Commit Graph

4207 Commits

Author SHA1 Message Date
raghavendra ambadas ddea3574a6 fbdev: msm: check the length of the external input buffer properly
dchdr->dlen is a short variable controlled by the user-provided data.
If the value is negative, loop continues, also increasing the value
of "len". As a result buffer overflow occurs. So define the len as
unsigned and check with length of string input from user space.

Change-Id: I8bb9ab33d543c826eb330e16ae116385d823ca98
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
2019-07-27 22:11:31 +02:00
Wei Wang bb454f3bae ANDROID: fix uninitilized variable
Currently we set CONFIG_CC_OPTIMIZE_FOR_SIZE which suppressed the compiler
warning of unused variables which can lead to undefined behavior e.g. memory
corruption and panic. See https://lkml.org/lkml/2013/3/25/347.

This patch fixes all the uninitialized variables in kernel

Bug: 33353384
Test: On device
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I0ae1082f447b435d71156d471878ba71aa16c378
2019-07-27 22:10:15 +02:00
Amine Najahi 0812b3144e msm: mdss: sanitize debugfs inputs when reading mdp memory
Sanitize debugfs inputs to only allow access to mdp memory block
specified in dtsi file. This change will allow only one single block
to be read at the time and will avoid accessing memory outside of valid
decode space which can trigger AHB error bus response.

Change-Id: Icede9a8939a66faa59d674c18183fb0ebcf67908
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
2019-07-27 22:08:42 +02:00
raghavendra ambadas 3c7690512e msm: mdss: Fix double free during probe fail
Memory allocated with "devm_kzalloc" is automatically released
by the kernel if the "probe" function fails with an error code.
Therefore, using "kfree" is unsafe because it can lead to a double free.

Change-Id: Ic9285ebbd7d246e275a93cde4d03656d99d5ea3d
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
2019-07-27 22:08:41 +02:00
Jonathan Solnit 6bebfb8b74 BACKPORT: msm: mdss: Fix invalid dma attachment during fb shutdown
If DMA attachment fails during fb_mmap, all ION memory will get freed. It
is necessary to reset the fbmem and fb_attachment pointers to NULL,
otherwise shutdown will perform another free, causing issues.

CRs-Fixed: 1090244
Bug: 36251984
Change-Id: If998615655f69d9d867d7655d617083d3d9c03eb
Signed-off-by: Benjamin Chan <bkchan@codeaurora.org>
Signed-off-by: Jonathan Solnit <jsolnit@google.com>
2019-07-27 21:51:53 +02:00
Padmanabhan Komanduru 666f227106 msm: mdss: clear BTA_DONE interrupt during DSI read operations
In cases where DSI DMA done operation is performed but isr is
not triggered due to CPU delays, we clear only the DMA_DONE
interrupt. There is a possibility of a DSI read operation for
DSI command mode panels where the DMA_DONE interrupt is cleared and
DSI link clocks are turned off. After some time, the DSI isr gets
triggered for BTA_DONE interrupt and since DSI link clocks are off,
this causes an interrupt storm due to BTA_DONE interrupt not getting
cleared. Clear the BTA_DONE interrupt as well for cases where DMA_DONE
operation is done but isr not getting triggered.

Change-Id: Iceb02e6dd78f4bbf313e2b4d252d6a30699619f0
Signed-off-by: Padmanabhan Komanduru <pkomandu@codeaurora.org>
2019-07-27 21:51:12 +02:00
syphyr e31bb86493 Revert "msm: mdss: fix race condition between commit and power off"
This reverts commit 195887a195ff851f13373151d4456d70caa65f79.
2019-07-27 21:51:10 +02:00
raghavendra ambadas d529110659 msm: mdss: fix race condition between commit and power off
While the commit thread is in progress, suspend is called and the stop thread
sets the commit_pending flag to zero, but the commit thread increments the
flag, due to which the pan idle func times out during resume.
Check for disp thread before incrementing the commit_pending flag.

Change-Id: I92483a2b9c44cc41c6d31e8a7d3b2a5bfe11fbc9
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
2019-07-27 21:50:47 +02:00
Rashi Bindra 04ee468a50 msm: mdss: Fix for wrong length in copy_to_user
The caller could have a small buf passed (less than blen).
Since, the length of count and blen is not checked, it can
write beyond the end of buf.

Change-Id: I9138cd742b6166937f3cc1cbf1af36f280c94bdb
Signed-off-by: Rashi Bindra <rbindra@codeaurora.org>
2019-07-27 21:50:39 +02:00
Harsh Sahu baec5a85e6 msm: mdss: check buffer size before writing to user buffer
Check the number of bytes to copy against the size of the
user buffer before copy to user to avoid buffer overflow.

Change-Id: Icdd3d4e755deca19fa431e903620bd9e4c701c89
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
2019-07-27 21:50:39 +02:00
raghavendra ambadas 2bb049e652 msm: mdss: fix race condition between rotator api's
Current code does not have a locking mechanism between
rotator play and rotator unset, due to which race condition
can occur when concurrent threads invoke rotator play and
unset ioctl cmd. So use mutex lock to avoid such issues.

Bug: 77527701
Change-Id: I6a7cd16ee8a8f3a4c9397e87b8c109809ec6f573
Signed-off-by: Raghavendra Ambadas <rambad@codeaurora.org>
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
2019-07-27 21:50:02 +02:00
Benjamin Chan eb52f106c7 msm: mdss: adjust mdss_mdp_get_plane_sizes parameters init order
Parameter mdss_mdp_plane_sizes must be cleared to 0 before returning
under an error condition, otherwise caller function will use the
uninitialized mdss_mdp_plane_sizes values and cause incorrect
operation.

Bug: 71501679
Change-Id: I856b17ce9e917cc450040463ec34b7309d34b9b5
Signed-off-by: Benjamin Chan <bkchan@codeaurora.org>
2019-07-27 21:49:14 +02:00
syphyr 8d86a4f3bc video: msm: samsung: Fix mode_max permissions
Fix the following warning on startup:

[5: swapper/0: 1] WARNING: at ../../../../../../kernel/samsung/msm8976/
                  drivers/base/core.c:576 device_create_file+0x7c/0xac()
[5: swapper/0: 1] Attribute mode_max: write permission without 'store'

Change-Id: I4806801f9a87eb5c52fa1756f58431362dea7431
2019-07-27 21:45:54 +02:00
LuK1337 65f8423215 Import T813XXS2BRC2 kernel source changes
Change-Id: I90bb6c013287c1edbf8ca607d1666cc4c62d504e
2018-05-26 00:39:42 +02:00
LuK1337 4cce184099 Merge tag 'LA.BR.1.3.6-04910-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-04910-8976.0"
2017-10-14 19:29:50 +02:00
Linux Build Service Account 84025bd165 Merge "msm: mdss: check the length of the external input buffer properly" 2017-10-05 12:20:12 -07:00
Ashish Garg b26399f539 msm: mdss: check the length of the external input buffer properly
dchdr->dlen is a short variable controlled by the user-provided data
(a string). If the value is negative, the condition does not pass
and loop continues, also increasing the value of "len". As a result
buffer overflow and overwrite occurs.

Change-Id: I5eacec446c9a8b5b82fc3bc6d1281303f336d4de
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
2017-10-04 03:08:47 -07:00
Narender Ankam dee518597a msm: mdss: hdmi: validate HDMI EDID's max number of CEA blocks
No upper-bound validation is performed when reading number of
extended CEA blocks from the untrusted source (EDID). Add a check
to limit the number of CEA extension blocks.

Change-Id: I69f09ed0ad28a4c267cf3e8f7a12efe46f75e244
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
2017-10-03 22:38:57 -07:00
LuK1337 97104ad488 Merge tag 'LA.BR.1.3.6-04710-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-04710-8976.0"
2017-09-15 11:27:24 +02:00
Linux Build Service Account 0e42a75e48 Merge "msm: mdss: Check htotal for calculating programmable fetch" 2017-08-30 12:57:16 -07:00
Ashish Garg 4b2a534cba msm: mdss: Check htotal for calculating programmable fetch
For calculating programmable fetch values, ensure htotal is
non-zero.

Change-Id: Ib1f32f5f16aa97fb82c13c9020707245177067b9
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
2017-08-30 00:10:26 -07:00
Sachin Bhayare 590c37a3d6 msm: mdss: Fix possible integer overflow
Avoid possible integer overflow while validating
mdp3 image parameters.

Change-Id: Ifd972134a23f653cf38134510d98dec5a604d2bc
CRs-Fixed: 1107055
Signed-off-by: Sachin Bhayare <sachin.bhayare@codeaurora.org>
2017-08-29 23:40:10 -07:00
LuK1337 f77b254b9f Merge tag 'LA.BR.1.3.6-04510-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-04510-8976.0"
2017-08-06 13:38:06 +02:00
Linux Build Service Account fb8449f4e1 Merge "msm: mdss: information leak during buffer copy from userspace" 2017-07-25 23:10:04 -07:00
Ashish Garg 8dcdae37f1 msm: mdss: information leak during buffer copy from userspace
While trying to write dsi commands from userspace, the user buffer
is copied using simple_write_to_buffer. If the number of bytes in
the user buffer is less than the destination buffer, the length was
set to the destination buffer length. Subsequently the buffer could
be read from userspace to dump a lot of uninitialized kernel heap
data. Update the destination buffer with the correct size of bytes
copied from the user buffer.

Change-Id: Ib28f3698655d25ad8103fc02199a1d214092e232
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
2017-07-25 05:11:36 -07:00
Mishra Mahima a239a42009 msm: mdss: Increase fbmem buf ref count before use
The reference count for fbmem buf is not increased before use,
which means it can get freed unintentionally when the reference
count is decreased to "0". In this case, there is possibility of
use after free. Ensure that fbmem buf refcount is incremented
before use.

Change-Id: I525d41e5496a1123e53a438b5f78d4da8bc046bd
Signed-off-by: Jayant Shekhar <jshekhar@codeaurora.org>
Signed-off-by: Mishra Mahima <mahima@codeaurora.org>
2017-07-25 04:20:24 -07:00
LuK1337 ea03599937 Merge tag 'LA.BR.1.3.6-04110-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-04110-8976.0"

Change-Id: Ie9bc105eee4263ab1ec2f91556feca988522808f
2017-07-08 18:34:23 +02:00
Krishna Manikandan f0129efbc1 fbdev: msm: Allocate fd with O_CLOEXEC flag
When fd is requested during get_metadata call, create fd
using O_CLOEXEC flag.

CRs-Fixed: 2030638
Change-Id: I1c874f713a3ebada63ba2c85f021aa78b04af44b
Signed-off-by: Krishna Manikandan <mkrishn@codeaurora.org>
2017-07-04 22:50:12 -07:00
zhaoyuan 7ff0e9a72d msm: mdss: hdmi: check up-bound of CEC frame size
The spec says the frame size will not be greater than
14, but this has a security hole when somebody sends
a message with a size greater than 14. So need to check
the up-bound of the CEC frame size.

Change-Id: I743208badc5e77ae911cfb2d102f758d4843138f
Signed-off-by: zhaoyuan <yzhao@codeaurora.org>
2017-07-03 20:09:17 -07:00
LuK1337 f525b5edb1 Import T713XXU2BQD3 kernel source changes
Change-Id: I9897a6d702844ebd56458d82d5b7be87ab5a907b
2017-07-01 12:51:07 +02:00
Linux Build Service Account bf1349b227 Merge "msm: mdss: validate the buffer size before allocating memory" 2017-06-30 10:14:36 -07:00
Linux Build Service Account e226864580 Merge "msm: mdss: validate page id before reading from edid buffer" 2017-06-30 10:14:35 -07:00
Ashish Garg 1c96584fa8 msm: mdss: validate the buffer size before allocating memory
There is no validation of the "count" parameter, which is controlled
by the user and used as a size of allocated memory. If the user
provides a value of "0" for "count", then kmalloc would not return
NULL, but also there will be a memory block of "zero" size. This can
lead to buffer overflows. Also trying to access invalid memory will
cause kernel crashes. Ensure to check that the number of bytes to be
written is non-zero. If zero, return invalid input.

Change-Id: I9613043881a91fd5a5f99337119c4a3d41493b54
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
2017-06-29 23:58:32 -07:00
Ashish Garg b64d3a8f6e msm: mdss: validate page id before reading from edid buffer
Provide complete resolution details in a sysfs node "res_info"
limited to PAGE_SIZE. Different modules can query for multiple
resolution details based on the resolution ids received from
EDID of the TV. In case resolution details exceed PAGE_SIZE,
reuse res_info to get remaining timing details by providing page
details. Check page id is within the max supported resolution
ids to avoid reading extra memory than required.

Change-Id: I7cdd071ba462080fe5bb302d0da824ed95b50f15
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
2017-06-29 23:29:41 -07:00
Harsh Sahu 223ab331d4 msm : mdss: fix unaligned access problem
debug offset comes from the user and can hold any value which can
cause unaligned access. This change fixes the unaligned access
problem on debug offset by properly aligning it.

Change-Id: Ic61c2651986ea6c98cc7d58e27af3e5fe6e42a88
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
2017-06-29 23:04:23 -07:00
Bharath Gopal 19cfce8323 msm: mdss: Buffer overflow while processing gamut table data
Modified the size of the gamut table data-structure in order to
avoid a buffer overflow while copying data from user-space.

Change-Id: I8c5fa1caff450a2d25d7859bd159ab4a60045e54
Signed-off-by: Bharath Gopal <gopalb@codeaurora.org>
2017-06-16 02:03:11 -07:00
LuK1337 62829e8978 Merge tag 'LA.BR.1.3.6-04010-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-04010-8976.0"

Change-Id: If446d01e5305f2e7b268b761d214305e35e2ce18
2017-06-09 23:21:11 +02:00
LuK1337 18aceede84 Merge tag 'LA.BR.1.3.6-03910-8976.0' of https://source.codeaurora.org/quic/la/kernel/msm-3.10 into HEAD
"LA.BR.1.3.6-03910-8976.0"

Change-Id: I16643fc055aa2965fe5903396a8e5158c42cf1bc
2017-05-26 13:28:48 +02:00
Sandeep Panda 093e3bd422 msm: mdss: remove client from device list if failed to register
If there is any failure while registering a DBA client with MDSS
driver, then remove the client from device client list first and
then free the client. Otherwise driver might crash when
traversing the device client list in later stage, because of an
uninitialized entry in the list.

Change-Id: I60666f4c3dea5c7ea7b7c77bcb14b080ee25b54d
Signed-off-by: Sandeep Panda <spanda@codeaurora.org>
2017-05-24 00:27:54 -07:00
Harsh Sahu 45b4f654b9 msm: mdss: fix race condition during mdp debugfs release
Fix race condition in the release of the mdp debugfs functions
panel_debug_base_release and mdss_debug_base_release by adding
the lock for unpreempted freeing of the buffer so that multiple
concurrent processes cannot affect the release which can possibly
lead to use-after-free operation on the buffer.

Change-Id: I9586081b65ae2eb0e7f6e30c606ee748ae9ef7e8
Signed-off-by: Harsh Sahu <hsahu@codeaurora.org>
2017-04-23 23:50:36 -07:00
Zhao Wei Liew c7f5e69157 video: samsung: mdnie: Expose no. of display modes
CMHW uses this to determine the display modes supported by the device.

Change-Id: I32bdd71f1f336967d41ec4b36f8620ce36cace4b
2017-04-18 12:23:34 +02:00
Steve Kondik 2006fd744d video: mdss: Color temperature interface using PCC
 * MDSS5 supports Polynomial Color Correction. Use this to implement
   a simple sysfs API for adjusting RGB scaling values. This can be
   used to implement color temperature and other controls.
 * Why use this when we have KCAL? This code is dead simple, the
   interface is in the right place, and it allows for 128X accuracy.

Change-Id: Ie17c84ee3c1092ea65804566bdf05326a34a6d4d

video: mdss: Report PCC values from pp registers

Other drivers write to these regs (KCAL, Sony) and other developers may
implement more than one driver. Make sure we are always reporting the correct
PCC values.

Change-Id: Id4a28602d6678d8032f1328c49163b52c15d52b1
2017-04-18 12:18:42 +02:00
LuK1337 4e71469c73 Merge tag 'LA.BR.1.3.6-03510-8976.0' into HEAD
Change-Id: Ie506850703bf9550ede802c13ba5f8c2ce723fa3
2017-04-18 12:11:50 +02:00
Luca Stefani 8e6f726608 video: mdnie: Sanitize sysfs 2017-04-18 04:40:51 +02:00
Luca Stefani ea57af3cf7 video: mdnie: Return mode number 2017-04-18 04:40:50 +02:00
LuK1337 fc9499e55a Import latest Samsung release
* Package version: T713XXU2BQCO

Change-Id: I293d9e7f2df458c512d59b7a06f8ca6add610c99
2017-04-18 03:43:52 +02:00
Veera Sundaram Sankaran 145f222b04 msm: mdss: match pixclock calculation for videomode and fb var
When multiple panel timings are available and enumerating videomode
list, pixclock is calculated using htotal, vtotal and refresh rate.
But fb var struct is populated with actual pixclock value calculated
by DSI. This pixclock mismatch would cause issues, when usermode
does GET_VSCREENINFO/PUT_VSCREENINFO. Fix by using the same pixclock
calculation for both structures.

Change-Id: I42bfc40b5904ec80f20b296e3b4610ca3b2c5ee0
[veeras@codeaurora.org: Resolved conflicts in mdss_fb.c]
Signed-off-by: Veera Sundaram Sankaran <veeras@codeaurora.org>
Signed-off-by: Sandeep Panda <spanda@codeaurora.org>
Signed-off-by: Nirmal Abraham <nabrah@codeaurora.org>
2017-04-11 16:30:40 +05:30
Linux Build Service Account d3b629de8f Merge "msm: mdss: Validate cursor image size" 2017-04-04 10:46:30 -07:00
Linux Build Service Account fd0abfe179 Merge "msm: mdss: Check for buffer boundary condition in panel_debug_reg_write" 2017-03-30 00:00:48 -07:00
Linux Build Service Account 9be63e81d5 Merge "msm: mdss: fix race condition in mdp debugfs" 2017-03-24 13:59:10 -07:00