commit 5820f140edef111a9ea2ef414ab2428b8cb805b1 upstream.
The old code would hold the userns_state_mutex indefinitely if
memdup_user_nul stalled due to e.g. a userfault region. Prevent that by
moving the memdup_user_nul in front of the mutex_lock().
Note: This changes the error precedence of invalid buf/count/*ppos vs
map already written / capabilities missing.
Fixes: 22d917d80e ("userns: Rework the user_namespace adding uid/gid...")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Christian Brauner <christian@brauner.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 36476beac4f8ca9dc7722790b2e8ef0e8e51034e upstream.
It is important that all maps are less than PAGE_SIZE
or else setting the last byte of the buffer to '0'
could write off the end of the allocated storage.
Correct the misleading comment.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 82c9a927bc5df6e06b72d206d24a9d10cced4eb5 upstream.
When running in a container with a user namespace, if you call getxattr
with name = "system.posix_acl_access" and size % 8 != 4, then getxattr
silently skips the user namespace fixup that it normally does resulting in
un-fixed-up data being returned.
This is caused by posix_acl_fix_xattr_to_user() being passed the total
buffer size and not the actual size of the xattr as returned by
vfs_getxattr().
This commit passes the actual length of the xattr as returned by
vfs_getxattr() down.
A reproducer for the issue is:
    touch acl_posix
    setfacl -m user:0:rwx acl_posix
and then compile:
    #define _GNU_SOURCE
    #include <errno.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <sys/types.h>
    #include <unistd.h>
    #include <sys/xattr.h>
    /* Run in user namespace with nsuid 0 mapped to uid != 0 on the host. */
    int main(int argc, char **argv)
    {
        ssize_t ret1, ret2;
        char buf1[128], buf2[132];
        int fret = EXIT_SUCCESS;
        char *file;
        if (argc < 2) {
            fprintf(stderr,
                    "Please specify a file with "
                    "\"system.posix_acl_access\" permissions set\n");
            _exit(EXIT_FAILURE);
        }
        file = argv[1];
        ret1 = getxattr(file, "system.posix_acl_access",
                        buf1, sizeof(buf1));
        if (ret1 < 0) {
            fprintf(stderr, "%s - Failed to retrieve "
                            "\"system.posix_acl_access\" "
                            "from \"%s\"\n", strerror(errno), file);
            _exit(EXIT_FAILURE);
        }
        ret2 = getxattr(file, "system.posix_acl_access",
                        buf2, sizeof(buf2));
        if (ret2 < 0) {
            fprintf(stderr, "%s - Failed to retrieve "
                            "\"system.posix_acl_access\" "
                            "from \"%s\"\n", strerror(errno), file);
            _exit(EXIT_FAILURE);
        }
        if (ret1 != ret2) {
            fprintf(stderr, "The value of \"system.posix_acl_"
                            "access\" for file \"%s\" changed "
                            "between two successive calls\n", file);
            _exit(EXIT_FAILURE);
        }
        for (ssize_t i = 0; i < ret2; i++) {
            if (buf1[i] == buf2[i])
                continue;
            fprintf(stderr,
                    "Unexpected different in byte %zd: "
                    "%02x != %02x\n", i, buf1[i], buf2[i]);
            fret = EXIT_FAILURE;
        }
        if (fret == EXIT_SUCCESS)
            fprintf(stderr, "Test passed\n");
        else
            fprintf(stderr, "Test failed\n");
        _exit(fret);
    }
and run:
    ./tester acl_posix
On a non-fixed up kernel this should return something like:
    root@c1:/# ./t
    Unexpected different in byte 16: ffffffa0 != 00
    Unexpected different in byte 17: ffffff86 != 00
    Unexpected different in byte 18: 01 != 00
and on a fixed kernel:
    root@c1:~# ./t
    Test passed
Cc: stable@vger.kernel.org
Fixes: 2f6f0654ab ("userns: Convert vfs posix_acl support to use kuids and kgids")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=199945
Reported-by: Colin Watson <cjwatson@ubuntu.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
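
The size dependence described in the commit above can be modelled in user space. This is an added example, not kernel code and not part of the commit: the function names are hypothetical, the stored ACL is constructed, and the mapping of nsuid 0 to host uid 100000 is an assumption chosen to match the bytes a0 86 01 in the reproducer output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Value layout: 4-byte header, then 8-byte entries (le16 tag, le16 perm, le32 id). */
#define HDR_SIZE   4u
#define ENTRY_SIZE 8u
#define ACL_USER   0x02u
#define ACL_GROUP  0x08u
#define NO_ID      0xffffffffu
#define HOST_BASE  100000u /* assumption: nsuid 0 is mapped to host uid 100000 */

static void put16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void put32(unsigned char *p, uint32_t v) { put16(p, v & 0xffff); put16(p + 2, v >> 16); }
static uint16_t get16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t get32(const unsigned char *p) { return get16(p) | ((uint32_t)get16(p + 2) << 16); }

/* Entry count implied by a size, or -1 unless size is header + whole entries. */
static int acl_count(size_t size)
{
    if (size < HDR_SIZE || (size - HDR_SIZE) % ENTRY_SIZE)
        return -1;
    return (int)((size - HDR_SIZE) / ENTRY_SIZE);
}

/* Model of the to-user fixup: host ids become namespace ids, in place. */
static void fix_to_user(unsigned char *val, size_t size)
{
    int count = acl_count(size); /* -1 for a bad size: loop body never runs */
    for (int i = 0; i < count; i++) {
        unsigned char *e = val + HDR_SIZE + (size_t)i * ENTRY_SIZE;
        if (get16(e) == ACL_USER || get16(e) == ACL_GROUP)
            put32(e + 4, get32(e + 4) - HOST_BASE);
    }
}

/* Constructed stored value for "setfacl -m user:0:rwx": 5 entries, 44 bytes. */
static size_t stored_acl(unsigned char *out)
{
    static const struct { uint16_t tag, perm; uint32_t id; } ent[5] = {
        { 0x01, 6, NO_ID }, { ACL_USER, 7, HOST_BASE + 0 },
        { 0x04, 4, NO_ID }, { 0x10, 7, NO_ID }, { 0x20, 4, NO_ID },
    };
    put32(out, 2); /* ACL xattr version */
    for (size_t i = 0; i < 5; i++) {
        unsigned char *e = out + HDR_SIZE + i * ENTRY_SIZE;
        put16(e, ent[i].tag);
        put16(e + 2, ent[i].perm);
        put32(e + 4, ent[i].id);
    }
    return HDR_SIZE + 5 * ENTRY_SIZE;
}

/* The named-user e_id (bytes 16..19) a caller sees after a modelled getxattr():
 * fixed == 0 hands the fixup the buffer size (old behaviour),
 * fixed == 1 hands it the real value length. */
static uint32_t seen_uid(size_t buf_size, int fixed)
{
    unsigned char buf[256] = { 0 };
    size_t len = stored_acl(buf);
    if (buf_size < len || buf_size > sizeof(buf))
        return NO_ID;
    fix_to_user(buf, fixed ? len : buf_size);
    return get32(buf + 16);
}

int main(void)
{
    printf("old, 128-byte buffer: uid %u\n", (unsigned)seen_uid(128, 0));
    printf("old, 132-byte buffer: uid %u\n", (unsigned)seen_uid(132, 0));
    printf("new, 128-byte buffer: uid %u\n", (unsigned)seen_uid(128, 1));
    return 0;
}
```

A 128-byte buffer is not a header plus whole entries, so the old path leaves the host id in place, while 132 bytes happens to pass the size validation.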
commit 1a5d5e5d51e75a5bca67dadbcea8c841934b7b85 upstream.
'ac->ac_g_ex.fe_len' is a user-controlled value which is used in the
derivation of 'ac->ac_2order'. 'ac->ac_2order', in turn, is used to
index arrays which makes it a potential spectre gadget. Fix this by
sanitizing the value assigned to 'ac->ac_2order'. This covers the
following accesses found with the help of smatch:
* fs/ext4/mballoc.c:1896 ext4_mb_simple_scan_group() warn: potential
spectre issue 'grp->bb_counters' [w] (local cap)
* fs/ext4/mballoc.c:445 mb_find_buddy() warn: potential spectre issue
'EXT4_SB(e4b->bd_sb)->s_mb_offsets' [r] (local cap)
* fs/ext4/mballoc.c:446 mb_find_buddy() warn: potential spectre issue
'EXT4_SB(e4b->bd_sb)->s_mb_maxs' [r] (local cap)
Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Jeremy Cline <jcline@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Ib68e250bab9b81f9bb7fee298193445de77729f6
commit fe9c842695e26d8116b61b80bfb905356f07834b upstream.
The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce
this both in the NLA policy and in the code that performs the allocation
and copy, to avoid writing past the end of the allocated buffer.
Fixes: d9b8d8e19b ("NFC: llcp: Service Name Lookup netlink interface")
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
commit 109728ccc5933151c68d1106e4065478a487a323 upstream.
The above error path returns with page unlocked, so this place seems also
to behave the same.
Fixes: f8dbdf8182 ("fuse: rework fuse_readpages()")
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a2477b0e67c52f4364a47c3ad70902bc2a61bd4c upstream.
fuse_dev_splice_write() reads pipe->buffers to determine the size of
'bufs' array before taking the pipe_lock(). This is not safe as
another thread might change the 'pipe->buffers' between the allocation
and taking the pipe_lock(). So we end up with too small 'bufs' array.
Move the bufs allocations inside pipe_lock()/pipe_unlock() to fix this.
Fixes: dd3bb14f44 ("fuse: support splice() writing to fuse device")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: <stable@vger.kernel.org> # v2.6.35
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f39b3f45dbcb0343822cce31ea7636ad66e60bc2 upstream.
When ext4_find_entry() falls back to "searching the old fashioned
way" due to a corrupt dx dir, it needs to reset the error code
to NULL so that the nonstandard ERR_BAD_DX_DIR code isn't returned
to userspace.
https://bugzilla.kernel.org/show_bug.cgi?id=199947
Reported-by: Anatoly Trosinenko <anatoly.trosinenko@yandex.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 24eee1e4c47977bdfb71d6f15f6011e7b6188d04 ]
ioremap_prot() can return NULL which could lead to an oops.
Link: http://lkml.kernel.org/r/1533195441-58594-1-git-send-email-chenjie6@huawei.com
Signed-off-by: chen jie <chenjie6@huawei.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Li Zefan <lizefan@huawei.com>
Cc: chenjie <chenjie6@huawei.com>
Cc: Yang Shi <shy828301@gmail.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 5cf3006cc81d9aa09a10aa781fc065546b12919d ]
I was looking at usually suppressed gcc warnings,
[-Wimplicit-fallthrough=] in this case:
The code definitely looks like a break is missing here.
However I am not able to test the NL80211_IFTYPE_MESH_POINT,
nor do I actually know what might be :)
So please use this patch with caution and only if you are
able to do some testing.
Signed-off-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
[johannes: looks obvious enough to apply as is, interesting
though that it never seems to have been a problem]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
A header entry is deleted, but the same entry pointer used in the
routing table is not updated. Add checks to confirm whether the
header entry is present before using it, to avoid a
null pointer dereference.
Change-Id: Id1d844c60b2dcb0cc7cf18352b78d62fe5a89347
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
voice_svc_dev is allocated as a device managed resource
and need not be freed since it is freed automatically.
Remove the logic to free voice_svc_dev in probe failure
and remove functions to avoid double free.
CRs-Fixed: 2204285
Change-Id: If4f9ca840b00448b987f5ce443f66b0923b01969
Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org>
The increment logic of u64 pointer in skb_copy_to_log_buf() leads to
buffer overflow.
Modify the prototype of skb_copy_to_log_buf() function to accept
only unsigned char pointer.
CRs-Fixed: 2212592
Change-Id: I8affff1316656c1060ec57f2fb10b46f85314358
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
If our length is greater than the size of the buffer, we
overflow the buffer.
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
(from https://patchwork.kernel.org/patch/10058587/)
proc->files cleanup is initiated by binder_vma_close. Therefore
a reference on the binder_proc is not enough to prevent the
files_struct from being released while the binder_proc still has
a reference. This can lead to an attempt to dereference the
stale pointer obtained from proc->files prior to proc->files
cleanup. This has been seen once in task_get_unused_fd_flags()
when __alloc_fd() is called with a stale "files".
The fix is to always use get_files_struct() to obtain struct_files
so that the refcount on the files_struct is used to prevent
a premature free. proc->files is removed since we get it every
time.
Bug: 69164715
Change-Id: I6431027d3d569e76913935c21885201505627982
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit cfe3642b4f6541dffb4899963c61770f54b674ee)
According to CVE-2018-3587, the legacy MEMDUMP feature
should be disabled and replaced with hdd_state_info_dump().
Since hdd_state_info_dump() does not exist on this qcacld branch,
just disable the legacy MEMDUMP feature instead of replacing it.
fixes: "qcacld-2.0: Remove FW memory dump feature"
Change-Id: I0af1bd8842cee2ecdbcdde5e69b082cba8a2049c
The check_interval file in
/sys/devices/system/machinecheck/machinecheck<cpu number>
directory is a global timer value for MCE polling. If it is changed by one
CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
mce_timer variable.
If more than one CPU writes a specific value to the check_interval file
concurrently, mce_timer is not protected from such concurrent accesses and
all kinds of explosions happen. Since only root can write to those sysfs
variables, the issue is not a big deal security-wise.
However, concurrent writes to these configuration variables is void of
reason so the proper thing to do is to serialize the access with a mutex.
Boris:
- Make store_int_with_restart() use device_store_ulong() to filter out
negative intervals
- Limit min interval to 1 second
- Correct locking
- Massage commit message
Signed-off-by: Seunghun Han <kkamagui@gmail.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Tony Luck <tony.luck@intel.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com
Check for CAP_NET_ADMIN capability of the user
space application who tries to access rmnet driver IOCTL.
Bug: 36367253
Change-Id: If6bb4b54659306c5103b5e34bf02c7234c851e0a
CRs-Fixed: 2226355
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Check for stats ext info data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.
Fix is to subtract TLV header size and stats_ext_info
size from max allowed size when validating stats ext
info data length.
Change-Id: I34e35a0aab396af3d93a0f61e0ab6a2da09f22ab
CRs-Fixed: 2280404
propagation from qcacld-3.0 to qcacld-2.0
The routine wma_extscan_change_results_event_handler sends the ext scan
results to upper layers. This contains the bssid info, rssi values of
different APs that are scanned. If the num_rssi_samples is negative or
greater than UINT32_MAX, then an OOB write could happen.
Add check to ensure rssi_num is not negative or exceeds UINT32_MAX.
Also make sure the numap value is not negative.
Change-Id: If82c4fd1193c45d38bd4495c187a406deb25acad
CRs-Fixed: 2278276
propagation from qcacld-3.0 to qcacld-2.0
Check for nan rsp data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.
Fix is to subtract TLV header size and wmi_nan_event_hdr
size from max allowed size when validating nan rsp data
length.
Change-Id: I341779a33ed218fdda5d008e949ced0c8cf05590
CRs-Fixed: 2289026
In wma_unified_link_peer_stats_event_handler a check for excess WMI
buffer is done by comparing difference between WMI_SVC_MSG_MAX_SIZE and
buffer length with size of wmi_peer_stats_event_fixed_param. In case the
buffer length is a value larger than WMI_SVC_MSG_MAX_SIZE, and as buffer
length is an unsigned integer, it causes an integer overflow and results
in a very large value, thus invalidating the check.
Change the check to compare difference of WMI_SVC_MSG_MAX_SIZE and size
of wmi_peer_stats_event_fixed_param with the buffer length which
prevents chance of integer overflow.
Change-Id: Ic99d0cf6b34c7c45dde3c4feb50e102807564eff
CRs-Fixed: 2262294
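
The two orderings of the subtraction described in the commit above, side by side. This is an added example reconstructed from the commit text, not the driver's code: the function names are hypothetical and both constants are constructed stand-ins, since the page does not give the real values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins; the driver's real values are not given on this page. */
#define MSG_MAX_SIZE     1536u /* plays the role of WMI_SVC_MSG_MAX_SIZE */
#define FIXED_PARAM_SIZE 24u   /* plays the role of sizeof(wmi_peer_stats_event_fixed_param) */

/* Old form: subtract the untrusted length first. For buf_len > MSG_MAX_SIZE
 * the unsigned difference wraps to a huge value and the check passes. */
static bool old_check_accepts(uint32_t buf_len)
{
    return !((MSG_MAX_SIZE - buf_len) < FIXED_PARAM_SIZE);
}

/* New form: subtract the two constants, then compare with the untrusted
 * length, so nothing attacker-influenced takes part in the subtraction. */
static bool new_check_accepts(uint32_t buf_len)
{
    return !(buf_len > (MSG_MAX_SIZE - FIXED_PARAM_SIZE));
}

/* Smallest length in [0, limit] on which the two checks disagree, or -1. */
static long first_disagreement(uint32_t limit)
{
    for (uint64_t len = 0; len <= limit; len++)
        if (old_check_accepts((uint32_t)len) != new_check_accepts((uint32_t)len))
            return (long)len;
    return -1;
}

int main(void)
{
    printf("first length where the checks disagree: %ld\n",
           first_disagreement(4096));
    printf("old check accepts 0xffffffff: %d\n",
           old_check_accepts(0xffffffffu));
    return 0;
}
```

The checks agree on every length up to the maximum and diverge from the first length above it, which is exactly the range the old form was meant to reject.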
Propagation from cld3.0 to cld2.0.
When a channel switch request has occurred, there will not be a
hidden ssid restart event in progress. So add check to validate
if the req_msg->msg_type == WDA_HIDDEN_SSID_VDEV_RESTART.
Change-Id: Ie3195b23ff136fbfd38fcd4d32e993d4cb016316
CRs-Fixed: 2300291
Propagation from cld3.0 to cld2.0.
In the API limSendAssocReqMgmtFrame, the host
allocates memory for the assoc request packet
taking all inputs of payload and the mac header
size etc, and in case the mem allocation fails
it clears away the memory allocated to the packet
with packet free, which was not even allocated.
Fix is to remove the packet free in case of memory not
allocated.
Change-Id: I3fb75b1947dfe039605c42aa19c2d0bacc7bf55d
CRs-Fixed: 2280599
In the API sir_validate_and_rectify_ies, the driver rectifies
the RSN IE, if the AP hasn't filled the RSN capabilities in the
beacon/probe response, but has filled the length of IE as extra
2 bytes meant for the RSN capabilities. The driver tries to repair
these kinds of frames and fills the last 2 bytes of RSN IE with
default RSN capabilities, to prevent the failure of unpacking
the IEs in unpack-core. But, the driver may write these default
RSN capabilities into some other allocated memory, because the
allocated memory is only the frame length, which would result
in OOB write.
Fix is to allocate some reserve bytes in the frame
for these type of issues.
Change-Id: I46c7301f3e40f84d2c68ec9ba38702baa6926306
CRs-Fixed: 2289522
Propagation from cld3.0 to cld2.0.
Add validation check on frameLength to avoid int overflow in
csrScanSavePreferredNetworkFound function.
Change-Id: I0f2a0557fa60e81f0b9d003ae73091f2974046e8
CRs-Fixed: 2276595
propagation from qcacld-3.0 to qcacld-2.0.
The value used to dictate the end of the for loop is greater than the
size of array supp_rates; this will cause an OOB read when looping
through supp_rates. So the size of array supp_rates needs to be modified.
There's also a functional issue in that the second call to
sme_cfg_get_str() overwrites the lower values of the first call,
thus not ever allowing the lower channel rates of A to ever be
valid. So the read buffer address for the second
sme_cfg_get_str() needs to be updated.
Change-Id: I27091a9f48d1eb4d6806ebcfd2310fe848af408f
CRs-Fixed: 2257156
Ac comes from user space. Add check for ac in
limSetEdcaBcastACMFlag to avoid out-of-bounds write.
Change-Id: Id71cacc1cdadacaabe775395dc0cb230091bc21b
CRs-Fixed: 2288818
Currently variable "tx_desc_id" is from message and it
is used without check. This may cause buffer over-write.
To address this issue add check for valid "tx_desc_id".
Change-Id: Ifcdbf60ce1e0f81be77308185ab51b59746c21af
CRs-Fixed: 2178877
Currently in sme_updateP2pIe() function probe response
information element buffer is dumped before copying
the data into it; this may lead to kernel info leak.
To address this issue, copy data to information element
buffer before dumping it.
Change-Id: I65e9f83b1a245c8891ad914480fbacd744fdb0a0
CRs-Fixed: 2291491
commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream.
TPACKET_V3 stores variable length frames in fixed length blocks.
Blocks must be able to store a block header, optional private space
and at least one minimum sized frame.
Frames, even for a zero snaplen packet, store metadata headers and
optional reserved space.
In the block size bounds check, ensure that the frame of the
chosen configuration fits. This includes sockaddr_ll and optional
tp_reserve.
Syzbot was able to construct a ring with insufficient room for the
sockaddr_ll in the header of a zero-length frame, triggering an
out-of-bounds write in dev_parse_header.
Convert the comparison to less than, as zero is a valid snap len.
This matches the test for minimum tp_frame_size immediately below.
Fixes: f6fb8f100b ("af-packet: TPACKET_V3 flexible buffer implementation.")
Fixes: eb73190f4fbe ("net/packet: refine check for priv area size")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Assuming gEnableModulatedDTIM=9 and gMaxLIModulatedDTIM=9,
when AP's beacon interval is 100ms, the DUT's listen
interval is 900ms, it is OK; But if AP's beacon interval
is 200ms or more, the DUT's listen interval is 1800ms
or even more. This causes large data latency.
Change-Id: I622ae9ab21aaf23c585ca67efa8452a705f8e3f0
CRs-Fixed: 1087619
Stability issues are observed if a pm qos request is removed without being added.
Check pm qos request status before removing it.
The default request type PM_QOS_REQ_ALL_CORES is applicable to
all CPU cores that are online and would have a power impact when there are
more number of CPUs. Specify a request type as PM_QOS_REQ_AFFINE_IRQ.
CRs-Fixed: 995426
Change-Id: I738f201ed126c6be4076c582c37999362e1d0e88
Signed-off-by: Srinu Gorle <sgorle@codeaurora.org>
During video playback, L2 power collapse is occurring far too often to
actually save power. As such, apply a vote to prevent L2 PC from
occurring.
Change-Id: I1d86b47a1ed9dffb02d099d3158892bf99ed955e
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
Secure decode doesn't need userptr and uses ion fd instead. We were
conducting userptr validation regardless of the decode mode (secure/
unsecure). This forced user to populate userptr with a dummy value
during QBUF in secure mode decode on both output and capture ports
to avoid a userptr validation fail.
CRs-Fixed: 2049213
Change-Id: I0060efb52792201a2634072f648a537ebb02d17c
Signed-off-by: Prabhakar Reddy Krishnappa <prkrishn@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
When ion imports dma buf, it will return negative error number
in the case of failure like bad file number or invalid dma buf file.
Check ion_handle for error numbers.
CRs-Fixed: 1071602
Change-Id: I1ea93161b85deb667cbb6f8515ff7c6943da6e3d
Signed-off-by: Karthikeyan Periasamy <kperiasa@codeaurora.org>
Signed-off-by: Venumadhav Kurva <kurva@codeaurora.org>
In cases where DSI DMA done operation is performed but isr is
not triggered due to CPU delays, we clear only the DMA_DONE
interrupt. There is a possibility of a DSI read operation for
DSI command mode panels where the DMA_DONE interrupt is cleared and
DSI link clocks are turned off. After some time, the DSI isr gets
triggered for BTA_DONE interrupt and since DSI link clocks are off,
this causes an interrupt storm due to BTA_DONE interrupt not getting
cleared. Clear the BTA_DONE interrupt as well for cases where DMA_DONE
operation is done but isr not getting triggered.
Change-Id: Iceb02e6dd78f4bbf313e2b4d252d6a30699619f0
Signed-off-by: Padmanabhan Komanduru <pkomandu@codeaurora.org>
When video driver queues the flush event, it doesn't convey the
port which is flushed. Due to this userspace content has to
handle the event according to the flush status variables that it
maintains. This handling can go wrong when there are concurrent
flush commands from client. Address this by adding port detail
to flush event.
Change-Id: Ie9b7e35ad396ba8eed20dcca1f655b3e23f6626c
Signed-off-by: Abdulla Anam <abdullahanam@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
Driver was holding a buffer whose ref count was 1. Since firmware had
already released the reference of this buffer, there was no need for
driver to hold it. By holding the buffer in driver, the buffer gets
lost and is not returned back to client after a flush is issued.
Fix this issue by holding the buffer in driver only if firmware is holding
a reference of the mapped buffer, i.e., the ref count of the buffer is 2.
Change-Id: I18f1de06eee72019f340f68407c07ec76f1539d1
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Firmware does not have any hard requirement for pre-announcement
of input/output buffers. So, remove this driver restriction.
Change-Id: I97786d69cd12c3f162f9a00465c7b3f71d69c06c
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
If the size of captured data oversteps over SRAM boundary then
it causes corruption of configuration data. Add boundary check
while programming configuration linked list in SRAM, to avoid
this problem.
Change-Id: Idd33f53560585fdbfee4d3822fd93d6f3a365e17
Signed-off-by: Xiaogang Cui <xiaogang@codeaurora.org>
Some cases were reported where atomic unmovable allocations of order 2
fail, but kswapd does not wake up. And in such cases it was seen that,
when zone_watermark_ok check is performed to decide whether to wake up
kswapd, there were lot of CMA pages of order 2 and above. This makes
the watermark check succeed resulting in kswapd not being woken up. But
since these atomic unmovable allocations can't come from CMA region,
further atomic allocations keep failing, without kswapd trying to
reclaim. Usually concurrent movable allocations result in reclaim and
improve the situation, but the case reported was from a network test
which was resulting in only atomic skb allocations being attempted.
Change-Id: If953b8a8cfb0a5caa1fb63d3c032b194942f8091
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
Signed-off-by: Prakash Gupta <guptap@codeaurora.org>
Add per free area nr_free_cma counter. The idea is
to also track the number of cma pages present in
free pages. This will be used in later patches to
fix issues with zone_watermark_ok.
Change-Id: I97da9d2f3642db56fc541c48ab56a7ce78e2333c
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
Signed-off-by: Prakash Gupta <guptap@codeaurora.org>