PD#OTT-6793
Problem:
socket: close race condition between sock_close() and sockfs_setattr()
Solution:
fchownat() doesn't even hold refcnt of fd until it figures out
fd is really needed (otherwise is ignored) and releases it after
it resolves the path. This means sock_close() could race with
sockfs_setattr(), which leads to a NULL pointer dereference
since typically we set sock->sk to NULL in ->release().
As pointed out by Al, this is unique to sockfs. So we can fix this
in socket layer by acquiring inode_lock in sock_close() and
checking against NULL in sockfs_setattr().
sock_release() is called in many places, only the sock_close()
path matters here. And fortunately, this should not affect normal
sock_close() as it is only called when the last fd refcnt is gone.
It only affects sock_close() with a parallel sockfs_setattr() in
progress, which is not common.
Verify:
Raven
Change-Id: I336827581400c93c655e6bd9b837ec6f07c94632
Fixes: 86741ec254 ("net: core: Add a UID field to struct sock.")
Reported-by: shankarapailoor <shankarapailoor@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5671
[Problem]
The irda_setsockopt function in net/irda/af_irda.c and later in
drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17
allows local users to cause a denial of service (ias_object
use-after-free and system crash) or possibly have unspecified other
impact via an AF_IRDA socket.
[Solution]
The irda_setsockopt() function conditionally allocates memory for a new
self->ias_object or, in some cases, reuses the existing
self->ias_object. Existing objects were incorrectly reinserted into the
LM_IAS database which corrupted the doubly linked list used for the
hashbin implementation of the LM_IAS database. When combined with a
memory leak in irda_bind(), this issue could be leveraged to create a
use-after-free vulnerability in the hashbin list. This patch fixes the
issue by only inserting newly allocated objects into the database.
[Test]
Change-Id: Idbdc870be0064e331969b39a7b6e447c16a9073a
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
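The effect of reinserting an object that is already linked, and of the fix of inserting only newly allocated objects, in a small userspace model. This is an added example, not code from the patch; the list type, function names and the two-call scenario are assumptions standing in for the LM_IAS hashbin and irda_setsockopt().

```c
#include <stdio.h>
/* Constructed model of one list bucket; not the kernel's hashbin code. */
struct obj { struct obj *next, *prev; };
struct bucket { struct obj *head; };
static void insert_head(struct bucket *b, struct obj *o)
{
    o->prev = NULL;
    o->next = b->head;
    if (b->head)
        b->head->prev = o;
    b->head = o;
}

/* Node count, or -1 when a back-link is wrong or the walk passes `limit`. */
static int walk(const struct bucket *b, int limit)
{
    int n = 0;
    const struct obj *prev = NULL;
    for (const struct obj *o = b->head; o; prev = o, o = o->next)
        if (o->prev != prev || ++n > limit)
            return -1;
    return n;
}

/* Reuse `existing` if set, else take `fresh` (hypothetical handler model).
 * insert_always=1 is the old behaviour, 0 inserts only new objects. */
static struct obj *set_object(struct bucket *b, struct obj *existing, struct obj *fresh, int insert_always)
{
    struct obj *o = existing ? existing : fresh;
    if (insert_always || !existing)
        insert_head(b, o);
    return o;
}

static int list_state_after_two_calls(int insert_always)
{
    static struct obj storage;
    struct bucket b = { NULL };
    storage.next = storage.prev = NULL;
    struct obj *o = set_object(&b, NULL, &storage, insert_always);
    set_object(&b, o, NULL, insert_always);   /* second call reuses o */
    return walk(&b, 8);
}

int main(void)
{
    printf("old: %d, fixed: %d\n", list_state_after_two_calls(1), list_state_after_two_calls(0));
    return 0;
}
```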
PD#OTT-5666
[Problem]
In pppol2tp_connect, there is possible memory corruption due to a
use after free. This could lead to local escalation of privilege with
System execution privileges needed. User interaction is not needed for
exploitation.
[Solution]
l2tp: pass tunnel pointer to ->session_create()
Using l2tp_tunnel_find() in pppol2tp_session_create() and
l2tp_eth_create() is racy, because no reference is held on the
returned session. These functions are only used to implement the
->session_create callback which is run by l2tp_nl_cmd_session_create().
Therefore searching for the parent tunnel isn't necessary because
l2tp_nl_cmd_session_create() already has a pointer to it and holds a
reference.
This patch modifies ->session_create()'s prototype to directly pass
the parent tunnel as parameter, thus avoiding searching for it in
pppol2tp_session_create() and l2tp_eth_create().
Since we have to touch the ->session_create() call in
l2tp_nl_cmd_session_create(), let's also remove the useless conditional:
we know that ->session_create isn't NULL at this point because it's
already been checked earlier in this same function.
Finally, one might be tempted to think that the removed
l2tp_tunnel_find() calls were harmless because they would return the
same tunnel as the one held by l2tp_nl_cmd_session_create() anyway.
But that tunnel might be removed and a new one created with same tunnel
Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find()
would return the new tunnel which wouldn't be protected by the
reference held by l2tp_nl_cmd_session_create().
Change-Id: I50e19ae5abb4009205e59105222bf92e3587f9c4
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
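The tunnel ID reuse case from the last paragraph of this commit message, replayed step by step in a userspace model. This is an added example, not code from the patch; the registry, the function names and tunnel ID 7 are assumptions chosen for illustration.

```c
#include <stdio.h>
/* Constructed userspace model; names are hypothetical, not the l2tp code. */
struct tunnel { unsigned id; int refcount; };
#define SLOTS 4
static struct tunnel *registry[SLOTS];

/* Lookup by ID: returns a pointer but takes no reference (the racy pattern). */
static struct tunnel *find_by_id(unsigned id)
{
    for (int i = 0; i < SLOTS; i++)
        if (registry[i] && registry[i]->id == id)
            return registry[i];
    return NULL;
}

static void add_tunnel(struct tunnel *t, unsigned id)
{
    t->id = id;
    t->refcount = 1;                      /* reference owned by the registry */
    for (int i = 0; i < SLOTS; i++)
        if (!registry[i]) { registry[i] = t; return; }
}

static void del_tunnel(struct tunnel *t)
{
    for (int i = 0; i < SLOTS; i++)
        if (registry[i] == t) { registry[i] = NULL; t->refcount--; }
}

/* Returns the refcount left on the tunnel the session uses; 0 = dangling. */
static int refs_protecting_session(int pass_pointer)
{
    static struct tunnel a, b;
    for (int i = 0; i < SLOTS; i++) registry[i] = NULL;
    add_tunnel(&a, 7);
    struct tunnel *held = find_by_id(7);
    held->refcount++;                     /* caller's own reference */
    del_tunnel(&a);                       /* tunnel 7 removed meanwhile */
    add_tunnel(&b, 7);                    /* new tunnel reuses ID 7 */
    struct tunnel *used = pass_pointer ? held : find_by_id(7);
    del_tunnel(&b);                       /* new tunnel torn down as well */
    return used->refcount;
}

int main(void)
{
    printf("by id: %d, by pointer: %d\n", refs_protecting_session(0), refs_protecting_session(1));
    return 0;
}
```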
PD#OTT-5669
[Problem]
Linux kernel versions 4.9+ can be forced to make very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming
packet which can lead to a denial of service.
[Solution]
Juha-Matti Tilli reported that malicious peers could inject tiny
packets in out_of_order_queue, forcing very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
every incoming packet.
With tcp_rmem[2] default of 6MB, the ooo queue could
contain ~7000 nodes.
This patch series makes sure we cut cpu cycles enough to
render the attack not critical.
We might in the future go further, like disconnecting
or black-holing proven malicious flows.
[Test]
Change-Id: I09c72cd11a38516f3b6e293deb21c5dd0faa3d9e
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#TV-12041
Problem:
Lost RAM is too high. We checked meminfo and found that the global free
page count is not the same as the real value counted from the buddy system,
usually after a long time running; this difference can be over
200 MB:
[ 484.055739@1] HighMem free:16652kB min:512kB low:15932kB
~~~~~~16MB
[ 484.067393@1] lowmem_reserve[]: 0 0 0
[ 484.071021@1] HighMem: 2308*4kB (UMC) 1296*8kB (UMC) 913*16kB
(UMC) 555*32kB (UMC) 339*64kB (UMC) 25*128kB
(UMC) 2*256kB (C) 1*512kB (C) 1*1024kB (C)
0*2048kB 39*4096kB (C) = 238656kB
~~~~~~~~238MB
Solution:
Fix wrong sub of free pages when no fallback pages get from high memzone.
Verify:
x301
Change-Id: Iae011ec216e2479dd400aea1af4750ad436fe946
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#OTT-5676
[Problem]
Digital security team requires OSS to be patched up to the latest or non-vulnerable version.
[Solution]
mm: get rid of vmacache_flush_all() entirely
Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too. It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit. That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.
So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too. Win-win.
[Test]
Change-Id: I536c7b183ced970e18c9d67211f32da0ee404111
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#TV-7519
Problem:
schedule_timeout did not really make task sleep. It will cause
rt thread bug when this thread is waiting for a cma page migrated:
sched: RT throttling activated for rt_rq eaf671b8 (cpu 1)
potential CPU hogs:
btu message loo (4253)
[<c037d5b8>] task_tick_rt+0x0/0x120
[<c037d914>] pick_next_task_rt+0x1cc/0x1e4
[<c0fa8534>] __schedule+0x598/0x91c
[<c0fa891c>] schedule+0x64/0xc4
[<c0fac134>] schedule_timeout+0x1dc/0x47c
[<c0493ba4>] __migration_entry_wait+0x168/0x194
~~~~~blocked here
[<c0493c20>] migration_entry_wait+0x50/0x54
[<c0473008>] do_swap_page+0x404/0x4e8
[<c047357c>] handle_mm_fault+0x1ec/0xa60
[<c031a2f0>] do_page_fault+0x2d4/0x3a8
[<c0301408>] do_PrefetchAbort+0x48/0xb0
[<c030f78c>] ret_from_exception+0x0/0x34
Solution:
using usleep_range instead of schedule_timeout
Verify:
t905x
Change-Id: I908022b747ad921b5863af377291abdf06672f15
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#SWPL-6340
Problem:
ddp audio input from hdmiin is not smooth
Solution:
set hdmiin format-check threshold by input sr
Verify:
Verified by x301.
Change-Id: Idb8ffa616c3880b1c34d61ca4e8c2917343a9ffc
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-16157
Problem:
THD+N test fail of 88.2KHz and 176.4KHz from hdmiin
Solution:
1) optimize parameters of resampleB
2) disable AA filter for resampleA
Verify:
TM2 AB301
Change-Id: If3ef1e283acc8dbb38590f6ae7270b8f59ef83b8
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-10716
Problem:
when audio signal change from -30dB to 0dB, audio suddenly output power
is higher than 150% instantaneous maximum power
Solution:
add clip thd control interface
Verify:
verified on TL1-X301
Change-Id: Id16ba3c220a22b473eaa1e3ff87bf5dde2a83227
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-8663
Problem:
there is no audio clk on SM1
Solution:
fixed clk source setting error
Verify:
AC200
Change-Id: Ief01d680c435cfc2f50f9b7da0a6e4d68db846d5
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#OTT-7246
Problem:
spdifout in platform probe function will cause pop sound
as we have done this at uboot stage
Solution:
disable spdifout play zero data function
Verify:
S905Y2-U221
Change-Id: I6885a200cdb909854e239bb172568ec0af503a06
Signed-off-by: jian.zhou <jian.zhou@amlogic.com>
PD#SWPL-7798
Problem:
Crashed when audio resample setting params
are invalid.
Solution:
Add check method if the params are invalid.
Verify:
Tl1.
Change-Id: I1e0396be8d401c0a49ff0de9fd7f160f0c8133ca
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#SH-1626
Problem:
Can not record ADC's i2s output from Loopback
Solution:
1. Fix the wrong reg config in TDM OE pin.
2. move the lr/sclk pad configuration to probe.
Verify:
SM1.
Change-Id: I01f419e4b0ba72fb7295641c6e7d9a189754c9d7
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#SWPL-15189
Problem:
1. earc rx fails to connect to a sony tv
2. earc tx fails to connect to AVR-X4500H
Solution:
1. reset earc_rx pll
2. reduce comma_th
Verify:
ab311
Change-Id: I162b9697d151b682df01093cdc086330a97f8fab
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#SWPL-6918
Problem:
lack function to read/write eARC RX/TX latency and capability
Solution:
add mixer for eARC RX set/get latency and capability
add mixer for eARC RX get latency and capability
Verify:
ab311
Change-Id: I0d8aa00af7d856493417dc881a1a8c40497b12a5
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#SWPL-8134
Problem:
kernel NULL pointer for aml_resample_enable
Solution:
add lock for resampler
Verify:
Need stress test for x301
Change-Id: I1bbf5d7aeab681399c93f0cba9cc59195d3be0d6
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#TV-8460
Problem:
ATV str test is stuck
Solution:
disable some audio print messages
Verify:
Verified on marconi
Change-Id: I284c8afde3a6bc9ff3b8ebfe19360abbb152c3f8
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-9142
Problem:
Audio stuck in stress test.
Solution:
Work around:
Wait until the fifo stops and then stop toddr.
Verify:
Tl1.
Change-Id: I8ce50732a7e23124b4b37374aa4505d79cd68cfe
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#SWPL-11054
Problem:
hdmiin source, audio input is randomly LR invert
Solution:
set audio path from frhdmirx through spdifin mode
Verify:
Verified on X301
Change-Id: Ib40d30b8b6d8bc28da69bf9b4f37ae2ef9228761
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-8967
Problem:
ARC amplitude: the test value is 0.376V, requiring 0.4-0.6VPP
Solution:
update to single mode
Verify:
tl1
Change-Id: I59198596f6db22ec49eea35084325005f13bc5b6
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#TV-10448
Problem:
crash when finished early suspend but not entry suspend,
the system is waked up
Solution:
add toddr irq interrupt protection when entry suspend
and exit from suspend
Verify:
x301
Change-Id: I7ade7a745511bab83c70b5649b6af318163568d9
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#SWPL-9142
Problem:
Audio Abus may be stuck if it is stopped
when the burst is not finished.
And the stuck can't be recovered
unless reboot the system.
Solution:
Add check to make sure that the transfer
is over then start to disable the toddr fifo.
Verify:
TL1 stress test.
Change-Id: I28dcf84ddec421bc70370b2544f0bf1f3272e7b4
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#SWPL-8306
Problem:
speaker without audio on S400. side effect of SWPL-7680
Solution:
add control interface in dts to enable clk tuning
and start clk before codec init
Verify:
verify on S400
Change-Id: Ic9f4e7b13b7d4ced18852346cdc7cf5f48e510dc
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-9593
Problem:
dtv audio is heard slower in spk
Solution:
when mclk is changed, spdif clk changes correspondingly in samesource case
Verify:
X301
Change-Id: I15fcb598ba893762580f0a5aac856376af8c94ec
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-3667
Problem:
after playback non-48K raw audio, the spdif clock
is not recovered to 48K when tdm/spdif same source
Solution:
use the same clock source as tdm if samesource and
config that when tdm hardware prepare.
Verify:
AC213
Change-Id: I0d5dc5f51b5de14d155902e0fe72c293071c93ec
Signed-off-by: Jian Xu <jian.xu@amlogic.com>
PD#SWPL-6427
Problem:
ALSA tdmout buffer frequently underrun.
This will cause the tdmout channel map error.
And the other channels data go into the spk.
Solution:
1)Adjust the sequence of starting and stopping.
2)reserved frddrA for EQ/DRC module
Verify:
Test more than 1 hour and pass.
Need more stress test.
Change-Id: Ib9b6897f0b6c32652c611a8c2c367aa76b9f1e3f
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-12746
Problem:
VAD does not use HIFI PLL, it will affect vad wakeup
Solution:
VAD use HIFI PLL
Verify:
T962X2_X301
Change-Id: Iad13661c4ec3495130f485447f3c8b034bee9ce2
Signed-off-by: jian.zhou <jian.zhou@amlogic.com>
PD#SWPL-5644
Problem:
bringup new hw resample modules on SM1/TM2
Solution:
bringup new hw resample modules on SM1/TM2
1) resample A is used for HDMIRX/SPDIFIN
2) resample B is used for LOOPBACK anti-aliasing
if capture loopback data with 16KHz, enable it in dts.
Verify:
AB301
Change-Id: I0c2e403ff089a28e8d5695d854d13358ecffa313
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#TV-8989
Problem:
loopback with datain pdm, no vad to wakeup
Solution:
loopback with pdmin still works when entry freeze mode
vad works in two channel mode, mapping pdm ch0 & ch1 to vad
add channel num to loopback for vad
Verify:
x301
Change-Id: Ied244292bf2a2f668bb5a2216ec6a12964a46663
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#SWPL-3825
Problem:
VAD & PDM works in 24m clks for lowpower mode when in deep suspend
Solution:
support VAD & PDM in 24m sysclk, 768k dclk
Verify:
x301
Change-Id: Ic363337ee9b0eba0f890ae62b9e0cb6bb54dcd6a
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#SWPL-12104
Problem:
when hdmirx timing switching, pop noise.
Solution:
when audio hdmirx is unstable, mute all input buffer
Verify:
T962x2 x301
Change-Id: I594b5bf9c1f4af45bb3653a7bfef5e0c7dab2825
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#TV-6044, PD#TV-6047
Problem:
ATV sound output has noise when input non standard signal.
Solution:
release atv source select function to atv demod
Verify:
x301.
Change-Id: I96e58531150c3f20946ab636d701296328215686
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-13728
Problem:
when enable DACL_EN and DACR_EN, it will have pop sound
Solution:
Only enable DACL_EN and DACR_EN once at probe function
Verify:
U212
Change-Id: I0f26977ad5d9b86df264069f8732ddb44615cc09
Signed-off-by: jian.zhou <jian.zhou@amlogic.com>
PD#SWPL-18805
Problem:
there is noise when analog AMP on idle state
Solution:
invalidate dapm line-out driver widget
Verify:
x301_t962x2
Change-Id: I448273229d1ceb9bdaf7ee8d8aeade5893f6de8d
Signed-off-by: Cheng Tong <cheng.tong@amlogic.com>
PD#SWPL-15741
Problem:
Ab301 volume level is too low
Solution:
set tas5805 default volume to 10dB
Verify:
AB301
Change-Id: Ic5658d1c66db624fd87f8b6ce44ffae5ea6508e3
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>