15 months ago v4l2: prevent speculative load
Jeetesh Burman [Thu, 15 Feb 2018 08:37:39 +0000]
v4l2: prevent speculative load

bug 2039126

Change-Id: Id1908c3058c9ecc0dfb4f2d85440a8d36db45db5
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650029
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit 7a0213eca150614fe88d197a09d461fff6168652)
Reviewed-on: https://git-master.nvidia.com/r/1660781
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

15 months ago cryptodev: prevent speculative load related leak
Jeetesh Burman [Thu, 15 Feb 2018 07:30:39 +0000]
cryptodev: prevent speculative load related leak

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Id85eb9c91932f358dd999b28dd53d7788b37ea04
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640356
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650014
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit 25bd9436b11f41e23048c9515deae97900a46669)
Reviewed-on: https://git-master.nvidia.com/r/1660780
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

15 months ago drivers: speculative load before bound-check
Jeetesh Burman [Wed, 14 Feb 2018 10:48:40 +0000]
drivers: speculative load before bound-check

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

Bug 1964290
CVE-2017-5753

Change-Id: I7382dbcc6e9f352fafd457301beafe753925f3c4
Signed-off-by: Hien Goi <hgoi@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650791
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit 5cabd53985a30aa818896abdb64564a74c09ab9c)
Reviewed-on: https://git-master.nvidia.com/r/1660772
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

15 months ago arm: define speculation barrier
Jeetesh Burman [Wed, 14 Feb 2018 06:20:57 +0000]
arm: define speculation barrier

The instruction sequence "dsb sy" followed by "isb" functions as
a speculation barrier, which prevents the instructions after that
from being speculatively executed.

bug 2039126

Change-Id: I898aab771ff82b26b08214a06814d2e6e78969a7
Signed-off-by: Bo Yan <byan@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1618222
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650093
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit f125c60045878513902cac4a084fde9a516eb3e2)
Reviewed-on: https://git-master.nvidia.com/r/1660771
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
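
The pattern the four commits above describe, a bounds check followed by a speculation barrier before the dependent load, shown as an added example that is not code from these commits. Only the ARM sequence `dsb sy` + `isb` comes from the commit message; the x86 and generic fallbacks, `get_stride`, and the two tables are assumptions constructed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Speculation barrier. The ARM branch is the sequence named in the commit
 * message ("dsb sy" followed by "isb"). The x86 (lfence) and generic
 * (compiler-only) branches are assumptions so the file builds on other hosts.
 */
#if defined(__aarch64__) || defined(__arm__)
#define speculation_barrier() __asm__ volatile("dsb sy\n\tisb" ::: "memory")
#elif defined(__x86_64__) || defined(__i386__)
#define speculation_barrier() __asm__ volatile("lfence" ::: "memory")
#else
#define speculation_barrier() __asm__ volatile("" ::: "memory")
#endif

#define NUM_FORMATS 4u
#define NUM_PLANES  3u

/* Constructed driver tables: a format descriptor selects a plane entry. */
struct fmt_desc {
    uint8_t  plane;   /* index into plane_stride[] */
    uint32_t fourcc;
};

static const struct fmt_desc formats[NUM_FORMATS] = {
    { 0, 0x11111111u }, { 2, 0x22222222u }, { 1, 0x33333333u }, { 0, 0x44444444u },
};
static const uint32_t plane_stride[NUM_PLANES] = { 640, 320, 160 };

/*
 * Hypothetical ioctl helper: user_index comes from userspace.
 * Without the barrier, a mispredicted bounds check lets the CPU load
 * formats[user_index] out of range and use the result to index
 * plane_stride[], leaving a cache footprint that depends on the
 * out-of-range byte. The barrier keeps both loads from executing until
 * the bounds check has resolved.
 */
int get_stride(uint32_t user_index, uint32_t *stride)
{
    if (user_index >= NUM_FORMATS)
        return -EINVAL;

    speculation_barrier();   /* nothing below runs speculatively past the check */

    *stride = plane_stride[formats[user_index].plane];
    return 0;
}

int main(void)
{
    uint32_t stride = 0;
    int rc = get_stride(1, &stride);
    printf("index 1 -> rc=%d stride=%u\n", rc, (unsigned)stride);
    rc = get_stride(4, &stride);
    printf("index 4 -> rc=%d (rejected)\n", rc);
    return 0;
}
```

The barrier changes nothing architecturally, so functional tests pass with or without it; reviewing for it means checking that every user-controlled index has the barrier between its bounds check and the first load that uses it.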

15 months ago gpu: nvgpu: Add ref counting to channels
Alex Waterman [Thu, 13 Oct 2016 17:03:59 +0000]
gpu: nvgpu: Add ref counting to channels

Make sure that the VM owned by a channel lives for at least
as long as that channel does. If the channel's VM is cleaned
up before the channel then use-after-free bugs can occur.

Bug: 31680980
NvBug 1825464
Bug: 1885921

Change-Id: I0711781492a764b643c2ed1da1b3ba87fda72744
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-psac.nvidia.com/r/#/c/9261
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit e205f2720fcee61886e7979e9588602d691507ea)
Reviewed-on: https://git-master.nvidia.com/r/1681801
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

15 months ago tegra-cryptodev: Avoid untrusted usrptr dereference
Mallikarjun Kasoju [Fri, 16 Mar 2018 10:10:06 +0000]
tegra-cryptodev: Avoid untrusted usrptr dereference

In RSA operations use copy_from_user to get key data
into local buffer before using it.

This will avoid untrusted user pointer dereference.

Coverity ID 24040

Bug 200192571
Bug 1932494

Change-Id: I9c8f3fd7cfc18121d9c2179127dfb28202f38cdb
Signed-off-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1676570
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

15 months ago ASoC: tegra: check ucode upper limit
Ravindra Lokhande [Mon, 8 May 2017 09:12:48 +0000]
ASoC: tegra: check ucode upper limit

Check ucode size for upper limit.

Bug 1901435
Bug 1954563
Bug 1917589

Signed-off-by: Ravindra Lokhande <rlokhande@nvidia.com>
Signed-off-by: Xia Yang <xiay@nvidia.com>
Change-Id: I2f455771147bb4466d154878d2461e472647c4fb
Reviewed-on: https://git-master.nvidia.com/r/1575925
Reviewed-on: https://git-master.nvidia.com/r/1674399
GVS: Gerrit_Virtual_Submit
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Tested-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

16 months ago video: tegra: sor: set drive current for lane4
David Pu [Tue, 26 Jan 2016 19:21:06 +0000]
video: tegra: sor: set drive current for lane4

Drive current for LANE4 was not set if configured as 24bpp LVDS out.
Fix it by programming the proper drive current register if using 24bpp out.

Bug 1724122

Change-Id: Ie2ad71ace0b4f247e007e671be828230545b15f6
Signed-off-by: David Pu <dpu@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1544691
Reviewed-by: Automatic_Commit_Validation_User
Tested-by: Wayne Wang (SW-TEGRA) <waywang@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

16 months ago gpu: nvgpu: Validate buffer_offset argument
Debarshi Dutta [Fri, 9 Mar 2018 07:11:55 +0000]
gpu: nvgpu: Validate buffer_offset argument

Validate the mapping_size argument in the VM mapping IOCTL before
attempting to use the argument for anything.

Manual Cherry pick - https://git-master.nvidia.com/r/1547046

Bug 1954931
Bug 1965443

Change-Id: I81b22dc566c6c6f89e5e62604ce996376b33a343
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1547046
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit e68391690cfcc23b77c68aec3f9605badea226ed in
dev-kernel)
Reviewed-on: https://git-master.nvidia.com/r/1671883
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

16 months ago thermal: add boundary check to set_cur_state
Srikar Srimath Tirumala [Tue, 12 Sep 2017 19:27:13 +0000]
thermal: add boundary check to set_cur_state

Prevent sysfs from setting a cur_state that exceeds the max cur_state
of the cooling device.

Bug 200334223
Bug 200331706
Bug 1968660
Bug 1968616

Change-Id: I935be6166a9e184683abfcdce70cb08cbe4a1350
Signed-off-by: Srikar Srimath Tirumala <srikars@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1558407
(cherry picked from commit 142cf9d96ed221124ea2b778dc37cf5db8d5702c)
Reviewed-on: https://git-master.nvidia.com/r/1661413
Reviewed-on: https://git-master.nvidia.com/r/1662626
GVS: Gerrit_Virtual_Submit
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

17 months ago CRYPTO: disable crypto dev for t124
Konduri Praveen [Fri, 20 Oct 2017 06:01:36 +0000]
CRYPTO: disable crypto dev for t124

disabling tegra SE crypto dev for
t124 platform.

Bug 1927682

Change-Id: I16a24009e8f528df4be40ec65aa621b4ac779e41
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1582395
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

17 months ago video: tegra: host: use lock to get syncpt name
Gagan Grover [Tue, 22 Nov 2016 10:13:19 +0000]
video: tegra: host: use lock to get syncpt name

Use sp->syncpt_mutex lock to get syncpt name in
syncpt_name_show().
Without the lock, it is possible for user to read
syncpt name in corrupted state if user read
coincides with syncpt free.

Bug 1838598
Bug 1883567

Change-Id: I69ca5c1d80adaca4b93a337fe4a5debeb78f34fc
Reviewed-on: http://git-master/r/1252580
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1258020
(cherry picked from commit 9a7d12e49ca6c627dff2dc4c15fa9ba153e9265d in rel-24)
Reviewed-on: https://git-master.nvidia.com/r/1513005
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650064
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

17 months ago cryptodev: avoid untrusted user pointers
Konduri Praveen [Tue, 1 Aug 2017 12:05:58 +0000]
cryptodev: avoid untrusted user pointers

Add algo variable to avoid the usage of
user space pointers.

Bug 200286426

Change-Id: I7e208b45ba11348e7b89a429d457ae51ac29bde0
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1530560
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

17 months ago mm: larger stack guard gap, between vmas
Sri Krishna chowdary [Fri, 23 Jun 2017 06:26:03 +0000]
mm: larger stack guard gap, between vmas

commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.

Stack guard page is a useful feature to reduce a risk of stack smashing
into a different mapping. We have been using a single page gap which
is sufficient to prevent having stack adjacent to a different mapping.
But this seems to be insufficient in the light of the stack usage in
userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
used functions. Others use constructs like gid_t buffer[NGROUPS_MAX]
which is 256kB or stack strings with MAX_ARG_STRLEN.

This will become especially dangerous for suid binaries and the default
no limit for the stack size limit because those applications can be
tricked to consume a large portion of the stack and a single glibc call
could jump over the guard page. These attacks are not theoretical,
unfortunately.

Make those attacks less probable by increasing the stack guard gap
to 1MB (on systems with 4k pages; but make it depend on the page size
because systems with larger base pages might cap stack allocations in
the PAGE_SIZE units) which should cover larger alloca() and VLA stack
allocations. It is obviously not a full fix because the problem is
somehow inherent, but it should reduce attack space a lot.

One could argue that the gap size should be configurable from userspace,
but that can be done later when somebody finds that the new 1MB is wrong
for some special case applications.  For now, add a kernel command line
option (stack_guard_gap) to specify the stack gap size (in page units).

Implementation wise, first delete all the old code for stack guard page:
because although we could get away with accounting one extra page in a
stack vma, accounting a larger gap can break userspace - case in point,
a program run with "ulimit -S -v 20000" failed when the 1MB gap was
counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
and strict non-overcommit mode.

Instead of keeping gap inside the stack vma, maintain the stack guard
gap as a gap between vmas: using vm_start_gap() in place of vm_start
(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
places which need to respect the gap - mainly arch_get_unmapped_area(),
and the vma tree's subtree_gap support for that.

Bug 1946430

Change-Id: I9a66aabc34b687996fb971e01bb0ef30a3d4de7d
Original-patch-by: Oleg Nesterov <oleg@redhat.com>
Original-patch-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Tested-by: Helge Deller <deller@gmx.de> # parisc
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: backport to 4.11: adjust context]
[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide]
[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1509390
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

19 months ago pcie: host: tegra: WAR for RAW violations
Jay Agarwal [Tue, 14 Oct 2014 06:02:07 +0000]
pcie: host: tegra: WAR for RAW violations

Some of reads transaction getting before write
has completed resulting in RAW violation. This
WAR avoids this situation.

Bug 1345350

Change-Id: I56728d00326b193be26ccb4fe68787ebd8a2623d
Signed-off-by: Jay Agarwal <jagarwal@nvidia.com>
Reviewed-on: http://git-master/r/365301
(cherry picked from commit a706735e3c50a70dfee4a3d11378d3a1872a71d7)
Reviewed-on: https://git-master.nvidia.com/r/1595945
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Reviewed-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Mantravadi Karthik <mkarthik@nvidia.com>

21 months ago Revert "gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX"
Debarshi Dutta [Tue, 8 Aug 2017 10:04:57 +0000]
Revert "gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX"

Bug 200336148

This reverts commit 2db040946ff8340485b2b33fe5a46f3166fa96f6.

Change-Id: I8a80a7bd1bd8b1a949fba26b683ac1c9bebc0c04
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1534941
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

21 months ago Bluetooth: Properly check L2CAP config option output buffer length
Ben Seri [Wed, 13 Sep 2017 08:34:32 +0000]
Bluetooth: Properly check L2CAP config option output buffer length

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Bug 1989825

Change-Id: Id158ece2176c4ac339a7232dfde8c47ce2241122
Cc: stable@vger.kernel.org
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1558952
GVS: Gerrit_Virtual_Submit

23 months ago gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX
Debarshi Dutta [Wed, 21 Jun 2017 10:45:09 +0000]
gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX

We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context being
only partially available, and can lead to use-after-free.

Bug 1885775

Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1506479
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

23 months ago video: tegra: nvmap: fix nvmap create handle vulnerability
Krishna Reddy [Fri, 4 Nov 2016 19:45:53 +0000]
video: tegra: nvmap: fix nvmap create handle vulnerability

Handle the race condition between malicious fd close and
copy_to_user error, which can create use after free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to use after free condition.
Fixing Google Bug 32160775.

Bug 1835857

Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-on: http://git-master/r/1248391
Reviewed-on: https://git-master.nvidia.com/r/1512958
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years ago video: tegra: dsi: Set max limit for reading panel
Pavan Kunapuli [Thu, 16 Mar 2017 14:02:06 +0000]
video: tegra: dsi: Set max limit for reading panel

In the debugfs support for reading panel registers, max payload
needs to be limited to the buff array size to avoid stack corruption.

Bug 1873360

Change-Id: Ibee7bd81027d2669297942c09b905f1dd3bb09ee
Signed-off-by: Pavan Kunapuli <pkunapuli@nvidia.com>
Signed-off-by: sakets <sakets@nvidia.com>
Reviewed-on: https://git-master/r/1507653
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago video: tegra: nvmap: fix information leak in pin/unpin
Sri Krishna chowdary [Fri, 3 Mar 2017 05:14:08 +0000]
video: tegra: nvmap: fix information leak in pin/unpin

When the NVMAP_IOC_PIN_MULT_32 and NVMAP_IOC_UNPIN_MULT_32 are
called it is possible that the op.addr is not initialized. This
can cause write to some random address thus causing corruption.

This patch fixes Google Bug 31668540

bug 1832092

Change-Id: I4d12d1a6c777131ba1fa2a753ea640861f8e82a6
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1314406
(cherry picked from commit da0c43534bb61e2e0849e297d389517d5e4ed168)
Reviewed-on: http://git-master/r/1504673
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago media: tegra: nvavp: Fix UAF issue.
Jitendra Kumar [Thu, 27 Oct 2016 08:35:00 +0000]
media: tegra: nvavp: Fix UAF issue.

Use locking to protect generated fd, so that it can't be
freed before channel open completes. Also add null value checks
in release call.

CVE-2016-8449 (A-31798848)
Bug 1830023
Bug 1849492

Change-Id: Ie6e2b29c7132fdfdff6b0bfa75440bd43afffd5f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285817
(cherry picked from commit 2ff0fdedfd65f269359d6540df4662e958681aa7)
Reviewed-on: http://git-master/r/1299505
(cherry picked from commit ea1af2ce5a746bda36205357c9e0adaf527026bb)
Reviewed-on: http://git-master/r/1489467
(cherry picked from commit 89559abb25f82dc333eafa26391be0a50d6e9e0a)
Reviewed-on: http://git-master/r/1504674
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago gpu: nvgpu: Fix pgsz_idx used in gk20a_vm_alloc_space()
Alex Waterman [Wed, 30 Nov 2016 22:12:25 +0000]
gpu: nvgpu: Fix pgsz_idx used in gk20a_vm_alloc_space()

Use the correct page size index for pgsz_idx in gk20a_vm_alloc_space().
Previously the page size itself was used, not the page size index.

Bug 1837624

Change-Id: I652f5af5321c1c49dc8eb170d3f92f00c23d2b6f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
(cherry picked from commit fd13e0e1c4e397335c24497a0f92c85934d6185f)
Reviewed-on: http://git-master/r/1503371
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago video: tegra: nvmap: Fix NULL pointer dereference
Sri Krishna chowdary [Wed, 14 Dec 2016 06:28:30 +0000]
video: tegra: nvmap: Fix NULL pointer dereference

Consider the following case:
1. NVMAP_IOC_CREATE on IOVMM gives a valid fd to user space
2. user space does not call NVMAP_IOC_ALLOC.
3. user space calls a client driver IOCTL which calls dma_buf_map_attachment
4. call to dma_buf_map_attachment propagates till __nvmap_sg_table
   which has heap_pgalloc as true and tries to access pages[]
   which has all NULL.
5. Similarly, a dma_buf_kmap() can result in __nvmap_kmap() being called
   which again results in NULL dereference if pages[] is accessed.

A valid __nvmap_sg_table should occur only when h->alloc is true.
So, add check for it.

bug 1838597
bug 1883708

Change-Id: I400d9d8a94ff1003db207fc9c252b9256d796f60
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit 8244d104b7635cb0b26b651b6851498b9a84d7d6)
Reviewed-on: http://git-master/r/1489579
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years ago video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM
Gagan Grover [Thu, 24 Nov 2016 11:28:49 +0000]
video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM

Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.

Bug 1884311
Bug 1820242

Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-on: http://git-master/r/1489707
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago video: tegra: nvmap: Fix OOB vulnerability
Sagar Kadamati [Tue, 6 Dec 2016 06:08:01 +0000]
video: tegra: nvmap: Fix OOB vulnerability

Check all pages' parameters before reserving pages.

Bug 1883463
Bug 1831426
Bug 200247013

Manual port: http://git-psac/r/9287

(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)

Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Signed-off-by: Xia Yang <xiay@nvidia.com>
Signed-off-by: Sagar Kadamati <skadamati@nvidia.com>
Reviewed-on: http://git-master/r/1273326
Reviewed-on: http://git-master/r/1488769
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago gpu: nvgpu: fix crash in gk20a_channel_release
Aingara Paramakuru [Fri, 5 Sep 2014 18:38:21 +0000]
gpu: nvgpu: fix crash in gk20a_channel_release

gk20a_channel_release() should bail if filp->private_data is
NULL. This can happen as a result of gk20a_channel_release()
being called when __gk20a_channel_open() fails in
NVHOST_IOCTL_CHANNEL_OPEN.

Bug 200014898

Change-Id: I32cc957aca46fcd4265a8052ac5be355b644b9f7
Signed-off-by: Aingara Paramakuru <aparamakuru@nvidia.com>
Reviewed-on: http://git-master/r/496138
(cherry picked from commit cb0db6618c42ab4c33574f09f212ab1ee9a0438a)
Reviewed-on: http://git-master/r/1258588
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

2 years ago tegra: camera: Fix UAF security issue
Frank Chen [Wed, 14 Dec 2016 19:36:41 +0000]
tegra: camera: Fix UAF security issue

Fix UAF (use-after-free) security issue in
camera.pcl driver

Bug 1832830

Change-Id: Ie0f8a58a7bb9d1b4949e0f68d25d6da108f06e76
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1271371
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago tegra: camera race condition vulnerability
Mark Salyzyn [Tue, 17 May 2016 20:23:32 +0000]
tegra: camera race condition vulnerability

- Add mutex_lock(cam_desc.d_mutex) around ioctl access functions.
- Check cam->cdev in PCLLK_IOCTL_DEV_DEL ioctl.

(Back ported from Nexus N9 project)

Bug 1832830

Signed-off-by: <tiangangpi@gmail.com>
Signed-off-by: Xiaya Hu <xiaya@nvidia.com>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 28026625
Change-Id: I81fbab628fb6516afa2cf5d3e0adf333aa2eb003
Reviewed-on: http://git-master/r/1271370
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago camera: tegra: Fix security vulnerability
Amey Asgaonkar [Fri, 29 Apr 2016 01:01:42 +0000]
camera: tegra: Fix security vulnerability

Check a few input params to make sure there is
no potential for a heap overflow in the driver.

(Back ported from Nexus N9 project)

Bug 1757475 (nvidia)
Bug 1832830 (nvidia)
Bug 28193342 (google)

Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13
Signed-off-by: Amey Asgaonkar <aasgaonkar@nvidia.com>
Reviewed-on: http://git-master/r/1271369
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago tegra: camera: validate PCLLK_IOCTL_SEQ_XX params
Greg Hackmann [Fri, 19 Feb 2016 23:04:23 +0000]
tegra: camera: validate PCLLK_IOCTL_SEQ_XX params

The driver expects the userspace-provided table to be terminated with
addr == CAMERA_TABLE_END.  Reject tables that aren't.

(back ported from Nexus N9 project)

Bug 1832830

Change-Id: Id1e168e02fbf323d094fe8c36c6e4bd90cceee4f
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271368
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago media: tegra: camera: sanity-check ioctl parameter
Greg Hackmann [Fri, 19 Feb 2016 21:33:31 +0000]
media: tegra: camera: sanity-check ioctl parameter

Several places in the camera stack can hit integer overflows or cause
bad allocations if userspace passes in a bogus sizeofvalue parameter.
Protect against this by using appropriately-sized integer types, adding
range checks, replacing array-allocation calls with kcalloc(), and
checking for allocations returning ZERO_SIZE_PTR.

For one specific ioctl (PCLLK_IOCTL_UPDATE) sizeofvalue = 0 is fine,
since when that happens the subdrivers won't actually touch the returned
allocation.  In fact the existing userspace camera driver makes calls
like these and expects them to succeed!  Handle this special case by
adding a __camera_get_params variant that optionally treats zero-sized
inputs as valid.

(back ported from Nexus N9 project)

Bug 1832830

Change-Id: Ie3250d8a4b814de5820fa0190b4cbd1af3ca4b3f
Reported-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271367
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago tegra-cryptodev: type modifier change in plaintext_sz
Konduri Praveen [Wed, 3 May 2017 19:48:50 +0000]
tegra-cryptodev: type modifier change in plaintext_sz

change the type modifier from signed to unsigned
for plaintext_sz variable in tegra_sha_req structure
to avoid occurrence of negative values in plaintext_sz
variable.

Bug 1883640

Change-Id: I853f1916f7d4b6ea901cfe83419d624720a7e64f
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1474814
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago video: tegra: host: Add submit checks
Mikko Perttunen [Tue, 25 Oct 2016 09:31:15 +0000]
video: tegra: host: Add submit checks

Currently nvhost performs minimal checking for submits it passes
to hardware: The kernel does not check if job syncpoints are allocated
and the gather classes are not verified currently.

This patch adds checks for syncpoint ids and gather classes.

Adapted from 0abcbd69c4cbd0093e223b6c248fdd53c2886951.

Bug 1831406

Change-Id: Ifb9d2090009d16d0f56bc11546036167c7f72228
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1242190
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

2 years ago BACKPORT: drm: crtc: integer overflow in drm_property_create_blob()
Shreshtha SAHU [Wed, 30 Nov 2016 18:38:01 +0000]
BACKPORT: drm: crtc: integer overflow in drm_property_create_blob()

The size here comes from the user via the ioctl, it is a number between
1-u32max so the addition here could overflow on 32 bit systems.

This patch fixes a security vulnerability reported here:
https://code.google.com/p/android/issues/detail?id=228947

Change-Id: I17ed8c6e30826074cfc6dd833deb423be9bd89c5
Fixes: f453ba046074 ('DRM: add mode setting support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Cc: stable@kernel.org # v4.2
Signed-off-by: Dave Airlie <airlied@gmail.com>

Bug 1846814

Signed-off-by: Shreshtha SAHU <ssahu@nvidia.com>
Change-Id: I308e65797972a0a0650bd96bd130dfd2fbe9c993
Reviewed-on: http://git-master/r/1262503
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago gpu: nvgpu: add ptr validation for vm_map_buffer
Xia Yang [Wed, 14 Sep 2016 18:13:57 +0000]
gpu: nvgpu: add ptr validation for vm_map_buffer

dma_buf_get() return value is now validated before
being passed down for further processing.

Bug 1812180
Bug 1883864

Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-on: http://git-master/r/1220869

(cherry picked from commit e6fe9437c609252cf28ac76d2e6b33e905eaa843 in rel-21)
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Reviewed-on: http://git-master/r/1469135
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago arm: tegra: curtain pllx freq to its max value
Bibek Basu [Mon, 17 Apr 2017 16:44:53 +0000]
arm: tegra: curtain pllx freq to its max value

This patch fixes pllx max value to 1530 and 1836MHz
based on embedded clock settings considering aging factor
for CD575MI 24x7 and CD575MI 4/4/16 config

Bug 1900076

Change-Id: I9c6a769787fc04eac7ce4548e1a37a9a76972a6c
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1464315
GVS: Gerrit_Virtual_Submit
Reviewed-by: Peter Chiang <pchiang@nvidia.com>

2 years ago video: tegra: host: Protect channel ioctl
Arto Merilainen [Tue, 14 Oct 2014 07:12:26 +0000]
video: tegra: host: Protect channel ioctl

Channel ioctl interface is not multithreading safe and as the
common case is that we have only a single active user for an open
fd, add a mutex to force serialization of ioctl calls.

Bug 1830021

Change-Id: Ifa6595a105b913345104f216f0541c371e89efe5
(cherry picked from commit 7b24caa9a8d2ab08fe0c7be112e805e44906d956)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248801
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit

2 years ago video: tegra: nvmap: fix possible use after free
Gagan Grover [Tue, 22 Nov 2016 09:31:11 +0000]
video: tegra: nvmap: fix possible use after free

Fix possible use after free issue.

Bug 1814555
Bug 1884319

Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: http://git-master/r/1257999
(cherry picked from commit b1647da33cff0c498ca8439a722ea1962ecf6901 in rel-24)
Reviewed-on: http://git-master/r/1461184
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years ago T124: Add emc table to program SAMSUNG DRAM
Sandipan Patra [Tue, 28 Feb 2017 10:16:07 +0000]
T124: Add emc table to program SAMSUNG DRAM

New emc table for Samsung DRAM is added on JetsonTK1 target.
Based on tegra bct strap value it can be chosen dynamically.
Both emc table and embedded emc table have been updated accordingly.

Bug 1752744

Change-Id: Ifc577d925712690daec6c6f1121458f01f720846
Signed-off-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-on: http://git-master/r/1312498
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago arm: tegra12: jetson: disable usb charging detection
Roger Hsieh [Thu, 16 Feb 2017 10:00:32 +0000]
arm: tegra12: jetson: disable usb charging detection

Jetson TK1 doesn't support usb charging but the detection is still
running. Disable it to avoid unexpected behavior.

Bug 1861049

Change-Id: I13425d69e190a75084486ff1fc9afeb8aa7acb60
Signed-off-by: Roger Hsieh <rhsieh@nvidia.com>
Reviewed-on: http://git-master/r/1308015
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago video: tegra: host: Fix overflow issue allocation
Mikko Perttunen [Fri, 27 Jan 2017 07:32:20 +0000]
video: tegra: host: Fix overflow issue allocation

Change kmalloc to kmalloc_array to prevent overflow issues
caused by large values supplied by user.

Based on "video: tegra: host: Fix overflow issues in allocation"
in nvhost/.

Coverity ID 27942
Bug 1856419

Change-Id: I5e96d0ec184543782dfe8814ad7e856b3b71221c
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1295062
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago video: tegra: nvmap: Check if handle holds a buffer before map
Sri Krishna chowdary [Tue, 15 Nov 2016 05:53:30 +0000]
video: tegra: nvmap: Check if handle holds a buffer before map

Consider the following case:
1. NVMAP_IOC_CREATE gives a valid fd to user space
2. user space calls NVMAP_IOC_ALLOC and it fails. So, all
of the handle's allocation fields are zero.
3. Subsequent dma_buf_vmap, mmap on fd leads to __nvmap_mmap
call.
4. handle is valid but h->alloc, h->carveout, h->heap_pgalloc,
h->vaddr all are 0.
5. We check for h->heap_pgalloc which is false, so proceed and
dereference h->carveout leading to NULL pointer exception.

A valid __nvmap_mmap should occur only when h->alloc is true.
So, add check for it.

bug 1837468

Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1253236
(cherry picked from commit c5da78cf3d0c19f1e04501a4b3f64a5acacd0ff3)
Reviewed-on: http://git-master/r/1312264
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years ago drivers: crypto: Avoid use of tainted scalar value
Konduri Praveen [Tue, 2 May 2017 09:20:40 +0000]
drivers: crypto: Avoid use of tainted scalar value

Copy from user may taint the scalar value members
in the respective struct variables.
Add check for verifying the validity of the
scalar value members to avoid undefined behaviour.

Bug 1903278

Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Change-Id: Ic01c8d10886f9b02c61156f811b430acce8aca23
Reviewed-on: http://git-master/r/1473534
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

2 years ago tegra-cryptodev:check valid SHA message length
Konduri Praveen [Thu, 27 Apr 2017 09:10:36 +0000]
tegra-cryptodev:check valid SHA message length

SHA message length is provided from user space
through IOCTL call. If this length is not valid,
then it can lead to panic due to buffer overflow.

Fix by checking message length for SHA before
copying from user space

Bug 1883640

Change-Id: Idc5c6074784290b4622b1c23e5feb43849100cb5
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1471180
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago dccp: fix freeing skb too early for IPV6_RECVPKTINFO
Sandipan Patra [Tue, 21 Mar 2017 10:14:31 +0000]
dccp: fix freeing skb too early for IPV6_RECVPKTINFO

In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.

However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets
freed in dccp_rcv_state_process.

Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.

Similar fixes for TCP:

fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly
freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Bug 200285540

Change-Id: I3bec712b03278102c88933d4684324c3f414b606
Signed-off-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-on: http://git-master/r/1325204
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago video: tegra: nvmap: fix time-of-check,time-of-use vulnerability
Sri Krishna chowdary [Fri, 10 Feb 2017 09:32:14 +0000]
video: tegra: nvmap: fix time-of-check,time-of-use vulnerability

Validate the region specified by offset and size before performing
the operations like nvmap_prot_handle, nvmap_cache_maint and nvmap_handle_mk*.

This validation of offset and size once the values are in local variables
guarantees that even though user space changes the values in user buffers,
nvmap continues to perform operations with the contents that are validated.

Fixes Google Bug 34113000.

bug 1862379

Change-Id: Ief81887b3d94b49f3dcf4d2680d9d7b257c54092
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1298712
(cherry picked from commit f45441da608d8015ece73d253d4bdb48863f99e2)
Reviewed-on: http://git-master/r/1310316
(cherry picked from commit 57367ab3be5f1c52dd6b885f114ae90dfce5a363)
Reviewed-on: http://git-master/r/1319910
GVS: Gerrit_Virtual_Submit
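
Added example (not part of the commit above and not nvmap code): a user-space C model of the fix that message describes, where offset and size are fetched once into locals, validated, and only the locals are used afterwards. HANDLE_SIZE, struct op_args, range_ok() and the race hook are hypothetical names standing in for the driver's handle and a second user thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins; none of these names come from the nvmap driver. */
#define HANDLE_SIZE 4096u

struct op_args {		/* models arguments in a user-writable buffer */
	uint32_t offset;
	uint32_t size;
};

/* Models a second user thread rewriting the buffer after the check. */
typedef void (*race_hook)(struct op_args *shared);

static void grow_size(struct op_args *shared)
{
	shared->size = 0xFFFFFFFFu;
}

/* Region check written so that offset + size cannot wrap. */
static int range_ok(uint32_t offset, uint32_t size)
{
	return size != 0 && offset <= HANDLE_SIZE &&
	       size <= HANDLE_SIZE - offset;
}

/* Before: validates the shared buffer, then reads it again for the use. */
static int op_double_fetch(struct op_args *shared, race_hook hook,
			   struct op_args *used)
{
	if (!range_ok(shared->offset, shared->size))
		return -1;
	if (hook)
		hook(shared);		/* window between check and use */
	used->offset = shared->offset;	/* second fetch: unvalidated values */
	used->size = shared->size;
	return 0;
}

/* After: one fetch into a local copy; check and use both see that copy. */
static int op_single_fetch(struct op_args *shared, race_hook hook,
			   struct op_args *used)
{
	struct op_args local;

	memcpy(&local, shared, sizeof(local));	/* models copy_from_user() */
	if (!range_ok(local.offset, local.size))
		return -1;
	if (hook)
		hook(shared);		/* later writes no longer matter */
	*used = local;
	return 0;
}

/* Returns 1 when the range the operation ended up using is inside the handle. */
static int used_range_in_bounds(int single_fetch)
{
	struct op_args shared = { .offset = 0, .size = 64 };	/* constructed input */
	struct op_args used = { 0, 0 };
	int rc;

	rc = single_fetch ? op_single_fetch(&shared, grow_size, &used)
			  : op_double_fetch(&shared, grow_size, &used);
	return rc == 0 && range_ok(used.offset, used.size);
}

int main(void)
{
	printf("double fetch stays in bounds: %d\n", used_range_in_bounds(0));
	printf("single fetch stays in bounds: %d\n", used_range_in_bounds(1));
	return 0;
}
```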

2 years ago gpu: nvgpu: initialize local variable
Deepak Nibade [Thu, 4 Aug 2016 14:12:38 +0000]
gpu: nvgpu: initialize local variable

Initialize character array buf in gk20a_channel_ioctl() to zero
Keeping it uninitialized can result in leaking kernel stack
info to user space since we pass this buffer to UMD

Bug 1793398

Change-Id: Iffd654dbaca3b4e3c8fd2ac270d0febd01c165b8
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1195862
(cherry picked from commit 118809f4bd07af20df2b6c012828834695a5fccf from dev-kernel linux-nvgpu.git)
Reviewed-on: http://git-master/r/1269683
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Christian Gonzalez <christiang@nvidia.com>
Tested-by: Christian Gonzalez <christiang@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago arm: tegra: fix cpu speedo check for UCM1
Bibek Basu [Thu, 15 Dec 2016 08:23:27 +0000]
arm: tegra: fix cpu speedo check for UCM1

for UCM1 CD575M, check for cpu speedo 5 to
apply edp constraints

Bug 200195229
Bug 200199079

Change-Id: I704dd64f32c82c7499b6c5f0c96c04fdc062cf71
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1271709
GVS: Gerrit_Virtual_Submit

2 years ago dvfs: tegra: Validate CLDVFS register address
Bibek Basu [Thu, 10 Nov 2016 10:18:17 +0000]
dvfs: tegra: Validate CLDVFS register address

Bug 1783583

Change-Id: I8b0e865db02c00f741dafb473d4bd39c5075f23f
Signed-off-by: Alex Frid <afrid@nvidia.com>
Reviewed-on: http://git-master/r/1173469
(cherry picked from commit 453a77c5cd9a1316307458203365f9eb5bda62de)
Reviewed-on: http://git-master/r/1174714
(cherry picked from commit f2ce702f49c5631e8a7cbda6fbf09140f8fb55d9)
Reviewed-on: http://git-master/r/1239794
(cherry picked from commit f62bd56958ca743d512f757555e4a3b66f4c9cff)
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1251020
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago video: tegra: host: Prevent the race between channel open and close
Gagan Grover [Fri, 4 Nov 2016 11:09:33 +0000]
video: tegra: host: Prevent the race between channel open and close

Moved fd_install() at the end of the channel_open ioctl. So, the fd
can't be used until open ioctl completes.

Bug 1832094

Change-Id: Ib33d43bf5164418a38f98677d4e3295f3d1c1450
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248180
(cherry picked from commit e6a41d5c0049c2878543006b67b7ee2b2bbda2ab)
Reviewed-on: http://git-master/r/1249505
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

2 years ago video: tegra: host: add lower bound to num_syncpt_incrs
Gagan Grover [Fri, 21 Oct 2016 10:33:47 +0000]
video: tegra: host: add lower bound to num_syncpt_incrs

Check if there is at least one syncpt_incrs in each job.

Bug 1812182

Change-Id: I0bd0b2e7c4d01641c83ba729ec34390ddea81496
Reviewed-on: http://git-master/r/1221226
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248797
GVS: Gerrit_Virtual_Submit
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>

2 years ago gpio: pca953x: fix gpio input on gpio offsets >= 8
Martin Chi [Mon, 24 Oct 2016 08:57:37 +0000]
gpio: pca953x: fix gpio input on gpio offsets >= 8

This change fixes a regression introduced by commit
f5f0b7aa8 (gpio: pca953x: make the register access by GPIO bank)

When the pca953x driver was converted to using 8-bit reads/writes
the bitmask in pca953x_gpio_get_value wasn't adjusted with a
modulus BANK_SZ and consequently looks at the wrong bits in the
input register.

Bug 1826501

Change-Id: Id9c9d1cab9fb97e2fdf9408b03873722f787fbec
Signed-off-by: Andrew Ruder <andrew.ruder@elecsyscorp.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
(cherry picked from commit 40a625daa88653d7942dc85483f6f289cd687cb7)
Signed-off-by: Martin Chi <mchi@nvidia.com>
Reviewed-on: http://git-master/r/1241694
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
Reviewed-on: http://git-master/r/1242944
GVS: Gerrit_Virtual_Submit

2 years ago mmc: core: update EXT_CSD version to 8
Anubhav Jain [Wed, 29 Jun 2016 10:42:18 +0000]
mmc: core: update EXT_CSD version to 8

Bug 1779090

Change-Id: I733c6ff7b3e39216fcf25f9c0d048b4c752a9e84
Signed-off-by: Anubhav Jain <anubhavj@nvidia.com>
Reviewed-on: http://git-master/r/1173092
GVS: Gerrit_Virtual_Submit
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>

2 years ago mmc: card: test: Fix out of boundary array access
Xia Yang [Mon, 15 Aug 2016 21:56:51 +0000]
mmc: card: test: Fix out of boundary array access

Allocate buffer with 1 extra byte for NULL terminator.

Bug 1791602

Change-Id: I3c3658315c2cd2a1dc7be7d72953998a5275e71e
Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-on: http://git-master/r/1216897
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years ago mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
Linus Torvalds [Thu, 13 Oct 2016 20:07:36 +0000]
mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.

This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better).  The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9.  Earlier kernels will
have to look at the page state itself.

Also, the VM has become more scalable, and what used to be a purely
theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.

Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
     s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>

Change-Id: I6fbb1abf656ff7e05ec4c65f07dbbdd694546fb4
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-on: http://git-master/r/1241321
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years ago gpu: nvgpu: fix use-after-free in case of error notifier
Gagan Grover [Wed, 12 Oct 2016 11:35:06 +0000]
gpu: nvgpu: fix use-after-free in case of error notifier

A use-after-free scenario is possible where one thread in
gk20a_free_error_notifiers() is trying to free the error
notifier and another thread in gk20a_set_error_notifier()
is still using the error notifier

Fix this by introducing mutex error_notifier_mutex for
error notifier accesses

Take mutex in gk20a_free_error_notifiers() and in
gk20a_set_error_notifier() before accessing notifier

In gk20a_init_error_notifier(), set the pointer
ch->error_notifier_ref inside the mutex and only
after notifier is completely initialized

Bug 1824788

Change-Id: I47e1ab57d54f391799f5a0999840b663fd34585f
Reviewed-on: http://git-master/r/1233988
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Gaurav Singh <gaursingh@nvidia.com>
Reviewed-on: http://git-master/r/1236695
GVS: Gerrit_Virtual_Submit
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years ago UPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring()
Yevgeny Pats [Tue, 19 Jan 2016 22:09:04 +0000]
UPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring()

(cherry pick from commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2)

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.

This can be tested with the following program:

#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <keyutils.h>

int main(int argc, const char *argv[])
{
	int i = 0;
	key_serial_t serial;

	serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
			"leaked-keyring");
	if (serial < 0) {
		perror("keyctl");
		return -1;
	}

	if (keyctl(KEYCTL_SETPERM, serial,
		   KEY_POS_ALL | KEY_USR_ALL) < 0) {
		perror("keyctl");
		return -1;
	}

	for (i = 0; i < 100; i++) {
		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
				"leaked-keyring");
		if (serial < 0) {
			perror("keyctl");
			return -1;
		}
	}

	return 0;
}

If, after the program has run, there is something like the following line in
/proc/keys:

3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning.  If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.

Bug 1720836

Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: I10177a58a7b3178eda95017557edaa7298594d06
(cherry picked from commit 9fc5f368bb89b65b591c4f800dfbcc7432e49de5)
Signed-off-by: Sumit Singh <sumsingh@nvidia.com>
Reviewed-on: http://git-master/r/935565
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
(cherry picked from commit 07be7f19b4c356ce94642d0c2cecb93179a9a9bc)
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1210637
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>

2 years ago Revert "arm64:mm: rm swtch to ASID0 in ctxt swtch"
Rohit Khanna [Wed, 7 Sep 2016 20:00:23 +0000]
Revert "arm64:mm: rm swtch to ASID0 in ctxt swtch"

This reverts commit 584b60200b8bdcc895c8edacb94f48db5929f70a.

Change-Id: Ibe5b217521b77fa5799400b9460182e3329e1779
Signed-off-by: Rohit Khanna <rokhanna@nvidia.com>
Reviewed-on: http://git-master/r/1216501
(cherry picked from commit 04c8d66d61e15198b95d54672b2f2fe047d180b3)
Reviewed-on: http://git-master/r/1223596
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago nvavp: Add missing mutex unlock
Soumen Kumar Dey [Thu, 15 Sep 2016 03:53:29 +0000]
nvavp: Add missing mutex unlock

Add missing mutex unlock for nvavp_submit.

bug 1775299

Change-Id: I1b525e192bfd9dd19bcd0211484400445eda7b2b
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
Reviewed-on: http://git-master/r/1221210
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years ago nvavp: Add mutex lock for all avp submit
Soumen Kumar Dey [Tue, 14 Jun 2016 09:01:57 +0000]
nvavp: Add mutex lock for all avp submit

Add mutex lock for nvavp_submit to avoid race condition.

bug 1775299

Change-Id: I11a66a58a1f048d6a0ee5aa949f852bfef56dc07
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
Reviewed-on: http://git-master/r/1164117
(cherry picked from commit 1faa6a739996fdacff3dbc85ad46235f42ad79c9)
Reviewed-on: http://git-master/r/1214643
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years ago tegra:nvavp: Fix buffer overflow issue
Praveen Kumar Reddy M.V [Mon, 13 Jun 2016 11:38:32 +0000]
tegra:nvavp: Fix buffer overflow issue

Fixed possible buffer overflow issue in func
nvavp_pushbuffer_update().

Bug 1774401

Change-Id: Id0dec1cbf91d492335d0809c3c0bf146f6cb9d3d
Signed-off-by: Praveen Kumar Reddy M.V. <pkreddy@nvidia.com>
Reviewed-on: http://git-master/r/1163365
(cherry picked from commit 1e9ba50b225e841b52a93503fce818c1a21100f7)
Reviewed-on: http://git-master/r/1164130
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years ago ata: ahci_tegra: disable devslp
Preetham Chandru R [Fri, 19 Aug 2016 06:44:25 +0000]
ata: ahci_tegra: disable devslp

Devslp is not POR for T124 anymore.

Bug 200231146

Change-Id: Ia5380a17d545d3082a31c5b16b6946fa0e7ce4d5
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Reviewed-on: http://git-master/r/1207452
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years ago spi: tegra: support polling mode
Krishna Yarlagadda [Tue, 17 Nov 2015 14:01:22 +0000]
spi: tegra: support polling mode

Added support to use polling mode instead of interrupts
through a property in dt

Bug 1679083

Change-Id: Ic82ab592822cc96bacda05124d38ddd913e09af9
Reviewed-on: http://git-master/r/840233
(cherry picked from commit cd1c4db5adc8317572106099da37fa434245e699)
Reviewed-on: http://git-master/r/1009988
(cherry picked from commit b29ce03a6b7ebb306ff157640470dd5ab99c6f6b)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1175213
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Tested-by: Matthew Pedro <mapedro@nvidia.com>

2 years ago spi: tegra: Reduce register access
Krishna Yarlagadda [Mon, 8 Feb 2016 13:48:17 +0000]
spi: tegra: Reduce register access

Reduce register accesses to SPI as it is dependent on
slow, variable SPI clock frequency.

Bug 1675619

Change-Id: I5d638b8f95d9207fbad1e30e21234fc7433e03b3
Reviewed-on: http://git-master/r/1009503
(cherry picked from commit 890a422a7b75507c33b53f1ca4c512f7911d61c4)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1174582
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years ago spi: tegra: option to boost register access
Krishna Yarlagadda [Mon, 8 Feb 2016 11:17:35 +0000]
spi: tegra: option to boost register access

SPI register access for T210 and earlier chips depend
on SPI clock frequency. Provided an option to set SPI
clock at max frequency for register access.

Bug 1675625

Change-Id: Ie52c83cd4602604822462d9f02ddf31ead83aafc
Reviewed-on: http://git-master/r/1009782
(cherry picked from commit a2ccd28f2850538064668568432fee5d70a22e82)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1174581
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years ago tegra: quadd: fix stack information disclose bug
Jianqiang Zhao [Fri, 15 Jul 2016 08:58:55 +0000]
tegra: quadd: fix stack information disclose bug

fix stack information disclose bug

Bug 1797747

Change-Id: I7d2d33b9dbe3e81e8bb33aa9d7401dbb50525dce
Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Reviewed-on: http://git-master/r/1205757
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years ago quadd: fix stack info leak when getting capabilities
Jianqiang Zhao [Tue, 2 Aug 2016 03:57:13 +0000]
quadd: fix stack info leak when getting capabilities

Fix stack info leak when getting capabilities

Bug 1797747

Change-Id: Ic39112748fb2f053e6963b88e46ba2d953390edf
Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Reviewed-on: http://git-master/r/1205756
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years ago usb: gadget: tegra: Fix short packet issue
Peter Chiang [Mon, 4 Jul 2016 10:52:33 +0000]
usb: gadget: tegra: Fix short packet issue

Fix Transaction Error due to short packet with ISO mult-transaction.
Set new value in Override Mult field to support short packet

Bug 1745903

Change-Id: I7409ba8943c2490afe714a0da9f7c05a63c949b4
Signed-off-by: Peter Chiang <pchiang@nvidia.com>
Reviewed-on: http://git-master/r/1175184
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years ago video: tegra: host: fix integer overflow
Deepak Nibade [Mon, 27 Jun 2016 08:43:26 +0000]
video: tegra: host: fix integer overflow

Below addition on 32 bit architecture machines could
cause integer overflow since we will assign overflowed
value to "num_unpins"
s64 num_unpins = num_cmdbufs + num_relocs

Fix this and other calculations by explicitly typecasting
variables to u64 first

Bug 1781393

Change-Id: Ib7d9c0be4ac61dc404512b4bb0331aa20a6978bc
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171748
(cherry picked from commit 8f00b96c137b9c4cb43a8dbe2e153fae49524113)
Reviewed-on: http://git-master/r/1172519
(cherry picked from commit 61229625b1e19d5a93a9458f04e0cce356dbdee3)
Reviewed-on: http://git-master/r/1190218
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
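
Added example (not code from either commit): a user-space C model of the two arithmetic problems named in the "Fix overflow issue allocation" (kmalloc to kmalloc_array) and "fix integer overflow" (num_unpins) messages above. The 32-bit operand types and all helper names are assumptions; alloc_array_checked() models the multiplication check that kmalloc_array() makes, using malloc().

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Before: both operands are 32-bit (assumed), so the addition is done in
 * 32 bits and wraps; widening the result afterwards keeps the wrapped value. */
static int64_t unpins_wrapped(uint32_t num_cmdbufs, uint32_t num_relocs)
{
	int64_t num_unpins = num_cmdbufs + num_relocs;

	return num_unpins;
}

/* After: cast each operand to 64 bits first, then add. */
static uint64_t unpins_widened(uint32_t num_cmdbufs, uint32_t num_relocs)
{
	return (uint64_t)num_cmdbufs + (uint64_t)num_relocs;
}

/* Byte count as an open-coded kmalloc(n * size) would compute it. */
static size_t bytes_unchecked(size_t n, size_t size)
{
	return n * size;	/* wraps modulo SIZE_MAX + 1 */
}

/* User-space model of the check kmalloc_array() performs before allocating:
 * refuse the request when n * size cannot be represented in size_t. */
static void *alloc_array_checked(size_t n, size_t size)
{
	if (size != 0 && n > SIZE_MAX / size)
		return NULL;
	return malloc(n * size);
}

/* Constructed element count: with 16-byte elements, n * 16 wraps to 16. */
static size_t wrapping_count(void)
{
	return SIZE_MAX / 8 + 2;
}

int main(void)
{
	size_t n = wrapping_count();
	void *p;

	printf("wrapped sum: %lld\n",
	       (long long)unpins_wrapped(0xFFFFFFFFu, 2));
	printf("widened sum: %llu\n",
	       (unsigned long long)unpins_widened(0xFFFFFFFFu, 2));

	/* The unchecked product asks for 16 bytes although the caller will
	 * index n elements of 16 bytes each. */
	printf("unchecked bytes for n elements: %zu\n", bytes_unchecked(n, 16));

	p = alloc_array_checked(n, 16);
	printf("checked allocation: %s\n", p ? "succeeded" : "refused");
	free(p);
	return 0;
}
```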

2 years ago video: tegra: host: fix possible overflow with num_syncpt_incrs
Deepak Nibade [Mon, 27 Jun 2016 08:33:15 +0000]
video: tegra: host: fix possible overflow with num_syncpt_incrs

We allocate below without checking if num_syncpt_incrs
is valid or not
struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs];

If UMD passes a negative value in num_syncpt_incrs, then
it is possible to corrupt the stack

Hence, first check if num_syncpt_incrs is valid (i.e.
not negative)
And then allocate the array dynamically using kzalloc
instead of allocating it on stack

Bug 1781393

Change-Id: I5389fd271149b457f63831a41c104c9814299ddf
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171747
(cherry picked from commit 07fb347b4060a888b19df3524f36fcf7974a79d1)
Reviewed-on: http://git-master/r/1172518
(cherry picked from commit 1db2d69b6abeb6fc9d4257db88f631d9c8aef74d)
Reviewed-on: http://git-master/r/1190211
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years ago video: tegra: hdmi: choose clk rate above 100MHz
Naveen Kumar S [Wed, 20 Jul 2016 11:17:05 +0000]
video: tegra: hdmi: choose clk rate above 100MHz

pll_d2 runs at a minimum of 100MHz on T124. Update logic
to choose parent clock rate more than 100MHz.
e.g.: A mode with 32MHz pclk chooses parent clock of
96MHz with a divider of 3.0, which fails as pll_d
can't be pulled below 100MHz.

bug 1785365

Change-Id: I12400549a3ed42295ddd46adcb6493232f2d896a
Signed-off-by: Naveen Kumar S <nkumars@nvidia.com>
Reviewed-on: http://git-master/r/1184235
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Aleksandr Frid <afrid@nvidia.com>
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

3 years ago ata: ahci_tegra: disable DIPM l4t/l4t-r21.5 tegra-l4t-r21.5
Preetham Chandru R [Tue, 23 Feb 2016 06:24:34 +0000]
ata: ahci_tegra: disable DIPM

DIPM is not a POR for Tegra AHCI Sata Controller

Bug 200087528

Change-Id: I5a742170177c9f57426f3756a8cfafefa88af92b
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Reviewed-on: http://git-master/r/1013776
(cherry picked from commit 7ebd3b1058491ee87686e9e731b79ecd914e00d9)
Reviewed-on: http://git-master/r/1031624
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

3 years ago platform: tegra: nvavp: fix for pre-decrement of clk_enabled cntr
Bhushan Rupde [Fri, 13 May 2016 09:00:19 +0000]
platform: tegra: nvavp: fix for pre-decrement of clk_enabled cntr

Bug 1729847

Change-Id: Ie455b0469a1d4e35453ca9e36c5e90dfdc6f56a2
Signed-off-by: Bhushan Rupde <brupde@nvidia.com>
Reviewed-on: http://git-master/r/1147432
Reviewed-by: Mohan Nimaje <mnimaje@nvidia.com>
Reviewed-by: Soumen Dey <sdey@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago video: tegra: host: Fix ch open error handling
Arto Merilainen [Tue, 10 May 2016 06:16:03 +0000]
video: tegra: host: Fix ch open error handling

In case kernel fails to open a channel (e.g. due to inability to
allocate hardware context or turn on the device), the channel open
function releases the resources that were already allocated
successfully.

However, currently the error path additionally calls the channel
release function for putting the channel pointer after the private
data structures have been freed - thereby causing use-after-free
memory usage.

This patch reworks error handling in channel open to release
channel without risking usage of already freed memory.

Bug 1763577

Change-Id: Ic7562e69f2babad653afc7a11e413701494a30b4
Signed-off-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-on: http://git-master/r/1148081
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

3 years ago video: tegra: host: check if offset is u32 aligned
Deepak Nibade [Fri, 11 Mar 2016 08:29:20 +0000]
video: tegra: host: check if offset is u32 aligned

In nvhost_ioctl_ctrl_module_regrdwr(), we copy offset
to read/write from user space but we do not have
any check on it

So it is possible for user space to add unaligned
offset and request read/write which would crash the
system

Fix this by explicitly checking alignment of the
offset passed by user space

Bug 1739935

Change-Id: Iea2a07c60500af876b732a0e9d9d08535aa53b5c
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1029405
(cherry picked from commit 422baa09a17a6a17f4e572aa5441ca174634de0d)
Reviewed-on: http://git-master/r/1123363
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago camera: tegra: Fix security vulnerability issue
Frank Chen [Fri, 25 Mar 2016 05:37:18 +0000]
camera: tegra: Fix security vulnerability issue

Deprecate outdated UPDATE_GPIO function in camera.pcl
driver. This function is not used by any code anymore
and is a security vulnerability since it is trying to
access user mode pointer directly.

Bug 1745102

Change-Id: I4e7e5f9c186f980dcadfe52ec4284102255f19cf
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1115302
(cherry picked from commit 2e5c355c904a19d71456a04c70f3fb4fc7d918b0)
Reviewed-on: http://git-master/r/1123362
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Tested-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago camera: tegra: Fix security vulnerability issue
Frank Chen [Mon, 21 Mar 2016 17:40:45 +0000]
camera: tegra: Fix security vulnerability issue

We need to validate power on/off function size passed
in from user mode in order to avoid integer overflow
or out of memory failures.

Bug 1745100

Change-Id: Idddd848f7dc1e864559ad219f9204325128484e5
Signed-off-by: Frank Chen <frankc@nvidia.com>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1114354
(cherry picked from commit 8b3afcc132882f3102083f9a24de7f55476ca59b)
Reviewed-on: http://git-master/r/1150944
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago media: tegra: camera: Fix stack overread
Amey Asgaonkar [Mon, 16 May 2016 23:33:15 +0000]
media: tegra: camera: Fix stack overread

We are not checking a variable which is user
controlled. This can lead to reading of the
stack data. Adding a check to ensure it is
less than the max possible value of the variable.

Bug 1763649

Change-Id: I395e882d030199bdd7684837906a9b5d60741650
Signed-off-by: Amey Asgaonkar <aasgaonkar@nvidia.com>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1150943
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago arm: tegra: new dvfs update for aging factor
Bibek Basu [Fri, 6 May 2016 10:08:26 +0000]
arm: tegra: new dvfs update for aging factor

Following support added
DVFS for Guaranteed freq considering aging
CPU freq limit at higher temperature
EDP max current limits for each SKU

Bug 200195229

Change-Id: If00f3fd6b891cf366047dda331bd7ab1c15b40f7
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1146577
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

3 years ago arm: tegra: emc dvfs selection based on ddr
Bibek Basu [Tue, 10 May 2016 10:31:17 +0000]
arm: tegra: emc dvfs selection based on ddr

select emc dvfs table based on DDR present
using RAMCODE

Bug 200195279

Change-Id: I7fbc693383c9e231b2c2119020eebc7bba544c6e
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1144528
Reviewed-by: Jimmy Zhang <jimmzhang@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

3 years ago arm: config: T124: L4T: systemd related configs
Ninad Malwade [Fri, 29 Apr 2016 06:55:48 +0000]
arm: config: T124: L4T: systemd related configs

Added kernel configurations to support
systemd functionality

boot.img size is increased by 69632 bytes

Bug 1731796

Change-Id: I4209fee15843ac645600500ed8c9fc37b7ff0c04
Signed-off-by: Ninad Malwade <nmalwade@nvidia.com>
Reviewed-on: http://git-master/r/1134828
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Rajkumar Kasirajan <rkasirajan@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago video: tegra: nvmap: Add ref count in nvmap_vma_list
Sri Krishna chowdary [Wed, 27 Apr 2016 04:14:15 +0000]
video: tegra: nvmap: Add ref count in nvmap_vma_list

Add ref count to prevent invalid vma removal from the h->vmas list
and also allow addition of a different vma which also has same
nvmap_vma_priv as vm_private_data into the h->vmas list. Both cases
are allowed in valid usage of nvmap_vma_open/nvmap_vma_close.

Bug 200164002

Change-Id: Ifc4d281dd91e1d072a9a3ee85e925040bd65a6bc
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Bryan Wu <pengw@nvidia.com>
Reviewed-on: http://git-master/r/1133708
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>

3 years ago [media] v4l: vb2-dma-contig: fix vb2_get_vma()
Sri Krishna chowdary [Tue, 12 Jan 2016 10:24:08 +0000]
[media] v4l: vb2-dma-contig: fix vb2_get_vma()

nvmap expects that same VMA is opened and closed to disallow
memory leaks. So, nvmap panics if a previously non-existent vma
is being closed through it.

Hence modify the sequence in vb2_get_vma() to
open the vma_copy before returning it. This way nvmap sees that
the vma_copy exists in its list and will close the vma.

Bug 200164002

Change-Id: I45dfb8ca710375a0e70d9802ebdcc9fd4d0b4600
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/931997
(cherry picked from commit bf1d15d8a879a599f9801310cecbbb61ea60e931)
Reviewed-on: http://git-master/r/1133707
Tested-by: Bryan Wu <pengw@nvidia.com>
Reviewed-by: Bryan Wu <pengw@nvidia.com>
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago media: tegra: nvavp: Fix reloc offset check
Somu Sundaram [Fri, 18 Mar 2016 07:22:59 +0000]
media: tegra: nvavp: Fix reloc offset check

- Check whether command buffer data offset is 32-bit
  aligned
- Check whether relocation offset is 32-bit aligned
  and calculated offset is within command buffer size
- Check whether target offset is 32-bit aligned
  and derived address is within target buffer size

Bug 1741516

Change-Id: Ie5370bc1538c8cf9a702904fb88eb850baeb063d
Signed-off-by: Somu Sundaram <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1113949
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Somu Sundaram <somasundarams@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago media: tegra: nvavp: Fix arbitrary kernel write
Somu Sundaram [Tue, 15 Mar 2016 13:01:57 +0000]
media: tegra: nvavp: Fix arbitrary kernel write

Add checks for command buffer offset, relocation
offset in command buffer and target offset for patching
relocation to prevent arbitrary kernel write

Bug 1741516

Change-Id: Ia6183ca75f983c0ede23606be9e5d824aa5fa41d
Signed-off-by: Somu Sundaram <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1111699
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Tested-by: Somu Sundaram <somasundarams@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
Ben Hutchings [Tue, 16 Jun 2015 21:11:06 +0000]
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic

pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not.  The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset.  This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9d58d ("new helper:
copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable.  This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.

CVE-2015-1805

Bug 1744232

References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 14f81062f365fa9e3839bb2a16862217b71a553c)
Change-Id: Ia5f97a4cfdaa2eb0e2a4974c2f04bc9a75934bd4
Reviewed-on: http://git-master/r/1111957
(cherry picked from commit e5bc77c0676277fd0b58ee469bd5638019a65d95)
Reviewed-on: http://git-master/r/1112337
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago media: tegra: nvavp: Fix heap overflow
Somasundaram S [Thu, 10 Mar 2016 12:03:11 +0000]
media: tegra: nvavp: Fix heap overflow

Increase NVAVP_MAX_RELOCATION_COUNT to max. possible value
and add check to return error if num_relocs in
nvavp_pushbuffer_submit_ioctl exceeds
NVAVP_MAX_RELOCATION_COUNT

Bug 1739930

Change-Id: Ief36cedd692aa53135fc6a0039b19f18609259dd
Signed-off-by: Somasundaram S <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1030885
Tested-by: Somu Sundaram <somasundarams@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago gpu: nvgpu: validate wait notification offset
Konsta Holtta [Tue, 8 Mar 2016 12:35:21 +0000]
gpu: nvgpu: validate wait notification offset

Make sure that the notification object fits within the supplied buffer.

Bug 1739182

Change-Id: Ifb66f848e3758438f37645be6f534f5b60260214
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026431
(cherry picked from commit 2484c47f123c717030aa00253446e8756e1a0807)
Reviewed-on: http://git-master/r/1030663
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Tested-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago gpu: nvgpu: validate error notifier offset
Konsta Holtta [Tue, 8 Mar 2016 11:58:11 +0000]
gpu: nvgpu: validate error notifier offset

Make sure that the notifier object fits within the supplied buffer.

Bug 1739183
Bug 1739932

Change-Id: I713574ce797ffc23cec10b5114f469dbadc68f1e
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026410
(cherry picked from commit f476b93eb19b962b8760457102448bd533efc54d)
Reviewed-on: http://git-master/r/1029379
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago video: tegra: host: validate error notifier offset
Konsta Holtta [Tue, 8 Mar 2016 11:56:19 +0000]
video: tegra: host: validate error notifier offset

Make sure that the notifier object fits within the supplied buffer.

Bug 1739183

Change-Id: Ifbf46eddea86bedf0236851ea1c3f73e5f820beb
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026409
(cherry picked from commit 4086d2137e9b51137aa335fa264d924c73dea5fc)
Reviewed-on: http://git-master/r/1029074
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Reviewed-by: Shridhar Rasal <srasal@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>

3 years ago watchdog: remove timeout setting in open call
Jeetesh Burman [Tue, 29 Dec 2015 09:59:40 +0000]
watchdog: remove timeout setting in open call

timeout should not be set as part of open call.
It should be set as part of Probe if watchdog enabled on
probe; otherwise timeout should be 0 since watchdog is not enabled.

Bug 200160105

Change-Id: I2bc0f35436dafd01d17e3ea2ec5459fd0d75af5a
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: http://git-master/r/927429
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago watchdog: enable TEGRA_WATCHDOG_ENABLE_ON_PROBE
Jeetesh Burman [Tue, 29 Dec 2015 12:01:11 +0000]
watchdog: enable TEGRA_WATCHDOG_ENABLE_ON_PROBE

enable TEGRA_WATCHDOG_ENABLE_ON_PROBE to set "timeout" in probe call

Bug 200160105

Change-Id: Ifcef77b3229acee821c5cdd2f31e449e010b9d2f
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: http://git-master/r/927464
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago tegra: ictlr: clear error status register
Bibek Basu [Tue, 8 Dec 2015 05:21:02 +0000]
tegra: ictlr: clear error status register

Clear error status register during init

Bug 1709814

Change-Id: I348526828015c84027b647bc728355ac9271a5fe
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/842868
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago ata: ahci: Enable 40 bit alignment detection
Preetham Chandru R [Mon, 26 Oct 2015 11:51:46 +0000]
ata: ahci: Enable 40 bit alignment detection

Bug 1694187

Change-Id: Idb8d95f0a7bc099989cc5b7b0bc97bf5cc896b32
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Reviewed-on: http://git-master/r/837972
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>

3 years ago video: tegra: host: Query vi/isp max clk-rate
Sudhir Vyas [Mon, 18 Aug 2014 13:59:58 +0000]
video: tegra: host: Query vi/isp max clk-rate

Query max vi/isp clk-rate runtime to calculate max BW.
Remove max-bw defines.

Bug 1538490
Bug 1695435

Change-Id: I86a5c22fa3c7c9582351bbe9a95776aaea6a613d
Signed-off-by: Sudhir Vyas <svyas@nvidia.com>
Reviewed-on: http://git-master/r/461278
(cherry picked from commit bbcd86c917430ceea1603e03964296ca4e26ac3a)
Reviewed-on: http://git-master/r/825139
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Tested-by: Frank Shi <fshi@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago media: tegra_camera: introduce 2 kthreads for capture
Bryan Wu [Thu, 15 Oct 2015 20:10:29 +0000]
media: tegra_camera: introduce 2 kthreads for capture

Use one kthread to start capture a frame and wait for next frame start.
Before waiting, it will move the current buffer to another queue which
will be handled by another kthread.

The second kthread (capture_done) will wait for memory output done sync
point event and handle the buffer to videobuffer2 framework as capture
done.

Bug 1686911

Change-Id: Ia092c708ecca3b2e7cbc657a96fd247ea4a00d2f
Signed-off-by: Bryan Wu <pengw@nvidia.com>
Reviewed-on: http://git-master/r/819177
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago media: tegra_camera: replace workqueue with kthread
Bryan Wu [Wed, 14 Oct 2015 18:52:57 +0000]
media: tegra_camera: replace workqueue with kthread

Use kthread instead of workqueue, which will create a dedicated kernel
thread for capture.

Remove useless mutex and convert spin_lock_irq() to normal spin_lock().

Bug 1686911

Change-Id: Ib236a7ebbdd0359f2705774a979825f1f9e9d82a
Signed-off-by: Bryan Wu <pengw@nvidia.com>
Reviewed-on: http://git-master/r/819176
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago media: tegra_camera: add line alignment check
Bryan Wu [Tue, 13 Oct 2015 19:47:09 +0000]
media: tegra_camera: add line alignment check

bytes_per_line should be 64 bytes aligned in Tegra. Add a function to
check that and return the right value for LINE_STRIDE register.

Bug 1694764

Change-Id: I1bb926a416719d19cad509f9a9a7c4fce06b851a
Signed-off-by: Bryan Wu <pengw@nvidia.com>
Reviewed-on: http://git-master/r/816975
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years ago usb: gadget: composite: Fix cdev null after rmmod
Peter Chiang [Fri, 25 Sep 2015 10:04:17 +0000]
usb: gadget: composite: Fix cdev null after rmmod

Avoid disconnecting the gadget again after unbinding

bug 200141741

Change-Id: I6fadcb4c5b5262d861a865f24ba2d8666e126923
Signed-off-by: Peter Chiang <pchiang@nvidia.com>
Reviewed-on: http://git-master/r/805175
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Hui Fu <hfu@nvidia.com>
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>