0x308/0x4c0
	[...] seq_read+0x3d0/0x540
	[...] proc_reg_read+0x90/0x110
	[...] __vfs_read+0x3c/0x70
	[...] vfs_read+0xb4/0x1b0
	[...] ksys_read+0x7c/0x130
	[...] system_call+0x5c/0x70

Fix this by checking for a NULL pointer when describing such a key.

Also make the read routine check for a NULL pointer to be on the safe side.

[DH: Modified to not take already-held rcu lock and modified to also check
 in the read routine]

Fixes: 04c567d931 ("[PATCH] Keys: Fix race between two instantiators of a key")
Reported-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Sachin Sant <sachinp@linux.vnet.ibm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-21 07:12:53 +02:00
Wenwen Wang
c9670a4e6d dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe()
[ Upstream commit 962411b05a6d3342aa649e39cda1704c1fc042c6 ]

If devm_request_irq() fails to disable all interrupts, no cleanup is
performed before returning the error. To fix this issue, invoke
omap_dma_free() to do the cleanup.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Link: https://lore.kernel.org/r/1565938570-7528-1-git-send-email-wenwen@cs.uga.edu
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-21 07:12:52 +02:00
Christophe JAILLET
8636e17838 net: seeq: Fix the function used to release some memory in an error handling path
[ Upstream commit e1e54ec7fb55501c33b117c111cb0a045b8eded2 ]

In commit 99cd149efe ("sgiseeq: replace use of dma_cache_wback_inv"),
a call to 'get_zeroed_page()' has been turned into a call to
'dma_alloc_coherent()'. Only the remove function has been updated to turn
the corresponding 'free_page()' into 'dma_free_attrs()'.
The error handling path of the probe function has not been updated.

Fix it now.

Rename the corresponding label to something more in line.

Fixes: 99cd149efe ("sgiseeq: replace use of dma_cache_wback_inv")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-21 07:12:52 +02:00
Naoya Horiguchi
a96b6b408c tools/power turbostat: fix buffer overrun
[ Upstream commit eeb71c950bc6eee460f2070643ce137e067b234c ]

turbostat could be terminated by general protection fault on some latest
hardwares which (for example) support 9 levels of C-states and show 18
"tADDED" lines. That bloats the total output and finally causes buffer
overrun.  So let's extend the buffer to avoid this.

Signed-off-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-21 07:12:52 +02:00
Takashi Iwai
015c9eff13 sky2: Disable MSI on yet another ASUS boards (P6Xxxx)
[ Upstream commit 189308d5823a089b56e2299cd96589507dac7319 ]

A similar workaround for the suspend/resume problem is needed for yet
another ASUS machines, P6X models.  Like the previous fix, the BIOS
doesn't provide the standard DMI_SYS_* entry, so again DMI_BOARD_*
entries are used instead.

Reported-and-tested-by: SteveM <swm@swm1.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-21 07:12:52 +02:00
Dan Carpenter
a17102c93c cifs: Use kzfree() to zero out the password
[ Upstream commit 478228e57f81f6cb60798d54fc02a74ea7dd267e ]

It's safer to zero out the password so that it can never be disclosed.

Fixes: 0c219f5799c7 ("cifs: set domainName when a domain-key is used in multiuser")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-09-21 07:12:51 +02:00