authorMichael Bestas <mkbestas@lineageos.org>2022-11-05 17:51:13 +0200
committerMichael Bestas <mkbestas@lineageos.org>2022-11-05 17:51:13 +0200
commit7dbda95466d5447b89c0209f0086815bbecc5e2f (patch)
tree706dcb52841614b589db43dbc4d9b62d6a6c4c79 /drivers/char
parent369119e5df4e48f1e737791e781da185b7810921 (diff)
parent67887f6ac3f11fd5ee1639e18d854e6071e58c51 (diff)
Merge tag 'LA.UM.8.4.c25-06600-8x98.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.4 into android13-4.4-msm8998
"LA.UM.8.4.c25-06600-8x98.0" * tag 'LA.UM.8.4.c25-06600-8x98.0' of https://git.codelinaro.org/clo/la/kernel/msm-4.4: diag: Prevent out of bound write while sending dci pkt to remote diag: Ensure dci entry is valid before sending the packet ion: Fix integer overflow in msm_ion_custom_ioctl diag: Use valid data_source for a valid token msm: kgsl: Remove 'fd' dependency to get dma_buf handle msm: kgsl: Fix gpuaddr_in_range() to check upper bound msm: adsprpc: Handle UAF in fastrpc debugfs read msm: kgsl: Add a sysfs node to control performance counter reads msm: kgsl: Perform cache flush on the pages obtained using get_user_pages() soc: qcom: hab: Add sanity check for payload_count msm: kgsl: Fix out of bound write in adreno_profile_submit_time futex: Fix inode life-time issue futex: Handle faults correctly for PI futexes futex: Simplify fixup_pi_state_owner() futex: Use pi_state_update_owner() in put_pi_state() rtmutex: Remove unused argument from rt_mutex_proxy_unlock() futex: Provide and use pi_state_update_owner() futex: Replace pointless printk in fixup_owner() futex: Avoid violating the 10th rule of futex futex: Rework inconsistent rt_mutex/futex_q state futex: Remove rt_mutex_deadlock_account_*() futex,rt_mutex: Provide futex specific rt_mutex API msm: adsprpc: Handle UAF in process shell memory Disable TRACER Check to improve Camera Performance msm: kgsl: Deregister gpu address on memdesc_sg_virt failure crypto: Fix possible stack out-of-bound error msm: kgsl: Correct the refcount on current process PID. msm: kgsl: Compare pid pointer instead of TGID for a new process qcom,max-freq-level change for trial msm: kgsl: Protect the memdesc->gpuaddr in SVM use cases. msm: kgsl: Stop using memdesc->usermem. 
Conflicts: drivers/char/adsprpc.c drivers/char/diag/diag_dci.c drivers/gpu/msm/kgsl.c drivers/gpu/msm/kgsl_debugfs.c drivers/gpu/msm/kgsl_iommu.c drivers/gpu/msm/kgsl_mmu.c drivers/gpu/msm/kgsl_sharedmem.c drivers/gpu/msm/kgsl_trace.h kernel/futex.c kernel/locking/rtmutex.c kernel/locking/rtmutex_common.h Change-Id: I777ee96b855e2967ef6733e603d12f40174974d0
Diffstat (limited to 'drivers/char')
-rw-r--r--drivers/char/adsprpc.c11
-rw-r--r--drivers/char/diag/diag_dci.c20
2 files changed, 26 insertions, 5 deletions
diff --git a/drivers/char/adsprpc.c b/drivers/char/adsprpc.c
index b5b239eb6dc3..69bfaa0bc6f4 100644
--- a/drivers/char/adsprpc.c
+++ b/drivers/char/adsprpc.c
@@ -2747,6 +2747,7 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
char *fileinfo = NULL;
char single_line[UL_SIZE] = "----------------";
char title[UL_SIZE] = "=========================";
+ unsigned long irq_flags = 0;
fileinfo = kzalloc(DEBUGFS_SIZE, GFP_KERNEL);
if (!fileinfo)
@@ -2809,6 +2810,7 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%s%s%s%s%s\n", single_line, single_line,
single_line, single_line, single_line);
+ spin_lock_irqsave(&me->hlock, irq_flags);
hlist_for_each_entry_safe(gmaps, n, &me->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20d|0x%-18llX|0x%-18X|0x%-20lX\n\n",
@@ -2816,18 +2818,21 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
(uint32_t)gmaps->size,
gmaps->va);
}
+ spin_unlock_irqrestore(&me->hlock, irq_flags);
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20s|%-20s|%-20s|%-20s\n",
"len", "refs", "raddr", "flags");
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%s%s%s%s%s\n", single_line, single_line,
single_line, single_line, single_line);
+ spin_lock_irqsave(&me->hlock, irq_flags);
hlist_for_each_entry_safe(gmaps, n, &me->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"0x%-18X|%-20d|%-20lu|%-20u\n",
(uint32_t)gmaps->len, gmaps->refs,
gmaps->raddr, gmaps->flags);
}
+ spin_unlock_irqrestore(&me->hlock, irq_flags);
} else {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"\n%s %13s %d\n", "cid", ":", fl->cid);
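Review bot: The lock on `me->hlock` is released after the first walk of `me->maps` and re-taken for the second, so the two tables can describe different list contents if a map is added or removed in between. Each walk is safe on its own, but the rows of the "len/refs/raddr/flags" table are not guaranteed to line up with the table above it. Holding one `spin_lock_irqsave(&me->hlock, irq_flags)` section across both loops would give a consistent snapshot, since `scnprintf()` into the preallocated `fileinfo` buffer does not sleep. The same split appears in the three `fl->map_mutex` sections in the later hunks of this file. As a point of style, nothing is deleted inside these loops, so `hlist_for_each_entry(gmaps, &me->maps, hn)` would do and the `_safe` variant only suggests removal that does not happen.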
@@ -2869,6 +2874,7 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
"%s%s%s%s%s\n",
single_line, single_line, single_line,
single_line, single_line);
+ mutex_lock(&fl->map_mutex);
hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"0x%-20lX|0x%-20llX|0x%-20zu\n\n",
@@ -2878,6 +2884,7 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
"%s %d\n\n",
"DEV_MINOR:", fl->dev_minor);
}
+ mutex_unlock(&fl->map_mutex);
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20s|%-20s|%-20s|%-20s\n",
"len", "refs",
@@ -2886,23 +2893,27 @@ static ssize_t fastrpc_debugfs_read(struct file *filp, char __user *buffer,
"%s%s%s%s%s\n",
single_line, single_line, single_line,
single_line, single_line);
+ mutex_lock(&fl->map_mutex);
hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20zu|%-20d|0x%-20lX|%-20d\n\n",
map->len, map->refs, map->raddr,
map->uncached);
}
+ mutex_unlock(&fl->map_mutex);
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20s|%-20s\n", "secure", "attr");
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%s%s%s%s%s\n",
single_line, single_line, single_line,
single_line, single_line);
+ mutex_lock(&fl->map_mutex);
hlist_for_each_entry_safe(map, n, &fl->maps, hn) {
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"%-20d|0x%-20lX\n\n",
map->secure, map->attr);
}
+ mutex_unlock(&fl->map_mutex);
len += scnprintf(fileinfo + len, DEBUGFS_SIZE - len,
"\n%s %s %s\n", title,
" LIST OF PENDING SMQCONTEXTS ", title);
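Review bot: The walks of `fl->maps` take `fl->map_mutex`, while the walks of `me->maps` earlier in the function take the `me->hlock` spinlock, and nothing in these hunks shows which lock the writers of each list hold. The added locking only closes the use-after-free if every add and remove on `fl->maps` runs under `map_mutex`; that is presumably the case, but it should be confirmed against the map add/free paths, which are outside this diff. A short comment at the first `mutex_lock(&fl->map_mutex);` would record the rule, for example `/* fl->maps is modified under fl->map_mutex; hold it for every walk */`. The body of `fastrpc_debugfs_read` starts and ends outside the hunks.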
diff --git a/drivers/char/diag/diag_dci.c b/drivers/char/diag/diag_dci.c
index 973bc3b1c5b5..ed52ebbb786a 100644
--- a/drivers/char/diag/diag_dci.c
+++ b/drivers/char/diag/diag_dci.c
@@ -1,4 +1,5 @@
/* Copyright (c) 2012-2021, The Linux Foundation. All rights reserved.
+ * Copyright (c) 2022 Qualcomm Innovation Center, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1615,7 +1616,6 @@ static int diag_send_dci_pkt(struct diag_cmd_reg_t *entry,
return -EIO;
}
- mutex_lock(&driver->dci_mutex);
/* prepare DCI packet */
header.start = CONTROL_CHAR;
header.version = 1;
@@ -1634,7 +1634,6 @@ static int diag_send_dci_pkt(struct diag_cmd_reg_t *entry,
diag_update_pkt_buffer(driver->apps_dci_buf, write_len,
DCI_PKT_TYPE);
diag_update_sleeping_process(entry->pid, DCI_PKT_TYPE);
- mutex_unlock(&driver->dci_mutex);
return DIAG_DCI_NO_ERROR;
}
@@ -1654,7 +1653,6 @@ static int diag_send_dci_pkt(struct diag_cmd_reg_t *entry,
entry->proc);
status = DIAG_DCI_SEND_DATA_FAIL;
}
- mutex_unlock(&driver->dci_mutex);
return status;
}
@@ -1734,7 +1732,16 @@ static int diag_send_dci_pkt_remote(unsigned char *data, int len, int tag,
write_len += dci_header_size;
*(int *)(buf + write_len) = tag;
write_len += sizeof(int);
- memcpy(buf + write_len, data, len);
+ if ((write_len + len) < DIAG_MDM_BUF_SIZE) {
+ memcpy(buf + write_len, data, len);
+ } else {
+ pr_err("diag: skip writing invalid length packet, token: %d, pkt_len: %d\n",
+ token, (write_len + len));
+ spin_lock_irqsave(&driver->dci_mempool_lock, flags);
+ diagmem_free(driver, buf, dci_ops_tbl[token].mempool);
+ spin_unlock_irqrestore(&driver->dci_mempool_lock, flags);
+ return -EAGAIN;
+ }
write_len += len;
*(buf + write_len) = CONTROL_CHAR; /* End Terminator */
write_len += sizeof(uint8_t);
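Review bot: The new bound `(write_len + len) < DIAG_MDM_BUF_SIZE` only limits the sum from above, so a negative `len` passes the test and is then converted to a very large `size_t` by `memcpy(buf + write_len, data, len)`. Unless `len` is validated earlier in `diag_send_dci_pkt_remote` (the start of the function is outside the hunk), the guard should reject it and avoid the signed addition, e.g. `if (len >= 0 && len < DIAG_MDM_BUF_SIZE - write_len) {`. The check also assumes that `buf` from `dci_ops_tbl[token].mempool` is at least `DIAG_MDM_BUF_SIZE` bytes, which is not visible here and deserves a comment. The rejection path returns `-EAGAIN` for a packet that can never fit, so `-EINVAL` may be a clearer signal to callers. Its `pr_err` is reachable on every oversized request and could be rate-limited with `pr_err_ratelimited`.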
@@ -2115,8 +2122,11 @@ static int diag_process_dci_pkt_rsp(unsigned char *buf, int len)
if (temp_entry) {
reg_item = container_of(temp_entry, struct diag_cmd_reg_t,
entry);
- ret = diag_send_dci_pkt(reg_item, req_buf, req_len,
+ mutex_lock(&driver->dci_mutex);
+ if (req_entry)
+ ret = diag_send_dci_pkt(reg_item, req_buf, req_len,
req_entry->tag);
+ mutex_unlock(&driver->dci_mutex);
} else {
DIAG_LOG(DIAG_DEBUG_DCI, "Command not found: %02x %02x %02x\n",
reg_entry.cmd_code, reg_entry.subsys_id,
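Review bot: The added `if (req_entry)` tests only that the pointer is non-NULL, which does not show the entry is still live if it was looked up before `mutex_lock(&driver->dci_mutex)` was taken here. The lookup is outside the hunk, so confirm that `req_entry` cannot be freed between that lookup and this lock, or repeat the lookup under the mutex. When `req_entry` is NULL, `ret` keeps whatever value it had before this branch, so an explicit `else ret = DIAG_DCI_NO_REG;` (or the code this function uses for a missing entry) would make the result defined. Since `diag_send_dci_pkt` no longer takes `dci_mutex` itself, every other caller must now hold it; `lockdep_assert_held(&driver->dci_mutex);` at the top of that function would document and enforce the new contract.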