Buffer requirement, for different buffer type, comes from video firmware.
While copying these requirements, there is an OOB possibility when the
payload from firmware is more than expected size. Fix the check to avoid
the OOB possibility.

commit b18e36df ("media: venus: hfi: fix the check to handle session
buffer requirement").

Change-Id: I8169c57b2c244c52bac0b4de460b9820707f6ff7
Cc: stable@vger.kernel.org
Fixes: 09c2845e

 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
Reviewed-by: Nathan Hebert <nhebert@chromium.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Guang Yang <quic_guyang@quicinc.com>
(cherry picked from commit 1e0b4cf7)

When setting svm region during the gpuobj import ioctl call for a usermem
address, there is a possibility of a very large input size causing the
region's 64-bit end address to wrap around. This can cause the region
to incorrectly be considered valid, ultimately allowing a use after free
scenario. To prevent this, detect the occurrence of a wrap and reject the
import.

Change-Id: I4a88f56c58b830d4342e47dc1d1f6290c78ab6b4
Signed-off-by: Mohammed Mirza Mandayappurath Manzoor <quic_mmandaya@quicinc.com>
Signed-off-by: Sanjay Yadav <quic_sanjyada@quicinc.com>
(cherry picked from commit 89a22de4)

UAF scenario may occur in clients with EL1 privileges for
iova mappings when we miss to check the return value of
arm_lpae_init_pte which may lead to an PTE be counted as
it was set even if it was already existing. This can cause a
dangling IOMMU PTE to be left mapped pointing to a
freed object and cause UAF in the client if the dangling PTE
is accessed after a failed unmap operation.

Fixes: 27de1978

 ("ANDROID: GKI: iommu/io-pgtable-arm: LPAE related updates by vendor")
Change-Id: I674b9b520e705b8f8e63ba20ed76e64cb2fe0f47
Signed-off-by: Pratyush Brahma <quic_pbrahma@quicinc.com>
(cherry picked from commit b0322c86)

Added reference count for contex map indicate memory under used
in remote call. And, this memory would not removed in internal
unmap to avoid UAF.

Change-Id: Ieb4ff6b298ff9c48953bc5b3539fdfe19a14b442
Acked-by: DEEPAK SANNAPAREDDY <sdeeredd@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
(cherry picked from commit ece60003a987be183596e81b4668fb38ee5f341f)

There is possibility that network will be used after free.
This change is to fix this issue.

Change-Id: Iac85b733119aef8dfc5193984fbb2cdca663568a
Signed-off-by: Jilai Wang <quic_jilaiw@quicinc.com>
(cherry picked from commit 6dc37213)

er_ctxt->rp pointer is updated by MDM which is untrusted to HLOS,
it could be arbitrary value.

If there is security issue on MDM, and updated pointer which is not
align then driver will never come out of loop where checking against
dev_rp != rp.

So added check to make sure it is in the buffer range & aligned to 128bit.

Change-Id: Ib484e07f2c75fcd657a4ccc648a3a20de3edeebc
Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
Signed-off-by: Paras Sharma <quic_parass@quicinc.com>
(cherry picked from commit bbaea4ac)

Replacing scm_io_read/scm_io_write with readl_relaxed/writel_relaxed
respectively.

Change-Id: I0f509047d2523a1cb51d999dd8c3eec8ab9fd2f2
Signed-off-by: Dheeraj Kumar Chaudhary <quic_dheech@quicinc.com>
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>

Postamble packets are executed in privileged mode by gpu. So we should keep
them in a privileged scratch buffer to block userspace access. For
targets with APRIV feature support, we can mark the preemption scratch
buffer as privileged too to avoid similar issues in future.

Change-Id: Ifda360dda251083f38dfde80ce1b5dc83daae902
Signed-off-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
Signed-off-by: Kaushal Sanadhya <quic_ksanadhy@quicinc.com>

Performance counter values need not be retained across contexts unless
specifically requested for debug. Zap the counters by initialising
perfcounter SRAM with 0's using GPU_RBBM_PERFCTR_SRAM_INIT_CMD.

Add pm4 packets during context switches and add a KMD postamble packet to
clear the counters during preemption. Do not enable perfcounter save and
restore unless requested.

Change-Id: I371779ce659c07a1cc664327f5ecdcf0374201d8
Signed-off-by: Mohammed Mirza Mandayappurath Manzoor <quic_mmandaya@quicinc.com>
Signed-off-by: Pranav Patel <quic_pranavp@quicinc.com>
Signed-off-by: Sebanti Das <quic_sebadas@quicinc.com>

Currently performance counters are global and can be read by anyone. Change
the behaviour to disable reading global counters as default and add a sysfs
node to enable/disable reads.

Change-Id: Ic3785acd9bd7425c2a844ed103d7b870d9f80adf
Signed-off-by: Mohammed Mirza Mandayappurath Manzoor <quic_mmandaya@quicinc.com>
Signed-off-by: Pranav Patel <quic_pranavp@quicinc.com>
Signed-off-by: Sebanti Das <quic_sebadas@quicinc.com>

Currently gpuaddr_in_range() accepts only the gpuaddr & returns
true if it lies in valid range. But this does not mean that the
entire buffer is within range.
Modify the function to accept size as a parameter and check that
both starting & ending points of buffer lie within mmu range.

Change-Id: I5b0d021de7e59ffb6aec2ea77ae5c0e72872b3a1
Signed-off-by: Abhishek Barman <quic_abarman@quicinc.com>

Currently we don't ensure if vma->vm_file is associated with dma_buf. This
can cause issues later when private_data from a non dma_buf file is used as
dma_buf structure. Hence get the fd that is associated with vma->vm_file
and use dma_buf_get() to get pointer to dma_buf structure. dma_buf_get()
ensures that the file from the input fd is associated with dma_buf.

Change-Id: Ib78aef8b16bedca5ca86d3a132278ff9f07dce73
Signed-off-by: Puranam V G Tejaswi <quic_pvgtejas@quicinc.com>

Before putting a page back in the pool be sure that it doesn't have
any additional references that would be a signal that somebody else
is looking at the page and that it would be a bad idea to keep it
around and run the risk of accidentally handing it to a different
process.

Change-Id: Ic0dedbad0cf2ffb34b76ad23e393c5a911114b82
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Kamal Agrawal <quic_kamaagra@quicinc.com>

Get the dma_buf handle directly from 'vm_file' after
doing necessary checks on the file.

Change-Id: Id5eec16588d64e4e28483b32bb52d4d3d9b86b99
Signed-off-by: ravnar <quic_ravnar@quicinc.com>
Signed-off-by: Sanjay Yadav <quic_sanjyada@quicinc.com>
Signed-off-by: Abhishek Barman <quic_abarman@quicinc.com>

Remove asynchronous network execution related code since it's
not used.

Change-Id: I0b693ae4729e8ce20f74eb2776ae425b36ac4930
Signed-off-by: Jilai Wang <quic_jilaiw@quicinc.com>

Add bounds check on values read from shared memory in the tx path. In
cases where the VM is misbehaving, the qrtr transport should exit and
print a warning when bogus values may cause out of bounds to be read.

Change-Id: Ic4bdb838ea7f72703327020ec31db2f4150b3474
Signed-off-by: Sarannya S <quic_sarannya@quicinc.com>

Remove asynchronous network execution related code since it's
not used.

Change-Id: I8332b7a24d8cb89df50ea1a20e4a0f6120289ba6
Signed-off-by: Jilai Wang <quic_jilaiw@quicinc.com>

Return successs for STREAM_OFF apply setting if failed for hot-plug camera

Change-Id: I4ced5382d0bf33dcebadb4bf020cef92239bd692
Signed-off-by: Sujit Das <sujitd@codeaurora.org>

Restrict secure Apps's size reduction to Qcs610 2GB DDR varinat only.

Change-Id: Ieb67cb31a8b887f96951e90c4ff80d555909a2a0
Signed-off-by: Nagireddy Annem <quic_nannem@quicinc.com>
Signed-off-by: Sandeepkumar Yenugula <quic_syenugul@quicinc.com>

Change-Id: I1ee0fae84983a71052fa164da59a9bf9b88dc2cb

Copy the entire userspace request buffer to local kernel
buffer and use that to send to TZ. Update the response
received in the local buffer to the actual userspace buffer
after the request is complete.

Change-Id: I673d74a32966816c5248778fc967eb91da5b6df5
Signed-off-by: Anmolpreet Kaur <anmolpre@codeaurora.org>

Object 'qdev' deferenced after being freed by calling kfree()
in qcom_ethernet_qrtr_probe() API.

Dereference the 'qdev' object first to copy the return value to
local variable before releasing the object.

Change-Id: I0d33bf8462ed194bc90d79a27be2f4c170e99148
Signed-off-by: Arun Prakash <app@codeaurora.org>

Return successs for STREAM_OFF apply setting if failed for hot-plug camera

Change-Id: I4ced5382d0bf33dcebadb4bf020cef92239bd692
Signed-off-by: Sujit Das <sujitd@codeaurora.org>

add feature that supports SET_REPORT command through EP0.  Since
lots of Windows application sends SET_REPORT message through EP0
while Linux and other Unix machine sends it through OUT_EP, this
change handles SET_REPORT command from EP0.

Change-Id: Ib5e11f2063bdbfeacf8a3f9ccc65137159d40e43
Signed-off-by: Jenson Kang <jensonk@codeaurora.org>

Change a variable type in QMI encode logic to avoid
buffer overflow scenario.

Change-Id: I11b10cce0e9ab5b02738b2ba13e637df979e9310
Signed-off-by: Gopala Krishna Nuthaki <gnuthaki@codeaurora.org>

Add decode buffer size sanity check before allocating memory for
decoded buffer. There is chance that qmi will call buffer allocation
API with buffer size as zero if qmi client set decoded buffer size
as zero. Which will result page allocation failure.

Change-Id: Ie6351d6ed40301379709e944bb92ccdd2d10b171
Signed-off-by: Arun Prakash <app@codeaurora.org>