commit 47bb117911b051bbc90764a8bff96543cbd2005f upstream.
When initially testing the Camera Terminal Descriptor wTerminalType
field (buffer[4]), no mask is used. Later in the function, the MSB is
overloaded to store the descriptor subtype, and so a mask of 0x7fff
is used to check the type.
If a descriptor is specially crafted to set this overloaded bit in the
original wTerminalType field, the initial type check will fail (falling
through, without adjusting the buffer size), but the later type checks
will pass, assuming the buffer has been made suitably large, causing an
overflow.
Avoid this problem by checking for the MSB in the wTerminalType field.
If the bit is set, assume the descriptor is bad, and abort parsing it.
Originally reported here:
https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
A similar (non-compiling) patch was provided at that time.
Change-Id: Icedffeb8d406351675f5195fdd9000a644d07b95
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Alistair Strachan <astrachan@google.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
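The descriptor check described in the message above, as an added C illustration (this is not the upstream patch's code; the descriptor layout follows the USB Video Class spec, the ITT_CAMERA value is assumed from that spec, and the sample descriptors are constructed rather than captured from a device). The validator reads wTerminalType from bytes 4..5, rejects any descriptor whose MSB is already set, and only then sizes the buffer; a second helper shows the masked comparison that the unmasked check disagreed with.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Input-terminal type for a camera, as defined in the USB Video Class
 * specification (assumed here; the patch's own constants are not shown). */
#define ITT_CAMERA 0x0201

enum ct_result { CT_OK = 0, CT_BAD_TYPE_BIT = -1, CT_TOO_SHORT = -2, CT_NOT_CAMERA = -3 };

/* Validate a Camera Terminal Descriptor held in buf[0..buflen).
 * Assumed layout: wTerminalType little-endian at [4..5], bControlSize at
 * [14], bmControls from [15] for bControlSize bytes. */
static enum ct_result validate_camera_terminal(const uint8_t *buf, size_t buflen,
                                               size_t *control_size)
{
    uint16_t type;

    if (buflen < 8)                     /* fixed head up to iTerminal */
        return CT_TOO_SHORT;
    type = (uint16_t)(buf[4] | (buf[5] << 8));

    /* The fix: the MSB is later reused to carry the descriptor subtype, so a
     * descriptor that arrives with it set is rejected before any sizing. */
    if (type & 0x8000)
        return CT_BAD_TYPE_BIT;

    if (type != ITT_CAMERA)
        return CT_NOT_CAMERA;

    /* Camera terminals carry a variable-length bmControls bitmap. */
    if (buflen < 15 || buflen < 15 + (size_t)buf[14])
        return CT_TOO_SHORT;

    *control_size = buf[14];
    return CT_OK;
}

/* The later, masked comparison from the message: it strips the MSB, so it
 * agrees with an unmasked comparison only when that bit is clear. */
static int masked_type_is_camera(const uint8_t *buf)
{
    uint16_t type = (uint16_t)(buf[4] | (buf[5] << 8));
    return (type & 0x7fff) == ITT_CAMERA;
}

/* Constructed sample descriptors (not from any real device): bLength,
 * bDescriptorType, bDescriptorSubtype, bTerminalID, wTerminalType,
 * bAssocTerminal, iTerminal, three 16-bit focal-length fields,
 * bControlSize = 3, then three bmControls bytes. */
static const uint8_t good_ct[18] = {
    18, 0x24, 0x02, 1, 0x01, 0x02, 0, 0,
    0, 0, 0, 0, 0, 0, 3, 0x00, 0x00, 0x00
};
static const uint8_t msb_set_ct[18] = {
    18, 0x24, 0x02, 1, 0x01, 0x82, 0, 0,   /* wTerminalType = 0x8201 */
    0, 0, 0, 0, 0, 0, 3, 0x00, 0x00, 0x00
};

static enum ct_result check_good(void)
{
    size_t n;
    return validate_camera_terminal(good_ct, sizeof good_ct, &n);
}
static size_t good_control_size(void)
{
    size_t n = 0;
    (void)validate_camera_terminal(good_ct, sizeof good_ct, &n);
    return n;
}
static enum ct_result check_msb_set(void)
{
    size_t n;
    return validate_camera_terminal(msb_set_ct, sizeof msb_set_ct, &n);
}
/* Same descriptor, but only 16 of the 18 bytes it needs were delivered. */
static enum ct_result check_truncated(void)
{
    size_t n;
    return validate_camera_terminal(good_ct, 16, &n);
}

int main(void)
{
    printf("good: %d (controls=%zu)\n", (int)check_good(), good_control_size());
    printf("msb set: %d, masked check still says camera: %d\n",
           (int)check_msb_set(), masked_type_is_camera(msb_set_ct));
    printf("truncated: %d\n", (int)check_truncated());
    return 0;
}
```

The point the test makes visible is the disagreement: for the MSB-set descriptor the masked comparison still reports a camera terminal, while the unmasked sizing path would not, which is exactly why the bit has to be rejected up front.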
Currently only a NULL pointer check is used to validate the return
value from clk_get; this change handles all the failures.
Change-Id: I275cb4717c675baf528e05c50058f2c6b0025011
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
The region index for bivcm is not validated against the region size.
This causes an out-of-bound read on the KASAN kernel.
Add a restriction that the region index be smaller than the region size.
CRs-Fixed: 2379514
Change-Id: I72c4a41a4b41c8fa70c174ffd3215a81eaa14355
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Currently only a NULL pointer check is used to validate the return
value from clk_get; this change handles all the failures.
This snapshot is taken from auto-kernel.lnx.4.4.c1;
ported it from auto-kernel.lnx.4.4.c1 to 4.4.
Change-Id: I275cb4717c675baf528e05c50058f2c6b0025011
Signed-off-by: E V Ravi <evenka@codeaurora.org>
In a few scenarios, the request frame may get
delayed and the current and request frame IDs may
become the same. While user space is informed to
delay a frame in such scenarios, the pattern
shouldn't get reset.
Change-Id: I63f1301fbbe7cba024a686cbd783af25232f1293
Signed-off-by: Meera Gande <mgande@codeaurora.org>
Lock implementation to avoid a race condition leading
to an out-of-bound write in "msm_vb2_queue_setup".
Change-Id: I386f1709bdf3328ae0c1db44980db8453849babf
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Lock implementation to avoid a race condition leading
to an out-of-bound write in "msm_vb2_queue_setup".
CRs-Fixed: 2362627
Change-Id: I7f7420c7437b9ac2f215929a8614b0846e890c98
Signed-off-by: Vijay kumar Tumati <vtumati@codeaurora.org>
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
Currently only a NULL pointer check is used to validate the return
value from clk_get; this change handles all the failures.
This snapshot is taken from msm-4.9;
ported it from 4.9 to 4.4.
Change-Id: Icd8b7e33d0f235a7c5dde2307972a594908e6a60
Signed-off-by: Sumalatha Malothu <smalot@codeaurora.org>
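The three clk_get messages above all make the same point: a NULL test does not catch the error pointers that clk_get returns on failure. As an added example (not the driver's code), the following userland C reproduces the kernel's IS_ERR/PTR_ERR/ERR_PTR helpers from include/linux/err.h and uses a constructed fake_clk_get that fails with ERR_PTR(-ENOENT) for an unknown clock name, so the NULL-only check and the IS_ERR check can be compared side by side.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userland copies of the kernel's error-pointer helpers so the example
 * runs outside the kernel. Error codes are encoded as the top 4095
 * addresses, which no valid kernel pointer ever occupies. */
#define MAX_ERRNO 4095
#define IS_ERR_VALUE(x) ((uintptr_t)(x) >= (uintptr_t)-MAX_ERRNO)
static inline void *ERR_PTR(long error) { return (void *)(uintptr_t)error; }
static inline long PTR_ERR(const void *ptr) { return (long)(intptr_t)ptr; }
static inline int IS_ERR(const void *ptr) { return IS_ERR_VALUE((uintptr_t)ptr); }

struct clk { const char *name; };
static struct clk camera_clk = { "cam_clk" };

/* Constructed stand-in for clk_get(): a known name yields the clock, an
 * unknown name yields ERR_PTR(-ENOENT), mirroring the real API's contract. */
static struct clk *fake_clk_get(const char *name)
{
    if (strcmp(name, "cam_clk") == 0)
        return &camera_clk;
    return ERR_PTR(-ENOENT);
}

/* Before the change: only a NULL check. An error pointer is non-NULL,
 * so the failure goes unnoticed and a bogus pointer is handed back. */
static int acquire_clock_null_only(const char *name, struct clk **out)
{
    struct clk *c = fake_clk_get(name);
    if (!c)
        return -ENODEV;
    *out = c;
    return 0;
}

/* After the change: IS_ERR catches every encoded failure and PTR_ERR
 * recovers the errno; the NULL case is kept for configurations where
 * the clock framework hands out a NULL "dummy" clock. */
static int acquire_clock_is_err(const char *name, struct clk **out)
{
    struct clk *c = fake_clk_get(name);
    if (IS_ERR(c))
        return (int)PTR_ERR(c);
    if (!c)
        return -ENODEV;
    *out = c;
    return 0;
}

/* Returns nonzero if the NULL-only check wrongly accepts an error pointer. */
static int null_only_check_is_fooled(void)
{
    struct clk *c = NULL;
    return acquire_clock_null_only("no_such_clk", &c) == 0 && IS_ERR(c);
}
static int is_err_check_rejects(void)
{
    struct clk *c = NULL;
    return acquire_clock_is_err("no_such_clk", &c) == -ENOENT;
}
static int is_err_check_accepts_valid(void)
{
    struct clk *c = NULL;
    return acquire_clock_is_err("cam_clk", &c) == 0 && c == &camera_clk;
}

int main(void)
{
    printf("NULL-only check fooled by ERR_PTR: %d\n", null_only_check_is_fooled());
    printf("IS_ERR check rejects failure: %d\n", is_err_check_rejects());
    printf("IS_ERR check accepts valid clock: %d\n", is_err_check_accepts_valid());
    return 0;
}
```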
No need to process response messages from video hardware
after device went into invalid state. Processing responses
may result in use-after-free memory fault because client
might free all the resources after error.
Change-Id: I3bfb26e5aa52aba33b7b62cda7820dcbc5fe033f
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
If the video state is set to DEINIT before processing all frame done
packets in the list, it may create video failures as explained below:
the client communication to video hardware will fail because of the
DEINIT state, and the client will close the session upon failure, which
will happen in parallel to the response thread processing the response
packets in the list. It may happen that the client has already freed the
buffer references and the response thread might access the same buffer
reference, resulting in a use-after-free memory fault. So in case
of a sys error from video hardware, set the video state to DEINIT after
processing all packets in the list to avoid the use-after-free failure.
Change-Id: I688c3ec3feb2b5621d75c4da93ee9870aa0e6dfe
Signed-off-by: Darshan Kumsi Srinivasa <darssr@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
The jpeg driver is calling class_create with a stack variable, which
can be overwritten by other stack variables.
Bug: 114041685
Change-Id: I3c22a5b3375b970ff6b1c6de983dd5833f4e11d0
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
Signed-off-by: VijayaKumar T M <vtmuni@codeaurora.org>
For production, we shouldn't have any trace_printk entries.
Change-Id: I48e9fabdbbb8da595db350630463bb065a8a6ff7
(cherry picked from commit 99bb9adb91b350bd7ec09c9018eb0901687d85a4)
Signed-off-by: celtare21 <celtare21@gmail.com>
The video driver and firmware communicate over a shared queue.
The queue header has the indices which synchronize the read
and write between the driver and firmware modules.
This change ensures that the indices are within the valid
range before accessing them.
CRs-fixed: 2345481
Change-Id: I8da6bb4218a5b8ec0e2e2c7b87f6cc9eec21bd16
Signed-off-by: Vikash Garodia <vgarodia@codeaurora.org>
Signed-off-by: Paras Nagda <pnagda@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
Fix errors reported after enabling Kernel Control Flow
Integrity (KCFI) on kernel code. This is a security
mechanism that disallows changes to the original
control flow of a compiled binary.
Change-Id: I1e1e901c5889d9928411dc785da88e1eac378560
Signed-off-by: Govindaraj Rajagopal <grajagop@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
In error handling, the code tries to free memory which is not yet
allocated. A fix is added to correct this error handling.
Change-Id: I4e91a95f7ebd9132141d8686ae2bdfaed3a9a8c1
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
Add memory barrier after updating queue header variables
to ensure main memory is updated so that video hardware
reads the updated header values.
CRs-Fixed: 2135048
Change-Id: I1a2778bee16c9093284c4d33980e6985c279f499
Signed-off-by: Vikash Garodia <vgarodia@codeaurora.org>
Signed-off-by: Sanjay Singh <sisanj@codeaurora.org>
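The two shared-queue messages above (index range validation, and the barrier after updating the header) are illustrated together in the following added C example. It is not the video driver's code: the header layout is constructed, the queue is a small ring of 32-bit words, and C11 atomic_thread_fence stands in for the kernel's memory barrier that orders the payload write before the index update. Both the reader and the writer refuse to touch the ring until the header's indices have been checked against the queue size, since the other side of the queue could have corrupted them.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_WORDS 16u   /* constructed capacity, in 32-bit words */

/* Constructed header; the real driver's layout is not shown in the
 * message, only that it carries read and write indices. */
struct queue_header {
    uint32_t size;       /* capacity in words */
    uint32_t read_idx;   /* next word the consumer reads */
    uint32_t write_idx;  /* next word the producer writes */
};

struct shared_queue {
    struct queue_header hdr;
    uint32_t mem[QUEUE_WORDS];
};

static void queue_init(struct shared_queue *q)
{
    memset(q, 0, sizeof *q);
    q->hdr.size = QUEUE_WORDS;
}

/* The range check from the first message: size must be what we allocated
 * and both indices must lie inside it, or nothing else may use them. */
static int queue_header_valid(const struct shared_queue *q)
{
    return q->hdr.size == QUEUE_WORDS &&
           q->hdr.read_idx < q->hdr.size &&
           q->hdr.write_idx < q->hdr.size;
}

/* Words available to read, assuming validated indices (handles wrap). */
static uint32_t queue_avail(const struct shared_queue *q)
{
    return (q->hdr.write_idx + q->hdr.size - q->hdr.read_idx) % q->hdr.size;
}

/* Producer: copy the packet, then publish the new write index. The release
 * fence plays the role of the barrier in the second message: the index must
 * not become visible before the payload it describes. One slot stays free
 * so that read_idx == write_idx always means "empty". */
static int queue_write(struct shared_queue *q, const uint32_t *pkt, uint32_t n)
{
    uint32_t i, idx;
    if (!queue_header_valid(q))
        return -EINVAL;
    if (n == 0 || n >= q->hdr.size - queue_avail(q))
        return -ENOSPC;
    idx = q->hdr.write_idx;
    for (i = 0; i < n; i++) {
        q->mem[idx] = pkt[i];
        idx = (idx + 1) % q->hdr.size;
    }
    atomic_thread_fence(memory_order_release);
    q->hdr.write_idx = idx;
    return 0;
}

/* Consumer: validate, observe the index with acquire ordering, copy out,
 * then publish the advanced read index. */
static int queue_read(struct shared_queue *q, uint32_t *out, uint32_t n)
{
    uint32_t i, idx;
    if (!queue_header_valid(q))
        return -EINVAL;
    atomic_thread_fence(memory_order_acquire);
    if (n == 0 || n > queue_avail(q))
        return -EAGAIN;
    idx = q->hdr.read_idx;
    for (i = 0; i < n; i++) {
        out[i] = q->mem[idx];
        idx = (idx + 1) % q->hdr.size;
    }
    atomic_thread_fence(memory_order_release);
    q->hdr.read_idx = idx;
    return 0;
}

/* Fill most of the ring, drain it, then write again so the indices wrap. */
static int demo_wraparound(void)
{
    struct shared_queue q;
    uint32_t fill[15], out[15], i;
    const uint32_t pkt[3] = { 0xA1, 0xB2, 0xC3 };
    queue_init(&q);
    for (i = 0; i < 15; i++) fill[i] = i;
    if (queue_write(&q, fill, 15) != 0 || queue_write(&q, pkt, 1) != -ENOSPC)
        return 0;
    if (queue_read(&q, out, 15) != 0 || queue_avail(&q) != 0)
        return 0;
    if (queue_write(&q, pkt, 3) != 0 || queue_read(&q, out, 3) != 0)
        return 0;
    return out[0] == 0xA1 && out[1] == 0xB2 && out[2] == 0xC3 && q.hdr.write_idx == 2;
}

/* Constructed corruption: an index far beyond the ring is rejected by both sides. */
static int demo_corrupt_header_rejected(void)
{
    struct shared_queue q;
    uint32_t out[1];
    const uint32_t pkt[1] = { 1 };
    queue_init(&q);
    q.hdr.write_idx = 0xFFFFFFFFu;
    return queue_read(&q, out, 1) == -EINVAL && queue_write(&q, pkt, 1) == -EINVAL;
}

int main(void)
{
    printf("wraparound ok: %d\n", demo_wraparound());
    printf("corrupt header rejected: %d\n", demo_corrupt_header_rejected());
    return 0;
}
```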
Ensure the counts of supported encoders and decoders returned
from firmware are within the range of supported sessions.
Change-Id: If3eae7bc82dc8302444e2e4104fb6ae3cfbfed5a
Signed-off-by: Dikshita Agarwal <dikshita@codeaurora.org>
Signed-off-by: Vasantha Balla <vballa@codeaurora.org>
Due to improper type conversion, a compilation
issue will be seen. Made a change to access the
appropriate type.
Change-Id: I54777fe71a2f29297b439ac26f80b9684222d89a
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Due to improper type conversion, a compilation
issue will be seen. Made a change to access the
appropriate type.
Change-Id: I2c61364f0385c83aa304788cc705bf4ca48ac2cc
Signed-off-by: Meera Gande <mgande@codeaurora.org>
If the user passes an arbitrary command with _IOC_DIR(cmd) == _IOC_NONE,
"arg" should point to any arbitrary address.
Check for an invalid command and return an error.
Change-Id: If60191a07bb80939af2d471a5acf1b17dd68aa58
CRs-Fixed: 2299567
Signed-off-by: Abhishek Abbanaveni <aabban@codeaurora.org>
Invalid type conversion with the x64 bit command VIDIOC_MSM_LASER_LED_CFG
passed in, for which the type should be "msm_laser_led_cfg_data_t".
Change-Id: I43e112224c612fb5390fa5fc23e8ae9c0e553288
CRs-Fixed: 2299699
Signed-off-by: Abhishek Abbanaveni <aabban@codeaurora.org>
Signed-off-by: E V Ravi <evenka@codeaurora.org>
If the user passes an arbitrary command with _IOC_DIR(cmd) == _IOC_NONE,
"arg" should point to any arbitrary address.
Check for an invalid command and return an error.
CRs-Fixed: 2299567
Change-Id: Ibd77adfe53ef0777ff4eb96c914e21f43dfd6749
Signed-off-by: E V Ravi <evenka@codeaurora.org>
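The _IOC_DIR check from the two messages above, as an added C example that is not the driver's code. The ioctl number encoding is copied from the kernel's asm-generic/ioctl.h so the macros read as they do in-kernel; the payload struct, the VIDIOC_EXAMPLE_CFG command and fake_copy_from_user are constructed stand-ins, not the real msm_laser_led_cfg_data_t, VIDIOC_MSM_LASER_LED_CFG or copy_from_user. The handler refuses any command with no direction before it ever looks at "arg", and additionally requires the size encoded in the command to match the structure it is about to copy.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userland copy of the Linux ioctl number encoding (asm-generic/ioctl.h):
 * bits 0..7 nr, 8..15 type, 16..29 size, 30..31 direction. */
#define _IOC_NRBITS    8
#define _IOC_TYPEBITS  8
#define _IOC_SIZEBITS  14
#define _IOC_DIRBITS   2
#define _IOC_NRSHIFT   0
#define _IOC_TYPESHIFT (_IOC_NRSHIFT + _IOC_NRBITS)
#define _IOC_SIZESHIFT (_IOC_TYPESHIFT + _IOC_TYPEBITS)
#define _IOC_DIRSHIFT  (_IOC_SIZESHIFT + _IOC_SIZEBITS)
#define _IOC_NONE  0U
#define _IOC_WRITE 1U
#define _IOC_READ  2U
#define _IOC(dir, type, nr, size)                                         \
    ((unsigned int)(((dir) << _IOC_DIRSHIFT) |                           \
                    ((unsigned int)(type) << _IOC_TYPESHIFT) |           \
                    ((unsigned int)(nr) << _IOC_NRSHIFT) |               \
                    ((unsigned int)(size) << _IOC_SIZESHIFT)))
#define _IO(type, nr)        _IOC(_IOC_NONE, (type), (nr), 0)
#define _IOWR(type, nr, arg) _IOC(_IOC_READ | _IOC_WRITE, (type), (nr), sizeof(arg))
#define _IOC_DIR(nr)  (((nr) >> _IOC_DIRSHIFT) & ((1U << _IOC_DIRBITS) - 1))
#define _IOC_SIZE(nr) (((nr) >> _IOC_SIZESHIFT) & ((1U << _IOC_SIZEBITS) - 1))

/* Constructed payload and command (stand-ins for the real ones). */
struct example_cfg { uint32_t mode; uint32_t value; };
#define VIDIOC_EXAMPLE_CFG _IOWR('V', 1, struct example_cfg)

/* Stand-in for copy_from_user(); the real one also validates that the
 * source lies in the user address range. */
static int fake_copy_from_user(void *dst, const void *src, size_t n)
{
    if (!src)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

static int example_ioctl(unsigned int cmd, const void *arg, struct example_cfg *out)
{
    /* The check from the messages: a command with no direction carries no
     * usable size either, so "arg" must not be dereferenced at all. */
    if (_IOC_DIR(cmd) == _IOC_NONE)
        return -EINVAL;
    /* The size encoded in the command must match the payload the handler
     * is about to copy, whatever ABI the caller was built against. */
    if (_IOC_SIZE(cmd) != sizeof(*out))
        return -EINVAL;

    switch (cmd) {
    case VIDIOC_EXAMPLE_CFG:
        return fake_copy_from_user(out, arg, sizeof(*out));
    default:
        return -ENOTTY;
    }
}

static int none_dir_is_rejected(void)
{
    struct example_cfg out = { 0, 0 };
    return example_ioctl(_IO('V', 1), NULL, &out) == -EINVAL;  /* arg never touched */
}
static uint32_t roundtrip_value(uint32_t v)
{
    struct example_cfg in = { 1, v }, out = { 0, 0 };
    return example_ioctl(VIDIOC_EXAMPLE_CFG, &in, &out) == 0 ? out.value : 0;
}
/* Same type and nr, but the size field claims a one-byte payload. */
static int wrong_size_is_rejected(void)
{
    struct example_cfg in = { 1, 1 }, out = { 0, 0 };
    return example_ioctl(_IOC(_IOC_READ | _IOC_WRITE, 'V', 1, 1), &in, &out) == -EINVAL;
}
static int unknown_cmd_is_enotty(void)
{
    struct example_cfg in = { 1, 1 }, out = { 0, 0 };
    return example_ioctl(_IOWR('V', 2, struct example_cfg), &in, &out) == -ENOTTY;
}

int main(void)
{
    printf("_IOC_NONE rejected: %d\n", none_dir_is_rejected());
    printf("valid cfg round-trips value: %u\n", roundtrip_value(42));
    printf("wrong size rejected: %d, unknown cmd ENOTTY: %d\n",
           wrong_size_is_rejected(), unknown_cmd_is_enotty());
    return 0;
}
```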
In a few scenarios where the buffers are not
queued from the HAL, a request queue overflow is seen.
Added changes to reset the queue at destroy and
when the buffer is not available to process.
Change-Id: I7239175dda9cbc26fb65f568cbc5f7183ceaa24d
Signed-off-by: Meera Gande <mgande@codeaurora.org>
In a few scenarios where the register update ioctl is
missed, the handling of frame drop does not work,
as the frame drop pattern is not
set correctly. Once the epoch handling is done,
we need to re-configure the buffer and pattern.
Change-Id: I87b2cecda7e7e1addc68511dad6a80498051f87a
Signed-off-by: Meera Gande <mgande@codeaurora.org>
In a few scenarios, the request frame may get
delayed and the current and request frame IDs may
become the same. To handle such scenarios, made
changes to inform the user to delay a frame and
process the request.
Change-Id: I31fa04c386922c48a043c511a163c76316e21987
Signed-off-by: Meera Gande <mgande@codeaurora.org>
In a 64-bit kernel with 32-bit userspace, ioctl_ptr is from
kernel space, so copy_from_user should NOT be called.
In a 64-bit kernel with 64-bit userspace, ioctl_ptr is from
user space; use copy_from_user to copy the data.
Use is_compat_task to distinguish the two conditions.
CRs-Fixed: 2283160
Change-Id: If9205e4f3176a52e52f694a3183dc9c5b7617a97
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
In a 64-bit kernel with 32-bit userspace, ioctl_ptr is from
kernel space, so copy_from_user should NOT be called.
In a 64-bit kernel with 64-bit userspace, ioctl_ptr is from
user space; use copy_from_user to copy the data.
Use is_compat_task to distinguish the two conditions.
CRs-Fixed: 2283160
Change-Id: If9205e4f3176a52e52f694a3183dc9c5b7617a97
Signed-off-by: Haibin Liu <haibinl@codeaurora.org>
1080p60Hz HDMI_OUT(PC) is not displayed in TIF due to a wrong clock value,
so increase the clock value to 148.5MHz in the Detailed Timing Descriptor
and reorder the video data block to support 1080p60Hz.
Change-Id: I91ffc02f97c9b4fa5362444382af1b91af9c03b6
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
In the msm_cpp_irq function, tx_level is read using msm_camera_io_r().
However, this value is never verified to be lower than
MSM_CPP_TX_FIFO_LEVEL (16). As tx_level is used as the upper bound
for the following loop, any value bigger than 16 will result in a
buffer overflow. Hence handle this case as an error with an error log.
Change-Id: I13222b315c3c9ee46bedb8b4e8e161179fea321d
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
Check the cid number to be less than MAX_CID in csid.
Change-Id: I16777dc8e8c72e01dc10490cd4c205c939adb7b5
Signed-off-by: Chunhuan Zhan <zhanc@codeaurora.org>
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>
The jpeg driver is calling class_create with a stack variable, which
can be overwritten by other stack variables.
Change-Id: I92ccd4629cef8a06b7715b8483cf53a9607bd22f
Signed-off-by: Deepak Shankar <dees@codeaurora.org>
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>