This repository has been archived by the owner on Aug 12, 2023. It is now read-only.

Cm 12.1 roberto #4

Closed
wants to merge 230 commits into from

n1kolaa (Member) commented Aug 20, 2016

No description provided.

Jorge Solano Altamirano and others added 30 commits November 27, 2015 13:00
QP range differs from codec to codec. This change adds support
for VP8 QP min and max range.

Change-Id: Ia44cf885a8b6f71b7eef51076968021ae68d7a7e
CRs-Fixed: 578892
Signed-off-by: Jorge Solano Altamirano <jsolano@codeaurora.org>
Enable LTR support for VP8 codec to add robust error resilience.

Change-Id: I3b87c5cdaef836a6d02d5b9fe71b7165b7f13581
Signed-off-by: Ashray Kulkarni <ashrayk@codeaurora.org>
Use generic LTR HFI APIs for h264 and vp8 formats.

Change-Id: I9f307046d7ec6de4eb6d43704686be902356882a
Signed-off-by: Ashray Kulkarni <ashrayk@codeaurora.org>
This option is intended to be used to request as extra-data
the frame level QP.

Change-Id: Icaf88bd5a48ac394d1ed7ded8dc320cfeebc2765
Signed-off-by: Jorge Solano Altamirano <jsolano@codeaurora.org>
The resulting QP information for H264 is the slice level
QP averaged over whole frame; for all other codecs it's
frame level QP.

Change-Id: I288904b05d886c1e94fc113b8bd3fba5b13b48f3
Signed-off-by: Jorge Solano Altamirano <jsolano@codeaurora.org>
This option is intended to be used to request as extra-data
the size in bits from frame header and frame itself.

Change-Id: I207045cda8c8038981bcf4548eb3d221502a67e1
Signed-off-by: Jorge Solano Altamirano <jsolano@codeaurora.org>
Provides information regarding number of bits in the frame (i.e. frame
size expressed in bits) & also the number of bits in frame header (i.e.
frame header size expressed in bits).
Number of bits in header is reported as:
For H264, sum of all slice headers bits for all the slices in the frame.
For all other codecs, number of bits in the frame header.

Change-Id: I6caeca025ff0ce059a20891a6d657b47c4b452b3
Signed-off-by: Jorge Solano Altamirano <jsolano@codeaurora.org>
Sending meaningful information in the extra-data plane structure
instead of trashy values for some uninitialized fields.

Change-Id: I6d1a5debb801836f48e4cdbd6129b5086ec18a63
Signed-off-by: Jorge Solano Altamirano <jsolano@codeaurora.org>
Macro Block Information extradata (if enabled) allows interested
clients to query for metadata about each macroblock.

Change-Id: Icfee32770018338e28ae149e1ccb654f5a48cbec
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
This change will enable firmware to perform Hierarchical
video encoding for P frames. Hierarchical video encoding is
used to improve error resilience and temporal scalability.
The encoded frames are logically organized into multiple
layers with frames in one layer referencing only frames
from lower layers. The lowest layer, i.e. base layer, is
the only exception.

Change-Id: Ie30e6d075b76b3337ec895584cf1f3be9f4bb6c6
Signed-off-by: Arun Menon <avmenon@codeaurora.org>
The v4l2 control framework requires a qmenu containing a string
description of each menu item.

Change-Id: Id41fd794a6f7ad8711caf9d072975ad6cabad6f9
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
This change fixes the warnings raised by the
static code analyzer.

Change-Id: Ibbefb9bb945128ece8923dbb23679716a0654f7b
Signed-off-by: Arun Menon <avmenon@codeaurora.org>
When buffers are not mapped by the driver (i.e. buffer being used by
kernel client), inst->registered_buffers is usually empty.  As a result,
in *_dqbuf(), binfo is always NULL.  This commit bypasses the NULL check
if buffers aren't being mapped by the driver.

CRs-Fixed: 610866
Change-Id: I111150564549a74f077ba8a7115129f497d734fc
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Suppress a needlessly spammy log that shows up when secure content is
being played.  Also make some other logs print out something useful.

Change-Id: I971e8f45393730218bc7a6947bdd938aa6b0732c
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
If userspace crashes prematurely, there will be a good chance that the
driver hasn't unmapped or freed certain buffers.  These buffers will be
freed in the state transition to UNINIT.  At that point the smem client
needs to be valid for the free/unmaps to be valid.

CRs-Fixed: 611946
Change-Id: I089dcbd1e79f1c2a8671e5719d3a5dbc9926b252
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Venus hfi locks were initialized during core init,
which is invoked when the first video instance is
created. If a debugfs command is executed before
starting the first video instance, then video driver
crashes trying to lock an uninitialized mutex.

Change-Id: I472e9de91dada94a2728dd02c747e7fde63e3e4f
Signed-off-by: Arun Menon <avmenon@codeaurora.org>
As part of power collapse we turn off the venus GDSC. When we turn it
back on, we need to re-program the VBIF registers to overwrite the
reset values.

CRs-Fixed: 585609
Change-Id: Ic2ac40274773f9592f510ccb573b9d4920a8647f
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Add a check for minimum supported video resolution, based
on firmware capabilities and reject unsupported video sessions.

Change-Id: Ib5a4eb6e6ab66408cf13829e20d3933138f357c1
Signed-off-by: Arun Menon <avmenon@codeaurora.org>
The missing string descriptor caused a mismatch in array sizes,
causing the v4l2 control framework to make an out of bounds access.

Change-Id: I9a9f64e16ca95163d800702d94528833f5892537
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Previously we only queried the core for buffer requirements in
VIDIOC_REQBUFS, and relied on that information in _G_FMT.  However,
there's no expectation that the client calls _REQBUFS before _G_FMT,
which leads to stale information being returned as part of _G_FMT.

As such, always retrieve fresh info from the core for either ioctl.

Change-Id: Ife94343f4bd4f62da7f2bef4266076ceed409bca
Signed-off-by: Deva Ramasubramanian <dramasub@codeaurora.org>
Firmware will set the FBD flags if mbaff interface
is detected for decoded video bitstream. Previously
the mbaff information was parsed in the v4l2 video
client, but now firmware parses and sends the information.

Change-Id: Ic557cdb7bf49aab3eb29a3f3aa3e363bf7223a36
Signed-off-by: Arun Menon <avmenon@codeaurora.org>
Memory allocation must be verified before proceeding.

CRs-Fixed: 606527
Change-Id: Ic340bf9926f84507294c576997948ddbe61dd62f
Signed-off-by: Jorge Solano Altamirano <jsolano@codeaurora.org>
Check for invalid null parameter passed to functions

CRs-Fixed: 606467
Change-Id: I860ca3d69d8705c7b3d6f27f9504b567be5aeea3
Signed-off-by: Jorge Solano Altamirano <jsolano@codeaurora.org>
During instance cleanup, if internal or output buffer
list is not empty, respective buffers are unmapped.
Modify the cleanup instance to send release buffers to
video core if internal or output buffer list is not
empty and then unmap the respective buffers.

CRs-Fixed: 619239
Change-Id: I56bd4248173992dedfb36098dfa9ddf35fc12a4e
Signed-off-by: Rajeshwar Kurapaty <rkurapat@codeaurora.org>
Memory allocation must be verified before proceeding.

CRs-Fixed: 606522
Change-Id: I809acc21dcd5e680827feb5d0fa8f45814bf4773
Signed-off-by: Jorge Solano Altamirano <jsolano@codeaurora.org>
The input parameters may be null. This change adds input checks at
function q6_hfi_iface_eventq_read

CRs-Fixed: 606516
Change-Id: I801a9d3249e9b97fa218fc29bc3a2a0e7a0d4d3f
Signed-off-by: Prasad Nallani <pnalla@codeaurora.org>
The msm_vidc_inst pointer instance is used without any null
pointer check; dereferencing it could crash the device.
Fix the issue by adding null pointer checks.

Change-Id: Ia17b380063326aa587aac941aac0131871147e8a
CRs-Fixed: 606486,606469
Signed-off-by: Jayasena Sangaraboina <jsanga@codeaurora.org>
Retire fence timeline should follow the actual panel vsync more closely.
For video mode the retire fence can be signaled along with the release
timeline with +1 offset, since this is signaled at vsync.
In case of command mode the panel vsync can be different from buffer
release timeline. To handle the command mode panel vsyncs better, create
a new timeline for the retire fence signaling.

Change-Id: If8a1eb717d733ca215275a8be4f0054091dbc147
Signed-off-by: Adrian Salido-Moreno <adrianm@codeaurora.org>
…uffer

Enable bus bandwidth request during get/free buffer to ensure
iommu is in proper state while mapping/un-mapping any buffers.

Change-Id: I85cc74a666dbfd29abd26609cbdd3e968d1ecd01
Signed-off-by: Pawan Kumar <pavaku@codeaurora.org>
Fix off by one error leading to log spam. 'nad_cfgs' is the upper bound of
the zero-indexed mixer/AD/dspp pipe enumeration.

Change-Id: I963d175aad23a8eb621772d6c9bd06676fa2e27e
Signed-off-by: Carl Vanderlip <carlv@codeaurora.org>
Signed-off-by: Ping Li <quicpingli@codeaurora.org>
sashalevin and others added 29 commits December 25, 2015 12:41
When a key is being garbage collected, its key->user would get put before
the ->destroy() callback is called, where the key is removed from its
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try to access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Change-Id: Ic74246dc2dcc593f04f71063e3301e7356d588b7
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Break the initialization dependency on module-load and tie it to
opening up the actual v4l device.

Change-Id: I12d5226e7e9b15d14cf62e2dc666612f4cb608f1
Include <linux/types.h> into ashmem.h to ensure referenced types are defined

Signed-off-by: Rom Lemarchand <romlem@android.com>
Change-Id: If82d92caa6c148ab2182a681637fc8e17c44346d
Dmitry Chernenkov used KASAN to discover that eCryptfs writes past the
end of the allocated buffer during encrypted filename decoding. This
fix corrects the issue by getting rid of the unnecessary 0 write when
the current bit offset is 2.

Change-Id: I63ab4859f7085d5c48f2b782b1757fea4aab0dda
Signed-off-by: Michael Halcrow <mhalcrow@google.com>
Reported-by: Dmitry Chernenkov <dmitryc@google.com>
Suggested-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org # v2.6.29+: 51ca58d eCryptfs: Filename Encryption: Encoding and encryption functions
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Sasha Levin found a NULL pointer dereference that is due to a missing
page table lock, which in turn is due to the pmd entry in question being
a transparent huge-table entry.

The code - introduced in commit 1998cc048901 ("mm: make
madvise(MADV_WILLNEED) support swap file prefetch") - correctly checks
for this situation using pmd_none_or_trans_huge_or_clear_bad(), but it
turns out that that function doesn't work correctly.

pmd_none_or_trans_huge_or_clear_bad() expected that pmd_bad() would
trigger if the transparent hugepage bit was set, but it doesn't do that
if pmd_numa() is also set. Note that the NUMA bit only gets set on real
NUMA machines, so people trying to reproduce this on most normal
development systems would never actually trigger this.

Fix it by removing the very subtle (and subtly incorrect) expectation,
and instead just checking pmd_trans_huge() explicitly.

Reported-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: Andrea Arcangeli <aarcange@redhat.com>
[ Additionally remove the now stale test for pmd_trans_huge() inside the
  pmd_bad() case - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Change-Id: Ia5a4e246d2a11574deca34222140704dd4178205
When adding new field to struct bio there is a crash in the removed
code lines. This issue was introduced by commit
80a8f0f87bee18283e9ca0a8966ec97ad9f084e5 "block: row-iosched idling
triggered by readahead pages"

(Partly) reverting this patch till root cause is fixed (on FS level).

Change-Id: Ie82bc806ea52a6370b57aa15455c85b2db10d0da
Signed-off-by: Tanya Brokhman <tlinder@codeaurora.org>
FIOPS (Fair IOPS) ioscheduler is an IOPS based ioscheduler, so it only targets
drives without I/O seek. It's quite similar to CFQ, but the dispatch
decision is made according to IOPS instead of slice.

The algorithm is simple. Drive has a service tree, and each task lives in
the tree. The key into the tree is called vios (virtual I/O). Every request
has vios, which is calculated according to its ioprio, request size and so
on. Task's vios is the sum of vios of all requests it dispatches. FIOPS
always selects task with minimum vios in the service tree and let the task
dispatch request. The dispatched request's vios is then added to the task's
vios and the task is repositioned in the service tree.

Unlike CFQ, FIOPS doesn't have separate sync/async queues, because with I/O
less writeback, usually a task can only dispatch either sync or async requests.
Bias read or write request can still be done with read/write scale.

One issue is if workload iodepth is lower than drive queue_depth, IOPS
share of a task might not be strictly according to its priority, request
size and so on. In this case, the drive is actually idle. Solving the
problem needs to make the drive idle, so it impacts performance. I believe CFQ isn't
completely fair between tasks in such case too.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>

block: fiops read/write request scale

read/write speed of Flash based storage usually is different. For example,
in my SSD maximum throughput of read is about 3 times faster than that of
write. Add a scale to differentiate read and write. Also add a tunable, so
user can assign different scale for read and write.

By default, the scale is 1:1, which means the scale is a noop.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>

block: fiops sync/async scale

CFQ gives 2.5 times more share to sync workload. This matches CFQ.

Note this is different from the read/write scale. We have 3 types of
requests:
1. read
2. sync write
3. write
CFQ doesn't differentiate type 1 and 2, but request cost of 1 and 2
are usually different for flash based storage. So we have both sync/async
and read/write scale here.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>

block: fiops add ioprio support

Add CFQ-like ioprio support. Priority A will get 20% more share than priority
A+1, which matches CFQ.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>

block: fiops preserve vios key for deep queue depth workload

If the task has a running request, even if it's newly added into the service tree,
we preserve its vios key, so it will not lose its share. This should work
for task driving big queue depth. For single depth task, there is no approach
to preserve its vios key.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>

block: fiops bias sync workload

If there are async requests running, delay async workload. Otherwise
async workload (usually very deep iodepth) will use all queue iodepth
and later sync requests will get long delayed. The idea is from CFQ.

Signed-off-by: Shaohua Li <shaohua.li@intel.com>

block: fiops add some trace information

Add some trace information, which is helpful when I do debugging.

Change-Id: I971fcef95e7fdb6360b0e07cffefc0b51a6fbbc0
Signed-off-by: Shaohua Li <shaohua.li@intel.com>
Update Kconfig.iosched and do the related Makefile changes to include
kernel configuration options for BFQ. Also add the bfqio controller
to the cgroups subsystem.

Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Add the BFQ-v7r8 I/O scheduler to 3.4.
The general structure is borrowed from CFQ, as much of the code for
handling I/O contexts. Over time, several useful features have been
ported from CFQ as well (details in the changelog in README.BFQ). A
(bfq_)queue is associated to each task doing I/O on a device, and each
time a scheduling decision has to be made a queue is selected and served
until it expires.

    - Slices are given in the service domain: tasks are assigned
      budgets, measured in number of sectors. Once got the disk, a task
      must however consume its assigned budget within a configurable
      maximum time (by default, the maximum possible value of the
      budgets is automatically computed to comply with this timeout).
      This allows the desired latency vs "throughput boosting" tradeoff
      to be set.

    - Budgets are scheduled according to a variant of WF2Q+, implemented
      using an augmented rb-tree to take eligibility into account while
      preserving an O(log N) overall complexity.

    - A low-latency tunable is provided; if enabled, both interactive
      and soft real-time applications are guaranteed a very low latency.

    - Latency guarantees are preserved also in the presence of NCQ.

    - Also with flash-based devices, a high throughput is achieved
      while still preserving latency guarantees.

    - BFQ features Early Queue Merge (EQM), a sort of fusion of the
      cooperating-queue-merging and the preemption mechanisms present
      in CFQ. EQM is in fact a unified mechanism that tries to get a
      sequential read pattern, and hence a high throughput, with any
      set of processes performing interleaved I/O over a contiguous
      sequence of sectors.

    - BFQ supports full hierarchical scheduling, exporting a cgroups
      interface.  Since each node has a full scheduler, each group can
      be assigned its own weight.

    - If the cgroups interface is not used, only I/O priorities can be
      assigned to processes, with ioprio values mapped to weights
      with the relation weight = IOPRIO_BE_NR - ioprio.

    - ioprio classes are served in strict priority order, i.e., lower
      priority queues are not served as long as there are higher
      priority queues.  Among queues in the same class the bandwidth is
      distributed in proportion to the weight of each queue. A very
      thin extra bandwidth is however guaranteed to the Idle class, to
      prevent it from starving.

Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
A set of processes may happen to perform interleaved reads, i.e., requests
whose union would give rise to a sequential read pattern. There are two
typical cases: in the first case, processes read fixed-size chunks of
data at a fixed distance from each other, while in the second case processes
may read variable-size chunks at variable distances. The latter case occurs
for example with QEMU, which splits the I/O generated by the guest into
multiple chunks, and lets these chunks be served by a pool of cooperating
processes, iteratively assigning the next chunk of I/O to the first
available process. CFQ uses actual queue merging for the first type of
processes, whereas it uses preemption to get a sequential read pattern out
of the read requests performed by the second type of processes. In the end
it uses two different mechanisms to achieve the same goal: boosting the
throughput with interleaved I/O.

This patch introduces Early Queue Merge (EQM), a unified mechanism to get a
sequential read pattern with both types of processes. The main idea is
checking newly arrived requests against the next request of the active queue
both in case of actual request insert and in case of request merge. By doing
so, both the types of processes can be handled by just merging their queues.
EQM is then simpler and more compact than the pair of mechanisms used in
CFQ.

Finally, EQM also preserves the typical low-latency properties of BFQ, by
properly restoring the weight-raising state of a queue when it gets back to
a non-merged state.

Signed-off-by: Mauro Andreolini <mauro.andreolini@unimore.it>
Signed-off-by: Arianna Avanzini <avanzini.arianna@gmail.com>
Signed-off-by: Paolo Valente <paolo.valente@unimore.it>
This change fixes a problem where reboot on Android panics the kernel
almost every time when file systems are mounted over loop devices.

Android reboot command does:
- sync
- echo u > /proc/sysrq-trigger
- syscall_reboot

The problem is with sysrq emergency remount R/O trying to remount-ro
in the wrong order.
Since /data is re-mounted ro before loop devices, loop device
remount-ro fails to flush the journal and panics the kernel:

  EXT4-fs (loop0): Remounting filesystem read-only
  EXT4-fs (loop0): previous I/O error to superblock detected
  loop: Write error at byte offset 0, length 4096.
  Buffer I/O error on device loop0, logical block 0
  lost page write due to I/O error on loop0
  Kernel panic - not syncing: EXT4-fs panic from previous error

The fix is quite simple. In do_emergency_remount(), use
list_for_each_entry_reverse() on sb list instead of list_for_each_entry().
It makes a lot of sense to umount the file systems in reverse order in
which they were added to sb list.

Change-Id: I4370e39b5873bd16ade5d5f9ddb2704beb02a2bb
Signed-off-by: Amir Goldstein <amir@cellrox.com>
Acked-by: Oren Laadan <orenl@cellrox.com>
syscall_get_nr can return -1 in the case that the task is not executing
a system call.

This patch fixes perf_syscall_{enter,exit} to check that the syscall
number is valid before using it as an index into a bitmap.

Link: http://lkml.kernel.org/r/1345137254-7377-1-git-send-email-will.deacon@arm.com

Change-Id: I03d131612783e1fcae9700b4d48cc98c09e2194a
Cc: Jason Baron <jbaron@redhat.com>
Cc: Wade Farnsworth <wade_farnsworth@mentor.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
ARM has some private syscalls (for example, set_tls(2)) which lie
outside the range of NR_syscalls.  If any of these are called while
syscall tracing is being performed, out-of-bounds array access will
occur in the ftrace and perf sys_{enter,exit} handlers.

 # trace-cmd record -e raw_syscalls:* true && trace-cmd report
 ...
 true-653   [000]   384.675777: sys_enter:            NR 192 (0, 1000, 3, 4000022, ffffffff, 0)
 true-653   [000]   384.675812: sys_exit:             NR 192 = 1995915264
 true-653   [000]   384.675971: sys_enter:            NR 983045 (76f74480, 76f74000, 76f74b28, 76f74480, 76f76f74, 1)
 true-653   [000]   384.675988: sys_exit:             NR 983045 = 0
 ...

 # trace-cmd record -e syscalls:* true
 [   17.289329] Unable to handle kernel paging request at virtual address aaaaaace
 [   17.289590] pgd = 9e71c000
 [   17.289696] [aaaaaace] *pgd=00000000
 [   17.289985] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
 [   17.290169] Modules linked in:
 [   17.290391] CPU: 0 PID: 704 Comm: true Not tainted 3.18.0-rc2+ #21
 [   17.290585] task: 9f4dab00 ti: 9e710000 task.ti: 9e710000
 [   17.290747] PC is at ftrace_syscall_enter+0x48/0x1f8
 [   17.290866] LR is at syscall_trace_enter+0x124/0x184

Fix this by ignoring out-of-NR_syscalls-bounds syscall numbers.

Commit cd0980f "tracing: Check invalid syscall nr while tracing syscalls"
added the check for less than zero, but it should have also checked
for greater than NR_syscalls.

Link: http://lkml.kernel.org/p/1414620418-29472-1-git-send-email-rabin@rab.in

Change-Id: I3cab2ba461dac74846a540eefde7bb4bccce5106
Fixes: cd0980f "tracing: Check invalid syscall nr while tracing syscalls"
Cc: stable@vger.kernel.org # 2.6.33+
Signed-off-by: Rabin Vincent <rabin@rab.in>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Kenton Varda <kenton@sandstorm.io> discovered that by remounting a
read-only bind mount read-only in a user namespace the
MNT_LOCK_READONLY bit would be cleared, allowing an unprivileged user
to remount a read-only mount read-write.

Correct this by replacing the mask of mount flags to preserve
with a mask of mount flags that may be changed, and preserve
all others.   This ensures that any future bugs with this mask and
remount will fail in an easy to detect way where new mount flags
simply won't change.

Change-Id: If07d0c9f49fa7c5f17cb4315f75e4df79fa8ed3e
Cc: stable@vger.kernel.org
Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
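The mask change described in the commit message above, as an added example that is not the kernel's code or part of the commit: it compares a remount that lists the bits to preserve with one that lists the bits a request may change. All `DEMO_*` names and bit values are constructed for illustration.

```c
#include <stdio.h>

/* Constructed flag bits for this example; they are not the kernel's values. */
#define DEMO_RDONLY        0x01u  /* a remount request may set or clear this */
#define DEMO_NOSUID        0x02u  /* a remount request may set or clear this */
#define DEMO_SHARED        0x10u  /* internal: propagation state */
#define DEMO_LOCK_READONLY 0x20u  /* internal: read-only must not be cleared */
#define DEMO_FUTURE_FLAG   0x40u  /* internal flag added after the masks were written */

/* Old style: an explicit list of internal bits to carry over. */
#define DEMO_PRESERVE_MASK (DEMO_SHARED)
/* New style: an explicit list of bits a remount request may change. */
#define DEMO_SETTABLE_MASK (DEMO_RDONLY | DEMO_NOSUID)

/* Old style: anything missing from the preserve list is silently dropped. */
static unsigned remount_preserve_listed(unsigned cur, unsigned req)
{
    return req | (cur & DEMO_PRESERVE_MASK);
}

/* New style: only listed bits come from the request, the rest is kept. */
static unsigned remount_change_listed(unsigned cur, unsigned req)
{
    return (req & DEMO_SETTABLE_MASK) | (cur & ~DEMO_SETTABLE_MASK);
}

/* Internal bits that were set before the remount and are gone afterwards. */
static unsigned lost_internal_bits(unsigned before, unsigned after)
{
    return before & ~after & ~DEMO_SETTABLE_MASK;
}

int main(void)
{
    /* Constructed state: a locked read-only mount, remounted read-only again. */
    unsigned cur = DEMO_RDONLY | DEMO_SHARED | DEMO_LOCK_READONLY | DEMO_FUTURE_FLAG;
    unsigned req = DEMO_RDONLY;

    unsigned old_style = remount_preserve_listed(cur, req);
    unsigned new_style = remount_change_listed(cur, req);

    printf("preserve-list result: 0x%02x, lost internal bits: 0x%02x\n",
           old_style, lost_internal_bits(cur, old_style));
    printf("change-list result:   0x%02x, lost internal bits: 0x%02x\n",
           new_style, lost_internal_bits(cur, new_style));
    return 0;
}
```

With the change-list form, a flag that nobody added to the mask cannot be altered by a remount at all, which is the easy-to-detect failure mode the commit message refers to.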
Andy Lutomirski recently demonstrated that when chroot is used to set
the root path below the path for the new ``root'' passed to pivot_root
the pivot_root system call succeeds and leaks mounts.

In examining the code I see that starting with a new root that is
below the current root in the mount tree will result in a loop in the
mount tree after the mounts are detached and then reattached to one
another.  Resulting in all kinds of ugliness including a leak of the
mounts involved in the leak of the mount loop.

Prevent this problem by ensuring that the new mount is reachable from
the current root of the mount tree.

[Added stable cc.  Fixes CVE-2014-7970.  --Andy]

Change-Id: I8a2b98b62777c7f7f5ab056cd60f9e2713a6e5e0
Cc: stable@vger.kernel.org
Reported-by: Andy Lutomirski <luto@amacapital.net>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
Link: http://lkml.kernel.org/r/87bnpmihks.fsf@x220.int.ebiederm.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
This prevents a race between chown() and execve(), where chowning a
setuid-user binary to root would momentarily make the binary setuid
root.

This patch was mostly written by Linus Torvalds.

Change-Id: I7e387041fc5857910d36577e4d54c0dd2a8168c3
Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
If a /d/binder/proc/[pid] entry is kept open after linux has
torn down the associated process, binder_proc_show can dereference
an invalid binder_proc that has been stashed in the debugfs
inode.  Validate that the binder_proc ptr passed into binder_proc_show
has not been freed by looking for it within the global process list
whilst the global lock is held. If the ptr is not valid, print nothing.

Bug 19587483
Change-Id: I4abc6443d96cca6500608976cded5ff3d1697d33
Signed-off-by: Riley Andrews <riandrews@android.com>
Rename the source file to match the function name and thereby
also make room for a possible future even slightly faster
"non-safe" decompressor version.

Signed-off-by: Markus F.X.J. Oberhumer <markus@oberhumer.com>
This commit updates the kernel LZO code to the current upstream version
which features a significant speed improvement - benchmarking the Calgary
and Silesia test corpora typically shows a doubled performance in
both compression and decompression on modern i386/x86_64/powerpc machines.

Signed-off-by: Markus F.X.J. Oberhumer <markus@oberhumer.com>
This fix ensures that we never meet an integer overflow while adding
255 while parsing a variable length encoding. It works differently from
commit 206a81c ("lzo: properly check for overruns") because instead of
ensuring that we don't overrun the input, which is tricky to guarantee
due to many assumptions in the code, it simply checks that the cumulated
number of 255 read cannot overflow by bounding this number.

The MAX_255_COUNT is the maximum number of times we can add 255 to a base
count without overflowing an integer. The multiply will overflow when
multiplying 255 by more than MAXINT/255. The sum will overflow earlier
depending on the base count. Since the base count is taken from a u8
and a few bits, it is safe to assume that it will always be lower than
or equal to 2*255, thus we can always prevent any overflow by accepting
two less 255 steps.

This patch also reduces the CPU overhead and actually increases performance
by 1.1% compared to the initial code, while the previous fix costs 3.1%
(measured on x86_64).

The fix needs to be backported to all currently supported stable kernels.

Reported-by: Willem Pinckaers <willem@lekkertech.net>
Cc: "Don A. Bailey" <donb@securitymouse.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
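The bound described in the commit message above, as an added example that is not the kernel's LZO code: a length is encoded as a run of zero bytes (each worth 255) followed by a final byte, and the decoder rejects runs longer than MAX_255_COUNT. A 16-bit length type and a base count of 15 are assumptions made here so that the wrap-around is reproducible with a few hundred bytes of constructed input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: a 16-bit length type, so overflow shows up with small inputs.
 * The commit applies the same reasoning to a full-width integer. */
typedef uint16_t len_t;
#define LEN_MAX        65535u
/* Largest number of 255-steps that still leaves room for 2*255 more. */
#define MAX_255_COUNT  ((size_t)(LEN_MAX / 255u) - 2)   /* 257 - 2 = 255 */

#define ERR_INPUT_OVERRUN (-1)
#define ERR_LEN_OVERFLOW  (-2)
#define BASE_COUNT        15u   /* assumed base; base + final byte <= 2*255 */

/* Unbounded form: adds 255 per zero byte, so the length can wrap. */
static long decode_len_naive(const uint8_t *ip, size_t n)
{
    len_t t = BASE_COUNT;
    size_t i = 0;

    while (i < n && ip[i] == 0) {
        t = (len_t)(t + 255u);      /* wraps modulo 65536 */
        i++;
    }
    if (i == n)
        return ERR_INPUT_OVERRUN;   /* no terminating non-zero byte */
    return (long)(len_t)(t + ip[i]);
}

/* Bounded form: count the zero bytes first, reject counts that could
 * overflow, then do a single multiply-and-add. */
static long decode_len_bounded(const uint8_t *ip, size_t n)
{
    size_t zeros = 0;

    while (zeros < n && ip[zeros] == 0)
        zeros++;
    if (zeros == n)
        return ERR_INPUT_OVERRUN;
    if (zeros > MAX_255_COUNT)
        return ERR_LEN_OVERFLOW;
    /* At most 255*255 + 15 + 255 = 65295, which fits in len_t. */
    return (long)(zeros * 255u + BASE_COUNT + ip[zeros]);
}

/* Builds a constructed input of `zeros` zero bytes plus one final byte. */
static long run_sample(int bounded, size_t zeros, uint8_t last)
{
    uint8_t buf[512];

    if (zeros + 1 > sizeof(buf))
        return ERR_INPUT_OVERRUN;
    memset(buf, 0, zeros);
    buf[zeros] = last;
    return bounded ? decode_len_bounded(buf, zeros + 1)
                   : decode_len_naive(buf, zeros + 1);
}

int main(void)
{
    printf("2 zeros:   naive=%ld bounded=%ld\n",
           run_sample(0, 2, 7), run_sample(1, 2, 7));
    printf("257 zeros: naive=%ld bounded=%ld\n",
           run_sample(0, 257, 1), run_sample(1, 257, 1));
    return 0;
}
```

For 257 zero bytes the true length is 65551; the unbounded decoder reports 15 after wrapping, while the bounded one returns an error before any arithmetic on the length.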
This is a squash of all changes from kernel/common android-3.4 up to
  5e35d66 android: configs: add IPV6 ROUTE INFO

Change-Id: I848f1865ec7da1dfc3338a3e9d7f944a6f00f2a6
Signed-off-by: JP Abgrall <jpa@google.com>
Signed-off-by: Ashish Sharma <ashishsharma@google.com>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Change-Id: If8d324ffdb4ebd56e5d68876f8e229547e20eaf6
Change-Id: I6e6a807c7851aa78fc6e37949436bb135a007b91
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 13505761
…addr2 in futex_requeue(..., requeue_pi=1)

If uaddr == uaddr2, then we have broken the rule of only requeueing from
a non-pi futex to a pi futex with this call.  If we attempt this, then
dangling pointers may be left for rt_waiter resulting in an exploitable
condition.

This change brings futex_requeue() in line with futex_wait_requeue_pi()
which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
uaddr == uaddr2 in futex_wait_requeue_pi()")

[ tglx: Compare the resulting keys as well, as uaddrs might be
  	different depending on the mapping ]

Fixes CVE-2014-3153.

Reported-by: Pinkie Pie
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Allows the panel to dynamically change its FPS, saving power
during A/V usecases and idle.

Unfortunately, our MDSS subsystem is quite old so we can't make use
of the newer and more useful dynamic FPS options, allowing for
much greater power savings.

One improvement to make in the future is to update the MDSS subsystem
with the appropriate patches to enable the newer options, or we
could just rebase on a newer CAF base - both choices are equally
tiresome.

Change-Id: I0c1f1ff7864b2f23a1bdb223905bf2c0e95e866a
scsi_wait_scan was introduced with asynchronous host scanning as a hack
for distributions that weren't using proper udev based wait for root to
appear in their initramfs scripts.  In 2.6.30 Commit

c751085
Author: Rafael J. Wysocki <rjw@sisk.pl>
Date:   Sun Apr 12 20:06:56 2009 +0200

    PM/Hibernate: Wait for SCSI devices scan to complete during resume

Actually broke scsi_wait_scan because it renders
scsi_complete_async_scans() a nop for modular SCSI if you include
scsi_scans.h (which this module does).

The lack of bug reports is sufficient proof that this module is no
longer used.

Change-Id: I1f56e4c80cc5ad70c8760d391061e80bfaeb7077
Cc: Jeff Mahoney <jeffm@suse.de>
Cc: Dave Jones <davej@redhat.com>
Cc: maximilian attems <max@stro.at>
Signed-off-by: James Bottomley <JBottomley@Parallels.com>
Define both I2C and Simbus control interfaces as tristate.

Change-Id: I5b6e1a8d31f0075a7035c802a7e8e97e86fb93ec
@n1kolaa n1kolaa closed this Jan 27, 2017