Allocate all memory given to remote subsystem in the kernel
instead of mapping memory allocated in userspace.
Change-Id: I79c1f40d426e271403afa67514714fe6af26cf4e
Acked-by: Thyagarajan Venkatanarayanan <venkatan@qti.qualcomm.com>
Signed-off-by: Tharun Kumar Merugu <mtharu@codeaurora.org>
To resolve the timing issue between usb-driver
and android framework, made the change on rndis
ipa to send the usb-connect msg when usb-driver
connect the IPA pipes.
Change-Id: I51de37bc7610cb0a94659c64146f10ed322210b2
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
WDSP private data structure is freed in wdsp_glink_release()
but some of the member variables like work_queue pointer is
accessed even after free. Fix this issue by making sure that
glink callback functions are finished execution
before freeing up wdsp private data structure.
Change-Id: Ia4dd9d667109168874dc9188d70741cb9541b0c6
Signed-off-by: Vidyakumar Athota <vathota@codeaurora.org>
Signed-off-by: Ashish Jain <ashishj@codeaurora.org>
If user passes an aribitary command with _IOC_DIR(cmd) == _IOC_NONE,
"arg" should point to any arbitrary address.
Check for invalid command and return error.
Change-Id: If60191a07bb80939af2d471a5acf1b17dd68aa58
CRs-Fixed: 2299567
Signed-off-by: Abhishek Abbanaveni <aabban@codeaurora.org>
Invalid type conversion with x64 bit command VIDIOC_MSM_LASER_LED_CFG
passed in,for which the type should be "msm_laser_led_cfg_data_t"
Change-Id: I43e112224c612fb5390fa5fc23e8ae9c0e553288
CRs-Fixed: 2299699
Signed-off-by: Abhishek Abbanaveni <aabban@codeaurora.org>
Signed-off-by: E V Ravi <evenka@codeaurora.org>
If the user passes the arbitrary command with _IOC_DIR(cmd) == _IOC_NONE,
"arg" should point to any arbitrary address.
Check for invalid command and return error.
CRs-Fixed: 2299567
Change-Id: Ibd77adfe53ef0777ff4eb96c914e21f43dfd6749
Signed-off-by: E V Ravi <evenka@codeaurora.org>
Sanitize debugfs inputs to only allow access to mdp memory block
specified in dtsi file. This change will allow only one single block
to be read at the time and will avoid accessing memory outside of valid
decode space which can trigger AHB error bus response.
Change-Id: I91b91ac2b31eac4facb0c402c92ed8fcfc01d91e
Signed-off-by: Amine Najahi <anajahi@codeaurora.org>
There is a possibility of use-after-free and
double free because of not marking buffer as
NULL after freeing. The patch marks buffer
as NULL after freeing in error case.
Change-Id: Iacf8f8a4a4e644f48c87d5445ccd594766f2e156
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Add initial device trees for SDM455 RCM devices for both external
and internal codec variant.
Change-Id: Idd6034727acc8b9ef600da421963becf5f2305cd
Signed-off-by: Teng Fei Fan <tengfei@codeaurora.org>
Signed-off-by: Maria Yu <aiquny@codeaurora.org>
Signed-off-by: Tengfei Fan <tengfeif@codeaurora.org>
In few scenarios where the buffers are not
queued from HAL, request queue overflow is seen.
Added changes to reset the queue at destroy and
when the buffer is not available to process.
Change-Id: I7239175dda9cbc26fb65f568cbc5f7183ceaa24d
Signed-off-by: Meera Gande <mgande@codeaurora.org>
In few scenarios, where the register update ioctl is
missed, the handling of frame drop is not working
in such scenarios as the frame drop pattern is not
set correctly. Once the epoch handling is done,
we need to re-configure the buffer and pattern.
Change-Id: I87b2cecda7e7e1addc68511dad6a80498051f87a
Signed-off-by: Meera Gande <mgande@codeaurora.org>
In few scenarios, the request frame may get
delayed and current and request frame id may
become same. To handle such scenarios, made
changes to inform user to delay a frame and
process the request.
Change-Id: I31fa04c386922c48a043c511a163c76316e21987
Signed-off-by: Meera Gande <mgande@codeaurora.org>
The correct sequence for enabling HOLB drop is first
to suspend the pipe and then to HOLB drop.
Change-Id: I78b7b268eec230a4993e446bd90846f800364e06
CRs-Fixed: 2141518
Acked-by: Ady Abraham <adya@qti.qualcomm.com>
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
Dynamic refresh update and dynamic bit clock switch cannot happen
on the same vsync boundary. Serialize them in the commit thread
to avoid vsync timeout issues.
Change-Id: I55077eca7415bf307ddd30040024b3716a78f6fd
Signed-off-by: Padmanabhan Komanduru <pkomandu@codeaurora.org>
In soundwire controller, bank switch happen twice
for a playback session with stereo speakers. Ensure
the setting of div2 applied to inactive bank before
bank switch occurs to avoid impact based on bank chosen.
Change-Id: I033b19e78309485ca9da85ec67b54409e6fe22cc
Signed-off-by: Laxminath Kasam <lkasam@codeaurora.org>
Remove the out of bound access vulnerability in the qce
driver reachable via ioctl.
Change-Id: I4320cd27334eaae975f4a6ad07fb7b2e5ebccffd
Signed-off-by: Monika Singh <monising@codeaurora.org>
Upon driver unbind usb_free_all_descriptors() function frees all
speed descriptor pointers without setting them to NULL. In case
gadget speed changes (i.e from super speed plus to super speed)
after driver unbind only upto super speed descriptor pointers get
populated. Super speed plus desc still holds the stale (already
freed) pointer. As a result next composition switch results into
double free of super speed plus descriptor. Fix this issue by
setting all descriptor pointers to NULL after freeing them in
usb_free_all_descriptors(). Also clean up gsi_unbind() which is
setting up descriptor pointers to NULL already.
Change-Id: I4f28294c165bb3b5dc9feb4f22d819f527ad4d50
Signed-off-by: Hemant Kumar <hemantk@codeaurora.org>
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
usb3 phy is needed when core is operating at super speed or
higher. Do not turn on usb3 phy clocks even when core is
programmed to work at high speed only mode. While at it,
remove redundant module parameter to control max speed. Speed
can be controlled using existing sysfs entry.
Example: To set High speed only:
echo "high" > /sys/devices/platform/soc/<devname>/speed
To set super speed:
echo "super" > /sys/devices/platform/soc/<devname>/speed
Change-Id: I24a9a869d97e6efc3ebc0d7a1374805139c65648
Signed-off-by: Vamsi Krishna Samavedam <vskrishn@codeaurora.org>
Signed-off-by: Sriharsha Allenki <sallenki@codeaurora.org>
scm_call2 can block scm calls up to 2s due to its
retry mechanism whenever the secure firmware is
busy waiting for certain processing by the client
who in turn is waiting upon its scm call to either
complete or return with failure.
Upon early return, client can process the pending
requests to free up secure firmware and unblock
processing of all pending scm calls. Add a noretry
variant for scm_call2 which can be used by clients
who do not intend to wait for 2s for return status.
Change-Id: I1f0849464a64c32a4de4510fa5787b0ab328725c
Signed-off-by: Kaushal Kumar <kaushalk@codeaurora.org>
While handling dsi_gen_read_status, status buffer
was xlogging without checking for its max size.
Add proper conditional check to xlog status buffer.
Change-Id: Ia5a1fe18de123d2911c31ae79492b96f67e1273d
Signed-off-by: Narender Ankam <nankam@codeaurora.org>
Attempting to avoid cloning the skb when broadcasting by inflating
the refcount with sock_hold/sock_put while under RCU lock is dangerous
and violates RCU principles. It leads to subtle race conditions when
attempting to free the SKB, as we may reference sockets that have
already been freed by the stack.
Unable to handle kernel paging request at virtual address 6b6b6b6b6b6c4b
[006b6b6b6b6b6c4b] address between user and kernel address ranges
Internal error: Oops: 96000004 [#1] PREEMPT SMP
task: fffffff78f65b380 task.stack: ffffff8049a88000
pc : sock_rfree+0x38/0x6c
lr : skb_release_head_state+0x6c/0xcc
Process repro (pid: 7117, stack limit = 0xffffff8049a88000)
Call trace:
sock_rfree+0x38/0x6c
skb_release_head_state+0x6c/0xcc
skb_release_all+0x1c/0x38
__kfree_skb+0x1c/0x30
kfree_skb+0xd0/0xf4
pfkey_broadcast+0x14c/0x18c
pfkey_sendmsg+0x1d8/0x408
sock_sendmsg+0x44/0x60
___sys_sendmsg+0x1d0/0x2a8
__sys_sendmsg+0x64/0xb4
SyS_sendmsg+0x34/0x4c
el0_svc_naked+0x34/0x38
Kernel panic - not syncing: Fatal exception
CRs-Fixed: 2251019
Change-Id: Ib3b01f941a34a7df61fe9445f746b7df33f4656a
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
In functions snd_soc_get_volsw_sx() or snd_soc_put_volsw_sx(),
if the result of (min + max) is negative, then fls() returns
signed integer with value as 32. This leads to signed integer
overflow as complete operation is considered as signed integer.
UBSAN: Undefined behaviour in sound/soc/soc-ops.c:382:50
signed integer overflow:
-2147483648 - 1 cannot be represented in type 'int'
Call trace:
[<ffffff852f746fe4>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffff852f746fe4>] dump_stack+0xec/0x158 lib/dump_stack.c:51
[<ffffff852f7b5f3c>] ubsan_epilogue+0x18/0x50 lib/ubsan.c:164
[<ffffff852f7b6840>] handle_overflow+0xf8/0x130 lib/ubsan.c:195
[<ffffff852f7b68f0>] __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:211
[<ffffff85307971a0>] snd_soc_get_volsw_sx+0x1a8/0x1f8 sound/soc/soc-ops.c:382
Typecast the operation to unsigned int to fix the issue.
Change-Id: I40d070b1357f016eb1622146180e4abb340e5d00
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Git-commit: ae7d1247d8673ebfd686b17e759d4be391165368
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
Changes the naming convention and adds
PID as suffix to the debugfs files.
Adds debugfs file data in the tabular format and also
creates global file in /sys/kernel/debug/adsprpc directory.
Change-Id: I25f3f7ea59dd39c9d44d99c8503f431f10072c33
Signed-off-by: Mohammed Nayeem Ur Rahman <mohara@codeaurora.org>
If the result of (min + max) is negative in functions
snd_soc_get_volsw_sx() or snd_soc_put_volsw_sx(), there
will be an overflow for the variable 'mask'.
UBSAN: Undefined behaviour in sound/soc/soc-ops.c:382:6
signed integer overflow:
-2147483648 - 1 cannot be represented in type 'int'
Fix this by updating the variable type of 'mask' to unsigned int.
Change-Id: Ia34f397fad5b93c0e2ffacae60e051ad20c20bdf
Signed-off-by: Banajit Goswami <bgoswami@codeaurora.org>
pppolac driver incorrectly enqueues the packet into the sock queue
without pulling UDP headers. The application will receive data along
with UDP header when L2TP control packets are received.
The issue was introduced after moving UDP header removal functionality
from process rcvmesg context to BH context.
Instead of pppolac driver directly queuing L2TP control packets into
socket queue, return packet to udp_queue_rcv_skb, which will deliver the
packet to the application after pulling the UDP header.
Fixes: e6afc8ace ("udp: remove headers from UDP packets before queueing")
Change-Id: Icfa0fd8da43ea9c14fa7c718746a6529651ac202
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>
Signed-off-by: Chinmay Agarwal <chinagar@codeaurora.org>
Acked-by: Sharath Chandra Vurukala <sharathv@qti.qualcomm.com>
Smp2p test code is used internally to test the
functionality of drivers and has no real use case
in end product.
Change-Id: I7a50c077bb71068188b5411424c5782b3d0edbb7
Signed-off-by: Hardik Arya <harya@codeaurora.org>
Currently, when a client invokes the service-locator to get
the domain list for a service, a data structure is dynamically
allocated to hold this information, and that is given to the
client for use. However, after the client uses the domain list,
the data structure is not freed, resulting in a memory leak.
Free domain list data structure after client use to fix
memory leak.
Change-Id: I2b87afefbb35c2c296b4267450fa3152e3725ab9
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
Adding code changes to validate user inputs.
Before allocating the NAT entry verifying the
NAT entry size in range or not.
Change-Id: I21147f20a12243af5d21aebdc206703964db2be4
Acked-by: Ashok Vuyyuru <avuyyuru@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>
This patch add a coresight unit specific function coresight_cross_read
which can be used for ETM registers by providing a ETM specific read
function which does smp cross call to ensure the unit is powered up
before the register is accessed.
Change-Id: I4037028a171c8ca733513e82c4443b6e332a088c
Signed-off-by: Yuanfang Zhang <zhangyuanfang@codeaurora.org>
