From 1631069bebe3a645755716e80579fe6072a65f87 Mon Sep 17 00:00:00 2001 From: willy tarreau Date: Sun, 10 Jan 2016 07:54:56 +0100 Subject: [PATCH 01/16] unix: properly account for FDs passed over unix sockets [ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ] It is possible for a process to allocate and accumulate far more FDs than the process' limit by sending them over a unix socket then closing them to keep the process' fd count low. This change addresses this problem by keeping track of the number of FDs in flight per user and preventing non-privileged processes from having more FDs in flight than their configured FD limit. Change-Id: I5e4f12dada69f3c253ead12f893ccf5f88053765 Reported-by: socketpair@gmail.com Reported-by: Tetsuo Handa Mitigates: CVE-2013-4312 (Linux 2.0+) Suggested-by: Linus Torvalds Acked-by: Hannes Frederic Sowa Signed-off-by: Willy Tarreau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Junghoon Kim --- include/linux/sched.h | 1 + net/unix/af_unix.c | 24 ++++++++++++++++++++---- net/unix/garbage.c | 16 ++++++++++++---- 3 files changed, 33 insertions(+), 8 deletions(-) diff --git a/include/linux/sched.h b/include/linux/sched.h index d9a4eaf..86d6e1b 100644 --- a/include/linux/sched.h +++ b/include/linux/sched.h @@ -673,6 +673,7 @@ struct user_struct { unsigned long mq_bytes; /* How many bytes can be allocated to mqueue? */ #endif unsigned long locked_shm; /* How many pages of mlocked shm ? */ + unsigned long unix_inflight; /* How many files in flight in unix sockets */ #ifdef CONFIG_KEYS struct key *uid_keyring; /* UID specific keyring */ diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index c80c107..9accfb0 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c 
@@ -1367,6 +1367,21 @@ static void unix_destruct_scm(struct sk_buff *skb) sock_wfree(skb); } +/* + * The "user->unix_inflight" variable is protected by the garbage + * collection lock, and we just read it locklessly here. If you go + * over the limit, there might be a tiny race in actually noticing + * it across threads. Tough. + */ +static inline bool too_many_unix_fds(struct task_struct *p) +{ + struct user_struct *user = current_user(); + + if (unlikely(user->unix_inflight > task_rlimit(p, RLIMIT_NOFILE))) + return !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN); + return false; +} + #define MAX_RECURSION_LEVEL 4 static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) @@ -1375,6 +1390,9 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) unsigned char max_level = 0; int unix_sock_count = 0; + if (too_many_unix_fds(current)) + return -ETOOMANYREFS; + for (i = scm->fp->count - 1; i >= 0; i--) { struct sock *sk = unix_get_socket(scm->fp->fp[i]); @@ -1396,10 +1414,8 @@ static int unix_attach_fds(struct scm_cookie *scm, struct sk_buff *skb) if (!UNIXCB(skb).fp) return -ENOMEM; - if (unix_sock_count) { - for (i = scm->fp->count - 1; i >= 0; i--) - unix_inflight(scm->fp->fp[i]); - } + for (i = scm->fp->count - 1; i >= 0; i--) + unix_inflight(scm->fp->fp[i]); return max_level; } diff --git a/net/unix/garbage.c b/net/unix/garbage.c index 9bc73f8..06730fe 100644 --- a/net/unix/garbage.c +++ b/net/unix/garbage.c @@ -125,9 +125,12 @@ struct sock *unix_get_socket(struct file *filp) void unix_inflight(struct file *fp) { struct sock *s = unix_get_socket(fp); + + spin_lock(&unix_gc_lock); + if (s) { struct unix_sock *u = unix_sk(s); - spin_lock(&unix_gc_lock); + if (atomic_long_inc_return(&u->inflight) == 1) { BUG_ON(!list_empty(&u->link)); list_add_tail(&u->link, &gc_inflight_list); 
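Review bot: The limit check and the accounting use different users: `too_many_unix_fds()` tests `current_user()->unix_inflight`, while `unix_inflight()` and `unix_notinflight()` in the net/unix/garbage.c hunks charge `fp->f_cred->user`, the credentials the file was opened with. When a task passes descriptors that were opened under another user, the sender's own counter does not grow and the charge lands on that other user, so the per-user limit does not reliably bound the sender. Charging the sending task's user on attach, and releasing against that same recorded user, would make the counter that is tested the one that is incremented. The check also runs before this message's `scm->fp->count` descriptors are added, so one send can exceed the limit by that count; the comment above the helper should say so next to the race it already documents.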
@@ -135,22 +138,27 @@ void unix_inflight(struct file *fp) BUG_ON(list_empty(&u->link)); } unix_tot_inflight++; - spin_unlock(&unix_gc_lock); } + fp->f_cred->user->unix_inflight++; + spin_unlock(&unix_gc_lock); } void unix_notinflight(struct file *fp) { struct sock *s = unix_get_socket(fp); + + spin_lock(&unix_gc_lock); + if (s) { struct unix_sock *u = unix_sk(s); - spin_lock(&unix_gc_lock); + BUG_ON(list_empty(&u->link)); if (atomic_long_dec_and_test(&u->inflight)) list_del_init(&u->link); unix_tot_inflight--; - spin_unlock(&unix_gc_lock); } + fp->f_cred->user->unix_inflight--; + spin_unlock(&unix_gc_lock); } static void scan_inflight(struct sock *x, void (*func)(struct unix_sock *), -- 2.7.4 From 8c41b079b562476cf698b0e7e24fac2770297ddb Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Thu, 31 Mar 2016 12:04:25 -0400 Subject: [PATCH 02/16] USB: cypress_m8: add endpoint sanity check commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream. An attack using missing endpoints exists. CVE-2016-3137 Change-Id: I58a2e1025bf8f3f0ba3ce9e949c1fa80f78636ce Signed-off-by: Oliver Neukum CC: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Willy Tarreau Signed-off-by: Junghoon Kim --- drivers/usb/serial/cypress_m8.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c index 0821201..09f0f63 100644 --- a/drivers/usb/serial/cypress_m8.c +++ b/drivers/usb/serial/cypress_m8.c @@ -449,6 +449,11 @@ static int cypress_generic_port_probe(struct usb_serial_port *port) struct usb_serial *serial = port->serial; struct cypress_private *priv; + if (!port->interrupt_out_urb || !port->interrupt_in_urb) { + dev_err(&port->dev, "required endpoint is missing\n"); + return -ENODEV; + } + priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); if (!priv) return -ENOMEM; 
@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct usb_serial_port *port) cypress_set_termios(tty, port, &priv->tmp_termios); /* setup the port and start reading from the device */ - if (!port->interrupt_in_urb) { - dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", - __func__); - return -1; - } - usb_fill_int_urb(port->interrupt_in_urb, serial->dev, usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), port->interrupt_in_urb->transfer_buffer, -- 2.7.4 From 9163feadabd45d0f01e426bfb56d9ee52320d1e1 Mon Sep 17 00:00:00 2001 From: Oliver Neukum Date: Thu, 31 Mar 2016 12:04:24 -0400 Subject: [PATCH 03/16] USB: mct_u232: add sanity checking in probe commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream. An attack using the lack of sanity checking in probe is known. This patch checks for the existence of a second port. CVE-2016-3136 Signed-off-by: Oliver Neukum CC: stable@vger.kernel.org [johan: add error message ] Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Willy Tarreau Change-Id: Icd1c5482b10f647177c7793c93fc7b592df4e79e Signed-off-by: Junghoon Kim --- drivers/usb/serial/mct_u232.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/drivers/usb/serial/mct_u232.c b/drivers/usb/serial/mct_u232.c index 6a15adf..c14c29f 100644 --- a/drivers/usb/serial/mct_u232.c +++ b/drivers/usb/serial/mct_u232.c 
@@ -377,14 +377,21 @@ static void mct_u232_msr_to_state(struct usb_serial_port *port, static int mct_u232_port_probe(struct usb_serial_port *port) { + struct usb_serial *serial = port->serial; struct mct_u232_private *priv; + /* check first to simplify error handling */ + if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) { + dev_err(&port->dev, "expected endpoint missing\n"); + return -ENODEV; + } + priv = kzalloc(sizeof(*priv), GFP_KERNEL); if (!priv) return -ENOMEM; /* Use second interrupt-in endpoint for reading. */ - priv->read_urb = port->serial->port[1]->interrupt_in_urb; + priv->read_urb = serial->port[1]->interrupt_in_urb; priv->read_urb->context = port; spin_lock_init(&priv->lock); -- 2.7.4 From 516e18f3d272e2695e727d1f49ddc7e6e7b96f02 Mon Sep 17 00:00:00 2001 From: Johan Hovold Date: Wed, 23 Sep 2015 11:41:42 -0700 Subject: [PATCH 04/16] USB: whiteheat: fix potential null-deref at probe commit cbb4be652d374f64661137756b8f357a1827d6a4 upstream. Fix potential null-pointer dereference at probe by making sure that the required endpoints are present. The whiteheat driver assumes there are at least five pairs of bulk endpoints, of which the final pair is used for the "command port". An attempt to bind to an interface with fewer bulk endpoints would currently lead to an oops. Fixes CVE-2015-5257. Reported-by: Moein Ghasemzadeh Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Change-Id: Ib2b005674463119d8f6ebcaa1184cba668b1400e Signed-off-by: Junghoon Kim --- drivers/usb/serial/whiteheat.c | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/drivers/usb/serial/whiteheat.c b/drivers/usb/serial/whiteheat.c index 5e3dd9f..ae79c22 100644 --- a/drivers/usb/serial/whiteheat.c +++ b/drivers/usb/serial/whiteheat.c 
@@ -81,6 +81,8 @@ static int whiteheat_firmware_download(struct usb_serial *serial, static int whiteheat_firmware_attach(struct usb_serial *serial); /* function prototypes for the Connect Tech WhiteHEAT serial converter */ +static int whiteheat_probe(struct usb_serial *serial, + const struct usb_device_id *id); static int whiteheat_attach(struct usb_serial *serial); static void whiteheat_release(struct usb_serial *serial); static int whiteheat_port_probe(struct usb_serial_port *port); @@ -117,6 +119,7 @@ static struct usb_serial_driver whiteheat_device = { .description = "Connect Tech - WhiteHEAT", .id_table = id_table_std, .num_ports = 4, + .probe = whiteheat_probe, .attach = whiteheat_attach, .release = whiteheat_release, .port_probe = whiteheat_port_probe, @@ -218,6 +221,34 @@ static int whiteheat_firmware_attach(struct usb_serial *serial) /***************************************************************************** * Connect Tech's White Heat serial driver functions *****************************************************************************/ + +static int whiteheat_probe(struct usb_serial *serial, + const struct usb_device_id *id) +{ + struct usb_host_interface *iface_desc; + struct usb_endpoint_descriptor *endpoint; + size_t num_bulk_in = 0; + size_t num_bulk_out = 0; + size_t min_num_bulk; + unsigned int i; + + iface_desc = serial->interface->cur_altsetting; + + for (i = 0; i < iface_desc->desc.bNumEndpoints; i++) { + endpoint = &iface_desc->endpoint[i].desc; + if (usb_endpoint_is_bulk_in(endpoint)) + ++num_bulk_in; + if (usb_endpoint_is_bulk_out(endpoint)) + ++num_bulk_out; + } + + min_num_bulk = COMMAND_PORT + 1; + if (num_bulk_in < min_num_bulk || num_bulk_out < min_num_bulk) + return -ENODEV; + + return 0; +} + static int whiteheat_attach(struct usb_serial *serial) { struct usb_serial_port *command_port; -- 2.7.4 From 69e4e4e9a186ec3236320a2d9cb0d140d12d70bd Mon Sep 17 00:00:00 2001 
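Review bot: `whiteheat_probe()` rejects the interface with a bare `return -ENODEV;` and logs nothing, unlike the cypress_m8 and mct_u232 checks in this series, which both call `dev_err()` before returning. A line such as `dev_err(&serial->interface->dev, "required endpoints missing\n");` before the return would make a rejected or malformed device visible in the kernel log. The function would also benefit from a short comment saying that `COMMAND_PORT + 1` bulk-in and bulk-out endpoints are required because the last pair serves the command port, which is currently explained only in the commit message.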
From: Ben Hutchings Date: Sun, 1 Nov 2015 16:21:24 +0000 Subject: [PATCH 05/16] isdn_ppp: Add checks for allocation failure in isdn_ppp_open() [ Upstream commit 0baa57d8dc32db78369d8b5176ef56c5e2e18ab3 ] Compile-tested only. Change-Id: I32e9c951314f1ce66338c560aaa299b4536e4b93 Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Junghoon Kim --- drivers/isdn/i4l/isdn_ppp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c index 38ceac5..12bcce1 100644 --- a/drivers/isdn/i4l/isdn_ppp.c +++ b/drivers/isdn/i4l/isdn_ppp.c @@ -301,6 +301,8 @@ isdn_ppp_open(int min, struct file *file) is->compflags = 0; is->reset = isdn_ppp_ccp_reset_alloc(is); + if (!is->reset) + return -ENOMEM; is->lp = NULL; is->mp_seqno = 0; /* MP sequence number */ @@ -320,6 +322,10 @@ isdn_ppp_open(int min, struct file *file) * VJ header compression init */ is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ + if (!is->slcomp) { + isdn_ppp_ccp_reset_free(is); + return -ENOMEM; + } #endif #ifdef CONFIG_IPPP_FILTER is->pass_filter = NULL; -- 2.7.4 From 644c6f3c5d12cc0ce07ac01c257d017475451832 Mon Sep 17 00:00:00 2001 
From: Ben Hutchings Date: Sun, 1 Nov 2015 16:22:53 +0000 Subject: [PATCH 06/16] ppp, slip: Validate VJ compression slot parameters completely MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit [ Upstream commit 4ab42d78e37a294ac7bc56901d563c642e03c4ae ] Currently slhc_init() treats out-of-range values of rslots and tslots as equivalent to 0, except that if tslots is too large it will dereference a null pointer (CVE-2015-7799). Add a range-check at the top of the function and make it return an ERR_PTR() on error instead of NULL. Change the callers accordingly. Compile-tested only. Change-Id: I4bd504aa497919117fec9d5ba97365fcca266b4c Reported-by: 郭永刚 References: http://article.gmane.org/gmane.comp.security.oss.general/17908 Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Junghoon Kim --- drivers/isdn/i4l/isdn_ppp.c | 10 ++++------ drivers/net/ppp/ppp_generic.c | 6 ++---- drivers/net/slip/slhc.c | 12 ++++++++---- drivers/net/slip/slip.c | 2 +- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/drivers/isdn/i4l/isdn_ppp.c b/drivers/isdn/i4l/isdn_ppp.c index 12bcce1..0ed6731 100644 --- a/drivers/isdn/i4l/isdn_ppp.c +++ b/drivers/isdn/i4l/isdn_ppp.c @@ -322,9 +322,9 @@ isdn_ppp_open(int min, struct file *file) * VJ header compression init */ is->slcomp = slhc_init(16, 16); /* not necessary for 2. link in bundle */ - if (!is->slcomp) { + if (IS_ERR(is->slcomp)) { isdn_ppp_ccp_reset_free(is); - return -ENOMEM; + return PTR_ERR(is->slcomp); } #endif #ifdef CONFIG_IPPP_FILTER @@ -574,10 +574,8 @@ isdn_ppp_ioctl(int min, struct file *file, unsigned int cmd, unsigned long arg) is->maxcid = val; #ifdef CONFIG_ISDN_PPP_VJ sltmp = slhc_init(16, val); - if (!sltmp) { - printk(KERN_ERR "ippp, can't realloc slhc struct\n"); - return -ENOMEM; - } + if (IS_ERR(sltmp)) + return PTR_ERR(sltmp); if (is->slcomp) slhc_free(is->slcomp); is->slcomp = sltmp; 
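Review bot: On failure the `isdn_ppp_open()` hunk returns with the `ERR_PTR` value still stored in `is->slcomp`, so the field is left non-NULL but invalid. The `isdn_ppp_ioctl()` hunk right below tests `if (is->slcomp)` before calling `slhc_free(is->slcomp)`, and any other code that treats non-NULL as "allocated" would do the same with a stale error pointer. Save the error in a local, set `is->slcomp = NULL;`, and return the saved value, or assign to the field only after `IS_ERR()` has passed, as the ioctl hunk already does with `sltmp`. Both functions start and end outside the hunks, so whether the slot is always re-initialised before its next use cannot be confirmed from here.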
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c index 5a1897d..a2d7d5f 100644 --- a/drivers/net/ppp/ppp_generic.c +++ b/drivers/net/ppp/ppp_generic.c @@ -716,10 +716,8 @@ static long ppp_ioctl(struct file *file, unsigned int cmd, unsigned long arg) val &= 0xffff; } vj = slhc_init(val2+1, val+1); - if (!vj) { - netdev_err(ppp->dev, - "PPP: no memory (VJ compressor)\n"); - err = -ENOMEM; + if (IS_ERR(vj)) { + err = PTR_ERR(vj); break; } ppp_lock(ppp); diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c index 1252d9c..b52eabc 100644 --- a/drivers/net/slip/slhc.c +++ b/drivers/net/slip/slhc.c @@ -84,8 +84,9 @@ static long decode(unsigned char **cpp); static unsigned char * put16(unsigned char *cp, unsigned short x); static unsigned short pull16(unsigned char **cpp); -/* Initialize compression data structure +/* Allocate compression data structure * slots must be in range 0 to 255 (zero meaning no compression) + * Returns pointer to structure or ERR_PTR() on error. */ struct slcompress * slhc_init(int rslots, int tslots) @@ -94,11 +95,14 @@ slhc_init(int rslots, int tslots) register struct cstate *ts; struct slcompress *comp; + if (rslots < 0 || rslots > 255 || tslots < 0 || tslots > 255) + return ERR_PTR(-EINVAL); + comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL); if (! comp) goto out_fail; - if ( rslots > 0 && rslots < 256 ) { + if (rslots > 0) { size_t rsize = rslots * sizeof(struct cstate); comp->rstate = kzalloc(rsize, GFP_KERNEL); if (! comp->rstate) @@ -106,7 +110,7 @@ slhc_init(int rslots, int tslots) comp->rslot_limit = rslots - 1; } - if ( tslots > 0 && tslots < 256 ) { + if (tslots > 0) { size_t tsize = tslots * sizeof(struct cstate); comp->tstate = kzalloc(tsize, GFP_KERNEL); if (! comp->tstate) @@ -141,7 +145,7 @@ out_free2: out_free: kfree(comp); out_fail: - return NULL; + return ERR_PTR(-ENOMEM); } diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c index a34d6bf..ca3e737 100644 
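Review bot: Switching the failure return of `slhc_init()` from `NULL` to `ERR_PTR()` changes the contract for every caller and for `slhc_free()`, but this patch converts only four call sites. A caller left with a `== NULL` test would now accept an error pointer as a valid compressor, and any other definition of `slhc_init()` that still returns `NULL` would pass the new `IS_ERR()` tests. Neither case is visible in these hunks, so both deserve a tree-wide check. The updated header comment should spell the contract out, for example `* Never returns NULL; callers must test the result with IS_ERR().`.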
--- a/drivers/net/slip/slip.c +++ b/drivers/net/slip/slip.c @@ -163,7 +163,7 @@ static int sl_alloc_bufs(struct slip *sl, int mtu) if (cbuff == NULL) goto err_exit; slcomp = slhc_init(16, 16); - if (slcomp == NULL) + if (IS_ERR(slcomp)) goto err_exit; #endif spin_lock_bh(&sl->lock); -- 2.7.4 From 2ac39fc04e2f43c9a531eddd235080556ed58188 Mon Sep 17 00:00:00 2001 From: Seung-Woo Kim Date: Thu, 4 Aug 2016 09:35:23 +0900 Subject: [PATCH 07/16] packaging: exclude build except target TM1 This patch excludes build except target TM1. Change-Id: I21fd72c705af10bb61b7b99a4bb8b3d60babaee3 Signed-off-by: Seung-Woo Kim --- packaging/linux-3.10-sc7730.spec | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/packaging/linux-3.10-sc7730.spec b/packaging/linux-3.10-sc7730.spec index 0e9dd80..510df84 100644 --- a/packaging/linux-3.10-sc7730.spec +++ b/packaging/linux-3.10-sc7730.spec @@ -25,6 +25,10 @@ BuildRequires: system-tools BuildRequires: bc ExclusiveArch: %arm +%if "%{?tizen_target_name}" != "TM1" +ExcludeArch: %{arm} +%endif + %description The Linux Kernel, the operating system core itself -- 2.7.4 From 1d693164c998065673204a172d009ac888a6af12 Mon Sep 17 00:00:00 2001 From: hyunuktak Date: Fri, 29 Jul 2016 10:42:41 +0900 Subject: [PATCH 08/16] wlan_cfg80211: Set the hidden ssid scan properly. "vif->cfg80211.hidden_ssid_scan" value is always setting as true although "ssid[i].ssid_len" value is zero. If there are no ssids passed from celler, then unable to do ssid scan. So it is needed to properly set it. Change-Id: Id4064ab1b65b29a375c276c16c095309ca4a92b1 Signed-off-by: hyunuktak --- drivers/net/wireless/sc2331/wlan_cfg80211.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/sc2331/wlan_cfg80211.c b/drivers/net/wireless/sc2331/wlan_cfg80211.c index 90e27ce..a4a4a20 100644 --- a/drivers/net/wireless/sc2331/wlan_cfg80211.c +++ b/drivers/net/wireless/sc2331/wlan_cfg80211.c 
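Review bot: After this change `slcomp` holds an `ERR_PTR` when `sl_alloc_bufs()` jumps to `err_exit`. The label is outside the hunk, but if the cleanup there hands `slcomp` to `slhc_free()` (it is the shared exit also used for the `cbuff` failure), the free routine would receive an error pointer where it used to receive NULL. Resetting the variable first avoids that: `if (IS_ERR(slcomp)) { slcomp = NULL; goto err_exit; }`. Alternatively, make `slhc_free()` return early on `IS_ERR_OR_NULL(comp)`, so that it accepts whatever `slhc_init()` returns.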
@@ -846,11 +846,14 @@ static int wlan_cfg80211_scan(struct wiphy *wiphy, + sizeof(scan_ssids->len)); scan_ssids = (struct wlan_cmd_scan_ssid *) (data + scan_ssids_len); - } - vif->cfg80211.hidden_ssid_scan = true; + if (vif->cfg80211.hidden_ssid_scan == false) + vif->cfg80211.hidden_ssid_scan = true; + } } + printkd("hidden ssid scanning: %d\n", vif->cfg80211.hidden_ssid_scan); + n = min(request->n_channels, 14); if (n > 15) n = 15; -- 2.7.4 From 72cfe31711caf034d6db05bcc7c29ab0dfbbe242 Mon Sep 17 00:00:00 2001 From: Seonah Moon Date: Tue, 2 Aug 2016 18:00:56 +0900 Subject: [PATCH 09/16] wlan_cfg80211: Add SOFTAP WPS type to support WPS in tethering The tethering and soft AP should offer features of general APs. The WPS is one of security types and standard to create a secure wireless home network. This patch makes 80211 packets(beacon, probe response and associate response) include WPS ies. Change-Id: I89f60d5ee7a797c48b80b9f3dbfa2eca6825b5f2 Signed-off-by: Seonah Moon --- drivers/net/wireless/sc2331/wlan_cfg80211.c | 53 +++++++++++++++++++++++++++++ drivers/net/wireless/sc2331/wlan_cfg80211.h | 5 ++- 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/sc2331/wlan_cfg80211.c b/drivers/net/wireless/sc2331/wlan_cfg80211.c index a4a4a20..70d051d 100644 --- a/drivers/net/wireless/sc2331/wlan_cfg80211.c +++ b/drivers/net/wireless/sc2331/wlan_cfg80211.c 
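Review bot: `hidden_ssid_scan` is only ever set to true in this hunk and nothing visible clears it, so once a scan request carries a non-empty SSID the flag may stay set for later requests that carry none. If it is meant to describe the current request, reset it before the SSID loop with `vif->cfg80211.hidden_ssid_scan = false;` and assign `true` unconditionally inside; the `== false` test before the assignment adds nothing. In the context lines, `n = min(request->n_channels, 14);` makes the following `if (n > 15)` unreachable, so the intended channel bound is worth confirming. wlan_cfg80211_scan() starts and ends outside the hunk, so a reset elsewhere cannot be ruled out.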
@@ -2314,6 +2314,59 @@ static int wlan_change_beacon(wlan_vif_t *vif, unsigned char vif_id = vif->id; printkd("%s enter\n", __func__); + + if (vif->id == NETIF_0_ID) { + /* send beacon extra ies */ + if (beacon->beacon_ies != NULL) { + printkd("begin send beacon extra ies\n"); + + ret = wlan_cmd_set_wps_ie(vif_id, + SOFTAP_WPS_BEACON_IE, + beacon->beacon_ies, + beacon->beacon_ies_len); + if (ret) { + printkd("wlan_cmd_set_wps_ie failed with %d\n", ret); + return ret; + } else { + printkd("send beacon extra ies successfully\n"); + } + } + + /* send probe response ies */ + if (beacon->proberesp_ies != NULL) { + printkd("begin send probe response extra ies\n"); + + ret = wlan_cmd_set_wps_ie(vif_id, + SOFTAP_WPS_PROBERESP_IE, + beacon->proberesp_ies, + beacon->proberesp_ies_len); + if (ret) { + printkd("wlan_cmd_set_wps_ie failed with %d\n", ret); + return ret; + } else { + printkd("send proberesp_ies successfully\n"); + } + } + + /* send associate response ies */ + if (beacon->assocresp_ies != NULL) { + printkd("begin send associate response extra ies\n"); + + ret = wlan_cmd_set_wps_ie(vif_id, + SOFTAP_WPS_ASSOCRESP_IE, + beacon->assocresp_ies, + beacon->assocresp_ies_len); + if (ret) { + printkd("wlan_cmd_set_wps_ie failed with %d\n", ret); + return ret; + } else { + printkd("send assocresp_iessuccessfully\n"); + } + } + + return ret; + } + #ifdef WIFI_DIRECT_SUPPORT /* send beacon extra ies */ if (beacon->head != NULL) { diff --git a/drivers/net/wireless/sc2331/wlan_cfg80211.h b/drivers/net/wireless/sc2331/wlan_cfg80211.h index 832b37d..c15fc3c 100644 --- a/drivers/net/wireless/sc2331/wlan_cfg80211.h +++ b/drivers/net/wireless/sc2331/wlan_cfg80211.h @@ -80,7 +80,10 @@ enum WPS_TYPE { P2P_PROBERESP_IE, P2P_ASSOCRESP_IE, P2P_BEACON_IE_HEAD, - P2P_BEACON_IE_TAIL + P2P_BEACON_IE_TAIL, + SOFTAP_WPS_PROBERESP_IE = 11, + SOFTAP_WPS_BEACON_IE, + SOFTAP_WPS_ASSOCRESP_IE, }; enum wlan_state { -- 2.7.4 From 9e8b134ebac4f24697a52e57ae804698a6a4c307 Mon Sep 17 00:00:00 2001 
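Review bot: The new `NETIF_0_ID` branch hands `beacon->beacon_ies`, `beacon->proberesp_ies` and `beacon->assocresp_ies` with their lengths directly to `wlan_cmd_set_wps_ie()`, and nothing in this function bounds those lengths. The buffers come from the AP configuration passed in through cfg80211, so unless `wlan_cmd_set_wps_ie()` itself rejects lengths larger than its command buffer (not visible here), each call needs a guard such as `if (beacon->beacon_ies_len > MAX_WPS_IE_LEN) return -EINVAL;`, where `MAX_WPS_IE_LEN` is a placeholder for the firmware command's real limit. The branch ends in `return ret;` even when all three pointers are NULL, which is only correct if `ret` is initialised at its declaration outside the hunk. The three blocks differ only in the type constant and the field used, so a small static helper would remove the duplication and the `else` after `return`; the last debug string also lacks a space in "assocresp_iessuccessfully".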
From: Seung-Woo Kim Date: Thu, 11 Aug 2016 15:02:52 +0900 Subject: [PATCH 10/16] packaging: fix not to provide kernel-headers The kernel-headers pakcage is provided for common kernel headers from linux-glibc-devel pacakge but currently, it is also provided from tm1 kernel. So this patch fixes not to provide kernel-headers. Change-Id: Idcf7b8c6f605eea0bc7f8a0f70d9443f9dfe2c39 Signed-off-by: Seung-Woo Kim --- packaging/linux-3.10-sc7730.spec | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/packaging/linux-3.10-sc7730.spec b/packaging/linux-3.10-sc7730.spec index 510df84..41f2ece 100644 --- a/packaging/linux-3.10-sc7730.spec +++ b/packaging/linux-3.10-sc7730.spec @@ -71,8 +71,7 @@ end } License: GPL-2.0 Summary: Linux support headers for userspace development Group: System/Kernel -Provides: kernel-headers, kernel-headers-tizen-dev -Obsoletes: kernel-headers +Provides: kernel-headers-tizen-dev %description -n kernel-headers-3.10-sc7730 This package provides userspaces headers from the Linux kernel. These -- 2.7.4 From d606127f461117847f91d88498a55cb0d072158d Mon Sep 17 00:00:00 2001 From: Joonyoung Shim Date: Thu, 18 Aug 2016 17:52:44 +0900 Subject: [PATCH 11/16] scripts: add sprd_dtbtool.sh sprd_dtbtool.sh is script file to make to one merged-dtb binary from multi dtb binaries for TM1. This will substitute dtbtool binary of system-tools. Change-Id: I69b73426ee43e0a5de3d6b4f5a28ec8965da5c6d Signed-off-by: Joonyoung Shim --- scripts/sprd_dtbtool.sh | 152 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 152 insertions(+) create mode 100755 scripts/sprd_dtbtool.sh diff --git a/scripts/sprd_dtbtool.sh b/scripts/sprd_dtbtool.sh new file mode 100755 index 0000000..14a1f36 --- /dev/null +++ b/scripts/sprd_dtbtool.sh 
@@ -0,0 +1,152 @@ +#!/bin/bash + + +## Functions +function write_to_4bytes_binary() +{ + HEX=`echo "obase=16; $1" | bc` + + NUM=$((8-${#HEX})) + + ZERO="00000000" + SUB=${ZERO:0:$NUM} + + HEX=$SUB$HEX + + for str in $(echo $HEX | sed 's/../& /g' | rev); do + str=$(echo -en $str | rev) + echo -en "\x$str" + done > $2 +} + +function write_to_padding_binary() +{ + rm -f padding + + PAD_SIZE=$(($(($PAD - $(($1 % $PAD)))) % $PAD)) + if [ $PAD_SIZE -gt 0 ]; then + dd if=/dev/zero of=./padding bs=1 count=$PAD_SIZE 2>/dev/zero + else + touch padding + fi + + echo -en " | PAD: $PAD_SIZE[B]\n" +} + +function get_dtb_size() +{ + SIZE=`du -b $1 | awk '{print $1}'` + PAD_SIZE=$(($(($PAD - $(($SIZE % $PAD)))) % $PAD)) + DTB_SIZE=$(($SIZE + $PAD_SIZE)) +} + + +## Defines +OUT="merged-dtb" +OUT_TMP="multi.tmp" + +OUT_DIR="./arch/arm/boot" +DTS_DIR="./arch/arm/boot/dts" + +SPRD_MAGIC="SPRD" +SPRD_VERSION=1 + +DTB=( +"sprd-scx35-tizen_z3-r00.dtb" +"sprd-scx35-tizen_z3-r01.dtb" +"sprd-scx35-tizen_z3-r02.dtb" +"sprd-scx35-tizen_z3-r03.dtb" +) +DTB_CNT=4 + +CHIPSET=8830 +PLATFORM=0 +REV=131072 +DTB_OFFSET=2048 + +ENDOFHEADER=0 + +PAD=2048 + + +## Header +rm -f $OUT +rm -f $OUT_TMP +touch $OUT_TMP + +HEADER_SIZE=$((12 + 20 * $DTB_CNT + 4)) + +echo -en " *HEADER " +echo -en "$HEADER_SIZE[B]\n" + +echo -en $SPRD_MAGIC > $OUT +cat $OUT >> $OUT_TMP +write_to_4bytes_binary $SPRD_VERSION $OUT +cat $OUT >> $OUT_TMP +write_to_4bytes_binary $DTB_CNT $OUT +cat $OUT >> $OUT_TMP + +for i in ${DTB[*]}; do + FILE="$DTS_DIR/$i" + if [ -e $FILE ]; then + write_to_4bytes_binary $CHIPSET $OUT + cat $OUT >> $OUT_TMP + + write_to_4bytes_binary $PLATFORM $OUT + cat $OUT >> $OUT_TMP + PLATFORM=$(($PLATFORM + 1)) + + write_to_4bytes_binary $REV $OUT + cat $OUT >> $OUT_TMP + + write_to_4bytes_binary $DTB_OFFSET $OUT + cat $OUT >> $OUT_TMP + + get_dtb_size $FILE + write_to_4bytes_binary $DTB_SIZE $OUT + cat $OUT >> $OUT_TMP + + DTB_OFFSET=$(($DTB_OFFSET + $DTB_SIZE)) + else + echo -en "$i not found.\nexit\n" + 
exit -1 + fi +done + +write_to_4bytes_binary $ENDOFHEADER $OUT +cat $OUT >> $OUT_TMP + +write_to_padding_binary $HEADER_SIZE +cat $OUT_TMP padding > $OUT + + +## DTB +for i in ${DTB[*]}; do + FILE="$DTS_DIR/$i" + if [ -e $FILE ]; then + NAME=`echo $i` + echo -en " *$NAME " + + cat $OUT $FILE > $OUT_TMP + + SIZE=`du -b $FILE | awk '{print $1}'` + echo -en "$SIZE[B]\n" + + write_to_padding_binary $SIZE + cat $OUT_TMP padding > $OUT + else + echo -en "$i not found.\nexit\n" + exit -1 + fi +done + + +## End +rm -f $OUT_TMP +rm -f padding +rm -f $OUT_DIR/$OUT +mv -f $OUT $OUT_DIR/ + +S=`du -b $OUT_DIR/$OUT | awk '{print $1}'` +S_K=$(($S/1024)) +echo -en "## OUT: $OUT size: $S[B]; $S_K[K]\n" -- 2.7.4 From 0d8633643c69d06d2e5a04552138ab6a22dafe85 Mon Sep 17 00:00:00 2001 From: Joonyoung Shim Date: Mon, 22 Aug 2016 11:24:57 +0900 Subject: [PATCH 12/16] scripts: add sprd_mkdzimage.sh sprd_mkdzimage.sh is script file to make dzImage binary that is TM1 specific kernel binary from zImage and merged-dtb binary. This will substitute mkdzimage binary of system-tools. Change-Id: Idb78c73eb5b195b7122c9cc5a033ae136769cf79 Signed-off-by: Joonyoung Shim --- scripts/sprd_mkdzimage.sh | 141 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 141 insertions(+) create mode 100755 scripts/sprd_mkdzimage.sh diff --git a/scripts/sprd_mkdzimage.sh b/scripts/sprd_mkdzimage.sh new file mode 100755 index 0000000..f6ea777 --- /dev/null +++ b/scripts/sprd_mkdzimage.sh 
@@ -0,0 +1,141 @@ +#!/bin/bash + + +## Functions +function write_to_4bytes_binary() +{ + HEX=`echo "obase=16; $1" | bc` + + NUM=$((8-${#HEX})) + + ZERO="00000000" + SUB=${ZERO:0:$NUM} + + HEX=$SUB$HEX + + for str in $(echo $HEX | sed 's/../& /g' | rev); do + str=$(echo -en $str | rev) + echo -en "\x$str" + done > $2 +} + +function write_to_padding_binary() +{ + rm -f padding + + PAD_SIZE=$(($(($PAD - $(($1 % $PAD)))) % $PAD)) + if [ $PAD_SIZE -gt 0 ]; then + dd if=/dev/zero of=./padding bs=1 count=$PAD_SIZE 2>/dev/zero + else + touch padding + fi + + echo -en " | PAD: $PAD_SIZE[B]\n" +} + + +## Defines +OUT="dzImage" +OUT_TMP="dzImage.tmp" + +OUT_DIR="./arch/arm/boot" +BOOT_DIR="./arch/arm/boot" + +MAGIC="NZIT" # 0x54495A4E +KERNEL_ADDR=32768 # 0x00008000 +ATAGS_ADDR=31457280 # 0x01e00000 + +PAD=2048 + + +## Header +rm -f $OUT +rm -f $OUT_TMP +touch $OUT_TMP + +HEADER_SIZE=28 + +echo -en " *HEADER " +echo -en "$HEADER_SIZE[B]\n" + +echo -en $MAGIC > $OUT +cat $OUT >> $OUT_TMP +write_to_4bytes_binary $KERNEL_ADDR $OUT +cat $OUT >> $OUT_TMP + +FILE="$BOOT_DIR/zImage" +if [ -e $FILE ]; then + SIZE=`du -b $FILE | awk '{print $1}'` + write_to_4bytes_binary $SIZE $OUT + cat $OUT >> $OUT_TMP +else + echo -en "$FILE not found.\nexit\n" + exit -1 +fi + +DTB_ADDR=$(($KERNEL_ADDR + $SIZE)) +write_to_4bytes_binary $DTB_ADDR $OUT +cat $OUT >> $OUT_TMP + +FILE="$BOOT_DIR/merged-dtb" +if [ -e $FILE ]; then + SIZE=`du -b $FILE | awk '{print $1}'` + write_to_4bytes_binary $SIZE $OUT + cat $OUT >> $OUT_TMP +else + echo -en "$FILE not found.\nexit\n" + exit -1 +fi + +write_to_4bytes_binary $ATAGS_ADDR $OUT +cat $OUT >> $OUT_TMP +write_to_4bytes_binary $PAD $OUT +cat $OUT >> $OUT_TMP + +write_to_padding_binary $HEADER_SIZE +cat $OUT_TMP padding > $OUT + + +## Kernel Binary +FILE="$BOOT_DIR/zImage" +if [ -e $FILE ]; then + echo -en " *zImage " + cat $OUT $FILE > $OUT_TMP + + SIZE=`du -b $FILE | awk '{print $1}'` + echo -en "$SIZE[B]\n" + + write_to_padding_binary $SIZE + cat $OUT_TMP 
padding > $OUT +else + echo -en "zImage not found.\nexit\n" + exit -1 +fi + + +## merged-dtb Binary +FILE="$BOOT_DIR/merged-dtb" +if [ -e $FILE ]; then + echo -en " *merged-dtb " + cat $OUT $FILE > $OUT_TMP + + SIZE=`du -b $FILE | awk '{print $1}'` + echo -en "$SIZE[B]\n" + + write_to_padding_binary $SIZE + cat $OUT_TMP padding > $OUT +else + echo -en "merged-dtb not found.\nexit\n" + exit -1 +fi + + +## END +rm -f $OUT_TMP +rm -f padding +rm -f $OUT_DIR/$OUT +mv -f $OUT $OUT_DIR/ + +S=`du -b $OUT_DIR/$OUT | awk '{print $1}'` +S_K=$(($S/1024)) +echo -en "## OUT: $OUT size: $S[B]; $S_K[K]\n" -- 2.7.4 From e6cfc390b12fc1bc1d4f2bc765abbe2de2e22c83 Mon Sep 17 00:00:00 2001 From: Joonyoung Shim Date: Mon, 22 Aug 2016 16:13:08 +0900 Subject: [PATCH 13/16] build: use scripts to make kernel binary Use our scripts to make kernel binary instead of binaries of system-tools package, then we can remove dependency with system-tools package. Change-Id: I86a2de0af8743eaa22d1de5fa7dc68debadfc43c Signed-off-by: Joonyoung Shim --- release.sh | 4 ++-- release_obs.sh | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/release.sh b/release.sh index 7fa20f1..b947192 100755 --- a/release.sh +++ b/release.sh @@ -47,13 +47,13 @@ if [ "$?" != "0" ]; then exit 1 fi -dtbtool -o ${BOOT_PATH}/merged-dtb -p ${DTC_PATH} -v ${BOOT_PATH}/dts/ +./scripts/sprd_dtbtool.sh if [ "$?" != "0" ]; then echo "Failed to make merged-dtb" exit 1 fi -mkdzimage -o ${BOOT_PATH}/${DZIMAGE} -k ${BOOT_PATH}/zImage -d ${BOOT_PATH}/merged-dtb +./scripts/sprd_mkdzimage.sh if [ "$?" != "0" ]; then echo "Failed to make mkdzImage" exit 1 diff --git a/release_obs.sh b/release_obs.sh index 27e46d9..6e5b05b 100755 --- a/release_obs.sh +++ b/release_obs.sh 
@@ -91,13 +91,13 @@ if [ "$?" != "0" ]; then exit 1 fi -dtbtool -o $BOOT_PATH/merged-dtb -p $DTC_PATH -v $BOOT_PATH/dts/ +./scripts/sprd_dtbtool.sh if [ "$?" != "0" ]; then echo "Failed to make merged-dtb" exit 1 fi -mkdzimage -o $BOOT_PATH/$DZIMAGE -k $BOOT_PATH/zImage -d $BOOT_PATH/merged-dtb +./scripts/sprd_mkdzimage.sh if [ "$?" != "0" ]; then echo "Failed to make mkdzImage" exit 1 -- 2.7.4 From c3989cbee87ad6010f6c94894c1ec674146a43e2 Mon Sep 17 00:00:00 2001 From: Joonyoung Shim Date: Mon, 22 Aug 2016 16:13:17 +0900 Subject: [PATCH 14/16] packaging: remove BuildRequires for system-tools TM1 kernel doesn't need system-tools package anymore, so remove BuildRequires for system-tools. Change-Id: I906a32f81f0b3c28518d7a1b610c01ddbc48c407 Signed-off-by: Joonyoung Shim --- packaging/linux-3.10-sc7730.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/packaging/linux-3.10-sc7730.spec b/packaging/linux-3.10-sc7730.spec index 41f2ece..21ae0a8 100644 --- a/packaging/linux-3.10-sc7730.spec +++ b/packaging/linux-3.10-sc7730.spec @@ -21,7 +21,6 @@ BuildRequires: module-init-tools BuildRequires: python BuildRequires: gcc BuildRequires: bash -BuildRequires: system-tools BuildRequires: bc ExclusiveArch: %arm -- 2.7.4 From 624da3bf8b24ef974c0e7386f3ed8dc572511ab9 Mon Sep 17 00:00:00 2001 From: Nagaraj D R Date: Thu, 5 May 2016 14:23:06 +0530 Subject: [PATCH 15/16] bluetooth: Increase the manufacturer data type size To support tizen specific manufacturer data, data length needs to be increased. Change-Id: I2c7d5d01348074d09684b52fac4b106609327ab0 Signed-off-by: DoHyun Pyun --- include/net/bluetooth/hci_core.h | 6 +++++- include/net/bluetooth/mgmt_tizen.h | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h index 9a5791e..d1f3691 100644 --- a/include/net/bluetooth/hci_core.h +++ b/include/net/bluetooth/hci_core.h 
@@ -170,6 +170,10 @@ struct amp_assoc { #define HCI_MAX_PAGES 3 +#ifdef CONFIG_TIZEN_WIP +#define HCI_MAX_EIR_MANUFACTURER_DATA_LENGTH 100 +#endif + #define NUM_REASSEMBLY 4 struct hci_dev { struct list_head list; @@ -372,7 +376,7 @@ struct hci_dev { __u8 adv_type; __u8 manufacturer_len; - __u8 manufacturer_data[HCI_MAX_AD_LENGTH - 3]; + __u8 manufacturer_data[HCI_MAX_EIR_MANUFACTURER_DATA_LENGTH]; #endif int (*open)(struct hci_dev *hdev); diff --git a/include/net/bluetooth/mgmt_tizen.h b/include/net/bluetooth/mgmt_tizen.h index 3bf6fa6..54e753b 100644 --- a/include/net/bluetooth/mgmt_tizen.h +++ b/include/net/bluetooth/mgmt_tizen.h @@ -136,10 +136,10 @@ struct mgmt_cp_le_conn_update { } __packed; #define MGMT_OP_SET_MANUFACTURER_DATA (TIZEN_OP_CODE_BASE + 0x0e) +#define MGMT_SET_MANUFACTURER_DATA_SIZE 100 struct mgmt_cp_set_manufacturer_data { - __u8 data[28]; + __u8 data[MGMT_SET_MANUFACTURER_DATA_SIZE]; } __packed; -#define MGMT_SET_MANUFACTURER_DATA_SIZE 28 #define MGMT_OP_LE_SET_SCAN_PARAMS (TIZEN_OP_CODE_BASE + 0x0f) struct mgmt_cp_le_set_scan_params { -- 2.7.4 From d587ffac0e6b0849334d575bca4e9e1caa48f891 Mon Sep 17 00:00:00 2001 From: Casey Schaufler Date: Tue, 26 Apr 2016 16:28:27 +0900 Subject: [PATCH 16/16] Smack: secmark support for netfilter Smack uses CIPSO to label internet packets and thus provide for access control on delivery of packets. The netfilter facility was not used to allow for Smack to work properly without netfilter configuration. Smack does not need netfilter, however there are cases where it would be handy. As a side effect, the labeling of local IPv4 packets can be optimized and the handling of local IPv6 packets is just all out better. The best part is that the netfilter tools use "contexts" that are just strings, and they work just as well for Smack as they do for SELinux. All of the conditional compilation for IPv6 was implemented by Rafal Krypa Signed-off-by: Casey Schaufler [jooseong.lee: Backported from mainline] 
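Review bot: `manufacturer_data` was sized from `HCI_MAX_AD_LENGTH - 3`, which tied it to what fits in one advertising payload; with a fixed 100 bytes that link is gone, so every place that copies `manufacturer_data` into an advertising or EIR buffer has to clamp to the space left in that buffer. Those callers are not in these hunks, so this is a request to confirm rather than a found overflow. A comment on the new define stating the unit and the limit would help, for example `/* max manufacturer payload in bytes; may exceed one AD structure, callers must clamp */`. The define sits under `#ifdef CONFIG_TIZEN_WIP`, while the guard around the array starts outside the second hunk; presumably it is the same option, which is worth checking so the header still builds with the option off.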
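Review bot: `MGMT_SET_MANUFACTURER_DATA_SIZE` here and `HCI_MAX_EIR_MANUFACTURER_DATA_LENGTH` in hci_core.h are both the literal 100 with nothing keeping them equal, and the handler that copies `cp->data` into `hdev->manufacturer_data` (not shown) depends on them matching. Defining one in terms of the other, or adding `BUILD_BUG_ON(MGMT_SET_MANUFACTURER_DATA_SIZE > HCI_MAX_EIR_MANUFACTURER_DATA_LENGTH);` in that handler, stops a later edit from changing only one of them. Growing the packed command from 28 to 100 bytes also changes the mgmt wire format, so user space still sending the old size has to be updated in step.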
Signed-off-by: jooseong lee Change-Id: Ia4cf70850795c50ab9f2d58f4d1b42cca7411c21 --- security/smack/Kconfig | 12 +++++ security/smack/Makefile | 1 + security/smack/smack.h | 1 + security/smack/smack_lsm.c | 94 +++++++++++++++++++++++++++++++++++---- security/smack/smack_netfilter.c | 96 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 196 insertions(+), 8 deletions(-) create mode 100644 security/smack/smack_netfilter.c diff --git a/security/smack/Kconfig b/security/smack/Kconfig index b065f97..271adae 100644 --- a/security/smack/Kconfig +++ b/security/smack/Kconfig @@ -28,3 +28,15 @@ config SECURITY_SMACK_BRINGUP access rule set once the behavior is well understood. This is a superior mechanism to the oft abused "permissive" mode of other systems. + If you are unsure how to answer this question, answer N. + +config SECURITY_SMACK_NETFILTER + bool "Packet marking using secmarks for netfilter" + depends on SECURITY_SMACK + depends on NETWORK_SECMARK + depends on NETFILTER + default n + help + This enables security marking of network packets using + Smack labels. + If you are unsure how to answer this question, answer N. diff --git a/security/smack/Makefile b/security/smack/Makefile index 67a63aa..616cf93 100644 --- a/security/smack/Makefile +++ b/security/smack/Makefile @@ -5,3 +5,4 @@ obj-$(CONFIG_SECURITY_SMACK) := smack.o smack-y := smack_lsm.o smack_access.o smackfs.o +smack-$(CONFIG_NETFILTER) += smack_netfilter.o diff --git a/security/smack/smack.h b/security/smack/smack.h index a03cf4a..c29a59d 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h @@ -267,6 +267,7 @@ void smk_destroy_label_list(struct list_head *list); /* * Shared data. */ +extern int smack_enabled; extern int smack_cipso_direct; extern int smack_cipso_mapped; extern struct smack_known *smack_net_ambient; diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 7e800c6..d2a13f9 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
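Review bot: `smack-$(CONFIG_NETFILTER) += smack_netfilter.o` builds the new file whenever netfilter is enabled rather than when the new `SECURITY_SMACK_NETFILTER` option is, so the output hooks are registered even with the option off. The file is then also compiled in configurations without `NETWORK_SECMARK`, where `struct sk_buff` has no `secmark` member to assign. Keying the object on the option added in the Kconfig hunk fixes both: `smack-$(CONFIG_SECURITY_SMACK_NETFILTER) += smack_netfilter.o`. smack_lsm.c reads the secmark only under that same option, so the two files would then agree.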
@@ -52,8 +52,11 @@ #define SMK_RECEIVING 1 #define SMK_SENDING 2 +#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER) LIST_HEAD(smk_ipv6_port_list); +#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */ static struct kmem_cache *smack_inode_cache; +int smack_enabled; #ifdef CONFIG_SECURITY_SMACK_BRINGUP @@ -2297,6 +2300,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap) return smack_netlabel(sk, sk_lbl); } +#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER) /** * smk_ipv6_port_label - Smack port access table management * @sock: socket @@ -2446,6 +2450,7 @@ auditout: rc = smk_bu_note("IPv6 port check", skp, object, MAY_WRITE, rc); return rc; } +#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */ /** * smack_inode_setsecurity - set smack xattrs @@ -2506,8 +2511,10 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name, } else return -EOPNOTSUPP; +#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER) if (sock->sk->sk_family == PF_INET6) smk_ipv6_port_label(sock, NULL); +#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */ return 0; } @@ -2547,6 +2554,7 @@ static int smack_socket_post_create(struct socket *sock, int family, return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET); } +#ifndef CONFIG_SECURITY_SMACK_NETFILTER /** * smack_socket_bind - record port binding information. * @sock: the socket @@ -2560,11 +2568,14 @@ static int smack_socket_post_create(struct socket *sock, int family, static int smack_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) { +#if IS_ENABLED(CONFIG_IPV6) if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) smk_ipv6_port_label(sock, address); +#endif return 0; } +#endif /* !CONFIG_SECURITY_SMACK_NETFILTER */ /** * smack_socket_connect - connect access check 
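Review bot: The condition `IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)` is repeated around the port list, the port-label helpers and the call in `smack_inode_setsecurity` here, and again in the connect and sendmsg hunks further down; one mistyped copy would silently compile a check in or out. Defining it once near the top of the file, e.g. `#define SMACK_IPV6_PORT_LABELING 1` inside a single `#if` with that condition, and testing `#ifdef SMACK_IPV6_PORT_LABELING` at every other site keeps the copies in step. The functions being wrapped start and end outside these hunks.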
@@ -2593,8 +2604,10 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, case PF_INET6: if (addrlen < sizeof(struct sockaddr_in6)) return -EINVAL; +#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER) rc = smk_ipv6_port_check(sock->sk, (struct sockaddr_in6 *)sap, SMK_CONNECTING); +#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */ break; } return rc; @@ -3493,7 +3506,9 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) { struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; +#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER) struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; +#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */ int rc = 0; /* @@ -3507,7 +3522,9 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, rc = smack_netlabel_send(sock->sk, sip); break; case AF_INET6: +#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER) rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); +#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */ break; } return rc; @@ -3598,6 +3615,7 @@ static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, return smack_net_ambient; } +#if IS_ENABLED(CONFIG_IPV6) static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) { u8 nexthdr; @@ -3644,6 +3662,7 @@ static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) } return proto; } +#endif /* CONFIG_IPV6 */ /** * smack_socket_sock_rcv_skb - Smack packet delivery access check 
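Review bot: With `CONFIG_SECURITY_SMACK_NETFILTER` set, the `PF_INET6` case of `smack_socket_connect` only validates `addrlen` and the `AF_INET6` case of `smack_socket_sendmsg` is empty, so `rc` stays 0 and no Smack check runs on the sending side for IPv6. The patch appears to rely on the delivery check in `smack_socket_sock_rcv_skb` instead. That should be stated at both sites, for instance `/* IPv6: checked on delivery via secmark when SMACK_NETFILTER is set */`, so the empty case does not read as an omission. Both function bodies continue outside their hunks.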
@@ -3656,15 +3675,30 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { struct netlbl_lsm_secattr secattr; struct socket_smack *ssp = sk->sk_security; - struct smack_known *skp; - struct sockaddr_in6 sadd; + struct smack_known *skp = NULL; int rc = 0; struct smk_audit_info ad; #ifdef CONFIG_AUDIT struct lsm_network_audit net; #endif +#if IS_ENABLED(CONFIG_IPV6) + struct sockaddr_in6 sadd; + int proto; +#endif /* CONFIG_IPV6 */ + switch (sk->sk_family) { case PF_INET: +#ifdef CONFIG_SECURITY_SMACK_NETFILTER + /* + * If there is a secmark use it rather than the CIPSO label. + * If there is no secmark fall back to CIPSO. + * The secmark is assumed to reflect policy better. + */ + if (skb && skb->secmark != 0) { + skp = smack_from_secid(skb->secmark); + goto access_check; + } +#endif /* CONFIG_SECURITY_SMACK_NETFILTER */ /* * Translate what netlabel gave us. */ @@ -3678,6 +3712,9 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) netlbl_secattr_destroy(&secattr); +#ifdef CONFIG_SECURITY_SMACK_NETFILTER +access_check: +#endif #ifdef CONFIG_AUDIT smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); ad.a.u.net->family = sk->sk_family; 
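Review bot: The new `if (skb && skb->secmark != 0)` test in the `PF_INET` case implies `skb` may be NULL, but when the test fails the code falls through to the existing netlabel path, which uses `skb` without a check (the `netlbl_skbuff_err(skb, rc, 0)` call is visible in the next hunk). If the hook is never called with a NULL skb the guard can be dropped, `if (skb->secmark != 0) {`; otherwise the fallback needs the same guard. The label returned by `smack_from_secid()` is passed to the access check as is; that helper is outside this diff, so it is worth confirming what it returns for a secid Smack does not know. The function continues beyond both hunks on this line.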
@@ -3698,14 +3735,32 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) if (rc != 0) netlbl_skbuff_err(skb, rc, 0); break; +#if IS_ENABLED(CONFIG_IPV6) case PF_INET6: - rc = smk_skb_to_addr_ipv6(skb, &sadd); - if (rc == IPPROTO_UDP || rc == IPPROTO_TCP) - rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); + proto = smk_skb_to_addr_ipv6(skb, &sadd); + if (proto != IPPROTO_UDP && proto != IPPROTO_TCP) + break; +#ifdef CONFIG_SECURITY_SMACK_NETFILTER + if (skb && skb->secmark != 0) + skp = smack_from_secid(skb->secmark); else - rc = 0; + skp = smack_net_ambient; +#ifdef CONFIG_AUDIT + smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); + ad.a.u.net->family = sk->sk_family; + ad.a.u.net->netif = skb->skb_iif; + ipv6_skb_to_auditdata(skb, &ad.a, NULL); +#endif /* CONFIG_AUDIT */ + rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); + rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, + MAY_WRITE, rc); +#else /* CONFIG_SECURITY_SMACK_NETFILTER */ + rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); +#endif /* CONFIG_SECURITY_SMACK_NETFILTER */ break; +#endif /* CONFIG_IPV6 */ } + return rc; } @@ -3767,16 +3822,25 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, if (skb != NULL) { if (skb->protocol == htons(ETH_P_IP)) family = PF_INET; +#if IS_ENABLED(CONFIG_IPV6) else if (skb->protocol == htons(ETH_P_IPV6)) family = PF_INET6; +#endif /* CONFIG_IPV6 */ } if (family == PF_UNSPEC && sock != NULL) family = sock->sk->sk_family; - if (family == PF_UNIX) { + switch (family) { + case PF_UNIX: ssp = sock->sk->sk_security; s = ssp->smk_out->smk_secid; - } else if (family == PF_INET || family == PF_INET6) { + break; + case PF_INET: +#ifdef CONFIG_SECURITY_SMACK_NETFILTER + s = skb->secmark; + if (s != 0) + break; +#endif /* * Translate what netlabel gave us. */ 
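Review bot: In the `PF_INET6` case the early `break` for anything other than UDP and TCP stays in front of the new secmark branch, so with `CONFIG_SECURITY_SMACK_NETFILTER` set other IPv6 protocols are still delivered with `rc` 0 and no `smk_access()` call. That filter belonged to the port-based check, whereas a secmark does not depend on ports. If the exemption is intended for the secmark path too, a comment such as `/* only TCP and UDP are checked; other protocols are delivered unchecked */` would make that explicit. `sadd` is filled in but unused in that configuration.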
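Review bot: `s = skb->secmark;` in the new `case PF_INET:` of `smack_socket_getpeersec_dgram` dereferences `skb` without a check, although a few lines above the same function tests `skb != NULL` and can take `family` from `sock` when there is no skb. Writing it as `s = skb ? skb->secmark : 0;` keeps the case safe on that path; the `PF_INET6` case added in the following hunk has the same line. The netlabel call that follows also receives `skb`, so if a NULL skb can really reach these families that path needs a look as well. The rest of the function is outside the hunk.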
@@ -3789,6 +3853,14 @@ static int smack_socket_getpeersec_dgram(struct socket *sock, s = skp->smk_secid; } netlbl_secattr_destroy(&secattr); + break; +#if IS_ENABLED(CONFIG_IPV6) + case PF_INET6: +#ifdef CONFIG_SECURITY_SMACK_NETFILTER + s = skb->secmark; +#endif /* CONFIG_SECURITY_SMACK_NETFILTER */ + break; +#endif /* CONFIG_IPV6 */ } *secid = s; if (s == 0) @@ -3844,6 +3916,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, struct lsm_network_audit net; #endif +#if IS_ENABLED(CONFIG_IPV6) if (family == PF_INET6) { /* * Handle mapped IPv4 packets arriving @@ -3855,6 +3928,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb, else return 0; } +#endif /* CONFIG_IPV6 */ netlbl_secattr_init(&secattr); rc = netlbl_skbuff_getattr(skb, family, &secattr); @@ -4293,7 +4367,9 @@ struct security_operations smack_ops = { .unix_may_send = smack_unix_may_send, .socket_post_create = smack_socket_post_create, +#ifndef CONFIG_SECURITY_SMACK_NETFILTER .socket_bind = smack_socket_bind, +#endif /* CONFIG_SECURITY_SMACK_NETFILTER */ .socket_connect = smack_socket_connect, .socket_sendmsg = smack_socket_sendmsg, .socket_sock_rcv_skb = smack_socket_sock_rcv_skb, @@ -4377,6 +4453,8 @@ static __init int smack_init(void) if (!security_module_enable(&smack_ops)) return 0; + smack_enabled = 1; + smack_rule_cache = KMEM_CACHE(smack_rule, 0); if (!smack_rule_cache) return -ENOMEM; diff --git a/security/smack/smack_netfilter.c b/security/smack/smack_netfilter.c new file mode 100644 index 0000000..29d0411 --- /dev/null +++ b/security/smack/smack_netfilter.c 
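Review bot: `smack_enabled = 1` is set in `smack_init()` before the cache allocation that can still `return -ENOMEM`, so a failed init leaves the flag set and `smack_nf_ip_init()` will register the netfilter hooks anyway. Moving the assignment to the point where init has succeeded avoids that; the remainder of `smack_init()` is outside the hunk, so the likely spot is just before its final successful return. A one-line comment on the definition, e.g. `/* set once by smack_init(); read by smack_nf_ip_init() */`, would document who owns the flag.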
@@ -0,0 +1,96 @@
+/*
+ * Simplified MAC Kernel (smack) security module
+ *
+ * This file contains the Smack netfilter implementation
+ *
+ * Author:
+ * Casey Schaufler
+ *
+ * Copyright (C) 2014 Casey Schaufler
+ * Copyright (C) 2014 Intel Corporation.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+
+#include
+#include
+#include
+#include "smack.h"
+
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+
+static unsigned int smack_ipv6_output(unsigned int hooknum,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ struct socket_smack *ssp;
+ struct smack_known *skp;
+
+ if (skb && skb->sk && skb->sk->sk_security) {
+ ssp = skb->sk->sk_security;
+ skp = ssp->smk_out;
+ skb->secmark = skp->smk_secid;
+ }
+
+ return NF_ACCEPT;
+}
+#endif /* IPV6 */
+
+static unsigned int smack_ipv4_output(unsigned int hooknum,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ struct socket_smack *ssp;
+ struct smack_known *skp;
+
+ if (skb && skb->sk && skb->sk->sk_security) {
+ ssp = skb->sk->sk_security;
+ skp = ssp->smk_out;
+ skb->secmark = skp->smk_secid;
+ }
+
+ return NF_ACCEPT;
+}
+
+static struct nf_hook_ops smack_nf_ops[] = {
+ {
+ .hook = smack_ipv4_output,
+ .owner = THIS_MODULE,
+ .pf = NFPROTO_IPV4,
+ .hooknum = NF_INET_LOCAL_OUT,
+ .priority = NF_IP_PRI_SELINUX_FIRST,
+ },
+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
+ {
+ .hook = smack_ipv6_output,
+ .owner = THIS_MODULE,
+ .pf = NFPROTO_IPV6,
+ .hooknum = NF_INET_LOCAL_OUT,
+ .priority = NF_IP6_PRI_SELINUX_FIRST,
+ },
+#endif /* IPV6 */
+};
+
+static int __init smack_nf_ip_init(void)
+{
+ int err;
+
+ if (smack_enabled == 0)
+ return 0;
+
+ printk(KERN_DEBUG "Smack: Registering netfilter hooks\n");
+
+ err = nf_register_hooks(smack_nf_ops, ARRAY_SIZE(smack_nf_ops));
+ if (err)
+ pr_info("Smack: nf_register_hooks: error %d\n", err);
+
+ return 0;
+}
+
+__initcall(smack_nf_ip_init);
-- 2.7.4
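Review bot: `smack_nf_ip_init()` reports a failed `nf_register_hooks()` with `pr_info` and then returns 0, so a system can come up without the output hooks and only an info-level line says so; locally generated packets then carry no secmark and the receive side quietly uses its fallback label. Logging at error level and propagating the code, `pr_err("Smack: nf_register_hooks: error %d\n", err);` followed by `return err;`, makes the failure visible. `smack_ipv4_output()` and `smack_ipv6_output()` have identical bodies and could share one static helper. The IPv6 guard here is spelled `defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)` while smack_lsm.c in the same patch uses `IS_ENABLED(CONFIG_IPV6)`; using one spelling in both files is easier to audit.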