diff --git a/drivers/crypto/msm/qce50.c b/drivers/crypto/msm/qce50.c
index 8b06ed01850f88f5374dd4bb89eb61a05e97728b..85191e5cd55b6d07e7e27edfb70dd4903c47ce96 100644
--- a/drivers/crypto/msm/qce50.c
+++ b/drivers/crypto/msm/qce50.c
@@ -2074,6 +2074,10 @@ static int _sha_complete(struct qce_device *pce_dev)
uint32_t status;
areq = (struct ahash_request *) pce_dev->areq;
+ if (!areq) {
+ pr_err("sha operation error. areq is NULL\n");
+ return -ENXIO;
+ }
qce_dma_unmap_sg(pce_dev->pdev, areq->src, pce_dev->src_nents,
DMA_TO_DEVICE);
memcpy(digest, (char *)(&pce_dev->ce_sps.result->auth_iv[0]),
diff --git a/drivers/crypto/msm/qcrypto.c b/drivers/crypto/msm/qcrypto.c
index a6aa61676f66ba880f2c9c343e5437eb3989386b..c85c45fee4a1724003d8c600cb1fc4c55c58cc39 100644
--- a/drivers/crypto/msm/qcrypto.c
+++ b/drivers/crypto/msm/qcrypto.c
@@ -3380,6 +3380,7 @@ static int _sha1_hmac_setkey(struct crypto_ahash *tfm, const u8 *key,
unsigned int len)
{
struct qcrypto_sha_ctx *sha_ctx = crypto_tfm_ctx(&tfm->base);
+ int ret = 0;
memset(&sha_ctx->authkey[0], 0, SHA1_BLOCK_SIZE);
if (len <= SHA1_BLOCK_SIZE) {
memcpy(&sha_ctx->authkey[0], key, len);
@@ -3387,16 +3388,19 @@ static int _sha1_hmac_setkey(struct crypto_ahash *tfm, const u8 *key,
} else {
sha_ctx->alg = QCE_HASH_SHA1;
sha_ctx->diglen = SHA1_DIGEST_SIZE;
- _sha_hmac_setkey(tfm, key, len);
+ ret = _sha_hmac_setkey(tfm, key, len);
+ if (ret)
+ pr_err("SHA1 hmac setkey failed\n");
sha_ctx->authkey_in_len = SHA1_BLOCK_SIZE;
}
- return 0;
+ return ret;
}
static int _sha256_hmac_setkey(struct crypto_ahash *tfm, const u8 *key,
unsigned int len)
{
struct qcrypto_sha_ctx *sha_ctx = crypto_tfm_ctx(&tfm->base);
+ int ret = 0;
memset(&sha_ctx->authkey[0], 0, SHA256_BLOCK_SIZE);
if (len <= SHA256_BLOCK_SIZE) {
@@ -3405,11 +3409,13 @@ static int _sha256_hmac_setkey(struct crypto_ahash *tfm, const u8 *key,
} else {
sha_ctx->alg = QCE_HASH_SHA256;
sha_ctx->diglen = SHA256_DIGEST_SIZE;
- _sha_hmac_setkey(tfm, key, len);
+ ret = _sha_hmac_setkey(tfm, key, len);
+ if (ret)
+ pr_err("SHA256 hmac setkey failed\n");
sha_ctx->authkey_in_len = SHA256_BLOCK_SIZE;
}
- return 0;
+ return ret;
}
static int _sha_hmac_init_ihash(struct ahash_request *req,
diff --git a/drivers/net/wireless/bcmdhd/dhd_debug.c b/drivers/net/wireless/bcmdhd/dhd_debug.c
index d19c63a3aff2a6048e42b219b473528dc0135dde..d468aeaec150a6ce749d4e373317a1423f6a8ffc 100644
--- a/drivers/net/wireless/bcmdhd/dhd_debug.c
+++ b/drivers/net/wireless/bcmdhd/dhd_debug.c
@@ -384,6 +384,12 @@ dhd_dbg_custom_evnt_handler(dhd_pub_t *dhdp, event_log_hdr_t *hdr, uint32 *data)
wl_log_id.t = *data;
if (wl_log_id.version != DIAG_VERSION) return BCME_VERSION;
+ /* custom event log should at least contain a wl_event_log_id_ver_t
+ * header and an arm cycle count
+ */
+ if (hdr->count < 2)
+ return BCME_BADLEN;
+
ts_hdr = (void *)data - sizeof(event_log_hdr_t);
if (ts_hdr->tag == EVENT_LOG_TAG_TS) {
ts_data = (uint32 *)ts_hdr - ts_hdr->count;
@@ -614,7 +620,8 @@ dhd_dbg_msgtrace_log_parser(dhd_pub_t *dhdp, void *event_data,
msgtrace_hdr_t *hdr;
char *data;
int id;
- uint32 hdrlen = sizeof(event_log_hdr_t);
+ const uint32 log_hdr_len = sizeof(event_log_hdr_t);
+ uint32 log_pyld_len;
static uint32 seqnum_prev = 0;
event_log_hdr_t *log_hdr;
bool event_type = FALSE;
@@ -622,6 +629,13 @@ dhd_dbg_msgtrace_log_parser(dhd_pub_t *dhdp, void *event_data,
dll_t list_head, *cur;
loglist_item_t *log_item;
+ /* log trace event consists of
+ * msgtrace header
+ * event log block header
+ * event log payload
+ */
+ if (datalen <= MSGTRACE_HDRLEN + EVENT_LOG_BLOCK_HDRLEN)
+ return;
hdr = (msgtrace_hdr_t *)event_data;
data = (char *)event_data + MSGTRACE_HDRLEN;
datalen -= MSGTRACE_HDRLEN;
@@ -630,30 +644,36 @@ dhd_dbg_msgtrace_log_parser(dhd_pub_t *dhdp, void *event_data,
return;
/* XXX: skip the meaningless pktlen/count and timestamp */
- data += 8;
- datalen -= 8;
+ data += EVENT_LOG_BLOCK_HDRLEN;
+ datalen -= EVENT_LOG_BLOCK_HDRLEN;
/* start from the end and walk through the packet */
dll_init(&list_head);
- while (datalen > 0) {
- log_hdr = (event_log_hdr_t *)(data + datalen - hdrlen);
- /* pratially overwritten entries */
- if ((uint32 *)log_hdr - (uint32 *)data < log_hdr->count)
- break;
- /* end of frame? */
+ while (datalen > log_hdr_len) {
+ log_hdr = (event_log_hdr_t *)(data + datalen - log_hdr_len);
+ /* skip zero padding at end of frame */
if (log_hdr->tag == EVENT_LOG_TAG_NULL) {
- log_hdr--;
- datalen -= hdrlen;
+ datalen -= log_hdr_len;
continue;
}
+
+ /* Check argument count, any event log should contain at least
+ * one argument (4 bytes) for arm cycle count and up to 16
+ * arguments
+ */
+ if ((log_hdr->count == 0) || (log_hdr->count > MAX_NO_OF_ARG))
+ break;
+
+ log_pyld_len = log_hdr->count * DATA_UNIT_FOR_LOG_CNT;
+ /* log data should not cross event data boundary */
+ if (((char *)log_hdr - data) < log_pyld_len)
+ break;
+
/* skip 4 bytes time stamp packet */
if (log_hdr->tag == EVENT_LOG_TAG_TS) {
- datalen -= log_hdr->count * 4 + hdrlen;
- log_hdr -= log_hdr->count + hdrlen / 4;
+ datalen -= log_pyld_len + log_hdr_len;
continue;
}
- if (log_hdr->count > MAX_NO_OF_ARG)
- break;
if (!(log_item = MALLOC(dhdp->osh, sizeof(*log_item)))) {
DHD_ERROR(("%s allocating log list item failed\n",
__FUNCTION__));
@@ -661,7 +681,7 @@ dhd_dbg_msgtrace_log_parser(dhd_pub_t *dhdp, void *event_data,
}
log_item->hdr = log_hdr;
dll_insert(&log_item->list, &list_head);
- datalen -= (log_hdr->count * 4 + hdrlen);
+ datalen -= (log_pyld_len + log_hdr_len);
}
while (!dll_empty(&list_head)) {
diff --git a/drivers/net/wireless/bcmdhd/include/event_log.h b/drivers/net/wireless/bcmdhd/include/event_log.h
index 6f0bbc4e40ec1aa095b3d166eb494edb0160dc97..3964d203d2fb9e48ec761c8232687366989bcd35 100644
--- a/drivers/net/wireless/bcmdhd/include/event_log.h
+++ b/drivers/net/wireless/bcmdhd/include/event_log.h
@@ -141,6 +141,7 @@
#define LOGSTRS_MAGIC 0x4C4F4753
#define LOGSTRS_VERSION 0x1
+#define EVENT_LOG_BLOCK_HDRLEN 8
/*
* There are multiple levels of objects define here:
diff --git a/drivers/video/msm/mdss/mdss_mdp_pp.c b/drivers/video/msm/mdss/mdss_mdp_pp.c
index 80d52700d6ae2e8443aecb08ca30827d34f04c40..5b778e4a239e74b044aef405a7b54c79de2b4923 100644
--- a/drivers/video/msm/mdss/mdss_mdp_pp.c
+++ b/drivers/video/msm/mdss/mdss_mdp_pp.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -333,7 +333,7 @@ struct mdss_pp_res_type {
struct mdp_hist_lut_data enhist_disp_cfg[MDSS_BLOCK_DISP_NUM];
struct mdp_dither_cfg_data dither_disp_cfg[MDSS_BLOCK_DISP_NUM];
struct mdp_gamut_cfg_data gamut_disp_cfg[MDSS_BLOCK_DISP_NUM];
- uint16_t gamut_tbl[MDSS_BLOCK_DISP_NUM][GAMUT_TOTAL_TABLE_SIZE];
+ uint16_t gamut_tbl[MDSS_BLOCK_DISP_NUM][GAMUT_TOTAL_TABLE_SIZE * 3];
u32 hist_data[MDSS_BLOCK_DISP_NUM][HIST_V_SIZE];
struct pp_sts_type pp_disp_sts[MDSS_BLOCK_DISP_NUM];
/* physical info */
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index 422d8bdacc0d930244eb4f4fb4e34cce1c538d9c..154a123647eb5f809bcfd01497b5519aa6d8cd88 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -657,6 +657,9 @@ static struct sock *sctp_v6_create_accept_sk(struct sock *sk,
newnp = inet6_sk(newsk);
memcpy(newnp, np, sizeof(struct ipv6_pinfo));
+ newnp->ipv6_mc_list = NULL;
+ newnp->ipv6_ac_list = NULL;
+ newnp->ipv6_fl_list = NULL;
/* Initialize sk's sport, dport, rcv_saddr and daddr for getsockname()
* and getpeername().