author | Vishal Agarwal <agarwalvishal@google.com> | 2019-05-09 17:36:43 -0700 |
---|---|---|
committer | Vishal Agarwal <agarwalvishal@google.com> | 2019-05-09 17:36:43 -0700 |
commit | a195d14b4165c0286851d722c2fea86e0746e367 (patch) | |
tree | 7d8ada5762e52abadf378afb6b42b28c6aa64983 | |
parent | 92605b1b55ecd5d7991a4c5c8383da9a43d65eee (diff) | |
parent | 029cf9bc93722588df11846a203961ccb99c647b (diff) |
Merge branch 'android-msm-wahoo-4.4-pi-qpr2' into android-msm-wahoo-4.4-pi-qpr3android-9.0.0_r0.96
JULY 2019.4
Bug:131238758
Change-Id: Iecc008ed2c581d13d69b50ad1715c3a618f6bba2
Signed-off-by: Vishal Agarwal <agarwalvishal@google.com>
-rw-r--r-- | drivers/char/adsprpc.c | 31 | ||||
-rw-r--r-- | drivers/staging/android/ion/ion_system_heap.c | 6 | ||||
-rw-r--r-- | drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_main.c | 7 | ||||
-rw-r--r-- | drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_disassoc_frame.c | 13 | ||||
-rw-r--r-- | drivers/staging/qcacld-3.0/core/sme/src/rrm/sme_rrm.c | 8 | ||||
-rw-r--r-- | sound/soc/msm/qdsp6v2/q6afe.c | 26 | ||||
-rw-r--r-- | sound/soc/msm/qdsp6v2/q6asm.c | 73 |
7 files changed, 142 insertions, 22 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c index 66fca9a640c3..931dd26f77d4 100644 --- a/drivers/char/adsprpc.c +++ b/drivers/char/adsprpc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2018, The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -78,6 +78,7 @@ #define FASTRPC_LINK_DISCONNECTING (0x7) #define PERF_KEYS "count:flush:map:copy:glink:getargs:putargs:invalidate:invoke" +#define FASTRPC_STATIC_HANDLE_KERNEL (1) #define FASTRPC_STATIC_HANDLE_LISTENER (3) #define FASTRPC_STATIC_HANDLE_MAX (20) @@ -1507,14 +1508,24 @@ static int fastrpc_internal_invoke(struct fastrpc_file *fl, uint32_t mode, int err = 0; struct timespec invoket = {0}; + if (fl->profile) + getnstimeofday(&invoket); + + if (!kernel) { + VERIFY(err, invoke->handle != FASTRPC_STATIC_HANDLE_KERNEL); + if (err) { + pr_err("adsprpc: ERROR: %s: user application %s trying to send a kernel RPC message to channel %d", + __func__, current->comm, cid); + goto bail; + } + } + VERIFY(err, fl->sctx != NULL); if (err) goto bail; VERIFY(err, fl->cid >= 0 && fl->cid < NUM_CHANNELS); if (err) goto bail; - if (fl->profile) - getnstimeofday(&invoket); if (!kernel) { VERIFY(err, 0 == context_restore_interrupted(fl, inv, &ctx)); @@ -1617,7 +1628,7 @@ static int fastrpc_init_process(struct fastrpc_file *fl, int tgid = current->tgid; ra[0].buf.pv = (void *)&tgid; ra[0].buf.len = sizeof(tgid); - ioctl.inv.handle = 1; + ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL; ioctl.inv.sc = REMOTE_SCALARS_MAKE(0, 1, 0); ioctl.inv.pra = ra; ioctl.fds = NULL; 
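Review bot: The new `pr_err` in the `!kernel` branch of fastrpc_internal_invoke fires whenever a caller on the non-kernel path passes `FASTRPC_STATIC_HANDLE_KERNEL` as `invoke->handle`. It is neither rate-limited nor newline-terminated, so a process that repeats the call can flood the kernel log. I would use `pr_err_ratelimited(...)` and end the format string with `\n`. The hunk also moves the `getnstimeofday(&invoket)` profiling call ahead of the `fl->sctx` and `fl->cid` checks; how the bail path uses `invoket` is outside the hunk, so that reordering deserves a one-line comment. The function body starts and ends outside the hunk.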
@@ -1690,7 +1701,7 @@ static int fastrpc_init_process(struct fastrpc_file *fl, ra[5].buf.len = sizeof(inbuf.siglen); fds[5] = 0; - ioctl.inv.handle = 1; + ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL; ioctl.inv.sc = REMOTE_SCALARS_MAKE(6, 4, 0); if (uproc->attrs) ioctl.inv.sc = REMOTE_SCALARS_MAKE(7, 6, 0); @@ -1761,7 +1772,7 @@ static int fastrpc_init_process(struct fastrpc_file *fl, ra[2].buf.pv = (void *)pages; ra[2].buf.len = sizeof(*pages); fds[2] = 0; - ioctl.inv.handle = 1; + ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL; ioctl.inv.sc = REMOTE_SCALARS_MAKE(8, 3, 0); ioctl.inv.pra = ra; @@ -1805,7 +1816,7 @@ static int fastrpc_release_current_dsp_process(struct fastrpc_file *fl) tgid = fl->tgid; ra[0].buf.pv = (void *)&tgid; ra[0].buf.len = sizeof(tgid); - ioctl.inv.handle = 1; + ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL; ioctl.inv.sc = REMOTE_SCALARS_MAKE(1, 1, 0); ioctl.inv.pra = ra; ioctl.fds = NULL; @@ -1848,7 +1859,7 @@ static int fastrpc_mmap_on_dsp(struct fastrpc_file *fl, uint32_t flags, ra[2].buf.pv = (void *)&routargs; ra[2].buf.len = sizeof(routargs); - ioctl.inv.handle = 1; + ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL; if (fl->apps->compat) ioctl.inv.sc = REMOTE_SCALARS_MAKE(4, 2, 1); else @@ -1905,7 +1916,7 @@ static int fastrpc_munmap_on_dsp_rh(struct fastrpc_file *fl, ra[0].buf.pv = (void *)&routargs; ra[0].buf.len = sizeof(routargs); - ioctl.inv.handle = 1; + ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL; ioctl.inv.sc = REMOTE_SCALARS_MAKE(7, 0, 1); ioctl.inv.pra = ra; ioctl.fds = NULL; @@ -1953,7 +1964,7 @@ static int fastrpc_munmap_on_dsp(struct fastrpc_file *fl, ra[0].buf.pv = (void *)&inargs; ra[0].buf.len = sizeof(inargs); - ioctl.inv.handle = 1; + ioctl.inv.handle = FASTRPC_STATIC_HANDLE_KERNEL; if (fl->apps->compat) ioctl.inv.sc = REMOTE_SCALARS_MAKE(5, 1, 0); else diff --git a/drivers/staging/android/ion/ion_system_heap.c b/drivers/staging/android/ion/ion_system_heap.c index a8b3ffca2f12..ff0463638015 100644 
--- a/drivers/staging/android/ion/ion_system_heap.c +++ b/drivers/staging/android/ion/ion_system_heap.c @@ -2,7 +2,7 @@ * drivers/staging/android/ion/ion_system_heap.c * * Copyright (C) 2011 Google, Inc. - * Copyright (c) 2011-2018, The Linux Foundation. All rights reserved. + * Copyright (c) 2011-2019, The Linux Foundation. All rights reserved. * * This software is licensed under the terms of the GNU General Public * License version 2, as published by the Free Software Foundation, and @@ -265,6 +265,9 @@ static struct page_info *alloc_from_pool_preferred( struct page_info *info; int i; + if (buffer->flags & ION_FLAG_POOL_FORCE_ALLOC) + goto force_alloc; + info = kmalloc(sizeof(*info), GFP_KERNEL); if (!info) return NULL; @@ -296,6 +299,7 @@ static struct page_info *alloc_from_pool_preferred( } kfree(info); +force_alloc: return alloc_largest_available(heap, buffer, size, max_order); } diff --git a/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_main.c b/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_main.c index 4112efd69fb5..1e3401dc8c69 100644 --- a/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_main.c +++ b/drivers/staging/qcacld-3.0/core/hdd/src/wlan_hdd_main.c @@ -8166,6 +8166,8 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind) hdd_adapter_t *adapter = NULL; void *cds_context = NULL; int i; + struct ieee80211_mgmt *mgmt = + (struct ieee80211_mgmt *)frame_ind->frameBuf; /* Get the global VOSS context.*/ cds_context = cds_get_global_context(); @@ -8179,6 +8181,11 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind) if (0 != wlan_hdd_validate_context(hdd_ctx)) return; + if (frame_ind->frame_len < ieee80211_hdrlen(mgmt->frame_control)) { + hdd_err(" Invalid frame length"); + return; + } + if (SME_SESSION_ID_ANY == frame_ind->sessionId) { for (i = 0; i < CSR_ROAM_SESSION_MAX; i++) { adapter = 
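Review bot: In alloc_from_pool_preferred the `goto force_alloc` jumps over the whole pool lookup to a label placed right after `kfree(info)`, which reads as if `info` had been allocated on that path. An early return says the same thing without the label: `if (buffer->flags & ION_FLAG_POOL_FORCE_ALLOC) return alloc_largest_available(heap, buffer, size, max_order);`. A short comment on why this flag bypasses the preferred pool would help too, since the flag's definition is not part of this diff. The middle of the function lies between the two hunks and is not shown.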
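Review bot: The added length check in hdd_indicate_mgmt_frame reads `mgmt->frame_control` to compute the header length before confirming that `frame_len` covers those two bytes. A zero- or one-byte frame is therefore still parsed from whatever `frameBuf` holds. Guard the field first: `if (frame_ind->frame_len < sizeof(mgmt->frame_control) || frame_ind->frame_len < ieee80211_hdrlen(mgmt->frame_control))`. The `mgmt` initializer in the previous hunk also dereferences `frame_ind` at declaration; no NULL check on `frame_ind` is visible, so confirm the caller guarantees it. Including the rejected length in the `hdd_err` message would make the drop diagnosable.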
diff --git a/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_disassoc_frame.c b/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_disassoc_frame.c index c8ae79fc8618..e36ecc939f35 100644 --- a/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_disassoc_frame.c +++ b/drivers/staging/qcacld-3.0/core/mac/src/pe/lim/lim_process_disassoc_frame.c @@ -77,13 +77,12 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo, uint16_t aid, reasonCode; tpSirMacMgmtHdr pHdr; tpDphHashNode pStaDs; -#ifdef WLAN_FEATURE_11W - uint32_t frameLen; -#endif + uint32_t frame_len; int32_t frame_rssi; pHdr = WMA_GET_RX_MAC_HEADER(pRxPacketInfo); pBody = WMA_GET_RX_MPDU_DATA(pRxPacketInfo); + frame_len = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo); frame_rssi = (int32_t)WMA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo); @@ -137,11 +136,10 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo, /* If the frame received is unprotected, forward it to the supplicant to initiate */ /* an SA query */ - frameLen = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo); /* send the unprotected frame indication to SME */ lim_send_sme_unprotected_mgmt_frame_ind(pMac, pHdr->fc.subType, (uint8_t *) pHdr, - (frameLen + + (frame_len + sizeof(tSirMacMgmtHdr)), psessionEntry->smeSessionId, psessionEntry); @@ -149,6 +147,11 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo, } #endif + if (frame_len < 2) { + pe_err("frame len less than 2"); + return; + } + /* Get reasonCode from Disassociation frame body */ reasonCode = sir_read_u16(pBody); diff --git a/drivers/staging/qcacld-3.0/core/sme/src/rrm/sme_rrm.c b/drivers/staging/qcacld-3.0/core/sme/src/rrm/sme_rrm.c index 38b756042902..8e7cba1a4e47 100644 --- a/drivers/staging/qcacld-3.0/core/sme/src/rrm/sme_rrm.c +++ b/drivers/staging/qcacld-3.0/core/sme/src/rrm/sme_rrm.c 
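Review bot: The `frame_len < 2` guard before `sir_read_u16(pBody)` uses a bare literal for the reason-code size and its message does not report the length that was rejected. Tie it to the field being read: `if (frame_len < sizeof(reasonCode)) { pe_err("disassoc frame too short: %u", frame_len); return; }`. The guard sits after the `WLAN_FEATURE_11W` block, so any read of `pBody` between the first hunk and this point would still run on a short frame. That code is outside the hunks and should be checked.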
@@ -845,6 +845,14 @@ QDF_STATUS sme_rrm_process_beacon_report_req_ind(tpAniSirGlobal pMac, sme_debug("Received Beacon report request ind Channel = %d", pBeaconReq->channelInfo.channelNum); + + if (pBeaconReq->channelList.numChannels > + SIR_ESE_MAX_MEAS_IE_REQS) { + sme_err("Beacon report request numChannels:%u exceeds max num channels", + pBeaconReq->channelList.numChannels); + return QDF_STATUS_E_INVAL; + } + /* section 11.10.8.1 (IEEE Std 802.11k-2008) */ /* channel 0 and 255 has special meaning. */ if ((pBeaconReq->channelInfo.channelNum == 0) || diff --git a/sound/soc/msm/qdsp6v2/q6afe.c b/sound/soc/msm/qdsp6v2/q6afe.c index f45bb530c118..de9e5475032b 100644 --- a/sound/soc/msm/qdsp6v2/q6afe.c +++ b/sound/soc/msm/qdsp6v2/q6afe.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2017, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2017, 2019 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -291,6 +291,15 @@ static int32_t sp_make_afe_callback(uint32_t *payload, uint32_t payload_size) return 0; } +static bool afe_token_is_valid(uint32_t token) +{ + if (token >= AFE_MAX_PORTS) { + pr_err("%s: token %d is invalid.\n", __func__, token); + return false; + } + return true; +} + static int32_t afe_callback(struct apr_client_data *data, void *priv) { if (!data) { @@ -395,7 +404,10 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) case AFE_PORTS_CMD_DTMF_CTL: case AFE_SVC_CMD_SET_PARAM: atomic_set(&this_afe.state, 0); - wake_up(&this_afe.wait[data->token]); + if (afe_token_is_valid(data->token)) + wake_up(&this_afe.wait[data->token]); + else + return -EINVAL; break; case AFE_SERVICE_CMD_REGISTER_RT_PORT_DRIVER: break; 
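Review bot: The bound applied to `pBeaconReq->channelList.numChannels` is `SIR_ESE_MAX_MEAS_IE_REQS`, whose name refers to ESE measurement requests rather than to the capacity of the channel array this count is later used with. The array declaration and the code that consumes the list are outside the hunk, so the limit cannot be confirmed from here. If the two differ, the check should use the array's own size. I would also add a comment above the check, such as `/* numChannels is taken from the received request; it must not exceed the capacity of the channel array */`.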
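Review bot: afe_token_is_valid prints a `uint32_t` with `%d`, so the out-of-range values this helper exists to report are shown as negative numbers once they exceed INT_MAX. Use `%u`: `pr_err("%s: token %u is invalid.\n", __func__, token);`. A one-line comment stating that the token is used as an index into `this_afe.wait[]` would document the purpose of the bound. That the array has `AFE_MAX_PORTS` entries is not visible in this diff and should be confirmed.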
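Review bot: In afe_callback the token is validated only after `atomic_set(&this_afe.state, 0)` has run, so a message carrying an out-of-range token still resets `this_afe.state` before the function returns `-EINVAL`. Checking first leaves the shared state untouched on a bad message: place `if (!afe_token_is_valid(data->token)) return -EINVAL;` ahead of the `atomic_set`. The same ordering appears in the `AFE_CMD_ADD_TOPOLOGIES` hunk and in the mmap-handle hunk that follow, where `this_afe.mmap_handle` is also written before the check. The function body extends outside these hunks.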
@@ -407,7 +419,10 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) break; case AFE_CMD_ADD_TOPOLOGIES: atomic_set(&this_afe.state, 0); - wake_up(&this_afe.wait[data->token]); + if (afe_token_is_valid(data->token)) + wake_up(&this_afe.wait[data->token]); + else + return -EINVAL; pr_debug("%s: AFE_CMD_ADD_TOPOLOGIES cmd 0x%x\n", __func__, payload[1]); break; @@ -429,7 +444,10 @@ static int32_t afe_callback(struct apr_client_data *data, void *priv) else this_afe.mmap_handle = payload[0]; atomic_set(&this_afe.state, 0); - wake_up(&this_afe.wait[data->token]); + if (afe_token_is_valid(data->token)) + wake_up(&this_afe.wait[data->token]); + else + return -EINVAL; } else if (data->opcode == AFE_EVENT_RT_PROXY_PORT_STATUS) { port_id = (uint16_t)(0x0000FFFF & payload[0]); } diff --git a/sound/soc/msm/qdsp6v2/q6asm.c b/sound/soc/msm/qdsp6v2/q6asm.c index 04cee0c8a2fe..3ad7fc3edd6c 100644 --- a/sound/soc/msm/qdsp6v2/q6asm.c +++ b/sound/soc/msm/qdsp6v2/q6asm.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2018, The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. * Author: Brian Swetland <swetland@google.com> * * This software is licensed under the terms of the GNU General Public @@ -3420,6 +3420,12 @@ int q6asm_open_shared_io(struct audio_client *ac, if (!ac || !config) return -EINVAL; + if (config->channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, + config->channels); + return -EINVAL; + } + bufsz = config->bufsz; bufcnt = config->bufcnt; num_watermarks = 0; 
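Review bot: The channel-count guard added to q6asm_open_shared_io is repeated almost verbatim in the hunks that follow (q6asm_enc_cfg_blk_pcm_v4/v3/v2/native, the __q6asm_media_format_block_* variants and q6asm_media_format_block_gen_compr), and each copy checks only the upper bound. A small static helper in the style of `afe_token_is_valid` in q6afe.c would keep the limit and the message in one place. It could also reject a count of zero, provided no caller relies on zero. The count is printed with `%d`; where `channels` is unsigned, which the hunks do not show for every signature, `%u` is the matching specifier.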
@@ -3879,6 +3885,13 @@ int q6asm_set_encdec_chan_map(struct audio_client *ac, int rc = 0; pr_debug("%s: Session %d, num_channels = %d\n", __func__, ac->session, num_channels); + + if (num_channels > MAX_CHAN_MAP_CHANNELS) { + pr_err("%s: Invalid channel count %d\n", __func__, + num_channels); + return -EINVAL; + } + q6asm_add_hdr(ac, &chan_map.hdr, sizeof(chan_map), TRUE); atomic_set(&ac->cmd_state, -1); chan_map.hdr.opcode = ASM_STREAM_CMD_SET_ENCDEC_PARAM; @@ -3957,6 +3970,12 @@ int q6asm_enc_cfg_blk_pcm_v4(struct audio_client *ac, goto fail_cmd; } + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + rc = -EINVAL; + goto fail_cmd; + } + pr_debug("%s: session[%d]rate[%d]ch[%d]bps[%d]wordsize[%d]\n", __func__, ac->session, rate, channels, bits_per_sample, sample_word_size); @@ -4056,6 +4075,12 @@ int q6asm_enc_cfg_blk_pcm_v3(struct audio_client *ac, goto fail_cmd; } + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + rc = -EINVAL; + goto fail_cmd; + } + pr_debug("%s: session[%d]rate[%d]ch[%d]bps[%d]wordsize[%d]\n", __func__, ac->session, rate, channels, bits_per_sample, sample_word_size); @@ -4138,6 +4163,11 @@ int q6asm_enc_cfg_blk_pcm_v2(struct audio_client *ac, return -EINVAL; } + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + return -EINVAL; + } + pr_debug("%s: Session %d, rate = %d, channels = %d\n", __func__, ac->session, rate, channels); @@ -4293,9 +4323,13 @@ int q6asm_enc_cfg_blk_pcm_native(struct audio_client *ac, struct asm_multi_channel_pcm_enc_cfg_v2 enc_cfg; u8 *channel_mapping; u32 frames_per_buf = 0; - int rc = 0; + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + return -EINVAL; + } + pr_debug("%s: Session %d, rate = %d, channels = %d\n", __func__, ac->session, rate, channels); 
@@ -4782,6 +4816,11 @@ static int __q6asm_media_format_block_pcm(struct audio_client *ac, u8 *channel_mapping; int rc = 0; + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + return -EINVAL; + } + pr_debug("%s: session[%d]rate[%d]ch[%d]\n", __func__, ac->session, rate, channels); @@ -4864,6 +4903,11 @@ static int __q6asm_media_format_block_pcm_v3(struct audio_client *ac, u8 *channel_mapping; int rc; + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + return -EINVAL; + } + pr_debug("%s: session[%d]rate[%d]ch[%d]bps[%d]wordsize[%d]\n", __func__, ac->session, rate, channels, bits_per_sample, sample_word_size); @@ -4947,6 +4991,11 @@ static int __q6asm_media_format_block_pcm_v4(struct audio_client *ac, u8 *channel_mapping; int rc; + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + return -EINVAL; + } + pr_debug("%s: session[%d]rate[%d]ch[%d]bps[%d]wordsize[%d]\n", __func__, ac->session, rate, channels, bits_per_sample, sample_word_size); @@ -5135,6 +5184,11 @@ static int __q6asm_media_format_block_multi_ch_pcm(struct audio_client *ac, u8 *channel_mapping; int rc = 0; + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + return -EINVAL; + } + pr_debug("%s: session[%d]rate[%d]ch[%d]\n", __func__, ac->session, rate, channels); @@ -5202,6 +5256,11 @@ static int __q6asm_media_format_block_multi_ch_pcm_v3(struct audio_client *ac, u8 *channel_mapping; int rc; + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + return -EINVAL; + } + pr_debug("%s: session[%d]rate[%d]ch[%d]bps[%d]wordsize[%d]\n", __func__, ac->session, rate, channels, bits_per_sample, sample_word_size); 
@@ -5273,6 +5332,11 @@ static int __q6asm_media_format_block_multi_ch_pcm_v4(struct audio_client *ac, u8 *channel_mapping; int rc; + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + return -EINVAL; + } + pr_debug("%s: session[%d]rate[%d]ch[%d]bps[%d]wordsize[%d]\n", __func__, ac->session, rate, channels, bits_per_sample, sample_word_size); @@ -5430,6 +5494,11 @@ int q6asm_media_format_block_gen_compr(struct audio_client *ac, u8 *channel_mapping; int rc = 0; + if (channels > PCM_FORMAT_MAX_NUM_CHANNEL) { + pr_err("%s: Invalid channel count %d\n", __func__, channels); + return -EINVAL; + } + pr_debug("%s: session[%d]rate[%d]ch[%d]bps[%d]\n", __func__, ac->session, rate, channels, bits_per_sample); |