From 59f90787847cdcf9689b6724ba88dac25bd2226e Mon Sep 17 00:00:00 2001 From: Sarannya S Date: Wed, 13 Jul 2022 17:45:06 +0530 Subject: [PATCH 01/10] net: qrtr: smd: kfree svc_arr after use If svc_arr is not freed once it is allocated, it can cause memory leak issue. kfree svc_arr to avoid memory leak. Change-Id: Idfd963443673ffe303aed545503ce8e17f0d5d7b Signed-off-by: Sarannya S --- net/qrtr/smd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/qrtr/smd.c b/net/qrtr/smd.c index 45626f99dad6..705e6523e1b2 100644 --- a/net/qrtr/smd.c +++ b/net/qrtr/smd.c @@ -93,6 +93,7 @@ static int qcom_smd_qrtr_probe(struct rpmsg_device *rpdev) svc_arr, size); } rc = qrtr_endpoint_register(&qdev->ep, net_id, rt, svc_arr); + kfree(svc_arr); if (rc) return rc; From ad5ca445f16024e66403a67ce656c46da5d5ace6 Mon Sep 17 00:00:00 2001 From: Vikash Garodia Date: Wed, 29 Nov 2023 09:24:47 +0530 Subject: [PATCH 02/10] BACKPORT: media: venus: hfi: add checks to perform sanity on queue pointers Read and write pointers are used to track the packet index in the memory shared between video driver and firmware. There is a possibility of OOB access if the read or write pointer goes beyond the queue memory size. Add checks for the read and write pointers to avoid OOB access. cherry picked from 5e538fce3358 ("media: venus: hfi: add checks to perform sanity on queue pointers"). Change-Id: I6c280854a7a51e38d92a2923d4c9bfe6a49c0ce2 Cc: stable@vger.kernel.org Fixes: d96d3f30c0f2 ("[media] media: venus: hfi: add Venus HFI files") Signed-off-by: Stanimir Varbanov Signed-off-by: Hans Verkuil Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_venus.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/drivers/media/platform/qcom/venus/hfi_venus.c b/drivers/media/platform/qcom/venus/hfi_venus.c index 0d8855014ab3..306082e25943 100644 --- a/drivers/media/platform/qcom/venus/hfi_venus.c +++ b/drivers/media/platform/qcom/venus/hfi_venus.c 
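Review bot: In qcom_smd_qrtr_probe (net/qrtr/smd.c), the added `kfree(svc_arr);` directly after `qrtr_endpoint_register(&qdev->ep, net_id, rt, svc_arr)` is safe only if the register call copies the array instead of keeping the pointer. That function is not visible in this hunk, so this needs confirming; otherwise the leak fix turns into a use-after-free on the endpoint's service list. If it does copy, a comment such as `/* qrtr_endpoint_register() copies svc_arr; the caller still owns and frees it */` would record the ownership rule. The probe function starts and ends outside the hunk, so earlier returns between the allocation and this call could not be checked for the same leak.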
@@ -206,6 +206,11 @@ static int venus_write_queue(struct venus_hfi_device *hdev, new_wr_idx = wr_idx + dwords; wr_ptr = (u32 *)(queue->qmem.kva + (wr_idx << 2)); + + if (wr_ptr < (u32 *)queue->qmem.kva || + wr_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size - sizeof(*wr_ptr))) + return -EINVAL; + if (new_wr_idx < qsize) { memcpy(wr_ptr, packet, dwords << 2); } else { @@ -273,6 +278,11 @@ static int venus_read_queue(struct venus_hfi_device *hdev, } rd_ptr = (u32 *)(queue->qmem.kva + (rd_idx << 2)); + + if (rd_ptr < (u32 *)queue->qmem.kva || + rd_ptr > (u32 *)(queue->qmem.kva + queue->qmem.size - sizeof(*rd_ptr))) + return -EINVAL; + dwords = *rd_ptr >> 2; if (!dwords) return -EINVAL; From ef4ff7c657d0054c2991d469a1cc99910ec89b6a Mon Sep 17 00:00:00 2001 From: Vikash Garodia Date: Wed, 29 Nov 2023 09:32:28 +0530 Subject: [PATCH 03/10] BACKPORT: media: venus: hfi: fix the check in session buffer requirement Buffer requirement, for different buffer type, comes from video firmware. While copying these requirements, there is an OOB possibility when the payload from firmware is more than expected size. Fix the check to avoid the OOB possibility. cherry picked from b18e36dfd6c9 ("media: venus: hfi: fix the check to handle session buffer requirement"). Change-Id: I8169c57b2c244c52bac0b4de460b9820707f6ff7 Cc: stable@vger.kernel.org Fixes: 09c2845e8fe4 ("[media] media: venus: hfi: add Host Firmware Interface (HFI)") Reviewed-by: Nathan Hebert Signed-off-by: Stanimir Varbanov Signed-off-by: Hans Verkuil Signed-off-by: Vikash Garodia --- drivers/media/platform/qcom/venus/hfi_msgs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/media/platform/qcom/venus/hfi_msgs.c b/drivers/media/platform/qcom/venus/hfi_msgs.c index 04ef2286efc6..5694d18b43d5 100644 --- a/drivers/media/platform/qcom/venus/hfi_msgs.c +++ b/drivers/media/platform/qcom/venus/hfi_msgs.c 
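Review bot: In venus_write_queue (hfi_venus.c), the new range test only proves that one u32 at `wr_ptr` lies inside the queue memory, while the `memcpy(wr_ptr, packet, dwords << 2)` in the `new_wr_idx < qsize` branch is bounded by `qsize`, which this hunk never compares with `queue->qmem.size`. If `qsize` and the indices are loaded from the memory shared with firmware (the commit message suggests so, but the loads are outside the hunk), they should be validated as indices before the pointer is formed, e.g. `if (qsize > (queue->qmem.size >> 2) || wr_idx >= qsize) return -EINVAL;`. That also avoids comparing a pointer that was already computed out of range, and a possible wrap of `wr_idx << 2`. The same applies to the `rd_ptr` check in venus_read_queue, where `dwords = *rd_ptr >> 2` is a length written by firmware whose later use is outside the hunk. Both functions start and end outside their hunks.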
@@ -350,7 +350,7 @@ session_get_prop_buf_req(struct hfi_msg_session_property_info_pkt *pkt, memcpy(&bufreq[idx], buf_req, sizeof(*bufreq)); idx++; - if (idx > HFI_BUFFER_TYPE_MAX) + if (idx >= HFI_BUFFER_TYPE_MAX) return HFI_ERR_SESSION_INVALID_PARAMETER; req_bytes -= sizeof(struct hfi_buffer_requirements); From 7ce6eef9ba291d6dec586cce7373540a041b2dba Mon Sep 17 00:00:00 2001 From: Jishnu Prakash Date: Tue, 21 Nov 2023 11:42:06 +0530 Subject: [PATCH 04/10] input: misc: Validate input pattern count in pattern_s_dbgfs_write Add a check for number of input patterns detected in string read from userspace in pattern_s_dbgfs_write() API, to avoid out-of-bounds write in a local array. Change-Id: Ic35561ae34f95c67fbd54ae4db4a7174342f45f4 Signed-off-by: Jishnu Prakash --- drivers/input/misc/qcom-hv-haptics.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/input/misc/qcom-hv-haptics.c b/drivers/input/misc/qcom-hv-haptics.c index 029970344159..7f79ba9af213 100644 --- a/drivers/input/misc/qcom-hv-haptics.c +++ b/drivers/input/misc/qcom-hv-haptics.c @@ -1,7 +1,7 @@ // SPDX-License-Identifier: GPL-2.0-only /* * Copyright (c) 2020-2021, The Linux Foundation. All rights reserved. - * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved. + * Copyright (c) 2022-2023, Qualcomm Innovation Center, Inc. All rights reserved. */ #include @@ -3035,6 +3035,11 @@ static ssize_t pattern_s_dbgfs_write(struct file *fp, goto exit; } + if (i >= ARRAY_SIZE(tmp)) { + pr_err("too many patterns in input string\n"); + rc = -EINVAL; + goto exit; + } tmp[i++] = val; } From b1cdc135e89c61b1c32de9801bf3ef714fc4260a Mon Sep 17 00:00:00 2001 From: Rohit Agarwal Date: Tue, 12 Dec 2023 16:05:08 +0530 Subject: [PATCH 05/10] soc: qcom: peripheral-loader: Add KPI marker Add KPI marker for minidump way of dump collection for modem SSR. Change-Id: I60b2522fd48e4f8a13ba15a3e60e12dc54c17a20 
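Review bot: In session_get_prop_buf_req (hfi_msgs.c), the bound is still tested after `memcpy(&bufreq[idx], ...)` and `idx++`, so it guards the next write rather than the one just made, and the function now returns HFI_ERR_SESSION_INVALID_PARAMETER for a payload that exactly fills the last slot. Assuming `bufreq` has HFI_BUFFER_TYPE_MAX elements (its declaration is outside the hunk), moving the test above the copy, `if (idx >= HFI_BUFFER_TYPE_MAX) return HFI_ERR_SESSION_INVALID_PARAMETER;`, rejects only oversized payloads and keeps the guard next to the write it protects. The loop and the function continue outside the hunk, so the `req_bytes` accounting could not be checked here.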
Signed-off-by: Rohit Agarwal --- drivers/soc/qcom/peripheral-loader.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/drivers/soc/qcom/peripheral-loader.c b/drivers/soc/qcom/peripheral-loader.c index b7f17cc80d22..3ab98373a2b2 100644 --- a/drivers/soc/qcom/peripheral-loader.c +++ b/drivers/soc/qcom/peripheral-loader.c @@ -383,6 +383,10 @@ static int pil_do_minidump(struct pil_desc *desc, void *ramdump_dev) pil_err(desc, "%s: Minidump collection failed for subsys %s rc:%d\n", __func__, desc->name, ret); +#ifdef CONFIG_QGKI_MSM_BOOT_TIME_MARKER + if (!strcmp(desc->name, "modem")) + update_marker("M - Modem Dump completed"); +#endif if (desc->subsys_vmid > 0) ret = pil_assign_mem_to_subsys(desc, priv->region_start, (priv->region_end - priv->region_start)); From acf2f0eb6a4aabcfae75f869af836cdc30f29419 Mon Sep 17 00:00:00 2001 From: Kaushal Hooda Date: Thu, 1 Jun 2023 23:45:30 +0530 Subject: [PATCH 06/10] rpmsg: slatecom: Discard unaligned packet to read If intent_alloc_size and chunk size are unaligned with the minimum offset, then ahb_read can lead to bytes overflow as ahb_read is performed with word_size aligned. If the received chunk_size is not aligned to word_size, discard packet to read. Change-Id: Iae2c87636675da653bd182ac082a285b699e0a83 Signed-off-by: Kaushal Hooda --- drivers/rpmsg/qcom_glink_slatecom.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/drivers/rpmsg/qcom_glink_slatecom.c b/drivers/rpmsg/qcom_glink_slatecom.c index e2a4f49042cf..d57adfa3c92f 100644 --- a/drivers/rpmsg/qcom_glink_slatecom.c +++ b/drivers/rpmsg/qcom_glink_slatecom.c 
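Review bot: In pil_do_minidump (peripheral-loader.c), the new `update_marker("M - Modem Dump completed")` follows the "Minidump collection failed" log and does not look at `ret`, so the marker appears to be written even when the dump failed. The `if` that guards the pil_err call is outside the hunk, so this is inferred from the visible lines. If the KPI is meant to mark a successful collection, the condition should be `if (!ret && !strcmp(desc->name, "modem"))`. If it marks the end of the attempt either way, a comment saying so above the `#ifdef` would keep boot-time analysis from reading it as success.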
@@ -1694,12 +1694,21 @@ static int glink_slatecom_rx_data(struct glink_slatecom *glink, if (intent->size - intent->offset < chunk_size) { dev_err(glink->dev, "Insufficient space in intent\n"); + glink_slatecom_free_intent(channel, intent); mutex_unlock(&channel->intent_lock); /* The packet header lied, drop payload */ return msglen; } + if (chunk_size % WORD_SIZE) { + dev_err(glink->dev, "For chunk_size %d use short packet\n", + chunk_size); + glink_slatecom_free_intent(channel, intent); + mutex_unlock(&channel->intent_lock); + return -EBADMSG; + } + rc = slatecom_ahb_read(glink->slatecom_handle, (uint32_t)(size_t)addr, ALIGN(chunk_size, WORD_SIZE)/WORD_SIZE, intent->data + intent->offset); From 57a0e96e09e71f8c5e22400e6d258bce4fa7d145 Mon Sep 17 00:00:00 2001 From: Mao Jinlong Date: Mon, 16 Oct 2023 20:37:06 +0800 Subject: [PATCH 07/10] soc: qcom: dcc_v2: Fix slab-out-of-bounds issue in dcc driver The link list number should use nr_link_list of driver data instead of DCC_MAX_LINK_LIST. Change-Id: Iaf42c4e6ee6ea29bf8b4bea6ffb64a4b2354fcfd Signed-off-by: Mao Jinlong --- drivers/soc/qcom/dcc_v2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/soc/qcom/dcc_v2.c b/drivers/soc/qcom/dcc_v2.c index 00bb1defa415..1e877c8fe67e 100644 --- a/drivers/soc/qcom/dcc_v2.c +++ b/drivers/soc/qcom/dcc_v2.c @@ -612,7 +612,7 @@ static bool is_dcc_enabled(struct dcc_drvdata *drvdata) bool dcc_enable = false; int list; - for (list = 0; list < DCC_MAX_LINK_LIST; list++) { + for (list = 0; list < drvdata->nr_link_list; list++) { if (drvdata->enable[list]) { dcc_enable = true; break; From b6d7ae331ec58b4415fcccaeb641188bb121b514 Mon Sep 17 00:00:00 2001 From: Rohit Agarwal Date: Fri, 17 Nov 2023 11:57:45 +0530 Subject: [PATCH 08/10] soc: qcom: Don't print thread info for arm arch Don't print thread info for arm arch as it is not supported for 32 bit architecture. Change-Id: I9327675d85670fed78e1778c993ab6fa574c972a 
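Review bot: In glink_slatecom_rx_data, both error paths now call `glink_slatecom_free_intent(channel, intent)`, but nothing in the hunk shows the intent being removed from whatever the channel uses to look it up or cache it. If a later chunk or packet can still reach the same intent, a malformed header from the remote side would lead to a use-after-free or double free. Please confirm that the helper unlinks the intent and clears any pointer the channel holds; its body and the intent lookup are outside the hunk. The two drops are also inconsistent: the size failure returns `msglen` while the alignment failure returns `-EBADMSG`, and the caller's handling of each is not visible. With alignment enforced, `ALIGN(chunk_size, WORD_SIZE)/WORD_SIZE` in the read below reduces to `chunk_size / WORD_SIZE`.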
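Review bot: In is_dcc_enabled (dcc_v2.c), the loop is now bounded by `drvdata->nr_link_list`, which is safe only if that field can never exceed the number of elements allocated for `drvdata->enable`. Neither the allocation nor the place where nr_link_list is set is visible in this hunk. If the value comes from hardware or device tree, it should be range-checked once at probe. Any other loop in the file that still runs to DCC_MAX_LINK_LIST over a per-list array would need the same change. `list` is an `int`, so if nr_link_list is unsigned the comparison is mixed-sign; declaring the index with the field's type would avoid that.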
Signed-off-by: Rohit Agarwal --- drivers/soc/qcom/minidump_log.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/soc/qcom/minidump_log.c b/drivers/soc/qcom/minidump_log.c index 921e2a6ea63b..ac26549bf15e 100644 --- a/drivers/soc/qcom/minidump_log.c +++ b/drivers/soc/qcom/minidump_log.c @@ -656,10 +656,16 @@ static void md_dump_task_info(struct task_struct *task, char *status, se = &task->se; if (task == curr) { +#ifdef CONFIG_ARM64 seq_buf_printf(md_runq_seq_buf, "[status: curr] pid: %d comm: %s preempt: %#x\n", task_pid_nr(task), task->comm, task->thread_info.preempt_count); +#else + seq_buf_printf(md_runq_seq_buf, + "[status: curr] pid: %d comm: %s\n", + task_pid_nr(task), task->comm); +#endif return; } From 9227be441690428ad873b285cca4dce65c598fb5 Mon Sep 17 00:00:00 2001 From: Sayan Dey Date: Fri, 17 Nov 2023 12:19:49 +0530 Subject: [PATCH 09/10] defconfig: sdxlemur: Enable minidump for sdxlemur Enable configs to add minidump functionalities for sdxlemur. Change-Id: Icd68c7500e20eaf50f5ee8785a645736d5e2ef89 Signed-off-by: Sayan Dey Signed-off-by: Rohit Agarwal --- arch/arm/configs/vendor/sdxlemur-debug.config | 1 + arch/arm/configs/vendor/sdxlemur.config | 3 +++ 2 files changed, 4 insertions(+) diff --git a/arch/arm/configs/vendor/sdxlemur-debug.config b/arch/arm/configs/vendor/sdxlemur-debug.config index 33b0155a4128..a645ca71e380 100644 --- a/arch/arm/configs/vendor/sdxlemur-debug.config +++ b/arch/arm/configs/vendor/sdxlemur-debug.config @@ -38,3 +38,4 @@ CONFIG_BUG_ON_DATA_CORRUPTION=y CONFIG_DEBUG_CREDENTIALS=y CONFIG_QCOM_MEMORY_DUMP_V2=y CONFIG_LKDTM=m +CONFIG_SLUB_DEBUG=y diff --git a/arch/arm/configs/vendor/sdxlemur.config b/arch/arm/configs/vendor/sdxlemur.config index eb3bd9d5e827..a816f4605758 100644 --- a/arch/arm/configs/vendor/sdxlemur.config +++ b/arch/arm/configs/vendor/sdxlemur.config 
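Review bot: In md_dump_task_info (minidump_log.c), `task->thread_info` exists only when CONFIG_THREAD_INFO_IN_TASK is set, so `#ifdef CONFIG_ARM64` ties the guard to one architecture instead of the condition that matters. Either `#ifdef CONFIG_THREAD_INFO_IN_TASK` or reading the value through `task_thread_info(task)->preempt_count` would be more accurate, and the latter may remove the need for the `#else` branch altogether (to be confirmed on the 32-bit target). As written, the two branches duplicate the whole seq_buf_printf call, and the non-arm64 line drops the `preempt:` field, so anything parsing this minidump section has to accept both shapes. The function starts and ends outside the hunk.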
@@ -350,6 +350,8 @@ CONFIG_POWER_RESET_QCOM_DOWNLOAD_MODE_DEFAULT=y CONFIG_POWER_RESET_QCOM_REBOOT_REASON=y CONFIG_POWER_RESET_MSM=y CONFIG_QCOM_MINIDUMP=y +CONFIG_QCOM_MINIDUMP_FTRACE=y +CONFIG_QCOM_MINIDUMP_PANIC_DUMP=y CONFIG_ENABLE_SFE=y # CONFIG_ENABLE_VMALLOC_SAVING is not set # CONFIG_SLUB_DEBUG is not set @@ -510,3 +512,4 @@ CONFIG_ANDROID_BINDER_IPC=y CONFIG_ANDROID_BINDERFS=y CONFIG_ANDROID_BINDER_DEVICES="binder,hwbinder,vndbinder" # CONFIG_ANDROID_BINDER_IPC_SELFTEST is not set +CONFIG_IPC_LOG_MINIDUMP_BUFFERS=16 From 52c3eb6f125b8da62b3eb8256eaa5ef83f619b5c Mon Sep 17 00:00:00 2001 From: Mukesh Ojha Date: Mon, 11 Dec 2023 15:09:42 +0530 Subject: [PATCH 10/10] qcom-dload-mode: Convert reboot notifier to restart notifier There could be chance of edl download mode written by qcom-dload-mode driver overwritten by Scm device shutdown call as the reboot notifiers gets called prior to device_shutdown in reboot path. To fix this convert the reboot notifiers to restart notifiers and keep its priority higher than scm restart handler so that warm reboot_mode set here should be seen by SCM restart handler (priority 130). Change-Id: I2daa41d04788e525f274323e9c815bf10cb79ed2 Signed-off-by: Mukesh Ojha Signed-off-by: Rohit Agarwal --- drivers/firmware/qcom_scm.c | 1 + drivers/power/reset/qcom-dload-mode.c | 36 +++++++++++---------------- 2 files changed, 15 insertions(+), 22 deletions(-) diff --git a/drivers/firmware/qcom_scm.c b/drivers/firmware/qcom_scm.c index ea41ae1d5bf5..5b6543836b50 100644 --- a/drivers/firmware/qcom_scm.c +++ b/drivers/firmware/qcom_scm.c @@ -1229,6 +1229,7 @@ static void qcom_scm_shutdown(struct platform_device *pdev) { qcom_scm_disable_sdi(); qcom_scm_halt_spmi_pmic_arbiter(); + /* Clean shutdown, disable download mode to allow normal restart */ qcom_scm_set_download_mode(QCOM_DOWNLOAD_NODUMP, 0); } diff --git a/drivers/power/reset/qcom-dload-mode.c b/drivers/power/reset/qcom-dload-mode.c index 113db59c2aab..ec181d36f373 100644 
--- a/drivers/power/reset/qcom-dload-mode.c +++ b/drivers/power/reset/qcom-dload-mode.c @@ -24,7 +24,7 @@ enum qcom_download_dest { struct qcom_dload { struct notifier_block panic_nb; - struct notifier_block reboot_nb; + struct notifier_block restart_nb; struct kobject kobj; bool in_panic; @@ -251,28 +251,15 @@ static int qcom_dload_panic(struct notifier_block *this, unsigned long event, return NOTIFY_OK; } -static int qcom_dload_reboot(struct notifier_block *this, unsigned long event, +static int qcom_dload_restart(struct notifier_block *this, unsigned long event, void *ptr) { char *cmd = ptr; - struct qcom_dload *poweroff = container_of(this, struct qcom_dload, - reboot_nb); - /* Clean shutdown, disable dump mode to allow normal restart */ - if (!poweroff->in_panic) - set_download_mode(QCOM_DOWNLOAD_NODUMP); - - if (cmd) { - if (!strcmp(cmd, "edl")) { - early_pcie_init_enable ? set_download_mode(QCOM_EDLOAD_PCI_MODE) - : set_download_mode(QCOM_DOWNLOAD_EDL); - } - else if (!strcmp(cmd, "qcom_dload")) - msm_enable_dump_mode(true); - } - - if (current_download_mode != QCOM_DOWNLOAD_NODUMP) + if (cmd && !strcmp(cmd, "edl")) { + set_download_mode(QCOM_DOWNLOAD_EDL); reboot_mode = REBOOT_WARM; + } return NOTIFY_OK; } @@ -381,9 +368,14 @@ static int qcom_dload_probe(struct platform_device *pdev) atomic_notifier_chain_register(&panic_notifier_list, &poweroff->panic_nb); - poweroff->reboot_nb.notifier_call = qcom_dload_reboot; - poweroff->reboot_nb.priority = 255; - register_reboot_notifier(&poweroff->reboot_nb); + poweroff->restart_nb.notifier_call = qcom_dload_restart; + /* Here, Restart handler priority should be higher than + * of restart handler present in scm driver so that + * reboot_mode set by this handler seen by SCM's one + * for EDL mode. + */ + poweroff->restart_nb.priority = 131; + register_restart_handler(&poweroff->restart_nb); platform_set_drvdata(pdev, poweroff); 
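Review bot: qcom_dload_restart (qcom-dload-mode.c) keeps only the "edl" case, so the conversion drops three behaviours of the old reboot notifier that the commit message does not mention. These are the `qcom_dload` command that called `msm_enable_dump_mode(true)`, the QCOM_EDLOAD_PCI_MODE choice when `early_pcie_init_enable` is set, and `reboot_mode = REBOOT_WARM` whenever the current download mode is not QCOM_DOWNLOAD_NODUMP. If the removals are intended the description should say so; if not, a panic or dump-mode reboot may no longer preserve memory for collection. Restart handlers are called from an atomic notifier chain, so set_download_mode() (defined outside this hunk) should be checked for anything that can sleep. In the probe hunk, the comment above `priority = 131` could name the SCM handler's priority (130, per the commit message) so the coupling between the two literals is visible in the code.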
@@ -396,7 +388,7 @@ static int qcom_dload_remove(struct platform_device *pdev) atomic_notifier_chain_unregister(&panic_notifier_list, &poweroff->panic_nb); - unregister_reboot_notifier(&poweroff->reboot_nb); + unregister_restart_handler(&poweroff->restart_nb); if (poweroff->dload_dest_addr) iounmap(poweroff->dload_dest_addr);