The preferred allocation of memory for kernel data structures in
ION is to use kmalloc. This is mainly for performance reasons. However,
we are not guaranteed to be able to allocate large sizes. So to keep
the code performing well and at the same time allow for larger allocations,
implement a fallback mechanism for allocation of memory for ION kernel data
structures.
CRs-Fixed: 488521
Change-Id: I8c6a13ad74cce69f590920d28c01a58f7a540fd2
Signed-off-by: Olav Haugan <ohaugan@codeaurora.org>
[Resolved merge conflict]
Signed-off-by: Chintan Pandya <cpandya@codeaurora.org>
Signed-off-by: Sridhar Gujje <sgujje@codeaurora.org>
Use correct type for variables to prevent overflow of signed
type when assigning from an unsigned type.
Change-Id: I0055d35c7310d111de590db3798950fd98f1b298
Signed-off-by: Olav Haugan <ohaugan@codeaurora.org>
There are some Ion clients who would like to use the kmalloc
heap. Enable it.
Change-Id: Ie818be9e1211d52d489ad2cb63d94e2fddfc0f01
Signed-off-by: Mitchel Humpherys <mitchelh@codeaurora.org>
Align the virtual address to the max buffer size to
allow IOMMU mappings at the biggest buffer size.
Change-Id: I74ba665c1782e2f0631274766c5caeeb192224e0
Signed-off-by: Olav Haugan <ohaugan@codeaurora.org>
Amend error check conditions appropriately to return
properly from video applications in case of ION API
failures.
Change-Id: Ibe95a8438a66e88b35dbff0af8842ff4b038c5e1
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
This change supports client to get the current
performance level of the video driver via
IOCTL_GET_PERF_LEVEL. The current performance
level indicates the number of MBs per second
being processed by video hardware.
Change-Id: Ic6f5b2b14e0d77bf801c4f857f8a0e20339c199f
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
- Allow client to set TURBO performance level
to video driver.
- Update max performance level to TURBO perf level
on supported targets.
Change-Id: I0b3b38140d777984ba5062ddd614c07a002389ba
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
Signed-off-by: Sridhar Gujje <sgujje@codeaurora.org>
Calling unnecessary unmap function resulting in
target reset. This change resolves the issue by
removing unnecessary unmap functions in video driver.
Change-Id: I0b501f0a7115bba085b067a5e78172df210da8f1
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
Signed-off-by: Sridhar Gujje <sgujje@codeaurora.org>
IOMMU map size is not required to be double the actual
buffer size for H264 decoder. So reducing IOMMU map
size for H264 format which will enable support for
two H264 decoder instances in parallel in smooth streaming
mode where the number of output buffers equal to 18 with
each buffer size equal to 1080p buffer size.
CRs-fixed: 491718
Change-Id: Ie6782b2ff58667000213f25482eea151b849762b
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
Extradata flag is not set to output buffer header's flag in
case when a Mpeg2 clip is played and extension and user data
extradata is not enabled.
This change fixes the issue and sets extradata flag properly
if extradata is enabled and extradata is available with
the buffer.
CRs-fixed: 490067
Change-Id: I029dadb17d98dd37388eee34f51bd0dfaf56d14a
Signed-off-by: Deepak Verma <dverma@codeaurora.org>
- To propagate VCD_FRAME_FLAG_DATACORRUPT flag to IL client, don't reset.
Change-Id: I68bf4c953c02a2a4327fe6e875863853cb4e0bf8
CRs-Fixed: 472798
Signed-off-by: Srinu Gorle <sgorle@codeaurora.org>
This change removes the compilation error in kernel
if ddl logs are enabled.
CRs-Fixed: 483776
Change-Id: Iffc37fcdd4e5ce7ddcd8560d432af5c3f3e6c433
Signed-off-by: Shobhit Pandey <cshopan@codeaurora.org>
The sub_anchor_mv size is not sufficient if the height
is more than 1088 in video clips, this change will amend
the buffer size to avoid video hardware resulting iommu
crash failures for such clips.
Change-Id: Ie59f04b9edaa9d2364d4e5014d2eb6f882728c76
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
Free the buffer pool entry first and then delete the
address table (which will unmap the buffer with iommu)
else we might get a corner case where the entry was not
freed but the buffer is unmapped and the next buffer is
mapped with the same physical address which is still
available in the buffer pool entry, which results in
video recording failure.
Change-Id: I6978d5e5de35db63f43a7f38c58940216217b676
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
- Metadata buffer size is being set to zero when
client calls set buffer requirements to video driver.
This change fixes it by properly assigning the
metadata buffer size to video driver.
- When continuous mode enabled, do not get min_dpb
from resource tracker for non-H264 codecs,
for H264 codec get min_dpb from resource tracker.
Change-Id: Ie16bc47605edc6f67dbf3ae77290d4d764c5c613
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
We need to remove stale entries in the cache when allocating buffers, as
the ION driver doesn't invalidate the cache.
CRs-Fixed: 456500
Change-Id: Ibe931251b6f06c6acbe6bc8a095b0e925dc08857
Signed-off-by: Rajeshwar Kurapaty <rkurapat@codeaurora.org>
Driver will consider descriptor buffer empty error
as warning and will continue to decode next frame.
Change-Id: Ia89ea520131f9b3e1bbe68727c34fb72685d5af9
Signed-off-by: Gopikrishnaiah Anandan <agopik@codeaurora.org>
This change frees the allocated meta buffers, if any
present, during video core address table cleanup.
Change-Id: Id8c42491040bc5be09f3bb59780d376e6921c76e
CRs-fixed: 459980
Signed-off-by: Deepak Verma <dverma@codeaurora.org>
This change fixes the iommu map failure in movie studio
application by removing the delayed unmap flag in
ion_map_iommu(). The delayed unmap will cause the
iommu buffer to be unmapped only when all the clients
unmap the buffer.
Change-Id: I9e226fd56fecfa292e4d77aa94b2883bcfbf6ec2
CRs-fixed: 464374
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
Video has very large buffers to be flushed. Due to lack of
vmalloc space, ion_map_kernel cannot be called on each of
the video buffers. With this change the ion handle can be
flushed without the need of the kernel mapping.
Change-Id: If026f21e44a2cce6c2b8c232fc80a69d0dabcd14
Signed-off-by: Neeti Desai <neetid@codeaurora.org>
Conflicts:
drivers/gpu/ion/ion_cp_heap.c
drivers/gpu/ion/msm/msm_ion.c
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
This change will remove the kernel mapping of input and
output buffers for both video encoder and decoder to
avoid the errors resulting from ion_map_kernel() for
high resolution video concurrency use cases due to the
limited vmalloc space. It also removed the metadata
processing in kernel video driver as kernel virtual
address is removed. The metadata processing can be
done in user space video component.
Change-Id: I3f2c9b7c13b3e09097ce07ca7b59154b97401052
CRs-fixed: 471135
Signed-off-by: Maheshwar Ajja <majja@codeaurora.org>
* Commit "egl: Avoid use of retire as present"
in frameworks/native deprecated the use
of retire fence, therefore retire fence
support has to be removed from the kernel
to allow HWC2on1Adapter support
This reverts commit fd75d86c883b7a6852d8d291b58203b0999a1584.
Change-Id: I19877296ac762e4d5c3162843ccaf5cc9a88ff1c
Signed-off-by: Adrian DC <radian.dc@gmail.com>
On the low-class hardware like flo this only introduces issues
and performance degradation due to increased scheduler overhead.
Revert "arm: configs: flo: set CONFIG_HZ to 300"
This reverts commit 029a1baa6f.
Revert "ARM: msm: flo: fix idle_timeout value to 100ms"
This reverts commit a63fd90f21.
Revert "msm: kgsl: Fix direct references to HZ"
This reverts commit 38d48e1127.
Change-Id: Ib65977c959bff9cce43f5039f8f543e074992fec
Revert "sched_clock: Avoid corrupting hrtimer tree during suspend"
This reverts commit 8aad725c70.
Revert "sched_clock: Add support for >32 bit sched_clock"
This reverts commit 657eb100e4.
Revert "sched_clock: Use an hrtimer instead of timer"
This reverts commit b2ee62ec51.
Revert "sched_clock: Use seqcount instead of rolling our own"
This reverts commit 538b187b6e.
Revert "ARM: sched_clock: Load cycle count after epoch stabilizes"
This reverts commit 8c7175ba39.
Revert "sched_clock: Make ARM's sched_clock generic for all architectures"
This reverts commit ebb97da74a.
Revert "ARM: 7699/1: sched_clock: Add more notrace to prevent recursion"
This reverts commit 086da6a6c4.
Revert "ARM: make sched_clock just call a function pointer"
This reverts commit 0dd4fad6c9.
Revert "ARM: sched_clock: allow changing to higher frequency counter"
This reverts commit 4a3cf85432.
Change-Id: I98aaec7b554a2e11be4c551a864d952e0d8c3e22
The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used
as an array index. This can lead to an out-of-bound access, kernel lockup and
DoS. Add a check for the 'dir' value.
This fixes CVE-2017-11600.
Change-Id: Ic55eec5b4767ad1bd8328b382c35f7b213abc38d
References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928
Fixes: 80c9abaabf ("[XFRM]: Extension for dynamic update of endpoint address(es)")
Cc: <stable@vger.kernel.org> # v2.6.21-rc1
Reported-by: "bo Zhang" <zhangbo5891001@gmail.com>
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
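The class of bug described in the CVE-2017-11600 message above, as an added user-space model that is not the kernel's code or part of the commit: a request byte used as an array index is rejected before any table access. The `policy`, `policy_db`, `find_unchecked`, `migrate_lookup` and `demo` names are hypothetical; only the direction constants mirror the xfrm UAPI values.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Direction values as in the kernel's xfrm UAPI header. */
enum { XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1, XFRM_POLICY_FWD = 2,
       XFRM_POLICY_MAX = 3 };

/* Hypothetical stand-in for the per-direction policy lists. */
struct policy { uint32_t index; const struct policy *next; };
struct policy_db { const struct policy *bydir[XFRM_POLICY_MAX]; };

/* Pre-fix shape: 'dir' indexes bydir[] unchecked, so any value above 2
 * reads past the array. Only reached through the checked wrapper here. */
static const struct policy *find_unchecked(const struct policy_db *db,
                                           uint8_t dir, uint32_t index)
{
    const struct policy *p = db->bydir[dir];
    while (p && p->index != index)
        p = p->next;
    return p;
}

/* Post-fix shape: reject the request before any table access. */
int migrate_lookup(const struct policy_db *db, uint8_t dir, uint32_t index)
{
    if (dir >= XFRM_POLICY_MAX)
        return -EINVAL;
    return find_unchecked(db, dir, index) ? 0 : -ENOENT;
}

/* Constructed sample: a single policy (index 7) in the OUT direction. */
int demo(uint8_t dir, uint32_t index)
{
    static const struct policy p = { 7, NULL };
    const struct policy_db db = { { NULL, &p, NULL } };
    return migrate_lookup(&db, dir, index);
}

int main(void)
{
    printf("%d %d %d\n", demo(XFRM_POLICY_OUT, 7), demo(XFRM_POLICY_IN, 7),
           demo(255, 7));
    return 0;
}
```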
SPS debugfs APIs can be called concurrently which can result
in dangling pointer access. This change synchronizes access
to the SPS debugfs buffer.
Change-Id: I409b3f0618f760cb67eba47b43c81d166cdae4aa
Signed-off-by: Siva Kumar Akkireddi <sivaa@codeaurora.org>
(cherry picked from commit de875dd095d3ec0906c77518d28f793e6c69a9da)
Add changes to drop assoc request and return error if RSNIE or
WPAIE parsing fails during parsing of assoc request.
CRs-Fixed: 2046578
Change-Id: I88d779399c2eba5d33c30144bf9600a1f3a00b77
(cherry picked from commit aae237dfbaf8edcf310eeb84b887b20e7e9c0ff3)
WEXT API was already obsoleted and should be removed.
Bug: 34199963
Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 32124445
(cherry picked from commit 9c5e11d70f)
The cache maintenance routines in ashmem were causing
several security issues. Since they are not being used
anymore by any drivers, it's well to remove them entirely.
Bug: 34126808
Bug: 34173755
Bug: 34203176
CRs-Fixed: 1107034, 2001129, 2007786
Change-Id: I955e33d90b888d58db5cf6bb490905283374425b
Signed-off-by: Sudarshan Rajagopalan <sudaraja@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
(cherry picked from commit e7f623aa1b8ba3b843c70eeae99aae95bddfe03d)
"file" can be already freed if bprm->file is NULL after
search_binary_handler() returns. binfmt_script will do exactly that for
example. If the VM reuses the file after fput run(), this will result in
a use after free.
So obtain d_is_su before search_binary_handler() runs.
This should explain this crash:
[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address 00000185
[..]
[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474
Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
The list usage in msm_bus_dbg driver is not correct which will cause
kernel panic.
. The list operation should be protected by a lock, e.g. mutex_lock.
. The list entry should only be operated on a valid entry.
Change-Id: I19efeb346d1bacf129ccfd7a6511bc795c029afc
Signed-off-by: Lianwei Wang <lian-wei.wang@motorola.com>
Reviewed-on: http://gerrit.pcs.mot.com/384275
Reviewed-by: Guo-Jian Chen <A21757@motorola.com>
Reviewed-by: Ke Lv <a2435c@motorola.com>
Tested-by: Jira Key <JIRAKEY@motorola.com>
Reviewed-by: Jeffrey Carlyle <jeff.carlyle@motorola.com>
Reviewed-by: Check Patch <CHEKPACH@motorola.com>
Reviewed-by: Klocwork kwcheck <klocwork-kwcheck@sourceforge.mot.com>
Reviewed-by: Tao Hu <taohu@motorola.com>
(cherry picked from commit d109d8d7e2998a635406215a559e298fa7ef4bb8)
Use proper synchronization to ensure driver file is opened
only once.
CRs-Fixed: 2023513
Change-Id: I71e55e2d487fe561d3f596590b3e8102c5e921b5
Signed-off-by: Trishansh Bhardwaj <tbhardwa@codeaurora.org>
(cherry picked from commit 84f8c42e5d848b1d04f49d253f98296e8c2280b9)
Validate a buffer virtual address is fully within the region before
returning the region to ensure functionality for an extended edge
case.
Change-Id: Iba3e080889980f393d6a9f0afe0231408b92d654
Signed-off-by: Siena Richard <sienar@codeaurora.org>
CRs-fixed: 1108461
(cherry picked from commit 208e72e59c8411e75d4118b48648a5b7d42b1682)
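A containment check of the kind the message above describes, as an added example that is not the driver's code and goes slightly beyond the message by also covering address wraparound. The `region` struct, the function names and the `REGIONS` table are hypothetical and the values are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical region record; not the driver's own structure. */
struct region { uint64_t start, size; };

/* Start-only test: true even when the buffer runs past the region end. */
int start_inside(const struct region *r, uint64_t va)
{
    return va >= r->start && va - r->start < r->size;
}

/* Naive end test: va + len can wrap around and pass for a huge len. */
int naive_inside(const struct region *r, uint64_t va, uint64_t len)
{
    return va >= r->start && va + len <= r->start + r->size;
}

/* Full containment using subtraction only, so nothing can wrap. */
int fully_inside(const struct region *r, uint64_t va, uint64_t len)
{
    if (va < r->start || va - r->start > r->size)
        return 0;
    return len <= r->size - (va - r->start);
}

/* Return the index of the region holding [va, va+len), or -1. */
int find_region(const struct region *tab, size_t n, uint64_t va, uint64_t len)
{
    for (size_t i = 0; i < n; i++)
        if (fully_inside(&tab[i], va, len))
            return (int)i;
    return -1;
}

/* Constructed sample table. */
const struct region REGIONS[] = { { 0x10000, 0x4000 }, { 0x20000, 0x1000 } };

int main(void)
{
    printf("in-range: %d\n", find_region(REGIONS, 2, 0x11000, 0x1000));
    printf("overrun:  %d\n", find_region(REGIONS, 2, 0x13000, 0x2000));
    printf("wrap, naive accepts: %d\n",
           naive_inside(&REGIONS[0], 0x13000, 0xFFFFFFFFFFFFF000ULL));
    return 0;
}
```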
msm-compr-q6-v2.c and msm-compr-q6-v2.h are no longer used.
CRs-Fixed: 2022953
Change-Id: I856d90a212a3e123a2c8b80092aff003f7c608c7
Signed-off-by: Xiaojun Sang <xsang@codeaurora.org>
(cherry picked from commit dc333eb1c31b5bdd2b6375d7cb890086d8f27d8b)
This was found during userspace fuzzing test when a large size
allocation is made from ion
[<ffffffc00008a098>] show_stack+0x10/0x1c
[<ffffffc00119c390>] dump_stack+0x74/0xc8
[<ffffffc00020d9a0>] kasan_report_error+0x2b0/0x408
[<ffffffc00020dbd4>] kasan_report+0x34/0x40
[<ffffffc00020cfec>] __asan_storeN+0x15c/0x168
[<ffffffc00020d228>] memset+0x20/0x44
[<ffffffc00009b730>] __dma_alloc_coherent+0x114/0x18c
[<ffffffc00009c6e8>] __dma_alloc_noncoherent+0xbc/0x19c
[<ffffffc000c2b3e0>] ion_cma_allocate+0x178/0x2f0
[<ffffffc000c2b750>] ion_secure_cma_allocate+0xdc/0x190
[<ffffffc000c250dc>] ion_alloc+0x264/0xb88
[<ffffffc000c25e94>] ion_ioctl+0x1f4/0x480
[<ffffffc00022f650>] do_vfs_ioctl+0x67c/0x764
[<ffffffc00022f790>] SyS_ioctl+0x58/0x8c
Change-Id: Idc9c19977a8cc62c7d092f689d30368704b400bc
Signed-off-by: Rohit Vaswani <rvaswani@codeaurora.org>
(cherry picked from commit 1f8f9b566e)
We should call ipxitf_put() if the copy_to_user() fails.
Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ib541c679cc5f4242713eb035aed458043b8ce97e
(cherry picked from commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
The default_normal option causes mounts with the gid set to
AID_SDCARD_RW to have user specific gids, as in the normal case.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Change-Id: I9619b8ac55f41415df943484dc8db1ea986cef6f
Bug: 64672411
fsnotify_open is not called within dentry_open,
so we need to call it ourselves.
Change-Id: Ia7f323b3d615e6ca5574e114e8a5d7973fb4c119
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 70706497
... rather than relying on ciptool(8) never passing it anything else. Give
it e.g. an AF_UNIX connected socket (from socketpair(2)) and it'll oops,
trying to evaluate &l2cap_pi(sock->sk)->chan->dst...
Bug: 33982955
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Change-Id: I078260c1b5be6a96b54c265da0236bf84842e450
same story as cmtp
Bug: 33982955
Change-Id: I60ce3e3b5a5a0e41ddaec155a0c6a46307eedeb7
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
commit b3916db32c upstream.
We need to verify that the given sockets actually are l2cap sockets. If
they aren't, we are not supposed to access bt_sk(sock) and we shouldn't
start the session if the offsets turn out to be valid local BT addresses.
That is, if someone passes a TCP socket to HIDCONNADD, then we access some
random offset in the TCP socket (which isn't even guaranteed to be valid).
Fix this by checking that the socket is an l2cap socket.
Change-Id: I401bca741588b34876a1c835d8d4567852b4ec75
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
CONFIG_CC_OPTIMIZE_FOR_SIZE is set on modern android devices.
Originally this config was set with the assumption that smaller
code size would yield hot cache lines and faster code, however,
that's not the case today.
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: Ib127ede04e700650b97541d6cca16da659f45c69