diff options
Diffstat (limited to 'drivers')
31 files changed, 662 insertions, 289 deletions
diff --git a/drivers/ata/ahci-tegra.c b/drivers/ata/ahci-tegra.c index 791679c2a419..3c93eb831fc4 100644 --- a/drivers/ata/ahci-tegra.c +++ b/drivers/ata/ahci-tegra.c @@ -1081,12 +1081,10 @@ static int tegra_ahci_controller_init(struct tegra_ahci_host_priv *tegra_hpriv, val &= ~NVA2SATA_OOB_ON_POR_MASK; misc_writel(val, SATA_AUX_MISC_CNTL_1_REG); - if (tegra_hpriv->sata_connector != MINI_SATA) { - /* Disable DEVSLP Feature */ - val = misc_readl(SATA_AUX_MISC_CNTL_1_REG); - val &= ~SDS_SUPPORT; - misc_writel(val, SATA_AUX_MISC_CNTL_1_REG); - } + /* Disable DEVSLP Feature */ + val = misc_readl(SATA_AUX_MISC_CNTL_1_REG); + val &= ~SDS_SUPPORT; + misc_writel(val, SATA_AUX_MISC_CNTL_1_REG); val = sata_readl(SATA_CONFIGURATION_0_OFFSET); val |= EN_FPCI; diff --git a/drivers/gpio/gpio-pca953x.c b/drivers/gpio/gpio-pca953x.c index a5653ea0342f..3d4cbd5cb126 100644 --- a/drivers/gpio/gpio-pca953x.c +++ b/drivers/gpio/gpio-pca953x.c @@ -308,7 +308,7 @@ static int pca953x_gpio_get_value(struct gpio_chip *gc, unsigned off) return 0; } - return (reg_val & (1u << off)) ? 1 : 0; + return (reg_val & (1u << (off % BANK_SZ))) ? 1 : 0; } static void pca953x_gpio_set_value(struct gpio_chip *gc, unsigned off, int val) diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c index 8759d699bd8e..d8fcc80ecee6 100644 --- a/drivers/gpu/drm/drm_crtc.c +++ b/drivers/gpu/drm/drm_crtc.c @@ -2956,8 +2956,8 @@ static struct drm_property_blob *drm_property_create_blob(struct drm_device *dev struct drm_property_blob *blob; int ret; - if (!length || !data) - return NULL; + if (!length || !data || length > ULONG_MAX - sizeof(struct drm_property_blob)) + return ERR_PTR(-EINVAL); blob = kzalloc(sizeof(struct drm_property_blob)+length, GFP_KERNEL); if (!blob) diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c index f64bda9b6dc5..3065e8403559 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.c @@ -3,7 +3,7 @@ * * GK20A Graphics channel * - * Copyright (c) 2011-2015, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -552,8 +552,7 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch, dmabuf = dma_buf_get(args->mem); - if (ch->error_notifier_ref) - gk20a_free_error_notifiers(ch); + gk20a_free_error_notifiers(ch); if (IS_ERR(dmabuf)) { pr_err("Invalid handle: %d\n", args->mem); @@ -574,16 +573,23 @@ static int gk20a_init_error_notifier(struct channel_gk20a *ch, return -ENOMEM; } - /* set channel notifiers pointer */ - ch->error_notifier_ref = dmabuf; ch->error_notifier = va + args->offset; ch->error_notifier_va = va; memset(ch->error_notifier, 0, sizeof(struct nvhost_notification)); + + /* set channel notifiers pointer */ + mutex_lock(&ch->error_notifier_mutex); + ch->error_notifier_ref = dmabuf; + mutex_unlock(&ch->error_notifier_mutex); + return 0; } void gk20a_set_error_notifier(struct channel_gk20a *ch, __u32 error) { + bool notifier_set = false; + + mutex_lock(&ch->error_notifier_mutex); if (ch->error_notifier_ref) { struct timespec time_data; u64 nsec; @@ -596,20 +602,27 @@ void gk20a_set_error_notifier(struct channel_gk20a *ch, __u32 error) (u32)(nsec >> 32); ch->error_notifier->info32 = error; ch->error_notifier->status = 0xffff; - gk20a_err(dev_from_gk20a(ch->g), - "error notifier set to %d\n", error); + + notifier_set = true; } + mutex_unlock(&ch->error_notifier_mutex); + + if (notifier_set) + gk20a_err(dev_from_gk20a(ch->g), + "error notifier set to %d for ch %d", error, ch->hw_chid); } static void gk20a_free_error_notifiers(struct channel_gk20a *ch) { + mutex_lock(&ch->error_notifier_mutex); if (ch->error_notifier_ref) { dma_buf_vunmap(ch->error_notifier_ref, ch->error_notifier_va); dma_buf_put(ch->error_notifier_ref); - ch->error_notifier_ref = 0; - ch->error_notifier = 0; - ch->error_notifier_va = 0; + ch->error_notifier_ref = NULL; + ch->error_notifier = NULL; + ch->error_notifier_va = NULL; } + mutex_unlock(&ch->error_notifier_mutex); } void gk20a_free_channel(struct channel_gk20a *ch, bool finish) @@ -706,9 +719,12 @@ unbind: int gk20a_channel_release(struct inode *inode, struct file *filp) { struct channel_gk20a *ch = (struct channel_gk20a *)filp->private_data; - struct gk20a *g = ch->g; + struct gk20a *g = ch ? ch->g : NULL; int err; + if (!ch) + return 0; + trace_gk20a_channel_release(dev_name(&g->dev->dev)); err = gk20a_busy(ch->g->dev); @@ -1630,6 +1646,7 @@ int gk20a_init_channel_support(struct gk20a *g, u32 chid) c->bound = false; c->remove_support = gk20a_remove_channel_support; mutex_init(&c->jobs_lock); + mutex_init(&c->error_notifier_mutex); INIT_LIST_HEAD(&c->jobs); #if defined(CONFIG_GK20A_CYCLE_STATS) mutex_init(&c->cyclestate.cyclestate_buffer_mutex); @@ -1982,7 +1999,7 @@ long gk20a_channel_ioctl(struct file *filp, { struct channel_gk20a *ch = filp->private_data; struct platform_device *dev = ch->g->dev; - u8 buf[NVHOST_IOCTL_CHANNEL_MAX_ARG_SIZE]; + u8 buf[NVHOST_IOCTL_CHANNEL_MAX_ARG_SIZE] = {0}; int err = 0; if ((_IOC_TYPE(cmd) != NVHOST_IOCTL_MAGIC) || @@ -2049,18 +2066,6 @@ long gk20a_channel_ioctl(struct file *filp, (struct nvhost_alloc_obj_ctx_args *)buf); gk20a_idle(dev); break; - case NVHOST_IOCTL_CHANNEL_FREE_OBJ_CTX: - err = gk20a_busy(dev); - if (err) { - dev_err(&dev->dev, - "%s: failed to host gk20a for ioctl cmd: 0x%x", - __func__, cmd); - return err; - } - err = gk20a_free_obj_ctx(ch, - (struct nvhost_free_obj_ctx_args *)buf); - gk20a_idle(dev); - break; case NVHOST_IOCTL_CHANNEL_ALLOC_GPFIFO: err = gk20a_busy(dev); if (err) { diff --git a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h index 320ada62a965..831db0f4986a 100644 --- a/drivers/gpu/nvgpu/gk20a/channel_gk20a.h +++ b/drivers/gpu/nvgpu/gk20a/channel_gk20a.h @@ -3,7 +3,7 @@ * * GK20A graphics channel * - * Copyright (c) 2011-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -98,7 +98,6 @@ struct channel_gk20a { u64 userd_iova; u64 userd_gpu_va; - s32 num_objects; u32 obj_class; /* we support only one obj per channel */ struct priv_cmd_queue priv_cmd_q; @@ -132,6 +131,7 @@ struct channel_gk20a { struct dma_buf *error_notifier_ref; struct nvhost_notification *error_notifier; void *error_notifier_va; + struct mutex error_notifier_mutex; struct gk20a_channel_sync *sync; }; diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c index 9e032e03a153..d5a3bbd34a78 100644 --- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.c @@ -1,7 +1,7 @@ /* * GK20A Graphics * - * Copyright (c) 2011-2015, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -2697,7 +2697,6 @@ void gk20a_free_channel_ctx(struct channel_gk20a *c) memset(&c->ch_ctx, 0, sizeof(struct channel_ctx_gk20a)); - c->num_objects = 0; c->first_init = false; } @@ -2848,8 +2847,6 @@ int gk20a_alloc_obj_ctx(struct channel_gk20a *c, c->first_init = true; } - c->num_objects++; - gk20a_dbg_fn("done"); return 0; out: @@ -2861,29 +2858,6 @@ out: return err; } -int gk20a_free_obj_ctx(struct channel_gk20a *c, - struct nvhost_free_obj_ctx_args *args) -{ - unsigned long timeout = gk20a_get_gr_idle_timeout(c->g); - - gk20a_dbg_fn(""); - - if (c->num_objects == 0) - return 0; - - c->num_objects--; - - if (c->num_objects == 0) { - c->first_init = false; - gk20a_disable_channel(c, - !c->has_timedout, - timeout); - gr_gk20a_unmap_channel_patch_ctx(c); - } - - return 0; -} - static void gk20a_remove_gr_support(struct gr_gk20a *gr) { struct gk20a *g = gr->g; diff --git a/drivers/gpu/nvgpu/gk20a/gr_gk20a.h b/drivers/gpu/nvgpu/gk20a/gr_gk20a.h index 2a31aa0b830f..526eefb46b6f 100644 --- a/drivers/gpu/nvgpu/gk20a/gr_gk20a.h +++ b/drivers/gpu/nvgpu/gk20a/gr_gk20a.h @@ -1,7 +1,7 @@ /* * GK20A Graphics Engine * - * Copyright (c) 2011-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -324,12 +324,9 @@ int gk20a_init_gr_channel(struct channel_gk20a *ch_gk20a); int gr_gk20a_init_ctx_vars(struct gk20a *g, struct gr_gk20a *gr); struct nvhost_alloc_obj_ctx_args; -struct nvhost_free_obj_ctx_args; int gk20a_alloc_obj_ctx(struct channel_gk20a *c, struct nvhost_alloc_obj_ctx_args *args); -int gk20a_free_obj_ctx(struct channel_gk20a *c, - struct nvhost_free_obj_ctx_args *args); void gk20a_free_channel_ctx(struct channel_gk20a *c); int gk20a_gr_isr(struct gk20a *g); diff --git a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c index d94755bbdf33..2bbd973ad0b1 100644 --- a/drivers/gpu/nvgpu/gk20a/mm_gk20a.c +++ b/drivers/gpu/nvgpu/gk20a/mm_gk20a.c @@ -3,7 +3,7 @@ * * GK20A memory management * - * Copyright (c) 2011-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -2318,7 +2318,7 @@ int gk20a_vm_alloc_space(struct gk20a_as_share *as_share, va_node->vaddr_start = vaddr_start; va_node->size = (u64)args->page_size * (u64)args->pages; - va_node->pgsz_idx = args->page_size; + va_node->pgsz_idx = pgsz_idx; INIT_LIST_HEAD(&va_node->va_buffers_list); INIT_LIST_HEAD(&va_node->reserved_va_list); @@ -2488,6 +2488,9 @@ int gk20a_vm_map_buffer(struct gk20a_as_share *as_share, /* get ref to the mem handle (released on unmap_locked) */ dmabuf = dma_buf_get(dmabuf_fd); + if (IS_ERR(dmabuf)) + return PTR_ERR(dmabuf); + if (!dmabuf) return 0; diff --git a/drivers/media/platform/tegra/cam_dev/imx135.c b/drivers/media/platform/tegra/cam_dev/imx135.c index eaa085637aa4..7dd3e9bd61be 100644 --- a/drivers/media/platform/tegra/cam_dev/imx135.c +++ b/drivers/media/platform/tegra/cam_dev/imx135.c @@ -4,7 +4,7 @@ * the virtual PCL driver to handle some special features (hardware resources, * sequences, etc.). * - * Copyright (c) 2013, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2013-2016, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -42,11 +42,11 @@ struct imx135_info { }; static int imx135_update( - struct camera_device *cdev, struct cam_update *upd, int num) + struct camera_device *cdev, struct cam_update *upd, u32 num) { /* struct imx135_info *info = dev_get_drvdata(cdev->dev); */ int err = 0; - int idx; + u32 idx; dev_dbg(cdev->dev, "%s %d\n", __func__, num); mutex_lock(&cdev->mutex); diff --git a/drivers/media/platform/tegra/cam_dev/of_camera.c b/drivers/media/platform/tegra/cam_dev/of_camera.c index 460ca1a844e8..f293b9a27cd0 100644 --- a/drivers/media/platform/tegra/cam_dev/of_camera.c +++ b/drivers/media/platform/tegra/cam_dev/of_camera.c @@ -1,7 +1,7 @@ /* * debugfs.c * - * Copyright (c) 2013-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2013-2016, NVIDIA CORPORATION. All rights reserved. * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -222,7 +222,7 @@ int of_camera_get_property(struct camera_info *cam, unsigned long arg) } /* sanity check */ - if (!param.sizeofvalue) { + if (!param.sizeofvalue || param.sizeofvalue > INT_MAX) { dev_err(cam->dev, "%s invalid property name length %d\n", __func__, param.sizeofvalue); return -EBADF; diff --git a/drivers/media/platform/tegra/cam_dev/virtual.c b/drivers/media/platform/tegra/cam_dev/virtual.c index f08ad1563a73..d25becc1ec24 100644 --- a/drivers/media/platform/tegra/cam_dev/virtual.c +++ b/drivers/media/platform/tegra/cam_dev/virtual.c @@ -41,10 +41,10 @@ struct chip_config { }; static int virtual_update( - struct camera_device *cdev, struct cam_update *upd, int num) + struct camera_device *cdev, struct cam_update *upd, u32 num) { int err = 0; - int idx; + u32 idx; dev_dbg(cdev->dev, "%s %d\n", __func__, num); mutex_lock(&cdev->mutex); diff --git a/drivers/media/platform/tegra/camera.c b/drivers/media/platform/tegra/camera.c index 2542f4210de6..9017e7fcd2cc 100644 --- a/drivers/media/platform/tegra/camera.c +++ b/drivers/media/platform/tegra/camera.c @@ -1,7 +1,7 @@ /* * camera.c - generic camera device driver * - * Copyright (c) 2013-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2013-2016, NVIDIA CORPORATION. All rights reserved. * * Contributors: * Charlie Huang <chahuang@nvidia.com> @@ -131,12 +131,12 @@ int camera_copy_user_params(unsigned long arg, struct nvc_param *prm) } #endif -int camera_get_params( +int __camera_get_params( struct camera_info *cam, unsigned long arg, int u_size, - struct nvc_param *prm, void **data) + struct nvc_param *prm, void **data, bool zero_size_ok) { void *buf; - unsigned size; + size_t size; #ifdef CONFIG_COMPAT memset(prm, 0, sizeof(*prm)); @@ -156,9 +156,14 @@ int camera_get_params( if (!data) return 0; + if (zero_size_ok && prm->sizeofvalue == 0) { + *data = ZERO_SIZE_PTR; + return 0; + } + size = prm->sizeofvalue * u_size; - buf = kzalloc(size, GFP_KERNEL); - if (!buf) { + buf = kcalloc(prm->sizeofvalue, u_size, GFP_KERNEL); + if (ZERO_OR_NULL_PTR(buf)) { dev_err(cam->dev, "%s allocate memory failed!\n", __func__); return -ENOMEM; } @@ -173,6 +178,20 @@ int camera_get_params( return 0; } +static int camera_validate_p_i2c_table(struct camera_info *cam, + const struct nvc_param *params, + const struct camera_reg *p_i2c_table, const char *caller) +{ + u32 idx, last_idx = params->sizeofvalue / sizeof(p_i2c_table[0]); + + for (idx = 0; idx < last_idx; idx++) + if (p_i2c_table[idx].addr == CAMERA_TABLE_END) + return 0; + + dev_err(cam->dev, "%s: table is not properly terminated\n", caller); + return -EINVAL; +} + static int camera_seq_rd(struct camera_info *cam, unsigned long arg) { struct nvc_param params; @@ -184,6 +203,10 @@ static int camera_seq_rd(struct camera_info *cam, unsigned long arg) if (err) return err; + err = camera_validate_p_i2c_table(cam, ¶ms, p_i2c_table, __func__); + if (err) + goto seq_rd_end; + err = camera_dev_rd_table(cam->cdev, p_i2c_table); if (!err && copy_to_user(MAKE_USER_PTR(params.p_value), p_i2c_table, params.sizeofvalue)) { @@ -192,6 +215,7 @@ static int camera_seq_rd(struct camera_info *cam, unsigned long arg) err = -EINVAL; } +seq_rd_end: kfree(p_i2c_table); return err; } @@ -231,7 +255,7 @@ static int camera_seq_wr(struct camera_info *cam, unsigned long arg) } p_i2c_table = devm_kzalloc(cdev->dev, params.sizeofvalue, GFP_KERNEL); - if (p_i2c_table == NULL) { + if (ZERO_OR_NULL_PTR(p_i2c_table)) { dev_err(cam->dev, "%s devm_kzalloc err line %d\n", __func__, __LINE__); return -ENOMEM; @@ -246,6 +270,10 @@ static int camera_seq_wr(struct camera_info *cam, unsigned long arg) goto seq_wr_end; } + err = camera_validate_p_i2c_table(cam, ¶ms, p_i2c_table, __func__); + if (err) + goto seq_wr_end; + switch (params.param) { case CAMERA_SEQ_REGISTER_EXEC: case CAMERA_SEQ_REGISTER_ONLY: @@ -498,13 +526,13 @@ static int camera_new_device(struct camera_info *cam, unsigned long arg) next_dev->client->addr == dev_info.addr) { dev_dbg(cam_desc.dev, "%s: device already exists.\n", __func__); - camera_remove_device(new_dev, false); if (atomic_xchg(&next_dev->in_use, 1)) { dev_err(cam_desc.dev, "%s device %s BUSY\n", __func__, next_dev->name); err = -EBUSY; goto new_device_err; - } + } else + camera_remove_device(new_dev, false); new_dev = next_dev; goto new_device_done; } @@ -586,7 +614,8 @@ static int camera_update(struct camera_info *cam, unsigned long arg) return err; } - err = camera_get_params(cam, arg, sizeof(*upd), ¶m, (void **)&upd); + err = __camera_get_params(cam, arg, sizeof(*upd), ¶m, (void **)&upd, + true); if (err) return err; @@ -657,9 +686,20 @@ static int camera_layout_get(struct camera_info *cam, unsigned long arg) if (err) return err; + if (param.variant > MAX_PARAM_VARIANT) { + dev_err(cam->dev, "%s param variant is too large: %u\n", + __func__, param.variant); + return -EINVAL; + } + if (param.sizeofvalue > MAX_PARAM_SIZE_OF_VALUE) { + dev_err(cam->dev, "%s size of param value is too large: %u\n", + __func__, param.sizeofvalue); + return -EINVAL; + } + len = (int)cam_desc.size_layout - param.variant; if (len <= 0) { - dev_err(cam->dev, "%s invalid offset %d\n", + dev_err(cam->dev, "%s invalid offset %u\n", __func__, param.variant); err = -EINVAL; goto getlayout_end; @@ -838,31 +878,46 @@ static long camera_ioctl(struct file *file, break; case PCLLK_IOCTL_DEV_DEL: mutex_lock(cam_desc.d_mutex); + if (!cam->cdev) { + err = -ENODEV; + mutex_unlock(cam_desc.d_mutex); + break; + } list_del(&cam->cdev->list); - mutex_unlock(cam_desc.d_mutex); camera_remove_device(cam->cdev, true); + mutex_unlock(cam_desc.d_mutex); break; case PCLLK_IOCTL_DEV_FREE: err = camera_free_device(cam, arg); break; case PCLLK_IOCTL_SEQ_WR: + mutex_lock(cam_desc.d_mutex); err = camera_seq_wr(cam, arg); + mutex_unlock(cam_desc.d_mutex); break; case PCLLK_IOCTL_SEQ_RD: + mutex_lock(cam_desc.d_mutex); err = camera_seq_rd(cam, arg); + mutex_unlock(cam_desc.d_mutex); break; case PCLLK_IOCTL_PARAM_RD: /* err = camera_param_rd(cam, arg); */ break; case PCLLK_IOCTL_PWR_WR: /* This is a Guaranteed Level of Service (GLOS) call */ + mutex_lock(cam_desc.d_mutex); err = camera_dev_pwr_set(cam, arg); + mutex_unlock(cam_desc.d_mutex); break; case PCLLK_IOCTL_PWR_RD: + mutex_lock(cam_desc.d_mutex); err = camera_dev_pwr_get(cam, arg); + mutex_unlock(cam_desc.d_mutex); break; case PCLLK_IOCTL_UPDATE: + mutex_lock(cam_desc.d_mutex); err = camera_update(cam, arg); + mutex_unlock(cam_desc.d_mutex); break; case PCLLK_IOCTL_LAYOUT_WR: err = camera_layout_update(cam, arg); @@ -884,16 +939,22 @@ static long camera_ioctl(struct file *file, err = virtual_device_add(cam_desc.dev, arg); break; case PCLLK_IOCTL_32_SEQ_WR: + mutex_lock(cam_desc.d_mutex); err = camera_seq_wr(cam, arg); + mutex_unlock(cam_desc.d_mutex); break; case PCLLK_IOCTL_32_SEQ_RD: + mutex_lock(cam_desc.d_mutex); err = camera_seq_rd(cam, arg); + mutex_unlock(cam_desc.d_mutex); break; case PCLLK_IOCTL_32_PARAM_RD: /* err = camera_param_rd(cam, arg); */ break; case PCLLK_IOCTL_32_UPDATE: + mutex_lock(cam_desc.d_mutex); err = camera_update(cam, arg); + mutex_unlock(cam_desc.d_mutex); break; case PCLLK_IOCTL_32_LAYOUT_WR: err = camera_layout_update(cam, arg); diff --git a/drivers/media/platform/tegra/nvavp/nvavp_dev.c b/drivers/media/platform/tegra/nvavp/nvavp_dev.c index 843ea338c949..25dee33ea9aa 100644 --- a/drivers/media/platform/tegra/nvavp/nvavp_dev.c +++ b/drivers/media/platform/tegra/nvavp/nvavp_dev.c @@ -1,7 +1,7 @@ /* * drivers/media/video/tegra/nvavp/nvavp_dev.c * - * Copyright (c) 2011-2016, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. * * This file is licensed under the terms of the GNU General Public License * version 2. This program is licensed "as is" without any warranty of any @@ -135,6 +135,7 @@ struct nvavp_info { int mbox_from_avp_pend_irq; struct mutex open_lock; + struct mutex submit_lock; int refcount; int video_initialized; int video_refcnt; @@ -871,6 +872,7 @@ static int nvavp_pushbuffer_update(struct nvavp_info *nvavp, u32 phys_addr, u32 wordcount = 0; u32 index, value = -1; int ret = 0; + u32 max_index = 0; mutex_lock(&nvavp->open_lock); nvavp_runtime_get(nvavp); @@ -885,7 +887,9 @@ static int nvavp_pushbuffer_update(struct nvavp_info *nvavp, u32 phys_addr, mutex_lock(&channel_info->pushbuffer_lock); /* check for pushbuffer wrapping */ - if (channel_info->pushbuf_index >= channel_info->pushbuf_fence) + max_index = channel_info->pushbuf_fence; + max_index = ext_ucode_flag ? max_index : max_index - (sizeof(u32) * 4); + if (channel_info->pushbuf_index >= max_index) channel_info->pushbuf_index = 0; if (!ext_ucode_flag) { @@ -1518,24 +1522,31 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd, syncpt.id = NVSYNCPT_INVALID; syncpt.value = 0; + mutex_lock(&nvavp->submit_lock); if (_IOC_DIR(cmd) & _IOC_WRITE) { if (copy_from_user(&hdr, (void __user *)arg, - sizeof(struct nvavp_pushbuffer_submit_hdr))) + sizeof(struct nvavp_pushbuffer_submit_hdr))) { + mutex_unlock(&nvavp->submit_lock); return -EFAULT; + } } - if (!hdr.cmdbuf.mem) + if (!hdr.cmdbuf.mem) { + mutex_unlock(&nvavp->submit_lock); return 0; + } if (hdr.num_relocs > NVAVP_MAX_RELOCATION_COUNT) { dev_err(&nvavp->nvhost_dev->dev, "invalid num_relocs %d\n", hdr.num_relocs); + mutex_unlock(&nvavp->submit_lock); return -EINVAL; } if (copy_from_user(clientctx->relocs, (void __user *)hdr.relocs, sizeof(struct nvavp_reloc) * hdr.num_relocs)) { + mutex_unlock(&nvavp->submit_lock); return -EFAULT; } @@ -1543,6 +1554,7 @@ static int nvavp_pushbuffer_submit_ioctl(struct file *filp, unsigned int cmd, if (IS_ERR(cmdbuf_dmabuf)) { dev_err(&nvavp->nvhost_dev->dev, "invalid cmd buffer handle %08x\n", hdr.cmdbuf.mem); + mutex_unlock(&nvavp->submit_lock); return PTR_ERR(cmdbuf_dmabuf); } @@ -1679,6 +1691,7 @@ err_dmabuf_map: dma_buf_detach(cmdbuf_dmabuf, cmdbuf_attach); err_dmabuf_attach: dma_buf_put(cmdbuf_dmabuf); + mutex_unlock(&nvavp->submit_lock); return ret; } @@ -1692,19 +1705,26 @@ static int nvavp_pushbuffer_submit_compat_ioctl(struct file *filp, struct nvavp_pushbuffer_submit_hdr_v32 hdr_v32; struct nvavp_pushbuffer_submit_hdr __user *user_hdr; int ret = 0; + mutex_lock(&nvavp->submit_lock); if (_IOC_DIR(cmd) & _IOC_WRITE) { if (copy_from_user(&hdr_v32, (void __user *)arg, - sizeof(struct nvavp_pushbuffer_submit_hdr_v32))) + sizeof(struct nvavp_pushbuffer_submit_hdr_v32))) { + mutex_unlock(&nvavp->submit_lock); return -EFAULT; + } } - if (!hdr_v32.cmdbuf.mem) + if (!hdr_v32.cmdbuf.mem) { + mutex_unlock(&nvavp->submit_lock); return 0; + } user_hdr = compat_alloc_user_space(sizeof(*user_hdr)); - if (!access_ok(VERIFY_WRITE, user_hdr, sizeof(*user_hdr))) + if (!access_ok(VERIFY_WRITE, user_hdr, sizeof(*user_hdr))) { + mutex_unlock(&nvavp->submit_lock); return -EFAULT; + } if (__put_user(hdr_v32.cmdbuf.mem, &user_hdr->cmdbuf.mem) || __put_user(hdr_v32.cmdbuf.offset, &user_hdr->cmdbuf.offset) @@ -1714,21 +1734,29 @@ static int nvavp_pushbuffer_submit_compat_ioctl(struct file *filp, || __put_user(hdr_v32.num_relocs, &user_hdr->num_relocs) || __put_user((void __user *)(unsigned long)hdr_v32.syncpt, &user_hdr->syncpt) - || __put_user(hdr_v32.flags, &user_hdr->flags)) + || __put_user(hdr_v32.flags, &user_hdr->flags)) { + mutex_unlock(&nvavp->submit_lock); return -EFAULT; + } + mutex_unlock(&nvavp->submit_lock); ret = nvavp_pushbuffer_submit_ioctl(filp, cmd, (unsigned long)user_hdr); if (ret) return ret; - if (__get_user(hdr_v32.syncpt, &user_hdr->syncpt)) + mutex_lock(&nvavp->submit_lock); + if (__get_user(hdr_v32.syncpt, (uintptr_t *)&user_hdr->syncpt)) + { + mutex_unlock(&nvavp->submit_lock); return -EFAULT; + } if (copy_to_user((void __user *)arg, &hdr_v32, sizeof(struct nvavp_pushbuffer_submit_hdr_v32))) { ret = -EFAULT; } + mutex_unlock(&nvavp->submit_lock); return ret; } #endif @@ -2009,10 +2037,17 @@ out: static int tegra_nvavp_video_release(struct inode *inode, struct file *filp) { - struct nvavp_clientctx *clientctx = filp->private_data; - struct nvavp_info *nvavp = clientctx->nvavp; + struct nvavp_clientctx *clientctx; + struct nvavp_info *nvavp; int ret = 0; + clientctx = filp->private_data; + if (!clientctx) + return ret; + nvavp = clientctx->nvavp; + if (!nvavp) + return ret; + mutex_lock(&nvavp->open_lock); filp->private_data = NULL; ret = tegra_nvavp_release(clientctx, NVAVP_VIDEO_CHANNEL); @@ -2025,10 +2060,17 @@ static int tegra_nvavp_video_release(struct inode *inode, struct file *filp) static int tegra_nvavp_audio_release(struct inode *inode, struct file *filp) { - struct nvavp_clientctx *clientctx = filp->private_data; - struct nvavp_info *nvavp = clientctx->nvavp; + struct nvavp_clientctx *clientctx; + struct nvavp_info *nvavp; int ret = 0; + clientctx = filp->private_data; + if (!clientctx) + return ret; + nvavp = clientctx->nvavp; + if (!nvavp) + return ret; + mutex_lock(&nvavp->open_lock); filp->private_data = NULL; ret = tegra_nvavp_release(clientctx, NVAVP_AUDIO_CHANNEL); @@ -2040,9 +2082,15 @@ static int tegra_nvavp_audio_release(struct inode *inode, int tegra_nvavp_audio_client_release(nvavp_clientctx_t client) { struct nvavp_clientctx *clientctx = client; - struct nvavp_info *nvavp = clientctx->nvavp; + struct nvavp_info *nvavp; int ret = 0; + if (!clientctx) + return ret; + nvavp = clientctx->nvavp; + if (!nvavp) + return ret; + mutex_lock(&nvavp->open_lock); ret = tegra_nvavp_release(clientctx, NVAVP_AUDIO_CHANNEL); mutex_unlock(&nvavp->open_lock); @@ -2084,10 +2132,8 @@ nvavp_channel_open(struct file *filp, struct nvavp_channel_open_args *arg) return err; } - fd_install(fd, file); - - nonseekable_open(file->f_inode, filp); mutex_lock(&nvavp->open_lock); + err = tegra_nvavp_open(nvavp, (struct nvavp_clientctx **)&file->private_data, clientctx->channel_id); @@ -2097,9 +2143,13 @@ nvavp_channel_open(struct file *filp, struct nvavp_channel_open_args *arg) mutex_unlock(&nvavp->open_lock); return err; } - mutex_unlock(&nvavp->open_lock); arg->channel_fd = fd; + + nonseekable_open(file->f_inode, filp); + fd_install(fd, file); + + mutex_unlock(&nvavp->open_lock); return err; } @@ -2380,6 +2430,7 @@ static int tegra_nvavp_probe(struct platform_device *ndev) nvavp->mbox_from_avp_pend_irq = irq; mutex_init(&nvavp->open_lock); + mutex_init(&nvavp->submit_lock); for (channel_id = 0; channel_id < NVAVP_NUM_CHANNELS; channel_id++) mutex_init(&nvavp->channel_info[channel_id].pushbuffer_lock); diff --git a/drivers/misc/tegra-cryptodev.c b/drivers/misc/tegra-cryptodev.c index 7d95fcc6f156..88c9cb217880 100644 --- a/drivers/misc/tegra-cryptodev.c +++ b/drivers/misc/tegra-cryptodev.c @@ -3,7 +3,7 @@ * * crypto dev node for NVIDIA tegra aes hardware * - * Copyright (c) 2010-2014, NVIDIA Corporation. All Rights Reserved. + * Copyright (c) 2010-2017, NVIDIA Corporation. All Rights Reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -40,6 +40,10 @@ #define XBUFSIZE 8 #define RNG_DRBG 1 #define RNG 0 +#define NUM_RSA_ALGO 4 +#define ECC_MODE_MIN_INDEX 7 +#define ECC_MODE_MAX_INDEX 13 +#define MAX_RSA_MSG_LEN 256 #define TEGRA_RSA512 0 #define TEGRA_RSA1024 1 @@ -539,6 +543,11 @@ static int tegra_crypto_sha(struct tegra_sha_req *sha_req) unsigned long *xbuf[XBUFSIZE]; int ret = -ENOMEM; + if (sha_req->plaintext_sz > PAGE_SIZE) { + pr_err("alg:hash: invalid plaintext_sz for sha_req\n"); + return -EINVAL; + } + tfm = crypto_alloc_ahash(sha_req->algo, 0, 0); if (IS_ERR(tfm)) { pr_err("alg:hash:Failed to load transform for %s:%ld\n", @@ -653,6 +662,11 @@ static long tegra_crypto_dev_ioctl(struct file *filp, ret = copy_from_user(&crypt_req_32, (void __user *)arg, sizeof(crypt_req_32)); + if (crypt_req_32.keylen > TEGRA_CRYPTO_MAX_KEY_SIZE) { + pr_err("key length %d exceeds max value %d\n", + crypt_req_32.keylen, TEGRA_CRYPTO_MAX_KEY_SIZE); + return -EINVAL; + } crypt_req.op = crypt_req_32.op; crypt_req.encrypt = crypt_req_32.encrypt; crypt_req.skip_key = crypt_req_32.skip_key; @@ -792,6 +806,11 @@ rng_out: ret = copy_from_user(&sha_req_32, (void __user *)arg, sizeof(sha_req_32)); + if (sha_req_32.keylen > TEGRA_CRYPTO_MAX_KEY_SIZE) { + pr_err("key length %d not within the range [0,%d]\n", + sha_req_32.keylen, TEGRA_CRYPTO_MAX_KEY_SIZE); + return -EINVAL; + } for (i = 0; i < sha_req_32.keylen; i++) sha_req.key[i] = sha_req_32.key[i]; sha_req.keylen = sha_req_32.keylen; @@ -816,7 +835,12 @@ rng_out: __func__, ret); return ret; } - + if (sha_req.keylen > TEGRA_CRYPTO_MAX_KEY_SIZE) { + pr_err("key length %d out of range [0,%d]\n", + sha_req.keylen + , TEGRA_CRYPTO_MAX_KEY_SIZE); + return -EINVAL; + } ret = tegra_crypto_sha(&sha_req); } else { ret = -EINVAL; @@ -856,7 +880,16 @@ rng_out: pr_err("%s: copy_from_user fail(%d)\n", __func__, ret); return ret; } - + if (rsa_req.msg_len > MAX_RSA_MSG_LEN) { + pr_err("Illegal message from user of length = %d\n", + rsa_req.msg_len); + return -EINVAL; + } + if (rsa_req.algo >= NUM_RSA_ALGO) { + pr_err("Invalid value of algo index %d\n", + rsa_req.algo); + return -EINVAL; + } ret = tegra_crypt_rsa(ctx, &rsa_req); break; diff --git a/drivers/misc/tegra-cryptodev.h b/drivers/misc/tegra-cryptodev.h index 706d0af25d57..de89516fe6fc 100644 --- a/drivers/misc/tegra-cryptodev.h +++ b/drivers/misc/tegra-cryptodev.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010-2014, NVIDIA Corporation. All Rights Reserved. + * Copyright (c) 2010-2017, NVIDIA Corporation. All Rights Reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -50,7 +50,7 @@ struct tegra_crypt_req { int op; /* e.g. TEGRA_CRYPTO_ECB */ bool encrypt; char key[TEGRA_CRYPTO_MAX_KEY_SIZE]; - int keylen; + unsigned int keylen; char iv[TEGRA_CRYPTO_IV_SIZE]; int ivlen; u8 *plaintext; @@ -67,7 +67,7 @@ struct tegra_crypt_req_32 { int op; /* e.g. TEGRA_CRYPTO_ECB */ bool encrypt; char key[TEGRA_CRYPTO_MAX_KEY_SIZE]; - int keylen; + unsigned int keylen; char iv[TEGRA_CRYPTO_IV_SIZE]; int ivlen; __u32 plaintext; @@ -112,12 +112,12 @@ struct tegra_rsa_req { char *key; char *message; char *result; - int algo; - int keylen; - int msg_len; - int modlen; - int pub_explen; - int prv_explen; + unsigned int algo; + unsigned int keylen; + unsigned int msg_len; + unsigned int modlen; + unsigned int pub_explen; + unsigned int prv_explen; int skip_key; }; #define TEGRA_CRYPTO_IOCTL_RSA_REQ \ @@ -128,12 +128,12 @@ struct tegra_rsa_req_32 { __u32 key; __u32 message; __u32 result; - int algo; - int keylen; - int msg_len; - int modlen; - int pub_explen; - int prv_explen; + __u32 algo; + __u32 keylen; + __u32 msg_len; + __u32 modlen; + __u32 pub_explen; + __u32 prv_explen; int skip_key; }; #define TEGRA_CRYPTO_IOCTL_RSA_REQ_32 \ @@ -142,11 +142,11 @@ struct tegra_rsa_req_32 { struct tegra_sha_req { char key[TEGRA_CRYPTO_MAX_KEY_SIZE]; - int keylen; + unsigned int keylen; unsigned char *algo; unsigned char *plaintext; unsigned char *result; - int plaintext_sz; + unsigned int plaintext_sz; }; #define TEGRA_CRYPTO_IOCTL_GET_SHA \ _IOWR(0x98, 104, struct tegra_sha_req) @@ -154,11 +154,11 @@ struct tegra_sha_req { #ifdef CONFIG_COMPAT struct tegra_sha_req_32 { char key[TEGRA_CRYPTO_MAX_KEY_SIZE]; - int keylen; + __u32 keylen; __u32 algo; __u32 plaintext; __u32 result; - int plaintext_sz; + __u32 plaintext_sz; }; #define TEGRA_CRYPTO_IOCTL_GET_SHA_32 \ _IOWR(0x98, 104, struct tegra_sha_req_32) diff --git a/drivers/misc/tegra-profiler/comm.c b/drivers/misc/tegra-profiler/comm.c index 80c84614081a..f99ee849fcff 100644 --- a/drivers/misc/tegra-profiler/comm.c +++ b/drivers/misc/tegra-profiler/comm.c @@ -483,6 +483,7 @@ device_ioctl(struct file *file, break; case IOCTL_GET_CAP: + memset(&cap, 0, sizeof(cap)); comm_ctx.control->get_capabilities(&cap); if (copy_to_user((void __user *)ioctl_param, &cap, sizeof(struct quadd_comm_cap))) { @@ -493,6 +494,7 @@ device_ioctl(struct file *file, break; case IOCTL_GET_VERSION: + memset(&versions, 0, sizeof(versions)); strcpy((char *)versions.branch, QUADD_MODULE_BRANCH); strcpy((char *)versions.version, QUADD_MODULE_VERSION); diff --git a/drivers/mmc/card/mmc_test.c b/drivers/mmc/card/mmc_test.c index 69f549d17a53..784e5b4dc46d 100644 --- a/drivers/mmc/card/mmc_test.c +++ b/drivers/mmc/card/mmc_test.c @@ -3021,7 +3021,7 @@ static ssize_t mtf_test_write(struct file *file, const char __user *buf, char *data_buf = NULL; long testcase; - data_buf = kzalloc(count, GFP_KERNEL); + data_buf = kzalloc(count+1, GFP_KERNEL); if (data_buf == NULL) return -ENOMEM; @@ -3029,7 +3029,6 @@ static ssize_t mtf_test_write(struct file *file, const char __user *buf, kfree(data_buf); return -EFAULT; } - data_buf[strlen(data_buf) - 1] = '\0'; if (mmc_test_extract_parameters(data_buf)) { mmc_test_usage(sf); return -EFAULT; diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c index 2ed77066e8d6..3e1cabd21919 100644 --- a/drivers/mmc/core/mmc.c +++ b/drivers/mmc/core/mmc.c @@ -294,7 +294,7 @@ static int mmc_read_ext_csd(struct mmc_card *card, u8 *ext_csd) } card->ext_csd.rev = ext_csd[EXT_CSD_REV]; - if (card->ext_csd.rev > 7) { + if (card->ext_csd.rev > 8) { pr_err("%s: unrecognised EXT_CSD revision %d\n", mmc_hostname(card->host), card->ext_csd.rev); err = -EINVAL; diff --git a/drivers/spi/spi-tegra114.c b/drivers/spi/spi-tegra114.c index e6f6becf57de..f0e694a8a3a2 100644 --- a/drivers/spi/spi-tegra114.c +++ b/drivers/spi/spi-tegra114.c @@ -1,7 +1,7 @@ /* * SPI driver for NVIDIA's Tegra114 SPI Controller. * - * Copyright (c) 2013-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2013-2016, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -161,18 +161,20 @@ #define SPI_DMA_TIMEOUT (msecs_to_jiffies(10000)) #define DEFAULT_SPI_DMA_BUF_LEN (16*1024) -#define TX_FIFO_EMPTY_COUNT_MAX SPI_TX_FIFO_EMPTY_COUNT(0x40) -#define RX_FIFO_FULL_COUNT_ZERO SPI_RX_FIFO_FULL_COUNT(0) +#define TX_FIFO_EMPTY_COUNT_MAX (0x40) +#define RX_FIFO_FULL_COUNT_ZERO (0) #define MAX_HOLD_CYCLES 16 #define SPI_DEFAULT_SPEED 25000000 #define MAX_CHIP_SELECT 4 #define SPI_FIFO_DEPTH 64 +#define SPI_FIFO_FLUSH_MAX_DELAY 2000 #ifdef CONFIG_ARCH_TEGRA_12x_SOC #define SPI_SPEED_TAP_DELAY_MARGIN 35000000 #define SPI_DEFAULT_RX_TAP_DELAY 10 #endif +#define SPI_POLL_TIMEOUT 10000 struct tegra_spi_data { struct device *dev; @@ -184,6 +186,8 @@ struct tegra_spi_data { phys_addr_t phys; unsigned irq; bool clock_always_on; + bool polling_mode; + bool boost_reg_access; u32 spi_max_frequency; u32 cur_speed; @@ -202,6 +206,7 @@ struct tegra_spi_data { unsigned max_buf_size; bool is_curr_dma_xfer; bool is_hw_based_cs; + bool transfer_in_progress; struct completion rx_dma_complete; struct completion tx_dma_complete; @@ -233,6 +238,8 @@ struct tegra_spi_data { static int tegra_spi_runtime_suspend(struct device *dev); static int tegra_spi_runtime_resume(struct device *dev); +static int tegra_spi_status_poll(struct tegra_spi_data *tspi); +static int tegra_spi_set_clock_rate(struct tegra_spi_data *tspi, u32 speed); static inline unsigned long tegra_spi_readl(struct tegra_spi_data *tspi, unsigned long reg) @@ -246,7 +253,7 @@ static inline void tegra_spi_writel(struct tegra_spi_data *tspi, writel(val, tspi->base + reg); /* Read back register to make sure that register writes completed */ - if (reg != SPI_TX_FIFO) + if ((reg == SPI_COMMAND1) && (val & SPI_PIO)) readl(tspi->base + SPI_COMMAND1); } @@ -256,11 +263,12 @@ static void tegra_spi_clear_status(struct tegra_spi_data *tspi) /* Write 1 to clear status register */ val = tegra_spi_readl(tspi, SPI_TRANS_STATUS); - tegra_spi_writel(tspi, val, SPI_TRANS_STATUS); + if (val & SPI_RDY) + tegra_spi_writel(tspi, val, SPI_TRANS_STATUS); /* Clear fifo status error if any */ - val = tegra_spi_readl(tspi, SPI_FIFO_STATUS); - if (val & SPI_ERR) + tspi->status_reg = tegra_spi_readl(tspi, SPI_FIFO_STATUS); + if (tspi->status_reg & SPI_ERR) tegra_spi_writel(tspi, SPI_ERR | SPI_FIFO_ERROR, SPI_FIFO_STATUS); } @@ -305,7 +313,6 @@ static unsigned tegra_spi_fill_tx_fifo_from_client_txbuf( { unsigned nbytes; unsigned tx_empty_count; - unsigned long fifo_status; unsigned max_n_32bit; unsigned i, count; unsigned long x; @@ -313,8 +320,7 @@ static unsigned tegra_spi_fill_tx_fifo_from_client_txbuf( unsigned fifo_words_left; u8 *tx_buf = (u8 *)t->tx_buf + tspi->cur_tx_pos; - fifo_status = tegra_spi_readl(tspi, SPI_FIFO_STATUS); - tx_empty_count = SPI_TX_FIFO_EMPTY_COUNT(fifo_status); + tx_empty_count = TX_FIFO_EMPTY_COUNT_MAX; if (tspi->is_packed) { fifo_words_left = tx_empty_count * tspi->words_per_32bit; @@ -354,7 +360,7 @@ static unsigned int tegra_spi_read_rx_fifo_to_client_rxbuf( unsigned len; u8 *rx_buf = (u8 *)t->rx_buf + tspi->cur_rx_pos; - fifo_status = tegra_spi_readl(tspi, SPI_FIFO_STATUS); + fifo_status = tspi->status_reg; rx_full_count = SPI_RX_FIFO_FULL_COUNT(fifo_status); if (tspi->is_packed) { len = tspi->curr_dma_words * tspi->bytes_per_word; @@ -496,21 +502,43 @@ static int tegra_spi_start_rx_dma(struct tegra_spi_data *tspi, int len) return 0; } -static int tegra_spi_start_dma_based_transfer( - struct tegra_spi_data *tspi, struct spi_transfer *t) +static int tegra_spi_clear_fifo(struct tegra_spi_data *tspi) { - unsigned long val; - unsigned int len; - int ret = 0; unsigned long status; + int cnt = SPI_FIFO_FLUSH_MAX_DELAY; /* Make sure that Rx and Tx fifo are empty */ - status = tegra_spi_readl(tspi, SPI_FIFO_STATUS); + status = tspi->status_reg; if ((status & SPI_FIFO_EMPTY) != SPI_FIFO_EMPTY) { + /* flush the fifo */ + status |= (SPI_RX_FIFO_FLUSH | SPI_TX_FIFO_FLUSH); + tegra_spi_writel(tspi, status, SPI_FIFO_STATUS); + do { + status = tegra_spi_readl(tspi, SPI_FIFO_STATUS); + if ((status & SPI_FIFO_EMPTY) == SPI_FIFO_EMPTY) { + tspi->status_reg = status; + return 0; + } + udelay(1); + } while (cnt--); dev_err(tspi->dev, "Rx/Tx fifo are not empty status 0x%08lx\n", status); return -EIO; } + return 0; +} + +static int tegra_spi_start_dma_based_transfer( + struct tegra_spi_data *tspi, struct spi_transfer *t) +{ + unsigned long val; + unsigned int len; + int ret = 0; + u32 speed; + + ret = tegra_spi_clear_fifo(tspi); + if (ret != 0) + return ret; val = SPI_DMA_BLK_SET(tspi->curr_dma_words - 1); tegra_spi_writel(tspi, val, SPI_DMA_BLK); @@ -529,11 +557,12 @@ static int tegra_spi_start_dma_based_transfer( else val |= SPI_TX_TRIG_8 | SPI_RX_TRIG_8; - if (tspi->cur_direction & DATA_DIR_TX) - val |= SPI_IE_TX; - - if (tspi->cur_direction & DATA_DIR_RX) - val |= SPI_IE_RX; + if (!tspi->polling_mode) { + if (tspi->cur_direction & DATA_DIR_TX) + val |= SPI_IE_TX; + if (tspi->cur_direction & DATA_DIR_RX) + val |= SPI_IE_RX; + } tegra_spi_writel(tspi, val, SPI_DMA_CTL); tspi->dma_control_reg = val; @@ -562,6 +591,15 @@ static int tegra_spi_start_dma_based_transfer( return ret; } } + + if (tspi->boost_reg_access) { + speed = t->speed_hz ? t->speed_hz : + tspi->cur_spi->max_speed_hz; + ret = tegra_spi_set_clock_rate(tspi, speed); + if (ret < 0) + return ret; + } + tspi->is_curr_dma_xfer = true; tspi->dma_control_reg = val; @@ -575,6 +613,9 @@ static int tegra_spi_start_cpu_based_transfer( { unsigned long val; unsigned cur_words; + int ret = 0; + u32 speed; + if (tspi->cur_direction & DATA_DIR_TX) cur_words = tegra_spi_fill_tx_fifo_from_client_txbuf(tspi, t); @@ -585,15 +626,24 @@ static int tegra_spi_start_cpu_based_transfer( tegra_spi_writel(tspi, val, SPI_DMA_BLK); val = 0; - if (tspi->cur_direction & DATA_DIR_TX) - val |= SPI_IE_TX; - - if (tspi->cur_direction & DATA_DIR_RX) - val |= SPI_IE_RX; + if (!tspi->polling_mode) { + if (tspi->cur_direction & DATA_DIR_TX) + val |= SPI_IE_TX; + if (tspi->cur_direction & DATA_DIR_RX) + val |= SPI_IE_RX; + } tegra_spi_writel(tspi, val, SPI_DMA_CTL); tspi->dma_control_reg = val; + if (tspi->boost_reg_access) { + speed = t->speed_hz ? t->speed_hz : + tspi->cur_spi->max_speed_hz; + ret = tegra_spi_set_clock_rate(tspi, speed); + if (ret < 0) + return ret; + } + tspi->is_curr_dma_xfer = false; val = tspi->command1_reg; val |= SPI_PIO; @@ -685,6 +735,22 @@ static void tegra_spi_deinit_dma_param(struct tegra_spi_data *tspi, dma_release_channel(dma_chan); } +static int tegra_spi_set_clock_rate(struct tegra_spi_data *tspi, u32 speed) +{ + int ret; + + if (speed == tspi->cur_speed) + return 0; + ret = clk_set_rate(tspi->clk, speed); + if (ret) { + dev_err(tspi->dev, "Failed to set clk freq %d\n", ret); + return -EINVAL; + } + tspi->cur_speed = speed; + + return 0; +} + static int tegra_spi_start_transfer_one(struct spi_device *spi, struct spi_transfer *t, bool is_first_of_msg, bool is_single_xfer) @@ -702,10 +768,13 @@ static int tegra_spi_start_transfer_one(struct spi_device *spi, speed = t->speed_hz ? t->speed_hz : spi->max_speed_hz; if (!speed) speed = tspi->spi_max_frequency; - if (speed != tspi->cur_speed) { - clk_set_rate(tspi->clk, speed); - tspi->cur_speed = speed; - } + /* set max clock for faster register access */ + if (tspi->boost_reg_access) + ret = tegra_spi_set_clock_rate(tspi, tspi->spi_max_frequency); + else + ret = tegra_spi_set_clock_rate(tspi, speed); + if (ret < 0) + return ret; tspi->cur_spi = spi; tspi->cur_pos = 0; @@ -834,6 +903,8 @@ static int tegra_spi_start_transfer_one(struct spi_device *spi, dev_dbg(tspi->dev, "The def 0x%x and written 0x%lx\n", tspi->def_command1_reg, command1); + tspi->status_reg = tegra_spi_readl(tspi, SPI_FIFO_STATUS); + if (total_fifo_words > SPI_FIFO_DEPTH) ret = tegra_spi_start_dma_based_transfer(tspi, t); else @@ -976,8 +1047,11 @@ static int tegra_spi_wait_on_message_xfer(struct tegra_spi_data *tspi) { int ret; - ret = wait_for_completion_timeout(&tspi->xfer_completion, - SPI_DMA_TIMEOUT); + if (tspi->polling_mode) + ret = tegra_spi_status_poll(tspi); + else + ret = wait_for_completion_timeout(&tspi->xfer_completion, + SPI_DMA_TIMEOUT); if (WARN_ON(ret == 0)) { dev_err(tspi->dev, "spi trasfer timeout, err %d\n", ret); @@ -992,6 +1066,7 @@ static int tegra_spi_wait_on_message_xfer(struct tegra_spi_data *tspi) } if (tspi->tx_status || tspi->rx_status) { dev_err(tspi->dev, "Error in Transfer\n"); + tegra_spi_clear_fifo(tspi); ret = -EIO; } @@ -1029,6 +1104,13 @@ static int tegra_spi_handle_message(struct tegra_spi_data *tspi, int ret = 0; long wait_status; + if (tspi->boost_reg_access) { + /* set max clock for faster register access */ + ret = tegra_spi_set_clock_rate(tspi, tspi->spi_max_frequency); + if (ret < 0) + return ret; + } + if (!tspi->is_curr_dma_xfer) { if (tspi->cur_direction & DATA_DIR_RX) tegra_spi_read_rx_fifo_to_client_rxbuf(tspi, xfer); @@ -1204,7 +1286,10 @@ static irqreturn_t tegra_spi_isr(int irq, void *context_data) { struct tegra_spi_data *tspi = context_data; - tspi->status_reg = tegra_spi_readl(tspi, SPI_FIFO_STATUS); + if (tspi->polling_mode) + dev_warn(tspi->dev, "interrupt raised in polling mode\n"); + + tegra_spi_clear_status(tspi); if (tspi->cur_direction & DATA_DIR_TX) tspi->tx_status = tspi->status_reg & (SPI_TX_FIFO_UNF | SPI_TX_FIFO_OVF); @@ -1218,7 +1303,6 @@ static irqreturn_t tegra_spi_isr(int irq, void *context_data) dev_err(tspi->dev, "spurious interrupt, status_reg = 0x%x\n", tspi->status_reg); - tegra_spi_clear_status(tspi); if (!tspi->is_curr_dma_xfer) handle_cpu_based_err_xfer(tspi); else @@ -1228,6 +1312,51 @@ static irqreturn_t tegra_spi_isr(int irq, void *context_data) return IRQ_HANDLED; } +static int tegra_spi_status_poll(struct tegra_spi_data *tspi) +{ + unsigned int status; + unsigned long timeout; + + timeout = SPI_POLL_TIMEOUT; + /* + * Read register would take between 1~3us and 1us delay added in loop + * Calculate timeout taking this into consideration + */ + do { + status = tegra_spi_readl(tspi, SPI_TRANS_STATUS); + if (status & SPI_RDY) + break; + timeout--; + udelay(1); + } while (timeout); + + if (!timeout) { + dev_err(tspi->dev, "transfer timeout (polling)\n"); + return 0; + } + + tegra_spi_clear_status(tspi); + if (tspi->cur_direction & DATA_DIR_TX) + tspi->tx_status = tspi->status_reg & + (SPI_TX_FIFO_UNF | SPI_TX_FIFO_OVF); + + if (tspi->cur_direction & DATA_DIR_RX) + tspi->rx_status = tspi->status_reg & + (SPI_RX_FIFO_OVF | SPI_RX_FIFO_UNF); + + if (!(tspi->cur_direction & DATA_DIR_TX) && + !(tspi->cur_direction & DATA_DIR_RX)) + dev_err(tspi->dev, "spurious interrupt, status_reg = 0x%x\n", + tspi->status_reg); + + if (!tspi->is_curr_dma_xfer) + handle_cpu_based_err_xfer(tspi); + else + handle_dma_based_err_xfer(tspi); + + return timeout; +} + static struct tegra_spi_platform_data *tegra_spi_parse_dt( struct platform_device *pdev) { @@ -1248,6 +1377,12 @@ static struct tegra_spi_platform_data *tegra_spi_parse_dt( if (of_find_property(np, "nvidia,clock-always-on", NULL)) pdata->is_clkon_always = true; + if (of_find_property(np, "nvidia,polling-mode", NULL)) + pdata->is_polling_mode = true; + + if (of_find_property(np, "nvidia,boost-reg-access", NULL)) + pdata->boost_reg_access = true; + return pdata; } @@ -1306,6 +1441,8 @@ static int tegra_spi_probe(struct platform_device *pdev) tspi = spi_master_get_devdata(master); tspi->master = master; tspi->clock_always_on = pdata->is_clkon_always; + tspi->polling_mode = pdata->is_polling_mode; + tspi->boost_reg_access = pdata->boost_reg_access; tspi->dev = &pdev->dev; spin_lock_init(&tspi->lock); diff --git a/drivers/usb/gadget/tegra_udc.c b/drivers/usb/gadget/tegra_udc.c index 0fd68f7bfb4b..b4141f4c5d06 100644 --- a/drivers/usb/gadget/tegra_udc.c +++ b/drivers/usb/gadget/tegra_udc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2012-2016, NVIDIA CORPORATION. All rights reserved. * * Description: * High-speed USB device controller driver. @@ -911,6 +911,20 @@ static struct ep_td_struct *tegra_build_dtd(struct tegra_req *req, dtd->size_ioc_sts = cpu_to_le32(swap_temp); + /* The short packet happened with ISO multi-transaction */ + if (req->ep->ep.mult && ((req->ep->desc->bmAttributes & + 0x3) == USB_ENDPOINT_XFER_ISOC)) { + if (*length <= req->ep->ep.maxpacket) { + swap_temp = cpu_to_le32(dtd->size_ioc_sts); + swap_temp |= DTD_MULTO_MULTIPLIER_1; + dtd->size_ioc_sts = cpu_to_le32(swap_temp); + } else if (*length <= (req->ep->ep.maxpacket * + req->ep->ep.mult)) { + swap_temp = cpu_to_le32(dtd->size_ioc_sts); + swap_temp |= DTD_MULTO_MULTIPLIER_2; + dtd->size_ioc_sts = cpu_to_le32(swap_temp); + } + } mb(); VDBG("length = %d address= 0x%x", *length, (int)*dma); diff --git a/drivers/usb/gadget/tegra_udc.h b/drivers/usb/gadget/tegra_udc.h index a7fe163785ff..67484720bc31 100644 --- a/drivers/usb/gadget/tegra_udc.h +++ b/drivers/usb/gadget/tegra_udc.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2012-2016, NVIDIA CORPORATION. All rights reserved. * * Description: * High-speed USB device controller driver. @@ -321,6 +321,8 @@ /* Endpoint Transfer Descriptor bit Masks */ #define DTD_NEXT_TERMINATE 0x00000001 +#define DTD_MULTO_MULTIPLIER_1 0x00000400 +#define DTD_MULTO_MULTIPLIER_2 0x00000800 #define DTD_IOC 0x00008000 #define DTD_STATUS_ACTIVE 0x00000080 #define DTD_STATUS_HALTED 0x00000040 diff --git a/drivers/video/tegra/dc/dsi_debug.c b/drivers/video/tegra/dc/dsi_debug.c index 9e3288be4cce..a29acca7491b 100644 --- a/drivers/video/tegra/dc/dsi_debug.c +++ b/drivers/video/tegra/dc/dsi_debug.c @@ -1,7 +1,7 @@ /* * drivers/video/tegra/dc/dsi_debug.c * - * Copyright (c) 2013-2014 NVIDIA CORPORATION, All rights reserved. + * Copyright (c) 2013-2017 NVIDIA CORPORATION, All rights reserved. * * This software is licensed under the terms of the GNU General Public * License version 2, as published by the Free Software Foundation, and @@ -31,6 +31,8 @@ #ifdef CONFIG_DEBUG_FS +#define MAX_PANEL_REG_READ_SIZE 300 + static int dbg_dsi_show(struct seq_file *s, void *unused) { struct tegra_dc_dsi_data *dsi = s->private; @@ -152,36 +154,43 @@ static int read_panel_get(struct seq_file *s, void *unused) struct tegra_dc_dsi_data *dsi = s->private; struct tegra_dc *dc = dsi->dc; int err = 0; - u8 buf[300] = {0}; + u8 buf[MAX_PANEL_REG_READ_SIZE] = {0}; int j = 0 , b = 0 , k; u32 payload_size = 0; if (!dsi->enabled) { dev_info(&dc->ndev->dev, " controller suspended\n"); - return -EINVAL; -} + return -EINVAL; + } seq_printf(s, "max ret payload size:0x%x\npanel reg addr:0x%x\n", max_ret_payload_size, panel_reg_addr); - if (max_ret_payload_size == 0) { - seq_puts(s, "echo was not successful\n"); - return err; -} + + if ((max_ret_payload_size > MAX_PANEL_REG_READ_SIZE) || + (max_ret_payload_size == 0)) { + seq_printf(s, "payload size should be positive value < 0x%x\n", + MAX_PANEL_REG_READ_SIZE); + return err; + } + + if (panel_reg_addr >= MAX_PANEL_REG_READ_SIZE) { + seq_puts(s, "panel reg addr is outside the range\n"); + return err; + } + + if (max_ret_payload_size > + (MAX_PANEL_REG_READ_SIZE - panel_reg_addr)) + max_ret_payload_size = + MAX_PANEL_REG_READ_SIZE - panel_reg_addr; + err = tegra_dsi_read_data(dsi->dc, dsi, max_ret_payload_size, panel_reg_addr, buf); - seq_printf(s, " Read data[%d] ", b); - - for (b = 1; b < (max_ret_payload_size+1); b++) { - j = (b*4)-1; - for (k = j; k > (j-4); k--) - if ((k%4) == 0 && b != max_ret_payload_size) { - seq_printf(s, " %x ", buf[k]); - seq_printf(s, "\n Read data[%d] ", b); - } - else - seq_printf(s, " %x ", buf[k]); + for (b = 0; b < max_ret_payload_size; b += 4) { + seq_printf(s, "\n Read data[%d] ", j++); + for (k = b+4; k > b; k--) + seq_printf(s, " %x ", buf[k-1]); } seq_puts(s, "\n"); diff --git a/drivers/video/tegra/dc/hdmi.c b/drivers/video/tegra/dc/hdmi.c index cb1a6c838839..eb8cf5d83852 100644 --- a/drivers/video/tegra/dc/hdmi.c +++ b/drivers/video/tegra/dc/hdmi.c @@ -4,7 +4,7 @@ * Copyright (C) 2010 Google, Inc. * Author: Erik Gilling <konkers@android.com> * - * Copyright (c) 2010-2015, NVIDIA CORPORATION, All rights reserved. + * Copyright (c) 2010-2016, NVIDIA CORPORATION, All rights reserved. * * This software is licensed under the terms of the GNU General Public * License version 2, as published by the Free Software Foundation, and @@ -2219,6 +2219,10 @@ static unsigned long tegra12x_hdmi_determine_parent( f = m % 1000; /* fractional parts */ f = (0 == f) ? f : (1000 - f); /* round-up */ if (0 == f) { /* exact match */ + if ((ref / 2 * b) < 100000000) { + /* parent clock runs at a minumum of 100MHz */ + continue; + } b = n; fr = f; break; diff --git a/drivers/video/tegra/host/bus_client.c b/drivers/video/tegra/host/bus_client.c index 2bf11ed426c0..eabb09f1a683 100644 --- a/drivers/video/tegra/host/bus_client.c +++ b/drivers/video/tegra/host/bus_client.c @@ -173,6 +173,9 @@ struct nvhost_channel_userctx { u32 priority; int clientid; bool timeout_debug_dump; + + /* lock to protect this structure from concurrent ioctl usage */ + struct mutex ioctl_lock; }; static int nvhost_channelrelease(struct inode *inode, struct file *filp) @@ -276,6 +279,7 @@ static int __nvhost_channelopen(struct inode *inode, pdata = dev_get_drvdata(ch->dev->dev.parent); priv->timeout = pdata->nvhost_timeout_default; priv->timeout_debug_dump = true; + mutex_init(&priv->ioctl_lock); if (!tegra_platform_is_silicon()) priv->timeout = 0; mutex_unlock(&channel_lock); @@ -394,12 +398,17 @@ static int nvhost_ioctl_channel_submit(struct nvhost_channel_userctx *ctx, u32 __user *waitbases = (u32 *)(uintptr_t)args->waitbases; u32 __user *fences = (u32 *)(uintptr_t)args->fences; u32 __user *class_ids = (u32 *)(uintptr_t)args->class_ids; + struct nvhost_device_data *pdata = platform_get_drvdata(ctx->ch->dev); struct nvhost_master *host = nvhost_get_host(ctx->ch->dev); u32 *local_waitbases = NULL, *local_class_ids = NULL; int err, i, hwctx_syncpt_idx = -1; - if (num_syncpt_incrs > host->info.nb_pts) + if ((num_syncpt_incrs < 1) || (num_syncpt_incrs > + host->info.nb_pts)) + return -EINVAL; + + if (num_cmdbufs < 0 || num_syncpt_incrs < 0) return -EINVAL; job = nvhost_job_alloc(ctx->ch, @@ -449,6 +458,13 @@ static int nvhost_ioctl_channel_submit(struct nvhost_channel_userctx *ctx, if (err) cmdbuf_ext.pre_fence = -1; + if (class_id && + class_id != pdata->class && + class_id != NV_HOST1X_CLASS_ID) { + err = -EINVAL; + goto fail; + } + nvhost_job_add_gather(job, cmdbuf.mem, cmdbuf.words, cmdbuf.offset, class_id, cmdbuf_ext.pre_fence); @@ -504,6 +520,8 @@ static int nvhost_ioctl_channel_submit(struct nvhost_channel_userctx *ctx, for (i = 0; i < num_syncpt_incrs; ++i) { u32 waitbase; struct nvhost_syncpt_incr sp; + bool found = false; + int j; /* Copy */ err = copy_from_user(&sp, syncpt_incrs + i, sizeof(sp)); @@ -511,7 +529,19 @@ static int nvhost_ioctl_channel_submit(struct nvhost_channel_userctx *ctx, goto fail; /* Validate */ - if (sp.syncpt_id >= host->info.nb_pts) { + if (sp.syncpt_id == 0) { + err = -EINVAL; + goto fail; + } + + for (j = 0; j < NVHOST_MODULE_MAX_SYNCPTS; ++j) { + if (pdata->syncpts[j] == sp.syncpt_id) { + found = true; + break; + } + } + + if (!found) { err = -EINVAL; goto fail; } @@ -580,7 +610,15 @@ static int nvhost_ioctl_channel_submit(struct nvhost_channel_userctx *ctx, * syncpoint is used. */ if (args->flags & BIT(NVHOST_SUBMIT_FLAG_SYNC_FENCE_FD)) { - struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs]; + struct nvhost_ctrl_sync_fence_info *pts; + + pts = kzalloc(num_syncpt_incrs * + sizeof(struct nvhost_ctrl_sync_fence_info), + GFP_KERNEL); + if (!pts) { + err = -ENOMEM; + goto fail; + } for (i = 0; i < num_syncpt_incrs; i++) { pts[i].id = job->sp[i].id; @@ -589,6 +627,7 @@ static int nvhost_ioctl_channel_submit(struct nvhost_channel_userctx *ctx, err = nvhost_sync_create_fence_fd(ctx->ch->dev, pts, num_syncpt_incrs, "fence", &args->fence); + kfree(pts); if (err) goto fail; } else if (num_syncpt_incrs == 1) @@ -739,8 +778,12 @@ static long nvhost_channelctl(struct file *filp, return -EFAULT; } + /* serialize calls from this fd */ + mutex_lock(&priv->ioctl_lock); + if (!priv->ch->dev) { pr_warn("Channel already unmapped\n"); + mutex_unlock(&priv->ioctl_lock); return -EFAULT; } @@ -772,7 +815,6 @@ static long nvhost_channelctl(struct file *filp, put_unused_fd(fd); break; } - fd_install(fd, file); err = __nvhost_channelopen(NULL, priv->ch, file); if (err) { @@ -782,6 +824,7 @@ static long nvhost_channelctl(struct file *filp, } ((struct nvhost_channel_open_args *)buf)->channel_fd = fd; + fd_install(fd, file); break; } case NVHOST_IOCTL_CHANNEL_GET_SYNCPOINTS: @@ -798,8 +841,12 @@ static long nvhost_channelctl(struct file *filp, platform_get_drvdata(priv->ch->dev); struct nvhost_get_param_arg *arg = (struct nvhost_get_param_arg *)buf; - if (arg->param >= NVHOST_MODULE_MAX_SYNCPTS) - return -EINVAL; + + if (arg->param >= NVHOST_MODULE_MAX_SYNCPTS) { + err = -EINVAL; + break; + } + /* if we already have required syncpt then return it ... */ if (pdata->syncpts[arg->param]) { arg->value = pdata->syncpts[arg->param]; @@ -808,8 +855,10 @@ static long nvhost_channelctl(struct file *filp, /* ... otherwise get a new syncpt dynamically */ arg->value = nvhost_get_syncpt_host_managed(pdata->pdev, arg->param); - if (!arg->value) - return -EAGAIN; + if (!arg->value) { + err = -EAGAIN; + break; + } /* ... and store it for further references */ pdata->syncpts[arg->param] = arg->value; break; @@ -827,8 +876,10 @@ static long nvhost_channelctl(struct file *filp, if (args_name) { if (strncpy_from_user(name, args_name, - sizeof(name)) < 0) - return -EFAULT; + sizeof(name)) < 0) { + err = -EFAULT; + break; + } name[sizeof(name) - 1] = '\0'; } else { name[0] = '\0'; @@ -842,8 +893,10 @@ static long nvhost_channelctl(struct file *filp, snprintf(set_name, sizeof(set_name), "%s_%s", dev_name(&pdata->pdev->dev), name); args->value = nvhost_get_syncpt_client_managed(set_name); - if (!args->value) - return -EAGAIN; + if (!args->value) { + err = -EAGAIN; + break; + } /* ... and store it for further references */ pdata->client_managed_syncpt = args->value; break; @@ -856,8 +909,10 @@ static long nvhost_channelctl(struct file *filp, platform_get_drvdata(priv->ch->dev); if (!args->value) break; - if (args->value != pdata->client_managed_syncpt) - return -EINVAL; + if (args->value != pdata->client_managed_syncpt) { + err = -EINVAL; + break; + } nvhost_free_syncpt(args->value); pdata->client_managed_syncpt = 0; break; @@ -878,8 +933,10 @@ static long nvhost_channelctl(struct file *filp, struct nvhost_get_param_arg *arg = (struct nvhost_get_param_arg *)buf; if (arg->param >= NVHOST_MODULE_MAX_WAITBASES - || !pdata->waitbases[arg->param]) - return -EINVAL; + || !pdata->waitbases[arg->param]) { + err = -EINVAL; + break; + } arg->value = pdata->waitbases[arg->param]; break; } @@ -898,9 +955,13 @@ static long nvhost_channelctl(struct file *filp, platform_get_drvdata(priv->ch->dev); struct nvhost_get_param_arg *arg = (struct nvhost_get_param_arg *)buf; - if (arg->param >= NVHOST_MODULE_MAX_MODMUTEXES - || !pdata->modulemutexes[arg->param]) - return -EINVAL; + + if (arg->param >= NVHOST_MODULE_MAX_MODMUTEXES || + !pdata->modulemutexes[arg->param]) { + err = -EINVAL; + break; + } + arg->value = pdata->modulemutexes[arg->param]; break; } @@ -1019,6 +1080,8 @@ static long nvhost_channelctl(struct file *filp, break; } + mutex_unlock(&priv->ioctl_lock); + if ((err == 0) && (_IOC_DIR(cmd) & _IOC_READ)) err = copy_to_user((void __user *)arg, buf, _IOC_SIZE(cmd)); diff --git a/drivers/video/tegra/host/host1x/host1x.c b/drivers/video/tegra/host/host1x/host1x.c index 5631189c354f..522219484286 100644 --- a/drivers/video/tegra/host/host1x/host1x.c +++ b/drivers/video/tegra/host/host1x/host1x.c @@ -206,11 +206,11 @@ static int nvhost_ioctl_ctrl_sync_fence_create(struct nvhost_ctrl_userctx *ctx, name[0] = '\0'; } - pts = kmalloc(sizeof(*pts) * args->num_pts, GFP_KERNEL); + pts = kmalloc_array(args->num_pts, sizeof(*pts), GFP_KERNEL); if (!pts) return -ENOMEM; - + /* Multiplication overflow would have errored in kmalloc_array */ if (copy_from_user(pts, args_pts, sizeof(*pts) * args->num_pts)) { err = -EFAULT; goto out; diff --git a/drivers/video/tegra/host/nvhost_job.c b/drivers/video/tegra/host/nvhost_job.c index 2100749d60dc..cd83b965a112 100644 --- a/drivers/video/tegra/host/nvhost_job.c +++ b/drivers/video/tegra/host/nvhost_job.c @@ -3,7 +3,7 @@ * * Tegra Graphics Host Job * - * Copyright (c) 2010-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2010-2016, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify it * under the terms and conditions of the GNU General Public License, @@ -38,21 +38,22 @@ static size_t job_size(u32 num_cmdbufs, u32 num_relocs, u32 num_waitchks, u32 num_syncpts) { - s64 num_unpins = num_cmdbufs + num_relocs; - s64 total; + u64 num_unpins = (u64)num_cmdbufs + (u64)num_relocs; + u64 total; total = sizeof(struct nvhost_job) - + num_relocs * sizeof(struct nvhost_reloc) - + num_relocs * sizeof(struct nvhost_reloc_shift) + + (u64)num_relocs * sizeof(struct nvhost_reloc) + + (u64)num_relocs * sizeof(struct nvhost_reloc_shift) + num_unpins * sizeof(struct nvhost_job_unpin) - + num_waitchks * sizeof(struct nvhost_waitchk) - + num_cmdbufs * sizeof(struct nvhost_job_gather) + + (u64)num_waitchks * sizeof(struct nvhost_waitchk) + + (u64)num_cmdbufs * sizeof(struct nvhost_job_gather) + num_unpins * sizeof(dma_addr_t) + num_unpins * sizeof(struct nvhost_pinid) - + num_syncpts * sizeof(struct nvhost_job_syncpt); + + (u64)num_syncpts * sizeof(struct nvhost_job_syncpt); - if(total > ULONG_MAX) + if (total > UINT_MAX) return 0; + return (size_t)total; } diff --git a/drivers/video/tegra/nvmap/nvmap.c b/drivers/video/tegra/nvmap/nvmap.c index 16eeeb2638d5..662646a2d6c6 100644 --- a/drivers/video/tegra/nvmap/nvmap.c +++ b/drivers/video/tegra/nvmap/nvmap.c @@ -3,7 +3,7 @@ * * Memory manager for Tegra GPU * - * Copyright (c) 2009-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2009-2017, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -196,6 +196,9 @@ void *__nvmap_kmap(struct nvmap_handle *h, unsigned int pagenum) if (!h) return NULL; + if (!h->alloc) + goto out; + if (pagenum >= h->size >> PAGE_SHIFT) goto out; prot = nvmap_pgprot(h, PG_PROT_KERNEL); @@ -222,7 +225,7 @@ void __nvmap_kunmap(struct nvmap_handle *h, unsigned int pagenum, phys_addr_t paddr; struct vm_struct *area = NULL; - if (!h || + if (!h || !h->alloc || WARN_ON(!virt_addr_valid(h)) || WARN_ON(!addr)) return; @@ -265,6 +268,9 @@ void *__nvmap_mmap(struct nvmap_handle *h) if (!h) return NULL; + if (!h->alloc) + goto put_handle; + prot = nvmap_pgprot(h, PG_PROT_KERNEL); if (h->heap_pgalloc) { @@ -273,7 +279,7 @@ void *__nvmap_mmap(struct nvmap_handle *h) pages = nvmap_pages(h->pgalloc.pages, h->size >> PAGE_SHIFT); if (!pages) - return NULL; + goto put_handle; vaddr = vm_map_ram(pages, h->size >> PAGE_SHIFT, -1, prot); nvmap_altfree(pages, @@ -293,10 +299,8 @@ void *__nvmap_mmap(struct nvmap_handle *h) adj_size = PAGE_ALIGN(adj_size); v = alloc_vm_area(adj_size, 0); - if (!v) { - nvmap_handle_put(h); - return NULL; - } + if (!v) + goto put_handle; p = v->addr + (h->carveout->base & ~PAGE_MASK); ioremap_page_range((ulong)v->addr, (ulong)v->addr + adj_size, @@ -306,11 +310,14 @@ void *__nvmap_mmap(struct nvmap_handle *h) * the handle will not be freed while the kernel mapping exists. * nvmap_handle_put will be called by unmapping this address */ return p; +put_handle: + nvmap_handle_put(h); + return NULL; } void __nvmap_munmap(struct nvmap_handle *h, void *addr) { - if (!h || + if (!h || !h->alloc || WARN_ON(!virt_addr_valid(h)) || WARN_ON(!addr)) return; @@ -444,6 +451,11 @@ struct sg_table *__nvmap_sg_table(struct nvmap_client *client, if (!h) return ERR_PTR(-EINVAL); + if (!h->alloc) { + err = -EINVAL; + goto put_handle; + } + npages = PAGE_ALIGN(h->size) >> PAGE_SHIFT; sgt = kzalloc(sizeof(*sgt), GFP_KERNEL); if (!sgt) { @@ -473,6 +485,7 @@ struct sg_table *__nvmap_sg_table(struct nvmap_client *client, err: kfree(sgt); +put_handle: nvmap_handle_put(h); return ERR_PTR(err); } diff --git a/drivers/video/tegra/nvmap/nvmap_dmabuf.c b/drivers/video/tegra/nvmap/nvmap_dmabuf.c index e0ade759a340..d5b0c8805766 100644 --- a/drivers/video/tegra/nvmap/nvmap_dmabuf.c +++ b/drivers/video/tegra/nvmap/nvmap_dmabuf.c @@ -599,7 +599,6 @@ err_nomem: int __nvmap_dmabuf_fd(struct nvmap_client *client, struct dma_buf *dmabuf, int flags) { - int fd; int start_fd = CONFIG_NVMAP_FD_START; #ifdef CONFIG_NVMAP_DEFER_FD_RECYCLE @@ -615,14 +614,8 @@ int __nvmap_dmabuf_fd(struct nvmap_client *client, * __FD_SETSIZE limitation issue for select(), * pselect() syscalls. */ - fd = __alloc_fd(current->files, start_fd, - sysctl_nr_open, flags); - if (fd < 0) - return fd; - - fd_install(fd, dmabuf->file); - - return fd; + return __alloc_fd(current->files, start_fd, + sysctl_nr_open, flags); } int nvmap_get_dmabuf_fd(struct nvmap_client *client, struct nvmap_handle *h) @@ -634,12 +627,8 @@ int nvmap_get_dmabuf_fd(struct nvmap_client *client, struct nvmap_handle *h) if (IS_ERR(dmabuf)) return PTR_ERR(dmabuf); fd = __nvmap_dmabuf_fd(client, dmabuf, O_CLOEXEC); - if (fd < 0) - goto err_out; - return fd; - -err_out: - dma_buf_put(dmabuf); + if (IS_ERR_VALUE(fd)) + dma_buf_put(dmabuf); return fd; } diff --git a/drivers/video/tegra/nvmap/nvmap_ioctl.c b/drivers/video/tegra/nvmap/nvmap_ioctl.c index 850afd1ff437..3f7573a9ffcc 100644 --- a/drivers/video/tegra/nvmap/nvmap_ioctl.c +++ b/drivers/video/tegra/nvmap/nvmap_ioctl.c @@ -3,7 +3,7 @@ * * User-space interface to nvmap * - * Copyright (c) 2011-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2011-2017, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -88,6 +88,7 @@ int nvmap_ioctl_pinop(struct file *filp, bool is_pin, void __user *arg, return -EFAULT; op.handles = (__u32 *)(uintptr_t)op32.handles; op.count = op32.count; + op.addr = (unsigned long *)(uintptr_t)op32.addr; } else #endif if (copy_from_user(&op, arg, sizeof(op))) @@ -226,6 +227,33 @@ const struct file_operations nvmap_fd_fops = { .mmap = nvmap_share_mmap, }; +static int nvmap_install_fd(struct nvmap_client *client, + struct nvmap_handle *handle, int fd, void __user *arg, + void *op, size_t op_size, bool free) +{ + int err = 0; + + if (IS_ERR_VALUE(fd)) { + err = fd; + goto fd_fail; + } + + if (copy_to_user(arg, op, op_size)) { + err = -EFAULT; + goto copy_fail; + } + + fd_install(fd, handle->dmabuf->file); + return err; + +copy_fail: + put_unused_fd(fd); +fd_fail: + if (free) + nvmap_free_handle(client, handle); + return err; +} + int nvmap_ioctl_getfd(struct file *filp, void __user *arg) { struct nvmap_handle *handle; @@ -241,14 +269,9 @@ int nvmap_ioctl_getfd(struct file *filp, void __user *arg) op.fd = nvmap_get_dmabuf_fd(client, handle); nvmap_handle_put(handle); - if (op.fd < 0) - return op.fd; - if (copy_to_user(arg, &op, sizeof(op))) { - sys_close(op.fd); - return -EFAULT; - } - return 0; + return nvmap_install_fd(client, handle, + op.fd, arg, &op, sizeof(op), 0); } int nvmap_ioctl_alloc(struct file *filp, void __user *arg) @@ -309,30 +332,11 @@ int nvmap_ioctl_alloc_kind(struct file *filp, void __user *arg) return err; } -int nvmap_create_fd(struct nvmap_client *client, struct nvmap_handle *h) -{ - int fd; - - fd = __nvmap_dmabuf_fd(client, h->dmabuf, O_CLOEXEC); - BUG_ON(fd == 0); - if (fd < 0) { - pr_err("Out of file descriptors"); - return fd; - } - /* __nvmap_dmabuf_fd() associates fd with dma_buf->file *. - * fd close drops one ref count on dmabuf->file *. - * to balance ref count, ref count dma_buf. - */ - get_dma_buf(h->dmabuf); - return fd; -} - int nvmap_ioctl_create(struct file *filp, unsigned int cmd, void __user *arg) { struct nvmap_create_handle op; struct nvmap_handle_ref *ref = NULL; struct nvmap_client *client = filp->private_data; - int err = 0; int fd = 0; if (copy_from_user(&op, arg, sizeof(op))) @@ -354,20 +358,10 @@ int nvmap_ioctl_create(struct file *filp, unsigned int cmd, void __user *arg) if (IS_ERR(ref)) return PTR_ERR(ref); - fd = nvmap_create_fd(client, ref->handle); - if (fd < 0) - err = fd; - + fd = nvmap_get_dmabuf_fd(client, ref->handle); op.handle = fd; - - if (copy_to_user(arg, &op, sizeof(op))) { - err = -EFAULT; - nvmap_free_handle(client, __nvmap_ref_to_id(ref)); - } - - if (err && fd > 0) - sys_close(fd); - return err; + return nvmap_install_fd(client, ref->handle, fd, + arg, &op, sizeof(op), 1); } int nvmap_map_into_caller_ptr(struct file *filp, void __user *arg, bool is32) @@ -472,9 +466,9 @@ int nvmap_ioctl_get_param(struct file *filp, void __user *arg, bool is32) struct nvmap_handle_param __user *uarg = arg; struct nvmap_handle_param op; struct nvmap_client *client = filp->private_data; - struct nvmap_handle_ref *ref; - struct nvmap_handle *h; - u64 result; + struct nvmap_handle_ref *ref = NULL; + struct nvmap_handle *h = NULL; + u64 result = 0; int err = 0; #ifdef CONFIG_COMPAT @@ -500,6 +494,9 @@ int nvmap_ioctl_get_param(struct file *filp, void __user *arg, bool is32) } err = nvmap_get_handle_param(client, ref, op.param, &result); + if (err) { + goto ref_fail; + } #ifdef CONFIG_COMPAT if (is32) @@ -936,6 +933,11 @@ int __nvmap_do_cache_maint(struct nvmap_client *client, if (!h) return -EFAULT; + if ((start >= h->size) || (end > h->size)) { + nvmap_handle_put(h); + return -EFAULT; + } + if (op == NVMAP_CACHE_OP_INV) op = NVMAP_CACHE_OP_WB_INV; @@ -1088,7 +1090,7 @@ int nvmap_ioctl_cache_maint_list(struct file *filp, void __user *arg, if (copy_from_user(&op, arg, sizeof(op))) return -EFAULT; - if (!op.nr) + if (!op.nr || op.nr > UINT_MAX / sizeof(u32)) return -EINVAL; if (!access_ok(VERIFY_READ, op.handles, op.nr * sizeof(u32))) diff --git a/drivers/video/tegra/nvmap/nvmap_mm.c b/drivers/video/tegra/nvmap/nvmap_mm.c index 133f00b1aaa9..fbf510081be7 100644 --- a/drivers/video/tegra/nvmap/nvmap_mm.c +++ b/drivers/video/tegra/nvmap/nvmap_mm.c @@ -3,7 +3,7 @@ * * Some MM related functionality specific to nvmap. * - * Copyright (c) 2013-2014, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2013-2017, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -193,6 +193,10 @@ void nvmap_zap_handle(struct nvmap_handle *handle, u32 offset, u32 size) size = PAGE_ALIGN((offset & ~PAGE_MASK) + size); + if ((offset >= handle->size) || (offset > handle->size - size) || + (size > handle->size)) + return; + mutex_lock(&handle->lock); vmas = &handle->vmas; list_for_each_entry(vma_list, vmas, list) { @@ -231,6 +235,15 @@ int nvmap_reserve_pages(struct nvmap_handle **handles, u32 *offsets, u32 *sizes, { int i; + /* validates all page params first */ + for (i = 0; i < nr; i++) { + u32 size = sizes[i] ? sizes[i] : handles[i]->size; + u32 offset = sizes[i] ? offsets[i] : 0; + + if ((offset != 0) || (size != handles[i]->size)) + return -EINVAL; + } + for (i = 0; i < nr; i++) { u32 size = sizes[i] ? sizes[i] : handles[i]->size; u32 offset = sizes[i] ? offsets[i] : 0; diff --git a/drivers/video/tegra/nvmap/nvmap_priv.h b/drivers/video/tegra/nvmap/nvmap_priv.h index a90a3269cd62..705745702abd 100644 --- a/drivers/video/tegra/nvmap/nvmap_priv.h +++ b/drivers/video/tegra/nvmap/nvmap_priv.h @@ -3,7 +3,7 @@ * * GPU memory management driver for Tegra * - * Copyright (c) 2009-2016, NVIDIA CORPORATION. All rights reserved. + * Copyright (c) 2009-2017, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -467,10 +467,13 @@ static inline void nvmap_handle_mk(struct nvmap_handle *h, void (*fn)(struct page **)) { int i; - int start_page = PAGE_ALIGN(offset) >> PAGE_SHIFT; - int end_page = (offset + size) >> PAGE_SHIFT; + u32 start_page = offset >> PAGE_SHIFT; + u32 end_page = PAGE_ALIGN(offset + size) >> PAGE_SHIFT; - if (h->heap_pgalloc) { + if (h->heap_pgalloc && + (offset < h->size) && + (size <= h->size) && + (offset <= (h->size - size))) { for (i = start_page; i < end_page; i++) fn(&h->pgalloc.pages[i]); } |