(from https://patchwork.kernel.org/patch/10058587/)
proc->files cleanup is initiated by binder_vma_close. Therefore
a reference on the binder_proc is not enough to prevent the
files_struct from being released while the binder_proc still has
a reference. This can lead to an attempt to dereference the
stale pointer obtained from proc->files prior to proc->files
cleanup. This has been seen once in task_get_unused_fd_flags()
when __alloc_fd() is called with a stale "files".
The fix is to always use get_files_struct() to obtain struct_files
so that the refcount on the files_struct is used to prevent
a premature free. proc->files is removed since we get it every
time.
Bug: 69164715
Change-Id: I6431027d3d569e76913935c21885201505627982
Signed-off-by: Todd Kjos <tkjos@google.com>
Git-commit: 1d6b43334b45144beb0dc8236f9eb3b6cf3b2995
Git-repo: https://android.googlesource.com/kernel/common
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
When doing WLAN SSR tests on Rome PCIe platform, system hang
is observed. After debugging, setting D3hot to PCIe link when
suspending leads to the hang.
Setting D3hot is a new change, which is added for Napier platform.
But this code path shares with legacy Rome platform. In previous
implementations for Rome PCIe platforms, setting D3hot to link
is not needed.
Fix is to set D3hot for Napier specific platforms.
Change-Id: Ia6bcb1b898204c0a8fd63355dd1f0808021182c4
CRs-Fixed: 2145090
Signed-off-by: Jia Ding <jiad@codeaurora.org>
It is required to pass usb-audio-qmi-dev device node from dtsi to
provide StreamID and interrupt number info so that this info will be
used for enabling for USB audio tunneling mode over USB. Hence add
the node to enable audio tunneling mode for msm8996.
Change-Id: Iba4d18ff0495460f5d488604f31c4d5209252940
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
Fix the divider programming of DisplayPort PLL with the correct
value. Without this, display doesn't up fine with certain
resolutions on some sinks when link rate is 5.4 GHz.
Change-Id: I7c5a452a9df757240a1c6c3d371bd46a16f98efd
Signed-off-by: Padmanabhan Komanduru <pkomandu@codeaurora.org>
msm8953 uses a new version of csid. Adding new
configuration file and making necessary driver changes.
Change-Id: I5c0ce7f43a4ccd55bd18461bc910e4dcb0c23bb0
Signed-off-by: Shankar Ravi <rshankar@codeaurora.org>
If return is inside the if condition, rc value is returned
only for that case. Hence shifting the return rc statement
outside the if loop, to return the value of rc for all cases.
Change-Id: I2f96cd0d301f580c0e7019746bade4e125661a36
CRs-Fixed: 1076948
Signed-off-by: Samyukta Mogily <smogily@codeaurora.org>
Currently GSI driver is clearing Doorbell to GSI in gsi_suspend(),
when it receives function suspend and notifying suspend to GSI in work
queue context. In ipa_suspend_work_handler(), driver is first checking
whether GSI wrapper is ready to suspend before doing xdci_suspend(). This
check fails if function resume received before ipa_suspend_work_handler()
gets chance to run. Due to this, state machine still stays at CONNECTED
state. When function resume is received, state machine is not handling
resume event and results in not ringing Doorbell to GSI. This eventually
causes data stall. Hence fix the issue by ringing Doorbell to GSI if in
case check for suspend fails in ipa_suspend_work_handler.
Change-Id: Ifbc03b7edde6e1be23c326118e89f805b148f9ff
Signed-off-by: Vijayavardhan Vennapusa <vvreddy@codeaurora.org>
The minium value of u32 is zero instead of -1. -1 will become the
largest value in u32.
Change-Id: I20fcab7d5912d6da7c4afe1ec7a86333767b0bf1
Signed-off-by: Camus Wong <camusw@codeaurora.org>
Parameter mdss_mdp_plane_sizes must be cleared to 0 before returning
under an error condition, otherwise caller function will use the
uninitialized mdss_mdp_plane_sizes values and caused incorrect
operation.
Change-Id: I856b17ce9e917cc450040463ec34b7309d34b9b5
Signed-off-by: Benjamin Chan <bkchan@codeaurora.org>
Add device tree files needed to support MSM8996 based
mizar platform.
Change-Id: Ife6c6659b981b37c6b9d9cbb0a0c106488f1e07f
Signed-off-by: Bharathraj Nagaraju <snbraj@codeaurora.org>
Some userspace modules expect USB driver to send event to userspace, when
usb device enumeration failure with device descriptor read errors.
Add USB_DEVICE_ERROR uevent in the USB driver to explicitly send the ERROR
uevent for such case.
Change-Id: I7128869ff0700ab90d4c949de24cd03c5c90e22e
Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
Current path to query field info: SOF ISR -> tasklet -> query thread
with high priority -> ba driver -> adv7481.
Pass field type to user space if they are valid after verification.
Change-Id: Id9926236389200446092dc9abb688ee1f83ab0c3
Signed-off-by: Andy Sun <bins@codeaurora.org>
When reg update isn't issued for given settings current
buffer is marked as drop buffer. To avoid such drop bu-
ffers, reconfigure same buffer to next SOF and propaga-
te that error to MCT and IFACE modules and make sure
request frame is delayed by one SOF Frame.
Change-Id: Iaec5eef3f26f941cc54825d40815c047ccebb3bc
Signed-off-by: Lokesh Kumar Aakulu <lkumar@codeaurora.org>
During reset isp HW, don't set stripe_rd reload bit, otherwise
it might cause iommu page fault, which actually is a fasle alarm.
CRs-Fixed: 2135311
Change-Id: I9be0400640edbf687ecfe08edcfdc1c7f7de25b6
Signed-off-by: Gaoxiang Chen <gaochen@codeaurora.org>
Take the bind lock when we dump information about sparse memory
allocations through the debugfs node.
Change-Id: I955d64d06a259a2bbe4d85a33d68887ee01aad07
Signed-off-by: Lynus Vaz <lvaz@codeaurora.org>
Currently, Rconn is configured once in fg_hw_init() if it is not
configured already. However, if the driver loads the profile
later, it will overwrite the Rconn value configured during
fg_hw_init. To fix this problem, configure Rconn after handling
battery profile loading.
Usually the Rconn configuration is setup differently from what
the profile has for it. We check if the profile in SRAM is bit
to bit matching with the profile in device tree. We may come
across a mismatch for Rconn configuration and conclude that the
profile isn't matching. Fix this by initializing the Rconn
configuration in the profile read from device tree to the value
read from SRAM.
CRs-Fixed: 2142441
Change-Id: I2b7ac8cd6efe811527c29bc5cd0fa43b77da7b15
Signed-off-by: Subbaraman Narayanamurthy <subbaram@codeaurora.org>
Share memory with kernel and user and update latest
kernel sof frame id.
Change-Id: Ie35132ffb9bd0298483b451b3333b3b2e3bb32ac
Signed-off-by: Lokesh Kumar Aakulu <lkumar@codeaurora.org>
Add mutex unlock in function audio_effects_shared_ioctl
at appropriate place to prevent use after free.
CRs-Fixed: 2123291
Change-Id: Ie0d321dc8cc20a295d102a44faea7e5710834932
Signed-off-by: Tanya Dixit <tdixit@codeaurora.org>
sg_ioctl could be spammed by requests, leading to a double free in
__free_pages. This protects the entry points of sg_ioctl where the
memory could be corrupted by a double call to __free_pages if multiple
requests are happening concurrently.
Bug:35644812
Change-Id: Ie13f65beb6974430f90292e2742841b26aecb8b1
Signed-off-by: Robb Glasser <rglasser@google.com>
Git-commit: 22d8e80738b5ce8784d59b48b0b051a520da4bec
Git-repo: https://android.googlesource.com/kernel/msm
[srkupp@codeaurora.org: Resolved trivial conflicts]
Signed-off-by: Srinivasa Rao Kuppala <srkupp@codeaurora.org>
Signed-off-by: Sayali Lokhande <sayalil@codeaurora.org>
qmi_send_req_wait expects timeout argument to be passed in ms and not
in jiffies. Update the call in service-locator to pass in the correct
argument.
Change-Id: Ib2f8deedf2fb2a561c30b0c8511bb1edd5a37361
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
ENOMSG is not a real failure return code for qmi_recv_msg. Instead ENOMSG
signifies that we have finished reading the entirety of the message buffer.
Update the error condition to print errors only when any error message
other than ENOMSG is returned.
Change-Id: Id6b42df182cb02f2cbffaae9698363b7dafce4e4
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
Fix the programming of DisplayPort SDP registers primarily related
to Audio enable sequence. This would fix potential issues caused by
read/append/write operations on SDP registers which might corrupt
the parity/data bytes. This would lead to audio issues since the DP
controller would treat the corrupt SDP information as invalid data.
Change-Id: I55db6a70be0fdf94a60fd7cc8bf0d30702febef8
Signed-off-by: Padmanabhan Komanduru <pkomandu@codeaurora.org>
Issue:
When total_steps is updated, after that, copy_from_user
fails with an error, then, i2c_reg_tbl is not allocated.
In this case, when calling msm_actuator_parse_i2c_params,
it lead to out-of-bound memory write.
Fix:
1) Assign total_steps to zero when error from copying.
2) Add NULL pointer check for i2c tbl.
Change-Id: I4df8557719533900a5c571fc00f9844943c8f7b1
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
There can be use after free with multiple ioctl calls.
Add mutex lock when updating userspace power.
Change-Id: Ieae08d05478a462b19cf7f91b64267177eaebe84
Signed-off-by: Maulik Shah <mkshah@codeaurora.org>
ADV7481 driver is board-specific, and thus should be compiled
as a module. This is part of the kernel modularization requirement.
Change-Id: I38ab9efca34ac9f898c2b76843563d8f74c29320
Suggested-by: Resmi Rajendran <resmir@qti.qualcomm.com>
Signed-off-by: Rahul Sharma <sharah@codeaurora.org>
Reset ASRC after audio playback is completed to clear
the FIFO and avoid any noise being generated.
CRs-Fixed: 2129994
Change-Id: Ie45796e1bd68d5a8bd790490a65520358f26b811
Signed-off-by: Walter Yang <yandongy@codeaurora.org>
Add kernel pointer restriction while printing the global
page table entries through the debugfs.
Change-Id: Ia2ef4243248ece477e3f679c0027379686670928
Signed-off-by: Hareesh Gundu <hareeshg@codeaurora.org>
Add SLPI fw name property to support dynamic loading of SLPI
fw images based on the version info.
Change-Id: I31baf971106a7a076cf83bd72c4509d860b3e7cb
Signed-off-by: Ananda Kishore <kananda@codeaurora.org>
Add support for clients to notify SRM update
to HDCP 1.x driver.
Integrate the SRM validation check in the HDCP 1.x
authentication flow to check HDCP 1.x receiver/repeater
KSV against the SRM revoked list and fail the authentication
if the sink is found to be present in the list.
Change-Id: I6615122f785bde94cb746ec4df7ab63b9f878528
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>
During linkdown pci host cannot save the config space
prior to suspending the link. If saved_state is null
recover rc config space using shadow recovery.
CRs-Fixed: 2141146
Change-Id: I6c6e817ae2c32d8040853fe22785040480aa76eb
Signed-off-by: Sujeev Dias <sdias@codeaurora.org>
