Merge android13-gs-pixel-5.10-24Q2 into android13-gs-pixel-5.10
SBMerger: 571992243
Change-Id: I2be5f584759847af84525e4d72d060912c073952
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
diff --git a/aoc.c b/aoc.c
index 654306b..5c17af0 100644
--- a/aoc.c
+++ b/aoc.c
@@ -1924,6 +1924,9 @@
case AOC_IOCTL_ION_FD_TO_HANDLE:
{
ret = aoc_unlocked_ioctl_handle_ion_fd(cmd, arg);
+ if (ret == -EINVAL) {
+ pr_err("invalid argument\n");
+ }
}
break;
diff --git a/aoc_v1.c b/aoc_v1.c
index e67937f..93045b3 100644
--- a/aoc_v1.c
+++ b/aoc_v1.c
@@ -375,12 +375,26 @@
}
EXPORT_SYMBOL_GPL(aoc_create_dma_buf_heaps);
+/* Returns true if `base` is located within the aoc dram carveout */
+static bool is_aoc_dma_buf(struct aoc_prvdata *prvdata, phys_addr_t base) {
+ phys_addr_t dram_carveout_start;
+ phys_addr_t dram_carveout_end;
+
+ dram_carveout_start = prvdata->dram_resource.start;
+ dram_carveout_end = dram_carveout_start + resource_size(&prvdata->dram_resource);
+ return (base <= dram_carveout_end && base >= dram_carveout_start);
+}
+
long aoc_unlocked_ioctl_handle_ion_fd(unsigned int cmd, unsigned long arg)
{
struct aoc_ion_handle handle;
struct dma_buf *dmabuf;
struct samsung_dma_buffer *dma_heap_buf;
+
+ struct ion_physical_heap *phys_heap;
+ phys_addr_t base;
long ret = -EINVAL;
+ struct aoc_prvdata *prvdata = platform_get_drvdata(aoc_platform_device);
BUILD_BUG_ON(sizeof(struct aoc_ion_handle) !=
_IOC_SIZE(AOC_IOCTL_ION_FD_TO_HANDLE));
@@ -398,6 +412,19 @@
dma_heap_buf = dmabuf->priv;
handle.handle = (u64)dma_heap_buf->priv;
+ /*
+ * Ensure base is in aoc dram carveout. Ensures that the dmabuf
+ * is created and maintained by AoC.
+ */
+ base = 0;
+ if (dma_heap_buf->heap->priv) {
+ phys_heap = dma_heap_buf->heap->priv;
+ base = phys_heap->base;
+ }
+
+ if (!(is_aoc_dma_buf(prvdata, base)))
+ return ret;
+
dma_buf_put(dmabuf);
if (!copy_to_user((struct aoc_ion_handle *)arg, &handle, _IOC_SIZE(cmd)))
diff --git a/ion_physical_heap.c b/ion_physical_heap.c
index 30c8250..e4a0c2e 100644
--- a/ion_physical_heap.c
+++ b/ion_physical_heap.c
@@ -19,18 +19,6 @@
#define ION_PHYSICAL_ALLOCATE_FAIL -1
-struct ion_physical_heap {
- struct gen_pool *pool;
- phys_addr_t base;
- size_t size;
-
- ion_physical_heap_allocate_callback *allocate_cb;
- void *allocate_ctx;
-
- ion_physical_heap_free_callback *free_cb;
- void *free_ctx;
-};
-
static int _clear_pages(struct page **pages, int num, pgprot_t pgprot)
{
void *addr = vmap(pages, num, VM_MAP, pgprot);
diff --git a/ion_physical_heap.h b/ion_physical_heap.h
index fa66671..f48ccd8 100644
--- a/ion_physical_heap.h
+++ b/ion_physical_heap.h
@@ -4,6 +4,7 @@
*/
#include <linux/samsung-dma-heap.h>
+#include <linux/genalloc.h>
typedef void(ion_physical_heap_allocate_callback)(struct samsung_dma_buffer *buffer,
void *ctx);
@@ -15,3 +16,15 @@
ion_physical_heap_allocate_callback alloc_cb,
ion_physical_heap_free_callback free_cb,
void *ctx);
+
+struct ion_physical_heap {
+ struct gen_pool *pool;
+ phys_addr_t base;
+ size_t size;
+
+ ion_physical_heap_allocate_callback *allocate_cb;
+ void *allocate_ctx;
+
+ ion_physical_heap_free_callback *free_cb;
+ void *free_ctx;
+};
