4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 10 Feb 2021 14:27:31 +0000 (15:27 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 10 Feb 2021 14:27:31 +0000 (15:27 +0100)
added patches:
remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch

queue-4.9/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch b/queue-4.9/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
new file mode 100644 (file)
index 0000000..924a6b5
--- /dev/null
@@ -0,0 +1,61 @@
+From foo@baz Wed Feb 10 03:25:42 PM CET 2021
+From: Sibi Sankar <sibis@codeaurora.org>
+Date: Thu, 23 Jul 2020 01:40:45 +0530
+Subject: remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load
+
+From: Sibi Sankar <sibis@codeaurora.org>
+
+commit e013f455d95add874f310dc47c608e8c70692ae5 upstream
+
+The following mem abort is observed when the mba firmware size exceeds
+the allocated mba region. MBA firmware size is restricted to a maximum
+size of 1M and remaining memory region is used by modem debug policy
+firmware when available. Hence verify whether the MBA firmware size lies
+within the allocated memory region and is not greater than 1M before
+loading.
+
+Err Logs:
+Unable to handle kernel paging request at virtual address
+Mem abort info:
+...
+Call trace:
+  __memcpy+0x110/0x180
+  rproc_start+0x40/0x218
+  rproc_boot+0x5b4/0x608
+  state_store+0x54/0xf8
+  dev_attr_store+0x44/0x60
+  sysfs_kf_write+0x58/0x80
+  kernfs_fop_write+0x140/0x230
+  vfs_write+0xc4/0x208
+  ksys_write+0x74/0xf8
+  __arm64_sys_write+0x24/0x30
+...
+
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sibi Sankar <sibis@codeaurora.org>
+Link: https://lore.kernel.org/r/20200722201047.12975-2-sibis@codeaurora.org
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+[sudip: manual backport to old file path]
+Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/remoteproc/qcom_q6v5_pil.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/remoteproc/qcom_q6v5_pil.c
++++ b/drivers/remoteproc/qcom_q6v5_pil.c
+@@ -193,6 +193,12 @@ static int q6v5_load(struct rproc *rproc
+ {
+       struct q6v5 *qproc = rproc->priv;
++      /* MBA is restricted to a maximum size of 1M */
++      if (fw->size > qproc->mba_size || fw->size > SZ_1M) {
++              dev_err(qproc->dev, "MBA firmware load failed\n");
++              return -EINVAL;
++      }
++
+       memcpy(qproc->mba_region, fw->data, fw->size);
+       return 0;
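Review bot: The `dev_err()` in the added size check of `q6v5_load()` logs only "MBA firmware load failed", so the log does not say that the image was rejected for its size, nor how large it was. Recording the rejected size keeps an oversized or malformed MBA image diagnosable from the kernel log, for example `dev_err(qproc->dev, "MBA firmware too large: %zu bytes\n", fw->size);`. The check also depends on `SZ_1M`, and the file's includes are not visible in this hunk, so for this manual backport it is worth confirming that the 4.9 `qcom_q6v5_pil.c` already reaches `<linux/sizes.h>`. The body of `q6v5_load()` ends outside the hunk.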
index 839c240831a0b39cd8fca200864b317a012ad4b9..710b7f8fecc20f3917d95a1cf7f00e3d7d56b55a 100644 (file)
@@ -1,2 +1,3 @@
 mm-memcontrol-fix-null-pointer-crash-in-test_clear_page_writeback.patch
 fgraph-initialize-tracing_graph_pause-at-task-creation.patch
+remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch