The current length check:
sizeof(cmd) + len > r->entry_size
will allow very large values of len (> U16_MAX - sizeof(cmd))
and can cause a buffer overflow. Fix the check to cover this case.
In addition, ensure the mailbox entry_size is not too small,
since this can also bypass the above check.
Change-Id: Iecb4f53ef05da0e015bc954b57b0e40debb7c8b7
Signed-off-by: Lior David <liord@codeaurora.org>
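The length check described in the commit message above, as an added example that is not part of the original commit or the driver's code. It assumes the sum is truncated to 16 bits (consistent with the U16_MAX bound the message cites); struct mbox_hdr, MBOX_HDR_SIZE, the function names and the sample sizes are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the command header ("cmd" in the commit
 * message); the real layout is not shown on the page. */
struct mbox_hdr {
    uint16_t type;
    uint16_t flags;
    uint16_t len;
    uint16_t id;
};
#define MBOX_HDR_SIZE ((uint32_t)sizeof(struct mbox_hdr))

/* Weak form: header + len is truncated to 16 bits before the comparison
 * (assumption). Returns true when the command would be accepted. */
static bool weak_check(uint16_t len, uint32_t entry_size)
{
    uint16_t total = (uint16_t)(MBOX_HDR_SIZE + len);
    return !(total > entry_size);
}

/* Subtraction-only form: no addition on the untrusted length, but the
 * subtraction wraps when entry_size is smaller than the header. */
static bool subtract_only_check(uint16_t len, uint32_t entry_size)
{
    return len <= entry_size - MBOX_HDR_SIZE;
}

/* Hardened form: validate entry_size first, then compare by subtraction,
 * so neither side of the comparison can wrap. */
static bool strict_check(uint16_t len, uint32_t entry_size)
{
    if (entry_size < MBOX_HDR_SIZE)
        return false;
    return len <= entry_size - MBOX_HDR_SIZE;
}

int main(void)
{
    /* Constructed sample values: a 256-byte entry and boundary lengths. */
    const uint32_t entry_size = 256;
    const uint16_t lens[] = { 16, 248, 249, 65528, 65535 };

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%5u weak=%d strict=%d\n", (unsigned)lens[i],
               weak_check(lens[i], entry_size),
               strict_check(lens[i], entry_size));

    /* Undersized entry: subtraction alone is bypassed, strict is not. */
    printf("entry_size=4 len=65535 subtract_only=%d strict=%d\n",
           subtract_only_check(65535, 4), strict_check(65535, 4));
    return 0;
}
```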
SDM636 inherits all SDM660 GPU properties, but it will support
GPU max frequency 430MHz and DDR max frequency 1353MHz.
Change-Id: I7f88e5d187df2880757ceb6676e75f3cfe5d9218
Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
do_cleanup_data pointer is created for every SSR notification and
stored in cb_data. It is possible that the stored pointer can be
overwritten if two peripheral SSRs happen at the same time.
Use do_cleanup_data pointer directly in pkt_priv, instead of
dereferencing from cb_data.
CRs-Fixed: 2121529
Change-Id: Ife68cdc460c0628623dea6827632b8acd8d1d955
Signed-off-by: Dhoat Harpal <hdhoat@codeaurora.org>
Currently, in instance init, CAPTURE and OUTPUT formats are copied
from fixed indices. When the formats struct is enhanced with new formats,
it is possible to assign CAPTURE format on OUTPUT port. Hence derive
the formats with fourcc.
CRs-Fixed: 2048564
Change-Id: I6c31b1c68797dec9c7fbe58afc10be1221a20a6d
Signed-off-by: Praneeth Paladugu <ppaladug@codeaurora.org>
Signed-off-by: Santhosh Behara <santhoshbehara@codeaurora.org>
Signed-off-by: Praveen Chavan <pchavan@codeaurora.org>
When driver loading and registering to cnss,
the interruptible wait in cnss_driver_event_post
could be woken up by signal. In this driver
register failure case, the __hdd_module_init
will release all the driver resource.
But the cnss_driver_event_work is still probing
the driver normally in the same time. The driver
state mismatch will cause crash.
Fixed by using non interruptible wait for driver
register
Change-Id: I6e99e83f1f3312e0b7d74e432ce90ff23631bc19
Signed-off-by: Liangwei Dong <liangwei@codeaurora.org>
CRs-Fixed: 2134631
There is a scenario where the status change work can hold
a mutex lock for ~1.5 seconds which can race with the FG resume
callback. Avoid this condition by adding a state variable
to track the suspend/resume state and skip executing the
status change work while suspended.
CRs-Fixed: 2101514
Change-Id: Ib5300a5dfce30c4c6bcc8d8428b664c184a83fb4
Signed-off-by: Anirudh Ghayal <aghayal@codeaurora.org>
Add support to route QDSS data received from MDM via MHI
to USB. The driver will help route diag traffic over the
QDSS sub-system to USB on APPS side. It acts as a bridge
between PCIE MHI and USB interface.
Change-Id: I98bea976638ce3f80785d8f40e2a936fc62397eb
Signed-off-by: Satyajit Desai <sadesai@codeaurora.org>
IPAv2 hardware works with 32 bit addressing,
so allocate a kernel memory using GFP_DMA flag
which is processed by IPA hardware.
Change-Id: I6f35e7f2179dc48f718221f6a3d228aca67c4154
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
This change disables FB driver and enables DRM display driver
on msm8996 auto defconfig.
Change-Id: Ic214b70dd47379464220e4f801c2ab38753c9a10
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
The existing state check will create a corner case that when FW
crashed during driver probe, platform driver won't send early
uevent notification to host driver, which create a small window where
host can communicate with FW when FW is crashed. This case can be
covered by checking FW_READY state instead.
CRs-Fixed: 2122702
Change-Id: I0bde9cb5a526ccd9fe81cd38bd4c27cf2e95042b
Signed-off-by: Yuanyuan Liu <yuanliu@codeaurora.org>
Signed-off-by: Anurag Chouhan <achouhan@codeaurora.org>
Add base register property in respective pil nodes to iomap them
during probe of the subsystem pil driver.
Change-Id: I961ab80f1caf84ab63d649c3a1545b89fed56c0b
Signed-off-by: Avaneesh Kumar Dwivedi <akdwived@codeaurora.org>
Check NMI STATUS register and dump the log if the err fatal caused
on subsystem is due to TZ NMI.
Change-Id: I8ac4190aca60aeedcd41fd06e2f7dd053edd0f30
Signed-off-by: Avaneesh Kumar Dwivedi <akdwived@codeaurora.org>
Windows XP host takes up to 6 seconds to enumerate RNDIS composition when
RNDIS (tethering) is enabled while in MTP/PTP composition. This results in
Userspace Tethering enable timeout (1 second) causing RNDIS enumeration
failure and falls back to default composition. Workaround the issue by not
sending disconnect event to userspace on composition switch (MTP/PTP to
RNDIS). Send the disconnect event from USB bus reset so that userspace
enable timer starts from bus reset.
Change-Id: I2d1fcaa0704e369204fbba4eceb8ba9b1c525b41
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Fix voltage range selection logic used for voltage min/max
constraints check.
CRs-Fixed: 2136747
Change-Id: I80ab9ca583fda625ae2d9bd9e0c176a4b8c343db
Signed-off-by: Tirupathi Reddy <tirupath@codeaurora.org>
Vulkan memory types are added into UMD.
Print Vulkan memory type as an int value.
CRs-Fixed: 2119633
Change-Id: Idf5d58a6a02dbef6ef8cf6663e7819d221bf3e11
Signed-off-by: Young Hwan Kwak <ykwak@codeaurora.org>
The minimum bandwidth supported is 5 MHz. Kernel API
wiphy_apply_custom_regulatory can enable channels 12/13
with BW 5/10 even for reg rule 2402-2472. Circumvent the issue
by doing a check in the driver.
CRs-Fixed: 2136273
Change-Id: I296e45d142c38a83c90deb743e992eb1a7743feb
Signed-off-by: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Excess logs are printed in msm_compr_pointer during ADSP SSR.
This causes failure of some interrupts to occur which
results in SSR failure. Logs can be reduced by applying ratelimit.
CRs-Fixed: 2128011
Change-Id: I9a6a5e0fed17154e201bce0d7fa2de91b6ec159d
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
Dsi controller v2.1 and above supports scheduling of dma
commands. Schedule dsi cmds at the starting of blanking
region to avoid sending of commands in active region
resulting in dsi overflow errors.
Change-Id: I658b7d7008eb9071148820c0ea949ae9ba593ed9
Signed-off-by: Ashish Garg <ashigarg@codeaurora.org>
When icnss driver sees a PD down, and if the recovery is already in
progress, it forces an assert in debug builds. That is to detect any
Modem failures during PDR or to catch any instance of recursive PDRs.
When system goes thru a reboot or shutdown, and if the recovery is in
progress then avoid calling this assert.
CRs-Fixed: 2135071
Change-Id: I28f5c79a4cd8b83f60a62111535b11c2fba6000b
Signed-off-by: Sameer Thalappil <sameert@codeaurora.org>
For deaggregation, the real device receives a large linear skb and
passes it on to rmnet. rmnet creates new skbs from this large frame.
If the real device supports recycling, it does not need to allocate
the large skbs during packet reception and can instead reuse them.
CRs-Fixed: 2140499
Change-Id: I4f3c67bafe1918dc1a96690305d00cc8c625a9b7
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
sdm660-mtp has only tavil as codec. If tasha codec is also
enabled then it results in enumeration of device twice
which results in kernel crash sometimes.
This can be avoided if we disable tasha codec from dts.
Similarly sdm660-qrd has only tasha as codec.
CRs-Fixed: 2124709
Change-Id: I66812186d2e769681f00f1ba9a87a3588b04eaf9
Signed-off-by: Vatsal Bucha <vbucha@codeaurora.org>
By default sparse uses the characteristics of the build
machine to infer things like the wordsize.
This is fine when doing native builds but for ARM it's,
I suspect, very rarely the case and if the builds are done
on a 64bit machine we get a bunch of warnings like:
'cast truncates bits from constant value (... becomes ...)'
Fix this by adding the -m32 flags for sparse.
Change-Id: I9045e5b77578d03e328a4a6af297e84356c02cf8
Reported-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 6042b8c7c08cad7a8bdc0456c619ae941962b40a
Signed-off-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
Fix serialization of access to the SDE resource manager by
adding mutex protection to its external APIs.
Change-Id: I469a1c7b37d4a2f115443bdc308d0236d786fc68
Signed-off-by: Lloyd Atkinson <latkinso@codeaurora.org>
Signed-off-by: Lihui Wen <lwen@codeaurora.org>
Add the property to determine the current command timeout
value which is used by the clients via KGSL IOCTL.
Change-Id: Ifd6b373d211ebd78dc3a8032ede073258487d689
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
Merge 4.4.95 into android-4.4
Changes in 4.4.95
USB: devio: Revert "USB: devio: Don't corrupt user memory"
USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
USB: serial: metro-usb: add MS7820 device id
usb: cdc_acm: Add quirk for Elatec TWN3
usb: quirks: add quirk for WORLDE MINI MIDI keyboard
usb: hub: Allow reset retry for USB2 devices on connect bounce
ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
can: gs_usb: fix busy loop if no more TX context is available
usb: musb: sunxi: Explicitly release USB PHY on exit
usb: musb: Check for host-mode using is_host_active() on reset interrupt
can: esd_usb2: Fix can_dlc value for received RTR, frames
drm/nouveau/bsp/g92: disable by default
drm/nouveau/mmu: flush tlbs before deleting page tables
ALSA: seq: Enable 'use' locking in all configurations
ALSA: hda: Remove superfluous '-' added by printk conversion
i2c: ismt: Separate I2C block read from SMBus block read
brcmsmac: make some local variables 'static const' to reduce stack size
bus: mbus: fix window size calculation for 4GB windows
clockevents/drivers/cs5535: Improve resilience to spurious interrupts
rtlwifi: rtl8821ae: Fix connection lost problem
KEYS: encrypted: fix dereference of NULL user_key_payload
lib/digsig: fix dereference of NULL user_key_payload
KEYS: don't let add_key() update an uninstantiated key
pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
parisc: Avoid trashing sr2 and sr3 in LWS code
parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task()
f2fs crypto: replace some BUG_ON()'s with error checks
f2fs crypto: add missing locking for keyring_key access
fscrypt: fix dereference of NULL user_key_payload
KEYS: Fix race between updating and finding a negative key
fscrypto: require write access to mount to set encryption policy
FS-Cache: fix dereference of NULL user_key_payload
Linux 4.4.95
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
DFS support is disabled for ath10k driver.
Enable the DFS support for ath10k in the defconfig and perf defconfig.
CRs-Fixed: 2124757
Change-Id: Iccecd2226fd13034b12a8978b68f9535178ed430
Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
GPU clock requires to support 430MHz, so add the support
for the same on sdm660.
Change-Id: Ief238fbe521a10f8096ac44844f5abe013649f81
Signed-off-by: Odelu Kukatla <okukatla@codeaurora.org>
Apq8096 lite board has one DSI-HDMI display through adv7533 bridge chip,
so enable this bridge chip node.
Change-Id: I3539889b70b5a14d6acd09d13e387bdce11d59b1
CRs-Fixed: 2113147
Signed-off-by: Guchun Chen <guchunc@codeaurora.org>
The linker routines that we rely on to produce a relocatable PIE binary
treat it as a shared ELF object in some ways, i.e., it emits symbol based
R_AARCH64_ABS64 relocations into the final binary since doing so would be
appropriate when linking a shared library that is subject to symbol
preemption. (This means that an executable can override certain symbols
that are exported by a shared library it is linked with, and that the
shared library *must* update all its internal references as well, and point
them to the version provided by the executable.)
Symbol preemption does not occur for OS hosted PIE executables, let alone
for vmlinux, and so we would prefer to get rid of these symbol based
relocations. This would allow us to simplify the relocation routines, and
to strip the .dynsym, .dynstr and .hash sections from the binary. (Note
that these are tiny, and are placed in the .init segment, but they clutter
up the vmlinux binary.)
Note that these R_AARCH64_ABS64 relocations are only emitted for absolute
references to symbols defined in the linker script, all other relocatable
quantities are covered by anonymous R_AARCH64_RELATIVE relocations that
simply list the offsets to all 64-bit values in the binary that need to be
fixed up based on the offset between the link time and run time addresses.
Fortunately, GNU ld has a -Bsymbolic option, which is intended for shared
libraries to allow them to ignore symbol preemption, and unconditionally
bind all internal symbol references to its own definitions. So set it for
our PIE binary as well, and get rid of the associated sections and the
relocation code that processes them.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
[will: fixed conflict with __dynsym_offset linker script entry]
Signed-off-by: Will Deacon <will.deacon@arm.com>
Note: This backport only adds -Bsymbolic to LDFLAGS_vmlinux, but doesn't
remove R_AARCH64_ABS64 relocation handling, because those changes depend
on later refactoring of the code that we don't need in android-4.4.
Bug: 66932127
Change-Id: I56f664e02bc8d2fa3e5f496fb041bc3a8e1a4094
(cherry picked from commit 08cc55b2afd97a654f71b3bebf8bb0ec89fdc498)
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Fix UAF where two threads can open and close the same file. Second
open will cause the private data for the first file to be overwritten.
When the first file is closed and the private data is freed, this makes
the now-shared private data OOB for the second thread.
CRs-Fixed: 1109763
Change-Id: I1c4618d5be99e140abf0f3ea0d7f485897db5ab2
Signed-off-by: Ankit Sharma <ansharma@codeaurora.org>
Signed-off-by: Anirudh Ghayal <aghayal@codeaurora.org>
Currently, all the values of raw monotonic SOC (0-255) get
rounded off to 0-100. This can show up monotonic SOC hitting 0%
earlier when the SOC hadn't really hit zero yet. Improve the
SOC round off calculation so that 0 and 100 % can be shown when
it reaches the exact point.
Change-Id: I5bd9ebc8667a5beed9e1e97ff492aa1350f4d0f7
Signed-off-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
have_sched_energy_data is defined only for CONFIG_SMP, so declare it
only with CONFIG_SMP.
Fixes warning from intel bot:
tree: https://android.googlesource.com/kernel/msm android-4.4
head: a21299785a
commit: a21299785a [5/5] sched/core: Warn
if ENERGY_AWARE is enabled but data is missing
config: i386-randconfig-x002-201743 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
git checkout a21299785a
# save the attached .config to linux build tree
make ARCH=i386
All warnings (new ones prefixed by >>):
>> kernel//sched/core.c:94:13: warning: 'have_sched_energy_data' used
but never defined
static bool have_sched_energy_data(void);
^~~~~~~~~~~~~~~~~~~~~~
vim +/have_sched_energy_data +94 kernel//sched/core.c
93
> 94 static bool have_sched_energy_data(void);
95
Change-Id: I266b63ece6fb31d2b5b11821a8244e147ba6d3a4
Signed-off-by: Joel Fernandes <joelaf@google.com>
If the EAS energy model is missing or incomplete, i.e. sd_scs is NULL, then
sched_group_energy will return -EINVAL on the assumption that it raced with a
CPU hotplug event. In that case, energy_diff will return 0 and the energy-aware
wake path will silently fail to trigger any migrations.
This case can be triggered by disabling CONFIG_SCHED_MC on existing platforms,
so that there are no sched_groups with the SD_SHARE_CAP_STATES flag, so that
sd_scs is NULL.
Add checks so that a warning is printed if EAS is ever enabled while the
necessary data is not present.
Change-Id: Id233a510b5ad8b7fcecac0b1d789e730bbfc7c4a
Signed-off-by: Brendan Jackman <brendan.jackman@arm.com>
It is preferable that WALT window rollover occurs just
before a tick, since the tick is an opportune moment
to record a complete window's statistics, as well as report
those stats to the cpu frequency governor. When CONFIG_HZ
results in a TICK_NSEC that isn't an integral number, this
requirement may be violated. Account for this by reducing
the WALT window size to the nearest multiple of TICK_NSEC.
Commit d368c6faa1 ("sched: walt: fix window misalignment
when HZ=300") attempted to do this but WALT isn't using
MIN_SCHED_RAVG_WINDOW as the window size and the patch was
doing nothing.
Also, change the type of 'walt_disabled' to bool and warn
if an invalid window size causes WALT to be disabled.
Change-Id: Ie3dcfc21a3df4408254ca1165a355bbe391ed5c7
Signed-off-by: Vikram Mulukutla <markivx@codeaurora.org>
(from https://patchwork.kernel.org/patch/9895261/)
This patch adds a parameter to select_task_rq, sibling_count_hint
allowing the caller, where it has this information, to inform the
sched_class the number of tasks that are being woken up as part of
the same event.
The wake_q mechanism is one case where this information is available.
select_task_rq_fair can then use the information to detect that it
needs to widen the search space for task placement in order to avoid
overloading the last-level cache domain's CPUs.
* * *
The reason I am investigating this change is the following use case
on ARM big.LITTLE (asymmetrical CPU capacity): 1 task per CPU, which
all repeatedly do X amount of work then
pthread_barrier_wait (i.e. sleep until the last task finishes its X
and hits the barrier). On big.LITTLE, the tasks which get a "big" CPU
finish faster, and then those CPUs pull over the tasks that are still
running:
v CPU v ->time->
-------------
0 (big) 11111 /333
-------------
1 (big) 22222 /444|
-------------
2 (LITTLE) 333333/
-------------
3 (LITTLE) 444444/
-------------
Now when task 4 hits the barrier (at |) and wakes the others up,
there are 4 tasks with prev_cpu=<big> and 0 tasks with
prev_cpu=<little>. want_affine therefore means that we'll only look
in CPUs 0 and 1 (sd_llc), so tasks will be unnecessarily coscheduled
on the bigs until the next load balance, something like this:
v CPU v ->time->
------------------------
0 (big) 11111 /333 31313\33333
------------------------
1 (big) 22222 /444|424\4444444
------------------------
2 (LITTLE) 333333/ \222222
------------------------
3 (LITTLE) 444444/ \1111
------------------------
^^^
underutilization
So, I'm trying to get want_affine = 0 for these tasks.
I don't _think_ any incarnation of the wakee_flips mechanism can help
us here because which task is waker and which tasks are wakees
generally changes with each iteration.
However pthread_barrier_wait (or more accurately FUTEX_WAKE) has the
nice property that we know exactly how many tasks are being woken, so
we can cheat.
It might be a disadvantage that we "widen" _every_ task that's woken in
an event, while select_idle_sibling would work fine for the first
sd_llc_size - 1 tasks.
IIUC, if wake_affine() behaves correctly this trick wouldn't be
necessary on SMP systems, so it might be best guarded by the presence
of SD_ASYM_CPUCAPACITY?
* * *
Final note..
In order to observe "perfect" behaviour for this use case, I also had
to disable the TTWU_QUEUE sched feature. Suppose during the wakeup
above we are working through the work queue and have placed tasks 3
and 2, and are about to place task 1:
v CPU v ->time->
--------------
0 (big) 11111 /333 3
--------------
1 (big) 22222 /444|4
--------------
2 (LITTLE) 333333/ 2
--------------
3 (LITTLE) 444444/ <- Task 1 should go here
--------------
If TTWU_QUEUE is enabled, we will not yet have enqueued task
2 (having instead sent a reschedule IPI) or attached its load to CPU
2. So we are likely to also place task 1 on cpu 2. Disabling
TTWU_QUEUE means that we enqueue task 2 before placing task 1,
solving this issue. TTWU_QUEUE is there to minimise rq lock
contention, and I guess that this contention is less of an issue on
big.LITTLE systems since they have relatively few CPUs, which
suggests the trade-off makes sense here.
Change-Id: I2080302839a263e0841a89efea8589ea53bbda9c
Signed-off-by: Brendan Jackman <brendan.jackman@arm.com>
Signed-off-by: Chris Redpath <chris.redpath@arm.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Josef Bacik <josef@toxicpanda.com>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Matt Fleming <matt@codeblueprint.co.uk>