diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index 7d6e62a137cccb3388e50a018d235871560400d7..9cb1a60b53a0ae2600488e7eb855c7645913cb7b 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -123,7 +123,7 @@ struct fastrpc_buf {
struct fastrpc_file *fl;
void *virt;
uint64_t phys;
- ssize_t size;
+ size_t size;
};
struct fastrpc_ctx_lst;
@@ -148,7 +148,7 @@ struct smq_invoke_ctx {
int *fds;
struct fastrpc_mmap **maps;
struct fastrpc_buf *buf;
- ssize_t used;
+ size_t used;
struct fastrpc_file *fl;
uint32_t sc;
struct overlap *overs;
@@ -233,9 +233,9 @@ struct fastrpc_mmap {
struct dma_buf_attachment *attach;
struct ion_handle *handle;
uint64_t phys;
- ssize_t size;
+ size_t size;
uintptr_t va;
- ssize_t len;
+ size_t len;
int refs;
uintptr_t raddr;
int uncached;
@@ -276,7 +276,7 @@ static struct fastrpc_channel_ctx gcinfo[NUM_CHANNELS] = {
static void fastrpc_buf_free(struct fastrpc_buf *buf, int cache)
{
- struct fastrpc_file *fl = buf == 0 ? 0 : buf->fl;
+ struct fastrpc_file *fl = buf == NULL ? NULL : buf->fl;
int vmid;
if (!fl)
@@ -311,7 +311,8 @@ static void fastrpc_buf_list_free(struct fastrpc_file *fl)
struct fastrpc_buf *buf, *free;
do {
struct hlist_node *n;
- free = 0;
+
+ free = NULL;
spin_lock(&fl->hlock);
hlist_for_each_entry_safe(buf, n, &fl->bufs, hn) {
hlist_del_init(&buf->hn);
@@ -342,11 +343,13 @@ static void fastrpc_mmap_add(struct fastrpc_mmap *map)
}
static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
- ssize_t len, int mflags, struct fastrpc_mmap **ppmap)
+ size_t len, int mflags, struct fastrpc_mmap **ppmap)
{
struct fastrpc_apps *me = &gfa;
- struct fastrpc_mmap *match = 0, *map;
+ struct fastrpc_mmap *match = NULL, *map = NULL;
struct hlist_node *n;
+ if ((va + len) < va)
+ return -EOVERFLOW;
if (mflags == ADSP_MMAP_HEAP_ADDR) {
spin_lock(&me->hlock);
hlist_for_each_entry_safe(map, n, &me->maps, hn) {
@@ -379,10 +382,10 @@ static int fastrpc_mmap_find(struct fastrpc_file *fl, int fd, uintptr_t va,
return -ENOTTY;
}
-static int dma_alloc_memory(phys_addr_t *region_start, ssize_t size)
+static int dma_alloc_memory(phys_addr_t *region_start, size_t size)
{
struct fastrpc_apps *me = &gfa;
- void *vaddr = 0;
+ void *vaddr = NULL;
DEFINE_DMA_ATTRS(attrs);
if (me->dev == NULL) {
@@ -402,9 +405,9 @@ static int dma_alloc_memory(phys_addr_t *region_start, ssize_t size)
}
static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va,
- ssize_t len, struct fastrpc_mmap **ppmap)
+ size_t len, struct fastrpc_mmap **ppmap)
{
- struct fastrpc_mmap *match = 0, *map;
+ struct fastrpc_mmap *match = NULL, *map = NULL;
struct hlist_node *n;
struct fastrpc_apps *me = &gfa;
@@ -511,11 +514,11 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map)
}
static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, uintptr_t va,
- ssize_t len, int mflags, struct fastrpc_mmap **ppmap)
+ size_t len, int mflags, struct fastrpc_mmap **ppmap)
{
struct fastrpc_apps *me = &gfa;
struct fastrpc_session_ctx *sess = fl->sctx;
- struct fastrpc_mmap *map = 0;
+ struct fastrpc_mmap *map = NULL;
struct dma_attrs attrs;
phys_addr_t region_start = 0;
unsigned long flags;
@@ -534,7 +537,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, uintptr_t va,
map->fd = fd;
if (mflags == ADSP_MMAP_HEAP_ADDR) {
map->apps = me;
- map->fl = 0;
+ map->fl = NULL;
VERIFY(err, !dma_alloc_memory(®ion_start, len));
if (err)
goto bail;
@@ -609,11 +612,11 @@ bail:
return err;
}
-static int fastrpc_buf_alloc(struct fastrpc_file *fl, ssize_t size,
+static int fastrpc_buf_alloc(struct fastrpc_file *fl, size_t size,
struct fastrpc_buf **obuf)
{
int err = 0, vmid;
- struct fastrpc_buf *buf = 0, *fr = 0;
+ struct fastrpc_buf *buf = NULL, *fr = NULL;
struct hlist_node *n;
VERIFY(err, size > 0);
@@ -633,13 +636,13 @@ static int fastrpc_buf_alloc(struct fastrpc_file *fl, ssize_t size,
*obuf = fr;
return 0;
}
- buf = 0;
- VERIFY(err, buf = kzalloc(sizeof(*buf), GFP_KERNEL));
+ buf = NULL;
+ VERIFY(err, NULL != (buf = kzalloc(sizeof(*buf), GFP_KERNEL)));
if (err)
goto bail;
INIT_HLIST_NODE(&buf->hn);
buf->fl = fl;
- buf->virt = 0;
+ buf->virt = NULL;
buf->phys = 0;
buf->size = size;
buf->virt = dma_alloc_coherent(fl->sctx->dev, buf->size,
@@ -680,7 +683,7 @@ static int context_restore_interrupted(struct fastrpc_file *fl,
struct smq_invoke_ctx **po)
{
int err = 0;
- struct smq_invoke_ctx *ctx = 0, *ictx = 0;
+ struct smq_invoke_ctx *ctx = NULL, *ictx = NULL;
struct hlist_node *n;
struct fastrpc_ioctl_invoke *invoke = &invokefd->inv;
spin_lock(&fl->hlock);
@@ -733,7 +736,7 @@ static int context_build_overlap(struct smq_invoke_ctx *ctx)
ctx->overs[i].raix = i;
ctx->overps[i] = &ctx->overs[i];
}
- sort(ctx->overps, nbufs, sizeof(*ctx->overps), overlap_ptr_cmp, 0);
+ sort(ctx->overps, nbufs, sizeof(*ctx->overps), overlap_ptr_cmp, NULL);
max.start = 0;
max.end = 0;
for (i = 0; i < nbufs; ++i) {
@@ -762,7 +765,8 @@ bail:
#define K_COPY_FROM_USER(err, kernel, dst, src, size) \
do {\
if (!(kernel))\
- VERIFY(err, 0 == copy_from_user((dst), (src),\
+ VERIFY(err, 0 == copy_from_user((dst),\
+ (void const __user *)(src),\
(size)));\
else\
memmove((dst), (src), (size));\
@@ -771,8 +775,8 @@ bail:
#define K_COPY_TO_USER(err, kernel, dst, src, size) \
do {\
if (!(kernel))\
- VERIFY(err, 0 == copy_to_user((dst), (src),\
- (size)));\
+ VERIFY(err, 0 == copy_to_user((void __user *)(dst), \
+ (src), (size)));\
else\
memmove((dst), (src), (size));\
} while (0)
@@ -786,7 +790,7 @@ static int context_alloc(struct fastrpc_file *fl, uint32_t kernel,
{
int err = 0, bufs, ii, size = 0;
struct fastrpc_apps *me = &gfa;
- struct smq_invoke_ctx *ctx = 0;
+ struct smq_invoke_ctx *ctx = NULL;
struct fastrpc_ctx_lst *clst = &fl->clst;
struct fastrpc_ioctl_invoke *invoke = &invokefd->inv;
@@ -796,7 +800,7 @@ static int context_alloc(struct fastrpc_file *fl, uint32_t kernel,
sizeof(*ctx->overs) * (bufs) +
sizeof(*ctx->overps) * (bufs);
- VERIFY(err, ctx = kzalloc(sizeof(*ctx) + size, GFP_KERNEL));
+ VERIFY(err, NULL != (ctx = kzalloc(sizeof(*ctx) + size, GFP_KERNEL)));
if (err)
goto bail;
@@ -809,7 +813,7 @@ static int context_alloc(struct fastrpc_file *fl, uint32_t kernel,
ctx->overs = (struct overlap *)(&ctx->fds[bufs]);
ctx->overps = (struct overlap **)(&ctx->overs[bufs]);
- K_COPY_FROM_USER(err, kernel, ctx->lpra, invoke->pra,
+ K_COPY_FROM_USER(err, kernel, (void *)ctx->lpra, invoke->pra,
bufs * sizeof(*ctx->lpra));
if (err)
goto bail;
@@ -939,10 +943,10 @@ static void context_list_ctor(struct fastrpc_ctx_lst *me)
static void fastrpc_context_list_dtor(struct fastrpc_file *fl)
{
struct fastrpc_ctx_lst *clst = &fl->clst;
- struct smq_invoke_ctx *ictx = 0, *ctxfree;
+ struct smq_invoke_ctx *ictx = NULL, *ctxfree;
struct hlist_node *n;
do {
- ctxfree = 0;
+ ctxfree = NULL;
spin_lock(&fl->hlock);
hlist_for_each_entry_safe(ictx, n, &clst->interrupted, hn) {
hlist_del_init(&ictx->hn);
@@ -954,7 +958,7 @@ static void fastrpc_context_list_dtor(struct fastrpc_file *fl)
context_free(ctxfree);
} while (ctxfree);
do {
- ctxfree = 0;
+ ctxfree = NULL;
spin_lock(&fl->hlock);
hlist_for_each_entry_safe(ictx, n, &clst->pending, hn) {
hlist_del_init(&ictx->hn);
@@ -973,7 +977,7 @@ static void fastrpc_file_list_dtor(struct fastrpc_apps *me)
struct fastrpc_file *fl, *free;
struct hlist_node *n;
do {
- free = 0;
+ free = NULL;
spin_lock(&me->hlock);
hlist_for_each_entry_safe(fl, n, &me->drivers, hn) {
hlist_del_init(&fl->hn);
@@ -997,31 +1001,32 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
int outbufs = REMOTE_SCALARS_OUTBUFS(sc);
int bufs = inbufs + outbufs;
uintptr_t args;
- ssize_t rlen = 0, copylen = 0, metalen = 0;
+ size_t rlen = 0, copylen = 0, metalen = 0;
int i, inh, oix;
int err = 0;
int mflags = 0;
/* calculate size of the metadata */
- rpra = 0;
+ rpra = NULL;
list = smq_invoke_buf_start(rpra, sc);
pages = smq_phy_page_start(sc, list);
ipage = pages;
for (i = 0; i < bufs; ++i) {
uintptr_t buf = (uintptr_t)lpra[i].buf.pv;
- ssize_t len = lpra[i].buf.len;
+ size_t len = lpra[i].buf.len;
if (ctx->fds[i])
fastrpc_mmap_create(ctx->fl, ctx->fds[i], buf, len,
mflags, &ctx->maps[i]);
ipage += 1;
}
- metalen = copylen = (ssize_t)&ipage[0];
+ metalen = copylen = (size_t)&ipage[0];
/* calculate len requreed for copying */
for (oix = 0; oix < inbufs + outbufs; ++oix) {
int i = ctx->overps[oix]->raix;
uintptr_t mstart, mend;
- ssize_t len = lpra[i].buf.len;
+ size_t len = lpra[i].buf.len;
+
if (!len)
continue;
if (ctx->maps[i])
@@ -1054,7 +1059,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
ipage = pages;
args = (uintptr_t)ctx->buf->virt + metalen;
for (i = 0; i < bufs; ++i) {
- ssize_t len = lpra[i].buf.len;
+ size_t len = lpra[i].buf.len;
list[i].num = 0;
list[i].pgidx = 0;
if (!len)
@@ -1067,7 +1072,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
for (i = 0; i < inbufs + outbufs; ++i) {
struct fastrpc_mmap *map = ctx->maps[i];
uint64_t buf = ptr_to_uint64(lpra[i].buf.pv);
- ssize_t len = lpra[i].buf.len;
+ size_t len = lpra[i].buf.len;
rpra[i].buf.pv = 0;
rpra[i].buf.len = len;
if (!len)
@@ -1075,7 +1080,7 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
if (map) {
struct vm_area_struct *vma;
uintptr_t offset;
- int num = buf_num_pages(buf, len);
+ uint64_t num = buf_num_pages(buf, len);
int idx = list[i].pgidx;
down_read(¤t->mm->mmap_sem);
@@ -1101,9 +1106,10 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx)
for (oix = 0; oix < inbufs + outbufs; ++oix) {
int i = ctx->overps[oix]->raix;
struct fastrpc_mmap *map = ctx->maps[i];
- ssize_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
+ size_t mlen = ctx->overps[oix]->mend - ctx->overps[oix]->mstart;
uint64_t buf;
- ssize_t len = lpra[i].buf.len;
+ size_t len = lpra[i].buf.len;
+
if (!len)
continue;
if (map)
@@ -1173,7 +1179,7 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx,
goto bail;
} else {
fastrpc_mmap_free(ctx->maps[i]);
- ctx->maps[i] = 0;
+ ctx->maps[i] = NULL;
}
}
size = sizeof(*rpra) * REMOTE_SCALARS_OUTHANDLES(sc);
@@ -1253,7 +1259,7 @@ static int fastrpc_invoke_send(struct smq_invoke_ctx *ctx,
struct fastrpc_file *fl = ctx->fl;
int err = 0, len;
- VERIFY(err, 0 != fl->apps->channel[fl->cid].chan);
+ VERIFY(err, NULL != fl->apps->channel[fl->cid].chan);
if (err)
goto bail;
msg->pid = current->tgid;
@@ -1356,7 +1362,7 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode,
uint32_t kernel,
struct fastrpc_ioctl_invoke_fd *invokefd)
{
- struct smq_invoke_ctx *ctx = 0;
+ struct smq_invoke_ctx *ctx = NULL;
struct fastrpc_ioctl_invoke *invoke = &invokefd->inv;
int cid = fl->cid;
int interrupted = 0;
@@ -1424,7 +1430,7 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
int err = 0;
struct fastrpc_ioctl_invoke_fd ioctl;
struct smq_phy_page pages[1];
- struct fastrpc_mmap *file = 0, *mem = 0;
+ struct fastrpc_mmap *file = NULL, *mem = NULL;
if (init->flags == FASTRPC_INIT_ATTACH) {
remote_arg_t ra[1];
int tgid = current->tgid;
@@ -1433,7 +1439,7 @@ static int fastrpc_init_process(struct fastrpc_file *fl,
ioctl.inv.handle = 1;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 0);
ioctl.inv.pra = ra;
- ioctl.fds = 0;
+ ioctl.fds = NULL;
VERIFY(err, !(err = fastrpc_internal_invoke(fl,
FASTRPC_MODE_PARALLEL, 1, &ioctl)));
if (err)
@@ -1513,7 +1519,7 @@ static int fastrpc_release_current_dsp_process(struct fastrpc_file *fl)
remote_arg_t ra[1];
int tgid = 0;
- VERIFY(err, fl->apps->channel[fl->cid].chan != 0);
+ VERIFY(err, fl->apps->channel[fl->cid].chan != NULL);
if (err)
goto bail;
tgid = fl->tgid;
@@ -1522,7 +1528,7 @@ static int fastrpc_release_current_dsp_process(struct fastrpc_file *fl)
ioctl.inv.handle = 1;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(1, 1, 0);
ioctl.inv.pra = ra;
- ioctl.fds = 0;
+ ioctl.fds = NULL;
VERIFY(err, 0 == (err = fastrpc_internal_invoke(fl,
FASTRPC_MODE_PARALLEL, 1, &ioctl)));
bail:
@@ -1567,7 +1573,7 @@ static int fastrpc_mmap_on_dsp(struct fastrpc_file *fl, uint32_t flags,
else
ioctl.inv.sc = REMOTE_SCALARS_MAKE(2, 2, 1);
ioctl.inv.pra = ra;
- ioctl.fds = 0;
+ ioctl.fds = NULL;
VERIFY(err, 0 == (err = fastrpc_internal_invoke(fl,
FASTRPC_MODE_PARALLEL, 1, &ioctl)));
map->raddr = (uintptr_t)routargs.vaddrout;
@@ -1605,7 +1611,7 @@ static int fastrpc_munmap_on_dsp_rh(struct fastrpc_file *fl,
ioctl.inv.handle = 1;
ioctl.inv.sc = REMOTE_SCALARS_MAKE(7, 0, 1);
ioctl.inv.pra = ra;
- ioctl.fds = 0;
+ ioctl.fds = NULL;
VERIFY(err, 0 == (err = fastrpc_internal_invoke(fl,
FASTRPC_MODE_PARALLEL, 1, &ioctl)));
@@ -1632,7 +1638,7 @@ static int fastrpc_munmap_on_dsp(struct fastrpc_file *fl,
struct {
int pid;
uintptr_t vaddrout;
- ssize_t size;
+ size_t size;
} inargs;
if (map->flags == ADSP_MMAP_HEAP_ADDR) {
VERIFY(err, !fastrpc_munmap_on_dsp_rh(fl, map));
@@ -1652,7 +1658,7 @@ static int fastrpc_munmap_on_dsp(struct fastrpc_file *fl,
else
ioctl.inv.sc = REMOTE_SCALARS_MAKE(3, 1, 0);
ioctl.inv.pra = ra;
- ioctl.fds = 0;
+ ioctl.fds = NULL;
VERIFY(err, 0 == (err = fastrpc_internal_invoke(fl,
FASTRPC_MODE_PARALLEL, 1, &ioctl)));
bail:
@@ -1661,7 +1667,7 @@ bail:
static int fastrpc_mmap_remove_ssr(struct fastrpc_file *fl)
{
- struct fastrpc_mmap *match = 0, *map = NULL;
+ struct fastrpc_mmap *match = NULL, *map = NULL;
struct hlist_node *n = NULL;
int err = 0, ret = 0;
struct fastrpc_apps *me = &gfa;
@@ -1702,7 +1708,7 @@ bail:
}
static int fastrpc_mmap_remove(struct fastrpc_file *fl, uintptr_t va,
- ssize_t len, struct fastrpc_mmap **ppmap);
+ size_t len, struct fastrpc_mmap **ppmap);
static void fastrpc_mmap_add(struct fastrpc_mmap *map);
@@ -1710,7 +1716,7 @@ static int fastrpc_internal_munmap(struct fastrpc_file *fl,
struct fastrpc_ioctl_munmap *ud)
{
int err = 0;
- struct fastrpc_mmap *map = 0;
+ struct fastrpc_mmap *map = NULL;
mutex_lock(&fl->map_mutex);
if (!fastrpc_mmap_remove(fl, ud->vaddrout, ud->size,
@@ -1731,7 +1737,7 @@ static int fastrpc_internal_mmap(struct fastrpc_file *fl,
struct fastrpc_ioctl_mmap *ud)
{
- struct fastrpc_mmap *map = 0;
+ struct fastrpc_mmap *map = NULL;
int err = 0;
mutex_lock(&fl->map_mutex);
@@ -1769,7 +1775,7 @@ static void fastrpc_channel_close(struct kref *kref)
glink_unregister_link_state_cb(ctx->link_notify_handle);
glink_close(ctx->chan);
}
- ctx->chan = 0;
+ ctx->chan = NULL;
mutex_unlock(&me->smd_mutex);
cid = ctx - &gcinfo[0];
pr_info("'closed /dev/%s c %d %d'\n", gcinfo[cid].name,
@@ -1781,7 +1787,7 @@ static void fastrpc_context_list_dtor(struct fastrpc_file *fl);
static int fastrpc_file_free(struct fastrpc_file *fl)
{
struct hlist_node *n;
- struct fastrpc_mmap *map = 0;
+ struct fastrpc_mmap *map = NULL;
int cid;
if (!fl)
@@ -1843,19 +1849,20 @@ static int fastrpc_session_free(struct fastrpc_channel_ctx *chan, int session)
return err;
}
-bool fastrpc_glink_notify_rx_intent_req(void *h, const void *priv, size_t size)
+static bool fastrpc_glink_notify_rx_intent_req(void *h, const void *priv,
+ size_t size)
{
if (0 != glink_queue_rx_intent(h, NULL, size))
return false;
return true;
}
-void fastrpc_glink_notify_tx_done(void *handle, const void *priv,
+static void fastrpc_glink_notify_tx_done(void *handle, const void *priv,
const void *pkt_priv, const void *ptr)
{
}
-void fastrpc_glink_notify_rx(void *handle, const void *priv,
+static void fastrpc_glink_notify_rx(void *handle, const void *priv,
const void *pkt_priv, const void *ptr, size_t size)
{
struct smq_invoke_rsp *rsp = (struct smq_invoke_rsp *)ptr;
@@ -1888,7 +1895,8 @@ bail:
glink_rx_done(handle, ptr, true);
}
-void fastrpc_glink_notify_state(void *handle, const void *priv, unsigned event)
+static void fastrpc_glink_notify_state(void *handle, const void *priv,
+ unsigned int event)
{
struct fastrpc_apps *me = &gfa;
int cid = (int)(uintptr_t)priv;
@@ -1909,7 +1917,7 @@ static int fastrpc_device_release(struct inode *inode, struct file *file)
{
struct fastrpc_apps *me = &gfa;
struct fastrpc_file *fl = (struct fastrpc_file *)file->private_data;
- struct fastrpc_fl *pfl = 0;
+ struct fastrpc_fl *pfl = NULL;
int session, cid;
int err = 0;
@@ -1944,7 +1952,7 @@ static int fastrpc_device_release(struct inode *inode, struct file *file)
me->pending_free++;
mutex_unlock(&me->flfree_mutex);
mutex_destroy(&fl->map_mutex);
- file->private_data = 0;
+ file->private_data = NULL;
}
bail:
if (err)
@@ -1956,8 +1964,8 @@ bail:
static void file_free_work_handler(struct work_struct *w)
{
struct fastrpc_apps *me = &gfa;
- struct fastrpc_fl *fl = 0, *freefl = 0;
- struct hlist_node *n = 0;
+ struct fastrpc_fl *fl = NULL, *freefl = NULL;
+ struct hlist_node *n = NULL;
while (1) {
mutex_lock(&me->flfree_mutex);
@@ -2037,7 +2045,7 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp)
int err = 0, session;
int event;
struct fastrpc_apps *me = &gfa;
- struct fastrpc_file *fl = 0;
+ struct fastrpc_file *fl = NULL;
if (me->pending_free) {
event = wait_event_interruptible_timeout(wait_queue,
@@ -2069,7 +2077,7 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp)
fl->ssrcount = me->channel[cid].ssrcount;
if ((kref_get_unless_zero(&me->channel[cid].kref) == 0) ||
- (me->channel[cid].chan == 0)) {
+ (me->channel[cid].chan == NULL)) {
if (me->glink) {
VERIFY(err, 0 == fastrpc_glink_open(cid, me));
} else {
@@ -2085,7 +2093,7 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp)
VERIFY(err, wait_for_completion_timeout(&me->channel[cid].work,
RPC_TIMEOUT));
if (err) {
- me->channel[cid].chan = 0;
+ me->channel[cid].chan = NULL;
goto bail;
}
kref_init(&me->channel[cid].kref);
@@ -2216,7 +2224,7 @@ static int fastrpc_restart_notifier_cb(struct notifier_block *nb,
} else {
smd_close(ctx->chan);
}
- ctx->chan = 0;
+ ctx->chan = NULL;
pr_info("'restart notifier: closed /dev/%s c %d %d'\n",
gcinfo[cid].name, MAJOR(me->dev_no), cid);
}
@@ -2271,7 +2279,8 @@ static int fastrpc_cb_probe(struct device *dev)
int err = 0, i;
int disable_htw = 1;
- VERIFY(err, 0 != (name = of_get_property(dev->of_node, "label", NULL)));
+ VERIFY(err, NULL != (name = of_get_property(dev->of_node,
+ "label", NULL)));
if (err)
goto bail;
for (i = 0; i < NUM_CHANNELS; i++) {
@@ -2318,11 +2327,11 @@ static int fastrpc_cb_legacy_probe(struct device *dev)
{
struct device_node *domains_child_node = NULL;
struct device_node *ctx_node = NULL;
- struct fastrpc_channel_ctx *chan;
- struct fastrpc_session_ctx *first_sess, *sess;
- const char *name;
- unsigned int *range = 0, range_size = 0;
- unsigned int *sids = 0, sids_size = 0;
+ struct fastrpc_channel_ctx *chan = NULL;
+ struct fastrpc_session_ctx *first_sess = NULL, *sess = NULL;
+ const char *name = NULL;
+ unsigned int *range = NULL, range_size = 0;
+ unsigned int *sids = NULL, sids_size = 0;
int err = 0, ret = 0, i;
int disable_htw = 1;
@@ -2453,17 +2462,17 @@ static void fastrpc_deinit(void)
if (chan->chan) {
kref_put_mutex(&chan->kref,
fastrpc_channel_close, &me->smd_mutex);
- chan->chan = 0;
+ chan->chan = NULL;
}
for (j = 0; j < NUM_SESSIONS; j++) {
struct fastrpc_session_ctx *sess = &chan->session[j];
if (sess->smmu.enabled) {
arm_iommu_detach_device(sess->dev);
- sess->dev = 0;
+ sess->dev = NULL;
}
if (sess->smmu.mapping) {
arm_iommu_release_mapping(sess->smmu.mapping);
- sess->smmu.mapping = 0;
+ sess->smmu.mapping = NULL;
}
}
}
@@ -2521,7 +2530,7 @@ static int __init fastrpc_device_init(void)
me->channel[i].ssrcount = 0;
me->channel[i].prevssrcount = 0;
me->channel[i].ramdumpenabled = 0;
- me->channel[i].remoteheap_ramdump_dev = 0;
+ me->channel[i].remoteheap_ramdump_dev = NULL;
me->channel[i].nb.notifier_call = fastrpc_restart_notifier_cb;
me->channel[i].handle = subsys_notif_register_notifier(
gcinfo[i].subsys,
diff --git a/drivers/char/adsprpc_compat.c b/drivers/char/adsprpc_compat.c
index 80b30a2a2b7312798786186bf06729a448e3973e..43d65910db2d33fb4b1969f8b19884632c7069b9 100644
--- a/drivers/char/adsprpc_compat.c
+++ b/drivers/char/adsprpc_compat.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2015,2017 The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -33,7 +33,7 @@
struct compat_remote_buf {
compat_uptr_t pv; /* buffer pointer */
- compat_ssize_t len; /* length of buffer */
+ compat_size_t len; /* length of buffer */
};
union compat_remote_arg {
@@ -56,13 +56,13 @@ struct compat_fastrpc_ioctl_mmap {
compat_int_t fd; /* ion fd */
compat_uint_t flags; /* flags for dsp to map with */
compat_uptr_t vaddrin; /* optional virtual address */
- compat_ssize_t size; /* size */
+ compat_size_t size; /* size */
compat_uptr_t vaddrout; /* dsps virtual address */
};
struct compat_fastrpc_ioctl_munmap {
compat_uptr_t vaddrout; /* address to unmap */
- compat_ssize_t size; /* size */
+ compat_size_t size; /* size */
};
struct compat_fastrpc_ioctl_init {
@@ -81,7 +81,7 @@ static int compat_get_fastrpc_ioctl_invoke(
unsigned int cmd)
{
compat_uint_t u, sc;
- compat_ssize_t s;
+ compat_size_t s;
compat_uptr_t p;
struct fastrpc_ioctl_invoke_fd *inv;
union compat_remote_arg *pra32;
@@ -164,7 +164,7 @@ static int compat_get_fastrpc_ioctl_mmap(
{
compat_uint_t u;
compat_int_t i;
- compat_ssize_t s;
+ compat_size_t s;
compat_uptr_t p;
int err;
@@ -198,7 +198,7 @@ static int compat_get_fastrpc_ioctl_munmap(
struct fastrpc_ioctl_munmap __user *unmap)
{
compat_uptr_t p;
- compat_ssize_t s;
+ compat_size_t s;
int err;
err = get_user(p, &unmap32->vaddrout);
diff --git a/drivers/char/adsprpc_shared.h b/drivers/char/adsprpc_shared.h
index d0a1e11871f35447f4b27b1c62664df6d2afa1e1..9fac4bb53abe969aba1980412b5558385ce83ba7 100644
--- a/drivers/char/adsprpc_shared.h
+++ b/drivers/char/adsprpc_shared.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -106,7 +106,7 @@ union remote_arg64 {
struct remote_buf {
void *pv; /* buffer pointer */
- ssize_t len; /* length of buffer */
+ size_t len; /* length of buffer */
};
union remote_arg {
@@ -127,25 +127,25 @@ struct fastrpc_ioctl_invoke_fd {
struct fastrpc_ioctl_init {
uint32_t flags; /* one of FASTRPC_INIT_* macros */
- uintptr_t __user file; /* pointer to elf file */
- int32_t filelen; /* elf file length */
+ uintptr_t file; /* pointer to elf file */
+ uint32_t filelen; /* elf file length */
int32_t filefd; /* ION fd for the file */
- uintptr_t __user mem; /* mem for the PD */
- int32_t memlen; /* mem length */
+ uintptr_t mem; /* mem for the PD */
+ uint32_t memlen; /* mem length */
int32_t memfd; /* ION fd for the mem */
};
struct fastrpc_ioctl_munmap {
uintptr_t vaddrout; /* address to unmap */
- ssize_t size; /* size */
+ size_t size; /* size */
};
struct fastrpc_ioctl_mmap {
int fd; /* ion fd */
uint32_t flags; /* flags for dsp to map with */
- uintptr_t __user *vaddrin; /* optional virtual address */
- ssize_t size; /* size */
+ uintptr_t vaddrin; /* optional virtual address */
+ size_t size; /* size */
uintptr_t vaddrout; /* dsps virtual address */
};
@@ -184,14 +184,14 @@ struct smq_invoke_rsp {
static inline struct smq_invoke_buf *smq_invoke_buf_start(remote_arg64_t *pra,
uint32_t sc)
{
- int len = REMOTE_SCALARS_LENGTH(sc);
+ unsigned int len = REMOTE_SCALARS_LENGTH(sc);
return (struct smq_invoke_buf *)(&pra[len]);
}
static inline struct smq_phy_page *smq_phy_page_start(uint32_t sc,
struct smq_invoke_buf *buf)
{
- int nTotal = REMOTE_SCALARS_INBUFS(sc) + REMOTE_SCALARS_OUTBUFS(sc);
+ uint32_t nTotal = REMOTE_SCALARS_INBUFS(sc)+REMOTE_SCALARS_OUTBUFS(sc);
return (struct smq_phy_page *)(&buf[nTotal]);
}
diff --git a/drivers/cpuidle/lpm-levels-of.c b/drivers/cpuidle/lpm-levels-of.c
index 9a226516212b48522e246ccbe4a0feb7163a8715..27955a155c3e1e9f9b6653dab36a48c1f065a875 100644
--- a/drivers/cpuidle/lpm-levels-of.c
+++ b/drivers/cpuidle/lpm-levels-of.c
@@ -804,14 +804,12 @@ failed:
void free_cluster_node(struct lpm_cluster *cluster)
{
- struct list_head *list;
int i;
+ struct lpm_cluster *cl, *m;
- list_for_each(list, &cluster->child) {
- struct lpm_cluster *n;
- n = list_entry(list, typeof(*n), list);
- list_del(list);
- free_cluster_node(n);
+ list_for_each_entry_safe(cl, m, &cluster->child, list) {
+ list_del(&cl->list);
+ free_cluster_node(cl);
};
if (cluster->cpu) {
diff --git a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
index bc6da046efdc4885c1688461bc8f8d887eb5bc2d..40124427bb78a7109abe07111f9649d240834fa0 100644
--- a/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
+++ b/drivers/media/platform/msm/camera_v2/sensor/ois/msm_ois.c
@@ -666,6 +666,10 @@ static long msm_ois_subdev_do_ioctl(
parg = &ois_data;
break;
}
+ break;
+ case VIDIOC_MSM_OIS_CFG:
+ pr_err("%s: invalid cmd 0x%x received\n", __func__, cmd);
+ return -EINVAL;
}
rc = msm_ois_subdev_ioctl(sd, cmd, parg);
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 7bdfd143dae6ab3eeea8e11777dbf2a97e79988d..e303ed012e759602e18cd7dccde3d1d3634e866b 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -2119,11 +2119,12 @@ sg_get_rq_mark(Sg_fd * sfp, int pack_id)
if ((1 == resp->done) && (!resp->sg_io_owned) &&
((-1 == pack_id) || (resp->header.pack_id == pack_id))) {
resp->done = 2; /* guard against other readers */
- break;
+ write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
+ return resp;
}
}
write_unlock_irqrestore(&sfp->rq_list_lock, iflags);
- return resp;
+ return NULL;
}
/* always adds to end of list */
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index c94b701043f6566ff0165ce69ddebb8ee3925244..d48e37bdd7b6ea81ae986aca3faf50750b7d10cc 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -32335,6 +32335,7 @@ static int wma_apfind_evt_handler(void *handle, u_int8_t *event,
u_int8_t ssid_tmp[WMI_MAX_SSID_LEN + 1];
u_int8_t *mac;
u_int32_t vdev_id;
+ u_int32_t buf_len;
if (!param_buf) {
WMA_LOGE("Invalid APFIND event buffer");
@@ -32342,8 +32343,36 @@ static int wma_apfind_evt_handler(void *handle, u_int8_t *event,
}
apfind_event_hdr = param_buf->hdr;
- WMA_LOGD("APFIND event received, id=%d, data_length=%d",
- apfind_event_hdr->event_type, apfind_event_hdr->data_len);
+ WMA_LOGD("APFIND event received, id=%d, data_len=%d",
+ apfind_event_hdr->event_type, apfind_event_hdr->data_len);
+
+ /* data_len = WMI_TLV_HDR_SIZE + length of data */
+ if (apfind_event_hdr->data_len <= WMI_TLV_HDR_SIZE) {
+ WMA_LOGE("APFIND event with no data");
+ return -EINVAL;
+ }
+
+ buf_len = param_buf->num_data;
+ if (buf_len != (apfind_event_hdr->data_len - WMI_TLV_HDR_SIZE)) {
+ WMA_LOGE("APFIND event with unmatched len: %u - %u",
+ buf_len, apfind_event_hdr->data_len);
+ return -EINVAL;
+ }
+
+ if ((apfind_event_hdr->data_len >
+ (len - sizeof(wmi_apfind_event_hdr))) ||
+ (apfind_event_hdr->data_len >
+ (WMA_SVC_MSG_MAX_SIZE - sizeof(wmi_apfind_event_hdr)))) {
+ WMA_LOGE("APFIND event with invalid data_len: %u",
+ apfind_event_hdr->data_len);
+ return -EINVAL;
+ }
+
+ if (buf_len < WMI_MAX_SSID_LEN + IEEE80211_ADDR_LEN) {
+ WMA_LOGE("APFIND event with invalid buf_len: %u", buf_len);
+ return -EINVAL;
+ }
+
buf = param_buf->data;
A_MEMZERO(ssid_tmp, sizeof(ssid_tmp));
A_MEMCPY(ssid_tmp, buf, WMI_MAX_SSID_LEN);
@@ -32352,12 +32381,10 @@ static int wma_apfind_evt_handler(void *handle, u_int8_t *event,
buf = ¶m_buf->data[WMI_MAX_SSID_LEN];
mac = buf;
- WMA_LOGD("%s, APFIND dump mac=0x%08X-0x%08X",
- __func__, *(u_int32_t *)buf, *(u_int32_t *)(buf + sizeof(u_int32_t)));
+ WMA_LOGD("%s, APFIND dump mac=%pM", __func__, mac);
- if (apfind_event_hdr->data_len >=
- (WMI_MAX_SSID_LEN + IEEE80211_ADDR_LEN + sizeof(vdev_id)
- + sizeof(apfind_event_hdr->tlv_header))) {
+ if (buf_len >=
+ (WMI_MAX_SSID_LEN + IEEE80211_ADDR_LEN + sizeof(vdev_id))) {
/* FW had the tlv_header len calculated into the data_len */
buf = ¶m_buf->data[WMI_MAX_SSID_LEN + IEEE80211_ADDR_LEN];
vdev_id = *(u_int32_t*) buf;
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_tlv_helper.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_tlv_helper.c
index 2dc7e53e52509c4e2db833cfd55c1cfdd41db24d..1268f5b3053d55b013d910650ae253ee86418f2d 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_tlv_helper.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_tlv_helper.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2014 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2014,2017-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -375,6 +375,7 @@ wmitlv_check_and_pad_tlvs(
wmitlv_cmd_param_info *cmd_param_tlvs_ptr = NULL;
A_UINT32 remaining_expected_tlvs=0xFFFFFFFF;
A_UINT32 len_wmi_cmd_struct_buf;
+ A_UINT32 free_buf_len;
/* Get the number of TLVs for this command/event */
if (wmitlv_get_attributes(is_cmd_id, wmi_cmd_event_id, WMITLV_GET_ATTRIB_NUM_TLVS, &attr_struct_ptr) != 0)
@@ -420,6 +421,12 @@ wmitlv_check_and_pad_tlvs(
A_UINT32 curr_tlv_len = WMITLV_GET_TLVLEN(WMITLV_GET_HDR(buf_ptr));
int num_padding_bytes = 0;
+ free_buf_len = param_buf_len - (buf_idx + WMI_TLV_HDR_SIZE);
+ if (curr_tlv_len > free_buf_len) {
+ wmi_tlv_print_error("%s: TLV length overflow", __func__);
+ goto Error_wmitlv_check_and_pad_tlvs;
+ }
+
/* Get the attributes of the TLV with the given order in "tlv_index" */
wmi_tlv_OS_MEMZERO(&attr_struct_ptr,sizeof(wmitlv_attributes_struc));
if (wmitlv_get_attributes(is_cmd_id, wmi_cmd_event_id, tlv_index, &attr_struct_ptr) != 0)
@@ -473,17 +480,19 @@ wmitlv_check_and_pad_tlvs(
{
A_UINT32 in_tlv_len = 0;
- if (curr_tlv_len != 0)
- {
+ if (curr_tlv_len != 0) {
in_tlv_len = WMITLV_GET_TLVLEN(WMITLV_GET_HDR(buf_ptr));
in_tlv_len += WMI_TLV_HDR_SIZE;
+ if (in_tlv_len > curr_tlv_len) {
+ wmi_tlv_print_error("%s: Invalid in_tlv_len=%d",
+ __func__, in_tlv_len);
+ goto Error_wmitlv_check_and_pad_tlvs;
+ }
tlv_size_diff = in_tlv_len - attr_struct_ptr.tag_struct_size;
num_of_elems = curr_tlv_len/in_tlv_len;
wmi_tlv_print_verbose("%s: WARN: TLV array of structures in_tlv_len=%d struct_size:%d diff:%d num_of_elems=%d \n",
__func__, in_tlv_len, attr_struct_ptr.tag_struct_size, tlv_size_diff, num_of_elems);
- }
- else
- {
+ } else {
tlv_size_diff = 0;
num_of_elems = 0;
}
@@ -562,40 +571,54 @@ wmitlv_check_and_pad_tlvs(
if (tlv_size_diff < 0)
{
- /* Incoming structure size is smaller than expected size then this needs padding for each element in the array */
+ /*
+ * Incoming structure size is smaller than expected size
+ * then this needs padding for each element in the array
+ */
/* Find amount of bytes to be padded for one element */
num_padding_bytes = tlv_size_diff * -1;
- /* Move subsequent TLVs by number of bytes to be padded for all elements */
- if (param_buf_len > (buf_idx + curr_tlv_len))
- {
+ /*
+ * Move subsequent TLVs by number of bytes to be
+ * padded for all elements
+ */
+ if (free_buf_len < attr_struct_ptr.tag_struct_size *
+ num_of_elems ||
+ param_buf_len < buf_idx + curr_tlv_len +
+ num_padding_bytes * num_of_elems) {
+ wmi_tlv_print_error("%s: Insufficent buffer\n",
+ __func__);
+ goto Error_wmitlv_check_and_pad_tlvs;
+ } else {
src_addr = buf_ptr + curr_tlv_len;
- dst_addr = buf_ptr + curr_tlv_len + (num_padding_bytes * num_of_elems);
+ dst_addr = buf_ptr + curr_tlv_len +
+ num_padding_bytes * num_of_elems;
buf_mov_len = param_buf_len - (buf_idx + curr_tlv_len);
wmi_tlv_OS_MEMMOVE(dst_addr, src_addr, buf_mov_len);
}
- /* Move subsequent elements of array down by number of bytes to be padded for one element and alse set padding bytes to zero */
+ /*
+ * Move subsequent elements of array down by number of bytes
+ * to be padded for one element and alse set padding bytes
+ * to zero
+ */
tlv_buf_ptr = buf_ptr;
- for(i=0; i<num_of_elems; i++)
+ for (i = 0; i < num_of_elems - 1; i++)
{
src_addr = tlv_buf_ptr + in_tlv_len;
- if (i != (num_of_elems-1))
- {
- /* Need not move anything for last element in the array */
- dst_addr = tlv_buf_ptr + in_tlv_len + num_padding_bytes;
- buf_mov_len = curr_tlv_len - ((i+1) * in_tlv_len);
-
- wmi_tlv_OS_MEMMOVE(dst_addr, src_addr, buf_mov_len);
- }
+ dst_addr = tlv_buf_ptr + in_tlv_len + num_padding_bytes;
+ buf_mov_len = curr_tlv_len - ((i + 1) * in_tlv_len);
+ wmi_tlv_OS_MEMMOVE(dst_addr, src_addr, buf_mov_len);
/* Set the padding bytes to zeroes */
wmi_tlv_OS_MEMZERO(src_addr, num_padding_bytes);
tlv_buf_ptr += attr_struct_ptr.tag_struct_size;
}
+ src_addr = tlv_buf_ptr + in_tlv_len;
+ wmi_tlv_OS_MEMZERO(src_addr, num_padding_bytes);
/* Update the number of padding bytes to total number of bytes padded for all elements in the array */
num_padding_bytes = num_padding_bytes * num_of_elems;
diff --git a/drivers/staging/qcacld-2.0/CORE/UTILS/FWLOG/dbglog_host.c b/drivers/staging/qcacld-2.0/CORE/UTILS/FWLOG/dbglog_host.c
index 4585f9718c1858a3bcbd0fa5615dceacaf369009..729fd786b9dab7e90dedfa7dbf7a1c00e84652c6 100644
--- a/drivers/staging/qcacld-2.0/CORE/UTILS/FWLOG/dbglog_host.c
+++ b/drivers/staging/qcacld-2.0/CORE/UTILS/FWLOG/dbglog_host.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -1539,7 +1539,7 @@ dbglog_print_raw_data(A_UINT32 *buffer, A_UINT32 length)
char parseArgsString[DBGLOG_PARSE_ARGS_STRING_LENGTH];
char *dbgidString;
- while (count < length) {
+ while ((count + 1) < length) {
debugid = DBGLOG_GET_DBGID(buffer[count + 1]);
moduleid = DBGLOG_GET_MODULEID(buffer[count + 1]);
@@ -1551,12 +1551,15 @@ dbglog_print_raw_data(A_UINT32 *buffer, A_UINT32 length)
OS_MEMZERO(parseArgsString, sizeof(parseArgsString));
totalWriteLen = 0;
+ if (!numargs || (count + numargs + 2 > length))
+ goto skip_args_processing;
+
for (curArgs = 0; curArgs < numargs; curArgs++){
// Using sprintf_s instead of sprintf, to avoid length overflow
writeLen = snprintf(parseArgsString + totalWriteLen, DBGLOG_PARSE_ARGS_STRING_LENGTH - totalWriteLen, "%x ", buffer[count + 2 + curArgs]);
totalWriteLen += writeLen;
}
-
+skip_args_processing:
if (debugid < MAX_DBG_MSGS){
dbgidString = DBG_MSG_ARR[moduleid][debugid];
if (dbgidString != NULL) {
@@ -1986,6 +1989,11 @@ dbglog_parse_debug_logs(ol_scn_t scn, u_int8_t *data, u_int32_t datalen)
len = param_buf->num_bufp;
}
+ if (len < sizeof(dropped)) {
+ AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("Invalid length\n"));
+ return A_ERROR;
+ }
+
dropped = *((A_UINT32 *)datap);
if (dropped > 0) {
AR_DEBUG_PRINTF(ATH_DEBUG_TRC , ("%d log buffers are dropped \n", dropped));
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 59ab62c92b66667e77b4ba35cd59f754584e0fd2..46a1207eb1aa340f05eee1e03dd84e49b855b382 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -197,6 +197,13 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
/* pick the first one */
list = list_first_entry(&hidg->completed_out_req,
struct f_hidg_req_list, list);
+
+ /*
+ * Remove this from list to protect it from beign free()
+ * while host disables our function
+ */
+ list_del(&list->list);
+
req = list->req;
count = min_t(unsigned int, count, req->actual - list->pos);
spin_unlock_irqrestore(&hidg->spinlock, flags);
@@ -212,15 +219,20 @@ static ssize_t f_hidg_read(struct file *file, char __user *buffer,
* call, taking into account its current read position.
*/
if (list->pos == req->actual) {
- spin_lock_irqsave(&hidg->spinlock, flags);
- list_del(&list->list);
kfree(list);
- spin_unlock_irqrestore(&hidg->spinlock, flags);
req->length = hidg->report_length;
ret = usb_ep_queue(hidg->out_ep, req, GFP_KERNEL);
- if (ret < 0)
+ if (ret < 0) {
+ free_ep_req(hidg->out_ep, req);
return ret;
+ }
+ } else {
+ spin_lock_irqsave(&hidg->spinlock, flags);
+ list_add(&list->list, &hidg->completed_out_req);
+ spin_unlock_irqrestore(&hidg->spinlock, flags);
+
+ wake_up(&hidg->read_queue);
}
return count;
@@ -455,6 +467,7 @@ static void hidg_disable(struct usb_function *f)
{
struct f_hidg *hidg = func_to_hidg(f);
struct f_hidg_req_list *list, *next;
+ unsigned long flags;
usb_ep_disable(hidg->in_ep);
hidg->in_ep->driver_data = NULL;
@@ -462,10 +475,13 @@ static void hidg_disable(struct usb_function *f)
usb_ep_disable(hidg->out_ep);
hidg->out_ep->driver_data = NULL;
+ spin_lock_irqsave(&hidg->spinlock, flags);
list_for_each_entry_safe(list, next, &hidg->completed_out_req, list) {
+ free_ep_req(hidg->out_ep, list->req);
list_del(&list->list);
kfree(list);
}
+ spin_unlock_irqrestore(&hidg->spinlock, flags);
}
static int hidg_set_alt(struct usb_function *f, unsigned intf, unsigned alt)
diff --git a/kernel/futex.c b/kernel/futex.c
index 54ebb63711f44ab795dd9d3122d6789835084665..ed99fda98cb144f5cb8b000aacbef98e0e721eac 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -400,6 +400,7 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
unsigned long address = (unsigned long)uaddr;
struct mm_struct *mm = current->mm;
struct page *page, *page_head;
+ struct address_space *mapping;
int err, ro = 0;
/*
@@ -478,7 +479,19 @@ again:
}
#endif
- lock_page(page_head);
+ /*
+ * The treatment of mapping from this point on is critical. The page
+ * lock protects many things but in this context the page lock
+ * stabilizes mapping, prevents inode freeing in the shared
+ * file-backed region case and guards against movement to swap cache.
+ *
+ * Strictly speaking the page lock is not needed in all cases being
+ * considered here and page lock forces unnecessarily serialization
+ * From this point on, mapping will be re-verified if necessary and
+ * page lock will be acquired only if it is unavoidable
+ */
+
+ mapping = READ_ONCE(page_head->mapping);
/*
* If page_head->mapping is NULL, then it cannot be a PageAnon
@@ -495,18 +508,31 @@ again:
* shmem_writepage move it from filecache to swapcache beneath us:
* an unlikely race, but we do need to retry for page_head->mapping.
*/
- if (!page_head->mapping) {
- int shmem_swizzled = PageSwapCache(page_head);
+ if (unlikely(!mapping)) {
+ int shmem_swizzled;
+
+ /*
+ * Page lock is required to identify which special case above
+ * applies. If this is really a shmem page then the page lock
+ * will prevent unexpected transitions.
+ */
+ lock_page(page);
+ shmem_swizzled = PageSwapCache(page) || page->mapping;
unlock_page(page_head);
put_page(page_head);
+
if (shmem_swizzled)
goto again;
+
return -EFAULT;
}
/*
* Private mappings are handled in a simple way.
*
+ * If the futex key is stored on an anonymous page, then the associated
+ * object is the mm which is implicitly pinned by the calling process.
+ *
* NOTE: When userspace waits on a MAP_SHARED mapping, even if
* it's a read-only handle, it's expected that futexes attach to
* the object not the particular process.
@@ -524,16 +550,74 @@ again:
key->both.offset |= FUT_OFF_MMSHARED; /* ref taken on mm */
key->private.mm = mm;
key->private.address = address;
+
+ get_futex_key_refs(key); /* implies smp_mb(); (B) */
+
} else {
+ struct inode *inode;
+
+ /*
+ * The associated futex object in this case is the inode and
+ * the page->mapping must be traversed. Ordinarily this should
+ * be stabilised under page lock but it's not strictly
+ * necessary in this case as we just want to pin the inode, not
+ * update the radix tree or anything like that.
+ *
+ * The RCU read lock is taken as the inode is finally freed
+ * under RCU. If the mapping still matches expectations then the
+ * mapping->host can be safely accessed as being a valid inode.
+ */
+ rcu_read_lock();
+
+ if (READ_ONCE(page_head->mapping) != mapping) {
+ rcu_read_unlock();
+ put_page(page_head);
+
+ goto again;
+ }
+
+ inode = READ_ONCE(mapping->host);
+ if (!inode) {
+ rcu_read_unlock();
+ put_page(page_head);
+
+ goto again;
+ }
+
+ /*
+ * Take a reference unless it is about to be freed. Previously
+ * this reference was taken by ihold under the page lock
+ * pinning the inode in place so i_lock was unnecessary. The
+ * only way for this check to fail is if the inode was
+ * truncated in parallel so warn for now if this happens.
+ *
+ * We are not calling into get_futex_key_refs() in file-backed
+ * cases, therefore a successful atomic_inc return below will
+ * guarantee that get_futex_key() will still imply smp_mb(); (B).
+ */
+ if (WARN_ON_ONCE(!atomic_inc_not_zero(&inode->i_count))) {
+ rcu_read_unlock();
+ put_page(page_head);
+
+ goto again;
+ }
+
+ /* Should be impossible but lets be paranoid for now */
+ if (WARN_ON_ONCE(inode->i_mapping != mapping)) {
+ err = -EFAULT;
+ rcu_read_unlock();
+ iput(inode);
+
+ goto out;
+ }
+
key->both.offset |= FUT_OFF_INODE; /* inode-based key */
- key->shared.inode = page_head->mapping->host;
+ key->shared.inode = inode;
key->shared.pgoff = basepage_index(page);
+ rcu_read_unlock();
}
- get_futex_key_refs(key); /* implies MB (B) */
-
out:
- unlock_page(page_head);
put_page(page_head);
return err;
}
@@ -1514,6 +1598,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
struct futex_hash_bucket *hb1, *hb2;
struct futex_q *this, *next;
+ if (nr_wake < 0 || nr_requeue < 0)
+ return -EINVAL;
+
if (requeue_pi) {
/*
* Requeue PI only works on two distinct uaddrs. This
diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c
index b02ff57a6f93bcc75a5b40109336276084423a60..a5a859c21d00001429fc24fb9e2ad2565a400b6e 100644
--- a/sound/soc/msm/qdsp6v2/q6asm.c
+++ b/sound/soc/msm/qdsp6v2/q6asm.c
@@ -203,6 +203,11 @@ static ssize_t audio_output_latency_dbgfs_read(struct file *file,
pr_err("%s: out_buffer is null\n", __func__);
return 0;
}
+ if (count < OUT_BUFFER_SIZE) {
+ pr_err("%s: read size %d exceeds buf size %zd\n", __func__,
+ OUT_BUFFER_SIZE, count);
+ return 0;
+ }
snprintf(out_buffer, OUT_BUFFER_SIZE, "%ld,%ld,%ld,%ld,%ld,%ld,",\
out_cold_tv.tv_sec, out_cold_tv.tv_usec, out_warm_tv.tv_sec,\
out_warm_tv.tv_usec, out_cont_tv.tv_sec, out_cont_tv.tv_usec);
@@ -256,6 +261,11 @@ static ssize_t audio_input_latency_dbgfs_read(struct file *file,
pr_err("%s: in_buffer is null\n", __func__);
return 0;
}
+ if (count < IN_BUFFER_SIZE) {
+ pr_err("%s: read size %d exceeds buf size %zd\n", __func__,
+ IN_BUFFER_SIZE, count);
+ return 0;
+ }
snprintf(in_buffer, IN_BUFFER_SIZE, "%ld,%ld,",\
in_cont_tv.tv_sec, in_cont_tv.tv_usec);
return simple_read_from_buffer(buf, IN_BUFFER_SIZE, ppos,