12 months agoarm: Add BTB invalidation on switch_mm for Cortex-A9, A12 and A17 l4t/l4t-r21 l4t/l4t-r21.7 tegra-l4t-r21.7 tegra-l4t-r21.7.update-01
Marc Zyngier [Thu, 1 Feb 2018 11:07:33 +0000]
arm: Add BTB invalidation on switch_mm for Cortex-A9, A12 and A17

** Not yet queued for inclusion in mainline **

In order to avoid aliasing attacks against the branch predictor,
some implementations require to invalidate the BTB when switching
from one user context to another.

For this, we reuse the existing implementation for Cortex-A8, and
apply it to A9, A12 and A17.

Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Change-Id: Ibbd99465a5dcf5eda6a29dd23a55f9b21b280e65
Reviewed-on: https://git-master.nvidia.com/r/1704129
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

12 months agohost1x: prevent speculative load related leak
Jeetesh Burman [Thu, 19 Apr 2018 15:57:20 +0000]
host1x: prevent speculative load related leak

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ifc618c00cee497e6d84cac01a9b73fcecbe8f260
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650036
(cherry picked from commit 164f8684deb5b15a53c60a60c7d9b8e3bf5af5be)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682714
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698611
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

12 months agogpu: nvgpu: add speculative load barrier (ctrl IOCTLs)
Jeetesh Burman [Thu, 19 Apr 2018 15:46:37 +0000]
gpu: nvgpu: add speculative load barrier (ctrl IOCTLs)

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem insert a speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640500
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650050
(cherry picked from commit f293fa670fd2f4fbe170f1e372e9aa237283c67a)
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1682715
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698610
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

12 months agoarm: Invalidate icache on prefetch abort outside of user mapping on Cortex-A15
Marc Zyngier [Thu, 1 Feb 2018 11:07:37 +0000]
arm: Invalidate icache on prefetch abort outside of user mapping on Cortex-A15

** Not yet queued for inclusion in mainline **

In order to prevent aliasing attacks on the branch predictor,
invalidate the icache on Cortex-A15, which has the side effect
of invalidating the BTB. This requires ACTLR[0] to be set to 1
(secure operation).

Change-Id: I4bb8e3ec05853d739bebd8fb3c61657e252808c0
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698400
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

12 months agoarm: Invalidate BTB on prefetch abort outside of user mapping on Cortex A8, A9, A12...
Marc Zyngier [Thu, 1 Feb 2018 11:07:34 +0000]
arm: Invalidate BTB on prefetch abort outside of user mapping on Cortex A8, A9, A12 and A17

** Not yet queued for inclusion in mainline **

In order to prevent aliasing attacks on the branch predictor,
invalidate the BTB on CPUs that are known to be affected when taking
a prefetch abort on a address that is outside of a user task limit.

__ACCESS_CP15 and __ACCESS_CP15_64 added from below link:
https://patchwork.kernel.org/patch/9234399/

Change-Id: Ib8c9807f5e787437e66b83ea0305d75cce4bbbdf
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698399
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

12 months agoarm: Add icache invalidation on switch_mm for Cortex-A15
Marc Zyngier [Thu, 1 Feb 2018 11:07:36 +0000]
arm: Add icache invalidation on switch_mm for Cortex-A15

** Not yet queued for inclusion in mainline **

In order to avoid aliasing attacks against the branch predictor,
Cortex-A15 require to invalidate the BTB when switching
from one user context to another. The only way to do so on this
CPU is to perform an ICIALLU, having set ACTLR[0] to 1 from secure
mode.

Change-Id: Ib0083803d75a4399b8225193349a4b490d1776a1
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698398
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

12 months agoDocumentation: Document array_index_nospec
Mark Rutland [Tue, 30 Jan 2018 01:02:16 +0000]
Documentation: Document array_index_nospec

Commit f84a56f73ddd upstream.

Document the rationale and usage of the new array_index_nospec() helper.

Change-Id: I4b804638bbe9811b82d34cd58314cbb1738d7d25
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Cc: linux-arch@vger.kernel.org
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: gregkh@linuxfoundation.org
Cc: kernel-hardening@lists.openwall.com
Cc: torvalds@linux-foundation.org
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727413645.33451.15878817161436755393.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698397
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

12 months agoarray_index_nospec: Sanitize speculative array de-references
Dan Williams [Tue, 30 Jan 2018 01:02:22 +0000]
array_index_nospec: Sanitize speculative array de-references

Commit f3804203306e upstream.

array_index_nospec() is proposed as a generic mechanism to mitigate
against Spectre-variant-1 attacks, i.e. an attack that bypasses boundary
checks via speculative execution. The array_index_nospec()
implementation is expected to be safe for current generation CPUs across
multiple architectures (ARM, x86).

Based on an original implementation by Linus Torvalds, tweaked to remove
speculative flows by Alexei Starovoitov, and tweaked again by Linus to
introduce an x86 assembly implementation for the mask generation.

Change-Id: I859161a289215b20bd25ef4006115c0268b30b83
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Co-developed-by: Alexei Starovoitov <ast@kernel.org>
Suggested-by: Cyril Novikov <cnovikov@lynx.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Cc: linux-arch@vger.kernel.org
Cc: kernel-hardening@lists.openwall.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Russell King <linux@armlinux.org.uk>
Cc: gregkh@linuxfoundation.org
Cc: torvalds@linux-foundation.org
Cc: alan@linux.intel.com
Link: https://lkml.kernel.org/r/151727414229.33451.18411580953862676575.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1698396
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

13 months agoHID: core: prevent out-of-bound readings
Amulya Y [Fri, 6 Apr 2018 22:48:49 +0000]
HID: core: prevent out-of-bound readings

Plugging a Logitech DJ receiver with KASAN activated raises a bunch of
out-of-bound readings.

The fields are allocated up to MAX_USAGE, meaning that potentially, we do
not have enough fields to fit the incoming values.
Add checks and silence KASAN.

Bug 1823317
Bug 1935735

Change-Id: Ib3ba92572acbdd4c9ec265e54a45f92606107700
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259928
(cherry picked from commit fbc389a39540e177bfa4d49b9214dfe408ef2d4a)
Reviewed-on: https://git-master.nvidia.com/r/1690285
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agoperf: Fix race in swevent hash
Amulya Y [Fri, 6 Apr 2018 22:42:31 +0000]
perf: Fix race in swevent hash

There's a race on CPU unplug where we free the swevent hash array
while it can still have events on. This will result in a
use-after-free which is BAD.

Simply do not free the hash array on unplug. This leaves the thing
around and no use-after-free takes place.

When the last swevent dies, we do a for_each_possible_cpu() iteration
anyway to clean these up, at which time we'll free it, so no leakage
will occur.

Bug 1823317
But 1935735

Change-Id: I309528873f8576f96663afbe51ce2739934df16c
Reported-by: Sasha Levin <sasha.levin@oracle.com>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259934
(cherry picked from commit 5ea640855404df656d94bfa3990d8eba2b5f90f9)
Reviewed-on: https://git-master.nvidia.com/r/1690284
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agoext4:fix use after free in __ext4_journal_stop
Amulya Y [Thu, 5 Apr 2018 22:06:13 +0000]
ext4:fix use after free in __ext4_journal_stop

There is a use-after-free possibility in __ext4_journal_stop() in the
case that we free the handle in the first jbd2_journal_stop() because
we're referencing handle->h_err afterwards. This was introduced in
9705acd63b125dee8b15c705216d7186daea4625 and it is wrong. Fix it by
storing the handle->h_err value beforehand and avoid referencing
potentially freed handle.

Bug 1823317

Change-Id: Ib6fe50ed8013943d5fc3459eb499ecda5533c6ef
Fixes: 9705acd63b125dee8b15c705216d7186daea4625
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@vger.kernel.org
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259975
(cherry picked from commit 3c15c37dc613cb75339f8e0d546ab30643e65b84)
Reviewed-on: https://git-master.nvidia.com/r/1690287
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agoproc:prevent /proc/PID/environ access until ready
Amulya Y [Thu, 5 Apr 2018 21:40:20 +0000]
proc:prevent /proc/PID/environ access until ready

If /proc/<PID>/environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing to read beyond the end of what has been written.

Fix this as it is done for /proc/<PID>/cmdline by testing env_end for
zero.  It is, apparently, intentionally set last in create_*_tables().

This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.

The expected consequence is that userland trying to access
/proc/<PID>/environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment
variables.

Bug 1823317
Bug 1935735

Change-Id: I38356eb68ffd1294f1f1250fb328bd01a3b37158
Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
Signed-off-by: Mathias Krause <minipli@googlemail.com>
Cc: Emese Revfy <re.emese@gmail.com>
Cc: Pax Team <pageexec@freemail.hu>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Mateusz Guzik <mguzik@redhat.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1259930
(cherry picked from commit 78d40f25b8e090782ca6b0c6051020557d373c92)
Reviewed-on: https://git-master.nvidia.com/r/1690302
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agotty: Prevent ldisc drivers from re-using stale tty fields
Peter Hurley [Fri, 27 Nov 2015 19:30:21 +0000]
tty: Prevent ldisc drivers from re-using stale tty fields

Line discipline drivers may mistakenly misuse ldisc-related fields
when initializing. For example, a failure to initialize tty->receive_room
in the N_GIGASET_M101 line discipline was recently found and fixed [1].
Now, the N_X25 line discipline has been discovered accessing the previous
line discipline's already-freed private data [2].

Harden the ldisc interface against misuse by initializing revelant
tty fields before instancing the new line discipline.

[1]
    commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
    Author: Tilman Schmidt <tilman@imap.cc>
    Date:   Tue Jul 14 00:37:13 2015 +0200

    isdn/gigaset: reset tty->receive_room when attaching ser_gigaset

[2] Report from Sasha Levin <sasha.levin@oracle.com>
    [  634.336761] ==================================================================
    [  634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
    [  634.339558] Read of size 4 by task syzkaller_execu/8981
    [  634.340359] =============================================================================
    [  634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
    ...
    [  634.405018] Call Trace:
    [  634.405277] dump_stack (lib/dump_stack.c:52)
    [  634.405775] print_trailer (mm/slub.c:655)
    [  634.406361] object_err (mm/slub.c:662)
    [  634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
    [  634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
    [  634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
    [  634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
    [  634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
    [  634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
    [  634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
    [  634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
    [  634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)

Bug 1823317
Bug 1935735

Change-Id: Ica54faa9334c587594cc19bc9da007340fda672d
Cc: Tilman Schmidt <tilman@imap.cc>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259925
(cherry picked from commit 2b1401855a2bdd31556a93feba50dd0dc0bb70e8)
Reviewed-on: https://git-master.nvidia.com/r/1690300
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agocgroup: Correct the address format specifier
Amulya Y [Thu, 5 Apr 2018 21:30:07 +0000]
cgroup: Correct the address format specifier

The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system
settings.The fix is designed to use %pK instead
of %p, which also evaluates whether
kptr_restrict is set.

Bug 1823317
Bug 1935735

Change-Id: I19dc309e7f5341663add987f5d0b47ee32e1be50
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1260110
(cherry picked from commit d018ef6518a7527562bedae1eab86838cfcc0570)
Reviewed-on: https://git-master.nvidia.com/r/1690299
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agoaudit: fix a double fetch in audit_log_single_execve_arg()
Paul Moore [Tue, 19 Jul 2016 21:42:57 +0000]
audit: fix a double fetch in audit_log_single_execve_arg()

There is a double fetch problem in audit_log_single_execve_arg()
where we first check the execve(2) argumnets for any "bad" characters
which would require hex encoding and then re-fetch the arguments for
logging in the audit record[1].  Of course this leaves a window of
opportunity for an unsavory application to munge with the data.

This patch reworks things by only fetching the argument data once[2]
into a buffer where it is scanned and logged into the audit
records(s).  In addition to fixing the double fetch, this patch
improves on the original code in a few other ways: better handling
of large arguments which require encoding, stricter record length
checking, and some performance improvements (completely unverified,
but we got rid of some strlen() calls, that's got to be a good
thing).

As part of the development of this patch, I've also created a basic
regression test for the audit-testsuite, the test can be tracked on
GitHub at the following link:

 * https://github.com/linux-audit/audit-testsuite/issues/25

[1] If you pay careful attention, there is actually a triple fetch
problem due to a strnlen_user() call at the top of the function.

[2] This is a tiny white lie, we do make a call to strnlen_user()
prior to fetching the argument data.  I don't like it, but due to the
way the audit record is structured we really have no choice unless we
copy the entire argument at once (which would require a rather
wasteful allocation).  The good news is that with this patch the
kernel no longer relies on this strnlen_user() value for anything
beyond recording it in the log, we also update it with a trustworthy
value whenever possible.

Bug 1823317
Bug 1935735

Change-Id: I500834e1e699cb43d207333fa91292673de54933
Reported-by: Pengfei Wang <wpengfeinudt@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1261377
(cherry picked from commit 1cc418b165a23b352e06aa5ab66a2d1e1a942a98)
Reviewed-on: https://git-master.nvidia.com/r/1690297
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months ago[media] xc2028: avoid use after free
Mauro Carvalho Chehab [Thu, 28 Jan 2016 11:22:44 +0000]
[media] xc2028: avoid use after free

If struct xc2028_config is passed without a firmware name,
the following trouble may happen:

[11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner
[11009.907491] ==================================================================
[11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40
[11009.907992] Read of size 1 by task modprobe/28992
[11009.907994] =============================================================================
[11009.907997] BUG kmalloc-16 (Tainted: G        W      ): kasan: bad access detected
[11009.907999] -----------------------------------------------------------------------------

[11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992
[11009.908012]  ___slab_alloc+0x581/0x5b0
[11009.908014]  __slab_alloc+0x51/0x90
[11009.908017]  __kmalloc+0x27b/0x350
[11009.908022]  xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd]
[11009.908026]  usb_hcd_submit_urb+0x1e8/0x1c60
[11009.908029]  usb_submit_urb+0xb0e/0x1200
[11009.908032]  usb_serial_generic_write_start+0xb6/0x4c0
[11009.908035]  usb_serial_generic_write+0x92/0xc0
[11009.908039]  usb_console_write+0x38a/0x560
[11009.908045]  call_console_drivers.constprop.14+0x1ee/0x2c0
[11009.908051]  console_unlock+0x40d/0x900
[11009.908056]  vprintk_emit+0x4b4/0x830
[11009.908061]  vprintk_default+0x1f/0x30
[11009.908064]  printk+0x99/0xb5
[11009.908067]  kasan_report_error+0x10a/0x550
[11009.908070]  __asan_report_load1_noabort+0x43/0x50
[11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992
[11009.908077]  __slab_free+0x2ec/0x460
[11009.908080]  kfree+0x266/0x280
[11009.908083]  xc2028_set_config+0x90/0x630 [tuner_xc2028]
[11009.908086]  xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908090]  em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908094]  em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908098]  em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908101]  em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908105]  em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908108]  do_one_initcall+0x141/0x300
[11009.908111]  do_init_module+0x1d0/0x5ad
[11009.908114]  load_module+0x6666/0x9ba0
[11009.908117]  SyS_finit_module+0x108/0x130
[11009.908120]  entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x          (null) flags=0x2ffff8000004080
[11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001

[11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00  ....*....(......
[11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff  ...........j....
[11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G    B   W       4.5.0-rc1+ #43
[11009.908140] Hardware name:                  /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015
[11009.908142]  ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80
[11009.908148]  ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280
[11009.908153]  ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4
[11009.908158] Call Trace:
[11009.908162]  [<ffffffff81932007>] dump_stack+0x4b/0x64
[11009.908165]  [<ffffffff81556759>] print_trailer+0xf9/0x150
[11009.908168]  [<ffffffff8155ccb4>] object_err+0x34/0x40
[11009.908171]  [<ffffffff8155f260>] kasan_report_error+0x230/0x550
[11009.908175]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908179]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908182]  [<ffffffff8155f5c3>] __asan_report_load1_noabort+0x43/0x50
[11009.908185]  [<ffffffff8155ea00>] ? __asan_register_globals+0x50/0xa0
[11009.908189]  [<ffffffff8194cea6>] ? strcmp+0x96/0xb0
[11009.908192]  [<ffffffff8194cea6>] strcmp+0x96/0xb0
[11009.908196]  [<ffffffffa13ba4ac>] xc2028_set_config+0x15c/0x630 [tuner_xc2028]
[11009.908200]  [<ffffffffa13bac90>] xc2028_attach+0x310/0x8a0 [tuner_xc2028]
[11009.908203]  [<ffffffff8155ea78>] ? memset+0x28/0x30
[11009.908206]  [<ffffffffa13ba980>] ? xc2028_set_config+0x630/0x630 [tuner_xc2028]
[11009.908211]  [<ffffffffa157a59a>] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb]
[11009.908215]  [<ffffffffa157aa2a>] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb]
[11009.908219]  [<ffffffffa157a3a1>] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb]
[11009.908222]  [<ffffffffa01795ac>] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x]
[11009.908226]  [<ffffffffa01793e0>] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x]
[11009.908230]  [<ffffffff812e87d0>] ? ref_module.part.15+0x10/0x10
[11009.908233]  [<ffffffff812e56e0>] ? module_assert_mutex_or_preempt+0x80/0x80
[11009.908238]  [<ffffffffa157af92>] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb]
[11009.908242]  [<ffffffffa157a6ae>] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb]
[11009.908245]  [<ffffffff8195222d>] ? string+0x14d/0x1f0
[11009.908249]  [<ffffffff8195381f>] ? symbol_string+0xff/0x1a0
[11009.908253]  [<ffffffff81953720>] ? uuid_string+0x6f0/0x6f0
[11009.908257]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908260]  [<ffffffff8104b02f>] ? print_context_stack+0x7f/0xf0
[11009.908264]  [<ffffffff812e9846>] ? __module_address+0xb6/0x360
[11009.908268]  [<ffffffff8137fdc9>] ? is_ftrace_trampoline+0x99/0xe0
[11009.908271]  [<ffffffff811a775e>] ? __kernel_text_address+0x7e/0xa0
[11009.908275]  [<ffffffff81240a70>] ? debug_check_no_locks_freed+0x290/0x290
[11009.908278]  [<ffffffff8104a24b>] ? dump_trace+0x11b/0x300
[11009.908282]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908285]  [<ffffffff81237d71>] ? trace_hardirqs_off_caller+0x21/0x290
[11009.908289]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908292]  [<ffffffff812404dd>] ? trace_hardirqs_on+0xd/0x10
[11009.908296]  [<ffffffffa13e8143>] ? em28xx_register_extension+0x23/0x190 [em28xx]
[11009.908299]  [<ffffffff822dcbb0>] ? mutex_trylock+0x400/0x400
[11009.908302]  [<ffffffff810021a1>] ? do_one_initcall+0x131/0x300
[11009.908306]  [<ffffffff81296dc7>] ? call_rcu_sched+0x17/0x20
[11009.908309]  [<ffffffff8159e708>] ? put_object+0x48/0x70
[11009.908314]  [<ffffffffa1579f11>] em28xx_dvb_init+0x81/0x8a [em28xx_dvb]
[11009.908317]  [<ffffffffa13e81f9>] em28xx_register_extension+0xd9/0x190 [em28xx]
[11009.908320]  [<ffffffffa0150000>] ? 0xffffffffa0150000
[11009.908324]  [<ffffffffa0150010>] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb]
[11009.908327]  [<ffffffff810021b1>] do_one_initcall+0x141/0x300
[11009.908330]  [<ffffffff81002070>] ? try_to_run_init_process+0x40/0x40
[11009.908333]  [<ffffffff8123ff56>] ? trace_hardirqs_on_caller+0x16/0x590
[11009.908337]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908340]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908343]  [<ffffffff8155e926>] ? kasan_unpoison_shadow+0x36/0x50
[11009.908346]  [<ffffffff8155ea37>] ? __asan_register_globals+0x87/0xa0
[11009.908350]  [<ffffffff8144da7b>] do_init_module+0x1d0/0x5ad
[11009.908353]  [<ffffffff812f2626>] load_module+0x6666/0x9ba0
[11009.908356]  [<ffffffff812e9c90>] ? symbol_put_addr+0x50/0x50
[11009.908361]  [<ffffffffa1580037>] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb]
[11009.908366]  [<ffffffff812ebfc0>] ? module_frob_arch_sections+0x20/0x20
[11009.908369]  [<ffffffff815bc940>] ? open_exec+0x50/0x50
[11009.908374]  [<ffffffff811671bb>] ? ns_capable+0x5b/0xd0
[11009.908377]  [<ffffffff812f5e58>] SyS_finit_module+0x108/0x130
[11009.908379]  [<ffffffff812f5d50>] ? SyS_init_module+0x1f0/0x1f0
[11009.908383]  [<ffffffff81004044>] ? lockdep_sys_exit_thunk+0x12/0x14
[11009.908394]  [<ffffffff822e6936>] entry_SYSCALL_64_fastpath+0x16/0x76
[11009.908396] Memory state around the buggy address:
[11009.908398]  ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908401]  ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc
[11009.908405]                                            ^
[11009.908407]  ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908409]  ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[11009.908411] ==================================================================

In order to avoid it, let's set the cached value of the firmware
name to NULL after freeing it. While here, return an error if
the memory allocation fails.

Bug 1823317
Bug 1935735

Change-Id: I1825fc7eb08bd458ed5413fea8b47de539c9b23f
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1690296
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agosg: Fix double-free when drives detach during SG_IO
Calvin Owens [Fri, 30 Oct 2015 23:57:00 +0000]
sg: Fix double-free when drives detach during SG_IO

In sg_common_write(), we free the block request and return -ENODEV if
the device is detached in the middle of the SG_IO ioctl().

Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we
end up freeing rq->cmd in the already free rq object, and then free
the object itself out from under the current user.

This ends up corrupting random memory via the list_head on the rq
object. The most common crash trace I saw is this:

  ------------[ cut here ]------------
  kernel BUG at block/blk-core.c:1420!
  Call Trace:
  [<ffffffff81281eab>] blk_put_request+0x5b/0x80
  [<ffffffffa0069e5b>] sg_finish_rem_req+0x6b/0x120 [sg]
  [<ffffffffa006bcb9>] sg_common_write.isra.14+0x459/0x5a0 [sg]
  [<ffffffff8125b328>] ? selinux_file_alloc_security+0x48/0x70
  [<ffffffffa006bf95>] sg_new_write.isra.17+0x195/0x2d0 [sg]
  [<ffffffffa006cef4>] sg_ioctl+0x644/0xdb0 [sg]
  [<ffffffff81170f80>] do_vfs_ioctl+0x90/0x520
  [<ffffffff81258967>] ? file_has_perm+0x97/0xb0
  [<ffffffff811714a1>] SyS_ioctl+0x91/0xb0
  [<ffffffff81602afb>] tracesys+0xdd/0xe2
    RIP [<ffffffff81281e04>] __blk_put_request+0x154/0x1a0

The solution is straightforward: just set srp->rq to NULL in the
failure branch so that sg_finish_rem_req() doesn't attempt to re-free
it.

Additionally, since sg_rq_end_io() will never be called on the object
when this happens, we need to free memory backing ->cmd if it isn't
embedded in the object itself.

KASAN was extremely helpful in finding the root cause of this bug.

Bug 1823317
Bug 1935735

Change-Id: I883243dce583cd79e28facaa2cdd81157b293d74
Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259958
(cherry picked from commit b49da4529988ca02bddaed8091a7f5e91105970a)
Reviewed-on: https://git-master.nvidia.com/r/1690295
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agoblock: fix use-after-free in sys_ioprio_get()
Omar Sandoval [Fri, 1 Jul 2016 07:39:35 +0000]
block: fix use-after-free in sys_ioprio_get()

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

int main(int argc, char **argv)
{
pid_t pid, child;
long nproc, i;

/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
syscall(SYS_ioprio_set, 1, 0, 0x6000);

nproc = sysconf(_SC_NPROCESSORS_ONLN);

for (i = 0; i < nproc; i++) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
_exit(0);
} else {
child = wait(NULL);
assert(child == pid);
}
}
}

pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}
}
}

for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}

return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009]  ___slab_alloc+0x55d/0x5a0
[   35.530009]  __slab_alloc.isra.20+0x2b/0x40
[   35.530009]  kmem_cache_alloc_node+0x84/0x200
[   35.530009]  create_task_io_context+0x2b/0x370
[   35.530009]  get_task_io_context+0x92/0xb0
[   35.530009]  copy_process.part.8+0x5029/0x5660
[   35.530009]  _do_fork+0x155/0x7e0
[   35.530009]  SyS_clone+0x19/0x20
[   35.530009]  do_syscall_64+0x195/0x3a0
[   35.530009]  return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009]  __slab_free+0x27b/0x3d0
[   35.530009]  kmem_cache_free+0x1fb/0x220
[   35.530009]  put_io_context+0xe7/0x120
[   35.530009]  put_io_context_active+0x238/0x380
[   35.530009]  exit_io_context+0x66/0x80
[   35.530009]  do_exit+0x158e/0x2b90
[   35.530009]  do_group_exit+0xe5/0x2b0
[   35.530009]  SyS_exit_group+0x1d/0x20
[   35.530009]  entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Bug 1823317
Bug 1935735

Change-Id: If331a4574b63e9288d1019c45c28af82731e9abb
Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259972
(cherry picked from commit 15e376e5d8b1399d02814cf8b1481f7ac40dc483)
Reviewed-on: https://git-master.nvidia.com/r/1690294
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agoblock: fix use-after-free in seq file
Vegard Nossum [Fri, 29 Jul 2016 08:40:31 +0000]
block: fix use-after-free in seq file

I got a KASAN report of use-after-free:

    ==================================================================
    BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508
    Read of size 8 by task trinity-c1/315
    =============================================================================
    BUG kmalloc-32 (Not tainted): kasan: bad access detected
    -----------------------------------------------------------------------------

    Disabling lock debugging due to kernel taint
    INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315
            ___slab_alloc+0x4f1/0x520
            __slab_alloc.isra.58+0x56/0x80
            kmem_cache_alloc_trace+0x260/0x2a0
            disk_seqf_start+0x66/0x110
            traverse+0x176/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a
    INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315
            __slab_free+0x17a/0x2c0
            kfree+0x20a/0x220
            disk_seqf_stop+0x42/0x50
            traverse+0x3b5/0x860
            seq_read+0x7e3/0x11a0
            proc_reg_read+0xbc/0x180
            do_loop_readv_writev+0x134/0x210
            do_readv_writev+0x565/0x660
            vfs_readv+0x67/0xa0
            do_preadv+0x126/0x170
            SyS_preadv+0xc/0x10
            do_syscall_64+0x1a1/0x460
            return_from_SYSCALL_64+0x0/0x6a

    CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G    B           4.7.0+ #62
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
     ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480
     ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480
     ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970
    Call Trace:
     [<ffffffff81d6ce81>] dump_stack+0x65/0x84
     [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0
     [<ffffffff814704ff>] object_err+0x2f/0x40
     [<ffffffff814754d1>] kasan_report_error+0x221/0x520
     [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40
     [<ffffffff83888161>] klist_iter_exit+0x61/0x70
     [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10
     [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50
     [<ffffffff8151f812>] seq_read+0x4b2/0x11a0
     [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180
     [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210
     [<ffffffff814b4c45>] do_readv_writev+0x565/0x660
     [<ffffffff814b8a17>] vfs_readv+0x67/0xa0
     [<ffffffff814b8de6>] do_preadv+0x126/0x170
     [<ffffffff814b92ec>] SyS_preadv+0xc/0x10

This problem can occur in the following situation:

open()
 - pread()
    - .seq_start()
       - iter = kmalloc() // succeeds
       - seqf->private = iter
    - .seq_stop()
       - kfree(seqf->private)
 - pread()
    - .seq_start()
       - iter = kmalloc() // fails
    - .seq_stop()
       - class_dev_iter_exit(seqf->private) // boom! old pointer

As the comment in disk_seqf_stop() says, stop is called even if start
failed, so we need to reinitialise the private pointer to NULL when seq
iteration stops.

An alternative would be to set the private pointer to NULL when the
kmalloc() in disk_seqf_start() fails.

Bug 1823317
Bug 1935735

Change-Id: Ic3f82ef82c570866b48c5ea8e195d8e504570d80
Cc: stable@vger.kernel.org
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259961
(cherry picked from commit 9d4a4a8711e9570c3ead013b64ff6e8bad05afbc)
Reviewed-on: https://git-master.nvidia.com/r/1690293
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agoALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream()...
Vladis Dronov [Thu, 31 Mar 2016 16:05:43 +0000]
ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call

create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
create_uaxx_quirk() functions allocate the audioformat object by themselves
and free it upon error before returning. However, once the object is linked
to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
double-freed, eventually resulting in a memory corruption.

This patch fixes these failures in the error paths by unlinking the audioformat
object before freeing it.

Based on a patch by Takashi Iwai <tiwai@suse.de>

[Note for stable backports:
 this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
 code cleanup in create_fixed_stream_quirk()')]

Bug 1823317
Bug 1935735

Change-Id: I4f65a902a19e7b21e8bc0fa21efd833c8360a3cf
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
Cc: <stable@vger.kernel.org> # see the note above
Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259999
(cherry picked from commit 14e09c3233fb7578c778b70ec3933ba5cadfccb6)
Reviewed-on: https://git-master.nvidia.com/r/1690292
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agotcp: fix use after free in tcp_xmit_retransmit_queue()
Eric Dumazet [Wed, 17 Aug 2016 12:56:26 +0000]
tcp: fix use after free in tcp_xmit_retransmit_queue()

When tcp_sendmsg() allocates a fresh and empty skb, it puts it
at the tail of the write queue using tcp_add_write_queue_tail()

Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.

Unfortunately, this undo lacks the change done to tp->highest_sack and we can leave a dangling pointer (to a freed skb)

Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.

This bug was found by Marco Grassi thanks to syzkaller.

Bug 1823317
Bug 1935735

Change-Id: I9bf709b21e5637f338c34d894617f33d84f93ecc
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1260003
(cherry picked from commit 0c20962647685008dfc6a15fb8a2169ed2abafe6)
Reviewed-on: https://git-master.nvidia.com/r/1690290
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agostaging: ion: Fix ION subsystem privilege vulnerability
Gagan Grover [Fri, 25 Nov 2016 12:28:44 +0000]
staging: ion: Fix ION subsystem privilege vulnerability

A malicious application can take advantage of the ION kmalloc heap
to create a specific memory chunk size to exercise a rowhammer
attack on the physical hardware.

The fix is designed to disable ION heap type.

CVE-2016-6728: A-30400942

Bug 1823317

Change-Id: I6b6d891a85da0c175f88cc1a3e48875796db80d4
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1690291
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

13 months agoarm64: define speculation barrier
James Huang [Thu, 1 Feb 2018 05:01:50 +0000]
arm64: define speculation barrier

The instruction sequency "dsb sy" followed by "isb" functions as
a speculation barrier, which prevents the instructions after that
from being speculatively executed.

bug 2039126

Change-Id: Ie3b7b873a12002617e60510ed8759bdaa7cd7057
Signed-off-by: Bo Yan <byan@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1618222
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650093
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit f125c60045878513902cac4a084fde9a516eb3e2)
Reviewed-on: https://git-master.nvidia.com/r/1660782
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months agov4l2: prevent speculative load
Jeetesh Burman [Thu, 15 Feb 2018 08:37:39 +0000]
v4l2: prevent speculative load

bug 2039126

Change-Id: Id1908c3058c9ecc0dfb4f2d85440a8d36db45db5
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650029
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit 7a0213eca150614fe88d197a09d461fff6168652)
Reviewed-on: https://git-master.nvidia.com/r/1660781
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months agocryptodev: prevent speculative load related leak
Jeetesh Burman [Thu, 15 Feb 2018 07:30:39 +0000]
cryptodev: prevent speculative load related leak

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

bug 2039126
CVE-2017-5753

Change-Id: Id85eb9c91932f358dd999b28dd53d7788b37ea04
Signed-off-by: David Gilhooley <dgilhooley@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1640356
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650014
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit 25bd9436b11f41e23048c9515deae97900a46669)
Reviewed-on: https://git-master.nvidia.com/r/1660780
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

13 months agodrivers: speculative load before bound-check
Jeetesh Burman [Wed, 14 Feb 2018 10:48:40 +0000]
drivers: speculative load before bound-check

Data can be speculatively loaded from memory and stay in cache even
when bound check fails. This can lead to unintended information
disclosure via side-channel analysis.

To mitigate this problem, insert speculation barrier.

Bug 1964290
CVE-2017-5753

Change-Id: I7382dbcc6e9f352fafd457301beafe753925f3c4
Signed-off-by: Hien Goi <hgoi@nvidia.com>
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650791
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit 5cabd53985a30aa818896abdb64564a74c09ab9c)
Reviewed-on: https://git-master.nvidia.com/r/1660772
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months agoarm: define speculation barrier
Jeetesh Burman [Wed, 14 Feb 2018 06:20:57 +0000]
arm: define speculation barrier

The instruction sequency "dsb sy" followed by "isb" functions as
a speculation barrier, which prevents the instructions after that
from being speculatively executed.

bug 2039126

Change-Id: I898aab771ff82b26b08214a06814d2e6e78969a7
Signed-off-by: Bo Yan <byan@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1618222
Signed-off-by: James Huang <jamehuang@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650093
Signed-off-by: Jeetesh Burman <jburman@nvidia.com>
(cherry picked from commit f125c60045878513902cac4a084fde9a516eb3e2)
Reviewed-on: https://git-master.nvidia.com/r/1660771
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

13 months agogpu: nvgpu: Add ref counting to channels
Alex Waterman [Thu, 13 Oct 2016 17:03:59 +0000]
gpu: nvgpu: Add ref counting to channels

Make sure that the VM owned by a channel lives for at least
as long as that channel does. If the channel's VM is cleaned
up before the channel then use-after-free bugs can occur.

Bug: 31680980
NvBug 1825464
Bug: 1885921

Change-Id: I0711781492a764b643c2ed1da1b3ba87fda72744
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-psac.nvidia.com/r/#/c/9261
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit e205f2720fcee61886e7979e9588602d691507ea)
Reviewed-on: https://git-master.nvidia.com/r/1681801
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

14 months agotegra-cryptodev:Avoid untrusted usrptr dereference
Mallikarjun Kasoju [Fri, 16 Mar 2018 10:10:06 +0000]
tegra-cryptodev:Avoid untrusted usrptr dereference

In RSA operations use copy_from_user to get key data
into local buffer before using it.

This will avoid untrusted user pointer dereference.

Coverity ID 24040

Bug 200192571
Bug 1932494

Change-Id: I9c8f3fd7cfc18121d9c2179127dfb28202f38cdb
Signed-off-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1676570
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

14 months agoASoC: tegra: check ucode upper limit
Ravindra Lokhande [Mon, 8 May 2017 09:12:48 +0000]
ASoC: tegra: check ucode upper limit

Check ucode size for upper limit.

Bug 1901435
Bug 1954563
Bug 1917589

Signed-off-by: Ravindra Lokhande <rlokhande@nvidia.com>
Signed-off-by: Xia Yang <xiay@nvidia.com>
Change-Id: I2f455771147bb4466d154878d2461e472647c4fb
Reviewed-on: https://git-master.nvidia.com/r/1575925
Reviewed-on: https://git-master.nvidia.com/r/1674399
GVS: Gerrit_Virtual_Submit
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Tested-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: James Huang <jamehuang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

14 months agovideo: tegra: sor: set drive current for lane4
David Pu [Tue, 26 Jan 2016 19:21:06 +0000]
video: tegra: sor: set drive current for lane4

drive current for LANE4 was not set if configured as 24bpp lvds out.
fix it by programming proper drive current register if using 24bpp out.

Bug 1724122

Change-Id: Ie2ad71ace0b4f247e007e671be828230545b15f6
Signed-off-by: David Pu <dpu@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1544691
Reviewed-by: Automatic_Commit_Validation_User
Tested-by: Wayne Wang (SW-TEGRA) <waywang@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

14 months agogpu: nvgpu: Validate buffer_offset argument
Debarshi Dutta [Fri, 9 Mar 2018 07:11:55 +0000]
gpu: nvgpu: Validate buffer_offset argument

Validate the mapping_size argument in the VM mapping IOCTL before
attempting to use the argument for anything.

Manual Cherry pick - https://git-master.nvidia.com/r/1547046

Bug 1954931
Bug 1965443

Change-Id: I81b22dc566c6c6f89e5e62604ce996376b33a343
Signed-off-by: Alex Waterman <alexw@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1547046
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit e68391690cfcc23b77c68aec3f9605badea226ed in
dev-kernel)
Reviewed-on: https://git-master.nvidia.com/r/1671883
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

14 months agothermal: add boundary check to set_cur_state
Srikar Srimath Tirumala [Tue, 12 Sep 2017 19:27:13 +0000]
thermal: add boundary check to set_cur_state

Prevent sysfs from setting a cur_state that exceeds the max cur_state
of the cooling device.

Bug 200334223
Bug 200331706
Bug 1968660
Bug 1968616

Change-Id: I935be6166a9e184683abfcdce70cb08cbe4a1350
Signed-off-by: Srikar Srimath Tirumala <srikars@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1558407
(cherry picked from commit 142cf9d96ed221124ea2b778dc37cf5db8d5702c)
Reviewed-on: https://git-master.nvidia.com/r/1661413
Reviewed-on: https://git-master.nvidia.com/r/1662626
GVS: Gerrit_Virtual_Submit
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

15 months agoCRYPTO: disable crypto dev fot t124
Konduri Praveen [Fri, 20 Oct 2017 06:01:36 +0000]
CRYPTO: disable crypto dev fot t124

disabling tegra SE crypto dev for
t124 platform.

Bug 1927682

Change-Id: I16a24009e8f528df4be40ec65aa621b4ac779e41
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1582395
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

15 months agovideo: tegra: host: use lock to get syncpt name
Gagan Grover [Tue, 22 Nov 2016 10:13:19 +0000]
video: tegra: host: use lock to get syncpt name

Use sp->syncpt_mutex lock to get syncpt name in
syncpt_name_show()
Without the lock, it is possible for user to read
syncpt name in corrupted state if user read
coincides with syncpt free

Bug 1838598
Bug 1883567

Change-Id: I69ca5c1d80adaca4b93a337fe4a5debeb78f34fc
Reviewed-on: http://git-master/r/1252580
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1258020
(cherry picked from commit 9a7d12e49ca6c627dff2dc4c15fa9ba153e9265d in rel-24)
Reviewed-on: https://git-master.nvidia.com/r/1513005
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1650064
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

15 months agocryptodev: avoid untrusted user pointers
Konduri Praveen [Tue, 1 Aug 2017 12:05:58 +0000]
cryptodev: avoid untrusted user pointers

add algo variable for avoid the usage of
user space pointers

Bug 200286426

Change-Id: I7e208b45ba11348e7b89a429d457ae51ac29bde0
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1530560
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

16 months agomm: larger stack guard gap, between vmas
Sri Krishna chowdary [Fri, 23 Jun 2017 06:26:03 +0000]
mm: larger stack guard gap, between vmas

commit 1be7107fbe18eed3e319a6c3e83c78254b693acb upstream.

Stack guard page is a useful feature to reduce a risk of stack smashing
into a different mapping. We have been using a single page gap which
is sufficient to prevent having stack adjacent to a different mapping.
But this seems to be insufficient in the light of the stack usage in
userspace. E.g. glibc uses as large as 64kB alloca() in many commonly
used functions. Others use constructs liks gid_t buffer[NGROUPS_MAX]
which is 256kB or stack strings with MAX_ARG_STRLEN.

This will become especially dangerous for suid binaries and the default
no limit for the stack size limit because those applications can be
tricked to consume a large portion of the stack and a single glibc call
could jump over the guard page. These attacks are not theoretical,
unfortunatelly.

Make those attacks less probable by increasing the stack guard gap
to 1MB (on systems with 4k pages; but make it depend on the page size
because systems with larger base pages might cap stack allocations in
the PAGE_SIZE units) which should cover larger alloca() and VLA stack
allocations. It is obviously not a full fix because the problem is
somehow inherent, but it should reduce attack space a lot.

One could argue that the gap size should be configurable from userspace,
but that can be done later when somebody finds that the new 1MB is wrong
for some special case applications.  For now, add a kernel command line
option (stack_guard_gap) to specify the stack gap size (in page units).

Implementation wise, first delete all the old code for stack guard page:
because although we could get away with accounting one extra page in a
stack vma, accounting a larger gap can break userspace - case in point,
a program run with "ulimit -S -v 20000" failed when the 1MB gap was
counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK
and strict non-overcommit mode.

Instead of keeping gap inside the stack vma, maintain the stack guard
gap as a gap between vmas: using vm_start_gap() in place of vm_start
(or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few
places which need to respect the gap - mainly arch_get_unmapped_area(),
and and the vma tree's subtree_gap support for that.

Bug 1946430

Change-Id: I9a66aabc34b687996fb971e01bb0ef30a3d4de7d
Original-patch-by: Oleg Nesterov <oleg@redhat.com>
Original-patch-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Tested-by: Helge Deller <deller@gmx.de> # parisc
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: backport to 4.11: adjust context]
[wt: backport to 4.9: adjust context ; kernel doc was not in admin-guide]
[wt: backport to 4.4: adjust context ; drop ppc hugetlb_radix changes]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1509390
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

18 months agopcie: host: tegra: WAR for RAW violations
Jay Agarwal [Tue, 14 Oct 2014 06:02:07 +0000]
pcie: host: tegra: WAR for RAW violations

Some of reads transaction getting before write
has completed resulting in RAW violation. This
WAR avoids this situation.

Bug 1345350

Change-Id: I56728d00326b193be26ccb4fe68787ebd8a2623d
Signed-off-by: Jay Agarwal <jagarwal@nvidia.com>
Reviewed-on: http://git-master/r/365301
(cherry picked from commit a706735e3c50a70dfee4a3d11378d3a1872a71d7)
Reviewed-on: https://git-master.nvidia.com/r/1595945
Reviewed-by: Vidya Sagar <vidyas@nvidia.com>
Reviewed-by: Manikanta Maddireddy <mmaddireddy@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Mantravadi Karthik <mkarthik@nvidia.com>

19 months agoRevert "gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX"
Debarshi Dutta [Tue, 8 Aug 2017 10:04:57 +0000]
Revert "gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX"

Bug 200336148

This reverts commit 2db040946ff8340485b2b33fe5a46f3166fa96f6.

Change-Id: I8a80a7bd1bd8b1a949fba26b683ac1c9bebc0c04
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1534941
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

19 months agoBluetooth: Properly check L2CAP config option output buffer length
Ben Seri [Wed, 13 Sep 2017 08:34:32 +0000]
Bluetooth: Properly check L2CAP config option output buffer length

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Bug 1989825

Change-Id: Id158ece2176c4ac339a7232dfde8c47ce2241122
Cc: stable@vger.kernel.org
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1558952
GVS: Gerrit_Virtual_Submit

21 months agogpu: nvgpu: Remove IOCTL FREE_OBJ_CTX
Debarshi Dutta [Wed, 21 Jun 2017 10:45:09 +0000]
gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX

We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context being
only partially available, and can lead to use-after-free.

Bug 1885775

Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1506479
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

21 months agovideo: tegra: nvmap: fix nvmap create handle vulnerability
Krishna Reddy [Fri, 4 Nov 2016 19:45:53 +0000]
video: tegra: nvmap: fix nvmap create handle vulnerability

Handle the race condition between malicious fd close and
copy_to_user error, which can create use after free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to use after free condition.
Fixing Google Bug 32160775.

Bug 1835857

Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-on: http://git-master/r/1248391
Reviewed-on: https://git-master.nvidia.com/r/1512958
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

22 months agovideo: tegra: dsi: Set max limit for reading panel
Pavan Kunapuli [Thu, 16 Mar 2017 14:02:06 +0000]
video: tegra: dsi: Set max limit for reading panel

In the debugfs support for reading panel registers, max payload
needs to be limited to the buff array size to avoid stack corruption.

Bug 1873360

Change-Id: Ibee7bd81027d2669297942c09b905f1dd3bb09ee
Signed-off-by: Pavan Kunapuli <pkunapuli@nvidia.com>
Signed-off-by: sakets <sakets@nvidia.com>
Reviewed-on: https://git-master/r/1507653
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

23 months agovideo: tegra: nvmap: fix information leak in pin/unpin
Sri Krishna chowdary [Fri, 3 Mar 2017 05:14:08 +0000]
video: tegra: nvmap: fix information leak in pin/unpin

When the NVMAP_IOC_PIN_MULT_32 and NVMAP_IOC_UNPIN_MULT_32 are
called it is possible that the op.addr is not initialized. This
can cause write to some random address thus causing corruption.

This patch fixes Google Bug 31668540

bug 1832092

Change-Id: I4d12d1a6c777131ba1fa2a753ea640861f8e82a6
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1314406
(cherry picked from commit da0c43534bb61e2e0849e297d389517d5e4ed168)
Reviewed-on: http://git-master/r/1504673
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

23 months agomedia: tegra: nvavp: Fix UAF issue.
Jitendra Kumar [Thu, 27 Oct 2016 08:35:00 +0000]
media: tegra: nvavp: Fix UAF issue.

Use locking to protect generated fd, so that it can't be
freed before channel open completes. Also add null value checks
in release call.

CVE-2016-8449 (A-31798848)
Bug 1830023
Bug 1849492

Change-Id: Ie6e2b29c7132fdfdff6b0bfa75440bd43afffd5f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285817
(cherry picked from commit 2ff0fdedfd65f269359d6540df4662e958681aa7)
Reviewed-on: http://git-master/r/1299505
(cherry picked from commit ea1af2ce5a746bda36205357c9e0adaf527026bb)
Reviewed-on: http://git-master/r/1489467
(cherry picked from commit 89559abb25f82dc333eafa26391be0a50d6e9e0a)
Reviewed-on: http://git-master/r/1504674
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

23 months agogpu: nvgpu: Fix pgsz_idx used in gk20a_vm_alloc_space()
Alex Waterman [Wed, 30 Nov 2016 22:12:25 +0000]
gpu: nvgpu: Fix pgsz_idx used in gk20a_vm_alloc_space()

Use the correct page size index for pgsz_idx in gk20a_vm_alloc_space().
Previously the page size itself was used, not the page size index.

Bug 1837624

Change-Id: I652f5af5321c1c49dc8eb170d3f92f00c23d2b6f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
(cherry picked from commit fd13e0e1c4e397335c24497a0f92c85934d6185f)
Reviewed-on: http://git-master/r/1503371
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

23 months agovideo: tegra: nvmap: Fix NULL pointer dereference
Sri Krishna chowdary [Wed, 14 Dec 2016 06:28:30 +0000]
video: tegra: nvmap: Fix NULL pointer dereference

Consider the following case:
1. NVMAP_IOC_CREATE on IOVMM gives a valid fd to user space
2. user space does not call NVMAP_IOC_ALLOC.
3. user space calls a client driver IOCTL which calls dma_buf_map_attachment
4. call to dma_buf_map_attachment propagates till__nvmap_sg_table
   which has heap_pgalloc as true and tries to access pages[]
   which has all NULL.
5. Similarly, a dma_buf_kmap() can result in __nvmap_kmap() being called
   which again results in NULL dereference if pages[] is accessed.

A valid __nvmap_sg_table should occur only when h->alloc is true.
So, add check for it.

bug 1838597
bug 1883708

Change-Id: I400d9d8a94ff1003db207fc9c252b9256d796f60
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit 8244d104b7635cb0b26b651b6851498b9a84d7d6)
Reviewed-on: http://git-master/r/1489579
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

23 months agovideo: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM
Gagan Grover [Thu, 24 Nov 2016 11:28:49 +0000]
video: tegra: nvmap: Fix security issue in NVMAP_IOC_PARAM

Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.

Bug 1884311
Bug 1820242

Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-on: http://git-master/r/1489707
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

23 months agovideo: tegra: nvmap: Fix OOB vulnerability
Sagar Kadamati [Tue, 6 Dec 2016 06:08:01 +0000]
video: tegra: nvmap: Fix OOB vulnerability

Check all pages' parameters before reserve pages.

Bug 1883463
Bug 1831426
Bug 200247013

Manual port: http://git-psac/r/9287

(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)

Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Signed-off-by: Xia Yang <xiay@nvidia.com>
Signed-off-by: Sagar Kadamati <skadamati@nvidia.com>
Reviewed-on: http://git-master/r/1273326
Reviewed-on: http://git-master/r/1488769
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agogpu: nvgpu: fix crash in gk20a_channel_release
Aingara Paramakuru [Fri, 5 Sep 2014 18:38:21 +0000]
gpu: nvgpu: fix crash in gk20a_channel_release

gk20a_channel_release() should bail if filp->private_data is
NULL. This can happen as a result of gk20a_channel_release()
being called when __gk20a_channel_open() fails in
NVHOST_IOCTL_CHANNEL_OPEN.

Bug 200014898

Change-Id: I32cc957aca46fcd4265a8052ac5be355b644b9f7
Signed-off-by: Aingara Paramakuru <aparamakuru@nvidia.com>
Reviewed-on: http://git-master/r/496138
(cherry picked from commit cb0db6618c42ab4c33574f09f212ab1ee9a0438a)
Reviewed-on: http://git-master/r/1258588
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

2 years agotegra: camera: Fix UAF security issue
Frank Chen [Wed, 14 Dec 2016 19:36:41 +0000]
tegra: camera: Fix UAF security issue

Fix UAF (use-after-free) security issue in
camera.pcl driver

Bug 1832830

Change-Id: Ie0f8a58a7bb9d1b4949e0f68d25d6da108f06e76
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1271371
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agotegra: camera race condition vulnerability
Mark Salyzyn [Tue, 17 May 2016 20:23:32 +0000]
tegra: camera race condition vulnerability

- Add mutex_lock(cam_desc.d_mutex) around ioctl access functions.
- Check cam->cdev in PCLLK_IOCTL_DEV_DEL ioctl.

(Back ported from Nexus N9 project)

Bug 1832830

Signed-off-by: <tiangangpi@gmail.com>
Signed-off-by: Xiaya Hu <xiaya@nvidia.com>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 28026625
Change-Id: I81fbab628fb6516afa2cf5d3e0adf333aa2eb003
Reviewed-on: http://git-master/r/1271370
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agocamera: tegra: Fix security vulnerability
Amey Asgaonkar [Fri, 29 Apr 2016 01:01:42 +0000]
camera: tegra: Fix security vulnerability

Check a few input params to make sure there is
no potential for a heap overflow in the driver.

(Back ported from Nexus N9 project)

Bug 1757475 (nvidia)
Bug 1832830 (nvidia)
Bug 28193342 (google)

Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13
Signed-off-by: Amey Asgaonkar <aasgaonkar@nvidia.com>
Reviewed-on: http://git-master/r/1271369
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agotegra: camera: validate PCLLK_IOCTL_SEQ_XX params
Greg Hackmann [Fri, 19 Feb 2016 23:04:23 +0000]
tegra: camera: validate PCLLK_IOCTL_SEQ_XX params

The driver expects the userspace-provided table to be terminated with
addr == CAMERA_TABLE_END.  Reject tables that aren't.

(back ported from Nexus N9 project)

Bug 1832830

Change-Id: Id1e168e02fbf323d094fe8c36c6e4bd90cceee4f
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271368
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agomedia: tegra: camera: sanity-check ioctl parameter
Greg Hackmann [Fri, 19 Feb 2016 21:33:31 +0000]
media: tegra: camera: sanity-check ioctl parameter

Several places in the camera stack can hit integer overflows or cause
bad allocations if userspace passes in a bogus sizeofvalue parameter.
Protect against this by using appropriately-sized integer types, adding
range checks, replacing array-allocation calls with kcalloc(), and
checking for allocations returning ZERO_SIZE_PTR.

For one specific ioctl (PCLLK_IOCTL_UPDATE) sizeofvalue = 0 is fine,
since when that happens the subdrivers won't actually touch the returned
allocation.  In fact the existing userspace camera driver makes calls
like these and expects them to succeed!  Handle this special case by
adding a __camera_get_params variant that optionally treats zero-sized
inputs as valid.

(back ported from Nexus N9 project)

Bug 1832830

Change-Id: Ie3250d8a4b814de5820fa0190b4cbd1af3ca4b3f
Reported-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271367
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agotegra-cryptodev: type modifier change in plaintext_sz
Konduri Praveen [Wed, 3 May 2017 19:48:50 +0000]
tegra-cryptodev: type modifier change in plaintext_sz

change the type modifier from signed to unsigned
for plaintext_sz variable in tegra_sha_req structure
to avoid occurence of negative values in plaintext_sz
variable.

Bug 1883640

Change-Id: I853f1916f7d4b6ea901cfe83419d624720a7e64f
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1474814
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agovideo: tegra: host: Add submit checks
Mikko Perttunen [Tue, 25 Oct 2016 09:31:15 +0000]
video: tegra: host: Add submit checks

Currently nvhost performs minimal checking for submits it passes
to hardware: The kernel does not check if job syncpoints are allocated
and the gather classes are not verified currently.

This patch adds checks for syncpoint ids and gather classes.

Adapted from 0abcbd69c4cbd0093e223b6c248fdd53c2886951.

Bug 1831406

Change-Id: Ifb9d2090009d16d0f56bc11546036167c7f72228
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1242190
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

2 years agoBACKPORT: drm: crtc: integer overflow in drm_property_create_blob()
Shreshtha SAHU [Wed, 30 Nov 2016 18:38:01 +0000]
BACKPORT: drm: crtc: integer overflow in drm_property_create_blob()

The size here comes from the user via the ioctl, it is a number between
1-u32max so the addition here could overflow on 32 bit systems.

This patch fixes a security vulnerability reported here:
https://code.google.com/p/android/issues/detail?id=228947

Change-Id: I17ed8c6e30826074cfc6dd833deb423be9bd89c5
Fixes: f453ba046074 ('DRM: add mode setting support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Cc: stable@kernel.org # v4.2
Signed-off-by: Dave Airlie <airlied@gmail.com>

Bug 1846814

Signed-off-by: Shreshtha SAHU <ssahu@nvidia.com>
Change-Id: I308e65797972a0a0650bd96bd130dfd2fbe9c993
Reviewed-on: http://git-master/r/1262503
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agogpu: nvgpu: add ptr validation for vm_map_buffer
Xia Yang [Wed, 14 Sep 2016 18:13:57 +0000]
gpu: nvgpu: add ptr validation for vm_map_buffer

dma_buf_get() return value is now validated before
passed down for further process.

Bug 1812180
Bug 1883864

Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-on: http://git-master/r/1220869

(cherry picked from commit e6fe9437c609252cf28ac76d2e6b33e905eaa843 in rel-21)
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Reviewed-on: http://git-master/r/1469135
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agoarm: tegra: curtain pllx freq to its max value
Bibek Basu [Mon, 17 Apr 2017 16:44:53 +0000]
arm: tegra: curtain pllx freq to its max value

This patch fixes pllx max value to 1530 and 1836Mhz
based on embedded clok settings considering aging factor
for CD575MI 24x7 and CD575MI 4/4/16 config

Bug 1900076

Change-Id: I9c6a769787fc04eac7ce4548e1a37a9a76972a6c
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1464315
GVS: Gerrit_Virtual_Submit
Reviewed-by: Peter Chiang <pchiang@nvidia.com>

2 years agovideo: tegra: host: Protect channel ioctl
Arto Merilainen [Tue, 14 Oct 2014 07:12:26 +0000]
video: tegra: host: Protect channel ioctl

Channel ioctl interface is not multithreading safe and as the
common case is that we have only a single active user for an open
fd, add a mutex to force serialization of ioctl calls.

Bug 1830021

Change-Id: Ifa6595a105b913345104f216f0541c371e89efe5
(cherry picked from commit 7b24caa9a8d2ab08fe0c7be112e805e44906d956)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248801
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit

2 years agovideo: tegra: nvmap: fix possible use after free
Gagan Grover [Tue, 22 Nov 2016 09:31:11 +0000]
video: tegra: nvmap: fix possible use after free

Fix possible use after free issue.

Bug 1814555
Bug 1884319

Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: http://git-master/r/1257999
(cherry picked from commit b1647da33cff0c498ca8439a722ea1962ecf6901 in rel-24)
Reviewed-on: http://git-master/r/1461184
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years agoT124: Add emc table to program SAMSUNG DRAM
Sandipan Patra [Tue, 28 Feb 2017 10:16:07 +0000]
T124: Add emc table to program SAMSUNG DRAM

New emc table for samsung dram is added on JetsonTK1 target.
Based on tegra bct strap value it can be chosen dynamically.
Both emc table and embedded emc table has been updated accordingly.

Bug 1752744

Change-Id: Ifc577d925712690daec6c6f1121458f01f720846
Signed-off-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-on: http://git-master/r/1312498
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agoarm: tegra12: jetson: disable usb charging detection
Roger Hsieh [Thu, 16 Feb 2017 10:00:32 +0000]
arm: tegra12: jetson: disable usb charging detection

Jetson TK1 doesn't support usb charging but the detection is still
running. Disable it to avoid unexpected behavior.

Bug 1861049

Change-Id: I13425d69e190a75084486ff1fc9afeb8aa7acb60
Signed-off-by: Roger Hsieh <rhsieh@nvidia.com>
Reviewed-on: http://git-master/r/1308015
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agovideo: tegra: host: Fix overflow issue allocation
Mikko Perttunen [Fri, 27 Jan 2017 07:32:20 +0000]
video: tegra: host: Fix overflow issue allocation

Change kmalloc to kmalloc_array to prevent overflow issues
caused by large values supplied by user.

Based on "video: tegra: host: Fix overflow issues in allocation"
in nvhost/.

Coverity ID 27942
Bug 1856419

Change-Id: I5e96d0ec184543782dfe8814ad7e856b3b71221c
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1295062
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agovideo: tegra: nvmap: Check if handle holds a buffer before map
Sri Krishna chowdary [Tue, 15 Nov 2016 05:53:30 +0000]
video: tegra: nvmap: Check if handle holds a buffer before map

Consider the following case:
1. NVMAP_IOC_CREATE gives a valid fd to user space
2. user space calls NVMAP_IOC_ALLOC and it fails. So, all
of the handle's allocation fields are zero.
3. Subsequent dma_buf_vmap, mmap on fd leads to __nvmap_mmap
call.
4. handle is valid but h->alloc, h->carveout, h->heap_pgalloc,
h->vaddr all are 0.
5. We check for h->heap_pgalloc which is false, so proceed and
dereference h->carveout leading to NULL pointer exception.

A valid __nvmap_mmap should occur only when h->alloc is true.
So, add check for it.

bug 1837468

Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1253236
(cherry picked from commit c5da78cf3d0c19f1e04501a4b3f64a5acacd0ff3)
Reviewed-on: http://git-master/r/1312264
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years agodrivers: crypto: Avoid use of tainted scalar value
Konduri Praveen [Tue, 2 May 2017 09:20:40 +0000]
drivers: crypto: Avoid use of tainted scalar value

Copy from user may taint the scalar value members
in the respective struct variables.
Add check for verifying the validity of the
scalar value members to avoid undefined behaviour.

Bug 1903278

Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Change-Id: Ic01c8d10886f9b02c61156f811b430acce8aca23
Reviewed-on: http://git-master/r/1473534
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

2 years agotegra-cryptodev:check valid SHA message length
Konduri Praveen [Thu, 27 Apr 2017 09:10:36 +0000]
tegra-cryptodev:check valid SHA message length

SHA message length is provided from user space
through IOCTL call. If this length is not valid,
then it can lead to panic due to buffer overflow.

Fix by checking message length for SHA before
copying from user space

Bug 1883640

Change-Id: Idc5c6074784290b4622b1c23e5feb43849100cb5
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1471180
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agodccp: fix freeing skb too early for IPV6_RECVPKTINFO
Sandipan Patra [Tue, 21 Mar 2017 10:14:31 +0000]
dccp: fix freeing skb too early for IPV6_RECVPKTINFO

In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.

However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets
freed
in dccp_rcv_state_process.

Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.

Similar fixes for TCP:

fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly
freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Bug 200285540

Change-Id: I3bec712b03278102c88933d4684324c3f414b606
Signed-off-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-on: http://git-master/r/1325204
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agovideo: tegra: nvmap: fix time-of-check,time-of-use vulnerability
Sri Krishna chowdary [Fri, 10 Feb 2017 09:32:14 +0000]
video: tegra: nvmap: fix time-of-check,time-of-use vulnerability

Validate the region specified by offset and size before performing
the operations like nvmap_prot_handle, nvmap_cache_maint and nvmap_handle_mk*.

This validation of offset and size once the values are in local variables
guarantees that even though user space changes the values in user buffers,
nvmap continues to perform operations with the contents that are validated.

Fixes Google Bug 34113000.

bug 1862379

Change-Id: Ief81887b3d94b49f3dcf4d2680d9d7b257c54092
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1298712
(cherry picked from commit f45441da608d8015ece73d253d4bdb48863f99e2)
Reviewed-on: http://git-master/r/1310316
(cherry picked from commit 57367ab3be5f1c52dd6b885f114ae90dfce5a363)
Reviewed-on: http://git-master/r/1319910
GVS: Gerrit_Virtual_Submit

2 years agogpu: nvgpu: initialize local variable
Deepak Nibade [Thu, 4 Aug 2016 14:12:38 +0000]
gpu: nvgpu: initialize local variable

Initialize character array buf in gk20a_channel_ioctl() to zero
Keeping it uninitialized can result in leaking kernel stack
info to user space since we pass this buffer to UMD

Bug 1793398

Change-Id: Iffd654dbaca3b4e3c8fd2ac270d0febd01c165b8
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1195862
(cherry picked from commit 118809f4bd07af20df2b6c012828834695a5fccf from dev-kernel linux-nvgpu.git)
Reviewed-on: http://git-master/r/1269683
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Christian Gonzalez <christiang@nvidia.com>
Tested-by: Christian Gonzalez <christiang@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agoarm: tegra: fix cpu speedo check for UCM1
Bibek Basu [Thu, 15 Dec 2016 08:23:27 +0000]
arm: tegra: fix cpu speedo check for UCM1

for UCM1 CD575M, check for cpu speedo 5 to
apply edp contraints

Bug 200195229
Bug 200199079

Change-Id: I704dd64f32c82c7499b6c5f0c96c04fdc062cf71
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1271709
GVS: Gerrit_Virtual_Submit

2 years agodvfs: tegra: Validate CLDVFS register address
Bibek Basu [Thu, 10 Nov 2016 10:18:17 +0000]
dvfs: tegra: Validate CLDVFS register address

Bug 1783583

Change-Id: I8b0e865db02c00f741dafb473d4bd39c5075f23f
Signed-off-by: Alex Frid <afrid@nvidia.com>
Reviewed-on: http://git-master/r/1173469
(cherry picked from commit 453a77c5cd9a1316307458203365f9eb5bda62de)
Reviewed-on: http://git-master/r/1174714
(cherry picked from commit f2ce702f49c5631e8a7cbda6fbf09140f8fb55d9)
Reviewed-on: http://git-master/r/1239794
(cherry picked from commit f62bd56958ca743d512f757555e4a3b66f4c9cff)
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1251020
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agovideo: tegra: host: Prevent the race between channel open and close
Gagan Grover [Fri, 4 Nov 2016 11:09:33 +0000]
video: tegra: host: Prevent the race between channel open and close

Moved fd_install() at the end of the channel_open ioctl. So, the fd
can't be used until open ioctl completes.

Bug 1832094

Change-Id: Ib33d43bf5164418a38f98677d4e3295f3d1c1450
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248180
(cherry picked from commit e6a41d5c0049c2878543006b67b7ee2b2bbda2ab)
Reviewed-on: http://git-master/r/1249505
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

2 years agovideo: tegra: host: add lower bound to num_syncpt_incrs
Gagan Grover [Fri, 21 Oct 2016 10:33:47 +0000]
video: tegra: host: add lower bound to num_syncpt_incrs

Check if there is at least one syncpt_incrs in each job.

Bug 1812182

Change-Id: I0bd0b2e7c4d01641c83ba729ec34390ddea81496
Reviewed-on: http://git-master/r/1221226
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248797
GVS: Gerrit_Virtual_Submit
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>

2 years agogpio: pca953x: fix gpio input on gpio offsets >= 8
Martin Chi [Mon, 24 Oct 2016 08:57:37 +0000]
gpio: pca953x: fix gpio input on gpio offsets >= 8

This change fixes a regression introduced by commit
f5f0b7aa8 (gpio: pca953x: make the register access by GPIO bank)

When the pca953x driver was converted to using 8-bit reads/writes
the bitmask in pca953x_gpio_get_value wasn't adjusted with a
modulus BANK_SZ and consequently looks at the wrong bits in the
input register.

Bug 1826501

Change-Id: Id9c9d1cab9fb97e2fdf9408b03873722f787fbec
Signed-off-by: Andrew Ruder <andrew.ruder@elecsyscorp.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
(cherry picked from commit 40a625daa88653d7942dc85483f6f289cd687cb7)
Signed-off-by: Martin Chi <mchi@nvidia.com>
Reviewed-on: http://git-master/r/1241694
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
Reviewed-on: http://git-master/r/1242944
GVS: Gerrit_Virtual_Submit

2 years agommc: core: update EXT_CSD version to 8
Anubhav Jain [Wed, 29 Jun 2016 10:42:18 +0000]
mmc: core: update EXT_CSD version to 8

Bug 1779090

Change-Id: I733c6ff7b3e39216fcf25f9c0d048b4c752a9e84
Signed-off-by: Anubhav Jain <anubhavj@nvidia.com>
Reviewed-on: http://git-master/r/1173092
GVS: Gerrit_Virtual_Submit
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>

2 years agommc: card: test: Fix out of boundary array access
Xia Yang [Mon, 15 Aug 2016 21:56:51 +0000]
mmc: card: test: Fix out of boundary array access

Allocate buffer with 1 extra byte for NULL terminator.

Bug 1791602

Change-Id: I3c3658315c2cd2a1dc7be7d72953998a5275e71e
Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-on: http://git-master/r/1216897
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years agomm: remove gup_flags FOLL_WRITE games from __get_user_pages()
Linus Torvalds [Thu, 13 Oct 2016 20:07:36 +0000]
mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.

This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better).  The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9.  Earlier kernels will
have to look at the page state itself.

Also, the VM has become more scalable, and what used a purely
theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.

Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
     s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>

Change-Id: I6fbb1abf656ff7e05ec4c65f07dbbdd694546fb4
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-on: http://git-master/r/1241321
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years agogpu: nvgpu: fix use-after-free in case of error notifier
Gagan Grover [Wed, 12 Oct 2016 11:35:06 +0000]
gpu: nvgpu: fix use-after-free in case of error notifier

A use-after-free scenario is possible where one thread in
gk20a_free_error_notifiers() is trying to free the error
notifier and another thread in gk20a_set_error_notifier()
is still using the error notifier

Fix this by introducing mutex error_notifier_mutex for
error notifier accesses

Take mutex in gk20a_free_error_notifiers() and in
gk20a_set_error_notifier() before accessing notifier

In gk20a_init_error_notifier(), set the pointer
ch->error_notifier_ref inside the mutex and only
after notifier is completely initialized

Bug 1824788

Change-Id: I47e1ab57d54f391799f5a0999840b663fd34585f
Reviewed-on: http://git-master/r/1233988
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Gaurav Singh <gaursingh@nvidia.com>
Reviewed-on: http://git-master/r/1236695
GVS: Gerrit_Virtual_Submit
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agoUPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring()
Yevgeny Pats [Tue, 19 Jan 2016 22:09:04 +0000]
UPSTREAM: KEYS: Fix keyring ref leak in join_session_keyring()

(cherry pick from commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2)

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.

This can be tested with the following program:

#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <keyutils.h>

int main(int argc, const char *argv[])
{
int i = 0;
key_serial_t serial;

serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}

if (keyctl(KEYCTL_SETPERM, serial,
   KEY_POS_ALL | KEY_USR_ALL) < 0) {
perror("keyctl");
return -1;
}

for (i = 0; i < 100; i++) {
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}
}

return 0;
}

If, after the program has run, there something like the following line in
/proc/keys:

3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning.  If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.

Bug 1720836

Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: I10177a58a7b3178eda95017557edaa7298594d06
(cherry picked from commit 9fc5f368bb89b65b591c4f800dfbcc7432e49de5)
Signed-off-by: Sumit Singh <sumsingh@nvidia.com>
Reviewed-on: http://git-master/r/935565
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
(cherry picked from commit 07be7f19b4c356ce94642d0c2cecb93179a9a9bc)
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1210637
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>

2 years agoRevert "arm64:mm: rm swtch to ASID0 in ctxt swtch"
Rohit Khanna [Wed, 7 Sep 2016 20:00:23 +0000]
Revert "arm64:mm: rm swtch to ASID0 in ctxt swtch"

This reverts commit 584b60200b8bdcc895c8edacb94f48db5929f70a.

Change-Id: Ibe5b217521b77fa5799400b9460182e3329e1779
Signed-off-by: Rohit Khanna <rokhanna@nvidia.com>
Reviewed-on: http://git-master/r/1216501
(cherry picked from commit 04c8d66d61e15198b95d54672b2f2fe047d180b3)
Reviewed-on: http://git-master/r/1223596
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agonvavp: Add missing mutex unlock
Soumen Kumar Dey [Thu, 15 Sep 2016 03:53:29 +0000]
nvavp: Add missing mutex unlock

Add missing mutex unlock for nvavp_submit.

bug 1775299

Change-Id: I1b525e192bfd9dd19bcd0211484400445eda7b2b
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
Reviewed-on: http://git-master/r/1221210
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years agonvavp: Add mutex lock for all avp submit
Soumen Kumar Dey [Tue, 14 Jun 2016 09:01:57 +0000]
nvavp: Add mutex lock for all avp submit

Add mutex lock for nvavp_submit to avoid race condition.

bug 1775299

Change-Id: I11a66a58a1f048d6a0ee5aa949f852bfef56dc07
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
Reviewed-on: http://git-master/r/1164117
(cherry picked from commit 1faa6a739996fdacff3dbc85ad46235f42ad79c9)
Reviewed-on: http://git-master/r/1214643
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years agotegra:nvavp: Fix buffer overflow issue
Praveen Kumar Reddy M.V [Mon, 13 Jun 2016 11:38:32 +0000]
tegra:nvavp: Fix buffer overflow issue

Fixed possible buffer overflow issue in func
nvavp_pushbuffer_update().

Bug 1774401

Change-Id: Id0dec1cbf91d492335d0809c3c0bf146f6cb9d3d
Signed-off-by: Praveen Kumar Reddy M.V. <pkreddy@nvidia.com>
Reviewed-on: http://git-master/r/1163365
(cherry picked from commit 1e9ba50b225e841b52a93503fce818c1a21100f7)
Reviewed-on: http://git-master/r/1164130
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>

2 years agoata: ahci_tegra: disable devslp
Preetham Chandru R [Fri, 19 Aug 2016 06:44:25 +0000]
ata: ahci_tegra: disable devslp

Devslp is not POR for T124 anymore.

Bug 200231146

Change-Id: Ia5380a17d545d3082a31c5b16b6946fa0e7ce4d5
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Reviewed-on: http://git-master/r/1207452
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years agospi: tegra: support polling mode
Krishna Yarlagadda [Tue, 17 Nov 2015 14:01:22 +0000]
spi: tegra: support polling mode

Added support to use polling mode instead of interrupts
through a property in dt

Bug 1679083

Change-Id: Ic82ab592822cc96bacda05124d38ddd913e09af9
Reviewed-on: http://git-master/r/840233
(cherry picked from commit cd1c4db5adc8317572106099da37fa434245e699)
Reviewed-on: http://git-master/r/1009988
(cherry picked from commit b29ce03a6b7ebb306ff157640470dd5ab99c6f6b)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1175213
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Tested-by: Matthew Pedro <mapedro@nvidia.com>

2 years agospi: tegra: Reduce register access
Krishna Yarlagadda [Mon, 8 Feb 2016 13:48:17 +0000]
spi: tegra: Reduce register access

Reduce register accesses to SPI as it is dependent on
slow, variable SPI clock frequency.

Bug 1675619

Change-Id: I5d638b8f95d9207fbad1e30e21234fc7433e03b3
Reviewed-on: http://git-master/r/1009503
(cherry picked from commit 890a422a7b75507c33b53f1ca4c512f7911d61c4)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1174582
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years agospi: tegra: option to boost register access
Krishna Yarlagadda [Mon, 8 Feb 2016 11:17:35 +0000]
spi: tegra: option to boost register access

SPI register access for T210 and earlier chips depend
on SPI clock frequency. Provided an option to set SPI
clock at max frequency for register access.

Bug 1675625

Change-Id: Ie52c83cd4602604822462d9f02ddf31ead83aafc
Reviewed-on: http://git-master/r/1009782
(cherry picked from commit a2ccd28f2850538064668568432fee5d70a22e82)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1174581
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years agotegra: quadd: fix stack information disclose bug
Jianqiang Zhao [Fri, 15 Jul 2016 08:58:55 +0000]
tegra: quadd: fix stack information disclose bug

fix stack information disclose bug

Bug 1797747

Change-Id: I7d2d33b9dbe3e81e8bb33aa9d7401dbb50525dce
Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Reviewed-on: http://git-master/r/1205757
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years agoquadd: fix stack info leak when getting capabilities
Jianqiang Zhao [Tue, 2 Aug 2016 03:57:13 +0000]
quadd: fix stack info leak when getting capabilities

Fix stack info leak when getting capabilities

Bug 1797747

Change-Id: Ic39112748fb2f053e6963b88e46ba2d953390edf
Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Reviewed-on: http://git-master/r/1205756
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

2 years agousb: gadget: tegra: Fix short packet issue
Peter Chiang [Mon, 4 Jul 2016 10:52:33 +0000]
usb: gadget: tegra: Fix short packet issue

Fix Tranaction Error due to short packet with ISO mult-transaction.
Set new value in Override Mult field to support short packet

Bug 1745903

Change-Id: I7409ba8943c2490afe714a0da9f7c05a63c949b4
Signed-off-by: Peter Chiang <pchiang@nvidia.com>
Reviewed-on: http://git-master/r/1175184
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>

2 years agovideo: tegra: host: fix integer overflow
Deepak Nibade [Mon, 27 Jun 2016 08:43:26 +0000]
video: tegra: host: fix integer overflow

Below addition on 32 bit architecture machines could
cause integer overflow since we will assign overflowed
value to "num_unpins"
s64 num_unpins = num_cmdbufs + num_relocs

Fix this and other calculations by explicitly typecasting
variables to u64 first

Bug 1781393

Change-Id: Ib7d9c0be4ac61dc404512b4bb0331aa20a6978bc
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171748
(cherry picked from commit 8f00b96c137b9c4cb43a8dbe2e153fae49524113)
Reviewed-on: http://git-master/r/1172519
(cherry picked from commit 61229625b1e19d5a93a9458f04e0cce356dbdee3)
Reviewed-on: http://git-master/r/1190218
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agovideo: tegra: host: fix possible overflow with num_syncpt_incrs
Deepak Nibade [Mon, 27 Jun 2016 08:33:15 +0000]
video: tegra: host: fix possible overflow with num_syncpt_incrs

We allocate below without checking if num_syncpt_incrs
is valid or not
struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs];

If UMD passes a negative value in num_syncpt_incrs, then
it is possible to corrupt the stack

Hence, first check if num_syncpt_incrs is valid (i.e.
not negative)
And then allocate the array dynamically using kzalloc
instead of allocating it on stack

Bug 1781393

Change-Id: I5389fd271149b457f63831a41c104c9814299ddf
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171747
(cherry picked from commit 07fb347b4060a888b19df3524f36fcf7974a79d1)
Reviewed-on: http://git-master/r/1172518
(cherry picked from commit 1db2d69b6abeb6fc9d4257db88f631d9c8aef74d)
Reviewed-on: http://git-master/r/1190211
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agovideo: tegra: hdmi: choose clk rate above 100MHz
Naveen Kumar S [Wed, 20 Jul 2016 11:17:05 +0000]
video: tegra: hdmi: choose clk rate above 100MHz

pll_d2 runs at a minimum of 100MHz on T124. Update logic
to choose parent clock rate more than 100MHz.
e.g.: A mode with 32MHz pclk chooses parent clock of
96MHz with a divider of 3.0, which fails as pll_d
can't be pulled below 100MHz.

bug 1785365

Change-Id: I12400549a3ed42295ddd46adcb6493232f2d896a
Signed-off-by: Naveen Kumar S <nkumars@nvidia.com>
Reviewed-on: http://git-master/r/1184235
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Aleksandr Frid <afrid@nvidia.com>
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>

2 years agoata: ahci_tegra: disable DIPM l4t/l4t-r21.5 tegra-l4t-r21.5
Preetham Chandru R [Tue, 23 Feb 2016 06:24:34 +0000]
ata: ahci_tegra: disable DIPM

DIPM is not a POR for Tegra AHCI Sata Controller

Bug 200087528

Change-Id: I5a742170177c9f57426f3756a8cfafefa88af92b
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Reviewed-on: http://git-master/r/1013776
(cherry picked from commit 7ebd3b1058491ee87686e9e731b79ecd914e00d9)
Reviewed-on: http://git-master/r/1031624
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>

2 years agoplatform: tegra: nvavp: fix for pre-decrement of clk_enabled cntr
Bhushan Rupde [Fri, 13 May 2016 09:00:19 +0000]
platform: tegra: nvavp: fix for pre-decrement of clk_enabled cntr

Bug 1729847

Change-Id: Ie455b0469a1d4e35453ca9e36c5e90dfdc6f56a2
Signed-off-by: Bhushan Rupde <brupde@nvidia.com>
Reviewed-on: http://git-master/r/1147432
Reviewed-by: Mohan Nimaje <mnimaje@nvidia.com>
Reviewed-by: Soumen Dey <sdey@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>

2 years agovideo: tegra: host: Fix ch open error handling
Arto Merilainen [Tue, 10 May 2016 06:16:03 +0000]
video: tegra: host: Fix ch open error handling

In case kernel fails to open a channel (e.g. due to inability to
allocate hardware context or turn on the device), the channel open
function releases the resources that were already allocated
successfully.

However, currently the error path additionally calls the channel
release function for putting the channel pointer after the private
data structures have been freed - thereby causing use-after-free
memory usage.

This patch reworks error handling in channel open to release
channel without risking usage of already freed memory.

Bug 1763577

Change-Id: Ic7562e69f2babad653afc7a11e413701494a30b4
Signed-off-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-on: http://git-master/r/1148081
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>

3 years agovideo: tegra: host: check if offset is u32 aligned
Deepak Nibade [Fri, 11 Mar 2016 08:29:20 +0000]
video: tegra: host: check if offset is u32 aligned

In nvhost_ioctl_ctrl_module_regrdwr(), we copy offset
to read/write from user space but we do not have
any check on it

So it is possible for user space to add unaligned
offset and request read/write which would crash the
system

Fix this by explicitly checking alignment of the
offset passed by user space

Bug 1739935

Change-Id: Iea2a07c60500af876b732a0e9d9d08535aa53b5c
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1029405
(cherry picked from commit 422baa09a17a6a17f4e572aa5441ca174634de0d)
Reviewed-on: http://git-master/r/1123363
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>

3 years agocamera: tegra: Fix security vulnerability issue
Frank Chen [Fri, 25 Mar 2016 05:37:18 +0000]
camera: tegra: Fix security vulnerability issue

Deprecate outdated UPDATE_GPIO function in camera.pcl
driver. This function is not used by any code anymore
and is a security vulnerability since it is trying to
access user mode pointer directly.

Bug 1745102

Change-Id: I4e7e5f9c186f980dcadfe52ec4284102255f19cf
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1115302
(cherry picked from commit 2e5c355c904a19d71456a04c70f3fb4fc7d918b0)
Reviewed-on: http://git-master/r/1123362
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Tested-by: Matthew Pedro <mapedro@nvidia.com>