The smallest string that this function deals with is "1", which is of
size 1. Correct the if to allow this case.
Change-Id: Iaa68bcc452a3428d4752e5c34c98d0bd2e926c5a
Signed-off-by: MarijnS95 <marijns95@gmail.com>
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
Copying from user to a global variable inside the driver is
unsafe and insecure: allocate and free the memory used for
copying from userspace in the functions doing it.
This also has the good side effect of solving a build failure
when the kernel is built with GCC >=4.9
Change-Id: I6c009b555f39d577bdb0321ca7c759bb1013824e
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
Change-Id: I512afa97c7cc07a9200f0ba3265fc9b3fbca44cf
Signed-off-by: Alexander Winkowski <dereference23@outlook.com>
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
This reverts commit 47faa7fb96296181e7b94b3939424914cfca6646.
Change-Id: Ic8c9048217346c334279be9001fc54186a29a13c
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
To make sure detach and attach netif instead of stop
and wakeup and also to update transfer timer update.
Change-Id: I9d589b7f9f6fe98f778df509d3c16f339dfdeea1
Signed-off-by: Michael Adisumarta <madisuma@codeaurora.org>
Signed-off-by: Andrzej Perczak <linux@andrzejperczak.com>
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
"LA.UM.9.1.r1-14600-SMxxx0.QSSI14.0"
* tag 'LA.UM.9.1.r1-14600-SMxxx0.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.14: (103 commits)
msm: npu: Fix use after free issue
iommu: Fix missing return check of arm_lpae_init_pte
msm: kgsl: Prevent wrap around during user address mapping
iommu: Fix missing return check of arm_lpae_init_pte
UPSTREAM: security: selinux: allow per-file labeling for bpffs
UPSTREAM: security: selinux: allow per-file labeling for bpffs
arm: configs: Enable QCOM_SHOW_RESUME_IRQ module for mdm9607
Revert "irqchip/gic-v2: implement suspend and resume"
exec: Force single empty string when argv is empty
bus: mhi: misc: Add check for dev_rp if it is iommu range or not
BACKPORT: FROMLIST: mm: protect free_pgtables with mmap_lock write lock in exit_mmap
bus: mhi: misc: Add check for dev_rp if it is iommu range or not
mdm: dataipa: increase the size of prefetch buffer
msm: ais: core: validation of session/device/link handle
soc: qcom: minidump: check the size parameter passed to qcom_smem_get()
msm: camera: core: validation of session/device/link handle
qcedev: vote for crypto clocks during module close
msm: ais: smmu: Use get_file to increase ref count
pinctrl: qcom: Using readl_relaxed/writel_relaxed APIs
net: qrtr: Add bounds check in rx path
...
Change-Id: Ia2603d18afb240a1fcdce609944dd4038c988dbf
prefetch buffer is updated from 128 to 256 byte for route
and filter rule read.
Change-Id: Ibddddfda355e8032d6ec40da73394037534d1d78
Signed-off-by: Fakruddin Vohra <quic_fakruddi@quicinc.com>
"LA.UM.9.1.r1-12200-SMxxx0.QSSI13.0"
* tag 'LA.UM.9.1.r1-12200-SMxxx0.QSSI13.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.14:
smcinvoke : file private data validation, which is sent by userspace
input: touchscreen: focaltech: queue touch suspend work on workqueue
input: touchscreen: focaltech: fix return value
haven: irq_lend: add support for IRQ notifications
haven: Add support for the MEM_ACCEPTED notification
msm: ADSPRPC: Restrict untrusted applications from attaching to GuestOS
msm: vidc: fix msm_comm_get_vidc_buffer fd race issue
msm: ipa: clear the ipa pipeline before any ep config
In suspend just before stopping the channel possible to receive
the IEOB interrupt and xfer pointer will not be processed in this
mode but gsi stats are updated. In resume after starting the channel
will receive the IEOB interrupt and xfer pointer will be overwritten
because of this observing the gsi/sys len stats are not matching and
buffers won't be replenished properly leading to HW stall.
To avoid this process all data in polling context, gsi/sys len
stats are updated properly.
Bug: 158990845
Test: 1.build pass and can boot to home
2.Mobile data,VoLTE,WFC,MMS,MHS
Change-Id: Id665448165b6aa51b251cddd72573c6df64ee541
Signed-off-by: Ashok Vuyyuru <avuyyuru@codeaurora.org>
Signed-off-by: Pranav Vashi <neobuddy89@gmail.com>
Signed-off-by: azrim <mirzaspc@gmail.com>
"LA.UM.9.1.r1-12100-SMxxx0.QSSI12.0"
* tag 'LA.UM.9.1.r1-12100-SMxxx0.QSSI12.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.14:
FROMGIT: cgroup: Use separate src/dst nodes when preloading css_sets for migration
input: touchscreen: focaltech: Add trusted touch support
input: touchscreen: focaltech_touch: support dynamic report rate
input: touchscreen: focaltech_touch: Remove vfs_read()
input: touchscreen: focaltech_touch: Configure power supply
input: touchscreen: Enable new Focaltech touch driver
ARM: dts: msm: Add support for facepay camera sensor on trinket
msm: ipa: fix to NULL terminate the pointer
input: touchscreen: Add new Focaltech touch driver
ARM: dts: msm: Add support for HSUART for RS232 usecase
msm: camera: Add page read support for EEPROM
diag: Validate the dci client before sending dci packet
ARM: dts: msm: changing sound card qcom model
The packets on IPA RX pipe 0 are route back to IPA TX pipe 0
which is causing the IPA stall. This fix allows to clear ipa
pipeline for ep config such as set/reset DMA mode
for rmnet tethering config.
Change-Id: Idd923f67bebfbc0aed8afcd0ea94a175ff691395
Signed-off-by: Vinayaka B M <quic_vinaybm@quicinc.com>
Added branch prediction in an effort to make
the data path more efficient.
Acked-by: Tal Gelbard <tgelbard@qti.qualcomm.com>
Change-Id: I3bd2157ee6c263d89de9425c7a0249370ab918fc
Signed-off-by: Amir Levy <alevy@codeaurora.org>
Signed-off-by: Andrzej Perczak <linux@andrzejperczak.com>
Signed-off-by: azrim <mirzaspc@gmail.com>
Sometimes rmnet_ipa fails to suspend with the following trace:
NETDEV WATCHDOG: rmnet_ipa0 (): transmit queue 0 timed out
Signed-off-by: celtare21 <celtare21@gmail.com>
Signed-off-by: azrim <mirzaspc@gmail.com>
Fix to NULL terminate the peers list ptr
after freeing it, to get rid of use after
free issue.
Change-Id: Ide9fde9e7648a7af561a5b0ae0fa085810e59ea6
Signed-off-by: Prashanth Reddy Baddam <quic_pbaddam@quicinc.com>
* This is spurious and does not get destroyed, which keeps this
wakelock as pending. Remove this code to save power.
* To enable these wakelocks again, pass `-DIPA_WAKELOCKS` as a
cflag.
Signed-off-by: Vaisakh Murali <mvaisakh@statixos.com>
Signed-off-by: Panchajanya1999 <panchajanya@azure-dev.live>
Signed-off-by: azrim <mirzaspc@gmail.com>
Calling usleep_range with identical min and max values,
results in a delta of 0us.
This causes the issue that the scheduler gets no chance to re-use an already
scheduled interrupt for this wait which results in a negative performance
impact by adding uninterruptible sleep.
Fix the issue by allowing the delay to take 20% longer than requested.
This should be good enough for these cases.
Signed-off-by: Alex Naidis <alex.naidis@paranoidandroid.co>
Signed-off-by: Park Ju Hyung <qkrwngud825@gmail.com>
Signed-off-by: Vaisakh Murali <mvaisakh@statixos.com>
Signed-off-by: Cyber Knight <cyberknight755@gmail.com>
Signed-off-by: azrim <mirzaspc@gmail.com>
Accessing an atomic variable without the atomic_*() helpers is illegal.
Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com>
Signed-off-by: azrim <mirzaspc@gmail.com>
This mostly occurs after voting for clock synchronously:
[ 151.601852] NOHZ: local_softirq_pending 08
[ 151.601860] NOHZ: local_softirq_pending 08
To ensure that scheduling is handled in a proper context, disable
bottom-halves while scheduling NAPI pool in the same way it was done at
commit 56ff8052b ("s390/qeth: invoke softirqs after napi_schedule()")
Signed-off-by: Nauval Rizky <enuma.alrizky@gmail.com>
Signed-off-by: azrim <mirzaspc@gmail.com>
Remove __packed from the usage of union gsi_evt_scratch.
__packed is only needed in the union definition.
include/linux/msm_gsi.h:
union __packed gsi_evt_scratch {
...
}
Bug: 139442076
Bug: 139808631
Bug: 142366585
Change-Id: If3d0e1bc2674f01d5a9a02e73d33b28a648539bc
Signed-off-by: Petri Gynther <pgynther@google.com>
(cherry picked from commit 33c2fa85bdfd90436d4c975757eefc6706a785c5)
Remove __packed from the usage of union gsi_wdi_channel_scratch3_reg.
__packed is only needed in the union definition.
include/linux/msm_gsi.h:
union __packed gsi_wdi_channel_scratch3_reg {
...
}
Bug: 139442076
Bug: 139808631
Bug: 142366585
Change-Id: I70edc50fbbe4c004309f76c020ac4d77cad91aad
Signed-off-by: Petri Gynther <pgynther@google.com>
(cherry picked from commit 2871c785dd89dd0926d12a93161fca6e27a6cd2e)
Remove __packed from the usage of union gsi_channel_scratch.
__packed is only needed in the union definition.
include/linux/msm_gsi.h:
union __packed gsi_channel_scratch {
...
}
Bug: 139442076
Bug: 139808631
Bug: 142366585
Change-Id: If59d3d217e6a4bae92b9931523e2f89a39a04be9
Signed-off-by: Petri Gynther <pgynther@google.com>
(cherry picked from commit 54ace836af62b9fc1edff9c3a436064e177fe2e4)
During NAT table Initialization parameter pass from HLOS, if max/zero
table entries passed it was leading to out of bound read. Adding checks
to validate the table entries before passing to NAT table parameter.
Change-Id: Ie2b252ea18deed694c6f76a34955af604ffeb3f3
Signed-off-by: Himansu Nayak <quic_himansu@quicinc.com>
Assign NULL to pointers that may be used later
after calling kfree on them.
Change-Id: I3298eb484c92ee2373f0bc41aae8ae45fb373cf0
Signed-off-by: Ilia Lin <ilialin@codeaurora.org>
While resetting the header rules if it finds invalid header ID it
will return before freeing proc header table it was leading to use
after free when accessing the header pointer from proc header table.
Adding changes to NULL terminating header pointer in proc header table
after header table deleted from the list.
Change-Id: If270d855d3907e61368336316161a250053e1e62
Signed-off-by: Jagadeesh Ponduru <jponduru@codeaurora.org>
Fix use-after-free of rt_tbl in __ipa_del_flt_rule
by checking if the rt_tbl is already freed.
Change-Id: I09541f65f474dc42f262c603d99f6bbcbb0ce8ec
Signed-off-by: Muralidharan M <murm@codeaurora.org>
Signed-off-by: Marco Zhang <zhangx@codeaurora.org>
Non null terminated string from user space can cause out
of bound access issue. Hence added a NULL character
explicitly in dev name when received from user space.
Change-Id: I956b4cb2ceb1c3bac171e9f9e35929256c937948
Signed-off-by: Sivakanth Vaka <svaka@codeaurora.org>
Signed-off-by: Marco Zhang <zhangx@codeaurora.org>
The value of `req->filter_spec_ex2_list_len`
is user input via ioctl and its type is uint32,
so an integer overflow may occur, which can result
in out of bound access in the following loop. Now
add changes to prevent integer overflow.
Change-Id: Ia29b9ddc674e5dd3d5baf6623cf0a464c156d8f7
Signed-off-by: Piyush Dhyani <pdhyani@codeaurora.org>
Add changes to fix race condition when freeing QMI
handles during SSR scenario.
Change-Id: Ie83f0386ea3bd9b40c4964327415421a144d4715
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
Signed-off-by: Raghavendar rao l <rlomte@codeaurora.org>
Adding changes to check ipa_q6_clnt pointer NULL or not
before accessing it.
Change-Id: I255dd021c9534fe6ca4d7b19c3b576a0d3c80c7d
Signed-off-by: Ashok Vuyyuru <avuyyuru@codeaurora.org>
Signed-off-by: Raghvaendar rao l <rlomte@codeaurora.org>
ECONNRESET is returned if Q6 QMI service is down. Make changes to
check for ECONNRESET as well to detect SSR.
Change-Id: I9a88b816618558123b3623396f38dde010d62abd
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
Added check to verify pdn config type
which may cause out-of-bounds read in wlan_msg_process.
Change-Id: Idce7cb966a5a1c33d4f6b040f4f9d2ec4fb203be
Signed-off-by: raghavendar rao l <rlomte@codeaurora.org>
Make changes to memcopy before preload end.
Change-Id: Icc056a3bcd5b739b8165813202c87dd84e72c78a
Signed-off-by: Michael Adisumarta <madisuma@codeaurora.org>
The stats counter which saved in idr was some stack memory which
could be freed and cause memory corruption. The fix is to use
the memory allocated in heap instead.
Change-Id: Ie398b0271571fcff41cdb85de4d77d202b6552b5
Signed-off-by: Bojun Pan <bojunp@codeaurora.org>
Add check to see if it is freed in pm deregister context
and trying to read again after free.
Change-Id: I764f012d0c7cd53f126aee221f7c1d6a914b7390
Signed-off-by: Michael Adisumarta <madisuma@codeaurora.org>
Currently during IPA_IOC_GET_PHERIPHERAL_EP_INFO ioctl we are not
returning for the invalid values of max_ep_pairs and ep_pair_size,
which is resulting in call of functions with invalid parameters.
So now changing the control when we receive unexpected values.
Change-Id: Idc0a8986478ece5eaad2a31152c2a16cd758b612
Signed-off-by: Piyush Dhyani <pdhyani@codeaurora.org>
Add proper check to validate table rule count
which may lead to overflow error.
Change-Id: I9bdcafcaae4e4cff1b901929c8dc6ae804f85642
Signed-off-by: Praveen Kurapati <pkurapat@codeaurora.org>
Make change to use endpoint 6 & 18 for hastings WLAN2_CONS/PROD
on msmnile gvmq target.
Change-Id: I8e5a7711dccc53419e7a17851df7a878e2ef0063
Signed-off-by: Akshay Pandit <pandit@codeaurora.org>
In low latency ping scenario clock unvoting fastly due to this
ping RTT was increased. To avoid these scenario increased the
inactivity timer to 100msec.
Change-Id: I9b11e2adbe087aa67fa2e7ed751b190abb09d0ed
Signed-off-by: Ashok Vuyyuru <avuyyuru@codeaurora.org>
ADPLv3 targets do not require status to be enabled on ODL_DPL pipe.
Make changes to disable the status for targets with IPAv4.5 and above.
Change-Id: Ica07a25a01e742928d3ecb19a88b7ee2305235ae
Signed-off-by: Chaitanya Pratapa <cpratapa@codeaurora.org>
Signed-off-by: Ashok Vuyyuru <avuyyuru@codeaurora.org>