Age | Commit message (Collapse) | Author |
|
We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context being
only partially available, and can lead to use-after-free.
Bug 1885775
Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: https://git-master.nvidia.com/r/1506479
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Handle the race condition between malicious fd close and
copy_to_user error, which can create use after free condition.
This is fixed by deferring the fd install, which eliminates
the race that leads to use after free condition.
Fixing Google Bug 32160775.
Bug 1835857
Change-Id: I337807e4360661beced8f9e1155c47b66607b8df
Signed-off-by: Krishna Reddy <vdumpa@nvidia.com>
Reviewed-on: http://git-master/r/1248391
Reviewed-on: https://git-master.nvidia.com/r/1512958
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
In the debugfs support for reading panel registers, max payload
needs to be limited to the buff array size to avoid stack corruption.
Bug 1873360
Change-Id: Ibee7bd81027d2669297942c09b905f1dd3bb09ee
Signed-off-by: Pavan Kunapuli <pkunapuli@nvidia.com>
Signed-off-by: sakets <sakets@nvidia.com>
Reviewed-on: https://git-master/r/1507653
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
When the NVMAP_IOC_PIN_MULT_32 and NVMAP_IOC_UNPIN_MULT_32 are
called it is possible that the op.addr is not initialized. This
can cause write to some random address thus causing corruption.
This patch fixes Google Bug 31668540
bug 1832092
Change-Id: I4d12d1a6c777131ba1fa2a753ea640861f8e82a6
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1314406
(cherry picked from commit da0c43534bb61e2e0849e297d389517d5e4ed168)
Reviewed-on: http://git-master/r/1504673
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Use locking to protect generated fd, so that it can't be
freed before channel open completes. Also add null value checks
in release call.
CVE-2016-8449 (A-31798848)
Bug 1830023
Bug 1849492
Change-Id: Ie6e2b29c7132fdfdff6b0bfa75440bd43afffd5f
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1285817
(cherry picked from commit 2ff0fdedfd65f269359d6540df4662e958681aa7)
Reviewed-on: http://git-master/r/1299505
(cherry picked from commit ea1af2ce5a746bda36205357c9e0adaf527026bb)
Reviewed-on: http://git-master/r/1489467
(cherry picked from commit 89559abb25f82dc333eafa26391be0a50d6e9e0a)
Reviewed-on: http://git-master/r/1504674
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Use the correct page size index for pgsz_idx in gk20a_vm_alloc_space().
Previously the page size itself was used, not the page size index.
Bug 1837624
Change-Id: I652f5af5321c1c49dc8eb170d3f92f00c23d2b6f
Signed-off-by: Alex Waterman <alexw@nvidia.com>
(cherry picked from commit fd13e0e1c4e397335c24497a0f92c85934d6185f)
Reviewed-on: http://git-master/r/1503371
Reviewed-by: Terje Bergstrom <tbergstrom@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Consider the following case:
1. NVMAP_IOC_CREATE on IOVMM gives a valid fd to user space
2. user space does not call NVMAP_IOC_ALLOC.
3. user space calls a client driver IOCTL which calls dma_buf_map_attachment
4. call to dma_buf_map_attachment propagates till__nvmap_sg_table
which has heap_pgalloc as true and tries to access pages[]
which has all NULL.
5. Similarly, a dma_buf_kmap() can result in __nvmap_kmap() being called
which again results in NULL dereference if pages[] is accessed.
A valid __nvmap_sg_table should occur only when h->alloc is true.
So, add check for it.
bug 1838597
bug 1883708
Change-Id: I400d9d8a94ff1003db207fc9c252b9256d796f60
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
(cherry picked from commit 8244d104b7635cb0b26b651b6851498b9a84d7d6)
Reviewed-on: http://git-master/r/1489579
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Initialized the uninitialized variables and handled return status
from nvmap_get_handle_param.
Bug 1884311
Bug 1820242
Change-Id: I2390c859d2b2af39eaff44749ca64e60920fe944
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1259560
Reviewed-on: http://git-master/r/1489707
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Check all pages' parameters before reserve pages.
Bug 1883463
Bug 1831426
Bug 200247013
Manual port: http://git-psac/r/9287
(cherry picked from commit 61a05b52b8a17593e2817076b9bf59efdd9268ad)
Change-Id: I2f47c385ff8f4a9ca6bf37ee41749bd684ca1a20
Signed-off-by: Xia Yang <xiay@nvidia.com>
Signed-off-by: Sagar Kadamati <skadamati@nvidia.com>
Reviewed-on: http://git-master/r/1273326
Reviewed-on: http://git-master/r/1488769
GVS: Gerrit_Virtual_Submit
Tested-by: Sumit Gupta <sumitg@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
gk20a_channel_release() should bail if filp->private_data is
NULL. This can happen as a result of gk20a_channel_release()
being called when __gk20a_channel_open() fails in
NVHOST_IOCTL_CHANNEL_OPEN.
Bug 200014898
Change-Id: I32cc957aca46fcd4265a8052ac5be355b644b9f7
Signed-off-by: Aingara Paramakuru <aparamakuru@nvidia.com>
Reviewed-on: http://git-master/r/496138
(cherry picked from commit cb0db6618c42ab4c33574f09f212ab1ee9a0438a)
Reviewed-on: http://git-master/r/1258588
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
Fix UAF (use-after-free) security issue in
camera.pcl driver
Bug 1832830
Change-Id: Ie0f8a58a7bb9d1b4949e0f68d25d6da108f06e76
Signed-off-by: Frank Chen <frankc@nvidia.com>
Reviewed-on: http://git-master/r/1271371
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
- Add mutex_lock(cam_desc.d_mutex) around ioctl access functions.
- Check cam->cdev in PCLLK_IOCTL_DEV_DEL ioctl.
(Back ported from Nexus N9 project)
Bug 1832830
Signed-off-by: <tiangangpi@gmail.com>
Signed-off-by: Xiaya Hu <xiaya@nvidia.com>
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 28026625
Change-Id: I81fbab628fb6516afa2cf5d3e0adf333aa2eb003
Reviewed-on: http://git-master/r/1271370
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Check a few input params to make sure there is
no potential for a heap overflow in the driver.
(Back ported from Nexus N9 project)
Bug 1757475 (nvidia)
Bug 1832830 (nvidia)
Bug 28193342 (google)
Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13
Signed-off-by: Amey Asgaonkar <aasgaonkar@nvidia.com>
Reviewed-on: http://git-master/r/1271369
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
The driver expects the userspace-provided table to be terminated with
addr == CAMERA_TABLE_END. Reject tables that aren't.
(back ported from Nexus N9 project)
Bug 1832830
Change-Id: Id1e168e02fbf323d094fe8c36c6e4bd90cceee4f
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271368
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Several places in the camera stack can hit integer overflows or cause
bad allocations if userspace passes in a bogus sizeofvalue parameter.
Protect against this by using appropriately-sized integer types, adding
range checks, replacing array-allocation calls with kcalloc(), and
checking for allocations returning ZERO_SIZE_PTR.
For one specific ioctl (PCLLK_IOCTL_UPDATE) sizeofvalue = 0 is fine,
since when that happens the subdrivers won't actually touch the returned
allocation. In fact the existing userspace camera driver makes calls
like these and expects them to succeed! Handle this special case by
adding a __camera_get_params variant that optionally treats zero-sized
inputs as valid.
(back ported from Nexus N9 project)
Bug 1832830
Change-Id: Ie3250d8a4b814de5820fa0190b4cbd1af3ca4b3f
Reported-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Reviewed-on: http://git-master/r/1271367
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Frank Chen <frankc@nvidia.com>
Tested-by: Frank Chen <frankc@nvidia.com>
Reviewed-by: Jihoon Bang <jbang@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
change the type modifier from signed to unsigned
for plaintext_sz variable in tegra_sha_req structure
to avoid occurence of negative values in plaintext_sz
variable.
Bug 1883640
Change-Id: I853f1916f7d4b6ea901cfe83419d624720a7e64f
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1474814
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Currently nvhost performs minimal checking for submits it passes
to hardware: The kernel does not check if job syncpoints are allocated
and the gather classes are not verified currently.
This patch adds checks for syncpoint ids and gather classes.
Adapted from 0abcbd69c4cbd0093e223b6c248fdd53c2886951.
Bug 1831406
Change-Id: Ifb9d2090009d16d0f56bc11546036167c7f72228
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1242190
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
The size here comes from the user via the ioctl, it is a number between
1-u32max so the addition here could overflow on 32 bit systems.
This patch fixes a security vulnerability reported here:
https://code.google.com/p/android/issues/detail?id=228947
Change-Id: I17ed8c6e30826074cfc6dd833deb423be9bd89c5
Fixes: f453ba046074 ('DRM: add mode setting support')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Daniel Stone <daniels@collabora.com>
Cc: stable@kernel.org # v4.2
Signed-off-by: Dave Airlie <airlied@gmail.com>
Bug 1846814
Signed-off-by: Shreshtha SAHU <ssahu@nvidia.com>
Change-Id: I308e65797972a0a0650bd96bd130dfd2fbe9c993
Reviewed-on: http://git-master/r/1262503
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
dma_buf_get() return value is now validated before
passed down for further process.
Bug 1812180
Bug 1883864
Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-on: http://git-master/r/1220869
(cherry picked from commit e6fe9437c609252cf28ac76d2e6b33e905eaa843 in rel-21)
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Change-Id: I443d676af2948c924f187988ab1c64c72b3e9232
Reviewed-on: http://git-master/r/1469135
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Channel ioctl interface is not multithreading safe and as the
common case is that we have only a single active user for an open
fd, add a mutex to force serialization of ioctl calls.
Bug 1830021
Change-Id: Ifa6595a105b913345104f216f0541c371e89efe5
(cherry picked from commit 7b24caa9a8d2ab08fe0c7be112e805e44906d956)
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248801
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
|
|
Fix possible use after free issue.
Bug 1814555
Bug 1884319
Change-Id: I826aa34f61d43fda5419a528697ce84ba2ce1eae
Reviewed-on: http://git-master/r/1221643
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Debarshi Dutta <ddutta@nvidia.com>
Reviewed-on: http://git-master/r/1257999
(cherry picked from commit b1647da33cff0c498ca8439a722ea1962ecf6901 in rel-24)
Reviewed-on: http://git-master/r/1461184
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Change kmalloc to kmalloc_array to prevent overflow issues
caused by large values supplied by user.
Based on "video: tegra: host: Fix overflow issues in allocation"
in nvhost/.
Coverity ID 27942
Bug 1856419
Change-Id: I5e96d0ec184543782dfe8814ad7e856b3b71221c
Signed-off-by: Mikko Perttunen <mperttunen@nvidia.com>
Reviewed-on: http://git-master/r/1295062
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Consider the following case:
1. NVMAP_IOC_CREATE gives a valid fd to user space
2. user space calls NVMAP_IOC_ALLOC and it fails. So, all
of the handle's allocation fields are zero.
3. Subsequent dma_buf_vmap, mmap on fd leads to __nvmap_mmap
call.
4. handle is valid but h->alloc, h->carveout, h->heap_pgalloc,
h->vaddr all are 0.
5. We check for h->heap_pgalloc which is false, so proceed and
dereference h->carveout leading to NULL pointer exception.
A valid __nvmap_mmap should occur only when h->alloc is true.
So, add check for it.
bug 1837468
Change-Id: I9be9d94f9b74c25b9b588fb1a16a74e96161ceda
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Reviewed-on: http://git-master/r/1253236
(cherry picked from commit c5da78cf3d0c19f1e04501a4b3f64a5acacd0ff3)
Reviewed-on: http://git-master/r/1312264
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Copy from user may taint the scalar value members
in the respective struct variables.
Add check for verifying the validity of the
scalar value members to avoid undefined behaviour.
Bug 1903278
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Change-Id: Ic01c8d10886f9b02c61156f811b430acce8aca23
Reviewed-on: http://git-master/r/1473534
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
SHA message length is provided from user space
through IOCTL call. If this length is not valid,
then it can lead to panic due to buffer overflow.
Fix by checking message length for SHA before
copying from user space
Bug 1883640
Change-Id: Idc5c6074784290b4622b1c23e5feb43849100cb5
Signed-off-by: Konduri Praveen <kondurip@nvidia.com>
Reviewed-on: http://git-master/r/1471180
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Mallikarjun Kasoju <mkasoju@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Validate the region specified by offset and size before performing
the operations like nvmap_prot_handle, nvmap_cache_maint and nvmap_handle_mk*.
This validation of offset and size once the values are in local variables
guarantees that even though user space changes the values in user buffers,
nvmap continues to perform operations with the contents that are validated.
Fixes Google Bug 34113000.
bug 1862379
Change-Id: Ief81887b3d94b49f3dcf4d2680d9d7b257c54092
Signed-off-by: Sri Krishna chowdary <schowdary@nvidia.com>
Signed-off-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-on: http://git-master/r/1298712
(cherry picked from commit f45441da608d8015ece73d253d4bdb48863f99e2)
Reviewed-on: http://git-master/r/1310316
(cherry picked from commit 57367ab3be5f1c52dd6b885f114ae90dfce5a363)
Reviewed-on: http://git-master/r/1319910
GVS: Gerrit_Virtual_Submit
|
|
Initialize character array buf in gk20a_channel_ioctl() to zero
Keeping it uninitialized can result in leaking kernel stack
info to user space since we pass this buffer to UMD
Bug 1793398
Change-Id: Iffd654dbaca3b4e3c8fd2ac270d0febd01c165b8
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1195862
(cherry picked from commit 118809f4bd07af20df2b6c012828834695a5fccf from dev-kernel linux-nvgpu.git)
Reviewed-on: http://git-master/r/1269683
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Christian Gonzalez <christiang@nvidia.com>
Tested-by: Christian Gonzalez <christiang@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Moved fd_install() at the end of the channel_open ioctl. So, the fd
can't be used until open ioctl completes.
Bug 1832094
Change-Id: Ib33d43bf5164418a38f98677d4e3295f3d1c1450
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248180
(cherry picked from commit e6a41d5c0049c2878543006b67b7ee2b2bbda2ab)
Reviewed-on: http://git-master/r/1249505
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
Check if there is at least one syncpt_incrs in each job.
Bug 1812182
Change-Id: I0bd0b2e7c4d01641c83ba729ec34390ddea81496
Reviewed-on: http://git-master/r/1221226
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Reviewed-on: http://git-master/r/1248797
GVS: Gerrit_Virtual_Submit
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
|
|
This change fixes a regression introduced by commit
f5f0b7aa8 (gpio: pca953x: make the register access by GPIO bank)
When the pca953x driver was converted to using 8-bit reads/writes
the bitmask in pca953x_gpio_get_value wasn't adjusted with a
modulus BANK_SZ and consequently looks at the wrong bits in the
input register.
Bug 1826501
Change-Id: Id9c9d1cab9fb97e2fdf9408b03873722f787fbec
Signed-off-by: Andrew Ruder <andrew.ruder@elecsyscorp.com>
Reviewed-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
(cherry picked from commit 40a625daa88653d7942dc85483f6f289cd687cb7)
Signed-off-by: Martin Chi <mchi@nvidia.com>
Reviewed-on: http://git-master/r/1241694
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
Reviewed-on: http://git-master/r/1242944
GVS: Gerrit_Virtual_Submit
|
|
Bug 1779090
Change-Id: I733c6ff7b3e39216fcf25f9c0d048b4c752a9e84
Signed-off-by: Anubhav Jain <anubhavj@nvidia.com>
Reviewed-on: http://git-master/r/1173092
GVS: Gerrit_Virtual_Submit
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>
|
|
Allocate buffer with 1 extra byte for NULL terminator.
Bug 1791602
Change-Id: I3c3658315c2cd2a1dc7be7d72953998a5275e71e
Signed-off-by: Xia Yang <xiay@nvidia.com>
Reviewed-on: http://git-master/r/1216897
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
A use-after-free scenario is possible where one thread in
gk20a_free_error_notifiers() is trying to free the error
notifier and another thread in gk20a_set_error_notifier()
is still using the error notifier
Fix this by introducing mutex error_notifier_mutex for
error notifier accesses
Take mutex in gk20a_free_error_notifiers() and in
gk20a_set_error_notifier() before accessing notifier
In gk20a_init_error_notifier(), set the pointer
ch->error_notifier_ref inside the mutex and only
after notifier is completely initialized
Bug 1824788
Change-Id: I47e1ab57d54f391799f5a0999840b663fd34585f
Reviewed-on: http://git-master/r/1233988
Signed-off-by: Gagan Grover <ggrover@nvidia.com>
Signed-off-by: Gaurav Singh <gaursingh@nvidia.com>
Reviewed-on: http://git-master/r/1236695
GVS: Gerrit_Virtual_Submit
Reviewed-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
Add missing mutex unlock for nvavp_submit.
bug 1775299
Change-Id: I1b525e192bfd9dd19bcd0211484400445eda7b2b
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
Reviewed-on: http://git-master/r/1221210
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Add mutex lock for nvavp_submit to avoid race condition.
bug 1775299
Change-Id: I11a66a58a1f048d6a0ee5aa949f852bfef56dc07
Signed-off-by: Soumen Kumar Dey <sdey@nvidia.com>
Reviewed-on: http://git-master/r/1164117
(cherry picked from commit 1faa6a739996fdacff3dbc85ad46235f42ad79c9)
Reviewed-on: http://git-master/r/1214643
GVS: Gerrit_Virtual_Submit
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Fixed possible buffer overflow issue in func
nvavp_pushbuffer_update().
Bug 1774401
Change-Id: Id0dec1cbf91d492335d0809c3c0bf146f6cb9d3d
Signed-off-by: Praveen Kumar Reddy M.V. <pkreddy@nvidia.com>
Reviewed-on: http://git-master/r/1163365
(cherry picked from commit 1e9ba50b225e841b52a93503fce818c1a21100f7)
Reviewed-on: http://git-master/r/1164130
Reviewed-by: Automatic_Commit_Validation_User
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
|
|
Devslp is not POR for T124 anymore.
Bug 200231146
Change-Id: Ia5380a17d545d3082a31c5b16b6946fa0e7ce4d5
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Reviewed-on: http://git-master/r/1207452
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Added support to use polling mode instead of interrupts
through a property in dt
Bug 1679083
Change-Id: Ic82ab592822cc96bacda05124d38ddd913e09af9
Reviewed-on: http://git-master/r/840233
(cherry picked from commit cd1c4db5adc8317572106099da37fa434245e699)
Reviewed-on: http://git-master/r/1009988
(cherry picked from commit b29ce03a6b7ebb306ff157640470dd5ab99c6f6b)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1175213
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
Tested-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Reduce register accesses to SPI as it is dependent on
slow, variable SPI clock frequency.
Bug 1675619
Change-Id: I5d638b8f95d9207fbad1e30e21234fc7433e03b3
Reviewed-on: http://git-master/r/1009503
(cherry picked from commit 890a422a7b75507c33b53f1ca4c512f7911d61c4)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1174582
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
|
|
SPI register access for T210 and earlier chips depend
on SPI clock frequency. Provided an option to set SPI
clock at max frequency for register access.
Bug 1675625
Change-Id: Ie52c83cd4602604822462d9f02ddf31ead83aafc
Reviewed-on: http://git-master/r/1009782
(cherry picked from commit a2ccd28f2850538064668568432fee5d70a22e82)
Signed-off-by: Krishna Yarlagadda <kyarlagadda@nvidia.com>
Reviewed-on: http://git-master/r/1174581
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
|
|
fix stack information disclose bug
Bug 1797747
Change-Id: I7d2d33b9dbe3e81e8bb33aa9d7401dbb50525dce
Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Reviewed-on: http://git-master/r/1205757
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Fix stack info leak when getting capabilities
Bug 1797747
Change-Id: Ic39112748fb2f053e6963b88e46ba2d953390edf
Signed-off-by: Jianqiang Zhao <zhaojianqiang1@gmail.com>
Reviewed-on: http://git-master/r/1205756
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
|
|
Fix Tranaction Error due to short packet with ISO mult-transaction.
Set new value in Override Mult field to support short packet
Bug 1745903
Change-Id: I7409ba8943c2490afe714a0da9f7c05a63c949b4
Signed-off-by: Peter Chiang <pchiang@nvidia.com>
Reviewed-on: http://git-master/r/1175184
GVS: Gerrit_Virtual_Submit
Reviewed-by: Laxman Dewangan <ldewangan@nvidia.com>
|
|
Below addition on 32 bit architecture machines could
cause integer overflow since we will assign overflowed
value to "num_unpins"
s64 num_unpins = num_cmdbufs + num_relocs
Fix this and other calculations by explicitly typecasting
variables to u64 first
Bug 1781393
Change-Id: Ib7d9c0be4ac61dc404512b4bb0331aa20a6978bc
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171748
(cherry picked from commit 8f00b96c137b9c4cb43a8dbe2e153fae49524113)
Reviewed-on: http://git-master/r/1172519
(cherry picked from commit 61229625b1e19d5a93a9458f04e0cce356dbdee3)
Reviewed-on: http://git-master/r/1190218
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
We allocate below without checking if num_syncpt_incrs
is valid or not
struct nvhost_ctrl_sync_fence_info pts[num_syncpt_incrs];
If UMD passes a negative value in num_syncpt_incrs, then
it is possible to corrupt the stack
Hence, first check if num_syncpt_incrs is valid (i.e.
not negative)
And then allocate the array dynamically using kzalloc
instead of allocating it on stack
Bug 1781393
Change-Id: I5389fd271149b457f63831a41c104c9814299ddf
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1171747
(cherry picked from commit 07fb347b4060a888b19df3524f36fcf7974a79d1)
Reviewed-on: http://git-master/r/1172518
(cherry picked from commit 1db2d69b6abeb6fc9d4257db88f631d9c8aef74d)
Reviewed-on: http://git-master/r/1190211
GVS: Gerrit_Virtual_Submit
Reviewed-by: Jeetesh Burman <jburman@nvidia.com>
Tested-by: Jeetesh Burman <jburman@nvidia.com>
Reviewed-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
pll_d2 runs at a minimum of 100MHz on T124. Update logic
to choose parent clock rate more than 100MHz.
e.g.: A mode with 32MHz pclk chooses parent clock of
96MHz with a divider of 3.0, which fails as pll_d
can't be pulled below 100MHz.
bug 1785365
Change-Id: I12400549a3ed42295ddd46adcb6493232f2d896a
Signed-off-by: Naveen Kumar S <nkumars@nvidia.com>
Reviewed-on: http://git-master/r/1184235
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Aleksandr Frid <afrid@nvidia.com>
Reviewed-by: Aly Hirani <ahirani@nvidia.com>
Reviewed-by: Venu Byravarasu <vbyravarasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
|
|
DIPM is not a POR for Tegra AHCI Sata Controller
Bug 200087528
Change-Id: I5a742170177c9f57426f3756a8cfafefa88af92b
Signed-off-by: Preetham Chandru R <pchandru@nvidia.com>
Reviewed-on: http://git-master/r/1013776
(cherry picked from commit 7ebd3b1058491ee87686e9e731b79ecd914e00d9)
Reviewed-on: http://git-master/r/1031624
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
|
|
Bug 1729847
Change-Id: Ie455b0469a1d4e35453ca9e36c5e90dfdc6f56a2
Signed-off-by: Bhushan Rupde <brupde@nvidia.com>
Reviewed-on: http://git-master/r/1147432
Reviewed-by: Mohan Nimaje <mnimaje@nvidia.com>
Reviewed-by: Soumen Dey <sdey@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
|
|
In case kernel fails to open a channel (e.g. due to inability to
allocate hardware context or turn on the device), the channel open
function releases the resources that were already allocated
successfully.
However, currently the error path additionally calls the channel
release function for putting the channel pointer after the private
data structures have been freed - thereby causing use-after-free
memory usage.
This patch reworks error handling in channel open to release
channel without risking usage of already freed memory.
Bug 1763577
Change-Id: Ic7562e69f2babad653afc7a11e413701494a30b4
Signed-off-by: Arto Merilainen <amerilainen@nvidia.com>
Reviewed-on: http://git-master/r/1148081
Reviewed-by: Winnie Hsu <whsu@nvidia.com>
Tested-by: Winnie Hsu <whsu@nvidia.com>
|
|
In nvhost_ioctl_ctrl_module_regrdwr(), we copy offset
to read/write from user space but we do not have
any check on it
So it is possible for user space to add unaligned
offset and request read/write which would crash the
system
Fix this by explicitly checking alignment of the
offset passed by user space
Bug 1739935
Change-Id: Iea2a07c60500af876b732a0e9d9d08535aa53b5c
Signed-off-by: Deepak Nibade <dnibade@nvidia.com>
Reviewed-on: http://git-master/r/1029405
(cherry picked from commit 422baa09a17a6a17f4e572aa5441ca174634de0d)
Reviewed-on: http://git-master/r/1123363
Reviewed-by: Automatic_Commit_Validation_User
GVS: Gerrit_Virtual_Submit
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Matthew Pedro <mapedro@nvidia.com>
|