The four jpeg enc core are not the same queue, and there is only one
core in a single queue.
So, can not use queue->cores to get different core.
Signed-off-by: Yandong Lin <yandong.lin@rock-chips.com>
Change-Id: If9f56e351af23871e68b83de1917f26e88382dfc
commit d270453a0d upstream.
There are destructive operations such as nfcmrvl_fw_dnld_abort and
gpio_free in nfcmrvl_nci_unregister_dev. The resources such as firmware,
gpio and so on could be destructed while the upper layer functions such as
nfcmrvl_fw_dnld_start and nfcmrvl_nci_recv_frame is executing, which leads
to double-free, use-after-free and null-ptr-deref bugs.
There are three situations that could lead to double-free bugs.
The first situation is shown below:
(Thread 1) | (Thread 2)
nfcmrvl_fw_dnld_start |
... | nfcmrvl_nci_unregister_dev
release_firmware() | nfcmrvl_fw_dnld_abort
kfree(fw) //(1) | fw_dnld_over
| release_firmware
... | kfree(fw) //(2)
| ...
The second situation is shown below:
(Thread 1) | (Thread 2)
nfcmrvl_fw_dnld_start |
... |
mod_timer |
(wait a time) |
fw_dnld_timeout | nfcmrvl_nci_unregister_dev
fw_dnld_over | nfcmrvl_fw_dnld_abort
release_firmware | fw_dnld_over
kfree(fw) //(1) | release_firmware
... | kfree(fw) //(2)
The third situation is shown below:
(Thread 1) | (Thread 2)
nfcmrvl_nci_recv_frame |
if(..->fw_download_in_progress)|
nfcmrvl_fw_dnld_recv_frame |
queue_work |
|
fw_dnld_rx_work | nfcmrvl_nci_unregister_dev
fw_dnld_over | nfcmrvl_fw_dnld_abort
release_firmware | fw_dnld_over
kfree(fw) //(1) | release_firmware
| kfree(fw) //(2)
The firmware struct is deallocated in position (1) and deallocated
in position (2) again.
The crash trace triggered by POC is like below:
BUG: KASAN: double-free or invalid-free in fw_dnld_over
Call Trace:
kfree
fw_dnld_over
nfcmrvl_nci_unregister_dev
nci_uart_tty_close
tty_ldisc_kill
tty_ldisc_hangup
__tty_hangup.part.0
tty_release
...
What's more, there are also use-after-free and null-ptr-deref bugs
in nfcmrvl_fw_dnld_start. If we deallocate firmware struct, gpio or
set null to the members of priv->fw_dnld in nfcmrvl_nci_unregister_dev,
then, we dereference firmware, gpio or the members of priv->fw_dnld in
nfcmrvl_fw_dnld_start, the UAF or NPD bugs will happen.
This patch reorders destructive operations after nci_unregister_device
in order to synchronize between cleanup routine and firmware download
routine.
The nci_unregister_device is well synchronized. If the device is
detaching, the firmware download routine will goto error. If firmware
download routine is executing, nci_unregister_device will wait until
firmware download routine is finished.
Bug: 234690530
Fixes: 3194c68701 ("NFC: nfcmrvl: add firmware download support")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I8cc1f6450c7fecf5f5994033931da1d23a522282
Hdmi controller hardware automatic flt has compatibility issues.
For example, the 980B protocol analyzer cannot recognize signal.
Therefore, software flt is needed.
Signed-off-by: Algea Cao <algea.cao@rock-chips.com>
Change-Id: Ie32ac705622048ff71cb301e2e06d5673b5889cc
Provide a vendor hook android_vh_free_pages to clear the
information in struct page_ext, when the page is freed.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Iac8e3a72f59f8d3ae16dbc93d94034fe4b627d61
Create and export a function is_swap_slot_cache_enabled
to check whether the swap slot cache can be used.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Iaca9519b838e0c3c8c06acbec83003f8309aa363
Provide a vendor hook android_vh_swap_slot_cache_active to
pass the active status of swap_slots_cache. This status
will be used in the process of reclaiming the pages that
is required to be reclaimed to a specified swap location.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I8211760e0f37fe4a514f6ceaae9993925da8cd6d
Export swapcache_free_entries to be used in the alternative function
android_vh_drain_slots_cache_cpu to swap entries in swap slot cache,
it's usage is similar to the usage in drain_slots_cache_cpu.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ia89b1728d540c5cc8995a939a918e12c23057266
3 symbols are exported to be used in vendor hook android_vh_get_swap_page:
1)check_cache_active, used to get swap page from the specified
swap location, it's usage is similar to the usage in get_swap_page
2)scan_swap_map_slots, used to get swap page from the specified swap,
it's usage is similar to get_swap_pages
3)swap_alloc_cluster, used to get swap page from the specified swap,
it's usage is similar to get_swap_pages
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ie24c5d32a16c7cb87905d034095ec8fb070dbe0f
Three vendor hooks are provided to extend struct swap_slots_cache.
The extended data are used to record the information of the
specified reclaimed swap location:
1) android_vh_alloc_swap_slot_cache, replace the function
alloc_swap_slot_cache adding allocation of the extension
of struct swap_slots_cache;
2) android_vh_drain_slots_cache_cpu, replace the function
drain_slots_cache_cpu adding the initialization of the
extension of struct swap_slots_cache;
3) android_vh_get_swap_page, replace the function get_swap_page,
according to the reclaimed location information of the page,
get the the swap page from the specified swap location;
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I3bce6e8cf255df1d879b7c4022d54981cce7c273
The function swap_type_to_swap_info is exported to access the
swap_info_struct of the specified swap, which is regarded as
reserved extended memory.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I0107e7d561150f1945a4c161e886e9e03383fff6
Provide a vendor hook android_vh_si_swapinf to replace the
process of updating nr_to_be_unused. When the page is swapped
to a specified swap location, nr_to_be_unused should not be
updated. Because the specified swap is regarded as a reserved
extended memory.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ie41caec345658589bf908fb0f96d038d1fba21f3
Two vendor hooks are added to extend the struct swap_info_struct:
android_vh_alloc_si, extend the allocation of struct swap_info_struct,
adding data to record the information of specified reclaimed location;
android_vh_init_swap_info_struct, adding initializing the extension of
struct swap_info_struct;
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I0e1d8e38ba7dfd52b609b1c14eb78f8b0ef0f9e6
When the page is unused, a vendor hook android_vh_unuse_swap_page
should be called to specify that the page should not be swapped
to the specified swap location any more.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I3fc3675020517f7cc69c76a06150dfb2380dae21
Provide a vendor hook to replace the function free_swap_slot,
adding the free_swap_slot process of pages swapped to the
specified swap location(i.e., the reserved expended memory)
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Idd6d0007e64d56d556d1234a8b931fce06031809
The specified swap is regarded as reserved extended memory.
So nr_swap_pages and total_swap_pages should not be affected
by the specified swap.
Provide a vendor hook android_vh_account_swap_pages to replace
the updating process of nr_swap_pages and total_swap_pages.
When the page is swapped to the specified swap location,
nr_swap_pages and total_swap_pages should not be updated.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ib8dfb355d190399a037b9d9eda478a81c436e224
Add android_vh_page_referenced_one_end at the end of function
page_referenced_one to update the status that whether the page
need to be reclaimed to a specified swap location.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ia06a229956328ef776da5d163708dcb011a327fb
android_vh_count_pswpin, Update the write I/O statistics of the swap;
android_vh_count_pswpout, Update the read I/O statistics of the swap;
android_vh_count_swpout_vm_event, Replace count_swpout_vm_event with
adding updating the I/O statistics of the swap;
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I4eb69db59fe2d822555a508c2f0c6cd5ca9083d1
Provide a vendor hook to copy the status whether the page need to be
reclaimed to a specified swap location.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I1a451b40407718900b56de6ed17b7fd5ef56da01
android_vh_waiting_for_page_migration: provide a vendor hook
to force not to reclaim the page under migration to a specified
swap location, until the migration is finished.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Iceeae91cbd912d9c44d7eac25f1299bbff547388
android_vh_handle_pte_fault_end: after handle_pte_fault, update
the information that whether this page need to be reclaimed to
a swap location.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I0ceb02422fc858ed96fbb47e220bf96bdc8fa68c
android_vh_swapin_add_anon_rmap: after add pte mapping to an anonymous
page durning do_swap_page, update the status that whether this page
need to be reclaimed to a swap location, according to the information
of vm_fault.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I8a2d603102c315323817e6c9366db9b0da878344
android_vh_cow_user_page: when copy a page to a new page, set the
status that whether the new page should be reclaimed to a specified
swap location, according to the information of vm_fault.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ie445c7b034ca176ec1e8fd1cd67c88581bf9ddf4
Provide a vendor hook android_vh_page_isolated_for_reclaim to
process whether the page should be reclaimed to a specified
swap(i.e., the expanded memory).
This strategy will take into account the state of the current
process/application, resource usage, and other information.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Id80a377c87bea13922e7b23963b050ab37ba0cb0
Provide a vendor hook android_vh_snapshot_refaults to record the
refault statistics of WORKINGSET_RESTORE_ANON;
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I20eb5ea99bf21fa8ba34b45e87d2ab9e9cdca167
Provide a vendor hook android_vh_inactive_is_low to replace the
calculation process of inactive_ratio.
The alternative calculation algorithm takes into account the
difference between file pages and anonymous pages.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I6cf9c47fbc440852cc36e04f49d644146eb2c6af
support:
1. Use EXTCON Subsystem to detect charger cables for charging
2. Set current limit of battery for over current protection
3. Set power limit of charger for overload protection
4. control charge pump charging current/voltage
Signed-off-by: shengfei Xu <xsf@rock-chips.com>
Change-Id: I97a461996977d418a47e6075202d82c5b87bd17b
The 32k clock is used for hp timer on RK3588, and it should be always on.
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
Change-Id: Ie28a16308521fadc33ae91c25215f30bd2265f33
According to the CEA-861, 1280x720p25 Hblank timing up to 2680,
and all standard video format timings are less than 3000
Signed-off-by: Wangqiang Guo <kay.guo@rock-chips.com>
Change-Id: I936ac8d6a21754fee6038328fd45eaf028f2dd2f
