2 years ago  video: tegra: dc: Add quirk for Vizio P series  [rel-24-uda-r1]
Aly Hirani [Wed, 11 Jan 2017 07:29:58 +0000]
video: tegra: dc: Add quirk for Vizio P series

The Vizio SmartCast P series 4K TVs fail 1/3 hotplugs with "No Signal".
Experiments showed that enabling HDMI 2.0 scrambling and HDCP at the
same time causes this failure from Vizio's side.

This change adds a WAR to introduce a 5 second delay after modeset to
start the hdcp (instead of the standard 100ms delay).

This change also adds edid quirks to limit the 5 second delay to only
the P cast series.

Bug ??

Change-Id: I96d1200afa20401d09ab5d1d2966ab24ac761b2b
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1283347
Reviewed-by: Mandar Padmawar <mpadmawar@nvidia.com>
Tested-by: Mandar Padmawar <mpadmawar@nvidia.com>

2 years ago  drivers: wireless: bcmdhd_88: increase dpc_bound to 12ms
Srinivas Ramachandran [Wed, 4 Jan 2017 19:05:52 +0000]
drivers: wireless: bcmdhd_88: increase dpc_bound to 12ms

Increase dpc_bound to improve tx throughput

Bug 200266248

Change-Id: Iaef3d23f32b2b3ffafe3abd66429bb008ab57ad2
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1282300
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years ago  iio: imu: NVI v.342 Fix ACC resume
Erik Lilliebjerg [Sun, 8 Jan 2017 23:48:17 +0000]
iio: imu: NVI v.342 Fix ACC resume

- Accelerometer sensor is HW disabled when suspending.  When resuming, if
  the gyroscope sensor is enabled first, it didn't account for HW enabling
  the accelerometer as well if previously enabled before suspending.  This
  was intermittent behavior depending on the wake source and resume timing
  of the external sensors on the auxiliary ports, as well as resume enable
  from user space.

Bug 200266677

Change-Id: Iada223304f7991d6da256a19a26cddd5ff20ec55
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1281847
(cherry picked from commit 427c6f17fbf810f399138627b5294a8bc602cafe)
Reviewed-on: http://git-master/r/1282259
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  iio: imu: nvi: Fix false error message
Erik Lilliebjerg [Sat, 31 Dec 2016 21:37:41 +0000]
iio: imu: nvi: Fix false error message

- Due to Invensense parts being register incompatible (even the HW ID),
  there were false error messages during the driver process of identifying
  the part.  This patch suppresses those error messages until the part is
  identified and the errors become legitimate.

Bug 200260974

Change-Id: Ibd7c6fe6e4b6424cfc2f7bf04f1a64405b03e539
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1278897
(cherry picked from commit 010a8eaf597e519d5c1a258bf0015c719e0928c6)
Reviewed-on: http://git-master/r/1282258
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  iio: imu: nvi: Fix coverity
Erik Lilliebjerg [Wed, 28 Dec 2016 13:41:15 +0000]
iio: imu: nvi: Fix coverity

- Fix bad shift.
- Fix uninitialized scalar variable.

Coverity ID: 38965
Coverity ID: 38966
Coverity ID: 38967
Coverity ID: 38968
Coverity ID: 38969
Coverity ID: 38971

Bug 200192580

Change-Id: I2a972f00a7097f61c943ad035dc23d50f9f8e2e7
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1277691
(cherry picked from commit 2f8d063e538089007d6b0c5234cce1229620ece0)
Reviewed-on: http://git-master/r/1281938
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  Tegra210: increase vmin to increase reliability
David DSH [Fri, 6 Jan 2017 01:14:44 +0000]
Tegra210: increase vmin to increase reliability

Bug 1828585

Change-Id: I654bc0c0f7cb8dbb70dd0aed5c0ec664ac217dd9
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1280477
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "bcmdhd_88: save the firmware events in a file"
Bibhay Ranjan [Wed, 4 Jan 2017 07:00:30 +0000]
Revert "bcmdhd_88: save the firmware events in a file"

This reverts commit 5d5bcb34932dcc257067beb3d6c8a248c5c2c125.

Bug 200231321

Change-Id: I8adb48d6157bd4dfba40049a559e27da1fe407b2
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279949
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: increase timestamp array size"
Bibhay Ranjan [Wed, 4 Jan 2017 06:59:27 +0000]
Revert "bcmdhd_88: increase timestamp array size"

This reverts commit 125ef44ac4e4ea7f8d03f05b3a7aec15eb048708.

Bug 200231321

Change-Id: I4bbc875cf78988a38cee9f714d184955c74b0e96
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279948
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: add DHD_ERROR for nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:50 +0000]
Revert "bcmdhd_88: add DHD_ERROR for nv_logger"

This reverts commit 83275c2716e3f838a278b5ecfdb46fbe1b552d73.

Bug 200231321

Change-Id: I3bbf9ea2aaff4b421326d4b25c8e4c7ad741a493
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279947
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: improve data integrity of nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:04 +0000]
Revert "bcmdhd_88: improve data integrity of nv_logger"

This reverts commit 49308708221379d6749b0f596b1e0f1011a29d0c.

Bug 200231321

Change-Id: Ia51bdc77ae5c86b888a3ecabaf22d296473ae30f
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279946
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Revert "bcmdhd_88: disable nv_logger logging by default"
Bibhay Ranjan [Wed, 4 Jan 2017 06:56:18 +0000]
Revert "bcmdhd_88: disable nv_logger logging by default"

This reverts commit 1ee03ed037ac6576e6bf09b8228ec0b3f63f36d2.

Bug 200231321

Change-Id: I4cfbd01bf8d78a9604cd161f2c4f91f9fe43695a
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279945
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  sysedp_reactive_capping: Fix warning string check
Anand Prasad [Wed, 28 Dec 2016 19:45:29 +0000]
sysedp_reactive_capping: Fix warning string check

The current implementation incorrectly checks if a pointer value is
NULL when actually referencing an array.
Instead, use a pointer to read the threshold warning string from
device-tree so that the pointer NULL check now works.

Bug 200266221

Change-Id: Iff9e43780534cf43e93b489c7ebe150fdf4ac437
Signed-off-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-on: http://git-master/r/1277816
(cherry picked from commit 29d326af77ad71f6e61ce6e6e35eac6626500a72)
Reviewed-on: http://git-master/r/1279362
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

2 years ago  CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE
Federico Sauter [Tue, 17 Mar 2015 16:45:28 +0000]
CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE

This patch fixes a race condition that occurs when connecting
to a NT 3.51 host without specifying a NetBIOS name.
In that case a RFC1002_NEGATIVE_SESSION_RESPONSE is received
and the SMB negotiation is reattempted, but under some conditions
it leads SendReceive() to hang forever while waiting for srv_mutex.
This, in turn, sets the calling process to an uninterruptible sleep
state and makes it unkillable.

The solution is to unlock the srv_mutex acquired in the demux
thread *before* going to sleep (after the reconnect error) and
before reattempting the connection.

Bug 200266605

Change-Id: I168f4977192307dd859f83d6850bdd1eecf27dfe
(cherry picked from commit 4afe260bab50290a05e5732570329a530ed023f3)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1277404
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  ALSA: hda: Allow 8ch/192k for HD capable sinks
Ashok Mudithanapalli [Fri, 23 Dec 2016 12:03:04 +0000]
ALSA: hda: Allow 8ch/192k for HD capable sinks

If the sink is DTSHD/MLP decode capable, but not supporting
8ch/192k in its ELD, ALSA card doesn't add these in supported
rates & ch. Add these in ALSA card for HD decode capable sinks,
so that user-space can open pcm device and play HD content.

Bug 200261363

Change-Id: Ia979868f27a740abcb16b1fea37fd9684779d4be
Signed-off-by: Ashok Mudithanapalli <ashokm@nvidia.com>
Reviewed-on: http://git-master/r/1276193
GVS: Gerrit_Virtual_Submit
Reviewed-by: Rahul Mittal <rmittal@nvidia.com>
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
(cherry picked from commit fde817178e6bf99ea0d161d0175f0e69a5881d6a)
Reviewed-on: http://git-master/r/1277059
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Sanjay Singh Chauhan <schauhan@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  TS/Pepper: Protect buffer deallocation
David DSH [Mon, 19 Dec 2016 20:51:09 +0000]
TS/Pepper: Protect buffer deallocation

Bug 1842498

Change-Id: Ibf0181fd17e7cbe3964bec21072bf2d6ae85d9f2
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1273658
Tested-by: Hall Jiang <hallj@nvidia.com>
Reviewed-by: Hall Jiang <hallj@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago  hid:jarvis: send uevent on creating timeout node
Siddardha Naraharisetti [Wed, 21 Dec 2016 04:07:59 +0000]
hid:jarvis: send uevent on creating timeout node

Send uevent to userspace on node creation so that
permissions can be updated.

Bug 1854947

Change-Id: I7487ea060d58a17f7ffdb48565e3696005bb228b
Signed-off-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
Reviewed-on: http://git-master/r/1274602
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  iio: imu: tsfw_icm: Add null checks in recv path
Spencer Sutterlin [Fri, 9 Dec 2016 00:35:49 +0000]
iio: imu: tsfw_icm: Add null checks in recv path

Bug 1850884

Change-Id: Ie750a30b822cd18c8c7f45235dfd52d707aec1fc
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1272201
(cherry picked from commit 9eaec0173ddf9eb9b4a4b9440b6df0ecd064ae52)
Reviewed-on: http://git-master/r/1268031
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  iio: Finish fix with spinlock around some reads
Spencer Sutterlin [Tue, 6 Dec 2016 20:30:25 +0000]
iio: Finish fix with spinlock around some reads

Bug 1843012

Change-Id: I9acf63c755ea7afb6f94496ef7aef40c199f42c9
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1272200
(cherry picked from commit e329d6dedf2731b435e99406ca8ce0930fce81be)
Reviewed-on: http://git-master/r/1266149
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  hid: jarvis: fake button release events for pepper
Andrew Chen [Tue, 13 Dec 2016 09:16:29 +0000]
hid: jarvis: fake button release events for pepper

Fake button release events when not receiving them from pepper.
Also provide sysfs interface for shieldtech to set the timeout value
according to firmware version.

Bug 200216036

Change-Id: Iec7ef71431fc435cfb956c04bbf77a63361e9aa0
Signed-off-by: Andrew Chen <andrewc@nvidia.com>
Signed-off-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
Reviewed-on: http://git-master/r/1270311
Reviewed-by: Varun Colbert <vcolbert@nvidia.com>
Tested-by: Varun Colbert <vcolbert@nvidia.com>

2 years ago  video: tegra: hdmi: disable hdmi2.0 during disable
Santosh Reddy Galma [Thu, 15 Dec 2016 17:47:06 +0000]
video: tegra: hdmi: disable hdmi2.0 during disable

Bug 1850165

This change disables scdc when disabling the hdmi controller.
This fixes an issue when going to fastboot mode, which is
set at 1080p, where we should not enable scdc. This causes
issues for some TVs, especially HDR 4K.

Change-Id: Ifa8ad45db43aa1b70810b92b4a39fc64d17e5df7
Signed-off-by: Santosh Reddy Galma <galmar@nvidia.com>
Reviewed-on: http://git-master/r/1272521
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Tested-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years ago  cpufreq: Don't create empty /sys/devices/system/cpu/cpufreq directory
Viresh Kumar [Fri, 17 May 2013 10:39:09 +0000]
cpufreq: Don't create empty /sys/devices/system/cpu/cpufreq directory

When we don't have any file in cpu/cpufreq directory we shouldn't
create it. Especially with the introduction of per-policy governor
instance patchset, even governors are moved to
cpu/cpu*/cpufreq/governor-name directory and so this directory is
just not required.

Let's have it only when required.

Bug 200260321

Change-Id: I376d8919a9c12e01ea2ba8d8edf700b17c3ff707
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1272226
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  misc: Remove stale code in cpuload
Sai Gurrappadi [Fri, 22 May 2015 19:50:50 +0000]
misc: Remove stale code in cpuload

cpuloadmon no longer needs a timer to sample load as it uses the
idle-counter delta to determine load over an interval. Removed the timer
along with a lot of unused code most of which was copied over from
cpufreq_interactive.c.

Bug 1828392
Bug 200260321

Change-Id: Ib23d19a18311878c6e6e6c7ca55acebcd9a3b777
(cherry picked from commit ab8f8ec440a17895eb902751caf8792727042f53)
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: http://git-master/r/1271444
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "T124 : platform : Enable CPUSETS"
Gagan Grover [Fri, 9 Dec 2016 06:53:07 +0000]
Revert "T124 : platform : Enable CPUSETS"

This reverts commit 75cc1514386107905693363b5e524dc1c3d51873.

Bug 200257427

Change-Id: I9f8b7cdb97abfa83b28c25b4ffc55875c72f7150
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1268227
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  RT8168: Fix typo for power spender
David DSH [Wed, 14 Dec 2016 02:00:29 +0000]
RT8168: Fix typo for power spender

Bug 1828585

Change-Id: I73e27339200f87437ffc08ebd23b2cca2f30545c
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1270646
Reviewed-by: Martin Gao <marting@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  hid: jarvis: Suppress kernel debug prints in atvr_raw_event()
Mithun Maragiri [Thu, 8 Dec 2016 20:39:48 +0000]
hid: jarvis: Suppress kernel debug prints in atvr_raw_event()

There is a spew of debug prints when handling debug HID reports
sent by Thunderstrike. This report has debug information about
the current status of TS.

Bug 1852042

Change-Id: Icd7ed09608301a7dcd70c9721392e4a437cbfb18
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1267770
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  To handle pm enable before Wi-fi turns ON.
nagaraj [Tue, 13 Dec 2016 02:17:49 +0000]
To handle pm enable before Wi-fi turns ON.

Bug 1828585

Change-Id: Ib41d228b5d9948cb9f3f8a61f11bae15ef0f364d
Signed-off-by: Nagaraj Annaiah <nannaiah@nvidia.com>
Reviewed-on: http://git-master/r/1269916
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  cpufreq: Synchronize the cpufreq store_*() routines with CPU hotplug
Nicolin Chen [Sat, 23 Jan 2016 00:00:48 +0000]
cpufreq: Synchronize the cpufreq store_*() routines with CPU hotplug

The functions that are used to write to cpufreq sysfs files (such as
store_scaling_max_freq()) are not hotplug safe. They can race with CPU
hotplug tasks and lead to problems such as trying to acquire an already
destroyed timer-mutex etc.

Eg:

    __cpufreq_remove_dev()
     __cpufreq_governor(policy, CPUFREQ_GOV_STOP);
       policy->governor->governor(policy, CPUFREQ_GOV_STOP);
        cpufreq_governor_dbs()
         case CPUFREQ_GOV_STOP:
          mutex_destroy(&cpu_cdbs->timer_mutex)
          cpu_cdbs->cur_policy = NULL;
      <PREEMPT>
    store()
     __cpufreq_set_policy()
      __cpufreq_governor(policy, CPUFREQ_GOV_LIMITS);
        policy->governor->governor(policy, CPUFREQ_GOV_LIMITS);
         case CPUFREQ_GOV_LIMITS:
          mutex_lock(&cpu_cdbs->timer_mutex); <-- Warning (destroyed mutex)
           if (policy->max < cpu_cdbs->cur_policy->cur) <- cur_policy == NULL

So use get_online_cpus()/put_online_cpus() in the store_*() functions, to
synchronize with CPU hotplug.

[ Merging the same patch from the Linux mainline, committed by Srivatsa
  S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>; could not do cherry-pick
  due to conflicts. Also revised the commit log to make less confusion
  as the original commit log mentioned an issue that isn't included in
  our 3.10 branch.

  This commit could be treated as a fix to the Bug 200152270 as there
  is a race condition here between SYSFS operations and a cpu hotplug
  that when the init process tries to GOV_START all online cpus via
  SYSFS, a cpu hotplug may happen to turn off one cpu without updating
  the new_policy->cpus in time. So the new_policy->cpus might contain
  an offlined cpu which is the root cause of this bug. Adding a lock
  of hotplug here ensures no race would happen during the SYSFS access.

  As policy->cpus is always updated during hotplug in its add/remove
  functions, we don't need to worry that it gets out-of-date as long
  as any hotplug operation is locked during the store_*().

  I applied this change and passed both the cpufreqhotplugstress and
  the following test:

  while true; do echo 0 > /sys/devices/system/cpu/cpu3/online; echo 1 > /sys/devices/system/cpu/cpu3/online; done&
  while true; do echo userspace > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor; echo interactive > /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor; done&

  -- Nicolin ]

Bug 200152270
Bug 200254695

Change-Id: If871094dc92d4478a9484e92fd5cbebaeb9ae5e8
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-on: http://git-master/r/1111679
Reviewed-by: Richard Wiley <rwiley@nvidia.com>
Tested-by: Richard Wiley <rwiley@nvidia.com>
(cherry picked from commit 39be41de331032a0fc596b9d20a8e11dcb0a5f7d)
Reviewed-on: http://git-master/r/1268903
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
GVS: Gerrit_Virtual_Submit

2 years ago  Revert "arm64: t210: Enable TSFW_ICM"
Spencer Sutterlin [Wed, 30 Nov 2016 03:00:15 +0000]
Revert "arm64: t210: Enable TSFW_ICM"

The kernel panics are fixed, but there are still several userspace
sensor HAL and sensorservice crashes.

Bug 1807528
Bug 1850381
Bug 1850405
Bug 1850410

This reverts commit d8db5dc7f0e6bb076e8a8272d00c13bfd3ab1505.

Change-Id: I7beedfe61bba074f806e3031a665d04a451ea7dc
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1262015
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "gpu: nvgpu: Add ref counting to channels"
Alex Waterman [Fri, 9 Dec 2016 19:48:41 +0000]
Revert "gpu: nvgpu: Add ref counting to channels"

This reverts commit ba5e6cc875971f0559d05f44035d27fc067e446f.

Bug 1850554

Change-Id: Iac7c616a40e8bfd61789c630e8a23955f85565e4
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1268671
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Tested-by: Martin Gao <marting@nvidia.com>

2 years ago  Revert "gpu: nvgpu: Fix CDE bind channel usage"
Alex Waterman [Fri, 9 Dec 2016 18:54:35 +0000]
Revert "gpu: nvgpu: Fix CDE bind channel usage"

This reverts commit efc0204b472571bb9ab7e243c318bd12f3e721fc.

Bug 1850554

Change-Id: I02df6e6bba4c05ba0f255f9f828289f58ad4483a
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1268640
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Martin Gao <marting@nvidia.com>

2 years ago  Revert "driver core / PM: move the calling to device_pm_remove behind the calling...
Peter Yu [Tue, 6 Dec 2016 13:40:36 +0000]
Revert "driver core / PM: move the calling to device_pm_remove behind the calling to bus_remove_device"

This reverts commit 70a657f97a2fb712aff46e5ba436c7e5e4cbb3f3.

Bug 200258370
Bug 200255615

Signed-off-by: Peter Yu <pyu@nvidia.com>
Change-Id: I3b20838102aab119c97d6bc94c09384dffa23883
Reviewed-on: http://git-master/r/1265897
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "usb: storage: enable auto-suspend for USB storage"
Peter Yu [Tue, 6 Dec 2016 13:37:10 +0000]
Revert "usb: storage: enable auto-suspend for USB storage"

This reverts commit 907a021305c226d8b2130a95cf53be805fcc4f1d.

Bug 200258370
Bug 200255615

Signed-off-by: Peter Yu <pyu@nvidia.com>
Change-Id: I2d2f100f5bb4b030a5cac6848c076526e958eb65
Reviewed-on: http://git-master/r/1265893
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  Revert "usb: core: avoid PM error -ENODEV for detached MSD"
Peter Yu [Tue, 6 Dec 2016 13:32:58 +0000]
Revert "usb: core: avoid PM error -ENODEV for detached MSD"

This reverts commit 225c916b5d5bf93d0b02f646dbd4df8209bf74f4.

Bug 200258370
Bug 200255615

Signed-off-by: Peter Yu <pyu@nvidia.com>
Change-Id: I17c000cdf69fa810abbe860b6013671d3c142d1b
Reviewed-on: http://git-master/r/1265890
GVS: Gerrit_Virtual_Submit
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  hid: jarvis: do tsfw_icm's probe in workqueue
Andrew Chen [Wed, 30 Nov 2016 03:48:04 +0000]
hid: jarvis: do tsfw_icm's probe in workqueue

tsfw_icm probe takes around 2 seconds to finish and this
causes incoming HID data to be dropped at the stack layer in the
meantime. Make it run in a workqueue to fix this problem.

Bug 1845197

Change-Id: I69c26222795af5a83242c165d0c61ea414a97c03
Signed-off-by: Andrew Chen <andrewc@nvidia.com>
Reviewed-on: http://git-master/r/1263719
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago  Revert "Revert "iio: imu: nvi: v.337 Fix DMP gyro""
Robert Collins [Mon, 28 Nov 2016 17:47:13 +0000]
Revert "Revert "iio: imu: nvi: v.337 Fix DMP gyro""

This reverts commit 79d3a1160b94d4b8f83ad5e643c5b6f4cc6b0ce7.

This patch restores the following commit:
    iio: imu: nvi: v.337 Fix DMP gyro

    - Fix ICM DMP gyroscope data output to match the standard FIFO data output.

    Bug 1831500

Bug 200246901
Bug 1831500

Change-Id: Id33e9b4024a6455f65503c6de18b7dbdae76652e
Signed-off-by: Robert Collins <rcollins@nvidia.com>
Reviewed-on: http://git-master/r/1263653
GVS: Gerrit_Virtual_Submit
Reviewed-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Tested-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Tested-by: Spencer Sutterlin <ssutterlin@nvidia.com>

2 years ago  gpu: nvgpu: Fix CDE bind channel usage
Alex Waterman [Tue, 29 Nov 2016 00:25:28 +0000]
gpu: nvgpu: Fix CDE bind channel usage

Use the shared bind channel code from CDE instead of custom
channel binding code. The CDE code was using its own bind
channel code because the bind channel API took a gk20a_as_share
argument to define the VM. However, the core bind channel API
is trivially abstractable so that the core API can take a
vm_gk20a struct directly.

Bug: 31680980
NvBug 1825464

Change-Id: I0ad766748f22a64d30003a089eaa7dc65fa10e8a
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1265359
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  gpu: nvgpu: Add ref counting to channels
Alex Waterman [Thu, 13 Oct 2016 17:03:59 +0000]
gpu: nvgpu: Add ref counting to channels

Make sure that the VM owned by a channel lives for at least
as long as that channel does. If the channel's VM is cleaned
up before the channel then use-after-free bugs can occur.

It seems like the gk20a_vm_get() was simply missing from the
bind channel. This patch adds it. The corresponding
gk20a_vm_put() happens during channel close.

Bug: 31680980
NvBug 1825464

Change-Id: If745ad4c1454386ddad9a83ff22ccd9ba2a72168
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: http://git-master/r/1265358
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  DNI: hid: jarvis: Fix lost key events
Mithun Maragiri [Wed, 30 Nov 2016 06:54:51 +0000]
DNI: hid: jarvis: Fix lost key events

The issue of key events getting lost happens when the HID report
is of the report->id = SENSOR_REPORT_ID_COMBINED.
Sensor report data from the data buffer was handled properly;
however, the button report part was not handled properly.

Bug 200250863

Change-Id: Ib6cd985b472ba927aa854e9c4b7f4e243f5cd22e
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1263496
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-by: Martin Gao <marting@nvidia.com>
Reviewed-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  iio: Add refcount and buffer poll wakeup
Spencer Sutterlin [Wed, 30 Nov 2016 20:31:23 +0000]
iio: Add refcount and buffer poll wakeup

Bring ideas from the following upstream commits
- commit "cadc2125e" (iio: fix: Keep a reference to the IIO device
  for open file descriptors)
- commit "d2f0a48f3" (iio: Wakeup poll and blocking reads when the
  device is unregistered)

Bug 200254499

Change-Id: If5f9275091ae3f86f5c2994af5a619797b9425f0
Signed-off-by: Spencer Sutterlin <ssutterlin@nvidia.com>
Reviewed-on: http://git-master/r/1263974
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago  ARM: config: tegra12: disable CONFIG_ION
Gagan Grover [Sun, 4 Dec 2016 11:50:54 +0000]
ARM: config: tegra12: disable CONFIG_ION

ION memory is not needed in Android Tegra.

boot.img size is reduced by 14336 bytes

Bug 1823317

Change-Id: If83051043b763cdb0cd3e2d550f4769a728ed491
Reviewed-on: http://git-master/r/1263861
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1264550
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  ARM: config: tegra12: auto generated diff
Gagan Grover [Sun, 4 Dec 2016 11:42:33 +0000]
ARM: config: tegra12: auto generated diff

No change done manually. Diff is auto generated by performing
these three steps on tot:
1) ksetup tegra12_android_defconfig
2) kconfig (just touched one config, no change made)
3) ksavedefconfig tegra12_android_defconfig

boot.img size not changed.

Bug 1823317
Change-Id: Ic9c17b292c2257d2f0c43017b1b3700d8732e5a2
Reviewed-on: http://git-master/r/1263858
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1264549
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  Add enable and disable Wi-Fi Power management through sysfs.
nagaraj [Wed, 30 Nov 2016 22:54:18 +0000]
Add enable and disable Wi-Fi Power management through sysfs.

Bug 1828585

Change-Id: I713de1dddbec21d0e3c0105d9f2630a45cecd2ff
Signed-off-by: Nagaraj Annaiah <nannaiah@nvidia.com>
(cherry picked from commit 63fa1393ea127c753002cc7fce893590b7931b34)
Reviewed-on: http://git-master/r/1263671
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Terry Wang <terwang@nvidia.com>
Reviewed-by: Ramaiyer Ramesh <ramaiyerr@nvidia.com>

2 years ago  Elevation of privilege vulnerability in kernel networking subsystem
Mithun Maragiri [Tue, 29 Nov 2016 01:54:46 +0000]
Elevation of privilege vulnerability in kernel networking subsystem

An elevation of privilege vulnerability in the kernel networking
subsystem could enable a local malicious application to execute
arbitrary code within the context of the kernel. This issue is
rated as Moderate because it first requires compromising a
privileged process and current compiler optimizations restrict
access to the vulnerable code.

There is no validation of the len variable passed to the
ping_common_sendmsg function to check if it is less than
icmph_len leading to a potential overflow. The fix is designed
to add additional validation to prevent the potential overflow.

CVE-2016-8399
A-31349935
Bug 1836932

Change-Id: Ia61de145bd5e12c1f30847812abd06334054b416
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262344
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
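
The missing lower bound on len described in the entry above, as an added user-space model (example code, not the kernel's own ping_common_sendmsg()): the unchecked size_t arithmetic beside a check in the shape of the fix. The header struct, buffer sizes and helper names are assumptions made for the demonstration.

```c
/*
 * Added example, not kernel code: a user-space model of the length check
 * that CVE-2016-8399 was missing. Struct layout, limits and function names
 * below are assumptions for the demonstration.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

#define ICMPH_LEN 8u       /* ICMPv4 echo header: type, code, csum, id, seq */
#define MAX_DGRAM 0xFFFFu  /* oversize bound the original code already enforced */

struct icmp_echo_hdr {
    uint8_t  type;
    uint8_t  code;
    uint16_t checksum;
    uint16_t id;
    uint16_t seq;
};

/*
 * Payload length as an unchecked path would compute it: when len is
 * smaller than the header, the size_t subtraction wraps to a huge value,
 * and any copy or checksum that trusts it runs far past the real buffer.
 * Returned rather than used, so the wrap can be observed safely.
 */
size_t payload_len_unchecked(size_t len, size_t icmph_len)
{
    return len - icmph_len;
}

/*
 * Hardened check in the shape of the fix: reject oversize datagrams as
 * before AND anything too short to hold the ICMP header at all.
 */
int validate_icmp_len(size_t len, size_t icmph_len)
{
    if (len > MAX_DGRAM || len < icmph_len)
        return -EMSGSIZE;
    return 0;
}

/*
 * Model of the send path: assemble header + payload into a bounded
 * kernel-side buffer only after the length passed validation.
 * Returns bytes assembled, or a negative errno.
 */
long assemble_echo_request(const uint8_t *user_buf, size_t len,
                           uint8_t *out, size_t out_cap)
{
    int err = validate_icmp_len(len, ICMPH_LEN);
    if (err)
        return err;
    if (len > out_cap)
        return -ENOBUFS;

    struct icmp_echo_hdr hdr;
    memcpy(&hdr, user_buf, ICMPH_LEN);
    if (hdr.type != 8 || hdr.code != 0)  /* only echo requests on a ping socket */
        return -EINVAL;

    size_t payload_len = len - ICMPH_LEN;  /* cannot wrap: len >= ICMPH_LEN here */
    memcpy(out, &hdr, ICMPH_LEN);
    memcpy(out + ICMPH_LEN, user_buf + ICMPH_LEN, payload_len);
    return (long)len;
}

int main(void)
{
    /* Constructed sample: echo request header followed by 4 payload bytes. */
    const uint8_t dgram[] = { 8, 0, 0, 0, 0x12, 0x34, 0, 1, 'p', 'i', 'n', 'g' };
    uint8_t out[64];

    printf("unchecked payload len for a 7-byte send: %zu\n",
           payload_len_unchecked(7, ICMPH_LEN));
    printf("12-byte send -> %ld\n",
           assemble_echo_request(dgram, sizeof dgram, out, sizeof out));
    printf("7-byte send  -> %ld (-EMSGSIZE)\n",
           assemble_echo_request(dgram, 7, out, sizeof out));
    return 0;
}
```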

2 years ago  Denial of service vulnerability in kernel sound driver
Mithun Maragiri [Tue, 29 Nov 2016 04:11:18 +0000]
Denial of service vulnerability in kernel sound driver

A denial of service vulnerability in the kernel could allow a
local malicious application to cause a device reboot.
This issue is rated as Low because it is a temporary denial of
service.

The original fix used -EIO as the error return code but
the function signatures had unsigned int as the return type.
The updated fix uses -1 as the error return code instead of -EIO
so the error return code is more clearly defined.

CVE-2016-6690
A-28838221
Bug 1836932

Change-Id: I10754b638b7432242d7baa1355d35bf56c2ad085
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262338
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  use %pK instead of %p
Mithun Maragiri [Tue, 29 Nov 2016 04:05:43 +0000]
use %pK instead of %p

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also
evaluates whether kptr_restrict is set.

CVE-2016-8406
A-31796940
Bug 1836932

Change-Id: I6718ace16ac0de99ecd3c9cf290bda79eac6632e
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262333
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  use %pK instead of %p
Mithun Maragiri [Tue, 29 Nov 2016 03:54:24 +0000]
use %pK instead of %p

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8402
A-31495231

Bug 1836932

Change-Id: I25843416454a29ac6c7c762072635d699ff7acbf
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262331
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  use %pK instead of %p
Mithun Maragiri [Tue, 29 Nov 2016 03:29:27 +0000]
use %pK instead of %p

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8401
A-31494725
Bug 1836932

Change-Id: I5e62e63c694735ab2711e5451f0deddd57ebfaac
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262328
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago  video: tegra: nvmap: Fix print format specifier
Gagan Grover [Tue, 29 Nov 2016 13:15:33 +0000]
video: tegra: nvmap: Fix print format specifier

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8408 A-31496571

Bug 1844902

Change-Id: I35c3ddb7b6a52e4edba814de0eaa5e85629130b9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262308
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago  perf: Fix event->ctx locking
Peter Zijlstra [Fri, 23 Jan 2015 11:24:14 +0000]
perf: Fix event->ctx locking

There have been a few reported issues wrt. the lack of locking around
changing event->ctx. This patch tries to address those.

It avoids the whole rwsem thing; and while it appears to work, please
give it some thought in review.

What I did fail at is sensible runtime checks on the use of
event->ctx, the RCU use makes it very hard.

Bug 1836932

Change-Id: Ia307722c251bb9a058df98f2061625cfcace984c
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.209535886@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262262
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  video: tegra: nvmap: Fix print format specifier
Gagan Grover [Tue, 29 Nov 2016 13:02:40 +0000]
video: tegra: nvmap: Fix print format specifier

The format specifier %p can leak kernel addresses.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

CVE-2016-8409 A-31495687

Bug 1844902

Change-Id: I57a1fca9c58c0ac433415e39c82ab72d7429e48e
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262260
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  audit: fix a double fetch in audit_log_single_execve_arg()
Paul Moore [Tue, 19 Jul 2016 21:42:57 +0000]
audit: fix a double fetch in audit_log_single_execve_arg()

There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) arguments for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1].  Of course this leaves a window of
opportunity for an unsavory application to munge with the data.

This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s).  In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).

As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:

 * https://github.com/linux-audit/audit-testsuite/issues/25

[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.

[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data.  I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation).  The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.

Bug 1823317

Change-Id: I500834e1e699cb43d207333fa91292673de54933
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262255
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
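
The double fetch described in the message above, replayed as an added example that is not the audit subsystem's code: the "user" argument, the racing writer and the encoding rule are all constructed here, and the race is driven deterministically (the writer strikes after a chosen fetch) rather than with threads. The point it shows is that when the encoding decision and the logged bytes come from two different copies, the attacker gets to choose which copy contains the quote, and the record on disk ends up carrying a fake field.

```c
/* Added example, not the audit code: a double fetch of user memory replayed
 * deterministically (constructed argument and racing writer, no threads),
 * beside the single-fetch fix. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define ARG_LEN 16
static char user_arg[ARG_LEN];      /* constructed execve argument in "user" memory */
static const char *racer_payload;   /* what the racing writer swaps in */
static int racer_after_fetch;       /* after which fetch it strikes (0 = never) */
static int fetch_count;
static char last_record[64];        /* the audit record produced by the last run */

/* strnlen_user() stand-in: bounded length of the argument. */
static size_t user_arg_len(void)
{
    size_t n = 0;
    while (n < ARG_LEN - 1 && user_arg[n])
        n++;
    return n;
}

/* copy_from_user() stand-in: copies n bytes, then gives the racing writer
 * its chance to rewrite the argument behind the kernel's back. */
static void fetch_user(char *dst, size_t n)
{
    memcpy(dst, user_arg, n);
    if (++fetch_count == racer_after_fetch)
        snprintf(user_arg, sizeof user_arg, "%s", racer_payload);
}

/* Encoding rule: a quote or any byte outside printable ASCII forces hex. */
static int needs_encoding(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (s[i] == '"' || s[i] < 0x21 || s[i] > 0x7e)
            return 1;
    return 0;
}

/* Writes either "arg" or the uppercase hex encoding of the bytes. */
static void emit(char *rec, size_t recsz, const char *s, size_t n, int enc)
{
    if (!enc) {
        snprintf(rec, recsz, "\"%.*s\"", (int)n, s);
        return;
    }
    size_t o = 0;
    for (size_t i = 0; i < n && o + 2 < recsz; i++, o += 2)
        snprintf(rec + o, recsz - o, "%02X", (unsigned char)s[i]);
    rec[o] = '\0';
}

/* Vulnerable: encoding decided on fetch 1, bytes logged from fetch 2. */
static void log_arg_double_fetch(char *rec, size_t recsz)
{
    char tmp[ARG_LEN];
    size_t n = user_arg_len();
    fetch_user(tmp, n);
    int enc = needs_encoding(tmp, n);
    fetch_user(tmp, n);
    emit(rec, recsz, tmp, n, enc);
}

/* Fixed: one fetch into a kernel buffer; scan and log the same bytes. */
static void log_arg_single_fetch(char *rec, size_t recsz)
{
    char buf[ARG_LEN];
    size_t n = user_arg_len();
    fetch_user(buf, n);
    emit(rec, recsz, buf, n, needs_encoding(buf, n));
}

/* Well formed: a quoted string with no quote or unprintable byte inside, or
 * a non-empty run of hex digits. Anything else is a corrupted record. */
static int record_is_well_formed(const char *rec)
{
    size_t len = strlen(rec);
    if (rec[0] == '"') {
        if (len < 2 || rec[len - 1] != '"')
            return 0;
        for (size_t i = 1; i + 1 < len; i++)
            if (rec[i] == '"' || rec[i] < 0x21 || rec[i] > 0x7e)
                return 0;
        return 1;
    }
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)rec[i]))
            return 0;
    return len > 0;
}

/* Runs one scenario: sets up the argument and the racing writer, logs via
 * the double- or single-fetch path, returns 1 if the record is sound. */
static int run_scenario(int single_fetch, const char *initial,
                        const char *payload, int after)
{
    snprintf(user_arg, sizeof user_arg, "%s", initial);
    racer_payload = payload;
    racer_after_fetch = after;
    fetch_count = 0;
    if (single_fetch)
        log_arg_single_fetch(last_record, sizeof last_record);
    else
        log_arg_double_fetch(last_record, sizeof last_record);
    return record_is_well_formed(last_record);
}

int main(void)
{
    /* writer swaps in a quote plus a fake "uid=0" field after fetch 1 */
    int ok = run_scenario(0, "safe-arg", "a\" uid=0", 1);
    printf("double fetch: sound=%d record=%s\n", ok, last_record);
    ok = run_scenario(1, "safe-arg", "a\" uid=0", 1);
    printf("single fetch: sound=%d record=%s\n", ok, last_record);
    return 0;
}
```

With the writer striking after the first fetch, the double-fetch path logs `"a" uid=0"` verbatim; the single-fetch path logs `"safe-arg"`, and if the quote is already present before the only fetch it hex-encodes the argument instead.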

2 years ago  arm64: make sys_call_table const
Mark Rutland [Thu, 8 Jan 2015 11:42:59 +0000]
arm64: make sys_call_table const

As with x86, mark the sys_call_table const such that it will be placed
in the .rodata section. This will cause attempts to modify the table
(accidental or deliberate) to fail when strict page permissions are in
place. In the absence of strict page permissions, there should be no
functional change.

Bug 1836932

Change-Id: I1b8da149e9a117663b63bb5df0c348ff5ad8a12d
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262251
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  staging/android/ion : fix a race condition in the ion driver
EunTaik Lee [Wed, 24 Feb 2016 04:38:06 +0000]
staging/android/ion : fix a race condition in the ion driver

There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()
function.

A handle has a ref count of 1 and two tasks on different
cpus call ION_IOC_FREE simultaneously.

cpu 0                                   cpu 1
-------------------------------------------------------
ion_handle_get_by_id()
(ref == 2)
                            ion_handle_get_by_id()
                            (ref == 3)

ion_free()
(ref == 2)

ion_handle_put()
(ref == 1)

                            ion_free()
                            (ref == 0 so ion_handle_destroy() is
                            called
                            and the handle is freed.)

                            ion_handle_put() is called and it
                            decreases the slub's next free pointer

The problem is detected as an unaligned access in the
spin lock functions since it uses the load-exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer (kmalloc returns a pointer like
ffffc0745b4580aa). And it causes lots of other
hard-to-debug problems.

This symptom is caused since the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been
freed.

To fix this problem the client->lock mutex is extended
to protect all the code that uses the handle.

Bug 1836932

Change-Id: I45abd9dd1f696105a7840a25ba4a594b5af4fa65
Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262250
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
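
The interleaving in the table above, as an added sequential replay that is not the ion driver's code: the handle, its table entry and the get/free/put operations are constructed with the same reference semantics the message describes (lookup takes a reference, ion_free unlinks the handle and drops the table's reference, the last put destroys). The unlocked replay performs the two CPUs' steps in the order shown and records the put that lands on a destroyed handle; the locked variant holds the client lock across lookup, free and put, so the second caller's lookup simply fails. The -EINVAL for a missing handle and the modelling of the lock as a depth counter are assumptions of this example.

```c
/* Added example, not the ion driver: sequential replay of the two-CPU
 * ION_IOC_FREE interleaving, without and with the lock held across the
 * whole lookup/free/put path. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct handle {
    int ref;            /* first member, as in the message: the refcount */
    int destroyed;      /* stands in for "memory returned to the slab" */
};

static struct handle the_handle;    /* constructed, reset per replay */
static struct handle *client_table; /* the client's id -> handle lookup */
static int uaf_seen;                /* a destroyed handle was touched */
static int destroy_count;
static int lock_depth;              /* models client->lock (replay is sequential) */

static void new_handle(void)
{
    the_handle.ref = 1;
    the_handle.destroyed = 0;
    client_table = &the_handle;
    uaf_seen = 0;
    destroy_count = 0;
}

static void handle_destroy(struct handle *h)
{
    h->destroyed = 1;
    destroy_count++;
}

/* Lookup by id: takes a reference on success. */
static struct handle *handle_get_by_id(void)
{
    struct handle *h = client_table;
    if (!h)
        return NULL;
    h->ref++;
    return h;
}

/* Drops a reference; decrementing a destroyed handle is the use-after-free. */
static void handle_put(struct handle *h)
{
    if (h->destroyed) {
        uaf_seen = 1;
        return;
    }
    if (--h->ref == 0)
        handle_destroy(h);
}

/* ion_free(): unlink from the client table and drop the table's reference. */
static void ion_free(struct handle *h)
{
    if (client_table == h)
        client_table = NULL;
    handle_put(h);
}

/* Unlocked: both CPUs look the handle up before either frees it.
 * Returns 1 if a destroyed handle was used. */
static int replay_unlocked(void)
{
    new_handle();
    struct handle *cpu0 = handle_get_by_id();   /* ref == 2 */
    struct handle *cpu1 = handle_get_by_id();   /* ref == 3 */
    ion_free(cpu0);                             /* ref == 2 */
    handle_put(cpu0);                           /* ref == 1 */
    ion_free(cpu1);                             /* ref == 0: destroyed */
    handle_put(cpu1);                           /* touches freed memory */
    return uaf_seen;
}

/* Fixed: lookup, free and put form one critical section under the client
 * lock, so the second caller's lookup fails instead of racing. */
static int ioc_free_locked(void)
{
    lock_depth++;
    struct handle *h = handle_get_by_id();
    if (!h) {
        lock_depth--;
        return -EINVAL;                         /* assumed: handle not found */
    }
    ion_free(h);
    handle_put(h);
    lock_depth--;
    return 0;
}

/* Returns 0 when the locked path behaves: one destroy, second call -EINVAL. */
static int replay_locked(void)
{
    new_handle();
    int rc0 = ioc_free_locked();                /* cpu0: 0, handle destroyed */
    int rc1 = ioc_free_locked();                /* cpu1: -EINVAL, nothing left */
    return uaf_seen || rc0 != 0 || rc1 != -EINVAL || lock_depth != 0;
}

int main(void)
{
    printf("unlocked replay: uaf=%d destroys=%d\n", replay_unlocked(), destroy_count);
    printf("locked replay:   bad=%d destroys=%d\n", replay_locked(), destroy_count);
    return 0;
}
```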

2 years ago  percpu: fix synchronization between synchronous map extension and chunk destruction
Tejun Heo [Wed, 25 May 2016 15:48:25 +0000]
percpu: fix synchronization between synchronous map extension and chunk destruction

For non-atomic allocations, pcpu_alloc() can try to extend the area
map synchronously after dropping pcpu_lock; however, the extension
wasn't synchronized against chunk destruction and the chunk might get
freed while extension is in progress.

This patch fixes the bug by putting most of non-atomic allocations
under pcpu_alloc_mutex to synchronize against pcpu_balance_work which
is responsible for async chunk management including destruction.

Bug 1836932

Change-Id: I1031ca004b5487bc7c6d57db15863e5c847946b4
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-and-tested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Cc: stable@vger.kernel.org # v3.18+
Fixes: 1a4d76076cda ("percpu: implement asynchronous chunk population")
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262243
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago  cgroup: Correct the address format specifier
Gagan Grover [Fri, 25 Nov 2016 17:22:19 +0000]
cgroup: Correct the address format specifier

The format specifier %p can leak kernel addresses while ignoring
the kptr_restrict system setting.
The fix is designed to use %pK instead of %p, which also evaluates
whether kptr_restrict is set.

Bug 1823317

Change-Id: I19dc309e7f5341663add987f5d0b47ee32e1be50
Reviewed-on: http://git-master/r/1260110
(cherry picked from commit d018ef6518a7527562bedae1eab86838cfcc0570)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1262238
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
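
The check a practitioner wants after a series of %p to %pK fixes like the ones above (this one and the nvmap and "use %pK instead of %p" changes earlier in the log) is a scan of the remaining format strings for bare %p, plus a clear picture of what %pK actually prints under each kptr_restrict value. Both are given here as an added example that is not kernel code: the scanner treats %pK as the restricted form and any other lettered extension (%pS, %pM, ...) as intentional, the sample format strings are constructed, and kptr_as_printed() models the %pK rule (0: real address; 1: real address only for a reader with CAP_SYSLOG, zeros otherwise; 2: zeros for everyone). One caveat for readers on newer trees: from Linux 4.15 bare %p prints a hashed value rather than the raw address, but in the 3.x-era kernels this log comes from it printed the address as-is.

```c
/* Added example, not kernel code: a scanner for bare %p in printk-style
 * format strings, and the %pK output rule by kptr_restrict level. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Counts bare %p conversions in a printf-style format. "%%" is a literal,
 * "%pK" is the restricted form, and any other lettered extension after p
 * (%pS, %pM, ...) is treated as intentional and left alone. */
static int count_raw_ptr_fmt(const char *fmt)
{
    int raw = 0;
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {                /* "%%" */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;                        /* flags, width, precision, length */
        if (*p == 'p') {
            p++;
            if (*p == 'K')
                p++;                    /* %pK: honours kptr_restrict */
            else if (!isalpha((unsigned char)*p))
                raw++;                  /* bare %p: prints the raw address */
        }
    }
    return raw;
}

/* Constructed sample formats, as they might appear in driver code. */
static const char *const samples[] = {
    "nvmap handle %p refcount %d\n",    /* 1 raw */
    "nvmap handle %pK refcount %d\n",   /* 0: fixed form */
    "100%% done, ctx=%p\n",             /* 1: %% is not a conversion */
    "called from %pS at %08lx\n",       /* 0: symbol, not an address */
    "%-16p %p\n",                       /* 2: width flag before p */
};

/* Total bare %p conversions over the samples (returns 4). */
static int scan_samples(void)
{
    int total = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        total += count_raw_ptr_fmt(samples[i]);
    return total;
}

/* What %pK prints for a kernel pointer, by kptr_restrict level:
 * 0 - the real address, same as %p;
 * 1 - the real address only if the reader has CAP_SYSLOG, else zeros;
 * 2 - zeros for everyone. */
static unsigned long kptr_as_printed(int kptr_restrict, int has_cap_syslog,
                                     unsigned long addr)
{
    switch (kptr_restrict) {
    case 0:
        return addr;
    case 1:
        return has_cap_syslog ? addr : 0;
    default:
        return 0;
    }
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%d raw %%p in %s", count_raw_ptr_fmt(samples[i]), samples[i]);
    printf("total: %d\n", scan_samples());
    for (int level = 0; level <= 2; level++)
        printf("kptr_restrict=%d unprivileged sees %#lx, CAP_SYSLOG sees %#lx\n",
               level, kptr_as_printed(level, 0, 0xc0100000ul),
               kptr_as_printed(level, 1, 0xc0100000ul));
    return 0;
}
```

The scanner is meant to be fed the format strings pulled out of printk/pr_*/dev_* calls in a tree; the kptr_restrict setting itself is read and set through the kernel.kptr_restrict sysctl.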

2 years ago  ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream()...
Vladis Dronov [Thu, 31 Mar 2016 16:05:43 +0000]
ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call

create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.

This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.

Based on a patch by Takashi Iwai <tiwai@suse.de>

[Note for stable backports:
 this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
 code cleanup in create_fixed_stream_quirk()')]

Bug 1823317

Change-Id: I4f65a902a19e7b21e8bc0fa21efd833c8360a3cf
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: <stable@vger.kernel.org> # see the note above
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259999
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years ago  perf: Fix race in swevent hash
Peter Zijlstra [Tue, 15 Dec 2015 12:49:05 +0000]
perf: Fix race in swevent hash

There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.

Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.

When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.

Bug 1823317

Change-Id: I309528873f8576f96663afbe51ce2739934df16c
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259934
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mitch Luban <mluban@nvidia.com>

2 years ago  video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM
Gagan Grover [Thu, 24 Nov 2016 11:28:49 +0000]
video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM

Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.

Bug 1820242

Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

2 years ago  tcp: fix use after free in tcp_xmit_retransmit_queue()
Eric Dumazet [Wed, 17 Aug 2016 12:56:26 +0000]
tcp: fix use after free in tcp_xmit_retransmit_queue()

When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail().

Then it attempts to copy user data into this fresh skb.

If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb).

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Bug 1823317

Change-Id: I9bf709b21e5637f338c34d894617f33d84f93ecc
Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1260003
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  ext4: fix potential use after free in __ext4_journal_stop
Lukas Czerner [Sun, 18 Oct 2015 02:57:06 +0000]
ext4: fix potential use after free in __ext4_journal_stop

There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.

Bug 1823317

Change-Id: Ib6fe50ed8013943d5fc3459eb499ecda5533c6ef
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259975
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  block: fix use-after-free in sys_ioprio_get()
Omar Sandoval [Fri, 1 Jul 2016 07:39:35 +0000]
block: fix use-after-free in sys_ioprio_get()

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

#include <assert.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

int main(int argc, char **argv)
{
	pid_t pid, child;
	long nproc, i;

	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
	syscall(SYS_ioprio_set, 1, 0, 0x6000);

	nproc = sysconf(_SC_NPROCESSORS_ONLN);

	for (i = 0; i < nproc; i++) {
		/* forker: keeps creating and reaping children, so io_contexts
		 * are constantly being allocated and freed via exit_io_context() */
		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				pid = fork();
				assert(pid != -1);
				if (pid == 0) {
					_exit(0);
				} else {
					child = wait(NULL);
					assert(child == pid);
				}
			}
		}

		/* reader: hammers ioprio_get() on the process group, racing
		 * get_task_ioprio() against the exiting children */
		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
				syscall(SYS_ioprio_get, 2, 0);
			}
		}
	}

	for (;;) {
		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
		syscall(SYS_ioprio_get, 2, 0);
	}

	return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009]  ___slab_alloc+0x55d/0x5a0
[   35.530009]  __slab_alloc.isra.20+0x2b/0x40
[   35.530009]  kmem_cache_alloc_node+0x84/0x200
[   35.530009]  create_task_io_context+0x2b/0x370
[   35.530009]  get_task_io_context+0x92/0xb0
[   35.530009]  copy_process.part.8+0x5029/0x5660
[   35.530009]  _do_fork+0x155/0x7e0
[   35.530009]  SyS_clone+0x19/0x20
[   35.530009]  do_syscall_64+0x195/0x3a0
[   35.530009]  return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009]  __slab_free+0x27b/0x3d0
[   35.530009]  kmem_cache_free+0x1fb/0x220
[   35.530009]  put_io_context+0xe7/0x120
[   35.530009]  put_io_context_active+0x238/0x380
[   35.530009]  exit_io_context+0x66/0x80
[   35.530009]  do_exit+0x158e/0x2b90
[   35.530009]  do_group_exit+0xe5/0x2b0
[   35.530009]  SyS_exit_group+0x1d/0x20
[   35.530009]  entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Bug 1823317

Change-Id: If331a4574b63e9288d1019c45c28af82731e9abb
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259972
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  block: fix use-after-free in seq file
Vegard Nossum [Fri, 29 Jul 2016 08:40:31 +0000]
block: fix use-after-free in seq file

I got a KASAN report of use-after-free:

    ==================================================================
    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
    Read of size 8 by task trinity-c1/315
    =============================================================================
    BUG kmalloc-32 (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
            ___slab_alloc+0x4f1/0x520
            __slab_alloc.isra.58+0x56/0x80
            kmem_cache_alloc_trace+0x260/0x2a0
            disk_seqf_start+0x66/0x110
            traverse+0x176/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a
    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
            __slab_free+0x17a/0x2c0
            kfree+0x20a/0x220
            disk_seqf_stop+0x42/0x50
            traverse+0x3b5/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a

    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G    B           4.7.0+ #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
    Call Trace:
     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
     [<ffffffff814704ff>] object_err+0x2f/0x40
     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
     [<ffffffff814b8de6>] do_preadv+0x126/0x170
     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

open()
 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Bug 1823317

Change-Id: Ic3f82ef82c570866b48c5ea8e195d8e504570d80
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259961
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  sg: Fix double-free when drives detach during SG_IO
Calvin Owens [Fri, 30 Oct 2015 23:57:00 +0000]
sg: Fix double-free when drives detach during SG_IO

In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().

Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.

This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:

  ------------[ cut here ]------------
  kernel BUG at block/blk-core.c:1420!
  Call Trace:
  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
  [<ffffffff81602afb>] tracesys+0xdd/0xe2
    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free
it.

Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Bug 1823317

Change-Id: I883243dce583cd79e28facaa2cdd81157b293d74
Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259958
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  af_unix: Guard against other == sk in unix_dgram_sendmsg
Rainer Weikusat [Thu, 11 Feb 2016 19:37:27 +0000]
af_unix: Guard against other == sk in unix_dgram_sendmsg

The unix_dgram_sendmsg routine uses the following test

if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {

to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add an other != sk
check to guard against this.

Bug 1823317

Change-Id: I5b8f74348f82b4a84a3e01a93c58c49829b26efa
Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259949
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  proc: prevent accessing /proc/<PID>/environ until it's ready
Mathias Krause [Thu, 5 May 2016 23:22:26 +0000]
proc: prevent accessing /proc/<PID>/environ until it's ready

If /proc/<PID>/environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing reads beyond the end of what has been written.

Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
zero.  It is, apparently, intentionally set last in create_*_tables().

This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.

The expected consequence is that userland trying to access
/proc/<PID>/environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment
variables.

Bug 1823317

Change-Id: I38356eb68ffd1294f1f1250fb328bd01a3b37158
Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: Pax Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Mateusz Guzik <mguzik@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259930
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  HID: core: prevent out-of-bound readings
Benjamin Tissoires [Tue, 19 Jan 2016 11:34:58 +0000]
HID: core: prevent out-of-bound readings

Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.

The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.

Bug 1823317

Change-Id: Ib3ba92572acbdd4c9ec265e54a45f92606107700
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259928
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  tty: Prevent ldisc drivers from re-using stale tty fields
Peter Hurley [Fri, 27 Nov 2015 19:30:21 +0000]
tty: Prevent ldisc drivers from re-using stale tty fields

Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].

Harden the ldisc interface against misuse by initializing relevant
tty fields before instancing the new line discipline.

[1]
    commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
    Author: Tilman Schmidt <tilman@imap.cc>
    Date:   Tue Jul 14 00:37:13 2015 +0200

    isdn/gigaset: reset tty->receive_room when attaching ser_gigaset

[2] Report from Sasha Levin <sasha.levin@oracle.com>
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Bug 1823317

Change-Id: Ica54faa9334c587594cc19bc9da007340fda672d
Cc: Tilman Schmidt <tilman@imap.cc>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259925
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago  drivers: media: Remove support for IMX208 sensor
Vincent Chung [Tue, 22 Nov 2016 02:33:03 +0000]
drivers: media: Remove support for IMX208 sensor

Remove support for the IMX208 sensor in all T124 target branches due
to a security vulnerability reported for the Pixel C.

This Gerrit removes the IMX208 driver.

Bug 1825317

Change-Id: I5a5b140526c9aabe3f57d60cd750176579f18391
Signed-off-by: Vincent Chung <vincentc@nvidia.com>
Reviewed-on: http://git-master/r/1259195
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

arm: dts: Remove support for IMX208 sensor
Vincent Chung [Thu, 24 Nov 2016 01:24:43 +0000]
arm: dts: Remove support for IMX208 sensor

Remove support for the IMX208 sensor in all T124 target branches due
to a security vulnerability reported for the Pixel C.

This Gerrit removes the DeviceTree and configuration references.

boot.img size not changed.

Bug 1825317

Change-Id: I04c7a8cad07f31ea5aa4a33389838f2ce2a8f31f
Signed-off-by: Vincent Chung <vincentc@nvidia.com>
Reviewed-on: http://git-master/r/1259194
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX
Terje Bergstrom [Tue, 8 Nov 2016 22:29:14 +0000]
gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX

We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context
being only partially available, and can lead to use-after-free.

Bug 1834225

Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649
Signed-off-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-on: http://git-master/r/1250004
Reviewed-on: http://git-master/r/1258422
Reviewed-by: Martin Gao <marting@nvidia.com>
Tested-by: Martin Gao <marting@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Eric Chuang <echuang@nvidia.com>

[media] uvcvideo: fix null pointer dereference
Henry Lin [Wed, 23 Nov 2016 11:51:34 +0000]
[media] uvcvideo: fix null pointer dereference

stream->urb_num needs to be set to 0 while freeing urbs to avoid a null
pointer dereference afterwards.

Bug 200237870

Change-Id: Ib26f7b23f34db049790e7a5b31a8bde181b74d99
Signed-off-by: Henry Lin <henryl@nvidia.com>
Reviewed-on: http://git-master/r/1258903
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: WK Tsai <wtsai@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

HID: usbhid: improve handling of Clear-Halt and reset
Alan Stern [Tue, 2 Sep 2014 15:39:15 +0000]
HID: usbhid: improve handling of Clear-Halt and reset

This patch changes the way usbhid carries out Clear-Halt and reset.

Currently, after a Clear-Halt on the interrupt-IN endpoint, the driver
immediately restarts the interrupt URB, even if the Clear-Halt failed.
This doesn't work out well when the reason for the failure was that
the device was disconnected (when a low- or full-speed device is
connected through a hub to an EHCI controller, transfer errors caused
by disconnection are reported as stalls by the hub).  Instead now the
driver will attempt a reset after a failed Clear-Halt.

The way resets are carried out is also changed.  Now the driver will
call usb_queue_reset_device() instead of calling usb_reset_device()
directly.  This avoids a deadlock that would arise when a device is
unplugged: The hid_reset() routine runs as a workqueue item, a reset
attempt after the device has been unplugged will fail, failure will
cause usbhid to be unbound, and the disconnect routine will try to do
cancel_work_sync().  The usb_queue_reset_device() implementation is
carefully written to handle scenarios like this one properly.

Bug 1838664

Change-Id: Ifb3fb19787b87ce72c8010f3d15d8b8392413162
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Reviewed-on: http://git-master/r/1257991
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Hans Yang <hansy@nvidia.com>
Tested-by: Hans Yang <hansy@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Henry Lin <henryl@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

Revert "HID: usbhid: fix a lockup in usbhid_disconnect()"
Hans Yang [Mon, 21 Nov 2016 06:29:29 +0000]
Revert "HID: usbhid: fix a lockup in usbhid_disconnect()"

This reverts commit 5d54db82ef875f17a9b053d9267d9c222402a1c6.

Bug 1838664

Change-Id: I440d5aa147c46478d453ff5fd2ae4f17d616d832
Signed-off-by: Hans Yang <hansy@nvidia.com>
Reviewed-on: http://git-master/r/1257990
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Henry Lin <henryl@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

video: tegra: nvmap: fix possible use after free
Gagan Grover [Tue, 22 Nov 2016 09:31:11 +0000]
video: tegra: nvmap: fix possible use after free

Fix possible use after free issue.

Bug 1814555

Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1257999
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Sri Krishna Chowdary <schowdary@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

hdmi: fix a deadlock in tegra_hdmi_hpd_worker()
Haley Teng [Thu, 25 Aug 2016 09:29:01 +0000]
hdmi: fix a deadlock in tegra_hdmi_hpd_worker()

We should not call cancel_delayed_work_sync() in tegra_hdmi_hpd_worker()
since tegra_hdmi_hpd_worker() is a function called by the workqueue.
Replace cancel_delayed_work_sync() with cancel_delayed_work() in
tegra_hdmi_hpd_worker().

The backtrace below is an example of the deadlock issue.

[   81.663560] kworker/5:2     D ffffffc000085de8     0   173      2 0x00000000
[   81.670634] Workqueue: events tegra_hdmi_hpd_worker
[   81.675520] Call trace:
[   81.677959] [<ffffffc000085de8>] __switch_to+0x94/0xa8
[   81.683099] [<ffffffc000b6a048>] __schedule+0x284/0x788
[   81.688326] [<ffffffc000b6a590>] schedule+0x44/0xb0
[   81.693213] [<ffffffc0000b8e98>] __cancel_work_timer+0x18c/0x190
[   81.699216] [<ffffffc0000b8ec4>] cancel_delayed_work_sync+0x10/0x18
[   81.705483] [<ffffffc000447d74>] tegra_hdmi_hpd_worker+0x134/0x28c
[   81.711668] [<ffffffc0000b87b4>] process_one_work+0x158/0x44c
[   81.717415] [<ffffffc0000b95e4>] worker_thread+0x134/0x4a8
[   81.722899] [<ffffffc0000be8c0>] kthread+0xe0/0xf4
[   81.727691] [<ffffffc000084c90>] ret_from_fork+0x10/0x40
......
[   86.791409] sh              D ffffffc000085de8     0  1879   1782 0x00000000
[   86.798477] Call trace:
[   86.800916] [<ffffffc000085de8>] __switch_to+0x94/0xa8
[   86.806055] [<ffffffc000b6a048>] __schedule+0x284/0x788
[   86.811280] [<ffffffc000b6a590>] schedule+0x44/0xb0
[   86.816161] [<ffffffc000b6d1fc>] schedule_timeout+0x1f0/0x280
[   86.821908] [<ffffffc000b6b110>] wait_for_common+0xa0/0x144
[   86.827486] [<ffffffc000b6b1c8>] wait_for_completion+0x14/0x1c
[   86.833322] [<ffffffc0000b80ec>] flush_work+0xd0/0x188
[   86.838460] [<ffffffc0000b8da4>] __cancel_work_timer+0x98/0x190
[   86.844383] [<ffffffc0000b8ec4>] cancel_delayed_work_sync+0x10/0x18
[   86.850652] [<ffffffc00044a380>] tegra_hdmi_set_hotplug_state+0x48/0xc0
[   86.857264] [<ffffffc00044a448>] tegra_hdmi_hotplug_dbg_write+0x50/0x84
[   86.863877] [<ffffffc0001c2d88>] __vfs_write+0x2c/0xe0
[   86.869019] [<ffffffc0001c370c>] vfs_write+0x90/0x19c
[   86.874070] [<ffffffc0001c4214>] SyS_write+0x44/0xa0
[   86.879038] [<ffffffc000084cf0>] el0_svc_naked+0x24/0x28

Bug 200228986

Change-Id: I431e7903a283324f4ed482464ac150790a1ec8e1
Signed-off-by: Haley Teng <hteng@nvidia.com>
Reviewed-on: http://git-master/r/1207728
Reviewed-on: http://git-master/r/1258745
Tested-by: Prafull Suryawanshi <prafulls@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Santosh Galma <galmar@nvidia.com>
Reviewed-by: Mitch Luban <mluban@nvidia.com>

net: wireless: bcmdhd/bcmdhd_88: Time bound for dhd_dpc thread
Srinivas Ramachandran [Sat, 19 Nov 2016 01:04:07 +0000]
net: wireless: bcmdhd/bcmdhd_88: Time bound for dhd_dpc thread

Add a time bound for the dhd_dpc thread. This ensures the dpc thread does
not hog the CPU while at the same time not hurting performance either.

Bug 1844359

Change-Id: I34b061ea495581ba92d249eaa34d992f1d54b6e6
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1256652
Reviewed-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Reviewed-by: Bhadram Varka <vbhadram@nvidia.com>
Reviewed-by: Narayan Reddy <narayanr@nvidia.com>
Tested-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

video: tegra: nvmap: Check if handle holds a buffer before map
Sri Krishna chowdary [Tue, 15 Nov 2016 05:53:30 +0000]
video: tegra: nvmap: Check if handle holds a buffer before map

Consider the following case:
1. NVMAP_IOC_CREATE gives a valid fd to user space.
2. User space calls NVMAP_IOC_ALLOC and it fails, so all of the
   handle's allocation fields are zero.
3. A subsequent dma_buf_vmap or mmap on the fd leads to an __nvmap_mmap
   call.
4. The handle is valid but h->alloc, h->carveout, h->heap_pgalloc and
   h->vaddr are all 0.
5. We check for h->heap_pgalloc, which is false, so we proceed and
   dereference h->carveout, leading to a NULL pointer exception.

A valid __nvmap_mmap should occur only when h->alloc is true.
So, add a check for it.

Bug 1837468

Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1253236
GVS: Gerrit_Virtual_Submit
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
Tested-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-by: Pritesh Raithatha <praithatha@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

tty: serial8250: save/dump the port statistics
Shardar Shariff Md [Wed, 24 Feb 2016 13:21:49 +0000]
tty: serial8250: save/dump the port statistics

Save the port statistics before handling serial
interrupt and dump the current port stats when
too much work is done in serial irq handler to
know which interrupt is causing this.

Bug 1730156

Change-Id: I2b85245f1fb5f23335b13f51a298f375504a38ae
Signed-off-by: Shardar Shariff Md <smohammed@nvidia.com>
Reviewed-on: http://git-master/r/1018177
(cherry picked from commit 31cf754a649df20d7c2969d92db95e606848731f)
Reviewed-on: http://git-master/r/1257296
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Daniel Fu <danifu@nvidia.com>

hid: release snd_card without causing a deadlock
Mithun Maragiri [Mon, 14 Nov 2016 23:55:56 +0000]
hid: release snd_card without causing a deadlock

Use snd_card_free_when_closed.

Bug 1835468

Change-Id: I570ceb92431da457f1ec2136f19fc11f80e0211f
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1253091
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

KEYS: Fix ASN.1 indefinite length object parsing
David Howells [Tue, 23 Feb 2016 11:03:12 +0000]
KEYS: Fix ASN.1 indefinite length object parsing

This fixes CVE-2016-0758.

In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
it isn't validated against the remaining amount of data before being added
to the cursor.  With a sufficiently large size indicated, the check:

	datalen - dp < 2

may then fail due to integer overflow.

Fix this by checking the length indicated against the amount of remaining
data in both places a definite length is determined.

Whilst we're at it, make the following changes:

 (1) Check the maximum size of extended length does not exceed the capacity
     of the variable it's being stored in (len) rather than the type that
     variable is assumed to be (size_t).

 (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
     integer 0.

 (3) To reduce confusion, move the initialisation of len outside of:

	for (len = 0; n > 0; n--) {

     since it doesn't have anything to do with the loop counter n.

Bug 1812688

Change-Id: I808500200996d58481ad705174c8cf0559fa19c1
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1254648
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
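As an added illustration of the length validation this commit describes (example code written for this page, not the kernel's lib/asn1_decoder.c), the following simplified BER/DER walker applies the three changes the message lists: the announced length is compared against the data remaining before the cursor dp is advanced, a long-form length may not carry more octets than the variable len can hold, and the end-of-contents marker is compared against the symbolic constant ASN1_EOC. The function names, the constructed-tag test and the sample byte strings are constructed for the example and are not taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* End-of-contents tag; compared symbolically, as the commit's item (2) asks. */
#define ASN1_EOC 0x00

/*
 * Skip one TLV starting at data[*cursor] and advance *cursor past it.
 * Returns false for malformed or truncated input. "dp" is the read cursor
 * into data[0..datalen), the same name the commit message uses.
 * (Simplified example decoder, not the kernel's implementation.)
 */
static bool asn1_skip_value(const unsigned char *data, size_t datalen, size_t *cursor)
{
	size_t dp = *cursor;
	unsigned char tag, lb;
	size_t len, n;

	/* Only subtract when dp <= datalen; a header needs tag + length byte. */
	if (dp > datalen || datalen - dp < 2)
		return false;
	tag = data[dp++];
	lb  = data[dp++];

	if (lb == 0x80) {
		/* Indefinite length: constructed values only, ended by EOC (00 00). */
		if (!(tag & 0x20))
			return false;
		for (;;) {
			if (datalen - dp < 2)	/* dp <= datalen holds here */
				return false;
			if (data[dp] == ASN1_EOC) {
				if (data[dp + 1] != 0)
					return false;
				dp += 2;
				break;
			}
			if (!asn1_skip_value(data, datalen, &dp))
				return false;
		}
		*cursor = dp;
		return true;
	}

	if (lb < 0x80) {
		len = lb;				/* short form */
	} else {
		n = lb & 0x7f;				/* long form: n length octets follow */
		if (n > sizeof(len))			/* item (1): must fit the variable len */
			return false;
		if (datalen - dp < n)			/* the length octets must be present */
			return false;
		len = 0;				/* item (3): initialised outside the loop */
		for (; n > 0; n--)
			len = (len << 8) | data[dp++];
	}

	/*
	 * The CVE-2016-0758 check: compare the announced length against what is
	 * actually left instead of adding it to dp first. Adding first can push
	 * dp past datalen, after which "datalen - dp < 2" wraps and never fails.
	 */
	if (len > datalen - dp)
		return false;
	dp += len;

	*cursor = dp;
	return true;
}

/* Walk every top-level value; true only if the buffer is consumed exactly. */
bool asn1_walk(const unsigned char *data, size_t datalen)
{
	size_t dp = 0;

	while (dp < datalen)
		if (!asn1_skip_value(data, datalen, &dp))
			return false;
	return dp == datalen;
}

/* Constructed sample inputs (made up for this example). */
const unsigned char asn1_ok_definite[]   = { 0x30, 0x03, 0x02, 0x01, 0x05 };             /* SEQUENCE { INTEGER 5 } */
const unsigned char asn1_ok_indefinite[] = { 0x30, 0x80, 0x02, 0x01, 0x05, 0x00, 0x00 }; /* same, indefinite form */
const unsigned char asn1_bad_toolong[]   = { 0x30, 0x10, 0x02, 0x01, 0x05 };             /* claims 16 bytes, has 3 */
const unsigned char asn1_bad_huge[]      = { 0x04, 0x88, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; /* len = 2^64-1 */
const unsigned char asn1_bad_noeoc[]     = { 0x30, 0x80, 0x02, 0x01, 0x05 };             /* indefinite, EOC missing */

int main(void)
{
	printf("definite ok:      %d\n", asn1_walk(asn1_ok_definite, sizeof asn1_ok_definite));
	printf("indefinite ok:    %d\n", asn1_walk(asn1_ok_indefinite, sizeof asn1_ok_indefinite));
	printf("length too long:  %d\n", asn1_walk(asn1_bad_toolong, sizeof asn1_bad_toolong));
	printf("length overflows: %d\n", asn1_walk(asn1_bad_huge, sizeof asn1_bad_huge));
	printf("missing EOC:      %d\n", asn1_walk(asn1_bad_noeoc, sizeof asn1_bad_noeoc));
	return 0;
}
```

The eight-octet long-form length is the input shape the commit is concerned with: len becomes the largest value size_t can hold, so adding it to dp before checking would wrap the cursor and let a later "datalen - dp < 2" test pass; comparing len against datalen - dp first rejects it, and on a 32-bit build the item (1) check rejects it even earlier.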

android: Fix information disclosure vulnerability
Gagan Grover [Tue, 15 Nov 2016 07:18:31 +0000]
android: Fix information disclosure vulnerability

The format specifier %p can leak kernel addresses while not valuing the
kptr_restrict system settings.
The fix is designed to use %pK instead of %p, which also evaluates whether
kptr_restrict is set.

CVE-2016-6683 A-30143283
CVE-2016-6684 A-30148243

Bug 1812688

Change-Id: If2b1d25948af5c21333a189fe25e5412c6c2c27f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1253303
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

binder: Fix Information disclosure vulnerability
Gagan Grover [Tue, 15 Nov 2016 06:29:38 +0000]
binder: Fix Information disclosure vulnerability

The interaction between the kernel /dev/binder and the usermode
Parcel.cpp means that when a Binder object is passed as
BINDER_TYPE_BINDER or BINDER_TYPE_WEAK_BINDER, a pointer to that
object (in the server process) is leaked to the client process as the
cookie value. This leads to a leak of a heap address in many of the
privileged Binder services, including system_server.
The fix is designed to zero out the Binder pointer and cookie before
sending it to the client process.

Bug 1812688

Change-Id: Ie5374c3126e226f783e2d043139f9ba61e383bd9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1253265
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

sound: Fix DoS vulnerability in kernel sound driver
Gagan Grover [Mon, 14 Nov 2016 20:17:50 +0000]
sound: Fix DoS vulnerability in kernel sound driver

There is no validation of the codec variable passed to the
snd_soc_read and snd_soc_write functions.
The fix is designed to add a check for null function pointers
in the dummy sound driver.

CVE-2016-6690 A-28838221

Bug 1812688

Change-Id: I884b330e8247f345d14469d2b207a7e2a5fa8786
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1252960
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

binder: Fix Elevation of privilege vulnerability in system_server
Gagan Grover [Mon, 14 Nov 2016 19:52:08 +0000]
binder: Fix Elevation of privilege vulnerability in system_server

The usage of weak references instead of strong references in Binder
can potentially lead to a use-after-free vulnerability in
system_server. The fix is designed to no longer allow weak references
in cases where strong references are needed.

CVE-2016-6674 A-30445380

Bug 1812688

Change-Id: Ic4e028e8f1f6ae4b1ff562127f87a4a15d0a0999
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1252938
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

arm64: dma-mapping: always clear allocated buffers
Marek Szyprowski [Thu, 23 Apr 2015 11:46:16 +0000]
arm64: dma-mapping: always clear allocated buffers

[ Upstream commit 6829e274a623187c24f7cfc0e3d35f25d087fcc5 ]

Buffers allocated by dma_alloc_coherent() are always zeroed on Alpha,
ARM (32bit), MIPS, PowerPC, x86/x86_64 and probably other architectures.
It turned out that some drivers rely on this 'feature'. Allocated buffer
might be also exposed to userspace with dma_mmap() call, so clearing it
is desired from security point of view to avoid exposing random memory
to userspace. This patch unifies dma_alloc_coherent() behavior on ARM64
architecture with other implementations by unconditionally zeroing
allocated buffer.

Bug 1812688

CRs-Fixed: 1041735
Change-Id: I74bf024e0f603ca8c0b05430dc2ee154d579cfb2
Cc: <stable@vger.kernel.org> # v3.14+
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Git-commit: a142e9641dcbead2c8845c949ad518acac96ed28
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
[lmark@codeaurora.org: resolve merge conflicts]
Signed-off-by: Liam Mark <lmark@codeaurora.org>

(cherry picked from commit 6e2c437a2d0a85d90d3db85a7471f99764f7bbf8)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Ie0d4f733e1257c128af63821f7d87af50c34957e
Reviewed-on: http://git-master/r/1251952
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

arm64: perf: reject groups spanning multiple HW PMUs
Suzuki K. Poulose [Tue, 17 Mar 2015 18:14:59 +0000]
arm64: perf: reject groups spanning multiple HW PMUs

The perf core implicitly rejects events spanning multiple HW PMUs, as in
these cases the event->ctx will differ. However this validation is
performed after pmu::event_init() is called in perf_init_event(), and
thus pmu::event_init() may be called with a group leader from a
different HW PMU.

The ARM64 PMU driver does not take this fact into account, and when
validating groups assumes that it can call to_arm_pmu(event->pmu) for
any HW event. When the event in question is from another HW PMU this is
wrong, and results in dereferencing garbage.

This patch updates the ARM64 PMU driver to first test for and reject
events from other PMUs, moving the to_arm_pmu and related logic after
this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with
a CCI PMU present:

Bad mode in Synchronous Abort handler detected, code 0x86000006 -- IABT (current EL)
CPU: 0 PID: 1371 Comm: perf_fuzzer Not tainted 3.19.0+ #249
Hardware name: V2F-1XV7 Cortex-A53x2 SMM (DT)
task: ffffffc07c73a280 ti: ffffffc07b0a0000 task.ti: ffffffc07b0a0000
PC is at 0x0
LR is at validate_event+0x90/0xa8
pc : [<0000000000000000>] lr : [<ffffffc000090228>] pstate: 00000145
sp : ffffffc07b0a3ba0

[<          (null)>]           (null)
[<ffffffc0000907d8>] armpmu_event_init+0x174/0x3cc
[<ffffffc00015d870>] perf_try_init_event+0x34/0x70
[<ffffffc000164094>] perf_init_event+0xe0/0x10c
[<ffffffc000164348>] perf_event_alloc+0x288/0x358
[<ffffffc000164c5c>] SyS_perf_event_open+0x464/0x98c
Code: bad PC value

Also cleans up the code to use the arm_pmu only when we know
that we are dealing with an arm pmu event.

Bug 1812688

Cc: Will Deacon <will.deacon@arm.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Suzuki K. Poulose <suzuki.poulose@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
(cherry picked from commit 8fff105e13041e49b82f92eef034f363a6b1c071)

Change-Id: I883668dcc826e91f373653651916e25503231297
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1251882
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

net: Fix use after free in the recvmmsg exit path
Arnaldo Carvalho de Melo [Mon, 14 Mar 2016 12:56:35 +0000]
net: Fix use after free in the recvmmsg exit path

The syzkaller fuzzer hit the following use-after-free:

  Call Trace:
   [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
   [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
   [<     inline     >] SYSC_recvmmsg net/socket.c:2281
   [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
   [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
  arch/x86/entry/entry_64.S:185

And, as Dmitry rightly assessed, that is because we can drop the
reference and then touch it when the underlying recvmsg calls return
some packets and then hit an error, which will make recvmmsg to set
sock->sk->sk_err, oops, fix it.

Bug 1812688

Reported-and-Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Fixes: a2e2725541fa ("net: Introduce recvmmsg socket syscall")
http://lkml.kernel.org/r/20160122211644.GC2470@redhat.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Change-Id: I82425d90859812db30fddbf5423735559091768e
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1251868
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

drivers: hid driver for steam valve controller
Martin Gao [Fri, 18 Nov 2016 05:40:37 +0000]
drivers: hid driver for steam valve controller

Bug 200229135

For both wired and wireless connection:
- all buttons working
- gyro and accel sensors turned on (only works in wireless connection)
- right trackpad is implemented to function like right joystick. It sends
  ABS_Z and ABS_RZ to simulate right joystick events

Signed-off-by: Martin Gao <marting@nvidia.com>
Change-Id: Ic730e02335da01d0270fb5a1c91551bb1b1296f8
Reviewed-on: http://git-master/r/1252313
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

Pepper: Spotfix for write silence
David DSH [Fri, 18 Nov 2016 18:28:49 +0000]
Pepper: Spotfix for write silence

Have the timer grab the lock to prevent the task accessing the pcm_buffer
from getting a bad pointer.

Bug 1842498

Change-Id: I7f9691ceceeb8e7bb8dc00bd68617b91c4275c30
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1256442
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>

hid: jarvis: remove the sound card limit
Siddardha Naraharisetti [Tue, 15 Nov 2016 07:43:20 +0000]
hid: jarvis: remove the sound card limit

Remove the limit of 5 sound cards in driver.

Bug 1821999

Change-Id: I47ee126b3bf179902cdab4fd6faa1baaafa0117e
Signed-off-by: Siddardha Naraharisetti <siddardhan@nvidia.com>
Reviewed-on: http://git-master/r/1253331
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

Compilation of 3.10 kernel with GCC-6.1
Sujeet Baranwal [Thu, 10 Nov 2016 19:14:45 +0000]
Compilation of 3.10 kernel with GCC-6.1

All necessary changes made all across the kernel to make the
build go through with GCC 6.1.

Bug 1838484

Change-Id: Ie9eb1aecd6847df689a99abd6ea8651309db4e57
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242348
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

Alignment correction
Sujeet Baranwal [Thu, 10 Nov 2016 18:30:20 +0000]
Alignment correction

GCC-6.1 fails to build these files because of alignment errors.
Files modified accordingly.

Bug 1838484

Change-Id: Ie493dfbea195f7f756227b8e4fa355b6a011fd82
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1251327
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

Add sancov plugin
Emese Revfy [Wed, 9 Nov 2016 17:59:44 +0000]
Add sancov plugin

The sancov gcc plugin inserts a __sanitizer_cov_trace_pc() call
at the start of basic blocks.

This plugin is a helper plugin for the kcov feature. It supports
all gcc versions with plugin support (from gcc-4.5 on).
It is based on the gcc commit "Add fuzzing coverage support" by Dmitry Vyukov
(https://gcc.gnu.org/viewcvs/gcc?limit_changes=0&view=revision&revision=231296).

Signed-off-by: Emese Revfy <re.emese@gmail.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michal Marek <mmarek@suse.com>

Conflicts:
Makefile
arch/Kconfig
scripts/Makefile.gcc-plugins
scripts/gcc-plugins/Makefile

Bug 1838484

Change-Id: I590c06bdc07146a36e8d68c92151da7e7a647652
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1250558
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

GCC plugin infrastructure
Emese Revfy [Thu, 20 Oct 2016 22:16:16 +0000]
GCC plugin infrastructure

This patch allows building the whole kernel with GCC plugins. It was ported from
grsecurity/PaX. The infrastructure supports building out-of-tree modules and
building in a separate directory. Cross-compilation is supported too.
Currently the x86, arm, arm64 and uml architectures enable plugins.

The directory of the gcc plugins is scripts/gcc-plugins. You can use a file or a directory
there. The plugins compile with these options:
 * -fno-rtti: gcc is compiled with this option so the plugins must use it too
 * -fno-exceptions: this is inherited from gcc too
 * -fasynchronous-unwind-tables: this is inherited from gcc too
 * -ggdb: it is useful for debugging a plugin (better backtrace on internal
    errors)
 * -Wno-narrowing: to suppress warnings from gcc headers (ipa-utils.h)
 * -Wno-unused-variable: to suppress warnings from gcc headers (gcc_version
    variable, plugin-version.h)

The infrastructure introduces a new Makefile target called gcc-plugins. It
supports all gcc versions from 4.5 to 6.0. The scripts/gcc-plugin.sh script
chooses the proper host compiler (gcc-4.7 can be built by either gcc or g++).
This script also checks the availability of the included headers in
scripts/gcc-plugins/gcc-common.h.

The gcc-common.h header contains frequently included headers for GCC plugins
and it has a compatibility layer for the supported gcc versions.
The gcc-generate-*-pass.h headers automatically generate the registration
structures for GIMPLE, SIMPLE_IPA, IPA and RTL passes.

Note that 'make clean' keeps the *.so files (only the distclean or mrproper
targets clean all) because they are needed for out-of-tree modules.

Based on work created by the PaX Team.
Signed-off-by: Emese Revfy <re.emese@gmail.com>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Michal Marek <mmarek@suse.com>
Conflicts:
Makefile

Bug 1838484

Change-Id: I576d5ff30576449d9947489d45aff4fd79d10129
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242346
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

kcov: add AFL-style tracing
Quentin Casasnovas [Thu, 20 Oct 2016 20:57:41 +0000]
kcov: add AFL-style tracing

AFL uses a fixed-size buffer (typically 64 KiB) where each byte is
a counter representing how many times an A -> B branch was taken.
Of course, since the buffer is fixed size, it's a little imprecise
in that e.g. two different branches could map to the same counter,
but in practice it works well.
See afl:docs/technical_details.txt for more information.
Here is a small test program that demonstrates the new capability:

#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/types.h>

#define KCOV_INIT_TRACE                 _IOR('c', 1, unsigned long)
#define KCOV_INIT_AFL                   _IOR('c', 2, unsigned long)
#define KCOV_ENABLE                     _IO('c', 100)
#define KCOV_DISABLE                    _IO('c', 101)

int main(int argc, char *argv[])
{
	int fd = open("/sys/kernel/debug/kcov", O_RDWR);
	if (fd == -1)
		error(1, errno, "open()");

	unsigned long size = 1 << 10;
	if (ioctl(fd, KCOV_INIT_AFL, size) != 0)
		error(1, errno, "ioctl(KCOV_INIT_AFL)");

	void *mem = mmap(NULL, size * sizeof(long), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
	if (mem == MAP_FAILED)
		error(1, errno, "mmap()");

	/* Start kernel instrumentation */
	if (ioctl(fd, KCOV_ENABLE, 0) != 0)
		error(1, errno, "ioctl(KCOV_ENABLE)");

	printf("Hello world!\n");

	/* End kernel instrumentation */
	if (ioctl(fd, KCOV_DISABLE, 0) != 0)
		error(1, errno, "ioctl(KCOV_DISABLE)");

	/* Hex dump of memory area */
	unsigned char *mem2 = mem;
	for (unsigned int i = 0; i < size; ++i) {
		printf("%02x ", mem2[i]);
		if (i % 32 == 31)
			printf("\n");
	}

	close(fd);
	return 0;
}

This patch is a collaboration between Quentin Casasnovas and Vegard Nossum.

Bug 1838484

Change-Id: I5c7f98386857eb5fca9689ee2e0d2126bd0456ea
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Michal Zalewski <lcamtuf@gmail.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242345
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

kcov: allow more fine-grained coverage instrumentation
Vegard Nossum [Thu, 20 Oct 2016 20:47:50 +0000]
kcov: allow more fine-grained coverage instrumentation

For more targeted fuzzing, it's better to disable kernel-wide
instrumentation and instead enable it on a per-subsystem basis. This
follows the pattern of UBSAN and allows you to compile in the kcov driver
without instrumenting the whole kernel.
To instrument a part of the kernel, you can use either
    # for a single file in the current directory
    KCOV_INSTRUMENT_filename.o := y
or
    # for all the files in the current directory (excluding subdirectories)
    KCOV_INSTRUMENT := y
or
    # (same as above)
    ccflags-y += $(CFLAGS_KCOV)
or
    # for all the files in the current directory (including subdirectories)
    subdir-ccflags-y += $(CFLAGS_KCOV)

Bug 1838484

Change-Id: I2ecd3cdcaaae7a9b2f285b1b048bc03ae4686d38
Link: http://lkml.kernel.org/r/1464008380-11405-1-git-send-email-vegard.nossum@oracle.com
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242344
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

arm64: allow building with kcov coverage on ARM64
Alexander Potapenko [Wed, 19 Oct 2016 23:03:26 +0000]
arm64: allow building with kcov coverage on ARM64

Add ARCH_HAS_KCOV to ARM64 config. To avoid potential crashes, disable
instrumentation of the files in arch/arm64/kvm/hyp/*.

Signed-off-by: Alexander Potapenko <glider@google.com>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Tested-by: James Morse <james.morse@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>

Bug 1838484

Change-Id: I83e7810cfdbe842b31e128b177b037fb5275fb4a
Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242343
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
Tested-by: Bharat Nihalani <bnihalani@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User

kcov: don't profile branches in kcov
Andrey Ryabinin [Wed, 19 Oct 2016 23:02:03 +0000]
kcov: don't profile branches in kcov

Profiling 'if' statements in __sanitizer_cov_trace_pc() leads
to unbound recursion and crash:
__sanitizer_cov_trace_pc() ->
ftrace_likely_update ->
__sanitizer_cov_trace_pc() ...

Define DISABLE_BRANCH_PROFILING to disable this tracer.

Bug 1838484

Change-Id: I8384d520f2616871183cecd5f2ace463478f675f
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242342
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

kcov: don't trace the code coverage code
James Morse [Wed, 19 Oct 2016 23:00:46 +0000]
kcov: don't trace the code coverage code

Kcov causes the compiler to add a call to __sanitizer_cov_trace_pc() in
every basic block. Ftrace patches in a call to _mcount() to each function
it has annotated.

Letting these mechanisms annotate each other is a bad thing. Break the loop
by adding 'notrace' to __sanitizer_cov_trace_pc() so that ftrace won't try
to patch this code.

This patch lets arm64 with KCOV and STACK_TRACER boot.

Bug 1838484

Change-Id: Iddb322e4dcab7986413ab8af5be37c1fb1db04d2
Signed-off-by: James Morse <james.morse@arm.com>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242341
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years ago  kernel: add kcov code coverage
Dmitry Vyukov [Wed, 19 Oct 2016 21:37:22 +0000]
kernel: add kcov code coverage

kcov provides code coverage collection for coverage-guided fuzzing
(randomized testing).  Coverage-guided fuzzing is a testing technique
that uses coverage feedback to determine new interesting inputs to a
system.  A notable user-space example is AFL
(http://lcamtuf.coredump.cx/afl/).  However, this technique is not
widely used for kernel testing due to missing compiler and kernel
support.

kcov does not aim to collect as much coverage as possible.  It aims to
collect more or less stable coverage that is function of syscall inputs.
To achieve this goal it does not collect coverage in soft/hard
interrupts and instrumentation of some inherently non-deterministic or
non-interesting parts of kernel is disabled (e.g.  scheduler, locking).

Currently there is a single coverage collection mode (tracing), but the
API anticipates additional collection modes.  Initially I also
implemented a second mode which exposes coverage in a fixed-size hash
table of counters (what Quentin used in his original patch).  I've
dropped the second mode for simplicity.

This patch adds the necessary support on kernel side.  The complementary
compiler support was added in gcc revision 231296.

We've used this support to build syzkaller system call fuzzer, which has
found 90 kernel bugs in just 2 months:
  https://github.com/google/syzkaller/wiki/Found-Bugs
We've also found 30+ bugs in our internal systems with syzkaller.

Another (yet unexplored) direction where kcov coverage would greatly
help is more traditional "blob mutation".  For example, mounting a
random blob as a filesystem, or receiving a random blob over wire.

Why not gcov.  Typical fuzzing loop looks as follows: (1) reset
coverage, (2) execute a bit of code, (3) collect coverage, repeat.  A
typical coverage can be just a dozen of basic blocks (e.g.  an invalid
input).  In such context gcov becomes prohibitively expensive as
reset/collect coverage steps depend on total number of basic
blocks/edges in program (in case of kernel it is about 2M).  Cost of
kcov depends only on number of executed basic blocks/edges.  On top of
that, kernel requires per-thread coverage because there are always
background threads and unrelated processes that also produce coverage.
With inlined gcov instrumentation per-thread coverage is not possible.

kcov exposes kernel PCs and control flow to user-space which is
insecure.  But debugfs should not be mapped as user accessible.

Based on a patch by Quentin Casasnovas.
[akpm@linux-foundation.org: make task_struct.kcov_mode have type `enum kcov_mode']
[akpm@linux-foundation.org: unbreak allmodconfig]
[akpm@linux-foundation.org: follow x86 Makefile layout standards]
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Vegard Nossum <vegard.nossum@oracle.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Tavis Ormandy <taviso@google.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Kees Cook <keescook@google.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Cc: David Drysdale <drysdale@google.com>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Andrey Ryabinin <ryabinin.a.a@gmail.com>
Cc: Kirill A. Shutemov <kirill@shutemov.name>
Cc: Jiri Slaby <jslaby@suse.cz>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Conflicts:
	Makefile
	lib/Kconfig.debug
	mm/kasan/Makefile
	scripts/Makefile.lib
	kernel/Makefile

Bug 1838484

Change-Id: I3c2c66e5f431f5bfe1cb7cba4209614e60578613
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Signed-off-by: Sujeet Baranwal <sbaranwal@nvidia.com>
Reviewed-on: http://git-master/r/1242340
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
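The fuzzing loop the kcov commit message describes (reset coverage, execute a bit of code, collect coverage, decide whether the input was interesting) as a small user-space client. This is an added example, not code from the kernel patch or from syzkaller: it opens the debugfs node the patch creates (/sys/kernel/debug/kcov), uses the ioctl numbers from the kernel's uapi/linux/kcov.h (redefined locally so it builds on hosts without that header), and implements the feedback step as `merge_new_pcs()`, a helper of my own that counts PCs not seen in earlier runs. The PC values in the fallback path are constructed sample data, not real kernel addresses.

```c
/* Added example: minimal kcov client plus the coverage-feedback step of a
 * fuzzing loop.  Not part of the kernel patch. */
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <unistd.h>

/* ioctl numbers as defined in the kernel's uapi/linux/kcov.h. */
#define KCOV_INIT_TRACE _IOR('c', 1, unsigned long)
#define KCOV_ENABLE     _IO('c', 100)
#define KCOV_DISABLE    _IO('c', 101)
#define KCOV_TRACE_PC   0
#define COVER_SIZE      (64 * 1024)   /* buffer size in entries, not bytes */

/* Feedback step (helper written for this example).  In tracing mode the
 * kernel stores the number of recorded PCs in cover[0] and the PCs in
 * cover[1..n].  Returns how many PCs were not yet in `known` (the
 * "interesting input" signal) and appends them to `known`. */
size_t merge_new_pcs(const unsigned long *cover, unsigned long *known,
                     size_t *known_len, size_t known_cap)
{
    size_t n = cover[0];
    size_t added = 0;

    for (size_t i = 1; i <= n; i++) {
        unsigned long pc = cover[i];
        size_t j;

        for (j = 0; j < *known_len; j++)
            if (known[j] == pc)
                break;
        if (j != *known_len)
            continue;            /* PC already seen: no new information */
        if (*known_len == known_cap)
            break;               /* store full: stop counting */
        known[(*known_len)++] = pc;
        added++;
    }
    return added;
}

/* Open a per-thread kcov session.  Returns NULL when kcov is unavailable
 * (kernel without CONFIG_KCOV, debugfs not mounted, or no permission:
 * the node exposes kernel PCs and should stay root-only). */
static unsigned long *kcov_open(int *fd_out)
{
    int fd = open("/sys/kernel/debug/kcov", O_RDWR);
    if (fd < 0)
        return NULL;
    if (ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE)) {
        close(fd);
        return NULL;
    }
    unsigned long *cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
                                PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (cover == MAP_FAILED) {
        close(fd);
        return NULL;
    }
    if (ioctl(fd, KCOV_ENABLE, KCOV_TRACE_PC)) {
        munmap(cover, COVER_SIZE * sizeof(unsigned long));
        close(fd);
        return NULL;
    }
    *fd_out = fd;
    return cover;
}

int main(void)
{
    unsigned long known[4096];
    size_t known_len = 0;
    int fd;
    unsigned long *cover = kcov_open(&fd);

    if (cover == NULL) {
        /* No kcov here: run the feedback step on constructed buffers
         * (sample values, not real kernel addresses). */
        unsigned long run_a[] = { 3, 0xc0001000UL, 0xc0001040UL, 0xc0001000UL };
        unsigned long run_b[] = { 2, 0xc0001040UL, 0xc0002000UL };
        printf("kcov unavailable; constructed run A: %zu new PCs\n",
               merge_new_pcs(run_a, known, &known_len, 4096));
        printf("constructed run B: %zu new PCs\n",
               merge_new_pcs(run_b, known, &known_len, 4096));
        return 0;
    }

    for (int iter = 0; iter < 3; iter++) {
        /* (1) reset: zero the count; the kernel appends after cover[0] */
        __atomic_store_n(&cover[0], 0, __ATOMIC_RELAXED);
        /* (2) execute a bit of code: the syscall path under test */
        read(-1, NULL, 0);
        /* (3) collect: only PCs executed by this thread are recorded */
        size_t n = __atomic_load_n(&cover[0], __ATOMIC_RELAXED);
        size_t added = merge_new_pcs(cover, known, &known_len, 4096);
        printf("iteration %d: %zu PCs recorded, %zu new\n", iter, n, added);
    }
    ioctl(fd, KCOV_DISABLE, 0);
    munmap(cover, COVER_SIZE * sizeof(unsigned long));
    close(fd);
    return 0;
}
```

On a kernel built with CONFIG_KCOV and a root-mounted debugfs the loop reports a handful of PCs on the first iteration and none new afterwards, which is the "stable coverage that is a function of syscall inputs" property the commit aims for; the cost of each reset/collect step is the count in cover[0], not the 2M basic blocks of the whole kernel.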