2 years ago  ARM64: config: tegra21: Disable ION memory
Gagan Grover [Wed, 29 Mar 2017 10:10:29 +0000]
ARM64: config: tegra21: Disable ION memory

ION memory is not needed for Android.
Disabling it for ATV.

boot.img size not changed.

Bug 1849492

Change-Id: I6896a5a8bd5bfac73a9a5885077556659287926a
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1330590
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Sri Krishna Chowdary <schowdary@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>

2 years ago  video: tegra: nvmap: fix time-of-check, time-of-use vulnerability
Sri Krishna chowdary [Sat, 25 Feb 2017 19:02:47 +0000]
video: tegra: nvmap: fix time-of-check, time-of-use vulnerability

Validate the region specified by offset and size before performing
the operations like nvmap_prot_handle, nvmap_cache_maint and nvmap_handle_mk*.
This validation of offset and size once the values are in local variables
guarantees that even though user space changes the values in user buffers,
nvmap continues to perform operations with the contents that are validated.
Fixes Google Bug 34113000.

Bug 1862379
Bug 1880033

Change-Id: I32786d26c269a95122fbaf0b91d6d090cba7388e
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1298712
(cherry picked from commit f45441da608d8015ece73d253d4bdb48863f99e2)
Reviewed-on: http://git-master/r/1311631
(cherry picked from commit 22168ee3a52622c20ca8480de82102fb08119193)
Reviewed-on: http://git-master/r/1455425
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>
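The pattern this fix describes, as an added example that is not nvmap's code: the ioctl argument block is copied out of user memory exactly once, the local copy is range-checked with a comparison that cannot wrap, and only the local copy is used afterwards. The struct layout, the function names and the callback that stands in for a concurrent user-space writer are assumptions made for the example; the racy shape keeps reading through the user pointer after the check, which is what lets a second thread change offset and size between check and use.

```c
/* Added example, not nvmap's code: copy a user-supplied {offset, size}
 * pair once, validate the local copy, and operate only on that copy. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical ioctl argument layout (an assumption, not nvmap's struct). */
struct region_args {
    uint32_t offset;
    uint32_t size;
};

/* Stand-in for copy_from_user(): the single point at which user memory is
 * read in the fixed shape. Returns 0 on success. */
static int copy_args_from_user(struct region_args *dst, const struct region_args *user_src)
{
    if (!user_src)
        return -EFAULT;
    memcpy(dst, user_src, sizeof(*dst));
    return 0;
}

/* Overflow-safe check that [offset, offset + size) lies inside a handle of
 * handle_size bytes. It never computes offset + size, so a huge offset
 * cannot wrap the sum back into range. */
static bool region_in_bounds(uint32_t offset, uint32_t size, uint32_t handle_size)
{
    if (size == 0)
        return false;
    if (offset > handle_size)
        return false;
    return size <= handle_size - offset;
}

/* Vulnerable shape: validates through the user pointer, then re-reads the
 * user pointer when doing the work. 'racer' simulates another thread that
 * runs between the two reads (time-of-check / time-of-use). */
static int op_toctou(struct region_args *user_args, uint32_t handle_size,
                     void (*racer)(struct region_args *), uint32_t *used_size)
{
    if (!region_in_bounds(user_args->offset, user_args->size, handle_size))
        return -EINVAL;
    if (racer)
        racer(user_args);
    *used_size = user_args->size;   /* second read: no longer the validated value */
    return 0;
}

/* Fixed shape: one copy, validate the copy, use the copy. */
static int op_fixed(struct region_args *user_args, uint32_t handle_size,
                    void (*racer)(struct region_args *), uint32_t *used_size)
{
    struct region_args a;
    int err = copy_args_from_user(&a, user_args);
    if (err)
        return err;
    if (!region_in_bounds(a.offset, a.size, handle_size))
        return -EINVAL;
    if (racer)
        racer(user_args);           /* user memory changes, the local copy does not */
    *used_size = a.size;
    return 0;
}

/* Constructed "concurrent writer": enlarges size after the check has passed. */
static void grow_size(struct region_args *a)
{
    a->size = 0xFFFFFFFFu;
}
```

The bounds check is the part worth copying: `offset <= handle_size && size <= handle_size - offset` rejects the wrapped case that `offset + size <= handle_size` would accept when the sum overflows the 32-bit type.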

2 years ago  video: tegra: nvmap: Fix NULL pointer dereference issues
Sri Krishna chowdary [Wed, 14 Dec 2016 06:28:30 +0000]
video: tegra: nvmap: Fix NULL pointer dereference issues

Consider the following case:
1. NVMAP_IOC_CREATE on IOVMM gives a valid fd to user space
2. user space does not call NVMAP_IOC_ALLOC.
3. user space calls a client driver IOCTL which calls dma_buf_map_attachment
4. call to dma_buf_map_attachment propagates till __nvmap_sg_table
   which has heap_pgalloc as true and tries to access pages[]
   which has all NULL.
5. Similarly, a dma_buf_kmap() can result in __nvmap_kmap() being called
   which again results in NULL dereference if pages[] is accessed.

A valid __nvmap_sg_table should occur only when h->alloc is true.
So, add check for it.

Bug 1838597

Change-Id: I400d9d8a94ff1003db207fc9c252b9256d796f60
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1270827
(cherry picked from commit 928dc0a9fdc3f2f507dbc08ed4d54d0292fd4d9e)
Reviewed-on: http://git-master/r/1313777
(cherry picked from commit 9ae4f6fbb844760b4e6b34a25c4fb8178420dabb)
Reviewed-on: http://git-master/r/1455402
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  net: wireless: bcmdhd: remove unused WEXT file.
Insun Song [Wed, 4 Jan 2017 00:21:01 +0000]
net: wireless: bcmdhd: remove unused WEXT file.

WEXT API was already obsoleted and should be removed.

Bug: 32124445
CVE-2017-0509 A-32124445
Bug 1880704

Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1310286
(cherry picked from commit 8c671aeb5f013590c58d7a5c7d4456e30fddcba3)
Reviewed-on: http://git-master/r/1330544
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  CHROMIUM: usb: gadget: configfs: Fix KASAN use-after-free
Jim Lin [Mon, 27 Feb 2017 11:33:06 +0000]
CHROMIUM: usb: gadget: configfs: Fix KASAN use-after-free

When gadget is disconnected, running sequence is like this.
. android_work: sent uevent USB_STATE=DISCONNECTED
. Call trace:
  usb_string_copy+0xd0/0x128
  gadget_config_name_configuration_store+0x4
  gadget_config_name_attr_store+0x40/0x50
  configfs_write_file+0x198/0x1f4
  vfs_write+0x100/0x220
  SyS_write+0x58/0xa8
. configfs_composite_unbind
. configfs_composite_bind

In configfs_composite_bind, it has
"cn->strings.s = cn->configuration;"

When usb_string_copy is invoked, it would
allocate memory, copy input string, release previous pointed memory space,
and use new allocated memory.

When gadget is connected, host sends down request to get information.
Call trace:
  usb_gadget_get_string+0xec/0x168
  lookup_string+0x64/0x98
  composite_setup+0xa34/0x1ee8
  android_setup+0xb4/0x140

If gadget is disconnected and connected quickly, in the failed case,
cn->configuration memory has been released by usb_string_copy kfree but
configfs_composite_bind hasn't been run in time to assign new allocated
"cn->configuration" pointer to "cn->strings.s".

When "strlen(s->s)" of usb_gadget_get_string is being executed, the dangling
memory is accessed, "BUG: KASAN: use-after-free" error occurs.

BUG=chrome-os-partner:58412
TEST=After smaug device was connected to ubuntu PC host, detached and attached
type-C cable quickly several times without seeing
"BUG: KASAN: use-after-free in usb_gadget_get_string".

CVE-2017-0537 A-31614969
Bug 1880704

Bug: 31614969
Change-Id: I58240ee7c55ae8f8fb8597d14f09c5ac07abb032
Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311872
(cherry picked from commit b0eda88ead4f9269a8697d963628050d7e6b88a3)
Reviewed-on: http://git-master/r/1313689
(cherry picked from commit f2e1288a22d6e2eadf52ccb0b0dd1387cb8ef74e)
Reviewed-on: http://git-master/r/1455430
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
Eric Dumazet [Fri, 2 Dec 2016 17:44:53 +0000]
net: avoid signed overflows for SO_{SND|RCV}BUFFORCE

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Bug 1880704

Change-Id: I26b2411b5a5fd532fa8c02e2c68d0ec9acb784b1
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311861
(cherry picked from commit f459cad9a16059c8dbebb9a092ae172ea4a86235)
Reviewed-on: http://git-master/r/1314069
(cherry picked from commit 59df690ce8a50ea463e93ecc65dd897833cc54ad)
Reviewed-on: http://git-master/r/1455429
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>
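As an added example (a reconstruction, not the kernel's sock.c diff), the arithmetic behind this fix: the pre-fix shape doubled val, compared the result as a u32 against the minimum, and stored it into the int sk_sndbuf, so a large positive or a negative val ended up as a negative buffer size; the fixed shape rejects negative values on the FORCE path and clamps val to INT_MAX / 2 before doubling, so the product always fits. SOCK_MIN_SNDBUF here is a stand-in constant chosen for the example.

```c
/* Added example, not net/core/sock.c: why SO_{SND|RCV}BUFFORCE needed both a
 * negative-value check and a clamp before "val * 2". */
#include <errno.h>
#include <limits.h>

#define SOCK_MIN_SNDBUF 2048   /* assumption: stands in for the kernel constant */

static int max_int(int a, int b) { return a > b ? a : b; }
static int min_int(int a, int b) { return a < b ? a : b; }

/* Pre-fix shape: max(val * 2, SOCK_MIN_SNDBUF) evaluated as u32, stored in an
 * int. The doubling is done in unsigned arithmetic here so the example has no
 * undefined behaviour; the bit pattern is the same one a wrapping signed
 * multiply produces. */
static int sndbuf_vulnerable(int val)
{
    unsigned int doubled = (unsigned int)val * 2u;
    unsigned int chosen = doubled > SOCK_MIN_SNDBUF ? doubled : SOCK_MIN_SNDBUF;
    return (int)chosen;   /* sk_sndbuf is an int: 0xFFFFFFFE becomes -2 */
}

/* Fixed shape: reject negative input, clamp so doubling cannot overflow,
 * then compare as int. Returns 0 and writes *sndbuf, or -EINVAL. */
static int sndbuf_fixed(int val, int *sndbuf)
{
    if (val < 0)
        return -EINVAL;                       /* the new FORCE-path check */
    val = min_int(val, INT_MAX / 2);          /* val * 2 <= INT_MAX - 1 */
    *sndbuf = max_int(val * 2, SOCK_MIN_SNDBUF);
    return 0;
}
```

A negative sk_sndbuf passes every "space left" comparison in the transmit path as if the buffer were unlimited, which is why the commit lists memory corruption and OOM among the consequences.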

2 years ago  packet: fix race condition in packet_set_ring
Philip Pettersson [Wed, 30 Nov 2016 22:55:36 +0000]
packet: fix race condition in packet_set_ring

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Bug 1880704

Change-Id: I22d2920ff6c26877f671908ea683468aed693fec
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311860
(cherry picked from commit 41db91bad41df89ba1e8b3d32f935130f71ac78e)
Reviewed-on: http://git-master/r/1314068
(cherry picked from commit b4db8ee7615291eeb622024f5c3e9175bcea6d50)
Reviewed-on: http://git-master/r/1455428
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
Guillaume Nault [Fri, 18 Nov 2016 21:13:00 +0000]
l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()

Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
Without lock, a concurrent call could modify the socket flags between
the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
would then leave a stale pointer there, generating use-after-free
errors when walking through the list or modifying adjacent entries.

BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
Write of size 8 by task syz-executor/10987
CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
 ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
 ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<     inline     >] print_address_description mm/kasan/report.c:194
 [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [<     inline     >] kasan_report mm/kasan/report.c:303
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<     inline     >] __write_once_size ./include/linux/compiler.h:249
 [<     inline     >] __hlist_del ./include/linux/list.h:622
 [<     inline     >] hlist_del_init ./include/linux/list.h:637
 [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
 [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
 [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
 [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 10987
 [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
 [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
 [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
 [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708
 [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716
 [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
 [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
 [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
 [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
 [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193
 [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223
 [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
 [ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10987
 [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352
 [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
 [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951
 [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369
 [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
 [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
 [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
 [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
 [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
 [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
 [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
 [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
 [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
 [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [ 1116.897025] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

==================================================================

The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.

Bug 1880704

Change-Id: I74188f62fd6f46aa4dcf057009c5ed086c20342a
Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311851
(cherry picked from commit 8038d929e8e2e116740a50c1f6d073547f9d27b7)
Reviewed-on: http://git-master/r/1330548
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
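The l2tp fix above and the packet_set_ring fix before it have the same shape: a state check made before the socket lock is taken, so a second caller can slip in between the check and the lock. As an added example that is not l2tp's or af_packet's code, the race is reproduced deterministically below: a callback stands in for the other thread and is invoked at the point where the real code can be preempted. The struct fields, lock_sock/release_sock stand-ins and function names are assumptions for the example.

```c
/* Added example, not kernel code: "check the flag, then lock" versus
 * "lock, then check the flag", driven by a callback that plays the
 * concurrent thread so the outcome is reproducible without real threads. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Minimal stand-in for the socket fields involved (names are assumptions). */
struct sock {
    bool zapped;        /* SOCK_ZAPPED: socket not yet in the bind table */
    bool locked;        /* lock_sock() currently held */
    int  bind_count;    /* times inserted into the bind table; must stay <= 1 */
};

static void lock_sock(struct sock *sk)    { sk->locked = true; }
static void release_sock(struct sock *sk) { sk->locked = false; }

/* Runs where the real code can be preempted; stands in for the other thread. */
typedef void (*preempt_hook)(struct sock *sk);

/* Pre-fix shape: the flag is tested before the lock is taken. */
static int bind_racy(struct sock *sk, preempt_hook other_thread)
{
    if (!sk->zapped)                /* check, unlocked */
        return -EINVAL;
    if (other_thread)
        other_thread(sk);           /* window: another bind() completes here */
    lock_sock(sk);
    sk->bind_count++;               /* insert into bind table, possibly a second time */
    sk->zapped = false;
    release_sock(sk);
    return 0;
}

/* Fixed shape: the flag is tested with the lock held, so whichever caller
 * locks first wins and the other sees zapped == false. The other thread can
 * only make progress before we lock, so the hook runs there. */
static int bind_fixed(struct sock *sk, preempt_hook other_thread)
{
    int ret = -EINVAL;
    if (other_thread)
        other_thread(sk);
    lock_sock(sk);
    if (!sk->zapped)
        goto out;
    sk->bind_count++;
    sk->zapped = false;
    ret = 0;
out:
    release_sock(sk);
    return ret;
}

/* Constructed "other thread": a concurrent bind() on the same socket. A real
 * thread would block on lock_sock(), so it only proceeds when unlocked. */
static void other_binder_racy(struct sock *sk)
{
    if (!sk->locked)
        (void)bind_racy(sk, NULL);
}

static void other_binder_fixed(struct sock *sk)
{
    if (!sk->locked)
        (void)bind_fixed(sk, NULL);
}
```

With the racy shape the socket lands in the bind table twice; when it is later released only one entry is unlinked, and the stale one is the pointer the KASAN report above is walking.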

2 years ago  netlink: Fix dump skb leak/double free
Herbert Xu [Mon, 16 May 2016 09:28:16 +0000]
netlink: Fix dump skb leak/double free

When we free cb->skb after a dump, we do it after releasing the
lock.  This means that a new dump could have started in the time
being and we'll end up freeing their skb instead of ours.

This patch saves the skb and module before we unlock so we free
the right memory.

Bug 1880704

Change-Id: I99a013d97bbbb793ebc0a196cd0e35ec198e3cb1
Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311849
(cherry picked from commit 2605cb0c4277297fdcab1257f796d623f649235f)
Reviewed-on: http://git-master/r/1330547
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  android: fiq_debugger: restrict access to critical commands.
Mark Salyzyn [Mon, 27 Feb 2017 09:13:25 +0000]
android: fiq_debugger: restrict access to critical commands.

Sysrq must be enabled via /proc/sys/kernel/sysrq as a security
measure to enable various critical fiq debugger commands that
either leak information or can be used as a system attack.

Default disabled, this will leave the reboot, reset, irqs, sleep,
nosleep, console and ps commands.  Reboot and reset commands
will be restricted from taking any parameters.  We will also
switch to showing the limited command set in this mode.

CVE-2017-0510 A-32402555
Bug 1880704

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 32402555
Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311806
(cherry picked from commit a079fb27cbb54535e3aa68429d3928dc3d1d8b5b)
Reviewed-on: http://git-master/r/1330545
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  video: tegra: host: Fix overflow issue allocation
Mikko Perttunen [Fri, 27 Jan 2017 07:32:20 +0000]
video: tegra: host: Fix overflow issue allocation

Change kmalloc to kmalloc_array to prevent overflow issues
caused by large values supplied by the user.

Based on "video: tegra: host: Fix overflow issues in allocation"
in nvhost/.

Coverity ID 27942
Bug 1856419

Change-Id: I5e96d0ec184543782dfe8814ad7e856b3b71221c
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1295053
(cherry picked from commit 66adb8e35e0ad0d5ce383996fcc8bad3be8821f5)
Reviewed-on: http://git-master/r/1330541
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
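What kmalloc_array adds over a bare kmalloc(n * size), as an added example that is not nvhost's code: the product is checked before it reaches the allocator, so a user-chosen count that makes n * size wrap yields NULL instead of a small allocation that the caller will then index n times. The check is the portable `n > SIZE_MAX / size` form; the handler name and its argument are assumptions for the example.

```c
/* Added example, not nvhost's code: overflow-checked array allocation in the
 * spirit of kmalloc_array(), beside the wrapped size a bare multiply yields. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* True when n * size cannot be represented in size_t. */
static bool product_wraps(size_t n, size_t size)
{
    return size != 0 && n > SIZE_MAX / size;
}

/* The byte count an unchecked kmalloc(n * size) would have asked for.
 * Unsigned wraparound is defined: the result is n * size mod 2^bits. */
static size_t wrapped_request(size_t n, size_t size)
{
    return n * size;
}

/* Returns NULL on overflow as well as on exhaustion, like kmalloc_array(). */
static void *alloc_array_checked(size_t n, size_t size)
{
    if (product_wraps(n, size))
        return NULL;
    return malloc(n * size);
}

/* Hypothetical handler for an element count that arrives from user space. */
static int build_table(size_t user_count, uint32_t **table_out)
{
    uint32_t *t = alloc_array_checked(user_count, sizeof(*t));
    if (!t)
        return -ENOMEM;      /* covers both the wrap case and real exhaustion */
    *table_out = t;
    return 0;
}
```

The instructive value is in `wrapped_request`: a count of SIZE_MAX / 4 + 1 with 8-byte elements wraps to exactly 0 bytes, and an allocator handed 0 (or any other small number) returns a pointer the caller then writes past on its first few iterations.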

2 years ago  cifs: Missing files in mount
Patrick Horng [Sat, 25 Feb 2017 01:11:03 +0000]
cifs: Missing files in mount

Missing files were caused by EINVAL from filldir64
during cifs_filldir when revalidating the inode.

Bug 1834380

Change-Id: Ia0c8e7a72f4b9b810c9f1c15d3190d42fcf5fd8c
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1311307
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()
Greg Hackmann [Mon, 23 Jan 2017 09:41:30 +0000]
net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()

Bug: 32838767
Bug 1858126
CVE-2017-0430 (A-32838767)

Change-Id: I3676556002c3bc63762919e540f68d13959b2af4
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1292382
(cherry picked from commit 2a408e9f998e0013906c58f7a2314bacf47ec672)
Reviewed-on: http://git-master/r/1299528
(cherry picked from commit 088ac085161e19efa60fddb9c20bd1e838c8f5e3)
Reviewed-on: http://git-master/r/1311425
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()
Greg Hackmann [Mon, 16 Jan 2017 12:30:19 +0000]
net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()

Bug: 32838767
Bug 1858126
CVE-2017-0430 (A-32838767)

Change-Id: I987b07c30b3ed76865a002e7c154a5fa36b1bf29
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285925
(cherry picked from commit bc90cd7f96782e30db3bc3a82d7f20efae9ea78e)
Reviewed-on: http://git-master/r/1299526
(cherry picked from commit 9f5ee0dfa24f656ff6e49b5909bdaeae088d59fa)
Reviewed-on: http://git-master/r/1311424
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  net: wireless: bcmdhd: fix buffer overrun in private command path
Insun Song [Sun, 29 Jan 2017 10:48:08 +0000]
net: wireless: bcmdhd: fix buffer overrun in private command path

Buffer overrun case found when the length parameter is manipulated.

1. If the input parameter buffer length is less than 4k,
then allocate 4k by default. It helps to get enough margin
for the output string being overwritten.

2. added additional length check not to override user space
allocated buffer size.

Bug 1849492

Change-Id: I586ad7aed3fce24264d520f5257e2833d4e57159
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1295708
(cherry picked from commit 1402382883c9f6793630d6abe6f424a354771980)
Reviewed-on: http://git-master/r/1298474
(cherry picked from commit 347ad09ee15929eb3e7b79b82855c6aea74418d3)
Reviewed-on: http://git-master/r/1311414
GVS: Gerrit_Virtual_Submit
Reviewed-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  media: tegra: nvavp: Fix UAF issue.
Jitendra Kumar [Thu, 27 Oct 2016 08:35:00 +0000]
media: tegra: nvavp: Fix UAF issue.

Use locking to protect generated fd, so that it can't be
freed before channel open completes. Also add null value checks
in release call.

CVE-2016-8449 (A-31798848)
Bug 1830023
Bug 1849492

Change-Id: Ie6e2b29c7132fdfdff6b0bfa75440bd43afffd5f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285817
(cherry picked from commit 2ff0fdedfd65f269359d6540df4662e958681aa7)
Reviewed-on: http://git-master/r/1299505
(cherry picked from commit ea1af2ce5a746bda36205357c9e0adaf527026bb)
Reviewed-on: http://git-master/r/1311418
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  video: tegra: host: use lock to get syncpt name
Gagan Grover [Tue, 22 Nov 2016 10:13:19 +0000]
video: tegra: host: use lock to get syncpt name

Use the sp->syncpt_mutex lock to get the syncpt name in
syncpt_name_show().
Without the lock, it is possible for the user to read the
syncpt name in a corrupted state if the user read
coincides with the syncpt free.

Bug 1838598
Bug 1858126

Change-Id: I69ca5c1d80adaca4b93a337fe4a5debeb78f34fc
Reviewed-on: http://git-master/r/1252580
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1258020
(cherry picked from commit 9a7d12e49ca6c627dff2dc4c15fa9ba153e9265d)
Reviewed-on: http://git-master/r/1270244
(cherry picked from commit bcfa618cda62fd56ee30676ed7ee62a7b0b942cd)
Reviewed-on: http://git-master/r/1311427
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  BACKPORT: aio: mark AIO pseudo-fs noexec
Nick Desaulniers [Mon, 16 Jan 2017 12:58:30 +0000]
BACKPORT: aio: mark AIO pseudo-fs noexec

This ensures that do_mmap() won't implicitly make AIO memory mappings
executable if the READ_IMPLIES_EXEC personality flag is set.  Such
behavior is problematic because the security_mmap_file LSM hook doesn't
catch this case, potentially permitting an attacker to bypass a W^X
policy enforced by SELinux.

I have tested the patch on my machine.

To test the behavior, compile and run this:

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sys/personality.h>
    #include <linux/aio_abi.h>
    #include <err.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/syscall.h>

    int main(void) {
        personality(READ_IMPLIES_EXEC);
        aio_context_t ctx = 0;
        if (syscall(__NR_io_setup, 1, &ctx))
            err(1, "io_setup");

        char cmd[1000];
        sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
            (int)getpid());
        system(cmd);
        return 0;
    }

In the output, "rw-s" is good, "rwxs" is bad.

Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a)

Bug: 31711619
Bug 1858126
CVE-2016-10044 (A-31711619)

Change-Id: I9f2872703bef240d6b82320c744529459bb076dc
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285940
(cherry picked from commit b552c94fbcad36a52973a1141adafbe351b75b90)
Reviewed-on: http://git-master/r/1299533
(cherry picked from commit 79d1f35c10e5438fbb441cd1524b02cda377e04f)
Reviewed-on: http://git-master/r/1311426
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  fs/proc/array.c: make safe access to group_leader
Adrian Salido [Mon, 16 Jan 2017 11:56:05 +0000]
fs/proc/array.c: make safe access to group_leader

As mentioned in commit 52ee2dfdd4f51cf422ea6a96a0846dc94244aa37
("pids: refactor vnr/nr_ns helpers to make them safe"), the *_nr_ns
helpers used to be buggy. The commit addresses most of the helpers but
is missing task_tgid_xxx().

Without this protection there is a possible use after free reported by
kasan instrumented kernel:

==================================================================
BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
Read of size 8 by task cat/2472
CPU: 1 PID: 2472 Comm: cat Tainted: ****
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c
[<ffffffc00020aec0>] show_stack+0x18/0x24
[<ffffffc0011573d0>] dump_stack+0x94/0x100
[<ffffffc0003c7dc0>] kasan_report+0x308/0x554
[<ffffffc0003c7518>] __asan_load8+0x20/0x7c
[<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44
[<ffffffc00046951c>] proc_pid_status+0x444/0x1080
[<ffffffc000460f60>] proc_single_show+0x8c/0xdc
[<ffffffc0004081b0>] seq_read+0x2e8/0x6f0
[<ffffffc0003d1420>] vfs_read+0xd8/0x1e0
[<ffffffc0003d1b98>] SyS_read+0x68/0xd4

By accessing group_leader while holding rcu_lock and using the now-safe
helpers introduced in the commit mentioned, this race condition is
addressed.

Bug: 31495866
Bug 1858126
CVE-2017-0427 (A-31495866)

Signed-off-by: Adrian Salido <salidoa@google.com>
Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285902
(cherry picked from commit 3367b633042dcc778642f95cd0b3acd6c3a0a0fe)
Reviewed-on: http://git-master/r/1299523
(cherry picked from commit d6b8dd489f260d69473e03609b2ac637a3a75201)
Reviewed-on: http://git-master/r/1311423
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  video: tegra: nvmap: fix nvmap create handle vulnerability
skadamati [Thu, 15 Dec 2016 11:23:22 +0000]
video: tegra: nvmap: fix nvmap create handle vulnerability

Handle the race condition between malicious fd close and
copy_to_user error, which can create use after free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to use after free condition.
Fixing Google Bug 32160775.

Bug 1835857
Bug 200260161
Bug 1849492
Bug 1825283
CVE-2016-8424 (A-31606947)

Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Reviewed-on: http://git-master/r/1248391
(cherry picked from commit c26f2a34c189bef2d99740a420b2ab4023d912c0)
Reviewed-on: http://git-master/r/1273324
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285852
(cherry picked from commit b1513dff2b4bd35d1b400645642bce8dcf3c96c7)
Reviewed-on: http://git-master/r/1299501
(cherry picked from commit 3993b1f51cd24e93b460d24b2659f0c7a6c6cf8a)
Reviewed-on: http://git-master/r/1311422
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  video: tegra: nvmap: Fix OOB vulnerability
Sagar Kadamati [Tue, 6 Dec 2016 06:08:01 +0000]
video: tegra: nvmap: Fix OOB vulnerability

Check all pages' parameters before reserving pages.

Bug 1831426
Bug 200247013
Bug 1849492
CVE-2016-8428 (A-31993456)

Manual port: http://git-psac/r/9287

(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)

Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Reviewed-on: http://git-master/r/1273326
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285872
(cherry picked from commit 0a44c684a3bdad4d25d0c5a89e04170196e12ff6)
Reviewed-on: http://git-master/r/1299504
(cherry picked from commit e124868998c604716d0ece1a0cb7e187db4adb18)
Reviewed-on: http://git-master/r/1311421
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  KEYS: Fix short sprintf buffer in /proc/keys show function
David Howells [Wed, 26 Oct 2016 14:01:54 +0000]
KEYS: Fix short sprintf buffer in /proc/keys show function

This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:

(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.

The panic incurred looks something like:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
 ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
 [<ffffffff813d941f>] dump_stack+0x63/0x84
 [<ffffffff811b2cb6>] panic+0xde/0x22a
 [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
 [<ffffffff81350410>] ? key_validate+0x50/0x50
 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
 [<ffffffff8126b31c>] seq_read+0x2cc/0x390
 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
 [<ffffffff81244fc7>] __vfs_read+0x37/0x150
 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
 [<ffffffff81246156>] vfs_read+0x96/0x130
 [<ffffffff81247635>] SyS_read+0x55/0xc0
 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

CVE-2016-7042
Bug 1849492

Change-Id: I5117ab6175297f657a498fd2140080c7595b3a10
Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285745
(cherry picked from commit 7c1dcda59f88a1dec328afd398a9d9465fb44084)
Reviewed-on: http://git-master/r/1299506
(cherry picked from commit abd6568565c92f5246345f6195f2142ff2abf7ad)
Reviewed-on: http://git-master/r/1311420
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
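The sizing argument in the commit above, carried through in code as an added example that is not the kernel's security/keys/proc.c: the timeout column is rendered in seconds, minutes, hours, days or weeks, and the widest possible value is a 64-bit count of weeks, 14 digits plus the unit letter plus NUL, which is 16 bytes. The helper below returns the snprintf() length so the caller can tell whether a given buffer size would have been overrun by the unchecked sprintf(); the buffer-size constants and function names are assumptions for the example.

```c
/* Added example, not the kernel's proc_keys_show(): render a key timeout the
 * way /proc/keys does and measure how much buffer the widest value needs. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XBUF_OLD 12   /* assumption: the pre-fix size, 11 chars + NUL */
#define XBUF_NEW 16   /* 14-digit week count + unit letter + NUL */

/* Renders a remaining lifetime in seconds as "<n>s|m|h|d|w". Returns the
 * length the full rendering needs (excluding NUL), exactly like snprintf(),
 * so a return value >= outlen means the output was truncated. */
static int render_timeout(char *out, size_t outlen, uint64_t timo)
{
    if (timo < 60)
        return snprintf(out, outlen, "%llus", (unsigned long long)timo);
    if (timo < 60 * 60)
        return snprintf(out, outlen, "%llum", (unsigned long long)(timo / 60));
    if (timo < 60 * 60 * 24)
        return snprintf(out, outlen, "%lluh", (unsigned long long)(timo / (60 * 60)));
    if (timo < 60 * 60 * 24 * 7)
        return snprintf(out, outlen, "%llud", (unsigned long long)(timo / (60 * 60 * 24)));
    return snprintf(out, outlen, "%lluw", (unsigned long long)(timo / (60 * 60 * 24 * 7)));
}

/* 1 if an unchecked sprintf() of this value into a buffer of 'bufsize' bytes
 * would run past its end (rendering + NUL does not fit), 0 otherwise. */
static int would_overrun(size_t bufsize, uint64_t timo)
{
    char scratch[32];                                   /* wide enough for any u64 rendering */
    int need = render_timeout(scratch, sizeof scratch, timo);
    return (size_t)need + 1 > bufsize;
}
```

The 32-bit case explains why the old buffer survived for so long: UINT32_MAX seconds is 7101 weeks, six bytes with NUL, so the overrun only appears once the timeout field is 64 bits wide.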

2 years ago  perf: don't leave group_entry on sibling list(use-after-free)
John Dias [Mon, 16 Jan 2017 08:22:04 +0000]
perf: don't leave group_entry on sibling list(use-after-free)

When perf_group_detach is called on a group leader,
it should empty its sibling list. Otherwise, when
a sibling is later deallocated, list_del_event()
removes the sibling's group_entry from its current
list, which can be the now-deallocated group leader's
sibling list (use-after-free bug).

Bug: 32402548

CVE-2017-0403 (A-32402548)
Bug 1849492

Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285800
(cherry picked from commit a5dc2d079ba88bba5dc78484d4820842af65d656)
Reviewed-on: http://git-master/r/1299508
(cherry picked from commit 8dae5d362123d37d29552b5a9ed89c7dbfe3dd55)
Reviewed-on: http://git-master/r/1311419
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  ALSA: info: Check for integer overflow in snd_info_entry_write()
Siqi Lin [Mon, 16 Jan 2017 08:28:01 +0000]
ALSA: info: Check for integer overflow in snd_info_entry_write()

snd_info_entry_write() resizes the buffer with an unsigned long
size argument that gets truncated because resize_info_buffer()
takes the size parameter as an unsigned int. On 64-bit kernels,
this causes the following copy_to_user() to write out-of-bounds
if (pos + count) can't be represented by an unsigned int.

Bug: 32510733

CVE-2017-0404 (A-32510733)
Bug 1849492

Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23
Signed-off-by: Siqi Lin <siqilin@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285802
(cherry picked from commit 080aad52eb18b8f622676063334f105a77f6cf58)
Reviewed-on: http://git-master/r/1299509
(cherry picked from commit 935b76652a88fd9906eefea1030c051613310f64)
Reviewed-on: http://git-master/r/1311417
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
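The truncation described in the commit message above, as an added example that is not code from the kernel or from this tree. resize_info_buffer_stub() is a hypothetical stand-in for the kernel's resize_info_buffer() (it only keeps the narrowing parameter type); the 64-bit kernel's unsigned long is modelled as uint64_t so the arithmetic behaves the same on any host, and the offsets and counts are constructed values:

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical stand-in for the kernel's resize_info_buffer(): the only
 * property kept is that it takes the new size as a 32-bit unsigned int.
 * Returns the size the buffer would be grown to. */
static uint32_t resize_info_buffer_stub(uint32_t size)
{
    return size;
}

/* Unfixed caller flow: pos + count is computed in 64 bits (unsigned long on
 * a 64-bit kernel) and handed to a callee that only sees the low 32 bits.
 * Returns the allocation size that actually results. */
uint64_t buggy_resize_size(uint64_t pos, uint64_t count)
{
    uint64_t need = pos + count;
    return resize_info_buffer_stub((uint32_t)need);   /* silent truncation */
}

/* Guarded flow: reject a request that would wrap in 64 bits or that does
 * not fit the callee's parameter type. Returns -1 when rejected, otherwise
 * the resulting allocation size (which then always fits in 32 bits). */
int64_t checked_resize_size(uint64_t pos, uint64_t count)
{
    uint64_t need;
    if (count > UINT64_MAX - pos)       /* pos + count would wrap */
        return -1;
    need = pos + count;
    if (need > UINT32_MAX)              /* would be truncated by the callee */
        return -1;
    return (int64_t)resize_info_buffer_stub((uint32_t)need);
}

/* Does copying count bytes at offset pos overrun a buffer of bufsize bytes?
 * Written without forming pos + count, so the check itself cannot wrap. */
bool copy_overruns(uint64_t pos, uint64_t count, uint64_t bufsize)
{
    return pos > bufsize || count > bufsize - pos;
}
```

With pos = 4 GiB and count = 16, buggy_resize_size() grows the buffer to 16 bytes, so the copy that follows lands entirely past the allocation; checked_resize_size() refuses the same request before any copy happens.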

2 years ago  ring-buffer: Prevent overflow of size in ring_buffer_resize()
Steven Rostedt (Red Hat) [Fri, 13 May 2016 13:34:12 +0000]
ring-buffer: Prevent overflow of size in ring_buffer_resize()

If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.

Here's the details:

  # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

tracing_entries_write() processes this and converts kb to bytes.

 18014398509481980 << 10 = 18446744073709547520

and this is passed to ring_buffer_resize() as unsigned long size.

 size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

BUF_PAGE_SIZE is 4080 and here

 18446744073709547520 + 4080 - 1 = 18446744073709551599

where 18446744073709551599 is still smaller than 2^64

 2^64 - 18446744073709551599 = 17

But now 18446744073709551599 / 4080 = 4521260802379792

and size = size * 4080 = 18446744073709551360

This is checked to make sure it's still greater than 2 * 4080,
which it is.

Then we convert to the number of buffer pages needed.

 nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

but this time size is 18446744073709551360 and

 2^64 - (18446744073709551360 + 4080 - 1) = -3823

Thus it overflows and the resulting number is less than 4080, which makes

  3823 / 4080 = 0

and nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.

There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.

CVE-2016-9754
Bug 1849492

Change-Id: I442132282517827c51b3fdbd31f323fe426d6daa
Cc: stable@vger.kernel.org # 3.5+
Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285747
(cherry picked from commit 8f8088aaee836d8c6c93c3df52a0d08b8f67b3b0)
Reviewed-on: http://git-master/r/1299510
(cherry picked from commit 580a30ff59e0fcc79159da6ea8afe5b2c7640861)
Reviewed-on: http://git-master/r/1311416
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
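The arithmetic walked through in the commit message above, replayed as an added example; this is not code from the kernel or from this tree. BUF_PAGE_SIZE is fixed at the 4080 quoted in the message, the kernel's unsigned long is modelled as uint64_t so the wraparound is identical on any host, and fixed_nr_pages() is a single-rounding rewrite in the spirit of the fix the message describes (with an explicit reject for sizes that would wrap even once), not the committed patch itself:

```c
#include <stdint.h>

/* Page payload size quoted in the commit message (PAGE_SIZE minus the
 * buffer_data_page header on the kernel this commit targets). */
#define BUF_PAGE_SIZE 4080ULL

/* Same definition as the kernel macro: (a + b - 1) / b, no overflow check. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Unfixed flow: round size up to whole pages, convert back to bytes, apply
 * the two-page minimum in bytes, then round up to pages a second time.
 * The second DIV_ROUND_UP is where size + 4079 wraps past 2^64. */
uint64_t buggy_nr_pages(uint64_t size)
{
    size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
    size *= BUF_PAGE_SIZE;
    if (size < BUF_PAGE_SIZE * 2)
        size = BUF_PAGE_SIZE * 2;
    return DIV_ROUND_UP(size, BUF_PAGE_SIZE);
}

/* Single-rounding flow: compute nr_pages once, enforce the minimum on the
 * page count, and never feed a page-aligned byte count back into
 * DIV_ROUND_UP. Returns 0 (reject) if even the one rounding would wrap. */
uint64_t fixed_nr_pages(uint64_t size)
{
    uint64_t nr_pages;
    if (size > UINT64_MAX - (BUF_PAGE_SIZE - 1))
        return 0;                       /* size + 4079 would wrap: reject */
    nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
    if (nr_pages < 2)
        nr_pages = 2;
    return nr_pages;
}

/* The value the commit message writes to buffer_size_kb, converted to bytes
 * the way tracing_entries_write() does (kb << 10). */
uint64_t commit_example_size(void)
{
    return 18014398509481980ULL << 10;   /* 18446744073709547520 */
}
```

For the commit's input the buggy path yields nr_pages = 0 after the minimum check has already passed, exactly the state the message says crashes the kernel; the single-rounding path yields the 4521260802379792 pages computed in the message (an allocation that simply fails) and rejects outright any size within 4079 bytes of 2^64.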

2 years ago  gpu: nvgpu: serialize debug session IOCTLs
Deepak Nibade [Mon, 23 Jan 2017 11:32:07 +0000]
gpu: nvgpu: serialize debug session IOCTLs

Hold debug_s->ioctl_lock for all debug session IOCTLs to prevent
multi-threaded user space IOCTL calls.
Debug session IOCTL calls are not thread-safe and hence this
serialization is required.

Bug 1832267
Bug 1832095
Bug 1849492

Change-Id: I847ac951601d4f0093546b592bdb8c8f00185317
Reviewed-on: http://git-master/r/1286436
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1292432
(cherry picked from commit d4629278161f2dc3c74e0f13c6ca08038355dd22)
Reviewed-on: http://git-master/r/1299511
(cherry picked from commit 6800b190bfb4ca00c5fef064b5a7ac2c65b8f4a4)
Reviewed-on: http://git-master/r/1311415
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  dts: darcy a08 dtb support
Martin Gao [Tue, 7 Feb 2017 05:02:52 +0000]
dts: darcy a08 dtb support

- a08 darcy sku uses AOTAG
- a07 and below uses NCT

Bug 1872194

Change-Id: I67145853db908bed1cca0bbcf736b51268a11c41
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1300969
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years ago  video: tegra: hdmi: Disable HDCP for BlackMagic
Aly Hirani [Fri, 3 Feb 2017 00:06:55 +0000]
video: tegra: hdmi: Disable HDCP for BlackMagic

BlackMagic 12G has a bug where it spams us with a constant stream of
hotplugs 130 ms apart if we enable HDCP. This stream of hotplugs ends up
as a "blank screen" since we are stuck in a loop of modeset and display
teardown.

Since it doesn't support HDCP, this change blacklists it from HDCP. Once
done, it never sends us a hotplug and the device works perfectly after.

Bug 1870842

Change-Id: Id93b7e9bb1e11ca0cb969c9a8179bae7b4c64072
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1298315
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>
Reviewed-by: Prafull Suryawanshi <prafulls@nvidia.com>

2 years ago  net: wireless: bcmdhd_88: add more European countries in wifi country code
Om Prakash Singh [Wed, 1 Feb 2017 11:16:18 +0000]
net: wireless: bcmdhd_88: add more European countries in wifi country code

Bug 200275653

Change-Id: I0a952f421b2708d8a51b7fc77f2d126aa78f84c2
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1298339
Reviewed-by: Srinivas Ramachandran <srinivasra@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years ago  arm64: dts: add more European countries for Foster/Darcy
Om Prakash Singh [Wed, 1 Feb 2017 10:58:25 +0000]
arm64: dts: add more European countries for Foster/Darcy

Bug 200275653

Change-Id: Ic19e438f9ab8be44b80528db352952d37b982e9e
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1298338
Reviewed-by: Srinivas Ramachandran <srinivasra@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years ago  Jarvis: Prevent crash with invalid input device
David DSH [Sat, 21 Jan 2017 02:02:47 +0000]
Jarvis: Prevent crash with invalid input device

Bug 1864174

Change-Id: I3c62d723bc15817c687a7c70567238825703bc19
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1291898
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Robert Shih <rshih@nvidia.com>
Tested-by: Robert Shih <rshih@nvidia.com>
(cherry picked from commit 27d75519b396282a2f688ce14fdb6a0491068b65)
Reviewed-on: http://git-master/r/1298934
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  Darcy: Increase pmic voltage of sd2
David DSH [Wed, 1 Feb 2017 04:08:44 +0000]
Darcy: Increase pmic voltage of sd2

Increase preregulator voltage pin SD2 that feeds into LDO

Bug 1869208

Change-Id: I02dba37caed0963ec0900147216731741635e4f7
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1296999
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years ago  gpu: nvgpu: sysfs node to read PMU state
Mahantesh Kumbar [Wed, 25 Jan 2017 10:00:45 +0000]
gpu: nvgpu: sysfs node to read PMU state

sysfs node to know PMU state, whether PMU
boot completed & it's ready with state
"pmu->pmu_state == PMU_STATE_STARTED" to
process command requests.

issue: enable/disable request for ELPG/AELPG
through sysfs node during init stage of boot process
causing PMU halt error due to unknown state of
PMU at boot time.

Fix: Provided node to read PMU state if ready then
send commands else wait till gets ready.

Bug 1865815

Change-Id: Idad4c5390fffafbe591658b85942e8c6c6d3afc8
Signed-off-by: Mahantesh Kumbar <mkumbar@nvidia.com>
Reviewed-on: http://git-master/r/1296823
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  nvgpu: disable elpg and clock gating via dt
Martin Gao [Fri, 27 Jan 2017 23:17:37 +0000]
nvgpu: disable elpg and clock gating via dt

Bug 1865815

Change-Id: Ibd151f775f51f7a299aa61af4fbb34287b1cae64
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1296821
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  gpu: nvgpu: elpg/aelpg sysfs update
Mahantesh Kumbar [Wed, 25 Jan 2017 07:38:47 +0000]
gpu: nvgpu: elpg/aelpg sysfs update

check g->power_on & pmu->pmu_state flags
to know the status of PMU whether ready to take
commands for PG request or not. If not ready
then update ELPG/AELPG global flags
used within kernel driver & skip sending
commands to PMU

issue: enable/disable request for ELPG/AELPG
through sysfs node during init stage of boot process
causing PMU halt error

Bug 1865815

Change-Id: I1c14d2ea4ac529e5782093569edde28e5da22325
Signed-off-by: Mahantesh Kumbar <mkumbar@nvidia.com>
Reviewed-on: http://git-master/r/1296820
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "Tegra210: increase vmin to increase reliability"
David Dastous St Hilaire [Fri, 20 Jan 2017 03:02:46 +0000]
Revert "Tegra210: increase vmin to increase reliability"

This reverts commit dee4048d8cb60b1ec497869a67edc826fac29104.

Bug 1828585

Change-Id: Iefbd4910b780f33fdab24bb1ed3ade066b08f0f7
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1296819
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  video: tegra: dc: Add quirk for Vizio P series rel-24-uda-r1
Aly Hirani [Wed, 11 Jan 2017 07:29:58 +0000]
video: tegra: dc: Add quirk for Vizio P series

The Vizio SmartCast P series 4K TVs fail 1/3 hotplugs with "No Signal".
Experiments showed that enabling HDMI 2.0 scrambling and HDCP at the
same time causes this failure from Vizio's side.

This change adds a WAR to introduce a 5 second delay after modeset to
start the hdcp (instead of the standard 100ms delay).

This change also adds edid quirks to limit the 5 second delay to only
the P cast series.

Bug ??

Change-Id: I96d1200afa20401d09ab5d1d2966ab24ac761b2b
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1283347
Reviewed-by: Mandar Padmawar <mpadmawar@nvidia.com>
Tested-by: Mandar Padmawar <mpadmawar@nvidia.com>

2 years ago  drivers: wireless: bcmdhd_88: increase dpc_bound to 12ms
Srinivas Ramachandran [Wed, 4 Jan 2017 19:05:52 +0000]
drivers: wireless: bcmdhd_88: increase dpc_bound to 12ms

Increase dpc_bound to improve tx throughput

Bug 200266248

Change-Id: Iaef3d23f32b2b3ffafe3abd66429bb008ab57ad2
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1282300
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years ago  iio: imu: NVI v.342 Fix ACC resume
Erik Lilliebjerg [Sun, 8 Jan 2017 23:48:17 +0000]
iio: imu: NVI v.342 Fix ACC resume

- Accelerometer sensor is HW disabled when suspending.  When resuming, if
  the gyroscope sensor is enabled first, it didn't account for HW enabling
  the accelerometer as well if previously enabled before suspending.  This
  was intermittent behavior depending on the wake source and resume timing
  of the external sensors on the auxiliary ports, as well as resume enable
  from user space.

Bug 200266677

Change-Id: Iada223304f7991d6da256a19a26cddd5ff20ec55
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1281847
(cherry picked from commit 427c6f17fbf810f399138627b5294a8bc602cafe)
Reviewed-on: http://git-master/r/1282259
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  iio: imu: nvi: Fix false error message
Erik Lilliebjerg [Sat, 31 Dec 2016 21:37:41 +0000]
iio: imu: nvi: Fix false error message

- Due to Invensense parts being register incompatible (even the HW ID),
  there were false error messages during the driver process of identifying
  the part.  This patch suppresses those error messages until the part is
  identified and the errors become legitimate.

Bug 200260974

Change-Id: Ibd7c6fe6e4b6424cfc2f7bf04f1a64405b03e539
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1278897
(cherry picked from commit 010a8eaf597e519d5c1a258bf0015c719e0928c6)
Reviewed-on: http://git-master/r/1282258
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  iio: imu: nvi: Fix coverity
Erik Lilliebjerg [Wed, 28 Dec 2016 13:41:15 +0000]
iio: imu: nvi: Fix coverity

- Fix bad shift.
- Fix uninitialized scalar variable.

Coverity ID: 38965
Coverity ID: 38966
Coverity ID: 38967
Coverity ID: 38968
Coverity ID: 38969
Coverity ID: 38971

Bug 200192580

Change-Id: I2a972f00a7097f61c943ad035dc23d50f9f8e2e7
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1277691
(cherry picked from commit 2f8d063e538089007d6b0c5234cce1229620ece0)
Reviewed-on: http://git-master/r/1281938
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  Tegra210: increase vmin to increase reliability
David DSH [Fri, 6 Jan 2017 01:14:44 +0000]
Tegra210: increase vmin to increase reliability

Bug 1828585

Change-Id: I654bc0c0f7cb8dbb70dd0aed5c0ec664ac217dd9
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1280477
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "bcmdhd_88: save the firmware events in a file"
Bibhay Ranjan [Wed, 4 Jan 2017 07:00:30 +0000]
Revert "bcmdhd_88: save the firmware events in a file"

This reverts commit 5d5bcb34932dcc257067beb3d6c8a248c5c2c125.

Bug 200231321

Change-Id: I8adb48d6157bd4dfba40049a559e27da1fe407b2
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279949
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: increase timestamp array size"
Bibhay Ranjan [Wed, 4 Jan 2017 06:59:27 +0000]
Revert "bcmdhd_88: increase timestamp array size"

This reverts commit 125ef44ac4e4ea7f8d03f05b3a7aec15eb048708.

Bug 200231321

Change-Id: I4bbc875cf78988a38cee9f714d184955c74b0e96
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279948
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: add DHD_ERROR for nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:50 +0000]
Revert "bcmdhd_88: add DHD_ERROR for nv_logger"

This reverts commit 83275c2716e3f838a278b5ecfdb46fbe1b552d73.

Bug 200231321

Change-Id: I3bbf9ea2aaff4b421326d4b25c8e4c7ad741a493
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279947
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: improve data integrity of nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:04 +0000]
Revert "bcmdhd_88: improve data integrity of nv_logger"

This reverts commit 49308708221379d6749b0f596b1e0f1011a29d0c.

Bug 200231321

Change-Id: Ia51bdc77ae5c86b888a3ecabaf22d296473ae30f
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279946
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: disable nv_logger logging by default"
Bibhay Ranjan [Wed, 4 Jan 2017 06:56:18 +0000]
Revert "bcmdhd_88: disable nv_logger logging by default"

This reverts commit 1ee03ed037ac6576e6bf09b8228ec0b3f63f36d2.

Bug 200231321

Change-Id: I4cfbd01bf8d78a9604cd161f2c4f91f9fe43695a
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279945
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  sysedp_reactive_capping: Fix warning string check
Anand Prasad [Wed, 28 Dec 2016 19:45:29 +0000]
sysedp_reactive_capping: Fix warning string check

The current implementation incorrectly checks if a pointer value is
NULL when actually referencing an array.
Instead, use a pointer to read the threshold warning string from
device-tree so that the pointer NULL check now works.

Bug 200266221

Change-Id: Iff9e43780534cf43e93b489c7ebe150fdf4ac437
Signed-off-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-on: http://git-master/r/1277816
(cherry picked from commit 29d326af77ad71f6e61ce6e6e35eac6626500a72)
Reviewed-on: http://git-master/r/1279362
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

2 years ago  CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE
Federico Sauter [Tue, 17 Mar 2015 16:45:28 +0000]
CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE

This patch fixes a race condition that occurs when connecting
to a NT 3.51 host without specifying a NetBIOS name.
In that case a RFC1002_NEGATIVE_SESSION_RESPONSE is received
and the SMB negotiation is reattempted, but under some conditions
it leads SendReceive() to hang forever while waiting for srv_mutex.
This, in turn, sets the calling process to an uninterruptible sleep
state and makes it unkillable.

The solution is to unlock the srv_mutex acquired in the demux
thread *before* going to sleep (after the reconnect error) and
before reattempting the connection.

Bug 200266605

Change-Id: I168f4977192307dd859f83d6850bdd1eecf27dfe
(cherry picked from commit 4afe260bab50290a05e5732570329a530ed023f3)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1277404
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  ALSA: hda: Allow 8ch/192k for HD capable sinks
Ashok Mudithanapalli [Fri, 23 Dec 2016 12:03:04 +0000]
ALSA: hda: Allow 8ch/192k for HD capable sinks

If the sink is DTSHD/MLP decode capable, but not supporting
8ch/192k in its ELD, ALSA card doesn't add these in supported
rates & ch. Add these in ALSA card for HD decode capable sinks,
so that user-space can open pcm device and play HD content.

Bug 200261363

Change-Id: Ia979868f27a740abcb16b1fea37fd9684779d4be
Signed-off-by: Ashok Mudithanapalli <ashokm@nvidia.com>
Reviewed-on: http://git-master/r/1276193
GVS: Gerrit_Virtual_Submit
Reviewed-by: Rahul Mittal <rmittal@nvidia.com>
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
(cherry picked from commit fde817178e6bf99ea0d161d0175f0e69a5881d6a)
Reviewed-on: http://git-master/r/1277059
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Sanjay Singh Chauhan <schauhan@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  TS/Pepper: Protect buffer deallocation
David DSH [Mon, 19 Dec 2016 20:51:09 +0000]
TS/Pepper: Protect buffer deallocation

Bug 1842498

Change-Id: Ibf0181fd17e7cbe3964bec21072bf2d6ae85d9f2
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1273658
Tested-by: Hall Jiang <hallj@nvidia.com>
Reviewed-by: Hall Jiang <hallj@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  hid:jarvis: send uevent on creating timeout node
Siddardha Naraharisetti [Wed, 21 Dec 2016 04:07:59 +0000]
hid:jarvis: send uevent on creating timeout node

send uevent to userspace on node creation so that
permissions can be updated

Bug 1854947

Change-Id: I7487ea060d58a17f7ffdb48565e3696005bb228b
Signed-off-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
Reviewed-on: http://git-master/r/1274602
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  iio: imu: tsfw_icm: Add null checks in recv path
Spencer Sutterlin [Fri, 9 Dec 2016 00:35:49 +0000]
iio: imu: tsfw_icm: Add null checks in recv path

Bug 1850884

Change-Id: Ie750a30b822cd18c8c7f45235dfd52d707aec1fc
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1272201
(cherry picked from commit 9eaec0173ddf9eb9b4a4b9440b6df0ecd064ae52)
Reviewed-on: http://git-master/r/1268031
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  iio: Finish fix with spinlock around some reads
Spencer Sutterlin [Tue, 6 Dec 2016 20:30:25 +0000]
iio: Finish fix with spinlock around some reads

Bug 1843012

Change-Id: I9acf63c755ea7afb6f94496ef7aef40c199f42c9
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1272200
(cherry picked from commit e329d6dedf2731b435e99406ca8ce0930fce81be)
Reviewed-on: http://git-master/r/1266149
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  hid: jarvis: fake button release events for pepper
Andrew Chen [Tue, 13 Dec 2016 09:16:29 +0000]
hid: jarvis: fake button release events for pepper

Fake button release events when not receiving them from pepper.
Also provide sysfs interface for shieldtech to set the timeout value
according to firmware version.

Bug 200216036

Change-Id: Iec7ef71431fc435cfb956c04bbf77a63361e9aa0
Signed-off-by: Andrew Chen <andrewc@nvidia.com>
Signed-off-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
Reviewed-on: http://git-master/r/1270311
Reviewed-by: Varun Colbert <vcolbert@nvidia.com>
Tested-by: Varun Colbert <vcolbert@nvidia.com>

2 years ago  video: tegra: hdmi: disable hdmi2.0 during disable
Santosh Reddy Galma [Thu, 15 Dec 2016 17:47:06 +0000]
video: tegra: hdmi: disable hdmi2.0 during disable

Bug 1850165

This change disables scdc when disabling the hdmi controller.
This fixes an issue if we are going to fastboot mode, which is
set at 1080p, where we should not enable scdc. This causes
issues for some TVs, especially HDR 4K.

Change-Id: Ifa8ad45db43aa1b70810b92b4a39fc64d17e5df7
Signed-off-by: Santosh Reddy Galma <galmar@nvidia.com>
Reviewed-on: http://git-master/r/1272521
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Tested-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years ago  cpufreq: Don't create empty /sys/devices/system/cpu/cpufreq directory
Viresh Kumar [Fri, 17 May 2013 10:39:09 +0000]
cpufreq: Don't create empty /sys/devices/system/cpu/cpufreq directory

When we don't have any file in cpu/cpufreq directory we shouldn't
create it. Especially with the introduction of per-policy governor
instance patchset, even governors are moved to
cpu/cpu*/cpufreq/governor-name directory and so this directory is
just not required.

Let's have it only when required.

Bug 200260321

Change-Id: I376d8919a9c12e01ea2ba8d8edf700b17c3ff707
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1272226
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  misc: Remove stale code in cpuload
Sai Gurrappadi [Fri, 22 May 2015 19:50:50 +0000]
misc: Remove stale code in cpuload

cpuloadmon no longer needs a timer to sample load as it uses the
idle-counter delta to determine load over an interval. Removed the timer
along with a lot of unused code most of which was copied over from
cpufreq_interactive.c.

Bug 1828392
Bug 200260321

Change-Id: Ib23d19a18311878c6e6e6c7ca55acebcd9a3b777
(cherry picked from commit ab8f8ec440a17895eb902751caf8792727042f53)
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1271444
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "T124 : platform : Enable CPUSETS"
Gagan Grover [Fri, 9 Dec 2016 06:53:07 +0000]
Revert "T124 : platform : Enable CPUSETS"

This reverts commit 75cc1514386107905693363b5e524dc1c3d51873.

bug 200257427

Change-Id: I9f8b7cdb97abfa83b28c25b4ffc55875c72f7150
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1268227
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  RT8168: Fix typo for power spender
David DSH [Wed, 14 Dec 2016 02:00:29 +0000]
RT8168: Fix typo for power spender

Bug 1828585

Change-Id: I73e27339200f87437ffc08ebd23b2cca2f30545c
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1270646
Reviewed-by: Martin Gao <marting@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  hid: jarvis: Suppress kernel debug prints in atvr_raw_event()
Mithun Maragiri [Thu, 8 Dec 2016 20:39:48 +0000]
hid: jarvis: Suppress kernel debug prints in atvr_raw_event()

There is a spew of debug prints when handling debug HID reports
sent by Thunderstrike. This report has debug information about
the current status of TS.

Bug 1852042

Change-Id: Icd7ed09608301a7dcd70c9721392e4a437cbfb18
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1267770
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  To handle pm enable before Wi-fi turns ON.
nagaraj [Tue, 13 Dec 2016 02:17:49 +0000]
To handle pm enable before Wi-fi turns ON.

Bug 1828585

Change-Id: Ib41d228b5d9948cb9f3f8a61f11bae15ef0f364d
Signed-off-by: Nagaraj Annaiah <nannaiah@nvidia.com>
Reviewed-on: http://git-master/r/1269916
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  cpufreq: Synchronize the cpufreq store_*() routines with CPU hotplug
Nicolin Chen [Sat, 23 Jan 2016 00:00:48 +0000]
cpufreq: Synchronize the cpufreq store_*() routines with CPU hotplug

The functions that are used to write to cpufreq sysfs files (such as
store_scaling_max_freq()) are not hotplug safe. They can race with CPU
hotplug tasks and lead to problems such as trying to acquire an already
destroyed timer-mutex etc.

Eg:

    __cpufreq_remove_dev()
     __cpufreq_governor(policy, CPUFREQ_GOV_STOP);
       policy->governor->governor(policy, CPUFREQ_GOV_STOP);
        cpufreq_governor_dbs()
         case CPUFREQ_GOV_STOP:
          mutex_destroy(&cpu_cdbs->timer_mutex)
          cpu_cdbs->cur_policy = NULL;
      <PREEMPT>
    store()
     __cpufreq_set_policy()
      __cpufreq_governor(policy, CPUFREQ_GOV_LIMITS);
        policy->governor->governor(policy, CPUFREQ_GOV_LIMITS);
         case CPUFREQ_GOV_LIMITS:
          mutex_lock(&cpu_cdbs->timer_mutex); <-- Warning (destroyed mutex)
           if (policy->max < cpu_cdbs->cur_policy->cur) <- cur_policy == NULL

So use get_online_cpus()/put_online_cpus() in the store_*() functions, to
synchronize with CPU hotplug.

[ Merging the same patch from the Linux mainline, committed by Srivatsa
  S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>; could not do cherry-pick
  due to conflicts. Also revised the commit log to reduce confusion,
  as the original commit log mentioned an issue that isn't included in
  our 3.10 branch.

  This commit could be treated as a fix to the Bug 200152270 as there
  is a race condition here between SYSFS operations and a cpu hotplug
  that when the init process tries to GOV_START all online cpus via
  SYSFS, a cpu hotplug may happen to turn off one cpu without updating
  the new_policy->cpus in time. So the new_policy->cpus might contain
  an offlined cpu which is the root cause of this bug. Adding a lock
  of hotplug here ensures no race would happen during the SYSFS access.

  As policy->cpus is always updated during hotplug in its add/remove
  functions, we don't need to worry that it gets out-of-date as long
  as any hotplug operation is locked during the store_*().

  I applied this change and passed both the cpufreqhotplugstress and
  the following test:

  while true; do echo 0 > /sys/devices/system/cpu/cpu3/online; echo 1 > /sys/devices/system/cpu/cpu3/online; done&
  while true; do echo userspace > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor; echo interactive > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor; done&

  -- Nicolin ]

Bug 200152270
Bug 200254695

Change-Id: If871094dc92d4478a9484e92fd5cbebaeb9ae5e8
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-on: http://git-master/r/1111679
Reviewed-by: Richard Wiley <rwiley@nvidia.com>
Tested-by: Richard Wiley <rwiley@nvidia.com>
(cherry picked from commit 39be41de331032a0fc596b9d20a8e11dcb0a5f7d)
Reviewed-on: http://git-master/r/1268903
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years ago  Revert "arm64: t210: Enable TSFW_ICM"
Spencer Sutterlin [Wed, 30 Nov 2016 03:00:15 +0000]
Revert "arm64: t210: Enable TSFW_ICM"

The kernel panics are fixed, but there are still several userspace
sensor HAL and sensorservice crashes

Bug 1807528
Bug 1850381
Bug 1850405
Bug 1850410

This reverts commit d8db5dc7f0e6bb076e8a8272d00c13bfd3ab1505.

Change-Id: I7beedfe61bba074f806e3031a665d04a451ea7dc
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1262015
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "gpu: nvgpu: Add ref counting to channels"
Alex Waterman [Fri, 9 Dec 2016 19:48:41 +0000]
Revert "gpu: nvgpu: Add ref counting to channels"

This reverts commit ba5e6cc875971f0559d05f44035d27fc067e446f.

Bug 1850554

Change-Id: Iac7c616a40e8bfd61789c630e8a23955f85565e4
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1268671
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Tested-by: Martin Gao <marting@nvidia.com>

2 years ago  Revert "gpu: nvgpu: Fix CDE bind channel usage"
Alex Waterman [Fri, 9 Dec 2016 18:54:35 +0000]
Revert "gpu: nvgpu: Fix CDE bind channel usage"

This reverts commit efc0204b472571bb9ab7e243c318bd12f3e721fc.

Bug 1850554

Change-Id: I02df6e6bba4c05ba0f255f9f828289f58ad4483a
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1268640
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Martin Gao <marting@nvidia.com>

2 years ago  Revert "driver core / PM: move the calling to device_pm_remove behind the calling...
Peter Yu [Tue, 6 Dec 2016 13:40:36 +0000]
Revert "driver core / PM: move the calling to device_pm_remove behind the calling to bus_remove_device"

This reverts commit 70a657f97a2fb712aff46e5ba436c7e5e4cbb3f3.

Bug 200258370
Bug 200255615

Signed-off-by: Peter Yu <pyu@nvidia.com>
Change-Id: I3b20838102aab119c97d6bc94c09384dffa23883
Reviewed-on: http://git-master/r/1265897
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago: Revert "usb: storage: enable auto-suspend for USB storage"
Peter Yu [Tue, 6 Dec 2016 13:37:10 +0000]
Revert "usb: storage: enable auto-suspend for USB storage"

This reverts commit 907a021305c226d8b2130a95cf53be805fcc4f1d.

Bug 200258370
Bug 200255615

Signed-off-by: Peter Yu <pyu@nvidia.com>
Change-Id: I2d2f100f5bb4b030a5cac6848c076526e958eb65
Reviewed-on: http://git-master/r/1265893
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago: Revert "usb: core: avoid PM error -ENODEV for detached MSD"
Peter Yu [Tue, 6 Dec 2016 13:32:58 +0000]
Revert "usb: core: avoid PM error -ENODEV for detached MSD"

This reverts commit 225c916b5d5bf93d0b02f646dbd4df8209bf74f4.

Bug 200258370
Bug 200255615

Signed-off-by: Peter Yu <pyu@nvidia.com>
Change-Id: I17c000cdf69fa810abbe860b6013671d3c142d1b
Reviewed-on: http://git-master/r/1265890
GVS: Gerrit_Virtual_Submit
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago: hid: jarvis: do tsfw_icm's probe in workqueue
Andrew Chen [Wed, 30 Nov 2016 03:48:04 +0000]
hid: jarvis: do tsfw_icm's probe in workqueue

tsfw_icm probe takes around 2 seconds to finish and this
causes incoming HID data to be dropped at the stack layer for
that duration. Make it run in a workqueue to fix this problem.

Bug 1845197

Change-Id: I69c26222795af5a83242c165d0c61ea414a97c03
Signed-off-by: Andrew Chen <andrewc@nvidia.com>
Reviewed-on: http://git-master/r/1263719
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago: Revert "Revert "iio: imu: nvi: v.337 Fix DMP gyro""
Robert Collins [Mon, 28 Nov 2016 17:47:13 +0000]
Revert "Revert "iio: imu: nvi: v.337 Fix DMP gyro""

This reverts commit 79d3a1160b94d4b8f83ad5e643c5b6f4cc6b0ce7.

This patch restores the following commit:
    iio: imu: nvi: v.337 Fix DMP gyro

    - Fix ICM DMP gyroscope data output to match the standard FIFO data output.

    Bug 1831500

Bug 200246901
Bug 1831500

Change-Id: Id33e9b4024a6455f65503c6de18b7dbdae76652e
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1263653
GVS: Gerrit_Virtual_Submit
Reviewed-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Tested-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Tested-by: Spencer Sutterlin <ssutterlin@nvidia.com>

2 years ago: gpu: nvgpu: Fix CDE bind channel usage
Alex Waterman [Tue, 29 Nov 2016 00:25:28 +0000]
gpu: nvgpu: Fix CDE bind channel usage

Use the shared bind channel code from CDE instead of custom
channel binding code. The CDE code was using its own bind
channel code because the bind channel API took a gk20a_as_share
argument to define the VM. However, the core bind channel API
is trivially abstractable so that the core API can take a
vm_gk20a struct directly.

Bug: 31680980
NvBug 1825464

Change-Id: I0ad766748f22a64d30003a089eaa7dc65fa10e8a
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1265359
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago: gpu: nvgpu: Add ref counting to channels
Alex Waterman [Thu, 13 Oct 2016 17:03:59 +0000]
gpu: nvgpu: Add ref counting to channels

Make sure that the VM owned by a channel lives for at least
as long as that channel does. If the channel's VM is cleaned
up before the channel then use-after-free bugs can occur.

It seems like the gk20a_vm_get() was simply missing from the
bind channel. This patch adds it. The corresponding
gk20a_vm_put() happens during channel close.

Bug: 31680980
NvBug 1825464

Change-Id: If745ad4c1454386ddad9a83ff22ccd9ba2a72168
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1265358
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago: DNI: hid: jarvis: Fix lost key events
Mithun Maragiri [Wed, 30 Nov 2016 06:54:51 +0000]
DNI: hid: jarvis: Fix lost key events

The issue of key events getting lost happens when the HID report
is of the report->id = SENSOR_REPORT_ID_COMBINED.
Sensor report data from the data buffer was handled properly;
however, the button report part was not handled properly.

Bug 200250863

Change-Id: Ib6cd985b472ba927aa854e9c4b7f4e243f5cd22e
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1263496
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-by: Martin Gao <marting@nvidia.com>
Reviewed-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago: iio: Add refcount and buffer poll wakeup
Spencer Sutterlin [Wed, 30 Nov 2016 20:31:23 +0000]
iio: Add refcount and buffer poll wakeup

Bring ideas from the following upstream commits
- commit "cadc2125e" (iio: fix: Keep a reference to the IIO device
  for open file descriptors)
- commit "d2f0a48f3" (iio: Wakeup poll and blocking reads when the
  device is unregistered)

Bug 200254499

Change-Id: If5f9275091ae3f86f5c2994af5a619797b9425f0
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1263974
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago: ARM: config: tegra12: disable CONFIG_ION
Gagan Grover [Sun, 4 Dec 2016 11:50:54 +0000]
ARM: config: tegra12: disable CONFIG_ION

ION memory is not needed in Android Tegra.

boot.img size is reduced by 14336 bytes

Bug 1823317

Change-Id: If83051043b763cdb0cd3e2d550f4769a728ed491
Reviewed-on: http://git-master/r/1263861
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1264550
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: ARM: config: tegra12: auto generated diff
Gagan Grover [Sun, 4 Dec 2016 11:42:33 +0000]
ARM: config: tegra12: auto generated diff

No change done manually. Diff is auto generated by performing
these three steps on tot:
1) ksetup tegra12_android_defconfig
2) kconfig (just touched one config, no change made)
3) ksavedefconfig tegra12_android_defconfig

boot.img size not changed.

Bug 1823317
Change-Id: Ic9c17b292c2257d2f0c43017b1b3700d8732e5a2
Reviewed-on: http://git-master/r/1263858
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1264549
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: Add enable and disable Wi-Fi Power management through sysfs.
nagaraj [Wed, 30 Nov 2016 22:54:18 +0000]
Add enable and disable Wi-Fi Power management through sysfs.

Bug 1828585

Change-Id: I713de1dddbec21d0e3c0105d9f2630a45cecd2ff
Signed-off-by: Nagaraj Annaiah <nannaiah@nvidia.com>
(cherry picked from commit 63fa1393ea127c753002cc7fce893590b7931b34)
Reviewed-on: http://git-master/r/1263671
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terry Wang <terwang@nvidia.com>
Reviewed-by: Ramaiyer Ramesh <ramaiyerr@nvidia.com>

2 years ago: Elevation of privilege vulnerability in kernel networking subsystem
Mithun Maragiri [Tue, 29 Nov 2016 01:54:46 +0000]
Elevation of privilege vulnerability in kernel networking subsystem

An elevation of privilege vulnerability in the kernel networking
subsystem could enable a local malicious application to execute
arbitrary code within the context of the kernel. This issue is
rated as Moderate because it first requires compromising a
privileged process and current compiler optimizations restrict
access to the vulnerable code.

There is no validation of the len variable passed to the
ping_common_sendmsg function to check if it is less than
icmph_len leading to a potential overflow. The fix is designed
to add additional validation to prevent the potential overflow.

CVE-2016-8399
A-31349935
Bug 1836932

Change-Id: Ia61de145bd5e12c1f30847812abd06334054b416
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262344
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: Denial of service vulnerability in kernel sound driver
Mithun Maragiri [Tue, 29 Nov 2016 04:11:18 +0000]
Denial of service vulnerability in kernel sound driver

A denial of service vulnerability in the kernel could allow a
local malicious application to cause a device reboot.
This issue is rated as Low because it is a temporary denial of
service.

The original fix used -EIO as the error return code but
the function signatures had unsigned int as the return type.
The updated fix uses -1 as the error return code instead of -EIO
so the error return code is more clearly defined.

CVE-2016-6690
A-28838221
Bug 1836932

Change-Id: I10754b638b7432242d7baa1355d35bf56c2ad085
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262338
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: use %pK instead of %p
Mithun Maragiri [Tue, 29 Nov 2016 04:05:43 +0000]
use %pK instead of %p

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also
evaluates whether kptr_restrict is set.

CVE-2016-8406
A-31796940
Bug 1836932

Change-Id: I6718ace16ac0de99ecd3c9cf290bda79eac6632e
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262333
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: use %pK instead of %p
Mithun Maragiri [Tue, 29 Nov 2016 03:54:24 +0000]
use %pK instead of %p

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8402
A-31495231

Bug 1836932

Change-Id: I25843416454a29ac6c7c762072635d699ff7acbf
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262331
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: use %pK instead of %p
Mithun Maragiri [Tue, 29 Nov 2016 03:29:27 +0000]
use %pK instead of %p

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8401
A-31494725
Bug 1836932

Change-Id: I5e62e63c694735ab2711e5451f0deddd57ebfaac
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262328
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago: video: tegra: nvmap: Fix print format specifier
Gagan Grover [Tue, 29 Nov 2016 13:15:33 +0000]
video: tegra: nvmap: Fix print format specifier

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8408 A-31496571

Bug 1844902

Change-Id: I35c3ddb7b6a52e4edba814de0eaa5e85629130b9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262308
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago: perf: Fix event->ctx locking
Peter Zijlstra [Fri, 23 Jan 2015 11:24:14 +0000]
perf: Fix event->ctx locking

There have been a few reported issues wrt. the lack of locking around
changing event->ctx. This patch tries to address those.

It avoids the whole rwsem thing; and while it appears to work, please
give it some thought in review.

What I did fail at is sensible runtime checks on the use of
event->ctx, the RCU use makes it very hard.

Bug 1836932

Change-Id: Ia307722c251bb9a058df98f2061625cfcace984c
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262262
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: video: tegra: nvmap: Fix print format specifier
Gagan Grover [Tue, 29 Nov 2016 13:02:40 +0000]
video: tegra: nvmap: Fix print format specifier

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8409 A-31495687

Bug 1844902

Change-Id: I57a1fca9c58c0ac433415e39c82ab72d7429e48e
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262260
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: audit: fix a double fetch in audit_log_single_execve_arg()
Paul Moore [Tue, 19 Jul 2016 21:42:57 +0000]
audit: fix a double fetch in audit_log_single_execve_arg()

There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) arguments for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1].  Of course this leaves a window of
opportunity for an unsavory application to munge with the data.

This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s).  In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).

As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:

 * https://github.com/linux-audit/audit-testsuite/issues/25

[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.

[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data.  I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation).  The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.

Bug 1823317

Change-Id: I500834e1e699cb43d207333fa91292673de54933
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262255
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
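
The check-then-refetch shape described above, beside the single-fetch fix, as an added example in user-space C that is not the audit subsystem's code: "user memory" is a buffer with a constructed rewrite hook standing in for another thread, and the record format, helper names and sample arguments are constructed as well.

```c
/* Added example (not the audit subsystem's code or this commit): a
 * user-space model of the double fetch in audit_log_single_execve_arg().
 * "User memory" is a buffer another thread may rewrite between fetches; the
 * vulnerable path inspects the first copy and logs the second, so bytes the
 * check never saw reach the record. The fixed path fetches once and logs the
 * bytes it scanned. Names, rewrite hook and sample arguments are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ARG_MAX_LEN 64

struct user_mem {
    char data[ARG_MAX_LEN];
    const char *rewrite;   /* what the "other thread" stores after fetch #1 */
    int fetches;
};

/* strnlen_user() stand-in: the length the kernel learns before fetching. */
static size_t strnlen_user_model(const struct user_mem *u)
{
    const char *nul = memchr(u->data, '\0', ARG_MAX_LEN);
    return nul ? (size_t)(nul - u->data) : ARG_MAX_LEN;
}

/* copy_from_user() stand-in; the rewrite lands right after the first fetch,
 * which is the window the commit closes. dst must hold n + 1 bytes. */
static void copy_from_user_model(char *dst, struct user_mem *u, size_t n)
{
    memcpy(dst, u->data, n);
    dst[n] = '\0';
    if (u->fetches++ == 0 && u->rewrite)
        snprintf(u->data, sizeof u->data, "%s", u->rewrite);
}

/* audit's rule: a quote, a control/space byte or non-ASCII forces hex. */
static bool needs_hex(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] == '"' || (unsigned char)s[i] < 0x21 || (unsigned char)s[i] > 0x7e)
            return true;
    return false;
}

/* Append a0= as a quoted string, or as hex when the bytes need encoding. */
static void log_arg(char *out, size_t outsz, const char *s, size_t n, bool hex)
{
    size_t used = strlen(out);
    if (!hex) {
        snprintf(out + used, outsz - used, " a0=\"%.*s\"", (int)n, s);
        return;
    }
    used += snprintf(out + used, outsz - used, " a0=");
    for (size_t i = 0; i < n && used + 2 < outsz; i++)
        used += snprintf(out + used, outsz - used, "%02x", (unsigned char)s[i]);
}

/* Vulnerable shape: check one copy, then fetch again for logging. */
static void log_arg_double_fetch(char *out, size_t outsz, struct user_mem *u)
{
    char buf[ARG_MAX_LEN + 1];
    size_t len = strnlen_user_model(u);
    copy_from_user_model(buf, u, len);      /* fetch #1: inspected only */
    bool hex = needs_hex(buf, len);
    copy_from_user_model(buf, u, len);      /* fetch #2: logged unchecked */
    log_arg(out, outsz, buf, len, hex);
}

/* Fixed shape: fetch once, then scan and log the same bytes. */
static void log_arg_single_fetch(char *out, size_t outsz, struct user_mem *u)
{
    char buf[ARG_MAX_LEN + 1];
    size_t len = strnlen_user_model(u);
    copy_from_user_model(buf, u, len);
    log_arg(out, outsz, buf, len, needs_hex(buf, len));
}

/* Build one EXECVE record for `arg`; `rewrite` (or NULL) is what the other
 * thread stores between fetches. Returns a static buffer. */
static const char *build_record(bool fixed, const char *arg, const char *rewrite)
{
    static char out[256];
    struct user_mem u = { .rewrite = rewrite };
    snprintf(u.data, sizeof u.data, "%s", arg);
    strcpy(out, "type=EXECVE argc=1");
    if (fixed)
        log_arg_single_fetch(out, sizeof out, &u);
    else
        log_arg_double_fetch(out, sizeof out, &u);
    return out;
}

int main(void)
{
    /* Same-length rewrite, so the pre-fetched length stays valid. */
    printf("%s\n", build_record(false, "benign1", "x\" a1=\""));  /* injected */
    printf("%s\n", build_record(true, "benign1", "x\" a1=\""));   /* checked */
    printf("%s\n", build_record(true, "x\" a1=\"", NULL));        /* hex */
    return 0;
}
```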

2 years ago: arm64: make sys_call_table const
Mark Rutland [Thu, 8 Jan 2015 11:42:59 +0000]
arm64: make sys_call_table const

As with x86, mark the sys_call_table const such that it will be placed
in the .rodata section. This will cause attempts to modify the table
(accidental or deliberate) to fail when strict page permissions are in
place. In the absence of strict page permissions, there should be no
functional change.

Bug 1836932

Change-Id: I1b8da149e9a117663b63bb5df0c348ff5ad8a12d
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262251
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: staging/android/ion : fix a race condition in the ion driver
EunTaik Lee [Wed, 24 Feb 2016 04:38:06 +0000]
staging/android/ion : fix a race condition in the ion driver

There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()
function.

A handle has a ref count of 1 and two tasks on different
CPUs call ION_IOC_FREE simultaneously.

cpu 0                                   cpu 1
-------------------------------------------------------
ion_handle_get_by_id()
(ref == 2)
                            ion_handle_get_by_id()
                            (ref == 3)

ion_free()
(ref == 2)

ion_handle_put()
(ref == 1)

                            ion_free()
                            (ref == 0 so ion_handle_destroy() is
                            called
                            and the handle is freed.)

                            ion_handle_put() is called and it
                            decreases the slub's next free pointer

The problem is detected as an unaligned access in the
spin lock functions since they use the load-exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer (kmalloc returns a pointer like
ffffc0745b4580aa). And it causes lots of other
hard-to-debug problems.

This symptom is caused since the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been
freed.

To fix this problem, the client->lock mutex is extended
to protect all the code that uses the handle.

Bug 1836932

Change-Id: I45abd9dd1f696105a7840a25ba4a594b5af4fa65
Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262250
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
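
The interleaving above, and the effect of holding client->lock across lookup, free and put, as an added user-space C model that is not the ion driver's code (handle, client and counter names are constructed; "destroyed" is a flag rather than real freed memory):

```c
/* Added example (not the ion driver's code or this commit): a user-space
 * model of the ION_IOC_FREE race above. A lookup by id takes a reference and
 * ion_free() and ion_handle_put() each drop one. Without client->lock the two
 * tasks interleave as in the commit and the last put hits a destroyed handle;
 * with the lock around lookup/free/put the second lookup simply fails.
 * "Destroyed" is a flag rather than freed memory, so the outcome is
 * deterministic; all names here are constructed for the model. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct ion_handle_model {
    int ref;            /* reference count, first member as in the driver */
    bool in_idr;        /* still reachable through the client's id table */
    bool destroyed;     /* ion_handle_destroy() ran: memory would be freed */
};

struct ion_client_model { struct ion_handle_model handles[4]; };

static int puts_after_free;   /* puts that touched a destroyed handle */

static void client_init(struct ion_client_model *c)
{
    memset(c, 0, sizeof(*c));
    c->handles[0].ref = 1;        /* handle id 0 exists with one reference */
    c->handles[0].in_idr = true;
    puts_after_free = 0;
}

/* ion_handle_get_by_id(): find the handle and take a reference. */
static struct ion_handle_model *handle_get_by_id(struct ion_client_model *c, int id)
{
    struct ion_handle_model *h = &c->handles[id];
    if (!h->in_idr)
        return NULL;              /* -EINVAL in the driver */
    h->ref++;
    return h;
}

/* ion_handle_put(): drop a reference; at zero the handle leaves the id
 * table and is freed. ion_free() is modeled as one such put. */
static void handle_put(struct ion_handle_model *h)
{
    if (h->destroyed) {           /* real driver: a write into freed memory */
        puts_after_free++;
        return;
    }
    if (--h->ref == 0) {
        h->in_idr = false;
        h->destroyed = true;
    }
}

/* Unlocked ION_IOC_FREE on two CPUs, interleaved exactly as in the commit.
 * Returns how many puts hit the destroyed handle (1 = the bug). */
static int demo_unlocked(void)
{
    struct ion_client_model c;
    struct ion_handle_model *h0, *h1;
    client_init(&c);
    h0 = handle_get_by_id(&c, 0);   /* cpu 0: ref == 2 */
    h1 = handle_get_by_id(&c, 0);   /* cpu 1: ref == 3 */
    handle_put(h0);                 /* cpu 0 ion_free(): ref == 2 */
    handle_put(h0);                 /* cpu 0 ion_handle_put(): ref == 1 */
    handle_put(h1);                 /* cpu 1 ion_free(): ref == 0, destroyed */
    handle_put(h1);                 /* cpu 1 ion_handle_put() on freed handle */
    return puts_after_free;
}

/* Fixed ION_IOC_FREE: lookup, free and put form one critical section under
 * client->lock, so another task's lookup runs before or after all three. */
static int ioc_free_locked(struct ion_client_model *c, int id)
{
    /* mutex_lock(&client->lock); */
    struct ion_handle_model *h = handle_get_by_id(c, id);
    if (!h)
        return -EINVAL;             /* handle already gone: nothing to put */
    handle_put(h);                  /* ion_free() */
    handle_put(h);                  /* ion_handle_put() */
    /* mutex_unlock(&client->lock); */
    return 0;
}

/* The same two frees serialized by the lock. Returns the second call's
 * status, -EINVAL; puts_after_free stays 0. */
static int demo_locked(void)
{
    struct ion_client_model c;
    client_init(&c);
    ioc_free_locked(&c, 0);         /* ref 1 -> 2 -> 1 -> 0, destroyed */
    return ioc_free_locked(&c, 0);  /* lookup fails, no stale put */
}

int main(void)
{
    printf("unlocked: %d put(s) on a freed handle\n", demo_unlocked());
    printf("locked: second ION_IOC_FREE returns %d\n", demo_locked());
    return 0;
}
```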

2 years ago: percpu: fix synchronization between synchronous map extension and chunk destruction
Tejun Heo [Wed, 25 May 2016 15:48:25 +0000]
percpu: fix synchronization between synchronous map extension and chunk destruction

For non-atomic allocations, pcpu_alloc() can try to extend the area
map synchronously after dropping pcpu_lock; however, the extension
wasn't synchronized against chunk destruction and the chunk might get
freed while extension is in progress.

This patch fixes the bug by putting most of non-atomic allocations
under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
is responsible for async chunk management including destruction.

Bug 1836932

Change-Id: I1031ca004b5487bc7c6d57db15863e5c847946b4
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262243
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: cgroup: Correct the address format specifier
Gagan Grover [Fri, 25 Nov 2016 17:22:19 +0000]
cgroup: Correct the address format specifier

The format specifier %p can leak kernel addresses while not valuing
the kptr_restrict system settings.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

Bug 1823317

Change-Id: I19dc309e7f5341663add987f5d0b47ee32e1be50
Reviewed-on: http://git-master/r/1260110
(cherry picked from commit d018ef6518a7527562bedae1eab86838cfcc0570)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262238
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago: ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream()...
Vladis Dronov [Thu, 31 Mar 2016 16:05:43 +0000]
ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call

create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.

This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.

Based on a patch by Takashi Iwai <tiwai@suse.de>

[Note for stable backports:
 this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
 code cleanup in create_fixed_stream_quirk()')]

Bug 1823317

Change-Id: I4f65a902a19e7b21e8bc0fa21efd833c8360a3cf
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: <stable@vger.kernel.org> # see the note above
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259999
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years ago: perf: Fix race in swevent hash
Peter Zijlstra [Tue, 15 Dec 2015 12:49:05 +0000]
perf: Fix race in swevent hash

There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.

Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.

When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.

Bug 1823317

Change-Id: I309528873f8576f96663afbe51ce2739934df16c
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259934
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years ago: video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM
Gagan Grover [Thu, 24 Nov 2016 11:28:49 +0000]
video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM

Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.

Bug 1820242

Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago: tcp: fix use after free in tcp_xmit_retransmit_queue()
Eric Dumazet [Wed, 17 Aug 2016 12:56:26 +0000]
tcp: fix use after free in tcp_xmit_retransmit_queue()

When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail().

Then it attempts to copy user data into this fresh skb.

If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb).

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Bug 1823317

Change-Id: I9bf709b21e5637f338c34d894617f33d84f93ecc
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1260003
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago: ext4: fix potential use after free in __ext4_journal_stop
Lukas Czerner [Sun, 18 Oct 2015 02:57:06 +0000]
ext4: fix potential use after free in __ext4_journal_stop

There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.

Bug 1823317

Change-Id: Ib6fe50ed8013943d5fc3459eb499ecda5533c6ef
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259975
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago: block: fix use-after-free in sys_ioprio_get()
Omar Sandoval [Fri, 1 Jul 2016 07:39:35 +0000]
block: fix use-after-free in sys_ioprio_get()

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

#include <assert.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    pid_t pid, child;
    long nproc, i;

    /* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
    syscall(SYS_ioprio_set, 1, 0, 0x6000);

    nproc = sysconf(_SC_NPROCESSORS_ONLN);

    for (i = 0; i < nproc; i++) {
        pid = fork();
        assert(pid != -1);
        if (pid == 0) {
            for (;;) {
                pid = fork();
                assert(pid != -1);
                if (pid == 0) {
                    _exit(0);
                } else {
                    child = wait(NULL);
                    assert(child == pid);
                }
            }
        }

        pid = fork();
        assert(pid != -1);
        if (pid == 0) {
            for (;;) {
                /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
                syscall(SYS_ioprio_get, 2, 0);
            }
        }
    }

    for (;;) {
        /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
        syscall(SYS_ioprio_get, 2, 0);
    }

    return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009]  ___slab_alloc+0x55d/0x5a0
[   35.530009]  __slab_alloc.isra.20+0x2b/0x40
[   35.530009]  kmem_cache_alloc_node+0x84/0x200
[   35.530009]  create_task_io_context+0x2b/0x370
[   35.530009]  get_task_io_context+0x92/0xb0
[   35.530009]  copy_process.part.8+0x5029/0x5660
[   35.530009]  _do_fork+0x155/0x7e0
[   35.530009]  SyS_clone+0x19/0x20
[   35.530009]  do_syscall_64+0x195/0x3a0
[   35.530009]  return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009]  __slab_free+0x27b/0x3d0
[   35.530009]  kmem_cache_free+0x1fb/0x220
[   35.530009]  put_io_context+0xe7/0x120
[   35.530009]  put_io_context_active+0x238/0x380
[   35.530009]  exit_io_context+0x66/0x80
[   35.530009]  do_exit+0x158e/0x2b90
[   35.530009]  do_group_exit+0xe5/0x2b0
[   35.530009]  SyS_exit_group+0x1d/0x20
[   35.530009]  entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Bug 1823317

Change-Id: If331a4574b63e9288d1019c45c28af82731e9abb
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259972
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago: block: fix use-after-free in seq file
Vegard Nossum [Fri, 29 Jul 2016 08:40:31 +0000]
block: fix use-after-free in seq file

I got a KASAN report of use-after-free:

    ==================================================================
    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
    Read of size 8 by task trinity-c1/315
    =============================================================================
    BUG kmalloc-32 (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
            ___slab_alloc+0x4f1/0x520
            __slab_alloc.isra.58+0x56/0x80
            kmem_cache_alloc_trace+0x260/0x2a0
            disk_seqf_start+0x66/0x110
            traverse+0x176/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a
    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
            __slab_free+0x17a/0x2c0
            kfree+0x20a/0x220
            disk_seqf_stop+0x42/0x50
            traverse+0x3b5/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a

    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G    B           4.7.0+ #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
    Call Trace:
     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
     [<ffffffff814704ff>] object_err+0x2f/0x40
     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
     [<ffffffff814b8de6>] do_preadv+0x126/0x170
     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

open()
 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Bug 1823317

Change-Id: Ic3f82ef82c570866b48c5ea8e195d8e504570d80
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259961
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
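The start/stop sequence from the message above, replayed in user space as an added example. This is not kernel code and not part of the commit: the slab is replaced by a two-slot arena whose entries carry a `live` flag, class_dev_iter_exit() plus kfree() are collapsed into one routine that reports a stale pointer instead of crashing, and `fail_next_alloc` is a test hook standing in for the failing kmalloc(). Both fixes discussed in the message (clearing `private` in .stop, or clearing it in .start on allocation failure) are selectable so the three outcomes can be compared.

```c
#include <stdio.h>
#include <string.h>

/* Two-slot arena standing in for the slab. A stale pointer is a slot whose
 * `live` flag has been cleared, which is well-defined to inspect here,
 * unlike reading real freed memory. */
struct class_dev_iter { int live; int pos; };
static struct class_dev_iter pool[2];
static int fail_next_alloc;            /* test hook: make the next kmalloc() fail */

struct seq_file { void *private; };

static struct class_dev_iter *iter_kmalloc(void)
{
    if (fail_next_alloc) { fail_next_alloc = 0; return NULL; }
    for (int i = 0; i < 2; i++)
        if (!pool[i].live) { pool[i].live = 1; pool[i].pos = 0; return &pool[i]; }
    return NULL;
}

/* Stands in for class_dev_iter_exit() + kfree(): -1 means it was handed a
 * pointer to an already freed iterator (the KASAN report above). */
static int iter_exit_and_free(struct class_dev_iter *it)
{
    if (!it->live)
        return -1;
    it->live = 0;
    return 0;
}

/* .start: on allocation failure the unpatched code returns an error and
 * leaves seqf->private pointing at whatever the previous call stored. */
static void *disk_seqf_start(struct seq_file *seqf, int fix_in_start)
{
    struct class_dev_iter *it = iter_kmalloc();
    if (!it) {
        if (fix_in_start)
            seqf->private = NULL;   /* the alternative fix mentioned in the message */
        return NULL;                /* kernel: ERR_PTR(-ENOMEM) */
    }
    seqf->private = it;
    return it;
}

/* .stop: called even when .start failed. Returns -1 on a stale iterator. */
static int disk_seqf_stop(struct seq_file *seqf, int fix_in_stop)
{
    struct class_dev_iter *it = seqf->private;
    int rc = 0;
    if (it) {
        rc = iter_exit_and_free(it);
        if (fix_in_stop)
            seqf->private = NULL;   /* the merged fix: drop the dangling pointer */
    }
    return rc;
}

/* Two pread() calls on one open file; the second allocation fails.
 * Returns 0 if both stops were clean, -1 if a stale iterator was used. */
static int run_two_preads(int fix_in_stop, int fix_in_start)
{
    struct seq_file seqf = { .private = NULL };
    memset(pool, 0, sizeof pool);
    fail_next_alloc = 0;

    disk_seqf_start(&seqf, fix_in_start);          /* kmalloc() succeeds */
    if (disk_seqf_stop(&seqf, fix_in_stop))
        return -1;
    fail_next_alloc = 1;
    disk_seqf_start(&seqf, fix_in_start);          /* kmalloc() fails */
    return disk_seqf_stop(&seqf, fix_in_stop);     /* old pointer still in private? */
}

int main(void)
{
    printf("unpatched:     %d\n", run_two_preads(0, 0));
    printf("fix in .stop:  %d\n", run_two_preads(1, 0));
    printf("fix in .start: %d\n", run_two_preads(0, 1));
    return 0;
}
```

The unpatched run reports -1 on the second stop; either fix reports 0. The model keeps the kernel's contract that .stop runs after a failed .start, which is the property the real fix relies on.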

2 years ago
sg: Fix double-free when drives detach during SG_IO
Calvin Owens [Fri, 30 Oct 2015 23:57:00 +0000]
sg: Fix double-free when drives detach during SG_IO

In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().

Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.

This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:

  ------------[ cut here ]------------
  kernel BUG at block/blk-core.c:1420!
  Call Trace:
  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
  [<ffffffff81602afb>] tracesys+0xdd/0xe2
    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free
it.

Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Bug 1823317

Change-Id: I883243dce583cd79e28facaa2cdd81157b293d74
Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259958
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
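The detach branch described above, modelled in user space as an added example; this is not the sg driver's code. The request slab object and the separately allocated long CDB each carry a `live` flag so that a second free or a read through a freed request is counted instead of corrupting memory, and the `srp->bio` condition of the real branch is omitted on the assumption that the request was started. `patched` selects the fixed version, which frees the non-embedded CDB itself and clears `srp->rq` before calling sg_finish_rem_req().

```c
#include <errno.h>
#include <stdio.h>

#define BLK_MAX_CDB 16

/* A block request with embedded CDB storage. `live` stands in for whether
 * the slab object is allocated. */
struct request {
    int live;
    unsigned char __cmd[BLK_MAX_CDB];
    unsigned char *cmd;     /* == __cmd, or a separately allocated longer buffer */
};

struct cdb_buf { int live; unsigned char bytes[32]; };
struct sg_request { struct request *rq; };

static struct request the_rq;    /* stands in for the request slab object */
static struct cdb_buf long_cdb;  /* stands in for the kmalloc'd CDB of a long command */
static int faults;               /* double frees plus reads through a freed request */

static void blk_put_request(struct request *rq)
{
    if (!rq->live) { faults++; return; }   /* kernel: BUG at block/blk-core.c:1420 */
    rq->live = 0;
}

static void kfree_cmd(unsigned char *cmd)
{
    (void)cmd;
    if (!long_cdb.live) { faults++; return; }
    long_cdb.live = 0;
}

/* Reading rq->cmd is only valid while rq is allocated. */
static unsigned char *rq_cmd(struct request *rq)
{
    if (!rq->live) faults++;               /* use-after-free read */
    return rq->cmd;
}

/* The part of sg_finish_rem_req() that releases the request. */
static void sg_finish_rem_req(struct sg_request *srp)
{
    if (srp->rq) {
        if (rq_cmd(srp->rq) != srp->rq->__cmd)
            kfree_cmd(srp->rq->cmd);
        blk_put_request(srp->rq);
    }
}

/* The "device detached during SG_IO" branch of sg_common_write(). */
static int sg_common_write_detached(struct sg_request *srp, int patched)
{
    if (patched && srp->rq->cmd != srp->rq->__cmd)
        kfree_cmd(srp->rq->cmd);  /* sg_rq_end_io() will never run, so free it here */
    blk_put_request(srp->rq);     /* blk_end_request_all() drops the request */
    if (patched)
        srp->rq = NULL;           /* keep sg_finish_rem_req() from freeing it again */
    sg_finish_rem_req(srp);
    return -ENODEV;
}

/* Set up a request with an embedded (16-byte) or long CDB and run the detach
 * path. Returns the number of memory-safety faults observed. */
static int run_detach(int patched, int long_cmd)
{
    struct sg_request srp = { .rq = &the_rq };
    the_rq.live = 1;
    long_cdb.live = long_cmd;
    the_rq.cmd = long_cmd ? long_cdb.bytes : the_rq.__cmd;
    faults = 0;
    sg_common_write_detached(&srp, patched);
    return faults;
}

/* 1 if the long CDB buffer is still allocated after the detach path (a leak). */
static int long_cdb_leaked(void) { return long_cdb.live; }

int main(void)
{
    printf("unpatched, short CDB: faults=%d\n", run_detach(0, 0));
    printf("unpatched, long CDB:  faults=%d\n", run_detach(0, 1));
    printf("patched,   short CDB: faults=%d\n", run_detach(1, 0));
    printf("patched,   long CDB:  faults=%d leaked=%d\n", run_detach(1, 1), long_cdb_leaked());
    return 0;
}
```

Unpatched, both CDB sizes produce two faults: the read of `rq->cmd` through the already freed request, then the second blk_put_request(). Patched, there are none, and the long CDB is still released, which is why the fix adds the kfree() rather than only clearing the pointer.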

2 years ago
af_unix: Guard against other == sk in unix_dgram_sendmsg
Rainer Weikusat [Thu, 11 Feb 2016 19:37:27 +0000]
af_unix: Guard against other == sk in unix_dgram_sendmsg

The unix_dgram_sendmsg routine uses the following test

if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {

to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add an other != sk
check to guard against this.

Bug 1823317

Change-Id: I5b8f74348f82b4a84a3e01a93c58c49829b26efa
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259949
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
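The double-unlock path from the message above, modelled in user space as an added example; this is not the kernel's af_unix code. The spinlock is replaced by a depth counter so that a recursive lock or an unlock of an unlocked lock is counted rather than crashing, only the non-blocking path (timeo == 0, so no unix_wait_for_peer()) is modelled, the unix_dgram_peer_wake_me() check is left out, and the structure fields are simplified assumptions. `guarded` adds the `other != sk` test from the fix.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

struct unix_sock {
    int lock_depth;                 /* models the unix_state_lock() spinlock */
    int recvq_len, recvq_max;       /* models receive queue length vs its limit */
    struct unix_sock *peer;         /* models unix_peer(); NULL when unconnected */
};

static int lock_faults;             /* recursive locks and unlocks of an unlocked lock */

static void unix_state_lock(struct unix_sock *u)
{
    if (u->lock_depth) lock_faults++;   /* a real spinlock would deadlock here */
    u->lock_depth++;
}

static void unix_state_unlock(struct unix_sock *u)
{
    if (!u->lock_depth) { lock_faults++; return; }   /* the double unlock */
    u->lock_depth--;
}

/* One lock when both are the same socket, otherwise both in address order. */
static void unix_state_double_lock(struct unix_sock *a, struct unix_sock *b)
{
    if (a == b) { unix_state_lock(a); return; }
    if ((uintptr_t)a < (uintptr_t)b) { unix_state_lock(a); unix_state_lock(b); }
    else                             { unix_state_lock(b); unix_state_lock(a); }
}

static int unix_recvq_full(const struct unix_sock *u) { return u->recvq_len > u->recvq_max; }

/* The n:1 flow-control block and the out_unlock exit, non-blocking send. */
static int unix_dgram_sendmsg_model(struct unix_sock *sk, struct unix_sock *other, int guarded)
{
    int sk_locked = 0, err = 0;

    unix_state_lock(other);
    if ((!guarded || other != sk) && other->peer != sk && unix_recvq_full(other)) {
        unix_state_unlock(other);
        unix_state_double_lock(sk, other);   /* with other == sk: a single lock */
        if (sk->peer != other) {
            err = -EAGAIN;
            sk_locked = 1;      /* out_unlock now unlocks sk, then other */
            goto out_unlock;
        }
        sk_locked = 1;          /* simplification: still connected, carry on locked */
    }
    other->recvq_len++;         /* queue the datagram on other's receive queue */
out_unlock:
    if (sk_locked)
        unix_state_unlock(sk);
    unix_state_unlock(other);   /* the same lock as above when other == sk */
    return err;
}

/* sendto() an unconnected socket's own bound address while its receive
 * queue is full. Returns lock faults plus any lock still held afterwards. */
static int run_send_to_self(int guarded, int *err_out)
{
    struct unix_sock sk = { .recvq_len = 11, .recvq_max = 10, .peer = NULL };
    int err;
    lock_faults = 0;
    err = unix_dgram_sendmsg_model(&sk, &sk, guarded);
    if (err_out) *err_out = err;
    return lock_faults + (sk.lock_depth != 0);
}

/* The case the original test was written for: an unrelated, full socket. */
static int run_send_to_full_stranger(int guarded, int *err_out)
{
    struct unix_sock sk = { .recvq_max = 10 };
    struct unix_sock other = { .recvq_len = 11, .recvq_max = 10 };
    int err;
    lock_faults = 0;
    err = unix_dgram_sendmsg_model(&sk, &other, guarded);
    if (err_out) *err_out = err;
    return lock_faults + (sk.lock_depth != 0) + (other.lock_depth != 0);
}

static int self_send_err(int guarded)     { int e; run_send_to_self(guarded, &e); return e; }
static int stranger_send_err(int guarded) { int e; run_send_to_full_stranger(guarded, &e); return e; }

int main(void)
{
    printf("self, unguarded: faults=%d err=%d\n", run_send_to_self(0, NULL), self_send_err(0));
    printf("self, guarded:   faults=%d err=%d\n", run_send_to_self(1, NULL), self_send_err(1));
    printf("stranger, guarded: faults=%d err=%d\n", run_send_to_full_stranger(1, NULL), stranger_send_err(1));
    return 0;
}
```

Unguarded, the self-send enters the block, drops and retakes the one lock, fails the `unix_peer(sk) != other` check and then unlocks that lock twice on the way out; guarded, the block is skipped and the lock count balances. The n:1 case against a different socket behaves the same with or without the guard, returning -EAGAIN with balanced locks.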