In peripheral SSR case SMEM dump is collected and stored which
is not expected on secure devices.

Add a check and avoid dumping SMEM on secure device.

Bug: 135588290
CRs-Fixed: 2264360
Change-Id: I2895aeb86d97b45dcb3ea293aa79a06174b8ac0b
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>

Currently variable "num_mpdu_ranges" is from message, which is used
directly without any validation which causes buffer over-write.

To avoid buffer over-write add check for the valid num_mpdu_ranges

Change-Id: I54e138d4bd63cbe7a0ae4faf0fe9d8e59ca92c71
CRs-Fixed: 2213655
Bug: 136195284
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

In wma_unified_radio_tx_mem_free() function, results buffer array may be
dereferenced with large index value, that may result OOB memory access.

Fix the same by correcting incrementing pointer to results buffer.

Change-Id: I57a26dba9db32758c7d7fd51b99d3364a8020a9d
CRs-Fixed: 2308644
Bug: 136197213
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

SEP 2019.1
Bug: 137148856

Change-Id: I2572deae1abbd94155a29c30bfba033277f8d630
Signed-off-by: Wilson Sung <wilsonsung@google.com>

Miguel de Dios authored 5 years ago and CHUNG WEI SUNG committed 5 years ago

Validate the dci entries and its task structure before
accessing structure members to prevent copying dci data to
invalid entries.

Bug: 134440011

Change-Id: I07c59ef0705bc52a8268b0dc984ebfa9d26d178e
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>

Sumalatha Malothu authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

currently only NULL pointer check is used to validate the return
value from clk_get, this change to handle all the failures.
This snapshot is taken from msm-4.9
Ported it from 4.9 to 4.4

Bug: 134440735
Change-Id: Icd8b7e33d0f235a7c5dde2307972a594908e6a60
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>

Rajesh Kemisetti authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

set_page_dirty() is racy if the caller has no
reference against page->mapping->host, and if
the page is unlocked. This is because another
CPU could truncate the page off the mapping and
then free the mapping.

Use set_page_dirty_lock() to avoid this race condition.

Bug: 134439992
Change-Id: I517fb9aee66560618c7676b311368f7a7498011f
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>

kunleiz authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

Payload size validity is not checked before using it in array index.
Check payload size to avoid out-of-boundary memory.

Bug: 134439528
Change-Id: Ic0b06bb331fc1753ff7543bb218ab12d6a4a3ca8
Signed-off-by: kunleiz <kunleiz@codeaurora.org>

lesl authored 5 years ago and CHUNG WEI SUNG committed 5 years ago

In the API, the driver inserts 0 after the SSID name, to mark the
end of the ssid, but if the SSID name is 32 characters which is
the max SSID length possible, the driver puts 0 at the 33rd
place of memory which is not the part of the SSID name, which
results in OOB write, or off-by-one write condition.

Fix is to remove the addition of 0 after ssid, as in every
case the driver prints the ssid, taking the ssid length
as the input, and in that case insertion of 0 will not serve
any purpose.

Change-Id: I1d58026ec9f48fe9d00bd2f50783c65899588978
CRs-Fixed: 2232526
Bug: 133236783
Signed-off-by: lesl <lesl@google.com>

Xiaojun Sang authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

Payload size is not checked before payload access. Check size
to avoid out-of-boundary memory access.

Bug: 132171963
Change-Id: Iaa39ee4ea5489bb5579e7b7d5dfada12d88c5809
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>

Ajit Pandey authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

Opening of multiple instance of voice_svc user space from app will
lead to pointer deference of private data within apr callback. As
multi-instance not supported added check to deny open() from user
space if previous instance hasn't been closed.

Bug: 132173298
Change-Id: Ia5ef16c69a517760fc9d45530a8a41a333fa2a21
Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>

smanag authored 7 years ago and CHUNG WEI SUNG committed 5 years ago

Issue is seen when apr callback is received while voice_svc_release
is in process of freeing the driver private data.
Avoid invalid access of private data pointer by putting
the callback and release functions in the same locked context.

Bug: 132173298
Change-Id: I93af13cab0a3c7e653a9bc9fa7f4f86bfa0502df
Signed-off-by: smanag <smanag@codeaurora.org>

Todd Kjos authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

commit 0b050950 upstream.

When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.

Bug: 130571081
Change-Id: Ibaec652d2073491cc426a4a24004a848348316bf
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tharun Kumar Merugu authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

Ensure that the same CPU address returned from the DMA memory
allocation API is passed to the DMA memory free API.

Bug: 134698934

Change-Id: I09d23fb9960bc3400f85aef84bb16d64b546b112
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>

Mohammed Nayeem Ur Rahman authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

Update correct VA to user space, so that during unmap VA will be
matched and memory is freed.

Bug: 134698934

Change-Id: I22d7940b0526db96e47fdf634ada63449f4f2d3f
Acked-by: Himateja Reddy <hmreddy@qti.qualcomm.com>
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>

Add a check to set the pending_free flag if it is not already
set before freeing sparse memory entry. This is required to
prevent multiple ioctl threads from freeing the same sparse
memory entry.

Bug: 121220290
Change-Id: I4e2bbe6fcd98c58d36340c4f87cdff27fc1de22e
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>

This reverts commit bf4b7e49.

Reason for revert: GPU faults while dEQP cts run
Bug: 121220290
Test: Graphics-related CTS including dEQP

Change-Id: I513651b81f3f6ca799f4550e27773fabeabd3128
Signed-off-by: Siddharth Kapoor <ksiddharth@google.com>

Combine below 3 kinds of debug configs into build.config.debug_memory
  - build.config.debug_hang
  - build.config.debug_locking
  - build.config.debug_memory

Bug: 135770167
Change-Id: Ie9e2901e648ba72a750738dcacd88060a6067f7c
Signed-off-by: Eva Huang <evahuang@google.com>

For modem watchdog bite cases, modem fw will be stuck and we should not
capture MSA dump to prevent memory permission problems.

Bug: 135764971

Change-Id: I67a3327b44d1c4ffaf30d33d4e65111ff7cf9138
Signed-off-by: SalmaxChang <salmaxchang@google.com>

Christian Borntraeger reported that panic_on_warn doesn't have any
effect on s390.

The panic_on_warn feature was introduced with 9e3961a0 ("kernel: add
panic_on_warn").  However it did care only for the case when
WANT_WARN_ON_SLOWPATH is defined.  This is turn is only the case for
architectures which do not have an own __WARN_TAINT defined.

Other architectures which do have __WARN_TAINT defined call report_bug()
for warnings within lib/bug.c which does not call panic() in case
panic_on_warn is set.

Let's simply enable the panic_on_warn feature by adding the same code
like it was added to warn_slowpath_common() in panic.c.

This enables panic_on_warn also for arm64, parisc, powerpc, s390 and sh.

Bug: 134156483

Change-Id: Ic468fab23c1ed9e3fc6937f0f245a0fe79dc9a40
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reported-by: Christian Borntraeger <borntraeger@de.ibm.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: "James E.J. Bottomley" <jejb@parisc-linux.org>
Cc: Helge Deller <deller@gmx.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Tested-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Bug: 134156483
Change-Id: Ib1b1a7d4bb242052e50ddbe7cbb29d9df6f0426a
Signed-off-by: Eva Huang <evahuang@google.com>

Add config:
  CONFIG_PANIC_ON_WARN_DEFAULT_ENABLE

This patchset adds CONFIG_PANIC_ON_DEFAULT_ENABLE to determine
the behavior at build time. Even though we could do same thing
by kernel parameter, it's not handy for vendor kernel because
they usually store kernel cmd parameter into different partition
with kernel so that it needs platform image rebuild to change
kernel cmd line as well as kernel image.

To remove such dependency to save much time, this patch adds
default enable by Kconfig at build time.

Bug: 134156483
Change-Id: Ib73e6e2c8d2c2e87ad96cd4c59feeb1c8102d041
Signed-off-by: Eva Huang <evahuang@google.com>

Register a cooling device for system thermal throtting.

Bug: 120552736
Bug: 119689840
Test: ls /sys/class/thermal/cdev-by-name/mnh
Change-Id: I7b5d705bd56d9b36e85eee72b8ead1afa135987b
Signed-off-by: Rui Ma <rma@google.com>
(cherry picked from commit 18a773f5)
Signed-off-by: Cheng Gu <gucheng@google.com>
(cherry picked from commit b33f2b7acfedc638e5d24aa49bee9a82e082d6b3)

Enable support for some generic USB controllers.

Bug: 130357427
Bug: 122273348
Change-Id: I62c325a3415dbf33b319f9d4475e4f23862a6fb3
Signed-off-by: Steve Pfetsch <spfetsch@google.com>

We got several report fastrpc_buf_alloc order-3 allocation failure
and OOM kill because fastrpc_buf_alloc try to allocate high-order
allcation based on the user request size. However, high-order allocation
is not a must to make IOMMU work so it makes system trouble when the
memory pressure is heavy in that OOM kill and long stall so let's
try to avoid that to pass __GFP_NORETRY and removing __GFP_RECLAIM
for only high-order allocation.

Bug: 130426072
Change-Id: I4c1552ed1fc5665c0fe8464e7352a88125949829
Signed-off-by: Vinayak Menon <vinmenon@codeaurora.org>
Signed-off-by: Minchan Kim <minchan@google.com>
(cherry picked from commit f193e933f50cac36a8a461a97ecbbf78e0673c7a)

Tharun Kumar Merugu authored 6 years ago and Harrison Lingren committed 5 years ago

Allocate all memory given to remote subsystem in the kernel
instead of mapping memory allocated in userspace.

Bug: 134698934

Change-Id: I79c1f40d426e271403afa67514714fe6af26cf4e
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>

AUG 2019.1
Bug: 134574226

Change-Id: I5e3f7d474966a1d05ba1682410dca04ef942a565
Signed-off-by: Vishal Agarwal <agarwalvishal@google.com>

sockaddr structure is filled with required information only which
results in few memory locations of structure with uninitialized data.

Memset complete structure before using it to remove uninitialized data.

CRs-Fixed: 2274853
Bug: 109697864
Change-Id: I181710bde100fb1553b925d9fdf227af35ff38b5
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>

Due to redundant payload checks, ASM
get param requests in RTAC mode fail with timeout
errors. Fix this by removing the redundant
payload checks.

CRs-Fixed: 2372302
Change-Id: If08ec942f3530e132b5980da579ea1766d21c52b
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>

Check the size of ADSP payload before accessing it.
Validate buffer index obtained from ADSP token before using it.

Bug: 132171784

CRs-Fixed: 2372302
Change-Id: I5c3b1634bd08b516844638dd67f726a882edfc17
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>

The temperature compensation algorithm is returning excessive delta
temperature in high battery temp cases and while charging.
Lower the charging comp and the factor in the 45 to 55 degC temperatures
to avoid getting the device too hot while charging.

Bug: 131281133
Change-Id: I224b4ff7e28e33125961cbfe1993768e08a76574
Signed-off-by: Thierry Strudel <tstrudel@google.com>
(cherry picked from commit 32d146a1f9a22a174c0050bb1d7b16b79c0fe59f)

htc_battery_probe_process() which got batt_id fell into
EPROBE_DEFER when profile_loaded had not completed.
However, the re-probe did not happen in charger mode and
the probe init was not done.

Because batt_id is not used later, set batt_id to default
type if profile is loading, not block battery driver running.

Bug: 127586646
Change-Id: I15960b77db1c85408dfe4df5d2137ef5e9aa7e2e
Signed-off-by: Jack Wu <wjack@google.com>
(cherry picked from commit 0c254e97e6e0ed451d80603f698acac855c6cc20)

- Not to capture modem ssrdump as disable_ramdump crash pattern
- Refine icnss modem ssr notify cb

Bug: 125051465
Change-Id: I1401d5670d20a5f3e2fcb9dba554c5d574fbe26b
Signed-off-by: SalmaxChang <salmaxchang@google.com>
(cherry picked from commit 47d4d21b10b1d0cd49946797257c92c440c1b8e8)

Hardik Arya authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

In case of invalid input, fifo_read() function is returning
success instead of error. The patch returns error properly in
case of invalid input.

Bug: 127513124
Change-Id: I6e3903381ef7ec8d0dd536623d10213460d0ae8e
Signed-off-by: Hardik Arya <harya@codeaurora.org>

Deepak Kumar Singh authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

Currently we are not validating read and write index of
tx and rx fifo's before calculating ptr, this can lead to
out-of-bound access. The patch adds proper check for the same.

CR-Fixed: 2355425
Bug: 127513124
Change-Id: I7b158e94ae743a90ac364783fe31914ca0fa582b
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>

Vatsal Bucha authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

Check buffer size in qdsp_cvs_callback before access in
ul_pkt.

Bug: 132171785
Change-Id: Ic19994b46086709231656ec747d2df988b7a512f
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>

Neeraj Soni authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

There can be many ice instances present in dtsi file but
not all of them will be initialized by storage driver.
Check if crypto instance is initialized before setting
it up for data encryption/decryption usage.

Bug: 132173424
Change-Id: I7c9227007474052513b277dec5963a973781c524
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>

Zhen Kong authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

Remove kzfree() after kclient list iteration to avoid invalid
pointer deference.

Bug: 114041748
Change-Id: I78922269e219fcb16d3cff05f8b168a75a3c05ae
Signed-off-by: Zhen Kong <zkong@codeaurora.org>

Xiaoyu Ye authored 6 years ago and CHUNG WEI SUNG committed 5 years ago

The range checking for audio buffer copying in function
"audio_in_write" is using the incorrect buffer size.
Change it to the actual allocated audio buffer size.

Bug: 132172264
Change-Id: Ib7aaa2163c0d99161369eb85d09dc2d23d8c787b
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>

Amine Najahi authored 5 years ago and CHUNG WEI SUNG committed 5 years ago

Sanitize debugfs inputs to only allow access to mdp memory block
specified in dtsi file. This change will allow only one single block
to be read at the time and will avoid accessing memory outside of valid
decode space which can trigger AHB error bus response

Bug: 119053530
Test: boot, suspend/resume, CtsDisplayTestCases
Change-Id: Ifd4d50ce128bf338bc27db26e07844cc60c3c249
Signed-off-by: Amine Najahi <anajahi@codeaurora.org>