From 5a3dc1728390e5213b877003bcae7c8473101fd0 Mon Sep 17 00:00:00 2001
From: Subbaraman Narayanamurthy
Date: Wed, 27 Jul 2016 10:41:47 -0700
Subject: power: qcom-charger: fix possible out of bounds access for GEN3 FG driver Fix the following things in fg-util.c which is included by GEN3 FG driver: - Possible out of bounds access in fg_sram_dfs_reg_write() when using bytes_read from sscanf - Fix uninitialized usage of variable in write_next_line_to_log()
Change-Id: If9e7ba5632d1b5f99d91bda6276d9123c37e4dc7
Signed-off-by: Subbaraman Narayanamurthy
---
 drivers/power/qcom-charger/fg-util.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/power/qcom-charger/fg-util.c b/drivers/power/qcom-charger/fg-util.c
index fe00dadc3f38..9f2d9973e04b 100644
--- a/drivers/power/qcom-charger/fg-util.c
+++ b/drivers/power/qcom-charger/fg-util.c
@@ -384,7 +384,7 @@ static int print_to_log(struct fg_log_buffer *log, const char *fmt, ...)
 static int write_next_line_to_log(struct fg_trans *trans, int offset,
 size_t *pcnt)
 {
- int i, j;
+ int i;
 u8 data[ITEMS_PER_LINE];
 u16 address;
 struct fg_log_buffer *log = trans->log;
@@ -397,7 +397,6 @@ static int write_next_line_to_log(struct fg_trans *trans, int offset,
 goto done;
 memcpy(data, trans->data + (offset - trans->addr), items_to_read);
- *pcnt -= items_to_read;
 /* address is in word now and it increments by 1. */
@@ -407,8 +406,8 @@ static int write_next_line_to_log(struct fg_trans *trans, int offset,
 goto done;
 /* Log the data items */
- for (j = 0; i < items_to_log; ++i, ++j) {
- cnt = print_to_log(log, "%2.2X ", data[j]);
+ for (i = 0; i < items_to_log; ++i) {
+ cnt = print_to_log(log, "%2.2X ", data[i]);
 if (cnt == 0)
 goto done;
 }
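Review bot: In the third hunk (`@@ -407,8 +406,8 @@`) the corrected loop reads `data[i]` for `i < items_to_log`, and the memcpy in the second hunk fills the same on-stack `u8 data[ITEMS_PER_LINE]` with `items_to_read` bytes, yet neither bound is stated where it is relied on. Both values are computed outside these hunks, so presumably they are clamped earlier in write_next_line_to_log(); if that holds, a comment above the memcpy such as `/* items_to_read and items_to_log are both <= ITEMS_PER_LINE here, so data[] cannot overflow */` would record the invariant. Separately, the single removed line of the second hunk sits directly before `*pcnt -= items_to_read;` and whitespace is collapsed on this page, so it cannot be told from here whether a blank line or the decrement itself was dropped; the commit message mentions no change to the count, which is worth confirming against the tree. The function body starts and ends outside the hunks.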
@@ -552,7 +551,8 @@ static ssize_t fg_sram_dfs_reg_write(struct file *file, const char __user *buf,
 values = kbuf;
 /* Parse the data in the buffer. It should be a string of numbers */
- while (sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
+ while ((pos < count) &&
+ sscanf(kbuf + pos, "%i%n", &data, &bytes_read) == 1) {
 pos += bytes_read;
 values[cnt++] = data & 0xff;
 }
-- cgit v1.2.3
From 1653a12ec91b0959bad311888914b6859c501e4f Mon Sep 17 00:00:00 2001
From: Subbaraman Narayanamurthy
Date: Mon, 13 Jun 2016 11:31:55 -0700
Subject: defconfig: msmcortex: Enable FG_GEN3 driver FG_GEN3 driver supports the new FG GEN3 peripheral in pmicobalt. Enable the support for it.
Change-Id: I0f1408099b0736ac510987c3a17ab798d84fbdff
Signed-off-by: Subbaraman Narayanamurthy
---
 arch/arm64/configs/msmcortex-perf_defconfig | 1 +
 arch/arm64/configs/msmcortex_defconfig | 1 +
 2 files changed, 2 insertions(+)
diff --git a/arch/arm64/configs/msmcortex-perf_defconfig b/arch/arm64/configs/msmcortex-perf_defconfig
index 742ab830a812..ca370c231a63 100644
--- a/arch/arm64/configs/msmcortex-perf_defconfig
+++ b/arch/arm64/configs/msmcortex-perf_defconfig
@@ -302,6 +302,7 @@ CONFIG_MSM_PM=y
 CONFIG_APSS_CORE_EA=y
 CONFIG_MSM_APM=y
 CONFIG_QPNP_SMBCHARGER=y
+CONFIG_QPNP_FG_GEN3=y
 CONFIG_SMB135X_CHARGER=y
 CONFIG_SMB1351_USB_CHARGER=y
 CONFIG_MSM_BCL_CTL=y
diff --git a/arch/arm64/configs/msmcortex_defconfig b/arch/arm64/configs/msmcortex_defconfig
index afa39ce02376..8b9da2d6b0d3 100644
--- a/arch/arm64/configs/msmcortex_defconfig
+++ b/arch/arm64/configs/msmcortex_defconfig
@@ -307,6 +307,7 @@ CONFIG_MSM_PM=y
 CONFIG_APSS_CORE_EA=y
 CONFIG_MSM_APM=y
 CONFIG_QPNP_SMBCHARGER=y
+CONFIG_QPNP_FG_GEN3=y
 CONFIG_SMB135X_CHARGER=y
 CONFIG_SMB1351_USB_CHARGER=y
 CONFIG_MSM_BCL_CTL=y
-- cgit v1.2.3
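Review bot: In fg_sram_dfs_reg_write() (fg-util.c, hunk `@@ -552,7 +551,8 @@`) the added `pos < count` test only limits where each sscanf() call starts; the scan itself takes no length and stops only at a NUL, so the loop stays in bounds only if kbuf is terminated at `kbuf[count]`. The allocation of kbuf and the copy from `buf` are outside the hunk, so that should be confirmed and recorded next to the loop, e.g. `/* kbuf holds count bytes plus a terminating NUL; sscanf() relies on it */`. The loop also accepts any `%i` value and stores `data & 0xff`, so negative or larger-than-255 input is silently truncated rather than rejected; a check such as `if (data < 0 || data > 0xff)` leading to the function's error return would make malformed writes visible. The function body starts and ends outside the hunk.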