11 months agousb: xhci: tegra: fix invalid access for portsc rel-24-uda-r2
WayneChang [Tue, 22 May 2018 09:28:46 +0000]
usb: xhci: tegra: fix invalid access for portsc

As downgrade feature only designed for devices
connected to root hub, we should only read portsc
inside the root hub scope. Otherwise, it might be an
invalid access when device was removed from external
hub.

Bug 2117617

Change-Id: I6ab6dfcbc9d075c72a52ca95d5a100a5761e7cd7
Signed-off-by: WayneChang <waynec@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1726951
Reviewed-by: Jim Lin <jilin@nvidia.com>
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1748349
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

11 months agousb: xhci-tegra: Fix invalid address access
Rakesh Babu Bodla [Wed, 14 Mar 2018 09:08:10 +0000]
usb: xhci-tegra: Fix invalid address access

This fixes the panic if any of arguments
to tegra_xhci_free_dev are invalid.

Bug 200360410

Change-Id: I69345be9c3f1e42f2f14c3287b13dda54abf62fc
Signed-off-by: Rakesh Babu Bodla <rbodla@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1675559
(cherry picked from commit 2a2cac8855cbe0b86c004351cb7da052dd42f1b2)
Reviewed-on: https://git-master.nvidia.com/r/1748348
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

11 months agousb: xhci: tegra: Fix deadlock in switching speed
Jim Lin [Wed, 18 Apr 2018 09:20:30 +0000]
usb: xhci: tegra: Fix deadlock in switching speed

Switching USB mode between Compatibility (USB2.0), Max performance
(USB3.0), or Auto mode (either USB2.0 or USB3.0, depending on
specified device) will enable or disable USB3.0 PORT_POWER (VBUS).
This may generate a hot-plug event.
In the ISR of hot-plug event it will hold another spin_lock and
cause deadlock.

To fix this issue we have to disable interrupt while holding spin
lock to avoid this deadlock.

Bug 200401298

Change-Id: I326a6a399dcf98555e8ed3ed238ed7b3021a9b87
Signed-off-by: Jim Lin <jilin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1697400
Reviewed-by: WK Tsai <wtsai@nvidia.com>
Reviewed-by: BH Hsieh <bhsieh@nvidia.com>
Reviewed-by: Ashutosh Jha <ajha@nvidia.com>
(cherry picked from commit 5ad1108ddb56353ea4d792bcbac08cd8cf296271)
Reviewed-on: https://git-master.nvidia.com/r/1748095
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

14 months agousb: xhci-hub: Fix kernel panic on invalid addr
Jim Lin [Thu, 2 Nov 2017 10:54:52 +0000]
usb: xhci-hub: Fix kernel panic on invalid addr

To fix a kernel panic in xhci_find_slot_id_by_port when xhci->devs[i]->udev
is accessed but not initialized.

bug 200326779

Change-Id: I6dacd488d59a7e06f32b28464ef50008990c52be
Signed-off-by: Jim Lin <jilin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1590604
(cherry picked from commit 9c6887dfb689fd49be66b8efa739a326f0b5784d)
Reviewed-on: https://git-master.nvidia.com/r/1676434
GVS: Gerrit_Virtual_Submit
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

14 months agousb: xhci-tegra: Add option en/disable USB3 speed
Jim Lin [Fri, 17 Nov 2017 14:02:40 +0000]
usb: xhci-tegra: Add option en/disable USB3 speed

Add user-mode option to disable USB3 speed.
Writing 0xFFFFFFFF to
  /sys/devices/platform/tegra-xhci/downgrade_usb3
will downgrade device from USB3.0 speed to USB2.0 speed immediately.
e.g.,
echo "0xFFFFFFFF" > /sys/devices/platform/tegra-xhci/downgrade_usb3
in command line.

Add user-mode option to enable USB3 speed.
Writing 0 to
  /sys/devices/platform/tegra-xhci/downgrade_usb3
will support USB3.0 speed on next device connection.
e.g.,
echo "0" > /sys/devices/platform/tegra-xhci/downgrade_usb3
in command line.

bug 200365041

Change-Id: I9e2a60d1f7e6f38fa2d3d52c3483f1e8e5dc813f
Signed-off-by: Jim Lin <jilin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1600372
(cherry picked from commit e4774757994a86ecf0d6383cd4b977012bcefffe)
Reviewed-on: https://git-master.nvidia.com/r/1673196
GVS: Gerrit_Virtual_Submit
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

14 months agomm: add preempt points into __purge_vmap_area_lazy()
Christoph Hellwig [Thu, 1 Feb 2018 19:42:34 +0000]
mm: add preempt points into __purge_vmap_area_lazy()

Use cond_resched_lock to avoid holding the vmap_area_lock for a
potentially long time and thus creating bad latencies for various
workloads.

Change-Id: I1e6bd60526e049fd8cdcea13783af519347c4c67
[hch: split from a larger patch by Joel, wrote the crappy changelog]
Link: http://lkml.kernel.org/r/1479474236-4139-11-git-send-email-hch@lst.de
Signed-off-by: Joel Fernandes <joelaf@google.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Tested-by: Jisheng Zhang <jszhang@marvell.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: John Dias <joaodias@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-on: https://git-master.nvidia.com/r/1662294
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

14 months agomm: turn vmap_purge_lock into a mutex
Christoph Hellwig [Thu, 1 Feb 2018 19:39:00 +0000]
mm: turn vmap_purge_lock into a mutex

The purge_lock spinlock causes high latencies with non RT kernel.  This
has been reported multiple times on lkml [1] [2] and affects
applications like audio.

This patch replaces it with a mutex to allow preemption while holding
the lock.

Thanks to Joel Fernandes for the detailed report and analysis as well as
an earlier attempt at fixing this issue.

[1] http://lists.openwall.net/linux-kernel/2016/03/23/29
[2] https://lkml.org/lkml/2016/10/9/59

Change-Id: Iff178f427084393694e1742bf19c6e16c8719355
Link: http://lkml.kernel.org/r/1479474236-4139-10-git-send-email-hch@lst.de
Signed-off-by: Christoph Hellwig <hch@lst.de>
Tested-by: Jisheng Zhang <jszhang@marvell.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: John Dias <joaodias@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-on: https://git-master.nvidia.com/r/1662293
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

14 months agomm: refactor __purge_vmap_area_lazy()
Christoph Hellwig [Thu, 1 Feb 2018 19:13:59 +0000]
mm: refactor __purge_vmap_area_lazy()

Move the purge_lock synchronization to the callers, move the call to
purge_fragmented_blocks_allcpus at the beginning of the function to the
callers that need it, move the force_flush behavior to the caller that
needs it, and pass start and end by value instead of by reference.

No change in behavior.

Change-Id: Ie7de8539711d381dcc3cc980d00aae66e8e1b442
Link: http://lkml.kernel.org/r/1479474236-4139-4-git-send-email-hch@lst.de
Signed-off-by: Christoph Hellwig <hch@lst.de>
Tested-by: Jisheng Zhang <jszhang@marvell.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Joel Fernandes <joelaf@google.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: John Dias <joaodias@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-on: https://git-master.nvidia.com/r/1662292
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

16 months agoarm64: Handle traps from accessing CNTVCT/CNTFRQ via 32-bit instructions
Nicolin Chen [Wed, 10 Jan 2018 02:59:20 +0000]
arm64: Handle traps from accessing CNTVCT/CNTFRQ via 32-bit instructions

CNTVCT and CNTFRQ can be accessed via 32-bit instructions (mrrc/mrc).

So the trap handler should take care of these two situations as well.
Otherwise, it will trigger an "undefined instruction" state and file
a SIGILL back to user space without caring about which application.

Bug 2044346

Change-Id: I39de0a3f332c405042bb181ccdf616eeb96b1608
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1635304
(cherry picked from commit c4f4342ab3dc8c3185820bc55e08feeed0240c0a)
Reviewed-on: https://git-master.nvidia.com/r/1638668
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

16 months agoarm64: Add CONFIG_HARDEN_BRANCH_PREDICTOR option
Martin Gao [Thu, 21 Dec 2017 23:48:19 +0000]
arm64: Add CONFIG_HARDEN_BRANCH_PREDICTOR option

Aliasing attacks against CPU branch predictors can allow an attacker to
redirect speculative control flow on some CPUs and potentially divulge
information from one context to another.

This patch adds a Kconfig option to enable implementation-specific
mitigations against these attacks for CPUs that are affected. Currently,
a workaround is only implemented for Cortex-A57 and Cortex-A72, which
additionally relies on the EL3 firmware setting CPUACTLR_EL1[0] to 1.

Back ported from K4.9: https://git-master.nvidia.com/r/1621628/

Bug 1975157

Change-Id: Id0b12003837f64a60780ec96b2cf22725615ad35
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1626828
(cherry picked from commit bfb554062622f53f47eb762302c98df1f3ee4959)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1631448

16 months agoarm64: alternative: Provide if/else/endif assembler macros
Nicolin Chen [Thu, 21 Dec 2017 03:58:13 +0000]
arm64: alternative: Provide if/else/endif assembler macros

The existing alternative_insn macro has some limitations that make it
hard to work with. In particular the fact it takes instructions from it
own macro arguments means it doesn't play very nicely with C pre-processor
macros because the macro arguments look like a string to the C
pre-processor. Workarounds are (probably) possible but things start to
look ugly.

Introduce an alternative set of macros that allows instructions to be
presented to the assembler as normal and switch everything over to the
new macros.

==  This is a back port change from K4.4 to K3.10 so it also includes: ==
  arm64: alternatives: add enable parameter to conditional asm macros

  There are cases where we want to compile out both versions of an
  alternative code block, so add an enable parameter to the new conditional
  alternative assembly macros in the same way as alternative_insn.

Bug 1975157

Change-Id: I39fd42525f717c63e9b5f8a9ec182e77a3e28401
Signed-off-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1626807
(cherry picked from commit 4ae908187dee327273f159a34ae11b8516421d57)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1631447

16 months ago[PATCH 4/4] clocksource: arch_timer: make virtual counter access configurable
Greg Hackmann [Tue, 9 Jan 2018 04:00:15 +0000]
[PATCH 4/4] clocksource: arch_timer: make virtual counter access configurable

Bug 2031796

Change-Id: Ibdb1fd768b748002b90bfc165612c12c8311f8a2
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1634425
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1638653

16 months ago[PATCH 3/4] arm64: Issue isb when trapping CNTVCT_EL0 access
Greg Hackmann [Wed, 20 Dec 2017 09:36:20 +0000]
[PATCH 3/4] arm64: Issue isb when trapping CNTVCT_EL0 access

Bug 2031796
CVE-2017-13218

Change-Id: I6005a6e944494257bfc2243fde2f7a09c3fd76c6
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1623697
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1638638

16 months ago[PATCH 2/4] BACKPORT: arm64: Add CNTFRQ_EL0 trap handler
Marc Zyngier [Wed, 20 Dec 2017 09:34:10 +0000]
[PATCH 2/4] BACKPORT: arm64: Add CNTFRQ_EL0 trap handler

We now trap accesses to CNTVCT_EL0 when the counter is broken
enough to require the kernel to mediate the access. But it
turns out that some existing userspace (such as OpenMPI) do
probe for the counter frequency, leading to an UNDEF exception
as CNTVCT_EL0 and CNTFRQ_EL0 share the same control bit.

The fix is to handle the exception the same way we do for CNTVCT_EL0.

Bug 2031796
CVE-2017-13218

Fixes: a86bd139f2ae ("arm64: arch_timer: Enable CNTVCT_EL0 trap if workaround is enabled")
Reported-by: Hanjun Guo <guohanjun@huawei.com>
Tested-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Hanjun Guo <guohanjun@huawei.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
(cherry picked from commit 9842119a238bfb92cbab63258dabb54f0e7b111b)
Change-Id: Ie5a9a93fcca238d6097ecacd6df0e540be90220b
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1623696
(cherry picked from commit b7437af000c530e53cedce73a942571405766245)
Reviewed-on: https://git-master.nvidia.com/r/1638629
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

16 months ago[PATCH 1/4] BACKPORT: arm64: Add CNTVCT_EL0 trap handler
Marc Zyngier [Wed, 20 Dec 2017 03:24:17 +0000]
[PATCH 1/4] BACKPORT: arm64: Add CNTVCT_EL0 trap handler

Since people seem to make a point in breaking the userspace visible
counter, we have no choice but to trap the access. Add the required
handler.

Bug 2031796
CVE-2017-13218

Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
(cherry picked from commit 6126ce0588eb5a0752d5c8b5796a7fca324fd887)
Change-Id: I4204b5e1db899849ca16e6b26fe234339815f864
Signed-off-by: Rohit Khanna <rokhanna@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1621712
(cherry picked from commit fe7b634c82d1c21f7c83caecf8bd23cbdf56d389)
Reviewed-on: https://git-master.nvidia.com/r/1638622
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

16 months agoTZ: API to invalidate BTB
Mahesh Lagadapati [Fri, 22 Dec 2017 01:22:53 +0000]
TZ: API to invalidate BTB

This change exposes the API "te_invalidate_btb" to invalidate BTB

Bug 1975157

Change-Id: I0143c6ff27381844db7a0f736b41e335590b2fbc
Signed-off-by: Mahesh Lagadapati <mlagadapati@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1624365
(cherry picked from commit 20d84a63fedec4a7e33e6cf6865850c6ab7ff82c)
Reviewed-on: https://git-master.nvidia.com/r/1638592
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

16 months agoALSA: timer: Call notifier in the same spinlock
Manoj Gangwal [Thu, 14 Dec 2017 08:34:55 +0000]
ALSA: timer: Call notifier in the same spinlock

From fe9cd48f4b3273dc1c9e52567edb4e77dafa45d8 Mon Sep 17 00:00:00 2001
From: Takashi Iwai <tiwai@suse.de>
Date: Wed, 10 Feb 2016 12:47:03 +0100
Subject: [PATCH] UPSTREAM: ALSA: timer: Call notifier in the same spinlock

snd_timer_notify1() is called outside the spinlock and it retakes the
lock after the unlock.  This is rather racy, and it's safer to move
snd_timer_notify() call inside the main spinlock.

The patch also contains a slight refactoring / cleanup of the code.
Now all start/stop/continue/pause look more symmetric and a bit better
readable.

Bug: 37240993

Change-Id: I2e0b18e14ed6ecb39c7425dce0f67bec0e13ae36
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Siqi Lin <siqilin@google.com>
Signed-off-by: Manoj Gangwal <mgangwal@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1617816
(cherry picked from commit 83236551f4f4ed0b18d9a890fb0a87cd8735b452)
Reviewed-on: https://git-master.nvidia.com/r/1632964
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

16 months agostaging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
Viktor Slavkovic [Fri, 15 Dec 2017 11:45:48 +0000]
staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl

A lock-unlock is missing in ASHMEM_SET_SIZE ioctl which can result in a
race condition when mmap is called. After the !asma->file check, before
setting asma->size, asma->file can be set in mmap. That would result in
having different asma->size than the mapped memory size. Combined with
ASHMEM_UNPIN ioctl and shrinker invocation, this can result in memory
corruption.

Bug 2031796
ANDROID-66954097

Bug: 66954097
Signed-off-by: Viktor Slavkovic <viktors@google.com>
Change-Id: I268225133f96fde0fadd1ec621aafef27d392d65
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1618689
(cherry picked from commit e8edf1f06effc6eda80a031aa086d4c1d151f5fb)
Reviewed-on: https://git-master.nvidia.com/r/1632540
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

16 months agogpu: nvgpu: Validate buffer_offset argument
skadamati [Thu, 28 Sep 2017 06:51:28 +0000]
gpu: nvgpu: Validate buffer_offset argument

Validate the mapping_size argument in the VM mapping IOCTL before
attempting to use the argument for anything.

Manual Cherry pick - https://git-master.nvidia.com/r/1547046

Bug 1954931
Bug 1993254
Bug 200288656

Change-Id: I81b22dc566c6c6f89e5e62604ce996376b33a343
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1547046
Signed-off-by: skadamati <skadamati@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1569976
(cherry picked from commit 84c14d463b613b6f29455295f27683821a78dce9)
Reviewed-on: https://git-master.nvidia.com/r/1584264
(cherry picked from commit 25e2877d988453dc29bd1573e6d8f8b566bce170)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1606956
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Mandar Padmawar <mpadmawar@nvidia.com>
Tested-by: Mandar Padmawar <mpadmawar@nvidia.com>
(cherry picked from commit b7b4cd159ea47dbfab8bec7aefd3867f2274ad99)
Reviewed-on: https://git-master.nvidia.com/r/1632961
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agousb: xhci-tegra: Add sysfs node to degrade USB3.0
Jim Lin [Thu, 19 Oct 2017 11:12:05 +0000]
usb: xhci-tegra: Add sysfs node to degrade USB3.0

Add sysfs node at
 /sys/devices/platform/tegra-xhci/downgrade_usb3
for system app to write non-zero value to trigger degradation
to USB2.0 mode if USB3.0 device is listed in
 /sys/module/xhci_hcd/parameters/downgraded_usb3
already.

Bug 1978463

Change-Id: Iacf3e663354b648f9fc8d7b7a36129a633ee95c0
Signed-off-by: Jim Lin <jilin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1581878
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
(cherry picked from commit 48550e8c4da3085a18dc8529e4dd137bfc9efa40)
Reviewed-on: https://git-master.nvidia.com/r/1583594
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agousb: core: quirks: Added to be downgraded to USB2.0
Jim Lin [Tue, 17 Oct 2017 13:49:21 +0000]
usb: core: quirks: Added to be downgraded to USB2.0

Added into quirk list to downgrade USB 3.0 to USB2.0 mode
when device is connected to root-hub port to reduce RF interference.

Bug 1978463

Change-Id: I58d3fed174e12e723c87b30a8cf4bf5627c9021d
Signed-off-by: Jim Lin <jilin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1580531
GVS: Gerrit_Virtual_Submit
Reviewed-by: ChihMin Cheng <ccheng@nvidia.com>
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
(cherry picked from commit e4c529e88355d5b7c1de6c17ac06f5d9e463497a)
Reviewed-on: https://git-master.nvidia.com/r/1583593
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agousb: xhci-tegra: downgrade USB3 device for quirk
Jim Lin [Tue, 26 Sep 2017 13:51:42 +0000]
usb: xhci-tegra: downgrade USB3 device for quirk

Add module_param_array for downgraded_usb3 array parameter which
can be filled with maximum 100 array members.

The parameter will have quirk flag USB_QUIRK_DOWNGRADE_USB3
to be set in update_driver callback during hub_port_init phase.

Quirked USB3.0 device will be running at USB2.0 mode.

Bug 1978463

Change-Id: I46f5ceee4d915d24e4359c879690e83a0a3ac435
Signed-off-by: Jim Lin <jilin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1568577
(cherry picked from commit a3c1aabfec7cb484a45dffc3dc91586b195780f2)
Reviewed-on: https://git-master.nvidia.com/r/1583564
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agousb: Add quirk flag to downgrade USB3.0 device
Jim Lin [Tue, 26 Sep 2017 13:45:59 +0000]
usb: Add quirk flag to downgrade USB3.0 device

Add quirk flag to downgrade USB3.0 to USB2.0 mode.

Bug 1978463

Change-Id: I800e765dce96d4a4902834b84a50acdb6d63be4f
Signed-off-by: Jim Lin <jilin@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1568576
(cherry picked from commit 0b4ba0de567883f5e1af3c6297251df0efcf9c0a)
Reviewed-on: https://git-master.nvidia.com/r/1583563
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agonet: wireless: bcmdhd: Disable roaming by default
Srinivas Ramachandran [Wed, 29 Mar 2017 00:19:28 +0000]
net: wireless: bcmdhd: Disable roaming by default

Issue: Roaming triggers known regression issues with latest
       firmware and leads to no internet access (until user
       manually disconnects and reconnects to AP).
Fix:   To prevent this state, disable roaming until fw issue
       is resolved.

Bug 1895940

Change-Id: Icd5cc4d5d4d0ab0eb2940c2e59553f8ec1e65947
Signed-off-by: Srinivas Ramachandran <srinivasra@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1580682
(cherry picked from commit ab328ee45fd4d1edc714ccb23339e4d66e4cf615)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1581709
GVS: Gerrit_Virtual_Submit

19 months agonet: wireless: bcmdhd: fix for IOVAR GET failed
Insun Song [Tue, 25 Apr 2017 01:33:07 +0000]
net: wireless: bcmdhd: fix for IOVAR GET failed

found some case that IOVAR callers set response buffer not enough to
contain input command string + argument. so it finally fail in IOVAR
transaction by its shorter buffer length.

proposed fix is taking care this case by providing enough local
buffer inside dhd_iovar, which enough to input/output.

Bug 1899974

Signed-off-by: Mohan Thadikamalla <mohant@nvidia.com>
Signed-off-by: Insun Song <insun.song@broadcom.com>
Change-Id: I54cbb2843e094d4abe585973776063e67cabc0aa
Reviewed-on: http://git-master/r/1467988
(cherry picked from commit 0b360adab630e507023bea7b0bcac8823e5497cf)
(cherry picked from commit 5c912b711d18e2ef1f5122ff6cb8a95ee8f44a31)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1581708
GVS: Gerrit_Virtual_Submit

19 months agonet: wireless: bcmdhd: fix incorrect IOVAR buffer length use case
Insun Song [Tue, 30 May 2017 08:40:04 +0000]
net: wireless: bcmdhd: fix incorrect IOVAR buffer length use case

The buffer used by host driver for sending IOVAR request/response can
deliver some private kernel information to the dongle if it's not
properly uninitailized.
the fix is to redefine current IOVAR API to manage buffer length
correctly. and updated all IOVAR caller instances.
Bug: 36000515

Bug 1899974
Signed-off-by: Mohan Thadikamalla <mohant@nvidia.com>
Signed-off-by: Insun Song <insun.song@broadcom.com>
Change-Id: Iaeaf87da066778f484b62f2e7617b24b9f14b5de
Reviewed-on: http://git-master/r/1468898

(cherry picked from commit 5c4b4ab1eca19180943274093be303445aa727c7)
(cherry picked from commit 298ea17a4062e0fccd08898c2b22a1cdffefb99c)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Change-Id: I57c58289ae94b51dff2138c69762fd0ccf1c439e
Reviewed-on: https://git-master.nvidia.com/r/1581707
GVS: Gerrit_Virtual_Submit

19 months agonet: wireless: bcmdhd: adding boundary check in wl_notify_rx_mgmt_frame
Insun Song [Wed, 24 May 2017 16:21:02 +0000]
net: wireless: bcmdhd: adding boundary check in wl_notify_rx_mgmt_frame

added boundary check for input parameters not to corrupt kernel heap in
case user injected malformed input

Bug: 37306719
Bug 1971966
Change-Id: I6dc12e9bcfce8f3b43ecf14bfd6976bf87afeaa5
Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-on: https://git-master.nvidia.com/r/1562394
(cherry picked from commit 0104f956f90f2eb6460461392aa6aacc426a3593)
Reviewed-on: https://git-master.nvidia.com/r/1572856
(cherry picked from commit 47b888c1b5799c014b19bd5f13c80a13f7f2e46c)
Reviewed-on: https://git-master.nvidia.com/r/1580301
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agonet: wireless: bcmdhd: adding boudary check in wl_escan_handler
Insun Song [Mon, 5 Jun 2017 17:21:10 +0000]
net: wireless: bcmdhd: adding boudary check in wl_escan_handler

WLC_E_ESCAN_RESULT event could be manipulated especially two length field
inside, one is for escan_result buffer length and another one is
bss_info length, the forged fields may bypass current length check and
corrupt kernel heap memory.

so added checking validation for two length fields in WLC_E_ESCAN_RESULT
event.

Bug: 37351060
Bug 1971966
Change-Id: I31e9fccc48fc06278fb3a87a76ef7337296c2b0d
Signed-off-by: Insun Song <insun.song@broadcom.com>
Reviewed-on: https://git-master.nvidia.com/r/1562393
(cherry picked from commit ff046d4d4051d582a21cee2e453ac892158d20ff)
Reviewed-on: https://git-master.nvidia.com/r/1572855
(cherry picked from commit 8d2610cd3de9a2b2eff46dff3f72de2f69f79b7b)
Reviewed-on: https://git-master.nvidia.com/r/1580300
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agoBACKPORT: pids: make task_tgid_nr_ns() safe
Oleg Nesterov [Fri, 6 Oct 2017 06:54:01 +0000]
BACKPORT: pids: make task_tgid_nr_ns() safe

This was reported many times, and this was even mentioned in commit
52ee2dfdd4f5 "pids: refactor vnr/nr_ns helpers to make them safe" but
somehow nobody bothered to fix the obvious problem: task_tgid_nr_ns()
is not safe because task->group_leader points to nowhere after the
exiting task passes exit_notify(), rcu_read_lock() can not help.

We really need to change __unhash_process() to nullify group_leader,
parent, and real_parent, but this needs some cleanups. Until then we
can turn task_tgid_nr_ns() into another user of __task_pid_nr_ns() and
fix the problem.

Bug 2000058

Bug: 31495866
Reported-by: Troy Kensinger <tkensinger@google.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
(cherry picked from commit dd1c1f2f2028a7b851f701fc6a8ebe39dcb95e7c)
Change-Id: Iad19a77f4f0aa9f3b6b0539ac9c549fa64c18550
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1574419
(cherry picked from commit 8fce117dbda65eb3d7268066a0509f2ebbcbe16a)
Reviewed-on: https://git-master.nvidia.com/r/1580302
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months ago[PATCH] Prevent potential double frees in sg driver
Robb Glasser [Tue, 26 Sep 2017 06:21:02 +0000]
[PATCH] Prevent potential double frees in sg driver

sg_ioctl could be spammed by requests, leading to a double free in
__free_pages. This protects the entry points of sg_ioctl where the
memory could be corrupted by a double call to __free_pages if multiple
requests are happening concurrently.

Bug 1970716
Bug 1971959
Bug 200288656

Bug:35644812
Change-Id: Ie13f65beb6974430f90292e2742841b26aecb8b1
Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1568288
(cherry picked from commit a59fff36c5a23ded36dab87d70548f7ba18b6d4a)
Reviewed-on: https://git-master.nvidia.com/r/1570222
(cherry picked from commit 918f514b93b8a8d33d5341561b34cadb5677e272)
Reviewed-on: https://git-master.nvidia.com/r/1580297
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agomm/mempolicy.c: fix error handling in set_mempolicy and mbind.
Chris Salls [Sat, 8 Apr 2017 06:48:11 +0000]
mm/mempolicy.c: fix error handling in set_mempolicy and mbind.

In the case that compat_get_bitmap fails we do not want to copy the
bitmap to the user as it will contain uninitialized stack data and leak
sensitive data.

Bug 1970716
Bug 1971959
Bug 200288656

Signed-off-by: Chris Salls <salls@cs.ucsb.edu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
(cherry picked from commit cf01fb9985e8deb25ccf0ea54d916b8871ae0e62)
Change-Id: I60f7ed76df891df1ad57140b0892d6b22cde94f9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1568281
(cherry picked from commit d1032e2d497514b4539dd7be66972b9f62356016)
Reviewed-on: https://git-master.nvidia.com/r/1570221
(cherry picked from commit 1c4d727091b9f0ab40bd76e770d0673af7bead73)
Reviewed-on: https://git-master.nvidia.com/r/1580296
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agoip6_gre: fix ip6gre_err() invalid reads
Eric Dumazet [Sun, 5 Feb 2017 07:18:55 +0000]
ip6_gre: fix ip6gre_err() invalid reads

Andrey Konovalov reported out of bound accesses in ip6gre_err()

If GRE flags contains GRE_KEY, the following expression
*(((__be32 *)p) + (grehlen / 4) - 1)

accesses data ~40 bytes after the expected point, since
grehlen includes the size of IPv6 headers.

Let's use a "struct gre_base_hdr *greh" pointer to make this
code more readable.

p[1] becomes greh->protocol.
grhlen is the GRE header length.

Bug 1970716
Bug 1971959
Bug 200288656

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 7892032cfe67f4bde6fc2ee967e45a8fbaf33756)
Change-Id: Iad0a924abddf49d0f5ba07afd9ce16795f74bdfd
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1568275
(cherry picked from commit 98ba3df721c016a83d1d74963b0c09d17eaa6f7f)
Reviewed-on: https://git-master.nvidia.com/r/1570220
(cherry picked from commit b141b057e91e2287094d3d0042d3e5875f231448)
Reviewed-on: https://git-master.nvidia.com/r/1580294
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agotcp: avoid infinite loop in tcp_splice_read()
Eric Dumazet [Fri, 3 Feb 2017 22:59:38 +0000]
tcp: avoid infinite loop in tcp_splice_read()

Splicing from TCP socket is vulnerable when a packet with URG flag is
received and stored into receive queue.

__tcp_splice_read() returns 0, and sk_wait_data() immediately
returns since there is the problematic skb in queue.

This is a nice way to burn cpu (aka infinite loop) and trigger
soft lockups.

Again, this gem was found by syzkaller tool.

Bug 1970716
Bug 1971959
Bug 200288656

Fixes: 9c55e01c0cc8 ("[TCP]: Splice receive support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov  <dvyukov@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit ccf7abb93af09ad0868ae9033d1ca8108bdaec82)
Change-Id: I0ed67e83effcc6c1970fe6f8192e00bf3947138d
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1565183
(cherry picked from commit 63fdebd244e1b6ddb72fcd75e6cd4fc97a3aac97)
Reviewed-on: https://git-master.nvidia.com/r/1570219
(cherry picked from commit 572c46621d6b8822220de2188ec9752f45ef045f)
Reviewed-on: https://git-master.nvidia.com/r/1580293
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agoipx: call ipxitf_put() in ioctl error path
Dan Carpenter [Tue, 2 May 2017 10:58:53 +0000]
ipx: call ipxitf_put() in ioctl error path

We should call ipxitf_put() if the copy_to_user() fails.

Bug 1970716
Bug 1971959
Bug 200288656

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit ee0d8d8482345ff97a75a7d747efc309f13b0d80)
Change-Id: I5460804b62e4d81dd8de403aafc7aff64a5a3edf
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1565173
(cherry picked from commit fd2ac9fa0a7ef25f584f6d9bd05843f94594f4d1)
Reviewed-on: https://git-master.nvidia.com/r/1570217
(cherry picked from commit f3a0b8a339ff063fb86306e6fa8b57b17f691732)
Reviewed-on: https://git-master.nvidia.com/r/1580292
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agoipv6/dccp: do not inherit ipv6_mc_list from parent
WANG Cong [Tue, 9 May 2017 23:59:54 +0000]
ipv6/dccp: do not inherit ipv6_mc_list from parent

Like commit 657831ffc38e ("dccp/tcp: do not inherit mc_list from parent")
we should clear ipv6_mc_list etc. for IPv6 sockets too.

Bug 1970716
Bug 1971959
Bug 200288656

Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 83eaddab4378db256d00d295bda6ca997cd13a52)
Change-Id: Icaa523c47ab1daa47caa2ffd13c6f6d1ab3b1b55
Reviewed-on: https://git-master.nvidia.com/r/1574219
(cherry picked from commit 6d9e5a2534b920f23ade2f2a06e89b5cafe2b9be)
Reviewed-on: https://git-master.nvidia.com/r/1580290
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agodccp/tcp: do not inherit mc_list from parent
Eric Dumazet [Tue, 9 May 2017 13:29:19 +0000]
dccp/tcp: do not inherit mc_list from parent

syzkaller found a way to trigger double frees from ip_mc_drop_socket()

It turns out that leave a copy of parent mc_list at accept() time,
which is very bad.

Very similar to commit 8b485ce69876 ("tcp: do not inherit
fastopen_req from parent")

Initial report from Pray3r, completed by Andrey one.
Thanks a lot to them !

Bug 1970716
Bug 1971959
Bug 200288656

Change-Id: I5917eb701382a098553186fcf9f50347957cf5cd
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Pray3r <pray3r.z@gmail.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1564121
(cherry picked from commit 84a456465ed1e2e980f8490a534223f957998e75)
Reviewed-on: https://git-master.nvidia.com/r/1570216
(cherry picked from commit 85204469e25690546119d3356c4cc8f4b67b4a21)
Reviewed-on: https://git-master.nvidia.com/r/1580289
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agoplatform: tegra: powergate: use tegra_mc_flush API
Krishna Reddy [Tue, 22 Aug 2017 18:47:59 +0000]
platform: tegra: powergate: use tegra_mc_flush API

powergate code shouldn't access hotreset registers directly.
It should use tegra_mc_flush API.

Bug 200327368

Change-Id: Ibd35744a8e2b68dfd74c677b95912b7b2a3743d9
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1554867
(cherry picked from commit 72663c6477ad587cdb4f31c5f860f2f18bc57841)
Reviewed-on: https://git-master.nvidia.com/r/1566235
(cherry picked from commit e14cc7e98735c6a36f7c7be3338af9f68d8cb8ff)
Reviewed-on: https://git-master.nvidia.com/r/1575166
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agokernel: timer: sanity check pointer address before access
Martin Gao [Tue, 22 Aug 2017 03:57:24 +0000]
kernel: timer: sanity check pointer address before access

Bug 200343941
Bug 1977274
Bug 1972419

Change-Id: Id2ce7ff86463762e7eb116937b8b71fc4b2d1824
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1543168
(cherry picked from commit 9a438a4d2a77045a1b195873cce2cea98a78489e)
Reviewed-on: https://git-master.nvidia.com/r/1571362
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agot210: disable power gating for nvdec
Vivek Bangera [Tue, 22 Aug 2017 06:15:45 +0000]
t210: disable power gating for nvdec

Disabling power gating for nvdec
for all T210 devices

Bug 200308164

Change-Id: I41ca30e64a744abbfbcfede64a9bef12d2739cf1
Signed-off-by: Vivek Bangera <vbangera@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1544128
(cherry picked from commit 1ffc0b905e8f450a943303b896fa99c759509ec1)
Reviewed-on: https://git-master.nvidia.com/r/1571361
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agohid: jarvis: don't fake button release for repeats
Andrew Chen [Fri, 26 May 2017 03:28:27 +0000]
hid: jarvis: don't fake button release for repeats

Bug 1907511

Change-Id: Iff453c971464a553343010c3b990654830bc8108
Signed-off-by: Andrew Chen <andrewc@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1498080
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1571360
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agodrivers: hid: hid-atv-javis: set silence timeout
Martin Gao [Thu, 21 Sep 2017 03:15:51 +0000]
drivers: hid: hid-atv-javis: set silence timeout

- If we are getting no new audio data for 5 seconds continously, then
  simply make timer callback no-op and waits for pcm lib's timeout
  mechanism (alsa's timeout currently is set to be 10 seconds) to detect
  this case and trigger stop/suspend.

Bug 1992638

Change-Id: I34f43b94adb2a8c9c926cfeeb1d0ad378ca328cc
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1565005
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>
Tested-by: Manish Tuteja <mtuteja@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1571359
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agohid: hid-atv-jarvis: fix substream deadlock
Martin Gao [Tue, 29 Aug 2017 19:50:44 +0000]
hid: hid-atv-jarvis: fix substream deadlock

- substream lock is acquired without disabling irq, and thus it can be
  re-entrant and cause deadlock.
- use spin_lock_irqsave and spin_lock_irqrestore instead.
- if DEBUG_TIMER defined, latency measurement is added to log as well to
  check whether the latency is within tolerance.
- remove unneeded debug print (guarding with debug flag)

Bug 1980335
Bug 200339401

Change-Id: I2ce1ffb182dfb0fe3788c355bb8dbe54f7a6e45d
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1547896
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-on: https://git-master.nvidia.com/r/1571358
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agohid: move to spinlock instead of using barrier
Martin Gao [Tue, 22 Aug 2017 01:39:55 +0000]
hid: move to spinlock instead of using barrier

- hid-atv-remote driver always uses barrier for synchronization, but
  it's not enough in this case. Making minumum change to avoid impacting
  perf and added a spinlock to synchronize timer modification and
  deletion

Bug 1977274
Bug 1972419

Change-Id: Ic7fcc13a809a177151b7ca82cbabae9eebf90c67
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1543114
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1571357
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agohid: fix race condition of delete timer and mod timer
Martin Gao [Tue, 15 Aug 2017 00:59:52 +0000]
hid: fix race condition of delete timer and mod timer

- traditionally, hid-atv-jarvis doesn't use lock and depends on memory
  barrier to certain sychronization, which lead to a small window of
  opportunity of this above race condition
- changing timer_enabled to bit mask base instead of boolean to indicate
  three different states: enabled, re-scheduling (mod timer), disabled
- when disabling timer, polling block to check whether it's in
  re-scheduling or not to ensure re-scheduling happen before delete
  timer
- add a time out to avoid infinite polling with error message

Bug 1972419

Change-Id: I25cc42d90e351be5b28fa423567a74c7a35d5444
Signed-off-by: Martin Gao <marting@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1538564
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1571356
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agohid: jarvis: add pepper button release miss stats
Andrew Chen [Tue, 2 May 2017 09:19:50 +0000]
hid: jarvis: add pepper button release miss stats

Bug 1907511

Change-Id: I07e0c7390dbd2a1986b805ccce1dd2dd917cad06
Signed-off-by: Andrew Chen <andrewc@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1481944
Reviewed-by: mobile promotions <svcmobile_promotions@nvidia.com>
Tested-by: mobile promotions <svcmobile_promotions@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1571355
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

19 months agoTS/Pepper: Mitigate timer deletion bug
David DSH [Wed, 21 Dec 2016 23:51:54 +0000]
TS/Pepper: Mitigate timer deletion bug

Current implementation crashes sometime when deleting timer due to
race condition between timer call back and control of the timer
You cannot call del_timer_sync from interupt and the context is unclear
so instead use del_timer. Note this may leave the timer to trigger once
or twice with no actual work left.

Also add proper barrier for pcm_stopped.

Bug 1856286
Bug 200279149

Change-Id: Iad10c4fdac28581f82532483662e66d15cbd15ac
Signed-off-by: David DSH <ddastoussthi@nvidia.com>
Reviewed-on: https://git-master/r/1275134
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1571354
GVS: Gerrit_Virtual_Submit
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

20 months agodc: hdmi: Resetting HDA prior to disabling HDMI
Jerry Wang [Wed, 14 Jun 2017 03:27:10 +0000]
dc: hdmi: Resetting HDA prior to disabling HDMI

When HDMI unplug happens while playing audio,
HDA has chance to accesses SOR when it's already
disabled and cause host read timeout.

Resetting HDA before disabling HDMI to avoid
this problem.

Bug 1922197
Bug 200319900

Change-Id: I3f4d04bcb2b6232a400046898caf0247c25c7b0e
Signed-off-by: Jerry Wang <jerryw@nvidia.com>
Reviewed-on: http://git-master/r/1501997
(cherry picked from commit 550eea1f37ace6e55ba31149abdd64fb208dd6f8)
Reviewed-on: https://git-master.nvidia.com/r/1505541
Reviewed-on: https://git-master.nvidia.com/r/1548514
(cherry picked from commit 522c40b3660676e9add60124137940f63ba5363a)
Reviewed-on: https://git-master.nvidia.com/r/1549117
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

20 months agodc: hdmi: hda: protect hda from race
Ahung Cheng [Thu, 15 Jun 2017 08:37:38 +0000]
dc: hdmi: hda: protect hda from race

add mutex to protect hda pointer from
race condition if hot plug happens right
after hda check is just passed

bug 1922197
bug 200319900

Change-Id: I84d28ce2075163b7cf42c7a0dda739da6ad4fafd
Signed-off-by: Ahung Cheng <ahcheng@nvidia.com>
Reviewed-on: http://git-master/r/1502917
(cherry picked from commit 66fcf53525a368cebf00680c843e44447ef88944)
Reviewed-on: https://git-master.nvidia.com/r/1505540
Reviewed-on: https://git-master.nvidia.com/r/1548513
(cherry picked from commit 1f8aa36c9d57c101fa123c6ca7a2d3822bd2398f)
Reviewed-on: https://git-master.nvidia.com/r/1549107
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agosched, rt: Prefer waking up on idle CPUs
Sai Gurrappadi [Wed, 19 Jul 2017 22:26:15 +0000]
sched, rt: Prefer waking up on idle CPUs

RT tasks currently try and prefer staying on the same CPU if they can
preempt the current running task (lower priority). While this yields for
a lower latency/better cache residency for the RT task, it can be
significantly detrimental for system throughput if RT runtime is
signficiant.

To that end, try and find an idle CPU in our cache sharing domain if there
exists one. This should improve system throughput at the expense of
worse cache-residency for the RT task's data (it will ping pong around).

Change-Id: I7221cd7ae4fb5294cae2ad012e7e3371520d5531
Signed-off-by: Sai Gurrappadi <sgurrappadi@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1545543
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agof2fs: sanity check segment count
Jin Qian [Tue, 25 Apr 2017 23:28:48 +0000]
f2fs: sanity check segment count

F2FS uses 4 bytes to represent block address. As a result, supported
size of disk is 16 TB and it equals to 16 * 1024 * 1024 / 2 segments.

Bug 1954564
Bug 200288656

Change-Id: I4c288b7d044067ca9b850ffdddd0bdeeb5bfdcb5
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1522954
(cherry picked from commit 54ad73b49caabba0d7c7dc8f82fc7026597a97b2)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1544663

21 months agof2fs: sanity check checkpoint segno and blkoff
Jin Qian [Wed, 19 Jul 2017 08:39:53 +0000]
f2fs: sanity check checkpoint segno and blkoff

Make sure segno and blkoff read from raw image are valid.

Bug 1954564
Bug 200288656

Change-Id: I4896cc63550f5810638861c04b6bcfcf9d36e056
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1522958
(cherry picked from commit 801d43cf1b16b20fa07f02bc1f38ce6528b548f1)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1544662

21 months agotegra-alt: adsp: add parameter size checks
Viraj Karandikar [Tue, 14 Mar 2017 05:17:22 +0000]
tegra-alt: adsp: add parameter size checks

Fix possible buffer overflow in case of invalid user
parameter by adding size checks

Bug 1869543
Bug 1888389
Bug 200288656

Change-Id: I82ac00e24a3ca40915eb6c556454c9649cb644bd
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1297227
(cherry-picked from commit 2e4308a3800f3dcd4aa91a1b446cf00cf7ebda59)
Reviewed-on: http://git-master/r/1320244
(cherry picked from commit b897a07b3e83248304253cb1fbb6952bcd0c97a5)
Reviewed-on: http://git-master/r/1322108
(cherry picked from commit c15996eb01662db5b186bd84627f1385f899f1d1)

Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Change-Id: I729c877b254e9c962cbb2fc9fc8618ed8184e92d
Reviewed-on: https://git-master.nvidia.com/r/1544661

21 months agonet: wireless: bcmdhd: additional length check for BRCM EVENT frame.
Insun Song [Wed, 19 Jul 2017 07:39:02 +0000]
net: wireless: bcmdhd: additional length check for BRCM EVENT frame.

(cherry picked from commit 72c9463eaab0fa19a461ac8de7d0abbf825a44bd)

This is just for exceptional case where user has updated kernel to the
latest, but still used non-patched firmware. The non-patched firmware
could deliver ETHER_TYPE_BRCM packet to host.

If attacker inject packet with its header length forged, it could bypass
current host driver's length check routine and cause memory corruption.

Proposed fix is enhancing length check to validate its header length.

Bug 1954564
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Bug: 37168488
Change-Id: I90fc5101bddfd1d427e0a52758ddf8bc16577555
Reviewed-on: https://git-master.nvidia.com/r/1522916
(cherry picked from commit 621ef2077d66b60ccdd0a852839fb8a3f31c558f)
Reviewed-on: https://git-master.nvidia.com/r/1544659
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agotimerfd: Protect the might cancel mechanism proper
Thomas Gleixner [Tue, 31 Jan 2017 14:24:03 +0000]
timerfd: Protect the might cancel mechanism proper

The handling of the might_cancel queueing is not properly protected, so
parallel operations on the file descriptor can race with each other and
lead to list corruptions or use after free.

Protect the context for these operations with a seperate lock.

The wait queue lock cannot be reused for this because that would create a
lock inversion scenario vs. the cancel lock. Replacing might_cancel with an
atomic (atomic_t or atomic bit) does not help either because it still can
race vs. the actual list operation.

Bug 1954564
Bug 200288656

Change-Id: Ie6c4c1a404cb0bfafc8a3a48bbc202560da7608c
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: "linux-fsdevel@vger.kernel.org"
Cc: syzkaller <syzkaller@googlegroups.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1701311521430.3457@nanos
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1522946
(cherry picked from commit 11c677c13527777f2a8413cfb12f4d2fe10db7df)
Reviewed-on: https://git-master.nvidia.com/r/1544658
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agoBACKPORT: f2fs: sanity check log_blocks_per_seg
Jin Qian [Wed, 19 Jul 2017 08:17:53 +0000]
BACKPORT: f2fs: sanity check log_blocks_per_seg

f2fs currently only supports 4KB block size and 2MB segment size.
Sanity check log_blocks_per_seg == 9, i.e. 2MB/4KB = (1 << 9)

Partially
(cherry-picked from commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e)

f2fs: do more integrity verification for superblock

Do more sanity check for superblock during ->mount.

Bug 1954564
Bug 200288656

Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Jin Qian <jinqian@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Bug: 36817013
Change-Id: I0be52e54fba82083068337ceb9f7ad985a87319f
Reviewed-on: https://git-master.nvidia.com/r/1522952
(cherry picked from commit fa7cb31997e5f945661b8fa8a79ea535d85afdef)
Reviewed-on: https://git-master.nvidia.com/r/1544655
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agodccp: fix freeing skb too early for IPV6_RECVPKTINFO
Andrey Konovalov [Thu, 16 Feb 2017 16:22:46 +0000]
dccp: fix freeing skb too early for IPV6_RECVPKTINFO

In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.

However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
in dccp_rcv_state_process.

Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.

Similar fixes for TCP:

fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed

Bug 1940296
Bug 200288656

Change-Id: I9b68d6d5208ea46e0e389cc74af31ed208384afa
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512313
(cherry picked from commit 44f5ff83371c6b3e3a1c31bf8b9d1d2e244085e6)
Reviewed-on: https://git-master.nvidia.com/r/1544654
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agoipv4: keep skb->dst around in presence of IP options
Eric Dumazet [Sat, 4 Feb 2017 19:16:52 +0000]
ipv4: keep skb->dst around in presence of IP options

Andrey Konovalov got crashes in __ip_options_echo() when a NULL skb->dst
is accessed.

ipv4_pktinfo_prepare() should not drop the dst if (evil) IP options
are present.

We could refine the test to the presence of ts_needtime or srr,
but IP options are not often used, so let's be conservative.

Thanks to syzkaller team for finding this bug.

Bug 1940296
Bug 200288656

Change-Id: I0811582c8f0a0c3e205ccf3276596ae13bbe1130
Fixes: d826eb14ecef ("ipv4: PKTINFO doesnt need dst reference")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512314
(cherry picked from commit 6eab5f969496387221220adff51d0ece83e254e8)
Reviewed-on: https://git-master.nvidia.com/r/1544652
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agoRevert "proc: smaps: Allow smaps access for CAP_SYS_RESOURCE"
Nick Desaulniers [Mon, 3 Jul 2017 05:23:49 +0000]
Revert "proc: smaps: Allow smaps access for CAP_SYS_RESOURCE"

This reverts commit f0ce0eee6b71bc310153edb87e66e6b25e12fece.

Bug 1940296
Bug 200288656

Bug: 34951864
Bug: 36468447
Change-Id: I87bd92e096c6c28a53b9ecf302ae008f5e58eba1
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512345
(cherry picked from commit 6ea30839ed3fd0a54b465d5c1de871eae036710a)
Reviewed-on: https://git-master.nvidia.com/r/1544651
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agonet/packet: fix overflow in check for tp_reserve
Andrey Konovalov [Wed, 29 Mar 2017 14:11:22 +0000]
net/packet: fix overflow in check for tp_reserve

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Bug 1940296
Bug 200288656

Change-Id: I12128da5390c28d4fbf99ef94ebbafe8dbc24ed8
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512350
(cherry picked from commit e656e44867126338fbe7435edb0d7169e5d6a8ed)
Reviewed-on: https://git-master.nvidia.com/r/1544650
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agonet/packet: fix overflow in check for tp_frame_nr
Andrey Konovalov [Wed, 29 Mar 2017 14:11:21 +0000]
net/packet: fix overflow in check for tp_frame_nr

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Bug 1940296
Bug 200288656

Change-Id: Id499c301d4a538be717e260cac34b29134172de7
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512349
(cherry picked from commit 105ed894d50a54efa6d425fd5621e10baf258337)
Reviewed-on: https://git-master.nvidia.com/r/1544648
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agonet/packet: fix overflow in check for priv area size
Andrey Konovalov [Wed, 29 Mar 2017 14:11:20 +0000]
net/packet: fix overflow in check for priv area size

Subtracting tp_sizeof_priv from tp_block_size and casting to int
to check whether one is less then the other doesn't always work
(both of them are unsigned ints).

Compare them as is instead.

Also cast tp_sizeof_priv to u64 before using BLK_PLUS_PRIV, as
it can overflow inside BLK_PLUS_PRIV otherwise.

Bug 1940296
Bug 200288656

Change-Id: I832dab4250dcbeb8e7ddf7c83a53f13b15cd28c8
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512348
(cherry picked from commit 827cb7eb0127f807ea6a67df69a49c46006ce19a)
Reviewed-on: https://git-master.nvidia.com/r/1544645
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agoudf: Check path length when reading symlink
Jan Kara [Thu, 18 Dec 2014 21:37:50 +0000]
udf: Check path length when reading symlink

Symlink reading code does not check whether the resulting path fits into
the page provided by the generic code. This isn't as easy as just
checking the symlink size because of various encoding conversions we
perform on path. So we have to check whether there is still enough space
in the buffer on the fly.

Bug 1940296
Bug 200288656

Change-Id: I7858524c1878fb5af78a27759596befbcb164d08
CC: stable@vger.kernel.org
Reported-by: Carl Henrik Lunde <chlunde@ping.uio.no>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1512354
(cherry picked from commit d7942b2678c23d8de5dd24447582b4ef671eaa06)
Reviewed-on: https://git-master.nvidia.com/r/1544644
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agovideo: tegra: dsi: Set max limit for reading panel
Gagan Grover [Wed, 12 Apr 2017 11:28:42 +0000]
video: tegra: dsi: Set max limit for reading panel

In the debugfs support for reading panel registers, max payload
needs to be limited to the buff array size to avoid stack corruption.

Bug 1873360
Bug 200288656

Change-Id: Ibee7bd81027d2669297942c09b905f1dd3bb09ee
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1322188
Reviewed-on: https://git-master.nvidia.com/r/1461401
(cherry picked from commit c57a594cfc45c61e2e3cbba439c6b94ada2e1626)
Reviewed-on: https://git-master.nvidia.com/r/1544643
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agoflounder: FIQ and sysrq default deauthorized
Mark Salyzyn [Fri, 9 Jun 2017 17:40:47 +0000]
flounder: FIQ and sysrq default deauthorized

Bug 1920259
Bug 200288656
Bug: 36101220

Change-Id: Iadd05a78d39cdda0eecf46d46fa97085ec8bddce
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1499400
(cherry picked from commit 07a57d94efc37d8c8e08600733c0265803a3ab3e)
Reviewed-on: https://git-master.nvidia.com/r/1544642
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agoASoC: tegra-alt: add parameter OOB access check
Shashank Verma [Thu, 30 Mar 2017 10:48:25 +0000]
ASoC: tegra-alt: add parameter OOB access check

Prevent out-of-bound array access by adding
checks to the parameter passed from user-space.

Bug 1880773
Bug 1920259
Bug 200288656

Change-Id: I611ec5a2982b0472eae10762f5db7437e76ee5fc
Signed-off-by: Shashank Verma <shashankv@nvidia.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1499389
(cherry picked from commit c48ffa0346fe2d5959b0837dd4ecd6892e8f3ec6)
Reviewed-on: https://git-master.nvidia.com/r/1543348
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agotegra: hdcp: protect sor control reg by sor reset_lock
Ken Chang [Wed, 2 Aug 2017 07:55:00 +0000]
tegra: hdcp: protect sor control reg by sor reset_lock

Introduce sor locking 'reset_lock' to avoid sor accesses during
sor reset sequence from TSEC firmware.

Bug 1954641

Change-Id: I9d1f4409c3d4559fb7874ec1b3f67eded6654d40
Signed-off-by: Ken Chang <kenc@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1531244
(cherry picked from commit 146647ef78f9e75a8e9b774f5e5a69dde5d0c471)
Reviewed-on: https://git-master.nvidia.com/r/1536437
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agovideo: dc: avoid sor access during reset
Ken Chang [Wed, 2 Aug 2017 07:27:21 +0000]
video: dc: avoid sor access during reset

SOR register access during reset is not allowed and will
cause host1x timeout. Thus introduce locking between SOR
reset and SOR read/write to avoid SOR accesses.

We don't want mutual exclusion for SOR read/write callers
because SOR supports concurrent accesses. We do want mutual
exclusion for SOR read/write and SOR reset (also reset from
different callers).
Given that SOR reset is performed only in enable or disable
calls with a rare number of callers compared with SOR
read/write, rwsem is used for this locking, SOR read/write
is the reader and SOR reset is the writer.

Bug 1922197

Change-Id: Icfd9f41cd02b4d96fba3fbad1bd5a1300e1b00fd
Signed-off-by: Ken Chang <kenc@nvidia.com>
(cherry picked from commit 1624104fff3cdd87f1dca996ac4250feead1420a)
Reviewed-on: https://git-master.nvidia.com/r/1518430
(cherry picked from commit 8b037d2acb8c59ec9b9c675125e85c6341cb6feb)
Reviewed-on: https://git-master.nvidia.com/r/1531225
(cherry picked from commit 986b9e8dfc95fc4beb3bebee20a5c06f4d658889)
Reviewed-on: https://git-master.nvidia.com/r/1536436
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agotegra:hdcp: Fix compliance failure 1b-05, 06
Pranami Bhattacharya [Wed, 10 May 2017 04:43:58 +0000]
tegra:hdcp: Fix compliance failure 1b-05, 06

The HDCP 1.x spec requires encryption to be enabled after performing
stage 1 of authentication. Currently the encryption is enabled after
getting the repeater information. This patch fixes this to turn on
encryption after stage 1 of authentication is complete.

Bug 200305084

Change-Id: I126ab0ce58cb213377ef94de1b0f50320a4e5ccd
Signed-off-by: Pranami Bhattacharya <pranamib@nvidia.com>
Reviewed-on: http://git-master/r/1483676
(cherry picked from commit cef8422bc3e9d9ec1b0c0d0238777cc87cc9f144)
Reviewed-on: https://git-master.nvidia.com/r/1536435
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

21 months agotegra: hdcp: use workqueue for plug work
Prafull Suryawanshi [Thu, 2 Feb 2017 07:05:35 +0000]
tegra: hdcp: use workqueue for plug work

HDMI plug events causes hdcp to turn on/off. Sometimes
errors in hdcp causes plug event to take time and respond
back to dc driver. To remove this delay, now hdcp work
can be done in workqueue.

bug 200265967

Change-Id: I37f636a54bdf14550232079351e5bc30a4196352
Signed-off-by: Prafull Suryawanshi <prafulls@nvidia.com>
Reviewed-on: http://git-master/r/1297760
(cherry picked from commit f40042ded9f25955ab382aa84f9cd5f03555c8d7)
Reviewed-on: https://git-master.nvidia.com/r/1536369
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

22 months agoRevert "net: wireless: bcmdhd: add shutdown handler for bcmdhd driver"
Manikanta [Tue, 3 Jan 2017 11:48:36 +0000]
Revert "net: wireless: bcmdhd: add shutdown handler for bcmdhd driver"

This reverts commit 89bca7fbb5891ef3f466c35b2901f15bdacbc28e.

Issue: WiFi driver is accessing I/O registers during shutdown.
These register accesses are failing because WiFi chip powered OFF
as part of shutdown.
Fix: WiFi shutdown handler is added as WAR for bug 200042650,
which is actually fixed with bootrom patch later, so it is
not required now.

bug 200267646
bug 200326157

Change-Id: Ia050e918ea4a30a0735ef22a713550c7f925c6a6
Signed-off-by: Manikanta <mmaddireddy@nvidia.com>
Reviewed-on: http://git-master/r/1279524
(cherry picked from commit 4be0be0f87b6537e12dfd83a1b8980e0814064ca)
Reviewed-on: https://git-master.nvidia.com/r/1523984
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mohan Thadikamalla <mohant@nvidia.com>
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>

22 months agoRevert "net: wireless: bcmdhd: ignore hang event during shutown"
Manikanta [Tue, 3 Jan 2017 11:48:05 +0000]
Revert "net: wireless: bcmdhd: ignore hang event during shutown"

This reverts commit b9a667f961c73156d27ae1de32486564144e090d.

Issue: WiFi driver is accessing I/O registers during shutdown.
These register accesses are failing because WiFi chip powered OFF
as part of shutdown.
Fix: WiFi shutdown handler is added as WAR for bug 200042650,
which is actually fixed with bootrom patch later, so it is
not required now.

bug 200267646
bug 200326157

Change-Id: I523cf5eea6e03223287c86eb89727cf1aae26513
Signed-off-by: Manikanta <mmaddireddy@nvidia.com>
Reviewed-on: http://git-master/r/1279523
(cherry picked from commit abdbe20f52e8202db76af5e23a88708c7ccaa3de)
Reviewed-on: https://git-master.nvidia.com/r/1523983
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mohan Thadikamalla <mohant@nvidia.com>
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>

22 months agoRevert "net: wireless: bcmdhd: Ignore IOCTL during shutdown"
Manikanta [Tue, 3 Jan 2017 11:43:26 +0000]
Revert "net: wireless: bcmdhd: Ignore IOCTL during shutdown"

This reverts commit cdd719b7c16df2b4720170b8213ddc2bd8a6bfeb.

Issue: WiFi driver is accessing I/O registers during shutdown.
These register accesses are failing because WiFi chip powered OFF
as part of shutdown.
Fix: WiFi shutdown handler is added as WAR for bug 200042650,
which is actually fixed with bootrom patch later, so it is
not required now.

bug 200267646
bug 200326157

Change-Id: Id7731e8595a2b8712cab7bbb07d4fb2bde929e1e
Signed-off-by: Manikanta <mmaddireddy@nvidia.com>
Reviewed-on: http://git-master/r/1279522
(cherry picked from commit 0fe874331e111cf8ec3fb5d3c58ddcf028c47ce3)
Reviewed-on: https://git-master.nvidia.com/r/1523982
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mohan Thadikamalla <mohant@nvidia.com>
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>

22 months agoarm64: dts: t210: add gpt bootargs for Foster
Yunfan Zhang [Fri, 14 Apr 2017 07:51:50 +0000]
arm64: dts: t210: add gpt bootargs for Foster

- we removed gpt cmdline option in bootloader
- add gpt option for Foster device only, since sata device has no protective
  mbr flashed, or system will failed to init and mount partition

Bug 200285232

Change-Id: I7781ec2d198415dc887f579bee776c259eb90cc2
Signed-off-by: Yunfan Zhang <yunfanz@nvidia.com>
Reviewed-on: http://git-master/r/1462901
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
Reviewed-on: https://git-master/r/1514238
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

22 months agoAdding NOTASSOCIATED FW error to disconnect wifi
Mahesh Patil [Mon, 27 Mar 2017 20:05:09 +0000]
Adding NOTASSOCIATED FW error to disconnect wifi

Adding NOTASSOCIATED error from FW to Disconnect wifi and
setting disconnect timer to 5 sec

Bug 200215502

Change-Id: I205f6a73780f5a5980851cb805c263e2ed9270c1
Signed-off-by: Mahesh Patil <maheshp@nvidia.com>
Reviewed-on: http://git-master/r/1329313
Reviewed-on: https://git-master/r/1503643
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agonet: wireless: bcmdhd: Heap overflow in wl_run_escan
Sudhir Kohalli [Wed, 10 May 2017 17:15:45 +0000]
net: wireless: bcmdhd: Heap overflow in wl_run_escan

1) The default_chan_list buffer overflow is avoided by checking
n_nodfs index does not exceed num_chans, which is the length
of default_chan_list buffer.
2) The SSID length check 32(max limit) is done and then the SSID
name copied in extra buffer is null terminated. The extra buffer
is allocated a length of of 33 in wl_iw_ioctl.c.

Bug: 34197514
Bug: 34199963
Bug: 34198729

Bug 1887273

Change-Id: Ic583c12b00523186718bc891fc3d9505a07738b6
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Signed-off-by: Mohan Thadikamalla <mohant@nvidia.com>
Reviewed-on: http://git-master/r/1480396
(cherry picked from commit 06fb341c4675b2d3176b319c53ef97492174f26c)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: http://git-master/r/1496749

23 months agousb tuner: Enable si2168 driver
Jean Huang [Fri, 12 May 2017 17:43:57 +0000]
usb tuner: Enable si2168 driver

Bug 1923707

Change-Id: I33743d132881ac3630082b5b071219efffb4a44a
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Reviewed-on: http://git-master/r/1480980
(cherry picked from commit c95167402752b8c4eedb9c40b64242555bd016ce)
Reviewed-on: http://git-master/r/1496753
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agore-enable CONFIG_RC_DECODERS
Jean Huang [Thu, 27 Apr 2017 01:57:06 +0000]
re-enable CONFIG_RC_DECODERS

Bug 1914147

Change-Id: Id0f040662bb4a7ba6e0abf2c79451b911bce9805
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Reviewed-on: http://git-master/r/1470905
(cherry picked from commit 5878f5ad7599ebb1ff13cabf6712285948e2588f)
Reviewed-on: http://git-master/r/1496691
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agomedia: usb: em28xx: fix build break in em28xx-input
Jean Huang [Mon, 24 Apr 2017 23:20:48 +0000]
media: usb: em28xx: fix build break in em28xx-input

Bug 1904252

Change-Id: Id76adbb4e623b86391fc2127942829de61dcb246
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng<phorng@nvidia.com>
Reviewed-on: http://git-master/r/1468925
(cherry picked from commit 883d9948e58da00fca66553260de784c903459e1)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: http://git-master/r/1496678

23 months agomedia: usb: em28xx: resolve WinTV dualHD plugging/unplugging crash
Sungtak Lee [Thu, 9 Feb 2017 18:02:35 +0000]
media: usb: em28xx: resolve WinTV dualHD plugging/unplugging crash

The second adapter has to be removed first because the data structure of
the first adapter contains a pointer to the second. If memory of the
first adapter is freed before the second adapter is removed the pointer
could be corrupted and kernel crashes could follow.
SHA1 commit:d86686b5879b5fba57a0fac47d94982cafaa65bb

Bug: 32669837
Bug 1904252

Change-Id: Ie3e8d726261e7d88822a5875e89b31e04bef9fce
Signed-off-by: Jean Huang <jeanh@nvidia.com>
Signed-off-by: Patrick Horng<phorng@nvidia.com>
Reviewed-on: http://git-master/r/1460865
(cherry picked from commit d0cc413ef80e4bbd90d3ce6d8eaad22aa72e7881)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: http://git-master/r/1496673

23 months agomedia: usb: em28xx: support bulk mode of Hauppauge WinTV-DualHD devices
Dongwon Kang [Wed, 21 Dec 2016 18:09:50 +0000]
media: usb: em28xx: support bulk mode of Hauppauge WinTV-DualHD devices

SHA1 commit:7a1ab4e2cb16186c224c018981da752fecbe845d

Bug: 30095176
Bug 1904252

Change-Id: I43061ca56ddb85415aa581e90e0d2449a640e0bf
(cherry picked from commit 70a32da6df1bfbdb7411c4494e6d3f22bd04e3f8)
Signed-off-by: Patrick Horng <phorng@nvidia.com>
Reviewed-on: http://git-master/r/1463074
Reviewed-by: Vinayak Pane <vpane@nvidia.com>
(cherry picked from commit 6ad89cc6291395517872be10dbd21a0e140bc8d1)
Reviewed-on: http://git-master/r/1460889
(cherry picked from commit 4da3d427ac18ebbc77a0f4ce44ee5003444f39fb)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: http://git-master/r/1496672

23 months ago[PATCH] tracing: do not leak kernel addresses
Nick Desaulniers [Sun, 16 Apr 2017 18:02:15 +0000]
[PATCH] tracing: do not leak kernel addresses

This likely breaks tracing tools like trace-cmd.  It logs in the same
format but now addresses are all 0x0.

Bug 1899974

Bug: 34277115
Change-Id: Ifb0d4d2a184bf0d95726de05b1acee0287a375d9
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463515
(cherry picked from commit d4077427aa5ccb3f0538fd6301b7b722c41af321)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: http://git-master/r/1496533

23 months agoRevert "video: tegra: dc: Increase HPD debounce to 500ms"
Prafull Suryawanshi [Wed, 12 Apr 2017 04:25:32 +0000]
Revert "video: tegra: dc: Increase HPD debounce to 500ms"

This reverts commit 4c3ae6eb3bfbde66128de486cbafa1a7217724e0.

bug 200297722

Change-Id: I99560b44f3e4d3fed97763308bf2e4eac42ad62f
Signed-off-by: Prafull Suryawanshi <prafulls@nvidia.com>
Reviewed-on: http://git-master/r/1461057
(cherry picked from commit 9fb63dc05e1b60a20b2da313a40d9cc223b950c1)
Reviewed-on: http://git-master/r/1496541
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agoperf: Tighten (and fix) the grouping condition
Peter Zijlstra [Fri, 23 Jan 2015 10:19:48 +0000]
perf: Tighten (and fix) the grouping condition

The fix from 9fc81d87420d ("perf: Fix events installation during
moving group") was incomplete in that it failed to recognise that
creating a group with events for different CPUs is semantically
broken -- they cannot be co-scheduled.

Furthermore, it leads to real breakage where, when we create an event
for CPU Y and then migrate it to form a group on CPU X, the code gets
confused where the counter is programmed -- triggered in practice
as well by me via the perf fuzzer.

Fix this by tightening the rules for creating groups. Only allow
grouping of counters that can be co-scheduled in the same context.
This means for the same task and/or the same cpu.

Bug 1899974

Change-Id: Ie4752ec048cd813b2587ce459aea8ccc6f1b5189
Fixes: 9fc81d87420d ("perf: Fix events installation during moving group")
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Link: http://lkml.kernel.org/r/20150123125834.090683288@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463511
(cherry picked from commit 3363bc34d21e31994ba91187afd9d4a550f71c76)
Reviewed-on: http://git-master/r/1496536
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agotrace: resolve stack corruption due to string copy
Amey Telawane [Sun, 16 Apr 2017 17:37:32 +0000]
trace: resolve stack corruption due to string copy

Strcpy has no limit on string being copied which causes
stack corruption leading to kernel panic. Use strlcpy to
resolve the issue by providing length of string to be copied.

Bug 1899974

CRs-fixed: 1048480
Change-Id: Ib290b25f7e0ff96927b8530e5c078869441d409f
Signed-off-by: Amey Telawane <ameyt@codeaurora.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463510
(cherry picked from commit 31181e12cc26953993314db7e493c1d545ef176e)
Reviewed-on: http://git-master/r/1496534
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months ago[PATCH] Prevent heap overflow in uvc driver
Robb Glasser [Sun, 16 Apr 2017 17:55:58 +0000]
[PATCH] Prevent heap overflow in uvc driver

The size of uvc_control_mapping is user controlled leading to a
potential heap overflow in the uvc driver. This adds a check to verify
the user provided size fits within the bounds of the defined buffer
size.

Bug 1899974

Bug: 33300353
Change-Id: If29c1b396633b6137966a12e38f6fd1841b045bd
Signed-off-by: Robb Glasser <rglasser@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463514
(cherry picked from commit 2ce4b93b8abcdeafd922ad03ab77b490d49f2e96)
Reviewed-on: http://git-master/r/1496530
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agoxfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
Andy Whitcroft [Wed, 22 Mar 2017 07:29:31 +0000]
xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window

When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer.  However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call.  There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents.  We do
not at this point check that the replay_window is within the allocated
memory.  This leads to out-of-bounds reads and writes triggered by
netlink packets.  This leads to memory corruption and the potential for
priviledge escalation.

We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len().  This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn.  It however does not check the replay_window
remains within that buffer.  Add validation of the contained
replay_window.

Bug 1899974

CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Change-Id: Icfade54ffb7afeb808f73ad3ff2ab50ceaf5f610
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463513
(cherry picked from commit d97f69ee6e71a4afc01b31279daa6714bb89e303)
Reviewed-on: http://git-master/r/1496527
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agoregulator: core: Fix regualtor_ena_gpio_free not to access pin after freeing
Seung-Woo Kim [Thu, 4 Dec 2014 10:17:17 +0000]
regulator: core: Fix regualtor_ena_gpio_free not to access pin after freeing

After freeing pin from regulator_ena_gpio_free, loop can access
the pin. So this patch fixes not to access pin after freeing.

Bug 1899974

Change-Id: I613a9ceca9471c93631231840ed61f86f6180850
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463512
(cherry picked from commit 58f77d4fb29f439f9b875a7fa1e06113b25218ee)
Reviewed-on: http://git-master/r/1496525
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agoALSA: pcm : Call kill_fasync() in stream lock
Takashi Iwai [Mon, 12 Dec 2016 16:33:06 +0000]
ALSA: pcm : Call kill_fasync() in stream lock

commit 3aa02cb664c5fb1042958c8d1aa8c35055a2ebc4 upstream.

Currently kill_fasync() is called outside the stream lock in
snd_pcm_period_elapsed().  This is potentially racy, since the stream
may get released even during the irq handler is running.  Although
snd_pcm_release_substream() calls snd_pcm_drop(), this doesn't
guarantee that the irq handler finishes, thus the kill_fasync() call
outside the stream spin lock may be invoked after the substream is
detached, as recently reported by KASAN.

As a quick workaround, move kill_fasync() call inside the stream
lock.  The fasync is rarely used interface, so this shouldn't have a
big impact from the performance POV.

Ideally, we should implement some sync mechanism for the proper finish
of stream and irq handler.  But this oneliner should suffice for most
cases, so far.

Bug 1899974

Change-Id: Ic31806608aae8ae3ee37145e118d9203040618a0
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1463509
(cherry picked from commit 54674e2776f0f965625778b268df97dcdde7092f)
Reviewed-on: http://git-master/r/1496524
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agonet: wireless: bcmdhd: fix overrun in wl_run_escan
Insun Song [Sat, 14 Jan 2017 00:25:59 +0000]
net: wireless: bcmdhd: fix overrun in wl_run_escan

prevent buffer overrun case where WLC_GET_VALID_CHANNELS IOCTL
 overriden by attacker and its return manipulated.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Ifbbaa3c2bdfd9bea7533d605303f18e17c8d85cc
Bug: 34197514
Reviewed-on: http://git-master/r/1459053
(cherry picked from commit aad3219daaaa44172f1c1ffeaf3447e230ef0f57)
Reviewed-on: http://git-master/r/1463481
(cherry picked from commit 09f665dfdf3cc09e5484f50732e26f351c9649f1)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: http://git-master/r/1496441

23 months agonet: wireless: bcmdhd: fix buffer overrun in wl_cfg80211_add_iw_ie
Insun Song [Wed, 1 Feb 2017 03:57:20 +0000]
net: wireless: bcmdhd: fix buffer overrun in wl_cfg80211_add_iw_ie

added boundary check not to override allocated buffer.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: I76211db7ef595fc41cf5d5d58de79cedfe80e521
Bug: 32125310
Reviewed-on: http://git-master/r/1459052
(cherry picked from commit 6e92cb348bf85964526c7f257e11972608bc3f3e)
Reviewed-on: http://git-master/r/1463480
(cherry picked from commit c954fbde7184885b8f847a41fad33c7b3cc23370)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: http://git-master/r/1496437

23 months agonet: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref
Insun Song [Wed, 1 Feb 2017 00:18:40 +0000]
net: wireless: bcmdhd: fix buffer overrun in wl_android_set_roampref

added boundary check not to override allocated buffer.
Specially when user input corrupted or manipulated.

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Id6196da10111517696eda5f186b1e2dd19f66085
Bug: 34469904
Reviewed-on: http://git-master/r/1459055
(cherry picked from commit 7bbbb5e7c7007959ce2704883aff37fc470a95c1)
Reviewed-on: http://git-master/r/1463483
(cherry picked from commit a428a33208af05c6d4ce0b28897a9587135c4281)
Reviewed-on: http://git-master/r/1496439
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agonet: wireless: bcmdhd: fix buffer overrun in wlfc reordering
Insun Song [Wed, 25 Jan 2017 19:41:49 +0000]
net: wireless: bcmdhd: fix buffer overrun in wlfc reordering

added boundary check not to override allocated buffer

Bug 1887273
Bug 200288656

Signed-off-by: Insun Song <insun.song@broadcom.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Change-Id: Iad44141ba4e4cd224eda292c05ffe525bf74227d
Bug: 34203305
Reviewed-on: http://git-master/r/1459054
(cherry picked from commit b88e3d0b355ce821c92760bf41d04a917dab092d)
Reviewed-on: http://git-master/r/1463482
(cherry picked from commit 858f41ea51deca008d4752f7b382ba6151411b9b)
Reviewed-on: http://git-master/r/1496438
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agoARM64: config: tegra21: Disable tegra-cryptodev
Gagan Grover [Tue, 11 Apr 2017 04:15:35 +0000]
ARM64: config: tegra21: Disable tegra-cryptodev

tegra-cryptodev is used to expose IOCTLS for tegra
hardware engine. However as SE hardware engine is
disabled due to performance reasons, so disable
tegra-cryptodev module as well.

boot.img size is reduced by 2048 bytes.

Bug 1857996
Bug 200297552

Change-Id: I90b3ef36f59681e16b9e52f03a05685ed0d6d86b
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1458879
Reviewed-on: http://git-master/r/1460134
(cherry picked from commit 651195a1155ff6559009d8dc9824dcee509bfba3)
Reviewed-on: http://git-master/r/1463508
(cherry picked from commit cb3f7c82c555f33499e918fdf2bca6c4da905dbe)
Reviewed-on: http://git-master/r/1496436
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agoposix_acl: Clear SGID bit when setting file permissions
Jan Kara [Mon, 19 Sep 2016 15:39:09 +0000]
posix_acl: Clear SGID bit when setting file permissions

When file permissions are modified via chmod(2) and the user is not in
the owning group or capable of CAP_FSETID, the setgid bit is cleared in
inode_change_ok().  Setting a POSIX ACL via setxattr(2) sets the file
permissions as well as the new ACL, but doesn't clear the setgid bit in
a similar way; this allows to bypass the check in chmod(2).  Fix that.

Bug 1887273
Bug 200288656

Change-Id: I513706c5a9f674517a340fc797fb1de6aa0c4a3f
References: CVE-2016-7097
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1458111
(cherry picked from commit f6ad7afd14a181e0e2a5734242a65c1200d5ba3b)
Reviewed-on: http://git-master/r/1459849
(cherry picked from commit 9e810f23f710b3019107c4e898f009a2d45e5fde)
Reviewed-on: http://git-master/r/1463479
(cherry picked from commit 8c4970d07a0cacb45e9b571b25800ea972a6f9d7)
Reviewed-on: http://git-master/r/1496435
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agofs: limit filesystem stacking depth
Miklos Szeredi [Thu, 23 Oct 2014 22:14:39 +0000]
fs: limit filesystem stacking depth

Add a simple read-only counter to super_block that indicates how deep this
is in the stack of filesystems.  Previously ecryptfs was the only stackable
filesystem and it explicitly disallowed multiple layers of itself.

Overlayfs, however, can be stacked recursively and also may be stacked
on top of ecryptfs or vice versa.

To limit the kernel stack usage we must limit the depth of the
filesystem stack.  Initially the limit is set to 2.

Bug 1887273
Bug 200288656

Change-Id: Ibaa154eb2b102d02370fe2003387b0131fe2955a
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1455849
(cherry picked from commit 5fa62435eaef75e479c0c157b4d911344f64b002)
Reviewed-on: http://git-master/r/1459845
(cherry picked from commit bdf94e85be19fd3b91669427343d6fde4177fb83)
Reviewed-on: http://git-master/r/1496433
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agoudp: properly support MSG_PEEK with truncated buffers
Eric Dumazet [Wed, 30 Dec 2015 13:51:12 +0000]
udp: properly support MSG_PEEK with truncated buffers

Backport of this upstream commit into stable kernels :
89c22d8c3b27 ("net: Fix skb csum races when peeking")
exposed a bug in udp stack vs MSG_PEEK support, when user provides
a buffer smaller than skb payload.

In this case,
skb_copy_and_csum_datagram_iovec(skb, sizeof(struct udphdr),
                                 msg->msg_iov);
returns -EFAULT.

This bug does not happen in upstream kernels since Al Viro did a great
job to replace this into :
skb_copy_and_csum_datagram_msg(skb, sizeof(struct udphdr), msg);
This variant is safe vs short buffers.

For the time being, instead reverting Herbert Xu patch and add back
skb->ip_summed invalid changes, simply store the result of
udp_lib_checksum_complete() so that we avoid computing the checksum a
second time, and avoid the problematic
skb_copy_and_csum_datagram_iovec() call.

This patch can be applied on recent kernels as it avoids a double
checksumming, then backported to stable kernels as a bug fix.

Bug 1885879

Change-Id: Ie7215bf99beee2fccd662152e80767cdeb6ff9b2
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1330675
(cherry picked from commit 4e811459502fbf165d5148f9b0f2cdae03077a45)
Reviewed-on: http://git-master/r/1496432
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agogpu: nvgpu: Implement NVGPU_GPU_IOCTL_GET_GPU_TIME
Sami Kiminki [Tue, 12 Apr 2016 19:33:36 +0000]
gpu: nvgpu: Implement NVGPU_GPU_IOCTL_GET_GPU_TIME

Implement NVGPU_GPU_IOCTL_GET_GPU_TIME for reading the GPU time.

Bug 1395833

Change-Id: I7ddc7c28ff0c9a336cc0dcd820b15fb0fea714d0
Signed-off-by: Sami Kiminki <skiminki@nvidia.com>
Reviewed-on: http://git-master/r/1125630
(cherry picked from commit 6b35cb05b7822174bf037da7229154004df4f229)
Reviewed-on: http://git-master/r/1317214
(cherry picked from commit cf731c89ab525c59dad38a346649999517e8ecea)
Reviewed-on: http://git-master/r/1325192
GVS: Gerrit_Virtual_Submit
Reviewed-by: Donghan Ryu <dryu@nvidia.com>
(cherry picked from commit f118e3efb7aa3ff107b00540bbd55a032cd1ddf3)
Reviewed-on: http://git-master/r/1461691
(cherry picked from commit 634e56e988dead11407da36952a58e7fb4456fd0)
Reviewed-on: http://git-master/r/1495980
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months ago[media] uvcvideo: Increase UVC_MAX_STATUS_SIZE
Peter Yu [Fri, 3 Mar 2017 04:38:31 +0000]
[media] uvcvideo: Increase UVC_MAX_STATUS_SIZE

When system does camera stress(open and close camera) with
Logiteceh HP Pro Webcam C920. Babble error are found in beginning
of every test loop. Sometimes, device will disconnect unexpectedly.
This is a specific issue to C920. Increase UVC_MAX_STATUS_SIZE to
1024 will prevent babble error and device unexpected disconnection
issue during test.

Bug 200265143
Bug 200268964

Change-Id: I0e99f7d17894fab2d12008687f9218c1a47ad26f
Signed-off-by: Peter Yu <pyu@nvidia.com>
Reviewed-on: http://git-master/r/1314405
(cherry picked from commit 8e82c0ce17af3b7d83134b04ea490b8d3197491f)
Reviewed-on: http://git-master/r/1495966
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agodma-coherent: fix possible panic when releasing chunk
Sri Krishna chowdary [Tue, 22 Mar 2016 04:25:13 +0000]
dma-coherent: fix possible panic when releasing chunk

When more than cma_chunk_size is being released then dma
release callback panics. Treat it as a valid release as long
as it lies within the current size of the cma region shared
with the OS.

bug 1715544
bug 200290806

Change-Id: Iee513067f00d2f0c91ca1811f58382b7724b528e
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1113872
(cherry picked from commit b7b3f787bfb885678c6470f00671247743cf0aaa)
Reviewed-on: http://git-master/r/1325120
(cherry picked from commit 2512205c8bc2599275bfb9fd044b700e10b8dae6)
Reviewed-on: http://git-master/r/1495965
Reviewed-by: Xianhui Wang <xianhuiw@nvidia.com>
Tested-by: Xianhui Wang <xianhuiw@nvidia.com>

23 months agoRevert "netfilter: have ip*t REJECT set the sock err when an icmp is to be sent"
Erik Kline [Tue, 7 Feb 2017 12:48:55 +0000]
Revert "netfilter: have ip*t REJECT set the sock err when an icmp is to be sent"

This reverts commit 6f489c42a92e0e33d4257017d6fd4a3e79f75f79.

Bug: 28719525

Bug 1864178
Change-Id: I108152d14d5844a2fe5532ac3b5a757e54b8ff73
Signed-off-by: Erik Kline <ek@google.com>
Signed-off-by: Om Prakash Singh <omp@nvidia.com>
Reviewed-on: http://git-master/r/1300539
(cherry picked from commit 50b7fca845c724e6b3281b7173221cc278317f6b)
Reviewed-on: http://git-master/r/1458307
(cherry picked from commit 2c224aa2836eb7028faca6863ae3324434878529)
Signed-off-by: Xianhui Wang <xianhuiw@nvidia.com>
Reviewed-on: http://git-master/r/1495920