From 3494ec4c7f2f6f0261cbf582ea6a605f9033cb7b Mon Sep 17 00:00:00 2001 From: Debarshi Dutta Date: Tue, 8 Aug 2017 15:34:57 +0530 Subject: Revert "gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX" Bug 200336148 This reverts commit 2db040946ff8340485b2b33fe5a46f3166fa96f6. Change-Id: I8a80a7bd1bd8b1a949fba26b683ac1c9bebc0c04 Signed-off-by: Debarshi Dutta Reviewed-on: https://git-master.nvidia.com/r/1534941 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu --- drivers/gpu/nvgpu/gk20a/channel_gk20a.c | 14 +++++++++++++- drivers/gpu/nvgpu/gk20a/channel_gk20a.h | 3 ++- drivers/gpu/nvgpu/gk20a/gr_gk20a.c | 28 +++++++++++++++++++++++++++- drivers/gpu/nvgpu/gk20a/gr_gk20a.h | 5 ++++- 4 files changed, 46 insertions(+), 4 deletions(-) (limited to 'drivers') diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c index 3065e8403559..947b1dc668bf 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c @@ -3,7 +3,7 @@ * * GK20A Graphics channel * - * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2015, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -2066,6 +2066,18 @@ long gk20a_channel_ioctl(struct file *filp, (struct nvhost_alloc_obj_ctx_args *)buf); gk20a_idle(dev); break; + case NVHOST_IOCTL_CHANNEL_FREE_OBJ_CTX: + err = gk20a_busy(dev); + if (err) { + dev_err(&dev->dev, + "%s: failed to host gk20a for ioctl cmd: 0x%x", + __func__, cmd); + return err; + } + err = gk20a_free_obj_ctx(ch, + (struct nvhost_free_obj_ctx_args *)buf); + gk20a_idle(dev); + break; case NVHOST_IOCTL_CHANNEL_ALLOC_GPFIFO: err = gk20a_busy(dev); if (err) { diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h index 831db0f4986a..547bb064fd63 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h 
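Review bot: The new `NVHOST_IOCTL_CHANNEL_FREE_OBJ_CTX` case hands `(struct nvhost_free_obj_ctx_args *)buf` to `gk20a_free_obj_ctx`, whose body (re-added in gr_gk20a.c by this same revert) never reads `args`, so the cast is the only thing done with the user-supplied argument block; a comment such as `/* args carry no fields this driver consumes */` would stop a reader hunting for the missing validation. The error text `"failed to host gk20a for ioctl cmd: 0x%x"` is copied verbatim from the ALLOC case above, which is acceptable since `cmd` distinguishes them. Note that the first hunk of this file also rolls the copyright year back from 2017 to 2015, which looks like a revert artefact rather than an intended change and recurs in the other three files. The enclosing `gk20a_channel_ioctl` switch begins and ends outside the hunk.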
+++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h @@ -3,7 +3,7 @@ * * GK20A graphics channel * - * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2014, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -98,6 +98,7 @@ struct channel_gk20a { u64 userd_iova; u64 userd_gpu_va; + s32 num_objects; u32 obj_class; /* we support only one obj per channel */ struct priv_cmd_queue priv_cmd_q; diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c index d5a3bbd34a78..9e032e03a153 100644 --- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c @@ -1,7 +1,7 @@ /* * GK20A Graphics * - * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2015, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -2697,6 +2697,7 @@ void gk20a_free_channel_ctx(struct channel_gk20a *c) memset(&c->ch_ctx, 0, sizeof(struct channel_ctx_gk20a)); + c->num_objects = 0; c->first_init = false; } @@ -2847,6 +2848,8 @@ int gk20a_alloc_obj_ctx(struct channel_gk20a *c, c->first_init = true; } + c->num_objects++; + gk20a_dbg_fn("done"); return 0; out: @@ -2858,6 +2861,29 @@ out: return err; } +int gk20a_free_obj_ctx(struct channel_gk20a *c, + struct nvhost_free_obj_ctx_args *args) +{ + unsigned long timeout = gk20a_get_gr_idle_timeout(c->g); + + gk20a_dbg_fn(""); + + if (c->num_objects == 0) + return 0; + + c->num_objects--; + + if (c->num_objects == 0) { + c->first_init = false; + gk20a_disable_channel(c, + !c->has_timedout, + timeout); + gr_gk20a_unmap_channel_patch_ctx(c); + } + + return 0; +} + static void gk20a_remove_gr_support(struct gr_gk20a *gr) { struct gk20a *g = gr->g; 
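Review bot: `s32 num_objects;` is added to `struct channel_gk20a` without a comment, directly above a field that has one, and nothing in the series states what serializes it even though gr_gk20a.c read-modify-writes it from ioctl paths. A line such as `s32 num_objects; /* obj ctxs allocated on this channel; updated by gk20a_alloc/free_obj_ctx */` would at least name the owner. Since the value is only incremented, decremented and compared with zero, `u32` would match the adjacent `obj_class` field; keep `s32` only if a negative value is meaningful somewhere.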
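Review bot: `gk20a_free_obj_ctx` reads and decrements `c->num_objects` with no lock visible in the hunk: the guard is `if (c->num_objects == 0) return 0;` followed by an unconditional `c->num_objects--`, so two concurrent FREE_OBJ_CTX ioctls on the same channel could both observe 1, both decrement, drive the `s32` counter negative, and run `gk20a_disable_channel` and `gr_gk20a_unmap_channel_patch_ctx` twice. Unless the ioctl dispatcher already holds a per-channel lock across this call, the counter update and the tear-down should sit under one lock, and the alloc side's `c->num_objects++` in the previous hunk needs the same guard. `timeout` is computed before the early return and could move below it; `args` is unused, which a `(void)args;` or comment should state.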
diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.h b/drivers/gpu/nvgpu/gk20a/gr_gk20a.h index 526eefb46b6f..2a31aa0b830f 100644 --- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.h +++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.h @@ -1,7 +1,7 @@ /* * GK20A Graphics Engine * - * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2014, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -324,9 +324,12 @@ int gk20a_init_gr_channel(struct channel_gk20a *ch_gk20a); int gr_gk20a_init_ctx_vars(struct gk20a *g, struct gr_gk20a *gr); struct nvhost_alloc_obj_ctx_args; +struct nvhost_free_obj_ctx_args; int gk20a_alloc_obj_ctx(struct channel_gk20a *c, struct nvhost_alloc_obj_ctx_args *args); +int gk20a_free_obj_ctx(struct channel_gk20a *c, + struct nvhost_free_obj_ctx_args *args); void gk20a_free_channel_ctx(struct channel_gk20a *c); int gk20a_gr_isr(struct gk20a *g); -- cgit v1.2.3 From ea1df6ecbe78c63b25a64ee28bb5dce0e31ca736 Mon Sep 17 00:00:00 2001 From: Jay Agarwal Date: Tue, 14 Oct 2014 11:32:07 +0530 Subject: pcie: host: tegra: WAR for RAW violations Some of reads transaction getting before write has completed resulting in RAW violation. This WAR avoids this situation. Bug 1345350 Change-Id: I56728d00326b193be26ccb4fe68787ebd8a2623d Signed-off-by: Jay Agarwal Reviewed-on: http://git-master/r/365301 (cherry picked from commit a706735e3c50a70dfee4a3d11378d3a1872a71d7) Reviewed-on: https://git-master.nvidia.com/r/1595945 Reviewed-by: Vidya Sagar Reviewed-by: Manikanta Maddireddy GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Tested-by: Mantravadi Karthik --- drivers/pci/host/pci-tegra.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) (limited to 'drivers') diff --git a/drivers/pci/host/pci-tegra.c b/drivers/pci/host/pci-tegra.c index 371dc91c4cf5..7c8b714be77d 100644 --- a/drivers/pci/host/pci-tegra.c 
+++ b/drivers/pci/host/pci-tegra.c @@ -178,6 +178,7 @@ #define RP_VEND_XP 0x00000F00 #define RP_VEND_XP_DL_UP (1 << 30) +#define RP_VEND_XP_UPDATE_FC_THRESHOLD (0xFF << 18) #define RP_LINK_CONTROL_STATUS 0x00000090 @@ -191,6 +192,13 @@ #define NV_PCIE2_RP_INTR_BCR 0x0000003C #define NV_PCIE2_RP_INTR_BCR_INTR_LINE (0xFF << 0) +#define NV_PCIE2_RP_PRIV_XP_DL 0x00000494 +#define PCIE2_RP_PRIV_XP_DL_GEN2_UPD_FC_TSHOLD (0x1FF << 1) + +#define NV_PCIE2_RP_RX_HDR_LIMIT 0x00000E00 +#define PCIE2_RP_RX_HDR_LIMIT_PW_MASK (0xFF00) +#define PCIE2_RP_RX_HDR_LIMIT_PW (0x0E << 8) + #define NV_PCIE2_RP_PRIV_MISC 0x00000FE0 #define PCIE2_RP_PRIV_MISC_PRSNT_MAP_EP_PRSNT (0xE << 0) #define PCIE2_RP_PRIV_MISC_PRSNT_MAP_EP_ABSNT (0xF << 0) @@ -1486,6 +1494,19 @@ static void tegra_pcie_apply_sw_war(int index, bool enum_done) data = rp_readl(NV_PCIE2_RP_INTR_BCR, index); data |= NV_PCIE2_RP_INTR_BCR_INTR_LINE; rp_writel(data, NV_PCIE2_RP_INTR_BCR, index); + /* WAR for RAW violation on T124/T132 platforms */ + data = rp_readl(NV_PCIE2_RP_RX_HDR_LIMIT, index); + data &= ~PCIE2_RP_RX_HDR_LIMIT_PW_MASK; + data |= PCIE2_RP_RX_HDR_LIMIT_PW; + rp_writel(data, NV_PCIE2_RP_RX_HDR_LIMIT, index); + + data = rp_readl(NV_PCIE2_RP_PRIV_XP_DL, index); + data |= PCIE2_RP_PRIV_XP_DL_GEN2_UPD_FC_TSHOLD; + rp_writel(data, NV_PCIE2_RP_PRIV_XP_DL, index); + + data = rp_readl(RP_VEND_XP, index); + data |= RP_VEND_XP_UPDATE_FC_THRESHOLD; + rp_writel(data, RP_VEND_XP, index); } } -- cgit v1.2.3 From b210c724aea24160a5fdcec5ee9b8f9c86c8540d Mon Sep 17 00:00:00 2001 From: Konduri Praveen Date: Tue, 1 Aug 2017 17:35:58 +0530 Subject: cryptodev: avoid untrusted user pointers add algo variable for avoid the usage of user space pointers Bug 200286426 Change-Id: I7e208b45ba11348e7b89a429d457ae51ac29bde0 
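Review bot: The new block in `tegra_pcie_apply_sw_war` is commented `WAR for RAW violation on T124/T132 platforms`, but nothing in the hunk conditions it on the chip, so it runs on every port this function is applied to; if the file gates other WARs on a SoC id, this one should sit under the same check, otherwise the comment should say it is applied unconditionally. Style: `PCIE2_RP_RX_HDR_LIMIT_PW_MASK (0xFF00)` breaks the `(value << shift)` convention of the neighbouring masks such as `PCIE2_RP_RX_HDR_LIMIT_PW (0x0E << 8)`; writing it `(0xFF << 8)` makes the field position visible. The enclosing function starts outside the hunk.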
Signed-off-by: Konduri Praveen Reviewed-on: https://git-master.nvidia.com/r/1530560 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Mallikarjun Kasoju Reviewed-by: Bibek Basu Tested-by: Bibek Basu --- drivers/misc/tegra-cryptodev.c | 32 +++++++++++++++++++++++--------- 1 file changed, 23 insertions(+), 9 deletions(-) (limited to 'drivers') diff --git a/drivers/misc/tegra-cryptodev.c b/drivers/misc/tegra-cryptodev.c index 88c9cb217880..d1fa004367b1 100644 --- a/drivers/misc/tegra-cryptodev.c +++ b/drivers/misc/tegra-cryptodev.c @@ -537,6 +537,7 @@ static int tegra_crypto_sha(struct tegra_sha_req *sha_req) struct crypto_ahash *tfm; struct scatterlist sg[1]; char result[64]; + char algo[64]; struct ahash_request *req; struct tegra_crypto_completion sha_complete; void *hash_buff; @@ -548,17 +549,23 @@ static int tegra_crypto_sha(struct tegra_sha_req *sha_req) return -EINVAL; } - tfm = crypto_alloc_ahash(sha_req->algo, 0, 0); + if (strncpy_from_user(algo, sha_req->algo, sizeof(algo)) < 0) { + ret = -EFAULT; + goto out_alloc; + } + algo[sizeof(algo) - 1] = '\0'; + + tfm = crypto_alloc_ahash(algo, 0, 0); if (IS_ERR(tfm)) { pr_err("alg:hash:Failed to load transform for %s:%ld\n", - sha_req->algo, PTR_ERR(tfm)); + algo, PTR_ERR(tfm)); goto out_alloc; } req = ahash_request_alloc(tfm, GFP_KERNEL); if (!req) { pr_err("alg:hash:Failed to allocate request for %s\n", - sha_req->algo); + algo); goto out_noreq; } @@ -574,7 +581,14 @@ static int tegra_crypto_sha(struct tegra_sha_req *sha_req) hash_buff = xbuf[0]; - memcpy(hash_buff, sha_req->plaintext, sha_req->plaintext_sz); + ret = copy_from_user((void *)hash_buff, + (void __user *)sha_req->plaintext, + sha_req->plaintext_sz); + if (ret) { + ret = -EFAULT; + pr_err("%s: copy_from_user failed (%d)\n", __func__, ret); + goto out; + } sg_init_one(&sg[0], hash_buff, sha_req->plaintext_sz); if (sha_req->keylen) { 
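Review bot: `strncpy_from_user(algo, sha_req->algo, sizeof(algo))` returns the number of bytes copied, and when the user string is `sizeof(algo)` bytes or longer it returns `sizeof(algo)` with no terminator; the code then forces `algo[63] = '\0'` and looks up a silently truncated algorithm name instead of rejecting it. Check for truncation: `ret = strncpy_from_user(algo, sha_req->algo, sizeof(algo)); if (ret < 0 || ret >= (int)sizeof(algo)) { ret = -EFAULT; goto out_alloc; }` (use `-EINVAL` for the too-long case if preferred), after which the explicit terminator store is unnecessary. Separately, the pre-existing `goto out_alloc` on `IS_ERR(tfm)` leaves `ret` at its earlier value rather than `PTR_ERR(tfm)`, so that path may report success.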
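Review bot: `copy_from_user(hash_buff, sha_req->plaintext, sha_req->plaintext_sz)` writes a user-chosen number of bytes into `xbuf[0]`, and nothing in the hunk bounds `plaintext_sz` against that buffer's size; the `return -EINVAL` just above the second hunk may be that check, but if it is not, this is a kernel buffer overflow driven directly from the ioctl argument, exactly as the `memcpy` it replaces was. Add, before the copy, `if (sha_req->plaintext_sz > XBUF_LEN) return -EINVAL;` with the real allocation size of `xbuf[0]` in place of the placeholder `XBUF_LEN`, or point to the existing check in a comment so the next reader can find it. The log line prints `ret` after it has been overwritten with `-EFAULT`, so it always shows the same value; logging the uncopied byte count before overwriting `ret` is more useful.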
@@ -583,7 +597,7 @@ static int tegra_crypto_sha(struct tegra_sha_req *sha_req) sha_req->keylen); if (ret) { pr_err("alg:hash:setkey failed on %s:ret=%d\n", - sha_req->algo, ret); + algo, ret); goto out; } @@ -594,21 +608,21 @@ static int tegra_crypto_sha(struct tegra_sha_req *sha_req) ret = sha_async_hash_op(req, &sha_complete, crypto_ahash_init(req)); if (ret) { pr_err("alg: hash: init failed for %s: ret=%d\n", - sha_req->algo, ret); + algo, ret); goto out; } ret = sha_async_hash_op(req, &sha_complete, crypto_ahash_update(req)); if (ret) { pr_err("alg: hash: update failed for %s: ret=%d\n", - sha_req->algo, ret); + algo, ret); goto out; } ret = sha_async_hash_op(req, &sha_complete, crypto_ahash_final(req)); if (ret) { pr_err("alg: hash: final failed for %s: ret=%d\n", - sha_req->algo, ret); + algo, ret); goto out; } @@ -617,7 +631,7 @@ static int tegra_crypto_sha(struct tegra_sha_req *sha_req) if (ret) { ret = -EFAULT; pr_err("alg: hash: copy_to_user failed (%d) for %s\n", - ret, sha_req->algo); + ret, algo); } out: -- cgit v1.2.3 From 0fd9a32f3a6796791b4fe93bfbc05df4d4bf646e Mon Sep 17 00:00:00 2001 From: Gagan Grover Date: Tue, 22 Nov 2016 15:43:19 +0530 Subject: video: tegra: host: use lock to get syncpt name Use sp->syncpt_mutex lock to get syncpt name in syncpt_name_show() Without the lock, it is possible for user to read syncpt name in corrupted state if user read coincides with syncpt free Bug 1838598 Bug 1883567 Change-Id: I69ca5c1d80adaca4b93a337fe4a5debeb78f34fc Reviewed-on: http://git-master/r/1252580 Signed-off-by: Gagan Grover Reviewed-on: http://git-master/r/1258020 (cherry picked from commit 9a7d12e49ca6c627dff2dc4c15fa9ba153e9265d in rel-24) Reviewed-on: https://git-master.nvidia.com/r/1513005 
Signed-off-by: Debarshi Dutta Reviewed-on: https://git-master.nvidia.com/r/1650064 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu --- drivers/video/tegra/host/nvhost_syncpt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'drivers') diff --git a/drivers/video/tegra/host/nvhost_syncpt.c b/drivers/video/tegra/host/nvhost_syncpt.c index b0af8a143bd2..4d431cc14890 100644 --- a/drivers/video/tegra/host/nvhost_syncpt.c +++ b/drivers/video/tegra/host/nvhost_syncpt.c @@ -3,7 +3,7 @@ * * Tegra Graphics Host Syncpoints * - * Copyright (c) 2010-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2010-2018, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -650,13 +650,18 @@ static ssize_t syncpt_name_show(struct kobject *kobj, { struct nvhost_syncpt_attr *syncpt_attr = container_of(attr, struct nvhost_syncpt_attr, attr); + ssize_t count = 0; if (syncpt_attr->id < 0) return snprintf(buf, PAGE_SIZE, "\n"); - return snprintf(buf, PAGE_SIZE, "%s\n", + mutex_lock(&syncpt_attr->host->syncpt.syncpt_mutex); + count = snprintf(buf, PAGE_SIZE, "%s\n", nvhost_syncpt_get_name(syncpt_attr->host->dev, syncpt_attr->id)); + mutex_unlock(&syncpt_attr->host->syncpt.syncpt_mutex); + + return count; } static ssize_t syncpt_min_show(struct kobject *kobj, -- cgit v1.2.3 From 370b9f7a1dad9ccb7198bb0ffd30a8e7df112ab2 Mon Sep 17 00:00:00 2001 From: Srikar Srimath Tirumala Date: Tue, 12 Sep 2017 12:27:13 -0700 Subject: thermal: add boundary check to set_cur_state Prevent sysfs from setting a cur_state that exceeds the max cur_state of the cooling device. Bug 200334223 Bug 200331706 Bug 1968660 Bug 1968616 Change-Id: I935be6166a9e184683abfcdce70cb08cbe4a1350 
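Review bot: Style: `ssize_t count = 0;` is a dead initialization, since `count` is assigned unconditionally by the `snprintf` before it is read; `ssize_t count;` is enough. The lock now covers the name lookup, which is the point of the change, but the `syncpt_attr->id < 0` test stays outside it; that is fine only if `id` is immutable after the attribute is created, which the hunk does not show, so a one-line comment stating it would help. The opening of `syncpt_name_show` is outside the hunk.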
Signed-off-by: Srikar Srimath Tirumala Reviewed-on: https://git-master.nvidia.com/r/1558407 (cherry picked from commit 142cf9d96ed221124ea2b778dc37cf5db8d5702c) Reviewed-on: https://git-master.nvidia.com/r/1661413 Reviewed-on: https://git-master.nvidia.com/r/1662626 GVS: Gerrit_Virtual_Submit Tested-by: Amulya Yarlagadda Reviewed-by: Winnie Hsu --- drivers/thermal/thermal_core.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'drivers') diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c index ffb4b9c41a40..68e6e09fdb37 100644 --- a/drivers/thermal/thermal_core.c +++ b/drivers/thermal/thermal_core.c @@ -944,8 +944,8 @@ thermal_cooling_device_cur_state_store(struct device *dev, const char *buf, size_t count) { struct thermal_cooling_device *cdev = to_cooling_device(dev); - unsigned long state; - int result; + unsigned long state, max_state; + int result, ret; if (!sscanf(buf, "%ld\n", &state)) return -EINVAL; @@ -953,6 +953,13 @@ thermal_cooling_device_cur_state_store(struct device *dev, if ((long)state < 0) return -EINVAL; + ret = cdev->ops->get_max_state(cdev, &max_state); + if (ret) + return ret; + + if (state > max_state) + return -EINVAL; + result = cdev->ops->set_cur_state(cdev, state); if (result) return result; -- cgit v1.2.3 From 9d09b31470a2714817375f86d9e56ffb1b617739 Mon Sep 17 00:00:00 2001 From: Debarshi Dutta Date: Fri, 9 Mar 2018 12:41:55 +0530 Subject: gpu: nvgpu: Validate buffer_offset argument Validate the mapping_size argument in the VM mapping IOCTL before attempting to use the argument for anything. Manual Cherry pick - https://git-master.nvidia.com/r/1547046 Bug 1954931 Bug 1965443 Change-Id: I81b22dc566c6c6f89e5e62604ce996376b33a343 Signed-off-by: Alex Waterman Reviewed-on: https://git-master.nvidia.com/r/1547046 
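Review bot: The new code introduces a second status variable `ret` alongside the existing `result`, both `int` and both used for the same purpose; reusing `result` for the `get_max_state` call keeps one name per function. While here, the pre-existing `sscanf(buf, "%ld\n", &state)` parses a signed long into an `unsigned long`, which is why the `(long)state < 0` cast exists; `if (kstrtoul(buf, 10, &state)) return -EINVAL;` rejects negative input on its own, removes the cast, and the new `state > max_state` check then completes the range validation. `get_max_state` is treated as always present in the ops, which matches cooling-device registration as I recall it but is worth confirming for this tree.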
Signed-off-by: Debarshi Dutta (cherry picked from commit e68391690cfcc23b77c68aec3f9605badea226ed in dev-kernel) Reviewed-on: https://git-master.nvidia.com/r/1671883 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu --- drivers/gpu/nvgpu/gk20a/mm_gk20a.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'drivers') diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c index 2a5bd760f82d..59dc3656f486 100644 --- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c @@ -1330,6 +1330,12 @@ u64 gk20a_vm_map(struct vm_gk20a *vm, bfr.pgsz_idx = -1; mapping_size = mapping_size ? mapping_size : bfr.size; + if ((mapping_size > bfr.size) || + (buffer_offset > (bfr.size - mapping_size))) { + err = -EINVAL; + goto clean_up; + } + /* If FIX_OFFSET is set, pgsz is determined. Otherwise, select * page size according to memory alignment */ if (flags & NVHOST_AS_MAP_BUFFER_FLAGS_FIXED_OFFSET) { -- cgit v1.2.3 From 1357daf84c6e99b32c50ed39a524871d003d1886 Mon Sep 17 00:00:00 2001 From: David Pu Date: Tue, 26 Jan 2016 11:21:06 -0800 Subject: video: tegra: sor: set drive current for lane4 drive current for LANE4 was not set if configured as 24bpp lvds out. fix it by programming proper drive current register if using 24bpp out. Bug 1724122 Change-Id: Ie2ad71ace0b4f247e007e671be828230545b15f6 Signed-off-by: David Pu Reviewed-on: https://git-master.nvidia.com/r/1544691 Reviewed-by: Automatic_Commit_Validation_User Tested-by: Wayne Wang (SW-TEGRA) GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu --- drivers/video/tegra/dc/sor.c | 6 +++++- drivers/video/tegra/dc/sor_regs.h | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) (limited to 'drivers') diff --git a/drivers/video/tegra/dc/sor.c b/drivers/video/tegra/dc/sor.c index e5fe66be55d0..f4992eced400 100644 --- a/drivers/video/tegra/dc/sor.c +++ b/drivers/video/tegra/dc/sor.c 
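Review bot: The new check is written as `buffer_offset > (bfr.size - mapping_size)` rather than `buffer_offset + mapping_size > bfr.size`, which is the correct form because both operands are caller-supplied u64 values and the addition could wrap, but that reasoning is invisible in the code; add above the `if`: `/* both values come from userspace: compare by subtraction so offset + size cannot wrap u64 */`. It is also worth noting in the comment that `mapping_size == 0` has just been widened to `bfr.size`, so in that case only `buffer_offset == 0` passes, which appears to be the intent. `gk20a_vm_map` begins and continues outside the hunk.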
@@ -1,7 +1,7 @@ /* * drivers/video/tegra/dc/sor.c * - * Copyright (c) 2011-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. * * This software is licensed under the terms of the GNU General Public * License version 2, as published by the Free Software Foundation, and @@ -186,6 +186,7 @@ static int dbg_sor_show(struct seq_file *s, void *unused) DUMP_REG(NV_SOR_DC(0)); DUMP_REG(NV_SOR_DC(1)); DUMP_REG(NV_SOR_LANE_DRIVE_CURRENT(0)); + DUMP_REG(NV_SOR_LANE4_DRIVE_CURRENT(0)); DUMP_REG(NV_SOR_PR(0)); DUMP_REG(NV_SOR_LANE4_PREEMPHASIS(0)); DUMP_REG(NV_SOR_POSTCURSOR(0)); @@ -1230,6 +1231,9 @@ void tegra_dc_sor_enable_lvds(struct tegra_dc_sor_data *sor, tegra_sor_writel(sor, NV_SOR_LVDS, reg_val); tegra_sor_writel(sor, NV_SOR_LANE_DRIVE_CURRENT(sor->portnum), 0x40404040); + if (!conforming && (sor->dc->pdata->default_out->depth == 24)) + tegra_sor_writel(sor, NV_SOR_LANE4_DRIVE_CURRENT(sor->portnum), + 0x40); #if 0 tegra_sor_write_field(sor, NV_SOR_LVDS, diff --git a/drivers/video/tegra/dc/sor_regs.h b/drivers/video/tegra/dc/sor_regs.h index cbf4b94c1664..8080e2925d82 100644 --- a/drivers/video/tegra/dc/sor_regs.h +++ b/drivers/video/tegra/dc/sor_regs.h @@ -1,7 +1,7 @@ /* * drivers/video/tegra/dc/sor_regs.h * - * Copyright (c) 2011-2013, NVIDIA CORPORATION, All rights reserved. + * Copyright (c) 2011-2017, NVIDIA CORPORATION, All rights reserved. * * This software is licensed under the terms of the GNU General Public * License version 2, as published by the Free Software Foundation, and @@ -611,6 +611,7 @@ #define NV_SOR_DC_LANE0_DP_LANE2_P1_LEVEL2 (43) #define NV_SOR_DC_LANE0_DP_LANE2_P0_LEVEL3 (51) #define NV_SOR_LANE_DRIVE_CURRENT(i) (0x4e + (i)) +#define NV_SOR_LANE4_DRIVE_CURRENT(i) (0x50 + (i)) #define NV_SOR_PR(i) (0x52 + (i)) #define NV_SOR_PR_LANE3_DP_LANE3_SHIFT (24) #define NV_SOR_PR_LANE3_DP_LANE3_MASK (0xff << 24) -- cgit v1.2.3 
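Review bot: The new write `tegra_sor_writel(sor, NV_SOR_LANE4_DRIVE_CURRENT(sor->portnum), 0x40)` repeats the magic drive-current level that the preceding line writes as `0x40404040`, with no name for either; a `#define` such as `NV_SOR_LVDS_DRIVE_CURRENT_LEVEL 0x40` beside the register definitions in sor_regs.h, used in both writes, would tie the lane-4 value to the per-lane value it is meant to match. The condition dereferences `sor->dc->pdata->default_out->depth` unguarded; if every caller of `tegra_dc_sor_enable_lvds` guarantees that chain is populated, a comment saying so is enough. `conforming` is a parameter of the enclosing function, which starts outside the hunk.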
From 7b67aa2c06e6906c6c190aabb1fa9722fd3cfb36 Mon Sep 17 00:00:00 2001 From: Mallikarjun Kasoju Date: Fri, 16 Mar 2018 15:40:06 +0530 Subject: tegra-cryptodev:Avoid untrusted usrptr dereference In RSA operations use copy_from_user to get key data into local buffer before using it. This will avoid untrusted user pointer dereference. Coverity ID 24040 Bug 200192571 Bug 1932494 Change-Id: I9c8f3fd7cfc18121d9c2179127dfb28202f38cdb Signed-off-by: Mallikarjun Kasoju Reviewed-on: https://git-master.nvidia.com/r/1676570 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu --- drivers/misc/tegra-cryptodev.c | 32 +++++++++++++++++++++++++++++--- 1 file changed, 29 insertions(+), 3 deletions(-) (limited to 'drivers') diff --git a/drivers/misc/tegra-cryptodev.c b/drivers/misc/tegra-cryptodev.c index d1fa004367b1..4dc6ca63226d 100644 --- a/drivers/misc/tegra-cryptodev.c +++ b/drivers/misc/tegra-cryptodev.c @@ -425,6 +425,33 @@ static int tegra_crypt_rsa(struct tegra_crypto_ctx *ctx, int ret = 0; unsigned long *xbuf[XBUFSIZE]; struct tegra_crypto_completion rsa_complete; + unsigned int total_key_len; + char *key_mem; + + if ((((rsa_req->keylen >> 16) & 0xFFFF) > + MAX_RSA_MSG_LEN) || + ((rsa_req->keylen & 0xFFFF) > + MAX_RSA_MSG_LEN)) { + pr_err("Invalid rsa key length\n"); + return -EINVAL; + } + + total_key_len = (((rsa_req->keylen >> 16) & 0xFFFF) + + (rsa_req->keylen & 0xFFFF)); + + key_mem = kzalloc(total_key_len, GFP_KERNEL); + if (!key_mem) + return -ENOMEM; + + ret = copy_from_user(key_mem, (void __user *)rsa_req->key, + total_key_len); + if (ret) { + pr_err("%s: copy_from_user fail(%d)\n", __func__, ret); + kfree(key_mem); + return -EINVAL; + } + + rsa_req->key = key_mem; switch (rsa_req->algo) { case TEGRA_RSA512: 
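Review bot: The new `copy_from_user` failure path returns `-EINVAL`, whereas the SHA path in the same file (and kernel convention) returns `-EFAULT` for an unreadable user buffer; use `return -EFAULT;` there so callers can tell a bad pointer from a bad length. The length check bounds each 16-bit half of `rsa_req->keylen` by `MAX_RSA_MSG_LEN` but allows both to be zero, so `total_key_len` can be 0 and `kzalloc(0)` returns the non-NULL `ZERO_SIZE_PTR`, which then flows into `rsa_req->key` and later into `kzalloc(rsa_req->keylen >> 16, ...)`; add `if (!total_key_len) return -EINVAL;` after computing it, or require both halves non-zero if the operation needs both a modulus and an exponent. Overwriting `rsa_req->key` with the kernel copy is safe only because the caller passes a kernel-resident copy of the request, which the `&rsa_req` in the later cryptodev hunk suggests it does.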
@@ -475,10 +502,8 @@ static int tegra_crypt_rsa(struct tegra_crypto_ctx *ctx, init_completion(&rsa_complete.restart); result = kzalloc(rsa_req->keylen >> 16, GFP_KERNEL); - if (!result) { - pr_err("\nresult alloc fail\n"); + if (!result) goto result_fail; - } hash_buff = xbuf[0]; @@ -528,6 +553,7 @@ result_fail: buf_fail: ahash_request_free(req); req_fail: + kfree(key_mem); return ret; } -- cgit v1.2.3 From 763ada650d0d24dde8d4ec90f665f16c8d7edab7 Mon Sep 17 00:00:00 2001 From: Alex Waterman Date: Thu, 13 Oct 2016 10:03:59 -0700 Subject: gpu: nvgpu: Add ref counting to channels Make sure that the VM owned by a channel lives for at least as long as that channel does. If the channel's VM is cleaned up before the channel then use-after-free bugs can occur. Bug: 31680980 NvBug 1825464 Bug: 1885921 Change-Id: I0711781492a764b643c2ed1da1b3ba87fda72744 Signed-off-by: Alex Waterman Reviewed-on: https://git-psac.nvidia.com/r/#/c/9261 Signed-off-by: Debarshi Dutta (cherry picked from commit e205f2720fcee61886e7979e9588602d691507ea) Reviewed-on: https://git-master.nvidia.com/r/1681801 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu --- drivers/gpu/nvgpu/gk20a/channel_gk20a.c | 5 +++-- drivers/gpu/nvgpu/gk20a/mm_gk20a.c | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'drivers') diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c index 947b1dc668bf..0a48f6a551ae 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c @@ -669,7 +669,7 @@ void gk20a_free_channel(struct channel_gk20a *ch, bool finish) memset(&ch->ramfc, 0, sizeof(struct mem_desc_sub)); /* free gpfifo */ - if (ch->gpfifo.gpu_va) + if (ch->vm && ch->gpfifo.gpu_va) gk20a_gmmu_unmap(ch_vm, ch->gpfifo.gpu_va, ch->gpfifo.size, gk20a_mem_flag_none); if (ch->gpfifo.cpu_va) 
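Review bot: `kfree(key_mem)` at `req_fail:` releases a buffer that holds a freshly copied RSA key, so the key bytes remain in freed slab memory until that memory is reused; `kzfree(key_mem);` (present in kernels of this vintage) clears it first and costs nothing on this path. The label is only reached by paths that fall through to it: any `return` between the `kzalloc` in the first hunk and `req_fail` — the `switch (rsa_req->algo)` default case, outside the hunk, is the obvious candidate — leaks `key_mem`, so such paths should set `ret` and `goto req_fail`. Dropping the `pr_err` on the `result` allocation failure is fine, since a GFP_KERNEL allocation failure typically warns by itself.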
@@ -698,8 +698,9 @@ unbind: channel_gk20a_unbind(ch); channel_gk20a_free_inst(g, ch); - ch->vpr = false; + gk20a_vm_put(ch->vm); /* Don't use VM after this. */ ch->vm = NULL; + ch->vpr = false; WARN_ON(ch->sync); /* unlink all debug sessions */ diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c index 59dc3656f486..5a828d394bfc 100644 --- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c @@ -2427,6 +2427,7 @@ int gk20a_vm_bind_channel(struct gk20a_as_share *as_share, gk20a_dbg_fn(""); + gk20a_vm_get(vm); ch->vm = vm; err = channel_gk20a_commit_va(ch); if (err) -- cgit v1.2.3 From 92779c767e5e7c750cdea0c392e3f31befc37921 Mon Sep 17 00:00:00 2001 From: Jeetesh Burman Date: Wed, 14 Feb 2018 16:18:40 +0530 Subject: drivers: speculative load before bound-check Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem, insert speculation barrier. Bug 1964290 CVE-2017-5753 Change-Id: I7382dbcc6e9f352fafd457301beafe753925f3c4 Signed-off-by: Hien Goi Signed-off-by: James Huang Reviewed-on: https://git-master.nvidia.com/r/1650791 Signed-off-by: Jeetesh Burman (cherry picked from commit 5cabd53985a30aa818896abdb64564a74c09ab9c) Reviewed-on: https://git-master.nvidia.com/r/1660772 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu --- drivers/media/i2c/ad9389b.c | 4 ++++ drivers/media/i2c/adv7604.c | 4 ++++ drivers/media/i2c/ov7670.c | 4 ++++ drivers/media/i2c/ov9650.c | 3 +++ drivers/media/i2c/s5c73m3/s5c73m3-core.c | 7 +++++++ drivers/media/i2c/s5k6aa.c | 3 +++ drivers/media/v4l2-core/videobuf2-core.c | 3 +++ 7 files changed, 28 insertions(+) (limited to 'drivers') diff --git a/drivers/media/i2c/ad9389b.c b/drivers/media/i2c/ad9389b.c index 58344b6c3a55..436b9fd4775e 100644 --- a/drivers/media/i2c/ad9389b.c +++ b/drivers/media/i2c/ad9389b.c 
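Review bot: `gk20a_vm_put(ch->vm)` is called unconditionally, yet the first hunk of this file adds `ch->vm &&` to the gpfifo unmap above, which says `ch->vm` can be NULL when a channel is freed before it was ever bound; unless `gk20a_vm_put` tolerates NULL, this is a NULL dereference on that path. Guard it: `if (ch->vm) gk20a_vm_put(ch->vm); /* Don't use VM after this. */`. Moving `ch->vpr = false;` is unrelated to the fix and could stay where it was to keep the diff minimal.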
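Review bot: `gk20a_vm_get(vm)` is taken before `channel_gk20a_commit_va(ch)`, but the `if (err)` branch that follows is outside the hunk; if it returns without dropping the reference, every failed bind leaks one VM refcount (channel teardown puts only one, and `ch->vm` is already set). Either release it on the error path, `gk20a_vm_put(vm); ch->vm = NULL;`, or add a comment stating that the reference is deliberately kept and released by `gk20a_free_channel`. Hedged because the error branch is not visible here.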
@@ -36,6 +36,7 @@ #include #include #include +#include static int debug; module_param(debug, int, 0644); @@ -627,6 +628,9 @@ static int ad9389b_get_edid(struct v4l2_subdev *sd, struct v4l2_subdev_edid *edi } if (edid->start_block >= state->edid.segments * 2) return -E2BIG; + + speculation_barrier(); + if (edid->blocks + edid->start_block >= state->edid.segments * 2) edid->blocks = state->edid.segments * 2 - edid->start_block; memcpy(edid->edid, &state->edid.data[edid->start_block * 128], diff --git a/drivers/media/i2c/adv7604.c b/drivers/media/i2c/adv7604.c index 31a63c9324fe..84202010d7d8 100644 --- a/drivers/media/i2c/adv7604.c +++ b/drivers/media/i2c/adv7604.c @@ -40,6 +40,7 @@ #include #include #include +#include static int debug; module_param(debug, int, 0644); @@ -1593,6 +1594,9 @@ static int adv7604_get_edid(struct v4l2_subdev *sd, struct v4l2_subdev_edid *edi return -EINVAL; if (edid->start_block >= state->edid_blocks) return -EINVAL; + + speculation_barrier(); + if (edid->start_block + edid->blocks > state->edid_blocks) edid->blocks = state->edid_blocks - edid->start_block; if (!edid->edid) diff --git a/drivers/media/i2c/ov7670.c b/drivers/media/i2c/ov7670.c index 617ad3fff4aa..7124145a210b 100644 --- a/drivers/media/i2c/ov7670.c +++ b/drivers/media/i2c/ov7670.c @@ -21,6 +21,7 @@ #include #include #include +#include MODULE_AUTHOR("Jonathan Corbet "); MODULE_DESCRIPTION("A low-level driver for OmniVision ov7670 sensors"); @@ -1087,6 +1088,9 @@ static int ov7670_enum_frameintervals(struct v4l2_subdev *sd, { if (interval->index >= ARRAY_SIZE(ov7670_frame_rates)) return -EINVAL; + + speculation_barrier(); + interval->type = V4L2_FRMIVAL_TYPE_DISCRETE; interval->discrete.numerator = 1; interval->discrete.denominator = ov7670_frame_rates[interval->index]; diff --git a/drivers/media/i2c/ov9650.c b/drivers/media/i2c/ov9650.c index 1dbb8118a285..47902efae8d4 100644 --- a/drivers/media/i2c/ov9650.c +++ b/drivers/media/i2c/ov9650.c 
@@ -30,6 +30,7 @@ #include #include #include +#include static int debug; module_param(debug, int, 0644); @@ -1086,6 +1087,8 @@ static int ov965x_enum_frame_sizes(struct v4l2_subdev *sd, if (fse->index > ARRAY_SIZE(ov965x_framesizes)) return -EINVAL; + speculation_barrier(); + while (--i) if (fse->code == ov965x_formats[i].code) break; diff --git a/drivers/media/i2c/s5c73m3/s5c73m3-core.c b/drivers/media/i2c/s5c73m3/s5c73m3-core.c index 9eac5310942f..a7078441e1e1 100644 --- a/drivers/media/i2c/s5c73m3/s5c73m3-core.c +++ b/drivers/media/i2c/s5c73m3/s5c73m3-core.c @@ -33,6 +33,7 @@ #include #include #include +#include #include "s5c73m3.h" @@ -959,6 +960,8 @@ static int s5c73m3_oif_enum_frame_interval(struct v4l2_subdev *sd, if (fie->index >= ARRAY_SIZE(s5c73m3_intervals)) return -EINVAL; + speculation_barrier(); + mutex_lock(&state->lock); fi = &s5c73m3_intervals[fie->index]; if (fie->width > fi->size.width || fie->height > fi->size.height) @@ -1228,6 +1231,8 @@ static int s5c73m3_enum_frame_size(struct v4l2_subdev *sd, if (fse->index >= s5c73m3_resolutions_len[idx]) return -EINVAL; + speculation_barrier(); + fse->min_width = s5c73m3_resolutions[idx][fse->index].width; fse->max_width = fse->min_width; fse->max_height = s5c73m3_resolutions[idx][fse->index].height; @@ -1272,6 +1277,8 @@ static int s5c73m3_oif_enum_frame_size(struct v4l2_subdev *sd, if (fse->index >= s5c73m3_resolutions_len[idx]) return -EINVAL; + speculation_barrier(); + fse->min_width = s5c73m3_resolutions[idx][fse->index].width; fse->max_width = fse->min_width; fse->max_height = s5c73m3_resolutions[idx][fse->index].height; diff --git a/drivers/media/i2c/s5k6aa.c b/drivers/media/i2c/s5k6aa.c index bdf5e3db31d1..aff91c3bcfde 100644 --- a/drivers/media/i2c/s5k6aa.c +++ b/drivers/media/i2c/s5k6aa.c @@ -29,6 +29,7 @@ #include #include #include +#include static int debug; module_param(debug, int, 0644); 
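Review bot: The bound check the barrier protects is off by one: `if (fse->index > ARRAY_SIZE(ov965x_framesizes))` lets `index == ARRAY_SIZE` through, so the barrier is placed after a check that already admits one architecturally out-of-bounds index. It should read `if (fse->index >= ARRAY_SIZE(ov965x_framesizes))`; the s5k6aa hunk below, `if (fie->index > ARRAY_SIZE(s5k6aa_intervals))`, has the same defect and needs the same `>=`. The rest of `ov965x_enum_frame_sizes`, where the index is consumed, lies outside the hunk.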
@@ -1006,6 +1007,8 @@ static int s5k6aa_enum_frame_interval(struct v4l2_subdev *sd, if (fie->index > ARRAY_SIZE(s5k6aa_intervals)) return -EINVAL; + speculation_barrier(); + v4l_bound_align_image(&fie->width, S5K6AA_WIN_WIDTH_MIN, S5K6AA_WIN_WIDTH_MAX, 1, &fie->height, S5K6AA_WIN_HEIGHT_MIN, diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c index e3bdc3be91e1..60ba606afc56 100644 --- a/drivers/media/v4l2-core/videobuf2-core.c +++ b/drivers/media/v4l2-core/videobuf2-core.c @@ -23,6 +23,7 @@ #include #include #include +#include static int debug; module_param(debug, int, 0644); @@ -1800,6 +1801,8 @@ int vb2_expbuf(struct vb2_queue *q, struct v4l2_exportbuffer *eb) return -EINVAL; } + speculation_barrier(); + vb = q->bufs[eb->index]; if (eb->plane >= vb->num_planes) { -- cgit v1.2.3 From 5fea92e18248d450c16c897f95d295e8ecdea000 Mon Sep 17 00:00:00 2001 From: Jeetesh Burman Date: Thu, 15 Feb 2018 13:00:39 +0530 Subject: cryptodev: prevent speculative load related leak Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem, insert speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: Id85eb9c91932f358dd999b28dd53d7788b37ea04 Signed-off-by: David Gilhooley Reviewed-on: https://git-master.nvidia.com/r/1640356 Signed-off-by: James Huang Reviewed-on: https://git-master.nvidia.com/r/1650014 Signed-off-by: Jeetesh Burman (cherry picked from commit 25bd9436b11f41e23048c9515deae97900a46669) Reviewed-on: https://git-master.nvidia.com/r/1660780 Reviewed-by: Winnie Hsu Tested-by: Winnie Hsu --- drivers/misc/tegra-cryptodev.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'drivers') diff --git a/drivers/misc/tegra-cryptodev.c b/drivers/misc/tegra-cryptodev.c index 4dc6ca63226d..2c0d3918100d 100644 --- a/drivers/misc/tegra-cryptodev.c +++ b/drivers/misc/tegra-cryptodev.c 
@@ -33,6 +33,7 @@ #include #include #include +#include #include "tegra-cryptodev.h" @@ -282,6 +283,8 @@ static int process_crypt_req(struct tegra_crypto_ctx *ctx, struct tegra_crypt_re const u8 *key = NULL; struct tegra_crypto_completion tcrypt_complete; + speculation_barrier(); + if (crypt_req->op & TEGRA_CRYPTO_ECB) { req = ablkcipher_request_alloc(ctx->ecb_tfm, GFP_KERNEL); tfm = ctx->ecb_tfm; @@ -930,6 +933,9 @@ rng_out: rsa_req.algo); return -EINVAL; } + + speculation_barrier(); + ret = tegra_crypt_rsa(ctx, &rsa_req); break; -- cgit v1.2.3 From 68bd404adda3b13e3a5a465696ec85647f08dbdf Mon Sep 17 00:00:00 2001 From: Jeetesh Burman Date: Thu, 15 Feb 2018 14:07:39 +0530 Subject: v4l2: prevent speculative load bug 2039126 Change-Id: Id1908c3058c9ecc0dfb4f2d85440a8d36db45db5 Signed-off-by: David Gilhooley Signed-off-by: James Huang Reviewed-on: https://git-master.nvidia.com/r/1650029 Signed-off-by: Jeetesh Burman (cherry picked from commit 7a0213eca150614fe88d197a09d461fff6168652) Reviewed-on: https://git-master.nvidia.com/r/1660781 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu --- drivers/media/v4l2-core/v4l2-ioctl.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers') diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c index 7658586fe5f4..80bef0e66683 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c @@ -28,6 +28,7 @@ #include #include #include +#include /* Zero out the end of the struct pointed to by p. Everything after, but * not including, the specified field is cleared. */ @@ -2119,6 +2120,7 @@ bool v4l2_is_known_ioctl(unsigned int cmd) { if (_IOC_NR(cmd) >= V4L2_IOCTLS) return false; + speculation_barrier(); return v4l2_ioctls[_IOC_NR(cmd)].ioctl == cmd; } 
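Review bot: In `process_crypt_req` the `speculation_barrier()` is placed at the top of the function, before any comparison on `crypt_req`, so there is no bounds check on the architectural path for it to fence; a barrier only helps when it follows the check whose outcome speculation could ignore. If the intended check is an index validation in the caller, which is not visible here, the barrier belongs directly after that check; if it is the `crypt_req->op` flag tests that follow, those are not array-index checks and the barrier does nothing for them. Either move it or add a comment naming the check it fences. The RSA hunk in this file is placed correctly, immediately after the `rsa_req.algo` range check.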
@@ -2128,6 +2130,7 @@ struct mutex *v4l2_ioctl_get_lock(struct video_device *vdev, unsigned cmd) return vdev->lock; if (test_bit(_IOC_NR(cmd), vdev->disable_locking)) return NULL; + speculation_barrier(); if (vdev->queue && vdev->queue->lock && (v4l2_ioctls[_IOC_NR(cmd)].flags & INFO_FL_QUEUE)) return vdev->queue->lock; -- cgit v1.2.3 From ff6dbd5dff104b4d6d4aeeeafe90493e377474e2 Mon Sep 17 00:00:00 2001 From: Gagan Grover Date: Fri, 25 Nov 2016 17:58:44 +0530 Subject: staging: ion: Fix ION subsystem privilege vulnerability A malicious application can take advantage of the ION kmalloc heap to create a specific memory chunk size to exercise a rowhammer attack on the physical hardware. The fix is designed to disable ION heap type. CVE-2016-6728: A-30400942 Bug 1823317 Change-Id: I6b6d891a85da0c175f88cc1a3e48875796db80d4 Signed-off-by: Gagan Grover Reviewed-on: https://git-master.nvidia.com/r/1690291 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Tested-by: Amulya Yarlagadda Reviewed-by: Winnie Hsu --- drivers/staging/android/ion/ion_heap.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'drivers') diff --git a/drivers/staging/android/ion/ion_heap.c b/drivers/staging/android/ion/ion_heap.c index 551fe2e0bc2d..ec1fb7913f4c 100644 --- a/drivers/staging/android/ion/ion_heap.c +++ b/drivers/staging/android/ion/ion_heap.c @@ -269,6 +269,8 @@ static int ion_heap_shrink(struct shrinker *shrinker, struct shrink_control *sc) { struct ion_heap *heap = container_of(shrinker, struct ion_heap, shrinker); + if (IS_ERR_OR_NULL(heap)) + return -EINVAL; int total = 0; int freed = 0; int to_scan = sc->nr_to_scan; 
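Review bot: In v4l2_ioctl_get_lock the barrier lands after `test_bit(_IOC_NR(cmd), vdev->disable_locking)`, which already indexes a bitmap with the same `_IOC_NR(cmd)` value; the range check guarding that index is above the hunk (the first context line, `return vdev->lock;`, looks like its failure branch), so the test_bit read still sits between the check and the barrier. Move `speculation_barrier();` to directly after the `return vdev->lock;` line so both indexed reads are covered. The function begins outside the hunk.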
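Review bot: The added `if (IS_ERR_OR_NULL(heap)) return -EINVAL;` in ion_heap_shrink sits between declarations, ahead of `int total = 0;`, which the kernel build flags as a declaration after statement. It also cannot trigger: `heap` is `container_of(shrinker, struct ion_heap, shrinker)` on the shrinker the core just invoked, so it is neither NULL nor an ERR_PTR, and a negative errno is, as far as I can tell, not a value the shrinker interface expects from this callback. Drop the check, or if a defensive guard is wanted, place it after the declarations and return 0. ion_heap_shrink continues past the hunk.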
@@ -309,8 +311,9 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
 switch (heap_data->type) {
 case ION_HEAP_TYPE_SYSTEM_CONTIG:
- heap = ion_system_contig_heap_create(heap_data);
- break;
+ pr_err("%s: Heap type is disabled: %d\n", __func__,
+ heap_data->type);
+ return ERR_PTR(-EINVAL);
 case ION_HEAP_TYPE_SYSTEM:
 heap = ion_system_heap_create(heap_data);
 break;
@@ -343,12 +346,13 @@ struct ion_heap *ion_heap_create(struct ion_platform_heap *heap_data)
 void ion_heap_destroy(struct ion_heap *heap)
 {
- if (!heap)
+ if (IS_ERR_OR_NULL(heap))
 return;
 switch (heap->type) {
 case ION_HEAP_TYPE_SYSTEM_CONTIG:
- ion_system_contig_heap_destroy(heap);
+ pr_err("%s: Heap type is disabled: %d\n", __func__,
+ heap->type);
 break;
 case ION_HEAP_TYPE_SYSTEM:
 ion_system_heap_destroy(heap);
-- cgit v1.2.3 From 0a84f61d56be62df02267668dc60a8220bf15472 Mon Sep 17 00:00:00 2001
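Review bot: Nothing in the code says why ION_HEAP_TYPE_SYSTEM_CONTIG is now refused in ion_heap_create; a later reader sees an error return for a heap type that still has create/destroy helpers elsewhere in the tree and may simply re-enable it. Put the reason at the case itself, e.g. `/* Deliberately disabled: kmalloc-backed contiguous allocations of user-chosen size are not safe here, see CVE-2016-6728. */`. Since ion_heap_create can no longer hand out such a heap, the matching case in ion_heap_destroy is unreachable in practice and could be a `WARN_ON_ONCE` rather than a plain pr_err, which would surface any other creation path. Both functions extend beyond the hunks.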
From: Calvin Owens Date: Fri, 30 Oct 2015 16:57:00 -0700 Subject: sg: Fix double-free when drives detach during SG_IO In sg_common_write(), we free the block request and return -ENODEV if the device is detached in the middle of the SG_IO ioctl(). Unfortunately, sg_finish_rem_req() also tries to free srp->rq, so we end up freeing rq->cmd in the already free rq object, and then free the object itself out from under the current user. This ends up corrupting random memory via the list_head on the rq object. The most common crash trace I saw is this: ------------[ cut here ]------------ kernel BUG at block/blk-core.c:1420! Call Trace: [] blk_put_request+0x5b/0x80 [] sg_finish_rem_req+0x6b/0x120 [sg] [] sg_common_write.isra.14+0x459/0x5a0 [sg] [] ? selinux_file_alloc_security+0x48/0x70 [] sg_new_write.isra.17+0x195/0x2d0 [sg] [] sg_ioctl+0x644/0xdb0 [sg] [] do_vfs_ioctl+0x90/0x520 [] ? file_has_perm+0x97/0xb0 [] SyS_ioctl+0x91/0xb0 [] tracesys+0xdd/0xe2 RIP [] __blk_put_request+0x154/0x1a0 The solution is straightforward: just set srp->rq to NULL in the failure branch so that sg_finish_rem_req() doesn't attempt to re-free it. Additionally, since sg_rq_end_io() will never be called on the object when this happens, we need to free memory backing ->cmd if it isn't embedded in the object itself. KASAN was extremely helpful in finding the root cause of this bug. Bug 1823317 Bug 1935735 Change-Id: I883243dce583cd79e28facaa2cdd81157b293d74 Signed-off-by: Calvin Owens Acked-by: Douglas Gilbert Signed-off-by: Martin K. Petersen Signed-off-by: Gagan Grover Reviewed-on: http://git-master/r/1259958 (cherry picked from commit b49da4529988ca02bddaed8091a7f5e91105970a) Reviewed-on: https://git-master.nvidia.com/r/1690295 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Tested-by: Amulya Yarlagadda Reviewed-by: Winnie Hsu --- drivers/scsi/sg.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'drivers') 
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index df5e961484e1..47eafb87e038 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -765,8 +765,14 @@ sg_common_write(Sg_fd * sfp, Sg_request * srp,
 return k; /* probably out of space --> ENOMEM */
 }
 if (sdp->detached) {
- if (srp->bio)
+ if (srp->bio) {
+ if (srp->rq->cmd != srp->rq->__cmd)
+ kfree(srp->rq->cmd);
+
 blk_end_request_all(srp->rq, -EIO);
+ srp->rq = NULL;
+ }
+
 sg_finish_rem_req(srp);
 return -ENODEV;
 }
-- cgit v1.2.3 From 781051311df5d2e155f0ff3f67aa0b2763c54ede Mon Sep 17 00:00:00 2001
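Review bot: The purpose of `srp->rq = NULL;` is invisible at this point in sg_common_write: it exists so that `sg_finish_rem_req(srp)` on the following line does not put the request a second time, which is exactly the double free the commit fixes, and a future cleanup could easily drop it as redundant. A one-line comment above the assignment, `/* rq already released; keep sg_finish_rem_req() from putting it again */`, would pin that down. The manual `kfree(srp->rq->cmd)` likewise relies on no completion callback ever running for this request (the commit message says so, the code does not), and it assumes `srp->rq` is non-NULL whenever `srp->bio` is set; both deserve a sentence next to the code. sg_common_write begins and ends outside the hunk.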
From: Mauro Carvalho Chehab Date: Thu, 28 Jan 2016 09:22:44 -0200 Subject: [media] xc2028: avoid use after free If struct xc2028_config is passed without a firmware name, the following trouble may happen: [11009.907205] xc2028 5-0061: type set to XCeive xc2028/xc3028 tuner [11009.907491] ================================================================== [11009.907750] BUG: KASAN: use-after-free in strcmp+0x96/0xb0 at addr ffff8803bd78ab40 [11009.907992] Read of size 1 by task modprobe/28992 [11009.907994] ============================================================================= [11009.907997] BUG kmalloc-16 (Tainted: G W ): kasan: bad access detected [11009.907999] ----------------------------------------------------------------------------- [11009.908008] INFO: Allocated in xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] age=0 cpu=3 pid=28992 [11009.908012] ___slab_alloc+0x581/0x5b0 [11009.908014] __slab_alloc+0x51/0x90 [11009.908017] __kmalloc+0x27b/0x350 [11009.908022] xhci_urb_enqueue+0x214/0x14c0 [xhci_hcd] [11009.908026] usb_hcd_submit_urb+0x1e8/0x1c60 [11009.908029] usb_submit_urb+0xb0e/0x1200 [11009.908032] usb_serial_generic_write_start+0xb6/0x4c0 [11009.908035] usb_serial_generic_write+0x92/0xc0 [11009.908039] usb_console_write+0x38a/0x560 [11009.908045] call_console_drivers.constprop.14+0x1ee/0x2c0 [11009.908051] console_unlock+0x40d/0x900 [11009.908056] vprintk_emit+0x4b4/0x830 [11009.908061] vprintk_default+0x1f/0x30 [11009.908064] printk+0x99/0xb5 [11009.908067] kasan_report_error+0x10a/0x550 [11009.908070] __asan_report_load1_noabort+0x43/0x50 [11009.908074] INFO: Freed in xc2028_set_config+0x90/0x630 [tuner_xc2028] age=1 cpu=3 pid=28992 [11009.908077] __slab_free+0x2ec/0x460 [11009.908080] kfree+0x266/0x280 [11009.908083] xc2028_set_config+0x90/0x630 [tuner_xc2028] [11009.908086] xc2028_attach+0x310/0x8a0 [tuner_xc2028] [11009.908090] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb] [11009.908094] em28xx_dvb_init.part.3+0x8e4/0x5cf4 
[em28xx_dvb] [11009.908098] em28xx_dvb_init+0x81/0x8a [em28xx_dvb] [11009.908101] em28xx_register_extension+0xd9/0x190 [em28xx] [11009.908105] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb] [11009.908108] do_one_initcall+0x141/0x300 [11009.908111] do_init_module+0x1d0/0x5ad [11009.908114] load_module+0x6666/0x9ba0 [11009.908117] SyS_finit_module+0x108/0x130 [11009.908120] entry_SYSCALL_64_fastpath+0x16/0x76 [11009.908123] INFO: Slab 0xffffea000ef5e280 objects=25 used=25 fp=0x (null) flags=0x2ffff8000004080 [11009.908126] INFO: Object 0xffff8803bd78ab40 @offset=2880 fp=0x0000000000000001 [11009.908130] Bytes b4 ffff8803bd78ab30: 01 00 00 00 2a 07 00 00 9d 28 00 00 01 00 00 00 ....*....(...... [11009.908133] Object ffff8803bd78ab40: 01 00 00 00 00 00 00 00 b0 1d c3 6a 00 88 ff ff ...........j.... [11009.908137] CPU: 3 PID: 28992 Comm: modprobe Tainted: G B W 4.5.0-rc1+ #43 [11009.908140] Hardware name: /NUC5i7RYB, BIOS RYBDWi35.86A.0350.2015.0812.1722 08/12/2015 [11009.908142] ffff8803bd78a000 ffff8802c273f1b8 ffffffff81932007 ffff8803c6407a80 [11009.908148] ffff8802c273f1e8 ffffffff81556759 ffff8803c6407a80 ffffea000ef5e280 [11009.908153] ffff8803bd78ab40 dffffc0000000000 ffff8802c273f210 ffffffff8155ccb4 [11009.908158] Call Trace: [11009.908162] [] dump_stack+0x4b/0x64 [11009.908165] [] print_trailer+0xf9/0x150 [11009.908168] [] object_err+0x34/0x40 [11009.908171] [] kasan_report_error+0x230/0x550 [11009.908175] [] ? trace_hardirqs_off_caller+0x21/0x290 [11009.908179] [] ? kasan_unpoison_shadow+0x36/0x50 [11009.908182] [] __asan_report_load1_noabort+0x43/0x50 [11009.908185] [] ? __asan_register_globals+0x50/0xa0 [11009.908189] [] ? strcmp+0x96/0xb0 [11009.908192] [] strcmp+0x96/0xb0 [11009.908196] [] xc2028_set_config+0x15c/0x630 [tuner_xc2028] [11009.908200] [] xc2028_attach+0x310/0x8a0 [tuner_xc2028] [11009.908203] [] ? memset+0x28/0x30 [11009.908206] [] ? 
xc2028_set_config+0x630/0x630 [tuner_xc2028] [11009.908211] [] em28xx_attach_xc3028.constprop.7+0x1f9/0x30d [em28xx_dvb] [11009.908215] [] ? em28xx_dvb_init.part.3+0x37c/0x5cf4 [em28xx_dvb] [11009.908219] [] ? hauppauge_hvr930c_init+0x487/0x487 [em28xx_dvb] [11009.908222] [] ? lgdt330x_attach+0x1cc/0x370 [lgdt330x] [11009.908226] [] ? i2c_read_demod_bytes.isra.2+0x210/0x210 [lgdt330x] [11009.908230] [] ? ref_module.part.15+0x10/0x10 [11009.908233] [] ? module_assert_mutex_or_preempt+0x80/0x80 [11009.908238] [] em28xx_dvb_init.part.3+0x8e4/0x5cf4 [em28xx_dvb] [11009.908242] [] ? em28xx_attach_xc3028.constprop.7+0x30d/0x30d [em28xx_dvb] [11009.908245] [] ? string+0x14d/0x1f0 [11009.908249] [] ? symbol_string+0xff/0x1a0 [11009.908253] [] ? uuid_string+0x6f0/0x6f0 [11009.908257] [] ? __kernel_text_address+0x7e/0xa0 [11009.908260] [] ? print_context_stack+0x7f/0xf0 [11009.908264] [] ? __module_address+0xb6/0x360 [11009.908268] [] ? is_ftrace_trampoline+0x99/0xe0 [11009.908271] [] ? __kernel_text_address+0x7e/0xa0 [11009.908275] [] ? debug_check_no_locks_freed+0x290/0x290 [11009.908278] [] ? dump_trace+0x11b/0x300 [11009.908282] [] ? em28xx_register_extension+0x23/0x190 [em28xx] [11009.908285] [] ? trace_hardirqs_off_caller+0x21/0x290 [11009.908289] [] ? trace_hardirqs_on_caller+0x16/0x590 [11009.908292] [] ? trace_hardirqs_on+0xd/0x10 [11009.908296] [] ? em28xx_register_extension+0x23/0x190 [em28xx] [11009.908299] [] ? mutex_trylock+0x400/0x400 [11009.908302] [] ? do_one_initcall+0x131/0x300 [11009.908306] [] ? call_rcu_sched+0x17/0x20 [11009.908309] [] ? put_object+0x48/0x70 [11009.908314] [] em28xx_dvb_init+0x81/0x8a [em28xx_dvb] [11009.908317] [] em28xx_register_extension+0xd9/0x190 [em28xx] [11009.908320] [] ? 0xffffffffa0150000 [11009.908324] [] em28xx_dvb_register+0x10/0x1000 [em28xx_dvb] [11009.908327] [] do_one_initcall+0x141/0x300 [11009.908330] [] ? try_to_run_init_process+0x40/0x40 [11009.908333] [] ? trace_hardirqs_on_caller+0x16/0x590 [11009.908337] [] ? 
kasan_unpoison_shadow+0x36/0x50 [11009.908340] [] ? kasan_unpoison_shadow+0x36/0x50 [11009.908343] [] ? kasan_unpoison_shadow+0x36/0x50 [11009.908346] [] ? __asan_register_globals+0x87/0xa0 [11009.908350] [] do_init_module+0x1d0/0x5ad [11009.908353] [] load_module+0x6666/0x9ba0 [11009.908356] [] ? symbol_put_addr+0x50/0x50 [11009.908361] [] ? em28xx_dvb_init.part.3+0x5989/0x5cf4 [em28xx_dvb] [11009.908366] [] ? module_frob_arch_sections+0x20/0x20 [11009.908369] [] ? open_exec+0x50/0x50 [11009.908374] [] ? ns_capable+0x5b/0xd0 [11009.908377] [] SyS_finit_module+0x108/0x130 [11009.908379] [] ? SyS_init_module+0x1f0/0x1f0 [11009.908383] [] ? lockdep_sys_exit_thunk+0x12/0x14 [11009.908394] [] entry_SYSCALL_64_fastpath+0x16/0x76 [11009.908396] Memory state around the buggy address: [11009.908398] ffff8803bd78aa00: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc [11009.908401] ffff8803bd78aa80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [11009.908403] >ffff8803bd78ab00: fc fc fc fc fc fc fc fc 00 00 fc fc fc fc fc fc [11009.908405] ^ [11009.908407] ffff8803bd78ab80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [11009.908409] ffff8803bd78ac00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [11009.908411] ================================================================== In order to avoid it, let's set the cached value of the firmware name to NULL after freeing it. While here, return an error if the memory allocation fails. Bug 1823317 Bug 1935735 Change-Id: I1825fc7eb08bd458ed5413fea8b47de539c9b23f Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Gagan Grover Reviewed-on: https://git-master.nvidia.com/r/1690296 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Tested-by: Amulya Yarlagadda Reviewed-by: Winnie Hsu --- drivers/media/tuners/tuner-xc2028.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/media/tuners/tuner-xc2028.c b/drivers/media/tuners/tuner-xc2028.c index 9771cd83c06e..38afc54ef349 100644 
--- a/drivers/media/tuners/tuner-xc2028.c
+++ b/drivers/media/tuners/tuner-xc2028.c
@@ -1385,11 +1385,12 @@ static int xc2028_set_config(struct dvb_frontend *fe, void *priv_cfg)
 * in order to avoid troubles during device release.
 */
 kfree(priv->ctrl.fname);
+ priv->ctrl.fname = NULL;
 memcpy(&priv->ctrl, p, sizeof(priv->ctrl));
 if (p->fname) {
 priv->ctrl.fname = kstrdup(p->fname, GFP_KERNEL);
 if (priv->ctrl.fname == NULL)
- rc = -ENOMEM;
+ return -ENOMEM;
 }
 /*
-- cgit v1.2.3 From 1de99ac66623dc420140c8a1a6c0271a553fe515 Mon Sep 17 00:00:00 2001
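Review bot: Replacing `rc = -ENOMEM;` with `return -ENOMEM;` turns the allocation failure into an early exit, and if xc2028_set_config holds a lock or has cleanup at its end (not visible in the hunk, but the existing `rc` variable suggests a single exit path that does something), the early return skips it. The safer form keeps the error in `rc` and jumps to the function's normal exit, e.g. `rc = -ENOMEM; goto unlock;` if such a label exists; otherwise confirm that nothing after this point needs to run on failure. The `priv->ctrl.fname = NULL;` after the kfree is right: memcpy then copies `p->fname` into the field and kstrdup replaces it, so on failure the field ends up NULL rather than the caller's pointer. xc2028_set_config begins and ends outside the hunk.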
From: Peter Hurley Date: Fri, 27 Nov 2015 14:30:21 -0500 Subject: tty: Prevent ldisc drivers from re-using stale tty fields Line discipline drivers may mistakenly misuse ldisc-related fields when initializing. For example, a failure to initialize tty->receive_room in the N_GIGASET_M101 line discipline was recently found and fixed [1]. Now, the N_X25 line discipline has been discovered accessing the previous line discipline's already-freed private data [2]. Harden the ldisc interface against misuse by initializing relevant tty fields before instancing the new line discipline. [1] commit fd98e9419d8d622a4de91f76b306af6aa627aa9c Author: Tilman Schmidt Date: Tue Jul 14 00:37:13 2015 +0200 isdn/gigaset: reset tty->receive_room when attaching ser_gigaset [2] Report from Sasha Levin [ 634.336761] ================================================================== [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0 [ 634.339558] Read of size 4 by task syzkaller_execu/8981 [ 634.340359] ============================================================================= [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected ... 
[ 634.405018] Call Trace: [ 634.405277] dump_stack (lib/dump_stack.c:52) [ 634.405775] print_trailer (mm/slub.c:655) [ 634.406361] object_err (mm/slub.c:662) [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236) [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279) [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1)) [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447) [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567) [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879) [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607) [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613) [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188) Bug 1823317 Bug 1935735 Change-Id: Ica54faa9334c587594cc19bc9da007340fda672d Cc: Tilman Schmidt Cc: Sasha Levin Signed-off-by: Peter Hurley Signed-off-by: Greg Kroah-Hartman Signed-off-by: Gagan Grover Reviewed-on: http://git-master/r/1259925 (cherry picked from commit 2b1401855a2bdd31556a93feba50dd0dc0bb70e8) Reviewed-on: https://git-master.nvidia.com/r/1690300 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Tested-by: Amulya Yarlagadda Reviewed-by: Winnie Hsu --- drivers/tty/tty_ldisc.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'drivers') diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c index 1afe192bef6a..b5cbe12e2815 100644 --- a/drivers/tty/tty_ldisc.c +++ b/drivers/tty/tty_ldisc.c @@ -400,6 +400,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush); * they are not on hot paths so a little discipline won't do * any harm. * + * The line discipline-related tty_struct fields are reset to + * prevent the ldisc driver from re-using stale information for + * the new ldisc instance. + * * Locking: takes termios_mutex */ 
@@ -408,6 +412,9 @@ static void tty_set_termios_ldisc(struct tty_struct *tty, int num)
 mutex_lock(&tty->termios_mutex);
 tty->termios.c_line = num;
 mutex_unlock(&tty->termios_mutex);
+
+ tty->disc_data = NULL;
+ tty->receive_room = 0;
 }
 /**
-- cgit v1.2.3 From e592ed68b3c3c27d74d5592f99b423596755263a Mon Sep 17 00:00:00 2001 From: Amulya Y Date: Fri, 6 Apr 2018 15:48:49 -0700 Subject: HID: core: prevent out-of-bound readings Plugging a Logitech DJ receiver with KASAN activated raises a bunch of out-of-bound readings. The fields are allocated up to MAX_USAGE, meaning that potentially, we do not have enough fields to fit the incoming values. Add checks and silence KASAN. Bug 1823317 Bug 1935735 Change-Id: Ib3ba92572acbdd4c9ec265e54a45f92606107700 Signed-off-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Gagan Grover Signed-off-by: Amulya Yarlagadda Reviewed-on: http://git-master/r/1259928 (cherry picked from commit fbc389a39540e177bfa4d49b9214dfe408ef2d4a) Reviewed-on: https://git-master.nvidia.com/r/1690285 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Reviewed-by: Winnie Hsu
--- drivers/hid/hid-core.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers')
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 46b7b12376f9..dcea21ed9cd6 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1138,6 +1138,7 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field,
 /* Ignore report if ErrorRollOver */
 if (!(field->flags & HID_MAIN_ITEM_VARIABLE) &&
 value[n] >= min && value[n] <= max &&
+ value[n] - min < field->maxusage &&
 field->usage[value[n] - min].hid == HID_UP_KEYBOARD + 1)
 goto exit;
 }
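Review bot: The new guard `value[n] - min < field->maxusage` compares the difference of two report values (presumably signed, their declarations are outside the hunk) against an unsigned usage count, so it is correct only because `value[n] >= min` is evaluated first and the difference is non-negative; that ordering is load-bearing and should be stated, e.g. `/* value[n] >= min already holds, so the difference is a usage index, not a negative promoted to unsigned */`. If `min` can sit near the bottom of its range, `value[n] - min` can still overflow before the comparison, which evaluating the difference in a wider type would remove. The same two points apply to the guards in the second hid_input_field hunk. hid_input_field begins and ends outside both hunks.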
@@ -1150,11 +1151,13 @@ static void hid_input_field(struct hid_device *hid, struct hid_field *field,
 }
 if (field->value[n] >= min && field->value[n] <= max
+ && field->value[n] - min < field->maxusage
 && field->usage[field->value[n] - min].hid
 && search(value, field->value[n], count))
 hid_process_event(hid, field, &field->usage[field->value[n] - min], 0, interrupt);
 if (value[n] >= min && value[n] <= max
+ && value[n] - min < field->maxusage
 && field->usage[value[n] - min].hid
 && search(field->value, value[n], count))
 hid_process_event(hid, field, &field->usage[value[n] - min], 1, interrupt);
-- cgit v1.2.3 From 0eb5e1ea3339a378f8150cdf9592ece4193f3850 Mon Sep 17 00:00:00 2001 From: Jeetesh Burman Date: Thu, 19 Apr 2018 21:16:37 +0530 Subject: gpu: nvgpu: add speculative load barrier (ctrl IOCTLs) Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem insert a speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: Ib6c4b2f99b85af3119cce3882fe35ab47509c76f Signed-off-by: Alex Waterman Reviewed-on: https://git-master.nvidia.com/r/1640500 Signed-off-by: James Huang Reviewed-on: https://git-master.nvidia.com/r/1650050 (cherry picked from commit f293fa670fd2f4fbe170f1e372e9aa237283c67a) Signed-off-by: Jeetesh Burman Reviewed-on: https://git-master.nvidia.com/r/1682715 Signed-off-by: Jeetesh Burman Reviewed-on: https://git-master.nvidia.com/r/1698610 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Tested-by: Bibek Basu
--- drivers/gpu/nvgpu/gk20a/gr_gk20a.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers')
diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
index 9e032e03a153..db34cc0e85e9 100644
--- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
+++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #include "gk20a.h"
 #include "kind_gk20a.h"
@@ -3594,6 +3595,7 @@ int gr_gk20a_add_zbc(struct gk20a *g, struct gr_gk20a *gr,
 mutex_lock(&gr->zbc_lock);
 switch (zbc_val->type) {
 case GK20A_ZBC_TYPE_COLOR:
+ speculation_barrier();
 /* search existing tables */
 for (i = 0; i < gr->max_used_color_index; i++) {
@@ -3632,6 +3634,7 @@ int gr_gk20a_add_zbc(struct gk20a *g, struct gr_gk20a *gr,
 }
 break;
 case GK20A_ZBC_TYPE_DEPTH:
+ speculation_barrier();
 /* search existing tables */
 for (i = 0; i < gr->max_used_depth_index; i++) {
-- cgit v1.2.3 From db28d5d9c87a31dd53716ab2bad7a1571212f7e8 Mon Sep 17 00:00:00 2001 From: Jeetesh Burman Date: Thu, 19 Apr 2018 21:27:20 +0530 Subject: host1x: prevent speculative load related leak Data can be speculatively loaded from memory and stay in cache even when bound check fails. This can lead to unintended information disclosure via side-channel analysis. To mitigate this problem, insert speculation barrier. bug 2039126 CVE-2017-5753 Change-Id: Ifc618c00cee497e6d84cac01a9b73fcecbe8f260 Signed-off-by: David Gilhooley Signed-off-by: James Huang Reviewed-on: https://git-master.nvidia.com/r/1650036 (cherry picked from commit 164f8684deb5b15a53c60a60c7d9b8e3bf5af5be) Signed-off-by: Jeetesh Burman Reviewed-on: https://git-master.nvidia.com/r/1682714 Signed-off-by: Jeetesh Burman Reviewed-on: https://git-master.nvidia.com/r/1698611 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Tested-by: Bibek Basu
--- drivers/video/tegra/host/host1x/host1x.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'drivers')
diff --git a/drivers/video/tegra/host/host1x/host1x.c b/drivers/video/tegra/host/host1x/host1x.c
index 522219484286..6af16bab059c 100644
--- a/drivers/video/tegra/host/host1x/host1x.c
+++ b/drivers/video/tegra/host/host1x/host1x.c
@@ -33,6 +33,8 @@
 #include
 #include
+#include
+#include
 #include "dev.h"
 #include
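Review bot: In gr_gk20a_add_zbc the barriers are placed at the top of the COLOR and DEPTH cases, but the only bounds visible in these hunks are the `switch (zbc_val->type)` dispatch and the driver-side loop limits `gr->max_used_color_index` / `gr->max_used_depth_index`; which user-supplied index they are meant to fence is not visible here. A one-line comment at each barrier naming the check it pairs with, e.g. `/* fences the zbc_val range checks performed before this switch */`, would make the intent auditable, because a barrier that does not sit next to its comparison is easy to move or drop in a later refactor. gr_gk20a_add_zbc begins and ends outside both hunks.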
@@ -267,6 +269,8 @@ static int nvhost_ioctl_ctrl_module_mutex(struct nvhost_ctrl_userctx *ctx,
 args->lock > 1)
 return -EINVAL;
+ speculation_barrier();
+
 trace_nvhost_ioctl_ctrl_module_mutex(args->lock, args->id);
 if (args->lock && !ctx->mod_locks[args->id]) {
 if (args->id == 0)
@@ -379,6 +383,7 @@ static int nvhost_ioctl_ctrl_syncpt_read_max(struct nvhost_ctrl_userctx *ctx,
 {
 if (args->id >= nvhost_syncpt_nb_pts(&ctx->dev->syncpt))
 return -EINVAL;
+ speculation_barrier();
 args->value = nvhost_syncpt_read_max(&ctx->dev->syncpt, args->id);
 return 0;
 }
-- cgit v1.2.3