| Age | Commit message (Collapse) | Author |
|---|
|
Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.
Bug 1989825
Change-Id: Id158ece2176c4ac339a7232dfde8c47ce2241122
Cc: stable@vger.kernel.org
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1558952
(cherry picked from commit c005032a3ffe77437f6ebc704af377fc9bc46279)
Reviewed-on: https://git-master.nvidia.com/r/1570529
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context being
only partially available, and can lead to use-after-free.
Bug 1885775
Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1506479
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Handle the race condition between malicious fd close and
copy_to_user error, which can create use after free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to use after free condition.
Fixing Google Bug 32160775.
Bug 1835857
Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-on: http://git-master/r/1248391
Reviewed-on: https://git-master.nvidia.com/r/1512958
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
In the debugfs support for reading panel registers, max payload
needs to be limited to the buff array size to avoid stack corruption.
Bug 1873360
Change-Id: Ibee7bd81027d2669297942c09b905f1dd3bb09ee
Signed-off-by: Pavan Kunapuli <pkunapuli@nvidia.com>
Signed-off-by: sakets <sakets@nvidia.com>
Reviewed-on: https://git-master/r/1507653
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
When the NVMAP_IOC_PIN_MULT_32 and NVMAP_IOC_UNPIN_MULT_32 are
called it is possible that the op.addr is not initialized. This
can cause write to some random address thus causing corruption.
This patch fixes Google Bug 31668540
bug 1832092
Change-Id: I4d12d1a6c777131ba1fa2a753ea640861f8e82a6
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1314406
(cherry picked from commit da0c43534bb61e2e0849e297d389517d5e4ed168)
Reviewed-on: http://git-master/r/1504673
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Use locking to protect generated fd, so that it can't be
freed before channel open completes. Also add null value checks
in release call.
CVE-2016-8449 (A-31798848)
Bug 1830023
Bug 1849492
Change-Id: Ie6e2b29c7132fdfdff6b0bfa75440bd43afffd5f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285817
(cherry picked from commit 2ff0fdedfd65f269359d6540df4662e958681aa7)
Reviewed-on: http://git-master/r/1299505
(cherry picked from commit ea1af2ce5a746bda36205357c9e0adaf527026bb)
Reviewed-on: http://git-master/r/1489467
(cherry picked from commit 89559abb25f82dc333eafa26391be0a50d6e9e0a)
Reviewed-on: http://git-master/r/1504674
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Use the correct page size index for pgsz_idx in gk20a_vm_alloc_space().
Previously the page size itself was used, not the page size index.
Bug 1837624
Change-Id: I652f5af5321c1c49dc8eb170d3f92f00c23d2b6f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
(cherry picked from commit fd13e0e1c4e397335c24497a0f92c85934d6185f)
Reviewed-on: http://git-master/r/1503371
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Consider the following case:
1. NVMAP_IOC_CREATE on IOVMM gives a valid fd to user space
2. user space does not call NVMAP_IOC_ALLOC.
3. user space calls a client driver IOCTL which calls dma_buf_map_attachment
4. call to dma_buf_map_attachment propagates till__nvmap_sg_table
which has heap_pgalloc as true and tries to access pages[]
which has all NULL.
5. Similarly, a dma_buf_kmap() can result in __nvmap_kmap() being called
which again results in NULL dereference if pages[] is accessed.
A valid __nvmap_sg_table should occur only when h->alloc is true.
So, add check for it.
bug 1838597
bug 1883708
Change-Id: I400d9d8a94ff1003db207fc9c252b9256d796f60
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit 8244d104b7635cb0b26b651b6851498b9a84d7d6)
Reviewed-on: http://git-master/r/1489579
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.
Bug 1884311
Bug 1820242
Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-on: http://git-master/r/1489707
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Check all pages' parameters before reserve pages.
Bug 1883463
Bug 1831426
Bug 200247013
Manual port: http://git-psac/r/9287
(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)
Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Signed-off-by: Xia Yang <xiay@nvidia.com>
Signed-off-by: Sagar Kadamati <skadamati@nvidia.com>
Reviewed-on: http://git-master/r/1273326
Reviewed-on: http://git-master/r/1488769
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
gk20a_channel_release() should bail if filp->private_data is
NULL. This can happen as a result of gk20a_channel_release()
being called when __gk20a_channel_open() fails in
NVHOST_IOCTL_CHANNEL_OPEN.
Bug 200014898
Change-Id: I32cc957aca46fcd4265a8052ac5be355b644b9f7
Signed-off-by: Aingara Paramakuru <aparamakuru@nvidia.com>
Reviewed-on: http://git-master/r/496138
(cherry picked from commit cb0db6618c42ab4c33574f09f212ab1ee9a0438a)
Reviewed-on: http://git-master/r/1258588
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
Fix UAF (use-after-free) security issue in
camera.pcl driver
Bug 1832830
Change-Id: Ie0f8a58a7bb9d1b4949e0f68d25d6da108f06e76
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1271371
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
- Add mutex_lock(cam_desc.d_mutex) around ioctl access functions.
- Check cam->cdev in PCLLK_IOCTL_DEV_DEL ioctl.
(Back ported from Nexus N9 project)
Bug 1832830
Signed-off-by: <tiangangpi@gmail.com>
Signed-off-by: Xiaya Hu <xiaya@nvidia.com>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 28026625
Change-Id: I81fbab628fb6516afa2cf5d3e0adf333aa2eb003
Reviewed-on: http://git-master/r/1271370
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Check a few input params to make sure there is
no potential for a heap overflow in the driver.
(Back ported from Nexus N9 project)
Bug 1757475 (nvidia)
Bug 1832830 (nvidia)
Bug 28193342 (google)
Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13
Signed-off-by: Amey Asgaonkar <aasgaonkar@nvidia.com>
Reviewed-on: http://git-master/r/1271369
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
The driver expects the userspace-provided table to be terminated with
addr == CAMERA_TABLE_END. Reject tables that aren't.
(back ported from Nexus N9 project)
Bug 1832830
Change-Id: Id1e168e02fbf323d094fe8c36c6e4bd90cceee4f
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271368
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Several places in the camera stack can hit integer overflows or cause
bad allocations if userspace passes in a bogus sizeofvalue parameter.
Protect against this by using appropriately-sized integer types, adding
range checks, replacing array-allocation calls with kcalloc(), and
checking for allocations returning ZERO_SIZE_PTR.
For one specific ioctl (PCLLK_IOCTL_UPDATE) sizeofvalue = 0 is fine,
since when that happens the subdrivers won't actually touch the returned
allocation. In fact the existing userspace camera driver makes calls
like these and expects them to succeed! Handle this special case by
adding a __camera_get_params variant that optionally treats zero-sized
inputs as valid.
(back ported from Nexus N9 project)
Bug 1832830
Change-Id: Ie3250d8a4b814de5820fa0190b4cbd1af3ca4b3f
Reported-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271367
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
change the type modifier from signed to unsigned
for plaintext_sz variable in tegra_sha_req structure
to avoid occurence of negative values in plaintext_sz
variable.
Bug 1883640
Change-Id: I853f1916f7d4b6ea901cfe83419d624720a7e64f
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1474814
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Currently nvhost performs minimal checking for submits it passes
to hardware: The kernel does not check if job syncpoints are allocated
and the gather classes are not verified currently.
This patch adds checks for syncpoint ids and gather classes.
Adapted from 0abcbd69c4cbd0093e223b6c248fdd53c2886951.
Bug 1831406
Change-Id: Ifb9d2090009d16d0f56bc11546036167c7f72228
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1242190
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
The size here comes from the user via the ioctl, it is a number between
1-u32max so the addition here could overflow on 32 bit systems.
This patch fixes a security vulnerability reported here:
https://code.google.com/p/android/issues/detail?id=228947
Change-Id: I17ed8c6e30826074cfc6dd833deb423be9bd89c5
Fixes: f453ba046074 ('DRM: add mode setting support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Cc: stable@kernel.org # v4.2
Signed-off-by: Dave Airlie <airlied@gmail.com>
Bug 1846814
Signed-off-by: Shreshtha SAHU <ssahu@nvidia.com>
Change-Id: I308e65797972a0a0650bd96bd130dfd2fbe9c993
Reviewed-on: http://git-master/r/1262503
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
dma_buf_get() return value is now validated before
passed down for further process.
Bug 1812180
Bug 1883864
Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-on: http://git-master/r/1220869
(cherry picked from commit e6fe9437c609252cf28ac76d2e6b33e905eaa843 in rel-21)
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Reviewed-on: http://git-master/r/1469135
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
This patch fixes pllx max value to 1530 and 1836Mhz
based on embedded clok settings considering aging factor
for CD575MI 24x7 and CD575MI 4/4/16 config
Bug 1900076
Change-Id: I9c6a769787fc04eac7ce4548e1a37a9a76972a6c
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1464315
GVS: Gerrit_Virtual_Submit
Reviewed-by: Peter Chiang <pchiang@nvidia.com>
|
|
Channel ioctl interface is not multithreading safe and as the
common case is that we have only a single active user for an open
fd, add a mutex to force serialization of ioctl calls.
Bug 1830021
Change-Id: Ifa6595a105b913345104f216f0541c371e89efe5
(cherry picked from commit 7b24caa9a8d2ab08fe0c7be112e805e44906d956)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248801
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
|
|
Fix possible use after free issue.
Bug 1814555
Bug 1884319
Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: http://git-master/r/1257999
(cherry picked from commit b1647da33cff0c498ca8439a722ea1962ecf6901 in rel-24)
Reviewed-on: http://git-master/r/1461184
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
New emc table for samsung dram is added on JetsonTK1 target.
Based on tegra bct strap value it can be chosen dynamically.
Both emc table and embedded emc table has been updated accordingly.
Bug 1752744
Change-Id: Ifc577d925712690daec6c6f1121458f01f720846
Signed-off-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-on: http://git-master/r/1312498
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Jetson TK1 doesn't support usb charging but the detection is still
running. Disable it to avoid unexpected behavior.
Bug 1861049
Change-Id: I13425d69e190a75084486ff1fc9afeb8aa7acb60
Signed-off-by: Roger Hsieh <rhsieh@nvidia.com>
Reviewed-on: http://git-master/r/1308015
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Change kmalloc to kmalloc_array to prevent overflow issues
caused by large values supplied by user.
Based on "video: tegra: host: Fix overflow issues in allocation"
in nvhost/.
Coverity ID 27942
Bug 1856419
Change-Id: I5e96d0ec184543782dfe8814ad7e856b3b71221c
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1295062
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Consider the following case:
1. NVMAP_IOC_CREATE gives a valid fd to user space
2. user space calls NVMAP_IOC_ALLOC and it fails. So, all
of the handle's allocation fields are zero.
3. Subsequent dma_buf_vmap, mmap on fd leads to __nvmap_mmap
call.
4. handle is valid but h->alloc, h->carveout, h->heap_pgalloc,
h->vaddr all are 0.
5. We check for h->heap_pgalloc which is false, so proceed and
dereference h->carveout leading to NULL pointer exception.
A valid __nvmap_mmap should occur only when h->alloc is true.
So, add check for it.
bug 1837468
Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1253236
(cherry picked from commit c5da78cf3d0c19f1e04501a4b3f64a5acacd0ff3)
Reviewed-on: http://git-master/r/1312264
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Copy from user may taint the scalar value members
in the respective struct variables.
Add check for verifying the validity of the
scalar value members to avoid undefined behaviour.
Bug 1903278
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Change-Id: Ic01c8d10886f9b02c61156f811b430acce8aca23
Reviewed-on: http://git-master/r/1473534
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
SHA message length is provided from user space
through IOCTL call. If this length is not valid,
then it can lead to panic due to buffer overflow.
Fix by checking message length for SHA before
copying from user space
Bug 1883640
Change-Id: Idc5c6074784290b4622b1c23e5feb43849100cb5
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1471180
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.
However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets
freed
in dccp_rcv_state_process.
Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.
Similar fixes for TCP:
fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly
freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 200285540
Change-Id: I3bec712b03278102c88933d4684324c3f414b606
Signed-off-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-on: http://git-master/r/1325204
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Validate the region specified by offset and size before performing
the operations like nvmap_prot_handle, nvmap_cache_maint and nvmap_handle_mk*.
This validation of offset and size once the values are in local variables
guarantees that even though user space changes the values in user buffers,
nvmap continues to perform operations with the contents that are validated.
Fixes Google Bug 34113000.
bug 1862379
Change-Id: Ief81887b3d94b49f3dcf4d2680d9d7b257c54092
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1298712
(cherry picked from commit f45441da608d8015ece73d253d4bdb48863f99e2)
Reviewed-on: http://git-master/r/1310316
(cherry picked from commit 57367ab3be5f1c52dd6b885f114ae90dfce5a363)
Reviewed-on: http://git-master/r/1319910
GVS: Gerrit_Virtual_Submit
|
|
Initialize character array buf in gk20a_channel_ioctl() to zero
Keeping it uninitialized can result in leaking kernel stack
info to user space since we pass this buffer to UMD
Bug 1793398
Change-Id: Iffd654dbaca3b4e3c8fd2ac270d0febd01c165b8
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1195862
(cherry picked from commit 118809f4bd07af20df2b6c012828834695a5fccf from dev-kernel linux-nvgpu.git)
Reviewed-on: http://git-master/r/1269683
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Christian Gonzalez <christiang@nvidia.com>
Tested-by: Christian Gonzalez <christiang@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
for UCM1 CD575M, check for cpu speedo 5 to
apply edp contraints
Bug 200195229
Bug 200199079
Change-Id: I704dd64f32c82c7499b6c5f0c96c04fdc062cf71
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1271709
GVS: Gerrit_Virtual_Submit
|
|
Bug 1783583
Change-Id: I8b0e865db02c00f741dafb473d4bd39c5075f23f
Signed-off-by: Alex Frid <afrid@nvidia.com>
Reviewed-on: http://git-master/r/1173469
(cherry picked from commit 453a77c5cd9a1316307458203365f9eb5bda62de)
Reviewed-on: http://git-master/r/1174714
(cherry picked from commit f2ce702f49c5631e8a7cbda6fbf09140f8fb55d9)
Reviewed-on: http://git-master/r/1239794
(cherry picked from commit f62bd56958ca743d512f757555e4a3b66f4c9cff)
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1251020
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Moved fd_install() at the end of the channel_open ioctl. So, the fd
can't be used until open ioctl completes.
Bug 1832094
Change-Id: Ib33d43bf5164418a38f98677d4e3295f3d1c1450
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248180
(cherry picked from commit e6a41d5c0049c2878543006b67b7ee2b2bbda2ab)
Reviewed-on: http://git-master/r/1249505
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
Check if there is at least one syncpt_incrs in each job.
Bug 1812182
Change-Id: I0bd0b2e7c4d01641c83ba729ec34390ddea81496
Reviewed-on: http://git-master/r/1221226
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248797
GVS: Gerrit_Virtual_Submit
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
|
|
This change fixes a regression introduced by commit
f5f0b7aa8 (gpio: pca953x: make the register access by GPIO bank)
When the pca953x driver was converted to using 8-bit reads/writes
the bitmask in pca953x_gpio_get_value wasn't adjusted with a
modulus BANK_SZ and consequently looks at the wrong bits in the
input register.
Bug 1826501
Change-Id: Id9c9d1cab9fb97e2fdf9408b03873722f787fbec
Signed-off-by: Andrew Ruder <andrew.ruder@elecsyscorp.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
(cherry picked from commit 40a625daa88653d7942dc85483f6f289cd687cb7)
Signed-off-by: Martin Chi <mchi@nvidia.com>
Reviewed-on: http://git-master/r/1241694
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
Reviewed-on: http://git-master/r/1242944
GVS: Gerrit_Virtual_Submit
|
|
Bug 1779090
Change-Id: I733c6ff7b3e39216fcf25f9c0d048b4c752a9e84
Signed-off-by: Anubhav Jain <anubhavj@nvidia.com>
Reviewed-on: http://git-master/r/1173092
GVS: Gerrit_Virtual_Submit
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>
|
|
Allocate buffer with 1 extra byte for NULL terminator.
Bug 1791602
Change-Id: I3c3658315c2cd2a1dc7be7d72953998a5275e71e
Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-on: http://git-master/r/1216897
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better). The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9. Earlier kernels will
have to look at the page state itself.
Also, the VM has become more scalable, and what used a purely
theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.
Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>
Change-Id: I6fbb1abf656ff7e05ec4c65f07dbbdd694546fb4
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Signed-off-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-on: http://git-master/r/1241321
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
A use-after-free scenario is possible where one thread in
gk20a_free_error_notifiers() is trying to free the error
notifier and another thread in gk20a_set_error_notifier()
is still using the error notifier
Fix this by introducing mutex error_notifier_mutex for
error notifier accesses
Take mutex in gk20a_free_error_notifiers() and in
gk20a_set_error_notifier() before accessing notifier
In gk20a_init_error_notifier(), set the pointer
ch->error_notifier_ref inside the mutex and only
after notifier is completely initialized
Bug 1824788
Change-Id: I47e1ab57d54f391799f5a0999840b663fd34585f
Reviewed-on: http://git-master/r/1233988
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Gaurav Singh <gaursingh@nvidia.com>
Reviewed-on: http://git-master/r/1236695
GVS: Gerrit_Virtual_Submit
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
(cherry pick from commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2)
This fixes CVE-2016-0728.
If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.
This can be tested with the following program:
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <keyutils.h>
int main(int argc, const char *argv[])
{
int i = 0;
key_serial_t serial;
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}
if (keyctl(KEYCTL_SETPERM, serial,
KEY_POS_ALL | KEY_USR_ALL) < 0) {
perror("keyctl");
return -1;
}
for (i = 0; i < 100; i++) {
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}
}
return 0;
}
If, after the program has run, there something like the following line in
/proc/keys:
3f3d898f I--Q--- 100 perm 3f3f0000 0 0 keyring leaked-keyring: empty
with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning. If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.
Bug 1720836
Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Change-Id: I10177a58a7b3178eda95017557edaa7298594d06
(cherry picked from commit 9fc5f368bb89b65b591c4f800dfbcc7432e49de5)
Signed-off-by: Sumit Singh <sumsingh@nvidia.com>
Reviewed-on: http://git-master/r/935565
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
(cherry picked from commit 07be7f19b4c356ce94642d0c2cecb93179a9a9bc)
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1210637
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
|
|
This reverts commit 584b60200b8bdcc895c8edacb94f48db5929f70a.
Change-Id: Ibe5b217521b77fa5799400b9460182e3329e1779
Signed-off-by: Rohit Khanna <rokhanna@nvidia.com>
Reviewed-on: http://git-master/r/1216501
(cherry picked from commit 04c8d66d61e15198b95d54672b2f2fe047d180b3)
Reviewed-on: http://git-master/r/1223596
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Add missing mutex unlock for nvavp_submit.
bug 1775299
Change-Id: I1b525e192bfd9dd19bcd0211484400445eda7b2b
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
Reviewed-on: http://git-master/r/1221210
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Add mutex lock for nvavp_submit to avoid race condition.
bug 1775299
Change-Id: I11a66a58a1f048d6a0ee5aa949f852bfef56dc07
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
Reviewed-on: http://git-master/r/1164117
(cherry picked from commit 1faa6a739996fdacff3dbc85ad46235f42ad79c9)
Reviewed-on: http://git-master/r/1214643
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Fixed possible buffer overflow issue in func
nvavp_pushbuffer_update().
Bug 1774401
Change-Id: Id0dec1cbf91d492335d0809c3c0bf146f6cb9d3d
Signed-off-by: Praveen Kumar Reddy M.V. <pkreddy@nvidia.com>
Reviewed-on: http://git-master/r/1163365
(cherry picked from commit 1e9ba50b225e841b52a93503fce818c1a21100f7)
Reviewed-on: http://git-master/r/1164130
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Devslp is not POR for T124 anymore.
Bug 200231146
Change-Id: Ia5380a17d545d3082a31c5b16b6946fa0e7ce4d5
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Reviewed-on: http://git-master/r/1207452
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Added support to use polling mode instead of interrupts
through a property in dt
Bug 1679083
Change-Id: Ic82ab592822cc96bacda05124d38ddd913e09af9
Reviewed-on: http://git-master/r/840233
(cherry picked from commit cd1c4db5adc8317572106099da37fa434245e699)
Reviewed-on: http://git-master/r/1009988
(cherry picked from commit b29ce03a6b7ebb306ff157640470dd5ab99c6f6b)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1175213
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Tested-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Reduce register accesses to SPI as it is dependent on
slow, variable SPI clock frequency.
Bug 1675619
Change-Id: I5d638b8f95d9207fbad1e30e21234fc7433e03b3
Reviewed-on: http://git-master/r/1009503
(cherry picked from commit 890a422a7b75507c33b53f1ca4c512f7911d61c4)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1174582
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
|
|
SPI register access for T210 and earlier chips depend
on SPI clock frequency. Provided an option to set SPI
clock at max frequency for register access.
Bug 1675625
Change-Id: Ie52c83cd4602604822462d9f02ddf31ead83aafc
Reviewed-on: http://git-master/r/1009782
(cherry picked from commit a2ccd28f2850538064668568432fee5d70a22e82)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1174581
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
|
