There is a possibility of integer overflow in the arithmetic
calculation for cmd_size. Fix this by adding checks for such
arithmetic.
Change-Id: I2298a32f8ba3411decb29f55bb7b55e2214de35a
Signed-off-by: Abhilash Kumar <krabhi@codeaurora.org>
Format specifier %p can leak kernel addresses while not valuing the
kptr_restrict system settings. When kptr_restrict is set to (1), kernel
pointers printed using the %pK format specifier will be replaced with
0's.
Debugging Note : &pK prints only Zeros as address. If you need actual
address information, write 0 to kptr_restrict.
echo 0 > /proc/sys/kernel/kptr_restrict
Change-Id: If3e3a7d5c737b8b7e2c2f78e2814747db4a770cd
Signed-off-by: Liangliang Lu <luliang@codeaurora.org>
Whenever userspace calls read system call for ctrl_dev, ccid driver
waits till it receives control request from host. Once it receives
control data, it unblocks read and passes data to userspace. But if
cable is disconnected, then ccid driver is not unblocking read due
to which next open of ctrl_dev failing. This results in ccid functionality
not working after cable reconnection as userspace not able to open
ctrl_dev. Hence fix the issue by checking for online status and if
online flag is cleared, unblock read and return -ENODEV.
Also align request buffer length to OUT endpoint's max packet size,
when userspace tries to queue buffer length that is not multiple of
OUT endpoint max packet as USB controller expects length multiple of
maxpacket.
Change-Id: I97d1819c21919b6c66b7a1e5fbf1c452ec691639
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Vote 1.8V IO and XTAL regulators before 3.3V VREG for WLAN hardware
to strictly follow the hardware requirement. Make sure 3.3V VREG is
voted at least 100us after 1.8V IO.
Change-Id: Ifc52c2062349a9913e6c998573b62d111faa5886
CRs-fixed: 1009287
Signed-off-by: Yue Ma <yuem@codeaurora.org>
During preemption microcode does save restore for all perf
counters. If we read the power counters at preemption boundary
we might get abnormal value from the perf counter. This will
result in showing incorrect GPU busy percentage. Fix this by
setting the abnormal power perf counter value with zero.
Change-Id: I96ba367ceeeb92d6adb507d0d917113297b4b58d
Signed-off-by: Abhilash Kumar <krabhi@codeaurora.org>
validate_scan_freqs() retrieves frequencies from attributes
nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
nla_get_u32(), which reads 4 bytes from each attribute
without validating the size of data received. Attributes
nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.
Validate size of each attribute before parsing to avoid potential buffer
overread.
Fixes: 2a51931192 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Git-commit: d7f13f7450369281a5d0ea463cc69890a15923ae
Change-Id: I34198e599a950c30495ec3445799972db7f9f42e
CRs-Fixed: 2069828
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Add GI country to regulatory database
CRs-Fixed: 2084871
Change-Id: If8726ae6ee414b49e1efae65825601214a800092
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Few functions have variables which might get used with out
proper initialization. Initialize variables to default values.
CRs-Fixed: 2087109
Change-Id: I7645940e8d466e0ef67a5b8b7702b18b160cc10f
Signed-off-by: Rama Krishna Phani A <rphani@codeaurora.org>
Buffer overread may happen as nl80211_set_station() reads 4 bytes
from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
validating the size of data received when userspace sends less
than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
the buffer overread.
Fixes: 3b1c5a5307 ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Git-commit: 8feb69c7bd89513be80eb19198d48f154b254021
Change-Id: Ie20993309501fd242782311b9fe787931f716116
CRs-Fixed: 2055013
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Remove IR country from regdb.
CRs-Fixed: 2084887
Change-Id: Id69e26e584dcd66096358d0acb6d7c847ce0784b
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
event->handle pointer can be used after free due to
the race condition between kgsl_sync_callback and
kgsl_sync_fence_async_cancel.
Protect the event->handle with a spinlock to
avoid concurrent access issues.
Change-Id: I3719e401af9ece82ac68b72f2aef784c7fdc1104
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
There is a race condition issue between the IRQ context trying to
trigger preemption and the user context trying to submit commands to
the GPU. The check in a5xx_flush() API only updates the wptr if the GPU is
not in preemption. In the cases where we move from PREEMPT_START to
PREEMPT_NONE there is a small window where the preempt state is still
in START but the CPU context switches to the user thread which is in
the a5xx_flush() call to update the wptr, but fails to update the wptr to
the GPU since the preempt state is not PREEMPT_NONE. This leads to a
GPU stall.
Introduce a new intermediate state PREEMPT_ABORT and
change preempt_trigger() to use gpu's current ring instead of the
ring retrieved from get_next_ring() while in this state.
Change-Id: I333e9de19824bd373901bbc8afc829de04635017
CRs-Fixed: 2081164
Signed-off-by: Sharat Masetty <smasetty@codeaurora.org>
nla policy checks for only maximum length of the attribute data
when the attribute type is NLA_BINARY. If userspace sends less
data than specified, the wireless drivers may access illegal
memory. When type is NLA_UNSPEC, nla policy check ensures that
userspace sends minimum specified length number of bytes.
Remove type assignment to NLA_BINARY from nla_policy of
NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
WLAN_PMKID_LEN bytes are received from userspace with
NL80211_ATTR_PMKID.
Fixes: 67fbb16be6 ("nl80211: PMKSA caching support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Git-commit: 9361df14d1cbf966409d5d6f48bb334384fbe138
Change-Id: I5feb729a9ef48f67c4ee460e7e133d5fc8cecd4f
CRs-Fixed: 2061676
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Alexei had his box explode because doing read() on a package
(rapl/uncore) event that isn't currently scheduled in ends up doing an
out-of-bounds load.
Rework the code to more explicitly deal with event->oncpu being -1.
Author: Peter Zijlstra (Intel) <peterz@infradead.org>
Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Tested-by: Alexei Starovoitov <ast@kernel.org>
Tested-by: David Carrillo-Cisneros <davidcc@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: eranian@google.com
Fixes: d6a2f9035bfc ("perf/core: Introduce PMU_EV_CAP_READ_ACTIVE_PKG")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Git-commit: 451d24d1e5f40bad000fa9abe36ddb16fc9928cb
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[pfay@codeaurora.org: apply the event->oncpu validity check from
from the patch. Other code from the patch calls routines
not yet in 4.4 so omit that part of patch. This code fixes
segfault crashes during reboot where the event->oncpu value is -1.
Change-Id: I040f0af2030e53ac3329e4b3a1bbcd37f080cdcf
Signed-off-by: Patrick Fay <pfay@codeaurora.org>
In mmc_blk_ioctl_rpmb_cmd(), if user data copy fails, the card
variable is dereferenced without NULL pointer check.
Adding NULL pointer check in this condition.
Change-Id: If3fd2175946cccaf838768d45de72bc2f5c32f6b
Signed-off-by: Siba Prasad <sibap@codeaurora.org>
If requested, trace the GPU time to ensure
a useful mapping regardless of the chosen
trace clock.
Change-Id: I76a893975de9a278c8178f935991191354f29e2f
Signed-off-by: Jonathan Wicks <jwicks@codeaurora.org>
The wcn external gpio configuration has moved to WLAN firmware
code. To avoid the gpio resource request conflict and power offload
failure between wcnss platform driver and WLAN firmware.
Remove external gpio configuration from the wcnss platform driver.
Change-Id: Iaef979437d9e48d66a5e9e2fc88bc5783fed7480
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
