Based on TAG LA.BR.1.2.9-03710-8x16.0 from CAF.

Change-Id: I5fbeddd562a311ea522557e8a77e331e9ea14d8b

Update configs in msm8909_defconfig and msm8909-perf_defconfig to be
used for wearables.

Change-Id: I2b06612a8e3bcee90b2eb5cc50767466f9ff3d25
Signed-off-by: Shadab Naseem <snaseem@codeaurora.org>

Resync msm8909_defconfig and msm8909-perf_defconfig.

Change-Id: Ie5532831a1bca504ade2d47d19289626475adba3
Signed-off-by: Shadab Naseem <snaseem@codeaurora.org>

Use put_user API to write the data from kernel space to
userspace to avoid accessing userspace memory directly
in kernel space.

Change-Id: I649fe2597e80ccad50cf16b355e220734810e94c
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>

Make sure to use proper locks when using the
vma_struct_area. This will avoid the race condition
in a scenario where one thread gets a vma_struct_area
and other thread is unmapping the vma from the process.

Change-Id: I6c7837d1a8dd24fc6955ab5be8b1917a42f2cb53
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>

Make use of mutex lock to access IOCTL so that two threads
can avoid race condition.

Change-Id: I00db78a42c86eef8a157b5b3547e4ca0006b0853
Signed-off-by: annamraj <annamraj@codeaurora.org>

commit 4617f564c06117c7d1b611be49521a4430042287 upstream.

When calling a dm ioctl that doesn't process any data
(IOCTL_FLAGS_NO_PARAMS), the contents of the data field in struct
dm_ioctl are left initialized.  Current code is incorrectly extending
the size of data copied back to user, causing the contents of kernel
stack to be leaked to user.  Fix by only copying contents before data
and allow the functions processing the ioctl to override.

CRs-Fixed: 2094612
Change-Id: Id643af806105d898c53afae4e7760709c7f0896c
Signed-off-by: Adrian Salido <salidoa@google.com>
Reviewed-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Git-commit: 4617f564c06117c7d1b611be49521a4430042287
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git


Signed-off-by: Shadab Naseem <snaseem@codeaurora.org>

Accessing of incorrect structure pointer is causing
memory out of bound access, fixed issue by accessing
the correct structure pointer.

Change-Id: I3c2f5f7a97cac854093ef670184d06db4231f5e1
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

F2FS uses 4 bytes to represent block address. As a result, supported
size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.

Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git


Git-commit: b9dd46188edc2f0d1f37328637860bb65a771124
[srkupp@codeaurora.org: Resolved minor conflict]
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Change-Id: Id1a67927262451762a4d423fa50b370ec3cdb56c

Update synaptics touch resolution to 480p for msm8909 MTP wearble
device tree.

Change-Id: I230805b81cbbc8ba886d03fd677736d0bccc3eb1
Signed-off-by: Vevek Venkatesan <vevekv@codeaurora.org>

Add conditional check when sending VIDIOC_MSM_OIS_CFG.

Change-Id: I128591359d7996fe73e9ac3d8a17c47004a2e04e
CRs-Fixed:2078155
Signed-off-by: Tanvi Aggarwal <tanvia@codeaurora.org>

Issue:
the invalid slave_info is used by msm_sensor_driver_probe.
This cause crash when ioctl VIDIOC_MSM_SENSOR_INIT_CFG repeatedly.

Fix:
1) avoid the same msm_sd_subdev added into the ordered_sd_list.
2) enlarge the buffer size for i2c addr and data.

Change-Id: Idffcd3b82b9590dbfdcaf14b80668cc894178f54
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>

Add msm8909 MTP device tree support for wearable. This platform
is based on PM8916 and 512MB DDR. Update the modem size to 78MB.
Simulate 480p display on 720p panel.

Change-Id: I95e1ac1e8b4578f6e20dcc908c5b71cede44f9b3
Signed-off-by: Kaushal Kumar <kaushalk@codeaurora.org>

There is no syncronization between msm_vb2_get_buf
and msm_delete_stream which can lead to use after
free.
Fixed it by using read/write lock.

CRs-Fixed: 2013052
Change-Id: I8e80d70ec866253aab8836457a28ae14175f5d61
Signed-off-by: Manish Poddar <mpoddar@codeaurora.org>
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>

Change-Id: Idfe451a185f1907f2d1e0ecf1710d035cbf56efc

Add the check against negative or invalid firmware size passed
by the userspace thread in firmware setup sysfs write operation.
Update the datatype of the variable which holds the firmware size
passed by userspace thread during firmware setup and WLAN calibration
data update process.

CRs-Fixed: 2072966
Change-Id: I8c84ad0d1b0a5f44a39c9c5b228734b0f693e8dd
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>

Use mutex lock for all VB2 operations, and use separatelock other
than used for stop streaming operation to avoid dead lock.

Change-Id: Idba956e5e3bce48ee57eaa5984786ded218e32d5
Signed-off-by: annamraj <annamraj@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>

event->handle pointer can be used after free due to
the race condition between kgsl_sync_callback and
kgsl_sync_fence_async_cancel.

Protect the event->handle with a spinlock to
avoid concurrent access issues.

Change-Id: I3719e401af9ece82ac68b72f2aef784c7fdc1104
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>

fix one potential out of boundary query of stats info.

Change-Id: I13e4bf8802fcce529f9268c272e4727619d5ad8f
Signed-off-by: Fei Zhang <feizhang@codeaurora.org>

Return error code directly to avoid further integer overflow leading
to buffer overflow.

Change-Id: I8b74efda227726494724f4387c45b5b6fa04637b
CRs-Fixed: 2077909
Signed-off-by: Weiyin Jiang <wjiang@codeaurora.org>

Buffer overread may happen as nl80211_set_station() reads 4 bytes
from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
validating the size of data received when userspace sends less
than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
the buffer overread.

Fixes: 3b1c5a53 ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari <dasaris@qti.qualcomm.com>
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git


Git-commit: 8feb69c7bd89513be80eb19198d48f154b254021
Change-Id: Ie20993309501fd242782311b9fe787931f716116
CRs-Fixed: 2055013
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>

Clients may wish to implement custom functions on a particular
heap ID. That function assumes that the heap ID has a specific heap
type. Make that requirement explicit by only calling the custom
function if both the ID and type match.

CRs-Fixed: 2078339
Change-Id: Ie746362a19a22dceb6e47148d67901d483778a85
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
Signed-off-by: Sudarshan Rajagopalan <sudaraja@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>