PD#SWPL-26439
commit 2a3f7221ac upstream.
There is a small race window in the card disconnection code that
allows the registration of another card with the very same card id.
This leads to a warning in procfs creation as caught by syzkaller.
The problem is that we delete snd_cards and snd_cards_lock entries at
the very beginning of the disconnection procedure. This makes the
slot available to be assigned for another card object while the
disconnection procedure is being processed. Then it becomes possible
to issue a procfs registration with the existing file name although we
check the conflict beforehand.
The fix is simply to move the snd_cards and snd_cards_lock clearances
at the end of the disconnection procedure. The references to these
entries are merely either from the global proc files like
/proc/asound/cards or from the card registration / disconnection, so
it should be fine to shift at the very end.
Change-Id: Iaa692b113ba5ae52f5db259a572c35e4aa2ac863
Reported-by: syzbot+48df349490c36f9f54ab@syzkaller.appspotmail.com
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit eb66ae0308 upstream
Jann Horn points out that our TLB flushing was subtly wrong for the
mremap() case. What makes mremap() special is that we don't follow the
usual "add page to list of pages to be freed, then flush tlb, and then
free pages". No, mremap() obviously just _moves_ the page from one page
table location to another.
That matters, because mremap() thus doesn't directly control the
lifetime of the moved page with a freelist: instead, the lifetime of the
page is controlled by the page table locking, that serializes access to
the entry.
As a result, we need to flush the TLB not just before releasing the lock
for the source location (to avoid any concurrent accesses to the entry),
but also before we release the destination page table lock (to avoid the
TLB being flushed after somebody else has already done something to that
page).
This also makes the whole "need_flush" logic unnecessary, since we now
always end up flushing the TLB for every valid entry.
Change-Id: Ida7dcda3734c75e4656346904ff17aa0073960cb
Reported-and-tested-by: Jann Horn <jannh@google.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Tested-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 8bc1379b82 upstream.
Use a separate journal transaction if it turns out that we need to
convert an inline file to use a data block. Otherwise we could end
up failing due to not having journal credits.
This addresses CVE-2018-10883.
https://bugzilla.kernel.org/show_bug.cgi?id=200071
Change-Id: I8335ae417334d9123fc39222f411bfc881003fbf
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
[fengc@google.com: 4.4 and 4.9 backport: adjust context]
Signed-off-by: Chenbo Feng <fengc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 5369a762c8 upstream.
In theory this should have been caught earlier when the xattr list was
verified, but in case it got missed, it's simple enough to add a check
to make sure we don't overrun the xattr buffer.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Change-Id: I37cb5a7278fdb7da1ac8dcfbe2ccfefda3974b4d
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[bwh: Backported to 3.16:
- Add inode parameter to ext4_xattr_set_entry() and update callers
- Return -EIO instead of -EFSCORRUPTED on error
- Adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
[adjusted context for 4.9]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 54648cf1ec upstream.
We find the memory use-after-free issue in __blk_drain_queue()
on the kernel 4.14. After reading the latest kernel 4.18-rc6 we
think it has the same problem.
Memory is allocated for q->fq in the blk_init_allocated_queue().
If the elevator init function called with error return, it will
run into the fail case to free the q->fq.
Then the __blk_drain_queue() uses the same memory after the free
of the q->fq, it will lead to the unpredictable event.
The patch is to set q->fq as NULL in the fail case of
blk_init_allocated_queue().
Change-Id: I8f328135c35326c60be07ec23926720cc3cb9ccd
Fixes: commit 7c94e1c157 ("block: introduce blk_flush_queue to drive flush machinery")
Cc: <stable@vger.kernel.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: xiao jin <jin.xiao@intel.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[groeck: backport to v4.4.y/v4.9.y (context change)]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Alessio Balsini <balsini@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 513f86d738 upstream.
If an inode points to a block which is also some other type of
metadata block (such as a block allocation bitmap), the
buffer_verified flag can be set when it was validated as that other
metadata block type; however, it would make a really terrible external
attribute block. The reason why we use the verified flag is to avoid
constantly reverifying the block. However, it doesn't take much
overhead to make sure the magic number of the xattr block is correct,
and this will avoid potential crashes.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Change-Id: Ife4c34ccf556447817b9865b72860ab16a6a31b8
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[Backported to 4.9: adjust context]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 5f8cf71258 upstream.
If a USB sound card reports 0 interfaces, an error condition is triggered
and the function usb_audio_probe errors out. In the error path, there was a
use-after-free vulnerability where the memory object of the card was first
freed, followed by a decrement of the number of active chips. Moving the
decrement above the atomic_dec fixes the UAF.
[ The original problem was introduced in 3.1 kernel, while it was
developed in a different form. The Fixes tag below indicates the
original commit but it doesn't mean that the patch is applicable
cleanly. -- tiwai ]
Change-Id: Ice17f852ebaa7020ef54e6ecb4d36f936e365db8
Fixes: 362e4e49ab ("ALSA: usb-audio - clear chip->probing on error exit")
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 8c55dedb79 upstream.
Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.
Change-Id: Ic2c31725ef68a8c8650fdfb2bfdae3728c544de5
Bug: 142967706
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
PD#SWPL-26439
commit d9d4b1e46d upstream.
The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver. The problem is caused by the driver's assumption that the
device must have an input report. While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.
The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.
Change-Id: Id320865d0ef3a95df7c40e608a76a84286b7573b
Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
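The nonempty-list check described in the commit message above, as an added user-space example (not code from the patch). The list helpers and the reduced `hid_device` / `hid_input` structures are simplified stand-ins, and `first_input()` is a hypothetical helper name.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel's list helpers (simplified model). */
struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Reduced models of the two structures; only the list linkage is kept. */
struct hid_input  { struct list_head list; int report_id; };
struct hid_device { int quirks; struct list_head inputs; };

/*
 * Checked accessor (hypothetical helper): on an empty list, inputs.next
 * points back at the head embedded in hid_device, so list_entry() would
 * yield a pointer that is not a hid_input at all. Refuse instead.
 */
static struct hid_input *first_input(struct hid_device *hid)
{
    if (list_empty(&hid->inputs))
        return NULL;                 /* caller should fail the probe */
    return list_entry(hid->inputs.next, struct hid_input, list);
}

int main(void)
{
    struct hid_device dev;
    struct hid_input in = { .report_id = 1 };   /* constructed sample */

    list_init(&dev.inputs);
    printf("no input report: %p\n", (void *)first_input(&dev));
    list_add_tail(&in.list, &dev.inputs);
    printf("one input report: id=%d\n", first_input(&dev)->report_id);
    return 0;
}
```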
PD#SWPL-26439
commit 303911cfc5 upstream.
The syzbot fuzzer has found two (!) races in the USB character device
registration and deregistration routines. This patch fixes the races.
The first race results from the fact that usb_deregister_dev() sets
usb_minors[intf->minor] to NULL before calling device_destroy() on the
class device. This leaves a window during which another thread can
allocate the same minor number but will encounter a duplicate name
error when it tries to register its own class device. A typical error
message in the system log would look like:
sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0'
The patch fixes this race by destroying the class device first.
The second race is in usb_register_dev(). When that routine runs, it
first allocates a minor number, then drops minor_rwsem, and then
creates the class device. If the device creation fails, the minor
number is deallocated and the whole routine returns an error. But
during the time while minor_rwsem was dropped, there is a window in
which the minor number is allocated and so another thread can
successfully open the device file. Typically this results in
use-after-free errors or invalid accesses when the other thread closes
its open file reference, because the kernel then tries to release
resources that were already deallocated when usb_register_dev()
failed. The patch fixes this race by keeping minor_rwsem locked
throughout the entire routine.
Change-Id: Ibc1510c929adc3effab627f575895dcbdde02e12
Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1908121607590.1659-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
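The teardown-ordering window described in the first USB race above, and in the ALSA card disconnection commit at the top of this log, as an added single-threaded model (not code from either patch). `slot_used`, `name_live` and both function names are hypothetical; the concurrent registration is placed by hand between the two teardown steps.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_MINORS 4

static int slot_used[MAX_MINORS];  /* models usb_minors[] / snd_cards[] */
static int name_live[MAX_MINORS];  /* models the sysfs/procfs name derived from the slot */

static void reset(void)
{
    memset(slot_used, 0, sizeof(slot_used));
    memset(name_live, 0, sizeof(name_live));
}

/* Take the lowest free slot, then create the name derived from it. */
static int register_dev(void)
{
    for (int i = 0; i < MAX_MINORS; i++) {
        if (slot_used[i])
            continue;
        if (name_live[i])
            return -EEXIST;        /* "cannot create duplicate filename" */
        slot_used[i] = name_live[i] = 1;
        return i;
    }
    return -ENOSPC;                /* no free slot in this model */
}

/*
 * Tear down slot 0 in two steps and run a second registration in the
 * window between them. slot_first = 1 is the pre-fix order.
 */
static int register_during_teardown(int slot_first)
{
    reset();
    int first = register_dev();    /* takes slot 0 */
    if (slot_first)
        slot_used[first] = 0;      /* slot released, name still present */
    else
        name_live[first] = 0;      /* name removed, slot still held */
    int second = register_dev();   /* the concurrent registration */
    slot_used[first] = name_live[first] = 0;  /* teardown completes */
    return second;
}

int main(void)
{
    printf("slot cleared first: %d\n", register_during_teardown(1));
    printf("name removed first: %d\n", register_during_teardown(0));
    return 0;
}
```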
PD#TV-17133
Problem:
need API to unprotect mem for codec and so on
Solution:
add api tee_unprotect_mem
Verify:
Android Q + TM2
Test: manual
Change-Id: I9dc205e209988297724c9461254c028e779ae1eb
Signed-off-by: Pengguang Zhu <pengguang.zhu@amlogic.com>
PD#SWPL-16829
Problem:
need API to protect mem for gpu and so on
Solution:
add api tee_protect_mem_by_type
Verify:
Android Q + TL1
Test: manual
Signed-off-by: Pengguang Zhu <pengguang.zhu@amlogic.com>
Change-Id: Ibf420e1d4845c1020ae2ff91629f6e31a32a7bc3
Signed-off-by: changqing.gao <changqing.gao@amlogic.com>
PD#SWPL-18795
Problem:
need API to protect mem for tvp
Solution:
add api tee_protect_tvp_mem
Verify:
Android Q + franklin
Test: manual
Change-Id: I46daec70a843524789aa63b32ef5e43111b65c66
Signed-off-by: Pengguang Zhu <pengguang.zhu@amlogic.com>
PD#SWPL-17563
Problem:
DOS should be compatible forward previous version in the same chip
Solution:
add the probe done flag
Verify:
AC200
Change-Id: Id8696147646d6ecb1077acd0907650987823dea4
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
PD#SWPL-17563
Problem:
modify smarthome defconfig for power domain control API
Solution:
modify smarthome defconfig for power domain control API
Verify:
T962E2
Change-Id: I335eeba045ef26253f33b5d13178b0625b361deb
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
PD#SWPL-17563
Problem:
add power domain control API for TM2 and SM1
Solution:
add power domain control API for TM2 and SM1
Verify:
T962E2
Change-Id: I2587b2b554281ee7c81d77e8978a2640e5f73be5
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
Signed-off-by: chunlong.cao <chunlong.cao@amlogic.com>
PD#SWPL-28012
Problem:
ion buf not correctly attached
Solution:
ion buf treat the same as dmabuf
Verify:
local
Change-Id: I5b4b4aad26b5c9aff224d100ad94342570c397b0
Signed-off-by: Jun Zhang <jun.zhang@amlogic.com>
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-26044
Problem:
secure memory is not enabled
Solution:
add support for secure memory
Verify:
ac214
Change-Id: If93577beba551b4495cd4eaa72c46e8dee8f866f
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
Signed-off-by: chunlong.cao <chunlong.cao@amlogic.com>
PD#SWPL-25894
Problem:
GE2D Support color space convert
Solution:
add this support
Verify:
w400
Change-Id: I0d47c3bb7734fcc6246d7e01cf8b6902ff2a5c15
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-17634
Problem:
add power domain control
Solution:
add power domain control
Verify:
T962E2 AB319
Change-Id: I1c0f8eef091a57b924c0cb431eb82c290ff56d35
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-27213
Problem:
need different lcd init_level policy
Solution:
support more init_level
Verify:
x301
Change-Id: I28d39d50066494fc0aed640fe3c93986f6fd394e
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
PD#SWPL-25943
Problem:
need to use video buffer in ge2d driver
Solution:
add export buffer interface
Verify:
u202
Change-Id: I3d104e188b4fe0b493b26aa52f53eb476ce74103
Signed-off-by: Keke Li <keke.li@amlogic.com>
PD#SWPL-26390
Problem:
1. WiFi Module might not be ready for card scan.
Solution:
1. Optimize the position of delay in the code.
Verify:
W400
Change-Id: Ia6c102bda13c20c8480c43c4635e191e45b9eb33
Signed-off-by: Weiguang Ruan <Weiguang.ruan@amlogic.com>
PD#SWPL-25954
Problem:
1, need add vbyone&lvds prbs both test
Solution:
1, add vbyone&lvds prbs both test
2, support only test vx1 or lvds
Verify:
tl1_x301
Change-Id: Iabfa7ba58e323fd8172af6f281dd4c88c01143f5
Signed-off-by: shaochan.liu <shaochan.liu@amlogic.com>
PD#SWPL-17480
Problem:
sometimes the frac needs to be shifted a little
Solution:
add clk frac shift support
Verify:
x301
Change-Id: I937cca1b07f20d95144d1b85addc2cac775d1aac
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
PD#SWPL-28320
Problem:
Kernel may crash when dumping vmalloc info
Solution:
skip invalid vm_struct
Verify:
tm2
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
Change-Id: Iaa58d54c60441c3b2b3a9559ad3340cf339e961c
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#SWPL-27008
Problem:
exphy setting will del
Solution:
set delay once more
Verify:
verify on sm1 202 customer's board
Change-Id: I47bb705bd13f17320f095589d1a08f89635b76b1
Signed-off-by: Zhuo Wang <zhuo.wang@amlogic.com>
PD#SWPL-28030
Problem:
there is risk when trying to destroy
the context being processed.
Solution:
add mutex to avoid the risk
Verify:
SM1
Change-Id: I6b85b4eb54f3b185613f37e5f83ef54663ddb01f
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-19862
Problem:
osd regs init are different with meson-hwc setting
Solution:
osd regs init are different with meson-hwc setting
Verify:
franklin
Change-Id: Ic9f19a82859e1e18e57084935873b10057436e3b
Signed-off-by: Pengcheng Chen <pengcheng.chen@amlogic.com>
PD#SWPL-18250
Problem:
After fix vmap stack error, cpu usage from top is incorrect.
Solution:
fix sp not right issue.
Verify:
ampere
Change-Id: I935f98758ba6d13c608ff2cfe2428df6f552d05a
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
Problem:
There is no t931 platform config for google newman
Solution:
add t931 platform config for google newman
Verify:
on google newman platform
Signed-off-by: chunlong.cao <chunlong.cao@amlogic.com>
Change-Id: Ia7cfff4c6b6ce0415991416943a8b0e510ef4548
PD#SWPL-24627
Problem:
i2c may hangup when reading edid during system power up.
it's caused by ddc filter reset
Solution:
move the ddc filter reset to a place where there is no ddc operation
Verify:
S805Y(P244)
Change-Id: I624dee1ae0ff338b7d6a357fad4b98337378a304
Signed-off-by: hang cheng <hang.cheng@amlogic.com>
PD#SWPL-19410
Problem:
When connected to a Hisense HZ55A65 TV, it will lose resolution
Solution:
Modify the code using read edid
Verify:
verify on the board of U212
Change-Id: Iaa2692508db6bcde07578e027e23bbf52399b25c
Signed-off-by: Zhengrong Zhu <zhengrong.zhu@amlogic.com>
PD#SWPL-23499
Problem:
osd sdr2hdr process cause osd color contour
Solution:
1. root cause is cgain curve is not smooth
2. bypass cgain
Verify:
verify on G12A
Change-Id: I81480244c8b13f942ae99b45238d947f874120fe
Signed-off-by: MingLiang Dong <mingliang.dong@amlogic.com>