prima to qcacld-2.0 propagation
Validate cfg_ini before dereferencing the ini
parameter gEnableRoamDelayStats.
Change-Id: I0b2b78f8838cb1c46c60669b8f327ac18e863e80
CRs-Fixed: 1059205
[ Upstream commit 70ba5b6db96ff7324b8cfc87e0d0383cf59c9677 ]
The low and high values of the net.ipv4.ping_group_range sysctl were
being silently forced to the default disabled state when a write to the
sysctl contained GIDs that didn't map to the associated user namespace.
Confusingly, the sysctl's write operation would return success and then
a subsequent read of the sysctl would indicate that the low and high
values are the overflowgid.
This patch changes the behavior by clearly returning an error when the
sysctl write operation receives a GID range that doesn't map to the
associated user namespace. In such a situation, the previous value of
the sysctl is preserved and that range will be returned in a subsequent
read of the sysctl.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1236f22fbae15df3736ab4a984c64c0c6ee6254c ]
If SACK is not enabled and the first cumulative ACK after the RTO
retransmission covers more than the retransmitted skb, a spurious
FRTO undo will trigger (assuming FRTO is enabled for that RTO).
The reason is that any non-retransmitted segment acknowledged will
set FLAG_ORIG_SACK_ACKED in tcp_clean_rtx_queue even if there is
no indication that it would have been delivered for real (the
scoreboard is not kept with TCPCB_SACKED_ACKED bits in the non-SACK
case so the check for that bit won't help like it does with SACK).
Having FLAG_ORIG_SACK_ACKED set results in the spurious FRTO undo
in tcp_process_loss.
We need to use a stricter condition for the non-SACK case and check
that none of the cumulatively ACKed segments were retransmitted
to prove that progress is due to original transmissions. Only then
keep FLAG_ORIG_SACK_ACKED set, allowing FRTO undo to proceed in the
non-SACK case.
(FLAG_ORIG_SACK_ACKED is planned to be renamed to FLAG_ORIG_PROGRESS
to better indicate its purpose but to keep this change minimal, it
will be done in another patch).
Besides burstiness and congestion control violations, this problem
can result in an RTO loop: when the loss recovery is prematurely
undone, only new data will be transmitted (if available) and
the next retransmission can occur only after a new RTO, which in case
of multiple losses (that are not for consecutive packets) requires
one RTO per loss to recover.
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Tested-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Variable map may point to the same buffer under race conditions
in functions fastrpc_internal_mmap and fastrpc_internal_munmap;
use a mutex to avoid race conditions on the same buffer.
Change-Id: I96ed884c44a36f574677ba3ba189dfbf2ce3751d
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
When set_buffers fails, binfo is freed and again accessed
while freeing smem memory.
CRs-Fixed: 2118860
Change-Id: Ifdd683f907862665e34d6d39d5a8634984804c01
Signed-off-by: Chinmay Sawarkar <chinmays@codeaurora.org>
CVE-2018-5844
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
In the code, start_fetch can try to access the
buffer pointer variable after free, as the
same pointer can be freed at RELEASE_BUF call
at the same time.
CRs-Fixed: 2149998
Change-Id: Ic83f22336504cf67afe12131f791eee25477f011
Signed-off-by: Meera Gande <mgande@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
Bug: 69065862
Signed-off-by: Sean Callanan <spyffe@google.com>
This fix checks the validity of dci client's process descriptor
before issuing a signal to it when subsystem restart is performed.
This fix avoids accessing cleaned-up process descriptor's fields.
CRs-Fixed: 2047235
Change-Id: Ic26977dc22c68f0a7007dd963c9273bba2a5dbfe
Signed-off-by: Gopikrishna Mogasati <gmogas@codeaurora.org>
This patch provides the protection on the dci session by
checking that the session pid and task pid are the same.
CRs-Fixed: 1008138
Change-Id: I7d78a13032365a42097ad71cfd0abab2792a1b98
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
The following change causes unnecessary warnings to be printed for IRQs
which are affine to several CPUs when one of these CPUs is taken
offline. It shouldn't be considered a broken affinity when one online
CPU can satisfy the IRQ's affinity preference.
commit 0410136f26
Author: Praveen Chidambaram <pchidamb@codeaurora.org>
Date: Mon Jun 23 08:58:08 2014 -0600
arm: irq: Notify affinity change when migrating IRQs during hotplug
Hotplug causes IRQs affine to a core that is being taken down to migrate
to an online core. This is done by directly calling the irq_set_affinity
associated with the irq_chip structure. Instead using the
irq_set_affinity() api lets the notifications bubble through.
Change-Id: Id4ab4e751f647cbe07ab159f371a5ef94db988cf
Signed-off-by: Peng Liu <a22543@motorola.com>
Reviewed-on: http://gerrit.mot.com/755421
SLTApproved: Slta Waiver <sltawvr@motorola.com>
SME-Granted: SME Approvals Granted
Tested-by: Jira Key <jirakey@motorola.com>
Reviewed-by: Lian-Wei Wang <lian-wei.wang@motorola.com>
Reviewed-by: Christopher Fries <cfries@motorola.com>
Submit-Approved: Jira Key <jirakey@motorola.com>
qcacld-3.0 to qcacld-2.0 propagation
In function wma_extscan_cached_results_event_handler,
event->num_entries_in_page is received from the FW and is used in the
function wma_extscan_find_unique_scan_ids to calculate scan_ids_cnt
from src_rssi buffer. If the value of num_entries_in_page is greater
than the number of src_rssi buffers present, a buffer overread would
occur in the function wma_extscan_find_unique_scan_ids.
There is already a check in place to validate num_entries_in_page in
the function wma_extscan_cached_results_event_handler; however, it is done
after the call to wma_extscan_find_unique_scan_ids.
Move the checks on num_entries_in_page before using it in the function
wma_extscan_cached_results_event_handler.
Change-Id: I303c0f7f2f150fe0b96d5473370b9553ae61304d
CRs-Fixed: 2221702
The use of TAILQ_FOREACH for freeing the fw_stats list during
pdev detach causes a use-after-free condition, which can lead
to unexpected behavior during the driver load or unload.
Fix the possible use-after-free condition in pdev detach by
using TAILQ_FOREACH_SAFE instead of TAILQ_FOREACH for freeing
the fw_stats list.
CRs-Fixed: 2257124
Change-Id: I5dfcc5e3f0d2e77a5f6226eca06bc6ab1af4e643
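As an added illustration of the pattern this fix describes (example code, not the driver's own), the detach loop below tears down a hypothetical fw_stats list with TAILQ_FOREACH_SAFE; the struct and function names are assumptions and the queued entries are constructed:

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/*
 * Fallback for C libraries whose <sys/queue.h> omits the _SAFE iterator
 * (glibc's does); this is the standard BSD definition.  The successor is
 * read into 'tvar' BEFORE the loop body runs, so the body may free 'var'.
 */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)                 \
    for ((var) = TAILQ_FIRST((head));                               \
         (var) && ((tvar) = TAILQ_NEXT((var), field), 1);           \
         (var) = (tvar))
#endif

/* Hypothetical stand-in for the driver's per-pdev fw_stats list entry. */
struct fw_stats {
    unsigned int stats_id;
    TAILQ_ENTRY(fw_stats) list;
};
TAILQ_HEAD(fw_stats_head, fw_stats);

/* Attach path: queue n constructed entries.  Returns the number queued. */
static int fw_stats_populate(struct fw_stats_head *head, int n)
{
    int i;
    for (i = 0; i < n; i++) {
        struct fw_stats *entry = calloc(1, sizeof(*entry));
        if (!entry)
            return i;
        entry->stats_id = (unsigned int)i;
        TAILQ_INSERT_TAIL(head, entry, list);
    }
    return n;
}

/*
 * Detach path: release every queued entry.
 *
 * The unsafe form is
 *     TAILQ_FOREACH(entry, head, list) { free(entry); }
 * because TAILQ_FOREACH advances through entry->list.tqe_next AFTER the
 * body has already freed 'entry': a read of freed memory, which is the
 * use-after-free the commit describes.  The _SAFE variant caches the
 * successor before the body runs.  Returns the number of entries freed.
 */
static int fw_stats_free_all(struct fw_stats_head *head)
{
    struct fw_stats *entry, *next;
    int freed = 0;

    TAILQ_FOREACH_SAFE(entry, head, list, next) {
        TAILQ_REMOVE(head, entry, list);   /* keep the head consistent */
        free(entry);
        freed++;
    }
    return freed;
}

/* Build a list of n entries, tear it down, and report whether the detach
 * freed exactly n entries and left an empty list (1 = ok, 0 = mismatch). */
int fw_stats_detach_ok(int n)
{
    struct fw_stats_head head;
    int queued, freed;

    TAILQ_INIT(&head);
    queued = fw_stats_populate(&head, n);
    freed = fw_stats_free_all(&head);
    return queued == n && freed == n && TAILQ_EMPTY(&head);
}
```

Running the tear-down under an address sanitizer or a kernel with KASAN is how the unsafe TAILQ_FOREACH form shows up as a read of freed memory; the _SAFE form produces no such report.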
strlen() is unsafe for getting a string length. Change it to strnlen() in
wma_send_udp_resp_offload_cmd to avoid a potential OOB read.
Change-Id: I8b6fd9239b7f9e4bdb4facd217bbc1f9f914ac4c
CRs-Fixed: 2226834
Currently tx desc id is extracted from HTT message and it is used
without check. This may cause possible OOB array read. To address
this add check for valid tx desc id.
Change-Id: I121fc4d550aa587f00ec315e3a20dfb136f4d7af
CRs-Fixed: 2225461
Currently data in "pl_tgt_hdr" is used directly from firmware without
any length check, which may cause a buffer over-read.
To address this issue, add a length check before accessing the data offset.
Change-Id: Ic2930fdf7168b79a8522be282b0e1cd19214742a
CRs-Fixed: 2240226
propagation from qcacld-3.0 to qcacld-2.0
Fix buffer overwrite in limMlmAddBss() by adding
validation check.
Change-Id: I67b8b63b6de33390ee5288fc6f6cef52f9203c1f
CRs-Fixed: 2268657
Revert the changes of Validating NLA attr in
wlan_hdd_cfg80211_ocb_set_config API to fix the
dsrc_config fail issue.
Change-Id: I5037498a510820a86cba9e61149640a957b46086
CRs-Fixed: 2218073
The buffer allocated with length "ATH6KL_FWLOG_PAYLOAD_SIZE"
is not initialized; this may lead to an information leak during
memcpy when len < ATH6KL_FWLOG_PAYLOAD_SIZE.
To resolve this issue, memset the buffer for length
(ATH6KL_FWLOG_PAYLOAD_SIZE - len) to 0.
Change-Id: If4a49347d674ad2af0438b408a4a4b9308c61026
CRs-Fixed: 2253103
Propagation from qcacld-3.0 to qcacld-2.0
Stats events are sent by WLAN FW based on over the air frame reception
and may contain incorrect vdev id hence sanitize vdev id received from
FW in stats events before accessing interface array based on it.
Change-Id: I4ecc73fc27285c98c0ea8cebc27955213cd68399
CRs-Fixed: 2264008
In commit I5c79bff3427a842036af788fea5003a96c7696a6,
the ssid IE length address is compared in limLookupNaddHashEntry,
which results in a memory leak. Compare the ssid IE length to fix
this issue.
Change-Id: I8fbf12b612297443319a9f5ff17140758200721b
CRs-Fixed: 2266859
Without this patch, the fields app_solicit, gc_thresh1, gc_thresh2,
gc_thresh3, proxy_qlen, ucast_solicit, mcast_solicit could have
assumed negative values when setting large numbers.
Signed-off-by: Francesco Fusco <ffusco@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
thresh and interval are global resources,
only init net can change them.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Though we don't export the /proc/sys/net/ipv[4,6]/neigh/default/
directory to the un-init_net, we can still use a cmd such as
"ip ntable change name arp_cache locktime 129" to change the locktime
of default neigh_parms.
This patch disallows the un-init_net from finding the neigh_table.parms,
so the un-init_net will fail to influence the init_net.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
neigh_table.parms always exists and is initialized; kmemdup
can use it to create new neigh_parms. Actually, lookup_neigh_parms
here will return neigh_table.parms too.
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The neighbour code sends up an RTM_NEWNEIGH netlink notification if
the NUD state of a neighbour cache entry is changed by a timer (e.g.
from REACHABLE to STALE), even if the lladdr of the entry has not
changed.
But an administrative change to the NUD state of a neighbour cache
entry that does not change the lladdr (e.g. via "ip -4 neigh change
... nud ...") does not trigger a netlink notification. This means
that netlink listeners will not hear about administrative NUD state
changes such as from a resolved state to PERMANENT.
This patch changes the neighbor code to generate an RTM_NEWNEIGH
message when the NUD state of an entry is changed administratively.
Signed-off-by: Bob Gilligan <gilligan@aristanetworks.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Because those following if conditions will not be matched.
Signed-off-by: Duan Jiong <duanj.fnst@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Currently we always use the first member of the arp_queue to determine
the sender ip address of the arp packet (or in case of IPv6 - source
address of the ndisc packet). This skb is fixed as long as the queue is
not drained by a complete purge because of a timeout or by a successful
response.
If the first packet enqueued on the arp_queue is from a local application
with a manually set source address and the to be discovered system
does some kind of uRPF checks on the source address in the arp packet
the resolving process hangs until a timeout and restarts. This hurts
communication with the participating network node.
This could be mitigated a bit if we use the latest enqueued skb's
source address for the resolving process, which is not as static as
the arp_queue's head. This change of the source address could result in
better recovery of a failed solicitation.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Julian Anastasov <ja@ssi.bg>
Reviewed-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit ce00bf07cc95a57cd20b208e02b3c2604e532ae8 upstream.
The old code would indefinitely block other users of nf_log_mutex if
a userspace access in proc_dostring() blocked e.g. due to a userfaultfd
region. Fix it by moving proc_dostring() out of the locked region.
This is a followup to commit 266d07cb1c ("netfilter: nf_log: fix
sleeping function called from invalid context"), which changed this code
from using rcu_read_lock() to taking nf_log_mutex.
Fixes: 266d07cb1c ("netfilter: nf_log: fix sleeping function calle[...]")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Increase the inactivity timeout to 75ms to prevent kickout.
Fixes: qcacld-2.0: sustain wlan in low PS mode
Change-Id: Ia12cb4d74c20075aa238136482bb319e2a87599b
If a BSS is present in the kernel and driver scan cache, the supplicant
tries to connect to the BSS multiple times even if the BSS is
unreachable. Due to multiple failures to connect, the supplicant
disables the network.
To avoid this, remove the BSS from the scan cache:
- If connect fails due to the BSS being unreachable, i.e. probe
resp/auth/assoc timeout and scan-for-ssid failure.
- If disconnect is due to link lost.
Change-Id: I3263dd02691000d83d4aef61c75b72d78c28f582
CRs-Fixed: 1039104
Commit "cfg80211: add bss_type and privacy arguments in
cfg80211_get_bss()" was backported to kernel-3.18.
This commit updates the new bss_type and privacy argument, so adding
the Kernel version check accordingly.
cfg80211_get_bss new signature is:
struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy,
struct ieee80211_channel *channel, const u8 *bssid,
const u8 *ssid, size_t ssid_len, enum ieee80211_bss_type bss_type,
enum ieee80211_privacy);
Since this needs a backport change from Kernel 4.1, the Kernel
version check and the feature macro - IEEE80211_PRIVACY check is used
to enclose the new changes.
Change-Id: I2eee1d7297b3dbd8ee5b5c89677e76bacbb47e03
CRs-Fixed: 984939
If gEnableDynamicSTAChainMask is set and the DUT is connected to a 1x1
AP, TDLS uses 1x1 even if the peer is capable of 2x2.
To fix this, set the chainmask to 2x2 once a TDLS peer is connected, and
fall back to the AP's capability once all TDLS peers are disconnected.
Change-Id: Ia003d02b142dcd51582c20359ee44a181620e4e3
CRs-Fixed: 1021796
In case of dynamic chain mask for SAP case, driver does not
update correct chain mask due to station specific validation.
Move the validation to station related code.
Change-Id: I2d75610457e157acc2a3d7445a5f39b16eaf2007
CRs-Fixed: 1014181
Add support for dynamic chainmask for STA.
- Set chainmask to 1x1 during driver load.
- Set chainmask to 2x2 if any session is started on connect or
start bss request.
- In association completion, connect failure, disconnect handler,
start BSS failure and stop BSS, take the decision considering the number
of active sessions, type of active sessions and concurrency as
below:
- If only STA is active set chainmask to the AP's config.
- If no session is active set the chainmask to 1x1.
- If concurrency or non-STA session is active set the
chainmask to 2x2.
Change-Id: I2d348ed02a16390a13f0e0b0b6ff25062a3288bb
CRs-Fixed: 1001582
Peer supported NSS should be updated based on the presence of HT
and VHT capabilities in the beacon/probe response IE from the AP.
Also, update session supported NSS during reassociation. Otherwise,
station will end up sending SMPS action frames to AP which only
supports 1x1 mode.
CRs-Fixed: 979545
Change-Id: Ie2dbfbb577f08c5090101e1330184e72a9f6cd46
When antenna mode is switched from 2x2 to 1x1 before reassociation,
the handler for processing the reassoc request returns before updating
the session SMPS mode to static. This will result in station reassociating
in 2x2 mode although the current antenna mode is 1x1.
Change-Id: Ic265b63ea908f54b64d6e097e0d9824f61d1e76d
CRs-Fixed: 971164
Dynamic Antenna mode switch from 2x2 to 1x1 in the non connected state
is updating the association request HT SMPS to static but the reassociation
request HT SMPS mode is still disabled. This will lead to station
reassociating in 2x2 mode although the current antenna mode is 1x1.
Change-Id: Iafbaf7f97ce56171b3fde469550a11ebfa20b0fc
CRs-Fixed: 966939
Rename enumerations associated with scan types.
WMI interface files shared between host and firmware have
the same macro defined, resulting in a compilation issue. Hence
rename these enumerations with the LIM prefix.
Change-Id: Ia196b8e4bb582490a9f957b8cdf1e3a12c4fbde0
CRs-Fixed: 981355
Currently whenever country code changes, nvtable is updated
only for channels which are enabled in wiphy.
vos_update_band updates wiphy on basis of nv table.
There can be an issue when a band change, a country code change and
another band change happen in sequence.
The driver will not have the channel information to enable channels for the
second band change, as at the time of that change the nv table will have only
the channels associated with the previous band.
Now with this fix, nv table will have all the channels.
Along with channels nv table will store wiphy flags as well.
vos_update_band will update those flags whenever band
change happens.
Change-Id: Ia1d7d85cd0acbfa95e23410825559506253a579c
CRs-Fixed: 978660
This reverts Change-Id I35d802f564e41ee0b30386ee7b74d2b44eb80ecf
Revert this change to allow re-association to same AP which is
required for HS certification.
Change-Id: I75114b5e36b4ce6def602b9054481845ac09c56a
CRs-Fixed: 936342
prima to qcacld-2.0 propagation
In the scenario where association times out because the device has missed
the assoc resp sent by the peer, the peer assumes the device to be
connected, and thus when the device again sends the auth for a fresh
connection the peer sends a deauth. Thus the fresh connection also fails.
To avoid this, send a deauth after the association timeout to clean up
the session in the peer.
Change-Id: I1f7bfbe804da0dc92ce4ece87dc65954b086133c
CRs-Fixed: 987455
When 32 STAs are associated with the DUT SAP, deleting peers during SSR
adds delay to the SSR shutdown. To account for this delay, increase
the SSR delay to 40 sec from 30 sec.
Change-Id: I7b224e3881c17bbf3cf3a4fe805ae1a8b66c63b9
CRs-Fixed: 999368
If ieee80211w=2 or pmf=2 is an explicit configuration in the
supplicant configuration, MFPEnabled is set and the driver assumes it
is a PMF-required connection, even if the AP is in open security
mode.
Now when a disconnect is received from the supplicant, the driver sends a
protected deauth and an assert is observed, as the firmware does not have
any valid key.
To fix this, if ieee80211w=2 or pmf=2 is an explicit configuration
in the supplicant configuration but the peer AP is non-PMF, drop the
connection request.
Change-Id: I40faf63df4e95b367d66e9b51ff165759989a1d1
CRs-Fixed: 1011976
prima to qcacld-2.0 propagation
Function wlan_hdd_tdls_connection_callback takes a few milliseconds
to complete its functionality, which can affect roaming delay.
Move this functionality after enabling queues to reduce roaming delay.
Change-Id: I78d7b4deadb6cccdfd81f8431b6dd7c013e05340
CRs-Fixed: 978673
Mike Galbraith reported that the LTP test case futex_wake04 was broken
by commit 65d8fc777f6d ("futex: Remove requirement for lock_page()
in get_futex_key()").
This test case uses futexes backed by hugetlbfs pages and so there is an
associated inode with a futex stored on such pages. The problem is that
the key is being calculated based on the head page index of the hugetlbfs
page and not the tail page.
Prior to the optimisation, the page lock was used to stabilise mappings and
pin the inode if file-backed, which is overkill. If the page was a compound
page, the head page was automatically looked up as part of the page lock
operation but the tail page index was used to calculate the futex key.
After the optimisation, the compound head is looked up early and the page
lock is only relied upon to identify truncated pages, special pages or a
shmem page moving to swapcache. The head page is looked up because without
the page lock, special care has to be taken to pin the inode correctly.
However, the tail page is still required to calculate the futex key so
this patch records the tail page.
On vanilla 4.6, the output of the test case is:
futex_wake04 0 TINFO : Hugepagesize 2097152
futex_wake04 1 TFAIL : futex_wake04.c:126: Bug: wait_thread2 did not wake after 30 secs.
With the patch applied
futex_wake04 0 TINFO : Hugepagesize 2097152
futex_wake04 1 TPASS : Hi hydra, thread2 awake!
Fixes: 65d8fc777f6d "futex: Remove requirement for lock_page() in get_futex_key()"
Reported-and-tested-by: Mike Galbraith <umgwanakikbuti@gmail.com>
Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20160608132522.GM2469@suse.de
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
When dealing with key handling for shared futexes, we can drastically reduce
the usage/need of the page lock. 1) For anonymous pages, the associated futex
object is the mm_struct, which does not require the page lock. 2) For inode-based
keys, we can check under RCU read lock if the page mapping is still
valid and take a reference to the inode. This just leaves one rare race that
requires the page lock in the slow path when examining the swapcache.
Additionally realtime users currently have a problem with the page lock being
contended for unbounded periods of time during futex operations.
Task A
get_futex_key()
lock_page()
---> preempted
Now any other task trying to lock that page will have to wait until
task A gets scheduled back in, which is an unbound time.
With this patch, we pretty much have a lockless futex_get_key().
Experiments show that this patch can boost/speedup the hashing of shared
futexes with the perf futex benchmarks (which is good for measuring such
change) by up to 45% when there are high (> 100) thread counts on a 60 core
Westmere. Lower counts are pretty much in the noise range or less than 10%,
but mid range can be seen at over 30% overall throughput (hash ops/sec).
This makes anon-mem shared futexes much closer to its private counterpart.
Signed-off-by: Mel Gorman <mgorman@suse.de>
[ Ported on top of thp refcount rework, changelog, comments, fixes. ]
Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Chris Mason <clm@fb.com>
Cc: Darren Hart <dvhart@linux.intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: dave@stgolabs.net
Link: http://lkml.kernel.org/r/1455045314-8305-3-git-send-email-dave@stgolabs.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Change-Id: Ief4a41ce23493c8479b0007bd0d3e9a31594527a