As the length datatype is signed, an attacker can either overflow
the calculation or supply a negative number to trick the check
into returning a chosen chunk. This can have undesired
consequences. Always use unsigned integer types for length
values.
Change-Id: Ifde2f0d35129014b976507f7723a319c53fabddf
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Bug: 63165135
CRs-Fixed: 2139538
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
(cherry picked from commit c29e11c774b3c59660c1c599b73b7fabf1492d43)
Signed-off-by: David Lin <dtwlin@google.com>
Send context ID in rpc header instead of context pointer.
Validate context ID received in response and get context pointer.
Bug: 74237782
Change-Id: I9cfd10d0c1b25c3085b8e15c7ca1c8ff214bf10d
Acked-by: Viswanatham Paduchuri <vpaduchu@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Steve Pfetsch <spfetsch@google.com>
The FASTRPC_IOCTL_INIT ioctl registers a pointer for later
access without checking that it is a user pointer. This could
allow arbitrary kernel memory access.
This patch verifies that the pointer is a user pointer.
Bug: 63165064
Change-Id: I936f73a2c2029f9e7ca12cc8fc06d0698e6710c0
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
Signed-off-by: Sean Callanan <spyffe@google.com>
The buffer length that is being passed could result in an overflow
condition causing invalid memory to be accessed.
Bug: 34112914
CRs-Fixed: 1110747
Change-Id: I3e23f31b8cb61f8e77d09a39fab4a2d4c222cf25
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
Signed-off-by: Siqi Lin <siqilin@google.com>
(cherry picked from commit ded48b4476bc53662791a4f5fdf5152b63490b5d)
The buffer length that is being used to validate gets truncated
due to it being assigned to the wrong type, causing invalid memory
to be accessed when the actual buffer length is used to copy
user buffer contents.
Bug: 31695439
CRs-Fixed: 1086123
Change-Id: If04dee27b8bae04eef7455773d9f4327fd008a21
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
The buffer length that is being used to allocate gets truncated
due to it being assigned to the wrong type, causing a much smaller
buffer to be allocated than what is required for copying.
Bug: 31695439
CRs-Fixed: 1100695
Change-Id: I30818acd42bd282837c7c7aa16d56d3b95d4dfe7
Signed-off-by: Sathish Ambley <sathishambley@codeaurora.org>
Signed-off-by: Biswajit Paul <biswajitpaul@codeaurora.org>
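An added illustration, not code from the adsprpc driver or from any of these commits, of the three length-handling defects the messages above describe (a signed length that passes a range check when negative, an offset plus length sum that wraps, and a length truncated into a narrower type before it is validated) next to the overflow-safe unsigned check the first message asks for. Function and parameter names are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

/*
 * Constructed example (not code from the adsprpc driver): a caller asks
 * for the chunk [offset, offset + len) of a buffer holding buf_size bytes,
 * and the kernel must decide whether that chunk lies inside the buffer
 * before touching it. Each weak check mirrors a defect described in the
 * commit messages above.
 */

/* Weak check 1: signed length. A negative len makes offset + len small,
 * so the bound holds and the caller is handed a chunk of its choosing. */
bool chunk_ok_signed(int32_t buf_size, int32_t offset, int32_t len)
{
	return offset >= 0 && offset + len <= buf_size;
}

/* Weak check 2: unsigned, but the sum can wrap. offset + len is computed
 * modulo 2^32, so a huge len wraps back below buf_size. */
bool chunk_ok_wrapping(uint32_t buf_size, uint32_t offset, uint32_t len)
{
	return offset + len <= buf_size;
}

/* Hardened check: unsigned operands and a subtraction-based bound that
 * cannot wrap. offset <= buf_size guarantees buf_size - offset is exact. */
bool chunk_ok(uint64_t buf_size, uint64_t offset, uint64_t len)
{
	return offset <= buf_size && len <= buf_size - offset;
}

/* Weak check 3: the length is validated after being stored in a narrower
 * type than the one later used for the copy, so the high bits the copy
 * will honour are dropped before the bound is checked. */
bool chunk_ok_truncated(uint64_t buf_size, uint64_t offset, uint64_t len)
{
	uint32_t checked_len = (uint32_t)len;	/* truncation happens here */
	return chunk_ok(buf_size, offset, checked_len);
}
```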
Cache operations via userspace addresses have a risk of a page
fault, as on arm64 these addresses are marked as write protect
and fixed up on first access. To avoid aborts happening when
the mmap semaphore is locked at this time, clear non-overlapped
output buffers before caches could be invalidated.
Change-Id: Iedb42e6d3dca4530b1cf065ea87fee1befea3bc6
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Cache operations via userspace addresses have a risk of a page
fault, as on arm64 these addresses are marked as write protect
and fixed up on first access. To avoid aborts happening when
the mmap semaphore is locked at this time, invalidate the
buffers using the physical address.
Change-Id: I4a24b4959df374719c89ba8b6262412ea0eda07d
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Make sure that the entire input buffer gets copied always to account
for cases where the output buffer could overlap the input buffer.
Change-Id: I8d63ff8c8ebd6f11b71f75112cb48bf095614bfc
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
When multiple channels are opened from the same process, free
contexts associated only with the current channel when the
device is released.
Change-Id: Iaa1f06ee00f3b9420ef5b00995bdf8186cb83283
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Ensure that the buffer being passed to remote processor is
always from ADSP ION heap. Passing buffers from other ION
heaps would result in a copy operation into the ADSP ION
heap before the buffer is passed over.
Change-Id: I0cf53887d4ec18b81a1c35f8c7c9dc4f1ca4e97f
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Scan the non-ion buffers for overlapping memory and only copy each
segment once.
Change-Id: I5cacb0f821f217038cb0b2f7c407bb09ed6a362d
Acked-by: Anatoly Yakovenko <anatolyy@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
The new ioctl exposes a mechanism for user processes to create
a new process on the remote end when the device is opened.
Change-Id: Id27c7572d3bdd5ecfb899ac20dd237ab25f5a161
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Liam Mark <lmark@codeaurora.org>
The subsystem restart handler aborts all pending transactions and
propagates the error back to the user for it to take appropriate
recovery actions. Once the subsystem restart notification is
received, iommu driver calls are skipped for all pending
transactions to avoid bus errors due to unclocked access.
Change-Id: I16465e5f82e01bab1ba32be2574be9734ed3e247
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Liam Mark <lmark@codeaurora.org>
msm_ion_client_create doesn't actually do anything with its heap_mask
parameter. Remove it. Also remove the extra argument from an audio
function that wraps msm_ion_client_create.
The following semantic patch was used to generate this patch:
@@
expression E1, E2;
@@
msm_ion_client_create(
- E1,
E2)
@@
expression E1, E2;
@@
msm_audio_ion_client_create(
- E1,
E2)
Change-Id: I403a125a1715b29a3db1f27c993abe0bc6d3fb11
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Update the data types to handle 64 bit address space and
communicate 64 bit addresses to remote processor. Provide
compat ioctl call to allow for 32 bit user space to call
into the driver.
Change-Id: I954f07382bbc9998aed574a7bf74fab9299f0b45
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
The interrupted context list keeps track of all requests made
to the remote processor for which a response has not been
received and were interrupted by APPS processor. Free saved
contexts from interrupt list on device close to avoid memory leaks.
Change-Id: I5e4515b8d06d981a066a812a57242662b5bb82b9
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
The buffers being passed to remote processor did not have
the right offset into the IOMMU VA for cases where the offset
was greater than 4K.
Change-Id: I32360a337ecbb9ebe3d33e5a6d680b1033945641
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Upstream prefers existing drivers be converted to support multiplatform
kernels. This requires drivers to be located in generic functionality
directories instead of specific mach directories.
Move the smd and smsm drivers to the drivers/soc/qcom location to support
multiplatform.
Change-Id: I7f2e990341f0f34e336e71bd3b06a7c2a46d8bc1
Signed-off-by: Jeffrey Hugo <jhugo@codeaurora.org>
The driver depends on MSM IOMMU subsystem driver to be initialized
first to get the domain information. Move the initialization phase
of the driver to late_initcall so that the dependent drivers get
initialized first.
Change-Id: Id9524f09f21110aa7539434e9febdd2b84361f9d
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
If the buffers are not mapped into IOMMU and the physical address
is passed to remote processor, then it could result in IOMMU faults
if the passed physical address falls in the IOMMU virtual address
range. Map all buffers into IOMMU if one is present and do not pass
the physical address directly to the remote processor.
Change-Id: Id567ac4bff16f49487439d1d505dd25b88ed2868
Acked-by: Sathish Ambley <sambley@qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
The iommu_domain code isn't really MSM specific and is better suited
to live in the iommu directory. Move it accordingly.
Change-Id: Ie88b4aba6901722166bb180275d352b745821772
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
While a RPC session is in progress, wait could get interrupted
as a result of the device entering power collapse and the system call
retried once the device leaves power collapse. This requires that
the RPC session context is saved and restored across these
interrupts to avoid duplicate invocations being sent across to
the remote processor.
Change-Id: I71141c13da7be3d33e13305e0744148921123160
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
The remote heap buffers need to be mapped and unmapped in
the IOMMU when SMMU is present on the remote processor.
Change-Id: I9d78e1098a4163109dbde4c23681be4cfb8a353a
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Open separate channels to each DSP processor based on the
file descriptor to support remote procedure calls to
multiple DSP processors.
Change-Id: I9c51d15b38eef67ccc38fc6dd0867d8256fbbdf6
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
The buffers allocated by ION for ADSP/AUDIO heap would be
physically contiguous and no additional checks are required
to validate this.
Change-Id: Ib54aaf6c18448d18d0a22dac0ddab50a0ab4f493
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
The SMD channel open request needs to be delayed as the
remote processor may not be up early on when the driver
is initialized. The SMD channel is opened when the first
RPC session is opened and closed when the last RPC
session ends.
Change-Id: I0bbff2956c3e367312d4344107340feb29e643ab
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
This file is now mostly useless. Move the remaining definitions elsewhere
and clean up the cruft.
Change-Id: Icc19f9138a0d9d24a466511d69bc0eed45789fb9
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
Release the RPC session only when the file handle is closed
and not release it when interrupted. It is possible for the
completion to be interrupted in power collapse scenarios
when the tasks are frozen.
Change-Id: Ib507c6ada624bb68c0e6aa798f0ca76c3213af65
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Check for invalid parameters passed in user invocation
and validate the return values using appropriate macros.
Change-Id: If529873d025ac0c13725efbedda5a58fae327722
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Update the class name passed during class creation to match the module
rather than use a generic one. If another driver uses this same generic
name then the class creation would fail.
Change-Id: I33d7527e27c56fd943c93f823d99d244e2348319
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Set the rpc mode to either serial or parallel via an ioctl, and ensure
that output buffers are invalidated in serial mode before calling into
the dsp.
Change-Id: I565faba24106cd7e3bba5368b06c4036bb468483
Acked-by: Anatoly Yakovenko <anatolyy@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
The current APIs for Ion and the custom IOMMU mapping assume that
many parameters are unsigned long. This type is not big enough to
hold physical addresses on LPAE systems. Update the APIs to accommodate
these types. Because we are updating the APIs, all clients need to be
updated as well, either by using the correct type or using a cast
where necessary.
Change-Id: I12e6fb6ec8a8481a7eef374cb9316e5ccbc29090
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
Pass ION_FLAG_CACHED flag to allocate cached memory for ADSP
RPC buffers that are flushed before being passed to the remote
processor.
Change-Id: I5faa2c074157efcdc3d859090c046b6a700e52a4
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Map / unmap the IOMMU heap buffers based on SMMU presence so as
to allow for these buffers to be passed to the remote processor
with zero-copy.
Change-Id: I95b3bdd46a8fa6eb3bca660a3900b5d690c12617
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
If the buffer range is split across multiple vma structs, failure
was being returned as the range was being checked only on the initial
vma struct. Explicitly find the vma for the end address and use that
to find the page associated with it.
Change-Id: Icc64674562ced99a168de5d483853d1f35f94ab4
Acked-by: Sathish Ambley <sambley@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Output buffers that are not aligned on cache line boundaries need to
be flushed before the remote invocation since the invalidate that
happens later could result in a flush of an un-aligned buffer,
overwriting the remote end results.
Change-Id: I2e7b4c33ccd29413b0e5d2abe47cd069e08e8c80
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Map / unmap the buffers being passed to the remote processor based
on the SMMU presence.
Change-Id: I79906b3cc382616cd381d5161d504aca8b04f667
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
The error paths in fastrpc_device_init() and fastrpc_init() did
not properly roll back their operations. It was also possible for
fastrpc_deinit() to be called multiple times in the course of
handling a single initialization error in fastrpc_init(), such as
an SMD channel failing to open. This would result in a double-free
of the context list, leading to potential memory corruption.
CRs-Fixed: 478489
Change-Id: Ie078ce6595dc67316c25b9be9daf540552dccc2d
Signed-off-by: Matt Wagantall <mattw@codeaurora.org>
Implement ioctl for persistent mapping of memory to the dsp. Keep track
of mappings and free them when the device is released.
Change-Id: Iefc836bd982b28d37de649d1685c8965604f7f58
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Acked-by: Anatoly Yakovenko <anatolyy@qti.qualcomm.com>
Use hlist_for_each_entry_safe to iterate over nodes when deleting them.
Don't assume that for_each loop will find a node to delete.
Change-Id: Ia3bf5c88844b865d8cfb7e02ce6008a1b9f8e2b4
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Acked-by: Anatoly Yakovenko <anatolyy@qti.qualcomm.com>
Calculate page start so the offset is always less than the minimum
page size.
Change-Id: I5dc2cf5052a16e9f78862eb79f6141e2b7502ba2
Acked-by: Anatoly Yakovenko <anatolyy@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Create device node under /dev/adsprpc-smd. Users no longer have to run
mknod after the driver is installed.
Change-Id: I5f5ae4dafc37ce8e87ef2c91358be9bfd5934b8a
Acked-by: Anatoly Yakovenko <anatolyy@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Cleanup header and source to conform with coding guidelines.
Change-Id: I0fba2a7a758930003d5bce9c8ffc0036574736b8
Acked-by: Anatoly Yakovenko <anatolyy@qti.qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Move RPC driver that allows for clients to make remote
invocation calls between apps and adsp into drivers.
Change-Id: I4ff4edfed692576e38070e525ca07537b4e54a5a
Acked-by: Sathish Ambley <sambley@qualcomm.com>
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>