OSDN Git Service
Azhar Shaikh [Thu, 11 Feb 2016 19:00:58 +0000 (11:00 -0800)]
usb: dwc3-msm: Fix restart usb work functionality
Commit 18cd808986ba101d ("usb: dwc3-msm: Make power collapse
and power-on-reset mandatory") removed the device tree properties
for power-collapse due to which the dwc3_restart_usb_work() which
was supposed to do a full POR sequence by simulating a cable
disconnection-reconnection sequence now only does a dbm reset.
Fix this, so that dwc3_restart_usb_work() does a full POR.
CRs-Fixed: 975249
Change-Id: Iaabe9283ec80954a2e504a55f2b4cdf93ca8ae46
Signed-off-by: Azhar Shaikh <azhars@codeaurora.org>
Linux Build Service Account [Thu, 24 Nov 2016 21:46:43 +0000 (13:46 -0800)]
Merge "clk: qcom: Add snapshot of OSM CPU clock driver"
Linux Build Service Account [Thu, 24 Nov 2016 21:46:39 +0000 (13:46 -0800)]
Merge "ARM: dts: msm: Add RTB support for msmtriton"
Linux Build Service Account [Thu, 24 Nov 2016 21:46:37 +0000 (13:46 -0800)]
Merge "ARM: dts: msm: Add mpm2-sleep-counter device for msmtriton"
Linux Build Service Account [Thu, 24 Nov 2016 21:46:36 +0000 (13:46 -0800)]
Merge "arm: qcom: correct description for MSMTRITON and MSMFALCON"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:39 +0000 (06:13 -0800)]
Merge "msm: vidc: parse 10-bit bus entries for msmfalcon"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:39 +0000 (06:13 -0800)]
Merge "ARM: dts: msm: Add venus device nodes for starlord"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:38 +0000 (06:13 -0800)]
Merge "msm: vidc: Update mbs per second calculation"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:36 +0000 (06:13 -0800)]
Merge "msm: vidc: fix mutex lock issue"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:35 +0000 (06:13 -0800)]
Merge "msm: vidc: fix the interrupt miss issue from video hardware"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:34 +0000 (06:13 -0800)]
Merge "msm: kgsl: Add support for A512 GPU"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:33 +0000 (06:13 -0800)]
Merge "ASoC: msm: Update supported sample rates for USB Backend"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:32 +0000 (06:13 -0800)]
Merge "netfilter: nfnetlink: correctly validate length of batch messages"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:31 +0000 (06:13 -0800)]
Merge "USB: gagget: f_fs: Return error if TX req is queued during device offline"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:29 +0000 (06:13 -0800)]
Merge "clk: qcom: Add support for rf clk1 for msmfalcon"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:28 +0000 (06:13 -0800)]
Merge "ARM: dts: msm: Update clock gfx node for MSMfalcon/Triton"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:26 +0000 (06:13 -0800)]
Merge "clk: qcom: Add support for MMCC clock for MSMFalcon"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:25 +0000 (06:13 -0800)]
Merge "cgroup: prefer %pK to %p"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:24 +0000 (06:13 -0800)]
Merge "HID: core: prevent out-of-bound readings"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:23 +0000 (06:13 -0800)]
Merge "[media] xc2028: avoid use after free"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:22 +0000 (06:13 -0800)]
Merge "tcp: fix use after free in tcp_xmit_retransmit_queue()"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:21 +0000 (06:13 -0800)]
Merge "block: fix use-after-free in sys_ioprio_get()"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:18 +0000 (06:13 -0800)]
Merge "cfg80211: validate beacon int as part of iface combinations"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:18 +0000 (06:13 -0800)]
Merge "cfg80211: fix beacon interval in interface combination iteration"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:17 +0000 (06:13 -0800)]
Merge "cfg80211: identically validate beacon interval for AP/MESH/IBSS"
Linux Build Service Account [Thu, 24 Nov 2016 14:13:16 +0000 (06:13 -0800)]
Merge "msm: sde: Correct max downscale factor for SDE rotator"
Kyle Yan [Wed, 23 Nov 2016 18:54:11 +0000 (10:54 -0800)]
Merge rel/msm-4.4 on remote branch
Change-Id: Id919aee14aa3898b8168015a3ae310437d604812
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
Runmin Wang [Thu, 6 Oct 2016 01:46:09 +0000 (18:46 -0700)]
msm: 8998: Replace cobalt with 8998
Update the code name from msmcobalt to msm8998. As a result, update
the filename containing "cobalt" and files content containing "cobalt".
CRs-Fixed: 1070840
Change-Id: I2c7b95e3e2a2fec7730724da9eeb86a39a77faf1
Signed-off-by: Runmin Wang <runminw@codeaurora.org>
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
Signed-off-by: Jeevan Shriram <jshriram@codeaurora.org>
Rajesh Kemisetti [Thu, 10 Nov 2016 15:41:55 +0000 (21:11 +0530)]
msm: kgsl: Add support for A512 GPU
Add new GPU ID, corresponding VBIF and
initial settings for A512.
Change-Id: Id30415ce0ea73012125ced35771b9aae9f941c22
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
Neeraj Upadhyay [Tue, 22 Nov 2016 06:41:28 +0000 (12:11 +0530)]
arm: qcom: correct description for MSMTRITON and MSMFALCON
Correct description for ARCH_MSMFALCON and ARCH_MSMTRITON,
to match the guidelines.
Change-Id: I2e657f3237c7ed38111b7bc6bddbf07ef4420924
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Karthikeyan Periasamy [Sat, 19 Nov 2016 01:30:16 +0000 (17:30 -0800)]
msm: vidc: fix the interrupt miss issue from video hardware
enable_irq() called before processing responses in work handler
which would lead to miss interrupt from video hardware sometimes.
An interrupt from video h/w will queue the work to work handler
but if work is already running the new work is not posted.
work handler has two parts, one, read all the messages from video h/w,
two, process the messages. queue work while processing messages
will miss reading the new messages from video h/w because
the queue work (as a result of interrupt from video h/w) will not
actually queue the work as work handler already running. Fix the
issue by enabling irq after processing all the responses to
make sure interrupt coming from video h/w after work handler
completed processing the messages.
CRs-Fixed: 1086284
Change-Id: Id158e5c6d89fc8b761d8cfe92afbf3592877c556
Signed-off-by: Karthikeyan Periasamy <kperiasa@codeaurora.org>
Linux Build Service Account [Mon, 21 Nov 2016 17:18:58 +0000 (09:18 -0800)]
Merge "msm: gsi: fix interrupt processing"
Linux Build Service Account [Mon, 21 Nov 2016 17:18:57 +0000 (09:18 -0800)]
Merge "clk: qcom: Add set_flags ops for the clk_gate2_ops"
Linux Build Service Account [Mon, 21 Nov 2016 17:18:57 +0000 (09:18 -0800)]
Merge "ARM: dts: msm: Add DT for mediabox variant of apqcobalt"
Linux Build Service Account [Mon, 21 Nov 2016 17:18:56 +0000 (09:18 -0800)]
Merge "msm: ipa: add api for getting IPA pdev"
Taniya Das [Mon, 21 Nov 2016 09:25:00 +0000 (14:55 +0530)]
clk: qcom: Add support for rf clk1 for msmfalcon
RF clock 2 is not required on msmfalcon, so remove the clock instance and
add rf clk1 support instead.
Change-Id: I13258295e9ae9c8607586ed5686e97276823d08c
Signed-off-by: Taniya Das <tdas@codeaurora.org>
Taniya Das [Thu, 17 Nov 2016 06:19:24 +0000 (11:49 +0530)]
ARM: dts: msm: Update clock gfx node for MSMfalcon/Triton
Modify the clock_gfx dummy clock to use the real clock controller for all
gpu clock controller clients.
Change-Id: If3c707877f2a0da04065b57a1c2fd44d256a5303
Signed-off-by: Taniya Das <tdas@codeaurora.org>
Taniya Das [Tue, 8 Nov 2016 14:01:35 +0000 (19:31 +0530)]
defconfig: msm: Add support for GPUCC clocks
GPU clock controller is required to be enabled for GPU clocks
supported by GPU clock controller.
Change-Id: Ica381b0b73bd59a10ac8fd876bda5c21678dfddb
Signed-off-by: Taniya Das <tdas@codeaurora.org>
Taniya Das [Sat, 24 Sep 2016 11:02:36 +0000 (16:32 +0530)]
clk: qcom: Add support for MMCC clock for MSMFalcon
Add support for the multimedia clock controller found on MSMFalcon
based devices. This should allow most clocks for multimedia peripherals
which includes display, video, camera etc.
Change-Id: If8aa0b094af5ff82fe66c95e3ef2f13632950d2e
Signed-off-by: Taniya Das <tdas@codeaurora.org>
Skylar Chang [Fri, 18 Nov 2016 18:56:51 +0000 (10:56 -0800)]
msm: gsi: fix interrupt processing
Fix GSI interrupt processing to make sure interrupts are
not missed. In order to achieve that, interrupts should first be
cleared before being processed.
Change-Id: I42978f2230e95456e4b4e932365e5b2c83445f56
CRs-Fixed: 1090894
Acked-by: Ady Abraham <adya@qti.qualcomm.com>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Neeraj Upadhyay [Wed, 16 Nov 2016 14:09:07 +0000 (19:39 +0530)]
ARM: dts: msm: Add RTB support for msmtriton
Add RTB (Register Trace Buffer) device tree entry for
msmtriton.
Change-Id: I6d55bf454cd629cd4894b60e40e9266d7e8b5bb9
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Neeraj Upadhyay [Wed, 16 Nov 2016 14:07:49 +0000 (19:37 +0530)]
ARM: dts: msm: Add mpm2-sleep-counter device for msmtriton
Add mpm2-sleep-counter device node, which is used by the
boot_stats driver.
Change-Id: I2c8ffe10b650777f6c0b697c33e958300c9dbe66
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Neeraj Upadhyay [Wed, 9 Nov 2016 12:58:07 +0000 (18:28 +0530)]
ARM: dts: msm: Add restart node and imem entries for msmtriton
Add restart node for msmtriton. Additionally, add IMEM
entries for restart-reason, dload_type, and boot_stats.
Change-Id: Ic72005ca76ceea377154e4b11dceccd7c8dc5ab5
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Neeraj Upadhyay [Wed, 16 Nov 2016 13:50:19 +0000 (19:20 +0530)]
ARM: dts: msm: Add RTB support for msmfalcon
Add RTB (Register Trace Buffer) device tree entry for
msmfalcon.
Change-Id: Ifd9f97f8595daac67c733e6120cdb3c89e5a02a4
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Neeraj Upadhyay [Wed, 16 Nov 2016 13:49:19 +0000 (19:19 +0530)]
ARM: dts: msm: Add mpm2-sleep-counter device for msmfalcon
Add mpm2-sleep-counter device node, which is used by the
boot_stats driver.
Change-Id: I32fb4c9a9be83a4448754bffde798432e417b17c
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Neeraj Upadhyay [Wed, 9 Nov 2016 12:39:53 +0000 (18:09 +0530)]
ARM: dts: msm: Add restart node and imem entries for msmfalcon
Add restart node for msmfalcon. Additionally, add IMEM
entries for restart-reason, dload_type, and boot_stats.
Change-Id: I48e84889b0867d98d70056eecae07becebae4c00
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Neeraj Upadhyay [Wed, 9 Nov 2016 12:12:33 +0000 (17:42 +0530)]
ARM: dts: msm: add perf-events support for msmfalcon and msmtriton
Add device tree entry for performance monitor unit (pmu) on msmfalcon
and msmtriton.
Change-Id: I97a28cccc0494ea5ff45ccade9721da0c85edef7
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Amit Nischal [Thu, 17 Nov 2016 09:47:05 +0000 (15:17 +0530)]
clk: qcom: Add set_flags ops for the clk_gate2_ops
Gate clocks would also require to set the flags using
clk_set_flags. Add the clk_ops for the same.
Change-Id: I9d180e4aedb17692eb2e48f98461239d29bbf975
Signed-off-by: Amit Nischal <anischal@codeaurora.org>
Linux Build Service Account [Mon, 21 Nov 2016 01:44:55 +0000 (17:44 -0800)]
Merge "ARM: dts: msm: change UFS/SDHC2 power supply for msmcobalt interposer QRD"
Linux Build Service Account [Sat, 19 Nov 2016 15:36:59 +0000 (07:36 -0800)]
Merge "ARM: dts: msm: add charger/fg device nodes for PMFALCON"
Linux Build Service Account [Sat, 19 Nov 2016 12:39:11 +0000 (05:39 -0700)]
Promotion of kernel.lnx.4.4-161119.
CRs Change ID Subject
--------------------------------------------------------------------------------------------------------------
1088658 I2f994ae0250ffc8f740ea633324815ae429c74be msm: ipa3: linearize large skbs
1077102 I09359b528b4742f72a76690930f3d0ed90bb2caa msm: mdss: move warnings and errors out of mdss spinlock
1089895 I84185558fa6e80b13d7d0078bda9d75143680941 tcp: take care of truncations done by sk_filter()
1091511 Ia151b2dd5229f07790ac961af298305b24e098fb msm: wlan: update regulatory database
1081957 I24820bd6254002f8a8db9604d230dcbce59b1beb clk: qcom: Add support to be able to slew PLL
1081738 I10a788726358c56df9bfe11f2332e3823d7cd332 ARM: dts: msm: Enable auto GM for WLED in pmicobalt
1077726 I031ca48f0e0c39f1b2cb51081ecd55b086fb4c9b msm: mdss: fix pp timeout during transition from LP1 to
1074985 Ib2268181a617c23d62b5b6f857be5327113b2a67 soc: qcom: smem: Redesign smem memory architecture
1090708 I9cda84d1c199b72ce8b9e2997601bcc7430ddbf3 ARM: dts: msm: Update the console uart gpios for msmfalc
1080245 I3b4cf83e776750d993d53331142223109bf0862e clk: qcom: Add support for debugfs support
1087110 I3694952289c76394af8d40cd89fd2175f49ac127 msm: mdss: Add systrace for readptr_done
1089865 Ia73ab1ba51df7b501d246bb45141018409496d01 ARM: dts: msm: ensure contiguous MSI for PCIe on msmcoba
941978 Idee8691d769218d7e732c9b7f936a2c40946b239 Revert "scsi: ufs: stub UFS shutdown handler"
1091072 I7e9ada5de1f619c6a34a4b2e1764f5e908564ce5 iio: rradc: Update reading USBIN_V channel
1075082 I971e555ec8d02ccf4382e83132a696b065a8ff12 qseecom: improve error checks in qseecom_probe()
1080245 Ib67b3a3409c9e7d8adb710bb524f54f543abf712 clk: add/modify debugfs support for clocks
941978 Id499abc27303bfed72fab4d61abb872bad7d9043 scsi: ufs: error out all issued requests after shutdown
1083537 I73fc02b812f2e6694e2a6aa8bdad2381a5f19406 ASoC: msm: Fix sound card registration failure
1085331 I92e98ab46107fbcfd843898423b41716a204c2ae ARM: dts: msm: Correct interrupt assignments for msmcoba
1073250 Idc9ca896b3fe6c1c6a72a066a6e453d27a3173e8 Asoc: clean up bootup errors
1091147 I30b8488a1c19815601e6a1c5bcbdeed53715f8fa usb: phy: qusb: Make sure QUSB PHY is into proper state
1086292 I6482dc3d21fdc3e570fd53022e2fb9427668d939 msm: mdss: add null check before dereferencing src_fmt
1086292 I4812330453dedacd16dad1d920a2bacc3f67042b msm: mdss: fix race condition in dsi clk off request
1088709 I21e1c029e6b245cfa26a187b35bb1f6845302484 clk: msm: Add the CLKFLAG_NO_RATE_CACHE flag for MM cloc
1082112 I171c91e700c24ecc213ccda705bbe6188d22a43a scsi: ufs: fix sleep in atomic context
1091354 I9f928f0aad6af346de43965755beb039e422047a Revert "defconfig: msm: avoid compilation of MDSS DP dri
1090727 I78d2c27743d30b90a96e3d8df60859f67db7ddb8 ARM: dts: msm: Add ufs regulators for msmfalcon interpos
1090029 I66f6de42b106fa2027285e7393b6f9fc143d00d8 leds: qpnp-flash: Fix the mask in the flash prepare API
1089181 I4a382915a6c3a6b9d445ec1f5d57fb499a011f1a driver: thermal: msm_thermal: Enable Reliability algorit
1079438 Ib14c5b9121190dded5071ff60ecf0be8e5e5c232 ARM: dts: msm: Add physical dimensions for NT35597 panel
1060212 Iabe79bae5f9471c3c6128ed21efd04de00739daa leds: qpnp-flash-v2: Add support for thermal derate feat
1091127 I7220ad565212c325514301e4c59415b807deb99a ARM: dts: msm: Add gladiator support on msmfalcon and ms
1091440 I0eb8b9a357f172984612175d1b03dd872df91b6f diag: Call diagmem_exit only if the mempool is initializ
1090076 Ia85688854f26fe871d5c1253c2d51d75d84deb8f ARM: dts: msm: Add dummy regulator for LCDB bias
1064071 Ic0dedbad372fd9029b932dd99633a650049751ed msm: kgsl: Fix pagetable member of struct kgsl_memdesc
1083537 I3d2765535793d6ef9153cfcab4b44a9adad67e15 ASoC: msm: Add support for USB/WCN/TDM Audio
1091141 I6ce48512df5973bf8a2a3081a3a6f8759aeb499f ARM: dts: msm: Set USB core clock rate for USB2/USB3 for
1060212 Ie7a94f59e58b8f1b0816afda2496449694629205 leds: qpnp-flash-v2: add support to read pmic revid
1080701 If08ff46e72d537254e90707f28c849a86f262853 ARM: dts: msm: specify I2C configuration for msmfalcon
1079442 I822d6280b301b2db6194c845098c935e612ca61c ASoC: wcd934x: Fix adie loopback through sidetone src pa
1089895 Idc52737bc96097a9220dfe47bb76e94ff1026a05 rose: limit sk_filter trim to payload
1091147 Ibfecfe1846d02b959bd249acac3fe4c57b88aaf0 USB: phy: qusb: Turn on vdd along with 1p8/3p3 LDOs when
1090701 I0e06be169edc2eb1d35ef7fc6c41ff1809aebd03 pinctrl: qcom: msmfalcon: Update gpios as per latest gpi
1086292 I422d53d008223a9b0520f499e629f681bb6afa05 mdss: mdp: avoid panic if recovery handler is uninitiali
1060212 I42503ccd2b2dcc62c5c868132d202b9698c9d216 leds: qpnp-flash-v2: change from dev_*() to pr_*() for l
1090076 Ie828c8568ef09c89cff157d16d3cb322647b6f6e ARM: dts: msm: enable mdss power supplies for falcon tra
1074879 I8d224a70cbef162f27078b62b73acaa22670861d sched/hmp: Enhance co-location and scheduler boost featu
1087471 I15323e3ef91401142d3841db59c18fd8fee753fd sched: Remove thread group iteration from colocation
1085170 Ie23d473302d7fbda9b243a150e5c52d025007e4f usb: pd: Stop processing SVDM if handler found
1091540 I61523188f45daca026b90943c845b43a8327f51e qcom-charger: smb2: Disable try.SINK mode in the probe
1081738 Iee99e9d1b999c84ece075d2f17e9cdf6aef9a2ac leds: qpnp-wled: Add support to configure AUTO_GM settin
1081922 I9aa7a000e75b50c6b26970deaba2131c87087b8c msm: mdss: fix autorefresh disable during handoff
1075694 I9cf2f94892bdeb83fab0068902419b1603520364 msm: kgsl: preserve ISENSE registers across GPU power co
1085321 1085649 I3c9422f3a790c0c1633ab64d4213a088faaeb9e5 diag: Set the diag write buffers to busy state on channe
1090311 I96cdcb9e3642906b4afa08d9bde07e123d9b3977 USB: Allow skipping device resume during system resume
1074879 I470bcd0588e038b4a540d337fe6a412f2fa74920 sched: revise boost logic when boost_type is SCHED_BOOST
1087020 I6f9b7a630158355a7f920dcf9cfffe537b1c6a85 ASoC: msm: q6dspv2: fix potentional information leak
1089062 Icb04f6175b66fa46405e77d10fddf06b0051ee5f phy: qcom-ufs: update ufs phy 1-lane settings
1082590 I4cdcbd31b5fa5ceac0eea7c743ea9286f231b80b scsi: ufs: handle LINERESET during hibern8
1081738 I964b3452d0cdb3618b4ab446655ae75fa3a1049d leds: qpnp-wled: Add support to configure auto PFM for p
1080245 I936496e553bc958c10e743fd8a225ffc7fbc0f79 clk: Add support to allow client to print all enabled cl
1079373 Ifd7b2b88e7ab4c952b743fede6e24795069d653a qcom-charger: WA for legacy bit set on hard reboot
1090518 I7f1c0d9d84607821893a1e5d17934dae5acef5f4 clk: qcom: Add support for RCGs with dynamic and fixed s
1089865 I1e74f1b03c3e15880efdac7ff07aca2f628de99d ARM: dts: msm: enable QGIC MSI for PCIe on msmcobalt
1088059 I66cbe48b7f4910228a6af57610a8427fea7fd1f2 msm: mdss: fix incorrect mutex unlocking during NOTIFY_U
1087418 Ia3fb69dca00654dacd8d1faae34715e40e097480 scsi: ufs: enable auto hibern8 only after device initial
1088216 I326eceeddff8e77d346c3365fa46cd539324451f ARM: dts: msm: Add support for USB device for msmfalcon
1060212 Iafb7915e196a18b5f8076dda8fb06a4bd71a8e6e leds: qpnp-flash-v2: Add support for configuring OTST th
1086372 Ia03380dfa4852c80fedb38f3c79f55d8d1a9a7f6 icnss: Reset mpm_wcssaon_config bits before top level re
1080245 I0a202af6f46c7cf164036d65487db5c40aab4063 clk: Add support for list_rates ops for clocks
1091477 I7435f05f20e12a7704ae5d9597b5cdc9b5a61d00 qcom-charger: Change usb_icl votable for PD vote
1089062 Ief5df61d91fbd765c595533b3380a602a2540e5e scsi: ufs-qcom: update clock scaling sequence
1085217 I62de66e9b0bb1eeeac3c94d1ac1037285811b631 msm: ipa3: header file change for wdi-stats
1080674 I15ef73049cee76c6ea5b3916d9281bbd9fdfc563 ARM: dts: msm: specify UART configuration on msmfalcon.
1090525 I48c50bc320425c0db40cd4865e05c6b7a7fb5da3 msm: sde: remove secure camera ctrl_id definition
1061507 Iad71abbed72aa40b5c839260f5c297a885f7d128 ASoC: wcd-mbhc: correct cross connection check
1085064 Ib53902459646e590df4dc7fcb00f833d5e8f41ed usb: pd: Don't suspend charging unless changing voltages
1064071 Ic0dedbad661143977a226d50263c26b5af579ce3 msm: kgsl: Make sure USE_CPU_MAP + MAP_USER_MEM work tog
1090862 987021 I0d1797a4df9ff67f3b162a1b5d26320ca989f54a msm: mdss: hide additional kernel addresses from unprivi
Change-Id: Ic6272ada932975c2562cb87d4a617520002db3d3
Linux Build Service Account [Sat, 19 Nov 2016 04:32:06 +0000 (20:32 -0800)]
Merge "ASoC: msm: q6dspv2: fix potentional information leak"
Linux Build Service Account [Sat, 19 Nov 2016 04:32:05 +0000 (20:32 -0800)]
Merge "ASoC: wcd934x: Fix adie loopback through sidetone src path"
Linux Build Service Account [Sat, 19 Nov 2016 04:32:04 +0000 (20:32 -0800)]
Merge "Asoc: clean up bootup errors"
Linux Build Service Account [Sat, 19 Nov 2016 04:32:03 +0000 (20:32 -0800)]
Merge "Revert "defconfig: msm: avoid compilation of MDSS DP driver for 32-bit msmfalcon""
Linux Build Service Account [Sat, 19 Nov 2016 04:32:03 +0000 (20:32 -0800)]
Merge "ARM: dts: msm: Add support for USB device for msmfalcon and msmtriton"
Linux Build Service Account [Sat, 19 Nov 2016 04:32:02 +0000 (20:32 -0800)]
Merge "ARM: dts: msm: enable mdss power supplies for falcon track3"
Linux Build Service Account [Sat, 19 Nov 2016 04:32:01 +0000 (20:32 -0800)]
Merge "usb: pd: Don't suspend charging unless changing voltages"
Linux Build Service Account [Sat, 19 Nov 2016 04:32:00 +0000 (20:32 -0800)]
Merge "iio: rradc: Update reading USBIN_V channel"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:59 +0000 (20:31 -0800)]
Merge "icnss: Reset mpm_wcssaon_config bits before top level reset"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:58 +0000 (20:31 -0800)]
Merge "qcom-charger: smb2: Disable try.SINK mode in the probe"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:58 +0000 (20:31 -0800)]
Merge "msm: ipa3: header file change for wdi-stats"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:57 +0000 (20:31 -0800)]
Merge "ARM: dts: msm: Set USB core clock rate for USB2/USB3 for msm8996"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:56 +0000 (20:31 -0800)]
Merge "ARM: dts: msm: Add gladiator support on msmfalcon and msmtriton"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:55 +0000 (20:31 -0800)]
Merge "ARM: dts: msm: Correct interrupt assignments for msmcobalt"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:54 +0000 (20:31 -0800)]
Merge "clk: qcom: Add support for RCGs with dynamic and fixed sources"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:54 +0000 (20:31 -0800)]
Merge "qcom-charger: WA for legacy bit set on hard reboot"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:53 +0000 (20:31 -0800)]
Merge "usb: phy: qusb: Make sure QUSB PHY is into proper state"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:52 +0000 (20:31 -0800)]
Merge "USB: phy: qusb: Turn on vdd along with 1p8/3p3 LDOs when PMI requests"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:51 +0000 (20:31 -0800)]
Merge "soc: qcom: smem: Redesign smem memory architecture"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:50 +0000 (20:31 -0800)]
Merge "ARM: dts: msm: Update the console uart gpios for msmfalcon"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:50 +0000 (20:31 -0800)]
Merge "msm: mdss: move warnings and errors out of mdss spinlock"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:49 +0000 (20:31 -0800)]
Merge "msm: mdss: fix pp timeout during transition from LP1 to power on"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:48 +0000 (20:31 -0800)]
Merge "msm: mdss: fix autorefresh disable during handoff"
Linux Build Service Account [Sat, 19 Nov 2016 04:31:45 +0000 (20:31 -0800)]
Merge "ASoC: wcd-mbhc: correct cross connection check"
Nick Desaulniers [Mon, 12 Sep 2016 22:47:42 +0000 (15:47 -0700)]
cgroup: prefer %pK to %p
Prevents leaking kernel pointers when using kptr_restrict.
Bug: 30149174
Change-Id: I0fa3cd8d4a0d9ea76d085bba6020f1eda073c09b
Git-repo: https://android.googlesource.com/kernel/msm.git
Git-commit: 505e48f32f1321ed7cf80d49dd5f31b16da445a8
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Phil Turnbull [Tue, 2 Feb 2016 18:36:45 +0000 (13:36 -0500)]
netfilter: nfnetlink: correctly validate length of batch messages
If nlh->nlmsg_len is zero then an infinite loop is triggered because
'skb_pull(skb, msglen);' pulls zero bytes.
The calculation in nlmsg_len() underflows if 'nlh->nlmsg_len <
NLMSG_HDRLEN' which bypasses the length validation and will later
trigger an out-of-bound read.
If the length validation does fail then the malformed batch message is
copied back to userspace. However, we cannot do this because the
nlh->nlmsg_len can be invalid. This leads to an out-of-bounds read in
netlink_ack:
[ 41.455421] ==================================================================
[ 41.456431] BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 at addr ffff880119e79340
[ 41.456431] Read of size 4294967280 by task a.out/987
[ 41.456431] =============================================================================
[ 41.456431] BUG kmalloc-512 (Not tainted): kasan: bad access detected
[ 41.456431] -----------------------------------------------------------------------------
...
[ 41.456431] Bytes b4 ffff880119e79310: 00 00 00 00 d5 03 00 00 b0 fb fe ff 00 00 00 00 ................
[ 41.456431] Object ffff880119e79320: 20 00 00 00 10 00 05 00 00 00 00 00 00 00 00 00 ...............
[ 41.456431] Object ffff880119e79330: 14 00 0a 00 01 03 fc 40 45 56 11 22 33 10 00 05 .......@EV."3...
[ 41.456431] Object ffff880119e79340: f0 ff ff ff 88 99 aa bb 00 14 00 0a 00 06 fe fb ................
                                      ^^ start of batch nlmsg with nlmsg_len=4294967280
...
[ 41.456431] Memory state around the buggy address:
[ 41.456431]  ffff880119e79400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431]  ffff880119e79480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 41.456431] >ffff880119e79500: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431] ^
[ 41.456431]  ffff880119e79580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 41.456431]  ffff880119e79600: fc fc fc fc fc fc fc fc fc fc fb fb fb fb fb fb
[ 41.456431] ==================================================================
Fix this with better validation of nlh->nlmsg_len and by setting
NFNL_BATCH_FAILURE if any batch message fails length validation.
CAP_NET_ADMIN is required to trigger the bugs.
Fixes: 9ea2aa8b7dba ("netfilter: nfnetlink: validate nfnetlink header from batch")
Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Id91de0fcfc4a94f0c6282b59f96cea7cd0fea64c
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: c58d6c93680f28ac58984af61d0a7ebf4319c241
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
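The length checks described in the nfnetlink commit message above, modelled in userspace C as an added example (not the kernel patch and not code from this repository). The function names, result codes and the constructed 40-byte sample buffer are assumptions; the lengths 0 and 4294967280 are the values named in the message and its KASAN report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizes of the two headers every batch message must carry (model constants). */
#define HDRLEN     16u  /* netlink message header, i.e. NLMSG_HDRLEN */
#define GENMSG_LEN  4u  /* nfnetlink generic header, struct nfgenmsg */

enum { BATCH_OK = 0, BATCH_FAILURE = -1 };  /* hypothetical result codes */

/* Read the length field (first 4 bytes of a message) in host byte order. */
static uint32_t read_len(const uint8_t *msg)
{
    uint32_t v;

    memcpy(&v, msg, sizeof(v));
    return v;
}

/*
 * Unguarded payload check: the header size is subtracted before anything
 * confirms that the length covers the header. For lengths below HDRLEN the
 * unsigned subtraction wraps, so a too-short message appears to carry a huge
 * payload. Returns 1 when the check would accept the message.
 */
static int unguarded_payload_check(uint32_t nlmsg_len)
{
    uint32_t payload = nlmsg_len - HDRLEN;  /* wraps if nlmsg_len < HDRLEN */

    return payload >= GENMSG_LEN;
}

/*
 * Guarded walk over a batch buffer. Every message must cover its own header,
 * fit in the bytes that remain, and leave room for the generic header. The
 * first violation fails the whole batch, which also guarantees that the
 * offset advances on every iteration.
 */
static int walk_batch(const uint8_t *buf, size_t len, unsigned *accepted)
{
    size_t off = 0;

    *accepted = 0;
    while (len - off >= HDRLEN + GENMSG_LEN) {
        size_t remaining = len - off;
        uint32_t mlen = read_len(buf + off);
        size_t step;

        if (mlen < HDRLEN ||             /* includes 0: would never advance */
            mlen > remaining ||          /* claims more than the buffer holds */
            mlen - HDRLEN < GENMSG_LEN)  /* safe: mlen >= HDRLEN at this point */
            return BATCH_FAILURE;

        (*accepted)++;
        step = ((size_t)mlen + 3u) & ~(size_t)3u;  /* 4-byte message alignment */
        off += step < remaining ? step : remaining;
    }
    return BATCH_OK;
}

/*
 * Constructed sample: one valid 20-byte message followed by a second message
 * whose length field is second_len. The rest of the buffer is zero.
 */
static int check_sample(uint32_t second_len, unsigned *accepted)
{
    uint8_t buf[40] = {0};
    uint32_t first_len = HDRLEN + GENMSG_LEN;

    memcpy(buf, &first_len, sizeof(first_len));
    memcpy(buf + 20, &second_len, sizeof(second_len));
    return walk_batch(buf, sizeof(buf), accepted);
}

int main(void)
{
    const uint32_t lens[] = { 20u, 0u, 8u, 4294967280u };
    size_t i;

    for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++) {
        unsigned accepted;
        int rc = check_sample(lens[i], &accepted);

        printf("nlmsg_len=%lu unguarded=%d guarded=%s accepted=%u\n",
               (unsigned long)lens[i], unguarded_payload_check(lens[i]),
               rc == BATCH_OK ? "ok" : "failure", accepted);
    }
    return 0;
}
```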
Benjamin Tissoires [Tue, 19 Jan 2016 11:34:58 +0000 (12:34 +0100)]
HID: core: prevent out-of-bound readings
Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.
The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.
Change-Id: I3b04131079a27f0b1cd60df03c793e8d9ffe5e91
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: 50220dead1650609206efe91f0cc116132d59b3f
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Peter Hurley [Fri, 27 Nov 2015 19:30:21 +0000 (14:30 -0500)]
tty: Prevent ldisc drivers from re-using stale tty fields
Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].
Harden the ldisc interface against misuse by initializing relevant
tty fields before instancing the new line discipline.
[1]
    commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
    Author: Tilman Schmidt <tilman@imap.cc>
    Date:   Tue Jul 14 00:37:13 2015 +0200
        isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
[2] Report from Sasha Levin <sasha.levin@oracle.com>
[ 634.336761] ==================================================================
[ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
[ 634.339558] Read of size 4 by task syzkaller_execu/8981
[ 634.340359] =============================================================================
[ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
...
[ 634.405018] Call Trace:
[ 634.405277] dump_stack (lib/dump_stack.c:52)
[ 634.405775] print_trailer (mm/slub.c:655)
[ 634.406361] object_err (mm/slub.c:662)
[ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
[ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
[ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
[ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
[ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
[ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
[ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
[ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
[ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
Change-Id: Idc6b27fb0b73b9057541ecc02c6c2aac46b50ffc
Cc: Tilman Schmidt <tilman@imap.cc>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: dd42bf1197144ede075a9d4793123f7689e164bc
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Mauro Carvalho Chehab [Thu, 28 Jan 2016 11:22:44 +0000 (09:22 -0200)]
[media] xc2028: avoid use after free
If struct xc2028_config is passed without a firmware name,
the following trouble may happen:
[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G W ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------
[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012] ___slab_alloc+0x581/0x5b0
[11009.908014] __slab_alloc+0x51/0x90
[11009.908017] __kmalloc+0x27b/0x350
[11009.908022] xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026] usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029] usb_submit_urb+0xb0e/0x1200
[11009.908032] usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035] usb_serial_generic_write+0x92/0xc0
[11009.908039] usb_console_write+0x38a/0x560
[11009.908045] call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051] console_unlock+0x40d/0x900
[11009.908056] vprintk_emit+0x4b4/0x830
[11009.908061] vprintk_default+0x1f/0x30
[11009.908064] printk+0x99/0xb5
[11009.908067] kasan_report_error+0x10a/0x550
[11009.908070] __asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077] __slab_free+0x2ec/0x460
[11009.908080] kfree+0x266/0x280
[11009.908083] xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108] do_one_initcall+0x141/0x300
[11009.908111] do_init_module+0x1d0/0x5ad
[11009.908114] load_module+0x6666/0x9ba0
[11009.908117] SyS_finit_module+0x108/0x130
[11009.908120] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001
[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00 ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G B W 4.5.0-rc1+ #43
[11009.908140] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142] ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148] ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153] ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162] [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165] [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168] [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171] [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182] [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185] [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189] [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192] [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196] [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200] [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203] [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206] [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211] [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215] [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219] [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222] [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226] [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230] [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233] [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238] [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242] [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245] [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249] [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253] [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260] [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264] [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268] [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271] [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275] [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278] [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285] [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292] [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296] [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299] [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302] [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306] [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309] [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314] [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317] [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320] [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324] [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327] [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330] [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333] [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343] [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346] [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350] [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353] [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356] [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361] [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366] [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369] [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374] [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377] [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379] [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383] [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394] [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398] ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401] ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405] ^
[11009.908407] ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409] ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================
In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.
Change-Id: I24f0958f97ca04916b8c6845f3122732e1928e6c
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 8dfbcc4351a0b6d2f2d77f367552f48ffefafe18
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Omar Sandoval [Fri, 1 Jul 2016 07:39:35 +0000 (00:39 -0700)]
block: fix use-after-free in sys_ioprio_get()
get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:
	#define _GNU_SOURCE
	#include <assert.h>
	#include <unistd.h>
	#include <sys/syscall.h>
	#include <sys/wait.h>

	int main(int argc, char **argv)
	{
		pid_t pid, child;
		long nproc, i;

		/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
		syscall(SYS_ioprio_set, 1, 0, 0x6000);

		nproc = sysconf(_SC_NPROCESSORS_ONLN);

		for (i = 0; i < nproc; i++) {
			pid = fork();
			assert(pid != -1);
			if (pid == 0) {
				for (;;) {
					pid = fork();
					assert(pid != -1);
					if (pid == 0) {
						_exit(0);
					} else {
						child = wait(NULL);
						assert(child == pid);
					}
				}
			}

			pid = fork();
			assert(pid != -1);
			if (pid == 0) {
				for (;;) {
					/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
					syscall(SYS_ioprio_get, 2, 0);
				}
			}
		}

		for (;;) {
			/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
			syscall(SYS_ioprio_get, 2, 0);
		}

		return 0;
	}
This gets us KASAN dumps like this:
[ 35.526914] ==================================================================
[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[ 35.530009] Read of size 2 by task ioprio-gpf/363
[ 35.530009] =============================================================================
[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[ 35.530009] -----------------------------------------------------------------------------
[ 35.530009] Disabling lock debugging due to kernel taint
[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[ 35.530009] ___slab_alloc+0x55d/0x5a0
[ 35.530009] __slab_alloc.isra.20+0x2b/0x40
[ 35.530009] kmem_cache_alloc_node+0x84/0x200
[ 35.530009] create_task_io_context+0x2b/0x370
[ 35.530009] get_task_io_context+0x92/0xb0
[ 35.530009] copy_process.part.8+0x5029/0x5660
[ 35.530009] _do_fork+0x155/0x7e0
[ 35.530009] SyS_clone+0x19/0x20
[ 35.530009] do_syscall_64+0x195/0x3a0
[ 35.530009] return_from_SYSCALL_64+0x0/0x6a
[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[ 35.530009] __slab_free+0x27b/0x3d0
[ 35.530009] kmem_cache_free+0x1fb/0x220
[ 35.530009] put_io_context+0xe7/0x120
[ 35.530009] put_io_context_active+0x238/0x380
[ 35.530009] exit_io_context+0x66/0x80
[ 35.530009] do_exit+0x158e/0x2b90
[ 35.530009] do_group_exit+0xe5/0x2b0
[ 35.530009] SyS_exit_group+0x1d/0x20
[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4
[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[ 35.530009] ==================================================================
Fix it by grabbing the task lock while we poke at the io_context.
Change-Id: I02fda1eb5173f5cf4db999147c623720892da529
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 8ba8682107ee2ca3347354e018865d8e1967c5f4
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Eric Dumazet [Wed, 17 Aug 2016 12:56:26 +0000 (05:56 -0700)]
tcp: fix use after free in tcp_xmit_retransmit_queue()
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Change-Id: Iba5975e360eb2b2729b6f958b7cb00bfc469e51b
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git
Git-commit: bb1fceca22492109be12640d49f5ea5a544c6bb4
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Vegard Nossum [Fri, 29 Jul 2016 08:40:31 +0000 (10:40 +0200)]
block: fix use-after-free in seq file
I got a KASAN report of use-after-free:
==================================================================
BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
Read of size 8 by task trinity-c1/315
=============================================================================
BUG kmalloc-32 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------
Disabling lock debugging due to kernel taint
INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
___slab_alloc+0x4f1/0x520
__slab_alloc.isra.58+0x56/0x80
kmem_cache_alloc_trace+0x260/0x2a0
disk_seqf_start+0x66/0x110
traverse+0x176/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
__slab_free+0x17a/0x2c0
kfree+0x20a/0x220
disk_seqf_stop+0x42/0x50
traverse+0x3b5/0x860
seq_read+0x7e3/0x11a0
proc_reg_read+0xbc/0x180
do_loop_readv_writev+0x134/0x210
do_readv_writev+0x565/0x660
vfs_readv+0x67/0xa0
do_preadv+0x126/0x170
SyS_preadv+0xc/0x10
do_syscall_64+0x1a1/0x460
return_from_SYSCALL_64+0x0/0x6a
CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
Call Trace:
[<ffffffff81d6ce81>] dump_stack+0x65/0x84
[<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
[<ffffffff814704ff>] object_err+0x2f/0x40
[<ffffffff814754d1>] kasan_report_error+0x221/0x520
[<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
[<ffffffff83888161>] klist_iter_exit+0x61/0x70
[<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
[<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
[<ffffffff8151f812>] seq_read+0x4b2/0x11a0
[<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
[<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
[<ffffffff814b4c45>] do_readv_writev+0x565/0x660
[<ffffffff814b8a17>] vfs_readv+0x67/0xa0
[<ffffffff814b8de6>] do_preadv+0x126/0x170
[<ffffffff814b92ec>] SyS_preadv+0xc/0x10
This problem can occur in the following situation:
    open()
     - pread()
        - .seq_start()
           - iter = kmalloc() // succeeds
           - seqf->private = iter
        - .seq_stop()
           - kfree(seqf->private)
     - pread()
        - .seq_start()
           - iter = kmalloc() // fails
        - .seq_stop()
           - class_dev_iter_exit(seqf->private) // boom! old pointer
As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.
An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.
Change-Id: Ia3c791c6cf81a6c156561106230cbf5e8dfad0bc
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git
Git-commit: 77da160530dd1dc94f6ae15a981f24e5f0021e84
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
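The open/pread/pread sequence from the seq file commit above, as an added user-space model (not code from the commit or from the kernel). All type and function names are hypothetical, and a one-slot pool stands in for kmalloc()/kfree() so the stale access can be counted instead of actually touching freed memory. It compares the unfixed stop handler, the fix described in the commit message, and the alternative it mentions.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the seq_file start/stop flow; hypothetical names. */
struct iter { int live; };
struct seq_model { struct iter *private; };   /* stands in for seqf->private */

/* One-slot pool: a "freed" object stays inspectable without real UB. */
static struct iter slot;

static struct iter *iter_alloc(int fail)
{
	if (fail || slot.live)
		return NULL;
	slot.live = 1;
	return &slot;
}

/* Returns 1 when the object was already freed; in the kernel this is the
 * read KASAN flagged in klist_iter_exit(). */
static int iter_exit_and_free(struct iter *it)
{
	int stale = !it->live;
	it->live = 0;
	return stale;
}

typedef int (*start_fn)(struct seq_model *, int fail);
typedef int (*stop_fn)(struct seq_model *);

static int start_plain(struct seq_model *s, int fail)
{
	struct iter *it = iter_alloc(fail);
	if (!it)
		return -1;                  /* private keeps its old value */
	s->private = it;
	return 0;
}

/* Alternative from the commit message: clear private when allocation fails. */
static int start_clearing(struct seq_model *s, int fail)
{
	s->private = iter_alloc(fail);
	return s->private ? 0 : -1;
}

static int stop_buggy(struct seq_model *s)
{
	return s->private ? iter_exit_and_free(s->private) : 0;
}

/* The fix: reinitialise the private pointer when iteration stops. */
static int stop_fixed(struct seq_model *s)
{
	int stale = s->private ? iter_exit_and_free(s->private) : 0;
	s->private = NULL;
	return stale;
}

/* pread() #1 allocates fine, pread() #2 hits an allocation failure;
 * stop runs after both. Returns the number of stale accesses. */
static int two_reads(start_fn start, stop_fn stop)
{
	struct seq_model s = { NULL };
	int stale = 0;
	slot.live = 0;
	start(&s, 0); stale += stop(&s);
	start(&s, 1); stale += stop(&s);
	return stale;
}

int main(void)
{
	printf("buggy=%d fixed=%d alt=%d\n", two_reads(start_plain, stop_buggy),
	       two_reads(start_plain, stop_fixed), two_reads(start_clearing, stop_buggy));
	return 0;
}
```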
Vijayavardhan Vennapusa [Sat, 19 Nov 2016 00:09:12 +0000 (16:09 -0800)]
USB: gadget: f_fs: Return error if TX req is queued during device offline
When USB cable is disconnected during TX data transfers, endpoints will
be disabled during function disable. If userspace client tries to queue
requests on disabled endpoints, driver will wait till endpoints are
enabled and then queues previous session requests. This results in kernel
driver and userspace driver out of sync and due to this, stall will be
seen. Hence fix this issue by returning error value if client tries to
queue requests on TX endpoint during device offline.
CRs-Fixed: 633497
Change-Id: I3e43b8a704367aff7fe8dd88159315aef811c51c
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Signed-off-by: Mayank Rana <mrana@codeaurora.org>
Service qcabuildsw [Fri, 18 Nov 2016 23:41:21 +0000 (15:41 -0800)]
Merge "msm: wlan: update regulatory database" into msm-4.4
Ashay Jaiswal [Fri, 18 Nov 2016 04:30:49 +0000 (10:00 +0530)]
ARM: dts: msm: add charger/fg device nodes for PMFALCON
Add charger/FG device nodes along with the necessary
configuration.
Keep all these nodes disabled for simulator/RUMI platform.
CRs-fixed: 1091731
Change-Id: I9c751d777d8402cdea3cdfb27da1a19a98a250e2
Signed-off-by: Ashay Jaiswal <ashayj@codeaurora.org>
Johannes Berg [Fri, 21 Oct 2016 12:25:13 +0000 (14:25 +0200)]
cfg80211: validate beacon int as part of iface combinations
Remove the pointless checking against interface combinations in
the initial basic beacon interval validation, that currently isn't
taking into account radar detection or channels properly. Instead,
just validate the basic range there, and then delay real checking
to the interface combination validation that drivers must do.
This means that drivers wanting to use the beacon_int_min_gcd will
now have to pass the new_beacon_int when validating the AP/mesh
start.
CRs-Fixed: 1087922
Change-Id: Iec536bcdf4ed95e3d796324fd8bf5df259b340b0
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 4c8dea638c16141adb046fd2e0cab51dfe43650c
[liord@codeaurora.org: Fix conflicts]
Signed-off-by: Lior David <liord@codeaurora.org>
Johannes Berg [Fri, 21 Oct 2016 10:15:00 +0000 (12:15 +0200)]
cfg80211: fix beacon interval in interface combination iteration
We shouldn't abort the iteration with an error when one of the
potential combinations can't accommodate the beacon interval
request, we should just skip that particular combination. Fix
the code to do so.
CRs-Fixed: 1087922
Change-Id: Ib1ae7221291b8176d61d58e756a3814c80d98d27
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 0507a3ac6e98f50583912ec78d07c2e4daaf2b28
[liord@codeaurora.org: cherry-pick without changes]
Signed-off-by: Lior David <liord@codeaurora.org>
Purushottam Kushwaha [Thu, 11 Aug 2016 09:44:02 +0000 (15:14 +0530)]
cfg80211: identically validate beacon interval for AP/MESH/IBSS
Beacon interval interface combinations validation was missing
for MESH/IBSS join, add those.
Johannes: also move the beacon interval check disallowing really
tiny and really big intervals into the common function, which
adds it for AP mode.
CRs-Fixed: 1087922
Change-Id: I282300533dcd80f65c9ba366246d028a6130ffff
Signed-off-by: Purushottam Kushwaha <pkushwah@qti.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Git-commit: 12d20fc9186a742d40e824f575df5aa62be31d69
[liord@codeaurora.org: fix conflicts and trivial compile errors]
Signed-off-by: Lior David <liord@codeaurora.org>
Linux Build Service Account [Fri, 18 Nov 2016 09:55:05 +0000 (01:55 -0800)]
Merge "msm: kgsl: Make sure USE_CPU_MAP + MAP_USER_MEM work together"
Linux Build Service Account [Fri, 18 Nov 2016 09:55:03 +0000 (01:55 -0800)]
Merge "msm: kgsl: Fix pagetable member of struct kgsl_memdesc"
Linux Build Service Account [Fri, 18 Nov 2016 09:55:02 +0000 (01:55 -0800)]
Merge "ARM: dts: msm: Enable auto GM for WLED in pmicobalt"
Linux Build Service Account [Fri, 18 Nov 2016 09:55:01 +0000 (01:55 -0800)]
Merge "leds: qpnp-wled: Add support to configure auto PFM for pmicobalt"
Linux Build Service Account [Fri, 18 Nov 2016 09:55:00 +0000 (01:55 -0800)]
Merge "msm: ipa3: linearize large skbs"
Linux Build Service Account [Fri, 18 Nov 2016 09:55:00 +0000 (01:55 -0800)]
Merge "msm: mdss: hide additional kernel addresses from unprivileged users"
Linux Build Service Account [Fri, 18 Nov 2016 09:54:58 +0000 (01:54 -0800)]
Merge "ASoC: msm: Fix sound card registration failure"
Linux Build Service Account [Fri, 18 Nov 2016 09:54:58 +0000 (01:54 -0800)]
Merge "msm: sde: remove secure camera ctrl_id definition"
Linux Build Service Account [Fri, 18 Nov 2016 09:54:57 +0000 (01:54 -0800)]
Merge "ARM: dts: msm: Add ufs regulators for msmfalcon interposer"
Linux Build Service Account [Fri, 18 Nov 2016 09:54:56 +0000 (01:54 -0800)]
Merge "usb: pd: Stop processing SVDM if handler found"
Linux Build Service Account [Fri, 18 Nov 2016 09:54:54 +0000 (01:54 -0800)]
Merge "sched/hmp: Enhance co-location and scheduler boost features"