From: Greg Kroah-Hartman Date: Wed, 10 Feb 2021 14:28:10 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.176~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e2deaa172af7f28ef09f8f625972c8ef76c1bbfa;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch --- diff --git a/queue-4.19/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch b/queue-4.19/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch new file mode 100644 index 00000000000..2ed780da8ad --- /dev/null +++ b/queue-4.19/remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch 
@@ -0,0 +1,61 @@ +From foo@baz Wed Feb 10 03:25:36 PM CET 2021 +From: Sibi Sankar +Date: Thu, 23 Jul 2020 01:40:45 +0530 +Subject: remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load + +From: Sibi Sankar + +commit e013f455d95add874f310dc47c608e8c70692ae5 upstream + +The following mem abort is observed when the mba firmware size exceeds +the allocated mba region. MBA firmware size is restricted to a maximum +size of 1M and remaining memory region is used by modem debug policy +firmware when available. Hence verify whether the MBA firmware size lies +within the allocated memory region and is not greater than 1M before +loading. + +Err Logs: +Unable to handle kernel paging request at virtual address +Mem abort info: +... +Call trace: + __memcpy+0x110/0x180 + rproc_start+0x40/0x218 + rproc_boot+0x5b4/0x608 + state_store+0x54/0xf8 + dev_attr_store+0x44/0x60 + sysfs_kf_write+0x58/0x80 + kernfs_fop_write+0x140/0x230 + vfs_write+0xc4/0x208 + ksys_write+0x74/0xf8 + __arm64_sys_write+0x24/0x30 +... + +Reviewed-by: Bjorn Andersson +Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") +Cc: stable@vger.kernel.org +Signed-off-by: Sibi Sankar +Link: https://lore.kernel.org/r/20200722201047.12975-2-sibis@codeaurora.org +Signed-off-by: Bjorn Andersson +[sudip: manual backport to old file path] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/qcom_q6v5_pil.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/remoteproc/qcom_q6v5_pil.c ++++ b/drivers/remoteproc/qcom_q6v5_pil.c +@@ -340,6 +340,12 @@ static int q6v5_load(struct rproc *rproc + { + struct q6v5 *qproc = rproc->priv; + ++ /* MBA is restricted to a maximum size of 1M */ ++ if (fw->size > qproc->mba_size || fw->size > SZ_1M) { ++ dev_err(qproc->dev, "MBA firmware load failed\n"); ++ return -EINVAL; ++ } ++ + memcpy(qproc->mba_region, fw->data, fw->size); + + return 0; 
diff --git a/queue-4.19/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch b/queue-4.19/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch new file mode 100644 index 00000000000..648548f18d1 --- /dev/null +++ b/queue-4.19/remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch 
@@ -0,0 +1,61 @@ +From foo@baz Wed Feb 10 03:25:16 PM CET 2021 +From: Sibi Sankar +Date: Thu, 23 Jul 2020 01:40:46 +0530 +Subject: remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load + +From: Sibi Sankar + +commit 135b9e8d1cd8ba5ac9ad9bcf24b464b7b052e5b8 upstream + +The following mem abort is observed when one of the modem blob firmware +size exceeds the allocated mpss region. Fix this by restricting the copy +size to segment size using request_firmware_into_buf before load. + +Err Logs: +Unable to handle kernel paging request at virtual address +Mem abort info: +... +Call trace: + __memcpy+0x110/0x180 + rproc_start+0xd0/0x190 + rproc_boot+0x404/0x550 + state_store+0x54/0xf8 + dev_attr_store+0x44/0x60 + sysfs_kf_write+0x58/0x80 + kernfs_fop_write+0x140/0x230 + vfs_write+0xc4/0x208 + ksys_write+0x74/0xf8 +... + +Reviewed-by: Bjorn Andersson +Fixes: 051fb70fd4ea4 ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") +Cc: stable@vger.kernel.org +Signed-off-by: Sibi Sankar +Link: https://lore.kernel.org/r/20200722201047.12975-3-sibis@codeaurora.org +Signed-off-by: Bjorn Andersson +[sudip: manual backport to old file path] +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/qcom_q6v5_pil.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/remoteproc/qcom_q6v5_pil.c ++++ b/drivers/remoteproc/qcom_q6v5_pil.c +@@ -739,14 +739,13 @@ static int q6v5_mpss_load(struct q6v5 *q + + if (phdr->p_filesz) { + snprintf(seg_name, sizeof(seg_name), "modem.b%02d", i); +- ret = request_firmware(&seg_fw, seg_name, qproc->dev); ++ ret = request_firmware_into_buf(&seg_fw, seg_name, qproc->dev, ++ ptr, phdr->p_filesz); + if (ret) { + dev_err(qproc->dev, "failed to load %s\n", seg_name); + goto release_firmware; + } + +- memcpy(ptr, seg_fw->data, seg_fw->size); +- + release_firmware(seg_fw); + } + diff --git a/queue-4.19/series b/queue-4.19/series index 3fd957d6657..8dc457dd31f 100644 
--- a/queue-4.19/series +++ b/queue-4.19/series @@ -1,3 +1,5 @@ tracing-kprobe-fix-to-support-kretprobe-events-on-unloaded-modules.patch block-fix-null-pointer-dereference-in-register_disk.patch fgraph-initialize-tracing_graph_pause-at-task-creation.patch +remoteproc-qcom_q6v5_mss-validate-modem-blob-firmware-size-before-load.patch +remoteproc-qcom_q6v5_mss-validate-mba-firmware-size-before-load.patch
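Review bot: in the q6v5_load() hunk of the MBA patch, the new dev_err() prints only "MBA firmware load failed", so the log does not show that the size check was what rejected the image. Suggest reporting the offending size, for example dev_err(qproc->dev, "MBA firmware size %zu exceeds limit\n", fw->size). The check is placed correctly ahead of the memcpy() into qproc->mba_region. The code comment only restates the 1M figure, while the commit message gives the reason (the rest of the region is used by modem debug policy firmware); carrying that reason into the comment would keep a later change from relaxing the bound to mba_size alone.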
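Review bot: in the q6v5_mpss_load() hunk of the modem blob patch, nothing after request_firmware_into_buf() compares seg_fw->size with phdr->p_filesz, so a modem.bNN file shorter than its segment is accepted and the tail of the segment keeps whatever was at ptr before the call. Suggest failing the load when the two sizes differ, before release_firmware(seg_fw). The "failed to load %s" message also drops ret, so the case this patch targets (a blob larger than the segment) is indistinguishable in the log from a missing file; printing ret would separate them. The bound passed in is phdr->p_filesz taken from the ELF header, and whether ptr plus that length stays inside the mpss region depends on code outside the lines shown, which is worth confirming for this backport.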
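Review bot: in the queue-4.19/series hunk, the two new entries are appended with the modem blob patch ahead of the MBA patch, the reverse of their upstream order (the Link tags number the MBA patch -2 and the modem blob patch -3). The two patches touch separate hunks of drivers/remoteproc/qcom_q6v5_pil.c (around lines 340 and 739), so they apply either way, but listing them in upstream order would make the queue easier to compare against the original series.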