From ad123452d0ea8b255127bd0c15fc5bd833566a83 Mon Sep 17 00:00:00 2001 From: Elliot Berman Date: Thu, 11 Aug 2022 11:41:02 -0700 Subject: [PATCH 01/25] virt: haven: rsc_mgr: Allocate right buffer size of requests The correct size for sending RM messages is HH_MSGQ_MAX_MSG_SIZE_BYTES. The amount of actual payload data is HH_RM_MAX_MSG_SIZE_BYTES and is incorrect. Change-Id: I8aa7de79ab57b60da366c0a4a1f82233d22ab59c Signed-off-by: Elliot Berman --- drivers/virt/haven/hh_rm_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/virt/haven/hh_rm_core.c b/drivers/virt/haven/hh_rm_core.c index 02fcfcb8ef82c..cb45cd65aad4a 100644 --- a/drivers/virt/haven/hh_rm_core.c +++ b/drivers/virt/haven/hh_rm_core.c @@ -525,7 +525,7 @@ static int hh_rm_send_request(u32 message_id, return -E2BIG; } - msg = kzalloc(HH_RM_MAX_MSG_SIZE_BYTES, GFP_KERNEL); + msg = kzalloc(HH_MSGQ_MAX_MSG_SIZE_BYTES, GFP_KERNEL); if (!msg) return -ENOMEM; @@ -542,7 +542,7 @@ static int hh_rm_send_request(u32 message_id, payload_size = buff_size_remaining; } - memset(msg, 0, HH_RM_MAX_MSG_SIZE_BYTES); + memset(msg, 0, HH_MSGQ_MAX_MSG_SIZE_BYTES); /* Fill header */ hdr = msg; From 4b3ce87e4720ff14047613532977c11c5d21e4ae Mon Sep 17 00:00:00 2001 From: Raihan Haider Date: Tue, 14 Feb 2023 17:40:00 +0530 Subject: [PATCH 02/25] defconfig: sdxlemur: Enable R8168 driver config Set R8168 driver config to y. Change-Id: I31cfdf90592db9da3e5e02be2f23c2d625863055 Signed-off-by: Raihan Haider --- arch/arm/configs/vendor/sdxlemur.config | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/arm/configs/vendor/sdxlemur.config b/arch/arm/configs/vendor/sdxlemur.config index f9323a93463e2..6f909a87bf875 100644 --- a/arch/arm/configs/vendor/sdxlemur.config +++ b/arch/arm/configs/vendor/sdxlemur.config 
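Review bot: The allocation in hh_rm_send_request and the per-fragment `memset` further down now both use HH_MSGQ_MAX_MSG_SIZE_BYTES, but nothing in the visible lines ties that size to the header plus HH_RM_MAX_MSG_SIZE_BYTES of payload, which is the relationship the old code got wrong. A compile-time check next to the allocation would pin it, for example `BUILD_BUG_ON(sizeof(*hdr) + HH_RM_MAX_MSG_SIZE_BYTES > HH_MSGQ_MAX_MSG_SIZE_BYTES);`, assuming hdr's type is the complete RM header. The copy of the payload into msg is outside both hunks, so the bound it uses should be checked against the same constant.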
@@ -363,6 +363,7 @@ CONFIG_IOSS=m CONFIG_AQFWD_IOSS=m CONFIG_R8125=y CONFIG_R8125_IOSS=m +CONFIG_R8168=y CONFIG_QCOM_SHOW_RESUME_IRQ=y CONFIG_HARDENED_USERCOPY=y # CONFIG_HARDENED_USERCOPY_FALLBACK is not set From 87acdd7036208f2656c9d1cf1cb0102f26b0073e Mon Sep 17 00:00:00 2001 From: Arun Prakash Date: Fri, 25 Feb 2022 12:25:09 +0530 Subject: [PATCH 03/25] net: qrtr: Move service id based filter check before queueing skb Move service id based filter check before queueing skb to avoid possible use after free issue since skb might get released once rx thread completed the processing of skb. Change-Id: Iff93e32abd3d55f78bf4ce80675fc3bb312b0841 Signed-off-by: Arun Prakash --- net/qrtr/qrtr.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c index 569e95262be1e..5467eb4f17017 100644 --- a/net/qrtr/qrtr.c +++ b/net/qrtr/qrtr.c @@ -939,13 +939,6 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) return -ENODEV; } - if (sock_queue_rcv_skb(&ipc->sk, skb)) - goto err; - - /* Force wakeup for all packets except for sensors */ - if (node->nid != 9 && node->nid != 5) - pm_wakeup_ws_event(node->ws, qrtr_wakeup_ms, true); - if (node->nid == 5) { svc_id = qrtr_get_service_id(cb->src_node, cb->src_port); if (svc_id > 0) { @@ -956,9 +949,19 @@ int qrtr_endpoint_post(struct qrtr_endpoint *ep, const void *data, size_t len) } } } - if (wake) - pm_wakeup_ws_event(node->ws, qrtr_wakeup_ms, true); } + + if (sock_queue_rcv_skb(&ipc->sk, skb)) + goto err; + + /** + * Force wakeup for all packets except for sensors and blacklisted services + * from adsp side + */ + if ((node->nid != 9 && node->nid != 5) || + (node->nid == 5 && wake)) + pm_wakeup_ws_event(node->ws, qrtr_wakeup_ms, true); + qrtr_port_put(ipc); } From 931dbd1b072f7b1c45adc73d7add78aeafd1d8f8 Mon Sep 17 00:00:00 2001 
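Review bot: In qrtr_endpoint_post the fix depends on nothing reading `skb` (or `cb`, if it points into the skb) once `sock_queue_rcv_skb()` has succeeded, yet the new code has no comment saying so. I would add `/* skb may be freed by the receiver once queued; do not touch skb or cb below */` above the queue call. The wakeup comment opens with `/**`, which is kernel-doc syntax and not meant for a comment inside a function body; it should open with `/*`. The node ids 5 and 9 are bare numbers repeated in the condition `(node->nid != 9 && node->nid != 5) || (node->nid == 5 && wake)`, and named constants would make it readable. Whether `wake` is initialised on every path is decided outside the hunk.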
From: Yuanfang Zhang Date: Tue, 21 Mar 2023 18:44:03 +0800 Subject: [PATCH 04/25] coresight-tmc: increase qdss pcie sw path throughput Increase throughput for qdss pcie sw path. Change-Id: I4bb52e81d2617d8e83d0dcfe525cad2f6f5ca93a Signed-off-by: Yuanfang Zhang --- drivers/hwtracing/coresight/coresight-tmc-etr.c | 4 +++- drivers/hwtracing/coresight/coresight-tmc.h | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/hwtracing/coresight/coresight-tmc-etr.c b/drivers/hwtracing/coresight/coresight-tmc-etr.c index 86987252862f3..552e202e7226d 100644 --- a/drivers/hwtracing/coresight/coresight-tmc-etr.c +++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c @@ -1129,9 +1129,11 @@ tmc_etr_setup_sysfs_buf(struct tmc_drvdata *drvdata) && drvdata->byte_cntr->sw_usb) new_buf = tmc_alloc_etr_buf(drvdata, TMC_ETR_SW_USB_BUF_SIZE, 0, cpu_to_node(0), NULL); - else if (drvdata->out_mode == TMC_ETR_OUT_MODE_PCIE) + else if (drvdata->out_mode == TMC_ETR_OUT_MODE_PCIE) { new_buf = tmc_alloc_etr_buf(drvdata, TMC_ETR_PCIE_MEM_SIZE, 0, cpu_to_node(0), NULL); + drvdata->size = TMC_ETR_PCIE_MEM_SIZE; + } else new_buf = tmc_alloc_etr_buf(drvdata, drvdata->size, 0, cpu_to_node(0), NULL); diff --git a/drivers/hwtracing/coresight/coresight-tmc.h b/drivers/hwtracing/coresight/coresight-tmc.h index 0c70b54863bbd..e911342ddf318 100644 --- a/drivers/hwtracing/coresight/coresight-tmc.h +++ b/drivers/hwtracing/coresight/coresight-tmc.h @@ -104,7 +104,7 @@ #define TMC_ETR_BAM_PIPE_INDEX 0 #define TMC_ETR_BAM_NR_PIPES 2 -#define TMC_ETR_PCIE_MEM_SIZE 0x400000 +#define TMC_ETR_PCIE_MEM_SIZE 0x2000000 #define TMC_AUTH_NSID_MASK GENMASK(1, 0) From b4b121f38dccaec2677e9e61090673c9e73a498f Mon Sep 17 00:00:00 2001 
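Review bot: In the PCIe branch of tmc_etr_setup_sysfs_buf, `drvdata->size = TMC_ETR_PCIE_MEM_SIZE;` is assigned right after tmc_alloc_etr_buf() without looking at the result. A failed allocation, more likely now that the constant grows from 0x400000 to 0x2000000 in coresight-tmc.h, would leave drvdata->size describing a buffer that was never obtained. Assuming the allocator reports failure through ERR_PTR, the assignment should follow the check, e.g. `if (!IS_ERR(new_buf)) drvdata->size = TMC_ETR_PCIE_MEM_SIZE;`; whether new_buf is tested later is outside the hunk. The branch also gains braces while the neighbouring `else` stays unbraced, and kernel style braces every arm once one of them needs braces.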
From: Pradeep P V K Date: Tue, 11 Apr 2023 16:34:04 +0530 Subject: [PATCH 05/25] mtd: msm_qpic_nand: Add boot_a and boot_b access to APPS As part of FR53657, make changes to support for boot_a and boot_b partition access to HLOS APPS. Change-Id: Ic173bd54df11e42b1811c198314719c4c34338db Signed-off-by: Pradeep P V K --- drivers/mtd/devices/msm_qpic_nand.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/mtd/devices/msm_qpic_nand.c b/drivers/mtd/devices/msm_qpic_nand.c index 78517b27c3091..19fdb76fb6972 100644 --- a/drivers/mtd/devices/msm_qpic_nand.c +++ b/drivers/mtd/devices/msm_qpic_nand.c @@ -2,6 +2,7 @@ /* * Copyright (C) 2007 Google, Inc. * Copyright (c) 2012-2021 The Linux Foundation. All rights reserved. + * Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved. */ #include "msm_qpic_nand.h" @@ -797,9 +798,15 @@ static int msm_nand_flash_onfi_probe(struct msm_nand_info *info) memset(&data, 0, sizeof(struct msm_nand_flash_onfi_data)); - /* Lookup the partition to which apps has access to */ + /* + * Lookup the partition to which apps has access to + * As a part of FR53657, add support for boot_a + * and boot_b partitions. + */ for (i = 0; i < FLASH_PTABLE_MAX_PARTS_V4; i++) { - if (mtd_part[i].name && !strcmp("boot", mtd_part[i].name)) { + if (mtd_part[i].name && (!strcmp("boot", mtd_part[i].name) || + !strcmp("boot_a", mtd_part[i].name) || + !strcmp("boot_b", mtd_part[i].name))) { page_address = mtd_part[i].offset << 6; break; } From 96507bd86309aa9330dbb9adaf6a260deecd4cea Mon Sep 17 00:00:00 2001 From: Santosh Sakore Date: Thu, 23 Mar 2023 16:44:49 +0530 Subject: [PATCH 06/25] msm: adsprpc: Handle UAF in fastrpc internal munmap Added reference count for contex map indicate memory under used in remote call. And, this memory would not removed in internal unmap to avoid UAF. Change-Id: Ieb4ff6b298ff9c48953bc5b3539fdfe19a14b442 Acked-by: Santosh Sakore 
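Review bot: The loop in msm_nand_flash_onfi_probe stops at the first entry named boot, boot_a or boot_b, so on a partition table that carries both slots the result depends on table order and not on which slot is active. If that is intended because any apps-readable partition is good enough for the ONFI parameter read, the comment should say so. The reference to FR53657 tells a reader without access to that tracker nothing and could be replaced with the reason itself. A small name table or helper would also avoid growing the `||` chain of strcmp calls for the next slot name.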
Signed-off-by: Santosh Sakore --- drivers/char/adsprpc.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index 56d93e1ccb272..3e9e9589b1552 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2012-2021, The Linux Foundation. All rights reserved. - * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved. */ /* Uncomment this block to log an error on every VERIFY failure */ @@ -579,10 +579,11 @@ struct fastrpc_mmap { bool is_persistent; /* Indicates whether map is persistent */ int frpc_md_index; /* Minidump unique index */ uintptr_t attr; - bool in_use; /* Indicates if persistent map is in use*/ + bool in_use; /* Indicates if persistent map is in use */ struct timespec64 map_start_time; struct timespec64 map_end_time; - bool is_filemap; /*flag to indicate map used in process init*/ + bool is_filemap; /* flag to indicate map used in process init */ + unsigned int ctx_refs; /* Indicates reference count for context map */ }; enum fastrpc_perfkeys { @@ -1220,7 +1221,7 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, int fd, uintptr_t va, hlist_for_each_entry_safe(map, n, &me->maps, hn) { if (map->refs == 1 && map->raddr == va && map->raddr + map->len == va + len && - /*Remove map if not used in process initialization*/ + /* Remove map if not used in process initialization */ !map->is_filemap) { match = map; hlist_del_init(&map->hn); 
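Review bot: The new `ctx_refs` member of struct fastrpc_mmap is a plain `unsigned int` with no statement of which lock protects it. In this patch it is incremented and decremented under `ctx->fl->map_mutex`, but the heap-address branch of fastrpc_mmap_free reads it with only `me->hlock` visible in the hunk. The field comment should record the rule, for instance `/* context references; protected by fl->map_mutex */`, and the heap-branch read should be checked against it. If the counter can be reached without the mutex, `refcount_t` would be the safer type.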
@@ -1233,9 +1234,10 @@ static int fastrpc_mmap_remove(struct fastrpc_file *fl, int fd, uintptr_t va, return 0; } hlist_for_each_entry_safe(map, n, &fl->maps, hn) { - if (map->refs == 1 && map->raddr == va && - map->raddr + map->len == va + len && - /*Remove map if not used in process initialization*/ + /* Remove if only one reference map and no context map */ + if (map->refs == 1 && !map->ctx_refs && + map->raddr == va && map->raddr + map->len == va + len && + /* Remove map if not used in process initialization */ !map->is_filemap) { match = map; hlist_del_init(&map->hn); @@ -1274,7 +1276,7 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map, uint32_t flags) map->flags == ADSP_MMAP_REMOTE_HEAP_ADDR) { spin_lock(&me->hlock); map->refs--; - if (!map->refs && !map->is_persistent) + if (!map->refs && !map->is_persistent && !map->ctx_refs) hlist_del_init(&map->hn); spin_unlock(&me->hlock); if (map->refs > 0) { @@ -1290,7 +1292,7 @@ static void fastrpc_mmap_free(struct fastrpc_mmap *map, uint32_t flags) } } else { map->refs--; - if (!map->refs) + if (!map->refs && !map->ctx_refs) hlist_del_init(&map->hn); if (map->refs > 0 && !flags) return; @@ -1426,6 +1428,7 @@ static int fastrpc_mmap_create(struct fastrpc_file *fl, int fd, map->attr = attr; map->frpc_md_index = -1; map->is_filemap = false; + map->ctx_refs = 0; ktime_get_real_ts64(&map->map_start_time); if (mflags == ADSP_MMAP_HEAP_ADDR || mflags == ADSP_MMAP_REMOTE_HEAP_ADDR) { @@ -2177,8 +2180,11 @@ static void context_free(struct smq_invoke_ctx *ctx) spin_unlock(&ctx->fl->hlock); mutex_lock(&ctx->fl->map_mutex); - for (i = 0; i < nbufs; ++i) + for (i = 0; i < nbufs; ++i) { + if (ctx->maps[i] && ctx->maps[i]->ctx_refs) + ctx->maps[i]->ctx_refs--; fastrpc_mmap_free(ctx->maps[i], 0); + } mutex_unlock(&ctx->fl->map_mutex); fastrpc_buf_free(ctx->buf, 1); 
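Review bot: In the non-heap branch of fastrpc_mmap_free, a map whose `refs` reaches zero while `ctx_refs` is still non-zero is no longer unlinked, but the next test `if (map->refs > 0 && !flags) return;` does not return for it either, so control falls through to the code after the hunk. If that code releases the map, it is freed while still on the list and while a context still counts on it, which is the use-after-free this patch is meant to close; the heap-address branch above has the same shape. The callers in this patch drop `ctx_refs` just before calling in, so the state may be unreachable today, but that invariant is unwritten. I would state it at the top of the function and enforce it with `WARN_ON(!map->refs && map->ctx_refs);` after the decrement. The rest of the function is outside the hunk and needs to be read against this.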
@@ -2485,6 +2491,8 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) err = fastrpc_mmap_create(ctx->fl, ctx->fds[i], ctx->attrs[i], buf, len, mflags, &ctx->maps[i]); + if (ctx->maps[i]) + ctx->maps[i]->ctx_refs++; mutex_unlock(&ctx->fl->map_mutex); if (err) goto bail; @@ -2502,9 +2510,14 @@ static int get_args(uint32_t kernel, struct smq_invoke_ctx *ctx) err = fastrpc_mmap_create(ctx->fl, ctx->fds[i], FASTRPC_ATTR_NOVA, 0, 0, dmaflags, &ctx->maps[i]); + if (!err && ctx->maps[i]) + ctx->maps[i]->ctx_refs++; if (err) { - for (j = bufs; j < i; j++) + for (j = bufs; j < i; j++) { + if (ctx->maps[j] && ctx->maps[j]->ctx_refs) + ctx->maps[j]->ctx_refs--; fastrpc_mmap_free(ctx->maps[j], 0); + } mutex_unlock(&ctx->fl->map_mutex); goto bail; } @@ -2835,6 +2848,8 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx, } } else { mutex_lock(&ctx->fl->map_mutex); + if (ctx->maps[i]->ctx_refs) + ctx->maps[i]->ctx_refs--; fastrpc_mmap_free(ctx->maps[i], 0); mutex_unlock(&ctx->fl->map_mutex); ctx->maps[i] = NULL; @@ -2845,8 +2860,11 @@ static int put_args(uint32_t kernel, struct smq_invoke_ctx *ctx, if (!fdlist[i]) break; if (!fastrpc_mmap_find(ctx->fl, (int)fdlist[i], 0, 0, - 0, 0, &mmap)) + 0, 0, &mmap)) { + if (mmap && mmap->ctx_refs) + mmap->ctx_refs--; fastrpc_mmap_free(mmap, 0); + } } mutex_unlock(&ctx->fl->map_mutex); if (ctx->crc && crclist && rpra) From f20dfe7d99f89a826830bd3d650adade62a07f48 Mon Sep 17 00:00:00 2001 
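Review bot: The first get_args hunk bumps the counter with `if (ctx->maps[i]) ctx->maps[i]->ctx_refs++;` regardless of `err`, while the second hunk a few lines later uses `if (!err && ctx->maps[i])`. If fastrpc_mmap_create can fail after storing a pointer in ctx->maps[i], or if the slot holds an earlier value, the first form counts a reference on a map this context does not own. Using the same guard in both places, `if (!err && ctx->maps[i]) ctx->maps[i]->ctx_refs++;`, removes the question. get_args continues outside both hunks.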
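Review bot: In the fdlist loop of put_args the map is looked up by fd through fastrpc_mmap_find() and its `ctx_refs` is decremented when non-zero, but nothing in the hunk shows that this context is the one that incremented it. If the fdlist contents come from the remote processor, as their use here suggests, an fd naming a map pinned by a different in-flight context would drop that pin and make the map eligible for fastrpc_mmap_remove again. Limiting the decrement to maps recorded in this context's own `ctx->maps[]` would keep increments and decrements paired. The loop header and the origin of fdlist are outside the hunk.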
From: Ram Nagesh Date: Mon, 13 Mar 2023 16:00:34 +0530 Subject: [PATCH 07/25] msm: synx: Check for zero before reducing bind handles Suppose user has sent invalid external fence to bind API. Now, while binding, if synx signal comes in parallel, it will set number of bound synxs as 0 after signal. Further reduction on that number(num_bound_synxs) (in case of callback registration failure) would make it wrap around. So, now num_bound_synxs is large value and abrupt close on synx fd will lead to synx_util_object_destroy. Here, the for loop on num_bound_synxs would lead to invalid memory access. This change decrements num_bound_synxs only if not zero. Change-Id: I0cfffc90d4164b149c87545818ae4dcf57fc4c46 Signed-off-by: Ram Nagesh --- drivers/media/platform/msm/synx/synx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/platform/msm/synx/synx.c b/drivers/media/platform/msm/synx/synx.c index 8043cc1489ed3..21c9cce7a958e 100644 --- a/drivers/media/platform/msm/synx/synx.c +++ b/drivers/media/platform/msm/synx/synx.c @@ -870,7 +870,8 @@ int synx_bind(struct synx_session session_id, mutex_lock(&synx_obj->obj_lock); memset(&synx_obj->bound_synxs[bound_idx], 0, sizeof(struct synx_external_desc)); - synx_obj->num_bound_synxs--; + if (synx_obj->num_bound_synxs) + synx_obj->num_bound_synxs--; goto free; } From 0a7a6f15011326260483289cc452b565384144ac Mon Sep 17 00:00:00 2001 From: Gaurav Kashyap Date: Wed, 15 Mar 2023 11:30:04 -0700 Subject: [PATCH 08/25] qcedev: vote for crypto clocks during module close When qcedev module is exiting, it disconnects SPS. At this times, crypto clocks need to be turned on or it will cause a synchronous abort. Tests: rmmod on the qcedev module. Change-Id: I1721fe408392ef81b07a6c08d2196b2413ba2b2f Signed-off-by: Gaurav Kashyap Signed-off-by: Nageswara reddy Karnati --- drivers/crypto/msm/qcedev.c | 3 +++ 1 file changed, 3 insertions(+) 
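Review bot: The guard in synx_bind, `if (synx_obj->num_bound_synxs) synx_obj->num_bound_synxs--;`, stops the wrap-around but leaves the reason out of the code, so a reader cannot tell why the count may already be zero on this error path. A comment such as `/* a concurrent signal may already have reset num_bound_synxs to 0 */` would record it. The `memset` of `bound_synxs[bound_idx]` just above still runs in that case, so it is worth confirming that bound_idx cannot name a slot that was handed out again after the reset. The code that assigns bound_idx is outside the hunk.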
diff --git a/drivers/crypto/msm/qcedev.c b/drivers/crypto/msm/qcedev.c index d81ce43e3fd6a..12117d6ee7aff 100644 --- a/drivers/crypto/msm/qcedev.c +++ b/drivers/crypto/msm/qcedev.c @@ -2163,8 +2163,11 @@ static int qcedev_remove(struct platform_device *pdev) podev = platform_get_drvdata(pdev); if (!podev) return 0; + + qcedev_ce_high_bw_req(podev, true); if (podev->qce) qce_close(podev->qce); + qcedev_ce_high_bw_req(podev, false); if (podev->icc_path) icc_put(podev->icc_path); From e57b2b062ec19f9c6e09af2298072b3d1768cfe0 Mon Sep 17 00:00:00 2001 From: Raviteja Laggyshetty Date: Tue, 2 May 2023 14:45:42 +0530 Subject: [PATCH 09/25] interconnect: qcom: holi: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: If4ddebec67f008e5412c1bf03bed0693fcaaffe0 Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/holi.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/interconnect/qcom/holi.c b/drivers/interconnect/qcom/holi.c index a6a92e8719c86..8503687a1cd5c 100644 --- a/drivers/interconnect/qcom/holi.c +++ b/drivers/interconnect/qcom/holi.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ @@ -1868,11 +1869,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("Holi NoC driver"); MODULE_LICENSE("GPL v2"); From c36b875972f1c2945b389bc275945ebb5e77cb33 Mon Sep 17 00:00:00 2001 
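Review bot: qcedev_remove now calls `qcedev_ce_high_bw_req(podev, true)` before testing `podev->qce`, and the `if (podev->icc_path)` test a few lines later shows that the interconnect path can be absent at this point. If qcedev_ce_high_bw_req relies on icc_path or on the qce handle, the vote belongs inside the existing guard, with the two calls bracketing `qce_close(podev->qce);` within `if (podev->qce) { ... }`. Any failure the bandwidth request can report is also ignored here; its prototype is not visible in the hunk.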
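Review bot: Dropping qnoc_driver_exit in holi.c stops the driver from being unregistered at module unload, but a platform driver's remove callback can also be reached through the sysfs `unbind` attribute, which stays available unless qnoc_driver already sets `.suppress_bind_attrs = true` in its `.driver` member. The definition of qnoc_driver is outside the hunk, so this needs confirming; if the flag is missing, the use-after-free in the remove path remains reachable by a privileged user. The same applies to the identical changes to lahaina, scshrike, shima, sm6150, sdxlemur, sdxnightjar, yupik, direwolf, monaco and sm8150 later in this series.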
From: Raviteja Laggyshetty Date: Tue, 2 May 2023 14:57:22 +0530 Subject: [PATCH 10/25] interconnect: qcom: lahaina: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: I7a840812752b34248ec3dcb241b069cf4bf77608 Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/lahaina.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/interconnect/qcom/lahaina.c b/drivers/interconnect/qcom/lahaina.c index 4f4847dfd65b6..114fa54f250bd 100644 --- a/drivers/interconnect/qcom/lahaina.c +++ b/drivers/interconnect/qcom/lahaina.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2019-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ @@ -2903,11 +2904,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("Lahaina NoC driver"); MODULE_LICENSE("GPL v2"); From bb0e2f4acfebf6d7a6779316a682267b6a2c75e1 Mon Sep 17 00:00:00 2001 From: Raviteja Laggyshetty Date: Tue, 2 May 2023 14:59:19 +0530 Subject: [PATCH 11/25] interconnect: qcom: scshrike: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: Ib420005ad94507db927a3014a39bd0d06b4d416f Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/scshrike.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
diff --git a/drivers/interconnect/qcom/scshrike.c b/drivers/interconnect/qcom/scshrike.c index c8bd1f831a19a..8af77557b40a5 100644 --- a/drivers/interconnect/qcom/scshrike.c +++ b/drivers/interconnect/qcom/scshrike.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ @@ -2977,11 +2978,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("SCSHRIKE NoC driver"); MODULE_LICENSE("GPL v2"); From 153bf8409ab9a4b9f74b7e69966b2661b4cad4dc Mon Sep 17 00:00:00 2001 From: Raviteja Laggyshetty Date: Tue, 2 May 2023 15:01:17 +0530 Subject: [PATCH 12/25] interconnect: qcom: shima: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: I296b40141d3d844f3011cd704e8c593c8bc0f5e0 Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/shima.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/interconnect/qcom/shima.c b/drivers/interconnect/qcom/shima.c index f372f4515d281..967386d1f80a2 100644 --- a/drivers/interconnect/qcom/shima.c +++ b/drivers/interconnect/qcom/shima.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ 
@@ -2708,11 +2709,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("Shima NoC driver"); MODULE_LICENSE("GPL v2"); From 194c56a921fc5f842805f59f783cee263919e786 Mon Sep 17 00:00:00 2001 From: Raviteja Laggyshetty Date: Tue, 2 May 2023 15:03:49 +0530 Subject: [PATCH 13/25] interconnect: qcom: sm6150: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: Ib1335860da25147ca87715a1935d2e8feee3fde4 Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/sm6150.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/interconnect/qcom/sm6150.c b/drivers/interconnect/qcom/sm6150.c index 4a1447b0f15dc..796bfda33becb 100644 --- a/drivers/interconnect/qcom/sm6150.c +++ b/drivers/interconnect/qcom/sm6150.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ @@ -2457,11 +2458,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("SM6150 NoC driver"); MODULE_LICENSE("GPL v2"); From ee142e497dbafcb2fb2eb0082ed76235bc881af8 Mon Sep 17 00:00:00 2001 
From: Raviteja Laggyshetty Date: Tue, 2 May 2023 15:07:26 +0530 Subject: [PATCH 14/25] interconnect: qcom: sdxlemur: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: Ic75d04bf95dc21d5453c6e5e3a0a4864304fc8b5 Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/sdxlemur.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/interconnect/qcom/sdxlemur.c b/drivers/interconnect/qcom/sdxlemur.c index b1ee56ff93f44..e0cdb3a68d7c3 100644 --- a/drivers/interconnect/qcom/sdxlemur.c +++ b/drivers/interconnect/qcom/sdxlemur.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ @@ -1289,11 +1290,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("SDXLEMUR NoC driver"); MODULE_LICENSE("GPL v2"); From adf5e4ca9dcf875c1ffe0743a5f6df6f91571e36 Mon Sep 17 00:00:00 2001 From: Raviteja Laggyshetty Date: Tue, 2 May 2023 15:09:25 +0530 Subject: [PATCH 15/25] interconnect: qcom: sdxnightjar: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: I761c047c722cebe3b2c721adab3fbed9dc1d7e47 Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/sdxnightjar.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
diff --git a/drivers/interconnect/qcom/sdxnightjar.c b/drivers/interconnect/qcom/sdxnightjar.c index 738eff7f8740e..b4f75cb7ab500 100644 --- a/drivers/interconnect/qcom/sdxnightjar.c +++ b/drivers/interconnect/qcom/sdxnightjar.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ @@ -1027,11 +1028,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("sdxnightjar NoC driver"); MODULE_LICENSE("GPL v2"); From 9904cf1df1b8dc16021a013c46af9e603f416b3d Mon Sep 17 00:00:00 2001 From: Raviteja Laggyshetty Date: Tue, 2 May 2023 15:11:01 +0530 Subject: [PATCH 16/25] interconnect: qcom: yupik: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: I608e85bc66028878b9dbfeff1c0a4caf683d03fb Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/yupik.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/interconnect/qcom/yupik.c b/drivers/interconnect/qcom/yupik.c index 7eec1af9c0e16..2088257b2d600 100644 --- a/drivers/interconnect/qcom/yupik.c +++ b/drivers/interconnect/qcom/yupik.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ 
@@ -2731,11 +2732,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("Yupik NoC driver"); MODULE_LICENSE("GPL v2"); From b4c93ec98ea89b0ca394a3dd6c14c0cbdb7d2dd8 Mon Sep 17 00:00:00 2001 From: Raviteja Laggyshetty Date: Tue, 2 May 2023 19:33:14 +0530 Subject: [PATCH 17/25] interconnect: qcom: direwolf: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: I7bd39e3269409527cc55e5a7ceaddedb70324612 Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/direwolf.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/interconnect/qcom/direwolf.c b/drivers/interconnect/qcom/direwolf.c index aeaffed4dc795..49e72bfa4f9fa 100644 --- a/drivers/interconnect/qcom/direwolf.c +++ b/drivers/interconnect/qcom/direwolf.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ @@ -2693,11 +2694,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("Direwolf NoC driver"); MODULE_LICENSE("GPL v2"); From a5e1d0fedf8ac275e450baabc94d51ef610e82e6 Mon Sep 17 00:00:00 2001 
From: Raviteja Laggyshetty Date: Fri, 12 May 2023 19:16:16 +0530 Subject: [PATCH 18/25] interconnect: qcom: monaco: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: I249472490349c227d9f30f276439fd1d0de0bdb9 Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/monaco.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/interconnect/qcom/monaco.c b/drivers/interconnect/qcom/monaco.c index f839bc69cef44..841554a7c1c5f 100644 --- a/drivers/interconnect/qcom/monaco.c +++ b/drivers/interconnect/qcom/monaco.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ @@ -1389,11 +1390,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("Monaco NoC driver"); MODULE_LICENSE("GPL v2"); From ae2d0077d6dbdf72ae8df04a1ebf1db916fd07b8 Mon Sep 17 00:00:00 2001 From: Raviteja Laggyshetty Date: Fri, 12 May 2023 19:20:57 +0530 Subject: [PATCH 19/25] interconnect: qcom: sm8150: fix UAF under remove function UAF is observed while unloading the interconnect driver. Interconnect is core to the system and should not be unloaded once it is probed. Marking the driver as permanent by removing the module_exit function. Change-Id: I0c8cfd628483cd44408b987e4765dc7237ef7ad5 Signed-off-by: Raviteja Laggyshetty --- drivers/interconnect/qcom/sm8150.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/drivers/interconnect/qcom/sm8150.c b/drivers/interconnect/qcom/sm8150.c index f160789b605d2..b254319543d7a 100644 
--- a/drivers/interconnect/qcom/sm8150.c +++ b/drivers/interconnect/qcom/sm8150.c @@ -1,6 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020, The Linux Foundation. All rights reserved. + * Copyright (c) 2023, Qualcomm Innovation Center, Inc. All rights reserved. * */ @@ -2899,11 +2900,5 @@ static int __init qnoc_driver_init(void) } core_initcall(qnoc_driver_init); -static void __exit qnoc_driver_exit(void) -{ - platform_driver_unregister(&qnoc_driver); -} -module_exit(qnoc_driver_exit); - MODULE_DESCRIPTION("SM8150 NoC driver"); MODULE_LICENSE("GPL v2"); From 7cf8efc166f5c95397f344d2646d1de66a998606 Mon Sep 17 00:00:00 2001 From: Tapas Dey Date: Mon, 8 May 2023 15:44:52 +0530 Subject: [PATCH 20/25] msm: adsprpc: Handle UAF in fastrpc_buf_free Thread T1 add buffer to fl->cached_bufs and release fl->hlock and holding buffer reference. Now thread T2 will aquire fl->hlock and free buffer in fastrpc_cached_buf_list_free(). T1 will dereference the freed buffer. Moving reference buffer uses for T1 inside fl->hlock to avoid UAF. Change-Id: I5f08d5497099133f87d55f5879cfe50c2ba23ae6 Signed-off-by: Tapas Dey --- drivers/char/adsprpc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index 3e9e9589b1552..8e7b4eff7325b 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -1017,8 +1017,8 @@ static void fastrpc_buf_free(struct fastrpc_buf *buf, int cache) } hlist_add_head(&buf->hn, &fl->cached_bufs); fl->num_cached_buf++; - spin_unlock(&fl->hlock); buf->type = -1; + spin_unlock(&fl->hlock); return; } skip_buf_cache: From 06426824a281c9aef5bf0c50927eae9c7431db1e Mon Sep 17 00:00:00 2001 
From: Auditya Bhattaram Date: Tue, 18 Apr 2023 16:41:03 +0530 Subject: [PATCH 21/25] soc: qcom: Add Upperbounds check for program header e_phnum represent the number of entries in the program header table. So add Upperbounds check for program header and return invalid if the number of program headers is greater than PN_XNUM (0xffff). Change-Id: I63927e2e88a57a567a52b4eb377abe94ad3713b8 Signed-off-by: Auditya Bhattaram --- drivers/soc/qcom/mdt_loader.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/soc/qcom/mdt_loader.c b/drivers/soc/qcom/mdt_loader.c index 83c2679b6fcf5..38249a1a27d0a 100644 --- a/drivers/soc/qcom/mdt_loader.c +++ b/drivers/soc/qcom/mdt_loader.c @@ -95,7 +95,7 @@ void *qcom_mdt_read_metadata(const struct firmware *fw, size_t *data_len) ehdr = (struct elf32_hdr *)fw->data; phdrs = (struct elf32_phdr *)(ehdr + 1); - if (ehdr->e_phnum < 2) + if (ehdr->e_phnum < 2 || ehdr->e_phnum > PN_XNUM) return ERR_PTR(-EINVAL); if (phdrs[0].p_type == PT_LOAD) From c62a901eab7ea94b81f89bf12a18d68a8b70bdbd Mon Sep 17 00:00:00 2001 From: Prerna Singh Date: Tue, 28 Mar 2023 16:25:59 +0530 Subject: [PATCH 22/25] qcom: cpufreq-hw: Use the topology coreid for offset Use the topology_core_id() API to calculate the offset of the CPU cores. This will help to correctly calculate the offset in case of CPU with fused cores. Change-Id: I78992edc3a646b8062e8bdd80f4c72e8c97387ec Signed-off-by: Prerna Singh --- drivers/cpufreq/qcom-cpufreq-hw.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/drivers/cpufreq/qcom-cpufreq-hw.c b/drivers/cpufreq/qcom-cpufreq-hw.c index 98f9456f8697f..14c0c04011763 100644 --- a/drivers/cpufreq/qcom-cpufreq-hw.c +++ b/drivers/cpufreq/qcom-cpufreq-hw.c @@ -17,6 +17,7 @@ #include #include #include +#include #define CREATE_TRACE_POINTS #include 
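Review bot: The added upper bound in qcom_mdt_read_metadata, `ehdr->e_phnum > PN_XNUM`, can never be true if e_phnum is the 16-bit field of struct elf32_hdr and PN_XNUM is 0xffff as the commit message states, so the check rejects nothing. What the `phdrs[0]` access on the next line needs is proof that the program header table lies inside the firmware blob, e.g. `if (fw->size < sizeof(*ehdr) + ehdr->e_phnum * sizeof(*phdrs)) return ERR_PTR(-EINVAL);`. fw->size should also be shown to cover the ELF header before `ehdr` is read. Whether such a size check already exists earlier in the function is outside the hunk.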
@@ -33,8 +34,8 @@ #define LIMITS_POLLING_DELAY_MS 10 #define MAX_ROW 2 -#define CYCLE_CNTR_OFFSET(c, m, acc_count) \ - (acc_count ? ((c - cpumask_first(m) + 1) * 4) : 0) +#define CYCLE_CNTR_OFFSET(core_id, m, acc_count) \ + (acc_count ? ((core_id + 1) * 4) : 0) enum { REG_ENABLE, @@ -214,7 +215,7 @@ static u64 qcom_cpufreq_get_cpu_cycle_counter(int cpu) cpu_counter = &qcom_cpufreq_counter[cpu]; spin_lock_irqsave(&cpu_counter->lock, flags); - offset = CYCLE_CNTR_OFFSET(cpu, policy->related_cpus, + offset = CYCLE_CNTR_OFFSET(topology_core_id(cpu), policy->related_cpus, accumulative_counter); val = readl_relaxed_no_log(policy->driver_data + offsets[REG_CYCLE_CNTR] + offset); @@ -232,6 +233,8 @@ static u64 qcom_cpufreq_get_cpu_cycle_counter(int cpu) cycle_counter_ret = cpu_counter->total_cycle_counter; spin_unlock_irqrestore(&cpu_counter->lock, flags); + pr_debug("CPU %u, core-id 0x%x, offset %u\n", cpu, topology_core_id(cpu), offset); + return cycle_counter_ret; } From eba92f48bebc59492bf4e58bf5f1bc14ae775b74 Mon Sep 17 00:00:00 2001 From: Pradeep P V K Date: Tue, 18 Apr 2023 17:37:13 +0530 Subject: [PATCH 23/25] mtd: msm_qpic_nand: Add boot_a and boot_b access to APPS The existing code logic, checks for partitions that have access to apps by name "boot". This logic may not work if the boot partition name changes, let's say as boot_a/b. So, get the active boot partition details by reading the new kernel command line parameter "part.activeboot=" and use this partition page offset address to read the ONFI parameter page. If active boot partition details are not found, fallback to legacy code. Change-Id: I7c7071ccfc687f2e03bd9209a3c7260fb131ff10 Signed-off-by: Pradeep P V K --- drivers/mtd/devices/msm_qpic_nand.c | 31 ++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/drivers/mtd/devices/msm_qpic_nand.c b/drivers/mtd/devices/msm_qpic_nand.c index 19fdb76fb6972..fda89bf0cba8b 100644 --- a/drivers/mtd/devices/msm_qpic_nand.c 
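Review bot: `CYCLE_CNTR_OFFSET` keeps its `m` parameter although the new body no longer uses it, and its arguments are expanded without parentheses. The call in qcom_cpufreq_get_cpu_cycle_counter therefore still passes `policy->related_cpus` for nothing, which suggests to a reader that the offset is still relative to the policy's first CPU. Either drop the parameter at both places or at least write the body as `((acc_count) ? (((core_id) + 1) * 4) : 0)`.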
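Review bot: The result of `topology_core_id(cpu)` goes straight into the MMIO offset used by `readl_relaxed_no_log(policy->driver_data + offsets[REG_CYCLE_CNTR] + offset)` with no range check. The old expression `c - cpumask_first(m)` was bounded by the policy's CPU mask, whereas a core id is whatever the topology code reports; on arm/arm64 it is presumably -1 until the topology has been parsed (worth confirming for this tree), and it may exceed the number of counters in the register block. I would validate it once before the lock is taken, e.g. `if (core_id < 0 || core_id >= <number of cycle counters in this policy's block>) return 0;`, with the bound taken from what the driver knows about the mapping. The function starts and continues outside the hunk.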
+++ b/drivers/mtd/devices/msm_qpic_nand.c @@ -19,8 +19,24 @@ #define SMEM_AARM_PARTITION_TABLE 9 #define SMEM_APPS 0 #define ONE_CODEWORD_SIZE 516 +#define ACTIVE_BOOT_PART_MAX 30 static struct device *dev_node; +static char active_boot_part[ACTIVE_BOOT_PART_MAX] = "boot"; + +/* + * Function to get the active boot partition information + * from kernel command line during system boot. + */ +#ifndef MODULE +static int __init get_active_boot_part(char *str) +{ + strlcpy(active_boot_part, str, ACTIVE_BOOT_PART_MAX); + return 0; +} + +__setup("part.activeboot=", get_active_boot_part); +#endif /* * Get the DMA memory for requested amount of size. It returns the pointer @@ -798,24 +814,25 @@ static int msm_nand_flash_onfi_probe(struct msm_nand_info *info) memset(&data, 0, sizeof(struct msm_nand_flash_onfi_data)); - /* - * Lookup the partition to which apps has access to - * As a part of FR53657, add support for boot_a - * and boot_b partitions. + /* Lookup the partition to which apps has access to + * + * active_boot_part value gets updated to either kernel command line + * parameter "part.activeboot=" value (if present) or hold the default + * "boot" value. */ for (i = 0; i < FLASH_PTABLE_MAX_PARTS_V4; i++) { - if (mtd_part[i].name && (!strcmp("boot", mtd_part[i].name) || - !strcmp("boot_a", mtd_part[i].name) || - !strcmp("boot_b", mtd_part[i].name))) { + if (mtd_part[i].name && !strcmp(active_boot_part, mtd_part[i].name)) { page_address = mtd_part[i].offset << 6; break; } } + if (!page_address) { pr_err("%s: no apps partition found in smem\n", __func__); ret = -EPERM; goto free_dma; } + data.cfg.cmd = MSM_NAND_CMD_PAGE_READ_ONFI; data.exec = 1; data.cfg.addr0 = (page_address << 16) | From 5e4dbce2b710cbc3a91e810de1c0940d15a2e851 Mon Sep 17 00:00:00 2001 
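Review bot: `get_active_boot_part` returns 0, which tells the `__setup` machinery the option was not handled, so `part.activeboot=` is also passed on as an unknown boot parameter; handlers that consume their option return 1. The copy also truncates silently at ACTIVE_BOOT_PART_MAX, and a truncated name will just fail the later `strcmp` with the generic "no apps partition found" error. I would write `if (strscpy(active_boot_part, str, sizeof(active_boot_part)) < 0) pr_warn("part.activeboot= value too long\n");` followed by `return 1;`.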
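Review bot: The rewritten lookup in msm_nand_flash_onfi_probe drops the explicit `boot_a`/`boot_b` matches, so a device whose partitions carry those names now fails with -EPERM whenever `active_boot_part` still holds its default "boot". That happens when `part.activeboot=` is absent from the command line, and in a modular build, where the `#ifndef MODULE` handler is compiled out. The commit message promises a fallback to the legacy code, but the legacy comparison is exactly what was removed. A second pass that accepts the two legacy names when the configured name is not found would keep the old behaviour; the function starts and continues outside the hunk.

```c
	/* … unchanged: first loop matching active_boot_part … */

	/* Legacy fallback: configured name not present in the partition table */
	if (!page_address) {
		for (i = 0; i < FLASH_PTABLE_MAX_PARTS_V4; i++) {
			if (mtd_part[i].name &&
			    (!strcmp("boot_a", mtd_part[i].name) ||
			     !strcmp("boot_b", mtd_part[i].name))) {
				page_address = mtd_part[i].offset << 6;
				break;
			}
		}
	}

	/* … unchanged: !page_address error path … */
```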
From: Sai Chaitanya Kaveti Date: Wed, 24 May 2023 18:00:01 +0530 Subject: [PATCH 24/25] msm: mhi_dev: Support async write in UCI for size greater than 8k In the current implementation of MHI UCI layer, write operation from device to host fails if the size requested by client is more than 8k. Removing this condition in this change as MHI supports buffer size of upto 64k in async path. Continuing to fail write in sync case, as MHI layer uses pre allocated buffers of size 8k. Also, added debug logs to check if buffer size of Diag is more than 16k. With this change async writes of size greater than 8k are supported in UCI layer. Change-Id: I084da6a49a00095e806872f591365eabb9edc1de Signed-off-by: Sai Chaitanya Kaveti --- drivers/platform/msm/mhi_dev/mhi.h | 1 + drivers/platform/msm/mhi_dev/mhi_uci.c | 33 +++++++++++++++----------- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/drivers/platform/msm/mhi_dev/mhi.h b/drivers/platform/msm/mhi_dev/mhi.h index 253274b5d9e6c..775c2690f2e07 100644 --- a/drivers/platform/msm/mhi_dev/mhi.h +++ b/drivers/platform/msm/mhi_dev/mhi.h @@ -267,6 +267,7 @@ struct mhi_config { #define MHI_ENV_VALUE 2 #define MHI_MASK_ROWS_CH_EV_DB 4 #define TRB_MAX_DATA_SIZE 8192 +#define TRB_MAX_DATA_SIZE_16K 16384 #define MHI_CTRL_STATE 100 /* maximum transfer completion events buffer */ diff --git a/drivers/platform/msm/mhi_dev/mhi_uci.c b/drivers/platform/msm/mhi_dev/mhi_uci.c index 222c71854d3b6..8aca45f6957c5 100644 --- a/drivers/platform/msm/mhi_dev/mhi_uci.c +++ b/drivers/platform/msm/mhi_dev/mhi_uci.c @@ -173,7 +173,7 @@ static const struct chan_attr mhi_chan_attr_table[] = { }, { MHI_CLIENT_DIAG_OUT, - TRB_MAX_DATA_SIZE, + TRB_MAX_DATA_SIZE_16K, MAX_NR_TRBS_PER_CHAN, MHI_DIR_OUT, NULL, @@ -184,7 +184,7 @@ static const struct chan_attr mhi_chan_attr_table[] = { }, { MHI_CLIENT_DIAG_IN, - TRB_MAX_DATA_SIZE, + TRB_MAX_DATA_SIZE_16K, MAX_NR_TRBS_PER_CHAN, MHI_DIR_IN, NULL, 
@@ -629,10 +629,17 @@ static int mhi_uci_send_sync(struct uci_client *uci_handle, struct mhi_req ureq; int ret_val; - uci_log(UCI_DBG_VERBOSE, + uci_log(UCI_DBG_DBG, "Sync write for ch_id:%d size %d\n", uci_handle->out_chan, size); + if (size > TRB_MAX_DATA_SIZE) { + uci_log(UCI_DBG_ERROR, + "Too big write size: %lu, max supported size is %d\n", + size, TRB_MAX_DATA_SIZE); + return -EFBIG; + } + ureq.client = uci_handle->out_handle; ureq.buf = data_loc; ureq.len = size; @@ -945,7 +952,7 @@ static int mhi_uci_read_sync(struct uci_client *uci_handle, int *bytes_avail) struct mhi_req ureq; struct mhi_dev_client *client_handle; - uci_log(UCI_DBG_INFO, + uci_log(UCI_DBG_DBG, "Sync read for ch_id:%d\n", uci_handle->in_chan); client_handle = uci_handle->in_handle; @@ -1484,11 +1491,10 @@ static ssize_t mhi_uci_client_write(struct file *file, return -ENODEV; } - if (count > TRB_MAX_DATA_SIZE) { - uci_log(UCI_DBG_ERROR, - "Too big write size: %lu, max supported size is %d\n", - count, TRB_MAX_DATA_SIZE); - return -EFBIG; + if (count > uci_handle->out_chan_attr->max_packet_size) { + uci_log(UCI_DBG_DBG, + "Warning: big write size: %lu, max supported size is %d\n", + count, uci_handle->out_chan_attr->max_packet_size); } data_loc = kmalloc(count, GFP_KERNEL); @@ -1543,11 +1549,10 @@ static ssize_t mhi_uci_client_write_iter(struct kiocb *iocb, return -ENODEV; } - if (count > TRB_MAX_DATA_SIZE) { - uci_log(UCI_DBG_ERROR, - "Too big write size: %lu, max supported size is %d\n", - count, TRB_MAX_DATA_SIZE); - return -EFBIG; + if (count > uci_handle->out_chan_attr->max_packet_size) { + uci_log(UCI_DBG_DBG, + "Warning: big write size: %lu, max supported size is %d\n", + count, uci_handle->out_chan_attr->max_packet_size); } data_loc = kmalloc(count, GFP_KERNEL); From 65d21518f83ff8bd5b8e2f5ef51f401ca9fae63d Mon Sep 17 00:00:00 2001 
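Review bot: In mhi_uci_send_sync the same `size` is printed with `%d` in the first log call and with `%lu` in the newly added one, so one of the two specifiers does not match the argument's type. The type of `size` is declared outside the hunk; pick the specifier that matches it (`%zu` if it is a `size_t`) and use it in both messages. Callers now also see a new -EFBIG return from the sync path and must release the buffer they allocated for the write; that cannot be confirmed from the hunks shown.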
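Review bot: After this change `count` reaches `kmalloc(count, GFP_KERNEL)` in mhi_uci_client_write with no upper bound at all, because the new block only logs at debug level and falls through. The commit message says the async path supports buffers up to 64k, but nothing here enforces that figure, so a writer to the device node can ask for arbitrarily large kernel allocations. I would keep a hard reject, e.g. `if (count > <async limit, 64k per the commit message>) return -EFBIG;`, and leave the per-channel `max_packet_size` warning as it is. The same applies to the identical hunk in mhi_uci_client_write_iter; both functions start and continue outside their hunks.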
From: Srinivasarao Pathipati Date: Thu, 18 May 2023 14:40:32 +0530 Subject: [PATCH 25/25] cpufreq: schedutil: Fix UAF issue sugov_tunables are getting deleted with kobject release() in 'commit 67c98e023135 ("cpufreq: schedutil: Use kobject release() method to free sugov_tunables")'. So save tunables before freeing. Change-Id: I9df2604210cb071bb907a39cf7fcc1131e4de5f8 Signed-off-by: Srinivasarao Pathipati --- kernel/sched/cpufreq_schedutil.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c index 1cc72eb764a76..9de29b93c046e 100644 --- a/kernel/sched/cpufreq_schedutil.c +++ b/kernel/sched/cpufreq_schedutil.c @@ -1296,12 +1296,14 @@ static void sugov_exit(struct cpufreq_policy *policy) mutex_lock(&global_tunables_lock); + /* Save tunables before last owner release it in gov_attr_set_put() */ + if (tunables->attr_set.usage_count == 1) + sugov_tunables_save(policy, tunables); + count = gov_attr_set_put(&tunables->attr_set, &sg_policy->tunables_hook); policy->governor_data = NULL; - if (!count) { - sugov_tunables_save(policy, tunables); + if (!count) sugov_clear_global_tunables(); - } mutex_unlock(&global_tunables_lock);
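Review bot: The new `tunables->attr_set.usage_count == 1` test in sugov_exit predicts what `gov_attr_set_put()` is about to do by reading its counter from outside. That is only correct if every get and put on this attr_set runs under `global_tunables_lock`, and the added comment does not say so. I would replace it with something like `/* Last user: gov_attr_set_put() below drops the final reference and the kobject release() frees tunables, so save them first. usage_count is stable here because all get/put callers hold global_tunables_lock. */`, once the second sentence has been confirmed against the other callers. The function starts and continues outside the hunk.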