PD#TV-9668
Problem:
After cpu idle enabled, watch point event register will be cleared
if cpu exit pm(idle). This will cause watch point can't work.
Solution:
re-enable watch point after cpu exit pm(idle)
Verify:
TL1
Change-Id: I4fc2002eaabecd4c5e60a5916bc29e0107882bec
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#SWPL-14256
Problem:
When ATV Mode has no signal
the bright line interference at the bottom
if freescale height is set to vinfo height
Solution:
modify VPP_OSD_SC_DUMMY_DATA alpha value
Verify:
verified on txlx-r311
Change-Id: I48bbb1be533a88e8b3c622550a0a2e8c07f2a863
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-14333
Problem:
invalid address is allowed for register program
which cause kernel panic
Solution:
add protection, programming on invalid addr will
be terminated
Verify:
tl1
Change-Id: I44bedec256ee5c386b53188fb2d8e40ae8c3f553
Signed-off-by: Xihai Zhu <xihai.zhu@amlogic.com>
PD#SWPL-13969
Problem:
In sysfs.c, return value of class_register is not checked.
Solution:
check return value of class_register
Verify:
local coverity check
Change-Id: If8deb3e388e784650e4812257143c3ac919c2d9a
Signed-off-by: Qianggui Song <qianggui.song@amlogic.com>
PD#SWPL-6863
Problem:
eARCRX/ARCRX function for sm1/tm2
Solution:
add eARCRX/ARCRX driver for sm1/tm2
plug in/out HDMI cable, notify user space current attended type
Verify:
tested on ac200, ab311
Change-Id: I0332723ef9c9d45f7797df38a7077561fddb13bf
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#SWPL-8980
Problem:
bright edge at the top when beans falling
Solution:
revert the setting of top two lines do weave to Feijun's suggestions
Verify:
TL1
Change-Id: I314e0d23e4e7c00939bd0203cd821144274fbf9e
Signed-off-by: Wenfeng Guo <wenfeng.guo@amlogic.com>
PD#OTT-5999
[Problem]
In binder_transaction of binder.c, there is a possible out of bounds
write due to an integer overflow. This could lead to local escalation of
privilege with noadditional execution privileges needed. User interaction
is needed for exploitation.
The fix is designed to check for the integer overflow.
[Solution]
UPSTREAM: binder: check for overflow when alloc for security context
commit 0b0509508b upstream.
When allocating space in the target buffer for the security context,
make sure the extra_buffers_size doesn't overflow. This can only
happen if the given size is invalid, but an overflow can turn it
into a valid size. Fail the transaction if an overflow is detected.
Bug: 130571081
Change-Id: Ibaec652d2073491cc426a4a24004a848348316bf
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5676
[Problem]
digital security team requires OSS to be patched up to the latest or non-vulnerable version
[Solution]
mm: get rid of vmacache_flush_all() entirely
Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too. It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit. That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.
So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too. Win-win.
[Test]
Change-Id: I536c7b183ced970e18c9d67211f32da0ee404111
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5671
[Problem]
The irda_setsockopt function in net/irda/af_irda.c and later in
drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17
allows local users to cause a denial of service (ias_object
use-after-free and system crash) or possibly have unspecified other
impact via an AF_IRDA socket.
[Solution]
The irda_setsockopt() function conditionally allocates memory for a new
self->ias_object or, in some cases, reuses the existing
self->ias_object. Existing objects were incorrectly reinserted into the
LM_IAS database which corrupted the doubly linked list used for the
hashbin implementation of the LM_IAS database. When combined with a
memory leak in irda_bind(), this issue could be leveraged to create a
use-after-free vulnerability in the hashbin list. This patch fixes the
issue by only inserting newly allocated objects into the database.
[Test]
Change-Id: Idbdc870be0064e331969b39a7b6e447c16a9073a
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5666
[Problem]
In pppol2tp_connect, there is possible memory corruption due to a
use after free. This could lead to local escalation of privilege with
System execution privileges needed. User interaction is not needed for
exploitation.
[Solution]
l2tp: pass tunnel pointer to ->session_create()
Using l2tp_tunnel_find() in pppol2tp_session_create() and
l2tp_eth_create() is racy, because no reference is held on the
returned session. These functions are only used to implement the
->session_create callback which is run by l2tp_nl_cmd_session_create().
Therefore searching for the parent tunnel isn't necessary because
l2tp_nl_cmd_session_create() already has a pointer to it and holds a
reference.
This patch modifies ->session_create()'s prototype to directly pass the
the parent tunnel as parameter, thus avoiding searching for it in
pppol2tp_session_create() and l2tp_eth_create().
Since we have to touch the ->session_create() call in
l2tp_nl_cmd_session_create(), let's also remove the useless conditional:
we know that ->session_create isn't NULL at this point because it's
already been checked earlier in this same function.
Finally, one might be tempted to think that the removed
l2tp_tunnel_find() calls were harmless because they would return the
same tunnel as the one held by l2tp_nl_cmd_session_create() anyway.
But that tunnel might be removed and a new one created with same tunnel
Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find()
would return the new tunnel which wouldn't be protected by the
reference held by l2tp_nl_cmd_session_create().
Change-Id: I50e19ae5abb4009205e59105222bf92e3587f9c4
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5669
[Problem]
Linux kernel versions 4.9+ can be forced to make very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming
packet which can lead to a denial of service.
[Solution]
Juha-Matti Tilli reported that malicious peers could inject tiny
packets in out_of_order_queue, forcing very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
every incoming packet.
With tcp_rmem[2] default of 6MB, the ooo queue could
contain ~7000 nodes.
This patch series makes sure we cut cpu cycles enough to
render the attack not critical.
We might in the future go further, like disconnecting
or black-holing proven malicious flows.
[Test]
Change-Id: I09c72cd11a38516f3b6e293deb21c5dd0faa3d9e
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-13232
Problem:
amvideo drops excessive video frames than it should drop
Solution:
drop only after omx_run is true
Verify:
verified on Franklin
Change-Id: Iacb8f23c9635d00ce6265a0228c1e1e458902c6a
Signed-off-by: Rico Yang <wei.yang@amlogic.com>
PD#SWPL-13243
Problem:
pmu event is not accurate or not complete in A53/A55/A73.
Solution:
1, modify event config for A53/A55/A73.
2, perf executable file must compiled from latest kernel(5.1+)
3, A55 events are most complete, A73 are least complete(eg: less ld_retired/st_retired/stall/prefetch events)
4, A55/A53 same event meanings simlar, but A73 is more different(eg: L1/L2 dcache/icache loads meanings)
sample commands:
a55 arm64:
perf stat -e task-clock,context-switches,cpu-migrations,page-faults,instructions,armv8_pmuv3/ld_retired/,armv8_pmuv3/st_retired/,cycles,branch-loads,branch-load-misses,armv8_pmuv3/a55_l1d_cache_rd/,armv8_pmuv3/a55_l1d_cache_refill_rd/,armv8_pmuv3/a55_l1d_cache_wr/,armv8_pmuv3/a55_l1d_cache_refill_wr/,L1-icache-loads,L1-icache-load-misses,armv8_pmuv3/a55_l2d_cache_rd/,armv8_pmuv3/a55_l2d_cache_refill_rd/,armv8_pmuv3/a55_l1d_cache_refill_inner/,armv8_pmuv3/a55_l1d_cache_refill_outer/,armv8_pmuv3/a55_l1d_cache_refill_prefetch/,armv8_pmuv3/a55_l2d_cache_refill_prefetch/,armv8_pmuv3/a5x_stall_frontend_cache/,armv8_pmuv3/a5x_stall_frontend_tlb/,armv8_pmuv3/a5x_stall_backend_ld/,armv8_pmuv3/a55_stall_backend_ld_cache/,armv8_pmuv3/a55_stall_backend_ld_tlb/,armv8_pmuv3/a5x_stall_backend_st/,armv8_pmuv3/a5x_stall_backend_ilock_agu/,armv8_pmuv3/a5x_stall_backend_ilock_fpu/ ls
a53 arm64:
perf stat -e task-clock,context-switches,cpu-migrations,page-faults,instructions,armv8_pmuv3/ld_retired/,armv8_pmuv3/st_retired/,cycles,branch-loads,branch-load-misses,armv8_pmuv3/l1d_cache/,armv8_pmuv3/l1d_cache_refill/,L1-icache-loads,L1-icache-load-misses,armv8_pmuv3/a5x_l2d_cache/,armv8_pmuv3/a5x_l2d_cache_refill/,armv8_pmuv3/a53_cache_refill_prefetch/,armv8_pmuv3/a53_scu_snooped/,armv8_pmuv3/a5x_stall_frontend_cache/,armv8_pmuv3/a5x_stall_frontend_tlb/,armv8_pmuv3/a5x_stall_backend_ld/,,armv8_pmuv3/a5x_stall_backend_st/,armv8_pmuv3/a5x_stall_backend_ilock_agu/,armv8_pmuv3/a5x_stall_backend_ilock_fpu/ ls
a73 arm64: (w400 bind to a73 cpu2)
perf stat -e task-clock,context-switches,cpu-migrations,page-faults,instructions,cycles,branch-loads,branch-load-misses,armv8_pmuv3/l1d_cache/,armv8_pmuv3/l1d_cache_refill/,armv8_pmuv3/a55_l1d_cache_rd/,armv8_pmuv3/a55_l1d_cache_wr/,armv8_pmuv3/a5x_l2d_cache/,armv8_pmuv3/a5x_l2d_cache_refill/,armv8_pmuv3/a55_l2d_cache_rd/,armv8_pmuv3/a55_l2d_cache_wr/ busybox taskset 4 ls
a55 arm:
perf stat -e task-clock,context-switches,cpu-migrations,page-faults,instructions,armv7_cortex_a15/ld_retired/,armv7_cortex_a15/st_retired/,cycles,branch-loads,branch-load-misses,armv7_cortex_a15/a55_l1d_cache_rd/,armv7_cortex_a15/a55_l1d_cache_refill_rd/,armv7_cortex_a15/a55_l1d_cache_wr/,armv7_cortex_a15/a55_l1d_cache_refill_wr/,L1-icache-loads,L1-icache-load-misses,armv7_cortex_a15/a55_l2d_cache_rd/,armv7_cortex_a15/a55_l2d_cache_refill_rd/,armv7_cortex_a15/a55_l1d_cache_refill_inner/,armv7_cortex_a15/a55_l1d_cache_refill_outer/,armv7_cortex_a15/a55_l1d_cache_refill_prefetch/,armv7_cortex_a15/a55_l2d_cache_refill_prefetch/,armv7_cortex_a15/a5x_stall_frontend_cache/,armv7_cortex_a15/a5x_stall_frontend_tlb/,armv7_cortex_a15/a5x_stall_backend_ld/,armv7_cortex_a15/a55_stall_backend_ld_cache/,armv7_cortex_a15/a55_stall_backend_ld_tlb/,armv7_cortex_a15/a5x_stall_backend_st/,armv7_cortex_a15/a5x_stall_backend_ilock_agu/,armv7_cortex_a15/a5x_stall_backend_ilock_fpu/ ls
a53 arm:
perf stat -e task-clock,context-switches,cpu-migrations,page-faults,instructions,armv7_cortex_a15/ld_retired/,armv7_cortex_a15/st_retired/,cycles,branch-loads,branch-load-misses,armv7_cortex_a15/l1d_cache/,armv7_cortex_a15/l1d_cache_refill/,L1-icache-loads,L1-icache-load-misses,armv7_cortex_a15/a5x_l2d_cache/,armv7_cortex_a15/a5x_l2d_cache_refill/,armv7_cortex_a15/a53_cache_refill_prefetch/,armv7_cortex_a15/a53_scu_snooped/,armv7_cortex_a15/a5x_stall_frontend_cache/,armv7_cortex_a15/a5x_stall_frontend_tlb/,armv7_cortex_a15/a5x_stall_backend_ld/,armv7_cortex_a15/a5x_stall_backend_st/,armv7_cortex_a15/a5x_stall_backend_ilock_agu/,armv7_cortex_a15/a5x_stall_backend_ilock_fpu/ ls
a73 arm: (w400 bind to a73 cpu2)
perf stat -e task-clock,context-switches,cpu-migrations,page-faults,instructions,cycles,branch-loads,branch-load-misses,armv7_cortex_a15/l1d_cache/,armv7_cortex_a15/l1d_cache_refill/,armv7_cortex_a15/a55_l1d_cache_rd/,armv7_cortex_a15/a55_l1d_cache_wr/,armv7_cortex_a15/a5x_l2d_cache/,armv7_cortex_a15/a5x_l2d_cache_refill/,armv7_cortex_a15/a55_l2d_cache_rd/,armv7_cortex_a15/a55_l2d_cache_wr/ busybox taskset 4 ls
Verify:
ac200/u200/w400
Change-Id: I7f11e1480c3c27d016b011d2a84c33e824f69b08
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#TV-10211
Problem:
log level less than 3, the function call flow changed, and
enc mode vlock max line, max pixel varible havn't be initialed.
Solution:
move initial max line/pixel varible in vlock initial function.
Verify:
tl1
Change-Id: Ib36662045e28a911bf1585bf57bc849b1952d6f9
Signed-off-by: Yong Qin <yong.qin@amlogic.com>
PD#SWPL-3826
Problem:
use gp1 pll for cpufreq.
Solution:
use gp1 pll for cpufreq.
Verify:
x301_tl1
Change-Id: Iefb6d31ec40ba304f41024e4b7adceec881d043e
Signed-off-by: Hong Guo <hong.guo@amlogic.com>
PD#SWPL-14156
Problem:
TOSHIBA Disk can't be recognized on the Port of USB 2.0 and since then
any disk can't be recognized.This is because
that the CCS flag of the PORTSC is still set and if write 0
to 0x38 of usb phy register the CCS will change to
0 and so that other disks can be recognized.
Solution:
when the enumeration fails, call set_usb_phy_host_tuning.
Verify:
test pass on u212
Change-Id: I507f269afc825de75c7dcce5f79c9c1dd7793d84
Signed-off-by: he.he <he.he@amlogic.com>
PD#SWPL-3826
Problem:
optimize the power consumption of tl1 with vad wakeup
Solution:
optimize the power consumption when enter freeze mode
switch the clk81 to 24M
cpu and dsu clk switch to gp1 pll,frequency is 600M
closed the fixed pll
closed the vddio_3.3V
Verify:
TL1 revB
Change-Id: I39170bb8efb91b126b6a15faad3cefee19b13089
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
Signed-off-by: Hong Guo <hong.guo@amlogic.com>
PD#SWPL-14024
Problem:
add protection mechanism for all plls
Solution:
add protection mechanism for all plls
Verify:
test passed on
1)axg
2)g12a
3)txl
4)txlx
Change-Id: I6f29026422f73c690854d5ffa292857d14922d22
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
PD#SWPL-14115
Problem:
DV is bypass for SDR->SDR case on sm1, but
bypass failed due to dolby_vision_status is
not sync with uboot.
Solution:
Update dolby_vision_status after startup.
Verify:
passed on sm1
Change-Id: I8025b0982ce5bfb2afc5ece1b5f14be54f3a80d6
Signed-off-by: yao liu <yao.liu@amlogic.com>
PD#SH-1185
Problem:
AXG need to support secure upgrade check
Solution:
1.add defendkey support in AXG dts
2.add defendkey config in smarthome defconfig
Verify:
AXG skt board verify pass
Change-Id: I1d173d4e7ce8d47c486bf8df4f6b7e417809c424
Signed-off-by: Zhongfu Luo <zhongfu.luo@amlogic.com>
PD#SWPL-14033
Problem:
if clk invert bit set, 100M will not connect
Solution:
don't invert clk when connect 100M network
Verify:
w400
Change-Id: I4c3acbcc0d05fc2c99b5a982461ab3d5ff83fe26
Signed-off-by: qi duan <qi.duan@amlogic.com>
PD#SWPL-12602
Problem:
omni phy can not connect network probably
after long stress suspend test
for gxl/txl/txlx
Solution:
In suspend/resume sequeue, add eth reset
Verify:
verify on p212/r311
Change-Id: I4b6ab34eb2eae40533f4a33db8fb40a00f5b3d51
Signed-off-by: qi duan <qi.duan@amlogic.com>
PD#SWPL-12746
Problem:
VAD does not use HIFI PLL, it will effect vad wakup
Solution:
VAD use HIFI PLL
Verify:
T962X2_X301
Change-Id: Iad13661c4ec3495130f485447f3c8b034bee9ce2
Signed-off-by: jian.zhou <jian.zhou@amlogic.com>
PD#SWPL-13914
Problem:
G12A TDMA affects the tuning, make tuning process
+/- dly is useless.
Solution:
add pdata save val operation.
Verify:
G12A_u212
Change-Id: I204dd989fae0d400b14725df068378be0262b1cc
Signed-off-by: Nan Li <nan.li@amlogic.com>
PD#SWPL-14102
Problem:
need to detect out of range signal
correctly
Solution:
refine the checking
Verify:
tl1
Change-Id: Ia2e47ca3a427e4f66a5464997aeb8dd766b4f7ff
Signed-off-by: Xihai Zhu <xihai.zhu@amlogic.com>
PD#SWPL-14041
Problem:
sometimes after hpcp_hpd 0->1, ESM doesn't
respond to AKE_INIT, it will lead to flash
red screen on TCL DCLS-HG50
Solution:
add control for hpcp_hpd, keep it high by default
Verify:
X301
Change-Id: I8f8e5c880400084d6ed252667460c4e397b9909d
Signed-off-by: Hang Cheng <hang.cheng@amlogic.com>
PD#SWPL-12796
Problem:
tm2 is run hs200 200M now
Solution:
modify dts
Verify:
passed on tm2_t962e2_ab311
Change-Id: If834e822aefe3c9b469ff69ce58672a94caaabb4
Signed-off-by: Ruixuan Li <ruixuan.li@amlogic.com>
PD#SWPL-13103
Problem:
S905Y2 can not use adb.
Solution:
config dts, and switch the state in uboot.
setenv otg_device 0 or 1.
Verify:
verify by faraday.
Change-Id: If4cda761e346fb63d6918db74bc03f23cdcb3a1b
Signed-off-by: Luan Yuan <luan.yuan@amlogic.com>
PD#SWPL-11936
Problem:
set screen position frequently
frame flashes white stripes
Solution:
modify threshold for updating all registers
on vsync coming
Verify:
Verfied on u212
Change-Id: Iac1ec8b5ec36809d5f5ffe2fe8e79c182e9c126b
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-13948
Problem:
customer want to set hdr tone mapping curve themself,
we provide hdr interface for them
Solution:
add hdr iocontrol interface
Verify:
verify on TL1
Change-Id: I9b7d5b33e0a72c6d1ca1fca2ebffe2a3c7e460aa
Signed-off-by: MingLiang Dong <mingliang.dong@amlogic.com>
PD#SWPL-13523
Problem:
gxm can't enter suspend
Solution:
modify the system sleep parameter
Verify:
gxm_q201
Change-Id: I697f03170a56925aa0fdb2160340cc0d480623a8
Signed-off-by: Hong Guo <hong.guo@amlogic.com>
PD#SWPL-13880
Problem:
free_irq was called twice continuously while ponter is NULL at 2nd time.
Solution:
use mutex to prevent reentry
Verify:
verified by t962x2_x301
Change-Id: I8032d15de0a2fe5a1ab30b70af0e342d0aa3ac40
Signed-off-by: zhiwei.yuan <zhiwei.yuan@amlogic.com>
PD#SWPL-13378
Problem:
BUG: KASAN: use-after-free in di_task_handle+0x1dc/0x790
Solution:
add judgement before use
Verify:
u212
Change-Id: I6281257997239fa9adbe215ca31ef7d760c9302c
Signed-off-by: Jihong Sui <jihong.sui@amlogic.com>
PD#SWPL-11934
Problem:
pcie pll lock failed some times
Solution:
1.add retry mechanism when pcie lock failed
2.add protection mechanism for all plls
Verify:
test passed on tm2 ab311
Change-Id: Id34e87d84e2bc2368c074556f500f8af1f2a4088
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
PD#SWPL-13664
Problem:
when open some special UI app, DI will have a lot of timeout,
this cause display abnormal.
Solution:
add retry after timeout;
Verify:
tl1
Change-Id: I3316252577bad218256651ebbc6d4fd8b25acb12
Signed-off-by: Jihong Sui <jihong.sui@amlogic.com>
PD#SWPL-13075
Problem:
some pattern need special handling
Solution:
per VLSI'e suggestion, add pattern
detection to try to detect special pattern
Verify:
tl1
Change-Id: I545b6e8c1b4a11fca927be46f16caeeb2cbe5327
Signed-off-by: Xihai Zhu <xihai.zhu@amlogic.com>
