rtc: fix clock sync after boot-up #6

The IIO buffer is dereference to NULL when user space application trying to change the parameters of iio buffer while driver pushing data to iio buffer. The issue is solved by using proper initialization of iio buffer and using standard api to push the data to iio buffer so that driver will do proper conditon checking before changing the parameters of buffer and before pushing the data. Change-Id: I6c9b015fc2915c0d6f635e488305290a36eb9221 Signed-off-by: Puneet Yatnal <[email protected]>

Adding code changes to validate buffer size. While calling ipa_read verifying the kernel buffer size in range or not. Change-Id: Idc608c2cf0587a00f19ece38a4eb646f7fde68e3 Signed-off-by: Praveen Kurapati <[email protected]>

Disable APC CPR under 10 degC and re-enable it at 15degC. This is for device stability at cold temperature. Change-Id: I6c9b015fc2915c0d6f635e488305290a36eb9222 Signed-off-by: Anirudh Ghayal <[email protected]>

Currently we are not validating read and write index of tx and rx fifo's before calculating ptr, this can lead to out-of-bound access. The patch adds proper check for the same. Change-Id: I7b158e94ae743a90ac364783fe31914ca0fa582b Signed-off-by: Hardik Arya <[email protected]>

We call arm64_apply_bp_hardening() from post_ttbr_update_workaround, which has the unexpected consequence of being triggered on every exception return to userspace when ARM64_SW_TTBR0_PAN is selected, even if no context switch actually occured. This is a bit suboptimal, and it would be more logical to only invalidate the branch predictor when we actually switch to a different mm. In order to solve this, move the call to arm64_apply_bp_hardening() into check_and_switch_context(), where we're guaranteed to pick a different mm context. Change-Id: I28f2fb09b77544e5ead095e9dad1ad64b2b3ae36 Acked-by: Will Deacon <[email protected]> Signed-off-by: Marc Zyngier <[email protected]> Signed-off-by: Catalin Marinas <[email protected]> Git-commit: a8e4c0a919ae310944ed2c9ace11cf3ccd8a609b Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Srinivas Ramana <[email protected]> Signed-off-by: Swetha Chikkaboraiah <[email protected]>

Doing a cat on pte,test_virt_addr from adb shell prints a null character as well which is at the end of the string this is not required so, don't pass this null character to copy_to_user. Change-Id: I8d9120f64d1df84a704379eb00bd239fc7059e9e Signed-off-by: Vijayanand Jitta <[email protected]> Signed-off-by: Srinivasarao P <[email protected]>

Changes in 3.18.135: (108 commits) staging: iio: adc: ad7280a: handle error from __ad7280_read32() ARM: 8808/1: kexec:offline panic_smp_self_stop CPU dlm: Don't swamp the CPU with callbacks queued during recovery x86/PCI: Fix Broadcom CNB20LE unintended sign extension (redux) powerpc/pseries: add of_node_put() in dlpar_detach_node() serial: fsl_lpuart: clear parity enable bit when disable parity staging:iio:ad2s90: Make probe handle spi_setup failure staging: iio: ad7780: update voltage on read ARM: OMAP2+: hwmod: Fix some section annotations modpost: validate symbol names also in find_elf_symbol perf tools: Add Hygon Dhyana support soc/tegra: Don't leak device tree node reference f2fs: move dir data flush to write checkpoint process nfsd4: fix crash on writing v4_end_grace before nfsd startup arm64: ftrace: don't adjust the LR value media: DaVinci-VPBE: fix error handling in vpbe_initialize() smack: fix access permissions for keyring usb: hub: delay hub autosuspend if USB3 port is still link training timekeeping: Use proper seqcount initializer ARM: dts: Fix OMAP4430 SDP Ethernet startup mips: bpf: fix encoding bug for mm_srlv32_op sata_rcar: fix deferred probing clk: imx6sl: ensure MMDC CH0 handshake is bypassed cpuidle: big.LITTLE: fix refcount leak udf: Fix BUG on corrupted inode ARM: pxa: avoid section mismatch warning ASoC: fsl: Fix SND_SOC_EUKREA_TLV320 build error on i.MX8M memstick: Prevent memstick host from getting runtime suspended during card detection arm64: KVM: Skip MMIO insn after emulation powerpc/uaccess: fix warning/error with access_ok() xfrm6_tunnel: Fix spi check in __xfrm6_tunnel_alloc_spi drbd: narrow rcu_read_lock in drbd_sync_handshake drbd: disconnect, if the wrong UUIDs are attached on a connected peer drbd: skip spurious timeout (ping-timeo) when failing promote drbd: Avoid Clang warning about pointless switch statment video: clps711x-fb: release disp device node in probe() fbdev: fbmem: behave better with small rotated displays and many CPUs igb: Fix an issue that PME is not enabled during runtime suspend fbdev: fbcon: Fix unregister crash when more than one framebuffer NFS: nfs_compare_mount_options always compare auth flavors. hwmon: (lm80) fix a missing check of the status of SMBus read hwmon: (lm80) fix a missing check of bus read in lm80 probe crypto: ux500 - Use proper enum in cryp_set_dma_transfer crypto: ux500 - Use proper enum in hash_set_dma_transfer cifs: check ntwrk_buf_start for NULL before dereferencing it um: Avoid marking pages with "changed protection" niu: fix missing checks of niu_pci_eeprom_read scripts/decode_stacktrace: only strip base path when a prefix of the path ocfs2: don't clear bh uptodate for block read isdn: hisax: hfc_pci: Fix a possible concurrency use-after-free bug in HFCPCI_l1hw() gdrom: fix a memory leak bug block/swim3: Fix -EBUSY error when re-opening device after unmount kernel/hung_task.c: break RCU locks based on jiffies fs/epoll: drop ovflist branch prediction exec: load_script: don't blindly truncate shebang string thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set dccp: fool proof ccid_hc_[rt]x_parse_options() skge: potential memory corruption in skge_get_regs() net: systemport: Fix WoL with password after deep sleep net: dsa: slave: Don't propagate flag changes on down slave interfaces enic: fix checksum validation for IPv6 ALSA: compress: Fix stop handling on compressed capture streams fuse: call pipe_buf_release() under pipe lock fuse: decrement NR_WRITEBACK_TEMP on the right page fuse: handle zero sized retrieve correctly dmaengine: imx-dma: fix wrong callback invoke usb: phy: am335x: fix race condition in _probe usb: gadget: udc: net2272: Fix bitwise and boolean operations KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222) KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221) perf/x86/intel/uncore: Add Node ID mask perf/core: Don't WARN() for impossible ring-buffer sizes perf tests evsel-tp-sched: Fix bitwise operator mtd: rawnand: gpmi: fix MX28 bus master lockup problem signal: Always notice exiting tasks signal: Better detection of synchronous signals misc: vexpress: Off by one in vexpress_syscfg_exec() debugfs: fix debugfs_rename parameter checking MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled ARM: iop32x/n2100: fix PCI IRQ mapping drm/modes: Prevent division by zero htotal drm/vmwgfx: Fix setting of dma masks drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user HID: debug: fix the ring buffer implementation libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() xfrm: refine validation of template and selector families batman-adv: Avoid WARN on net_device without parent in netns batman-adv: Force mac header to start of data on xmit usb: host: ehci-msm: fix handling platform_get_irq result Revert "exec: load_script: don't blindly truncate shebang string" ARM: dts: da850-evm: Correct the sound card name ARM: dts: kirkwood: Fix polarity of GPIO fan lines gpio: pl061: handle failed allocations cifs: Limit memory used by lock request calls to a page perf/core: Fix impossible ring-buffer sizes warning ALSA: usb-audio: Fix implicit fb endpoint setup by quirk Input: bma150 - register input device after setting private data Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780 alpha: fix page fault handling for r16-r18 targets alpha: Fix Eiger NR_IRQS to 128 tracing/uprobes: Fix output for multiple string arguments signal: Restore the stop PTRACE_EVENT_EXIT x86/a.out: Clear the dump structure initially smsc95xx: Use skb_cow_head to deal with cloned skbs kaweth: use skb_cow_head() to deal with cloned skbs usb: dwc2: Remove unnecessary kfree pinctrl: msm: fix gpio-hog related boot issues Linux 3.18.135 Signed-off-by: Nathan Chancellor <[email protected]> Conflicts: drivers/usb/host/ehci-msm.c

Initialize global mutex with DEFINE_MUTEX to avoid calling mutex_lock without mutex_init. CRs-fixed: 2392685 Change-Id: I847d86f493552524e8abec9a18525cdde8a8de23 Signed-off-by: Jhansi Konathala <[email protected]>

Change-Id: I2c73449f1e0e3033d7c056cbd412982647063aa3

Change-Id: If301e458a3a4b46b41efd41320d6692958809681

In low power mode stop DMA, turn off clocks and vsync. Change-Id: Ic6d4f1a2fdba9817633ba63c42f54f88e0c48d6f Signed-off-by: Animesh Kishore <[email protected]>

During fb blank or dma stop check if there are any pending retire fences. Signal all. Change-Id: I24322c8eeb1afbd79c898d037b72b77df27a91fa Signed-off-by: Animesh Kishore <[email protected]>

Changes in 3.18.136: (14 commits) net: fix IPv6 prefix route residue sky2: Increase D3 delay again tcp: tcp_v4_err() should be more careful tcp: clear icsk_backoff in tcp_write_queue_purge() vxlan: test dev->flags & IFF_UP before calling netif_rx() vsock: cope with memory allocation failure at socket creation time net: stmmac: Fix a race in EEE enable callback net: ipv4: use a dedicated counter for icmp_v4 redirect packets hwmon: (lm80) Fix missing unlock on error in set_fan_div() kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974) net/x25: do not hold the cpu too long in x25_new_lci() mISDN: fix a race in dev_expire_timer() ax25: fix possible use-after-free Linux 3.18.136 Signed-off-by: Nathan Chancellor <[email protected]>

Adding code changes to validate buffer size. While calling ipa_read verifying the kernel buffer size in range or not. Change-Id: I5c9a908b0500a5f0148ec7764425897570bdd713 Signed-off-by: Praveen Kurapati <[email protected]>

Power configuration is a value measured as HxW of a video session. If the resolution of current video session meets this value, the session will be configured in low power mode to get power benefits. CRs-Fixed: 1106972 Change-Id: Ibe4eba7a76a070b1bc02caff89cfb871993043c2 Signed-off-by: Sanjay Singh <[email protected]>

Host will set the Venus firmware in below modes 1. If the load of current video session exceeds the venus capability, video driver sets power save mode for that session. 2. If an usecase is recommended to run in power save mode to get power benefits, video driver configures the session in power save mode. 3. If any V4L2 client makes an explicit call to configure the usecase in a certain perf mode, video driver sets the same to venus firmware, unless restricted by core capability. CRs-Fixed: 1106972 Change-Id: Ib8be6c9af1508389edc9cb6444531c6e711b6a11 Signed-off-by: Sanjay Singh <[email protected]>

Video session is made to run in TURBO mode during various stages of the session. Video instance load do not reflect the actual video load which can be utilized to initialize DCVS state from the DCVS table. Change-Id: I539a7098159e6486e3c436c449a540c5ac60d6d3 Signed-off-by: Sanjay Singh <[email protected]>

Check if packet size is large enough to hold the header. Change-Id: I7261f8111d8b5f4f7c181e469de248a732242d64 Signed-off-by: Vatsal Bucha <[email protected]>

…998"

Channel_mapping array size varies for different commands. Add check for num_channels before calling q6asm_map_channels. Change-Id: Iccbcfe82f716fc0ffe0a26b1779dcaa1c3cb805b Signed-off-by: Rohit kumar <[email protected]>

Add range check to make sure the received audio port index from ADSP is within the valid range. Change-Id: Ief647df1659f7f349a843f666d8f92f34a9a43be Signed-off-by: Xiaoyu Ye <[email protected]>

"LA.UM.7.5.r1-04300-8x96.0" * tag 'LA.UM.7.5.r1-04300-8x96.0': iommu: iommu-debug: don't pass null character to copy_to_user arm64: Move BP hardening to check_and_switch_context soc: qcom: Validate read and write index before calculating ptr ARM: dts: msm: Disable APC CPR at cold for 9x07 msm: ipa: Fix to validate the buffer size drivers: iio: imu: Fix NULL pointer dereference in bmi160 driver msm: vidc: ensure codec count is in supported session range iommu: dma-mapping-fast: Add a check for count in fast_smmu_alloc ARM: dts: mdm: Disable dynamic address for wlan ramdump checkpatch: Treat duplicate signatures as a different error class usb: gadget: f_mbim: Handle response complete before notify_complete usb: gadget: f_mbim: Use notify_req_queued instead of notify_count usb: gadget: f_mbim: Remove usage of notify_state SoC: msm: Add global mutex lock to fix the panic issue diag: Mark Buffer as NULL after freeing iommu/iommu-debug: fix buffer overflows in debugfs read functions ARM: dts: mdm: Enable dynamic address for wlan ramdump msm: ais: ispif: Fix invalid type conversion diag: Handle data ready notification properly msm: wlan: Update ETSI1 and ETSI13 countries msm: camera: isp: Fix invalid type conversion mdm: Update frequence & Tx power in the regulatory database netfilter: x_tables: kill check_entry helper drivers: iio: imu: increased the ASM buffer size defconfig: 8909: enable CONFIG_NETFILTER_XT_TARGET_TEE for iwlan scenarios ANDROID: sdcardfs: Change current->fs under lock msm: mdss: save state of vsync handler ANDROID: sdcardfs: Don't use OVERRIDE_CRED macro Signed-off-by: Nathan Chancellor <[email protected]>

The range checking for audio buffer copying in function "audio_in_write" is using the incorrect buffer size. Change it to the actual allocated audio buffer size. Change-Id: Ib7aaa2163c0d99161369eb85d09dc2d23d8c787b Signed-off-by: Xiaoyu Ye <[email protected]>

Increment data ready only if it is not incremented earlier. Change-Id: Ia61e638bcf18e17dfe4bef15fc8ed4168b4c1891 Signed-off-by: Sreelakshmi Gownipalli <[email protected]>

Validate buffer index obtained from ADSP token before using it. CRs-Fixed: 2372302 Change-Id: I5c3b1634bd08b516844638dd67f726a882edfc17 Signed-off-by: Vignesh Kulothungan <[email protected]>

There can be many ice instances present in dtsi file but not all of them will be initialized by storage driver. Check if crypto instance is initialized before setting it up for data encryption/decryption usage. Change-Id: I7c9227007474052513b277dec5963a973781c524 Signed-off-by: Neeraj Soni <[email protected]>

Currently, mutex protection is missing while accessing md session's info via macro. The patch adds proper protection before accessing the same. Change-Id: I17b18183407279447229783fd0165337bd173423 Signed-off-by: Hardik Arya <[email protected]>

There is a possibility of out-of-bound read if msg mask ranges received from peripheral are more than max ssid per range. Cap msg mask's ssid ranges to MAX_SSID_PER_RANGE if ranges received from peripheral are greater than the same. Change-Id: I886692ad223e16678bfaecbe381c62fdf3503cb5 Signed-off-by: Hardik Arya <[email protected]>

When processing WAN_IOC_SEND_LAN_CLIENT_MSG ioctl there is a possibility of message_type being invalid and this can lead to out of buffer error. Make a change to validate the ioctl params before processing. Change-Id: If7955f77863b772ae1c8feda5ca0145c822403b9 Signed-off-by: Chaitanya Pratapa <[email protected]>

If video state set to DEINIT before processing all frame done packets in the list may create video failures as explained below, the client communication to video hardware will fail because of DEINIT state and client will close the session upon failure which will happen in parallel to response thread processing the response packets in the list. It may happen that client already free'd the buffer references and response thread might access the same buffer reference and results in use-after-free memory fault. So In case of sys error from video hardware, set video state to DEINIT after processing all packets in the list to avoid use-after-free failure Change-Id: Id44c26b1bbfc49e9725bf70e21a3e861a04d0133 Signed-off-by: Maheshwar Ajja <[email protected]> Signed-off-by: Sanjay Singh <[email protected]>

SPI fps calculation was over-riding the DTV fps calculation due to a missing break statement. Correct this so that fps is calculated in default case. Change-Id: I07da394d44827ddb9be999a63f34e56e3fd2b373 Signed-off-by: Raghavendra Ambadas <[email protected]>

No need to process response messages from video hardware after device went into invalid state. Processing responses may result in use-after-free memory fault because client might free all the resources after error Change-Id: Ia2c22a2740466e6368e61437aa4246927150858b Signed-off-by: Maheshwar Ajja <[email protected]> Signed-off-by: Sanjay Singh <[email protected]>

Token from DSP might be invalid for array index. Validate the token before being used as array index. Change-Id: I9f47e1328d75d9f9acf7e85ddb452019b6eced0a Signed-off-by: Xiaojun Sang <[email protected]>

Payload size is not checked before payload access. Check payload size to avoid out-of-boundary memory access. Change-Id: Iaa39ee4ea5489bb5579e7b7d5dfada12d88c5809 Signed-off-by: Xiaojun Sang <[email protected]>

Changes in 3.18.137: (135 commits) ceph: avoid repeatedly adding inode to mdsc->snap_flush_list numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES KEYS: allow reaching the keys quotas exactly mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells mfd: twl-core: Fix section annotations on {,un}protect_pm_master mfd: db8500-prcmu: Fix some section annotations mfd: ab8500-core: Return zero in get_register_interruptible() mfd: wm5110: Add missing ASRC rate register mfd: mc13xxx: Fix a missing check of a register-read failure MIPS: ath79: Enable OF serial ports in the default config scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param scsi: isci: initialize shost fully before calling scsi_add_host() MIPS: jazz: fix 64bit build isdn: i4l: isdn_tty: Fix some concurrency double-free bugs atm: he: fix sign-extension overflow on large shift leds: lp5523: fix a missing check of return value of lp55xx_read isdn: avm: Fix string plus integer warning from Clang KEYS: user: Align the payload buffer KEYS: always initialize keyring_index_key::desc_len batman-adv: fix uninit-value in batadv_interface_tx() net/packet: fix 4gb buffer limit due to overflow check team: avoid complex list operations in team_nl_cmd_options_set() sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() netlink: Trim skb to alloc size to avoid MSG_TRUNC libceph: handle an empty authorize reply scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached drm/msm: Unblock writer if reader closes file ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field ALSA: compress: prevent potential divide by zero bugs usb: dwc3: gadget: Fix the uninitialized link_state when udc starts usb: gadget: Potential NULL dereference on allocation error ASoC: imx-audmux: change snprintf to scnprintf for possible overflow mac80211: fix miscounting of ttl-dropped frames serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state() net: altera_tse: fix connect_local_phy error path ibmveth: Do not process frames after calling napi_reschedule mac80211: don't initiate TDLS connection if station is not associated to AP cfg80211: extend range deviation for DMG KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1 mmc: spi: Fix card detection during probe mm: enforce min addr even if capable() in expand_downwards() USB: serial: cp210x: add ID for Ingenico 3070 net-sysfs: Fix mem leak in netdev_register_kobject sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 team: Free BPF filter when unregistering netdev net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails net: Add __icmp_send helper. net: avoid use IPCB in cipso_v4_error net: phy: Micrel KSZ8061: link failure after cable connect netlabel: fix out-of-bounds memory accesses ip6mr: Do not call __IP6_INC_STATS() from preemptible context hugetlbfs: fix races and page leaks during migration media: uvcvideo: Fix 'type' check leading to overflow vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel perf tools: Handle TOPOLOGY headers with no CPU ipvs: Fix signed integer overflow when setsockopt timeout iommu/amd: Fix IOMMU page flush when detach device from a domain xtensa: SMP: fix secondary CPU initialization xtensa: smp_lx200_defconfig: fix vectors clash xtensa: SMP: mark each possible CPU as present xtensa: SMP: limit number of possible CPUs by NR_CPUS net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case nfs: Fix NULL pointer dereference of dev_name scsi: libfc: free skb when receiving invalid flogi resp platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 cifs: fix computation for MAX_SMB2_HDR_SIZE x86/kexec: Don't setup EFI info if EFI runtime is not enabled mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone autofs: drop dentry reference only when it is never used autofs: fix error return in autofs_fill_super() ARM: pxa: ssp: unneeded to free devm_ allocated data irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable dmaengine: dmatest: Abort test in case of mapping error s390/qeth: fix use-after-free in error path perf symbols: Filter out hidden symbols from labels Input: wacom_serial4 - add support for Wacom ArtPad II tablet iscsi_ibft: Fix missing break in switch statement l2tp: fix infoleak in l2tp_ip6_recvmsg() net: hsr: fix memory leak in hsr_dev_finalize() net: sit: fix UBSAN Undefined behaviour in check_6rd net/x25: fix use-after-free in x25_device_event() net/x25: reset state in x25_connect() pptp: dst_release sk_dst_cache in pptp_sock_destruct net/mlx4_core: Fix qp mtt size calculation net/x25: fix a race in x25_bind() mdio_bus: Fix use-after-free on device_register fails net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 missing barriers in some of unix_sock ->addr and ->path accesses vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() net/hsr: fix possible crash in add_timer() gro_cells: make sure device is up in gro_cells_receive() ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 It's wrong to add len to sector_nr in raid10 reshape twice 9p/net: fix memory leak in p9_client_create ASoC: fsl_esai: fix register setting issue in RIGHT_J mode crypto: ahash - fix another early termination in hash walk s390/dasd: fix using offset into zero size array error Input: matrix_keypad - use flush_delayed_work() i2c: cadence: Fix the hold bit setting Input: st-keyscan - fix potential zalloc NULL dereference assoc_array: Fix shortcut creation scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task net: systemport: Fix reception of BPDUs net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() arm64: Relax GIC version check during early boot tmpfs: fix link accounting when a tmpfile is linked in net: set static variable an initial value in atl2_probe() CIFS: Fix read after write for files with read caching regulator: s2mps11: Fix steps for buck7, buck8 and LDO35 regulator: s2mpa01: Fix step values for some LDOs scsi: virtio_scsi: don't send sc payload with tmfs scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock m68k: Add -ffreestanding to CFLAGS Btrfs: fix corruption reading shared and compressed extents after hole punching crypto: pcbc - remove bogus memcpy()s with src == dest cpufreq: pxa2xx: remove incorrect __init annotation ext4: fix crash during online resizing ext2: Fix underflow in ext2_max_size() mm/vmalloc: fix size check for remap_vmalloc_range_partial() kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv parport_pc: fix find_superio io compare code, should use equal test. jbd2: clear dirty flag when revoking a buffer from an older transaction powerpc/32: Clear on-stack exception marker upon exception return powerpc/wii: properly disable use of BATs when requested. powerpc/powernv: Make opal log only readable by root powerpc/83xx: Also save/restore SPRG4-7 during suspend ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify nfsd: fix memory corruption caused by readdir nfsd: fix wrong check in write_v4_end_grace() md: Fix failed allocation of md_register_thread media: uvcvideo: Avoid NULL pointer dereference at the end of streaming drm/radeon/evergreen_cs: fix missing break in switch statement tmpfs: fix uninitialized return value in shmem_link Linux 3.18.137 Signed-off-by: Nathan Chancellor <[email protected]> Conflicts: sound/core/compress_offload.c

The GCC wrapper writes any error message from GCC to stdout along with the messages from the wrapper itself. This is okay for most case, but when GCC is used with -print-xxx flags, the stdout output is supposed to be taken as input to some other build command, so putting error messages in there is pretty bad. Fix this by writing error messages to stderr. Change-Id: I4656033f11ba5212fdcc884cc588f8b9d2c23419 Signed-off-by: Shadab Naseem <[email protected]>

Fix errors reported after enabling Kernel Control Flow Integrity (KCFI) on kernel code. This is a security mechanism that disallows changes to the original control flow of a compiled binary. Change-Id: I1e1e901c5889d9928411dc785da88e1eac378568 Signed-off-by: Govindaraj Rajagopal <[email protected]>

Opening of multiple instance of voice_svc user space from app will lead to pointer deference of private data within apr callback. As multi-instance not supported added check to deny open() from user space if previous instance hasn't been closed. Change-Id: Ia5ef16c69a517760fc9d45530a8a41a333fa2a21 Signed-off-by: Ajit Pandey <[email protected]>

Check size of payload array before access in q6usm_callback. Change-Id: Id0c85209a053f9dfdb53133aeb6b2510ecf18eb8 Signed-off-by: Vatsal Bucha <[email protected]>

Check size of payload before access in q6usm_mmapcallback. Change-Id: Iff0672532c2ea40e7129237a92d8365d6b554cf2 Signed-off-by: Vatsal Bucha <[email protected]>

Check buffer size in qdsp_cvs_callback before access in ul_pkt. Change-Id: Ic19994b46086709231656ec747d2df988b7a512f Signed-off-by: Vatsal Bucha <[email protected]>

Changes in 3.18.138: (51 commits) udf: Fix crash on IO error during truncate futex: Ensure that futex address is aligned in handle_futex_death() ext4: fix NULL pointer dereference while journal is aborted ext4: fix data corruption caused by unaligned direct AIO ext4: brelse all indirect buffer in ext4_ind_remove_space() mmc: tmio_mmc_core: don't claim spurious interrupts media: v4l2-ctrls.c/uvc: zero v4l2_event Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer mmc: block: Allow more than 8 partitions per card arm64: fix COMPAT_SHMLBA definition for large pages ARM: 8458/1: bL_switcher: add GIC dependency android: unconditionally remove callbacks in sync_fence_free() asm-generic: Fix local variable shadow in __set_fixmap_offset staging: ashmem: Avoid deadlock with mmap/shrink staging: ashmem: Add missing include staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT staging: goldfish: audio: fix compiliation on arm ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies arm64/kernel: fix incorrect EL0 check in inv_entry macro arm64: kernel: Include _AC definition in page.h ipv6: fix endianness error in icmpv6_err usb: gadget: configfs: add mutex lock before unregister gadget video: fbdev: Set pixclock = 0 in goldfishfb arm64: kconfig: drop CONFIG_RTC_LIB dependency mmc: mmc: fix switch timeout issue caused by jiffies precision cfg80211: size various nl80211 messages correctly dccp: do not use ipv6 header for ipv4 flow mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec net: rose: fix a possible stack overflow Add hlist_add_tail_rcu() (Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net) packets: Always register packet sk in the same order tcp: do not use ipv6 header for ipv4 flow sctp: get sctphdr by offset in sctp_compute_cksum mac8390: Fix mmio access size probe ALSA: pcm: Fix possible OOB access in PCM oss plugins ALSA: pcm: Don't suspend stream in unrecoverable PCM state scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices serial: max310x: Fix to avoid potential NULL pointer dereference USB: serial: cp210x: add new device id USB: serial: ftdi_sio: add additional NovaTech products USB: serial: mos7720: fix mos_parport refcount imbalance on error path Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input KVM: Reject device ioctls from processes other than the VM's creator xhci: Fix port resume done detection for SS ports with LPM enabled ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time arm64: support keyctl() system call in 32-bit mode Linux 3.18.138 Signed-off-by: Nathan Chancellor <[email protected]> Conflicts: drivers/staging/android/sync.c

Release spinlock in EVENT_READ_DONE before return if payload size is invalid. Change-Id: I0fe4f841ce73ecfc30fe70334e203443e5e2cb28 Signed-off-by: Vatsal Bucha <[email protected]>

Change-Id: I8f7825d87a14928960258fa55e6ff1908eea41f3

Change-Id: Icd9c6b31b9930f9190e3bd241ec4b9741f0e2e5e

Check the size of ADSP payload before accessing it. CRs-Fixed: 2380694 Change-Id: I52e74e5a86499ea61f8426f767948ce940d4d59c Signed-off-by: Vignesh Kulothungan <[email protected]>

Check if payload data is big enough before accessing the data in it. Change-Id: I939f205a8cebf6ef4859f81fae5429bca013d540 Signed-off-by: Karthikeyan Mani <[email protected]>

…ance"

…size"

The QMI TLV value for strings in a lot of qmi element info structures account for null terminated strings with MAX_LEN + 1. If a string is actually MAX_LEN + 1 length, this will cause an out of bounds access when the NULL character is appended in decoding. CR-Fixed: 2359244 Change-Id: I4d789bc6017ff58458f77fe875ca4e175a4f1357 Signed-off-by: Chris Lew <[email protected]> Signed-off-by: Deepak Kumar Singh <[email protected]>

"LA.UM.7.5.r1-04500-8x96.0" * tag 'LA.UM.7.5.r1-04500-8x96.0': msm: vidc: fix KCFI errors scripts: gcc-wrapper: Route the GCC errors to stderr dsp: asm: validate payload size before access dsp: validate token before usage as array index msm: vidc: ignore processing responses in invalid state msm: mdss: correct the DTV panel fps calculation msm: vidc: do not set video state to DEINIT very early msm: ipa: fix to validate the ioctl WAN_IOC_SEND_LAN_CLIENT_MSG params diag: Update msg mask's ranges properly diag: Add missing protection while accessing session's info msm: ice: check for crypto engine availability msm: asm: validate ADSP data before access diag: Increment data ready only if it is first update dsp: codecs: fix range check for audio buffer copying ASoC: msm: qdsp6v2: add range check for audio port index dsp: asm: Add check for num_channels before calling q6asm_map_channels qdsp6v2: apr: check for packet size to header size comparison msm: vidc: Initialize DCVS load properly msm: vidc: Handle perf mode configuration ARM: dts: msm: Define power configuration for msm8996 and msm8998 fbdev: mdss: Signal pending retire fence mdss: mdp3: Optimize power save in lp mode ASoC: msm: Initialize global Mutex in audio_cal_utils Signed-off-by: Nathan Chancellor <[email protected]>

Validate the dci entries and its task structure before accessing structure members to prevent copying dci data to invalid entries. Change-Id: I07c59ef0705bc52a8268b0dc984ebfa9d26d178e Signed-off-by: Manoj Prabhu B <[email protected]>

Expected buffer size to read is 2 bytes. Corrected the size check to return error when count is not 2. Change-Id: I43b572d191f6f98a8a790b5ae77b43fabcd7329a Signed-off-by: Soumya Managoli <[email protected]>

…out"

Check size of payload array before access in qdsp_mvm_callback. Change-Id: I81d945f963cfb4a3cb26155700b82880d891ec5e Signed-off-by: Vatsal Bucha <[email protected]>

Payload size validity is not checked before using it in array index. Check payload size to avoid out-of-boundary memory. Change-Id: Ic0b06bb331fc1753ff7543bb218ab12d6a4a3ca8 Signed-off-by: Kunlei Zhang <[email protected]>

Change-Id: Iec1e9320f920825a64846af6a9488f321f7a66eb

Payload size is not checked before memory copy. Check payload size to avoid out-of-boundary memory access. Change-Id: I07857564d4e8ce415df3810b25f0e9e17a60993d Signed-off-by: Kunlei Zhang <[email protected]>

Changes in 3.18.139: (105 commits) ext4: cleanup bh release code in ext4_ind_remove_space() i2c: core-smbus: prevent stack corruption on read I2C_BLOCK_DATA tracing: kdb: Fix ftdump to not sleep sysctl: handle overflow for file-max mm/cma.c: cma_declare_contiguous: correct err handling mm/vmalloc.c: fix kernel BUG at mm/vmalloc.c:512! mm/slab.c: kmemleak no scan alien caches ocfs2: fix a panic problem caused by o2cb_ctl cifs: use correct format characters dm thin: add sanity checks to thin-pool and external snapshot creation cifs: Fix NULL pointer dereference of devname fs: fix guard_bio_eod to check for real EOD errors tools lib traceevent: Fix buffer overflow in arg_eval scsi: core: replace GFP_ATOMIC with GFP_KERNEL in scsi_scan.c ARM: 8840/1: use a raw_spinlock_t in unwind mmc: omap: fix the maximum timeout setting e1000e: Fix -Wformat-truncation warnings IB/mlx4: Increase the timeout for CM cache scsi: megaraid_sas: return error when create DMA pool failed SoC: imx-sgtl5000: add missing put_device() leds: lp55xx: fix null deref on firmware load failure kprobes: Prohibit probing on bsearch() ARM: 8833/1: Ensure that NEON code always compiles with Clang ALSA: PCM: check if ops are defined before suspending PCM bcache: fix input overflow to cache set sysfs file io_error_halflife bcache: fix input overflow to sequential_cutoff bcache: improve sysfs_strtoul_clamp() fbdev: fbmem: fix memory access if logo is bigger than the screen cdrom: Fix race condition in cdrom_sysctl_register tty: increase the default flip buffer limit to 2*640K media: mt9m111: set initial frame size other than 0x0 hwrng: virtio - Avoid repeated init of completion hpet: Fix missing '=' character in the __setup() code of hpet_mmap_enable dmaengine: imx-dma: fix warning comparison of distinct pointer types media: s5p-jpeg: Check for fmt_ver_flag when doing fmt enumeration wlcore: Fix memory leak in case wl12xx_fetch_firmware failure x86/build: Mark per-CPU symbols as absolute explicitly for LLD dmaengine: tegra: avoid overflow of byte tracking drm/dp/mst: Configure no_stop_bit correctly for remote i2c xfers binfmt_elf: switch to new creds when switching to new mm lib/string.c: implement a basic bcmp tty: mark Siemens R3964 line discipline as BROKEN tty: ldisc: add sysctl to prevent autoloading of ldiscs openvswitch: fix flow actions reallocation qmi_wwan: add Olicard 600 sctp: initialize _pad of sockaddr_in before copying to user memory netns: provide pure entropy for net_hash_mix() net: ethtool: not call vzalloc for zero sized memory request ip6_tunnel: Match to ARPHRD_TUNNEL6 for dev type ALSA: seq: Fix OOB-reads from strlcpy ASoC: fsl_esai: fix channel swap issue when stream starts block: do not leak memory in bio_copy_user_iov() arm64: futex: Fix FUTEX_WAKE_OP atomic ops with non-zero result value xen: Prevent buffer overflow in privcmd ioctl sched/fair: Do not re-read ->h_load_next during hierarchical load calculation xtensa: fix return_address PCI: Add function 1 DMA alias quirk for Marvell 9170 SATA controller string: drop __must_check from strscpy() and restore strscpy() usages in cgroup perf/core: Restore mmap record type correctly ext4: report real fs size after failed resize ALSA: echoaudio: add a check for ioremap_nocache ALSA: sb8: add a check for request_region IB/mlx4: Fix race condition between catas error reset and aliasguid flows mmc: davinci: remove extraneous __init annotation ALSA: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration thermal/int340x_thermal: fix mode setting tools/power turbostat: return the exit status of a command perf top: Fix error handling in cmd_top() perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test() x86/hpet: Prevent potential NULL pointer dereference x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors iommu/vt-d: Check capability before disabling protected memory fix incorrect error code mapping for OBJECTID_NOT_FOUND rsi: improve kernel thread handling to fix kernel panic 9p: do not trust pdu content for stat item size 9p locks: add mount option for lock retry interval serial: uartps: console_setup() can't be placed to init section ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms ACPI / SBS: Fix GPE storm on recent MacBookPro's iommu/dmar: Fix buffer overflow during PCI bus notification appletalk: Fix use-after-free in atalk_proc_exit lib/div64.c: off by one in shift include/linux/swap.h: use offsetof() instead of custom __swapoffset macro inet: update the IP ID generation algorithm to higher standards. appletalk: Fix compile regression crypto: crypto4xx - properly set IV after de- and encrypt tpm/tpm_i2c_atmel: Return -E2BIG when the transfer is incomplete bonding: fix event handling for stacked bonds net: bridge: multicast: use rcu to access port list from br_multicast_start_querier ipv4: recompile ip options in ipv4_link_failure ipv4: ensure rcu_read_lock() in ipv4_link_failure() tcp: tcp_grow_window() needs to respect tcp_space() iio: ad_sigma_delta: select channel when reading register iio: adc: at91: disable adc channel interrupt in timeout case staging: comedi: vmk80xx: Fix use of uninitialized semaphore staging: comedi: vmk80xx: Fix possible double-free of ->usb_rx_buf staging: comedi: ni_usb6501: Fix possible double-free of ->usb_rx_buf ALSA: core: Fix card races between register and disconnect x86/kprobes: Verify stack frame on kretprobe kprobes: Fix error check when reusing optimized probes sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup device_cgroup: fix RCU imbalance in error case arm64: futex: Restore oldval initialization to work around buggy compilers kernel/sysctl.c: fix out-of-bounds access when setting file-max Linux 3.18.139 Signed-off-by: Nathan Chancellor <[email protected]> Conflicts: drivers/tty/tty_buffer.c include/net/netns/hash.h

Payload size validity is not checked before using it in array index. Check payload size to avoid out-of-boundary memory. Change-Id: Ic0b06bb331fc1753ff7543bb218ab12d6a4a3ca8 Signed-off-by: Kunlei Zhang <[email protected]>

Ignore DSI FIFO overflow errors while sending DCS commands in dma_tpg_tx path. This extends the handling of overflow as done in non-TPG path through commit 2aa6192 "msm: mdss: ignore overflow error when sending dcs command" to the dma_tpg path. Change-Id: I9ab9b79d7c2100cf9f2e7c01983500c098a12770 Signed-off-by: Nirmal Abraham <[email protected]>

In current implementation, count becomes -1 when number of clusters passed is 0, resulting in invalid address. This change fixes issue by bailing out when number of clusters passed is 0. Change-Id: I240333501815654d40e4b6bde7ed4dc06615f9c6 Signed-off-by: Chetan C R <[email protected]> Signed-off-by: Karthik Gopalan <[email protected]> Signed-off-by: Shashi Shekar Shankar <[email protected]>

Prevent possible out of bound access due to missing length check while extracting dci packet response by adding proper checks. CRs-Fixed: 2434571 Change-Id: I7b6972bf6559bdca99333a75d989cd6d3431b801 Signed-off-by: Manoj Prabhu B <[email protected]>

Restrict printing of kernel virtual addresses in SPS driver. In debug prints, handles to bam device structures may be printed as integers. As these handles are obtained by casting pointer to bam device structures to integer, they can reveal addresses of the structures to attackers. Cast the handles in debug prints to pointers, printed with with %pK, which hides these values if kptr_restrict is set (default on Android). Change-Id: Idd28c7d11a06113605f7428a4cfc2505c1ae0073 Signed-off-by: Jishnu Prakash <[email protected]>

"LA.UM.7.5.r1-04800-8x96.0" * tag 'LA.UM.7.5.r1-04800-8x96.0': lsm: check payload size validity before using it as array index ASoC: msm: Modify buf size check to prevent OOB error soc: qcom: qmi_encdec: Restrict string length in decode dsp: afe: check for payload size before payload access msm: adm: validate ADSP payload size before access dsp: q6usm: Release spinlock before return if invalid payload size dsp: q6voice: Check size of shared memory buffer before access qdsp6v2: q6usm: Check size of payload before access qdsp6v2: q6usm: Check size of payload before access drivers: soc: qcom: Added check to avoid opening multiple instance msm: kgsl: Limit log frequency in case of context count maxed out Signed-off-by: Nathan Chancellor <[email protected]>

currently only NULL pointer check is used to validate the return value from clk_get, this change to handle all the failures. Change-Id: Icd8b7e33d0f235a7c5dde2307972a594908e6a60 Signed-off-by: Srikanth Uyyala <[email protected]> Signed-off-by: Vandana Jain <[email protected]>

currently only NULL pointer check is used to validate the return value from clk_get, this change to handle all the failures. Change-Id: I3f981b0a2605dbf57d1a22222f9fb56fa882ec8b Signed-off-by: E V Ravi <[email protected]>

While processing a packet containing command request, buffer size need to be checked against size of the command structures that is being parsed to prevent possible out of bound access. CRs-Fixed: 2432633 Change-Id: I048bdbd0c096a6d03501bdd5b1d2d4bb50d45dd6 Signed-off-by: Manoj Prabhu B <[email protected]>

Lock Implementation for avoid race condition leading to out-of-bound write in "msm_vb2_queue_setup CRs-Fixed: 2362627 Change-Id: I5b9eeb35eb47cfb7b0dc8c0db17b4af359967f1c Signed-off-by: E V Ravi <[email protected]>

Lock Implementation for avoid race condition leading to out-of-bound write in "msm_vb2_queue_setup CRs-Fixed: 2362627 Change-Id: I7f7420c7437b9ac2f215929a8614b0846e890c98 Signed-off-by: Vijay kumar Tumati <[email protected]> Signed-off-by: Vandana Jain <[email protected]>

Video driver and firmware communicates over shared queue. The queue header has the indices which synchronizes the read and write between the driver and firmware modules. This change ensures that the indices are within the valid range before accessing them. CRs-fixed: 2345481 Change-Id: I8da6bb4218a5b8ec0e2e2c7b87f6cc9eec21bd16 Signed-off-by: Vikash Garodia <[email protected]> Signed-off-by: Paras Nagda <[email protected]>

Changes in 3.18.140: (87 commits) MIPS: scall64-o32: Fix indirect syscall number load trace: Fix preempt_enable_no_resched() abuse sched/numa: Fix a possible divide-by-zero ceph: ensure d_name stability in ceph_dentry_hash() sunrpc: don't mark uninitialised items as VALID. slip: make slhc_free() silently accept an error pointer fs/proc/proc_sysctl.c: Fix a NULL pointer dereference NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family. netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON Revert "block/loop: Use global lock for ioctl() operation." ipv4: add sanity checks in ipv4_link_failure() team: fix possible recursive locking when add slaves net: stmmac: move stmmac_check_ether_addr() to driver probe qlcnic: Avoid potential NULL pointer dereference usb: gadget: net2280: Fix overrun of OUT messages usb: gadget: net2272: Fix net2272_dequeue() net: ks8851: Dequeue RX packets explicitly net: ks8851: Reassert reset pin if chip ID check fails net: ks8851: Delay requesting IRQ until opened net: ks8851: Set initial carrier state to down net: ibm: fix possible object reference leak scsi: qla4xxx: fix a potential NULL pointer dereference usb: u132-hcd: fix resource leak ceph: fix use-after-free on symlink traversal scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN libata: fix using DMA buffers on stack kconfig/[mn]conf: handle backspace (^H) key ipv4: ip_do_fragment: Preserve skb_iif during fragmentation ipv6: invert flowlabel sharing check in process and user mode packet: validate msg_namelen in send directly ipv6/flowlabel: wait rcu grace period before put_pid() USB: yurex: Fix protection fault after device removal USB: w1 ds2490: Fix bug caused by improper use of altsetting array USB: core: Fix unterminated string returned by usb_string() USB: media: disable tlg2300 driver USB: core: Fix bug caused by duplicate interface PM usage counter HID: debug: fix race condition with between rdesc_show() and device removal rtc: sh: Fix invalid alarm warning for non-enabled alarm igb: Fix WARN_ONCE on runtime suspend bonding: show full hw address in sysfs for slave entries jffs2: fix use-after-free on symlink traversal scsi: storvsc: Fix calculation of sub-channel count hugetlbfs: fix memory leak for resv_map xsysace: Fix error handling in ace_setup ARM: orion: don't use using 64-bit DMA masks ARM: iop: don't use using 64-bit DMA masks usb: usbip: fix isoc packet num validation in get_pipe staging: iio: adt7316: allow adt751x to use internal vref for all dacs staging: iio: adt7316: fix the dac read calculation staging: iio: adt7316: fix the dac write calculation media: v4l2: i2c: ov7670: Fix PLL bypass register values scsi: libsas: fix a race condition when smp task timeout ASoC:soc-pcm:fix a codec fixup issue in TDM case ASoC: cs4270: Set auto-increment bit for register writes ASoC: tlv320aic32x4: Fix Common Pins scsi: csiostor: fix missing data copy in csio_scsi_err_handler() iommu/amd: Set exclusion range correctly genirq: Prevent use-after-free and work list corruption scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines Bluetooth: hidp: fix buffer overflow Bluetooth: Align minimum encryption key size for LE and BR/EDR connections timer/debug: Change /proc/timer_stats from 0644 to 0600 netfilter: compat: initialize all fields in xt_init platform/x86: sony-laptop: Fix unintentional fall-through iio: adc: xilinx: fix potential use-after-free on remove HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys s390/dasd: Fix capacity calculation for large volumes s390/3270: fix lockdep false positive on view->lock KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing tools lib traceevent: Fix missing equality check for strcmp init: initialize jump labels before command line option parsing s390: ctcm: fix ctcm_new_device error return code selftests/net: correct the return value for run_netsocktests gpu: ipu-v3: dp: fix CSC handling Don't jump to compute_result state from check_result state USB: serial: use variable for status USB: serial: fix unthrottle races bridge: Fix error path for kobject_init_and_add() net: ucc_geth - fix Oops when changing number of buffers in the ring packet: Fix error path in packet_init vlan: disable SIOCSHWTSTAMP in container ipv4: Fix raw socket lookup for local traffic bonding: fix arp_validate toggling in active-backup mode drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl powerpc/booke64: set RI in default MSR Linux 3.18.140 Signed-off-by: Nathan Chancellor <[email protected]> Conflicts: drivers/net/ethernet/micrel/ks8851.c drivers/usb/usbip/stub_rx.c kernel/irq/manage.c

set_page_dirty() is racy if the caller has no reference against page->mapping->host, and if the page is unlocked. This is because another CPU could truncate the page off the mapping and then free the mapping. Use set_page_dirty_lock() to avoid this race condition. Change-Id: I517fb9aee66560618c7676b311368f7a7498011f Signed-off-by: Rajesh Kemisetti <[email protected]> Signed-off-by: Archana Sriram <[email protected]>

Payload size validity is not checked before using it in array index. Check payload size to avoid out-of-boundary memory. Add the check in lsm_event_detect_status_v3. Change-Id: I2f4ec3af5fa60ada6155ff3cf88e122a9066ab3b Signed-off-by: Kunlei Zhang <[email protected]>

Add check for minimum length before typecasting to build mask structure to prevent out of bound access while processing get msg mask command. CRs-Fixed: 2431047 Change-Id: I5b8341f278b0b46359800e43c604c5671261c728 Signed-off-by: Manoj Prabhu B <[email protected]>

Validate the buffer size against the parsing command structure size before parsing to prevent possible out of bound error case. CRs-Fixed: 2437341 Change-Id: I31c9a556539fce403691294a76160ae4936e7065 Signed-off-by: Manoj Prabhu B <[email protected]>

Change-Id: Ifa80bc0dfbd1900476c26b6b3977e4d01d53efb7

Change-Id: I0715ce4fe568cf98fa74cd079b5c7a7ca8f57191

Add check for minimum length before typecasting to build mask structure to prevent out of bound access. CRs-Fixed: 2431005 Change-Id: I97b439ead62c8a67869c9209442ef771308f2d3f Signed-off-by: Manoj Prabhu B <[email protected]>

arr_filp is an alias to filp_to_release. It is exposed to access indices greater than allotted space of 15 bytes, equal to size of OBJECT_COUNTS_MAX_OO. This change fixes the stack overflow by taking an independent variable to track the number of output objects. Change-Id: Idca9cef3c69693d27d4ca3d0e0b4845fc27c998a Signed-off-by: Anmolpreet Kaur <[email protected]>

pkt->msg_size can be corrupted and that leads to OOB access. So added additional conditional check to avoid OOB access in debug queue packet handling. Change-Id: I360812c40369ecef2dd99464d400661bc785074b Signed-off-by: Govindaraj Rajagopal <[email protected]>

Use-after-free is seen when sending a sockev netlink message since socket is not held which can race with sk_free. KASAN: use-after-free in sockev_client_cb+0x41c/0x4b8 in net/core/sockev_nlmcast.c:104 Read of size 2 at addr ffffffc08420c550 Call trace: dump_backtrace+0x0/0x388 arch/arm64/kernel/time.c:55 show_stack+0x24/0x30 arch/arm64/kernel/traps.c:152 __dump_stack+0x24/0x2c lib/dump_stack.c:17 dump_stack+0x8c/0xd0 lib/dump_stack.c:53 print_address_description+0x74/0x234 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report+0x240/0x264 mm/kasan/report.c:412 __asan_report_load2_noabort+0x2c/0x38 mm/kasan/report.c:431 sockev_client_cb+0x41c/0x4b8 net/core/sockev_nlmcast.c:104 notifier_call_chain+0x104/0x158 kernel/notifier.c:93 __blocking_notifier_call_chain+0x80/0xb0 kernel/notifier.c:317 blocking_notifier_call_chain+0x3c/0x4c kernel/notifier.c:328 sockev_notify+0x30/0x3c net/socket.c:181 SYSC_bind net/socket.c:1509 [inline] SyS_bind+0x1ec/0x30c net/socket.c:1489 el0_svc_naked+0x34/0x38 Freed by task 19460: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] __kasan_slab_free+0x134/0x20c mm/kasan/kasan.c:520 kasan_slab_free+0x10/0x1c mm/kasan/kasan.c:527 slab_free_hook mm/slub.c:1401 [inline] slab_free_freelist_hook mm/slub.c:1422 [inline] slab_free mm/slub.c:2979 [inline] kmem_cache_free+0x114/0x664 mm/slub.c:3001 sk_prot_free net/core/sock.c:1504 [inline] __sk_destruct+0x324/0x3c0 net/core/sock.c:1585 __sk_free+0x180/0x200 net/core/sock.c:1601 sk_free+0x44/0x50 net/core/sock.c:1612 sock_put include/net/sock.h:1643 [inline] sk_common_release+0x198/0x20c net/core/sock.c:3014 raw_close+0x38/0x44 net/ipv4/raw.c:703 inet_release+0x128/0x15c net/ipv4/af_inet.c:446 __sock_release+0xb8/0x258 net/socket.c:614 sock_close+0x24/0x34 net/socket.c:1150 __fput+0x1f4/0x4e4 fs/file_table.c:345 ____fput+0x20/0x2c fs/file_table.c:380 task_work_run+0x9c/0x174 kernel/task_work.c:113 Change-Id: Idb4335889b6e4228f36d76ca5b6156cc5e5838da Signed-off-by: Sharath Chandra Vurukala <[email protected]>

Structures in shared memory that can be modified by remote processors may have untrusted values, they should be validated before use. Adding proper validation before using fields of shared structures. CRs-Fixed: 2421602 Change-Id: I947ed5b0fe5705e5223d75b0ea8aafb36113ca5a Signed-off-by: Deepak Kumar Singh <[email protected]>

dchdr->dlen is a short variable controlled by the user-provided data. If the value is negative, loop continues, also increasing the value of "len". As a result buffer overflow occurs. So define the len as unsigned and check with length of string input from user space. Change-Id: I8bb9ab33d543c826eb330e16ae116385d823ca98 Signed-off-by: Raghavendra Ambadas <[email protected]>

The region index for bivcm is not validated against the region size. This causes out-of-bound read on the KASAN kernel. Add restriction that region index smaller than region size. CRs-Fixed: 2379514 Change-Id: I72c4a41a4b41c8fa70c174ffd3215a81eaa14355 Signed-off-by: Haibin Liu <[email protected]>

Ratelimit error logs of boundary check conditions in audio effects driver to avoid excessive logging. CRs-Fixed: 2426159 Change-Id: Iaf10eee281389773a21340997e3ffbe88c6e79f6 Signed-off-by: Aditya Bavanari <[email protected]> Signed-off-by: Soumya Managoli <[email protected]>

…params"

Since DSP is not supposed to modify the base pointer rpra of the input/output arguments offloaded to DSP, maintain a local copy of the pointer and use it after receiving interrupt from DSP. Change-Id: I4afade7184cb2aca148060fb0cda06c6174f3b55 Acked-by: Maitreyi Gupta <[email protected]> Signed-off-by: Mohammed Nayeem Ur Rahman <[email protected]>

This is required to fix the VTS test case failures which are failing as the kernel supports EXT2/EXT3 but the tools mkfs.ext2/mkfs.ext3 doesn't exist anymore. Change-Id: I433b3775c974a9bf38a62d9cd71319164fe0593f Signed-off-by: Naitik Bharadiya <[email protected]>

Proper buffer length checks are missing in diagchar_write handlers for userspace data while processing the same buffer. Change-Id: I5b8095766e09c22f164398089505fe827fee8b54 Signed-off-by: Hardik Arya <[email protected]>

Change the start address of TZ apps region and increase the size to 2 MB. Change-Id: I13c41af5918a808d953a24219ff1e07eb064c0ca Signed-off-by: Jiten Patel <[email protected]>

"LA.UM.7.5.r1-05300-8x96.0" * tag 'LA.UM.7.5.r1-05300-8x96.0': diag: Check buffer size against command structure size diag: Check command size against the minimum before parsing lsm: check payload size validity in lsm_event_detect_status_v3 msm: kgsl: Fix race condition while making page as dirty msm: vidc: Ensure validity of shared Q indices msm: camera : Lock Implementation for avoid race condition msm: ais : Lock Implementation for avoid race condition diag: Validate command length against size of command structure msm: ais: handle the error value returned during get clock msm: camera_v2: handle the error value returned during get clock msm: sps: Update debug message format specifier diag: dci: Validate dci response length before parsing soc: qcom: Bail out when number of clusters is set to 0 msm: mdss: Ignore overflow errors in dma_tpg_tx path lsm: check payload size validity before using it as array index msm: qdsp6v2: Check size of payload before access diag: dci: Validate dci client entries prior read Signed-off-by: Nathan Chancellor <[email protected]>

During ringbuffer parsing, same IB can exist multiple times but size validation happens only for the first time. This leads to out of bound access if the subsequent sizes are greater than the allocated size. Add a check to make sure that requested size is within the allocated range. Change-Id: Ie5d3c02c1669de2e6188821399e985f0991aa57c Signed-off-by: Rajesh Kemisetti <[email protected]>

Change-Id: I8506e859a33e8978493528fa46825266fe886596

Change-Id: I5a12bd0a4998de2ad123568ef8b72d6e9564eabb

Update year marking for apq8009w-nowgr-memory.dtsi Change-Id: I5cc7a5719c9227eea89ebff8b363b4244f87a171 Signed-off-by: Jiten Patel <[email protected]>

…erly"

Added missing lock to avoid race conditon for dqbuf and streamon CRs-Fixed: 2376566 Change-Id: I1c0ef9014914a9892c4d443600618c52d0aeebfa Signed-off-by: VijayaKumar T M <[email protected]> Signed-off-by: Vandana Jain <[email protected]>

Proper buffer length check is missing for dci userspace data buffer before processing the dci transaction. The patch adds proper check for the same. Change-Id: I68c0e8c41d4e05493adecf8a1fcacea708dfafa2 Signed-off-by: Hardik Arya <[email protected]>

Use trusted packet size on the received packet and check for the size of the data received against the expected size before accessing the packet. Change-Id: I1bd6008249a0bf4edeec711ec8d23cf7b8dac1f1 Signed-off-by: Priyanka Gujjula <[email protected]>

Use bin2hex function instead of a chap_binaryhex_to_asciihex. Change-Id: I0e3c4dc45b4a951af848514e70dda0f8daa62450 Signed-off-by: Vincent Pelletier <[email protected]> Reviewed-by: Mike Christie <[email protected]> Signed-off-by: Martin K. Petersen <[email protected]> Git-commit: 8c39e2699f8acb2e29782a834e56306da24937fe Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/mkp/scsi.git Signed-off-by: Krishnamurthy K R <[email protected]>

when create DMA pool for cmd frames failed, we should return -ENOMEM, instead of 0. In some case in: megasas_init_adapter_fusion() -->megasas_alloc_cmds() -->megasas_create_frame_pool create DMA pool failed, --> megasas_free_cmds() [1] -->megasas_alloc_cmds_fusion() failed, then goto fail_alloc_cmds. -->megasas_free_cmds() [2] we will call megasas_free_cmds twice, [1] will kfree cmd_list, [2] will use cmd_list.it will cause a problem: Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = ffffffc000f70000 [00000000] *pgd=0000001fbf893003, *pud=0000001fbf893003, *pmd=0000001fbf894003, *pte=006000006d000707 Internal error: Oops: 96000005 [#1] SMP Modules linked in: CPU: 18 PID: 1 Comm: swapper/0 Not tainted task: ffffffdfb9290000 ti: ffffffdfb923c000 task.ti: ffffffdfb923c000 PC is at megasas_free_cmds+0x30/0x70 LR is at megasas_free_cmds+0x24/0x70 ... Call trace: [<ffffffc0005b779c>] megasas_free_cmds+0x30/0x70 [<ffffffc0005bca74>] megasas_init_adapter_fusion+0x2f4/0x4d8 [<ffffffc0005b926c>] megasas_init_fw+0x2dc/0x760 [<ffffffc0005b9ab0>] megasas_probe_one+0x3c0/0xcd8 [<ffffffc0004a5abc>] local_pci_probe+0x4c/0xb4 [<ffffffc0004a5c40>] pci_device_probe+0x11c/0x14c [<ffffffc00053a5e4>] driver_probe_device+0x1ec/0x430 [<ffffffc00053a92c>] __driver_attach+0xa8/0xb0 [<ffffffc000538178>] bus_for_each_dev+0x74/0xc8 [<ffffffc000539e88>] driver_attach+0x28/0x34 [<ffffffc000539a18>] bus_add_driver+0x16c/0x248 [<ffffffc00053b234>] driver_register+0x6c/0x138 [<ffffffc0004a5350>] __pci_register_driver+0x5c/0x6c [<ffffffc000ce3868>] megasas_init+0xc0/0x1a8 [<ffffffc000082a58>] do_one_initcall+0xe8/0x1ec [<ffffffc000ca7be8>] kernel_init_freeable+0x1c8/0x284 [<ffffffc0008d90b8>] kernel_init+0x1c/0xe4. Change-Id: I6a8af3e178b3ab9d143f1e12fbb0d6534db1a55f Signed-off-by: Jason Yan <[email protected]> Acked-by: Sumit Saxena <[email protected]> Signed-off-by: Martin K. Petersen <[email protected]> Git-commit: bcf3b67d16a4c8ffae0aa79de5853435e683945c Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

When the lldd is processing the complete sas task in interrupt and set the task stat as SAS_TASK_STATE_DONE, the smp timeout timer is able to be triggered at the same time. And smp_task_timedout() will complete the task wheter the SAS_TASK_STATE_DONE is set or not. Then the sas task may freed before lldd end the interrupt process. Thus a use-after-free will happen. Fix this by calling the complete() only when SAS_TASK_STATE_DONE is not set. And remove the check of the return value of the del_timer(). Once the LLDD sets DONE, it must call task->done(), which will call smp_task_done()->complete() and the task will be completed and freed correctly. Change-Id: If154bee6a62e51515dbf204edf77110609c2504e Reported-by: chenxiang <[email protected]> Signed-off-by: Jason Yan <[email protected]> CC: John Garry <[email protected]> CC: Johannes Thumshirn <[email protected]> CC: Ewan Milne <[email protected]> CC: Christoph Hellwig <[email protected]> CC: Tomas Henzl <[email protected]> CC: Dan Williams <[email protected]> CC: Hannes Reinecke <[email protected]> Reviewed-by: Hannes Reinecke <[email protected]> Reviewed-by: John Garry <[email protected]> Reviewed-by: Johannes Thumshirn <[email protected]> Signed-off-by: Martin K. Petersen <[email protected]> Git-commit: b90cd6f2b905905fb42671009dc0e27c310a16ae Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

Make sure to check that we actually have an Interface Association Descriptor before dereferencing it during probe to avoid dereferencing a NULL-pointer. Fixes: e0d3baf ("V4L/DVB (10954): Add cx231xx USB driver"). Change-Id: Ib3d82edf28ad0a945046cf39cb7d599a5bb6d922 Cc: stable <[email protected]> # 2.6.30 Reported-by: Andrey Konovalov <[email protected]> Signed-off-by: Johan Hovold <[email protected]> Tested-by: Andrey Konovalov <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]> Git-commit: 6c3b047fa2d2286d5e438bcb470c7b1a49f415f6 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

Jann Horn points out that the vmacache_flush_all() function is not only potentially expensive, it's buggy too. It also happens to be entirely unnecessary, because the sequence number overflow case can be avoided by simply making the sequence number be 64-bit. That doesn't even grow the data structures in question, because the other adjacent fields are already 64-bit. So simplify the whole thing by just making the sequence number overflow case go away entirely, which gets rid of all the complications and makes the code faster too. Win-win. [ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics also just goes away entirely with this ]. Change-Id: Ic9ffd061f3116cfcf563a5d9808c3dddf0547e5d Reported-by: Jann Horn <[email protected]> Suggested-by: Will Deacon <[email protected]> Acked-by: Davidlohr Bueso <[email protected]> Cc: Oleg Nesterov <[email protected]> Cc: [email protected] Signed-off-by: Linus Torvalds <[email protected]> Git-commit: 7a9cdebdcc17e426fb5287e4a82db1dfe86339b2 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

Commit d1cd214 ("pwm: Set enable state properly on failed call to enable") introduced a mutex that is needed to protect internal state of PWM devices. Since that mutex is acquired in pwm_set_polarity() and in pwm_enable() and might potentially block, all PWM devices effectively become "might sleep". It's rather pointless to keep the .can_sleep field around, but given that there are external users let's postpone the removal for the next release cycle. Change-Id: I37237c2e04c171d29c2b4559aadcb36937b9d41e Signed-off-by: Thierry Reding <[email protected]> Git-commit: ff01c94 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

FS_CGROUP_WRITEBACK indicates whether a file_system_type supports cgroup writeback; however, different super_blocks of the same file_system_type may or may not support cgroup writeback depending on filesystem options. This patch replaces FS_CGROUP_WRITEBACK with a per-super_block flag. super_block->s_flags carries some internal flags in the high bits but it's exposd to userland through uapi header and running out of space anyway. This patch adds a new field super_block->s_iflags to carry kernel-internal flags. It is currently only used by the new SB_I_CGROUPWB flag whose concatenated and abbreviated name is for consistency with other super_block flags. ext2_fill_super() is updated to set SB_I_CGROUPWB. v2: Added super_block->s_iflags instead of stealing another high bit from sb->s_flags as suggested by Christoph and Jan. Change-Id: I62a6811d3118901f9ad14cee12dc156d376e56c5 Signed-off-by: Tejun Heo <[email protected]> Cc: Alexander Viro <[email protected]> Cc: [email protected] Cc: Christoph Hellwig <[email protected]> Cc: Jan Kara <[email protected]> Cc: [email protected] Reviewed-by: Christoph Hellwig <[email protected]> Signed-off-by: Jens Axboe <[email protected]> Git-commit: 46b15ca Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git [[email protected]: resolve trivial merge conflicts] Signed-off-by: Krishnamurthy K R <[email protected]>

Today proc and sysfs do not contain any executable files. Several applications today mount proc or sysfs without noexec and nosuid and then depend on there being no exectuables files on proc or sysfs. Having any executable files show on proc or sysfs would cause a user space visible regression, and most likely security problems. Therefore commit to never allowing executables on proc and sysfs by adding a new flag to mark them as filesystems without executables and enforce that flag. Test the flag where MNT_NOEXEC is tested today, so that the only user visible effect will be that exectuables will be treated as if the execute bit is cleared. The filesystems proc and sysfs do not currently incoporate any executable files so this does not result in any user visible effects. This makes it unnecessary to vet changes to proc and sysfs tightly for adding exectuable files or changes to chattr that would modify existing files, as no matter what the individual file say they will not be treated as exectuable files by the vfs. Not having to vet changes to closely is important as without this we are only one proc_create call (or another goof up in the implementation of notify_change) from having problematic executables on proc. Those mistakes are all too easy to make and would create a situation where there are security issues or the assumptions of some program having to be broken (and cause userspace regressions). Change-Id: I67c6f5dbf270fde36b3b3f25ab8af33dd0008992 Signed-off-by: "Eric W. Biederman" <[email protected]> Git-commit: 90f8572 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

This ensures that do_mmap() won't implicitly make AIO memory mappings executable if the READ_IMPLIES_EXEC personality flag is set. Such behavior is problematic because the security_mmap_file LSM hook doesn't catch this case, potentially permitting an attacker to bypass a W^X policy enforced by SELinux. I have tested the patch on my machine. To test the behavior, compile and run this: #define _GNU_SOURCE #include <unistd.h> #include <sys/personality.h> #include <linux/aio_abi.h> #include <err.h> #include <stdlib.h> #include <stdio.h> #include <sys/syscall.h> int main(void) { personality(READ_IMPLIES_EXEC); aio_context_t ctx = 0; if (syscall(__NR_io_setup, 1, &ctx)) err(1, "io_setup"); char cmd[1000]; sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'", (int)getpid()); system(cmd); return 0; } In the output, "rw-s" is good, "rwxs" is bad. Change-Id: I0805d18f8c38c47e3e3f8c06118f34e9513e1e90 Signed-off-by: Jann Horn <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Git-commit: 22f6b4d Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

Since a_alt_hnp_support is obsolete in OTG 2.0, HNP capable host should send this set feature request only if the otg device is connecting to a non-HNP port and it's compliant with OTG 1.x revision. This is done by checking its otg descriptor length, OTG 2.0 uses usb_otg20_descriptor which has different length than OTG 1.x using usb_otg_descriptor. Change-Id: I554ea895de0f8845b9df0a4af7d5424b25f50f48 Signed-off-by: Li Jun <[email protected]> Acked-by: Peter Chen <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Git-commit: 7d2d641 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

Added check for max array index Change-Id: I4f8a4b559c83c04577cd58376526668d29b6b723 Signed-off-by: Sumalatha Malothu <[email protected]>

validate structures and payload sizes in the packet against packet size to avoid OOB access. Change-Id: I8bc3002e51a18e08b212b13af724480ec48994d7 Signed-off-by: Mahesh Voorugonda <[email protected]> Signed-off-by: Sanjay Singh <[email protected]>

Disable Automotive Imaging systems(Auto Camera) for msm-3.18.c13 branch. Change-Id: I0d98ae8ae2c71ec146c50982116aaa5076864c48 Signed-off-by: E V Ravi <[email protected]>

Removing ais folders from the camera drivers. Since none of the automotive projects are using msm-3.18.c13 kernel. Change-Id: I52fafaf2089714a8f610b6e60581dde7d83282a7 Signed-off-by: E V Ravi <[email protected]>

When reading an extra descriptor, we need to properly check the minimum and maximum size allowed, to prevent from invalid data being sent by a device. Change-Id: I9457c9c373dde0d6323177a8dc0d82e42d5861d6 Reported-by: Hui Peng <[email protected]> Reported-by: Mathias Payer <[email protected]> Co-developed-by: Linus Torvalds <[email protected]> Signed-off-by: Hui Peng <[email protected]> Signed-off-by: Mathias Payer <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Cc: stable <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Git-commit: 704620afc70cf47abb9d6a1a57f3825d2bca49cf Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

Zero initialize the local variables that store information from the remote. On the chance reading from the remote fails, the data in these structs will now be zero instead of stale data. Change-Id: Iafaeb71a5dc57e27a34b4250ea529fbe27df2393 Signed-off-by: Chris Lew <[email protected]>

Using l2tp_tunnel_find() in pppol2tp_session_create() and l2tp_eth_create() is racy, because no reference is held on the returned session. These functions are only used to implement the ->session_create callback which is run by l2tp_nl_cmd_session_create(). Therefore searching for the parent tunnel isn't necessary because l2tp_nl_cmd_session_create() already has a pointer to it and holds a reference. This patch modifies ->session_create()'s prototype to directly pass the the parent tunnel as parameter, thus avoiding searching for it in pppol2tp_session_create() and l2tp_eth_create(). Since we have to touch the ->session_create() call in l2tp_nl_cmd_session_create(), let's also remove the useless conditional: we know that ->session_create isn't NULL at this point because it's already been checked earlier in this same function. Finally, one might be tempted to think that the removed l2tp_tunnel_find() calls were harmless because they would return the same tunnel as the one held by l2tp_nl_cmd_session_create() anyway. But that tunnel might be removed and a new one created with same tunnel Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find() would return the new tunnel which wouldn't be protected by the reference held by l2tp_nl_cmd_session_create(). Fixes: 309795f ("l2tp: Add netlink control API for L2TP") Fixes: d9e31d1 ("l2tp: Add L2TP ethernet pseudowire support") Change-Id: If0ee6b251bceb334aae3049cad8da371036dee89 Signed-off-by: Guillaume Nault <[email protected]> Signed-off-by: David S. Miller <[email protected]> Git-commit: f026bc29a8e093edfbb2a77700454b285c97e8ad Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

Ensure the available data size with in the packet before type casting from smaller data type to larger data type in order to avoid information leak or packet out of boundary access. Change-Id: I8614a8b3f930c87af8aa49f77ea9d768a73ea203 Signed-off-by: Priyanka Gujjula <[email protected]> Signed-off-by: Sanjay Singh <[email protected]>

A CDC Ethernet functional descriptor with wMaxSegmentSize = 0 will cause a divide error in usbnet_probe: divide error: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 0 PID: 24 Comm: kworker/0:1 Not tainted 4.14.0-rc8-44453-g1fdc1a82c34f #56 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event task: ffff88006bef5c00 task.stack: ffff88006bf60000 RIP: 0010:usbnet_update_max_qlen+0x24d/0x390 drivers/net/usb/usbnet.c:355 RSP: 0018:ffff88006bf67508 EFLAGS: 00010246 RAX: 00000000000163c8 RBX: ffff8800621fce40 RCX: ffff8800621fcf34 RDX: 0000000000000000 RSI: ffffffff837ecb7a RDI: ffff8800621fcf34 RBP: ffff88006bf67520 R08: ffff88006bef5c00 R09: ffffed000c43f881 R10: ffffed000c43f880 R11: ffff8800621fc406 R12: 0000000000000003 R13: ffffffff85c71de0 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88006ca00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffe9c0d6dac CR3: 00000000614f4000 CR4: 00000000000006f0 Call Trace: usbnet_probe+0x18b5/0x2790 drivers/net/usb/usbnet.c:1783 qmi_wwan_probe+0x133/0x220 drivers/net/usb/qmi_wwan.c:1338 usb_probe_interface+0x324/0x940 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:413 driver_probe_device+0x522/0x740 drivers/base/dd.c:557 Fix by simply ignoring the bogus descriptor, as it is optional for QMI devices anyway. Fixes: 423ce8c ("net: usb: qmi_wwan: New driver for Huawei QMI based WWAN devices") Change-Id: I4d1597c40d91dc3a61754f68a0c8ce736c22cfb1 Reported-by: Andrey Konovalov <[email protected]> Signed-off-by: Bjørn Mork <[email protected]> Signed-off-by: David S. Miller <[email protected]> Git-commit: 7fd078337201cf7468f53c3d9ef81ff78cb6df3b Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git Signed-off-by: Krishnamurthy K R <[email protected]>

"LA.UM.7.6.r1-05500-89xx.0" * tag 'LA.UM.7.6.r1-05500-89xx.0': ARM: dts: msm: Increase TZ apps region to 2MB on msm8909w diag: Prevent out-of-bound access while processing userspace data defconfig: msm: Disable EXT2 and EXT3 FS configs for MSM8996 msm: adsprpc: maintain local copy of rpra offloaded to DSP asoc: Ratelimit error logs to avoid excessive logging msm: sensor: actuator: fix out of bound read for bivcm region params soc: qcom: smem: validate fields of shared structures net: sockev: avoid races between sockev and socket_close msm: vidc: add additional check to avoid out of bound access qcom: smcinvoke: Fix stack overflow for arr_filp diag: Prevent out of bound access while getting build mask dsp: q6core: validate payload size before memory copy msm: ipa3: Fix to validate the buffer size Signed-off-by: Nathan Chancellor <[email protected]>

* blocked other ARCH dts complications * build ugglite full dts only * added /system mount point only, not /vendor support Signed-off-by: zainarbani <[email protected]>

Signed-off-by: zainarbani <[email protected]>

…g/quic/la/platform/vendor/qcom-opensource/wlan/prima into lineage-16.0 "LA.UM.7.6.r1-05500-89xx.0"

Change-Id: I670c8d7eb24de9f431d8dd89a8694fa216f4f9ff

adapted from xiaomi commit on branch oxygen. console-ramoops is usefull for debuging when device crash such as (random reboot or phone just getting freeze). Signed-off-by: Ryan Andri <[email protected]>

Change-Id: Ib8ad562c5e847a8511bf1e2dbda7c0f863ea25dd

* Rename vmax_mv to vtg_level * Add min/max/default voltage sysfs entries Change-Id: Iefa3accdb75fcef9bcb2d4c730ca0a72763994f3

* Add mutexes and call hap_set without the workqueue for direct mode Change-Id: I98f5b8ddea572def2706ad2cfa18f9dd460757ed

Blocking the timed_output sysfs node due to mutex contention causes severe device wake-up latency, as a process crucial to system resume writes to the timed_output vibrator node every time the device is resumed via the fingerprint reader (fingerprint reader triggers a haptic response on success). By processing haptics asynchronously via a worker, the timed_output sysfs won't get stalled for long periods of time (>30ms), and thus the device will consistently wake from sleep faster. Signed-off-by: Sultanxda <[email protected]> msm: qpnp-haptic: Prevent redundant calls to disable vibrator A redundant call to disable the vibrator right before something wants to enable it results in lack of vibration. Avoid re-disabling haptics to fix this. Signed-off-by: Sultanxda <[email protected]> msm: qpnp-haptic: Start shutoff timer after haptics actually start qpnp_hap_set() sometimes lags when enabling haptics, causing the shutoff timer to kill the haptics prematurely. Start the shutoff timer after haptics are enabled so that the requested duration is actually carried out. Change-Id: I91bad94d18415476b5b05c1e1a4a60ae180947df Signed-off-by: Sultanxda <[email protected]>

* Bring in a lightweight version of the LiveDisplay driver which works for this chipset. * This version of the driver does not include the generic RGB offset postprocessing, since we're going to do this using the official QDCM APIs. Change-Id: Ifcaaf93d56933d019d1f469fd70b8466cd4ad3e7

Signed-off-by: flar2 <[email protected]>

Our kernel build sometimes has the following build output: 123148- MKELF scripts/mod/elfconfig.h 123149- HOSTCC scripts/mod/modpost.o 123150- HOSTCC scripts/dtc/data.o 123151- HOSTLD scripts/genksyms/genksyms 123152- HOSTCC scripts/selinux/genheaders/genheaders 123153:scripts/basic/fixdep.c:462:1: fatal error: opening dependency file scripts/basic/.fixdep.d: Permission denied 123154- } 123155- ^ 123156-compilation terminated. 123157- HOSTCC scripts/selinux/mdp/mdp 123158- HOSTCC scripts/dtc/livetree.o 123159- HOSTCC scripts/kallsyms 123160:make[5]: *** [scripts/basic/fixdep] Error 1 123161-make[4]: *** [scripts_basic] Error 2 The build succeeds, but we see the error. This is due some odd exfat makefile logic: ifneq ($(KERNELRELEASE),) # do the usual kernel module make ... else ... KDIR := /lib/modules/$(shell uname -r)/build ... KREL := $(shell cd ${KDIR} && make -s kernelrelease) ... all: $(MAKE) -C $(KDIR) M=$(PWD) modules ... endif If KERNELRELEASE isn't set then KDIR points to the server's Linux source. In that case, we try to set KREL by calling: cd <host kernel source>; make -s kernelrelease This command, on my server, exits with the above error. But since the command is wrapped in a $(shell) it does not cause the build to fail. KERNELRELEASE is set via the main kernel Makefile: KERNELRELEASE = $(shell cat include/config/kernel.release 2> /dev/null) During a parallel build the kernel.release file is sometimes not yet set up when KERNELRELEASE is set (e.g., the first time kernel Makefile is parsed during a clean build). So it is not valid for a subordinate makefile to use KERNELRELEASE for important build logic. We don't ever want to build external kernel modules, so just disable this faulty logic. Change-Id: If1dbe3e54c41efb71e4c648fb45f46412f7c5abb Signed-off-by: Andrew Wheeler <[email protected]> Reviewed-on: https://gerrit.mot.com/972154 SLTApproved: Slta Waiver <[email protected]> SME-Granted: SME Approvals Granted Tested-by: Jira Key <[email protected]> Reviewed-by: Shi-Yong Li <[email protected]> Submit-Approved: Jira Key <[email protected]>

Since N, the Keyguard uses watt data rather than amperage alone. It needs both voltage and amperage information for the power supply subsystem to do so. This brings back the "Charging slowly", "Charging" and "Charging rapidly" texts on the lock screen. Change-Id: Iac37d8b69d2acc048e8c132b2c26c2bed3676d75

Add AMR_WB_PLUS to supported offload formats and send media format block through compress driver. Change-Id: I258dc05fd5b6442ef40a5d1d4538870c4ddcbe2e Signed-off-by: Asish Bhattacharya <[email protected]>

Change-Id: I4bc641b4f6430f888b7b4219bbdfea5f234942e3

* Turn the partition used by Xiaomi to ship MIUI regional customizations into something more useful for us. This mounts /cust partition as /vendor, allowing us to build a dedicated vendor image. Change-Id: Ie4a9ea12085d5ee19e9ec422fb32dce7b230ac2f Signed-off-by: zainarbani <[email protected]>

Change-Id: If4ffcad8c4a7433d8dabfc64d997bd28d5a7da5a

The power settings for a camera sensor can be parsed and have its memory never freed in the error path if part of the probe sequence fails after the power settings are parsed. Free the power settings in the error paths to fix the memory leaks. Signed-off-by: Sultanxda <[email protected]> Signed-off-by: Francisco Franco <[email protected]> Signed-off-by: MOVZX <[email protected]>

Issue: the invalid slave_info is used by msm_sensor_driver_probe. This cause crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG repeatedly. Fix: 1) avoid the same msm_sd_subdev added into the ordered_sd_list. 2) enlarge the buffer size for i2c addr and data. Bug: 36492827 Change-Id: Idffcd3b82b9590dbfdcaf14b80668cc894178f54 Signed-off-by: Haibin Liu <[email protected]> Signed-off-by: Francisco Franco <[email protected]>

[ 5.684876] /soc/qcom,cam_smmu/msm_cam_smmu_cb1: could not get #iommu-cells for /soc/qcom,iommu@1e00000 [ 5.685406] CAM-SMMU cam_populate_smmu_context_banks:1586 Invalid pointer of ctx : vfe_secure rc = -517 [ 5.685408] CAM-SMMU cam_smmu_probe:1636 Error: populating context banks [ 5.685415] msm_cam_smmu: probe of soc:qcom,cam_smmu:msm_cam_smmu_cb2 failed with error -12 [ 5.685507] /soc/qcom,cam_smmu/msm_cam_smmu_cb3: could not get #iommu-cells for /soc/qcom,iommu@1e00000 [ 5.685746] /soc/qcom,cam_smmu/msm_cam_smmu_cb4: could not get #iommu-cells for /soc/qcom,iommu@1e00000 [ 5.686188] CAM-SMMU cam_populate_smmu_context_banks:1586 Invalid pointer of ctx : vfe_secure rc = -517 [ 5.686190] CAM-SMMU cam_smmu_probe:1636 Error: populating context banks [ 5.686196] msm_cam_smmu: probe of soc:qcom,cam_smmu:msm_cam_smmu_cb2 failed with error -12

Change-Id: I547af7ddc93256fdce716d9fbe1e49530698d112

…y status is near to full When charger is online for a long time, such as 12 hour, the battery status changes from charging to full and resumes charging. The reason is that battery is not full at the first full state. So increse charge time from 30s to 100s when battery status is near to full. This methods will reduce the number of recharging times BUG:24316771 Signed-off-by: l00228880 <[email protected]> Signed-off-by: Francisco Franco <[email protected]>

Bug: 30891496 Change-Id: I65725fd7f8bd2b10543bf3fc3307308d9d11a9c0 Signed-off-by: Naseer Ahmed <[email protected]>

Based on ideas of FranciscoFranco's non-generic driver. Sysfs node: /sys/class/misc/boeffla_wakelock_blocker/wakelock_blocker - list of wakelocks to be blocked, separated by semicolons /sys/class/misc/boeffla_wakelock_blocker/debug - write: 0/1 to switch off and on debug logging into dmesg - read: get current driver internals /sys/class/misc/boeffla_wakelock_blocker/version - show driver version Signed-off-by: andip71 <[email protected]> Signed-off-by: mracar07 <[email protected]>

- currently active wakelocks on the list are forcefully killed Signed-off-by: mracar07 <[email protected]>

There are now two lists: - the previously existing list of user defined wakelocks to block - a new list called "wakelock_blocker_default" which comes prepopulated with the most common and safe wakelocks to block: qcom_rx_wakelock;wlan;wlan_wow_wl;wlan_extscan_wl;netmgr_wl;NETLINK A combination of both wakelock lists will be blocked finally. Signed-off-by: mracar07 <[email protected]>

This causes userspace to receive xt_idletimer events but without params, in turn making netd unhappy. system/netd/server/NetlinkHandler.cpp:132 constantly spams the log with "NetlinkEvent::FindParam(): Parameter '...' not found". xt_hardidletimer subsystem is also not handled in netd, so avoid flooding uevent here too. This reverts commit f97c993.

Bug: 27134656 Change-Id: I681ec2171472514489365ca4bfc4ef16d9b344fe

Bug: 27997214 Change-Id: If5cbd097a082ff05c174bc0531276c97c191087e Signed-off-by: Thierry Strudel <[email protected]>

We need kgsl_worker_thread to preempt all userspace surfaceflinger threads to avoid a possible deadlock. This will prevent the SF threads from "stealing" cputime from kgsl_worker_thread. This is important, since kgsl_worker_thread executes work which blocks SF from proceeding. Signed-off-by: Alex Naidis <[email protected]> Signed-off-by: Francisco Franco <[email protected]>

It does not make sense to run kgsl on high and devfreq on regular priority. Change-Id: Ie5e6c9353a4e1324a6a49278e5ad3638462f551c Signed-off-by: Francisco Franco <[email protected]>

Adds per process nodes in /proc/PID/time_in_state showing per frequency times and adds a global /proc/uid_time_in_state showing per frequency per uid times. Bug: 34133340 Bug: 38320164 Tests: boot sailfish and reading /proc/uid_time_in_state and /proc/$$/time_in_state Signed-off-by: Andres Oportus <[email protected]> Change-Id: Ideb22b608b9a5e7bd2200a3a6df0f110b635f96a

Signed-off-by: franciscofranco <[email protected]> Signed-off-by: LordShenron <[email protected]>

Signed-off-by: zainarbani <[email protected]>

This reverts commit 6c8635a.

…g/quic/la/kernel/msm-3.18 into pie "LA.UM.7.6.r1-05900-89xx.0"

mount cust as /vendor for treble support

# Enable double tap to wake by default for Goodix-TS

# Fix Goodix fingerprint driver

# Fix reboot recovery in latest firmware

This switches over to propagation_next to respect namepsace semantics. Test: Remounting to change the options of a fs with mount based options should propagate to all shared copies of that mount, and the slaves/indirect slaves of those. Bug: 122428178 Signed-off-by: Daniel Rosenberg <[email protected]> Change-Id: Ic35cd2782a646435689f5bedfa1f218fe4ab8254 Signed-off-by: SunnyRaj84348 <[email protected]>

Temporary fix for broken brightness slider on shenchao panel Signed-off-by: R. Adi Permana <[email protected]>

# Enable double tap to wake by default for FT5435-TS

NAT invalid protocol is needed by user space process. Move it to uapi to make it accessible to user space. Change-Id: I4d1700176483c93f78f48979d602f7568867b378 Acked-by: Michal Amsterdam <[email protected]> Signed-off-by: Amir Levy <[email protected]>

# ugg: dts: Fix brightness slider for shenchao ili9881c 720p video mode dsi panel

This reverts commit 8e81ba6.

#Thanks to dorimanx

Commits on Oct 6, 2019

dts: ugglite: Import Xiaomi dts changes

adislice committed Oct 6, 2019

Configuration menu

View commit details

Copy full SHA for 2066dc7

Browse repository at this point

Copy the full SHA

2066dc7 View commit details

Browse the repository at this point in the history

Commits on Jun 9, 2020

ugg: defconfig: Android 10 bring up!

adislice authored Jun 9, 2020

Configuration menu

View commit details

Copy full SHA for 5bb680b

Browse repository at this point

Copy the full SHA

5bb680b View commit details

Browse the repository at this point in the history

Commits on Jun 14, 2020

configs: Enable Front Flashlight on ugg

zqm64 committed Jun 14, 2020

Configuration menu

View commit details

Copy full SHA for e103d91

Browse repository at this point

Copy the full SHA

e103d91 View commit details

Browse the repository at this point in the history

Commits on Jul 21, 2020

Unify!

zqm64 authored Jul 21, 2020

Configuration menu

View commit details

Copy full SHA for 5624f8e

Browse repository at this point

Copy the full SHA

5624f8e View commit details

Browse the repository at this point in the history

rtc: fix clock sync after boot-up #6

Are you sure you want to change the base?

rtc: fix clock sync after boot-up #6

Commits on Feb 8, 2019

Commits on Feb 11, 2019

Commits on Feb 13, 2019

Commits on Feb 15, 2019

Commits on Feb 18, 2019

Commits on Feb 20, 2019

Commits on Feb 21, 2019

Commits on Feb 22, 2019

Commits on Feb 23, 2019

Commits on Feb 25, 2019

Commits on Mar 1, 2019

Commits on Mar 4, 2019

Commits on Mar 6, 2019

Commits on Mar 8, 2019

Commits on Mar 9, 2019

Commits on Mar 11, 2019

Commits on Mar 13, 2019

Commits on Mar 17, 2019

Commits on Mar 19, 2019

Commits on Mar 20, 2019

Commits on Mar 21, 2019

Commits on Mar 23, 2019

Commits on Mar 25, 2019

Commits on Mar 26, 2019

Commits on Apr 1, 2019

Commits on Apr 3, 2019

Commits on Apr 4, 2019

Commits on Apr 5, 2019

Commits on Apr 9, 2019

Commits on Apr 10, 2019

Commits on Apr 12, 2019

Commits on Apr 19, 2019

Commits on Apr 23, 2019

Commits on Apr 25, 2019

Commits on Apr 27, 2019

Commits on Apr 30, 2019

Commits on May 8, 2019

Commits on May 9, 2019

Commits on May 10, 2019

Commits on May 13, 2019

Commits on May 14, 2019

Commits on May 16, 2019

Commits on May 21, 2019

Commits on May 29, 2019

Commits on May 30, 2019

Commits on May 31, 2019

Commits on Jun 5, 2019

Commits on Jun 7, 2019

Commits on Jun 11, 2019

Commits on Jun 12, 2019

Commits on Jun 18, 2019

Commits on Jun 19, 2019

Commits on Jun 20, 2019

Commits on Jun 21, 2019

Commits on Jun 24, 2019

Commits on Jun 25, 2019

Commits on Jun 27, 2019

Commits on Jun 28, 2019

Commits on Jul 3, 2019

Commits on Jul 9, 2019

Commits on Jul 15, 2019

Commits on Jul 18, 2019

Commits on Jul 25, 2019

Commits on Jul 26, 2019

Commits on Jul 30, 2019

Commits on Jul 31, 2019

Commits on Aug 1, 2019

Commits on Aug 2, 2019

Commits on Aug 9, 2019

Commits on Aug 12, 2019

Commits on Aug 13, 2019

Commits on Aug 14, 2019

Commits on Aug 18, 2019

Commits on Aug 20, 2019

Commits on Aug 24, 2019

Commits on Aug 26, 2019

Commits on Aug 27, 2019