Nick Desaulniers [Sun, 16 Apr 2017 18:02:15 +0000]
[PATCH] tracing: do not leak kernel addresses

This likely breaks tracing tools like trace-cmd.  It logs in the same
format but now addresses are all 0x0.

Bug 1899974

Bug: 34277115
Change-Id: Ifb0d4d2a184bf0d95726de05b1acee0287a375d9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463515
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

Robb Glasser [Sun, 16 Apr 2017 17:55:58 +0000]
[PATCH] Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Bug 1899974

Bug: 33300353
Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463514
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bhanu Murthy V <bmurthyv@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

Andy Whitcroft [Wed, 22 Mar 2017 07:29:31 +0000]
xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window

When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer.  However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents.  We do
not at this point check that the replay_window is within the allocated
memory.  This leads to out-of-bounds reads and writes triggered by
netlink packets.  This leads to memory corruption and the potential for
privilege escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn.  It however does not check the replay_window
remains within that buffer.  Add validation of the contained
replay_window.

Bug 1899974

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Icfade54ffb7afeb808f73ad3ff2ab50ceaf5f610
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463513
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
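
The validation this commit message describes, modelled in userspace C as an added example (not the kernel patch itself). The struct esn_model layout, the function names and the sample values are constructed for illustration. It contrasts the size-only check on the update path with one that also bounds replay_window by the bitmap size.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the ESN replay state: a fixed header followed by
 * a bitmap of bmp_len 32-bit words. replay_window is a bit count that
 * is later used to index into that bitmap. Layout is illustrative. */
struct esn_model {
    uint32_t bmp_len;        /* bitmap length in 32-bit words */
    uint32_t seq;            /* sequence number (unused by the checks) */
    uint32_t replay_window;  /* window size in bits */
};

/* Total bytes occupied by header plus bitmap. */
static uint64_t esn_bytes(const struct esn_model *e)
{
    return sizeof(*e) + (uint64_t)e->bmp_len * sizeof(uint32_t);
}

/* Number of bits the allocated bitmap can actually hold. */
static uint64_t esn_bitmap_bits(const struct esn_model *e)
{
    return (uint64_t)e->bmp_len * sizeof(uint32_t) * 8;
}

/* Update-path check as described before the fix: the update must have
 * the same overall size as the existing state, nothing more. */
int verify_update_size_only(const struct esn_model *cur,
                            const struct esn_model *upd)
{
    if (esn_bytes(cur) != esn_bytes(upd))
        return -EINVAL;
    return 0;
}

/* Same check plus validation of the contained replay_window: the window
 * must fit inside the bitmap that was allocated for this state. */
int verify_update_with_window(const struct esn_model *cur,
                              const struct esn_model *upd)
{
    int err = verify_update_size_only(cur, upd);

    if (err)
        return err;
    if (upd->replay_window > esn_bitmap_bits(upd))
        return -EINVAL;
    return 0;
}

/* Builds an existing state whose window exactly fills its bitmap and a
 * candidate update, then runs the selected check (constructed inputs). */
int check_update(uint32_t cur_bmp_len, uint32_t upd_bmp_len,
                 uint32_t upd_window, int with_window_check)
{
    struct esn_model cur = { cur_bmp_len, 0, cur_bmp_len * 32 };
    struct esn_model upd = { upd_bmp_len, 0, upd_window };

    return with_window_check ? verify_update_with_window(&cur, &upd)
                             : verify_update_size_only(&cur, &upd);
}

int main(void)
{
    /* Constructed cases: {existing bmp_len, update bmp_len, update window}. */
    static const uint32_t cases[][3] = {
        { 1, 1, 32 },    /* window fits the one-word bitmap */
        { 1, 1, 33 },    /* one bit past the bitmap */
        { 1, 1, 4096 },  /* same buffer size, far larger window */
        { 1, 2, 64 },    /* buffer size changed */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("bmp_len %u -> %u, window %u: size-only=%d with-window=%d\n",
               cases[i][0], cases[i][1], cases[i][2],
               check_update(cases[i][0], cases[i][1], cases[i][2], 0),
               check_update(cases[i][0], cases[i][1], cases[i][2], 1));
    return 0;
}
```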

Seung-Woo Kim [Thu, 4 Dec 2014 10:17:17 +0000]
regulator: core: Fix regualtor_ena_gpio_free not to access pin after freeing

After freeing pin from regulator_ena_gpio_free, loop can access
the pin. So this patch fixes not to access pin after freeing.

Bug 1899974

Change-Id: I613a9ceca9471c93631231840ed61f86f6180850
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463512
GVS: Gerrit_Virtual_Submit
Reviewed-by: Venkat Reddy Talla <vreddytalla@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

Takashi Iwai [Mon, 12 Dec 2016 16:33:06 +0000]
ALSA: pcm : Call kill_fasync() in stream lock

commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 upstream.

Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed().  This is potentially racy, since the stream
may get released even while the irq handler is running.  Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.

As a quick workaround, move kill_fasync() call inside the stream
lock.  The fasync is a rarely used interface, so this shouldn't have a
big impact from the performance POV.

Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler.  But this oneliner should suffice for most
cases, so far.

Bug 1899974

Change-Id: Ic31806608aae8ae3ee37145e118d9203040618a0
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463509
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

Insun Song [Sat, 14 Jan 2017 00:25:59 +0000]
net: wireless: bcmdhd: fix overrun in wl_run_escan

Prevent buffer overrun in the case where the WLC_GET_VALID_CHANNELS IOCTL
is overridden by an attacker and its return manipulated.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Ifbbaa3c2bdfd9bea7533d605303f18e17c8d85cc
Bug: 34197514
Reviewed-on: http://git-master/r/1459053
(cherry picked from commit aad3219daaaa44172f1c1ffeaf3447e230ef0f57)
Reviewed-on: http://git-master/r/1463481
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Insun Song [Wed, 1 Feb 2017 00:18:40 +0000]
net: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref

Added boundary check not to override the allocated buffer,
especially when user input is corrupted or manipulated.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Id6196da10111517696eda5f186b1e2dd19f66085
Bug: 34469904
Reviewed-on: http://git-master/r/1459055
(cherry picked from commit 7bbbb5e7c7007959ce2704883aff37fc470a95c1)
Reviewed-on: http://git-master/r/1463483
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Insun Song [Wed, 25 Jan 2017 19:41:49 +0000]
net: wireless: bcmdhd: fix buffer overrun in wlfc reordering

added boundary check not to override allocated buffer

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Iad44141ba4e4cd224eda292c05ffe525bf74227d
Bug: 34203305
Reviewed-on: http://git-master/r/1459054
(cherry picked from commit b88e3d0b355ce821c92760bf41d04a917dab092d)
Reviewed-on: http://git-master/r/1463482
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Insun Song [Wed, 1 Feb 2017 03:57:20 +0000]
net: wireless: bcmdhd: fix buffer overrun in wl_cfg80211_add_iw_ie

added boundary check not to override allocated buffer.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: I76211db7ef595fc41cf5d5d58de79cedfe80e521
Bug: 32125310
Reviewed-on: http://git-master/r/1459052
(cherry picked from commit 6e92cb348bf85964526c7f257e11972608bc3f3e)
Reviewed-on: http://git-master/r/1463480
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Gagan Grover [Tue, 11 Apr 2017 04:15:35 +0000]
ARM64: config: tegra21: Disable tegra-cryptodev

tegra-cryptodev is used to expose IOCTLs for the tegra
hardware engine. However, as the SE hardware engine is
disabled for performance reasons, disable the
tegra-cryptodev module as well.

boot.img size is reduced by 2048 bytes.

Bug 1857996
Bug 200297552

Change-Id: I90b3ef36f59681e16b9e52f03a05685ed0d6d86b
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1458879
Reviewed-on: http://git-master/r/1460134
(cherry picked from commit 651195a1155ff6559009d8dc9824dcee509bfba3)
Reviewed-on: http://git-master/r/1463508
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Jan Kara [Mon, 19 Sep 2016 15:39:09 +0000]
posix_acl: Clear SGID bit when setting file permissions

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

Bug 1887273
Bug 200288656

Change-Id: I513706c5a9f674517a340fc797fb1de6aa0c4a3f
References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1458111
(cherry picked from commit f6ad7afd14a181e0e2a5734242a65c1200d5ba3b)
Reviewed-on: http://git-master/r/1459849
(cherry picked from commit 9e810f23f710b3019107c4e898f009a2d45e5fde)
Reviewed-on: http://git-master/r/1463479
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Miklos Szeredi [Thu, 23 Oct 2014 22:14:39 +0000]
fs: limit filesystem stacking depth

Add a simple read-only counter to super_block that indicates how deep this
is in the stack of filesystems.  Previously ecryptfs was the only stackable
filesystem and it explicitly disallowed multiple layers of itself.

Overlayfs, however, can be stacked recursively and also may be stacked
on top of ecryptfs or vice versa.

To limit the kernel stack usage we must limit the depth of the
filesystem stack.  Initially the limit is set to 2.

Bug 1887273
Bug 200288656

Change-Id: Ibaa154eb2b102d02370fe2003387b0131fe2955a
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1455849
(cherry picked from commit 5fa62435eaef75e479c0c157b4d911344f64b002)
Reviewed-on: http://git-master/r/1459845
(cherry picked from commit f9aa5494d35892be63c7268deb7fe7adacb6123e)
Reviewed-on: http://git-master/r/1463477
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Eric Dumazet [Wed, 30 Dec 2015 13:51:12 +0000]
udp: properly support MSG_PEEK with truncated buffers

Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.

In this case,
skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
                                 msg->msg_iov);
returns -EFAULT.

This bug does not happen in upstream kernels since Al Viro did a great
job to replace this into :
skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
This variant is safe vs short buffers.

For the time being, instead of reverting Herbert Xu's patch and adding back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic
skb_copy_and_csum_datagram_iovec() call.

This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.

Bug 1885879

Change-Id: Ie7215bf99beee2fccd662152e80767cdeb6ff9b2
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1330675
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
GVS: Gerrit_Virtual_Submit

Mithun Maragiri [Thu, 26 Jan 2017 09:32:08 +0000]
thermal: Move tegra_fan to sysfs nodes.

1) Create the following tegra_fan sysfs nodes
cur_pwm
target_pwm
rpm_measured
pwm_rpm_table
step_time
tach_enable
temp_control

2) Set bus_id for pwm-fan

3) Remove tegra_fan debugfs nodes

Bug 1865528

Change-Id: Id730a0ae9937b7fcd7940330b52a113fd9b28258
Reviewed-on: http://git-master/r/1294549
(cherry picked from commit 485de1b4514444b4f94196db3fbbc00b49f0031e)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1461894
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

Sami Kiminki [Tue, 12 Apr 2016 19:33:36 +0000]
gpu: nvgpu: Implement NVGPU_GPU_IOCTL_GET_GPU_TIME

Implement NVGPU_GPU_IOCTL_GET_GPU_TIME for reading the GPU time.

Bug 1395833

Change-Id: I7ddc7c28ff0c9a336cc0dcd820b15fb0fea714d0
Signed-off-by: Sami Kiminki <skiminki@nvidia.com>
Reviewed-on: http://git-master/r/1125630
(cherry picked from commit 6b35cb05b7822174bf037da7229154004df4f229)
Reviewed-on: http://git-master/r/1317214
(cherry picked from commit cf731c89ab525c59dad38a346649999517e8ecea)
Reviewed-on: http://git-master/r/1325192
GVS: Gerrit_Virtual_Submit
Reviewed-by: Donghan Ryu <dryu@nvidia.com>
(cherry picked from commit f118e3efb7aa3ff107b00540bbd55a032cd1ddf3)
Reviewed-on: http://git-master/r/1461691
Tested-by: Daniel Koch <dkoch@nvidia.com>
Reviewed-by: Daniel Koch <dkoch@nvidia.com>

Prafull Suryawanshi [Wed, 8 Feb 2017 10:51:44 +0000]
video: tegra: dc: Add edid quirk for denon dvr

Denon DVR 2313 has a YUV422 bug where it displays a
pink screen when this mode is set. So add an edid quirk
to filter out YUV422 modes for this DVR.

bug 200265680

Change-Id: I394bcb0df660cf18e460aaad88c0744c9f8ffeff
Signed-off-by: Prafull Suryawanshi <prafulls@nvidia.com>
Reviewed-on: http://git-master/r/1301331
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>
(cherry picked from commit 665da618c0ab47b13a973d3e3dc5792c7aa4eaae)
(cherry picked from commit ac0d2bfa3b41b83a8cebfede647ace08828cc6ff)
Reviewed-on: http://git-master/r/1458813
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Peter Yu [Fri, 3 Mar 2017 04:38:31 +0000]
[media] uvcvideo: Increase UVC_MAX_STATUS_SIZE

When the system runs a camera stress test (open and close camera) with
the Logitech HP Pro Webcam C920, babble errors are found at the beginning
of every test loop. Sometimes the device will disconnect unexpectedly.
This is an issue specific to the C920. Increasing UVC_MAX_STATUS_SIZE to
1024 will prevent the babble error and the unexpected device disconnection
issue during the test.

Bug 200265143
Bug 200268964

Change-Id: I0e99f7d17894fab2d12008687f9218c1a47ad26f
Signed-off-by: Peter Yu <pyu@nvidia.com>
Reviewed-on: http://git-master/r/1314405
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Henry Lin <henryl@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 61fbccb9de9a3c8134f00f3052ba8e9c5ac423bc)
Reviewed-on: http://git-master/r/1317756

Sri Krishna chowdary [Tue, 22 Mar 2016 04:25:13 +0000]
dma-coherent: fix possible panic when releasing chunk

When more than cma_chunk_size is being released then dma
release callback panics. Treat it as a valid release as long
as it lies within the current size of the cma region shared
with the OS.

bug 1715544
bug 200290806

Change-Id: Iee513067f00d2f0c91ca1811f58382b7724b528e
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1113872
(cherry picked from commit b7b3f787bfb885678c6470f00671247743cf0aaa)
Reviewed-on: http://git-master/r/1325120
Reviewed-by: Michael Frydrych <mfrydrych@nvidia.com>
Tested-by: Michael Frydrych <mfrydrych@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit af2c2cd6b076fb03026c2cdb73b433431549779d)
Reviewed-on: http://git-master/r/1459993
Tested-by: Vinayak Pane <vpane@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Andrew Morton [Tue, 2 Dec 2014 23:59:31 +0000]
drivers/input/evdev.c: don't kfree() a vmalloc address

If kzalloc() failed and then evdev_open_device() fails, evdev_open()
will pass a vmalloc'ed pointer to kfree.

This might fix https://bugzilla.kernel.org/show_bug.cgi?id=88401, where
there was a crash in kfree().

Bug 1901485

Change-Id: I090226511af6b11e374f08b8d2e92933bcace9c2
Reported-by: Christian Casteyde <casteyde.christian@free.fr>
Belatedly-Acked-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Cc: Henrik Rydberg <rydberg@euromail.se>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-on: http://git-master/r/1460832
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

Chun XU [Tue, 7 Feb 2017 11:19:12 +0000]
misc: tegra_cec: add recover IOCTL

Provide error recovery from IOCTL to user space.

Bug 1866338

Change-Id: I705ada6c8d4cb13f1c882993468f467da2908fdf
Signed-off-by: Chun XU <chunx@nvidia.com>
Reviewed-on: http://git-master/r/1300499
(cherry picked from commit a646f4903c8794641432fa838a27ee5584944eb5)
Reviewed-on: http://git-master/r/1316756
(cherry picked from commit 92307b94a5c4d771134f6209818211988e64d58d)
Reviewed-on: http://git-master/r/1457558
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Erik Kline [Tue, 7 Feb 2017 12:48:55 +0000]
Revert "netfilter: have ip*t REJECT set the sock err when an icmp is to be sent"

This reverts commit 6f489c42a92e0e33d4257017d6fd4a3e79f75f79.

Bug: 28719525

Bug 1864178
Change-Id: I108152d14d5844a2fe5532ac3b5a757e54b8ff73
Signed-off-by: Erik Kline <ek@google.com>
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1300539
(cherry picked from commit 50b7fca845c724e6b3281b7173221cc278317f6b)
Reviewed-on: http://git-master/r/1458307
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

Aly Hirani [Wed, 15 Feb 2017 21:15:37 +0000]
Revert "video: tegra: hdmi: Disable HDCP for BlackMagic"

This reverts commit 33be76c8401a2ead5a802c5a0c659ca0fb8cd2e0.

Change-Id: Ibadfafa50967d698c5904b70e02491b2ffe64f71
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1305643
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Aly Hirani [Wed, 15 Feb 2017 21:17:07 +0000]
video: tegra: dc: Increase HPD debounce to 500ms

Now that we do have a proper EDID recheck mechanism in the event of a
quick hotplug, the HPD debounce interval can be increased. Setting to
500ms to match the dGPU behavior.

Bug 1870842

Change-Id: I784df47578e058b2a55131f1e5dfc41551ce5597
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1305645
Reviewed-by: Mitch Luban <mluban@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Ujwal Patel [Tue, 11 Oct 2016 16:11:15 +0000]
video: tegra: dc: rename tegra_dc_blank

bug 1865109

tegra_dc_blank detaches list of windows passed in the argument from
a given head. Purpose of this function is limited to detaching
windows only. However current function name is misleading and
non-window specific logic is being added into that function.
Rename this function to tegra_dc_blank_wins and move out non-window
specific logic.

TDS 1232

Change-Id: I22c77a32af1f81ca73abea4dd531ef03ae91f94c
Signed-off-by: Ujwal Patel <ujwalp@nvidia.com>
Reviewed-on: http://git-master/r/1234529
Reviewed-by: Alex Waterman <alexw@nvidia.com>
Tested-by: Alex Waterman <alexw@nvidia.com>
(cherry picked from commit feafeede194469a454f98bd87f58827999f4a9e9)
Reviewed-on: http://git-master/r/1278025
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
(cherry picked from commit 67dc7f01d85ec4098cbf3ee1fe8b190955731a39)
Reviewed-on: http://git-master/r/1458819
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Anshuman Nath Kar [Wed, 13 Jul 2016 22:03:55 +0000]
video: tegra: dc: set sor to sleep at vsync during dc shutdown

bug 1865109

The DC shutdown sequence includes disabling the windows during
tegra_dc_blank and shutting down DC during sor_detach. However
since these two events are asynchronous, it can lead to stray
pixels getting transmitted to the panel. Hence we sleep the sor
during tegra_dc_blank and detach it later.

Change-Id: I017cab4c46978ee2e7ab4cb2581f4e76b62a2506
Signed-off-by: Anshuman Nath Kar <anshumank@nvidia.com>
Reviewed-on: http://git-master/r/1180987
Reviewed-by: Santosh Galma <galmar@nvidia.com>
Tested-by: Santosh Galma <galmar@nvidia.com>
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>
(cherry picked from commit f6507d5beb105bc79799073c66c6b8ab45318cd4)
Reviewed-on: http://git-master/r/1278024
Reviewed-by: Prafull Suryawanshi <prafulls@nvidia.com>
Tested-by: Prafull Suryawanshi <prafulls@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>
(cherry picked from commit 8a367aab0c9e2f2f9df845945fa03b0b81bac41f)
Reviewed-on: http://git-master/r/1458808
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Sri Krishna chowdary [Fri, 3 Mar 2017 05:14:08 +0000]
video: tegra: nvmap: fix information leak in pin/unpin

When the NVMAP_IOC_PIN_MULT_32 and NVMAP_IOC_UNPIN_MULT_32 are
called it is possible that the op.addr is not initialized. This
can cause write to some random address thus causing corruption.

This patch fixes Google Bug 31668540

Bug 1832092
Bug 1887273

Change-Id: I4d12d1a6c777131ba1fa2a753ea640861f8e82a6
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1315807
(cherry picked from commit d25ef256594f41723eaae3ba0bb9cb4e9c4a3b4c)
Reviewed-on: http://git-master/r/1458149
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Alex Waterman [Tue, 31 Jan 2017 23:49:40 +0000]
gpu: nvgpu: Remove ref count from as_share

Remove the broken ref counting from as_share. The ref-count is
incremented for every bind channel but never decremented. This
results in VMs never being freed.

Bug 1846718
Bug 200288656
Bug 1887273

Change-Id: I6253b3eab7c7471d3ed6feddb3705c49a8704bed
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1296900
(cherry picked from commit c6594c744d8fca738a1a8f5177c84a05899695dc)
Reviewed-on: http://git-master/r/1306725
(cherry picked from commit f4e861ec2acea948bd160dc044f1d49e2e45fd98)
Reviewed-on: http://git-master/r/1320259
(cherry picked from commit df37ea58960aaa4974c4d5a5b5cb800086b80ed8)
Reviewed-on: http://git-master/r/1458143
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Alex Waterman [Wed, 30 Nov 2016 00:01:41 +0000]
gpu: nvgpu: Simplify ref-counting on VMs

Simplify ref-counting on VMs: take a ref when a VM is bound to a
channel and drop a ref when a channel is freed.

Previously ref-counts were scattered over the driver. Also the CE
and CDE code would bind channels with custom rolled code. This was
because the gk20a_vm_bind_channel() function took an as_share as
the VM argument (the VM was then inferred from that as_share).
However, it is trivial to abstract that bit out and allow a central
bind channel function that just takes a VM and a channel.

Bug 1846718
Bug 200288656
Bug 1887273

Change-Id: I156aab259f6c7a2fa338408c6c4a3a464cd44a0c
Reviewed-on: http://git-master/r/1261886
(cherry picked from commit 7e403974d3584ab8880e42d422ee3afb7f49d6f3)
Reviewed-on: http://git-master/r/1312293
(cherry picked from commit 1b73a6e97bf66f6bd67ffacf49a4cec1e4c14790)
Reviewed-on: http://git-master/r/1320258
(cherry picked from commit c8b139cfb4835735cb1302c69e37a8793de286d3)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1458139
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Jean Huang [Thu, 2 Mar 2017 23:45:21 +0000]
usbtuner: fix NPE when unplugging Hauppauge 955Q tuner

Bug 1884094

Change-Id: I96889e205fbaaff42bea337189c7abab3da85335
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1316567
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Reviewed-on: http://git-master/r/1456517
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Jean Huang [Fri, 24 Feb 2017 18:31:39 +0000]
usbtuner: fix dvb functionality after v4l2 operation

Cameraserver calls v4l2_open to check the device type as
soon as a v4l2 device is registered, and then v4l2_close
if the device isn't a camera.

For cx231xx tuners, the device needs to stay in DIGITAL_MODE
for dvb_init, however, in v4l2_open the mode is switched to
ANALOG_MODE, which fails dvb_init. This patch fails v4l2_open
if it's called before dvb_init is done for cx231xx tuners.

For em28xx tuners, v4l2_close resets the usb interface alternate
to 0, which is supposed to be 1 for dvb function to work after
dvb_init. This patch skipped the usb interface reset after dvb_init
for em28xx tuners.

Bug 1861283

Change-Id: I91eb7ae0e171529ed7c0cf0f07404afb33b32d53
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1313562
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456516
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Jean Huang [Mon, 6 Feb 2017 21:09:04 +0000]
arm64: config: enable Hauppauge 995Q and Avermedia H837 tuner

Bug 1736911

Change-Id: Ic481794745d5aafef010a719cd4cee5d03a95284
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1300041
(cherry picked from commit 81ea6eb1cc47f4e5e3d23f3feb67e38021e98c66)
Reviewed-on: http://git-master/r/1311301
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456515
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Jean Huang [Thu, 12 Jan 2017 03:14:27 +0000]
arch: arm64: usbtuner: add configs for WinTV-DualHD

Porting from AOSP

arch/x86_64: configs: fugu: add configs for WinTV-DualHD
https://android.googlesource.com/kernel/x86_64/+/e3eff23370861a8f6af6e0ac5929dcba9078591f

Bug 1736911

Change-Id: If634e5e1dd72a28a8baecc68894f30176a6316ba
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284473
(cherry picked from commit f96269d0e83af81c16952de6969d79fe918f13b7)
Reviewed-on: http://git-master/r/1311300
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456514
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

Henning Garbers [Wed, 6 Jul 2016 00:57:00 +0000]
media: usb: add WinTV DualHD DVB and ATSC Bulk version IDs

Bug: 30095176
Bug 1736911

Change-Id: I61b089bf258d095a1988fc48c18f503c8367b6d3
Signed-off-by: Sungtak Lee <taklee@google.com>
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284472
(cherry picked from commit eca1a102ca006daab7f5cb44f0617e5cba938b1f)
Reviewed-on: http://git-master/r/1311299
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456513
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Henning Garbers [Sun, 3 Jul 2016 02:41:00 +0000]
media: usb: cx231xx: attach tuner si2157 as i2c device

Bug: 30095176
Bug 1736911

Change-Id: I201555673f1252347889bb6fdb05b53c86d65841
Signed-off-by: Sungtak Lee <taklee@google.com>
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284471
(cherry picked from commit ef324e5ac66c529046ff2a099f3f17d1cbd83eef)
Reviewed-on: http://git-master/r/1311298
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456512
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Henning Garbers [Sat, 2 Jul 2016 20:50:34 +0000]
media: usb: em28xx: add Hauppauge WinTV-DualHD DVB and ATSC devices

Bug: 30095176
Bug 1736911

Change-Id: Ic9c7e6641417986d16de6dae9900bee074cfeb42
Signed-off-by: Sungtak Lee <taklee@google.com>
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284470
(cherry picked from commit 767de1720a89840c3962d1a476e1f654dfa720dd)
Reviewed-on: http://git-master/r/1311297
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456511
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Henning Garbers [Sat, 2 Jul 2016 20:43:12 +0000]
media: tuner si2157: add i2c device handling calls for WinTV-DualHD

Bug: 30095176
Bug 1736911

Change-Id: I50a4ec8309e438462104c5acf9bc9a6b2b657bcc
Signed-off-by: Sungtak Lee <taklee@google.com>
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284469
(cherry picked from commit a2cf0de6c5706d97b7417c48811512cc94488850)
Reviewed-on: http://git-master/r/1311296
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456510
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

Henning Garbers [Sat, 2 Jul 2016 20:39:46 +0000]
media: dvb-frontends: add demod si2168 for WinTV-DualHD

Bug: 30095176
Bug 1736911

Change-Id: Ia02bc1cf54a737d0183bf3647dd6c70d64bc4291
Signed-off-by: Sungtak Lee <taklee@google.com>
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284468
(cherry picked from commit 39a023a8468ac60caca57895b3d236b8795f211b)
Reviewed-on: http://git-master/r/1311295
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456509
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago media: dvb-frontends: demod lgdt3306a: add i2c gate logic and i2c device handling...
Henning Garbers [Sat, 2 Jul 2016 20:35:52 +0000]
media: dvb-frontends: demod lgdt3306a: add i2c gate logic and i2c device handling calls for WinTV-DualHD

Bug: 30095176
Bug 1736911

Change-Id: Iae614a6e03babd010e94b47da905dca4b3b597d5
Signed-off-by: Sungtak Lee <taklee@google.com>
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284466
(cherry picked from commit edbe9ee471da3e24335c555afdc79ce05321d013)
Reviewed-on: http://git-master/r/1311294
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456508
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago media: dvb-frontends: inlining i2c adapter get for WinTV-DualHD
Henning Garbers [Wed, 31 Aug 2016 22:40:33 +0000]
media: dvb-frontends: inlining i2c adapter get for WinTV-DualHD

Bug: 30095176
Bug 1736911

Change-Id: I75ae4d9c9500bd0c77696b0d012bdece51521aca
Signed-off-by: Sungtak Lee <taklee@google.com>
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284465
(cherry picked from commit 73323cfaf70f8cc164bea5d06a84827e7f3cc37d)
Reviewed-on: http://git-master/r/1311293
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456507
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago usbtuner: demod lgdt3306a: optimize search duration
Henning Garbers [Wed, 28 Sep 2016 16:01:18 +0000]
usbtuner: demod lgdt3306a: optimize search duration

Bug: 31834690
Bug 1736911

Change-Id: I0adcaa1911dee150831b91bd6c27a7b78a94237f
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284464
(cherry picked from commit 90a4ba957235c112c2ae724bcad964446238c3cf)
Reviewed-on: http://git-master/r/1311292
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456506
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago usbtuner: control AVerMedia H837 LED
ManuChen [Mon, 13 Jul 2015 03:14:27 +0000]
usbtuner: control AVerMedia H837 LED

Bug: 22351873
Bug 1736911

Change-Id: If229decccf3279ad3c2179a48cf877d1f1dc0578
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1284463
(cherry picked from commit 6c3e92a4890beadbb0dc8fb7bb23fbd857a146b2)
Reviewed-on: http://git-master/r/1311291
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456505
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago usbtuner: fix NPE by unplugging Avermedia tuner device
Terry Heo [Thu, 25 Jun 2015 07:12:09 +0000]
usbtuner: fix NPE by unplugging Avermedia tuner device

Bug: 21806987
Bug 1736911

Change-Id: I519a5c544266ed4a0cdf01a84f510629d5ec41ed
Signed-off-by: Terry Heo <terryheo@google.com>
Reviewed-on: http://git-master/r/1029832
(cherry picked from commit adbf2d3571db3b34bf3d70a8d837d9fbb09b2a21)
Reviewed-on: http://git-master/r/1311290
GVS: Gerrit_Virtual_Submit
Tested-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456504
Tested-by: Patrick Horng <phorng@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago usbtuner: reset USB tuner endpoint when it is stalled
Terry Heo [Mon, 15 Jun 2015 07:38:04 +0000]
usbtuner: reset USB tuner endpoint when it is stalled

Bug: 21312311
Bug 1736911

Change-Id: I37496b5252353430b085729e4c77787e3f8df9d8
Signed-off-by: Terry Heo <terryheo@google.com>
Reviewed-on: http://git-master/r/1029831
(cherry picked from commit e738d072807f067ddb5e2e9c8cdb702aa6266b8e)
Reviewed-on: http://git-master/r/1311289
GVS: Gerrit_Virtual_Submit
Tested-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456503
Tested-by: Patrick Horng <phorng@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago usbtuner: add AVerMedia H837 support
Terry Heo [Thu, 7 May 2015 02:17:38 +0000]
usbtuner: add AVerMedia H837 support

Bug: 20649732
Bug 1736911

Change-Id: Ib550504231ba2eaedebb864295db50069ebe769c
Signed-off-by: Terry Heo <terryheo@google.com>
Reviewed-on: http://git-master/r/1029830
(cherry picked from commit b290895387dbe45399a095591fc7b61167a9caa0)
Reviewed-on: http://git-master/r/1311288
GVS: Gerrit_Virtual_Submit
Tested-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456502
Tested-by: Patrick Horng <phorng@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago usbtuner: enable Linux DVB API with USB tuner
Terry Heo [Mon, 18 May 2015 04:52:24 +0000]
usbtuner: enable Linux DVB API with USB tuner

Bug 1736911

Change-Id: If6dee29c3dfe67867f47e8959b797b2a359f03cb
Signed-off-by: Terry Heo <terryheo@google.com>
Reviewed-on: http://git-master/r/1029827
(cherry picked from commit 31aa5cbc5946802422d87b6fc3405371f6ab97e3)
Reviewed-on: http://git-master/r/1311285
GVS: Gerrit_Virtual_Submit
Tested-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456482
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago usbtuner: improve stability of bulk transfer mode
Terry Heo [Fri, 22 May 2015 07:49:43 +0000]
usbtuner: improve stability of bulk transfer mode

Fix memory leak issue on cx231xx_uninit_bulk().
And clear halt on cx231xx_init_bulk().

Bug: 20509486
Bug: 21312311

Bug 1736911

Change-Id: I5eb7c152263c09151853fe3ea27cf67e0d0d9fca
Signed-off-by: Terry Heo <terryheo@google.com>
Reviewed-on: http://git-master/r/1029829
(cherry picked from commit cc4b60a9ab1ffd77d0ea904928c634fecd187abb)
Reviewed-on: http://git-master/r/1311287
GVS: Gerrit_Virtual_Submit
Tested-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456501
Tested-by: Patrick Horng <phorng@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago usbtuner: use bulk transfer mode
Terry Heo [Tue, 19 May 2015 07:18:42 +0000]
usbtuner: use bulk transfer mode

There is a TS packet loss issue on isochronous transfer mode of Nexus
Player. Change to use bulk transfer mode to avoid it.
In addition, fix a typo on cx231xx_uninit_bulk() function.

Bug 1736911

Change-Id: I1fac4b13bf006b4071ce5934a5b2dfa4aab6307a
Signed-off-by: Terry Heo <terryheo@google.com>
Reviewed-on: http://git-master/r/1029828
(cherry picked from commit 262f3337265125ec5f496bb6b4c65a925b73ffa5)
Reviewed-on: http://git-master/r/1311286
GVS: Gerrit_Virtual_Submit
Tested-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456484
Tested-by: Patrick Horng <phorng@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago usbtuner: add Hauppauge 955Q USB tuner support
Terry Heo [Thu, 7 May 2015 02:33:36 +0000]
usbtuner: add Hauppauge 955Q USB tuner support

Apply hvr-955q-kernel-3.10.74-2015-05-06.patch

Bug 1736911

Change-Id: I132e0bc65ad9a3ee5eaabe91a200bc1d2dd7e556
Signed-off-by: Terry Heo <terryheo@google.com>
Reviewed-on: http://git-master/r/1029826
(cherry picked from commit d11e85df3a19e48511bc5cd02c19be6df93a020a)
Reviewed-on: http://git-master/r/1311303
GVS: Gerrit_Virtual_Submit
Tested-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456480
Tested-by: Patrick Horng <phorng@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago cifs: Quiet readdir harmless error
Patrick Horng [Thu, 23 Mar 2017 00:06:45 +0000]
cifs: Quiet readdir harmless error

Moved the readdir EINVAL printk to
debug level so as to not clutter kmsg.
This error is harmless and we want to remove it
for end-users.

Bug 200268378

Change-Id: I4ff28cf955ba733a3de3fdea7f97737ccd86c847
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1326462
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: http://git-master/r/1456410
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago tegra: dc: hdcp: Fix buffer overflow in driver
Pranami Bhattacharya [Thu, 22 Dec 2016 22:52:58 +0000]
tegra: dc: hdcp: Fix buffer overflow in driver

- We are allocating a buffer of 16 bytes
- While assigning values to the buffer, we run past 16 bytes
- This leads to buffer overflow and can cause exploits
- We have now increased the packet size to 32 bytes
- This will avoid any overflow

Bug 1856227

Change-Id: Ic3cf1054efbbe06a0d7579dee236071cced9f592
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1275811
(cherry picked from commit b2f451bbc25fc64ac31fd33d2ead9ba011dd52a3)
Reviewed-on: http://git-master/r/1455421
Reviewed-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago ARM64: config: tegra21: Disable ION memory
Gagan Grover [Wed, 29 Mar 2017 10:10:29 +0000]
ARM64: config: tegra21: Disable ION memory

ION memory is not needed for Android.
Disabling it for ATV.

boot.img size not changed.

Bug 1849492

Change-Id: I6896a5a8bd5bfac73a9a5885077556659287926a
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1330590
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Sri Krishna Chowdary <schowdary@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>

2 years ago video: tegra: nvmap: fix time-of-check,time-of-use vulnerability
Sri Krishna chowdary [Sat, 25 Feb 2017 19:02:47 +0000]
video: tegra: nvmap: fix time-of-check,time-of-use vulnerability

Validate the region specified by offset and size before performing
the operations like nvmap_prot_handle, nvmap_cache_maint and nvmap_handle_mk*.
This validation of offset and size once the values are in local variables
guarantees that even though user space changes the values in user buffers,
nvmap continues to perform operations with the contents that are validated.
Fixes Google Bug 34113000.

Bug 1862379
Bug 1880033

Change-Id: I32786d26c269a95122fbaf0b91d6d090cba7388e
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1298712
(cherry picked from commit f45441da608d8015ece73d253d4bdb48863f99e2)
Reviewed-on: http://git-master/r/1311631
(cherry picked from commit 22168ee3a52622c20ca8480de82102fb08119193)
Reviewed-on: http://git-master/r/1455425
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>
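
The check-then-refetch pattern this commit message describes, modelled in user space as an added example (it is not the nvmap code). struct op_args, HANDLE_SIZE and every function name are hypothetical, and a callback stands in for a second thread rewriting the user buffer between the check and the use.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an ioctl argument block that lives in user memory. */
struct op_args {
    uint32_t offset;
    uint32_t size;
};

#define HANDLE_SIZE 4096u /* constructed size of the buffer behind the handle */

/* Stands in for a second user thread that runs between two kernel reads. */
typedef void (*racer_fn)(struct op_args *user);

/* Range check written so that offset + size cannot wrap. */
static int range_ok(uint32_t offset, uint32_t size)
{
    return size != 0 && offset <= HANDLE_SIZE && size <= HANDLE_SIZE - offset;
}

/* Before: checks the values in user memory, then reads them again to use them. */
static int op_double_fetch(struct op_args *user, racer_fn racer,
                           struct op_args *used)
{
    if (!range_ok(user->offset, user->size)) /* fetch 1: time of check */
        return -EINVAL;
    if (racer)
        racer(user);                         /* user space rewrites the buffer */
    used->offset = user->offset;             /* fetch 2: time of use */
    used->size = user->size;
    return 0;
}

/* After: one copy into locals, validate the copy, operate only on the copy. */
static int op_single_fetch(struct op_args *user, racer_fn racer,
                           struct op_args *used)
{
    struct op_args local = *user;            /* plays the role of copy_from_user() */

    if (!range_ok(local.offset, local.size))
        return -EINVAL;
    if (racer)
        racer(user);                         /* the rewrite no longer matters */
    *used = local;
    return 0;
}

/* Constructed racer: enlarges the size after it has been checked. */
static void grow_size(struct op_args *user)
{
    user->size = 0x100000;
}

/* Returns 1 if the handler accepted the call yet acted on an out-of-range region. */
int acts_out_of_range(int hardened)
{
    struct op_args user = { .offset = 0, .size = 256 }; /* valid at check time */
    struct op_args used = { 0, 0 };
    int rc = hardened ? op_single_fetch(&user, grow_size, &used)
                      : op_double_fetch(&user, grow_size, &used);

    return rc == 0 && !range_ok(used.offset, used.size);
}

int main(void)
{
    printf("double fetch acts out of range: %d\n", acts_out_of_range(0));
    printf("single fetch acts out of range: %d\n", acts_out_of_range(1));
    return 0;
}
```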

2 years ago video: tegra: nvmap: Fix NULL pointer dereference issues
Sri Krishna chowdary [Wed, 14 Dec 2016 06:28:30 +0000]
video: tegra: nvmap: Fix NULL pointer dereference issues

Consider the following case:
1. NVMAP_IOC_CREATE on IOVMM gives a valid fd to user space
2. user space does not call NVMAP_IOC_ALLOC.
3. user space calls a client driver IOCTL which calls dma_buf_map_attachment
4. call to dma_buf_map_attachment propagates till __nvmap_sg_table
   which has heap_pgalloc as true and tries to access pages[]
   which has all NULL.
5. Similarly, a dma_buf_kmap() can result in __nvmap_kmap() being called
   which again results in NULL dereference if pages[] is accessed.

A valid __nvmap_sg_table should occur only when h->alloc is true.
So, add check for it.

Bug 1838597

Change-Id: I400d9d8a94ff1003db207fc9c252b9256d796f60
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1270827
(cherry picked from commit 928dc0a9fdc3f2f507dbc08ed4d54d0292fd4d9e)
Reviewed-on: http://git-master/r/1313777
(cherry picked from commit 9ae4f6fbb844760b4e6b34a25c4fb8178420dabb)
Reviewed-on: http://git-master/r/1455402
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago net: wireless: bcmdhd: remove unused WEXT file.
Insun Song [Wed, 4 Jan 2017 00:21:01 +0000]
net: wireless: bcmdhd: remove unused WEXT file.

WEXT API was already obsoleted and should be removed.

Bug: 32124445
CVE-2017-0509 A-32124445
Bug 1880704

Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1310286
(cherry picked from commit 8c671aeb5f013590c58d7a5c7d4456e30fddcba3)
Reviewed-on: http://git-master/r/1330544
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago CHROMIUM: usb: gadget: configfs: Fix KASAN use-after-free
Jim Lin [Mon, 27 Feb 2017 11:33:06 +0000]
CHROMIUM: usb: gadget: configfs: Fix KASAN use-after-free

When gadget is disconnected, running sequence is like this.
. android_work: sent uevent USB_STATE=DISCONNECTED
. Call trace:
  usb_string_copy+0xd0/0x128
  gadget_config_name_configuration_store+0x4
  gadget_config_name_attr_store+0x40/0x50
  configfs_write_file+0x198/0x1f4
  vfs_write+0x100/0x220
  SyS_write+0x58/0xa8
. configfs_composite_unbind
. configfs_composite_bind

In configfs_composite_bind, it has
"cn->strings.s = cn->configuration;"

When usb_string_copy is invoked, it would
allocate memory, copy input string, release previous pointed memory space,
and use new allocated memory.

When gadget is connected, host sends down request to get information.
Call trace:
  usb_gadget_get_string+0xec/0x168
  lookup_string+0x64/0x98
  composite_setup+0xa34/0x1ee8
  android_setup+0xb4/0x140

If gadget is disconnected and connected quickly, in the failed case,
cn->configuration memory has been released by usb_string_copy kfree but
configfs_composite_bind hasn't been run in time to assign new allocated
"cn->configuration" pointer to "cn->strings.s".

When "strlen(s->s)" of usb_gadget_get_string is being executed, the dangling
memory is accessed, "BUG: KASAN: use-after-free" error occurs.

BUG=chrome-os-partner:58412
TEST=After smaug device was connected to ubuntu PC host, detached and attached
type-C cable quickly several times without seeing
"BUG: KASAN: use-after-free in usb_gadget_get_string".

CVE-2017-0537 A-31614969
Bug 1880704

Bug: 31614969
Change-Id: I58240ee7c55ae8f8fb8597d14f09c5ac07abb032
Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311872
(cherry picked from commit b0eda88ead4f9269a8697d963628050d7e6b88a3)
Reviewed-on: http://git-master/r/1313689
(cherry picked from commit f2e1288a22d6e2eadf52ccb0b0dd1387cb8ef74e)
Reviewed-on: http://git-master/r/1455430
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
Eric Dumazet [Fri, 2 Dec 2016 17:44:53 +0000]
net: avoid signed overflows for SO_{SND|RCV}BUFFORCE

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Bug 1880704

Change-Id: I26b2411b5a5fd532fa8c02e2c68d0ec9acb784b1
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311861
(cherry picked from commit f459cad9a16059c8dbebb9a092ae172ea4a86235)
Reviewed-on: http://git-master/r/1314069
(cherry picked from commit 59df690ce8a50ea463e93ecc65dd897833cc54ad)
Reviewed-on: http://git-master/r/1455429
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago packet: fix race condition in packet_set_ring
Philip Pettersson [Wed, 30 Nov 2016 22:55:36 +0000]
packet: fix race condition in packet_set_ring

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Bug 1880704

Change-Id: I22d2920ff6c26877f671908ea683468aed693fec
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311860
(cherry picked from commit 41db91bad41df89ba1e8b3d32f935130f71ac78e)
Reviewed-on: http://git-master/r/1314068
(cherry picked from commit b4db8ee7615291eeb622024f5c3e9175bcea6d50)
Reviewed-on: http://git-master/r/1455428
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
Guillaume Nault [Fri, 18 Nov 2016 21:13:00 +0000]
l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()

Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
Without lock, a concurrent call could modify the socket flags between
the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
would then leave a stale pointer there, generating use-after-free
errors when walking through the list or modifying adjacent entries.

BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
Write of size 8 by task syz-executor/10987
CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
 ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
 ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<     inline     >] print_address_description mm/kasan/report.c:194
 [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [<     inline     >] kasan_report mm/kasan/report.c:303
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<     inline     >] __write_once_size ./include/linux/compiler.h:249
 [<     inline     >] __hlist_del ./include/linux/list.h:622
 [<     inline     >] hlist_del_init ./include/linux/list.h:637
 [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
 [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
 [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
 [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 10987
 [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
 [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
 [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
 [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708
 [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716
 [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
 [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
 [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
 [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
 [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193
 [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223
 [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
 [ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10987
 [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352
 [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
 [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951
 [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369
 [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
 [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
 [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
 [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
 [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
 [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
 [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
 [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
 [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
 [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [ 1116.897025] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

==================================================================

The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.

Bug 1880704

Change-Id: I74188f62fd6f46aa4dcf057009c5ed086c20342a
Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311851
(cherry picked from commit 8038d929e8e2e116740a50c1f6d073547f9d27b7)
Reviewed-on: http://git-master/r/1330548
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago netlink: Fix dump skb leak/double free
Herbert Xu [Mon, 16 May 2016 09:28:16 +0000]
netlink: Fix dump skb leak/double free

When we free cb->skb after a dump, we do it after releasing the
lock.  This means that a new dump could have started in the time
being and we'll end up freeing their skb instead of ours.

This patch saves the skb and module before we unlock so we free
the right memory.

Bug 1880704

Change-Id: I99a013d97bbbb793ebc0a196cd0e35ec198e3cb1
Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311849
(cherry picked from commit 2605cb0c4277297fdcab1257f796d623f649235f)
Reviewed-on: http://git-master/r/1330547
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago android: fiq_debugger: restrict access to critical commands.
Mark Salyzyn [Mon, 27 Feb 2017 09:13:25 +0000]
android: fiq_debugger: restrict access to critical commands.

Sysrq must be enabled via /proc/sys/kernel/sysrq as a security
measure to enable various critical fiq debugger commands that
either leak information or can be used as a system attack.

Default disabled, this will leave the reboot, reset, irqs, sleep,
nosleep, console and ps commands.  Reboot and reset commands
will be restricted from taking any parameters.  We will also
switch to showing the limited command set in this mode.

CVE-2017-0510 A-32402555
Bug 1880704

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 32402555
Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311806
(cherry picked from commit a079fb27cbb54535e3aa68429d3928dc3d1d8b5b)
Reviewed-on: http://git-master/r/1330545
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago video: tegra: host: Fix overflow issue allocation
Mikko Perttunen [Fri, 27 Jan 2017 07:32:20 +0000]
video: tegra: host: Fix overflow issue allocation

Change kmalloc to kmalloc_array to prevent overflow issues
caused by large values supplied by user.

Based on "video: tegra: host: Fix overflow issues in allocation"
in nvhost/.

Coverity ID 27942
Bug 1856419

Change-Id: I5e96d0ec184543782dfe8814ad7e856b3b71221c
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1295053
(cherry picked from commit 66adb8e35e0ad0d5ce383996fcc8bad3be8821f5)
Reviewed-on: http://git-master/r/1330541
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
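
Why the switch to kmalloc_array matters, as an added user-space example (not the nvhost code): a bare multiply of a user-supplied count by the element size can wrap to a small value, while an array allocator with the same overflow rule as kmalloc_array refuses the request. struct entry, array_alloc and load_entries are hypothetical names, and malloc stands in for kmalloc.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed 16-byte element; the driver's real element type is not on the page. */
struct entry {
    uint32_t words[4];
};

/* Before: size computed with a bare multiply, as in kmalloc(n * size, ...). */
size_t bytes_unchecked(size_t n, size_t size)
{
    return n * size; /* wraps modulo SIZE_MAX + 1 */
}

/* After: same overflow rule as kmalloc_array(): fail if n * size is not representable. */
void *array_alloc(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;
    return malloc(n * size);
}

/*
 * Handler model: make room for a user-supplied number of entries.
 * Returns 0 on success, -1 if the allocation is refused or fails.
 */
int load_entries(size_t user_count, struct entry **out)
{
    *out = array_alloc(user_count, sizeof(struct entry));
    return *out ? 0 : -1;
}

int main(void)
{
    /* Constructed hostile count: one element past the point where the product wraps. */
    size_t huge = SIZE_MAX / sizeof(struct entry) + 2;
    struct entry *e = NULL;

    printf("unchecked size for huge count: %zu bytes\n",
           bytes_unchecked(huge, sizeof(struct entry)));
    printf("checked allocation for huge count: %s\n",
           load_entries(huge, &e) == 0 ? "accepted" : "rejected");
    free(e);
    return 0;
}
```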

2 years ago cifs: Missing files in mount
Patrick Horng [Sat, 25 Feb 2017 01:11:03 +0000]
cifs: Missing files in mount

Missing files was caused by EINVAL from filldir64
during cifs_filldir when revalidating the inode.

Bug 1834380

Change-Id: Ia0c8e7a72f4b9b810c9f1c15d3190d42fcf5fd8c
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1311307
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()
Greg Hackmann [Mon, 23 Jan 2017 09:41:30 +0000]
net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()

Bug: 32838767
Bug 1858126
CVE-2017-0430 (A-32838767)

Change-Id: I3676556002c3bc63762919e540f68d13959b2af4
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1292382
(cherry picked from commit 2a408e9f998e0013906c58f7a2314bacf47ec672)
Reviewed-on: http://git-master/r/1299528
(cherry picked from commit 088ac085161e19efa60fddb9c20bd1e838c8f5e3)
Reviewed-on: http://git-master/r/1311425
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()
Greg Hackmann [Mon, 16 Jan 2017 12:30:19 +0000]
net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()

Bug: 32838767
Bug 1858126
CVE-2017-0430 (A-32838767)

Change-Id: I987b07c30b3ed76865a002e7c154a5fa36b1bf29
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285925
(cherry picked from commit bc90cd7f96782e30db3bc3a82d7f20efae9ea78e)
Reviewed-on: http://git-master/r/1299526
(cherry picked from commit 9f5ee0dfa24f656ff6e49b5909bdaeae088d59fa)
Reviewed-on: http://git-master/r/1311424
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago net: wireless: bcmdhd: fix buffer overrun in private command path
Insun Song [Sun, 29 Jan 2017 10:48:08 +0000]
net: wireless: bcmdhd: fix buffer overrun in private command path

buffer overrun case found when length parameter manipulated.

1. if input parameter buffer length is less than 4k,
then allocate 4k by default. It helps to get enough margin
for output string overwritten.

2. added additional length check not to override user space
allocated buffer size.

bug 1849492

Change-Id: I586ad7aed3fce24264d520f5257e2833d4e57159
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1295708
(cherry picked from commit 1402382883c9f6793630d6abe6f424a354771980)
Reviewed-on: http://git-master/r/1298474
(cherry picked from commit 347ad09ee15929eb3e7b79b82855c6aea74418d3)
Reviewed-on: http://git-master/r/1311414
GVS: Gerrit_Virtual_Submit
Reviewed-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago media: tegra: nvavp: Fix UAF issue.
Jitendra Kumar [Thu, 27 Oct 2016 08:35:00 +0000]
media: tegra: nvavp: Fix UAF issue.

Use locking to protect generated fd, so that it can't be
freed before channel open completes. Also add null value checks
in release call.

CVE-2016-8449 (A-31798848)
Bug 1830023
Bug 1849492

Change-Id: Ie6e2b29c7132fdfdff6b0bfa75440bd43afffd5f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285817
(cherry picked from commit 2ff0fdedfd65f269359d6540df4662e958681aa7)
Reviewed-on: http://git-master/r/1299505
(cherry picked from commit ea1af2ce5a746bda36205357c9e0adaf527026bb)
Reviewed-on: http://git-master/r/1311418
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago video: tegra: host: use lock to get syncpt name
Gagan Grover [Tue, 22 Nov 2016 10:13:19 +0000]
video: tegra: host: use lock to get syncpt name

Use sp->syncpt_mutex lock to get syncpt name in
syncpt_name_show()
Without the lock, it is possible for user to read
syncpt name in corrupted state if user read
coincides with syncpt free

Bug 1838598
Bug 1858126

Change-Id: I69ca5c1d80adaca4b93a337fe4a5debeb78f34fc
Reviewed-on: http://git-master/r/1252580
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1258020
(cherry picked from commit 9a7d12e49ca6c627dff2dc4c15fa9ba153e9265d)
Reviewed-on: http://git-master/r/1270244
(cherry picked from commit bcfa618cda62fd56ee30676ed7ee62a7b0b942cd)
Reviewed-on: http://git-master/r/1311427
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoBACKPORT: aio: mark AIO pseudo-fs noexec
Nick Desaulniers [Mon, 16 Jan 2017 12:58:30 +0000]
BACKPORT: aio: mark AIO pseudo-fs noexec

This ensures that do_mmap() won't implicitly make AIO memory mappings
executable if the READ_IMPLIES_EXEC personality flag is set.  Such
behavior is problematic because the security_mmap_file LSM hook doesn't
catch this case, potentially permitting an attacker to bypass a W^X
policy enforced by SELinux.

I have tested the patch on my machine.

To test the behavior, compile and run this:

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sys/personality.h>
    #include <linux/aio_abi.h>
    #include <err.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/syscall.h>

    int main(void) {
        personality(READ_IMPLIES_EXEC);
        aio_context_t ctx = 0;
        if (syscall(__NR_io_setup, 1, &ctx))
            err(1, "io_setup");

        char cmd[1000];
        sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
            (int)getpid());
        system(cmd);
        return 0;
    }

In the output, "rw-s" is good, "rwxs" is bad.

Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a)

Bug: 31711619
Bug 1858126
CVE-2016-10044 (A-31711619)

Change-Id: I9f2872703bef240d6b82320c744529459bb076dc
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285940
(cherry picked from commit b552c94fbcad36a52973a1141adafbe351b75b90)
Reviewed-on: http://git-master/r/1299533
(cherry picked from commit 79d1f35c10e5438fbb441cd1524b02cda377e04f)
Reviewed-on: http://git-master/r/1311426
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agofs/proc/array.c: make safe access to group_leader
Adrian Salido [Mon, 16 Jan 2017 11:56:05 +0000]
fs/proc/array.c: make safe access to group_leader

As mentioned in commit 52ee2dfdd4f51cf422ea6a96a0846dc94244aa37
("pids: refactor vnr/nr_ns helpers to make them safe"). *_nr_ns
helpers used to be buggy. The commit addresses most of the helpers but
is missing task_tgid_xxx()

Without this protection there is a possible use after free reported by
kasan instrumented kernel:

==================================================================
BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
Read of size 8 by task cat/2472
CPU: 1 PID: 2472 Comm: cat Tainted: ****
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c
[<ffffffc00020aec0>] show_stack+0x18/0x24
[<ffffffc0011573d0>] dump_stack+0x94/0x100
[<ffffffc0003c7dc0>] kasan_report+0x308/0x554
[<ffffffc0003c7518>] __asan_load8+0x20/0x7c
[<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44
[<ffffffc00046951c>] proc_pid_status+0x444/0x1080
[<ffffffc000460f60>] proc_single_show+0x8c/0xdc
[<ffffffc0004081b0>] seq_read+0x2e8/0x6f0
[<ffffffc0003d1420>] vfs_read+0xd8/0x1e0
[<ffffffc0003d1b98>] SyS_read+0x68/0xd4

Accessing group_leader while holding rcu_lock and using the now safe
helpers introduced in the commit mentioned, this race condition is
addressed.

Bug: 31495866
Bug 1858126
CVE-2017-0427 (A-31495866)

Signed-off-by: Adrian Salido <salidoa@google.com>
Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285902
(cherry picked from commit 3367b633042dcc778642f95cd0b3acd6c3a0a0fe)
Reviewed-on: http://git-master/r/1299523
(cherry picked from commit d6b8dd489f260d69473e03609b2ac637a3a75201)
Reviewed-on: http://git-master/r/1311423
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agovideo: tegra: nvmap: fix nvmap create handle vulnerability
skadamati [Thu, 15 Dec 2016 11:23:22 +0000]
video: tegra: nvmap: fix nvmap create handle vulnerability

Handle the race condition between malicious fd close and
copy_to_user error, which can create use after free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to use after free condition.
Fixing Google Bug 32160775.

Bug 1835857
Bug 200260161
Bug 1849492
Bug 1825283
CVE-2016-8424 (A-31606947)

Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Reviewed-on: http://git-master/r/1248391
(cherry picked from commit c26f2a34c189bef2d99740a420b2ab4023d912c0)
Reviewed-on: http://git-master/r/1273324
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285852
(cherry picked from commit b1513dff2b4bd35d1b400645642bce8dcf3c96c7)
Reviewed-on: http://git-master/r/1299501
(cherry picked from commit 3993b1f51cd24e93b460d24b2659f0c7a6c6cf8a)
Reviewed-on: http://git-master/r/1311422
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agovideo: tegra: nvmap: Fix OOB vulnerability
Sagar Kadamati [Tue, 6 Dec 2016 06:08:01 +0000]
video: tegra: nvmap: Fix OOB vulnerability

Check all pages' parameters before reserve pages.

Bug 1831426
Bug 200247013
Bug 1849492
CVE-2016-8428 (A-31993456)

Manual port: http://git-psac/r/9287

(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)

Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Reviewed-on: http://git-master/r/1273326
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285872
(cherry picked from commit 0a44c684a3bdad4d25d0c5a89e04170196e12ff6)
Reviewed-on: http://git-master/r/1299504
(cherry picked from commit e124868998c604716d0ece1a0cb7e187db4adb18)
Reviewed-on: http://git-master/r/1311421
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoKEYS: Fix short sprintf buffer in /proc/keys show function
David Howells [Wed, 26 Oct 2016 14:01:54 +0000]
KEYS: Fix short sprintf buffer in /proc/keys show function

This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:

(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.

The panic incurred looks something like:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
 ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
 [<ffffffff813d941f>] dump_stack+0x63/0x84
 [<ffffffff811b2cb6>] panic+0xde/0x22a
 [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
 [<ffffffff81350410>] ? key_validate+0x50/0x50
 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
 [<ffffffff8126b31c>] seq_read+0x2cc/0x390
 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
 [<ffffffff81244fc7>] __vfs_read+0x37/0x150
 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
 [<ffffffff81246156>] vfs_read+0x96/0x130
 [<ffffffff81247635>] SyS_read+0x55/0xc0
 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

CVE-2016-7042
Bug 1849492

Change-Id: I5117ab6175297f657a498fd2140080c7595b3a10
Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285745
(cherry picked from commit 7c1dcda59f88a1dec328afd398a9d9465fb44084)
Reviewed-on: http://git-master/r/1299506
(cherry picked from commit abd6568565c92f5246345f6195f2142ff2abf7ad)
Reviewed-on: http://git-master/r/1311420
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
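
The sizing argument in the commit message above, as an added example that is not code from the commit or from the kernel: it renders a timeout with a bounded `snprintf()` and reports how many bytes the result needs. The one-letter unit suffix, the unit thresholds, and the names `render_timeout` and `fits_in` are assumptions of this example; 12 is the "11 chars plus NUL" size and 16 is the expanded size from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Unit table for this example (assumed): largest unit first, one-letter suffix. */
static const struct {
    uint64_t seconds;
    char suffix;
} units[] = {
    { 60ULL * 60 * 24 * 7, 'w' },
    { 60ULL * 60 * 24,     'd' },
    { 60ULL * 60,          'h' },
    { 60ULL,               'm' },
    { 1ULL,                's' },
};

/*
 * Render a timeout in its largest whole unit. Never writes more than buflen
 * bytes; returns the number of characters the full text needs, excluding the
 * terminating NUL (snprintf semantics), so the caller can detect truncation.
 */
int render_timeout(uint64_t timo, char *buf, size_t buflen)
{
    size_t i = 0;
    const size_t last = sizeof(units) / sizeof(units[0]) - 1;

    /* Pick the first unit the value reaches; fall back to seconds. */
    while (i < last && timo < units[i].seconds)
        i++;

    return snprintf(buf, buflen, "%llu%c",
                    (unsigned long long)(timo / units[i].seconds),
                    units[i].suffix);
}

/* 1 if the rendered text plus its NUL fits in a buffer of buflen bytes. */
int fits_in(uint64_t timo, size_t buflen)
{
    int need = render_timeout(timo, NULL, 0);

    return need >= 0 && (size_t)need + 1 <= buflen;
}

int main(void)
{
    char xbuf[16];
    const uint64_t worst64 = UINT64_MAX;  /* largest 64-bit timeout */
    const uint64_t worst32 = UINT32_MAX;  /* largest 32-bit timeout */

    render_timeout(worst64, xbuf, sizeof(xbuf));
    printf("64-bit worst case: \"%s\" needs %d bytes with NUL\n",
           xbuf, render_timeout(worst64, NULL, 0) + 1);
    printf("fits in 12: %d, fits in 16: %d\n",
           fits_in(worst64, 12), fits_in(worst64, 16));
    printf("32-bit worst case fits in 12: %d\n", fits_in(worst32, 12));
    return 0;
}
```

With the suffix counted, the 64-bit worst case is 14 digits plus one letter plus NUL, which is exactly 16 bytes, while the 32-bit worst case stays inside the smaller buffer.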

2 years agoperf: don't leave group_entry on sibling list(use-after-free)
John Dias [Mon, 16 Jan 2017 08:22:04 +0000]
perf: don't leave group_entry on sibling list(use-after-free)

When perf_group_detach is called on a group leader,
it should empty its sibling list. Otherwise, when
a sibling is later deallocated, list_del_event()
removes the sibling's group_entry from its current
list, which can be the now-deallocated group leader's
sibling list (use-after-free bug).

Bug: 32402548

CVE-2017-0403 (A-32402548)
Bug 1849492

Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285800
(cherry picked from commit a5dc2d079ba88bba5dc78484d4820842af65d656)
Reviewed-on: http://git-master/r/1299508
(cherry picked from commit 8dae5d362123d37d29552b5a9ed89c7dbfe3dd55)
Reviewed-on: http://git-master/r/1311419
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoALSA: info: Check for integer overflow in snd_info_entry_write()
Siqi Lin [Mon, 16 Jan 2017 08:28:01 +0000]
ALSA: info: Check for integer overflow in snd_info_entry_write()

snd_info_entry_write() resizes the buffer with an unsigned long
size argument that gets truncated because resize_info_buffer()
takes the size parameter as an unsigned int. On 64-bit kernels,
this causes the following copy_to_user() to write out-of-bounds
if (pos + count) can't be represented by an unsigned int.

Bug: 32510733

CVE-2017-0404 (A-32510733)
Bug 1849492

Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23
Signed-off-by: Siqi Lin <siqilin@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285802
(cherry picked from commit 080aad52eb18b8f622676063334f105a77f6cf58)
Reviewed-on: http://git-master/r/1299509
(cherry picked from commit 935b76652a88fd9906eefea1030c051613310f64)
Reviewed-on: http://git-master/r/1311417
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoring-buffer: Prevent overflow of size in ring_buffer_resize()
Steven Rostedt (Red Hat) [Fri, 13 May 2016 13:34:12 +0000]
ring-buffer: Prevent overflow of size in ring_buffer_resize()

If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.

Here's the details:

  # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

tracing_entries_write() processes this and converts kb to bytes.

 18014398509481980 << 10 = 18446744073709547520

and this is passed to ring_buffer_resize() as unsigned long size.

 size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

BUF_PAGE_SIZE is 4080 and here

 18446744073709547520 + 4080 - 1 = 18446744073709551599

where 18446744073709551599 is still smaller than 2^64

 2^64 - 18446744073709551599 = 17

But now 18446744073709551599 / 4080 = 4521260802379792

and size = size * 4080 = 18446744073709551360

This is checked to make sure it's still greater than 2 * 4080,
which it is.

Then we convert to the number of buffer pages needed.

 nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

but this time size is 18446744073709551360 and

 2^64 - (18446744073709551360 + 4080 - 1) = -3823

Thus it overflows and the resulting number is less than 4080, which makes

  3823 / 4080 = 0

and nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.

There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.

CVE-2016-9754
Bug 1849492

Change-Id: I442132282517827c51b3fdbd31f323fe426d6daa
Cc: stable@vger.kernel.org # 3.5+
Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285747
(cherry picked from commit 8f8088aaee836d8c6c93c3df52a0d08b8f67b3b0)
Reviewed-on: http://git-master/r/1299510
(cherry picked from commit 580a30ff59e0fcc79159da6ea8afe5b2c7640861)
Reviewed-on: http://git-master/r/1311416
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
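
The arithmetic walked through in the commit message above, as an added example that is not code from the commit or from the kernel: it models the two-step rounding in 64-bit unsigned arithmetic next to a single-step version. The function names are hypothetical, and the overflow-free ceiling division and the checked kb-to-bytes shift are assumptions of this example rather than the commit's change.

```c
#include <stdint.h>
#include <stdio.h>

/* Page size and macro as quoted in the commit message. */
#define BUF_PAGE_SIZE 4080ULL
#define DIV_ROUND_UP(a, b) (((a) + (b) - 1) / (b))

/*
 * Model of the arithmetic the message describes: round up to pages, convert
 * back to bytes, apply the two-page minimum to the byte count, then round up
 * to pages a second time.
 */
uint64_t nr_pages_two_roundings(uint64_t size)
{
    size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
    size *= BUF_PAGE_SIZE;

    /* Minimum of two pages, checked on bytes. */
    if (size < 2 * BUF_PAGE_SIZE)
        size = 2 * BUF_PAGE_SIZE;

    /* size + 4079 can wrap past 2^64 here, giving a tiny numerator. */
    return DIV_ROUND_UP(size, BUF_PAGE_SIZE);
}

/*
 * One rounding step, with the minimum applied to the page count. The ceiling
 * division is written as quotient plus a remainder test so that no addition
 * can wrap (an assumption of this example).
 */
uint64_t nr_pages_one_rounding(uint64_t size)
{
    uint64_t nr_pages = size / BUF_PAGE_SIZE + (size % BUF_PAGE_SIZE != 0);

    if (nr_pages < 2)
        nr_pages = 2;
    return nr_pages;
}

/*
 * kb-to-bytes conversion with the shift checked first, so that high bits
 * cannot be silently discarded. Returns 0 on success, -1 if kb is too large.
 */
int kb_to_bytes(uint64_t kb, uint64_t *bytes)
{
    if (kb > (UINT64_MAX >> 10))
        return -1;
    *bytes = kb << 10;
    return 0;
}

int main(void)
{
    uint64_t bytes = 0;

    /* The value written to buffer_size_kb in the commit message. */
    if (kb_to_bytes(18014398509481980ULL, &bytes) != 0)
        return 1;

    printf("size in bytes      : %llu\n", (unsigned long long)bytes);
    printf("two roundings  -> nr_pages = %llu\n",
           (unsigned long long)nr_pages_two_roundings(bytes));
    printf("one rounding   -> nr_pages = %llu\n",
           (unsigned long long)nr_pages_one_rounding(bytes));
    return 0;
}
```

The two-step version returns 0 pages for the message's input even though the byte count passed the two-page minimum; the single-step version returns the same page count the message derives after the first division.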

2 years agogpu: nvgpu: serialize debug session IOCTLs
Deepak Nibade [Mon, 23 Jan 2017 11:32:07 +0000]
gpu: nvgpu: serialize debug session IOCTLs

Hold debug_s->ioctl_lock for all debug session IOCTLs to prevent
multi-threaded user space IOCTL calls.
Debug session IOCTL calls are not thread-safe and hence this
serialization is required.

Bug 1832267
Bug 1832095
Bug 1849492

Change-Id: I847ac951601d4f0093546b592bdb8c8f00185317
Reviewed-on: http://git-master/r/1286436
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1292432
(cherry picked from commit d4629278161f2dc3c74e0f13c6ca08038355dd22)
Reviewed-on: http://git-master/r/1299511
(cherry picked from commit 6800b190bfb4ca00c5fef064b5a7ac2c65b8f4a4)
Reviewed-on: http://git-master/r/1311415
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agodts: darcy a08 dtb support
Martin Gao [Tue, 7 Feb 2017 05:02:52 +0000]
dts: darcy a08 dtb support

- a08 darcy sku uses AOTAG
- a07 and below uses NCT

Bug 1872194

Change-Id: I67145853db908bed1cca0bbcf736b51268a11c41
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1300969
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years agovideo: tegra: hdmi: Disable HDCP for BlackMagic
Aly Hirani [Fri, 3 Feb 2017 00:06:55 +0000]
video: tegra: hdmi: Disable HDCP for BlackMagic

BlackMagic 12G has a bug where it spams us with a constant stream of
hotplugs 130 ms apart if we enable HDCP. This stream of hotplugs ends up
as a "blank screen" since we are stuck in a loop of modeset and display
teardown.

Since it doesn't support HDCP, this change blacklists it from HDCP. Once
done, it never sends us a hotplug and the device works perfectly after.

Bug 1870842

Change-Id: Id93b7e9bb1e11ca0cb969c9a8179bae7b4c64072
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1298315
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>
Reviewed-by: Prafull Suryawanshi <prafulls@nvidia.com>

2 years agonet: wireless: bcmdhd_88: add more European country in wifi county code
Om Prakash Singh [Wed, 1 Feb 2017 11:16:18 +0000]
net: wireless: bcmdhd_88: add more European country in wifi county code

Bug 200275653

Change-Id: I0a952f421b2708d8a51b7fc77f2d126aa78f84c2
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1298339
Reviewed-by: Srinivas Ramachandran <srinivasra@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years agoarm64: dts: add more European country for Foster/Darcy
Om Prakash Singh [Wed, 1 Feb 2017 10:58:25 +0000]
arm64: dts: add more European country for Foster/Darcy

Bug 200275653

Change-Id: Ic19e438f9ab8be44b80528db352952d37b982e9e
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1298338
Reviewed-by: Srinivas Ramachandran <srinivasra@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years agoJarvis: Prevent crash with invalid input device
David DSH [Sat, 21 Jan 2017 02:02:47 +0000]
Jarvis: Prevent crash with invalid input device

Bug 1864174

Change-Id: I3c62d723bc15817c687a7c70567238825703bc19
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1291898
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Robert Shih <rshih@nvidia.com>
Tested-by: Robert Shih <rshih@nvidia.com>
(cherry picked from commit 27d75519b396282a2f688ce14fdb6a0491068b65)
Reviewed-on: http://git-master/r/1298934
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years agoDarcy: Increase pmic voltage of sd2
David DSH [Wed, 1 Feb 2017 04:08:44 +0000]
Darcy: Increase pmic voltage of sd2

Increase preregulator voltage pin SD2 that feeds into LDO

Bug 1869208

Change-Id: I02dba37caed0963ec0900147216731741635e4f7
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1296999
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years agogpu: nvgpu: sysfs node to read PMU state
Mahantesh Kumbar [Wed, 25 Jan 2017 10:00:45 +0000]
gpu: nvgpu: sysfs node to read PMU state

sysfs node to know PMU state whether PMU
boot completed & it's ready with state
"pmu->pmu_state == PMU_STATE_STARTED" to
process command request.

issue: enable/disable request for ELPG/AELPG
through sysfs node during init stage of boot process
causing PMU halt error due to unknown state of
PMU at boot time.

Fix: Provided node to read PMU state if ready then
send commands else wait till gets ready.

Bug 1865815

Change-Id: Idad4c5390fffafbe591658b85942e8c6c6d3afc8
Signed-off-by: Mahantesh Kumbar <mkumbar@nvidia.com>
Reviewed-on: http://git-master/r/1296823
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agonvgpu: disable elgp and clock gating via dt
Martin Gao [Fri, 27 Jan 2017 23:17:37 +0000]
nvgpu: disable elgp and clock gating via dt

Bug 1865815

Change-Id: Ibd151f775f51f7a299aa61af4fbb34287b1cae64
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1296821
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agogpu: nvgpu: elpg/aelpg sysfs update
Mahantesh Kumbar [Wed, 25 Jan 2017 07:38:47 +0000]
gpu: nvgpu: elpg/aelpg sysfs update

check g->power_on & pmu->pmu_state flags
to know the status of PMU whether ready to take
commands for PG request or not. If not ready
then update ELPG/AELPG global flags
used within kernel driver & skip sending
commands to PMU

issue: enable/disable request for ELPG/AELPG
through sysfs node during init stage of boot process
causing PMU halt error

Bug 1865815

Change-Id: I1c14d2ea4ac529e5782093569edde28e5da22325
Signed-off-by: Mahantesh Kumbar <mkumbar@nvidia.com>
Reviewed-on: http://git-master/r/1296820
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoRevert "Tegra210: increase vmin to increase reliability"
David Dastous St Hilaire [Fri, 20 Jan 2017 03:02:46 +0000]
Revert "Tegra210: increase vmin to increase reliability"

This reverts commit dee4048d8cb60b1ec497869a67edc826fac29104.

Bug 1828585

Change-Id: Iefbd4910b780f33fdab24bb1ed3ade066b08f0f7
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1296819
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Vinayak Pane <vpane@nvidia.com>

2 years agovideo: tegra: dc: Add quick for Vizio P series rel-24-uda-r1
Aly Hirani [Wed, 11 Jan 2017 07:29:58 +0000]
video: tegra: dc: Add quick for Vizio P series

The Vizio SmartCast P series 4K TVs fail 1/3 hotplugs with "No Signal".
Experiments showed that enabling HDMI 2.0 scrambling and HDCP at the
same time causes this failure from Vizio's side.

This change adds a WAR to introduce a 5 second delay after modeset to
start the hdcp (instead of the standard 100ms delay).

This change also adds edid quirks to limit the 5 second delay to only
the P cast series.

Bug ??

Change-Id: I96d1200afa20401d09ab5d1d2966ab24ac761b2b
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1283347
Reviewed-by: Mandar Padmawar <mpadmawar@nvidia.com>
Tested-by: Mandar Padmawar <mpadmawar@nvidia.com>

2 years agodrivers: wireless: bcmdhd_88: increase dpc_bound to 12ms
Srinivas Ramachandran [Wed, 4 Jan 2017 19:05:52 +0000]
drivers: wireless: bcmdhd_88: increase dpc_bound to 12ms

Increase dpc_bound to improve tx throughput

Bug 200266248

Change-Id: Iaef3d23f32b2b3ffafe3abd66429bb008ab57ad2
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1282300
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years agoiio: imu: NVI v.342 Fix ACC resume
Erik Lilliebjerg [Sun, 8 Jan 2017 23:48:17 +0000]
iio: imu: NVI v.342 Fix ACC resume

- Accelerometer sensor is HW disabled when suspending.  When resuming, if
  the gyroscope sensor is enabled first, it didn't account for HW enabling
  the accelerometer as well if previously enabled before suspending.  This
  was intermittent behavior depending on the wake source and resume timing
  of the external sensors on the auxiliary ports, as well as resume enable
  from user space.

Bug 200266677

Change-Id: Iada223304f7991d6da256a19a26cddd5ff20ec55
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1281847
(cherry picked from commit 427c6f17fbf810f399138627b5294a8bc602cafe)
Reviewed-on: http://git-master/r/1282259
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years agoiio: imu: nvi: Fix false error message
Erik Lilliebjerg [Sat, 31 Dec 2016 21:37:41 +0000]
iio: imu: nvi: Fix false error message

- Due to Invensense parts being register incompatible (even the HW ID),
  there were false error messages during the driver process of identifying
  the part.  This patch suppresses those error messages until the part is
  identified and the errors become legitimate.

Bug 200260974

Change-Id: Ibd7c6fe6e4b6424cfc2f7bf04f1a64405b03e539
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1278897
(cherry picked from commit 010a8eaf597e519d5c1a258bf0015c719e0928c6)
Reviewed-on: http://git-master/r/1282258
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years agoiio: imu: nvi: Fix coverity
Erik Lilliebjerg [Wed, 28 Dec 2016 13:41:15 +0000]
iio: imu: nvi: Fix coverity

- Fix bad shift.
- Fix uninitialized scalar variable.

Coverity ID: 38965
Coverity ID: 38966
Coverity ID: 38967
Coverity ID: 38968
Coverity ID: 38969
Coverity ID: 38971

Bug 200192580

Change-Id: I2a972f00a7097f61c943ad035dc23d50f9f8e2e7
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1277691
(cherry picked from commit 2f8d063e538089007d6b0c5234cce1229620ece0)
Reviewed-on: http://git-master/r/1281938
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years agoTegra210: increase vmin to increase reliability
David DSH [Fri, 6 Jan 2017 01:14:44 +0000]
Tegra210: increase vmin to increase reliability

Bug 1828585

Change-Id: I654bc0c0f7cb8dbb70dd0aed5c0ec664ac217dd9
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1280477
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoRevert "bcmdhd_88: save the firmware events in a file"
Bibhay Ranjan [Wed, 4 Jan 2017 07:00:30 +0000]
Revert "bcmdhd_88: save the firmware events in a file"

This reverts commit 5d5bcb34932dcc257067beb3d6c8a248c5c2c125.

Bug 200231321

Change-Id: I8adb48d6157bd4dfba40049a559e27da1fe407b2
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279949
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agoRevert "bcmdhd_88: increase timestamp array size"
Bibhay Ranjan [Wed, 4 Jan 2017 06:59:27 +0000]
Revert "bcmdhd_88: increase timestamp array size"

This reverts commit 125ef44ac4e4ea7f8d03f05b3a7aec15eb048708.

Bug 200231321

Change-Id: I4bbc875cf78988a38cee9f714d184955c74b0e96
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279948
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agoRevert "bcmdhd_88: add DHD_ERROR for nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:50 +0000]
Revert "bcmdhd_88: add DHD_ERROR for nv_logger"

This reverts commit 83275c2716e3f838a278b5ecfdb46fbe1b552d73.

Bug 200231321

Change-Id: I3bbf9ea2aaff4b421326d4b25c8e4c7ad741a493
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279947
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agoRevert "bcmdhd_88: improve data integrity of nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:04 +0000]
Revert "bcmdhd_88: improve data integrity of nv_logger"

This reverts commit 49308708221379d6749b0f596b1e0f1011a29d0c.

Bug 200231321

Change-Id: Ia51bdc77ae5c86b888a3ecabaf22d296473ae30f
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279946
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agoRevert "bcmdhd_88: disable nv_logger logging by default"
Bibhay Ranjan [Wed, 4 Jan 2017 06:56:18 +0000]
Revert "bcmdhd_88: disable nv_logger logging by default"

This reverts commit 1ee03ed037ac6576e6bf09b8228ec0b3f63f36d2.

Bug 200231321

Change-Id: I4cfbd01bf8d78a9604cd161f2c4f91f9fe43695a
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279945
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agosysedp_reactive_capping: Fix warning string check
Anand Prasad [Wed, 28 Dec 2016 19:45:29 +0000]
sysedp_reactive_capping: Fix warning string check

The current implementation incorrectly checks if a pointer value is
NULL when actually referencing an array.
Instead, use a pointer to read the threshold warning string from
device-tree so that the pointer NULL check now works.

Bug 200266221

Change-Id: Iff9e43780534cf43e93b489c7ebe150fdf4ac437
Signed-off-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-on: http://git-master/r/1277816
(cherry picked from commit 29d326af77ad71f6e61ce6e6e35eac6626500a72)
Reviewed-on: http://git-master/r/1279362
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

2 years agoCIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE
Federico Sauter [Tue, 17 Mar 2015 16:45:28 +0000]
CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE

This patch fixes a race condition that occurs when connecting
to a NT 3.51 host without specifying a NetBIOS name.
In that case a RFC1002_NEGATIVE_SESSION_RESPONSE is received
and the SMB negotiation is reattempted, but under some conditions
it leads SendReceive() to hang forever while waiting for srv_mutex.
This, in turn, sets the calling process to an uninterruptible sleep
state and makes it unkillable.

The solution is to unlock the srv_mutex acquired in the demux
thread *before* going to sleep (after the reconnect error) and
before reattempting the connection.

Bug 200266605

Change-Id: I168f4977192307dd859f83d6850bdd1eecf27dfe
(cherry picked from commit 4afe260bab50290a05e5732570329a530ed023f3)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1277404
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years agoALSA: hda: Allow 8ch/192k for HD capable sinks
Ashok Mudithanapalli [Fri, 23 Dec 2016 12:03:04 +0000]
ALSA: hda: Allow 8ch/192k for HD capable sinks

If the sink is DTSHD/MLP decode capable, but not supporting
8ch/192k in its ELD, ALSA card doesn't add these in supported
rates & ch. Add these in ALSA card for HD decode capable sinks,
so that user-space can open pcm device and play HD content.

Bug 200261363

Change-Id: Ia979868f27a740abcb16b1fea37fd9684779d4be
Signed-off-by: Ashok Mudithanapalli <ashokm@nvidia.com>
Reviewed-on: http://git-master/r/1276193
GVS: Gerrit_Virtual_Submit
Reviewed-by: Rahul Mittal <rmittal@nvidia.com>
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
(cherry picked from commit fde817178e6bf99ea0d161d0175f0e69a5881d6a)
Reviewed-on: http://git-master/r/1277059
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Sanjay Singh Chauhan <schauhan@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>