- Jul 28, 2018
Jack Wu authored
Charging was not disabled in retail mode. The charging disable path was not executed because the priority of the charger present check was higher. Separate the check of charger in/out and charging enable/disable to fix this. Bug: 110489408 Change-Id: If0180621903ec20a969cb22359e03a76eb3bd8aa
Signed-off-by: Jack Wu <wjack@google.com>
-
- Jul 26, 2018
David Lin authored
Merge remote-tracking branch 'remotes/origin/android-msm-wahoo-4.4-security-next' into android-msm-wahoo-4.4 September 2018.2 Bug: 110908141 Bug: 111785512
-
David Lin authored
This reverts commit c67f8db8. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit 06708336. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit 8baef323. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit 4ce2133f. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit 22c95b83. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit f6f50a1a. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit ee1ea8f1. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit ed871bbb. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit 3e24cbf5. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit 075ba134. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit f42328ae. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
This reverts commit 92f2e946. Bug: 111785512
Signed-off-by: David Lin <dtwlin@google.com>
-
David Lin authored
Bug: 111785512 This reverts commit be7f3de2.
Signed-off-by: David Lin <dtwlin@google.com>
- Jul 24, 2018
Jeff Vander Stoep authored
Based on change in android-base.cfg: aosp/721208 Bug: 68016944 Change-Id: Iab290a49fe782a9283288b02f3ab78c635fedde5
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
-
- Jul 18, 2018
David Lin authored
This patch disables UNMAP_KERNEL_AT_EL0 for the CFI build because it causes an "Entry trampoline text too big" compile error. Bug: 74207468 Test: build Change-Id: Ic8097e58dbd9254f647c35b93b812bf6ba9e0ba9
Signed-off-by: David Lin <dtwlin@google.com>
-
- Jul 17, 2018
Patrick Tjin authored
This reverts commit bdef9099. Bug: 69856074 Bug: 74207468 Change-Id: I3ef2b56f381d792d0c01fff744922fa6452e7538
Signed-off-by: Patrick Tjin <pattjin@google.com>
-
- Jul 13, 2018
David Lin authored
September 2018.1 Bug: 110908141 Change-Id: I764474f440db2b761837f8ef6a040c9ec2331337
-
Aditya Bavanari authored
voice_svc_dev is allocated as a device managed resource and need not be freed since it is freed automatically. Remove the logic to free voice_svc_dev in probe failure and remove functions to avoid double free. CRs-Fixed: 2204285 Bug: 109741750 Change-Id: If4f9ca840b00448b987f5ce443f66b0923b01969
Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org>
-
Vignesh Kulothungan authored
Initialize 'flags' variables before use in spinlocks. CRs-Fixed: 2257317 Bug: 77528410 Change-Id: Ie8bf37b10fa7448daaaa6480e1fabdc4eb08330c
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
-
Meng Wang authored
ac could get freed during the execution of q6asm_callback, and a kernel panic happens. Add a spinlock to protect ac to avoid the kernel panic. Bug: 77528410 Change-Id: Ie49c8a3979231552ba7d5f207aab0d95ffdc2a72
Signed-off-by: Meng Wang <mwang@codeaurora.org>
-
Arun Kumar Neelakantam authored
The increment logic of the u64 pointer in skb_copy_to_log_buf() leads to buffer overflow. Modify the prototype of the skb_copy_to_log_buf() function to accept only an unsigned char pointer. CRs-Fixed: 2212592 Bug: 109741922 Change-Id: I8affff1316656c1060ec57f2fb10b46f85314358
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
-
Hanumanth Reddy Pothula authored
While processing the DO_ACS vendor command, the session context, which is of type union and holds either the station's or the SAP's session, is updated without checking the adapter's mode. This may corrupt the station's session context if DO_ACS is invoked with a station adapter. Validate the adapter mode and process DO_ACS vendor commands only if the mode is SAP/P2P_GO. Bug: 73173201 Change-Id: Id99ba126fcfa1f06f68b89d4627c029948a201c5 CRs-Fixed: 2237661
Signed-off-by: Ecco Park <eccopark@google.com>
-
Pragaspathi Thilagaraj authored
In the function wma_update_intf_hw_mode_params, vdev_id, received from the caller wma_pdev_set_hw_mode_resp_evt_handler, is used as the array index for wma->interfaces. If vdev_id exceeds wma->max_bssid then a possible OOB write could occur. Add a check to validate vdev_id against wma->max_bssid. Print an error if it exceeds. Bug: 111128640 Change-Id: I3ddf5e1b24fbd2bd401ac879219300857d05e4b7 CRs-Fixed: 2243990
Signed-off-by: Kumar Anand <kumaranand@google.com>
-
gaurank kathpalia authored
In the API lim_send_assoc_req_mgmt_frame, the host allocates memory for the assoc request packet taking all inputs of payload and the mac header size etc., and in case the mem allocation fails it clears away the memory allocated to the packet with cds packet free, which was not even allocated. Fix is to remove the packet free in case memory was not allocated. Bug: 111124974 Change-Id: I3fb75b1947dfe039605c42aa19c2d0bacc7bf55d CRs-Fixed: 2216741
Signed-off-by: Kumar Anand <kumaranand@google.com>
-
Sean Callanan authored
Currently there is a possibility of accessing freed mdlog session info and its attributes after closing the session. The patch adds protection while accessing mdlog session info to prevent the use-after-free issue. There is also a possibility of a NULL pointer dereference issue because NULL pointer checks are missing for mask info. The patch fixes the issue by adding NULL pointer checks. CRs-Fixed: 2133028 2108911
Signed-off-by: Hardik Arya <harya@codeaurora.org>
(cherry picked from https://source.codeaurora.org/quic/la/kernel/msm-4.4 commit 7c80939b0651b6bf43d0126c35a6a16323204626)
(cherry-picked from https://source.codeaurora.org/quic/la/kernel/msm-4.4 commit 15a9d5118c3d1b75333b30493f1da418dd058752)
Bug: 63528466 Change-Id: I806944bf1cf6f8455396c0ba05c08dcd115d5799
Signed-off-by: Sean Callanan <spyffe@google.com>
-
Kees Cook authored
[ Upstream commit fe9c8426 ] The tlv_len is u8, so we need to limit the size of the SDP URI. Enforce this both in the NLA policy and in the code that performs the allocation and copy, to avoid writing past the end of the allocated buffer. Fixes: d9b8d8e1 ("NFC: llcp: Service Name Lookup netlink interface") Bug: 73083945
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: I91b0242d6f9469c1613fc1e5ecddd6892e05f524
-
Daniel Rosenberg authored
If our length is greater than the size of the buffer, we overflow the buffer. Change-Id: I113a1955a2bac83c83084d5cd28d886175673219 Bug: 71361580
Signed-off-by: Daniel Rosenberg <drosen@google.com>
-
Suren Baghdasaryan authored
Out of bounds kernel accesses in st21nfca's NFC HCI layer might happen when handling ATR_REQ events if user-specified atr_req->length is bigger than the buffer size. In that case memcpy() inside st21nfca_tm_send_atr_res() will read extra bytes resulting in OOB read from the kernel heap. Bug: 62679012
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Id9776a3f625c42e2b29e0b56fb545de2fe643bcb
-
Guillaume Nault authored
l2tp_tunnel_destruct() sets tunnel->sock to NULL, then removes the tunnel from the pernet list and finally closes all its sessions. Therefore, it's possible to add a session to a tunnel that is still reachable, but for which tunnel->sock has already been reset. This can make l2tp_session_create() dereference a NULL pointer when calling sock_hold(tunnel->sock). This patch adds the .acpt_newsess field to struct l2tp_tunnel, which is used by l2tp_tunnel_closeall() to prevent addition of new sessions to tunnels. Resetting tunnel->sock is done after l2tp_tunnel_closeall() returned, so that l2tp_session_add_to_tunnel() can safely take a reference on it when .acpt_newsess is true. The .acpt_newsess field is modified in l2tp_tunnel_closeall(), rather than in l2tp_tunnel_destruct(), so that it benefits all tunnel removal mechanisms. E.g. on UDP tunnels, a session could be added to a tunnel after l2tp_udp_encap_destroy() proceeded. This would prevent the tunnel from being removed because of the references held by this new session on the tunnel and its socket. Even though the session could be removed manually later on, this defeats the purpose of commit 9980d001 ("l2tp: add udp encap socket destroy handler"). Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit f3c66d4e)
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 38159931 Change-Id: I50fb32e85d0ec6131d3998870d258b185ad4c1ff
-
Guillaume Nault authored
Sessions must be fully initialised before calling l2tp_session_add_to_tunnel(). Otherwise, there's a short time frame where partially initialised sessions can be accessed by external users. Fixes: dbdbc73b ("l2tp: fix duplicate session creation")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 9ee369a4)
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 38159931 Change-Id: I396088939bcdb5900c50f4fcfabefa9f264f5c0f
-
Guillaume Nault authored
l2tp_session_create() relies on its caller for checking for duplicate sessions. This is racy since a session can be concurrently inserted after the caller's verification. Fix this by letting l2tp_session_create() verify sessions uniqueness upon insertion. Callers need to be adapted to check for l2tp_session_create()'s return code instead of calling l2tp_session_find(). pppol2tp_connect() is a bit special because it has to work on existing sessions (if they're not connected) or to create a new session if none is found. When acting on a preexisting session, a reference must be held or it could go away on us. So we have to use l2tp_session_get() instead of l2tp_session_find() and drop the reference before exiting. Fixes: d9e31d17 ("l2tp: Add L2TP ethernet pseudowire support") Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit dbdbc73b)
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 38159931 Change-Id: If99263c0c4da1bdb80f3ea2bd3dd5e87e371f7c5
-
Guillaume Nault authored
Taking a reference on sessions in l2tp_recv_common() is racy; this has to be done by the callers. To this end, a new function is required (l2tp_session_get()) to atomically lookup a session and take a reference on it. Callers then have to manually drop this reference. Fixes: fd558d18 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 61b9a047)
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 38159931 Change-Id: I206a40ff51b4c8230d68acc2932f3277524d0f90
-
Todd Poynor authored
Add concurrency protection for scatter-gather list create and destroy calls. Return -EBUSY on a duplicate attempt to send or receive DMA for a message that already has a scatter-gather list setup; do not overwrite the pointer to the existing scatter-gather list, and remove the ability to free a scatter-gather list in use by another thread. Bug: 69808833 Change-Id: I8e9366f290817c0065b1e3c33453d96057be3172 Test: Bug 69808833 POC Test: EzlshTest Test: manual: EaselCamera Test: manual: GCA-eng
Signed-off-by: Todd Poynor <toddpoynor@google.com>
-
Alok Kumar authored
The buffer allocated with length "ATH6KL_FWLOG_PAYLOAD_SIZE" is not initialized; this may lead to an information leak during memcpy when len < ATH6KL_FWLOG_PAYLOAD_SIZE. To resolve this issue, memset the buffer for length (ATH6KL_FWLOG_PAYLOAD_SIZE - len) to 0. Bug: 73885536 Change-Id: If4a49347d674ad2af0438b408a4a4b9308c61026 CRs-Fixed: 2216339
Signed-off-by: Ecco Park <eccopark@google.com>
-
Dundi Raviteja authored
Currently, in the ptt_sock_send_msg_to_app() function sizeof(tAniHdr) is added to the payload, but this size is already added in the length field of tAniHdr. To address this issue, remove the addition of sizeof(tAniHdr) in ptt_sock_send_msg_to_app(). Also remove the check of length against sizeof(tAniHdr) in the ptt_cmd_handler() function. Bug: 73884889 Change-Id: I58036fd172f3a3c6963757205e0c82e407e2f69b CRs-Fixed: 2216431
Signed-off-by: Ecco Park <eccopark@google.com>
-
Patrick Tjin authored
Bug: 79422410 Change-Id: I38043cc0bf6659b2dd7d4704f1ba356c80769508
Signed-off-by: Patrick Tjin <pattjin@google.com>
-
Marc Zyngier authored
We call arm64_apply_bp_hardening() from post_ttbr_update_workaround, which has the unexpected consequence of being triggered on every exception return to userspace when ARM64_SW_TTBR0_PAN is selected, even if no context switch actually occurred. This is a bit suboptimal, and it would be more logical to only invalidate the branch predictor when we actually switch to a different mm. In order to solve this, move the call to arm64_apply_bp_hardening() into check_and_switch_context(), where we're guaranteed to pick a different mm context. Bug: 79422410 Change-Id: I28f2fb09b77544e5ead095e9dad1ad64b2b3ae36
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Git-commit: a8e4c0a9 Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Srinivas Ramana <sramana@codeaurora.org>