2 years agostaging/android/ion : fix a race condition in the ion driver
EunTaik Lee [Wed, 24 Feb 2016 04:38:06 +0000]
staging/android/ion : fix a race condition in the ion driver

There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()

A handle has ref count of 1 and two tasks on different
cpus calls ION_IOC_FREE simultaneously.

cpu 0                                   cpu 1
(ref == 2)
                            (ref == 3)

(ref == 2)

(ref == 1)

                            (ref == 0 so ion_handle_destroy() is
                            and the handle is freed.)

                            ion_handle_put() is called and it
                            decreases the slub's next free pointer

The problem is detected as an unaligned access in the
spin lock functions since it uses load exclusive
 instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer.(kmalloc returns a pointer like
ffffc0745b4580aa). And it causes lots of other
hard-to-debug problems.

This symptom is caused since the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been

To fix this problem client->lock mutex is extended
to protect all the codes that uses the handle.

Bug 1836932

Change-Id: I45abd9dd1f696105a7840a25ba4a594b5af4fa65
Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262250
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agopercpu: fix synchronization between synchronous map extension and chunk destruction
Tejun Heo [Wed, 25 May 2016 15:48:25 +0000]
percpu: fix synchronization between synchronous map extension and chunk destruction

For non-atomic allocations, pcpu_alloc() can try to extend the area
map synchronously after dropping pcpu_lock; however, the extension
wasn't synchronized against chunk destruction and the chunk might get
freed while extension is in progress.

This patch fixes the bug by putting most of non-atomic allocations
under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
is responsible for async chunk management including destruction.

Bug 1836932

Change-Id: I1031ca004b5487bc7c6d57db15863e5c847946b4
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262243
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agocgroup: Correct the address format specifier
Gagan Grover [Fri, 25 Nov 2016 17:22:19 +0000]
cgroup: Correct the address format specifier

The format specifier %p can leak kernel addresses while not valuing
the kptr_restrict system settings.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

Bug 1823317

Change-Id: I19dc309e7f5341663add987f5d0b47ee32e1be50
Reviewed-on: http://git-master/r/1260110
(cherry picked from commit d018ef6518a7527562bedae1eab86838cfcc0570)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262238
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agoALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream()...
Vladis Dronov [Thu, 31 Mar 2016 16:05:43 +0000]
ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call

create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.

This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.

Based on a patch by Takashi Iwai <tiwai@suse.de>

[Note for stable backports:
 this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
 code cleanup in create_fixed_stream_quirk()')]

Bug 1823317

Change-Id: I4f65a902a19e7b21e8bc0fa21efd833c8360a3cf
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: <stable@vger.kernel.org> # see the note above
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259999
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years agoperf: Fix race in swevent hash
Peter Zijlstra [Tue, 15 Dec 2015 12:49:05 +0000]
perf: Fix race in swevent hash

There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.

Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.

When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.

Bug 1823317

Change-Id: I309528873f8576f96663afbe51ce2739934df16c
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259934
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years agovideo: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM
Gagan Grover [Thu, 24 Nov 2016 11:28:49 +0000]
video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM

Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.

Bug 1820242

Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agotcp: fix use after free in tcp_xmit_retransmit_queue()
Eric Dumazet [Wed, 17 Aug 2016 12:56:26 +0000]
tcp: fix use after free in tcp_xmit_retransmit_queue()

When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()

Then it attempts to copy user data into this fresh skb.

If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Bug 1823317

Change-Id: I9bf709b21e5637f338c34d894617f33d84f93ecc
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1260003
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoext4: fix potential use after free in __ext4_journal_stop
Lukas Czerner [Sun, 18 Oct 2015 02:57:06 +0000]
ext4: fix potential use after free in __ext4_journal_stop

There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.

Bug 1823317

Change-Id: Ib6fe50ed8013943d5fc3459eb499ecda5533c6ef
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259975
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoblock: fix use-after-free in sys_ioprio_get()
Omar Sandoval [Fri, 1 Jul 2016 07:39:35 +0000]
block: fix use-after-free in sys_ioprio_get()

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

int main(int argc, char **argv)
pid_t pid, child;
long nproc, i;

syscall(SYS_ioprio_set, 1, 0, 0x6000);

nproc = sysconf(_SC_NPROCESSORS_ONLN);

for (i = 0; i < nproc; i++) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
} else {
child = wait(NULL);
assert(child == pid);

pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);

for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);

return 0;

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009]  ___slab_alloc+0x55d/0x5a0
[   35.530009]  __slab_alloc.isra.20+0x2b/0x40
[   35.530009]  kmem_cache_alloc_node+0x84/0x200
[   35.530009]  create_task_io_context+0x2b/0x370
[   35.530009]  get_task_io_context+0x92/0xb0
[   35.530009]  copy_process.part.8+0x5029/0x5660
[   35.530009]  _do_fork+0x155/0x7e0
[   35.530009]  SyS_clone+0x19/0x20
[   35.530009]  do_syscall_64+0x195/0x3a0
[   35.530009]  return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009]  __slab_free+0x27b/0x3d0
[   35.530009]  kmem_cache_free+0x1fb/0x220
[   35.530009]  put_io_context+0xe7/0x120
[   35.530009]  put_io_context_active+0x238/0x380
[   35.530009]  exit_io_context+0x66/0x80
[   35.530009]  do_exit+0x158e/0x2b90
[   35.530009]  do_group_exit+0xe5/0x2b0
[   35.530009]  SyS_exit_group+0x1d/0x20
[   35.530009]  entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Bug 1823317

Change-Id: If331a4574b63e9288d1019c45c28af82731e9abb
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259972
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoblock: fix use-after-free in seq file
Vegard Nossum [Fri, 29 Jul 2016 08:40:31 +0000]
block: fix use-after-free in seq file

I got a KASAN report of use-after-free:

    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
    Read of size 8 by task trinity-c1/315
    BUG kmalloc-32 (Not tainted): kasan: bad access detected

    Disabling lock debugging due to kernel taint
    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315

    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G    B           4.7.0+ #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
    Call Trace:
     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
     [<ffffffff814704ff>] object_err+0x2f/0x40
     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
     [<ffffffff814b8de6>] do_preadv+0x126/0x170
     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Bug 1823317

Change-Id: Ic3f82ef82c570866b48c5ea8e195d8e504570d80
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259961
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agosg: Fix double-free when drives detach during SG_IO
Calvin Owens [Fri, 30 Oct 2015 23:57:00 +0000]
sg: Fix double-free when drives detach during SG_IO

In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().

Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.

This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:

  ------------[ cut here ]------------
  kernel BUG at block/blk-core.c:1420!
  Call Trace:
  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
  [<ffffffff81602afb>] tracesys+0xdd/0xe2
    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free

Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Bug 1823317

Change-Id: I883243dce583cd79e28facaa2cdd81157b293d74
Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259958
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoaf_unix: Guard against other == sk in unix_dgram_sendmsg
Rainer Weikusat [Thu, 11 Feb 2016 19:37:27 +0000]
af_unix: Guard against other == sk in unix_dgram_sendmsg

The unix_dgram_sendmsg routine use the following test

if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {

to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add a other != sk
check to guard against this.

Bug 1823317

Change-Id: I5b8f74348f82b4a84a3e01a93c58c49829b26efa
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259949
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoproc: prevent accessing /proc/<PID>/environ until it's ready
Mathias Krause [Thu, 5 May 2016 23:22:26 +0000]
proc: prevent accessing /proc/<PID>/environ until it's ready

If /proc/<PID>/environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing to read beyond the end of what has been written.

Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
zero.  It is, apparently, intentionally set last in create_*_tables().

This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.

The expected consequence is that userland trying to access
/proc/<PID>/environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment

Bug 1823317

Change-Id: I38356eb68ffd1294f1f1250fb328bd01a3b37158
Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: Pax Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Mateusz Guzik <mguzik@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259930
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoHID: core: prevent out-of-bound readings
Benjamin Tissoires [Tue, 19 Jan 2016 11:34:58 +0000]
HID: core: prevent out-of-bound readings

Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.

The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.

Bug 1823317

Change-Id: Ib3ba92572acbdd4c9ec265e54a45f92606107700
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259928
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agotty: Prevent ldisc drivers from re-using stale tty fields
Peter Hurley [Fri, 27 Nov 2015 19:30:21 +0000]
tty: Prevent ldisc drivers from re-using stale tty fields

Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].

Harden the ldisc interface against misuse by initializing revelant
tty fields before instancing the new line discipline.

    commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
    Author: Tilman Schmidt <tilman@imap.cc>
    Date:   Tue Jul 14 00:37:13 2015 +0200

    isdn/gigaset: reset tty->receive_room when attaching ser_gigaset

[2] Report from Sasha Levin <sasha.levin@oracle.com>
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Bug 1823317

Change-Id: Ica54faa9334c587594cc19bc9da007340fda672d
Cc: Tilman Schmidt <tilman@imap.cc>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259925
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agodrivers: media: Remove support for IMX208 sensor
Vincent Chung [Tue, 22 Nov 2016 02:33:03 +0000]
drivers: media: Remove support for IMX208 sensor

Remove support for the IMX208 sensor in all T124 target branches due
to a security vulnerability reported for the Pixel C.

This Gerrit removes the IMX208 driver.

Bug 1825317

Change-Id: I5a5b140526c9aabe3f57d60cd750176579f18391
Signed-off-by: Vincent Chung <vincentc@nvidia.com>
Reviewed-on: http://git-master/r/1259195
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoarm: dts: Remove support for IMX208 sensor
Vincent Chung [Thu, 24 Nov 2016 01:24:43 +0000]
arm: dts: Remove support for IMX208 sensor

Remove support for the IMX208 sensor in all T124 target branches due
to a security vulnerability reported for the Pixel C.

This Gerrit removes the DeviceTree and configuration references.

boot.img size not changed.

Bug 1825317

Change-Id: I04c7a8cad07f31ea5aa4a33389838f2ce2a8f31f
Signed-off-by: Vincent Chung <vincentc@nvidia.com>
Reviewed-on: http://git-master/r/1259194
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agogpu: nvgpu: Remove IOCTL FREE_OBJ_CTX
Terje Bergstrom [Tue, 8 Nov 2016 22:29:14 +0000]
gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX

We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context
being only partially available, and can lead to use-after-free.

Bug 1834225

Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-on: http://git-master/r/1250004
Reviewed-on: http://git-master/r/1258422
Reviewed-by: Martin Gao <marting@nvidia.com>
Tested-by: Martin Gao <marting@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Eric Chuang <echuang@nvidia.com>

2 years ago[media] uvcvideo: fix null pointer dereference
Henry Lin [Wed, 23 Nov 2016 11:51:34 +0000]
[media] uvcvideo: fix null pointer dereference

stream->urb_num needs to set to 0 while freeing urbs to avoid null
pointer dereference afterwards.

Bug 200237870

Change-Id: Ib26f7b23f34db049790e7a5b31a8bde181b74d99
Signed-off-by: Henry Lin <henryl@nvidia.com>
Reviewed-on: http://git-master/r/1258903
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: WK Tsai <wtsai@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoHID: usbhid: improve handling of Clear-Halt and reset
Alan Stern [Tue, 2 Sep 2014 15:39:15 +0000]
HID: usbhid: improve handling of Clear-Halt and reset

This patch changes the way usbhid carries out Clear-Halt and reset.

Currently, after a Clear-Halt on the interrupt-IN endpoint, the driver
immediately restarts the interrupt URB, even if the Clear-Halt failed.
This doesn't work out well when the reason for the failure was that
the device was disconnected (when a low- or full-speed device is
connected through a hub to an EHCI controller, transfer errors caused
by disconnection are reported as stalls by the hub).  Instead now the
driver will attempt a reset after a failed Clear-Halt.

The way resets are carried out is also changed.  Now the driver will
call usb_queue_reset_device() instead of calling usb_reset_device()
directly.  This avoids a deadlock that would arise when a device is
unplugged: The hid_reset() routine runs as a workqueue item, a reset
attempt after the device has been unplugged will fail, failure will
cause usbhid to be unbound, and the disconnect routine will try to do
cancel_work_sync().  The usb_queue_reset_device() implementation is
carefully written to handle scenarios like this one properly.

Bug 1838664

Change-Id: Ifb3fb19787b87ce72c8010f3d15d8b8392413162
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Reviewed-on: http://git-master/r/1257991
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Hans Yang <hansy@nvidia.com>
Tested-by: Hans Yang <hansy@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Henry Lin <henryl@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoRevert "HID: usbhid: fix a lockup in usbhid_disconnect()"
Hans Yang [Mon, 21 Nov 2016 06:29:29 +0000]
Revert "HID: usbhid: fix a lockup in usbhid_disconnect()"

This reverts commit 5d54db82ef875f17a9b053d9267d9c222402a1c6.

Bug 1838664

Change-Id: I440d5aa147c46478d453ff5fd2ae4f17d616d832
Signed-off-by: Hans Yang <hansy@nvidia.com>
Reviewed-on: http://git-master/r/1257990
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Henry Lin <henryl@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agovideo: tegra: nvmap: fix possible use after free
Gagan Grover [Tue, 22 Nov 2016 09:31:11 +0000]
video: tegra: nvmap: fix possible use after free

Fix possible use after free issue.

Bug 1814555

Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1257999
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Sri Krishna Chowdary <schowdary@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agohdmi: fix a dead lock in tegra_hdmi_hpd_worker()
Haley Teng [Thu, 25 Aug 2016 09:29:01 +0000]
hdmi: fix a dead lock in tegra_hdmi_hpd_worker()

We should not call cancel_delayed_work_sync() in tegra_hdmi_hpd_worker()
since tegra_hdmi_hpd_worker() is a function called by workqueue.
Replacing cancel_delayed_work_sync() by cancel_delayed_work() in

The below backtrace is an example of the dead lock issue.

[   81.663560] kworker/5:2     D ffffffc000085de8     0   173      2 0x00000000
[   81.670634] Workqueue: events tegra_hdmi_hpd_worker
[   81.675520] Call trace:
[   81.677959] [<ffffffc000085de8>] __switch_to+0x94/0xa8
[   81.683099] [<ffffffc000b6a048>] __schedule+0x284/0x788
[   81.688326] [<ffffffc000b6a590>] schedule+0x44/0xb0
[   81.693213] [<ffffffc0000b8e98>] __cancel_work_timer+0x18c/0x190
[   81.699216] [<ffffffc0000b8ec4>] cancel_delayed_work_sync+0x10/0x18
[   81.705483] [<ffffffc000447d74>] tegra_hdmi_hpd_worker+0x134/0x28c
[   81.711668] [<ffffffc0000b87b4>] process_one_work+0x158/0x44c
[   81.717415] [<ffffffc0000b95e4>] worker_thread+0x134/0x4a8
[   81.722899] [<ffffffc0000be8c0>] kthread+0xe0/0xf4
[   81.727691] [<ffffffc000084c90>] ret_from_fork+0x10/0x40
[   86.791409] sh              D ffffffc000085de8     0  1879   1782 0x00000000
[   86.798477] Call trace:
[   86.800916] [<ffffffc000085de8>] __switch_to+0x94/0xa8
[   86.806055] [<ffffffc000b6a048>] __schedule+0x284/0x788
[   86.811280] [<ffffffc000b6a590>] schedule+0x44/0xb0
[   86.816161] [<ffffffc000b6d1fc>] schedule_timeout+0x1f0/0x280
[   86.821908] [<ffffffc000b6b110>] wait_for_common+0xa0/0x144
[   86.827486] [<ffffffc000b6b1c8>] wait_for_completion+0x14/0x1c
[   86.833322] [<ffffffc0000b80ec>] flush_work+0xd0/0x188
[   86.838460] [<ffffffc0000b8da4>] __cancel_work_timer+0x98/0x190
[   86.844383] [<ffffffc0000b8ec4>] cancel_delayed_work_sync+0x10/0x18
[   86.850652] [<ffffffc00044a380>] tegra_hdmi_set_hotplug_state+0x48/0xc0
[   86.857264] [<ffffffc00044a448>] tegra_hdmi_hotplug_dbg_write+0x50/0x84
[   86.863877] [<ffffffc0001c2d88>] __vfs_write+0x2c/0xe0
[   86.869019] [<ffffffc0001c370c>] vfs_write+0x90/0x19c
[   86.874070] [<ffffffc0001c4214>] SyS_write+0x44/0xa0
[   86.879038] [<ffffffc000084cf0>] el0_svc_naked+0x24/0x28

Bug 200228986

Change-Id: I431e7903a283324f4ed482464ac150790a1ec8e1
Signed-off-by: Haley Teng <hteng@nvidia.com>
Reviewed-on: http://git-master/r/1207728
Reviewed-on: http://git-master/r/1258745
Tested-by: Prafull Suryawanshi <prafulls@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Santosh Galma <galmar@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years agonet: wireless: bcmdhd/bcmdhd_88: Time bound for dhd_dpc thread
Srinivas Ramachandran [Sat, 19 Nov 2016 01:04:07 +0000]
net: wireless: bcmdhd/bcmdhd_88: Time bound for dhd_dpc thread

Add time bound for dhd_dpc thread. Ensures dpc thread does not
hog cpu, while at same time does not hurt perf. either.

Bug 1844359

Change-Id: I34b061ea495581ba92d249eaa34d992f1d54b6e6
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1256652
Reviewed-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Reviewed-by: Bhadram Varka <vbhadram@nvidia.com>
Reviewed-by: Narayan Reddy <narayanr@nvidia.com>
Tested-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agovideo: tegra: nvmap: Check if handle holds a buffer before map
Sri Krishna chowdary [Tue, 15 Nov 2016 05:53:30 +0000]
video: tegra: nvmap: Check if handle holds a buffer before map

Consider the following case:
1. NVMAP_IOC_CREATE gives a valid fd to user space
2. user space calls NVMAP_IOC_ALLOC and it fails. So, all
of the handle's allocation fields are zero.
3. Subsequent dma_buf_vmap, mmap on fd leads to __nvmap_mmap
4. handle is valid but h->alloc, h->carveout, h->heap_pgalloc,
h->vaddr all are 0.
5. We check for h->heap_pgalloc which is false, so proceed and
dereference h->carveout leading to NULL pointer exception.

A valid __nvmap_mmap should occur only when h->alloc is true.
So, add check for it.

bug 1837468

Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1253236
GVS: Gerrit_Virtual_Submit
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
Tested-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-by: Pritesh Raithatha <praithatha@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agotty: serial8250: save/dump the port statistics
Shardar Shariff Md [Wed, 24 Feb 2016 13:21:49 +0000]
tty: serial8250: save/dump the port statistics

Save the port statistics before handling serial
interrupt and dump the current port stats when
too much work is done in serial irq handler to
know which interrupt is causing this.

Bug 1730156

Change-Id: I2b85245f1fb5f23335b13f51a298f375504a38ae
Signed-off-by: Shardar Shariff Md <smohammed@nvidia.com>
Reviewed-on: http://git-master/r/1018177
(cherry picked from commit 31cf754a649df20d7c2969d92db95e606848731f)
Reviewed-on: http://git-master/r/1257296
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Daniel Fu <danifu@nvidia.com>

2 years agohid: release snd_card without causing a deadlock
Mithun Maragiri [Mon, 14 Nov 2016 23:55:56 +0000]
hid: release snd_card without causing a deadlock

use snd_card_free_when_closed

Bug 1835468

Change-Id: I570ceb92431da457f1ec2136f19fc11f80e0211f
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1253091
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agoKEYS: Fix ASN.1 indefinite length object parsing
David Howells [Tue, 23 Feb 2016 11:03:12 +0000]
KEYS: Fix ASN.1 indefinite length object parsing

This fixes CVE-2016-0758.

In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor.  With a sufficiently large size indicated, the check:

datalen - dp < 2

may then fail due to integer overflow.

Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.

Whilst we're at it, make the following changes:

 (1) Check the maximum size of extended length does not exceed the capacity
     of the variable it's being stored in (len) rather than the type that
     variable is assumed to be (size_t).

 (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
     integer 0.

 (3) To reduce confusion, move the initialisation of len outside of:

for (len = 0; n > 0; n--) {

     since it doesn't have anything to do with the loop counter n.

Bug 1812688

Change-Id: I808500200996d58481ad705174c8cf0559fa19c1
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1254648
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agoandroid: Fix information disclosure vulnerability
Gagan Grover [Tue, 15 Nov 2016 07:18:31 +0000]
android: Fix information disclosure vulnerability

The format specifier %p can leak kernel addresses while not valuing the
kptr_restrict system settings.
The fix is designed to use %pK instead of %p, which also evaluates whether
kptr_restrict is set.

CVE-2016-6683 A-30143283
CVE-2016-6684 A-30148243

Bug 1812688

Change-Id: If2b1d25948af5c21333a189fe25e5412c6c2c27f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1253303
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agobinder: Fix Information disclosure vulnerability
Gagan Grover [Tue, 15 Nov 2016 06:29:38 +0000]
binder: Fix Information disclosure vulnerability

The interaction between the kernel /dev/binder and the usermode
Parcel.cpp means that when a Binder object is passed as
object (in the server process) is leaked to the client process as the
cookie value. This leads to a leak of a heap address in many of the
privileged Binder services, including system_server.
The fix is designed to zero out the Binder pointer and cookie before
sending it to the client process

Bug 1812688

Change-Id: Ie5374c3126e226f783e2d043139f9ba61e383bd9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1253265
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agosound: Fix DoS vulnerability in kernel sound driver
Gagan Grover [Mon, 14 Nov 2016 20:17:50 +0000]
sound: Fix DoS vulnerability in kernel sound driver

There is no validation of the codec variable passed to the
snd_soc_read and snd_soc_write functions.
The fix is designed to add a check for null function pointers
in the dummy sound driver.

CVE-2016-6690 A-28838221

Bug 1812688

Change-Id: I884b330e8247f345d14469d2b207a7e2a5fa8786
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1252960
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agobinder: Fix Elevation of privilege vulnerability in system_server
Gagan Grover [Mon, 14 Nov 2016 19:52:08 +0000]
binder: Fix Elevation of privilege vulnerability in system_server

The usage of weak references instead of strong references in Binder
can potentially lead to a use-after-free vulnerability in
system_server. The fix is designed to no longer allow weak references
in cases where strong references are needed.

CVE-2016-6674 A-30445380

Bug 1812688

Change-Id: Ic4e028e8f1f6ae4b1ff562127f87a4a15d0a0999
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1252938
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agoarm64: dma-mapping: always clear allocated buffers
Marek Szyprowski [Thu, 23 Apr 2015 11:46:16 +0000]
arm64: dma-mapping: always clear allocated buffers

[ Upstream commit 6829e274a623187c24f7cfc0e3d35f25d087fcc5 ]

Buffers allocated by dma_alloc_coherent() are always zeroed on Alpha,
ARM (32bit), MIPS, PowerPC, x86/x86_64 and probably other architectures.
It turned out that some drivers rely on this 'feature'. Allocated buffer
might be also exposed to userspace with dma_mmap() call, so clearing it
is desired from security point of view to avoid exposing random memory
to userspace. This patch unifies dma_alloc_coherent() behavior on ARM64
architecture with other implementations by unconditionally zeroing
allocated buffer.

Bug 1812688

CRs-Fixed: 1041735
Change-Id: I74bf024e0f603ca8c0b05430dc2ee154d579cfb2
Cc: <stable@vger.kernel.org> # v3.14+
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Git-commit: a142e9641dcbead2c8845c949ad518acac96ed28
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[lmark@codeaurora.org: resolve merge conflicts]
Signed-off-by: Liam Mark <lmark@codeaurora.org>

(cherry picked from commit 6e2c437a2d0a85d90d3db85a7471f99764f7bbf8)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Ie0d4f733e1257c128af63821f7d87af50c34957e
Reviewed-on: http://git-master/r/1251952
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agoarm64: perf: reject groups spanning multiple HW PMUs
Suzuki K. Poulose [Tue, 17 Mar 2015 18:14:59 +0000]
arm64: perf: reject groups spanning multiple HW PMUs

The perf core implicitly rejects events spanning multiple HW PMUs, as in
these cases the event->ctx will differ. However this validation is
performed after pmu::event_init() is called in perf_init_event(), and
thus pmu::event_init() may be called with a group leader from a
different HW PMU.

The ARM64 PMU driver does not take this fact into account, and when
validating groups assumes that it can call to_arm_pmu(event->pmu) for
any HW event. When the event in question is from another HW PMU this is
wrong, and results in dereferencing garbage.

This patch updates the ARM64 PMU driver to first test for and reject
events from other PMUs, moving the to_arm_pmu and related logic after
this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with
a CCI PMU present:

Bad mode in Synchronous Abort handler detected, code 0x86000006 -- IABT (current EL)
CPU: 0 PID: 1371 Comm: perf_fuzzer Not tainted 3.19.0+ #249
Hardware name: V2F-1XV7 Cortex-A53x2 SMM (DT)
task: ffffffc07c73a280 ti: ffffffc07b0a0000 task.ti: ffffffc07b0a0000
PC is at 0x0
LR is at validate_event+0x90/0xa8
pc : [<0000000000000000>] lr : [<ffffffc000090228>] pstate: 00000145
sp : ffffffc07b0a3ba0

[<          (null)>]           (null)
[<ffffffc0000907d8>] armpmu_event_init+0x174/0x3cc
[<ffffffc00015d870>] perf_try_init_event+0x34/0x70
[<ffffffc000164094>] perf_init_event+0xe0/0x10c
[<ffffffc000164348>] perf_event_alloc+0x288/0x358
[<ffffffc000164c5c>] SyS_perf_event_open+0x464/0x98c
Code: bad PC value

Also cleans up the code to use the arm_pmu only when we know
that we are dealing with an arm pmu event.

Bug 1812688

Cc: Will Deacon <will.deacon@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Peter Ziljstra (Intel) <peterz@infradead.org>
Signed-off-by: Suzuki K. Poulose <suzuki.poulose@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
(cherry picked from commit 8fff105e13041e49b82f92eef034f363a6b1c071)

Change-Id: I883668dcc826e91f373653651916e25503231297
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1251882
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agonet: Fix use after free in the recvmmsg exit path
Arnaldo Carvalho de Melo [Mon, 14 Mar 2016 12:56:35 +0000]
net: Fix use after free in the recvmmsg exit path

The syzkaller fuzzer hit the following use-after-free:

  Call Trace:
   [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
   [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
   [<     inline     >] SYSC_recvmmsg net/socket.c:2281
   [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
   [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a

And, as Dmitry rightly assessed, that is because we can drop the
reference and then touch it when the underlying recvmsg calls return
some packets and then hit an error, which will make recvmmsg to set
sock->sk->sk_err, oops, fix it.

Bug 1812688

Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Change-Id: I82425d90859812db30fddbf5423735559091768e
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1251868
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agodrivers: hid driver for steam valve controller
Martin Gao [Fri, 18 Nov 2016 05:40:37 +0000]
drivers: hid driver for steam valve controller

Bug 200229135

For both wired and wireless connection:
- all buttons working
- gyro and accel sensors turned on (only works in wireless connection)
- right trackpad is implmented to function like right joystick. It sends
  ABS_Z and ABS_RZ to simuluate right joystick events

Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1252313
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoPepper: Spotfix for write silence
David DSH [Fri, 18 Nov 2016 18:28:49 +0000]
Pepper: Spotfix for write silence

Have the timer grab the lock to prevent task accessing the pcm_buffer to
get bad pointer.

Bug 1842498

Change-Id: I7f9691ceceeb8e7bb8dc00bd68617b91c4275c30
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1256442
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agohid: jarvis: remove the sound card limit
Siddardha Naraharisetti [Tue, 15 Nov 2016 07:43:20 +0000]
hid: jarvis: remove the sound card limit

Remove the limit of 5 sound cards in driver.

Bug 1821999

Change-Id: I47ee126b3bf179902cdab4fd6faa1baaafa0117e
Signed-off-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
Reviewed-on: http://git-master/r/1253331
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoCompilation of 3.10 kernel with GCC-6.1
Sujeet Baranwal [Thu, 10 Nov 2016 19:14:45 +0000]
Compilation of 3.10 kernel with GCC-6.1

All necessary chnages made all across kernel to make the
build go thru with GCC 6.1

Bug 1838484

Change-Id: Ie9eb1aecd6847df689a99abd6ea8651309db4e57
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242348
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agoAlignment correction
Sujeet Baranwal [Thu, 10 Nov 2016 18:30:20 +0000]
Alignment correction

GCC-6.1 fails to build these files because of alignement errors.
Files modified accordingly.

Bug 1838484

Change-Id: Ie493dfbea195f7f756227b8e4fa355b6a011fd82
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1251327
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agoAdd sancov plugin
Emese Revfy [Wed, 9 Nov 2016 17:59:44 +0000]
Add sancov plugin

The sancov gcc plugin inserts a __sanitizer_cov_trace_pc() call
at the start of basic blocks.

This plugin is a helper plugin for the kcov feature. It supports
all gcc versions with plugin support (from gcc-4.5 on).
It is based on the gcc commit "Add fuzzing coverage support" by Dmitry Vyukov

Signed-off-by: Emese Revfy <re.emese@gmail.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michal Marek <mmarek@suse.com>


Bug 1838484

Change-Id: I590c06bdc07146a36e8d68c92151da7e7a647652
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1250558
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agoGCC plugin infrastructure
Emese Revfy [Thu, 20 Oct 2016 22:16:16 +0000]
GCC plugin infrastructure

This patch allows to build the whole kernel with GCC plugins. It was ported from
grsecurity/PaX. The infrastructure supports building out-of-tree modules and
building in a separate directory. Cross-compilation is supported too.
Currently the x86, arm, arm64 and uml architectures enable plugins.
The directory of the gcc plugins is scripts/gcc-plugins. You can use a file or a directory
there. The plugins compile with these options:
 * -fno-rtti: gcc is compiled with this option so the plugins must use it too
 * -fno-exceptions: this is inherited from gcc too
 * -fasynchronous-unwind-tables: this is inherited from gcc too
 * -ggdb: it is useful for debugging a plugin (better backtrace on internal
 * -Wno-narrowing: to suppress warnings from gcc headers (ipa-utils.h)
 * -Wno-unused-variable: to suppress warnings from gcc headers (gcc_version
    variable, plugin-version.h)
The infrastructure introduces a new Makefile target called gcc-plugins. It
supports all gcc versions from 4.5 to 6.0. The scripts/gcc-plugin.sh script
chooses the proper host compiler (gcc-4.7 can be built by either gcc or g++).
This script also checks the availability of the included headers in
The gcc-common.h header contains frequently included headers for GCC plugins
and it has a compatibility layer for the supported gcc versions.
The gcc-generate-*-pass.h headers automatically generate the registration
structures for GIMPLE, SIMPLE_IPA, IPA and RTL passes.
Note that 'make clean' keeps the *.so files (only the distclean or mrproper
targets clean all) because they are needed for out-of-tree modules.
Based on work created by the PaX Team.
Signed-off-by: Emese Revfy <re.emese@gmail.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michal Marek <mmarek@suse.com>

Bug 1838484

Change-Id: I576d5ff30576449d9947489d45aff4fd79d10129
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242346
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agokcov: add AFL-style tracing
Quentin Casasnovas [Thu, 20 Oct 2016 20:57:41 +0000]
kcov: add AFL-style tracing

AFL uses a fixed-size buffer (typically 64 KiB) where each byte is
a counter representing how many times an A -> B branch was taken.
Of course, since the buffer is fixed size, it's a little imprecise
in that e.g. two different branches could map to the same counter,
but in practice it works well.
See afl:docs/technical_details.txt for more information.
Here is a small test program that demonstrates the new capability:
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/types.h>
#define KCOV_INIT_TRACE                 _IOR('c', 1, unsigned long)
#define KCOV_INIT_AFL                   _IOR('c', 2, unsigned long)
#define KCOV_ENABLE                     _IO('c', 100)
#define KCOV_DISABLE                    _IO('c', 101)
int main(int argc, char *argv[])
int fd = open("/sys/kernel/debug/kcov", O_RDWR);
if (fd == -1)
error(1, errno, "open()");
unsigned long size = 1 << 10;
if (ioctl(fd, KCOV_INIT_AFL, size) != 0)
error(1, errno, "ioctl(KCOV_INIT_AFL)");
void *mem = mmap(NULL, size * sizeof(long), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
if (mem == MAP_FAILED)
error(1, errno, "mmap()");
/* Start kernel instrumentation */
if (ioctl(fd, KCOV_ENABLE, 0) != 0)
error(1, errno, "ioctl(KCOV_ENABLE)");
printf("Hello world!\n");
/* End kernel instrumentation*/
if (ioctl(fd, KCOV_DISABLE, 0) != 0)
error(1, errno, "ioctl(KCOV_DISABLE)");
/* Hex dump of memory area */
unsigned char *mem2 = mem;
for (unsigned int i = 0; i < size; ++i) {
printf("%02x ", mem2[i]);
if (i % 32 == 31)
return 0;
This patch is a collaboration between Quentin Casasnovas and Vegard Nossum.

Bug 1838484

Change-Id: I5c7f98386857eb5fca9689ee2e0d2126bd0456ea
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Michal Zalewski <lcamtuf@gmail.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242345
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agokcov: allow more fine-grained coverage instrumentation
Vegard Nossum [Thu, 20 Oct 2016 20:47:50 +0000]
kcov: allow more fine-grained coverage instrumentation

For more targeted fuzzing, it's better to disable kernel-wide
instrumentation and instead enable it on a per-subsystem basis. This
follows the pattern of UBSAN and allows you to compile in the kcov driver
without instrumenting the whole kernel.
To instrument a part of the kernel, you can use either
    # for a single file in the current directory
    KCOV_INSTRUMENT_filename.o := y
    # for all the files in the current directory (excluding subdirectories)
    # (same as above)
    ccflags-y += $(CFLAGS_KCOV)
    # for all the files in the current directory (including subdirectories)
    subdir-ccflags-y += $(CFLAGS_KCOV)

Bug 1838484

Change-Id: I2ecd3cdcaaae7a9b2f285b1b048bc03ae4686d38
Link: http://lkml.kernel.org/r/1464008380-11405-1-git-send-email-vegard.nossum@oracle.com
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242344
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agoarm64: allow building with kcov coverage on ARM64
Alexander Potapenko [Wed, 19 Oct 2016 23:03:26 +0000]
arm64: allow building with kcov coverage on ARM64

Add ARCH_HAS_KCOV to ARM64 config. To avoid potential crashes, disable
instrumentation of the files in arch/arm64/kvm/hyp/*.

Signed-off-by: Alexander Potapenko <glider@google.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Tested-by: James Morse <james.morse@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

Bug 1838484

Change-Id: I83e7810cfdbe842b31e128b177b037fb5275fb4a
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242343
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
Tested-by: Bharat Nihalani <bnihalani@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User

2 years agokcov: don't profile branches in kcov
Andrey Ryabinin [Wed, 19 Oct 2016 23:02:03 +0000]
kcov: don't profile branches in kcov

Profiling 'if' statements in __sanitizer_cov_trace_pc() leads
to unbound recursion and crash:
__sanitizer_cov_trace_pc() ->
ftrace_likely_update ->
__sanitizer_cov_trace_pc() ...

Define DISABLE_BRANCH_PROFILING to disable this tracer.

Bug 1838484

Change-Id: I8384d520f2616871183cecd5f2ace463478f675f
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242342
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agokcov: don't trace the code coverage code
James Morse [Wed, 19 Oct 2016 23:00:46 +0000]
kcov: don't trace the code coverage code

Kcov causes the compiler to add a call to __sanitizer_cov_trace_pc() in
every basic block. Ftrace patches in a call to _mcount() to each function
it has annotated.

Letting these mechanisms annotate each other is a bad thing. Break the loop
by adding 'notrace' to __sanitizer_cov_trace_pc() so that ftrace won't try
to patch this code.

This patch lets arm64 with KCOV and STACK_TRACER boot.

Bug 1838484

Change-Id: Iddb322e4dcab7986413ab8af5be37c1fb1db04d2
Signed-off-by: James Morse <james.morse@arm.com>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242341
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agokernel: add kcov code coverage
Dmitry Vyukov [Wed, 19 Oct 2016 21:37:22 +0000]
kernel: add kcov code coverage

kcov provides code coverage collection for coverage-guided fuzzing
(randomized testing).  Coverage-guided fuzzing is a testing technique
that uses coverage feedback to determine new interesting inputs to a
system.  A notable user-space example is AFL
(http://lcamtuf.coredump.cx/afl/).  However, this technique is not
widely used for kernel testing due to missing compiler and kernel
kcov does not aim to collect as much coverage as possible.  It aims to
collect more or less stable coverage that is function of syscall inputs.
To achieve this goal it does not collect coverage in soft/hard
interrupts and instrumentation of some inherently non-deterministic or
non-interesting parts of kernel is disbled (e.g.  scheduler, locking).
Currently there is a single coverage collection mode (tracing), but the
API anticipates additional collection modes.  Initially I also
implemented a second mode which exposes coverage in a fixed-size hash
table of counters (what Quentin used in his original patch).  I've
dropped the second mode for simplicity.
This patch adds the necessary support on kernel side.  The complimentary
compiler support was added in gcc revision 231296.
We've used this support to build syzkaller system call fuzzer, which has
found 90 kernel bugs in just 2 months:
We've also found 30+ bugs in our internal systems with syzkaller.
Another (yet unexplored) direction where kcov coverage would greatly
help is more traditional "blob mutation".  For example, mounting a
random blob as a filesystem, or receiving a random blob over wire.
Why not gcov.  Typical fuzzing loop looks as follows: (1) reset
coverage, (2) execute a bit of code, (3) collect coverage, repeat.  A
typical coverage can be just a dozen of basic blocks (e.g.  an invalid
input).  In such context gcov becomes prohibitively expensive as
reset/collect coverage steps depend on total number of basic
blocks/edges in program (in case of kernel it is about 2M).  Cost of
kcov depends only on number of executed basic blocks/edges.  On top of
that, kernel requires per-thread coverage because there are always
background threads and unrelated processes that also produce coverage.
With inlined gcov instrumentation per-thread coverage is not possible.
kcov exposes kernel PCs and control flow to user-space which is
insecure.  But debugfs should not be mapped as user accessible.
Based on a patch by Quentin Casasnovas.
[akpm@linux-foundation.org: make task_struct.kcov_mode have type `enum kcov_mode']
[akpm@linux-foundation.org: unbreak allmodconfig]
[akpm@linux-foundation.org: follow x86 Makefile layout standards]
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Tavis Ormandy <taviso@google.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@google.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: David Drysdale <drysdale@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Bug 1838484

Change-Id: I3c2c66e5f431f5bfe1cb7cba4209614e60578613
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242340
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agoPCI/ASPM: fix un-initialized variable access
Vidya Sagar [Tue, 30 Aug 2016 12:29:36 +0000]
PCI/ASPM: fix un-initialized variable access

fixes un-initialized structure variable access by
memsetting it to zero

Bug 200219196

Change-Id: I6b927e374038e3b3d349cf8330dc1215ceb7b9f0
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Reviewed-on: http://git-master/r/1215383
(cherry picked from commit b70ad37fb59b347eeb0289e44a8b109375014633)
Reviewed-on: http://git-master/r/1257028
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agopcie: host: tegra: use GFP_DMA32 for MSI mem alloc
Vidya Sagar [Tue, 27 Sep 2016 13:03:03 +0000]
pcie: host: tegra: use GFP_DMA32 for MSI mem alloc

uses GFP_DMA32 instead of GFP_KERNEL while allocating
memory to be given to PCIe end points to issue write
transactions to generate MSI interrupts.
This fixes issues with PCIe end points that are capable
of generating writes to only 32-bit addresses for generating
MSI interrupts

Bug 200234273

Change-Id: I269cb5c55bcac20fd14deb2311067e8a1f58c49b
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Reviewed-on: http://git-master/r/1227735
(cherry picked from commit 11b39e38141e2b862ed79b9b414e0412e0e0e2f4)
Reviewed-on: http://git-master/r/1257027
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agoarm64: dma-mapping: fix invalid page count check
Vidya Sagar [Mon, 2 May 2016 07:39:09 +0000]
arm64: dma-mapping: fix invalid page count check

Fix the false assertion caused by invalid page count check.

Bug 200178753
Bug 1823434

Change-Id: Ib100714ab54ff08ca0ee6bf63f45a5c00e46ce77
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
Reviewed-on: http://git-master/r/1139581
(cherry picked from commit 27cc6b3e8262c3c91f27f242d62d1f904b3cebc4)
Reviewed-on: http://git-master/r/1235015
(cherry picked from commit 6d534cac2e328300d19c8d9be0d8fa8265e00841)
Reviewed-on: http://git-master/r/1243046
(cherry picked from commit f796a417a64212c388223f8fb1de858ba120f65d)
Reviewed-on: http://git-master/r/1257024
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago[media] uvcvideo: improve urb buffer allocation
Henry Lin [Wed, 21 Sep 2016 16:02:03 +0000]
[media] uvcvideo: improve urb buffer allocation

Some UVC device (e.g. StereoLabs ZED camera) may have strict timing
requirement for transferring video payload. This change improves URB
buffer allocation for UVC device with bulk VideoStreaming interface. The
criteria for buffer allocation are:
- Let an URB able to receive a complete UVC payload
- Prepare and submit URBs for a complete video frame

If system memory is large enough, URB buffers will consume memory size
up to a complete video frame.

Bug 1674178

Change-Id: If5f366582ee1c1cb559e890176d74484634dccef
Signed-off-by: Henry Lin <henryl@nvidia.com>
Reviewed-on: http://git-master/r/1225266
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Hans Yang <hansy@nvidia.com>
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>
GVS: Gerrit_Virtual_Submit
(cherry picked from commit 4797f84301fe6ff42313c688e72e4f7c0d52b2e6)
Reviewed-on: http://git-master/r/1239557
Reviewed-by: Peter Yu <pyu@nvidia.com>
Tested-by: Peter Yu <pyu@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoRT8168: Add power control sysfs knobs
David DSH [Wed, 16 Nov 2016 02:50:24 +0000]
RT8168: Add power control sysfs knobs

Add low power modes control knobs via sysfs

Bug 1828585

Change-Id: If9fbd678399c811177f4550f54ef7be88070b795
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1254366
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoT124 : platform : Enable CPUSETS
Somdutta Roy [Wed, 12 Oct 2016 18:16:41 +0000]
T124 : platform : Enable CPUSETS

- Enable CPUSETS in the T124 kernel
- Allow system UID (1000) to make changes in cgroups

boot.img size not changed

Bug 1792325

Change-Id: Ifcaf3d8ebfc97b257db5755d9dd54d0bcfd46ab5
Signed-off-by: Somdutta Roy <somduttar@nvidia.com>
Reviewed-on: http://git-master/r/1235435
Reviewed-by: Christopher Freeman <cfreeman@nvidia.com>
Reviewed-by: David Lock <dlock@nvidia.com>
Reviewed-by: Wen Yi <wyi@nvidia.com>
Reviewed-by: Mahesh Lagadapati <mlagadapati@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agovideo: tegra: host: check debuginfo for nvdec boot
Deepak Nibade [Mon, 3 Oct 2016 09:53:41 +0000]
video: tegra: host: check debuginfo for nvdec boot

After waiting for falcon idle, confirm successful nvdec boot
by reading nvdec_debuginfo_r()

If register reads 0, then booting is successful
Otherwise, its error

Bug 200237849
Jira HOSTX-118

Change-Id: Ibaf6a21baaa3b5c61b432c9ceac4ddf9af233ebc
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1230795
Reviewed-on: http://git-master/r/1242938
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agot210: tegra-fuse: add support to read UID
Shardar Shariff Md [Thu, 1 Sep 2016 09:12:20 +0000]
t210: tegra-fuse: add support to read UID

- Add support to read unique ID (UID), there is no one register
field to read UID, instead UID is constructed from various bits
of information burned into the fuses during the manufactoring

UID is constructed to 64 bit as below from below UID register

- rename tegra21x offset filename to tegra210

Bug 1803702

Change-Id: Ie14ab25e147d6668ab2a092305a0c62b7257279a
Signed-off-by: Shardar Shariff Md <smohammed@nvidia.com>
Reviewed-on: http://git-master/r/1218594
(cherry picked from commit d4b54be134a1c70ef00c4931bc48c2be29b7ed40)
Reviewed-on: http://git-master/r/1253246
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years agobcmdhd_88: disable nv_logger logging by default
Bibhay Ranjan [Mon, 24 Oct 2016 08:36:13 +0000]
bcmdhd_88: disable nv_logger logging by default

Bug 200231321

Change-Id: Icb02bf96cf565fac493da0c68dee7967338e090f
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1235065
Reviewed-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Todd Poynter <tpoynter@nvidia.com>

2 years agoarm64: dts: HE: enable BL poweroff on red state
Yunfan Zhang [Mon, 14 Nov 2016 08:39:10 +0000]
arm64: dts: HE: enable BL poweroff on red state

- BL power off device when verified boot in RED state

Bug 200205420

Change-Id: I1a779e42b76352aa37275e8d8efa686cddd5b72c
Signed-off-by: Yunfan Zhang <yunfanz@nvidia.com>
Reviewed-on: http://git-master/r/1252601
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Ian Chang <ianc@nvidia.com>
Tested-by: Ian Chang <ianc@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jay Bhukhanwala <jbhukhanwala@nvidia.com>
Reviewed-by: Robert Shih <rshih@nvidia.com>

2 years agommc: sd: change attribute speed_class to decimal
Harry Lin [Mon, 14 Nov 2016 05:53:40 +0000]
mmc: sd: change attribute speed_class to decimal

Change SD attribute /sys/block/mmcblk#/device/speed_class
from hexadecimal to decimal.

Bug 200245639

Change-Id: Iad3a7d709db405cbd0b73459ca8ed69856674543
Signed-off-by: Harry Lin <harlin@nvidia.com>
Reviewed-on: http://git-master/r/1252512
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>

2 years agoUPSTREAM: ASN.1: Fix non-match detection failure on data overrun
David Howells [Mon, 11 Jul 2016 21:18:11 +0000]
UPSTREAM: ASN.1: Fix non-match detection failure on data overrun

(cherry pick from commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f)

If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
matches get skipped if there's no more data to be had rather than a
data-overrun error being reported.

This is due to the code segment that decides whether to skip optional
matches (ie. matches that could get ignored because an element is marked
OPTIONAL in the grammar) due to a lack of data also skips non-optional
elements if the data pointer has reached the end of the buffer.

This can be tested with the data decoder for the new RSA akcipher algorithm
that takes three non-optional integers.  Currently, it skips the last
integer if there is insufficient data.

Without the fix, #defining DEBUG in asn1_decoder.c will show something

next_op: pc=0/13 dp=0/270 C=0 J=0
- match? 30 30 00
- TAG: 30 266 CONS
next_op: pc=2/13 dp=4/270 C=1 J=0
- match? 02 02 00
- TAG: 02 257
- LEAF: 257
next_op: pc=5/13 dp=265/270 C=1 J=0
- match? 02 02 00
- TAG: 02 3
- LEAF: 3
next_op: pc=8/13 dp=270/270 C=1 J=0
next_op: pc=11/13 dp=270/270 C=1 J=0
- end cons t=4 dp=270 l=270/270

The next_op line for pc=8/13 should be followed by a match line.

This is not exploitable for X.509 certificates by means of shortening the
message and fixing up the ASN.1 CONS tags because:

 (1) The relevant records being built up are cleared before use.

 (2) If the message is shortened sufficiently to remove the public key, the
     ASN.1 parse of the RSA key will fail quickly due to a lack of data.

 (3) Extracted signature data is either turned into MPIs (which cope with a
     0 length) or is simpler integers specifying algoritms and suchlike
     (which can validly be 0); and

 (4) The AKID and SKID extensions are optional and their removal is handled
     without risking passing a NULL to asymmetric_key_generate_id().

 (5) If the certificate is truncated sufficiently to remove the subject,
     issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
     stack underflow' return.

This is not exploitable for PKCS#7 messages by means of removal of
elements from such a message from the tail end of a sequence:

 (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
     as detailed above.

 (2) The message digest content isn't used if it shows a NULL pointer,
     similarly, the authattrs aren't used if that shows a NULL pointer.

 (3) A missing signature results in a NULL MPI - which the MPI routines deal

 (4) If data is NULL, it is expected that the message has detached content and
     that is handled appropriately.

 (5) If the serialNumber is excised, the unconditional action associated
     with it will pick up the containing SEQUENCE instead, so no NULL
     pointer will be seen here.

     If both the issuer and the serialNumber are excised, the ASN.1 decode
     will fail with an 'Unexpected tag' return.

     In either case, there's no way to get to asymmetric_key_generate_id()
     with a NULL pointer.

 (6) Other fields are decoded to simple integers.  Shortening the message
     to omit an algorithm ID field will cause checks on this to fail early
     in the verification process.

This can also be tested by snipping objects off of the end of the ASN.1 stream
such that mandatory tags are removed - or even from the end of internal
SEQUENCEs.  If any mandatory tag is missing, the error EBADMSG *should* be
produced.  Without this patch ERANGE or ENOPKG might be produced or the parse
may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
later, depending on what gets snipped.

Just snipping off the final BIT_STRING or OCTET_STRING from either sample
should be a start since both are mandatory and neither will cause an EBADMSG
without the patches

Jira EASS-863

Bug 1797728

Reported-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
Change-Id: I4f6003fade25d8c77baafdff3af084c739efa69c
Bug: 28751627
(cherry picked from commit 62882e757d95076bbd14371ebfaf1246f0191816)
Reviewed-on: http://git-master/r/1209644
(cherry picked from commit 4d84d5a01f0ff0eaa16cc94632a0e83208998bc0)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213242
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 2a4e8a8787008b4730837f29c62726249705eea0)
Reviewed-on: http://git-master/r/1230817
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
(cherry picked from commit dae3090aff58be2ffb4df841102a806573fe4459)
Reviewed-on: http://git-master/r/1250875
Reviewed-by: Vaibhav Shinde <vashinde@nvidia.com>
Tested-by: Vaibhav Shinde <vashinde@nvidia.com>

2 years agoKEYS: potential uninitialized variable
Dan Carpenter [Thu, 16 Jun 2016 14:48:57 +0000]
KEYS: potential uninitialized variable

If __key_link_begin() failed then "edit" would be uninitialized.  I've
added a check to fix that.

This allows a random user to crash the kernel, though it's quite
difficult to achieve.  There are three ways it can be done as the user
would have to cause an error to occur in __key_link():

 (1) Cause the kernel to run out of memory.  In practice, this is difficult
     to achieve without ENOMEM cropping up elsewhere and aborting the

 (2) Revoke the destination keyring between the keyring ID being looked up
     and it being tested for revocation.  In practice, this is difficult to
     time correctly because the KEYCTL_REJECT function can only be used
     from the request-key upcall process.  Further, users can only make use
     of what's in /sbin/request-key.conf, though this does including a
     rejection debugging test - which means that the destination keyring
     has to be the caller's session keyring in practice.

 (3) Have just enough key quota available to create a key, a new session
     keyring for the upcall and a link in the session keyring, but not then
     sufficient quota to create a link in the nominated destination keyring
     so that it fails with EDQUOT.

The bug can be triggered using option (3) above using something like the

echo 80 >/proc/sys/kernel/keys/root_maxbytes
keyctl request2 user debug:fred negate @t

The above sets the quota to something much lower (80) to make the bug
easier to trigger, but this is dependent on the system.  Note also that
the name of the keyring created contains a random number that may be
between 1 and 10 characters in size, so may throw the test off by
changing the amount of quota used.

Assuming the failure occurs, something like the following will be seen:

kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
------------[ cut here ]------------
kernel BUG at ../mm/slab.c:2821!
RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
RSP: 0018:ffff8804014a7de8  EFLAGS: 00010092
RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
Call Trace:

(cherry picked from commit 38327424b40bcebe2de92d07312c89360ac9229a)
Jira EASS-863

Bug 1797728

Change-Id: Iaf1905f06f52e547654274cbb4827dd03866b71b
Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-on: http://git-master/r/1209532
(cherry picked from commit d84542d36e9d5968c1cef665e9e0a5c70f8eabc4)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213221
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 552d71467ba0fda2d8816408201b77599e624aca)
Reviewed-on: http://git-master/r/1230814
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
(cherry picked from commit 842aad2797759fcb19e49457882ab40b7859160f)
Reviewed-on: http://git-master/r/1250872
Reviewed-by: Vaibhav Shinde <vashinde@nvidia.com>
Tested-by: Vaibhav Shinde <vashinde@nvidia.com>

2 years agofs: ext4: disable support for FALLOC_FL_PUNCH_HOLE
Woojung Min [Thu, 10 Nov 2016 05:48:18 +0000]
fs: ext4: disable support for FALLOC_FL_PUNCH_HOLE

Disable support for the fallocate FALLOC_FL_PUNCH_HOLE to
prevent the race conditions.


Jira EASS-863

Bug 1797728

Change-Id: Iae76df73f811da4e8209d21dd0803b070c0db684
Reviewed-on: http://git-master/r/1209635
(cherry picked from commit 9704617c5412f4cde41270259331a9078b479915)
Reviewed-on: http://git-master/r/1213238
(cherry picked from commit 533c2cafdb20f630647b88ae443b580216ebfc34)
Reviewed-on: http://git-master/r/1230816
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1250871
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agousbnet: cleanup after bind() in probe()
Oliver Neukum [Mon, 7 Mar 2016 10:31:10 +0000]
usbnet: cleanup after bind() in probe()

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
and needs to go on top of Linus' fix to cdc-ncm.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Bug 1797728

(cherry picked from commit 1666984c8625b3db19a9abc298931d35ab7bc64b)
Change-Id: Ibc50a06dee69894e18bb62f5969e1718138395cf
(cherry picked from commmit f10f1a249226dfac19ce97b606bb5cea814e63ca)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214495
Reviewed-by: Jinyoung Park <jinyoungp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

(cherry picked from commit fee44a55ae456313dcfb0e41ea70fc2227ebe44c)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Change-Id: Ia1dd62d6e0e8453c146a8161fc68f8e092c88c3a
Reviewed-on: http://git-master/r/1231203
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
(cherry picked from commit 795ce24a85f0b197431d4dba743e78ffd99a56fb)
Reviewed-on: http://git-master/r/1250870

2 years agovideo: tegra: host: Optimize the accuracy of actmon average load
Nicolin Chen [Thu, 3 Nov 2016 20:03:29 +0000]
video: tegra: host: Optimize the accuracy of actmon average load

According to Bug 1381833, we can enlarge the k value and sample period
to increase the accuracy of the average load value from the activity
monitor. (The range of k is [1, 6] while the sample period should not
exceed 22us.)

Based on the experiments mentioned in the Bug 1828143, we found that
setting k=5 and sample period=20us could be relatively benifit to the
accuracy of the average load.

So this patch just modifies these two values.

Bug 1828143

Change-Id: I6fbd4d6a832248e121f177cc5e30640d3702e84c
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-on: http://git-master/r/1248444
GVS: Gerrit_Virtual_Submit
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>

2 years agotegra: fuse: remove cmd sensing after fuse program
Shardar Shariff Md [Fri, 11 Nov 2016 14:23:25 +0000]
tegra: fuse: remove cmd sensing after fuse program

- Remove cmd sense after fuse programming as recommended by ASIC.
- Correct the fuse programing width time

Bug 1832850

Change-Id: I6fb4ac0fa55bb3830cb1ea937c9939ecfba308bf
Signed-off-by: Shardar Shariff Md <smohammed@nvidia.com>
Reviewed-on: http://git-master/r/1251999
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years agonet: wireless: bcmdhd / bcmdhd_88: Disable tcpdump feature by default
Michael Hsu [Thu, 6 Oct 2016 23:43:03 +0000]
net: wireless: bcmdhd / bcmdhd_88: Disable tcpdump feature by default

Disable saving tcpdump records until it is enabled (by writing 'enable'
command to the sysfs node).

Only tcpdump records is disabled by default - other record types, such
as power or wifi stats records, are still enabled by default.

Bug 200240507

Change-Id: I033b5e3057b25c4e828a2ea179e0898e13002a31
Signed-off-by: Michael Hsu <mhsu@nvidia.com>
Reviewed-on: http://git-master/r/1232801
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years agoRevert "ext4: use old interface for ext4_readdir()"
Ian Chang [Mon, 7 Nov 2016 08:14:16 +0000]
Revert "ext4: use old interface for ext4_readdir()"

This reverts commit b6b8b43596251f7f1e8379665ac2bcc4aa1c831c.

The change we revert will cause file system iterate call back
function broken. So reverting that.

bug 200205692

Change-Id: I95cf767789c3c93ff772d55ddc53669bb7eadd81
Signed-off-by: Ian Chang <ianc@nvidia.com>
Reviewed-on: http://git-master/r/1249510
Reviewed-by: Robert Shih <rshih@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agoARM64: dts: darcy: rtc alarm2 wakeup via EN1 signal
Venkat Reddy Talla [Thu, 10 Nov 2016 08:37:15 +0000]
ARM64: dts: darcy: rtc alarm2 wakeup via EN1 signal

Adding maxim,enable-rtc2-alarm-wakeup to pmic dts node
to enable rtc alarm2 wake up via EN1 signal.

Bug 200236913

Change-Id: Ia3f0eaa60886acd9f875b213f3e76095c028d8e6
Signed-off-by: Venkat Reddy Talla <vreddytalla@nvidia.com>
Reviewed-on: http://git-master/r/1250977
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agortc: max77620: set rtc alarm2 for 9sec wakeup
Venkat Reddy Talla [Thu, 13 Oct 2016 14:06:32 +0000]
rtc: max77620: set rtc alarm2 for 9sec wakeup

configuring rtc alarm2 for 9sec wakeup to handle
darcy device boot fail when power adapter is removed
and connected back with in 5 seconds, resetting alarm time
+9 sec to current time again before expire in workqueue.
alarm time should expire only when power adapater is removed.

Bug 200236913

Change-Id: I6aa4f58ef83b53b4223d7502c9e7cf059c34dc60
Signed-off-by: Venkat Reddy Talla <vreddytalla@nvidia.com>
Reviewed-on: http://git-master/r/1250976
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoHID: usbhid: fix asynchronous resource free
Hans Yang [Tue, 8 Nov 2016 09:31:25 +0000]
HID: usbhid: fix asynchronous resource free

If usb_disconnect() and usbhid_disconnect() are invoked
asynchronously due to bottom-half workqueue to postpone
work in usbhid_disconnect(), following conditions might
* struct usb_device *dev memory resource has been freed.
* struct hid_device *dev is still available.
* user space issues a write to get hid report, calling
usbhid_output_raw_report() and lead to a kernel panic
due to invalid dereference from usbhid_device* to usb_dev*.

[ 137.137063] Unable to handle kernel paging request at
virtual address 000010ef
[ 137.144426] pgd = ffffffc0a1ec2000
[ 138.488914] Call trace:
[ 138.491362] [<ffffffc00073d0fc>] usb_submit_urb+0xb4/0x3e4
[ 138.496842] [<ffffffc00073e0f8>] usb_start_wait_urb+0x54/0x130
[ 138.502667] [<ffffffc00073e280>] usb_control_msg+0xac/0xf4
[ 138.508147] [<ffffffc000941aa8>] usbhid_output_raw_report+0xb8/0x10c
[ 138.514494] [<ffffffc00091ab0c>] hidraw_send_report+0x134/0x168
[ 138.520407] [<ffffffc00091ab7c>] hidraw_write+0x3c/0x58
[ 138.525625] [<ffffffc0001a1280>] vfs_write+0xc0/0x17c
[ 138.530669] [<ffffffc0001a1abc>] SyS_write+0x94/0x164

Also, if usb_dev memory is freed before freeing usbhid_device
resources, following crash dump may also be seen:

[42230.701858] Call trace:
[42230.704306] [<ffffffc000724e64>] hcd_buffer_free+0x18/0x130
[42230.709872] [<ffffffc000712a28>] usb_free_coherent+0x1c/0x24
[42230.715526] [<ffffffc000917ad8>] hid_free_buffers.isra.7+0x24/0x60
[42230.721696] [<ffffffc000917bf8>] usbhid_stop+0xe4/0x108
[42230.726914] [<ffffffc000913a80>] atvr_remove+0xa4/0x138
[42230.732134] [<ffffffc0008ec5f4>] hid_device_remove+0x80/0xc4
[42230.737788] [<ffffffc00051f7bc>] __device_release_driver+0x94/0xe4
[42230.743961] [<ffffffc00051f830>] device_release_driver+0x24/0x38
[42230.749959] [<ffffffc00051efd0>] bus_remove_device+0x140/0x164
[42230.755782] [<ffffffc00051c43c>] device_del+0x13c/0x19c
[42230.761001] [<ffffffc0008ec76c>] hid_destroy_device+0x28/0x60
[42230.766738] [<ffffffc000916b08>] usbhid_disconnect_bh+0x28/0x3c
[42230.772652] [<ffffffc0000c9a6c>] process_one_work+0x260/0x410
[42230.778390] [<ffffffc0000cabac>] worker_thread+0x204/0x378
[42230.783870] [<ffffffc0000d12a0>] kthread+0xc0/0xc8

This commit forces the usbhid_device and usb_dev resources
free are in order by introducing reference couning method into
usb hid driver. Whatever usb_disconnect() or usbhid_stop() is called
first, the usb_dev memory will only be freed when ref count goes to
zero, just before usbhid_device memory gets freed.

Bug 1834364

Signed-off-by: Hans Yang <hansy@nvidia.com>
Change-Id: I81748c60216c81dae55daaa9b0f331152121f8f6
Reviewed-on: http://git-master/r/1249662
Reviewed-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Tested-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-by: Henry Lin <henryl@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoclock: T124: Refine default cpu-emc table for power/perf benefits
Suril [Thu, 20 Oct 2016 20:35:23 +0000]
clock: T124: Refine default cpu-emc table for power/perf benefits

For the T124 CPU-EMC frequency in display off cases will use the default
table. This table has values that are refined for better perf/power
requirements. this patch has a more passive behavior for low power/perf

Bug 1825329

Signed-off-by: Suril Dhruv <sdhruv@nvidia.com>
Change-Id: Ifaefd927a7f1bd4a81035eb26b81ae0241730f73
Reviewed-on: http://git-master/r/1240146
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoclock : Pick up CPU-EMC frequency relation from device tree
Suril [Thu, 20 Oct 2016 19:14:31 +0000]
clock : Pick up CPU-EMC frequency relation from device tree

Provision darcy/foster to pick up the CPU-EMC frequency co relation
from it's individual device tree entry for display on cases and
from the default table in display off cases. The dtb has slightly
more aggressive values as compared to the default table optimized
for higher perf.

Bug 1825329
Signed-off-by: Suril Dhruv <sdhruv@nvidia.com>
Change-Id: Ib989389a6ee110868070fc89725386239a5a1674
Reviewed-on: http://git-master/r/1240072
Reviewed-by: Somdutta Roy <somduttar@nvidia.com>
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Aleksandr Frid <afrid@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jonathan Mccaffrey <jmccaffrey@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agohid: jarvis: Restrict init TSFW_ICM to TS only
Spencer Sutterlin [Fri, 21 Oct 2016 22:14:22 +0000]
hid: jarvis: Restrict init TSFW_ICM to TS only

Bug 200250677
Bug 1807528

Change-Id: I8b3933cb0fe8d4da5cbdb9d2bff031de2b791690
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1248539
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoARM64: config: tegra21: Increase compat mmap rnd bits to 16
Sri Krishna chowdary [Thu, 3 Nov 2016 08:55:26 +0000]
ARM64: config: tegra21: Increase compat mmap rnd bits to 16

This is required for Aslr test to pass with entropy 8.

bug 200226998

Change-Id: I78aefdacb862c94d2346da572809efaac488bdc1
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1247320
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agommc: sd: add attribute for speed class of SD
Harry Lin [Thu, 27 Oct 2016 08:03:02 +0000]
mmc: sd: add attribute for speed class of SD

Follow the design of debug sysfs node speed_class to add
a speed class attribute of SD.
cat /sys/block/mmcblk#/device/speed_class
4 - Class 10
3 - Class 6
2 - Class 4
1 - Class 2
0 - Class 0

Bug 200245639

Change-Id: I94f0e6557c2af7170c0b3ad813575d5c689e78ed
Signed-off-by: Harry Lin <harlin@nvidia.com>
Reviewed-on: http://git-master/r/1243608
GVS: Gerrit_Virtual_Submit
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>

2 years agoRevert "iio: imu: nvi: v.337 Fix DMP gyro"
Todd Poynter [Tue, 8 Nov 2016 22:06:04 +0000]
Revert "iio: imu: nvi: v.337 Fix DMP gyro"

Bug 1831500

This reverts commit d686b0fd4d60b0a9fc8f7bfd5408f6e557a16684.

Change-Id: I9c09d8aa711bb89c968b96d57912f12ed8dd6847
Signed-off-by: Todd Poynter <tpoynter@nvidia.com>
Reviewed-on: http://git-master/r/1249988
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit

2 years agousb: core: avoid PM error -ENODEV for detached MSD
Petlozu Pravareshwar [Thu, 22 Sep 2016 10:44:42 +0000]
usb: core: avoid PM error -ENODEV for detached MSD

Let rpm_resume() be successful for auto-suspended
usb MSD when disconnected, instead of failing with
-ENODEV. This would allow the resumption of upper
layer devices such as SCSI and would prevent
indefinite writeback wait on page if suspended MSD
is disonnected in middle of data transfer.

Bug 1731175

Change-Id: I534eeb19bb635c96eb6fb240790001ee723bb5ef
Signed-off-by: Petlozu Pravareshwar <petlozup@nvidia.com>
Reviewed-on: http://git-master/r/1225243
(cherry picked from commit 05bd5b51751a460e7510519255cd88ee16ab7c5a)
Reviewed-on: http://git-master/r/1246443
GVS: Gerrit_Virtual_Submit
Reviewed-by: Suresh Mangipudi <smangipudi@nvidia.com>
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years agousb: storage: enable auto-suspend for USB storage
Petlozu Pravareshwar [Thu, 22 Sep 2016 10:40:24 +0000]
usb: storage: enable auto-suspend for USB storage

Enable auto-suspend for USB Mass storage devices.

Bug 1731175

Change-Id: I0cfeff38e1cb4911419aaf91c25146a5ed1a2210
Signed-off-by: Petlozu Pravareshwar <petlozup@nvidia.com>
Reviewed-on: http://git-master/r/1180730
(cherry picked from commit 5dbb7628c7fe5b31e916172cc660f563600faefd)
Reviewed-on: http://git-master/r/1246442
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Suresh Mangipudi <smangipudi@nvidia.com>
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years agodriver core / PM: move the calling to device_pm_remove behind the calling to bus_remo...
LongX Zhang [Wed, 24 Oct 2012 22:21:28 +0000]
driver core / PM: move the calling to device_pm_remove behind the calling to bus_remove_device

We hit an hang issue when removing a mmc device on Medfield Android phone by sysfs interface.

device_pm_remove will call pm_runtime_remove which would disable
runtime PM of the device. After that pm_runtime_get* or
pm_runtime_put* will be ignored. So if we disable the runtime PM
before device really be removed, drivers' _remove callback may
access HW even pm_runtime_get* fails. That is bad.

Consider below call sequence when removing a device:
device_del => device_pm_remove
             => class_intf->remove_dev(dev, class_intf)  => pm_runtime_get_sync/put_sync
             => bus_remove_device => device_release_driver => pm_runtime_get_sync/put_sync

remove_dev might call pm_runtime_get_sync/put_sync.
Then, generic device_release_driver also calls pm_runtime_get_sync/put_sync.
Since device_del => device_pm_remove firstly, later _get_sync wouldn't really wake up the device.

I git log -p to find the patch which moves the calling to device_pm_remove ahead.
It's below patch:

commit  775b64d2b6ca37697de925f70799c710aab5849a
Author: Rafael J. Wysocki <rjw@sisk.pl>
Date:   Sat Jan 12 20:40:46 2008 +0100

     PM: Acquire device locks on suspend

     This patch reorganizes the way suspend and resume notifications are
     sent to drivers.  The major changes are that now the PM core acquires
     every device semaphore before calling the methods, and calls to
     device_add() during suspends will fail, while calls to device_del()
     during suspends will block.

     It also provides a way to safely remove a suspended device with the
     help of the PM core, by using the device_pm_schedule_removal() callback
     introduced specifically for this purpose, and updates two drivers (msr
     and cpuid) that need to use it.

As device_pm_schedule_removal is deleted by another patch, we need also revert other parts of the patch,
i.e. move the calling of device_pm_remove after the calling to bus_remove_device.

Signed-off-by: LongX Zhang <longx.zhang@intel.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
(cherry picked from commit 4b6d1f12f9c4e0e420d5747d3ae285d8f66d627f)

Bug 1731175

Change-Id: Ic6113974660fc4a6a63566b8dbbb4887ff04dd2b
Signed-off-by: Petlozu Pravareshwar <petlozup@nvidia.com>
Reviewed-on: http://git-master/r/1246440
GVS: Gerrit_Virtual_Submit
Reviewed-by: Suresh Mangipudi <smangipudi@nvidia.com>
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years agovideo: tegra: host: Prevent the race between channel open and close
Gagan Grover [Fri, 4 Nov 2016 11:09:33 +0000]
video: tegra: host: Prevent the race between channel open and close

Moved fd_install() at the end of the channel_open ioctl. So, the fd
can't be used until open ioctl completes.

Bug 1832094

Change-Id: Ib33d43bf5164418a38f98677d4e3295f3d1c1450
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248180
GVS: Gerrit_Virtual_Submit
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>

2 years agoiio: imu: nvi: v.337 Fix DMP gyro
Erik Lilliebjerg [Tue, 1 Nov 2016 15:54:52 +0000]
iio: imu: nvi: v.337 Fix DMP gyro

- Fix ICM DMP gyroscope data output to match the standard FIFO data output.

Bug 1831500

Change-Id: Ie26071fe211c390a03d4f912815ed00a89beff8b
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1245846
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years agoARM: enable PSTORE_PMSG
Ian Chang [Fri, 26 Jun 2015 06:12:04 +0000]

enable CONFIG_PSTORE_PMSG in tegra124/tegra210

bug 200104058
bug 200247808

Change-Id: I733d2b0cf6355bf0be4fa67c845b4f8ee983808a
Signed-off-by: Ian Chang <ianc@nvidia.com>
Reviewed-on: http://git-master/r/762795
(cherry picked from commit 17970ff09ffe126aff215aa7edb42b9f957b1612)
Reviewed-on: http://git-master/r/1244236
Reviewed-by: Robert Shih <rshih@nvidia.com>
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agoplatform: tegra: add PSTORE_PMSG buffer
Ian Chang [Fri, 26 Jun 2015 06:09:16 +0000]
platform: tegra: add PSTORE_PMSG buffer

add pstore pmsg buffer to store in tegra

bug 200104058
bug 200247808

Change-Id: Icfd2c6be5320a3e904e1470d961b1a3689699717
Signed-off-by: Ian Chang <ianc@nvidia.com>
Reviewed-on: http://git-master/r/762794
(cherry picked from commit 9d9f73fbf26e1c246a15a765ab2eac501b208ff8)
Reviewed-on: http://git-master/r/1244234
Reviewed-by: Robert Shih <rshih@nvidia.com>
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agotegra-alt:adsp: NULL check for app variable
Viswanath L [Fri, 28 Oct 2016 07:46:39 +0000]
tegra-alt:adsp: NULL check for app variable

ADSP app variables are not initialized in all cases (like at APM
output pin) causing NULL pointer access to app->override_freq_work

NULL check fixes this; override_freq_work will get called at widget
ON event

Bug 200245012

Change-Id: Ie6161c0247d8b15db88bdef706ab6c3b472fa977
Signed-off-by: Viswanath L <viswanathl@nvidia.com>
Reviewed-on: http://git-master/r/1244336
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Sumit Bhattacharya <sumitb@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>

2 years agocdc_ncm: add back FLAG_RMNET flag
Vaibhav Shinde [Thu, 20 Oct 2016 05:30:33 +0000]
cdc_ncm: add back FLAG_RMNET flag

This flasg was missed while cherry-picking the upstream change
4d06dd537f95683aba3651098ae288b7cbff8274 in commit

Bug 200244875

Change-Id: Ife6363cca4ef6616b3ed433c03517def9f4e88d5
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1239634
(cherry picked from commit 1c2cf72f8ec8efd04c4822561fdf04a7233263cc)
Reviewed-on: http://git-master/r/1243138
Reviewed-by: Todd Poynter <tpoynter@nvidia.com>
Tested-by: Todd Poynter <tpoynter@nvidia.com>

2 years agousb: gadget: f_fs: make it support v2 func descp
Hans Yang [Tue, 4 Oct 2016 06:48:35 +0000]
usb: gadget: f_fs: make it support v2 func descp

To support Android N adb via super spped to work,
need to accept V2 function descriptors from user space
drivers; without this change it will crash when adb is
working as superspeed.

Bug 200235473

Change-Id: I06f74880e26dd9c71e4cee2c8034d44a0259d5a1
Signed-off-by: Hans Yang <hansy@nvidia.com>
Reviewed-on: http://git-master/r/1231235
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>
(cherry picked from commit 90105aa07f720c14e175499809351f240b5b6f8e)
Reviewed-on: http://git-master/r/1243574
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Mark Kuo <mkuo@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agousb: gadget: xudc: fix null update deq pointer
Hans Yang [Wed, 19 Oct 2016 03:28:46 +0000]
usb: gadget: xudc: fix null update deq pointer

This commit adds pointer-check to prevent empty dma address
from an event trb (Ring Overrun/Underrun) being dereferenced
at updating dequeue pointer in udc driver.

The empty dma address will also be translated to null virtual
address and hence dereferencing it causes a kernel panic:

Unable to handle kernel NULL pointer dereference at virtual
address 0000001c
[  269.335313] PC is at update_dequeue_pt+0x38/0x5c
[  269.339925] LR is at update_dequeue_pt+0x2c/0x5c

Bug 200241737

Change-Id: I77c71703ea3ee353005349e9b33e4a587a81cef3
Signed-off-by: Hans Yang <hansy@nvidia.com>
Reviewed-on: http://git-master/r/1243062
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agonet: wireless: bcmdhd_88: security enhancement for BRCM ether type
Ramanathan R [Mon, 24 Oct 2016 08:06:34 +0000]
net: wireless: bcmdhd_88: security enhancement for BRCM ether type

Strict checkup for type and event data length
Patch to fix CVE-2016-0801 in DHD driver

Bug 200240360

Change-Id: I67cab7809740c1cba9079fbab0a3ad1848cd7586
Signed-off-by: Ramanathan R <ramanathan.r@broadcom.com>
Signed-off-by: Mohan Thadikamalla <mohant@nvidia.com>
Reviewed-on: http://git-master/r/1241426
GVS: Gerrit_Virtual_Submit
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years agovideo: tegra: dc: protect unpin handle using mutex
Prafull Suryawanshi [Wed, 13 Jul 2016 09:14:11 +0000]
video: tegra: dc: protect unpin handle using mutex

bug 200208064

This change fixes the race condition where detach dma buffer
happens due to parallel paths in dc driver.
hpd worker and fb blank calls unpin window which unpin dma handles.
This is also done by flip_worker. There is possibility that same
buffer can be detached twice causing kernel panic. This change
protects cur_handle which is referred before doing unpin dma handles.

Change-Id: I8fa317d8d5fe62724c44c3630f71739ebb0c23ed
Signed-off-by: Prafull Suryawanshi <prafulls@nvidia.com>
Reviewed-on: http://git-master/r/1180645
(cherry picked from commit f48c266c999337b216abe3f49d709843b58d2fdb)
Reviewed-on: http://git-master/r/1199050
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agousb: gadget: xudc: fix retrieve request logic
Hans Yang [Sat, 22 Oct 2016 05:58:36 +0000]
usb: gadget: xudc: fix retrieve request logic

This commit fixes a wrong memory access issue.
When the gadget function driver dequeues a request which
may has been completed by HW, then at handling its transfer
event, retrieving its corresponding request pointer could
be incorrect. SW should check if the request queue
is empty and the request is the correct one to avoid incorrect
memory access.

Below shows the call trace for an incorrect memory access case
Unable to handle kernel paging request at virtual
address ff0000c0be320e0a
PC is at ep_matches+0x38/0x2b4
LR is at usb_ep_autoconfig_ss+0x148/0x180
[<ffffffc00078b50c>] ep_matches+0x38/0x2b4
[<ffffffc00078b8d0>] usb_ep_autoconfig_ss+0x148/0x180
[<ffffffc00078b918>] usb_ep_autoconfig+0x10/0x18
[<ffffffc0007a9c84>] __ffs_func_bind_do_descs+0x100/0x170
[<ffffffc0007aa94c>] ffs_do_descs+0x4c/0x13c
[<ffffffc0007b29b8>] ffs_func_bind+0x224/0x338
[<ffffffc00078bdc4>] usb_add_function+0x98/0x180
[<ffffffc0007b3a68>] functionfs_bind_config+0xd0/0x100
[<ffffffc0007b3ab0>] ffs_function_bind_config+0x18/0x20
[<ffffffc0007a94e8>] android_bind_config+0x44/0x94
[<ffffffc00078c40c>] usb_add_config+0x7c/0x2ac
[<ffffffc0007b3cf4>] android_enable.isra.53+0x44/0x78
[<ffffffc0007ba154>] ffs_ep0_write+0x5c0/0x7bc
[<ffffffc0001a11ec>] vfs_write+0xc0/0x17c
[<ffffffc0001a1a28>] SyS_write+0x94/0x164

Bug 1824860

Change-Id: If742a8b4f8686cfa147c085913cf065b54dd022b
Signed-off-by: Hans Yang <hansy@nvidia.com>
Reviewed-on: http://git-master/r/1243044
Reviewed-by: Mark Kuo <mkuo@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agodevfreq: governor_pod: Raise threshold for vic03
Nicolin Chen [Thu, 13 Oct 2016 19:35:27 +0000]
devfreq: governor_pod: Raise threshold for vic03

The threshold used to govern the vic03 clock rate
is set at 250 (25% of the total capacity) which
seems to be too low as it's easier for devfreq to
drive the clock higher and then impact the power.

So this patch raises the threshold further to 30%
so as not to make the frequency fluctuate much.

Bug 200228585

Change-Id: Id13950bf170b21c8f6f9caf670efff25c4341f67
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-on: http://git-master/r/1236174
GVS: Gerrit_Virtual_Submit
Reviewed-by: Somdutta Roy <somduttar@nvidia.com>
Reviewed-by: Aleksandr Frid <afrid@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Tested-by: Somdutta Roy <somduttar@nvidia.com>

2 years agoiio: common: nvs: Set st->trig null after free
Spencer Sutterlin [Fri, 28 Oct 2016 01:11:33 +0000]
iio: common: nvs: Set st->trig null after free

Bug 200244923

Change-Id: Icd3cb01825fed14604130b278af6fa64b70365c0
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1244153
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years agomedia: i2c: ov5693: Fix potential power-leaks
Sudhir Vyas [Wed, 14 Sep 2016 05:58:45 +0000]
media: i2c: ov5693: Fix potential power-leaks

- Make sure to power off camera rails
in case of intermediate errors.
- Remove unnecessary return error checks for
power-off function calls.

Bug 200186908
Bug 200233021

Change-Id: I63ef1929535756b8378380fee5134b9c275d96bb
Signed-off-by: Sudhir Vyas <svyas@nvidia.com>
Reviewed-on: http://git-master/r/1220516
(cherry picked from commit 600f6a141c99893ac92d937d4cb0e37834faf2fc)
Reviewed-on: http://git-master/r/1242841
Reviewed-by: Aaron Huang <aaronh@nvidia.com>
Tested-by: Aaron Huang <aaronh@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>

2 years agovideo: tegra: hdmi2.0: fix hpd state in recovery
Prafull Suryawanshi [Mon, 24 Oct 2016 07:03:01 +0000]
video: tegra: hdmi2.0: fix hpd state in recovery

bug 200242122
bug 200243233

In kernel recovery path, we accidently disable hdmi
monitor in hpd event. This causes no display on hdmi
monitor in recovery mode which is 480p.
In normal scenario, rest of hpd engine takes care
but recovery, hpd is disabled causing this issue.
The hpd state is now checked which is set by bl for
this specific scenario.

Change-Id: I8812753927a2c6845c6b1c58cde83e91abbbbec0
Signed-off-by: Prafull Suryawanshi <prafulls@nvidia.com>
Reviewed-on: http://git-master/r/1241478
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Santosh Galma <galmar@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years agohid: jarvis: Use kmalloc for pcm buffers
Ankita Garg [Wed, 12 Oct 2016 19:46:07 +0000]
hid: jarvis: Use kmalloc for pcm buffers

For buffering voice data before mic open,
we moved buffer allocations to the
audio_dec function. However, audio_dec
could be called from interrupt context if
the controller is connected over USB
instead of BT. So the allocations inside
audio_dec cannot use vmalloc.

This change causes the audio buffers to
be pre-allocated at device probe time
and will be allocated until the device
is connected.

Bug 1825439

Change-Id: I26dab7f232a5e146168482e13d7d19301bf8a4c9
Signed-off-by: Ankita Garg <ankitag@nvidia.com>
Reviewed-on: http://git-master/r/1235462
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agoarch: arm64: config: enable cpuset for t210 android
Christopher Freeman [Tue, 4 Oct 2016 20:26:03 +0000]
arch: arm64: config: enable cpuset for t210 android

boot.img size is increased by 18432 bytes

Bug 1815239

Change-Id: I5bb8fd436f2fc9de19f2fd0ff8b9f08d06b17d6f
Signed-off-by: Christopher Freeman <cfreeman@nvidia.com>
Reviewed-on: http://git-master/r/1231557
(cherry picked from commit f05cb72943a893a73cbfd9edd667b2b12241dd87 in
Reviewed-on: http://git-master/r/1240275
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years agokernel: cpuset: Make cpusets restore on hotplug
Riley Andrews [Fri, 12 Jun 2015 21:36:28 +0000]
kernel: cpuset: Make cpusets restore on hotplug

This deliberately changes the behavior of the per-cpuset
cpus file to not be effected by hotplug. When a cpu is offlined,
it will be removed from the cpuset/cpus file. When a cpu is onlined,
if the cpuset originally requested that that cpu was part of the cpuset, that
cpu will be restored to the cpuset. The cpus files still
have to be hierachical, but the ranges no longer have to be out of
the currently online cpus, just the physically present cpus.

Bug 1815239

Change-Id: I3efbae24a1f6384be1e603fb56f0d3baef61d924
Signed-off-by: Christopher Freeman <cfreeman@nvidia.com>
Reviewed-on: http://git-master/r/1231559
(cherry picked from commit 2b02e3175e322505383c4c2cb123de34294e77e5 in
Reviewed-on: http://git-master/r/1235405
Reviewed-by: Maneet Maneet Singh <mmaneetsingh@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

2 years agoangler: Add allow_attach hook for cpusets on android.
Riley Andrews [Sat, 6 Jun 2015 01:59:29 +0000]
angler: Add allow_attach hook for cpusets on android.

Bug 1815239

Change-Id: Ic1b61b2bbb7ce74c9e9422b5e22ee9078251de21
[cfreeman@nvidia.com: change uid comparators]
Signed-off-by: Christopher Freeman <cfreeman@nvidia.com>
Reviewed-on: http://git-master/r/1231558
(cherry picked from commit c310b0a2468af82b44e7b320c43de2acfbd2f478 in
Reviewed-on: http://git-master/r/1240274
Reviewed-by: Maneet Maneet Singh <mmaneetsingh@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

2 years agomm: remove gup_flags FOLL_WRITE games from __get_user_pages()
Gagan Grover [Fri, 21 Oct 2016 08:25:48 +0000]
mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.

This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better).  The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9.  Earlier kernels will
have to look at the page state itself.

Also, the VM has become more scalable, and what used a purely
theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.

bug 1829674

Change-Id: I13a55845a79f92c0c90228a229947d2bdf616a4a
Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1240465
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agovideo: tegra: host: add lower bound to num_syncpt_incrs
Gagan Grover [Fri, 21 Oct 2016 06:15:00 +0000]
video: tegra: host: add lower bound to num_syncpt_incrs

Check if there is at least one syncpt_incrs in each job.

Bug 1812182

Change-Id: I0bd0b2e7c4d01641c83ba729ec34390ddea81496
Reviewed-on: http://git-master/r/1221226
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1240374
GVS: Gerrit_Virtual_Submit
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>