9 months ago  mmc: core: Set clock before speed mode switch  l4t/l4t-r24.2.3 tegra-l4t-r24.2.3.update-01
Aniruddha Tvs Rao [Thu, 9 Aug 2018 04:59:49 +0000]
mmc: core: Set clock before speed mode switch

Set clock to mx_dtr before switching to high speed mode to
avoid chances of CRC errors for send status command after bus speed
mode switch.

Bug 200281075
Bug 200391328

Change-Id: I355134516f700a6fd44876f29cb356bc57a4fa7f
Signed-off-by: Aniruddha Tvs Rao <anrao@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1795592
Reviewed-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>

9 months ago  mmc: tegra: Set DQS trim delay by default
Pavan Kunapuli [Wed, 21 Feb 2018 08:52:12 +0000]
mmc: tegra: Set DQS trim delay by default

Setting DQS trim delay after configuring HS400 mode could result in
glitch on the pads resulting in CMD/DATA transfer failures. To avoid this,
set DQS trim delay by default while initialising the host.

Bug 200281075
Bug 200391328

Change-Id: I8d096eddb4542a0489ceb3f5deb31c64423f039b
Signed-off-by: Pavan Kunapuli <pkunapuli@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1794857
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Aniruddha Tvs Rao <anrao@nvidia.com>
Tested-by: Aniruddha Tvs Rao <anrao@nvidia.com>
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>

9 months ago  mmc: core: Run post init after enabling HS400 mode
Pavan Kunapuli [Thu, 1 Mar 2018 10:44:05 +0000]
mmc: core: Run post init after enabling HS400 mode

Run post init after enabling HS400 mode to handle any
required init on the host controller for eMMC bus to work
in the configured bus speed mode.
As per recommendation from ASIC, do not issue send status command
until eMMC initialisation is completed.

Bug 2069492
Bug 200281075
Bug 200391328

Change-Id: I7286a2d566f9aa88956afce3e0f14d861cd0042f
Signed-off-by: Pavan Kunapuli <pkunapuli@nvidia.com>
Signed-off-by: R Raj Kumar <rrajk@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1792995
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Aniruddha Tvs Rao <anrao@nvidia.com>
Tested-by: Aniruddha Tvs Rao <anrao@nvidia.com>
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>

9 months ago  t210: dt: Enable eMMC enhanced strobe mode
Aniruddha Tvs Rao [Tue, 15 May 2018 05:58:52 +0000]
t210: dt: Enable eMMC enhanced strobe mode

Add required dt property to enable enhanced
strobe mode on t210 platforms.

Bug 200281075

Change-Id: I5bb27eef24916e1746535e9a6b9a7b1d5cd567a5
Signed-off-by: Aniruddha Tvs Rao <anrao@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1719133
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>
(cherry picked from commit 7b6c59d8e5e32ce656abb6f00b1dbe9689568b42)
Reviewed-on: https://git-master.nvidia.com/r/1787785
GVS: Gerrit_Virtual_Submit
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>

13 months ago  t210: tegra-fuse: correct the fuse offsets  l4t/l4t-r24.2 tegra-l4t-r24.2.3
Shardar Shariff Md [Tue, 23 Aug 2016 12:17:05 +0000]
t210: tegra-fuse: correct the fuse offsets

Correct the fuse offsets for device_key, device_selection, reserved_sw
and arm_jtag_disable fuses

Bug 200214601

Change-Id: I52cbd48182cd8e3d9b8e76ec65cd43437c9ed05a
Signed-off-by: Shardar Shariff Md <smohammed@nvidia.com>
Reviewed-on: http://git-master/r/1206366
(cherry picked from commit cb417897f5e103bfc4e37ecf4e030883c15d2f72)
Reviewed-on: http://git-master/r/1208300
Reviewed-on: https://git-master.nvidia.com/r/1494422
GVS: Gerrit_Virtual_Submit
Reviewed-by: Martin Chi <mchi@nvidia.com>
Tested-by: Martin Chi <mchi@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  arm64: make sys_call_table const
Mark Rutland [Thu, 8 Jan 2015 11:42:59 +0000]
arm64: make sys_call_table const

As with x86, mark the sys_call_table const such that it will be placed
in the .rodata section. This will cause attempts to modify the table
(accidental or deliberate) to fail when strict page permissions are in
place. In the absence of strict page permissions, there should be no
functional change.

Bug 1836932

Change-Id: I1b8da149e9a117663b63bb5df0c348ff5ad8a12d
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1260568
(cherry picked from commit 346c7bd778ef0ec475cef174f1b455fa01b516d4)
Reviewed-on: https://git-master.nvidia.com/r/1694045
GVS: Gerrit_Virtual_Submit
Reviewed-by: Prabhu Kuttiyam <pkuttiyam@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  staging/android/ion : fix a race condition in the ion driver
EunTaik Lee [Wed, 24 Feb 2016 04:38:06 +0000]
staging/android/ion : fix a race condition in the ion driver

There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()
function.

A handle has a ref count of 1 and two tasks on different
cpus call ION_IOC_FREE simultaneously.

cpu 0                                   cpu 1
-------------------------------------------------------
ion_handle_get_by_id()
(ref == 2)
                            ion_handle_get_by_id()
                            (ref == 3)

ion_free()
(ref == 2)

ion_handle_put()
(ref == 1)

                            ion_free()
                            (ref == 0 so ion_handle_destroy() is
                            called
                            and the handle is freed.)

                            ion_handle_put() is called and it
                            decreases the slub's next free pointer

The problem is detected as an unaligned access in the
spin lock functions since it uses the load exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer (kmalloc returns a pointer like
ffffc0745b4580aa). And it causes lots of other
hard-to-debug problems.

This symptom is caused since the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been
freed.

To fix this problem, the client->lock mutex is extended
to protect all the code that uses the handle.

Bug 1836932

Change-Id: I45abd9dd1f696105a7840a25ba4a594b5af4fa65
Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1260541
(cherry picked from commit cde60b4e09dcff7942ab9bd703c435d5b62dd104)
Reviewed-on: https://git-master.nvidia.com/r/1694046
GVS: Gerrit_Virtual_Submit
Reviewed-by: Prabhu Kuttiyam <pkuttiyam@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  percpu: fix synchronization between synchronous map extension and chunk destruction
Tejun Heo [Wed, 25 May 2016 15:48:25 +0000]
percpu: fix synchronization between synchronous map extension and chunk destruction

For non-atomic allocations, pcpu_alloc() can try to extend the area
map synchronously after dropping pcpu_lock; however, the extension
wasn't synchronized against chunk destruction and the chunk might get
freed while extension is in progress.

This patch fixes the bug by putting most of non-atomic allocations
under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
is responsible for async chunk management including destruction.

Bug 1836932

Change-Id: I1031ca004b5487bc7c6d57db15863e5c847946b4
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1260507
(cherry picked from commit 48478a55ba97f012e34c6801f78912d58da67132)
Reviewed-on: https://git-master.nvidia.com/r/1694050
GVS: Gerrit_Virtual_Submit
Reviewed-by: Prabhu Kuttiyam <pkuttiyam@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  perf: Fix event->ctx locking
Peter Zijlstra [Fri, 23 Jan 2015 11:24:14 +0000]
perf: Fix event->ctx locking

There have been a few reported issues wrt. the lack of locking around
changing event->ctx. This patch tries to address those.

It avoids the whole rwsem thing; and while it appears to work, please
give it some thought in review.

What I did fail at is sensible runtime checks on the use of
event->ctx, the RCU use makes it very hard.

Bug 1836932

Change-Id: Ia307722c251bb9a058df98f2061625cfcace984c
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1260590
Reviewed-on: https://git-master.nvidia.com/r/1696753
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  ext4: fix use after free in __ext4_journal_stop
Amulya Y [Thu, 5 Apr 2018 22:06:13 +0000]
ext4: fix use after free in __ext4_journal_stop

There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.

Bug 1823317

Change-Id: Ib6fe50ed8013943d5fc3459eb499ecda5533c6ef
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259975
(cherry picked from commit 3c15c37dc613cb75339f8e0d546ab30643e65b84)
Reviewed-on: https://git-master.nvidia.com/r/1689577
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  perf: Fix race in swevent hash
Amulya Y [Thu, 5 Apr 2018 21:58:38 +0000]
perf: Fix race in swevent hash

There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.

Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.

When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.

Bug 1823317
Bug 1935735

Change-Id: I309528873f8576f96663afbe51ce2739934df16c
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259934
(cherry picked from commit 5ea640855404df656d94bfa3990d8eba2b5f90f9)
Reviewed-on: https://git-master.nvidia.com/r/1689560
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  HID: core: prevent out-of-bound readings
Amulya Y [Thu, 5 Apr 2018 21:49:07 +0000]
HID: core: prevent out-of-bound readings

Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.

The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.

Bug 1823317
Bug 1935735

Change-Id: Ib3ba92572acbdd4c9ec265e54a45f92606107700
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259928
(cherry picked from commit fbc389a39540e177bfa4d49b9214dfe408ef2d4a)
Reviewed-on: https://git-master.nvidia.com/r/1689557
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  proc: prevent /proc/PID/environ access until ready
Amulya Y [Thu, 5 Apr 2018 21:40:20 +0000]
proc: prevent /proc/PID/environ access until ready

If /proc/<PID>/environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing to read beyond the end of what has been written.

Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
zero.  It is, apparently, intentionally set last in create_*_tables().

This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.

The expected consequence is that userland trying to access
/proc/<PID>/environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment
variables.

Bug 1823317
Bug 1935735

Change-Id: I38356eb68ffd1294f1f1250fb328bd01a3b37158
Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: Pax Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Mateusz Guzik <mguzik@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259930
(cherry picked from commit 78d40f25b8e090782ca6b0c6051020557d373c92)
Reviewed-on: https://git-master.nvidia.com/r/1689554
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  cgroup: Correct the address format specifier
Amulya Y [Thu, 5 Apr 2018 21:30:07 +0000]
cgroup: Correct the address format specifier

The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system
settings. The fix is designed to use %pK instead
of %p, which also evaluates whether
kptr_restrict is set.

Bug 1823317
Bug 1935735

Change-Id: I19dc309e7f5341663add987f5d0b47ee32e1be50
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1260110
(cherry picked from commit d018ef6518a7527562bedae1eab86838cfcc0570)
Reviewed-on: https://git-master.nvidia.com/r/1689551
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  tty: Prevent ldisc drivers from re-using stale tty fields
Peter Hurley [Fri, 27 Nov 2015 19:30:21 +0000]
tty: Prevent ldisc drivers from re-using stale tty fields

Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].

Harden the ldisc interface against misuse by initializing relevant
tty fields before instancing the new line discipline.

[1]
    commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
    Author: Tilman Schmidt <tilman@imap.cc>
    Date:   Tue Jul 14 00:37:13 2015 +0200

    isdn/gigaset: reset tty->receive_room when attaching ser_gigaset

[2] Report from Sasha Levin <sasha.levin@oracle.com>
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Bug 1823317
Bug 1935735

Change-Id: Ica54faa9334c587594cc19bc9da007340fda672d
Cc: Tilman Schmidt <tilman@imap.cc>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259925
(cherry picked from commit 2b1401855a2bdd31556a93feba50dd0dc0bb70e8)
Reviewed-on: https://git-master.nvidia.com/r/1689529
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  audit: fix a double fetch in audit_log_single_execve_arg()
Paul Moore [Tue, 19 Jul 2016 21:42:57 +0000]
audit: fix a double fetch in audit_log_single_execve_arg()

There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) arguments for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1].  Of course this leaves a window of
opportunity for an unsavory application to munge with the data.

This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
record(s).  In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).

As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:

 * https://github.com/linux-audit/audit-testsuite/issues/25

[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.

[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data.  I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation).  The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.

Bug 1823317
Bug 1935735

Change-Id: I500834e1e699cb43d207333fa91292673de54933
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1261377
(cherry picked from commit 1cc418b165a23b352e06aa5ab66a2d1e1a942a98)
Reviewed-on: https://git-master.nvidia.com/r/1689521
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
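
As an added illustration of the double-fetch problem this commit message describes (example code, not the kernel's code and not the author's patch), the following user-space model simulates copy_from_user() with a fetch that can return different bytes on successive calls, and shows why the "bad character" scan and the logging must work from one buffer. The user_views strings, fetch_user_arg(), run_double_fetch(), run_single_fetch() and record_is_consistent() are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ARG_MAX_LEN 64

/* Constructed sample of what a racing user task exposes to successive
 * fetches: the first view passes the "bad character" check, the second
 * contains a tab, which audit must hex-encode. */
static const char *user_views[] = { "safe_arg", "bad\targ" };
static int fetch_count;

/* Stand-in for copy_from_user(): each call may observe different bytes,
 * because the (simulated) user task rewrites the argument between calls. */
static void fetch_user_arg(char *dst, size_t n)
{
    const char *src = user_views[fetch_count == 0 ? 0 : 1];
    fetch_count++;
    snprintf(dst, n, "%s", src);
}

/* Audit's rule: control chars, '"' and non-printable bytes force hex encoding. */
static bool needs_hex_encoding(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x21 || c > 0x7e || c == '"')
            return true;
    }
    return false;
}

/* Format one argument into the record: quoted string or hex string. */
static void emit(char *out, size_t n, const char *arg, bool hex)
{
    if (!hex) {
        snprintf(out, n, "\"%s\"", arg);
        return;
    }
    size_t pos = 0;
    for (; *arg && pos + 3 <= n; arg++)
        pos += (size_t)snprintf(out + pos, n - pos, "%02X", (unsigned char)*arg);
}

static char record[4 * ARG_MAX_LEN];

/* Buggy pattern (pre-fix): one fetch to decide on encoding, a second fetch
 * to log, so the encoding decision and the logged bytes can disagree. */
const char *run_double_fetch(void)
{
    char buf[ARG_MAX_LEN];
    fetch_count = 0;
    fetch_user_arg(buf, sizeof buf);           /* fetch #1: scan for bad chars */
    bool hex = needs_hex_encoding(buf);
    fetch_user_arg(buf, sizeof buf);           /* fetch #2: bytes actually logged */
    emit(record, sizeof record, buf, hex);
    return record;
}

/* Fixed pattern: fetch once into a kernel buffer and both scan and log from
 * that buffer. first_view selects which user view the single fetch observes. */
const char *run_single_fetch(int first_view)
{
    char buf[ARG_MAX_LEN];
    fetch_count = first_view;
    fetch_user_arg(buf, sizeof buf);
    emit(record, sizeof record, buf, needs_hex_encoding(buf));
    return record;
}

/* A record is consistent when it is either an all-hex string or a quoted
 * string whose contents would not have required hex encoding. */
bool record_is_consistent(const char *rec)
{
    size_t len = strlen(rec);
    if (len >= 2 && rec[0] == '"' && rec[len - 1] == '"') {
        char inner[4 * ARG_MAX_LEN];
        snprintf(inner, sizeof inner, "%.*s", (int)(len - 2), rec + 1);
        return !needs_hex_encoding(inner);
    }
    for (const char *p = rec; *p; p++)
        if (!strchr("0123456789ABCDEF", *p))
            return false;
    return len > 0;
}

int main(void)
{
    printf("double fetch: %s (%s)\n", run_double_fetch(),
           record_is_consistent(record) ? "consistent" : "INCONSISTENT");
    printf("single fetch: %s (%s)\n", run_single_fetch(1),
           record_is_consistent(record) ? "consistent" : "INCONSISTENT");
    return 0;
}
```

With the double fetch the record ends up as a quoted string containing a raw tab, which is exactly the malformed audit record the single-buffer rework prevents.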

13 months ago  af_unix: Guard against other == sk in unix_dgram_sendmsg
Rainer Weikusat [Thu, 11 Feb 2016 19:37:27 +0000]
af_unix: Guard against other == sk in unix_dgram_sendmsg

The unix_dgram_sendmsg routine uses the following test

if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {

to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add an other != sk
check to guard against this.

Bug 1823317

Change-Id: I5b8f74348f82b4a84a3e01a93c58c49829b26efa
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259949
(cherry picked from commit 68a171695a57acd9b63c18ef2700e74ce0713993)
Reviewed-on: https://git-master.nvidia.com/r/1689516
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream()...
Vladis Dronov [Thu, 31 Mar 2016 16:05:43 +0000]
ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call

create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.

This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.

Based on a patch by Takashi Iwai <tiwai@suse.de>

[Note for stable backports:
 this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
 code cleanup in create_fixed_stream_quirk()')]

Bug 1823317
Bug 1935735

Change-Id: I4f65a902a19e7b21e8bc0fa21efd833c8360a3cf
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: <stable@vger.kernel.org> # see the note above
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259999
(cherry picked from commit 14e09c3233fb7578c778b70ec3933ba5cadfccb6)
Reviewed-on: https://git-master.nvidia.com/r/1689503
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago  block: fix use-after-free in seq file
Vegard Nossum [Fri, 29 Jul 2016 08:40:31 +0000]
block: fix use-after-free in seq file

I got a KASAN report of use-after-free:

    ==================================================================
    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
    Read of size 8 by task trinity-c1/315
    =============================================================================
    BUG kmalloc-32 (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
            ___slab_alloc+0x4f1/0x520
            __slab_alloc.isra.58+0x56/0x80
            kmem_cache_alloc_trace+0x260/0x2a0
            disk_seqf_start+0x66/0x110
            traverse+0x176/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a
    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
            __slab_free+0x17a/0x2c0
            kfree+0x20a/0x220
            disk_seqf_stop+0x42/0x50
            traverse+0x3b5/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a

    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G    B           4.7.0+ #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
    Call Trace:
     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
     [<ffffffff814704ff>] object_err+0x2f/0x40
     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
     [<ffffffff814b8de6>] do_preadv+0x126/0x170
     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

open()
 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Bug 1823317
Bug 1935735

Change-Id: Ic3f82ef82c570866b48c5ea8e195d8e504570d80
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259961
(cherry picked from commit 9d4a4a8711e9570c3ead013b64ff6e8bad05afbc)
Reviewed-on: https://git-master.nvidia.com/r/1689504
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
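
An added user-space model of the open()/pread()/seq_start()/seq_stop() sequence above (example code, not the block layer's own): iterator allocation can be made to fail on demand, and stop() is invoked after a failed start() just as the seq_file core does, so the stale private pointer is observable with the pre-fix stop() and gone with the fixed one. The pool-based iter_alloc()/iter_free(), the in_use flag and replay_two_reads() are constructed stand-ins for kmalloc()/kfree(), KASAN and the two reads.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal model of struct seq_file: only the private pointer matters here. */
struct seq_file {
    void *private;
};

/* Stand-in for struct class_dev_iter, handed out from a fixed pool so a
 * freed object can be recognised deterministically (no real UB). */
struct dev_iter {
    int cursor;
    bool in_use;
};

#define POOL 4
static struct dev_iter pool[POOL];
static bool fail_next_alloc;   /* fault injection for the kmalloc() in start() */

static struct dev_iter *iter_alloc(void)
{
    if (fail_next_alloc) {
        fail_next_alloc = false;
        return NULL;
    }
    for (int i = 0; i < POOL; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].cursor = 0;
            return &pool[i];
        }
    }
    return NULL;
}

static void iter_free(struct dev_iter *it)
{
    it->in_use = false;
}

/* Model of class_dev_iter_exit(): -1 when handed an already freed iterator,
 * which is the access KASAN flagged inside klist_iter_exit(). */
static int iter_exit(struct dev_iter *it)
{
    return it->in_use ? 0 : -1;
}

/* .seq_start: allocate the iterator and park it in seqf->private. */
static void *seq_start(struct seq_file *seqf)
{
    struct dev_iter *it = iter_alloc();
    if (!it)
        return NULL;
    seqf->private = it;
    return it;
}

/* Pre-fix .seq_stop: tears down whatever private holds but never clears it. */
int seq_stop_buggy(struct seq_file *seqf)
{
    struct dev_iter *it = seqf->private;
    if (!it)
        return 0;
    int rc = iter_exit(it);
    iter_free(it);
    return rc;
}

/* Fixed .seq_stop: reset private to NULL so a later failed start() cannot
 * leave a dangling pointer for the next stop() to use. */
int seq_stop_fixed(struct seq_file *seqf)
{
    struct dev_iter *it = seqf->private;
    if (!it)
        return 0;
    int rc = iter_exit(it);
    iter_free(it);
    seqf->private = NULL;
    return rc;
}

/* Replays the commit message's sequence: one successful read, then a read
 * whose start() allocation fails. stop() runs even when start() failed,
 * exactly as the seq_file core does. Returns 0, or -1 on a stale-pointer use. */
int replay_two_reads(int (*stop)(struct seq_file *))
{
    struct seq_file seqf = { .private = NULL };
    int rc = 0;

    seq_start(&seqf);          /* first pread(): iterator allocated */
    rc |= stop(&seqf);         /* ... and freed */

    fail_next_alloc = true;
    seq_start(&seqf);          /* second pread(): kmalloc() fails */
    rc |= stop(&seqf);         /* stop still runs: boom with the old pointer */
    return rc;
}
```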

13 months ago  block: fix use-after-free in sys_ioprio_get()
Omar Sandoval [Fri, 1 Jul 2016 07:39:35 +0000]
block: fix use-after-free in sys_ioprio_get()

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

#include <assert.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

int main(int argc, char **argv)
{
    pid_t pid, child;
    long nproc, i;

    /* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
    syscall(SYS_ioprio_set, 1, 0, 0x6000);

    nproc = sysconf(_SC_NPROCESSORS_ONLN);

    for (i = 0; i < nproc; i++) {
        /* one child per CPU that forks and reaps short-lived tasks forever */
        pid = fork();
        assert(pid != -1);
        if (pid == 0) {
            for (;;) {
                pid = fork();
                assert(pid != -1);
                if (pid == 0) {
                    _exit(0);
                } else {
                    child = wait(NULL);
                    assert(child == pid);
                }
            }
        }

        /* one child per CPU that queries the process group's ioprio forever */
        pid = fork();
        assert(pid != -1);
        if (pid == 0) {
            for (;;) {
                /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
                syscall(SYS_ioprio_get, 2, 0);
            }
        }
    }

    for (;;) {
        /* ioprio_get(IOPRIO_WHO_PGRP, 0); */
        syscall(SYS_ioprio_get, 2, 0);
    }

    return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009]  ___slab_alloc+0x55d/0x5a0
[   35.530009]  __slab_alloc.isra.20+0x2b/0x40
[   35.530009]  kmem_cache_alloc_node+0x84/0x200
[   35.530009]  create_task_io_context+0x2b/0x370
[   35.530009]  get_task_io_context+0x92/0xb0
[   35.530009]  copy_process.part.8+0x5029/0x5660
[   35.530009]  _do_fork+0x155/0x7e0
[   35.530009]  SyS_clone+0x19/0x20
[   35.530009]  do_syscall_64+0x195/0x3a0
[   35.530009]  return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009]  __slab_free+0x27b/0x3d0
[   35.530009]  kmem_cache_free+0x1fb/0x220
[   35.530009]  put_io_context+0xe7/0x120
[   35.530009]  put_io_context_active+0x238/0x380
[   35.530009]  exit_io_context+0x66/0x80
[   35.530009]  do_exit+0x158e/0x2b90
[   35.530009]  do_group_exit+0xe5/0x2b0
[   35.530009]  SyS_exit_group+0x1d/0x20
[   35.530009]  entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Bug 1823317
Bug 1935735

Change-Id: If331a4574b63e9288d1019c45c28af82731e9abb
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259972
(cherry picked from commit 15e376e5d8b1399d02814cf8b1481f7ac40dc483)
Reviewed-on: https://git-master.nvidia.com/r/1689507
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago - sg: Fix double-free when drives detach during SG_IO
Calvin Owens [Fri, 30 Oct 2015 23:57:00 +0000]
sg: Fix double-free when drives detach during SG_IO

In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().

Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.

This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:

  ------------[ cut here ]------------
  kernel BUG at block/blk-core.c:1420!
  Call Trace:
  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
  [<ffffffff81602afb>] tracesys+0xdd/0xe2
    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free
it.

Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Bug 1823317
Bug 1935735

Change-Id: I883243dce583cd79e28facaa2cdd81157b293d74
Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259958
(cherry picked from commit b49da4529988ca02bddaed8091a7f5e91105970a)
Reviewed-on: https://git-master.nvidia.com/r/1689513
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
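
A user-space model of the double free described above and of the two-part fix, added here as an example rather than taken from the sg patch: the `struct request`, the slot pool and the function names are constructed stand-ins, and only the shape of the buggy branch and of the fix (release a heap-backed `cmd` yourself because the completion callback will never run, then clear `srp->rq` so the common cleanup has nothing to release) follows the commit message. The same rule, clear the cached pointer once its object is freed, is what the xc2028 fix further down applies to its firmware name.

```c
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

#define MAX_SLOTS      8
#define INLINE_CMD_LEN 16   /* stands in for the size of rq->__cmd */

/* Tracked allocator for the demo: a second release of an already-freed block is
 * counted instead of executed, so the buggy path runs to completion without
 * corrupting the real heap. Freed memory is kept, never reused, so a stale
 * pointer stays identifiable, which is what lets the model mirror the kernel. */
static void *slots[MAX_SLOTS];
static int   slot_live[MAX_SLOTS];
static int   double_frees;

static void *pool_alloc(size_t n)
{
    for (int i = 0; i < MAX_SLOTS; i++)
        if (!slots[i]) { slots[i] = calloc(1, n); slot_live[i] = 1; return slots[i]; }
    return NULL;
}

static void pool_free(void *p)
{
    for (int i = 0; p && i < MAX_SLOTS; i++) {
        if (slots[i] != p) continue;
        if (!slot_live[i]) double_frees++;   /* the real block layer BUG()s here */
        slot_live[i] = 0;
        return;
    }
}

static int pool_live(void)
{
    int n = 0;
    for (int i = 0; i < MAX_SLOTS; i++) n += slot_live[i];
    return n;
}

static void pool_reset(void)
{
    for (int i = 0; i < MAX_SLOTS; i++) { free(slots[i]); slots[i] = NULL; slot_live[i] = 0; }
    double_frees = 0;
}

/* Block-layer and sg objects, reduced to the two fields the bug involves. */
struct request    { char inline_cmd[INLINE_CMD_LEN]; char *cmd; };
struct sg_request { struct request *rq; };

static struct request *blk_get_request(size_t cmd_len)
{
    struct request *rq = pool_alloc(sizeof *rq);
    rq->cmd = cmd_len > INLINE_CMD_LEN ? pool_alloc(cmd_len) : rq->inline_cmd;
    return rq;
}

static void blk_put_request(struct request *rq) { pool_free(rq); }

/* sg_finish_rem_req() stand-in: the normal owner of rq and of a heap-backed cmd. */
static void finish_rem_req(struct sg_request *srp)
{
    if (!srp->rq) return;
    if (srp->rq->cmd != srp->rq->inline_cmd)
        pool_free(srp->rq->cmd);
    blk_put_request(srp->rq);
}

/* sg_common_write() stand-in on the "device detached during SG_IO" branch.
 * fixed == 0 reproduces the original bug; fixed == 1 applies the commit's change. */
static int common_write_detached(struct sg_request *srp, int fixed)
{
    if (!fixed) {
        blk_put_request(srp->rq);        /* rq released, but srp->rq still points at it */
    } else {
        if (srp->rq->cmd != srp->rq->inline_cmd)
            pool_free(srp->rq->cmd);     /* sg_rq_end_io() will never run to do this */
        blk_put_request(srp->rq);
        srp->rq = NULL;                  /* nothing left for finish_rem_req() to release */
    }
    finish_rem_req(srp);
    return -ENODEV;
}

/* One detach scenario: returns the double frees observed; leaks show in pool_live(). */
static int run_detach(size_t cmd_len, int fixed)
{
    pool_reset();
    struct sg_request srp = { .rq = blk_get_request(cmd_len) };
    common_write_detached(&srp, fixed);
    return double_frees;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++)
        for (size_t len = 6; len <= 32; len += 26) {   /* inline CDB, then heap CDB */
            int df = run_detach(len, fixed);
            printf("%s path, cmd_len=%zu: double frees=%d, live blocks after=%d\n",
                   fixed ? "fixed" : "buggy", len, df, pool_live());
        }
    return 0;
}
```

Build with `cc -std=c99 -Wall sg_detach_model.c`. The buggy path reports one double free for both the inline and the heap-backed command, and the model's read of `rq->cmd` through the stale pointer is exactly the "freeing rq->cmd in the already free rq object" the commit message describes; in the real driver that second `blk_put_request()` is the `kernel BUG at block/blk-core.c:1420` in the trace rather than a counter.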

13 months ago - [media] xc2028: avoid use after free
Mauro Carvalho Chehab [Thu, 28 Jan 2016 11:22:44 +0000]
[media] xc2028: avoid use after free

If struct xc2028_config is passed without a firmware name,
the following trouble may happen:

[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G        W      ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------

[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012]  ___slab_alloc+0x581/0x5b0
[11009.908014]  __slab_alloc+0x51/0x90
[11009.908017]  __kmalloc+0x27b/0x350
[11009.908022]  xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026]  usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029]  usb_submit_urb+0xb0e/0x1200
[11009.908032]  usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035]  usb_serial_generic_write+0x92/0xc0
[11009.908039]  usb_console_write+0x38a/0x560
[11009.908045]  call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051]  console_unlock+0x40d/0x900
[11009.908056]  vprintk_emit+0x4b4/0x830
[11009.908061]  vprintk_default+0x1f/0x30
[11009.908064]  printk+0x99/0xb5
[11009.908067]  kasan_report_error+0x10a/0x550
[11009.908070]  __asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077]  __slab_free+0x2ec/0x460
[11009.908080]  kfree+0x266/0x280
[11009.908083]  xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086]  xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090]  em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094]  em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098]  em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101]  em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105]  em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108]  do_one_initcall+0x141/0x300
[11009.908111]  do_init_module+0x1d0/0x5ad
[11009.908114]  load_module+0x6666/0x9ba0
[11009.908117]  SyS_finit_module+0x108/0x130
[11009.908120]  entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x          (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001

[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00  ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff  ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G    B   W       4.5.0-rc1+ #43
[11009.908140] Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142]  ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148]  ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153]  ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162]  [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165]  [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168]  [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171]  [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182]  [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185]  [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189]  [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192]  [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196]  [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200]  [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203]  [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206]  [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211]  [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215]  [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219]  [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222]  [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226]  [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230]  [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233]  [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238]  [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242]  [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245]  [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249]  [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253]  [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260]  [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264]  [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268]  [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275]  [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278]  [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292]  [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299]  [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302]  [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306]  [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309]  [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314]  [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317]  [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320]  [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324]  [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327]  [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330]  [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346]  [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350]  [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353]  [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356]  [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361]  [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366]  [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369]  [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374]  [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377]  [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379]  [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383]  [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394]  [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398]  ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401]  ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405]                                            ^
[11009.908407]  ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409]  ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================

In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.

Bug 1823317
Bug 1935735

Change-Id: I1825fc7eb08bd458ed5413fea8b47de539c9b23f
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1689515
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago - tcp: fix use after free in tcp_xmit_retransmit_queue()
Eric Dumazet [Wed, 17 Aug 2016 12:56:26 +0000]
tcp: fix use after free in tcp_xmit_retransmit_queue()

When tcp_sendmsg() allocates a fresh and empty skb, it puts it
at the tail of the write queue using tcp_add_write_queue_tail()

Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and we can
leave a dangling pointer (to a freed skb).

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Bug 1823317
Bug 1935735

Change-Id: I9bf709b21e5637f338c34d894617f33d84f93ecc
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1260003
(cherry picked from commit 0c20962647685008dfc6a15fb8a2169ed2abafe6)
Reviewed-on: https://git-master.nvidia.com/r/1689499
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago - staging: ion: Fix ION subsystem privilege vulnerability
Gagan Grover [Fri, 25 Nov 2016 12:28:44 +0000]
staging: ion: Fix ION subsystem privilege vulnerability

A malicious application can take advantage of the ION kmalloc heap
to create a specific memory chunk size to exercise a rowhammer
attack on the physical hardware.

The fix is designed to disable ION heap type.

CVE-2016-6728: A-30400942

Bug 1823317

Change-Id: I6b6d891a85da0c175f88cc1a3e48875796db80d4
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1689490
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago - gpu: nvgpu: Validate buffer_offset argument
skadamati [Thu, 28 Sep 2017 06:51:28 +0000]
gpu: nvgpu: Validate buffer_offset argument

Validate the mapping_size argument in the VM mapping IOCTL before
attempting to use the argument for anything.

Manual Cherry pick - https://git-master.nvidia.com/r/1547046

Bug 1954931
Bug 1993254
Bug 200288656

Change-Id: I81b22dc566c6c6f89e5e62604ce996376b33a343
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1547046
Signed-off-by: skadamati <skadamati@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1569976
(cherry picked from commit 84c14d463b613b6f29455295f27683821a78dce9)
Reviewed-on: https://git-master.nvidia.com/r/1584264
(cherry picked from commit 25e2877d988453dc29bd1573e6d8f8b566bce170)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1606956
Reviewed-on: https://git-master.nvidia.com/r/1632961
(cherry picked from commit aa3a7d24153973653f9a278baa67fea3475fa9c3)
Reviewed-on: https://git-master.nvidia.com/r/1606103
GVS: Gerrit_Virtual_Submit
Tested-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months ago - arm: define speculation barrier
Jeetesh Burman [Wed, 14 Feb 2018 06:20:57 +0000]
arm: define speculation barrier

The instruction sequence "dsb sy" followed by "isb" functions as
a speculation barrier, which prevents the instructions after that
from being speculatively executed.

bug 2039126

Change-Id: I9eaec78aad2ac0f6b690e17698e08c52854eff4c
Signed-off-by: Bo Yan <byan@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1618222
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650093
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit f125c60045878513902cac4a084fde9a516eb3e2)
Reviewed-on: https://git-master.nvidia.com/r/1689113
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Tested-by: Matthew Pedro <mapedro@nvidia.com>

13 months ago - Documentation: Document array_index_nospec
Mark Rutland [Tue, 30 Jan 2018 01:02:16 +0000]
Documentation: Document array_index_nospec

Document the rationale and usage of the new array_index_nospec() helper.

Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: linux-arch@vger.kernel.org
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: gregkh@linuxfoundation.org
Cc: kernel-hardening@lists.openwall.com
Cc: torvalds@linux-foundation.org
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727413645.33451.15878817161436755393.stgit@dwillia2-desk3.amr.corp.intel.com
Change-Id: I983cd0214a1b3c5aa0ccc298d27e06932e8713d1
Reviewed-on: https://git-master.nvidia.com/r/1662100
GVS: Gerrit_Virtual_Submit
Reviewed-by: David Gilhooley <dgilhooley@nvidia.com>
Tested-by: David Gilhooley <dgilhooley@nvidia.com>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
(cherry picked from commit 8ac22de979e56e1b1d9192b636acbdcce4af381a)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1687456
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months ago - arm64: Implement array_index_mask_nospec()
Robin Murphy [Mon, 5 Feb 2018 15:34:17 +0000]
arm64: Implement array_index_mask_nospec()

Provide an optimised, assembly implementation of array_index_mask_nospec()
for arm64 so that the compiler is not in a position to transform the code
in ways which affect its ability to inhibit speculation (e.g. by introducing
conditional branches).

This is similar to the sequence used by x86, modulo architectural differences
in the carry/borrow flags.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Change-Id: I168000d0f3c718902ffd7ca1ad2147d914f19e94
Reviewed-on: https://git-master.nvidia.com/r/1662099
(cherry picked from commit 39c48ac56f2d7db8c291e16c9a1bc53898f86ba5)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1687455
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

13 months ago - nospec: Move array_index_nospec() parameter checking into separate macro
Will Deacon [Mon, 5 Feb 2018 14:16:06 +0000]
nospec: Move array_index_nospec() parameter checking into separate macro

For architectures providing their own implementation of
array_index_mask_nospec() in asm/barrier.h, attempting to use WARN_ONCE() to
complain about out-of-range parameters using WARN_ON() results in a mess
of mutually-dependent include files.

Rather than unpick the dependencies, simply have the core code in nospec.h
perform the checking for us.

Signed-off-by: Will Deacon <will.deacon@arm.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: http://lkml.kernel.org/r/1517840166-15399-1-git-send-email-will.deacon@arm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Change-Id: Id320556bbf89d7baab12b62757a0c58325b59290
Reviewed-on: https://git-master.nvidia.com/r/1662098
(cherry picked from commit cb43890033d95db565461009fac6f9b57b252f56)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1687454
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

13 months ago - array_index_nospec: Sanitize speculative array de-references
Dan Williams [Tue, 30 Jan 2018 01:02:22 +0000]
array_index_nospec: Sanitize speculative array de-references

array_index_nospec() is proposed as a generic mechanism to mitigate
against Spectre-variant-1 attacks, i.e. an attack that bypasses boundary
checks via speculative execution. The array_index_nospec()
implementation is expected to be safe for current generation CPUs across
multiple architectures (ARM, x86).

Based on an original implementation by Linus Torvalds, tweaked to remove
speculative flows by Alexei Starovoitov, and tweaked again by Linus to
introduce an x86 assembly implementation for the mask generation.

Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Co-developed-by: Alexei Starovoitov <ast@kernel.org>
Suggested-by: Cyril Novikov <cnovikov@lynx.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-arch@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: gregkh@linuxfoundation.org
Cc: torvalds@linux-foundation.org
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727414229.33451.18411580953862676575.stgit@dwillia2-desk3.amr.corp.intel.com
Change-Id: I52bfd4256e39b2a81c5e4f5195e2f9985990cade
Reviewed-on: https://git-master.nvidia.com/r/1662097
(cherry picked from commit 3d81db8940d73ca8526189ae6d87716925787f3c)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1687453
GVS: Gerrit_Virtual_Submit
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
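
What array_index_nospec() actually computes, as an added user-space example serving the documentation, arm64, parameter-checking and core commits above. This is not the kernel's header: the portable mask formula follows include/linux/nospec.h and the x86 `cmp; sbb` pair follows the arch override the series describes, but the handler table, the two lookup functions and the choice to write the kernel's macro as a plain function are this example's own. The point it shows is that the mask is all-ones for an in-range index and zero otherwise, produced without a conditional branch, so ANDing it into the index bounds the speculative load even when the preceding `if` is mispredicted.

```c
#include <stdio.h>
#include <limits.h>

#define BITS_PER_LONG (8 * sizeof(unsigned long))

/* Stop the compiler from reusing the result of the architectural bounds check:
 * under speculation that check may not have held, so the mask must be computed. */
#define OPTIMIZER_HIDE_VAR(var) __asm__ __volatile__("" : "=r"(var) : "0"(var))

/* Branch-free: ~0UL when index < size, 0UL otherwise. */
static inline unsigned long array_index_mask_nospec(unsigned long index, unsigned long size)
{
    unsigned long mask;
#if defined(__x86_64__) || defined(__i386__)
    /* Same pair the x86 kernel emits: CF = (index < size); sbb turns CF into 0 or ~0. */
    __asm__ __volatile__("cmp %1,%2; sbb %0,%0;"
                         : "=r"(mask)
                         : "g"(size), "r"(index)
                         : "cc");
#else
    /* Portable form from include/linux/nospec.h: sign-extend the top bit of
     * index | (size - 1 - index). In range both terms are non-negative, so the
     * top bit is 0 and ~ gives all ones; out of range size - 1 - index wraps,
     * the top bit is 1 and ~ gives 0. Needs an arithmetic right shift (gcc/clang). */
    OPTIMIZER_HIDE_VAR(index);
    mask = ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
#endif
    return mask;
}

/* The kernel wraps this in a macro that also WARNs on index >= size; a plain
 * function is enough here. Returns index unchanged in range, 0 out of range. */
static inline unsigned long array_index_nospec(unsigned long index, unsigned long size)
{
    return index & array_index_mask_nospec(index, size);
}

/* Constructed table standing in for any kernel array indexed by a user-supplied value. */
#define NR_HANDLERS 8
static const int handlers[NR_HANDLERS] = { 10, 11, 12, 13, 14, 15, 16, 17 };

/* The shape the "speculative load before bound-check" commits below fix: correct
 * architecturally, but the load can execute before the branch resolves. */
static int lookup_unsafe(unsigned long idx)
{
    if (idx >= NR_HANDLERS)
        return -1;
    return handlers[idx];              /* reachable speculatively with idx >= NR_HANDLERS */
}

/* Hardened: on a mispredicted path idx collapses to 0, so the only memory the
 * speculative load can touch is handlers[0], which the caller may read anyway. */
static int lookup_nospec(unsigned long idx)
{
    if (idx >= NR_HANDLERS)
        return -1;
    idx = array_index_nospec(idx, NR_HANDLERS);
    return handlers[idx];
}

int main(void)
{
    const unsigned long probes[] = { 0, 3, NR_HANDLERS - 1, NR_HANDLERS, 1000, ULONG_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned long idx = probes[i];
        printf("idx=%lu mask=%#lx clamped=%lu unsafe=%d nospec=%d\n", idx,
               array_index_mask_nospec(idx, NR_HANDLERS),
               array_index_nospec(idx, NR_HANDLERS),
               lookup_unsafe(idx), lookup_nospec(idx));
    }
    return 0;
}
```

Build with `cc -O2 -Wall nospec_demo.c`; on x86 the inline `cmp; sbb` is used, elsewhere the portable formula. Two things worth noticing: a size of 0 yields a zero mask on both paths (the kernel's macro warns about that case rather than trusting it), and the Tegra driver commits that follow take the heavier route of a `dsb sy; isb` speculation barrier after the bounds check instead of masking the index, which stalls the pipeline rather than bounding the load.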

13 months ago - arm64: barrier: Add CSDB macros to control data-value prediction
Will Deacon [Mon, 5 Feb 2018 15:34:16 +0000]
arm64: barrier: Add CSDB macros to control data-value prediction

For CPUs capable of data value prediction, CSDB waits for any outstanding
predictions to architecturally resolve before allowing speculative execution
to continue. Provide macros to expose it to the arch code.

Reviewed-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Change-Id: Iecb67a5e9953b0dd510fd946e95365d4b2ec9276
Reviewed-on: https://git-master.nvidia.com/r/1662096
(cherry picked from commit 5ad3a2c3e638cf849cc857f5414861bcc2eba65a)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1687452
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

13 months ago - drivers: speculative load before bound-check
Jeetesh Burman [Thu, 29 Mar 2018 18:36:55 +0000]
drivers: speculative load before bound-check

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

Bug 1964290
CVE-2017-5753

Change-Id: I69ce0633516b3a838cf2547adcff4ded806394e0
Signed-off-by: Hien Goi <hgoi@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650789
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit 7541f4625b73b64e0c64b403c6182cb295fd884c)
Reviewed-on: https://git-master.nvidia.com/r/1684501
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months ago - drivers: speculative load before bound-check
Jeetesh Burman [Thu, 29 Mar 2018 18:16:44 +0000]
drivers: speculative load before bound-check

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

Bug 1964290
CVE-2017-5753

Change-Id: I7382dbcc6e9f352fafd457301beafe753925f3c4
Signed-off-by: Hien Goi <hgoi@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650791
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit 5cabd53985a30aa818896abdb64564a74c09ab9c)
Reviewed-on: https://git-master.nvidia.com/r/1684500
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months ago - media: isc: prevent speculative load related leak
James Huang [Thu, 1 Feb 2018 03:53:29 +0000]
media: isc: prevent speculative load related leak

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: I3fdea370a0c713ec84dc3fb58fb6b9891880190a
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640354
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650059
(cherry picked from commit efac96bc2e7f333211bbcb7950a2ab1559890ff0)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682748
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months ago - gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)
James Huang [Thu, 1 Feb 2018 06:58:59 +0000]
gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640500
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650050
(cherry picked from commit f293fa670fd2f4fbe170f1e372e9aa237283c67a)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682715
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months ago - host1x: prevent speculative load related leak
James Huang [Thu, 1 Feb 2018 03:14:14 +0000]
host1x: prevent speculative load related leak

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ifc618c00cee497e6d84cac01a9b73fcecbe8f260
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650036
(cherry picked from commit 164f8684deb5b15a53c60a60c7d9b8e3bf5af5be)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682714
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months ago - cryptodev: prevent speculative load related leak
Jeetesh Burman [Tue, 27 Mar 2018 09:47:52 +0000]
cryptodev: prevent speculative load related leak

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Id85eb9c91932f358dd999b28dd53d7788b37ea04
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640356
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650014
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682713
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months ago - platform: nvadsp: prevent speculative load related leak
James Huang [Thu, 1 Feb 2018 01:42:30 +0000]
platform: nvadsp: prevent speculative load related leak

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: I5a745320b64bf6689cf8ac4b713cf1b32f662a23
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640352
Reviewed-on: https://git-master.nvidia.com/r/1649976
(cherry picked from commit 53deb61791f7227f33f365d3a7f12032dc5af4f2)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682712
GVS: Gerrit_Virtual_Submit
Reviewed-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months ago - arm64: define speculation barrier
James Huang [Thu, 1 Feb 2018 05:01:50 +0000]
arm64: define speculation barrier

The instruction sequence "dsb sy" followed by "isb" functions as
a speculation barrier, which prevents the instructions after that
from being speculatively executed.

Bug 2039126

Change-Id: I898aab771ff82b26b08214a06814d2e6e78969a7
Signed-off-by: Bo Yan <byan@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1618222
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650093
(cherry picked from commit f125c60045878513902cac4a084fde9a516eb3e2)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682711
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

13 months ago - v4l2: prevent speculative load
James Huang [Thu, 1 Feb 2018 02:58:04 +0000]
v4l2: prevent speculative load

bug 2039126
Change-Id: Id1908c3058c9ecc0dfb4f2d85440a8d36db45db5
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650029

(cherry picked from commit 7a0213eca150614fe88d197a09d461fff6168652)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Change-Id: Ia7f3feb5c2a755f585a80fcd9664b8a5fff0c6fa
Reviewed-on: https://git-master.nvidia.com/r/1682710
GVS: Gerrit_Virtual_Submit
Reviewed-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

14 months ago - ASoC: tegra: check ucode upper limit
Ravindra Lokhande [Mon, 8 May 2017 09:12:48 +0000]
ASoC: tegra: check ucode upper limit

Check ucode size for upper limit.

Bug 1901435
Bug 1954563
Bug 1917589

Signed-off-by: Ravindra Lokhande <rlokhande@nvidia.com>
Signed-off-by: Xia Yang <xiay@nvidia.com>
Change-Id: I2f455771147bb4466d154878d2461e472647c4fb
Reviewed-on: https://git-master.nvidia.com/r/1575925
Reviewed-on: https://git-master.nvidia.com/r/1674393
Reviewed-by: Automatic_Commit_Validation_User
Tested-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

14 months ago - tegra-cryptodev: Avoid untrusted usrptr dereference
Amulya Y [Tue, 13 Mar 2018 17:44:43 +0000]
tegra-cryptodev: Avoid untrusted usrptr dereference

In RSA operations use copy_from_user to get key data
into local buffer before using it.

This will avoid untrusted user pointer dereference.

Coverity ID 24040

Bug 200192571
Bug 1932494

Signed-off-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Change-Id: I0b66ab530453a2174ea41721bfef62143ee8631a
Reviewed-on: http://git-master/r/1471452
(cherry picked from commit 3c4b3e5eaec607e9c23613563d447e149298fd22)
Reviewed-on: https://git-master.nvidia.com/r/1674423
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

14 months ago - arm64: alternative: Provide if/else/endif assembler macros
Nicolin Chen [Thu, 21 Dec 2017 03:58:13 +0000]
arm64: alternative: Provide if/else/endif assembler macros

The existing alternative_insn macro has some limitations that make it
hard to work with. In particular the fact it takes instructions from its
own macro arguments means it doesn't play very nicely with C pre-processor
macros because the macro arguments look like a string to the C
pre-processor. Workarounds are (probably) possible but things start to
look ugly.

Introduce an alternative set of macros that allows instructions to be
presented to the assembler as normal and switch everything over to the
new macros.

==  This is a back port change from K4.4 to K3.10 so it also includes: ==
  arm64: alternatives: add enable parameter to conditional asm macros

  There are cases where we want to compile out both versions of an
  alternative code block, so add an enable parameter to the new conditional
  alternative assembly macros in the same way as alternative_insn.

Bug 1975157

Change-Id: I39fd42525f717c63e9b5f8a9ec182e77a3e28401
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1626807
(cherry picked from commit 4ae908187dee327273f159a34ae11b8516421d57)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1648617
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit

14 months ago  arm64: Add CONFIG_HARDEN_BRANCH_PREDICTOR option
Martin Gao [Thu, 21 Dec 2017 23:48:19 +0000]
arm64: Add CONFIG_HARDEN_BRANCH_PREDICTOR option

Aliasing attacks against CPU branch predictors can allow an attacker to
redirect speculative control flow on some CPUs and potentially divulge
information from one context to another.

This patch adds a Kconfig option to enable implementation-specific
mitigations against these attacks for CPUs that are affected. Currently,
a workaround is only implemented for Cortex-A57 and Cortex-A72, which
additionally relies on the EL3 firmware setting CPUACTLR_EL1[0] to 1.

Back ported from K4.9: https://git-master.nvidia.com/r/1621628/

Bug 1975157

Change-Id: Id0b12003837f64a60780ec96b2cf22725615ad35
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1626828
(cherry picked from commit bfb554062622f53f47eb762302c98df1f3ee4959)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1648611
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit

14 months ago  clocksource: arch_timer: make virtual counter access configurable
Greg Hackmann [Tue, 9 Jan 2018 04:00:15 +0000]
clocksource: arch_timer: make virtual counter access configurable

Bug 2031796

Change-Id: Ibdb1fd768b748002b90bfc165612c12c8311f8a2
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1634425
(cherry picked from commit 3245205e4f115cc16f6b09b41548e6a3fc9e2442)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1648574
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit

14 months ago  arm64: Handle traps from accessing CNTVCT/CNTFRQ via 32-bit instructions
Nicolin Chen [Wed, 10 Jan 2018 02:59:20 +0000]
arm64: Handle traps from accessing CNTVCT/CNTFRQ via 32-bit instructions

CNTVCT and CNTFRQ can be accessed via 32-bit instructions (mrrc/mrc).

So the trap handler should take care of these two situations as well.
Otherwise, it will trigger an "undefined instruction" state and file
a SIGILL back to user space without caring about which application.

Bug 2044346

Change-Id: I39de0a3f332c405042bb181ccdf616eeb96b1608
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1635304
(cherry picked from commit c4f4342ab3dc8c3185820bc55e08feeed0240c0a)
Reviewed-on: https://git-master.nvidia.com/r/1648572
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit

14 months ago  arm64: Issue isb when trapping CNTVCT_EL0 access
Greg Hackmann [Wed, 20 Dec 2017 09:36:20 +0000]
arm64: Issue isb when trapping CNTVCT_EL0 access

Bug 2031796
CVE-2017-13218

Change-Id: I6005a6e944494257bfc2243fde2f7a09c3fd76c6
Reviewed-on: https://git-master.nvidia.com/r/1623697
(cherry picked from commit e0d40dddcfa7388d2f71a1fe3798eaae0704fd0a)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1648570
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit

14 months ago  BACKPORT: arm64: Add CNTFRQ_EL0 trap handler
Marc Zyngier [Wed, 20 Dec 2017 09:34:10 +0000]
BACKPORT: arm64: Add CNTFRQ_EL0 trap handler

We now trap accesses to CNTVCT_EL0 when the counter is broken
enough to require the kernel to mediate the access. But it
turns out that some existing userspace (such as OpenMPI) do
probe for the counter frequency, leading to an UNDEF exception
as CNTVCT_EL0 and CNTFRQ_EL0 share the same control bit.

The fix is to handle the exception the same way we do for CNTVCT_EL0.

Bug 2031796
CVE-2017-13218

Fixes: a86bd139f2ae ("arm64: arch_timer: Enable CNTVCT_EL0 trap if workaround is enabled")
Reported-by: Hanjun Guo <guohanjun@huawei.com>
Tested-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 9842119a238bfb92cbab63258dabb54f0e7b111b)
Change-Id: Ie5a9a93fcca238d6097ecacd6df0e540be90220b
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1623696
(cherry picked from commit b7437af000c530e53cedce73a942571405766245)
Reviewed-on: https://git-master.nvidia.com/r/1648568
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit

14 months ago  [PATCH 1/4] BACKPORT: arm64: Add CNTVCT_EL0 trap handler
Marc Zyngier [Wed, 20 Dec 2017 03:24:17 +0000]
[PATCH 1/4] BACKPORT: arm64: Add CNTVCT_EL0 trap handler

Since people seem to make a point in breaking the userspace visible
counter, we have no choice but to trap the access. Add the required
handler.

Bug 2031796
CVE-2017-13218

Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
(cherry picked from commit 6126ce0588eb5a0752d5c8b5796a7fca324fd887)
Change-Id: I4204b5e1db899849ca16e6b26fe234339815f864
Signed-off-by: Rohit Khanna <rokhanna@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1621712
(cherry picked from commit fe7b634c82d1c21f7c83caecf8bd23cbdf56d389)
Reviewed-on: https://git-master.nvidia.com/r/1648567
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit

14 months ago  tegra-alt: adsp: add parameter size checks
Viraj Karandikar [Tue, 14 Mar 2017 05:17:22 +0000]
tegra-alt: adsp: add parameter size checks

Fix possible buffer overflow in case of invalid user
parameter by adding size checks

Bug 1869543
Bug 1888389
Bug 2002359

Change-Id: I82ac00e24a3ca40915eb6c556454c9649cb644bd
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1297227
(cherry-picked from commit 2e4308a3800f3dcd4aa91a1b446cf00cf7ebda59)
Reviewed-on: http://git-master/r/1320244
Signed-off-by: Amulya Y <ayarlagadda@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1656808
Reviewed-by: Jonathan Hunter <jonathanh@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
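The RSA key fix above (copy the key through copy_from_user before touching it) and this ADSP fix (bound every user-supplied size before using it) are the same pattern: a pointer or length that arrived from user space is never dereferenced or trusted in the kernel; the header is copied in, the length is checked against the kernel-side buffer, and only then is the payload copied. The block below is an added example and not code from either Tegra driver: a user-space model of such an ioctl handler in which fake_copy_from_user(), the user_arena "address space", struct rsa_req, MAX_KEY_LEN and the scenario functions are all assumptions made for the example.

```c
/* Added example, not the driver's code: a user-space model of the
 * copy_from_user() + length-check pattern for an ioctl that receives a
 * user pointer and a user-supplied length. Layout and names are assumed. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_KEY_LEN 64              /* assumed size of the kernel-side key buffer */

/* Request as user space lays it out (assumed). `key` is a user pointer and
 * must never be dereferenced by the handler; `key_len` is untrusted too. */
struct rsa_req {
    const void *key;
    uint32_t    key_len;
};

/* Constructed "user address space": the handler may only reach it through
 * fake_copy_from_user(); any pointer outside it counts as a bad user address. */
static union {
    unsigned char  bytes[4096];
    struct rsa_req req;             /* keeps the arena start aligned for a header */
} user_arena;

/* Stand-in for copy_from_user(): returns the number of bytes NOT copied,
 * i.e. non-zero when [src, src + n) does not lie entirely in the arena. */
static unsigned long fake_copy_from_user(void *dst, const void *src, size_t n)
{
    const unsigned char *s = src;
    if (n > sizeof(user_arena.bytes) || s < user_arena.bytes ||
        s > user_arena.bytes + sizeof(user_arena.bytes) - n)
        return n;
    memcpy(dst, src, n);
    return 0;
}

/*
 * The shape these commits fix looked like (deliberately not callable here):
 *     memcpy(kbuf, req->key, req->key_len);   // user pointer dereferenced,
 *                                             // length never checked
 * The hardened handler copies the header, validates the length against the
 * kernel buffer, and only then copies the key bytes themselves.
 */
static int rsa_ioctl(const void *user_req, unsigned char *kbuf, size_t *klen)
{
    struct rsa_req req;

    if (fake_copy_from_user(&req, user_req, sizeof(req)))
        return -EFAULT;                         /* bad header pointer */
    if (req.key_len == 0 || req.key_len > MAX_KEY_LEN)
        return -EINVAL;                         /* size check before any copy */
    if (fake_copy_from_user(kbuf, req.key, req.key_len))
        return -EFAULT;                         /* bad key pointer: never dereferenced */
    *klen = req.key_len;
    return 0;
}

/* Places a request header at the start of the arena and, when `key` is
 * given, the key bytes right after it. `key_ptr` overrides the key pointer
 * so a request can point at memory that is not user space at all. */
static const void *build_user_request(const unsigned char *key, uint32_t key_len,
                                      const void *key_ptr)
{
    struct rsa_req *req = &user_arena.req;
    unsigned char *area = user_arena.bytes + sizeof(*req);

    if (key && key_len <= 256)
        memcpy(area, key, key_len);
    req->key = key_ptr ? key_ptr : area;
    req->key_len = key_len;
    return req;
}

/* Three cases a reviewer would exercise; each returns the handler's result. */
static unsigned char kbuf[MAX_KEY_LEN];
static unsigned char kernel_only[16];           /* not inside the user arena */

int scenario_valid_request(void)
{
    unsigned char key[16];
    size_t n = 0;
    memset(key, 0xA5, sizeof(key));
    int rc = rsa_ioctl(build_user_request(key, 16, NULL), kbuf, &n);
    return rc == 0 && n == 16 && kbuf[0] == 0xA5 && kbuf[15] == 0xA5;
}

int scenario_oversized_length(void)             /* 4096 > MAX_KEY_LEN */
{
    size_t n = 0;
    return rsa_ioctl(build_user_request(NULL, 4096, NULL), kbuf, &n);
}

int scenario_kernel_pointer(void)               /* key points outside user space */
{
    size_t n = 0;
    return rsa_ioctl(build_user_request(NULL, 16, kernel_only), kbuf, &n);
}
```

The order of the checks matters: the length is validated before the second copy, so a request that names a kernel address or an oversized length is rejected without the handler ever reading through the pointer.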

15 months ago  thermal: add boundary check to set_cur_state
Srikar Srimath Tirumala [Tue, 12 Sep 2017 19:27:13 +0000]
thermal: add boundary check to set_cur_state

Prevent sysfs from setting a cur_state that exceeds the max cur_state
of the cooling device.

Bug 200334223
Bug 200331706
Bug 1968660
Bug 1968616

Change-Id: I935be6166a9e184683abfcdce70cb08cbe4a1350
Signed-off-by: Srikar Srimath Tirumala <srikars@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1558407
(cherry picked from commit 142cf9d96ed221124ea2b778dc37cf5db8d5702c)
Reviewed-on: https://git-master.nvidia.com/r/1630002
Reviewed-on: https://git-master.nvidia.com/r/1661413
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>

15 months ago  cryptodev: avoid untrusted user pointers
Konduri Praveen [Tue, 1 Aug 2017 12:05:58 +0000]
cryptodev: avoid untrusted user pointers

Add an algo variable to avoid the usage of
user space pointers.

Bug 200286426

Change-Id: I7e208b45ba11348e7b89a429d457ae51ac29bde0
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1530560
(cherry picked from commit b210c724aea24160a5fdcec5ee9b8f9c86c8540d)
Reviewed-on: https://git-master.nvidia.com/r/1649889
GVS: Gerrit_Virtual_Submit
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

15 months ago  CRYPTO: disable crypto dev for t210
Konduri Praveen [Fri, 20 Oct 2017 05:48:09 +0000]
CRYPTO: disable crypto dev for t210

Disabling tegra SE crypto dev for t210
platform.

Bug 1927682

Change-Id: I57cd2b143e82122945b78635f36706bdbdeaca6c
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1582386
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

16 months ago  pcie: host: disable AFI dynamic clock gating
Ken Chang [Tue, 25 Apr 2017 04:46:02 +0000]
pcie: host: disable AFI dynamic clock gating

Override AFI clock enable to disable dynamic clock gating logic.

Bug 200366033

Change-Id: I15a4f67f0a0fd0fb5d28504f9317a9228fca9531
Reviewed-on: http://git-master/r/1469192
(cherry picked from commit fbacedca8e25ebc5400191156316efc52edc3888)
Signed-off-by: Ken Chang <kenc@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1602161
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Reviewed-by: Sandipan Patra <spatra@nvidia.com>
Tested-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

18 months ago  cryptodev: Use wait_for_completion_timeout for async calls
Debarshi Dutta [Tue, 3 Oct 2017 09:00:47 +0000]
cryptodev: Use wait_for_completion_timeout for async calls

AES operations are asynchronous and when waiting for them
to complete, don't allow tasks to be interruptible.

Bug 200327042
Bug 200292436

Change-Id: I17305f601543d349e60cd986df3e949b7439e971
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1572379
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Tested-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

19 months ago  video: tegra: nvmap: handle the vma->vm_mm NULL case
Krishna Reddy [Mon, 18 Sep 2017 18:00:27 +0000]
video: tegra: nvmap: handle the vma->vm_mm NULL case

v4l2 is registering vma with vm_mm = NULL.

Bug 1874184

Change-Id: I24e61a531d9a506c7c146335240754931b3c238d
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1564203
Tested-by: Frank Shi <fshi@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Reviewed-by: Sachin Nikam <snikam@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

20 months ago  arm64: dts: update emc dvfs table for Jetson CV
Sandipan Patra [Fri, 9 Jun 2017 05:19:41 +0000]
arm64: dts: update emc dvfs table for Jetson CV

Updating emc dvfs table dts for Jetson CV with
Samsung and Hynix configuration.

Bug 200315053

Change-Id: I199c65c7e1261b37748b5045eac0d1da702ba986
Signed-off-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1499061
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

20 months ago  video: tegra: host: use lock to get syncpt name
Gagan Grover [Tue, 22 Nov 2016 10:13:19 +0000]
video: tegra: host: use lock to get syncpt name

Use sp->syncpt_mutex lock to get syncpt name in
syncpt_name_show().
Without the lock, it is possible for a user to read
the syncpt name in a corrupted state if the user read
coincides with a syncpt free.

Bug 1838598
Bug 1883567

Change-Id: I69ca5c1d80adaca4b93a337fe4a5debeb78f34fc
Reviewed-on: http://git-master/r/1252580
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1258020
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit 9a7d12e49ca6c627dff2dc4c15fa9ba153e9265d in rel-24)
Reviewed-on: https://git-master.nvidia.com/r/1513005
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

20 months ago  tegra-se: Set IV in UIV slot
Konduri Praveen [Wed, 31 May 2017 05:58:20 +0000]
tegra-se: Set IV in UIV slot

Set IV in UIV slot so that when an IV is not set,
Engine will use updated IV from UIV which is
calculated from previous AES operation.

Bug 200225148

Change-Id: I16133f87a37fccf6645e7e99b4a37ebbe4e145d0
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1492705
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

20 months ago  Merge "Merge remote-tracking branch 'origin/dev/tsp-to-l4t-r24.2' into l4t-r24.2...
Gerrit Code Review [Tue, 19 Sep 2017 21:00:43 +0000]
Merge "Merge remote-tracking branch 'origin/dev/tsp-to-l4t-r24.2' into l4t-r24.2" into l4t/l4t-r24.2

20 months ago  arm64: tegra21: Add USB_SERIAL_CP210X config
Shreshtha SAHU [Fri, 11 Aug 2017 04:40:50 +0000]
arm64: tegra21: Add USB_SERIAL_CP210X config

Bug 1954342

Change-Id: Ie327ae44a96fc30a76364b06a71974e999f81203
Signed-off-by: Shreshtha SAHU <ssahu@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1537342
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

20 months ago  gpu: nvgpu: Simplify ref-counting on VMs
Alex Waterman [Wed, 30 Nov 2016 00:01:41 +0000]
gpu: nvgpu: Simplify ref-counting on VMs

Simplify ref-counting on VMs: take a ref when a VM is bound to a
channel and drop a ref when a channel is freed.

Previously ref-counts were scattered over the driver. Also the CE
and CDE code would bind channels with custom rolled code. This was
because the gk20a_vm_bind_channel() function took an as_share as
the VM argument (the VM was then inferred from that as_share).
However, it is trivial to abstract that bit out and allow a central
bind channel function that just takes a VM and a channel.

Bug 1846718
Bug 1885921

Change-Id: I156aab259f6c7a2fa338408c6c4a3a464cd44a0c
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1261886
(cherry picked from commit 7e403974d3584ab8880e42d422ee3afb7f49d6f3)
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Change-Id: Ibac97d05e13fad3dcbe55c56f1b166699ce39af7
Reviewed-on: https://git-master.nvidia.com/r/1551138
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

20 months ago  gpu: nvgpu: Remove ref count from as_share
Alex Waterman [Tue, 31 Jan 2017 23:49:40 +0000]
gpu: nvgpu: Remove ref count from as_share

Remove the broken ref counting from as_share. The ref-count is
incremented for every bind channel but never decremented. This
results in VMs never being freed.

Bug 1846718
Bug 1885921

Change-Id: I6253b3eab7c7471d3ed6feddb3705c49a8704bed
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: http://git-master/r/1296900
(cherry picked from commit c6594c744d8fca738a1a8f5177c84a05899695dc in rel-24)
Reviewed-on: https://git-master.nvidia.com/r/1483632
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

20 months ago  Bluetooth: Properly check L2CAP config option output buffer length
Ben Seri [Wed, 13 Sep 2017 08:34:32 +0000]
Bluetooth: Properly check L2CAP config option output buffer length

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Bug 1989825

Change-Id: Id158ece2176c4ac339a7232dfde8c47ce2241122
Cc: stable@vger.kernel.org
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1558940
GVS: Gerrit_Virtual_Submit
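The defect class here is an output-side overflow: the response is assembled option by option into a fixed stack buffer, and a peer that requests enough options (or long enough ones) pushes the writer past its end. The usual fix is to hand the option writer the number of bytes that remain and have it refuse anything that does not fit. The block below is an added example and not the kernel's L2CAP code: a bounded TLV option writer next to the unchecked shape it replaces, plus the matching receiver-side length walk. CONF_BUF_SIZE, the two-byte type/length header, the sample MTU value and the scenario functions are assumptions made for the example.

```c
/* Added example, not the kernel's L2CAP code: a config-option writer that
 * is told the remaining output size, beside the unchecked shape it replaces.
 * Buffer size, option layout and names are assumptions for the example. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CONF_OPT_HDR   2            /* type byte + length byte */
#define CONF_BUF_SIZE 64            /* assumed size of the stack buffer being built */
#define OPT_MTU     0x01            /* L2CAP MTU option type */

/* Before: appends type, length and value with no idea how much room is
 * left. Enough peer-requested options walk straight off the end of the
 * caller's stack buffer. Kept only for contrast; nothing below calls it. */
void add_conf_opt_unchecked(uint8_t **ptr, uint8_t type, uint8_t len, const void *val)
{
    uint8_t *p = *ptr;
    p[0] = type;
    p[1] = len;
    memcpy(p + CONF_OPT_HDR, val, len);
    *ptr += CONF_OPT_HDR + len;
}

/* After: the writer knows how many bytes remain and refuses to exceed them.
 * Returns bytes written, or 0 when the option does not fit. */
size_t add_conf_opt(uint8_t **ptr, size_t *remaining, uint8_t type, uint8_t len,
                    const void *val)
{
    size_t need = CONF_OPT_HDR + (size_t)len;
    uint8_t *p = *ptr;

    if (*remaining < need)
        return 0;                               /* would overflow: drop it */
    p[0] = type;
    p[1] = len;
    memcpy(p + CONF_OPT_HDR, val, len);
    *ptr += need;
    *remaining -= need;
    return need;
}

/* Builds a response from a list of requested option types; the count is
 * peer-controlled in the real protocol. Returns bytes written. Options that
 * do not fit are dropped rather than written past `buf_size`. */
size_t build_conf_rsp(uint8_t *buf, size_t buf_size, const uint8_t *types, size_t n_types)
{
    uint8_t *p = buf;
    size_t remaining = buf_size;
    uint16_t mtu = 672;                         /* sample value */

    for (size_t i = 0; i < n_types; i++)
        add_conf_opt(&p, &remaining, types[i], sizeof(mtu), &mtu);
    return (size_t)(p - buf);
}

/* Receiver-side check: walks the TLVs and rejects any option whose length
 * byte runs past the end of the packet. Returns the option count or -1. */
int parse_conf_opts(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        if (len - off < CONF_OPT_HDR)
            return -1;
        uint8_t olen = buf[off + 1];
        if (len - off - CONF_OPT_HDR < olen)
            return -1;                          /* truncated option */
        off += CONF_OPT_HDR + olen;
        count++;
    }
    return count;
}

/* A peer asks for 100 MTU options; 64 bytes hold 16 of them. The guard
 * bytes after the buffer must stay intact. Returns 1 when the writer behaves. */
int scenario_option_flood(void)
{
    struct { uint8_t buf[CONF_BUF_SIZE]; uint8_t guard[8]; } s;
    uint8_t types[100];

    memset(&s, 0xAA, sizeof(s));
    memset(types, OPT_MTU, sizeof(types));
    size_t n = build_conf_rsp(s.buf, sizeof(s.buf), types, sizeof(types));
    for (size_t i = 0; i < sizeof(s.guard); i++)
        if (s.guard[i] != 0xAA)
            return 0;                           /* overflowed into the guard */
    return n == CONF_BUF_SIZE && parse_conf_opts(s.buf, n) == 16;
}

/* Constructed packet whose last option claims 5 value bytes but carries 0. */
int scenario_truncated_option(void)
{
    static const uint8_t pkt[] = { OPT_MTU, 2, 0xA0, 0x02, OPT_MTU, 5 };
    return parse_conf_opts(pkt, sizeof(pkt));
}
```

The same `remaining` bookkeeping has to be threaded through every caller that appends to the buffer; one writer left on the unchecked signature is enough to bring the overflow back.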

21 months ago  Merge remote-tracking branch 'origin/dev/tsp-to-l4t-r24.2' into l4t-r24.2
Igor Nabirushkin [Tue, 8 Aug 2017 14:49:44 +0000]
Merge remote-tracking branch 'origin/dev/tsp-to-l4t-r24.2' into l4t-r24.2

Bug 1968122

Change-Id: Ib0a684568442cd15b6fcb1cdb8e50fa56289f2ab
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>

21 months ago  misc: tegra-profiler: fix stopping the session
Igor Nabirushkin [Thu, 3 Aug 2017 15:52:21 +0000]
misc: tegra-profiler: fix stopping the session

Do not stop profiling if some clocks are not available.
This commit fixes unexpected stop on some devices.

Bug 1968948

Change-Id: Ieacf481d1884ec717027aff2460be499ddf77ff8
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1532770
(cherry picked from commit abec385924a12beda1c281a1b5aa872729761d05)

21 months ago  misc: tegra-profiler: send virtual ids
Igor Nabirushkin [Sun, 23 Jul 2017 18:56:46 +0000]
misc: tegra-profiler: send virtual ids

Send virtual pid and tgid of the current task (from
the pid namespace).
This is useful for correlation between ids coming from the kernel
module with ids coming from the injection library.

Bug 1963327

Change-Id: I8e15a9803730ef443ada528e39116056b05157a2
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1525176
(cherry picked from commit ee3f90e2c768558107c7ee43a3f7378418214600)

21 months ago  misc: tegra-profiler: fix lost samples
Igor Nabirushkin [Mon, 10 Jul 2017 19:54:12 +0000]
misc: tegra-profiler: fix lost samples

Do not send 'header' samples for non-present cores.
This fixes lost samples in some cases.

Bug 1956713

Change-Id: Ib09aecbb71265b96840e18dcb40315adf286994f
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1516355
(cherry picked from commit 333e27f016348a41473292189be72ad05512c528)

21 months ago  misc: tegra-profiler: fix uninitialized spinlocks
Igor Nabirushkin [Tue, 4 Jul 2017 06:12:42 +0000]
misc: tegra-profiler: fix uninitialized spinlocks

Fix uninitialized spinlocks for some systems with "holes"
in the CPU numbering.
Use possible cpus instead of nr_cpu_ids for per-cpu buffers.
This fixes possible system crash.

Bug 200320513

Change-Id: I4610459b84bff2ed78d0521e77c6251dc4ded0ad
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: https://git-master/r/1512907
(cherry picked from commit ada8ad34fad3522974d9d7a1ea835474779d91c8)

21 months ago  misc: tegra-profiler: fix out-of-bounds access
Igor Nabirushkin [Tue, 4 Jul 2017 05:53:45 +0000]
misc: tegra-profiler: fix out-of-bounds access

Fix potential out-of-bounds write in read_all_sources() function
that can lead to data corruption.
This commit fixes the problem (the array size is increased by 1).

Bug 1953704

Change-Id: Iac6c54dfbd13b7ebef20de67f60cd3281e13814c
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: https://git-master/r/1512895
(cherry picked from commit 38c82f0ff897d6a8b9f5d0793f113a09d229a0cc)

21 months ago  tegra-profiler: fix UBSAN shift_out_of_bound error
Igor Nabirushkin [Wed, 7 Jun 2017 11:54:47 +0000]
tegra-profiler: fix UBSAN shift_out_of_bound error

The UBSAN reports the following error in armv8_pmu.c:

[.../lib/ubsan.c:421>] __ubsan_handle_shift_out_of_bounds
[.../drivers/misc/tegra-profiler/armv8_pmu.c:273>] pmu_start
[.../drivers/misc/tegra-profiler/hrt.c:594>] __quadd_task_sched_in

The reason for this error is wrong value for PMOVSCLR_EL0 register.
This commit fixes this problem.

Bug 1932645

Change-Id: I589587b0d30e1c84a6c27d2f6b06cb2ced742655
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1497591
(cherry picked from commit 96ca19ae7cdceae82ff3e96cae247334775e30c5)

21 months ago  misc: tegra-profiler: add overhead information
Igor Nabirushkin [Tue, 6 Jun 2017 12:22:35 +0000]
misc: tegra-profiler: add overhead information

Add profiler overhead information: store duration
of the profiler sampling period in the tail of sample.

Bug 1939233

Change-Id: Ifbfb0b98ed8c6ffeec8af96b682761f3fd3d2d61
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1496893
(cherry picked from commit eb061ee4457f2ff5b271f133c14f553759acab6f)

21 months ago  misc: tegra-profiler: support raw hardware events
Igor Nabirushkin [Wed, 10 May 2017 06:48:52 +0000]
misc: tegra-profiler: support raw hardware events

Support arbitrary raw hardware PMU events.
There are also a few minor changes in procfs output.

Bug 1923017

Change-Id: I490817d4dba10100d7450572835c45dcba8cac32
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1478869
(cherry picked from commit 83d257b17e00e97b3c2fc93e8a2b142c7074c23f)

21 months ago  misc: tegra-profiler: fix crash in power_clk stop
Igor Nabirushkin [Fri, 5 May 2017 11:56:59 +0000]
misc: tegra-profiler: fix crash in power_clk stop

Fix crash in profiler when using gpu and emc clocks: using
the freed clock source can cause a kernel panic.
Remove redundant clk_get_sys calls.

Bug 1918185

Change-Id: I421049c7a30fad6356f7300226e84794cecf0673
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1476299
(cherry picked from commit 8b0d7e1748b31dd87ab2837a6b9f0a1d2e3d6ecc)

21 months ago  misc: tegra-profiler: add instruction barriers
Igor Nabirushkin [Wed, 29 Mar 2017 08:35:04 +0000]
misc: tegra-profiler: add instruction barriers

Add missing instruction synchronization barriers:
- After writing to the performance counter selection register.
- Before writing to the performance monitors control register.

Bug 1896853

Change-Id: Id63f73ef26eb0c99277339936f06cda109f6afe8
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1330552
(cherry picked from commit 3775cd2936a345405143c7d71f100d88136986c6)

21 months ago  misc: tegra-profiler: use power-of-2 sized buffer
Igor Nabirushkin [Mon, 6 Mar 2017 10:00:20 +0000]
misc: tegra-profiler: use power-of-2 sized buffer

Kernel/User-space circle buffers:
- Use power-of-2 sized buffers to reduce overhead
- Use the common circular buffer macros

Bug 1881997

Change-Id: I664f4745e625cc4cd395d1683eada191abe12624
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1315654
(cherry picked from commit a7971b07d3f04fe424a3506ae665214e76abecb4)

21 months ago  misc: tegra-profiler: add a memory barrier
Igor Nabirushkin [Mon, 6 Mar 2017 10:06:10 +0000]
misc: tegra-profiler: add a memory barrier

Use smp_store_release() to update circle buffer write pointers to
ensure the data is stored before we update write pointer.

Bug 1881996

Change-Id: Icaade5e6f57056c638efa61e65e9a8a6f6e12416
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1315657
(cherry picked from commit c19fa2487c1d385d9cde0595cab66aeea416c00d)
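The two commits above are one design: size the ring as a power of two so that wrap-around is a mask and the kernel's CIRC_CNT/CIRC_SPACE arithmetic is exact, and publish the write pointer with a release store so a consumer that observes the new pointer also observes the bytes it covers. The block below is an added example, not the profiler's own code: a single-producer/single-consumer byte ring using C11 atomics in place of smp_store_release()/smp_load_acquire(). RB_SIZE, the CIRC_* macro copies, struct ring and the scenario function are assumptions made for the example.

```c
/* Added example, not the profiler's code: a single-producer/single-consumer
 * byte ring. Power-of-two size so wrap-around is a mask; the head index is
 * published with a release store and read with an acquire load (C11 atomics
 * standing in for smp_store_release()/smp_load_acquire()) so the payload is
 * visible before the index that covers it. Names and size are assumptions. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RB_SIZE 16u                             /* must be a power of two */
#define RB_MASK (RB_SIZE - 1u)

/* Same expressions as the kernel's linux/circ_buf.h; only correct when
 * size is a power of two, which is why the buffer is sized that way. */
#define CIRC_CNT(head, tail, size)   (((head) - (tail)) & ((size) - 1))
#define CIRC_SPACE(head, tail, size) CIRC_CNT((tail), ((head) + 1), (size))

struct ring {
    uint8_t buf[RB_SIZE];
    _Atomic unsigned head;                      /* written by the producer only */
    _Atomic unsigned tail;                      /* written by the consumer only */
};

bool is_pow2(unsigned n)
{
    return n != 0 && (n & (n - 1)) == 0;
}

void ring_init(struct ring *r)
{
    memset(r->buf, 0, sizeof(r->buf));
    atomic_init(&r->head, 0);
    atomic_init(&r->tail, 0);
}

/* Producer: copy `len` bytes in if they all fit, then publish the new head.
 * The release store orders the byte writes before the index update. */
size_t ring_write(struct ring *r, const void *src, size_t len)
{
    unsigned head = atomic_load_explicit(&r->head, memory_order_relaxed);
    unsigned tail = atomic_load_explicit(&r->tail, memory_order_acquire);
    const uint8_t *s = src;

    if (len > CIRC_SPACE(head, tail, RB_SIZE))
        return 0;                               /* reject rather than write partially */
    for (size_t i = 0; i < len; i++)
        r->buf[(head + i) & RB_MASK] = s[i];    /* wrap by masking, no modulo */
    atomic_store_explicit(&r->head, head + (unsigned)len, memory_order_release);
    return len;
}

/* Consumer: the acquire load of head pairs with the producer's release, so
 * every byte below head is already visible when it is copied out. */
size_t ring_read(struct ring *r, void *dst, size_t len)
{
    unsigned head = atomic_load_explicit(&r->head, memory_order_acquire);
    unsigned tail = atomic_load_explicit(&r->tail, memory_order_relaxed);
    size_t avail = CIRC_CNT(head, tail, RB_SIZE);
    uint8_t *d = dst;

    if (len > avail)
        len = avail;
    for (size_t i = 0; i < len; i++)
        d[i] = r->buf[(tail + i) & RB_MASK];
    atomic_store_explicit(&r->tail, tail + (unsigned)len, memory_order_release);
    return len;
}

/* FIFO check across a wrap: 10 in, 10 rejected (only 15 slots are usable),
 * 4 out, 5 in, the rest out; bytes must come back in order. Returns 1 if so. */
int scenario_fifo_across_wrap(void)
{
    struct ring r;
    uint8_t in[15], out[16];

    ring_init(&r);
    for (size_t i = 0; i < sizeof(in); i++)
        in[i] = (uint8_t)i;
    if (ring_write(&r, in, 10) != 10)       return 0;
    if (ring_write(&r, in, 10) != 0)        return 0;   /* only 5 slots left */
    if (ring_read(&r, out, 4) != 4)         return 0;
    if (ring_write(&r, in + 10, 5) != 5)    return 0;   /* 9 slots free again */
    if (ring_read(&r, out + 4, 16) != 11)   return 0;
    return memcmp(in, out, sizeof(in)) == 0;
}
```

The indices are never reduced modulo the size; they count up and only the buffer access is masked, which is what makes CIRC_CNT/CIRC_SPACE correct even when the unsigned counters wrap.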

21 months ago  misc: tegra-profiler: fix coverity defect
Igor Nabirushkin [Sun, 12 Mar 2017 21:04:54 +0000]
misc: tegra-profiler: fix coverity defect

Fix coverity defect "Bad bit shift operation".

Coverity ID: 33234

Bug 200192567

Change-Id: I7f0edb9c41ac9a9b624bafab3eab660968e57fef
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1319568
(cherry picked from commit 40a0e6c7d697b72a05258c587c6062c9c6f09c65)

21 months ago  misc: tegra-profiler: fix dwarf unwinding
Igor Nabirushkin [Sat, 11 Mar 2017 14:21:51 +0000]
misc: tegra-profiler: fix dwarf unwinding

DWARF unwinding: do not stop unwinding if stack is not growing
at the first function in call chain.
This patch fixes broken backtraces in leaf functions with
empty FDE entries.

Bug 1887662

Change-Id: Ib3d577afc20c923b6240e797482717f1a3e00ea4
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1319323
(cherry picked from commit 82729960283f432cdbfc82af546dbfbde3e2cd7f)

21 months ago  misc: tegra-profiler: verify stack pointer
Igor Nabirushkin [Sun, 29 Jan 2017 20:33:13 +0000]
misc: tegra-profiler: verify stack pointer

Add additional stack pointer verification for DWARF unwinding
since stack always has to grow downwards in memory.
This commit prevents infinite loop when FDE entry is empty.

Bug 1868657

Change-Id: I4e8eda697606f2b9ca9d613b35ffad5a39a14be7
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1295733
(cherry picked from commit 832bcf45afce219eb4beb8d0ad385f07ef40ac95)
Reviewed-on: http://git-master/r/1302041
(cherry picked from commit c9848e202c00f1ccc5edf14cb7c080c63ec119c9)

21 months ago  misc: tegra-profiler: fix crash in dwarf unwinding
Igor Nabirushkin [Wed, 11 Jan 2017 10:45:30 +0000]
misc: tegra-profiler: fix crash in dwarf unwinding

Do not update sections information in sched context,
it is not safe.

Bug 200246808

Change-Id: Iadca09f29e62d57330430c3325ccbc9ac8280f88
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1252603
(cherry picked from commit 819e89ac73a5f62f04cbdea328683c25332ba71b)
Reviewed-on: http://git-master/r/1283451
(cherry picked from commit 247a28b42dc1f67c011b5c50af9ebdd35d6eb1c6)
Reviewed-on: http://git-master/r/1302040
(cherry picked from commit 846036e40df43448784389e087e8f9397396a57c)

21 months ago  misc: tegra-profiler: fix backtraces
Igor Nabirushkin [Mon, 9 Jan 2017 17:39:36 +0000]
misc: tegra-profiler: fix backtraces

Fix missed user address for unwinding from the kernel context.

Bug 1859763

Change-Id: Ia5d1fc779f47a954f624ee16dd4353910d62de05
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1282285
(cherry picked from commit 57babc79f6edaaec3e4c43962e3db7c7ecec7749)
Reviewed-on: http://git-master/r/1302039
(cherry picked from commit d9d001cd59e020a25f7b6bde0481070f34a1f5dd)

21 months ago  misc: tegra-profiler: fix a potential crash
Igor Nabirushkin [Wed, 21 Dec 2016 11:42:08 +0000]
misc: tegra-profiler: fix a potential crash

Incorrect cpu number in ioctl can lead to system crash.
Add additional validations to prevent the potential crash.

Bug 1855617

Change-Id: Ib87e3999da9212fbd22f5a46b5615c860c895af5
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1274785
(cherry picked from commit b3738f63c28da9fe8a9acba8a7ef419e70b641fb)
Reviewed-on: http://git-master/r/1302038
(cherry picked from commit 44a80bd56710447a195f04da2e1a8a8810775453)

21 months ago  misc: tegra-profiler: fix pmu init failure
Igor Nabirushkin [Mon, 5 Dec 2016 10:18:07 +0000]
misc: tegra-profiler: fix pmu init failure

On some linux-linux systems, midr register can be zeroed for
cores which are not really present in VM and this leads to PMU
initialization failure.
Process such cores correctly.
Do not show them in capabilities.

Bug 1848139

Change-Id: Id434a8e2cf4a323d49bdffe9ac06d837b05474ed
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1270083
(cherry picked from commit 13569332e89040fe6a5ad05587ab52005055f4e6)
Reviewed-on: http://git-master/r/1274708
(cherry picked from commit 0889663b7fd527c06c37d0b25157eefce8b260b2)

21 months ago  misc: tegra_profiler: fix dwarf unwinding
Igor Nabirushkin [Wed, 30 Nov 2016 09:29:26 +0000]
misc: tegra_profiler: fix dwarf unwinding

Problem is that on systems with a 64-bit kernel and 32-bit userspace,
the read_user_data function reads a 32-bit value into an uninitialized 64-bit
variable, so the high half of the variable might be dirty.
Use a 32-bit temporary variable in such cases.

Bug 1846986

Change-Id: I2b024a00da536ad95e12e354597bde9811ca7998
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1262234
(cherry picked from commit d58031aa0cb381ecc5a8c11d08b81a141c435244)
Reviewed-on: http://git-master/r/1274707
(cherry picked from commit 8b990d05eb94c305642dc2fbd8f79bc00bce0308)
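Three of the unwinder fixes above are easier to see in one walker: the stack-pointer check ("verify stack pointer": the CFA must end up above the current sp, otherwise an empty FDE makes the walk re-read the same frame forever), its refinement ("fix dwarf unwinding": at the first frame an empty FDE is legitimate because the return address is still in the link register), and the 32-bit read above (a 4-byte user word goes through a 32-bit temporary and is widened, never read into an uninitialised 64-bit variable). The block below is an added example, not the profiler's code: a toy DWARF-style frame walker over a constructed user stack. USTACK_BASE, the FDE table, read_user_data(), unwind() and the scenario functions are all assumptions made for the example.

```c
/* Added example, not the profiler's code: a toy DWARF-style frame walker
 * over a constructed user stack, showing (1) the "CFA must move up" check,
 * (2) the leaf-frame exception that continues from lr, and (3) compat reads
 * through a u32 temporary. The stack, FDE table and names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define USTACK_BASE 0x7ff00000ull               /* assumed user stack address */
static uint8_t ustack[256];                      /* constructed user stack */

/* Minimal FDE table: for a pc range, how far the CFA sits above sp.
 * cfa_off == 0 models an "empty" FDE (a leaf that never adjusted sp). */
struct fde { uint64_t lo, hi; uint32_t cfa_off; };
static const struct fde fde_table[] = {
    { 0x1000, 0x1100, 0  },                      /* leaf with empty FDE */
    { 0x2000, 0x2100, 32 },
    { 0x3000, 0x3100, 48 },
    { 0x4000, 0x4100, 16 },
};

static const struct fde *find_fde(uint64_t pc)
{
    for (size_t i = 0; i < sizeof(fde_table) / sizeof(fde_table[0]); i++)
        if (pc >= fde_table[i].lo && pc < fde_table[i].hi)
            return &fde_table[i];
    return NULL;
}

/* Fetch one pointer-sized word from the user stack. In compat mode the
 * word is 4 bytes and goes through a u32 temporary, so the upper half of
 * *val is a genuine zero-extension rather than stack garbage. */
static bool read_user_data(uint64_t addr, bool compat, uint64_t *val)
{
    size_t width = compat ? 4 : 8;
    if (addr < USTACK_BASE || addr + width > USTACK_BASE + sizeof(ustack))
        return false;                            /* unmapped: validation fails */
    const uint8_t *p = ustack + (addr - USTACK_BASE);
    if (compat) {
        uint32_t tmp;
        memcpy(&tmp, p, sizeof(tmp));
        *val = tmp;
    } else {
        memcpy(val, p, sizeof(*val));
    }
    return true;
}

/* Walk from (pc, sp, lr). Records each pc in out[]; returns the count. */
int unwind(uint64_t pc, uint64_t sp, uint64_t lr, bool compat, uint64_t *out, int max)
{
    size_t ra_width = compat ? 4 : 8;
    int n = 0;

    while (n < max) {
        out[n++] = pc;
        const struct fde *f = find_fde(pc);
        if (!f)
            break;                               /* no unwind info: stop */
        uint64_t cfa = sp + f->cfa_off;
        if (cfa == sp && n == 1) {
            pc = lr;                             /* leaf: caller is in lr, sp unchanged */
            continue;
        }
        if (cfa <= sp)
            break;                               /* stack did not grow: would loop */
        uint64_t ra;
        if (!read_user_data(cfa - ra_width, compat, &ra))
            break;
        pc = ra;
        sp = cfa;
    }
    return n;
}

static void put64(uint64_t a, uint64_t v) { memcpy(ustack + (a - USTACK_BASE), &v, 8); }
static void put32(uint64_t a, uint32_t v) { memcpy(ustack + (a - USTACK_BASE), &v, 4); }

/* 64-bit chain: leaf 0x1010 (empty FDE, lr = 0x2010) -> 0x2010 -> 0x3010
 * -> 0x4010 -> 0x9999 (no FDE, walk ends). Returns the frame count, 5. */
int scenario_64bit_chain(void)
{
    uint64_t sp = USTACK_BASE + 0x10, frames[32];
    memset(ustack, 0, sizeof(ustack));
    put64(sp + 32 - 8, 0x3010);                  /* 0x2010's return address at CFA-8 */
    put64(sp + 32 + 48 - 8, 0x4010);
    put64(sp + 32 + 48 + 16 - 8, 0x9999);
    int n = unwind(0x1010, sp, 0x2010, false, frames, 32);
    return n == 5 && frames[4] == 0x9999 ? n : -1;
}

/* A non-leaf frame with an empty FDE: the check ends the walk after two
 * frames instead of spinning until the depth limit. Returns 2. */
int scenario_empty_fde_terminates(void)
{
    uint64_t sp = USTACK_BASE + 0x10, frames[32];
    memset(ustack, 0, sizeof(ustack));
    put64(sp + 32 - 8, 0x1010);                  /* caller's pc has an empty FDE */
    return unwind(0x2010, sp, 0, false, frames, 32);
}

/* 32-bit chain: 4-byte return addresses with 0xFF junk everywhere else, which
 * a careless 8-byte read would fold into the pc. Returns 1 when every pc is clean. */
int scenario_compat_chain(void)
{
    uint64_t sp = USTACK_BASE + 0x10, frames[32];
    memset(ustack, 0xFF, sizeof(ustack));
    put32(sp + 32 - 4, 0x3010);
    put32(sp + 32 + 48 - 4, 0x4010);
    put32(sp + 32 + 48 + 16 - 4, 0x9999);
    int n = unwind(0x1010, sp, 0x2010, true, frames, 32);
    return n == 5 && frames[2] == 0x3010 && frames[3] == 0x4010 && frames[4] == 0x9999;
}
```

Removing the `cfa <= sp` check and re-running scenario_empty_fde_terminates() shows the failure mode the commit describes: the same return address is read from the same slot on every iteration until the depth limit stops the loop.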

21 months ago  tegra-profiler: convert spinlock to raw spinlock
Igor Nabirushkin [Mon, 21 Nov 2016 11:55:35 +0000]
tegra-profiler: convert spinlock to raw spinlock

The profiler kernel thread tries to acquire a spinlock for the ring buffer
that was already locked before; this leads to a BUG_ON in rt_mutex.
Convert this lock to a raw lock, which prevents preemption during
the critical sections.
This commit fixes the bug on -rt kernels.

Bug 1843939

Change-Id: I3f4c0d28d13cb1c117dae4699fc79f466e72825f
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1257247
(cherry picked from commit 7fb4665bde29ee5b4ab96618cc6b19c1ce9a59a6)
Reviewed-on: http://git-master/r/1274706
(cherry picked from commit 86f2c7adeac42096d46e5f531f6a8e1bf5a72826)

21 months ago  misc: tegra-profiler: add timestamps to mmap event
Igor Nabirushkin [Mon, 10 Oct 2016 13:17:40 +0000]
misc: tegra-profiler: add timestamps to mmap event

- Add timestamps to mmap events.
- Add size of sample data (useful for user space).

Bug 1825161

Change-Id: I13d63f938d891eac1e697fab1d6118a57a5faa4b
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1236250
(cherry picked from commit d0a5f9f394af8462bca1690abf7ee2cd8d8a5ca3)
Reviewed-on: http://git-master/r/1251886
(cherry picked from commit 32858420961ae8c615638050f1be320f5833c21c)

21 months ago  misc: tegra-profiler: fix possible deadlock
Igor Nabirushkin [Fri, 2 Sep 2016 15:08:26 +0000]
misc: tegra-profiler: fix possible deadlock

power_clk: fix possible deadlock in read_source - move
cpufreq_get call out of power_clk_source lock.

Bug 200224828

Change-Id: Ia06159ccf5c084840818917ca10dcd667c347650
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1216914
(cherry picked from commit 2d9bc2aa4fb102cb3f4064524503d76905240504)
Reviewed-on: http://git-master/r/1251883
(cherry picked from commit 3e413f90129a50346ccf6510033ec1715c1fcba8)

21 months ago  misc: tegra-profiler: fix sleep inside atomic
Igor Nabirushkin [Thu, 1 Sep 2016 06:49:43 +0000]
misc: tegra-profiler: fix sleep inside atomic

Unwinding: fix possible sleep in atomic context.

Bug 200214930
Bug 200224828

Change-Id: Iaca298a689d14a5eb46fea01c24d72c56fd44a79
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1216911
(cherry picked from commit 2decd51ef944f4804099bee4a1ebd2aca4e7ac47)
Reviewed-on: http://git-master/r/1251881
(cherry picked from commit 71d4937be67ec177c23131a3252752a939c778ca)

21 months ago  misc: tegra-profiler: remove polling mode
Igor Nabirushkin [Tue, 23 Aug 2016 08:25:14 +0000]
misc: tegra-profiler: remove polling mode

Tegra Profiler: remove polling mode (we don't use this mode).

Bug 1801804

Change-Id: Ifef37af2e05322c9de8c15c13c3782abb1dc29f6
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1208894
(cherry picked from commit 6e8d6cc08aeedc0d7308d9f66206fcaf46005045)
Reviewed-on: http://git-master/r/1251878
(cherry picked from commit c801413829a2e9a3648e0b3277c1047657e0f553)

21 months ago  misc: tegra-profiler: fix validate_addr errors
Igor Nabirushkin [Fri, 11 Nov 2016 09:22:49 +0000]
misc: tegra-profiler: fix validate_addr errors

DWARF unwinding: do not try to read from unloaded sections

Bug 200176624

Change-Id: I2c0f90857a036a59ef80f905a5d7c7d2faea78b3
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1168215
(cherry picked from commit b099bf6ed21bb3ff57ad5fe2f18849e67dc8b437)
Reviewed-on: http://git-master/r/1249596
(cherry picked from commit a2edf3f388259bf4b2bca0e0bd4cdec1707bf75e)

21 months ago misc: tegra-profiler: fix coverity defects
Igor Nabirushkin [Sun, 5 Jun 2016 12:58:52 +0000]
misc: tegra-profiler: fix coverity defects

Fix coverity defects. Use strlcpy() instead of strcpy() and
snprintf() instead of sprintf().

Coverity ID 24003 24004 24005 24006

Bug 200192567

Change-Id: Ifd33023ea9cf622e0376bcd249d5f0c4da28abfa
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1171557
(cherry picked from commit 503371a9301b85f92b395497199a082754ed2b48)
Reviewed-on: http://git-master/r/1249594
(cherry picked from commit d054a43aca021ea757ed1428269ffd402be7526f)

21 months ago misc: tegra-profiler: fix coverity defect
Igor Nabirushkin [Sat, 4 Jun 2016 10:38:58 +0000]
misc: tegra-profiler: fix coverity defect

Fix coverity defect "Use of untrusted scalar value".

Coverity ID 24041

Bug 200192567

Change-Id: I92b4464525f45481e23a4fcfe2aea51de8cb8e07
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1171552
(cherry picked from commit a3f967b70c47aa583ef2e1f4164c688ed641f388)
Reviewed-on: http://git-master/r/1249584
(cherry picked from commit 17f5d17ac835466558832cf6ed67eb72d2fc28c1)

21 months ago misc: tegra-profiler: fix coverity defect
Igor Nabirushkin [Sat, 4 Jun 2016 09:10:08 +0000]
misc: tegra-profiler: fix coverity defect

Fix coverity defect "Buffer not null terminated".

Coverity ID 23890

Bug 200192567

Change-Id: I5c55c7f0460b45a9185eb790338fc01b301bb10c
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1171551
(cherry picked from commit 2d10b141f51e39602f1fe4c566c55ad3db184b07)
Reviewed-on: http://git-master/r/1249582
(cherry picked from commit 4e8a826423196af98fbdc0a5adc5d14b696e75b5)

21 months ago misc: tegra-profiler: fix coverity defect
Igor Nabirushkin [Sat, 4 Jun 2016 04:27:33 +0000]
misc: tegra-profiler: fix coverity defect

Fix coverity defect "Out-of-bounds access".

Coverity ID 29588

Bug 200192567

Change-Id: I8d1057d29216eeabdd24686fa12a52d7e2a220d4
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1171550
(cherry picked from commit 7c76afae5c3fcac4c7365d3fd1fb5706e2b64446)
Reviewed-on: http://git-master/r/1249579
(cherry picked from commit 2ffb50ff95239cf489672c30f1ba40014e780da5)

21 months ago tegra-profiler: fix unused function build issue
Sri Krishna chowdary [Tue, 24 May 2016 15:14:00 +0000]
tegra-profiler: fix unused function build issue

Fix the compilation issues below, pointed out by clang:

eh_unwind.c:182:1: error: unused function 'prel31_to_addr'
dwarf_unwind.c:441:1: error: unused function 'set_rule_reg'
armv8_pmu.c:236:1: error: unused function 'armv8_pmu_pmintenset_read'
armv8_pmu.c:246:1: error: unused function 'armv8_pmu_pmintenset_write'
armv8_pmu.c:260:1: error: unused function 'armv8_pmu_pmovsclr_read'
armv8_pmu.c:364:1: error: unused function 'disable_interrupt'
armv8_pmu.c:612:1: error: unused function 'pmu_read_emulate'

bug 1745660

Change-Id: If4a57aa0bfc375980357e3d92bdadac0b165695a
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1171549
(cherry picked from commit 4c4d58f49c61ebfe3b729b30166ddd9fe309977d)
Reviewed-on: http://git-master/r/1249578
(cherry picked from commit fee6b59514b50811bf66f8d531fd692bce63b29e)

21 months ago misc: tegra-profiler: fix compilation issue
Igor Nabirushkin [Thu, 19 May 2016 09:06:37 +0000]
misc: tegra-profiler: fix compilation issue

Fix the compilation issue below:

dwarf_unwind.c:2044:1: error: stack frame size of 2080 bytes in
function 'quadd_get_user_cc_dwarf' [-Werror,-Wframe-larger-than=]

bug 1745660

Change-Id: I1b30ff58a1f636a2f0fe4160d0141a3bdf268675
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1159465
(cherry picked from commit afff85102772697e5df2e18d0b94e1fe4dc29a3f)
Reviewed-on: http://git-master/r/1249576
(cherry picked from commit 667313a3cf7ceb84c4bf2e60dcebaaaee0f5c7ca)

21 months ago misc: tegra-profiler: fix getting capabilities
Alexey Kravets [Mon, 9 Nov 2015 10:32:08 +0000]
misc: tegra-profiler: fix getting capabilities

Bug 1416640

Change-Id: I96bef5e1f7326a8ba3e3e63a2d764f937b252da5
Signed-off-by: Alexey Kravets <akravets@nvidia.com>
Reviewed-on: http://git-master/r/830693
(cherry picked from commit 3576da34ba83153968df2121627d939562f81cec)
Reviewed-on: http://git-master/r/1249570
(cherry picked from commit 7e0b6b87c5410e0e5b65fda68678fb835a5ba405)

21 months ago mm: larger stack guard gap, between vmas
Sri Krishna chowdary [Fri, 23 Jun 2017 06:26:03 +0000]
mm: larger stack guard gap, between vmas

commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.

Stack guard page is a useful feature to reduce a risk of stack smashing
into a different mapping. We have been using a single page gap which
is sufficient to prevent having stack adjacent to a different mapping.
But this seems to be insufficient in the light of the stack usage in
userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
used functions. Others use constructs like gid_t buffer[NGROUPS_MAX]
which is 256kB or stack strings with MAX_ARG_STRLEN.

This will become especially dangerous for suid binaries and the default
no limit for the stack size limit because those applications can be
tricked to consume a large portion of the stack and a single glibc call
could jump over the guard page. These attacks are not theoretical,
unfortunately.

Make those attacks less probable by increasing the stack guard gap
to 1MB (on systems with 4k pages; but make it depend on the page size
because systems with larger base pages might cap stack allocations in
the PAGE_SIZE units) which should cover larger alloca() and VLA stack
allocations. It is obviously not a full fix because the problem is
somehow inherent, but it should reduce attack space a lot.

One could argue that the gap size should be configurable from userspace,
but that can be done later when somebody finds that the new 1MB is wrong
for some special case applications.  For now, add a kernel command line
option (stack_guard_gap) to specify the stack gap size (in page units).

Implementation-wise, first delete all the old code for stack guard page:
because although we could get away with accounting one extra page in a
stack vma, accounting a larger gap can break userspace - case in point,
a program run with "ulimit -S -v 20000" failed when the 1MB gap was
counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
and strict non-overcommit mode.

Instead of keeping gap inside the stack vma, maintain the stack guard
gap as a gap between vmas: using vm_start_gap() in place of vm_start
(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
places which need to respect the gap - mainly arch_get_unmapped_area(),
and the vma tree's subtree_gap support for that.

Bug 1946430

Change-Id: I9a66aabc34b687996fb971e01bb0ef30a3d4de7d
Original-patch-by: Oleg Nesterov <oleg@redhat.com>
Original-patch-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Tested-by: Helge Deller <deller@gmx.de> # parisc
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: backport to 4.11: adjust context]
[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide]
[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1509433
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

22 months ago video: tegra: dsi: Set max limit for reading panel
Pavan Kunapuli [Thu, 16 Mar 2017 14:02:06 +0000]
video: tegra: dsi: Set max limit for reading panel

In the debugfs support for reading panel registers, max payload
needs to be limited to the buff array size to avoid stack corruption.

Bug 1873360

Change-Id: Ibee7bd81027d2669297942c09b905f1dd3bb09ee
Signed-off-by: Pavan Kunapuli <pkunapuli@nvidia.com>
Signed-off-by: sakets <sakets@nvidia.com>
Reviewed-on: https://git-master/r/1505449
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>