Age | Commit message | Author |
|
https://source.codeaurora.org/quic/la/kernel/msm-4.4 into lineage-18.1-caf-msm8998
"LA.UM.9.2.r1-03700-SDMxx0.0"
* tag 'LA.UM.9.2.r1-03700-SDMxx0.0' of https://source.codeaurora.org/quic/la/kernel/msm-4.4:
msm: kgsl: Fix out of bound write in adreno_profile_submit_time
uapi: Add UAPI headers for slatecom_interface driver
soc: qcom: Add check to handle out of bound access
msm: adsprpc: Handle UAF in process shell memory
Change-Id: I7dcf42763390a7a156c41a9c08a9a3d653b7f0f2
|
|
Added a check to validate map before freeing it to avoid Use after
free scenario.
Change-Id: Ic723a4fe964a4909119663500018f2a07976105b
Signed-off-by: Vamsi krishna Gattupalli <vgattupa@codeaurora.org>
CVE-2021-1927
|
|
Added flag to indicate memory used
in process initialization. And, this memory
would not be removed in internal unmap to avoid
UAF or double free.
Change-Id: Ifa621dee171b3d1f98b82302c847f4d767f3e736
Signed-off-by: Swathi K <kataka@codeaurora.org>
|
|
Resolve the problem of the kernel log printing continuously when the
secure_domain feature in fastrpc is not used.
Change-Id: I3f0c13ea104b21670a5639bb13ebfd07a5ec59a6
Signed-off-by: zhaochen <zhaochen@codeaurora.org>
Signed-off-by: Arian <arian.kulmer@web.de>
|
|
Add check to restrict index underflow. This is to avoid
that it does not access invalid index.
Change-Id: Ib971033c5820ca4dab38ace3b106c7b1b42529e4
Acked-by: Gururaj Chalger <gchalger@qti.qualcomm.com>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
|
|
Add check to restrict index underflow. This is to avoid
that it does not access invalid index.
Change-Id: Ib971033c5820ca4dab38ace3b106c7b1b42529e4
Acked-by: Gururaj Chalger <gchalger@qti.qualcomm.com>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
|
|
Support 2 separate device nodes with this change, one for ADSP/SLPI
and another for CDSP.
Change-Id: I2a09ebfdeccd9a092b1a3602c249b2727ec91c93
Acked-by: Amol Mahesh <amahesh@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Integer overflow in refcount of map is leading to use after free. Error
out if refcount reaches INT_MAX.
Change-Id: I21e88361a8e70ef8c5c9593f1fc0ddd2b351a55a
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Print error message if process kill on remote subsystem failed.
Validate channel ID before dereferencing the channel info struct.
When trying to release process on DSP, print failure message only
when the subsystem is up, to avoid flooding of kernel logs for
daemons.
Change-Id: I1b7325d686f6e8699e6f98f529c5dff85cce630d
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Since DSP is not supposed to modify the base pointer rpra of the
input/output arguments offloaded to DSP, maintain a local copy of
the pointer and use it after receiving interrupt from DSP.
Change-Id: I4afade7184cb2aca148060fb0cda06c6174f3b55
Acked-by: Maitreyi Gupta <maitreyi@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
|
|
Verify that user applications are not using the kernel RPC message
handle to restrict them from directly attaching to guest OS on the
remote subsystem.
Change-Id: Icfa114a12f2bebbe815eb9930027fded51f717fd
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
|
|
Perform NULL check with return value of kzalloc in
order to avoid NULL pointer dereference.
Change-Id: Ic45cc702b19a87d851b75595e1cf86e1674dd9d4
Signed-off-by: Firoz Khan <firozk@codeaurora.org>
|
|
Fixes memory out of bound error.
Change-Id: I9cc11b5231ba3654588eadf7a7adca68aff35684
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
|
|
Allocate all memory given to remote subsystem in the kernel
instead of mapping memory allocated in userspace.
Change-Id: I79c1f40d426e271403afa67514714fe6af26cf4e
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Changes the naming convention and adds
PID as suffix to the debugfs files.
Adds debugfs file data in the tabular format and also
creates global file in /sys/kernel/debug/adsprpc directory.
Change-Id: I25f3f7ea59dd39c9d44d99c8503f431f10072c33
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
|
|
Applicable only for CDSP present branches. Not needed for 4.4 kernel.
This reverts commit 90cb306f507025bf6a387f1e06ceac1d649c514d.
Change-Id: I645120212b2c9a43cb5d12cc866d5592979cd44b
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Support 2 separate device nodes with this change, one for ADSP/SLPI
and another for CDSP.
Change-Id: I2a09ebfdeccd9a092b1a3602c249b2727ec91c92
Acked-by: Amol Mahesh <amahesh@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Destroy mutex before file free, to avoid use after free of mutex.
Change-Id: I4ff73dc17b15043eacbb299219a379bfd1a8efa6
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Handle 32 bit support without any truncation.
Add IOCTL calls for map and unmap for 64 bit separately.
Change-Id: I077a0b4345a6c21a88d7a500aa5c9faf7193f620
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
In get_args function there is no NULL pointer check for rpra
variable, that might lead to null pointer dereference. Add
condition to verify.
Change-Id: I0789e8ea875221de5809598419bc7f842aa3e22e
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
The fixed issues include variable initialization missing and improper NULL
pointer checking.
Change-Id: I5302cf84f7f0414fe0cf69ccc0cafc8225142c5f
Signed-off-by: Tony Han <xiahan@codeaurora.org>
|
|
Send context ID in rpc header instead of context pointer.
Validate context ID received in response and get context pointer.
Change-Id: I9cfd10d0c1b25c3085b8e15c7ca1c8ff214bf10d
Acked-by: Viswanatham Paduchuri <vpaduchu@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Variable map may be pointing to the same buffer on race conditions
in functions fastrpc_internal_mmap and fastrpc_internal_munmap,
use mutex to avoid race conditions on same buffer.
Change-Id: I96ed884c44a36f574677ba3ba189dfbf2ce3751d
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
As the length datatype is signed, supplying a negative number
can have undesired consequences. Always use unsigned integer
types for length values.
Change-Id: Ifde2f0d35129014b976507f7723a319c53fabddf
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Check the validity of the pointer in user space that you intend to
access. access_ok function simply checks that the address is likely
in user space, not in the kernel.
Change-Id: I936f73a2c2029f9e7ca12cc8fc06d0698e6710c0
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Validate context pointer using magic number instead of searching
through context list. It removes the usage of spin lock in interrupt
handler for avoiding deadlock and reducing latency.
Change-Id: I2492a7984a8d6545618a9cfb7a2d239d03ddd5a2
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Change Dest VM of SSC from 5 to 38 and it can be unmapped to
HLOS through hyp_assign.
Change-Id: I8e4ace8e9722d4fa79b553ad6b8d29353954f8c5
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Queue 2 intents for adsprpc glink channel to avoid remote
processor failure for glink.
One intent for threads responding back of size 16,
another intent for IST failure responding without intent
request of size 64.
Change-Id: I85444cb0283c57ddf15cf7d1d50b827fe5339d4c
Acked-by: Viswanatham Paduchuri <vpaduchu@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
To avoid leaking info of pointer addresses to dmesg,
use %pK instead of %p to print virtual addresses.
Change-Id: I7d8e900d7cd62e9ad3fb9ea3ba9865d6911bdfcb
Acked-by: Chenna Kesava Raju <chennak@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Validate user buffers before accessing in kernel driver.
Change-Id: I7997d069d0549de03f1467c63bdb81b20fcf3d6c
Acked-by: Chenna Kesava Raju <chennak@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Remove the use of dmac_flush_range for userspace buffers and add
msm_ion_do_cache_op for flushing user space buffers.
Change-Id: Ice73eafac840bd1cabee0a2bfc8a641832a7d0c8
Acked-by: Bharath Kumar <bkumar@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Enable audio remote heap protection for separate hyp_assign call to map
HLOS buffer to ADSP_Q6_ELF VM.
Change-Id: I91a70cb8ef2c2feb2d4c398c15c220c78c96a509
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Queue receive intent for adsprpc glink channel to avoid remote
processor failure to acknowledge first message.
Change-Id: I314099acca71683a36661c0ff6c4a0430653d97e
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Handle multiple sessions properly for given channel.
Change-Id: I3061fd883794da0465bfdae2b1c19d425ede7470
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Add execute permission for hyp_assign_phys for adsp shared
memory region to allow for the memory to be reused by other user
space processes when this is not used by the remote processor.
Change-Id: I4f593584f332f8dc775afb68e6bfae1ea8f803fa
Acked-by: Viswanatham Paduchuri <vpaduchu@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
When fastrpc_device_release is in progress, don't send any new
requests to DSP
Change-Id: I4d9e2f06485cde6dbd3d7aef402e3e853e0be998
Acked-by: Chenna Kesava Raju <chennak@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Access to dma shared buffer is set at device probe, avoid making
multiple hypervisor assign calls for the same buffer.
Change-Id: I91f7dd0bca109fa774af49159bdec57b8acd65b2
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
Acked-by: Viswanatham Paduchuri <vpaduchu@qti.qualcomm.com>
|
|
Handle Glink register bail path in case of SSR.
Change-Id: Ic3b7d9d4b0b53d348faf338d03d12fc471030ae6
Acked-by: Krishnaiah Tadakamalla <ktadakam@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|
|
Initializing metadata buffer to zero before reusing the buffer
for next invoke.
Change-Id: Iaab3478732b83427a475e95afa0e031cb76f60d9
Acked-by: Viswanatham Paduchuri <vpaduchu@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
|