From ae8e7adfc76546ce6f79f56a56fc133b5e0de043 Mon Sep 17 00:00:00 2001
From: Patrick Tjin <pattjin@google.com>
Date: Tue, 22 Mar 2016 09:16:08 -0700
Subject: [PATCH] Revert "Keep history after reset to 9a3e9ef"

This reverts commit 86f0372f71a5cebe0dec80ce5b0c881eb47ec05e, reversing
changes made to 06ec64c1d65f5a57d51dd2883b15633cdd61941c.

Change-Id: I8bf3d97e292de687b29efff33950ddf779cbb842
Signed-off-by: Patrick Tjin <pattjin@google.com>
---
 arch/arm/mach-msm/perf_event_msm_krait_l2.c | 21 ++++++++---
 drivers/media/platform/msm/vidc/msm_vidc.c  | 30 ++++++++--------
 drivers/misc/drv2605.c                      | 40 ++++++++++++++++-----
 drivers/net/wireless/bcmdhd/wl_cfg80211.c   | 10 +++---
 drivers/platform/msm/ipa/rmnet_ipa.c        |  5 +++
 5 files changed, 74 insertions(+), 32 deletions(-)

diff --git a/arch/arm/mach-msm/perf_event_msm_krait_l2.c b/arch/arm/mach-msm/perf_event_msm_krait_l2.c
index 47816c9c04a8..0b85c759cd52 100644
--- a/arch/arm/mach-msm/perf_event_msm_krait_l2.c
+++ b/arch/arm/mach-msm/perf_event_msm_krait_l2.c
@@ -18,13 +18,15 @@
 
 #include <mach/msm-krait-l2-accessors.h>
 
+#define PMU_CODES_SIZE 64
+
 /*
  * The L2 PMU is shared between all CPU's, so protect
  * its bitmap access.
  */
 struct pmu_constraints {
 	u64 pmu_bitmap;
-	u8 codes[64];
+	u8 codes[PMU_CODES_SIZE];
 	raw_spinlock_t lock;
 } l2_pmu_constraints = {
 	.pmu_bitmap = 0,
@@ -427,10 +429,9 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)
 	u8 group = evt_type & 0x0000F;
 	u8 code = (evt_type & 0x00FF0) >> 4;
 	unsigned long flags;
-	u32 err = 0;
+	int err = 0;
 	u64 bitmap_t;
 	u32 shift_idx;
-
 	if (evt_prefix == L2_TRACECTR_PREFIX)
 		return err;
 	/*
@@ -444,6 +445,11 @@ static int msm_l2_test_set_ev_constraint(struct perf_event *event)
 
 	shift_idx = ((reg * 4) + group);
 
+	if (shift_idx >= PMU_CODES_SIZE) {
+		err =  -EINVAL;
+		goto out;
+	}
+
 	bitmap_t = 1 << shift_idx;
 
 	if (!(l2_pmu_constraints.pmu_bitmap & bitmap_t)) {
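Review bot: The new bound lets shift_idx reach 63, but the next line still computes `bitmap_t = 1 << shift_idx;` with an int-typed `1`, so any index from 31 upward overflows or exceeds the width of int, which is undefined and cannot address the upper half of the u64 bitmap. Writing it as `bitmap_t = 1ULL << shift_idx;` makes the mask cover the same 64 entries as the `codes` array that the check protects. The same expression follows the identical check in msm_l2_clear_ev_constraint. The `out` label and the lock acquisition for this function are outside the hunk, so it is worth confirming that the `goto out` is taken with the lock held and lands on the unlock path.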
@@ -484,6 +490,7 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
 	unsigned long flags;
 	u64 bitmap_t;
 	u32 shift_idx;
+	int err = 1;
 
 	if (evt_prefix == L2_TRACECTR_PREFIX)
 		return 1;
@@ -491,6 +498,10 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
 
 	shift_idx = ((reg * 4) + group);
 
+	if (shift_idx >= PMU_CODES_SIZE) {
+		err = -EINVAL;
+		goto out;
+	}
 	bitmap_t = 1 << shift_idx;
 
 	/* Clear constraint bit. */
@@ -498,9 +509,9 @@ static int msm_l2_clear_ev_constraint(struct perf_event *event)
 
 	/* Clear code. */
 	l2_pmu_constraints.codes[shift_idx] = -1;
-
+out:
 	raw_spin_unlock_irqrestore(&l2_pmu_constraints.lock, flags);
-	return 1;
+	return err;
 }
 
 int get_num_events(void)
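Review bot: msm_l2_clear_ev_constraint now returns either 1 or -EINVAL, and both are non-zero, so a caller that only tests the result for truth would treat a rejected index as a successful clear. The callers are outside this hunk; any that do this need an explicit `< 0` check. A short comment above the function would pin the convention, for example `/* Returns 1 on success or for trace counters, -EINVAL if the event maps outside codes[]. */`. The function body starts outside this hunk.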
diff --git a/drivers/media/platform/msm/vidc/msm_vidc.c b/drivers/media/platform/msm/vidc/msm_vidc.c
index cfa46dc98e29..198744da2981 100644
--- a/drivers/media/platform/msm/vidc/msm_vidc.c
+++ b/drivers/media/platform/msm/vidc/msm_vidc.c
@@ -714,11 +714,23 @@ int output_buffer_cache_invalidate(struct msm_vidc_inst *inst,
 	return 0;
 }
 
+static bool valid_v4l2_buffer(struct v4l2_buffer *b,
+		struct msm_vidc_inst *inst) {
+	enum vidc_ports port =
+		!V4L2_TYPE_IS_MULTIPLANAR(b->type) ? MAX_PORT_NUM :
+		b->type == V4L2_BUF_TYPE_VIDEO_CAPTURE_MPLANE ? CAPTURE_PORT :
+		b->type == V4L2_BUF_TYPE_VIDEO_OUTPUT_MPLANE ? OUTPUT_PORT :
+								MAX_PORT_NUM;
+
+	return port != MAX_PORT_NUM &&
+		inst->fmts[port]->num_planes == b->length;
+}
+
 int msm_vidc_prepare_buf(void *instance, struct v4l2_buffer *b)
 {
 	struct msm_vidc_inst *inst = instance;
 
-	if (!inst || !b)
+	if (!inst || !b || !valid_v4l2_buffer(b, inst))
 		return -EINVAL;
 
 	if (is_dynamic_output_buffer_mode(b, inst)) {
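Review bot: valid_v4l2_buffer reads `inst->fmts[port]->num_planes` without checking that the format slot is populated, so the three entry points that now call it would fault on an instance whose fmts[] entry is still NULL. Whether fmts[] is always filled before prepare_buf, qbuf and dqbuf become reachable is not visible here; if that is not guaranteed, guard it with `return port != MAX_PORT_NUM && inst->fmts[port] && inst->fmts[port]->num_planes == b->length;`. The helper would also benefit from a one-line comment saying that it accepts only the two multiplanar buffer types and requires `b->length` to equal the negotiated plane count. Kernel style places a function's opening brace on its own line.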
@@ -872,15 +884,9 @@ int msm_vidc_qbuf(void *instance, struct v4l2_buffer *b)
 	int rc = 0;
 	int i;
 
-	if (!inst || !b)
+	if (!inst || !b || !valid_v4l2_buffer(b, inst))
 		return -EINVAL;
 
-	if (b->length > VIDEO_MAX_PLANES) {
-		dprintk(VIDC_ERR, "num planes exceeds max: %d\n",
-			b->length);
-		return -EINVAL;
-	}
-
 	if (is_dynamic_output_buffer_mode(b, inst)) {
 		if (b->m.planes[0].reserved[0])
 			inst->map_output_buffer = true;
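Review bot: With the explicit `b->length > VIDEO_MAX_PLANES` test removed here and in msm_vidc_dqbuf, the upper bound on the plane count rests entirely on `fmts[port]->num_planes` never exceeding VIDEO_MAX_PLANES, which nothing in this patch enforces or documents. The code that consumes b->length is outside the hunk. Either keep the cap inside valid_v4l2_buffer (`b->length <= VIDEO_MAX_PLANES &&`) or state the invariant in a comment there. The removed dprintk calls were also the only trace of a rejected buffer, so a VIDC_ERR message in the helper would keep malformed requests visible in the logs.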
@@ -955,14 +961,8 @@ int msm_vidc_dqbuf(void *instance, struct v4l2_buffer *b)
 	struct buffer_info *buffer_info = NULL;
 	int i = 0, rc = 0;
 
-	if (!inst || !b)
-		return -EINVAL;
-
-	if (b->length > VIDEO_MAX_PLANES) {
-		dprintk(VIDC_ERR, "num planes exceed maximum: %d\n",
-			b->length);
+	if (!inst || !b || !valid_v4l2_buffer(b, inst))
 		return -EINVAL;
-	}
 
 	if (inst->session_type == MSM_VIDC_DECODER)
 		rc = msm_vdec_dqbuf(instance, b);
diff --git a/drivers/misc/drv2605.c b/drivers/misc/drv2605.c
index ad07ad6ade78..0cadec574cc4 100755
--- a/drivers/misc/drv2605.c
+++ b/drivers/misc/drv2605.c
@@ -991,16 +991,28 @@ static struct i2c_driver drv260x_driver = {
 
 static char read_val;
 
-static ssize_t drv260x_read(struct file *filp, char *buff, size_t length,
+static ssize_t drv260x_read(struct file *filp, char __user *buff, size_t length,
 			    loff_t * offset)
 {
-	buff[0] = read_val;
-	return 1;
+	size_t tocopy = min(length, sizeof(read_val));
+
+	if (copy_to_user(buff, &read_val, tocopy))
+		return -EFAULT;
+
+	return tocopy;
 }
 
-static ssize_t drv260x_write(struct file *filp, const char *buff, size_t len,
+static ssize_t drv260x_write(struct file *filp, const char __user *buff, size_t len,
 			     loff_t * off)
 {
+	char cmdid;
+
+	if (len < 1)
+		return -EINVAL;
+
+	if (copy_from_user(&cmdid, buff, 1))
+		return -EFAULT;
+
 	mutex_lock(&vibdata.lock);
 	hrtimer_cancel(&vibdata.timer);
 
@@ -1013,13 +1025,14 @@ static ssize_t drv260x_write(struct file *filp, const char *buff, size_t len,
 		drv260x_standby();
 	}
 
-	switch (buff[0]) {
+	switch (cmdid) {
 	case HAPTIC_CMDID_PLAY_SINGLE_EFFECT:
 	case HAPTIC_CMDID_PLAY_EFFECT_SEQUENCE:
 		{
 			memset(&vibdata.sequence, 0, sizeof(vibdata.sequence));
 			if (!copy_from_user
-			    (&vibdata.sequence, &buff[1], len - 1)) {
+			    (&vibdata.sequence, &buff[1],
+			     min(len - 1, sizeof(vibdata.sequence)))) {
 				vibdata.should_stop = NO;
 				wake_lock(&vibdata.wklock);
 				schedule_work(&vibdata.work_play_eff);
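Review bot: A failed copy_from_user in the effect-sequence case appears to be silently ignored: the `if (!copy_from_user(...))` has no else branch in view, so the write would presumably still report success with vibdata.sequence left zeroed or partly filled, whereas the timed-effect case in the next hunk sets `len = -EFAULT`. The rest of this case body is outside the hunk; if there is no failure path, add `else len = -EFAULT;` so both cases behave the same. The `min(len - 1, sizeof(vibdata.sequence))` clamp relies on the `len < 1` rejection at the top of the function to keep `len - 1` from wrapping, which deserves a brief comment at the clamp.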
@@ -1028,12 +1041,23 @@ static ssize_t drv260x_write(struct file *filp, const char *buff, size_t len,
 		}
 	case HAPTIC_CMDID_PLAY_TIMED_EFFECT:
 		{
+			char data[2] = {0, 0};
 			unsigned int value = 0;
 			char mode;
 
-			value = buff[2];
+			if (len < (sizeof(data) + 1)) {
+				len = -EINVAL;
+				break;
+			}
+
+			if (copy_from_user(&data, &buff[1], sizeof(data))) {
+				len = -EFAULT;
+				break;
+			}
+
+			value = data[1];
 			value <<= 8;
-			value |= buff[1];
+			value |= data[0];
 
 			if (value) {
 				wake_lock(&vibdata.wklock);
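Review bot: `char data[2]` makes the 16-bit duration depend on the signedness of plain char: where char is signed, a low byte of 0x80 or above is sign-extended by `value |= data[0]` and sets every upper bit of `value`. Declaring it `u8 data[2] = {0, 0};` removes that dependence, and `copy_from_user(data, &buff[1], sizeof(data))` reads more naturally than passing `&data`. The error paths store a negative errno in `len`, which is a size_t, and rely on the conversion back to ssize_t at a return that is outside this hunk; a separate `ssize_t` result variable would make that explicit.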
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index fa3db9a4e578..399c71b29656 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -1175,10 +1175,12 @@ wl_validate_wps_ie(char *wps_ie, s32 wps_ie_len, bool *pbc)
 		} else if (subelt_id == WPS_ID_DEVICE_NAME) {
 			char devname[100];
 			size_t namelen = MIN(subelt_len, sizeof(devname));
-			memcpy(devname, subel, namelen);
-			devname[namelen-1] = '\0';
-			WL_DBG(("  attr WPS_ID_DEVICE_NAME: %s (len %u)\n",
-				devname, subelt_len));
+			if (namelen) {
+				memcpy(devname, subel, namelen);
+				devname[namelen - 1] = '\0';
+				WL_DBG(("  attr WPS_ID_DEVICE_NAME: %s (len %u)\n",
+					devname, subelt_len));
+			}
 		} else if (subelt_id == WPS_ID_DEVICE_PWD_ID) {
 			valptr[0] = *subel;
 			valptr[1] = *(subel + 1);
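Review bot: The new `if (namelen)` guard handles only the zero-length case; nothing in this hunk checks subelt_len against the bytes left in wps_ie, so the memcpy can still read up to sizeof(devname) bytes beyond a truncated element unless the enclosing loop, which is outside the hunk, already bounds it. The same applies to the WPS_ID_DEVICE_PWD_ID branch just below, which reads two bytes from subel without testing subelt_len. Separately, `devname[namelen - 1] = '\0'` overwrites the last byte of every name, not only over-long ones; `namelen = MIN(subelt_len, sizeof(devname) - 1)` followed by `devname[namelen] = '\0'` keeps the full name and makes the zero-length guard unnecessary.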
diff --git a/drivers/platform/msm/ipa/rmnet_ipa.c b/drivers/platform/msm/ipa/rmnet_ipa.c
index 65086e12026c..0d92d091ded2 100644
--- a/drivers/platform/msm/ipa/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/rmnet_ipa.c
@@ -1035,6 +1035,11 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 					rmnet_mux_val.mux_id);
 				return rc;
 			}
+			if (rmnet_index >= MAX_NUM_OF_MUX_CHANNEL) {
+				IPAWANERR("Exceed mux_channel limit(%d)\n",
+				rmnet_index);
+				return -EFAULT;
+			}
 			IPAWANDBG("ADD_MUX_CHANNEL(%d, name: %s)\n",
 			extend_ioctl_data.u.rmnet_mux_val.mux_id,
 			extend_ioctl_data.u.rmnet_mux_val.vchannel_name);
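Review bot: The new limit check returns -EFAULT, which user space reads as a bad pointer; a full mux-channel table is better reported with `return -ENOSPC;` (or -EINVAL), and the IPAWANERR argument line should be indented under the opening parenthesis. Whether rmnet_index can change between this test and the later table write depends on locking that is outside the hunk. The IPAWANDBG that follows prints vchannel_name with `%s`; if that buffer comes from the ioctl payload without a forced terminator, it should be NUL-terminated before it is logged or copied, which cannot be verified from these lines.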
-- 
GitLab