sdk/emulator/emulator-kernel.git
9 years agoac97: supports codec extension for product
Jinhyung Choi [Fri, 17 Jul 2015 06:05:07 +0000 (15:05 +0900)]
ac97: supports codec extension for product

ac97_codec.c and ac97_pcm.c will not be built if maru extension is set.

Change-Id: I57e1671db09c646fc86d18c7706d51ed721277ce
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agobrillcodec: reslove casting warning for a 64bit target
Park Kyoung Won [Mon, 20 Jul 2015 07:53:37 +0000 (16:53 +0900)]
brillcodec: reslove casting warning for a 64bit target

changed uint32_t into uintptr_t in functions(context_add, task_add, task_remove)

Change-Id: Iee0f1da8896a1e70175b8d8a794de0ee3288bc81
Signed-off-by: Park Kyoung Won <kw0712.park@samsung.com>
9 years agonfc: removed build warning for 64 bit
haken.kim [Tue, 14 Jul 2015 12:23:20 +0000 (21:23 +0900)]
nfc: removed build warning for 64 bit

 fix nfc build warings for prepare the 64bit enable.

Change-Id: I70551784a4b5e50fdc19a7320d4fed9ace26dba6
Signed-off-by: haken.kim <haken.kim@samsung.com>
9 years agotouchscreen: removed warning for 64 bit build
GiWoong Kim [Fri, 17 Jul 2015 06:35:02 +0000 (15:35 +0900)]
touchscreen: removed warning for 64 bit build

enable by default, Wpointer-to-int-cast

Change-Id: I805e384e66ce99ddf692a292053a92c0342d6177
Signed-off-by: GiWoong Kim <giwoong.kim@samsung.com>
9 years agopackage: version up (3.14.7)
jinhyung.jo [Wed, 15 Jul 2015 04:27:29 +0000 (13:27 +0900)]
package: version up (3.14.7)

Change-Id: Ia9d182e396d10f3b77cd3e4e2ea78f7670008f24
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
9 years agoVIGS: Removed a compilation warnning
jinhyung.jo [Wed, 15 Jul 2015 02:48:31 +0000 (11:48 +0900)]
VIGS: Removed a compilation warnning

Changed the format specifier from '%u' to '%pa' for the type 'resource_size_t'.
Here is an excerpt from the document below,
'https://www.kernel.org/doc/Documentation/printk-formats.txt',
"
Physical addresses types phys_addr_t:

    %pa[p]  0x01234567 or 0x0123456789abcdef

    For printing a phys_addr_t type (and its derivatives, such as
    resource_size_t) which can vary based on build options, regardless of
    the width of the CPU data path. Passed by reference.
".

Change-Id: Ia0d72411de707cb7f3aaba7d91e86f79f5c2b607
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
9 years agobuild: applied -Werror on maru drivers
SeokYeon Hwang [Sun, 12 Jul 2015 05:08:10 +0000 (14:08 +0900)]
build: applied -Werror on maru drivers

Change-Id: I1d83a1130bc6b48636a95820e0b14aa48c1a3593
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agoevdi: removed warning for 64 bit build
Jinhyung Choi [Mon, 13 Jul 2015 08:00:53 +0000 (17:00 +0900)]
evdi: removed warning for 64 bit build

- changed printing format from %d to %zd for ssize_t
- It supported only after C99 compiler, so this will be re-checked later.

Change-Id: Idf1bdb753b8b93490ea5bb112cf5cdd75b7ad833
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agosensor: remove warning for 64 bit build
Jinhyung Choi [Mon, 13 Jul 2015 07:59:52 +0000 (16:59 +0900)]
sensor: remove warning for 64 bit build

changed NULL device to MKDEV(0,0) for device_create/device_destroy

Change-Id: Ic223af5760a9179e368db2ecab91b998f7642387
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agopower supply: remove warnings for 64 bit
Jinhyung Choi [Mon, 13 Jul 2015 07:56:01 +0000 (16:56 +0900)]
power supply: remove warnings for 64 bit

- changed NULL device arg to MKDEV(0,0) for device_create/device_destroy

Change-Id: If53a9158364e781320d6e3db87a3bc3a84b113de
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agobuild: Modify Makefile for extension
bk0121.shin [Mon, 13 Jul 2015 01:57:13 +0000 (10:57 +0900)]
build: Modify Makefile for extension

- To be included as built-in, 'obj-' should be used
  instead of 'subdir' in Makefile

Change-Id: I5b7fafa0b07e15e067963fc231838f94f6555fba
Signed-off-by: bk0121.shin <bk0121.shin@samsung.com>
9 years agomaru-camera: Changed the method for passing the argument to/from device
jinhyung.jo [Tue, 7 Jul 2015 08:21:23 +0000 (17:21 +0900)]
maru-camera: Changed the method for passing the argument to/from device

Without using the CPU I/O, directly using the device memory.
Additionally
  Allowing the instance to 2.
  Modified the log format & contents.

Change-Id: I919b3847e7e0fec02a873bed27bd064bae92a680
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
9 years agobuild: introduced extension source path
SeokYeon Hwang [Tue, 7 Jul 2015 04:50:39 +0000 (13:50 +0900)]
build: introduced extension source path

The "extension source path" is additional source path that can be
used by product specific sources. The path can be prepared by
symbolic link or git submodule.

Change-Id: I9600fa107af5aa9755f9e071ef98c29babac83fd
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agoMerge "ramfs: suppress warnings when filesystem is mounted" into tizen_2.4_develop
Sangho Park [Wed, 24 Jun 2015 06:43:03 +0000 (15:43 +0900)]
Merge "ramfs: suppress warnings when filesystem is mounted" into tizen_2.4_develop

9 years agoSmack: fix backport of multi-onlycap patch
Rafal Krypa [Tue, 23 Jun 2015 08:30:49 +0000 (10:30 +0200)]
Smack: fix backport of multi-onlycap patch

Adapt the patch for multiple labels in onlycap to older kernel version.
It was previously backported without an important dependency. There is a
difference in smk_import_entry function. In upstream it returns error codes,
but here the error is indicated by returning NULL.
Without this fix the kernel could crash when empty string is written to
onlycap interface file.

Change-Id: Ibadab8b78b86453526cd423100619ab0a10fa68c
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoSmack: update patch for multi-onlycap to the final upstream version
Rafal Krypa [Tue, 23 Jun 2015 08:28:09 +0000 (10:28 +0200)]
Smack: update patch for multi-onlycap to the final upstream version

Synchronize the patch enabling multiple labels in onlycap with the last
version that was merged upstream. The patch merged in this tree was an
earlier version, before it was updated and merged upstream.
Changes are only cosmetic (function name, comments, code formatting), but
merging them will ease future synchronization with upstream Smack code.

Change-Id: Iefe9ec32659043e62bdf2a227aad8f42c3563b9d
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoSmack: allow multiple labels in onlycap
Rafal Krypa [Fri, 15 May 2015 19:22:01 +0000 (21:22 +0200)]
Smack: allow multiple labels in onlycap

Smack onlycap allows limiting of CAP_MAC_ADMIN and CAP_MAC_OVERRIDE to
processes running with the configured label. But having single privileged
label is not enough in some real use cases. On a complex system like Tizen,
there maybe few programs that need to configure Smack policy in run-time
and running them all with a single label is not always practical.
This patch extends onlycap feature for multiple labels. They are configured
in the same smackfs "onlycap" interface, separated by spaces.

Change-Id: Ia95b93b4474669b7fd02926926e10b814b78405c
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
(cherry picked from commit c0a3794dfc6a153294fa90f6499a43c78a608047)

9 years agoSmack: fix seq operations in smackfs
Rafal Krypa [Fri, 15 May 2015 17:43:33 +0000 (19:43 +0200)]
Smack: fix seq operations in smackfs

Use proper RCU functions and read locking in smackfs seq_operations.

Smack gets away with not using proper RCU functions in smackfs, because
it never removes entries from these lists. But now one list will be
needed (with interface in smackfs) that will have both elements added and
removed to it.
This change will also help any future changes implementing removal of
unneeded entries from other Smack lists.

The patch also fixes handling of pos argument in smk_seq_start and
smk_seq_next. This fixes a bug in case when smackfs is read with a small
buffer:

Kernel panic - not syncing: Kernel mode fault at addr 0xfa0000011b
CPU: 0 PID: 1292 Comm: dd Not tainted 4.1.0-rc1-00012-g98179b8 #13
Stack:
 00000003 0000000d 7ff39e48 7f69fd00
 7ff39ce0 601ae4b0 7ff39d50 600e587b
 00000010 6039f690 7f69fd40 00612003
Call Trace:
 [<601ae4b0>] load2_seq_show+0x19/0x1d
 [<600e587b>] seq_read+0x168/0x331
 [<600c5943>] __vfs_read+0x21/0x101
 [<601a595e>] ? security_file_permission+0xf8/0x105
 [<600c5ec6>] ? rw_verify_area+0x86/0xe2
 [<600c5fc3>] vfs_read+0xa1/0x14c
 [<600c68e2>] SyS_read+0x57/0xa0
 [<6001da60>] handle_syscall+0x60/0x80
 [<6003087d>] userspace+0x442/0x548
 [<6001aa77>] ? interrupt_end+0x0/0x80
 [<6001daae>] ? copy_chunk_to_user+0x0/0x2b
 [<6002cb6b>] ? save_registers+0x1f/0x39
 [<60032ef7>] ? arch_prctl+0xf5/0x170
 [<6001a92d>] fork_handler+0x85/0x87

Change-Id: I032c1fc726c0670060d1cf4c419746257159b499
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
(cherry picked from commit f638effaf324d57f37453e421be87e537140e527)

9 years agoramfs: suppress warnings when filesystem is mounted
SeokYeon Hwang [Tue, 23 Jun 2015 15:17:45 +0000 (00:17 +0900)]
ramfs: suppress warnings when filesystem is mounted

Change-Id: Iea6900dbc0c03d6d13a1448d5d3294ecb9824b7f
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agovirtio_blk: removed W/A for sdcard support
SeokYeon Hwang [Mon, 8 Jun 2015 06:23:44 +0000 (15:23 +0900)]
virtio_blk: removed W/A for sdcard support

A sdcard support will be done by udev rules and deviced.

Change-Id: I126ba1c72e1215ee28ee4da34791877d86b56435
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agopackage: version up
Munkyu Im [Wed, 27 May 2015 07:46:16 +0000 (16:46 +0900)]
package: version up

Change-Id: I629d413854a34c5f21fda4de027772d8a2a1b0a5
Signed-off-by: Munkyu Im <munkyu.im@samsung.com>
9 years agovirtio-net: support MII
Munkyu Im [Tue, 26 May 2015 04:32:58 +0000 (13:32 +0900)]
virtio-net: support MII

It's incomplete.
But support it to enable ioctl call on guest side.

Change-Id: Iaec1ed63fe5f0ce2fff19be42890ca1063555179
Signed-off-by: Munkyu Im <munkyu.im@samsung.com>
9 years agopackaging: remove dependency.
Sooyoung Ha [Sun, 17 May 2015 12:01:45 +0000 (21:01 +0900)]
packaging: remove dependency.

Remove the emulator-kernel-user-headers build dependency.

Change-Id: I6aa468dab8834e72789320e4d87e8e7752d6a951
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
9 years agoRevert "packaging: use linux-glibc-devel instread of emulator-kernel-headers"
Sangho Park [Sun, 17 May 2015 10:34:02 +0000 (19:34 +0900)]
Revert "packaging: use linux-glibc-devel instread of emulator-kernel-headers"

This reverts commit 12fbb0687ba2d1f8ecbeeac8c3be53cc378f2b37.

Change-Id: Iac02a9324f10006953f82409283a526531d2bc9e
(cherry picked from commit 08becd57e5e8375b2e2dc2fe48de664757bfde66)

9 years agosensor: added logs for sensor capability debug purpose
Jinhyung Choi [Tue, 12 May 2015 13:50:09 +0000 (22:50 +0900)]
sensor: added logs for sensor capability debug purpose

Change-Id: Ibdf600bc24c9860200a171d88583ba56f560cb68
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agosensor: add mutex for get_sensor_data in accelerometer
Jinhyung Choi [Tue, 12 May 2015 05:02:15 +0000 (14:02 +0900)]
sensor: add mutex for get_sensor_data in accelerometer

Change-Id: I6cc802e5b2ca413984b285798a2867419cec3977
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agosensor: split scatter list initialization
Jinhyung Choi [Tue, 12 May 2015 05:02:39 +0000 (14:02 +0900)]
sensor: split scatter list initialization

split in/out virtqueue scatterlist to set sg_mark_end each

Change-Id: I562d51af7ab1d5e8b57b8971e7fe4d40d971a55b
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agorotary: Apply the changed specifications
sungmin ha [Tue, 28 Apr 2015 08:12:42 +0000 (17:12 +0900)]
rotary: Apply the changed specifications

The value of REL_WHEEL event was chaneged like below.
- Before
  Right direction: 1 -> 2 -> 3
  Left direction: 3 -> 2-> 1
- After
  Departing from the current detent area: 1
  Returning the current detent area: -1
  Right direction(CW): 2
  Left direction(CCW): -2

Change-Id: Ibd86e5c97839ea90383797096ed2c887a703e8b7
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
9 years agorotary: modified virtual rotary driver
GiWoong Kim [Mon, 23 Mar 2015 12:20:29 +0000 (21:20 +0900)]
rotary: modified virtual rotary driver

tizen_rotary -> tizen_detent
Instead of the delta that the change of the degree,
sends up the detent value in every 15 degrees.

Change-Id: I1b2b7ea8e4a2ff4ac90626710ddfe7f691ad29e2
Signed-off-by: GiWoong Kim <giwoong.kim@samsung.com>
9 years agorotary: Added a new device driver
jinhyung.jo [Tue, 30 Dec 2014 10:09:49 +0000 (19:09 +0900)]
rotary: Added a new device driver

Added a new device driver for the rotary device

Change-Id: I8a388a1b40315a47e60dbf00f17ad0ad69d8414c
Signed-off-by: Jinhyung Jo <jinhyung.jo@samsung.com>
9 years agosensor driver: waited for set_sensor_data
Jinhyung Choi [Mon, 11 May 2015 09:14:56 +0000 (18:14 +0900)]
sensor driver: waited for set_sensor_data

In order to resolve timing issue, set_sensor_data is waiting for a callback
similar to get_sensor_data.

Change-Id: I436375ea99b5f19c07d0683a89dd35d50218f830
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
(cherry picked from commit b603734d766fa00ef69f2c075dd6264a7ad1bdb6)

9 years agosensor: virtio memory allocation flag changed.
Jinhyung Choi [Fri, 8 May 2015 06:27:39 +0000 (15:27 +0900)]
sensor: virtio memory allocation flag changed.

Change-Id: I58d577e26826a8f055a7c4e0349d8f326cb3ed7e
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
(cherry picked from commit 44fd6adc9dbdade3a714b3efac550e8062e2b880)

9 years agoconfig: set NOOP as a default IO scheduler
SeokYeon Hwang [Tue, 21 Apr 2015 11:53:37 +0000 (20:53 +0900)]
config: set NOOP as a default IO scheduler

Change-Id: I252dc0d20afb20559efe02ceeb90f0b825af6ce9
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
(cherry picked from commit df6d0674dc7883bf1a971ffb8d969e86074537da)

9 years agoconfig: enabled CONFIG_ANDROID_INTF_ALARM_DEV
SeokYeon Hwang [Mon, 20 Apr 2015 07:28:41 +0000 (16:28 +0900)]
config: enabled CONFIG_ANDROID_INTF_ALARM_DEV

Change-Id: I1af3b208e2dbaa28487a73f02ce04a660770e187
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
(cherry picked from commit 2b8f290969821e5602136a6abda02d6756242874)

9 years agopackage: restructure directories
Munkyu Im [Mon, 27 Apr 2015 11:11:10 +0000 (20:11 +0900)]
package: restructure directories

change installed directory

Change-Id: If295b80efe71dd6090123f17b3c2df61e3d1c606
Signed-off-by: Munkyu Im <munkyu.im@samsung.com>
9 years agoPackage: Modified package name.
minkee.lee [Fri, 17 Apr 2015 10:10:39 +0000 (19:10 +0900)]
Package: Modified package name.

- Added platform version("2.4") to package name.

Change-Id: Ia6a5eb5eca93330bdca90f799b6e941705f3669a
Signed-off-by: minkee.lee <minkee.lee@samsung.com>
9 years agoMerge branch 'tizen_2.4' into tizen_2.4_develop
minkee.lee [Fri, 17 Apr 2015 07:50:21 +0000 (16:50 +0900)]
Merge branch 'tizen_2.4' into tizen_2.4_develop

Change-Id: I94112bf901574a1ae450adcc7f545a3dd9a295b5
Signed-off-by: minkee.lee <minkee.lee@samsung.com>
9 years agopackage: version up(3.14.5)
sungmin ha [Wed, 15 Apr 2015 08:10:09 +0000 (17:10 +0900)]
package: version up(3.14.5)

Change-Id: I40c6f16893d0be8747a36ff20aca4918c3f18035
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
9 years agovfs: read file_handle only once in handle_to_path
Sasha Levin [Wed, 28 Jan 2015 11:30:43 +0000 (20:30 +0900)]
vfs: read file_handle only once in handle_to_path

This patch was related with "[CVE-2015-1420] Race condition in fs/fhandle.c in the Linux kernel".

We used to read file_handle twice. Once to get the amount of extra bytes, and
once to fetch the entire structure.

This may be problematic since we do size verifications only after the first
read, so if the number of extra bytes changes in userspace between the first
and second calls, we'll have an incoherent view of file_handle.

Instead, read the constant size once, and copy that over to the final
structure without having to re-read it again.

Change-Id: I318d7428079e323f53bc7eb1f7dc0a5dfac7eb0b
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Byungsoo Kim <bs1770.kim@samsung.com>
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
9 years agox86, mm/ASLR: Fix stack randomization on 64-bit systems
Hector Marco-Gisbert [Sat, 14 Feb 2015 17:33:50 +0000 (09:33 -0800)]
x86, mm/ASLR: Fix stack randomization on 64-bit systems

The issue is that the stack for processes is not properly randomized on
64 bit architectures due to an integer overflow.

The affected function is randomize_stack_top() in file
"fs/binfmt_elf.c":

  static unsigned long randomize_stack_top(unsigned long stack_top)
  {
           unsigned int random_variable = 0;

           if ((current->flags & PF_RANDOMIZE) &&
                   !(current->personality & ADDR_NO_RANDOMIZE)) {
                   random_variable = get_random_int() & STACK_RND_MASK;
                   random_variable <<= PAGE_SHIFT;
           }
           return PAGE_ALIGN(stack_top) + random_variable;
           return PAGE_ALIGN(stack_top) - random_variable;
  }

Note that, it declares the "random_variable" variable as "unsigned int".
Since the result of the shifting operation between STACK_RND_MASK (which
is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):

  random_variable <<= PAGE_SHIFT;

then the two leftmost bits are dropped when storing the result in the
"random_variable". This variable shall be at least 34 bits long to hold
the (22+12) result.

These two dropped bits have an impact on the entropy of process stack.
Concretely, the total stack entropy is reduced by four: from 2^28 to
2^30 (One fourth of expected entropy).

This patch restores back the entropy by correcting the types involved
in the operations in the functions randomize_stack_top() and
stack_maxrandom_size().

The successful fix can be tested with:

  $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
  7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0                          [stack]
  7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0                          [stack]
  7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0                          [stack]
  7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0                          [stack]
  ...

Once corrected, the leading bytes should be between 7ffc and 7fff,
rather than always being 7fff.

Change-Id: I961d7977c511e0228a92f0020021fe50589e3e95
Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll <iripoll@upv.es>
[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: <stable@vger.kernel.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Fixes: CVE-2015-1593
Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net
Signed-off-by: Borislav Petkov <bp@suse.de>
9 years agonet: sctp: fix slab corruption from use after free on INIT collisions
Daniel Borkmann [Thu, 22 Jan 2015 17:26:54 +0000 (18:26 +0100)]
net: sctp: fix slab corruption from use after free on INIT collisions

When hitting an INIT collision case during the 4WHS with AUTH enabled, as
already described in detail in commit 1be9a950c646 ("net: sctp: inherit
auth_capable on INIT collisions"), it can happen that we occasionally
still remotely trigger the following panic on server side which seems to
have been uncovered after the fix from commit 1be9a950c646 ...

[  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
[  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
[  533.940559] PGD 5030f2067 PUD 0
[  533.957104] Oops: 0000 [#1] SMP
[  533.974283] Modules linked in: sctp mlx4_en [...]
[  534.939704] Call Trace:
[  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
[  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
[  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
[  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
[  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
[  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
[  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
[  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

... or depending on the the application, for example this one:

[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
[ 1370.054568] PGD 633c94067 PUD 0
[ 1370.070446] Oops: 0000 [#1] SMP
[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
[ 1370.963431] Call Trace:
[ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
[ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
[ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
[ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
[ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

With slab debugging enabled, we can see that the poison has been overwritten:

[  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
[  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
[  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
[  669.826424]  __slab_alloc+0x4bf/0x566
[  669.826433]  __kmalloc+0x280/0x310
[  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
[  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
[  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
[  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
[  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
[  669.826635]  __slab_free+0x39/0x2a8
[  669.826643]  kfree+0x1d6/0x230
[  669.826650]  kzfree+0x31/0x40
[  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
[  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
[  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]

Since this only triggers in some collision-cases with AUTH, the problem at
heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
when having refcnt 1, once directly in sctp_assoc_update() and yet again
from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
the already kzfree'd memory, which is also consistent with the observation
of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
at a later point in time when poison is checked on new allocation).

Reference counting of auth keys revisited:

Shared keys for AUTH chunks are being stored in endpoints and associations
in endpoint_shared_keys list. On endpoint creation, a null key is being
added; on association creation, all endpoint shared keys are being cached
and thus cloned over to the association. struct sctp_shared_key only holds
a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
keeps track of users internally through refcounting. Naturally, on assoc
or enpoint destruction, sctp_shared_key are being destroyed directly and
the reference on sctp_auth_bytes dropped.

User space can add keys to either list via setsockopt(2) through struct
sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
with refcount 1 and in case of replacement drops the reference on the old
sctp_auth_bytes. A key can be set active from user space through setsockopt()
on the id via sctp_auth_set_active_key(), which iterates through either
endpoint_shared_keys and in case of an assoc, invokes (one of various places)
sctp_auth_asoc_init_active_key().

sctp_auth_asoc_init_active_key() computes the actual secret from local's
and peer's random, hmac and shared key parameters and returns a new key
directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
the reference if there was a previous one. The secret, which where we
eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
intitial refcount of 1, which also stays unchanged eventually in
sctp_assoc_update(). This key is later being used for crypto layer to
set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().

To close the loop: asoc->asoc_shared_key is freshly allocated secret
material and independant of the sctp_shared_key management keeping track
of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a76
("net: sctp: fix memory leak in auth key management") is independant of
this bug here since it concerns a different layer (though same structures
being used eventually). asoc->asoc_shared_key is reference dropped correctly
on assoc destruction in sctp_association_free() and when active keys are
being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
to remove that sctp_auth_key_put() from there which fixes these panics.

Change-Id: I07e48e69eaa9bc6699d75957c75244849e0b5b46
Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
9 years agoVIGS: add base dmabuf import/export support
Vasiliy Ulyanov [Fri, 27 Mar 2015 11:44:35 +0000 (14:44 +0300)]
VIGS: add base dmabuf import/export support

Change-Id: I04b3c9558d99b096a8a54b57ab89a7a8b5b225b6
Signed-off-by: Vasiliy Ulyanov <v.ulyanov@samsung.com>
9 years agoVIGS: enable render-nodes feature
Vasiliy Ulyanov [Wed, 25 Feb 2015 06:55:49 +0000 (09:55 +0300)]
VIGS: enable render-nodes feature

Change-Id: I7304e19f61b10869dc3433d68405d5edb8645de4
Signed-off-by: Vasiliy Ulyanov <v.ulyanov@samsung.com>
9 years agopackage: add changelog for 3.14.4
Sooyoung Ha [Wed, 25 Mar 2015 05:30:37 +0000 (14:30 +0900)]
package: add changelog for 3.14.4

Change-Id: I489e815d248313e748d4962c3cbc1b8ba941ea98
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
9 years agoSmack Bring-up mode including unconfined feature
jooseong.lee [Wed, 25 Mar 2015 02:05:50 +0000 (11:05 +0900)]
Smack Bring-up mode including unconfined feature

Change-Id: Ie875af7fcde4af981aab4eb0219eb7ece74ff558
Signed-off-by: jooseong.lee <jooseong.lee@samsung.com>
9 years agopackage: version up
Sooyoung Ha [Wed, 25 Mar 2015 05:09:19 +0000 (14:09 +0900)]
package: version up

version update to 3.14.4

Change-Id: I106f66a67ab625559d377bb14e17fc92f415b113
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
9 years agoSmack: Lock mode for the floor and hat labels
jooseong.lee [Wed, 25 Mar 2015 02:03:13 +0000 (11:03 +0900)]
Smack: Lock mode for the floor and hat labels

The lock access mode allows setting a read lock on a file
for with the process has only read access. The floor label is
defined to make it easy to have the basic system installed such
that everyone can read it. Once there's a desire to read lock
(rationally or otherwise) a floor file a rule needs to get set.
This happens all the time, so make the floor label a little bit
more special and allow everyone lock access, too. By implication,
give processes with the hat label (hat can read everything)
lock access as well. This reduces clutter in the Smack rule set.

Change-Id: I09b6d234701b3efc67aad30bc3ea09da35c61792
Signed-off-by: jooseong.lee <jooseong.lee@samsung.com>
9 years agoSecurity: smack: replace kzalloc with kmem_cache for inode_smack
jooseong.lee [Wed, 25 Mar 2015 02:02:03 +0000 (11:02 +0900)]
Security: smack: replace kzalloc with kmem_cache for inode_smack

The patch use kmem_cache to allocate/free inode_smack since they are
alloced in high volumes making it a perfect case for kmem_cache.

As per analysis, 24 bytes of memory is wasted per allocation due
to internal fragmentation. With kmem_cache, this can be avoided.

Accounting of memory allocation is below :
 total       slack            net      count-alloc/free        caller
Before (with kzalloc)
1919872      719952          1919872      29998/0          new_inode_smack+0x14

After (with kmem_cache)
1201680          0           1201680      30042/0          new_inode_smack+0x18

>From above data, we found that 719952 bytes(~700 KB) of memory is
saved on allocation of 29998 smack inodes.

Change-Id: Ia930c48bb06eb9c461eb3cf449e25a3a53be7299
Signed-off-by: jooseong.lee <jooseong.lee@samsung.com>
9 years agosecurity: smack: add kmem_cache for smack_master_list allocations
jooseong.lee [Wed, 25 Mar 2015 02:00:22 +0000 (11:00 +0900)]
security: smack: add kmem_cache for smack_master_list allocations

On ARM, sizeof(struct smack_master_list) == 12. Allocation by kmalloc() uses a
32-byte-long chunk to allocate 12 bytes. Just ask ksize().  It means that 63%
of memory is simply wasted for padding bytes.

The problem is fixed in this patch by using kmem_cache. The cache allocates
struct smack_master_list using 16-byte-long chunks according to ksize(). This
reduces amount of used memory by 50%.

Change-Id: Ice10c7eb1099931a82200081110275c5717b12be
Signed-off-by: jooseong.lee <jooseong.lee@samsung.com>
9 years agosecurity: smack: add kmem_cache for smack_rule allocations
jooseong.lee [Wed, 25 Mar 2015 01:58:44 +0000 (10:58 +0900)]
security: smack: add kmem_cache for smack_rule allocations

On ARM, sizeof(struct smack_rule)==20. Allocation by kmalloc() uses a
32-byte-long chunk to allocate 20 bytes. Just ask ksize().  It means that 40%
of memory is simply wasted for padding bytes.

The problem is fixed in this patch by using kmem_cache. The cache allocates
struct smack_rule using 24-byte-long chunks according to ksize(). This reduces
amount of used memory by 25%.

Change-Id: I2753cabc78c31b695ac07bf76cc8861232b64b1d
Signed-off-by: jooseong.lee <jooseong.lee@samsung.com>
9 years agoFix a bidirectional UDS connect check
jooseong.lee [Wed, 25 Mar 2015 01:58:10 +0000 (10:58 +0900)]
Fix a bidirectional UDS connect check

Change-Id: Ib074a4e8ea27fdfff3e30fb74ee90f32d68d37c9
Signed-off-by: jooseong.lee <jooseong.lee@samsung.com>
9 years agoinitramfs: mount devtmpfs before switching root
SeokYeon Hwang [Wed, 25 Mar 2015 04:49:03 +0000 (13:49 +0900)]
initramfs: mount devtmpfs before switching root

Change-Id: I553ba3997f6873657787b404e3fe3cefa2867435

9 years agopackage: version up (3.14.3)
sungmin ha [Fri, 20 Mar 2015 07:07:27 +0000 (16:07 +0900)]
package: version up (3.14.3)

Change-Id: I66f3abba94b7cacf2b4f1a7a2e65bfee722a413e
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
9 years agoconfig: enabled some kernel config for Tizen Zone
sungmin ha [Fri, 13 Mar 2015 05:05:07 +0000 (14:05 +0900)]
config: enabled some kernel config for Tizen Zone

Change-Id: Icc49948b8eb9ef8e0c1a477ec6fa43a0f162c21b
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
9 years agoMerge "packaging: use linux-glibc-devel instread of emulator-kernel-headers" into...
Changseok Oh [Thu, 19 Mar 2015 01:49:03 +0000 (10:49 +0900)]
Merge "packaging: use linux-glibc-devel instread of emulator-kernel-headers" into tizen_2.4

9 years agopackaging: use linux-glibc-devel instread of emulator-kernel-headers
Chanho Park [Tue, 17 Mar 2015 14:41:30 +0000 (23:41 +0900)]
packaging: use linux-glibc-devel instread of emulator-kernel-headers

Toolchain pakcages will be upgraded on tizen_2.4 branch soon. After
upgrading the packages, linux-glibc-devel package which is
kernel-headers based on linux-3.10 will be used for default kernel
header package.

Change-Id: Ia8fb8cf78c2c9c288f2faaa0ac4a42711f1efe80
Signed-off-by: Chanho Park <chanho61.park@samsung.com>
9 years agoPackage: change maintainer
Sangho Park [Fri, 13 Mar 2015 09:58:14 +0000 (18:58 +0900)]
Package: change maintainer

Change-Id: I354790d812ff9ee08b582de43d4d68c7439f8a08
Signed-off-by: Sangho Park <sangho1206.park@samsung.com>
9 years agoMerge "packaging: apply spec file to build emulator-kernel-user-headers" into tizen_2.4
Sangho Park [Fri, 13 Mar 2015 02:02:10 +0000 (11:02 +0900)]
Merge "packaging: apply spec file to build emulator-kernel-user-headers" into tizen_2.4

9 years agoMerge "build: package version up (3.14.2)" into tizen_2.4
Sangho Park [Fri, 13 Mar 2015 02:01:53 +0000 (11:01 +0900)]
Merge "build: package version up (3.14.2)" into tizen_2.4

9 years agoMerge "netfilter: conntrack: disable generic tracking for known protocols" into tizen_2.4
Sangho Park [Fri, 13 Mar 2015 02:01:11 +0000 (11:01 +0900)]
Merge "netfilter: conntrack: disable generic tracking for known protocols" into tizen_2.4

9 years agoMerge "isofs: Fix unchecked printing of ER records" into tizen_2.4
Sangho Park [Fri, 13 Mar 2015 02:00:58 +0000 (11:00 +0900)]
Merge "isofs: Fix unchecked printing of ER records" into tizen_2.4

9 years agoMerge "userns: Document what the invariant required for safe unprivileged mappings...
Sangho Park [Fri, 13 Mar 2015 02:00:47 +0000 (11:00 +0900)]
Merge "userns: Document what the invariant required for safe unprivileged mappings." into tizen_2.4

9 years agoMerge "isofs: Fix infinite looping over CE entries" into tizen_2.4
Sangho Park [Fri, 13 Mar 2015 01:59:56 +0000 (10:59 +0900)]
Merge "isofs: Fix infinite looping over CE entries" into tizen_2.4

9 years agoMerge "KEYS: close race between key lookup and freeing" into tizen_2.4
Sangho Park [Fri, 13 Mar 2015 01:59:36 +0000 (10:59 +0900)]
Merge "KEYS: close race between key lookup and freeing" into tizen_2.4

9 years agopackaging: apply spec file to build emulator-kernel-user-headers
Sooyoung Ha [Thu, 12 Mar 2015 07:36:48 +0000 (16:36 +0900)]
packaging: apply spec file to build emulator-kernel-user-headers

this header package is for SWAP module build

Change-Id: Ib27108b391903ddf7eb79959a9117c7b4218c125
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
9 years agobuild: package version up (3.14.2)
Jinhyung Choi [Thu, 12 Mar 2015 02:53:23 +0000 (11:53 +0900)]
build: package version up (3.14.2)

Change-Id: I1196a65af8298d2630f2f1230c9970aed0d77e28
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agosensor: a global sensor mutex for message transfer
Jinhyung Choi [Thu, 12 Mar 2015 02:50:00 +0000 (11:50 +0900)]
sensor: a global sensor mutex for message transfer

Change-Id: I49f9506634aeb2d87cc24b931c186a8d24e25161
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agonetfilter: conntrack: disable generic tracking for known protocols
Florian Westphal [Fri, 26 Sep 2014 09:35:42 +0000 (11:35 +0200)]
netfilter: conntrack: disable generic tracking for known protocols

Given following iptables ruleset:

-P FORWARD DROP
-A FORWARD -m sctp --dport 9 -j ACCEPT
-A FORWARD -p tcp --dport 80 -j ACCEPT
-A FORWARD -p tcp -m conntrack -m state ESTABLISHED,RELATED -j ACCEPT

One would assume that this allows SCTP on port 9 and TCP on port 80.
Unfortunately, if the SCTP conntrack module is not loaded, this allows
*all* SCTP communication, to pass though, i.e. -p sctp -j ACCEPT,
which we think is a security issue.

This is because on the first SCTP packet on port 9, we create a dummy
"generic l4" conntrack entry without any port information (since
conntrack doesn't know how to extract this information).

All subsequent packets that are unknown will then be in established
state since they will fallback to proto_generic and will match the
'generic' entry.

Our originally proposed version [1] completely disabled generic protocol
tracking, but Jozsef suggests to not track protocols for which a more
suitable helper is available, hence we now mitigate the issue for in
tree known ct protocol helpers only, so that at least NAT and direction
information will still be preserved for others.

 [1] http://www.spinics.net/lists/netfilter-devel/msg33430.html

Joint work with Daniel Borkmann.

Change-Id: Ic099f9cb24e84946e6d0f4352ce1201380cef2e9
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 years agoisofs: Fix unchecked printing of ER records
Jan Kara [Thu, 18 Dec 2014 16:26:10 +0000 (17:26 +0100)]
isofs: Fix unchecked printing of ER records

We didn't check length of rock ridge ER records before printing them.
Thus corrupted isofs image can cause us to access and print some memory
behind the buffer with obvious consequences.

Change-Id: Ie5dbb6d4e0773320442e26ab1fbd01a52f3f8042
Reported-and-tested-by: Carl Henrik Lunde <chlunde@ping.uio.no>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
9 years agouserns: Document what the invariant required for safe unprivileged mappings.
Eric W. Biederman [Fri, 5 Dec 2014 23:51:47 +0000 (17:51 -0600)]
userns: Document what the invariant required for safe unprivileged mappings.

The rule is simple.  Don't allow anything that wouldn't be allowed
without unprivileged mappings.

It was previously overlooked that establishing gid mappings would
allow dropping groups and potentially gaining permission to files and
directories that had lesser permissions for a specific group than for
all other users.

This is the rule needed to fix CVE-2014-8989 and prevent any other
security issues with new_idmap_permitted.

The reason for this rule is that the unix permission model is old and
there are programs out there somewhere that take advantage of every
little corner of it.  So allowing a uid or gid mapping to be
established without privielge that would allow anything that would not
be allowed without that mapping will result in expectations from some
code somewhere being violated.  Violated expectations about the
behavior of the OS is a long way to say a security issue.

Change-Id: I66a4970dab52327190bc2c4540c4558219703267
Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
9 years agoisofs: Fix infinite looping over CE entries
Jan Kara [Mon, 15 Dec 2014 13:22:46 +0000 (14:22 +0100)]
isofs: Fix infinite looping over CE entries

Rock Ridge extensions define so called Continuation Entries (CE) which
define where is further space with Rock Ridge data. Corrupted isofs
image can contain arbitrarily long chain of these, including a one
containing loop and thus causing kernel to end in an infinite loop when
traversing these entries.

Limit the traversal to 32 entries which should be more than enough space
to store all the Rock Ridge data.

Change-Id: Ia0475fc07ee3e8ecc1d53673439f32c175acc10b
Reported-by: P J P <ppandit@redhat.com>
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
9 years agoKEYS: close race between key lookup and freeing
Sasha Levin [Mon, 29 Dec 2014 14:39:01 +0000 (09:39 -0500)]
KEYS: close race between key lookup and freeing

When a key is being garbage collected, it's key->user would get put before
the ->destroy() callback is called, where the key is removed from it's
respective tracking structures.

This leaves a key hanging in a semi-invalid state which leaves a window open
for a different task to try an access key->user. An example is
find_keyring_by_name() which would dereference key->user for a key that is
in the process of being garbage collected (where key->user was freed but
->destroy() wasn't called yet - so it's still present in the linked list).

This would cause either a panic, or corrupt memory.

Fixes CVE-2014-9529.

Change-Id: I878791feeef1325bec21f3b69f4c0e449cdf32f2
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: David Howells <dhowells@redhat.com>
9 years agopackage: version up(3.14.1)
sungmin ha [Wed, 11 Mar 2015 05:37:39 +0000 (14:37 +0900)]
package: version up(3.14.1)

Change-Id: Id1b14d75ade23a897789cfb4f35b994d2771d0c2
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
9 years agoVIGS: workaround for qHD (540x960) video mode
Vasiliy Ulyanov [Wed, 11 Mar 2015 02:47:27 +0000 (11:47 +0900)]
VIGS: workaround for qHD (540x960) video mode

Horizontal resolution was rounded up to 544 (GTF algorithm). It was
causing wrong rendering on emulator (black screen).

Change-Id: I15de1b24773c955c470db49f0ebb080f2e823989
Signed-off-by: Vasiliy Ulyanov <v.ulyanov@samsung.com>
9 years agoVIGS: add new plane for cursor support 14/35114/1
Vasiliy Ulyanov [Mon, 9 Feb 2015 09:00:22 +0000 (12:00 +0300)]
VIGS: add new plane for cursor support

Change-Id: I20dcfa298a7223d6fb58e5781748b09d0978dc3d
Signed-off-by: Vasiliy Ulyanov <v.ulyanov@samsung.com>
9 years agoinitramfs: introduced prerun scripts. 59/34359/2
SeokYeon Hwang [Mon, 26 Jan 2015 06:37:13 +0000 (15:37 +0900)]
initramfs: introduced prerun scripts.

It is very useful for manipulating some files on rootfs before init.
(Configuration files, ...)

Change-Id: I356a9190b80d3c46fb8f84e8f91d346c24263901
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agoevdi: added IOCTL for booting done log 95/33295/3
Jinhyung Choi [Sun, 28 Dec 2014 03:07:51 +0000 (12:07 +0900)]
evdi: added IOCTL for booting done log

Change-Id: I08bc0f9ff1122efc84925c0af60d359c881a8ac1
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agoevdi: removed emuld connection nofication. 94/33294/3
Jinhyung Choi [Mon, 5 Jan 2015 13:26:03 +0000 (22:26 +0900)]
evdi: removed emuld connection nofication.

- The connection message is sent by emuld.

Change-Id: I3d40c422c44e74bdf79b86e6ffe7c1ebe2e1a653
Signed-off-by: Jinhyung Choi <jinhyung2.choi@samsung.com>
9 years agoinitramfs: support new-partitioned image 37/33637/2
SeokYeon Hwang [Tue, 13 Jan 2015 10:43:23 +0000 (19:43 +0900)]
initramfs: support new-partitioned image

Support new-partitioned image.
Introduce rescue shell for emergency situation.

Change-Id: I4e81f3c7cbbf440a6812a85385869972892a491f
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agoinitramfs: using new built busybox 36/33636/1
SeokYeon Hwang [Tue, 13 Jan 2015 10:40:51 +0000 (19:40 +0900)]
initramfs: using new built busybox

Using new built busybox for rich usage.

Change-Id: I8dc348dc5d8a1bc7d20a2aa6e5dd9bcfd79193e1
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agoinitramfs: generate /dev/console to avoid warning 35/33635/1
SeokYeon Hwang [Tue, 13 Jan 2015 10:39:28 +0000 (19:39 +0900)]
initramfs: generate /dev/console to avoid warning

Change-Id: Icbb2b0da9c2ddd846bd1d6853f987eb58808d2c1
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agoinitramfs: respect "init=", "root=" in kernel parameters 86/33486/1
SeokYeon Hwang [Mon, 12 Jan 2015 07:08:38 +0000 (16:08 +0900)]
initramfs: respect "init=", "root=" in kernel parameters

Change-Id: Id35d3b96deefc9df2b22471b734f6cebd9c79b97
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agoinitramfs: cleaned up 85/33485/1
SeokYeon Hwang [Mon, 12 Jan 2015 06:47:06 +0000 (15:47 +0900)]
initramfs: cleaned up

Using devtmpfs for populating /dev.
Removed pre-made dev nodes.
Removed pre-linked binaries to busybox.

Change-Id: I10be92fe41da52d3b8b05edbffd2a798a199b9ca
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agobuild: package version up (2.0.8) 54/32654/1
Alice Liu [Mon, 22 Dec 2014 06:41:36 +0000 (14:41 +0800)]
build: package version up (2.0.8)

Change-Id: I3e8e1f5b24167c2b12cb25232026a9e0a5cd7ba4
Signed-off-by: Alice Liu <alice.liu@intel.com>
9 years agoMerge branch 'tizen_next_linux_3.14' into tizen_next
SeokYeon Hwang [Mon, 22 Dec 2014 05:15:22 +0000 (14:15 +0900)]
Merge branch 'tizen_next_linux_3.14' into tizen_next

9 years agocode conventions: apply the code conventions 26/32426/1
Sooyoung Ha [Thu, 18 Dec 2014 06:30:47 +0000 (15:30 +0900)]
code conventions: apply the code conventions

You should use tab instead of space for indentation.

Change-Id: I43fb0cf0d397eeb84ffde490c19689e98f41ff16
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
9 years agopermission: remove useless execute permission 25/32425/1
Sooyoung Ha [Thu, 18 Dec 2014 06:12:26 +0000 (15:12 +0900)]
permission: remove useless execute permission

Change-Id: I0e44e362f0cbfd16b788613be637954b21111da7
Signed-off-by: Sooyoung Ha <yoosah.ha@samsung.com>
9 years agohwkey: added virtqueue_add_inbuf before virtqueue_kick 23/32223/1
sungmin ha [Tue, 16 Dec 2014 06:21:14 +0000 (15:21 +0900)]
hwkey: added virtqueue_add_inbuf before virtqueue_kick

Change-Id: Icf632a24426b6fb51cf77d59cea07e4bc6e73b23
Signed-off-by: sungmin ha <sungmin82.ha@samsung.com>
9 years agobrillcodec: add ioctl/mmio command for profile module. 42/31342/1
gunsoo83.kim [Thu, 4 Dec 2014 07:27:39 +0000 (16:27 +0900)]
brillcodec: add ioctl/mmio command for profile module.

- To check the profile status, add ioctl/mmio command
  in brillcodec driver.

Change-Id: Ia03f1b65f16ad8240214f267bf5839202f36ded3
Signed-off-by: gunsoo83.kim <gunsoo83.kim@samsung.com>
9 years agobrillcodec: introduce new feature MEMORY_MONOPOLIZING 85/31085/1
SeokYeon Hwang [Sun, 14 Sep 2014 10:01:14 +0000 (19:01 +0900)]
brillcodec: introduce new feature MEMORY_MONOPOLIZING

Change-Id: I9a35dce462efee60149ee5b168d3f2ba4c65ffff
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agobrillcodec: re-arrange device command 84/31084/1
SeokYeon Hwang [Sat, 13 Sep 2014 04:38:10 +0000 (13:38 +0900)]
brillcodec: re-arrange device command

Re-arrange device command.
Apply strict version checking.

Change-Id: Ia473254cef42b077662922a151314dbf51c6def4
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agobrillcodec: introduce brillcodec version 3 83/31083/1
SeokYeon Hwang [Fri, 12 Sep 2014 08:33:56 +0000 (17:33 +0900)]
brillcodec: introduce brillcodec version 3

Change-Id: Ie08b8b4ee8094ce20b9f80f52c72aadcd4f34df5
Signed-off-by: SeokYeon Hwang <syeon.hwang@samsung.com>
9 years agoSmack: Fix setting label on successful file open 98/31098/1
Marcin Niesluchowski [Tue, 19 Aug 2014 12:26:32 +0000 (14:26 +0200)]
Smack: Fix setting label on successful file open

While opening with CAP_MAC_OVERRIDE file label is not set.
Other calls may access it after CAP_MAC_OVERRIDE is dropped from process.

Change-Id: I1d9cdeb325c397dfb0b97e60eb7b2842c1819d99
Signed-off-by: Marcin Niesluchowski <m.niesluchow@samsung.com>
9 years agoSmack: Verify read access on file open - v3 97/31097/1
Casey Schaufler [Mon, 21 Apr 2014 18:10:26 +0000 (11:10 -0700)]
Smack: Verify read access on file open - v3

Smack believes that many of the operatons that can
be performed on an open file descriptor are read operations.
The fstat and lseek system calls are examples.
An implication of this is that files shouldn't be open
if the task doesn't have read access even if it has
write access and the file is being opened write only.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Change-Id: I63d57bc62cd08fa4e1f128b544e7ed7316456e4c
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
9 years agoSmack: bidirectional UDS connect check 96/31096/1
Casey Schaufler [Thu, 10 Apr 2014 23:37:08 +0000 (16:37 -0700)]
Smack: bidirectional UDS connect check

Smack IPC policy requires that the sender have write access
to the receiver. UDS streams don't do per-packet checks. The
only check is done at connect time. The existing code checks
if the connecting process can write to the other, but not the
other way around. This change adds a check that the other end
can write to the connecting process.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Change-Id: I42bb66ba2f73c8e604bee85002fc9e419337732c
Signed-off-by: Casey Schuafler <casey@schaufler-ca.com>
9 years agoSmack: Correctly remove SMACK64TRANSMUTE attribute 95/31095/1
Casey Schaufler [Thu, 10 Apr 2014 23:35:36 +0000 (16:35 -0700)]
Smack: Correctly remove SMACK64TRANSMUTE attribute

Sam Henderson points out that removing the SMACK64TRANSMUTE
attribute from a directory does not result in the directory
transmuting. This is because the inode flag indicating that
the directory is transmuting isn't cleared. The fix is a tad
less than trivial because smk_task and smk_mmap should have
been broken out, too.

Targeted for git://git.gitorious.org/smack-next/kernel.git

Change-Id: I73e29d988fd5ca7502aeab01e340189420a95c75
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
9 years agoSMACK: Fix handling value==NULL in post setxattr 94/31094/1
José Bollo [Thu, 3 Apr 2014 11:48:41 +0000 (13:48 +0200)]
SMACK: Fix handling value==NULL in post setxattr

The function `smack_inode_post_setxattr` is called each
time that a setxattr is done, for any value of name.
The kernel allow to put value==NULL when size==0
to set an empty attribute value. The systematic
call to smk_import_entry was causing the dereference
of a NULL pointer hence a KERNEL PANIC!

The problem can be produced easily by issuing the
command `setfattr -n user.data file` under bash prompt
when SMACK is active.

Moving the call to smk_import_entry as proposed by this
patch is correcting the behaviour because the function
smack_inode_post_setxattr is called for the SMACK's
attributes only if the function smack_inode_setxattr validated
the value and its size (what will not be the case when size==0).

It also has a benefical effect to not fill the smack hash
with garbage values coming from any extended attribute
write.

Change-Id: Iaf0039c2be9bccb6cee11c24a3b44d209101fe47
Signed-off-by: José Bollo <jose.bollo@open.eurogiciel.org>
9 years agobugfix patch for SMACK 93/31093/1
Pankaj Kumar [Fri, 13 Dec 2013 09:42:22 +0000 (15:12 +0530)]
bugfix patch for SMACK

1. In order to remove any SMACK extended attribute from a file, a user
should have CAP_MAC_ADMIN capability. But user without having this
capability is able to remove SMACK64MMAP security attribute.

2. While validating size and value of smack extended attribute in
smack_inode_setsecurity hook, wrong error code is returned.

Change-Id: Ie71e86840f47b6810aaf4ff9a577cdea8274925b
Signed-off-by: Pankaj Kumar <pamkaj.k2@samsung.com>
Signed-off-by: Himanshu Shukla <himanshu.sh@samsung.com>
9 years agoSmack: adds smackfs/ptrace interface 92/31092/1
Lukasz Pawelczyk [Tue, 11 Mar 2014 16:07:06 +0000 (17:07 +0100)]
Smack: adds smackfs/ptrace interface

This allows to limit ptrace beyond the regular smack access rules.
It adds a smackfs/ptrace interface that allows smack to be configured
to require equal smack labels for PTRACE_MODE_ATTACH access.
See the changes in Documentation/security/Smack.txt below for details.

Change-Id: I5459ff414e96dde0430ed8febd92c361c9dc1d81
Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
9 years agoSmack: unify all ptrace accesses in the smack 91/31091/1
Lukasz Pawelczyk [Tue, 11 Mar 2014 16:07:05 +0000 (17:07 +0100)]
Smack: unify all ptrace accesses in the smack

The decision whether we can trace a process is made in the following
functions:
smack_ptrace_traceme()
smack_ptrace_access_check()
smack_bprm_set_creds() (in case the proces is traced)

This patch unifies all those decisions by introducing one function that
checks whether ptrace is allowed: smk_ptrace_rule_check().

This makes possible to actually trace with TRACEME where first the
TRACEME itself must be allowed and then exec() on a traced process.

Additional bugs fixed:
- The decision is made according to the mode parameter that is now correctly
  translated from PTRACE_MODE_* to MAY_* instead of being treated 1:1.
  PTRACE_MODE_READ requires MAY_READ.
  PTRACE_MODE_ATTACH requires MAY_READWRITE.
- Add a smack audit log in case of exec() refused by bprm_set_creds().
- Honor the PTRACE_MODE_NOAUDIT flag and don't put smack audit info
  in case this flag is set.

Change-Id: I43d82d480f331e8ef90da7c287b1e414d55ff394
Signed-off-by: Lukasz Pawelczyk <l.pawelczyk@partner.samsung.com>
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>