Unverified Commit 9829e33b authored Aug 25, 2023 by Michael Bestas

Merge remote-tracking branch 'sm8250/lineage-20' into lineage-20

* sm8250/lineage-20:
  Revert "mm: change max readahead size to 512KB"
  ASoC: msm-pcm-host-voice: Check validity of session idx
  dsp: q6lsm: Address use after free for mmap handle
  dsp: q6lsm: Add check for payload buffer
  ASoC: Resolve use after free in listen sound client
  msm: kgsl: Defer drawobj_sync_timeline_fence_work() to a workqueue
  ASoC: dsp: q6core: Avoid use after free
  ASoC: msm-pcm-q6-v2: Add dsp buf check
  ASoC: dsp: q6core: Avoid use after free
  ASoC: msm-pcm-host-voice: Address buffer overflow in hpcm copy
  bus: mhi: misc: Add check for dev_rp if it is iommu range or not
  msm: kgsl: Defer drawobj_sync_timeline_fence_work() to a workqueue
  soc: qcom: minidump: check the size parameter passed to qcom_smem_get()
  msm: camera: mem_mgr: release buffers after usage
  msm: camera: mem_mgr: release buffers after usage
  exfat: add necessary header for vmalloc
  exfat: release s_lock before calling dir_emit()
  exfat: check if filename entries exceeds max filename length
  exfat: github action: make space for running xfstests
  exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree
  exfat: splice: Use filemap_splice_read() instead of generic_file_splice_read()
  exfat: fs: build the legacy direct I/O code conditionally
  exfat: fs: port ->rename() to pass mnt_idmap
  exfat: fs: port ->mkdir() to pass mnt_idmap
  exfat: fs: port ->create() to pass mnt_idmap
  exfat: fs: port ->getattr() to pass mnt_idmap
  exfat: fs: port ->setattr() to pass mnt_idmap
  exfat: fix the newly allocated clusters are not freed in error handling
  exfat: don't print error log in normal case
  exfat: remove unneeded code from exfat_alloc_cluster()
  exfat: remove ->writepage
  ASoC: msm-pcm-q6-v2: Add dsp buf check
  msm: camera: sensor: Add changes to prevent unmap buffers
  msm: camera: mem_mgr: Add refcount to track in use buffers
  fw-api: CL 23575205 - update fw common interface files
  msm: camera: sensor: Add changes to prevent unmap buffers
  fw-api: CL 23566455 - update fw common interface files
  msm: npu: Fix use after free issue
  fw-api: CL 23557966 - update fw common interface files
  fw-api: CL 23542073 - update fw common interface files
  fw-api: CL 23529709 - update fw common interface files
  fw-api: CL 23523211 - update fw common interface files
  fw-api: CL 23520891 - update fw common interface files
  fw-api: CL 23507997 - update fw common interface files
  fw-api: CL 23504182 - update fw common interface files
  fw-api: Changes in monitor headers to support Big endian
  msm: camera: mem_mgr: Add refcount to track in use buffers
  dsp: q6core: Avoid OOB access in q6core
  ASoC: msm-pcm-host-voice: Handle OOB access in hpcm_start
  dsp: afe: Add check for num_channels
  dsp: asm: validate payload size before access
  dsp: afe: Add check for sidetone iir config copy size
  dsp: q6voice: Add buf size check for cvs cal data
  UPSTREAM: security: selinux: allow per-file labeling for bpffs
  fw-api: CL 23485853 - update fw common interface files
  fw-api: CL 23485848 - update fw common interface files
  dsp: Added fix to resolve compilation error
  fw-api: CL 23467477 - update fw common interface files
  fw-api: CL 23459857 - update fw common interface files
  fw-api: CL 23459166 - update fw common interface files
  dsp: q6voice: added fix to resolve Lookahead error
  ASoC: msm-pcm-host-voice: Handle OOB access in hpcm_start
  msm: camera: core: validation of session/device/link handle
  msm: camera: cci: Fix some cci stability issues
  msm: ipa3: fix pointer arithmetic to avoid out-of-bound
  msm: camera: core: validation of session/device/link handle
  fw-api: CL 23441442 - update fw common interface files
  fw-api: CL 23420522 - update fw common interface files
  dsp: q6core: Avoid OOB access in q6core
  dsp: q6voice: Add buf size check for cvs cal data
  dsp: afe: Add check for num_channels
  dsp: afe: Add check for sidetone iir config copy size
  ASoC: msm-pcm-voip: Avoid interger underflow
  fw-api: CL 23329795 - update fw common interface files
  fw-api: CL 23307781 - update fw common interface files
  fw-api: CL 23242420 - update fw common interface files
  fw-api: CL 23191762 - update fw common interface files
  fw-api: CL 23190594 - update fw common interface files
  fw-api: CL 23178089 - update fw common interface files
  fw-api: CL 23138893 - update fw common interface files
  fw-api: CL 23101916 - update fw common interface files
  msm: ADSPRPC: Add subsystem states for restart, up and down
  Release 5.2.022.12A
  qcacld-3.0: Fix OOB in wma_scan_roam.c
  ASoC: msm-pcm-host-voice: Address buffer overflow in hpcm copy
  ASoC: msm-pcm-voip: Avoid interger underflow
  dsp: afe: check for param size before copying
  dsp: q6core: validate payload size before access for AVCS
  Release 5.2.022.12
  dsp: asm: validate payload size before access
  dsp: q6core: validate payload size before access for AVCS
  dsp:  afe: check for param size before copying
  asoc: Compilation fix for SDLLVM toolchain 16.0
  msm: camera: cci: Move load report cmd in lock context
  msm: camera: cci: Add report id in report command for CCI I2C queue
  fw-api: Add evm info headers for qcn9224
  fw-api: CL 22994196 - update fw common interface files
  fw-api: CL 22946448 - update fw common interface files
  fw-api: CL 22928086 - update fw common interface files
  fw-api: CL 22895719 - update fw common interface files
  fw-api: CL 22882405 - update fw common interface files
  fw-api: CL 22860575 - update fw common interface files
  fw-api: CL 22845599 - update fw common interface files
  fw-api: CL 22832398 - update fw common interface files
  fw-api: CL 22832353 - update fw common interface files
  fw-api: CL 22808446 - update fw common interface files
  fw-api: CL 22808430 - update fw common interface files
  qcacld-3.0: Don't start vdev trans if vdev ops is pending
  msm: kgsl: Fix buffer overflow while capturing memory entries
  fw-api: CL 22791601 - update fw common interface files
  fw-api: CL 22788805 - update fw common interface files
  fw-api: CL 22765461 - update fw common interface files
  fw-api: CL 22691990 - update fw common interface files
  fw-api: CL 22674286 - update fw common interface files
  fw-api: CL 22650243 - update fw common interface files
  fw-api: CL 22641645 - update fw common interface files
  fw-api: CL 22630619 - update fw common interface files
  Revert "fw-api: Add evm info headers for qcn9224"
  fw-api: Add qcnn6432 target header files to fw-api project
  fw-api: CL 22585871 - update fw common interface files
  fw-api: CL 22585869 - update fw common interface files
  fw-api: CL 22545098 - update fw common interface files
  fw-api: CL 22522091 - update fw common interface files
  fw-api: CL 22520756 - update fw common interface files
  fw-api: CL 22520752 - update fw common interface files
  fw-api: kiwi_v2: Hardware files required for TxMon
  fw-api: Add evm info headers for qcn9224
  fw-api: CL 22455643 - update fw common interface files
  fw-api: CL 22445623 - update fw common interface files
  fw-api: CL 22436998 - update fw common interface files
  fw-api: CL 22399292 - update fw common interface files
  fw-api: CL 22378824 - update fw common interface files
  fw-api: CL 22373448 - update fw common interface files
  fw-api: CL 22354304 - update fw common interface files
  fw-api: CL 22350054 - update fw common interface files
  fw-api: CL 22339714 - update fw common interface files
  fw-api: CL 22334073 - update fw common interface files
  fw-api: CL 22317292 - update fw common interface files
  fw-api: CL 22315999 - update fw common interface files
  fw-api: CL 22299540 - update fw common interface files
  fw-api: CL 22294819 - update fw common interface files
  fw-api: CL 22275520 - update fw common interface files
  Release 5.2.022.11Z
  qcacld-3.0: Move SAP to STA channel during SAP start
  fw-api: CL 22219624 - update fw common interface files
  fw-api: CL 22219619 - update fw common interface files
  asoc: routing: add PRI_TDM path as echo reference data
  Release 5.2.022.11Y
  qcacld-3.0: acquire lock before update connection list
  Release 5.2.022.11X
  qcacld-3.0: Add dfs channel to ACS chan selection list
  qcacmn: check bssid hint for OWE transition mode
  qcacmn: Fix possible OOB write in extract_time_sync_ftm_offset_event_tlv
  dsp: add lock in ion free to avoid use after free
  Release 5.2.022.11W
  qcacld-3.0: Use freq hint in scan for ssid
  qcacld-3.0: Increase the scan database size to 500 from 300
  Release 5.2.022.11V
  qcacld-3.0: Peer may not be present if NDP confirm fails
  Release 5.2.022.11U
  exfat: handle unreconized benign secondary entries
  qcacld-3.0: Add check to avoid potential OOB access for bssid_list
  exfat: fix inode->i_blocks for non-512 byte sector size device
  exfat: redefine DIR_DELETED as the bad cluster number
  exfat: fix reporting fs error when reading dir beyond EOF
  exfat: fix unexpected EOF while reading dir
  exfat: reuse exfat_find_location() to simplify exfat_get_dentry_set()
  exfat: fix overflow in sector and cluster conversion
  exfat: remove i_size_write() from __exfat_truncate()
  exfat: remove argument 'size' from exfat_truncate()
  exfat: remove unnecessary arguments from exfat_find_dir_entry()
  exfat: remove unneeded codes from __exfat_rename()
  exfat: remove call ilog2() from exfat_readdir()
  exfat: remove generic/286
  exfat: fix python package installation failure
  exfat: github actions: add apt-get update command
  exfat: treewide: use get_random_u32() when possible
  exfat: replace magic numbers with Macros
  exfat: rename exfat_free_dentry_set() to exfat_put_dentry_set()
  exfat: move exfat_entry_set_cache from heap to stack
  exfat: support dynamic allocate bh for exfat_entry_set_cache
  exfat: reduce the size of exfat_entry_set_cache
  exfat: add SECTOR_SIZE macro
  exfat: hint the empty entry which at the end of cluster chain
  exfat: simplify empty entry hint
  exfat: add auto-test using github action
  exfat: remove travis-CI test

Change-Id: I647b5fb65462a3aa6c6918f4640096eba6d24fb1

parents ecee3aaa ea9e1e00

drivers/bus/mhi/core/mhi_internal.h

+6 −0

Original line number	Diff line number	Diff line
		@@ -808,6 +808,12 @@ static inline void mhi_trigger_resume(struct mhi_controller *mhi_cntrl)
		pm_wakeup_hard_event(&mhi_cntrl->mhi_dev->dev);
		}

		static inline bool is_valid_ring_ptr(struct mhi_ring *ring, dma_addr_t addr)
		{
		return ((addr >= ring->iommu_base &&
		addr < ring->iommu_base + ring->len) && (addr % 16 == 0));
		}

		/* queue transfer buffer */
		int mhi_gen_tre(struct mhi_controller mhi_cntrl, struct mhi_chan mhi_chan,
		void buf, void cb, size_t buf_len, enum MHI_FLAGS flags);

drivers/bus/mhi/core/mhi_main.c

+15 −1

Original line number	Diff line number	Diff line
		@@ -1385,6 +1385,13 @@ int mhi_process_tsync_ev_ring(struct mhi_controller *mhi_cntrl,
		int ret = 0;

		spin_lock_bh(&mhi_event->lock);
		if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) {
		MHI_ERR(
		"Event ring rp points outside of the event ring or unalign rp %llx\n",
		er_ctxt->rp);
		spin_unlock_bh(&mhi_event->lock);
		return 0;
		}
		dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
		if (ev_ring->rp == dev_rp) {
		spin_unlock_bh(&mhi_event->lock);
		@@ -1477,8 +1484,15 @@ int mhi_process_bw_scale_ev_ring(struct mhi_controller *mhi_cntrl,
		int result, ret = 0;

		spin_lock_bh(&mhi_event->lock);
		dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
		if (!is_valid_ring_ptr(ev_ring, er_ctxt->rp)) {
		MHI_ERR(
		"Event ring rp points outside of the event ring or unalign rp %llx\n",
		er_ctxt->rp);
		spin_unlock_bh(&mhi_event->lock);
		return 0;
		}

		dev_rp = mhi_to_virtual(ev_ring, er_ctxt->rp);
		if (ev_ring->rp == dev_rp) {
		spin_unlock_bh(&mhi_event->lock);
		goto exit_bw_scale_process;

drivers/char/adsprpc.c

+20 −11

Original line number	Diff line number	Diff line
		@@ -144,6 +144,13 @@
		#define INIT_MEMLEN_MAX (810241024)
		#define MAX_CACHE_BUF_SIZE (810241024)

		/* FastRPC remote subsystem state*/
		enum fastrpc_remote_subsys_state {
		SUBSYSTEM_RESTARTING = 0,
		SUBSYSTEM_DOWN,
		SUBSYSTEM_UP,
		};

		#define PERF_END (void)0

		#define PERF(enb, cnt, ff) \
		@@ -349,7 +356,7 @@ struct fastrpc_channel_ctx {
		uint64_t ssrcount;
		void *handle;
		uint64_t prevssrcount;
		int issubsystemup;
		int subsystemstate;
		int vmid;
		struct secure_vm rhvm;
		int ramdumpenabled;
		@@ -2936,7 +2943,7 @@ static int fastrpc_get_info_from_dsp(struct fastrpc_file *fl,
		case ADSP_DOMAIN_ID:
		case SDSP_DOMAIN_ID:
		case CDSP_DOMAIN_ID:
		if (me->channel[domain].issubsystemup)
		if (me->channel[domain].subsystemstate == SUBSYSTEM_UP)
		dsp_support = 1;
		break;
		case MDSP_DOMAIN_ID:
		@@ -3060,7 +3067,8 @@ static int fastrpc_release_current_dsp_process(struct fastrpc_file *fl)
		VERIFY(err, fl->apps->channel[cid].rpdev != NULL);
		if (err)
		goto bail;
		VERIFY(err, fl->apps->channel[cid].issubsystemup == 1);
		VERIFY(err, fl->apps->channel[cid].subsystemstate !=
		SUBSYSTEM_RESTARTING);
		if (err) {
		wait_for_completion(&fl->shutdown);
		goto bail;
		@@ -3926,8 +3934,8 @@ static ssize_t fastrpc_debugfs_read(struct file filp, char __user buffer,
		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
		"\n%s %s %s\n", title, " CHANNEL INFO ", title);
		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
		"%-7s\|%-10s\|%-14s\|%-9s\|%-13s\n",
		"subsys", "sesscount", "issubsystemup",
		"%-7s\|%-10s\|%-15s\|%-9s\|%-13s\n",
		"subsys", "sesscount", "subsystemstate",
		"ssrcount", "session_used");
		len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
		"-%s%s%s%s-\n", single_line, single_line,
		@@ -3941,8 +3949,8 @@ static ssize_t fastrpc_debugfs_read(struct file filp, char __user buffer,
		DEBUGFS_SIZE - len, "\|%-10u",
		chan->sesscount);
		len += scnprintf(fileinfo + len,
		DEBUGFS_SIZE - len, "\|%-14d",
		chan->issubsystemup);
		DEBUGFS_SIZE - len, "\|%-15d",
		chan->subsystemstate);
		len += scnprintf(fileinfo + len,
		DEBUGFS_SIZE - len, "\|%-9u",
		chan->ssrcount);
		@@ -4163,7 +4171,7 @@ static int fastrpc_channel_open(struct fastrpc_file *fl)
		mutex_lock(&me->channel[cid].smd_mutex);
		if (me->channel[cid].ssrcount !=
		me->channel[cid].prevssrcount) {
		if (!me->channel[cid].issubsystemup) {
		if (me->channel[cid].subsystemstate != SUBSYSTEM_UP) {
		err = -ENOTCONN;
		mutex_unlock(&me->channel[cid].smd_mutex);
		goto bail;
		@@ -4778,7 +4786,7 @@ static int fastrpc_restart_notifier_cb(struct notifier_block *nb,
		__func__, gcinfo[cid].subsys);
		mutex_lock(&me->channel[cid].smd_mutex);
		ctx->ssrcount++;
		ctx->issubsystemup = 0;
		ctx->subsystemstate = SUBSYSTEM_RESTARTING;
		mutex_unlock(&me->channel[cid].smd_mutex);
		} else if (code == SUBSYS_AFTER_SHUTDOWN) {
		pr_info("adsprpc: %s: %s subsystem is down\n",
		@@ -4790,6 +4798,7 @@ static int fastrpc_restart_notifier_cb(struct notifier_block *nb,
		complete(&fl->shutdown);
		}
		spin_unlock(&me->hlock);
		ctx->subsystemstate = SUBSYSTEM_DOWN;
		} else if (code == SUBSYS_RAMDUMP_NOTIFICATION) {
		if (cid == RH_CID) {
		if (me->ramdump_handle)
		@@ -4808,7 +4817,7 @@ static int fastrpc_restart_notifier_cb(struct notifier_block *nb,
		} else if (code == SUBSYS_AFTER_POWERUP) {
		pr_info("adsprpc: %s: %s subsystem is up\n",
		__func__, gcinfo[cid].subsys);
		ctx->issubsystemup = 1;
		ctx->subsystemstate = SUBSYSTEM_UP;
		}
		return NOTIFY_DONE;
		}
		@@ -5481,7 +5490,7 @@ static int __init fastrpc_device_init(void)
		me->channel[i].dev = dev;
		me->channel[i].ssrcount = 0;
		me->channel[i].prevssrcount = 0;
		me->channel[i].issubsystemup = 1;
		me->channel[i].subsystemstate = SUBSYSTEM_UP;
		me->channel[i].ramdumpenabled = 0;
		me->channel[i].rh_dump_dev = NULL;
		me->channel[i].nb.notifier_call = fastrpc_restart_notifier_cb;

drivers/gpu/msm/adreno_snapshot.c

+10 −17

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
		* Copyright (c) 2023 Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		#include <linux/msm-bus.h>
		@@ -502,28 +503,15 @@ struct mem_entry {
		unsigned int type;
		} __packed;

		static int _save_mem_entries(int id, void ptr, void data)
		{
		struct kgsl_mem_entry *entry = ptr;
		struct mem_entry m = (struct mem_entry ) data;
		unsigned int index = id - 1;

		m[index].gpuaddr = entry->memdesc.gpuaddr;
		m[index].size = entry->memdesc.size;
		m[index].type = kgsl_memdesc_get_memtype(&entry->memdesc);

		return 0;
		}

		static size_t snapshot_capture_mem_list(struct kgsl_device *device,
		u8 buf, size_t remain, void priv)
		{
		struct kgsl_snapshot_mem_list_v2 *header =
		(struct kgsl_snapshot_mem_list_v2 *)buf;
		int num_mem = 0;
		int ret = 0;
		unsigned int data = (unsigned int )(buf + sizeof(*header));
		int id, index = 0, ret = 0, num_mem = 0;
		struct kgsl_process_private *process = priv;
		struct mem_entry m = (struct mem_entry )(buf + sizeof(*header));
		struct kgsl_mem_entry *entry;

		/* we need a process to search! */
		if (process == NULL)
		@@ -550,7 +538,12 @@ static size_t snapshot_capture_mem_list(struct kgsl_device *device,
		* Walk through the memory list and store the
		* tuples(gpuaddr, size, memtype) in snapshot
		*/
		idr_for_each(&process->mem_idr, _save_mem_entries, data);
		idr_for_each_entry(&process->mem_idr, entry, id) {
		m[index].gpuaddr = entry->memdesc.gpuaddr;
		m[index].size = entry->memdesc.size;
		m[index].type = kgsl_memdesc_get_memtype(&entry->memdesc);
		index++;
		}

		ret = sizeof(header) + (num_mem sizeof(struct mem_entry));
		out:

drivers/gpu/msm/kgsl_drawobj.c

+4 −4

Original line number	Diff line number	Diff line
		// SPDX-License-Identifier: GPL-2.0-only
		/*
		* Copyright (c) 2016-2021, The Linux Foundation. All rights reserved.
		* Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
		* Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved.
		*/

		/*
		@@ -283,7 +283,7 @@ static void drawobj_destroy_sparse(struct kgsl_drawobj *drawobj)
		}
		}

		static void drawobj_sync_timeline_fence_work(struct irq_work *work)
		static void drawobj_sync_timeline_fence_work(struct work_struct *work)
		{
		struct kgsl_drawobj_sync_event *event = container_of(work,
		struct kgsl_drawobj_sync_event, work);
		@@ -303,7 +303,7 @@ static void drawobj_sync_timeline_fence_callback(struct dma_fence *f,
		* removing the fence
		*/
		if (drawobj_sync_expire(event->device, event))
		irq_work_queue(&event->work);
		queue_work(kgsl_driver.mem_workqueue, &event->work);
		}

		static void syncobj_destroy(struct kgsl_drawobj *drawobj)
		@@ -497,7 +497,7 @@ static int drawobj_add_sync_timeline(struct kgsl_device *device,
		event->device = device;
		event->context = NULL;
		event->fence = fence;
		init_irq_work(&event->work, drawobj_sync_timeline_fence_work);
		INIT_WORK(&event->work, drawobj_sync_timeline_fence_work);

		INIT_LIST_HEAD(&event->cb.node);