20 May, 2020
1 commit
-
According to Mixel MIPI CSI PHY spec, the minimum value for RXHS_SETTLE
is 85ns + 6*UI and the maximum value for RXHS_SETTLE is 145ns + 10*UI,
so get average value of maximum and minimum as RXHS_SETTLE typical value.Signed-off-by: Guoniu.zhou
Reviewed-by: Sandor Yu
(cherry picked from commit af684872dceece899b439b6167343b1e7655a251)
08 Apr, 2020
2 commits
-
For multi power domain, if DL_FLAG_RPM_ACTIVE flag is set when device link
binding, power domain will keep active after probe, but driver need to let
device into lp status when there is no camera streaming. So remove the flag
in driver.Signed-off-by: Andy Duan
Signed-off-by: Guoniu.zhou -
For multi power domain, if DL_FLAG_RPM_ACTIVE flag is set when device link
binding, power domain will keep active after probe, but driver need to let
device into lp status when there is no camera streaming. So remove the flag
in driver.Signed-off-by: Andy Duan
Signed-off-by: Guoniu.zhou
25 Mar, 2020
1 commit
-
Need flush outer cache after zero CMA allocated memory on arm32 platform.
Change-Id: Ieaa7c62bf65e4490f904d68bed1fa16fb7c5d8fa
Signed-off-by: Richard Liu
Reviewed-by: Bing Song
23 Mar, 2020
1 commit
-
ION CMA memory default is cacheable, need flush cache after memset(),
else cache and physical memory not sync may cause problem.Issue case:
VPU Video playback or GPU render have dirty line issue.Root cause:
ION CMA allocate cacheable buffer and do memset(), some data still in cache
not in physical memory, VPU or GPU write the buffer with physical address,
or user call ion_mmap() to map the buffer through pgprot_writecombine() as
no-cache and write the buffer, later some CPU cache access trigger cache
flush, previous memset() data go to physical memory as dirty data.Change-Id: I82b4cb61bbe6cffc687d452f9f81c1e35914d2f1
Signed-off-by: Richard Liu
Reviewed-by: Bing Song
16 Mar, 2020
1 commit
-
Enable ISI m2m feature for i.MX865. For i.MX8QXP and QM, ISI
use port 5 as image source port from memory, but for i.MX865,
it change to port 2, so add this info as platform data and
configure image source port selection according to the data.Signed-off-by: Guoniu.zhou
Reviewed-by: Sandor Yu
11 Mar, 2020
3 commits
-
For iMX8QM ov5640 camera, if resolution is 1024x768@15, the image
will have overlapping issue.
For iMX8QXP ov5640 camera, if resolution is 1024x768@15, camera APP
will hang, it means no data from driver.Run command as bellow can reproduce the issue:
/unit_tests/V4L2/mx8_v4l2_cap_drm.out -cam 1 -ow 1024 -oh 768 -fr 15Setting HS_SETTLE of CSI to 0x23 for 1024x768@15 can fix the issue
Reviewed-by: Robby Cai
Signed-off-by: Guoniu.zhou -
Fix issue reported by coverity, CCID is 1477259
Reviewed-by: Robby.Cai
Signed-off-by: Guoniu.zhou -
Fix issue reported by Coverity, CID are 1477361 and 6345201
Reviewed-by: Robby.Cai
Signed-off-by: Guoniu.zhou
08 Mar, 2020
1 commit
-
Merge Linux stable release v5.4.24 into imx_5.4.y
* tag 'v5.4.24': (3306 commits)
Linux 5.4.24
blktrace: Protect q->blk_trace with RCU
kvm: nVMX: VMWRITE checks unsupported field before read-only field
...Signed-off-by: Jason Liu
Conflicts:
arch/arm/boot/dts/imx6sll-evk.dts
arch/arm/boot/dts/imx7ulp.dtsi
arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
drivers/clk/imx/clk-composite-8m.c
drivers/gpio/gpio-mxc.c
drivers/irqchip/Kconfig
drivers/mmc/host/sdhci-of-esdhc.c
drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c
drivers/net/can/flexcan.c
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
drivers/net/ethernet/mscc/ocelot.c
drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
drivers/net/phy/realtek.c
drivers/pci/controller/mobiveil/pcie-mobiveil-host.c
drivers/perf/fsl_imx8_ddr_perf.c
drivers/tee/optee/shm_pool.c
drivers/usb/cdns3/gadget.c
kernel/sched/cpufreq.c
net/core/xdp.c
sound/soc/fsl/fsl_esai.c
sound/soc/fsl/fsl_sai.c
sound/soc/sof/core.c
sound/soc/sof/imx/Kconfig
sound/soc/sof/loader.c
29 Feb, 2020
8 commits
-
commit b7db58105b80fa9232719c8329b995b3addfab55 upstream.
When we call kobject_put() and it's the last reference to the kobject
then it calls gb_audio_module_release() and frees module. We dereference
"module" on the next line which is a use after free.Fixes: c77f85bbc91a ("greybus: audio: Fix incorrect counting of 'ida'")
Signed-off-by: Dan Carpenter
Acked-by: Viresh Kumar
Reviewed-by: Vaibhav Agarwal
Link: https://lore.kernel.org/r/20200205123217.jreendkyxulqsool@kili.mountain
Signed-off-by: Greg Kroah-Hartman -
commit 8ae9a588ca35eb9c32dc03299c5e1f4a1e9a9617 upstream.
Currently the rtw_sprintf prints the contents of thread_name
onto thread_name and this can lead to a potential copy of a
string over itself. Avoid this by printing the literal string RTWHALXT
instread of the contents of thread_name.Addresses-Coverity: ("copy of overlapping memory")
Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
Signed-off-by: Colin Ian King
Reviewed-by: Hans de Goede
Link: https://lore.kernel.org/r/20200126220549.9849-1-colin.king@canonical.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman -
commit 23954cb078febfc63a755301fe77e06bccdb4d2a upstream.
In routine wpa_supplicant_ioctl(), the user-controlled p->length is
checked to be at least the size of struct ieee_param size, but the code
does not detect the case where p->length is greater than the size
of the struct, thus a malicious user could be wasting kernel memory.
Fixes commit 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").Reported by: Pietro Oliva
Cc: Pietro Oliva
Cc: Stable
Fixes: 554c0a3abf216 ("staging: Add rtl8723bs sdio wifi driver").
Signed-off-by: Larry Finger
Link: https://lore.kernel.org/r/20200210180235.21691-5-Larry.Finger@lwfinger.net
Signed-off-by: Greg Kroah-Hartman -
commit ac33597c0c0d1d819dccfe001bcd0acef7107e7c upstream.
In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed
to be at least the size of struct ieee_param size, but this assumption is
never checked. This could result in out-of-bounds read/write on kernel
heap in case a p->length less than the size of struct ieee_param is
specified by the user. If p->length is allowed to be greater than the size
of the struct, then a malicious user could be wasting kernel memory.
Fixes commit 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver").Reported by: Pietro Oliva
Cc: Pietro Oliva
Cc: Stable
Fixes 554c0a3abf216 ("0taging: Add rtl8723bs sdio wifi driver").
Signed-off-by: Larry Finger
Link: https://lore.kernel.org/r/20200210180235.21691-3-Larry.Finger@lwfinger.net
Signed-off-by: Greg Kroah-Hartman -
commit 4ddf8ab8d15ddbc52eefb44eb64e38466ce1f70f upstream.
In routine wpa_supplicant_ioctl(), the user-controlled p->length is
checked to be at least the size of struct ieee_param size, but the code
does not detect the case where p->length is greater than the size
of the struct, thus a malicious user could be wasting kernel memory.
Fixes commit a2c60d42d97c ("Add files for new driver - part 16").Reported by: Pietro Oliva
Cc: Pietro Oliva
Cc: Stable
Fixes commit a2c60d42d97c ("Add files for new driver - part 16").
Signed-off-by: Larry Finger
Link: https://lore.kernel.org/r/20200210180235.21691-4-Larry.Finger@lwfinger.net
Signed-off-by: Greg Kroah-Hartman -
commit 499c405b2b80bb3a04425ba3541d20305e014d3e upstream.
In routine rtw_hostapd_ioctl(), the user-controlled p->length is assumed
to be at least the size of struct ieee_param size, but this assumption is
never checked. This could result in out-of-bounds read/write on kernel
heap in case a p->length less than the size of struct ieee_param is
specified by the user. If p->length is allowed to be greater than the size
of the struct, then a malicious user could be wasting kernel memory.
Fixes commit a2c60d42d97c ("Add files for new driver - part 16").Reported by: Pietro Oliva
Cc: Pietro Oliva
Cc: Stable
Fixes: a2c60d42d97c ("staging: r8188eu: Add files for new driver - part 16")
Signed-off-by: Larry Finger
Link: https://lore.kernel.org/r/20200210180235.21691-2-Larry.Finger@lwfinger.net
Signed-off-by: Greg Kroah-Hartman -
commit 93134df520f23f4e9998c425b8987edca7016817 upstream.
bb_pre_ed_rssi is an u8 rx_dm always returns negative signed
values add minus operator to always yield positive.fixes issue where rx sensitivity is always set to maximum because
the unsigned numbers were always greater then 100.Fixes: 63b9907f58f1 ("staging: vt6656: mac80211 conversion: create rx function.")
Cc: stable
Signed-off-by: Malcolm Priestley
Link: https://lore.kernel.org/r/aceac98c-6e69-3ce1-dfec-2bf27b980221@gmail.com
Signed-off-by: Greg Kroah-Hartman -
commit 6d67b0290b4b84c477e6a2fc6e005e174d3c7786 upstream.
When ashmem file is mmapped, the resulting vma->vm_file points to the
backing shmem file with the generic fops that do not check ashmem
permissions like fops of ashmem do. If an mremap is done on the ashmem
region, then the permission checks will be skipped. Fix that by disallowing
mapping operation on the backing shmem file.Reported-by: Jann Horn
Signed-off-by: Suren Baghdasaryan
Cc: stable # 4.4,4.9,4.14,4.18,5.4
Signed-off-by: Todd Kjos
Reviewed-by: Joel Fernandes (Google)
Link: https://lore.kernel.org/r/20200127235616.48920-1-tkjos@google.com
Signed-off-by: Greg Kroah-Hartman
26 Feb, 2020
4 commits
-
Only create debugfs entries if the QBMan nodes exist in the device
tree.Signed-off-by: Roy Pledge
Acked-by: Madalin Bucur
Signed-off-by: Dong Aisheng
(cherry picked from commit 68db373cc5721a31e604604fefeaa66b71204da5) -
- This will enable link update event notification for
user space USDPAA application.Signed-off-by: Sachin Saxena
DPDK-2128
(cherry picked from commit fb53c813a779cc3fc28c8ed3fc8bc0dde24db0ea)(cherry picked from commit 13efcd6d3c9078d22880e23c022b521935e4d78c)
-
Disable portal channel IRQs to avoid them stopping QBMan from
entering idle mode. Since push mode is used in this driver these
interrupts are not needed/used.Signed-off-by: Roy Pledge
(cherry picked from commit 977cf95ef173bf22b1816e7dbafcbb0f8a151133)
(cherry picked from commit 1d40832f4fa7a166b8c142b0baf9541ebb2a80c5) -
Fix the kernel crash when MAC addr is not passed in dtb.
Signed-off-by: Anji Jagarlmudi
(cherry picked from commit 2be5e9c740060b58e962db4c9c20161b0c656ea9)
24 Feb, 2020
2 commits
-
[ Upstream commit c497ae2077c055b85c1bf04f3d182a84bd8f365b ]
The rtl8188 copy of the os_dep support code causes a
warning about a very significant stack usage in the translate_scan()
function:drivers/staging/rtl8188eu/os_dep/ioctl_linux.c: In function 'translate_scan':
drivers/staging/rtl8188eu/os_dep/ioctl_linux.c:306:1: error: the frame size of 1560 bytes is larger than 1400 bytes [-Werror=frame-larger-than=]Use the same trick as in the rtl8723bs copy of the same function, and
allocate it dynamically.Signed-off-by: Arnd Bergmann
Link: https://lore.kernel.org/r/20200104214832.558198-1-arnd@arndb.de
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin -
[ Upstream commit 11e0e167d071a28288a7a0a211d48c571d19b56f ]
Currently if the allocation of new_buf fails then a null pointer
dereference occurs when assiging new_buf->vb. Avoid this by returning
early on a memory allocation failure as there is not much more can
be done at this point.Addresses-Coverity: ("Dereference null return")
Fixes: 3e7f51bd9607 ("media: meson: add v4l2 m2m video decoder driver")
Signed-off-by: Colin Ian King
Reviewed-by: Kevin Hilman
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin
01 Feb, 2020
6 commits
-
[ Upstream commit b483b4e4d3f6bfd5089b9e6dc9ba259879c6ce6f ]
Depending on revision of the chip, reset lines are inverted. Make code
more readable making use of 'soc_device_match' in driver probe function.Signed-off-by: Sergio Paracuellos
Link: https://lore.kernel.org/r/20191006181032.19112-1-sergio.paracuellos@gmail.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin -
commit 9dd631fa99dc0a0dfbd191173bf355ba30ea786a upstream.
The driver reporting IEEE80211_TX_STAT_ACK is not being handled
correctly. The driver should only report on TSR_TMO flag is not
set indicating no transmission errors and when not IEEE80211_TX_CTL_NO_ACK
is being requested.Cc: stable
Signed-off-by: Malcolm Priestley
Link: https://lore.kernel.org/r/340f1f7f-c310-dca5-476f-abc059b9cd97@gmail.com
Signed-off-by: Greg Kroah-Hartman -
commit d579c43c82f093e63639151625b2139166c730fd upstream.
It appears that the drivers does not go into power save correctly the
NULL data packets are not being transmitted because it not enabled
in mac80211.The driver needs to capture ieee80211_is_nullfunc headers and
copy the duration_id to it's own duration data header.Cc: stable
Signed-off-by: Malcolm Priestley
Link: https://lore.kernel.org/r/610971ae-555b-a6c3-61b3-444a0c1e35b4@gmail.com
Signed-off-by: Greg Kroah-Hartman -
commit d971fdd3412f8342747778fb59b8803720ed82b1 upstream.
It appears that the driver still transmits in CTS protect mode even
though it is not enabled in mac80211.That is both packet types PK_TYPE_11GA and PK_TYPE_11GB both use CTS protect.
The only difference between them GA does not use B rates.Find if only B rate in GB or GA in protect mode otherwise transmit packets
as PK_TYPE_11A.Cc: stable
Signed-off-by: Malcolm Priestley
Link: https://lore.kernel.org/r/9c1323ff-dbb3-0eaa-43e1-9453f7390dc0@gmail.com
Signed-off-by: Greg Kroah-Hartman -
commit 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 upstream.
Currently when the call to prism2sta_ifst fails a netdev_err error
is reported, error return variable result is set to -1 but the
function always returns 0 for success. Fix this by returning
the error value in variable result rather than 0.Addresses-Coverity: ("Unused value")
Fixes: 00b3ed168508 ("Staging: add wlan-ng prism2 usb driver")
Signed-off-by: Colin Ian King
Cc: stable
Link: https://lore.kernel.org/r/20200114181604.390235-1-colin.king@canonical.com
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Greg Kroah-Hartman -
commit 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 upstream.
If the length of the socket buffer is 0xFFFFFFFF (max size for an
unsigned int), then payload_len becomes 0xFFFFFFF1 after subtracting 14
(ETH_HLEN). Then, mdp_len is set to payload_len + 16 (MDP_HDR_LEN)
which overflows and results in a value of 2. These values for
payload_len and mdp_len will pass current buffer size checks.This patch checks if derived from skb->len sum may overflow.
The check is based on the following idea:
For any `unsigned V1, V2` and derived `unsigned SUM = V1 + V2`,
`V1 + V2` overflows iif `SUM < V1`.Reported-by: Greg Kroah-Hartman
Signed-off-by: Andrey Shvetsov
Cc: stable
Link: https://lore.kernel.org/r/20200116172238.6046-1-andrey.shvetsov@microchip.com
Signed-off-by: Greg Kroah-Hartman
23 Jan, 2020
2 commits
-
commit 9fea3a40f6b07de977a2783270c8c3bc82544d45 upstream.
This patch fixes a regression on setting up asynchronous commands to use
external trigger sources when board-specific routing information is
missing.`ni_find_device_routes()` (called via `ni_assign_device_routes()`) finds
the table of register values for the device family and the set of valid
routes for the specific board. If both are found,
`tables->route_values` is set to point to the table of register values
for the device family and `tables->valid_routes` is set to point to the
list of valid routes for the specific board. If either is not found,
both `tables->route_values` and `tables->valid_routes` are left set at
their initial null values (initialized by `ni_assign_device_routes()`)
and the function returns `-ENODATA`.Returning an error results in some routing functionality being disabled.
Unfortunately, leaving `table->route_values` set to `NULL` also breaks
the setting up of asynchronous commands that are configured to use
external trigger sources. Calls to `ni_check_trigger_arg()` or
`ni_check_trigger_arg_roffs()` while checking the asynchronous command
set-up would result in a null pointer dereference if
`table->route_values` is `NULL`. The null pointer dereference is fixed
in another patch, but it now results in failure to set up the
asynchronous command. That is a regression from the behavior prior to
commit 347e244884c3 ("staging: comedi: tio: implement global tio/ctr
routing") and commit 56d0b826d39f ("staging: comedi: ni_mio_common:
implement new routing for TRIG_EXT").Change `ni_find_device_routes()` to set `tables->route_values` and/or
`tables->valid_routes` to valid information even if the other one can
only be set to `NULL` due to missing information. The function will
still return an error in that case. This should result in
`tables->valid_routes` being valid for all currently supported device
families even if the board-specific routing information is missing.
That should be enough to fix the regression on setting up asynchronous
commands to use external triggers for boards with missing routing
information.Fixes: 347e244884c3 ("staging: comedi: tio: implement global tio/ctr routing")
Fixes: 56d0b826d39f ("staging: comedi: ni_mio_common: implement new routing for TRIG_EXT").
Cc: # 4.20+
Cc: Spencer E. Olson
Signed-off-by: Ian Abbott
Link: https://lore.kernel.org/r/20200114182532.132058-3-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman -
commit 01e20b664f808a4f3048ca3f930911fd257209bd upstream.
In `ni_find_route_source()`, `tables->route_values` gets dereferenced.
However it is possible that `tables->route_values` is `NULL`, leading to
a null pointer dereference. `tables->route_values` will be `NULL` if
the call to `ni_assign_device_routes()` during board initialization
returned an error due to missing device family routing information or
missing board-specific routing information. For example, there is
currently no board-specific routing information provided for the
PCIe-6251 board and several other boards, so those are affected by this
bug.The bug is triggered when `ni_find_route_source()` is called via
`ni_check_trigger_arg()` or `ni_check_trigger_arg_roffs()` when checking
the arguments for setting up asynchronous commands. Fix it by returning
`-EINVAL` if `tables->route_values` is `NULL`.Even with this fix, setting up asynchronous commands to use external
trigger sources for boards with missing routing information will still
fail gracefully. Since `ni_find_route_source()` only depends on the
device family routing information, it would be better if that was made
available even if the board-specific routing information is missing.
That will be addressed by another patch.Fixes: 4bb90c87abbe ("staging: comedi: add interface to ni routing table information")
Cc: # 4.20+
Cc: Spencer E. Olson
Signed-off-by: Ian Abbott
Link: https://lore.kernel.org/r/20200114182532.132058-2-abbotti@mev.co.uk
Signed-off-by: Greg Kroah-Hartman
18 Jan, 2020
5 commits
-
[ Upstream commit ce644cf3fa06504c2c71ab1b794160d54aaccbc0 ]
A struct that needs to be aligned to 32 bytes has a size of 28. Increase
the size to 32.This makes elements of arrays of this struct aligned to 32 as well, and
other structs where members are aligned to 32 mixing
ipu3_uapi_awb_fr_config_s as well as other types.Fixes: commit dca5ef2aa1e6 ("media: staging/intel-ipu3: remove the unnecessary compiler flags")
Signed-off-by: Sakari Ailus
Tested-by: Bingbu Cao
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Sasha Levin -
commit a2cbf80a842add9663522bf898cf13cb2ac4e423 upstream.
The FIELDPIC_FLAG_E bit should be set when field_pic_flag exists in stream,
it is currently set based on field_pic_flag of current frame.
The PIC_FIELDMODE_E bit is correctly set based on the field_pic_flag.Fix this by setting the FIELDPIC_FLAG_E bit when frame_mbs_only is not set.
Fixes: dea0a82f3d22 ("media: hantro: Add support for H264 decoding on G1")
Signed-off-by: Jonas Karlman
Reviewed-by: Boris Brezillon
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman -
commit e17f08e3166635d2eaa6a894afeb28ca651ddd35 upstream.
Scaling list supplied from userspace should be in matrix order
and can be used without applying the inverse scanning process.The HW also only support 8x8 scaling list for the Y component, indices 0
and 1 in the scaling list supplied from userspace.Remove reordering and write the scaling matrix in an order expected by
the VPU, also only allocate memory for the two 8x8 lists supported.Fixes: a9471e25629b ("media: hantro: Add core bits to support H264 decoding")
Signed-off-by: Jonas Karlman
Reviewed-by: Philipp Zabel
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman -
commit a6b8feae7c88343212686120740cf7551dd16e08 upstream.
Documentation now defines the expected order of scaling lists,
change to use correct indices.Fixes: 6eb9b758e307 ("media: cedrus: Add H264 decoding support")
Signed-off-by: Jonas Karlman
Reviewed-by: Philipp Zabel
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman -
commit 9db5f87f6723678a7e7e5e3165439c5c4378edbb upstream.
Step '8.2.4.1 Decoding process for picture numbers' was missing in the
reflist creation logic, leading to invalid P reflists when a
->frame_num wraparound happens.Fixes: a9471e25629b ("media: hantro: Add core bits to support H264 decoding")
Reported-by: Francois Buergisser
Signed-off-by: Boris Brezillon
Reviewed-by: Philipp Zabel
Tested-by: Philipp Zabel
Tested-by: Francois Buergisser
Reviewed-by: Tomasz Figa
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
17 Jan, 2020
3 commits
-
Set panic threshold for Y, U, V output buffer in ISI for different version
Signed-off-by: Guoniu.zhou
Reviewed-by: Robby Cai -
For i.MX8MN platform, it uses dispmix-reset driver to control bus reset,
clock enable for LCDIF, DSI, CSI and ISI in dispmix GPR. But for i.MX8MP,
driver for mediamxi GPR isn't ready, so use no-reset-control property in
dts to skip parse reset node.Signed-off-by: Guoniu.zhou
Reviewed-by: Robby Cai -
Remove CSI PHY clock operation because MIPI CSI only need clock
for CSI core.Signed-off-by: Guoniu.zhou
Reviewed-by: Robby Cai