Ram Prakash Gupta
authored
Buffers allocated in sequential files are used by the firmware loader; when no vendor firmware path is used, the firmware uploader modifies memory in the redzone.

=============================================================================
BUG kmalloc-4k (Tainted: G W OE ): Left Redzone overwritten
-----------------------------------------------------------------------------

0xffffff8854ae0fff-0xffffff8854ae0fff @offset=4095. First byte 0x0 instead of 0xcc
Allocated in kvmalloc_node+0x194/0x2b4 age=10 cpu=2 pid=4758
 __kmem_cache_alloc_node+0x2a8/0x388
 __kmalloc_node+0x60/0x1e0
 kvmalloc_node+0x194/0x2b4
 seq_read_iter+0x8c/0x4f0
 kernfs_fop_read_iter+0x70/0x1ec
 vfs_read+0x238/0x2d8
 ksys_read+0x78/0xe8
 __arm64_sys_read+0x1c/0x2c
 invoke_syscall+0x58/0x114
 el0_svc_common+0xac/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x3c/0x74
 el0t_64_sync_handler+0x68/0xbc
 el0t_64_sync+0x1a8/0x1ac
Freed in kfree_link+0x10/0x20 age=46 cpu=1 pid=4786
 __kmem_cache_free+0x268/0x358
 kfree+0xa0/0x168
 kfree_link+0x10/0x20
 walk_component+0x90/0x128
 link_path_walk+0x27c/0x3cc
 path_openat+0x94/0xc7c
 do_filp_open+0xb8/0x164
 do_sys_openat2+0x84/0xf0
 __arm64_sys_openat+0x70/0x9c
 invoke_syscall+0x58/0x114
 el0_svc_common+0xac/0xe0
 do_el0_svc+0x1c/0x28
 el0_svc+0x3c/0x74
 el0t_64_sync_handler+0x68/0xbc
 el0t_64_sync+0x1a8/0x1ac

Redzone  ffffff8854ae0ff0: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 00
redzone modified                                               ^^
Object   ffffff8854ae1000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Add a check to avoid the memory update in the redzone when no vendor firmware path is used.

Fixes: 2a46f357 ("ANDROID: firmware_loader: Add support for customer firmware paths")
Bug: 395517985
Change-Id: If58a44c0c8a26f3fe58b0e37b0fcc1f0e88e28cb
Signed-off-by: Ram Prakash Gupta <quic_rampraka@quicinc.com>
Signed-off-by: Souradeep Chowdhury <quic_schowdhu@quicinc.com>