4.14-stable patches

added patches:
	remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
	remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch

diff --git a/queue-4.14/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch b/queue-4.14/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
new file mode 100644 (file)
index 0000000..9be96ad
--- /dev/null
+++ b/queue-4.14/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
@@ -0,0 +1,61 @@
+From foo@baz Wed Feb 10 03:25:39 PM CET 2021
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Thu, 23 Jul 2020 01:40:45 +0530
+Subject: remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit e013f455d95add874f310dc47c608e8c70692ae5 upstream
+
+The following mem abort is observed when the mba firmware size exceeds
+the allocated mba region. MBA firmware size is restricted to a maximum
+size of 1M and remaining memory region is used by modem debug policy
+firmware when available. Hence verify whether the MBA firmware size lies
+within the allocated memory region and is not greater than 1M before
+loading.
+
+Err Logs:
+Unable to handle kernel paging request at virtual address
+Mem abort info:
+...
+Call trace:
+  __memcpy+0x110/0x180
+  rproc_start+0x40/0x218
+  rproc_boot+0x5b4/0x608
+  state_store+0x54/0xf8
+  dev_attr_store+0x44/0x60
+  sysfs_kf_write+0x58/0x80
+  kernfs_fop_write+0x140/0x230
+  vfs_write+0xc4/0x208
+  ksys_write+0x74/0xf8
+  __arm64_sys_write+0x24/0x30
+...
+
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200722201047.12975-2-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+[sudip: manual backport to old file path]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/qcom_q6v5_pil.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5_pil.c
++++ b/drivers/remoteproc/qcom_q6v5_pil.c
+@@ -293,6 +293,12 @@ static int q6v5_load(struct rproc *rproc
+ {
+       struct q6v5 *qproc = rproc->priv;
+ 
++      /* MBA is restricted to a maximum size of 1M */
++      if (fw->size > qproc->mba_size || fw->size > SZ_1M) {
++              dev_err(qproc->dev, "MBA firmware load failed\n");
++              return -EINVAL;
++      }
++
+       memcpy(qproc->mba_region, fw->data, fw->size);
+ 
+       return 0;

diff --git a/queue-4.14/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch b/queue-4.14/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch
new file mode 100644 (file)
index 0000000..4854847
--- /dev/null
+++ b/queue-4.14/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch
@@ -0,0 +1,61 @@
+From foo@baz Wed Feb 10 03:25:19 PM CET 2021
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Thu, 23 Jul 2020 01:40:46 +0530
+Subject: remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit 135b9e8d1cd8ba5ac9ad9bcf24b464b7b052e5b8 upstream
+
+The following mem abort is observed when one of the modem blob firmware
+size exceeds the allocated mpss region. Fix this by restricting the copy
+size to segment size using request_firmware_into_buf before load.
+
+Err Logs:
+Unable to handle kernel paging request at virtual address
+Mem abort info:
+...
+Call trace:
+  __memcpy+0x110/0x180
+  rproc_start+0xd0/0x190
+  rproc_boot+0x404/0x550
+  state_store+0x54/0xf8
+  dev_attr_store+0x44/0x60
+  sysfs_kf_write+0x58/0x80
+  kernfs_fop_write+0x140/0x230
+  vfs_write+0xc4/0x208
+  ksys_write+0x74/0xf8
+...
+
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200722201047.12975-3-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+[sudip: manual backport to old file path]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/qcom_q6v5_pil.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/remoteproc/qcom_q6v5_pil.c
++++ b/drivers/remoteproc/qcom_q6v5_pil.c
+@@ -560,14 +560,13 @@ static int q6v5_mpss_load(struct q6v5 *q
+ 
+               if (phdr->p_filesz) {
+                       snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i);
+-                      ret = request_firmware(&seg_fw, seg_name, qproc->dev);
++                      ret = request_firmware_into_buf(&seg_fw, seg_name, qproc->dev,
++                                                      ptr, phdr->p_filesz);
+                       if (ret) {
+                               dev_err(qproc->dev, "failed to load %s\n", seg_name);
+                               goto release_firmware;
+                       }
+ 
+-                      memcpy(ptr, seg_fw->data, seg_fw->size);
+-
+                       release_firmware(seg_fw);
+               }
+ 

diff --git a/queue-4.14/series b/queue-4.14/series
index 16ff1cdf36283c68e354ba7c346f92cd720c8491..4fe554911c7b0d28ca3dfe7b6261073bc2542a28 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -1 +1,3 @@
 fgraph-initialize-tracing_graph_pause-at-task-creation.patch
+remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch
+remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch