Structures in shared memory that can be modified by remote
processors may have untrusted values; they should be validated
before use.
Adding proper validation before using fields of shared
structures.
CRs-Fixed: 2421602
Change-Id: I947ed5b0fe5705e5223d75b0ea8aafb36113ca5a
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
Opening of multiple instances of voice_svc user space from app will
lead to pointer dereference of private data within apr callback. As
multi-instance is not supported, added check to deny open() from user
space if previous instance hasn't been closed.
Change-Id: Ia5ef16c69a517760fc9d45530a8a41a333fa2a21
Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
Currently we set CONFIG_CC_OPTIMIZE_FOR_SIZE which suppressed the compiler
warning of unused variables which can lead to undefined behavior e.g. memory
corruption and panic. See https://lkml.org/lkml/2013/3/25/347.
This patch fixes all the uninitialized variables in kernel.
Bug: 33353384
Test: On device
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I0ae1082f447b435d71156d471878ba71aa16c378
Check if packet size is large enough to hold the header.
Change-Id: I7261f8111d8b5f4f7c181e469de248a732242d64
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
Currently we are not validating read and write index of
tx and rx FIFOs before calculating ptr; this can lead to
out-of-bound access. The patch adds proper check for the same.
Change-Id: I7b158e94ae743a90ac364783fe31914ca0fa582b
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Smp2p test code is used internally to test the
functionality of drivers and has no real use case
in end product.
Change-Id: I7a50c077bb71068188b5411424c5782b3d0edbb7
Signed-off-by: Hardik Arya <harya@codeaurora.org>
voice_svc_dev is allocated as a device managed resource
and need not be freed since it is freed automatically.
Remove the logic to free voice_svc_dev in probe failure
and remove functions to avoid double free.
CRs-Fixed: 2204285
Change-Id: If4f9ca840b00448b987f5ce443f66b0923b01969
Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org>
If the size of captured data oversteps over SRAM boundary then
it causes corruption of configuration data. Add boundary check
while programming configuration linked list in SRAM, to avoid
this problem.
Change-Id: Idd33f53560585fdbfee4d3822fd93d6f3a365e17
Signed-off-by: Xiaogang Cui <xiaogang@codeaurora.org>
Issue is seen when apr callback is received while voice_svc_release
is in process of freeing the driver private data.
Avoid invalid access of private data pointer by putting
the callback and release functions in the same locked context.
Change-Id: I93af13cab0a3c7e653a9bc9fa7f4f86bfa0502df
Signed-off-by: smanag <smanag@codeaurora.org>
Add the trivial support necessary to get hardware breakpoints
working for GDB on ARMv8 simulators running in AArch32 mode.
Change-Id: I340d8793e0da08d1b1f07e72cbf34362dff79fa7
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Christopher Covington <cov@codeaurora.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Git-commit: 5b61d4a5d6676b5bb4c3c101683d3c7fd0df2a38
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[schikk@codeaurora.org: fix multiple definitions error
(from jtagv8.c) in this change]
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
Audio Packet Router (APR) is used by multiple audio services
to communicate between APSS and ADSP. These audio services
register for service level APR communication (port 0xFFFFFFFF),
or for session level APR communication (using port 0x101 etc.).
The services might choose to call apr_register for any port at
random. The expectation is that the refcounting for the number
of ports registered with APR for any specific service, is handled
irrespective of the order in which registrations are done. The
current logic fails to handle the refcounting when apr_register
is called for 0xFFFFFFFF before other session based ports. Fix
this correctly using the service count (svc_cnt) variable in apr_svc.
CRs-fixed: 2022490
Bug: 34088848
Change-Id: I2fcd1269facf24d509db0d90314e0d2545a2ad67
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
Add boundary checks for APR port received from ADSP.
CRs-Fixed: 2143207
Change-Id: I9a7fa39ee223e1859323caa6eb74c1c8a26a041d
Signed-off-by: Aditya Bavanari <abavanar@codeaurora.org>
During the probe function of the Linux PIL kernel driver,
initialization of various resources is done.
This fix is for acquired resource cleanup, in case of error.
CRs-Fixed: 2129451
Change-Id: I0b3511cff7e2917fe83bddfc15086e939f5c2abc
Signed-off-by: Jitendra Sharma <shajit@codeaurora.org>
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
Fix memory leak due to rpm request not freed during error conditions.
Change-Id: I440a58bf452e76c8886f7bcd8f89b24698a301e9
Signed-off-by: Raghavendra Kakarla <rkakarla@codeaurora.org>
Initialize member value of struct apr_client_data after declaration.
CRs-Fixed: 2091948
Change-Id: I8a185ebd4126f7d064de90bf652bc96c2ab7b408
Signed-off-by: Yidong Huang <yidongh@codeaurora.org>
Signed-off-by: Yasir Malik <ymalik@codeaurora.org>
A few function pointers are left uninitialized in dummy transport.
System can crash if these function pointers get dereferenced.
Initialize all the function pointers which can get called, with
dummy functions.
CRs-Fixed: 2067859
Change-Id: I9172776d9ffa0af5deb9898125fc6403fdcdee0f
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
Initialize the has_locked member before running SSR
spinlock test to ensure consistent results.
CRs-Fixed: 2091946
Change-Id: Ifad37541a94668b496aa9204dc80920b9a7ff244
Signed-off-by: Chris Lew <clew@codeaurora.org>
It is a case of write after free, this is causing page allocation
failure due to corruption. This is due to freeing up of segments
allocated for venus subsystem, when venus fw loading fails midway.
CRs-Fixed: 2078950
Change-Id: I902ed0241f46fc340c4a307bcb59134e999f8cba
Signed-off-by: Avaneesh Kumar Dwivedi <akdwived@codeaurora.org>
Signed-off-by: Chetan C R <cravin@codeaurora.org>
As scheduler doesn't guarantee scheduling even into high
priority worker task within 1 sec after waking up, it can't
pet watchdog properly. Use rt task to pet watchdog even if
the scheduler is busy to handle normal priority tasks.
CRs-Fixed: 940039
Change-Id: Ief8a01df8ef61481c94c3f781d22796882320fc0
Signed-off-by: Se Wang (Patrick) Oh <sewango@codeaurora.org>
[pdaly@codeaurora.org:
resolve INIT_COMPLETION rename
resolve include file changes]
Signed-off-by: Patrick Daly <pdaly@codeaurora.org>
The current implementation is using mutex lock to protect the Rx data
packet list but Glink core can notify the Rx data in atomic context
and the mutex lock is not used in some places.
Replace the mutex lock with spinlock to protect the Rx data packet list.
CRs-Fixed: 852949
Change-Id: Ie7543a98e6589e8068b873a8bb4f49b9a195d881
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
The buffer allocated in rpmstats_show needs to be protected
as there can be a possibility of a use-after-free scenario.
    Process A               B
            |               |
            open            |
            |               |
            read started    |
            |               close
Add mutex lock to protect the buffer to avoid this.
Also allow reading RPM stats information using sysfs nodes.
The stats are available at
/sys/power/system_sleep/stats
Change-Id: I28ab98e264fc4e425f23c71ddc6dcc8f275d8f6b
Signed-off-by: Naresh Malladi <namall@codeaurora.org>
The buffer allocated in file open operations needs to be
protected as there can be a possibility of a use-after-free
scenario.
    Process A               B
            |               |
            open            |
            |               |
            read started    |
            |               close
Add mutex lock to protect the buffer to avoid this.
"msm_rpmstats_copy_stats" accesses the variable "pdata->read_idx"
without locking. The userspace can invoke the "read" call from
multiple threads which will call "msm_rpmstats_file_read" which
in turn calls "msm_rpmstats_copy_stats".
This can allow the statement "pdata->read_idx++" to increment
"read_idx" beyond the limit ("prvdata->num_records") and call
"msm_rpmstats_read_register" with this value.
Also allow reading RPM stats information using sysfs nodes.
The stats are available at
/sys/power/system_sleep/stats
Change-Id: I031f02bb2694a97ced86da0a9f54d0e434e4ad6d
Signed-off-by: Naresh Malladi <namall@codeaurora.org>
Initialize a few variables and check return value of sscanf.
Use 'goto' to exit without sending rpm send message request
in case of sscanf failure.
Change-Id: I86f723b4dbbca30b80a33de8b2c28116da8730dd
Signed-off-by: Naresh Malladi <namall@codeaurora.org>
Buffer overflow can occur if MBA firmware size exceeds 1MB.
So validate size before copying the firmware.
CRs-Fixed: 2001803
Change-Id: I070ddf85fbc47df072e7258369272366262ebf46
Signed-off-by: Kishor PK <kpbhat@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
As debugfs interface is intended to test the respective ssr, remove
from the driver to make sure it won't be available by default.
CRs-Fixed: 2025661
Change-Id: I6af9a8333c8028611f889cc2f9b0beb37ef12c9b
Signed-off-by: Satya Durga Srinivasu Prabhala <satyap@codeaurora.org>
The core_ctl module takes input from userspace and CPU load information to
decide how many CPUs to keep online. User space has the following tunables:
- min_cpus: Minimum number of CPUs to keep online. This overrides other
heuristics.
- max_cpus: Maximum number of CPUs to keep online. This overrides other
heuristics.
- additional_cpus: Additional idle CPUs to keep ready for use.
- busy_up_thres: The normalized load% threshold that the CPU load should
exceed for the CPU to go from not busy to busy.
It could be a single threshold for all CPUs in a group, or num_cpus
thresholds separated by spaces to specify different thresholds based on
the current number of online CPUs.
- busy_down_thres: The normalized load% threshold that the CPU load should
be lower than for the CPU to go from busy to not busy.
It could be a single threshold for all CPUs in a group, or num_cpus
thresholds separated by spaces to specify different thresholds based on
the current number of online CPUs.
- offline_delay_ms: The time to wait before offlining cores when the
number of needed CPUs goes down.
Mot-CRs-fixed: (CR)
Change-Id: Ied1d5bcbb8da5bbd5f3d1a3f042599babace6b65
Signed-off-by: Saravana Kannan <skannan@codeaurora.org>
Signed-off-by: Junjie Wu <junjiew@codeaurora.org>
Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
Signed-off-by: Ravi Chebolu <arc095@motorola.com>
Reviewed-on: http://gerrit.mot.com/866560
SME-Granted: SME Approvals Granted
SLTApproved: Slta Waiver <sltawvr@motorola.com>
Tested-by: Jira Key <jirakey@motorola.com>
Reviewed-by: Lian-Wei Wang <lian-wei.wang@motorola.com>
Reviewed-by: Christopher Fries <cfries@motorola.com>
Submit-Approved: Jira Key <jirakey@motorola.com>
Variable current_image can be modified by multiple threads.
This change will protect current_image from getting modified
by multiple threads.
Change-Id: I33df463311b24f73b1ba124d388731a72bd13263
CRs-Fixed: 2016485
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
Explicitly clear the subsystem loading address in case of any
memory failure. It will help to avoid any platform dependency.
Change-Id: I3be8f6318d68f02c02e637fc34f4a868e9fafa45
Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
If PIL boot failure happened due to memory allocation failure, then skip
clearing segments, as there is nothing loaded in fw region.
Change-Id: If0c09dd47941be0d9fe42496db43365ece32f3e9
Signed-off-by: Avaneesh Kumar Dwivedi <akdwived@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
In existing implementation, we are clearing fw region when loading fails
midway. This is not in consonance with MBA design so differentiate
between modem and other PIL modules. While at it, rectify the data type
of subsys_state in qmi_client_info as well.
Change-Id: I985456fca42346947eac24df5bf66599dcbf4c53
Signed-off-by: Avaneesh Kumar Dwivedi <akdwived@codeaurora.org>
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
In existing implementation, elf region was being cleared before memory
access to firmware region assigned to HLOS. So to avoid it, use a
separate function which will be called only when HLOS is the owner.
Change-Id: I8bb22e4dbe3e1f898678d0c0f6e60268b88fc150
Signed-off-by: Gaurav Kohli <gkohli@codeaurora.org>
Clear memory where elf segments are loaded if any of the segments fail
authentication.
CRs-Fixed: 1113126
Change-Id: I85d6bdc8efbb5738a863e59c0244222defcc1bcb
Signed-off-by: Puja Gupta <pujag@codeaurora.org>
Add size check to ensure the payload fits inside the declared payload
size to prevent loss of data when copying.
CRs-Fixed: 2009224
Signed-off-by: Siena Richard <sienar@codeaurora.org>
Change-Id: I4275c626605272941143b54a7b8861b25f8e750a
Add a mutex to prevent two threads from processing the same response
at the same time. This ensures responses are processed completely and
sequentially.
CRs-Fixed: 1116015
Change-Id: Id2ef32edb939f8af2850b54bd6f6f447939c0732
Signed-off-by: Siena Richard <sienar@codeaurora.org>
Variable size is an output variable and is not initialized;
printing it can lead to information leak.
Variable size is removed from log message.
CRs-Fixed: 1093837
Change-Id: I95cf227bb82a2ee7c6f43db151f75a942e8e55ce
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
Replace WARN with pr_warn so that stack trace is not printed with the
message.
CRs-Fixed: 1111653
Change-Id: Id1c7bbe8a528199261455ba7901e9df81913aef8
Signed-off-by: Puja Gupta <pujag@codeaurora.org>
Some targets may share same msm-id, but they can have
different product name.
To differentiate them, add support to append suffix to soc_id_string.
Change-Id: Id0272cc4bd776c9872680a218f445160125d6faf
Signed-off-by: Lingutla Chandrasekhar <clingutla@codeaurora.org>