From 76d723976118b0e1843817714d3f3cb122358ba4 Mon Sep 17 00:00:00 2001 From: "xiaocong.gu" Date: Sat, 27 Nov 2021 11:19:03 +0800 Subject: [PATCH 1/6] Integrate security patch 2021-12-05-CVE-2021-30335 Change-Id: Ica6c38222583d0200dd1b715c0b8289d8c44337f --- drivers/char/adsprpc.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index 3b611f6a4477..007d278fe89d 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -470,6 +470,7 @@ struct fastrpc_file { struct mutex perf_mutex; struct pm_qos_request pm_qos_req; int qos_request; + struct mutex pm_qos_mutex; struct mutex map_mutex; struct mutex internal_map_mutex; /* Identifies the device (MINOR_NUM_DEV / MINOR_NUM_SECURE_DEV) */ @@ -3721,6 +3722,7 @@ static int fastrpc_file_free(struct fastrpc_file *fl) mutex_unlock(&fl->perf_mutex); mutex_destroy(&fl->perf_mutex); mutex_destroy(&fl->map_mutex); + mutex_destroy(&fl->pm_qos_mutex); mutex_destroy(&fl->internal_map_mutex); kfree(fl); return 0; @@ -4085,6 +4087,7 @@ static int fastrpc_device_open(struct inode *inode, struct file *filp) hlist_add_head(&fl->hn, &me->drivers); spin_unlock(&me->hlock); mutex_init(&fl->perf_mutex); + mutex_init(&fl->pm_qos_mutex); return 0; } @@ -4211,6 +4214,7 @@ static int fastrpc_internal_control(struct fastrpc_file *fl, fl->pm_qos_req.type = PM_QOS_REQ_AFFINE_CORES; cpumask_copy(&fl->pm_qos_req.cpus_affine, &mask); + mutex_lock(&fl->pm_qos_mutex); if (!fl->qos_request) { pm_qos_add_request(&fl->pm_qos_req, PM_QOS_CPU_DMA_LATENCY, latency); @@ -4218,6 +4222,7 @@ static int fastrpc_internal_control(struct fastrpc_file *fl, } else pm_qos_update_request(&fl->pm_qos_req, latency); + mutex_unlock(&fl->pm_qos_mutex); /* Ensure CPU feature map updated to DSP for early WakeUp */ fastrpc_send_cpuinfo_to_dsp(fl); break; -- GitLab From 85934ed4f5aab170c2ccfd19dec9854f2d76bbb4 Mon Sep 17 00:00:00 2001 
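Review bot: In the fastrpc_internal_control hunk, `mutex_lock(&fl->pm_qos_mutex);` is taken only after `fl->pm_qos_req.type = PM_QOS_REQ_AFFINE_CORES;` and `cpumask_copy(&fl->pm_qos_req.cpus_affine, &mask);`, so those two writes to the shared request are still unserialized. If two callers can reach this control on the same `fl`, one can rewrite the request while the other is inside `pm_qos_add_request()` or `pm_qos_update_request()`. Moving the lock above the `type` assignment would put every access to `fl->pm_qos_req` in one critical section. The fastrpc_file_free hunk destroys the mutex, but the code that removes the QoS request is outside the hunk; if it tests `fl->qos_request`, it presumably should hold `pm_qos_mutex` as well.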
From: "xiaocong.gu" Date: Sat, 27 Nov 2021 11:25:28 +0800 Subject: [PATCH 2/6] Integrate security patch 2021-12-05-CVE-2021-33909 Change-Id: Ia18049796e6f422eb3ef540fa45aa4d12fa2a3f0 --- fs/seq_file.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/seq_file.c b/fs/seq_file.c index 05e58b56f620..fbde04e8cf54 100644 --- a/fs/seq_file.c +++ b/fs/seq_file.c @@ -29,6 +29,9 @@ static void seq_set_overflow(struct seq_file *m) static void *seq_buf_alloc(unsigned long size) { + if (unlikely(size > MAX_RW_COUNT)) + return NULL; + return kvmalloc(size, GFP_KERNEL_ACCOUNT); } -- GitLab From db9b09d2cdd3e50bc9300d4fa4023f6ce6c8a22e Mon Sep 17 00:00:00 2001 From: "xiaocong.gu" Date: Sat, 27 Nov 2021 11:26:03 +0800 Subject: [PATCH 3/6] Integrate security patch 2021-12-05-CVE-2021-38204 Change-Id: I50c68f9f257c3209d42f1a5297427c3af37db231 --- drivers/usb/host/max3421-hcd.c | 43 ++++++++++------------------------ 1 file changed, 13 insertions(+), 30 deletions(-) diff --git a/drivers/usb/host/max3421-hcd.c b/drivers/usb/host/max3421-hcd.c index afa321ab55fc..9d6a1cfd6a60 100644 --- a/drivers/usb/host/max3421-hcd.c +++ b/drivers/usb/host/max3421-hcd.c @@ -153,8 +153,6 @@ struct max3421_hcd { */ struct urb *curr_urb; enum scheduling_pass sched_pass; - struct usb_device *loaded_dev; /* dev that's loaded into the chip */ - int loaded_epnum; /* epnum whose toggles are loaded */ int urb_done; /* > 0 -> no errors, < 0: errno */ size_t curr_len; u8 hien; 
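Review bot: The new bound in seq_buf_alloc carries no comment, so a reader cannot tell that returning NULL for `size > MAX_RW_COUNT` is an overflow guard and not an allocation failure. I would add `/* Refuse buffers larger than MAX_RW_COUNT: sizes above it can wrap when callers narrow them to a signed int. */` above the check. The statement about callers is inferred from the CVE context and should be confirmed against the users of this helper in this tree. Callers presumably turn NULL into -ENOMEM, which is worth confirming is the intended error for an oversized request.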
@@ -492,39 +490,17 @@ max3421_set_speed(struct usb_hcd *hcd, struct usb_device *dev) * Caller must NOT hold HCD spinlock. */ static void -max3421_set_address(struct usb_hcd *hcd, struct usb_device *dev, int epnum, - int force_toggles) +max3421_set_address(struct usb_hcd *hcd, struct usb_device *dev, int epnum) { - struct max3421_hcd *max3421_hcd = hcd_to_max3421(hcd); - int old_epnum, same_ep, rcvtog, sndtog; - struct usb_device *old_dev; + int rcvtog, sndtog; u8 hctl; - old_dev = max3421_hcd->loaded_dev; - old_epnum = max3421_hcd->loaded_epnum; - - same_ep = (dev == old_dev && epnum == old_epnum); - if (same_ep && !force_toggles) - return; - - if (old_dev && !same_ep) { - /* save the old end-points toggles: */ - u8 hrsl = spi_rd8(hcd, MAX3421_REG_HRSL); - - rcvtog = (hrsl >> MAX3421_HRSL_RCVTOGRD_BIT) & 1; - sndtog = (hrsl >> MAX3421_HRSL_SNDTOGRD_BIT) & 1; - - /* no locking: HCD (i.e., we) own toggles, don't we? */ - usb_settoggle(old_dev, old_epnum, 0, rcvtog); - usb_settoggle(old_dev, old_epnum, 1, sndtog); - } /* setup new endpoint's toggle bits: */ rcvtog = usb_gettoggle(dev, epnum, 0); sndtog = usb_gettoggle(dev, epnum, 1); hctl = (BIT(rcvtog + MAX3421_HCTL_RCVTOG0_BIT) | BIT(sndtog + MAX3421_HCTL_SNDTOG0_BIT)); - max3421_hcd->loaded_epnum = epnum; spi_wr8(hcd, MAX3421_REG_HCTL, hctl); /* @@ -532,7 +508,6 @@ max3421_set_address(struct usb_hcd *hcd, struct usb_device *dev, int epnum, * address-assignment so it's best to just always load the * address whenever the end-point changed/was forced. */ - max3421_hcd->loaded_dev = dev; spi_wr8(hcd, MAX3421_REG_PERADDR, dev->devnum); } @@ -667,7 +642,7 @@ max3421_select_and_start_urb(struct usb_hcd *hcd) struct max3421_hcd *max3421_hcd = hcd_to_max3421(hcd); struct urb *urb, *curr_urb = NULL; struct max3421_ep *max3421_ep; - int epnum, force_toggles = 0; + int epnum; struct usb_host_endpoint *ep; struct list_head *pos; unsigned long flags; 
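Review bot: The comment kept at the end of max3421_set_address still says the address is loaded "whenever the end-point changed/was forced", which no longer matches the code. With the same-endpoint early return and the `force_toggles` parameter removed, the function writes `MAX3421_REG_HCTL` and `MAX3421_REG_PERADDR` on every call. Rewording the last comment line to `* address on every call.` would keep the comment truthful. The comment's opening lines are outside the hunk.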
@@ -777,7 +752,6 @@ max3421_select_and_start_urb(struct usb_hcd *hcd) usb_settoggle(urb->dev, epnum, 0, 1); usb_settoggle(urb->dev, epnum, 1, 1); max3421_ep->pkt_state = PKT_STATE_SETUP; - force_toggles = 1; } else max3421_ep->pkt_state = PKT_STATE_TRANSFER; } @@ -785,7 +759,7 @@ max3421_select_and_start_urb(struct usb_hcd *hcd) spin_unlock_irqrestore(&max3421_hcd->lock, flags); max3421_ep->last_active = max3421_hcd->frame_number; - max3421_set_address(hcd, urb->dev, epnum, force_toggles); + max3421_set_address(hcd, urb->dev, epnum); max3421_set_speed(hcd, urb->dev); max3421_next_transfer(hcd, 0); return 1; @@ -1380,6 +1354,15 @@ max3421_urb_done(struct usb_hcd *hcd) status = 0; urb = max3421_hcd->curr_urb; if (urb) { + /* save the old end-points toggles: */ + u8 hrsl = spi_rd8(hcd, MAX3421_REG_HRSL); + int rcvtog = (hrsl >> MAX3421_HRSL_RCVTOGRD_BIT) & 1; + int sndtog = (hrsl >> MAX3421_HRSL_SNDTOGRD_BIT) & 1; + int epnum = usb_endpoint_num(&urb->ep->desc); + + /* no locking: HCD (i.e., we) own toggles, don't we? */ + usb_settoggle(urb->dev, epnum, 0, rcvtog); + usb_settoggle(urb->dev, epnum, 1, sndtog); max3421_hcd->curr_urb = NULL; spin_lock_irqsave(&max3421_hcd->lock, flags); usb_hcd_unlink_urb_from_ep(hcd, urb); -- GitLab From e153ebfe4528aa5247e4711ffcbd5f78c8ee42b2 Mon Sep 17 00:00:00 2001 From: "xiaocong.gu" Date: Sat, 27 Nov 2021 11:26:16 +0800 Subject: [PATCH 4/6] Integrate security patch 2021-12-05-CVE-2021-0961 Change-Id: Ice7acbe7aca4448be8ef3f147f6ea0c8e2540142 --- net/netfilter/xt_quota2.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/net/netfilter/xt_quota2.c b/net/netfilter/xt_quota2.c index c9a06d0652fe..32bfa2dad476 100644 --- a/net/netfilter/xt_quota2.c +++ b/net/netfilter/xt_quota2.c 
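Review bot: In the max3421_urb_done hunk the copied comment `/* save the old end-points toggles: */` no longer describes the block, because the toggles now belong to the endpoint of the URB being completed, not to a previously loaded one. Something like `/* save the toggles of the endpoint this URB used, before the URB is given back: */` would say what the block is for. The block also stores the `MAX3421_REG_HRSL` toggle bits for every non-NULL `curr_urb` without looking at the completion status in the visible lines; if the bits are not meaningful after a failed or unlinked transfer, that should be stated or guarded. The function body continues past the hunk.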
@@ -106,23 +106,17 @@ static void quota2_log(unsigned int hooknum, return; } pm = nlmsg_data(nlh); + memset(pm, 0, sizeof(*pm)); if (skb->tstamp == 0) __net_timestamp((struct sk_buff *)skb); - pm->data_len = 0; pm->hook = hooknum; if (prefix != NULL) strlcpy(pm->prefix, prefix, sizeof(pm->prefix)); - else - *(pm->prefix) = '\0'; if (in) strlcpy(pm->indev_name, in->name, sizeof(pm->indev_name)); - else - pm->indev_name[0] = '\0'; if (out) strlcpy(pm->outdev_name, out->name, sizeof(pm->outdev_name)); - else - pm->outdev_name[0] = '\0'; NETLINK_CB(log_skb).dst_group = 1; pr_debug("throwing 1 packets to netlink group 1\n"); @@ -162,6 +156,8 @@ static ssize_t quota_proc_write(struct file *file, const char __user *input, if (copy_from_user(buf, input, size) != 0) return -EFAULT; buf[sizeof(buf)-1] = '\0'; + if (size < sizeof(buf)) + buf[size] = '\0'; spin_lock_bh(&e->lock); e->quota = simple_strtoull(buf, NULL, 0); @@ -348,6 +344,7 @@ static struct xt_match quota_mt2_reg[] __read_mostly = { .match = quota_mt2, .destroy = quota_mt2_destroy, .matchsize = sizeof(struct xt_quota_mtinfo2), + .usersize = offsetof(struct xt_quota_mtinfo2, master), .me = THIS_MODULE, }, { @@ -358,6 +355,7 @@ static struct xt_match quota_mt2_reg[] __read_mostly = { .match = quota_mt2, .destroy = quota_mt2_destroy, .matchsize = sizeof(struct xt_quota_mtinfo2), + .usersize = offsetof(struct xt_quota_mtinfo2, master), .me = THIS_MODULE, }, }; -- GitLab From 953378bb4fe3b053c5dc36a7549602532afe7402 Mon Sep 17 00:00:00 2001 
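Review bot: In the quota_proc_write hunk the terminator is now written by two consecutive stores, `buf[sizeof(buf)-1] = '\0';` followed by the added `if (size < sizeof(buf)) buf[size] = '\0';`, which could be the single line `buf[min(size, sizeof(buf) - 1)] = '\0';`. The added store is bounded by its own test, but `copy_from_user(buf, input, size)` above it depends on `size` being clamped to `sizeof(buf)` outside the hunk, which should be confirmed. Separately, `simple_strtoull(buf, NULL, 0)` turns unparsable input into a quota of 0 with no error; `kstrtoull()` with an `-EINVAL` return would reject it, if that behaviour change is acceptable here.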
From: "mingwu.zhang" Date: Thu, 6 Jan 2022 09:15:15 +0800 Subject: [PATCH 5/6] [FP4-3123]:Modify USB usage options greyed out. &&&%%%comment::Modify USB usage options greyed out. &&&%%%bug number:FP4-3123 &&&%%%root cause:coding &&&%%%Bug category:T2M &&&%%%Module_Impact:kernel &&&%%%Test_Suggestion:NA &&&%%%Solution:usb &&&%%%Test_Report:ok &&&%%%VAL Can Test:NA --- drivers/power/supply/qcom/smb5-lib.c | 10 ++++++++++ drivers/power/supply/qcom/smb5-reg.h | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/drivers/power/supply/qcom/smb5-lib.c b/drivers/power/supply/qcom/smb5-lib.c index 38beda317d3b..503759f1ade3 100644 --- a/drivers/power/supply/qcom/smb5-lib.c +++ b/drivers/power/supply/qcom/smb5-lib.c @@ -3970,15 +3970,24 @@ static int smblib_get_prop_ufp_mode(struct smb_charger *chg) } smblib_dbg(chg, PR_REGISTER, "TYPE_C_STATUS_1 = 0x%02x\n", stat); + /* config 0x154A to 0x17 */ + if (stat &(SNK_RP_STD_DAM_BIT | SNK_RP_1P5_DAM_BIT | SNK_RP_3P0_DAM_BIT)){ + smblib_masked_write(chg, TYPE_C_DEBUG_ACCESS_SINK_REG,TYPEC_DEBUG_ACCESS_SINK_MASK,0x17); + } + switch (stat & DETECTED_SRC_TYPE_MASK) { case SNK_RP_STD_BIT: + case SNK_RP_STD_DAM_BIT: return POWER_SUPPLY_TYPEC_SOURCE_DEFAULT; case SNK_RP_1P5_BIT: + case SNK_RP_1P5_DAM_BIT: return POWER_SUPPLY_TYPEC_SOURCE_MEDIUM; case SNK_RP_3P0_BIT: + case SNK_RP_3P0_DAM_BIT: return POWER_SUPPLY_TYPEC_SOURCE_HIGH; case SNK_RP_SHORT_BIT: return POWER_SUPPLY_TYPEC_NON_COMPLIANT; +/* case SNK_DAM_500MA_BIT: case SNK_DAM_1500MA_BIT: case SNK_DAM_3000MA_BIT: @@ -3987,6 +3996,7 @@ static int smblib_get_prop_ufp_mode(struct smb_charger *chg) #else return POWER_SUPPLY_TYPEC_SINK_DEBUG_ACCESSORY; #endif +*/ default: break; } diff --git a/drivers/power/supply/qcom/smb5-reg.h b/drivers/power/supply/qcom/smb5-reg.h index 1d0d08212f2c..ecaf6961b101 100644 --- a/drivers/power/supply/qcom/smb5-reg.h +++ b/drivers/power/supply/qcom/smb5-reg.h 
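Review bot: The register write added to smblib_get_prop_ufp_mode discards the return value of `smblib_masked_write()` and passes the bare value `0x17`, so a failed write is silent and `/* config 0x154A to 0x17 */` is the only hint at what is programmed. I would give the value a name in smb5-reg.h beside `TYPEC_DEBUG_ACCESS_SINK_MASK`, keep the result and log it when negative, and state in the comment why a debug-accessory Rp needs this setting. The write also makes a property getter change hardware state on each read. In the second hunk the old `SNK_DAM_*` cases are disabled by wrapping an `#ifdef` block in `/* … */`; deleting them is safer, since the middle of that block is outside the hunk and any `*/` there would end the comment early. Debug-accessory sources are now reported as `POWER_SUPPLY_TYPEC_SOURCE_*` and never as `POWER_SUPPLY_TYPEC_SINK_DEBUG_ACCESSORY`, so consumers that gate behaviour on debug-accessory detection should be checked.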
@@ -337,7 +337,17 @@ enum { * TYPEC Peripheral Registers * ********************************/ #define TYPE_C_SNK_STATUS_REG (TYPEC_BASE + 0x06) + + #define DETECTED_SRC_TYPE_MASK GENMASK(6, 0) +#define SNK_RP_STD_DAM_BIT BIT(6) +#define SNK_RP_1P5_DAM_BIT BIT(5) +#define SNK_RP_3P0_DAM_BIT BIT(4) + +#define TYPE_C_DEBUG_ACCESS_SINK_REG (TYPEC_BASE + 0x4A) +#define TYPEC_DEBUG_ACCESS_SINK_MASK GENMASK(4, 0) + + #define SNK_DAM_MASK GENMASK(6, 4) #define SNK_DAM_500MA_BIT BIT(6) #define SNK_DAM_1500MA_BIT BIT(5) -- GitLab From d1c30a623c813360022f14049553b2e381c0ecd2 Mon Sep 17 00:00:00 2001 From: "xiaocong.gu" Date: Thu, 13 Jan 2022 17:28:06 +0800 Subject: [PATCH 6/6] Integrate security patch 2022-01-05-CVE-2021-39633 Change-Id: Id2e43d346f22f0a5311e97373a905c96176889de --- net/ipv4/ip_gre.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index de6f89511a21..6a299d2cfb47 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -449,6 +449,8 @@ static void __gre_xmit(struct sk_buff *skb, struct net_device *dev, static int gre_handle_offloads(struct sk_buff *skb, bool csum) { + if (csum && skb_checksum_start(skb) < skb->data) + return -EINVAL; return iptunnel_handle_offloads(skb, csum ? SKB_GSO_GRE_CSUM : SKB_GSO_GRE); } -- GitLab
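Review bot: `SNK_RP_STD_DAM_BIT` and `SNK_RP_1P5_DAM_BIT` are defined as `BIT(6)` and `BIT(5)`, the same bits that `SNK_DAM_500MA_BIT` and `SNK_DAM_1500MA_BIT` already name a few lines below. `SNK_RP_3P0_DAM_BIT` as `BIT(4)` presumably duplicates a third `SNK_DAM_*` define outside the hunk. Two names per bit invite a duplicate `case` label when both sets meet in one switch, and the new test in smb5-lib.c could use the existing `SNK_DAM_MASK` instead of OR-ing the three new names. Either reuse the existing names or add a comment such as `/* aliases of SNK_DAM_*: Rp level seen through a debug accessory */`. The pairs of added blank lines around the block are not needed.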
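Review bot: The check added to gre_handle_offloads rejects a checksum start that lies before `skb->data`, but nothing says where such a value can come from or what breaks without the test. A comment such as `/* csum_start may come from an untrusted sender; reject it if it points before the data we are about to checksum. */` would help, with the stated origin confirmed first, since it is my inference. This patch touches only the IPv4 file; if this tree's IPv6 GRE driver has its own copy of the helper, it needs the same test. The callers are outside the hunk and should be checked to free the skb when `-EINVAL` comes back.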