2 years ago mm: remove gup_flags FOLL_WRITE games from __get_user_pages() rel-24-sb-r1
Gagan Grover [Fri, 21 Oct 2016 08:25:48 +0000]
mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.

This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better).  The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9.  Earlier kernels will
have to look at the page state itself.

Also, the VM has become more scalable, and what used to be a purely
theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.

Change-Id: I13a55845a79f92c0c90228a229947d2bdf616a4a
Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
     s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1240491
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago cdc_ncm: add back FLAG_RMNET flag
Vaibhav Shinde [Thu, 20 Oct 2016 05:30:33 +0000]
cdc_ncm: add back FLAG_RMNET flag

This flag was missed while cherry-picking the upstream change
4d06dd537f95683aba3651098ae288b7cbff8274 in commit
efceda32988b9cce46559bd936f3f2e3dd51f617

Change-Id: Ife6363cca4ef6616b3ed433c03517def9f4e88d5
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1239634
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago tegra-profiler: fix security vulnerability issue
Igor Nabirushkin [Thu, 18 Aug 2016 08:35:20 +0000]
tegra-profiler: fix security vulnerability issue

Tegra Profiler: some fields of structs are not initialized.
So, when they are copied to user space, stack information leaks.

Bug 1797747

Change-Id: I2b00f30fa2e3360c412573d40faf96f45c113346
Signed-off-by: Igor Nabirushkin <inabirushkin@nvidia.com>
Reviewed-on: http://git-master/r/1208892
(cherry picked from commit 08d72717508f180fcf6f5b73557c4413356d76eb)
Reviewed-on: http://git-master/r/1210648
(cherry picked from commit 7cd76fe2e159ea7368a2f39b137140a78be9a4e2)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1236439
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago gpu: nvgpu: initialize local variable
Deepak Nibade [Thu, 4 Aug 2016 14:12:38 +0000]
gpu: nvgpu: initialize local variable

Initialize character array buf in gk20a_channel_ioctl() to zero
Keeping it uninitialized can result in leaking kernel stack
info to user space since we pass this buffer to UMD

Bug 1793398

Change-Id: Iffd654dbaca3b4e3c8fd2ac270d0febd01c165b8
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1195862
(cherry picked from commit 118809f4bd07af20df2b6c012828834695a5fccf)
Reviewed-on: http://git-master/r/1197614
(cherry picked from commit af5e2bd79ba3ea5575f1d2aa26aa581074d81ad5)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1236438
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
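
The leak class fixed by the tegra-profiler and nvgpu commits above, as an added user-space model that is not code from either driver. `struct reply`, `struct_leak()`, `buffer_leak()`, the 0xA5 marker and `BUF_SIZE` are assumptions made for the illustration; field stores are written as memcpy() at offsetof() so the model is well-defined C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE    0xA5   /* constructed marker standing for leftover stack data */
#define BUF_SIZE 64     /* assumed size of an ioctl scratch buffer */

/* Hypothetical reply struct: the compiler pads after 'type', and the
 * handler below never sets 'reserved'. */
struct reply {
    uint8_t  type;
    uint32_t value;
    uint32_t reserved;
};

/* Count bytes received by "user space" that still hold stale stack data. */
static size_t count_stale(const unsigned char *user, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (user[i] == STALE)
            hits++;
    return hits;
}

/*
 * A handler that fills a struct field by field and copies the whole object
 * out. 'frame' stands for the stack slot the struct occupies. With
 * zero_first set, the slot is cleared before use, which is the fix.
 */
size_t struct_leak(int zero_first)
{
    unsigned char frame[sizeof(struct reply)];
    unsigned char user[sizeof(struct reply)];
    uint8_t type = 1;
    uint32_t value = 42;

    memset(frame, STALE, sizeof(frame));      /* leftovers from earlier calls */
    if (zero_first)
        memset(frame, 0, sizeof(frame));

    memcpy(frame + offsetof(struct reply, type), &type, sizeof(type));
    memcpy(frame + offsetof(struct reply, value), &value, sizeof(value));
    /* 'reserved' and the padding bytes are never written */

    memcpy(user, frame, sizeof(frame));       /* stand-in for copy_to_user() */
    return count_stale(user, sizeof(user));
}

/*
 * A handler that writes a short result into a fixed-size character array
 * and then copies the full array out, as with an ioctl scratch buffer.
 */
size_t buffer_leak(int zero_first)
{
    unsigned char buf[BUF_SIZE];
    unsigned char user[BUF_SIZE];
    static const char msg[] = "ok";           /* 3 bytes including the NUL */

    memset(buf, STALE, sizeof(buf));
    if (zero_first)
        memset(buf, 0, sizeof(buf));

    memcpy(buf, msg, sizeof(msg));
    memcpy(user, buf, sizeof(buf));           /* copies all BUF_SIZE bytes */
    return count_stale(user, sizeof(user));
}

int main(void)
{
    printf("struct, no init : %zu of %zu bytes stale\n",
           struct_leak(0), sizeof(struct reply));
    printf("struct, zeroed  : %zu bytes stale\n", struct_leak(1));
    printf("buffer, no init : %zu of %d bytes stale\n",
           buffer_leak(0), BUF_SIZE);
    printf("buffer, zeroed  : %zu bytes stale\n", buffer_leak(1));
    return 0;
}
```

Setting every named field is not enough on its own: the padding bytes reach the copy as well, so the whole object has to be cleared before it is filled.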

2 years ago gpu: nvgpu: fix use-after-free in case of error notifier
Gagan Grover [Wed, 12 Oct 2016 11:35:06 +0000]
gpu: nvgpu: fix use-after-free in case of error notifier

A use-after-free scenario is possible where one thread in
gk20a_free_error_notifiers() is trying to free the error
notifier and another thread in gk20a_set_error_notifier()
is still using the error notifier

Fix this by introducing mutex error_notifier_mutex for
error notifier accesses

Take mutex in gk20a_free_error_notifiers() and in
gk20a_set_error_notifier() before accessing notifier

In gk20a_init_error_notifier(), set the pointer
ch->error_notifier_ref inside the mutex and only
after notifier is completely initialized

Bug 1824788

Change-Id: I47e1ab57d54f391799f5a0999840b663fd34585f
Reviewed-on: http://git-master/r/1233988
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1235729
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago ppp: take reference on channels netns
Guillaume Nault [Wed, 23 Mar 2016 15:38:55 +0000]
ppp: take reference on channels netns

Let channels hold a reference on their network namespace.
Some channel types, like ppp_async and ppp_synctty, can have their
userspace controller running in a different namespace. Therefore they
can't rely on them to preclude their netns from being removed from
under them.

==================================================================
BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
addr ffff880064e217e0
Read of size 8 by task syz-executor/11581
=============================================================================
BUG net_namespace (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

Disabling lock debugging due to kernel taint
INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
[<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
[<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
[<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
[<     inline     >] slab_alloc kernel/mm/slub.c:2574
[<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
[<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
[<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
[<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
[<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
[<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
[<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
[<     inline     >] copy_process kernel/kernel/fork.c:1274
[<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
[<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
[<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
[<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185

INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
[<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
[<     inline     >] slab_free kernel/mm/slub.c:2805
[<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
[<     inline     >] net_free kernel/net/core/net_namespace.c:341
[<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
[<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
[<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
[<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
[<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
[<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
flags=0x5fffc0000004080
INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200

CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
 ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
 ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
Call Trace:
 [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
 [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
 [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
 [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
 [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
 [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
 [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
 [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
 [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
 [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
 [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
 [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
 [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
 [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
 [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
 [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
 [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
 [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
 [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
 [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
 [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
 [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
 [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
 [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
 [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
 [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
 [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
 [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
 [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
 [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
 [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
 [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
 [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
 [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
 [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
 [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
 [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
 [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
 [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
 [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
 [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
 [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
 [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
 [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
Memory state around the buggy address:
 ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                       ^
 ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 273ec51dd7ce ("net: ppp_generic - introduce net-namespace functionality v2")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Reviewed-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 1797728

Change-Id: I5e04b3c178b408af0412f635714b4bb3d2ff6a44
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214545
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 493649df1bec9216bfd9ecb0430e5bfbaac61b2b)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1227652
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago UPSTREAM: netfilter: x_tables: validate e->target_offset early
Florian Westphal [Tue, 22 Mar 2016 17:02:49 +0000]
UPSTREAM: netfilter: x_tables: validate e->target_offset early

(cherry pick from commit bdf533de6968e9686df777dc178486f600c6e617)

We should check that e->target_offset is sane before
mark_source_chains gets called since it will fetch the target entry
for loop detection.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Ic2dbc31c9525d698e94d4d8875886acf3524abbd
Bug: 29637687
Bug 1797728
(cherry picked from commit 7ed1e120e1cc31bea816709c25ebb80203ce9f1b)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214540
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

(cherry picked from commit 7f418177a6ac021fc6a10560b17733577b898b6f)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Change-Id: I0a8de95d8239f8eebe73ce1805d47ad66fc40930
Reviewed-on: http://git-master/r/1231204
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago usbnet: cleanup after bind() in probe()
Oliver Neukum [Mon, 7 Mar 2016 10:31:10 +0000]
usbnet: cleanup after bind() in probe()

In case bind() works, but a later error forces bailing
in probe() in error cases work and a timer may be scheduled.
They must be killed. This fixes an error case related to
the double free reported in
http://www.spinics.net/lists/netdev/msg367669.html
and needs to go on top of Linus' fix to cdc-ncm.

Signed-off-by: Oliver Neukum <ONeukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Bug 1797728

(cherry picked from commit 1666984c8625b3db19a9abc298931d35ab7bc64b)
Change-Id: Ibc50a06dee69894e18bb62f5969e1718138395cf
(cherry picked from commit f10f1a249226dfac19ce97b606bb5cea814e63ca)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214495
Reviewed-by: Jinyoung Park <jinyoungp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

(cherry picked from commit fee44a55ae456313dcfb0e41ea70fc2227ebe44c)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Change-Id: Ia1dd62d6e0e8453c146a8161fc68f8e092c88c3a
Reviewed-on: http://git-master/r/1231203
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago net: wireless: bcmdhd*: Fix buffer too short
Ira Zhuang [Thu, 29 Sep 2016 07:56:13 +0000]
net: wireless: bcmdhd*: Fix buffer too short

1. Elevation of privilege vulnerability in Broadcom Wi-Fi driver
2. CVE-2016-3869, A-29009982 (B-RB#96070) of Security Bulletin.
Elevation of privilege vulnerability in Broadcom Wi-Fi driver (device specific)

Bug 1797728

Change-Id: Ied3f93adcb7edb292ff64a46d342339d46a5ef58
Signed-off-by: Ira Zhuang <izhuang@nvidia.com>
Reviewed-on: http://git-master/r/1228978
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
Reviewed-by: Om Prakash Singh <omp@nvidia.com>

2 years ago UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue
Rainer Weikusat [Fri, 20 Nov 2015 22:07:23 +0000]
UPSTREAM: unix: avoid use-after-free in ep_remove_wait_queue

(cherry picked from commit 7d267278a9ece963d77eefec61630223fce08c6c)

Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
An AF_UNIX datagram socket being the client in an n:1 association with
some server socket is only allowed to send messages to the server if the
receive queue of this socket contains at most sk_max_ack_backlog
datagrams. This implies that prospective writers might be forced to go
to sleep despite none of the messages presently enqueued on the server
receive queue were sent by them. In order to ensure that these will be
woken up once space becomes again available, the present unix_dgram_poll
routine does a second sock_poll_wait call with the peer_wait wait queue
of the server socket as queue argument (unix_dgram_recvmsg does a wake
up on this queue after a datagram was received). This is inherently
problematic because the server socket is only guaranteed to remain alive
for as long as the client still holds a reference to it. In case the
connection is dissolved via connect or by the dead peer detection logic
in unix_dgram_sendmsg, the server socket may be freed despite "the
polling mechanism" (in particular, epoll) still has a pointer to the
corresponding peer_wait queue. There's no way to forcibly deregister a
wait queue with epoll.

Based on an idea by Jason Baron, the patch below changes the code such
that a wait_queue_t belonging to the client socket is enqueued on the
peer_wait queue of the server whenever the peer receive queue full
condition is detected by either a sendmsg or a poll. A wake up on the
peer queue is then relayed to the ordinary wait queue of the client
socket via wake function. The connection to the peer wait queue is again
dissolved if either a wake up is about to be relayed or the client
socket reconnects or a dead peer is detected or the client socket is
itself closed. This enables removing the second sock_poll_wait from
unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
that no blocked writer sleeps forever.

Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
Reviewed-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e
Bug: 29119002
Bug 1797728
(cherry picked from commit fe182ffd23b2db9ab321acb691212e7eec0383c5)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214547
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 724e0127af124d5a6f4f1ec3bded7e5e7579390c)
Reviewed-on: http://git-master/r/1230822
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago ipv6: Don't reduce hop limit for an interface
D.S. Ljungmark [Wed, 25 Mar 2015 08:28:15 +0000]
ipv6: Don't reduce hop limit for an interface

A local route may have a lower hop_limit set than global routes do.

RFC 3756, Section 4.2.7, "Parameter Spoofing"

>   1.  The attacker includes a Current Hop Limit of one or another small
>       number which the attacker knows will cause legitimate packets to
>       be dropped before they reach their destination.

>   As an example, one possible approach to mitigate this threat is to
>   ignore very small hop limits.  The nodes could implement a
>   configurable minimum hop limit, and ignore attempts to set it below
>   said limit.

Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 1797728

Change-Id: Ib639dde094374ad892c5cb24488a68eb14fabd8d
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214541
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 6269ea5362ad71fe468631fd97d3f938face2c34)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1230825
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago udp: fix behavior of wrong checksums
Eric Dumazet [Sat, 30 May 2015 16:16:53 +0000]
udp: fix behavior of wrong checksums

We have two problems in UDP stack related to bogus checksums :

1) We return -EAGAIN to application even if receive queue is not empty.
   This breaks applications using edge trigger epoll()

2) Under UDP flood, we can loop forever without yielding to other
   processes, potentially hanging the host, especially on non SMP.

This patch is an attempt to make things better.

We might in the future add extra support for rt applications
wanting to better control time spent doing a recv() in a hostile
environment. For example we could validate checksums before queuing
packets in socket receive queue.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 1797728

Change-Id: Ifed7af7b676fe46ad47437c19be50671efb07054
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214539
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 15e20e9b6b4163b46f8393aba5db4ffb79189b5f)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1230827
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago ipv4: try to cache dst_entries which would cause a redirect
Hannes Frederic Sowa [Fri, 23 Jan 2015 11:01:26 +0000]
ipv4: try to cache dst_entries which would cause a redirect

Not caching dst_entries which cause redirects could be exploited by hosts
on the same subnet, causing a severe DoS attack. This effect aggravated
since commit f88649721268999 ("ipv4: fix dst race in sk_dst_get()").

Lookups causing redirects will be allocated with DST_NOCACHE set which
will force dst_release to free them via RCU.  Unfortunately waiting for
RCU grace period just takes too long, we can end up with >1M dst_entries
waiting to be released and the system will run OOM. rcuos threads cannot
catch up under high softirq load.

Attaching the flag to emit a redirect later on to the specific skb allows
us to cache those dst_entries thus reducing the pressure on allocation
and deallocation.

This issue was discovered by Marcelo Leitner.

Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 1797728

Change-Id: I7d6fed96b599c8e10cb905c9e9824b134b4646d4
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214535
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 65a64a2f0b05e20cda0296e1e30a5700c133618a)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1230828
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago KEYS: potential uninitialized variable
Dan Carpenter [Thu, 16 Jun 2016 14:48:57 +0000]
KEYS: potential uninitialized variable

If __key_link_begin() failed then "edit" would be uninitialized.  I've
added a check to fix that.

This allows a random user to crash the kernel, though it's quite
difficult to achieve.  There are three ways it can be done as the user
would have to cause an error to occur in __key_link():

 (1) Cause the kernel to run out of memory.  In practice, this is difficult
     to achieve without ENOMEM cropping up elsewhere and aborting the
     attempt.

 (2) Revoke the destination keyring between the keyring ID being looked up
     and it being tested for revocation.  In practice, this is difficult to
     time correctly because the KEYCTL_REJECT function can only be used
     from the request-key upcall process.  Further, users can only make use
     of what's in /sbin/request-key.conf, though this does include a
     rejection debugging test - which means that the destination keyring
     has to be the caller's session keyring in practice.

 (3) Have just enough key quota available to create a key, a new session
     keyring for the upcall and a link in the session keyring, but not then
     sufficient quota to create a link in the nominated destination keyring
     so that it fails with EDQUOT.

The bug can be triggered using option (3) above using something like the
following:

echo 80 >/proc/sys/kernel/keys/root_maxbytes
keyctl request2 user debug:fred negate @t

The above sets the quota to something much lower (80) to make the bug
easier to trigger, but this is dependent on the system.  Note also that
the name of the keyring created contains a random number that may be
between 1 and 10 characters in size, so may throw the test off by
changing the amount of quota used.

Assuming the failure occurs, something like the following will be seen:

kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
------------[ cut here ]------------
kernel BUG at ../mm/slab.c:2821!
...
RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
RSP: 0018:ffff8804014a7de8  EFLAGS: 00010092
RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
...
Call Trace:
  kfree+0xde/0x1bc
  assoc_array_cancel_edit+0x1f/0x36
  __key_link_end+0x55/0x63
  key_reject_and_link+0x124/0x155
  keyctl_reject_key+0xb6/0xe0
  keyctl_negate_key+0x10/0x12
  SyS_keyctl+0x9f/0xe7
  do_syscall_64+0x63/0x13a
  entry_SYSCALL64_slow_path+0x25/0x25

(cherry picked from commit 38327424b40bcebe2de92d07312c89360ac9229a)
Jira EASS-863

Bug 1797728

Change-Id: Iaf1905f06f52e547654274cbb4827dd03866b71b
Fixes: f70e2e06196a ('KEYS: Do preallocation for __key_link()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-on: http://git-master/r/1209532
(cherry picked from commit d84542d36e9d5968c1cef665e9e0a5c70f8eabc4)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213221
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 552d71467ba0fda2d8816408201b77599e624aca)
Reviewed-on: http://git-master/r/1230814
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago fs: ext4: disable support for FALLOC_FL_PUNCH_HOLE
Woojung Min [Tue, 30 Aug 2016 07:44:07 +0000]
fs: ext4: disable support for FALLOC_FL_PUNCH_HOLE

Disable support for the fallocate FALLOC_FL_PUNCH_HOLE to
prevent the race conditions.

CVE-2015-8839
ANDROID-28760453

Jira EASS-863

Bug 1797728

Change-Id: Iae76df73f811da4e8209d21dd0803b070c0db684
Reviewed-on: http://git-master/r/1209635
(cherry picked from commit 9704617c5412f4cde41270259331a9078b479915)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213238
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 533c2cafdb20f630647b88ae443b580216ebfc34)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1230816
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago UPSTREAM: ASN.1: Fix non-match detection failure on data overrun
David Howells [Mon, 11 Jul 2016 21:18:11 +0000]
UPSTREAM: ASN.1: Fix non-match detection failure on data overrun

(cherry pick from commit 0d62e9dd6da45bbf0f33a8617afc5fe774c8f45f)

If the ASN.1 decoder is asked to parse a sequence of objects, non-optional
matches get skipped if there's no more data to be had rather than a
data-overrun error being reported.

This is due to the code segment that decides whether to skip optional
matches (ie. matches that could get ignored because an element is marked
OPTIONAL in the grammar) due to a lack of data also skips non-optional
elements if the data pointer has reached the end of the buffer.

This can be tested with the data decoder for the new RSA akcipher algorithm
that takes three non-optional integers.  Currently, it skips the last
integer if there is insufficient data.

Without the fix, #defining DEBUG in asn1_decoder.c will show something
like:

next_op: pc=0/13 dp=0/270 C=0 J=0
- match? 30 30 00
- TAG: 30 266 CONS
next_op: pc=2/13 dp=4/270 C=1 J=0
- match? 02 02 00
- TAG: 02 257
- LEAF: 257
next_op: pc=5/13 dp=265/270 C=1 J=0
- match? 02 02 00
- TAG: 02 3
- LEAF: 3
next_op: pc=8/13 dp=270/270 C=1 J=0
next_op: pc=11/13 dp=270/270 C=1 J=0
- end cons t=4 dp=270 l=270/270

The next_op line for pc=8/13 should be followed by a match line.

This is not exploitable for X.509 certificates by means of shortening the
message and fixing up the ASN.1 CONS tags because:

 (1) The relevant records being built up are cleared before use.

 (2) If the message is shortened sufficiently to remove the public key, the
     ASN.1 parse of the RSA key will fail quickly due to a lack of data.

 (3) Extracted signature data is either turned into MPIs (which cope with a
     0 length) or is simpler integers specifying algorithms and suchlike
     (which can validly be 0); and

 (4) The AKID and SKID extensions are optional and their removal is handled
     without risking passing a NULL to asymmetric_key_generate_id().

 (5) If the certificate is truncated sufficiently to remove the subject,
     issuer or serialNumber then the ASN.1 decoder will fail with a 'Cons
     stack underflow' return.

This is not exploitable for PKCS#7 messages by means of removal of
elements from such a message from the tail end of a sequence:

 (1) Any shortened X.509 certs embedded in the PKCS#7 message are survivable
     as detailed above.

 (2) The message digest content isn't used if it shows a NULL pointer,
     similarly, the authattrs aren't used if that shows a NULL pointer.

 (3) A missing signature results in a NULL MPI - which the MPI routines deal
     with.

 (4) If data is NULL, it is expected that the message has detached content and
     that is handled appropriately.

 (5) If the serialNumber is excised, the unconditional action associated
     with it will pick up the containing SEQUENCE instead, so no NULL
     pointer will be seen here.

     If both the issuer and the serialNumber are excised, the ASN.1 decode
     will fail with an 'Unexpected tag' return.

     In either case, there's no way to get to asymmetric_key_generate_id()
     with a NULL pointer.

 (6) Other fields are decoded to simple integers.  Shortening the message
     to omit an algorithm ID field will cause checks on this to fail early
     in the verification process.

This can also be tested by snipping objects off of the end of the ASN.1 stream
such that mandatory tags are removed - or even from the end of internal
SEQUENCEs.  If any mandatory tag is missing, the error EBADMSG *should* be
produced.  Without this patch ERANGE or ENOPKG might be produced or the parse
may apparently succeed, perhaps with ENOKEY or EKEYREJECTED being produced
later, depending on what gets snipped.

Just snipping off the final BIT_STRING or OCTET_STRING from either sample
should be a start since both are mandatory and neither will cause an EBADMSG
without the patches.

Jira EASS-863

Bug 1797728

Reported-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Marcel Holtmann <marcel@holtmann.org>
Reviewed-by: David Woodhouse <David.Woodhouse@intel.com>
Change-Id: I4f6003fade25d8c77baafdff3af084c739efa69c
Bug: 28751627
(cherry picked from commit 62882e757d95076bbd14371ebfaf1246f0191816)
Reviewed-on: http://git-master/r/1209644
(cherry picked from commit 4d84d5a01f0ff0eaa16cc94632a0e83208998bc0)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213242
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 2a4e8a8787008b4730837f29c62726249705eea0)
Reviewed-on: http://git-master/r/1230817
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago netfilter: x_tables: fix unconditional helper
Florian Westphal [Tue, 22 Mar 2016 17:02:52 +0000]
netfilter: x_tables: fix unconditional helper

Ben Hawkes says:

 In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
 is possible for a user-supplied ipt_entry structure to have a large
 next_offset field. This field is not bounds checked prior to writing a
 counter value at the supplied offset.

Problem is that mark_source_chains should not have been called --
the rule doesn't have a next entry, so it's supposed to return
an absolute verdict of either ACCEPT or DROP.

However, the function conditional() doesn't work as the name implies.
It only checks that the rule is using wildcard address matching.

However, an unconditional rule must also not be using any matches
(no -m args).

The underflow validator only checked the addresses, therefore
passing the 'unconditional absolute verdict' test, while
mark_source_chains also tested for presence of matches, and thus
proceeded to the next (not-existent) rule.

Unify this so that all the callers have same idea of 'unconditional rule'.

Reported-by: Ben Hawkes <hawkes@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Bug 1797728

Change-Id: I7884811fd948fed4e18f1a0d38792bce4b397ed9
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1214549
GVS: Gerrit_Virtual_Submit
(cherry picked from commit 9540a626609d490cd0fff4ae97ea713f5806ddd7)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1227648
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago UPSTREAM: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
Bjørn Mork [Fri, 8 Jul 2016 18:14:51 +0000]
UPSTREAM: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind

(cherry pick from commit 4d06dd537f95683aba3651098ae288b7cbff8274)

usbnet_link_change will call schedule_work and should be
avoided if bind is failing. Otherwise we will end up with
scheduled work referring to a netdev which has gone away.

Instead of making the call conditional, we can just defer
it to usbnet_probe, using the driver_info flag made for
this purpose.

Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
Reported-by: Andrey Konovalov <andreyknvl@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: Id9a6d02bdd98bf495d26595cf2cc90e480746186
Bug: 28744625
Bug 1797728
(cherry picked from commit e0328ff123d1085b05f4e8b0ccde9c9e5203b61c)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1213267
GVS: Gerrit_Virtual_Submit

(cherry picked from commit e69933605e81838544cceecfa44b1c86010b5287)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: I59dd67e0b6caaec130e037ae3329ab2647d834f8
Reviewed-on: http://git-master/r/1227669
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago mmc: card: test: Fix out of boundary array access
Xia Yang [Mon, 15 Aug 2016 21:56:51 +0000]
mmc: card: test: Fix out of boundary array access

Allocate buffer with 1 extra byte for NULL terminator.

Bug 1791602

Change-Id: I3c3658315c2cd2a1dc7be7d72953998a5275e71e
Signed-off-by: Xia Yang <xiay@nvidia.com>
(cherry picked from commit 53f628117d0a092182254ad81bc38cf943b994e3)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1213890
GVS: Gerrit_Virtual_Submit
(cherry picked from commit 208246e4079123187e2c60745979d9fa4d5b175d)
Reviewed-on: http://git-master/r/1221237
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago nvavp: Add missing mutex unlock
Soumen Kumar Dey [Thu, 15 Sep 2016 03:53:29 +0000]
nvavp: Add missing mutex unlock

Add missing mutex unlock for nvavp_submit.

bug 1775299

Change-Id: I1b525e192bfd9dd19bcd0211484400445eda7b2b
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
(cherry picked from commit a256d3c567aae345b04622e502f00068d0d20df4)
Reviewed-on: http://git-master/r/1221126
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago arm: tegra: no need to reserve fbmem
Eric Miao [Wed, 25 Feb 2015 20:19:12 +0000]
arm: tegra: no need to reserve fbmem

Bug 1602113

Now framebuffer memory is allocated by the driver, there is no
need to reserve by tegra_reserve4().

(cherry picked from commit bc3f5f7d619578d864a33508747de03c6adeba0b)

Change-Id: I07082e781ab9d8bbcc3ac5ff3ca31bbbc5666eb3
Signed-off-by: Eric Miao <emiao@nvidia.com>
Reviewed-on: http://git-master/r/711712
Reviewed-on: http://git-master/r/805260
Reviewed-on: http://git-master/r/1029127
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
Reviewed-by: Jon Mayo <jmayo@nvidia.com>
Reviewed-on: http://git-master/r/1118665
GVS: Gerrit_Virtual_Submit
Reviewed-on: http://git-master/r/1204061
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago video: tegra: dc: manage alloc/release framebuffer memory by driver
Eric Miao [Tue, 28 Oct 2014 13:30:51 +0000]
video: tegra: dc: manage alloc/release framebuffer memory by driver

Bug 1602113

Manage the allocation and release of the framebuffer memory by the fb
driver. This allows system such as Android, which doesn't actually map
the framebuffer, to release this memory.

Patch based on previous work done by Sri Krishna, but largely rewritten
per discussion with Jon/Krishna so that:

  1. Make use of standard DMA API - specifically

     - dma_alloc_writecombine()
     - dma_free_writecombine()
     - dma_mmap_writecombine()

  2. Do not break seamless display by copying over the content from
     bootloader framebuffer, which is passed in the resource instead
     of the reserved framebuffer memory

  3. Release the allocated framebuffer from DC driver when buffers
     submitted available for display, but only safely when:

     - no kernel use (e.g. fbcon)
     - no mmap into userspace

  4. Allocation size defaults to 4K with double buffering if not
     specified otherwise. This allows maximum backward compatibility,
     the memory will be released anyway once Android is up - and for
     the cases where it's not necessary to allocate such a big memory
     block, one can still modify the DT attribute 'nvidia,fbmem-size'
     for that.

(cherry-picked from commit 69867681b50f345c9180d63570a8436a33557809)

Change-Id: I8c4ba7a8f037497dc64cd7fd215027ce91c59201
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Eric Miao <emiao@nvidia.com>
Cc: Jon Mayo <jmayo@nvidia.com>
Cc: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-on: http://git-master/r/711711
Reviewed-on: http://git-master/r/805259
Reviewed-on: http://git-master/r/1029126
Reviewed-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-by: Naveen Kumar S <nkumars@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
Reviewed-on: http://git-master/r/1118664
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jon Mayo <jmayo@nvidia.com>
Reviewed-on: http://git-master/r/1204060
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago dvfs: tegra: Validate CLDVFS register address rel-24-sb-r1-2
Alex Frid [Thu, 30 Jun 2016 01:21:46 +0000]
dvfs: tegra: Validate CLDVFS register address

Bug 1783583

Change-Id: I8b0e865db02c00f741dafb473d4bd39c5075f23f
(cherry picked from commit 453a77c5cd9a1316307458203365f9eb5bda62de)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1199574
GVS: Gerrit_Virtual_Submit
Reviewed-by: Yu-Huan Hsu <yhsu@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago UPSTREAM: ipv6: add complete rcu protection around np->opt
Eric Dumazet [Mon, 30 Nov 2015 03:37:57 +0000]
UPSTREAM: ipv6: add complete rcu protection around np->opt

[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ]

This patch addresses multiple problems :

UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
while socket is not locked : Other threads can change np->opt
concurrently. Dmitry posted a syzkaller
(http://github.com/google/syzkaller) program demonstrating
use-after-free.

Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
and dccp_v6_request_recv_sock() also need to use RCU protection
to dereference np->opt once (before calling ipv6_dup_options())

This patch adds full RCU protection to np->opt

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Bug: 28746669
Change-Id: I81775b2269a8263c4e4760b94b9fdd0d5916b31e
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
(cherry picked from commit 7b370290db9d0b32e80db546a35295c23e9a3792)
Reviewed-on: http://git-master/r/1201690
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
Kangjie Lu [Tue, 3 May 2016 20:44:32 +0000]
ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt

The stack object “r1” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Change-Id: I70d3702d220e0e192d8d582abc9fb0ac33566daf
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
(cherry picked from commit bafe24cb6fbbb07348651dc6811b4f7080c51124)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1200997
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
Kangjie Lu [Tue, 3 May 2016 20:44:07 +0000]
ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS

The stack object “tread” has a total size of 32 bytes. Its field
“event” and “val” both contain 4 bytes padding. These 8 bytes
padding bytes are sent to user without being initialized.

Change-Id: I2011f354d6ba6de55c8c8f3b5f4f4c7c19483094
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
(cherry picked from commit 4daee9b8b14fa519eb30b6fc3460c3f997f5643b)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1200996
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago net: fix infoleak in rtnetlink
Kangjie Lu [Tue, 3 May 2016 20:46:24 +0000]
net: fix infoleak in rtnetlink

The stack object “map” has a total size of 32 bytes. Its last 4
bytes are padding generated by compiler. These padding bytes are
not initialized and sent out via “nla_put”.

Bug 1787007

Change-Id: I33c4a566efc17fc6a8c6d850bc3e9602d7a996ad
Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Woojung Min <wmin@nvidia.com>
(cherry picked from commit 5f8e44741f9f216e33736ea4ec65ca9ac03036e6)
Reviewed-on: http://git-master/r/1196545
GVS: Gerrit_Virtual_Submit
Reviewed-by: Nitin Kumbhar <nkumbhar@nvidia.com>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
(cherry picked from commit 87a091d594056f577fe79e410492fc2c853995b7)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1200995
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago arm64: configs: restrict access to perf events
Woojung Min [Tue, 9 Aug 2016 07:16:30 +0000]
arm64: configs: restrict access to perf events

Enable CONFIG_SECURITY_PERF_EVENTS_RESTRICT to restrict access to perf events
It is for android security patch CVE-2016-3843/ANDROID-29119870.

Bug 1787007

Change-Id: Icc6731a05752456d8d611ac723baff22df625d23
Signed-off-by: Woojung Min <wmin@nvidia.com>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
(cherry picked from commit 55ad767c3fc99fd0fa53afaad3bca37c60fdd293)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1200994
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago FROMLIST: security,perf: Allow further restriction of perf_event_open
Jeff Vander Stoep [Sun, 29 May 2016 21:22:32 +0000]
FROMLIST: security,perf: Allow further restriction of perf_event_open

When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.

This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN).  This version doesn't include making
the variable read-only.  It also allows enabling further restriction
at run-time regardless of whether the default is changed.

https://lkml.org/lkml/2016/1/11/587

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Bug: 29054680
Bug 1787007

Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
(cherry picked from commit 012b0adcf7299f6509d4984cf46ee11e6eaed4e4)
Signed-off-by: Woojung Min <wmin@nvidia.com>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
(cherry picked from commit 95e053179b5adac26f16da316a72f26461afa08d)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1200993
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago BACKPORT: perf tools: Document the perf sysctls
Ben Hutchings [Tue, 19 Jan 2016 21:35:15 +0000]
BACKPORT: perf tools: Document the perf sysctls

perf_event_paranoid was only documented in source code and a perf error
message.  Copy the documentation from the error message to
Documentation/sysctl/kernel.txt.

perf_cpu_time_max_percent was already documented but missing from the
list at the top, so add it there.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk
[ Remove reference to external Documentation file, provide info inline, as before ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

Bug: 29054680
Bug 1787007

Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5
(cherry picked from commit 925d82a466131093dee9a301372f4c29a28d948b)
Signed-off-by: Woojung Min <wmin@nvidia.com>
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
(cherry picked from commit 2531330dcd419eb9714b539a202ca3b1bddc83d6)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1200992
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago ALSA: compress: fix an integer overflow check
Dan Carpenter [Wed, 16 Jul 2014 06:37:04 +0000]
ALSA: compress: fix an integer overflow check

I previously added an integer overflow check here but looking at it now,
it's still buggy.

The bug happens in snd_compr_allocate_buffer().  We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.

Change-Id: I8123ec91a1befa6628151c8ab8ac0b1a6a9235fc
Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
(cherry picked from commit 4ac28c0a5d6fe4d10983fc3d34e8f7a2273e98dc)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1200991
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
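
Added example, not part of the commit above or of the kernel source: the truncation the message describes, next to a check that bounds the product by the type it is stored in. The struct, the function names and the choice of INT_MAX as the bound are assumptions made for this illustration.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the user-supplied buffer parameters. */
struct buf_params {
    uint32_t fragment_size;
    uint32_t fragments;
};

/*
 * Flawed pattern: the overflow check is made against a 64-bit limit
 * (modelling a 64-bit size_t), so it passes, and the product is then
 * stored in an unsigned int, which silently drops the high bits.
 */
static int buffer_size_flawed(const struct buf_params *p, unsigned int *out)
{
    if (p->fragment_size == 0 ||
        p->fragments > UINT64_MAX / p->fragment_size)
        return -EINVAL;

    *out = (unsigned int)((uint64_t)p->fragments * p->fragment_size);
    return 0;
}

/*
 * Checked pattern: the bound is the range of the destination type, so a
 * product that cannot be represented there is rejected before it is used
 * as an allocation size.
 */
static int buffer_size_checked(const struct buf_params *p, unsigned int *out)
{
    if (p->fragment_size == 0 ||
        p->fragments > INT_MAX / p->fragment_size)
        return -EINVAL;

    *out = p->fragments * p->fragment_size;
    return 0;
}

int main(void)
{
    /* Constructed input: 0x10001 fragments of 0x10000 bytes = 0x100010000. */
    struct buf_params big = { 0x10000u, 0x10001u };
    unsigned int size = 0;
    int ret;

    ret = buffer_size_flawed(&big, &size);
    printf("flawed:  ret=%d size=0x%x\n", ret, size);

    ret = buffer_size_checked(&big, &size);
    printf("checked: ret=%d\n", ret);
    return 0;
}
```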

2 years ago net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom
Al Viro [Tue, 2 Aug 2016 09:21:30 +0000]
net: validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom

Change-Id: Iec24dc91a140510c1666801f6204dced8d2318f9
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit c759aa8f6b81b6c525cb93fbe3b38ac486f32a81)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1200988
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago nvavp: Add mutex lock for all avp submit
Soumen Kumar Dey [Tue, 14 Jun 2016 09:01:57 +0000]
nvavp: Add mutex lock for all avp submit

Add mutex lock for nvavp_submit to avoid race condition.

bug 1775299

Change-Id: I11a66a58a1f048d6a0ee5aa949f852bfef56dc07
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
(cherry picked from commit fe20d48bb7fc453166806a2efe4e3905d12414fd)
Reviewed-on: http://git-master/r/1164121
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago USB: fix invalid memory access in hub_activate()
Alan Stern [Wed, 16 Dec 2015 18:32:38 +0000]
USB: fix invalid memory access in hub_activate()

Commit 8520f38099cc ("USB: change hub initialization sleeps to
delayed_work") changed the hub_activate() routine to make part of it
run in a workqueue.  However, the commit failed to take a reference to
the usb_hub structure or to lock the hub interface while doing so.  As
a result, if a hub is plugged in and quickly unplugged before the work
routine can run, the routine will try to access memory that has been
deallocated.  Or, if the hub is unplugged while the routine is
running, the memory may be deallocated while it is in active use.

This patch fixes the problem by taking a reference to the usb_hub at
the start of hub_activate() and releasing it at the end (when the work
is finished), and by locking the hub interface while the work routine
is running.  It also adds a check at the start of the routine to see
if the hub has already been disconnected, in which case nothing should be
done.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Alexandru Cornea <alexandru.cornea@intel.com>
Tested-by: Alexandru Cornea <alexandru.cornea@intel.com>
Fixes: 8520f38099cc ("USB: change hub initialization sleeps to delayed_work")
CC: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit e50293ef9775c5f1cf3fcc093037dd6a8c5684ea)

CVE-2015-8816
Bug 1774591

Change-Id: Ifbbf8bfd456120b1e1720f4371c1ba15d1b948fa
Signed-off-by: Nitin Kumbhar <nkumbhar@nvidia.com>
Signed-off-by: Rohith Seelaboyina <rseelaboyina@nvidia.com>
(cherry picked from commit 32c1beb5a9adb0ff5072619a0a7fe4ff973fd7ae)
Signed-off-by: Vaibhav Shinde <vashinde@nvidia.com>
Reviewed-on: http://git-master/r/1190813
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years ago USB: usbfs: fix potential infoleak in devio
Kangjie Lu [Tue, 3 May 2016 20:32:16 +0000]
USB: usbfs: fix potential infoleak in devio

The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
are padding bytes which are not initialized and leaked to userland
via “copy_to_user”.

CVE-2016-4482
Bug 1787007

Change-Id: I1488436e8322fd645f76c942aeae1daada6be995
(cherry picked from commit 681fef8380eb818c0b845fca5d2ab1dcbab114ee)

Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Rohith Seelaboyina <rseelaboyina@nvidia.com>
Signed-off-by: Dhiren Parmar <dparmar@nvidia.com>
Change-Id: I1488436e8322fd645f76c942aeae1daada6be995
Reviewed-on: http://git-master/r/1190551
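
Added example, not part of any commit listed here: the padding leak described in the ALSA timer, rtnetlink and usbfs messages above, reproduced in user space. struct conn_info is a hypothetical type with the "8 bytes total, last 3 bytes padding" layout from the usbfs message, the 0xAA fill models stale stack contents, and memcpy() stands in for copy_to_user()/nla_put().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker for leftover stack data */

/* Hypothetical reply structure: a 4-byte member followed by a 1-byte
 * member, so the compiler adds tail padding to keep 4-byte alignment. */
struct conn_info {
    uint32_t devnum;
    uint8_t  slow;
};

/* Number of tail bytes that belong to no named member. */
static size_t padding_bytes(void)
{
    return sizeof(struct conn_info)
           - (offsetof(struct conn_info, slow) + sizeof(uint8_t));
}

/* Leaky pattern: only the named members are assigned.  C leaves the
 * padding unspecified; mainstream compilers simply do not touch it, so
 * whatever was in memory before stays there. */
static void fill_members_only(struct conn_info *ci, uint32_t devnum,
                              uint8_t slow)
{
    ci->devnum = devnum;
    ci->slow = slow;
}

/* Fixed pattern: clear the whole object first, then assign members. */
static void fill_zeroed(struct conn_info *ci, uint32_t devnum, uint8_t slow)
{
    memset(ci, 0, sizeof(*ci));
    ci->devnum = devnum;
    ci->slow = slow;
}

/* Build a reply on a "dirty" stack slot, copy out its full object
 * representation, and count padding bytes that still carry stale data. */
static size_t stale_padding_bytes(int zero_first)
{
    struct conn_info ci;
    unsigned char out[sizeof(ci)];
    size_t i, stale = 0;

    memset(&ci, STALE, sizeof(ci));      /* model leftover stack contents */
    if (zero_first)
        fill_zeroed(&ci, 7, 1);
    else
        fill_members_only(&ci, 7, 1);

    memcpy(out, &ci, sizeof(ci));        /* copies padding along with data */

    for (i = offsetof(struct conn_info, slow) + 1; i < sizeof(ci); i++)
        if (out[i] == STALE)
            stale++;
    return stale;
}

int main(void)
{
    printf("padding bytes in struct: %zu\n", padding_bytes());
    printf("stale bytes copied out, members only: %zu\n",
           stale_padding_bytes(0));
    printf("stale bytes copied out, zeroed first: %zu\n",
           stale_padding_bytes(1));
    return 0;
}
```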

2 years ago dtsi: sensors: Remove restrictions to run sensors at full speed
Robert Collins [Mon, 18 Jul 2016 22:48:22 +0000]
dtsi: sensors: Remove restrictions to run sensors at full speed

- Remove frequency restrictions on gyro, accel, compass, barometer.
- Remove barometer_disabled, if currently disabled.

Bug 200191681
Bug 200201316

Change-Id: If75f10034a4c14ebb4010ed4ae3a511e0bd2ade6
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1183090
GVS: Gerrit_Virtual_Submit
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Reviewed-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Tested-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>

2 years ago iio: imu: nvi v.336 Add DMP AUX support
Erik Lilliebjerg [Mon, 18 Jul 2016 04:48:59 +0000]
iio: imu: nvi v.336 Add DMP AUX support

- Add DMP support for devices on the auxiliary ports behind the MPU/ICM.  Due
  to the differences between the MPU and ICM DMPs, the auxiliary port API was
  extended that allowed the DMP dependencies to be removed from the auxiliary
  device's external drivers.
- Updated the pressure calculations for the BMP280 driver to the latest BMP280
  specification.

Bug 200191681
Bug 200201316
Bug 200195822

Change-Id: Id4338b11094f8ef00df214c14649b7bc951a6891
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1182908
GVS: Gerrit_Virtual_Submit
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>

2 years ago video: tegra: host: add upper bound for num_syncpt_incrs
Deepak Nibade [Thu, 21 Jul 2016 09:22:31 +0000]
video: tegra: host: add upper bound for num_syncpt_incrs

Check if num_syncpt_incrs are not more than number of
syncpoints available

Bug 1781393

Change-Id: Iee5070c87c8db0d6c30eb55ca03ec27c7de379ee
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1184846
(cherry picked from commit d85d48ec37173633d8efbc394b2508c710a0cda1)
Reviewed-on: http://git-master/r/1190704
GVS: Gerrit_Virtual_Submit
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago video: tegra: host: fix integer overflow
Deepak Nibade [Mon, 27 Jun 2016 08:43:26 +0000]
video: tegra: host: fix integer overflow

Below addition on 32 bit architecture machines could
cause integer overflow since we will assign overflowed
value to "num_unpins"
s64 num_unpins = num_cmdbufs + num_relocs

Fix this and other calculations by explicitly typecasting
variables to u64 first

Bug 1781393

Change-Id: Ib7d9c0be4ac61dc404512b4bb0331aa20a6978bc
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1171748
(cherry picked from commit 8f00b96c137b9c4cb43a8dbe2e153fae49524113)
Reviewed-on: http://git-master/r/1172522
Reviewed-on: http://git-master/r/1182025
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago video: tegra: host: fix possible overflow with num_syncpt_incrs
Deepak Nibade [Mon, 27 Jun 2016 08:33:15 +0000]
video: tegra: host: fix possible overflow with num_syncpt_incrs

We allocate below without checking if num_syncpt_incrs
is valid or not
struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs];

If UMD passes a negative value in num_syncpt_incrs, then
it is possible to corrupt the stack

Hence, first check if num_syncpt_incrs is valid (i.e.
not negative)
And then allocate the array dynamically using kzalloc
instead of allocating it on stack

Bug 1781393

Change-Id: I5389fd271149b457f63831a41c104c9814299ddf
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1171747
(cherry picked from commit 07fb347b4060a888b19df3524f36fcf7974a79d1)
Reviewed-on: http://git-master/r/1172521
Reviewed-on: http://git-master/r/1181862
GVS: Gerrit_Virtual_Submit
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
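
Added example, not the driver's code: the three "video: tegra: host" messages above, reduced to user-space C. It validates a caller-supplied count before sizing an array from it, allocates that array on the heap instead of as a stack VLA, and widens operands before adding them. The struct, the function names, the 32-bit operand types and MAX_SYNCPTS are assumptions made for this illustration, and calloc() stands in for kzalloc().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SYNCPTS 192   /* constructed limit; a driver would ask the hardware */

/* Hypothetical stand-in for the per-syncpoint fence record. */
struct fence_info {
    uint32_t id;
    uint32_t thresh;
};

/* Addition done in 32 bits: the sum wraps first and only the wrapped
 * result is widened into the 64-bit variable. */
static int64_t unpins_narrow(uint32_t num_cmdbufs, uint32_t num_relocs)
{
    int64_t num_unpins = num_cmdbufs + num_relocs;
    return num_unpins;
}

/* Operands widened before the addition, so no bits are lost. */
static uint64_t unpins_wide(uint32_t num_cmdbufs, uint32_t num_relocs)
{
    return (uint64_t)num_cmdbufs + (uint64_t)num_relocs;
}

/*
 * Validate the count from the caller before using it as an array length:
 * reject negative values and anything above the number of syncpoints,
 * then allocate zeroed memory on the heap.  A count of zero succeeds
 * with no allocation.
 */
static int alloc_fences(int32_t num_syncpt_incrs, struct fence_info **out)
{
    *out = NULL;

    if (num_syncpt_incrs < 0 || num_syncpt_incrs > MAX_SYNCPTS)
        return -EINVAL;
    if (num_syncpt_incrs == 0)
        return 0;

    *out = calloc((size_t)num_syncpt_incrs, sizeof(**out));
    return *out ? 0 : -ENOMEM;
}

int main(void)
{
    struct fence_info *pts;

    /* Constructed inputs. */
    printf("narrow sum: %lld\n",
           (long long)unpins_narrow(0xFFFFFFFFu, 2u));
    printf("wide sum:   %llu\n",
           (unsigned long long)unpins_wide(0xFFFFFFFFu, 2u));

    printf("count -1:  %d\n", alloc_fences(-1, &pts));
    printf("count 193: %d\n", alloc_fences(MAX_SYNCPTS + 1, &pts));
    printf("count 4:   %d\n", alloc_fences(4, &pts));
    free(pts);
    return 0;
}
```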

2 years ago AIO: properly check iovec sizes
Greg Kroah-Hartman [Sat, 20 Feb 2016 01:36:21 +0000]
AIO: properly check iovec sizes

In Linus's tree, the iovec code has been reworked massively, but in
older kernels the AIO layer should be checking this before passing the
request on to other layers.

Many thanks to Ben Hawkes of Google Project Zero for pointing out the
issue.

Bug 1774591

Reported-by: Ben Hawkes <hawkes@google.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Willy Tarreau <w@1wt.eu>
[backported to 3.10 - willy]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit ff19ac8fb71e8a2bf07d61b959062998139c1104)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Ia91c9dcbb605fefa8cd186bc0c896f1cd8aec4eb
Reviewed-on: http://git-master/r/1175560
Reviewed-on: http://git-master/r/1180073
GVS: Gerrit_Virtual_Submit
Reviewed-by: Nitin Kumbhar <nkumbhar@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
Peter Hurley [Mon, 11 Jan 2016 06:40:55 +0000]
tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)

ioctl(TIOCGETD) retrieves the line discipline id directly from the
ldisc because the line discipline id (c_line) in termios is untrustworthy;
userspace may have set termios via ioctl(TCSETS*) without actually
changing the line discipline via ioctl(TIOCSETD).

However, directly accessing the current ldisc via tty->ldisc is
unsafe; the ldisc ptr dereferenced may be stale if the line discipline
is changing via ioctl(TIOCSETD) or hangup.

Wait for the line discipline reference (just like read() or write())
to retrieve the "current" line discipline id.

CVE-2016-0723
Bug 1774591

Cc: <stable@vger.kernel.org>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5c17c861a357e9458001f021a7afa7aab9937439)
Change-Id: Ie8de32a16a05fe7a5b444301ead0d5c32a805a13
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1175591
Reviewed-on: http://git-master/r/1180086
GVS: Gerrit_Virtual_Submit
Reviewed-by: Nitin Kumbhar <nkumbhar@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi v.334 ICM SMD
Erik Lilliebjerg [Thu, 7 Jul 2016 03:53:55 +0000]
iio: imu: nvi v.334 ICM SMD

- Fix ICM DMP FW v.2 significant motion default parameters.
- Add realtime sensor configuration for significant motion.
- Fix ICM DMP FW v.2 maximum period by limiting accelerometer slowest clock
  setting to gyros since the FW v.2 WAR requires the same speed.

Bug 1768847

Change-Id: I8e3d2574019da6e2e9a0e0e574cc33cab363d490
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1177151
(cherry picked from commit 24b210f89d2856b8ecedb5443e604788e3964680)
Reviewed-on: http://git-master/r/1178465
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Robert Collins <rcollins@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi v.333 ICM DMP FW v.2
Erik Lilliebjerg [Wed, 29 Jun 2016 01:57:07 +0000]
iio: imu: nvi v.333 ICM DMP FW v.2

- Implement Invensense ICM DMP FW v.2 that fixes sensor data timing gaps.

Bug 1768847

Change-Id: I0bde444d2cdfa0721541fad40589135a37a74acd
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1172879
(cherry picked from commit c95d320e9a4b85d13261d2572a39608e1dbb5f43)
(cherry picked from commit c4c0c358b2eeca85496bbbfb931b9ad1d607f31e)
Reviewed-on: http://git-master/r/1176322
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Robert Collins <rcollins@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi v.330 MPL520 support
Erik Lilliebjerg [Tue, 7 Jun 2016 02:19:47 +0000]
iio: imu: nvi v.330 MPL520 support

- Add sensor dependency for wake interrupt.
- Sensor mounting matrix is now globally based.

Bug 1768847

Change-Id: I24c0db40ed7ef4ff75da5b629276ee950673eb1f
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1159846
(cherry picked from commit 3a3706e3c23a2cfe50cb82581bb71223b7085a10)
Reviewed-on: http://git-master/r/1176320
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Robert Collins <rcollins@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi v.329 Fix ICM DMP period
Erik Lilliebjerg [Sun, 29 May 2016 12:16:55 +0000]
iio: imu: nvi v.329 Fix ICM DMP period

- Fix batch period calls that were getting dropped if the ICM DMP was enabled.

Bug 200199302

Change-Id: Iec7f9e4a8488890409d916bfecdaa98d12ac19f8
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1155678
(cherry picked from commit f137e7d5218a2f2bd11479e3308eb701cdbe6a5b)
Reviewed-on: http://git-master/r/1176319
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Robert Collins <rcollins@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago cfboost: Boost on MSC_ACTIVITY and any ABS
Brian Harris [Thu, 1 May 2014 17:37:51 +0000]
cfboost: Boost on MSC_ACTIVITY and any ABS

Modifies cfboost to trigger on EV_MSC=MSC_ACTIVITY and any EV_ABS. Also added
a timeout between boosts equal to half the boost duration since it will be
getting a lot more events now. This makes cfboost more resilient to touch
driver changes.

Bug 1509022

Change-Id: I734cdce22b6a1f65466924a92768c2afd4992960
Signed-off-by: brianh@nvidia.com
Reviewed-on: http://git-master/r/404285
(cherry picked from commit 66f5b8b0b842c6792da6f70196a09f145182e972)
Reviewed-on: http://git-master/r/747674
(cherry picked from commit 6a79891def064c7c35f20edcee55f60ad33c3fb7)
Reviewed-on: http://git-master/r/1169136
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jordan Nien <jnien@nvidia.com>
Tested-by: Jordan Nien <jnien@nvidia.com>
Reviewed-by: David Pu <dpu@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi v.328 fix wake IRQ
Erik Lilliebjerg [Tue, 24 May 2016 00:28:14 +0000]
iio: imu: nvi v.328 fix wake IRQ

- Some sensors require other sensors to be enabled (significant motion requires
  accelerometer) which caused the setting of the ICM DMP wake IRQ to be
  incorrect.  Fixed by basing the ICM DMP wake IRQ setting on only the intended
  enabled sensors (enabled from HAL as opposed to enabled due to dependency).

Bug 200199302

Change-Id: Ia8fe2f475c1cac1efc3606b4250633655facc874
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1152136
(cherry picked from commit 97c50202f49092f7c762b96e7b417e27385a6c04)
Reviewed-on: http://git-master/r/1159656
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago platform: tegra: enable motion_int wake
Akhilesh Reddy Khumbum [Fri, 20 May 2016 20:56:36 +0000]
platform: tegra: enable motion_int wake

- Enable wake63 for motion_int: The GPIO_PX2 to which the MPU hw irq
  is routed is currently not configured as a wake up source and because
  of this when the system goes into suspend, the MPU irq is unable to
  wake the system up.

Bug 200199302

Change-Id: If27acc8d077b691aa671ce6c1a59e9adcf0f3304
Signed-off-by: Akhilesh Reddy Khumbum <akhumbum@nvidia.com>
Reviewed-on: http://git-master/r/1151301
(cherry picked from commit 4bef08e949bce50908cacac793df159f141bb112)
Reviewed-on: http://git-master/r/1159655
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago dts: sensors: Fix sensor orientation matrix
Robert Collins [Mon, 23 May 2016 14:33:26 +0000]
dts: sensors: Fix sensor orientation matrix

Bug 200189040

Change-Id: Ia22c592c95c85dc70cdff93c6805a47fac87227b
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1151869
GVS: Gerrit_Virtual_Submit
Reviewed-on: http://git-master/r/1159654
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi v.327 ICM DMP matrix
Erik Lilliebjerg [Mon, 23 May 2016 14:13:46 +0000]
iio: imu: nvi v.327 ICM DMP matrix

- Change how the NVI driver handles sensor mounting matrix from a localized
  method to a global method.

Bug 200189040

Change-Id: I8842389e8a954945c0ea4219edef95dd730a3c19
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1151863
(cherry picked from commit 0622db2cf9e89f03e72b8fb9ee92e19b29a3e4ae)
Reviewed-on: http://git-master/r/1159653
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi v.326 DMP configuration
Erik Lilliebjerg [Mon, 23 May 2016 14:05:29 +0000]
iio: imu: nvi v.326 DMP configuration

- Add device tree ICM DMP sensor configuration allowing which sensors enable
  the ICM DMP.
- Add this configuration ability at runtime.

Bug 200189040

Change-Id: Ifb3c4e6cd2535b4271d1bc1cb931876b62f5486b
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1151862
(cherry picked from commit 273dfcf8424192cfcced79a6e14b0b7a3230b0fe)
Reviewed-on: http://git-master/r/1159652
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi v.325 ICM DMP support
Erik Lilliebjerg [Mon, 23 May 2016 08:27:46 +0000]
iio: imu: nvi v.325 ICM DMP support

The following was done to support the Invensense ICM DMP:
- Add ability for AUX client to select the AUX port.
- Add efficient AUX device enable/disable.
- Add sensor accuracy.
- Add DMP initialization after AUX device registers.

Bug 200189040

Change-Id: Ibfb93703f9e10a69bb0164bde3b0d1c16f0fc0ec
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1151696
(cherry picked from commit c3f4471e90fde5409cead50dfcbaf0a4700c69f5)
Reviewed-on: http://git-master/r/1159651
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi v.324 Fix wakeup IRQ
Erik Lilliebjerg [Thu, 19 May 2016 19:44:43 +0000]
iio: imu: nvi v.324 Fix wakeup IRQ

- The DMP IRQ mode is selected by which sensors are enabled which is tracked
  by a bit mask.  The bug was that this bit mask was not clearing the bit
  pertaining to a disabled sensor and hence the DMP was programming the
  incorrect IRQ mode when suspending.

Bug 200199302

Change-Id: Id4fa3f1bc96041a3c5eb81689af0a5be04075697
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1150633
(cherry picked from commit 73a907d169612ce79ca6363c7bbd7661e6a8c335)
Reviewed-on: http://git-master/r/1159650
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: meter: Coverity: Use secure snprintf to prevent buffer overrun.
Robert Collins [Thu, 21 Apr 2016 21:31:25 +0000]
iio: meter: Coverity: Use secure snprintf to prevent buffer overrun.

Function sprintf has no safety checks for buffer length.  As a result,
it may overrun a buffer and create a potential security hazard or
crash the system.  Using snprintf will limit the number of characters
written and reduce or eliminate the risk of the security or crash
hazard.

For sysfs nodes, PAGE_SIZE buffers are allocated.  We can use PAGE_SIZE
to limit the size of snprintf output.
https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt

Coverity ID: 27096
Coverity ID: 27097
Bug 200192580

Change-Id: Ie05749d5a402cec13e2a285f6b27728678686d27
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1130644
(cherry picked from commit 702369be010431715dc8a578e74fec2d116534fa)
Reviewed-on: http://git-master/r/1141583
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: meter: Coverity: Use secure snprintf to prevent buffer overrun.
Robert Collins [Thu, 21 Apr 2016 21:25:33 +0000]
iio: meter: Coverity: Use secure snprintf to prevent buffer overrun.

Function sprintf has no safety checks for buffer length.  As a result,
it may overrun a buffer and create a potential security hazard or
crash the system.  Using snprintf will limit the number of characters
written and reduce or eliminate the risk of the security or crash
hazard.

For sysfs nodes, PAGE_SIZE buffers are allocated.  We can use PAGE_SIZE
to limit the size of snprintf output.
https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt

Coverity ID: 27094
Coverity ID: 27095
Bug 200192580

Change-Id: I9d7e96e20439409b8a9d6a7c47bcf8e00e7f2076
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1130643
(cherry picked from commit f6666ddfc0a18cd049b14f536dbd4ff6da07fc59)
Reviewed-on: http://git-master/r/1141582
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: meter: Coverity: Use secure snprintf to prevent buffer overrun.
Robert Collins [Thu, 21 Apr 2016 21:21:31 +0000]
iio: meter: Coverity: Use secure snprintf to prevent buffer overrun.

Function sprintf has no safety checks for buffer length.  As a result,
it may overrun a buffer and create a potential security hazard or
crash the system.  Using snprintf will limit the number of characters
written and reduce or eliminate the risk of the security or crash
hazard.

For sysfs nodes, PAGE_SIZE buffers are allocated.  We can use PAGE_SIZE
to limit the size of snprintf output.
https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt

Coverity ID: 27093
Bug 200192580

Change-Id: I20996d11961f3cba261860f718d8c822ae5059aa
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1130642
(cherry picked from commit 9d77f97ffbddd011b5d346f8e8fd4dbfa4c31950)
Reviewed-on: http://git-master/r/1141581
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: mag: Coverity: Correct data case to prevent endian confusion.
Robert Collins [Wed, 20 Apr 2016 19:23:23 +0000]
iio: mag: Coverity: Correct data case to prevent endian confusion.

Coverity(31776): Reliance on integer endianness (INCOMPATIBLE_CAST)
Pointer "&st->asa_q30[2]" points to an object whose effective type
is "unsigned long long" (64 bits, unsigned) but is dereferenced as
a narrower "unsigned int" (32 bits, unsigned).  This may lead to
unexpected results depending on machine endianness.

Coverity ID: 31776
Bug 200192580

Change-Id: I15b563be83e38b45ce97614cfc3ba39e54975055
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1130646
(cherry picked from commit 12359ce8cb10d456e599a6795738b7a3106bc034)
Reviewed-on: http://git-master/r/1141580
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: mag: Coverity: Use secure snprintf to prevent buffer overrun.
Robert Collins [Wed, 20 Apr 2016 17:11:34 +0000]
iio: mag: Coverity: Use secure snprintf to prevent buffer overrun.

Function sprintf has no safety checks for buffer length.  As a result,
it may overrun a buffer and create a potential security hazard or
crash the system.  Using snprintf will limit the number of characters
written and reduce or eliminate the risk of the security or crash
hazard.

For sysfs nodes, PAGE_SIZE buffers are allocated.  We can use PAGE_SIZE
to limit the size of snprintf output.
https://www.kernel.org/doc/Documentation/filesystems/sysfs.txt

Coverity ID: 26797
Coverity ID: 26798
Coverity ID: 26799
Bug 200192580

Change-Id: I9452fe9d49d28b0127d331af0bee1731f4bff3d4
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1130645
(cherry picked from commit e8f792d026833f2c8eaf2ad06a606c276b6f018b)
Reviewed-on: http://git-master/r/1141579
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: NVI v.323 Fix ICM significant motion
Erik Lilliebjerg [Sun, 10 Apr 2016 20:16:38 +0000]
iio: imu: NVI v.323 Fix ICM significant motion

- Fix the ICM significant motion sensor.  There are two parts to the fix:
  - Fix SM retrigger.  Previously the sensor only triggered once and never
    retriggered.  The problem was that the enable bit is self-clearing when
    triggered and the cache saw it as always set and wouldn't execute the
    write to re-set it.
  - Even with the retrigger fixed the SM sensor triggered after a period of
    time regardless of motion.  To resolve the issue, all of the ICM DMP
    sensors are initialized.
- Add both versions of ICM DMP FW selectable by a build define for debug
  purposes.  The DMP FW version is added to the driver version debug dump.

Bug 200189044

Change-Id: I080a394e7ec4e0743824fee9f69960a5b1387d9f
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1123793
(cherry picked from commit 62e30d27f8b65e16939b4128f6564a991615d4cf)
Reviewed-on: http://git-master/r/1141577
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago dtsi: sensors: Limit gyroscope min frequency to 10hz
Robert Collins [Wed, 6 Apr 2016 16:36:45 +0000]
dtsi: sensors: Limit gyroscope min frequency to 10hz

Bug 1722103

Change-Id: I75bb22d45582180246e2ace7922c283299ea1c81
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1121205
(cherry picked from commit f866e77c54f509918c6d72c1f8d5d31ab73a917d)
Reviewed-on: http://git-master/r/1141576
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: NVI v.322 Fix sensor DT configuration
Erik Lilliebjerg [Wed, 6 Apr 2016 03:10:50 +0000]
iio: imu: NVI v.322 Fix sensor DT configuration

- Fix device tree configuration for each sensor.
  Although DT configuration was applied to each sensor, the DT values were
  overwritten later by initialization code.  Moved DT configuration to after
  the initialization code.

Change-Id: Ibab84a93e644c829f3024e0ea9a081c92ae85ddc
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1120862
(cherry picked from commit 4a747645ff37546c4b55006adf26682246ae2412)
Reviewed-on: http://git-master/r/1141575
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi: v.321 Spawn probe function into separate thread.
Akhilesh Reddy Khumbum [Tue, 5 Apr 2016 02:22:55 +0000]
iio: imu: nvi: v.321 Spawn probe function into separate thread.

Move the dmp_fw_load function to bottom half by spawning a kworker thread
that calls it.

Bug 1722103

Change-Id: If746c5ef338709cc6a9ebfd4cee262f40bf4c2dd
Signed-off-by: Akhilesh Reddy Khumbum <akhumbum@nvidia.com>
Reviewed-on: http://git-master/r/1120138
(cherry picked from commit a89c703da76d978433ce0b54f71d4221abef8d74)
Reviewed-on: http://git-master/r/1141574
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: imu: nvi: v.320 ICM DMP support
Erik Lilliebjerg [Mon, 14 Mar 2016 02:48:22 +0000]
iio: imu: nvi: v.320 ICM DMP support

- Add ICM DMP support to MPU/ICM driver.
- Add ICM DMP support to AKM compass driver.
- Add ICM Significant Motion sensor support.
- Fix AKM09911 support.
- Fix BMPx80 possible NULL ptr crash on auto-detect.
- Fix coverity 20453.

Coverity ID: 20453

Bug 1416640
Bug 1722103
Bug 100130656
Bug 200162691

Change-Id: I19ae42f2fdeb67eb45bc54f440366ecaf0583b44
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1031756
(cherry picked from commit 057038054403bfd75a8d3adf46c9d62e567dc7c9)
Reviewed-on: http://git-master/r/1115010
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago iio: common: nvs: NVS v212 Fix coverity
Erik Lilliebjerg [Fri, 19 Feb 2016 21:55:58 +0000]
iio: common: nvs: NVS v212 Fix coverity

- Fix sizeof dereferenced pointer.
- Fix possible out of bounds loop.

Coverity ID: 12707
Coverity ID: 13297

Bug 1416640
Bug 200116059

Change-Id: Ib054679d884e0615f5e391cd7068327e8b6f0a9e
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1014126
(cherry picked from commit 6b1c3a86cc6a9b4b266b9c675ae0a4f8e418e62f)
Reviewed-on: http://git-master/r/1115009
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago tegra:nvavp: Fix buffer overflow issue
Praveen Kumar Reddy M.V [Mon, 13 Jun 2016 11:38:32 +0000]
tegra:nvavp: Fix buffer overflow issue

Fixed possible buffer overflow issue in func
nvavp_pushbuffer_update().

Bug 1774401

Change-Id: Id0dec1cbf91d492335d0809c3c0bf146f6cb9d3d
Signed-off-by: Praveen Kumar Reddy M.V. <pkreddy@nvidia.com>
(cherry picked from commit ee1e48fa39e58bff973987b3c12f751a530c567c)
Reviewed-on: http://git-master/r/1164208
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years ago Platform: Tegra: Update OV5693 driver
Frank Chen [Fri, 3 Jun 2016 22:20:25 +0000]
Platform: Tegra: Update OV5693 driver

- Update OV5693 driver source code to not
  reference DT entries from camera.pcl node.

  Camera.pcl will be removed from this kernel to avoid
  security vulnerability issues.

- Add dpd control to on/off function.

Bug 1768563

Change-Id: Iddad65ff1b43c009c0481d650121e85406324bfa
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1158895
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>

2 years ago ARM64: DT: update DT for Shield Tablet
Frank Chen [Fri, 3 Jun 2016 20:50:07 +0000]
ARM64: DT: update DT for Shield Tablet

- remove all camera.pcl references
- register camera and focuser using i2c bus
- add module definition to tegra-camera-platform
  node

Bug 1768563

Change-Id: Iaff32f81160ee3b15a308f93a6179425a42ff69f
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1158894
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>

2 years ago drivers: video: camera: Fix build issue
Bhanu Murthy V [Tue, 5 Apr 2016 18:31:28 +0000]
drivers: video: camera: Fix build issue

Bug 1736471

Change-Id: Icd3f1934d535b14052ad40eda76d2675cdad4b8d
Signed-off-by: Bhanu Murthy V <bmurthyv@nvidia.com>
(cherry picked from commit a0cc4a775b29c8b0c94c2e4ad69cf69bfaefd372)
Reviewed-on: http://git-master/r/1120539
Signed-off-by: Bryan Wu <pengw@nvidia.com>
Reviewed-on: http://git-master/r/1141866
(cherry picked from commit c043b91fc26087ab835af04bf45f182942126ecb)
Reviewed-on: http://git-master/r/1157440
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>

2 years ago media: tegra: camera: Re-arch MFI (2/2)
Sudhir Vyas [Fri, 16 Oct 2015 12:58:18 +0000]
media: tegra: camera: Re-arch MFI (2/2)

* Disable MFI callback registration from camera PCL.
* Enable focuser drivers to use MFI APIs exposed by
  tegra_camera_platform driver.

Bug 1683491

Change-Id: I1b500b3d56615555b4475eb83e9059e55ae51d5e
Signed-off-by: Sudhir Vyas <svyas@nvidia.com>
Reviewed-on: http://git-master/r/818881
(cherry picked from commit d920978e696a279e4fb8443bde6f12e279b46def)
Reviewed-on: http://git-master/r/1118351
Signed-off-by: Bryan Wu <pengw@nvidia.com>
Reviewed-on: http://git-master/r/1141865
(cherry picked from commit 37d81277eb2b5ee59f129d26c58a3779d0c1420f)
Reviewed-on: http://git-master/r/1157439
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>

2 years ago video: tegra: camera: Re-arch MFI (1/2)
Sudhir Vyas [Fri, 16 Oct 2015 12:48:35 +0000]
video: tegra: camera: Re-arch MFI (1/2)

Add MFI support in tegra_camera_platform driver,
as part of MFI re-arch.

Bug 1683491

Change-Id: Ic40498ca400c26b117d21de30ffa6e7f2ede9523
Signed-off-by: Sudhir Vyas <svyas@nvidia.com>
Reviewed-on: http://git-master/r/818880
(cherry picked from commit cf4276904e81892666fae9847734d43e248122b5)
Reviewed-on: http://git-master/r/1118350
Signed-off-by: Bryan Wu <pengw@nvidia.com>
Reviewed-on: http://git-master/r/1141864
(cherry picked from commit db53e173a6d590c6e965b403156c157eea22d8b4)
Reviewed-on: http://git-master/r/1157438
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>

2 years ago net: wireless: bcmdhd_88: check privilege on priv cmd
Jerry Lee [Wed, 23 Mar 2016 21:33:50 +0000]
net: wireless: bcmdhd_88: check privilege on priv cmd

ANDROID-26425765 fix from
  https://android.googlesource.com/kernel/tegra.git

Original commit message:
> (cherry pick from commit 7b4bd6e41ed514dddf9e403472b1fb6f808d3f4b)
>
> check net admin capability for ioctl calls
>
> Signed-off-by: Jerry Lee <jerrylee@broadcom.com>
> Bug: 26425765
> Bug: 27997075
> Change-Id: Iae1b53aa62fdc24530bb1b85cb69740c87d182e9

Bug 1761317

(cherry picked from commit 9f0aa0c3fede9abb0b5ccadeca95f848cc791fba)
Change-Id: I6ade4308b1763cbaf4d6291d8c08ee7a09048798
Signed-off-by: Michael Hsu <mhsu@nvidia.com>
Reviewed-on: http://git-master/r/1154016
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
Tested-by: Om Prakash Singh <omp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years ago net: wireless: bcmdhd_88: Verify SSID length
Ashwin [Thu, 18 Feb 2016 22:37:04 +0000]
net: wireless: bcmdhd_88: Verify SSID length

ANDROID-26571522 fix from
  https://android.googlesource.com/kernel/msm.git

Original commit message:
> Ensure SSID length is correct before memcpy
>
> Bug: 26571522
> Bug: 27240072

Bug 1761317

Change-Id: I2b0279cd360fad613546c8aa280e0c6f4524763c
Signed-off-by: Ashwin <ashwin.bhat@broadcom.com>
Signed-off-by: Michael Hsu <mhsu@nvidia.com>
(cherry picked from commit c8a8d33845f07755f3bab9af3ac6a6fa18a09b3d)
Reviewed-on: http://git-master/r/1154017
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
Tested-by: Om Prakash Singh <omp@nvidia.com>

2 years ago input: touch: raydium: fix touch not working.
Jordan Nien [Tue, 22 Dec 2015 13:42:35 +0000]
input: touch: raydium: fix touch not working.

- Issue: With partner build, there is no input
  disable/enable from frameworks to put touch into
  suspend state during lp0. It leads to touch
  not working after lp0.
- enable device suspend/resume if input disable/enable
  is not called to fix this issue.

Bug 200162806
Bug 200203946

Change-Id: If09033197cfad8bd431a49cd8db3c5197c1ccbd9
Signed-off-by: Jordan Nien <jnien@nvidia.com>
Reviewed-on: http://git-master/r/925955
(cherry picked from commit 2ba7b886ea927b29e33382272acf9e6ac0a1c925)
Reviewed-on: http://git-master/r/1154213
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

3 years ago net: wireless: bcmdhd_88: [WAR] increase wifi turn off delay
Om Prakash Singh [Tue, 9 Feb 2016 01:04:37 +0000]
net: wireless: bcmdhd_88: [WAR] increase wifi turn off delay

When wifi power on fails, turn wifi off for some time before attempting
next power on. Incrementally increase this wifi off time to allow previous
(failing) SDIO work to finish. Without this extended wait time subsequent
wifi power on attempts will fail.

Bug 1725516

Change-Id: I30f91f48d8a11bb899258a5e51e3f6c551752d0a
Signed-off-by: Michael Hsu <mhsu@nvidia.com>
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1133280
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

3 years ago input: touchscreen: raydium: Keep report mode across suspend/resume.
Jordan Nien [Tue, 26 Apr 2016 02:37:41 +0000]
input: touchscreen: raydium: Keep report mode across suspend/resume.

- Don't set default report mode in init stage
  and let touch daemon handle it. This
  fixes the report mode being changed to default
  after suspend/resume.

Bug 1757082

Change-Id: I05685b9420946c0eff6980d58658f5202640fc65
Signed-off-by: Jordan Nien <jnien@nvidia.com>
Reviewed-on: http://git-master/r/1132263
GVS: Gerrit_Virtual_Submit
Reviewed-by: David Pu <dpu@nvidia.com>
Reviewed-by: Vincent Chen <zochen@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

3 years ago gpu: nvgpu: Clear comptags for whole buffer
Terje Bergstrom [Thu, 18 Feb 2016 19:23:44 +0000]
gpu: nvgpu: Clear comptags for whole buffer

Clear comptags for whole buffer when nvgpu sees the buffer for the
first time.

Change-Id: I67108ce0f0def46ddda1aa9b9bb5ea22549cce13
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-on: http://git-master/r/1013517
(cherry picked from commit 544446aacdc695dc2e27c42a0086292cd69c2eee)
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1140484
GVS: Gerrit_Virtual_Submit

3 years ago gpu: nvgpu: Disable illegal comptag interrupt
Terje Bergstrom [Fri, 11 Mar 2016 15:55:30 +0000]
gpu: nvgpu: Disable illegal comptag interrupt

Illegal comptag interrupt is triggered when a page is mapped with
two different kinds with incompatible compression status. This can
be intentional, so disable the interrupt.

Change-Id: I84a212beac147991d09d2d381a9e770b1364f4d8
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-on: http://git-master/r/1029663
(cherry picked from commit 819607a768f9fccdd0b233d58bcf88b9eee4ee19)
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1140483
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit

3 years ago gpu: nvgpu: Enable FB before initializing L2
Terje Bergstrom [Wed, 23 Mar 2016 19:22:49 +0000]
gpu: nvgpu: Enable FB before initializing L2

Deassert reset in L2 and FB before initializing L2. In gk20a L2 can
be off and thus writing registers results in a priv ring failure.

Change-Id: I680b8b1e77cf67a8269c6de59a15d9817301300e
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/1140482
GVS: Gerrit_Virtual_Submit

3 years ago video: tegra: host: fix out-of-bound access in case of overflow
Deepak Nibade [Mon, 25 Apr 2016 12:28:28 +0000]
video: tegra: host: fix out-of-bound access in case of overflow

In nvhost_ioctl_ctrl_module_regrdwr(), we allocate a local buffer
of size (num_offsets * block_size), and use it to store
all the values passed from/to user space

In case erroneous values are passed from user space
(e.g. num_offsets=67108864 and block_size=64), buffer size
passed to kmalloc() overflows and is instead set as 64

And in that case, we end up accessing out-of-bounds values
from local buffer "vals"

To prevent this, allocate buffer "vals" of only one block size
and then copy it from/to user space in loop (i.e. copy the values
for each offset)

Remove variable "p1" and rename variable "remaining" as
"count" as it makes more sense

Add and use new API validate_max_size() to validate size of
register read/write. This API will check if requested read/write
block size is less than the memory resource size of device

kmalloc() might fail for any size > 4KB, hence fall back to
use vmalloc() if kmalloc() fails
Use kvfree() to free buffer allocated with above

Bug 1739935

Change-Id: I2582e3bf7db6f47293838a4f14c260188f1564f5
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1131916
(cherry picked from commit 58c9472407093c1975b07079b487914371de88ad)
Reviewed-on: http://git-master/r/1141019
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
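
Added example (not the nvhost driver's code): a user-space C simulation of the pattern the commit message above describes, with one block-sized bounce buffer reused for every offset and a bounds check per block, so the allocation size never depends on num_offsets. RESOURCE_SIZE, struct regrdwr_req, block_in_resource(), demo_read() and the offsets_len/out_len fields are assumptions made for the simulation.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a device register aperture (not real hardware). */
#define RESOURCE_SIZE 4096u
static uint8_t fake_regs[RESOURCE_SIZE];

/* Request as supplied by an untrusted caller. offsets_len and out_len exist
 * only in this simulation: they play the role of get_user()/copy_to_user()
 * failing when the caller's memory runs out. */
struct regrdwr_req {
    uint32_t num_offsets;
    uint32_t block_size;
    const uint32_t *offsets;
    size_t offsets_len;
    uint8_t *out;
    size_t out_len;
};

/* Returns true when a * b does not fit in 32 bits; *product receives the
 * truncated value that a 32-bit size computation would have used. */
bool mul_overflows_u32(uint32_t a, uint32_t b, uint32_t *product)
{
    uint64_t wide = (uint64_t)a * b;

    *product = (uint32_t)wide;
    return wide > UINT32_MAX;
}

/* Hypothetical bounds check: the block must be non-empty and lie entirely
 * inside the aperture. Written so that the subtraction cannot wrap. */
static bool block_in_resource(uint32_t offset, uint32_t block_size)
{
    if (block_size == 0 || block_size > RESOURCE_SIZE)
        return false;
    return offset <= RESOURCE_SIZE - block_size;
}

/* Copies num_offsets blocks out through a bounce buffer of ONE block.
 * Returns the number of blocks copied, or -1 if the request is rejected. */
long read_blocks(const struct regrdwr_req *req)
{
    uint8_t *vals;
    uint32_t count;
    size_t written = 0;

    if (!block_in_resource(0, req->block_size))
        return -1;
    vals = malloc(req->block_size);  /* size never depends on num_offsets */
    if (!vals)
        return -1;

    for (count = 0; count < req->num_offsets; count++) {
        if (count >= req->offsets_len)                 /* get_user() would fail */
            break;
        if (!block_in_resource(req->offsets[count], req->block_size))
            break;
        if (req->out_len - written < req->block_size)  /* copy_to_user() would fail */
            break;
        memcpy(vals, fake_regs + req->offsets[count], req->block_size);
        memcpy(req->out + written, vals, req->block_size);
        written += req->block_size;
    }
    free(vals);
    return count == req->num_offsets ? (long)count : -1;
}

/* Builds a constructed request: three offsets, the last one caller-chosen,
 * and a 192-byte destination. Returns the result of read_blocks(). */
long demo_read(uint32_t num_offsets, uint32_t block_size, uint32_t last_offset)
{
    uint32_t offsets[3] = { 0, 64, last_offset };
    uint8_t out[192];
    struct regrdwr_req req = { num_offsets, block_size, offsets, 3, out, sizeof(out) };
    size_t i;

    for (i = 0; i < RESOURCE_SIZE; i++)
        fake_regs[i] = (uint8_t)i;
    return read_blocks(&req);
}

int main(void)
{
    uint32_t truncated;
    bool wrapped = mul_overflows_u32(67108864u, 64u, &truncated);

    printf("num_offsets * block_size overflows 32 bits: %s\n", wrapped ? "yes" : "no");
    printf("3 valid blocks        -> %ld\n", demo_read(3, 64, 4032));
    printf("oversized num_offsets -> %ld\n", demo_read(67108864u, 64, 4032));
    printf("block past aperture   -> %ld\n", demo_read(3, 64, 4040));
    printf("block_size too large  -> %ld\n", demo_read(3, 8192, 0));
    return 0;
}
```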

3 years ago apbdma: improve position reporting
Sumit Bhattacharya [Thu, 21 Jan 2016 10:51:36 +0000]
apbdma: improve position reporting

Return accurate dma position in device_tx_status()
callback.

Bug 200137565

Change-Id: Ida5b46fb3b33564d0210cf7a52991f64849a0f4a
Signed-off-by: Sumit Bhattacharya <sumitb@nvidia.com>
Reviewed-on: http://git-master/r/1113217
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>

3 years ago pipe: Fix buffer offset after partially failed read
Ben Hutchings [Sat, 13 Feb 2016 02:34:52 +0000]
pipe: Fix buffer offset after partially failed read

Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.

Bug 1744232
Bug 200188096

Change-Id: I988802f38acf40c7671fa0978880928b02d29b56
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2)
Reviewed-on: http://git-master/r/1130746
(cherry picked from commit 6d69c98d0c296c328aca1c1501c4d7230f3d578f)
Reviewed-on: http://git-master/r/1133067
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
GVS: Gerrit_Virtual_Submit
Tested-by: Todd Poynter <tpoynter@nvidia.com>
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
(cherry picked from commit cf799042b793d425486c93cad842963c6ea9781c)
Reviewed-on: http://git-master/r/1140379
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

3 years ago camera: tegra: Fix security vulnerability issue
Frank Chen [Fri, 25 Mar 2016 05:37:18 +0000]
camera: tegra: Fix security vulnerability issue

Deprecate outdated UPDATE_GPIO function in camera.pcl
driver. This function is not used by any code anymore
and is a security vulnerability since it is trying to
access user mode pointer directly.

Bug 1745102

Change-Id: I4e7e5f9c186f980dcadfe52ec4284102255f19cf
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1115302
(cherry picked from commit 2e5c355c904a19d71456a04c70f3fb4fc7d918b0)
Reviewed-on: http://git-master/r/1139725
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

3 years ago camera: tegra: Fix security vulnerability issue
Frank Chen [Mon, 21 Mar 2016 17:40:45 +0000]
camera: tegra: Fix security vulnerability issue

We need to validate power on/off function size passed
in from user mode in order to avoid integer overflow
or out of memory failures.

Bug 1745100

Change-Id: Idddd848f7dc1e864559ad219f9204325128484e5
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1113818
(cherry picked from commit 5c7cb33118d1f966f22d56b156e5be298191838a)
Reviewed-on: http://git-master/r/1139724
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

3 years ago mm: use mutex only during CMA page replacement
Krishna Reddy [Tue, 19 Apr 2016 20:47:12 +0000]
mm: use mutex only during CMA page replacement

Limit the mutex to CMA page replacement only.
This would avoid unnecessary mutex contentions in
__get_user_pages() call.

Change-Id: Ia8e2e84c2827a8ac1496e6cc95bb8a8d2dcce005
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-on: http://git-master/r/1129399
Tested-by: Sumit Bhattacharya <sumitb@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Sri Krishna Chowdary <schowdary@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago rt5639: Reduced delay in set bias standby
Asha T [Mon, 14 Mar 2016 09:27:03 +0000]
rt5639: Reduced delay in set bias standby

Helps in reducing cold output latency
to go below 100ms

Bug 200180104

Change-Id: I468afa9b7444e5dfc3128833a0b4c8537163ebf0
Signed-off-by: Asha T <atalambedu@nvidia.com>
Reviewed-on: http://git-master/r/1030772
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
GVS: Gerrit_Virtual_Submit

3 years ago Revert "Revert "bcmdhd_88: add UPDATE_CHANNEL_LIST driver command""
Om Prakash Singh [Mon, 2 May 2016 06:58:27 +0000]
Revert "Revert "bcmdhd_88: add UPDATE_CHANNEL_LIST driver command""

This reverts commit 2250b327aa873de399aef1f6c002a5e4dfad9d64.

Bug 200179093
Bug 200127847

Change-Id: Ia0f8b001d2ceacb5a1e9521527fbe4456245cd5b
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1139539
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

3 years ago Revert "Revert "bcmdhd: add UPDATE_CHANNEL_LIST driver command""
Om Prakash Singh [Mon, 2 May 2016 06:57:44 +0000]
Revert "Revert "bcmdhd: add UPDATE_CHANNEL_LIST driver command""

This reverts commit be89d21bce8357468babe06df6f7fc21c499b901.

Bug 200179093
Bug 200127847

Change-Id: I2d4c40cf82fb46303fe6ed655876a169406dd13f
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1139538
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

3 years ago Revert "video: tegra: Don't allocate double buffered fb"
Pankaj Kumar [Mon, 21 Dec 2015 12:50:09 +0000]
Revert "video: tegra: Don't allocate double buffered fb"

This reverts commit 2bc194cac57ca30ff4c1ffc1d41df32a9e967824.

Bug 200150661

Change-Id: I9283bfe60a1fef29f4604a9b7ffbef7511f44751
Signed-off-by: Pankaj Kumar <pankumar@nvidia.com>
Reviewed-on: http://git-master/r/925527
(cherry picked from commit 14519fc9371255145e82afd49f0dcb9719b9e4d3)
Reviewed-on: http://git-master/r/1123430
Reviewed-by: Harry Lin <harlin@nvidia.com>
Tested-by: Harry Lin <harlin@nvidia.com>
Reviewed-by: Robert Shih <rshih@nvidia.com>
Reviewed-by: Eric Chuang <echuang@nvidia.com>

3 years ago gpu: nvgpu: bitmap allocator for comptags
Konsta Holtta [Tue, 1 Dec 2015 09:55:27 +0000]
gpu: nvgpu: bitmap allocator for comptags

Restore comptags to be bitmap-allocated, like they were before we had
the buddy allocator.

The new buddy allocator introduced by
e99aa2485f8992eabe3556f3ebcb57bdc8ad91ff (originally
6ab2e0c49cb79ca68d2f83f1d4610783d2eaa79b) is fine for the big VAs, but
unsuitable for the small compbit store.

This commit reverts partially the combination of the above commit and
also one after it, 86fc7ec9a05999bea8de320840b962db3ee11410, that fixed
a bug which is not present when using a bitmap. With a bitmap allocator,
pruning the extra allocation necessary for user-mapped mode is possible,
so that is also restored.

The original generic bitmap allocator is not restored; instead, a
comptag-only allocator is introduced.

Bug 200145635

Change-Id: I87f3a911826a801124cfd21e44857dfab1c3f378
Signed-off-by: Konsta Holtta <kholtta@nvidia.com>
Reviewed-on: http://git-master/r/837180
(cherry picked from commit 5a504aeb54f3e89e6561932971158a397157b3f2)
Reviewed-on: http://git-master/r/842798
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
(cherry picked from commit 65f2e3ed5daf6d33f903dac42d08504945b1d5f4)
Reviewed-on: http://git-master/r/1130875
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

3 years ago tegra12_dvfs: implemented find_gpu_fmax_at_vmin
Mubushir Rahman [Thu, 4 Feb 2016 23:04:04 +0000]
tegra12_dvfs: implemented find_gpu_fmax_at_vmin

Bug 1739780

Change-Id: I6022a0ad75aef714dd653476f7acb349f6128553
Signed-off-by: Mubushir Rahman <mubushirr@nvidia.com>
Reviewed-on: http://git-master/r/1008646
Reviewed-by: Ilan Aelion <iaelion@nvidia.com>
Reviewed-by: Anders Kugler <akugler@nvidia.com>
Tested-by: Anders Kugler <akugler@nvidia.com>
Reviewed-by: Aleksandr Frid <afrid@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>

3 years ago Revert "bcmdhd_88: add UPDATE_CHANNEL_LIST driver command"
Todd Poynter [Fri, 8 Apr 2016 15:03:08 +0000]
Revert "bcmdhd_88: add UPDATE_CHANNEL_LIST driver command"

DNI - just removing from our 67.30+ rel-24-sb-r1 base.  Will pick these up in rel-24-shield-r1.

Bug 200179093
Bug 200127847

This reverts commit 07026105159443408332f12db251c568fe16dc55.

Change-Id: Ie141935d11db2ae0ac0301a2ad1400a4a38017c3
Signed-off-by: Todd Poynter <tpoynter@nvidia.com>
Reviewed-on: http://git-master/r/1122510

3 years ago Revert "bcmdhd: add UPDATE_CHANNEL_LIST driver command"
Todd Poynter [Fri, 8 Apr 2016 15:02:36 +0000]
Revert "bcmdhd: add UPDATE_CHANNEL_LIST driver command"

DNI - just removing from our 67.30+ rel-24-sb-r1 base.  Will pick these up in rel-24-shield-r1.

Bug 200179093
Bug 200127847

This reverts commit e76eebb4e2067c76a57189e57bcc8268e3feaf62.

Change-Id: Iae1011349f1567362cd98f2e79d2a9f840e0ae04
Signed-off-by: Todd Poynter <tpoynter@nvidia.com>
Reviewed-on: http://git-master/r/1122508

3 years ago bcmdhd_88: add UPDATE_CHANNEL_LIST driver command
Om Prakash Singh [Mon, 28 Mar 2016 11:27:06 +0000]
bcmdhd_88: add UPDATE_CHANNEL_LIST driver command

add UPDATE_CHANNEL_LIST driver command to force update channel
list to cfg80211 layer.

Bug 200179093
Bug 200127847

Change-Id: I1df43d56af9f5c2009cd981dd60f2e2166d42198
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1111538
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

3 years ago bcmdhd: add UPDATE_CHANNEL_LIST driver command
Om Prakash Singh [Mon, 28 Mar 2016 11:31:52 +0000]
bcmdhd: add UPDATE_CHANNEL_LIST driver command

add UPDATE_CHANNEL_LIST driver command to force update channel
list to cfg80211 layer.

Bug 200179093
Bug 200127847

Change-Id: Ib53d61dad84605a83628279a3d6981df582a609c
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1111539
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

3 years ago input: touch: raydium:fix warnings during shutdown
Jordan Nien [Thu, 24 Mar 2016 03:48:33 +0000]
input: touch: raydium:fix warnings during shutdown

skip regulator_disable() if already disabled in
shutdown path.

Bug 200184433

Change-Id: Ic3217687a412f88c450cddd3337c725075fece07
Signed-off-by: Jordan Nien <jnien@nvidia.com>
Reviewed-on: http://git-master/r/1114775
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: David Pu <dpu@nvidia.com>
Reviewed-by: Eric Chuang <echuang@nvidia.com>

3 years ago pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
Ben Hutchings [Tue, 16 Jun 2015 21:11:06 +0000]
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic

pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not.  The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset.  This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9d58d ("new helper:
copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable.  This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.

CVE-2015-1805

Bug: 27275324
Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4
References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 85c34d007116f8a8aafb173966a605fb03532f45)
Reviewed-on: http://git-master/r/1114639
GVS: Gerrit_Virtual_Submit
Tested-by: Sharath Sarangpur <ssarangpur@nvidia.com>
Reviewed-by: Todd Poynter <tpoynter@nvidia.com>

3 years ago media: tegra: nvavp: Fix reloc offset check
Somu Sundaram [Fri, 18 Mar 2016 07:22:59 +0000]
media: tegra: nvavp: Fix reloc offset check

- Check whether command buffer data offset is 32-bit
  aligned
- Check whether relocation offset is 32-bit aligned
  and calculated offset is within command buffer size
- Check whether target offset is 32-bit aligned
  and derived address is within target buffer size

Bug 1741516

Change-Id: Ie5370bc1538c8cf9a702904fb88eb850baeb063d
Signed-off-by: Somu Sundaram <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1113199
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Somu Sundaram <somasundarams@nvidia.com>
Reviewed-by: Jaiprkash Khemkaar <jkhemkar@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

3 years ago input: touch: raydium: update uevent driver path.
Jordan Nien [Wed, 13 Jan 2016 09:04:42 +0000]
input: touch: raydium: update uevent driver path.

- use driver path from misc node to have a unified
  path for touch.

Bug 200157906

Change-Id: Ie671050e3739a48fcdd97b2e18a5d14055610b8c
Signed-off-by: Jordan Nien <jnien@nvidia.com>
Reviewed-on: http://git-master/r/932135
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: David Pu <dpu@nvidia.com>
Reviewed-by: Gaurav Singh <gauravsingh@nvidia.com>

3 years ago media: tegra: nvavp: Fix arbitrary kernel write
Somu Sundaram [Tue, 15 Mar 2016 13:01:57 +0000]
media: tegra: nvavp: Fix arbitrary kernel write

Add checks for command buffer offset, relocation
offset in command buffer and target offset for patching
relocation to prevent arbitrary kernel write

Bug 1741516

Change-Id: Ia6183ca75f983c0ede23606be9e5d824aa5fa41d
Signed-off-by: Somu Sundaram <somasundaram@nvidia.com>
Reviewed-on: http://git-master/r/1111697
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Somu Sundaram <somasundarams@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>