In few scenarios where the buffers are not
queued from HAL, request queue overflow is seen.
Added changes to reset the queue at destroy and
when the buffer is not available to process.
Change-Id: I7239175dda9cbc26fb65f568cbc5f7183ceaa24d
Signed-off-by: Meera Gande <mgande@codeaurora.org>
In few scenarios, where the register update ioctl is
missed, the handling of frame drop is not working
in such scenarios as the frame drop pattern is not
set correctly. Once the epoch handling is done,
we need to re-configure the buffer and pattern.
Change-Id: I87b2cecda7e7e1addc68511dad6a80498051f87a
Signed-off-by: Meera Gande <mgande@codeaurora.org>
In few scenarios, the request frame may get
delayed and current and request frame id may
become same. To handle such scenarios, made
changes to inform user to delay a frame and
process the request.
Change-Id: I31fa04c386922c48a043c511a163c76316e21987
Signed-off-by: Meera Gande <mgande@codeaurora.org>
The correct sequence for enabling HOLB drop is first
to suspend the pipe and then to HOLB drop.
Change-Id: I78b7b268eec230a4993e446bd90846f800364e06
CRs-Fixed: 2141518
Acked-by: Ady Abraham <adya@qti.qualcomm.com>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Dynamic refresh update and dynamic bit clock switch cannot happen
on the same vsync boundary. Serialize them in the commit thread
to avoid vsync timeout issues.
Change-Id: I55077eca7415bf307ddd30040024b3716a78f6fd
Signed-off-by: Padmanabhan Komanduru <pkomandu@codeaurora.org>
In soundwire controller, bank switch happen twice
for a playback session with stereo speakers. Ensure
the setting of div2 applied to inactive bank before
bank switch occurs to avoid impact based on bank chosen.
Change-Id: I033b19e78309485ca9da85ec67b54409e6fe22cc
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Remove the out of bound access vulnerability in the qce
driver reachable via ioctl.
Change-Id: I4320cd27334eaae975f4a6ad07fb7b2e5ebccffd
Signed-off-by: Monika Singh <monising@codeaurora.org>
Upon driver unbind usb_free_all_descriptors() function frees all
speed descriptor pointers without setting them to NULL. In case
gadget speed changes (i.e from super speed plus to super speed)
after driver unbind only upto super speed descriptor pointers get
populated. Super speed plus desc still holds the stale (already
freed) pointer. As a result next composition switch results into
double free of super speed plus descriptor. Fix this issue by
setting all descriptor pointers to NULL after freeing them in
usb_free_all_descriptors(). Also clean up gsi_unbind() which is
setting up descriptor pointers to NULL already.
Change-Id: I4f28294c165bb3b5dc9feb4f22d819f527ad4d50
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
usb3 phy is needed when core is operating at super speed or
higher. Do not turn on usb3 phy clocks even when core is
programmed to work at high speed only mode. While at it,
remove redundant module parameter to control max speed. Speed
can be controlled using existing sysfs entry.
Example: To set High speed only:
echo "high" > /sys/devices/platform/soc/<devname>/speed
To set super speed:
echo "super" > /sys/devices/platform/soc/<devname>/speed
Change-Id: I24a9a869d97e6efc3ebc0d7a1374805139c65648
Signed-off-by: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
While handling dsi_gen_read_status, status buffer
was xlogging without checking for its max size.
Add proper conditional check to xlog status buffer.
Change-Id: Ia5a1fe18de123d2911c31ae79492b96f67e1273d
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
The macro hides some control flow, making it easier
to run into bugs.
bug: 111642636
Change-Id: I37ec207c277d97c4e7f1e8381bc9ae743ad78435
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Git-commit: e1a7c83cfd36c26e208c72740a045a8fe79aee44
Git-repo: https://android.googlesource.com/kernel/common/
Signed-off-by: Ritesh Harjani <riteshh@codeaurora.org>
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
scm_call2 can block scm calls up to 2s due to its
retry mechanism whenever the secure firmware is
busy waiting for certain processing by the client
who in turn is waiting upon its scm call to either
complete or return with failure.
Upon early return, client can process the pending
requests to free up secure firmware and unblock
processing of all pending scm calls. Add a noretry
variant for scm_call2 which can be used by clients
who do not intend to wait for 2s for return status.
Change-Id: I1f0849464a64c32a4de4510fa5787b0ab328725c
Signed-off-by: Kaushal Kumar <kaushalk@codeaurora.org>
While handling dsi_gen_read_status, status buffer
was xlogging without checking for its max size.
Add proper conditional check to xlog status buffer.
Change-Id: Ia5a1fe18de123d2911c31ae79492b96f67e1273d
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
Attempting to avoid cloning the skb when broadcasting by inflating
the refcount with sock_hold/sock_put while under RCU lock is dangerous
and violates RCU principles. It leads to subtle race conditions when
attempting to free the SKB, as we may reference sockets that have
already been freed by the stack.
Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c4b
[006b6b6b6b6b6c4b] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] PREEMPT SMP
task: fffffff78f65b380 task.stack: ffffff8049a88000
pc : sock_rfree+0x38/0x6c
lr : skb_release_head_state+0x6c/0xcc
Process repro (pid: 7117, stack limit = 0xffffff8049a88000)
Call trace:
sock_rfree+0x38/0x6c
skb_release_head_state+0x6c/0xcc
skb_release_all+0x1c/0x38
__kfree_skb+0x1c/0x30
kfree_skb+0xd0/0xf4
pfkey_broadcast+0x14c/0x18c
pfkey_sendmsg+0x1d8/0x408
sock_sendmsg+0x44/0x60
___sys_sendmsg+0x1d0/0x2a8
__sys_sendmsg+0x64/0xb4
SyS_sendmsg+0x34/0x4c
el0_svc_naked+0x34/0x38
Kernel panic - not syncing: Fatal exception
CRs-Fixed: 2251019
Change-Id: Ib3b01f941a34a7df61fe9445f746b7df33f4656a
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
In functions snd_soc_get_volsw_sx() or snd_soc_put_volsw_sx(),
if the result of (min + max) is negative, then fls() returns
signed integer with value as 32. This leads to signed integer
overflow as complete operation is considered as signed integer.
UBSAN: Undefined behaviour in sound/soc/soc-ops.c:382:50
signed integer overflow:
-2147483648 - 1 cannot be represented in type 'int'
Call trace:
[<ffffff852f746fe4>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffff852f746fe4>] dump_stack+0xec/0x158 lib/dump_stack.c:51
[<ffffff852f7b5f3c>] ubsan_epilogue+0x18/0x50 lib/ubsan.c:164
[<ffffff852f7b6840>] handle_overflow+0xf8/0x130 lib/ubsan.c:195
[<ffffff852f7b68f0>] __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:211
[<ffffff85307971a0>] snd_soc_get_volsw_sx+0x1a8/0x1f8 sound/soc/soc-ops.c:382
Typecast the operation to unsigned int to fix the issue.
Change-Id: I40d070b1357f016eb1622146180e4abb340e5d00
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Git-commit: ae7d1247d8673ebfd686b17e759d4be391165368
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
Changes the naming convention and adds
PID as suffix to the debugfs files.
Adds debugfs file data in the tabular format and also
creates global file in /sys/kernel/debug/adsprpc directory.
Change-Id: I25f3f7ea59dd39c9d44d99c8503f431f10072c33
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
If the result of (min + max) is negative in functions
snd_soc_get_volsw_sx() or snd_soc_put_volsw_sx(), there
will be an overflow for the variable 'mask'.
UBSAN: Undefined behaviour in sound/soc/soc-ops.c:382:6
signed integer overflow:
-2147483648 - 1 cannot be represented in type 'int'
Fix this by updating the variable type of 'mask' to unsigned int.
Change-Id: Ia34f397fad5b93c0e2ffacae60e051ad20c20bdf
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
pppolac driver incorrectly enqueues the packet into the sock queue
without pulling UDP headers. The application will receive data along
with UDP header when L2TP control packets are received.
The issue was introduced after moving UDP header removal functionality
from process rcvmesg context to BH context.
Instead of pppolac driver directly queuing L2TP control packets into
socket queue, return packet to udp_queue_rcv_skb, which will deliver the
packet to the application after pulling the UDP header.
Fixes: e6afc8ace ("udp: remove headers from UDP packets before queueing")
Change-Id: Icfa0fd8da43ea9c14fa7c718746a6529651ac202
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
Signed-off-by: Chinmay Agarwal <chinagar@codeaurora.org>
Acked-by: Sharath Chandra Vurukala <sharathv@qti.qualcomm.com>
Attempting to avoid cloning the skb when broadcasting by inflating
the refcount with sock_hold/sock_put while under RCU lock is dangerous
and violates RCU principles. It leads to subtle race conditions when
attempting to free the SKB, as we may reference sockets that have
already been freed by the stack.
Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c4b
[006b6b6b6b6b6c4b] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] PREEMPT SMP
task: fffffff78f65b380 task.stack: ffffff8049a88000
pc : sock_rfree+0x38/0x6c
lr : skb_release_head_state+0x6c/0xcc
Process repro (pid: 7117, stack limit = 0xffffff8049a88000)
Call trace:
sock_rfree+0x38/0x6c
skb_release_head_state+0x6c/0xcc
skb_release_all+0x1c/0x38
__kfree_skb+0x1c/0x30
kfree_skb+0xd0/0xf4
pfkey_broadcast+0x14c/0x18c
pfkey_sendmsg+0x1d8/0x408
sock_sendmsg+0x44/0x60
___sys_sendmsg+0x1d0/0x2a8
__sys_sendmsg+0x64/0xb4
SyS_sendmsg+0x34/0x4c
el0_svc_naked+0x34/0x38
Kernel panic - not syncing: Fatal exception
CRs-Fixed: 2251019
Change-Id: Ib3b01f941a34a7df61fe9445f746b7df33f4656a
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Smp2p test code is used internally to test the
functionality of drivers and has no real use case
in end product.
Change-Id: I7a50c077bb71068188b5411424c5782b3d0edbb7
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Smp2p test code is used internally to test the
functionality of drivers and has no real use case
in end product.
Change-Id: I7a50c077bb71068188b5411424c5782b3d0edbb7
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Currently, when a client invokes the service-locator to get
the domain list for a service, a data structure is dynamically
allocated to hold this information, and that is given to the
client for use. However, after the client uses the domain list,
the data structure is not freed, resulting in a memory leak.
Free domain list data structure after client use to fix
memory leak.
Change-Id: I2b87afefbb35c2c296b4267450fa3152e3725ab9
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
Adding code changes to validate user inputs.
Before allocating the NAT entry verifying the
NAT entry size in range or not.
Change-Id: I21147f20a12243af5d21aebdc206703964db2be4
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Adding code changes to validate user inputs.
Before allocating the NAT entry verifying the
NAT entry size in range or not.
Change-Id: I21147f20a12243af5d21aebdc206703964db2be4
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
This patch add a coresight unit specific function coresight_cross_read
which can be used for ETM registers by providing a ETM specific read
function which does smp cross call to ensure the unit is powered up
before the register is accessed.
Change-Id: I4037028a171c8ca733513e82c4443b6e332a088c
Signed-off-by: Yuanfang Zhang <zhangyuanfang@codeaurora.org>
If fw build timestamp passed by QMI is a non-NULL terminated string,
it might result in a out-of-bounds read in icnss_get_soc_info. Hence,
manually NULL terminate the string.
Change-Id: I252196cd12784d841b29303c42591efc59da64f1
CRs-Fixed: 2322317
Signed-off-by: Yuanyuan Liu <yuanliu@codeaurora.org>
Add a check to make sure device actually transitioned to SUSPEND
state before halting dispatcher in adreno_suspend_device function.
kgsl_pwrctrl_change_state(device,KGSL_STATE_SUSPEND) in
kgsl_suspend_device can return zero without actually changing state
to SUSPEND if device state is NONE or INIT.
Change-Id: I4a5a69007c71651ea2cf7fa7360c960c6856031e
Signed-off-by: Deepak Kumar <dkumar@codeaurora.org>
Signed-off-by: Archana Sriram <apsrir@codeaurora.org>
Dload type imem offset is corrected for MSM8998, so that
correct imem address is updated.
Change-Id: I519603641753ec39d86fbf923bd80afcd6b1345d
Signed-off-by: Swetha Chikkaboraiah <schikk@codeaurora.org>
