PD#SWPL-26439
commit 54648cf1ec upstream.
We find the memory use-after-free issue in __blk_drain_queue()
on the kernel 4.14. After read the latest kernel 4.18-rc6 we
think it has the same problem.
Memory is allocated for q->fq in the blk_init_allocated_queue().
If the elevator init function called with error return, it will
run into the fail case to free the q->fq.
Then the __blk_drain_queue() uses the same memory after the free
of the q->fq, it will lead to the unpredictable event.
The patch is to set q->fq as NULL in the fail case of
blk_init_allocated_queue().
Change-Id: I8f328135c35326c60be07ec23926720cc3cb9ccd
Fixes: commit 7c94e1c157 ("block: introduce blk_flush_queue to drive flush machinery")
Cc: <stable@vger.kernel.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Bart Van Assche <bart.vanassche@wdc.com>
Signed-off-by: xiao jin <jin.xiao@intel.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
[groeck: backport to v4.4.y/v4.9.y (context change)]
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Alessio Balsini <balsini@android.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 513f86d738 upstream.
If there an inode points to a block which is also some other type of
metadata block (such as a block allocation bitmap), the
buffer_verified flag can be set when it was validated as that other
metadata block type; however, it would make a really terrible external
attribute block. The reason why we use the verified flag is to avoid
constantly reverifying the block. However, it doesn't take much
overhead to make sure the magic number of the xattr block is correct,
and this will avoid potential crashes.
This addresses CVE-2018-10879.
https://bugzilla.kernel.org/show_bug.cgi?id=200001
Change-Id: Ife4c34ccf556447817b9865b72860ab16a6a31b8
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
[Backported to 4.9: adjust context]
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 5f8cf71258 upstream.
If a USB sound card reports 0 interfaces, an error condition is triggered
and the function usb_audio_probe errors out. In the error path, there was a
use-after-free vulnerability where the memory object of the card was first
freed, followed by a decrement of the number of active chips. Moving the
decrement above the atomic_dec fixes the UAF.
[ The original problem was introduced in 3.1 kernel, while it was
developed in a different form. The Fixes tag below indicates the
original commit but it doesn't mean that the patch is applicable
cleanly. -- tiwai ]
Change-Id: Ice17f852ebaa7020ef54e6ecb4d36f936e365db8
Fixes: 362e4e49ab ("ALSA: usb-audio - clear chip->probing on error exit")
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Signed-off-by: Hui Peng <benquike@gmail.com>
Signed-off-by: Mathias Payer <mathias.payer@nebelwelt.net>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 8c55dedb79 upstream.
Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.
Change-Id: Ic2c31725ef68a8c8650fdfb2bfdae3728c544de5
Bug: 142967706
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
PD#SWPL-26439
commit d9d4b1e46d upstream.
The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff
driver. The problem is caused by the driver's assumption that the
device must have an input report. While this will be true for all
normal HID input devices, a suitably malicious device can violate the
assumption.
The same assumption is present in over a dozen other HID drivers.
This patch fixes them by checking that the list of hid_inputs for the
hid_device is nonempty before allowing it to be used.
Change-Id: Id320865d0ef3a95df7c40e608a76a84286b7573b
Reported-and-tested-by: syzbot+403741a091bf41d4ae79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#SWPL-26439
commit 303911cfc5 upstream.
The syzbot fuzzer has found two (!) races in the USB character device
registration and deregistration routines. This patch fixes the races.
The first race results from the fact that usb_deregister_dev() sets
usb_minors[intf->minor] to NULL before calling device_destroy() on the
class device. This leaves a window during which another thread can
allocate the same minor number but will encounter a duplicate name
error when it tries to register its own class device. A typical error
message in the system log would look like:
sysfs: cannot create duplicate filename '/class/usbmisc/ldusb0'
The patch fixes this race by destroying the class device first.
The second race is in usb_register_dev(). When that routine runs, it
first allocates a minor number, then drops minor_rwsem, and then
creates the class device. If the device creation fails, the minor
number is deallocated and the whole routine returns an error. But
during the time while minor_rwsem was dropped, there is a window in
which the minor number is allocated and so another thread can
successfully open the device file. Typically this results in
use-after-free errors or invalid accesses when the other thread closes
its open file reference, because the kernel then tries to release
resources that were already deallocated when usb_register_dev()
failed. The patch fixes this race by keeping minor_rwsem locked
throughout the entire routine.
Change-Id: Ibc1510c929adc3effab627f575895dcbdde02e12
Reported-and-tested-by: syzbot+30cf45ebfe0b0c4847a1@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1908121607590.1659-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#TV-17133
Problem:
need API to unprotect mem for codec and so on
Solution:
add api tee_unprotect_mem
Verify:
Android Q + TM2
Test: manual
Change-Id: I9dc205e209988297724c9461254c028e779ae1eb
Signed-off-by: Pengguang Zhu <pengguang.zhu@amlogic.com>
PD#SWPL-16829
Problem:
need API to protect mem for gpu and so on
Solution:
add api tee_protect_mem_by_type
Verify:
Android Q + TL1
Test: manual
wq
Signed-off-by: Pengguang Zhu <pengguang.zhu@amlogic.com>
Change-Id: Ibf420e1d4845c1020ae2ff91629f6e31a32a7bc3
Signed-off-by: changqing.gao <changqing.gao@amlogic.com>
PD#SWPL-18795
Problem:
need API to protect mem for tvp
Solution:
add api tee_protect_tvp_mem
Verify:
Android Q + franklin
Test: manual
Change-Id: I46daec70a843524789aa63b32ef5e43111b65c66
Signed-off-by: Pengguang Zhu <pengguang.zhu@amlogic.com>
PD#SWPL-17563
Problem:
DOS should be compatible forward previous version in the same chip
Solution:
add the probe done flag
Verify:
AC200
Change-Id: Id8696147646d6ecb1077acd0907650987823dea4
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
PD#SWPL-17563
Problem:
modify smarthome deconfig for power domain control API
Solution:
modify smarthome deconfig for power domain control API
Verify:
T962E2
Change-Id: I335eeba045ef26253f33b5d13178b0625b361deb
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
PD#SWPL-17563
Problem:
add power domain control API for TM2 and SM1
Solution:
add power domain control API for TM2 and SM1
Verify:
T962E2
Change-Id: I2587b2b554281ee7c81d77e8978a2640e5f73be5
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
Signed-off-by: chunlong.cao <chunlong.cao@amlogic.com>
PD#SWPL-28012
Problem:
ion buf not correctly attached
Solution:
ion buf treat the same as dmabuf
Verify:
local
Change-Id: I5b4b4aad26b5c9aff224d100ad94342570c397b0
Signed-off-by: Jun Zhang <jun.zhang@amlogic.com>
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-26044
Problem:
secure memory is not enabled
Solution:
add support for secure memory
Verify:
ac214
Change-Id: If93577beba551b4495cd4eaa72c46e8dee8f866f
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
Signed-off-by: chunlong.cao <chunlong.cao@amlogic.com>
PD#SWPL-25894
Problem:
GE2D Support color space convert
Solution:
add this support
Verify:
w400
Change-Id: I0d47c3bb7734fcc6246d7e01cf8b6902ff2a5c15
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-17634
Problem:
add power domain control
Solution:
add power domain control
Verify:
T962E2 AB319
Change-Id: I1c0f8eef091a57b924c0cb431eb82c290ff56d35
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-27213
Problem:
need different lcd init_level policy
Solution:
support more init_level
Verify:
x301
Change-Id: I28d39d50066494fc0aed640fe3c93986f6fd394e
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
PD#SWPL-25943
Problem:
need to use video buffer in ge2d driver
Solution:
add export buffer interface
Verify:
u202
Change-Id: I3d104e188b4fe0b493b26aa52f53eb476ce74103
Signed-off-by: Keke Li <keke.li@amlogic.com>
PD#SWPL-26390
Problem:
1. WiFi Module might not be ready for card scan.
Solution:
1. Optimize the position of delay in the code.
Verify:
W400
Change-Id: Ia6c102bda13c20c8480c43c4635e191e45b9eb33
Signed-off-by: Weiguang Ruan <Weiguang.ruan@amlogic.com>
PD#SWPL-25954
Problem:
1, need add vbyone&lvds prbs both test
Solution:
1, add vbyone&lvds prbs both test
2, support only test vx1 or lvds
Verify:
tl1_x301
Change-Id: Iabfa7ba58e323fd8172af6f281dd4c88c01143f5
Signed-off-by: shaochan.liu <shaochan.liu@amlogic.com>
PD#SWPL-17480
Problem:
sometime there need shift a little for frac
Solution:
add clk frac shift support
Verify:
x301
Change-Id: I937cca1b07f20d95144d1b85addc2cac775d1aac
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
PD#SWPL-28320
Problem:
Kernel may crash when dump vmalloc info
Solution:
skip invalid vm_struct
Verify:
tm2
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
Change-Id: Iaa58d54c60441c3b2b3a9559ad3340cf339e961c
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#SWPL-27008
Problem:
exphy setting will del
Solution:
set delay once more
Verify:
verify on sm1 202 customer's board
Change-Id: I47bb705bd13f17320f095589d1a08f89635b76b1
Signed-off-by: Zhuo Wang <zhuo.wang@amlogic.com>
PD#SWPL-28030
Problem:
there is risk when trying to destroy
the context being processed.
Solution:
add mutex to avoid the risk
Verify:
SM1
Change-Id: I6b85b4eb54f3b185613f37e5f83ef54663ddb01f
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-19862
Problem:
osd regs init are different with meson-hwc setting
Solution:
osd regs init are different with meson-hwc setting
Verify:
franklin
Change-Id: Ic9f19a82859e1e18e57084935873b10057436e3b
Signed-off-by: Pengcheng Chen <pengcheng.chen@amlogic.com>
PD#SWPL-18250
Problem:
After fix vmap stack error, cpu usage from top is incorrect.
Solution:
fix sp not right issue.
Verify:
ampere
Change-Id: I935f98758ba6d13c608ff2cfe2428df6f552d05a
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
Problem:
There is no t931 platform config for google newman
Solution:
add t931 platform config for google newman
Verify:
on google newman platform
Signed-off-by: chunlong.cao <chunlong.cao@amlogic.com>
Change-Id: Ia7cfff4c6b6ce0415991416943a8b0e510ef4548
PD#SWPL-24627
Problem:
i2c may hangup when reading edid during system power up.
it's caused by ddc filter reset
Solution:
move ddc filter reset to place which no ddc operation
Verify:
S805Y(P244)
Change-Id: I624dee1ae0ff338b7d6a357fad4b98337378a304
Signed-off-by: hang cheng <hang.cheng@amlogic.com>
PD#SWPL-19410
Problem:
Connect with Hisense HZ55A65 TV, It will lost resolution
Solution:
Modify the code using read edid
Verify:
verify on the board of U212
Change-Id: Iaa2692508db6bcde07578e027e23bbf52399b25c
Signed-off-by: Zhengrong Zhu <zhengrong.zhu@amlogic.com>
PD#SWPL-23499
Problem:
osd sdr2hdr process cause osd color contour
Solution:
1. root cause is cgain curve is not smooth
2. bypass cgain
Verify:
verify on G12A
Change-Id: I81480244c8b13f942ae99b45238d947f874120fe
Signed-off-by: MingLiang Dong <mingliang.dong@amlogic.com>
PD#SWPL-24882
Problem:
When 4K output, DoVi core3 htotal does not leave enough timing,
in addition to scaler pipeline delay, cause output does not get
data in time.
Solution:
reduce htotal(porting setting from g12b) for 4K output timing.
Verify:
HDMI DoVi 4K input, connect to DV 4K TV, set same axis as preview:
echo 1740 0 3839 1299 > /sys/class/video/axi
and check display: no more garbage display.
Signed-off-by: robin.zhu <robin.zhu@amlogic.com>
Change-Id: Ic075d00ea784b2bd080e6069baf9ea2c96c1c782
PD#SWPL-24904
Problem:
When the semaphore is used, it is suddenly re-initialized.
Solution:
The semaphore is only initialized during the probe.
Verify:
on X301
Change-Id: I1c45a56c1c204f5a3e2ee2fc7e31ac3da88348e1
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
PD#SWPL-24864
Problem:
High security vulnerability in dm-anroid-verity
Solution:
we add this code for test.
It was improperly released, revert it.
Android avb code is ok after revert it.
Revert "md: use dm-anroid-verity [3/4]"
This reverts commit 84edbc7284.
Verify:
franklin
Change-Id: I8daa068475ee6d29b3ee8a5e8475b7594d71ce7d
Signed-off-by: Xindong Xu <xindong.xu@amlogic.com>
PD#SWPL-24764
Problem:
dv mem power down is earlier then dv core off
Solution:
delay one vsync to power down dv mem
Verify:
tm2
Change-Id: I895b2444358d365bf9481d964c6da0f207ff8733
Signed-off-by: yao liu <yao.liu@amlogic.com>
