From: Greg Kroah-Hartman Date: Wed, 10 Feb 2021 14:27:31 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.19.176~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=774c0b7fead03c44ac1b4c1f2e6fb6f7e5a6870a;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch --- diff --git a/queue-4.9/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch b/queue-4.9/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch new file mode 100644 index 00000000000..924a6b526d5 --- /dev/null +++ b/queue-4.9/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch 
@@ -0,0 +1,61 @@ +From foo@baz Wed Feb 10 03:25:42 PM CET 2021 +From: Sibi Sankar +Date: Thu, 23 Jul 2020 01:40:45 +0530 +Subject: remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load + +From: Sibi Sankar + +commit e013f455d95add874f310dc47c608e8c70692ae5 upstream + +The following mem abort is observed when the mba firmware size exceeds +the allocated mba region. MBA firmware size is restricted to a maximum +size of 1M and remaining memory region is used by modem debug policy +firmware when available. Hence verify whether the MBA firmware size lies +within the allocated memory region and is not greater than 1M before +loading. + +Err Logs: +Unable to handle kernel paging request at virtual address +Mem abort info: +... +Call trace: + __memcpy+0x110/0x180 + rproc_start+0x40/0x218 + rproc_boot+0x5b4/0x608 + state_store+0x54/0xf8 + dev_attr_store+0x44/0x60 + sysfs_kf_write+0x58/0x80 + kernfs_fop_write+0x140/0x230 + vfs_write+0xc4/0x208 + ksys_write+0x74/0xf8 + __arm64_sys_write+0x24/0x30 +... + +Reviewed-by: Bjorn Andersson +Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") +Cc: stable@vger.kernel.org +Signed-off-by: Sibi Sankar +Link: https://lore.kernel.org/r/20200722201047.12975-2-sibis@codeaurora.org +Signed-off-by: Bjorn Andersson +[sudip: manual backport to old file path] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/qcom_q6v5_pil.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/remoteproc/qcom_q6v5_pil.c ++++ b/drivers/remoteproc/qcom_q6v5_pil.c +@@ -193,6 +193,12 @@ static int q6v5_load(struct rproc *rproc + { + struct q6v5 *qproc = rproc->priv; + ++ /* MBA is restricted to a maximum size of 1M */ ++ if (fw->size > qproc->mba_size || fw->size > SZ_1M) { ++ dev_err(qproc->dev, "MBA firmware load failed\n"); ++ return -EINVAL; ++ } ++ + memcpy(qproc->mba_region, fw->data, fw->size); + + return 0; 
diff --git a/queue-4.9/series b/queue-4.9/series index 839c240831a..710b7f8fecc 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -1,2 +1,3 @@ mm-memcontrol-fix-null-pointer-crash-in-test_clear_page_writeback.patch fgraph-initialize-tracing_graph_pause-at-task-creation.patch +remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
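Review bot: in the q6v5_load hunk of the queued patch, the dev_err text "MBA firmware load failed" does not say that the size check rejected the image. Printing fw->size together with qproc->mba_size in that message would let someone reading the log tell an oversized firmware file apart from other load failures. The two comparisons in the if could also be expressed as one bound, the smaller of qproc->mba_size and SZ_1M, so the limit is stated once, directly above the memcpy into qproc->mba_region that it protects. The comment gives the 1M cap but not the reason for it; the commit message says the rest of the region is used by the modem debug policy firmware, and a short mention of that in the comment would keep the rationale with the code.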