From 08590cd62f8b63776f54cb8ad1b2d329e45341e5 Mon Sep 17 00:00:00 2001 From: Krishna Yarlagadda Date: Mon, 8 Feb 2016 16:47:35 +0530 Subject: spi: tegra: option to boost register access SPI register access for T210 and earlier chips depend on SPI clock frequency. Provided an option to set SPI clock at max frequency for register access. Bug 1675625 Change-Id: Ie52c83cd4602604822462d9f02ddf31ead83aafc Reviewed-on: http://git-master/r/1009782 (cherry picked from commit a2ccd28f2850538064668568432fee5d70a22e82) Signed-off-by: Krishna Yarlagadda Reviewed-on: http://git-master/r/1174581 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Laxman Dewangan --- include/linux/spi/spi-tegra.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'include') diff --git a/include/linux/spi/spi-tegra.h b/include/linux/spi/spi-tegra.h index 4b9385d2c93d..10e773094ce8 100644 --- a/include/linux/spi/spi-tegra.h +++ b/include/linux/spi/spi-tegra.h @@ -1,7 +1,7 @@ /* * spi-tegra.h: SPI interface for Nvidia Tegra20 SLINK controller. * - * Copyright (C) 2011 NVIDIA Corporation + * Copyright (c) 2011-2016, NVIDIA CORPORATION. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -25,6 +25,7 @@ struct tegra_spi_platform_data { int dma_req_sel; unsigned int spi_max_frequency; bool is_clkon_always; + bool boost_reg_access; }; /* -- cgit v1.2.3 From d0080959ebe08f3b4a0f0453eaa8c8c9dff4ae9d Mon Sep 17 00:00:00 2001 From: Krishna Yarlagadda Date: Tue, 17 Nov 2015 19:31:22 +0530 Subject: spi: tegra: support polling mode Added support to use polling mode instead of interrupts through a property in dt Bug 1679083 Change-Id: Ic82ab592822cc96bacda05124d38ddd913e09af9 Reviewed-on: http://git-master/r/840233 (cherry picked from commit cd1c4db5adc8317572106099da37fa434245e699) Reviewed-on: http://git-master/r/1009988 (cherry picked from commit b29ce03a6b7ebb306ff157640470dd5ab99c6f6b) Signed-off-by: Krishna Yarlagadda Reviewed-on: http://git-master/r/1175213 Reviewed-by: Matthew Pedro Tested-by: Matthew Pedro --- include/linux/spi/spi-tegra.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/linux/spi/spi-tegra.h b/include/linux/spi/spi-tegra.h index 10e773094ce8..3e0203c2a671 100644 --- a/include/linux/spi/spi-tegra.h +++ b/include/linux/spi/spi-tegra.h @@ -25,6 +25,7 @@ struct tegra_spi_platform_data { int dma_req_sel; unsigned int spi_max_frequency; bool is_clkon_always; + bool is_polling_mode; bool boost_reg_access; }; -- cgit v1.2.3 From d0d666fcd21dea1424006c34fd158067ced90ce2 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Thu, 13 Oct 2016 13:07:36 -0700 Subject: mm: remove gup_flags FOLL_WRITE games from __get_user_pages() commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream. This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug"). In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly (and do it better). The s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement software dirty bits") which made it into v3.9. Earlier kernels will have to look at the page state itself. Also, the VM has become more scalable, and what used a purely theoretical race back then has become easier to trigger. To fix it, we introduce a new internal FOLL_COW flag to mark the "yes, we already did a COW" rather than play racy games with FOLL_WRITE that is very fundamental, and then use the pte dirty flag to validate that the FOLL_COW flag is still valid. Reported-and-tested-by: Phil "not Paul" Oester Acked-by: Hugh Dickins Reviewed-by: Michal Hocko Cc: Andy Lutomirski Cc: Kees Cook Cc: Oleg Nesterov Cc: Willy Tarreau Cc: Nick Piggin Cc: Greg Thelen Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds [wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask; s/faultin_page/__get_user_page] Signed-off-by: Willy Tarreau Change-Id: I6fbb1abf656ff7e05ec4c65f07dbbdd694546fb4 Signed-off-by: Krishna Reddy Signed-off-by: Sumit Gupta Reviewed-on: http://git-master/r/1241321 GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu Tested-by: Bibek Basu --- include/linux/mm.h | 1 + 1 file changed, 1 insertion(+) (limited to 'include') diff --git a/include/linux/mm.h b/include/linux/mm.h index a23bb6b1f449..03a60a38ec45 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h @@ -1714,6 +1714,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma, #define FOLL_NUMA 0x200 /* force NUMA hinting page fault */ #define FOLL_MIGRATION 0x400 /* wait for page to replace migration entry */ #define FOLL_DURABLE 0x800 /* get the page reference for a long time */ +#define FOLL_COW 0x4000 /* internal GUP flag */ typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr, void *data); -- cgit v1.2.3 From 651cce8f33cff889007ca563cdcff98abe3a5e90 Mon Sep 17 00:00:00 2001 From: Greg Hackmann Date: Fri, 19 Feb 2016 13:33:31 -0800 Subject: media: tegra: camera: sanity-check ioctl parameter Several places in the camera stack can hit integer overflows or cause bad allocations if userspace passes in a bogus sizeofvalue parameter. Protect against this by using appropriately-sized integer types, adding range checks, replacing array-allocation calls with kcalloc(), and checking for allocations returning ZERO_SIZE_PTR. For one specific ioctl (PCLLK_IOCTL_UPDATE) sizeofvalue = 0 is fine, since when that happens the subdrivers won't actually touch the returned allocation. In fact the existing userspace camera driver makes calls like these and expects them to succeed! Handle this special case by adding a __camera_get_params variant that optionally treats zero-sized inputs as valid. (back ported from Nexus N9 project) Bug 1832830 Change-Id: Ie3250d8a4b814de5820fa0190b4cbd1af3ca4b3f Reported-by: Jianqiang Zhao Signed-off-by: Greg Hackmann Reviewed-on: http://git-master/r/1271367 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Frank Chen Tested-by: Frank Chen Reviewed-by: Jihoon Bang Reviewed-by: Winnie Hsu --- include/media/camera.h | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'include') diff --git a/include/media/camera.h b/include/media/camera.h index 5cbac56de269..7528b9acede8 100644 --- a/include/media/camera.h +++ b/include/media/camera.h @@ -337,7 +337,7 @@ struct camera_chip { int (*power_off)(struct camera_device *cdev); int (*shutdown)(struct camera_device *cdev); int (*update)(struct camera_device *cdev, - struct cam_update *upd, int num); + struct cam_update *upd, u32 num); }; struct camera_sync_dev { @@ -386,8 +386,14 @@ struct camera_platform_info { }; /* common functions */ -int camera_get_params( - struct camera_info *, unsigned long, int, struct nvc_param *, void **); +int __camera_get_params( + struct camera_info *, unsigned long, int, struct nvc_param *, void **, + bool); +static inline int camera_get_params(struct camera_info *cam, unsigned long arg, + int u_size, struct nvc_param *prm, void **data) +{ + return __camera_get_params(cam, arg, u_size, prm, data, false); +} int camera_copy_user_params(unsigned long, struct nvc_param *); int virtual_device_add(struct device *, unsigned long); -- cgit v1.2.3 From 47f46d91bdd0ec42cf688dda09dcd187afdadffd Mon Sep 17 00:00:00 2001 From: Amey Asgaonkar Date: Thu, 28 Apr 2016 18:01:42 -0700 Subject: camera: tegra: Fix security vulnerability Check a few input params to make sure there is no potential for a heap overflow in the driver. (Back ported from Nexus N9 project) Bug 1757475 (nvidia) Bug 1832830 (nvidia) Bug 28193342 (google) Change-Id: I979fa38c5f453cfad7070f0340ec04adde5bac13 Signed-off-by: Amey Asgaonkar Reviewed-on: http://git-master/r/1271369 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Frank Chen Tested-by: Frank Chen Reviewed-by: Jihoon Bang Reviewed-by: Winnie Hsu --- include/media/camera.h | 3 +++ 1 file changed, 3 insertions(+) (limited to 'include') diff --git a/include/media/camera.h b/include/media/camera.h index 7528b9acede8..22f097ee3db2 100644 --- a/include/media/camera.h +++ b/include/media/camera.h @@ -117,6 +117,9 @@ #define CAMERA_DT_ARRAY_U16 22 #define CAMERA_DT_ARRAY_U32 23 +#define MAX_PARAM_SIZE_OF_VALUE 1024 +#define MAX_PARAM_VARIANT 4096 + enum { CAMERA_SEQ_EXEC, CAMERA_SEQ_REGISTER_EXEC, -- cgit v1.2.3 From 2db040946ff8340485b2b33fe5a46f3166fa96f6 Mon Sep 17 00:00:00 2001 From: Debarshi Dutta Date: Wed, 21 Jun 2017 16:15:09 +0530 Subject: gpu: nvgpu: Remove IOCTL FREE_OBJ_CTX We have never used the IOCTL FREE_OBJ_CTX. Using it leads to context being only partially available, and can lead to use-after-free. Bug 1885775 Change-Id: I9d2b632ab79760f8186d02e0f35861b3a6aae649 Signed-off-by: Debarshi Dutta Reviewed-on: https://git-master.nvidia.com/r/1506479 Reviewed-by: Automatic_Commit_Validation_User GVS: Gerrit_Virtual_Submit Reviewed-by: Bibek Basu --- include/linux/nvhost_ioctl.h | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) (limited to 'include') diff --git a/include/linux/nvhost_ioctl.h b/include/linux/nvhost_ioctl.h index b060864ff1d1..a1011e5a1daf 100644 --- a/include/linux/nvhost_ioctl.h +++ b/include/linux/nvhost_ioctl.h @@ -3,7 +3,7 @@ * * Tegra graphics host driver * - * Copyright (c) 2009-2014, NVIDIA Corporation. All rights reserved. + * Copyright (c) 2009-2017, NVIDIA Corporation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -118,10 +118,6 @@ struct nvhost_alloc_obj_ctx_args { __u64 obj_id; /* output, used to free later */ }; -struct nvhost_free_obj_ctx_args { - __u64 obj_id; /* obj ctx to free */ -}; - struct nvhost_alloc_gpfifo_args { __u32 num_entries; #define NVHOST_ALLOC_GPFIFO_FLAGS_VPR_ENABLED (1 << 0) /* set owner channel of this gpfifo as a vpr channel */ @@ -390,8 +386,6 @@ struct nvhost_set_ctxswitch_args { _IOWR(NVHOST_IOCTL_MAGIC, 107, struct nvhost_submit_gpfifo_args) #define NVHOST_IOCTL_CHANNEL_ALLOC_OBJ_CTX \ _IOWR(NVHOST_IOCTL_MAGIC, 108, struct nvhost_alloc_obj_ctx_args) -#define NVHOST_IOCTL_CHANNEL_FREE_OBJ_CTX \ - _IOR(NVHOST_IOCTL_MAGIC, 109, struct nvhost_free_obj_ctx_args) #define NVHOST_IOCTL_CHANNEL_ZCULL_BIND \ _IOWR(NVHOST_IOCTL_MAGIC, 110, struct nvhost_zcull_bind_args) #define NVHOST_IOCTL_CHANNEL_SET_ERROR_NOTIFIER \ -- cgit v1.2.3