Age | Commit message (Collapse) | Author |
|
|
The size of the settings copied from userspace is directly checked
in msm_cci_data_queue with CCI_I2C_MAX_WRITE. This might cause
out of bound access in function msm_cci_data_queue as the max size is
MAX_I2C_REG_SET. Hence adding check on the size in flash driver itself.
Change-Id: Ifac358be9f4b4ff60d14c20e02886c2d044e7f52
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
|
|
put_buf and buf_done are not unlocking rwlock in error case.
Change-Id: Ie10afa15f332cf7bd38be69ea8b99b163b125e66
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
|
|
Check whether ispif->base is null before dumping.
CRs-Fixed: 2046207
Change-Id: Ib026632252b43bb4d607ba00188c4c4143c1725e
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
|
|
When userspace uses ioctl(), kernel should get the data from
userspace through copy_from_user() or get_user() and send it
back to userspace through copy_to_user() or put_user().
In this case, kernel is not using put_user or copy_to_user
which is leading to a crash during I2C read when it tries to
access memory.
CRs-Fixed: 2058381
Change-Id: Ie5596b62cb589ee048e54f37c7e6beda0d62cad5
Signed-off-by: Tanvi Aggarwal <tanvia@codeaurora.org>
|
|
Add state check before executing CCI function.
Change-Id: I1c876e4eac70316bfe322b11f807e367c020e7d0
Signed-off-by: Wei Ding <weiding@codeaurora.org>
|
|
The pointer req_frm is coming from userspace, it may overflow stream_info.
Adding a bound check to prevent the same.
CRs-fixed: 2008683
Change-Id: I8682e09ff2ab7ba490bbbd9e20db978493c5f3e4
Signed-off-by: Senthil Kumar Rajagopal <skrajago@codeaurora.org>
Signed-off-by: Andy Sun <bins@codeaurora.org>
|
|
Neighbour index of step table possibly have same position,
so i2c operation reported invalid size parameters.
We add protection condition to return success value.
Change-Id: I7dab8f44a99c7c3c7d6996c8decb8bcd09c246c9
Signed-off-by: penliu <pengfeiliu@codeaurora.org>
|
|
When write masters are reloaded pingpong status register
will not be reset. Instead, it would be holding
stale data, until new axi_done irq is interrupted.
So, place a check to validate the pingpong register
value based on the reloaded status of write masters.
Change-Id: Id14b886154f8a8ef8d5c05338023d8172d6925d0
Signed-off-by: Lokesh Kumar Aakulu <lkumar@codeaurora.org>
|
|
debug offset comes from the user and can hold any value which can
cause unaligned access. This change fixes the unaligned access
problem on debug offset by properly aligning it.
Change-Id: Ie4de9a12433f6ffd568c6c86928b71a5537b0dff
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
|
|
* refs/heads/tmp-77ddb50:
UPSTREAM: usb: gadget: f_fs: avoid out of bounds access on comp_desc
Linux 4.4.74
mm: fix new crash in unmapped_area_topdown()
Allow stack to grow up to address space limit
mm: larger stack guard gap, between vmas
alarmtimer: Rate limit periodic intervals
MIPS: Fix bnezc/jialc return address calculation
usb: dwc3: exynos fix axius clock error path to do cleanup
alarmtimer: Prevent overflow of relative timers
genirq: Release resources in __setup_irq() error path
swap: cond_resched in swap_cgroup_prepare()
mm/memory-failure.c: use compound_head() flags for huge pages
USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks
usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk
drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR()
usb: r8a66597-hcd: decrease timeout
usb: r8a66597-hcd: select a different endpoint on timeout
USB: gadget: dummy_hcd: fix hub-descriptor removable fields
pvrusb2: reduce stack usage pvr2_eeprom_analyze()
usb: core: fix potential memory leak in error path during hcd creation
USB: hub: fix SS max number of ports
iio: proximity: as3935: recalibrate RCO after resume
staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data()
mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()
serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'
mac80211: fix IBSS presp allocation size
mac80211: fix CSA in IBSS mode
mac80211/wpa: use constant time memory comparison for MACs
mac80211: don't look at the PM bit of BAR frames
vb2: Fix an off by one error in 'vb2_plane_vaddr'
cpufreq: conservative: Allow down_threshold to take values from 1 to 10
can: gs_usb: fix memory leak in gs_cmd_reset()
configfs: Fix race between create_link and configfs_rmdir
UPSTREAM: bpf: don't let ldimm64 leak map addresses on unprivileged
BACKPORT: ext4: fix data exposure after a crash
ANDROID: sdcardfs: remove dead function open_flags_to_access_mode()
ANDROID: android-base.cfg: split out arm64-specific configs
Linux 4.4.73
sparc64: make string buffers large enough
s390/kvm: do not rely on the ILC on kvm host protection fauls
xtensa: don't use linux IRQ #0
tipc: ignore requests when the connection state is not CONNECTED
proc: add a schedule point in proc_pid_readdir()
romfs: use different way to generate fsid for BLOCK or MTD
sctp: sctp_addr_id2transport should verify the addr before looking up assoc
r8152: avoid start_xmit to schedule napi when napi is disabled
r8152: fix rtl8152_post_reset function
r8152: re-schedule napi for tx
nfs: Fix "Don't increment lock sequence ID after NFS4ERR_MOVED"
ravb: unmap descriptors when freeing rings
drm/ast: Fixed system hanged if disable P2A
drm/nouveau: Don't enabling polling twice on runtime resume
parisc, parport_gsc: Fixes for printk continuation lines
net: adaptec: starfire: add checks for dma mapping errors
pinctrl: berlin-bg4ct: fix the value for "sd1a" of pin SCRD0_CRD_PRES
gianfar: synchronize DMA API usage by free_skb_rx_queue w/ gfar_new_page
net/mlx4_core: Avoid command timeouts during VF driver device shutdown
drm/nouveau/fence/g84-: protect against concurrent access to semaphore buffers
drm/nouveau: prevent userspace from deleting client object
ipv6: fix flow labels when the traffic class is non-0
FS-Cache: Initialise stores_lock in netfs cookie
fscache: Clear outstanding writes when disabling a cookie
fscache: Fix dead object requeue
ethtool: do not vzalloc(0) on registers dump
log2: make order_base_2() behave correctly on const input value zero
kasan: respect /proc/sys/kernel/traceoff_on_warning
jump label: pass kbuild_cflags when checking for asm goto support
PM / runtime: Avoid false-positive warnings from might_sleep_if()
ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches
i2c: piix4: Fix request_region size
sierra_net: Add support for IPv6 and Dual-Stack Link Sense Indications
sierra_net: Skip validating irrelevant fields for IDLE LSIs
net: hns: Fix the device being used for dma mapping during TX
NET: mkiss: Fix panic
NET: Fix /proc/net/arp for AX.25
ipv6: Inhibit IPv4-mapped src address on the wire.
ipv6: Handle IPv4-mapped src to in6addr_any dst.
net: xilinx_emaclite: fix receive buffer overflow
net: xilinx_emaclite: fix freezes due to unordered I/O
Call echo service immediately after socket reconnect
staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.
ARM: dts: imx6dl: Fix the VDD_ARM_CAP voltage for 396MHz operation
partitions/msdos: FreeBSD UFS2 file systems are not recognized
s390/vmem: fix identity mapping
usb: gadget: f_fs: Fix possibe deadlock
Conflicts:
drivers/usb/gadget/function/f_fs.c
Change-Id: I23106e9fc2c4f2d0b06acce59b781f6c36487fcc
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
|
Generate and cache fence file descriptor. Multiple
ioctl calls return cached value.
Change-Id: I60d1b46b04007899c9ed983aafc5d0dd3e13312a
Depends-On: Ic83d93fd3c7f404774007065df02b402adbf80af
Signed-off-by: Animesh Kishore <animeshk@codeaurora.org>
|
|
Pointer from userspace is de-referenced before the command is checked.
This might cause a crash if the command being sent is not a valid command.
Hence changing the de-reference such that the pointer is accessed after
checking if a valid command is sent from the userspace.
Change-Id: I731a015c952d131187a47a8d346fb6478fddeeb1
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
|
|
commit 6830733d53a4517588e56227b9c8538633f0c496 upstream.
The driver uses a relatively large data structure on the stack, which
showed up on my radar as we get a warning with the "latent entropy"
GCC plugin:
drivers/media/usb/pvrusb2/pvrusb2-eeprom.c:153:1: error: the frame size of 1376 bytes is larger than 1152 bytes [-Werror=frame-larger-than=]
The warning is usually hidden as we raise the warning limit to 2048
when the plugin is enabled, but I'd like to lower that again in the
future, and making this function smaller helps to do that without
build regressions.
Further analysis shows that putting an 'i2c_client' structure on
the stack is not really supported, as the embedded 'struct device'
is not initialized here, and we are only saved by the fact that
the function that is called here does not use the pointer at all.
Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 upstream.
We should ensure that 'plane_no' is '< vb->num_planes' as done in
'vb2_plane_cookie' just a few lines below.
Fixes: e23ccc0ad925 ("[media] v4l: add videobuf2 Video for Linux 2 driver framework")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
IOMMU will be detached for Secure Display session. We need to make
sure to unmap all the buffers before detaching IOMMU. There are a
couple of cases where the buffer on pipe which is being used for
Secure Display, isn't unmapped before IOMMU detach. Add handling
for such cases in validate and kickoff. Also, add changes to wait
for secure session completion in rotator, before mapping buffers.
Change-Id: Ia47f519b8ba471848bbf2eef4ae1c010f1d0c1d2
Signed-off-by: Krishna Chaitanya Devarakonda <kdevarak@codeaurora.org>
|
|
There is no synchronization between msm_vb2_get_buf
and msm_delete_stream which can lead to use after
free.
Fixed it by using read/write lock.
Change-Id: Icff5cd81b1a4e9c28f19936dec570751feab0ccf
Signed-off-by: Manish Poddar <mpoddar@codeaurora.org>
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Signed-off-by: Andy Sun <bins@codeaurora.org>
|
|
Use mutex lock before using queuing ioctls like
queuing, dequeuing buffers to avoid race condition.
Change-Id: Ia9fdfd5a766add2f8d99003b0c2bfe7d34d57a09
Signed-off-by: Krupal Divvela <kdivvela@codeaurora.org>
|
|
stream_cfg_cmd->num_streams is from userspace,
need to check it against MSM_ISP_STATS_MAX before using it.
CRs-Fixed: 2029867
Change-Id: I02a71b983947981806470454654d712bcc732077
Signed-off-by: Terence Ho <terenceh@codeaurora.org>
|
|
Fix a potential out of boundary query of stats info.
CRs-Fixed: 2041066
Change-Id: I76d4aa8c8ddd523fde007bfb6fa387a17930c2ba
Signed-off-by: Fei Zhang <feizhang@codeaurora.org>
|
|
1. function/variable static declare;
2. dereference of noderef expression;
3. cast removes address space of expression;
4. using plain integer as NULL pointer;
Change-Id: If11a29aca93380de68a323880d55597bf320470f
Signed-off-by: Andy Sun <bins@codeaurora.org>
|
|
Fix performance issue in SDE rotator by converting workq into kernel
thread. workq priority is not high enough and can be easily preempted.
For sde rotator being used for realtime deadline usecase, it is
necessary to move up the priority of the worker thread, and we need to
move into kernel thread to handle the works.
Change-Id: Id77e80cb69162326a3894a41bec295bb9bd7f5c1
Signed-off-by: Benjamin Chan <bkchan@codeaurora.org>
|