19 months ago power: bq2419x: Capture Fault events in sysfs rel-24-uda-r1.2
Venkata Jagadish [Tue, 3 Oct 2017 11:41:18 +0000]
power: bq2419x: Capture Fault events in sysfs

Bug 1987213
Bug 1987216

Change-Id: I6f65d6e11fb236787d8f545a77a3da8efd117504
Signed-off-by: Venkata Jagadish <vjagadish@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1579436
Tested-by: Laxman Dewangan <ldewangan@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

19 months ago BACKPORT: pids: make task_tgid_nr_ns() safe
Oleg Nesterov [Fri, 6 Oct 2017 06:54:01 +0000]
BACKPORT: pids: make task_tgid_nr_ns() safe

This was reported many times, and this was even mentioned in commit
52ee2dfdd4f5 "pids: refactor vnr/nr_ns helpers to make them safe" but
somehow nobody bothered to fix the obvious problem: task_tgid_nr_ns()
is not safe because task->group_leader points to nowhere after the
exiting task passes exit_notify(), rcu_read_lock() can not help.

We really need to change __unhash_process() to nullify group_leader,
parent, and real_parent, but this needs some cleanups. Until then we
can turn task_tgid_nr_ns() into another user of __task_pid_nr_ns() and
fix the problem.

Bug 2000058

Bug: 31495866
Reported-by: Troy Kensinger <tkensinger@google.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
(cherry picked from commit dd1c1f2f2028a7b851f701fc6a8ebe39dcb95e7c)
Change-Id: Iad19a77f4f0aa9f3b6b0539ac9c549fa64c18550
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1574195
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

19 months ago ipv6/dccp: do not inherit ipv6_mc_list from parent
WANG Cong [Tue, 9 May 2017 23:59:54 +0000]
ipv6/dccp: do not inherit ipv6_mc_list from parent

Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
we should clear ipv6_mc_list etc. for IPv6 sockets too.

Bug 1970716
Bug 1971959
Bug 200288656

Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 83eaddab4378db256d00d295bda6ca997cd13a52)
Change-Id: Icaa523c47ab1daa47caa2ffd13c6f6d1ab3b1b55
Reviewed-on: https://git-master.nvidia.com/r/1574218
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

19 months ago net: wireless: bcmdhd_88: remove SDIO debug IOVARs causing out of bounds
Insun Song [Fri, 7 Jul 2017 21:53:03 +0000]
net: wireless: bcmdhd_88: remove SDIO debug IOVARs causing out of bounds

"sd_devreg" IOVAR can cause out of bounds access when user input is
manipulated. Proposed fix is removing debug oriented IOVARs completely.

Bug: 37622847
Bug 1990376

Change-Id: I95627c0a0c09df997a82dc50331d6e246b05a6ad
Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-on: https://git-master.nvidia.com/r/1565309
(cherry picked from commit c0fac815bbc4b78915e030054a01752f133fe219)
Reviewed-on: https://git-master.nvidia.com/r/1574183
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
Tested-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

19 months ago Revert "net: wireless: bcmdhd: remove SDIO debug IOVARs causing out of bounds"
Dhiren Parmar [Fri, 6 Oct 2017 11:35:42 +0000]
Revert "net: wireless: bcmdhd: remove SDIO debug IOVARs causing out of bounds"

This reverts commit 04f0d590de0b1df3817c73724005c47532967a01.

Change-Id: Ieb441910dc8e8d89b04a0a2394eee5d7359ea06f
Signed-off-by: Dhiren Parmar <dparmar@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1574361

19 months ago net: wireless: bcmdhd: remove SDIO debug IOVARs causing out of bounds
Insun Song [Fri, 7 Jul 2017 21:53:03 +0000]
net: wireless: bcmdhd: remove SDIO debug IOVARs causing out of bounds

"sd_devreg" IOVAR can cause out of bounds access when user input is
manipulated. Proposed fix is removing debug oriented IOVARs completely.

Bug: 37622847
Bug 1990376
Signed-off-by: Insun Song <insun.song@broadcom.com>
Change-Id: I8fc5111fe9d8d2c5d7ae5b1c24ae8e531113beae
Reviewed-on: https://git-master.nvidia.com/r/1565309
(cherry picked from commit c0fac815bbc4b78915e030054a01752f133fe219)
Reviewed-on: https://git-master.nvidia.com/r/1573683
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
Tested-by: Om Prakash Singh <omp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

19 months ago net: wireless: bcmdhd_88: adding boundary check in wl_notify_rx_mgmt_frame
Insun Song [Wed, 24 May 2017 16:21:02 +0000]
net: wireless: bcmdhd_88: adding boundary check in wl_notify_rx_mgmt_frame

added boundary check for input parameters not to corrupt kernel heap in
case user injected malformed input

Bug: 37306719
Bug 1971966
Bug 200351732
Change-Id: I6dc12e9bcfce8f3b43ecf14bfd6976bf87afeaa5
Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-on: https://git-master.nvidia.com/r/1570810
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

19 months ago net: wireless: bcmdhd_88: adding boundary check in wl_escan_handler
Insun Song [Mon, 5 Jun 2017 17:21:10 +0000]
net: wireless: bcmdhd_88: adding boundary check in wl_escan_handler

WLC_E_ESCAN_RESULT event could be manipulated especially two length field
inside, one is for escan_result buffer length and another one is
bss_info length, the forged fields may bypass current length check and
corrupt kernel heap memory.

so added checking validation for two length fields in WLC_E_ESCAN_RESULT
event.

Bug: 37351060
Bug 1971966
Bug 200351732
Change-Id: I31e9fccc48fc06278fb3a87a76ef7337296c2b0d
Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-on: https://git-master.nvidia.com/r/1570809
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

19 months ago mm/mempolicy.c: fix error handling in set_mempolicy and mbind.
Chris Salls [Sat, 8 Apr 2017 06:48:11 +0000]
mm/mempolicy.c: fix error handling in set_mempolicy and mbind.

In the case that compat_get_bitmap fails we do not want to copy the
bitmap to the user as it will contain uninitialized stack data and leak
sensitive data.

Bug 1970716
Bug 1971959
Bug 200288656

Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit cf01fb9985e8deb25ccf0ea54d916b8871ae0e62)
Change-Id: I60f7ed76df891df1ad57140b0892d6b22cde94f9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1568281
(cherry picked from commit d1032e2d497514b4539dd7be66972b9f62356016)
Reviewed-on: https://git-master.nvidia.com/r/1570208
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

19 months ago ip6_gre: fix ip6gre_err() invalid reads
Eric Dumazet [Sun, 5 Feb 2017 07:18:55 +0000]
ip6_gre: fix ip6gre_err() invalid reads

Andrey Konovalov reported out of bound accesses in ip6gre_err()

If GRE flags contains GRE_KEY, the following expression
*(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this
code more readable.

p[1] becomes greh->protocol.
grhlen is the GRE header length.

Bug 1970716
Bug 1971959
Bug 200288656

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 7892032cfe67f4bde6fc2ee967e45a8fbaf33756)
Change-Id: Iad0a924abddf49d0f5ba07afd9ce16795f74bdfd
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1568275
(cherry picked from commit 98ba3df721c016a83d1d74963b0c09d17eaa6f7f)
Reviewed-on: https://git-master.nvidia.com/r/1570207
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

19 months ago tcp: avoid infinite loop in tcp_splice_read()
Eric Dumazet [Fri, 3 Feb 2017 22:59:38 +0000]
tcp: avoid infinite loop in tcp_splice_read()

Splicing from TCP socket is vulnerable when a packet with URG flag is
received and stored into receive queue.

__tcp_splice_read() returns 0, and sk_wait_data() immediately
returns since there is the problematic skb in queue.

This is a nice way to burn cpu (aka infinite loop) and trigger
soft lockups.

Again, this gem was found by syzkaller tool.

Bug 1970716
Bug 1971959
Bug 200288656

Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82)
Change-Id: I0ed67e83effcc6c1970fe6f8192e00bf3947138d
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1565183
(cherry picked from commit 63fdebd244e1b6ddb72fcd75e6cd4fc97a3aac97)
Reviewed-on: https://git-master.nvidia.com/r/1570206
Reviewed-by: Mohan Thadikamalla <mohant@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

19 months ago ipx: call ipxitf_put() in ioctl error path
Dan Carpenter [Tue, 2 May 2017 10:58:53 +0000]
ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

Bug 1970716
Bug 1971959
Bug 200288656

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Change-Id: I5460804b62e4d81dd8de403aafc7aff64a5a3edf
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1565173
(cherry picked from commit fd2ac9fa0a7ef25f584f6d9bd05843f94594f4d1)
Reviewed-on: https://git-master.nvidia.com/r/1570203
Reviewed-by: Mohan Thadikamalla <mohant@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

19 months ago dccp/tcp: do not inherit mc_list from parent
Eric Dumazet [Tue, 9 May 2017 13:29:19 +0000]
dccp/tcp: do not inherit mc_list from parent

syzkaller found a way to trigger double frees from ip_mc_drop_socket()

It turns out that we leave a copy of parent mc_list at accept() time,
which is very bad.

Very similar to commit 8b485ce69876 ("tcp: do not inherit
fastopen_req from parent")

Initial report from Pray3r, completed by Andrey one.
Thanks a lot to them !

Bug 1970716
Bug 1971959
Bug 200288656

Change-Id: I5917eb701382a098553186fcf9f50347957cf5cd
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Pray3r <pray3r.z@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1564121
(cherry picked from commit 84a456465ed1e2e980f8490a534223f957998e75)
Reviewed-on: https://git-master.nvidia.com/r/1570196
Reviewed-by: Mohan Thadikamalla <mohant@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago net: wireless: bcmdhd_88: fix for IOVAR GET failed
Insun Song [Fri, 8 Sep 2017 10:48:29 +0000]
net: wireless: bcmdhd_88: fix for IOVAR GET failed

found some case that IOVAR callers set response buffer not enough to
contain input command string + argument. so it finally fail in IOVAR
transaction by its shorter buffer length.

proposed fix is taking care this case by providing enough local
buffer inside dhd_iovar, which enough to input/output.

Bug 1899974

Change-Id: I170c983d3fc762179e7059064c2b692ffae937db
Signed-off-by: Mohan Thadikamalla <mohant@nvidia.com>
Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-on: https://git-master.nvidia.com/r/1557591
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago net: wireless: bcmdhd_88: fix incorrect IOVAR buffer length use case
Insun Song [Fri, 8 Sep 2017 10:36:24 +0000]
net: wireless: bcmdhd_88: fix incorrect IOVAR buffer length use case

The buffer used by host driver for sending IOVAR request/response can
deliver some private kernel information to the dongle if it's not
properly uninitialized.
The fix is to redefine the current IOVAR API to manage buffer length
correctly, and update all IOVAR caller instances.
Bug: 36000515

Bug 1899974
Change-Id: Idbc5fb9175f6eee26214e2cbe947a8b1ace36615
Signed-off-by: Mohan Thadikamalla <mohant@nvidia.com>
Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-on: https://git-master.nvidia.com/r/1557590
GVS: Gerrit_Virtual_Submit
Reviewed-by: Neil Patel <neilp@nvidia.com>
Reviewed-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago net: wireless: bcmdhd: additional length check for BRCM EVENT frame.
Insun Song [Fri, 8 Sep 2017 11:15:52 +0000]
net: wireless: bcmdhd: additional length check for BRCM EVENT frame.

(cherry picked from commit 72c9463eaab0fa19a461ac8de7d0abbf825a44bd)

This is just for exceptional case where user has updated kernel to the
latest, but still used non-patched firmware. The non-patched firmware
could deliver ETHER_TYPE_BRCM packet to host.

If an attacker injects a packet with its header length forged, it could bypass
current host driver's length check routine and cause memory corruption.

Proposed fix is enhancing length check to validate its header length.

Bug 1954564
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Bug: 37168488
Change-Id: I90fc5101bddfd1d427e0a52758ddf8bc16577555
Reviewed-on: https://git-master.nvidia.com/r/1522916
(cherry picked from commit 621ef2077d66b60ccdd0a852839fb8a3f31c558f)
Reviewed-on: https://git-master.nvidia.com/r/1555479
Reviewed-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago video: tegra: nvmap: fix information leak in pin/unpin
Sri Krishna chowdary [Fri, 3 Mar 2017 05:14:08 +0000]
video: tegra: nvmap: fix information leak in pin/unpin

When the NVMAP_IOC_PIN_MULT_32 and NVMAP_IOC_UNPIN_MULT_32 are
called it is possible that the op.addr is not initialized. This
can cause write to some random address thus causing corruption.

This patch fixes Google Bug 31668540

Bug 1832092

Change-Id: I4d12d1a6c777131ba1fa2a753ea640861f8e82a6
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1315807
(cherry picked from commit d25ef256594f41723eaae3ba0bb9cb4e9c4a3b4c)
Reviewed-on: https://git-master.nvidia.com/r/1497752
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago net: wireless: bcmdhd_88: fix overrun in wl_run_escan
Insun Song [Tue, 25 Apr 2017 16:44:59 +0000]
net: wireless: bcmdhd_88: fix overrun in wl_run_escan

Prevent buffer overrun case where WLC_GET_VALID_CHANNELS IOCTL
is overridden by attacker and its return manipulated.

Bug 1887273
Bug 200288656

Bug: 34197514
Change-Id: I767a3f70639e4fb5fd82320a6436d7c0e21a7a4e
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-on: http://git-master/r/1469661
(cherry picked from commit fd48660294bd00c7ef2df874c912bc581acfab2b)
Reviewed-on: https://git-master.nvidia.com/r/1546610
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago f2fs: sanity check checkpoint segno and blkoff
Jin Qian [Wed, 19 Jul 2017 08:39:53 +0000]
f2fs: sanity check checkpoint segno and blkoff

Make sure segno and blkoff read from raw image are valid.

Bug 1954564
Bug 200288656

Change-Id: I4896cc63550f5810638861c04b6bcfcf9d36e056
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1522958
(cherry picked from commit 801d43cf1b16b20fa07f02bc1f38ce6528b548f1)
Reviewed-on: https://git-master.nvidia.com/r/1546675
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago f2fs: sanity check segment count
Jin Qian [Tue, 25 Apr 2017 23:28:48 +0000]
f2fs: sanity check segment count

F2FS uses 4 bytes to represent block address. As a result, supported
size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.

Bug 1954564
Bug 200288656

Change-Id: I4c288b7d044067ca9b850ffdddd0bdeeb5bfdcb5
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1522954
(cherry picked from commit 54ad73b49caabba0d7c7dc8f82fc7026597a97b2)
Reviewed-on: https://git-master.nvidia.com/r/1546674
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago BACKPORT: f2fs: sanity check log_blocks_per_seg
Jin Qian [Wed, 19 Jul 2017 08:17:53 +0000]
BACKPORT: f2fs: sanity check log_blocks_per_seg

f2fs currently only supports 4KB block size and 2MB segment size.
Sanity check log_blocks_per_seg == 9, i.e. 2MB/4KB = (1 << 9)

Partially
(cherry-picked from commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e)

f2fs: do more integrity verification for superblock

Do more sanity check for superblock during ->mount.

Bug 1954564
Bug 200288656

Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Bug: 36817013
Change-Id: I0be52e54fba82083068337ceb9f7ad985a87319f
Reviewed-on: https://git-master.nvidia.com/r/1522952
(cherry picked from commit fa7cb31997e5f945661b8fa8a79ea535d85afdef)
Reviewed-on: https://git-master.nvidia.com/r/1546667
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago timerfd: Protect the might cancel mechanism proper
Thomas Gleixner [Tue, 31 Jan 2017 14:24:03 +0000]
timerfd: Protect the might cancel mechanism proper

The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.

Protect the context for these operations with a separate lock.

The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.

Bug 1954564
Bug 200288656

Change-Id: Ie6c4c1a404cb0bfafc8a3a48bbc202560da7608c
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "linux-fsdevel@vger.kernel.org"
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1522946
(cherry picked from commit 11c677c13527777f2a8413cfb12f4d2fe10db7df)
Reviewed-on: https://git-master.nvidia.com/r/1546666
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago net/packet: fix overflow in check for tp_reserve
Andrey Konovalov [Wed, 29 Mar 2017 14:11:22 +0000]
net/packet: fix overflow in check for tp_reserve

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Bug 1940296
Bug 200288656

Change-Id: I12128da5390c28d4fbf99ef94ebbafe8dbc24ed8
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512350
(cherry picked from commit e656e44867126338fbe7435edb0d7169e5d6a8ed)
Reviewed-on: https://git-master.nvidia.com/r/1546659
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago net/packet: fix overflow in check for tp_frame_nr
Andrey Konovalov [Wed, 29 Mar 2017 14:11:21 +0000]
net/packet: fix overflow in check for tp_frame_nr

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Bug 1940296
Bug 200288656

Change-Id: Id499c301d4a538be717e260cac34b29134172de7
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512349
(cherry picked from commit 105ed894d50a54efa6d425fd5621e10baf258337)
Reviewed-on: https://git-master.nvidia.com/r/1546658
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago video: tegra: dsi: Set max limit for reading panel
Gagan Grover [Wed, 12 Apr 2017 11:28:42 +0000]
video: tegra: dsi: Set max limit for reading panel

In the debugfs support for reading panel registers, max payload
needs to be limited to the buff array size to avoid stack corruption.

Bug 1873360
Bug 200288656

Change-Id: Ibee7bd81027d2669297942c09b905f1dd3bb09ee
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1322188
Reviewed-on: https://git-master.nvidia.com/r/1461401
(cherry picked from commit c57a594cfc45c61e2e3cbba439c6b94ada2e1626)
Reviewed-on: https://git-master.nvidia.com/r/1546653
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago udf: Check path length when reading symlink
Jan Kara [Thu, 18 Dec 2014 21:37:50 +0000]
udf: Check path length when reading symlink

Symlink reading code does not check whether the resulting path fits into
the page provided by the generic code. This isn't as easy as just
checking the symlink size because of various encoding conversions we
perform on path. So we have to check whether there is still enough space
in the buffer on the fly.

Bug 1940296
Bug 200288656

Change-Id: I7858524c1878fb5af78a27759596befbcb164d08
CC: stable@vger.kernel.org
Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512354
(cherry picked from commit d7942b2678c23d8de5dd24447582b4ef671eaa06)
Reviewed-on: https://git-master.nvidia.com/r/1546651
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago net/packet: fix overflow in check for priv area size
Andrey Konovalov [Wed, 29 Mar 2017 14:11:20 +0000]
net/packet: fix overflow in check for priv area size

Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less than the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Bug 1940296
Bug 200288656

Change-Id: I832dab4250dcbeb8e7ddf7c83a53f13b15cd28c8
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512348
(cherry picked from commit 827cb7eb0127f807ea6a67df69a49c46006ce19a)
Reviewed-on: https://git-master.nvidia.com/r/1546649
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>
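
The three net/packet commit messages above (tp_reserve, tp_frame_nr, priv area size) all describe 32-bit arithmetic wrapping before a size check. The following userspace model is an added example, not code from these commits or from the kernel; `HDR_LEN`, `ALIGNMENT` and all function names are hypothetical stand-ins, and each function returns 1 when the request would be accepted.

```c
/* Added illustration, not kernel code: models the "before" and "after"
 * form of the three ring-size checks described in the commit messages. */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define HDR_LEN   48u  /* hypothetical block header size */
#define ALIGNMENT 8u   /* hypothetical alignment of the private area */

/* Model of BLK_PLUS_PRIV evaluated in 32 bits: the sum itself can wrap. */
uint32_t blk_plus_priv32(uint32_t priv)
{
    return HDR_LEN + ((priv + (ALIGNMENT - 1)) & ~(ALIGNMENT - 1));
}

/* Same expression after the operand is widened to 64 bits. */
uint64_t blk_plus_priv64(uint64_t priv)
{
    return HDR_LEN + ((priv + (ALIGNMENT - 1)) & ~(uint64_t)(ALIGNMENT - 1));
}

/* Before: subtract two unsigned values, cast to int, test the sign. */
int priv_ok_old(uint32_t block_size, uint32_t priv)
{
    return (int)(block_size - blk_plus_priv32(priv)) > 0;
}

/* After: compare the values as they are, in 64 bits. */
int priv_ok_new(uint32_t block_size, uint32_t priv)
{
    return (uint64_t)block_size > blk_plus_priv64(priv);
}

/* Before: frames_per_block * block_nr is computed in 32 bits and may wrap. */
int frame_nr_ok_old(uint32_t block_size, uint32_t block_nr,
                    uint32_t frame_size, uint32_t frame_nr)
{
    uint32_t fpb;

    if (frame_size == 0)
        return 0;
    fpb = block_size / frame_size;
    return fpb != 0 && fpb * block_nr == frame_nr;
}

/* After: first require block_size * block_nr to fit in 32 bits. Because
 * frames_per_block <= block_size, the later product cannot wrap either. */
int frame_nr_ok_new(uint32_t block_size, uint32_t block_nr,
                    uint32_t frame_size, uint32_t frame_nr)
{
    if (block_nr != 0 && block_size > UINT32_MAX / block_nr)
        return 0;
    return frame_nr_ok_old(block_size, block_nr, frame_size, frame_nr);
}

/* Before: hdrlen + reserve wraps, so a huge reserve looks small. */
int reserve_ok_old(uint32_t frame_size, uint32_t hdrlen, uint32_t reserve)
{
    return frame_size >= hdrlen + reserve;
}

/* After: a reserve above INT_MAX is refused when it is assigned. */
int reserve_ok_new(uint32_t frame_size, uint32_t hdrlen, uint32_t reserve)
{
    if (reserve > (uint32_t)INT_MAX)
        return 0;
    return reserve_ok_old(frame_size, hdrlen, reserve);
}

int main(void)
{
    /* Constructed inputs chosen so that the 32-bit arithmetic wraps. */
    printf("priv 0x80001000:  old=%d new=%d\n",
           priv_ok_old(4096, 0x80001000u), priv_ok_new(4096, 0x80001000u));
    printf("priv 0xFFFFFFF8:  old=%d new=%d\n",
           priv_ok_old(4096, 0xFFFFFFF8u), priv_ok_new(4096, 0xFFFFFFF8u));
    printf("block_nr wrap:    old=%d new=%d\n",
           frame_nr_ok_old(65536, 0x10000001u, 4096, 16),
           frame_nr_ok_new(65536, 0x10000001u, 4096, 16));
    printf("reserve wrap:     old=%d new=%d\n",
           reserve_ok_old(2048, 32, 0xFFFFFFF0u),
           reserve_ok_new(2048, 32, 0xFFFFFFF0u));
    return 0;
}
```

In each constructed case the old form accepts a request the new form rejects, while ordinary sizes pass both.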

20 months ago Revert "proc: smaps: Allow smaps access for CAP_SYS_RESOURCE"
Nick Desaulniers [Mon, 3 Jul 2017 05:23:49 +0000]
Revert "proc: smaps: Allow smaps access for CAP_SYS_RESOURCE"

This reverts commit f0ce0eee6b71bc310153edb87e66e6b25e12fece.

Bug 1940296
Bug 200288656

Bug: 34951864
Bug: 36468447
Change-Id: I87bd92e096c6c28a53b9ecf302ae008f5e58eba1
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512345
(cherry picked from commit 6ea30839ed3fd0a54b465d5c1de871eae036710a)
Reviewed-on: https://git-master.nvidia.com/r/1546648
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago ipv4: keep skb->dst around in presence of IP options
Eric Dumazet [Sat, 4 Feb 2017 19:16:52 +0000]
ipv4: keep skb->dst around in presence of IP options

Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
is accessed.

ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
are present.

We could refine the test to the presence of ts_needtime or srr,
but IP options are not often used, so let's be conservative.

Thanks to syzkaller team for finding this bug.

Bug 1940296
Bug 200288656

Change-Id: I0811582c8f0a0c3e205ccf3276596ae13bbe1130
Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512314
(cherry picked from commit 6eab5f969496387221220adff51d0ece83e254e8)
Reviewed-on: https://git-master.nvidia.com/r/1546647
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago dccp: fix freeing skb too early for IPV6_RECVPKTINFO
Andrey Konovalov [Thu, 16 Feb 2017 16:22:46 +0000]
dccp: fix freeing skb too early for IPV6_RECVPKTINFO

In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.

However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
in dccp_rcv_state_process.

Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.

Similar fixes for TCP:

fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed

Bug 1940296
Bug 200288656

Change-Id: I9b68d6d5208ea46e0e389cc74af31ed208384afa
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512313
(cherry picked from commit 44f5ff83371c6b3e3a1c31bf8b9d1d2e244085e6)
Reviewed-on: https://git-master.nvidia.com/r/1546646
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago tegra-alt: adsp: add parameter size checks
Viraj Karandikar [Tue, 14 Mar 2017 05:17:22 +0000]
tegra-alt: adsp: add parameter size checks

Fix possible buffer overflow in case of invalid user
parameter by adding size checks

Bug 1869543
Bug 1888389
Bug 200288656

Change-Id: I82ac00e24a3ca40915eb6c556454c9649cb644bd
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1297227
(cherry-picked from commit 2e4308a3800f3dcd4aa91a1b446cf00cf7ebda59)
Reviewed-on: http://git-master/r/1320244
(cherry picked from commit b897a07b3e83248304253cb1fbb6952bcd0c97a5)
Reviewed-on: http://git-master/r/1322108
(cherry picked from commit c15996eb01662db5b186bd84627f1385f899f1d1)
Reviewed-on: https://git-master.nvidia.com/r/1546637
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago flounder: FIQ and sysrq default deauthorized
Mark Salyzyn [Fri, 9 Jun 2017 17:40:47 +0000]
flounder: FIQ and sysrq default deauthorized

Bug 1920259
Bug 200288656
Bug: 36101220

Change-Id: Iadd05a78d39cdda0eecf46d46fa97085ec8bddce
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1499400
(cherry picked from commit 07a57d94efc37d8c8e08600733c0265803a3ab3e)
Reviewed-on: https://git-master.nvidia.com/r/1546635
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago ASoC: tegra-alt: add parameter OOB access check
Shashank Verma [Thu, 30 Mar 2017 10:48:25 +0000]
ASoC: tegra-alt: add parameter OOB access check

Prevent out-of-bound array access by adding
checks to the parameter passed from user-space.

Bug 1880773
Bug 1920259
Bug 200288656

Change-Id: I611ec5a2982b0472eae10762f5db7437e76ee5fc
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1499389
(cherry picked from commit c48ffa0346fe2d5959b0837dd4ecd6892e8f3ec6)
Reviewed-on: https://git-master.nvidia.com/r/1546633
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago [PATCH] tracing: do not leak kernel addresses
Nick Desaulniers [Sun, 16 Apr 2017 18:02:15 +0000]
[PATCH] tracing: do not leak kernel addresses

This likely breaks tracing tools like trace-cmd.  It logs in the same
format but now addresses are all 0x0.

Bug 1899974

Bug: 34277115
Change-Id: Ifb0d4d2a184bf0d95726de05b1acee0287a375d9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463515
(cherry picked from commit d4077427aa5ccb3f0538fd6301b7b722c41af321)
Reviewed-on: https://git-master.nvidia.com/r/1469696
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago [PATCH] Prevent heap overflow in uvc driver
Robb Glasser [Sun, 16 Apr 2017 17:55:58 +0000]
[PATCH] Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Bug 1899974

Bug: 33300353
Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463514
(cherry picked from commit 2ce4b93b8abcdeafd922ad03ab77b490d49f2e96)
Reviewed-on: https://git-master.nvidia.com/r/1469694
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months ago xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
Andy Whitcroft [Wed, 22 Mar 2017 07:29:31 +0000]
xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window

When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer.  However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents.  We do
not at this point check that the replay_window is within the allocated
memory.  This leads to out-of-bounds reads and writes triggered by
netlink packets.  This leads to memory corruption and the potential for
privilege escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn.  It however does not check the replay_window
remains within that buffer.  Add validation of the contained
replay_window.

Bug 1899974

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Icfade54ffb7afeb808f73ad3ff2ab50ceaf5f610
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463513
(cherry picked from commit d97f69ee6e71a4afc01b31279daa6714bb89e303)
Reviewed-on: https://git-master.nvidia.com/r/1469693
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
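
The check this commit message describes, as an added user-space sketch (not code from the commit or from the kernel tree): a size-only validator beside one that also bounds replay_window by the bitmap. The struct is a simplified model of the ESN replay state, and every function name here is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the ESN replay state: header plus bmp_len 32-bit words. */
struct replay_esn {
    uint32_t bmp_len;        /* number of 32-bit words in bmp[] */
    uint32_t oseq, seq, oseq_hi, seq_hi;
    uint32_t replay_window;  /* window size in bits */
    uint32_t bmp[];
};

static size_t replay_esn_len(const struct replay_esn *r)
{
    return sizeof(*r) + (size_t)r->bmp_len * sizeof(uint32_t);
}

/* Size-only validation: the update must be as large as the existing state. */
static int verify_len_only(const struct replay_esn *cur,
                           const void *attr, size_t attr_len)
{
    struct replay_esn hdr;

    if (attr_len < sizeof(hdr))
        return -1;
    memcpy(&hdr, attr, sizeof(hdr));      /* read the header once */
    if (attr_len < replay_esn_len(&hdr) ||
        replay_esn_len(cur) != replay_esn_len(&hdr))
        return -1;
    return 0;
}

/* Size validation plus the added rule: the window must fit in the bitmap. */
static int verify_len_and_window(const struct replay_esn *cur,
                                 const void *attr, size_t attr_len)
{
    struct replay_esn hdr;

    if (verify_len_only(cur, attr, attr_len) != 0)
        return -1;
    memcpy(&hdr, attr, sizeof(hdr));
    if (hdr.replay_window > (size_t)hdr.bmp_len * sizeof(uint32_t) * 8)
        return -1;
    return 0;
}

static struct replay_esn *make_esn(uint32_t bmp_len, uint32_t window)
{
    struct replay_esn *r = calloc(1, sizeof(*r) + (size_t)bmp_len * sizeof(uint32_t));

    if (r) {
        r->bmp_len = bmp_len;
        r->replay_window = window;
    }
    return r;
}

/* Constructed case: existing state has a 1-word bitmap (32 bits); validate an
 * update with the given bmp_len/window. Returns 0 (accepted) or -1 (rejected). */
static int check_update(int with_window_check, uint32_t bmp_len, uint32_t window)
{
    struct replay_esn *cur = make_esn(1, 32);
    struct replay_esn *up = make_esn(bmp_len, window);
    int rc = -1;

    if (cur && up)
        rc = with_window_check
            ? verify_len_and_window(cur, up, replay_esn_len(up))
            : verify_len_only(cur, up, replay_esn_len(up));
    free(cur);
    free(up);
    return rc;
}

int main(void)
{
    printf("size-only,   window 4096 in 32-bit bitmap: %d\n", check_update(0, 1, 4096));
    printf("with window, window 4096 in 32-bit bitmap: %d\n", check_update(1, 1, 4096));
    printf("with window, window 32 in 32-bit bitmap:   %d\n", check_update(1, 1, 32));
    return 0;
}
```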

20 months agoregulator: core: Fix regualtor_ena_gpio_free not to access pin after freeing
Seung-Woo Kim [Thu, 4 Dec 2014 10:17:17 +0000]
regulator: core: Fix regualtor_ena_gpio_free not to access pin after freeing

After freeing pin from regulator_ena_gpio_free, loop can access
the pin. So this patch fixes not to access pin after freeing.

Bug 1899974

Change-Id: I613a9ceca9471c93631231840ed61f86f6180850
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463512
(cherry picked from commit 58f77d4fb29f439f9b875a7fa1e06113b25218ee)
Reviewed-on: https://git-master.nvidia.com/r/1469692
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agoperf: Tighten (and fix) the grouping condition
Peter Zijlstra [Fri, 23 Jan 2015 10:19:48 +0000]
perf: Tighten (and fix) the grouping condition

The fix from 9fc81d87420d ("perf: Fix events installation during
moving group") was incomplete in that it failed to recognise that
creating a group with events for different CPUs is semantically
broken -- they cannot be co-scheduled.

Furthermore, it leads to real breakage where, when we create an event
for CPU Y and then migrate it to form a group on CPU X, the code gets
confused where the counter is programmed -- triggered in practice
as well by me via the perf fuzzer.

Fix this by tightening the rules for creating groups. Only allow
grouping of counters that can be co-scheduled in the same context.
This means for the same task and/or the same cpu.

Bug 1899974

Change-Id: Ie4752ec048cd813b2587ce459aea8ccc6f1b5189
Fixes: 9fc81d87420d ("perf: Fix events installation during moving group")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463511
(cherry picked from commit 3363bc34d21e31994ba91187afd9d4a550f71c76)
Reviewed-on: https://git-master.nvidia.com/r/1469691
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agotrace: resolve stack corruption due to string copy
Amey Telawane [Sun, 16 Apr 2017 17:37:32 +0000]
trace: resolve stack corruption due to string copy

Strcpy has no limit on string being copied which causes
stack corruption leading to kernel panic. Use strlcpy to
resolve the issue by providing length of string to be copied.

Bug 1899974

CRs-fixed: 1048480
Change-Id: Ib290b25f7e0ff96927b8530e5c078869441d409f
Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463510
(cherry picked from commit 31181e12cc26953993314db7e493c1d545ef176e)
Reviewed-on: https://git-master.nvidia.com/r/1469690
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agoALSA: pcm : Call kill_fasync() in stream lock
Takashi Iwai [Mon, 12 Dec 2016 16:33:06 +0000]
ALSA: pcm : Call kill_fasync() in stream lock

commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 upstream.

Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed().  This is potentially racy, since the stream
may get released even while the irq handler is running.  Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.

As a quick workaround, move kill_fasync() call inside the stream
lock.  The fasync is a rarely used interface, so this shouldn't have a
big impact from the performance POV.

Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler.  But this oneliner should suffice for most
cases, so far.

Bug 1899974

Change-Id: Ic31806608aae8ae3ee37145e118d9203040618a0
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463509
(cherry picked from commit 54674e2776f0f965625778b268df97dcdde7092f)
Reviewed-on: https://git-master.nvidia.com/r/1469688
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agovideo: tegra: nvmap: fix time-of-check,time-of-use vulnerability
Sri Krishna chowdary [Sat, 25 Feb 2017 19:02:47 +0000]
video: tegra: nvmap: fix time-of-check,time-of-use vulnerability

Validate the region specified by offset and size before performing
the operations like nvmap_prot_handle, nvmap_cache_maint and nvmap_handle_mk*.
This validation of offset and size once the values are in local variables
guarantees that even though user space changes the values in user buffers,
nvmap continues to perform operations with the contents that are validated.
Fixes Google Bug 34113000.

Bug 1862379
Bug 1880033

Change-Id: I32786d26c269a95122fbaf0b91d6d090cba7388e
Reviewed-on: http://git-master/r/1298712
(cherry picked from commit f45441da608d8015ece73d253d4bdb48863f99e2)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311631
(cherry picked from commit 22168ee3a52622c20ca8480de82102fb08119193)
Reviewed-on: https://git-master.nvidia.com/r/1469686
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
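
The pattern this commit message describes, as an added user-space sketch (not nvmap code): validating one read of user memory and then acting on a second read, beside the form that copies once into a local and validates and uses that copy. The struct, the simulated user memory and all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical argument block that lives in user-writable memory. */
struct range_args {
    uint64_t offset;
    uint64_t size;
};

/* Constructed stand-in for user memory rewritten by another thread:
 * the first read returns snap[0], every later read returns snap[1]. */
struct racy_user_mem {
    struct range_args snap[2];
    int reads;
};

/* Models a copy from user space: each call is a fresh read. */
static void fetch_args(struct racy_user_mem *um, struct range_args *out)
{
    *out = um->snap[um->reads > 0 ? 1 : 0];
    um->reads++;
}

/* Overflow-safe check that [offset, offset + size) lies inside the handle. */
static int range_ok(const struct range_args *a, uint64_t handle_size)
{
    return a->size != 0 && a->offset <= handle_size &&
           a->size <= handle_size - a->offset;
}

/* Check-then-refetch: the values used are not the values validated.
 * Returns the end of the range operated on, or 0 if rejected. */
static uint64_t op_double_fetch(struct racy_user_mem *um, uint64_t handle_size)
{
    struct range_args check, use;

    fetch_args(um, &check);
    if (!range_ok(&check, handle_size))
        return 0;
    fetch_args(um, &use);              /* second read may differ */
    return use.offset + use.size;
}

/* Copy once, then validate and use the same local copy. */
static uint64_t op_single_fetch(struct racy_user_mem *um, uint64_t handle_size)
{
    struct range_args local;

    fetch_args(um, &local);
    if (!range_ok(&local, handle_size))
        return 0;
    return local.offset + local.size;
}

/* Constructed case: a 4096-byte handle; user memory holds first_size on the
 * first read and later_size afterwards. Returns the end offset acted on. */
static uint64_t run_case(int single_fetch, uint64_t first_size, uint64_t later_size)
{
    struct racy_user_mem um = { { { 0, first_size }, { 0, later_size } }, 0 };

    return single_fetch ? op_single_fetch(&um, 4096)
                        : op_double_fetch(&um, 4096);
}

int main(void)
{
    printf("double fetch acts up to offset %llu of a 4096-byte handle\n",
           (unsigned long long)run_case(0, 4096, 1048576));
    printf("single fetch acts up to offset %llu of a 4096-byte handle\n",
           (unsigned long long)run_case(1, 4096, 1048576));
    return 0;
}
```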

20 months agonet: wireless: bcmdhd_88: fix buffer overrun in wlfc reordering
Insun Song [Tue, 25 Apr 2017 16:49:07 +0000]
net: wireless: bcmdhd_88: fix buffer overrun in wlfc reordering

added boundary check not to override allocated buffer

Bug 1887273
Bug 200288656

Bug: 34203305
Change-Id: Ibb90d5ec99841c920495fcf7ca8a0605bb864510
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-on: http://git-master/r/1469662
(cherry picked from commit 20e3d2497a033d4046cd64803d8c0e8ccae7c111)
Reviewed-on: https://git-master.nvidia.com/r/1546612
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agoARM64: config: tegra21: Disable I2C_HID
Gagan Grover [Wed, 19 Apr 2017 18:08:05 +0000]
ARM64: config: tegra21: Disable I2C_HID

This feature is not in use. But, its codepath exposes some security
vulnerability. Better to disable it.

boot.img size is reduced by 4096 bytes.

Bug 1857996

Change-Id: I73af25b7080fc765919864ac8369c230bfc384eb
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1465814
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agoARM: config: tegra12: Disable tegra-cryptodev
Gagan Grover [Wed, 19 Apr 2017 17:58:57 +0000]
ARM: config: tegra12: Disable tegra-cryptodev

tegra-cryptodev is used to expose IOCTLS for tegra
hardware engine. However as SE hardware engine is
disabled due to performance reasons, so disable
tegra-cryptodev module as well.

boot.img size is reduced by 4096 bytes.

Bug 1857996
Bug 200297552

Change-Id: Ibe692a3bd4fd251d02a6a524c0d6cc31855db806
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1458998
Reviewed-on: https://git-master.nvidia.com/r/1465802
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agogpu: nvgpu: Remove ref count from as_share
Alex Waterman [Tue, 31 Jan 2017 23:49:40 +0000]
gpu: nvgpu: Remove ref count from as_share

Remove the broken ref counting from as_share. The ref-count is
incremented for every bind channel but never decremented. This
results in VMs never being freed.

Bug 1846718
Bug 200288656

Change-Id: I6253b3eab7c7471d3ed6feddb3705c49a8704bed
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1296900
(cherry picked from commit c6594c744d8fca738a1a8f5177c84a05899695dc)
Reviewed-on: http://git-master/r/1306725
(cherry picked from commit f4e861ec2acea948bd160dc044f1d49e2e45fd98)
Reviewed-on: http://git-master/r/1320259
(cherry picked from commit df37ea58960aaa4974c4d5a5b5cb800086b80ed8)
Reviewed-on: https://git-master.nvidia.com/r/1465784
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agogpu: nvgpu: Simplify ref-counting on VMs
Alex Waterman [Wed, 30 Nov 2016 00:01:41 +0000]
gpu: nvgpu: Simplify ref-counting on VMs

Simplify ref-counting on VMs: take a ref when a VM is bound to a
channel and drop a ref when a channel is freed.

Previously ref-counts were scattered over the driver. Also the CE
and CDE code would bind channels with custom rolled code. This was
because the gk20a_vm_bind_channel() function took an as_share as
the VM argument (the VM was then inferred from that as_share).
However, it is trivial to abstract that bit out and allow a central
bind channel function that just takes a VM and a channel.

Bug 1846718
Bug 200288656

Change-Id: I156aab259f6c7a2fa338408c6c4a3a464cd44a0c
Reviewed-on: http://git-master/r/1261886
(cherry picked from commit 7e403974d3584ab8880e42d422ee3afb7f49d6f3)
Reviewed-on: http://git-master/r/1312293
(cherry picked from commit 1b73a6e97bf66f6bd67ffacf49a4cec1e4c14790)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1320258
(cherry picked from commit c8b139cfb4835735cb1302c69e37a8793de286d3)
Reviewed-on: https://git-master.nvidia.com/r/1465783
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agonet: wireless: bcmdhd: fix overrun in wl_run_escan
Insun Song [Sat, 14 Jan 2017 00:25:59 +0000]
net: wireless: bcmdhd: fix overrun in wl_run_escan

prevent buffer overrun case where WLC_GET_VALID_CHANNELS IOCTL
overridden by attacker and its return manipulated.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Ifbbaa3c2bdfd9bea7533d605303f18e17c8d85cc
Bug: 34197514
Reviewed-on: http://git-master/r/1459053
(cherry picked from commit aad3219daaaa44172f1c1ffeaf3447e230ef0f57)
Reviewed-on: https://git-master.nvidia.com/r/1465772
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agonet: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref
Insun Song [Wed, 1 Feb 2017 00:18:40 +0000]
net: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref

added boundary check not to override allocated buffer.
Specially when user input corrupted or manipulated.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Id6196da10111517696eda5f186b1e2dd19f66085
Bug: 34469904
Reviewed-on: http://git-master/r/1459055
(cherry picked from commit 7bbbb5e7c7007959ce2704883aff37fc470a95c1)
Reviewed-on: https://git-master.nvidia.com/r/1465774
GVS: Gerrit_Virtual_Submit
Tested-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agonet: wireless: bcmdhd: fix buffer overrun in wlfc reordering
Insun Song [Wed, 25 Jan 2017 19:41:49 +0000]
net: wireless: bcmdhd: fix buffer overrun in wlfc reordering

added boundary check not to override allocated buffer

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Iad44141ba4e4cd224eda292c05ffe525bf74227d
Bug: 34203305
Reviewed-on: http://git-master/r/1459054
(cherry picked from commit b88e3d0b355ce821c92760bf41d04a917dab092d)
Reviewed-on: https://git-master.nvidia.com/r/1465773
GVS: Gerrit_Virtual_Submit
Tested-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agonet: wireless: bcmdhd: fix buffer overrun in wl_cfg80211_add_iw_ie
Insun Song [Wed, 1 Feb 2017 03:57:20 +0000]
net: wireless: bcmdhd: fix buffer overrun in wl_cfg80211_add_iw_ie

added boundary check not to override allocated buffer.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Change-Id: I76211db7ef595fc41cf5d5d58de79cedfe80e521
Bug: 32125310
Reviewed-on: http://git-master/r/1459052
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
(cherry picked from commit 6e92cb348bf85964526c7f257e11972608bc3f3e)
Reviewed-on: https://git-master.nvidia.com/r/1465771
GVS: Gerrit_Virtual_Submit
Tested-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agoposix_acl: Clear SGID bit when setting file permissions
Jan Kara [Mon, 19 Sep 2016 15:39:09 +0000]
posix_acl: Clear SGID bit when setting file permissions

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

Bug 1887273
Bug 200288656

Change-Id: I513706c5a9f674517a340fc797fb1de6aa0c4a3f
References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1458111
(cherry picked from commit f6ad7afd14a181e0e2a5734242a65c1200d5ba3b)
Reviewed-on: http://git-master/r/1459849
(cherry picked from commit 9e810f23f710b3019107c4e898f009a2d45e5fde)
Reviewed-on: https://git-master.nvidia.com/r/1465770
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agofs: limit filesystem stacking depth
Miklos Szeredi [Thu, 23 Oct 2014 22:14:39 +0000]
fs: limit filesystem stacking depth

Add a simple read-only counter to super_block that indicates how deep this
is in the stack of filesystems.  Previously ecryptfs was the only stackable
filesystem and it explicitly disallowed multiple layers of itself.

Overlayfs, however, can be stacked recursively and also may be stacked
on top of ecryptfs or vice versa.

To limit the kernel stack usage we must limit the depth of the
filesystem stack.  Initially the limit is set to 2.

Bug 1887273
Bug 200288656

Change-Id: Ibaa154eb2b102d02370fe2003387b0131fe2955a
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1455849
(cherry picked from commit 5fa62435eaef75e479c0c157b4d911344f64b002)
Reviewed-on: http://git-master/r/1459845
(cherry picked from commit f9aa5494d35892be63c7268deb7fe7adacb6123e)
Reviewed-on: https://git-master.nvidia.com/r/1465769
GVS: Gerrit_Virtual_Submit
Reviewed-by: Pavan Kunapuli <pkunapuli@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

20 months agoudp: properly support MSG_PEEK with truncated buffers
Eric Dumazet [Wed, 30 Dec 2015 13:51:12 +0000]
udp: properly support MSG_PEEK with truncated buffers

Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.

In this case,
skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
                                 msg->msg_iov);
returns -EFAULT.

This bug does not happen in upstream kernels since Al Viro did a great
job to replace this into :
skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
This variant is safe vs short buffers.

For the time being, instead of reverting Herbert Xu's patch and adding back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic
skb_copy_and_csum_datagram_iovec() call.

This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.

Bug 1885879

Change-Id: Ie7215bf99beee2fccd662152e80767cdeb6ff9b2
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1330671
(cherry picked from commit e2df10a5b70a3c56253e31da6ff7070d0694d1ef)
Reviewed-on: http://git-master/r/1459841
(cherry picked from commit 85316cefaf3640a14a7da4190fca09bb81e7ac15)
Reviewed-on: https://git-master.nvidia.com/r/1465768
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agoRevert "usb: phy: tegra: set PD_CHRG after charger detection"
Rakesh Babu Bodla [Thu, 20 Apr 2017 11:53:08 +0000]
Revert "usb: phy: tegra: set PD_CHRG after charger detection"

Bug 200286082

This reverts commit 2e5308380be3c8c7942e37a1645566aa7d4961d6.

Change-Id: Ie2efe2fb3b6438334043930c9555616009cc6adb
Signed-off-by: Rakesh Babu Bodla <rbodla@nvidia.com>
Reviewed-on: http://git-master/r/1467414
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agomisc: tegra-baseband: prevent EHCI unload during resume
Neil Patel [Tue, 21 Feb 2017 15:54:42 +0000]
misc: tegra-baseband: prevent EHCI unload during resume

Unloading the EHCI driver during Linux system resume leads to a
condition where the unload work gets stuck forever waiting for
the device to be detached from its PM domain. This patch ensures
the Linux system resume has completed before doing the unload
work by waiting for the PM_POST_SUSPEND notification.

Bug 200273534

Change-Id: I689d409871b419c1afae1f430d315997decbadb7
Signed-off-by: Neil Patel <neilp@nvidia.com>
Reviewed-on: http://git-master/r/1308905
GVS: Gerrit_Virtual_Submit
Reviewed-by: Steve Lin <stlin@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agogpu: nvgpu: Implement NVGPU_GPU_IOCTL_GET_GPU_TIME
Sami Kiminki [Tue, 12 Apr 2016 19:33:36 +0000]
gpu: nvgpu: Implement NVGPU_GPU_IOCTL_GET_GPU_TIME

Implement NVGPU_GPU_IOCTL_GET_GPU_TIME for reading the GPU time.

Bug 1395833

Change-Id: I7ddc7c28ff0c9a336cc0dcd820b15fb0fea714d0
Signed-off-by: Sami Kiminki <skiminki@nvidia.com>
Reviewed-on: http://git-master/r/1125630
(cherry picked from commit 6b35cb05b7822174bf037da7229154004df4f229)
Reviewed-on: http://git-master/r/1317214
(cherry picked from commit cf731c89ab525c59dad38a346649999517e8ecea)
Reviewed-on: http://git-master/r/1325192
(cherry picked from commit f118e3efb7aa3ff107b00540bbd55a032cd1ddf3)
Reviewed-on: http://git-master/r/1330681
GVS: Gerrit_Virtual_Submit
Reviewed-by: Donghan Ryu <dryu@nvidia.com>

2 years agonet: wireless: bcmdhd: remove unused WEXT file.
Insun Song [Wed, 4 Jan 2017 00:21:01 +0000]
net: wireless: bcmdhd: remove unused WEXT file.

WEXT API was already obsoleted and should be removed.

Bug: 32124445
CVE:2017-0509 A-32124445
Bug 1880704

Change-Id: Iffb1c81afb9874120c64008c1072eebb8695c65f
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1310286
(cherry picked from commit 8c671aeb5f013590c58d7a5c7d4456e30fddcba3)
Reviewed-on: http://git-master/r/1314598
(cherry picked from commit 1aea8784f3e48a1964ac4e23a8d6daad8c86e386)
Reviewed-on: http://git-master/r/1324150
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agoCHROMIUM: usb: gadget: configfs: Fix KASAN use-after-free
Jim Lin [Mon, 27 Feb 2017 11:33:06 +0000]
CHROMIUM: usb: gadget: configfs: Fix KASAN use-after-free

When gadget is disconnected, running sequence is like this.
. android_work: sent uevent USB_STATE=DISCONNECTED
. Call trace:
  usb_string_copy+0xd0/0x128
  gadget_config_name_configuration_store+0x4
  gadget_config_name_attr_store+0x40/0x50
  configfs_write_file+0x198/0x1f4
  vfs_write+0x100/0x220
  SyS_write+0x58/0xa8
. configfs_composite_unbind
. configfs_composite_bind

In configfs_composite_bind, it has
"cn->strings.s = cn->configuration;"

When usb_string_copy is invoked, it would
allocate memory, copy input string, release previous pointed memory space,
and use new allocated memory.

When gadget is connected, host sends down request to get information.
Call trace:
  usb_gadget_get_string+0xec/0x168
  lookup_string+0x64/0x98
  composite_setup+0xa34/0x1ee8
  android_setup+0xb4/0x140

If gadget is disconnected and connected quickly, in the failed case,
cn->configuration memory has been released by usb_string_copy kfree but
configfs_composite_bind hasn't been run in time to assign new allocated
"cn->configuration" pointer to "cn->strings.s".

When "strlen(s->s)" of usb_gadget_get_string is being executed, the dangling
memory is accessed, "BUG: KASAN: use-after-free" error occurs.

BUG=chrome-os-partner:58412
TEST=After smaug device was connected to ubuntu PC host, detached and attached
type-C cable quickly several times without seeing
"BUG: KASAN: use-after-free in usb_gadget_get_string".

CVE:2017-0537 A-31614969
Bug 1880704

Bug: 31614969
Change-Id: I58240ee7c55ae8f8fb8597d14f09c5ac07abb032
Signed-off-by: Jim Lin <jilin@nvidia.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311872
(cherry picked from commit b0eda88ead4f9269a8697d963628050d7e6b88a3)
Reviewed-on: http://git-master/r/1313689
(cherry picked from commit f2e1288a22d6e2eadf52ccb0b0dd1387cb8ef74e)
Reviewed-on: http://git-master/r/1324148
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agonet: avoid signed overflows for SO_{SND|RCV}BUFFORCE
Eric Dumazet [Fri, 2 Dec 2016 17:44:53 +0000]
net: avoid signed overflows for SO_{SND|RCV}BUFFORCE

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Bug 1880704

Change-Id: I26b2411b5a5fd532fa8c02e2c68d0ec9acb784b1
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311861
(cherry picked from commit f459cad9a16059c8dbebb9a092ae172ea4a86235)
Reviewed-on: http://git-master/r/1314069
(cherry picked from commit 59df690ce8a50ea463e93ecc65dd897833cc54ad)
Reviewed-on: http://git-master/r/1324147
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agopacket: fix race condition in packet_set_ring
Philip Pettersson [Wed, 30 Nov 2016 22:55:36 +0000]
packet: fix race condition in packet_set_ring

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Bug 1880704

Change-Id: I22d2920ff6c26877f671908ea683468aed693fec
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311860
(cherry picked from commit 41db91bad41df89ba1e8b3d32f935130f71ac78e)
Reviewed-on: http://git-master/r/1314068
(cherry picked from commit b4db8ee7615291eeb622024f5c3e9175bcea6d50)
Reviewed-on: http://git-master/r/1324145
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years agol2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
Guillaume Nault [Fri, 18 Nov 2016 21:13:00 +0000]
l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()

Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
Without lock, a concurrent call could modify the socket flags between
the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
would then leave a stale pointer there, generating use-after-free
errors when walking through the list or modifying adjacent entries.

BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
Write of size 8 by task syz-executor/10987
CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
 ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
 ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
Call Trace:
 [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [<     inline     >] print_address_description mm/kasan/report.c:194
 [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [<     inline     >] kasan_report mm/kasan/report.c:303
 [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [<     inline     >] __write_once_size ./include/linux/compiler.h:249
 [<     inline     >] __hlist_del ./include/linux/list.h:622
 [<     inline     >] hlist_del_init ./include/linux/list.h:637
 [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
 [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
 [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
 [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 10987
 [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
 [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
 [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
 [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708
 [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716
 [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
 [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
 [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
 [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
 [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193
 [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223
 [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
 [ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10987
 [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
 [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
 [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
 [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352
 [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
 [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951
 [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369
 [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
 [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
 [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
 [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
 [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
 [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
 [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
 [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
 [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
 [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
 [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170
 [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
 [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
 [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
 [ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [ 1116.897025] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

==================================================================

The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.

Bug 1880704

Change-Id: I74188f62fd6f46aa4dcf057009c5ed086c20342a
Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311851
(cherry picked from commit 8038d929e8e2e116740a50c1f6d073547f9d27b7)
Reviewed-on: http://git-master/r/1314067
(cherry picked from commit f7be678c865fb8772c6a5219743cdc63cef2b00c)
Reviewed-on: http://git-master/r/1324143
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago netlink: Fix dump skb leak/double free
Herbert Xu [Mon, 16 May 2016 09:28:16 +0000]
netlink: Fix dump skb leak/double free

When we free cb->skb after a dump, we do it after releasing the
lock.  This means that a new dump could have started in the time
being and we'll end up freeing their skb instead of ours.

This patch saves the skb and module before we unlock so we free
the right memory.

Bug 1880704

Change-Id: I99a013d97bbbb793ebc0a196cd0e35ec198e3cb1
Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311849
(cherry picked from commit 2605cb0c4277297fdcab1257f796d623f649235f)
Reviewed-on: http://git-master/r/1314066
(cherry picked from commit bb5a0b14761206d8ab4aef2f5c9317215c3796dd)
Reviewed-on: http://git-master/r/1324142
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago android: fiq_debugger: restrict access to critical commands.
Mark Salyzyn [Mon, 27 Feb 2017 09:13:25 +0000]
android: fiq_debugger: restrict access to critical commands.

Sysrq must be enabled via /proc/sys/kernel/sysrq as a security
measure to enable various critical fiq debugger commands that
either leak information or can be used as a system attack.

Default disabled, this will leave the reboot, reset, irqs, sleep,
nosleep, console and ps commands.  Reboot and reset commands
will be restricted from taking any parameters.  We will also
switch to showing the limited command set in this mode.

CVE:2017-0510 A-32402555
Bug 1880704

Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 32402555
Change-Id: I3f74b1ff5e4971d619bcb37a911fed68fbb538d5
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1311806
(cherry picked from commit a079fb27cbb54535e3aa68429d3928dc3d1d8b5b)
Reviewed-on: http://git-master/r/1313680
(cherry picked from commit 77c42ffd1f2ec7891d1ab9830c9cb16e2b5c5cd0)
Reviewed-on: http://git-master/r/1324139
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago video: tegra: host: Fix overflow issue allocation
Mikko Perttunen [Fri, 27 Jan 2017 07:32:20 +0000]
video: tegra: host: Fix overflow issue allocation

Change kmalloc to kmalloc_array to prevent overflow issues
caused by large values supplied by user.

Based on "video: tegra: host: Fix overflow issues in allocation"
in nvhost/.

Coverity ID 27942
Bug 1856419
Bug 1880704

Change-Id: I5e96d0ec184543782dfe8814ad7e856b3b71221c
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1295053
(cherry picked from commit 66adb8e35e0ad0d5ce383996fcc8bad3be8821f5)
Reviewed-on: http://git-master/r/1312008
(cherry picked from commit 9b414f949780a48a1c93d495465c8c39eb342df8)
Reviewed-on: http://git-master/r/1324133
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago video: tegra: host: use lock to get syncpt name
Gagan Grover [Tue, 22 Nov 2016 10:13:19 +0000]
video: tegra: host: use lock to get syncpt name

Use sp->syncpt_mutex lock to get syncpt name in
syncpt_name_show()
Without the lock, it is possible for user to read
syncpt name in corrupted state if user read
coincides with syncpt free

Bug 1838598

Change-Id: I69ca5c1d80adaca4b93a337fe4a5debeb78f34fc
Reviewed-on: http://git-master/r/1252580
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1258020
(cherry picked from commit 9a7d12e49ca6c627dff2dc4c15fa9ba153e9265d)
Reviewed-on: http://git-master/r/1270244
(cherry picked from commit bcfa618cda62fd56ee30676ed7ee62a7b0b942cd)
Reviewed-on: http://git-master/r/1306719
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago BACKPORT: aio: mark AIO pseudo-fs noexec
Nick Desaulniers [Mon, 16 Jan 2017 12:58:30 +0000]
BACKPORT: aio: mark AIO pseudo-fs noexec

This ensures that do_mmap() won't implicitly make AIO memory mappings
executable if the READ_IMPLIES_EXEC personality flag is set.  Such
behavior is problematic because the security_mmap_file LSM hook doesn't
catch this case, potentially permitting an attacker to bypass a W^X
policy enforced by SELinux.

I have tested the patch on my machine.

To test the behavior, compile and run this:

    #define _GNU_SOURCE
    #include <unistd.h>
    #include <sys/personality.h>
    #include <linux/aio_abi.h>
    #include <err.h>
    #include <stdlib.h>
    #include <stdio.h>
    #include <sys/syscall.h>

    int main(void) {
        personality(READ_IMPLIES_EXEC);
        aio_context_t ctx = 0;
        if (syscall(__NR_io_setup, 1, &ctx))
            err(1, "io_setup");

        char cmd[1000];
        sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'",
            (int)getpid());
        system(cmd);
        return 0;
    }

In the output, "rw-s" is good, "rwxs" is bad.

Signed-off-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a)

Bug: 31711619
Bug 1858126
CVE:2016-10044 (A-31711619)

Change-Id: I9f2872703bef240d6b82320c744529459bb076dc
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285940
(cherry picked from commit b552c94fbcad36a52973a1141adafbe351b75b90)
Reviewed-on: http://git-master/r/1299533
(cherry picked from commit 79d1f35c10e5438fbb441cd1524b02cda377e04f)
Reviewed-on: http://git-master/r/1306718
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()
Greg Hackmann [Mon, 23 Jan 2017 09:41:30 +0000]
net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()

Bug: 32838767
Bug 1858126
CVE:2017-0430 (A-32838767)

Change-Id: I3676556002c3bc63762919e540f68d13959b2af4
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1292382
(cherry picked from commit 2a408e9f998e0013906c58f7a2314bacf47ec672)
Reviewed-on: http://git-master/r/1299528
(cherry picked from commit 088ac085161e19efa60fddb9c20bd1e838c8f5e3)
Reviewed-on: http://git-master/r/1306717
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()
Greg Hackmann [Mon, 16 Jan 2017 12:30:19 +0000]
net: wireless: bcmdhd: fix use-after-free in _dhd_pno_get_for_batch()

Bug: 32838767
Bug 1858126
CVE:2017-0430 (A-32838767)

Change-Id: I987b07c30b3ed76865a002e7c154a5fa36b1bf29
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285925
(cherry picked from commit bc90cd7f96782e30db3bc3a82d7f20efae9ea78e)
Reviewed-on: http://git-master/r/1299526
(cherry picked from commit 9f5ee0dfa24f656ff6e49b5909bdaeae088d59fa)
Reviewed-on: http://git-master/r/1306716
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago fs/proc/array.c: make safe access to group_leader
Adrian Salido [Mon, 16 Jan 2017 11:56:05 +0000]
fs/proc/array.c: make safe access to group_leader

As mentioned in commit 52ee2dfdd4f51cf422ea6a96a0846dc94244aa37
("pids: refactor vnr/nr_ns helpers to make them safe"). *_nr_ns
helpers used to be buggy. The commit addresses most of the helpers but
is missing task_tgid_xxx()

Without this protection there is a possible use after free reported by
kasan instrumented kernel:

==================================================================
BUG: KASAN: use-after-free in task_tgid_nr_ns+0x2c/0x44 at addr ***
Read of size 8 by task cat/2472
CPU: 1 PID: 2472 Comm: cat Tainted: ****
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc00020ad2c>] dump_backtrace+0x0/0x17c
[<ffffffc00020aec0>] show_stack+0x18/0x24
[<ffffffc0011573d0>] dump_stack+0x94/0x100
[<ffffffc0003c7dc0>] kasan_report+0x308/0x554
[<ffffffc0003c7518>] __asan_load8+0x20/0x7c
[<ffffffc00025a54c>] task_tgid_nr_ns+0x28/0x44
[<ffffffc00046951c>] proc_pid_status+0x444/0x1080
[<ffffffc000460f60>] proc_single_show+0x8c/0xdc
[<ffffffc0004081b0>] seq_read+0x2e8/0x6f0
[<ffffffc0003d1420>] vfs_read+0xd8/0x1e0
[<ffffffc0003d1b98>] SyS_read+0x68/0xd4

Accessing group_leader while holding rcu_lock and using the now safe
helpers introduced in the commit mentioned, this race condition is
addressed.

Bug: 31495866
Bug 1858126
CVE:2017-0427 (A-31495866)

Signed-off-by: Adrian Salido <salidoa@google.com>
Change-Id: I4315217922dda375a30a3581c0c1740dda7b531b
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285902
(cherry picked from commit 3367b633042dcc778642f95cd0b3acd6c3a0a0fe)
Reviewed-on: http://git-master/r/1299523
(cherry picked from commit d6b8dd489f260d69473e03609b2ac637a3a75201)
Reviewed-on: http://git-master/r/1306714
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago video: tegra: nvmap: fix nvmap create handle vulnerability
skadamati [Thu, 15 Dec 2016 11:23:22 +0000]
video: tegra: nvmap: fix nvmap create handle vulnerability

Handle the race condition between malicious fd close and
copy_to_user error, which can create use after free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to use after free condition.
Fixing Google Bug 32160775.

Bug 1835857
Bug 200260161
Bug 1849492
Bug 1825283
CVE:2016-8424 (A-31606947)

Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Reviewed-on: http://git-master/r/1248391
(cherry picked from commit c26f2a34c189bef2d99740a420b2ab4023d912c0)
Reviewed-on: http://git-master/r/1273324
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285852
(cherry picked from commit b1513dff2b4bd35d1b400645642bce8dcf3c96c7)
Reviewed-on: http://git-master/r/1299501
(cherry picked from commit 3993b1f51cd24e93b460d24b2659f0c7a6c6cf8a)
Reviewed-on: http://git-master/r/1306703
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago video: tegra: nvmap: Fix OOB vulnerability
Sagar Kadamati [Tue, 6 Dec 2016 06:08:01 +0000]
video: tegra: nvmap: Fix OOB vulnerability

Check all pages' parameters before reserve pages.

Bug 1831426
Bug 200247013
Bug 1849492
CVE:2016-8428 (A-31993456)

Manual port: http://git-psac/r/9287

(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)

Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Reviewed-on: http://git-master/r/1273326
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285872
(cherry picked from commit 0a44c684a3bdad4d25d0c5a89e04170196e12ff6)
Reviewed-on: http://git-master/r/1299504
(cherry picked from commit e124868998c604716d0ece1a0cb7e187db4adb18)
Reviewed-on: http://git-master/r/1306692
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago KEYS: Fix short sprintf buffer in /proc/keys show function
David Howells [Wed, 26 Oct 2016 14:01:54 +0000]
KEYS: Fix short sprintf buffer in /proc/keys show function

This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:

(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.

The panic incurred looks something like:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
 ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
 [<ffffffff813d941f>] dump_stack+0x63/0x84
 [<ffffffff811b2cb6>] panic+0xde/0x22a
 [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
 [<ffffffff81350410>] ? key_validate+0x50/0x50
 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
 [<ffffffff8126b31c>] seq_read+0x2cc/0x390
 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
 [<ffffffff81244fc7>] __vfs_read+0x37/0x150
 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
 [<ffffffff81246156>] vfs_read+0x96/0x130
 [<ffffffff81247635>] SyS_read+0x55/0xc0
 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

CVE:2016-7042
Bug 1849492

Change-Id: I5117ab6175297f657a498fd2140080c7595b3a10
Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285745
(cherry picked from commit 7c1dcda59f88a1dec328afd398a9d9465fb44084)
Reviewed-on: http://git-master/r/1299506
(cherry picked from commit abd6568565c92f5246345f6195f2142ff2abf7ad)
Reviewed-on: http://git-master/r/1306691
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago perf: don't leave group_entry on sibling list(use-after-free)
John Dias [Mon, 16 Jan 2017 08:22:04 +0000]
perf: don't leave group_entry on sibling list(use-after-free)

When perf_group_detach is called on a group leader,
it should empty its sibling list. Otherwise, when
a sibling is later deallocated, list_del_event()
removes the sibling's group_entry from its current
list, which can be the now-deallocated group leader's
sibling list (use-after-free bug).

Bug: 32402548

CVE:2017-0403 (A-32402548)
Bug 1849492

Change-Id: I99f6bc97c8518df1cb0035814368012ba72ab1f1
Signed-off-by: John Dias <joaodias@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285800
(cherry picked from commit a5dc2d079ba88bba5dc78484d4820842af65d656)
Reviewed-on: http://git-master/r/1299508
(cherry picked from commit 8dae5d362123d37d29552b5a9ed89c7dbfe3dd55)
Reviewed-on: http://git-master/r/1306689
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago media: tegra: nvavp: Fix UAF issue.
Jitendra Kumar [Thu, 27 Oct 2016 08:35:00 +0000]
media: tegra: nvavp: Fix UAF issue.

Use locking to protect generated fd, so that it can't be
freed before channel open completes. Also add null value checks
in release call.

CVE:2016-8449 (A-31798848)
Bug 1830023
Bug 1849492

Change-Id: Ie6e2b29c7132fdfdff6b0bfa75440bd43afffd5f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285817
(cherry picked from commit 2ff0fdedfd65f269359d6540df4662e958681aa7)
Reviewed-on: http://git-master/r/1299505
(cherry picked from commit ea1af2ce5a746bda36205357c9e0adaf527026bb)
Reviewed-on: http://git-master/r/1306688
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago ALSA: info: Check for integer overflow in snd_info_entry_write()
Siqi Lin [Mon, 16 Jan 2017 08:28:01 +0000]
ALSA: info: Check for integer overflow in snd_info_entry_write()

snd_info_entry_write() resizes the buffer with an unsigned long
size argument that gets truncated because resize_info_buffer()
takes the size parameter as an unsigned int. On 64-bit kernels,
this causes the following copy_to_user() to write out-of-bounds
if (pos + count) can't be represented by an unsigned int.

Bug: 32510733

CVE:2017-0404 (A-32510733)
Bug 1849492

Change-Id: I9e8b55f93f2bd606b4a73b5a4525b71ee88c7c23
Signed-off-by: Siqi Lin <siqilin@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285802
(cherry picked from commit 080aad52eb18b8f622676063334f105a77f6cf58)
Reviewed-on: http://git-master/r/1299509
(cherry picked from commit 935b76652a88fd9906eefea1030c051613310f64)
Reviewed-on: http://git-master/r/1306687
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
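
The narrowing described in the ALSA commit message above, as an added user-space model (not the kernel code or the patch itself). `resize_model()`, `bytes_past_end_unchecked()` and `check_write_range()` are hypothetical names, `uint64_t` stands in for a 64-bit `unsigned long`, and the sample offsets are constructed.

```c
#include <errno.h>
#include <inttypes.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for a resize helper whose size parameter is
 * unsigned int: it reports how many bytes the buffer holds afterwards.
 */
static uint64_t resize_model(unsigned int nsize)
{
    return nsize;
}

/*
 * Unchecked path: the 64-bit end offset (pos + count) is narrowed to
 * unsigned int at the call, so the buffer is sized from the low bits only.
 * Returns how many bytes of the following copy would land past the buffer.
 */
uint64_t bytes_past_end_unchecked(uint64_t pos, uint64_t count)
{
    uint64_t next = pos + count;
    uint64_t have = resize_model((unsigned int)next);

    return next > have ? next - have : 0;
}

/*
 * Checked path: reject the write before resizing when the end offset
 * wraps around or does not fit in the helper's unsigned int parameter.
 */
int check_write_range(uint64_t pos, uint64_t count)
{
    if (count > UINT64_MAX - pos)
        return -EINVAL;               /* pos + count wraps around */
    if (pos + count > UINT_MAX)
        return -EINVAL;               /* would be truncated by the helper */
    return 0;
}

int main(void)
{
    /* Constructed sample: a 16-byte write at an offset just above 4 GiB. */
    uint64_t pos = 0x100000000ULL, count = 16;

    printf("unchecked: %" PRIu64 " bytes past the end\n",
           bytes_past_end_unchecked(pos, count));
    printf("checked:   %d\n", check_write_range(pos, count));
    return 0;
}
```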

2 years ago ring-buffer: Prevent overflow of size in ring_buffer_resize()
Steven Rostedt (Red Hat) [Fri, 13 May 2016 13:34:12 +0000]
ring-buffer: Prevent overflow of size in ring_buffer_resize()

If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.

Here's the details:

  # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

tracing_entries_write() processes this and converts kb to bytes.

 18014398509481980 << 10 = 18446744073709547520

and this is passed to ring_buffer_resize() as unsigned long size.

 size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

BUF_PAGE_SIZE is 4080 and here

 18446744073709547520 + 4080 - 1 = 18446744073709551599

where 18446744073709551599 is still smaller than 2^64

 2^64 - 18446744073709551599 = 17

But now 18446744073709551599 / 4080 = 4521260802379792

and size = size * 4080 = 18446744073709551360

This is checked to make sure it's still greater than 2 * 4080,
which it is.

Then we convert to the number of buffer pages needed.

 nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

but this time size is 18446744073709551360 and

 2^64 - (18446744073709551360 + 4080 - 1) = -3823

Thus it overflows and the resulting number is less than 4080, which makes

  3823 / 4080 = 0

and nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.

There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.

CVE:2016-9754
Bug 1849492

Change-Id: I442132282517827c51b3fdbd31f323fe426d6daa
Cc: stable@vger.kernel.org # 3.5+
Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285747
(cherry picked from commit 8f8088aaee836d8c6c93c3df52a0d08b8f67b3b0)
Reviewed-on: http://git-master/r/1299510
(cherry picked from commit 580a30ff59e0fcc79159da6ea8afe5b2c7640861)
Reviewed-on: http://git-master/r/1306686
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
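
The arithmetic walked through in the ring-buffer commit message above, as an added user-space model (not the kernel code or the patch itself). `uint64_t` stands in for a 64-bit `unsigned long`, the function names are hypothetical, and the step order follows the message rather than the kernel source.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Values and macro as given in the commit message. */
#define BUF_PAGE_SIZE 4080ULL
#define DIV_ROUND_UP(a, b) (((a) + (b) - 1) / (b))

/* buffer_size_kb is converted from kb to bytes before the resize call. */
uint64_t kb_to_bytes(uint64_t kb)
{
    return kb << 10;
}

/*
 * Flow described in the message: round up to pages, scale back to bytes,
 * enforce the two-page minimum on the byte count, then round up to pages
 * a second time. The second rounding adds 4079 to a value that is already
 * within 4079 of 2^64, so the sum wraps and the page count becomes 0.
 */
uint64_t nr_pages_two_roundings(uint64_t size)
{
    size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
    size *= BUF_PAGE_SIZE;
    if (size < BUF_PAGE_SIZE * 2)
        size = BUF_PAGE_SIZE * 2;
    return DIV_ROUND_UP(size, BUF_PAGE_SIZE);
}

/*
 * One rounding only, with the minimum applied to the page count itself.
 * The addition inside DIV_ROUND_UP can still wrap for size values above
 * UINT64_MAX - 4079; the input from the message is below that.
 */
uint64_t nr_pages_one_rounding(uint64_t size)
{
    uint64_t nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

    if (nr_pages < 2)
        nr_pages = 2;
    return nr_pages;
}

int main(void)
{
    /* The buffer_size_kb value quoted in the commit message. */
    uint64_t size = kb_to_bytes(18014398509481980ULL);

    printf("bytes          = %" PRIu64 "\n", size);
    printf("two roundings  = %" PRIu64 " pages\n", nr_pages_two_roundings(size));
    printf("one rounding   = %" PRIu64 " pages\n", nr_pages_one_rounding(size));
    return 0;
}
```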

2 years ago gpu: nvgpu: serialize debug session IOCTLs
Deepak Nibade [Mon, 23 Jan 2017 11:32:07 +0000]
gpu: nvgpu: serialize debug session IOCTLs

Hold debug_s->ioctl_lock for all debug session IOCTLs to prevent
multi-threaded user space IOCTL calls.
Debug session IOCTL calls are not thread-safe and hence this
serialization is required.

Bug 1832267
Bug 1832095
Bug 1849492

Change-Id: I847ac951601d4f0093546b592bdb8c8f00185317
Reviewed-on: http://git-master/r/1286436
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1292432
(cherry picked from commit d4629278161f2dc3c74e0f13c6ca08038355dd22)
Reviewed-on: http://git-master/r/1299511
(cherry picked from commit 6800b190bfb4ca00c5fef064b5a7ac2c65b8f4a4)
Reviewed-on: http://git-master/r/1306684
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago net: wireless: bcmdhd: fix buffer overrun in private command path
Insun Song [Sun, 29 Jan 2017 10:48:08 +0000]
net: wireless: bcmdhd: fix buffer overrun in private command path

buffer overrun case found when length parameter manipulated.

1. if input parameter buffer length is less than 4k,
then allocate 4k by default. It helps to get enough margin
for output string overwritten.

2. added additional length check not to override user space
allocated buffer size.

Bug 1849492

Change-Id: I586ad7aed3fce24264d520f5257e2833d4e57159
Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1295708
(cherry picked from commit 1402382883c9f6793630d6abe6f424a354771980)
Reviewed-on: http://git-master/r/1298474
(cherry picked from commit 347ad09ee15929eb3e7b79b82855c6aea74418d3)
Reviewed-on: http://git-master/r/1306683
GVS: Gerrit_Virtual_Submit
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago arm: dts: Add DTB build time
Gagan Grover [Thu, 16 Feb 2017 08:59:46 +0000]
arm: dts: Add DTB build time

Add DTB build time for all T124 SOCs.
This will also help us to identify that DTB file is updated
correctly or not.

Bug 200278602

Change-Id: Icb40db26e5e776085dcf2a218270603b53fb3cba
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1306072
Reviewed-by: Harry Lin <harlin@nvidia.com>
Reviewed-by: Venkat Reddy Talla <vreddytalla@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago usb : tegra : prevent current value corruption
Somdutta Roy [Thu, 16 Feb 2017 02:23:10 +0000]
usb : tegra : prevent current value corruption

In cases when the node for the current in uA value
is absent in the DTB, prevent taking a corrupt
value in the container variable and passing it
over to the regulator. This issue has hit EU's
in cases when the DTB does not get updated during
OTA / flashing.

Bug 200278602

Change-Id: If02ad71e7335d77f39c9b7842d1cdeb1f9a4d111
Signed-off-by: Somdutta Roy <somduttar@nvidia.com>
Reviewed-on: http://git-master/r/1305809
Reviewed-by: Venkat Reddy Talla <vreddytalla@nvidia.com>
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago Revert "Revert "ARM: enable CONFIG_IOSCHED_DEADLINE and CONFIG_IOSCHED_CFQ""
Todd Poynter [Wed, 25 Jan 2017 21:14:37 +0000]
Revert "Revert "ARM: enable CONFIG_IOSCHED_DEADLINE and CONFIG_IOSCHED_CFQ""

This reverts commit 1e4a15c3346469026ee3a58075d42bddb7b16cf2.

bug 200262350

Change-Id: I34809d18772254da4ee13133429939a6ee8ac609
signed-off-by: Todd Poynter <tpoynter@nvidia.com>
Reviewed-on: http://git-master/r/1294216

2 years ago Revert "ARM: enable CONFIG_IOSCHED_DEADLINE and CONFIG_IOSCHED_CFQ"
Dhiren Parmar [Wed, 25 Jan 2017 04:01:08 +0000]
Revert "ARM: enable CONFIG_IOSCHED_DEADLINE and CONFIG_IOSCHED_CFQ"

This reverts commit 3a4c3292041ae74bc1f8dbb6cfbabc936b69af88.

bug 200262350

Change-Id: I5f5a4e004a46341093801d8914cc123e0e4ef731
Signed-off-by: Dhiren Parmar <dparmar@nvidia.com>
Reviewed-on: http://git-master/r/1293660

2 years ago ARM: enable CONFIG_IOSCHED_DEADLINE and CONFIG_IOSCHED_CFQ
Ian Chang [Fri, 20 Jan 2017 08:29:29 +0000]
ARM: enable CONFIG_IOSCHED_DEADLINE and CONFIG_IOSCHED_CFQ

bug 200262350

Change-Id: I6ca11684b743923b57ec5bdbc074104e889a7f9b
Signed-off-by: Andy Chiang <achiang@nvidia.com>
Reviewed-on: http://git-master/r/1291483
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago Revert "DNI: revert block related code to rel-24-sb-r1"
Dhiren Parmar [Fri, 20 Jan 2017 08:29:16 +0000]
Revert "DNI: revert block related code to rel-24-sb-r1"

This reverts commit b1ffeb9b2f33b957085a284d87b7b297746e1dc1.

Change-Id: I9d0e9533ca3338ffe11c22a1ed7aade2ac4e15af
Signed-off-by: Dhiren Parmar <dparmar@nvidia.com>
Reviewed-on: http://git-master/r/1291479

2 years ago DNI: revert block related code to rel-24-sb-r1
Ian Chang [Wed, 18 Jan 2017 12:53:50 +0000]
DNI: revert block related code to rel-24-sb-r1

Change-Id: Ic8c6b5f939e9127b867478c7211cad5de2d34a39
Signed-off-by: Ian Chang <ianc@nvidia.com>
Reviewed-on: http://git-master/r/1287800
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago video: tegra: dc: Add quick for Vizio P series rel-24-uda-r1
Aly Hirani [Wed, 11 Jan 2017 07:29:58 +0000]
video: tegra: dc: Add quick for Vizio P series

The Vizio SmartCast P series 4K TVs fail 1/3 hotplugs with "No Signal".
Experiments showed that enabling HDMI 2.0 scrambling and HDCP at the
same time causes this failure from Vizio's side.

This change adds a WAR to introduce a 5 second delay after modeset to
start the hdcp (instead of the standard 100ms delay).

This change also adds edid quirks to limit the 5 second delay to only
the P cast series.

Bug ??

Change-Id: I96d1200afa20401d09ab5d1d2966ab24ac761b2b
Signed-off-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-on: http://git-master/r/1283347
Reviewed-by: Mandar Padmawar <mpadmawar@nvidia.com>
Tested-by: Mandar Padmawar <mpadmawar@nvidia.com>

2 years ago drivers: wireless: bcmdhd_88: increase dpc_bound to 12ms
Srinivas Ramachandran [Wed, 4 Jan 2017 19:05:52 +0000]
drivers: wireless: bcmdhd_88: increase dpc_bound to 12ms

Increase dpc_bound to improve tx throughput

Bug 200266248

Change-Id: Iaef3d23f32b2b3ffafe3abd66429bb008ab57ad2
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: http://git-master/r/1282300
GVS: Gerrit_Virtual_Submit
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>

2 years ago iio: imu: NVI v.342 Fix ACC resume
Erik Lilliebjerg [Sun, 8 Jan 2017 23:48:17 +0000]
iio: imu: NVI v.342 Fix ACC resume

- Accelerometer sensor is HW disabled when suspending.  When resuming, if
  the gyroscope sensor is enabled first, it didn't account for HW enabling
  the accelerometer as well if previously enabled before suspending.  This
  was intermittent behavior depending on the wake source and resume timing
  of the external sensors on the auxiliary ports, as well as resume enable
  from user space.

Bug 200266677

Change-Id: Iada223304f7991d6da256a19a26cddd5ff20ec55
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1281847
(cherry picked from commit 427c6f17fbf810f399138627b5294a8bc602cafe)
Reviewed-on: http://git-master/r/1282259
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago iio: imu: nvi: Fix false error message
Erik Lilliebjerg [Sat, 31 Dec 2016 21:37:41 +0000]
iio: imu: nvi: Fix false error message

- Due to Invensense parts being register incompatible (even the HW ID),
  there were false error messages during the driver process of identifying
  the part.  This patch suppresses those error messages until the part is
  identified and the errors become legitimate.

Bug 200260974

Change-Id: Ibd7c6fe6e4b6424cfc2f7bf04f1a64405b03e539
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1278897
(cherry picked from commit 010a8eaf597e519d5c1a258bf0015c719e0928c6)
Reviewed-on: http://git-master/r/1282258
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago iio: imu: nvi: Fix coverity
Erik Lilliebjerg [Wed, 28 Dec 2016 13:41:15 +0000]
iio: imu: nvi: Fix coverity

- Fix bad shift.
- Fix uninitialized scalar variable.

Coverity ID: 38965
Coverity ID: 38966
Coverity ID: 38967
Coverity ID: 38968
Coverity ID: 38969
Coverity ID: 38971

Bug 200192580

Change-Id: I2a972f00a7097f61c943ad035dc23d50f9f8e2e7
Signed-off-by: Erik Lilliebjerg <elilliebjerg@nvidia.com>
Reviewed-on: http://git-master/r/1277691
(cherry picked from commit 2f8d063e538089007d6b0c5234cce1229620ece0)
Reviewed-on: http://git-master/r/1281938
Reviewed-by: Akhilesh Khumbum <akhumbum@nvidia.com>
Tested-by: Robert Collins <rcollins@nvidia.com>
Reviewed-by: Robert Collins <rcollins@nvidia.com>

2 years ago Tegra210: increase vmin to increase reliability
David DSH [Fri, 6 Jan 2017 01:14:44 +0000]
Tegra210: increase vmin to increase reliability

Bug 1828585

Change-Id: I654bc0c0f7cb8dbb70dd0aed5c0ec664ac217dd9
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1280477
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago Revert "bcmdhd_88: save the firmware events in a file"
Bibhay Ranjan [Wed, 4 Jan 2017 07:00:30 +0000]
Revert "bcmdhd_88: save the firmware events in a file"

This reverts commit 5d5bcb34932dcc257067beb3d6c8a248c5c2c125.

Bug 200231321

Change-Id: I8adb48d6157bd4dfba40049a559e27da1fe407b2
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279949
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago Revert "bcmdhd_88: increase timestamp array size"
Bibhay Ranjan [Wed, 4 Jan 2017 06:59:27 +0000]
Revert "bcmdhd_88: increase timestamp array size"

This reverts commit 125ef44ac4e4ea7f8d03f05b3a7aec15eb048708.

Bug 200231321

Change-Id: I4bbc875cf78988a38cee9f714d184955c74b0e96
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279948
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago Revert "bcmdhd_88: add DHD_ERROR for nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:50 +0000]
Revert "bcmdhd_88: add DHD_ERROR for nv_logger"

This reverts commit 83275c2716e3f838a278b5ecfdb46fbe1b552d73.

Bug 200231321

Change-Id: I3bbf9ea2aaff4b421326d4b25c8e4c7ad741a493
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279947
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago Revert "bcmdhd_88: improve data integrity of nv_logger"
Bibhay Ranjan [Wed, 4 Jan 2017 06:58:04 +0000]
Revert "bcmdhd_88: improve data integrity of nv_logger"

This reverts commit 49308708221379d6749b0f596b1e0f1011a29d0c.

Bug 200231321

Change-Id: Ia51bdc77ae5c86b888a3ecabaf22d296473ae30f
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279946
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago Revert "bcmdhd_88: disable nv_logger logging by default"
Bibhay Ranjan [Wed, 4 Jan 2017 06:56:18 +0000]
Revert "bcmdhd_88: disable nv_logger logging by default"

This reverts commit 1ee03ed037ac6576e6bf09b8228ec0b3f63f36d2.

Bug 200231321

Change-Id: I4cfbd01bf8d78a9604cd161f2c4f91f9fe43695a
Signed-off-by: Bibhay Ranjan <bibhayr@nvidia.com>
Reviewed-on: http://git-master/r/1279945
Reviewed-by: Dhiren Parmar <dparmar@nvidia.com>
Tested-by: Dhiren Parmar <dparmar@nvidia.com>

2 years ago sysedp_reactive_capping: Fix warning string check
Anand Prasad [Wed, 28 Dec 2016 19:45:29 +0000]
sysedp_reactive_capping: Fix warning string check

The current implementation incorrectly checks if a pointer value is
NULL when actually referencing an array.
Instead, use a pointer to read the threshold warning string from
device-tree so that the pointer NULL check now works.

Bug 200266221

Change-Id: Iff9e43780534cf43e93b489c7ebe150fdf4ac437
Signed-off-by: Anand Prasad <anprasad@nvidia.com>
Reviewed-on: http://git-master/r/1277816
(cherry picked from commit 29d326af77ad71f6e61ce6e6e35eac6626500a72)
Reviewed-on: http://git-master/r/1279362
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Raymond Poudrier <rapoudrier@nvidia.com>

2 years ago CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE
Federico Sauter [Tue, 17 Mar 2015 16:45:28 +0000]
CIFS: Fix race condition on RFC1002_NEGATIVE_SESSION_RESPONSE

This patch fixes a race condition that occurs when connecting
to an NT 3.51 host without specifying a NetBIOS name.
In that case an RFC1002_NEGATIVE_SESSION_RESPONSE is received
and the SMB negotiation is reattempted, but under some conditions
it leads SendReceive() to hang forever while waiting for srv_mutex.
This, in turn, sets the calling process to an uninterruptible sleep
state and makes it unkillable.

The solution is to unlock the srv_mutex acquired in the demux
thread *before* going to sleep (after the reconnect error) and
before reattempting the connection.

Bug 200266605

Change-Id: I168f4977192307dd859f83d6850bdd1eecf27dfe
(cherry picked from commit 4afe260bab50290a05e5732570329a530ed023f3)
Signed-off-by: Mithun Maragiri <mmaragiri@nvidia.com>
Reviewed-on: http://git-master/r/1277404
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

2 years ago ALSA: hda: Allow 8ch/192k for HD capable sinks
Ashok Mudithanapalli [Fri, 23 Dec 2016 12:03:04 +0000]
ALSA: hda: Allow 8ch/192k for HD capable sinks

If the sink is DTSHD/MLP decode capable, but not supporting
8ch/192k in its ELD, ALSA card doesn't add these in supported
rates & ch. Add these in ALSA card for HD decode capable sinks,
so that user-space can open pcm device and play HD content.

Bug 200261363

Change-Id: Ia979868f27a740abcb16b1fea37fd9684779d4be
Signed-off-by: Ashok Mudithanapalli <ashokm@nvidia.com>
Reviewed-on: http://git-master/r/1276193
GVS: Gerrit_Virtual_Submit
Reviewed-by: Rahul Mittal <rmittal@nvidia.com>
Reviewed-by: Ravindra Lokhande <rlokhande@nvidia.com>
(cherry picked from commit fde817178e6bf99ea0d161d0175f0e69a5881d6a)
Reviewed-on: http://git-master/r/1277059
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Tested-by: Sanjay Singh Chauhan <schauhan@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

2 years ago TS/Pepper: Protect buffer deallocation
David DSH [Mon, 19 Dec 2016 20:51:09 +0000]
TS/Pepper: Protect buffer deallocation

Bug 1842498

Change-Id: Ibf0181fd17e7cbe3964bec21072bf2d6ae85d9f2
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: http://git-master/r/1273658
Tested-by: Hall Jiang <hallj@nvidia.com>
Reviewed-by: Hall Jiang <hallj@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>