Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.4.232 2023-01-24T06:18:00+00:00 2023-01-24T06:18:00+00:00 Ola Jeppsson ola@snap.com 2022-11-24T17:49:41+00:00 urn:sha1:556dfdb226ce1e5231d8836159b23f8bb0395bf4 commit 96b328d119eca7563c1edcc4e1039a62e6370ecb upstream. It is possible that in between calling fastrpc_map_get() until map->fl->lock is taken in fastrpc_free_map(), another thread can call fastrpc_map_lookup() and get a reference to a map that is about to be deleted. Rewrite fastrpc_map_get() to only increase the reference count of a map if it's non-zero. Propagate this to callers so they can know if a map is about to be deleted. Fixes this warning: refcount_t: addition on 0; use-after-free. WARNING: CPU: 5 PID: 10100 at lib/refcount.c:25 refcount_warn_saturate ... Call trace: refcount_warn_saturate [fastrpc_map_get inlined] [fastrpc_map_lookup inlined] fastrpc_map_create fastrpc_internal_invoke fastrpc_device_ioctl __arm64_sys_ioctl invoke_syscall Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: stable <stable@kernel.org> Signed-off-by: Ola Jeppsson <ola@snap.com> Signed-off-by: Abel Vesa <abel.vesa@linaro.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Link: https://lore.kernel.org/r/20221124174941.418450-4-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-01-24T06:18:00+00:00 Abel Vesa abel.vesa@linaro.org 2022-11-24T17:49:40+00:00 urn:sha1:4b5c44e924a571d0ad07054de549624fbc04e4d7 commit 5bb96c8f9268e2fdb0e5321cbc358ee5941efc15 upstream. Do not remove the map from the list on error path in fastrpc_init_create_process, instead call fastrpc_map_put, to avoid use-after-free. Do not remove it on fastrpc_device_release either, call fastrpc_map_put instead. The fastrpc_free_map is the only proper place to remove the map. This is called only after the reference count is 0. Fixes: b49f6d83e290 ("misc: fastrpc: Fix a possible double free") Cc: stable <stable@kernel.org> Co-developed-by: Ola Jeppsson <ola@snap.com> Signed-off-by: Ola Jeppsson <ola@snap.com> Signed-off-by: Abel Vesa <abel.vesa@linaro.org> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Link: https://lore.kernel.org/r/20221124174941.418450-3-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-09-15T10:04:51+00:00 Johan Hovold johan+linaro@kernel.org 2022-08-29T08:05:30+00:00 urn:sha1:f8632b8bb53ebc005d8f24a68a0c1f9678c0e908 commit d245f43aab2b61195d8ebb64cef7b5a08c590ab4 upstream. The probe session-duplication overflow check incremented the session count also when there were no more available sessions so that memory beyond the fixed-size slab-allocated session array could be corrupted in fastrpc_session_alloc() on open(). Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model") Cc: stable@vger.kernel.org # 5.1 Signed-off-by: Johan Hovold <johan+linaro@kernel.org> Link: https://lore.kernel.org/r/20220829080531.29681-3-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-09-15T10:04:51+00:00 Johan Hovold johan+linaro@kernel.org 2022-08-29T08:05:29+00:00 urn:sha1:ec186b9f4aa2e6444d5308a6cc268aada7007639 commit 9baa1415d9abdd1e08362ea2dcfadfacee8690b5 upstream. Add the missing sanity check on the probed-session count to avoid corrupting memory beyond the fixed-size slab-allocated session array when there are more than FASTRPC_MAX_SESSIONS sessions defined in the devicetree. Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model") Cc: stable@vger.kernel.org # 5.1 Signed-off-by: Johan Hovold <johan+linaro@kernel.org> Link: https://lore.kernel.org/r/20220829080531.29681-2-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-02-16T11:52:50+00:00 Mathias Krause minipli@grsecurity.net 2022-01-27T13:02:18+00:00 urn:sha1:4e6fd2b5fcf8e7119305a6042bd92e7f2b9ed215 [ Upstream commit 46963e2e0629cb31c96b1d47ddd89dc3d8990b34 ] If the copy back to userland fails for the FASTRPC_IOCTL_ALLOC_DMA_BUFF ioctl(), we shouldn't assume that 'buf->dmabuf' is still valid. In fact, dma_buf_fd() called fd_install() before, i.e. "consumed" one reference, leaving us with none. Calling dma_buf_put() will therefore put a reference we no longer own, leading to a valid file descritor table entry for an already released 'file' object which is a straight use-after-free. Simply avoid calling dma_buf_put() and rely on the process exit code to do the necessary cleanup, if needed, i.e. if the file descriptor is still valid. Fixes: 6cffd79504ce ("misc: fastrpc: Add support for dmabuf exporter") Acked-by: Christian König <christian.koenig@amd.com> Signed-off-by: Mathias Krause <minipli@grsecurity.net> Link: https://lore.kernel.org/r/20220127130218.809261-1-minipli@grsecurity.net Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-12-14T13:49:06+00:00 Jeya R jeyr@codeaurora.org 2021-11-24T16:31:21+00:00 urn:sha1:b8a2c49aa956dde5d146c1c36c4b622112663f3f commit 3a1bf591e9a410f220b7405a142a47407394a1d5 upstream. The buffer list is sorted and this is not being considered while calculating packet size. This would lead to improper copy length calculation for non-dmaheap buffers which would eventually cause sending improper buffers to DSP. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Signed-off-by: Jeya R <jeyr@codeaurora.org> Link: https://lore.kernel.org/r/1637771481-4299-1-git-send-email-jeyr@codeaurora.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2021-03-17T16:03:52+00:00 Dmitry Baryshkov dmitry.baryshkov@linaro.org 2021-02-12T19:26:58+00:00 urn:sha1:e4b52c7cbaaf4d11288d331b654b0fac450e4971 commit 20c40794eb85ea29852d7bc37c55713802a543d6 upstream. Verify that user applications are not using the kernel RPC message handle to restrict them from directly attaching to guest OS on the remote subsystem. This is a port of CVE-2019-2308 fix. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context Invoke method") Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Cc: Jonathan Marek <jonathan@marek.ca> Cc: stable@vger.kernel.org Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org> Link: https://lore.kernel.org/r/20210212192658.3476137-1-dmitry.baryshkov@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-24T15:50:13+00:00 Srinivas Kandagatla srinivas.kandagatla@linaro.org 2020-05-12T11:09:30+00:00 urn:sha1:08f396eb02c8e5adf8c933414627879ae39876e5 [ Upstream commit 74003385cf716f1b88cc7753ca282f5493f204a2 ] fastrpc_invoke_ctx can have refcount of 2 in error path where rpmsg_send() fails to send invoke message. decrement the refcount properly in the error path to fix this leak. This also fixes below static checker warning: drivers/misc/fastrpc.c:990 fastrpc_internal_invoke() warn: 'ctx->refcount.refcount.ref.counter' not decremented on lines: 990. Fixes: c68cfb718c8f ("misc: fastrpc: Add support for context") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Link: https://lore.kernel.org/r/20200512110930.2550-1-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-24T15:50:13+00:00 Srinivas Kandagatla srinivas.kandagatla@linaro.org 2020-05-11T16:27:22+00:00 urn:sha1:8d8991bb2bf042d46fe277d7a52adccdfc98b8eb [ Upstream commit 0978de9fc7335c73934ab8fac189fb4cb3f23191 ] fastrpc_channel_ctx is not freed if misc_register() fails, this would lead to a memory leak. Fix this leak by adding kfree in misc_register() error path. Fixes: 278d56f970ae ("misc: fastrpc: Reference count channel context") Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Link: https://lore.kernel.org/r/20200511162722.2552-1-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2019-12-31T15:43:58+00:00 Srinivas Kandagatla srinivas.kandagatla@linaro.org 2019-10-09T14:41:20+00:00 urn:sha1:6083bbaee80f6bc4e489c3648db9a23175b0c4a9 [ Upstream commit 2d10d2d170723e9278282458a6704552dcb77eac ] Fix a memory leak in miscdev->name by using devm_variant Orignally reported by kmemleak: [<ffffff80088b74d8>] kmemleak_alloc+0x50/0x84 [<ffffff80081e015c>] __kmalloc_track_caller+0xe8/0x168 [<ffffff8008371ab0>] kvasprintf+0x78/0x100 [<ffffff8008371c6c>] kasprintf+0x50/0x74 [<ffffff8008507f2c>] fastrpc_rpmsg_probe+0xd8/0x20c [<ffffff80086b63b4>] rpmsg_dev_probe+0xa8/0x148 [<ffffff80084de50c>] really_probe+0x208/0x248 [<ffffff80084de2dc>] driver_probe_device+0x98/0xc0 [<ffffff80084dec6c>] __device_attach_driver+0x9c/0xac [<ffffff80084dca8c>] bus_for_each_drv+0x60/0x8c [<ffffff80084de64c>] __device_attach+0x8c/0x100 [<ffffff80084de6e0>] device_initial_probe+0x20/0x28 [<ffffff80084dcbd0>] bus_probe_device+0x34/0x7c [<ffffff80084da32c>] device_add+0x420/0x498 [<ffffff80084da680>] device_register+0x24/0x2c Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org> Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org> Link: https://lore.kernel.org/r/20191009144123.24583-3-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>