DivestOS/Patches/Linux_CVEs/CVE-2016-6749/ANY/0001.patch

From f9185dc83b92e7d1ee341e32e8cf5ed00a7253a7 Mon Sep 17 00:00:00 2001
From: Divya Ponnusamy <pdivya@codeaurora.org>
Date: Wed, 24 Aug 2016 17:06:54 +0530
Subject: msm: kgsl: Change %p to %pK in debug messages

The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system settings.
Use %pK instead of %p, which evaluates whether
kptr_restrict is set.

Change-Id: I0778e43e0a03852ca2944377256a7b401586a747
Signed-off-by: Divya Ponnusamy <pdivya@codeaurora.org>
---
 drivers/gpu/msm/adreno_debugfs.c |  4 ++--
 drivers/gpu/msm/kgsl.c           |  5 ++---
 drivers/gpu/msm/kgsl_cffdump.c   |  9 +--------
 drivers/gpu/msm/kgsl_cmdbatch.c  |  4 ++--
 drivers/gpu/msm/kgsl_iommu.c     | 19 +++++++++----------
 drivers/gpu/msm/kgsl_pwrctrl.c   |  4 ++--
 drivers/gpu/msm/kgsl_snapshot.c  |  5 +----
 7 files changed, 19 insertions(+), 31 deletions(-)

diff --git a/drivers/gpu/msm/adreno_debugfs.c b/drivers/gpu/msm/adreno_debugfs.c
index 9c045b5..7628285 100644
--- a/drivers/gpu/msm/adreno_debugfs.c
+++ b/drivers/gpu/msm/adreno_debugfs.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2002,2008-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2002,2008-2016, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -83,7 +83,7 @@ static void sync_event_print(struct seq_file *s,
 		break;
 	}
 	case KGSL_CMD_SYNCPOINT_TYPE_FENCE:
-		seq_printf(s, "sync: [%p] %s", sync_event->handle,
+		seq_printf(s, "sync: [%pK] %s", sync_event->handle,
 		(sync_event->handle && sync_event->handle->fence)
 				? sync_event->handle->fence->name : "NULL");
 		break;
diff --git a/drivers/gpu/msm/kgsl.c b/drivers/gpu/msm/kgsl.c
index 4c3753e..18cc267 100644
--- a/drivers/gpu/msm/kgsl.c
+++ b/drivers/gpu/msm/kgsl.c
@@ -4131,9 +4131,8 @@ int kgsl_device_platform_probe(struct kgsl_device *device)
 	disable_irq(device->pwrctrl.interrupt_num);
 
 	KGSL_DRV_INFO(device,
-		"dev_id %d regs phys 0x%08lx size 0x%08x virt %p\n",
-		device->id, device->reg_phys, device->reg_len,
-		device->reg_virt);
+		"dev_id %d regs phys 0x%08lx size 0x%08x\n",
+		device->id, device->reg_phys, device->reg_len);
 
 	rwlock_init(&device->context_lock);
 
diff --git a/drivers/gpu/msm/kgsl_cffdump.c b/drivers/gpu/msm/kgsl_cffdump.c
index 1f10a33..67e3d02 100644
--- a/drivers/gpu/msm/kgsl_cffdump.c
+++ b/drivers/gpu/msm/kgsl_cffdump.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2010-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2010-2016, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -515,10 +515,6 @@ EXPORT_SYMBOL(kgsl_cffdump_waitirq);
 static int subbuf_start_handler(struct rchan_buf *buf,
 	void *subbuf, void *prev_subbuf, size_t prev_padding)
 {
-	pr_debug("kgsl: cffdump: subbuf_start_handler(subbuf=%p, prev_subbuf"
-		"=%p, prev_padding=%08zx)\n", subbuf, prev_subbuf,
-		 prev_padding);
-
 	if (relay_buf_full(buf)) {
 		if (!suspended) {
 			suspended = 1;
@@ -575,9 +571,6 @@ static struct rchan *create_channel(unsigned subbuf_size, unsigned n_subbufs)
 {
 	struct rchan *chan;
 
-	pr_info("kgsl: cffdump: relay: create_channel: subbuf_size %u, "
-		"n_subbufs %u, dir 0x%p\n", subbuf_size, n_subbufs, dir);
-
 	chan = relay_open("cpu", dir, subbuf_size,
 			  n_subbufs, &relay_callbacks, NULL);
 	if (!chan) {
diff --git a/drivers/gpu/msm/kgsl_cmdbatch.c b/drivers/gpu/msm/kgsl_cmdbatch.c
index 46e053f..7dfd691 100644
--- a/drivers/gpu/msm/kgsl_cmdbatch.c
+++ b/drivers/gpu/msm/kgsl_cmdbatch.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2008-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2008-2016, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -92,7 +92,7 @@ void kgsl_dump_syncpoints(struct kgsl_device *device,
 		}
 		case KGSL_CMD_SYNCPOINT_TYPE_FENCE:
 			if (event->handle)
-				dev_err(device->dev, "  fence: [%p] %s\n",
+				dev_err(device->dev, "  fence: [%pK] %s\n",
 					event->handle->fence,
 					event->handle->name);
 			else
diff --git a/drivers/gpu/msm/kgsl_iommu.c b/drivers/gpu/msm/kgsl_iommu.c
index 249df4d..f510ac4 100644
--- a/drivers/gpu/msm/kgsl_iommu.c
+++ b/drivers/gpu/msm/kgsl_iommu.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2011-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2011-2016, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -612,7 +612,7 @@ static void kgsl_detach_pagetable_iommu_domain(struct kgsl_mmu *mmu)
 			iommu_detach_device(iommu_pt->domain, ctx->dev);
 			ctx->attached = false;
 			KGSL_MEM_INFO(mmu->device,
-				"iommu %p detached from user dev of MMU: %p\n",
+				"iommu %pK detached from user dev of MMU: %pK\n",
 				iommu_pt->domain, mmu);
 		}
 	}
@@ -700,7 +700,7 @@ static int kgsl_attach_pagetable_iommu_domain(struct kgsl_mmu *mmu)
 		}
 		ctx->attached = true;
 		KGSL_MEM_INFO(mmu->device,
-				"iommu pt %p attached to dev %p, ctx_id %d\n",
+				"iommu pt %pK attached to dev %pK, ctx_id %d\n",
 				iommu_pt->domain, ctx->dev, ctx->ctx_id);
 		if (KGSL_IOMMU_CONTEXT_SECURE != i) {
 			ret = iommu_domain_get_attr(iommu_pt->domain,
@@ -1108,8 +1108,8 @@ kgsl_iommu_unmap(struct kgsl_pagetable *pt,
 		unmapped = iommu_unmap(iommu_pt->domain, gpuaddr, range);
 	if (unmapped != range) {
 		KGSL_CORE_ERR(
-			"iommu_unmap(%p, %llx, %lld) failed with unmapped size: %zd\n",
-			iommu_pt->domain, gpuaddr, range, unmapped);
+			"iommu_unmap(%llx, %lld) failed with unmapped size: %zd\n",
+			gpuaddr, range, unmapped);
 		return -EINVAL;
 	}
 
@@ -1237,8 +1237,8 @@ int _iommu_add_guard_page(struct kgsl_pagetable *pt,
 				protflags & ~IOMMU_WRITE);
 		if (ret) {
 			KGSL_CORE_ERR(
-			"iommu_map(%p, addr %016llX, flags %x) err: %d\n",
-			iommu_pt->domain, gpuaddr, protflags & ~IOMMU_WRITE,
+			"iommu_map(addr %016llX, flags %x) err: %d\n",
+			gpuaddr, protflags & ~IOMMU_WRITE,
 			ret);
 			return ret;
 		}
@@ -1306,9 +1306,8 @@ kgsl_iommu_map(struct kgsl_pagetable *pt,
 	}
 
 	if (mapped != size) {
-		KGSL_CORE_ERR("iommu_map_sg(%p, %016llX, %lld, %x) err: %zd\n",
-				iommu_pt->domain, addr, size,
-				flags, mapped);
+		KGSL_CORE_ERR("iommu_map_sg(%016llX, %lld, %x) err: %zd\n",
+				addr, size,	flags, mapped);
 		return -ENODEV;
 	}
 
diff --git a/drivers/gpu/msm/kgsl_pwrctrl.c b/drivers/gpu/msm/kgsl_pwrctrl.c
index 1c89d74..f50e6d7 100644
--- a/drivers/gpu/msm/kgsl_pwrctrl.c
+++ b/drivers/gpu/msm/kgsl_pwrctrl.c
@@ -1593,7 +1593,7 @@ int kgsl_pwrctrl_init(struct kgsl_device *device)
 
 		if (!pwr->ocmem_pcl) {
 			KGSL_PWR_ERR(device,
-				"msm_bus_scale_register_client failed: id %d table %p",
+				"msm_bus_scale_register_client failed: id %d table %pK",
 				device->id, ocmem_scale_table);
 			result = -EINVAL;
 			goto done;
@@ -1643,7 +1643,7 @@ int kgsl_pwrctrl_init(struct kgsl_device *device)
 				(pdata->bus_scale_table);
 		if (!pwr->pcl) {
 			KGSL_PWR_ERR(device,
-				"msm_bus_scale_register_client failed: id %d table %p",
+				"msm_bus_scale_register_client failed: id %d table %pK",
 				device->id, pdata->bus_scale_table);
 			result = -EINVAL;
 			goto done;
diff --git a/drivers/gpu/msm/kgsl_snapshot.c b/drivers/gpu/msm/kgsl_snapshot.c
index 42eabe4..bbfd8a7 100644
--- a/drivers/gpu/msm/kgsl_snapshot.c
+++ b/drivers/gpu/msm/kgsl_snapshot.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2012-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License version 2 and
@@ -1120,9 +1120,6 @@ void kgsl_snapshot_save_frozen_objs(struct work_struct *work)
 		goto done;
 
 	snapshot->mempool = vmalloc(size);
-	if (snapshot->mempool != NULL)
-		KGSL_CORE_ERR("snapshot: mempool address %p, size %zx\n",
-				snapshot->mempool, size);
 
 	ptr = snapshot->mempool;
 	snapshot->mempool_size = 0;
-- 
cgit v1.1