Use list_for_each_entry_safe to safely delete mappings while
iterating over the mappings list.
CRs-Fixed: 1067012
Change-Id: I5326ee8e58d291b1d9b07649b87632d7e9102e0d
Signed-off-by: Liam Mark <lmark@codeaurora.org>
Otherwise this function may read data beyond the ruleset blob.
Change-Id: Idcfb2fffba72618a5fda1c6cc94394ed4f79be93
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Until now, hitting this BUG_ON caused a recursive oops (because oops
handling involves do_exit(), which calls into the scheduler, which in
turn raises an oops), which caused stuff below the stack to be
overwritten until a panic happened (e.g. via an oops in interrupt
context, caused by the overwritten CPU index in the thread_info).
Just panic directly.
Change-Id: I73409be3e4cfba82bae36a487227eb5260cd6e37
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 29d6455178a09e1dc340380c582b13356227e8df
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.
Change-Id: Id3ec56cdc333990d62c99d6c2e59dbcce633bcc1
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: bdf533de6968e9686df777dc178486f600c6e617
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
nt35597 dual DSI panel requires non-standard values for certain DSI
timing parameters for correct operation. Update the existing values
with the recommended values on msmcobalt. This fixes screen corruption
issues seen with these panels.
CRs-Fixed: 1030987
Change-Id: I39029b3d8f58fb6167f81e8863daf04ccea8e56f
Signed-off-by: Aravind Venkateswaran <aravindh@codeaurora.org>
Add support to allocate memory for scan dumps for msmcobalt.
This memory can be used to save CPU scan dumps at the time of
a crash.
Change-Id: I325bc1cb97b5a1ef2c00374b00d967e258a90a48
Signed-off-by: Shashank Mittal <mittals@codeaurora.org>
Allocate memory for scan dump collection along with CPU context
allocation.
This will help in debugging crashes very early during boot up.
Change-Id: Icbb2a60683ecca303cbd48576d80d0a765610c8f
Signed-off-by: Shashank Mittal <mittals@codeaurora.org>
Not all memory are DMA'able. See DMA-API-HOWTO.txt. The dummy hash
request input buffer is changed to be acquired from coherent memory
to kzalloc().
Change-Id: If6961217df08bcf0506eedacb07874dfafd7c1ca
CRs-Fixed: 1064055
Acked-by: Che-Min Hsieh <cheminh@qti.qualcomm.com>
Signed-off-by: Sivanesan Rajapupathi <srajap@codeaurora.org>
Inside glink_scheduler_tx tx_info is not validated after tx operation
and taking spin lock, since there are two functions which can release
the reference for tx_info while glink_scheduler_tx thread is preempted.
These functions are ch_purge_intent_lists and
ch_remove_tx_pending_remote_done.
Validate tx_info from tx_active list after tx operation and taking
spin lock.
CRs-Fixed: 1061565
Change-Id: I80c64d66625b9fe9205e8ffaa7cfc851e06fcb94
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
Introduce bus topology for msmfalcon. This is a representation
of the bus connections in the SOC and allows the bus driver
to setup bandwidth requests from clients for the paths desired.
Change-Id: If58f6c5b48a023ba7f9212758d71930116156008
Signed-off-by: Kiran Gunda <kgunda@codeaurora.org>
Introduce new master/slave ids to identify
the corresponding master/slaves for the
bandwidth aggregation done by the bus driver.
Change-Id: Ibed309284b47ba3f22ccbac45c750f3e366ec40e
Signed-off-by: Kiran Gunda <kgunda@codeaurora.org>
Client driver may disconnect pipe while some data is still
pending on the pipe and might not need IRQ for that data. Current
implementation might result in crash in case disconnect and IRQ happens
on same pipe in parallel. Implement lock to avoid pipe disconnect
while IRQ is in progress for that pipe and viceversa.
Change-Id: Icf43c0a18cfc1644270b684a792632a6c81f1797
Signed-off-by: Rama Krishna Phani A <rphani@codeaurora.org>
Add device tree info for Secure Processor Subsystem Utilities driver.
Change-Id: I2657705131fcbbcc63a723b3badb3f43135b4408
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
On msm-4.4, conditional paths are not supported for
supply widgets. Using SND_SOC_DAPM_MUX instead of
using Switches to connect to the native supply.
CRs-Fixed: 1066167
Change-Id: If015dbad0e168e41f1c8c86b502d4cf5fb592045
Signed-off-by: Meng Wang <mwang@codeaurora.org>
commit 70a7fb80e85a ("regulator: core: Fix nested locking of supplies")
Commit fa731ac7ea04 ("regulator: core: avoid unused variable warning")
introduced a subtle change in how supplies are locked. Where previously
code was always locking the regulator of the current iteration, the new
implementation only locks the regulator if it has a supply. For any
given power tree that means that the root will never get locked.
On the other hand the regulator_unlock_supply() will still release all
the locks, which in turn causes the lock debugging code to warn about a
mutex being unlocked which wasn't locked.
Cc: Mark Brown <broonie@kernel.org>
Cc: Arnd Bergmann <arnd@arndb.de>
Fixes: fa731ac7ea04 ("regulator: core: avoid unused variable warning")
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 70a7fb80e85ae7f78f8e90cec3fbd862ea6a4d4b
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[ashayj@codeaurora.org: Fix the regulator bug which was re-introduced by
commit f145f4]
CRs-Fixed: 1065539
Change-Id: I376a6412bb65a1e193647eab54ad993df4c2c24f
Signed-off-by: Ashay Jaiswal <ashayj@codeaurora.org>
WCD934X audio codec supports idle detection over headphone
path to reduce power consumption when the audio signal
level is low. Add support to enable headphone idle detection
in the wcd934x codec driver.
CRs-fixed: 1066588
Change-Id: I8d67fa4055898db31b47f87b6659484aeb08f58f
Signed-off-by: Phani Kumar Uppalapati <phaniu@codeaurora.org>
Explicitly send device disconnect notification to client
so that client can disable audio streams. This will in turn
enable sound usb driver to release usb device and notify device
removal to user-space. User-space will clean up audio session.
Without this change sound usb driver is blocking usb device
release till audio streams are disabled. However, audio streams
are only disabled when user-space cleans up audio session on usb
device removal which is blocked. This change is trying to fix
this deadlock condition by notifying device disconnect to clients
explicitly.
Change-Id: I7e5a8aca84a7a620bb61eb0ace8a6b6c622f89de
Signed-off-by: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
Propagate subsystem state received from SSR notification back to the
service notifier clients so they can know if subsystem crashed.
CRs-Fixed: 1066446
Change-Id: I5418d298290623ac66a2b64108a1f5dab034e5f3
Signed-off-by: Puja Gupta <pujag@codeaurora.org>
The current api which performs the clock reset is moved to use the reset
framework, so support the changes in ufs driver for the same. The reset
framework requires to get reset handle and perform assert/deassert of the
resets.
Change-Id: I78d833639772cf541e563cbf9fae1aa75ec6a7da
Signed-off-by: Amit Nischal <anischal@codeaurora.org>
Disable clocks in reverse order of the way you enable them so as to
avoid clock stuck_on warnings.
CRs-Fixed: 1066446
Change-Id: I071df5d5848878e5ff7b514bf9089c011a0c6a69
Signed-off-by: Puja Gupta <pujag@codeaurora.org>
Create codec entry for wcd934x codec so that userspace can retrieve
the codec info.
CRs-Fixed: 1063367
Change-Id: Ie846b5edf1d8aaecce5140986dad8da69d608d5a
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
As there are many hardware version of wcd934x codec. Add version
check in the code so that userspace can get the version info.
CRs-Fixed: 1063367
Change-Id: Ia320380d568426c2d7a414a832980a556ff27f0f
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
Send SUBSYS_BEFORE_SHUTDOWN notification to clients before doing
graceful shutdown so that clients can do their end of housekeeping.
CRs-Fixed: 1066446
Change-Id: I77b248c51914651aea4b27d7c5a3d5d784b1e542
Signed-off-by: Puja Gupta <pujag@codeaurora.org>
This prevents stacking filesystems (ecryptfs and overlayfs) from using
procfs as lower filesystem. There is too much magic going on inside
procfs, and there is no good reason to stack stuff on top of procfs.
(For example, procfs does access checks in VFS open handlers, and
ecryptfs by design calls open handlers from a kernel thread that doesn't
drop privileges or so.)
Signed-off-by: Jann Horn <jannh@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9
(cherry picked from commit e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9)
Change-Id: I1bf47b15e8201d3a049a04e1b054c664d9be9bea
Ben Hawkes says:
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset.
Problem is that mark_source_chains should not have been called --
the rule doesn't have a next entry, so its supposed to return
an absolute verdict of either ACCEPT or DROP.
However, the function conditional() doesn't work as the name implies.
It only checks that the rule is using wildcard address matching.
However, an unconditional rule must also not be using any matches
(no -m args).
The underflow validator only checked the addresses, therefore
passing the 'unconditional absolute verdict' test, while
mark_source_chains also tested for presence of matches, and thus
proceeeded to the next (not-existent) rule.
Unify this so that all the callers have same idea of 'unconditional rule'.
Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 54d83fc74aa9ec72794373cb47432c5f7fb1a309
(cherry picked from commit 54d83fc74aa9ec72794373cb47432c5f7fb1a309)
Change-Id: I425228695bd50751476ac6032f10e3b927825f35
If __key_link_begin() failed then "edit" would be uninitialized. I've
added a check to fix that.
This allows a random user to crash the kernel, though it's quite
difficult to achieve. There are three ways it can be done as the user
would have to cause an error to occur in __key_link():
(1) Cause the kernel to run out of memory. In practice, this is difficult
to achieve without ENOMEM cropping up elsewhere and aborting the
attempt.
(2) Revoke the destination keyring between the keyring ID being looked up
and it being tested for revocation. In practice, this is difficult to
time correctly because the KEYCTL_REJECT function can only be used
from the request-key upcall process. Further, users can only make use
of what's in /sbin/request-key.conf, though this does including a
rejection debugging test - which means that the destination keyring
has to be the caller's session keyring in practice.
(3) Have just enough key quota available to create a key, a new session
keyring for the upcall and a link in the session keyring, but not then
sufficient quota to create a link in the nominated destination keyring
so that it fails with EDQUOT.
The bug can be triggered using option (3) above using something like the
following:
echo 80 >/proc/sys/kernel/keys/root_maxbytes
keyctl request2 user debug:fred negate @t
The above sets the quota to something much lower (80) to make the bug
easier to trigger, but this is dependent on the system. Note also that
the name of the keyring created contains a random number that may be
between 1 and 10 characters in size, so may throw the test off by
changing the amount of quota used.
Assuming the failure occurs, something like the following will be seen:
kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
------------[ cut here ]------------
kernel BUG at ../mm/slab.c:2821!
...
RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
RSP: 0018:ffff8804014a7de8 EFLAGS: 00010092
RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
...
Call Trace:
kfree+0xde/0x1bc
assoc_array_cancel_edit+0x1f/0x36
__key_link_end+0x55/0x63
key_reject_and_link+0x124/0x155
keyctl_reject_key+0xb6/0xe0
keyctl_negate_key+0x10/0x12
SyS_keyctl+0x9f/0xe7
do_syscall_64+0x63/0x13a
entry_SYSCALL64_slow_path+0x25/0x25
Fixes: f70e2e0619 ('KEYS: Do preallocation for __key_link()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 38327424b40bcebe2de92d07312c89360ac9229a
(cherry picked from commit 38327424b40bcebe2de92d07312c89360ac9229a)
Change-Id: I07568c78448b9d4bcc19b506ac0cbeb3d8af6961
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.
This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
https://lkml.org/lkml/2016/1/11/587
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Git-repo: https://android.googlesource.com/kernel/common.git
Git-commit: 012b0adcf7299f6509d4984cf46ee11e6eaed4e4
[d-cagle@codeaurora.org: Resolve trivial merge conflicts]
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Bug: 29054680
Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
perf_event_paranoid was only documented in source code and a perf error
message. Copy the documentation from the error message to
Documentation/sysctl/kernel.txt.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk
[ Remove reference to external Documentation file, provide info inline, as before ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Bug: 29054680
Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5
Git-repo: https://android.googlesource.com/kernel/common.git
Git-commit: b79154b8f7702f6e8a56ce9f1355f841cec16c37
[d-cagle@codeaurora.org: Resolve trivial merge conflicts]
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
The stack object “map” has a total size of 32 bytes. Its last 4
bytes are padding generated by compiler. These padding bytes are
not initialized and sent out via “nla_put”.
Change-Id: I41f4745f24720c7af5ab08dc4274224d7fe4dcfe
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-repo: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 5f8e44741f9f216e33736ea4ec65ca9ac03036e6
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
If cpr3_ctrl_clear_cpr4_config() returns an error at the
beginning of the cpr3_regulator_measure_aging() function, then
goto cleanup is called. After that, the *_restore values are
written back into hardware registers. Unfortunately, these
*_restore variables are uninitialized in this code path.
Correct this issue.
Change-Id: I906613a00137925c9903ac6c01771c459594864f
CRs-Fixed: 1066407
Signed-off-by: David Collins <collinsd@codeaurora.org>
A discrepancy between cpu_online_mask and cpuset's effective_cpus
mask is inevitable during hotplug since cpuset defers updating of
effective_cpus mask using a workqueue, during which time nothing
prevents the system from more hotplug operations. For that reason
guarantee_online_cpus() walks up the cpuset hierarchy until it finds
an intersection under the assumption that top cpuset's effective_cpus
mask intersects with cpu_online_mask even with such a race occurring.
However a sequence of CPU hotplugs can open a time window, during which
none of the effective CPUs in the top cpuset intersect with
cpu_online_mask.
For example when there are 4 possible CPUs 0-3 and only CPU0 is online:
======================== ===========================
cpu_online_mask top_cpuset.effective_cpus
======================== ===========================
echo 1 > cpu2/online.
CPU hotplug notifier woke up hotplug work but not yet scheduled.
[0,2] [0]
echo 0 > cpu0/online.
The workqueue is still runnable.
[2] [0]
======================== ===========================
Now there is no intersection between cpu_online_mask and
top_cpuset.effective_cpus. Thus invoking sys_sched_setaffinity() at
this moment can cause following:
Unable to handle kernel NULL pointer dereference at virtual address 000000d0
------------[ cut here ]------------
Kernel BUG at ffffffc0001389b0 [verbose debug info unavailable]
Internal error: Oops - BUG: 96000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 2 PID: 1420 Comm: taskset Tainted: G W 4.4.8+ #98
task: ffffffc06a5c4880 ti: ffffffc06e124000 task.ti: ffffffc06e124000
PC is at guarantee_online_cpus+0x2c/0x58
LR is at cpuset_cpus_allowed+0x4c/0x6c
<snip>
Process taskset (pid: 1420, stack limit = 0xffffffc06e124020)
Call trace:
[<ffffffc0001389b0>] guarantee_online_cpus+0x2c/0x58
[<ffffffc00013b208>] cpuset_cpus_allowed+0x4c/0x6c
[<ffffffc0000d61f0>] sched_setaffinity+0xc0/0x1ac
[<ffffffc0000d6374>] SyS_sched_setaffinity+0x98/0xac
[<ffffffc000085cb0>] el0_svc_naked+0x24/0x28
The top cpuset's effective_cpus are guaranteed to be identical to
cpu_online_mask eventually. Hence fall back to cpu_online_mask when
there is no intersection between top cpuset's effective_cpus and
cpu_online_mask.
CRs-fixed: 1058529
Change-Id: I83ee4619feff2ca7452119c9baecb6ffde755287
Signed-off-by: Joonwoo Park <joonwoop@codeaurora.org>
Acked-by: Li Zefan <lizefan@huawei.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: cgroups@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: <stable@vger.kernel.org> # 3.17+
Signed-off-by: Tejun Heo <tj@kernel.org>
EQ bias is enabled in of msmcobalt version 2 csiphy.
Differentiate this setting with new version 2 camera dt file.
CRs-Fixed: 1050172
Change-Id: I5781453f2b2a81b9cf5f7fb643e021b53879583e
Signed-off-by: Viswanadha Raju Thotakura <viswanad@codeaurora.org>
Provide client_id in ind_register QMI request message so that
WLAN FW can identify different clients.
CRs-Fixed: 1065341
Change-Id: I2d79daa72fb87a7d3c0818563a88e94f36af48b8
Signed-off-by: Yuanyuan Liu <yuanliu@codeaurora.org>
The spss-util driver provides utilities required for the SPSS.
It provides the fuse state for key selection.
It provides the SPSS HW version.
Change-Id: I70c37d64db351db86e3d1d5dddb810257c68d72f
Signed-off-by: Amir Samuelov <amirs@codeaurora.org>
