media: v4l2-compat-ioctl32.c: move 'helper' functions to __get/put_v4l2_format32

commit 486c521510c44a04cd756a9267e7d1e271c8a4ba upstream.

These helper functions do not really help. Move the code to the
__get/put_v4l2_format32 functions.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.18.y to apply CVE patch]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I055f604210da7586257dcfa667d4d02d92f98697

media: v4l2-compat-ioctl32.c: fix the indentation

commit b7b957d429f601d6d1942122b339474f31191d75 upstream.

The indentation of this source is all over the place. Fix this.
This patch only changes whitespace.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.18.y to apply CVE patch]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I32d44cc5a5e598fe44cfa31f72fb1adee9aee903

media: v4l2-compat-ioctl32.c: add missing VIDIOC_PREPARE_BUF

commit 3ee6d040719ae09110e5cdf24d5386abe5d1b776 upstream.

The result of the VIDIOC_PREPARE_BUF ioctl was never copied back
to userspace since it was missing in the switch.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.18.y to apply CVE patch]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I46cfe614d06f3e5885e29f8e07f0196398fb837c

vb2: V4L2_BUF_FLAG_DONE is set after DQBUF

commit 3171cc2b4eb9831ab4df1d80d0410a945b8bc84e upstream.

According to the doc, V4L2_BUF_FLAG_DONE is cleared after DQBUF:

V4L2_BUF_FLAG_DONE 0x00000004  ... After calling the VIDIOC_QBUF or
VIDIOC_DQBUF it is always cleared ...

Unfortunately, it seems that videobuf2 keeps it set after DQBUF. This
can be tested with vivid and dev_debug:

[257604.338082] video1: VIDIOC_DQBUF: 71:33:25.00260479 index=3,
type=vid-cap, flags=0x00002004, field=none, sequence=163,
memory=userptr, bytesused=460800, offset/userptr=0x344b000,
length=460800

This patch forces FLAG_DONE to 0 after calling DQBUF.

Reported-by: Dimitrios Katsaros <patcherwork@gmail.com>
Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.18.y]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I22dc967ed1cceece77e6235c72ebdb3472bd4245

media: v4l2-ioctl.c: don't copy back the result for -ENOTTY

commit 181a4a2d5a0a7b43cab08a70710d727e7764ccdd upstream.

If the ioctl returned -ENOTTY, then don't bother copying
back the result as there is no point.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: <stable@vger.kernel.org> # for v4.15 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.18.y to apply CVE patch]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I74f89733fb3be9adb9ba8026be1dc699bed0445f

media: v4l2-ctrl: Fix flags field on Control events

commit 9cac9d2fb2fe0e0cadacdb94415b3fe49e3f724f upstream.

VIDIOC_DQEVENT and VIDIOC_QUERY_EXT_CTRL should give the same output for
the control flags field.

This patch creates a new function user_flags(), that calculates the user
exported flags value (which is different than the kernel internal flags
structure). This function is then used by all the code that exports the
internal flags to userspace.

Reported-by: Dimitrios Katsaros <patcherwork@gmail.com>
Signed-off-by: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.18.y]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I7ce4c954bdf559e7cf60816202e4fb1f2fa2ad90

media: v4l2-compat-ioctl32: Fix timespec conversion

commit 9c7ba1d7634cef490b85bc64c4091ff004821bfd upstream.

Certain syscalls like recvmmsg support 64 bit timespec values for the
X32 ABI. The helper function compat_put_timespec converts a timespec
value to a 32 bit or 64 bit value depending on what ABI is used. The
v4l2 compat layer, however, is not designed to support 64 bit timespec
values and always uses 32 bit values. Hence, compat_put_timespec must
not be used.

Without this patch, user space will be provided with bad timestamp
values from the VIDIOC_DQEVENT ioctl. Also, fields of the struct
v4l2_event32 that come immediately after timestamp get overwritten,
namely the field named id.

Fixes: 81993e81a994 ("compat: Get rid of (get|put)_compat_time(val|spec)")
Cc: H. Peter Anvin <hpa@linux.intel.com>
Cc: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Cc: Tiffany Lin <tiffany.lin@mediatek.com>
Cc: Ricardo Ribalda Delgado <ricardo.ribalda@gmail.com>
Cc: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Daniel Mentz <danielmentz@google.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.18.y]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I713662fe9e2103c91fe717929116ae28c57e150d

vb2: Fix an off by one error in 'vb2_plane_vaddr'

commit 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46 upstream.

We should ensure that 'plane_no' is '< vb->num_planes' as done in
'vb2_plane_cookie' just a few lines below.

Fixes: e23ccc0ad925 ("[media] v4l: add videobuf2 Video for Linux 2 driver framework")

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.18.y]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I78542d0bb4c29c29a1c111cebed7ece2fc6d81cf

media: remove unused variable that causes a warning

commit 1d11437f4fd02f9b5d3749675a1232216787dcc6 upstream.

My 'allmodconfig' build is _almost_ free of warnings, and most of the
remaining ones are for legacy drivers that just do bad things that I
can't find it in my black heart to care too much about.  But this one
was just annoying me:

   drivers/media/v4l2-core/videobuf2-core.c:3256:26: warning: unused variable ‘fileio’ [-Wunused-variable]

because commit 0e661006370b ("[media] vb2: fix 'UNBALANCED' warnings
when calling vb2_thread_stop()") removed all users of 'fileio' and
instead calls "__vb2_cleanup_fileio(q)" to clean up q->fileio.  But the
now unused 'fileio' variable was left around.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.18.y]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ibcc1613a6740e15d51218a4373647f262088c1d1

media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32

[ Upstream commit 7df5ab8774aa383c6d2bff00688d004585d96dfd ]

In v4l2-compliance utility, test QUERYBUF required correct length
value to go through each planar to check planar's length in
multi-planar buffer type

Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Cc: <stable@vger.kernel.org> # for v3.7 and up
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[sw0312.kim: cherry-pick from linux-3.18.y]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I08b90f7703cb8e46c3e26d8d596f806f9c24185e

vb2: fix a regression in poll() behavior for output,streams

[ Upstream commit 4623e5967448444a4ea1e77beb58898c4af48693 ]

In the 3.17 kernel the poll() behavior changed for output streams:
as long as not all buffers were queued up poll() would return that
userspace can write. This is fine for the write() call, but when
using stream I/O this changed the behavior since the expectation
was that it would wait for buffers to become available for dequeuing.

This patch only enables the check whether you can queue buffers
for file I/O only, and skips it for stream I/O.

Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: <stable@vger.kernel.org> # for v3.17 and up
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[sw0312.kim: cherry-pick from linux-3.18.y]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I6874d98e4881c059d592addb2e9767d398d82262

netfilter: nfnetlink_queue: fix secctx memory leak

We must call security_release_secctx to free the memory returned by
security_secid_to_secctx, otherwise memory may be leaked forever.

Fixes: ef493bd930ae ("netfilter: nfnetlink_queue: add security context information")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[sw0312.kim: backport the commit 77c1c03c5b8 from mainline to fix already backported commit
 - the commit ef493bd930ae ("netfilter: nfnetlink_queue: add security context information") was backported for nether.service in tizen
 - change in net/netfilter/nfnetlink_queue.c is applied to net/netfilter/nfnetlink_queue_core.c]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ifbc5f96bb6039503b7390864936fe6eda2e53acb

proc, coredump: add CoreDumping flag to /proc/pid/status

Right now there is no convenient way to check if a process is being
coredumped at the moment.

It might be necessary to recognize such state to prevent killing the
process and getting a broken coredump.  Writing a large core might take
significant time, and the process is unresponsive during it, so it might
be killed by timeout, if another process is monitoring and
killing/restarting hanging tasks.

We're getting a significant number of corrupted coredump files on
machines in our fleet, just because processes are being killed by
timeout in the middle of the core writing process.

We do have a process health check, and some agent is responsible for
restarting processes which are not responding for health check requests.
Writing a large coredump to the disk can easily exceed the reasonable
timeout (especially on an overloaded machine).

This flag will allow the agent to distinguish processes which are being
coredumped, extend the timeout for them, and let them produce a full
coredump file.

To provide an ability to detect if a process is in the state of being
coredumped, we can expose a boolean CoreDumping flag in
/proc/pid/status.

Example:
$ cat core.sh
  #!/bin/sh

  echo "|/usr/bin/sleep 10" > /proc/sys/kernel/core_pattern
  sleep 1000 &
  PID=$!

  cat /proc/$PID/status | grep CoreDumping
  kill -ABRT $PID
  sleep 1
  cat /proc/$PID/status | grep CoreDumping

$ ./core.sh
  CoreDumping: 0
  CoreDumping: 1

[guro@fb.com: document CoreDumping flag in /proc/<pid>/status]
Link: http://lkml.kernel.org/r/20170928135357.GA8470@castle.DHCP.thefacebook.com
Link: http://lkml.kernel.org/r/20170920230634.31572-1-guro@fb.com
Signed-off-by: Roman Gushchin <guro@fb.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[inki.dae: backported from mainline - commit : c643401218be
  On Tizen, there is one issue that a process doing coredump can be killed.
  This patch allows a process to detect if given process is being dumped.
  With this, Tizen can exclude such process from 'kill list' so that
  coredump process can finish coredump work.]
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Change-Id: I7ddd9fc618942244bd7e8523be3f080504cc9a06

packaging: add the dzImage-recovery image

Add the dzImage-recovery image as using recovery.

Change-Id: Iafac3bdbd8165a12701fa12c6ddd2ca23ab91d2d
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>

mm,ksm: fix endless looping in allocating memory when ksm enable

[ Upstream commit 5b398e416e880159fe55eefd93c6588fa072cd66 ]

I hit the following hung task when runing a OOM LTP test case with 4.1
kernel.

Call trace:
[<ffffffc000086a88>] __switch_to+0x74/0x8c
[<ffffffc000a1bae0>] __schedule+0x23c/0x7bc
[<ffffffc000a1c09c>] schedule+0x3c/0x94
[<ffffffc000a1eb84>] rwsem_down_write_failed+0x214/0x350
[<ffffffc000a1e32c>] down_write+0x64/0x80
[<ffffffc00021f794>] __ksm_exit+0x90/0x19c
[<ffffffc0000be650>] mmput+0x118/0x11c
[<ffffffc0000c3ec4>] do_exit+0x2dc/0xa74
[<ffffffc0000c46f8>] do_group_exit+0x4c/0xe4
[<ffffffc0000d0f34>] get_signal+0x444/0x5e0
[<ffffffc000089fcc>] do_signal+0x1d8/0x450
[<ffffffc00008a35c>] do_notify_resume+0x70/0x78

The oom victim cannot terminate because it needs to take mmap_sem for
write while the lock is held by ksmd for read which loops in the page
allocator

ksm_do_scan
scan_get_next_rmap_item
down_read
get_next_rmap_item
alloc_rmap_item   #ksmd will loop permanently.

There is no way forward because the oom victim cannot release any memory
in 4.1 based kernel.  Since 4.6 we have the oom reaper which would solve
this problem because it would release the memory asynchronously.
Nevertheless we can relax alloc_rmap_item requirements and use
__GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan
would just retry later after the lock got dropped.

Such a patch would be also easy to backport to older stable kernels which
do not have oom_reaper.

While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed
by the allocation failure.

Link: http://lkml.kernel.org/r/1474165570-44398-1-git-send-email-zhongjiang@huawei.com
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Suggested-by: Hugh Dickins <hughd@google.com>
Suggested-by: Michal Hocko <mhocko@suse.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
[jcsing.lee: cherry-pick from linux-3.18.y to fix ltp issue]
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>
Change-Id: I491c912e110399da272b268cdb40508ba1b9f916

sysv, ipc: fix security-layer leaking

[ Upstream commit 9b24fef9f0410fb5364245d6cc2bd044cc064007 ]

Commit 53dad6d3a8e5 ("ipc: fix race with LSMs") updated ipc_rcu_putref()
to receive rcu freeing function but used generic ipc_rcu_free() instead
of msg_rcu_free() which does security cleaning.

Running LTP msgsnd06 with kmemleak gives the following:

  cat /sys/kernel/debug/kmemleak

  unreferenced object 0xffff88003c0a11f8 (size 8):
    comm "msgsnd06", pid 1645, jiffies 4294672526 (age 6.549s)
    hex dump (first 8 bytes):
      1b 00 00 00 01 00 00 00                          ........
    backtrace:
      kmemleak_alloc+0x23/0x40
      kmem_cache_alloc_trace+0xe1/0x180
      selinux_msg_queue_alloc_security+0x3f/0xd0
      security_msg_queue_alloc+0x2e/0x40
      newque+0x4e/0x150
      ipcget+0x159/0x1b0
      SyS_msgget+0x39/0x40
      entry_SYSCALL_64_fastpath+0x13/0x8f

Manfred Spraul suggested to fix sem.c as well and Davidlohr Bueso to
only use ipc_rcu_free in case of security allocation failure in newary()

Fixes: 53dad6d3a8e ("ipc: fix race with LSMs")
Link: http://lkml.kernel.org/r/1470083552-22966-1-git-send-email-fabf@skynet.be
Signed-off-by: Fabian Frederick <fabf@skynet.be>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: <stable@vger.kernel.org> [3.12+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
[jcsing.lee: cherry-pick from linux-3.18.y to fix ltp issue]
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>
Change-Id: I4e9ab23d55251dc816db9408e89d9a5baf49cfda

locks: use file_inode()

[ Upstream commit 6343a2120862f7023006c8091ad95c1f16a32077 ]

(Another one for the f_path debacle.)

ltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask.

The reason is that generic_add_lease() used filp->f_path.dentry->inode
while all the others use file_inode().  This makes a difference for files
opened on overlayfs since the former will point to the overlay inode the
latter to the underlying inode.

So generic_add_lease() added the lease to the overlay inode and
generic_delete_lease() removed it from the underlying inode.  When the file
was released the lease remained on the overlay inode's lock list, resulting
in use after free.

Reported-by: Eryu Guan <eguan@redhat.com>
Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
Cc: <stable@vger.kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[jcsing.lee: cherry-pick from linux-3.18.y to fix ltp issue]
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>
Change-Id: I6091178a330b85ebb34022f9fbbd5226516399f5

net: socket: Fix the wrong returns for recvmsg and sendmsg

[ Upstream commit HEAD ]

Based on 08adb7dabd4874cc5666b4490653b26534702ce0 upstream.

We found that after v3.10.73, recvmsg might return -EFAULT while -EINVAL
was expected.

We tested it through the recvmsg01 testcase come from LTP testsuit. It set
msg->msg_namelen to -1 and the recvmsg syscall returned errno 14, which is
unexpected (errno 22 is expected):

recvmsg01    4  TFAIL  :  invalid socket length ; returned -1 (expected -1),
errno 14 (expected 22)

Linux mainline has no this bug for commit 08adb7dab fixes it accidentally.
However, it is too large and complex to be backported to LTS 3.10.

Commit 281c9c36 (net: compat: Update get_compat_msghdr() to match
copy_msghdr_from_user() behaviour) made get_compat_msghdr() return
error if msg_sys->msg_namelen was negative, which changed the behaviors
of recvmsg and sendmsg syscall in a lib32 system:

Before commit 281c9c36, get_compat_msghdr() wouldn't fail and it would
return -EINVAL in move_addr_to_user() or somewhere if msg_sys->msg_namelen
was invalid and then syscall returned -EINVAL, which is correct.

And now, when msg_sys->msg_namelen is negative, get_compat_msghdr() will
fail and wants to return -EINVAL, however, the outer syscall will return
-EFAULT directly, which is unexpected.

This patch gets the return value of get_compat_msghdr() as well as
copy_msghdr_from_user(), then returns this expected value if
get_compat_msghdr() fails.

Fixes: 281c9c36 (net: compat: Update get_compat_msghdr() to match copy_msghdr_from_user() behaviour)
Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
Signed-off-by: Hanbing Xu <xuhanbing@huawei.com>
Cc: Li Zefan <lizefan@huawei.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 5ca74d43d929e6ecaba677a411f0e81371d61f76)
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[sw0312.kim: cherry-pick from linux-3.18.y to fix ltp issue]
Reported-by: Jaechul Lee <jcsing.lee@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Idd759ce13ae9a66ca823513724818e7e3f41ce42

Bluetooth: Properly check L2CAP config option output buffer length

commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.

Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.

Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: Cherry-pick from linux-3.18.y tree to fix CVE-2017-1000251]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I479e2d5141a9cb0b5bc105dc40298cbd4bddbff0

packaging: Disable UBSan build

UBSan build on kernel will cause build error because kernel has its own
sanitizer build options. So, dislable UBSan build from packaging spec.

Change-Id: Ia7cccf6daf0718e6d34b0382a62edc18f02ba999
Signed-off-by: Denis Khalikov <d.khalikov@partner.samsung.com>

video/fbdev: decon: fix wrong pixel format setting.

fix wrong pixel format setting.
This patch comes from product kernel.

Change-Id: If5008ffacb65afef7e819ceea4f4b11bb666464e
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: tdm/pp: add shift setting operation during set size.

add shift setting operation during set size
This patch comes from product kernel.

Change-Id: I98692214aaec340db6efecbcb240288d86e14241
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: tdm/pp: add alignmentation to fix cropping problem.

add alignmentation to fix cropping problem
This patch comes from product kernel.

Change-Id: I2901cbe286471ae47932ea7970e5d1025eef0aa9
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

packaging: Remove permission settings for devel package

Setting 644 permissions for devel package is removed. The all files in
the devel package are created with 644 permission. As a result, executable
files don't work when building out-of-tree module because they don't have a
execution permission.

Change-Id: I79854937593af982ed829a39446273e89e91a5f5
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: fix to create uapi header before kernel build

To create proper kernel devel package, kernel should not be cleaned
after build. So, fix to create uapi header which execute clean
before kernel build.

Change-Id: Ie83a2ea56815561074b3e1ee0e77719cbd8a4711
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

packaging: remove unnecessary files from devel package

The files created by build, including Image and merged-dtb, are not
necessary in devel package. Also, for arm64, compressed image is
not zImage or bzImage but Image.gz. Remove the unnecessary files
from devel package instead of not existing zImage or bzImage.

Change-Id: I5c930133a0d062f68545054c84f7229b62a4b1a3
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

packaging: Remove symbolic link in a devel package

The symbolic link to kernel-devel-tizen-dev doesn't need anymore because
those who want to build SWAP-DA will use the absolute package name for
building respectively on the several kernels.

The out-of-tree kernel module build uses absolute devel package name to
bulid SWAP-DA. It should be left out to prevent a conflict between
each kernel devel packages.

Change-Id: I6b55002174a424267db4d5cb4a5c09d9a0ad8358
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

ARM64: tizen_tw2_defconfig: enable MODULES

To support kernel modules build, loading, and unloading enable config
option MODULES and force loading and unloading options.

Change-Id: If67e5a8c5ae91c632a3225244a385ac9ff26728b
Signed-off-by: Alexander Aksenov <a.aksenov@samsung.com>
[sw0312.kim: spilt config patch and adjust commit-msg]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

kconfig: fix not to select TIMA_LKMAUTH from MODULES

TIMA_LKMAUTH prevents loading modules built for development. Fix
not to select TIMA_LKMAUTH by selecting MODULES for possibility
to set the config option.

Change-Id: I65b084ff31e7428296d8995ecb1a9c7a005118c8
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

misc: mcu_ipc: fix duplicated export symbol

There is duplicated export symbol with EXPORT_SYMBOL(). Fix one from
the symbols with proper function name.

With this modification, build error with CONFIG_MODULES is removed.

Change-Id: I696e324cc55ac381063ba8e442dc45e55ba78a01
Signed-off-by: Alexander Aksenov <a.aksenov@samsung.com>
[sw0312.kim: spilt mcu_ipc patch and adjust commit-msg]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

drm/tgm: tdm_pp: add pp_set_planar_addr().

It should be supported to divide each planar address.
This patch is from product kernel.

Change-Id: I3bd2cfa5fabd67ee57ffb7a575e6bf35e2ba161e
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: tdm_pp: add size field on tdm_pp_buf_info.

This patch is from product kernel.

Change-Id: I4d2901793835fe708781ad72c0a3fd28d4608d41
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: tbm: add tbm_gem_get_size().

This patch is from product kernel.

Change-Id: Ia5089be4a803861b66eb17d4463efe860e17914d
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

ARM64: tizen_tw2_defconfig: disble VIDEO_EXYNOS_SCALER

This patch disbles V4L2 based scaler driver.
We use DRM based IPP driver so this configuraion should be disabled.

Change-Id: If1544d8b4db9225f26db51c2c9a1c3940b36be5e
Signed-off-by: Inki Dae <inki.dae@samsung.com>

ARM64: tizen_tw2_defconfig: enable post processing driver

This patch enables post processing driver for TGM module.

Change-Id: Iff25cbe6383231d81b2b44b3773769300103e087
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: code sync with product kernel

This patch synchronizes tgm driver with latest product kernel.

Almost patches have been merged based on original patch of product kernel
but there are missing code from beginning so regarding this code,
I have merged it manually.

Change-Id: If699b55a5ad67e7a82e8195376d81ffbebf78535
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: tdm: change completion interface.

Add cmd completion instead of start / stop completion.
This patch is from product kernel.

Change-Id: I09d0e61d307d619db1ebb61b8e4242edff4a4259
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: tdm: add ttrace log to check vsync

This patch is from product kernel.

Change-Id: I46d68956d4cbf196379a3f6037189712248694dd
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: tdm/pp: add fence mechanism on TDM PP.

This patch is from product kernel.

Change-Id: Iae386e3a0a1984d9dec157153a280ac5886ba5e0
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: tbm: add get dma_buf interface.

This patch is from product kernel.

Change-Id: Id6c8221c75b2bd715968df8fdd49d4b86f26a599
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tdm: implement msc driver to support PP.

MSC driver is included. This patch is from product kernel.

Change-Id: Ibe08ff732fb4e5cc9718b59254cd52f8716bad5b
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tdm: implement PP interface.

PP interface is included. This patch is from product kernel.

Change-Id: I44d06ab017e2023440010ad64a4265e24954f0c2
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tbm: add get/put dma address interface.

DMA address interface set for pp driver.
This patch is from product kernel.

Change-Id: I41ad97483fdd7f0e3c17fc216d04d47edca2f8b1
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: add sub driver handling interface.

It doesn't have the pp interface for the pp driver.
And this patch is from product kernel.

Change-Id: Iceb891e602fe6e6e246445b7d845927cc39a73c0
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: add pid information on gem_info

This patch is from product kernel.

Change-Id: Id408cab17ca339bb2d8c8af1193a7905f2a34869
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

drm/tgm: tdm: change sequence to turn off vblank.

Prevent duplicated low power mode request.
This patch is from product kernel.

Change-Id: I729af7274ca491a84ec72790c8ca6bf67530ce5b
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>

packaging: Turn off building with ASan

Turn off ASan for ASan sanitized firmware build

Change-Id: If786306821ff22e994efaba2b00dcabcc5eb8426
Signed-off-by: Gonzha Dmitriy Evgenevich <d.gonzha@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

packaging: install license for rpm package instead of license package

This patch replaces license rpm package to license file in rpm
package.

Change-Id: I8d06a0b42bce3e5d774151f2d708b081c1b46956
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better).  The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9.  Earlier kernels will
have to look at the page state itself.

Also, the VM has become more scalable, and what used a purely
theoretical race back then has become easier to trigger.

To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.

Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[mainline backport of commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 to resolve CVE-2016-5195]
Change-Id: I9d58d4199fe3c5aa712ed7e58d4bf6a624eb0005
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packet: fix race condition in packet_set_ring

[ Upstream commit 84ac7260236a49c79eede91617700174c2c19b0c ]

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
[mainline backport of commit 5c120b79dd6601a987eb33214f2686e5b75f3c3e to resolve CVE-2016-8655]
Change-Id: I587603ef7796a4b227aa992a873fd6d5ec22774a
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

KEYS: Fix short sprintf buffer in /proc/keys show function

[ Upstream commit 03dab869b7b239c4e013ec82aea22e181e441cfc ]

This fixes CVE-2016-7042.

Fix a short sprintf buffer in proc_keys_show().  If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.

The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:

(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943

That's 14 chars plus NUL, not 11 chars plus NUL.

Expand the buffer to 16 chars.

I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.

The panic incurred looks something like:

Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
 ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
 ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
 [<ffffffff813d941f>] dump_stack+0x63/0x84
 [<ffffffff811b2cb6>] panic+0xde/0x22a
 [<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
 [<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
 [<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
 [<ffffffff81350410>] ? key_validate+0x50/0x50
 [<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
 [<ffffffff8126b31c>] seq_read+0x2cc/0x390
 [<ffffffff812b6b12>] proc_reg_read+0x42/0x70
 [<ffffffff81244fc7>] __vfs_read+0x37/0x150
 [<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
 [<ffffffff81246156>] vfs_read+0x96/0x130
 [<ffffffff81247635>] SyS_read+0x55/0xc0
 [<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4

Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
[mainline backport of commit abe571f80e33d3df7741d15cd03a8b95a93f659f]
Change-Id: I9785f8f6a9bb18d734b75b9c929be90ca433c5ab
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

ecryptfs: don't allow mmap when the lower fs doesn't support it

[ Upstream commit f0fe970df3838c202ef6c07a4c2b36838ef0a88b ]

There are legitimate reasons to disallow mmap on certain files, notably
in sysfs or procfs.  We shouldn't emulate mmap support on file systems
that don't offer support natively.

CVE-2016-1583

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Cc: stable@vger.kernel.org
[tyhicks: clean up f_op check by using ecryptfs_file_to_lower()]
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
[mainline backport of commit 8c8e669bb8c5f690976883dd3b7a32d605c58d9a]
Change-Id: I47d4d1c3945782ff77bf58259fcafff4d2f7e7b3
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

ppp, slip: Validate VJ compression slot parameters completely

[ Upstream commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae ]

Currently slhc_init() treats out-of-range values of rslots and tslots
as equivalent to 0, except that if tslots is too large it will
dereference a null pointer (CVE-2015-7799).

Add a range-check at the top of the function and make it return an
ERR_PTR() on error instead of NULL.  Change the callers accordingly.

Compile-tested only.

Reported-by: 郭永刚 <guoyonggang@360.cn>
References: http://article.gmane.org/gmane.comp.security.oss.general/17908
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[mainline backport of commit 82185755d90c8047c6f4b589c39998ff3d4ca3ad]
Change-Id: Icb00d92ae3e8e8f5d4d06dd55955e1f98a2980b5
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

KEYS: Fix keyring ref leak in join_session_keyring()

[ Upstream commit 23567fd052a9abb6d67fe8e7a9ccdd9800a540f2 ]

This fixes CVE-2016-0728.

If a thread is asked to join as a session keyring the keyring that's already
set as its session, we leak a keyring reference.

This can be tested with the following program:

#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <keyutils.h>

int main(int argc, const char *argv[])
{
int i = 0;
key_serial_t serial;

serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}

if (keyctl(KEYCTL_SETPERM, serial,
   KEY_POS_ALL | KEY_USR_ALL) < 0) {
perror("keyctl");
return -1;
}

for (i = 0; i < 100; i++) {
serial = keyctl(KEYCTL_JOIN_SESSION_KEYRING,
"leaked-keyring");
if (serial < 0) {
perror("keyctl");
return -1;
}
}

return 0;
}

If, after the program has run, there something like the following line in
/proc/keys:

3f3d898f I--Q---   100 perm 3f3f0000     0     0 keyring   leaked-keyring: empty

with a usage count of 100 * the number of times the program has been run,
then the kernel is malfunctioning.  If leaked-keyring has zero usages or
has been garbage collected, then the problem is fixed.

Reported-by: Yevgeny Pats <yevgeny@perception-point.io>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Don Zickus <dzickus@redhat.com>
Acked-by: Prarit Bhargava <prarit@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[mainline backport of commit d25b4531a808bd0faae3dcd0553421d0570373d1]
Change-Id: I00f47005e93ffb2fe1c68024e9d6820f35ac2602
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

KEYS: Fix race between read and revoke

[ Upstream commit b4a1b4f5047e4f54e194681125c74c0aa64d637d ]

This fixes CVE-2015-7550.

There's a race between keyctl_read() and keyctl_revoke().  If the revoke
happens between keyctl_read() checking the validity of a key and the key's
semaphore being taken, then the key type read method will see a revoked key.

This causes a problem for the user-defined key type because it assumes in
its read method that there will always be a payload in a non-revoked key
and doesn't check for a NULL pointer.

Fix this by making keyctl_read() check the validity of a key after taking
semaphore instead of before.

I think the bug was introduced with the original keyrings code.

This was discovered by a multithreaded test program generated by syzkaller
(http://github.com/google/syzkaller).  Here's a cleaned up version:

#include <sys/types.h>
#include <keyutils.h>
#include <pthread.h>
void *thr0(void *arg)
{
key_serial_t key = (unsigned long)arg;
keyctl_revoke(key);
return 0;
}
void *thr1(void *arg)
{
key_serial_t key = (unsigned long)arg;
char buffer[16];
keyctl_read(key, buffer, 16);
return 0;
}
int main()
{
key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
pthread_t th[5];
pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
pthread_join(th[0], 0);
pthread_join(th[1], 0);
pthread_join(th[2], 0);
pthread_join(th[3], 0);
return 0;
}

Build as:

cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread

Run as:

while keyctl-race; do :; done

as it may need several iterations to crash the kernel.  The crash can be
summarised as:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
...
Call Trace:
 [<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
 [<ffffffff81277815>] SyS_keyctl+0x83/0xe0
 [<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[mainline backport of commit e41946e47ec501023afd7e5dfeb794ab7492e7c0]
Change-Id: Ic57adba03af8c5d8c50d7b4817ae9e48adba677f
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

RDS: fix race condition when sending a message on unbound socket

[ Upstream commit 8c7188b23474cca017b3ef354c4a58456f68303a ]

Sasha's found a NULL pointer dereference in the RDS connection code when
sending a message to an apparently unbound socket.  The problem is caused
by the code checking if the socket is bound in rds_sendmsg(), which checks
the rs_bound_addr field without taking a lock on the socket.  This opens a
race where rs_bound_addr is temporarily set but where the transport is not
in rds_bind(), leading to a NULL pointer dereference when trying to
dereference 'trans' in __rds_conn_create().

Vegard wrote a reproducer for this issue, so kindly ask him to share if
you're interested.

I cannot reproduce the NULL pointer dereference using Vegard's reproducer
with this patch, whereas I could without.

Complete earlier incomplete fix to CVE-2015-6937:

  74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")

Cc: David S. Miller <davem@davemloft.net>
Cc: stable@vger.kernel.org
Change-Id: I7b41743a51bd3213de624d6165c6366c9f808067
Reviewed-by: Vegard Nossum <vegard.nossum@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[mainline backport of commit 96c7b10cd8000973035b667adf62ea1164f4b9b4]
Change-Id: I7b41743a51bd3213de624d6165c6366c9f808067
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

net: add validation for the socket syscall protocol argument

[ Upstream commit 79462ad02e861803b3840cc782248c7359451cd9 ]

郭永刚 reported that one could simply crash the kernel as root by
using a simple program:

int socket_fd;
struct sockaddr_in addr;
addr.sin_port = 0;
addr.sin_addr.s_addr = INADDR_ANY;
addr.sin_family = 10;

socket_fd = socket(10,3,0x40000000);
connect(socket_fd , &addr,16);

AF_INET, AF_INET6 sockets actually only support 8-bit protocol
identifiers. inet_sock's skc_protocol field thus is sized accordingly,
thus larger protocol identifiers simply cut off the higher bits and
store a zero in the protocol fields.

This could lead to e.g. NULL function pointer because as a result of
the cut off inet_num is zero and we call down to inet_autobind, which
is NULL for raw sockets.

kernel: Call Trace:
kernel:  [<ffffffff816db90e>] ? inet_autobind+0x2e/0x70
kernel:  [<ffffffff816db9a4>] inet_dgram_connect+0x54/0x80
kernel:  [<ffffffff81645069>] SYSC_connect+0xd9/0x110
kernel:  [<ffffffff810ac51b>] ? ptrace_notify+0x5b/0x80
kernel:  [<ffffffff810236d8>] ? syscall_trace_enter_phase2+0x108/0x200
kernel:  [<ffffffff81645e0e>] SyS_connect+0xe/0x10
kernel:  [<ffffffff81779515>] tracesys_phase2+0x84/0x89

I found no particular commit which introduced this problem.

CVE: CVE-2015-8543
Cc: Cong Wang <cwang@twopensource.com>
Reported-by: 郭永刚 <guoyonggang@360.cn>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[mainline backport of commit e60ccfd9e596b48d4b9d6e2b5440261c83d10c12]
Change-Id: Ia74ccac11d64e4e107b2696661abf87787fd62eb
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

KEYS: ensure we free the assoc array edit if edit is valid

[ Upstream commit HEAD ]

commit ca4da5dd1f99fe9c59f1709fb43e818b18ad20e0 upstream.

__key_link_end is not freeing the associated array edit structure
and this leads to a 512 byte memory leak each time an identical
existing key is added with add_key().

The reason the add_key() system call returns okay is that
key_create_or_update() calls __key_link_begin() before checking to see
whether it can update a key directly rather than adding/replacing - which
it turns out it can.  Thus __key_link() is not called through
__key_instantiate_and_link() and __key_link_end() must cancel the edit.

CVE-2015-1333

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit c9cd9b18dac801040ada16562dc579d5ac366d75)
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
[mainline backport of commit 66db51c9f7b2fe7ebdfa753b2aa9abbb9feddc87]
Change-Id: I00cf148142abfc956609aeb35b030b4d1bba16e6
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

dma-buf: add support for compat ioctl

Add compat ioctl support to dma-buf. This lets one to use DMA_BUF_IOCTL_SYNC
ioctl from 32bit application on 64bit kernel. Data structures for both 32
and 64bit modes are same, so there is no need for additional translation
layer.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
Link: http://patchwork.freedesktop.org/patch/msgid/1487683261-2655-1-git-send-email-m.szyprowski@samsung.com
[Adjust commit-msg with commit in next tree]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I902d06598ffa5a8985274185f6dc5b15ae119fcb

dma-buf: Add ioctls to allow userspace to flush

The userspace might need some sort of cache coherency management e.g. when CPU
and GPU domains are being accessed through dma-buf at the same time. To
circumvent this problem there are begin/end coherency markers, that forward
directly to existing dma-buf device drivers vfunc hooks. Userspace can make use
of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The sequence would be
used like following:
     - mmap dma-buf fd
     - for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write
       to mmap area 3. SYNC_END ioctl. This can be repeated as often as you
       want (with the new data being consumed by the GPU or say scanout device)
     - munmap once you don't need the buffer any more

v2 (Tiago): Fix header file type names (u64 -> __u64)
v3 (Tiago): Add documentation. Use enum dma_buf_sync_flags to the begin/end
dma-buf functions. Check for overflows in start/length.
v4 (Tiago): use 2d regions for sync.
v5 (Tiago): forget about 2d regions (v4); use _IOW in DMA_BUF_IOCTL_SYNC and
remove range information from struct dma_buf_sync.
v6 (Tiago): use __u64 structured padded flags instead enum. Adjust
documentation about the recommendation on using sync ioctls.
v7 (Tiago): Alex' nit on flags definition and being even more wording in the
doc about sync usage.
v9 (Tiago): remove useless is_dma_buf_file check. Fix sync.flags conditionals
and its mask order check. Add <linux/types.h> include in dma-buf.h.

Change-Id: Id20b5354ba481e2d896b08500e1323eedcb16e5b
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1455228291-29640-1-git-send-email-tiago.vignatti@intel.com
And below things are included,
- backport of mainline commit 831e9da7dc5c22fd2a5fb64e999f6e077a4338c3
- fix build errors incurred by argument mismatches of dma_buf_begin/end_cpu_access function calls in v4l2/mali/ion drivers.
Signed-off-by: Inki Dae <inki.dae@samsung.com>

packaging: exported kernel-header based on armv7l

There were difference in kernel-headers between arch64 and armv7l
architecture. It need to be built and exported respectively. So, I
enabled building and made kernel-headers for armv7l.

Change-Id: Ia890e98a591f3474711313ab41800712717190f8
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

power: battery: sec-battery: Add support for disabling battery charge

The new attribute "disable_charge" will be added. If this attribute is
set to 1, battery charging completely stops within "discharging"
state, and it cannot resume until restoring the attribute as 0 or
rebooting the target.

Change-Id: I0638bf73ba89d72c34d1c338a411e6d4978060db
Signed-off-by: Dongwoo Lee <dwoo08.lee@samsung.com>

packaging: exported kernel-header properly

Orginally, kernel-header which is based on 3.18.14 was exported.
We applied some patches on the kernel therefore it need to export
patched kernel-header again. Moreover, organized spec script properly
and removed unnecessary code.

Change-Id: I8935d9cc374a2551e57a4ba4f551c047abad2814
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: added execution authority to script files

GBS build would be failed sometimes because script file don't have
execution authority even though I already added execution permission
like this '755'. So, I added execute permisson forcibly while RPM is
executed.

Change-Id: Ie014c03575659c5f1bca18af8572c712251c38fd
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: removed '%post' script and unnecessary code

There are two rpms as a result such as aarch64 and armv7l. In case of
aarh64, It works well but %post script in armv7l arch won't run because
of baselibs. Therefore, I located dzImage in /boot/kernel/dzImage
directly.

Change-Id: Ibeb43d6db22f597b9ffad07d16b925516ea1950d
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: removed code associated with module build

It is not need to build kernel modules, we don't use it.

Change-Id: I534648cf110ae606187a75bca6e49bd9d954eb33
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: baselibs didn't work.

if i use the name of rpm packages included '.' or '_' like
'linux-3.18-tizen_tw2', it will be failed to make armv7l rpm packages.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: fixed baselibs contents.

added "+/" for making arm7l binary and changed rpm name.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: added 'ExclusiveArch:aarch64'

TW2 should be built to use aarch64.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: added baselibs.conf for building arm7l arch.

It also need to build kernel based on arm7l.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: fixed the permission error when execute "scripts/exynos_*.sh"

script files for dtb were created with 644 permission in the scratchbox even
though i already changed perm to 755. Therefore, build will be failed when
execute "exynos_dtbtool.sh" because it doesn't have 'x' permission.

I tried to touch these files again and it worked well. I suspect that first
patch couldn't apply the file attribute. That's why i made this meaningless
commit.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: removed useless BuildRequires.

Removed useless "BuildRequires" in the spec file such as gcc, lzop, python and
etc. It is possible to build kernel without these packages.

The reason why, kernel doesn't need to have dependencies these packages
associated with Tizen platform.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

arm64: defconfig: disable SWAP_DA config.

removed useless config.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

input: removed annoying input event logs.

Removed unnecessary logs when occuring hardkeys, touchscreen, rotary event.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

arm64: defconfig: changed defconfig name to tw2 from solis

Removed unnecessary defconfigs and changed defconfig name to tw2.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

drm/tgm: tbm: implement prime import ops on gem_ion.

This patch implementes prime import for gem_ion.

Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

ion: add apis to get client property.

This patch adds APIs to get ion client property.

Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

power-supply: sync supply properties and type

This patch fixes to sync supply properties and their type to avoid
int type in string type position.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

battery: p9220: adjust log and log level for get_property

The get_property function prints not matched value with info level,
so this patch adjusts value name and change to debug level.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

video: exynos: Add DECON_STATE_INIT in the suspend function

DECON_STATE_INIT is not defined in the suspend function. So, it return while
booting tizen. Besides, added logs to check the device state.

Errors
dpm_run_callback(): pm_genpd_suspend+0x0/0x78 returns -16
PM: Device 14830000.decon_fb failed to suspend: error -16

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

power: Removed unnecessary logs during booting and idle state.

Changed levels of unnecessary log to debug from error and info.
Moreover, changed error code to ENODATA from EINVAL to avoid printing out
too much logs during idle state.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: Added '.gbs.conf' for partial build

Added gbs configuration file for enhanced building.
it makes gbs build faster than before.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

packaging: Made build scripts for GBS.

Build scripts were fixed to be worked on GBS environment based on gcc6.

Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>

arm64: tizen_solis_defconfig: adjust smack options

This patch adjusts smack options to enable smack netfilter and
smack append signals.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

netfilter: nfnetlink_queue: add security context information

This patch adds an additional attribute when sending
packet information via netlink in netfilter_queue module.
It will send additional security context data, so that
userspace applications can verify this context against
their own security databases.

Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Smack: secmark connections

If the secmark is available us it on connection as
well as packet delivery.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

Smack: Repair netfilter dependency

On 1/23/2015 8:20 AM, Jim Davis wrote:
> Building with the attached random configuration file,
>
> security/smack/smack_netfilter.c: In function ‘smack_ipv4_output’:
> security/smack/smack_netfilter.c:55:6: error: ‘struct sk_buff’ has no
> member named ‘secmark’
>    skb->secmark = skp->smk_secid;
>       ^
> make[2]: *** [security/smack/smack_netfilter.o] Error 1

The existing Makefile used the wrong configuration option to
determine if smack_netfilter should be built. This sets it right.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

Smack: secmark support for netfilter

Smack uses CIPSO to label internet packets and thus provide
for access control on delivery of packets. The netfilter facility
was not used to allow for Smack to work properly without netfilter
configuration. Smack does not need netfilter, however there are
cases where it would be handy.

As a side effect, the labeling of local IPv4 packets can be optimized
and the handling of local IPv6 packets is just all out better.

The best part is that the netfilter tools use "contexts" that
are just strings, and they work just as well for Smack as they
do for SELinux.

All of the conditional compilation for IPv6 was implemented
by Rafal Krypa <r.krypa@samsung.com>

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

Smack: ignore private inode for file functions

The access to fd from anon_inode is always failed because there is
no set xattr operations. So this patch fixes to ignore private
inode including anon_inode for file functions.

It was only ignored for smack_file_receive() to share dma-buf fd,
but dma-buf has other functions like ioctl and mmap.

Reference: https://lkml.org/lkml/2015/4/17/16

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

Smack: fix d_instantiate logic for sockfs and pipefs

Since 4b936885a (v2.6.32) all inodes on sockfs and pipefs are disconnected.
It caused filesystem specific code in smack_d_instantiate to be skipped,
because all inodes on those pseudo filesystems were treated as root inodes.
As a result all sockfs inodes had the Smack label set to floor.

In most cases access checks for sockets use socket_smack data so the inode
label is not important. But there are special cases that were broken.
One example would be calling fcntl with F_SETOWN command on a socket fd.

Now smack_d_instantiate expects all pipefs and sockfs inodes to be
disconnected and has the logic in appropriate place.

Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

Smack: Assign smack_known_web label for kernel thread's

Assign smack_known_web label for kernel thread's socket

Creating struct sock by sk_alloc function in various kernel subsystems
like bluetooth doesn't call smack_socket_post_create(). In such case,
received sock label is the floor('_') label and makes access deny.

Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>

Smack: Signal delivery as an append operation

Under a strict subject/object security policy delivering a
signal or delivering network IPC could be considered either
a write or an append operation. The original choice to make
both write operations leads to an issue where IPC delivery
is desired under policy, but delivery of signals is not.
This patch provides the option of making signal delivery
an append operation, allowing Smack rules that deny signal
delivery while allowing IPC. This was requested for Tizen.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>

modem_if: remove not necessary comparison

The numerical comparison on boolean value causes build warning
with gcc 6, so this patch removes not necessary comparison.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

fix non proper indents for if clause

non proper indent for if clause causes build error with gcc 6. So
this patch fixes them.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

SWAP-DA: remove invalid semicolons on energy module

There are invalid semicolons after if clause on energy module and
it causes following build error with gcc 6, so this patch removes
the invalid semicolons.

  kernel/swap/energy/energy.c: In function 'calc_wifi_recv_energy':
  kernel/swap/energy/energy.c:640:2: error: this 'if' clause does not guard... [-Werror=misleading-indentation]
    if (len <= 0 || check_wlan0(sock));
    ^~
  kernel/swap/energy/energy.c:641:3: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'if'
     return;
     ^~~~~~
  kernel/swap/energy/energy.c: In function 'calc_wifi_send_energy':
  kernel/swap/energy/energy.c:653:2: error: this 'if' clause does not guard... [-Werror=misleading-indentation]
    if (len <= 0 || check_wlan0(sock));
    ^~
  kernel/swap/energy/energy.c:654:3: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'if'
     return;
     ^~~~~~

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

net: bcm4358: fix not to check same value in macro

When BCMBUSTYPE is not defined, then BUSTYPE(bustype) is just
bustype. So comparing bustype and BUSTYPE(bustype) is not necessary.

This patch removes following build warning with gcc 6.
   drivers/net/wireless/bcmdhd4358/siutils.c: In function 'si_doattach':
   drivers/net/wireless/bcmdhd4358/siutils.c:512:14: warning: self-comparison always evaluates to false [-Wtautological-compare]
     if (bustype != BUSTYPE(bustype)) {
                 ^~

Change-Id: I1cac3dd31bcb86983469830013a1093ed9ceaa89
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

trace: remove invalid semicolon after if clause

The commit 6f6f99a38132 ("trace: add non-hierarchical function_graph option"),
in https://android.googlesource.com/kernel/common.git/+/android-3.18,
added invalid semicolon after if clause, so it causes following
build error on gcc 6, so this patch removes the invalid seimicolon.

  kernel/trace/trace_output.c: In function 'trace_graph_ret_raw':
  kernel/trace/trace_output.c:976:2: error: this 'if' clause does not guard... [-Werror=misleading-indentation]
    if (!trace_seq_printf(&iter->seq, "%lx %lld %lld %ld %d\n",
    ^~
  kernel/trace/trace_output.c:982:3: note: ...this statement, but the latter is misleadingly indented as if it is guarded by the 'if'
     return TRACE_TYPE_PARTIAL_LINE;
     ^~~~~~

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>

kbuild: move -Wunused-const-variable to W=1 warning level

[ Upstream commit c9c6837d39311b0cc14cdbe7c18e815ab44aefb1 ]

gcc-6 started warning by default about variables that are not
used anywhere and that are marked 'const', generating many
false positives in an allmodconfig build, e.g.:

arch/arm/mach-davinci/board-da830-evm.c:282:20: warning: 'da830_evm_emif25_pins' defined but not used [-Wunused-const-variable=]
arch/arm/plat-omap/dmtimer.c:958:34: warning: 'omap_timer_match' defined but not used [-Wunused-const-variable=]
drivers/bluetooth/hci_bcm.c:625:39: warning: 'acpi_bcm_default_gpios' defined but not used [-Wunused-const-variable=]
drivers/char/hw_random/omap-rng.c:92:18: warning: 'reg_map_omap4' defined but not used [-Wunused-const-variable=]
drivers/devfreq/exynos/exynos5_bus.c:381:32: warning: 'exynos5_busfreq_int_pm' defined but not used [-Wunused-const-variable=]
drivers/dma/mv_xor.c:1139:34: warning: 'mv_xor_dt_ids' defined but not used [-Wunused-const-variable=]

This is similar to the existing -Wunused-but-set-variable warning
that was added in an earlier release and that we disable by default
now and only enable when W=1 is set, so it makes sense to do
the same here. Once we have eliminated the majority of the
warnings for both, we can put them back into the default list.

We probably want this in backport kernels as well, to allow building
them with gcc-6 without introducing extra warnings.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Olof Johansson <olof@lixom.net>
Acked-by: Lee Jones <lee.jones@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

compiler-gcc: integrate the various compiler-gcc[345].h files

[ Upstream commit f320793e52aee78f0fbb8bcaf10e6614d2e67bfc ]

[ Upstream commit cb984d101b30eb7478d32df56a0023e4603cba7f ]

As gcc major version numbers are going to advance rather rapidly in the
future, there's no real value in separate files for each compiler
version.

Deduplicate some of the macros #defined in each file too.

Neaten comments using normal kernel commenting style.

Signed-off-by: Joe Perches <joe@perches.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Segher Boessenkool <segher@kernel.crashing.org>
Cc: Sasha Levin <levinsasha928@gmail.com>
Cc: Anton Blanchard <anton@samba.org>
Cc: Alan Modra <amodra@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>

build: add exynos system-tools script files

This patch adds exynos system-tools script files to make
merged dtb file and merged kernel file with dtbs.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>