2 years ago  BACKPORT: aio: mark AIO pseudo-fs noexec
Nick Desaulniers [Mon, 16 Jan 2017 12:58:30 +0000]
BACKPORT: aio: mark AIO pseudo-fs noexec

This ensures that do_mmap() won't implicitly make AIO memory mappings
executable if the READ_IMPLIES_EXEC personality flag is set.  Such
behavior is problematic because the security_mmap_file LSM hook doesn't
catch this case, potentially permitting an attacker to bypass a W^X
policy enforced by SELinux.

I have tested the patch on my machine.

To test the behavior, compile and run this:

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sys/personality.h>
    #include <linux/aio_abi.h>
    #include <err.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/syscall.h>

    int main(void) {
        personality(READ_IMPLIES_EXEC);
        aio_context_t ctx = 0;
        if (syscall(__NR_io_setup, 1, &ctx))
            err(1, "io_setup");

        char cmd[1000];
        sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
            (int)getpid());
        system(cmd);
        return 0;
    }

In the output, "rw-s" is good, "rwxs" is bad.

Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a)

Bug: 31711619
Bug 1858126
CVE-2016-10044 (A-31711619)

Change-Id: I9f2872703bef240d6b82320c744529459bb076dc
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285940
(cherry picked from commit b552c94fbcad36a52973a1141adafbe351b75b90)
Reviewed-on: http://git-master/r/1299533
(cherry picked from commit 79d1f35c10e5438fbb441cd1524b02cda377e04f)
Reviewed-on: http://git-master/r/1311426
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  fs/proc/array.c: make safe access to group_leader
Adrian Salido [Mon, 16 Jan 2017 11:56:05 +0000]
fs/proc/array.c: make safe access to group_leader

As mentioned in commit 52ee2dfdd4f51cf422ea6a96a0846dc94244aa37
("pids: refactor vnr/nr_ns helpers to make them safe"), the *_nr_ns
helpers used to be buggy. That commit addresses most of the helpers but
is missing task_tgid_xxx().

Without this protection there is a possible use after free reported by
kasan instrumented kernel:

==================================================================
BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
Read of size 8 by task cat/2472
CPU: 1 PID: 2472 Comm: cat Tainted: ****
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c
[<ffffffc00020aec0>] show_stack+0x18/0x24
[<ffffffc0011573d0>] dump_stack+0x94/0x100
[<ffffffc0003c7dc0>] kasan_report+0x308/0x554
[<ffffffc0003c7518>] __asan_load8+0x20/0x7c
[<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44
[<ffffffc00046951c>] proc_pid_status+0x444/0x1080
[<ffffffc000460f60>] proc_single_show+0x8c/0xdc
[<ffffffc0004081b0>] seq_read+0x2e8/0x6f0
[<ffffffc0003d1420>] vfs_read+0xd8/0x1e0
[<ffffffc0003d1b98>] SyS_read+0x68/0xd4

This race condition is addressed by accessing group_leader while
holding rcu_lock and using the now-safe helpers introduced in the
commit mentioned above.

Bug: 31495866
Bug 1858126
CVE-2017-0427 (A-31495866)

Signed-off-by: Adrian Salido <salidoa@google.com>
Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285902
(cherry picked from commit 3367b633042dcc778642f95cd0b3acd6c3a0a0fe)
Reviewed-on: http://git-master/r/1299523
(cherry picked from commit d6b8dd489f260d69473e03609b2ac637a3a75201)
Reviewed-on: http://git-master/r/1311423
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  video: tegra: nvmap: fix nvmap create handle vulnerability
skadamati [Thu, 15 Dec 2016 11:23:22 +0000]
video: tegra: nvmap: fix nvmap create handle vulnerability

Handle the race condition between a malicious fd close and a
copy_to_user error, which can create a use-after-free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to the use-after-free condition.
Fixing Google Bug 32160775.

Bug 1835857
Bug 200260161
Bug 1849492
Bug 1825283
CVE-2016-8424 (A-31606947)

Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Reviewed-on: http://git-master/r/1248391
(cherry picked from commit c26f2a34c189bef2d99740a420b2ab4023d912c0)
Reviewed-on: http://git-master/r/1273324
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285852
(cherry picked from commit b1513dff2b4bd35d1b400645642bce8dcf3c96c7)
Reviewed-on: http://git-master/r/1299501
(cherry picked from commit 3993b1f51cd24e93b460d24b2659f0c7a6c6cf8a)
Reviewed-on: http://git-master/r/1311422
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  video: tegra: nvmap: Fix OOB vulnerability
Sagar Kadamati [Tue, 6 Dec 2016 06:08:01 +0000]
video: tegra: nvmap: Fix OOB vulnerability

Check all pages' parameters before reserving pages.

Bug 1831426
Bug 200247013
Bug 1849492
CVE-2016-8428 (A-31993456)

Manual port: http://git-psac/r/9287

(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)

Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Reviewed-on: http://git-master/r/1273326
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285872
(cherry picked from commit 0a44c684a3bdad4d25d0c5a89e04170196e12ff6)
Reviewed-on: http://git-master/r/1299504
(cherry picked from commit e124868998c604716d0ece1a0cb7e187db4adb18)
Reviewed-on: http://git-master/r/1311421
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  KEYS: Fix short sprintf buffer in /proc/keys show function
David Howells [Wed, 26 Oct 2016 14:01:54 +0000]
KEYS: Fix short sprintf buffer in /proc/keys show function

This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:

(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.

The panic incurred looks something like:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
 ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
 [<ffffffff813d941f>] dump_stack+0x63/0x84
 [<ffffffff811b2cb6>] panic+0xde/0x22a
 [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
 [<ffffffff81350410>] ? key_validate+0x50/0x50
 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
 [<ffffffff8126b31c>] seq_read+0x2cc/0x390
 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
 [<ffffffff81244fc7>] __vfs_read+0x37/0x150
 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
 [<ffffffff81246156>] vfs_read+0x96/0x130
 [<ffffffff81247635>] SyS_read+0x55/0xc0
 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

CVE-2016-7042
Bug 1849492

Change-Id: I5117ab6175297f657a498fd2140080c7595b3a10
Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285745
(cherry picked from commit 7c1dcda59f88a1dec328afd398a9d9465fb44084)
Reviewed-on: http://git-master/r/1299506
(cherry picked from commit abd6568565c92f5246345f6195f2142ff2abf7ad)
Reviewed-on: http://git-master/r/1311420
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
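As an added example (not the patch or the kernel's own proc_keys_show() code), the buffer-sizing arithmetic the commit describes, written with a bounded snprintf(): the largest 64-bit timeout rendered in weeks is the 14-digit value above plus a unit suffix, which fits only in the 16-byte buffer the commit moves to. The 'w' suffix letter and all function names are assumptions.

```c
/* Added example modelled on the commit's description; not the kernel's code.
 * Sizes the buffer needed to render a 64-bit timeout in weeks and shows the
 * bounded write that a short sprintf() buffer lacks. The 'w' suffix is an
 * assumption based on "rendered as weeks". */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECS_PER_WEEK  (60ULL * 60 * 24 * 7)
#define OLD_XBUF_SIZE  12   /* 11 chars plus NUL: the size the commit calls short */
#define NEW_XBUF_SIZE  16   /* the size the commit expands xbuf[] to */

/* Render `timo` seconds as whole weeks into buf, never writing past buflen.
 * Returns the length the full rendering needs (excluding NUL), as snprintf()
 * reports it; a return value >= buflen means the output was truncated. */
size_t render_weeks(char *buf, size_t buflen, uint64_t timo)
{
    int n = snprintf(buf, buflen, "%lluw",
                     (unsigned long long)(timo / SECS_PER_WEEK));
    return n < 0 ? 0 : (size_t)n;
}

/* Bytes (including NUL) needed to hold the rendering of `timo`. */
size_t weeks_buf_needed(uint64_t timo)
{
    return render_weeks(NULL, 0, timo) + 1;   /* snprintf(NULL, 0, ...) only measures */
}

/* 1 if a buffer of `buflen` bytes holds the rendering of every 64-bit timeout. */
int weeks_buf_is_safe(size_t buflen)
{
    return weeks_buf_needed(UINT64_MAX) <= buflen;
}

/* 1 if the largest timeout, rendered into the 16-byte buffer, equals `expected`. */
int max_weeks_renders_as(const char *expected)
{
    char buf[NEW_XBUF_SIZE];
    render_weeks(buf, sizeof buf, UINT64_MAX);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char old_buf[OLD_XBUF_SIZE], new_buf[NEW_XBUF_SIZE];

    /* With sprintf() the 12-byte buffer would be overrun by the extra bytes;
     * snprintf() with sizeof keeps the write in bounds and reports truncation. */
    render_weeks(old_buf, sizeof old_buf, UINT64_MAX);
    render_weeks(new_buf, sizeof new_buf, UINT64_MAX);
    printf("weeks = %llu, need %zu bytes: 12-byte buffer %s, 16-byte buffer %s\n",
           (unsigned long long)(UINT64_MAX / SECS_PER_WEEK),
           weeks_buf_needed(UINT64_MAX),
           weeks_buf_is_safe(OLD_XBUF_SIZE) ? "ok" : "too short",
           weeks_buf_is_safe(NEW_XBUF_SIZE) ? "ok" : "too short");
    printf("truncated: \"%s\"  full: \"%s\"\n", old_buf, new_buf);
    return 0;
}
```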

2 years ago  perf: don't leave group_entry on sibling list(use-after-free)
John Dias [Mon, 16 Jan 2017 08:22:04 +0000]
perf: don't leave group_entry on sibling list(use-after-free)

When perf_group_detach is called on a group leader,
it should empty its sibling list. Otherwise, when
a sibling is later deallocated, list_del_event()
removes the sibling's group_entry from its current
list, which can be the now-deallocated group leader's
sibling list (use-after-free bug).

Bug: 32402548

CVE-2017-0403 (A-32402548)
Bug 1849492

Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285800
(cherry picked from commit a5dc2d079ba88bba5dc78484d4820842af65d656)
Reviewed-on: http://git-master/r/1299508
(cherry picked from commit 8dae5d362123d37d29552b5a9ed89c7dbfe3dd55)
Reviewed-on: http://git-master/r/1311419
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  ALSA: info: Check for integer overflow in snd_info_entry_write()
Siqi Lin [Mon, 16 Jan 2017 08:28:01 +0000]
ALSA: info: Check for integer overflow in snd_info_entry_write()

snd_info_entry_write() resizes the buffer with an unsigned long
size argument that gets truncated because resize_info_buffer()
takes the size parameter as an unsigned int. On 64-bit kernels,
this causes the following copy_to_user() to write out-of-bounds
if (pos + count) can't be represented by an unsigned int.

Bug: 32510733

CVE-2017-0404 (A-32510733)
Bug 1849492

Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23
Signed-off-by: Siqi Lin <siqilin@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285802
(cherry picked from commit 080aad52eb18b8f622676063334f105a77f6cf58)
Reviewed-on: http://git-master/r/1299509
(cherry picked from commit 935b76652a88fd9906eefea1030c051613310f64)
Reviewed-on: http://git-master/r/1311417
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  ring-buffer: Prevent overflow of size in ring_buffer_resize()
Steven Rostedt (Red Hat) [Fri, 13 May 2016 13:34:12 +0000]
ring-buffer: Prevent overflow of size in ring_buffer_resize()

If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.

Here are the details:

  # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

tracing_entries_write() processes this and converts kb to bytes.

 18014398509481980 << 10 = 18446744073709547520

and this is passed to ring_buffer_resize() as unsigned long size.

 size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

BUF_PAGE_SIZE is 4080 and here

 18446744073709547520 + 4080 - 1 = 18446744073709551599

where 18446744073709551599 is still smaller than 2^64

 2^64 - 18446744073709551599 = 17

But now 18446744073709551599 / 4080 = 4521260802379792

and size = size * 4080 = 18446744073709551360

This is checked to make sure it's still greater than 2 * 4080,
which it is.

Then we convert to the number of buffer pages needed.

 nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

but this time size is 18446744073709551360 and

 2^64 - (18446744073709551360 + 4080 - 1) = -3823

Thus it overflows and the resulting number is less than 4080, which makes

  3823 / 4080 = 0

and nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.

There's no reason to have the two DIV_ROUND_UP() calls (that's just the result of
historical code changes), so clean up the code and fix this bug.

CVE-2016-9754
Bug 1849492

Change-Id: I442132282517827c51b3fdbd31f323fe426d6daa
Cc: stable@vger.kernel.org # 3.5+
Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285747
(cherry picked from commit 8f8088aaee836d8c6c93c3df52a0d08b8f67b3b0)
Reviewed-on: http://git-master/r/1299510
(cherry picked from commit 580a30ff59e0fcc79159da6ea8afe5b2c7640861)
Reviewed-on: http://git-master/r/1311416
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  gpu: nvgpu: serialize debug session IOCTLs
Deepak Nibade [Mon, 23 Jan 2017 11:32:07 +0000]
gpu: nvgpu: serialize debug session IOCTLs

Hold debug_s->ioctl_lock for all debug session IOCTLs to prevent
multi-threaded user space IOCTL calls.
Debug session IOCTL calls are not thread-safe and hence this
serialization is required.

Bug 1832267
Bug 1832095
Bug 1849492

Change-Id: I847ac951601d4f0093546b592bdb8c8f00185317
Reviewed-on: http://git-master/r/1286436
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1292432
(cherry picked from commit d4629278161f2dc3c74e0f13c6ca08038355dd22)
Reviewed-on: http://git-master/r/1299511
(cherry picked from commit 6800b190bfb4ca00c5fef064b5a7ac2c65b8f4a4)
Reviewed-on: http://git-master/r/1311415
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  dts: darcy a08 dtb support
Martin Gao [Tue, 7 Feb 2017 05:02:52 +0000]
dts: darcy a08 dtb support

- a08 darcy sku uses AOTAG
- a07 and below use NCT

Bug 1872194

Change-Id: I67145853db908bed1cca0bbcf736b51268a11c41
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1300969
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years ago  video: tegra: hdmi: Disable HDCP for BlackMagic
Aly Hirani [Fri, 3 Feb 2017 00:06:55 +0000]
video: tegra: hdmi: Disable HDCP for BlackMagic

BlackMagic 12G has a bug where it spams us with a constant stream of
hotplugs 130 ms apart if we enable HDCP. This stream of hotplugs ends up
as a "blank screen" since we are stuck in a loop of modeset and display
teardown.

Since it doesn't support HDCP, this change blacklists it from HDCP. Once
done, it never sends us a hotplug and the device works perfectly after.

Bug 1870842

Change-Id: Id93b7e9bb1e11ca0cb969c9a8179bae7b4c64072
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1298315
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>
Reviewed-by: Prafull Suryawanshi <prafulls@nvidia.com>

2 years ago  net: wireless: bcmdhd_88: add more European countries in wifi country code
Om Prakash Singh [Wed, 1 Feb 2017 11:16:18 +0000]
net: wireless: bcmdhd_88: add more European countries in wifi country code

Bug 200275653

Change-Id: I0a952f421b2708d8a51b7fc77f2d126aa78f84c2
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1298339
Reviewed-by: Srinivas Ramachandran <srinivasra@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years ago  arm64: dts: add more European countries for Foster/Darcy
Om Prakash Singh [Wed, 1 Feb 2017 10:58:25 +0000]
arm64: dts: add more European countries for Foster/Darcy

Bug 200275653

Change-Id: Ic19e438f9ab8be44b80528db352952d37b982e9e
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1298338
Reviewed-by: Srinivas Ramachandran <srinivasra@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years ago  Jarvis: Prevent crash with invalid input device
David DSH [Sat, 21 Jan 2017 02:02:47 +0000]
Jarvis: Prevent crash with invalid input device

Bug 1864174

Change-Id: I3c62d723bc15817c687a7c70567238825703bc19
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1291898
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Robert Shih <rshih@nvidia.com>
Tested-by: Robert Shih <rshih@nvidia.com>
(cherry picked from commit 27d75519b396282a2f688ce14fdb6a0491068b65)
Reviewed-on: http://git-master/r/1298934
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  Darcy: Increase pmic voltage of sd2
David DSH [Wed, 1 Feb 2017 04:08:44 +0000]
Darcy: Increase pmic voltage of sd2

Increase preregulator voltage pin SD2 that feeds into LDO

Bug 1869208

Change-Id: I02dba37caed0963ec0900147216731741635e4f7
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1296999
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years ago  gpu: nvgpu: sysfs node to read PMU state
Mahantesh Kumbar [Wed, 25 Jan 2017 10:00:45 +0000]
gpu: nvgpu: sysfs node to read PMU state

sysfs node to know the PMU state, i.e. whether PMU
boot completed and it's ready, with state
"pmu->pmu_state == PMU_STATE_STARTED", to
process command requests.

Issue: enable/disable requests for ELPG/AELPG
through the sysfs node during the init stage of the boot process
cause a PMU halt error due to the unknown state of the
PMU at boot time.

Fix: provided a node to read the PMU state; if ready, then
send commands, else wait till it gets ready.

Bug 1865815

Change-Id: Idad4c5390fffafbe591658b85942e8c6c6d3afc8
Signed-off-by: Mahantesh Kumbar <mkumbar@nvidia.com>
Reviewed-on: http://git-master/r/1296823
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  nvgpu: disable elpg and clock gating via dt
Martin Gao [Fri, 27 Jan 2017 23:17:37 +0000]
nvgpu: disable elpg and clock gating via dt

Bug 1865815

Change-Id: Ibd151f775f51f7a299aa61af4fbb34287b1cae64
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1296821
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  gpu: nvgpu: elpg/aelpg sysfs update
Mahantesh Kumbar [Wed, 25 Jan 2017 07:38:47 +0000]
gpu: nvgpu: elpg/aelpg sysfs update

Check the g->power_on and pmu->pmu_state flags
to know the status of the PMU, i.e. whether it is ready to take
commands for PG requests or not. If not ready,
then update the ELPG/AELPG global flags
used within the kernel driver and skip sending
commands to the PMU.

Issue: enable/disable requests for ELPG/AELPG
through the sysfs node during the init stage of the boot process
cause a PMU halt error.

Bug 1865815

Change-Id: I1c14d2ea4ac529e5782093569edde28e5da22325
Signed-off-by: Mahantesh Kumbar <mkumbar@nvidia.com>
Reviewed-on: http://git-master/r/1296820
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "Tegra210: increase vmin to increase reliability"
David Dastous St Hilaire [Fri, 20 Jan 2017 03:02:46 +0000]
Revert "Tegra210: increase vmin to increase reliability"

This reverts commit dee4048d8cb60b1ec497869a67edc826fac29104.

Bug 1828585

Change-Id: Iefbd4910b780f33fdab24bb1ed3ade066b08f0f7
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1296819
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  video: tegra: dc: Add quirk for Vizio P series  (rel-24-uda-r1)
Aly Hirani [Wed, 11 Jan 2017 07:29:58 +0000]
video: tegra: dc: Add quirk for Vizio P series

The Vizio SmartCast P series 4K TVs fail 1/3 hotplugs with "No Signal".
Experiments showed that enabling HDMI 2.0 scrambling and HDCP at the
same time causes this failure from Vizio's side.

This change adds a WAR to introduce a 5 second delay after modeset to
start the hdcp (instead of the standard 100ms delay).

This change also adds edid quirks to limit the 5 second delay to only
the P cast series.

Bug ??

Change-Id: I96d1200afa20401d09ab5d1d2966ab24ac761b2b
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1283347
Reviewed-by: Mandar Padmawar <mpadmawar@nvidia.com>
Tested-by: Mandar Padmawar <mpadmawar@nvidia.com>

2 years ago  drivers: wireless: bcmdhd_88: increase dpc_bound to 12ms
Srinivas Ramachandran [Wed, 4 Jan 2017 19:05:52 +0000]
drivers: wireless: bcmdhd_88: increase dpc_bound to 12ms

Increase dpc_bound to improve tx throughput

Bug 200266248

Change-Id: Iaef3d23f32b2b3ffafe3abd66429bb008ab57ad2
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1282300
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years ago  iio: imu: NVI v.342 Fix ACC resume
Erik Lilliebjerg [Sun, 8 Jan 2017 23:48:17 +0000]
iio: imu: NVI v.342 Fix ACC resume

- Accelerometer sensor is HW disabled when suspending.  When resuming, if
  the gyroscope sensor is enabled first, it didn't account for HW enabling
  the accelerometer as well if previously enabled before suspending.  This
  was intermittent behavior depending on the wake source and resume timing
  of the external sensors on the auxiliary ports, as well as resume enable
  from user space.

Bug 200266677

Change-Id: Iada223304f7991d6da256a19a26cddd5ff20ec55
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1281847
(cherry picked from commit 427c6f17fbf810f399138627b5294a8bc602cafe)
Reviewed-on: http://git-master/r/1282259
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  iio: imu: nvi: Fix false error message
Erik Lilliebjerg [Sat, 31 Dec 2016 21:37:41 +0000]
iio: imu: nvi: Fix false error message

- Due to Invensense parts being register incompatible (even the HW ID),
  there were false error messages during the driver process of identifying
  the part.  This patch suppresses those error messages until the part is
  identified and the errors become legitimate.

Bug 200260974

Change-Id: Ibd7c6fe6e4b6424cfc2f7bf04f1a64405b03e539
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1278897
(cherry picked from commit 010a8eaf597e519d5c1a258bf0015c719e0928c6)
Reviewed-on: http://git-master/r/1282258
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  iio: imu: nvi: Fix coverity
Erik Lilliebjerg [Wed, 28 Dec 2016 13:41:15 +0000]
iio: imu: nvi: Fix coverity

- Fix bad shift.
- Fix uninitialized scalar variable.

Coverity ID: 38965
Coverity ID: 38966
Coverity ID: 38967
Coverity ID: 38968
Coverity ID: 38969
Coverity ID: 38971

Bug 200192580

Change-Id: I2a972f00a7097f61c943ad035dc23d50f9f8e2e7
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1277691
(cherry picked from commit 2f8d063e538089007d6b0c5234cce1229620ece0)
Reviewed-on: http://git-master/r/1281938
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  Tegra210: increase vmin to increase reliability
David DSH [Fri, 6 Jan 2017 01:14:44 +0000]
Tegra210: increase vmin to increase reliability

Bug 1828585

Change-Id: I654bc0c0f7cb8dbb70dd0aed5c0ec664ac217dd9
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1280477
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "bcmdhd_88: save the firmware events in a file"
Bibhay Ranjan [Wed, 4 Jan 2017 07:00:30 +0000]
Revert "bcmdhd_88: save the firmware events in a file"

This reverts commit 5d5bcb34932dcc257067beb3d6c8a248c5c2c125.

Bug 200231321

Change-Id: I8adb48d6157bd4dfba40049a559e27da1fe407b2
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279949
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: increase timestamp array size"
Bibhay Ranjan [Wed, 4 Jan 2017 06:59:27 +0000]
Revert "bcmdhd_88: increase timestamp array size"

This reverts commit 125ef44ac4e4ea7f8d03f05b3a7aec15eb048708.

Bug 200231321

Change-Id: I4bbc875cf78988a38cee9f714d184955c74b0e96
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279948
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: add DHD_ERROR for nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:50 +0000]
Revert "bcmdhd_88: add DHD_ERROR for nv_logger"

This reverts commit 83275c2716e3f838a278b5ecfdb46fbe1b552d73.

Bug 200231321

Change-Id: I3bbf9ea2aaff4b421326d4b25c8e4c7ad741a493
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279947
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: improve data integrity of nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:04 +0000]
Revert "bcmdhd_88: improve data integrity of nv_logger"

This reverts commit 49308708221379d6749b0f596b1e0f1011a29d0c.

Bug 200231321

Change-Id: Ia51bdc77ae5c86b888a3ecabaf22d296473ae30f
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279946
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: disable nv_logger logging by default"
Bibhay Ranjan [Wed, 4 Jan 2017 06:56:18 +0000]
Revert "bcmdhd_88: disable nv_logger logging by default"

This reverts commit 1ee03ed037ac6576e6bf09b8228ec0b3f63f36d2.

Bug 200231321

Change-Id: I4cfbd01bf8d78a9604cd161f2c4f91f9fe43695a
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279945
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  sysedp_reactive_capping: Fix warning string check
Anand Prasad [Wed, 28 Dec 2016 19:45:29 +0000]
sysedp_reactive_capping: Fix warning string check

The current implementation incorrectly checks if a pointer value is
NULL when actually referencing an array.
Instead, use a pointer to read the threshold warning string from
device-tree so that the pointer NULL check now works.

Bug 200266221

Change-Id: Iff9e43780534cf43e93b489c7ebe150fdf4ac437
Signed-off-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-on: http://git-master/r/1277816
(cherry picked from commit 29d326af77ad71f6e61ce6e6e35eac6626500a72)
Reviewed-on: http://git-master/r/1279362
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

2 years ago  CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE
Federico Sauter [Tue, 17 Mar 2015 16:45:28 +0000]
CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE

This patch fixes a race condition that occurs when connecting
to a NT 3.51 host without specifying a NetBIOS name.
In that case a RFC1002_NEGATIVE_SESSION_RESPONSE is received
and the SMB negotiation is reattempted, but under some conditions
it leads SendReceive() to hang forever while waiting for srv_mutex.
This, in turn, sets the calling process to an uninterruptible sleep
state and makes it unkillable.

The solution is to unlock the srv_mutex acquired in the demux
thread *before* going to sleep (after the reconnect error) and
before reattempting the connection.

Bug 200266605

Change-Id: I168f4977192307dd859f83d6850bdd1eecf27dfe
(cherry picked from commit 4afe260bab50290a05e5732570329a530ed023f3)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1277404
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  ALSA: hda: Allow 8ch/192k for HD capable sinks
Ashok Mudithanapalli [Fri, 23 Dec 2016 12:03:04 +0000]
ALSA: hda: Allow 8ch/192k for HD capable sinks

If the sink is DTSHD/MLP decode capable, but not supporting
8ch/192k in its ELD, ALSA card doesn't add these in supported
rates & ch. Add these in ALSA card for HD decode capable sinks,
so that user-space can open pcm device and play HD content.

Bug 200261363

Change-Id: Ia979868f27a740abcb16b1fea37fd9684779d4be
Signed-off-by: Ashok Mudithanapalli <ashokm@nvidia.com>
Reviewed-on: http://git-master/r/1276193
GVS: Gerrit_Virtual_Submit
Reviewed-by: Rahul Mittal <rmittal@nvidia.com>
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
(cherry picked from commit fde817178e6bf99ea0d161d0175f0e69a5881d6a)
Reviewed-on: http://git-master/r/1277059
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Sanjay Singh Chauhan <schauhan@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  TS/Pepper: Protect buffer deallocation
David DSH [Mon, 19 Dec 2016 20:51:09 +0000]
TS/Pepper: Protect buffer deallocation

Bug 1842498

Change-Id: Ibf0181fd17e7cbe3964bec21072bf2d6ae85d9f2
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1273658
Tested-by: Hall Jiang <hallj@nvidia.com>
Reviewed-by: Hall Jiang <hallj@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  hid:jarvis: send uevent on creating timeout node
Siddardha Naraharisetti [Wed, 21 Dec 2016 04:07:59 +0000]
hid:jarvis: send uevent on creating timeout node

send uevent to userspace on node creation so that
permissions can be updated

Bug 1854947

Change-Id: I7487ea060d58a17f7ffdb48565e3696005bb228b
Signed-off-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
Reviewed-on: http://git-master/r/1274602
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  iio: imu: tsfw_icm: Add null checks in recv path
Spencer Sutterlin [Fri, 9 Dec 2016 00:35:49 +0000]
iio: imu: tsfw_icm: Add null checks in recv path

Bug 1850884

Change-Id: Ie750a30b822cd18c8c7f45235dfd52d707aec1fc
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1272201
(cherry picked from commit 9eaec0173ddf9eb9b4a4b9440b6df0ecd064ae52)
Reviewed-on: http://git-master/r/1268031
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  iio: Finish fix with spinlock around some reads
Spencer Sutterlin [Tue, 6 Dec 2016 20:30:25 +0000]
iio: Finish fix with spinlock around some reads

Bug 1843012

Change-Id: I9acf63c755ea7afb6f94496ef7aef40c199f42c9
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1272200
(cherry picked from commit e329d6dedf2731b435e99406ca8ce0930fce81be)
Reviewed-on: http://git-master/r/1266149
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  hid: jarvis: fake button release events for pepper
Andrew Chen [Tue, 13 Dec 2016 09:16:29 +0000]
hid: jarvis: fake button release events for pepper

Fake button release events when not receiving them from pepper.
Also provide sysfs interface for shieldtech to set the timeout value
according to firmware version.

Bug 200216036

Change-Id: Iec7ef71431fc435cfb956c04bbf77a63361e9aa0
Signed-off-by: Andrew Chen <andrewc@nvidia.com>
Signed-off-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
Reviewed-on: http://git-master/r/1270311
Reviewed-by: Varun Colbert <vcolbert@nvidia.com>
Tested-by: Varun Colbert <vcolbert@nvidia.com>

2 years ago  video: tegra: hdmi: disable hdmi2.0 during disable
Santosh Reddy Galma [Thu, 15 Dec 2016 17:47:06 +0000]
video: tegra: hdmi: disable hdmi2.0 during disable

Bug 1850165

This change disables scdc when disabling the hdmi controller.
This fixes an issue when going to fastboot mode, which is
set at 1080p, where we should not enable scdc. This causes
issues for some TVs, especially HDR 4K ones.

Change-Id: Ifa8ad45db43aa1b70810b92b4a39fc64d17e5df7
Signed-off-by: Santosh Reddy Galma <galmar@nvidia.com>
Reviewed-on: http://git-master/r/1272521
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Tested-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years ago  cpufreq: Don't create empty /sys/devices/system/cpu/cpufreq directory
Viresh Kumar [Fri, 17 May 2013 10:39:09 +0000]
cpufreq: Don't create empty /sys/devices/system/cpu/cpufreq directory

When we don't have any file in the cpu/cpufreq directory we shouldn't
create it. Especially with the introduction of the per-policy governor
instance patchset, even governors are moved to the
cpu/cpu*/cpufreq/governor-name directory and so this directory is
just not required.

Let's have it only when required.

Bug 200260321

Change-Id: I376d8919a9c12e01ea2ba8d8edf700b17c3ff707
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1272226
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  misc: Remove stale code in cpuload
Sai Gurrappadi [Fri, 22 May 2015 19:50:50 +0000]
misc: Remove stale code in cpuload

cpuloadmon no longer needs a timer to sample load as it uses the
idle-counter delta to determine load over an interval. Removed the timer
along with a lot of unused code most of which was copied over from
cpufreq_interactive.c.

Bug 1828392
Bug 200260321

Change-Id: Ib23d19a18311878c6e6e6c7ca55acebcd9a3b777
(cherry picked from commit ab8f8ec440a17895eb902751caf8792727042f53)
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1271444
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "T124 : platform : Enable CPUSETS"
Gagan Grover [Fri, 9 Dec 2016 06:53:07 +0000]
Revert "T124 : platform : Enable CPUSETS"

This reverts commit 75cc1514386107905693363b5e524dc1c3d51873.

bug 200257427

Change-Id: I9f8b7cdb97abfa83b28c25b4ffc55875c72f7150
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1268227
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  RT8168: Fix typo for power spender
David DSH [Wed, 14 Dec 2016 02:00:29 +0000]
RT8168: Fix typo for power spender

Bug 1828585

Change-Id: I73e27339200f87437ffc08ebd23b2cca2f30545c
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1270646
Reviewed-by: Martin Gao <marting@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  hid: jarvis: Suppress kernel debug prints in atvr_raw_event()
Mithun Maragiri [Thu, 8 Dec 2016 20:39:48 +0000]
hid: jarvis: Suppress kernel debug prints in atvr_raw_event()

There is a spew of debug prints when handling debug HID reports
sent by Thunderstrike. This report has debug information about
the current status of TS.

Bug 1852042

Change-Id: Icd7ed09608301a7dcd70c9721392e4a437cbfb18
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1267770
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  To handle pm enable before Wi-fi turns ON.
nagaraj [Tue, 13 Dec 2016 02:17:49 +0000]
To handle pm enable before Wi-fi turns ON.

Bug 1828585

Change-Id: Ib41d228b5d9948cb9f3f8a61f11bae15ef0f364d
Signed-off-by: Nagaraj Annaiah <nannaiah@nvidia.com>
Reviewed-on: http://git-master/r/1269916
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  cpufreq: Synchronize the cpufreq store_*() routines with CPU hotplug
Nicolin Chen [Sat, 23 Jan 2016 00:00:48 +0000]
cpufreq: Synchronize the cpufreq store_*() routines with CPU hotplug

The functions that are used to write to cpufreq sysfs files (such as
store_scaling_max_freq()) are not hotplug safe. They can race with CPU
hotplug tasks and lead to problems such as trying to acquire an already
destroyed timer-mutex etc.

Eg:

    __cpufreq_remove_dev()
     __cpufreq_governor(policy, CPUFREQ_GOV_STOP);
       policy->governor->governor(policy, CPUFREQ_GOV_STOP);
        cpufreq_governor_dbs()
         case CPUFREQ_GOV_STOP:
          mutex_destroy(&cpu_cdbs->timer_mutex)
          cpu_cdbs->cur_policy = NULL;
      <PREEMPT>
    store()
     __cpufreq_set_policy()
      __cpufreq_governor(policy, CPUFREQ_GOV_LIMITS);
        policy->governor->governor(policy, CPUFREQ_GOV_LIMITS);
         case CPUFREQ_GOV_LIMITS:
          mutex_lock(&cpu_cdbs->timer_mutex); <-- Warning (destroyed mutex)
           if (policy->max < cpu_cdbs->cur_policy->cur) <- cur_policy == NULL

So use get_online_cpus()/put_online_cpus() in the store_*() functions, to
synchronize with CPU hotplug.

[ Merging the same patch from the Linux mainline, committed by Srivatsa
  S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>; could not do cherry-pick
  due to conflicts. Also revised the commit log to reduce confusion,
  as the original commit log mentioned an issue that isn't included in
  our 3.10 branch.

  This commit could be treated as a fix to the Bug 200152270 as there
  is a race condition here between SYSFS operations and a cpu hotplug
  that when the init process tries to GOV_START all online cpus via
  SYSFS, a cpu hotplug may happen to turn off one cpu without updating
  the new_policy->cpus in time. So the new_policy->cpus might contain
  an offlined cpu which is the root cause of this bug. Adding a lock
  of hotplug here ensures no race would happen during the SYSFS access.

  As policy->cpus is always updated during hotplug in its add/remove
  functions, we don't need to worry that it gets out-of-date as long
  as any hotplug operation is locked during the store_*().

  I applied this change and passed both the cpufreqhotplugstress and
  the following test:

  while true; do echo 0 > /sys/devices/system/cpu/cpu3/online; echo 1 > /sys/devices/system/cpu/cpu3/online; done&
  while true; do echo userspace > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor; echo interactive > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor; done&

  -- Nicolin ]

Bug 200152270
Bug 200254695

Change-Id: If871094dc92d4478a9484e92fd5cbebaeb9ae5e8
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-on: http://git-master/r/1111679
Reviewed-by: Richard Wiley <rwiley@nvidia.com>
Tested-by: Richard Wiley <rwiley@nvidia.com>
(cherry picked from commit 39be41de331032a0fc596b9d20a8e11dcb0a5f7d)
Reviewed-on: http://git-master/r/1268903
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years ago  Revert "arm64: t210: Enable TSFW_ICM"
Spencer Sutterlin [Wed, 30 Nov 2016 03:00:15 +0000]
Revert "arm64: t210: Enable TSFW_ICM"

The kernel panics are fixed, but there are still several userspace
sensor HAL and sensorservice crashes.

Bug 1807528
Bug 1850381
Bug 1850405
Bug 1850410

This reverts commit d8db5dc7f0e6bb076e8a8272d00c13bfd3ab1505.

Change-Id: I7beedfe61bba074f806e3031a665d04a451ea7dc
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1262015
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "gpu: nvgpu: Add ref counting to channels"
Alex Waterman [Fri, 9 Dec 2016 19:48:41 +0000]
Revert "gpu: nvgpu: Add ref counting to channels"

This reverts commit ba5e6cc875971f0559d05f44035d27fc067e446f.

Bug 1850554

Change-Id: Iac7c616a40e8bfd61789c630e8a23955f85565e4
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1268671
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Tested-by: Martin Gao <marting@nvidia.com>

2 years ago  Revert "gpu: nvgpu: Fix CDE bind channel usage"
Alex Waterman [Fri, 9 Dec 2016 18:54:35 +0000]
Revert "gpu: nvgpu: Fix CDE bind channel usage"

This reverts commit efc0204b472571bb9ab7e243c318bd12f3e721fc.

Bug 1850554

Change-Id: I02df6e6bba4c05ba0f255f9f828289f58ad4483a
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1268640
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Martin Gao <marting@nvidia.com>

2 years ago  Revert "driver core / PM: move the calling to device_pm_remove behind the calling...
Peter Yu [Tue, 6 Dec 2016 13:40:36 +0000]
Revert "driver core / PM: move the calling to device_pm_remove behind the calling to bus_remove_device"

This reverts commit 70a657f97a2fb712aff46e5ba436c7e5e4cbb3f3.

Bug 200258370
Bug 200255615

Signed-off-by: Peter Yu <pyu@nvidia.com>
Change-Id: I3b20838102aab119c97d6bc94c09384dffa23883
Reviewed-on: http://git-master/r/1265897
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "usb: storage: enable auto-suspend for USB storage"
Peter Yu [Tue, 6 Dec 2016 13:37:10 +0000]
Revert "usb: storage: enable auto-suspend for USB storage"

This reverts commit 907a021305c226d8b2130a95cf53be805fcc4f1d.

Bug 200258370
Bug 200255615

Signed-off-by: Peter Yu <pyu@nvidia.com>
Change-Id: I2d2f100f5bb4b030a5cac6848c076526e958eb65
Reviewed-on: http://git-master/r/1265893
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "usb: core: avoid PM error -ENODEV for detached MSD"
Peter Yu [Tue, 6 Dec 2016 13:32:58 +0000]
Revert "usb: core: avoid PM error -ENODEV for detached MSD"

This reverts commit 225c916b5d5bf93d0b02f646dbd4df8209bf74f4.

Bug 200258370
Bug 200255615

Signed-off-by: Peter Yu <pyu@nvidia.com>
Change-Id: I17c000cdf69fa810abbe860b6013671d3c142d1b
Reviewed-on: http://git-master/r/1265890
GVS: Gerrit_Virtual_Submit
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  hid: jarvis: do tsfw_icm's probe in workqueue
Andrew Chen [Wed, 30 Nov 2016 03:48:04 +0000]
hid: jarvis: do tsfw_icm's probe in workqueue

tsfw_icm probe takes around 2 seconds to finish and this
causes incoming HID data to be dropped at the stack layer for
the duration. Make it run in a workqueue to fix this problem.

Bug 1845197

Change-Id: I69c26222795af5a83242c165d0c61ea414a97c03
Signed-off-by: Andrew Chen <andrewc@nvidia.com>
Reviewed-on: http://git-master/r/1263719
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago  Revert "Revert "iio: imu: nvi: v.337 Fix DMP gyro""
Robert Collins [Mon, 28 Nov 2016 17:47:13 +0000]
Revert "Revert "iio: imu: nvi: v.337 Fix DMP gyro""

This reverts commit 79d3a1160b94d4b8f83ad5e643c5b6f4cc6b0ce7.

This patch restores the following commit:
    iio: imu: nvi: v.337 Fix DMP gyro

    - Fix ICM DMP gyroscope data output to match the standard FIFO data output.

    Bug 1831500

Bug 200246901
Bug 1831500

Change-Id: Id33e9b4024a6455f65503c6de18b7dbdae76652e
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1263653
GVS: Gerrit_Virtual_Submit
Reviewed-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Tested-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Tested-by: Spencer Sutterlin <ssutterlin@nvidia.com>

2 years ago  gpu: nvgpu: Fix CDE bind channel usage
Alex Waterman [Tue, 29 Nov 2016 00:25:28 +0000]
gpu: nvgpu: Fix CDE bind channel usage

Use the shared bind channel code from CDE instead of custom
channel binding code. The CDE code was using its own bind
channel code because the bind channel API took a gk20a_as_share
argument to define the VM. However, the core bind channel API
is trivially abstractable so that the core API can take a
vm_gk20a struct directly.

Bug: 31680980
NvBug 1825464

Change-Id: I0ad766748f22a64d30003a089eaa7dc65fa10e8a
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1265359
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  gpu: nvgpu: Add ref counting to channels
Alex Waterman [Thu, 13 Oct 2016 17:03:59 +0000]
gpu: nvgpu: Add ref counting to channels

Make sure that the VM owned by a channel lives for at least
as long as that channel does. If the channel's VM is cleaned
up before the channel then use-after-free bugs can occur.

It seems like the gk20a_vm_get() was simply missing from the
bind channel. This patch adds it. The corresponding
gk20a_vm_put() happens during channel close.

Bug: 31680980
NvBug 1825464

Change-Id: If745ad4c1454386ddad9a83ff22ccd9ba2a72168
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1265358
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  DNI: hid: jarvis: Fix lost key events
Mithun Maragiri [Wed, 30 Nov 2016 06:54:51 +0000]
DNI: hid: jarvis: Fix lost key events

The issue of key events getting lost happens when the HID report
is of report->id = SENSOR_REPORT_ID_COMBINED.
Sensor report data from the data buffer was handled properly;
however, the button report part was not.

Bug 200250863

Change-Id: Ib6cd985b472ba927aa854e9c4b7f4e243f5cd22e
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1263496
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-by: Martin Gao <marting@nvidia.com>
Reviewed-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  iio: Add refcount and buffer poll wakeup
Spencer Sutterlin [Wed, 30 Nov 2016 20:31:23 +0000]
iio: Add refcount and buffer poll wakeup

Bring ideas from the following upstream commits
- commit "cadc2125e" (iio: fix: Keep a reference to the IIO device
  for open file descriptors)
- commit "d2f0a48f3" (iio: Wakeup poll and blocking reads when the
  device is unregistered)

Bug 200254499

Change-Id: If5f9275091ae3f86f5c2994af5a619797b9425f0
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1263974
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  ARM: config: tegra12: disable CONFIG_ION
Gagan Grover [Sun, 4 Dec 2016 11:50:54 +0000]
ARM: config: tegra12: disable CONFIG_ION

ION memory is not needed in Android Tegra.

boot.img size is reduced by 14336 bytes

Bug 1823317

Change-Id: If83051043b763cdb0cd3e2d550f4769a728ed491
Reviewed-on: http://git-master/r/1263861
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1264550
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  ARM: config: tegra12: auto generated diff
Gagan Grover [Sun, 4 Dec 2016 11:42:33 +0000]
ARM: config: tegra12: auto generated diff

No change done manually. Diff is auto generated by performing
these three steps on tot:
1) ksetup tegra12_android_defconfig
2) kconfig (just touched one config, no change made)
3) ksavedefconfig tegra12_android_defconfig

boot.img size not changed.

Bug 1823317
Change-Id: Ic9c17b292c2257d2f0c43017b1b3700d8732e5a2
Reviewed-on: http://git-master/r/1263858
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1264549
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Add enable and disable Wi-Fi Power management through sysfs.
nagaraj [Wed, 30 Nov 2016 22:54:18 +0000]
Add enable and disable Wi-Fi Power management through sysfs.

Bug 1828585

Change-Id: I713de1dddbec21d0e3c0105d9f2630a45cecd2ff
Signed-off-by: Nagaraj Annaiah <nannaiah@nvidia.com>
(cherry picked from commit 63fa1393ea127c753002cc7fce893590b7931b34)
Reviewed-on: http://git-master/r/1263671
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terry Wang <terwang@nvidia.com>
Reviewed-by: Ramaiyer Ramesh <ramaiyerr@nvidia.com>

2 years ago  Elevation of privilege vulnerability in kernel networking subsystem
Mithun Maragiri [Tue, 29 Nov 2016 01:54:46 +0000]
Elevation of privilege vulnerability in kernel networking subsystem

An elevation of privilege vulnerability in the kernel networking
subsystem could enable a local malicious application to execute
arbitrary code within the context of the kernel. This issue is
rated as Moderate because it first requires compromising a
privileged process and current compiler optimizations restrict
access to the vulnerable code.

There is no validation of the len variable passed to the
ping_common_sendmsg function to check if it is less than
icmph_len leading to a potential overflow. The fix is designed
to add additional validation to prevent the potential overflow.

CVE-2016-8399
A-31349935
Bug 1836932

Change-Id: Ia61de145bd5e12c1f30847812abd06334054b416
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262344
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Denial of service vulnerability in kernel sound driver
Mithun Maragiri [Tue, 29 Nov 2016 04:11:18 +0000]
Denial of service vulnerability in kernel sound driver

A denial of service vulnerability in the kernel could allow a
local malicious application to cause a device reboot.
This issue is rated as Low because it is a temporary denial of
service.

The original fix used -EIO as the error return code but
the function signatures had unsigned int as the return type.
The updated fix uses -1 as the error return code instead of -EIO
so the error return code is more clearly defined.

CVE-2016-6690
A-28838221
Bug 1836932

Change-Id: I10754b638b7432242d7baa1355d35bf56c2ad085
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262338
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  use %pK instead of %p
Mithun Maragiri [Tue, 29 Nov 2016 04:05:43 +0000]
use %pK instead of %p

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also
evaluates whether kptr_restrict is set.

CVE-2016-8406
A-31796940
Bug 1836932

Change-Id: I6718ace16ac0de99ecd3c9cf290bda79eac6632e
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262333
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  use %pK instead of %p
Mithun Maragiri [Tue, 29 Nov 2016 03:54:24 +0000]
use %pK instead of %p

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8402
A-31495231

Bug 1836932

Change-Id: I25843416454a29ac6c7c762072635d699ff7acbf
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262331
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  use %pK instead of %p
Mithun Maragiri [Tue, 29 Nov 2016 03:29:27 +0000]
use %pK instead of %p

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8401
A-31494725
Bug 1836932

Change-Id: I5e62e63c694735ab2711e5451f0deddd57ebfaac
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262328
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago  video: tegra: nvmap: Fix print format specifier
Gagan Grover [Tue, 29 Nov 2016 13:15:33 +0000]
video: tegra: nvmap: Fix print format specifier

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8408 A-31496571

Bug 1844902

Change-Id: I35c3ddb7b6a52e4edba814de0eaa5e85629130b9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262308
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago  perf: Fix event->ctx locking
Peter Zijlstra [Fri, 23 Jan 2015 11:24:14 +0000]
perf: Fix event->ctx locking

There have been a few reported issues wrt. the lack of locking around
changing event->ctx. This patch tries to address those.

It avoids the whole rwsem thing; and while it appears to work, please
give it some thought in review.

What I did fail at is sensible runtime checks on the use of
event->ctx, the RCU use makes it very hard.

Bug 1836932

Change-Id: Ia307722c251bb9a058df98f2061625cfcace984c
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262262
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  video: tegra: nvmap: Fix print format specifier
Gagan Grover [Tue, 29 Nov 2016 13:02:40 +0000]
video: tegra: nvmap: Fix print format specifier

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8409 A-31495687

Bug 1844902

Change-Id: I57a1fca9c58c0ac433415e39c82ab72d7429e48e
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262260
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  audit: fix a double fetch in audit_log_single_execve_arg()
Paul Moore [Tue, 19 Jul 2016 21:42:57 +0000]
audit: fix a double fetch in audit_log_single_execve_arg()

There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) arguments for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1].  Of course this leaves a window of
opportunity for an unsavory application to munge with the data.

This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s).  In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).

As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:

 * https://github.com/linux-audit/audit-testsuite/issues/25

[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.

[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data.  I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation).  The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.

Bug 1823317

Change-Id: I500834e1e699cb43d207333fa91292673de54933
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262255
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
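The double fetch this commit describes, as an added example that is neither part of this page nor code from the kernel tree: a userspace C model in which `fetch_user()` stands in for copy_from_user() and the attacker is assumed to win every race (the first byte of the argument flips after each copy). The pre-fix shape decides whether to hex-encode on the first copy and then logs the bytes of a second copy; the post-fix shape fetches once and both scans and logs that single copy. The function names (`needs_encoding`, `log_arg_double_fetch`, `log_arg_single_fetch`, `count_inconsistent`), the ARG_LEN buffer and the sample argument are constructed for illustration; the encoding rule (quote, control or non-ASCII byte forces hex) is the one the audit code applies.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ARG_LEN 8

/* Constructed "user memory": the execve() argument being audited.
 * Instead of a real racing thread, the model lets the attacker win
 * every race: user_arg[0] flips after each fetch (assumption). */
static char user_arg[ARG_LEN + 1] = "AAAAAAAA";

/* Stand-in for copy_from_user(), with the race modelled in. */
static void fetch_user(char *dst, size_t n) {
    memcpy(dst, user_arg, n);
    user_arg[0] = (user_arg[0] == 'A') ? '\n' : 'A';
}

/* Same rule the audit code applies: a quote, control or non-ASCII byte
 * means the argument must be hex-encoded in the record. */
bool needs_encoding(const char *s, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (s[i] == '"' || s[i] < 0x21 || s[i] > 0x7e) return true;
    return false;
}

/* Write the record body: the raw bytes, or their hex encoding. */
static void emit(char *out, const char *s, size_t n, bool hex) {
    if (!hex) { memcpy(out, s, n); out[n] = '\0'; return; }
    for (size_t i = 0; i < n; i++)
        sprintf(out + 2 * i, "%02x", (unsigned char)s[i]);
}

/* Pre-fix shape: decide on fetch #1, log the bytes of fetch #2.
 * Returns true when the record is inconsistent: what was written does
 * not match the decision taken on the first copy (e.g. a raw newline
 * lands in the audit log and splits the record). */
bool log_arg_double_fetch(char *out) {
    char scan[ARG_LEN], logged[ARG_LEN];
    fetch_user(scan, ARG_LEN);                   /* fetch #1: scan */
    bool hex = needs_encoding(scan, ARG_LEN);
    fetch_user(logged, ARG_LEN);                 /* fetch #2: log  */
    emit(out, logged, ARG_LEN, hex);
    return hex != needs_encoding(logged, ARG_LEN);
}

/* Post-fix shape: one fetch into a kernel buffer; scan and log that copy. */
bool log_arg_single_fetch(char *out) {
    char copy[ARG_LEN];
    fetch_user(copy, ARG_LEN);                   /* the only fetch */
    bool hex = needs_encoding(copy, ARG_LEN);
    emit(out, copy, ARG_LEN, hex);
    return hex != needs_encoding(copy, ARG_LEN); /* cannot differ */
}

/* Log `iters` records with either variant; return how many came out
 * inconsistent. With the attacker winning every race the pre-fix
 * variant fails every time and the post-fix variant never does. */
int count_inconsistent(bool single_fetch, int iters) {
    char out[2 * ARG_LEN + 1];
    int bad = 0;
    for (int i = 0; i < iters; i++)
        bad += single_fetch ? log_arg_single_fetch(out)
                            : log_arg_double_fetch(out);
    return bad;
}

int main(void) {
    printf("double fetch: %d/100 inconsistent records\n",
           count_inconsistent(false, 100));
    printf("single fetch: %d/100 inconsistent records\n",
           count_inconsistent(true, 100));
    return 0;
}
```

The point of the model is the invariant, not the odds: once the scan and the log operate on the same kernel-side copy, no interleaving of the user thread can make the record disagree with itself, which is why the fix no longer needs to trust anything about the user buffer after the single copy.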

2 years ago  arm64: make sys_call_table const
Mark Rutland [Thu, 8 Jan 2015 11:42:59 +0000]
arm64: make sys_call_table const

As with x86, mark the sys_call_table const such that it will be placed
in the .rodata section. This will cause attempts to modify the table
(accidental or deliberate) to fail when strict page permissions are in
place. In the absence of strict page permissions, there should be no
functional change.

Bug 1836932

Change-Id: I1b8da149e9a117663b63bb5df0c348ff5ad8a12d
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262251
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  staging/android/ion : fix a race condition in the ion driver
EunTaik Lee [Wed, 24 Feb 2016 04:38:06 +0000]
staging/android/ion : fix a race condition in the ion driver

There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()
function.

A handle has ref count of 1 and two tasks on different
cpus calls ION_IOC_FREE simultaneously.

cpu 0                                   cpu 1
-------------------------------------------------------
ion_handle_get_by_id()
(ref == 2)
                            ion_handle_get_by_id()
                            (ref == 3)

ion_free()
(ref == 2)

ion_handle_put()
(ref == 1)

                            ion_free()
                            (ref == 0 so ion_handle_destroy() is
                            called
                            and the handle is freed.)

                            ion_handle_put() is called and it
                            decreases the slub's next free pointer

The problem is detected as an unaligned access in the
spin lock functions since it uses the load exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer (kmalloc returns a pointer like
ffffc0745b4580aa). And it causes lots of other
hard-to-debug problems.

This symptom is caused since the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been
freed.

To fix this problem the client->lock mutex is extended
to protect all the code that uses the handle.

Bug 1836932

Change-Id: I45abd9dd1f696105a7840a25ba4a594b5af4fa65
Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262250
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  percpu: fix synchronization between synchronous map extension and chunk destruction
Tejun Heo [Wed, 25 May 2016 15:48:25 +0000]
percpu: fix synchronization between synchronous map extension and chunk destruction

For non-atomic allocations, pcpu_alloc() can try to extend the area
map synchronously after dropping pcpu_lock; however, the extension
wasn't synchronized against chunk destruction and the chunk might get
freed while extension is in progress.

This patch fixes the bug by putting most of non-atomic allocations
under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
is responsible for async chunk management including destruction.

Bug 1836932

Change-Id: I1031ca004b5487bc7c6d57db15863e5c847946b4
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262243
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  cgroup: Correct the address format specifier
Gagan Grover [Fri, 25 Nov 2016 17:22:19 +0000]
cgroup: Correct the address format specifier

The format specifier %p can leak kernel addresses while not valuing
the kptr_restrict system settings.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

Bug 1823317

Change-Id: I19dc309e7f5341663add987f5d0b47ee32e1be50
Reviewed-on: http://git-master/r/1260110
(cherry picked from commit d018ef6518a7527562bedae1eab86838cfcc0570)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262238
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
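A check a practitioner would run over a tree before or after backporting the %p to %pK changes above (the three "use %pK instead of %p" commits, the two nvmap ones and this cgroup one), as an added example that is not code from this page or from the kernel: a small scanner for printk-style format strings that reports bare `%p` directives. It parses flags, width, precision and length modifiers so `%-16p` is caught, skips `%%`, accepts `%pK`, and leaves the symbolic `%p<letter>` extensions (`%pS`, `%pM`, ...) alone; it also flags `%px`, a form added in later kernels that prints the raw address on purpose. The four printk lines it scans are constructed sample input, and the function names are mine. Caveat: `%pK` only hides the address when kptr_restrict is 1 (and the reader lacks CAP_SYSLOG) or 2; at 0, the mainline default, it prints exactly what `%p` does, so the sysctl on the target has to be checked alongside the source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static bool is_alpha(char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

/* Return the offset of the first directive in fmt that prints a raw
 * kernel pointer, or -1 if there is none. Flagged: a bare "%p" (with
 * any flags, width, precision or length modifier in front of it) and
 * the later "%px" form, which is raw by definition. Not flagged: "%%"
 * (a literal percent), "%pK" (honours kptr_restrict) and the other
 * %p<letter> extensions such as %pS or %pM, which print a symbol or a
 * MAC address rather than the pointer value. */
int find_raw_pointer_directive(const char *fmt) {
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        const char *start = p++;
        if (*p == '%') continue;                            /* "%%" */
        while (*p && strchr("-+ #0", *p)) p++;              /* flags */
        while ((*p >= '0' && *p <= '9') || *p == '*') p++;  /* width */
        if (*p == '.') {                                    /* precision */
            p++;
            while ((*p >= '0' && *p <= '9') || *p == '*') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;            /* length */
        if (*p == 'p' && (p[1] == 'x' || !is_alpha(p[1])))
            return (int)(start - fmt);
        if (!*p) break;
    }
    return -1;
}

/* Constructed sample of printk-style calls, one per line, as they might
 * appear in a driver source file. */
static const char *const sample_lines[] = {
    "pr_info(\"handle %p refs %d\\n\", h, refs);",
    "pr_info(\"handle %pK refs %d\\n\", h, refs);",
    "dev_dbg(dev, \"100%% done, fn %pS\\n\", fn);",
    "seq_printf(m, \"%-16p %08lx\\n\", ptr, flags);",
};

/* Count the lines that would leak an address regardless of kptr_restrict. */
size_t count_raw_pointer_lines(const char *const *lines, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (find_raw_pointer_directive(lines[i]) >= 0) hits++;
    return hits;
}

size_t scan_sample(void) {
    return count_raw_pointer_lines(sample_lines,
                                   sizeof sample_lines / sizeof *sample_lines);
}

int main(void) {
    size_t n = sizeof sample_lines / sizeof *sample_lines;
    for (size_t i = 0; i < n; i++) {
        int at = find_raw_pointer_directive(sample_lines[i]);
        if (at >= 0)
            printf("raw pointer at offset %d: %s\n", at, sample_lines[i]);
    }
    printf("%zu of %zu lines leak a raw address\n", scan_sample(), n);
    return 0;
}
```

Running it over real sources means feeding each string literal passed to printk, pr_*, dev_* or seq_printf into `find_raw_pointer_directive`; the scanner deliberately does not try to decide whether a given `%pK` is reachable by an unprivileged reader, which is a separate review of which file or log carries the output.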

2 years ago  ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream()...
Vladis Dronov [Thu, 31 Mar 2016 16:05:43 +0000]
ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call

create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.

This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.

Based on a patch by Takashi Iwai <tiwai@suse.de>

[Note for stable backports:
 this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
 code cleanup in create_fixed_stream_quirk()')]

Bug 1823317

Change-Id: I4f65a902a19e7b21e8bc0fa21efd833c8360a3cf
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: <stable@vger.kernel.org> # see the note above
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259999
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years ago  perf: Fix race in swevent hash
Peter Zijlstra [Tue, 15 Dec 2015 12:49:05 +0000]
perf: Fix race in swevent hash

There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.

Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.

When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.

Bug 1823317

Change-Id: I309528873f8576f96663afbe51ce2739934df16c
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259934
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years ago  video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM
Gagan Grover [Thu, 24 Nov 2016 11:28:49 +0000]
video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM

Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.

Bug 1820242

Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

tcp: fix use after free in tcp_xmit_retransmit_queue()
Eric Dumazet [Wed, 17 Aug 2016 12:56:26 +0000]
tcp: fix use after free in tcp_xmit_retransmit_queue()

When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail().

Then it attempts to copy user data into this fresh skb.

If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb).

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Bug 1823317

Change-Id: I9bf709b21e5637f338c34d894617f33d84f93ecc
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1260003
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

ext4: fix potential use after free in __ext4_journal_stop
Lukas Czerner [Sun, 18 Oct 2015 02:57:06 +0000]
ext4: fix potential use after free in __ext4_journal_stop

There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.

Bug 1823317

Change-Id: Ib6fe50ed8013943d5fc3459eb499ecda5533c6ef
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259975
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

block: fix use-after-free in sys_ioprio_get()
Omar Sandoval [Fri, 1 Jul 2016 07:39:35 +0000]
block: fix use-after-free in sys_ioprio_get()

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

    #include <assert.h>
    #include <sys/syscall.h>
    #include <sys/types.h>
    #include <sys/wait.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        pid_t pid, child;
        long nproc, i;

        /* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
        syscall(SYS_ioprio_set, 1, 0, 0x6000);

        nproc = sysconf(_SC_NPROCESSORS_ONLN);

        /* per CPU: one child that forks and reaps in a loop, one that
         * queries the io priority in a loop */
        for (i = 0; i < nproc; i++) {
            pid = fork();
            assert(pid != -1);
            if (pid == 0) {
                for (;;) {
                    pid = fork();
                    assert(pid != -1);
                    if (pid == 0) {
                        _exit(0);
                    } else {
                        child = wait(NULL);
                        assert(child == pid);
                    }
                }
            }

            pid = fork();
            assert(pid != -1);
            if (pid == 0) {
                for (;;) {
                    /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
                    syscall(SYS_ioprio_get, 2, 0);
                }
            }
        }

        for (;;) {
            /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
            syscall(SYS_ioprio_get, 2, 0);
        }

        return 0;
    }

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009]  ___slab_alloc+0x55d/0x5a0
[   35.530009]  __slab_alloc.isra.20+0x2b/0x40
[   35.530009]  kmem_cache_alloc_node+0x84/0x200
[   35.530009]  create_task_io_context+0x2b/0x370
[   35.530009]  get_task_io_context+0x92/0xb0
[   35.530009]  copy_process.part.8+0x5029/0x5660
[   35.530009]  _do_fork+0x155/0x7e0
[   35.530009]  SyS_clone+0x19/0x20
[   35.530009]  do_syscall_64+0x195/0x3a0
[   35.530009]  return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009]  __slab_free+0x27b/0x3d0
[   35.530009]  kmem_cache_free+0x1fb/0x220
[   35.530009]  put_io_context+0xe7/0x120
[   35.530009]  put_io_context_active+0x238/0x380
[   35.530009]  exit_io_context+0x66/0x80
[   35.530009]  do_exit+0x158e/0x2b90
[   35.530009]  do_group_exit+0xe5/0x2b0
[   35.530009]  SyS_exit_group+0x1d/0x20
[   35.530009]  entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Bug 1823317

Change-Id: If331a4574b63e9288d1019c45c28af82731e9abb
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259972
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

block: fix use-after-free in seq file
Vegard Nossum [Fri, 29 Jul 2016 08:40:31 +0000]
block: fix use-after-free in seq file

I got a KASAN report of use-after-free:

    ==================================================================
    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
    Read of size 8 by task trinity-c1/315
    =============================================================================
    BUG kmalloc-32 (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
            ___slab_alloc+0x4f1/0x520
            __slab_alloc.isra.58+0x56/0x80
            kmem_cache_alloc_trace+0x260/0x2a0
            disk_seqf_start+0x66/0x110
            traverse+0x176/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a
    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
            __slab_free+0x17a/0x2c0
            kfree+0x20a/0x220
            disk_seqf_stop+0x42/0x50
            traverse+0x3b5/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a

    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G    B           4.7.0+ #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
    Call Trace:
     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
     [<ffffffff814704ff>] object_err+0x2f/0x40
     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
     [<ffffffff814b8de6>] do_preadv+0x126/0x170
     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

open()
 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Bug 1823317

Change-Id: Ic3f82ef82c570866b48c5ea8e195d8e504570d80
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259961
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
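
The start/stop sequence in the commit message above, as an added example that is not code from fs/seq_file.c, block/genhd.c or this commit. It models the iterator lifecycle with a fake allocator that can be told to fail, and a fake kfree() that marks the object dead instead of releasing it, so an iter_exit() through a stale pointer is counted rather than becoming undefined behaviour. All names (seqf_start, seqf_stop_before, seqf_stop_after, two_reads) are assumptions for this example:

```c
/* Added example, not kernel code: a model of the .seq_start/.seq_stop
 * pairing, instrumented so a stale-pointer iter_exit() is counted. */
#include <stdbool.h>
#include <stdlib.h>
#include <stdio.h>

struct seq_file { void *private; };
struct iter { bool live; };

static int alloc_failures_left;   /* number of upcoming allocations to fail */
static int stale_exit_calls;      /* iter_exit() calls on a freed iterator */

/* Model of kmalloc(): returns NULL when a failure has been scheduled. */
static struct iter *iter_alloc(void)
{
    struct iter *it;
    if (alloc_failures_left > 0) {
        alloc_failures_left--;
        return NULL;
    }
    it = malloc(sizeof *it);
    if (it)
        it->live = true;
    return it;
}

/* Model of kfree(): marks the object dead but keeps the memory, so a
 * later access through a stale pointer is observable. */
static void iter_free(struct iter *it) { it->live = false; }

/* Model of class_dev_iter_exit(): the access KASAN flagged above. */
static void iter_exit(struct iter *it)
{
    if (!it->live)
        stale_exit_calls++;
}

/* .seq_start: on allocation failure ->private is left untouched, which
 * is the situation the commit describes. */
static void *seqf_start(struct seq_file *seqf)
{
    struct iter *it = iter_alloc();
    if (!it)
        return NULL;
    seqf->private = it;
    return it;
}

/* .seq_stop before the fix: frees the iterator but leaves the pointer. */
static void seqf_stop_before(struct seq_file *seqf)
{
    struct iter *it = seqf->private;
    if (it) {
        iter_exit(it);
        iter_free(it);
    }
}

/* .seq_stop after the fix: clear ->private once the iterator is gone. */
static void seqf_stop_after(struct seq_file *seqf)
{
    struct iter *it = seqf->private;
    if (it) {
        iter_exit(it);
        iter_free(it);
        seqf->private = NULL;
    }
}

/* Two pread() calls on one open file: the second allocation fails and
 * stop still runs after the failed start. Returns the number of
 * iter_exit() calls that hit freed memory (0 is the correct result). */
static int two_reads(void (*stop)(struct seq_file *))
{
    struct seq_file sf = { .private = NULL };
    stale_exit_calls = 0;
    alloc_failures_left = 0;
    seqf_start(&sf); stop(&sf);      /* first read: alloc ok, then freed */
    alloc_failures_left = 1;
    seqf_start(&sf); stop(&sf);      /* second read: alloc fails */
    return stale_exit_calls;
}

int main(void)
{
    printf("before fix: %d stale exit(s)\n", two_reads(seqf_stop_before));
    printf("after fix:  %d stale exit(s)\n", two_reads(seqf_stop_after));
    return 0;
}
```

The model keeps the contract the commit relies on: stop runs even when start failed, so whichever side owns the pointer has to leave it NULL. The alternative the message mentions, clearing ->private in the start path when the allocation fails, closes the same window from the other side.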

sg: Fix double-free when drives detach during SG_IO
Calvin Owens [Fri, 30 Oct 2015 23:57:00 +0000]
sg: Fix double-free when drives detach during SG_IO

In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().

Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.

This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:

  ------------[ cut here ]------------
  kernel BUG at block/blk-core.c:1420!
  Call Trace:
  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
  [<ffffffff81602afb>] tracesys+0xdd/0xe2
    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free
it.

Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Bug 1823317

Change-Id: I883243dce583cd79e28facaa2cdd81157b293d74
Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259958
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

af_unix: Guard against other == sk in unix_dgram_sendmsg
Rainer Weikusat [Thu, 11 Feb 2016 19:37:27 +0000]
af_unix: Guard against other == sk in unix_dgram_sendmsg

The unix_dgram_sendmsg routine uses the following test

if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {

to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add an other != sk
check to guard against this.

Bug 1823317

Change-Id: I5b8f74348f82b4a84a3e01a93c58c49829b26efa
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259949
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

proc: prevent accessing /proc/<PID>/environ until it's ready
Mathias Krause [Thu, 5 May 2016 23:22:26 +0000]
proc: prevent accessing /proc/<PID>/environ until it's ready

If /proc/<PID>/environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing reads beyond the end of what has been written.

Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
zero.  It is, apparently, intentionally set last in create_*_tables().

This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.

The expected consequence is that userland trying to access
/proc/<PID>/environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment
variables.

Bug 1823317

Change-Id: I38356eb68ffd1294f1f1250fb328bd01a3b37158
Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: Pax Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Mateusz Guzik <mguzik@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259930
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

HID: core: prevent out-of-bound readings
Benjamin Tissoires [Tue, 19 Jan 2016 11:34:58 +0000]
HID: core: prevent out-of-bound readings

Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.

The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.

Bug 1823317

Change-Id: Ib3ba92572acbdd4c9ec265e54a45f92606107700
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259928
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

tty: Prevent ldisc drivers from re-using stale tty fields
Peter Hurley [Fri, 27 Nov 2015 19:30:21 +0000]
tty: Prevent ldisc drivers from re-using stale tty fields

Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].

Harden the ldisc interface against misuse by initializing relevant
tty fields before instancing the new line discipline.

[1]
    commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
    Author: Tilman Schmidt <tilman@imap.cc>
    Date:   Tue Jul 14 00:37:13 2015 +0200

    isdn/gigaset: reset tty->receive_room when attaching ser_gigaset

[2] Report from Sasha Levin <sasha.levin@oracle.com>
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Bug 1823317

Change-Id: Ica54faa9334c587594cc19bc9da007340fda672d
Cc: Tilman Schmidt <tilman@imap.cc>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259925
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

drivers: media: Remove support for IMX208 sensor
Vincent Chung [Tue, 22 Nov 2016 02:33:03 +0000]
drivers: media: Remove support for IMX208 sensor

Remove support for the IMX208 sensor in all T124 target branches due
to a security vulnerability reported for the Pixel C.

This Gerrit removes the IMX208 driver.

Bug 1825317

Change-Id: I5a5b140526c9aabe3f57d60cd750176579f18391
Signed-off-by: Vincent Chung <vincentc@nvidia.com>
Reviewed-on: http://git-master/r/1259195
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

arm: dts: Remove support for IMX208 sensor
Vincent Chung [Thu, 24 Nov 2016 01:24:43 +0000]
arm: dts: Remove support for IMX208 sensor

Remove support for the IMX208 sensor in all T124 target branches due
to a security vulnerability reported for the Pixel C.

This Gerrit removes the DeviceTree and configuration references.

boot.img size not changed.

Bug 1825317

Change-Id: I04c7a8cad07f31ea5aa4a33389838f2ce2a8f31f
Signed-off-by: Vincent Chung <vincentc@nvidia.com>
Reviewed-on: http://git-master/r/1259194
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX
Terje Bergstrom [Tue, 8 Nov 2016 22:29:14 +0000]
gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX

We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context
being only partially available, and can lead to use-after-free.

Bug 1834225

Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-on: http://git-master/r/1250004
Reviewed-on: http://git-master/r/1258422
Reviewed-by: Martin Gao <marting@nvidia.com>
Tested-by: Martin Gao <marting@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Eric Chuang <echuang@nvidia.com>

[media] uvcvideo: fix null pointer dereference
Henry Lin [Wed, 23 Nov 2016 11:51:34 +0000]
[media] uvcvideo: fix null pointer dereference

stream->urb_num needs to be set to 0 while freeing urbs to avoid null
pointer dereference afterwards.

Bug 200237870

Change-Id: Ib26f7b23f34db049790e7a5b31a8bde181b74d99
Signed-off-by: Henry Lin <henryl@nvidia.com>
Reviewed-on: http://git-master/r/1258903
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: WK Tsai <wtsai@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

HID: usbhid: improve handling of Clear-Halt and reset
Alan Stern [Tue, 2 Sep 2014 15:39:15 +0000]
HID: usbhid: improve handling of Clear-Halt and reset

This patch changes the way usbhid carries out Clear-Halt and reset.

Currently, after a Clear-Halt on the interrupt-IN endpoint, the driver
immediately restarts the interrupt URB, even if the Clear-Halt failed.
This doesn't work out well when the reason for the failure was that
the device was disconnected (when a low- or full-speed device is
connected through a hub to an EHCI controller, transfer errors caused
by disconnection are reported as stalls by the hub).  Instead now the
driver will attempt a reset after a failed Clear-Halt.

The way resets are carried out is also changed.  Now the driver will
call usb_queue_reset_device() instead of calling usb_reset_device()
directly.  This avoids a deadlock that would arise when a device is
unplugged: The hid_reset() routine runs as a workqueue item, a reset
attempt after the device has been unplugged will fail, failure will
cause usbhid to be unbound, and the disconnect routine will try to do
cancel_work_sync().  The usb_queue_reset_device() implementation is
carefully written to handle scenarios like this one properly.

Bug 1838664

Change-Id: Ifb3fb19787b87ce72c8010f3d15d8b8392413162
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Reviewed-on: http://git-master/r/1257991
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Hans Yang <hansy@nvidia.com>
Tested-by: Hans Yang <hansy@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Henry Lin <henryl@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

Revert "HID: usbhid: fix a lockup in usbhid_disconnect()"
Hans Yang [Mon, 21 Nov 2016 06:29:29 +0000]
Revert "HID: usbhid: fix a lockup in usbhid_disconnect()"

This reverts commit 5d54db82ef875f17a9b053d9267d9c222402a1c6.

Bug 1838664

Change-Id: I440d5aa147c46478d453ff5fd2ae4f17d616d832
Signed-off-by: Hans Yang <hansy@nvidia.com>
Reviewed-on: http://git-master/r/1257990
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Henry Lin <henryl@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

video: tegra: nvmap: fix possible use after free
Gagan Grover [Tue, 22 Nov 2016 09:31:11 +0000]
video: tegra: nvmap: fix possible use after free

Fix possible use after free issue.

Bug 1814555

Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1257999
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Sri Krishna Chowdary <schowdary@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

hdmi: fix a dead lock in tegra_hdmi_hpd_worker()
Haley Teng [Thu, 25 Aug 2016 09:29:01 +0000]
hdmi: fix a dead lock in tegra_hdmi_hpd_worker()

We should not call cancel_delayed_work_sync() in tegra_hdmi_hpd_worker()
since tegra_hdmi_hpd_worker() is a function called by workqueue.
Replace cancel_delayed_work_sync() with cancel_delayed_work() in
tegra_hdmi_hpd_worker().

The below backtrace is an example of the deadlock issue.

[   81.663560] kworker/5:2     D ffffffc000085de8     0   173      2 0x00000000
[   81.670634] Workqueue: events tegra_hdmi_hpd_worker
[   81.675520] Call trace:
[   81.677959] [<ffffffc000085de8>] __switch_to+0x94/0xa8
[   81.683099] [<ffffffc000b6a048>] __schedule+0x284/0x788
[   81.688326] [<ffffffc000b6a590>] schedule+0x44/0xb0
[   81.693213] [<ffffffc0000b8e98>] __cancel_work_timer+0x18c/0x190
[   81.699216] [<ffffffc0000b8ec4>] cancel_delayed_work_sync+0x10/0x18
[   81.705483] [<ffffffc000447d74>] tegra_hdmi_hpd_worker+0x134/0x28c
[   81.711668] [<ffffffc0000b87b4>] process_one_work+0x158/0x44c
[   81.717415] [<ffffffc0000b95e4>] worker_thread+0x134/0x4a8
[   81.722899] [<ffffffc0000be8c0>] kthread+0xe0/0xf4
[   81.727691] [<ffffffc000084c90>] ret_from_fork+0x10/0x40
......
[   86.791409] sh              D ffffffc000085de8     0  1879   1782 0x00000000
[   86.798477] Call trace:
[   86.800916] [<ffffffc000085de8>] __switch_to+0x94/0xa8
[   86.806055] [<ffffffc000b6a048>] __schedule+0x284/0x788
[   86.811280] [<ffffffc000b6a590>] schedule+0x44/0xb0
[   86.816161] [<ffffffc000b6d1fc>] schedule_timeout+0x1f0/0x280
[   86.821908] [<ffffffc000b6b110>] wait_for_common+0xa0/0x144
[   86.827486] [<ffffffc000b6b1c8>] wait_for_completion+0x14/0x1c
[   86.833322] [<ffffffc0000b80ec>] flush_work+0xd0/0x188
[   86.838460] [<ffffffc0000b8da4>] __cancel_work_timer+0x98/0x190
[   86.844383] [<ffffffc0000b8ec4>] cancel_delayed_work_sync+0x10/0x18
[   86.850652] [<ffffffc00044a380>] tegra_hdmi_set_hotplug_state+0x48/0xc0
[   86.857264] [<ffffffc00044a448>] tegra_hdmi_hotplug_dbg_write+0x50/0x84
[   86.863877] [<ffffffc0001c2d88>] __vfs_write+0x2c/0xe0
[   86.869019] [<ffffffc0001c370c>] vfs_write+0x90/0x19c
[   86.874070] [<ffffffc0001c4214>] SyS_write+0x44/0xa0
[   86.879038] [<ffffffc000084cf0>] el0_svc_naked+0x24/0x28

Bug 200228986

Change-Id: I431e7903a283324f4ed482464ac150790a1ec8e1
Signed-off-by: Haley Teng <hteng@nvidia.com>
Reviewed-on: http://git-master/r/1207728
Reviewed-on: http://git-master/r/1258745
Tested-by: Prafull Suryawanshi <prafulls@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Santosh Galma <galmar@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>

net: wireless: bcmdhd/bcmdhd_88: Time bound for dhd_dpc thread
Srinivas Ramachandran [Sat, 19 Nov 2016 01:04:07 +0000]
net: wireless: bcmdhd/bcmdhd_88: Time bound for dhd_dpc thread

Add a time bound for the dhd_dpc thread. Ensures the dpc thread does not
hog the CPU, while at the same time not hurting perf. either.

Bug 1844359

Change-Id: I34b061ea495581ba92d249eaa34d992f1d54b6e6
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1256652
Reviewed-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Reviewed-by: Bhadram Varka <vbhadram@nvidia.com>
Reviewed-by: Narayan Reddy <narayanr@nvidia.com>
Tested-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

video: tegra: nvmap: Check if handle holds a buffer before map
Sri Krishna chowdary [Tue, 15 Nov 2016 05:53:30 +0000]
video: tegra: nvmap: Check if handle holds a buffer before map

Consider the following case:
1. NVMAP_IOC_CREATE gives a valid fd to user space
2. user space calls NVMAP_IOC_ALLOC and it fails. So, all
of the handle's allocation fields are zero.
3. Subsequent dma_buf_vmap, mmap on fd leads to __nvmap_mmap
call.
4. handle is valid but h->alloc, h->carveout, h->heap_pgalloc,
h->vaddr all are 0.
5. We check for h->heap_pgalloc which is false, so proceed and
dereference h->carveout leading to NULL pointer exception.

A valid __nvmap_mmap should occur only when h->alloc is true.
So, add check for it.

bug 1837468

Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1253236
GVS: Gerrit_Virtual_Submit
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
Tested-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-by: Pritesh Raithatha <praithatha@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

tty: serial8250: save/dump the port statistics
Shardar Shariff Md [Wed, 24 Feb 2016 13:21:49 +0000]
tty: serial8250: save/dump the port statistics

Save the port statistics before handling serial
interrupt and dump the current port stats when
too much work is done in serial irq handler to
know which interrupt is causing this.

Bug 1730156

Change-Id: I2b85245f1fb5f23335b13f51a298f375504a38ae
Signed-off-by: Shardar Shariff Md <smohammed@nvidia.com>
Reviewed-on: http://git-master/r/1018177
(cherry picked from commit 31cf754a649df20d7c2969d92db95e606848731f)
Reviewed-on: http://git-master/r/1257296
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Daniel Fu <danifu@nvidia.com>

hid: release snd_card without causing a deadlock
Mithun Maragiri [Mon, 14 Nov 2016 23:55:56 +0000]
hid: release snd_card without causing a deadlock

Use snd_card_free_when_closed.

Bug 1835468

Change-Id: I570ceb92431da457f1ec2136f19fc11f80e0211f
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1253091
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

KEYS: Fix ASN.1 indefinite length object parsing
David Howells [Tue, 23 Feb 2016 11:03:12 +0000]
KEYS: Fix ASN.1 indefinite length object parsing

This fixes CVE-2016-0758.

In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor.  With a sufficiently large size indicated, the check:

datalen - dp < 2

may then fail due to integer overflow.

Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.

Whilst we're at it, make the following changes:

 (1) Check the maximum size of extended length does not exceed the capacity
     of the variable it's being stored in (len) rather than the type that
     variable is assumed to be (size_t).

 (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
     integer 0.

 (3) To reduce confusion, move the initialisation of len outside of:

for (len = 0; n > 0; n--) {

     since it doesn't have anything to do with the loop counter n.

Bug 1812688

Change-Id: I808500200996d58481ad705174c8cf0559fa19c1
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1254648
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
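
The length validation this commit describes, as an added example that is not code from the kernel's ASN.1 decoder or from this commit. It reads a BER tag/length header and checks every claimed length against the bytes that remain before the cursor moves, so the "dp + len" addition can never wrap past the end of the buffer; it also folds in the three side changes listed above (bounding the long-form octet count by the capacity of the variable, comparing against the symbolic ASN1_EOC, and initialising len outside the loop). Function names (asn1_read_hdr, asn1_contents_len, asn1_count_tlvs, cursor_wraps) and the sample inputs are constructed for this example:

```c
/* Added example, not the kernel's ASN.1 decoder: a BER tag/length header
 * reader that validates each claimed length against the remaining input
 * before the cursor is advanced. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ASN1_EOC 0x00  /* end-of-contents tag; compared by name, not as 0 */

struct asn1_hdr {
    uint8_t tag;
    bool indefinite;   /* length octet 0x80: contents run until an EOC pair */
    size_t len;        /* contents length when !indefinite */
    size_t hdr_len;    /* octets used by the tag and length fields */
};

/* The arithmetic the commit guards against: adding an unchecked claimed
 * length to the cursor wraps to a value *below* dp, after which a test
 * like "datalen - dp < 2" passes for data that does not exist. */
static bool cursor_wraps(size_t dp, size_t len)
{
    return dp + len < dp;   /* unsigned wraparound is well defined in C */
}

/* Parse the header at data[dp]; 0 on success, -1 if it is malformed or
 * claims more contents than remain in data[dp..datalen). */
static int asn1_read_hdr(const uint8_t *data, size_t datalen, size_t dp,
                         struct asn1_hdr *out)
{
    size_t start = dp;
    size_t len;
    unsigned int n;

    if (dp >= datalen || datalen - dp < 2)    /* tag + first length octet */
        return -1;

    out->tag = data[dp++];
    out->indefinite = false;
    len = data[dp++];

    if (len == 0x80) {                        /* indefinite form */
        out->indefinite = true;
        out->len = 0;
        out->hdr_len = dp - start;
        return 0;
    }
    if (len & 0x80) {                         /* long form: n more octets */
        n = len & 0x7f;
        if (n == 0 || n > sizeof(len))        /* (1) bound by len's own size */
            return -1;
        if (n > datalen - dp)                 /* the n octets must be present */
            return -1;
        len = 0;                              /* (3) initialised outside loop */
        for (; n > 0; n--)
            len = (len << 8) | data[dp++];
    }
    /* The core fix: compare against the remaining data *before* len is
     * added to the cursor. dp <= datalen here, so the subtraction is safe. */
    if (len > datalen - dp)
        return -1;

    out->len = len;
    out->hdr_len = dp - start;
    return 0;
}

/* Contents length of the definite-length element at dp, or -1 if rejected. */
static long asn1_contents_len(const uint8_t *data, size_t datalen, size_t dp)
{
    struct asn1_hdr h;
    if (asn1_read_hdr(data, datalen, dp, &h) || h.indefinite)
        return -1;
    return (long)h.len;
}

/* Count consecutive definite-length TLVs; -1 on the first bad header.
 * Each hop adds only lengths already validated against datalen. */
static int asn1_count_tlvs(const uint8_t *data, size_t datalen)
{
    size_t dp = 0;
    int count = 0;
    struct asn1_hdr h;

    while (dp < datalen) {
        if (asn1_read_hdr(data, datalen, dp, &h) || h.indefinite)
            return -1;   /* this walker does not track EOC nesting */
        if (h.tag == ASN1_EOC)  /* (2) an EOC belongs only inside an indefinite item */
            return -1;
        dp += h.hdr_len + h.len;
        count++;
    }
    return count;
}

/* Constructed sample inputs (not taken from the page). */
static const uint8_t sample_ok[]        = { 0x30, 0x03, 0x02, 0x01, 0x05 };  /* SEQUENCE { INTEGER 5 } */
static const uint8_t sample_longform[]  = { 0x04, 0x81, 0x02, 0xAA, 0xBB };  /* OCTET STRING, long-form length 2 */
static const uint8_t sample_overclaim[] = { 0x04, 0x0a, 0x01, 0x02 };        /* claims 10 octets, 2 present */
static const uint8_t sample_truncated[] = { 0x04, 0x82, 0x01 };              /* announces 2 length octets, 1 present */
static const uint8_t sample_huge[]      = { 0x04, 0x88, 0xFF, 0xFF, 0xFF, 0xFF,
                                            0xFF, 0xFF, 0xFF, 0xFF, 0x00 };  /* 8-octet length near SIZE_MAX */

int main(void)
{
    printf("ok=%d longform=%d overclaim=%d truncated=%d huge=%d wraps=%d\n",
           asn1_count_tlvs(sample_ok, sizeof sample_ok),
           asn1_count_tlvs(sample_longform, sizeof sample_longform),
           asn1_count_tlvs(sample_overclaim, sizeof sample_overclaim),
           asn1_count_tlvs(sample_truncated, sizeof sample_truncated),
           asn1_count_tlvs(sample_huge, sizeof sample_huge),
           (int)cursor_wraps(4, SIZE_MAX - 1));
    return 0;
}
```

The shape of the check matters more than the helper: "len > datalen - dp" is evaluated while dp is still known to be within the buffer, so neither operand can wrap, whereas a check performed after "dp += len" is reasoning about a cursor that may already have wrapped.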

android: Fix information disclosure vulnerability
Gagan Grover [Tue, 15 Nov 2016 07:18:31 +0000]
android: Fix information disclosure vulnerability

The format specifier %p can leak kernel addresses while not valuing the
kptr_restrict system settings.
The fix is designed to use %pK instead of %p, which also evaluates whether
kptr_restrict is set.

CVE-2016-6683 A-30143283
CVE-2016-6684 A-30148243

Bug 1812688

Change-Id: If2b1d25948af5c21333a189fe25e5412c6c2c27f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1253303
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>