When unloading the app, reset all client members to NULL
to protect from accessing the memory after being freed.
Change-Id: I573b9c6fde03539522d2b04724a2246660c62518
Signed-off-by: jitendra thakare <jitendrathakare@codeaurora.org>
Check if the handle data_type received from userspace is valid
for app loaded query request to avoid the offset boundary check
for qseecom_send_modfd_resp being bypassed.
Change-Id: I5f3611a8f830d6904213781c5ba70cfc0ba3e2e0
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change to validate if there exists enough space to write a
uint64 instead of a uint32 value, in __qseecom_update_cmd_buf_64.
Change-Id: Iabf61dea240f16108e1765585aae3a12d2d651c9
Signed-off-by: jitendra thakare <jitendrathakare@codeaurora.org>
To avoid access of variable after being freed, use
list_first_entry_safe function to iterate over list
of given type, safe against removal of list entry.
Change-Id: I70611fddf3e9b80b1affa3e5235be24eac0d0a58
Signed-off-by: Monika Singh <monising@codeaurora.org>
Use put_user API to write the data from kernel space to
userspace to avoid accessing userspace memory directly
in kernel space.
Bug: 65468973
Change-Id: I649fe2597e80ccad50cf16b355e220734810e94c
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
A new smc cmd is added to check RPMB key provision status
Change-Id: I50411bf9ae7f31589be34d7b5aaf48f2c12f0018
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Check size of payload array before access in q6usm_callback.
Change-Id: Id0c85209a053f9dfdb53133aeb6b2510ecf18eb8
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
Check size of payload before access in q6usm_mmapcallback.
Change-Id: Iff0672532c2ea40e7129237a92d8365d6b554cf2
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
The range checking for audio buffer copying in function
"audio_in_write" is using the incorrect buffer size.
Change it to the actual allocated audio buffer size.
Change-Id: Ib7aaa2163c0d99161369eb85d09dc2d23d8c787b
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
Reset app_crash flag to make sure app entry is not freed when
there is another client still being blocked on the same app.
Change-Id: I25d236abc97e60fe8a4abbbc8c086291c764a9c1
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Add mutex unlock in function audio_effects_shared_ioctl
at appropriate place to prevent use after free.
CRs-Fixed: 2123291
Change-Id: Ie0d321dc8cc20a295d102a44faea7e5710834932
Signed-off-by: Tanya Dixit <tdixit@codeaurora.org>
Use put_user API to write the data from kernel space to
userspace to avoid accessing userspace memory directly
in kernel space.
Change-Id: I649fe2597e80ccad50cf16b355e220734810e94c
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
Initialize member value of struct audio_aio_write_param after declaration.
CRs-Fixed: 2091953
Change-Id: Iaf3ff1232e85ae8d26e9d97ce4c2aa3408da7a80
Signed-off-by: Yidong Huang <yidongh@codeaurora.org>
A thread can read audio debugfs entry while another closes the
device. Protect these operations with a mutex and before read
check audio data for a valid pointer.
Change-Id: If29a308c1a8329d7befd047d41abe5f6ab626199
Signed-off-by: Divya Ojha <dojha@codeaurora.org>
Validate a buffer virtual address is fully within the region for an
extended edge case.
CRs-Fixed: 2049911
Signed-off-by: Siena Richard <sienar@codeaurora.org>
Change-Id: I4c56fdd42336d00a2294a8b7cc17c74606e56be2
Make change in __qseecom_load_fw() and qseecom_load_commonlib_image()
to check buffer size before copying img to buffer.
CRs-fixed: 1080290
Change-Id: I0f48666ac948a9571e249598ae7cc19df9036b1d
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
audio_process_event_req does not always succeed. Therefore,
check the return value for audio_process_event_req, and
initialize usr_evt before using it.
CRs-Fixed: 2029798
Change-Id: I4adf682575f5f9233a1a1a533f9c6361af8a5bcf
Signed-off-by: kunleiz <kunleiz@codeaurora.org>
Add mutex around qseecom_set_client_mem_param to prevent an
ioctl thread modifying and corrupting data which is being
processed by another ioctl in the other thread.
Change-Id: I0cfb8afab4001c2913be693dfe44c761b9568893
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make opened device count atomic variable to avoid probable race
condition. Race condition leads to memory leak and list corruption.
Change-Id: I4da98f27d36f616bc8fa7b1a848c20cc7eea04e5
Signed-off-by: Divya Ojha <dojha@codeaurora.org>
Eagle driver is not in use any more.
Remove the code and associated calls
to it.
CRs-Fixed: 1103106
Change-Id: Ice5333861beda9538f0783b70b3267523d16fd2b
Signed-off-by: Alexy Joseph <alexyj@codeaurora.org>
Add mutex protection to avoid simultaneous access to the
same memory by multiple threads.
CRs-Fixed: 2013494
Change-Id: I440ea633ceb7312637c9a3b29d22236166d21a39
Signed-off-by: kunleiz <kunleiz@codeaurora.org>
Variable "load_img_req.img_len" and "load_img_req.mdt_len" are
from user land, so check their values against ion buf length
to avoid buffer overread on QSEE side.
Change-Id: I9e8bfe32d3b0cd5b441ad724543c56467fa5e4da
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
__qseecom_update_cmd_buf_64() called __qseecom_allocate_sg_list_buffer()
to allocate memory from within a for loop. Should it fail on any other
than the first time through the loop, the prior allocations will not be
deallocated. Make change to deallocate memory in this error case.
Change-Id: I8cb71a3b141249d8266aec4890632f200d147405
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Validate a buffer virtual address is fully within the region before
returning the region to ensure functionality for an extended edge
case.
Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654
Signed-off-by: Siena Richard <sienar@codeaurora.org>
CRs-fixed: 1108461
Add range check for cfg->sample_rate to prevent the user space from
providing an invalid sample rate.
CRs-Fixed: 1108109
Change-Id: I17ccda0901aa4ad84d6e2f78679d71aa327f42eb
Signed-off-by: Xiaoyu Ye <benyxy@codeaurora.org>
Release app list entry when __qseecom_get_fw_size() returns error.
Change-Id: I82406c39a2def87395811f442f39b57201766091
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Perform a complete or adequate check of return codes for several
functions, including __qseecom_enable_clk, ion_do_cache_op and
ion_sg_table(), used by qseecom.
Change-Id: Ib1682bdc6d3034a22586af62a3d8986c54d369d5
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change to improve input validation on request and response
buffers' address and length for qseecom_send_service_cmd.
Change-Id: I047e3264333d767541e43b7dadd1727232fd48ef
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change in qseecom_probe() to improve the error return value
checks on some subfunctions, and free memory allocated within
qseecom_retrieve_ce_data.
CRs-fixed: 1075082
Change-Id: I971e555ec8d02ccf4382e83132a696b065a8ff12
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
This change fixes issues regarding the ioctl
QSEECOM_IOCTL_MDTP_CIPHER_DIP_REQ uncovered by fuzzy tests.
Modified handler of above ioctl, not to allow input/output
buffer sizes greater than a fixed defined size.
Change-Id: I69f94a29d939341564f6f3ebfda48fceaa934542
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
Add whitelist support for listener to send modified resp to TZ;
also add whitelist support for kernel client; and change the method
to check whitelist feature.
Change-Id: I0030b0008d6224cda3fdc1f80308a7e9bcfe4405
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>