David S. Miller [Tue, 15 Dec 2015 20:39:08 +0000 (15:39 -0500)]
bluetooth: Validate socket address length in sco_sock_bind().
[ Upstream commit 5233252fce714053f0151680933571a2da9cbfb4 ]
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2015-8575]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ib385bb8bb72ae28328cc859da4d633545b0251cb
WANG Cong [Mon, 14 Dec 2015 21:48:36 +0000 (13:48 -0800)]
pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
[ Upstream commit 09ccfd238e5a0e670d8178cf50180ea81ae09ae1 ]
Reported-by: Dmitry Vyukov <dvyukov@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2015-8569]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ice4407c9ce5e0cfd7e91b1f704ac772496fe3e22
David Howells [Thu, 15 Oct 2015 16:21:37 +0000 (17:21 +0100)]
KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
commit f05819df10d7b09f6d1eb6f8534a8f68e5a4fe61 upstream.
The following sequence of commands:
i=`keyctl add user a a @s`
keyctl request2 keyring foo bar @t
keyctl unlink $i @s
tries to invoke an upcall to instantiate a keyring if one doesn't already
exist by that name within the user's keyring set. However, if the upcall
fails, the code sets keyring->type_data.reject_error to -ENOKEY or some
other error code. When the key is garbage collected, the key destroy
function is called unconditionally and keyring_destroy() uses list_empty()
on keyring->type_data.link - which is in a union with reject_error.
Subsequently, the kernel tries to unlink the keyring from the keyring names
list - which oopses like this:
BUG: unable to handle kernel paging request at 00000000ffffff8a
IP: [<ffffffff8126e051>] keyring_destroy+0x3d/0x88
...
Workqueue: events key_garbage_collector
...
RIP: 0010:[<ffffffff8126e051>] keyring_destroy+0x3d/0x88
RSP: 0018:ffff88003e2f3d30 EFLAGS: 00010203
RAX: 00000000ffffff82 RBX: ffff88003bf1a900 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 000000003bfc6901 RDI: ffffffff81a73a40
RBP: ffff88003e2f3d38 R08: 0000000000000152 R09: 0000000000000000
R10: ffff88003e2f3c18 R11: 000000000000865b R12: ffff88003bf1a900
R13: 0000000000000000 R14: ffff88003bf1a908 R15: ffff88003e2f4000
...
CR2: 00000000ffffff8a CR3: 000000003e3ec000 CR4: 00000000000006f0
...
Call Trace:
[<ffffffff8126c756>] key_gc_unused_keys.constprop.1+0x5d/0x10f
[<ffffffff8126ca71>] key_garbage_collector+0x1fa/0x351
[<ffffffff8105ec9b>] process_one_work+0x28e/0x547
[<ffffffff8105fd17>] worker_thread+0x26e/0x361
[<ffffffff8105faa9>] ? rescuer_thread+0x2a8/0x2a8
[<ffffffff810648ad>] kthread+0xf3/0xfb
[<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
[<ffffffff815f2ccf>] ret_from_fork+0x3f/0x70
[<ffffffff810647ba>] ? kthread_create_on_node+0x1c2/0x1c2
Note the value in RAX. This is a 32-bit representation of -ENOKEY.
The solution is to only call ->destroy() if the key was successfully
instantiated.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2015-7872]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ica254cfb71f0b0b5caae0719678f96f008d4a25f
David Howells [Fri, 25 Sep 2015 15:30:08 +0000 (16:30 +0100)]
KEYS: Fix race between key destruction and finding a keyring by name
commit 94c4554ba07adbdde396748ee7ae01e86cf2d8d7 upstream.
There appears to be a race between:
(1) key_gc_unused_keys() which frees key->security and then calls
keyring_destroy() to unlink the name from the name list
(2) find_keyring_by_name() which calls key_permission(), thus accessing
key->security, on a key before checking to see whether the key usage is 0
(ie. the key is dead and might be cleaned up).
Fix this by calling ->destroy() before cleaning up the core key data -
including key->security.
Reported-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix issue before applying CVE-2015-7872]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I857d740596bf886d02fe149055df3191cad9e9db
Linus Torvalds [Wed, 30 Sep 2015 16:48:40 +0000 (12:48 -0400)]
Initialize msg/shm IPC objects before doing ipc_addid()
commit b9a532277938798b53178d5a66af6e2915cb27cf upstream.
As reported by Dmitry Vyukov, we really shouldn't do ipc_addid() before
having initialized the IPC object state. Yes, we initialize the IPC
object in a locked state, but with all the lockless RCU lookup work,
that IPC object lock no longer means that the state cannot be seen.
We already did this for the IPC semaphore code (see commit e8577d1f0329:
"ipc/sem.c: fully initialize sem_array before making it visible") but we
clearly forgot about msg and shm.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Davidlohr Bueso <dbueso@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2015-7613]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I6f398b1bf047a7937e84364e737bfcf391aec9fc
Manfred Spraul [Tue, 2 Dec 2014 23:59:34 +0000 (15:59 -0800)]
ipc/sem.c: fully initialize sem_array before making it visible
ipc_addid() makes a new ipc identifier visible to everyone. New objects
start as locked, so that the caller can complete the initialization
after the call. Within struct sem_array, at least sma->sem_base and
sma->sem_nsems are accessed without any locks, therefore this approach
doesn't work.
Thus: Move the ipc_addid() to the end of the initialization.
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Reported-by: Rik van Riel <riel@redhat.com>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Acked-by: Rafael Aquini <aquini@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[sw0312.kim: cherry-pick from mainline to sync with CVE-2015-7613]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ie03c97b2e6d8783f1c89650540ffc129f89d3846
Eric W. Biederman [Wed, 7 Jan 2015 20:28:26 +0000 (14:28 -0600)]
mnt: Fail collect_mounts when applied to unmounted mounts
The only users of collect_mounts are in audit_tree.c
In audit_trim_trees and audit_add_tree_rule the path passed into
collect_mounts is generated from kern_path passed an audit_tree
pathname which is guaranteed to be an absolute path. In those cases
collect_mounts is obviously intended to work on mounted paths and
if a race results in paths that are unmounted when collect_mounts
it is reasonable to fail early.
The paths passed into audit_tag_tree don't have the absolute path
check. But are used to play with fsnotify and otherwise interact with
the audit_trees, so again operating only on mounted paths appears
reasonable.
Avoid having to worry about what happens when we try and audit
unmounted filesystems by restricting collect_mounts to mounts
that appear in the mount tree.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
[sw0312.kim: cherry-pick from mainline to fix CVE-2015-4177]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ifd9c9c40fe41d7a0b927a83af66c265bf01405f8
Kirill A. Shutemov [Mon, 6 Jul 2015 20:18:37 +0000 (23:18 +0300)]
mm: avoid setting up anonymous pages into file mapping
commit 6b7339f4c31ad69c8e9c0b2859276e22cf72176d upstream.
Reading page fault handler code I've noticed that under right
circumstances kernel would map anonymous pages into file mappings: if
the VMA doesn't have vm_ops->fault() and the VMA wasn't fully populated
on ->mmap(), kernel would handle page fault to not populated pte with
do_anonymous_page().
Let's change page fault handler to use do_anonymous_page() only on
anonymous VMA (->vm_ops == NULL) and make sure that the VMA is not
shared.
For file mappings without vm_ops->fault() or shared VMA without vm_ops,
page fault on pte_none() entry would lead to SIGBUS.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2015-3288]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ib676dd0151f6dcba1797eac3cf8f114fc717cdbf
Linus Torvalds [Thu, 29 Jan 2015 19:15:17 +0000 (11:15 -0800)]
vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS
commit 9c145c56d0c8a0b62e48c8d71e055ad0fb2012ba upstream.
The stack guard page error case has long incorrectly caused a SIGBUS
rather than a SIGSEGV, but nobody actually noticed until commit
fee7e49d4514 ("mm: propagate error from stack expansion even for guard
page") because that error case was never actually triggered in any
normal situations.
Now that we actually report the error, people noticed the wrong signal
that resulted. So far, only the test suite of libsigsegv seems to have
actually cared, but there are real applications that use libsigsegv, so
let's not wait for any of those to break.
Reported-and-tested-by: Takashi Iwai <tiwai@suse.de>
Tested-by: Jan Engelhardt <jengelh@inai.de>
Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com> # "s390 still compiles and boots"
Cc: linux-arch@vger.kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to apply CVE patch]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I939ee01f44e21175fceed914d750b27cca137b49
Linus Torvalds [Thu, 29 Jan 2015 18:51:32 +0000 (10:51 -0800)]
vm: add VM_FAULT_SIGSEGV handling support
commit 33692f27597fcab536d7cbbcc8f52905133e4aa7 upstream.
The core VM already knows about VM_FAULT_SIGBUS, but cannot return a
"you should SIGSEGV" error, because the SIGSEGV case was generally
handled by the caller - usually the architecture fault handler.
That results in lots of duplication - all the architecture fault
handlers end up doing very similar "look up vma, check permissions, do
retries etc" - but it generally works. However, there are cases where
the VM actually wants to SIGSEGV, and applications _expect_ SIGSEGV.
In particular, when accessing the stack guard page, libsigsegv expects a
SIGSEGV. And it usually got one, because the stack growth is handled by
that duplicated architecture fault handler.
However, when the generic VM layer started propagating the error return
from the stack expansion in commit fee7e49d4514 ("mm: propagate error
from stack expansion even for guard page"), that now exposed the
existing VM_FAULT_SIGBUS result to user space. And user space really
expected SIGSEGV, not SIGBUS.
To fix that case, we need to add a VM_FAULT_SIGSEGV, and teach all those
duplicate architecture fault handlers about it. They all already have
the code to handle SIGSEGV, so it's about just tying that new return
value to the existing code, but it's all a bit annoying.
This is the mindless minimal patch to do this. A more extensive patch
would be to try to gather up the mostly shared fault handling logic into
one generic helper routine, and long-term we really should do that
cleanup.
Just from this patch, you can generally see that most architectures just
copied (directly or indirectly) the old x86 way of doing things, but in
the meantime that original x86 model has been improved to hold the VM
semaphore for shorter times etc and to handle VM_FAULT_RETRY and other
"newer" things, so it would be a good idea to bring all those
improvements to the generic case and teach other architectures about
them too.
Reported-and-tested-by: Takashi Iwai <tiwai@suse.de>
Tested-by: Jan Engelhardt <jengelh@inai.de>
Acked-by: Heiko Carstens <heiko.carstens@de.ibm.com> # "s390 still compiles and boots"
Cc: linux-arch@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[shengyong: Backport to 3.10
- adjust context
- ignore modification for arch nios2, because 3.10 does not support it
- ignore modification for driver lustre, because 3.10 does not support it
- ignore VM_FAULT_FALLBACK in VM_FAULT_ERROR, because 3.10 does not support
this flag
- add SIGSEGV handling to powerpc/cell spu_fault.c, because 3.10 does not
separate it to copro_fault.c
- add SIGSEGV handling in mm/memory.c, because 3.10 does not separate it
to gup.c
]
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to apply CVE patch]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I6f418ae2623b821f3949aa47e588497caff65226
Eric W. Biederman [Sun, 16 Aug 2015 01:27:13 +0000 (20:27 -0500)]
vfs: Test for and handle paths that are unreachable from their mnt_root
commit 397d425dc26da728396e66d392d5dcb8dac30c37 upstream.
In rare cases a directory can be renamed out from under a bind mount.
In those cases without special handling it becomes possible to walk up
the directory tree to the root dentry of the filesystem and down
from the root dentry to every other file or directory on the filesystem.
Like division by zero .. from an unconnected path can not be given
a useful semantic as there is no predicting at which path component
the code will realize it is unconnected. We certainly can not match
the current behavior as the current behavior is a security hole.
Therefore when encountering .. when following an unconnected path
return -ENOENT.
- Add a function path_connected to verify path->dentry is reachable
from path->mnt.mnt_root. AKA to validate that rename did not do
something nasty to the bind mount.
To avoid races path_connected must be called after following a path
component to its next path component.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2015-2925]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I93d42edb823ecd450eaf1f17b7399f388a163d5a
Eric W. Biederman [Sat, 15 Aug 2015 18:36:12 +0000 (13:36 -0500)]
dcache: Handle escaped paths in prepend_path
commit cde93be45a8a90d8c264c776fab63487b5038a65 upstream.
A rename can result in a dentry that by walking up d_parent
will never reach its mnt_root. For lack of a better term
I call this an escaped path.
prepend_path is called by four different functions __d_path,
d_absolute_path, d_path, and getcwd.
__d_path only wants to see paths are connected to the root it passes
in. So __d_path needs prepend_path to return an error.
d_absolute_path similarly wants to see paths that are connected to
some root. Escaped paths are not connected to any mnt_root so
d_absolute_path needs prepend_path to return an error greater
than 1. So escaped paths will be treated like paths on lazily
unmounted mounts.
getcwd needs to prepend "(unreachable)" so getcwd also needs
prepend_path to return an error.
d_path is the interesting hold out. d_path just wants to print
something, and does not care about the weird cases. Which raises
the question what should be printed?
Given that <escaped_path>/<anything> should result in -ENOENT I
believe it is desirable for escaped paths to be printed as empty
paths. As there are not really any meaningful path components when
considered from the perspective of a mount tree.
So tweak prepend_path to return an empty path with a new error
code of 3 when it encounters an escaped path.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2015-2925]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: If8631c315bbe221487dc0b1066a246cbd0bc0cb8
Hector Marco-Gisbert [Sat, 14 Feb 2015 17:33:50 +0000 (09:33 -0800)]
x86, mm/ASLR: Fix stack randomization on 64-bit systems
commit 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 upstream.
The issue is that the stack for processes is not properly randomized on
64 bit architectures due to an integer overflow.
The affected function is randomize_stack_top() in file
"fs/binfmt_elf.c":
static unsigned long randomize_stack_top(unsigned long stack_top)
{
	/* 32-bit type: this is the declaration the commit identifies as the bug */
	unsigned int random_variable = 0;

	if ((current->flags & PF_RANDOMIZE) &&
		!(current->personality & ADDR_NO_RANDOMIZE)) {
		random_variable = get_random_int() & STACK_RND_MASK;
		random_variable <<= PAGE_SHIFT;
	}
#ifdef CONFIG_STACK_GROWSUP
	return PAGE_ALIGN(stack_top) + random_variable;
#else
	return PAGE_ALIGN(stack_top) - random_variable;
#endif
}
Note that, it declares the "random_variable" variable as "unsigned int".
Since the result of the shifting operation between STACK_RND_MASK (which
is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
random_variable <<= PAGE_SHIFT;
then the two leftmost bits are dropped when storing the result in the
"random_variable". This variable shall be at least 34 bits long to hold
the (22+12) result.
These two dropped bits have an impact on the entropy of process stack.
Concretely, the total stack entropy is reduced by four: from 2^28 to
2^30 (One fourth of expected entropy).
This patch restores back the entropy by correcting the types involved
in the operations in the functions randomize_stack_top() and
stack_maxrandom_size().
The successful fix can be tested with:
$ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack]
7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack]
7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack]
7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack]
...
Once corrected, the leading bytes should be between 7ffc and 7fff,
rather than always being 7fff.
Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll <iripoll@upv.es>
[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Fixes: CVE-2015-1593
Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net
Signed-off-by: Borislav Petkov <bp@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2015-1593]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I25159c04b9d3897616e8153cdacaa6ed6309abb1
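The truncation described in the randomize_stack_top() commit message above, as an added user-space example that is not part of the commit or the kernel source. STACK_RND_MASK and PAGE_SHIFT are the x86_64 values quoted in the message; DEMO_STACK_TOP and all function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Values quoted in the commit message for x86_64. */
#define STACK_RND_MASK 0x3fffffu
#define PAGE_SHIFT     12
/* Assumed unrandomized stack top for this demo (not stated on the page). */
#define DEMO_STACK_TOP UINT64_C(0x7ffffffff000)

typedef uint64_t (*offset_fn)(uint32_t);

/* Arithmetic as in the pre-fix code: the intermediate is 32 bits wide,
 * so bits 32 and 33 of the shifted value are discarded. */
static uint64_t offset_32bit(uint32_t rnd)
{
    uint32_t v = rnd & STACK_RND_MASK;
    v <<= PAGE_SHIFT;
    return v;
}

/* Same arithmetic with a 64-bit intermediate: all 22 masked bits survive. */
static uint64_t offset_64bit(uint32_t rnd)
{
    uint64_t v = rnd & STACK_RND_MASK;
    v <<= PAGE_SHIFT;
    return v;
}

/* Number of offset bits that any random input can set. Mask-and-shift acts
 * on each input bit independently, so probing one bit at a time is enough. */
static unsigned random_bits(offset_fn f)
{
    uint64_t reachable = 0;
    unsigned n = 0;

    for (unsigned bit = 0; bit < 32; bit++)
        reachable |= f(UINT32_C(1) << bit);
    for (; reachable; reachable &= reachable - 1)
        n++;
    return n;
}

/* Lowest stack top reachable on a grows-down stack: top minus max offset. */
static uint64_t lowest_stack_top(offset_fn f)
{
    return DEMO_STACK_TOP - f(UINT32_MAX);
}

int main(void)
{
    printf("32-bit intermediate: %u random bits, lowest top %llx\n",
           random_bits(offset_32bit),
           (unsigned long long)lowest_stack_top(offset_32bit));
    printf("64-bit intermediate: %u random bits, lowest top %llx\n",
           random_bits(offset_64bit),
           (unsigned long long)lowest_stack_top(offset_64bit));
    return 0;
}
```

With the 32-bit intermediate every reachable stack top keeps the 7fff prefix; with the 64-bit one the range extends down to the 7ffc prefix, which is what the /proc/self/maps check in the commit message looks for.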
Sasha Levin [Wed, 28 Jan 2015 20:30:43 +0000 (15:30 -0500)]
vfs: read file_handle only once in handle_to_path
commit 161f873b89136eb1e69477c847d5a5033239d9ba upstream.
We used to read file_handle twice. Once to get the amount of extra
bytes, and once to fetch the entire structure.
This may be problematic since we do size verifications only after the
first read, so if the number of extra bytes changes in userspace between
the first and second calls, we'll have an incoherent view of
file_handle.
Instead, read the constant size once, and copy that over to the final
structure without having to re-read it again.
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2015-1420]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I9ba4c74512c3dff4687bad2bbfb470cac513333d
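The double read described in the handle_to_path commit message above, modelled in user space as an added example (not the kernel's code). struct handle, MAX_HANDLE_SZ, fetch_from_user() and the simulated racing writer are all stand-ins invented for the demonstration; the sample "user memory" is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HANDLE_SZ 128      /* assumed size limit for this model */
#define RACER_LEN     0xffffu  /* length the simulated racing writer stores */

struct handle {                /* stand-in for a length-prefixed handle */
    uint32_t handle_bytes;
    int32_t  handle_type;
    unsigned char f_handle[];
};

/* Constructed "user memory": header plus 8 payload bytes. */
static unsigned char user_mem[sizeof(struct handle) + 8];
static int fetch_count;

/* Models a copy from user memory. After the first fetch completes, a
 * simulated concurrent writer changes the length field in user memory. */
static void fetch_from_user(void *dst, const void *src, size_t n)
{
    uint32_t racer = RACER_LEN;

    memcpy(dst, src, n);
    if (++fetch_count == 1)
        memcpy(user_mem + offsetof(struct handle, handle_bytes),
               &racer, sizeof racer);
}

/* Pattern the commit removes: validate the first read, then re-read the
 * whole structure, header included. */
static struct handle *read_twice(void)
{
    struct handle hdr, *h;

    fetch_from_user(&hdr, user_mem, sizeof hdr);
    if (hdr.handle_bytes > MAX_HANDLE_SZ)
        return NULL;
    h = malloc(sizeof *h + hdr.handle_bytes);
    if (!h)
        return NULL;
    /* Second fetch overwrites the validated length with unchecked data. */
    fetch_from_user(h, user_mem, sizeof *h + hdr.handle_bytes);
    return h;
}

/* Pattern the commit describes: read the fixed-size part once, copy that
 * validated header into the final structure, fetch only the payload. */
static struct handle *read_once(void)
{
    struct handle hdr, *h;

    fetch_from_user(&hdr, user_mem, sizeof hdr);
    if (hdr.handle_bytes > MAX_HANDLE_SZ)
        return NULL;
    h = malloc(sizeof *h + hdr.handle_bytes);
    if (!h)
        return NULL;
    memcpy(h, &hdr, sizeof hdr);
    fetch_from_user(h->f_handle, user_mem + sizeof hdr, hdr.handle_bytes);
    return h;
}

/* Runs one reader against fresh user memory whose length field starts at 8
 * and returns the length the resulting in-"kernel" copy claims to have. */
static uint32_t observed_len(struct handle *(*reader)(void))
{
    uint32_t initial = 8, len;
    struct handle *h;

    memset(user_mem, 0xAA, sizeof user_mem);
    memcpy(user_mem, &initial, sizeof initial);
    fetch_count = 0;
    h = reader();
    if (!h)
        return 0;
    len = h->handle_bytes;
    free(h);
    return len;
}

int main(void)
{
    /* read_twice: 8 payload bytes allocated, header claims RACER_LEN. */
    return (observed_len(read_twice) == RACER_LEN &&
            observed_len(read_once) == 8) ? 0 : 1;
}
```

The copy produced by read_twice() holds 8 payload bytes but a length field far above MAX_HANDLE_SZ, which is the incoherent view the commit message refers to; read_once() keeps the length that was actually checked.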
Seung-Woo Kim [Thu, 4 Dec 2014 10:17:17 +0000 (19:17 +0900)]
regulator: core: Fix regulator_ena_gpio_free not to access pin after freeing
After freeing pin from regulator_ena_gpio_free, loop can access
the pin. So this patch fixes not to access pin after freeing.
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
[sw0312.kim: cherry-pick from mainline to fix CVE-2014-9940]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Id4cbf09593e15909f33337ac09081bcbf0ce71ea
Dan Carpenter [Wed, 16 Jul 2014 06:37:04 +0000 (09:37 +0300)]
ALSA: compress: fix an integer overflow check
I previously added an integer overflow check here but looking at it now,
it's still buggy.
The bug happens in snd_compr_allocate_buffer(). We multiply
".fragments" and ".fragment_size" and that doesn't overflow but then we
save it in an unsigned int so it truncates the high bits away and we
allocate a smaller than expected size.
Fixes: b35cc8225845 ('ALSA: compress_core: integer overflow in snd_compr_allocate_buffer()')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
[sw0312.kim: cherry-pick from mainline to fix CVE-2014-9904]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ied21a7b60e89347957bac40cd94b44a68ffb6199
Russell King [Wed, 23 Oct 2013 15:14:59 +0000 (16:14 +0100)]
ARM: dma-mapping: don't allow DMA mappings to be marked executable
DMA mapping permissions were being derived from pgprot_kernel directly
without using PAGE_KERNEL. This causes them to be marked with executable
permission, which is not what we want. Fix this.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[sw0312.kim: cherry-pick from mainline to fix CVE-2014-9888]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I2091a256d8ceba7b0f2508e8c354e7064777e503
André Hentschel [Tue, 18 Jun 2013 22:23:26 +0000 (23:23 +0100)]
ARM: 7735/2: Preserve the user r/w register TPIDRURW on context switch and fork
Since commit 6a1c53124aa1 the user writeable TLS register was zeroed to
prevent it from being used as a covert channel between two tasks.
There are more and more applications coming to Windows RT,
Wine could support them, but mostly they expect to have
the thread environment block (TEB) in TPIDRURW.
This patch preserves that register per thread instead of clearing it.
Unlike the TPIDRURO, which is already switched, the TPIDRURW
can be updated from userspace so needs careful treatment in the case that we
modify TPIDRURW and call fork(). To avoid this we must always read
TPIDRURW in copy_thread.
Signed-off-by: André Hentschel <nerv@dawncrow.de>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Jonathan Austin <jonathan.austin@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[sw0312.kim: cherry-pick from mainline to fix CVE-2014-9870]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I8909978010a67300d8e4c2031655343671ef45b2
Kees Cook [Tue, 25 Nov 2014 00:32:38 +0000 (16:32 -0800)]
crypto: include crypto- module prefix in template
commit 4943ba16bbc2db05115707b3ff7b4874e9e3c560 upstream.
This adds the module loading prefix "crypto-" to the template lookup
as well.
For example, attempting to load 'vfat(blowfish)' via AF_ALG now correctly
includes the "crypto-" prefix at every level, correctly rejecting "vfat":
net-pf-38
algif-hash
crypto-vfat(blowfish)
crypto-vfat(blowfish)-all
crypto-vfat
Reported-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Mathias Krause <minipli@googlemail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2014-9644]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I6222e5a693b197ece55ec35ad1fe87a10976bb03
Jari Ruusu [Sat, 13 Jun 2015 16:01:31 +0000 (19:01 +0300)]
d_walk() might skip too much
When Al Viro's VFS deadlock fix "deal with deadlock in d_walk()" was
backported to 3.10.y 3.4.y and 3.2.y stable kernel branches, the deadlock fix
was copied to 3 different places. Later, a bug in that code was discovered.
Al Viro's fix involved fixing only one part of code in mainline kernel. That
fix is called "d_walk() might skip too much".
3.10.y 3.4.y and 3.2.y stable kernel branches need that later fix copied to 3
different places. Greg Kroah-Hartman included Al Viro's "d_walk() might skip
too much" fix only once in 3.10.80 kernel, leaving 2 more places without a
fix.
The patch below was not written by me. I only applied Al Viro's "d_walk()
might skip too much" fix 2 more times to 3.10.80 kernel, and checked that
the fixes went to correct places. With this patch applied, all 3 places that
I am aware of 3.10.y stable branch are now fixed.
Signed-off-by: Jari Ruusu <jariruusu@users.sourceforge.net>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2014-8559]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I357bc43bbe165ccebf4a87ff16c00f757ef165ab
Al Viro [Fri, 29 May 2015 03:09:19 +0000 (23:09 -0400)]
d_walk() might skip too much
commit 2159184ea01e4ae7d15f2017e296d4bc82d5aeb0 upstream.
when we find that a child has died while we'd been trying to ascend,
we should go into the first live sibling itself, rather than its sibling.
Off-by-one in question had been introduced in "deal with deadlock in
d_walk()" and the fix needs to be backported to all branches this one
has been backported to.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2014-8559]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I78ff69a2f7d08b1dfffadec153ceed50080de8f1
Ben Hutchings [Wed, 11 Feb 2015 03:16:35 +0000 (03:16 +0000)]
dcache: Fix locking bugs in backported "deal with deadlock in d_walk()"
commit 20defcec264ceab2630356fb9d397f3d237b5e6d upstream in 3.2-stable
Steven Rostedt reported:
> Porting -rt to the latest 3.2 stable tree I triggered this bug:
>
> =====================================
> [ BUG: bad unlock balance detected! ]
> -------------------------------------
> rm/1638 is trying to release lock (rcu_read_lock) at:
> [<c04fde6c>] rcu_read_unlock+0x0/0x23
> but there are no more locks to release!
>
> other info that might help us debug this:
> 2 locks held by rm/1638:
> #0: (&sb->s_type->i_mutex_key#9/1){+.+.+.}, at: [<c04f93eb>] do_rmdir+0x5f/0xd2
> #1: (&sb->s_type->i_mutex_key#9){+.+.+.}, at: [<c04f9329>] vfs_rmdir+0x49/0xac
>
> stack backtrace:
> Pid: 1638, comm: rm Not tainted 3.2.66-test-rt96+ #2
> Call Trace:
> [<c083f390>] ? printk+0x1d/0x1f
> [<c0463cdf>] print_unlock_inbalance_bug+0xc3/0xcd
> [<c04653a8>] lock_release_non_nested+0x98/0x1ec
> [<c046228d>] ? trace_hardirqs_off_caller+0x18/0x90
> [<c0456f1c>] ? local_clock+0x2d/0x50
> [<c04fde6c>] ? d_hash+0x2f/0x2f
> [<c04fde6c>] ? d_hash+0x2f/0x2f
> [<c046568e>] lock_release+0x192/0x1ad
> [<c04fde83>] rcu_read_unlock+0x17/0x23
> [<c04ff344>] shrink_dcache_parent+0x227/0x270
> [<c04f9348>] vfs_rmdir+0x68/0xac
> [<c04f9424>] do_rmdir+0x98/0xd2
> [<c04f03ad>] ? fput+0x1a3/0x1ab
> [<c084dd42>] ? sysenter_exit+0xf/0x1a
> [<c0465b58>] ? trace_hardirqs_on_caller+0x118/0x149
> [<c04fa3e0>] sys_unlinkat+0x2b/0x35
> [<c084dd13>] sysenter_do_call+0x12/0x12
>
> There's a path to calling rcu_read_unlock() without calling
> rcu_read_lock() in have_submounts().
>
> goto positive;
>
> positive:
> if (!locked && read_seqretry(&rename_lock, seq))
> goto rename_retry;
>
> rename_retry:
> rcu_read_unlock();
>
> in the above path, rcu_read_lock() is never done before calling
> rcu_read_unlock();
I reviewed locking contexts in all three functions that I changed when
backporting "deal with deadlock in d_walk()". It's actually worse
than this:
- We don't hold this_parent->d_lock at the 'positive' label in
have_submounts(), but it is unlocked after 'rename_retry'.
- There is an rcu_read_unlock() after the 'out' label in
select_parent(), but it's not held at the 'goto out'.
Fix all three lock imbalances.
Reported-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2014-8559]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I5a9a6cc7dc35982d4080e9647d369be1d55dca98
Al Viro [Sun, 26 Oct 2014 23:31:10 +0000 (19:31 -0400)]
deal with deadlock in d_walk()
commit ca5358ef75fc69fee5322a38a340f5739d997c10 upstream.
... by not hitting rename_retry for reasons other than rename having
happened. In other words, do _not_ restart when finding that
between unlocking the child and locking the parent the former got
into __dentry_kill(). Skip the killed siblings instead...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Ben Hutchings <ben@decadent.org.uk>
[hujianyang: Backported to 3.10 refer to the work of Ben Hutchings in 3.2:
- As we only have try_to_ascend() and not d_walk(), apply this
change to all callers of try_to_ascend()
- Adjust context to make __dentry_kill() apply to d_kill()]
Signed-off-by: hujianyang <hujianyang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2014-8559]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I9965aad4c4add2e35f2e3ab2b71cc4e9712bba1e
Al Viro [Sun, 26 Oct 2014 23:19:16 +0000 (19:19 -0400)]
move d_rcu from overlapping d_child to overlapping d_alias
commit 946e51f2bf37f1656916eb75bd0742ba33983c28 upstream.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Ben Hutchings <ben@decadent.org.uk>
[hujianyang: Backported to 3.10 refer to the work of Ben Hutchings in 3.2:
- Apply name changes in all the different places we use d_alias and d_child
- Move the WARN_ON() in __d_free() to d_free() as we don't have dentry_free()]
Signed-off-by: hujianyang <hujianyang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2014-8559]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: If4e2a5cdcf9b0759f54cc1c1adca4f73b32cca07
Al Viro [Fri, 4 Oct 2013 15:06:42 +0000 (11:06 -0400)]
get rid of s_files and files_lock
commit eee5cc2702929fd41cce28058dc6d6717f723f87 upstream.
The only thing we need it for is alt-sysrq-r (emergency remount r/o)
and these days we can do just as well without going through the
list of files.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
[wangkai: backport to 3.10: adjust context]
Signed-off-by: Wang Kai <morgan.wang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2014-8172]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Id0c1179c0f3b250c2a2928ff816aa080dd10c117
Oleg Nesterov [Mon, 8 Jul 2013 21:24:16 +0000 (14:24 -0700)]
fput: turn "list_head delayed_fput_list" into llist_head
commit 4f5e65a1cc90bbb15b9f6cdc362922af1bcc155a upstream.
fput() and delayed_fput() can use llist and avoid the locking.
This is unlikely path, it is not that this change can improve
the performance, but this way the code looks simpler.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Suggested-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Andrey Vagin <avagin@openvz.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: David Howells <dhowells@redhat.com>
Cc: Huang Ying <ying.huang@intel.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Wang Kai <morgan.wang@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from mainline to apply CVE patch]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I3b09d96bc0d3a317175bcf3b2f2637d1b64b8955
Rainer Weikusat [Fri, 20 Nov 2015 22:07:23 +0000 (22:07 +0000)]
unix: avoid use-after-free in ep_remove_wait_queue
[ Upstream commit 7d267278a9ece963d77eefec61630223fce08c6c ]
Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
An AF_UNIX datagram socket being the client in an n:1 association with
some server socket is only allowed to send messages to the server if the
receive queue of this socket contains at most sk_max_ack_backlog
datagrams. This implies that prospective writers might be forced to go
to sleep despite none of the message presently enqueued on the server
receive queue were sent by them. In order to ensure that these will be
woken up once space becomes again available, the present unix_dgram_poll
routine does a second sock_poll_wait call with the peer_wait wait queue
of the server socket as queue argument (unix_dgram_recvmsg does a wake
up on this queue after a datagram was received). This is inherently
problematic because the server socket is only guaranteed to remain alive
for as long as the client still holds a reference to it. In case the
connection is dissolved via connect or by the dead peer detection logic
in unix_dgram_sendmsg, the server socket may be freed despite "the
polling mechanism" (in particular, epoll) still has a pointer to the
corresponding peer_wait queue. There's no way to forcibly deregister a
wait queue with epoll.
Based on an idea by Jason Baron, the patch below changes the code such
that a wait_queue_t belonging to the client socket is enqueued on the
peer_wait queue of the server whenever the peer receive queue full
condition is detected by either a sendmsg or a poll. A wake up on the
peer queue is then relayed to the ordinary wait queue of the client
socket via wake function. The connection to the peer wait queue is again
dissolved if either a wake up is about to be relayed or the client
socket reconnects or a dead peer is detected or the client socket is
itself closed. This enables removing the second sock_poll_wait from
unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
that no blocked writer sleeps forever.
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
Reviewed-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2013-7446]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I3144916df9ce8b3e227e634c0eeb64cb341591dc
Kees Cook [Fri, 21 Nov 2014 01:05:53 +0000 (17:05 -0800)]
crypto: prefix module autoloading with "crypto-"
commit 5d26a105b5a73e5635eae0629b42fa0a90e07b7b upstream.
This prefixes all crypto module loading with "crypto-" so we never run
the risk of exposing module auto-loading to userspace via a crypto API,
as demonstrated by Mathias Krause:
https://lkml.org/lkml/2013/3/4/70
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2013-7421]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I3875b4559a9a0b30801487ea6f81847e0a19a3e7
Seung-Woo Kim [Fri, 29 Sep 2017 02:22:35 +0000 (11:22 +0900)]
gpu: remove ununsed ion
The driver/gpu/ion is not used at all and instead, same module in
driver/staging/android/ion is used. Remove unused ion.
Change-Id: I5004efbd53f2613d86fada3b7ef812ba5177238c
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Kirill A. Shutemov [Mon, 20 Oct 2014 09:23:12 +0000 (12:23 +0300)]
kernel: use the gnu89 standard explicitly
Sasha Levin reports:
"gcc5 changes the default standard to c11, which makes kernel build
unhappy
Explicitly define the kernel standard to be gnu89 which should keep
everything working exactly like it was before gcc5"
There are multiple small issues with the new default, but the biggest
issue seems to be that the old - and very useful - GNU extension to
allow a cast in front of an initializer has gone away.
Patch updated by Kirill:
"I'm pretty sure all gcc versions you can build kernel with supports
-std=gnu89. cc-option is redundant.
We also need to adjust HOSTCFLAGS otherwise allmodconfig fails for me"
Note by Andrew Pinski:
"Yes it was reported and both problems relating to this extension has
been added to gnu99 and gnu11. Though there are other issues with the
kernel dealing with extern inline have different semantics between
gnu89 and gnu99/11"
End result: we may be able to move up to a newer stdc model eventually,
but right now the newer models have some annoying deficiencies, so the
traditional "gnu89" model ends up being the preferred one.
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[sw0312.kim: backported from mainline to remove build warning with gcc 6]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I2761b6b4d3eb9b6aad060726747d1010ba0328cb
Will Deacon [Fri, 15 Sep 2017 00:06:27 +0000 (09:06 +0900)]
ARM: perf: add support for perf registers API
This patch implements the functions required for the perf registers API,
allowing the perf tool to interface kernel register dumps with libunwind
in order to provide userspace backtracing.
Cc: Jean Pihet <jean.pihet@linaro.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
[cw00.choi: Backported the mainline patch from Linus Torvalds git repo]
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Change-Id: Ic317dc4184f4a83734f6c33b4f79ac7c7a134066
Ben Seri [Sat, 9 Sep 2017 21:15:59 +0000 (23:15 +0200)]
Bluetooth: Properly check L2CAP config option output buffer length
commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.
Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[dh79.pyun: Cherry-pick from mainline to fix CVE-2017-1000251]
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
Change-Id: I3de2bb146a60c20a90cfcdf10614f3febed3ed8b
Denis Khalikov [Fri, 25 Aug 2017 10:02:18 +0000 (13:02 +0300)]
packaging: Disable UBSan build
UBSan build on kernel will cause build error because kernel has its own
sanitizer build options. So, disable UBSan build from packaging spec.
Change-Id: Ifaf2fa1838cd686a94f7a09eb9081ad5bdc7514b
Signed-off-by: Denis Khalikov <d.khalikov@partner.samsung.com>
hyunuktak [Fri, 18 Aug 2017 08:44:29 +0000 (17:44 +0900)]
ARM: tizen_tm1_defconfig: enable CONFIG_CONNECTOR and CONFIG_PROC_EVENTS
These options enable Netlink Connector feature of kernel to monitor
process lifecycle like Fork and Exit status of all processes
asynchronously.
Connector - unified userspace <-> kernelspace linker
Report process events to userspace
In Tizen, it will be used by stc-manager(smart traffic control) to
monitor process lifecycle.
Change-Id: I265504609e6b2ce963875e66884d064affc48d9d
Signed-off-by: hyunuktak <hyunuk.tak@samsung.com>
Jaechul Lee [Thu, 10 Aug 2017 06:40:26 +0000 (15:40 +0900)]
packaging: Remove symbolic link in a devel package
The symbolic link to kernel-devel-tizen-dev doesn't need anymore because
those who want to build SWAP-DA will use the absolute package name for
building respectively on the several kernels.
The out-of-tree kernel module build uses absolute devel package name to
build SWAP-DA. It should be left out to prevent a conflict between
each kernel devel packages.
Change-Id: If1b4323a6076876e94d2ad7fbc5b5dd5e1228f0c
Signed-off-by: Jaechul Lee <jcsing.lee@samsung.com>
Arnd Bergmann [Tue, 10 May 2016 21:30:01 +0000 (23:30 +0200)]
kbuild: move -Wunused-const-variable to W=1 warning level
gcc-6 started warning by default about variables that are not
used anywhere and that are marked 'const', generating many
false positives in an allmodconfig build, e.g.:
arch/arm/mach-davinci/board-da830-evm.c:282:20: warning: 'da830_evm_emif25_pins' defined but not used [-Wunused-const-variable=]
arch/arm/plat-omap/dmtimer.c:958:34: warning: 'omap_timer_match' defined but not used [-Wunused-const-variable=]
drivers/bluetooth/hci_bcm.c:625:39: warning: 'acpi_bcm_default_gpios' defined but not used [-Wunused-const-variable=]
drivers/char/hw_random/omap-rng.c:92:18: warning: 'reg_map_omap4' defined but not used [-Wunused-const-variable=]
drivers/devfreq/exynos/exynos5_bus.c:381:32: warning: 'exynos5_busfreq_int_pm' defined but not used [-Wunused-const-variable=]
drivers/dma/mv_xor.c:1139:34: warning: 'mv_xor_dt_ids' defined but not used [-Wunused-const-variable=]
This is similar to the existing -Wunused-but-set-variable warning
that was added in an earlier release and that we disable by default
now and only enable when W=1 is set, so it makes sense to do
the same here. Once we have eliminated the majority of the
warnings for both, we can put them back into the default list.
We probably want this in backport kernels as well, to allow building
them with gcc-6 without introducing extra warnings.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Olof Johansson <olof@lixom.net>
Acked-by: Lee Jones <lee.jones@linaro.org>
Cc: stable@vger.kernel.org
Signed-off-by: Michal Marek <mmarek@suse.com>
[sw0312.kim: Backport from mainline to remove GCC 6 build warnings]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I2253ee7b385704137cef252c2835842183f2ddc8
Hyuk Lee [Thu, 6 Jul 2017 07:26:01 +0000 (16:26 +0900)]
Bluetooth: Fix enhance audio streaming chopping issue
If BT controller's buffer is occupied by another profile such as
OPP or SPP, and it is blocked due to RF condition, A2DP packets
couldn't be sent properly. It causes the A2DP chopping issue.
It is because HCI buffer is limited but another tx requests
occupy it and audio streaming packet delay is occurred. So this
patch reserves some HCI buffer for A2DP to guarantee A2DP QoS
better.
Change-Id: I9e2e1fc718cfa6b65dcd0e3aa4439ccce4da99a2
Signed-off-by: Seungyoun Ju <sy39.ju@samsung.com>
Signed-off-by: Hyuk Lee <hyuk0512.lee@samsung.com>
Joonyoung Shim [Wed, 21 Jun 2017 05:03:29 +0000 (14:03 +0900)]
serial: sprd: add locking for tx
Sometimes booting time is delayed as waiting in tty for closing_wait
value when tty device is closed during do tx.
The tty driver requests to wakeup waiting process if pending tx data is
handled by tty driver, then above waiting should be stopped. BTW now
without stop, the waiting is kept until closing_wait value.
I'm not sure, but this problem seems to be caused by processing of tx
data without any synchronization.
This patch adds locking for tx in sprd serial driver, then this problem
is gone.
Change-Id: Icb9d774c4d989c09b666be6951d01a820bb17be5
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Gonzha Dmitriy Evgenevich [Wed, 24 May 2017 10:51:05 +0000 (13:51 +0300)]
packaging: Turn off building with ASan
Turn off ASan for ASan sanitized firmware build
Change-Id: If786306821ff22e994efaba2b00dcabcc5eb8426
Signed-off-by: Gonzha Dmitriy Evgenevich <d.gonzha@samsung.com>
Seung-Woo Kim [Wed, 29 Mar 2017 06:33:48 +0000 (15:33 +0900)]
usb: gadget: slp: fix not to set product string when it is enabled
It is not required to set default product string again when it is
enabled, so this patch fixes not to set product string.
Change-Id: I01fd7b908da9b95bf5105961a6dfac1f4e9030a1
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Seung-Woo Kim [Wed, 29 Mar 2017 02:25:27 +0000 (11:25 +0900)]
build: scripts: add FS label to modules.img
In Tizen ramdisk, it required proper FS label to mount properly, so
this patch adds FS label to modules.img.
Change-Id: I91089822ff348897c6fd915e43da0f475f51a1f1
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Seung-Woo Kim [Mon, 27 Mar 2017 06:21:34 +0000 (15:21 +0900)]
packaging: install license for rpm package instead of license package
This patch replaces license rpm package to license file in rpm
package.
Change-Id: If3038ca2fad6f62027c2caaa5f35f961f17b2e6d
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Marek Szyprowski [Tue, 21 Feb 2017 11:20:25 +0000 (12:20 +0100)]
dma-buf: Add ioctls to allow userspace to flush
The userspace might need some sort of cache coherency management e.g. when CPU
and GPU domains are being accessed through dma-buf at the same time. To
circumvent this problem there are begin/end coherency markers, that forward
directly to existing dma-buf device drivers vfunc hooks. Userspace can make use
of those markers through the DMA_BUF_IOCTL_SYNC ioctl. The sequence would be
used like following:
- mmap dma-buf fd
- for each drawing/upload cycle in CPU 1. SYNC_START ioctl, 2. read/write
to mmap area 3. SYNC_END ioctl. This can be repeated as often as you
want (with the new data being consumed by the GPU or say scanout device)
- munmap once you don't need the buffer any more
v2 (Tiago): Fix header file type names (u64 -> __u64)
v3 (Tiago): Add documentation. Use enum dma_buf_sync_flags to the begin/end
dma-buf functions. Check for overflows in start/length.
v4 (Tiago): use 2d regions for sync.
v5 (Tiago): forget about 2d regions (v4); use _IOW in DMA_BUF_IOCTL_SYNC and
remove range information from struct dma_buf_sync.
v6 (Tiago): use __u64 structured padded flags instead enum. Adjust
documentation about the recommendation on using sync ioctls.
v7 (Tiago): Alex' nit on flags definition and being even more wording in the
doc about sync usage.
v9 (Tiago): remove useless is_dma_buf_file check. Fix sync.flags conditionals
and its mask order check. Add <linux/types.h> include in dma-buf.h.
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Signed-off-by: Tiago Vignatti <tiago.vignatti@intel.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
[mszyprow: backport of mainline commit c11e391da2a8fe973c3c2398452000bed505851e]
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Change-Id: I74eabf0faafebadabce17cb91e9962a44b5af544
Vishnu Pratap Singh [Thu, 2 Mar 2017 01:15:14 +0000 (10:15 +0900)]
staging/ion: free ION buffer after gem object unreference
It's a bug that ION buffer is accessed to unreference gem object after ION
buffer is freed. It can cause memory corruption.
Change-Id: Idbfb5f66e8223b408d529d88b5af5079daac7018
Fixes: 03a9b03a2ab2 ("staging/ion: decrease gem reference count in release of dma-buf")
Signed-off-by: Vishnu Pratap Singh <vishnu.ps@samsung.com>
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Jaehoon Chung [Wed, 15 Feb 2017 05:06:32 +0000 (14:06 +0900)]
ARM: tizen_tm1_defconfig: enable CONFIG_NF_NAT_IPV6
Enable CONFIG_NF_NAT_IPV6 for supporting IPv6 tethering.
Change-Id: I62399e8b15d8af8e0a34879a75ca0e91cdeffb84
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
Dongwoo Lee [Thu, 9 Feb 2017 10:53:03 +0000 (19:53 +0900)]
power: battery: sec-battery: Support force disabling battery charge
The new attribute "disable_charge" will be added. If this attribute is
set to 1, battery charging is completely stopped within "discharging"
state.
Until setting the attribute to 0 or reboot the target, charging cannot
be resumed.
Change-Id: Ib57d3dbcc1e0925940d818c9bc5eced94b7bfddc
Signed-off-by: Dongwoo Lee <dwoo08.lee@samsung.com>
Andrey Ryabinin [Thu, 24 Nov 2016 13:23:10 +0000 (13:23 +0000)]
mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
commit f5527fffff3f002b0a6b376163613b82f69de073 upstream.
This fixes CVE-2016-8650.
If mpi_powm() is given a zero exponent, it wants to immediately return
either 1 or 0, depending on the modulus. However, if the result was
initialised with zero limb space, no limbs space is allocated and a
NULL-pointer exception ensues.
Fix this by allocating a minimal amount of limb space for the result when
the 0-exponent case when the result is 1 and not touching the limb space
when the result is 0.
This affects the use of RSA keys and X.509 certificates that carry them.
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
PGD 0
Oops: 0002 [#1] SMP
Modules linked in:
CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
task: ffff8804011944c0 task.stack: ffff880401294000
RIP: 0010:[<ffffffff8138ce5d>] [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
RSP: 0018:ffff880401297ad8 EFLAGS: 00010212
RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
FS: 00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
Stack:
ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
Call Trace:
[<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
[<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
[<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
[<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
[<ffffffff8132a95c>] rsa_verify+0x9d/0xee
[<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
[<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
[<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
[<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
[<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
[<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
[<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
[<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
[<ffffffff812fe227>] SyS_add_key+0x154/0x19e
[<ffffffff81001c2b>] do_syscall_64+0x80/0x191
[<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
RIP [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
RSP <ffff880401297ad8>
CR2: 0000000000000000
---[ end trace d82015255d4a5d8d ]---
Basically, this is a backport of a libgcrypt patch:
http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526
Fixes: cdec9cb5167a ("crypto: GnuPG based MPI lib - source files (part 1)")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
cc: linux-ima-devel@lists.sourceforge.net
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from v3.10.105 to fix CVE security issue]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I0f600412772c8975f31c98360f7febb96c3afcc2
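The zero-exponent path described in the mpi_powm() commit above, modelled in user space as an added example (not code from the kernel or from the patch). struct toy_mpi and every function name are hypothetical, and the unpatched variant reports the NULL store instead of faulting.

```c
/* Added illustration: user-space model of the zero-exponent shortcut in a
 * limb-based modular exponentiation. All names here are hypothetical. */
#include <stdint.h>
#include <stdlib.h>

typedef uint64_t limb_t;

struct toy_mpi {
    size_t alloced;   /* limbs allocated behind d */
    size_t nlimbs;    /* limbs in use; 0 encodes the value 0 */
    limb_t *d;        /* NULL while alloced == 0 */
};

enum powm_status { POWM_OK = 0, POWM_ENOMEM = -1, POWM_NULL_STORE = -2 };

/* Ensure at least n limbs are allocated; newly added limbs are zeroed. */
static int toy_resize(struct toy_mpi *a, size_t n)
{
    limb_t *p;
    size_t i;

    if (a->alloced >= n)
        return 0;
    p = realloc(a->d, n * sizeof(*p));
    if (!p)
        return -1;
    for (i = a->alloced; i < n; i++)
        p[i] = 0;
    a->d = p;
    a->alloced = n;
    return 0;
}

static int mod_is_one(const struct toy_mpi *mod)
{
    return mod->nlimbs == 1 && mod->d[0] == 1;
}

/* Pre-fix shape: the limb pointer is written unconditionally. The model
 * reports the NULL store where the kernel would write to address 0. */
static enum powm_status zero_exp_unpatched(struct toy_mpi *res,
                                           const struct toy_mpi *mod)
{
    limb_t *rp = res->d;

    if (rp == NULL)
        return POWM_NULL_STORE;
    rp[0] = 1;
    res->nlimbs = mod_is_one(mod) ? 0 : 1;
    return POWM_OK;
}

/* Post-fix shape: allocate one limb only when the result is 1, and leave
 * the limb space untouched when the result is 0. */
static enum powm_status zero_exp_patched(struct toy_mpi *res,
                                         const struct toy_mpi *mod)
{
    res->nlimbs = mod_is_one(mod) ? 0 : 1;
    if (res->nlimbs) {
        if (toy_resize(res, 1) < 0)
            return POWM_ENOMEM;
        res->d[0] = 1;
    }
    return POWM_OK;
}

/* Drivers: compute x^0 mod m into a result that starts with no limb space. */
int unpatched_status(limb_t m)
{
    struct toy_mpi mod = { 1, 1, &m };
    struct toy_mpi res = { 0, 0, NULL };

    return zero_exp_unpatched(&res, &mod);
}

/* Returns the result value (0 or 1), or a negative powm_status on failure. */
int patched_value(limb_t m)
{
    struct toy_mpi mod = { 1, 1, &m };
    struct toy_mpi res = { 0, 0, NULL };
    int st = zero_exp_patched(&res, &mod);
    int value = st < 0 ? st : (res.nlimbs ? (int)res.d[0] : 0);

    free(res.d);
    return value;
}

/* Number of limbs the patched path ends up allocating for modulus m. */
int patched_alloced(limb_t m)
{
    struct toy_mpi mod = { 1, 1, &m };
    struct toy_mpi res = { 0, 0, NULL };
    int n;

    zero_exp_patched(&res, &mod);
    n = (int)res.alloced;
    free(res.d);
    return n;
}
```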
David Howells [Wed, 26 Oct 2016 14:01:54 +0000 (15:01 +0100)]
KEYS: Fix short sprintf buffer in /proc/keys show function
commit 03dab869b7b239c4e013ec82aea22e181e441cfc upstream.
This fixes CVE-2016-7042.
Fix a short sprintf buffer in proc_keys_show(). If the gcc stack protector
is turned on, this can cause a panic due to stack corruption.
The problem is that xbuf[] is not big enough to hold a 64-bit timeout
rendered as weeks:
(gdb) p 0xffffffffffffffffULL/(60*60*24*7)
$2 = 30500568904943
That's 14 chars plus NUL, not 11 chars plus NUL.
Expand the buffer to 16 chars.
I think the unpatched code apparently works if the stack-protector is not
enabled because on a 32-bit machine the buffer won't be overflowed and on a
64-bit machine there's a 64-bit aligned pointer at one side and an int that
isn't checked again on the other side.
The panic incurred looks something like:
Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff81352ebe
CPU: 0 PID: 1692 Comm: reproducer Not tainted 4.7.2-201.fc24.x86_64 #1
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
0000000000000086 00000000fbbd2679 ffff8800a044bc00 ffffffff813d941f
ffffffff81a28d58 ffff8800a044bc98 ffff8800a044bc88 ffffffff811b2cb6
ffff880000000010 ffff8800a044bc98 ffff8800a044bc30 00000000fbbd2679
Call Trace:
[<ffffffff813d941f>] dump_stack+0x63/0x84
[<ffffffff811b2cb6>] panic+0xde/0x22a
[<ffffffff81352ebe>] ? proc_keys_show+0x3ce/0x3d0
[<ffffffff8109f7f9>] __stack_chk_fail+0x19/0x30
[<ffffffff81352ebe>] proc_keys_show+0x3ce/0x3d0
[<ffffffff81350410>] ? key_validate+0x50/0x50
[<ffffffff8134db30>] ? key_default_cmp+0x20/0x20
[<ffffffff8126b31c>] seq_read+0x2cc/0x390
[<ffffffff812b6b12>] proc_reg_read+0x42/0x70
[<ffffffff81244fc7>] __vfs_read+0x37/0x150
[<ffffffff81357020>] ? security_file_permission+0xa0/0xc0
[<ffffffff81246156>] vfs_read+0x96/0x130
[<ffffffff81247635>] SyS_read+0x55/0xc0
[<ffffffff817eb872>] entry_SYSCALL_64_fastpath+0x1a/0xa4
Reported-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Ondrej Kozina <okozina@redhat.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from v3.10.105 to fix CVE security issue]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I791f4ca1ec351cc7dba684bb2216a797ce945633
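The buffer-size arithmetic from the /proc/keys commit above, as an added example that is not part of the commit. It assumes the timeout is rendered with a one-letter unit suffix (s, m, h, d, w); render_timeout, the helper functions and the two buffer-size macros are hypothetical names.

```c
/* Added illustration: how many bytes a key timeout needs when rendered in
 * the largest fitting unit, and a bounded renderer that refuses to
 * truncate. The unit-suffix format is an assumption of this example. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OLD_XBUF 12   /* "11 chars plus NUL" in the commit message */
#define NEW_XBUF 16   /* size after the fix */

/* snprintf semantics: returns the length that would be written, excluding
 * the NUL, even when buf is too small (or NULL with len 0). */
int render_timeout(char *buf, size_t len, uint64_t secs)
{
    unsigned long long t = secs;

    if (t < 60)
        return snprintf(buf, len, "%llus", t);
    if (t < 60 * 60)
        return snprintf(buf, len, "%llum", t / 60);
    if (t < 60 * 60 * 24)
        return snprintf(buf, len, "%lluh", t / (60 * 60));
    if (t < 60 * 60 * 24 * 7)
        return snprintf(buf, len, "%llud", t / (60 * 60 * 24));
    return snprintf(buf, len, "%lluw", t / (60 * 60 * 24 * 7));
}

/* Bytes required for the rendered text including the terminating NUL. */
int bytes_needed(uint64_t secs)
{
    return render_timeout(NULL, 0, secs) + 1;
}

/* 1 if a buffer of buflen bytes holds the rendering without truncation. */
int fits(size_t buflen, uint64_t secs)
{
    return (size_t)bytes_needed(secs) <= buflen;
}

/* Bounded rendering: 0 on success, -1 if the output would not fit. An
 * unbounded sprintf() into a short buffer is what corrupted the stack. */
int render_checked(char *buf, size_t len, uint64_t secs)
{
    int n = render_timeout(buf, len, secs);

    if (n < 0 || (size_t)n >= len) {
        if (len)
            buf[0] = '\0';
        return -1;
    }
    return 0;
}

/* 1 if secs renders exactly as expect in a NEW_XBUF-sized buffer. */
int matches(uint64_t secs, const char *expect)
{
    char xbuf[NEW_XBUF];

    if (render_checked(xbuf, sizeof(xbuf), secs) < 0)
        return 0;
    return strcmp(xbuf, expect) == 0;
}

/* 1 if the bounded renderer rejects secs for a buffer of buflen bytes. */
int rejected(size_t buflen, uint64_t secs)
{
    char xbuf[NEW_XBUF];

    if (buflen > sizeof(xbuf))
        buflen = sizeof(xbuf);
    return render_checked(xbuf, buflen, secs) == -1;
}
```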
Seung-Woo Kim [Thu, 26 Jan 2017 06:26:37 +0000 (15:26 +0900)]
packaging: add provided name for kernel image package
This patch adds default provided name for kernel image package as
linux-kernel.
Change-Id: I294b76f6b28e7682949568f74b253ee16856e626
Suggested-by: MyungJoo Ham <myungjoo.ham@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Seung-Woo Kim [Thu, 8 Dec 2016 06:14:16 +0000 (15:14 +0900)]
power: fuel_gauge: sprd2713: fix division by zero during initialization
This patch fixes following division by zero during initialization.
Division by zero in kernel.
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 3.10.65 #1-Tizen
[<c00153bc>] (unwind_backtrace+0x0/0x118) from [<c0013010>] (show_stack+0x10/0x14)
[<c0013010>] (show_stack+0x10/0x14) from [<c021487c>] (Ldiv0+0x8/0x10)
[<c021487c>] (Ldiv0+0x8/0x10) from [<c043b184>] (:+0x38c/0xb70)
[<c043b184>] (sprdfgu_init+0x38c/0xb70) from [<c0438b00>] (sec_hal_fg_init+0x1b0/0x22c)
[<c0438b00>] (sec_hal_fg_init+0x1b0/0x22c) from [<c043965c>] (sec_fuelgauge_probe+0x154/0x2fc)
[<c043965c>] (sec_fuelgauge_probe+0x154/0x2fc) from [<c02c1b14>] (driver_probe_device+0x124/0x32c)
[<c02c1b14>] (driver_probe_device+0x124/0x32c) from [<c02c1dc8>] (__driver_attach+0x68/0x8c)
[<c02c1dc8>] (__driver_attach+0x68/0x8c) from [<c02bfffc>] (bus_for_each_dev+0x68/0x8c)
[<c02bfffc>] (bus_for_each_dev+0x68/0x8c) from [<c02c1120>] (bus_add_driver+0x104/0x240)
[<c02c1120>] (bus_add_driver+0x104/0x240) from [<c02c2340>] (driver_register+0x9c/0x120)
[<c02c2340>] (driver_register+0x9c/0x120) from [<c0009550>] (do_one_initcall+0xb8/0x160)
[<c0009550>] (do_one_initcall+0xb8/0x160) from [<c09c6be4>] (kernel_init_freeable+0x158/0x220)
[<c09c6be4>] (kernel_init_freeable+0x158/0x220) from [<c06c2efc>] (kernel_init+0x8/0xe8)
[<c06c2efc>] (kernel_init+0x8/0xe8) from [<c000f258>] (ret_from_fork+0x14/0x3c)
Change-Id: Iba009b1eab23c34456c8d2b0283efda4b003498b
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Seung-Woo Kim [Fri, 13 Jan 2017 05:19:37 +0000 (14:19 +0900)]
packaging: remove To-Be-Unsupported macro
The tizen_target_name macro will be removed, so this patch removes
it.
Change-Id: I58a8fbe2a9005c307f8b3c621958860b06086861
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Andi Shyti [Wed, 7 Dec 2016 07:52:25 +0000 (16:52 +0900)]
input: ist3xx: replace misused strncat with s(n)printf
strncat is used improperly exposing the driver to a buffer
overflow risk.
Use s(n)printf instead.
An implicit result of this patch is some code simplification.
Change-Id: I7dfb61addf015362fed1a4ebd595ac533a012a48
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Rafal Krypa [Tue, 13 Dec 2016 12:46:54 +0000 (13:46 +0100)]
ARM: tizen_tm1_defconfig: enable SECURITY_SMACK_APPEND_SIGNALS
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
Change-Id: Iba70704a166d50ef295acd3166bf5d738adb9295
Casey Schaufler [Tue, 30 Aug 2016 17:31:39 +0000 (10:31 -0700)]
Smack: Signal delivery as an append operation
Under a strict subject/object security policy delivering a
signal or delivering network IPC could be considered either
a write or an append operation. The original choice to make
both write operations leads to an issue where IPC delivery
is desired under policy, but delivery of signals is not.
This patch provides the option of making signal delivery
an append operation, allowing Smack rules that deny signal
delivery while allowing IPC. This was requested for Tizen.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[mainline backport of commit c60b906673eebb4f65840fa9dc204401caf276ea]
Change-Id: I969f0f9eefc076d81a95f3d36e695cd07507bfd4
jooseong lee [Tue, 13 Dec 2016 01:12:48 +0000 (10:12 +0900)]
Smack: fix d_instantiate logic for sockfs and pipefs
Since 4b936885a (v2.6.32) all inodes on sockfs and pipefs are disconnected.
It caused filesystem specific code in smack_d_instantiate to be skipped,
because all inodes on those pseudo filesystems were treated as root inodes.
As a result all sockfs inodes had the Smack label set to floor.
In most cases access checks for sockets use socket_smack data so the inode
label is not important. But there are special cases that were broken.
One example would be calling fcntl with F_SETOWN command on a socket fd.
Now smack_d_instantiate expects all pipefs and sockfs inodes to be
disconnected and has the logic in appropriate place.
Change-Id: I06e1977d30afe39f6758ea18245046d413fa46a4
Signed-off-by: Rafal Krypa <r.krypa@samsung.com>
[jooseong.lee: Backported from mainline]
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Pablo Neira Ayuso [Wed, 7 Aug 2013 17:12:34 +0000 (19:12 +0200)]
netfilter: ctnetlink: refactor ctnetlink_create_expect
This patch refactors ctnetlink_create_expect by splitting it in two
chunks. As a result, we have a new function ctnetlink_alloc_expect
to allocate and to setup the expectation from ctnetlink.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[Applied from mainline v3.11 for the other backported commit
930a2d023b07 ("netfilter: nfnetlink_queue: allow to attach expectations to conntracks")]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I97e8ac912bab81a4668cbaa602c5ba7bc52fb2e8
Jiri Slaby [Mon, 13 Apr 2015 14:41:28 +0000 (16:41 +0200)]
core, nfqueue, openvswitch: fix compilation warning
Stable commit "core, nfqueue, openvswitch: Orphan frags in
skb_zerocopy and handle errors", upstream commit
36d5fe6a000790f56039afe26834265db0a3ad4c, was not correctly backported
and missed to change a const 'from' parameter to non-const. This
results in a new batch of warnings:
net/netfilter/nfnetlink_queue_core.c: In function ‘nfqnl_zcopy’:
net/netfilter/nfnetlink_queue_core.c:272:2: warning: passing argument 1 of ‘skb_orphan_frags’ discards ‘const’ qualifier from pointer target type [enabled by default]
if (unlikely(skb_orphan_frags(from, GFP_ATOMIC))) {
^
In file included from net/netfilter/nfnetlink_queue_core.c:18:0:
include/linux/skbuff.h:1822:19: note: expected ‘struct sk_buff *’ but argument is of type ‘const struct sk_buff *’
static inline int skb_orphan_frags(struct sk_buff *skb, gfp_t gfp_mask)
^
net/netfilter/nfnetlink_queue_core.c:273:3: warning: passing argument 1 of ‘skb_tx_error’ discards ‘const’ qualifier from pointer target type [enabled by default]
skb_tx_error(from);
^
In file included from net/netfilter/nfnetlink_queue_core.c:18:0:
include/linux/skbuff.h:630:13: note: expected ‘struct sk_buff *’ but argument is of type ‘const struct sk_buff *’
extern void skb_tx_error(struct sk_buff *skb);
Remove const from the 'from' parameter, the same as in the upstream
commit.
As far as I can see, this leaked into 3.10, 3.12, and 3.13 already.
Cc: Zoltan Kiss <zoltan.kiss@citrix.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Kamal Mostafa <kamal.mostafa@canonical.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[applied from linux-3.10.y to fix build warning]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I8ea0f40716ad40c79d5b076546ba2ac567eda0ee
Philip Pettersson [Thu, 8 Dec 2016 08:18:53 +0000 (17:18 +0900)]
packet: fix race condition in packet_set_ring
When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.
This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.
The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.
Ps. This is CVE-2016-8655 patch,
http://seclists.org/oss-sec/2016/q4/607
Change-Id: I3396f1bfe60b03082a981ae9d8a787b41cb5a529
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Jin-young Jeon [Thu, 10 Nov 2016 08:18:58 +0000 (17:18 +0900)]
video/sprdfb: dispc: fix clipping problem for yuv buffer.
Aligned width(pitch) instead of width of buffer should be used to
calculate base address of UV and V of YUV image format, then this will
solve clipping problem for YUV image.
This commit comes from product kernel.
Change-Id: Idafe5d0231888693a41450fe65b1af85d35f6911
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
[jy0922.shim: rewrite commit messages]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Jin-young Jeon [Mon, 28 Mar 2016 04:29:36 +0000 (13:29 +0900)]
video/sprdfb: add dispc_is_yuv_format() on dispc.
This adds dispc_is_yuv_format() function to be easy to check whether
image format is YUV or not, and can cleanup related codes.
This commit comes from product kernel.
Change-Id: I934756c355b533bdbadbeb10b5555ab597a43fce
Signed-off-by: Jin-young Jeon <jy0.jeon@samsung.com>
[jy0922.shim: remove unfit changes and write commit messages]
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Sergei Rogachev [Fri, 21 Oct 2016 13:24:15 +0000 (16:24 +0300)]
mmc: sdhost: fix scheduling while atomic
The function mmc_regulator_set_ocr() cannot be called under the spinlock,
because internally it calls regulator_disable() which uses a sleeping primitive:
regulator_dev->mutex.
The patch unlocks the spinlock sdhost_host->lock to avoid scheduling in atomic
context and prevent possible consequent live-locks.
It is done totally the same way as it is done in drivers/mmc/host/sdhci.c and
many other places.
Change-Id: I2a7b893124efb2a515a3d55706d9a292a3d27edd
Signed-off-by: Sergei Rogachev <s.rogachev@samsung.com>
jooseong lee [Thu, 8 Dec 2016 02:46:33 +0000 (11:46 +0900)]
netfilter: Fix wrong backporting
Regard of:
the commit 930a2d023b07 ("netfilter: nfnetlink_queue: allow to attach expectations to conntracks")
lock() was missed.
Change-Id: I8d5b4bec6dcee0ac43e9207180bb949b9cb1a49f
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Sudha Bheemanna [Wed, 30 Nov 2016 09:59:46 +0000 (15:29 +0530)]
Bluetooth: Fix Set IRK Mgmt opcode to match product codeline.
Modified the Mgmt opcode value to match the header in product code.
Change-Id: Ifcfbe313540527238950f1afbe2c33378bd4de29
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
jooseong lee [Mon, 28 Nov 2016 05:52:17 +0000 (14:52 +0900)]
ARM: tizen_tm1_defconfig: enable CONFIG_NETFILTER_XT_TARGET_SECMARK
The config allows security marking of network packets.
Iptable need to set packet's secmark to 'System' label to avoid
Smack deny issue only for multicast address range.
* Refer to : https://review.tizen.org/gerrit/#/c/100096/
Change-Id: Ia2902525a76d31a9db6d4665b4b488f4a4c45b22
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
jooseong lee [Mon, 28 Nov 2016 05:51:26 +0000 (14:51 +0900)]
Revert "ARM: tizen_tm1_defconfig: disable smack_netfilter temporarily"
This reverts commit 9807397c2e1c82653b1df12f5022f138b298d6f4.
Change-Id: Ie5a993dfcb58130cbb1d5bb3a278a337d01eab2e
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Inki Dae [Mon, 28 Nov 2016 05:17:24 +0000 (14:17 +0900)]
config: tizen_tm1_defconfig: sync defconfig file
This patch makes the defconfig file to sync with menuconfig
Change-Id: Ied39f624f82fb800d2fabc5bf0825065b309202c
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Inki Dae [Fri, 25 Nov 2016 05:46:35 +0000 (14:46 +0900)]
misc: remove SLP Global lock module
This patch removes SLP Global lock module which is unnecessary anymore.
Change-Id: I200c6bfb701b124c531e5da0fa793c434808d122
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Inki Dae [Fri, 25 Nov 2016 05:45:16 +0000 (14:45 +0900)]
arm: config: tizen_tm1_defconfig: enable Tizen global lock
This patch enables Tizen global lock instead of SGL module.
Change-Id: Ida728764728980b6484e6e2b178aefc7590b460c
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Inki Dae [Fri, 25 Nov 2016 05:41:49 +0000 (14:41 +0900)]
misc: add Tizen global lock module
This module is enhanced version - including some refactoring
and bug fixups - of SGL module which resolves rendering order
issue of Utgard DDK.
Change-Id: I94a59232e31fb7bba1be22c463b8c9c469667a8b
Signed-off-by: Inki Dae <inki.dae@samsung.com>
h.sandeep [Mon, 21 Nov 2016 10:23:26 +0000 (15:53 +0530)]
Bluetooth: Fix IRK distribution issue when Privacy is disabled
The devices, like Android 6.x, which don't support privacy 1.2
couldn't make BLE connection to the device which doesn't distribute
IRK when pairing because they use wrong address type.
For compatibility, it needs to distribute IRK even though Privacy
feature is disabled. So setting IRK interface is added and BlueZ
will set IRK if privacy feature is disabled. And when BLE pairing,
IRK will be always distributed.
Change-Id: I196b6e726bff3a396ba040201c760f74ddfba946
Signed-off-by: h.sandeep <h.sandeep@samsung.com>
h.sandeep [Tue, 15 Nov 2016 09:12:18 +0000 (14:42 +0530)]
Bluetooth: Add MGMT interface for setting IRK
It is required to set IRK from BlueZ if privacy feature is disabled,
so this patch adds setting IRK interface to MGMT.
Change-Id: I2343ce34c894ad24557218ed41b61151caa8a1a5
Signed-off-by: h.sandeep <h.sandeep@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
h.sandeep [Tue, 15 Nov 2016 09:04:01 +0000 (14:34 +0530)]
Bluetooth: add to support LE privacy 1.2 & MGMT to load device RPA resolution
RPA resolution support of peer device to be checked before starting
directed advertising. This patch load the resolution support info of
device and check before starting directed advertising.
Change-Id: I9c982e72e83024bcb493488e29c33aba7ffbf485
Signed-off-by: h.sandeep <h.sandeep@samsung.com>
[Fix coding style and adjust commit-msg]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Hyuk Lee [Mon, 21 Nov 2016 00:49:40 +0000 (09:49 +0900)]
Bluetooth: distinguish the interface about LE scan set state
Actually, it has the function both "BR/EDR" discovery set state function and
"LE" discovery set state function. So, it is better to distinguish the "LE"
discovery set state function for "LE" scenario.
Change-Id: I7694a58a793b7ecef5c57a85563c99ca0cefd1cf
Signed-off-by: Hyuk Lee <hyuk0512.lee@samsung.com>
Slava Barinov [Wed, 12 Oct 2016 09:06:23 +0000 (12:06 +0300)]
packaging: switch find calls from -exec to xargs
The -delete and xargs approach is faster than -exec and in Tizen 3.0
cross-builds it grants huge build acceleration due to tool acceleration
system peculiarities.
Change-Id: Ibbbb82962235cd098cd6952c288e9f120bb63ed3
Signed-off-by: Slava Barinov <v.barinov@samsung.com>
Linus Torvalds [Thu, 13 Oct 2016 20:07:36 +0000 (13:07 -0700)]
mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
This is an ancient bug that was actually attempted to be fixed once
(badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
get_user_pages() race for write access") but that was then undone due to
problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
In the meantime, the s390 situation has long been fixed, and we can now
fix it by checking the pte_dirty() bit properly (and do it better). The
s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
software dirty bits") which made it into v3.9. Earlier kernels will
have to look at the page state itself.
Also, the VM has become more scalable, and what used to be a purely
theoretical race back then has become easier to trigger.
To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
we already did a COW" rather than play racy games with FOLL_WRITE that
is very fundamental, and then use the pte dirty flag to validate that
the FOLL_COW flag is still valid.
Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Michal Hocko <mhocko@suse.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Nick Piggin <npiggin@gmail.com>
Cc: Greg Thelen <gthelen@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[wt: s/gup.c/memory.c; s/follow_page_pte/follow_page_mask;
s/faultin_page/__get_user_page]
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from linux-3.10.104 to fix CVE-2016-5195]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I5a99df42c34af2b109a8f9e1647b606324e981e7
Joe Perches [Thu, 25 Jun 2015 22:01:02 +0000 (15:01 -0700)]
compiler-gcc: integrate the various compiler-gcc[345].h files
commit cb984d101b30eb7478d32df56a0023e4603cba7f upstream.
As gcc major version numbers are going to advance rather rapidly in the
future, there's no real value in separate files for each compiler
version.
Deduplicate some of the macros #defined in each file too.
Neaten comments using normal kernel commenting style.
Signed-off-by: Joe Perches <joe@perches.com>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Michal Marek <mmarek@suse.cz>
Cc: Segher Boessenkool <segher@kernel.crashing.org>
Cc: Sasha Levin <levinsasha928@gmail.com>
Cc: Anton Blanchard <anton@samba.org>
Cc: Alan Modra <amodra@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ philm: backport to 3.10-stable ]
Signed-off-by: Philip Müller <philm@manjaro.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[Apply from linux-3.10.102 for supporting build with gcc6]
Reported-by: Sung-jae Park <nicesj@nicesj.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ideba2a089dba420a5d8fda0b56942ad949e93e71
Seung-Woo Kim [Thu, 27 Oct 2016 05:26:15 +0000 (14:26 +0900)]
cpufreq: sprd: move unused prototypes to blocked area
This patch blocks unused prototypes which causes following build
error on specific toolchains.
In file included from include/asm-generic/percpu.h:6:0,
from /home/sw0312.kim/linux-3.10-sc7730/arch/arm/include/asm/percpu.h:50,
from include/linux/percpu.h:10,
from include/linux/kernel_stat.h:6,
from drivers/cpufreq/cpufreq_sprdemand.c:18:
drivers/cpufreq/cpufreq_sprdemand.c: At top level:
drivers/cpufreq/cpufreq_sprdemand.c:101:48: error: storage size of 'uwi' isn't known
static DEFINE_PER_CPU(struct unplug_work_info, uwi);
^
Change-Id: Ida47ea5e16a2f3f8883afe37adf9fcb9975c9ef1
Reported-by: Sung-jae Park <nicesj@nicesj.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Behan Webster [Wed, 24 Sep 2014 00:06:46 +0000 (01:06 +0100)]
ARM: 8158/1: LLVMLinux: use static inline in ARM ftrace.h
With compilers which follow the C99 standard (like modern versions of gcc and
clang), "extern inline" does the wrong thing (emits code for an externally
linkable version of the inline function). In this case using static inline
and removing the NULL version of return_address in return_address.c does
the right thing.
Signed-off-by: Behan Webster <behanw@converseincode.com>
Reviewed-by: Mark Charlebois <charlebm@gmail.com>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
[Backport from mainline to fix build error with gcc 5.x or later]
Reported-by: Sung-jae Park <nicesj@nicesj.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: I8a1cbff2ce69a9d9d021b434ae062fdf0bbc67c0
Joonyoung Shim [Mon, 10 Oct 2016 01:31:24 +0000 (10:31 +0900)]
staging/ion: enable debugfs for pool
Define DEBUG_HEAP_SHRINKER to enable debugfs to shrink pool and read
pool size.
Change-Id: Ic3d5ef7a68eb8b3a08d4d6e98872f895aa7f7de4
Signed-off-by: Joonyoung Shim <jy0922.shim@samsung.com>
Dmitry Kovalenko [Mon, 3 Oct 2016 14:27:23 +0000 (17:27 +0300)]
packaging: devel package name unification
All kernels provide unified kernel-devel-tizen package and located at
/boot/kernel/devel/tizen-devel (solved using symlink).
Change-Id: Ie0fd3d6572d78d3eeaa3df0bca83cafa5700caa2
Signed-off-by: Dmitry Kovalenko <d.kovalenko@samsung.com>
[Update commit-msg and just add Provided name for devel package instead of replacing]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Seung-Woo Kim [Wed, 5 Oct 2016 02:08:31 +0000 (11:08 +0900)]
Bluetooth: add missing 6lowpan connect in mgmt handler
The 6lowpan connect api is added, but it is missed from mgmt handler,
so this patch adds it.
Change-Id: Ib2ac9c227cec0ce8b7c1c6a9d01329788810511a
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Sudha Bheemanna [Mon, 3 Oct 2016 11:52:52 +0000 (17:22 +0530)]
Bluetooth: Fix IPSP connection callback event issue.
This patch fixes the IPSP connection callback event issue
between kernel and bluez layer.
Change-Id: I3c0308873a1acd270696af300cacd3e0aead0346
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
Sudha Bheemanna [Mon, 3 Oct 2016 11:41:16 +0000 (17:11 +0530)]
Bluetooth: Set le data length command and event
Sets the data length for the le data packet within the
advised limits. MGMT command and event are added to handle
the setting of data length.
Change-Id: Icc7db1a7361764fcb3d5a990357408942effe25d
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
Sudha Bheemanna [Mon, 3 Oct 2016 11:10:04 +0000 (16:40 +0530)]
Bluetooth: Read host suggested default le data length
This patch adds MGMT command and code for supporting reading
default le data length value set at the controller.
Change-Id: I96d33e17259e847df443d63536a92930e46b02a1
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
Sudha Bheemanna [Mon, 3 Oct 2016 10:56:38 +0000 (16:26 +0530)]
Bluetooth: Write host suggested default le data length
This patch adds MGMT command and code for supporting write
default le data length command to the controller.
Change-Id: Icc3509186261831cad7be98708a13bfa49730d93
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
Sudha Bheemanna [Mon, 3 Oct 2016 10:30:53 +0000 (16:00 +0530)]
Bluetooth: Read LE Max data length command
This patch adds the MGMT command and code to support reading
the maximum data length supported command for LE.
Change-Id: I3fd266b3a2fe0be755d2f00a38a603a2f887a938
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
Sudha Bheemanna [Mon, 3 Oct 2016 09:16:09 +0000 (14:46 +0530)]
Bluetooth: IPSP Connect/Disconnect apis
This patch adds MGMT code to support IPSP connect and
disconnect apis and handle connection state changed event.
Change-Id: I372ea923acd06c25cfa4c50094bf946e55dc30c8
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
Sudha Bheemanna [Mon, 3 Oct 2016 06:06:17 +0000 (11:36 +0530)]
Bluetooth: Add support to enable/disable IPSP
This patch supports MGMT commands and code to enable or disable
IPSP 6LowPan features.
Change-Id: I4fa404d01493562251b821a68a400a5e05d48078
Signed-off-by: Sudha Bheemanna <b.sudha@samsung.com>
Michal Bloch [Tue, 20 Sep 2016 15:21:25 +0000 (17:21 +0200)]
kmsg: format back to previous for /dev/kmsg
* no binary characters and no \0 at the end
* done because the new format breaks various tools (such as sd-journal)
* only affects prime /dev/kmsg, the additional /dev/kmsg12 etc unaffected
Signed-off-by: Michal Bloch <m.bloch@samsung.com>
Change-Id: Icafebabe08f960fa7a2766b91ab2a72e8d2891b6
jooseong lee [Tue, 20 Sep 2016 10:36:24 +0000 (19:36 +0900)]
ARM: tizen_tm1_defconfig: disable smack_netfilter temporarily
smack_netfilter was enabled to check network permission in Nether.
But it makes unintended Smack denial issue. For stability, we disable
smack_netfilter temporarily until fixing the problem.
Change-Id: I63636e6bda95c35976c0fed5c49ff6bf359aa657
Signed-off-by: jooseong lee <jooseong.lee@samsung.com>
Krzysztof Opasiak [Mon, 12 Sep 2016 20:19:31 +0000 (22:19 +0200)]
usb: gadget: g_ffs: Allow to set bmAttributes of configuration
usb host tests expect configuration bmAttributes to have
a predefined value. As on 3.10 kernel we cannot use
ConfigFS to achieve this let's add a module parameter
which allows us to set it.
Change-Id: Iecf773d98c398ce1d3c529e7202155fb1e5e9ba6
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Krzysztof Opasiak [Mon, 12 Sep 2016 20:23:26 +0000 (22:23 +0200)]
usb: gadget: g_ffs: Allow to set configuration string
usb host tests expect configuration string to have
a predefined value. As on 3.10 kernel we cannot use
ConfigFS to achieve this let's add a module parameter
which allows us to set it.
Change-Id: I7556ef87fb4da7ae1f86fa4f110f78ffd5d2b854
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Krzysztof Opasiak [Mon, 12 Sep 2016 18:54:59 +0000 (20:54 +0200)]
usb: gadget: fix: Call usb_gadget_connect() for dummy_udc
Ugly hack which comes from Android removes a call
to usb_gadget_connect() in udc_bind_to_driver() to
prevent android/slp gadget from communication before
userspace explicitly enables it.
Mainline gadgets (like g_ffs) expect this function
to be called as they don't have any sysfs interface
to enable them later.
As for usb-host API tests we need to use dummy_hcd
and g_ffs let's call usb_gadget_connect() for all
dummy_udc's.
Change-Id: I782bbb51c54e0b87ff6ef976070b6d8870a1a745
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Paweł Szewczyk [Wed, 7 Sep 2016 19:24:12 +0000 (21:24 +0200)]
usb: gadget: f_fs: add poll for endpoint 0
This patch adds poll function for file representing ep0.
Ability of read from or write to ep0 file is related with actual state of ffs:
- When descriptors or strings are not written yet, POLLOUT flag is set.
- If there is any event to read, POLLIN flag is set.
- If setup request was read, POLLIN and POLLOUT flag is set, to allow
send response (by performing I/O operation consistent with setup request
direction) or set stall (by performing I/O operation opposite setup
request direction).
Signed-off-by: Robert Baldyga <r.baldyga@samsung.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
[Backported from mainline commit 23de91e]
Signed-off-by: Paweł Szewczyk <p.szewczyk@samsung.com>
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Change-Id: I4286847252357b4796cc3794ce71d5a4ec2af9f5
Seung-Woo Kim [Wed, 7 Sep 2016 06:12:48 +0000 (15:12 +0900)]
Input: tc305k: remove event log
This patch removes key event log.
Change-Id: I86f1967e54be571ab41d6025a1443e3aa2a25fda
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Seung-Woo Kim [Wed, 7 Sep 2016 06:07:44 +0000 (15:07 +0900)]
Input: sc_keypad: remove event log
This patch removes key event log.
Change-Id: I3cbe04efcd4e16b30616c59f96a30cafa72b6827
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Seung-Woo Kim [Wed, 7 Sep 2016 05:56:10 +0000 (14:56 +0900)]
Input: sprd_eic_keys: remove event log
This patch removes event log.
Change-Id: Iaeeaab3c71d3513edd3af51df5dbb870099fecd2
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Seung-Woo Kim [Wed, 7 Sep 2016 05:53:43 +0000 (14:53 +0900)]
Input: ist30xxc: remove touch event log
This patch removes touch event log.
Change-Id: I4a3ec5ccaf8455a48a8f67769c2056162a97c4de
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Andi Shyti <andi.shyti@samsung.com>
Seung-Woo Kim [Mon, 5 Sep 2016 01:52:21 +0000 (10:52 +0900)]
usb: gadget: f_fs: remove build warnings from ffs_epfile_io
This patch removes build warnings to convert unsigned int pointer
to char pointer from ffs_epfile_io().
Change-Id: I2b46093add10c647f3488220b123e3920a1cfeb4
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Krzysztof Opasiak [Fri, 2 Sep 2016 10:52:40 +0000 (12:52 +0200)]
Build dummy_hcd and g_ffs as modules
Change-Id: Ic505dd282eaf2740848fddbb98678d8fb147be1e
Signed-off-by: Krzysztof Opasiak <k.opasiak@samsung.com>