GitLab

[YETIN-2070][camera][wangkun21]fix CameraStress test after a period of time can't connect to the camera appeared

Change-Id: Ic3e823c87654a7297095b495d125acce54d1aec8
Signed-off-by: wangkun21 <wangkun21@lenovo.com>

This reverts commit 28bc6628.

[YETIN-1689]

zhanghx11 review

Revert "Revert "<YETI_N><mmc><yangpn1> add timed-out dynamic wakelocks for mmc host during rw operation""

This reverts commit 60fb769f.

[YETIN-1689]

zhanghx11 review

This reverts commit 5ad476d3.

[issue] [YETIN-1689] fixed

zhanghx11 review

This reverts commit d4754f03.

Change-Id: I430439f52967ea41a9abf00a88b3c65d05a3f3b1

reserve space for uid <= 10000 when storage is low

Change-Id: I8a92b623cacc329e8230bdc900396afab89bd0e9
Signed-off-by: lizq13 <lizq13@lenovo.com>

Set register values in kernel.

Change-Id: Ic536698ac090f80759695076abf61bb1d7accba2

[issue] [YETIN-2543] fixed

[rootcause] front camera ov2470 max resolution is 1932x1092,
can not use use padding_w > 12.

[solution] change the suitable padding_w and padding_h.

Change-Id: I6233ea2202bf36384f90b261a1d84342900266cf

This reverts commit 0ce832b0.

Change-Id: I07fe2c1db8fa7fa6203977ff7035c94031ff80be

Change-Id: I8c99cd76b40e8d971773dc76181c2ab46c846805

This reverts commit c33cad8f.

Change-Id: I585a4a8063f05e292fff8e93d788efee15f171bf

[issue] [YETIN-2610] fixed

[rootcause]

[solution]

Change-Id: Ic4ff5e9579ba8ba001c9cf03f163c630e0f19271
Signed-off-by: wangzj12 <wangzj12@lenovo.com>

Change-Id: I9e2bf8122e90085b4fbf1c16ffcfb42169a96a34

Change-Id: I9e370e5b4bb15034cb43dfe7c810727102b5f73c

[issue] [YETIN-136] fixed

[rootcause]
we need follow android M to change wceis status
[solution]
bLenghth:0x08(8 bytes)
bDescriptorType:0x0B
bFirstInterface:0x00
bFunctionClass:0xE0(Wireless controler)
bFunctionSubClass:0x01
bFunctionProtocol:0x03
iFunction:0x07
Language 0x0409:"RNDIS"

Change-Id: If49554bf29fbf9af33ae19334dafd39280f5db4b
Signed-off-by: wangzj12 <wangzj12@lenovo.com>

[issue] [YETIN-2190] [YETIN-1549] [YETIN-1462] fixed

[rootcause]
  the voltage of headset key was changed.

[solution]
  change the micbias to proper voltage level and
add consideration about KEY_VOICECOMMAND.

Change-Id: I11734f4f058450dad75f523cbe0ffbdb0c6731ee

[issue] [yetin-564] fixed

[rootcause]

[solution]

Change-Id: I9cd4bd95df8f048d260ecc8a2f5a8e651b2e7080

[issue] [yetin-564] fixed

[rootcause]

[solution]

Change-Id: I1a8af404b277ffdd7038796ba9569412bdec34a9

[issue] [yetin-564] fixed

[rootcause]

[solution]

Change-Id: I414eb9d0410621caf8bb5110687019637b72f797

[issue] [YETIN-564] fixed

[rootcause]
   Kernel hacking config not enabled in user version by default

[solution]
    enable all these config

Change-Id: Ife6fdca3094803b00a9f547f49a13da969674698

[issue] [YETIN-1689] fixed

[rootcause]

	if screen is off when mmc rw operation is on going, suspend sequence would sync filesystems but it hangs in sys_sync() because there is some sdhci_tasklet_finish() cmds left. mmc bus clock should be kept.

[solution]
	1.	include mmc0 and mmc1 to sdhci_runtime_suspend/resume_host() sequence for ext4 rw operation
	2.	isolate tasklet skip_cnt and wakelock timeout value for mmc0 and mmc1
	3.	include mmc1 to mmc_bus_suspend/resume() for vfat rw operation
	4.	as for usbotg device, there is constant wakelock defined in bq2589x_charger.c
	5.	as for screen off mp3 case, the case itself holds system wakelock named PowerManagementService.WakeLocks, so the new wakelock would not introduce power consumption impact.
	6.	add spin_lock_irqsave and spin_unlock_irqrestore to protect busbusy_wakelock_en and tasklet_cnt

Change-Id: I726b18efcd066784723415d230314727ec392c3c

[YETIN-1689]

This reverts commit 28bc6628.

[issue] [YETIN-1689] fixed

[rootcause]

	if screen is off when mmc rw operation is on going, suspend sequence would sync filesystems but it hangs in sys_sync() because there is some sdhci_tasklet_finish() cmds left. mmc bus clock should be kept.

[solution]
	1.  include mmc0 and mmc1 to sdhci_runtime_suspend/resume_host() sequence for ext4 rw operation
	2.  isolate tasklet skip_cnt and wakelock timeout value for mmc0 and mmc1
	3.  include mmc1 to mmc_bus_suspend/resume() for vfat rw operation
	4.  as for usbotg device, there is constant wakelock defined in bq2589x_charger.c
	5.  as for screen off mp3 case, the case itself holds system wakelock named PowerManagementService.WakeLocks, so the new wakelock would not introduce power consumption impact.

Change-Id: Ie0e6bd8064cdb5b71f8aae22e042d533f5cd1738

[issue] [YETIN-17] fixed

[rootcause]

[solution]

Change-Id: Ia47cbb92399e45ef487ceacfddb4b932ca4dca02

[issue] [YETIN-1526] fixed

[rootcause]when reusem the system. the first time tap on Bface cannot case interrupt

[solution]

Change-Id: I4e3624197b92febca7e32b3ecc2b2be2500960cb

[issue] [YETIN-13] fixed

[rootcause]

[solution]

Change-Id: I84341da4c6590663ddc140085041f2823f34b2f3

[issue] [YETIN-1314] fixed

[rootcause]

Change-Id: I7f93c3efbe4c51fb523b83bdf654bfbfbf76921d

[issue] [YETIN-29] fixed

[rootcause]

[solution]change register value about 18,19 ;cat /1-0028 reg about 18,19 North is 56,other country is different

Change-Id: I4c4487b7e203072d8c09e6138020318958670b11

This likely breaks tracing tools like trace-cmd.  It logs in the same
format but now addresses are all 0x0.

Bug: 34277115

Change-Id: Ifb0d4d2a184bf0d95726de05b1acee0287a375d9
CVE: CVE-2017-0630
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-44275Signed-off-by: Dave Lin <dave.lin@intel.com>
Reviewed-on: https://android.intel.com:443/577647

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Bug: 33300353
Signed-off-by: Robb Glasser <rglasser@google.com>

Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
CVE: CVE-2017-0627
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-44275Signed-off-by: Dave Lin <dave.lin@intel.com>
Reviewed-on: https://android.intel.com:443/577646

When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer.  However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents.  We do
not at this point check that the replay_window is within the allocated
memory.  This leads to out-of-bounds reads and writes triggered by
netlink packets.  This leads to memory corruption and the potential for
priviledge escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn.  It however does not check the replay_window
remains within that buffer.  Add validation of the contained
replay_window.

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Change-Id: I900dc151e7bb280f32df93e813a5a2d7966e918d
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-44275Signed-off-by: Dave Lin <dave.lin@intel.com>
Reviewed-on: https://android.intel.com:443/577645

commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 upstream.

Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed().  This is potentially racy, since the stream
may get released even during the irq handler is running.  Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.

As a quick workaround, move kill_fasync() call inside the stream
lock.  The fasync is rarely used interface, so this shouldn't have a
big impact from the performance POV.

Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler.  But this oneliner should suffice for most
cases, so far.
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>

Change-Id: Ibcd2198a74b6ce136515918576b06242275ab450
CVE: CVE-2016-9794
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-44275Signed-off-by: Dave Lin <dave.lin@intel.com>
Reviewed-on: https://android.intel.com:443/577644

The fix from 9fc81d87420d ("perf: Fix events installation during
moving group") was incomplete in that it failed to recognise that
creating a group with events for different CPUs is semantically
broken -- they cannot be co-scheduled.

Furthermore, it leads to real breakage where, when we create an event
for CPU Y and then migrate it to form a group on CPU X, the code gets
confused where the counter is programmed -- triggered in practice
as well by me via the perf fuzzer.

Fix this by tightening the rules for creating groups. Only allow
grouping of counters that can be co-scheduled in the same context.
This means for the same task and/or the same cpu.

Fixes: 9fc81d87420d ("perf: Fix events installation during moving group")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.orgSigned-off-by: Ingo Molnar <mingo@kernel.org>

Change-Id: I5e77b9d98466ad37c3312a5effb20d0792064b4c
CVE: CVE-2015-9004
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-44275Signed-off-by: Dave Lin <dave.lin@intel.com>
Reviewed-on: https://android.intel.com:443/577643

[issue] [YETIN-564] fixed

[rootcause]

[solution]

Change-Id: I8dc2ecf272962b452e83cd2ed5074868ae1560cb

We are seeing multiple list corruption issues

1.

[80329.240487] WARNING: CPU: 0 PID: 22520 at ../../../../../../kernel/cht/lib/list_debug.c:63 __list_del_entry+0xc5/0xf0()
[80329.252539] list_del corruption. prev->next should be ffff88002af75838, but was ffff88002af75438
[80329.252562] Modules linked in: tcp_diag inet_diag atomisp_css2401a0_v21 videobuf_vmalloc videobuf_core bt_lpm rfkill_gpio 8723bs(O) cfg80211 ov2680 ov8858_driver silead_ts ltr501 bmg160 ak09911 kxcjk_1013
[80329.273007] CPU: 0 PID: 22520 Comm: kworker/0:1 Tainted: G        W  O 3.14.79-x86_64-02759-gbc7150af8263 #1
[80329.283989] Hardware name: Insyde CherryTrail/T3 MRD, BIOS CHTMRD.A6.002.016.004 12/13/2016
[80329.293363] Workqueue: atomisp-css2401a0_v21 0 atomisp_wdt_work [atomisp_css2401a0_v21]
[80329.302316]  0000000000000000 ffff8800083ffc10 ffffffff81ad90a2 ffff8800083ffc58
[80329.302442]  0000000000000009 ffff8800083ffc48 ffffffff8108b83d ffff88006de23a40
[80329.302570]  ffff88006de23da0 ffff88006de20028 0000000000000286 ffff88002af75800
[80329.302698] Call Trace:
[80329.302732]  [<ffffffff81ad90a2>] dump_stack+0x67/0x90
[80329.308477]  [<ffffffff8108b83d>] warn_slowpath_common+0x7d/0xa0
[80329.315190]  [<ffffffff8108b8ac>] warn_slowpath_fmt+0x4c/0x50
[80329.321611]  [<ffffffff813ab0e5>] __list_del_entry+0xc5/0xf0
[80329.327957]  [<ffffffffa02ad7e6>] atomisp_flush_video_pipe.part.20+0x116/0x180 [atomisp_css2401a0_v21]
[80329.338382]  [<ffffffffa02af0a4>] atomisp_flush_bufs_and_wakeup+0x44/0x90 [atomisp_css2401a0_v21]
[80329.348322]  [<ffffffffa02b3abe>] __atomisp_css_recover+0x45e/0x660 [atomisp_css2401a0_v21]
[80329.357678]  [<ffffffffa02b4187>] atomisp_wdt_work+0x4c7/0x560 [atomisp_css2401a0_v21]
[80329.366529]  [<ffffffff81ae0a2d>] ? __schedule+0x39d/0x940
[80329.372662]  [<ffffffff810a8faf>] process_one_work+0x16f/0x4f0
[80329.379180]  [<ffffffff810a9d3c>] worker_thread+0x12c/0x3d0
[80329.385408]  [<ffffffff810a9c10>] ? manage_workers.isra.27+0x290/0x290
[80329.392704]  [<ffffffff810afcfd>] kthread+0xed/0x110
[80329.398252]  [<ffffffff810afc10>] ? kthread_create_on_node+0x190/0x190

2.
<4>[31010.186503] WARNING: CPU: 2 PID: 9496 at ../../../../../../kernel/cht/lib/list_debug.c:31 __list_add+0xe8/0xf0()
<7>[31010.197896] list_add corruption. next->prev should be prev (ffff880068429f38), but was ffff88006a363d78. (next=ffff88006a363d78).
<4>[31010.197913] Modules linked in: tcp_diag inet_diag atomisp_css2401a0_v21 videobuf_vmalloc videobuf_core 8723bs(O) cfg80211 bt_lpm rfkill_gpio ov2680 ov8858_driver silead_ts ltr501 bmg160 ak09911 kxcjk_1013
<4>[31010.218499] CPU: 2 PID: 9496 Comm: PreviewStream Tainted: G W O 3.14.70-x86_64-02220-g4d315b0b #1
<4>[31010.229108] Hardware name: Insyde CherryTrail/T3 MRD, BIOS CHTMRD.A6.002.016 09/20/2016
<7>[31010.238073] 0000000000000000 ffff880005a77978 ffffffff81a9c698 ffff880005a779c0
<7>[31010.238196] 0000000000000009 ffff880005a779b0 ffffffff8108b67d ffff880033a49338
<7>[31010.238325] ffff88006a363d78 ffff880068429f38 ffff880033a49301 0000000000000202
<7>[31010.238453] Call Trace:
<4>[31010.238507] [<ffffffff81a9c698>] dump_stack+0x67/0x90
<4>[31010.244283] [<ffffffff8108b67d>] warn_slowpath_common+0x7d/0xa0
<4>[31010.251019] [<ffffffff8108b6ec>] warn_slowpath_fmt+0x4c/0x50
<4>[31010.257473] [<ffffffff81aa73f2>] ? __mutex_lock_slowpath+0x292/0x3d0
<4>[31010.264692] [<ffffffff813a5b58>] __list_add+0xe8/0xf0
<4>[31010.270566] [<ffffffffa02c83e2>] atomisp_buf_queue+0x52/0x90 [atomisp_css2401a0_v21]
<4>[31010.279356] [<ffffffffa00d1911>] videobuf_qbuf+0x441/0x4e0 [videobuf_core]
<4>[31010.287261] [<ffffffffa02b54cf>] atomisp_qbuf+0x14f/0x540 [atomisp_css2401a0_v21]
<4>[31010.295762] [<ffffffff817793db>] v4l_qbuf+0x3b/0x50
<4>[31010.301330] [<ffffffff81778a4c>] __video_do_ioctl+0x26c/0x360
<4>[31010.307887] [<ffffffff8116bfa5>] ? __alloc_pages_nodemask+0x175/0xb50
<4>[31010.315212] [<ffffffff817787e0>] ? v4l_dqevent+0x20/0x20
<4>[31010.321276] [<ffffffff8177a3e0>] video_usercopy+0x390/0x650
<4>[31010.327630] [<ffffffff810e7b8a>] ? __srcu_read_lock+0x7a/0xb0
<4>[31010.334179] [<ffffffff8177a6b5>] video_ioctl2+0x15/0x20
<4>[31010.340135] [<ffffffff81774b64>] v4l2_ioctl+0x154/0x190
<4>[31010.346096] [<ffffffff817834e7>] do_video_ioctl+0x477/0x1690

capq.bufs[x] video buffers get added to buffers_waiting_for_param /
activeq lists. Any update/access to these lists should be proected
with the lock.

Looks like this issue is causing because the list opearations on
buffers_waiting_for_param list are not protected properly with the
lock.

Take a lock before accessing/modifying the buffers_waiting_for_param
list

Change-Id: I3ce95f41fda31bf4bd99170a4559ff2b8b557f27
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-43791Signed-off-by: Pankaj Bharadiya <pankaj.laxminarayan.bharadiya@intel.com>
Reviewed-on: https://android.intel.com:443/574687

This patch is cherry-picked from -
- Repository - https://android.googlesource.com/kernel/common.git
- Branch - android-3.18
- Commit - d018e6f70470ce01ab6275e423906dcc79f847e2.

To quote Riley Andrews(riandrews@google.com) - This ends up doing
more damage than good on most devices. Go back to using a standard
mutex.

rt_mutex is causing issues while warm reboot regression test hence
use standard mutex.

Change-Id: I5d839e875be5ccff6dd9ff210adf150cc00376e5
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-43742Signed-off-by: Pankaj Bharadiya <pankaj.laxminarayan.bharadiya@intel.com>
Reviewed-on: https://android.intel.com:443/573109

(cherry pick from commit 073931017b49d9458aa351605b43a7e34598caef)

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

NB: conflicts resolution included extending the change to all visible
    users of the near deprecated function posix_acl_equiv_mode
    replaced with posix_acl_update_mode. We did not resolve the ACL
    leak in this CL, require additional upstream fixes.

References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Bug: 32458736

Change-Id: I19591ad452cc825ac282b3cfd2daaa72aa9a1ac1
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-43399Signed-off-by: Dave Lin <dave.lin@intel.com>
Reviewed-on: https://android.intel.com:443/572049

added boundary check not to override allocated buffer.
Specially when user input corrupted or manipulated.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 34469904

Change-Id: Id6196da10111517696eda5f186b1e2dd19f66085
CVE: CVE-2017-0573
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-43399Signed-off-by: Dave Lin <dave.lin@intel.com>
Reviewed-on: https://android.intel.com:443/572047

added boundary check not to override allocated buffer
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 34203305

Change-Id: Iad44141ba4e4cd224eda292c05ffe525bf74227d
CVE: CVE-2017-0571
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-43399Signed-off-by: Dave Lin <dave.lin@intel.com>
Reviewed-on: https://android.intel.com:443/572046

1) The default_chan_list buffer overflow is avoided by checking
n_nodfs index does not exceed num_chans, which is the length
of default_chan_list buffer.
2) The SSID length check 32(max limit) is done and then the SSID
name copied in extra buffer is null terminated. The extra buffer
is allocated a length of of 33 in wl_iw_ioctl.c.
3) Issue of chances of cumulative results->pkt_count length
exceeding allocated memory length of results->total_count is
avoided in this fix. change_array is the destination array
whose length is allocated to results->total_count.
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>

Bug: 34197514
Bug: 34199963
Bug: 34198729

Change-Id: I0cd268ab696daac938a99f451607a3f4b2cfaed3
CVE: CVE-2017-0569, CVE-2017-0570, CVE-2017-0568
Tracked-On: https://jira01.devtools.intel.com/browse/OAM-43399Signed-off-by: Dave Lin <dave.lin@intel.com>
Reviewed-on: https://android.intel.com:443/572045