In few scenarios, the request frame may get
delayed and current and request frame id may
become same. While user space is informed to
delay a frame in such scenarios, the pattern
shouldn't get reset.
Change-Id: I63f1301fbbe7cba024a686cbd783af25232f1293
Signed-off-by: Meera Gande <mgande@codeaurora.org>
Add check for minimum length before typecasting to build mask
structure to prevent out of bound access while processing
get msg mask command.
CRs-Fixed: 2431047
Change-Id: I5b8341f278b0b46359800e43c604c5671261c728
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
As part of EDID parser, add support to parse extended EDID
Block Map (0xf0) block and parse all subsequent CEA (0x02)
extended EDID Blocks.
Change-Id: I581efae59dde3abf6f297d5a2519ac0088554b64
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
Only Block0 and Block1 of EDID are being read successfully.
Fix EDID segment read failure for Block2 and Block3.
Change-Id: I2d501878c6089b275e77587f3f41416aec2ef389
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
As part of destination scalar on HDMI, INTF3 will be
configured as dual LM single display for higher video
timings. Assign block_id for HDMI INTF.
Change-Id: I09f5eb4136c4a8248f3dc9a36e2d94110419112d
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
Check the size of ADSP payload before accessing it.
CRs-Fixed: 2380694
Change-Id: Icdc19a85b39a397ba6d7177f42ece4626b901832
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
Lock Implementation for avoid race condition leading
to out-of-bound write in "msm_vb2_queue_setup
Change-Id: I386f1709bdf3328ae0c1db44980db8453849babf
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Check if payload data is atleast the minimum expected size
before accessing the data in it.
Change-Id: Ia1295ca5ad5d002122e416fae53588681da687ea
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
Check size of payload array before access in qdsp_mvm_callback.
Change-Id: I81d945f963cfb4a3cb26155700b82880d891ec5e
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
Within EDID parser's data structure, sink_caps of previous
EDID are being retained. Reset sink_caps before parsing new
EDID.
Change-Id: I7927161256ec87ab77b26a9d7bc5e0cd1df5583b
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
Try to allocate mixers LM0 and LM1 to an external pluggable
display if it is configured as primary display.
Change-Id: I81672132a6452535dcd7c2977e76f88a5f3aecf9
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
Check if payload data is big enough before accessing
the data in it.
Change-Id: I939f205a8cebf6ef4859f81fae5429bca013d540
Signed-off-by: Karthikeyan Mani <kmani@codeaurora.org>
set_page_dirty() is racy if the caller has no
reference against page->mapping->host, and if
the page is unlocked. This is because another
CPU could truncate the page off the mapping and
then free the mapping.
Use set_page_dirty_lock() to avoid this race condition.
Change-Id: I517fb9aee66560618c7676b311368f7a7498011f
Signed-off-by: Rajesh Kemisetti <rajeshk@codeaurora.org>
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
Lock Implementation for avoid race condition leading
to out-of-bound write in "msm_vb2_queue_setup
CRs-Fixed: 2362627
Change-Id: I7f7420c7437b9ac2f215929a8614b0846e890c98
Signed-off-by: Vijay kumar Tumati <vtumati@codeaurora.org>
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
When icnss receive server arrive it send wlfw_msa_mem_info_send_sync_msg
QMI request to firmware and in response expect range of addresses and size
to be mapped. Add condition to check whether addresses in response falls
under valid range otherwise it asserts.
Change-Id: I9a8542cb6c3b3cefe112d1f08a76dd2eadf68d2f
Signed-off-by: Naman Padhiar <npadhiar@codeaurora.org>
currently only NULL pointer check is used to validate the return
value from clk_get, this change to handle all the failures.
This snapshot is taken from msm-4.9
Ported it from 4.9 to 4.4
Change-Id: Icd8b7e33d0f235a7c5dde2307972a594908e6a60
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
In case of HDMI as primary, skip pan_display until
handoff completes.
Change-Id: I5af8142292bcac0f085fffab1af99f635d3ff304
Signed-off-by: Venkata Prahlad Valluru <vvalluru@codeaurora.org>
Restrict printing of kernel virtual addresses in SPS driver.
In debug prints, handles to bam device structures may be printed
as integers. As these handles are obtained by casting pointer
to bam device structures to integer, they can reveal addresses
of the structures to attackers.
Cast the handles in debug prints to pointers, printed with with %pK,
which hides these values if kptr_restrict is set (default on Android).
Change-Id: Idd28c7d11a06113605f7428a4cfc2505c1ae0073
Signed-off-by: Jishnu Prakash <jprakash@codeaurora.org>
Validate the buffer size against the parsing command structure size
before parsing to prevent possible out of bound error case.
CRs-Fixed: 2437341
Change-Id: I31c9a556539fce403691294a76160ae4936e7065
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
While processing a packet containing command request, buffer size
need to be checked against size of the command structures that is
being parsed to prevent possible out of bound access.
CRs-Fixed: 2432633
Change-Id: I048bdbd0c096a6d03501bdd5b1d2d4bb50d45dd6
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Prevent possible out of bound access due to missing length check
while extracting dci packet response by adding proper checks.
CRs-Fixed: 2434571
Change-Id: I7b6972bf6559bdca99333a75d989cd6d3431b801
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>
Initialization of channel's local state is not done at the time of
fetching context from list of channels. This leads to race condition
if remote close happens during this time. Remote close will check if
local state is not open then delete channel from list. This leads to
use after free scenerio.
Initialize local state at the time of fetching channel context from
list of channels.
CRs-Fixed: 2155992
Change-Id: If113daba129191bd67ef2460eb4e87c2d5614403
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
Check the size of ADSP payload before accessing it.
CRs-Fixed: 2380694
Change-Id: Icdc19a85b39a397ba6d7177f42ece4626b901832
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
If video state set to DEINIT before processing all frame done
packets in the list may create video failures as explained below,
the client communication to video hardware will fail because of
DEINIT state and client will close the session upon failure which
will happen in parallel to response thread processing the response
packets in the list. It may happen that client already free'd the
buffer references and response thread might access the same buffer
reference and results in use-after-free memory fault. So In case
of sys error from video hardware, set video state to DEINIT after
processing all packets in the list to avoid use-after-free failure
Change-Id: I688c3ec3feb2b5621d75c4da93ee9870aa0e6dfe
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Currently, if processing an SG table consumes more memory
than can fit in the pre-allocated buffer, then calls to
hyp_assign_table() will fail as if there were not enough
memory available to process the request.
Instead, for every call to hyp assign, allocate enough
memory to process the maximum batch size, and process large
SG tables in pieces, using this memory. This avoids failures
due to large SG tables. Also, since the memory for handling
these requests is now allocated per hyp_assign_table() call,
we can drop the pre-allocated buffer, as it is no longer in
use.
Change-Id: Ie9899a5e2c8de6127707609101f5fb557e3f0533
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
No need to process response messages from video hardware
after device went into invalid state. Processing responses
may result in use-after-free memory fault because client
might free all the resources after error.
Change-Id: I3bfb26e5aa52aba33b7b62cda7820dcbc5fe033f
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
If video state set to DEINIT before processing all frame done
packets in the list may create video failures as explained below,
the client communication to video hardware will fail because of
DEINIT state and client will close the session upon failure which
will happen in parallel to response thread processing the response
packets in the list. It may happen that client already free'd the
buffer references and response thread might access the same buffer
reference and results in use-after-free memory fault. So In case
of sys error from video hardware, set video state to DEINIT after
processing all packets in the list to avoid use-after-free failure
Change-Id: I688c3ec3feb2b5621d75c4da93ee9870aa0e6dfe
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Payload size validity is not checked before using it in array index.
Check payload size to avoid out-of-boundary memory.
Change-Id: Ic0b06bb331fc1753ff7543bb218ab12d6a4a3ca8
Signed-off-by: kunleiz <kunleiz@codeaurora.org>
