The NVID settings for 5.4 Ghz link rate doesn't need
the multiplying factor since this is handled in the
pll dividers. Add changes to remove the multiplying
factor in controller driver.
Change-Id: I695c08323e0e6ea30d6fdafc0eecaa4c8e04aaa5
Signed-off-by: Chandan Uddaraju <chandanu@codeaurora.org>
If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.
The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
NLMSG_HDRLEN' which bypasses the length validation and will later
trigger an out-of-bound read.
If the length validation does fail then the malformed batch message is
copied back to userspace. However, we cannot do this because the
nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
netlink_ack:
[ 41.455421] ==================================================================
[ 41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
[ 41.456431] Read of size 4294967280 by task a.out/987
[ 41.456431] =============================================================================
[ 41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
[ 41.456431] -----------------------------------------------------------------------------
...
[ 41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00 ................
[ 41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00 ...............
[ 41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05 .......@EV."3...
[ 41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb ................
^^ start of batch nlmsg with
nlmsg_len=4294967280
...
[ 41.456431] Memory state around the buggy address:
[ 41.456431] ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ^
[ 41.456431] ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 41.456431] ==================================================================
Fix this with better validation of nlh->nlmsg_len and by setting
NFNL_BATCH_FAILURE if any batch message fails length validation.
CAP_NET_ADMIN is required to trigger the bugs.
Fixes: 9ea2aa8b7d ("netfilter: nfnetlink: validate nfnetlink header from batch")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Id91de0fcfc4a94f0c6282b59f96cea7cd0fea64c
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: c58d6c93680f28ac58984af61d0a7ebf4319c241
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.
The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.
Change-Id: I3b04131079a27f0b1cd60df03c793e8d9ffe5e91
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 50220dead1650609206efe91f0cc116132d59b3f
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Change-Id: Iba5975e360eb2b2729b6f958b7cb00bfc469e51b
Fixes: 6859d49475 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: bb1fceca22492109be12640d49f5ea5a544c6bb4
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
when USB cable is disconnected during TX data transfers, endpoints will
be disabled during function disable. If userspace client tries to queue
requests on disabled endpoints, driver will wait till endpoints are
enabled and then queues previous session requests. This results in kernel
driver and userspace driver out of sync and due to this, stall will be
seen. Hence fix this issue by returning error value if client tries to
queue requests on TX endpoint during device offline.
CRs-Fixed: 633497
Change-Id: I3e43b8a704367aff7fe8dd88159315aef811c51c
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Isolation code needs to be synchronized with both hotplug and suspend.
Ensure this by taking the lock that is taken by both paths and ensure
hotplug notifiers are processed for suspend/resume.
Change-Id: I663588cfd2f9e3972b9adc1a10887ef36cd70c57
Signed-off-by: Olav Haugan <ohaugan@codeaurora.org>
QTI needs an indication of cable connect for DPL.
Since host DPL driver does not send DTR indication
send zero length packet to QTI upon cable connect.
Change-Id: I545771f9a84ecc9c2f641c17e057673a32b1f305
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Add charger/FG device nodes along with the necessary
configuration.
Keep all these nodes disabled for simulator/RUMI platform.
CRs-fixed: 1091731
Change-Id: I9c751d777d8402cdea3cdfb27da1a19a98a250e2
Signed-off-by: Ashay Jaiswal <ashayj@codeaurora.org>
It is found that "dc civac" from el0 on a non-COW RO VA results in a
segmentation fault, while as per ARM ARM, for el0 only read access
permission is needed on a VA to perform clean and invalidate. This bug
was introduced by commit 3fbe6bc28a6b ("arm64: Allow cache maintenance
operations to trigger write faults"), which enabled write faults on all
cache maintenance faults.
The original intention of the above commit was to trigger write faults
only for cache maintenance operations performed by EL1 on user VA. But
it introduced this side effect of generating a write fault on EL0 cache
maintenance ops also when a read permission is sufficient for operation
to succeed. This results in a segmentation fault when the VA is part of
region marked as PROT_READ.
So trigger write faults only when the cache maintenance fault is generated
in non-user mode. Still, there can be a case where kernel performs a cache
maintenance op on a PROT_READ mapped VA which will result in a kernel
fault. But that looks invalid since there is no need for a kernel driver
to perform a cache maintenance on a RO buffer and such cases if they exist
need to be fixed.
Change-Id: I001ca0473c37fcf713201386b5ed6a6244f6b37d
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
arm64 sets non-dirty userspace PTEs as read only by default.
The expectation is that on the first write the fault handler will
properly unmark the PTE as read only. Currently, the fault handler
will not mark a fault coming from a cache maintenance operation as
a write. The result of this is that a write to a user space address
from a cache maintenance operation will not get unmarked as read only
and the access may be retried infinitely. Rather than going through
the hassel and side effects of adding the cache operations to the
exception table and changing arm code to match, just drop the CM
check from the fault handler and let cache maintenance faults be
handled like normal writes.
Change-Id: I4b295b47ebdd24abf94204ad634e91ca5f71ce8a
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
Remove the pointless checking against interface combinations in
the initial basic beacon interval validation, that currently isn't
taking into account radar detection or channels properly. Instead,
just validate the basic range there, and then delay real checking
to the interface combination validation that drivers must do.
This means that drivers wanting to use the beacon_int_min_gcd will
now have to pass the new_beacon_int when validating the AP/mesh
start.
CRs-Fixed: 1087922
Change-Id: Iec536bcdf4ed95e3d796324fd8bf5df259b340b0
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 4c8dea638c16141adb046fd2e0cab51dfe43650c
[liord@codeaurora.org: Fix conflicts]
Signed-off-by: Lior David <liord@codeaurora.org>
We shouldn't abort the iteration with an error when one of the
potential combinations can't accomodate the beacon interval
request, we should just skip that particular combination. Fix
the code to do so.
CRs-Fixed: 1087922
Change-Id: Ib1ae7221291b8176d61d58e756a3814c80d98d27
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 0507a3ac6e98f50583912ec78d07c2e4daaf2b28
[liord@codeaurora.org: cherry-pick without changes]
Signed-off-by: Lior David <liord@codeaurora.org>
Beacon interval interface combinations validation was missing
for MESH/IBSS join, add those.
Johannes: also move the beacon interval check disallowing really
tiny and really big intervals into the common function, which
adds it for AP mode.
CRs-Fixed: 1087922
Change-Id: I282300533dcd80f65c9ba366246d028a6130ffff
Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 12d20fc9186a742d40e824f575df5aa62be31d69
[liord@codeaurora.org: fix conflicts and trivial compile errors]
Signed-off-by: Lior David <liord@codeaurora.org>
