Since android_vh_alloc_pages_slowpath is revert by
commit e09000ee19 ("Revert half of "ANDROID: vendor_hooks: Add hooks
for memory when debug""). re-add hooks here to measure the duration
Bug: 182443489
Signed-off-by: liuhailong <liuhailong@oppo.com>
Change-Id: Ie4534047105d8409623692cc3811b55d9ddbd17d
emulation_proc_handler() changes table->data for proc_dointvec_minmax
and can generate the following Oops if called concurrently with itself:
| Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010
| Internal error: Oops: 96000006 [#1] SMP
| Call trace:
| update_insn_emulation_mode+0xc0/0x148
| emulation_proc_handler+0x64/0xb8
| proc_sys_call_handler+0x9c/0xf8
| proc_sys_write+0x18/0x20
| __vfs_write+0x20/0x48
| vfs_write+0xe4/0x1d0
| ksys_write+0x70/0xf8
| __arm64_sys_write+0x20/0x28
| el0_svc_common.constprop.0+0x7c/0x1c0
| el0_svc_handler+0x2c/0xa0
| el0_svc+0x8/0x200
To fix this issue, keep the table->data as &insn->current_mode and
use container_of() to retrieve the insn pointer. Another mutex is
used to protect against the current_mode update but not for retrieving
insn_emulation as table->data is no longer changing.
Bug: 237540956
Co-developed-by: hewenliang <hewenliang4@huawei.com>
Signed-off-by: hewenliang <hewenliang4@huawei.com>
Signed-off-by: Haibin Zhang <haibinzhang@tencent.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Link: https://lore.kernel.org/r/20220128090324.2727688-1-hewenliang4@huawei.com
Link: https://lore.kernel.org/r/9A004C03-250B-46C5-BF39-782D7551B00E@tencent.com
Signed-off-by: Will Deacon <will@kernel.org>
[Lee: Added Fixes: tag]
(cherry picked from commit af483947d472eccb79e42059276c4deed76f99a6
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux.git for-next/core)
Fixes: 587064b610 ("arm64: Add framework for legacy instruction emulation")
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: If9b96bb79c79903f9d8292e719b06fdef57ef1c5
According to the programming guide, it is recommended to
perform a GCTL_CORE_SOFTRESET only when switching the mode
from device to host or host to device. However, it is found
that during bootup when __dwc3_set_mode() is called for the
first time, GCTL_CORESOFTRESET is done with suspendable bit(BIT 17)
of DWC3_GUSB3PIPECTL set. This some times leads to issues
like controller going into bad state and controller registers
reading value zero. Until GCTL_CORESOFTRESET is done and
run/stop bit is set core initialization is not complete.
Setting suspendable bit of DWC3_GUSB3PIPECTL and then
performing GCTL_CORESOFTRESET is therefore not recommended.
Avoid this by only performing the reset if current_dr_role is set,
that is, when doing subsequent role switching.
Fixes: f88359e1588b ("usb: dwc3: core: Do core softreset when switch
mode")
Signed-off-by: Rohith Kollalsi <quic_rkollals@quicinc.com>
Link:
https://lore.kernel.org/r/20220714045625.20377-1-quic_rkollals@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 07903626d98853e605fe63e5ce149f1b7314bbea
https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git/
usb-next)
BUG: 239121944
Change-Id: Ice6da5dd64896d5deeab425dd1ac5389425a1cc8
Signed-off-by: Rohith Kollalsi <quic_rkollals@quicinc.com>
Add vendor hook when detecting process status through
pidfd_open.
Bug: 238725692
Change-Id: I565988cb8bf6dd44ab4dc15c410c2dcf50703def
Signed-off-by: xiaofeng <xiaofeng5@xiaomi.com>
Add vendor hook android_vh_set_shmem_page_flag in shmem_writepage to
set a flag in page_ext, which indicates that this page is a shmem page,
to be used in android_vh_get_swap_page. The shared page should not be
reclaimed to the extended memory, ie, the specified swap location.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I33a9007c88b4d8aab3da044c8a05eb45d7e74f3a
When many devices share the same iova domain, iommu_dma_init_domain()
may be called at the same time. The checking of iovad->start_pfn will
all get false in iommu_dma_init_domain() and both enter init_iova_domain()
to do iovad initialization.
Fix this by protecting init_iova_domain() with iommu_dma_cookie->mutex.
Exception backtrace:
rb_insert_color(param1=0xFFFFFF80CD2BDB40, param3=1) + 64
init_iova_domain() + 180
iommu_setup_dma_ops() + 260
arch_setup_dma_ops() + 132
of_dma_configure_id() + 468
platform_dma_configure() + 32
really_probe() + 1168
driver_probe_device() + 268
__device_attach_driver() + 524
__device_attach() + 524
bus_probe_device() + 64
deferred_probe_work_func() + 260
process_one_work() + 580
worker_thread() + 1076
kthread() + 332
ret_from_fork() + 16
Signed-off-by: Ning Li <ning.li@mediatek.com>
Signed-off-by: Yunfei Wang <yf.wang@mediatek.com>
Acked-by: Robin Murphy <robin.murphy@arm.com>
Reviewed-by: Miles Chen <miles.chen@mediatek.com>
Link: https://lore.kernel.org/r/20220530120748.31733-1-yf.wang@mediatek.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Bug: 236922015
(cherry picked from commit ac9a5d522bb80be50ea84965699e1c8257d745ce
https://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu.git core)
[Yunfei: Embed iommu_dma_cookie into iommu_dma_cookie_ext to avoid
changing struct iommu_dma_cookie]
Signed-off-by: Yunfei Wang <yf.wang@mediatek.com>
Change-Id: I9b7931bea912837f17d2322713ba68a37122499d
(cherry picked from commit 8a410d778a3c3b1f535acecff7f53c542ffb348c)
When the target process is busy, incoming oneway transactions are
queued in the async_todo list. If the clients continue sending extra
oneway transactions while the target process is frozen, this queue can
become too large to accommodate new transactions. That's why binder
driver introduced ONEWAY_SPAM_DETECTION to detect this situation. It's
helpful to debug the async binder buffer exhausting issue, but the
issue itself isn't solved directly.
In real cases applications are designed to send oneway transactions
repeatedly, delivering updated inforamtion to the target process.
Typical examples are Wi-Fi signal strength and some real time sensor
data. Even if the apps might only care about the lastet information,
all outdated oneway transactions are still accumulated there until the
frozen process is thawed later. For this kind of situations, there's
no existing method to skip those outdated transactions and deliver the
latest one only.
This patch introduces a new transaction flag TF_UPDATE_TXN. To use it,
use apps can set this new flag along with TF_ONE_WAY. When such an
oneway transaction is to be queued into the async_todo list of a frozen
process, binder driver will check if any previous pending transactions
can be superseded by comparing their code, flags and target node. If
such an outdated pending transaction is found, the latest transaction
will supersede that outdated one. This effectively prevents the async
binder buffer running out and saves unnecessary binder read workloads.
Acked-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Li Li <dualli@google.com>
Link: https://lore.kernel.org/r/20220526220018.3334775-2-dualli@chromium.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 231624308
Test: manually check async binder buffer size of frozen apps
Test: stress test with kernel 4.14/4.19/5.10/5.15
(cherry picked from commit 9864bb4801331daa48514face9d0f4861e4d485b
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
char-misc-next)
Change-Id: I1c4bff1eda1ca15aaaad5bf696c8fc00be743176
Each cset (css_set) is pinned by its tasks. When we're moving tasks around
across csets for a migration, we need to hold the source and destination
csets to ensure that they don't go away while we're moving tasks about. This
is done by linking cset->mg_preload_node on either the
mgctx->preloaded_dst_csets or mgctx->preloaded_dst_csets list. Using the
same cset->mg_preload_node for both the src and dst lists was deemed okay as
a cset can't be both the source and destination at the same time.
Unfortunately, this overloading becomes problematic when multiple tasks are
involved in a migration and some of them are identity noop migrations while
others are actually moving across cgroups. For example, this can happen with
the following sequence on cgroup1:
#1> mkdir -p /sys/fs/cgroup/misc/a/b
#2> echo $$ > /sys/fs/cgroup/misc/a/cgroup.procs
#3> RUN_A_COMMAND_WHICH_CREATES_MULTIPLE_THREADS &
#4> PID=$!
#5> echo $PID > /sys/fs/cgroup/misc/a/b/tasks
#6> echo $PID > /sys/fs/cgroup/misc/a/cgroup.procs
the process including the group leader back into a. In this final migration,
non-leader threads would be doing identity migration while the group leader
is doing an actual one.
After #3, let's say the whole process was in cset A, and that after #4, the
leader moves to cset B. Then, during #6, the following happens:
1. cgroup_migrate_add_src() is called on B for the leader.
2. cgroup_migrate_add_src() is called on A for the other threads.
3. cgroup_migrate_prepare_dst() is called. It scans the src list.
3. It notices that B wants to migrate to A, so it tries to A to the dst
list but realizes that its ->mg_preload_node is already busy.
4. and then it notices A wants to migrate to A as it's an identity
migration, it culls it by list_del_init()'ing its ->mg_preload_node and
putting references accordingly.
5. The rest of migration takes place with B on the src list but nothing on
the dst list.
This means that A isn't held while migration is in progress. If all tasks
leave A before the migration finishes and the incoming task pins it, the
cset will be destroyed leading to use-after-free.
This is caused by overloading cset->mg_preload_node for both src and dst
preload lists. We wanted to exclude the cset from the src list but ended up
inadvertently excluding it from the dst list too.
This patch fixes the issue by separating out cset->mg_preload_node into
->mg_src_preload_node and ->mg_dst_preload_node, so that the src and dst
preloadings don't interfere with each other.
Bug: 236582926
Change-Id: Ieaf1c0c8fc23753570897fd6e48a54335ab939ce
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Mukesh Ojha <quic_mojha@quicinc.com>
Reported-by: shisiyuan <shisiyuan19870131@gmail.com>
Link: http://lkml.kernel.org/r/1654187688-27411-1-git-send-email-shisiyuan@xiaomi.com
Link: https://lore.kernel.org/lkml/Yh+RGIJ0f3nrqIiN@slm.duckdns.org/#t
Fixes: f817de9851 ("cgroup: prepare migration path for unified hierarchy")
Cc: stable@vger.kernel.org # v3.16+
(cherry picked from commit 07fd5b6cdf3cc30bfde8fe0f644771688be04447
https://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup.git for-5.19-fixes)
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
Signed-off-by: Mukesh Ojha <quic_mojha@quicinc.com>
[mojha: Move the two new list heads into a wrapper ext_css_set struct to ensure
ABI doesn't break and also defined a macro init_css_set which will be replaced
with init_ext_css_set.cset to avoid too much code changes]
This adds "function_name" configfs entry to change string value
of the iInterface field. This field will be shown in Windows' audio
settings panel, so being able to change it is useful. It will default
to "Source/Sink" just as before.
Signed-off-by: Yunhao Tian <t123yh.xyz@gmail.com>
Link: https://lore.kernel.org/r/20220122112446.1415547-2-t123yh.xyz@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 993a44fa85c1ea5989fb5c46236ca2e3cfd71b78)
Change-Id: I6061d841eee5b611f18280c901849d0c4b2a17d4
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
This adds "function_name" configfs entry to change string value
of the iInterface field. This field will be shown in Windows' audio
settings panel, so being able to change it is useful. It will default
to "AC Interface" just as before if unchanged.
Signed-off-by: Yunhao Tian <t123yh.xyz@gmail.com>
Link: https://lore.kernel.org/r/20220122112446.1415547-1-t123yh.xyz@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit dfb05b5dc3afd90e564b69b88ff6be6947a0f32f)
Change-Id: Ibd0e417ab82efe1fb3aa6fd5bb33fb70f113cf1a
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
When USB cable gets disconnected, the undergoing playback/capture
stalls, without any notification to u_audio about the change.
Experiments with a dwc2 gadget revealed that Suspend interrupt is
thrown at cable disconnection, which the gadget framework translates to
calling suspend callback of a function, if it is defined.
Add the suspend callback to f_uac2 function, calling
corresponding method of u_audio in order to stop the respective PCM
streams and to notify subscribed clients at cable disconnection.
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20220121155308.48794-10-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 7ff4a3b5489959a0256840a361b54d979b822535)
Change-Id: I43f5ccd6f84771bd63462ba9b2419a9e42f45746
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
The Playback/Capture ctl currently reports rate value set by USB
control selector UAC2_CS_CONTROL_SAM_FREQ (fixed for UAC1). When the
stops playback/capture, the reported value does not change. The gadget
side has no information whether the host has started/stopped
capture/playback.
This patch sets the value reported by the respective rate ctl to zero
when the host side has stopped playback/capture. Also, it calls
snd_ctl_notify when start/stop occurs, so that a subscribed client can
act appropriately.
Tests have confirmed that USB hosts change UAC2_CS_CONTROL_SAM_FREQ
before switching altsetting to activate playback/capture, resulting in
correct order (params->c/p_srate is set to requested rate before
u_audio_start_capture/playback is called).
The gadget rate notifications are used by user-space audio gadget
controller gaudio_ctl https://github.com/pavhofman/gaudio_ctl.
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20220121155308.48794-8-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 8fe9a03f43316cd93e753d06372159d23ba931d4)
Change-Id: I5156f080c0a22a1c3a57e8b3113a1047b945c1ca
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
A list of sampling rates can be specified via configfs. All enabled
sampling rates are sent to the USB host on request. When the host
selects a sampling rate the internal active rate is updated.
Config strings with single value stay compatible with the previous version.
Multiple samplerates passed as configuration arrays to g_audio module
when built for f_uac1.
Signed-off-by: Julian Scheel <julian@jusst.de>
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20220121155308.48794-7-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 695d39ffc2b59b8333ff85724619514f98613205)
Change-Id: I0515eb9ca5ed7e809007ee711aedf389c1b1c40d
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
A list of sampling rates can be specified via configfs. All enabled
sampling rates are sent to the USB host on request. When the host
selects a sampling rate, the internal active rate (stored in
struct f_uac2) is updated.
The gadget no longer supports only one frequency. Therefore USB strings
corresponding to the clock sources are renamed from specific Hz value to
general names Input clock/Output clock.
Config strings with single value stay compatible with the previous
version.
Multiple samplerates passed as configuration arrays to g_audio module
when built for f_uac2.
Signed-off-by: Julian Scheel <julian@jusst.de>
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20220121155308.48794-6-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit a7339e4f5788bd088bb0be1f96a6cce459676ed0)
Change-Id: I3ee59833975c6d010cd3335da0746eec828f4a0e
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
If bInterval is 1, then p_interval is 8000 and p_interval_mil is 8E9,
which is too big for a 32-bit value. While the storage is indeed
64-bit, this value is used as the divisor in do_div() which will
truncate it into a uint32_t leading to incorrect calculated values.
Switch back to keeping the base value in struct snd_uac_chip which fits
easily into an int, meaning that the division can be done in two steps
with the divisor fitting safely into a uint32_t on both steps.
Fixes: 6fec018a7e70 ("usb: gadget: u_audio.c: Adding Playback Pitch ctl for sync playback")
Tested-by: Pavel Hofman <pavel.hofman@ivitera.com>
Signed-off-by: John Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20220104183243.718258-1-john@metanate.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit f2f69bf65df12176843ca11eab99949ba69e128b)
Change-Id: Ia1e0dcdd66d60013705f9ee6ff5f76f18bdbb17e
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
The u_audio param fb_max was not set to its default value in f_uac1.c.
As a result the maximum value of Playback Pitch ctl was kept at 1000000,
not allowing to set faster playback pitch for UAC1.
The setting required moving the default constant UAC2_DEF_FB_MAX from
u_uac2.h to FBACK_FAST_MAX in u_audio.h as that header is common for
f_uac1.c and f_uac2.c.
Fixes: 6fec018a7e70 ("usb: gadget: u_audio.c: Adding Playback Pitch ctl for sync playback")
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20211022140339.248669-1-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit d9f273484358285b448aff65bffeb361d0b1f917)
Change-Id: I3aadc7c6d1695be7d1ab93078c4875b87e472afd
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
EP IN is hard-coded as ASYNC both in f_uac1 and f_uac2 but u_audio sends
steady number of audio frames in each USB packet, without any control.
This patch adds 'Playback Pitch 1000000' ctl analogous to the existing
'Capture Pitch 1000000' ctl. The calculation of playback req->length in
u_audio_iso_complete respects the Playback Pitch ctl value to 1ppm now.
Max. value for Playback Pitch is configured by the existing parameter
uac2_opts->fb_max, used also for the Capture Pitch.
Since the EP IN packet size can be increased by uac2_opts->fb_max now,
maxPacketSize for the playback direction is calculated by the same
algorithm as for the async capture direction in
f_uac2.c:set_ep_max_packet_size.
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20211013073934.36476-1-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 6fec018a7e70d611412dd961e596b0415c6d365c)
Change-Id: Ib4ed5921ed9bee7579b3f5f2eb3ae853ef263883
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
Changeset af6cbe09920 ("usb: gadget: f_uac2: add volume and mute support")
added some new elements to the table but didn't care enough to actually
adjust the columns, causing the output to be broken as warned by
Sphinx when producing the documentation.
Readjust it for it to be a valid ReST table.
Fixes: eaf6cbe09920 ("usb: gadget: f_uac2: add volume and mute support")
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Link: https://lore.kernel.org/r/d253819a4c201b942d754682bb91dd278300fb79.1632740376.git.mchehab+huawei@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 5ef803538bd2f2907b0a44e24f094cf9bbf8bc13)
Change-Id: I84fedd31e7534f884a5dafdbd3bfbf612e4161f3
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
Changeset 0356e6283c71 ("usb: gadget: f_uac1: add volume and mute support")
added some new elements to the table but didn't care enough to actually
adjust the columns, causing the output to be broken as warned by
Sphinx when producing the documentation.
Readjust it for it to be a valid ReST table.
Fixes: 0356e6283c71 ("usb: gadget: f_uac1: add volume and mute support")
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Link: https://lore.kernel.org/r/044b0c14c35922bdcca50551fe2aa870baae9b06.1632740376.git.mchehab+huawei@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 1b8af67cae654c3c8d719563a2eabb88371d01c9)
Change-Id: I55cbfab7a954b0bd4b256dd43fe6f7e40c5201e3
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
This adds bi-directional (host->device, device->host)
volume/mute support to the f_uac1 driver by adding
Feature Units and interrupt endpoint.
Currently only master channel is supported.
Volume and mute are configurable through configfs,
by default volume has -100..0 dB range with 1 dB step.
Similar to existing flexible endpoints configuration,
Feature Unit won't be added to the topology if both
mute and volume are not enabled, also interrupt endpoint
isn't added to the device if no feature unit is present
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20210712125529.76070-5-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 0356e6283c7177391d144612f4b12986ed5c4f6e)
Change-Id: If37a2696bd3cfd0ab9ad1022e804b5e355fdfb64
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
This adds bi-directional (host->device, device->host)
volume/mute support to the f_uac2 driver by adding
Feature Units and interrupt endpoint.
Currently only master channel is supported.
Volume and mute are configurable through configfs,
by default volume has -100..0 dB range with 1 dB step.
Similar to existing flexible endpoints configuration,
Feature Unit won't be added to the topology if both
mute and volume are not enabled, also interrupt endpoint
isn't added to the device if no feature unit is present
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20210712125529.76070-4-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit eaf6cbe0992052a46d93047dc122fad5126aa3bd)
[luizmmat: Resolved minor conflict in f_uac2.c]
Change-Id: Ie8e0de9ac43d2d2030e530e8b244760f45627d7e
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
USB Audio Class 1/2 have ability to change device's
volume and mute by USB Host through class-specific control
requests. Device also can notify Host about volume/mute
change on its side through optional interrupt endpoint.
This patch adds Volume and Mute ALSA controls which can be
used by user to send and receive notifications to/from
the USB Host about Volume and Mute change.
These params come from f_uac* so volume and mute controls
will be created only if the function support and enable
each explicitly
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20210712125529.76070-3-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 02de698ca8123782c0c6fb8ed99080e2f032b0d2)
Change-Id: I7354c4c354952224ab88acd0b8d77d9bc4ba0745
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
Similar to UAC1 spec, UAC2 feature unit descriptor
has variable size.
Current audio-v2 feature unit descriptor structure
is used for parsing descriptors, but can't be used
to define your own descriptor.
Add a new macro similar to what audio v1 already has.
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
Link: https://lore.kernel.org/r/20210712125529.76070-2-pavel.hofman@ivitera.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit b48f8939b9ff593ebed20433bb53c51199920412)
Change-Id: Ifa8f979824d81ce6c269f34e0e1118cb4701493a
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
Static code analysis tool reported NULL pointer access in
shrink_page_list() as the commit 26aa2d199d6f2 ("mm/migrate: demote
pages during reclaim") expects valid pgdat.
There is already an existing api, reclaim_pages, that tries to reclaim
pages from the list. use it instead of creating custom function.
Bug: 201263305
Fixes: 96f80f628451 ("ANDROID: mm: add reclaim_shmem_address_space() for faster reclaims")
Change-Id: Iaa11feac94c9e8338324ace0276c49d6a0adeb0c
Signed-off-by: Charan Teja Reddy <quic_charante@quicinc.com>
User can configure f_uac1 function via p_chmask/c_chmask
whether uac1 shall support playback and/or capture,
but it has only effect on the created ALSA device,
but not on the USB descriptor.
This patch adds playback/capture descriptors
dependent on that parameter. It is similar to
the same conversion done earlier for f_uac2
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Link: https://lore.kernel.org/r/1614599375-8803-6-git-send-email-ruslan.bilovol@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Bug: 235196743
(cherry picked from commit 254cb1e0d78cfa2c189171cacb88fc85d915bc84)
Change-Id: I02328b9c496645e487ad9eb4784e9a4ac80c85f9
Signed-off-by: Luiz Matheus <luizmmat@motorola.com>
commit d270453a0d9ec10bb8a802a142fb1b3601a83098 upstream.
There are destructive operations such as nfcmrvl_fw_dnld_abort and
gpio_free in nfcmrvl_nci_unregister_dev. The resources such as firmware,
gpio and so on could be destructed while the upper layer functions such as
nfcmrvl_fw_dnld_start and nfcmrvl_nci_recv_frame is executing, which leads
to double-free, use-after-free and null-ptr-deref bugs.
There are three situations that could lead to double-free bugs.
The first situation is shown below:
(Thread 1) | (Thread 2)
nfcmrvl_fw_dnld_start |
... | nfcmrvl_nci_unregister_dev
release_firmware() | nfcmrvl_fw_dnld_abort
kfree(fw) //(1) | fw_dnld_over
| release_firmware
... | kfree(fw) //(2)
| ...
The second situation is shown below:
(Thread 1) | (Thread 2)
nfcmrvl_fw_dnld_start |
... |
mod_timer |
(wait a time) |
fw_dnld_timeout | nfcmrvl_nci_unregister_dev
fw_dnld_over | nfcmrvl_fw_dnld_abort
release_firmware | fw_dnld_over
kfree(fw) //(1) | release_firmware
... | kfree(fw) //(2)
The third situation is shown below:
(Thread 1) | (Thread 2)
nfcmrvl_nci_recv_frame |
if(..->fw_download_in_progress)|
nfcmrvl_fw_dnld_recv_frame |
queue_work |
|
fw_dnld_rx_work | nfcmrvl_nci_unregister_dev
fw_dnld_over | nfcmrvl_fw_dnld_abort
release_firmware | fw_dnld_over
kfree(fw) //(1) | release_firmware
| kfree(fw) //(2)
The firmware struct is deallocated in position (1) and deallocated
in position (2) again.
The crash trace triggered by POC is like below:
BUG: KASAN: double-free or invalid-free in fw_dnld_over
Call Trace:
kfree
fw_dnld_over
nfcmrvl_nci_unregister_dev
nci_uart_tty_close
tty_ldisc_kill
tty_ldisc_hangup
__tty_hangup.part.0
tty_release
...
What's more, there are also use-after-free and null-ptr-deref bugs
in nfcmrvl_fw_dnld_start. If we deallocate firmware struct, gpio or
set null to the members of priv->fw_dnld in nfcmrvl_nci_unregister_dev,
then, we dereference firmware, gpio or the members of priv->fw_dnld in
nfcmrvl_fw_dnld_start, the UAF or NPD bugs will happen.
This patch reorders destructive operations after nci_unregister_device
in order to synchronize between cleanup routine and firmware download
routine.
The nci_unregister_device is well synchronized. If the device is
detaching, the firmware download routine will goto error. If firmware
download routine is executing, nci_unregister_device will wait until
firmware download routine is finished.
Bug: 234690530
Fixes: 3194c68701 ("NFC: nfcmrvl: add firmware download support")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I8cc1f6450c7fecf5f5994033931da1d23a522282
Provide a vendor hook android_vh_free_pages to clear the
information in struct page_ext, when the page is freed.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Iac8e3a72f59f8d3ae16dbc93d94034fe4b627d61
Create and export a function is_swap_slot_cache_enabled
to check whether the swap slot cache can be used.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Iaca9519b838e0c3c8c06acbec83003f8309aa363
Provide a vendor hook android_vh_swap_slot_cache_active to
pass the active status of swap_slots_cache. This status
will be used in the process of reclaiming the pages that
is required to be reclaimed to a specified swap location.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I8211760e0f37fe4a514f6ceaae9993925da8cd6d
Export swapcache_free_entries to be used in the alternative function
android_vh_drain_slots_cache_cpu to swap entries in swap slot cache,
it's usage is similar to the usage in drain_slots_cache_cpu.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ia89b1728d540c5cc8995a939a918e12c23057266
3 symbols are exported to be used in vendor hook android_vh_get_swap_page:
1)check_cache_active, used to get swap page from the specified
swap location, it's usage is similar to the usage in get_swap_page
2)scan_swap_map_slots, used to get swap page from the specified swap,
it's usage is similar to get_swap_pages
3)swap_alloc_cluster, used to get swap page from the specified swap,
it's usage is similar to get_swap_pages
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: Ie24c5d32a16c7cb87905d034095ec8fb070dbe0f
Three vendor hooks are provided to extend struct swap_slots_cache.
The extended data are used to record the information of the
specified reclaimed swap location:
1) android_vh_alloc_swap_slot_cache, replace the function
alloc_swap_slot_cache adding allocation of the extension
of struct swap_slots_cache;
2) android_vh_drain_slots_cache_cpu, replace the function
drain_slots_cache_cpu adding the initialization of the
extension of struct swap_slots_cache;
3) android_vh_get_swap_page, replace the function get_swap_page,
according to the reclaimed location information of the page,
get the the swap page from the specified swap location;
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I3bce6e8cf255df1d879b7c4022d54981cce7c273
The function swap_type_to_swap_info is exported to access the
swap_info_struct of the specified swap, which is regarded as
reserved extended memory.
Bug: 234214858
Signed-off-by: Bing Han <bing.han@transsion.com>
Change-Id: I0107e7d561150f1945a4c161e886e9e03383fff6
