authorOleg Matcovschi <omatcovschi@google.com>2018-03-15 17:18:33 -0700
committerOleg Matcovschi <omatcovschi@google.com>2018-03-15 17:23:23 -0700
commit1df3f1db09882a7facd600ecc4865804d548dc77 (patch)
tree1716c699df431ba243058c033d407ed0f3c7bc1d
parentda039c93611cc0da0c16dcd31cbddf16e457a36e (diff)
parentda833fdf800b2cc1233c79d5d9ba0e14e03b5654 (diff)
Merge android-msm-wahoo-4.4-oc-mr1-security-next into android-msm-wahoo-4.4-oc-mr1android-8.1.0_r0.55android-8.1.0_r0.51
May 2018.2 Bug: 74403877 Signed-off-by: Oleg Matcovschi <omatcovschi@google.com> Change-Id: Iff9001cade1c53a7ae7b58a09787f6ac5a7f6a86
-rw-r--r--drivers/gpu/msm/kgsl_debugfs.c2
-rw-r--r--drivers/input/tablet/gtco.c17
-rw-r--r--drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c15
-rw-r--r--drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c5
-rw-r--r--drivers/misc/qseecom.c2
-rw-r--r--drivers/net/wireless/ath/wil6210/wmi.c8
-rw-r--r--drivers/platform/msm/ipa/ipa_v2/ipa_debugfs.c12
-rw-r--r--drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c12
-rw-r--r--drivers/soc/qcom/msm_bus/msm_bus_dbg_voter.c15
-rw-r--r--drivers/staging/qcacld-3.0/core/dp/htt/htt_t2h.c63
-rw-r--r--drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx.c86
-rw-r--r--drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx_types.h15
-rw-r--r--drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_scan.c4
-rw-r--r--drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_probe_req_frame.c7
-rw-r--r--drivers/staging/qcacld-3.0/core/utils/pktlog/linux_ac.c12
-rw-r--r--drivers/staging/qcacld-3.0/core/wma/src/wma_scan_roam.c83
-rw-r--r--drivers/video/fbdev/msm/mdss_mdp_util.c3
-rw-r--r--net/core/net_namespace.c2
-rw-r--r--sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c5
19 files changed, 296 insertions, 72 deletions
diff --git a/drivers/gpu/msm/kgsl_debugfs.c b/drivers/gpu/msm/kgsl_debugfs.c
index 37d92428f02c..592257a332d1 100644
--- a/drivers/gpu/msm/kgsl_debugfs.c
+++ b/drivers/gpu/msm/kgsl_debugfs.c
@@ -299,6 +299,7 @@ static int print_sparse_mem_entry(int id, void *ptr, void *data)
if (!(m->flags & KGSL_MEMFLAGS_SPARSE_VIRT))
return 0;
+ spin_lock(&entry->bind_lock);
node = rb_first(&entry->bind_tree);
while (node != NULL) {
@@ -309,6 +310,7 @@ static int print_sparse_mem_entry(int id, void *ptr, void *data)
obj->v_off, obj->size, obj->p_off);
node = rb_next(node);
}
+ spin_unlock(&entry->bind_lock);
seq_putc(s, '\n');
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
index 7c18249d6c8e..8b68a210277b 100644
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -231,13 +231,17 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
/* Walk this report and pull out the info we need */
while (i < length) {
- prefix = report[i];
-
- /* Skip over prefix */
- i++;
+ prefix = report[i++];
/* Determine data size and save the data in the proper variable */
- size = PREF_SIZE(prefix);
+ size = (1U << PREF_SIZE(prefix)) >> 1;
+ if (i + size > length) {
+ dev_err(ddev,
+ "Not enough data (need %d, have %d)\n",
+ i + size, length);
+ break;
+ }
+
switch (size) {
case 1:
data = report[i];
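Review bot: The new `size = (1U << PREF_SIZE(prefix)) >> 1;` has no comment, so the reader has to work out that the size code (presumably two bits, 0..3) decodes to 0, 1, 2 or 4 data bytes. A one-line comment above it, for example `/* size code 0..3 -> 0, 1, 2 or 4 data bytes */`, would also explain why the switch now uses `case 4:`. The bounds check prints `i + size` and `length` with `%d`; their declarations are outside the hunk, so confirm both are int-sized.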
@@ -245,8 +249,7 @@ static void parse_hid_report_descriptor(struct gtco *device, char * report,
case 2:
data16 = get_unaligned_le16(&report[i]);
break;
- case 3:
- size = 4;
+ case 4:
data32 = get_unaligned_le32(&report[i]);
break;
}
diff --git a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
index cd48f871eb79..c583d02d5321 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/actuator/msm_actuator.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -96,6 +96,11 @@ static void msm_actuator_parse_i2c_params(struct msm_actuator_ctrl_t *a_ctrl,
return;
}
+ if (a_ctrl->i2c_reg_tbl == NULL) {
+ pr_err("failed. i2c reg tabl is NULL");
+ return;
+ }
+
size = a_ctrl->reg_tbl_size;
write_arr = a_ctrl->reg_tbl;
i2c_tbl = a_ctrl->i2c_reg_tbl;
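Review bot: The added `pr_err("failed. i2c reg tabl is NULL")` has no trailing newline and misspells "table", so it can run into the next log record and is hard to search for. I would write `pr_err("%s: i2c_reg_tbl is NULL\n", __func__);`. The function returns void (per the hunk header), so the caller gets no signal that parsing was skipped. Whether a caller needs one depends on code outside the hunk.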
@@ -619,6 +624,8 @@ static int32_t msm_actuator_move_focus(
a_ctrl->curr_step_pos, dest_step_pos, curr_lens_pos);
while (a_ctrl->curr_step_pos != dest_step_pos) {
+ if (a_ctrl->curr_region_index >= a_ctrl->region_size)
+ break;
step_boundary =
a_ctrl->region_params[a_ctrl->curr_region_index].
step_bound[dir];
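Review bot: The added guard leaves the `while` loop with a bare `break` when `curr_region_index >= region_size`, so the out-of-range state is neither logged nor visibly turned into an error. Since it stops an out-of-bounds read of `region_params`, it deserves at least `pr_err("%s: region index out of range\n", __func__);` before the `break`. If the code after the loop (outside this hunk) still reports success, the caller will believe the lens reached `dest_step_pos`, so an error return is worth considering.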
@@ -1278,9 +1285,11 @@ static int32_t msm_actuator_set_param(struct msm_actuator_ctrl_t *a_ctrl,
if (copy_from_user(&a_ctrl->region_params,
(void *)set_info->af_tuning_params.region_params,
- a_ctrl->region_size * sizeof(struct region_params_t)))
+ a_ctrl->region_size * sizeof(struct region_params_t))) {
+ a_ctrl->total_steps = 0;
+ pr_err("Error copying region_params\n");
return -EFAULT;
-
+ }
if (a_ctrl->act_device_type == MSM_CAMERA_PLATFORM_DEVICE) {
cci_client = a_ctrl->i2c_client.cci_client;
cci_client->sid =
diff --git a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
index e602650c4cb5..ebe9ab763a68 100644
--- a/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
+++ b/drivers/misc/qcom/qdsp6v2/audio_hwacc_effects.c
@@ -161,7 +161,6 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
pr_err("%s: Read buffer Allocation failed rc = %d\n",
__func__, rc);
rc = -ENOMEM;
- mutex_unlock(&effects->lock);
goto readbuf_fail;
}
atomic_set(&effects->out_count, effects->config.output.num_buf);
@@ -176,7 +175,6 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
if (rc < 0) {
pr_err("%s: pcm read block config failed\n", __func__);
rc = -EINVAL;
- mutex_unlock(&effects->lock);
goto cfg_fail;
}
pr_debug("%s: dec: sample_rate: %d, num_channels: %d, bit_width: %d\n",
@@ -191,7 +189,6 @@ static int audio_effects_shared_ioctl(struct file *file, unsigned cmd,
pr_err("%s: pcm write format block config failed\n",
__func__);
rc = -EINVAL;
- mutex_unlock(&effects->lock);
goto cfg_fail;
}
@@ -325,6 +322,7 @@ ioctl_fail:
readbuf_fail:
q6asm_audio_client_buf_free_contiguous(IN,
effects->ac);
+ mutex_unlock(&effects->lock);
return rc;
cfg_fail:
q6asm_audio_client_buf_free_contiguous(IN,
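Review bot: With the unlock moved into `readbuf_fail` and `cfg_fail`, every `goto` to either label must now arrive with `effects->lock` held, and only three jump sites are visible in this diff. Any other jump to these labels from a path that has already released the mutex would unlock it a second time, so the remaining sites in audio_effects_shared_ioctl (outside the hunks) need checking. A comment on each label such as `/* entered with effects->lock held */` would keep that invariant visible. The same applies to the `cfg_fail` hunk that follows.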
@@ -332,6 +330,7 @@ cfg_fail:
q6asm_audio_client_buf_free_contiguous(OUT,
effects->ac);
effects->buf_alloc = 0;
+ mutex_unlock(&effects->lock);
return rc;
}
diff --git a/drivers/misc/qseecom.c b/drivers/misc/qseecom.c
index dba339d1ddc0..903f21cead08 100644
--- a/drivers/misc/qseecom.c
+++ b/drivers/misc/qseecom.c
@@ -2541,6 +2541,8 @@ static int qseecom_unload_app(struct qseecom_dev_handle *data,
if (!strcmp((void *)ptr_app->app_name,
(void *)data->client.app_name)) {
found_app = true;
+ if (ptr_app->app_blocked)
+ app_crash = false;
if (app_crash || ptr_app->ref_cnt == 1)
unload = true;
break;
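Review bot: The added `if (ptr_app->app_blocked) app_crash = false;` changes when an app is unloaded but carries no comment explaining why a blocked app must not take the crash path. It also overwrites `app_crash`, which looks like a caller-supplied flag, so later uses of it in qseecom_unload_app (outside the hunk) will see the modified value. I would add a short comment stating the reason and that the ref_cnt rule still applies. If later code needs the original flag, a separate local would be safer than overwriting it.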
diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
index 1d2d9b2e9aca..56f81311482c 100644
--- a/drivers/net/wireless/ath/wil6210/wmi.c
+++ b/drivers/net/wireless/ath/wil6210/wmi.c
@@ -1365,8 +1365,14 @@ int wmi_set_ie(struct wil6210_priv *wil, u8 type, u16 ie_len, const void *ie)
};
int rc;
u16 len = sizeof(struct wmi_set_appie_cmd) + ie_len;
- struct wmi_set_appie_cmd *cmd = kzalloc(len, GFP_KERNEL);
+ struct wmi_set_appie_cmd *cmd;
+ if (len < ie_len) {
+ rc = -EINVAL;
+ goto out;
+ }
+
+ cmd = kzalloc(len, GFP_KERNEL);
if (!cmd) {
rc = -ENOMEM;
goto out;
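Review bot: `cmd` is now declared without an initializer, and the new overflow branch jumps to `out` before it is assigned. If the `out` path (outside this hunk) frees or otherwise touches `cmd`, that would use an indeterminate pointer. Declaring it as `struct wmi_set_appie_cmd *cmd = NULL;` removes the dependency on what `out` does. The wrap test `len < ie_len` is correct for the u16 truncation but not obvious, so a comment such as `/* u16 sum wrapped */` would help.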
diff --git a/drivers/platform/msm/ipa/ipa_v2/ipa_debugfs.c b/drivers/platform/msm/ipa/ipa_v2/ipa_debugfs.c
index cb95f6e98956..5b038a1ee68c 100644
--- a/drivers/platform/msm/ipa/ipa_v2/ipa_debugfs.c
+++ b/drivers/platform/msm/ipa/ipa_v2/ipa_debugfs.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1438,7 +1438,11 @@ static ssize_t ipa_read_nat4(struct file *file,
pr_err("Table Size:%d\n",
ipa_ctx->nat_mem.size_base_tables);
- pr_err("Expansion Table Size:%d\n",
+ if (!ipa_ctx->nat_mem.size_expansion_tables)
+ pr_err("Expansion Table Size:%d\n",
+ ipa_ctx->nat_mem.size_expansion_tables);
+ else
+ pr_err("Expansion Table Size:%d\n",
ipa_ctx->nat_mem.size_expansion_tables-1);
if (!ipa_ctx->nat_mem.is_sys_mem)
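Review bot: The two branches repeat the same `pr_err` format string and differ only in whether 1 is subtracted, and the unbraced `else` carries a two-line statement. Computing the value once and printing it with a single `pr_err("Expansion Table Size:%d\n", ...)` would read better and avoid the duplication. The same pattern appears in ipa3_read_nat4 in ipa_v3/ipa_debugfs.c. The `continue` guards added in the later hunks of both files rely on an enclosing loop that is outside the visible lines.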
@@ -1453,6 +1457,8 @@ static ssize_t ipa_read_nat4(struct file *file,
pr_err("\nBase Table:\n");
} else {
+ if (!ipa_ctx->nat_mem.size_expansion_tables)
+ continue;
tbl_size = ipa_ctx->nat_mem.size_expansion_tables-1;
base_tbl =
(u32 *)ipa_ctx->nat_mem.ipv4_expansion_rules_addr;
@@ -1552,6 +1558,8 @@ static ssize_t ipa_read_nat4(struct file *file,
pr_err("\nIndex Table:\n");
} else {
+ if (!ipa_ctx->nat_mem.size_expansion_tables)
+ continue;
tbl_size = ipa_ctx->nat_mem.size_expansion_tables-1;
indx_tbl =
(u32 *)ipa_ctx->nat_mem.index_table_expansion_addr;
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
index fbf84ab7d2d4..886debd0c294 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_debugfs.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1496,7 +1496,11 @@ static ssize_t ipa3_read_nat4(struct file *file,
pr_err("Table Size:%d\n",
ipa3_ctx->nat_mem.size_base_tables);
- pr_err("Expansion Table Size:%d\n",
+ if (!ipa3_ctx->nat_mem.size_expansion_tables)
+ pr_err("Expansion Table Size:%d\n",
+ ipa3_ctx->nat_mem.size_expansion_tables);
+ else
+ pr_err("Expansion Table Size:%d\n",
ipa3_ctx->nat_mem.size_expansion_tables-1);
if (!ipa3_ctx->nat_mem.is_sys_mem)
@@ -1511,6 +1515,8 @@ static ssize_t ipa3_read_nat4(struct file *file,
pr_err("\nBase Table:\n");
} else {
+ if (!ipa3_ctx->nat_mem.size_expansion_tables)
+ continue;
tbl_size = ipa3_ctx->nat_mem.size_expansion_tables-1;
base_tbl =
(u32 *)ipa3_ctx->nat_mem.ipv4_expansion_rules_addr;
@@ -1610,6 +1616,8 @@ static ssize_t ipa3_read_nat4(struct file *file,
pr_err("\nIndex Table:\n");
} else {
+ if (!ipa3_ctx->nat_mem.size_expansion_tables)
+ continue;
tbl_size = ipa3_ctx->nat_mem.size_expansion_tables-1;
indx_tbl =
(u32 *)ipa3_ctx->nat_mem.index_table_expansion_addr;
diff --git a/drivers/soc/qcom/msm_bus/msm_bus_dbg_voter.c b/drivers/soc/qcom/msm_bus/msm_bus_dbg_voter.c
index a876484859eb..ba1adb8acea7 100644
--- a/drivers/soc/qcom/msm_bus/msm_bus_dbg_voter.c
+++ b/drivers/soc/qcom/msm_bus/msm_bus_dbg_voter.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2017, The Linux Foundation. All rights reserved.
*
* This program is Mree software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -27,6 +27,7 @@ struct msm_bus_floor_client_type {
};
static struct class *bus_floor_class;
+static DEFINE_RT_MUTEX(msm_bus_floor_vote_lock);
#define MAX_VOTER_NAME (50)
#define DEFAULT_NODE_WIDTH (8)
#define DBG_NAME(s) (strnstr(s, "-", 7) + 1)
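Review bot: The new `msm_bus_floor_vote_lock` is declared without a comment saying what it protects. From the later hunks it serialises the sysfs store handlers around `dev_get_drvdata()`, the `cl` fields and the vote calls, so I would add `/* serialises bus_floor_* sysfs stores and the floor vote they trigger */` above the definition. It would also help to note whether any reader of `cl->cur_vote_hz` or `cl->active_only` outside these handlers is expected to take the lock.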
@@ -64,18 +65,22 @@ static ssize_t bus_floor_active_only_store(struct device *dev,
{
struct msm_bus_floor_client_type *cl;
+ rt_mutex_lock(&msm_bus_floor_vote_lock);
cl = dev_get_drvdata(dev);
if (!cl) {
pr_err("%s: Can't find cl", __func__);
+ rt_mutex_unlock(&msm_bus_floor_vote_lock);
return 0;
}
if (sscanf(buf, "%d", &cl->active_only) != 1) {
pr_err("%s:return error", __func__);
+ rt_mutex_unlock(&msm_bus_floor_vote_lock);
return -EINVAL;
}
+ rt_mutex_unlock(&msm_bus_floor_vote_lock);
return n;
}
@@ -100,20 +105,24 @@ static ssize_t bus_floor_vote_store(struct device *dev,
struct msm_bus_floor_client_type *cl;
int ret = 0;
+ rt_mutex_lock(&msm_bus_floor_vote_lock);
cl = dev_get_drvdata(dev);
if (!cl) {
pr_err("%s: Can't find cl", __func__);
+ rt_mutex_unlock(&msm_bus_floor_vote_lock);
return 0;
}
if (sscanf(buf, "%llu", &cl->cur_vote_hz) != 1) {
pr_err("%s:return error", __func__);
+ rt_mutex_unlock(&msm_bus_floor_vote_lock);
return -EINVAL;
}
ret = msm_bus_floor_vote_context(dev_name(dev), cl->cur_vote_hz,
cl->active_only);
+ rt_mutex_unlock(&msm_bus_floor_vote_lock);
return n;
}
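Review bot: The result of `msm_bus_floor_vote_context()` is stored in `ret` and then discarded, so bus_floor_vote_store returns `n` even when the vote fails. User space then cannot tell that the write had no effect. I would return the error, e.g. `return ret ? ret : n;` after the unlock, assuming the helper returns a negative errno on failure. bus_floor_vote_store_api does the same with `msm_bus_floor_vote()` in the later hunk. Each handler now has three separate unlock sites, which a single `out:` label would reduce to one.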
@@ -126,15 +135,18 @@ static ssize_t bus_floor_vote_store_api(struct device *dev,
char name[10];
u64 vote_khz = 0;
+ rt_mutex_lock(&msm_bus_floor_vote_lock);
cl = dev_get_drvdata(dev);
if (!cl) {
pr_err("%s: Can't find cl", __func__);
+ rt_mutex_unlock(&msm_bus_floor_vote_lock);
return 0;
}
if (sscanf(buf, "%9s %llu", name, &vote_khz) != 2) {
pr_err("%s:return error", __func__);
+ rt_mutex_unlock(&msm_bus_floor_vote_lock);
return -EINVAL;
}
@@ -142,6 +154,7 @@ static ssize_t bus_floor_vote_store_api(struct device *dev,
__func__, name, vote_khz);
ret = msm_bus_floor_vote(name, vote_khz);
+ rt_mutex_unlock(&msm_bus_floor_vote_lock);
return n;
}
diff --git a/drivers/staging/qcacld-3.0/core/dp/htt/htt_t2h.c b/drivers/staging/qcacld-3.0/core/dp/htt/htt_t2h.c
index 3111c0102006..ad15b5dc2296 100644
--- a/drivers/staging/qcacld-3.0/core/dp/htt/htt_t2h.c
+++ b/drivers/staging/qcacld-3.0/core/dp/htt/htt_t2h.c
@@ -601,6 +601,9 @@ static void htt_t2h_rx_in_order_indication_handler(
}
#endif
+#define HTT_TX_COMPL_HEAD_SZ 4
+#define HTT_TX_COMPL_BYTES_PER_MSDU_ID 2
+
/**
* Generic Target to host Msg/event handler for low priority messages
* Low priority message are handler in a different handler called from
@@ -691,10 +694,26 @@ void htt_t2h_msg_handler(void *context, HTC_PACKET *pkt)
{
int num_msdus;
enum htt_tx_status status;
+ int msg_len = qdf_nbuf_len(htt_t2h_msg);
/* status - no enum translation needed */
status = HTT_TX_COMPL_IND_STATUS_GET(*msg_word);
num_msdus = HTT_TX_COMPL_IND_NUM_GET(*msg_word);
+
+ /*
+ * each desc id will occupy 2 bytes.
+ * the 4 is for htt msg header
+ */
+ if ((num_msdus * HTT_TX_COMPL_BYTES_PER_MSDU_ID +
+ HTT_TX_COMPL_HEAD_SZ) > msg_len) {
+ qdf_print("%s: num_msdus(%d) is invalid,"
+ "adf_nbuf_len = %d\n",
+ __FUNCTION__,
+ num_msdus,
+ msg_len);
+ break;
+ }
+
if (num_msdus & 0x1) {
struct htt_tx_compl_ind_base *compl =
(void *)msg_word;
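Review bot: The same length check and log call are pasted into four switch cases (here, the TX_INSPECT_IND case, and both cases in htt_t2h_msg_handler_fast), so a small static helper taking `num_msdus` and `msg_len` would keep them from drifting apart. The message is built from `"... is invalid,"` `"adf_nbuf_len = %d\n"`, which prints with no space after the comma and names `adf_nbuf_len` although the value comes from `qdf_nbuf_len()`. I would use one literal, `"%s: num_msdus(%d) is invalid, qdf_nbuf_len = %d\n"`. `msg_len` is an `int` and the return type of `qdf_nbuf_len()` is not visible here, so confirm the narrowing is harmless.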
@@ -770,8 +789,23 @@ void htt_t2h_msg_handler(void *context, HTC_PACKET *pkt)
case HTT_T2H_MSG_TYPE_TX_INSPECT_IND:
{
int num_msdus;
+ int msg_len = qdf_nbuf_len(htt_t2h_msg);
num_msdus = HTT_TX_COMPL_IND_NUM_GET(*msg_word);
+ /*
+ * each desc id will occupy 2 bytes.
+ * the 4 is for htt msg header
+ */
+ if ((num_msdus * HTT_TX_COMPL_BYTES_PER_MSDU_ID +
+ HTT_TX_COMPL_HEAD_SZ) > msg_len) {
+ qdf_print("%s: num_msdus(%d) is invalid,"
+ "adf_nbuf_len = %d\n",
+ __FUNCTION__,
+ num_msdus,
+ msg_len);
+ break;
+ }
+
if (num_msdus & 0x1) {
struct htt_tx_compl_ind_base *compl =
(void *)msg_word;
@@ -917,6 +951,21 @@ void htt_t2h_msg_handler_fast(void *context, qdf_nbuf_t *cmpl_msdus,
/* status - no enum translation needed */
status = HTT_TX_COMPL_IND_STATUS_GET(*msg_word);
num_msdus = HTT_TX_COMPL_IND_NUM_GET(*msg_word);
+
+ /*
+ * each desc id will occupy 2 bytes.
+ * the 4 is for htt msg header
+ */
+ if ((num_msdus * HTT_TX_COMPL_BYTES_PER_MSDU_ID +
+ HTT_TX_COMPL_HEAD_SZ) > msg_len) {
+ qdf_print("%s: num_msdus(%d) is invalid,"
+ "adf_nbuf_len = %d\n",
+ __FUNCTION__,
+ num_msdus,
+ msg_len);
+ break;
+ }
+
if (num_msdus & 0x1) {
struct htt_tx_compl_ind_base *compl =
(void *)msg_word;
@@ -976,6 +1025,20 @@ void htt_t2h_msg_handler_fast(void *context, qdf_nbuf_t *cmpl_msdus,
int num_msdus;
num_msdus = HTT_TX_COMPL_IND_NUM_GET(*msg_word);
+ /*
+ * each desc id will occupy 2 bytes.
+ * the 4 is for htt msg header
+ */
+ if ((num_msdus * HTT_TX_COMPL_BYTES_PER_MSDU_ID +
+ HTT_TX_COMPL_HEAD_SZ) > msg_len) {
+ qdf_print("%s: num_msdus(%d) is invalid,"
+ "adf_nbuf_len = %d\n",
+ __FUNCTION__,
+ num_msdus,
+ msg_len);
+ break;
+ }
+
if (num_msdus & 0x1) {
struct htt_tx_compl_ind_base *compl =
(void *)msg_word;
diff --git a/drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx.c b/drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx.c
index 7f7048559b3c..5d55f56a4fca 100644
--- a/drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx.c
+++ b/drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx.c
@@ -1154,6 +1154,10 @@ ol_txrx_pdev_attach(ol_pdev_handle ctrl_pdev,
TAILQ_INIT(&pdev->vdev_list);
+ TAILQ_INIT(&pdev->req_list);
+ pdev->req_list_depth = 0;
+ qdf_spinlock_create(&pdev->req_list_spinlock);
+
/* do initial set up of the peer ID -> peer object lookup map */
if (ol_txrx_peer_find_attach(pdev))
goto fail1;
@@ -1921,6 +1925,8 @@ void ol_txrx_pdev_pre_detach(ol_txrx_pdev_handle pdev, int force)
void ol_txrx_pdev_detach(ol_txrx_pdev_handle pdev)
{
struct hif_opaque_softc *osc = cds_get_context(QDF_MODULE_ID_HIF);
+ struct ol_txrx_stats_req_internal *req;
+ int i = 0;
/*checking to ensure txrx pdev structure is not NULL */
if (!pdev) {
@@ -1931,6 +1937,30 @@ void ol_txrx_pdev_detach(ol_txrx_pdev_handle pdev)
htt_pktlogmod_exit(pdev, osc);
+ qdf_spin_lock_bh(&pdev->req_list_spinlock);
+ if (pdev->req_list_depth > 0)
+ ol_txrx_err(
+ "Warning: the txrx req list is not empty, depth=%d\n",
+ pdev->req_list_depth
+ );
+ TAILQ_FOREACH(req, &pdev->req_list, req_list_elem) {
+ TAILQ_REMOVE(&pdev->req_list, req, req_list_elem);
+ pdev->req_list_depth--;
+ ol_txrx_err(
+ "%d: %p,verbose(%d), concise(%d), up_m(0x%x), reset_m(0x%x)\n",
+ i++,
+ req,
+ req->base.print.verbose,
+ req->base.print.concise,
+ req->base.stats_type_upload_mask,
+ req->base.stats_type_reset_mask
+ );
+ qdf_mem_free(req);
+ }
+ qdf_spin_unlock_bh(&pdev->req_list_spinlock);
+
+ qdf_spinlock_destroy(&pdev->req_list_spinlock);
+
OL_RX_REORDER_TIMEOUT_CLEANUP(pdev);
if (pdev->cfg.is_high_latency)
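Review bot: The cleanup loop frees `req` with `qdf_mem_free(req)` inside `TAILQ_FOREACH`, which then reads the freed element's link to advance, so this is a use-after-free on every iteration. Use the removal-safe iterator with a second cursor: declare `struct ol_txrx_stats_req_internal *req, *next;` and loop with `TAILQ_FOREACH_SAFE(req, &pdev->req_list, req_list_elem, next) {`. The loop also logs each request with `%p` while holding the bottom-half spinlock. On this kernel that prints raw heap addresses, so consider dropping the pointer from the message.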
@@ -3624,13 +3654,6 @@ void ol_txrx_discard_tx_pending(ol_txrx_pdev_handle pdev_handle)
ol_tx_discard_target_frms(pdev_handle);
}
-/*--- debug features --------------------------------------------------------*/
-struct ol_txrx_stats_req_internal {
- struct ol_txrx_stats_req base;
- int serviced; /* state of this request */
- int offset;
-};
-
static inline
uint64_t ol_txrx_stats_ptr_to_u64(struct ol_txrx_stats_req_internal *req)
{
@@ -3684,19 +3707,29 @@ ol_txrx_fw_stats_get(ol_txrx_vdev_handle vdev, struct ol_txrx_stats_req *req,
/* use the non-volatile request object's address as the cookie */
cookie = ol_txrx_stats_ptr_to_u64(non_volatile_req);
+ if (response_expected) {
+ qdf_spin_lock_bh(&pdev->req_list_spinlock);
+ TAILQ_INSERT_TAIL(&pdev->req_list, non_volatile_req, req_list_elem);
+ pdev->req_list_depth++;
+ qdf_spin_unlock_bh(&pdev->req_list_spinlock);
+ }
+
if (htt_h2t_dbg_stats_get(pdev->htt_pdev,
req->stats_type_upload_mask,
req->stats_type_reset_mask,
HTT_H2T_STATS_REQ_CFG_STAT_TYPE_INVALID, 0,
cookie)) {
+ if (response_expected) {
+ qdf_spin_lock_bh(&pdev->req_list_spinlock);
+ TAILQ_REMOVE(&pdev->req_list, non_volatile_req, req_list_elem);
+ pdev->req_list_depth--;
+ qdf_spin_unlock_bh(&pdev->req_list_spinlock);
+ }
+
qdf_mem_free(non_volatile_req);
return A_ERROR;
}
- if (req->wait.blocking)
- while (qdf_semaphore_acquire(req->wait.sem_ptr))
- ;
-
if (response_expected == false)
qdf_mem_free(non_volatile_req);
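Review bot: ol_txrx_fw_stats_get no longer waits on `req->wait.sem_ptr`, and the handler hunk drops the matching release, so a caller that sets `wait.blocking` now returns at once without any diagnostic. If the `wait` fields stay in `struct ol_txrx_stats_req`, either reject blocking requests explicitly or document that the field is ignored. A request whose response never arrives stays on `req_list` until ol_txrx_pdev_detach, and nothing visible bounds `req_list_depth`. The two new TAILQ lines also exceed 80 columns.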
@@ -3711,11 +3744,27 @@ ol_txrx_fw_stats_handler(ol_txrx_pdev_handle pdev,
enum htt_dbg_stats_status status;
int length;
uint8_t *stats_data;
- struct ol_txrx_stats_req_internal *req;
+ struct ol_txrx_stats_req_internal *req, *tmp;
int more = 0;
+ int found = 0;
req = ol_txrx_u64_to_stats_ptr(cookie);
+ qdf_spin_lock_bh(&pdev->req_list_spinlock);
+ TAILQ_FOREACH(tmp, &pdev->req_list, req_list_elem) {
+ if (req == tmp) {
+ found = 1;
+ break;
+ }
+ }
+ qdf_spin_unlock_bh(&pdev->req_list_spinlock);
+
+ if (!found) {
+ ol_txrx_err(
+ "req(%p) from firmware can't be found in the list\n", req);
+ return;
+ }
+
do {
htt_t2h_dbg_stats_hdr_parse(stats_info_list, &type, &status,
&length, &stats_data);
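Review bot: The lookup validates `req` under `req_list_spinlock` but releases the lock before the `do` loop uses the request, so the check and the use are not atomic. If ol_txrx_pdev_detach, which frees every list entry under the same lock, can run concurrently with this handler, `req` may be freed between the lookup and the later dereferences. It is worth stating in a comment why that cannot happen, or marking the request busy while it is being serviced. The loop body is outside this hunk, so how much of it touches `req` cannot be seen here.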
@@ -3896,9 +3945,16 @@ ol_txrx_fw_stats_handler(ol_txrx_pdev_handle pdev,
} while (1);
if (!more) {
- if (req->base.wait.blocking)
- qdf_semaphore_release(req->base.wait.sem_ptr);
- qdf_mem_free(req);
+ qdf_spin_lock_bh(&pdev->req_list_spinlock);
+ TAILQ_FOREACH(tmp, &pdev->req_list, req_list_elem) {
+ if (req == tmp) {
+ TAILQ_REMOVE(&pdev->req_list, req, req_list_elem);
+ pdev->req_list_depth--;
+ qdf_mem_free(req);
+ break;
+ }
+ }
+ qdf_spin_unlock_bh(&pdev->req_list_spinlock);
}
}
diff --git a/drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx_types.h b/drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx_types.h
index 6dbf0ac8b0d8..9c3801a477cd 100644
--- a/drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx_types.h
+++ b/drivers/staging/qcacld-3.0/core/dp/txrx/ol_txrx_types.h
@@ -513,6 +513,17 @@ struct ol_txrx_peer_id_map {
qdf_atomic_t del_peer_id_ref_cnt;
};
+/**
+ * ol_txrx_stats_req_internal - specifications of the requested
+ * statistics internally
+ */
+struct ol_txrx_stats_req_internal {
+ struct ol_txrx_stats_req base;
+ TAILQ_ENTRY(ol_txrx_stats_req_internal) req_list_elem;
+ int serviced; /* state of this request */
+ int offset;
+};
+
/*
* As depicted in the diagram below, the pdev contains an array of
* NUM_EXT_TID ol_tx_active_queues_in_tid_t elements.
@@ -630,6 +641,10 @@ struct ol_txrx_pdev_t {
/* ol_txrx_vdev list */
TAILQ_HEAD(, ol_txrx_vdev_t) vdev_list;
+ TAILQ_HEAD(, ol_txrx_stats_req_internal) req_list;
+ int req_list_depth;
+ qdf_spinlock_t req_list_spinlock;
+
/* peer ID to peer object map (array of pointers to peer objects) */
struct ol_txrx_peer_id_map *peer_id_to_obj_map;
diff --git a/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_scan.c b/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_scan.c
index 6dce9ff078d8..0aa8eac5e0ec 100644
--- a/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_scan.c
+++ b/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_scan.c
@@ -2562,9 +2562,9 @@ static int __wlan_hdd_cfg80211_vendor_scan(struct wiphy *wiphy,
struct cfg80211_scan_request *request = NULL;
struct nlattr *attr;
enum nl80211_band band;
- uint8_t n_channels = 0, n_ssid = 0, ie_len = 0;
+ uint8_t n_channels = 0, n_ssid = 0;
uint32_t tmp, count, j;
- unsigned int len;
+ size_t len, ie_len;
struct ieee80211_channel *chan;
hdd_context_t *hdd_ctx = wiphy_priv(wiphy);
int ret;
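Review bot: Widening `ie_len` to `size_t` also drops its `= 0` initializer, since the old declaration was `ie_len = 0` and the new one is `size_t len, ie_len;`. If any path in __wlan_hdd_cfg80211_vendor_scan (outside this hunk) reads `ie_len` before assigning it, for example when the IE attribute is absent, the value is now indeterminate. I would keep the initializer: `size_t len, ie_len = 0;`.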
diff --git a/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_probe_req_frame.c b/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_probe_req_frame.c
index 620b98616178..8d2ff306832d 100644
--- a/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_probe_req_frame.c
+++ b/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_probe_req_frame.c
@@ -666,6 +666,13 @@ lim_send_sme_probe_req_ind(tpAniSirGlobal pMac,
MTRACE(mac_trace(pMac, TRACE_CODE_TX_SME_MSG,
psessionEntry->peSessionId, msgQ.type));
+
+ if (ProbeReqIELen > sizeof(pSirSmeProbeReqInd->WPSPBCProbeReq.
+ probeReqIE)) {
+ ProbeReqIELen = sizeof(pSirSmeProbeReqInd->WPSPBCProbeReq.
+ probeReqIE);
+ }
+
pSirSmeProbeReqInd->WPSPBCProbeReq.probeReqIELen =
(uint16_t) ProbeReqIELen;
qdf_mem_copy(pSirSmeProbeReqInd->WPSPBCProbeReq.probeReqIE, pProbeReqIE,
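Review bot: The clamp silently truncates `ProbeReqIELen` to `sizeof(...probeReqIE)`, so an oversized probe request is forwarded with its IE data cut at an arbitrary byte, possibly mid-element, and nothing records that this happened. I would log the original length before clamping, ideally rate-limited, and state in a comment that the consumer must tolerate a truncated trailing element. The `qdf_mem_copy` length argument is on a line outside this hunk, so confirm it uses the clamped `ProbeReqIELen`.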
diff --git a/drivers/staging/qcacld-3.0/core/utils/pktlog/linux_ac.c b/drivers/staging/qcacld-3.0/core/utils/pktlog/linux_ac.c
index e707932dc27d..66d788d4e44c 100644
--- a/drivers/staging/qcacld-3.0/core/utils/pktlog/linux_ac.c
+++ b/drivers/staging/qcacld-3.0/core/utils/pktlog/linux_ac.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -78,6 +78,8 @@ static struct ath_pktlog_info *g_pktlog_info;
static struct proc_dir_entry *g_pktlog_pde;
+static DEFINE_MUTEX(proc_mutex);
+
static int pktlog_attach(struct hif_opaque_softc *sc);
static void pktlog_detach(struct hif_opaque_softc *sc);
static int pktlog_open(struct inode *i, struct file *f);
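Review bot: `proc_mutex` is a very generic name for a file-scope lock and has no comment describing its scope. The later hunks take it for the whole of the pktlog enable and size sysctl handlers, around their use of `ctl->data` and `ctl->maxlen`, so something like `/* serialises the pktlog sysctl handlers, which temporarily repoint ctl->data */` would document that. Only the exits shown in the hunks are visibly unlocked. Any other return between the lock and the final unlock in those handlers needs the same treatment.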
@@ -225,9 +227,11 @@ qdf_sysctl_decl(ath_sysctl_pktlog_enable, ctl, write, filp, buffer, lenp, ppos)
ol_ath_generic_softc_handle scn;
struct ol_pktlog_dev_t *pl_dev;
+ mutex_lock(&proc_mutex);
scn = (ol_ath_generic_softc_handle) ctl->extra1;
if (!scn) {
+ mutex_unlock(&proc_mutex);
printk("%s: Invalid scn context\n", __func__);
ASSERT(0);
return -EINVAL;
@@ -236,6 +240,7 @@ qdf_sysctl_decl(ath_sysctl_pktlog_enable, ctl, write, filp, buffer, lenp, ppos)
pl_dev = get_pl_handle((struct hif_opaque_softc *)scn);
if (!pl_dev) {
+ mutex_unlock(&proc_mutex);
printk("%s: Invalid pktlog context\n", __func__);
ASSERT(0);
return -ENODEV;
@@ -266,6 +271,7 @@ qdf_sysctl_decl(ath_sysctl_pktlog_enable, ctl, write, filp, buffer, lenp, ppos)
ctl->data = NULL;
ctl->maxlen = 0;
+ mutex_unlock(&proc_mutex);
return ret;
}
@@ -283,9 +289,11 @@ qdf_sysctl_decl(ath_sysctl_pktlog_size, ctl, write, filp, buffer, lenp, ppos)
ol_ath_generic_softc_handle scn;
struct ol_pktlog_dev_t *pl_dev;
+ mutex_lock(&proc_mutex);
scn = (ol_ath_generic_softc_handle) ctl->extra1;
if (!scn) {
+ mutex_unlock(&proc_mutex);
printk("%s: Invalid scn context\n", __func__);
ASSERT(0);
return -EINVAL;
@@ -294,6 +302,7 @@ qdf_sysctl_decl(ath_sysctl_pktlog_size, ctl, write, filp, buffer, lenp, ppos)
pl_dev = get_pl_handle((struct hif_opaque_softc *)scn);
if (!pl_dev) {
+ mutex_unlock(&proc_mutex);
printk("%s: Invalid pktlog handle\n", __func__);
ASSERT(0);
return -ENODEV;
@@ -316,6 +325,7 @@ qdf_sysctl_decl(ath_sysctl_pktlog_size, ctl, write, filp, buffer, lenp, ppos)
ctl->data = NULL;
ctl->maxlen = 0;
+ mutex_unlock(&proc_mutex);
return ret;
}
diff --git a/drivers/staging/qcacld-3.0/core/wma/src/wma_scan_roam.c b/drivers/staging/qcacld-3.0/core/wma/src/wma_scan_roam.c
index 3c58cafc79d5..0caa94654778 100644
--- a/drivers/staging/qcacld-3.0/core/wma/src/wma_scan_roam.c
+++ b/drivers/staging/qcacld-3.0/core/wma/src/wma_scan_roam.c
@@ -4314,6 +4314,11 @@ int wma_extscan_hotlist_match_event_handler(void *handle,
dest_ap->ieLength = src_hotlist->ie_length;
WMI_MAC_ADDR_TO_CHAR_ARRAY(&src_hotlist->bssid,
dest_ap->bssid.bytes);
+ if (src_hotlist->ssid.ssid_len > SIR_MAC_MAX_SSID_LENGTH) {
+ WMA_LOGE("%s Invalid SSID len %d, truncating",
+ __func__, src_hotlist->ssid.ssid_len);
+ src_hotlist->ssid.ssid_len = SIR_MAC_MAX_SSID_LENGTH;
+ }
qdf_mem_copy(dest_ap->ssid, src_hotlist->ssid.ssid,
src_hotlist->ssid.ssid_len);
dest_ap->ssid[src_hotlist->ssid.ssid_len] = '\0';
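Review bot: After clamping, the code writes `dest_ap->ssid[ssid_len] = '\0'` with `ssid_len` as large as `SIR_MAC_MAX_SSID_LENGTH`, which is only in bounds if the destination array has at least `SIR_MAC_MAX_SSID_LENGTH + 1` bytes. That declaration is not visible here and should be confirmed. The clamp is done by rewriting `src_hotlist->ssid.ssid_len` in the received event, and a local clamped length would avoid mutating the input buffer. The same pattern is added in wma_group_num_bss_to_scan_id and wma_passpoint_match_event_handler. The first site logs with WMA_LOGE and the other two with WMA_LOGD, so pick one level. Two lines earlier `dest_ap->ieLength` is taken from `src_hotlist->ie_length` with no visible bound.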
@@ -4488,6 +4493,13 @@ static int wma_group_num_bss_to_scan_id(const u_int8_t *cmd_param_info,
WMI_MAC_ADDR_TO_CHAR_ARRAY(&src_hotlist->bssid,
ap->bssid.bytes);
+ if (src_hotlist->ssid.ssid_len >
+ SIR_MAC_MAX_SSID_LENGTH) {
+ WMA_LOGD("%s Invalid SSID len %d, truncating",
+ __func__, src_hotlist->ssid.ssid_len);
+ src_hotlist->ssid.ssid_len =
+ SIR_MAC_MAX_SSID_LENGTH;
+ }
qdf_mem_copy(ap->ssid, src_hotlist->ssid.ssid,
src_hotlist->ssid.ssid_len);
ap->ssid[src_hotlist->ssid.ssid_len] = '\0';
@@ -4522,7 +4534,7 @@ int wma_extscan_cached_results_event_handler(void *handle,
struct extscan_cached_scan_results empty_cachelist;
wmi_extscan_wlan_descriptor *src_hotlist;
wmi_extscan_rssi_info *src_rssi;
- int numap, i, moredata, scan_ids_cnt, buf_len;
+ int i, moredata, scan_ids_cnt, buf_len;
tpAniSirGlobal pMac = cds_get_context(QDF_MODULE_ID_PE);
uint32_t total_len;
bool excess_data = false;
@@ -4544,47 +4556,29 @@ int wma_extscan_cached_results_event_handler(void *handle,
event = param_buf->fixed_param;
src_hotlist = param_buf->bssid_list;
src_rssi = param_buf->rssi_list;
- numap = event->num_entries_in_page;
WMA_LOGD("Total_entries: %u first_entry_index: %u num_entries_in_page: %d",
event->total_entries,
- event->first_entry_index, numap);
- if (!src_hotlist || !src_rssi || !numap) {
+ event->first_entry_index,
+ event->num_entries_in_page);
+
+ if (!src_hotlist || !src_rssi || !event->num_entries_in_page) {
WMA_LOGW("%s: Cached results empty, send 0 results", __func__);
goto noresults;
}
- if (event->first_entry_index +
- event->num_entries_in_page < event->total_entries)
- moredata = 1;
- else
- moredata = 0;
-
- dest_cachelist = qdf_mem_malloc(sizeof(*dest_cachelist));
- if (!dest_cachelist) {
- WMA_LOGE("%s: qdf_mem_malloc failed", __func__);
- return -ENOMEM;
- }
- qdf_mem_zero(dest_cachelist, sizeof(*dest_cachelist));
- dest_cachelist->request_id = event->request_id;
- dest_cachelist->more_data = moredata;
-
- scan_ids_cnt = wma_extscan_find_unique_scan_ids(cmd_param_info);
- WMA_LOGD("%s: scan_ids_cnt %d", __func__, scan_ids_cnt);
- dest_cachelist->num_scan_ids = scan_ids_cnt;
if (event->num_entries_in_page >
- (WMI_SVC_MSG_MAX_SIZE - sizeof(*event))/sizeof(*src_hotlist)) {
+ (WMI_SVC_MSG_MAX_SIZE - sizeof(*event))/sizeof(*src_hotlist)) {
WMA_LOGE("%s:excess num_entries_in_page %d in WMI event",
- __func__, event->num_entries_in_page);
- qdf_mem_free(dest_cachelist);
- QDF_ASSERT(0);
+ __func__,
+ event->num_entries_in_page);
return -EINVAL;
} else {
total_len = sizeof(*event) +
(event->num_entries_in_page * sizeof(*src_hotlist));
}
for (i = 0; i < event->num_entries_in_page; i++) {
- if (src_hotlist[i].ie_length > WMI_SVC_MSG_MAX_SIZE -
- total_len) {
+ if (src_hotlist[i].ie_length >
+ WMI_SVC_MSG_MAX_SIZE - total_len) {
excess_data = true;
break;
} else {
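Review bot: The reordered validation bounds `num_entries_in_page`, `ie_length` and `number_rssi_samples` only against `WMI_SVC_MSG_MAX_SIZE`, not against the number of `bssid_list` and `rssi_list` elements actually present in `param_buf`. An event shorter than the maximum can still claim more entries than it carries, and the loop over `src_hotlist[i]` would then read past the received data. If the TLV parser exposes element counts for those arrays, compare against them here as well. The `else` branches after `return -EINVAL;` and `break;` are redundant. The `first_entry_index + num_entries_in_page` sum in the later hunk can wrap if both come from firmware unchecked.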
@@ -4593,7 +4587,7 @@ int wma_extscan_cached_results_event_handler(void *handle,
}
if (src_hotlist[i].number_rssi_samples >
- (WMI_SVC_MSG_MAX_SIZE - total_len)/sizeof(*src_rssi)) {
+ (WMI_SVC_MSG_MAX_SIZE - total_len) / sizeof(*src_rssi)) {
excess_data = true;
break;
} else {
@@ -4604,11 +4598,29 @@ int wma_extscan_cached_results_event_handler(void *handle,
}
if (excess_data) {
WMA_LOGE("%s:excess data in WMI event",
- __func__);
- qdf_mem_free(dest_cachelist);
- QDF_ASSERT(0);
+ __func__);
return -EINVAL;
}
+
+ if (event->first_entry_index +
+ event->num_entries_in_page < event->total_entries)
+ moredata = 1;
+ else
+ moredata = 0;
+
+ dest_cachelist = qdf_mem_malloc(sizeof(*dest_cachelist));
+ if (!dest_cachelist) {
+ WMA_LOGE("%s: qdf_mem_malloc failed", __func__);
+ return -ENOMEM;
+ }
+ qdf_mem_zero(dest_cachelist, sizeof(*dest_cachelist));
+ dest_cachelist->request_id = event->request_id;
+ dest_cachelist->more_data = moredata;
+
+ scan_ids_cnt = wma_extscan_find_unique_scan_ids(cmd_param_info);
+ WMA_LOGD("%s: scan_ids_cnt %d", __func__, scan_ids_cnt);
+ dest_cachelist->num_scan_ids = scan_ids_cnt;
+
buf_len = sizeof(*dest_result) * scan_ids_cnt;
dest_cachelist->result = qdf_mem_malloc(buf_len);
if (!dest_cachelist->result) {
@@ -4814,10 +4826,15 @@ int wma_passpoint_match_event_handler(void *handle,
WMI_SVC_MSG_MAX_SIZE) {
WMA_LOGE("IE Length: %d or ANQP Length: %d is huge",
event->ie_length, event->anqp_length);
- QDF_ASSERT(0);
return -EINVAL;
}
+ if (event->ssid.ssid_len > SIR_MAC_MAX_SSID_LENGTH) {
+ WMA_LOGD("%s: Invalid ssid len %d, truncating",
+ __func__, event->ssid.ssid_len);
+ event->ssid.ssid_len = SIR_MAC_MAX_SSID_LENGTH;
+ }
+
dest_match = qdf_mem_malloc(sizeof(*dest_match) +
event->ie_length + event->anqp_length);
if (!dest_match) {
diff --git a/drivers/video/fbdev/msm/mdss_mdp_util.c b/drivers/video/fbdev/msm/mdss_mdp_util.c
index 378798df3f05..e859f33e3aa9 100644
--- a/drivers/video/fbdev/msm/mdss_mdp_util.c
+++ b/drivers/video/fbdev/msm/mdss_mdp_util.c
@@ -524,11 +524,12 @@ int mdss_mdp_get_plane_sizes(struct mdss_mdp_format_params *fmt, u32 w, u32 h,
if (ps == NULL)
return -EINVAL;
+ memset(ps, 0, sizeof(struct mdss_mdp_plane_sizes));
+
if ((w > MAX_IMG_WIDTH) || (h > MAX_IMG_HEIGHT))
return -ERANGE;
bpp = fmt->bpp;
- memset(ps, 0, sizeof(struct mdss_mdp_plane_sizes));
if (mdss_mdp_is_ubwc_format(fmt)) {
rc = mdss_mdp_get_ubwc_plane_size(fmt, w, h, ps);
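Review bot: `fmt` is dereferenced at `bpp = fmt->bpp;` with no NULL test in the visible lines, although `ps` is checked just above. If callers can pass a NULL format, this needs the same guard, but the start of the function is outside the hunk, so this may already be handled. On the moved line, `memset(ps, 0, sizeof(*ps));` ties the size to the pointer and avoids restating the struct name. A brief comment that `ps` is zeroed first so the `-ERANGE` return cannot leave stale sizes would record why the order matters.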
diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
index 2e9a1c2818c7..b5c351d2830b 100644
--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -261,7 +261,7 @@ struct net *get_net_ns_by_id(struct net *net, int id)
spin_lock_irqsave(&net->nsid_lock, flags);
peer = idr_find(&net->netns_ids, id);
if (peer)
- get_net(peer);
+ peer = maybe_get_net(peer);
spin_unlock_irqrestore(&net->nsid_lock, flags);
rcu_read_unlock();
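Review bot: The switch to `peer = maybe_get_net(peer);` is not explained, and the difference from `get_net()` is easy to miss. I would add `/* the netns may already be on its way out: only take a reference if the count is still non-zero */` above it. The function can now return NULL for an id that `idr_find()` still resolves, so callers must treat NULL as "not found". The return statement and callers are outside the hunk.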
diff --git a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
index 37b4882a6f6a..d0888ce9ed9f 100644
--- a/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
+++ b/sound/soc/msm/qdsp6v2/msm-pcm-q6-v2.c
@@ -182,6 +182,11 @@ static void event_handler(uint32_t opcode,
case ASM_DATA_EVENT_READ_DONE_V2: {
pr_debug("ASM_DATA_EVENT_READ_DONE_V2\n");
buf_index = q6asm_get_buf_index_from_token(token);
+ if (buf_index >= CAPTURE_MAX_NUM_PERIODS) {
+ pr_err("%s: buffer index %u is out of range.\n",
+ __func__, buf_index);
+ return;
+ }
pr_debug("%s: token=0x%08x buf_index=0x%08x\n",
__func__, token, buf_index);
prtd->in_frame_info[buf_index].size = payload[4];
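Review bot: The new guard bounds `buf_index`, but the next line reads `payload[4]` with no visible check that the event payload holds at least five words. If the payload size is available to event_handler, validate it before indexing. The start of the handler is outside the hunk, so a check may already exist there. Also confirm that `CAPTURE_MAX_NUM_PERIODS` is the declared dimension of `in_frame_info`, since the guard only helps if the two match.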