Few functions have variables which might get used with out
proper initialization. Initialize variables to default values.
CRs-Fixed: 2087109
Change-Id: I7645940e8d466e0ef67a5b8b7702b18b160cc10f
Signed-off-by: Rama Krishna Phani A <rphani@codeaurora.org>
Buffer overread may happen as nl80211_set_station() reads 4 bytes
from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
validating the size of data received when userspace sends less
than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
the buffer overread.
Fixes: 3b1c5a5307 ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Git-commit: 8feb69c7bd89513be80eb19198d48f154b254021
Change-Id: Ie20993309501fd242782311b9fe787931f716116
CRs-Fixed: 2055013
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Remove IR country from regdb.
CRs-Fixed: 2084887
Change-Id: Id69e26e584dcd66096358d0acb6d7c847ce0784b
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Enable CC_STACKPROTECTOR_STRONG option for msm so that we
can make use of stack protector feature provided by compiler.
Change-Id: I28cfe711f42b7ad4d52a59169df6c72ec3458a12
Signed-off-by: Imran Khan <kimran@codeaurora.org>
Privilege Access Never (PAN) enforces the usage of
copy_to_user/copy_from_user and friends when kernel accesses data from
user space. If user space memory is accessed outside of these functions
a kernel panic occurs.
Change-Id: Iacd5b3b2e1fd97487a4cd13ec96cb3508717d5fb
Signed-off-by: Ramakrishna Gottimukkula <rgottimu@codeaurora.org>
Hardened user copy provides an extra layer of security checks when
copy_to_user/copy_from_user APIs are used to ensure data accesses are
valid. When invalid accesses are detected the kernel will forcibly
crash.
Change-Id: Ie13ef8a6ee1a3431d43c57a4b7d6e14985e5c33a
Signed-off-by: Ramakrishna Gottimukkula <rgottimu@codeaurora.org>
event->handle pointer can be used after free due to
the race condition between kgsl_sync_callback and
kgsl_sync_fence_async_cancel.
Protect the event->handle with a spinlock to
avoid concurrent access issues.
Change-Id: I3719e401af9ece82ac68b72f2aef784c7fdc1104
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
There is a race condition issue between the IRQ context trying to
trigger preemption and the user context trying to submit commands to
the GPU. The check in a5xx_flush() API only updates the wptr if the GPU is
not in preemption. In the cases where we move from PREEMPT_START to
PREEMPT_NONE there is a small window where the preempt state is still
in START but the CPU context switches to the user thread which is in
the a5xx_flush() call to update the wptr, but fails to update the wptr to
the GPU since the preempt state is not PREEMPT_NONE. This leads to a
GPU stall.
Introduce a new intermediate state PREEMPT_ABORT and
change preempt_trigger() to use gpu's current ring instead of the
ring retrieved from get_next_ring() while in this state.
Change-Id: I333e9de19824bd373901bbc8afc829de04635017
CRs-Fixed: 2081164
Signed-off-by: Sharat Masetty <smasetty@codeaurora.org>
nla policy checks for only maximum length of the attribute data
when the attribute type is NLA_BINARY. If userspace sends less
data than specified, the wireless drivers may access illegal
memory. When type is NLA_UNSPEC, nla policy check ensures that
userspace sends minimum specified length number of bytes.
Remove type assignment to NLA_BINARY from nla_policy of
NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
WLAN_PMKID_LEN bytes are received from userspace with
NL80211_ATTR_PMKID.
Fixes: 67fbb16be6 ("nl80211: PMKSA caching support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Git-commit: 9361df14d1cbf966409d5d6f48bb334384fbe138
Change-Id: I5feb729a9ef48f67c4ee460e7e133d5fc8cecd4f
CRs-Fixed: 2061676
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Alexei had his box explode because doing read() on a package
(rapl/uncore) event that isn't currently scheduled in ends up doing an
out-of-bounds load.
Rework the code to more explicitly deal with event->oncpu being -1.
Author: Peter Zijlstra (Intel) <peterz@infradead.org>
Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Tested-by: Alexei Starovoitov <ast@kernel.org>
Tested-by: David Carrillo-Cisneros <davidcc@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: eranian@google.com
Fixes: d6a2f9035bfc ("perf/core: Introduce PMU_EV_CAP_READ_ACTIVE_PKG")
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Git-commit: 451d24d1e5f40bad000fa9abe36ddb16fc9928cb
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[pfay@codeaurora.org: apply the event->oncpu validity check from
from the patch. Other code from the patch calls routines
not yet in 4.4 so omit that part of patch. This code fixes
segfault crashes during reboot where the event->oncpu value is -1.
Change-Id: I040f0af2030e53ac3329e4b3a1bbcd37f080cdcf
Signed-off-by: Patrick Fay <pfay@codeaurora.org>
In mmc_blk_ioctl_rpmb_cmd(), if user data copy fails, the card
variable is dereferenced without NULL pointer check.
Adding NULL pointer check in this condition.
Change-Id: If3fd2175946cccaf838768d45de72bc2f5c32f6b
Signed-off-by: Siba Prasad <sibap@codeaurora.org>
If requested, trace the GPU time to ensure
a useful mapping regardless of the chosen
trace clock.
Change-Id: I76a893975de9a278c8178f935991191354f29e2f
Signed-off-by: Jonathan Wicks <jwicks@codeaurora.org>
It seems possibility that usb_gadget_map_request may not been called
during usb cable connected so ep0_usb_req.request.dma is still by
default 0 which will pass the if condition in unmapping, hence unmap
a request which never been mapped.
Initialize ep0_usb_req.request.dma to DMA_ERROR_CODE will avoid this
corner case crash.
Change-Id: Icf63dc383304c83fe36fb908226240e139a7f9fc
Signed-off-by: Ziqi Chen <ziqic@codeaurora.org>
The wcn external gpio configuration has moved to WLAN firmware
code. To avoid the gpio resource request conflict and power offload
failure between wcnss platform driver and WLAN firmware.
Remove external gpio configuration from the wcnss platform driver.
Change-Id: Iaef979437d9e48d66a5e9e2fc88bc5783fed7480
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
The wcnss wlan module power up sequence has been changed.
To add support for the wcnss new power up sequence configured
3.3v external GPIO in wcnss platform driver.
Add check for the target to support the 3.3v external gpio for
the wcnss power up and routine to control the gpio like gpio
init, enable, disable for the device power management in different
state of the wcnss wlan device.
CRs-Fixed: 2065396
Change-Id: Ie6b79415b670522aa0abee58a23a31cffec76f5a
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
The WLAN dual band support vary from target to target
and to enable/disable dual band support for a particular
target the wcnss platform driver read the wlan hardware
qfuse register and export the dual band capability info
to wlan host driver to enable/disable this dual band feature.
Add export symbol for dual band capability info.
CRs-Fixed: 1115909
Change-Id: I7dc26435e3ac0ac1eec71f0e334878b35e25224d
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
It is a hardware requirement to increase snoc clock frequency
in HID sniff mode due to low wlan throughput. To provide this,
add support to enable and disable snoc clock.
Update the voltage regulator configuration API as per upstream
kernel.
CRs-Fixed: 1101377
Change-Id: I1130353bf861ca31792c40ef51243497788ed56d
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Update the synchronization process of the cnss platform driver
memory expansion and WLAN firmware table configuration from
the userspace through sysfs firmware update node.
CRs-Fixed: 2071560
Change-Id: I672ba84ad10c905be7855c1b8a930ac7adf349f1
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
- num of stream comes from userspace and used without
any bound check.It may result to overflow update_info.
Change-Id: I67341f3c3e1a3384474c35f6e6275d6e1917fdcd
CRs-Fixed: 2006829
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
Source pipe index may returned invalid or
given invalid from IOCTl.
Check it for valid before sending it to Q6.
Change-Id: I9dbbc930014549ed2d0620af6872816a18b438b5
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Couple of code cleanup
- Initialize the return variable before using it.
- Remove unnecessary NULL check.
Change-Id: I8e63cb95ae99d1656143ae4b1d130f92890bb3c5
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Make use of mutex lock to access IOCTL so that two threads
can avoid race condition.
Change-Id: I3650affa0577b30531160e1d11c57d13baf34c2f
CRs-Fixed: 2060377
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
Make a change not to handle Q6 resource manager
deinit in SSR situation.
Change-Id: I5c3f68deb4514747146c5118fb58dad121ca7335
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
In the completion handler of rndis command requests we
are parsing the request buffers without checking the
status of the request. This might cause parsing of the
erroneous requests. Fix this by checking the status
of the request before parsing the request buffer.
Change-Id: I15ffd0bef4b42adf2300085dc3720d599e647cb5
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
Add support for parsing the colorimetry data block
of EDID to get information about the supported
encoding formats of the sink.
This information is needed to use the appropriate
color encoding scheme before transmitting the video
stream to the sink.
Change-Id: I133e8f21fa4ad843219dbefed2d072ad2edab197
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>
Add support for parsing the RGB and YCC quantization
selectable field from the Video Capability Data block(VCDB)
of the EDID.
These fields help to decide whether the default quantization
range for a particular video format can be overridden by the
source.
Change-Id: Ibc72eb13302527089ad66231cd7e8bb34fb364f3
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>
Set the private page bit on each sg of secure CMA buffers
to inform other entities, which import these buffers as an
fd, that this memory is secure.
Change-Id: I2f012443f99a90e20afd7e43b62b751c3eea4be3
Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
In the completion handler of the rndis command requests we
are parsing the request buffers without checking the
status of the request. This might cause parsing of the
erroneous requests. Fix this by checking the status
of the request before parsing the request buffer.
Change-Id: I476c6c82d367f6f5fc6eff25b049b3323b68b859
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
In the completion handler of rndis command requests
we are parsing the request buffers without
checking the status of the request. This might
cause parsing of the erroneous requests.
Fix this by checking the status of the request before
parsing the request buffer.
Change-Id: I52001128ac421e58e1801eebc243a8c91618582c
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
This change is to move specific node parsing code to other place
for early splash feature on auto platform, not impacting kernel
booting process of other platforms.
Change-Id: I6deed1a75545c82ee777d9b4269f1420ab2eb07a
Signed-off-by: Guchun Chen <guchunc@codeaurora.org>
Set bus resume polocy for eMMC & SD drivers.
Change-Id: If2e76877fb229a4aba38249c4a1bb2ff8d28ba32
Signed-off-by: San Mehat <san@google.com>
Git-commit: 2c84417a1305da892c8a7d0bf8d0bad50d1688b8
Git-repo: git://git-android.quicinc.com/kernel/msm-3.10
[vbadigan@codeaurora.org: Dropped changes which are already
present in mmc driver as part of other propagations]
Signed-off-by: Veerabhadrarao Badiganti <vbadigan@codeaurora.org>
Remove a useless system reset, reduce the fts_status_event_handler's
print level and modify a error at parsing reset pin to fix the long
time resume problem. Besides, remove the needless auto-apdate-FW func
when probe to speed up TP's probe process.
Change-Id: I1c68fa7add65106d7efcf87b9002363a9242b2f7
Signed-off-by: Jin Fu <jinf@codeaurora.org>
Add support for switch latency property to add
additional delay if switch is present.
Change-Id: Ia64a79d5ec51d3abb66cebd0a187349711c96af2
Signed-off-by: Rama Krishna Phani A <rphani@codeaurora.org>
This reverts commit 0e4399bcb0.
Delay is needed only in case of PCIe switch and not required
for normal case.
Change-Id: Ifa6317f7be1159b2ebc55f64fabcc47d450dc260
Signed-off-by: Rama Krishna Phani A <rphani@codeaurora.org>
Add physical width and height parameters for Sharp 4K panel to
help in setting the right DPI for UI.
Change-Id: If8d841037bb216bfb0b7b0aa0fc4a1db5a45500b
Signed-off-by: Vishnuvardhan Prodduturi <vproddut@codeaurora.org>
