Merge branch 'android-msm-pixel-4.14-sc-security' into android-msm-pixel-4.14-sc-qpr3
Jul 2022.1
Bug: 229184979
Change-Id: Ic5066819c7b05f2feae5fa31658e06be580cbe64
diff --git a/drivers/gpu/msm/kgsl_drawobj.c b/drivers/gpu/msm/kgsl_drawobj.c
index 05c4136..5a0294c 100644
--- a/drivers/gpu/msm/kgsl_drawobj.c
+++ b/drivers/gpu/msm/kgsl_drawobj.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2016-2019, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2016-2019,2021, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -569,6 +569,7 @@
{
struct kgsl_mem_entry *entry;
struct kgsl_drawobj *drawobj = DRAWOBJ(cmdobj);
+ u64 start;
if (!(drawobj->flags & KGSL_DRAWOBJ_PROFILING))
return;
@@ -585,7 +586,14 @@
gpuaddr);
if (entry != NULL) {
- if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size)) {
+ start = id ? (entry->memdesc.gpuaddr + offset) : gpuaddr;
+ /*
+ * Make sure there is enough room in the object to store the
+ * entire profiling buffer object
+ */
+ if (!kgsl_gpuaddr_in_memdesc(&entry->memdesc, gpuaddr, size) ||
+ !kgsl_gpuaddr_in_memdesc(&entry->memdesc, start,
+ sizeof(struct kgsl_drawobj_profiling_buffer))) {
kgsl_mem_entry_put(entry);
entry = NULL;
}
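Review bot: `start` is computed as `entry->memdesc.gpuaddr + offset` with no wrap guard, whereas the block this commit removes further down tested `off < offset` explicitly, so rejecting a wrapped address now rests entirely on kgsl_gpuaddr_in_memdesc(), which is not visible here. If that helper does reject ranges that overflow, extend the existing comment to say so, e.g. `/* kgsl_gpuaddr_in_memdesc() also rejects a start that wrapped past U64_MAX */`; if it does not, an explicit `offset > U64_MAX - entry->memdesc.gpuaddr` test belongs before the assignment. The dedicated "ignore invalid profile offset" dev_err is dropped as well, so a bad offset is now reported only by whatever message follows the `entry == NULL` path outside this hunk. The enclosing function starts and ends outside the hunk.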
@@ -598,28 +606,7 @@
return;
}
-
- if (!id) {
- cmdobj->profiling_buffer_gpuaddr = gpuaddr;
- } else {
- u64 off = offset + sizeof(struct kgsl_drawobj_profiling_buffer);
-
- /*
- * Make sure there is enough room in the object to store the
- * entire profiling buffer object
- */
- if (off < offset || off >= entry->memdesc.size) {
- dev_err(device->dev,
- "ignore invalid profile offset ctxt %d id %d offset %lld gpuaddr %llx size %lld\n",
- drawobj->context->id, id, offset, gpuaddr, size);
- kgsl_mem_entry_put(entry);
- return;
- }
-
- cmdobj->profiling_buffer_gpuaddr =
- entry->memdesc.gpuaddr + offset;
- }
-
+ cmdobj->profiling_buffer_gpuaddr = start;
cmdobj->profiling_buf_entry = entry;
}
diff --git a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
index 1fe016f..5a7a1fd 100644
--- a/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
+++ b/drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.c
@@ -209,6 +209,11 @@
goto err_exit;
if (fw.len == 0xFFFFU) {
+ if (sw.len > sizeof(self->rpc)) {
+ printk(KERN_INFO "Invalid sw len: %x\n", sw.len);
+ err = -EINVAL;
+ goto err_exit;
+ }
err = hw_atl_utils_fw_rpc_call(self, sw.len);
if (err < 0)
goto err_exit;
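Review bot: The rejection path logs with a bare `printk(KERN_INFO ...)`, which is neither rate-limited nor at a level that matches the -EINVAL it precedes, and the same pattern is repeated for `fw.len` in the next hunk. `sw.len` and `fw.len` look like values read back from the adapter (the reads are outside these hunks), so a misbehaving device could repeat the message as often as the path is polled. A rate-limited warning such as `pr_warn_ratelimited("atlantic: invalid sw len: %x\n", sw.len);` would fit better in both places. The enclosing function starts and ends outside the hunk.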
@@ -219,6 +224,11 @@
if (rpc) {
if (fw.len) {
+ if (fw.len > sizeof(self->rpc)) {
+ printk(KERN_INFO "Invalid fw len: %x\n", fw.len);
+ err = -EINVAL;
+ goto err_exit;
+ }
err =
hw_atl_utils_fw_downld_dwords(self,
PHAL_ATLANTIC->rpc_addr,
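Review bot: The bound is taken from `sizeof(self->rpc)`, but the download call directly below reaches the firmware state through `PHAL_ATLANTIC->rpc_addr`, so it is worth confirming that `self->rpc` is really the buffer being filled; the destination argument lies past the end of this hunk. If the destination is a member of the PHAL_ATLANTIC structure, the guard should measure that object, `if (fw.len > sizeof(PHAL_ATLANTIC->rpc)) {`, and the `sw.len` check in the previous hunk should follow suit. A one-line comment stating that fw.len appears to be device-reported and must never exceed the RPC buffer would make the intent of the guard clear.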
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index e099738..94ec92a 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2281,8 +2281,11 @@
copy_skb = skb_get(skb);
skb_head = skb->data;
}
- if (copy_skb)
+ if (copy_skb) {
+ memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0,
+ sizeof(PACKET_SKB_CB(copy_skb)->sa.ll));
skb_set_owner_r(copy_skb, sk);
+ }
}
snaplen = po->rx_ring.frame_size - macoff;
if ((int)snaplen < 0) {
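Review bot: The new memset carries no comment, and the reason `sa.ll` has to be cleared is not local to this branch: the receive path later in this file copies `&PACKET_SKB_CB(skb)->sa` to `msg->msg_name` with a length that is presumably derived from the stored address, so stale control-block bytes on a queued `copy_skb` could end up driving that copy. A comment above the memset would record this, e.g. `/* cb[] is read back as a sockaddr on receive; do not queue stale contents */`. The enclosing function starts and ends outside the hunk.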
@@ -3437,6 +3440,8 @@
sock_recv_ts_and_drops(msg, sk, skb);
if (msg->msg_name) {
+ const size_t max_len = min(sizeof(skb->cb),
+ sizeof(struct sockaddr_storage));
int copy_len;
/* If the address length field is there to be filled
@@ -3459,6 +3464,10 @@
msg->msg_namelen = sizeof(struct sockaddr_ll);
}
}
+ if (WARN_ON_ONCE(copy_len > max_len)) {
+ copy_len = max_len;
+ msg->msg_namelen = copy_len;
+ }
memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
}
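Review bot: `copy_len` is declared `int` while `max_len` is a `const size_t`, so `copy_len > max_len` is evaluated as an unsigned comparison; a negative copy_len therefore also takes the clamp, which is the safe outcome but reads as accidental. Either state it, `/* unsigned compare: a negative copy_len is clamped too */`, or make copy_len unsigned if nothing outside the hunk needs it signed. Because WARN_ON_ONCE escalates to a panic on systems running with panic_on_warn, this branch is meant to be unreachable and relies on the `sa.ll` memset added earlier in this file; the comment should say that the clamp is a backstop and not the primary check.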