| Age | Commit message (Collapse) | Author |
|---|
|
With gcc 7 the following compile time error occurs:
| arch/arm/mach-tegra/tegra11_soctherm.c:2978:40: error: the omitted middle operand in ?: will always be 'true', suggest explicit middle operand [-Werror=parentheses]
| s->sensor_enable = s->sensor_enable ?: therm->zone_enable;
| ^
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
With gcc 7 the following compile time error occurs:
| drivers/video/tegra/dc/dsi.c:766:34: error: '*' in boolean context, suggest '&&' instead [-Werror=int-in-bool-context]
| drivers/video/tegra/dc/dsi.c:757:1:
| (platform_t_phy_ps) ? ( \
| ~~~~~~~~~~~~~~~~~~~
| kernel-source/drivers/video/tegra/dc/dsi.c:766:34:
| dsi->info.phy_timing.t_tlpx_ns * 1000,
| drivers/video/tegra/dc/dsi.c:757:2: note: in definition of macro 'SELECT_T_PHY'
| (platform_t_phy_ps) ? ( \
| ^~~~~~~~~~~~~~~~~
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
With gcc 7 the following compile time error occurs:
| arch/arm/mach-tegra/powergate-t12x.c:814:10: error: statement will never be executed [-Werror=switch-unreachable]
| return true;
| ^~~~
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
With gcc 7 the following compile time error occurs:
| .../drivers/usb/gadget/tegra_udc.c:2565:17: error: 'out' directive writing 3 bytes into a region of size between 2 and 11 [-Werror=format-overflow=]
| sprintf(name, "ep%dout", i);
| ^~~~~~~~~
| .../drivers/usb/gadget/tegra_udc.c:2565:3: note: 'sprintf' output between 7 and 16 bytes into a destination of size 14
| sprintf(name, "ep%dout", i);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~
The last end point will never be greater than 32 but the compiler can
not find this out from the code. Work around this by passing a format
specifier to interpreat i as a signed char.
Signed-off-by: Max Krummenacher <max.krummenacher@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Activate PWM pin muxing for Apalis PWM3. Note that the same PWM3 is
already active on pu6 being Apalis BKL1_PWM as well. Therefore exporting
that one for raw sysfs access will fail and one has to revert to using
the pwm backlight.
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Acked-by: Dominik Sliwa <dominik.sliwa@toradex.com>
|
|
Enable support for the Large Physical Address Extension aka LPAE.
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Acked-by: Dominik Sliwa <dominik.sliwa@toradex.com>
|
|
Signed-off-by: Dominik Sliwa <dominik.sliwa@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Tegra spi driver was using devm_kzalloc before dev
was bound.
Signed-off-by: Dominik Sliwa <dominik.sliwa@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
It turns out that the current PCIe reset implementation is not quite
working reliably due to some Intel i210 errata. Fix this by making sure
the i210's +V3.3_ETH rail is properly disabled during its reset
sequence.
Also further improve on the bringing up the PCIe switch as found on the
Apalis Evaluation board.
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Acked-by: Dominik Sliwa <dominik.sliwa@toradex.com>
|
|
Signed-off-by: Dominik Sliwa <dominik.sliwa@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Toradex Carrier boards use the ST M41T0 RTC (not M41T00). The RTC
is almost the same, but the M41T0 needs some special handling in
case the oscillator fails. Now that support for this difference is
available, using the new compatible string to make use of it.
Signed-off-by: Bhuvanchandra DV <bhuvanchandra.dv@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
The m41t0 variant is very similar to the already supported m41t00
variant, with the notable exception of the oscillator fail bit.
The data sheet notes:
If the oscillator fail (OF) bit is internally set to a '1,' this
indicates that the oscillator has either stopped, or was stopped
for some period of time and can be used to judge the validity of
the clock and date data.
The bit will get cleared with a regular write of the system time,
so no changes are needed to clear it.
Signed-off-by: Bhuvanchandra DV <bhuvanchandra.dv@toradex.com>
(backported from commit 8566f70c8a90f3914b06e934852596ba94aaa381)
|
|
We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context being
only partially available, and can lead to use-after-free.
Bug 1885775
Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1506479
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Handle the race condition between malicious fd close and
copy_to_user error, which can create use after free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to use after free condition.
Fixing Google Bug 32160775.
Bug 1835857
Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-on: http://git-master/r/1248391
Reviewed-on: https://git-master.nvidia.com/r/1512958
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Prepare for snapd integration.
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Acked-by: Dominik Sliwa <dominik.sliwa@toradex.com>
|
|
Change SPI2 clock parent to clk_m being 12 MHz which is anyway the
maximum frequency the K20 micro controller's SPI peripheral can be run.
This further allows for the EzPort to be run at exactly 2 MHz which is
the maximum allowed as well.
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Acked-by: Dominik Sliwa <dominik.sliwa@toradex.com>
|
|
Signed-off-by: Stefan Agner <stefan.agner@toradex.com>
Acked-by: Max Krummenacher <max.krummenacher@toradex.com>
(cherry picked from commit 15e73283a975a1b899d7f6807aa882ef885573dd)
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Acked-by: Dominik Sliwa <dominik.sliwa@toradex.com>
|
|
This patch includes CAN driver and improvements in SPI communications
for Apalis TK1 k20 based MFD.
Requires firmware version 0.9.
Signed-off-by: Dominik Sliwa <dominik.sliwa@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Drive current for LANE4 was not set if configured as 24bpp LVDS out.
Fix it by programming proper drive current register if using 24bpp out.
https://devtalk.nvidia.com/default/topic/1003030
Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
Acked-by: Dominik Sliwa <dominik.sliwa@toradex.com>
|
|
In the debugfs support for reading panel registers, max payload
needs to be limited to the buff array size to avoid stack corruption.
Bug 1873360
Change-Id: Ibee7bd81027d2669297942c09b905f1dd3bb09ee
Signed-off-by: Pavan Kunapuli <pkunapuli@nvidia.com>
Signed-off-by: sakets <sakets@nvidia.com>
Reviewed-on: https://git-master/r/1507653
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
When the NVMAP_IOC_PIN_MULT_32 and NVMAP_IOC_UNPIN_MULT_32 are
called it is possible that the op.addr is not initialized. This
can cause write to some random address thus causing corruption.
This patch fixes Google Bug 31668540
bug 1832092
Change-Id: I4d12d1a6c777131ba1fa2a753ea640861f8e82a6
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1314406
(cherry picked from commit da0c43534bb61e2e0849e297d389517d5e4ed168)
Reviewed-on: http://git-master/r/1504673
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Use locking to protect generated fd, so that it can't be
freed before channel open completes. Also add null value checks
in release call.
CVE-2016-8449 (A-31798848)
Bug 1830023
Bug 1849492
Change-Id: Ie6e2b29c7132fdfdff6b0bfa75440bd43afffd5f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285817
(cherry picked from commit 2ff0fdedfd65f269359d6540df4662e958681aa7)
Reviewed-on: http://git-master/r/1299505
(cherry picked from commit ea1af2ce5a746bda36205357c9e0adaf527026bb)
Reviewed-on: http://git-master/r/1489467
(cherry picked from commit 89559abb25f82dc333eafa26391be0a50d6e9e0a)
Reviewed-on: http://git-master/r/1504674
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Use the correct page size index for pgsz_idx in gk20a_vm_alloc_space().
Previously the page size itself was used, not the page size index.
Bug 1837624
Change-Id: I652f5af5321c1c49dc8eb170d3f92f00c23d2b6f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
(cherry picked from commit fd13e0e1c4e397335c24497a0f92c85934d6185f)
Reviewed-on: http://git-master/r/1503371
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Consider the following case:
1. NVMAP_IOC_CREATE on IOVMM gives a valid fd to user space
2. user space does not call NVMAP_IOC_ALLOC.
3. user space calls a client driver IOCTL which calls dma_buf_map_attachment
4. call to dma_buf_map_attachment propagates till__nvmap_sg_table
which has heap_pgalloc as true and tries to access pages[]
which has all NULL.
5. Similarly, a dma_buf_kmap() can result in __nvmap_kmap() being called
which again results in NULL dereference if pages[] is accessed.
A valid __nvmap_sg_table should occur only when h->alloc is true.
So, add check for it.
bug 1838597
bug 1883708
Change-Id: I400d9d8a94ff1003db207fc9c252b9256d796f60
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit 8244d104b7635cb0b26b651b6851498b9a84d7d6)
Reviewed-on: http://git-master/r/1489579
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.
Bug 1884311
Bug 1820242
Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-on: http://git-master/r/1489707
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Check all pages' parameters before reserve pages.
Bug 1883463
Bug 1831426
Bug 200247013
Manual port: http://git-psac/r/9287
(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)
Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Signed-off-by: Xia Yang <xiay@nvidia.com>
Signed-off-by: Sagar Kadamati <skadamati@nvidia.com>
Reviewed-on: http://git-master/r/1273326
Reviewed-on: http://git-master/r/1488769
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
gk20a_channel_release() should bail if filp->private_data is
NULL. This can happen as a result of gk20a_channel_release()
being called when __gk20a_channel_open() fails in
NVHOST_IOCTL_CHANNEL_OPEN.
Bug 200014898
Change-Id: I32cc957aca46fcd4265a8052ac5be355b644b9f7
Signed-off-by: Aingara Paramakuru <aparamakuru@nvidia.com>
Reviewed-on: http://git-master/r/496138
(cherry picked from commit cb0db6618c42ab4c33574f09f212ab1ee9a0438a)
Reviewed-on: http://git-master/r/1258588
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
Fix UAF (use-after-free) security issue in
camera.pcl driver
Bug 1832830
Change-Id: Ie0f8a58a7bb9d1b4949e0f68d25d6da108f06e76
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1271371
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
- Add mutex_lock(cam_desc.d_mutex) around ioctl access functions.
- Check cam->cdev in PCLLK_IOCTL_DEV_DEL ioctl.
(Back ported from Nexus N9 project)
Bug 1832830
Signed-off-by: <tiangangpi@gmail.com>
Signed-off-by: Xiaya Hu <xiaya@nvidia.com>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 28026625
Change-Id: I81fbab628fb6516afa2cf5d3e0adf333aa2eb003
Reviewed-on: http://git-master/r/1271370
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Check a few input params to make sure there is
no potential for a heap overflow in the driver.
(Back ported from Nexus N9 project)
Bug 1757475 (nvidia)
Bug 1832830 (nvidia)
Bug 28193342 (google)
Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13
Signed-off-by: Amey Asgaonkar <aasgaonkar@nvidia.com>
Reviewed-on: http://git-master/r/1271369
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
The driver expects the userspace-provided table to be terminated with
addr == CAMERA_TABLE_END. Reject tables that aren't.
(back ported from Nexus N9 project)
Bug 1832830
Change-Id: Id1e168e02fbf323d094fe8c36c6e4bd90cceee4f
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271368
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Several places in the camera stack can hit integer overflows or cause
bad allocations if userspace passes in a bogus sizeofvalue parameter.
Protect against this by using appropriately-sized integer types, adding
range checks, replacing array-allocation calls with kcalloc(), and
checking for allocations returning ZERO_SIZE_PTR.
For one specific ioctl (PCLLK_IOCTL_UPDATE) sizeofvalue = 0 is fine,
since when that happens the subdrivers won't actually touch the returned
allocation. In fact the existing userspace camera driver makes calls
like these and expects them to succeed! Handle this special case by
adding a __camera_get_params variant that optionally treats zero-sized
inputs as valid.
(back ported from Nexus N9 project)
Bug 1832830
Change-Id: Ie3250d8a4b814de5820fa0190b4cbd1af3ca4b3f
Reported-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271367
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
change the type modifier from signed to unsigned
for plaintext_sz variable in tegra_sha_req structure
to avoid occurence of negative values in plaintext_sz
variable.
Bug 1883640
Change-Id: I853f1916f7d4b6ea901cfe83419d624720a7e64f
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1474814
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Currently nvhost performs minimal checking for submits it passes
to hardware: The kernel does not check if job syncpoints are allocated
and the gather classes are not verified currently.
This patch adds checks for syncpoint ids and gather classes.
Adapted from 0abcbd69c4cbd0093e223b6c248fdd53c2886951.
Bug 1831406
Change-Id: Ifb9d2090009d16d0f56bc11546036167c7f72228
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1242190
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
The size here comes from the user via the ioctl, it is a number between
1-u32max so the addition here could overflow on 32 bit systems.
This patch fixes a security vulnerability reported here:
https://code.google.com/p/android/issues/detail?id=228947
Change-Id: I17ed8c6e30826074cfc6dd833deb423be9bd89c5
Fixes: f453ba046074 ('DRM: add mode setting support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Cc: stable@kernel.org # v4.2
Signed-off-by: Dave Airlie <airlied@gmail.com>
Bug 1846814
Signed-off-by: Shreshtha SAHU <ssahu@nvidia.com>
Change-Id: I308e65797972a0a0650bd96bd130dfd2fbe9c993
Reviewed-on: http://git-master/r/1262503
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
dma_buf_get() return value is now validated before
passed down for further process.
Bug 1812180
Bug 1883864
Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-on: http://git-master/r/1220869
(cherry picked from commit e6fe9437c609252cf28ac76d2e6b33e905eaa843 in rel-21)
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Reviewed-on: http://git-master/r/1469135
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
This patch fixes pllx max value to 1530 and 1836Mhz
based on embedded clok settings considering aging factor
for CD575MI 24x7 and CD575MI 4/4/16 config
Bug 1900076
Change-Id: I9c6a769787fc04eac7ce4548e1a37a9a76972a6c
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1464315
GVS: Gerrit_Virtual_Submit
Reviewed-by: Peter Chiang <pchiang@nvidia.com>
|
|
Channel ioctl interface is not multithreading safe and as the
common case is that we have only a single active user for an open
fd, add a mutex to force serialization of ioctl calls.
Bug 1830021
Change-Id: Ifa6595a105b913345104f216f0541c371e89efe5
(cherry picked from commit 7b24caa9a8d2ab08fe0c7be112e805e44906d956)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248801
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
|
|
Fix possible use after free issue.
Bug 1814555
Bug 1884319
Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: http://git-master/r/1257999
(cherry picked from commit b1647da33cff0c498ca8439a722ea1962ecf6901 in rel-24)
Reviewed-on: http://git-master/r/1461184
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
New emc table for samsung dram is added on JetsonTK1 target.
Based on tegra bct strap value it can be chosen dynamically.
Both emc table and embedded emc table has been updated accordingly.
Bug 1752744
Change-Id: Ifc577d925712690daec6c6f1121458f01f720846
Signed-off-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-on: http://git-master/r/1312498
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Jetson TK1 doesn't support usb charging but the detection is still
running. Disable it to avoid unexpected behavior.
Bug 1861049
Change-Id: I13425d69e190a75084486ff1fc9afeb8aa7acb60
Signed-off-by: Roger Hsieh <rhsieh@nvidia.com>
Reviewed-on: http://git-master/r/1308015
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Change kmalloc to kmalloc_array to prevent overflow issues
caused by large values supplied by user.
Based on "video: tegra: host: Fix overflow issues in allocation"
in nvhost/.
Coverity ID 27942
Bug 1856419
Change-Id: I5e96d0ec184543782dfe8814ad7e856b3b71221c
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1295062
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Consider the following case:
1. NVMAP_IOC_CREATE gives a valid fd to user space
2. user space calls NVMAP_IOC_ALLOC and it fails. So, all
of the handle's allocation fields are zero.
3. Subsequent dma_buf_vmap, mmap on fd leads to __nvmap_mmap
call.
4. handle is valid but h->alloc, h->carveout, h->heap_pgalloc,
h->vaddr all are 0.
5. We check for h->heap_pgalloc which is false, so proceed and
dereference h->carveout leading to NULL pointer exception.
A valid __nvmap_mmap should occur only when h->alloc is true.
So, add check for it.
bug 1837468
Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1253236
(cherry picked from commit c5da78cf3d0c19f1e04501a4b3f64a5acacd0ff3)
Reviewed-on: http://git-master/r/1312264
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Copy from user may taint the scalar value members
in the respective struct variables.
Add check for verifying the validity of the
scalar value members to avoid undefined behaviour.
Bug 1903278
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Change-Id: Ic01c8d10886f9b02c61156f811b430acce8aca23
Reviewed-on: http://git-master/r/1473534
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
SHA message length is provided from user space
through IOCTL call. If this length is not valid,
then it can lead to panic due to buffer overflow.
Fix by checking message length for SHA before
copying from user space
Bug 1883640
Change-Id: Idc5c6074784290b4622b1c23e5feb43849100cb5
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1471180
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.
However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets
freed
in dccp_rcv_state_process.
Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.
Similar fixes for TCP:
fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly
freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug 200285540
Change-Id: I3bec712b03278102c88933d4684324c3f414b606
Signed-off-by: Sandipan Patra <spatra@nvidia.com>
Reviewed-on: http://git-master/r/1325204
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Due to problems with LP0 sleep, make LP1 the default option.
Signed-off-by: Dominik Sliwa <dominik.sliwa@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Use modedb to set mode on Apalis TK1 frame buffer/display
controller.
Signed-off-by: Bhuvanchandra DV <bhuvanchandra.dv@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Allow to specify framebuffer videomode using kernel command line
parameters. NVIDIAs binary X driver later on picks up those settings
and start X with current mode settings, if no EDID data are available.
Reused some of the implementation from Stefan's work for modedb
support[1] on Tegra20/30
[1] http://git.toradex.com/cgit/linux-toradex.git/commit/?h=tegra-next&id=1d3625dd9903bcc59e2df56836565ebb682948c1
Signed-off-by: Bhuvanchandra DV <bhuvanchandra.dv@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
|
Instead of providing revision, SKU and PID information
via soc_id pass SoC's unique ID.
Signed-off-by: Bhuvanchandra DV <bhuvanchandra.dv@toradex.com>
Acked-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
|
