Commit Graph

647930 Commits

Author SHA1 Message Date
Yingyuan Zhu
2bc5fc8909 touchscreen: goodix_gt1x: fix coverity warning
PD#172714: touchscreen: goodix_gt1x: fix coverity warning

There is no judgment about whether it is null before
using the pointer.
This causes "Untrusted value as argument".

Change-Id: I147b89e9a96cddf4bdc3c42753bd165b6b802065
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-06 07:01:19 -07:00
Yingyuan Zhu
35a6b7fa1d touchscreen: goodix_gt1x: fix coverity warning
PD#172714: touchscreen: goodix_gt1x: fix coverity warning

1. The return value of the function "gt1x_i2c_read" is not
checked in the "gt1x_generic.c" file.
2. There is no exit condition for the "while (retry > 0)"
loop statement in the "gt1x_update.c" file.
This causes "Untrusted value as argument" and "Logically dead code".

Change-Id: I07c0639d084ca3b961dd187ce6721f0167b2e4cc
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-06 06:59:34 -07:00
Yingyuan Zhu
3ff706aea4 touchscreen: focaltech: fix coverity warning
PD#172715: touchscreen: focaltech: fix coverity warning

The "copy_from_user" function does not ensure that
the string "writebuf" ends with a null character, so a
null character needs to be added at the end.
This causes "String not null terminated".

Change-Id: I4cc0736ec06652226f39dd5dcde3dc7406639b89
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-06 06:58:17 -07:00
Yingyuan Zhu
3d00d913e5 touchscreen: focaltech: fix coverity warning
PD#172715: touchscreen: focaltech: fix coverity warning

In the "drivers/amlogic/input/touchscreen/focaltech_touch/
focaltech_core.c" file, the variables "irq_gpio" and
"reset_gpio" are unsigned integers; they cannot be
compared with 0.
This causes "Unsigned compared against 0".

Change-Id: Ic0ef2043e18550cc6c81867ef73f492d2dc446ec
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-06 06:57:33 -07:00
Yingyuan Zhu
04f4e673ca meson: adc_key: fix coverity warning
PD#172717: meson: adc_key: fix coverity warning

The "strncpy" function does not ensure that
the string "key->name" ends with a null character.
So, the function "strncpy" is replaced by the function "snprintf".
This causes "Buffer not null terminated".

Change-Id: I83cd35f2df8790ca779a8cc8bcde1cd97f2c9020
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-06 06:56:55 -07:00
Yingyuan Zhu
343d627172 meson: pwm: fix coverity warning
PD#172718: meson: pwm: fix coverity warning

"value < 0" and "value > 255", two conditions cannot be
met simultaneously, so the if statement cannot be executed.
This causes "Logically dead code".

Change-Id: I55930eb7ae9c6b44aa3b20b85aab6fbae9b04210
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-06 06:56:21 -07:00
Yingyuan Zhu
e11c1a802a meson: i2c: fix coverity warning
PD#172722: meson: i2c: fix coverity warning

When the function "devm_ioremap_resource" returns
an error, the previously applied memory resource
"slave" is not released.
This causes resource leak.

Change-Id: I2dfb7fab007977e1ae57e714ae489fbf80ec7103
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-06 06:55:55 -07:00
Yingyuan Zhu
24e6416bb0 meson: pinctrl: fix coverity warning
PD#172720: meson: pinctrl: fix coverity warning

The variable "reg" should be replaced by "ret",
otherwise statement "if (ret) return ret;" will
not be executed.
This causes "Logically dead code".

Change-Id: I2a69b68dd00235198e17255f78c580212f922724
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-06 04:02:46 -07:00
Jihong Sui
ad433ca62b deinterlace: fix pq issues on 32bit
PD#171620: fix pq issues on 32bit

Change-Id: I06650af722f97cdf25bbf47fb8ed5a8ca62c6186
Signed-off-by: Jihong Sui <jihong.sui@amlogic.com>
2018-09-05 22:31:42 -07:00
Evoke Zhang
edc3345652 lcd: add gpio pinctrl for pinmux off
PD#172438: lcd: add gpio pinctrl for pinmux off
add axg_s400_v03gva dts bl pinmux off

Change-Id: Iba9bf0b567092e811373ead22abb56940201ca64
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
2018-09-06 10:54:58 +08:00
Evoke Zhang
ffa2eb136b lcd: add gpio pinctrl for pinmux off
PD#172438: lcd: add gpio pinctrl for pinmux off

include below drivers:
1. lcd
2. lcd_extern
3. backlight
4. bl_ldim
5. bl_extern

Change-Id: I7b5449fa9581d0290135c615b63a7557eb9c915a
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
2018-09-05 19:08:09 -07:00
Yingyuan Zhu
99b548faeb meson: remote: fix coverity warning
PD#172716: meson: remote: fix coverity warning

The "strncpy" function does not ensure that the
string "ptable->tab.custom_name" ends with a null character.
So, the function "strncpy" is replaced by the function "snprintf".
This causes "Buffer not null terminated".

Change-Id: I4dd7ce89778ba8be7d60f3463e445f5a3a753061
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-05 08:38:27 -07:00
Yingyuan Zhu
ab6c42eeea touchscreen: focaltech: fix coverity warning
PD#172715: touchscreen: focaltech: fix coverity warning

The two header files "focaltech_upgrade_common.h" and
"focaltech_flash.h" contain each other.
This causes "Recursion in included headers".

Change-Id: I5ca6deae0c33a7cc32aa4f9498e19d40c001b2d3
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-05 08:38:07 -07:00
Yingyuan Zhu
666a493b5e touchscreen: goodix_gt1x: fix coverity warning
PD#172714: touchscreen: goodix_gt1x: fix coverity warning

The value of "ret" variable is overridden by
the new value before it is used.
This causes "Unused value".

Change-Id: Ie48b58668c4f4077606d69d5bafbd8d59264ae7e
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-05 08:37:46 -07:00
Yingyuan Zhu
a2ab293b58 touchscreen: goodix_gt9xx: fix coverity warning
PD#172713: touchscreen: goodix_gt9xx: fix coverity warning

1. The return value of function "gtp_i2c_read" is not
checked in the "gt9xx.c" file.
2. "ts" null pointer dereference in the "gt9xx.c" file.
3. In the "goodix_tool.c" file, because the third argument to
"memset" function is of type int, expression "cmd_head.data_len + 1"
is of type u16, so it needs to be converted to int.
This causes "Unused value".

Change-Id: I85ae8d9c11da0ed5d0ffbef97ad4b6c89fd78cf3
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-05 08:37:17 -07:00
Yingyuan Zhu
8852c2a272 meson: adc: fix coverity warning
PD#172721: meson: adc: fix coverity warning

1. Function "regmap_write" does not check the return value.
2. There's a risk of dividing by 0.
3. There is a risk of null pointer dereference.
This causes "Unchecked return value" and "Division or modulo by zero".

Change-Id: I10a04dbd49db2d3f3e7def18b6b9eb9f836bc9f0
Signed-off-by: Yingyuan Zhu <yingyuan.zhu@amlogic.com>
2018-09-05 03:49:07 -07:00
Hang Cheng
764d0b0e9f hdmirx: fix hdcp14 key reg error
PD#172916: hdmirx: fix hdcp14 key reg error

Change-Id: I0d614ee875c380cf877bba1e6e7ed236400b0563
Signed-off-by: Hang Cheng <hang.cheng@amlogic.com>
2018-09-05 03:47:41 -07:00
MingLiang Dong
c6ef1c4a9f amvecm: add cm2 adj interface
PD#173053: amvecm: add cm2 adj interface

Change-Id: I74387ed76b05db18f64988d4e2973b5c6bc8a236
Signed-off-by: MingLiang Dong <mingliang.dong@amlogic.com>
2018-09-05 03:47:08 -07:00
Dezhi Kong
6d7eab910c sr: fix core0 input size config
PD#170665: sr: fix core0 input size config

Change-Id: I83ae7300917d2b17dac85fea455452d8a17f5f57
Signed-off-by: Dezhi Kong <dezhi.kong@amlogic.com>
2018-09-05 03:44:28 -07:00
Hong Guo
15e1474f40 arm64: dts: g12b: add cpufreq 1.908G.
PD#165143: cpufreq: add cpufreq 1.908G.

Change-Id: I24d3f0a8a51b2d0dfdc77e23e3f1eaec9d607ae6
Signed-off-by: Hong Guo <hong.guo@amlogic.com>
2018-09-05 02:34:27 -07:00
keke.li
5e973f95ba gdc: modify the alloc mem method
PD#173042: gdc: modify the alloc mem method

Change-Id: Iac88ae4f002e6ac4e4ea6f26511c079c535cff7e
Signed-off-by: Keke Li <keke.li@amlogic.com>
2018-09-05 01:38:03 -07:00
keke.li
66fb886270 gdc: add gdc reserved memory
PD#173042: gdc: add gdc reserved memory

Change-Id: I1463fe2fba58b2d72a0b616352d81ff98e49b0b4
Signed-off-by: Keke Li <keke.li@amlogic.com>
2018-09-05 01:35:30 -07:00
Evoke Zhang
52c5f36978 lcd: fix lcd_status mistake
PD#171850: lcd: fix lcd_status mistake

Change-Id: I5f0486bbc5ba89ba153d752a9e43af1379697658
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
2018-09-05 00:09:26 -07:00
Evoke Zhang
9664c0275f backlight: add pwm range 0~255 support
PD#171080: backlight: add pwm range 0~255 support
both support 0~100, 0~255 pwm range,
depend on pwm_duty_max value is bigger than 100 or not.

Change-Id: Ib5962ccaf5fbc728640326dfae3f82f70594001e
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
2018-09-05 00:09:03 -07:00
MingLiang Dong
9d1ae432a7 hdr: fix hdmi output hdr effect different
PD#171579: hdr: fix hdmi output hdr effect different

Change-Id: I4aa49c9b06a14a92f4f39f1ab1d54bc905bece1f
Signed-off-by: MingLiang Dong <mingliang.dong@amlogic.com>
2018-09-04 23:18:58 -07:00
Eric Dumazet
176c6b591b net: merge CVE-2018-5391 patch
PD#172028 merge CVE patch

inet: frag: enforce memory limits earlier

[ Upstream commit 56e2c94f05 ]

We currently check current frags memory usage only when
a new frag queue is created. This allows attackers to first
consume the memory budget (default : 4 MB) creating thousands
of frag queues, then sending tiny skbs to exceed high_thresh
limit by 2 to 3 orders of magnitude.

Note that before commit 648700f76b ("inet: frags: use rhashtables
for reassembly units"), work queue could be starved under DOS,
getting no cpu cycles.
After commit 648700f76b, only the per frag queue timer can eventually
remove an incomplete frag queue and its skbs.

Change-Id: I93236ff2764c02ad347339872b05b6f4dce7a06a
Fixes: b13d3cbfb8 ("inet: frag: move eviction of queues to work queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jann Horn <jannh@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Peter Oskolkov <posk@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-04 19:03:37 -07:00
sky zhou
510bd0020f meson_drm: add irq enable flag in crtc.
PD#172623: for vpu clock enabled before drm probed,
so we need a flag used in drm to emulate irq
enable/disable.

Change-Id: Iaddee0a885a396cfd6fa102533a1bde08536229e
Signed-off-by: sky zhou <sky.zhou@amlogic.com>
2018-09-04 05:33:27 -07:00
Zhuo Wang
82242936b3 ethernet: omni phy turn on true powerdown
PD#172019: omni phy turn on true power down

Change-Id: Ib95a6f58ddcfda2e6dfacaa8bc2dea7ab5ccda9d
Signed-off-by: Zhuo Wang <zhuo.wang@amlogic.com>
2018-09-04 02:55:40 -07:00
Zongdong Jiao
97070d506f hdmitx: optimise hdmi power consumption
PD#172019: hdmitx: optimise hdmi power consumption
A tiny modification of HDMI_PHY_CNTL5 under suspend.

Change-Id: I429d930f980c1eb9af3c186c138c538c9ad4fcd0
Signed-off-by: Zongdong Jiao <zongdong.jiao@amlogic.com>
2018-09-04 02:11:29 -07:00
Nan Li
25584b300d emmc: optimize emmc clk set suspend & resume.
PD#173040: optimize clk set suspend & resume.

Change-Id: I1f3b826f30db382178faa0293f2ba019525e6dec
Signed-off-by: Nan Li <nan.li@amlogic.com>
2018-09-03 23:35:59 -07:00
Eric Dumazet
90b476daa9 net: merge CVE-2018-5391 patch
PD#172028 merge CVE patch

ipv4: frags: handle possible skb truesize change

[ Upstream commit 4672694bd4 ]

ip_frag_queue() might call pskb_pull() on one skb that
is already in the fragment queue.

We need to take care of possible truesize change, or we
might have an imbalance of the netns frags memory usage.

IPv6 is immune to this bug, because RFC5722, Section 4,
amended by Errata ID 3089 states :

  When reassembling an IPv6 datagram, if
  one or more its constituent fragments is determined to be an
  overlapping fragment, the entire datagram (and any constituent
  fragments) MUST be silently discarded.

Change-Id: I55a7bb378c160972d99736e4ba592bc10c10f94e
Fixes: 158f323b98 ("net: adjust skb->truesize in pskb_expand_head()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-03 03:57:50 -07:00
Eric Dumazet
48c76518d1 net: merge CVE-2018-5390 patch
PD#172028 merge CVE patch

tcp: detect malicious patterns in tcp_collapse_ofo_queue()

[ Upstream commit 3d4bf93ac1 ]

In case an attacker feeds tiny packets completely out of order,
tcp_collapse_ofo_queue() might scan the whole rb-tree, performing
expensive copies, but not changing socket memory usage at all.

1) Do not attempt to collapse tiny skbs.
2) Add logic to exit early when too many tiny skbs are detected.

We prefer not doing aggressive collapsing (which copies packets)
for pathological flows, and revert to tcp_prune_ofo_queue() which
will be less expensive.

In the future, we might add the possibility of terminating flows
that are proven to be malicious.

Change-Id: I5f857fe551726fcc5144cf0e217362ba0b8d85ae
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-09-03 03:57:33 -07:00
Eric Dumazet
05aa224a13 net: merge CVE-2018-5390 patch
PD#172028 merge CVE patch

tcp: avoid collapses in tcp_prune_queue() if possible

[ Upstream commit f4a3313d8e ]

Right after a TCP flow is created, receiving tiny out of order
packets always hit the condition :

if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf)
	tcp_clamp_window(sk);

tcp_clamp_window() increases sk_rcvbuf to match sk_rmem_alloc
(guarded by tcp_rmem[2])

Calling tcp_collapse_ofo_queue() in this case is not useful,
and offers a O(N^2) surface attack to malicious peers.

Better not attempt anything before full queue capacity is reached,
forcing attacker to spend lots of resource and allow us to more
easily detect the abuse.

Change-Id: I45bfe1bc87670f0871aebd5d6963aaf82b357f3e
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-09-03 03:57:01 -07:00
Eric Dumazet
c8daffacf0 net: merge CVE-2018-5390 patch
PD#172028: merge CVE patch

tcp: free batches of packets in tcp_prune_ofo_queue()

[ Upstream commit 72cd43ba64 ]

Juha-Matti Tilli reported that malicious peers could inject tiny
packets in out_of_order_queue, forcing very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
every incoming packet. out_of_order_queue rb-tree can contain
thousands of nodes, iterating over all of them is not nice.

Before linux-4.9, we would have pruned all packets in ofo_queue
in one go, every XXXX packets. XXXX depends on sk_rcvbuf and skbs
truesize, but is about 7000 packets with tcp_rmem[2] default of 6 MB.

Since we plan to increase tcp_rmem[2] in the future to cope with
modern BDP, can not revert to the old behavior, without great pain.

Strategy taken in this patch is to purge ~12.5 % of the queue capacity.

Change-Id: I647968cc33ccb0acd37ce647923b7cc320eaaf4f
Fixes: 36a6503fed ("tcp: refine tcp_prune_ofo_queue() to not drop all packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Juha-Matti Tilli <juha-matti.tilli@iki.fi>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-09-03 03:55:47 -07:00
jintao xu
05df7f3a9c ionvideo: fix a crash in ionvideo_thread_tick
PD#171379:

Change-Id: I868dd27b8ada3e9bb199e1d6b4325151a568dbf7
Signed-off-by: jintao xu <jintao.xu@amlogic.com>
2018-09-03 03:54:32 -07:00
Yonghui Yu
784b259a54 sdemmc: update fix adj tuning method
PD#172367: sdemmc: update fix adj tuning method

All adj delay are available is not fair when
fix adj mode were used for tuning.
We had tried to add all data with rx delay
to find out the unstable adj delay point.
This method can not cover all scene.
For example:
All adj delay are available as below.
ADJ   0   1   2   3   4   0   1
Src   --__--__--__--__--__--__--
D0    __________________--------
D1    __________________--------
D2    __________________--------
D3    __________________--------
when same rx delay were added to all data line.
All adj delay are still available as below.
ADJ   0   1   2   3   4   0   1
Src   --__--__--__--__--__--__--
D0    ----__________________----
D1    ----__________________----
D2    ----__________________----
D3    ----__________________----

So, a new method to find out the unstable adj point
were designed for better compatibility.
Rx delay were added on only 1 data line, such as D1.

When rx delay were added on D1 only. Adj delay 1 is
not available anymore as below.
ADJ   0   1   2   3   4   0   1
Src   --__--__--__--__--__--__--
D0    __________________--------
D1    ----__________________----
D2    __________________--------
D3    __________________--------

In this way, the unstable adj delay could be
distinguished.

Change-Id: I0488dec001a55f6b50b431ee4d691c872947f0f3
Signed-off-by: Yonghui Yu <yonghui.yu@amlogic.com>
2018-09-03 18:09:05 +08:00
Lei Qian
8e5a6e3870 usb: fix variable not initial issue
PD#165090: usb: fix variable not initial issue

Change-Id: Ideee120dcde79a2cd0b688413784e6e9e474c6da
Signed-off-by: Lei Qian <lei.qian@amlogic.com>
2018-09-02 23:39:27 -07:00
Huan Biao
3fc24ac8ac DTS: modify thermal high temperature shutdown and reboot data
PD#172934: modify sw shutdown temp and hw reboot temp for g12a/b

	sw governor shutdown temp 110
	hw sensor reboot temp 115

Change-Id: Ie43037ee86c9de4c0b2f43dd9a1662f3d6042a2d
Signed-off-by: Huan Biao <huan.biao@amlogic.com>
2018-09-02 22:41:49 -07:00
Brian Zhu
eff6776e7b osd: add osd reset logic for chip txl when hdr
PD#172201: osd: add osd reset logic for chip txl when hdr

Change-Id: Iaf3f723cb3c515570c500614e8f720a72d5d8758
Signed-off-by: Brian Zhu <brian.zhu@amlogic.com>
2018-09-02 22:39:15 -07:00
Yong Qin
16f3ec80a1 hdmi: cec: cmd interface cause system crash
PD#172867: cec: cmd interface cause system crash

	1. cmd file interface will cause system crash
	when send data more than 4 bytes

Change-Id: I57035a17138df6c8929d0879068ea095463c128e
Signed-off-by: Yong Qin <yong.qin@amlogic.com>
2018-08-31 08:29:22 -07:00
Brian Zhu
54ef4b2fe0 osd: add the position check to avoid refresh logo when mode changed
PD#171930: add the position check to avoid refresh logo when mode changed

Change-Id: I6760a70736209d89d6edeba40c6772d5f794208d
Signed-off-by: Brian Zhu <brian.zhu@amlogic.com>
2018-08-31 08:03:18 -07:00
Tao Zeng
dd632108c1 Merge "hdmitx: fix KASAN Bug in store_valid_mode [1/1]" into amlogic-4.9-dev 2018-08-31 04:41:58 -07:00
Zongdong Jiao
7f4cb6b3b7 hdmitx: fix KASAN Bug in store_valid_mode [1/1]
PD#172926: hdmitx: fix KASAN Bug in store_valid_mode

==================================================================
BUG: KASAN: slab-out-of-bounds in store_valid_mode+0x48/0x70
Read of size 32 at addr ffffffc04a64ef80 by task systemcontrol/2924

CPU: 1 PID: 2924 Comm: systemcontrol Tainted: G           O    4.9.113 #7
Hardware name: Amlogic (DT)
Call trace:
[<ffffff900908ecc0>] dump_backtrace+0x0/0x368
[<ffffff900908f0cc>] show_stack+0x24/0x30
[<ffffff900963bdb0>] dump_stack+0xa0/0xc8
[<ffffff90092ba140>] print_address_description+0x68/0x258
[<ffffff90092ba694>] kasan_report+0x264/0x338
[<ffffff90092b8fdc>] check_memory_region+0x12c/0x1c0
[<ffffff90092b90c4>] __asan_loadN+0x14/0x20
[<ffffff9009c0c250>] store_valid_mode+0x48/0x70
[<ffffff9009757104>] dev_attr_store+0x4c/0x68
[<ffffff90093973b0>] sysfs_kf_write+0x98/0xb8
[<ffffff9009396134>] kernfs_fop_write+0x12c/0x270
[<ffffff90092c9870>] __vfs_write+0xd8/0x268
[<ffffff90092cae30>] vfs_write+0xd8/0x240
[<ffffff90092ccd74>] SyS_write+0xc4/0x148
[<ffffff9009083f00>] el0_svc_naked+0x34/0x38

Allocated by task 2924:
 save_stack_trace_tsk+0x0/0x268
 save_stack_trace+0x24/0x30
 kasan_kmalloc+0xd8/0x188
 __kmalloc+0x14c/0x2e8
 kernfs_fop_write+0x1d0/0x270
 __vfs_write+0xd8/0x268
 vfs_write+0xd8/0x240
 SyS_write+0xc4/0x148
 el0_svc_naked+0x34/0x38

Freed by task 2746:
 save_stack_trace_tsk+0x0/0x268
 save_stack_trace+0x24/0x30
 kasan_slab_free+0x88/0x188
 kfree+0x80/0x280
 selinux_cred_free+0x34/0x50
 security_cred_free+0x48/0x70
 put_cred_rcu+0x38/0x110
 rcu_process_callbacks+0x3b4/0x950
 __do_softirq+0x210/0x5ec

The buggy address belongs to the object at ffffffc04a64ef80
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffffffc04a64ef80, ffffffc04a64efc0)
The buggy address belongs to the page:
page:ffffffbf01299380 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x7ab1600000080(slab)
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffffffc04a64ee80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffffffc04a64ef00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffffffc04a64ef80: 00 00 02 fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffffffc04a64f000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffc04a64f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Change-Id: I553bd648453385788899fadf0da9f17817891db2
Signed-off-by: Zongdong Jiao <zongdong.jiao@amlogic.com>
2018-08-31 19:34:30 +08:00
Hang Cheng
f7a91ee414 hdmirx: add power ctrl in early suspend
PD#171879: hdmirx: add power ctrl in early suspend

add rxsense pulse(20ms) to fix mtk box sda low
issue. 50ms delay is needed between rxsense pulse
and rxsense high, according to experiment and LG TV

Change-Id: Ifceeec415f9c69abce7aced1f3011020848043d0
Signed-off-by: Hang Cheng <hang.cheng@amlogic.com>
2018-08-31 04:19:24 -07:00
xianjun.liu
825f2e0fd3 mtd: fix coverity for mtd driver
PD#172180: code style and logic issue

Change-Id: Ife539ada43eafa04538150697e5e4c63f4f90db0
Signed-off-by: xianjun.liu <xianjun.liu@amlogic.com>
2018-08-31 04:16:00 -07:00
Yi Zhou
4c4baa9d7a hdr: add some hdr flags in t962e dts
PD#171577: hdr: add some flags in t962e dts

1. PD#164627: hdr: add osd lut table for nts test
2. PD#165557: hdr set bt2020 output when connect hdr tv

Change-Id: I826f7ce51d484cea0508f87b0eda5b278b9391aa
Signed-off-by: Yi Zhou <yi.zhou@amlogic.com>
2018-08-31 03:35:43 -07:00
Yan Wang
e1ceaadd3b tee: cpuid: change function of getting cpuid for arm32
PD#170391

Change getting cpuid function for 32bit kernel compile.

Change-Id: Ibccfc8ab1df599b23555fd14efc63c1d4df07895
Signed-off-by: Yan Wang <yan.wang@amlogic.com>
2018-08-31 02:32:17 -07:00
tao zeng
a977bfe165 kasan: bring up kasan
PD#172700:

1. Fix boot fail due to vmap exit problem after enable kasan;
2. Fix make fail problem when open stack/static size check
   after enable kasan;
3. fix dt-match problems reported by kasan:

==================================================================
BUG: KASAN: global-out-of-bounds in __of_match_node+0x78/0xc0
Read of size 1 at addr ffffff900a5696d0 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.9.113 #5
Hardware name: Amlogic (DT)
Call trace:
[<ffffff900908ecc0>] dump_backtrace+0x0/0x368
[<ffffff900908f0cc>] show_stack+0x24/0x30
[<ffffff900963bdb0>] dump_stack+0xa0/0xc8
[<ffffff90092ba21c>] print_address_description+0x144/0x258
[<ffffff90092ba694>] kasan_report+0x264/0x338
[<ffffff90092b897c>] __asan_load1+0x4c/0x58
[<ffffff9009ab99c0>] __of_match_node+0x78/0xc0
[<ffffff9009ab9a48>] of_match_node+0x40/0x68
[<ffffff9009abcac8>] of_match_device+0x38/0x50
[<ffffff90097631c4>] platform_match+0x7c/0x128
[<ffffff900975fcdc>] __device_attach_driver+0x64/0x140
[<ffffff900975c8b4>] bus_for_each_drv+0xec/0x158
[<ffffff900975f694>] __device_attach+0x164/0x1c8
[<ffffff900975fe4c>] device_initial_probe+0x24/0x30
[<ffffff900975e3a8>] bus_probe_device+0xe8/0xf8
[<ffffff900975aae8>] device_add+0x548/0x880
[<ffffff9009abd21c>] of_device_add+0x64/0x90
[<ffffff9009abdbd8>] of_platform_device_create_pdata+0xc0/0x128
[<ffffff9009abde4c>] of_platform_bus_create+0x1c4/0x488
[<ffffff9009abe274>] of_platform_populate+0x74/0xd0
[<ffffff900abfeaa0>] of_platform_default_populate_init+0x78/0x88
[<ffffff900908421c>] do_one_initcall+0xac/0x1f8
[<ffffff900abb10bc>] kernel_init_freeable+0x254/0x2f4
[<ffffff900a290b40>] kernel_init+0x18/0x118
[<ffffff9009083e80>] ret_from_fork+0x10/0x50

The buggy address belongs to the variable:
meson_gxl_pinctrl_dt_match+0x190/0x840

Memory state around the buggy address:
ffffff900a569580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffffff900a569600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffff900a569680: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
^
ffffff900a569700: 00 04 fa fa fa fa fa fa 00 06 fa fa fa fa fa fa
ffffff900a569780: 03 fa fa fa fa fa fa fa 05 fa fa fa fa fa fa fa
==================================================================

Change-Id: I8b0a6369fbdc10ba5106bf4f40d4b82971b7ad23
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
2018-08-31 13:55:18 +08:00
Qiang Li
97000aa433 emmc: clean the coverity errors for emmc module.
PD#170176: code defects in emmc part.

Change-Id: I2fbdb03d20bb1ea8087453398a3bc3731b30b466
Signed-off-by: Qiang Li <qiang.li@amlogic.com>
2018-08-30 20:28:23 -07:00
jinrong.liao
39035cef86 DTS: fix the dts configuration error of leds
PD#172284: this commit changes mainly for GVA

1) fix the dts configuration error of leds
2) enable "is31fl3236a" driver

Change-Id: Ic2135991b39dcca78b0b09158af0cf9b3f5fb87d
Signed-off-by: jinrong.liao <jinrong.liao@amlogic.com>
2018-08-30 20:26:28 -07:00