2 years ago mm: remove gup_flags FOLL_WRITE games from __get_user_pages() rel-24-foster-r7
Gagan Grover [Fri, 21 Oct 2016 08:25:48 +0000]
mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.

This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better).  The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9.  Earlier kernels will
have to look at the page state itself.

Also, the VM has become more scalable, and what used to be a purely
theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.

Change-Id: I13a55845a79f92c0c90228a229947d2bdf616a4a
Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
     s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1241290
Reviewed-by: Eric Chuang <echuang@nvidia.com>
Tested-by: Eric Chuang <echuang@nvidia.com>

2 years ago ARM64: tegra21: increase max vpr to 750MB for foster
Sri Krishna chowdary [Mon, 26 Sep 2016 09:58:31 +0000]
ARM64: tegra21: increase max vpr to 750MB for foster

The worst case requirement for vpr is 750 MB as we
support up to 4K resolution.

bug 1787861

Change-Id: I902bd47c953cbfdb758c23f8a17aefc769f7b1f0
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1226940
(cherry picked from commit c712f49ab478a21903cd6c48c27eadd38ea710e7)
Reviewed-on: http://git-master/r/1228180
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago netfilter: x_tables: fix unconditional helper
Florian Westphal [Tue, 22 Mar 2016 17:02:52 +0000]
netfilter: x_tables: fix unconditional helper

Ben Hawkes says:

 In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
 is possible for a user-supplied ipt_entry structure to have a large
 next_offset field. This field is not bounds checked prior to writing a
 counter value at the supplied offset.

Problem is that mark_source_chains should not have been called --
the rule doesn't have a next entry, so it's supposed to return
an absolute verdict of either ACCEPT or DROP.

However, the function conditional() doesn't work as the name implies.
It only checks that the rule is using wildcard address matching.

However, an unconditional rule must also not be using any matches
(no -m args).

The underflow validator only checked the addresses, therefore
passing the 'unconditional absolute verdict' test, while
mark_source_chains also tested for presence of matches, and thus
proceeded to the next (non-existent) rule.

Unify this so that all the callers have same idea of 'unconditional rule'.

Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Bug 1797728

Change-Id: I7884811fd948fed4e18f1a0d38792bce4b397ed9
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214549
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
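
The mismatch this commit message describes, as an added user-space model (not code from the commit): one caller treated a rule as unconditional on wildcard addresses alone, while the chain walker also required the absence of matches. The struct layouts, helper names and the 40-byte target size are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for struct ipt_ip and struct ipt_entry (assumed
 * layout for this example, not the kernel definitions). Matches and the
 * target would follow the entry header in memory; they are not modelled. */
struct model_ip {
    uint32_t src, dst, smsk, dmsk;
    char     iniface[16], outiface[16];
    uint16_t proto;
    uint8_t  flags, invflags;
};

struct model_entry {
    struct model_ip ip;
    uint16_t target_offset;   /* header size + size of all matches */
    uint16_t next_offset;     /* header + matches + target */
};

#define ENTRY_HDR ((uint16_t)sizeof(struct model_entry))

/* Wildcard address matching: every field of the IP part is zero. */
static bool ip_is_wildcard(const struct model_entry *e)
{
    static const struct model_ip uncond;   /* zero-initialised */
    return memcmp(&e->ip, &uncond, sizeof(uncond)) == 0;
}

/* Unified definition: wildcard addresses AND no matches, i.e. the target
 * starts directly after the entry header. */
static bool unconditional(const struct model_entry *e)
{
    return e->target_offset == ENTRY_HDR && ip_is_wildcard(e);
}

/* Pre-fix underflow validator: looked at the addresses only. */
static bool underflow_ok_old(const struct model_entry *e)
{
    return ip_is_wildcard(e);
}

/* Post-fix underflow validator: uses the shared helper. */
static bool underflow_ok_fixed(const struct model_entry *e)
{
    return unconditional(e);
}

/* The chain walker stops at a rule only if it has no matches either;
 * otherwise it continues to the entry at next_offset. */
static bool walker_stops(const struct model_entry *e)
{
    return unconditional(e);
}

/* Build a constructed rule carrying match_bytes of "-m" match data. */
static struct model_entry make_rule(uint16_t match_bytes,
                                    uint32_t src, uint32_t smsk)
{
    struct model_entry e;

    memset(&e, 0, sizeof(e));
    e.ip.src = src;
    e.ip.smsk = smsk;
    e.target_offset = (uint16_t)(ENTRY_HDR + match_bytes);
    e.next_offset = (uint16_t)(e.target_offset + 40); /* assumed target size */
    return e;
}

int main(void)
{
    /* Wildcard addresses but one match attached (constructed sample). */
    struct model_entry with_match = make_rule(32, 0, 0);

    printf("old validator accepts as underflow: %d\n",
           underflow_ok_old(&with_match));
    printf("walker treats it as terminal:       %d\n",
           walker_stops(&with_match));
    printf("fixed validator accepts:            %d\n",
           underflow_ok_fixed(&with_match));
    return 0;
}
```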

2 years ago usbnet: cleanup after bind() in probe()
Oliver Neukum [Mon, 7 Mar 2016 10:31:10 +0000]
usbnet: cleanup after bind() in probe()

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
http://www.spinics.net/lists/netdev/msg367669.html
and needs to go on top of Linus' fix to cdc-ncm.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Bug 1797728

(cherry picked from commit 1666984c8625b3db19a9abc298931d35ab7bc64b)
Change-Id: Ibc50a06dee69894e18bb62f5969e1718138395cf
(cherry picked from commit f10f1a249226dfac19ce97b606bb5cea814e63ca)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214495
Reviewed-by: Jinyoung Park <jinyoungp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago UPSTREAM: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
Bjørn Mork [Fri, 8 Jul 2016 18:14:51 +0000]
UPSTREAM: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind

(cherry pick from commit 4d06dd537f95683aba3651098ae288b7cbff8274)

usbnet_link_change will call schedule_work and should be
avoided if bind is failing. Otherwise we will end up with
scheduled work referring to a netdev which has gone away.

Instead of making the call conditional, we can just defer
it to usbnet_probe, using the driver_info flag made for
this purpose.

Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
Reported-by: Andrey Konovalov <andreyknvl@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Id9a6d02bdd98bf495d26595cf2cc90e480746186
Bug: 28744625
Bug 1797728
(cherry picked from commit e0328ff123d1085b05f4e8b0ccde9c9e5203b61c)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213267
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jinyoung Park <jinyoungp@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue
Rainer Weikusat [Fri, 20 Nov 2015 22:07:23 +0000]
UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue

(cherry picked from commit 7d267278a9ece963d77eefec61630223fce08c6c)

Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
An AF_UNIX datagram socket being the client in an n:1 association with
some server socket is only allowed to send messages to the server if the
receive queue of this socket contains at most sk_max_ack_backlog
datagrams. This implies that prospective writers might be forced to go
to sleep despite none of the messages presently enqueued on the server
receive queue were sent by them. In order to ensure that these will be
woken up once space becomes again available, the present unix_dgram_poll
routine does a second sock_poll_wait call with the peer_wait wait queue
of the server socket as queue argument (unix_dgram_recvmsg does a wake
up on this queue after a datagram was received). This is inherently
problematic because the server socket is only guaranteed to remain alive
for as long as the client still holds a reference to it. In case the
connection is dissolved via connect or by the dead peer detection logic
in unix_dgram_sendmsg, the server socket may be freed despite "the
polling mechanism" (in particular, epoll) still has a pointer to the
corresponding peer_wait queue. There's no way to forcibly deregister a
wait queue with epoll.

Based on an idea by Jason Baron, the patch below changes the code such
that a wait_queue_t belonging to the client socket is enqueued on the
peer_wait queue of the server whenever the peer receive queue full
condition is detected by either a sendmsg or a poll. A wake up on the
peer queue is then relayed to the ordinary wait queue of the client
socket via wake function. The connection to the peer wait queue is again
dissolved if either a wake up is about to be relayed or the client
socket reconnects or a dead peer is detected or the client socket is
itself closed. This enables removing the second sock_poll_wait from
unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
that no blocked writer sleeps forever.

Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
Reviewed-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e
Bug: 29119002
Bug 1797728
(cherry picked from commit fe182ffd23b2db9ab321acb691212e7eec0383c5)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214547
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago ppp: take reference on channels netns
Guillaume Nault [Wed, 23 Mar 2016 15:38:55 +0000]
ppp: take reference on channels netns

Let channels hold a reference on their network namespace.
Some channel types, like ppp_async and ppp_synctty, can have their
userspace controller running in a different namespace. Therefore they
can't rely on them to preclude their netns from being removed from
under them.

==================================================================
BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
addr ffff880064e217e0
Read of size 8 by task syz-executor/11581
=============================================================================
BUG net_namespace (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
[<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
[<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
[<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
[<     inline     >] slab_alloc kernel/mm/slub.c:2574
[<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
[<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
[<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
[<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
[<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
[<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
[<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
[<     inline     >] copy_process kernel/kernel/fork.c:1274
[<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
[<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
[<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185

INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
[<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
[<     inline     >] slab_free kernel/mm/slub.c:2805
[<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
[<     inline     >] net_free kernel/net/core/net_namespace.c:341
[<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
[<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
[<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
[<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
[<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
[<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
flags=0x5fffc0000004080
INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200

CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
 ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
 ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
Call Trace:
 [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
 [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
 [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
 [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
 [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
 [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
 [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
 [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
 [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
 [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
 [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
 [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
 [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
 [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
 [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
 [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
 [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
 [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
 [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
 [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
 [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
 [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
 [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
 [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
 [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
 [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
 [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
 [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
 [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
 [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
 [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
 [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
 [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
 [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
 [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
 [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
 [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
 [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
 [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
 [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
 [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
 [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
 [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
Memory state around the buggy address:
 ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 1797728

Change-Id: I5e04b3c178b408af0412f635714b4bb3d2ff6a44
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214545
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago ipv6: Don't reduce hop limit for an interface
D.S. Ljungmark [Wed, 25 Mar 2015 08:28:15 +0000]
ipv6: Don't reduce hop limit for an interface

A local route may have a lower hop_limit set than global routes do.

RFC 3756, Section 4.2.7, "Parameter Spoofing"

>   1.  The attacker includes a Current Hop Limit of one or another small
>       number which the attacker knows will cause legitimate packets to
>       be dropped before they reach their destination.

>   As an example, one possible approach to mitigate this threat is to
>   ignore very small hop limits.  The nodes could implement a
>   configurable minimum hop limit, and ignore attempts to set it below
>   said limit.

Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 1797728

Change-Id: Ib639dde094374ad892c5cb24488a68eb14fabd8d
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214541
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago UPSTREAM: netfilter: x_tables: validate e->target_offset early
Florian Westphal [Tue, 22 Mar 2016 17:02:49 +0000]
UPSTREAM: netfilter: x_tables: validate e->target_offset early

(cherry pick from commit bdf533de6968e9686df777dc178486f600c6e617)

We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Ic2dbc31c9525d698e94d4d8875886acf3524abbd
Bug: 29637687
Bug 1797728
(cherry picked from commit 7ed1e120e1cc31bea816709c25ebb80203ce9f1b)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214540
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago udp: fix behavior of wrong checksums
Eric Dumazet [Sat, 30 May 2015 16:16:53 +0000]
udp: fix behavior of wrong checksums

We have two problems in UDP stack related to bogus checksums :

1) We return -EAGAIN to application even if receive queue is not empty.
   This breaks applications using edge trigger epoll()

2) Under UDP flood, we can loop forever without yielding to other
   processes, potentially hanging the host, especially on non SMP.

This patch is an attempt to make things better.

We might in the future add extra support for rt applications
wanting to better control time spent doing a recv() in a hostile
environment. For example we could validate checksums before queuing
packets in socket receive queue.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 1797728

Change-Id: Ifed7af7b676fe46ad47437c19be50671efb07054
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214539
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago ipv4: try to cache dst_entries which would cause a redirect
Hannes Frederic Sowa [Fri, 23 Jan 2015 11:01:26 +0000]
ipv4: try to cache dst_entries which would cause a redirect

Not caching dst_entries which cause redirects could be exploited by hosts
on the same subnet, causing a severe DoS attack. This effect aggravated
since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").

Lookups causing redirects will be allocated with DST_NOCACHE set which
will force dst_release to free them via RCU.  Unfortunately waiting for
RCU grace period just takes too long, we can end up with >1M dst_entries
waiting to be released and the system will run OOM. rcuos threads cannot
catch up under high softirq load.

Attaching the flag to emit a redirect later on to the specific skb allows
us to cache those dst_entries thus reducing the pressure on allocation
and deallocation.

This issue was discovered by Marcelo Leitner.

Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 1797728

Change-Id: I7d6fed96b599c8e10cb905c9e9824b134b4646d4
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214535
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago UPSTREAM: ASN.1: Fix non-match detection failure on data overrun
David Howells [Mon, 11 Jul 2016 21:18:11 +0000]
UPSTREAM: ASN.1: Fix non-match detection failure on data overrun

(cherry pick from commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f)

If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
matches get skipped if there's no more data to be had rather than a
data-overrun error being reported.

This is due to the code segment that decides whether to skip optional
matches (ie. matches that could get ignored because an element is marked
OPTIONAL in the grammar) due to a lack of data also skips non-optional
elements if the data pointer has reached the end of the buffer.

This can be tested with the data decoder for the new RSA akcipher algorithm
that takes three non-optional integers.  Currently, it skips the last
integer if there is insufficient data.

Without the fix, #defining DEBUG in asn1_decoder.c will show something
like:

next_op: pc=0/13 dp=0/270 C=0 J=0
- match? 30 30 00
- TAG: 30 266 CONS
next_op: pc=2/13 dp=4/270 C=1 J=0
- match? 02 02 00
- TAG: 02 257
- LEAF: 257
next_op: pc=5/13 dp=265/270 C=1 J=0
- match? 02 02 00
- TAG: 02 3
- LEAF: 3
next_op: pc=8/13 dp=270/270 C=1 J=0
next_op: pc=11/13 dp=270/270 C=1 J=0
- end cons t=4 dp=270 l=270/270

The next_op line for pc=8/13 should be followed by a match line.

This is not exploitable for X.509 certificates by means of shortening the
message and fixing up the ASN.1 CONS tags because:

 (1) The relevant records being built up are cleared before use.

 (2) If the message is shortened sufficiently to remove the public key, the
     ASN.1 parse of the RSA key will fail quickly due to a lack of data.

 (3) Extracted signature data is either turned into MPIs (which cope with a
     0 length) or is simpler integers specifying algorithms and suchlike
     (which can validly be 0); and

 (4) The AKID and SKID extensions are optional and their removal is handled
     without risking passing a NULL to asymmetric_key_generate_id().

 (5) If the certificate is truncated sufficiently to remove the subject,
     issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
     stack underflow' return.

This is not exploitable for PKCS#7 messages by means of removal of
elements from such a message from the tail end of a sequence:

 (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
     as detailed above.

 (2) The message digest content isn't used if it shows a NULL pointer,
     similarly, the authattrs aren't used if that shows a NULL pointer.

 (3) A missing signature results in a NULL MPI - which the MPI routines deal
     with.

 (4) If data is NULL, it is expected that the message has detached content and
     that is handled appropriately.

 (5) If the serialNumber is excised, the unconditional action associated
     with it will pick up the containing SEQUENCE instead, so no NULL
     pointer will be seen here.

     If both the issuer and the serialNumber are excised, the ASN.1 decode
     will fail with an 'Unexpected tag' return.

     In either case, there's no way to get to asymmetric_key_generate_id()
     with a NULL pointer.

 (6) Other fields are decoded to simple integers.  Shortening the message
     to omit an algorithm ID field will cause checks on this to fail early
     in the verification process.

This can also be tested by snipping objects off of the end of the ASN.1 stream
such that mandatory tags are removed - or even from the end of internal
SEQUENCEs.  If any mandatory tag is missing, the error EBADMSG *should* be
produced.  Without this patch ERANGE or ENOPKG might be produced or the parse
may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
later, depending on what gets snipped.

Just snipping off the final BIT_STRING or OCTET_STRING from either sample
should be a start since both are mandatory and neither will cause an EBADMSG
without the patches.

Jira EASS-863

Bug 1797728

Reported-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
Change-Id: I4f6003fade25d8c77baafdff3af084c739efa69c
Bug: 28751627
(cherry picked from commit 62882e757d95076bbd14371ebfaf1246f0191816)
Reviewed-on: http://git-master/r/1209644
(cherry picked from commit 4d84d5a01f0ff0eaa16cc94632a0e83208998bc0)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213242
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
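
The skip-on-end-of-data behaviour described in this commit message, as an added model (not the kernel's asn1_decoder.c): a flat matcher over a SEQUENCE of short-form DER elements, run with and without the rule that only OPTIONAL elements may be skipped when the data runs out. The struct, function names and sample bytes are constructed for the example; long-form lengths are rejected to keep the model small.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_INTEGER  0x02
#define TAG_SEQUENCE 0x30

/* One grammar step: the expected tag and whether it is OPTIONAL. */
struct match_op {
    uint8_t tag;
    bool    optional;
};

/* Walk the grammar over the SEQUENCE contents. Returns the number of
 * elements matched, or -EBADMSG. With fixed == false the pre-patch
 * behaviour is modelled: any step is skipped once the data is used up. */
static int match_elements(const struct match_op *ops, size_t nops,
                          const uint8_t *data, size_t len, bool fixed)
{
    size_t dp = 0;
    int matched = 0;

    for (size_t pc = 0; pc < nops; pc++) {
        if (dp == len) {
            /* Out of data: only OPTIONAL steps may be skipped. */
            if (fixed && !ops[pc].optional)
                return -EBADMSG;
            continue;
        }
        if (len - dp < 2)
            return -EBADMSG;            /* truncated tag/length header */

        uint8_t tag = data[dp];
        size_t elen = data[dp + 1];

        if (elen & 0x80)
            return -EBADMSG;            /* long form not modelled */
        if (tag != ops[pc].tag) {
            if (ops[pc].optional)
                continue;               /* absent optional element */
            return -EBADMSG;            /* unexpected tag */
        }
        if (elen > len - dp - 2)
            return -EBADMSG;            /* value runs past the buffer */
        dp += 2 + elen;
        matched++;
    }
    return dp == len ? matched : -EBADMSG;
}

/* Check the outer SEQUENCE header, then match its contents. */
static int decode_sequence(const struct match_op *ops, size_t nops,
                           const uint8_t *msg, size_t len, bool fixed)
{
    if (len < 2 || msg[0] != TAG_SEQUENCE || (msg[1] & 0x80))
        return -EBADMSG;
    if ((size_t)msg[1] != len - 2)
        return -EBADMSG;
    return match_elements(ops, nops, msg + 2, len - 2, fixed);
}

/* Grammar: three mandatory INTEGERs, as in the commit's test case. */
static const struct match_op three_ints[3] = {
    { TAG_INTEGER, false }, { TAG_INTEGER, false }, { TAG_INTEGER, false },
};

/* Constructed samples: a full message, and one with the last INTEGER
 * removed and the SEQUENCE length fixed up to match. */
static const uint8_t full_msg[]  = { 0x30, 0x09, 0x02, 0x01, 0x11,
                                     0x02, 0x01, 0x03, 0x02, 0x01, 0x05 };
static const uint8_t short_msg[] = { 0x30, 0x06, 0x02, 0x01, 0x11,
                                     0x02, 0x01, 0x03 };

int main(void)
{
    printf("full,  fixed:   %d\n",
           decode_sequence(three_ints, 3, full_msg, sizeof(full_msg), true));
    printf("short, pre-fix: %d\n",
           decode_sequence(three_ints, 3, short_msg, sizeof(short_msg), false));
    printf("short, fixed:   %d\n",
           decode_sequence(three_ints, 3, short_msg, sizeof(short_msg), true));
    return 0;
}
```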

2 years ago fs: ext4: disable support for FALLOC_FL_PUNCH_HOLE
Woojung Min [Tue, 30 Aug 2016 07:44:07 +0000]
fs: ext4: disable support for FALLOC_FL_PUNCH_HOLE

Disable support for the fallocate FALLOC_FL_PUNCH_HOLE to
prevent the race conditions.

CVE-2015-8839
ANDROID-28760453

Jira EASS-863

Bug 1797728

Change-Id: Iae76df73f811da4e8209d21dd0803b070c0db684
Reviewed-on: http://git-master/r/1209635
(cherry picked from commit 9704617c5412f4cde41270259331a9078b479915)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213238
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago KEYS: potential uninitialized variable
Dan Carpenter [Thu, 16 Jun 2016 14:48:57 +0000]
KEYS: potential uninitialized variable

If __key_link_begin() failed then "edit" would be uninitialized.  I've
added a check to fix that.

This allows a random user to crash the kernel, though it's quite
difficult to achieve.  There are three ways it can be done as the user
would have to cause an error to occur in __key_link():

 (1) Cause the kernel to run out of memory.  In practice, this is difficult
     to achieve without ENOMEM cropping up elsewhere and aborting the
     attempt.

 (2) Revoke the destination keyring between the keyring ID being looked up
     and it being tested for revocation.  In practice, this is difficult to
     time correctly because the KEYCTL_REJECT function can only be used
     from the request-key upcall process.  Further, users can only make use
     of what's in /sbin/request-key.conf, though this does include a
     rejection debugging test - which means that the destination keyring
     has to be the caller's session keyring in practice.

 (3) Have just enough key quota available to create a key, a new session
     keyring for the upcall and a link in the session keyring, but not then
     sufficient quota to create a link in the nominated destination keyring
     so that it fails with EDQUOT.

The bug can be triggered using option (3) above using something like the
following:

echo 80 >/proc/sys/kernel/keys/root_maxbytes
keyctl request2 user debug:fred negate @t

The above sets the quota to something much lower (80) to make the bug
easier to trigger, but this is dependent on the system.  Note also that
the name of the keyring created contains a random number that may be
between 1 and 10 characters in size, so may throw the test off by
changing the amount of quota used.

Assuming the failure occurs, something like the following will be seen:

kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
------------[ cut here ]------------
kernel BUG at ../mm/slab.c:2821!
...
RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
RSP: 0018:ffff8804014a7de8  EFLAGS: 00010092
RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
...
Call Trace:
  kfree+0xde/0x1bc
  assoc_array_cancel_edit+0x1f/0x36
  __key_link_end+0x55/0x63
  key_reject_and_link+0x124/0x155
  keyctl_reject_key+0xb6/0xe0
  keyctl_negate_key+0x10/0x12
  SyS_keyctl+0x9f/0xe7
  do_syscall_64+0x63/0x13a
  entry_SYSCALL64_slow_path+0x25/0x25

(cherry picked from commit 38327424b40bcebe2de92d07312c89360ac9229a)
Jira EASS-863

Bug 1797728

Change-Id: Iaf1905f06f52e547654274cbb4827dd03866b71b
Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-on: http://git-master/r/1209532
(cherry picked from commit d84542d36e9d5968c1cef665e9e0a5c70f8eabc4)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213221
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago video: tegra: host: add upper bound for num_syncpt_incrs
Deepak Nibade [Thu, 21 Jul 2016 09:22:31 +0000]
video: tegra: host: add upper bound for num_syncpt_incrs

Check if num_syncpt_incrs are not more than number of
syncpoints available

Bug 1781393

Change-Id: Iee5070c87c8db0d6c30eb55ca03ec27c7de379ee
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1184846
(cherry picked from commit d85d48ec37173633d8efbc394b2508c710a0cda1)
Reviewed-on: http://git-master/r/1190749
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
(cherry picked from commit 950b1dc0c12547ae79de05f025fe144d56b5b047)
Reviewed-on: http://git-master/r/1220528
Tested-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years ago video: tegra: host: fix possible overflow with num_syncpt_incrs
Deepak Nibade [Mon, 27 Jun 2016 08:33:15 +0000]
video: tegra: host: fix possible overflow with num_syncpt_incrs

We allocate below without checking if num_syncpt_incrs
is valid or not
struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs];

If UMD passes a negative value in num_syncpt_incrs, then
it is possible to corrupt the stack

Hence, first check if num_syncpt_incrs is valid (i.e.
not negative)
And then allocate the array dynamically using kzalloc
instead of allocating it on stack

Bug 1781393

Change-Id: I5389fd271149b457f63831a41c104c9814299ddf
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171747
(cherry picked from commit 07fb347b4060a888b19df3524f36fcf7974a79d1)
Reviewed-on: http://git-master/r/1190751
(cherry picked from commit d0542f962dbebe197c1b08bf0ab9b1128207404a)
Reviewed-on: http://git-master/r/1220527
Tested-by: Bharat Nihalani <bnihalani@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years ago video: tegra: host: fix integer overflow
Deepak Nibade [Mon, 27 Jun 2016 08:43:26 +0000]
video: tegra: host: fix integer overflow

Below addition on 32 bit architecture machines could
cause integer overflow since we will assign overflowed
value to "num_unpins"
s64 num_unpins = num_cmdbufs + num_relocs

Fix this and other calculations by explicitly typecasting
variables to u64 first

Bug 1781393

Change-Id: Ib7d9c0be4ac61dc404512b4bb0331aa20a6978bc
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171748
(cherry picked from commit 8f00b96c137b9c4cb43a8dbe2e153fae49524113)
Reviewed-on: http://git-master/r/1190752
(cherry picked from commit 3fae9674f9fc01f4fbdc9cffa3e88899f9e6a923)
Reviewed-on: http://git-master/r/1220384
Reviewed-by: Automatic_Commit_Validation_User
Tested-by: Bharat Nihalani <bnihalani@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years ago mmc: card: test: Fix out of boundary array access
Xia Yang [Mon, 15 Aug 2016 21:56:51 +0000]
mmc: card: test: Fix out of boundary array access

Allocate buffer with 1 extra byte for NULL terminator.

Bug 1791602

Change-Id: I3c3658315c2cd2a1dc7be7d72953998a5275e71e
(cherry picked from commit 53f628117d0a092182254ad81bc38cf943b994e3)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213883
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago FROMLIST: security,perf: Allow further restriction of perf_event_open
Jeff Vander Stoep [Sun, 29 May 2016 21:22:32 +0000]
FROMLIST: security,perf: Allow further restriction of perf_event_open

When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
the variable read-only.  It also allows enabling further restriction
at run-time regardless of whether the default is changed.

https://lkml.org/lkml/2016/1/11/587

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Bug: 29054680
Bug 1787007

Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
(cherry picked from commit 012b0adcf7299f6509d4984cf46ee11e6eaed4e4)
Reviewed-on: http://git-master/r/1200000
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1203941
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
Kangjie Lu [Tue, 3 May 2016 20:44:32 +0000]
ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt

The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Change-Id: I70d3702d220e0e192d8d582abc9fb0ac33566daf
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-on: http://git-master/r/1197222
(cherry picked from commit d99fadb0097c4058f3de8dc539f4088cc833976e)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1203952
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago f2fs: add check for bmap param
Nitin Kumbhar [Thu, 7 Jul 2016 06:01:06 +0000]
f2fs: add check for bmap param

Validate parameter passed to the ioctl_fibmap function
that could lead to an array overflow. This is fixed by
adding a max block check for get_data_block_bmap.

CVE-2016-3802
Bug 1774591

Change-Id: If2280bb30ed06221faaae2de37cf3eccc0d25273
Reviewed-on: http://git-master/r/1176676
(cherry picked from commit 7be761dbcabc4e078e9e976b9a44dfe06dacf168)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1205312
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
Peter Hurley [Mon, 11 Jan 2016 06:40:55 +0000]
tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)

ioctl(TIOCGETD) retrieves the line discipline id directly from the
ldisc because the line discipline id (c_line) in termios is untrustworthy;
userspace may have set termios via ioctl(TCSETS*) without actually
changing the line discipline via ioctl(TIOCSETD).

However, directly accessing the current ldisc via tty->ldisc is
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
is changing via ioctl(TIOCSETD) or hangup.

Wait for the line discipline reference (just like read() or write())
to retrieve the "current" line discipline id.

CVE-2016-0723
Bug 1774591

Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5c17c861a357e9458001f021a7afa7aab9937439)
Change-Id: Ie8de32a16a05fe7a5b444301ead0d5c32a805a13
Reviewed-on: http://git-master/r/1175591
(cherry picked from commit f6b119e8f5c70948d34935e2cc04867aaa9fab46)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1205300
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago xt_qtaguid: fix printing kernel pointers
Nitin Kumbhar [Tue, 5 Jul 2016 07:59:14 +0000]
xt_qtaguid: fix printing kernel pointers

Kernel pointers are printed to all users. This could enable
a local malicious application to access data outside of its
permission levels. The fix is designed to not print kernel
pointers to any user.

CVE-2016-3809
Bug 1774591

Change-Id: Ia9d6fedd4a9d0811585586dbbaeb5ed151771c58
Reviewed-on: http://git-master/r/1175528
(cherry picked from commit 32b4fdc1d841f560fc52520a719193048e55a835)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1205297
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago USB: fix invalid memory access in hub_activate()
Alan Stern [Wed, 16 Dec 2015 18:32:38 +0000]
USB: fix invalid memory access in hub_activate()

Commit 8520f38099cc ("USB: change hub initialization sleeps to
delayed_work") changed the hub_activate() routine to make part of it
run in a workqueue.  However, the commit failed to take a reference to
the usb_hub structure or to lock the hub interface while doing so.  As
a result, if a hub is plugged in and quickly unplugged before the work
routine can run, the routine will try to access memory that has been
deallocated.  Or, if the hub is unplugged while the routine is
running, the memory may be deallocated while it is in active use.

This patch fixes the problem by taking a reference to the usb_hub at
the start of hub_activate() and releasing it at the end (when the work
is finished), and by locking the hub interface while the work routine
is running.  It also adds a check at the start of the routine to see
if the hub has already been disconnected, in which case nothing should be
done.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work")
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea)

CVE-2015-8816
Bug 1774591

Change-Id: Ifbbf8bfd456120b1e1720f4371c1ba15d1b948fa
Reviewed-on: http://git-master/r/1175595
(cherry picked from commit f6285c019035638301a86f2d36ba3faa63a65775)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1205291
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago AIO: properly check iovec sizes
Greg Kroah-Hartman [Sat, 20 Feb 2016 01:36:21 +0000]
AIO: properly check iovec sizes

In Linus's tree, the iovec code has been reworked massively, but in
older kernels the AIO layer should be checking this before passing the
request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the
issue.

Bug 1774591

Reported-by: Ben Hawkes <hawkes@google.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Willy Tarreau <w@1wt.eu>
[backported to 3.10 - willy]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ff19ac8fb71e8a2bf07d61b959062998139c1104)
Change-Id: Ia91c9dcbb605fefa8cd186bc0c896f1cd8aec4eb
Reviewed-on: http://git-master/r/1175560
(cherry picked from commit 637e4e4bacb1b8e8413078356fdb50b951d1827e)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1205285
GVS: Gerrit_Virtual_Submit
Reviewed-by: Nitin Kumbhar <nkumbhar@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago USB: usbfs: fix potential infoleak in devio
Kangjie Lu [Tue, 3 May 2016 20:32:16 +0000]
USB: usbfs: fix potential infoleak in devio

The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
are padding bytes which are not initialized and leaked to userland
via “copy_to_user”.

Bug 1787007

Change-Id: I7781eb74fdf57a461530107336b275388dda0d5f
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Woojung Min <wmin@nvidia.com>
Reviewed-on: http://git-master/r/1196541
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jubeom Kim <jubeomk@nvidia.com>
Reviewed-by: Rohith Seelaboyina <rseelaboyina@nvidia.com>
Reviewed-by: Nitin Kumbhar <nkumbhar@nvidia.com>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1199490
(cherry picked from commit 390bbf0977c3473f705f6eff50f2a297fe943155)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1203953
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
Kangjie Lu [Tue, 3 May 2016 20:44:07 +0000]
ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS

The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Change-Id: I2011f354d6ba6de55c8c8f3b5f4f4c7c19483094
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1197219
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
(cherry picked from commit 05d23eabd548e4b1727ba49c330a590cd3fd1cd7)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1203949
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago net: fix infoleak in rtnetlink
Kangjie Lu [Tue, 3 May 2016 20:46:24 +0000]
net: fix infoleak in rtnetlink

The stack object “map” has a total size of 32 bytes. Its last 4
bytes are padding generated by compiler. These padding bytes are
not initialized and sent out via “nla_put”.

Bug 1787007

Change-Id: I33c4a566efc17fc6a8c6d850bc3e9602d7a996ad
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Woojung Min <wmin@nvidia.com>
(cherry picked from commit 5f8e44741f9f216e33736ea4ec65ca9ac03036e6)
Reviewed-on: http://git-master/r/1196545
Reviewed-on: http://git-master/r/1199480
(cherry picked from commit b9b0f6f46a8723e5c3198840d6548c54d9df9b98)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1203948
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
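
The two ALSA timer messages, the usbfs message and the rtnetlink message above all describe the same defect class: a stack structure is filled field by field and then copied out whole, so compiler-inserted padding carries stale stack bytes. The following is an added illustration, not code from these commits or from the kernel; struct event_rec, the STALE marker and the field values are constructed, an LP64 ABI is assumed, and clearing the object with memset() is shown as one standard remedy (the messages do not say how each fix was implemented).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical 32-byte record shaped like the objects in the messages above
 * (4-byte field, 16-byte timestamp, 4-byte field). Not a kernel definition. */
struct event_rec {
    int32_t event;                        /* 4 padding bytes follow on LP64 */
    struct { int64_t sec, nsec; } tstamp;
    uint32_t val;                         /* 4 tail padding bytes on LP64 */
};

#define STALE 0xAA  /* constructed marker standing in for old stack contents */

/* Bytes of the object that belong to no field. */
size_t padding_bytes(void)
{
    return sizeof(struct event_rec)
         - (sizeof(int32_t) + 2 * sizeof(int64_t) + sizeof(uint32_t));
}

static void set_fields(struct event_rec *r)
{
    /* Constructed values; none of their bytes equals STALE. */
    r->event = 1;
    r->tstamp.sec = 1700000000;
    r->tstamp.nsec = 500;
    r->val = 42;
}

/* Count marker bytes in the buffer that would be handed to user space. */
static size_t count_stale(const unsigned char *buf, size_t len)
{
    size_t i, n = 0;

    for (i = 0; i < len; i++)
        if (buf[i] == STALE)
            n++;
    return n;
}

/* Pattern from the reports: every field is assigned, padding is never
 * written, and the whole object is copied out. */
size_t stale_after_fieldwise_init(void)
{
    struct event_rec r;
    unsigned char out[sizeof r];

    memset(&r, STALE, sizeof r);  /* simulate a dirty stack slot */
    set_fields(&r);
    memcpy(out, &r, sizeof r);    /* stands in for copy_to_user()/nla_put() */
    return count_stale(out, sizeof out);
}

/* Remedy: clear the whole object, padding included, before filling it. */
size_t stale_after_memset_init(void)
{
    struct event_rec r;
    unsigned char out[sizeof r];

    memset(&r, STALE, sizeof r);  /* same dirty stack slot */
    memset(&r, 0, sizeof r);      /* the fix: zero fields and padding */
    set_fields(&r);
    memcpy(out, &r, sizeof r);
    return count_stale(out, sizeof out);
}

int main(void)
{
    printf("sizeof=%zu padding=%zu\n",
           sizeof(struct event_rec), padding_bytes());
    printf("stale bytes copied out, field-wise init: %zu\n",
           stale_after_fieldwise_init());
    printf("stale bytes copied out, memset first:    %zu\n",
           stale_after_memset_init());
    return 0;
}
```

When auditing for this class, compare sizeof() of every structure copied to user space or into a netlink attribute against the sum of its field sizes; any difference is padding that must be cleared explicitly.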

2 years ago arm64: configs: restrict access to perf events
Woojung Min [Tue, 9 Aug 2016 07:16:30 +0000]
arm64: configs: restrict access to perf events

Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT to restrict access to perf events.
It is for android security patch CVE-2016-3843/ANDROID-29119870.

Bug 1787007

Change-Id: Icc6731a05752456d8d611ac723baff22df625d23
Signed-off-by: Woojung Min <wmin@nvidia.com>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1200020
(cherry picked from commit f9210ab26a74177c88ddb02abba3360700993d15)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1203943
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago BACKPORT: perf tools: Document the perf sysctls
Ben Hutchings [Tue, 19 Jan 2016 21:35:15 +0000]
BACKPORT: perf tools: Document the perf sysctls

perf_event_paranoid was only documented in source code and a perf error
message.  Copy the documentation from the error message to
Documentation/sysctl/kernel.txt.

perf_cpu_time_max_percent was already documented but missing from the
list at the top, so add it there.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk
[ Remove reference to external Documentation file, provide info inline, as before ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

Bug: 29054680
Bug 1787007

Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5
(cherry picked from commit 925d82a466131093dee9a301372f4c29a28d948b)
Signed-off-by: Woojung Min <wmin@nvidia.com>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1199997
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 4e82f031635e9a672c50aca666ecb21825287f9b)
Reviewed-on: http://git-master/r/1203931

2 years ago ALSA: compress: fix an integer overflow check
Dan Carpenter [Wed, 16 Jul 2014 06:37:04 +0000]
ALSA: compress: fix an integer overflow check

I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Change-Id: I8123ec91a1befa6628151c8ab8ac0b1a6a9235fc
Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Reviewed-on: http://git-master/r/1197174
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
Tested-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-by: Woojung Min <wmin@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 4d74dbeda5893b7501ddcbcdae909fffa47ed09a)
Reviewed-on: http://git-master/r/1203930
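
The "video: tegra: host: fix integer overflow" message and the ALSA compress message above describe two faces of one problem: arithmetic done or stored in a type narrower than the value needs. The following is an added illustration, not code from either commit; the function names, the 32-bit operand types and the sample values are assumptions chosen to reproduce the behaviour the messages describe.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* First message: both operands are 32-bit (assumed here), so the addition
 * wraps in 32 bits and only the wrapped result is widened to 64 bits. */
int64_t count_narrow(uint32_t num_cmdbufs, uint32_t num_relocs)
{
    int64_t num_unpins = num_cmdbufs + num_relocs;

    return num_unpins;
}

/* Widen an operand first, so the addition itself is done in 64 bits. */
int64_t count_widened(uint32_t num_cmdbufs, uint32_t num_relocs)
{
    int64_t num_unpins = (int64_t)((uint64_t)num_cmdbufs + num_relocs);

    return num_unpins;
}

/* Second message: the overflow check is made against a wide limit, the
 * product does not overflow that wide type, but the result is stored in a
 * 32-bit variable and loses its high bits. */
int size_checked_against_wide_limit(uint32_t fragments, uint32_t fragment_size,
                                    uint32_t *buffer_size)
{
    uint64_t product;

    if (fragment_size == 0 || fragments > UINT64_MAX / fragment_size)
        return -EINVAL;
    product = (uint64_t)fragments * fragment_size;
    *buffer_size = (uint32_t)product;   /* silent truncation */
    return 0;
}

/* Check against the limit of the type that will actually hold the result. */
int size_checked_against_dest_limit(uint32_t fragments, uint32_t fragment_size,
                                    uint32_t *buffer_size)
{
    if (fragment_size == 0 || fragments > UINT32_MAX / fragment_size)
        return -EINVAL;
    *buffer_size = fragments * fragment_size;   /* cannot wrap after the check */
    return 0;
}

int main(void)
{
    uint32_t size = 0;
    int ret;

    /* Constructed inputs. */
    printf("narrow sum:  %" PRId64 "\n", count_narrow(0xFFFFFFFFu, 2u));
    printf("widened sum: %" PRId64 "\n", count_widened(0xFFFFFFFFu, 2u));

    ret = size_checked_against_wide_limit(0x10000u, 0x10001u, &size);
    printf("wide-limit check: ret=%d size=%" PRIu32 "\n", ret, size);

    ret = size_checked_against_dest_limit(0x10000u, 0x10001u, &size);
    printf("dest-limit check: ret=%d\n", ret);
    return 0;
}
```

With the constructed inputs, the wide-limit variant accepts a request for 0x100010000 bytes and records a 65536-byte buffer, which is the undersized allocation the ALSA message warns about.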

2 years ago UPSTREAM: ipv6: add complete rcu protection around np->opt
Eric Dumazet [Mon, 30 Nov 2015 03:37:57 +0000]
UPSTREAM: ipv6: add complete rcu protection around np->opt

[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ]

This patch addresses multiple problems :

UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
while socket is not locked : Other threads can change np->opt
concurrently. Dmitry posted a syzkaller
(http://github.com/google/syzkaller) program demonstrating
use-after-free.

Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
and dccp_v6_request_recv_sock() also need to use RCU protection
to dereference np->opt once (before calling ipv6_dup_options())

This patch adds full RCU protection to np->opt

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Bug: 28746669
Change-Id: I81775b2269a8263c4e4760b94b9fdd0d5916b31e
Reviewed-on: http://git-master/r/1201486
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1203938
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
Al Viro [Tue, 2 Aug 2016 09:21:30 +0000]
net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom

Change-Id: Iec24dc91a140510c1666801f6204dced8d2318f9
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reviewed-on: http://git-master/r/1197034
(cherry picked from commit ca502c1791bbb3f09bbdb3fc0f4118c0ee7b11bc)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1203933
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago dvfs: tegra: Validate CLDVFS register address
Alex Frid [Thu, 30 Jun 2016 01:21:46 +0000]
dvfs: tegra: Validate CLDVFS register address

Bug 1783583

Change-Id: I8b0e865db02c00f741dafb473d4bd39c5075f23f
(cherry picked from commit 453a77c5cd9a1316307458203365f9eb5bda62de)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1201538
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 61127d264edef130ea20e80a5b95c2981ce768d5)
Reviewed-on: http://git-master/r/1203892

2 years ago tegra:hdcp: Fix error in infinite max_retries
Ankita Garg [Fri, 22 Jul 2016 21:59:46 +0000]
tegra:hdcp: Fix error in infinite max_retries

We are setting max_retries to -1 to enable
infinite retries. However, max_retries is
currently an unsigned char.

Bug 1694737

Change-Id: I439254fce45f8e491ebe42071df8484de7fc627e
Signed-off-by: Ankita Garg <ankitag@nvidia.com>
Reviewed-on: http://git-master/r/1189790
(cherry picked from commit 42ad6683f8b034c8ff9d2e5a2563c95321d0bb53)
Reviewed-on: http://git-master/r/1199358
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago fs: enable UTF-8 character set
Jean Huang [Fri, 17 Jun 2016 21:28:28 +0000]
fs: enable UTF-8 character set

Bug 1778283

Change-Id: I5f648a1ac0997f7bd9837efd81307c0b9f74e5e5
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Reviewed-on: http://git-master/r/1167180
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago cifs: enable CONFIG_CIFS_WEAK_PW_HASH to support LANMAN
Jean Huang [Thu, 16 Jun 2016 17:19:43 +0000]
cifs: enable CONFIG_CIFS_WEAK_PW_HASH to support LANMAN

Bug 200209739

Change-Id: I9684ba32a156512e46d010c4b06859343fecc751
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Reviewed-on: http://git-master/r/1166010
Reviewed-by: Louis Li <louli@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago video: tegra: hdmi: fix AFD info in AVI infoframe
Santosh Reddy Galma [Tue, 31 May 2016 12:49:03 +0000]
video: tegra: hdmi: fix AFD info in AVI infoframe

Setting Active Format Information Present bit to 0
in AVI infoframe as AFD is not currently programmed.

Bug 1758679

Change-Id: I7689b55c2b533d71d3c1dd42b72e1045471fae5e
Signed-off-by: Santosh Reddy Galma <galmar@nvidia.com>
Reviewed-on: http://git-master/r/1156551
(cherry picked from commit b2697c5c56926c5d1a8695c137ef51fe0110c5d2)
Reviewed-on: http://git-master/r/1158671
Reviewed-by: Mandar Padmawar <mpadmawar@nvidia.com>
Tested-by: Mandar Padmawar <mpadmawar@nvidia.com>

2 years ago video: tegra: host: Make syncpt_thresh_cascade_fn realtime
David Lock [Tue, 10 Nov 2015 00:15:04 +0000]
video: tegra: host: Make syncpt_thresh_cascade_fn realtime

Promote the syncpt_thresh_cascade_fn workqueue to a kthread and set
its priority to realtime.  This removes scheduling latency as a
potential bottleneck for syncpoint latency.

Bug 200121259

Change-Id: I42ed37621e5430853f323e8e4bcd18019c77c92d
Signed-off-by: David Lock <dlock@nvidia.com>
Reviewed-on: http://git-master/r/830995
(cherry picked from commit 4a6d5d4cb1c8ee15659cb04e0628bd75fd560e2b)
Reviewed-on: http://git-master/r/1154806
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Tested-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago tegra: sor: dump NV_SOR_HDMI_GENERIC_CTRL reg
Arun Swain [Fri, 3 Jun 2016 19:02:59 +0000]
tegra: sor: dump NV_SOR_HDMI_GENERIC_CTRL reg

Add support for dumping NV_SOR_HDMI_GENERIC_CTRL
reg.

Bug 200122117

Change-Id: If237e64fdeff0cacd4837940a4c995db06900b52
Signed-off-by: Arun Swain <arswain@nvidia.com>
Reviewed-on: http://git-master/r/1158841
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago tegra: hdmi: Fix HDR exit
Arun Swain [Fri, 3 Jun 2016 01:29:53 +0000]
tegra: hdmi: Fix HDR exit

Don't stop sending HDR infoframe if HDR is
re-enabled in dc within the 2 secs of stipulated
time of starting the exit-hdr worker thread.

Bug 1773605

Change-Id: I1adafcf7b5c15b81b8dc614d8125c0e7b5e25cde
Signed-off-by: Arun Swain <arswain@nvidia.com>
Reviewed-on: http://git-master/r/1158509
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Ujwal Patel <ujwalp@nvidia.com>
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago video: tegra: Fix 2084 signalling
Aly Hirani [Tue, 31 May 2016 07:49:53 +0000]
video: tegra: Fix 2084 signalling

We currently tell the userspace HDR = if the user has the HDR EDID
block. There is a case where the block could be present but 2084 =
false.

This change WARs that case. Also helps pass HF1-53 HDMI 2.0a compliance.

Bug 200182153

Change-Id: I4e5439ffe49c2430b31aab1bb88699eb13c3292b
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1158422
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago video: tegra: dc: Fix MAX_AC calculation
Aly Hirani [Wed, 1 Jun 2016 18:53:23 +0000]
video: tegra: dc: Fix MAX_AC calculation

This fixes the MAX_AC_PACKET calculation. It should have been using the
"rekey - 2" value, not rekey itself.

Bug 200201234

Change-Id: I31fbd1404dba78938dfa1c0fe67270a7f4ae0c8c
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1157399
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jon Mayo <jmayo@nvidia.com>

3 years ago ALSA: hda: Allow 192khz for EAC3 capable sinks
Rahul Mittal [Fri, 13 May 2016 09:20:15 +0000]
ALSA: hda: Allow 192khz for EAC3 capable sinks

If the sink is eac3 decode capable, but not supporting 192khz
in its ELD, ALSA card doesn't add 192khz in supported rates.
Add 192khz in ALSA card for eac3 decode capable sinks, so
that user-space can open pcm device and play EAC3 content.

Bug 1764782

Change-Id: Iac5cdc5eb0acd448cec88ab0cacecc9c8a77c155
Signed-off-by: Rahul Mittal <rmittal@nvidia.com>
Reviewed-on: http://git-master/r/1147326
Reviewed-by: Sumit Bhattacharya <sumitb@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Tested-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Sanjay Singh Chauhan <schauhan@nvidia.com>
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>

3 years ago ARM64: dts: update LDO7 and SD2 FPS source at boot
Venkat Reddy Talla [Thu, 31 Mar 2016 14:05:11 +0000]
ARM64: dts: update LDO7 and SD2 FPS source at boot

Configuring different FPS source for LDO7 PMIC rail
at boot time and SC7 entry as recommended by sys-eng
team to avoid power down sequence violation of
PLL rail with DDRIO and also with 3.3V rail.
setting SD2 pmic rail as part of FPS1 at boot time.

Bug 1748154
Bug 1748159

Change-Id: Ibad7c730e8e0343d2028500930ac17b277a5e27c
Reviewed-on: http://git-master/r/1118375
(cherry picked from commit 45400a95fa7f7d1d30f93c5e094d2ba2ace69bfc)
Signed-off-by: Venkat Reddy Talla <vreddytalla@nvidia.com>
Reviewed-on: http://git-master/r/1128743
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

3 years ago net: wireless: bcmdhd: Add command to restrict p2p AGO bw
Srinivas Ramachandran [Tue, 3 May 2016 22:27:27 +0000]
net: wireless: bcmdhd: Add command to restrict p2p AGO bw

When device is operating with 50Hz HDMI refresh rate
1. If AP is not associated, restrict the bw of p2p AGO to 20Mhz
2. If AP is associated, follow the AP bw

This is a WAR to prevent controller connectivity issues
in 1080p50Hz mode due to Wi-Fi desense.

Bug 200176240
Bug 200193305

Change-Id: I759aefe2ad175f195dc26239e77839bf0abb12f5
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1140705
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
Tested-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-by: Mohan Thadikamalla <mohant@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago Revert "arm64: dts: Add parameter restrict_bw_20 for foster"
Srinivas Ramachandran [Tue, 3 May 2016 22:27:09 +0000]
Revert "arm64: dts: Add parameter restrict_bw_20 for foster"

This reverts commit 2490734b70e4280c91dd13baef0c3e1a9560b0fb.
Bug 200176240
Bug 200193305

Change-Id: I2a643e0927c6e841c09cc51c62c6179d7498c9d0
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1140704
Reviewed-by: Mohan Thadikamalla <mohant@nvidia.com>
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
Tested-by: Om Prakash Singh <omp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago Revert "net: wireless: bcmdhd: Restrict default p2p AGO to 20Mhz bw"
Srinivas Ramachandran [Fri, 29 Apr 2016 19:32:27 +0000]
Revert "net: wireless: bcmdhd: Restrict default p2p AGO to 20Mhz bw"

This reverts commit 9d2cae937a50f005c5befe633602e90447765940.

Reverting this change as this feature needs to be implemented using a driver
command

Bug 200176240
Bug 200193305

Change-Id: Ia12930ec8cb70cb23d03e88d38e7dbe506dd9d45
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1140703
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
Tested-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-by: Dara Ramesh <dramesh@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago net: disable capability check for net_bind_service
Xiao Bo Zhao [Wed, 27 Apr 2016 22:26:54 +0000]
net: disable capability check for net_bind_service

If group id matches, then skip capability and selinux check for capability
CAP_NET_BIND_SERVICE

Bug 1763043

Change-Id: I5935860c016d0f76b874595e83f2fd918f3fa36d
Signed-off-by: Xiao Bo Zhao <xiaoboz@nvidia.com>
Reviewed-on: http://git-master/r/1133850
Reviewed-by: Toby Butzon <tbutzon@nvidia.com>
Reviewed-by: Nitin Kumbhar <nkumbhar@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Inamdar Sharif <isharif@nvidia.com>
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

3 years ago security: tlk_driver: add support for PHYS_LIST handling.
Chris Johnson [Mon, 23 Mar 2015 23:37:35 +0000]
security: tlk_driver: add support for PHYS_LIST handling.

Bug 200091941
Bug 1754253

Change-Id: Ia5b920e6f45280b7a3fb4360b828612225af5761
Signed-off-by: Chris Johnson <cwj@nvidia.com>
Signed-off-by: Mahesh Lagadapati <mlagadapati@nvidia.com>
Reviewed-on: http://git-master/r/1132411
GVS: Gerrit_Virtual_Submit
Reviewed-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-by: Hyung Taek Ryoo <hryoo@nvidia.com>
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

3 years ago tlk: code cleanup
Mahesh Lagadapati [Mon, 10 Aug 2015 20:11:12 +0000]
tlk: code cleanup

Cleaned up the code to do proper error handling and to remove unused
variables.

Bug 200091941
Bug 1754253

Change-Id: Ia0e84451bbbb29edd35dd3060864c6e60cbc6192
Signed-off-by: Mahesh Lagadapati <mlagadapati@nvidia.com>
Reviewed-on: http://git-master/r/1132416
GVS: Gerrit_Virtual_Submit
Reviewed-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

3 years ago security: tlk_driver: fix memory leak
Hridya Valsaraju [Tue, 2 Jun 2015 17:21:50 +0000]
security: tlk_driver: fix memory leak

Fix memory leak in te_pin_user_pages().
When get_user_pages() fails, free allocated memory and
release each mapped page from the page cache.

Bug 200091941
Bug 1754253

Change-Id: Ifdd311863916baa42e6e1b38f1692c72382bb44a
(cherry picked from commit 82f26d7cdd8244b498049e2ae49cc6ab87f21908)
Signed-off-by: Hridya Valsaraju <hvalsaraju@nvidia.com>
Signed-off-by: Mahesh Lagadapati <mlagadapati@nvidia.com>
Reviewed-on: http://git-master/r/1132415
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-by: Hyung Taek Ryoo <hryoo@nvidia.com>
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

3 years ago Revert "security: tlk_driver: lock/fault userspace pages"
Mahesh Lagadapati [Thu, 31 Mar 2016 19:59:58 +0000]
Revert "security: tlk_driver: lock/fault userspace pages"

This reverts commit a517ace37e656ea3023b527882d349329a026a84.

mlock is not required if buffers are sent with physical address.

Bug 200091941
Bug 1754253

Change-Id: I82b7db24b33d867581d031d79230aa3265f1eb7e
Signed-off-by: Mahesh Lagadapati <mlagadapati@nvidia.com>
Reviewed-on: http://git-master/r/1132414
GVS: Gerrit_Virtual_Submit
Reviewed-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-by: Hyung Taek Ryoo <hryoo@nvidia.com>
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

3 years ago Revert "security:tlk_driver:fix sys_munlock issue"
Mahesh Lagadapati [Thu, 31 Mar 2016 19:59:03 +0000]
Revert "security:tlk_driver:fix sys_munlock issue"

This reverts commit ddb690950d1402f995d0c73bb00bd5bf865cdda5.

mlock is not required if buffers are sent with physical address.

Bug 200091941
Bug 1754253

Change-Id: I5240d41e6659461c0b43df015f6dc44db594174c
Signed-off-by: Mahesh Lagadapati <mlagadapati@nvidia.com>
Reviewed-on: http://git-master/r/1132413
GVS: Gerrit_Virtual_Submit
Reviewed-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-by: Hyung Taek Ryoo <hryoo@nvidia.com>
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

3 years ago usb: gadget: xudc: update sw deq pointer
Henry Lin [Tue, 3 May 2016 02:46:41 +0000]
usb: gadget: xudc: update sw deq pointer

In nvudc_eq_dequeue(), driver updates hw dequeue pointer if usb request
has been processed by HW. Corresponding sw dequeue pointer should also be
updated to the same position.

Bug 200195992

Change-Id: I1bb6ab3bcd3579b6055d4074550c9b802d394d72
Signed-off-by: Henry Lin <henryl@nvidia.com>
Reviewed-on: http://git-master/r/1140014
(cherry picked from commit 96bddf2904a9ade906d93563c91acd7ef156bacb)
Reviewed-on: http://git-master/r/1143835
GVS: Gerrit_Virtual_Submit
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

3 years ago usb: gadget: xudc: fix unbalanced spinlock
Henry Lin [Mon, 2 May 2016 09:29:35 +0000]
usb: gadget: xudc: fix unbalanced spinlock

The unbalanced xudc spinlock is also used in nvudc_irq(). It may cause
cpu 0 stuck in nvudc_irq().

Bug 200180858
Bug 200195992

Change-Id: Ia4ac30cad0b6e12e83a4cc7968e70bbcfbc05470
Signed-off-by: Henry Lin <henryl@nvidia.com>
Reviewed-on: http://git-master/r/1139607
(cherry picked from commit 432134aef3bd00e419c2718529fadc5fdd59276f)
Reviewed-on: http://git-master/r/1143834
GVS: Gerrit_Virtual_Submit
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

3 years ago tegra: hdmi: Add support for graceful HDR exit
Arun Swain [Tue, 1 Mar 2016 03:24:15 +0000]
tegra: hdmi: Add support for graceful HDR exit

1. Implement the spec way of exiting HDR.
2. Clean up the bit setting part in hdr
infoframe.
3. Take out tegra_dc_set_hdr () from CMU ifdef.

Bug 200122117

Change-Id: I6575cb742827bd83f7f60eac30c4c487733187a4
Signed-off-by: Arun Swain <arswain@nvidia.com>
Reviewed-on: http://git-master/r/1022283
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
(cherry picked from commit 1f84dc48634790bbf668b0dd9263a4b72a6e27f1)
Reviewed-on: http://git-master/r/1142267
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

3 years ago video: tegra: hdmi: fix audio for hdr
Utkarsh Vaidya [Thu, 14 Jan 2016 10:44:08 +0000]
video: tegra: hdmi: fix audio for hdr

audio bit was getting cleared as previous audio
bit state was not restored.

Bug 200150881

Change-Id: Ic1340f38b84eff9924d6a81b1e980ff182b21976
Signed-off-by: Utkarsh Vaidya <uvaidya@nvidia.com>
Reviewed-on: http://git-master/r/932693
(cherry picked from commit 7f44933f536a7b0de9cceacd38c6d10a8d82acbe)
Signed-off-by: Arun Swain <arswain@nvidia.com>
Reviewed-on: http://git-master/r/1142259
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

3 years ago tegra: dc: trace: Add trace event for hdr
Arun Swain [Thu, 24 Dec 2015 00:40:25 +0000]
tegra: dc: trace: Add trace event for hdr

Add trace event for debugging hdr. When enabled
this prints out the hdr struct received from
hwcomposer in flip.

Change-Id: I2b5da80cd829c5881edb06e70cbcf8aad458d65d
Reviewed-on: http://git-master/r/926598
(cherry picked from commit d11087ec2f9b0e3cedb84f2cd73c29927c715b7b)
Signed-off-by: Arun Swain <arswain@nvidia.com>
Reviewed-on: http://git-master/r/1142257
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

3 years ago video: tegra: hdmi: modify vmode macros values
Arun Swain [Wed, 6 Jan 2016 00:39:45 +0000]
video: tegra: hdmi: modify vmode macros values

With deep color support, the vmode
macro values are overlapping. This fixes the
overlapping values.

Bug 1763278

Change-Id: Ib1d6f68e8b6edffd0069991587ba8eadbe110722
Signed-off-by: Arun Swain <arswain@nvidia.com>
Reviewed-on: http://git-master/r/1142701
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

3 years ago video: tegra: Re-enable CMU on BYPASS exit
Aly Hirani [Fri, 29 Apr 2016 23:25:49 +0000]
video: tegra: Re-enable CMU on BYPASS exit

This change restores the CMU to the previous state before we entered the
BYPASS. Used by hwcomposer when it wants to on-the-fly decide to do
range reduction in GL or in DC.

Bug 1750555

Change-Id: Ice31b607f8d1f4c7d53cf03473f0d3dd79226848
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1135240
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Michael I Gold <gold@nvidia.com>
Reviewed-by: Michael I Gold <gold@nvidia.com>
Reviewed-by: Jon Mayo <jmayo@nvidia.com>

3 years ago video: tegra: Encode blank for Y444
Aly Hirani [Fri, 29 Apr 2016 01:46:38 +0000]
video: tegra: Encode blank for Y444

This implements black background window for YUV444 at 24bpp

Bug 1750555

Change-Id: I3a7e53dafce41d8ef5bedbfdefcfccfaa0c8402d
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1134628
Tested-by: Michael I Gold <gold@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Animesh Kishore <ankishore@nvidia.com>
Reviewed-by: Santosh Galma <galmar@nvidia.com>
Reviewed-by: Michael I Gold <gold@nvidia.com>

3 years ago video: tegra: Add deep color support
Santosh Reddy Galma [Mon, 19 Oct 2015 11:08:14 +0000]
video: tegra: Add deep color support

This change adds support for YUV422, YUV444 and RGB444 deep color
formats. It also fixes the associated masks and values.

Change-Id: Iea8551df9783a1f5c05679d971d62cb5d8ef3ba8
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Signed-off-by: Michael I. Gold <gold@nvidia.com>
Reviewed-on: http://git-master/r/1134544
Reviewed-by: Santosh Galma <galmar@nvidia.com>
GVS: Gerrit_Virtual_Submit

3 years ago video: tegra: hdmi: signal Y444 in AVI InfoFrame
Ivan Raul Guadarrama [Tue, 12 Apr 2016 18:01:05 +0000]
video: tegra: hdmi: signal Y444 in AVI InfoFrame

Correctly signal YUV 444 content in the AVI InfoFrame.

Bug 200145872

Change-Id: Iefad983f21d692e6f4a9868baa80c25a7733b2c3
Signed-off-by: Ivan Raul Guadarrama <iguadarrama@nvidia.com>
(cherry picked from commit 7a961c273ffecc024e6b2a243d6dd91fad467763)
Reviewed-on: http://git-master/r/1129096
(cherry picked from commit 6e109ab9297989491b70486d239180ac85897383)
Reviewed-on: http://git-master/r/1133012
Reviewed-by: Automatic_Commit_Validation_User
Tested-by: Michael I Gold <gold@nvidia.com>
Reviewed-by: Michael Frydrych <mfrydrych@nvidia.com>
Reviewed-by: Michael I Gold <gold@nvidia.com>
GVS: Gerrit_Virtual_Submit

3 years ago gpu: nvgpu: Fix fake MMU fault for TSGs
Terje Bergstrom [Fri, 16 Oct 2015 19:40:19 +0000]
gpu: nvgpu: Fix fake MMU fault for TSGs

When we induce a fake MMU fault, we do not have pointer to a channel.
Use the tsg pointer instead. Also remove the error print in case we
do not have ch pointer.

Change-Id: I14fd75d2b743244915bf32fe39de76097ef5c42f
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/819034
(cherry picked from commit abeb26374f0a847ccfbc27f05f8c16191bb15d8c)
Reviewed-on: http://git-master/r/1133371
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit

3 years ago gpu: nvgpu: WARN_ON if NULL params in pmu_cmd_post
Gagan Grover [Mon, 28 Mar 2016 12:09:39 +0000]
gpu: nvgpu: WARN_ON if NULL params in pmu_cmd_post

Don't need to BUG_ON. We can simply print kernel error message
along with call stack and return.

Bug 200182457

Change-Id: I06693f88372dfb5dd0dd2fae7630540594f302ba
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1115992
(cherry picked from commit f5cc88880e147f90d2cf9980db4322ee5fd613a6)
Reviewed-on: http://git-master/r/1132626
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago reboot: freeze processes before restart/shutdown
Deepak Nibade [Thu, 4 Feb 2016 10:14:51 +0000]
reboot: freeze processes before restart/shutdown

Add new API freeze_processes_ignore_wakeup() which will
freeze all processes ignoring the wakeup sources

Use this API before triggering restart/shutdown

Bug 200125494

Change-Id: I093d6e5dcc02fe3ff73c7c4d7c6bc14fa8e91cb8
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1007555
(cherry picked from commit 32212d6e42147942a853aa5238a417497d31d1c6)
Reviewed-on: http://git-master/r/1130943
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago gpu: nvgpu: fix race condition with poweroff
Seshendra Gadagottu [Thu, 28 Jan 2016 18:54:32 +0000]
gpu: nvgpu: fix race condition with poweroff

When gpu rail-gating is enabled, it is possible that
both rail gating code and system shutdown can start
executing gk20a_pm_prepare_poweroff() in parallel.
To synchronize this execution, protect gk20a_pm_prepare_poweroff()
with a mutex lock.

Bug 200168805
Bug 200179045
Bug 200177659

Change-Id: I19536a43ed20c3e82b32c316922dc3e19e3f59bb
Signed-off-by: Seshendra Gadagottu <sgadagottu@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/999548
(cherry picked from commit 9f1c2cefae513783e2609cfafc94c066ad09f956)
Reviewed-on: http://git-master/r/1130942
GVS: Gerrit_Virtual_Submit
Tested-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago gpu: nvgpu: return from worker if gpu is not up
Deepak Nibade [Wed, 20 Jan 2016 15:45:52 +0000]
gpu: nvgpu: return from worker if gpu is not up

During GPU shutdown path, it is possible that we
shut down the GPU while worker thread is still
running gk20a_channel_update()

Hence before accessing gp_put/get, check if GPU
is up or not

Bug 200166139

Change-Id: Iba3ec173041a84527c4700a93f20564a842cfb01
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/935193
(cherry picked from commit c81ea5fe383c44e872754b363968af57d84225ac)
Reviewed-on: http://git-master/r/1130941
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago gpu: nvgpu: force close all channels on shutdown
Deepak Nibade [Tue, 12 Jan 2016 12:19:57 +0000]
gpu: nvgpu: force close all channels on shutdown

In gk20a_pm_shutdown(), we currently wait for 2s
for all channels to finish their work

Instead of waiting, force close all channels
(disable and preempt) during shutdown

Also, if GPU is already railgated during shutdown,
then we can just disable runtime_pm and return
without doing anything

Bug 200166139

Change-Id: I0012f1b3c0f4f676958d083f8c60a001f7015fb0
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/931706
(cherry picked from commit 8341a21e0453b549a9a31090d278631c999d768a)
Reviewed-on: http://git-master/r/1130940
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago gpu: nvgpu: preempt before adjusting fences
Deepak Nibade [Thu, 10 Dec 2015 08:58:32 +0000]
gpu: nvgpu: preempt before adjusting fences

Current sequence in gk20a_disable_channel() is
- disable channel in gk20a_channel_abort()
- adjust pending fence in gk20a_channel_abort()
- preempt channel

But this leads to scenarios where syncpoint has
min > max value

Hence to fix this, make sequence in gk20a_disable_channel()
- disable channel in gk20a_channel_abort()
- preempt channel in gk20a_channel_abort()
- adjust pending fence in gk20a_channel_abort()

If gk20a_channel_abort() is called from other API where
preemption is not needed, then use channel_preempt
flag and do not preempt channel in those cases

Bug 1683059

Change-Id: I4d46d4294cf8597ae5f05f79dfe1b95c4187f2e3
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/921290
(cherry picked from commit a174139ec383ba6d2ede096743192066e8582684)
Reviewed-on: http://git-master/r/1131668
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago video: tegra: host: fix out-of-bound access in case of overflow
Deepak Nibade [Mon, 25 Apr 2016 12:28:28 +0000]
video: tegra: host: fix out-of-bound access in case of overflow

In nvhost_ioctl_ctrl_module_regrdwr(), we allocate a local buffer
of size (num_offsets * block_size), and use it to store
all the values passed from/to user space

In case erroneous values are passed from user space
(e.g. num_offsets=67108864 and block_size=64), buffer size
passed to kmalloc() overflows and is instead set as 64

And in that case, we end up accessing out-of-bounds values
from local buffer "vals"

To prevent this, allocate buffer "vals" of only one block size
and then copy it from/to user space in loop (i.e. copy the values
for each offset)

Remove variable "p1" and rename variable "remaining" as
"count" as it makes more sense

Add and use new API validate_max_size() to validate size of
register read/write. This API will check if requested read/write
block size is less than the memory resource size of device

kmalloc() might fail for any size > 4KB, hence fall back to
use vmalloc() if kmalloc() fails
Use kvfree() to free buffer allocated with above

Bug 1739935

Change-Id: I2582e3bf7db6f47293838a4f14c260188f1564f5
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1131916
(cherry picked from commit 58c9472407093c1975b07079b487914371de88ad)
Reviewed-on: http://git-master/r/1134081
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
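
The pattern this commit message describes, as an added user-space example that is not the driver's code: a buffer size computed as num_offsets * block_size wraps in 32-bit arithmetic, so the model reads through one block-sized bounce buffer and validates every offset against the resource size. The names model_dev, model_validate and model_regrd, the 4096-byte register window and the out/out_len stand-in for the user buffer are assumptions; the alignment test mirrors the u32-alignment check another commit in this log adds to the same ioctl.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_REG_WORDS 1024u   /* constructed: 4096-byte register window */

struct model_dev {
    uint32_t regs[MODEL_REG_WORDS];
    uint32_t resource_size;     /* size of the register window in bytes */
};

/* Returns 1 if a * b does not fit in 32 bits, i.e. a u32 size would wrap. */
static int mul_wraps_u32(uint32_t a, uint32_t b)
{
    return b != 0 && a > UINT32_MAX / b;
}

/* Assumed stand-in for the size validation the commit message describes:
 * the block must be u32-aligned and lie entirely inside the resource. */
static int model_validate(const struct model_dev *d, uint32_t offset,
                          uint32_t block_size)
{
    if (block_size == 0 || (block_size & 3u) || (offset & 3u))
        return -EINVAL;
    /* Written as a subtraction so offset + block_size cannot wrap. */
    if (block_size > d->resource_size ||
        offset > d->resource_size - block_size)
        return -EINVAL;
    return 0;
}

/* Reads num_offsets blocks through ONE block-sized bounce buffer.
 * out/out_len model the user buffer the kernel would copy to. */
static int model_regrd(const struct model_dev *d, const uint32_t *offsets,
                       uint32_t num_offsets, uint32_t block_size,
                       uint8_t *out, size_t out_len)
{
    uint8_t *vals;
    uint32_t i;
    int err = 0;

    if (num_offsets == 0 || block_size == 0 ||
        block_size > d->resource_size)
        return -EINVAL;
    /* Total is computed in 64 bits, so it cannot wrap before the check. */
    if ((uint64_t)num_offsets * block_size > out_len)
        return -EINVAL;

    vals = malloc(block_size);  /* one block, never num_offsets * block_size */
    if (!vals)
        return -ENOMEM;

    for (i = 0; i < num_offsets; i++) {
        err = model_validate(d, offsets[i], block_size);
        if (err)
            break;
        memcpy(vals, (const uint8_t *)d->regs + offsets[i], block_size);
        memcpy(out + (size_t)i * block_size, vals, block_size);
    }
    free(vals);
    return err;
}

static struct model_dev demo_dev;

static void demo_init(void)
{
    uint32_t i;
    for (i = 0; i < MODEL_REG_WORDS; i++)
        demo_dev.regs[i] = i;   /* constructed register contents */
    demo_dev.resource_size = sizeof(demo_dev.regs);
}

/* The request from the commit message: rejected before any allocation. */
static int demo_oversized_request(void)
{
    uint32_t off[1] = { 0 };
    uint8_t out[64];
    demo_init();
    return model_regrd(&demo_dev, off, 67108864u, 64u, out, sizeof(out));
}

/* Two 8-byte blocks at offsets 0 and 16; returns 0 if the words match. */
static int demo_two_blocks(void)
{
    uint32_t off[2] = { 0, 16 }, expect[4] = { 0, 1, 4, 5 };
    uint8_t out[16];
    demo_init();
    if (model_regrd(&demo_dev, off, 2, 8, out, sizeof(out)))
        return -1;
    return memcmp(out, expect, sizeof(expect));
}

/* One 8-byte block at a caller-chosen offset; returns the error code. */
static int demo_single_offset(uint32_t offset)
{
    uint8_t out[8];
    demo_init();
    return model_regrd(&demo_dev, &offset, 1, 8, out, sizeof(out));
}

int main(void)
{
    printf("oversized: %d, two blocks: %d, unaligned: %d, past end: %d\n",
           demo_oversized_request(), demo_two_blocks(),
           demo_single_offset(4094), demo_single_offset(4092));
    return 0;
}
```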

3 years ago video: tegra: dc: Enable YUVBYPASS for all modes
Aly Hirani [Mon, 25 Apr 2016 23:04:50 +0000]
video: tegra: dc: Enable YUVBYPASS for all modes

YUVBYPASS in its current design was limited for only YUV modes. This change
extends it such that it can be applied to any mode and makes it atomic with
respect to the flip.

Main reason for this patch is for hwcomposer to be able to toggle the
full->limited range conversion for RGB and do it in GLC instead for better
picture quality.

Bug 1750555

Change-Id: I2cd923dbfdd764253d232dcae7eefa310858d61d
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1132153
Reviewed-by: Jon Mayo <jmayo@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Michael I Gold <gold@nvidia.com>

3 years ago video: tegra: hdcp: Set max_retries to be infinite
Ankita Garg [Fri, 22 Apr 2016 20:33:56 +0000]
video: tegra: hdcp: Set max_retries to be infinite

Some TVs/monitors do not send a hotplug event on
wake-up or change of source. Currently HDCP link
verification only retries max of 5 times. The counter
is reset on hotplug or successful verification. So on
these monitors the max count is hit and we never
resume HDCP. This change changes max retries to
infinite.

Bug 1694737

Change-Id: I121fcb1212b453037cadeb306b553e5a40ac3a87
Signed-off-by: Ankita Garg <ankitag@nvidia.com>
Reviewed-on: http://git-master/r/1131295
GVS: Gerrit_Virtual_Submit
Reviewed-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>
Reviewed-by: Sharath Sarangpur <ssarangpur@nvidia.com>
Reviewed-by: Aly Hirani <ahirani@nvidia.com>

3 years ago i2c: tegra: Ratelimit error print
Ankita Garg [Thu, 21 Apr 2016 21:47:30 +0000]
i2c: tegra: Ratelimit error print

We are switching over to
infinite number of retries for HDCP. This
change ratelimits the error messages from
i2c to prevent the kernel log buffer from
being filled with i2c failure messages.

Bug 1694737

Change-Id: Ie57881d367ab1b309f2feb362de1414fa59a59f6
Signed-off-by: Ankita Garg <ankitag@nvidia.com>
Reviewed-on: http://git-master/r/1132150
GVS: Gerrit_Virtual_Submit
Reviewed-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>
Reviewed-by: Aly Hirani <ahirani@nvidia.com>

3 years ago video: tegra: dc: Revert pclk rounding
Aly Hirani [Thu, 21 Apr 2016 20:37:34 +0000]
video: tegra: dc: Revert pclk rounding

We added pclk rounding to leverage dGPU IOT. Unfortunately the
side effect of the fix was that it skewed the refresh rate a bit
(we ended up at 23.979 Hz)

This meant that the videos which were at true/closer to 23.976 Hz
would stutter at every ~5 mins.

The only fix is to revert back to the older 1000/1001 pclk
calculations

Bug 1756191

Change-Id: I69f54a6b1dc78322f877c5965194ab19ecc8d567
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1130612
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

3 years ago arm64: boot: dts: Disable hdmi-vrr
Aly Hirani [Mon, 25 Apr 2016 02:53:19 +0000]
arm64: boot: dts: Disable hdmi-vrr

Reading/writing to a non-standard DDC address (0x37 for Gsync) breaks
a large range of Philips TVs in the field.

This change disables it for both Foster and Darcy.

Bug 200179037

Change-Id: If1ac9fc61e4b3b9c7995f54b30e2c6252f769f65
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1129326
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

3 years ago pipe: Fix buffer offset after partially failed read
Ben Hutchings [Sat, 13 Feb 2016 02:34:52 +0000]
pipe: Fix buffer offset after partially failed read

Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.

Bug 1744232
Bug 200188096

Change-Id: I988802f38acf40c7671fa0978880928b02d29b56
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2)
Reviewed-on: http://git-master/r/1130746
GVS: Gerrit_Virtual_Submit
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
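
The failure mode this commit message describes, as an added user-space model that is not kernel code: a copy helper that advances the caller's offset as it goes is handed the buffer's own offset, so a failed copy moves the offset without shrinking the length. The struct, the 16-byte page and the function names are assumptions; read_fixed() applies the described fix of copying through a separate offset variable and committing only on success.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 16   /* constructed: tiny stand-in for a pipe page */

struct model_buf {
    char   page[MODEL_PAGE_SIZE];
    size_t offset;   /* first unread byte in page */
    size_t len;      /* unread bytes; invariant: offset + len <= page size */
};

/* Stand-in for the copy helper: advances *offset and decrements *remaining
 * per byte so a retry can resume. Faults after fault_after bytes. */
static int model_copy_to_user(char *dst, const char *page, size_t *offset,
                              size_t *remaining, size_t fault_after)
{
    while (*remaining > 0) {
        if (fault_after-- == 0)
            return -EFAULT;
        *dst++ = page[(*offset)++];
        (*remaining)--;
    }
    return 0;
}

/* Flawed shape: the helper works directly on buf->offset. */
static long read_flawed(struct model_buf *buf, char *dst, size_t chars,
                        size_t fault_after)
{
    size_t remaining;

    if (chars > buf->len)
        chars = buf->len;
    remaining = chars;
    if (model_copy_to_user(dst, buf->page, &buf->offset, &remaining,
                           fault_after))
        return -EFAULT;      /* offset already advanced, len untouched */
    buf->len -= chars;
    return (long)chars;
}

/* Fixed shape: separate offset variable, buffer state updated on success. */
static long read_fixed(struct model_buf *buf, char *dst, size_t chars,
                       size_t fault_after)
{
    size_t offset = buf->offset, remaining;

    if (chars > buf->len)
        chars = buf->len;
    remaining = chars;
    if (model_copy_to_user(dst, buf->page, &offset, &remaining, fault_after))
        return -EFAULT;      /* buf is exactly as it was before the call */
    buf->offset += chars;
    buf->len -= chars;
    return (long)chars;
}

/* 1 if the unread region still lies inside the page. */
static int buf_consistent(const struct model_buf *b)
{
    return b->offset <= MODEL_PAGE_SIZE &&
           b->len <= MODEL_PAGE_SIZE - b->offset;
}

/* Full-page read that faults after 5 bytes; reports the invariant. */
static int consistent_after_failed_read(int use_fixed)
{
    struct model_buf b;
    char dst[MODEL_PAGE_SIZE];
    long r;

    memset(b.page, 'A', sizeof(b.page));
    b.offset = 0;
    b.len = MODEL_PAGE_SIZE;
    r = use_fixed ? read_fixed(&b, dst, MODEL_PAGE_SIZE, 5)
                  : read_flawed(&b, dst, MODEL_PAGE_SIZE, 5);
    if (r != -EFAULT)
        return -1;
    return buf_consistent(&b);
}

/* Successful read through the fixed path: 1 if the buffer is fully drained. */
static int fixed_success_drains_buffer(void)
{
    struct model_buf b;
    char dst[MODEL_PAGE_SIZE];

    memset(b.page, 'A', sizeof(b.page));
    b.offset = 0;
    b.len = MODEL_PAGE_SIZE;
    return read_fixed(&b, dst, MODEL_PAGE_SIZE, (size_t)-1) == MODEL_PAGE_SIZE
           && b.offset == MODEL_PAGE_SIZE && b.len == 0
           && memcmp(dst, b.page, MODEL_PAGE_SIZE) == 0;
}

int main(void)
{
    printf("flawed consistent after failed read: %d\n",
           consistent_after_failed_read(0));
    printf("fixed consistent after failed read:  %d\n",
           consistent_after_failed_read(1));
    return 0;
}
```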

3 years ago arm64: dts: Add parameter restrict_bw_20 for foster
Srinivas Ramachandran [Wed, 20 Apr 2016 19:59:13 +0000]
arm64: dts: Add parameter restrict_bw_20 for foster

This enables a WAR to prevent controller connectivity issues
in 1080p50Hz mode due to Wi-Fi desense.

Bug 200176240

Change-Id: Icf9e99a7c191e7bdddc72268ee1526dd6f7e4d48
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1129852
Reviewed-by: Mahesh Patil <maheshp@nvidia.com>
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

3 years ago net: wireless: bcmdhd: Restrict default p2p AGO to 20Mhz bw
Srinivas Ramachandran [Wed, 20 Apr 2016 01:13:20 +0000]
net: wireless: bcmdhd: Restrict default p2p AGO to 20Mhz bw

For platforms with DT parameter restrict_bw_20 defined,
1. If AP is not associated, restrict the bw of p2p AGO to 20Mhz
2. If AP is associated, follow the AP bw

This is a WAR to prevent controller connectivity issues
in 1080p50Hz mode due to Wi-Fi desense.

Bug 200176240

Change-Id: I7824873ce95a2465dc67081ab9bce96d7b604389
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1129260
Reviewed-by: Mahesh Patil <maheshp@nvidia.com>
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

3 years ago gpu: nvgpu: Disable illegal comptag interrupt
Terje Bergstrom [Fri, 11 Mar 2016 15:55:30 +0000]
gpu: nvgpu: Disable illegal comptag interrupt

Illegal comptag interrupt is triggered when a page is mapped with
two different kinds with incompatible compression status. This can
be intentional, so disable the interrupt.

Change-Id: I84a212beac147991d09d2d381a9e770b1364f4d8
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-on: http://git-master/r/1029663
(cherry picked from commit 819607a768f9fccdd0b233d58bcf88b9eee4ee19)
Reviewed-on: http://git-master/r/1125814
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Mathias Heyer <mheyer@nvidia.com>

3 years ago gpu: nvgpu: Clear comptags for whole buffer
Terje Bergstrom [Thu, 18 Feb 2016 19:23:44 +0000]
gpu: nvgpu: Clear comptags for whole buffer

Clear comptags for whole buffer when nvgpu sees the buffer for the
first time.

Change-Id: I67108ce0f0def46ddda1aa9b9bb5ea22549cce13
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-on: http://git-master/r/1013517
(cherry picked from commit 544446aacdc695dc2e27c42a0086292cd69c2eee)
Reviewed-on: http://git-master/r/1125813
GVS: Gerrit_Virtual_Submit
Tested-by: Mathias Heyer <mheyer@nvidia.com>

3 years ago cifs: Avoid umount hangs with smb2 when server is unresponsive
Shirish Pargaonkar [Thu, 3 Oct 2013 10:44:45 +0000]
cifs: Avoid umount hangs with smb2 when server is unresponsive

Do not send SMB2 Logoff command when reconnecting, the way smb1
code base works.

Also, no need to wait for a credit for an echo command when one is already
in flight.

Without these changes, umount command hangs if the server is unresponsive
e.g. hibernating.

bug 200167108

Change-Id: Ic9cbdf7a8aeea096434577e61459d087da365c80
Signed-off-by: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <smfrench@us.ibm.com>
Signed-off-by: Ian Chang <ianc@nvidia.com>
Reviewed-on: http://git-master/r/934943
(cherry picked from commit 0001c9be7c04680fc2c49e8ce11fabd189af8a23)
Reviewed-on: http://git-master/r/1125723
Tested-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

3 years ago ARM: tegra: enable CONFIG_CIFS_SMB2
Ian Chang [Wed, 20 Jan 2016 07:54:57 +0000]
ARM: tegra: enable CONFIG_CIFS_SMB2

enable SMB2 protocol to enhance CIFS performance.

bug 200167108

Change-Id: Ia32e9345b14ca627c8f46afde0db8e62b397e20f
Signed-off-by: Ian Chang <ianc@nvidia.com>
Reviewed-on: http://git-master/r/934942
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Robert Shih <rshih@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
Reviewed-on: http://git-master/r/1125722
Tested-by: Jean Huang <jeanh@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

3 years ago ata: ahci: skip read log ext for log page 0x10
Preetham Chandru R [Fri, 1 Apr 2016 13:00:02 +0000]
ata: ahci: skip read log ext for log page 0x10

Tegra SATA controller does not handle read log ext
command for log page address set to 0x10.
This patch is a WAR to take care of this issue.

Bug 1715463

Change-Id: Ic9a85341f2ee8a099331902cebb11b6a07afa8a4
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Reviewed-on: http://git-master/r/999280
(cherry-picked from commit 4dc81003aed10547e455354a5e32348bcc6c4949)
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Signed-off-by: Li Li <lli5@nvidia.com>
Reviewed-on: http://git-master/r/1120015
GVS: Gerrit_Virtual_Submit
Reviewed-by: Eric Miao <emiao@nvidia.com>
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>

3 years ago gpu: nvgpu: bitmap allocator for comptags
Konsta Holtta [Tue, 1 Dec 2015 09:55:27 +0000]
gpu: nvgpu: bitmap allocator for comptags

Restore comptags to be bitmap-allocated, like they were before we had
the buddy allocator.

The new buddy allocator introduced by
e99aa2485f8992eabe3556f3ebcb57bdc8ad91ff (originally
6ab2e0c49cb79ca68d2f83f1d4610783d2eaa79b) is fine for the big VAs, but
unsuitable for the small compbit store.

This commit reverts partially the combination of the above commit and
also one after it, 86fc7ec9a05999bea8de320840b962db3ee11410, that fixed
a bug which is not present when using a bitmap. With a bitmap allocator,
pruning the extra allocation necessary for user-mapped mode is possible,
so that is also restored.

The original generic bitmap allocator is not restored; instead, a
comptag-only allocator is introduced.

Bug 200145635

Change-Id: I87f3a911826a801124cfd21e44857dfab1c3f378
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/837180
(cherry picked from commit 5a504aeb54f3e89e6561932971158a397157b3f2)
Reviewed-on: http://git-master/r/1123569
GVS: Gerrit_Virtual_Submit
Tested-by: Hrishikesh Manohar <hrishikeshm@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago video: tegra: dc: move EESS by 1 pclk for HDCP 2.2
Sharath Sarangpur [Tue, 29 Mar 2016 00:00:43 +0000]
video: tegra: dc: move EESS by 1 pclk for HDCP 2.2

Adjusted EESS start and end by 1 pclk for HDCP 2.2

Bug 1755313

Change-Id: I64ae4b4a45714024ad494c07293f411b8fb95eac
Signed-off-by: Sharath Sarangpur <ssarangpur@nvidia.com>
Reviewed-on: http://git-master/r/1116687
(cherry picked from commit 72c1cb3bc71b9f93b96564603e36ddbd6a15a47d)
Reviewed-on: http://git-master/r/1116686
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Tested-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
GVS: Gerrit_Virtual_Submit

3 years ago video: tegra: host: use dynamically allocated wait_queue rel-24-foster-r2
Deepak Nibade [Wed, 20 Jan 2016 13:39:19 +0000]
video: tegra: host: use dynamically allocated wait_queue

In nvhost_syncpt_wait_timeout(), we currently allocate
wait_queue_head on stack using
DECLARE_WAIT_QUEUE_HEAD_ONSTACK()

If wait is complete, then this wait_queue_head will
be removed off the stack

But in some rare case if action_wakeup_interruptible()
is called after wait is complete, we try to access
wait_queue_head which is already deleted from stack

To fix this, define wait_queue_head inside nvhost_waitlist
and allocate it dynamically along with waitlist

Bug 200126989

Change-Id: Iad7869323832e6f36c044e0d29fdea62dca762d5
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/935161
(cherry picked from commit 80b5c960e95b9f1f4c1401b03d72641ac4b6ccc6)
Reviewed-on: http://git-master/r/1113381
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

3 years ago hid: jarvis: WAR for cypress controller reset
Ankita Garg [Wed, 23 Mar 2016 08:36:12 +0000]
hid: jarvis: WAR for cypress controller reset

Whenever cypress controller gets reset and
enters bootloader (version mis-match on jarvis
startup or OTA), it pulls all the buttons low,
causing spurious input events. This WAR disables
inputs when all three buttons are either pressed
or released.

Bug 200174400

Change-Id: If916a8f11004fc2e25a6c5131d32f621e2729ea2
Signed-off-by: Ankita Garg <ankitag@nvidia.com>
Reviewed-on: http://git-master/r/1114574
Reviewed-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
Reviewed-by: Spencer Sutterlin <ssutterlin@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

3 years ago pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
Ben Hutchings [Tue, 16 Jun 2015 21:11:06 +0000]
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic

pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not.  The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset.  This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9d58d ("new helper:
copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable.  This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.

CVE-2015-1805

Bug: 27275324
Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4
References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 85c34d007116f8a8aafb173966a605fb03532f45)
Reviewed-on: http://git-master/r/1114630
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

3 years ago video: tegra: host: check if offset is u32 aligned
Deepak Nibade [Fri, 11 Mar 2016 08:29:20 +0000]
video: tegra: host: check if offset is u32 aligned

In nvhost_ioctl_ctrl_module_regrdwr(), we copy offset
to read/write from user space but we do not have
any check on it

So it is possible for user space to add unaligned
offset and request read/write which would crash the
system

Fix this by explicitly checking alignment of the
offset passed by user space

Bug 1739935

Change-Id: Iea2a07c60500af876b732a0e9d9d08535aa53b5c
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1029405
(cherry picked from commit 422baa09a17a6a17f4e572aa5441ca174634de0d)
Reviewed-on: http://git-master/r/1111328
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

3 years ago gpu: nvgpu: Call ELPG enable/disable on condition
Mahantesh Kumbar [Wed, 9 Mar 2016 07:13:55 +0000]
gpu: nvgpu: Call ELPG enable/disable on condition

Call ELPG enable/disable if ELPG support enabled else ignore

Bug 200156347
Bug 1716764

Change-Id: I0bf4bacb23c087600b0632f806b12e94ebe090a5
Signed-off-by: Mahantesh Kumbar <mkumbar@nvidia.com>
Reviewed-on: http://git-master/r/1027030
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Tested-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Vijayakumar Subbu <vsubbu@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago gpu: nvgpu: Enable ELPG when disabled due to reset
Mahantesh Kumbar [Wed, 9 Mar 2016 07:00:51 +0000]
gpu: nvgpu: Enable ELPG when disabled due to reset

Enable ELPG back whenever ELPG disable is done due to reset or recovery.
Otherwise elpg_refcnt mismatch doesn't engage ELPG correctly

Bug 200156347
Bug 1716764

Change-Id: I16dd47ebc647e631c1ace59099a36c92d4c3abb0
Signed-off-by: Mahantesh Kumbar <mkumbar@nvidia.com>
Reviewed-on: http://git-master/r/1027020
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Tested-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago UPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring()
Yevgeny Pats [Tue, 19 Jan 2016 22:09:04 +0000]
UPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring()

(cherry pick from commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2)

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.

This can be tested with the following program:

	#include <stddef.h>
	#include <stdio.h>
	#include <sys/types.h>
	#include <keyutils.h>

	int main(int argc, const char *argv[])
	{
		int i = 0;
		key_serial_t serial;

		serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
				"leaked-keyring");
		if (serial < 0) {
			perror("keyctl");
			return -1;
		}

		if (keyctl(KEYCTL_SETPERM, serial,
			   KEY_POS_ALL | KEY_USR_ALL) < 0) {
			perror("keyctl");
			return -1;
		}

		for (i = 0; i < 100; i++) {
			serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
					"leaked-keyring");
			if (serial < 0) {
				perror("keyctl");
				return -1;
			}
		}

		return 0;
	}

If, after the program has run, there is something like the following line in
/proc/keys:

3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning.  If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.

Bug 1720836

Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: I10177a58a7b3178eda95017557edaa7298594d06
(cherry picked from commit 9fc5f368bb89b65b591c4f800dfbcc7432e49de5)
Signed-off-by: Sumit Singh <sumsingh@nvidia.com>
Reviewed-on: http://git-master/r/935565
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
(cherry picked from commit 07be7f19b4c356ce94642d0c2cecb93179a9a9bc)
Signed-off-by: Todd Poynter <tpoynter@nvidia.com>
Reviewed-on: http://git-master/r/936979
(cherry picked from commit 2af5d2a42a8da43f466aed81941174219470486b)
Signed-off-by: Toby Butzon <tbutzon@nvidia.com>
Reviewed-on: http://git-master/r/1031380
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

3 years ago gpu: nvgpu: validate error notifier offset
Konsta Holtta [Tue, 8 Mar 2016 11:58:11 +0000]
gpu: nvgpu: validate error notifier offset

Make sure that the notifier object fits within the supplied buffer.

Bug 1739183
Bug 1739932

Change-Id: I713574ce797ffc23cec10b5114f469dbadc68f1e
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026410
(cherry picked from commit f476b93eb19b962b8760457102448bd533efc54d)
Reviewed-on: http://git-master/r/1029380
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

3 years ago media: tegra: nvavp: Fix heap overflow
Somasundaram S [Thu, 10 Mar 2016 12:03:11 +0000]
media: tegra: nvavp: Fix heap overflow

Bug 1739930

Increase NVAVP_MAX_RELOCATION_COUNT to max. possible value
and add check to return error if num_relocs in
nvavp_pushbuffer_submit_ioctl exceeds
NVAVP_MAX_RELOCATION_COUNT

Change-Id: Ief36cedd692aa53135fc6a0039b19f18609259dd
Signed-off-by: Somasundaram S <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1028913
(cherry-picked from commit <TODO>)
Reviewed-on: http://git-master/r/1029636
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

3 years ago video: tegra: host: validate error notifier offset
Konsta Holtta [Tue, 8 Mar 2016 11:56:19 +0000]
video: tegra: host: validate error notifier offset

Make sure that the notifier object fits within the supplied buffer.

Bug 1739183

Change-Id: Ifbf46eddea86bedf0236851ea1c3f73e5f820beb
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1026409
(cherry picked from commit 4086d2137e9b51137aa335fa264d924c73dea5fc)
Reviewed-on: http://git-master/r/1029382
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

3 years ago gpu: nvgpu: validate wait notification offset
Konsta Holtta [Tue, 8 Mar 2016 12:35:21 +0000]
gpu: nvgpu: validate wait notification offset

Make sure that the notification object fits within the supplied buffer.

Bug 1739182

Change-Id: Ifb66f848e3758438f37645be6f534f5b60260214
Reviewed-on: http://git-master/r/1026431
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
(cherry-picked from commit <TODO>)
Reviewed-on: http://git-master/r/1029635
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>

3 years ago xhci: fix off by one error in TRB DMA address boundary check
Mathias Nyman [Mon, 3 Aug 2015 13:07:48 +0000]
xhci: fix off by one error in TRB DMA address boundary check

We need to check that a TRB is part of the current segment
before calculating its DMA address.

Previously a ring segment didn't use a full memory page, and every
new ring segment got a new memory page, so the off by one
error in checking the upper bound was never seen.

Now that we use a full memory page, 256 TRBs (4096 bytes), the off by one
didn't catch the case when a TRB was the first element of the next segment.

This is triggered if the virtual memory pages for a ring segment are
next to each other in increasing order where the ring buffer wraps around and
causes errors like:

[  106.398223] xhci_hcd 0000:00:14.0: ERROR Transfer event TRB DMA ptr not part of current TD ep_index 0 comp_code 1
[  106.398230] xhci_hcd 0000:00:14.0: Looking for event-dma fffd3000 trb-start fffd4fd0 trb-end fffd5000 seg-start fffd4000 seg-end fffd4ff0

The trb-end address is one outside the end-seg address.

Bug 1730718

Change-Id: I27bff8497493ea94b357184bd321e7dc478a0a1a
Cc: <stable@vger.kernel.org>
Tested-by: Arkadiusz Miśkiewicz <arekm@maven.pl>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ajay Gupta <ajayg@nvidia.com>
Reviewed-on: http://git-master/r/1020811
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
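
The off-by-one described in the commit message above, modelled in user-space C as an added example (this is not the driver's code). struct seg_model and the helper functions are hypothetical, and the `>` versus `>=` comparison is an assumption about the shape of the bound check; the addresses are the ones in the quoted log.

```c
#include <stdint.h>
#include <stdio.h>

#define TRB_SIZE         16u   /* bytes per TRB */
#define TRBS_PER_SEGMENT 256u  /* 256 * 16 = 4096 bytes, one full page */

/* Hypothetical stand-in for a ring segment: only its DMA base address. */
struct seg_model {
	uint64_t dma;
};

/* Assumed pre-fix shape: index 256 (one past the last TRB) is accepted. */
static uint64_t trb_dma_buggy(const struct seg_model *seg, unsigned long idx)
{
	if (idx > TRBS_PER_SEGMENT)
		return 0;
	return seg->dma + (uint64_t)idx * TRB_SIZE;
}

/* Assumed post-fix shape: only indices 0..255 belong to this segment. */
static uint64_t trb_dma_fixed(const struct seg_model *seg, unsigned long idx)
{
	if (idx >= TRBS_PER_SEGMENT)
		return 0;
	return seg->dma + (uint64_t)idx * TRB_SIZE;
}

/* Address of the last TRB in the segment ("seg-end" in the log). */
static uint64_t seg_last_trb(const struct seg_model *seg)
{
	return seg->dma + (uint64_t)(TRBS_PER_SEGMENT - 1) * TRB_SIZE;
}

int main(void)
{
	struct seg_model seg = { .dma = 0xfffd4000 };  /* seg-start in the log */
	unsigned long idx[] = { 0, 253, 255, 256, 257 };
	size_t i;

	printf("seg-end %llx\n", (unsigned long long)seg_last_trb(&seg));
	for (i = 0; i < sizeof(idx) / sizeof(idx[0]); i++)
		printf("idx %3lu  buggy %8llx  fixed %8llx\n", idx[i],
		       (unsigned long long)trb_dma_buggy(&seg, idx[i]),
		       (unsigned long long)trb_dma_fixed(&seg, idx[i]));
	return 0;
}
```

Index 256 is the only input on which the two checks disagree: the `>` form maps it to fffd5000, the trb-end value in the log, which already lies in the following page.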

3 years ago kconfig: Foster PRO no idle sata
David DSH [Thu, 3 Mar 2016 20:51:22 +0000]
kconfig: Foster PRO no idle sata

Idle doesn't work properly with this feature in.

boot.img size is reduced by 2632 bytes

Bug 1579438
Bug 200176631
Bug 200173379

Change-Id: I4b1f9568bec4aed55ea98726dbbeb6831fcd7bf3
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
(cherry picked from commit 223b9ecdb0321b06b225eb91d25802eaa330a6d8)
Reviewed-on: http://git-master/r/1023631
Reviewed-by: Sang-Hun Lee <sanlee@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>