Commits on Jul 13, 2016
  1. netfilter: x_tables: make sure e->next_offset covers remaining blob size

    Florian Westphal authored and invisiblek committed Mar 22, 2016
    Otherwise this function may read data beyond the ruleset blob.
    
    Change-Id: Ia58e3bd484cd9235b373a4ad9cbcd2f603424680
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Commits on Jun 29, 2016
  1. HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands

    ScottyBauer authored and invisiblek committed Jun 23, 2016
    This patch validates the num_values parameter from userland during the
    HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
    to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
    leading to a heap overflow.
    
    Change-Id: I3fee952859a321777074ab5915adea8c0209f057
    Cc: stable@vger.kernel.org
    Signed-off-by: Scott Bauer <sbauer@plzdonthack.me>
    Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Commits on Jun 20, 2016
  1. ALSA: compress: add num_sample_rates in snd_codec_desc

    Eric Laurent authored and invisiblek committed Jan 7, 2014
    this gives ability to convey the valid values of supported rates in
    sample_rates array
    
    Bug: 17398311.
    
    Change-Id: If00a1b01af1f92f2248c82ae8ec88be67e1c8f6b
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Eric Laurent <elaurent@google.com>
  2. ALSA: compress: update struct snd_codec_desc for sample rate

    Eric Laurent authored and invisiblek committed Jan 7, 2014
    Now that we don't use SNDRV_PCM_RATE_xxx bit fields for sample rate, we need to
    change the description to an array for describing the sample rates supported by
    the sink/source
    
    Bug: 17398311.
    
    Change-Id: I1738d68707f83fa87bb3e62840ca2ac7fa5b84f2
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Eric Laurent <elaurent@google.com>
  3. ALSA: compress: update comment for sample rate in snd_codec

    Eric Laurent authored and invisiblek committed Jan 6, 2014
    Bug: 17398311.
    
    Change-Id: I7db4cfcbb8ece477f86e2732ce87a80f32f44b7e
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Eric Laurent <elaurent@google.com>
  4. ALSA: compress: remove the sample rate check

    Vinod Koul authored and invisiblek committed Jan 4, 2014
    commit f0e9c080 - "ALSA: compress: change the way sample rates are sent to
    kernel" changed the way sample rates are sent. So now we don't need to check for
    PCM_RATE_xxx in kernel
    
    Bug: 17398311.
    
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Eric Laurent <elaurent@google.com>
    
    Change-Id: Ia45e14af954f0caf9aa73b719ec91f65986bc319
  5. ALSA: compress: change the way sample rates are sent to kernel

    Eric Laurent authored and invisiblek committed Jan 4, 2014
    The usage of SNDRV_RATES is not effective as we can have rates like 12000 or
    some other ones used by decoders. This changes the usage of this to use the raw
    Hz values to be sent to kernel
    
    Bug: 17398311.
    
    Change-Id: I1a1a68fa1db66a93b054a97b6c03cc1fbe69ed4b
    Signed-off-by: Vinod Koul <vinod.koul@intel.com>
    Signed-off-by: Takashi Iwai <tiwai@suse.de>
    Signed-off-by: Eric Laurent <elaurent@google.com>
  6. ASoC: msm: qdsp6v2: fix incomplete playback issue for non-gapless formats

    Dhananjay Kumar authored and invisiblek committed Jun 1, 2015
    Fix data loss on auto switching of playback to next clip
    when current playback format is not having gapless support
    in compressed driver.
    Media playback complete event is sent to framework on completion
    of partial drain, this is supposed to be before actual renderer
    EOS by duration equal to value of PARTIAL_DRAIN_ACK_EARLY_BY_MSEC,
    but due to uninitialized frame size for non-gapless formats this
    duration calculated is inaccurate and sometimes triggers drain
    completion too early, leading to premature teardown of playback
    session.
    Fix this by disabling gapless on formats not having valid gapless
    parameters.
    
    Change-Id: I7f70a6fc17cc9c339ea754fd21aae6865355bef2
    Signed-off-by: Dhananjay Kumar <dhakumar@codeaurora.org>
Commits on Jun 16, 2016
  1. net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom

    Al Viro authored and invisiblek committed Mar 20, 2015
    Change-Id: I991c9e352bf4c35a941d052591eb147cace256e5
    Cc: stable@vger.kernel.org # v3.19
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  2. mnt: Fail collect_mounts when applied to unmounted mounts

    ebiederm authored and invisiblek committed Jan 7, 2015
    The only users of collect_mounts are in audit_tree.c
    
    In audit_trim_trees and audit_add_tree_rule the path passed into
    collect_mounts is generated from kern_path passed an audit_tree
    pathname which is guaranteed to be an absolute path.   In those cases
    collect_mounts is obviously intended to work on mounted paths and
    if a race results in paths that are unmounted when collect_mounts
    it is reasonable to fail early.
    
    The paths passed into audit_tag_tree don't have the absolute path
    check.  But are used to play with fsnotify and otherwise interact with
    the audit_trees, so again operating only on mounted paths appears
    reasonable.
    
    Avoid having to worry about what happens when we try and audit
    unmounted filesystems by restricting collect_mounts to mounts
    that appear in the mount tree.
    
    Change-Id: I2edfee6d6951a2179ce8f53785b65ddb1eb95629
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Commits on Jun 15, 2016
  1. KEYS: potential uninitialized variable

    Dan Carpenter authored and invisiblek committed May 26, 2016
    If __key_link_begin() failed then "edit" would be uninitialized.  I've
    added a check to fix that.
    
    Change-Id: I0e28bdba07f645437db2b08daf67ca27f16c6f5c
    Fixes: f70e2e0 ('KEYS: Do preallocation for __key_link()')
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Commits on Jun 8, 2016
  1. msm: camera: ispif: Validate VFE num input during reset

    Suman Mukherjee authored and invisiblek committed Mar 4, 2016
    Userspace supplies the actual number of used VFEs in session to ISPIF.
    Validate the userspace input value and if found to be invalid, return
    error.
    
    CRs-Fixed: 898074
    Signed-off-by: Venu Yeshala <vyeshala@codeaurora.org>
    Signed-off-by: Suman Mukherjee <sumam@codeaurora.org>
    Change-Id: I3288ddb6404e817a705a92281b4c54666f372c56
  2. Revert "msm: camera: ispif: Validate VFE num input during reset"

    invisiblek committed Jun 8, 2016
    This reverts commit 358dcf9.
    
    Change-Id: I332856ec6d9e7abae64070b4d9842cd49d068fa3
Commits on Jun 7, 2016
  1. ASoC: msm: audio-effects: fix stack overread and heap overwrite

    Ravi Kumar Alamanda authored and invisiblek committed Apr 13, 2016
    Fix overwrite of updt_params allocated in heap, and stack overread
    where param pointer is passed from user space.
    
    Bug: 27555224
    Change-Id: Ida8bdb7da2fcb97023dce3b6eafe4b899a51cb66
    Signed-off-by: Ravi Kumar Alamanda <arkumar@codeaurora.org>
  2. msm: camera: ispif: Validate VFE num input during reset

    Suman Mukherjee authored and invisiblek committed Apr 13, 2016
    Userspace supplies the actual number of used VFEs in session to ISPIF.
    Validate the userspace input value and if found to be invalid, return
    error.
    
    BUG=27600832
    
    Change-Id: I91944434e9a83d34af765c40bf8ad297a09ce2f5
  3. ASoC: msm: disable unwanted module

    vivek mehta authored and invisiblek committed Apr 13, 2016
    - disable compilation of unwanted modules
    
    Bug: 27531992
    Change-Id: I9df4efd899032fb9219a286fe469d7b2f476686f
    Signed-off-by: vivek mehta <mvivek@codeaurora.org>
  4. prima: Fix buffer overwrite problem in CCXBEACONREQ

    Thierry Strudel authored and invisiblek committed Apr 13, 2016
    Set the number of IE fields to minimum of input data and
    SIR_ESE_MAX_MEAS_IE_REQS.
    
    Change-Id: Ie53cfec7872ab69530bbb8932f9f9e85fb319f92
    CRs-Fixed: 993561
    Bug: 27424603
    Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
    Signed-off-by: Thierry Strudel <tstrudel@google.com>
  5. msm: kgsl: Add missing checks for alloc size and sglen

    Rajesh Kemisetti authored and invisiblek committed Apr 13, 2016
    In _kgsl_sharedmem_page_alloc():
    
    - Make len of type size_t to be in line with size.
    - Check for boundary limits of requested alloc size before honoring.
    - Make sure sglen is greater than zero before marking it as end
      of sg list.
    
    BUG=27475454
    
    Change-Id: I8e18aad2118f58ce677050ff4c4a4b0823c4b4b3
  6. msm: mdss: fix possible out-of-bounds and overflow issue in mdp debugfs

    adriansm authored and invisiblek committed Apr 15, 2016
    There are few cases where the count argument passed by the user
    space is not validated, which can potentially lead to out of bounds
    or overflow issues. In some cases, kernel might copy more data than
    what is requested. Add necessary checks to avoid such cases.
    
    BUG=27407629
    BUG=27407865
    
    Change-Id: I32ccccce3179346fd261ffc5b3a379230e7b413f
Commits on Jun 6, 2016
  1. victara: Patch up to caf/LA.BF.1.1.3_rb1.13

    crpalmer committed Apr 26, 2016
    I dropped a lot of commits in this patching (mm/vmscan which has moto changes
    that appear to address the same problem, as well as qseecom, mmc, usb and camera
    because they are all tracking moto not caf).
    
    6c0f34b msm: camera: Add NULL check in msm_actuator
    
    a0b8890 Revert "mmc: queue: use cached attributes of special requests"
    95d90a5 Revert "mmc: queue: exclude asynchronous transfer for special request"
    
    59155a7 qseecom: Register the existing app if it is loaded by appsbl.
    56d6264 qseecom: Change to work with appsbl qseecom
    
    ac13c00 msm: vidc: skip fps round off when client sets 1 fps
    
    Change-Id: Ib57cf4a38a7f4d9860781f30fe5144e30ca837b1
Commits on Jun 5, 2016
  1. wlan: Purge the scan results by age before posting to upper layer

    Deepthi Gowri authored and crpalmer committed Apr 7, 2016
    Currently the age out of scan results is ineffective as the aging
    timer is started only once the scan results are obtained from
    the FW, which would expire in 1 sec, so it could be possible that
    the cached scan entries may still persist and may not be aged out.
    
    To address this issue, purge the scan results by age, before the
    scan results are updated to upper layer.
    
    CRs-Fixed: 997430
    Change-Id: Ib70b04f4a720123d21ba820dd3c1e86076083dc9
  2. Wlan: Add log in vos_mem_vmalloc if vmalloc takes more than 300ms

    Abhishek Singh authored and crpalmer committed Feb 1, 2016
    During scan issues where the scan is taking more than 30 sec to
    complete, the difference between channels is around 500-1000 ms.
    So to detect this reduce the VOS_GET_MEMORY_TIME_THRESHOLD value
    to print the time taken by kmalloc, to 300ms from 3 sec.
    
    Also prints time taken by vmalloc, if time taken is more
    than VOS_GET_MEMORY_TIME_THRESHOLD.
    
    Change-Id: I0f7e1587b2ddd2839d70a19b047aa46bb6a2cea1
    CRs-Fixed: 970017
  3. Revert "wlan: Channel avoidance is not working inside Screen room"

    Hanumantha Reddy Pothula authored and crpalmer committed Mar 30, 2016
    This reverts commit e3b1522ef9360609e01ad3eec4b65c83a6732384.
    
    With commit e3b1522ef9360609e01ad3eec4b65c83a6732384 changes,
    when all channels in the operating band(gAPChannelSelectOperatingBand)
    are set to unsafe, driver may not pick operating channel from the same
    operating band, instead it picks a valid channel from the other band.
    Hence reverting the change, so that when all channels are unsafe
    in operating band, driver sets a default channel, from the same band,
    as operating channel.
    
    Change-Id: Ic27d12bc88fd60e0da1ab70792e810bc4c38d2ae
    CRs-Fixed: 996697
  4. wlan: Resolve mem leak and buf overflow access issues

    Gupta, Kapil authored and crpalmer committed Mar 17, 2016
    1. In some case if command posting fails then memory allocated for
    command is not freed, free the memory if command fails.
    
    2. It's possible to access invalid index of array gRatefromIdx,
    Add changes to prevent buffer overload when accessing the array.
    
    Change-Id: I49ef7d2f1f6e01da0d0bad1d0d3a426e16504b6e
    CRs-Fixed: 995431
  5. wlan: Fix memory leak issue

    Sreelakshmi Konamki authored and crpalmer committed Mar 18, 2016
    'pUapsdParams' is not freed when trigger enabled and
    delivery enabled is zero for all ACs.
    
    This fix includes free the memory for the same.
    
    Change-Id: I60affe4434cb9a9ea991ab40b9915ac29fdbd2c1
    CRs-Fixed: 995431
  6. Wlan: If MCC is disabled do not roam to an AP which cause MCC

    Abhishek Singh authored and crpalmer committed Mar 21, 2016
    Even though MCC is disabled by gEnableMCCMode ini, driver tries to
    roam to APs which may cause MCC but as MCC is disabled the roaming
    fails eventually in CSR while trying to connect to the new profile.
    
    Driver creates a preauth session which is not deleted upon failure.
    The session sme state is eLIM_SME_WT_REASSOC_STATE and thus fresh
    scan required is set to false and cached scan result are returned.
    
    Do not add the APs which cause MCC scenario, in preauth candidate
    list if MCC is disabled.
    
    Change-Id: Iae2a887e1fa34f89f340bd7392d757e1add97a16
    CRs-Fixed: 992672
  7. Wlan: Remove mac trace from fatal events which leads to ssr

    Abhishek Singh authored and crpalmer committed Feb 4, 2016
    In case of fatal events which leads to ssr, the svc logs are
    filled with mac trace and flush all other important logs.
    
    To avoid this do not dump mac trace in fatal event which leads
    to ssr and also limit the number of mac trace to be dumped
    to 500.
    
    Change-Id: Ie3351fc3c5d2cd213845a056a8f46bef2568f89d
    CRs-Fixed: 972065
  8. Wlan: Abort scan if it takes more than active list cmd expiry time

    Abhishek Singh authored and crpalmer committed Feb 4, 2016
    In low memory condition scan might take more than active list cmd
    expiry time to complete. With current design SSR is triggered in
    this case and may lead to crash. So in scan case it is better to
    abort the scan to recover instead of SSR.
    
    This change aborts the scan if it takes more than active list cmd
    expiry time.
    
    Change-Id: I1371e149f28f28579cf7dd0d7e616ce86f74e3e4
    CRs-Fixed: 972637
  9. wlan: Resolve memory leak issues

    Hanumantha Reddy Pothula authored and crpalmer committed Feb 10, 2016
    In SME, if command posting fails then memory allocated for
    command is not freed.
    Free the memory if SME fails to post command.
    
    Change-Id: I281ef5eb9492fe75d639b2bef7ed588aacee8e74
    CRs-Fixed: 974567
  10. wlan: Pass proper values to bit manipulation methods to avoid panic

    Mahesh A Saptasagar authored and crpalmer committed Feb 24, 2016
    Observed kernel panic due to improper arguments passed to kernel bit
    manipulation functions (like set_bit, clear_bit etc.) i.e. these
    functions expect bit positions as their first argument but bit mask
    values are being passed.
    
    To fix these issues ensure below points:
       - Pass bit position as a first argument to bit manipulation
         functions.
       - Re-define MACROs which gives false impression of bit mask values
         with their naming convention.
    
    Change-Id: Ief8cd83b05f01a0926f91c0e9fb461ddd498e05e
    CRs-Fixed: 981050
  11. prima: Reduce roaming delay by moving tdls cb after enabling queues

    Padma, Santhosh Kumar authored and crpalmer committed Feb 18, 2016
    Function wlan_hdd_tdls_connection_callback takes few milliseconds
    to complete its functionality which can affect roaming delay.
    Move this functionality after enabling queues to reduce roaming delay.
    
    Change-Id: I78d7b4deadb6cccdfd81f8431b6dd7c013e05340
    CRs-Fixed: 978673
  12. wlan: SAP: Release spin lock in STA TX/RX cleanup

    Hanumantha Reddy Pothula authored and crpalmer committed Dec 23, 2015
    During cleanup of STA TX/RX modules, if driver fails to remove STA
    ID from hash table then staInfo lock should be released.
    
    Change-Id: I943e44b001391216dc86c943990ee4eade7b5f5b
    CRs-Fixed: 955386
  13. wlan: Fix to enable TDLS only if enabled in INI and supported by FW

    Masti, Narayanraddi authored and crpalmer committed Mar 3, 2016
    Though TDLS Feature is disabled in ini, during wlan startup tdls
    mode is set based on either implicit or explicit mode from ini
    regardless of TDLS feature support in ini which will lead to send
    TDLS frames depending on TDLS mode of configuration(implicit or explicit)
    which is incorrect and in current scenario TDLS discovery request
    is sent with disabling BMPS(if enabled) and host will neither process
    TDLS discovery response nor enable BMPS since tdls context is NULL
    and TDLS context is NULL because of TDLS feature is not enabled
    in ini thus leading to issue.
    
    Fix is to ensure that TDLS mode is set to either implicit or explicit
    only if TDLS feature is enabled in ini and supported by FW.
    
    Change-Id: I3b7bb9026839c15d495ac3dc3b190fc75d48cc7a
    CRs-Fixed: 981745
  14. Wlan: Remove SSR from thread stuck detect logic

    Abhishek Singh authored and crpalmer committed Dec 24, 2015
    Remove SSR from thread stuck detect logic as stack dump in
    kernel log are enough to debug the issue.
    
    Change-Id: I075b5ed397f95199466a2a615257971fb35028ac
    CRs-Fixed: 955675
  15. Wlan: Send protocol reason code instead of generic reason

    Wu Gao authored and crpalmer committed Feb 1, 2016
    When assoc fails, send protocol reason code instead of generic
    reason code. Customer complain that it just reports generic
    reason for WPA2 AP and cause UI mismatch.
    
    Change-Id: I69f99a10664510beed9f9700d53fe1201ed1122e
    CRs-Fixed: 970759