- Dec 17, 2023
-
-
guyang authored
Buffer requirement, for different buffer type, comes from video firmware. While copying these requirements, there is an OOB possibility when the payload from firmware is more than expected size. Fix the check to avoid the OOB possibility.
commit b18e36df ("media: venus: hfi: fix the check to handle session buffer requirement").
Change-Id: I8169c57b2c244c52bac0b4de460b9820707f6ff7
Cc: stable@vger.kernel.org
Fixes: 09c2845e ("[media] media: venus: hfi: add Host Firmware Interface (HFI)")
Reviewed-by: Nathan Hebert <nhebert@chromium.org>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Vikash Garodia <quic_vgarodia@quicinc.com>
Signed-off-by: Guang Yang <quic_guyang@quicinc.com>
(cherry picked from commit 1e0b4cf7)
-
- Sep 28, 2023
-
-
Sanjay Yadav authored
When setting svm region during the gpuobj import ioctl call for a usermem address, there is a possibility of a very large input size causing the region's 64-bit end address to wrap around. This can cause the region to incorrectly be considered valid, ultimately allowing a use after free scenario. To prevent this, detect the occurrence of a wrap and reject the import.
Change-Id: I4a88f56c58b830d4342e47dc1d1f6290c78ab6b4
Signed-off-by: Mohammed Mirza Mandayappurath Manzoor <quic_mmandaya@quicinc.com>
Signed-off-by: Sanjay Yadav <quic_sanjyada@quicinc.com>
(cherry picked from commit 89a22de4)
-
- Sep 27, 2023
-
-
Pratyush Brahma authored
UAF scenario may occur in clients with EL1 privileges for iova mappings when we fail to check the return value of arm_lpae_init_pte, which may lead to a PTE being counted as if it was set even if it already existed. This can cause a dangling IOMMU PTE to be left mapped pointing to a freed object and cause UAF in the client if the dangling PTE is accessed after a failed unmap operation.
Fixes: 27de1978 ("ANDROID: GKI: iommu/io-pgtable-arm: LPAE related updates by vendor")
Change-Id: I674b9b520e705b8f8e63ba20ed76e64cb2fe0f47
Signed-off-by: Pratyush Brahma <quic_pbrahma@quicinc.com>
(cherry picked from commit b0322c86)
-
- Sep 12, 2023
-
-
Vamsi Krishna Gattupalli authored
Added reference count for context map to indicate memory under use in remote call. And, this memory would not be removed in internal unmap to avoid UAF.
Change-Id: Ieb4ff6b298ff9c48953bc5b3539fdfe19a14b442
Acked-by: DEEPAK SANNAPAREDDY <sdeeredd@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
(cherry picked from commit ece60003a987be183596e81b4668fb38ee5f341f)
-
- Sep 09, 2023
-
-
Linux Build Service Account authored
-
- Sep 08, 2023
-
-
Jilai Wang authored
There is a possibility that the network will be used after free. This change is to fix this issue.
Change-Id: Iac85b733119aef8dfc5193984fbb2cdca663568a
Signed-off-by: Jilai Wang <quic_jilaiw@quicinc.com>
(cherry picked from commit 6dc37213)
-
Krishna chaitanya chundru authored
er_ctxt->rp pointer is updated by MDM, which is untrusted to HLOS; it could be an arbitrary value. If there is a security issue on MDM and the updated pointer is not aligned, then the driver will never come out of the loop where it checks against dev_rp != rp. So added a check to make sure it is in the buffer range & aligned to 128bit.
Change-Id: Ib484e07f2c75fcd657a4ccc648a3a20de3edeebc
Signed-off-by: Krishna chaitanya chundru <quic_krichai@quicinc.com>
Signed-off-by: Paras Sharma <quic_parass@quicinc.com>
(cherry picked from commit bbaea4ac)
-
- Jun 14, 2023
-
-
Dheeraj Kumar Chaudhary authored
Replacing scm_io_read/scm_io_write with readl_relaxed/writel_relaxed respectively.
Change-Id: I0f509047d2523a1cb51d999dd8c3eec8ab9fd2f2
Signed-off-by: Dheeraj Kumar Chaudhary <quic_dheech@quicinc.com>
Signed-off-by: Srinivasarao Pathipati <quic_c_spathi@quicinc.com>
-
- Apr 03, 2023
-
-
Akhil P Oommen authored
Postamble packets are executed in privileged mode by gpu. So we should keep them in a privileged scratch buffer to block userspace access. For targets with APRIV feature support, we can mark the preemption scratch buffer as privileged too to avoid similar issues in future.
Change-Id: Ifda360dda251083f38dfde80ce1b5dc83daae902
Signed-off-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
Signed-off-by: Kaushal Sanadhya <quic_ksanadhy@quicinc.com>
-
- Mar 31, 2023
-
-
Linux Build Service Account authored
-
- Mar 30, 2023
-
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
- Mar 29, 2023
-
-
Performance counter values need not be retained across contexts unless specifically requested for debug. Zap the counters by initialising perfcounter SRAM with 0's using GPU_RBBM_PERFCTR_SRAM_INIT_CMD. Add pm4 packets during context switches and add a KMD postamble packet to clear the counters during preemption. Do not enable perfcounter save and restore unless requested.
Change-Id: I371779ce659c07a1cc664327f5ecdcf0374201d8
Signed-off-by: Mohammed Mirza Mandayappurath Manzoor <quic_mmandaya@quicinc.com>
Signed-off-by: Pranav Patel <quic_pranavp@quicinc.com>
Signed-off-by: Sebanti Das <quic_sebadas@quicinc.com>
-
Currently performance counters are global and can be read by anyone. Change the behaviour to disable reading global counters as default and add a sysfs node to enable/disable reads.
Change-Id: Ic3785acd9bd7425c2a844ed103d7b870d9f80adf
Signed-off-by: Mohammed Mirza Mandayappurath Manzoor <quic_mmandaya@quicinc.com>
Signed-off-by: Pranav Patel <quic_pranavp@quicinc.com>
Signed-off-by: Sebanti Das <quic_sebadas@quicinc.com>
-
Abhishek Barman authored
Currently gpuaddr_in_range() accepts only the gpuaddr & returns true if it lies in valid range. But this does not mean that the entire buffer is within range. Modify the function to accept size as a parameter and check that both starting & ending points of buffer lie within mmu range.
Change-Id: I5b0d021de7e59ffb6aec2ea77ae5c0e72872b3a1
Signed-off-by: Abhishek Barman <quic_abarman@quicinc.com>
-
Puranam V G Tejaswi authored
Currently we don't ensure if vma->vm_file is associated with dma_buf. This can cause issues later when private_data from a non dma_buf file is used as dma_buf structure. Hence get the fd that is associated with vma->vm_file and use dma_buf_get() to get pointer to dma_buf structure. dma_buf_get() ensures that the file from the input fd is associated with dma_buf.
Change-Id: Ib78aef8b16bedca5ca86d3a132278ff9f07dce73
Signed-off-by: Puranam V G Tejaswi <quic_pvgtejas@quicinc.com>
-
- Mar 28, 2023
-
-
Linux Build Service Account authored
-
Kamal Agrawal authored
Before putting a page back in the pool be sure that it doesn't have any additional references that would be a signal that somebody else is looking at the page and that it would be a bad idea to keep it around and run the risk of accidentally handing it to a different process.
Change-Id: Ic0dedbad0cf2ffb34b76ad23e393c5a911114b82
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Kamal Agrawal <quic_kamaagra@quicinc.com>
-
Abhishek Barman authored
Get the dma_buf handle directly from 'vm_file' after doing necessary checks on the file.
Change-Id: Id5eec16588d64e4e28483b32bb52d4d3d9b86b99
Signed-off-by: ravnar <quic_ravnar@quicinc.com>
Signed-off-by: Sanjay Yadav <quic_sanjyada@quicinc.com>
Signed-off-by: Abhishek Barman <quic_abarman@quicinc.com>
-
- Mar 27, 2023
-
-
Linux Build Service Account authored
-
Jilai Wang authored
Remove asynchronous network execution related code since it's not used.
Change-Id: I0b693ae4729e8ce20f74eb2776ae425b36ac4930
Signed-off-by: Jilai Wang <quic_jilaiw@quicinc.com>
-
Sarannya S authored
Add bounds check on values read from shared memory in the tx path. In cases where the VM is misbehaving, the qrtr transport should exit and print a warning when bogus values may cause out of bounds to be read.
Change-Id: Ic4bdb838ea7f72703327020ec31db2f4150b3474
Signed-off-by: Sarannya S <quic_sarannya@quicinc.com>
-
- Mar 24, 2023
-
-
Jilai Wang authored
Remove asynchronous network execution related code since it's not used.
Change-Id: I8332b7a24d8cb89df50ea1a20e4a0f6120289ba6
Signed-off-by: Jilai Wang <quic_jilaiw@quicinc.com>
-
- Dec 07, 2021
-
-
Linux Build Service Account authored
-
Sujit Das authored
Return success for STREAM_OFF apply setting if failed for hot-plug camera
Change-Id: I4ced5382d0bf33dcebadb4bf020cef92239bd692
Signed-off-by: Sujit Das <sujitd@codeaurora.org>
-
Nagireddy Annem authored
Restrict secure Apps's size reduction to Qcs610 2GB DDR variant only.
Change-Id: Ieb67cb31a8b887f96951e90c4ff80d555909a2a0
Signed-off-by: Nagireddy Annem <quic_nannem@quicinc.com>
Signed-off-by: Sandeepkumar Yenugula <quic_syenugul@quicinc.com>
-
- Nov 26, 2021
-
-
Linux Build Service Account authored
Change-Id: I1ee0fae84983a71052fa164da59a9bf9b88dc2cb
-
- Nov 19, 2021
-
-
qctecmdr authored
-
- Nov 18, 2021
-
-
Anmolpreet Kaur authored
Copy the entire userspace request buffer to local kernel buffer and use that to send to TZ. Update the response received in the local buffer to the actual userspace buffer after the request is complete.
Change-Id: I673d74a32966816c5248778fc967eb91da5b6df5
Signed-off-by: Anmolpreet Kaur <anmolpre@codeaurora.org>
-
Arun Prakash authored
Object 'qdev' dereferenced after being freed by calling kfree() in qcom_ethernet_qrtr_probe() API. Dereference the 'qdev' object first to copy the return value to local variable before releasing the object.
Change-Id: I0d33bf8462ed194bc90d79a27be2f4c170e99148
Signed-off-by: Arun Prakash <app@codeaurora.org>
-
qctecmdr authored
-
- Nov 17, 2021
-
-
qctecmdr authored
-
Sujit Das authored
Return success for STREAM_OFF apply setting if failed for hot-plug camera
Change-Id: I4ced5382d0bf33dcebadb4bf020cef92239bd692
Signed-off-by: Sujit Das <sujitd@codeaurora.org>
-
Jenson Kang authored
Add feature that supports SET_REPORT command through EP0. Since lots of Windows applications send SET_REPORT message through EP0 while Linux and other Unix machines send it through OUT_EP, this change handles SET_REPORT command from EP0.
Change-Id: Ib5e11f2063bdbfeacf8a3f9ccc65137159d40e43
Signed-off-by: Jenson Kang <jensonk@codeaurora.org>
-
- Nov 16, 2021
- Nov 15, 2021
-
-
Gopala Krishna Nuthaki authored
Change a variable type in QMI encode logic to avoid buffer overflow scenario.
Change-Id: I11b10cce0e9ab5b02738b2ba13e637df979e9310
Signed-off-by: Gopala Krishna Nuthaki <gnuthaki@codeaurora.org>
-
Arun Prakash authored
Add decode buffer size sanity check before allocating memory for decoded buffer. There is a chance that qmi will call buffer allocation API with buffer size as zero if qmi client sets decoded buffer size as zero, which will result in page allocation failure.
Change-Id: Ie6351d6ed40301379709e944bb92ccdd2d10b171
Signed-off-by: Arun Prakash <app@codeaurora.org>
-
- Nov 11, 2021
-
-
qctecmdr authored
-