PD#SWPL-12289
Problem:
drm driver has no debug sysfs file
Solution:
add follow sysfs node
1. dump the osd register
/sys/kernel/debug/dri/%minor%/vpu/reg_dump
2. dump the gem buffer image
/sys/kernel/debug/dri/%minor%/vpu/dump
3. set the gem buffer image store path
/sys/kernel/debug/dri/%minor%/vpu/imgpath
4. set 1 to disable the osd plane
/sys/kernel/debug/dri/%minor%/vpu/blank
Verify:
g12a-u200
Change-Id: I10746d65b09d3b530dc22720b8cee669fa120dde
Signed-off-by: Ao Xu <ao.xu@amlogic.com>
PD#SWPL-13092
Problem:
drm driver has no drm support
Solution:
add afbc block support
Verify:
g12a-u200
Change-Id: If2e57b63032e9f93be800bda652b80e560163231
Signed-off-by: Ao Xu <ao.xu@amlogic.com>
PD#SWPL-8061
Problem:
SM1 support
Solution:
add sm1 support
Verify:
verify by ac200 with modetest command
Change-Id: Id79f227afa7f7dbcaad09887f8bdbd1f64b93c4a
Signed-off-by: Dezhi Kong <dezhi.kong@amlogic.com>
PD#SWPL-9646
Problem:
unsupport multi-layer
Solution:
add multi-layer support
Verify:
verify by w400 with modetest command
Change-Id: I5cd50761d2ab9cfff0f80d38e20455044c7a33fd
Signed-off-by: Dezhi Kong <dezhi.kong@amlogic.com>
PD#SWPL-7872
Problem:
TM2 special case , vd2 afbc can't work on TM2
Solution:
Process bl+el as SDR on TM2
Verify:
T962e2
Change-Id: I2433b72c4b5548e75665aba9623a29cd5f12d202
Signed-off-by: yao liu <yao.liu@amlogic.com>
PD#TV-1586
Problem:
no atv format get func
Solution:
Add atv format get func
Verify:
verified by x301
Change-Id: Ia43d5a67370d2b025e1b32833a5408a5e7d251d4
Signed-off-by: Nian Jing <nian.jing@amlogic.com>
PD#TV-6007
Problem:
ATV scan range is not qualified
Solution:
1.change 0x128 from 0x140008 to 0x1f0008 for ntsc-m
2.support cutwindow adjust debug:
echo h index val >/sys/class/tvafe/tvafe0/cutwin
echo v index val >/sys/class/tvafe/tvafe0/cutwin
echo r >/sys/class/tvafe/tvafe0/cutwin
3.support cutwindow config in dts
Verify:
x301
Change-Id: Idc3a3e8857cea2462da6edcbbf4ffefab6d48f7b
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
PD#SWPL-13115
Problem:
Apk drop lots of frames before render
the first frame, in this case, omx_run
is false and no frames will render.
Decoder doesn't have free output buffer.
Solution:
Drop dv frames in video sync before render
the first frame if app want to drop.
Verify:
Verified on U212
Change-Id: I463619f658d7f78ad8d513e17ca78482e17b3a4e
Signed-off-by: yao liu <yao.liu@amlogic.com>
PD#SWPL-6397
Problem:
tm2 is a new chip
Solution:
add vpu driver support for tm2
Verify:
pxp
Change-Id: I19275c513b68fba8feced37f1ff8fca9bf48d395
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
PD#OTT-5603
Problem:
Configurate GPIO_AO 9 as mclk_0,it doesn't work.
Solution:
From SM1, the mclk pad register is changed.
Using standard clk tree to make it compitable.
Verify:
TM2, SM1.
Change-Id: I8d53296297536c90768495232570f33fc89db131
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
PD#SWPL-4233
Problem:
3D framepacking mode display black screen
Solution:
Add vinfo 3d flag and hdmitx update
when work 3d mode
Verify:
U212
Change-Id: Ia2b7b25c9ed401dbec2c487ea2a5c6cc1e0d8b8d
Signed-off-by: Kaifu Hu <kaifu.hu@amlogic.com>
PD#TV-5482
Problem:
Image flicker for non-std avin,
because the force_nostd parameter is modified to a unsuitable value.
Solution:
remove force_nostd paramete,
add sysfs node support for force_nostd
Verify:
x301
Change-Id: Ic50a311c6b5a63bcbd1d56651713de5be60a38a2
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
PD#SWPL-6404
Problem:
KASAN error:global-out-of-bounds in nls_uniname_cmp
Solution:
Append "\0\0" to the string of UNI_CUR_DIR_NAME and UNI_PAR_DIR_NAME
Verify:
x301
Change-Id: Ic94e837ed7874d337207c31eedfc966b46ab8ecd
Signed-off-by: changqing.gao <changqing.gao@amlogic.com>
PD#SWPL-15901
Problem:
OTT-6792
upstream a45403b515
The extended attribute code now uses the crc32c checksum for hashing
purposes, so we should just always always initialize it. We also want
to prevent NULL pointer dereferences if one of the metadata checksum
features is enabled after the file sytsem is originally mounted.
This issue has been assigned CVE-2018-1094.
https://bugzilla.kernel.org/show_bug.cgi?id=199183https://bugzilla.redhat.com/show_bug.cgi?id=1560788
Solution:
Verify:
Change-Id: I30362945537ff4aa05fbf8e83dc52c25b3d24586
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-15901
Problem:
In ext4_xattr_make_inode_space of xattr.c, there is a possible out-of-bounds
write due to improper input validation. This could lead to local escalation
of privilege in the kernel with no additional execution privileges needed.
User interaction is needed for exploitation.
Solution:
The fix is designed to never move system.data out of the inode.
Platform:
Raven
Verify:
Raven
Change-Id: I0820e6e84c8a5ab7d40d14ce14c11f9f8e1f9503
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-15901
Problem:
In sdcardfs_open of file.c, there is a possible Use After Free
due to an unusual root cause. This could lead to local escalation
of privilege with no additional execution privileges needed.
User interaction is not needed for exploitation.
Solution:
The fix is designed to avoid the OVERRIDE_CRED macro in favor
of more explicit control flow.
Platform:
Raven
Verify:
Raven
Change-Id: Idab016c33c2dfbd9425533ed5c5501b671677572
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-6798
Problem:
ext4: zero out the unused memory region in the extent tree block
Solution:
This commit zeroes out the unused memory region in the buffer_head
corresponding to the extent metablock after writing the extent header
and the corresponding extent node entries.
This is done to prevent random uninitialized data from getting into
the filesystem when the extent block is synced.
This fixes CVE-2019-11833.
Verify:
Raven
Change-Id: I5c6aae01432f5517b539312507e59e8dfb9c25eb
Signed-off-by: Sriram Rajagopalan <sriramr@arista.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-6028
PD#SWPL-8535
Problem:
enable ftrce in ramoops for new dtbs
Solution:
enable ftrce in ramoops for new dtbs
Verify:
X301
Change-Id: If5db23ed5e37dcd2522229e5aa2ed31e78a75c48
Signed-off-by: Jianxin Pan <jianxin.pan@amlogic.com>
PD#SWPL-8759
Problem:
disable EAS on non-big-little platforms
Solution:
disable EAS on non-big-little platforms
Verify:
w400, u200
Change-Id: I11845def9efaa2e1da8fd30ac26daeb0dc47eda4
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#GH-134
Problem:
When freeze abort happen, it will lose device_unblock_probing(),
so device probe is blocked.
Solution:
When freeze abort happen, release device_block_probing
Verify:
SM1_S905D3_AC200
Change-Id: I3e591fe9ed392b6a4d30285817a91fbfec25336f
Signed-off-by: Qiufang Dai <qiufang.dai@amlogic.com>
PD#SWPL-16045
commit b2eb85b49a upstream
When there are no callbacks pending on an idle system, I noticed that
RCU softirq is continuously firing. During this the cpu_no_qs is set to
false, and core_needs_qs is set to true indefinitely. This causes
rcu_process_callbacks to be repeatedly called, even though the node
corresponding to the CPU has that CPU's mask bit cleared and the system
is idle. I believe the race is when such mask clearing is done during
idle CPU scan of the quiescent state forcing stage in the kthread
instead of the softirq. Since the rnp mask is cleared, but the flags on
the CPU's rdp are not cleared, the CPU thinks it still needs to report
to core RCU.
Cure this by clearing the core_needs_qs flag when the CPU detects that
its node is already updated which will avoid the unwanted softirq raises
to the benefit of real-time systems.
Test: Ran rcutorture for various tree RCU configs.
Change-Id: Ibf34014eabdb0105847e5e642348e32e4a6194a1
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#SWPL-7092
This reverts commit 68c4a4f8ab, with
various conflict clean-ups.
With the default root directory mode set to 0750 now, the capability
check was redundant.
Change-Id: If978c34cef8345b0ba67a038eed7d54d4f1423d6
Suggested-by: Nick Kralevich <nnk@google.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
PD#SWPL-7852
Problem:
android.security.sts.Poc16_11#testPocCVE_2016_6753 fail
Solution:
do not expose kernel addr info via cgroup_css_links_read
Verify:
U200
Change-Id: I74e4904e8b662db9d6589a1926c62c87e12d6f6f
Signed-off-by: Jiamin Ma <jiamin.ma@amlogic.com>
PD#SWPL-2399
Problem:
freeze mode can not kill the secondary cpus
Solution:
move the cpu kill function before the freeze function
Verify:
tl1 test success
Change-Id: I1da7cb8bcd800b8372fd152490eadd4ef3866ece
Signed-off-by: zhiqiang liang <zhiqiang.liang@amlogic.com>
PD#SWPL-15901
Problem:
In the hidp_process_report in bluetooth, there is an integer overflow.
This could lead to an out of bounds write with no additional execution
privileges needed. User interaction is not needed for exploitation.
Solution:
The fix is designed to make the length an unsigned integer and prevent
the overflow condition.
Platform:
Raven
Verify:
Raven
Change-Id: I2f7b2c5aea90120777177a4bdf238110e2ec22e2
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-6793
Problem:
socket: close race condition between sock_close() and sockfs_setattr()
Solution:
fchownat() doesn't even hold refcnt of fd until it figures out
fd is really needed (otherwise is ignored) and releases it after
it resolves the path. This means sock_close() could race with
sockfs_setattr(), which leads to a NULL pointer dereference
since typically we set sock->sk to NULL in ->release().
As pointed out by Al, this is unique to sockfs. So we can fix this
in socket layer by acquiring inode_lock in sock_close() and
checking against NULL in sockfs_setattr().
sock_release() is called in many places, only the sock_close()
path matters here. And fortunately, this should not affect normal
sock_close() as it is only called when the last fd refcnt is gone.
It only affects sock_close() with a parallel sockfs_setattr() in
progress, which is not common.
Verify:
Raven
Change-Id: I336827581400c93c655e6bd9b837ec6f07c94632
Fixes: 86741ec254 ("net: core: Add a UID field to struct sock.")
Reported-by: shankarapailoor <shankarapailoor@gmail.com>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Lorenzo Colitti <lorenzo@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5671
[Problem]
The irda_setsockopt function in net/irda/af_irda.c and later in
drivers/staging/irda/net/af_irda.c in the Linux kernel before 4.17
allows local users to cause a denial of service (ias_object
use-after-free and system crash) or possibly have unspecified other
impact via an AF_IRDA socket.
[Solution]
The irda_setsockopt() function conditionally allocates memory for a new
self->ias_object or, in some cases, reuses the existing
self->ias_object. Existing objects were incorrectly reinserted into the
LM_IAS database which corrupted the doubly linked list used for the
hashbin implementation of the LM_IAS database. When combined with a
memory leak in irda_bind(), this issue could be leveraged to create a
use-after-free vulnerability in the hashbin list. This patch fixes the
issue by only inserting newly allocated objects into the database.
[Test]
Change-Id: Idbdc870be0064e331969b39a7b6e447c16a9073a
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5666
[Problem]
In pppol2tp_connect, there is possible memory corruption due to a
use after free. This could lead to local escalation of privilege with
System execution privileges needed. User interaction is not needed for
exploitation.
[Solution]
l2tp: pass tunnel pointer to ->session_create()
Using l2tp_tunnel_find() in pppol2tp_session_create() and
l2tp_eth_create() is racy, because no reference is held on the
returned session. These functions are only used to implement the
->session_create callback which is run by l2tp_nl_cmd_session_create().
Therefore searching for the parent tunnel isn't necessary because
l2tp_nl_cmd_session_create() already has a pointer to it and holds a
reference.
This patch modifies ->session_create()'s prototype to directly pass the
the parent tunnel as parameter, thus avoiding searching for it in
pppol2tp_session_create() and l2tp_eth_create().
Since we have to touch the ->session_create() call in
l2tp_nl_cmd_session_create(), let's also remove the useless conditional:
we know that ->session_create isn't NULL at this point because it's
already been checked earlier in this same function.
Finally, one might be tempted to think that the removed
l2tp_tunnel_find() calls were harmless because they would return the
same tunnel as the one held by l2tp_nl_cmd_session_create() anyway.
But that tunnel might be removed and a new one created with same tunnel
Id before the l2tp_tunnel_find() call. In this case l2tp_tunnel_find()
would return the new tunnel which wouldn't be protected by the
reference held by l2tp_nl_cmd_session_create().
Change-Id: I50e19ae5abb4009205e59105222bf92e3587f9c4
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#OTT-5669
[Problem]
Linux kernel versions 4.9+ can be forced to make very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for every incoming
packet which can lead to a denial of service.
[Solution]
Juha-Matti Tilli reported that malicious peers could inject tiny
packets in out_of_order_queue, forcing very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
every incoming packet.
With tcp_rmem[2] default of 6MB, the ooo queue could
contain ~7000 nodes.
This patch series makes sure we cut cpu cycles enough to
render the attack not critical.
We might in the future go further, like disconnecting
or black-holing proven malicious flows.
[Test]
Change-Id: I09c72cd11a38516f3b6e293deb21c5dd0faa3d9e
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#TV-12041
Problem:
Lost RAM is too high, we checked meminfo, found that global free
page count is not same with real value counted from buddy system
usually after long time running, this different value can be over
200 MB:
[ 484.055739@1] HighMem free:16652kB min:512kB low:15932kB
~~~~~~16MB
[ 484.067393@1] lowmem_reserve[]: 0 0 0
[ 484.071021@1] HighMem: 2308*4kB (UMC) 1296*8kB (UMC) 913*16kB
(UMC) 555*32kB (UMC) 339*64kB (UMC) 25*128kB
(UMC) 2*256kB (C) 1*512kB (C) 1*1024kB (C)
0*2048kB 39*4096kB (C) = 238656kB
~~~~~~~~238MB
Solution:
Fix wrong sub of free pages when no fallback pages get from high memzone.
Verify:
x301
Change-Id: Iae011ec216e2479dd400aea1af4750ad436fe946
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#OTT-5676
[Problem]
digital security team requires OSS to be patched up to the latest or non-vulnerable version
[Solution]
mm: get rid of vmacache_flush_all() entirely
Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too. It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit. That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.
So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too. Win-win.
[Test]
Change-Id: I536c7b183ced970e18c9d67211f32da0ee404111
Signed-off-by: Hanjie Lin <hanjie.lin@amlogic.com>
PD#TV-7519
Problem:
schedule_timeout did not really make task sleep. It will cause
rt thread bug when this thread is waiting for a cma page migrated:
sched: RT throttling activated for rt_rq eaf671b8 (cpu 1)
potential CPU hogs:
btu message loo (4253)
[<c037d5b8>] task_tick_rt+0x0/0x120
[<c037d914>] pick_next_task_rt+0x1cc/0x1e4
[<c0fa8534>] __schedule+0x598/0x91c
[<c0fa891c>] schedule+0x64/0xc4
[<c0fac134>] schedule_timeout+0x1dc/0x47c
[<c0493ba4>] __migration_entry_wait+0x168/0x194
~~~~~blocked here
[<c0493c20>] migration_entry_wait+0x50/0x54
[<c0473008>] do_swap_page+0x404/0x4e8
[<c047357c>] handle_mm_fault+0x1ec/0xa60
[<c031a2f0>] do_page_fault+0x2d4/0x3a8
[<c0301408>] do_PrefetchAbort+0x48/0xb0
[<c030f78c>] ret_from_exception+0x0/0x34
Solution:
using usleep_range instead of schedule_timeout
Verify:
t905x
Change-Id: I908022b747ad921b5863af377291abdf06672f15
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#SWPL-6340
Problem:
ddp audio input from hdmiin is not smooth
Solution:
set hdmiin format-check threshold by input sr
Verify:
Verified by x301.
Change-Id: Idb8ffa616c3880b1c34d61ca4e8c2917343a9ffc
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-16157
Problem:
THD+N test fail of 88.2KHz and 176.4KHz from hdmiin
Solution:
1) optimize parameters of resampleB
2) disable AA filter for resampleA
Verify:
TM2 AB301
Change-Id: If3ef1e283acc8dbb38590f6ae7270b8f59ef83b8
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-10716
Problem:
when audio signal change from -30dB to 0dB, audio suddenly output power
is higher than 150% instantaneous maximum power
Solution:
add clip thd control interface
Verify:
verified on TL1-X301
Change-Id: Id16ba3c220a22b473eaa1e3ff87bf5dde2a83227
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
PD#SWPL-8663
Problem:
there is no audio clk on SM1
Solution:
fixed clk source setting error
Verify:
AC200
Change-Id: Ief01d680c435cfc2f50f9b7da0a6e4d68db846d5
Signed-off-by: Zhe Wang <Zhe.Wang@amlogic.com>
