This repository has been archived by the owner on May 1, 2020. It is now read-only.
forked from Grarak/android_kernel_oneplus_msm8994
Make sure there are no stale tlb entries when dma_unremap returns, thus preventing speculative fetches. Change-Id: I22070de282f25fe5ea20177e67a6d629123e29a4 Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org> Signed-off-by: Ramesh Gupta Guntha <rgguntha@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
After commit da60ce9 (cpufreq: call cpufreq_driver->get() after calling ->init()) __cpufreq_add_dev() sometimes fails for CPUs handled by intel_pstate, because that driver may return 0 from its ->get() callback if it has not run long enough to collect enough samples on the given CPU. That didn't happen before commit da60ce9 which added policy->cur initialization to __cpufreq_add_dev() to help reduce code duplication in other cpufreq drivers. However, the code added by commit da60ce9 need not be executed for cpufreq drivers having the ->setpolicy callback defined, because the subsequent invocation of cpufreq_set_policy() will use that callback to initialize the policy anyway and it doesn't need policy->cur to be initialized upfront. The analogous code in cpufreq_update_policy() is also unnecessary for cpufreq drivers having ->setpolicy set and may be skipped for them as well. Since intel_pstate provides ->setpolicy, skipping the upfront policy->cur initialization for cpufreq drivers with that callback set will cover intel_pstate and the problem it's been having after commit da60ce9 will be addressed. Fixes: da60ce9 (cpufreq: call cpufreq_driver->get() after calling ->init()) Change-Id: Ie51ddf53138e489fd057044fc8c11bea5a6ea915 References: https://bugzilla.kernel.org/show_bug.cgi?id=71931 Reported-and-tested-by: Patrik Lundquist <patrik.lundquist@gmail.com> Acked-by: Dirk Brandewie <dirk.j.brandewie@intel.com> Cc: 3.13+ <stable@vger.kernel.org> # 3.13+ Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Commit bd0fa9b introduced a failure path to cpufreq_update_policy() if cpufreq_driver->get(cpu) returns NULL. However, it jumps to the 'no_policy' label, which exits without unlocking any of the locks the function acquired earlier. This causes later calls into cpufreq to hang. Fix this by creating a new 'unlock' label and jumping to that instead. Fixes: bd0fa9b ("cpufreq: Return error if ->get() failed in cpufreq_update_policy()") Change-Id: I5c9f8e4776b3d4027eca68c8c514c296c1798882 Link: https://devtalk.nvidia.com/default/topic/751903/kernel-3-15-and-nv-drivers-337-340-failed-to-initialize-the-nvidia-kernel-module-gtx-550-ti-/ Signed-off-by: Aaron Plattner <aplattner@nvidia.com> Cc: 3.15+ <stable@vger.kernel.org> # 3.15+ Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
cpufreq_suspend is now a function in core CPUfreq framework. Rename qcom-cpufreq's local per-cpu variable to suspend_data. Change-Id: I2f567f0c04271d728d4e6a17b61cea2152c4d8f7 Signed-off-by: Junjie Wu <junjiew@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
commit fc9e50f upstream. The start callback allows the caller to set up a context for the dump callbacks. Presumably, the context can then be destroyed in the done callback. Signed-off-by: Tom Herbert <tom@herbertland.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 142afbc) Change-Id: Ibaaffde651e76be2defeaa081ae56ca9e8f93602 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program. The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full. This patch fixes it by using the cb->start mechanism to ensure that the initialisation is always done regardless of the buffer situation. Change-Id: Id41cdd41c4e43e0c3ac30c5d03c15b8046d70845 Fixes: 12a169e ("ipsec: Put dumpers on the dump list") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
On systems that use mark-based routing it may be necessary for routing lookups to use marks in order for packets to be routed correctly. An example of such a system is Android, which uses socket marks to route packets via different networks. Currently, routing lookups in tunnel mode always use a mark of zero, making routing incorrect on such systems. This patch adds a new output_mark element to the xfrm state and a corresponding XFRMA_OUTPUT_MARK netlink attribute. The output mark differs from the existing xfrm mark in two ways: 1. The xfrm mark is used to match xfrm policies and states, while the xfrm output mark is used to set the mark (and influence the routing) of the packets emitted by those states. 2. The existing mark is constrained to be a subset of the bits of the originating socket or transformed packet, but the output mark is arbitrary and depends only on the state. The use of a separate mark provides additional flexibility. For example: - A packet subject to two transforms (e.g., transport mode inside tunnel mode) can have two different output marks applied to it, one for the transport mode SA and one for the tunnel mode SA. - On a system where socket marks determine routing, the packets emitted by an IPsec tunnel can be routed based on a mark that is determined by the tunnel, not by the marks of the unencrypted packets. - Support for setting the output marks can be introduced without breaking any existing setups that employ both mark-based routing and xfrm tunnel mode. Simply changing the code to use the xfrm mark for routing output packets could change behaviour in a way that breaks these setups. If the output mark is unspecified or set to zero, the mark is not set or changed.
[backport of upstream 077fbac] Bug: 63589535 Test: https://android-review.googlesource.com/452776/ passes Tested: make allyesconfig; make -j64 Tested: https://android-review.googlesource.com/452776 Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Change-Id: I76120fba036e21780ced31ad390faf491ea81e52 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
commit 1137b5e upstream. This is a fix for CVE-2017-16939 suitable for older stable branches. The upstream fix is commit 1137b5e, from which the following explanation is taken: An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security's SecuriTeam Secure Disclosure program. The xfrm_dump_policy_done function expects xfrm_dump_policy to have been called at least once or it will crash. This can be triggered if a dump fails because the target socket's receive buffer is full. It was not possible to define a 'start' callback for netlink dumps until Linux 4.5, so instead add a check for the initialisation flag in the 'done' callback. Change-Id: Id8a129889b11800178c37374ff9fee5af68ccff9 Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
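Added illustration, not part of the commits above or of the kernel source: a user-space model of the dump lifecycle these xfrm commit messages describe, comparing the unpatched dumper, the `cb->start` fix and the older-branch flag check in `done`. All type and function names are hypothetical stand-ins, and the crash is reported as a return code instead of being performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the modelled 'done' callback. */
enum done_result { DONE_OK = 0, DONE_SKIPPED = 1, DONE_WOULD_CRASH = -1 };

/* Which variant of the dumper is being modelled. */
enum variant { UNPATCHED, FIX_START_CB, FIX_DONE_FLAG };

/* Hypothetical stand-in for the policy walker: a node on a circular list. */
struct walker {
    struct walker *prev, *next;
};

/* Hypothetical stand-in for the per-dump callback state. */
struct dump_cb {
    long initialised;      /* init flag, set when the walker is set up */
    struct walker walk;    /* walker state kept across dump calls */
};

static void walk_init(struct walker *w)
{
    w->prev = w->next = w;            /* valid, self-linked node */
}

static enum done_result walk_done(struct walker *w)
{
    /* Model only: the real unlink has no such test and would dereference
     * the NULL pointers of a walker that was never initialised. */
    if (w->prev == NULL || w->next == NULL)
        return DONE_WOULD_CRASH;
    w->prev->next = w->next;
    w->next->prev = w->prev;
    return DONE_OK;
}

/* 'start' callback (FIX_START_CB only): runs once, before any dump call. */
static void dump_start(struct dump_cb *cb)
{
    walk_init(&cb->walk);
    cb->initialised = 1;
}

/* 'dump' callback: without a start callback, initialisation is lazy. */
static void dump_step(struct dump_cb *cb)
{
    if (!cb->initialised) {
        walk_init(&cb->walk);
        cb->initialised = 1;
    }
    /* ... entries would be written to the receiver's buffer here ... */
}

/* 'done' callback: always runs when the dump is torn down. */
static enum done_result dump_done(struct dump_cb *cb, enum variant v)
{
    if (v == FIX_DONE_FLAG && !cb->initialised)
        return DONE_SKIPPED;          /* nothing was set up, nothing to undo */
    return walk_done(&cb->walk);
}

/* Drive one dump. rcvbuf_full models the failure described in the commit:
 * the dump callback never gets to run, yet 'done' is still invoked. */
enum done_result run_dump(enum variant v, bool rcvbuf_full)
{
    struct dump_cb cb;

    memset(&cb, 0, sizeof(cb));       /* dumper starts from zeroed state */
    if (v == FIX_START_CB)
        dump_start(&cb);
    if (!rcvbuf_full)
        dump_step(&cb);
    return dump_done(&cb, v);
}

int main(void)
{
    printf("unpatched, buffer full:  %d\n", run_dump(UNPATCHED, true));
    printf("start cb,  buffer full:  %d\n", run_dump(FIX_START_CB, true));
    printf("done flag, buffer full:  %d\n", run_dump(FIX_DONE_FLAG, true));
    return 0;
}
```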
We now use the lower filesystem's getattr for time and size related information. Change-Id: I3dd05614a0c2837a13eeb033444fbdf070ddce2a Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 72007585 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
This reverts commit fd825dd8ffd9c4873f80438c3030dd21c204512d. Instead of calling notify within sdcardfs, which reverses the order of notifications during an open with truncate, we'll make fs_notify worry about it. Change-Id: Ic634401c0f223500066300a4df8b1453a0b35b60 Bug: 70706497 Signed-off-by: Daniel Rosenberg <drosen@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
If the filesystem being watched supports d_canonical_path, notify the lower filesystem of the open as well. Change-Id: I2b1739e068afbaf5eb39950516072bff8345ebfe Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 70706497 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
If the top is changed while we're attempting to use it, it's possible that the reference will be put while we are in the process of grabbing a reference. Now we grab a spinlock to protect grabbing our reference count. Additionally, we now set the inode_info's top value to point to its own data when initializing, which makes tracking changes easier. Change-Id: If15748c786ce4c0480ab8c5051a92523aff284d2 Signed-off-by: Daniel Rosenberg <drosen@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
When we call i_size_write, we must be holding i_mutex to avoid possible lockups on 32 bit/SMP architectures. This is not necessary on 64 bit architectures. Change-Id: Ic3b946507c54d81b5c9046f9b57d25d4b0f9feef Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 73287721 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Without this patch when you delete an extension from configfs it still exists in the hash table data structures and we are unable to delete it or change its group. This happens because during deletion the key & value is taken from extension_details, and was not properly set. Fix it by this patch. Change-Id: I7c20cb1ab4d99e6aceadcb5ef850f0bb47f18be8 Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org> Signed-off-by: Daniel Rosenberg <drosen@google.com> Bug: 73055997 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
This reverts commit d43fa69. Change-Id: I315e206b228f828c1a2e0ff5c5c15260a39b4774 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
This reverts commit 91bca269f649061eb5a54510f466d06c3b5ca1fb. Change-Id: Ib298dafdcfad95f6815c46bb80202267bd23d485 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
This reverts commit c688d2c. Change-Id: I90508f23fcacfe9de6eb256affdd3ff839051b05 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Change-Id: I2ab8557a9d10b88ef5d0bf0aa55e00b8fb67200a Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Change-Id: I0833d298a6568cb490ac87561e884552cb1d0488 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Change-Id: I29d8a2a3dc7adff734bdbbd0e9969323b86e461f Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Change-Id: Ic43b0fcd869d12768b2b421d2e235cfbf32b7cba Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Change-Id: I0c47844e47d0396e4f241d4472e904b1ee7dc1bc Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Set freed pointers to NULL to avoid double free in msm_compr_playback_open and msm_compr_playback_free functions of the compress driver. CRs-Fixed: 2142216 Bug: 68664502 Change-Id: Ifd011dd85dd9f610c7b69dd460f73d26e006cd66 Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Default IPA header is added or deleted from the driver directly and not by user space application. This change prevents adding/deleting it from user application which may cause inconsistencies in the driver. Also the change fixes the header reset function to skip on the correct default header. Bug: 72957269 Change-Id: Ic813433655411f1447db8b0c15efdf64038d8c26 CRs-fixed: 2151146 Signed-off-by: Ghanim Fodi <gfodi@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Add boundary checks for APR port received from ADSP. CRs-Fixed: 2143207 Bug: 72956842 Change-Id: I9a7fa39ee223e1859323caa6eb74c1c8a26a041d Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
[ Upstream commit 8f659a0 ] inet->hdrincl is racy, and could lead to uninitialized stack pointer usage, so its value should be read only once. Bug: 71500434 Change-Id: Ic02fa0f7b8f8525739996be2e0309ad2fa5b97dc Fixes: c008ba5 ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt") Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Jonathan Solnit <jsolnit@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com> # Conflicts: # net/ipv4/raw.c
With the 'encrypted' key type it was possible for userspace to provide a data blob ending with a master key description shorter than expected, e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a master key description, validate_master_desc() could read beyond the end of the buffer. Fix this by using strncmp() instead of memcmp(). [Also clean up the code to deduplicate some logic.] Cc: linux-stable <stable@vger.kernel.org> # 3.18.y Cc: Mimi Zohar <zohar@linux.vnet.ibm.com> Bug: 70526974 Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: James Morris <james.l.morris@oracle.com> Signed-off-by: Jin Qian <jinqian@google.com> Signed-off-by: Steve Pfetsch <spfetsch@google.com> Change-Id: I2cc3af94f855e66f2014dd1dced4425ed8a41f29 (cherry picked from commit 794b4bc) Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
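Added illustration, not part of the commit above or of the kernel source: a user-space sketch of the prefix validation the commit message describes, with a helper that counts how far a fixed-length `memcmp()` would run past a short description. The prefix strings `"trusted:"` and `"user:"` and both function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed master-key prefixes for this sketch. */
#define TRUSTED_PREFIX "trusted:"
#define USER_PREFIX    "user:"

/*
 * Accept only "<prefix><non-empty name>". strncmp() stops at the NUL
 * terminator, so a description shorter than the prefix (such as "x")
 * is rejected without reading beyond the end of its buffer.
 * Returns 0 when valid, -1 otherwise.
 */
int valid_master_desc(const char *desc)
{
    size_t prefix_len;

    if (strncmp(desc, TRUSTED_PREFIX, strlen(TRUSTED_PREFIX)) == 0)
        prefix_len = strlen(TRUSTED_PREFIX);
    else if (strncmp(desc, USER_PREFIX, strlen(USER_PREFIX)) == 0)
        prefix_len = strlen(USER_PREFIX);
    else
        return -1;

    /* A bare prefix with no key name after it is not a description. */
    if (desc[prefix_len] == '\0')
        return -1;

    return 0;
}

/*
 * Number of bytes a memcmp(desc, prefix, strlen(prefix)) call would read
 * past the end of desc, where desc occupies strlen(desc) + 1 bytes.
 * memcmp() always compares the full length; it does not stop at NUL.
 */
size_t memcmp_overread(const char *desc, const char *prefix)
{
    size_t have = strlen(desc) + 1;   /* bytes that belong to desc */
    size_t want = strlen(prefix);     /* bytes memcmp() would touch */

    return want > have ? want - have : 0;
}

int main(void)
{
    /* Constructed inputs; "x" is the short description from the commit. */
    const char *samples[] = { "x", "user:", "trusted:kmk", "user:kmk" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-12s valid=%d memcmp over-read vs trusted prefix=%zu\n",
               samples[i], valid_master_desc(samples[i]),
               memcmp_overread(samples[i], TRUSTED_PREFIX));
    return 0;
}
```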
Andrey Konovalov reported a possible out-of-bounds problem for the cdc_parse_cdc_header function. He writes: It looks like cdc_parse_cdc_header() doesn't validate buflen before accessing buffer[1], buffer[2] and so on. The only check present is while (buflen > 0). So fix this issue up by properly validating the buffer length matches what the descriptor says it is. (cherry picked from commit 2e1c423) (The original patch fixed the generic cdc_parser_cdc_header function. That generic function did not exist in 3.10 but there are a couple cdc parsers that suffer from the same underlying problem.) Bug: 69052594 Change-Id: Ib251469de39e51b0ed7c1a1b88873270afccd90f Reported-by: Andrey Konovalov <andreyknvl@google.com> Tested-by: Andrey Konovalov <andreyknvl@google.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Marissa Wall <marissaw@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Define a policy for packet pattern attributes in order to fix a potential read over the end of the buffer during nla_get_u32() of the NL80211_WOWLAN_PKTPAT_OFFSET attribute. Note that the data there can always be read due to SKB allocation (with alignment and struct skb_shared_info at the end), but the data might be uninitialized. This could be used to leak some data from uninitialized vmalloc() memory, but most drivers don't allow an offset (so you'd just get -EINVAL if the data is non-zero) or just allow it with a fixed value - 100 or 128 bytes, so anything above that would get -EINVAL. With brcmfmac the limit is 1500 so (at least) one byte could be obtained. Cc: stable@kernel.org Bug: 64403015 Signed-off-by: Peng Xu <pxu@qti.qualcomm.com> Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> [rewrite description based on SKB allocation knowledge] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Git-commit: ad67023 Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git CRs-fixed: 2116387 Change-Id: Ia84ca10f85507fe3ddbbb518388ca7b453fd8453 [Backport: Fix conflicts] Signed-off-by: Vidyullatha Kanchanapally <vidyullatha@codeaurora.org> Signed-off-by: Peng Xu <pxu@codeaurora.org> Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
There is a race condition observed on the global variable num_q6_rule used in ipa wan-driver. The fix is to add a lock to prevent different threads from accessing it at the same time. Bug: 68992477 Change-Id: Ia9190c60361cb5605b61963309beca3acdeac89d Signed-off-by: Skylar Chang <chiaweic@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Check for the validity of num_msdus when receiving the htt message of HTT_T2H_MSG_TYPE_TX_COMPL_IND or HTT_T2H_MSG_TYPE_TX_INSPECT_IND from firmware to ensure the buffer overflow does not happen. Bug: 72957505 Change-Id: Ic6ce75f34c5e2705d174eda014350e6ef0391388 CRs-Fixed: 2146869 Signed-off-by: Ahmed ElArabawy <arabawy@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
There is no check for the return value of dot11fUnpackIeRSN API in hdd_ProcessGENIE API, which may cause stack overflow if pmkid_count is returned as more than the PMKIDCache size. Add a check for return value of dot11fUnpackIeRSN to avoid possible stack overflow. Bug: 72957507 Change-Id: I56424c706de121b18b8d3f2c4a35089ec0434452 CRs-Fixed: 2149187 Signed-off-by: Ecco Park <eccopark@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
The txrx_fw_stats cmd will allocate a req object before sending the cmd to the firmware; this memory is only freed when getting a response from firmware. The memory leak will appear if the firmware doesn't respond in time before the driver unloads. This fix will add a pending queue to trace this req object in the pdev. When pdev is detaching, it will clean up this queue to avoid memory leak. Bug: 72957257 Change-Id: I35f6216d35befbab978bba161252b305488bd34c CRs-Fixed: 2113219 Signed-off-by: Ecco Park <eccopark@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Dump the txrx stat req if the queue is not empty when detaching the pdev. Bug: 72957257 Change-Id: Ic38e01668efd28baf55acb04f448e236cc224c79 CRs-Fixed: 2113219 Signed-off-by: Ecco Park <eccopark@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
In function wma_unified_link_iface_stats_event_handler, num_ac is received from the firmware and is used in the loop to populate values into results. However, the memory for results is allocated only for WIFI_AC_MAX and a buffer overflow will occur if num_ac is greater than or equal to WIFI_AC_MAX. Add checks to make sure num_ac is not greater than WIFI_AC_MAX. Note: This CL has been updated to fix the check to only return error on num_ac > WIFI_AC_MAX since an equal value is a valid value. This is to fix b/73597588. Bug: 70237689 Change-Id: Ie2056017aae641236efb118889e2919795b60f18 CRs-Fixed: 2154226 Signed-off-by: Ahmed ElArabawy <arabawy@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
In function wma_vdev_start_rsp_ind, vdev_id is received from the FW and is used to access wma_handle->interfaces without validating the upper limit. If the value of vdev_id received from the FW is not less than max_bssid, then a buffer overwrite will occur in the function wma_vdev_start_rsp_ind. Add sanity check to make sure vdev_id is less than max_bssid. Bug: 72957725 Change-Id: I83e1b797ca50a7fb58519f66dde26b035a2393ce CRs-Fixed: 2150359 Signed-off-by: Ahmed ElArabawy <arabawy@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Fragment count will be larger than the upper limit of cvg_nbuf_cb->extra_flag.num which would lead to an overread of fragment length. Upper limit check for fragment count is added in this change. Change-Id: Icc078b2efee554ac84377b5edd90d0a5c7a61f98 CRs-Fixed: 2129566 Bug: 72957387 Signed-off-by: Ecco Park <eccopark@google.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Add data_len check in wma_nan_rsp_event_handler() to avoid OOB access. Bug: 74237168 Change-Id: Iff42da84567381a4b64bc07e69ff1a0cd4b5a543 CRs-Fixed: 2170630 Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
sdcardfs_mkdir() calls check_min_free_space(). When reserved_mb is not zero, a negative dentry will be passed to ext4_statfs() at last and ext4_statfs() will crash. The parent dentry is positive. So we use the parent dentry to check free space. Change-Id: I80ab9623fe59ba911f4cc9f0e029a1c6f7ee421b Signed-off-by: Lianjun Huang <huanglianjun@vivo.com> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Add spin lock to resolve race conditions while accessing substream runtime resource CRs-fixed: 2112713 Change-Id: I8db743303ceb50205d62adfc02caf6ecab635d47 Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Fix memory leak due to rpm request not freed during error conditions. Change-Id: I440a58bf452e76c8886f7bcd8f89b24698a301e9 Signed-off-by: Raghavendra Kakarla <rkakarla@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
During the probe function of the Linux PIL kernel driver, initialization of various resources is done. This fix is for acquired resource cleanup, in case of error. CRs-Fixed: 2129451 Change-Id: I0b3511cff7e2917fe83bddfc15086e939f5c2abc Signed-off-by: Jitendra Sharma <shajit@codeaurora.org> Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Export new ioctl to user space to know the qsee version, which is required for QSEECOM listener services. Change-Id: Idd80ce0a3153d669d5f6fb748f73f7aaedefb3a5 Signed-off-by: Neeraj Soni <neersoni@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Add boundary check before copying data from userspace buffer to dwc3 local buffer. The third parameter passed to copy_from_user() should be minimum of the two values between userspace buffer size count and (local_buffer size - 1). The last one byte in local_buffer should be reserved for null terminator. Change-Id: I9b2e3db4d5ad6b5f14515cadafa6264f9e8b786c Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Add size check to make sure the data sizes from WDSP ELF metadata and the split firmware ELF are the same. Change-Id: Ic2f7dc04dfc95608302cba23461c519378619db0 Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Issue is seen when apr callback is received while voice_svc_release is in process of freeing the driver private data. Avoid invalid access of private data pointer by putting the callback and release functions in the same locked context. Change-Id: I93af13cab0a3c7e653a9bc9fa7f4f86bfa0502df Signed-off-by: smanag <smanag@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
ac could get freed during the execution of q6asm_callback. And kernel panic happens. Add spinlock to protect ac to avoid kernel panic. Change-Id: Ie49c8a3979231552ba7d5f207aab0d95ffdc2a72 Signed-off-by: Meng Wang <mwang@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Add null terminator to end of buffer copied from user to prevent over reading. Change-Id: I80cfcb087ea2c335fd65d8fcdaf372c7d34a533d Signed-off-by: David Dai <daidavid1@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Fix issue in msm_thermal_process_voltage_table_request. For voltage tables bigger than 16 it is not correctly passing the partial table size to user space. The full size is passed instead of the partial size. For example if reading a table of 18 values the first read returns 16, and the partial read returns 18 but it should return 2. Change-Id: I75943e94341388cca772ee45bc1275fb5d2091d2 Signed-off-by: Jeff Bernard <jbernard@codeaurora.org> Signed-off-by: Santhosh Kumar Thimmanna Bhattar <sthim@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Increase the memstore size to increase the number of the kgsl context that can be supported simultaneously. Signed-off-by: Sriharsha P V <spvasu@codeaurora.org> Change-Id: I295dfd057cf5869a77b265262b38b41fca3cf3ba Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
The first APPS default routing table rule is installed at the IPA driver initialization. To prevent routing exception, this rule cannot be deleted by user application. This change prevents deleting this rule. Change-Id: Ia27434fd24a15fea5956018a1271b11bbe227df7 CRs-fixed: 2165859 Signed-off-by: Ghanim Fodi <gfodi@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
There is a possibility of out-of-bound read because of not validating source buffer length against the length that is about to be copied. The patch adds proper check for validating length before copying data. CRs-Fixed: 2163793 Change-Id: I7c93839d0c4d83024ce23a0ce494d09dd08567a9 Signed-off-by: Hardik Arya <harya@codeaurora.org> Signed-off-by: Bharat Pawar <bpawar@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Memory allocated with devm_kzalloc is automatically released by the kernel if the probe function fails with an error code. Therefore, using kfree is unsafe since it can lead to the Double-Free security issue. This change removes kfree from msm_dbm_probe function to avoid double free for dbm_data. Change-Id: I512284d021ba89d5d04a6d498aa17489e37bff2e Signed-off-by: Pratham Pratap <prathampratap@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
The part of old d_free() that dealt with actual freeing of dentry. Taken out of dentry_kill() into a separate function. Git-repo: https://github.com/torvalds/linux.git Git-commit: b4f0354 Change-Id: I4b16554b6f6acc558d299ca3282eebf93612d8a9 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Ankit Jain <jankit@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
* external dentry names get a small structure prepended to them (struct external_name). * it contains an atomic refcount, matching the number of struct dentry instances that have ->d_name.name pointing to that external name. The first thing free_dentry() does is decrementing refcount of external name, so the instances that are between the call of free_dentry() and RCU-delayed actual freeing do not contribute. * __d_move(x, y, false) makes the name of x equal to the name of y, external or not. If y has an external name, extra reference is grabbed and put into x->d_name.name. If x used to have an external name, the reference to the old name is dropped and, should it reach zero, freeing is scheduled via kfree_rcu(). * free_dentry() in dentry with external name decrements the refcount of that name and, should it reach zero, does RCU-delayed call that will free both the dentry and external name. Otherwise it does what it used to do, except that __d_free() doesn't even look at ->d_name.name; it simply frees the dentry. All non-RCU accesses to dentry external name are safe wrt freeing since they all should happen before free_dentry() is called. RCU accesses might run into a dentry seen by free_dentry() or into an old name that got already dropped by __d_move(); however, in both cases dentry must have been alive and refer to that name at some point after we'd done rcu_read_lock(), which means that any freeing must be still pending. Git-repo: https://github.com/torvalds/linux.git Git-commit: 8d85b48 Change-Id: I1fa645f0e2eba6e8485daa8593600f933a5342c9 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Ankit Jain <jankit@codeaurora.org> Signed-off-by: Mugata, Sreenivasa Rao <smugat@codeaurora.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
Increase the buffer-head per-CPU LRU size to allow efficient filesystem operations that access many blocks for each transaction. For example, creating a file in a large ext4 directory with quota enabled will access multiple buffer heads and will overflow the LRU at the default 8-block LRU size: * parent directory inode table block (ctime, nlinks for subdirs) * new inode bitmap * inode table block * 2 quota blocks * directory leaf block (not reused, but pollutes one cache entry) * 2 levels htree blocks (only one is reused, other pollutes cache) * 2 levels indirect/index blocks (only one is reused) The buffer-head per-CPU LRU size is raised to 16, as it shows in metadata performance benchmarks up to 10% gain for create, 4% for lookup and 7% for destroy. Change-Id: Ia8e4c430886b29fca32b7d4319365088cc2ca9d1 Signed-off-by: Liang Zhen <liang.zhen@intel.com> Signed-off-by: Andreas Dilger <andreas.dilger@intel.com> Signed-off-by: Sebastien Buisson <sebastien.buisson@bull.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
When debugging the read-only hugepage case, I was confused by the fact that get_futex_key() did an access_ok() only for the non-shared futex case, since the user address checking really isn't in any way specific to the private key handling. Now, it turns out that the shared key handling does effectively do the equivalent checks inside get_user_pages_fast() (it doesn't actually check the address range on x86, but does check the page protections for being a user page). So it wasn't actually a bug, but the fact that we treat the address differently for private and shared futexes threw me for a loop. Just move the check up, so that it gets done for both cases. Also, use the 'rw' parameter for the type, even if it doesn't actually matter any more (it's a historical artifact of the old racy i386 "page faults from kernel space don't check write protections"). Change-Id: I70a366e4e392e917dce1ac19d66dfaea8984939b Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
randomhydrosol pushed a commit that referenced this pull request Mar 27, 2019
commit 54451f60c8fa061af9051a53be9786393947367c upstream. When IDLETIMER rule is added, sysfs file is created under /sys/class/xt_idletimer/timers/ But some label name shouldn't be used. ".", "..", "power", "uevent", "subsystem", etc... So that sysfs filename checking routine is needed. test commands: %iptables -I INPUT -j IDLETIMER --timeout 1 --label "power" splat looks like: [95765.423132] sysfs: cannot create duplicate filename '/devices/virtual/xt_idletimer/timers/power' [95765.433418] CPU: 0 PID: 8446 Comm: iptables Not tainted 4.19.0-rc6+ #20 [95765.449755] Call Trace: [95765.449755] dump_stack+0xc9/0x16b [95765.449755] ? show_regs_print_info+0x5/0x5 [95765.449755] sysfs_warn_dup+0x74/0x90 [95765.449755] sysfs_add_file_mode_ns+0x352/0x500 [95765.449755] sysfs_create_file_ns+0x179/0x270 [95765.449755] ? sysfs_add_file_mode_ns+0x500/0x500 [95765.449755] ? idletimer_tg_checkentry+0x3e5/0xb1b [xt_IDLETIMER] [95765.449755] ? rcu_read_lock_sched_held+0x114/0x130 [95765.449755] ? __kmalloc_track_caller+0x211/0x2b0 [95765.449755] ? memcpy+0x34/0x50 [95765.449755] idletimer_tg_checkentry+0x4e2/0xb1b [xt_IDLETIMER] [ ... ] Fixes: 0902b46 ("netfilter: xtables: idletimer target implementation") Change-Id: I0340b4b7e9929409b819a733899b51d61d4bbe5c Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: anupritaisno1 <www.anuprita804@gmail.com>
No description provided.