- Sep 04, 2018
-
-
Deepak Kumar authored
RSCC wake-up sequence should only be triggered if RSCC sleep sequence was done earlier, i.e. they should always be balanced to make sure GMU FW, RSCC and PDC state are in sync. Add GMU_RSCC_SLEEP_SEQ_DONE GMU flag to track whether RSCC sleep sequence was done or not and trigger sleep and wake-up sequence based on this flag to make sure they are always balanced.

Change-Id: I78d8be52a770bd6e939da91fa68b6fd01f10034e
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Lynus Vaz authored
If the IRQ pending count is incremented, make sure it is decremented even in case of errors.

Change-Id: I63443d4430b24ff82eb58d729e42f7115607ff25
Signed-off-by: Lynus Vaz <lvaz@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Sachin Grover authored
Call trace:
[<ffffff9203a8d7a8>] dump_backtrace+0x0/0x428
[<ffffff9203a8dbf8>] show_stack+0x28/0x38
[<ffffff920409bfb8>] dump_stack+0xd4/0x124
[<ffffff9203d187e8>] print_address_description+0x68/0x258
[<ffffff9203d18c00>] kasan_report.part.2+0x228/0x2f0
[<ffffff9203d1927c>] kasan_report+0x5c/0x70
[<ffffff9203d1776c>] check_memory_region+0x12c/0x1c0
[<ffffff9203d17cdc>] memcpy+0x34/0x68
[<ffffff9203d75348>] xattr_getsecurity+0xe0/0x160
[<ffffff9203d75490>] vfs_getxattr+0xc8/0x120
[<ffffff9203d75d68>] getxattr+0x100/0x2c8
[<ffffff9203d76fb4>] SyS_fgetxattr+0x64/0xa0
[<ffffff9203a83f70>] el0_svc_naked+0x24/0x28

If a user gets root access and calls security.selinux setxattr() with an embedded NUL on a file, and then some process performs a getxattr() on that file with a length greater than the actual length of the string, it would result in a panic. To fix this, add the actual length of the string to the security context instead of the length passed by the userspace process.

Change-Id: Ie0b8bfc7c96bc12282b955fb3adf41b3c2d011cd
Signed-off-by: Sachin Grover <sgrover@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Karthik Anantha Ram authored
As part of shutdown when we free the power settings we should assign the pointer to NULL. And in power down we validate the settings.

Change-Id: I7abe11548e211dfd89387069191234488dcfd0ce
Signed-off-by: Karthik Anantha Ram <kartanan@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Vivek Veenam authored
Sensor power settings can be freed by some thread while another thread tries to access them. Add a NULL check beforehand to prevent this.

Change-Id: Ice3d8c6da65afd5196be67860543eb974183c55e
Signed-off-by: Vivek Veenam <vveenam@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Laxminath Kasam authored
As the L7B regulator is used as the micbias regulator for audio, the SDM710 PMIC regulator requires L10 and L1 also to be enabled along with L7B. Add L10 and L1 to the on-demand supply list of audio regulators.

CRs-Fixed: 2287883
Change-Id: Ifba608f1f348ab2e65db49bebed7effd0c07567c
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Yunsheng Lin authored
skb may be freed in hns_nic_net_xmit_hw() and return NETDEV_TX_OK, which causes hns_nic_net_xmit to use a freed skb.

BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x62c/0x940...
[17659.112635] alloc_debug_processing+0x18c/0x1a0
[17659.117208] __slab_alloc+0x52c/0x560
[17659.120909] kmem_cache_alloc_node+0xac/0x2c0
[17659.125309] __alloc_skb+0x6c/0x260
[17659.128837] tcp_send_ack+0x8c/0x280
[17659.132449] __tcp_ack_snd_check+0x9c/0xf0
[17659.136587] tcp_rcv_established+0x5a4/0xa70
[17659.140899] tcp_v4_do_rcv+0x27c/0x620
[17659.144687] tcp_prequeue_process+0x108/0x170
[17659.149085] tcp_recvmsg+0x940/0x1020
[17659.152787] inet_recvmsg+0x124/0x180
[17659.156488] sock_recvmsg+0x64/0x80
[17659.160012] SyS_recvfrom+0xd8/0x180
[17659.163626] __sys_trace_return+0x0/0x4
[17659.167506] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=23 cpu=1 pid=13
[17659.174000] free_debug_processing+0x1d4/0x2c0
[17659.178486] __slab_free+0x240/0x390
[17659.182100] kmem_cache_free+0x24c/0x270
[17659.186062] kfree_skbmem+0xa0/0xb0
[17659.189587] __kfree_skb+0x28/0x40
[17659.193025] napi_gro_receive+0x168/0x1c0
[17659.197074] hns_nic_rx_up_pro+0x58/0x90
[17659.201038] hns_nic_rx_poll_one+0x518/0xbc0
[17659.205352] hns_nic_common_poll+0x94/0x140
[17659.209576] net_rx_action+0x458/0x5e0
[17659.213363] __do_softirq+0x1b8/0x480
[17659.217062] run_ksoftirqd+0x64/0x80
[17659.220679] smpboot_thread_fn+0x224/0x310
[17659.224821] kthread+0x150/0x170
[17659.228084] ret_from_fork+0x10/0x40

BUG: KASAN: use-after-free in hns_nic_net_xmit+0x8c/0xc0...
[17751.080490] __slab_alloc+0x52c/0x560
[17751.084188] kmem_cache_alloc+0x244/0x280
[17751.088238] __build_skb+0x40/0x150
[17751.091764] build_skb+0x28/0x100
[17751.095115] __alloc_rx_skb+0x94/0x150
[17751.098900] __napi_alloc_skb+0x34/0x90
[17751.102776] hns_nic_rx_poll_one+0x180/0xbc0
[17751.107097] hns_nic_common_poll+0x94/0x140
[17751.111333] net_rx_action+0x458/0x5e0
[17751.115123] __do_softirq+0x1b8/0x480
[17751.118823] run_ksoftirqd+0x64/0x80
[17751.122437] smpboot_thread_fn+0x224/0x310
[17751.126575] kthread+0x150/0x170
[17751.129838] ret_from_fork+0x10/0x40
[17751.133454] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=19 cpu=7 pid=43
[17751.139951] free_debug_processing+0x1d4/0x2c0
[17751.144436] __slab_free+0x240/0x390
[17751.148051] kmem_cache_free+0x24c/0x270
[17751.152014] kfree_skbmem+0xa0/0xb0
[17751.155543] __kfree_skb+0x28/0x40
[17751.159022] napi_gro_receive+0x168/0x1c0
[17751.163074] hns_nic_rx_up_pro+0x58/0x90
[17751.167041] hns_nic_rx_poll_one+0x518/0xbc0
[17751.171358] hns_nic_common_poll+0x94/0x140
[17751.175585] net_rx_action+0x458/0x5e0
[17751.179373] __do_softirq+0x1b8/0x480
[17751.183076] run_ksoftirqd+0x64/0x80
[17751.186691] smpboot_thread_fn+0x224/0x310
[17751.190826] kthread+0x150/0x170
[17751.194093] ret_from_fork+0x10/0x40

Change-Id: I5fbdea5d0264c79dbcc91f8519cda1004b667866
Fixes: 13ac695e ("net:hns: Add support of Hip06 SoC to the Hislicon Network Subsystem")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Reported-by: Jun He <hjat2005@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 27463ad9
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Florian Westphal authored
The rationale for removing the check is only correct for rulesets generated by ip(6)tables. In iptables, a jump can only occur to a user-defined chain, i.e. because we size the stack based on number of user-defined chains we cannot exceed stack size. However, the underlying binary format has no such restriction, and the validation step only ensures that the jump target is a valid rule start point. IOW, it's possible to build a rule blob that has no user-defined chains but does contain a jump. If this happens, no jump stack gets allocated and a crash occurs because no jumpstack was allocated.

Change-Id: I03e0851c2c9feeb4350c55bbc797a67ed7b3d8b7
Fixes: 7814b6ec ("netfilter: xtables: don't save/restore jumpstack offset")
Reported-by: <syzbot+e783f671527912cd9403@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 57ebd808
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Johannes Thumshirn authored
If the list search in sg_get_rq_mark() fails to find a valid request, we return a bogus element. This then can later lead to a GPF in sg_remove_scat(). So don't return bogus Sg_requests in sg_get_rq_mark() but NULL in case the list search doesn't find a valid request.

Bug: 79090045
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Doug Gilbert <dgilbert@interlog.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Acked-by: Doug Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Chenbo Feng <fengc@google.com>
(cherry picked from commit 48ae8484)
Change-Id: If95d1a8eef3748c9937201e524184b89a5eaaf2e
Bug: 75300370
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: 58408c68
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Siva Kumar Akkireddi authored
SPS driver does not support manual bind/unbind operations through sysfs. Suppress the bind/unbind nodes. Do not free SPS struct in sps_device_de_init since it is being done in sps_exit, and also to avoid use-after-free.

Change-Id: If6da6c5fb9d1a44d0420c6151f7f9d0a33cb2d04
Signed-off-by: Siva Kumar Akkireddi <sivaa@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Mohit Aggarwal authored
Currently, mask pointers are not updated in case peripherals are supporting more mask tables. The patch updates the mask pointers properly.

Change-Id: I1360c722076fca0215e0ccd28247c4741a1ebd88
Signed-off-by: Mohit Aggarwal <maggarwa@codeaurora.org>
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Tharun Kumar Merugu authored
Destroy mutex before file free, to avoid use after free of mutex.

Change-Id: I4ff73dc17b15043eacbb299219a379bfd1a8efa6
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Archana Sriram authored
Modified conditional checks to read lm_sequence so as to avoid the possibility of pointer overflow.

CRs-Fixed: 2212443
Change-Id: I72b30e35996c40f23fc81739e27724b1188f1c05
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Vinayak Menon authored
ion_system_heap_destroy_pools frees the pool, but does not invalidate the pointer. This can result in a double free if ion_system_heap_create_pools fails, and then causes ion_system_heap_create to call into ion_system_heap_destroy_pools again from the error path. This can happen in ion_system_heap_create when one of the secure pool creation fails.

Change-Id: Ic73ca78722aa5a575cc4dd7c1caa560b518094f2
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
Tharun Kumar Merugu authored
Remove the use of dmac_flush_range for userspace buffers and add msm_ion_do_cache_op for flushing user space buffers.

Change-Id: Ice73eafac840bd1cabee0a2bfc8a641832a7d0c8
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Satyanarayana Dash <sadash@codeaurora.org>
-
- Jul 13, 2018
-
-
Linux Build Service Account authored
-
Linux Build Service Account authored
* changes:
  irqchip: gic-v3: Restore enable bit of spi interrupts
  irqchip: gic-v3: Clear restore configuration across save/restore
-
- Jul 11, 2018
-
-
Gaurav Kohli authored
While setting the enable bit of an spi interrupt, there is a chance of enabling a spurious interrupt which is by default disabled for the soc. So instead of setting, restore the previous state of the enable bit.

Change-Id: Ie6e363f04864fc6e36be83ebd20b19b5e6b45f54
Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org>
-
Neeraj Upadhyay authored
Clear all saved restore configuration, and changed spi configuration, from prior save/restore.

Change-Id: Ic750b39d95d074d911406cf44b295c251532e40e
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
-
Mukesh Kumar Savaliya authored
This patch makes sure to process the RX EOT bit post cancel command as part of stop rx sequencer. There could be a race between ISR and userspace thread doing stop rx where ISR clears out the interrupts generated as part of other operations and EOT poll may timeout. Also there are chances that stop_rx can generate an interrupt if the peer device sends data when client hasn't disabled the flow control. This will trigger a call to handle_dma_rx which basically un-maps the rx dma buffer, handles the rx data and remaps the same rx dma buffer.

As part of baud change, make sure ISR gets called exclusively against the start_rx call. There is a slight window where dma_map of start_rx sets the iova as DMA_ERROR_CODE for a while before actually mapping to valid dma address and ISR uses this invalid address as part of un-mapping the same buffer address which results into the page fault.

Change-Id: I9c69f7f9399aac060188ccee5648b8b7c46a656b
Signed-off-by: Mukesh Kumar Savaliya <msavaliy@codeaurora.org>
Signed-off-by: Ashok Kundurthi <askund@codeaurora.org>
-
Mukesh Kumar Savaliya authored
This patch removes the manual flow control and instead gives the RFR control to the HW depending on the FIFO level. In case of manual flow control FW introduced a race and caused RFR to remain High at RX shutdown which blocked peer device from sending any data. The latest FW along with this patch makes sure RFR gets configured as an RFR OPEN post RX cancel and removes the need to have any manual flow. Also wait for the RX EOT bit post cancel command as per the suggested sequence. Also log the GENI FW version for primary and secondary sequencer.

Change-Id: Ifc06a3f1c971eb7490ff8e678779e7163008f999
Signed-off-by: Mukesh Kumar Savaliya <msavaliy@codeaurora.org>
Signed-off-by: Ashok Kundurthi <askund@codeaurora.org>
-
- Jun 28, 2018
-
-
Linux Build Service Account authored
Merge "ANDROID: Bluetooth: hidp: buffer overflow in hidp_process_report" into kernel.lnx.4.9.r15-rel
-
Linux Build Service Account authored
Merge "ARM: amba: Don't read past the end of sysfs "driver_override" buffer" into kernel.lnx.4.9.r15-rel
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Abhilash Kumar authored
Add locks at proper place while acquiring, enqueuing and executing a task from the list and while accessing the elements of workq. Also the change ensures that the workq is destroyed safely.

Change-Id: I01bf2032133cc1a5269d699b94770141347d3cd0
Signed-off-by: Abhilash Kumar <krabhi@codeaurora.org>
Signed-off-by: Karthik Anantha Ram <kartanan@codeaurora.org>
-
- Jun 27, 2018
-
-
Mark Salyzyn authored
The buffer length is unsigned at all layers, but gets cast to int and checked in hidp_process_report and can lead to a buffer overflow. Switch len parameter to unsigned int to resolve issue.

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Fixes: 678af93e46ac10318b54f2f0c9abbdfe75c4e078 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
Bug: 65853588
Change-Id: I779ce783ae7c3bce8c5a66c0954ef31347e42cfc
Git-repo: https://android.googlesource.com/kernel/msm
Git-commit: 34c56d55
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
-
Hou Tao authored
If blkg_create fails, new_blkg passed as an argument will be freed by blkg_create, so there is no need to free it again.

Change-Id: If6e90b17ac102895cebb08cec68b2ea13ed68481
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 9b54d816
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
-
Geert Uytterhoeven authored
When printing the driver_override parameter when it is 4095 and 4094 bytes long, the printing code would access invalid memory because we need count + 1 bytes for printing.

Cfr. commits 4efe874a ("PCI: Don't read past the end of sysfs "driver_override" buffer") and bf563b01 ("driver core: platform: Don't read past the end of "driver_override" buffer").

Change-Id: I9302aae2b38494fb1f6966cb3b07fb352c53ac6a
Fixes: 3cf38571 ("ARM: 8256/1: driver coamba: add device binding path 'driver_override'")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Todd Kjos <tkjos@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: d2ffed51
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
-
Andrey Konovalov authored
When cleaning up the configurations, make sure we only free the number of configurations and interfaces that we could have allocated.

Change-Id: I81b9513cc2ccc8bdd5e98982bb66e34711f61883
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 32fd87b3
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
-
Jayant Shekhar authored
Sometimes updates from the framework come with a slight delay after early wake up. In such a case, prevent clock switch off to avoid frame miss or jank in the next update. So, increase the command mode idle timeout sufficiently to prevent such an issue.

Change-Id: I4c92f3cfca5402ee9f6ee29beaf7a32506ac92c7
Signed-off-by: Jayant Shekhar <jshekhar@codeaurora.org>
-
- Jun 12, 2018
-
-
Linux Build Service Account authored
-
Neeraj Upadhyay authored
Provide api to save/restore GICD state for SPIs. SPI configuration is restored for GICD_ICFGR, GICD_ISENABLER, GICD_IPRIORITYR, GICD_IROUTER registers.

Following is the sequence for restore:
1. For SPIs, check whether any of GICD_ICFGR, GICD_ISENABLER, GICD_IPRIORITYR, GICD_IROUTER, current configuration is different from saved configuration.
For all irqs, with mismatched configurations,
2. Set GICD_ICENABLER and wait for its completion.
3. Restore any changed GICD_ICFGR, GICD_IPRIORITYR, GICD_IROUTER configurations.
4. Set GICD_ICACTIVER.
5. Set pending for the interrupt.
6. Enable interrupt and wait for its completion.

Change-Id: I31cd5eb8c3226dcdfd474bc88b91c1cb5ca909e6
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
Signed-off-by: Channagoud Kadabi <ckadabi@codeaurora.org>
-
Manaf Meethalavalappu Pallikunhi authored
Thermal framework resets all thermal zone passive counter during resume path. But governors are not checking this while handling mitigation. If mitigation is already applied prior to suspend and it stays same post suspend, governor assumes it is already mitigated and passive counter is already updated. But in resume path, it resets passive counter prior to each thermal zone update. For sensor which doesn't support clear interrupt and relies on thermal framework to clear, can lead to a case where thermal zone is always in mitigated state even though thermal zone temperature is in below clear trip.

Update stepwise and low limits governor logic for passive counter update for resume scenario.

Change-Id: I055deb5c2a79e032a41bcbbe097221d0b892946a
Signed-off-by: Manaf Meethalavalappu Pallikunhi <manafm@codeaurora.org>
-
Linux Build Service Account authored
Merge "drivers: qcom: system_pm: Save/restore GICD registers at system sleep" into kernel.lnx.4.9.r15-rel
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Mahesh Sivasubramanian authored
Some of the GICD registers could be read in and stored as zeros if an interrupt is triggered around the same time as the system sleep. The pending state of the interrupt would be latched but the configuration registers for the interrupt are reset. To ensure that the interrupt triggers, restore the interrupt's configuration around System sleep notification.

Change-Id: Ib04720241e8fa4382383bd08897c4e19aaaded8c
Signed-off-by: Mahesh Sivasubramanian <msivasub@codeaurora.org>
Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org>
-
Gaurav Kohli authored
Ignore mem timer interrupt while saving/restoring GICD configuration for SDM670.

Change-Id: Ief15873cae5d186e3dd25c774b1bf9faf726e274
Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org>
-