page allocated in fuse_dentry_canonical_path to be handled in
fuse_dev_do_write is allocated using __get_free_pages(GFP_KERNEL).
This may not return a page with data filled with 0. Now this
page may not have a null terminator at all.
If this happens and userspace fuse daemon screws up by passing a string
to kernel which is not NULL terminated (or did not fill anything),
then inside fuse driver in kernel when we try to do
strlen(fuse_dev_write->kern_path->getname_kernel)
on that page data -> it may give us an issue with a kernel paging request.
Unable to handle kernel paging request at virtual address
------------[ cut here ]------------
<..>
PC is at strlen+0x10/0x90
LR is at getname_kernel+0x2c/0xf4
<..>
strlen+0x10/0x90
kern_path+0x28/0x4c
fuse_dev_do_write+0x5b8/0x694
fuse_dev_write+0x74/0x94
do_iter_readv_writev+0x80/0xb8
do_readv_writev+0xec/0x1cc
vfs_writev+0x54/0x64
SyS_writev+0x64/0xe4
el0_svc_naked+0x24/0x28
To avoid this we should ensure in case of FUSE_CANONICAL_PATH,
the page is null terminated.
Change-Id: I33ca7cc76b4472eaa982c67bb20685df451121f5
Bug: 75984715
[Daniel - small edit, using args size ]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Git-Repo: https://source.codeaurora.org/quic/la/kernel/msm-4.9/commit/?h=aosp-new/android-4.9&id=4fb542f2aa1414cea5686efcf72a411b7213c375
Git-Commit: 4fb542f2aa1414cea5686efcf72a411b7213c375
Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org>
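The failure mode described in the FUSE commit message above, as an added user-space C model. It is not the kernel patch or code from the commit; MODEL_PAGE_SIZE and all function names are hypothetical, and the static buffer stands in for the page returned by __get_free_pages().

```c
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u /* assumed page size for this model */

static char page[MODEL_PAGE_SIZE]; /* stands in for the __get_free_pages() page */

/* Hypothetical daemon reply: copies len bytes and writes no terminator. */
static size_t daemon_reply(const char *data, size_t len)
{
    memset(page, 'A', sizeof(page)); /* stale, non-zero contents */
    if (len > sizeof(page))
        len = sizeof(page);
    memcpy(page, data, len);
    return len;
}

/* Bounded scan: is there a NUL anywhere inside the page? */
static int page_is_terminated(void)
{
    return memchr(page, '\0', sizeof(page)) != NULL;
}

/* Force a terminator at the reply size, clamped to the last byte of the
 * page, and return the resulting path length. */
static size_t terminate_path(size_t arg_size)
{
    size_t end = arg_size < sizeof(page) ? arg_size : sizeof(page) - 1;
    page[end] = '\0';
    return strlen(page);
}

/* Runs one reply through the model; *was_terminated reports the state
 * before the fix-up, the return value is the path length after it. */
size_t canonical_path_len(const char *reply, size_t len, int *was_terminated)
{
    size_t n = daemon_reply(reply, len);
    *was_terminated = page_is_terminated();
    return terminate_path(n);
}

int main(void)
{
    int ok;
    size_t n = canonical_path_len("/data/media/0", 13, &ok);
    printf("terminated before fix-up: %d, length after: %zu\n", ok, n);
    return 0;
}
```

Without the fix-up, an unbounded strlen() on the unterminated page would read past its end, which is the fault shown in the trace above.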
When processing a blocked listener request, ptr_app's app_blocked
flag should be set to prevent it being unloaded at this time;
besides, need to check the unblock request's scm_call response result
to see if it is blocked again; and removed redundant code.
Change-Id: I2d72a88e9e600d6b7e944ae978b9d89a7b6db242
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make a change to block system signals when qseecom is waiting for
a blocked listener to become available. This will prevent qseecom
being woken up by power collapse and returning to kernel, which
may cause an XPU violation as the TA req/resp buffer is still XPU protected
at this time.
Change-Id: Ie5ea16f11ad653937236de042afb1bb5710123e6
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
SDE plane src/dst size is uninitialized and programmed to hw when
only color format is changed. This change will only configure hw
when src/dst size is calculated.
Change-Id: I5953f899a2c503b1d8f2577c28a67711b9ed9a67
Signed-off-by: Camus Wong <camusw@codeaurora.org>
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>
This reverts commit 84d22be9dc ("msm: vidc: Add support for decoder
STOP command")
There is a regression for video playback with this commit. Therefore,
it needs to be reverted.
Change-Id: Ibc4ca31c48e148063de60f59ea90d693d5657163
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Currently the maximum number of bytes to be copied from the buffer
incorrectly uses the size of the buffer. Replace it with the count,
which is the maximum number of bytes to be read.
Change-Id: I797c4dc0af626e347dfef43a754d0c469585ba55
Signed-off-by: Taniya Das <tdas@codeaurora.org>
When the WLAN driver encounters FW timeout scenarios, it may check if the
FW is down by calling the icnss_is_fw_down() API. Recovery should also be
considered as FW down, as FW has not completely recovered and is not ready
for WLAN communication.
Change-Id: I4c9e15aacc5605dca823e2cfcbf6f87152aaa78e
CRs-Fixed: 2218795
Signed-off-by: Sameer Thalappil <sameert@codeaurora.org>
Check the number of bytes to copy against the size of the
user buffer before copy to user to avoid buffer overflow.
Change-Id: Icdd3d4e755deca19fa431e903620bd9e4c701c89
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
Use the resource managed regulator API for the wcnss
regulator parsing and configuration.
CRs-Fixed: 2214888
Change-Id: Ib376893c26bb9aa797e7e9df25cc7302a84a3726
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Update the voltage regulator enable/disable status
during proxy vote and unvote request by wcnss wlan
module.
CRs-Fixed: 2211050
Change-Id: I334df98612b0915fe00d5390fbcd37c95e9f6509
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Check the number of bytes to copy against the size of the
user buffer before copy to user to avoid buffer overflow.
Change-Id: I95083227cfefaf1a81815296145b0c370127e061
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
Initialize variables that are passed by reference, so that
they can be used safely afterwards, irrespective of the
called function actions.
Change-Id: Ib7fa26b0682c719cabdb9cb94f206a93e3eaaf63
Signed-off-by: Venkata Prahlad Valluru <vvalluru@codeaurora.org>
Currently there is a possibility of kmalloc failing
when the system is running low on memory.
The patch changes the dci memory allocation from
kzalloc to vzalloc.
CRs-Fixed: 2195818
Change-Id: I92b20d8e77ce5b2a96212f9d0757fbbff2703891
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Add DTSI entries for ADV7481 on Auto CDP. This is the
HDMI-CSI conversion bridge chip. Also enable the required
CSIDs in camera sensor DTSI.
Change-Id: I972cd2cd538cddf9012fc52400b2980930f77775
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
Stuff relevant to ioctl is only for the hab driver
itself and hab clients in user space. Those hab clients
in the kernel do not need it. So here uapi/linux/habmm.h
is refined into two files as habmmid.h and hab_ioctl.h.
Change-Id: I9344e3e3fec88a042ec1915a9c0d51a28cea6e9a
Signed-off-by: Yong Ding <yongding@codeaurora.org>
Increase MAX_QTI_PKT_SIZE to 8KB to handle QMI messages of bigger
length of 8KB.
Change-Id: I479794c9563ae89b9062b75031b6cdc739a0f620
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>