PD#SWPL-6404
Problem:
KASAN error:global-out-of-bounds in nls_uniname_cmp
Solution:
Append "\0\0" to the string of UNI_CUR_DIR_NAME and UNI_PAR_DIR_NAME
Verify:
x301
Change-Id: Ic94e837ed7874d337207c31eedfc966b46ab8ecd
Signed-off-by: changqing.gao <changqing.gao@amlogic.com>
PD#SWPL-15901
Problem:
OTT-6792
upstream a45403b515
The extended attribute code now uses the crc32c checksum for hashing
purposes, so we should just always always initialize it. We also want
to prevent NULL pointer dereferences if one of the metadata checksum
features is enabled after the file sytsem is originally mounted.
This issue has been assigned CVE-2018-1094.
https://bugzilla.kernel.org/show_bug.cgi?id=199183https://bugzilla.redhat.com/show_bug.cgi?id=1560788
Solution:
Verify:
Change-Id: I30362945537ff4aa05fbf8e83dc52c25b3d24586
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-15901
Problem:
In ext4_xattr_make_inode_space of xattr.c, there is a possible out-of-bounds
write due to improper input validation. This could lead to local escalation
of privilege in the kernel with no additional execution privileges needed.
User interaction is needed for exploitation.
Solution:
The fix is designed to never move system.data out of the inode.
Platform:
Raven
Verify:
Raven
Change-Id: I0820e6e84c8a5ab7d40d14ce14c11f9f8e1f9503
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-15901
Problem:
In sdcardfs_open of file.c, there is a possible Use After Free
due to an unusual root cause. This could lead to local escalation
of privilege with no additional execution privileges needed.
User interaction is not needed for exploitation.
Solution:
The fix is designed to avoid the OVERRIDE_CRED macro in favor
of more explicit control flow.
Platform:
Raven
Verify:
Raven
Change-Id: Idab016c33c2dfbd9425533ed5c5501b671677572
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-6798
Problem:
ext4: zero out the unused memory region in the extent tree block
Solution:
This commit zeroes out the unused memory region in the buffer_head
corresponding to the extent metablock after writing the extent header
and the corresponding extent node entries.
This is done to prevent random uninitialized data from getting into
the filesystem when the extent block is synced.
This fixes CVE-2019-11833.
Verify:
Raven
Change-Id: I5c6aae01432f5517b539312507e59e8dfb9c25eb
Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-6028
PD#SWPL-8535
Problem:
enable ftrce in ramoops for new dtbs
Solution:
enable ftrce in ramoops for new dtbs
Verify:
X301
Change-Id: If5db23ed5e37dcd2522229e5aa2ed31e78a75c48
Signed-off-by: Jianxin Pan <jianxin.pan@amlogic.com>
PD#SWPL-8759
Problem:
disable EAS on non-big-little platforms
Solution:
disable EAS on non-big-little platforms
Verify:
w400, u200
Change-Id: I11845def9efaa2e1da8fd30ac26daeb0dc47eda4
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#GH-134
Problem:
When freeze abort happen, it will lose device_unblock_probing(),
so device probe is blocked.
Solution:
When freeze abort happen, release device_block_probing
Verify:
SM1_S905D3_AC200
Change-Id: I3e591fe9ed392b6a4d30285817a91fbfec25336f
Signed-off-by: Qiufang Dai <qiufang.dai@amlogic.com>
PD#SWPL-16045
commit b2eb85b49a upstream
When there are no callbacks pending on an idle system, I noticed that
RCU softirq is continuously firing. During this the cpu_no_qs is set to
false, and core_needs_qs is set to true indefinitely. This causes
rcu_process_callbacks to be repeatedly called, even though the node
corresponding to the CPU has that CPU's mask bit cleared and the system
is idle. I believe the race is when such mask clearing is done during
idle CPU scan of the quiescent state forcing stage in the kthread
instead of the softirq. Since the rnp mask is cleared, but the flags on
the CPU's rdp are not cleared, the CPU thinks it still needs to report
to core RCU.
Cure this by clearing the core_needs_qs flag when the CPU detects that
its node is already updated which will avoid the unwanted softirq raises
to the benefit of real-time systems.
Test: Ran rcutorture for various tree RCU configs.
Change-Id: Ibf34014eabdb0105847e5e642348e32e4a6194a1
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-7092
This reverts commit 68c4a4f8ab, with
various conflict clean-ups.
With the default root directory mode set to 0750 now, the capability
check was redundant.
Change-Id: If978c34cef8345b0ba67a038eed7d54d4f1423d6
Suggested-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
PD#SWPL-7852
Problem:
android.security.sts.Poc16_11#testPocCVE_2016_6753 fail
Solution:
do not expose kernel addr info via cgroup_css_links_read
Verify:
U200
Change-Id: I74e4904e8b662db9d6589a1926c62c87e12d6f6f
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
PD#SWPL-2399
Problem:
freeze mode can not kill the secondary cpus
Solution:
move the cpu kill function before the freeze function
Verify:
tl1 test success
Change-Id: I1da7cb8bcd800b8372fd152490eadd4ef3866ece
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
PD#SWPL-15901
Problem:
In the hidp_process_report in bluetooth, there is an integer overflow.
This could lead to an out of bounds write with no additional execution
privileges needed. User interaction is not needed for exploitation.
Solution:
The fix is designed to make the length an unsigned integer and prevent
the overflow condition.
Platform:
Raven
Verify:
Raven
Change-Id: I2f7b2c5aea90120777177a4bdf238110e2ec22e2
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-6793
Problem:
socket: close race condition between sock_close() and sockfs_setattr()
Solution:
fchownat() doesn't even hold refcnt of fd until it figures out
fd is really needed (otherwise is ignored) and releases it after
it resolves the path. This means sock_close() could race with
sockfs_setattr(), which leads to a NULL pointer dereference
since typically we set sock->sk to NULL in ->release().
As pointed out by Al, this is unique to sockfs. So we can fix this
in socket layer by acquiring inode_lock in sock_close() and
checking against NULL in sockfs_setattr().
sock_release() is called in many places, only the sock_close()
path matters here. And fortunately, this should not affect normal
sock_close() as it is only called when the last fd refcnt is gone.
It only affects sock_close() with a parallel sockfs_setattr() in
progress, which is not common.
Verify:
Raven
Change-Id: I336827581400c93c655e6bd9b837ec6f07c94632
Fixes: 86741ec254 ("net: core: Add a UID field to struct sock.")
Reported-by: shankarapailoor <shankarapailoor@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5671
[Problem]
The irda_setsockopt function in net/irda/af_irda.c and later in
drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17
allows local users to cause a denial of service (ias_object
use-after-free and system crash) or possibly have unspecified other
impact via an AF_IRDA socket.
[Solution]
The irda_setsockopt() function conditionally allocates memory for a new
self->ias_object or, in some cases, reuses the existing
self->ias_object. Existing objects were incorrectly reinserted into the
LM_IAS database which corrupted the doubly linked list used for the
hashbin implementation of the LM_IAS database. When combined with a
memory leak in irda_bind(), this issue could be leveraged to create a
use-after-free vulnerability in the hashbin list. This patch fixes the
issue by only inserting newly allocated objects into the database.
[Test]
Change-Id: Idbdc870be0064e331969b39a7b6e447c16a9073a
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5666
[Problem]
In pppol2tp_connect, there is possible memory corruption due to a
use after free. This could lead to local escalation of privilege with
System execution privileges needed. User interaction is not needed for
exploitation.
[Solution]
l2tp: pass tunnel pointer to ->session_create()
Using l2tp_tunnel_find() in pppol2tp_session_create() and
l2tp_eth_create() is racy, because no reference is held on the
returned session. These functions are only used to implement the
->session_create callback which is run by l2tp_nl_cmd_session_create().
Therefore searching for the parent tunnel isn't necessary because
l2tp_nl_cmd_session_create() already has a pointer to it and holds a
reference.
This patch modifies ->session_create()'s prototype to directly pass the
the parent tunnel as parameter, thus avoiding searching for it in
pppol2tp_session_create() and l2tp_eth_create().
Since we have to touch the ->session_create() call in
l2tp_nl_cmd_session_create(), let's also remove the useless conditional:
we know that ->session_create isn't NULL at this point because it's
already been checked earlier in this same function.
Finally, one might be tempted to think that the removed
l2tp_tunnel_find() calls were harmless because they would return the
same tunnel as the one held by l2tp_nl_cmd_session_create() anyway.
But that tunnel might be removed and a new one created with same tunnel
Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find()
would return the new tunnel which wouldn't be protected by the
reference held by l2tp_nl_cmd_session_create().
Change-Id: I50e19ae5abb4009205e59105222bf92e3587f9c4
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5669
[Problem]
Linux kernel versions 4.9+ can be forced to make very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming
packet which can lead to a denial of service.
[Solution]
Juha-Matti Tilli reported that malicious peers could inject tiny
packets in out_of_order_queue, forcing very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
every incoming packet.
With tcp_rmem[2] default of 6MB, the ooo queue could
contain ~7000 nodes.
This patch series makes sure we cut cpu cycles enough to
render the attack not critical.
We might in the future go further, like disconnecting
or black-holing proven malicious flows.
[Test]
Change-Id: I09c72cd11a38516f3b6e293deb21c5dd0faa3d9e
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#TV-12041
Problem:
Lost RAM is too high, we checked meminfo, found that global free
page count is not same with real value counted from buddy system
usually after long time running, this different value can be over
200 MB:
[ 484.055739@1] HighMem free:16652kB min:512kB low:15932kB
~~~~~~16MB
[ 484.067393@1] lowmem_reserve[]: 0 0 0
[ 484.071021@1] HighMem: 2308*4kB (UMC) 1296*8kB (UMC) 913*16kB
(UMC) 555*32kB (UMC) 339*64kB (UMC) 25*128kB
(UMC) 2*256kB (C) 1*512kB (C) 1*1024kB (C)
0*2048kB 39*4096kB (C) = 238656kB
~~~~~~~~238MB
Solution:
Fix wrong sub of free pages when no fallback pages get from high memzone.
Verify:
x301
Change-Id: Iae011ec216e2479dd400aea1af4750ad436fe946
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#OTT-5676
[Problem]
digital security team requires OSS to be patched up to the latest or non-vulnerable version
[Solution]
mm: get rid of vmacache_flush_all() entirely
Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too. It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit. That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.
So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too. Win-win.
[Test]
Change-Id: I536c7b183ced970e18c9d67211f32da0ee404111
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#TV-7519
Problem:
schedule_timeout did not really make task sleep. It will cause
rt thread bug when this thread is waiting for a cma page migrated:
sched: RT throttling activated for rt_rq eaf671b8 (cpu 1)
potential CPU hogs:
btu message loo (4253)
[<c037d5b8>] task_tick_rt+0x0/0x120
[<c037d914>] pick_next_task_rt+0x1cc/0x1e4
[<c0fa8534>] __schedule+0x598/0x91c
[<c0fa891c>] schedule+0x64/0xc4
[<c0fac134>] schedule_timeout+0x1dc/0x47c
[<c0493ba4>] __migration_entry_wait+0x168/0x194
~~~~~blocked here
[<c0493c20>] migration_entry_wait+0x50/0x54
[<c0473008>] do_swap_page+0x404/0x4e8
[<c047357c>] handle_mm_fault+0x1ec/0xa60
[<c031a2f0>] do_page_fault+0x2d4/0x3a8
[<c0301408>] do_PrefetchAbort+0x48/0xb0
[<c030f78c>] ret_from_exception+0x0/0x34
Solution:
using usleep_range instead of schedule_timeout
Verify:
t905x
Change-Id: I908022b747ad921b5863af377291abdf06672f15
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#SWPL-6340
Problem:
ddp audio input from hdmiin is not smooth
Solution:
set hdmiin format-check threshold by input sr
Verify:
Verified by x301.
Change-Id: Idb8ffa616c3880b1c34d61ca4e8c2917343a9ffc
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-16157
Problem:
THD+N test fail of 88.2KHz and 176.4KHz from hdmiin
Solution:
1) optimize parameters of resampleB
2) disable AA filter for resampleA
Verify:
TM2 AB301
Change-Id: If3ef1e283acc8dbb38590f6ae7270b8f59ef83b8
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-10716
Problem:
when audio signal change from -30dB to 0dB, audio suddenly output power
is higher than 150% instantaneous maximum power
Solution:
add clip thd control interface
Verify:
verified on TL1-X301
Change-Id: Id16ba3c220a22b473eaa1e3ff87bf5dde2a83227
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-8663
Problem:
there is no audio clk on SM1
Solution:
fixed clk source setting error
Verify:
AC200
Change-Id: Ief01d680c435cfc2f50f9b7da0a6e4d68db846d5
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#OTT-7246
Problem:
spdifout in platform probe function will cause pop sound
as we have done this at uboot stage
Solution:
disable spdifout play zero data function
Verify:
S905Y2-U221
Change-Id: I6885a200cdb909854e239bb172568ec0af503a06
Signed-off-by: jian.zhou <jian.zhou@amlogic.com>
PD#SWPL-7798
Problem:
Crashed when audio resample setting params
are invalid.
Solution:
Add check method if the params is invalid.
Verify:
Tl1.
Change-Id: I1e0396be8d401c0a49ff0de9fd7f160f0c8133ca
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#SH-1626
Problem:
Can not record ADC's i2s output from Loopback
Solution:
1. Fix the wrong reg config in TDM OE pin.
2. move the lr/sclk pad configuration to probe.
Verify:
SM1.
Change-Id: I01f419e4b0ba72fb7295641c6e7d9a189754c9d7
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#SWPL-15189
Problem:
1. earc rx fails to connect to a sony tv
2. earc tx fails to connect to AVR-X4500H
Solution:
1. reset earc_rx pll
2. reduce comma_th
Verify:
ab311
Change-Id: I162b9697d151b682df01093cdc086330a97f8fab
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#SWPL-6918
Problem:
lack function to read/write eARC RX/TX latency and capability
Solution:
add mixer for eARC RX set/get latency and capability
add mixer for eARC RX get latency and capability
Verify:
ab311
Change-Id: I0d8aa00af7d856493417dc881a1a8c40497b12a5
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#SWPL-8134
Problem:
kernel NULL pointer for aml_resample_enable
Solution:
add lock for resampler
Verify:
Need stress test for x301
Change-Id: I1bbf5d7aeab681399c93f0cba9cc59195d3be0d6
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#TV-8460
Problem:
ATV str test is stucked
Solution:
disable some audio print messages
Verify:
Verfied on marconi
Change-Id: I284c8afde3a6bc9ff3b8ebfe19360abbb152c3f8
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-9142
Problem:
Audio stuck in stress test.
Solution:
Work around:
Wait until the fifo stops and then stop toddr.
Verify:
Tl1.
Change-Id: I8ce50732a7e23124b4b37374aa4505d79cd68cfe
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#SWPL-11054
Problem:
hdmiin source, audio input is randomly LR invert
Solution:
set audio path from frhdmirx through spdifin mode
Verify:
Verified on X301
Change-Id: Ib40d30b8b6d8bc28da69bf9b4f37ae2ef9228761
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-8967
Problem:
ARC amplitude,The test value is 0.376V, requiring 0.4-0.6VPP
Solution:
update to single mode
Verify:
tl1
Change-Id: I59198596f6db22ec49eea35084325005f13bc5b6
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#TV-10448
Problem:
crash when finished early supend but not entry suspend,
the system is waked up
Solution:
add toddr irq interrupt protection when entry suspend
and exit from suspend
Verify:
x301
Change-Id: I7ade7a745511bab83c70b5649b6af318163568d9
Signed-off-by: Xing Wang <xing.wang@amlogic.com>
PD#SWPL-9142
Problem:
Audio Abus may be stuck if it is stopped
when the burst is not finished.
And the stuck can't be recovered
unless reboot the system.
Solution:
Add check to make sure that the transfer
is over then start to disable the toddr fifo.
Verify:
TL1 stress test.
Change-Id: I28dcf84ddec421bc70370b2544f0bf1f3272e7b4
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#SWPL-8306
Problem:
speaker without audio on S400. sideeffect of SWPL-7680
Solution:
add control interface in dts to enable clk tuning
and start clk before codec init
Verify:
verify on S400
Change-Id: Ic9f4e7b13b7d4ced18852346cdc7cf5f48e510dc
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-9593
Problem:
dtv audio is heard slower in spk
Solution:
when mclk is changed, spdif clk changes correspondingly in samesource case
Verify:
X301
Change-Id: I15fcb598ba893762580f0a5aac856376af8c94ec
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-3667
Problem:
after playback none-48K raw audio, the spdif clock
is not recoved to 48K when tdm/spdif same source
Solution:
use the same clock source as tdm if samesource and
config that when tdm hardware prepare.
Verify:
AC213
Change-Id: I0d5dc5f51b5de14d155902e0fe72c293071c93ec
Signed-off-by: Jian Xu <jian.xu@amlogic.com>
