PD#SWPL-15199
Problem:
tunig process of hs400 is too slow
Solution:
saved tuning parameter of hs400 on emmc
Verify:
passed on tm2_t962e2_ab311
Change-Id: Ifd1ba375dd93745c9db33a94f3480ebfc21e999f
Signed-off-by: Ruixuan Li <ruixuan.li@amlogic.com>
Signed-off-by: chunlong.cao <chunlong.cao@amlogic.com>
PD#SWPL-28058
Problem:
the PCIe wifi is not recognized,
because wifi is not powered on.
Solution:
power on wifi by default.
Verify:
AC200
Signed-off-by: libo <bo.li@amlogic.com>
Change-Id: I254324756695bdcabfa808d84b69298d392f669d
PD#SWPL-30668
Problem:
too many vecm printk durning boot.
Solution:
Unnecessary prints by annotated
Verify:
on x301
Change-Id: Ia15dc9c83d62e1055bbf2c4dedf7d0619be17344
Signed-off-by: Cheng Wang <cheng.wang@amlogic.com>
PD#SWPL-30662
Problem:
Too many logs during kernel boot up, which slows system down
Solution:
Remove unnecessary logs
Verify:
AC214
only two lines remained
[4.967828] unifykey: no efuse-version set, use default value: -1
[4.968140] unifykey: aml_unifykeys_init done!
Change-Id: I093f93825f8478bb692092c877b32d374cdb7039
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
PD#SWPL-20468
Problem:
nv12 format is not support in vpp
Solution:
add nv12 format support
Verify:
on U212
Change-Id: I1e621bede63a283931743c2cd3a5ea1548149368
Signed-off-by: Dezhi Kong <dezhi.kong@amlogic.com>
PD#SWPL-16226
Problem:
v4l2 can not display on vf video
Solution:
add v4l2 vf video support
Verify:
U212
Change-Id: If04fc991edaa57c202f1adcf6b1be6d453bb2af9
Signed-off-by: rongrong zhou <rongrong.zhou@amlogic.com>
PD#SWPL-1449
Problem:
need to implement a way to get multi-vdec information
Solution:
add new data struct to dynamically record each VDEC's information
Verify:
u212
Change-Id: I5e63d4cf6e7f5e2739b95e2626cc6565d42bdbb0
Signed-off-by: apollo.ling <apollo.ling@amlogic.com>
PD#SWPL-19709
Problem:
Playback youtube 360vr video blurred screen when switch
Solution:
need to check the inst is valid when the res change.
Verify:
u212
Change-Id: I7c58d3b882be47f9681edf074673c4c75f6e3a62
Signed-off-by: Nanxin Qin <nanxin.qin@amlogic.com>
PD#SWPL-17328
Problem:
drop frames
Solution:
1. add trace for debug
2. less than 256K, do not use codec_mm allocation
3. osd fence crash
Verify:
local
Change-Id: Ibc0fe63b73cf20359bda1d743dfc6a14dc82c03f
Signed-off-by: rongrong zhou <rongrong.zhou@amlogic.com>
PD#SWPL-29593
Problem:
Because each buffer is equipped with canvas, the canvas is not enough.
Solution:
Only use the canvas when the buffer is used,
and allocate the canvas to the next buffer after use.
Verify:
on tm2-ab301
Change-Id: I98a5986f80471c05dfb5638c5404305c03aec867
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
PD#SWPL-19445
Problem:
Can not recognize keyboard and mouse form microsoft and A4TECH
Solution:
Enable CONFIG_HID_A4TECH and CONFIG_HID_MICROSOFT
Verify:
AC214
Change-Id: I0dceaecd86feedf1d6e79bd853ae29e14036f89e
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
Signed-off-by: chunlong.cao <chunlong.cao@amlogic.com>
PD#SWPL-29560
commit 056ad39ee9 upstream.
FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug
in the USB scatter-gather library:
BUG: KASAN: use-after-free in atomic_read
include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170
drivers/usb/core/hcd.c:1607
Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27
CPU: 1 PID: 27 Comm: kworker/u4:1 Not tainted 5.5.11 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.10.2-1ubuntu1 04/01/2014
Workqueue: scsi_tmf_2 scmd_eh_abort_handler
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xce/0x128 lib/dump_stack.c:118
print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
__kasan_report+0x153/0x1cb mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
__kasan_check_read+0x11/0x20 mm/kasan/common.c:95
atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
usb_unlink_urb+0x72/0xb0 drivers/usb/core/urb.c:657
usb_sg_cancel+0x14e/0x290 drivers/usb/core/message.c:602
usb_stor_stop_transport+0x5e/0xa0 drivers/usb/storage/transport.c:937
This bug occurs when cancellation of the S-G transfer races with
transfer completion. When that happens, usb_sg_cancel() may continue
to access the transfer's URBs after usb_sg_wait() has freed them.
The bug is caused by the fact that usb_sg_cancel() does not take any
sort of reference to the transfer, and so there is nothing to prevent
the URBs from being deallocated while the routine is trying to use
them. The fix is to take such a reference by incrementing the
transfer's io->count field while the cancellation is in progres and
decrementing it afterward. The transfer's URBs are not deallocated
until io->complete is triggered, which happens when io->count reaches
zero.
Change-Id: I2caeb600a37113f0f6a6374a4481d15f13c8b55e
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2003281615140.14837-100000@netrider.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-29581
commit fb73974172 upstream.
Fix the SELinux netlink_send hook to properly handle multiple netlink
messages in a single sk_buff; each message is parsed and subject to
SELinux access control. Prior to this patch, SELinux only inspected
the first message in the sk_buff.
Change-Id: Id73f242290f8693b1ab1177c27cae8add5a5cbe6
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-29182
commit 07e6124a1a upstream.
syzkaller reported this UAF:
BUG: KASAN: use-after-free in n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
Read of size 1 at addr ffff8880089e40e9 by task syz-executor.1/13184
CPU: 0 PID: 13184 Comm: syz-executor.1 Not tainted 5.4.7 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
...
kasan_report+0xe/0x20 mm/kasan/common.c:634
n_tty_receive_buf_common+0x2481/0x2940 drivers/tty/n_tty.c:1741
tty_ldisc_receive_buf+0xac/0x190 drivers/tty/tty_buffer.c:461
paste_selection+0x297/0x400 drivers/tty/vt/selection.c:372
tioclinux+0x20d/0x4e0 drivers/tty/vt/vt.c:3044
vt_ioctl+0x1bcf/0x28d0 drivers/tty/vt/vt_ioctl.c:364
tty_ioctl+0x525/0x15a0 drivers/tty/tty_io.c:2657
vfs_ioctl fs/ioctl.c:47 [inline]
It is due to a race between parallel paste_selection (TIOCL_PASTESEL)
and set_selection_user (TIOCL_SETSEL) invocations. One uses sel_buffer,
while the other frees it and reallocates a new one for another
selection. Add a mutex to close this race.
The mutex takes care properly of sel_buffer and sel_buffer_lth only. The
other selection global variables (like sel_start, sel_end, and sel_cons)
are protected only in set_selection_user. The other functions need quite
some more work to close the races of the variables there. This is going
to happen later.
This likely fixes (I am unsure as there is no reproducer provided) bug
206361 too. It was marked as CVE-2020-8648.
Change-Id: I0ebcb48ecb58db7d12b0d2068deddea73deea1cd
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: syzbot+59997e8d5cbdc486e6f6@syzkaller.appspotmail.com
References: https://bugzilla.kernel.org/show_bug.cgi?id=206361
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20200210081131.23572-2-jslaby@suse.cz
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-15901
Problem:
OTT-6792
upstream a45403b515
The extended attribute code now uses the crc32c checksum for hashing
purposes, so we should just always always initialize it. We also want
to prevent NULL pointer dereferences if one of the metadata checksum
features is enabled after the file sytsem is originally mounted.
This issue has been assigned CVE-2018-1094.
https://bugzilla.kernel.org/show_bug.cgi?id=199183https://bugzilla.redhat.com/show_bug.cgi?id=1560788
Solution:
Verify:
Change-Id: I30362945537ff4aa05fbf8e83dc52c25b3d24586
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-15901
Problem:
In ext4_xattr_make_inode_space of xattr.c, there is a possible out-of-bounds
write due to improper input validation. This could lead to local escalation
of privilege in the kernel with no additional execution privileges needed.
User interaction is needed for exploitation.
Solution:
The fix is designed to never move system.data out of the inode.
Platform:
Raven
Verify:
Raven
Change-Id: I0820e6e84c8a5ab7d40d14ce14c11f9f8e1f9503
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-15901
Problem:
In sdcardfs_open of file.c, there is a possible Use After Free
due to an unusual root cause. This could lead to local escalation
of privilege with no additional execution privileges needed.
User interaction is not needed for exploitation.
Solution:
The fix is designed to avoid the OVERRIDE_CRED macro in favor
of more explicit control flow.
Platform:
Raven
Verify:
Raven
Change-Id: Idab016c33c2dfbd9425533ed5c5501b671677572
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-15901
Problem:
In usb_destroy_configuration of config.c, there is a possible
out of bounds write due to a missing bounds check. This could
lead to local escalation of privilege with no additional execution
privileges needed. User interaction is not needed for exploitation.
Solution:
The fix is designed to make sure the driver only frees as many
configurations and interfaces as it could have allocated.
Platform:
Raven
Verify:
Raven
Change-Id: I4a3d2ad27d09e606d4e363a75ce09a2e2fcf0070
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-15901
Problem:
In the hidp_process_report in bluetooth, there is an integer overflow.
This could lead to an out of bounds write with no additional execution
privileges needed. User interaction is not needed for exploitation.
Solution:
The fix is designed to make the length an unsigned integer and prevent
the overflow condition.
Platform:
Raven
Verify:
Raven
Change-Id: I2f7b2c5aea90120777177a4bdf238110e2ec22e2
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-17563
Problem:
add power domain control API for TM2 and SM1
Solution:
add power domain control API for TM2 and SM1
Verify:
T962E2
Change-Id: I2587b2b554281ee7c81d77e8978a2640e5f73be5
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
Signed-off-by: chunlong.cao <chunlong.cao@amlogic.com>
PD#SWPL-17785
Problem:
csi use new power control API
Solution:
change api in csi
Verify:
sm1
Change-Id: I56e1055096c743d07401254c254acf24d08b64c5
Signed-off-by: Jiacheng Mei <jiacheng.mei@amlogic.com>
PD#SWPL-17634
Problem:
add power domain control
Solution:
add power domain control
Verify:
T962E2 AB319
Change-Id: I1c0f8eef091a57b924c0cb431eb82c290ff56d35
Signed-off-by: Cao Jian <jian.cao@amlogic.com>
PD#SWPL-17633
Problem:
add usb & pcie power domain control for TM2 and SM1.
Solution:
add usb & pcie power domain control for TM2 and SM1.
Verify:
T962E2
Change-Id: Ic433074c7d64365a644c78d3cb4804f0df379860
Signed-off-by: Yue Wang <yue.wang@amlogic.com>
PD#SWPL-28591
Problem:
8M camera crash after capture
Solution:
encrease the cma size in dts
Verify:
local
Change-Id: Ia67489ca03f64cb532e42a8b9c9b4ae90deae019
Signed-off-by: junwei.ma <junwei.ma@amlogic.com>
