- Jul 27, 2023
Lynus Vaz authored
drawobj_sync_timeline_fence_work() does a cleanup of fence and syncobj allocations. Doing this cleanup in irq context requires the irq_work struct to remain valid after the function executes. Avoid this constraint by deferring this work to the memory workqueue.
Change-Id: Icf648a61686c1ef3fd84467a2376b11a9a4bb803
Signed-off-by: Lynus Vaz <quic_lvaz@quicinc.com>
-
- Jul 21, 2023
Praveen koya authored
Add buffer overflow check while accessing data buffer received from AON.
Change-Id: I0472a0ad1e6edc3fe8102850fddacd89ceea4959
Signed-off-by: Praveen koya <quic_pkoya@quicinc.com>
-
- Apr 11, 2023
Vamsi Krishna Gattupalli authored
Thread T1 adds a buffer to fl->cached_bufs and releases fl->hlock while holding a buffer reference. Now thread T2 will acquire fl->hlock and free the buffer in fastrpc_cached_buf_list_free(). T1 will dereference the freed buffer. Move the buffer reference uses for T1 inside fl->hlock to avoid the UAF.
Change-Id: I5f08d5497099133f87d55f5879cfe50c2ba23ae6
Acked-by: DEEPAK SANNAPAREDDY <sdeeredd@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
-
- Apr 03, 2023
Kamal Agrawal authored
In ioctls like kgsl_ioctl_submit_commands(), if both syncobj type and cmd/marker/sparseobj type are submitted, the syncobj is queued first followed by the other obj type. After syncobj is successfully queued, in case of failure in get_timestamp while queuing the other obj, both the command objs are destroyed. As sync obj is already queued, accessing this later would cause a crash. Compare the user generated timestamp with the drawctxt timestamp and return early in case of error. This avoids unnecessary queuing of drawobjs.
Change-Id: Iedebd480bc18cd74d2f69d24a9dc1032fab01cdb
Signed-off-by: Kamal Agrawal <quic_kamaagra@quicinc.com>
-
- Mar 31, 2023
Akhil P Oommen authored
Postamble packets are executed in privileged mode by gpu. So we should keep them in a privileged scratch buffer to block userspace access. For targets with APRIV feature support, we can mark the preemption scratch buffer as privileged too to avoid similar issues in future.
Change-Id: Ifda360dda251083f38dfde80ce1b5dc83daae902
Signed-off-by: Akhil P Oommen <quic_akhilpo@quicinc.com>
Signed-off-by: Kaushal Sanadhya <quic_ksanadhy@quicinc.com>
-
- Mar 13, 2023
Puranam V G Tejaswi authored
Currently we don't ensure that vma->vm_file is associated with a dma_buf. This can cause issues later when private_data from a non-dma_buf file is used as a dma_buf structure. Hence get the fd that is associated with vma->vm_file and use dma_buf_get() to get a pointer to the dma_buf structure. dma_buf_get() ensures that the file from the input fd is associated with a dma_buf.
Change-Id: Ib78aef8b16bedca5ca86d3a132278ff9f07dce73
Signed-off-by: Puranam V G Tejaswi <quic_pvgtejas@quicinc.com>
-
- Jan 25, 2023
Akhil P Oommen authored
Update the IFPC power up reglist to include all the CP Protect registers.
Change-Id: I1b43420c466b8a228892afac8ecf05b11b5a80e6
Signed-off-by: Akhil P Oommen <akhilpo@codeaurora.org>
-
- Jan 17, 2023
ravnar authored
Get the dma_buf handle directly from 'vm_file' after doing necessary checks on the file.
Change-Id: Id5eec16588d64e4e28483b32bb52d4d3d9b86b99
Signed-off-by: ravnar <quic_ravnar@quicinc.com>
Signed-off-by: Sanjay Yadav <quic_sanjyada@quicinc.com>
-
Performance counter values need not be retained across contexts unless specifically requested for debug. Zap the counters by initialising perfcounter SRAM with 0's using GPU_RBBM_PERFCTR_SRAM_INIT_CMD. Add pm4 packets during context switches and add a KMD postamble packet to clear the counters during preemption. Do not enable perfcounter save and restore unless requested.
Change-Id: I371779ce659c07a1cc664327f5ecdcf0374201d8
Signed-off-by: Mohammed Mirza Mandayappurath Manzoor <quic_mmandaya@quicinc.com>
Signed-off-by: Harshitha Sai Neelati <quic_hsaineel@quicinc.com>
-
Currently performance counters are global and can be read by anyone. Change the behaviour to disable reading global counters as default and add a sysfs node to enable/disable reads.
Change-Id: Ic3785acd9bd7425c2a844ed103d7b870d9f80adf
Signed-off-by: Mohammed Mirza Mandayappurath Manzoor <quic_mmandaya@quicinc.com>
Signed-off-by: Harshitha Sai Neelati <quic_hsaineel@quicinc.com>
-
Rohan Sethi authored
Currently gpuaddr_in_range() accepts only the gpuaddr & returns true if it lies in valid range. But this does not mean that the entire buffer is within range. Modify the function to accept size as a parameter and check that both starting & ending points of buffer lie within mmu range.
Change-Id: I1d722295b9a27e746bfdb6d3bf409ffe722193cb
Signed-off-by: Rohan Sethi <rohsethi@codeaurora.org>
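The range check described in the commit above, as an added example that is not KGSL's own code. The MMU window bounds, the function names and the "naive" variant are assumptions made for illustration; the point the example shows beyond the commit text is that checking `gpuaddr + size <= end` is not enough on its own, because a large size can wrap the sum back below the window start and pass the check.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed MMU window for the example; not the real KGSL values. */
#define MMU_VA_START 0x0000000100000000ULL
#define MMU_VA_END   0x0000001000000000ULL   /* exclusive */

/* A size chosen so that MMU_VA_START + WRAP_SIZE wraps around to 0x10. */
#define WRAP_SIZE (UINT64_MAX - MMU_VA_START + 0x11ULL)

/* Original shape: only the start address is validated. */
bool gpuaddr_in_range_old(uint64_t gpuaddr)
{
	return gpuaddr >= MMU_VA_START && gpuaddr < MMU_VA_END;
}

/* Tempting but wrong: checks both ends, yet the addition can wrap. */
bool gpuaddr_in_range_naive(uint64_t gpuaddr, uint64_t size)
{
	uint64_t end = gpuaddr + size;      /* silently wraps modulo 2^64 */

	return gpuaddr >= MMU_VA_START && end <= MMU_VA_END;
}

/* Hardened: reject empty buffers, reject wraparound, then check both ends. */
bool gpuaddr_in_range(uint64_t gpuaddr, uint64_t size)
{
	uint64_t end;

	if (size == 0)
		return false;
	if (__builtin_add_overflow(gpuaddr, size, &end))
		return false;               /* gpuaddr + size does not fit in u64 */
	return gpuaddr >= MMU_VA_START && end <= MMU_VA_END;
}
```

Rejecting `size == 0` is a design choice for this example: a zero-length buffer has no "ending point" to validate, and treating it as valid would only ever help a caller that passes garbage.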
-
Puranam V G Tejaswi authored
Currently there is a chance that release for the fence was already called before we call dma_fence_get during kgsl_timeline_signal and kgsl_ioctl_timeline_destroy. This can cause use-after-free issue as we can access fence after release. Fix this by signalling fence only if the last refcount on the fence was not yet put. This makes sure that release for the fence will not be called until we are done signalling.
Change-Id: I6bdcefa1f128febb7a0f7aef133757268a3b9ae3
Signed-off-by: Puranam V G Tejaswi <pvgtejas@codeaurora.org>
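The "get a reference only if the count is not already zero" pattern from the commit above, as an added example that is not KGSL's or the dma_fence code. The `struct fence`, its flags and the `timeline_signal*` functions are constructed stand-ins: release is modelled by setting a flag rather than freeing memory, so the example can show the ordering problem without actually crashing.

```c
#include <stdatomic.h>
#include <stdbool.h>

/* Constructed refcounted object; a stand-in for a fence, not dma_fence. */
struct fence {
	atomic_int refcount;
	bool signaled;
	bool released;   /* set when the last reference is dropped */
};

void fence_init(struct fence *f)
{
	atomic_init(&f->refcount, 1);   /* creator holds the first reference */
	f->signaled = false;
	f->released = false;
}

static void fence_release(struct fence *f)
{
	f->released = true;             /* real code would free f here */
}

static void fence_put(struct fence *f)
{
	if (atomic_fetch_sub(&f->refcount, 1) == 1)
		fence_release(f);
}

/* Unconditional get: taking a reference on a count that is already zero
 * "resurrects" an object whose release has run or is running. */
static void fence_get(struct fence *f)
{
	atomic_fetch_add(&f->refcount, 1);
}

/* Conditional get, the kref_get_unless_zero() idea: succeed only while some
 * other holder still has a live reference. */
static bool fence_get_unless_zero(struct fence *f)
{
	int old = atomic_load(&f->refcount);

	while (old != 0) {
		if (atomic_compare_exchange_weak(&f->refcount, &old, old + 1))
			return true;
	}
	return false;
}

/* Signal path as fixed: only touch the fence if we could take a reference. */
bool timeline_signal(struct fence *f)
{
	if (!fence_get_unless_zero(f))
		return false;               /* last ref already gone; release in flight */
	f->signaled = true;
	fence_put(f);
	return true;
}

/* Signal path as it was: the unconditional get lets us use a released fence. */
bool timeline_signal_buggy(struct fence *f)
{
	fence_get(f);
	f->signaled = true;             /* may run against a released object */
	fence_put(f);                   /* and runs release a second time */
	return true;
}

/* Scenario 1: the creator still holds its reference; signalling is safe. */
bool demo_live_fence_signals(void)
{
	struct fence f;
	bool ok;

	fence_init(&f);
	ok = timeline_signal(&f);
	return ok && f.signaled && !f.released && atomic_load(&f.refcount) == 1;
}

/* Scenario 2: the creator dropped its only reference before the signal ran. */
bool demo_fixed_refuses_released(void)
{
	struct fence f;
	bool ok;

	fence_init(&f);
	fence_put(&f);                  /* 1 -> 0: release runs */
	ok = timeline_signal(&f);
	return f.released && !ok && !f.signaled;
}

bool demo_buggy_touches_released(void)
{
	struct fence f;

	fence_init(&f);
	fence_put(&f);                  /* 1 -> 0: release runs */
	timeline_signal_buggy(&f);
	return f.released && f.signaled; /* written after release: the UAF */
}
```

The two scenarios run sequentially for determinism; in the driver the same interleaving happens across threads, which is why the check must be an atomic compare-and-swap rather than a load followed by an increment.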
-
Pranav Patel authored
kgsl_ioctl_gpu_aux_command creates a separate drawobj for each command in numcmds sent from userspace. All drawobjs created will have same timestamp. We can not queue more than one drawobj with same timestamp. Each new drawobj must have timestamp greater than previously queued drawobjs. This results in failure of kgsl_ioctl_gpu_aux_command. Add proper check and return early when numcmds is invalid.
Change-Id: I06413c16b0a21abcffb121b2e332752eb71e6be0
Signed-off-by: Pranav Patel <pranavp@codeaurora.org>
Signed-off-by: Akhil P Oommen <akhilpo@codeaurora.org>
-
- Jan 11, 2023
Balaji Pothunoori authored
There are multiple refcounting bugs related to multi-BSSID:
- In bss_ref_get(), if the BSS has a hidden_beacon_bss, then the bss pointer is overwritten before checking for the transmitted BSS, which is clearly wrong. Fix this by using the bss_from_pub() macro.
- In cfg80211_bss_update() we copy the transmitted_bss pointer from tmp into new, but then if we release new, we'll unref it erroneously. We already set the pointer and ref it, but need to NULL it since it was copied from the tmp data.
- In cfg80211_inform_single_bss_data(), if adding to the non-transmitted list fails, we unlink the BSS and yet still we return it, but this results in returning an entry without a reference. We shouldn't return it anyway if it was broken enough to not get added there.
This fixes CVE-2022-42720.
Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: a3584f56 ("cfg80211: Properly track transmitting and non-transmitting BSS")
Link: https://lore.kernel.org/lkml/20221013175147.168042993@linuxfoundation.org/
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Change-Id: If6ed330dc65fdf387ee8584b5a69840242edf5cc
Signed-off-by: Balaji Pothunoori <quic_bpothuno@quicinc.com>
-
- Jan 09, 2023
Srikanth Marepalli authored
If a non-transmitted BSS shares enough information (both SSID and BSSID!) with another non-transmitted BSS of a different AP, then we can find and update it, and then try to add it to the non-transmitted BSS list. We do a search for it on the transmitted BSS, but if it's not there (but belongs to another transmitted BSS), the list gets corrupted. Since this is an erroneous situation, simply fail the list insertion in this case and free the non-transmitted BSS.
This fixes CVE-2022-42721.
Reported-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Sönke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Link: https://lore.kernel.org/all/20221013175145.382242160@linuxfoundation.org/
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: bcca8520
Git-repo: https://android.googlesource.com/kernel/common
Change-Id: Icb2106b5ac5ff5e3ecb50bd09440bce5560fbb05
Signed-off-by: Srikanth Marepalli <quic_srimarep@quicinc.com>
-
- Jan 06, 2023
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Sarannya S authored
Add bounds check on values read from shared memory in the tx path. In cases where the VM is misbehaving, the qrtr haven transport should exit and print a warning when bogus values may cause out-of-bounds reads.
Change-Id: Ic1177ced6f41de66459970eff4537d82de4f614e
Signed-off-by: Sarannya S <quic_sarannya@quicinc.com>
-
Linux Build Service Account authored
-
- Jan 05, 2023
Jilai Wang authored
Remove asynchronous network execution related code since it's not used.
Change-Id: I9e9b54fddbbe9a0a1c0721983ae65e464fd49c0f
Signed-off-by: Jilai Wang <quic_jilaiw@quicinc.com>
-
Alan Chen authored
Add a data length validation check in fw response message in qdss_data_send_sync().
Change-Id: I750f46549bc914698baaf4e24f1710536ca8e356
CRs-Fixed: 3366343
Signed-off-by: Alan Chen <quic_alache@quicinc.com>
-
- Jan 04, 2023
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Linux Build Service Account authored
-
Alan Chen authored
Add a data length validation check in fw response message in qdss_data_send_sync().
Change-Id: I197b8d52c06e35f5fcf0f8fee94429fdcf500fcb
CRs-Fixed: 3359589
Signed-off-by: Alan Chen <quic_alache@quicinc.com>
-
Naman Padhiar authored
For WIN use case maximum number of memory segments requested by FW is increased to 52 in QMI layer. Since CNSS2 driver uses same QMI header files and message structures the same maximum number of segments is applicable for CNSS2. It means for memory allocation, FW can request 52 memory segments to CNSS2 via QMI indication but the local CNSS2 variable which gets segment info from the indication supports a maximum of 32 segments. To fix it, change CNSS2 array variable size to the same as the number of maximum segments supported in QMI layer.
Change-Id: I661b55b53cb31327da12f064d0a516884159eb5b
Signed-off-by: Naman Padhiar <quic_npadhiar@quicinc.com>
-
Johannes Berg authored
In the copy code of the elements, we do the following calculation to reach the end of the MBSSID element:

	/* copy the IEs after MBSSID */
	cpy_len = mbssid[1] + 2;

This looks fine, however, cpy_len is a u8, the same as mbssid[1], so the addition of two can overflow. In this case the subsequent memcpy() will overflow the allocated buffer, since it copies 256 bytes too much due to the way the allocation and memcpy() sizes are calculated. Fix this by using size_t for the cpy_len variable.
This fixes CVE-2022-41674.
Reported-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Tested-by: Soenke Huster <shuster@seemoo.tu-darmstadt.de>
Fixes: 0b8fb823 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Link: https://lore.kernel.org/lkml/20221013175147.067414219@linuxfoundation.org/
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: aebe9f46
Git-repo: https://android.googlesource.com/kernel/common
Change-Id: If6ed330dc65fdf387ee8584b5a69840242edf5cf
Signed-off-by: Vulupala Shashank Reddy <quic_vulupa@quicinc.com>
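The u8 truncation from the CVE-2022-41674 commit above, reproduced in a self-contained C program as an added example (not the cfg80211 code). The element walker, the constructed scan IEs and the function names are assumptions; the element ID 71 is the real Multiple BSSID ID. Only the `cpy_len = mbssid[1] + 2` arithmetic is taken from the commit. The example shows where the "256 bytes too much" comes from: an MBSSID element with a 254-byte body makes the u8 sum wrap to 0, so the tail length is computed from the start of the MBSSID element instead of from its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WLAN_EID_MULTIPLE_BSSID 71   /* IEEE 802.11 Multiple BSSID element ID */

/* Locate the first MBSSID element; NULL if absent or if any element is truncated. */
static const uint8_t *find_mbssid(const uint8_t *ie, size_t ielen)
{
	size_t off = 0;

	while (off + 2 <= ielen) {
		uint8_t id = ie[off], len = ie[off + 1];

		if (off + 2 + len > ielen)
			return NULL;
		if (id == WLAN_EID_MULTIPLE_BSSID)
			return ie + off;
		off += 2 + len;
	}
	return NULL;
}

/* Tail length as the buggy code computed it: cpy_len is u8, so for
 * mbssid[1] == 254 it wraps to 0 and the 256-byte element is counted as tail. */
size_t tail_len_buggy(const uint8_t *ie, size_t ielen)
{
	const uint8_t *mbssid = find_mbssid(ie, ielen);
	uint8_t cpy_len;

	if (!mbssid)
		return 0;
	cpy_len = mbssid[1] + 2;
	return (size_t)((ie + ielen) - (mbssid + cpy_len));
}

/* Same calculation with cpy_len as size_t, as in the fix. */
size_t tail_len_fixed(const uint8_t *ie, size_t ielen)
{
	const uint8_t *mbssid = find_mbssid(ie, ielen);
	size_t cpy_len;

	if (!mbssid)
		return 0;
	cpy_len = mbssid[1] + 2;
	return (size_t)((ie + ielen) - (mbssid + cpy_len));
}

/* Copy the tail into dst, refusing to overrun it; returns bytes copied, 0 on refusal. */
size_t copy_after_mbssid(const uint8_t *ie, size_t ielen, uint8_t *dst, size_t dstlen)
{
	size_t tail = tail_len_fixed(ie, ielen);

	if (tail == 0 || tail > dstlen)
		return 0;
	memcpy(dst, ie + ielen - tail, tail);
	return tail;
}

/* Constructed sample: SSID "test", a 254-byte MBSSID element, a 6-byte vendor IE. */
size_t build_sample_ies(uint8_t *buf, size_t cap)
{
	size_t n = 0;

	if (cap < 270)
		return 0;
	buf[n++] = 0;  buf[n++] = 4;   memcpy(buf + n, "test", 4); n += 4;
	buf[n++] = WLAN_EID_MULTIPLE_BSSID; buf[n++] = 254;
	memset(buf + n, 0xAA, 254); n += 254;
	buf[n++] = 0xDD; buf[n++] = 6; memset(buf + n, 0xBB, 6); n += 6;
	return n;                        /* 270 bytes */
}

size_t sample_tail_buggy(void)
{
	uint8_t ie[512];
	size_t n = build_sample_ies(ie, sizeof ie);

	return tail_len_buggy(ie, n);
}

size_t sample_tail_fixed(void)
{
	uint8_t ie[512];
	size_t n = build_sample_ies(ie, sizeof ie);

	return tail_len_fixed(ie, n);
}

/* The fixed copy into a destination of the given size (the fix allocates ielen - 256). */
size_t sample_copy_into(size_t dstlen)
{
	uint8_t ie[512], dst[512];
	size_t n = build_sample_ies(ie, sizeof ie);

	return copy_after_mbssid(ie, n, dst, dstlen);
}
```

For the sample frame the fixed tail is 8 bytes and the buggy tail is 264 bytes, so a destination sized for the real tail (270 - 256 = 14 bytes) would be overrun by exactly 256 bytes. The explicit `tail > dstlen` check in `copy_after_mbssid` is belt and braces on top of the type fix: with the type fixed it never fires, but it turns any future arithmetic mistake into a refused copy rather than a heap overflow.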
-
Vamsi Krishna Gattupalli authored
Validate that the CID is a valid channel number.
Change-Id: Ia30c084801795882a24462fe0b9b4200a7084228
Acked-by: Ranjith Goud Namala <rnamala@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
-
Vamsi Krishna Gattupalli authored
Untrusted application can attach to guestOS and staticPD if it can somehow make INIT IOCTL call with ATTACH flag. This is a potential security issue as the untrusted application can crash guestOS or staticPD. Restrict guestOS or staticPD attach requests if the request is being made using a non-secure device node.
Change-Id: I322c7b242fd0baaf1c1bce2d83b992fecb0ca593
Acked-by: Ekansh Gupta <ekangupt@qti.qualcomm.com>
Signed-off-by: Vamsi Krishna Gattupalli <quic_vgattupa@quicinc.com>
-
Naman Jain authored
Add a check to ensure that overflow does not happen in multiplication operation.
Change-Id: I28ea55c760257775c1bec3fdfb373fe075190cab
Signed-off-by: Naman Jain <quic_namajain@quicinc.com>
Signed-off-by: Kishor Krishna Bhat <quic_kishkris@quicinc.com>
-
prabha authored
Added a flag to indicate memory used in process initialization. This memory would not be removed in internal unmap, to avoid UAF or double free.
Change-Id: Ie470fe58ac334421d186feb41fa67bd24bb5efea
Signed-off-by: prabha <prabha@codeaurora.org>
-
Akhil P Oommen authored
Update the register protection configurations as per the latest recommendation.
Change-Id: I70365268e8e4c7ee4ff28538f22e970822e4edf0
Signed-off-by: Akhil P Oommen <akhilpo@codeaurora.org>
-
- Oct 07, 2021
Linux Build Service Account authored
Change-Id: Ibfef7b06d988d3f411636fdf54529cdb0238004c
-
- Sep 29, 2021
xiaowang authored
bt_gpio_sw_ctrl is configured as input by the PMIC by default. For some platforms such as jr510, gpio_direction_input would lead to a wdog error as only REGISTER read permission is given.
Change-Id: Ie446f2ec9aa7539acf67d88e9635dc9d3d65595a
Signed-off-by: xiaowang <xiaowang@codeaurora.org>
-
- Sep 28, 2021