Commit graph

1540 commits

Author SHA1 Message Date
codeworkx
f6334e63fa Merge tag 'LA.UM.7.4.r1-05400-8x98.0' into lineage-16.0
"LA.UM.7.4.r1-05400-8x98.0"

Change-Id: Iaa6db184c519b1a6f8de9b989ba402f156bec25c
2019-08-10 14:13:49 +02:00
Deepak Kumar Singh
f94667b92e soc: qcom: smem: validate fields of shared structures
Structures in shared memory that can be modified by remote
processors may have untrusted values, they should be validated
before use.

Adding proper validation before using fields of shared
structures.

CRs-Fixed: 2421611
Change-Id: Ifed71c506a26105eac3db9ee35f086d7dbf5a3a3
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
2019-06-27 04:12:57 -07:00
Deepak Kumar Singh
166ba6a45b soc: qcom: smem: validate fields of shared structures
Structures in shared memory that can be modified by remote
processors may have untrusted values, they should be validated
before use.

Adding proper validation before using fields of shared
structures.

CRs-Fixed: 2421602
Change-Id: I947ed5b0fe5705e5223d75b0ea8aafb36113ca5a
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
2019-06-17 23:14:53 -07:00
codeworkx
15f81a19b5 Merge tag 'LA.UM.7.4.r1-05300-8x98.0' into lineage-16.0
"LA.UM.7.4.r1-05300-8x98.0"

Change-Id: I8e27939efccb7d0bda0ac7c4e32afdf3c6d62507
2019-06-16 08:15:21 +02:00
Anmolpreet Kaur
6dc4873f91 qcom: smcinvoke: Fix stack overflow for arr_filp
arr_filp is an alias to filp_to_release. It is exposed
to access indices greater than allotted space of 15 bytes,
equal to size of OBJECT_COUNTS_MAX_OO. This change fixes
the stack overflow by taking an independent variable to track
the number of output objects.

Change-Id: Idca9cef3c69693d27d4ca3d0e0b4845fc27c998a
Signed-off-by: Anmolpreet Kaur <anmolpre@codeaurora.org>
2019-06-04 03:32:39 -07:00
Naman Padhiar
1c16771a7b icnss: Add check on msa region
When icnss receives server arrive, it sends a wlfw_msa_mem_info_send_sync_msg
QMI request to firmware and in response expects a range of addresses and size
to be mapped. Add a condition to check whether the addresses in the response fall
under a valid range; otherwise it asserts.

Change-Id: I9a8542cb6c3b3cefe112d1f08a76dd2eadf68d2f
Signed-off-by: Naman Padhiar <npadhiar@codeaurora.org>
2019-05-14 23:14:39 -07:00
Isaac J. Manjarres
94b0437277 soc: qcom: secure_buffer: Process large SG tables in batches
Currently, if processing an SG table consumes more memory
than can fit in the pre-allocated buffer, then calls to
hyp_assign_table() will fail as if there were not enough
memory available to process the request.

Instead, for every call to hyp assign, allocate enough
memory to process the maximum batch size, and process large
SG tables in pieces, using this memory. This avoids failures
due to large SG tables. Also, since the memory for handling
these requests is now allocated per hyp_assign_table() call,
we can drop the pre-allocated buffer, as it is no longer in
use.

Change-Id: Ie9899a5e2c8de6127707609101f5fb557e3f0533
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2019-05-02 23:04:15 -07:00
Dhoat Harpal
bc0ac2b798 soc: qcom: glink: Initialize local state while fetching ctx
Initialization of channel's local state is not done at the time of
fetching context from list of channels. This leads to race condition
if remote close happens during this time. Remote close will check if
local state is not open then delete channel from list. This leads to
use after free scenario.

Initialize local state at the time of fetching channel context from
list of channels.

CRs-Fixed: 2155992
Change-Id: If113daba129191bd67ef2460eb4e87c2d5614403
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
2019-04-25 03:32:56 -07:00
Jean-Baptiste Theou
d02272f418 remove faulty trace_printk
For production, we shouldn't have any trace_printk entries

Change-Id: I48e9fabdbbb8da595db350630463bb065a8a6ff7
(cherry picked from commit 99bb9adb91b350bd7ec09c9018eb0901687d85a4)
Signed-off-by: celtare21 <celtare21@gmail.com>
2019-04-19 09:24:48 +02:00
Ajit Pandey
9d3ba87f26 drivers: soc: qcom: Added check to avoid opening multiple instance
Opening of multiple instance of voice_svc user space from app will
lead to pointer dereference of private data within apr callback. As
multi-instance not supported added check to deny open() from user
space if previous instance hasn't been closed.

Change-Id: Ia5ef16c69a517760fc9d45530a8a41a333fa2a21
Signed-off-by: Ajit Pandey <ajitp@codeaurora.org>
2019-04-02 04:53:53 -07:00
Sandeep Singh
ab8f63420c icnss: Add Api to Block/Unblock modem shutdown
Add API to Block/Unblock modem graceful shutdown.

Change-Id: I69b061fc7d25762b2c36d9590802addfc170f91f
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
2019-03-27 18:10:38 +05:30
Sandeep Singh
0fe53af862 icnss: Defer modem graceful shutdown until probe complete
In case WLAN driver probe is in progress and modem graceful
shutdown occurs and if modem shutdown request is sent just
before the mode on request sent to firmware, firmware may end up
in illegal memory access.
To address this issue, modem notifier needs to be blocked needs for
probe to complete or max 5 seconds timeout.

CRs-Fixed: 2381846
Change-Id: I9e13a11c56059cb29e161c34df11de484f87ac5e
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
2019-03-27 17:08:56 +05:30
Sandeep Singh
14961ab5bb icnss: Add support for graceful shutdown
Add a QMI command to indicate graceful shutdown to the FW
and updating the QMI file.

Change-Id: I0360f6f5b49bc19ea4a7acbbd0e192e1596463d6
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
2019-03-20 03:52:07 -07:00
codeworkx
6861312cbe Merge tag 'LA.UM.7.4.r1-04700-8x98.0' into auto
"LA.UM.7.4.r1-04700-8x98.0"

Change-Id: I777ab5e199fb463581fbfaf4750c8358d6f9e56f
2019-03-10 16:59:28 +01:00
Vatsal Bucha
e8629a0959 qdsp6v2: apr: check for packet size to header size comparison
Check if packet size is large enough to hold the header.

Change-Id: I7261f8111d8b5f4f7c181e469de248a732242d64
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
2019-03-03 22:36:36 -08:00
Deepak Kumar Singh
3f49920e67 soc: qcom: Validate read and write index before calculating ptr
Currently we are not validating read and write index of
tx and rx fifo's before calculating ptr, this can lead to
out-of-bound access. The patch adds proper check for the same.

CR-Fixed: 2355425
Change-Id: I7b158e94ae743a90ac364783fe31914ca0fa582b
Signed-off-by: Deepak Kumar Singh <deesin@codeaurora.org>
2019-02-17 21:25:32 -08:00
Xiaojun Sang
1d6109e0e9 ipc: Implement FIFO queue to fix sequence inconsistency
The SVA history buffer is out of order if there are
more than 2 continuous RX buffer done from GLINK. Implement
FIFO to ensure sequence consistency.

Change-Id: If70e2d0160e8f3140d621298b0db03bd89ba88ba
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
2019-01-31 10:48:51 +08:00
Ashish Jain
78dbe61ac5 soc: qcom: fix race condition while freeing private data
WDSP private data structure is freed in wdsp_glink_release()
but some of the member variables like work_queue pointer is
accessed even after free. Fix this issue by making sure that
glink callback functions are finished execution
before freeing up wdsp private data structure.

Change-Id: Ia4dd9d667109168874dc9188d70741cb9541b0c6
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
Signed-off-by: Ashish Jain <ashishj@codeaurora.org>
2018-12-26 00:42:07 -08:00
Hardik Arya
b4e96cbba2 soc: qcom: Remove smp2p test support
Smp2p test code is used internally to test the
functionality of drivers and has no real use case
in end product.

Change-Id: I7a50c077bb71068188b5411424c5782b3d0edbb7
Signed-off-by: Hardik Arya <harya@codeaurora.org>
2018-12-26 07:58:27 +01:00
Isaac J. Manjarres
d7a4d79fa6 soc: qcom: service-locator: Free PD list after client use
Currently, when a client invokes the service-locator to get
the domain list for a service, a data structure is dynamically
allocated to hold this information, and that is given to the
client for use. However, after the client uses the domain list,
the data structure is not freed, resulting in a memory leak.

Free domain list data structure after client use to fix
memory leak.

Change-Id: I2b87afefbb35c2c296b4267450fa3152e3725ab9
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-12-26 07:58:27 +01:00
Yuanyuan Liu
0185d5c847 icnss: NULL terminate the fw build timestamp string
If fw build timestamp passed by QMI is a non-NULL terminated string,
it might result in an out-of-bounds read in icnss_get_soc_info. Hence,
manually NULL terminate the string.

Change-Id: I252196cd12784d841b29303c42591efc59da64f1
CRs-Fixed: 2322317
Signed-off-by: Yuanyuan Liu <yuanliu@codeaurora.org>
2018-12-26 07:58:27 +01:00
Anurag Chouhan
b025cdfd53 icnss: Add check for rejuvenate in fw_down
Currently, fw_down is not getting set in case of rejuvenate
since the qmi server never exit or arrive in case of rejuvenate.
Add ICNSS_REJUVENATE flag to take care of rejuvenate.

Change-Id: If85e8048cbad9a15e1c94af1c8d0012e004e6150
Signed-off-by: Anurag Chouhan <achouhan@codeaurora.org>
2018-12-26 07:53:57 +01:00
liochen
8148b9d900 Synchronize codes for OnePlus5 & 5T OxygenOS 9.0.0
kernel device tree source code for OnePlus 5 & 5T P device

Change-Id: I84f40e66833ea1ce30eb1d9a710d6e1529e9e637
2018-12-26 11:02:39 +08:00
Linux Build Service Account
210920e31e Merge "icnss: Remove WARN_ON during self recovery trigger" 2018-12-02 07:30:30 -08:00
Kaushal Kumar
95645a63ac soc: qcom: scm: Add a noretry variant for scm_call2
scm_call2 can block scm calls up to 2s due to its
retry mechanism whenever the secure firmware is
busy waiting for certain processing by the client
who in turn is waiting upon its scm call to either
complete or return with failure.

Upon early return, client can process the pending
requests to free up secure firmware and unblock
processing of all pending scm calls. Add a noretry
variant for scm_call2 which can be used by clients
who do not intend to wait for 2s for return status.

Change-Id: I1f0849464a64c32a4de4510fa5787b0ab328725c
Signed-off-by: Kaushal Kumar <kaushalk@codeaurora.org>
2018-11-28 22:39:41 -08:00
Hardik Kantilal Patel
e0ce9d1bb0 icnss: Remove WARN_ON during self recovery trigger
Remove WARN_ON during self recovery trigger to avoid
false positive while doing stress testing of self
recovery feature.

CRs-Fixed: 2296234
Change-Id: Ibe858f74ccb78565c98ba249a244f6bceb0ca1e5
Signed-off-by: Hardik Kantilal Patel <hkpatel@codeaurora.org>
2018-11-28 02:08:27 -08:00
Hardik Arya
e10ca47f4b soc: qcom: Remove smp2p test support
Smp2p test code is used internally to test the
functionality of drivers and has no real use case
in end product.

Change-Id: I7a50c077bb71068188b5411424c5782b3d0edbb7
Signed-off-by: Hardik Arya <harya@codeaurora.org>
2018-11-14 02:09:25 -08:00
Isaac J. Manjarres
b8cab6d175 soc: qcom: service-locator: Free PD list after client use
Currently, when a client invokes the service-locator to get
the domain list for a service, a data structure is dynamically
allocated to hold this information, and that is given to the
client for use. However, after the client uses the domain list,
the data structure is not freed, resulting in a memory leak.

Free domain list data structure after client use to fix
memory leak.

Change-Id: I2b87afefbb35c2c296b4267450fa3152e3725ab9
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-11-06 23:09:32 -08:00
Yuanyuan Liu
b97feb8274 icnss: NULL terminate the fw build timestamp string
If fw build timestamp passed by QMI is a non-NULL terminated string,
it might result in an out-of-bounds read in icnss_get_soc_info. Hence,
manually NULL terminate the string.

Change-Id: I252196cd12784d841b29303c42591efc59da64f1
CRs-Fixed: 2322317
Signed-off-by: Yuanyuan Liu <yuanliu@codeaurora.org>
2018-10-29 17:44:15 -07:00
Anurag Chouhan
6aa022f4eb icnss: Add check for rejuvenate in fw_down
Currently, fw_down is not getting set in case of rejuvenate
since the qmi server never exit or arrive in case of rejuvenate.
Add ICNSS_REJUVENATE flag to take care of rejuvenate.

Change-Id: If85e8048cbad9a15e1c94af1c8d0012e004e6150
Signed-off-by: Anurag Chouhan <achouhan@codeaurora.org>
2018-09-30 22:53:57 -07:00
Linux Build Service Account
727593cbf7 Merge "drivers: soc: qcom: qcpe: Fix return values" 2018-09-18 09:44:50 -07:00
Arun Kumar Neelakantam
57efc49c75 soc: qcom: glink: Fix not sending READ_NOTIF command issue
The "tx_blocked_signal_sent" flag is not reset correctly after receiving
the interrupt from the remote side. Hence further READ_NOTIF commands are
not written into FIFO in FIFO full case.

Reset the "tx_blocked_signal_sent" correctly after write space available
in FIFO.

CRs-Fixed: 2175526
Change-Id: I236da2a2b984b3f3cce8400b50f72ce1016d7e40
Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org>
2018-09-18 00:26:26 -07:00
Linux Build Service Account
dc0d5979ff Merge "soc: qcom: hab: add IRQF_NO_SUSPEND to irq flags." 2018-09-17 14:15:30 -07:00
Amit Blay
5a586db95c drivers: soc: qcom: qcpe: Fix return values
In some of the SCM APIs implemented by the QCPE front end,
some return values were not propagated correctly.

Change-Id: I2b0aa7f5511eac384db82a65b380a5d964514e57
Signed-off-by: Amit Blay <ablay@codeaurora.org>
2018-09-17 20:10:15 +03:00
Yimin Peng
faf465d713 soc: qcom: hab: add IRQF_NO_SUSPEND to irq flags.
The virtclk can disable clocks by hab in suspend flow. If hab irq is
disabled then, the power manage task will stick in uninterruptible hab
receive function.

Change-Id: I780ecede7494346953f5f77d665dd77c2cc6d28a
Signed-off-by: Yimin Peng <yiminp@codeaurora.org>
2018-09-17 16:00:56 +08:00
Linux Build Service Account
d90306cf96 Merge "soc: qcom: socinfo: Add support for SDM455 soc-id" 2018-09-14 10:02:34 -07:00
Zhenhua Huang
371698455c soc: qcom: secure_buffer: Fix the parameter passing to dmac_flush_range
For "chunk_list + chunk_list_len", if the chunk_list is type of u32*,
the chunk_list_len will be 4 * of original size. So we flushed a wrong
area size. In some condition like we enabled CONFIG_DEBUG_PAGEALLOC, it
may flush out of page bound of the invalid pte page.

Fix it by manually convert it as void* when doing the addition.

CRs-Fixed: 2309993
Change-Id: I2b88d78ba73d9904fa2bf6106937001715b6037f
Signed-off-by: Zhenhua Huang <zhenhuah@codeaurora.org>
2018-09-13 19:43:51 -07:00
Hardik Arya
1d182aebf4 soc: qcom: glink_spi_xprt: Validate fifo read index of remote side
Since message received from spi cannot be trusted there is possibility
of out-of-bound read if received read_id is not in range of fifo.
The patch validates rx_fifo_read index of edge info for remote side.

Change-Id: I3d3fa749935f477e5f98f986adc24e6e6a682d4d
Signed-off-by: Hardik Arya <harya@codeaurora.org>
2018-09-10 23:05:39 -07:00
Teng Fei Fan
8cfbfe24f1 soc: qcom: socinfo: Add support for SDM455 soc-id
Add socinfo support for SDM455 Soc and update the
bindings for the same.

Change-Id: I9b30795e202d84ae06020983b2d656772fb4f313
Signed-off-by: Teng Fei Fan <tengfei@codeaurora.org>
2018-09-10 10:36:23 +08:00
Linux Build Service Account
efcfd7d353 Merge "audio: qdsp6v2: check EINTR when retry for habmm_socket_recv" 2018-09-06 07:25:57 -07:00
Tony Han
51139b0339 audio: qdsp6v2: check EINTR when retry for habmm_socket_recv
HAB returns -EINTR instead of -EAGAIN to request a retry from the
habmm_socket_recv() call.

Change-Id: I61bcef5c11048a3947b8079d1591937d7b83602a
Signed-off-by: Tony Han <xiahan@codeaurora.org>
2018-09-06 11:43:52 +08:00
Anant Goel
92d889892a soc: qcom: subsystem_notif_virt: Fix error condition check
An error check casts an integer to a pointer. Fix the error
check so that the integer is not cast to a pointer.

Change-Id: Ib15634745cc2243e4fe54557d6670956d8349e93
Signed-off-by: Anant Goel <anantg@codeaurora.org>
2018-09-05 10:10:32 -07:00
Anurag Chouhan
e7ad20af9a icnss: Add a flag to indicate FW rejuvenate
Add a flag to maintain fw rejuvenate state,
set if fw rejuvenate happens and reset at fw ready.
export an API to the wlan host driver to distinguish the
case of ssr or pdr with the FW rejuvenate.

Change-Id: I7a01cc4996f68f78aa13eacf36648331a701882a
Signed-off-by: Anurag Chouhan <achouhan@codeaurora.org>
2018-08-30 02:21:41 -07:00
Linux Build Service Account
6545aa3c27 Merge "soc: qcom: subsystem_notif_virt: Added support for virtual subsystems" 2018-08-28 04:03:01 -07:00
Anant Goel
cfb0bb1719 soc: qcom: subsystem_notif_virt: Added support for virtual subsystems
The driver is modified to allow communication between a virtual
subsystem, and its native clients.

Change-Id: I40854327431f3691f76df9d781dbd0a24090594e
Signed-off-by: Anant Goel <anantg@codeaurora.org>
2018-08-27 18:45:03 -07:00
Linux Build Service Account
f63b4db1ff Merge "icnss: Clear ICNSS_MSA0_ASSIGNED flag in cap failure case" 2018-08-27 18:28:15 -07:00
Hardik Kantilal Patel
60e1b7e682 icnss: Clear ICNSS_MSA0_ASSIGNED flag in cap failure case
During capability qmi message failure ICNSS_MSA0_ASSIGNED
flag is not getting clear. Due to this after PDR/SSR next
time it is not configuring the MSA0 permission to q6 which
result into NOC error as q6 is not having access permission.

To address above issue clear ICNSS_MSA0_ASSIGNED bit in
failure case.

CRs-Fixed: 2300877
Change-Id: I6aeaedb5a394b843c4f1c8ef1e0be47a6947b331
Signed-off-by: Hardik Kantilal Patel <hkpatel@codeaurora.org>
2018-08-24 14:19:26 +05:30
Yong Ding
8bdbc287ee soc: qcom: hab: fix the incompatible pointer initialization warning
Such warning of "initialization from incompatible pointer type"
is found in the build time, and it's good to fix it.

Change-Id: Iaf820ae7ec4a7851185febbdebaaab3706fb2402
Signed-off-by: Yong Ding <yongding@codeaurora.org>
2018-08-23 13:22:32 +08:00
Linux Build Service Account
bf2009f9d8 Merge "soc: qcom: pil: Disable a clock to maintain clock state across modem SSR" 2018-08-10 11:08:39 -07:00
Anant Goel
c4273f6c0c soc: qcom: pil: Disable a clock to maintain clock state across modem SSR
A disable and unprepare is called on a clock which is voted for, but never
unvoted for. By disabling and unpreparing this clock, the clock state is
maintained the same across modem restarts.

Change-Id: I4d6cb219ac718de4b7bad593d7f7aa9fd67b1cef
Signed-off-by: Anant Goel <anantg@codeaurora.org>
2018-08-09 23:26:26 -07:00